FIREWALL SECURITY:

Deploying firewall at network boundary is like aggregating the security at a single point. All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. Windows firewall with advanced security can blocks ICMP ECHO request from server, solution is just to create an exception that allows ICMP requests through the firewall. Two exceptions to allow traffic through the firewall for ICMPv4 and ICMPv6 are,

ICMPv4 requests =  netsh advfirewall firewall add rule name=”ICMP Allow incoming V4 echo request” protocol=icmpv4:8,any dir=in action=allow ICMPv6 requests = “netsh advfirewall firewall add rule name=”ICMP Allow incoming V6 echo request” protocol=icmpv6:8,any dir=in action=allow

As attacks against web servers became more common, it became apparent that there was a need for firewalls to protect networks from attacks at the application layer. Packet filtering and stateful inspection firewalls can’t distinguish among valid application layer protocol requests, data and malicious traffic encapsulated within apparently valid protocol traffic.

Firewalls that provide application layer filtering can examine the payload of a packet and distinguish among valid requests, data and malicious code disguised as a valid request or data. Since this type of firewall makes a decision based on the payload’s content, it gives security engineers more granular control over network traffic and sets rules to permit or deny specific application requests or commands. For example, it can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host.

If this type of firewall could also prevent an attacker from connecting directly to the network, it would be even better. Putting the firewall on a proxy server would make it harder for an attacker to discover where the network actually is and create yet another layer of security.

When there is a proxy firewall in place, both the client and the server are forced to conduct the session through an intermediary — a proxy server that hosts an application layer firewall. Now, each time an external client requests a connection with an internal server (or vice versa), the client will open a connection with the proxy instead. If the connection meets the criteria in the firewall rule base, the proxy will open a connection to the requested server. Because the firewall is placed in the middle of the logical connection, it can watch traffic for any signs of malicious activity at the application layer.

The key benefit of application layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and domain name system (DNS), are being misused. Application layer firewall rules can also be used to control the execution of files or the handling of data by specific applications.

 

 

 

There are different types of firewall packet filtering, circuit level gateways, stateful inspection firewall, application level gateway  and next gen firewall .  A host-based firewall is installed on individual servers and monitors incoming and outgoing signals. A network-based firewall can be built into the cloud’s infrastructure, or it can be a virtual firewall service. A host-based IDPS monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of host characteristics a host-based IDPS might monitor are wired and wireless network traffic, system logs, running processes, file access and modification, and system and application configuration changes. Most host-based IDPSs have detection software known as agents installed on the hosts of interest. Each agent monitors activity on a single host and may perform prevention actions. Some agents monitor a single specific application service -for example, a Web server program; these agents are also known as application-based IDPSs. Host-based IDPS agents are most commonly deployed to critical hosts, such as publicly accessible servers and servers containing sensitive information, although they can be deployed to other types of hosts as well. Some organizations use agents primarily to analyze activity that cannot be monitored by other security controls. For example, network-based IDPS sensors cannot analyze the activity within encrypted network communications, but host-based IDPS agents installed on endpoints can see the unencrypted activity. The network architecture for host-based IDPS deployments is typically simple.

 

AWS SECURITY:

security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. The infrastructure is totally virtualized using a heavily customized version of Xen . They have a complex cloud platform layer that allows clients to make requests via SOAP and HTTP query APIs. This platform layer handles the allocation of resources, metering, and a number of other cloud platform functions.

CloudTrail is an AWS service that generates log files of all API calls made within AWS, including the AWS management console, SDKs, command line tools, etc. This capability allows organizations to continuously monitor activities in AWS for compliance auditing and post-incident forensic investigations.

 

  1. VPC-SG is a security group assigned to your vpc.
  2. EC2-SG is a security group assigned to your ec2.
  3. Your ec2 instance is assigned to a vpc, so the VPC-SG security group becomes the outer most security layer and EC2-SG security group comes next.