The Institute of Internal Auditors Detroit Chapter Presents

1 Use Cases – Webinar Series
IIA Detroit Chapter Webinar #4 – Firewall and Virtualization

2 If You Have Questions…

Submit Questions and/or Comments via chat

3 Earning CPE Credit

In order to receive CPE credit for this webcast, participants must:

. Attend the webcast on an individual device (one person per computer/device)

. Answer the polling questions asked throughout the webcast

. CPE certificates will be sent to the e-mail address on your Zoom account within two weeks of this webinar.

. If you are unsure whether the correct email address is on your Zoom account, please send us the correct email address in a chat message.

4 Polling Question #1: Please tell us your member status

A)Member Detroit Chapter

B)Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)

C)Member – Other District

D)Non-member

5 Agenda

. Firewall/Demo – One hour
. Virtualization/Demo – One hour

6 Firewalls

. Firewall – a host that mediates access to a network, allowing and disallowing certain types of access based on a configured security policy
. Used to allow access to specific ports, protocols, etc.
. Allows outbound traffic
. Blocks unauthorized inbound traffic
– Is a combination of hardware and software
– Comes "for free" inside many devices: routers, modems, wireless base stations, etc.
– Use firewalls to achieve selective border control
– Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)

7 Firewall Placement

• In border network devices at the edge of your network
• In interior network devices that move traffic from the border into your network
• In a DMZ: a separate network segment, bounded by the firewall(s) and their routers/switches, that holds the publicly reachable servers and keeps them apart from the internal network
• In separate routers or router combinations that each enclose a segregated portion of the network
• In software (host-based) firewalls on all the individual workstations

8 Firewall Placement – Example

. Filter traffic going across the perimeter boundary
. Various levels of sophistication

Diagram: Internet → Firewall → Intranet (a single firewall on the perimeter boundary)

9 Firewall Placement – Example

Diagram: Internet → Firewall → DMZ and Intranet. The DMZ holds the Public Web Server, the Mail Server and the DNS Server; the Intranet holds the Intranet Web Server and the Desktops. Traffic from the Internet terminates in the DMZ, and the firewall mediates traffic between the DMZ and the Intranet.

10 What Firewalls can't do

• They are not a panacea – a firewall is only one layer of defense in depth
• If not managed properly – can provide a false sense of security
• Cannot prevent insider attacks (the insider is already on the trusted side)
• Firewalls act in a particular layer (or layers) of the OSI model
• Packet-filtering firewalls work at Layers 3 (Network) and 4 (Transport); application-level firewalls and Next Generation Firewalls also inspect Layer 7 (Application)
• Web Application Firewalls are Layer 7 firewalls specialized for HTTP/HTTPS traffic

11 Firewalls Categorized by Development Era

. First generation: static packet filtering firewalls; allow or deny each packet on its own, based on source address, destination address, protocol and port
. Second generation: application-level firewalls or proxy servers
. Third generation: stateful inspection firewalls; keep a state table of open connections so that only packets belonging to a permitted, established session are allowed (e.g. the UDP reply for a DNS query an inside host just sent)
. Fourth generation: dynamic packet filtering firewalls; open a return path for a particular source, destination and port only while a permitted session needs it, and close it again afterwards
. Fifth generation: Next Generation Firewall (NGFW); application awareness, integrated intrusion prevention and user identity, and often built-in Data Loss Prevention (DLP) capabilities

12 Firewalls Categorized by Deployment Structure

. Most firewalls are appliances: stand-alone, self-contained systems
. A commercial-grade firewall system consists of firewall application software running on a general-purpose computer
. Small office/home office (SOHO) or residential-grade firewalls, aka broadband gateways or DSL/cable modem routers, connect the user's local area network or a specific computer system to the Internet
. Residential-grade firewall software is installed directly on the user's system
. Cloud-based firewalls (firewall as a service) are implemented in the cloud and integrated with the subscribing organization's network

13 13 Polling Question #2

If I have a Next Generation Firewall installed in my network, I don’t need anything else: My network is protected with the latest technology a) True b) False

14 Selecting the Right Firewall

. When selecting a firewall, consider a number of factors:
– What firewall offers the right balance between protection and cost for the needs of the organization?
– What features are included in the base price and which are not?
– How easy is setup and configuration? How accessible are staff technicians who can configure the firewall?
– Can the firewall adapt to the organization's growing network?

15 Configuring and Managing Firewalls

. Each firewall device must have its own set of configuration rules regulating its actions

. Firewall policy configuration is usually complex and difficult

. Configuring firewall policies is both an art and a science

. When security rules conflict with the performance of the business, security often loses

16 Best Practices for Firewalls

. All traffic from the trusted network is allowed out (egress filtering of outbound services the business does not need is now common practice as well)
. The firewall device is never directly accessed from the public network
. Simple Mail Transfer Protocol (SMTP) traffic is allowed through the firewall, but only to the designated mail server
. Internet Control Message Protocol (ICMP) traffic is denied. Ping is ICMP, and ICMP can be used for simple DoS
. Telnet access to internal servers should be blocked. Use SSH
. FTP should be blocked. Use SFTP (file transfer over SSH) instead
. When web services are offered outside the firewall (in the DMZ), HTTP traffic from the Internet should be denied from reaching internal networks

17 Best Practices for Firewalls

Security Activity
. Deny all traffic by default and then add rules for what needs to be allowed
. Use NGFW firewalls instead of packet filters, except for border routers
. Firewall configuration backups should not be stored in the network protected by the same firewall
. At a minimum, block ingress access to the following ports: TCP 135, 137, 138, 139, 445 and 3389; UDP 135, 137, 138, 139, 445 and 3389. This prevents Windows remote logins (RPC, NetBIOS, SMB, RDP) and file sharing through the firewall
. Provide high availability and redundancy
. Install a firewall in front of any subnet classified as critical
. Use the principle of least privilege: allow the minimum number of protocols from the minimum number of sources to the minimum number of destinations
. Maintain a network application matrix in a table and make this matrix available to firewall administrators
. Perform a quarterly review of firewall policies

18 Best Practices for Firewalls

Security Activity
. Install and configure a Web Application Firewall for web applications
. Perform periodic penetration tests of the firewall
. Only VPNs should be used to bypass firewall policies

19 Audit Considerations

. Review the organization's security policies and procedures and verify that the policies are implemented in the firewall(s)
. Obtain and review network diagrams
. Verify that logging is enabled in the firewall(s)
. Review the log monitoring process and procedures
. Obtain and review the last vulnerability scan and penetration test reports
. Identify all allowed VPN entries
. Obtain and review the firewall vendor information
. Verify that default passwords have been changed
. Review the change management process for rule and configuration changes
. Verify that the firewall is physically secure
. Identify redundant rules, unused objects and unused connections, and have them removed
. Review the ACLs implemented
. Identify who has access to the firewall and who can make changes to it

20 Audit Considerations…(cont'd)

. Consider using the Center for Internet Security (CIS) Benchmarks to secure the firewall
. Consider using automated tools to audit firewalls
– Firewall rules and configuration information may run to many pages
– Firewall rules may not have been documented
. If you have many firewalls, consider bringing in a third party, with access to such a tool, to review the firewalls
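What an automated rule-set review actually does can be shown on a small scale. The following Python script is an added example written for this page (it is not a tool from the webinar or from any vendor): it takes a constructed, top-down ingress rule set and checks three things from the best-practice and audit slides above: that the policy ends in an explicit default deny, whether any allow rule really lets one of the minimum-blocklist ports (TCP/UDP 135, 137-139, 445, 3389) through from the outside, and which rules are shadowed by an earlier rule and can never fire (the "redundant rules" an audit should have removed). The rule format, the Rule class and the witness addresses (203.0.113.5 outside, 10.0.0.10 inside, both from documentation address ranges) are assumptions for the example.

```python
"""Rule-set audit for a simplified ordered ingress firewall policy.

Added example, not part of the webinar material. Rules, addresses and the
policy below are constructed; the checks follow the slides: explicit default
deny, the minimum ingress blocklist, and shadowed (unreachable) rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "any"
BLOCKED_PORTS = (135, 137, 138, 139, 445, 3389)
# Constructed witness addresses used when a rule says "any".
OUTSIDE_WITNESS = "203.0.113.5"
INSIDE_WITNESS = "10.0.0.10"

def _in_net(cidr: str, addr: str) -> bool:
    return cidr == ANY or ip_address(addr) in ip_network(cidr, strict=False)

def _covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def _witness(cidr: str, fallback: str) -> str:
    """One concrete address from a CIDR (or the fallback for "any")."""
    return fallback if cidr == ANY else str(ip_network(cidr, strict=False)[0])

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    port: object  # destination port (int) or "any"

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        return (self.proto in (ANY, proto) and self.port in (ANY, port)
                and _in_net(self.src, src) and _in_net(self.dst, dst))

    def shadows(self, other: "Rule") -> bool:
        """True if self matches every packet that `other` would match."""
        return (self.proto in (ANY, other.proto) and self.port in (ANY, other.port)
                and _covers(self.src, other.src) and _covers(self.dst, other.dst))

def first_match(rules: List[Rule], proto: str, src: str, dst: str, port: int) -> int:
    """Index of the first matching rule, or -1 for the implicit default deny."""
    for i, r in enumerate(rules):
        if r.matches(proto, src, dst, port):
            return i
    return -1

def has_explicit_default_deny(rules: List[Rule]) -> bool:
    last = rules[-1]
    return last.action == "deny" and (last.proto, last.src, last.dst, last.port) == (ANY, ANY, ANY, ANY)

def blocklist_violations(rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """(rule index, proto, port) for each allow rule that really lets a blocked port in.

    A witness packet is built from the rule's own source/destination ranges and
    evaluated top-down, so an allow shadowed by an earlier deny is not reported.
    """
    found = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        for proto in ("tcp", "udp"):
            for port in BLOCKED_PORTS:
                if r.proto not in (ANY, proto) or r.port not in (ANY, port):
                    continue
                src = _witness(r.src, OUTSIDE_WITNESS)
                dst = _witness(r.dst, INSIDE_WITNESS)
                if first_match(rules, proto, src, dst, port) == i:
                    found.append((i, proto, port))
    return found

def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(shadowed index, shadowing index): the later rule can never fire."""
    return [(j, i) for j in range(len(rules)) for i in range(j) if rules[i].shadows(rules[j])]

# Constructed sample policy, evaluated top-down.
SAMPLE_POLICY = [
    Rule("allow", "tcp", ANY, "10.0.0.0/24", 443),                 # public HTTPS
    Rule("allow", "tcp", "203.0.113.0/24", "10.0.0.0/24", 3389),   # vendor RDP hole
    Rule("deny", ANY, ANY, ANY, 445),                              # SMB
    Rule("allow", "tcp", ANY, "10.0.0.10/32", 443),                # unreachable: rule 0 covers it
    Rule("deny", ANY, ANY, ANY, ANY),                              # explicit default deny
]

def audit(rules: List[Rule]) -> dict:
    return {
        "default_deny": has_explicit_default_deny(rules),
        "blocklist_violations": blocklist_violations(rules),
        "shadowed": shadowed_rules(rules),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

On the sample policy the script reports the vendor RDP rule as a blocklist violation and rule 3 as shadowed by rule 0; a real audit tool works the same way but on thousands of rules exported from the device, which is why the slide recommends one.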

21 21 Polling Question #3

Firewalls should never be available for access from public networks a) True b) False

22 22 Polling Question #4

To have a layered defense, an organization must consider implementation of: a) Firewalls b) DMZ c) IDS/IPS d) All of the above

23 23 Demo 1 – Windows Defender Firewall

24 Demo 2 – Enterprise Firewall – VyOS

. Open Source – originally a fork of Vyatta
. Router and firewall
. Debian-based
. Available features
– Routing
– Firewall and NAT
– VPN
– Network services (DNS forwarding, DHCP, NetFlow, etc.)
. Enabled modules can also include IDS
. Cloud support

25 Demo 2 – Enterprise Firewall – VyOS...(cont'd)

Diagram: Internet → Gateway → Primary Firewall and Secondary Firewall (a redundant firewall pair behind the gateway)

26 Virtualization – What is Virtualization?

. The creation of virtual resources such as servers, desktops, switches, storage, etc. used to address the computing needs of the organization.
– Abstraction of the hardware
– The VM is stored as a file (or set of files) on disk

. Goals of Virtualization – Scalability – Workload Management – Security

28 Types of Virtualization

. Server Virtualization
. Storage Virtualization
. Application Virtualization

29 Containers

. Lightweight alternatives to fully virtualized machines
. An abstraction at the application layer
– Packages an application with all its dependencies in its own namespace
. Available in Linux, Windows, cloud and datacenter
. Containers virtualize the OS instead of the hardware
. Containers are more portable than VMs
. Used in development environments for a single application
. Take up less space

Diagram: App A, App B, App C and App D each run in their own container on a single Host OS, which runs on the Infrastructure.

30 Desktop Virtualization

• VMware Workstation (Local) • Microsoft Virtual PC (Local) • Citrix XenDesktop (Centralized)

31 Desktop Virtualization Architecture

Diagram: Applications run inside Guest OSs (Windows, Linux, or VMware ESX as a nested guest); each Guest OS is a Virtual Machine; the Virtual Machines run on a Virtual Machine Manager installed on the Host OS, which runs on the Physical Hardware.

32 Comparison

. VMware Workstation
– Costs more
– More host and guest support
– Better features (snapshots, USB)
– 64-bit hosts and guests
. Microsoft Virtual PC
– Free
– Less host and guest support
– Fewer VM features and capabilities

33 Benefits from Virtualization

• Save money and energy • Simplify management

34 Polling Question #5

One of the benefits of virtualization is the cost savings a) True b) False

35 35 Components of Virtual Machines?

• Configuration file • Hard disk file(s) • Virtual machine state file • In-memory file

36 Some Virtual Platforms

. VMware
– Owned by Dell at the time of the webinar (acquired by Broadcom in 2023)
– Runs on Windows, Linux, and in the cloud
– More 3rd-party products designed for it
. VirtualBox
– Open Source (GPL) base package; the Extension Pack is proprietary
– Now owned by Oracle
– Can be used on Windows, MacOS, and Linux
. Hyper-V
– By Microsoft
– Virtualizes x86-64 systems
– Has server and desktop editions
– Less expensive to deploy
. Kernel-based Virtual Machine (KVM)
– Open Source
– Now merged into Linux
– Turns Linux into a hypervisor
. Proxmox Virtual Environment
– Open Source
– Linux based (QEMU/KVM/LXC)
– Manages virtual servers, containers, storage, network, etc.
– Web-based interface

37 Uses

. Development . Testing . Training . Production Applications

38 Virtualization Types

• Hosted • Native or Bare-metal

39 Hosted Virtualization

. VMware Workstation . Oracle VirtualBox

40 Hosted Virtualization Architecture

Diagram: Applications → Guest OS (Windows, Linux, MAC OS) → Virtual Machines → Hypervisor (hosted, type 2) → Host OS → Physical Hardware.

41 Native Virtualization

• Citrix XenServer • VMware ESX/ESXi Server • Microsoft Hyper-V Server • Proxmox VE

42 Native (Bare-metal) Virtualization Architecture

Diagram: Applications → Guest OS (Windows, Linux, MAC OS) → Virtual Machines → Hypervisor (native, type 1) → Physical Hardware. There is no Host OS layer; the hypervisor runs directly on the hardware.

43 What is a hypervisor?

. A hypervisor, also called a virtual machine manager (VMM), is a program that allows multiple operating systems to share a single hardware host. Each appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other.

44 ESX & ESXi

. ESX has a Service Console, a heavily modified and stripped-down Red Hat Enterprise Linux 3 (Update 6), that is used for management purposes. During the boot process the Service Console bootstraps the VMkernel using initrd and then turns over full control of all hardware resources to the VMkernel. When the VMkernel takes over the hardware resources of the host, the Service Console is warm-booted and managed as a privileged virtual machine within the VMkernel.

. ESXi has no Linux Service Console: the hypervisor is loaded into memory at boot time, and the host is managed through the vSphere management interfaces, with vCenter Server (a separate management server with a web client) used to manage multiple hosts. ESXi is VMware's current architecture (ESX was retired after version 4.1) and, with the Service Console gone, has a smaller attack surface and better security, reliability and management than ESX.

45 Hyper-V

. Virtualization isolates critical applications . Virtualization helps to consolidate multiple physical servers into a singular server . Using a virtual machine increases the ease of backing up essential servers . Updates or changes to an OS can be made on a virtual machine to test stability before being applied to a production machine . Reduces the need for physical devices in educational environments

46 Hyper-V

. Hyper-V Requirements (as stated for Windows Server 2008; later Windows Server releases have the same kind of requirements)
– 64-bit version of Windows Server 2008 Standard, Enterprise, or Datacenter Edition
– A server with a 64-bit processor that supports hardware virtualization (Intel VT-x or AMD-V) and hardware-enforced Data Execution Prevention (Intel XD bit / AMD NX bit)
– Enough free memory and disk space to run the virtual machines and store the virtual hard drives; a virtual machine needs about the same memory and disk space as the physical machine it replaces

47 For Auditors – Important Controls

. For hosted virtualization, audit the underlying OS separately
. Documentation of the whole virtualization architecture, including the network, supported systems, management system, etc.
. Compare the implemented hypervisor configuration against the organizational security policy
. Determine how patches, updates, and upgrades are managed
. Determine what services and features are enabled and whether they are needed
. Review account and resource provisioning and deprovisioning
. Review the policy and procedure for provisioning and deprovisioning new hosts and VMs
. Evaluate the management of hardware capacity for the virtual environment
. Review how performance is managed and monitored (CPU, storage, memory, etc.)
. Review the backup policy and the Business Continuity/Disaster Recovery plan and its management
. Evaluate the security of remote hypervisor management

48 Polling Question #6

Hypervisor is a program which allows multiple operating systems to share a single hardware host. a) True b) False

49 Analysis – Design – Implement – Manage

Analysis: Discovery; Scenarios definition; Strategy definition; High level design; TCO/ROI analysis
Design: Detailed design; Implementation plan
Implement: Build virtual infrastructure; Test virtual infrastructure; Move to production
Manage: Maintain in operations; Monitor; Periodic review

Continuous Optimization and Project Management run across all four phases.

50 Virtualization Hands-on – VirtualBox Installation

Prerequisite

. Verify that Virtualization Technology is enabled, with Task Manager (Performance tab, CPU: "Virtualization: Enabled")
. Or verify it with systeminfo (the "Hyper-V Requirements" lines at the end of the output)

Note: older VirtualBox releases could run 32-bit guest operating systems without hardware virtualization; VirtualBox 6.1 and later require it for every guest.

51 Virtualization Hands-on, cont’d

. Go to virtualbox.org and click on the download button

. Supported OS – Windows – Linux – Mac – Solaris

52 Virtualization Hands-on, cont’d

Installing VirtualBox

. Double-click the downloaded file
. Select the defaults and click Next

53 Virtualization Hands-on, cont’d

. Configure how to start VirtualBox and click Next
. Click Yes to acknowledge the network warning

54 Virtualization Hands-on, cont’d

. Click Install . Click Yes to Windows verification message . Installation begins

55 Virtualization Hands-on, cont’d

. Check the "Start Oracle VM VirtualBox…" checkbox
. Click Finish
. If VirtualBox did not start, double-click the VirtualBox icon on the desktop

56 Virtualization Hands-on, cont’d

. Download the Extension Pack from https://www.virtualbox.org/wiki/Downloads
. Go to File -> Preferences -> Extensions -> Add new package
. Click on the "+" sign and browse to the downloaded file
. Click Install

Note: The Extension Pack provides support for USB 2.0 and 3.0 devices, VirtualBox RDP, disk encryption, etc.

57 Virtualization Hands-on, cont'd

. Host is installed.

58 Virtualization Hands-on – VirtualBox Installation

Creating a Guest VM
. Click the New button on the menu band at the top
. In the Name and operating system dialog screen:
– Enter a name for the VM
– Select a location for the VM file
– Select the OS
– Select the version of the OS
– Click Next

59 Virtualization Hands-on – VirtualBox Installation

Creating a Guest VM . Select how to manage storage and click Next . Select the disk file type and click Next

60 Virtualization Hands-on, cont’d

. Set the storage location and click Create

Note: The new VM is created and will show in the left panel. However, the guest operating system is not installed yet.

. Select the new VM . Click Start to power on the VM . Begin installing the guest OS

61 Virtualization – Proxmox VE Demo

. Open Source . Linux based . Use a regular web interface to manage hosts . Hosts can be clustered . Storage can be shared across hosts . Supports containers

62 Other Network Security Layers – Network Intrusion Detection

Diagram: Internet → Intranet path, with a copy of the traffic mirrored to a NIDS sensor sitting off the path.

. Passive traffic interception
– Send a copy of the traffic to the NIDS (SPAN/mirror port or network tap)
– Do not block the normal path
. Better performance / worse security: the sensor adds no latency and is not a single point of failure, but it can only alert on what it sees after the fact and cannot stop the packet; to block, the sensor must sit inline as an IPS

64 NIDS vs. Firewalls

. Actions:
– Firewalls: block or allow
– NIDS: alert the administrator, log; block only when deployed inline as an intrusion prevention system (IPS)
. Policies:
– Firewalls: ACL-style policy on (packet) attributes
– NIDS: attack signatures, statistical anomalies
. NIDS challenges:
– Evasion (encoding, fragmentation and other transformations that keep the attack intact but defeat the signature)
– False positives
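The two NIDS challenges on this slide are easiest to see with a small signature engine. The Python below is an added example written for this page, not code from the webinar or from any IDS product: it runs two string signatures over a handful of constructed HTTP request lines, once on the raw line and once after the kind of normalization (percent-decoding, "/./" collapsing) that real sensors such as Snort or Suricata perform in their HTTP decoder. The percent-encoded request slips past the raw match and is caught after normalization (evasion), the benign documentation page fires the /etc/passwd signature both times (false positive), and a simple count-per-source rule stands in for the statistical-anomaly policy. The signatures, request lines and addresses are all constructed for the example.

```python
"""Toy NIDS signature matching over HTTP request lines, with evasion and a false positive.

Added example, not part of the webinar. Request lines, signatures and the
threshold are constructed; real sensors normalise decoded protocol data
before matching for exactly the reason shown here.
"""
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Signature name -> literal pattern searched for in the request line.
SIGNATURES: Dict[str, str] = {
    "WEB-ATTACK /etc/passwd access": "/etc/passwd",
    "WEB-ATTACK directory traversal": "../",
}

# Constructed traffic: (source address, HTTP request line).
TRAFFIC: List[Tuple[str, str]] = [
    ("198.51.100.20", "GET /index.html HTTP/1.1"),
    ("198.51.100.20", "GET /docs/etc/passwd-format.html HTTP/1.1"),                    # benign: false positive
    ("203.0.113.9", "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1"),                # plain attack
    ("203.0.113.9", "GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1"),  # percent-encoded evasion
    ("203.0.113.9", "GET /cgi-bin/view?file=/etc/./passwd HTTP/1.1"),                   # "/./" padding evasion
]


def naive_alerts(request_line: str) -> List[str]:
    """Raw substring matching: what a sensor without protocol decoding sees."""
    return [name for name, pattern in SIGNATURES.items() if pattern in request_line]


def normalise(request_line: str) -> str:
    """Decode percent-encoding (twice, to defeat double encoding) and drop '/./' segments."""
    text = unquote(unquote(request_line))
    while "/./" in text:
        text = text.replace("/./", "/")
    return text


def normalised_alerts(request_line: str) -> List[str]:
    """Same signatures applied after normalisation: the two evasions above no longer work."""
    return naive_alerts(normalise(request_line))


def scan(traffic: List[Tuple[str, str]], matcher) -> Dict[str, List[str]]:
    """Map each request line that fired at least one signature to its alert names."""
    return {line: matcher(line) for _, line in traffic if matcher(line)}


def anomaly_sources(traffic: List[Tuple[str, str]], threshold: int) -> List[str]:
    """Statistical rule: sources that sent at least `threshold` requests in the sample."""
    counts = Counter(src for src, _ in traffic)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("raw match fired on:", list(scan(TRAFFIC, naive_alerts)))
    print("normalised match fired on:", list(scan(TRAFFIC, normalised_alerts)))
    print("noisy sources:", anomaly_sources(TRAFFIC, 3))
```

Note that normalization removes the evasions but not the false positive: the documentation page still matches, which is why signature tuning and analyst review remain part of running a NIDS.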

65 Using Proxy Servers

. Prevent the outside world from gathering information about your internal network
. Provide valuable log information
. Can redirect certain traffic, based on configuration
. Typically runs on the firewall machine
. Protects against spoofing

66 Network Address Translation

Diagram: the rest of the local network (e.g., a home network) uses 10.0.0.0/24, with addresses 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 on the inside; the NAT router's Internet-facing address is 138.76.29.7.

. All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers
. Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual)
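The port-based translation table behind the two statements above, as an added example for this page (not code from the webinar): the inside network 10.0.0.0/24 and the public address 138.76.29.7 are taken from the slide, while the port numbers, the remote server address 198.51.100.80 and the datagrams themselves are constructed. Two inside hosts that happen to use the same local port both leave with source 138.76.29.7 and are told apart only by the public port the NAT assigned; a reply is mapped back through the table, and an inbound datagram with no table entry is dropped, which is the firewall-like side effect of NAT (and why a server behind NAT needs an explicit port forward).

```python
"""Port-based NAT (NAPT) translation table for the diagram above.

Added example, not part of the webinar. Inside network 10.0.0.0/24 and the
public address 138.76.29.7 come from the slide; the port numbers, the remote
server 198.51.100.80 and the datagrams are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Rewrites outbound source (ip, port) to (public_ip, fresh port) and reverses it on replies."""

    def __init__(self, public_ip: str, first_public_port: int = 5001) -> None:
        self.public_ip = public_ip
        self._next_port = first_public_port
        # public port -> (private ip, private port)
        self.table: Dict[int, Tuple[str, int]] = {}
        self._by_private: Dict[Tuple[str, int], int] = {}

    def outbound(self, d: Datagram) -> Datagram:
        """Translate a datagram leaving the local network; a mapping is created on first use."""
        private = (d.src_ip, d.src_port)
        port = self._by_private.get(private)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self.table[port] = private
            self._by_private[private] = port
        return Datagram(self.public_ip, port, d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Translate a datagram arriving from the Internet; None means no mapping, so it is dropped.

        Unsolicited inbound traffic never has a table entry; a service behind the
        NAT needs a static port forward (a manually added entry) to be reachable.
        """
        if d.dst_ip != self.public_ip:
            return None
        private = self.table.get(d.dst_port)
        if private is None:
            return None
        return Datagram(d.src_ip, d.src_port, private[0], private[1])


def demo() -> Dict[str, object]:
    """Two inside hosts use the same local port; the NAT keeps them apart by public port."""
    nat = Nat("138.76.29.7")
    server = "198.51.100.80"
    a = nat.outbound(Datagram("10.0.0.1", 3345, server, 80))
    b = nat.outbound(Datagram("10.0.0.2", 3345, server, 80))
    reply_to_b = nat.inbound(Datagram(server, 80, "138.76.29.7", b.src_port))
    unsolicited = nat.inbound(Datagram(server, 80, "138.76.29.7", 22))
    return {"a": a, "b": b, "reply_to_b": reply_to_b,
            "unsolicited": unsolicited, "table": dict(nat.table)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Real NAT devices also age entries out of the table and track TCP connection state; the example keeps only the address and port rewriting that the slide describes.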
