1
00:00:00,860 --> 00:00:06,830
Welcome to the lecture on network traffic monitoring. First, we will recall some basic information about

2
00:00:06,830 --> 00:00:09,500
firewalls and their configuration.

3
00:00:09,740 --> 00:00:15,170
The firewall, which is really a special kind of router, should control the network traffic rather than

4
00:00:15,230 --> 00:00:18,010
unobtrusively send senders' and receivers' packets.

5
00:00:20,920 --> 00:00:26,690
The firewall should send only those packets that were allowed and block all others. Which packets get

6
00:00:26,690 --> 00:00:30,110
through and which packets get blocked is specified by the rules.

7
00:00:31,810 --> 00:00:38,950
That is, the conditions according to which the firewall processes the packets. Such a condition in the

8
00:00:38,950 --> 00:00:42,220
general form looks as follows.

9
00:00:42,430 --> 00:00:46,730
Depending on the criteria the packet meets, it should be blocked or accepted.

10
00:00:47,770 --> 00:00:53,260
The information saved in the headers of the protocols of the lower layers of the OSI model is, historically

11
00:00:53,260 --> 00:00:53,660
wise,

12
00:00:53,830 --> 00:01:00,340
the first criteria that appeared. You can create rules that will filter the traffic on the basis of the

13
00:01:00,340 --> 00:01:10,200
sender's address, recipient's address, sender's port or receiver's port.

14
00:01:10,220 --> 00:01:16,130
There are two approaches to creating such rules, or configuring the network firewall.

15
00:01:16,160 --> 00:01:21,690
The first says that the default rule should be a block rule: everything that is not explicitly allowed

16
00:01:21,780 --> 00:01:23,400
will be blocked by the firewall.

17
00:01:26,370 --> 00:01:32,410
An alternative approach is to create a default rule that will be an allow rule: all traffic except for

18
00:01:32,410 --> 00:01:36,340
packets explicitly blocked will be permitted to pass through the firewall.
19
00:01:37,730 --> 00:01:42,510
Security-wise, the only effective way is to use the first approach. By default,

20
00:01:42,530 --> 00:01:47,020
everything that may threaten the security of computers that are to be protected must be blocked.

21
00:01:48,020 --> 00:01:54,900
The same intuitive rules should be applied in other security solutions. In the same way, you should prevent

22
00:01:54,900 --> 00:01:59,520
users from running any program of their liking and allow them only to install ones that are known to

23
00:01:59,520 --> 00:02:00,420
be safe.

24
00:02:01,740 --> 00:02:03,550
We will return to this issue later.

25
00:02:04,380 --> 00:02:08,420
When it comes to firewalls, we all realize that the default rule should be a block rule;

26
00:02:11,780 --> 00:02:18,110
such an attitude isn't very popular in other aspects of computer network security yet.

27
00:02:18,200 --> 00:02:25,270
Historically, the first method of filtering network traffic was IP header analysis. In its time it was

28
00:02:25,270 --> 00:02:27,540
an effective solution.

29
00:02:27,560 --> 00:02:31,250
We're talking about situations dating back more than 15 years.

30
00:02:32,510 --> 00:02:38,170
Back then, computers exchanged data only if they had public IP addresses.

31
00:02:38,260 --> 00:02:42,490
No one used masks or, moreover, virtual and private addresses.

32
00:02:42,560 --> 00:02:46,950
Since then the situation has changed, so these kinds of firewalls are no longer effective.

33
00:02:48,350 --> 00:02:51,850
The use of the IP protocol has changed in the last 15 years.

34
00:02:54,990 --> 00:02:59,760
Another functionality that firewalls have acquired over the years is the ability to filter traffic on

35
00:02:59,760 --> 00:03:08,530
the basis of the headers of the fourth layer, the transport layer, protocols such as TCP and UDP. Because

36
00:03:08,530 --> 00:03:12,330
these protocols are responsible for establishing the communication channel,
37
00:03:12,550 --> 00:03:18,520
it was possible to filter traffic on the basis of, for example, port numbers.

38
00:03:18,670 --> 00:03:23,150
It was possible to allow web browsing and deny P2P traffic.

39
00:03:23,230 --> 00:03:26,450
It's all done by filtering on the basis of some constant features.

40
00:03:26,470 --> 00:03:33,710
For example, port numbers: it is assumed that a given service will always run on the same port.

41
00:03:36,460 --> 00:03:42,890
Firewalls filtering by transport layer protocol headers can usually check the session state too.

42
00:03:42,970 --> 00:03:49,780
This is the basis for the division of firewalls into stateless and stateful. If a trusted computer, located

43
00:03:49,780 --> 00:03:55,600
in your private network, initiates communication, the Internet connection firewall should allow

44
00:03:55,600 --> 00:03:57,740
it.

45
00:03:57,780 --> 00:04:02,310
This is due to the fact that the decision to connect to a less trusted server is consciously made by

46
00:04:02,310 --> 00:04:03,520
a trusted user.

47
00:04:04,920 --> 00:04:08,990
If, however, the server itself initiated the session, then it should be blocked.

48
00:04:10,420 --> 00:04:16,610
That would be an untrusted computer trying to connect to one of the protected computers. TCP session

49
00:04:16,620 --> 00:04:20,320
direction is crucial here.

50
00:04:20,390 --> 00:04:24,250
We will return to the issue of TCP session direction later in the lecture.

51
00:04:28,690 --> 00:04:32,410
The next step in the development of firewalls was to enable them to filter packets

52
00:04:32,410 --> 00:04:36,820
not on the basis of headers, but on the basis of data.

53
00:04:37,020 --> 00:04:41,730
You will notice that any firewall and almost every network monitor is equipped with the functionality

54
00:04:41,790 --> 00:04:49,490
allowing them to reassemble data. A set of data can be divided into several packets.
55
00:04:49,570 --> 00:04:55,690
Therefore, before making a decision whether it is correct or if a file type is allowed, data from multiple

56
00:04:55,690 --> 00:05:03,250
packets must be gathered together. The data from these packets must be reassembled into one unit. This

57
00:05:03,250 --> 00:05:08,680
operation is computationally expensive and time-consuming.

58
00:05:08,810 --> 00:05:15,000
Therefore, application layer firewalls usually don't protect individual computers.

59
00:05:15,070 --> 00:05:22,780
They're specialized devices whose task is to protect whole networks in real time. A situation where it

60
00:05:22,780 --> 00:05:28,660
takes a minute or even a couple of seconds for a firewall to assemble packets together, examine their

61
00:05:28,660 --> 00:05:31,450
contents and send them back is unsustainable.

62
00:05:33,790 --> 00:05:41,150
Application layer firewalls are rather expensive devices of large computational power. A separate issue

63
00:05:41,150 --> 00:05:47,640
that should be discussed is the issue of data encryption. With an application layer firewall installed

64
00:05:47,640 --> 00:05:48,750
and configured,

65
00:05:48,750 --> 00:05:54,570
another problem arises, that is, when the firewall should let packets through and when to block them.

66
00:05:54,570 --> 00:05:55,970
If the data is encrypted,

67
00:05:58,830 --> 00:06:05,340
the firewall should be able to first decrypt the data and later re-encrypt it.

68
00:06:05,400 --> 00:06:09,480
Without this, the data would be completely unreadable for the firewall.

69
00:06:09,620 --> 00:06:16,980
The requirement to encrypt all data does not automatically improve the security of computer networks.

70
00:06:16,990 --> 00:06:19,980
It may sometimes have the opposite effect.

71
00:06:20,050 --> 00:06:25,040
Anyone who wants to send your private data outside will encrypt the data before sending it,
72
00:06:25,090 --> 00:06:28,860
having a good chance of fooling your firewalls and intrusion detection systems.

73
00:06:39,040 --> 00:06:40,770
Even though the firewalls are not perfect,

74
00:06:40,850 --> 00:06:45,100
they're very useful and effective indeed for the purposes they were created for.

75
00:06:48,440 --> 00:06:52,120
Firewalls should be used to control traffic between networks and subnets.

76
00:06:55,090 --> 00:07:00,820
You should use them to control the transmission of messages that are not needed outside, primarily diagnostic

77
00:07:00,820 --> 00:07:01,620
messages.

78
00:07:03,280 --> 00:07:06,320
Such a control should take place on a corporate network boundary

79
00:07:06,340 --> 00:07:12,870
or even the boundaries of individual subnets. While blocking the ICMP protocol at the subnet level

80
00:07:12,870 --> 00:07:19,240
can cause some trouble, logging these messages at the boundary is reasonable.

81
00:07:19,240 --> 00:07:25,400
The firewalls are perfect for controlling traffic between subnets. Having divided the network into

82
00:07:25,400 --> 00:07:26,220
subnets,

83
00:07:26,420 --> 00:07:31,280
you can allow access to the subnet which hosts database servers only through the port the service listens

84
00:07:31,280 --> 00:07:35,930
on. In this way you prevent people from using them for other purposes,

85
00:07:36,080 --> 00:07:37,880
for example as file servers.

86
00:07:40,540 --> 00:07:47,300
Firewalls can be used also to block specific hosts or services. Most firewalls have a useful feature

87
00:07:47,300 --> 00:07:49,970
of generating traffic history.

88
00:07:49,990 --> 00:07:54,150
You can make a record of packets that passed through the firewall.

89
00:07:54,190 --> 00:07:58,920
This is useful in case you have to prove that an attack happened or track down the source of an attack.