Transcript of The Institute of Internal Auditors Detroit Chapter Presents

Page 1: The Institute of Internal Auditors Detroit Chapter Presents

The Institute of Internal Auditors Detroit Chapter Presents

Page 2: The Institute of Internal Auditors Detroit Chapter Presents

Use Cases – Webinar Series, IIA Detroit Chapter

Webinar #4 – Firewall and Virtualization

Page 3: The Institute of Internal Auditors Detroit Chapter Presents

If You Have Questions…

Submit Questions and/or Comments via chat

Page 4: The Institute of Internal Auditors Detroit Chapter Presents

Earning CPE Credit

In order to receive CPE credit for this webcast, participants must:

– Attend the webcast on an individual device (one person per computer/device)

– Answer the polling questions asked throughout the webcast

CPE certificates will be sent to the e-mail address on your Zoom account within two weeks of this webinar.

If you are unsure whether the correct email address is on your Zoom account, please send us the correct email in a chat message.

Page 5: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #1: Please tell us your member status

A) Member – Detroit Chapter

B) Member – Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)

C) Member – Other District

D) Non-member

Page 6: The Institute of Internal Auditors Detroit Chapter Presents

Agenda

Firewall/Demo – One hour

Virtualization/Demo – One hour

Page 7: The Institute of Internal Auditors Detroit Chapter Presents

Firewalls

Firewall – a firewall is a host that mediates access to a network, allowing and disallowing certain types of access based on a configured security policy

– Used to allow access to ports, protocols, etc.

– Allows outbound traffic

– Blocks unauthorized inbound traffic

– Is a combination of hardware and software

– Comes “for free” inside many devices: routers, modems, wireless base stations, etc.

– Use firewalls to achieve selective border control

– Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)

Page 8: The Institute of Internal Auditors Detroit Chapter Presents

Firewall Placement

• In border network devices at the edge of your network

• In interior network devices that move traffic from the border into your network

• In a DMZ, which is a series of routers/switches that surround the strategic IT assets

• In separate routers or router combinations that each enclose a segregated portion of the network

• In software firewalls on all the individual workstations

Page 9: The Institute of Internal Auditors Detroit Chapter Presents

Firewall Placement – Example

Filter traffic going across the perimeter boundary

Various levels of sophistication

[Diagram: Intranet behind a Firewall at the perimeter boundary]

Page 10: The Institute of Internal Auditors Detroit Chapter Presents

Firewall Placement – Example DMZ

[Diagram: Firewall separating the Intranet (Desktop, Intranet Web Server) from the DMZ (Public Web Server, DNS Server, Mail Server)]

Page 11: The Institute of Internal Auditors Detroit Chapter Presents

What Firewalls can’t do

• They are not a panacea – they only add to defense in depth

• If not managed properly, they can provide a false sense of security

• Cannot prevent insider attack

• Firewalls act in a particular layer (or layers)

– Most firewalls work at Layers 3 (Network) and 7 (Application)

– Web Application Firewalls work on Layers 3, 4, 5, and 7

Page 12: The Institute of Internal Auditors Detroit Chapter Presents

Firewalls Categorized by Development Era

First generation: static packet filtering firewalls

Second generation: application-level firewalls or proxy servers

Third generation: stateful inspection firewalls (allows only packets for a specific function and port, e.g. UDP traffic for a certain port)

Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination and port addresses to enter

Fifth generation: Next Generation Firewall. Even has built-in Data Loss Prevention (DLP) capabilities

Presenter
Presentation Notes
First generation firewalls are static packet filtering firewalls and filter packets according to their headers as the packets travel to and from the organization’s networks. Second generation firewalls are application-level firewalls or proxy servers — dedicated systems that are separate from the filtering router and that provide intermediate services for requestors. Third generation firewalls are stateful inspection firewalls, and monitor network connections between internal and external systems using state tables. Fourth generation firewalls are dynamic packet filtering firewalls and allow only a particular packet with a particular source, destination, and port address to enter. Fifth generation firewalls are kernel proxy and are a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.
Page 13: The Institute of Internal Auditors Detroit Chapter Presents

Firewalls Categorized by Deployment Structure

Most firewalls are appliances: stand-alone, self-contained systems

A commercial-grade firewall system consists of firewall application software running on a general-purpose computer

Small office/home office (SOHO) or residential-grade firewalls, aka broadband gateways or DSL/cable modem routers, connect the user’s local area network or a specific computer system to the Internetworking device

Residential-grade firewall software is installed directly on the user’s system

Cloud firewalls are implemented in the cloud with integration with subscribing organizations

Page 14: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #2

If I have a Next Generation Firewall installed in my network, I don’t need anything else: My network is protected with the latest technology

a) True

b) False

Page 15: The Institute of Internal Auditors Detroit Chapter Presents

Selecting the Right Firewall

When selecting a firewall, consider a number of factors:

– What firewall offers the right balance between protection and cost for the needs of the organization?

– What features are included in the base price and which are not?

– Ease of setup and configuration? How accessible are staff technicians who can configure the firewall?

– Can the firewall adapt to the organization’s growing network?

Presenter
Presentation Notes
Selecting the Right Firewall When selecting the best firewall for an organization, you should consider a number of factors. The most important of these is the extent to which the firewall design provides the desired protection: What type of firewall technology offers the right balance between protection and cost for the needs of the organization? What features are included in the base price? What features are available at extra cost? Are all cost factors known? How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? Can the candidate firewall adapt to the growing network in the target organization? The second most important issue is cost.
Page 16: The Institute of Internal Auditors Detroit Chapter Presents

Configuring and Managing Firewalls

Each firewall device must have its own set of configuration rules regulating its actions

Firewall policy configuration is usually complex and difficult

Configuring firewall policies is both an art and a science

When security rules conflict with the performance of business, security often loses

Presenter
Presentation Notes
Configuring and Managing Firewalls Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules that regulate its actions. The configuration of firewall policies can be complex and difficult. Configuring firewall policies is as much an art as a science. Each configuration rule must be carefully crafted, debugged, tested, and sorted. When configuring firewalls, keep one thing in mind: when security rules conflict with the performance of business, security often loses.
Page 17: The Institute of Internal Auditors Detroit Chapter Presents

Best Practices for Firewalls

All traffic from the trusted network is allowed out

The firewall device is never directly accessed from the public network

Simple Mail Transfer Protocol (SMTP) data is allowed to pass through the firewall

Internet Control Message Protocol (ICMP) data is denied. (Ping is ICMP.) ICMP can be used for simple DoS.

Telnet access to internal servers should be blocked. Use SSH.

The FTP protocol should be blocked. Use S-FTP instead.

When Web services are offered outside the firewall, HTTP traffic should be denied from reaching internal networks

Presenter
Presentation Notes
Best Practices for Firewalls All traffic from the trusted network is allowed out. The firewall device is never directly accessible from the public network. SMTP data is allowed to pass through the firewall, but should be routed to a well-configured SMTP gateway to filter and route messaging traffic securely. All ICMP data should be denied. Telnet access to all internal servers from the public networks should be blocked. When Web services are offered outside the firewall, HTTP traffic should be denied from reaching your internal networks through the use of some form of proxy access or DMZ architecture.
Page 18: The Institute of Internal Auditors Detroit Chapter Presents

Best Practices for Firewalls

Security Activity

Deny all traffic by default and then add rules for what needs to be allowed

Use NGFW firewalls instead of packet filters, except for border routers

Firewall configuration backups should not be stored in the network protected by the same firewall

Maintain a network application matrix in a table and make this matrix available to firewall administrators

Perform a quarterly review of firewall policies

Provide High Availability and redundancy

Security Activity

Install a firewall in front of any subnet classified as critical

Use the principle of least privilege. Allow the minimum number of protocols from the minimum number of sources to the minimum number of destinations

At a minimum, block ingress access to the following ports:

TCP: 135, 137, 138, 139, 445, and 3389.

UDP: 135, 137, 138, 139, 445, and 3389.

This will prevent Windows remote logins and file sharing through the firewall
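The "deny by default, then add what is needed" rule on this slide and the outbound-allowed / inbound-blocked behaviour from the firewall definition can be checked mechanically. The following is an added example written for this transcript, not code from the webinar or from any firewall product: a first-match rule evaluator with a final catch-all deny, plus a check that walks the slide's list of Windows ports and reports any the policy would still admit from outside. The trusted network 10.0.0.0/24, the SMTP gateway and DMZ web server addresses, and the 203.0.113.x / 198.51.100.x outside addresses are constructed values.

```python
"""Default-deny border firewall policy, evaluated against sample packets.

Added example, not code from the slides or from any firewall product. The
rule format, the trusted network 10.0.0.0/24 and the gateway addresses are
assumptions chosen to match the slide's advice.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Ports the slide lists for ingress blocking (Windows RPC, NetBIOS, SMB, RDP).
WINDOWS_INGRESS_BLOCK = frozenset({135, 137, 138, 139, 445, 3389})
TRUSTED_NET = "10.0.0.0/24"      # assumed inside (trusted) network
SMTP_GATEWAY = "10.0.0.25/32"    # assumed well-configured SMTP gateway
DMZ_WEB = "10.0.0.80/32"         # assumed public web server in the DMZ


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # destination port; 0 for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    proto: Optional[str] = None              # None matches any protocol
    src: Optional[str] = None                # CIDR; None matches any source
    dst: Optional[str] = None                # CIDR; None matches any destination
    dports: Optional[FrozenSet[int]] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


# First match wins. Only what the business needs is allowed; the last rule
# denies everything else, so ICMP, Telnet, FTP and the Windows ports above all
# fall through to it without needing individual deny rules.
POLICY: List[Rule] = [
    Rule("allow-trusted-outbound", "allow", src=TRUSTED_NET),
    Rule("allow-smtp-to-gateway", "allow", proto="tcp", dst=SMTP_GATEWAY, dports=frozenset({25})),
    Rule("allow-http-to-dmz-web", "allow", proto="tcp", dst=DMZ_WEB, dports=frozenset({80, 443})),
    Rule("default-deny", "deny"),
]


def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # only reached when a policy lacks a final catch-all


def ingress_leaks(policy: List[Rule] = POLICY,
                  outside: str = "203.0.113.10", inside: str = "10.0.0.50") -> List[Tuple[str, int]]:
    """(proto, port) pairs from the slide's block list that the policy still admits from outside."""
    leaks = []
    for proto in ("tcp", "udp"):
        for port in sorted(WINDOWS_INGRESS_BLOCK):
            action, _ = evaluate(Packet(proto, outside, inside, port), policy)
            if action == "allow":
                leaks.append((proto, port))
    return leaks


if __name__ == "__main__":
    samples = [
        Packet("icmp", "203.0.113.10", "10.0.0.50"),       # ping from outside
        Packet("tcp", "10.0.0.50", "198.51.100.7", 443),   # user browsing out
        Packet("tcp", "203.0.113.10", "10.0.0.25", 25),    # mail to the gateway
        Packet("tcp", "203.0.113.10", "10.0.0.50", 23),    # telnet to an inside host
        Packet("tcp", "203.0.113.10", "10.0.0.50", 3389),  # RDP to an inside host
    ]
    for p in samples:
        print(p, "->", evaluate(p))
    print("leaks with a permissive policy:", ingress_leaks([Rule("allow-all", "allow")]))
```

Because the final rule denies everything not explicitly allowed, the Telnet, FTP, ICMP and Windows-port cases need no rule of their own; `ingress_leaks` is the kind of check an auditor can run against an exported rule base to confirm the slide's minimum block list actually holds.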

Page 19: The Institute of Internal Auditors Detroit Chapter Presents

Best Practices for Firewalls

Security Activity

Install and configure a Web Application Firewall for web applications

Perform periodic penetration tests of the firewall

Only VPNs should be used to bypass firewall policies

Page 20: The Institute of Internal Auditors Detroit Chapter Presents

Audit Considerations

Review the organization’s security policies and procedures and verify that the policies are implemented in the firewall(s)

Obtain and review network diagrams

Verify that logging is enabled in the firewall(s)

Review the log monitoring process and procedures

Obtain and review the last vulnerability scan and penetration test reports

Identify all allowed VPN entries

Obtain and review the firewall vendor information

Verify that default passwords have been changed

Review the change management process for rules and configuration changes

Verify that the firewall is physically secure

Identify redundant rules, unused objects, and unused connections, and have those removed

Review the ACLs implemented

Identify who has access to the firewall and who can make changes to the firewall

Page 21: The Institute of Internal Auditors Detroit Chapter Presents

Audit Considerations…(cont’d)

Consider using Center for Internet Security (CIS) standards to secure the firewall

Consider using automated tools to audit firewalls

– Firewall rules and configuration information may be many pages

– Firewall rules may not have been documented

If you have many firewalls, consider bringing in a 3rd party, with access to a tool, to review the firewalls

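The audit items "identify redundant rules, unused objects ... and have those removed" and "consider using automated tools to audit firewalls" on the two slides above come down to a few mechanical checks over an exported rule base. The script below is an added example written for this transcript, not the webinar's material and not any vendor's audit tool. It reads a constructed CSV export (the column layout is an assumption; real exports differ by product), then reports rules that are shadowed by an earlier, broader rule, flags the dangerous case where the shadowed rule's action differs from the rule hiding it, and lists rules with zero hits.

```python
"""Rule-base audit: find shadowed, conflicting and unused firewall rules.

Added example, not code from the slides or from any vendor's audit tool. It
reads a constructed CSV export; real exports differ by product, so the column
layout (id, action, proto, src, dst, ports, hits) is an assumption.
"""
import csv
from io import StringIO
from ipaddress import ip_network

ANY = "any"

# Constructed sample rule base, in evaluation order, with hit counters as a
# firewall would report them.
SAMPLE_EXPORT = """\
id,action,proto,src,dst,ports,hits
10,allow,tcp,10.0.0.0/24,0.0.0.0/0,any,120453
20,allow,tcp,0.0.0.0/0,10.0.0.25/32,25,3311
30,allow,tcp,0.0.0.0/0,10.0.0.25/32,25,0
35,deny,tcp,203.0.113.0/24,10.0.0.25/32,25,0
40,deny,any,0.0.0.0/0,10.0.0.0/24,135;137;138;139;445;3389,77
50,allow,tcp,10.0.0.0/24,198.51.100.0/24,443,0
60,allow,udp,0.0.0.0/0,10.0.0.53/32,53,90210
70,deny,any,0.0.0.0/0,0.0.0.0/0,any,5520
"""


def parse_ports(field):
    return ANY if field == ANY else frozenset(int(p) for p in field.split(";"))


def load_rules(text):
    """Parse the CSV export into dicts holding network objects and port sets."""
    rules = []
    for row in csv.DictReader(StringIO(text)):
        rules.append({
            "id": int(row["id"]), "action": row["action"], "proto": row["proto"],
            "src": ip_network(row["src"]), "dst": ip_network(row["dst"]),
            "ports": parse_ports(row["ports"]), "hits": int(row["hits"]),
        })
    return rules


def covers(earlier, later):
    """True when every packet `later` could match is already matched by `earlier`."""
    proto_ok = earlier["proto"] == ANY or earlier["proto"] == later["proto"]
    ports_ok = earlier["ports"] == ANY or (later["ports"] != ANY and later["ports"] <= earlier["ports"])
    return (proto_ok and ports_ok
            and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def find_shadowed(rules):
    """(rule id, shadowing rule id, actions differ) for rules that can never fire.

    A shadowed rule whose action differs from the rule hiding it is the
    dangerous case: the administrator believes a deny (or allow) is in effect
    when the earlier rule has already decided the packet.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later["id"], earlier["id"], earlier["action"] != later["action"]))
                break
    return found


def find_unused(rules):
    """Rule ids with zero hits: removal candidates once confirmed not to be seasonal."""
    return [r["id"] for r in rules if r["hits"] == 0]


RULES = load_rules(SAMPLE_EXPORT)

if __name__ == "__main__":
    for rid, by, conflict in find_shadowed(RULES):
        print(f"rule {rid} is shadowed by rule {by}" + (" (action conflict!)" if conflict else ""))
    print("unused rules:", find_unused(RULES))
```

In the sample, rule 30 duplicates rule 20, rule 50 is already covered by the broad outbound allow in rule 10, and rule 35 is a deny that never fires because rule 20 allows the same traffic first; the zero hit counters on 30, 35 and 50 corroborate the shadow analysis, which is the cross-check an auditor wants before asking for those rules to be removed or reordered.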
Page 22: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #3

Firewalls should never be available for access from public networks

a) True

b) False

Page 23: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #4

To have a layered defense, an organization must consider implementation of:

a) Firewalls

b) DMZ

c) IDS/IPS

d) All of the above

Page 24: The Institute of Internal Auditors Detroit Chapter Presents

Demo 1 – Windows Defender Firewall

Page 25: The Institute of Internal Auditors Detroit Chapter Presents

Demo 2 – Enterprise Firewall – VyOS

Open Source – originally Vyatta

Router and firewall, Linux based

Available features

– Routing

– Firewall and NAT

– VPN

– Network services (DNS forwarding, DHCP, Netflow, etc.)

Enabled modules can also include IDS

Cloud support

Page 26: The Institute of Internal Auditors Detroit Chapter Presents

Demo 2 – Enterprise Firewall – VyOS...(cont’d)

[Diagram: Internet – Gateway – Primary Firewall and Secondary Firewall]

Page 27: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization

Page 28: The Institute of Internal Auditors Detroit Chapter Presents

What is Virtualization?

The creation of virtual resources such as servers, desktops, switches, storage, etc. used to address the computing needs of the organization.

– Abstraction of the hardware

– The VM is stored as a file on the disk

Goals of Virtualization

– Scalability

– Workload Management

– Security

Page 29: The Institute of Internal Auditors Detroit Chapter Presents

Types of Virtualization

Desktop Virtualization

Server Virtualization

Network Virtualization

Storage Virtualization

Application Virtualization

Page 30: The Institute of Internal Auditors Detroit Chapter Presents

Containers

Lightweight alternatives to fully virtualized machines

An abstraction at the application layer

– Packages an application with all the dependencies in its own namespace

Available in Linux, Windows, Cloud and Datacenter

Containers virtualize the OS instead of the hardware

Containers are more portable than VMs

Used in development environment on a single application

Take up less space

[Diagram: Infrastructure – Host OS – Docker – App A, App B, App C, App D]

Page 31: The Institute of Internal Auditors Detroit Chapter Presents

Desktop Virtualization

• VMware Workstation (Local)

• Microsoft Virtual PC (Local)

• Citrix XenDesktop (Centralized)

Page 32: The Institute of Internal Auditors Detroit Chapter Presents

Desktop Virtualization Architecture

[Diagram: Physical layer – Hardware, Host OS, Virtual Machine Manager; Virtual layer – Virtual Machines, each with a Guest OS (VMware ESX, Windows, Linux) and Applications]

Page 33: The Institute of Internal Auditors Detroit Chapter Presents

Comparison

VMware Workstation

– Costs more

– More host & guest support

– Better features (Snapshots, USB)

– 64-bit hosts and guests

Microsoft Virtual PC

– Free

– Less host & guest support

– Fewer VM features and capabilities

Page 34: The Institute of Internal Auditors Detroit Chapter Presents

Benefits from Virtualization

• Save money and energy

• Simplify management

Page 35: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #5

One of the benefits of virtualization is the cost savings

a) True

b) False

Page 36: The Institute of Internal Auditors Detroit Chapter Presents

Components of Virtual Machines?

• Configuration file

• Hard disk file(s)

• Virtual machine state file

• In-memory file

Page 37: The Institute of Internal Auditors Detroit Chapter Presents

Some Virtual Platforms

VMware

– Now owned by Dell

– Runs on Windows, Linux, and in the cloud

– More 3rd-party products designed for it

Hyper-V

– By Microsoft

– Virtualizes x86-64 systems

– Has server and desktop

– Less expensive to deploy

VirtualBox

– Originally Open Source

– Now owned by Oracle

– Can be used in Windows, MacOS, and Linux

Kernel-based Virtual Machine (KVM)

– Open Source

– Now merged into Linux

– Turns Linux into a hypervisor

Proxmox Virtual Environment

– Open Source

– Linux based (QEMU/KVM/LXC)

– Manages virtual server, containers, storage, network, etc.

– Web-based interface

Page 38: The Institute of Internal Auditors Detroit Chapter Presents

Uses

Development

Testing

Training

Production Applications

Page 39: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Types

• Hosted

• Native or Bare-metal

Page 40: The Institute of Internal Auditors Detroit Chapter Presents

Hosted Virtualization

VMware Workstation

Oracle VirtualBox

Page 41: The Institute of Internal Auditors Detroit Chapter Presents

Hosted Virtualization Architecture

[Diagram: Physical layer – Hardware, Host OS, Hypervisor; Virtual layer – Virtual Machines, each with a Guest OS (MAC OS, Windows, Linux) and Applications]

Page 42: The Institute of Internal Auditors Detroit Chapter Presents

Native Virtualization

• Citrix XenServer

• VMware ESX/ESXi Server

• Microsoft Hyper-V Server

• Proxmox VE

Page 43: The Institute of Internal Auditors Detroit Chapter Presents

Native (Bare-metal) Virtualization Architecture

[Diagram: Physical layer – Hardware, Hypervisor (Native); Virtual layer – Virtual Machines, each with a Guest OS (MAC OS, Windows, Linux) and Applications]

Page 44: The Institute of Internal Auditors Detroit Chapter Presents

What is a hypervisor?

A hypervisor, also called a virtual machine manager (VMM), is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other.

Page 45: The Institute of Internal Auditors Detroit Chapter Presents

ESX & ESXi

ESX has a Service Console, based on a heavily modified and stripped-down Red Hat Enterprise Linux 3 (Update 6), that is used for management purposes. During the boot process the Service Console bootstraps the VMkernel using initrd and then turns over full control of all hardware resources to the VMkernel. When the VMkernel takes over the hardware resources of the host, the Service Console is warm booted and managed as a privileged virtual machine within the VMkernel.

ESXi uses the vSphere architecture and does not have a Linux Service Console but instead uses vCenter, a separate web tool, to manage multiple vSphere hosts. This is the current architecture of VMware and offers better hypervisor architecture, security, reliability, and management than ESX. With ESXi, the hypervisor is loaded into memory at boot time.

Presenter
Presentation Notes
Understand the Difference between ESX and ESXi http://www.vmware.com/products/vsphere/esxi-and-esx/compare.html
Page 46: The Institute of Internal Auditors Detroit Chapter Presents

Hyper-V

Virtualization isolates critical applications

Virtualization helps to consolidate multiple physical servers into a singular server

Using a virtual machine increases the ease of backing up essential servers

Updates or changes to an OS can be made on a virtual machine to test stability before being applied to a production machine

Reduces the need for physical devices in educational environments

Page 47: The Institute of Internal Auditors Detroit Chapter Presents

Hyper-V

Hyper-V Requirements

– 64-bit version of Windows Server 2008 Standard, Enterprise, or Datacenter Edition

– A server running a 64-bit processor with virtualization support and hardware data execution protection

– Enough free memory and disk space to run virtual machines and store virtual hard drives; virtual machines use the same amount of memory and disk space resources as physical machines

Page 48: The Institute of Internal Auditors Detroit Chapter Presents

For Auditors – Important Controls

For hosted virtualization, audit the underlying OS separately

Documentation of the whole virtualization architecture, including the network, supported systems, management system, etc.

Compare the implemented hypervisor configuration against organizational security policy

Determine how patches, updates, and upgrades are managed

Determine what services and features are enabled and if they are needed

Review account and resource provisioning and deprovisioning

Review policy and procedure for provisioning and deprovisioning new hosts and VMs

Evaluate the management of hardware capacity for the virtual environment

Review how performance is managed and monitored (CPU, storage, memory, etc.)

Review backup policy and Business Continuity/Disaster Recovery plan and management

Evaluate the security of the remote hypervisor management

Page 49: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #6

A hypervisor is a program which allows multiple operating systems to share a single hardware host.

a) True

b) False

Page 50: The Institute of Internal Auditors Detroit Chapter Presents

Polling Question #6

[Diagram: virtualization project lifecycle under Project Management, cycling through Analysis, Design, Implement and Manage with Continuous Optimization]

Analysis

• Discovery

• Scenarios definition

• Strategy definition

• High level design

• TCO/ROI analysis

Design

• Detailed design

• Implementation plan

Implement

• Build virtual infrastructure

• Test virtual infrastructure

• Move to production

Manage

• Maintain in operations

• Monitor

• Periodic Review

Continuous Optimization

Project Management

Page 51: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on – VirtualBox Installation

Prerequisite

Verify that Virtualization Technology is enabled with Task Manager

Verify that Virtualization Technology is enabled with systeminfo

Note: Virtualization Technology is not needed for 32-bit guest operating systems.
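The prerequisite check above, and the Hyper-V requirements slide earlier (64-bit processor, hardware virtualization support, hardware data execution protection), can both be read off the "Hyper-V Requirements" block that `systeminfo` prints. The script below is an added example for this transcript, not part of the webinar; the `systeminfo` excerpts are constructed to mimic the real field names, and real output varies by Windows build and locale. It also handles the case where a hypervisor is already running, in which Windows hides the feature lines instead of printing Yes/No.

```python
"""Check a host for hardware virtualization support from `systeminfo` output.

Added example, not from the slides. The sample output below is constructed to
mimic the "Hyper-V Requirements" block Windows prints; real output varies by
build and locale.
"""
import re

# Field -> required value, covering the Hyper-V requirements slide:
# VT/AMD-V in firmware, SLAT, monitor-mode extensions, hardware DEP.
REQUIRED = {
    "VM Monitor Mode Extensions": "Yes",
    "Virtualization Enabled In Firmware": "Yes",
    "Second Level Address Translation": "Yes",
    "Data Execution Prevention Available": "Yes",
}

# Constructed excerpt of a host that qualifies.
SAMPLE_OK = """\
OS Name:                   Microsoft Windows 10 Pro
System Type:               x64-based PC
Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: Yes
                           Second Level Address Translation: Yes
                           Data Execution Prevention Available: Yes
"""

# Same host with VT-x/AMD-V switched off in the BIOS/UEFI.
SAMPLE_VT_OFF = SAMPLE_OK.replace("Virtualization Enabled In Firmware: Yes",
                                  "Virtualization Enabled In Firmware: No")

# Constructed excerpt of a host where a hypervisor is already active.
SAMPLE_HV_PRESENT = """\
OS Name:                   Microsoft Windows Server 2019 Standard
System Type:               x64-based PC
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
"""


def parse_systeminfo(text):
    """Extract the system type and the Hyper-V requirement fields."""
    info = {"hypervisor_detected": "A hypervisor has been detected" in text}
    m = re.search(r"^System Type:\s*(.+)$", text, re.MULTILINE)
    if m:
        info["System Type"] = m.group(1).strip()
    for key in REQUIRED:
        m = re.search(rf"{re.escape(key)}:\s*(Yes|No)", text)
        if m:
            info[key] = m.group(1)
    return info


def check_hyperv_requirements(info):
    """Return the list of unmet requirements; an empty list means the host qualifies."""
    failures = []
    if not info.get("System Type", "").startswith("x64"):
        failures.append("64-bit processor (System Type)")
    if info["hypervisor_detected"]:
        # Windows hides the feature lines once a hypervisor runs; the hardware
        # evidently supports it, so there is nothing further to check here.
        return failures
    for key, want in REQUIRED.items():
        if info.get(key) != want:
            failures.append(key)
    return failures


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("vt-off", SAMPLE_VT_OFF), ("hv-present", SAMPLE_HV_PRESENT)):
        print(label, "->", check_hyperv_requirements(parse_systeminfo(sample)) or "requirements met")
```

On a real host, pipe the command output into the parser (for example `systeminfo | python check_vt.py` with a small `sys.stdin.read()` wrapper) and treat any entry in the returned list as a BIOS/UEFI setting or hardware limitation to resolve before installing VirtualBox or Hyper-V.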

Page 52: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Go to virtualbox.org

Click on the download button

Supported OS

– Windows

– Linux

– Mac

– Solaris

Page 53: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Double click the downloaded file

Installing VirtualBox

Select the defaults and click Next

Page 54: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Configure how to start VirtualBox and click Next

Click Yes to acknowledge the network warning

Page 55: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Click Install

Click Yes to the Windows verification message

Installation begins

Page 56: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Check the “Start Oracle VM VirtualBox….”

Click Finish

If the checkbox was checked, VirtualBox starts automatically; otherwise double click the VirtualBox icon on the desktop

Page 57: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Download Extension from https://www.virtualbox.org/wiki/Downloads

Go to File -> Preferences -> Extensions -> Add new package

Click on the “+” sign and browse to the downloaded file

Click Install

Note: The Extension pack provides support for USB 2.0 and 3.0 devices, VirtualBox RDP, disk encryption, etc.

Page 58: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Host is installed.

Page 59: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on – VirtualBox Installation

Creating a Guest VM

Click the New button on the menu band at the top

In the Name and operating system dialog screen:

– Enter a name for the VM

– Select a location for the VM file

– Select the OS

– Select the version of OS

– Click Next

Page 60: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on – VirtualBox Installation

Creating a Guest VM

Select how to manage storage and click Next

Select the disk file type and click Next

Page 61: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization Hands-on, cont’d

Set the storage location and click Create

Note: The new VM is created and will show in the left panel. However, the guest operating system is not installed yet.

Select the new VM

Click Start to power on the VM

Begin installing the guest OS

Page 62: The Institute of Internal Auditors Detroit Chapter Presents

Virtualization – Proxmox VE Demo

Open Source

Linux based

Use a regular web interface to manage hosts

Hosts can be clustered

Storage can be shared across hosts

Supports containers

Page 63: The Institute of Internal Auditors Detroit Chapter Presents

Other Network Security Layers

Page 64: The Institute of Internal Auditors Detroit Chapter Presents

Network Intrusion Detection

Passive traffic interception

– Send a copy of the traffic to the NIDS

– Do not block the normal path

Better performance / worse security

[Diagram: Intranet – Internet, with the NIDS receiving a copy of the traffic off the main path]

Page 65: The Institute of Internal Auditors Detroit Chapter Presents

NIDS vs. Firewalls

Actions:

– Firewalls: block or allow

– NIDS: alert administrator, log, block (intrusion prevention system)

Policies:

– Firewalls: ACL-style policy on (packet) attributes

– NIDS: attack signatures, statistical anomalies

NIDS challenges:

– Evasion

– False positives
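The contrast on this slide, a firewall deciding on packet attributes versus a NIDS alerting on signatures and statistical anomalies, is easiest to see with both policy styles run over the same traffic sample. The following is an added example written for this transcript, not code from the webinar or from any IDS product: a content signature matched after normalisation (so encoding or case changes do not defeat it, the slide's "evasion" point), a rate-based anomaly rule, and a known-scanner list that shows how an organisation's own scanner becomes the slide's "false positive" unless it is accounted for. The records, addresses, signature and threshold are all constructed.

```python
"""Signature and anomaly detection over a constructed traffic sample.

Added example, not code from the slides or from any IDS product. The records,
the signature and the scan threshold are assumptions chosen to show the two
policy styles the slide contrasts and the false-positive problem.
"""
from collections import defaultdict
from urllib.parse import unquote

# (time in seconds, src, dst, dport, payload) as a mirror-port sensor would see it.
SAMPLE_RECORDS = [
    (0, "10.0.0.5", "198.51.100.7", 443, b""),
    (1, "203.0.113.9", "10.0.0.25", 25, b"EHLO mail.example.test"),
    (2, "203.0.113.40", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    (3, "203.0.113.40", "10.0.0.80", 80, b"GET /files?name=%2e%2e%2F%2e%2e%2Fconfig HTTP/1.1"),
] + [(5, "203.0.113.77", "10.0.0.%d" % i, 445, b"") for i in range(1, 41)]

# Content signatures, matched after normalisation so percent-encoding and
# case changes do not slip past the pattern (the slide's "evasion" challenge).
SIGNATURES = {"path-traversal": "../../"}

SCAN_WINDOW_SECONDS = 10   # anomaly rule: distinct hosts touched on one port ...
SCAN_HOST_THRESHOLD = 20   # ... by a single source within the window


def normalise(payload: bytes) -> str:
    return unquote(payload.decode("latin-1")).lower()


def signature_alerts(records):
    """Signature policy: alert when a known pattern appears in the payload."""
    alerts = []
    for _, src, dst, _, payload in records:
        text = normalise(payload)
        for name, pattern in SIGNATURES.items():
            if pattern in text:
                alerts.append(("signature", name, src, dst))
    return alerts


def anomaly_alerts(records, known_scanners=frozenset()):
    """Anomaly policy: a source touching many distinct hosts on one port in a short window.

    `known_scanners` lists sources (e.g. the organisation's own vulnerability
    scanner) that would otherwise trigger this rule every time they run: the
    classic false positive the slide warns about.
    """
    seen = defaultdict(set)   # (src, dport, window index) -> set of destinations
    for t, src, dst, dport, _ in records:
        seen[(src, dport, t // SCAN_WINDOW_SECONDS)].add(dst)
    alerts = []
    for (src, dport, _), hosts in seen.items():
        if len(hosts) >= SCAN_HOST_THRESHOLD and src not in known_scanners:
            alerts.append(("anomaly", f"horizontal-scan:{dport}", src, f"{len(hosts)} hosts"))
    return alerts


def detect(records, known_scanners=frozenset()):
    """Run both policies; a NIDS only alerts and logs, it does not decide forwarding."""
    return signature_alerts(records) + anomaly_alerts(records, known_scanners)


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
    print("with the internal scanner allow-listed:",
          detect(SAMPLE_RECORDS, known_scanners=frozenset({"203.0.113.77"})))
```

Neither rule touches the forwarding path: the detector reads a copy of the traffic and emits alerts, which is why the earlier slide pairs passive interception with better performance but worse security. Tuning `SCAN_HOST_THRESHOLD` and the known-scanner list is where the false-positive rate is managed in practice.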

Page 66: The Institute of Internal Auditors Detroit Chapter Presents

Using Proxy Servers

Prevent the outside world from gathering information about your internal network

Provide valuable log information

Can redirect certain traffic, based on configuration

Typically runs on the firewall machine

Protects against spoofing

Presenter
Presentation Notes
Include some of your own experiences with proxy servers and how they can benefit your security solution.
Page 67: The Institute of Internal Auditors Detroit Chapter Presents

Network Address Translation

[Diagram: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT router whose public address is 138.76.29.7, connected to the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual)

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers
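The translation the slide describes is a table keyed on the single public address and a per-flow source port. The walk-through below is an added example for this transcript, not code from the webinar: it uses the slide's addresses (10.0.0.0/24 behind 138.76.29.7), rewrites two outbound datagrams from different inside hosts to distinct public ports, maps the reply back, and drops an unsolicited inbound datagram for which no mapping exists. The outside server address 198.51.100.7, the port numbers and the starting public port are constructed values.

```python
"""Source NAT (port-address translation) table walk-through.

Added example, not code from the slides. Addresses 10.0.0.0/24 and 138.76.29.7
come from the slide; the outside hosts, ports and starting public port are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAT_PUBLIC_IP = "138.76.29.7"   # the slide's single public address


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 5001):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_ip, public_port) -> (private_ip, private_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (private_ip, private_port) -> public_port, so one flow keeps one mapping
        self.reverse: Dict[Tuple[str, int], int] = {}

    def outbound(self, d: Datagram) -> Datagram:
        """Rewrite the source of a datagram leaving the local network."""
        key = (d.src_ip, d.src_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(self.public_ip, self.next_port)] = key
            self.next_port += 1
        return Datagram(self.public_ip, self.reverse[key], d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Rewrite the destination of a datagram arriving from the Internet.

        Returns None when no mapping exists: an unsolicited inbound datagram has
        nowhere to go, which is the side effect that makes NAT look like a
        firewall even though it applies no policy.
        """
        entry = self.table.get((d.dst_ip, d.dst_port))
        if entry is None:
            return None
        private_ip, private_port = entry
        return Datagram(d.src_ip, d.src_port, private_ip, private_port)

    def mappings(self):
        return sorted(self.table.items())


if __name__ == "__main__":
    nat = NatRouter(NAT_PUBLIC_IP)
    a = nat.outbound(Datagram("10.0.0.1", 3345, "198.51.100.7", 80))
    b = nat.outbound(Datagram("10.0.0.2", 3345, "198.51.100.7", 80))
    print("outbound:", a, b)
    print("reply:", nat.inbound(Datagram("198.51.100.7", 80, NAT_PUBLIC_IP, b.src_port)))
    print("unsolicited:", nat.inbound(Datagram("203.0.113.9", 4444, NAT_PUBLIC_IP, 6000)))
    print("table:", nat.mappings())
```

Both inside hosts used the same source port 3345, so the router cannot distinguish replies by address alone; the allocated public port is what identifies the flow, which is why every datagram leaving carries the same source address but a different source port.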