We covered blocking Facebook, Twitter and BitTorrent with a Palo Alto Networks firewall by creating an application group, referencing it from a deny rule, and placing that rule at the top of the rulebase so that social media patterns in user traffic are identified and blocked before any allow rule matches.

What is a Firewall?

A firewall is software or hardware that monitors the network traffic and compares it against a set of rules before passing or blocking it. The most basic firewall should be able to inspect at least the packet’s protocol, source and destination port and IP addresses.

Firewall types based on packet filtering

  • Packet-filtering firewalls, also known as stateless firewalls, inspect each data packet as it travels through a network. They decide whether to block a specific packet based on the configured rules alone, without reference to any previous packet.
  • Application-layer firewalls can be a physical appliance running on its own hardware, or software installed on another machine, such as a plug-in or a filter. These firewalls target applications and monitor their behavior. For example, if placed in front of a web server, they can inspect HTTP requests and block abnormal floods of traffic that indicate a DoS attack.
  • Circuit-level firewalls check whether TCP and UDP connections across a network are valid before data is exchanged. For example, this type of firewall might first check whether the source and destination addresses, the user, the time, and the date meet certain defined rules. Data is exchanged between parties without further investigation when these checks pass, and a session starts.
  • Proxy server firewalls, also called web application firewalls, control the information that goes in and out of a network. This means the server can monitor, filter, and cache data requests to and from a network. Firewall proxy servers provide safe and secure internet access to all devices on a network. As depicted in the image below, there is no direct communication between the client machine and the internet; every request passes through the proxy server.
  • Stateful firewalls inspect connections on a network. As traffic hits the firewall, it monitors all packets that go through it and stores a combination of information about each connection in a state table. The state table tracks sessions by recording port numbers as sessions start from inside the network and are transmitted outside of the network. Gathering this information helps the firewall recognize what legitimate return traffic with the correct port numbers should look like, so that only legitimate replies are allowed back into the network.
  • Next-generation firewalls perform many of the same functions as stateful firewalls but with more functions from other types of firewalls, such as packet filtering and VPN support. This type of firewall also investigates packets more thoroughly compared to stateful firewalls. For example, a next-generation firewall can examine the payload for each packet and inspect it for suspicious characteristics and malware. Examples include the Juniper SRX series and Cisco Firepower.

Blocking and Allowing Social Media Such as Facebook and Twitter Using a Palo Alto Firewall

Step 1: Define the Untrusted Applications:

  • The user navigates to Objects > Application Groups and creates a new group called Untrusted Apps.
  • In this group, they add applications such as Facebook, Twitter, and BitTorrent (for blocking copyright infringement traffic).

Step 2: Create a Security Policy:

  • The user goes to Policies and creates a new security policy called Block Untrusted Inside Out.
  • The source zone is set to the inside network, and the destination zone is set to outside (the Internet).
  • The newly created Untrusted Apps group is selected under Applications.
  • The action for the policy is set to Deny, meaning traffic containing the listed applications will be blocked.

Adjusting Policy Order:

  • Because the rulebase is evaluated top to bottom and the first matching rule wins, the user moves the Block Untrusted Inside Out rule to the top of the policy list so that it is evaluated before any rule that would allow the traffic.

Testing the Policy:

  • The user tests the configuration by attempting to access Google, which is allowed, and Facebook and Twitter, both of which are blocked by the firewall based on the newly created policy.
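To see why the rule order in the steps above matters, here is an added example (not the firewall's own code and not from the video) that models first-match security policy evaluation in Python. The zone, group and rule names are the page's; the App-ID strings and the allow-all rule that sits below the deny rule are constructed for illustration.

```python
"""Model of first-match rulebase evaluation for the policy described above.
Added example; App-ID names and the allow-all rule are assumptions."""
from dataclasses import dataclass

# Application group from Step 1 (member App-ID names are assumed for illustration).
APP_GROUPS = {"Untrusted Apps": {"facebook", "twitter", "bittorrent"}}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: set   # App-ID names, group names, or {"any"}
    action: str         # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, app: str) -> bool:
        if self.from_zone not in ("any", from_zone):
            return False
        if self.to_zone not in ("any", to_zone):
            return False
        if "any" in self.applications:
            return True
        # Expand application groups into their member App-IDs before matching.
        members = set()
        for entry in self.applications:
            members |= APP_GROUPS.get(entry, {entry})
        return app in members


def evaluate(rulebase, from_zone: str, to_zone: str, app: str):
    """Return (rule name, action) of the first matching rule, as a firewall does.
    Traffic matching no rule hits the implicit interzone deny."""
    for rule in rulebase:
        if rule.matches(from_zone, to_zone, app):
            return rule.name, rule.action
    return "implicit-deny", "deny"


BLOCK = Rule("Block Untrusted Inside Out", "inside", "outside", {"Untrusted Apps"}, "deny")
ALLOW_ALL = Rule("Allow Inside Out", "inside", "outside", {"any"}, "allow")  # assumed pre-existing rule


def evaluate_test_flows(rulebase) -> dict:
    """Replay the page's test: Google, Facebook and Twitter from inside to outside."""
    return {app: evaluate(rulebase, "inside", "outside", app)[1]
            for app in ("google-base", "facebook", "twitter")}


if __name__ == "__main__":
    print("deny rule at top:   ", evaluate_test_flows([BLOCK, ALLOW_ALL]))
    print("deny rule at bottom:", evaluate_test_flows([ALLOW_ALL, BLOCK]))
```

With the deny rule at the top, Google is allowed while Facebook and Twitter are denied; with the same rule below the allow-all rule, all three are allowed and the block never takes effect.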

Conclusion

This kind of filtering is common in corporate environments where certain applications or websites are restricted to maintain productivity and security. The video concludes with a promise of future tutorials on Palo Alto Networks and advanced firewall configurations.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.