OS Security Builtin Firewalls

Submitted by coleen.yan@edd… on Mon, 04/15/2024 - 17:41

Security and privacy in modern computing rely on an operating system that safeguards your system and information from startup to shutdown. As we have seen in the previous topics, this comprehensive protection extends from the hardware level (chip) to the software layers.

A crucial aspect of this protection is the built-in firewall. Operating systems (OS) come equipped with built-in firewalls designed to control incoming and outgoing network traffic based on predetermined security rules.

What are Firewalls? 

Firewalls are software or hardware-based devices that control or filter incoming and outgoing network traffic based on a set of rules. They are critical for protecting systems against unauthorised access and cyber threats. There are many types of firewalls, ranging from software-based solutions to dedicated appliances that protect enterprise networks. We can loosely classify firewalls into two groups: 

  1. Network Firewalls 
  2. Host Firewalls 

Network Firewalls

Network Firewalls are usually installed between a network and the internet, applying rules to all devices on the network. They give network administrators control over traffic, both from inside and outside the protected network. They are also able to control who can access a network by using lists of rules called access control lists (ACLs). These rules decide which types of data can come in and go out of the network. 

Generally, a network firewall works by performing the following filtering steps:

  • Filtering Traffic: The firewall looks at all the data trying to enter or leave the network and checks it against the rules in the ACLs. 
  • Ingress Filtering: This means blocking harmful data from entering the network. Think of it as a security guard stopping bad guys at the gate. 
  • Egress Filtering: This means stopping certain data from leaving the network. For example, if a computer is infected with malware, egress filtering can prevent the malware from sending information out to a hacker's server. 

In simpler terms, firewalls act like gatekeepers, making sure only safe data gets in and out of your network. 

Host Firewalls

Host Firewalls are usually installed on individual devices, such as laptops, desktops, and servers.

  • They typically support packet filtering, stateful packet inspection, and network address translation.
  • They allow application-specific rules to be set, so that only specified applications are permitted to send or receive traffic.
  • They run in the background most of the time to protect the computer system from malicious activity by controlling connections. They notify the users of any attempted intrusions. 

Operating systems feature these firewalls to regulate incoming and outgoing network traffic based on specific security rules. These firewalls are essential for defending against unauthorised access and cyber threats. 

In this topic, our focus will only be on host firewalls, particularly the ones offered by an operating system.

Firewall Rules

Firewall rules are specifications set by administrators that instruct a firewall on how to process incoming and outgoing network traffic.  

They are access control mechanisms that firewalls use to protect your system and network from being infiltrated by malicious or unauthorised traffic. 

Firewall rules play a key role in network and host security by dictating how firewalls should handle traffic based on parameters such as source or destination IP addresses, ports, and protocols.

Specifically, firewall rules analyse the control information in data packets and decide whether to block or allow them based on predefined criteria. These criteria include:

  • Source and Destination IP Addresses 
  • Ports (specific or range) 
  • Protocol Type (TCP, UDP, ICMP) 
  • Application, Service, or Program Name 
  • Dynamic Values (like default gateways, DHCP servers, DNS servers, and local subnets) 
  • Interface Type 
  • ICMP/ICMPv6 Traffic Type and Code 

These rules provide detailed conditions for identifying and managing traffic.

How Firewall Rules Work in Host-Based Firewalls 

A host-based firewall processes incoming and outgoing data packets by inspecting each packet, applying configured rules, and deciding whether to allow or block the traffic based on a sequential evaluation of these rules. 

By default (if no rule is defined), any traffic not explicitly allowed is blocked.

A diagram showing how firewall rules work

Source: https://www.paloaltonetworks.com/cyberpedia/what-are-firewall-rules

The diagram above shows the steps by which a firewall applies its rules:

Data Packet Arrival: 

Data packets are received by the firewall from the network. Each packet carries information about its source, destination, and other attributes. 

Packet Inspection: 

The firewall then inspects each packet to gather information about its source, destination, port, and the type of communication it represents (e.g., is it a web application using the HTTP protocol, or an email application using the SMTP or IMAP protocol?).

Rule Configuration: 

Firewall rules are predefined conditions that determine how the firewall should handle different types of traffic. These rules specify which sources, destinations, and ports are allowed or blocked. 

Decision Pathway: 

The firewall uses the configured rules to make decisions about the packet. It assesses whether the packet meets the conditions defined by the rules. 

Sequential Evaluation: 

The firewall evaluates packets against Access Control Lists (ACLs) in a sequential manner. Rules are processed from top to bottom until a match is found.

Match Action: 

Once a packet matches a rule, the firewall executes the action associated with that rule—allowing, denying, or rejecting the packet. 

Default Policy: 

If a packet does not match any of the defined rules, the firewall's default policy comes into play.  

By default, this policy is typically to deny all traffic that isn't explicitly allowed by the rules, enhancing network security. 

Stateful Inspection: 

Advanced firewalls may use stateful inspection to track ongoing connections and ensure that incoming traffic is part of an established session initiated by an internal user. This adds a layer of security by verifying the state of the connection. 

Below is an example of firewall rules:

Firewall Rule Example

  Source address    Source port    Destination address    Destination port    Action
  192.168.1.2       80             10.10.10.20            22                  Allow
  192.168.0.0/24    Any            192.168.0.0/24         443                 Deny
  Any               Any            Any                    Any                 Deny

Below is an example of application specific rules in Windows Defender Firewall:

[Screenshot: application-specific rules in Windows Defender Firewall]

Inbound and Outbound Firewall Rules 

Inbound Firewall Rules: 

  • In a firewall ruleset, inbound rules define which types of traffic are allowed to enter the network. 
  • Inbound traffic rules specify allowed connections, originating ports, and source addresses. For example, allowing HTTP traffic through port 80. 
  • When there are no inbound rules specified, the firewall blocks all inbound traffic. 
  • Inbound rules help safeguard the network from unauthorized access, malicious entities, and DoS attacks. 

Outbound Firewall Rules: 

  • Outbound rules determine which traffic is allowed to exit the network, specifying permissible destination addresses, ports, and protocols. 
  • Without explicit outbound rules, the firewall blocks all outbound traffic by default. 
  • Restricting outbound traffic can prevent malware from communicating with external servers. 
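The rule-processing steps above (sequential first match, default deny, stateful inspection) and the inbound/outbound distinction can be seen working together in the following small evaluator. This is an added teaching example written for this page, not code from any operating system's firewall. Its three inbound rules are the rows of the rule table above, read as rules on a host with address 10.10.10.20; because the table has no protocol column, the protocol is assumed to be "any", and an extra outbound "allow all" rule plus the addresses and ports in the demo packets are constructed for the example.

```python
"""Host-firewall rule evaluation: sequential first match, default policy, and
stateful acceptance of return traffic. Constructed teaching example."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the protected host
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]    # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # "any" or a protocol name
    src: str                # "any", a single address or a CIDR block
    sport: str              # "any", "80" or a range such as "1024-65535"
    dst: str
    dport: str
    action: str             # "allow" or "deny"
    name: str = ""


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: Optional[int]) -> bool:
    if spec == "any":
        return True
    if port is None:                       # a port condition can never match ICMP
        return False
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.dport, pkt.dport))


class HostFirewall:
    """Evaluates rules top to bottom; unmatched traffic falls to the default policy."""

    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default
        self.sessions = set()   # (proto, local addr, local port, remote addr, remote port)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        # Stateful inspection: a reply to a session this host opened is accepted
        # without consulting the inbound rules.
        if pkt.direction == "in":
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                return "allow", "established session"
        # Sequential evaluation: the first matching rule decides.
        for rule in self.rules:
            if matches(rule, pkt):
                if pkt.direction == "out" and rule.action == "allow":
                    self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, rule.name
        return self.default, "default policy"


# The page's rule table as inbound rules (protocol assumed "any"), plus an assumed
# outbound "allow all" rule so that stateful replies can be demonstrated.
PAGE_RULES = [
    Rule("in", "any", "192.168.1.2", "80", "10.10.10.20", "22", "allow", "admin ssh"),
    Rule("in", "any", "192.168.0.0/24", "any", "192.168.0.0/24", "443", "deny", "lan https deny"),
    Rule("in", "any", "any", "any", "any", "any", "deny", "deny all inbound"),
    Rule("out", "any", "any", "any", "any", "any", "allow", "allow all outbound"),
]


def run_demo():
    """Decisions for a few constructed packets, in order of evaluation."""
    fw = HostFirewall(PAGE_RULES)
    ssh_ok = fw.decide(Packet("in", "tcp", "192.168.1.2", 80, "10.10.10.20", 22))
    ssh_bad_sport = fw.decide(Packet("in", "tcp", "192.168.1.2", 81, "10.10.10.20", 22))
    lan_https = fw.decide(Packet("in", "tcp", "192.168.0.5", 50000, "192.168.0.9", 443))
    request = fw.decide(Packet("out", "tcp", "10.10.10.20", 51000, "203.0.113.7", 443))
    reply = fw.decide(Packet("in", "tcp", "203.0.113.7", 443, "10.10.10.20", 51000))
    return ssh_ok, ssh_bad_sport, lan_https, request, reply


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Note how the reply from 203.0.113.7 is accepted only because the host initiated the session: with an empty session table the same packet would fall through the inbound rules to "deny all inbound", which is exactly the behaviour the stateful step adds.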

Read more about Windows Firewall Rules.

Built-in Firewall 

Depending on your OS, you may have a built-in host firewall, such as Windows Firewall (Windows Defender Firewall), or you may need to install a third-party firewall, such as Uncomplicated Firewall (UFW) for Linux or Little Snitch for macOS.

Windows OS Built-In Firewall 

Windows Firewall is a host-based firewall that is included with the operating system and enabled by default on all Windows editions. It is a built-in security feature that protects your device by filtering incoming and outgoing network traffic.  

The following are the common built-in security features of Windows firewall: 

  • Traffic Filtering: It can filter traffic based on source/destination IP addresses, IP protocol, and port numbers. 
  • Application Control:  It can allow or block traffic for specific applications and services. 
  • Host-Based Protection: As Windows firewalls usually come with the operating system, they require no extra hardware or software. 
  • IP Security Support: Windows Firewall supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as trusted devices cannot communicate with your device. IPsec can also ensure that certain network traffic is encrypted, protecting it from being read by malicious users.
  • Network Location Awareness: Windows Firewall also works with Network Location Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected.  For example, Windows Firewall can apply the public network profile when the device is connected to a coffee shop wi-fi, and the private network profile when the device is connected to the home network. This allows you to apply more restrictive settings to public networks to help keep your device secure. 

Firewall Profiles  

Windows Firewall offers three network profiles: domain, private and public. The network profiles are used to assign rules. For example, you can allow a specific application to communicate on a private network, but not on a public network. 

Read more about Windows firewall profiles

Exploring Windows OS Security Tools and Applications 

Windows generally offers different tools to view the status of, and configure, the Windows Firewall.

As shown in the image below, different apps on Windows can be used to examine the security and health status of devices running the Windows OS. All tools interact with the same underlying services but provide different levels of control over those services.

[Screenshot: Windows apps for viewing device security and health status]

Windows Security 

The Windows Security app can be used to view the Windows Firewall status and access advanced tools to configure it.  

To view the Windows OS security app follow the steps below:

  1. Select START.
  2. Type Windows Security, and press ENTER.
  3. Once Windows Security is open, select the Firewall and Network Protection tab. As a shortcut, you can instead type the following into your browser's address bar: windowsdefender://network/
  4. Click on Open Windows Security to open the Windows security app. 

Read the article to further understand how to use and customize Windows Security features.

Firewall and Network Protection in Windows Security  

Firewall and network protection in Windows Security lets you view the status of Microsoft Defender Firewall and see what networks your device is connected to. You can turn Microsoft Defender Firewall on or off and access advanced Microsoft Defender Firewall options for the following network types: 

  1. Domain (workplace) networks 
  2. Private (trusted) networks 
  3. Public (untrusted) networks 

Explore the following article to see how you can use this service to manage the security of your network and hosts running Windows OS.

Windows Defender Firewall with Advanced Security (WFAS) 

WFAS is a tool for setting up and managing advanced firewall settings on Windows. It can be used on individual devices or across multiple devices in a network. 

For a Single Device: 

Go to START, type wf.msc, and press ENTER to open the firewall settings:

[Screenshot: Windows Defender Firewall with Advanced Security (wf.msc)]

For Devices in a Domain: 

Open Group Policy Management and edit or create a group policy object (GPO). 

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security to adjust settings for multiple devices.

Watch - Configuring Windows Defender Firewall (13:30 minutes)

Watch the following videos that introduce the Windows Defender Firewall and show you how to configure basic firewall settings, add applications to your firewall settings, and configure advanced port rules with Windows Defender Firewall Advanced Security settings. After watching, give it a try!

Watch - How to Configure the Firewall on Windows Server 2022 (16:59  minutes)

Join the most enthusiastic IT expert Adam as he guides you through how to use the Windows Server Manager in Windows Server 2022 to set up the Windows Firewall with an Advanced Security role.

Now learn how to turn on and turn off Windows Firewall on your PC and try following the steps.

You can also access the Windows Firewall through the control panel of your Windows OS: 

 Open the Control Panel, select System and Security, then Windows Defender Firewall:

Linux OS Built-In Firewall 

The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for managing netfilter is the iptables suite of commands. 

iptables provides a complete firewall solution that is both highly configurable and highly flexible. However, becoming skilled in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task. As a result, many frontends for iptables have been created over the years, each trying to achieve a different result and targeting a different audience.

Uncomplicated Firewall (UFW) 

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls.  

UFW is a tool that minimizes the effort of setting up a firewall by starting with an optimal default configuration. In many cases, it’s only necessary to know the name of the applications to be authorized. It has graphical frontends, like GUFW. 

ufw provides a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.  

ufw aims to provide an easy-to-use interface for people unfamiliar with firewall concepts, while at the same time simplifying complicated iptables commands to help an administrator who knows what he or she is doing. ufw is an upstream for other distributions and graphical frontends. 

UFW is available for all Linux distributions. On Ubuntu, it’s pre-installed but disabled by default. Some VPS providers, however, supply UFW pre-configured and pre-activated. So, first, we need to look at the status of UFW.

Study the following tutorial on how to set up a Firewall using UFW on Ubuntu.

File System Security 

A file system is a structure used by an operating system to organise and manage files on a storage device such as a hard drive, solid-state, or USB flash drive. It defines how data is stored, accessed, and organised on the storage device.  

Without a file system, the operating system would see only large chunks of data without any way to distinguish one file from the next.

Read about different types of file systems and their pros and cons.

The file system can provide an additional level of security for your data. Windows operating systems use the New Technology File System (NTFS), which offers advanced security features compared to its predecessor, the File Allocation Table (FAT). 

FAT vs. NTFS

FAT is a simple Windows file system and is the table that exists at the very top of the volume.  

FAT has serious limitations in providing security. It only supports read-only, hidden, system, and archive file attributes, and not the wide variety of permissions that are available in NTFS. However, FAT is still supported. 

NTFS is the default file system used by Windows NT-based operating systems, starting in 1993 with Windows NT 3.1, all the way up to and including Windows 11. It is the current standard for Windows, offering robust security by allowing granular control over file and folder access.

NTFS Security Features: the image below shows the security settings (groups and permissions) of the "My OS" folder:

NTFS has an advanced ability to secure the file system by granting or denying various permissions.  

Permissions define the type of access granted, such as full control, modify, list folder contents, read and write, and can be applied to folders and files and active directory objects. 

NTFS allows administrators to grant or deny various permissions to users and groups. These permissions include: 

  • Full Control 
  • Modify 
  • Read and Execute 
  • List Folder Contents 
  • Read 
  • Write 
  • Special Permissions 
  • Share Permissions: These apply to network access and include Full Control, Change, Read, and No Access. If both share and NTFS permissions are set, the most restrictive one applies. 
  • Administrative Shares: In a Windows OS, several hidden administrative shares are automatically created and indicated by a dollar sign ($) at the end of the share name. Permissions on hidden administrative shares cannot be modified.  

File and folder permissions are based on the permissions granted to each user at Windows login, regardless of whether they are on the local machine or accessing the resource over the network via a shared folder.

A drive or folder can be shared, and clients can then access its files over the network by using the Universal Naming Convention (UNC) path.

Being able to assign permissions based on roles and requirements gives the administrator control over which users and groups can access the files and folders stored on the NTFS volume. Permissions are applied according to how the resource is accessed.

With NTFS, user-defined (custom) attributes can be added to a file.

For accountability, NTFS adds a timestamp indicating when the file was last accessed. 

Setting Permissions on NTFS Drive 

Permissions Tab: Only drives formatted with NTFS will show the permissions tab. Setting permissions is powerful but can be tricky, so it is important to understand how they work.

Watch - Configuring NTFS permissions (17:47 minutes)

This video demonstrates how to configure NTFS permissions on files and folders. This is demonstrated in Windows 10, but NTFS permissions work the same way on Windows Server.

On NTFS drives, you can set permissions for shared drives and folders. Permissions determine who can access files and folders and what they can do with them (e.g., read, write, modify). 

Permissions can be: 

  1. Explicit: That is, the permission is directly set on a file or folder. 
  2. Inherited: That is, the permission is passed down from the parent folder. Inheritance means that permissions propagate from the parent to the child; it is used both in the file system and in Active Directory permissions. Inherited permissions granted on a folder extend into its child objects, such as the subfolders and files within that folder.
  3. Effective: That is, the permissions a user actually has, which are the combination of the explicit and inherited permissions.
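The interaction between explicit, inherited and share permissions is easier to see in code than in prose. The following is an added teaching model written for this page (not Windows code and not the page's own material); it simplifies the basic NTFS permissions into a few individual rights and applies the evaluation order Windows uses: explicit entries are considered before inherited ones, deny entries before allow entries at each level, and the first entry covering a right decides it. Network access is then the intersection with the share permission, the "most restrictive one applies" rule described earlier. The folder names, groups and users are constructed; the final check mirrors the NTFS permissions activity at the end of this topic (User1 with Read & Execute, User2 with Full Control).

```python
"""Effective NTFS permissions from explicit and inherited ACEs, combined with
share permissions for network access. Constructed, simplified teaching model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Basic NTFS permissions expanded into the individual rights they contain
# (simplified; the real special permissions are more fine-grained).
NTFS_BASIC: Dict[str, Set[str]] = {
    "Full Control":         {"read", "write", "execute", "delete", "change_permissions"},
    "Modify":               {"read", "write", "execute", "delete"},
    "Read & Execute":       {"read", "execute"},
    "List Folder Contents": {"read", "execute"},
    "Read":                 {"read"},
    "Write":                {"write"},
}

# Share permissions apply only when the folder is reached over the network.
SHARE_BASIC: Dict[str, Set[str]] = {
    "Full Control": {"read", "write", "execute", "delete", "change_permissions"},
    "Change":       {"read", "write", "execute", "delete"},
    "Read":         {"read", "execute"},
    "No Access":    set(),
}


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name
    kind: str           # "allow" or "deny"
    permission: str     # a key of NTFS_BASIC


@dataclass
class Folder:
    name: str
    aces: List[Ace] = field(default_factory=list)   # explicit ACEs set on this folder
    parent: Optional["Folder"] = None
    inherit: bool = True                             # False = inheritance disabled here


def effective_ntfs(folder: Folder, user: str, groups: Set[str]) -> Set[str]:
    """Rights `user` (a member of `groups`) ends up with on `folder`."""
    principals = {user, *groups}
    decided: Dict[str, str] = {}          # right -> "allow" / "deny", first decision wins
    node: Optional[Folder] = folder
    while node is not None:
        level = [a for a in node.aces if a.principal in principals]
        # deny entries are evaluated before allow entries at the same level
        ordered = [a for a in level if a.kind == "deny"] + [a for a in level if a.kind == "allow"]
        for ace in ordered:
            for right in NTFS_BASIC[ace.permission]:
                decided.setdefault(right, ace.kind)
        node = node.parent if node.inherit else None   # stop where inheritance is cut
    return {right for right, kind in decided.items() if kind == "allow"}


def effective_over_share(folder: Folder, share_permission: str,
                         user: str, groups: Set[str]) -> Set[str]:
    """Network access: the more restrictive of NTFS and share permissions wins."""
    return effective_ntfs(folder, user, groups) & SHARE_BASIC[share_permission]


def build_demo_tree():
    # Constructed example: C:\Shared grants Users Modify; the Finance subfolder
    # inherits that but explicitly denies the Interns group the right to write.
    shared = Folder("C:\\Shared", [Ace("Users", "allow", "Modify")])
    finance = Folder("C:\\Shared\\Finance", [Ace("Interns", "deny", "Write")], parent=shared)
    return shared, finance


if __name__ == "__main__":
    shared, finance = build_demo_tree()
    print("alice (Users, Interns) on Finance:", sorted(effective_ntfs(finance, "alice", {"Users", "Interns"})))
    print("bob (Users) on Finance via Read share:", sorted(effective_over_share(finance, "Read", "bob", {"Users"})))
```

Because the explicit deny on Finance is considered before the inherited allow from C:\Shared, alice keeps read, execute and delete but loses write; reversing the placement (an explicit allow on the child over an inherited deny from the parent) restores write, which is why an inherited deny is never a reliable way to lock down a subfolder that has its own entries.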

Read about the Linux File System.

How Windows NTFS and Linux Provide Granular Security 

Windows NTFS: 

  • Detailed Control: NTFS provides extensive options to control access to files and folders, making it possible to finely tune who can do what with your data. 
  • User and Group Permissions: You can set permissions for individual users or groups, offering flexibility and security. 

Linux: 

  • File Permissions: Linux uses a different system for permissions, typically with read, write, and execute permissions for the owner, group, and others. 
  • Advanced Options: Many Linux file systems also support Access Control Lists (ACLs) for more granular control, similar to NTFS. 
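To make the Linux side concrete, here is an added teaching model (written for this page, not kernel code) of how a Linux file access decision is made from the classic owner/group/others rwx bits and, when present, POSIX ACL entries. It follows the lookup order documented in acl(5): the owner is checked first, then a named-user entry, then the owning group and any named-group entries, and finally "others". The ACL mask is the part newcomers usually miss: it caps what named users and all group entries can grant. The file, users and groups below are constructed.

```python
"""Linux file access check: rwx bits for owner/group/others, extended with
POSIX ACL entries and the ACL mask. Constructed teaching model of the
algorithm in acl(5); it is not kernel code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def parse_mode(text: str):
    """'rw-r-----' -> ({'r','w'}, {'r'}, set()) for owner, group and others."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters, e.g. rwxr-x---")
    return tuple({bit for ch, bit in zip(text[i:i + 3], "rwx") if ch == bit}
                 for i in (0, 3, 6))


@dataclass
class AclFile:
    owner: str
    group: str                       # owning group
    mode: str                        # nine-character mode string as shown by ls -l
    named_users: Dict[str, Set[str]] = field(default_factory=dict)   # user:NAME:perms
    named_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group:NAME:perms
    mask: Optional[Set[str]] = None  # caps the group class; None = no extended ACL


def access(f: AclFile, user: str, groups: Set[str], wanted: Set[str]) -> bool:
    """True if `user` (member of `groups`) holds every permission in `wanted`."""
    owner_bits, group_bits, other_bits = parse_mode(f.mode)
    # The mask limits named users, the owning group and named groups, never the owner or others.
    mask = f.mask if f.mask is not None else {"r", "w", "x"}

    if user == f.owner:                       # 1. file owner: owner bits, unmasked
        return wanted <= owner_bits
    if user in f.named_users:                 # 2. named user entry, limited by the mask
        return wanted <= (f.named_users[user] & mask)
    # 3. group class: the owning group plus any matching named group; one entry
    #    that grants the requested permissions (after masking) is enough.
    candidates = []
    if f.group in groups:
        candidates.append(group_bits)
    candidates += [perms for name, perms in f.named_groups.items() if name in groups]
    if candidates:
        return any(wanted <= (perms & mask) for perms in candidates)
    return wanted <= other_bits               # 4. everyone else


def build_demo() -> AclFile:
    # Constructed example: a report owned by root:dev, mode rw-r-----, with the
    # extra ACL entries  user:alice:rw-  group:qa:r--  and  mask::r--
    return AclFile("root", "dev", "rw-r-----",
                   named_users={"alice": {"r", "w"}},
                   named_groups={"qa": {"r"}},
                   mask={"r"})


if __name__ == "__main__":
    f = build_demo()
    print("alice write:", access(f, "alice", set(), {"w"}))      # False: the mask strips w
    print("carol (qa) read:", access(f, "carol", {"qa"}, {"r"}))  # True
    print("erin (no groups) read:", access(f, "erin", set(), {"r"}))  # False: others have ---
```

Note that a user who matches a group-class entry but is not granted the requested right is denied outright rather than falling through to the "others" bits, and that alice's write bit in her ACL entry is silently ineffective until the mask is widened; `getfacl` reports such entries with an "#effective:" annotation for exactly this reason.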

Controlling Folder Access to Prevent Ransomware 

Ransomware is a significant threat, capable of infecting your system through various means, such as malicious websites, email attachments or deceptive links.  

You can mitigate the risk by following best practices and using features like Controlled Folder Access in Windows Operating Systems.  

This feature adds an extra layer of security by preventing unauthorized applications from modifying files in protected folders. While it may require some effort to whitelist trusted applications, it significantly enhances your PC's security against ransomware attacks. 

Learn how to protect your folders with controlled folder access.

Best Practices to Protect Your PC from Ransomware

  1. Keep Windows Updated: Ensure your PC has the latest Windows version and security patches. 
  2. Enable Windows Security: Turn on Windows Security to protect against viruses and malware. 
  3. Turn on Controlled Folder Access: This feature helps protect important local folders from unauthorized programs like ransomware. 


Firewalls and File Permission 

Objective: Learn how to configure and test Windows Firewall rules on Windows 11 VMs. 

Task: In this activity, you will demonstrate how to block and allow certain traffic using the Windows operating system's built-in firewall. Follow the step-by-step instructions below.

  1. Set up two Windows 11 VMs: Ensure both VMs are on the same network.
  2. Ping Test: Open Command Prompt on both VMs.
    On VM1, ping VM2’s IP address: ping <IP_of_VM2> 
    Take a screenshot of the successful ping response. 
  3. Block ICMP Traffic: 
    On VM2, open Windows Defender Firewall with Advanced Security: 
    Press Win + R, type wf.msc, and press Enter. 
    Go to Inbound Rules, and create a new rule: 
    Select New Rule... 
    Choose Custom, then click Next. 
    Under Protocol and Ports, select ICMPv4. 
    Under Action, select Block the connection. 
    Apply the rule to all profiles (Domain, Private, Public). 
    Name the rule "Block ICMP".
  4. Ping Test After Blocking: 
    On VM1, try pinging VM2’s IP address again: ping <IP_of_VM2> 
    Take a screenshot of the failed ping response. 
  5. Allow ICMP Traffic: 
    On VM2, disable the "Block ICMP" rule: 
    Right-click on the "Block ICMP" rule and select Disable Rule. 
    On VM1, ping VM2’s IP address again to confirm that ICMP traffic is allowed. 
    Take a screenshot of the successful ping response. Post it to the OS Activity Forum and discuss any challenges you had completing the task.

Objective: Learn how to configure and test Linux built-in firewalls in Ubuntu VMs.

Task: In this exercise, you will demonstrate how to block and allow certain traffic using the Linux built-in firewall. Follow the step-by-step instructions below.

  1. Setup Two Windows 11 VMs: Ensure both VMs are on the same network. 
  2. Ping Test: 
    Open the Terminal on both VMs. 
    On VM1, ping VM2’s IP address: ping <IP_of_VM2> 
    Take a screenshot of the successful ping response. 
  3. Block ICMP Traffic:
    On VM2, configure UFW to block ICMP by running the following commands:
    sudo ufw deny proto icmp from any to any
    sudo ufw reload
  4. Ping Test After Blocking:
    On VM1, try pinging VM2’s IP address again: ping <IP_of_VM2>
    Take a screenshot of the failed ping response.
  5. Allow ICMP Traffic:
    On VM2, configure UFW to allow ICMP again by removing the deny rule:
    sudo ufw delete deny proto icmp from any to any
    sudo ufw reload
    On VM1, ping VM2’s IP address again to confirm that ICMP traffic is allowed.
    Take a screenshot of the successful ping response. Post it to the OS Activity Forum and discuss any challenges you had completing the task.

Objective: Learn how to create users and assign different permissions to files and folders. 

Task: In this exercise, you will demonstrate how to assign and revoke NTFS permissions on Windows 11. Follow the step-by-step instructions below.

  1. Create Users: On a Windows VM, open Command Prompt as Administrator. 
    Create two users by running the following commands: 
    net user User1 Password1 /add  
    net user User2 Password2 /add 
  2. Create a Folder and Assign Permissions: 
    Create a folder named "TestFolder" on the C: drive. 
    Right-click on "TestFolder" > Properties > Security tab. 
    Add "User1" and grant "Read & Execute" permissions. 
    Add "User2" and grant "Full Control" permissions. 
    Take a screenshot of the permission settings. 
  3. Test Permissions: 
    Log in as User1 and try to create a file in "TestFolder" (should be denied). 
    Log in as User2 and try to create a file in "TestFolder" (should be allowed). 
    Take screenshots of both actions. Post them to the OS Activity Forum and discuss any challenges you had completing the task.