Monday 17 June 2019

Firewall


Port Number:

A port number is the local address of a service. Port numbers range from 0 to 65535. Out of these 65535 ports, some are known as 'well-known ports', in the range 0 to 1024. The remaining ports are known as 'ephemeral ports' or 'dynamic ports', and their exact range differs from OS to OS. These ports are assigned on demand, when a program needs one.

Socket:

A Socket is a network address of a service (IP_addr + Port_number)

Endpoint:

(IP_address) + (Port_number) + (Service) & (Version_of_the_service)

Firewall:

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. The firewall works in three modes:
  1. Incoming,
  2. Outgoing and
  3. Forwarding.
In the cloud, we can only 'ALLOW' or 'BLOCK' traffic using firewall rules.

Types of Firewall:

* Generally, there are two types of firewall:
  1. Software Firewall
  2. Hardware Firewall

1. Software Firewall: 
Software firewalls are mainly made for operating system protection and hardening (hardening means stopping unnecessary services so that they cannot be used to get access inside my OS).

2. Hardware Firewall: 
Hardware Firewalls are used for enterprise-level protection.

* In the cloud, there are also two types of firewall:
  1. Security Group
  2. Network Access Control List

1. Security Group (SG): 
SG provides security at the instance level.

2. Network Access Control List (NACL): 
NACL provides security at the subnet level.

We will look at three levels of troubleshooting for the case where a server cannot be reached.

Ephemeral Ports:

An ephemeral port is a short-lived transport-layer port that the operating system allocates when a program requests any available user port. The range of these ports differs from OS to OS:

For Windows: the port range is 49152 to 65535, and
For Linux: the port range is 32768 to 61000

In AWS, there are three levels of security, and at each of them we can allow or deny access to our server.

Troubleshooting steps when the web server cannot be reached:

  1. Operating System level troubleshooting
  2. Security Group level troubleshooting
  3. NACL level troubleshooting


CASE #1: OPERATING SYSTEM LEVEL TROUBLESHOOTING

Steps we need to follow:

  1. Launch a Windows instance
  2. Disable the service on OS level
  3. Troubleshoot and enable the service on OS level


Step 1: Launch a Windows instance:

I am launching a Windows instance named 'win-web-iis' in the public subnet of my VPC, named 'webshack-vpc':

AWS ➔ Services ➔ EC2 ➔ Instances ➔ Launch Instance ➔ [*] Free Tier only ➔ Select 'Windows Server 2008' AMI (because this is a very tiny image and takes less time to start) ➔ Instance Type: t2.micro ➔ Next ➔ Number of instances: 1 ➔ Network: select own created 'webshack-vpc' VPC ➔ Subnet: Select the subnet which has public access (as we are creating this instance for Web Server, so we require Internet) ➔ Auto-assign Public IP: (already enabled as we have enabled it at the time of creation of public subnet) ➔ Next ➔ Next: tags ➔ Name: 'win-web-iis' ➔ Next: SG ➔ Create a new SG or select an old one which is allowing port number 3389 ➔ Rule ➔ RDP: TCP: 3389: Anywhere ➔ Review and Launch ➔ Launch ➔ Create a new key-pair OR select any existing key pair ➔ Launch Instances ➔ View Instances.

For OS level troubleshooting, we first disable the service at the OS level:

Step 2: Disable the service on OS level:

Login to Windows instance ➔ Run ➔ paste command: 'control.exe /name Microsoft.NetworkAndSharingCenter' (this command will open Network and Sharing Center) ➔ Windows Firewall ➔ Allow a program or feature through Windows Firewall ➔ Disable HTTP access ➔ OK.

This blocks HTTP access at the OS level: if you open the web server from inside the Windows instance it still works, but nobody outside can reach it (you can verify this by opening the web server from your laptop, using the instance's public IP).

Disable HTTP access from Network and Sharing Center

We use this when we want to do hardening. Hardening means we do not allow unnecessary access to my PC.

Step 3: Troubleshoot and enable the service on the Operating System level:

Enable HTTP access on the web server again, so that we can learn the next level of troubleshooting:
Login to Windows instance ➔ Run ➔ paste command: control.exe /name Microsoft.NetworkAndSharingCenter (this will open Network and Sharing Center) ➔ Windows Firewall ➔ Allow a program or feature through Windows Firewall ➔ Enable HTTP access ➔ OK.


CASE #2: SECURITY GROUP LEVEL TROUBLESHOOTING

Features of Security Group:

  1. All inbound traffic is blocked by default.
  2. All outbound traffic is allowed by default.
  3. We can attach multiple security groups to an EC2 instance.
  4. Security Groups are STATEFUL.
  5. If an inbound rule lets traffic in, the reply traffic is automatically allowed back out again.
  6. We cannot block any specific IP address from the Security Group.
  7. We can specify only allow rules, not deny rules.
  8. Security Groups protect instances and interfaces.

WINDOWS:

Steps we need to follow:
  1. Launch a Windows instance
  2. Login to the Windows instance and install web server
  3. Create a new SG, which allows port number 80
  4. Attach this SG to the web server instance
  5. Verify the browser on the laptop

Step 1: Launch a Windows instance and a Linux instance:

We are going to use the instance, which we created for OS level troubleshooting.

Step 2: Login to the Windows instance and install web server:

Copy the public IP from the instance's description ➔ Run ➔ type 'mstsc' and hit Enter ➔ paste the IP and get access using the username 'administrator' and the password decrypted from AWS ➔ Login.

After login to the instance click on Start ➔ Administrative Tools ➔ Server Manager ➔ Roles ➔ Add Roles ➔ Next ➔ [*] Web Server IIS ➔ Next ➔ Close.

Now the web server is running. Verify this by opening localhost in the browser inside the Windows instance, which works.

Also verify the web server by using the public IP of the Windows instance in the laptop browser, which does not work here. The reason is that all inbound traffic is blocked by default in the Security Group.

Step 3: Create a new SG, which allows port number 80: 

We could change the current SG, but then every other instance using this SG would get both RDP and web server access. So, we will create a new SG:

AWS ➔ Services ➔ EC2 ➔ Security Groups ➔ Create Security Group ➔ Security Group Name: web-access ➔ Description: web access for any OS web server ➔ VPC: select your VPC like I have my created VPC named 'webshack-vpc' ➔ Inbound: Add Rule ➔ Type: HTTP ➔ Source: Anywhere (for learning purpose we can select anywhere but in industry there must be specific IPs) ➔ Create. 

Step 4: Attach this SG to web server instance:

An SG is always attached to the NIC (network interface) of the instance. So, navigate to the NIC of the web server instance:

AWS ➔ Services ➔ EC2 ➔ Instances ➔ Select instance ➔ Description ➔ Click on Network Interface: eth0 ➔ Now, click on Interface ID ➔ Actions ➔ Change Security Groups ➔ As previous SG is selected, select one more SG named 'web-access', which we created for web server ➔ Save.

Step 5: Verify the browser on the laptop:

Laptop ➔ Browser ➔ use the public IP to verify.


Yaayyyy...It's working now!!


LINUX:

Steps we need to follow:
  1. Create a Linux instance
  2. Create a new Security Group with no rules
  3. Replace the SG attached to the Linux instance with this SG
  4. Open one port for SSH access
  5. Open port for ping command in Linux instance

Step 1: Create a Linux instance:
I am launching an instance in the public subnet of my VPC, named 'webshack-vpc':

AWS ➔ Services ➔ EC2 ➔ Instances ➔ Launch Instance ➔ [*] Free Tier only ➔ Select 'Amazon Linux' AMI ➔ Instance Type: t2.micro ➔ Next ➔ Number of instances: 1 ➔ Network: select own created 'webshack-vpc' VPC ➔ Subnet: select public subnet of your VPC ➔ Auto-assign Public IP: (already enabled as we have enabled it at the time of creation of public subnet) ➔ Next ➔ Next: tags ➔ Name: 'linux-server' ➔ Next: SG ➔ Create a new SG or select an old one which is allowing port number 22 ➔ Description: linux-access is created to access linux instances ➔ Rule ➔ SSH: TCP: 22: Anywhere ➔ Review and Launch ➔ Launch ➔ Create a new key-pair OR select any existing key pair ➔ Launch Instances ➔ View Instances.

Step 2: Create a new Security Group with no rules:

AWS ➔ Services ➔ VPC ➔ Security Groups ➔ Create Security Group ➔ Security group name: testing-sg ➔ Description: This SG is created only for testing purposes ➔ VPC: Select VPC, named webshack-vpc ➔ Create ➔ Close. 

Select the security group named 'testing-sg' ➔ Inbound Rules ➔ See Inbound Rules (there is no rule listed) ➔ See Outbound Rules (we have one rule here) ➔ Select and Edit rule ➔ delete this rule by clicking on the cross on the right side (if we attach this SG to any instance, we will not get any access to that instance) ➔ After deleting that rule, click on Save rules ➔ Close.

Step 3: Replace the SG attached to the Linux instance with this SG:

AWS ➔ Services ➔ EC2 ➔ Instances ➔ Select the Linux instance named 'linux-server' ➔ In Description, click on the interface ID, which is 'eth0' ➔ In the popup, click on the 'eni-ID' (this takes us to the Network Interface) ➔ un-check the old security group and tick the 'testing-sg' security group ➔ Save.

Network Interfaces

Now the security group of the Linux instance has been changed, and we cannot access this instance from outside.

Step 4: Open one port for SSH access:

Now, if you try to access your Linux instance using PuTTY, it will not work because of Implicit Deny. So, just add SSH access to the 'testing-sg' security group:

AWS ➔ Services ➔ EC2 ➔ Security Group ➔ Select 'testing-sg' security group ➔ On INBOUND click 'Edit' ➔ Type: SSH ➔ Source: Anywhere (we are selecting Anywhere only for the practical purpose. In production you must provide IP or IP range) ➔ Save.

IMPORTANT:

1. Now, if you try to access your Linux instance, you can (try it using the 'ec2-user' username). Here, traffic comes in on port number 22, but there is no outbound rule, so how did we get access? We got access because of one more feature of the SG: it is "STATEFUL". In this case, ephemeral ports became active to take the traffic out. We can see which ephemeral port was active to take our traffic out using the 'netstat' command. Run it with sudo privileges for the full, descriptive result.

$ sudo netstat -antlpu

2. We can access the instance now, but we cannot get any outside access from this instance. For example, if we ping google.com, it fails. All outbound traffic is allowed by default in a security group, but we deleted that rule, so explicit deny is blocking the traffic.

Step 5: Open port for ping command in Linux instance:

If we want to use the ping command, the traffic originates from our instance. So, we need to write outbound rules in our 'testing-sg' security group:

AWS ➔ Services ➔ EC2 ➔ Security Group ➔ Select 'testing-sg' security group ➔ On Outbound click 'Edit' ➔ Type: All ICMP - IPv4 ➔ Source: Anywhere (we are selecting Anywhere only for a practical purpose. In production you must provide IP or IP range) ➔ Save.

We can ping Google now, but we cannot access any other outside service from this instance. If we want to allow all traffic, we need to allow 'All traffic':

AWS ➔ Services ➔ EC2 ➔ Security Group ➔ Select 'testing-sg' security group ➔ On Outbound click 'Edit' ➔ Type: All traffic ➔ Destination: Anywhere ➔ and delete the ICMP rule, because it is now redundant ➔ Save.

Now any traffic can go to this Linux instance and come back out at the same time.


CASE #3: NACL LEVEL TROUBLESHOOTING


NACL (Network Access Control List) provides a rule-based tool for controlling network traffic at the subnet level.

Features of NACL:


  1. Your VPC automatically comes with a default NACL, which by default allows all inbound and outbound traffic.
  2. NACL operates at the subnet level.
  3. Each subnet in your VPC must be associated with a NACL. If you do not associate one explicitly, the subnet is associated with the default NACL.
  4. You can associate a NACL with multiple subnets; however, a subnet can be associated with only one NACL at a time.
  5. NACL contains a numbered list of rules (starting with 100) that are evaluated in order.
  6. NACL has separate inbound and outbound rules, and each rule either allows or denies traffic (based on IP address).
  7. NACL is a STATELESS service.

Steps we need to follow:

  1. Create a Linux instance
  2. Create a Network ACL
  3. Associate NACL to Subnet
  4. Give Inbound rule to 'my-custom-nacl'
  5. Give Outbound rule to 'my-custom-nacl'

Step 1: Launch a Linux instance:

I am going to use the same instance, named 'linux-server', which I created for previous practical.

Step 2: Create a Network ACL:

Navigate to the NACLs:
AWS ➔ Services ➔ VPC ➔ Network ACLs

Default NACLs


Here, we can see two Network ACLs: one belongs to the default VPC and the other to my VPC, named 'webshack-vpc'. If we check its rules, we see a rule numbered 100, and a Deny policy listed for the same rule. So, if we want to add a rule here, we need to give it a lower number so that it takes precedence, because rules are read by number sequentially.

Default NACL Rules

The default NACL does not have very good rules, so we are going to create a new Network ACL:
AWS ➔ Services ➔ VPC ➔ Network ACLs ➔ Create Network ACL ➔ Name tag: my-custom-nacl ➔ VPC: select your VPC (I'm selecting my VPC named 'webshack-vpc') ➔ Create.

Select the NACL and verify its inbound and outbound rules. There is neither an inbound rule nor an outbound rule.

Step 3: Associate NACL to Subnet:

IMPORTANT:
One NACL can be associated with multiple subnets, but one subnet can only have one NACL.

AWS ➔ Services ➔ VPC ➔ Network ACLs ➔ Select newly created NACL 'my-custom-nacl' ➔ Subnet associations ➔ Edit subnet associations ➔ Select the subnet on which you want to associate this NACL (I am selecting public subnet 'webshack-sub1-pub') ➔ Edit.

FIG: NACL SUBNET ASSOCIATIONS

Right now, we do not have any inbound or outbound rule in our NACL. So, we cannot access our Linux instance named 'linux-server' (try to access it using PuTTY). There will be an error: 'Request time out'.

Step 4: Give Inbound rule to 'my-custom-nacl':

AWS ➔ Services ➔ VPC ➔ Network ACLs ➔ Select 'my-custom-nacl' ➔ Inbound Rules ➔ Edit inbound rules ➔ Add Rule ➔ Rule #: (provide the Rule # by priority, i.e. the priority at which you wish this rule to be active; I am providing '1') ➔ Type: SSH ➔ Source: 0.0.0.0/0 ➔ Allow/Deny: Allow ➔ Save.

Now try SSH again, but it still does not connect. Because the NACL is stateless, it requires both inbound and outbound rules.

Step 5: Give Outbound rule to 'my-custom-nacl':

We provided SSH in the inbound rule, but port 22 is only for getting in, so for outbound we cannot provide port number 22. Here, ephemeral ports come into the picture. We cannot predict which ephemeral port will be active at that time, because these port numbers are allocated for one connection only; the next time we access the service, there is no guarantee that we will get the same port number. So, we need to allow 'All Traffic', so that every port can carry traffic outside.

AWS ➔ Services ➔ VPC ➔ Network ACLs ➔ Select 'my-custom-nacl' ➔ Outbound Rules ➔ Edit outbound rules ➔ Add Rule ➔ Rule #: (provide the Rule # by priority, i.e. the priority at which you wish this rule to be active; I am providing '1') ➔ Type: All Traffic ➔ Destination: 0.0.0.0/0 ➔ Allow/Deny: Allow ➔ Save.
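As an added illustration (example code, not from the original post), here is a small Python model of the two behaviours described in the "IMPORTANT" note of Case #2 and in Step 5 above: a stateful security group lets the SSH reply back out even with no outbound rule, while a stateless NACL drops the reply unless an outbound 'All Traffic' rule covers the client's ephemeral port, and NACL rules are evaluated lowest number first. The IP addresses, the client port 51000 and the rule numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "icmp"
    src_ip: str
    src_port: int   # 0 for ICMP
    dst_ip: str
    dst_port: int
    def reply(self):  # the return packet: addresses and ports swapped
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "icmp" or "all" (the console's 'All Traffic')
    port: Optional[int]    # destination port; None = any port
    action: str = "allow"  # NACL rules may also "deny"; SG rules are allow-only
    number: int = 0        # NACL rule number; ignored by security groups

def matches(rule, flow):
    # All rules here use 0.0.0.0/0, so only protocol and destination port matter.
    return rule.proto in ("all", flow.proto) and rule.port in (None, flow.dst_port)

class SecurityGroup:
    """STATEFUL: a flow allowed in one direction gets its reply back automatically."""
    def __init__(self, inbound, outbound):
        self.rules, self.tracked = {"in": inbound, "out": outbound}, set()
    def permits(self, direction, flow):
        allowed = (flow.reply() in self.tracked            # return traffic of a tracked flow
                   or any(matches(r, flow) for r in self.rules[direction]))
        if allowed:
            self.tracked.add(flow)
        return allowed                                     # False = implicit deny

class NetworkAcl:
    """STATELESS: lowest rule number first, first match wins, otherwise the '*' DENY."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}
    def permits(self, direction, flow):
        for rule in self.rules[direction]:
            if matches(rule, flow):
                return rule.action == "allow"
        return False                                       # nothing matched: '*' DENY

def ssh_session(fw, client_port=51000):
    """(request allowed in, reply allowed out) for one SSH login from a laptop."""
    # Constructed addresses: laptop 203.0.113.10 -> instance 10.0.1.5, port 22.
    request = Flow("tcp", "203.0.113.10", client_port, "10.0.1.5", 22)
    return fw.permits("in", request), fw.permits("out", request.reply())
```

With 'testing-sg' (inbound SSH only, outbound rules deleted) the session returns (True, True) but an outgoing ping is refused; with 'my-custom-nacl' it returns (True, False) until the outbound 'All Traffic' rule is added.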

Step 6: Verify whether we are getting access:
AWS ➔ Services ➔ EC2 ➔ Instances ➔ Select Linux Instance ➔ Copy Public IP ➔ Open PuTTY ➔ Paste Public IP ➔ Navigate SSH ➔ Click on 'Auth' ➔ Browse: Select ppk file ➔ Open ➔ Provide username 'ec2-user'.

Enjoyyyyyy!!
