Cyber Security Chapter 6 - Firewalls
filtering methods
(1) stateful packet inspection filtering (2) static packet filtering (3) network address translation (4) application proxy filtering (5) intrusion prevention system filtering (6) antivirus filtering
false alarms
IDSs tend to be ignored after exhausted security staff members receive too many ________.
pass/deny decision
If an attack packet is provable, the firewall drops the packet. If it is not a provable attack packet, the firewall passes the packet to its destination.
internal firewalls
Many firms have __________, which filter traffic passing between different parts of the site's internal network.
service field
The _______ field describes the service to be filtered. Often, this will be TCP or UDP, plus the port number or name of an application. It may also be ICMP or some other type of service defined by the number in the IP header's protocol field.
track field
The _______ field describes what the firewall should do after taking its action. This may be nothing ("none"), logging the information in a log file, or alerting someone.
action field
The _________ field says what firewalls should do with this service. The most obvious actions are Pass and Drop. Another possible action is Authenticate, which tells the firewall to authenticate the user. Other special-handling actions can be defined depending on the firm's specific policy.
firewalls field
The _________ field tells the firewall management server which firewalls or routers should be sent ACLs based upon this policy.
source field and destination field
These can be host names, or they can be groups of IP addresses. Some groups are defined automatically by the system. The firewall administrator must define other groups manually.
policy number field
This field has a unique number for each policy. Policies can therefore be referred to by number.
black holing
a rule is added to the firewall to block all traffic from that IP address
demilitarized zone (DMZ)
a subnet that contains all of the servers and application proxy firewalls that must be accessible to the outside world
NAT traversal
allowing applications that were not designed to work with network address translation to operate across it
multihomed
connects to multiple subnets
Access control lists (ACLs)
consist of a series of rules that are exceptions to the default behaviors
well-known port numbers
designate specific applications running on the server
socket
designates a specific program on a specific computer
state
distinct phase in connection between two applications
network address translation (NAT)
does not actually filter packets but effectively provides a great deal of protection. It is used in firewalls that use various types of examination methods as a second type of protection, and it can thwart sniffers.
unified threat management (UTM) firewalls
embrace both traditional firewall filtering methods and antivirus filtering
intrusion detection systems (IDSs)
examine streams of packets to look for suspicious activities that indicate possible attacks
application-specific integrated circuits (ASICs)
filtering in hardware
ingress filtering
firewall examines packets entering the network from the outside. The purpose of this is to stop attack packets from entering the firm's internal network
firewall policy management system
has a firewall policy database holding the firm's firewall policies
firewall policies
high-level statements to guide firewall implementers
vulnerability testing
it is important to conduct _____________________ after installation in order to detect errors.
connection
link between programs on different machines. It consists of two sockets: an internal socket and an external socket.
deep packet inspection
looks at all the fields in the packet, including the IP header, the TCP or UDP header, and the application message
static packet filtering
looks at packets one at a time, in isolation
anomaly detection
looks at traffic patterns that indicate that some kind of attack is underway
wire speed
maximum speed of the lines that connect to it.
zero-day attacks
new attacks that are made before signatures are defined
connections
persistent conversations between different programs on different computers
sniffers
placed outside of corporate networks by hackers. They allow an attacker to learn about the network's host IP addresses and open port numbers on servers without sending probe packets.
Tor network
provides almost completely anonymous access to the Internet. It uses a series of encrypted relay nodes to forward packets from senders to receivers.
border firewall
sits at the boundary between the corporate site and the external Internet
intrusion prevention systems (IPSs)
stop attacks instead of merely identifying them and generating alarms
screening border router
stops simple high-volume attacks and ensures that responses to external scanning probes cannot reach an external attacker
exit nodes
the Tor node that ends up reaching the destination webserver
egress filtering
the firewall filters packets when they are leaving the network
ICMP echo probes
used in IP address scanning
Tor nodes
used to relay data between senders and receivers
stateful packet inspection (SPI)
uses specific examination methods depending on the state of the connection. It is used by nearly all corporate firewalls today.
it will drop packets it cannot process
what does a firewall do if it becomes overloaded with traffic?
default
what you get if you do not specify something specifically
log file
where information about each dropped packet is stored. The process is called logging.