Eleven Fifty Cybersecurity Network+ Chapter 10
Application-based firewall
-protects single host -Windows firewall -can perform packet filtering and control which processes can use the network interface -vulnerable to tampering
A network manager is configuring a firewall. Prepare the guidelines for the network manager to follow (choose two)
1. the most important placed at the top 2. only allow the minimum amount of traffic required
host-based firewall
A firewall that only protects the computer on which it's installed. (host)
UTM (Unified Threat Management)
A security appliance that combined multiple security controls into a single solution. UTM appliances can inspect data streams for malicious content and often include URL filtering malware inspection and content inspection components *intrusion detection/prevention *malware scanning *firewall *traffic filtering *Budget option
passive detection
A type of intruder detection that logs all network events to a file for an administrator to view later.
Network-Based Intrusion Prevention Systems (NIPSs)
Active response throttle bandwidth reconfigure firewall rewrite packets inline with network (at border between 2 zones) - all traffic travels through them creates SPoF (single point of failure) shunning = temporary block on IP end TCP session
session hijacking attack
An attack where the attacker exploits a legitimate session to obtain unauthorized access to an organization's network or services.
iptables
Firewall chains (direction or type of traffic) iptables works with the firewall chains, which apply to the different types of traffic passing through the system.
What is a means of using software tools to passively provide real-time analysis of either network traffic or system and application logs?
IDS - Intrusion Detection System
Three main chains (iptables)
INPUT - affecting incoming connections OUTPUT - for outgoing connections FORWARD - used for connections that are passing through the server, rather than being delivered locally. Rules applied to each chain to accept or drop traffic matching IP address or port number (no other criteria)
What parameters can a layer 3 firewall ruleset use?
IP source and destination, protocol type and port number
stateful inspection firewalls
Layer 5 stateful inspection (context-aware) can examine TCP headers state table (where info about sessions is stored) Can also apply packet filtering rules better protection against DoS (flood guard) examines TCP three-way handshake prevents session hijacking
What OSI layer does an NGFW work at and why?
Layer 7 because NGFW is configured with application-specific filters that can parse the contents of protocols such as HTTP, SMTP, or FTP
NGFW (Next Generation Firewall) or Layer 7
Layer 7 stateful multi-layer inspection or deep packet inspection (also application firewall can examine packet payload and monitor connections (stateful) requires filter for each application type of traffic web application firewall (WAF) Application aware firewall *both need SSL inspector to examine encrypted traffic
Misconfigured firewall and ACL issues
Misconfiguration blocks packets that are supposed to be allowed through. This will cause an application or protocol to fail to function correctly.
Host-based IDS (HIDS) and IPS (HIPS)
Monitor: -log files -system integrity -network interfaces -process launches Agent software running on a host (single host) Management and alerting channel
What security tool is used to throttle the bandwidth of attacking hosts and modifies suspect packets to render them harmless?
NIPS - Network-Based Intrusion Prevention System
Packet-filtering firewalls operate at what layer of the OSI model?
Network layer
Using iptables, in which chain would you create rules to block all outgoing traffic not meeting certain exceptions?
OUTPUT chain
A server that mediates the communications between a client and another server is known as?
Proxy Server
Signature Management
Signature-based -must be updated with latest definitions -many attacks do not confirm to specific signatures (so doesn't catch them all) Behavior-based (statistical/profile) -train sensor to recognize baseline "normal" -Heuristics -Statistical model of behavior -Tuning period (takes time - false positives) -High error rates (false negatives)
What type of firewall operates at Layer 5 (session) of the OSI model?
Stateful Inspection
Packet filtering rules
*IP filtering - accepting or denying traffic based on its source and/or destination IP address *Protocol ID/type (TCP, UDP, ICMP, routing protocols and so on). *Port filtering/security - accepting or denying a packet based on source and destination port numbers (TCP or UDP application type)
A reverse proxy is used with a published website to not directly expose the server to the Internet True or False?
True
T or F: Routers can have the functionality of a firewall built into the router firmware?
True
What is the main purpose of UTM?
Unified Threat Management (UTM) consolidates multiple security functions in a single appliance with a single management console.
A company has suffered a data breach. Investigators are able to establish exactly when the data breach occurred, but on checking the IDS logs, no evidence of the breach is present. What type of intrusion detection error condition is this
a false negative
rule-based management
a firewall, proxy or content filter. The aim of this principle is to only allow the minimum amount of traffic required for the operation of valid network services, and no more.
Intrusion Detection System (IDS)
a means of using software tools to provide real-time analysis of either network traffic or system and application logs. IDS Is similar to anti-virus software but it protects against a broader range of threats.
stateless
a packet filtering firewall is stateless. This means that it does not preserve information about the connection between two hosts. This type of filtering requires the least processing effort, but it can be vulnerable to attacks that are spread over a sequence of packets.
Forward Proxy Server
a router-type firewall forwards or blocks only Proxies store and forward breaks end-to-end connection between hosts proxy opens the connection with the server on behalf of the client (or vice versa) -most stateful firewalls are implemented as proxies -most can also cache and pre-fetch content to improve performance
What component does a network-based IDS use to scan traffic?
a sniffer or sensor
Network Operating System (NOS) firewall
a software-based firewall running under a network server OS, such as Windows or Linux. The server would function as a gateway or proxy for a network segment.
appliance firewall
a stand-alone hardware firewall that performs only the function of a firewall. The functions of the firewall are implemented on the appliance firmware. This is also a type of network-based firewall and monitors all traffic passing into and out of a network segment. This type of appliance could be implemented with routed interfaces or as layer 2 / virtual wire "transparent" firewall.
Signature-based detection
aka pattern matching means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates in an incident.
Layer 7 Firewall names
application firewall Application layer gateway stateful multilayer inspection deep packet inspection
misconfigured firewall and ACL issues
authorized application blocked *blocked TCP or UDP port *blocked IP address or network **Test from inside and outside firewall *inspect firewall log Unauthorized application not blocked- worse!
Other than attempting to block access to sites based on content, what other security options might be offered by internet content filters?
blocking access based on time of day or total usage
L3 Switch
can perform packet filtering
Intrustion Prevention System (IPS)
can provide an active response to any network threats that it matches. One typical preventive measure is to end the TCP session, sending a spoofed TCP reset packet to the attacking host.
What is shunning?
configuring an IPS to set a temporary firewall rule to block the suspect IP address
You are troubleshooting a connectivity problem with a network application server. Certain clients cannot connect to the service port. How could you rule out a network or remote client host firewall as the cause of the problem?
connect to or scan the service port from the same segment with no host firewall running
web application firewall (WAF)
could analyze the header and the HTML code present in HTTP packets to try to identify code that matches pattern in its threat database.
What sort of maintenance must be performed on signature-based monitoring software?
definition/signature updates
network-based firewall
deployed to protect a network segment (placed at border)
Content Filters (aka web security gateway)
designed for corporate control over employees' internet use. It could be implemented as a standalone appliance or proxy server software. -keyword or URL based filtering -time-of-day / total usage restrictions -personal software or internet gateway/ proxy -SSL inspection (required for encrypted traffic)
content filter or web security gateway
designed for corporate control over employees' internet use. It could be implemented as standalone appliance for proxy server software. May ISPs implement content filtering as part of their Internet access packages.
behavior-based detection
effective at detecting previously known threats
caching engine
frequently requested web pages are retained on the proxy, negating the need to re-fetch those pages for subsequent requests.
NOS firewall
gateway / proxy
Reverse Proxy Server
handle protocol-specific inbound traffic publish LAN server to network perimeter protects actual servers from being exposed in parameter network offload processing and cache content
Anti-virus scanners
hook calls to executable code scan code to identify malware signature identify suspicious code behavior through heuristics Remediation options - clean, quarantine, erase Malware identification and research CME - Common Malware Enumeration Manual removal techniques Block future infections
File Integrity Monitoring
hsoftware that audits key system files to make sure they match the authorized versions. FIM does this by computing a secure checksum, also know as a hashsum, for the "known-good" version of a file. It periodically scans protected files, re-computing a hashsum for the locally installed version and checking that it matches the "known-good" value. compare file signatures to known-good Windows File Protection and sfc Tripwire and OSSEC *Hashsum / Checksum
transparent proxy server (forced)
intercepts client traffic without the client having to be reconfigured. Must be implemented on a switch or router other inline network appliance.
What is a command line utility provided by many Linux distributions that allows administrators to edit the rules enforced by the Linux kernel firewall?
iptables
Implicit deny
last rule blocks all other traffic Firewall Rules are processed top-to-bottom
Heuristics
learning from experience
Firewall and ACL Configuration
least access rules processed top-to-bottom (most specific first) each rule either blocks or allows according to parameters (tuples) - outbound traffic - inbound traffic last rule blocks all other traffic (implicit deny) rule-based management
circuit-level inspection firewall
maintains stateful information about the session established between two hosts (including malicious attempts to start a bogus session) examines the TCP three-way handshake and can detect attempts to open connections maliciously.
circuit-level stateful inspection firewall
maintains stateful information about the session established between two hosts (including malicious attempts to start a bogus session). A stateful firewall operates at Layer 5 of the OSI Model. When a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. If it does not, it applies the ordinary packet filtering rules to determine whether to allow it. Once the connection has been allowed, the firewall allows traffic to pass unmonitored in order to conserve processing effort.
transparent proxy
must be implemented on a switch or router or other inline network appliance. Transparent proxy mode works without any additional configuration being necessary on clients. Transparent mode will filter SSL (port 443) if you enable HTTPS/SSL interception. Legitimate MitM
multi-purpose proxy
one configured with filters for multiple protocol types, such as HTTP, FTP and SMTP.
Next generation firewall (NGFW) or Layer 7 Firewall
one that can inspect and parse (interpret) the contents of packets at the Application layer.
security gateways
primary functions are to prevent viruses or Trojans infecting computers from the internet, block spam, and restrict web use to authorized sites acting as a content filter.
reverse proxy server
provides for protocol-specific inbound traffic. For security purposes, t is inadvisable to place application servers, such as messaging and VoIP servers, in the perimeter network, where they are directly exposed to the Internet. Instead, you can deploy a reverse proxy and configure it to listen for client requests from a public network (Internet) and create the appropriate request to the internal server on the corporate network. Some reverse proxy servers can handle encryption/decryption and authentication issues that arise when remote users attempt to connect to corporate servers, reducing the overhead of those servers.
proxy server
rather than inspecting traffic as it passes through, the proxy deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on, providing it confirms to the rules. A proxy is a man-in-the-middle, but legitimate one! This is more secure than a firewall that only performs filtering. IF a packet contains malicious content or construction that a firewall does not detect, the firewall will allow the packet. A proxy would erase the suspicious content in the process of rebuilding the packet. The drawback is that there is more processing to be done than with a firewall. Main benefit of a proxy server is that clients connect to a specified point within the perimeter network for web access. this provides a degree of traffic management and security. In addition, most web proxy servers provide caching engines.
pre-fetch pages
referenced in pages that have been requested. When the client computer then requests that page, the proxy server already has a local copy.
SOHO router firewall
single subnet (home network)
If a firewall does not preserve information about the connection between two hosts, it is:
stateless
Non-Transparent Proxy
the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080. legitimate MitM
firewalls
the devices principally used to implement security zones, such as intranet, DMZ and Internet. The basic function of a firewall is traffic filtering -restricts traffic allowed on network -configured with access control rules -network firewall (protects whole network or segment of network -Host firewall - protects single host -Level of operation (OSI Layer) 3, 5, 7
packet filtering firewalls
the earliest type of firewall. A packet filtering firewall is configured by specifying rules, which are called ACL (access control list). Each rule defines a specific type of data packet and the appropriate action to take when a packet matches the rule. An action can be either to deny (block or drop the packet, and optionally log an event) or to accept (let the packet pass through the firewall). A packet filtering firewall can inspect the headers of IP packets. The rules can be based on the information found in those headers. Works mainly at Layer 3 (Network), stateless rule-based ACL - deny or accept
router firewall
the functionality is built into the router firmware. Most SOHO internet router/modems have this type of firewall functionality, though they are typically limited to supporting a single subnet within the home network.
host-based IPS (HIPS)
the software can prevent system files from being modified or deleted, prevent services from being stopped or log off unauthorized users and filter network traffic
iptables -A INPUT -s 10.1.0.1 -j ACCEPT iptables -A INPUT -s 10.1.0.0/24 -j DROP
to change the firewall rules, commands such as the following would be used. These examples allow one IP address from a specific subnet to connect and block all others from the same subnet
Why would you deploy a reverse proxy?
to publish a web application without directly exposing the servers on the internal network to the internet.
iptables -L -v
to view the current status of the iptables and the volume of traffic using the chains
Port forwarding
used by devices, such as game consoles and applications such as servers to make sure that data coming from the Internet gets to the device that needs to use it.
Is it a good idea to block TCP and UDP ports in a firewall?
False
What security tool and software can be used to scan files and re-compute a hashsum to ensure it matches the correct value?
FIM File Integrity Monitoring
What type of firewall monitors packet sequence to prevent session jacking?
Circuit-level
What is the default rule on a firewall?
Deny anything not permitted by the preceding rules
Network IDS (NIDSs)
Deployed as a passive sniffer/sensor at network aggregation points. Uses signature, anomaly analysis real-time analysis of network traffic sensor inside firewall spanned port on switch limited prevention Detects (not prevent)s: -attack signatures -password guessing -port scans -worms -backdoors -malformed packets -policy violations