ITSY Ch 5.3 Firewalls

Firewall

Device/Software - Inspects network traffic and allows/blocks traffic based on rules

DDoS

Distributed Denial of Service. The main types of DoS attacks are flood attacks, SYN floods, ping floods, UDP floods, and port floods

Fragmented Packets

Firewall Security Feature - Blocks the sending of fragmented IP packets.

You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from internet-based attacks. Which solution should you use?

A host-based firewall inspects traffic received by a host. Use a host-based firewall to protect against attacks when there is no network-based firewall, such as when you connect to the internet from a public location. A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. A VPN concentrator is a device connected to the edge of a private network that is used for remote access VPN connections. Remote clients establish a VPN connection to the VPN concentrator and are granted access to the private network. A proxy server is an Application-level firewall that acts as an intermediary between a secure private network and the public. Access to the public network from the private network goes through the proxy server.

Proxy Server

A proxy server is a device that stands as an intermediary between a secure private network and the public and is a specific implementation of an Application-level firewall. With a proxy, every packet is stopped and inspected at the firewall, which causes a break between the client and the source server. Proxies can be configured to: control both inbound and outbound traffic; increase performance by caching heavily accessed content (content is retrieved from the proxy cache instead of the original server); filter content; shield or hide a private network; restrict access by user or by specific websites; and allow inspection of encrypted packets, such as SSL inspection.

You connect your computer to a wireless network available at the local library. You find that you can access all of the websites you want on the internet except for two. What might be causing the problem?

A proxy server is blocking access to the websites. A proxy server can be configured to block internet access based on website or URL. Many schools and public networks use proxy servers to prevent access to websites with objectionable content. Ports 80 and 443 are used by HTTP to retrieve all web content. If a firewall were blocking these ports, access would be denied to all websites. Port forwarding directs incoming connections to a host on the private network. Port triggering dynamically opens firewall ports based on applications that initiate contact from the private network.

Which of the following describes how access control lists can be used to improve network security?

An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number. Access control lists are configured on routers, and they operate on Layer 3 information. Port security is configured on switches, which filter traffic based on the MAC address in the frame. An intrusion detection system (IDS) or intrusion prevention system (IPS) examines patterns detected across multiple packets. An IPS can take action when a suspicious pattern of traffic is detected.

You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?

Circuit-level proxy/gateway. A circuit-level proxy or gateway makes decisions about which traffic to allow based on virtual circuits or sessions. A circuit-level gateway: operates at OSI Layer 5 (Session layer); keeps a table of known connections and sessions, and accepts packets directed to known sessions; verifies that packets are properly sequenced; ensures that the TCP three-way handshake process occurs only when appropriate; and does not filter packets but rather allows or denies sessions. A packet-filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols. An Application-level gateway is a firewall that is capable of filtering based on information contained within the data portion of a packet (such as URLs within an HTTP request). A VPN concentrator is a device that is used to establish remote access VPN connections.

When designing a firewall, what is the recommended approach for opening and closing ports?

Close all ports; open only ports required by applications inside the DMZ. When designing a firewall, the recommended practice is to close all ports and then only open those ports that allow the traffic that you want to allow inside the DMZ or the private network. Ports 20, 21, 53, 80, and 443 are common ports that are opened, but the exact ports you open depend on the services provided inside the DMZ.

You have just installed a packet-filtering firewall on your network. Which options are you able to set on your firewall? (Select all that apply.)

Destination address of a packet; source address of a packet; port number. A packet-filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols.

Which of the following best describes a stateful inspection?

Determines the legitimacy of traffic based on the state of the connection from which the traffic originated. Stateful firewalls, also referred to as stateful multilayer firewalls, determine the legitimacy of traffic based on the state of the connection from which the traffic originated. The stateful firewall maintains a state table that tracks the ongoing record of active connections. A virtual private network (VPN) is a network that provides secure access to a private network through a public network or the internet. Virtual private networks offer secure connectivity between many entities, both internally and remotely. Their use of encryption provides an effective defense against sniffing. Network Address Translation (NAT) separates IP addresses into two sets. This technology allows all internal traffic to share a single public IP address when connecting to an outside entity. A firewall can be implemented on circuit-level gateways or Application-level gateways. Both of these firewall designs sit between a host and a web server and communicate with the server on behalf of the host. They can also be used to cache frequently accessed websites for faster web page loading.

Packet Filtering (stateless)

Firewall - Makes decisions about which network traffic to allow by examining info in the IP packet header, such as source and destination addresses, ports, and service protocols. Packet filtering firewalls: operate up to OSI Layer 3 (the Network layer); use access control lists (ACLs) or filter rules to control traffic; offer high performance because they only examine addressing information in the packet header; can be implemented using features that are included in most routers; are not very intelligent, so they are subject to DoS and buffer overflow attacks; and are easy to implement and maintain, have a minimal impact on system performance, and are fairly inexpensive. A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject each packet without considering whether the packet is part of a valid and active session.

Application Layer Firewall

Firewall - Makes security decisions based on information contained within the data portion of a packet. An Application-level gateway: operates up to OSI Layer 7 (the Application layer); stops each packet at the firewall and inspects it, so there is no IP forwarding; inspects encrypted packets, such as in SSL inspection; examines the entire content (not just individual packets); understands or interfaces with the Application layer protocol; can filter based on user, group, and data such as URLs within an HTTP request; and is the slowest form of firewall because entire messages are reassembled at the Application layer.

TCP Flood

Firewall Security Feature - Drops all invalid TCP packets. This protects your network from SYN flood attacks.

Block ping to WAN

Firewall Security Feature - Helps prevent attackers from discovering your network through ICMP Echo (ping) requests.

ICMP Flood Detect Rate

Firewall Security Feature - Monitors non-ping ICMP packets. Triggered by too many ICMP responses.

SYN Flood Detect Rate

Firewall Security Feature - Prevents SYN floods. Monitors the rate of SYN packets during a configured time period. Triggered by too many SYN packets.

UDP Flood

Firewall Security Feature - Prevents UDP flood attacks by metering the number of simultaneous, active UDP connections from a single computer on the internal network.

Echo Storm Detect Rate

Firewall Security Feature - Prevents ping floods. Monitors the rate of echo pings during a configured time period. Triggered by too many pings.

ICMP Notification

Firewall Security Feature - Silently blocks the sending of ICMP notifications. Some protocols may require these notifications.

Stealth Mode

Firewall Security Feature - Prevents the response to port scans from the WAN. This protects against port floods.

Floodguard

Firewall Software - Protects against DoS and DDoS

Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the BEST type of firewall for her to use?

Hardware. Hardware firewalls are physical devices that are usually placed at the junction or gateway between two networks, generally a private network and a public network like the internet. Hardware firewalls can be a standalone product or can also be built into devices like broadband routers. Software firewalls are generally used to protect individual hosts. Tunneling is when an attacker wraps a malicious command in an HTTP, ICMP, or ACK tunneling packet that bypasses the firewall and reaches an internal system. Stateful firewalls, also referred to as stateful multilayer firewalls, determine the legitimacy of traffic based on the state of the connection from which the traffic originated.

Network firewall

Hardware - Regulate traffic in and out of an entire network

Which of the following are features of an application-level gateway? (Select two.)

Reassembles entire messages; stops each packet at the firewall for inspection. Application-level gateways: operate up to OSI Layer 7 (Application layer); stop each packet at the firewall for inspection (no IP forwarding); inspect encrypted packets, such as in an SSL inspection; examine the entire content that is sent (not just individual packets); understand or interface with the application-layer protocol; can filter based on user, group, and data (such as URLs within an HTTP request); and are the slowest form of firewall protection because entire messages are reassembled at the Application layer. Allowing only valid packets within approved sessions and verifying that packets are properly sequenced are features of a stateful firewall. Using access control lists is a feature of a packet-filtering firewall.

Stateful firewall (circuit-level proxy/gateway)

Software - Allows or denies traffic based on virtual circuits or sessions. A stateful firewall: operates up to OSI Layer 5 (the Session layer); keeps track of known connections and sessions in a session table (also referred to as a state table); allows only valid packets within approved sessions; verifies that packets are properly sequenced; ensures that the TCP three-way handshake process occurs only when appropriate; and can filter traffic that uses dynamic ports because the firewall matches the session information (not the port numbers) for filtering. In general, stateful inspection firewalls are slower than packet filtering firewalls. If only the session state is being used for filtering, a stateful inspection firewall can be faster after the initial session table has been created.

Stateless firewall

Software - Allows or denies traffic by examining info in IP packet headers

Application firewall (host-based firewall)

Software - Installed on a workstation and used to protect a single device

Which of the following are characteristics of a packet-filtering firewall? (Select two.)

Stateless; filters IP address and port. A packet-filtering firewall makes decisions about which network traffic to allow by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols. A packet-filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject each packet without considering whether the packet is part of a valid and active session. A circuit-level proxy or gateway makes decisions about which traffic to allow based on virtual circuits or sessions. A circuit-level proxy is considered a stateful firewall because it keeps track of the state of a session. Application-level gateways filter on Application layer data, which might include data such as URLs within an HTTP request.

Open Systems Interconnection (OSI) model

A seven-layer architecture for defining how data is transmitted from computer to computer in a network, from the physical connection to the network to the applications that users run. It also standardizes interactions between network computers exchanging information.
