Lesson 10

¡Supera tus tareas y exámenes ahora con Quizwiz!

A proxy server provides the following services:

Hiding network resources Logging Caching

4 common firewall installation

Screening router single homed bastion dual homed bastion screened subnet

Application-layer proxy

By far the most popular types of proxy servers

Circuit-level gateways often provide...

Network Address Translation (NAT), in which a network host alters the packets of internal network hosts so they can be sent out across the Internet. You will learn more about NAT shortly.

The most popular circuit-level gateway is

SOCKS invented by David Koblas

Masquerading is useful with NAT..

because it allows hosts using private network IP addresses to communicate with hosts on the Internet. A commonly used phrase for masquerading is "packet mangling."

Disadvantages of Single-homed bastion host

increased cost and reduced performance

MASQUERADE

target allows you to establish NAT on a firewall.

Operating system hardening

the firewall's installation program disables or removes all unnecessary services

Chargeback

The concept of billing users for the volume of network traffic they generate.

modprobe -r ipchains

removes all ipchains modules

NAT and vendor terminology

trusting trusted

nat

used for creating NAT Contains the PREROUTING, OUTPUT and POSTROUTING tables.

ipchains forward

used to control packets being masqueraded, or sent to remote hosts

ipchains input

used to control packets entering the interface

Stateful multi-layer inspection

allows packet filters to overcome weaknesses inherent in packet filtering can examine packets in context because the firewall can maintain a database of past connections. allows you to detect and thwart ping and port scans, and help determine if a packet has been spoofed. allows packet filters to inspect packets at all layers of the OSI/RM, not just the network layer.

Screened host firewall (single-homed bastion)

hosts can be configured as either circuit-level or application-level gateways. When using either of these two types, each of which is a proxy server, the bastion host can hide the configuration of the internal network. The single-homed bastion host provides this functionality by using network address translation (NAT). Using NAT allows the network administrators to use any internal IP address scheme.

Dual-homed bastion host

identically to single-homed bastion hosts except that they have at least two network interfaces. serve as application gateways, and as packet filters and circuit gateways as well.

Single-homed bastion host

is a firewall device with only one network interface used for application-level gateway firewalls.

Another name for a choke point

is a network preimeter

Web security gateway

is an application designed to provide security protection from malware by classifying new and dynamic Web content in real-time, determining immediately whether the Web site and its contents are safe.

Proxy server

is an entity that stands for, or acts for and on behalf of, another person or thing. ie: attending a meeting for an absent colleague

The primary advantage of using a circuit-level gateway...

is that it provides NAT, which allows security and network administrators great flexibility when developing an internal IP addressing scheme.

Screened host firewall (dual homed bastion)

it creates a complete physical break between your network and any external one, such as the Internet

Firewall Terminology

Packet filter Proxy Server Network address translation

Logging

A proxy server can log incoming and outgoing access, allowing you to see the details of successful and failed connections.

circuit-level gateway is composed of two hosts:

An encrypted connection exists between the first firewall host and the second, and both work together to process traffic.

A firewall strategy should aim to meet four goals:

Implement a company's security policy Create a choke point Log Internet activity Limit network host exposure

Disadvantages of screening routers

a high degree of TCP/IP knowledge is required to create proper filters. configuration errors within a filter may allow unwanted traffic to pass, or may deny acceptable traffic.

Firewall

A security barrier that controls the flow of information between the Internet and private networks. A firewall prevents outsiders from accessing an enterprise's internal network, which accesses the Internet indirectly through a proxy server.

three types of firewalls

Packet Filter Circuit-level gateway Application-level gateway

Demilitarized zone (DMZ)

mini-network that resides between a company's internal network and the external network. The network is created by a screening router and, sometimes, a choke router. A DMZ is used as an additional buffer to further separate the public network from your internal private network.

Screened subnet firewall (DMZ)

most common method for implementing a firewall is the screened subnet (DMZ) because it creates a fairly secure space, or subnetwork, between the Internet and your network. benefits of this method is the fact that a hacker wanting to access your network must subvert three separate devices without being detected.

Masquerading

n relation to packet-filtering firewalls, masquerading is the process of altering the IP header. ei: alter the IP header so it appears to originate from the firewall, rather than from the original host.

proxy replaces the

network IP address with a single IP address. Multiple systems can use this single IP address.

Triple-homed bastion host

often separates the Internet, the internal network and the demilitarized zone (DMZ). creates a fairly secure space, or subnetwork, to locate servers that are accessed from the Internet, including modem pools, FTP and Web servers.

Circuit-level proxy

operates at the transport layer of the OSI/RM monitors the source and destination of TCP and UDP packets

Disadvantage: Single-homed bastion host

router can be reconfigured to pass information directly to the internal network, completely bypassing the bastion host.

ipchains output

used to control packets leaving the interface

The internal network address ranges are as follows:

10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

Caching

A proxy server can save information obtained from the Internet (for example, Web pages). This cache contains copies of information found on the Internet.

Creating Packet Filter Rules

Because a packet filter is a device that inspects each packet for pre-defined content, you must define rules that tell the packet filter what to block or allow. Although it does not provide error-proof protection, it is almost always the first line of defense.

Type of Service (ToS)

Bits that can help prioritize certain types of traffic. Routers can mark IP packets with certain ToS bits. For example, you can set ToS bits for all HTTP traffic, so that it is processed before any other traffic type.

Three ways exist to provide true NAT:

Configure masquerading on a packet-filtering firewall, such as a Linux system. Configure a circuit-level gateway. Use a proxy server to conduct requests on behalf of internal hosts.

Firewall Configuration Defaults

Deny all traffic, in which case you would specify certain types of traffic to allow in and out of your network. Allow all traffic, in which case you would specify certain types of traffic to deny.

Hiding network resources

Hackers will see only one IP address instead of all exposed systems.

a firewall works both ways:

It controls access to traffic entering and leaving the network.

Firewall Design Principles

Keeping Design Simple Making Contingency Plans

Many systems administrators place.....

Web and DNS servers in a DMZ because it is more convenient. The benefit of this practice is that the screening router provides some protection.

DMZ

a mini-network that resides between a company's internal network and the external network like the internet.

Proxy servers are very important to firewall applications because.....

a proxy replaces the network IP address with a single IP address.

mangle

alters the packets has PREROUTING (alters packets that have entered the system) and OUTPUT (alters packets that have been generated by the local operating system).

screening router

another term for a packet-filtering router that has at least one interface exposed to a public network, such as the Internet. A screening router is different from a bastion host in that it does not use additional services to thoroughly screen packets. A screening router is configured to examine inbound and outbound packets based upon filter rules.

Packet filter

are devices that process network traffic on a packet-by-packet basis.

Internal bastion hosts

can be any of the three common bastion host types. They are standard single-homed or multi-homed bastion hosts, but reside inside your company's internal network.

iptables

command manipulates a special area of the kernel called Netfilter

Screening routers

considered an excellent first line of defense You learned earlier that screening routers can be configured to reject all inbound and outbound traffic based upon IP address and TCP and UDP ports.

filter

contains the INPUT, OUTPUT and FORWARD chains. The default table reports when you list chains using the iptables -L command.

Web security gateway categorizes actual

content on Web sites, not just the sites themselves, which allows users to access Web sites but block portions of sites that are inappropriate or may pose a security risk. they can immediately protect users from malicious Web content.

Security administrators use choke points to limit

external access to their networks. Using a firewall strategy creates choke points, because all traffic must flow through the firewalls.

The primary disadvantage of a circuit-level gateway, however,

is that it requires modified applications. To work with a circuit-level gateway firewall, an application must be specifically written to provide all connection information to the SOCKS server

Network Address Translation (NAT)

is the practice of hiding internal IP addresses from the external network.

choke routers

the internal router (i.e., the router that presents an interface to the internal network) is often called a choke router. defines the point at which a public network can access your internal network. It also defines the point at which your internal network users can access the public network.

Trusted

the network and/or host that is allowed access to the system

Packet filters operate only at..

the network layer of the OSI/RM so they allow or block IP addresses and ports

Trusting

the proxy server that allows traffic from the internal network interface to enter the proxy server's system

Packet filter drawbacks

they cannot discriminate between good and bad packets. cannot tell if the routed packet contains good or malicious data. susceptible to embedded code within a standard packet. usually have to create more than 100 rules to limit and permit network access. Creating all these rules can be time-consuming. susceptibility to spoofing

advantage of using dual-homed bastion hosts

they create a complete break


Conjuntos de estudio relacionados

ACCT 302 Exam 2 Conceptual Questions

View Set

Physiology ch.8 learning h.w quiz

View Set

과목 3 수렵도구의 사용법 / 1종: 평가영역 1 수렵용 총기에 대한 기본

View Set

Chapter 19: Postoperative Nursing Management

View Set

1.1 App Development - Creating a Pega Platform application.

View Set

NGN Adult Health Gastrointestinal/Nutrition

View Set