Module 3, Unit 2 - Firewalls and Load Balancers

What is usually the purpose of the default rule on a firewall?

(Implicit Deny) block any traffic that has not a ACL rule

The rules by which a packet filtering firewall is configured. Each rule defines a specific type of data packet and the appropriate action to take when a packet matches a rule.

ACL (Access Control List)

What is the advantage of a firewall that works above layer 3 of the OSI Model?

AKA Circuit-level stateful inspection firewall, they maintain stateful information about the session established between two hosts (including malicious attempts to start a bogus session

What type of clustering consist of n node, all of which are processing concurrently, allowing the administrator to use the maximum capacity from available hardware while all nodes are functions, but increases the workload on the remaining nodes when one fails as the rest take up its workload?

Active/Active

What type of clustering use a redundant node to failover and performance is not affected, but it is more costly due to the hardware and operating system costs of the unused capacity?

Active/Passive

What is the most serious outcome of a badly configured firewall that leaves the system open to security vulnerabilities?

Allowing packets through that should be blocked

What type of attack is a type of Distributed Reflection DoS (DRDoS) where the adversary spoofs teh victim's IP address and attempts to open connections with multiple server, which then direct their SYN/ACK responses to the victim server?

Amplification Attack

A stand-alone hardware firewall that performs the function of a firewall only and functions are implemented on its firmware. It is also a type of network-based firewall and monitors all traffic passing into and out of a network segment.

Appliance firewall

A software-based firewall designed to run on a server to protect a particular application only. This type of host-based firewall would be deployed in addition to a network firewall.

Application firewall

What are other different names for application-aware firewalls?

Application layer gateway, stateful multilayer inspection, or deep packet inspection

Also known as application layer gateway, stateful multilayer inspection, or deep packet inspection, these can inspect the contents of packets at the application layer.

Application-aware firewall

What does clustering generally used to provide a high level of fault tolerance for?

Back-end applications

When a network is faced with a DDoS or similar flooding attack, what can an ISP use that drops packets for the affected IP address(es) into an area of the network that cannot be reached by any other part of the network?

Blackhole

What type of smurf attack sends a small request to a DNS in order to invoke a response that contains a lot of information, making it a very effective way of overwhelming the bandwith of the victim network, when an attacker has limited resources on their botnet?

Bogus DNS queries

A network of computers that have been compromised by Trojan/rootkit/worm malware. Providing this network of compromised computers can also subvert any firewalls between the controller (or "herder") and the compromised computers ("Zombies"), they can be remotely controlled and monitored using covert channels. The internet contains compromised networks of many millions of computers and their exploitation (mostly to send spam or for identity theft) is a robust part of the "shadow" economy.

Botnet

What are two most commonly used VIP protocols used?

CARP (Common Address Redundancy Protocol) \ GLBP (Gateway Load Balancing Protocol)

Which load balancer feature provides mechanism to reduce loads on servers if some information on the web servers may remain static?

Caching

What do web proxy servers provide whereby frequently requested web pages are retained on the proxy, negating the need to re-fetc those pages for subsequent analysis?

Caching engines

You are implementing a new e-commerce portal with multiple web servers accessing data on a SAN (Storage Area Network). Would you deploy load balancers to facilitate access by clients to the web server or by the web server to the SAN?

Clients to the web server (because load balancers are designed to fault tolerance by client requests to servers in a farm; clustering aids in providing redundancy and availability to SAN)

Provides fault-tolerance of stateful data whereby the data residing on one node, or pool, is made available to another node, or pool, seamlessly and transparently in the event of a node failure.

Clustering

Which load balancer feature is the ability to assign a specific server in the farm for certain types of traffic or a configurable proportion of the traffic?

Configurable load

Blocking incoming requests from internal or private IP addresses, blocking incoming requests from protocols that should only be functional inside the local network level, use penetration test to confirm configuration is secure, and secure the hardware on which the firewall is running and use the management interface are all basic principles for what?

Configuring a firewall

An attack that uses multiple compromised computers (a "botnet" of "zombies") to launch the attack.

DDoS (Distributed Denial of Service)

An attack that spoofs the victim's IP address and attempts to open connection with multiple servers. Those servers direct their SYN/ACK responses to the victim server, rapidly consuming the available bandwith. Also known as an amplification attack.

DRDoS (Distributed Reflection Denial of Service)

A network attack that causes a service at a given host to fail or to become unavailable to legitimate users. These attacks typically aim to disrupt a service, usually by overloading it.

DoS (Denial of Service)

There is growing evidence that nation states are engaging in "cyber warfare" and terrorist groups have also been implicated in DoS attacks on well-known companies and government institutions. There are also "hacker collectives" who might target an organization as part of a campaign. These are examples of what?

DoS attacks are coordinated between groups of attackers

Hardware or software that filters traffic passing into or out of a network (for example, between a private network and the Internet). This basic packet filter works at Layers 3 and 4 (Network and Transport) of the OSI model. More advanced filters (proxy and stateful inspection) can examine higher layer information, to provide enhanced security.

Firewall

A circuit-level firewall that examines the TCP three-way-handshake and can detect attempts to open connections maliciously.

Flood Guard

The references for inbound and outbound traffic inspection a firewall makes.

Ingress/Egress

A software application or gateway that filters client requests for various types of online information (web, FTP, IM, and so on). The filtering software can work on the basis of key words, URLs, time of day/total browsing time, and so on.

Internet content filter

How do DoS attacks target resource exhaustion vulnerabilities?

It consumes CPU cycles and memory on hosts processing DoS requests

Which type of load balancer would base forwarding decisions on IP address and TCP/UDP port values, works up to layer 4 of the OSI model, and is stateless?

Layer 4 load balancer

Which type of load balancer make forwarding decisions based on application-level data, such as a request for a particular URL or data types like video or audio streaming?

Layer 7 (content switch) load balancer

A type of switch or router that distributes client requests across available server nodes in a "farm" or pool. This provides fault tolerance and improves throughput.

Load-balancer

Why are most DoS attacks distributed?

Most DoS attacks attempt to deny bandwidth to web servers connected to the internet. Most-bandwith DoS attacks are distributed due to them being launched from multiple, compromised computers (AKA botnet)

What type of proxy is one that is configured with filters for multiple protocol types, such as HTTP, FTP, SMTP, and so on?

Multi-purpose proxy

A software-based firewall running under a network server OS. The server would function as a gateway or proxy for a network segment.

NOS firewall (Network Operating System)

A TCP/IP application protocol allowing machines to synchronize to the same time clock. This protocol runs over UDP port 123.

NTP (Network Time Protocol)

What is the difference between a network firewall and an application-based firewall?

Network firewalls are placed inline in the network and inspect all traffic that passes through it; application aware firewalls can inspect contents of packets at the application layer.

A basic proxy server provide for protocol-specific on what type of traffic?

Outbound

A type of script that allows a browser to select and configure an appropriate proxy server address and port number without requiring user intervention. This script can also be used maliciously to try to redirect browsers to phishing sites.

PAC (Proxy Auto-Config)

The earliest type of firewall, and the function that all firewalls can still perform, that inspect the headers of IP packets and rules can be applied based on the information found in these headers, such as: IP filetering, protocol ID/Type, and Port Filtering/security.

Packet Filtering

An application-layer load balancer can use what to keep a client connected to a session and work by setting a cookie, either on the node or injected by the load balancer.

Persistence

A firewall implemented as applications software running on the host. These can provide sophisticated network traffic filtering and block processes at the application level. However, as a user-mode application, they are more vulnerable to attack and evasion than kernel mode or network filtering appliances.

Personal Firewall

What function do proxy servers provide that allows the proxy to load a requested page that is referenced on the current page the client is using?

Pre-fetch pages

What similar principle to the Principle of Least Privilege are firewalls configured on?

Principle of least access (Only allow the minimum amount of traffic required for the operation of valid network services and no more.)

Which load balancer feature filters and manages traffic based on its priority?

Prioritization

A server that mediates the communications between a client and another server. This server can filter and often modify communications as well as providing caching services to improve performance.

Proxy Server

What type of proxy provides for protocol-specific inbound traffic?

Reverse proxy

What is the simplest form of a scheduling algorithm that simply picks the next node in the farm to direct packets to?

Round Robin

What type of load balancing is accomplished using software where a client enters a web server name in a browser and the DNS server responsible for resolving that name to an IP address for client connectivity will return on of several configured addresses, in turn, from amongst a group configured for the purpose?

Round Robin DNS

A firewall similar to an appliance firewall except its functionality is built into the router firmware. Most SOHO internet router/modems have this type of functionality

Router firewall

What type of management is a firewall an example of?

Rule-based management

Network dedicated to housing data, typically consisting of hard drives or solid-state drives and servers connected to switches via Host Bus Adapters. Data access in these types of networks is handled at block level.

SAN (Storage Area Network)

Which load balancer feature is used when SSL / TLS features are implemented, and the load balancer can handle the processing of authentication and encryption/decryption?

SSL offload

What type of attack works by witholding the client's ACK packet during TCP's three-way handshake?

SYN Flood

The code and metrics that determine which node is selected for processing each incoming request. Methods include picking the next node or picking the node with the fewest connections or best response time.

Scheduling Algorithm

The code and metrics that determine which node is selected for processing each incoming request.

Scheduling algorithm

This type of routing is a means of mitigating a DoS attack by redirecting the flooding traffic away from the production network where it can be analyzed.

Sinkhole

What type of attack is where the adversary spoofs the victim server's IP address and pings the broadcast address of a third-party network that consists of many hosts (aka the amplifying network), and then each host directs the echo responses to the victim server?

Smurf attack

A layere 4 approach to handling user sessions. It means that when a client establishes a session, it becomes "stuck" to the node that first accepted its request.

Source IP Affinity

In a circuit-level stateful inspection firewall, where is information about each session dynamically stored?

State table

The type of technique packet filtering is because the firewall examines each packet in isolation and has no record of previous packets.

Stateless

Proxies deconstruct each packet, performs analysis, then rebuilds the packet and forwards it on providing it conforms to the rules. What type of model is this known as?

Store and Forward

Which load balancer feature is the ability to group HTTP packets from a single client into a collection of packets assigned to a specific server?

TCP offload

How are firewall rules processed?

Top to bottom

The basic function of a firewall.

Traffic filtering

What type of proxy intercepts client traffic without the client having to be reconfigured?

Transparent

How are proxy servers generally classified?

Transparent / non-transparent

Software that sits between a client and server (a man-in-the-middle) and allows requests from the client and responses from the server to be analyzed and modified. Examples include PortSwigger's Burp Suite, OWASP's Zed Attack Proxy (ZAP), and Vega.

Transparent proxy

True or False? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.

True

Each firewall ACL rule can specify whether to block or allow traffic based on a number of parameters known as?

Tuples

All-in-one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, DLP, content filtering, and so on.

UTM (Unified Threat Management)

Each server node or instance needs it own IP address but externally the service is advertised using what?

VIP (Virtual IP) addresses

Specialized host firewall designed to prevent attacks against web applications and their back-end databases, such as SQL injections or XSS.

WAF (Web Application Firewall)

What are web proxies often described as due to their primary function is to prevent viruses or Trojan infecting computers from the internet, block spam, and restrict web use to authorized sites?

Web security gateways

What other scheduling algorithm method can be used where an administrator sets preferences or dynamic load information, or both?

Weighted

What distinguishes a personal software firewall from a network firewall appliance?

it is implemented as a software application on a single host and tend to be program- or process-based