CYBR 4200 Chapter 4
Providing Centralization
A firewall centralizes security for the organization it protects and simplifies the security-related activities of the network administrator. Having a firewall on the perimeter gives the network administrator a single location from which to configure security policies and monitor arriving and departing traffic.
Contributing to a VPN
A firewall is an ideal endpoint for a VPN.
An Analogy: Office Tower Security Guard
A firewall is like a security guard at a guardhouse or checkpoint. To let the guard decide who gets in and who does not, the security department has set up rules. A firewall performs the same types of functions as a security guard does, such as filtering unacceptable content or caching data.
packet
A datagram is the basic element of network data. It carries two types of information: 1. the header, which holds general information about the size of the packet, the protocol used to send it, and the IP addresses of both the source computer and the destination; 2. the data, the information you view and use.
Screened Subnet Firewalls (with DMZ)
The dominant architecture used today. It provides a DMZ, which can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet. A common arrangement is a subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network. There are many variants. First general model: two filtering routers, with one or more dual-homed bastion hosts between them. Second general model: connections from the outside or untrusted network are routed through an external filtering router; connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ; connections into the trusted internal network are allowed only from the DMZ bastion host servers.
Fourth-generation firewalls
dynamic packet-filtering firewalls allow only a particular packet with a particular source, destination, and port address to enter.
small office or residential-grade firewalls
either simplified dedicated appliances running on computing devices or application software installed directly on the user's computer.
Restricting Unauthorized Access from Inside the Network
Employees can be a major source of trouble, and firewalls cannot prevent all internal threats. Be aware of the following: employees who bring to the office mobile media (memory sticks, CD/DVDs, etc.) that contain virus-infected files; employees who access office computers from home using remote-access software that bypasses the perimeter firewall; attackers who obtain confidential information by contacting employees and deceiving them into giving up passwords, IP addresses, server names, and so on (that is, social engineering); poorly trained firewall administrators who might, for example, configure the firewall to filter out certain IP packets while passing along packets that arrive in fragments; employees who receive e-mail messages with executable attachments, which, if the employee downloads and executes the attachment, may launch a program that could spread to other computers using the recipient's e-mail address book.
Less obvious benefits
The firewall enables you to log passing traffic, so damage can be minimized.
Locating the firewall at the perimeter has one obvious benefit:
enables you to set up a checkpoint where you can block viruses and infected e-mail messages before they get inside
defense in depth
layered strategy encompasses multiple types and levels of control and might include a security policy, the firewall, intrusion detection software, virus scanners, and encryption.
Generation
The level of technology a firewall has; later generations are more complex and more recently developed.
proxy server
makes high-level application connections on behalf of internal hosts and other machines.
Stateful inspection firewalls
stateful firewalls keep track of each network connection between internal and external systems using a state table.
Third-generation firewalls
stateful inspection firewalls monitor network connections between internal and external systems using state tables
First-generation firewalls
static packet-filtering firewalls simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks
The most effective protection systems employ
not just one but several firewalls, combined with routers and other components to delineate zones of trust.
Hacking
the practice of infiltrating computers or networks to steal data, cause harm, or simply claim bragging rights.
The ability to restrict a specific service is now standard in most routers
Limitation: unable to detect whether packet headers have been modified. IP spoofing attack: falsification of the source IP address in a packet's header so that it appears to have come from a trusted or legitimate sender. Attackers may spoof using a source IP address that belongs to the target.
Introduction
Achieving effective network security is a process that imposes controls on an organization's network resources, with the goal of balancing the risks and rewards that come from network usage. Networks that connect to the Internet for communications or commerce are particularly vulnerable. Firewalls are now a required component of virtually every network and serve as part of the defense-in-depth strategy by protecting many individual computers. When used in conjunction with other technical controls and security policies and programs, deployed according to the needs of the businesses they protect, and maintained and upgraded on a regular basis, firewalls are one of the most effective security tools a network administrator has. A firewall is not necessarily a single device, whether a router, appliance, VPN gateway, or software program; each individual firewall is a combination of software and hardware components.
Cisco ASA
Adaptive Security Appliance: a series of secure, self-contained hardware devices that contain full-featured firewalls. Notable for competitive pricing, extensive online documentation, and excellent customer support. Rich in features, including high availability, an intrusion detection system, and protection against DoS attacks. Replaced the Cisco PIX line as Cisco's primary firewall architecture.
Filtering content
An application proxy server can be set up to filter on some detailed criteria: it can block files that have a certain filename or part of a filename, a keyword, an e-mail attachment, or a type of content.
Packet-Filtering Rules
(1) Any outbound packet must have a source address that is in your internal network. (2) Any outbound packet must not have a destination address that is in your internal network. (3) Any inbound packet must not have a source address that is in your internal network. (4) Any inbound packet must have a destination address that is in your internal network. (5) Any packet that enters or leaves your network must have a source or destination address that falls within the range of addresses in your network.
Check Point Power-1
From Check Point Software Technologies Ltd, among the first to use stateful packet inspection to monitor network traffic. Offers a full array of security tools, including authentication, virus checking, intrusion detection, and packet filtering. Was the only firewall compliant with the Open Platform for SECurity (OPSEC) security standard. Multiple parallel installations of Power-1 can run in tandem. The technology has been incorporated into a number of firewall appliances; Check Point acquired the Nokia line and has incorporated its technologies into the Check Point product suite.
Packet filtering
Determining whether to allow or deny the passage of packets of digital information, based on established security policy rules
Firewall security rules
Entry and exit points (called ports in the TCP/IP network) are specified for different types of content. Information that meets specified security criteria (such as coming from or going to a specific IP address) is allowed to pass, while other data is stopped. Data, in some cases, must pass through firewall software that functions as a sort of electronic metal detector, scanning for viruses and repairing infected files before they invade the network. Firewalls can be configured to send out alert messages and notify staff of break-ins if viruses are detected.
Enabling Documentation
Every firewall should be configured to provide information to the network administrator in the form of log files. Logs can help a network administrator identify weak points in the security system so they can be strengthened.
Limitations
Filtering does not hide the IP addresses of the hosts on the inside of a network perimeter; from an outsider's perspective, they simply appear to be behind the filter. Packet filters don't check to make sure the protocols inside packets are legitimate, either. They can only limit addresses based on the source IP address listed in the packet's header, so they do not protect against IP spoofing. On their own, they do not provide adequate network protection; larger organizations use multiple packet filters in a DMZ perimeter security setup.
Firewall Generations
Firewalls are frequently categorized by their position on a developmental continuum. The first generation of firewall devices consists of routers that perform only simple packet-filtering operations. More recent generations of firewalls offer increasingly complex capabilities. There are five generally recognized generations of firewalls.
Firewall Categories
Firewalls can be categorized by processing mode, generation, or structure
The restrictions most commonly implemented in packet-filtering firewalls are based on a combination of the following:
IP source and destination address; direction (inbound or outbound); TCP or UDP (User Datagram Protocol) source and destination port. (These protocols are discussed in the following pages.)
Internet Control Message Protocol (ICMP)
IP can, however, use ICMP to report any errors that occurred in the transmission. Ping and Traceroute use ICMP. ICMP messages can be filled with false information that can trick your hosts into redirecting or stopping communications.
Microsoft Internet Security & Acceleration Server
Internet Security & Acceleration Server is an application-level firewall from Microsoft Corporation. It provides authentication through integration with Active Directory, virus scanning (through integrated third-party products), data-aware filtering capabilities, and IP packet-filtering functionality. Supports the Cache Array Routing Protocol (CARP).
Firewall Security Features
Logging unauthorized (as well as authorized) accesses into and out of a network; providing a virtual private network (VPN) link, which can make two separated networks appear to be connected to one another; authenticating users who provide usernames and passwords so they can be identified and given access to the services they need; shielding hosts inside the network so that attackers cannot identify them and use them as staging areas for sustained attacks; caching data so that files that are repeatedly requested can be called from cache to reduce server load and improve Web-site performance; filtering content that is considered inappropriate (such as video streams) or dangerous (such as executable e-mail attachments).
Hacking Impacts
Loss of data: organizations process payroll, record health insurance information, and maintain staff directories online, so personnel and financial information is at risk. Loss of time. Staff resources. Confidentiality.
PAT and NAT
One approach to assigning these numbers is to use static, routable IP addresses: each computer is configured to use one IP address, and that address can be reached by outside computers to make a connection directly to it, which makes it an easy target for an attacker. PAT and NAT are addressing methods that make internal network addresses invisible to outside computers. They hide the TCP/IP information of hosts in the network so that attackers are unable to get the addresses, and they function as an outbound network-level proxy, acting as a single host that makes requests on behalf of all the internal hosts on the network. They convert the IP addresses of internal hosts to the IP address assigned by the firewall.
The internal network addresses assigned by PAT or NAT are drawn from three different ranges
Organizations that need large numbers of internally assigned addresses use the Class A address range of 10.x.x.x. Organizations that need smaller numbers of internally assigned addresses can select from the reserved group of 16 Class B address blocks found in the 172.16.x.x to 172.31.x.x range. Those with smaller needs can use Class C addresses in the 192.168.x.x range, which has approximately 65,500 addresses. Messages sent with internal addresses within these three reserved ranges cannot be routed externally; if a computer with one of these internal-use addresses is directly connected to the external network and bypasses the PAT/NAT server, its traffic cannot be routed on the public network.
Firewalls perform two basic security functions:
Packet filtering Application proxy
Application proxy
Providing network services to users while shielding individual host computers. This is done by breaking the IP flow
Stateful Packet-Filtering Firewalls
Stateful inspection is an examination of the data contained in a packet as well as the state of the connection between the internal and the external computer. The state table is kept in a memory location called the cache. Stateful inspection is superior to stateless inspection because it uses the connection state to make decisions on whether to allow the traffic; it can allow incoming packets that have been sent in response to internal requests. Primary disadvantage: the additional processing required to manage and verify packets against the state table can leave the system vulnerable to a DoS or DDoS attack. Stateful firewalls can track connectionless packet traffic and maintain a dynamic state table, making changes (within predefined limits) to the filtering rules based on events as they happen. They block packets that are sent from an external computer that does not have a currently active connection to an internal computer.
Stateless Packet-Filtering Firewalls
A stateless inspection firewall performs packet inspection that ignores the state of the connection between the internal computer and the external computer; it simply blocks or allows a packet based on the information in the header.
Protecting Critical Resources
These attacks are many and varied and can cause many kinds of losses
IP masquerading
To someone on the Internet or another outside network, it appears that all information is coming from a single computer when PAT is used, or from a small number of computers (IP numbers that do not change) when NAT is used. Individual machines can be assigned IP addresses in a private address range.
bastion host and a service network
Together, they are the only part of the organization exposed to the Internet.
example of how stateful inspection works.
When the employee's request packet arrives at the stateful firewall, the following events occur: (1) the firewall checks its list of active connections; (2) because a connection does not yet exist, the firewall checks its list of rules; (3) the packet is allowed to go on its way after the firewall makes an entry in the state table recording the connection attempt; (4) when the packet is received by the White House server (probably after passing through one or more firewalls), a reply packet is generated and returned to the source company's firewall; (5) at the company's firewall, the state table is checked and the inbound packet's header is inspected; (6) because there is nothing suspicious about this packet, the firewall sends it to the computer that made the request.
Software vs. Hardware: The SOHO Firewall Debate
When you use software only, the attacker is inside your computer battling a piece of software and could gain unrestricted access to your system. When you use a hardware device, even if the attacker manages to crash the firewall system, your computer and information are still safely behind the now-disabled connection.
perimeter
a boundary between two zones of trust
Packet Filtering
A key function of any firewall. Packet filters were one of the first types of firewalls and are an effective element in any perimeter security setup. A packet filter typically functions at the IP level and determines whether to drop a packet (deny) or forward it to the next network connection (allow) based on the rules programmed into the firewall. It examines every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information. Packet filters scan network data packets looking for compliance with or violation of the rules, inspecting packets at the network layer (Layer 3) of the OSI model. Packet structure varies; the two primary service types are TCP and UDP. Two components of the packet header, the destination and the source address, are used to enforce address restrictions, which are defined in access control lists (ACLs). A packet filter can be used as a simple firewall to filter data packets from inbound connections and allow outbound connections unrestricted access to the public network.
bastion host
a machine that has no unnecessary services, only the bare essentials
IP address mapping
A type of NAT or PAT in which a static IP address assigned by an ISP is mapped to the private IP address of a computer on the local network. Also called address vectoring or static IP mapping. Shields actual internal IP addresses from the prying eyes of unauthorized external clients.
screened subnet
An entire network segment that performs two functions: it protects the DMZ systems and information from outside threats by providing a network of intermediate security, and it protects the internal networks by limiting how external connections can gain access to them. Can be expensive to implement and complex to configure and manage.
extranet
an extended network that shares part of an organization's network with a third party (for example, a business partner)
Open Platform for SECurity (OPSEC)
an industry standards group that defines how firewalls should interoperate
firewall
anything—hardware, software, or a combination of the two—that can filter the transmission of packets of digital information as they attempt to pass through an interface between networks
Application Gateways
Also called an application-level firewall, proxy server, or application firewall. Installed on a dedicated computer, separate from the filtering router, and commonly used in conjunction with a filtering router.
Second-generation firewalls
Application-level firewalls or proxy servers: dedicated systems that are separate from the filtering router and that provide intermediate services for requesters.
Packet-Filtering Routers
Placed between the organization's internal networks and the external service provider. Configured to reject packets that the organization does not allow into the network. Drawbacks to this type of system include a lack of auditing and strong authentication; the complexity of the access control lists used to filter the packets can also degrade network performance.
URL filtering
block a site's Domain Name System (DNS) name
Mobile devices
Mobile devices blur the perimeter boundary even more; mobile endpoints may extend the organization's network into Internet cafes, coffee shops, etc.
The firewall is positioned at the
border of the network zone of trust
Firewall Components
A firewall can contain many components, including a packet filter, a proxy server, an authentication system, and software that performs Network or Port Address Translation (NAT or PAT). Some firewalls can encrypt traffic, and some help establish VPNs. Some firewalls are packaged in a hardware device that also functions as a router, and firewalls are often part of multiple-component security setups.
Application proxies
can restrict internal users who want to gain unrestricted access to the Internet
Limitations Of Firewalls
Firewalls can't be expected to do everything. A firewall should not be the only form of protection for a network; it should be part of an overall security plan and used in conjunction with other forms of protection.
Hybrid Firewalls
Hybrid firewalls combine the elements of various types of firewalls. A hybrid may consist of two separate firewall devices; each is a separate firewall system, but they work in tandem. Advantage: enables an organization to make security improvements without completely replacing its existing firewalls.
Screened Host Firewalls
Screened host firewalls combine the packet-filtering router with a separate, dedicated firewall. This allows the router to prescreen packets to minimize the network traffic and load on the internal proxy, which examines an application layer protocol, such as HTTP, and performs the proxy services. The separate host is often referred to as a bastion host; it contains only cached copies of the internal Web documents. Compromising the bastion host can disclose the configuration of internal networks and possibly provide external sources. The bastion host is commonly referred to as the sacrificial host. This arrangement requires an external attack to compromise two separate systems before the attack can access internal data.
Firewall Structures
commercial-grade firewalls Some firewall appliances use highly customized
VPN
A VPN connects two companies' networks over the Internet and is one of the safest ways to exchange information online.
Commercial-Grade Firewall Systems
Consist of application software that is configured for the firewall application and runs on a general-purpose computer. Organizations can install firewall software on an existing general-purpose computer system, or they can purchase hardware that has been configured to specifications. Such systems exploit the fact that firewalls are essentially application software packages that use common general-purpose network connections.
IP filtering
Controls the overall flow of IP traffic through your network. If you have identified a computer or network that you want to block from your company's network, you would specify Source IP or Destination IP rule criteria. These rules affect the entire TCP/IP suite of protocols (ICMP, UDP, or TCP).
Misconceptions about Firewalls
A firewall is NOT designed to prevent all attackers, viruses, and would-be intruders from entering a computer or computer network; software firewalls are designed simply to permit authorized traffic to pass through while blocking unauthorized and unwanted traffic. Some managers may also think that once you deploy a firewall, you're done, but firewalls aren't perfect, and they are not permanent: they need constant maintenance and work best when they are part of a multilayered approach to network security.
Limiting Employee Access to External Hosts
Firewalls can selectively permit traffic to go from inside the network to the Internet or another network. As a way of providing more precise control of how employees inside the network use external resources, the firewall can act as a proxy server. A single firewall product can provide both outbound packet filtering and outbound proxy services.
Firewall Architectures
four common architectural implementations for firewalls: packet-filtering routers, screened host firewalls, dual-homed firewalls, and screened subnet firewalls.
User Datagram Protocol (UDP)
UDP handles the addressing of a message, breaks a message into numbered segments, and reassembles the message when it reaches the destination computer. It is connectionless: it does not perform error-checking or wait for an acknowledgment that the message has been received. Useful for video and audio broadcasts on the Internet. Set up rules to block UDP traffic on all ports 21 and below.
Restricting Access from Outside the Network
The most obvious goal of a firewall is to regulate which packets of information can enter the network. A firewall examines each packet to determine whether it meets the necessary "authorized" criteria; the criteria might be protocols or IP addresses on an "approved" list. Anything not on the list is excluded.
Small Office/Home Office (SOHO) Firewall Appliances
High-speed services are always on, and thus the computers connected to them are much more likely to be visible to the scans performed by attackers. Modern home computing operating systems with secure capabilities are rarely configured securely by their users, so residential users must implement some form of firewall to prevent loss, damage, or disclosure of personal information. One of the most effective methods of improving computing security in the SOHO setting is the use of broadband gateways or DSL/cable modem routers, which connect the user's local area network or a specific computer system to the Internetworking device. The cable modem or DSL router provided by the Internet service provider (ISP) serves first as a stateful firewall to enable inside-to-outside access and can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities. These devices have been enhanced to combine the features of wireless access points (WAPs); such convenient combination devices give the SOHO user the strong protection that comes from the use of NAT services. NAT assigns nonrouting local addresses to the computer systems in the local area network and uses the single ISP-assigned address to communicate. Some SOHO firewalls include packet filtering, port filtering, and simple intrusion detection systems, and some can even restrict access to specific MAC addresses. Even simple residential firewalls can be used to create a logical screened subnetwork.
Processing mode
How the firewall examines the network traffic that it is trying to filter. There are five major processing-mode categories: (1) packet-filtering firewalls, (2) application gateways, (3) circuit gateways, (4) MAC layer firewalls, and (5) hybrids. Hybrid firewalls use a combination of the other four methods; most firewalls fall into this category.
For a home user who uses the Internet for routine activities, a firewall's primary job
is to isolate the local network from remote attackers. It may also help prevent some Trojan horses from leveraging the local network through hidden openings called back doors.
Fifth-generation firewalls
Kernel proxies: a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT. They evaluate packets at multiple layers of the protocol stack by checking security in the kernel as data is passed.
port
network subaddress (assigned a number between 0 and 65,535) through which a particular type of data is allowed to pass.
MAC Layer Firewalls
Not as well known. Designed to operate at the media access control sublayer of the data link layer (Layer 2), which enables these firewalls to consider, in their filtering decisions, the specific host computer's identity, as represented by its MAC or Network Interface Card (NIC) address. The MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be sent to each host; all other traffic is blocked.
Circuit Gateways
Operates at the transport layer. Connections are authorized based on addresses. Circuit gateways do not usually examine traffic flowing between one network and another; they prevent direct connections between one network and another by creating tunnels connecting specific processes or systems on each side of the firewall and then allowing only authorized traffic through these tunnels. They are often included in the application gateway category. A circuit gateway relays TCP connections but does no extra processing or filtering of the protocol.
TCP filtering
You should block packets that use ports below 20.
Free Firewall Tools On the Internet
Packet filters such as IPChains and the TIS Firewall Toolkit aren't perfect: their logging capabilities aren't as robust, they can be difficult to configure, and they usually don't include a way to monitor the firewall in real time. Their advantages are convenience, simplicity, and unbeatable price. Netfilter, the firewall software that comes with the Linux 2.4 kernel, is a powerful (and available for free) solution for stateless and stateful packet filtering, NAT, and packet processing, though it may be difficult to use in everyday situations.
Software Firewalls
People may not be as protected as they think they are. CNET magazine is a widely recognized source for technology industry reporting and product evaluations. Software firewalls claim to detect and prevent intrusion into the user's system without affecting usability. Users who implement this free, less-capable software often find that it delivers less-than-complete protection.
Application Layer Gateways
A proxy server works at the Application layer and can control the way applications inside the network access external networks by setting up proxy services. It acts as a substitute (i.e., a proxy) for the client; this shielding minimizes the effect of viruses, worms, Trojan horses, and other malware. The gateway runs special software that enables it to act as a proxy for a specific service request. The proxy server accesses the Web server on behalf of the external client and returns the requested pages to the users. It is placed in an unsecured area of the network or in the demilitarized zone (DMZ); additional filtering routers can be implemented behind it. Because it understands the contents of the requested data, it can be configured to allow or deny (both actions can be taken as a result of filtering) specific content, such as viruses and executables. Related functions: load balancing, IP address mapping, filtering content, URL filtering.
Dynamic filtering
Reacts to an emergent event and updates or creates rules to deal with that event, for example allowing an internal user to engage in a specific activity upon request, or dropping all packets from a particular address when an increase in the presence of a particular type of malformed packet is detected. Allows only a particular packet with a particular source, destination, and port address, based on the information contained in the packet header. An intermediate form between traditional static packet filters and application proxies.
PAT/NAT-equipped firewall
When it receives a request from one of these computers, it replaces the real IP address with its own address (for PAT) or one from the outbound pool (for NAT). This prevents external attacks from reaching internal machines with addresses in specified ranges.
Log files
Log files record attempted intrusions and other suspicious activity, as well as mundane events like legitimate file accesses, unsuccessful connection attempts, and the like. They can also identify intruders so they can be apprehended in case theft or damage actually occurs.
static filtering
Requires that the filtering rules be developed and installed with the firewall. Rules are created and sequenced either by a person directly editing the rule set or by a person using a programmable interface; any changes to the rules require human intervention. Common in network routers and gateways. Allows entire sets of one type of packet to enter in response to authorized requests.
demilitarized zone (DMZ)
Also called a screened subnet or service network; positioned between the internal network and the outside world.
extranet
segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public
port scanning attack
special software scans a series of network addresses, attempting to connect to each one. If a connection is made, it gives the attacker a target
commercial-grade firewalls
Stand-alone units running on fully customized computing platforms that provide both the physical network connection and firmware programming necessary to perform their function. Some firewall appliances use highly customized. Other commercial firewall systems are actually off-the-shelf general-purpose computer systems that use custom application software.
Commercial-Grade Firewall Appliances
stand-alone, self-contained combinations of computing hardware and software. Have many of the features of a general-purpose computer, with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of their being compromised. The customized software operating system that drives the device can be periodically upgraded, but can only be modified using a direct physical connection or using extensive authentication and authorization protocols. Rule sets are stored in nonvolatile memory and can thus be changed by technical staff when necessary. May be manufactured from stripped-down, general-purpose computer systems, and/or they may be designed to run on a customized version of a general-purpose operating system tuned to meet the type of firewall activity built into the application software that provides the firewall functionality.
McAfee Firewall Enterprise (Sidewinder)
technology purchased from Secure Computing; flexible, supporting application proxies, stateful inspection packet filtering, and IPSec VPNs.
Dual-Homed Host Firewalls
the bastion host contains two NICs. One NIC is connected to the external network, and one is connected to the internal network, so all traffic must physically go through the firewall to move between the internal and external networks. Often makes use of NAT, mapping real, valid, external IP addresses to special ranges of nonroutable internal IP addresses. NAT translates by dynamically assigning addresses to internal communications and tracking the conversations with sessions to determine which incoming message is a response to which outgoing traffic. If a dual-homed host is compromised, that compromise will likely disable the connection to the external network. As traffic volume increases, a dual-homed host firewall may become overloaded. Provides strong overall protection with minimal expense.
Structure
the kind of structure the firewalls are intended for: residential-grade or commercial-grade firewalls, hardware-based or software-based firewalls, and firewalls for appliance-based devices.
If you have an extranet
the location of the "perimeter" becomes a bit more murky. It should have its own perimeter firewall, because your network boundary technically extends to the end of the VPN; you should install a firewall on the partner's VPN host.
Load balancing
the number of connections assigned to each firewall can be managed to assure an even workload. Large organizations commonly install more than one firewall and divide the traffic load between them.
The configuration that works best for a particular organization depends on three factors
the objectives of the network, the organization's ability to develop and implement the architectures, and the budget available for the function.
Providing for Authentication
the process of logging in to a server with a username and a password before being allowed access to protected information. Performed at the firewall, and makes use of encryption to protect the usernames and passwords transmitted from client to server (or client to firewall).
primary disadvantage of application-level firewalls
they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on other protocols. Typically restricted to a single application (e.g., FTP, Telnet, HTTP, SMTP, SNMP). The processing time and resources necessary to read each packet down to the application layer diminish the ability of these firewalls to handle multiple types of applications.
Packet-Filtering Firewalls
three kinds of packet-filtering firewalls: static filtering, dynamic filtering, and stateful inspection
state table
tracks the state and context of each packet in the conversation by recording which station sent what packet and when
remote access and social engineering attacks can be prevented only through
training and by raising awareness about security procedures.
Network Address Translation (NAT)
uses a pool of valid external IP addresses, assigning one to each internal computer requesting an outside connection. It appears that all information is coming from a small number of computers (IP numbers that do not change) when NAT is used.
Port Address Translation (PAT)
uses one external address for all other systems, assigning random and high-order port numbers to each internal computer. It appears that all information is coming from a single computer when PAT is used.
packet filtering firewall
virtually all firewalls do packet filtering; protects networks from port scanning attacks.