D4-1: Firewall Architecture (CISSP Domain 4 Communication and Network Security)

single tier architecture

single tier architecture Placement of the private network behind a firewall, then connected through a router to the Internet. Useful against generic attacks, but offers minimal protection.

Application-level gateway firewalls

Proxy firewall copies packets from one network to another, and changes the source and destination address to protect the identity of the internal or private network. Performance is negatively impacted as each packet is inspected and processed. Operates at OSI L7 (Application).

Intrusion Detection System (IDS)

A device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system.

Signature-Based IDS

Matches on known patterns and stateful matching against a database.

NIDS (Network Detection System)

Network Intrusion Detection System (NIDS). Monitors one internal LAN.

single tier, two tier, three tier

Firewall deployment architecture

Stateful-Inspection firewall

Firewall evaluates the state/context of network traffic. AKA dynamic packet-filtering. Looks at source, destination address, application usage, source of origin and the relationship between the current packets and the previous packets on the same session. Will block unauthorized uses and activities. OSI L4 (Transport)

Circuit-level gateway firewall

Firewall that establish communication sessions between trusted partners; uses SOCKS and manages traffic based on communication (not content) of the traffic. Operates at OSI L5 (Session).

Multi-homed firewall

Firewall using multiple interfaces to filter traffic; capable of IP forwarding, forcing the filtering rules to control traffic rather than allowing a software-supported shortcut between one interface and another.

Screened Host

A firewall between the final router and the internal network. When traffic comes into the router, it is forwarded to the firewall and is inspected before going into the internal network.

Static packet-filetering firewall

A firewall that filters traffic by examining the message header data (src, dst, port address). Provides not authentication or original information and can be fooled with spoofed packets.

Multi-homed firewall (Three-legged firewall)

A firewall with three interfaces: one connected to the untrusted network; one to the internal network; and another connected to a part of the DMZ (network).

Dual-homed firewall

A host acting as a firewall, with two NICs: One connected to a trusted network, and the other connected to an untrusted network (Internet). It controls the forwarding of traffic between NICs, ensuring suspicious traffic does not reach the trusted network. The danger of relying on one of these devices as it can be a single point of failure and in a DoS attack, no traffic will pass.

Tarpit

A low-connection speed honeypot used to slow an attacker in order to analyze the movements of the attacker.

Honey-pot

A system configured attract hackers and is used to lure hackers into spending time, while information is gathered about the attack. This type of device should never be connected to a production environment.

Static packet filtering, application-level gateway, circuit-level gateway, and stateful inspection.

Four basic firewall types.

Padded cells

Hosts to which the attacker is transferred during an attack.

Rule or Heuristic-Based IDS

IDS that is knowledge-based, inference engine, rule-based, matched on a "if/then" basis.

IPS (Intrusion Prevention System)

Intrusion Prevention System (IPS) Intrusion system that can be host, signature, or anomaly based; does volume analysis and pattern detection. Can effect the overall performance and costs more than an IDS. The main focus is prevention.

Honey-Net

Similar to a Tarpit and Padded Cells, it is a network configured to be attractive to hackers.

Virtual Firewall

Software that has been specifically written to provide a security firewall in the virtual environment.

Anomaly-Based IDS

Statistical type IDS that uses protocol anomaly, traffic anomaly, matched against a database of behaviors.

Bastion Host

Term references the "position of the device," which is exposed to the public, facing the Internet. This device should be hardened as often targeted for attacks. If deployed separately, it should be placed outside the firewall or on the public side of the DMZ.

Screened Subnet / Demilitarized Zone (DMZ)

Two firewalls used to inspect traffic before it can enter the internal network, thereby allowing a company to give external systems limited access to public resources, without granting access to the internal network. It is a network where systems are placed that will be accessed regularly from the untrusted network.

HIDS (Host Intrusion Detection System)

Uses OS information such as logs and audit trails to detect intrusions.

Private Branch Exchange (PBX) used as a firewall

Used on a private telephone switch and connects the organization to the telco. It can have backdoors.

Static firewall (Static packet-filtering firewall)

static packet-filtering firewalls OSI L3 (Network) firewall, aka screening routers or common routers.