Network+ Chapter 8 Firewalls
Trivial File Transfer Protocol (TFTP) port?
69 TCP and UDP
Next Generation Firewall (NGFW)?
A Next-Generation Firewall (NGFW) combines a traditional firewall with other network device filtering functionalities like an application firewall. An NGFW: • Is application-aware • Tracks the state of traffic based on layers 2 through 7 • Utilizes an intrusion protection system (IPS) • Tracks the identity of the local traffic device and user ( LDAP, RADIUS, Active Directory) • Can be used in bridged and routed modes • Utilizes external intelligence sources
What is a circuit-level gateway filter?
A circuit-level gateway filters traffic based on the session's state, not the IP address or port number, like a packet filtering firewall. A circuit-level gateway makes filtering decisions based on the session layer information, which is the session ID number. The firewall only allows packets that match after sessions. In order to do this, the circuit-level gateway has to take advantage of the TCP three-way handshake. To establish a TCP session, a client computer first sends a request for a session with a very special packet called a SYN packet. The server responds back with an acknowledgment, an ACK, which says, — Yeah, I have a session available, and you can use it.— The client then responds with another acknowledgment called a SYN ACK, which acknowledges that it received the original session information and it wants to establish communications with the server. This is important because the circuit-level gateway monitors this three-way handshake process to identify an active session (one that's set up, acknowledged, and in use). When a packet is received by the firewall, it will move the packet header information just like a packet filtering firewall does. This time, it's going to examine the session information within that packet. If that session packet represents a legitimate setup session and it's currently active and inuse, then that communication is allowed. If it finds a session ID that is not active, that was never actually created, or that's already been closed, then that packet is dropped. Instead of examining every single packet and filtering based by rules, a circuit-level gateway just looks at the session ID and decides whether or not it's associated with a legitimate TCP session.
What is a hardware firewall?
A hardware firewall is typically used to protect an entire network or one specific network segment. Firewalls are dedicated hardware appliances that contain all the hardware and software necessary to protect the network. Hardware firewalls are much more expensive than other types of firewalls, but they also provide the best performance.
What is a network based firewall?
A network-based firewall sits at the edge of your network and acts as a barrier between your entire network and the outside internet. Network-based firewalls are usually hardware firewalls.
What is a Packet Filtering Firewall?
A packet filtering firewall examines the information within each packet header. It operates at layer three, on the Network layer of the OSI model. When a frame enters a packet filtering firewall, the firewall removes the framing information to expose the IP packet contents within that frame. The packet information includes the data, the destination IP address of the packet, and the source IP address of the packet, as well as the source port and destination port. With a packet filtering firewall, you can define ACLs based on that information that is contained within the IP packet, including the source IP address, destination IP address, source port number, and destination port number. Every packet that comes into the firewall is compared to ACL rules you define. These rules specify whether to allow or reject these packets based on the network interface that the packet was received on, the direction of the communication (whether it's inbound or outbound), the source IP address, the destination IP address, the source port number, or the destination port number. For example, the firewall could be configured to allow all packets from a specific source IP address.Alternatively, maybe you could define an ACL that blocks all inbound traffic that's destined for port 22.
Stateless vs Stateful
A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject it without considering whether the packet is part of a valid and active session. A circuit-level gateway is considered a stateful firewall because it keeps track of a session's state A circuit-level gateway can filter traffic that uses dynamic ports because the firewall matches the session information for filtering, not the port numbers. In general, circuit-level gateways are slower than packet filtering firewalls. However, if only the session state is used for filtering, a circuit-level gateway can be faster after the initial session information has been identified.
Why would you use a UTM
A small company without the budget to buy individual components. A small office without the physical space for individual components. A remote office without a technician to manage individual security components.
What is a demilitarized zone (DMZ)?
ALSO KNOWN AS A SCREENED SUBNET It's a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet). • Publicly accessible resources (servers) are placed inside the screened subnet. Examples of publicly accessible resources include web, FTP, or email servers. • Packet filters on the outer firewall allow traffic directed to the public resources inside the DMZ. Packet filters on the inner firewall prevent unauthorized traffic from reaching the private network. • If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise. The LAN is protected by default. • When designing the outer firewall packet filters, a common practice is to close all ports and open only the ports necessary for accessing the public resources inside the DMZ. • Typically, firewalls allow traffic that originates in the secured internal network into the DMZ and through to the internet. Traffic that originates in the DMZ (low-security area) or the internet (no-security area) should not be allowed access to the intranet (high-security area). Do not place any server in the DMZ that doesn't have to be there.
What is a ACL
Access Control Lists. In addition to protecting an entire network from attackers on the internet, you can also use firewalls can also to isolate and protect sensitive segments of your private network. For example, let's suppose we want to protect the servers that hold sensitive accounting data. We could create a special subnet for those servers and then install a firewall to protect that segmentfrom unauthorized traffic that originates from within our own private network or any traffic out on the internet. In order to do this, we define a set of rules on the firewall to specify that only very specific types of traffic are allowed through. The firewall rules block all other traffic. These filtering rules on the firewall are called Access Control Lists, or ACLs. The firewall scans incoming and outgoing network traffic, and it compares that traffic to the rules you've defined. Then it decides whether the traffic should be allowed or rejected.
What is a transparent firewall?
Also called a virtual firewall, operates at Layer 2 and is not seen as a router hop by connected devices. Both the internal and external interfaces on a transparent firewall connect to the same network segment. Because it is not a router, you can easily introduce a transparent firewall into an existing network.
What are some additional things a UTM can feature
An all-in-one security appliance can include the following security functions: • Spam filter • URL filter • Web content filter • Malware inspection • Intrusion detection system All-in-one security appliances can also include the following: • Network switch • Router • Firewall • TX uplink (integrated CSU/DSU) • Bandwidth shaping
What is an Application Layer Firewall?
An application-layer firewall is capable of filtering by information contained within a packet's data portion. An application-layer firewall: • Examines the entirety of the transferred content (not just individual packets). • Operates at OSI Layer 7 (Application layer). • Understands, or interfaces with, the application-layer protocol. • Filters content by user, group, and data (for example, URLs within an HTTP request). • Is the slowest form of firewall because entire messages are reassembled at the Application layer.
What is a host based firewall?
Host-based firewalls, on the other hand, protect a single system from unauthorized connections,and host-based firewalls are almost always software firewalls.
What is a routed firewall?
It's a Layer 3 router. In fact, many hardware routers include firewall functionality. Transmitting data through this type of firewall counts as a router hop. A routed firewall usually supports multiple interfaces, each connected to a different network segment.
What is Implicit Deny?
Most firewalls deny all traffic by default. This is called implicit deny, and it's very important.Implicit deny is a security technique that blocks everything unless it is explicitly allowed. You have to manually specify what traffic you want to allow through that firewall; everything else is blocked. For example, all IP addresses and port numbers are blocked except what's in the ACL. Not only is implicit deny a good security practice, it also makes your job as the network administrator a lot easier. Chances are, you want to block a lot more types of traffic than you want to allow.
What are network ports?
Network ports are logical connections provided by the TCP or UDP protocols at the Transport layer. They are used by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers to determine which protocol incoming traffic should be directed to.
What is a software firewall?
Software firewalls are typically used to protect a single computer or device.Software firewalls are a lot less expensive than hardware firewalls, but they are less robust. Firewalls are commonly used to protect private networks by filtering traffic from the network and internet. One of the main purposes of a firewall is to prevent attackers on the internet from gaining access to your private network.
What are Access control lists (ACLs)?
They are rules firewalls use to manage incoming or outgoing traffic.
What is a UTM?
Unified Threat Management Device A unified threat management device combines multiple security features into a single network appliance. A single UTM device can provide several security features: • Firewall • VPN • Ant-spam • Antivirus • Load balancing
What are iptables?
iptables is a command line firewall utility for Linux operation systems that uses three different policy chains to allow or block network traffic. When a connection is initiated to your system, iptables looks for a rule in its list to match it to. If it doesn't find one, it resorts to the default action in the tables.
How to create a DMZ
o Configure two firewall devices, one connected to the public network and one connected to the private network. o Configure a single device with three network cards, one connected to the public network, one connected to the private network, and one connected to the screened subnet. o Configure a single device with two network cards, one connected to the public network and another connected to a private subnet containing hosts that are accessible from the private network. Configure proxy ARP so the public interface of the firewall device responds to ARP requests for the public IP address of the device.
What do ACLs do?
• ACLs describe the traffic type that will be controlled. • ACL entries: o Describe traffic characteristics. o Identify permitted and denied traffic. o Can describe a specific traffic type, allow all traffic, or restrict all traffic. • An ACL usually contains an implicit deny any entry at the end of the list. • Each ACL applies only to a specific protocol. • Each router interface can have up to two ACLs for each protocol, one for incoming traffic and one for outgoing traffic. • When an ACL is applied to an interface, it identifies whether the list restricts incoming or outgoing traffic. • Each ACL can be applied to more than one interface. However, each interface can have only one incoming list and one outgoing list. • ACLs can be used to log traffic that matches the list statements.
What do ports do?
• Allow a single host with a single IP address to run network services. Each port number identifies a distinct service. • Can have over 65,000 ports per IP address. • Are regulated by the internet Corporation for Assigned Names and Numbers (ICANN).
ICANN categorizes ports as?
• Well known ports range from 0 to 1023 and are assigned to common protocols and services. • Registered ports range from 1024 to 49151 and are assigned to a specific service by ICANN. • Dynamic (also called private or high) ports range from 49152 to 65535 and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and ports are released when the session ends.
Network News Transport Protocol (NNTP) port?
119 TCP
H.323 Call Signaling port?
1720 TCP
Cisco Media Gateway Control Protocol (MGCP) port?
2427 UDP
Real-time Transport Protocol (RTP) Data Real-time Transport Protocol (RTP) Control ports?
5004 TCP and UDP 5005 TCP and UDP
Session Initiation Protocol (SIP) Session Initiation Protocol (SIP) over TLS
5060 TCP and UDP 5061 TCP
