8.1 - 8.3 Firewalls
5060 TCP and UDP 5061 TCP
You want to maintain tight security on your internal network, so you restrict access to the network through certain port numbers. If you want to allow users to continue to use DNS, which port should you enable?
53 The DNS service uses port 53.
Haley configures a website using Windows Server 2016 default values. What are the HTTP port and SSL port settings?
80 for HTTP; 443 for SSL The default TCP port setting for HTTP is 80. You can change that setting to another TCP setting that is not in use, but users will have to know they must request the non-default setting, or they will be unable to connect. The SSL port number is 443 and is only used with secure socket layers for encryption.
ICANN categorizes ports as follows:
> Well-known ports range from 0 to 1023 and are assigned to common protocols and services.
> Registered ports range from 1024 to 49151 and are assigned to a specific service by ICANN.
> Dynamic (also called private or high) ports range from 49152 to 65535 and can be used by any service on an ad hoc basis. Ports are assigned when a session is established, and ports are released when the session ends.
The following table lists the well-known ports that correspond to common internet services:
Next Generation Firewall (NGFW)
A Next-Generation Firewall (NGFW) combines a traditional firewall with other network device filtering functionalities like an application firewall. An NGFW:
> Is application-aware
> Tracks the state of traffic based on layers 2 through 7
> Utilizes an intrusion protection system (IPS)
> Tracks the identity of the local traffic device and user (LDAP, RADIUS, Active Directory)
> Can be used in bridged and routed modes
> Utilizes external intelligence sources
A common method for using firewalls is to define various network zones. Each zone identifies a collection of users who have similar access needs. Firewalls are configured at the edge of these zones to filter incoming and outbound traffic. For example, you can define a zone that includes all hosts on your private network protected from the internet, and you can define another zone within your network for controlled access to specific servers that hold sensitive information.
Demilitarized Zone
A buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet).
Circuit-Level Gateway
A circuit-level gateway makes decisions about which traffic to allow based on virtual circuits or sessions. A circuit-level gateway:
> Operates at OSI Layer 5 (Session layer).
> Keeps a table of known connections and sessions. Packets directed to known sessions are accepted.
> Verifies that packets are properly sequenced.
> Ensures that the TCP three-way handshake process occurs only when appropriate.
> Does not filter packets. Instead, it allows or denies sessions.
A circuit-level gateway is considered a stateful firewall because it keeps track of a session's state. A circuit-level gateway can filter traffic that uses dynamic ports because the firewall matches the session information for filtering, not the port numbers. In general, circuit-level gateways are slower than packet filtering firewalls. However, if only the session state is used for filtering, a circuit-level gateway can be faster after the initial session information has been identified.
8.3.8 Firewall Design and Configuration Facts
A demilitarized zone (DMZ) is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet).
> Create a DMZ by performing the following:
- Configure two firewall devices, one connected to the public network and one connected to the private network.
- Configure a single device with three network cards, one connected to the public network, one connected to the private network, and one connected to the screened subnet.
- Configure a single device with two network cards, one connected to the public network and another connected to a private subnet containing hosts that are accessible from the private network. Configure proxy ARP so the public interface of the firewall device responds to ARP requests for the public IP address of the device.
> Publicly accessible resources (servers) are placed inside the screened subnet. Examples of publicly accessible resources include web, FTP, or email servers.
> Packet filters on the outer firewall allow traffic directed to the public resources inside the DMZ. Packet filters on the inner firewall prevent unauthorized traffic from reaching the private network.
> If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise. The LAN is protected by default.
> When designing the outer firewall packet filters, a common practice is to close all ports and open only the ports necessary for accessing the public resources inside the DMZ.
> Typically, firewalls allow traffic that originates in the secured internal network into the DMZ and through to the internet. Traffic that originates in the DMZ (low-security area) or the internet (no-security area) should not be allowed access to the intranet (high-security area).
*Do not place any server in the DMZ that doesn't have to be there.
All-in-One Security Appliances
A device that combines many security functions into a single device, such as firewall, IDS/IPS, and antivirus.
8.1.3 Firewall Facts
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules.
Firewall
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules.
Packet Filtering Firewall
A packet filtering firewall allows and blocks network traffic by examining information in the IP packet header, such as source and destination addresses, ports, and service protocols. A packet filtering firewall:
> Uses ACLs or filter rules to control traffic.
> Operates at OSI Layer 3 (Network layer).
> Offers high performance because it examines only the address information in the packet header.
> Implements features that are included in most routers.
> Is a popular solution because it is easy to implement and maintain, has a minimal impact on system performance, and is fairly inexpensive.
A packet filtering firewall is considered a stateless firewall because it examines each packet and uses rules to accept or reject it without considering whether the packet is part of a valid and active session.
You connect your computer to a wireless network available at the local library. You find that you can access all the websites you want on the internet except for two. What might be causing the problem?
A proxy server is blocking access to the websites. A proxy server can be configured to block internet access based on website or URL. Many schools and public networks use proxy servers to prevent access to websites with objectionable content. Ports 80 and 443 are used by HTTP to retrieve all web content. If a firewall were blocking these ports, access would be denied to all websites. Port forwarding directs incoming connections to a host on the private network. Port triggering dynamically opens firewall ports based on applications that initiate contact from the private network.
An all-in-one security appliance is best suited for which type of implementation?
A remote office with no on-site technician. All-in-one security appliances are best suited for small offices with limited space or a remote office without a technician to manage the individual security components. A company with a dedicated network closet would have the space necessary for multiple networking devices. A company that handles large amounts of data should use dedicated devices to maintain optimal performance. A credit card company should use dedicated security devices to secure sensitive data.
Routed Firewall
A routed firewall is a Layer 3 router. Many hardware routers include firewall functionality. Transmitting data through this type of firewall counts as a router hop. A routed firewall usually supports multiple interfaces, each connected to a different network segment.
Transparent Firewall
A transparent firewall, also called a virtual firewall, operates at Layer 2 and is not seen as a router hop by connected devices. Both the internal and external interfaces on a transparent firewall connect to the same network segment.
Unified Threat Management (UTM) Device
A unified threat management device combines multiple security features into a single network appliance. A single UTM device can provide several security features:
> Firewall
> VPN
> Anti-spam
> Antivirus
> Load balancing
By combining several services into one appliance, UTM devices make managing network security much easier. However, they also introduce a single point of failure: if the UTM fails, network security is lost. Additionally, UTM devices aren't as robust as other devices made for a specific use. Because of this, UTM devices are best suited for:
> Offices where space limits don't allow for multiple security appliances.
> Satellite offices that need to be managed remotely. Configuration changes need to be made on only one device rather than multiple devices.
> Smaller businesses that wouldn't benefit from the robust features provided by specific security appliances.
Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped?
ACL
Access Control List (ACL)
Access control lists (ACLs) are rules firewalls use to manage incoming or outgoing traffic. You should be familiar with the following ACL characteristics:
> ACLs describe the traffic type that will be controlled.
> ACL entries:
- Describe traffic characteristics.
- Identify permitted and denied traffic.
- Can describe a specific traffic type, allow all traffic, or restrict all traffic.
> An ACL usually contains an implicit deny any entry at the end of the list.
> Each ACL applies only to a specific protocol.
> Each router interface can have up to two ACLs for each protocol, one for incoming traffic and one for outgoing traffic.
> When an ACL is applied to an interface, it identifies whether the list restricts incoming or outgoing traffic.
> Each ACL can be applied to more than one interface. However, each interface can have only one incoming list and one outgoing list.
> ACLs can be used to log traffic that matches the list statements.
*Many hardware routers, such as those from Cisco, also provide a packet filtering firewall. These devices are frequently used to fill both network roles (router and firewall) at the same time.
> When you create an ACL on a Cisco device, a deny any statement is automatically added at the end of the list (this statement does not appear in the list itself). For a list to allow any traffic, it must have at least one permit statement that either permits a specific traffic type or permits all traffic not specifically restricted.
*There are two general types of access lists used on Cisco devices:
8.2.2 Security Solution Facts
All-in-one security appliances combine many security functions into a single device. These appliances are also known as unified threat management (UTM) devices. These types of devices may be the best choice for:
> A small company without the budget to buy individual components.
> A small office without the physical space for individual components.
> A remote office without a technician to manage individual security components.
An all-in-one security appliance can include the following security functions:
> Spam filter
> URL filter
> Web content filter
> Malware inspection
> Intrusion detection system
All-in-one security appliances can also include the following:
> Network switch
> Router
> Firewall
> TX uplink (integrated CSU/DSU)
> Bandwidth shaping
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allows HTTP traffic on port 80 on a web server. To allow HTTPS, you would use port 443.
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allows SMTP mail on port 25.
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allows both HTTP and HTTPS on ports 80 and 443 on a web server.
Accept
Allows the connection.
Which of the following describes how access lists can be used to improve network security?
An access list filters traffic based on the IP header information such as source or destination IP address, protocol, or socket numbers. An access list filters traffic based on the IP header information such as source or destination IP address, protocol, or socket numbers. Access lists are configured on routers and operate on Layer 3 information. Port security is configured on switches and filters traffic based on the MAC address in the frame. An intrusion detection system (IDS) or intrusion prevention system (IPS) examines patterns detected across multiple packets. An IPS can take defensive action when a suspicious pattern of traffic is detected.
Application-Layer Firewall
An application-layer firewall is capable of filtering by information contained within a packet's data portion. An application-layer firewall:
> Examines the entirety of the transferred content (not just individual packets).
> Operates at OSI Layer 7 (Application layer).
> Understands, or interfaces with, the application-layer protocol.
> Filters content by user, group, and data (for example, URLs within an HTTP request).
> Is the slowest form of firewall because entire messages are reassembled at the Application layer.
One example of an application-layer firewall is a proxy server. A proxy server is a device that stands as an intermediary between a secure private network and the public. Proxies can be configured to:
> Control both inbound and outbound traffic.
> Increase performance by caching frequently accessed content. Content is retrieved from the proxy cache instead of the original server.
> Filter content and restrict access depending on the user or specific website.
> Shield or hide a private network.
There are two different types of proxy servers:
> A forward proxy server handles requests from inside a private network out to the internet.
> A reverse proxy server handles requests from the internet to a server located inside a private network. A reverse proxy can perform load balancing, authentication, and caching.
*Often, reverse proxies work transparently, meaning that clients requesting specific resources don't know they are using a reverse proxy to access a server.
8.3 Firewall Design and Implementation
As you study this section, answer the following questions:
> How do firewalls manage incoming and outgoing traffic?
> What is the difference between a standard ACL and an extended ACL?
> What does the deny any statement do?
> What is the difference between a routed firewall and a transparent firewall?
In this section, you will learn to:
> Create Firewall ACLs.
> Configure a DMZ.
> Configure a perimeter firewall.
> Configure a proxy server.
The key terms for this section include:
8.1 Firewalls
As you study this section, answer the following questions:
> How does a packet filtering firewall differ from a circuit-level gateway?
> Why is a packet filtering firewall a stateless device?
> What types of filter criteria can an application layer gateway use for filtering?
> Which security device might you choose to restrict access by user account?
> What is the difference between a proxy and a reverse proxy?
In this section, you will learn to:
> Configure a host firewall.
> Configure Linux iptables.
The key terms for this section include:
8.2 Security Appliances
As you study this section, answer the following questions:
> Under which conditions would you use an all-in-one security appliance?
> Which security functions are included in an all-in-one security appliance?
In this section, you will learn to:
> Configure network security appliance access.
The key terms for this section include:
Which of the following features are common functions of an all-in-one security appliance? (Select two.)
Bandwidth shaping
Spam filtering
All-in-one security appliances combine many security functions into a single device. Security functions in an all-in-one security appliance can include:
> Spam filter
> URL filter
> Web content filter
> Malware inspection
> Intrusion detection system
In addition to security functions, all-in-one security appliances can include:
> Network switch
> Router
> Firewall
> TX uplink (integrated CSU/DSU)
> Bandwidth shaping
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
Blocks SMTP mail on port 25.
sudo iptables -A INPUT -s 192.168.0.254 -j DROP
Blocks all connections associated with the IP address 192.168.0.254.
8.1.9 Practice Questions
CIST 1401
8.2.5 Practice Questions
CIST 1401
8.3.9 Practice Questions
CIST 1401
2427 UDP
Cisco Media Gateway Control Protocol (MGCP)
sudo iptables -F
Clears all the current rules.
When designing a firewall, what is the recommended approach for opening and closing ports?
Close all ports; open only ports required by applications inside the DMZ. When designing a firewall, the recommended practice is to close all ports and then only open the ports that allow the traffic that you want inside the DMZ or the private network. Ports 20, 21, 53, 80, and 443 are common ports that are opened, but the exact ports you will open depend on the services provided inside the DMZ.
You recently installed a new all-in-one security appliance in a remote office. You are in the process of configuring the device. You need to: > Increase the security of the device. > Enable remote management from the main office. > Allow users to be managed through Active Directory. You want to configure the device so you can access it from the main office. You also want to make sure the device is as secure as possible. Which of the following tasks should you carry out? (Select two.)
Configure the device's authentication type to use Active Directory. Change the default username and password. When configuring a new all-in-one security appliance, the first thing you should do is change the default username and password. The device's default login credentials can be found on the internet and used to access the device. Most all-in-one security appliances can be integrated with a centralized authentication method, such as Active Directory. This is done in the domain configuration. Denying login from the WAN interface or all external IP addresses would not allow you to remotely manage the device from your main office. Groups are used by the device only and are not used by an authentication server. Creating an Active Directory group would not allow centralized user management.
Which of the following prevents access based on website ratings and classifications?
Content filter
Which of the following are true about routed firewalls? (Select two.)
Counts as a router hop. Supports multiple interfaces.
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet?
DMZ
Which firewall implementation creates a buffer network that can be used to host email or web servers?
DMZ
You have just installed a packet filtering firewall on your network. Which options will you be able to set on your firewall? (Select all that apply.)
Destination address of a packet Port number Source address of a packet Firewalls allow you to filter by IP address and port number.
Reject
Does not allow the connection, but will send a response back. This lets the sender know that he reached a system, but was rejected.
53 TCP and UDP
Domain Name Server (DNS)
In the output of the netstat command, you notice that a remote system has made a connection to your Windows Server 2016 system using TCP/IP port 21. Which of the following actions is the remote system most likely performing?
Downloading a file TCP/IP port 21 is assigned to the file transfer protocol (FTP). A system connected on this port is most likely downloading a file from an FTP server application hosted on the system. Downloading email can be achieved via a number of protocols, including the simple mail transfer protocol (SMTP), the post office protocol version 3 (POP3) and the internet message access protocol version 4 (IMAP4). SMTP uses TCP/IP port 25, while POP3 uses TCP/IP port 110, and IMAP4 uses TCP/IP port 143. Web pages are downloaded using the hypertext transfer protocol (HTTP) on TCP/IP port 80. Name resolution requests use the domain name service (DNS) protocol on TCP/IP port 53.
sudo iptables -A INPUT -j DROP
Drops all incoming traffic.
Drop
Drops the connection. For example, if someone pings your system, the request is dropped, and no response is sent to the user.
67 TCP and UDP 68 TCP and UDP
Dynamic Host Configuration Protocol (DHCP)
Extended ACL
Extended ACLs:
> Can filter by:
- Source IP protocol (IP, TCP, UDP, and so on)
- Source host name or host IP address
- Source or destination socket number
- Destination host name or host IP address
- Precedence or TOS values
> Should be placed as close to the source as possible.
> Use the following number ranges:
- 100-199
- 2000-2699
You want to allow users to download files from a server running the TCP/IP protocol. You want to require user authentication to gain access to specific directories on the server. Which TCP/IP protocol should you implement to provide this capability?
FTP You should implement the file transfer protocol (FTP). It enables file transfers and supports user authentication. The trivial file transfer protocol (TFTP) enables file transfer, but does not support user authentication.
Which of the following is likely to be located in a DMZ?
FTP server An FTP server is the most likely component from this list to be located in a DMZ (demilitarized zone) or a buffer subnet. A DMZ should only contain servers that are to be accessed by external visitors. Often it is assumed that any server placed in the DMZ will be compromised. Therefore, no mission critical or sensitive systems are located in a DMZ. A domain controller may appear in a DMZ when the DMZ is an entire isolated domain, but this practice is not common. User workstations are never located in a DMZ. Unless specifically deployed for just the DMZ, backup servers are never located in a DMZ.
20 TCP and UDP 21 TCP and UDP
File Transfer Protocol (FTP)
Access Control List
Filtering rules firewalls use to identify which traffic to allow and which to block.
Access Control List (ACL)
Filtering rules firewalls use to identify which traffic to allow and which traffic to block.
Which of the following are characteristics of a packet filtering firewall? (Select two.)
Filters IP addresses, not ports Stateless
Access Control Lists
Firewalls use filtering rules, which are sometimes called access control lists (ACLs), to identify allowed and blocked traffic. A rule identifies specific characteristics:
> The interface the rule applies to
> The direction of traffic (inbound or outbound)
> Packet information such as the source IP address, destination IP address, or port number
> The action to take when the traffic matches the filter criteria
*Each ACL has an implicit deny specification. This is a line at the end of the ACL stating that packets that don't match any defined rules are dropped.
> Firewalls do not offer protection against all attacks (such as email spoofing attacks).
1720 TCP
H.323 Call Signaling
443 TCP and UDP
HTTP over Secure Sockets Layer (HTTPS)
Which of the following are true about reverse proxy? (Select two.)
Handles requests from the internet to a server in a private network. Can perform load balancing, authentication, and caching. A reverse proxy server handles requests from the internet to a server located inside a private network. Reverse proxies can perform load balancing, authentication, and caching. Reverse proxies often work transparently, meaning clients don't know they are connected to a reverse proxy.
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from internet-based attacks. Which solution should you use?
Host-based firewall A host-based firewall inspects traffic received by a host. Use a host-based firewall to protect your computer from attacks when there is no network-based firewall, such as when you connect to the internet from a public location. A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect your data from attacks from internet hosts. A VPN concentrator is a device connected to the edge of a private network that is used for remote access VPN connections. Remote clients establish a VPN connection to the VPN concentrator and are granted access to the private network. A proxy server is an Application layer firewall that acts as an intermediary between a secure private network and the public. Access to the public network from the private network goes through the proxy server.
80 TCP and UDP
Hypertext Transfer Protocol (HTTP)
You have a router that is configured as a firewall. The router is a Layer 3 device only. Which of the following does the router use for identifying allowed or denied packets?
IP address A router acting as a firewall at Layer 3 is capable of making forwarding decisions based on the IP address. The MAC address is associated with OSI model Layer 2 and is used by switches and wireless access points to control access. The session ID is used by a circuit-level gateway, and usernames and passwords are used by Application layer firewalls.
You have a router that is configured as a firewall. The router is a Layer 3 device only. Which of the following does the router use for identifying allowed or denied packets?
IP address A router acting as a firewall at Layer 3 is capable of making forwarding decisions based on the IP address. The MAC address is associated with OSI model layer 2. Switches and wireless access points use MAC addresses to control access. The session ID is used by a circuit-level gateway, and username and password are used by Application layer firewalls.
You would like to control internet access based on users, time of day, and websites visited. How can you do this?
Install a proxy server. Allow internet access only through the proxy server. Use a proxy server to control internet access based on users, time of day, and websites visited. You configure these rules on the proxy server, and all internet access requests are routed through the proxy server. Use a packet filtering firewall, such as Windows Firewall, to allow or deny individual packets based on characteristics such as source or destination address and port number. Configure internet zones to identify trusted or restricted websites and control the types of actions that can be performed when visiting those sites.
389 TCP and UDP
Lightweight Directory Access Protocol (LDAP)
636 TCP and UDP
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
sudo iptables -L
Lists all the current rules.
445 TCP
Microsoft Server Message Block (SMB) File Sharing
*To protect a server, ensure that only the necessary ports are open. For example, if the server is only used for email, shut down ports that correspond to FTP, DNS, HTTP, and other protocols.
N/A
137 TCP and UDP 138 TCP and UDP 139 TCP and UDP
NetBIOS Name Service NetBIOS Datagram Service NetBIOS Session Service
119 TCP
Network News Transport Protocol (NNTP)
123 TCP and UDP
Network Time Protocol (NTP)
Network Ports
Network ports are logical connections provided by the TCP or UDP protocols at the Transport layer. They are used by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers to determine which protocol incoming traffic should be directed to.
8.1.4 Common Ports
Network ports are logical connections provided by the TCP or UDP protocols at the Transport layer. They are used by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port numbers to determine which protocol incoming traffic should be directed to. Ports:
> Allow a single host with a single IP address to run network services. Each port number identifies a distinct service.
> Can have over 65,000 ports per IP address.
> Are regulated by the Internet Corporation for Assigned Names and Numbers (ICANN).
You manage a small network at work. Users use workstations connected to your network. No portable computers are allowed. As part of your security plan, you would like to scan all users' emails. You want to scan the emails and prevent any e-mails with malicious attachments from being received by users. Your solution should minimize administration, allowing you to centrally manage the scan settings. Which solution should you use?
Network-based firewall
Your company has a connection to the internet that allows users to access the internet. You also have a web server and an email server that you want to make available to internet users. You want to create a DMZ for these two servers. Which type of device should you use to create the DMZ?
Network-based firewall A demilitarized zone (DMZ) is a buffer network, or subnet, that sits between the private network and an untrusted network, such as the internet. To create a DMZ, use two network-based firewall devices, one connected to the public network, and one connected to the private network. A host-based firewall inspects traffic received by a host. Use a host-based firewall to protect your network from attacks when there is no network-based firewall, such as when you connect to the internet from a public location. A VPN concentrator is a device that is used to establish remote access VPN connections. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A passive IDS monitors, logs, and detects security breaches, but takes no action to stop or prevent attacks. An active IDS (also called an intrusion protection system, or IPS) performs the functions of an IDS, but can also react when security breaches occur.
After blocking a number of ports to secure your server, you are unable to send email. To allow email service, which of the following needs to be done?
Open port 25 to allow SMTP service. The simple mail transfer protocol (SMTP) uses TCP port 25 and is responsible for sending email. If port 25 is blocked, users will not be able to send email, but they could receive email using port 110 and the POP3 protocol. SNMP is used to monitor network traffic. POP3 uses port 110 and is used to retrieve email from a mail server.
Match the firewall type on the left with its associated characteristics on the right. Each firewall type may be used once, more than once, or not at all.
Operates at Layer 2: Virtual firewall
Operates at Layer 3: Routed firewall
Counts as a hop in the path between hosts: Routed firewall
Does not count as a hop in the path between hosts: Virtual firewall
Each interface connects to a different network: Routed firewall
Each interface connects to the same network segment: Virtual firewall
In a routed firewall, the firewall is also a Layer 3 router. In fact, many hardware routers include firewall functionality. Transmitting data through this type of firewall counts as a router hop. A routed firewall usually supports multiple interfaces, each connected to a different network segment. A transparent firewall (also called a virtual firewall) works differently. It operates at Layer 2, and it is not seen as a router hop by connected devices. Both the internal and external interfaces on a transparent firewall connect to the same network segment. Because it is not a router, you can easily introduce a transparent firewall into an existing network.
Which of the following are true of a circuit proxy filter firewall? (Select two.)
Operates at the Session layer. Verifies sequencing of session packets. A circuit proxy filter firewall operates at the Session layer. It verifies the sequencing of session packets, breaks the connections, and acts as a proxy between the server and the client. An Application layer firewall operates at the Application layer, examines the entire message, and can act as a proxy to clients. A stateful inspection firewall operates at the Network and Transport layers. It filters on both IP addresses and port numbers. A kernel proxy filtering firewall operates at the operating system ring 0.
Which of the following is a firewall function?
Packet filtering Firewalls often filter packets by checking each packet against a set of administrator-defined criteria. If the packet is not accepted, it is simply dropped.
Match the firewall type on the right with the OSI layer at which it operates. Each OSI Layer may be used once, more than once, or not at all.
> Packet filtering firewall: OSI Layer 3
> Circuit-level proxy: OSI Layer 5
> Application-level gateway: OSI Layer 7
> Routed firewall: OSI Layer 3
> Transparent firewall: OSI Layer 2
110 TCP
Post Office Protocol (POP3)
You manage a server that runs your company website. The web server has reached its capacity, and the number of client requests is greater than the server can handle. You would like to find a solution so that static web content can be offloaded to a different server while the web server continues to process dynamic content. Which solution should you implement?
Proxy server
You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.)
Put the database server on the private network. Put the web server inside the DMZ. Publicly accessible resources (servers) are placed inside the DMZ. Examples of publicly accessible resources include web, FTP, and email servers. Devices that should not be accessible to public users are placed on the private network. If you have a public server that communicates with another server, such as a database server, and that server should not have direct contact with public hosts, place the server on the private network and allow only traffic from the public server to cross the inner firewall.
5004 TCP and UDP 5005 TCP and UDP
Real-time Transport Protocol (RTP) Data Real-time Transport Protocol (RTP) Control
3389 TCP and UDP
Remote Desktop Protocol (RDP)
Based on the diagram, which type of proxy server is handling the client's request?
Reverse proxy server A reverse proxy server handles requests from the internet to an internal network. Instead of requests for a server going directly to the server, they first go to the reverse proxy server. A forward proxy server handles requests from an internal network out to the internet. An open proxy server is accessible to any user on the internet and is used to forward requests to and from anywhere on the internet. A circuit-level proxy server is typically used as a stateful firewall to allow or deny sessions.
22 TCP and UDP
SSH File Transfer Protocol (also known as Secure File Transfer Protocol or SFTP)
sudo /sbin/iptables-save
Saves changes to the iptables on Ubuntu systems. The command may differ on other Linux systems.
22 TCP and UDP
Secure Shell (SSH)
25 TCP and UDP
Simple Mail Transfer Protocol (SMTP)
161 UDP 162 TCP and UDP
Simple Network Management Protocol (SNMP)
You are monitoring network traffic on your network, and you see traffic between two network hosts on port 1720. What is the source of this network traffic?
Someone is using voice over IP (VoIP) to make a telephone call. Someone on the network is using voice over IP (VoIP) to make a telephone call. Some VoIP implementations use the H.323 protocol to set up, maintain, tear down, and redirect calls. H.323 uses port 1720. The DNS protocol sends name resolution requests to a DNS server on port 53. In a man-in-the-middle attack, a legitimate communication session between two network hosts is intercepted and possibly modified by an attacker. The FTP protocol uses ports 20 and 21 to transfer files between two network hosts.
You have just installed a packet filtering firewall on your network. Which options will you be able to set on your firewall? (Select all that apply.)
> Source address of a packet
> Destination address of a packet
> Port number
Firewalls allow you to filter by IP address and port number.
Standard ACL
Standard ACLs: > Can filter only on source host name or host IP address. > Should be placed as close to the destination as possible. > Use the following number ranges: 1-99 and 1300-1999.
Which of the following are characteristics of a circuit-level gateway? (Select two.)
Stateful Filters by session A circuit-level proxy or gateway makes decisions about which traffic to allow based on virtual circuits or sessions. A circuit-level proxy is considered a stateful firewall because it keeps track of the state of a session. Packet filtering firewalls are stateless and filter on IP address and port number. Application-level gateways filter on Application layer data, which might include data such as URLs within an HTTP request.
23 TCP
Telnet
You administer a web server on your network. The computer has multiple IP addresses. They are 192.168.23.8 to 192.168.23.17. The name of the computer is www.westsim.com. You configured the website as follows: > IP address: 192.168.23.8 > HTTP Port: 1030 > SSL Port: 443 Users complain that they can't connect to the website when they type www.westsim.com. What is the most likely source of the problem?
The HTTP port should be changed to 80. The default HTTP port for the web is 80. You can change the default port; however, port 80 is the default port used by web browsers to make a connection to a web server. If you change the default port, the users must specify the correct port number, or they won't be able to connect to the server.
You are monitoring network traffic on your network, and you see traffic between two network hosts on port 2427. Which kind of network traffic uses this port?
The MGCP protocol is generating traffic, which VoIP uses to send voice data over a network. Someone on the network is using voice over IP (VoIP) to make a telephone call. Some VoIP implementations use the media gateway control protocol (MGCP) to set up, maintain, tear down, and redirect calls. MGCP uses port 2427. The DHCP protocol is used to automatically assign IP addresses to network hosts and utilizes IP ports 67 and 68. A ping of death attack utilizes an oversized ICMP echo request packet to crash a target system. The SSH protocol is used to remotely access another network host and uses port 22.
Firewall Types
There are two types of firewalls: > A routed firewall is also a Layer 3 router. In fact, many hardware routers include firewall functionality. Transmitting data through this type of firewall counts as a router hop. A routed firewall usually supports multiple interfaces, each connected to a different network segment. > A transparent firewall, also called a virtual firewall, operates at Layer 2 and is not seen as a router hop by connected devices. Both the internal and external interfaces on a transparent firewall connect to the same network segment. Because it is not a router, you can easily introduce a transparent firewall into an existing network.
Examples
These are some examples of the uses and commands for iptables. Keep in mind that these are only a few examples; there are many more.
Input
This chain controls the behavior for incoming connections. For example, if a user attempts to ping your system, iptables attempts to match the IP address and port to a rule in the input chain.
Forward
This chain is used for incoming connections that aren't delivered locally. For example, if iptables is being used on a router, the traffic is not destined for the router itself, but the router will forward the traffic to the destination device.
Output
This chain is used for outgoing connections. For example, if you try to ping testout.com, iptables checks its output chain to see what the rules are regarding ping and testout.com before allowing or denying the ping request.
69 TCP and UDP
Trivial File Transfer Protocol (TFTP)
You have a company network that is connected to the internet. You want all users to have internet access, but you need to protect your private network and users. You also need to make a web server publicly available to internet users. Which solution should you use?
Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ.
You are configuring a firewall to allow access to a server hosted on the demilitarized zone of your network. You open TCP/IP ports 80, 25, 110, and 143. Assuming that no other ports on the firewall need to be configured to provide access, which applications are most likely to be hosted on the server?
Web server and email server TCP/IP port 80 is associated with accessing web pages from a web server using the hypertext transfer protocol (HTTP). Email can be accessed using a number of protocols, including the simple mail transfer protocol (SMTP), the post office protocol version 3 (POP3), and the internet message access protocol version 4 (IMAP4). SMTP uses TCP/IP port 25, while POP3 uses TCP/IP port 110, and IMAP4 uses TCP/IP port 143. Domain name service (DNS) traffic uses TCP/IP port 53. Newsgroup servers are accessed using the network news transfer protocol (NNTP) on TCP/IP port 119. Dynamic host configuration protocol (DHCP) traffic uses the BOOTP protocol on TCP/IP ports 67 and 68.
8.1.8 Configure a Host Firewall
You are helping a friend in college with his network connection. He would like a high-speed connection between his computers so he can play SuperBlast with others. In this lab, your task is to complete the following:
> Choose an appropriate router that will provide security and the fastest local connection.
> Connect the router to both computers and to the dorm internet connection.
> Request new TCP/IP information from the router on both computers.
> Configure Windows Firewall on both computers:
   - Turn on Windows Firewall for both the Private and the Public network profiles.
   - Add an exception for the SuperBlast program only for the Private network profile.
*In this lab, the appropriate router is preconfigured with the correct settings to make the connection to the internet service provider (ISP) and the internet.
Complete this lab as follows:
1. Set up the router as follows:
   a. On the Shelf, expand Routers.
   b. Read the description for each device.
   c. Drag the Ethernet 100/1000TX router with firewall to the Workspace.
2. Connect the router as follows:
   a. Above the router, select Back to switch to the back view of the router.
   b. Select the cable currently connected to the wall plate and drag it to a LAN port on the router.
   c. Above the Dorm-PC2 computer, select Back to switch to the back view of the computer.
   d. On the Shelf, expand Cables.
   e. Select a Cat5e RJ45 cable.
   f. In the Selected Component window, drag the connector to the LAN port on the computer.
   g. In the Selected Component window, drag the other connector to a LAN port on the router.
   h. Select a Cat5e RJ45 cable.
   i. In the Selected Component window, drag a connector to the WAN port on the router.
   j. In the Selected Component window, drag the other connector to the port on the wall plate.
3. Provide power to the router as follows:
   a. On the Shelf, select the power adapter.
   b. In the Selected Component window, drag the DC power connector to the power port on the router.
   c. In the Selected Component window, drag the AC adapter connector to the surge protector.
   d. Above the router, select Front to switch to the front view to verify power and network activity lights.
4. Request new TCP/IP information from the router for Dorm-PC as follows:
   a. On the Dorm-PC monitor, select Click to view Windows 10.
   b. In the Search field on the taskbar, enter command prompt.
   c. Under Best Match, select Command Prompt.
   d. Enter ipconfig /renew and press Enter to request new TCP/IP information from the router.
   e. In the notification area, right-click the Network icon and select Open Network and Sharing Center. The network information map should indicate an active connection to the FirewallNetwork and the internet.
5. Configure Windows Firewall on Dorm-PC as follows:
   a. In Network and Sharing, select Windows Firewall.
   b. From the left menu, select Turn Windows Firewall on or off.
   c. Under Private network settings, select Turn on Windows Firewall.
   d. Under Public network settings, select Turn on Windows Firewall.
   e. Click OK.
6. Allow a program through the firewall on Dorm-PC as follows:
   a. From the left menu, select Allow an app or feature through Windows Firewall.
   b. Select Change settings.
   c. Select Allow another app to configure an exception for an uncommon program.
   d. In the Add an app dialog, select the program from the list.
   e. Select Add.
   f. Make sure the program is enabled on the Private network profile only.
   g. Click OK.
7. Request new TCP/IP information from the router for Dorm-PC2 as follows:
   a. From the top navigation tabs, select Bench.
   b. On the Dorm-PC2 monitor, select Click to view Windows 10.
   c. In the Search field on the taskbar, enter command prompt.
   d. Under Best Match, select Command Prompt.
   e. Enter ipconfig /renew and press Enter to request new TCP/IP information from the router.
   f. In the notification area, right-click the Network icon and select Open Network and Sharing Center. The network information map should indicate an active connection to the FirewallNetwork and the internet.
8. Configure Windows Firewall on Dorm-PC2 as follows:
   a. In Network and Sharing, select Windows Firewall.
   b. From the left menu, select Turn Windows Firewall on or off.
   c. Under Private network settings, select Turn on Windows Firewall.
   d. Under Public network settings, select Turn on Windows Firewall.
   e. Click OK.
9. Allow a program through the firewall on Dorm-PC2 as follows:
   a. From the left menu, select Allow an app or feature through Windows Firewall.
   b. Select Change settings.
   c. Select Allow another app to configure an exception for an uncommon program.
   d. In the Add an app dialog, select the program from the list.
   e. Select Add.
   f. Make sure the program is enabled on the Private network profile only.
   g. Click OK.
8.3.5 Configure a DMZ
You are the IT administrator for a small corporate network. Recently, you added a web server that runs services that need to be accessible from the internet. You need to place this server in a DMZ and configure the DMZ settings on the network security appliance (NSA). In this lab, your task is to perform the following:
> Connect the left port of the CorpDMZWeb server to the Optional port on the NSA.
> Configure the Optional port on the NSA for DMZ mode from the IT administrator's workstation.
   NSA management console address: http://198.28.56.18
   Username: xAdmin
   Password: Admin$0nly (0 is zero)
> Configure the DMZ port to act as a DHCP server with the default IP addresses.
   Primary DNS server address: 163.128.78.93
   Secondary DNS server address: 163.128.80.93
> Reserve the first IP address in the DMZ's DHCP address range for CorpDMZWeb.
   IP address: 172.16.2.100
   MAC address: 1A:2B:C4:28:3B:9F
> Configure the CorpDMZWeb server to obtain an IP address automatically.
> Configure the CorpDMZWeb server to obtain a DNS address automatically.
> Verify that the CorpDMZWeb server receives the reserved IP address.
*Select Exhibits to view the network diagram for additional information.
*Use the DMZ Port checklist on the Getting Started (Advanced) page.
Complete this lab as follows:
1. Connect the server to the NSA as follows:
   a. Under Workspace, select Back to switch to the back view of the server rack.
   b. Expand Cables under the Shelf.
   c. Select the Cat5e cable.
   d. In the Selected Component window, click on the network cable connector and drag it to the left Ethernet port on the CorpDMZWeb server.
   e. In the Selected Component window, click on the other network cable connector and drag it to the Optional port on the NSA.
   f. Use the slider by Workspace to zoom in and out as needed.
2. Configure the DMZ as follows:
   a. From the top menu, select Building A.
   b. Select Floor 1 to navigate to the IT Administration office.
   c. Select ITAdmin.
   d. On the taskbar, open Internet Explorer.
   e. In the URL field, enter the NSA Management address of 198.28.56.18 and press Enter.
   f. Maximize Internet Explorer for easier viewing.
   g. In the Username field, enter xAdmin.
   h. In the Password field, enter Admin$0nly (0 is zero).
   i. Select Log In.
   j. In the left pane under Getting Started, select Advanced.
   k. Under DMZ Port, select Set Optional Port to DMZ Mode.
   l. Select DMZ.
   m. Click Apply.
   n. In the left pane, select DMZ Config.
   o. On the DMZ Configuration page under DHCP mode, select DHCP Server from the drop-down list.
   p. In the Primary DNS Server field, enter 163.128.78.93.
   q. In the Secondary DNS Server field, enter 163.128.80.93; then click Apply.
   r. In the left pane, select DMZ Reserved IPs.
   s. On the DMZ Reserved IPs page, select Add.
   t. In the IP Address field, enter 172.16.2.100.
   u. In the MAC Address field, enter 1A:2B:C4:28:3B:9F; then click Apply.
3. Configure DMZ server networking as follows:
   a. From the top, select Building A.
   b. Select Basement to navigate back to the basement.
   c. Select CorpDMZWeb.
   d. Right-click the Network icon in the navigation area and select Open Network and Sharing Center.
   e. Select Change adapter settings.
   f. Right-click Ethernet and then select Properties.
   g. Select Internet Protocol Version 4 (TCP/IPv4).
   h. Select Properties.
   i. Select Obtain an IP address automatically.
   j. Select Obtain DNS server address automatically; then click OK.
   k. Click Close.
   l. Close the Network Connections dialog.
   m. In the Network and Sharing Center console, select Ethernet.
   n. Select Details to verify that the server has received the correct IP address and DNS server addresses.
Firewall Types
You can categorize firewalls by their location on the network:
> A network-based firewall is installed on the edge of a private network or network segment.
   - Most network-based firewalls are considered hardware firewalls even though they use a combination of hardware and software to protect the network from internet attacks.
   - Network-based firewalls are more expensive and require more configuration than other types of firewalls, but they are much more robust and secure.
> A host-based firewall is installed on a single computer in a network.
   - Almost all host-based firewalls are software firewalls.
   - A host-based firewall can protect a computer when no network-based firewall exists (in other words, when connected to a public network).
   - Host-based firewalls are less expensive and easier to use than network-based firewalls, but they don't offer the same level of protection or customization.
You can use a host-based firewall in addition to a network-based firewall to provide multiple layers of protection.
Actions Performed
You need to decide what action you want the rules to perform. You can accept, drop, or reject the connections. After you define your accept rules, you should create a rule to drop all other traffic to prevent unauthorized access to the system.
In which of the following situations would you most likely implement a demilitarized zone (DMZ)?
You want to protect a public web server from attack. Use a demilitarized zone (DMZ) to protect public hosts on the internet, such as a web server, from attack. The DMZ uses an outer firewall that prevents internet attacks. Inside the DMZ are all publicly accessible hosts. A second firewall protects the private network from the internet. Use a virtual private network (VPN) to encrypt data between two hosts on the internet. Use network address translation (NAT) to hide internal IP addresses from the internet. Use an intrusion prevention system (IPS) to detect and respond to threats in real time.
8.2.4 Configure Network Security Appliance Access
You work as the IT security administrator for a small corporate network. You need to secure access to your network security appliance, which is still configured with the default user settings. In this lab, your task is to perform the following:
> Rename the default user account (cisco) with the following parameters:
   Use the user name xAdmin.
   Use the password Admin$0nly (0 = zero).
   Set the idle timeout to 15 minutes.
   Set for LAN access only (no WAN access).
   Allow access only from CorpServer (192.168.0.10).
> Create a new administrative user with the following parameters:
   Use the user name mbrown.
   Use the first name Mary.
   Use the last name Brown.
   Set the user type to Administrator.
   Use the password St@y0ut! (0 = zero).
   Set the idle timeout to 15 minutes.
   Set for LAN access only (no WAN access).
   Allow access only from the administrator's workstation (192.168.0.21).
*Access the NSA management console through Internet Explorer on http://198.28.56.18. Use the default username cisco and the password cisco.
Complete this lab as follows:
1. Select Start.
2. Select All Apps.
3. Select Windows Accessories.
4. Select Internet Explorer.
5. In the URL field, type 198.28.56.18 and press Enter.
6. In the Username field, enter cisco.
7. In the Password field, enter cisco to log in to the Security Appliance Configuration utility.
8. Select Log In.
9. Rename the default user account as follows:
   a. From the Getting Started (Basic) page, select Change Default Admin Password and Add Users.
   b. Select Edit for the cisco username.
   c. In the User Name field, enter the new username.
   d. Select Check to Edit Password.
   e. Enter the current logged in administrator password.
   f. Enter the new password.
   g. Re-enter the new password to confirm the new password.
   h. Enter the idle timeout; then click Apply.
10. Create a new administrative user as follows:
   a. Select Add to add another user.
   b. In the User Name field, enter the username.
   c. Enter the first name.
   d. Enter the last name.
   e. From the User Type drop-down list, select Administrator.
   f. Enter the password.
   g. Re-enter the password to confirm the new password.
   h. Enter the idle timeout; then click Apply.
11. Edit user policies as follows:
   a. Under Edit User Policies, select Login to configure a login policy.
   b. Select Deny Login from WAN Interface; then click Apply.
   c. Repeat steps 11a-11b for the other user.
12. Define network access as follows:
   a. Under Edit User Policies, select By IP to configure IP address restrictions for login.
   b. Select Add.
   c. In the Source Address Type field, make sure IP Address is selected.
   d. In the Network Address/IP Address field, enter the appropriate IP address; then click Apply.
   e. Select Allow Login only from Defined Addresses.
   f. Click Apply to close the dialog.
   g. Repeat steps 12a-12f for the other user.
8.3.6 Configure a Perimeter Firewall
You work as the IT security administrator for a small corporate network. You recently placed a web server in the DMZ. You need to configure the perimeter firewall on the network security appliance to allow access to the web server from the LAN and the WAN. You would also like to improve security by utilizing the attack security features provided by the firewall. In this lab, your task is to perform the following:
> Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ.
> Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ.
   Use the following table for the HTTP and HTTPS rules:
> Add a firewall rule to allow traffic from the LAN to the DMZ.
> Enable all the firewall attack checks.
Complete this lab as follows:
1. Configure the firewall as follows:
   a. From the top menu of the Security Appliance Configuration Utility, select Firewall.
   b. From the left pane, select IPv4 Rules.
   c. In the right pane, select Add.
   d. Modify the firewall rule parameters; then click Apply.
   e. Repeat steps 1c-1d for each firewall rule.
2. Enable firewall attack checks as follows:
   a. From the left pane, select Attacks.
   b. Select all the WAN security checks.
   c. Select all the LAN security checks.
   d. Select all the ICSA settings; then click Apply.
143 TCP
Internet Message Access Protocol (IMAP4)
iptables
iptables is a command line firewall utility for Linux operating systems that uses three different policy chains to allow or block network traffic.
8.1.7 Linux iptable Facts
iptables is a command line firewall utility for Linux operating systems that uses three different policy chains to allow or block network traffic. When a connection is initiated to your system, iptables looks for a rule in its list to match it to. If it doesn't find one, it resorts to the default action (the chain's policy) in the tables. iptables almost always comes pre-installed on any Linux distribution. To update or install iptables, just retrieve the iptables package by entering the command: sudo apt install iptables-services (Note that iptables-services is the package name used by yum/dnf on Red Hat-based distributions; on Debian-based distributions such as Ubuntu, the apt package is named iptables.)
Chains
iptables uses three chains: input, forward, and output.
You have recently installed a new Windows Server 2016 system. To ensure the accuracy of the system time, you have loaded an application that synchronizes the hardware clock on the server with an external time source on the internet. Now, you must configure the firewall on your network to allow time synchronization traffic through. Which of the following ports are you most likely to open on the firewall?
123 TCP/IP port 123 is assigned to the network time protocol (NTP). NTP is used to communicate time synchronization information between systems on a network. The hypertext transfer protocol (HTTP) uses TCP/IP port 80. HTTP is the protocol used to send requests to a web server and retrieve web pages from a web server. TCP/IP port 119 is used by the network news transfer protocol (NNTP). NNTP is used to access and retrieve messages from newsgroups. TCP/IP port 110 is used by the post office protocol version 3 (POP3). POP3 is used to download email from mail servers.