Module 3: Firewall Fundamentals
expected encryption key length
256 bits
transport mode encryption
A form of encryption also known as point-to-point or host-to-host encryption. Transport mode encryption protects only the payload of traffic and leaves the header in plain-text original form.
Tunnel mode encryption
Aka site-to-site, LAN-to-LAN, gateway-to-gateway, host-to-LAN, and remote access encryption. Complete encapsulation of the original traffic into a new tunneling protocol. The entire original header and payload are encrypted, and a temporary link or tunnel header guides the data across the intermediary network.
____ the rules on a firewall are exceptions
All
public key cryptography
Asymmetric cryptography that uses key pairs. Each participant in a communication or community has a discrete key pair set, consisting of a private key and a public key. The private key is kept secure and private at all times. The public key is put out for open public access and use. The key pairs work together as opposites: the encryption or encoding that one of the keys performs can only be undone by the opposite key of the pair.
what needs to be disabled before using software firewalls with multiple interfaces?
IP forwarding
any hardware connecting a local network—or even a single computer—to a telco's carrier network to access the Internet
ISP connection device
How does a firewall operate as a dead-man switch
If the firewall fails or goes offline, so does the connection it was filtering
four primary options of combined firewall types
Personal software firewall, commercial software firewall, personal hardware firewall, commercial hardware firewall
Firewalls for web e-commerce sites can act as the endpoint of what tunnels
Secure Sockets Layer (SSL) or Transport Layer Security (TLS) tunnel
define deny by default/allow by exception
Some exception rules define what you allow. Some exception rules define what you wish to deny. The final option, sometimes called the final rule, is that anything that did not match one of the exceptions is denied by default.
firewalls can filter based on content T or F
T
firewalls can filter based on encryption T or F
T
firewalls can log events T or F?
T
port forwarding
The function of routing traffic from an external source received on a specific predefined IP address and port combination (also known as a socket) to an internal resource server. Also known as reverse proxy and static NAT.
what does a circuit proxy prevent
a direct connection from existing between a client and server to protect the network
software firewall uses what as its host?
a standard client or server
chokepoint
an access point to other areas or resources; a chokepoint is a specialized kind of gateway that funnels traffic onto a single concentrated pathway to simplify the process of filtering
threat that takes some type of initiative to seek out a target to compromise
active threat
Position firewall ____ encryption is removed
after
symmetric cryptography
algorithms that use a single, shared secret key to encrypt and decrypt data; very fast
as a general filter for malicious activity, a firewall can do what?
allow communication using any protocol on any port or limit communications to specific protocols and ports
A firewall is not and cannot be...
an authentication server, a remote access server, a malicious code scanner, or an intrusion detection system; it cannot decrypt traffic or detect misconfigurations
Personal hardware firewall is part of
an integrated firewall product, such as a wireless access point (WAP) or a cable/digital subscriber line (DSL) modem
hardware firewall is aka
appliance firewall
the go-between or middleman between a client and a server
application proxy
what is able to inspect traffic fully at any layer, including the application payload
application proxy
Content filtering is often a feature of which firewalls
application proxy firewalls, stateful inspection firewalls, and dynamic packet-filtering firewalls
cryptography
art and science of changing information so it is not easily recognized or understood by unauthorized third parties
asymmetric cryptography
based on algorithms that use either key pairs or some other special mathematical mechanism. Different keys are used for different purposes, different keys are used by different members of the communication session, and some systems use something different from keys altogether; slow
Firewalls that work with SSL and TLS filter content _____ the web server receives and processes the information
before
Firewall rules center around
blocking traffic with spoofed addresses, uncommon ports, unauthorized protocols, invalid header constructions or values
types of firewall implementations
bump-in-the-wire and bump-in-the-stack.
examples of ISP connection devices
cable modems, DSL modems, satellite modems, routers, and wireless modems; these may include firewall features.
what does virtualizing firewalls gain you
the ability to craft new network architectures that may not exist in traditional network architecture concepts
proxy firewall
can hide the identity of one or both endpoints of a communication from the participants.
issues with dynamic packet filtering
can sometimes be fooled through manipulation of header contents that makes malicious traffic appear to be part of an existing valid session; not all traffic uses states (ICMP, UDP)
socket
combo of IP address and port number
out of band communication
communication through a different channel or means, OR a communication stream that occurs separately in time from the existing communication.
Stateful inspection addresses the issue of
complex malicious traffic
firewalls can also filter based on what
content
avalanche effect
cryptography tactic where a small change elicits a large effect in the output hash.
hardware firewall uses what as its host
dedicated appliance
what philosophy or stance of security do firewalls follow
deny by default/allow by exception
stateful packet filtering
determines whether or not a current packet is part of an existing session, and allow/deny decisions are made based on this determination. Layers 4-7; keeps track of current sessions in a state table stored in memory
Content filtering can focus on
domain name, URL, filename, file extension, or keywords in the content.
Content filtering can focus on what
domain name, URL, filename, file extension, or some other form of keyword
limitation of application proxy firewall
each unique application will need its own dedicated application proxy
what happens if a firewall fails
fails into a secured state known as fail-safe or fail-secure.
Host firewall
filters traffic entering or leaving a single computer system and protects the network from threats coming from the host
What is a firewall
filtering device that enforces network security policy and protects the network against external attacks
Ingress filtering
filtering packets arriving at a network from the outside
what happens if a packet fails to match any rule
firewall drops packet by default
Egress filtering
firewall filters packets when they are leaving the network; prevents replies to probe packets from leaving the network and prevents a firm's infected hosts from attacking other firms
Bastion host
firewall positioned at the initial entry point where a network interfaces with the Internet. It serves as the first line of defense for the network; also known as a sacrificial host
bump-in-the-stack
firewall that is implemented via software.
Network address translation is common on most modern ______
firewalls
circuit proxy/firewall
focuses its filtering on the initial setup process of a session, state, or circuit; a list of rules based on IP addresses, port numbers, domain names, networks, or even resource providers determines which circuits or connections are allowed and which are not.
Firewalls can act as a _____ or as a _____
general filter for malicious activity, one-way sieve
most common filtering focus
header; the payload of the packet is a close second
software firewall is aka
host firewall
what firewall provides protection for both inbound and outbound communications?
host software firewall
symmetric cryptography is the preferred method to secure data where
in storage or in transit, of any size.
next generation firewall has what in addition to normal capabilities
integrated IDS/IPS functionality
a border firewall is unable to see what kind of traffic
interior
state
logical connection between a client and a resource server
one-way function
mathematical operation performed in one direction relatively easily, but impossible or nearly so to reverse; used in asymmetric cryptography
issue with static packet filtering
may allow the subsequent packets of a fragmented message through, even though the lead packet was dropped. This can result in a DoS on the destination system
firewall on operating system
native firewall
software firewall can only filter traffic that reaches what
network interface of its host.
dual-homed firewalls have two or more what
network interfaces
Firewalls differentiate between _____ and ____
networks, subnets
Best practice for where to place firewalls
on each host, on every border gateway or chokepoint, and between each significant subnet or interior network division
Firewalls can focus on what
packet header, packet payload, content of a session, the establishment of a circuit, possibly other assets
threats you must seek out to be harmed
passive threat
Firewall is the _____ embodiment of the security policy.
physical
form of static reversal of network translation
port forwarding
firewalls can provide ______ services
port-forwarding
dynamic packet filtering
process of automatically creating temporary filters once a session is established; the firewall watches for packets that do not belong to authorized sessions; allows for simpler rule sets
stateful inspection
process of automatically tracking sessions or states to allow inbound responses to previous outbound requests. Aka dynamic packet filtering
keyspace
range of keys that are valid for use for that specific algorithm.
port forwarding _____ the effective security provided by a firewall
reduces
Original firewall
screening router
firewalls can _____, or divide, based on results of filtering
segment
benefit of multiple homed firewalls
segments, subnets, or networks connected to each firewall interface are electronically isolated from each other
bump-in-the-wire
separate hardware firewall implementation
transparent proxy (in-line proxy)
server that stands in place of and behaves initially as if it were the web server; it is installed immediately between the firewall, protecting against Internet intrusions, and a web server. Requests are passed here if they meet the firewall rules
session of communication
state; e.g., TCP's three-way handshake
most common form of filtering
static packet filtering
Three main types of cryptography algorithms
symmetric, asymmetric, and hashing
Load balancer
takes the load coming into a set of servers and ensures that the load is balanced between or among the servers, based on a variety of factors
Packet payload
the essential data of the packet
Network Address Translation (NAT)
translates between internal addresses and public external addresses; the most common translation service
encryption key
unique and secret number that controls the encryption and decryption processes performed by the algorithm; a very large binary number measured or defined in terms of its bit length.
what is the riskiest element in a network infrastructure?
user
static packet filtering
uses a static or fixed set of rules to filter network traffic; focuses on header contents, not payload; focuses on Layers 3 and 4; fast
variety of firewall and firewall-like concepts using software to perform firewall activities.
virtual firewall
How does a firewall work
watches for traffic that fails to comply with the rules defined by the firewall administrator
what does fail-safe mean
when the firewall is offline, locked or frozen, or otherwise experiences a problem, the firewall stops all traffic rather than allowing all traffic through.
a sieve firewall
will only allow traffic to originate from the private or trusted side