Chapter 4: Firewall Technologies and Administration

log files

A record of all the hits a web server has received over a given period of time.

Internet Protocol (IP)

A set of rules responsible for disassembling, delivering, and reassembling packets over the Internet.

virtual firewalls

A software or hardware firewall that has been specifically created to operate in the virtual environment.

Screened subnet firewall

AKA DMZ, best firewall implementation method, 2 packet filtering router, one bastion host

bastion host

A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.

URL filtering

the ability to filter traffic based on a web address or a site's Domain Name System

both the frame and the packet contain two types of information:

the header and the data plus a trailer

the data

the information you view and use like the text of an email message, the contents of a Web page and the DLL frame in its entirety

Firewalls should not be

the only form of protection for a network

hardening

the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services

port 80

the web; HTTP (Hypertext Transfer Protocol)

state table

tracks the state and context of each packet in the conversation by recording which station sent what packt and when

Social Engineering

using deception to obtain unauthorized access to information resources

Packet Structure

varies based on the nature of the packet

Firewall

(computing) a security system consisting of a combination of hardware and software that limits the exposure of a computer or computer network to attack from crackers

most commercial-grade firewalls are...

... dedicated appliances or stand-alone units running on fully customized computing platforms that provide both the physical networking connection and the firmware programming necessary to perform their functions.

Well Known Ports

0-1023; Which port categories include inbound ports of HTTP, HTTPS, FTP, and DNS?

Ports

0-65,535; a network subaddress. Places on the outside of the computer that connect to the motherboard and allows hardware to work

SOHO (Small office/home office)

A classification of networking equipment, usually marketed to consumers or small businesses, that focuses on low price and ease of configuration. SOHO networks differ from enterprise networks, which focus on flexibility and maximum performance.

socket

A combination of a port number and an IP address that uniquely identifies a connection.

proxy server

A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user. A firewall can be this.

perimeter firewall

A firewall that sits outside the organizational network; it is the first device that Internet traffic encounters.

switches

A layer 2 device that used to connect two or more network segments and regulate traffic.

Stateful Inspection

Compares certain key parts of the packet to a database of trusted information; superior to stateless inspection

gateway

Computer which acts as a bridge between a local area network and the Internet.

MAC layer firewalls

Designed to operate at the media access control layer of OSI network model - a sublayer of the DLL (layer 2)

load balancing

Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.

Port 21 (TCP)

FTP Control File: Transfer Protocol (FTP) is one of the oldest Internet protocols. FTP servers open their machine's port 21 and listen for incoming client connections. FTP clients connect to port 21 of remote FTP servers to initiate file transfer operations.Since there's much more to FTP protocol than this, see the discussion below for the details.

IPv4 packet format

Header = Version, header length, type of service, Total Length, Identification, IP Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, IP Option

packet filtering

Operates at Layer 3: Network where IP works

POP MAIL

PORT 110

software firewalls is installed on every machine and regulates traffic through

PORT NUMBERS AND APPLICATIONS

DMZ (perimeter network)

Physical or Logical sub-network that contains and exposes an organization's external-facing services to a larger and untrusted networking, usually the internet. Whatever you want the outside world to see, you put in the DMZ

IPv6 (Internet Protocol version 6)

Protocol in which addresses consist of eight sets of four hexadecimal numbers, each number being a value between 0000 and FFFF, using a colon to separate the numbers. Here's an example: FEDC:BA98:7654:3210:0800:200C:00CF:1234.

Internet Control Message Protocol (ICMP)

Provides a means to send error messages for non-transient error conditions and provides a way to probe the network in order to determine general characteristics about the network.

Port 22

SSH (Secure Shell)

Firewall software

Software that filters what programs and network communications can access a computer.

Firmware

Software that is permanently stored in a chip. The BIOS on a motherboard is an example of firmware.

SMTP (Simple Mail Transfer Protocol)

TCP Port 25

The two primary service types are

TCP and UDP

Ephemeral ports

TCP/IP ports 1024 and 65,535. dYNAMICALLY ASSIGNED AS NEEDED AND HAVE NO MEANING OUTSIDE OF THE CONNECTION USING THEM.

Port 23 (Telnet)

Telnet is one of the earliest, original protocols of the Internet. A machine offering Telnet services is essentially offering to accept an "across the Internet" remote console terminal connection from any client device. This makes Telnet quite powerful and, without proper security, a significant security concern.

DNS (Domain Name System)

The Internet's system for converting alphabetic names into numeric IP addresses.Resolves names to numbers and resolves domain names to I.P. addresses.

IP address mapping

The process of mapping a static public IP address to a private IP address of a computer on the local network is called __ _______ ______.

TCP Handshake

The protocol by which a client and server machine establish communication for the transfer of data.

packet filtering router

These routers can be configured to reject packets that the organization does not allow in to network

Dual-homed host firewalls

Two NICs; one connected to an external network, and one connected to an internal network.

screened host firewall

Utilizes packet filtering router and bastion host, implements basic network layer security and application server security.

SYN, SYN/ACK, ACK

What is the three-way handshake sequence used to initiate TCP connections?

The packet will not be sent

What will happen if the default gateway is not specified on your computer and you try to reach another network?

perimeter

a boundary between two zones of trust or network borders.

Static Packet Filtering Firewall

a firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.

IRC (Internet Relay Chat)

a form of real-time internet text messaging often used with chat sessions. Some botnets have used IRC channels to control zombie computers through a command and control server.

packet-filtering routers

a form of router at the perimeter between the organization's internal networks and the external service provider configured to reject packets that the organization does not allow into the network.

trailer or footer

a frame also includes these at its end, after the data field, which can contain error-checking data.

Application gateway firewalls

a network device or computer that serves as a firewall and an intermediary between internal computers and computers on the internet (works at Layers 5, 6, and 7) (Session, Presentation, Application)

firewall rules are created and modified by the firewall administrator and specifies

a protocol such as ICMP, UDP, or HTTP, the IP address or address range, the TCP or UDP ports, and the desired firewall action.

Access Control List (ACL) (or firewall rules)

a set of IF-THEN rules used to determine what to do with arriving packets

Network Authentication

a standard for work and home computer networks that requires a user to enter an authentication code to use a secure Wi-Fi network

forward it to the next network connection

allow

fragmentation attack prevention

an application-level gateway can prevent these attacks because it reassembles packets, discards those that are malformed and sends only valid packets to the client

extranet

an extended network that shares part of an organization's network with a third party

Firewall System (software/hardware)

analyze network traffic and block unauthorised instrusions and identify suspicious behaviours. - by monitoring every packet that goes in and out of computer

Data at the physical layer is referred to as

bits or a bit stream

SOHO firewall appliances

broadband gateways or DSL/cable modem routers connect the local area network or a specific computer system to the Internet

application proxies

can restrict internal users who want to gain unrestricted access to the Internet. Provides network services to users

Deep Packet Inspection (DPI)

combines stateful packet filtering with the ability to analyze Application-layer protocols used in communication and determine if there are any inconsistencies, deviations, or malformed packets; looks into the packet itself allowing users to identify, categorize, and stop packets

Firewall Architectures

configurations of firewall devices based on the objectives of he network, the organization's ability to develop and implement the architecture, and the budget available for the function.

header

consists of general information about the size of the packet, the protocol that was used to send it, and the IP addresses of the source computer and the destination

Jump Rules

deep packet inspection is implemented through these. They enable the firewall to execute a separate set of rules that examines the packet in question in much greater detail.

the packet will be ignored

drop

simple firewall models

examine two components of the packet header: the destination and the source addresses

firewall rules are

executed in order

IP spoofing

falsification of the source IP address; occurs when an intruder uses another site's IP address to masquerade as that other site

Application level gateway

filter network traffic at the application level (L 7). A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user. (same as proxy server) Uses both stateful and DPI to detect malicious traffic

protocols

firewalls affect the transmission of packets based on the protocols used.

zone of trust

firewalls positioned at the border of the network

at the data link layer, the bit stream is encapsulated in a

frame

At the Network layer, ____________ are used to encapsulate packets or datagrams

frames

User Datagram Protocol (UDP)

handles the addressing of a message by breaking it down into numbered segments so that it can be transmitted and then, reassembles the message when it reaches the destination computer.

*Back doors (Hacking Technique)*

hidden openings that trojan horses can enter a system through

Filtering Firewall

inspect packets at the network layer (layer 3) of the OSI model.

packet filtering

inspects each packet that passes through the firewall and accepts or rejects it based on a set of rules. All firewalls do this, It protects networds from port scanning and other types of attacks.

Firewalls should be used as part of a overall security system that includes:

intrusion prevention, antivirus, and encrypted communications

Network Address Translation (NAT)

is a method of remapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.[1]

one rule only executes once

is a perfectly configured firewall

cache

memory that is used to make a computer work faster

physical firewalls are installed between your

network and most likely the gateway

content filtering

occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information (application gateways)

packet-filtering firewalls examine every incoming packet header and can selectively filter packets based

on header information such as destination address, source address, packet type and other key information

Circuit gateways

operates at Layer 4: Transport (TCP and UDP work)

Circuit-level gateway firewall

operates at the Transport layer. L4. monitors handshake between packets to determine whether requested session is legit.

TCP (Transmission Control Protocol)

provides reliable, ordered, and error-checked delivery of a stream of packets on the internet. TCP is tightly linked with IP and usually seen as TCP/IP in writing.

form factor

refers to whether a firewall is a residential-grade or commercial grade, hardware-based or software-based, or appliance-based device

the packet will not be delivered

reject

Perimeter Defense

routers, firewalls, and intrusion prevention systems; no longer valid because VPNs are the rage

firewall appliances

stand-along, self-contained combinations of computing hardware and software

stateful packet-filtering firewalls

stateful inspection, called stateful packet filtering, is an examination of the data contained in a packet as well as the state of the connection between internal and external computers.

stateless packet-filtering firewalls

stateless packet filtering ignores the state of the connection between the internal computer and external computer and blocks or allows a packet based on the information in the header

appliances may be manufactured from

stripped-down, general-purpose computer systems, and/or they can be designed to run a custom version of a general-purpose operating system.