Chapter 4: Firewall Technologies and Administration
log files
A record of all the hits a web server has received over a given period of time.
Internet Protocol (IP)
A set of rules responsible for disassembling, delivering, and reassembling packets over the Internet.
virtual firewalls
A software or hardware firewall that has been specifically created to operate in the virtual environment.
Screened subnet firewall
AKA DMZ; best firewall implementation method: two packet filtering routers, one bastion host
bastion host
A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.
URL filtering
the ability to filter traffic based on a web address (URL) or a site's Domain Name System (DNS) name
both the frame and the packet contain two types of information:
the header and the data, plus a trailer
the data
the information you view and use, such as the text of an email message, the contents of a Web page, or the data link layer (DLL) frame in its entirety
Firewalls should not be
the only form of protection for a network
hardening
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services
port 80
the web; HTTP (Hypertext Transfer Protocol)
state table
tracks the state and context of each packet in the conversation by recording which station sent what packet and when
Social Engineering
using deception to obtain unauthorized access to information resources
Packet Structure
varies based on the nature of the packet
Firewall
(computing) a security system consisting of a combination of hardware and software that limits the exposure of a computer or computer network to attack from crackers
most commercial-grade firewalls are...
... dedicated appliances or stand-alone units running on fully customized computing platforms that provide both the physical networking connection and the firmware programming necessary to perform their functions.
Well Known Ports
0-1023; Which port categories include inbound ports of HTTP, HTTPS, FTP, and DNS?
Ports
0-65,535; a network subaddress. Places on the outside of the computer that connect to the motherboard and allow hardware to work
SOHO (Small office/home office)
A classification of networking equipment, usually marketed to consumers or small businesses, that focuses on low price and ease of configuration. SOHO networks differ from enterprise networks, which focus on flexibility and maximum performance.
socket
A combination of a port number and an IP address that uniquely identifies a connection.
proxy server
A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user. A firewall can be this.
perimeter firewall
A firewall that sits outside the organizational network; it is the first device that Internet traffic encounters.
switches
A layer 2 device that is used to connect two or more network segments and regulate traffic.
Stateful Inspection
Compares certain key parts of the packet to a database of trusted information; superior to stateless inspection
gateway
Computer which acts as a bridge between a local area network and the Internet.
MAC layer firewalls
Designed to operate at the media access control layer of the OSI network model, a sublayer of the data link layer (DLL, layer 2)
load balancing
Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.
Port 21 (TCP)
FTP Control. File Transfer Protocol (FTP) is one of the oldest Internet protocols. FTP servers open their machine's port 21 and listen for incoming client connections. FTP clients connect to port 21 of remote FTP servers to initiate file transfer operations. Since there's much more to the FTP protocol than this, see the discussion below for the details.
IPv4 packet format
Header = Version, header length, type of service, Total Length, Identification, IP Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, IP Option
packet filtering
Operates at Layer 3 (Network), where IP works
POP mail
Port 110
software firewalls are installed on every machine and regulate traffic through
port numbers and applications
DMZ (perimeter network)
Physical or logical sub-network that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. Whatever you want the outside world to see, you put in the DMZ
IPv6 (Internet Protocol version 6)
Protocol in which addresses consist of eight sets of four hexadecimal numbers, each number being a value between 0000 and FFFF, using a colon to separate the numbers. Here's an example: FEDC:BA98:7654:3210:0800:200C:00CF:1234.
Internet Control Message Protocol (ICMP)
Provides a means to send error messages for non-transient error conditions and provides a way to probe the network in order to determine general characteristics about the network.
Port 22
SSH (Secure Shell)
Firewall software
Software that filters what programs and network communications can access a computer.
Firmware
Software that is permanently stored in a chip. The BIOS on a motherboard is an example of firmware.
SMTP (Simple Mail Transfer Protocol)
TCP Port 25
The two primary service types are
TCP and UDP
Ephemeral ports
TCP/IP ports 1024-65,535; dynamically assigned as needed and have no meaning outside of the connection using them.
Port 23 (Telnet)
Telnet is one of the earliest, original protocols of the Internet. A machine offering Telnet services is essentially offering to accept an "across the Internet" remote console terminal connection from any client device. This makes Telnet quite powerful and, without proper security, a significant security concern.
DNS (Domain Name System)
The Internet's system for converting alphabetic names into numeric IP addresses. Resolves names to numbers and resolves domain names to IP addresses.
IP address mapping
The process of mapping a static public IP address to a private IP address of a computer on the local network is called __ _______ ______.
TCP Handshake
The protocol by which a client and server machine establish communication for the transfer of data.
packet filtering router
These routers can be configured to reject packets that the organization does not allow into the network
Dual-homed host firewalls
Two NICs; one connected to an external network, and one connected to an internal network.
screened host firewall
Utilizes packet filtering router and bastion host, implements basic network layer security and application server security.
SYN, SYN/ACK, ACK
What is the three-way handshake sequence used to initiate TCP connections?
The packet will not be sent
What will happen if the default gateway is not specified on your computer and you try to reach another network?
perimeter
a boundary between two zones of trust or network borders.
Static Packet Filtering Firewall
a firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
IRC (Internet Relay Chat)
a form of real-time internet text messaging often used with chat sessions. Some botnets have used IRC channels to control zombie computers through a command and control server.
packet-filtering routers
a form of router at the perimeter between the organization's internal networks and the external service provider configured to reject packets that the organization does not allow into the network.
trailer or footer
a frame also includes these at its end, after the data field, which can contain error-checking data.
Application gateway firewalls
a network device or computer that serves as a firewall and an intermediary between internal computers and computers on the internet (works at Layers 5, 6, and 7) (Session, Presentation, Application)
firewall rules are created and modified by the firewall administrator and specify
a protocol such as ICMP, UDP, or HTTP, the IP address or address range, the TCP or UDP ports, and the desired firewall action.
Access Control List (ACL) (or firewall rules)
a set of IF-THEN rules used to determine what to do with arriving packets
Network Authentication
a standard for work and home computer networks that requires a user to enter an authentication code to use a secure Wi-Fi network
forward it to the next network connection
allow
fragmentation attack prevention
an application-level gateway can prevent these attacks because it reassembles packets, discards those that are malformed and sends only valid packets to the client
extranet
an extended network that shares part of an organization's network with a third party
Firewall System (software/hardware)
analyzes network traffic, blocks unauthorised intrusions and identifies suspicious behaviours by monitoring every packet that goes in and out of the computer
Data at the physical layer is referred to as
bits or a bit stream
SOHO firewall appliances
broadband gateways or DSL/cable modem routers that connect the local area network or a specific computer system to the Internet
application proxies
can restrict internal users who want to gain unrestricted access to the Internet. Provides network services to users
Deep Packet Inspection (DPI)
combines stateful packet filtering with the ability to analyze Application-layer protocols used in communication and determine if there are any inconsistencies, deviations, or malformed packets; looks into the packet itself allowing users to identify, categorize, and stop packets
Firewall Architectures
configurations of firewall devices based on the objectives of the network, the organization's ability to develop and implement the architecture, and the budget available for the function.
header
consists of general information about the size of the packet, the protocol that was used to send it, and the IP addresses of the source computer and the destination
Jump Rules
deep packet inspection is implemented through these. They enable the firewall to execute a separate set of rules that examines the packet in question in much greater detail.
the packet will be ignored
drop
simple firewall models
examine two components of the packet header: the destination and the source addresses
firewall rules are
executed in order
IP spoofing
falsification of the source IP address; occurs when an intruder uses another site's IP address to masquerade as that other site
Application level gateway
filters network traffic at the application level (Layer 7). A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user (same as proxy server). Uses both stateful inspection and DPI to detect malicious traffic
protocols
firewalls affect the transmission of packets based on the protocols used.
zone of trust
firewalls positioned at the border of the network
at the data link layer, the bit stream is encapsulated in a
frame
At the Network layer, ____________ are used to encapsulate packets or datagrams
frames
User Datagram Protocol (UDP)
handles the addressing of a message by breaking it down into numbered segments so that it can be transmitted and then, reassembles the message when it reaches the destination computer.
*Back doors (Hacking Technique)*
hidden openings that trojan horses can enter a system through
Filtering Firewall
inspect packets at the network layer (layer 3) of the OSI model.
packet filtering
inspects each packet that passes through the firewall and accepts or rejects it based on a set of rules. All firewalls do this; it protects networks from port scanning and other types of attacks.
Firewalls should be used as part of an overall security system that includes:
intrusion prevention, antivirus, and encrypted communications
Network Address Translation (NAT)
is a method of remapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.[1]
one rule only executes once
is a perfectly configured firewall
cache
memory that is used to make a computer work faster
physical firewalls are installed between your
network and most likely the gateway
content filtering
occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information (application gateways)
packet-filtering firewalls examine every incoming packet header and can selectively filter packets based
on header information such as destination address, source address, packet type and other key information
Circuit gateways
operates at Layer 4 (Transport), where TCP and UDP work
Circuit-level gateway firewall
operates at the Transport layer (Layer 4); monitors the handshake between packets to determine whether the requested session is legitimate.
TCP (Transmission Control Protocol)
provides reliable, ordered, and error-checked delivery of a stream of packets on the internet. TCP is tightly linked with IP and usually seen as TCP/IP in writing.
form factor
refers to whether a firewall is a residential-grade or commercial-grade, hardware-based or software-based, or appliance-based device
the packet will not be delivered
reject
Perimeter Defense
routers, firewalls, and intrusion prevention systems; no longer valid because VPNs are the rage
firewall appliances
stand-alone, self-contained combinations of computing hardware and software
stateful packet-filtering firewalls
stateful inspection, also called stateful packet filtering, is an examination of the data contained in a packet as well as the state of the connection between internal and external computers.
stateless packet-filtering firewalls
stateless packet filtering ignores the state of the connection between the internal computer and external computer and blocks or allows a packet based on the information in the header
appliances may be manufactured from
stripped-down, general-purpose computer systems, and/or they can be designed to run a custom version of a general-purpose operating system.