3.3 - Firewalls Flashcards
1
Q
Standard Issue
A
- Universal security control
- Allows us to control the flow of traffic (inbound or outbound)
- Very important for corporations to protect the internal network from the internet
- Can include content control (NSFW, parental controls, etc.)
- Sometimes include protection against malicious code (anti-malware / anti-virus)
2
Q
Network-based firewalls
A
- Filter traffic by the port number of the application (traditional)
- NGFW (Next-Generation Firewalls) also include filtering capabilities at the application layer
- Many firewalls can act as VPN endpoints (ex: terminating an IPsec tunnel), which lets you configure the firewall as the central point for remote access
- Most firewalls can be configured to act as a layer 3 device (effectively replacing the router used to connect to the internet); they often sit at the ingress/egress of the network
- NAT (Network Address Translation) functionality (so you can have internal, private addresses that can still communicate with external addresses)
- Can authenticate dynamic routing communication (because it's acting like a router)
3
Q
Stateless Firewall
A
- Does not keep track of traffic flows (doesn't know that the response from the web server was a result of our original request)
- Each packet is individually examined, regardless of past history
- Traffic sent outside of an active session will traverse a stateless firewall
- Needs a rule base that examines every flow of traffic (individual rules to handle both the request and the response, since it doesn't understand traffic flows)
- If an attacker gains access to a web server and sends unprompted information, the firewall doesn't know it was unprompted; once it checks its rule base it will allow it, potentially letting malicious traffic through the firewall
- Older style of firewall, very uncommon at this point
4
Q
Stateful Firewall
A
- Remembers the “state” of the session
- Now only a single rule is needed to allow communication from the user through the firewall to the web server and back (a stateless firewall needed two rules)
- Ex: once the user's request hits the firewall, it is checked against the ACL; if valid, the firewall creates an entry in a session table (which has information about that particular flow). When the web server sends a response, the firewall checks the ACL and then the session (or state) table, and the response is returned to the user
- The rules are stored in ACLs
- If an attacker initiates an attack from the web server, when it hits the firewall it won't match the rule base or the session table and will be denied access
- Everything within a valid flow is allowed
- More secure than stateless
5
Q
UTM
A
- Unified Threat Management
- Web security gateway
- Newer version of a firewall
- Possible additional features: URL filter / content inspection, malware inspection, spam filter, CSU/DSU connectivity (for the wide-area network connection), built-in router / switching, firewall, IDS/IPS, bandwidth shaper, VPN endpoint
- All-in-one security appliance
- Challenge: generally there is no single vendor that can provide all of these services well in one device
6
Q
NGFW
A
- Next-generation firewalls
- Application-layer devices that can see the application flows across all communication
- aka Application Layer Gateway
- aka Stateful multilayer inspection
- aka Deep packet inspection
- Operates at the OSI application layer
- Examines all data in every packet
- Requires some advanced protocol decodes
- Every packet must be analyzed and categorized (regardless of the IP address or ports being used) before a security decision is made
- More intelligent than a UTM or a traditional firewall
- Commonly network-based firewalls
7
Q
Network-based firewalls
A
- Control traffic flows based on the application
- (ex: SQL, Twitter, YouTube)
- Might also include an Intrusion Prevention System (IPS), which can react to any vulnerabilities
- Content filtering (URL filtering or category filtering)
- Provides more
8
Q
WAF
A
- Web Application Firewall
- Not like a ‘normal’ firewall (which filters traffic flows based on IP address / ports)
- Not like an NGFW (which examines applications to identify traffic flows)
- A WAF applies rules to HTTP/HTTPS conversations
- Specifically built for web-based applications
- Allow / deny traffic based on the input to the application (compared against the expected input)
- Unexpected input is a common method of exploiting an application (ex: SQL injection)
9
Q
PCI DSS
A
- Payment Card Industry Data security standard
- Mandates a WAF (Web Application Firewall)
10
Q
ACLs
A
- Access Control List
- aka Security Policy
- The list of rules for a firewall that determines who is allowed through
- Based on tuples (groupings of categories)
- Ex: source IP, destination IP, port number, time of day, application, etc.
11
Q
Logical path
A
- Usually top to bottom
- The firewall tries to match the first rule, then the second, etc.
- Eventually a match is found, and that rule determines how the flow is handled
- Generally, the most specific rules are at the top
- If no rule in the table matches, most firewalls apply an implicit deny (implicit denies are not logged, so if you want a log you'll have to create an explicit open-ended rule for a given protocol)
- ACLs (Access Control Lists), the rule table in firewalls, have so many rules that understanding how they are traversed is important
12
Q
TCP protocol
A
- Web traffic
- One attribute (the protocol) in an ACL rule table
13
Q
Local Port 443
A
- Typically HTTPS communication
- One attribute (the local port) in an ACL rule table; obviously the port number could be different
14
Q
Port 3389
A
- Commonly used for Remote Desktop (RDP)
15
Q
Ex: Remote Port 53 and Protocol UDP
A
- DNS traffic