4.5 Firewalls Flashcards

1
Q

Network-based firewalls

A

Filter traffic by port number or application
– Traditional vs. NGFW
* Encrypt traffic
– VPN between sites
* Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT)
– Dynamic routing

2
Q

Next-generation Firewalls (NGFW)

A

The OSI Application Layer
– Layer 7 firewall
* Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
* Requires some advanced decodes
– Every packet must be analyzed, categorized, and
a security decision determined

3
Q

Ports and protocols

A

Make forwarding decisions based on protocol
(TCP or UDP) and port number
– Traditional port-based firewalls
– Add to an NGFW for additional security
policy options
* Based on destination protocol and port
– Web server: tcp/80, tcp/443
– SSH server: tcp/22
– Microsoft RDP: tcp/3389
– DNS query: udp/53
– NTP: udp/123

4
Q

Firewall rules

A

A logical path
– Usually top-to-bottom
* Can be very general or very specific
– Specific rules are usually at the top
* Implicit deny
– Most firewalls include a deny at the bottom
– Even if you didn’t put one
* Access control lists (ACLs)
– Allow or disallow traffic
– Groupings of categories
– Source IP, Destination IP, port number, time of day,
application, etc.

5
Q

Screened subnet

A

An additional layer of security between you and
the Internet
– Public access to public resources
– Private data remains inaccessible

6
Q

IPS rules

A

Intrusion Prevention System
– Usually integrated into an NGFW
* Different ways to find malicious traffic
– Look at traffic as it passes by
* Signature-based - Look for a perfect match
* Anomaly-based
– Build a baseline of what’s “normal”
– Unusual traffic patterns are flagged
* You determine what happens when unwanted
traffic appears
– Block, allow, send an alert, etc.
* Thousands of rules - Or more
* Rules can be customized by group
– Or as individual rules
* This can take time to find the right balance
– Security / alert “noise” / false positives

7
Q

Content filtering

A

Control traffic based on data within the content
– URL filtering, website category filtering
* Corporate control of outbound and inbound data
– Sensitive materials
* Control of inappropriate content
– Not safe for work
– Parental controls
* Protection against evil
– Anti-virus, anti-malware

8
Q

URL scanning

A

Allow or restrict based on Uniform Resource Locator
– Also called a Uniform Resource Identifier (URI)
– Allow list / Block list
* Managed by category
– Auction, Hacking, Malware,
– Travel, Recreation, etc.
* Can have limited control
– URLs aren’t the only way to surf
* Often integrated into an NGFW
– Filters traffic based on category or specific URL

9
Q

Agent based

A

Install client software on the user’s device
– Usually managed from a central console
* Users can be located anywhere
– The local agent makes the filtering decisions
– Always-on, always filtering
* Updates must be distributed to all agents
– Cloud-based updates
– Update status shown at the console

10
Q

Proxies

A

Sits between the users and the external network
* Receives the user requests and sends the request
on their behalf (the proxy)
* Useful for caching information, access control,
URL filtering, content scanning
* Applications may need to know how to use
the proxy (explicit)
* Some proxies are invisible (transparent)

11
Q

Forward proxy

A

A centralized “internal proxy”
– Commonly used to protect and control user
access to the Internet

12
Q

Block rules

A

Based on specific URL
– *.professormesser.com: Allow
* Category of site content
– Usually divided into over 50 different topics
– Adult, Educational, Gambling, Government,
Home and Garden, Legal, Malware, News, etc.
* Different dispositions
– Educational: Allow
– Home and Garden: Allow and Alert
– Gambling: Block

13
Q

Reputation

A

Filter URLs based on perceived risk
– A good reputation is allowed
– A bad reputation is blocked
– Risk: Trustworthy, Low risk, Medium risk, Suspicious,
High risk
* Automated reputation
– Sites are scanned and assigned a reputation
* Manual reputation
– Managers can administratively assign a rep
* Add these dispositions to the URL filter
– High risk: Block, Trustworthy: Allow

14
Q

DNS filtering

A

Before connecting to a website, get the IP address
– Perform a DNS lookup
* DNS is updated with real-time threat intelligence
– Both commercial and public lists
* Harmful sites are not resolved
– No IP address, no connection
* This works for any DNS lookup
– Not just web filtering

15
Q

Active Directory

A

A database of everything on the network
– Computers, user accounts, file shares, printers, groups,
and more
– Primarily Windows-based
* Manage authentication
– Users login using their AD credentials
* Centralized access control
– Determine which users can access resources
* Commonly used by the help desk
– Reset passwords, add and remove accounts

16
Q

Group Policy

A

Manage the computers or users with Group Policies
– Local and Domain policies
– Group Policy Management Editor
* A central console
– Login scripts
– Network configurations (QoS)
– Security parameters
* Comprehensive control
– Hundreds of configuration options

17
Q

Security-Enhanced Linux (SELinux)

A

Security patches for the Linux kernel
– Adds mandatory access control (MAC) to Linux
– Linux traditionally uses
– Discretionary Access Control (DAC)
* Limits application access
– Least privilege
– A potential breach will have limited scope
* Open source
– Already included as an option with many Linux
distributions

18
Q

Unencrypted network data

A

Network traffic is important data
– Everything must be protected
* Some protocols aren’t encrypted
– All traffic sent in the clear
– Telnet, FTP, SMTP, IMAP
* Verify with a packet capture
– View everything sent over the network

19
Q

Protocol selection

A

Use a secure application protocol
– Built-in encryption
* A secure protocol may not be available
– This may be a deal-breaker

20
Q

Port selection

A

Secure and insecure application connections may be
available
– It’s common to run secure and insecure on different ports
* HTTP and HTTPS
– In-the-clear and encrypted web browsing
– HTTP: Port 80
– HTTPS: Port 443
* The port number does not guarantee security
– Confirm the security features are enabled
– Packet captures may be necessary

21
Q

Transport method

A

Don’t rely on the application
– Encrypt everything over the current
network transport
* 802.11 Wireless
– Open access point: No transport-level encryption
– WPA3: All user data is encrypted
* Virtual Private Network (VPN)
– Create an encrypted tunnel
– All traffic is encrypted and protected
– Often requires third-party services and software

22
Q

Email security challenges

A

The protocols used to transfer emails include
relatively few security checks
– It’s very easy to spoof an email
* Spoofing happens all the time
– Check your spam folder
* The email looks as if it originated from
james@professormesser.com
– But did it? How can you tell?
* A reputable sender will configure email validation
– Publicly available on the sender’s DNS server

23
Q

Mail gateway

A

The gatekeeper
– Evaluates the source of inbound email messages
– Blocks it at the gateway before it reaches the user
– On-site or cloud-based

24
Q

Sender Policy Framework (SPF)

A

SPF protocol
– Sender configures a list of all servers authorized to
send emails for a domain
* The list of authorized mail servers is added to a
DNS TXT record
– Receiving mail servers perform a check to see if
incoming mail really did come from an authorized host

25
Q

Domain Keys Identified Mail (DKIM)

A

A mail server digitally signs all outgoing mail
– The public key is in the DKIM TXT record
* The signature is validated by the receiving mail servers
– Not usually seen by the end user

26
Q

DMARC

A

Domain-based Message Authentication, Reporting, and Conformance (DMARC)
– An extension of SPF and DKIM
* The domain owner decides what receiving email servers should do with emails not validating using SPF and DKIM
– That policy is written into a DNS TXT record
– Accept all, send to spam, or reject the email
* Compliance reports are sent to the email administrator
– The domain owner can see how emails are received

27
Q

FIM (File Integrity Monitoring)

A

Some files change all the time
– Some files should NEVER change
* Monitor important operating system and application files
– Identify when changes occur
* Windows - SFC (System File Checker)
* Linux - Tripwire
* Many host-based IPS options

28
Q

Data Loss Prevention (DLP)

A

Where’s your data?
– Social Security numbers, credit card numbers, medical records
* Stop the data before the attackers get it
– Data “leakage”
* So many sources, so many destinations
– Often requires multiple solutions in different places

29
Q

Data Loss Prevention (DLP) systems

A

On your computer
– Data in use
– Endpoint DLP
* On your network
– Data in motion
* On your server
– Data at rest

30
Q

USB blocking

A

DLP on a workstation
– Allow or deny certain tasks
* November 2008 - U.S. Department of Defense
– Worm virus “agent.btz” replicates using USB storage
– Bans removable flash media and storage devices
* All devices had to be updated
– Local DLP agent handled USB blocking
* Ban was lifted in February 2010
– Replaced with strict guidelines

31
Q

Cloud-based DLP

A

Located between users and the Internet
– Watch every byte of network traffic
– No hardware, no software
* Block custom defined data strings
– Unique data for your organization
* Manage access to URLs
– Prevent file transfers to cloud storage
* Block viruses and malware
– Anything traversing the network

32
Q

DLP and email

A

Email continues to be the most critical risk vector
– Inbound threats, outbound data loss
* Check every email inbound and outbound
– Internal system or cloud-based
* Inbound
– Block keywords, identify impostors, quarantine email messages
* Outbound
– Fake wire transfers, W-2 transmissions, employee information

33
Q

Emailing a spreadsheet template

A

November 2016
* Boeing employee emails spouse a spreadsheet to use as a template
* Contained the personal information of 36,000 Boeing employees
– In hidden columns
– Social security numbers, date of birth, etc.
* Boeing sells its own DLP software
– But only uses it for classified work

34
Q

The endpoint

A

The user’s access
– Applications and data
* Stop the attackers
– Inbound attacks
– Outbound attacks
* Many different platforms
– Mobile, desktop
* Protection is multi-faceted
– Defense in depth

35
Q

Edge vs. access control

A

Control at the edge
– Your Internet link
– Managed primarily through firewall rules
– Firewall rules rarely change
* Access control
– Control from wherever you are
– Inside or outside
– Access can be based on many rules
– By user, group, location, application, etc.
– Access can be easily revoked or changed
– Change your security posture at any time

36
Q

Posture assessment

A

You can’t trust everyone’s computer
– BYOD (Bring Your Own Device)
– Malware infections / missing anti-malware
– Unauthorized applications
* Before connecting to the network, perform a health check
– Is it a trusted device?
– Is it running anti-virus? Which one? Is it updated?
– Are the corporate applications installed?
– Is it a mobile device? Is the disk encrypted?
– The type of device doesn’t matter - Windows, Mac, Linux, iOS, Android

37
Q

Health checks/posture assessment

A

Persistent agents
– Permanently installed onto a system
– Periodic updates may be required
* Dissolvable agents
– No installation is required
– Runs during the posture assessment
– Terminates when no longer required
* Agentless NAC
– Integrated with Active Directory
– Checks are made during login and logoff
– Can’t be scheduled

38
Q

Failing your assessment

A

What happens when a posture assessment fails?
– Too dangerous to allow access
* Quarantine network, notify administrators
– Just enough network access to fix the issue
* Once resolved, try again
– May require additional fixes

39
Q

Endpoint detection and response (EDR)

A

A different method of threat protection
– Scale to meet the increasing number of threats
* Detect a threat
– Signatures aren’t the only detection tool
– Behavioral analysis, machine learning, process monitoring
– Lightweight agent on the endpoint
* Investigate the threat
– Root cause analysis
* Respond to the threat
– Isolate the system, quarantine the threat, rollback to a previous config
– API driven, no user or technician intervention required

40
Q

Extended Detection and Response (XDR)

A

An evolution of EDR
– Improve missed detections, false positives, and long investigation times
– Attacks involve more than just the endpoint
* Add network-based detection
– Investigate and respond to network anomalies
* Correlate endpoint, network, and cloud data
– Improve detection rates
– Simplify security event investigations

41
Q

User behavior analytics

A

XDR commonly includes user behavior analytics
– Extend the scope of anomaly detection
* Watch users, hosts, network traffic, data repositories, etc.
– Create a baseline of normal activity
– Requires data analysis over an extended period
* Watch for anything unusual
– Use a set of rules, pattern matching, statistical analysis
* Real-time detection of unusual activity
– Catch the threat early