Chapter 6 - Firewalls Flashcards
What is a pass/deny decision?
A pass/deny decision is one where a packet is either passed through a firewall, or it is denied and dropped. Generally, provable attack packets are dropped on-sight.
What type of packet does a firewall drop and log?
A firewall will always drop and log a proven attack packet.
What does the firewall do about packets that it suspects (but cannot prove) are attack packets?
A firewall passes through packets that are suspected attack packets, if they’re not proven.
Why does the firewall log information about dropped packets?
The firewall logs information about dropped packets so that a firewall administrator can review the log and determine the sort of attacks that are happening.
Distinguish between border firewalls and internal firewalls.
A border firewall separates a corporate entity’s network from the extranet. An internal network filters traffic between various parts of the internal network.
Distinguish between ingress and egress filtering.
Ingress filtering examines packets heading into the network, egress filtering examines packets leaving the network.
What does a firewall do if it cannot keep up with the traffic volume? Why is this action good/bad?
When a firewall cannot keep up with network volume, it drops ALL packets. Better safe than sorry, but it unfortunately provides a self-DoS attack.
Why is it that a firewall can keep up with traffic in general but fail to do so during a major attack?
If a firewall cannot filter traffic at the wire speed (the maximum speed of the lines that connect to it), the massively increased traffic of the attack may lead to the firewall dropping all packets.
As processing power increases in the future, what will this mean for firewall filtering?
As processing power increases, firewalls will begin to be able to respond to much more complex and subtle attacks.
What is Unified Threat Management (UTM)?
Unified Threat Management is a function a firewall can fulfill, where it not only filters packets, but acts as an antivirus as well as a spam filter.
What does it mean that a firewall should operate at wire speed?
To operate at wire speed means that the firewall is capable of handling the full speed of the lines that are connected to it.
What are the main mechanisms of firewall filtering?
There are six mechanisms for firewall filtering:
- Stateful Packet Inspection
- Static Packet Filtering
- Network Address Translation
- Application Proxy Filtering
- Intrusion Prevention System Filtering
- Antivirus Filtering
What filtering mechanisms do almost all main border firewalls use?
Almost all main border firewalls use Stateful Packet Inspection (SPI) as their primary inspection mechanism. However, they use other methods as secondary filtering mechanisms.
What are the two limitations of static packet filtering? Explain why each is bad.
Static packet filtering has two main limitations, that it cannot look at more than one packet at a time, so it misses the “scope” of larger threats, and it can only look at specific fields in the Internet and Transport headers, so it cannot stop attacks that require filtering of application messages, etc.
In what two secondary ways do corporations sometimes use static packet filtering?
Corporations sometimes use static packet filtering in border routers, as a way to relieve firewalls of some of the stress of high-volume but simple incoming attacks, as well as preventing probe replies from leaving.
Corporations also use static packet filtering as a secondary filtering mechanism due to its ability to stop specific attacks that would be more expensive to stop in another way.
What is a state?
A state is a distinct phase in a connection between two applications.
Are most packets part of the connection-opening state or the ongoing communication state? Why is this important for stateful packet inspection’s efficiency?
Most packets are part of the ongoing communication state. This is important because it allows for more complex investigation to be performed ONLY on connection-opening packets, which saves a considerable amount of resources.
What is a connection?
A connection is a link between two programs on different machines.
How is a connection between two programs on different computers represented?
A connection between two computers is represented by the addresses between the two sockets (an IP address, with a colon, followed by a port number).
Give the stateful packet inspection firewall rule for packets that do not attempt to open connections.
For a packet that is not opening a connection, a stateful packet inspection firewall will determine if the packet is part of an existing conversation. If it is, it is passed. If not, it is dropped.
Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain.
SPI filtering for packets that are part of an ongoing communications is simple and insexpensive. The packet’s “to” and “from” are compared against the connections table, and is allowed if there is a match. Done.
UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?
UDP is handled by SPI by treating the incoming messages as connection-opening, the outgoing as not, create a table entry, and then pass packets matching that connection.
What are the two simple default SPI firewall rules for packets that attempt to open connections?
Opening attempts coming from an internal host are allowed by default. Opening attempts coming from an external host are denied by default.
For stateful packet inspection firewalls, what do ingress ACLs permit in general?
Ingress ACLs permit access from specific externally originated connections.
What do egress ACLs disallow in general in SPI firewalls?
Egress ACLs disallow access to specific internal connections to outside hosts.
What do well-known port numbers designate?
Well-known port numbers designate specific applications running on a server.
In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that attempts to open a connection.
Yes, an SPI firewall ALWAYS considers its ACL rules.
In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that does not attempt to open a connection?
No, the firewall does not need ACL filtering as there is no access attempts being made.
Why are stateful packet inspection firewalls inexpensive?
Stateful packet inspection firewalls are inexpensive because the majority of the complex tasks are required only for connection-opening packets, which are a nearly-insignificant percentage of all packets. The rest are easy.
In practice, are SPI firewalls fairly safe?
Yes, stateful packet inspection firewalls are generally safe, due to the fact that with the exception of application-layer attacks, attacks rely on connection-opening packets.
Are SPI firewalls limited to SPI filtering?
SPI firewalls are not limited to SPI filtering, additional functionality can be added.
When NAT is used, why can sniffers not learn anything about the internal IP addresses of internal hosts?
When an internal host sends a packet out, it passes through the NAT firewall, which then replaces the original IP and port numbers with external IP addresses and stand-in port numbers. These are useless to attack with.
Why does NAT stop scanning probes?
NAT stops scanning probes because the IP addresses and port numbers won’t be on the translation table of the NAT firewall, and will cause the probes to be automatically rejected.
Why is NAT transversal necessary? Is it easy to select?
NAT transversal is necessary because not all protocols work with NAT. It is not easy to select, because the methods are generally complex.
What distinguishes an application proxy firewall from static packet filtering firewalls and SPI firewalls?
An application proxy firewall sets itself up between the web browser and the server via an HTTP connection, acting as a browser to the server and a server to the browser. It’s a technological “food taster”, examining the application message (combining it if fragmented), and inspecting the content of that message.
Distinguish between proxy programs and application proxy firewalls.
An application proxy is a program that runs within the firewall. Each application proxy is program-specific in its relaying, so it can speak to only one type of application. An application proxy firewall will likely have an HTTP and an SMTP application proxy.
If you will need to filter four different types of programs, how many proxy programs will you need?
For four different types of applications, you’ll need four different proxy programs.
How many application proxy firewalls will you need, at a minimum?
You will need two application proxy firewalls, one to guard internal servers from external clients, and another to guard internal clients from external servers.
Can nearly all applications be proxied?
The other way around, most applications cannot be proxied.
Why is application proxy firewall operation processing-intensive?
Application proxy firewall operation is processing-intensive because the firewall needs to maintain two connections for each client/server pair.
Why do firms not use application proxy firewalls as main border firewalls?
Firms don’t use application proxy firewalls as their main border firewalls because of the prohibitive cost of the processing burden.
What are the two main roles of application proxy server firewalls today?
The main roles of application proxy server firewalls are to guard internal servers from external clients, and to guard internal clients from external servers.
Do stateful packet inspection firewalls automatically do application content filtering?
Stateful packet inspection firewalls do not automatically filter application content, but they can be configured to do so.
Do stateful packet inspection firewalls have the slow speed of relay operation?
Since stateful packet inspection firewalls do not have to implement relay operation, they do not suffer from that slowdown.
What three advantages do application proxy firewalls have in protection that SPI firewalls with content inspection do not?
Application proxy firewalls do three things that SPI firewalls with content inspection do not: They hide internal IP addresses, have header destruction, and protocol fidelity.
Why are SPI content filtering firewalls faster than application proxy firewalls?
SPI content filtering firewalls are faster than application proxy firewalls because they do not have to implement relay operation.
What filtering actions protect clients from malicious webservers with an application proxy firewall?
There are three actions that can be taken by application proxy firewalls to protect internal clients:
- The proxy can inspect the URL and compare to a black-list of URLs.
- The proxy can inspect scripts in downloaded webpages, dropping any sites that contain apparently malicious scripts.
- The proxy can inspect the MIME type in an HTTP response message, allowing it to determine the file type being downloaded.
What filtering actions prevent against internal client misbehavior in HTTP using an application proxy firewall?
Client misbehavior can be prevented using an application proxy firewall by having the proxy check the outgoing packets, inspecting the method in the URL table. HTTP POST can be used to send files out of the network. In fact, some proxies can be configured to automatically drop such HTTP request messages.
What filtering actions protect webservers from malicious clients with an application proxy firewall?
An application proxy firewall can inspect the method listen in the URL header. The POST method allows clients to upload files, which can be bad.
Additionally, an application proxy firewall can filter out HTTP request messages that appear to contain SQL injection attacks.
What three automatic protections do application proxy firewalls provide simply because of the way in which they operate?
Application proxy firewalls automatically provide three security features:
- Internal IP address hiding: Like NAT, packets that leave the proxy have the proxy’s IP address as their source, instead of the client.
- Header Destruction: When the proxy examines the application layer, it decapsulates it, destroying the original internet and transport headers. Some attacks use these headers, and are automatically thwarted.
- Protocol Fidelity: Often, attacks use port 80 (HTTP) for attacks. Since the proxy will be expecting HTTP, it won’t allow anything but HTTP through on that port.
Distinguish between firewalls and Intrusion Detection Systems (ISD).
A firewall can reject positively-identified attacks, whereas an IDS can only investigate and notify.
Why are IDS alarms often a problem?
IDS alarms are often a problem because they can throw far too many false positives.
What is a false positive?
A false positive is when the IDS detects a supposed attack or intrusion when one isn’t present.
What two types of filtering do IDSs use?
IDSs use two types of filtering, deep packet inspection, and packet stream analysis. Deep packet inspection refers to examining every field in a packet, including all headers. Packet stream inspection filters steams of packets (duh), instead of individuals, looking for a threat pattern.
Why is deep packet inspection important?
Deep packet inspection is important because some attacks cannot be stopped by a firewall that only looks at application content, or at the internet/transport layer headers.
Are IDSs processing-intensive?
Yes, IDSs are processing-intensive, due to the amount of processing power required to run deep packet inspection and packet stream analysis.
Distinguish between IDSs and IPSs.
IDSs, or intrusion detection systems, inspect packets or streams of packets, looking for attacks. IPSs, or intrusion prevention systems, can actually stop said attacks.
Why is the attack identification confidence spectrum important in deciding whether to allow IPSs to stop specific attacks?
The attack identification confidence spectrum is important in determining whether or not IPSs should stop attacks because, like IDSs, IPS can be prone to high numbers of false positives. The attack identification confidence spectrum allows for some refinement on what sort of attacks can be reliably identified.
What are two actions IPSs take when they identify an attack? Which is the most dangerous? The most effective?
IPSs take two common courses of action: dropping packets and limiting traffic. Dropping packets is highly dangerous, traffic limitation is the most effective.
How do firewalls and antivirus servers work together?
Firewalls and antivirus servers work together by having the firewall, when a incoming packet or set of packets meet a policy rule requiring an antivirus scan, pass on the packet or packet set to an antivirus server. The antivirus server will scan it for all manner of threats, and either return it to the firewall to send to the client, or send it directly to the client.
Are antivirus servers limited to just looking for viruses?
No, antivirus servers look for more than just viruses, they look for worms, phishing attempts, rootkits, and more.
What type of firewall does both traditional filtering and antivirus?
A unified threat management firewall, or UTM firewall, handles both antivirus and traditional filtering.
Why are screening routers used in a firewall architecture?
Screening firewalls are used in firewall architecture as a way to filter out simple, high-volume attacks using static packet filtering software, and to prevent responses to external scanning probes from reaching the outside. This eases the burden on the border firewall.
Why are internal firewalls desirable?
Internal firewalls are desirable because at times it is necessary to control who can access what parts of an internal network (ensuring that non-HR clients cannot access the HR server, for example).
Why is it easier to create appropriate access control list rules for server host firewalls than it is for border firewalls?
A border firewall has to manage dozens or hundreds of applications, making for a complex set of rules, whereas a a server host might only manage one or two applications.
What is a multihomed router?
If a router is multihomed, it means that it connects to multiple subnets.
What is a DMZ?
A DMZ, or DeMilitarized Zone, is a subnet that contains all of the servers and application proxy firewalls that must be accessable to the outside world.
Why do companies use DMZs?
Companies use DMZs in order to segregate externally-accessible hosts from internal hosts, allowing for separate access rules for each group.
What three types of hosts are placed in the DMZ?
The three main types of hosts that are placed in the DMZ are:
Public Servers
Application Proxy Firewalls
External DNS Servers (Used to give other hosts in the DMZ host names).
Why do companies put public servers in the DMZ?
Companies put public servers in the DMZ (such as webservers, or FTP servers) to allow for external clients (such as customers) to connect to the network.
Why do companies put application proxy firewalls in the DMZ?
Companies put application proxy firewalls in the DMZ because that’s the entire point of an application proxy firewall, to filter between the outside and an internal client; it is, by definition, in communication with external clients.
Distinguish between firewall policies and ACL rules.
Firewall policies are high-level guidelines established as a part of security planning. These policies are translated into actual ACL rules. Firewall policies are easier to understand, as they tend to be written in “plain English”.
Compare firewall hardening needs for firewall appliances, vendor-provided systems, and firewalls built on general-purpose machines.
Firewall appliances and vendor-provided systems generally need very little in the way of hardening, as their entire purpose is to be secure. General-purpose machines need quite a bit of hardening.
List what centralized firewall management systems do.
At the heart of a centralized firewall management system is the firewall policy management server. Firewall administrators create policies and send them there, select firewalls that the policies should govern, and the central configuration system then sends the needed ACL rules to the individual firewalls.
Why is vulnerability testing necessary?
Vulnerability testing is necessary primarily due to the complexity of writing ACL rules. It’s easy to make mistakes. Vulnerability is basically just double-checking your work.
What are the steps in firewall change management?
The steps in firewall change management are:
- Limit specific people to be able to request changes, and even fewer should be able to approve. One person should never have both roles.
- Implement the change in the way that will admit the least number of packets.
- Document the changes carefully.
- Test the firewall after each change. Then test that all previous changes still work (regression testing).
- Audit the whole process frequently.
Why is reading firewall logs important?
Reading firewall logs is the only way to develop an understanding of current threat environment, and helps detect attacks and vulnerabilities.
What packets are usually logged in log files?
Dropped packets are usually logged in firewall log files.
What cannot be determined if log files cover too short a period of time?
If log files cover too short a period of time, it won’t be possible to detect attacks that are part of a larger, prolonged attack.
Why is it difficult for a log file to cover a long period of time?
It is difficult for log files to cover long periods of time due to the disk capacity that they take up.
What is the advantage of logging all packets passing through a firewall?
The advantage of logging all packets that pass through a firewall is that it allows for deeper questions to be asked about the traffic passing through the firewalls, allowing to see attacks that might have gotten through, etc.
Why is logging all packets problematic?
Logging all packets invariably shortens the period of time the log file covers.
How can companies react to the decline in the effectiveness of border firewall filtering?
Companies can react to the decline in border firewall filtering by hardening internal hosts against attack.
Distinguish between signature detection and anomaly detection.
Signature detection looks for unique signatures (patterns in traffic data) from a pre-defined list in order to detect threats. Anomaly detection looks for changes in traffic patterns that might indicate an attack is under way.
What is a zero-day attack?
A zero-day attack is an attack that occurs before the signature of the attack can be determined and distributed.
Why are zero-day attacks impossible to stop with attack signatures?
Zero-day attacks are impossible to stop with attack signatures because a zero-day attack, by definition, does not have a known signature to be caught by.
What is the promise of anomaly detection?
Anomaly detection promises to detect threats that do not have a predefined signature.
Why is anomaly detection becoming critical for firewalls?
Anomaly detection is becoming critical for firewalls because of the speed at which threats like worms, viruses, and the like spread, there is a weakness in relying on signatures to be spread before an attack hits.
