Chapter 6 - Firewalls Flashcards
What is a pass/deny decision?
A pass/deny decision is one where a packet is either passed through a firewall, or it is denied and dropped. Generally, provable attack packets are dropped on sight.
What type of packet does a firewall drop and log?
A firewall will always drop and log a proven attack packet.
What does the firewall do about packets that it suspects (but cannot prove) are attack packets?
A firewall passes through packets that are suspected attack packets, if they’re not proven.
Why does the firewall log information about dropped packets?
The firewall logs information about dropped packets so that a firewall administrator can review the log and determine the sort of attacks that are happening.
Distinguish between border firewalls and internal firewalls.
A border firewall separates a corporate entity’s network from the extranet. An internal firewall filters traffic between various parts of the internal network.
Distinguish between ingress and egress filtering.
Ingress filtering examines packets heading into the network; egress filtering examines packets leaving the network.
What does a firewall do if it cannot keep up with the traffic volume? Why is this action good/bad?
When a firewall cannot keep up with network volume, it drops ALL packets. Better safe than sorry, but it unfortunately amounts to a self-inflicted DoS attack.
Why is it that a firewall can keep up with traffic in general but fail to do so during a major attack?
If a firewall cannot filter traffic at the wire speed (the maximum speed of the lines that connect to it), the massively increased traffic of the attack may lead to the firewall dropping all packets.
As processing power increases in the future, what will this mean for firewall filtering?
As processing power increases, firewalls will begin to be able to respond to much more complex and subtle attacks.
What is Unified Threat Management (UTM)?
Unified Threat Management is a function a firewall can fulfill, where it not only filters packets, but acts as an antivirus as well as a spam filter.
What does it mean that a firewall should operate at wire speed?
To operate at wire speed means that the firewall is capable of handling the full speed of the lines that are connected to it.
What are the main mechanisms of firewall filtering?
There are six mechanisms for firewall filtering:
- Stateful Packet Inspection
- Static Packet Filtering
- Network Address Translation
- Application Proxy Filtering
- Intrusion Prevention System Filtering
- Antivirus Filtering
What filtering mechanisms do almost all main border firewalls use?
Almost all main border firewalls use Stateful Packet Inspection (SPI) as their primary inspection mechanism. However, they use other methods as secondary filtering mechanisms.
What are the two limitations of static packet filtering? Explain why each is bad.
Static packet filtering has two main limitations. First, it cannot look at more than one packet at a time, so it misses the “scope” of larger threats. Second, it can only look at specific fields in the Internet and Transport headers, so it cannot stop attacks that require filtering of application messages, etc.
In what two secondary ways do corporations sometimes use static packet filtering?
Corporations sometimes use static packet filtering in border routers, as a way to relieve firewalls of some of the stress of high-volume but simple incoming attacks, as well as preventing probe replies from leaving.
Corporations also use static packet filtering as a secondary filtering mechanism due to its ability to stop specific attacks that would be more expensive to stop in another way.
What is a state?
A state is a distinct phase in a connection between two applications.
Are most packets part of the connection-opening state or the ongoing communication state? Why is this important for stateful packet inspection’s efficiency?
Most packets are part of the ongoing communication state. This is important because it allows for more complex investigation to be performed ONLY on connection-opening packets, which saves a considerable amount of resources.
What is a connection?
A connection is a link between two programs on different machines.
How is a connection between two programs on different computers represented?
A connection between two computers is represented by the two socket addresses (each an IP address, followed by a colon, followed by a port number).
Give the stateful packet inspection firewall rule for packets that do not attempt to open connections.
For a packet that is not opening a connection, a stateful packet inspection firewall will determine if the packet is part of an existing conversation. If it is, it is passed. If not, it is dropped.
Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain.
SPI filtering for packets that are part of an ongoing communication is simple and inexpensive. The packet’s “to” and “from” addresses are compared against the connections table, and the packet is allowed if there is a match. Done.
UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?
SPI handles UDP by treating incoming messages as connection-opening and outgoing messages as not, creating a table entry, and then passing packets that match that connection.
What are the two simple default SPI firewall rules for packets that attempt to open connections?
Opening attempts coming from an internal host are allowed by default. Opening attempts coming from an external host are denied by default.
For stateful packet inspection firewalls, what do ingress ACLs permit in general?
Ingress ACLs permit access from specific externally originated connections.