Chapter 6 - Firewalls Flashcards

1
Q

What is a pass/deny decision?

A

A pass/deny decision is one where a packet is either passed through a firewall, or it is denied and dropped. Generally, provable attack packets are dropped on-sight.

2
Q

What type of packet does a firewall drop and log?

A

A firewall will always drop and log a proven attack packet.

3
Q

What does the firewall do about packets that it suspects (but cannot prove) are attack packets?

A

A firewall passes through packets that are suspected attack packets, if they’re not proven.

4
Q

Why does the firewall log information about dropped packets?

A

The firewall logs information about dropped packets so that a firewall administrator can review the log and determine the sort of attacks that are happening.

5
Q

Distinguish between border firewalls and internal firewalls.

A

A border firewall separates a corporate entity’s network from the extranet. An internal firewall filters traffic between various parts of the internal network.

6
Q

Distinguish between ingress and egress filtering.

A

Ingress filtering examines packets heading into the network, egress filtering examines packets leaving the network.

7
Q

What does a firewall do if it cannot keep up with the traffic volume? Why is this action good/bad?

A

When a firewall cannot keep up with network volume, it drops ALL packets. Better safe than sorry, but it unfortunately provides a self-DoS attack.

8
Q

Why is it that a firewall can keep up with traffic in general but fail to do so during a major attack?

A

If a firewall cannot filter traffic at the wire speed (the maximum speed of the lines that connect to it), the massively increased traffic of the attack may lead to the firewall dropping all packets.

9
Q

As processing power increases in the future, what will this mean for firewall filtering?

A

As processing power increases, firewalls will begin to be able to respond to much more complex and subtle attacks.

10
Q

What is Unified Threat Management (UTM)?

A

Unified Threat Management is a function a firewall can fulfill, where it not only filters packets, but acts as an antivirus as well as a spam filter.

11
Q

What does it mean that a firewall should operate at wire speed?

A

To operate at wire speed means that the firewall is capable of handling the full speed of the lines that are connected to it.

12
Q

What are the main mechanisms of firewall filtering?

A

There are six mechanisms for firewall filtering:

  1. Stateful Packet Inspection
  2. Static Packet Filtering
  3. Network Address Translation
  4. Application Proxy Filtering
  5. Intrusion Prevention System Filtering
  6. Antivirus Filtering

13
Q

What filtering mechanisms do almost all main border firewalls use?

A

Almost all main border firewalls use Stateful Packet Inspection (SPI) as their primary inspection mechanism. However, they use other methods as secondary filtering mechanisms.

14
Q

What are the two limitations of static packet filtering? Explain why each is bad.

A

Static packet filtering has two main limitations. First, it cannot look at more than one packet at a time, so it misses the “scope” of larger threats. Second, it can only look at specific fields in the Internet and Transport headers, so it cannot stop attacks that require filtering of application messages, etc.

15
Q

In what two secondary ways do corporations sometimes use static packet filtering?

A

Corporations sometimes use static packet filtering in border routers, as a way to relieve firewalls of some of the stress of high-volume but simple incoming attacks, as well as preventing probe replies from leaving.
Corporations also use static packet filtering as a secondary filtering mechanism due to its ability to stop specific attacks that would be more expensive to stop in another way.

16
Q

What is a state?

A

A state is a distinct phase in a connection between two applications.

17
Q

Are most packets part of the connection-opening state or the ongoing communication state? Why is this important for stateful packet inspection’s efficiency?

A

Most packets are part of the ongoing communication state. This is important because it allows for more complex investigation to be performed ONLY on connection-opening packets, which saves a considerable amount of resources.

18
Q

What is a connection?

A

A connection is a link between two programs on different machines.

19
Q

How is a connection between two programs on different computers represented?

A

A connection between two programs on different computers is represented by the addresses of the two sockets (each an IP address, followed by a colon, followed by a port number).

20
Q

Give the stateful packet inspection firewall rule for packets that do not attempt to open connections.

A

For a packet that is not opening a connection, a stateful packet inspection firewall will determine if the packet is part of an existing conversation. If it is, it is passed. If not, it is dropped.

21
Q

Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain.

A

SPI filtering for packets that are part of ongoing communications is simple and inexpensive. The packet’s “to” and “from” addresses are compared against the connections table, and the packet is allowed if there is a match. Done.

22
Q

UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?

A

UDP is handled by SPI by treating the incoming messages as connection-opening and the outgoing ones as not, creating a table entry, and then passing packets that match that connection.

23
Q

What are the two simple default SPI firewall rules for packets that attempt to open connections?

A

Opening attempts coming from an internal host are allowed by default. Opening attempts coming from an external host are denied by default.

24
Q

For stateful packet inspection firewalls, what do ingress ACLs permit in general?

A

Ingress ACLs permit access from specific externally originated connections.

25
Q

What do egress ACLs disallow in general in SPI firewalls?

A

Egress ACLs disallow access to specific internal connections to outside hosts.

26
Q

What do well-known port numbers designate?

A

Well-known port numbers designate specific applications running on a server.

27
Q

In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that attempts to open a connection?

A

Yes, an SPI firewall ALWAYS considers its ACL rules.

28
Q

In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that does not attempt to open a connection?

A

No, the firewall does not need ACL filtering, as no access attempt is being made.

29
Q

Why are stateful packet inspection firewalls inexpensive?

A

Stateful packet inspection firewalls are inexpensive because the majority of the complex tasks are required only for connection-opening packets, which are a nearly-insignificant percentage of all packets. The rest are easy.

30
Q

In practice, are SPI firewalls fairly safe?

A

Yes, stateful packet inspection firewalls are generally safe, due to the fact that with the exception of application-layer attacks, attacks rely on connection-opening packets.

31
Q

Are SPI firewalls limited to SPI filtering?

A

SPI firewalls are not limited to SPI filtering; additional functionality can be added.

32
Q

When NAT is used, why can sniffers not learn anything about the internal IP addresses of internal hosts?

A

When an internal host sends a packet out, it passes through the NAT firewall, which then replaces the original IP and port numbers with external IP addresses and stand-in port numbers. These are useless to attack with.

33
Q

Why does NAT stop scanning probes?

A

NAT stops scanning probes because the IP addresses and port numbers won’t be on the translation table of the NAT firewall, and will cause the probes to be automatically rejected.

34
Q

Why is NAT traversal necessary? Is it easy to select?

A

NAT traversal is necessary because not all protocols work with NAT. It is not easy to select, because the methods are generally complex.

35
Q

What distinguishes an application proxy firewall from static packet filtering firewalls and SPI firewalls?

A

An application proxy firewall sets itself up between the web browser and the server via an HTTP connection, acting as a browser to the server and a server to the browser. It’s a technological “food taster”, examining the application message (combining it if fragmented), and inspecting the content of that message.

36
Q

Distinguish between proxy programs and application proxy firewalls.

A

An application proxy is a program that runs within the firewall. Each application proxy is program-specific in its relaying, so it can speak to only one type of application. An application proxy firewall will likely have an HTTP and an SMTP application proxy.

37
Q

If you will need to filter four different types of programs, how many proxy programs will you need?

A

For four different types of applications, you’ll need four different proxy programs.

38
Q

How many application proxy firewalls will you need, at a minimum?

A

You will need two application proxy firewalls, one to guard internal servers from external clients, and another to guard internal clients from external servers.

39
Q

Can nearly all applications be proxied?

A

The other way around, most applications cannot be proxied.

40
Q

Why is application proxy firewall operation processing-intensive?

A

Application proxy firewall operation is processing-intensive because the firewall needs to maintain two connections for each client/server pair.

41
Q

Why do firms not use application proxy firewalls as main border firewalls?

A

Firms don’t use application proxy firewalls as their main border firewalls because of the prohibitive cost of the processing burden.

42
Q

What are the two main roles of application proxy server firewalls today?

A

The main roles of application proxy server firewalls are to guard internal servers from external clients, and to guard internal clients from external servers.

43
Q

Do stateful packet inspection firewalls automatically do application content filtering?

A

Stateful packet inspection firewalls do not automatically filter application content, but they can be configured to do so.

44
Q

Do stateful packet inspection firewalls have the slow speed of relay operation?

A

Since stateful packet inspection firewalls do not have to implement relay operation, they do not suffer from that slowdown.

45
Q

What three advantages do application proxy firewalls have in protection that SPI firewalls with content inspection do not?

A

Application proxy firewalls do three things that SPI firewalls with content inspection do not: they hide internal IP addresses, they destroy headers, and they enforce protocol fidelity.

46
Q

Why are SPI content filtering firewalls faster than application proxy firewalls?

A

SPI content filtering firewalls are faster than application proxy firewalls because they do not have to implement relay operation.

47
Q

What filtering actions protect clients from malicious webservers with an application proxy firewall?

A

There are three actions that can be taken by application proxy firewalls to protect internal clients:

  • The proxy can inspect the URL and compare to a black-list of URLs.
  • The proxy can inspect scripts in downloaded webpages, dropping any sites that contain apparently malicious scripts.
  • The proxy can inspect the MIME type in an HTTP response message, allowing it to determine the file type being downloaded.

48
Q

What filtering actions prevent against internal client misbehavior in HTTP using an application proxy firewall?

A

Client misbehavior can be prevented using an application proxy firewall by having the proxy check the outgoing packets, inspecting the method in the URL table. HTTP POST can be used to send files out of the network. In fact, some proxies can be configured to automatically drop such HTTP request messages.

49
Q

What filtering actions protect webservers from malicious clients with an application proxy firewall?

A

An application proxy firewall can inspect the method listed in the URL header. The POST method allows clients to upload files, which can be bad.
Additionally, an application proxy firewall can filter out HTTP request messages that appear to contain SQL injection attacks.

50
Q

What three automatic protections do application proxy firewalls provide simply because of the way in which they operate?

A

Application proxy firewalls automatically provide three security features:

  • Internal IP address hiding: Like NAT, packets that leave the proxy have the proxy’s IP address as their source, instead of the client.
  • Header Destruction: When the proxy examines the application layer, it decapsulates it, destroying the original internet and transport headers. Some attacks use these headers, and are automatically thwarted.
  • Protocol Fidelity: Often, attacks use port 80 (HTTP) for attacks. Since the proxy will be expecting HTTP, it won’t allow anything but HTTP through on that port.

51
Q

Distinguish between firewalls and Intrusion Detection Systems (IDS).

A

A firewall can reject positively-identified attacks, whereas an IDS can only investigate and notify.

52
Q

Why are IDS alarms often a problem?

A

IDS alarms are often a problem because they can throw far too many false positives.

53
Q

What is a false positive?

A

A false positive is when the IDS detects a supposed attack or intrusion when one isn’t present.

54
Q

What two types of filtering do IDSs use?

A

IDSs use two types of filtering: deep packet inspection and packet stream analysis. Deep packet inspection refers to examining every field in a packet, including all headers. Packet stream analysis filters streams of packets instead of individual packets, looking for a threat pattern.

55
Q

Why is deep packet inspection important?

A

Deep packet inspection is important because some attacks cannot be stopped by a firewall that only looks at application content, or at the internet/transport layer headers.

56
Q

Are IDSs processing-intensive?

A

Yes, IDSs are processing-intensive, due to the amount of processing power required to run deep packet inspection and packet stream analysis.

57
Q

Distinguish between IDSs and IPSs.

A

IDSs, or intrusion detection systems, inspect packets or streams of packets, looking for attacks. IPSs, or intrusion prevention systems, can actually stop said attacks.

58
Q

Why is the attack identification confidence spectrum important in deciding whether to allow IPSs to stop specific attacks?

A

The attack identification confidence spectrum is important in determining whether or not IPSs should stop attacks because, like IDSs, IPS can be prone to high numbers of false positives. The attack identification confidence spectrum allows for some refinement on what sort of attacks can be reliably identified.

59
Q

What are two actions IPSs take when they identify an attack? Which is the most dangerous? The most effective?

A

IPSs take two common courses of action: dropping packets and limiting traffic. Dropping packets is highly dangerous; traffic limitation is the most effective.

60
Q

How do firewalls and antivirus servers work together?

A

Firewalls and antivirus servers work together as follows: when an incoming packet or set of packets meets a policy rule requiring an antivirus scan, the firewall passes the packet or packet set on to an antivirus server. The antivirus server scans it for all manner of threats, and either returns it to the firewall to send to the client, or sends it directly to the client.

61
Q

Are antivirus servers limited to just looking for viruses?

A

No, antivirus servers look for more than just viruses, they look for worms, phishing attempts, rootkits, and more.

62
Q

What type of firewall does both traditional filtering and antivirus?

A

A unified threat management firewall, or UTM firewall, handles both antivirus and traditional filtering.

63
Q

Why are screening routers used in a firewall architecture?

A

Screening routers are used in firewall architecture as a way to filter out simple, high-volume attacks using static packet filtering software, and to prevent responses to external scanning probes from reaching the outside. This eases the burden on the border firewall.

64
Q

Why are internal firewalls desirable?

A

Internal firewalls are desirable because at times it is necessary to control who can access what parts of an internal network (ensuring that non-HR clients cannot access the HR server, for example).

65
Q

Why is it easier to create appropriate access control list rules for server host firewalls than it is for border firewalls?

A

A border firewall has to manage dozens or hundreds of applications, making for a complex set of rules, whereas a server host might only manage one or two applications.

66
Q

What is a multihomed router?

A

If a router is multihomed, it means that it connects to multiple subnets.

67
Q

What is a DMZ?

A

A DMZ, or DeMilitarized Zone, is a subnet that contains all of the servers and application proxy firewalls that must be accessible to the outside world.

68
Q

Why do companies use DMZs?

A

Companies use DMZs in order to segregate externally-accessible hosts from internal hosts, allowing for separate access rules for each group.

69
Q

What three types of hosts are placed in the DMZ?

A

The three main types of hosts that are placed in the DMZ are:

  • Public Servers
  • Application Proxy Firewalls
  • External DNS Servers (used to give other hosts in the DMZ host names)

70
Q

Why do companies put public servers in the DMZ?

A

Companies put public servers in the DMZ (such as webservers, or FTP servers) to allow for external clients (such as customers) to connect to the network.

71
Q

Why do companies put application proxy firewalls in the DMZ?

A

Companies put application proxy firewalls in the DMZ because that’s the entire point of an application proxy firewall, to filter between the outside and an internal client; it is, by definition, in communication with external clients.

72
Q

Distinguish between firewall policies and ACL rules.

A

Firewall policies are high-level guidelines established as a part of security planning. These policies are translated into actual ACL rules. Firewall policies are easier to understand, as they tend to be written in “plain English”.

73
Q

Compare firewall hardening needs for firewall appliances, vendor-provided systems, and firewalls built on general-purpose machines.

A

Firewall appliances and vendor-provided systems generally need very little in the way of hardening, as their entire purpose is to be secure. General-purpose machines need quite a bit of hardening.

74
Q

List what centralized firewall management systems do.

A

At the heart of a centralized firewall management system is the firewall policy management server. Firewall administrators create policies and send them there, select firewalls that the policies should govern, and the central configuration system then sends the needed ACL rules to the individual firewalls.

75
Q

Why is vulnerability testing necessary?

A

Vulnerability testing is necessary primarily due to the complexity of writing ACL rules. It’s easy to make mistakes. Vulnerability testing is basically just double-checking your work.

76
Q

What are the steps in firewall change management?

A

The steps in firewall change management are:

  1. Limit specific people to be able to request changes, and even fewer should be able to approve. One person should never have both roles.
  2. Implement the change in the way that will admit the least number of packets.
  3. Document the changes carefully.
  4. Test the firewall after each change. Then test that all previous changes still work (regression testing).
  5. Audit the whole process frequently.

77
Q

Why is reading firewall logs important?

A

Reading firewall logs is the only way to develop an understanding of the current threat environment, and it helps detect attacks and vulnerabilities.

78
Q

What packets are usually logged in log files?

A

Dropped packets are usually logged in firewall log files.

79
Q

What cannot be determined if log files cover too short a period of time?

A

If log files cover too short a period of time, it won’t be possible to detect attacks that are part of a larger, prolonged attack.

80
Q

Why is it difficult for a log file to cover a long period of time?

A

It is difficult for log files to cover long periods of time due to the disk capacity that they take up.

81
Q

What is the advantage of logging all packets passing through a firewall?

A

The advantage of logging all packets that pass through a firewall is that it allows deeper questions to be asked about the traffic passing through the firewalls, allowing you to see attacks that might have gotten through, etc.

82
Q

Why is logging all packets problematic?

A

Logging all packets invariably shortens the period of time the log file covers.

83
Q

How can companies react to the decline in the effectiveness of border firewall filtering?

A

Companies can react to the decline in border firewall filtering by hardening internal hosts against attack.

84
Q

Distinguish between signature detection and anomaly detection.

A

Signature detection looks for unique signatures (patterns in traffic data) from a pre-defined list in order to detect threats. Anomaly detection looks for changes in traffic patterns that might indicate an attack is under way.

85
Q

What is a zero-day attack?

A

A zero-day attack is an attack that occurs before the signature of the attack can be determined and distributed.

86
Q

Why are zero-day attacks impossible to stop with attack signatures?

A

Zero-day attacks are impossible to stop with attack signatures because a zero-day attack, by definition, does not have a known signature to be caught by.

87
Q

What is the promise of anomaly detection?

A

Anomaly detection promises to detect threats that do not have a predefined signature.

88
Q

Why is anomaly detection becoming critical for firewalls?

A

Anomaly detection is becoming critical for firewalls because of the speed at which threats like worms, viruses, and the like spread; relying on signatures being distributed before an attack hits is a weakness.