Chapter_6 Flashcards
Firewall
A combination of hardware and software that isolates an internal network from the larger Internet,
allowing some packets to pass and blocking others.
Firewall Locations in the Network
Between internal LAN and external network
At the gateways of sensitive subnetworks
within the organizational LAN
On end-user machines
Firewalls: Why?
Prevent denial of service attacks, e.g., SYN flooding
Prevent illegal access to internal data
Allow only authorized access to inside network
Firewalls: Philosophies
1. Block all dangerous destinations
or
2. Block everything; unblock things known to
be both safe and necessary
Option 1: gets you into an arms race with the
attackers; you have to know everything that is
dangerous, in all parts of your network
Option 2: is much safer
Firewalls: Types
Filtering firewalls
Proxy firewalls
Packet Filtering
Packet filtering operates by sequentially
checking filtering rules against the datagram being inspected; the first rule matching the datagram determines the action taken
Packet Filtering Advantages:
Simplicity
Transparency to users
High speed
Packet Filtering Disadvantages:
Difficulty of setting up packet filter rules
Lack of authentication
Possible attacks and appropriate
countermeasures
IP address spoofing: Intruder attempts to gain access by altering a packet’s IP address
Countermeasure: discard packets with an inside source address if the packet arrives on an external interface
Source routing attacks: source station specifies the route that a packet should take as it crosses the Internet, to bypass security
measures
Countermeasure: discard all packets that use this option
Tiny fragment attacks: intruder uses IP fragmentation to
force the TCP header information into a separate packet fragment.
This attack is designed to circumvent filtering rules that depend on
TCP header information (the first fragment carries only the ports, so the flags
the filter wants to check land in the second fragment).
Countermeasure: discard all packets where the protocol type is TCP
and the IP Fragment Offset is equal to 1 (an offset of 1 means the first
fragment held just 8 bytes of TCP header, too few to contain the flags)
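The following is an added example, not part of the original flashcards, showing a first-match packet filter together with the three countermeasures listed above. The packet and rule models, the internal address range 10.0.0.0/8, and the rule set (inbound SMTP to one mail server, anything outbound, default deny) are all constructed for illustration. The RFC 1858 reference for the offset-1 check is real; everything else is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet model: just the header fields a stateless filter inspects.
@dataclass
class Packet:
    iface: str                   # interface of arrival: "ext" (Internet) or "int" (LAN)
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None  # transport source port (None when not in this fragment)
    dport: Optional[int] = None  # transport destination port
    frag_offset: int = 0         # IP Fragment Offset field, in 8-byte units
    source_routed: bool = False  # IP loose/strict source-route option present

# Assumed internal address space protected by the filter.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # None means "any" for this and every field below
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, e.g. "0.0.0.0/0"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True

def header_sanity_checks(p: Packet) -> Optional[str]:
    """Countermeasures from the text, applied before the rule list.
    Returns a drop reason, or None if the packet may go on to the rules."""
    # IP address spoofing: an inside source address must never arrive from outside.
    if p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "inside source address on external interface"
    # Source routing: the option lets the sender dictate the path, so drop it outright.
    if p.source_routed:
        return "source routing option set"
    # Tiny fragment attack (RFC 1858): a TCP fragment at offset 1 means the first
    # fragment held only 8 bytes of TCP header, so the flags sit in this fragment
    # where a header-based rule cannot evaluate them together with the ports.
    if p.proto == "tcp" and p.frag_offset == 1:
        return "TCP fragment with offset 1"
    return None

def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation: the first rule matching the packet decides."""
    reason = header_sanity_checks(p)
    if reason is not None:
        return ("deny", reason)
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return (rule.action, f"rule {i}")
    return ("deny", "default deny (no rule matched)")

# Constructed rule set: inbound mail to one server, anything outbound, deny the rest.
RULES = [
    Rule("allow", iface="ext", proto="tcp", dst="10.0.1.25/32", dport=25),
    Rule("allow", iface="int", src="10.0.0.0/8"),
]

if __name__ == "__main__":
    samples = [
        Packet("ext", "198.51.100.7", "10.0.1.25", "tcp", 40001, 25),
        Packet("ext", "198.51.100.7", "10.0.1.25", "tcp", 40002, 22),
        Packet("ext", "10.0.5.5", "10.0.1.25", "tcp", 40003, 25),
        Packet("ext", "198.51.100.7", "10.0.1.25", "tcp", 40004, 25, source_routed=True),
        Packet("ext", "198.51.100.7", "10.0.1.25", "tcp", frag_offset=1),
        Packet("int", "10.0.2.9", "93.184.216.34", "tcp", 51000, 443),
    ]
    for p in samples:
        print(p.iface, p.src, "->", p.dst, p.proto, p.dport, filter_packet(RULES, p))
```

The sanity checks run before the rule list on purpose: they encode properties that no legitimate packet should have on that interface, so they never need to be repeated per rule, and a later "allow" rule cannot accidentally admit a spoofed or fragmented probe.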
Session (Stateful) Packet Filtering
Track status of every TCP connection
Track connection setup (SYN), teardown (FIN): can
determine whether incoming, outgoing packets “makes sense”
Timeout inactive connections at firewall: no longer admit
packets
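An added example, not from the original flashcards, of the connection tracking just described: a table keyed by the connection's addresses and ports, created only by an outbound SYN, advanced by the SYN-ACK and ACK of the handshake, torn down on FIN/RST, and expired after an idle timeout. The segment model, the 300-second timeout and the traffic in run_scenario are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed TCP segment model: the fields a stateful filter needs.
@dataclass
class TcpSegment:
    direction: str      # "out": internal host -> Internet, "in": Internet -> internal host
    src: str
    sport: int
    dst: str
    dport: int
    ts: float           # arrival time in seconds
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False

# Connection key normalised to (internal ip, internal port, external ip, external port).
ConnKey = Tuple[str, int, str, int]

class StatefulFilter:
    """Admits inbound TCP only for connections an internal host opened, tracks
    setup (SYN / SYN-ACK / ACK) and teardown (FIN, RST), and forgets connections
    that have been idle longer than idle_timeout."""

    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout
        self.table: Dict[ConnKey, dict] = {}

    @staticmethod
    def _key(seg: TcpSegment) -> ConnKey:
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self.table.items() if now - e["last"] > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, seg: TcpSegment) -> str:
        self._expire(seg.ts)
        key = self._key(seg)
        entry = self.table.get(key)

        if entry is None:
            # Only an outbound SYN (without ACK) may create state. Everything else,
            # including an inbound bare ACK (an "ACK scan" that fools a stateless
            # filter admitting packets with the ACK bit set), is refused.
            if seg.direction == "out" and seg.syn and not seg.ack:
                self.table[key] = {"state": "SYN_SENT", "last": seg.ts, "fins": set()}
                return "allow"
            return "deny"

        entry["last"] = seg.ts
        state = entry["state"]

        if seg.rst:                       # either side aborts: pass it, forget the connection
            del self.table[key]
            return "allow"

        if state == "SYN_SENT":
            if seg.direction == "in" and seg.syn and seg.ack:
                entry["state"] = "SYN_ACK_SEEN"
                return "allow"
            if seg.direction == "out" and seg.syn and not seg.ack:
                return "allow"            # SYN retransmission
            return "deny"                 # nothing else makes sense yet

        if state == "SYN_ACK_SEEN":
            if seg.direction == "out" and seg.ack and not seg.syn:
                entry["state"] = "ESTABLISHED"
                return "allow"
            if seg.direction == "in" and seg.syn and seg.ack:
                return "allow"            # SYN-ACK retransmission
            return "deny"

        # ESTABLISHED: data flows both ways; record FINs and drop the entry once
        # both sides have closed and the final ACK has passed.
        if seg.fin:
            entry["fins"].add(seg.direction)
        elif len(entry["fins"]) == 2 and seg.ack:
            del self.table[key]
        return "allow"

def run_scenario(idle_timeout: float = 300.0) -> List[str]:
    """Constructed traffic: one normal outbound HTTPS connection, then probes."""
    fw = StatefulFilter(idle_timeout)
    segs = [
        TcpSegment("out", "10.0.2.9", 51000, "93.184.216.34", 443, 0.0, syn=True),
        TcpSegment("in", "93.184.216.34", 443, "10.0.2.9", 51000, 0.1, syn=True, ack=True),
        TcpSegment("out", "10.0.2.9", 51000, "93.184.216.34", 443, 0.2, ack=True),
        TcpSegment("in", "93.184.216.34", 443, "10.0.2.9", 51000, 1.0, ack=True),     # data
        TcpSegment("in", "198.51.100.7", 40000, "10.0.2.9", 22, 2.0, syn=True),       # unsolicited SYN
        TcpSegment("in", "198.51.100.7", 40001, "10.0.2.9", 51000, 2.5, ack=True),    # ACK-scan probe
        TcpSegment("in", "93.184.216.34", 443, "10.0.2.9", 51000, 1000.0, ack=True),  # after idle timeout
    ]
    return [fw.process(s) for s in segs]

if __name__ == "__main__":
    print(run_scenario())   # ['allow', 'allow', 'allow', 'allow', 'deny', 'deny', 'deny']
```

The last segment of the scenario is the timeout case from the card: the connection was legitimate, but nothing has been seen on it for longer than the idle timeout, so the entry is gone and the inbound segment is refused exactly like an unsolicited one.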
Proxy Firewalls
Packet-level filtering only lets an organization perform coarse-grained filtering on IP/TCP/UDP headers (IP addresses, port numbers, acknowledgment bits); it cannot see the application data a connection carries
Proxy Firewalls Application level
Filters packets on application data as well as on IP/TCP/UDP fields
Example: allow select internal users to telnet outside
(Figure: host-to-gateway telnet session, gateway-to-remote host telnet session, application gateway, router and filter)
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to destination host. Gateway relays data between two connections
3. Router filter blocks all telnet connections not originating from gateway
Proxy Firewalls Application level
Advantages:
Higher security than packet filters
Only need to scrutinize a few allowable applications
Easy to log and audit all incoming traffic
Disadvantages:
Additional processing overhead on each connection (2
spliced connections b/w the end users, gateway as splice
point)
Circuit-level Gateway
Typical use is a situation in which the system
administrator trusts the internal users
An example is the SOCKS package
Bastion Host
Bastion host is a hardened system implementing
application-level gateway behind packet filter
All non-essential services are turned off
Application-specific proxies for supported services
• Each proxy supports only a subset of the application's commands, is logged
and audited, has restricted disk access, and runs as a non-privileged user in a
separate directory (independent of the others)
Support for user authentication
All traffic flows through bastion host
Packet router allows external packets to enter only if their
destination is bastion host, and internal packets to leave
only if their origin is bastion host
Limitations of Firewalls and Gateways
IP spoofing: router can’t know if data “really” comes
from claimed source
If multiple applications need special treatment, each
has own application gateway
Client software must know how to contact gateway
E.g., must set IP address of proxy in Web browser
Filters often use all or nothing policy for UDP
Firewalls can and cannot
Firewalls can:
Restrict incoming and outgoing traffic by IP address, ports, or users
Block invalid packets
Firewalls cannot protect against:
Traffic that does not cross them (routing around the firewall)
Internal traffic
Attacks that exploit a misconfiguration
70% of all attacks come from inside the firewall
VPN (Virtual Private Network)
Securely and privately connect two or more
remote sites of an organization as if on a LAN
Authenticate users
Encrypt packets sent over the Internet, “VPN
Tunnel”
IPSec (IP layer encryption)
Secure Sockets Layer /TLS
OpenVPN, an open-source VPN. It is a variation
of SSL/TLS-based VPN that is capable of running over
UDP
Intrusion Detection Systems
Intrusion:
A successful attack
Intruders attempt to bypass the security mechanisms
of computer systems or network infrastructures and
violate security properties: confidentiality, integrity, or
availability.
Three types:
System scanning
Denial of service (DoS)
System penetration
Intrusion detection:
The process of identifying and responding to intrusion
activities
The process of monitoring the events occurring in a
computer system or network infrastructures and
analyzing them for signs of intrusions
Challenges to IDS
The challenge to current IDSes is how to
maximize accurate alerts.
False negative: IDS fails to identify an
intrusion attempt
False positive: IDS incorrectly identifies an
innocuous event as an intrusion
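An added example, not part of the original flashcards, that makes the false positive / false negative trade-off concrete for the "system scanning" intrusion type: a simple port-scan detector run over a constructed connection log, scored against constructed ground-truth labels. The log, the labels, the 10-second window and the 5-port threshold are all assumptions of this example, chosen so that one tuning misses a slow scanner (false negative) and flags a legitimate monitoring host (false positive).

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed connection log: (timestamp_s, src_ip, dst_ip, dst_port). Four sources:
#   203.0.113.9   fast scanner: six ports on one host within two seconds
#   198.51.100.4  slow scanner: six ports, one every twelve seconds
#   10.0.0.7      internal monitoring host: polls five service ports in a burst
#   10.0.0.5      ordinary client: web traffic only
LOG: List[Tuple[float, str, str, int]] = (
    [(0.0 + 0.3 * i, "203.0.113.9", "10.0.0.10", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [(5.0 + 12.0 * i, "198.51.100.4", "10.0.0.10", p) for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [(30.0 + 0.2 * i, "10.0.0.7", "10.0.0.10", p) for i, p in enumerate([22, 25, 80, 443, 3306])]
    + [(40.0, "10.0.0.5", "10.0.0.10", 443), (41.0, "10.0.0.5", "10.0.0.10", 80), (55.0, "10.0.0.5", "10.0.0.10", 443)]
)

# Constructed ground truth used to score the detector: True means "this source is an intruder".
LABELS: Dict[str, bool] = {"203.0.113.9": True, "198.51.100.4": True, "10.0.0.7": False, "10.0.0.5": False}

def detect_scans(log, window: float = 10.0, threshold: int = 5) -> Set[str]:
    """Alert on a source that touches at least `threshold` distinct ports on one
    destination within any `window` seconds (sliding window per (src, dst) pair)."""
    alerts: Set[str] = set()
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, dport in log:
        by_pair[(src, dst)].append((ts, dport))
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window: Counter = Counter()   # port -> occurrences inside the current window
        left = 0
        for ts, port in events:
            in_window[port] += 1
            while ts - events[left][0] > window:        # slide the left edge forward
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= threshold:
                alerts.add(src)
                break
    return alerts

def score(alerts: Set[str], labels: Dict[str, bool]) -> Dict[str, int]:
    """Count true/false positives and negatives against the ground truth."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for src, is_intruder in labels.items():
        alerted = src in alerts
        if alerted and is_intruder:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1
        elif is_intruder:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts

if __name__ == "__main__":
    for window in (10.0, 60.0):
        alerts = detect_scans(LOG, window=window)
        print(f"window={window:>4}s alerts={sorted(alerts)} {score(alerts, LABELS)}")
```

With the 10-second window the detector catches the fast scanner but misses the slow one (a false negative) and flags the monitoring host (a false positive); widening the window to 60 seconds removes the false negative but the monitoring host is still flagged, which is why such a rule is usually paired with an allow-list of known scanners rather than tuned on thresholds alone.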
IDS vs Firewall
Firewall:
A system that enforces an access control policy
between two networks.
As a fence around a system, a firewall has a couple
of well-chosen gates.
A fence has no capability of detecting intrusions
IDS:
recognizes intrusions and answers: When?
Where? What? Who? How?
An IDS complements a firewall and double-checks a misconfigured firewall