Exam Prep Flashcards
Where to place ACLs?
Standard: as close to destination as possible.
Extended: as close to source as possible.
Which layers do packet filter and stateful firewalls operate at?
Packet filter: layers 3 and 4
Stateful: layers 3, 4 and 5
Discuss reflexive ACLs
Allows IP traffic from sessions originating inside the network while blocking outside traffic from coming in.
Router examines the outbound traffic and creates a temporary ACL entry to allow the return traffic.
Discuss dynamic ACLs
Authenticates a user and permits that user and their associated traffic through the firewall.
Discuss common firewall properties
- must be resistant to attacks
- must be the only transit point between networks
- enforces access policy of the organisation
Discuss the protective measures of a firewall
- exposure of sensitive hosts and applications
- exposure of protocol flaws
- malicious data
Discuss limitations of a firewall
- misconfiguration can be deadly
- end-user activity can be restricted by policies
Discuss firewall design practice
- position firewall at key security boundaries with different trust levels
- should be primary security device
- Deny all traffic by default
- Implement various firewall technologies (defence in depth, DiD)
Stateful vs stateless
Stateless: ACLs filter traffic based on source and destination IP, TCP and UDP port numbers, TCP flags, ICMP types/codes.
Stateful: inspection remembers the state of requests, stores them in a session table, tracking each connection. It detects when applications need more traffic streams and dynamically allows them. Monitors the state of connections (initiating, data transfer or terminated).
Disadvantages of packet filtering firewalls
- can be complex to configure
- can't prevent ARP-layer attacks
- susceptible to TCP/IP protocol attacks
Advantages of packet filtering firewalls
- they process packets very fast
- they easily match on most criteria. Layer 3 and 4 headers provide a lot of flexibility in implementing policies.
Uses for packet filtering firewalls
- typically implemented on a perimeter router as a first line of defence
- when security policies can be fulfilled using packet filters alone
Stateful firewalls
- tracks every connection traversing all interfaces and confirms they are valid
- examines info in the headers of layer 3 packets and layer 4 segments, e.g. TCP flags.
- state table contains source and destination addresses, port numbers, UDP connection info and TCP sequence numbers
Improvements of stateful over packet filter firewalls
- maintains session table
- recognises dynamic apps that need extra connections or access through the firewall
Zone-based firewalls
- stateful inspection
- app inspection
- URL filtering
- per-policy parameters
- transparent firewall
- virtual routing and forwarding (VRF) aware
Zone types
Public-DMZ
DMZ-private
Private-DMZ
Private-public
Benefits of zone based
- not dependent on ACLs
- blocks unless explicitly allowed
- policies easier to configure and troubleshoot
- one policy affects all traffic in that zone, no need for multiple ACLs
Actions of ZPF
Inspect: automatically allows return traffic and ICMP messages. Handles proper establishment of data sessions.
Pass: like permit in an ACL. Doesn't track the state of sessions. Only allows traffic in one direction; a corresponding policy must be applied in the opposite direction to allow two-way traffic.
Drop: like deny in an ACL. Log option available.
IPS/IDS signature types.
Atomic: one packet required
Composite: many packets required
Atomic signatures
- examines single packets for ICMP, TCP, UDP
- doesn't require any knowledge of previous or future packets
- IDS vulnerable …, IPS not.
Composite signature
- requires multiple packets to match before an alarm is triggered; must maintain state info.
- sensor detects a packet that matches, then monitors subsequent packets.
IDS vs IPS
IDS: passive, promiscuous.
IPS: active, inline (adds latency, possible packet loss, etc.)
Five steps of setting up a GRE tunnel.
- create tunnel interface
- assign tunnel IP
- identify source
- identify destination
- (optional) identify the protocol to be encapsulated
Authentication header
- doesn’t provide confidentiality (encryption).
- only ensures the origin of data and verifies that data has not been modified in transit.
- if used alone provides weak protection
- can have problems with NAT
Encapsulating security payload (esp)
- same as AH but provides encryption
- payload encrypted then hashed.
VPN transport/tunnel mode
Transport:
- security provided for layer 4 and above only.
- ESP transport mode used between hosts.
- works well with GRE: GRE hides the addresses of the end hosts.
Tunnel mode:
- provides security for whole IP packet
- ESP tunnel mode used in remote access and site to site
- IP packet encrypted and encapsulated in another IP packet (IP-in-IP encryption).
IKE
- Helps IPsec securely exchange keys
- combines ISAKMP and Oakley protocols
- IKE/ISAKMP terms often used interchangeably.
IKE phases
Phase 1:
- Negotiates IKE protocol suite
- Exchanges keying material to protect DH sessions.
- Peers authenticate each other
- Establishes IKE SA
Phase 2:
- Negotiates IPSEC parameters.
- Establishes IPSEC SAs
- Periodically negotiates SAs to ensure security
- Optionally performs additional DH exchange
Services of IPsec
Confidentiality: provides encryption to prevent data being read
Integrity: hashes/checksums
Authentication:
- usernames and passwords
- one time passwords
- pre shared keys
- digital certificates
Anti-replay protection
Verifies each packet is unique and not a duplicate. Packets are protected by comparing the sequence numbers. Late or duplicate packets are dropped.
Application layer gateway firewalls
Firewalls which dynamically monitor application layer protocols and dynamically allow them through the firewall, for the duration of the session only.
Steps in hacking
- reconnaissance
- social engineering
- privilege escalation
- back doors
Providing secure access to a router
Establish dedicated management work station
Encryption of all data
Packet filter
Securing a router from attacks
- physical security - locks, authentication
- router hardening - services ports etc
- os security - max ram, latest stable os, secure copy as a backup
Access rule criteria of firewalls. Name and describe four
- rules based on service control: determine the type of services and access
- rules based on direction control: e.g. HTTP outbound but not inbound
- rules based on user control: restrictions on users inside the firewall or external VPN users
- rules based on behaviour control: controls how services behave, e.g. filter email to eliminate spam
ALGs (application layer gateways)
- higher level of security than packet filters
- layers 3, 4, 5 and 7
- they include specialised software and proxy servers
- can provide detailed checks for valid data
- act as intermediary between client and server
- external IP of proxy used not client
Advantages of ALG
- authenticate individuals, not devices
- make it harder to spoof and DoS
- monitor and filters apps
- detailed logging
IPS/IDS evasion techniques
- traffic fragmentation
- timing attacks
- resource exhaustion
- encryption and tunnelling
Where would IPS and IDS be used together?
An IDS could be used on the outside of the firewall (untrusted network) in promiscuous mode to capture and analyse a lot of traffic and attacks. This information could then be used to make improvements to internal security and to an IPS running inside. The IPS would be inline on the inside of the firewall (trusted network) and could focus on defending the network more specifically, given the info collected by the external IDS.
What does the TCP established keyword do?
Only allows return traffic. Forces the router to check for TCP ACK and RST flags. If the ACK bit is set it's assumed to be return traffic; if not, it's dropped.
This isn't stateful, it's basic.
IPS signature detection technique. Advantages and disadvantages
Signature based:
- easy to configure
- gives fewer false positives
- have good signature design
- can’t detect unknown threats
- initially produce a lot of false positives
- signatures need to be created , updated and tuned
IPS policy-based detection advantages and disadvantages
- simple and reliable
- allows for customisable policies
- can detect unknown attacks
- detailed knowledge of network traffic required
- can be time consuming to create policies
IPS anomaly based detection advantages and disadvantages
- easy to configure
- can detect unknown attacks
- difficult to profile typical activity in large networks
- traffic policy must be constant
IPS reputation based detection advantages and disadvantages
- leverages local, enterprise and global correlation
- provides improved accuracy and relevance
- prone to false positives and negatives
- requires timely updates
What is a signature file and engine?
Engine typically responds to the protocol in which the signature occurs and looks for malicious activity in that protocol. Used to load signature files and scan engines.
Each engine works as an interrogator and specialises in one type of interrogation.
What is Anti replay
Verifies each packet is unique and not duplicated by comparing sequence numbers. Packets that come before the sliding window are considered late or duplicate and dropped.
AH?
Data integrity through hashing
Data origin authentication through hashing
Anti-replay protection
Protocol number 51
Supports MAC with MD5 and SHA-2
Doesn’t provide confidentiality
All text unencrypted
Problems with NAT
ESP?
Data confidentiality through encryption
Data integrity through hashing
Data origin authentication through hashing
Anti-replay protection
It encapsulates the data to be protected
Protocol number 50
Transport mode
Security provided to transport layer and above
Protects payload but leaves original IP address in plaintext
Used between hosts and not compatible with NAT
Works well with GRE because GRE hides the original IP
Tunnel mode
Provides security for the complete IP packet
Original IP packet encrypted and then encapsulated in another IP packet (IP-in-IP encryption)
Used in remote access and site-to-site VPNs
What does IPsec use IKE for?
Authenticates peers and generates encryption keys
Negotiates SAs between peers
Automatic key generation
Automatic key refresh
Manageable manual configuration
IKE phase 1
Negotiates IKE protocol suite (encryption, hash, key exchange, lifetime)
Exchanges keying materials (DH)
Authenticates each other
IKE phase 2
Which data should be protected between peers
What security protocols used to protect traffic
How should data be protected (encryption, hash)
What mode of operation (tunnel or transport)
What key management should be used
What is the lifetime of data connection
Five steps of VPN
Interesting traffic arrives at router
IKE phase 1
IKE phase 2
Transmit data
Tunnel terminated
AH, ESP and NAT
AH breaks completely with any type of NAT. Doesn't work with PAT because an outer UDP or TCP header is needed. Won't work with NAT because most of the fields in the IP packet are used to calculate the HMAC.
ESP works with NAT since the outer header is not included in the hash calculation.
ESP doesn't work with PAT for the same reason as AH.
Advantages and disadvantages of a static packet filter
Based on simple permit and deny statements
Minimal impact on network performance
Simple to implement
Configurable on most routers
Can perform many of the basic filtering needs
Susceptible to IP spoofing
Doesn't accurately filter fragmented packets
Extremely long ACLs hard to manage
Stateless
Doesn't work well with dynamic apps
Advantages and disadvantages of ALGs
Very tight control is possible due to layer 7 analysis
More difficult to attack end devices due to proxy
Provides very detailed logging
May be implemented on common hardware
Processor intensive
Not all apps supported
Special client software may be needed
Memory and disk intensive
Advantages and disadvantages of stateful firewalls
Can be used as primary means of defence
Can be implemented on routers and dedicated FW
Dynamic in nature
Provides defence against DoS and spoofing
May not prevent app layer attacks
Not all protocols contain controlled state info (UDP, ICMP etc.)
Some dynamic apps may experience problems as the firewall tries to adapt and open ports
Doesn’t authenticate users by default
Syntax for ZBF policy
class-map type inspect match-any MYCMAP
 match protocol http
 match protocol ftp
policy-map type inspect MYPMAP
 class type inspect MYCMAP
  inspect
IKE phase 1
HAGLE:
Hash
Authentication
DH Group
Lifetime of the tunnel
Encryption algorithm for phase 1
Solution to NAT problems with ESP
NAT traversal (NAT-T). Inserts a TCP or UDP header after the outer IP header but before the ESP header, allowing it to work with PAT.
Dynamic and static NAT work with ESP but not AH, as AH includes the IP header in the hash calculation.