Firewall Basics

Question 1

The word firewall commonly describes

Answer 1

a system or device or Software

Question 2

Firewall is placed between

Answer 2

a trusted network and an untrusted network

Question 3

A firewall is security devices used to

Answer 3

stop or mitigate unauthorized access.

Question 4

The only traffic allowed on the network

Answer 4

is defined via the firewall policies.

Question 5

It grants or rejects access to traffic flows between

Answer 5

untrusted & trusted zone

Question 6

A firewall monitors and check

Answer 6

incoming and outgoing network related traffic

Question 7

It decides to allow or block specific traffic based on

Answer 7

defined set of security rules.

Question 8

A firewall can be

Answer 8

hardware, software, or both or can be Cloud-based or Virtual

Question 9

The first generation of firewall technology consisted of

Answer 9

packet filters techniques.

Question 10

The second generation of firewall started with

Answer 10

application layers technologies

Question 11

The third generation of firewall had

Answer 11

“Stateful” filters inspection also called NGFW

Question 12

Stateful Firewall:

Answer 12

o It maintain the state of connection when packet is travelling for the appliance.
o State Full Firewall maintain the state of connection in the state table of Firewall.
o After adding information in state table, it forwards the packet to the destination.
o When it receive the reply-packet, it match the packet information to state-table.
o If Firewall receive the reply packet if match packet is accepted otherwise drop.

Question 13

Simplified Packet Flow

Answer 13

Question 14

Stateless Firewalls:

Answer 14

o Stateless Firewalls watch network traffic and restrict or block the packets.
o This Firewalls restrict or block packet based on source & destination addresses.
o Stateless Firewalls also restrict or block packet based on other static values.
o Stateless Firewalls are not ‘aware’ of the traffic patterns or the data flows.
o A stateless firewall filter, also known as an Access Control List or (ACL).
o Stateless Firewall does not state fully inspect the traffic to keep the records.
o It evaluates packet contents statically and does not keep track of connection state.
o An example of a packet filtering firewall is the Extended ACL on Cisco Routers

Question 15

Packet Filtering Firewall:

Answer 15

o In Packet, filtering firewall packets are filtered using the Access-List (ACL).
o Packet Filtering Firewall is vulnerable to IP spoofing network attack easily.
o Cisco IOS use Standard or Extended ACL, Named ACL etc to filter the traffic.
o Limits info is allowed into a network based on the destination and source address.
o Packet Filtering Firewall can only be implemented on Network & Transport Layers.
o Packet Filtering Firewall filters packets based on address and port number only.

Question 16

Proxy Firewall:

Answer 16

o Proxy Firewall works as a proxy for clients of Internal LAN users.
o No direct communication occurs between client & destination server.
o Takes requests from a client, puts that client on hold for a moment.
o Makes the requests as if it is its own request out to the final destination.
o Proxy Firewall is Memory and disk intensive at the proxy server or device.
o Proxy Firewall could potentially be a single point of failure in the network.

Question 17

Application Firewall:

Answer 17

o Application level gateways works on the Application Layer of the OSI reference Model.
o Application Firewall you can block or control the traffic generated by any applications.
o Application Firewalls can also be configured as Caching Servers to increase performance.
o Application Level gateway Firewall is more processor intensive but have very tight control.
o Application Firewall is the ability to analyze traffic all the way up to the Application Layer.

Question 18

Personal Firewall:

Answer 18

o Personal Firewall is typically software application that is installed on endpoint device.
o Personal Firewall protect the device itself from unauthorized intrusions or access.
o Most operating systems such as windows or Linux have integrated personal firewalls.
o Personal Firewalls protect a single host or device only in the network.
o Personal Firewalls control traffic arriving at and leaving individual hosts.
o Personal Firewalls have the ability to permit and deny traffic based on the application.
o Personal Firewalls have also the ability to define policies for different classes of network.

Question 19

Transparent Firewall:

Answer 19

o It works at layer 2, or it forwards the frames based on destination MAC.
o It has the capabilities to filter the traffic from layer 2 to layer 7 of OSI Model.
o Transparent Firewall is invisible to devices on both sides of protected network.
o Transparent mode does not support dynamic routing protocols or more stuff.

Question 20

Virtual Wire Firewall:

Answer 20

o Virtual Wire Firewall mode logically binds two Ethernet interfaces together.
o Virtual Wire Firewall mode allowing for all traffic to pass between interfaces.
o Virtual Wire, also known V-Wire, deployment options use Virtual Wire interfaces.
o A virtual Wire Firewall mode requires no changes to adjacent network devices.
o A Virtual Wire interface supports App-ID, User-ID, Content-ID, NAT & decryption.
o Virtual Wire Firewall mode is typically used when no switching or routing is needed

Question 21

Traditional Network Firewall:

Answer 21

o Traditional firewalls work at the network & transport layer of OSI Model.
o Allow or block traffic based on criteria such as an IP address and/or port

Question 22

Zone-Based Firewall:

Answer 22

o Zone Based Firewall is the most advanced method of a Stateful Firewall.
o Zone Based Firewall is available on Cisco IOS Routers.
o The idea behind ZBF is that we do not assign access-lists to interfaces.
o In ZBF, different zones created & assigned Interfaces to different zones.
o In Zone Based Firewall security policies assigned to traffic between zones.

Question 23

Could-Based Firewall:

Answer 23

o Cloud Firewalls are software-based, cloud deployed network devices.
o Cloud Firewalls built to stop or mitigate unwanted access to private networks.
o As Cloud Firewalls a new technology, they are designed for modern business needs.
o Cloud Firewalls are sit within online application environments to stop any attacks.
o Firewall-as-a-service (FWaaS), Security-as-a-service (SECaaS) are the examples.

Question 24

Virtual Firewall:

Answer 24

o Virtual firewall is a firewall service or an application for virtualized environment.
o Virtual firewall provides packet filtering within a virtualized environment.
o Virtual firewalls are commonly used to protect virtualized environments only.
o Virtual firewall is often deployed as a software appliance in virtual environment.
o A virtual firewall manages and controls incoming and outgoing traffic.
o It works in conjunction with switches and servers similar to a physical firewall.

Question 25

UTM Firewall:

Answer 25

o The term UTM firewall or simply UTM (Unified Threat Management) is the terminology. o It is given to hardware or software device capable of assembling various security functions. o Such as packet filtering, proxy, IDS & IPS, protection against malware, application control. o UTM provides multiple security features & services in single device or service on network. o UTM includes functions such as anti-virus, anti-spam, content filtering, & web filtering etc. o UTM (Unified Threat Management) Firewall is not consider Next-Generation Firewall.

Question 26

Next-Generation Firewall (NGFW):

Answer 26

o NGFW performs the role of a traditional firewall and adds NGIPS features. o Next-Generation Firewall is part of the third generation of Firewall technology. o All NGFWs offer two key features App Awareness & Control & ID Awareness. o Next-Generation Firewall (NGFW) provide deep-packet inspection of traffic. o Next-Generation Firewall add application-level inspection & Intrusion Prevention. o Next-Generation Firewall provides all traditional IPS features with high performance. o Next-Generation Firewall allow, and block traffic based on specific application as well. o Next-Generation Firewall allow, and block traffic based on user information as well. o Next-Generation Firewall (NGFW) provide both IPS and application control functions. o There is no big difference between the UTM and Next-Generation Firewall (NGFW). o Next-Generation Firewall provide high performance and Processing using to protect.

Question 27

Palo Alto Firewall:

Answer 27

o The only firewall to identify, control & inspect your SSL encrypted traffic & applications. o The only firewall with real-time content scanning to protect you against viruses. o The only firewall to protect against spyware, data leakage & application vulnerabilities. o The only next-generation firewall based on a stream-based threat prevention engine. o Palo Alto unleashes the power of the cloud against threats known and unknown. o Palo Alto is security application that allows or denies traffic by a single fingerprint. o If one company experiences unique attack, all other subscribers’ networks are updated. o You can allow certain functions of an application without blocking the entire application

Question 28

Single Pass:

Answer 28

o Palo Alto firewalls are based on a unique Single Pass Parallel Processing (SP3) Architecture. o Single Pass Parallel Processing (SP3) enables high-throughput, low-latency network security. o SP3, combines two components Single Pass software and Parallel Processing hardware. o Palo Alto firewalls the single pass software performs an operation once per packet. o Packet is processed, networking functions, policy lookup, application identification all once. o Packet is decoding & signature matching for any & all threats & content all performed once. o the single pass software in next-generation firewalls scans content once to avoid latency. o This Single Pass traffic processing enables very high throughput and low latency.

Question 29

Parallel Processing:

Answer 29

o The other critical piece of Palo Alto Networks SP3 Architecture is hardware. o It is use Parallel Processing hardware to ensure Single Pass software runs fast. o Palo Alto Networks engineers designed separate data plan and control plane. o This separation means you can update the device while still keep forwarding going. o Palo Alto firewall using multiple cores and processors will run checks in parallel. o It is not re-compile files in order to scan them but scan stream for signature. o Identification Technologies Transform the Firewall, App-ID, User-ID, and Content-ID.

Question 30

App-ID (Application Identification) :

Answer 30

Is a combination of application signatures, protocol detection and decryption, protocol encoding, and heuristics to identify Applications. This application identification is carried through to the Content-ID functionality to scan and inspect applications appropriate to their use as well as to the policy engine

Question 31

Content-ID (Scan Content):

Answer 31

Single hardware accelerated signature format to scan traffic for data credit card numbers, social security numbers, and custom patterns and Threats vulnerability exploits -IPS, viruses and spyware plus a URL categorization engine to perform URL Filtering.

Question 32

User-ID (Identify User):

Answer 32

Maps IP Address to Active Directory users and users to groups (roles) to enable visibility and policy enforcement by user and group.

Question 33

Single-Pass Architecture:

Answer 33

o PAN Firewall are optimized to only inspect the packet "ONE TIME", concurrently. o At same time do Signature Matching, Security Processing & Networking Processing. o All in Parallel to each other without having to re buffer same packet over & over again. o Single-Pass performs the L7 classification and inspection Operations once per packet. o Strength of Palo Alto Networks Firewall is its Single Pass Parallel Processing (SP3) engine. o Every single layer of Protection Antivirus, Spyware, Data Filtering & Vulnerability protection. o Palo Alto Networks Firewall all utilized the same stream-based signature format. o allows PAN to buffer and inspect a packet at the same time, it can do all three in parallel.

Question 34

Control Plane:

Answer 34

o Management Functionality is provided via a dedicated control plan processor. o Drives configuration management, logging & reporting, without touching data processing. o Palo Alto Control Plan has its own Dual Core CPU, dedicated RAM, and dedicated RAM.

Question 35

Data Plane:

Answer 35

o Palo Alto Firewall Data Plan It is the Traffic Forwarding Plan with different chip sets. o Three functions Signature Match process inspects traffic built on Regular Expressions. o The second function is Security Processors matches against Palo Alto security policies. o And the last function is Network Processor is used for traffic forwarding etc.

Question 36

Networking:

Answer 36

Packet Routing, Flow lookup, Stat Counts, NAT & All performed on Dedicated Network Pro.

Question 37

Security:

Answer 37

User-ID, App-ID, & Policy Engine, all occur on multicore, Encrypting, Decryption, Decompression

Question 38

Signature:

Answer 38

Content-ID performs Signature Lookups via a Dedicated FPGA with dedicated Memory.

Question 39

Question 40

Firewall Zones:

Answer 40

o Security zones are logical way to group physical and virtual interfaces on the Firewall. o Security Zones is used to control and log the traffic that traverses specific interfaces. o Interface on Firewall must be assigned to security zone before interface process traffic. o Zone can have multiple interfaces of same type, but interface belong to only one zone. o Palo Alto Firewalls zone names have no predefined meaning or policy associations. o Palo Alto Firewalls rely on concept of security zones in order to apply security policies. o It means that Security Policies (Firewall Rules) are applied to zones & not to interfaces. o This zone feature is similar to Cisco’s Zone-Based Firewall supported by IOS Routers. o Policy rules on Firewall use zones to identify where traffic comes from & where going. o Traffic can flow freely within a zone, but traffic cannot flow between different zones. o Traffic between different zones can’t flow until define Security policy rule that allows it. o Creating a security zone in the Palo Alto Networks NG Firewalls involves three steps. o Specify the Zone Name, Select the Zone Type and Assign the Interface to the given Zone.