Firewall [midterm] Flashcards
controls traffic entering/exiting network interfaces
scans only 1 packet at a time
scans (protocol,src/dest IP address & TCP/UDP port)
low security - no scans above Layer 3 OSI (network)
high performance and scalability
router at internet edge to filter out noise for firewalls
STATIC PACKET FILTERING
series of packets in/out of network
tracks state & characteristics of network connections; connections tracked via state table
extra security (NAT & VPN)
new packets are compared to the state table
better security (scans Layer 3 and UP)
high performance, transparency & extensibility
state table can automatically adjust firewall
dynamic
STATEFUL PACKET INSPECTION (SPI)
network gateway between networks or security zones
does the same as SPI & SPF firewalls + more!
operates on Layer 7 with application awareness
filter based on apps, protocols and users (LDAP & AD)
very expensive $$$$
resource heavy (depending on security features enabled)
single gateway device + security controls = Unified Threat Management (UTM)
Next Generation Firewall (NGFW) (third-gen)
firewall feature that is based on patterns or signatures…
Intrusion Detection System (IDS)
can reset or block connections based on patterns and signatures that perform malicious activities
Intrusion Prevention System (IPS)
inspects files travelling over the firewall for virus signatures, can detect and block malware BEFORE downloaded
Inline Antivirus
detects and blocks specific data structures from being exported
Data Loss Prevention (DLP)
block based on predetermined web site categorization (porn)
Web Proxy | Web Content Filtering
gateway placed before SMTP server for extra filtering
Email Filtering
- protects web applications
- inspects HTTP traffic going to and from web apps
- prevents attacks, e.g. buffer overflows, cross site scripting (XSS) *token hijacking, and SQL injection (SQLi) *injection attacks should not exist if set up correctly!
- sometimes a reverse proxy
- a proxy will sit between webserver and internet
Web Application Firewall (WAF)
- scans traffic flowing North South
- does not protect network from attacks originating from within network!
- analogous to "trust but verify"
Perimeter-Centric Approach
- removes assumption of trust and inspects all possible traffic
- made up of user and application identification
- content scanning to move trust boundary as close to resource as possible
- scans traffic in all directions North, South, East & West
- never trust!, always verify!
- protects internal network from lateral attacks
Zero Trust Security Model
connection-oriented
Connections start with 3-way handshake
connections end with session being terminated
Transmission Control Protocol (TCP)
- client sends server SYN packet to synchronize sequence numbers
- server responds with synchronization acknowledge, or SYN/ACK
- client sends acknowledge (ACK), and TCP connection is established
- data is now interchangeable between server & client
- SYN/ACK flags are contained IN the TCP header
TCP 3-Way Handshake
SYN --->
<--- SYN/ACK
ACK --->
client sends FIN-ACK packet
server responds FIN-ACK
client responds final ACK packet
TCP Connection Termination
- large port numbers (#) used as the client's source port(s)
- chosen at random!
- 49152-65535 recommended port range via IANA
Ephemeral Source Port
- LISTEN (Linux) / LISTENING (Windows)
- ESTABLISHED
- TIME-WAIT
TCP Connection States
Domain
Private
Public
Windows Firewall profiles
you can use __________________ to detect profile and enable rules based on profile….
Application Programming Interface (API)
if you want to secure devices even more when on public network you can use ___________
Group Policy Object (GPO)
• packet filtering framework in the Linux kernel with:
i. Stateless packet filtering
ii. Stateful packet filtering
iii. Network Address Translation (NAT)
iv. Port Address Translation (PAT)
Netfilter
code that handles intercepted function calls, events, or messages passed between software components
Hook
standard firewall in Linux
configure/view tables of packet filter rules
IPtables
+ nftables (modern variant)
i. packet protocol type
ii. source address
iii. destination address
iv. source port
v. destination port
vi. network interface being used
vii. relation to previous packets
IPtables definable rules
ACCEPT, DROP, RETURN
TARGET functions
IPtables and rules are organized into….
CHAINS
Packets are checked against chains how….
Sequentially
3 default chains….
INPUT, OUTPUT, FORWARD
RFC 1918
- 10.0.0.0-10.255.255.255
- 172.16.0.0-172.31.255.255
- 192.168.0.0-192.168.255.255
modifies network address in IP Headers of packets
NAT
DHCP Request Process
Discover port:67 (client)
Offer port:68 (server)
Request (client)
Acknowledge (server)
maintain distinct rule-set for each traffic flow (ingress and egress)
security zones common practice for enterprise solutions
Firewall Inspection
Block ALL incoming traffic by default….
sudo iptables -P INPUT DROP
Open port 22 to be reached ONLY by 172.16.200.100
sudo iptables -I INPUT 2 -p tcp --dport 22 -s 172.16.200.100 -j ACCEPT
Which command removes a config file for SSH?
sudo rm -f /etc/ssh/sshd_not_to_be_run
Which command will allow packets of existing outbound connections to be allowed back in WITHOUT being dropped?
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
IPtables uses a set of _____ which have _____ that contain set of built-in or user defined _____
tables - chains - rules