Firewall [midtem]

Question 1

controls traffic entering/exiting network interfaces
scans only 1 packet at a time
scans (protocol,src/dest IP address & TCP/UDP port)
low security - no scans above Layer 3 OSI (network)
high performance and scalebility
router at internet edge to filter out noise for firewalls

Answer 1

STATIC PACKET FILTERING

Question 2

series of packets in/out of network
tracks state & characteristics of network connections connections tracked via state table
extra security (NAT & VPN)
new packets are compared to the state table
better security (scans Layer 3 and UP)
high performance, transparency & extensibility
state table can automatically adjust firewall
dynamic

Answer 2

STATEFUL PACKET INSPECTION (SPI)

Question 3

network gateway between networks or security zones
does the same as SPI & SPF firewalls + more!
operates on Layer 7 with application awareness
filter based off apps, protocols and users (LDAP & AD)
very expensive $$$$
resource heavy (depending on security ft enabled)
single gateway device + security controls = Unified Threat Management (UTM)

Answer 3

Next Generation Firewall (NGFW) (third-gen)

Question 4

firewall feature that is based on patterns or signatures…

Answer 4

Intrusion Detection System (IDS)

Question 5

can reset or block connections based on patterns and signatures that perform malicious activities

Answer 5

Intrusion Prevention System (IPS)

Question 6

inspects files travelling over the firewall for virus signatures, can detect and block malware BEFORE downloaded

Answer 6

Inline Antivirus

Question 7

detects and blocks specific data structures from being exported

Answer 7

Data Loss Prevention (DLP)

Question 8

block based on predetermined web site categorization (porn)

Answer 8

Web Proxy | Web Content Filtering

Question 9

gateway placed before SMTP server for extra filtering

Answer 9

Email Filtering

Question 10

• protects web applications
  
  • inspects HTTP traffic going to and from web apps
  • prevents attacks i.e: buffer overflows, cross site scripting (XSS) *token hi-jacking and SQL injection (SQLi) *injection attacks should not exist if setup correctly!
  • sometimes a reverse proxy
  • a proxy will sit between webserver and internet

Answer 10

Web Application Firewall (WAF)

Question 11

• scans traffic flowing North South
  
  • does not protect network from attacks originating from within network!
  • analogous with trust but verify

Answer 11

Perimeter-Centric Approach

Question 12

• removes assumption of trust and inspects all possible traffic
  
  • made up of user and application identification
  • content scanning to move trust boundary as close to resource as possible
  • scans traffic in all directions North, South, East & West
  • never trust!, always verify!
  • protects internal network from lateral attacks

Answer 12

Zero Trust Security Model

Question 13

connection-oriented
Connections start with 3-way handshake
connections end with session being terminated

Answer 13

Transmission Control Protocol (TCP)

Question 14

• client sends server SYN packet to synchronize sequence numbers
  
  • server responds with synchronization acknowledge, or SYN/ACK
  • client sends acknowledge (ACK), and TCP connection is established
  • data is now interchangeable between server & client
  • SYN/ACK flags are contained IN the TCP header

Answer 14

TCP 3-Way Handshake

SYN—->
ACK

Question 15

client sends FIN-ACK packet
server responds FIN-ACK
client responds final ACK packet

Answer 15

TCP Connection Termination

Question 16

• are large port numbers(#) for clients source port(s)
  
  • chosen at random!
  • 49152-65535 recommended port range via IANA

Answer 16

Ephemeral Source Port

Question 17

LISTEN (linux) 
LISTENING (windows) 
------------------------------------
ESTABLISHED 
--------------------------------------
TIME-WAIT

Answer 17

TCP Connection States

Question 18

Domain
Private
Public

Answer 18

Windows Firewall profiles

Question 19

you can use __________________ to detect profile and enable rules based on profile….

Answer 19

Application Programming Interface (API)

Question 20

if you want to secure devices even more when on public network you can use ___________

Answer 20

Group Policy Object (GPO)

Question 21

• packet filtering framework on Linux kernel with;

	i. Stateless packet filtering 
	ii. Stateful packet filtering 
	iii. Network Address Translation (NAT) 
	iv. Port Address Translation (PAT)

Answer 21

Netfilter

Question 22

code that handles intercepted function calls events or messages passed between the software components

Answer 22

Hook

Question 23

standard firewall in Linux

configure view tables of packet filter rules

Answer 23

IPtables

+ nftables (modern varient)

Question 24

i. packet protocol type
ii. source address
iii. destination address
iv. source port
v. destination port
vi. network interface being used
vii. relation to previous packets

Answer 24

IPtable definable Rules

Question 25

ACCEPT, DROP, RETURN

Answer 25

TARGET functions

Question 26

IPtables and rules are organized into….

Answer 26

CHAINS

Question 27

Packets are checked against chains how….

Answer 27

Sequentially

Question 28

3 default chains….

Answer 28

INPUT, OUTPUT, FORWARD

Question 29

RFC 1918

Answer 29

10. 0.0.0-10.255.255.255
11. 16.0.0-172.31.255.255
12. 168.0.0-192.168.255.255

Question 30

modifies network address in IP Headers of packets

Answer 30

NAT

Question 31

DHCP Request Process

Answer 31

Discover port:67 (client)
Offer port:68 (server)
Request (client)
Acknowledge (server)

Question 32

maintain distinct rule-set for each traffic flow (ingress and egress)
security zones common practice for enterprise solutions

Answer 32

Firewall Inspection

Question 33

Block ALL incoming traffic by default….

Answer 33

sudo iptables -p INPUT DROP

Question 34

Open port 22 to be reached ONLY by 172.16.200.100

Answer 34

sudo iptables -I INPUT 2 TCP –dport 22 -s172.16.200.100 -j ACCEPT

Question 35

Which command removes a config file for SSH?

Answer 35

sudo rm -f /etc/ssh/sshd_not_to_be_run

Question 36

Which command will allow packets of existing outbound connections to be allowed back in WITHOUT being dropped?

Answer 36

sudo iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

Question 37

IPtables uses a set of _____ which have _____ that contain set of built-in or user defined _____

Answer 37

tables - chains - rules