Firewalls

Question 1

What is a Firewall

Answer 1

A system or group of systems used to control access between two networks – a trusted network (Internal Private Network) & an untrusted network (Internet).

Question 2

Perimeter Defence (mcq)

Answer 2

Intercepts and controls traffic between networks with differing levels of trust, enforced with a network security policy

Log inter-network activity, and limit the exposure of an organization.

Question 3

Firewall Challenges

Answer 3

Detecting malware

Connections that do not go through the firewall

Unknown threats

Poorly trained firewall administrator

Question 4

Stateful Packet Filtering (open ended)

Answer 4

• Maintains an entry for each established connection
• Packet filter based on profile of the entries
• Keeps track of TCP sequence numbers to prevent attacks based on sequence numbers
• Inspect data for protocols (FTP, IM, SIP) commands
• Detects and drops packets that overload server
• Disallow packets that has no connection to server

Question 5

Stateful Packet Filtering drawbacks

Answer 5

Cannot prevent, Trojan, spyware, adware where an connection has been established from within the network.

Question 6

Stateful Packet Filtering Solution

Answer 6

Deep Packet Inspection (DPI)
Examines also the data part of packet (content)

Question 7

One example of Web Application Firewall

Answer 7

ModSecurity

Question 8

What is Web Application Firewall

Answer 8

• Inspect request and response data (including HTTPS)
• Increase information log (Credit card numbers, ID numbers, Passwords, Raw Transaction data)
• Act as an inbound proxy to Webserver: Apache, IIS

Question 9

What does Web Application Firewall alert

Answer 9

SQL Injection
XSS
Buffer Overflow
Cookie Tampering
Abnormal Activities
etc

Question 10

Unified Threat Management (UTM)

Answer 10

Consolidates multiple security and networking functions all on one appliance. Popular with SMEs (Small Medium Enterprise)

Question 11

Examples of Unified Threat Management (UTM)

Answer 11

• Firewall
• IDS/IPS
• SIEM
• Secure Web/Email Gateway
• Remote Access

Question 12

Unified Threat Management (UTM) Advantages

Answer 12

• Browser based management
• Short learning curve for security policy configuration
• Localized software and documentation
• By 2022, more than 50% of new SMB firewall deployment will tunnel web traffic to a cloud-based secure web gateway, up from less than 10% today.

Question 13

Application Firewall (Often called NGFW)

Answer 13

(ref image)

Question 14

4 Properties of Next generation firewall (NGFW)

Answer 14

1. Application Awareness
   Does not assume a specific application is running on a specific port.
   Firewall can monitor traffic from layers 2 to 7 with greater granularity
   Eg: HTTP Port 80 assumed to be HTTP Traffic. Useful for bandwidth
   control (P2P)
2. Identity Awareness
   Track the identity of the local traffic device and user,
   Typically using existing enterprise authentication systems
   (i.e. Active Directory, LDAP). Control the what a specific
   User or groups is allowed to send and receive
3. Extra firewall Intelligence
   Optimized rule set and intelligence gathered from outside sources
   continually (Whitelist, blacklist, directory integration to block by
   identity)
4. Integrated IPS
   Automatic correlation to IPS(To cover in PM) to suggest
   blocking of certain malicious websites. Eg: Block and address
   that is continually loading the IPS with bad traffic

Question 15

Packet Filtering Rules (Two common strategies)

Answer 15

1) Build rules from most specific to most general. This is to ensure that
a general rule does not “override” a more specific but conflicting
rule.
2) Rules should be ordered such that the ones most often used are at
top of list. Done for performance reasons.

Question 16

First 4 Best Practices

Answer 16

1) Deny all traffic by default, and only enable those services that are
needed.
2) Disable or uninstall any unnecessary services and software on the
firewall that are not specifically required.
3) Limit the number of applications that run on the firewall in order to
let the firewall do what it’s best at doing.
4) Run the firewall service as a unique user ID instead of administrator
or root.

Question 17

Last 4 Best Practices

Answer 17

5) Change the default firewall administrator or root password
6) Do not rely on packet filtering alone. Use stateful
inspection and application proxies if possible.
7 Ensure that physical access to the firewall is controlled.
8) Regularly monitor firewall logs.
9) Document all firewall rule changes.

Question 18

What is Packet filtering firewall

Answer 18

Stateless
- Filters packet content, Layer 3 and sometimes Layer 4 information
- Firewall makes decision based on packet header

Question 19

What is Stateful firewall

Answer 19

Stateful Inspection
- Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state
- Keep state information about transactions (Connection)

Question 20

What is Application gateway firewall

Answer 20

proxy firewall
Filters information at Layers 3, 4, 5 & 7