Firewalls Flashcards

1
Q

A company wishes to make an HTTP service on port 8080 available to Internet users. Indicate a network and/or server configuration that provides the service safely and explain the reasons for the choices made.

A

Use a screened-subnet firewall, placing a reverse web proxy and the web server in the DMZ. The screened subnet gives a good level of security through its three components (the screening routers doing packet filtering, the bastion host and the gateway), and at the same time avoids a single point of failure, because every packet is checked twice, by the exterior and by the interior packet filter, before it can reach the internal network. Exposing only the proxy on port 8080 keeps the real web server and the internal network unreachable from outside.

2
Q

With reference to a network firewall, briefly explain how to configure the whitelist and blacklist

A

Whitelist: everything that is not explicitly allowed is blocked.
Blacklist: everything that is not explicitly blocked is allowed.

They are the two strategies used to decide which packets may enter (or leave) the network; the first is generally preferred because it is safer: a forgotten rule leaves a service unreachable rather than leaving an unintended hole open.

3
Q

Describe packet filter technology and describe advantages and limitations

A

It consists of filtering packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
-static: coarse filtering based on layer 3 addresses and layer 4 ports, with a blacklist or whitelist policy
-dynamic: stores state information from the transport layer and/or the application layer; it distinguishes new connections from those already open thanks to a state table of open connections, and packets that match a row of the table are accepted without further checks.
Pros and cons:
+ very scalable
+ good performance (slightly better for the dynamic kind, since established flows skip rule evaluation) + low cost
- complex configurations
- unsafe (coarse, inaccurate controls: easy to fool with spoofing or fragmentation)
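As an added example (not part of the original flashcards) for cards 2 and 3, the following toy filter contrasts a static packet filter with a stateful one, each run under an allowlist (default drop) and a denylist (default accept) policy. The packets, addresses and rules are constructed for the illustration; the rule set publishes the port 8080 service of card 1 and, for the stateless filter, has to accept any inbound segment with the ACK flag set in order to let return traffic through. That is exactly the approximation a crafted ACK-only packet exploits, and the state table removes it.

```python
"""Toy packet filter: stateless rule matching vs stateful connection tracking.
Added example with constructed traffic; it models the decision logic, not any
real firewall implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (from the untrusted side) or "out"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP flags; only TCP is modelled here
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    direction: Optional[str] = None # None means "any"
    dport: Optional[int] = None
    ack: Optional[bool] = None      # the classic stateless "established" trick

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.direction, p.direction), (self.dport, p.dport), (self.ack, p.ack)))


class StatelessFilter:
    """Static packet filter: first matching rule wins, else the default policy."""
    def __init__(self, rules, default):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter(StatelessFilter):
    """Dynamic packet filter: a packet belonging to a flow already in the state
    table is accepted without re-evaluating the rules; only a new connection
    (TCP SYN without ACK) is checked against the rules, and a mid-stream
    segment with no known flow is dropped regardless of the rules."""
    def __init__(self, rules, default):
        super().__init__(rules, default)
        self.flows = set()

    @staticmethod
    def _key(p: Packet):   # direction-independent flow identifier
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def decide(self, p: Packet) -> str:
        if self._key(p) in self.flows:
            return "accept"
        if not (p.syn and not p.ack):
            return "drop"
        verdict = super().decide(p)
        if verdict == "accept":
            self.flows.add(self._key(p))
        return verdict


# Constructed rule set: publish 8080, let internal hosts go out, and (for the
# stateless filter only) accept ACK-flagged inbound segments as "return traffic".
RULES = [
    Rule("accept", direction="in", dport=8080),
    Rule("accept", direction="out"),
    Rule("accept", direction="in", ack=True),
]

TRAFFIC = {   # constructed packets, in arrival order
    "client_syn_8080":  Packet("in",  "198.51.100.7", 51000, "10.0.0.5", 8080, syn=True),
    "outbound_syn":     Packet("out", "10.0.0.5", 40001, "203.0.113.9", 443, syn=True),
    "return_synack":    Packet("in",  "203.0.113.9", 443, "10.0.0.5", 40001, syn=True, ack=True),
    "forged_ack_to_22": Packet("in",  "198.51.100.7", 51001, "10.0.0.5", 22, ack=True),
    "syn_to_22":        Packet("in",  "198.51.100.7", 51002, "10.0.0.5", 22, syn=True),
}


def run(filter_cls, default: str) -> dict:
    """Verdict for each packet under the given filter type and default policy."""
    fw = filter_cls(RULES, default)
    return {name: fw.decide(p) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for cls in (StatelessFilter, StatefulFilter):
        for policy in ("drop", "accept"):
            print(cls.__name__, "default", policy, run(cls, policy))
```

The stateless allowlist lets the forged ACK to port 22 through because rule 3 cannot tell return traffic from a crafted segment; the stateful filter drops it because no flow exists, while still accepting the real SYN/ACK coming back to the internal client. Under the denylist default, the unsolicited SYN to port 22 is accepted by both filters, which is the "open gates" problem of card 12.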

4
Q

Draw the scheme of a dual homed gateway firewall architecture, illustrate the role of its components, advantages and disadvantages.

A

A dual-homed gateway is a machine with two network cards, one on the external network and one on the internal network, with routing between them disabled; a process running on it decides which traffic is allowed to pass from one interface to the other. It is placed in series with the screening router, so the system has two control points:
* the router acts as a packet filter;
* the dual-homed gateway hosts a circuit-level gateway or an application-level gateway, as required.
Since the gateway sits on two different networks, the intermediate network between router and gateway is isolated from the internal network and can be used as a DMZ for public servers. Pros and cons:
+ masking: the gateway can hide the internal network;
+ simplicity: the implementation is simple;
+ cost: only minor additional hardware is needed (e.g. a second fast network card);
+ double line of defense: exploiting a bug in one of the two devices is not enough to enter the internal network.
- management: two systems must be administered;
- bottleneck: all traffic must pass through the dual-homed gateway;
- flexibility: some types of traffic need to be checked by servers in the internal network (e.g. spam e-mail).

5
Q

Packet filter and application level gateway inside a firewall: similarities, differences, advantages and disadvantages of both.

A

Both filter traffic, but at different depths: the packet filter looks only at the layer 3 (and layer 4) headers, while the application-level gateway inspects the payload at the application layer.
Packet filter: filters packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
-static: coarse filtering based on layer 3 addresses and layer 4 ports, with a blacklist or whitelist policy
-dynamic: stores state information from the transport layer and/or the application layer; it distinguishes new connections from those already open thanks to a state table of open connections, and packets that match a row of the table are accepted without further checks.
Pros and cons:
+ very scalable
+ good performance (slightly better for the dynamic kind, since established flows skip rule evaluation) + low cost
- complex configurations
- unsafe (coarse, inaccurate controls)
Application-level gateway: inspects packets at the application level (payload); internally it is made up of a series of proxies, one per application protocol.
It can act as terminator: it interacts with the client as if it were the server, and with the server as if it were the client. It can mask or renumber IP addresses, which may be necessary when it acts as terminator and one of the two parties asks for the authentication of the other. It can also perform authentication, especially on egress: the gateway asks the client to authenticate itself in order to apply the appropriate policies to it. Pros and cons:
+ maximum security: the rules are more granular and simpler than those of a packet filter, because the controls are based on the application layer;
+ parallelization: multiple CPU cores work in parallel (SMP).
- performance: more thorough checks take more time;
- application dependent: each application protocol requires a specific proxy, hence a delay in supporting new applications;
- resource consumption: many proxies mean many processes;
- low performance: the processes work in user mode;
- breakdown of the client-server model: it may not be completely transparent to clients, and often requires a modification of the client application;
- attacks: since the client interacts directly with the gateway, the firewall's operating system is exposed to attacks;
- application-level security protocols: the firewall may not be able to interpret the packet contents (e.g. SSL/TLS: the payload is encrypted).

6
Q

What is the circuit gateway and from what does it protect?

A

It is a proxy that is not "application-aware": it creates a transport-layer circuit between the client and the server without any understanding of the syntax of the data in transit.
Pros and cons:
+ the servers are isolated from all attacks involving:
* the TCP three-way handshake: the protection starts at the beginning of the session and lasts for the entire session;
* IP packet fragmentation: the proxy reassembles the IP packets before copying the data, so fragment-based attacks never reach the server.
- breakdown of the client-server model (for the duration of the session): it may require changes to the applications (e.g. client authentication normally happens at the application level, not at the transport level);
- many limitations of the packet filter remain.

7
Q

IDS vs IPS: what they are and differences

A

An Intrusion Detection System (IDS) is a system for identifying actors who use a computer or network without authorization.
An Intrusion Prevention System (IPS) is a system that can detect intrusive activity and also try to stop it, ideally before it reaches its objectives.
The difference is that an IDS notifies you when it detects an attack, whereas an IPS also tries to block it.

8
Q

Explain what the IPS technique consists of.

A

An Intrusion Prevention System (IPS) is a system that can detect intrusive activity and also try to stop it, ideally before it reaches its objectives.
An IPS consists of:
* an IDS: detects an attack in progress (e.g. an excess of ICMP packets);
* a distributed dynamic firewall: reacts very quickly (e.g. blocks all ICMP traffic).

9
Q

What is a firewall?

A

It is a controlled connection between networks at different security levels, so it is a boundary protection (network filter). The goal is to not let problems propagate and to stop them as soon as possible.

10
Q

Ingress vs. Egress firewall

A

Ingress firewall
* handles incoming connections
* typically used to select the (public) services offered
* sometimes as part of an application exchange initiated by my users

Egress firewall
* handles outgoing connections
* typically used to check the activity of my personnel (!)

This classification is easy for channel-based services (e.g. TCP applications), but difficult for message-based stateless services (e.g. ICMP, UDP applications), where there is no connection setup that marks who initiated the exchange.

11
Q

Cheswick and Bellovin commandments

A

The three commandments of firewalls
1. the FW must be the only contact point of the internal network (trusted) with the external one (untrusted)
2. only "authorized" traffic can traverse the FW
3. the FW must itself be a highly secure system

12
Q

Allowlist and Denylist

A

Allowlist
* "All that is not explicitly permitted is forbidden"
* higher security (gatekeeper)
* more difficult to manage

Denylist
* "All that is not explicitly forbidden is permitted"
* lower security (open gates)
* easier to manage

13
Q

Basic components of a firewall

A
  • packet filter / screening router / choke: component that filters traffic at the network level
  • bastion host: a secured, hardened system with periodic auditing; it sits on the first line of defense
  • application gateway (proxy): a service that works on behalf of an application, with access control
  • dual-homed gateway: a system with two network cards placed between two different networks, with routing disabled -> it can mask the internal network
14
Q

Firewall technologies list

A
  • Packet filter
  • Circuit level gateway
  • Application level gateway
15
Q

Packet filter

A

It is a firewall technology.

  • present on routers
  • it performs an inspection at the network level, checking the network header and the transport header

Pros and cons
+ independent of applications
+ good scalability
+ good performance
+ low cost (available on routers and in many OSs)
- the controls are approximate: easy to "fool" (e.g. IP spoofing, fragmented packets)
- difficult to support services with dynamically allocated ports (e.g. FTP)
- complex to configure
- difficult to perform user authentication

16
Q

Application level gateway

A

It is a firewall technology.

  • it is composed of a set of proxies inspecting the packet payload at the application level
  • often requires modifications to the client application
  • may optionally mask / renumber the internal IP addresses
  • when used as part of a firewall, it usually also performs peer authentication
  • top security!! (e.g. against a buffer overflow of the target application)
  • each application has its own proxy
  • heavy in computational resources because each application has its own process -> low performance but fine-grained control
  • it breaks the client-server model -> more protection for the server, client authN possible, not transparent to the client

Proxies can be:
* transparent proxy: it is less intrusive for the client but needs more work, because it has to extract the destination and reroute the packets
* strong application proxy: it checks not only the packet syntax but the semantics too -> only some commands/data are forwarded. This is the only correct configuration for a proxy

There are two types of proxies:
* forward proxy
* reverse proxy

17
Q

Forward proxy

A

It is one of the possible kinds of proxy in an application-level gateway.

A forward proxy is a server placed between the client (internal network) and the real server (external network).
For example, an HTTP forward proxy is an HTTP server that acts just as a front-end and passes the requests on to the real (external) server. It is an egress control (outgoing connections from the internal network).
It permits:
* network access control lists
* a shared cache of external pages for all internal users
* authentication + authorization of internal users
* various controls (e.g. allowed sites, transfer direction, data types, ...)

18
Q

Circuit level gateway

A

This is a firewall technology.

It is a single generic proxy that is not application-aware.
* it creates a transport-level circuit between client and server ...
* ... but it does not understand or manipulate the payload data in any way
* ... it just copies the TCP segments or UDP datagrams between its two interfaces (if they match the access control rules)
* ... but, in doing this, it reassembles the IP packets and hence provides protection against some L3/L4 attacks
* So it breaks the TCP/UDP-level client/server model during the connection -> (1) more protection for the server, which is isolated from all attacks related to the TCP handshake and to IP fragmentation; (2) it may authenticate the client, but this requires modifications to the application

This technology still exhibits many of the limitations of the packet filter.

SOCKS is the best-known example.

19
Q

Reverse proxy, configurations’ drawings

A

It is one of the possible kinds of proxy in an application-level gateway.

A reverse proxy is a server placed in front of a server or group of servers: clients (typically external) connect to the proxy, which forwards the requests to the real servers on their behalf.

HTTP reverse proxy
It is an HTTP server acting just as a front-end for the real server(s), to which the requests are passed.

It implements:
* network ACL & content inspection
* obfuscation (no information about the real server is exposed)
* TLS accelerator (with unprotected back-end connections ...): it can be the endpoint of a TLS channel
* load balancer
* web accelerator (= cache for static content)
* compression -> greater speed
* spoon feeding (it gets a whole dynamic page from the server and feeds it to the client at the client's speed, thus unloading the application server)

There are two possible configurations for a reverse proxy (draw them!):
* the first configuration is based on a three-legged firewall: the firewall is connected to the external network, to the internal one and to the DMZ. The reverse proxy and the servers for which it is a front end are placed in the DMZ. It is good because it confines attacks to the DMZ. A server and a client of the internal network can communicate only by passing through the proxy and the firewall.
* the second configuration also has a three-legged firewall (internal, external, DMZ). Here the proxy is still in the DMZ while the servers are in the internal network; servers and reverse proxy are connected by one or more VPNs. Even though the servers are in the internal network there is no direct access to them, because access happens only through the reverse proxy.

The suggested configuration is the first one, because it confines attacks to the DMZ.

20
Q

WAF (Web Application Firewall)

A

As web applications become more and more widely used, they become prime targets for various security threats.

A WAF is a module installed on a proxy (forward and/or reverse) to filter the application traffic.
Filtering is applied to:
* HTTP commands (methods)
* headers of HTTP requests/responses
* content of HTTP requests/responses

ModSecurity is an example of a WAF. It is a plugin for Apache and NGINX (50% and 30% of worldwide HTTP servers, according to the source slides).
The OWASP ModSecurity Core Rule Set (CRS) is the standard generic rule set used with it.
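As an added example (not part of the original flashcards, and not taken from ModSecurity or the OWASP CRS), the following strong HTTP proxy / WAF filter parses a request the way a per-protocol proxy would and applies rules on the three points listed above: the HTTP command, the headers and the content. It also illustrates the "only some commands/data are forwarded" semantics of the strong application proxy of card 16. The allowed-method set, the signature patterns and the sample requests are constructed for the illustration.

```python
"""Strong HTTP application proxy / WAF filter.  Added example with constructed
rules and requests; a real WAF rule set (e.g. the OWASP CRS) is far larger."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x request parser; raises ValueError on malformed input."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")    # ValueError unless 3 fields
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers, body)


ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # semantic check: only these commands are forwarded
MAX_BODY = 4096
SIGNATURES = [   # constructed, signature-style content rules
    (re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+|\bunion\b.+\bselect\b"), "sql injection"),
    (re.compile(r"(?i)<script\b"), "cross-site scripting"),
    (re.compile(r"\.\./"), "path traversal"),
]


def inspect(raw: bytes) -> tuple:
    """Return ("forward", "") if the request may reach the real server,
    otherwise ("block", reason)."""
    try:
        req = parse_request(raw)
    except ValueError as e:
        return "block", f"malformed request: {e}"
    # 1. HTTP command
    if req.method not in ALLOWED_METHODS:
        return "block", f"method {req.method} not allowed"
    # 2. headers
    if "host" not in req.headers:
        return "block", "missing Host header"
    try:
        declared = int(req.headers.get("content-length", "0"))
    except ValueError:
        return "block", "bad Content-Length"
    if declared != len(req.body):   # inconsistent framing, the basis of request smuggling
        return "block", "Content-Length does not match body"
    if declared > MAX_BODY:
        return "block", "body too large"
    # 3. content: URL-decode first so that %27 cannot hide a quote from the patterns
    for text in (unquote_plus(req.target), unquote_plus(req.body.decode("iso-8859-1"))):
        for pattern, name in SIGNATURES:
            if pattern.search(text):
                return "block", name
    return "forward", ""


# Constructed sample requests
SAMPLES = {
    "ok_get":     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "sqli_query": b"GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace":      b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal":  b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "smuggle":    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nuser=admin&x=1",
    "ok_post":    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 10\r\n\r\nuser=alice",
}


def verdicts() -> dict:
    """Verdict ("forward" / "block") for each sample request."""
    return {name: inspect(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {inspect(raw)}")
```

Because the proxy terminates the client connection and rebuilds the request, a framing inconsistency such as a wrong Content-Length is rejected here rather than being passed on to a back-end that might parse it differently, which is the property a packet filter cannot provide.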

21
Q

Firewall architectures (list)

A
  • packet filter
  • dual-homed gateway
  • screened host
  • screened subnet
22
Q

Packet filter architecture and drawing

A

This architecture uses the packet filter to screen the traffic both at the IP level and at the upper levels.
If implemented on a router it is a "screening router architecture" and there is no need for extra dedicated hardware.
There is no proxy, hence no need to modify the applications.

  • simple
  • cheap
  • insecure!
  • single point of failure
23
Q

Dual-homed gateway architecture and drawing

A

It is called dual-homed because the gateway has two network cards, with automatic routing between them disabled.

It is composed of a packet filter and a bastion host (usually acting as gateway), so it is an implementation of the defense-in-depth principle.

The bastion host is just a general-purpose computer with gateway capabilities.

The traffic goes first to the packet filter and only if it passes its controls does it go on to the gateway.

  • easy to implement
  • small additional hardware requirements
  • the internal network can be masqueraded by the gateway even without NAT
  • inflexible, because every packet is double checked even when the information the gateway has does not improve the filtering -> useless checking that leads to a large work overhead
24
Q

Screened host architecture and drawing

A

This firewall architecture tries to improve on the dual-homed gateway.
It is made of a packet filter and a bastion host.

Here only the packets that need to be double checked go to the bastion host. The packet filter is connected both to the internal network and to the bastion host, so it directs the packets based on its own decisions.

This is a double line of defense, but not for every packet, and the packet filter is a single point of failure.

The packet filter is a router that:
* blocks traffic INT > EXT unless it comes from the bastion
* blocks traffic EXT > INT unless it goes to the bastion

The bastion host runs a circuit/application gateway to control the authorized services.

This architecture is more expensive and complex to manage (two systems rather than one) but more flexible (control can be skipped for some services / hosts).

Only the hosts/protocols passing through the bastion can be masked (unless the PF uses NAT).

25
Q

Screened subnet architecture and drawing

A

This architecture does not have a single point of failure, because it is made of two packet filters (ideally from different vendors, so that one bug does not affect both) and one bastion host.

The first packet filter permits or denies the traffic. The permitted traffic goes to the second one, which decides whether to send it to the internal network or to the bastion host.

There is a double defense also for the packets that are not filtered by the bastion host; it is a triple defense for those that pass through the bastion host.

This architecture has a DMZ (De-Militarized Zone). It contains not only the gateway but also the public servers, the remote points of access, ... It is completely decoupled both from the internal and from the external network.

Routing may be configured so that the internal network is unknown from outside.

This is the most complex and expensive solution.
To reduce costs and simplify management the PFs are often omitted (their function being incorporated into the gateway -> lower cost and a single interface): this configuration is also known as "three-legged firewall".
This means that the firewall is a single element with three cards, so it is again a single point of failure, and it is more complex, hence more prone to errors and to attacks.
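As an added example (not part of the original flashcards), the following zone model applies the screened-subnet architecture of this card to the scenario of card 1: an HTTP service on 8080 published through a reverse proxy in the DMZ, with the real web server also in the DMZ (the first of the two reverse-proxy configurations of card 19). Two packet filters sit in series, the exterior one between the Internet and the DMZ and the interior one between the DMZ and the internal network; the `failed_open` parameter simulates one of them having been compromised or misconfigured to accept everything, to show what the second line of defense still holds. Addresses, hosts and rules are constructed.

```python
"""Zone model of a screened subnet (two packet filters in series around a DMZ).
Added example; only the first packet of each connection is modelled, return
traffic is assumed to be matched statefully by each filter."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/24")
PROXY = ipaddress.ip_address("192.0.2.10")   # reverse proxy (bastion) in the DMZ
WEB = ipaddress.ip_address("192.0.2.20")     # real web server, also in the DMZ

ORDER = {"external": 0, "dmz": 1, "internal": 2}   # position along the topology


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def exterior_filter(f: Flow) -> bool:
    """Screening router Internet <-> DMZ (allowlist): outbound connections may
    leave; inbound connections may only reach the published proxy service."""
    if zone(f.dst) == "external":
        return True
    return zone(f.dst) == "dmz" and ipaddress.ip_address(f.dst) == PROXY and f.dport == 8080


def interior_filter(f: Flow) -> bool:
    """Screening router DMZ <-> internal (allowlist): connections may only be
    initiated from the internal side; nothing from the DMZ or beyond may
    open a connection into the internal network."""
    return zone(f.src) == "internal"


def filters_on_path(f: Flow) -> list:
    """Filters a flow traverses in the linear topology
    external | exterior_filter | dmz | interior_filter | internal."""
    lo, hi = sorted((ORDER[zone(f.src)], ORDER[zone(f.dst)]))
    on_path = []
    if lo <= 0 < hi:
        on_path.append(exterior_filter)
    if lo <= 1 < hi:
        on_path.append(interior_filter)
    return on_path


def decide(f: Flow, failed_open=None) -> str:
    """Verdict for a flow; `failed_open` names a filter assumed to accept
    everything (compromised or misconfigured), which is skipped."""
    for flt in filters_on_path(f):
        if flt is failed_open:
            continue
        if not flt(f):
            return "drop"
    return "accept"


SCENARIOS = {   # constructed flows
    "client_to_proxy_8080": Flow("198.51.100.7", "192.0.2.10", 8080),
    "client_to_web_direct": Flow("198.51.100.7", "192.0.2.20", 8080),
    "client_to_internal":   Flow("198.51.100.7", "10.0.0.5", 445),
    "internal_to_internet": Flow("10.0.0.5", "203.0.113.9", 443),
    "internal_to_proxy":    Flow("10.0.0.5", "192.0.2.10", 8080),
    "web_to_internal_db":   Flow("192.0.2.20", "10.0.0.5", 3306),
}


def verdicts(failed_open=None) -> dict:
    return {name: decide(f, failed_open) for name, f in SCENARIOS.items()}


if __name__ == "__main__":
    print("both filters working :", verdicts())
    print("exterior failed open :", verdicts(failed_open=exterior_filter))
```

With both filters working, only the proxy on 8080 is reachable from outside and nothing from the DMZ can open a connection inward, so a compromised web server cannot reach the internal database. If the exterior filter fails open, the whole DMZ becomes exposed (the direct flow to the web server is now accepted), but the interior filter still drops the flow from the Internet to the internal host: the attack is confined to the DMZ, which is the point of the double defense.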

26
Q

Local/personal firewall

A

This firewall is installed directly on the node to be protected and is typically a packet filter.
With respect to a normal network firewall, it may limit the PROCESSES that are permitted:
* to open network channels towards other nodes (i.e. act as a client)
* to answer network requests (i.e. act as a server)

It is important to limit the diffusion of malware and trojans, or to avoid configuration mistakes.
Beware: in order to be effective, the firewall management MUST be separated from system management (otherwise malware running with administrative rights can simply switch it off).

27
Q

Protection offered by a firewall

A

A firewall is 100% effective only against attacks over/against blocked channels.
The other channels, whose traffic is permitted, require other protection techniques:
* VPN
* “semantic” firewall / IDS
* application-level security

28
Q

Intrusion Detection System (IDS)

A

It is a system to identify actors using a computer or a network without authorization. It can be extended to identify authorized actors violating their privileges.

This system works on the hypothesis that the behavioural "pattern" of non-authorized users differs from that of the authorized ones.

There is the possibility of undetected attacks (false negatives) or of false positives. Human intervention is needed to check the alarms raised by the IDS.

They can be passive or active, but typically an IDS has both parts.

Passive IDS
It tries to identify signs of attacks using:
* cryptographic checksums (e.g. Tripwire) on the servers' files: it checks that they have not been modified
* pattern matching ("attack signatures"): it looks for specific packets that are typical of an attack

Active IDS
It goes through three steps:
1. "learning" = statistical analysis of the system behaviour
2. "monitoring" = active statistical collection of information on traffic, data, sequences, actions
3. "reaction" = comparison against the statistical parameters (reaction when a threshold is exceeded)

29
Q

IDS: topological features

A

HIDS (host-based IDS)
* log analysis (OS, service or application)
* internal OS monitoring tools

NIDS (network-based IDS)
* network traffic monitoring tools
* cannot perform detection if the traffic is encrypted

NIDS components
* sensor: checks traffic and logs looking for suspect patterns, then generates the relevant security events. It could also interact with the system (ACLs, TCP reset, ...)
* director: coordinates the sensors and manages the security database
* IDS message system: lets the sensors and the director communicate. It offers secure and reliable communication among the IDS components, providing authentication and integrity.

The communication, if possible, is carried over separate physical networks.

Taking the three-legged firewall as reference, an IDS deployed with it should be configured as follows:
* sensors on the internal network hosts
* a sensor on the internal interface of the firewall
* sensors on each server placed in the DMZ
* a network sensor on the external interface of the firewall
* the IDS director collects all their information

30
Q

IPS

A

Intrusion Prevention System
It is a technology whose goal is to speed up and automate the reaction to intrusions ("automate" being the worrying word) using an IDS and a distributed dynamic firewall.
This is a technology, not a product, with a large impact on many elements of the protection system.
It is dangerous! Being automatic, it may take the wrong decision and block innocent traffic.

Often integrated in a single product with the IDS.
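As an added example (not part of the original flashcards), the following minimal IDS/IPS pipeline runs over a constructed packet log. A passive, signature-based detector looks for a known pattern in the payload (card 28); an active, statistical detector learns a per-second ICMP baseline, monitors live counts and reacts when a threshold is exceeded (cards 8 and 28); the IPS part turns every alert into a rule on a dynamic firewall, inline, so later packets from the offender are dropped (cards 8 and 30). The log, the signature, the baseline and the threshold factor are all made up for the illustration, and the last burst in the log is a legitimate host tripping the threshold, which is exactly the false positive this card warns about.

```python
"""IDS (signature + anomaly) feeding an inline IPS with a dynamic firewall.
Added example with constructed traffic; thresholds and signatures are toys."""
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: int               # arrival time, whole seconds
    src: str
    proto: str           # "icmp" or "tcp"
    payload: bytes = b""


# Constructed attack signature for the passive, pattern-matching detector
SIGNATURES = {b"/bin/sh": "shell string in payload"}


def signature_check(p: Pkt) -> list:
    return [name for sig, name in SIGNATURES.items() if sig in p.payload]


class AnomalyDetector:
    """Active IDS: 1) learn a per-second ICMP baseline, 2) monitor live counts
    per (second, source), 3) react when a count exceeds mean + k * stdev."""
    def __init__(self, k: float = 3.0):
        self.k, self.threshold = k, None
        self.counts = Counter()

    def learn(self, baseline: list) -> float:
        span = range(min(p.t for p in baseline), max(p.t for p in baseline) + 1)
        icmp = Counter(p.t for p in baseline if p.proto == "icmp")
        per_second = [icmp[t] for t in span]
        self.threshold = statistics.mean(per_second) + self.k * statistics.pstdev(per_second)
        return self.threshold

    def check(self, p: Pkt) -> list:
        if p.proto != "icmp":
            return []
        self.counts[(p.t, p.src)] += 1
        n = self.counts[(p.t, p.src)]
        if n > self.threshold:
            return [f"icmp rate {n}/s exceeds threshold {self.threshold:.1f}"]
        return []


class DynamicFirewall:
    """Block rules added at run time: src -> (proto or None for all, expiry time)."""
    def __init__(self):
        self.rules = {}

    def block(self, src: str, proto, now: int, ttl: int = 60):
        self.rules[src] = (proto, now + ttl)

    def allows(self, p: Pkt) -> bool:
        proto, until = self.rules.get(p.src, (None, -1))
        return not (p.t < until and proto in (None, p.proto))


def run_ips(baseline: list, live: list, k: float = 3.0) -> dict:
    """Inline IPS: each packet is first checked against the dynamic firewall,
    then fed to the detectors; an alert immediately adds a block rule."""
    ids = AnomalyDetector(k)
    ids.learn(baseline)
    fw = DynamicFirewall()
    alerts, forwarded, dropped = [], 0, 0
    for p in live:
        if not fw.allows(p):
            dropped += 1
            continue
        sig, anomaly = signature_check(p), ids.check(p)
        if sig or anomaly:
            alerts += [(p.t, p.src, r) for r in sig + anomaly]
            # a signature hit blocks the source entirely, a flood only its protocol
            fw.block(p.src, None if sig else p.proto, p.t)
            dropped += 1
        else:
            forwarded += 1
    return {"alerts": alerts, "forwarded": forwarded, "dropped": dropped,
            "blocked": sorted(fw.rules)}


# Constructed baseline: 10 s of normal traffic, alternating 1 and 2 pings per second
BASELINE = [Pkt(t, "10.0.0.8", "icmp") for t in range(10) for _ in range(1 + t % 2)]

# Constructed live traffic
LIVE = (
    [Pkt(10, "203.0.113.50", "icmp")] * 6                        # ICMP flood
    + [Pkt(10, "10.0.0.8", "tcp", b"GET / HTTP/1.1")]            # normal request
    + [Pkt(11, "198.51.100.7", "tcp", b"id=1;/bin/sh -c id")]    # matches the signature
    + [Pkt(12, "198.51.100.7", "tcp", b"hello"),
       Pkt(12, "198.51.100.7", "icmp")]                           # both dropped: source is blocked
    + [Pkt(13, "10.0.0.8", "icmp")] * 5                           # legitimate burst -> false positive
)

if __name__ == "__main__":
    print("threshold:", AnomalyDetector().learn(BASELINE))
    print(run_ips(BASELINE, LIVE))
```

The baseline gives a mean of 1.5 ICMP packets per second with a standard deviation of 0.5, so the reaction threshold is 3.0: the fourth ping in one second from the same source raises an alert. That catches the flood, but it also blocks the internal host 10.0.0.8 at t=13, whose five pings were harmless; an automated reaction cannot tell the two apart, which is why an IPS is "dangerous" and why someone still has to review the alerts.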

31
Q

Next-Generation Firewall (NGFW)

A

It is a kind of firewall that tries to identify applications independently of the network port they use. If possible it decrypts and re-encrypts the traffic (TLS interception) in order to inspect it.
The goal is to identify the real application being carried over a given port.
This makes it possible to write per-application policies.

It offers integration with authentication systems, which makes it possible to write per-user policies.

32
Q

Unified Threat Management (UTM)

A

It is the integration of several products in a single device: firewall, VPN, anti-malware, content inspection, IDPS, ... It can provide just one of these functions or several, depending on how it is configured and how much you pay for it.

The actual capabilities depend on the manufacturer.
It is mainly aimed at reducing the number of different systems, hence the management complexity and the cost.

33
Q

Honey pot and Honey net

A

A honeypot is a security mechanism set up to detect, deflect or in some manner attract attempts at unauthorized use of information systems. It acts as a decoy (bait) that draws attackers in and lets their activities be monitored, so as to gather valuable information about their techniques and methods.

It consists in adding a second DMZ, called the decoy DMZ, that hosts the honeypot, a deliberately easy-to-attack machine. A honeynet is a whole network of such machines.

They can also be placed inside the internal network to detect malicious behaviour by internal users.
They can also be placed inside the internal network to detect malicious behaviours from internal users.