Firewalls Flashcards
Next Generation Firewall (NGFW)
Firewall that can identify the applications flowing across the network regardless of the IP address and port number used.
Teams can set policies to allow or block access to applications on the network.
Other names for NGFWs
- Application Layer Gateway
- Stateful Multilayer Inspection
- Deep Packet Inspection
NGFW Capabilities
- Allow or block an application at the feature level (e.g. permit a chat application but block its file-transfer feature)
- Identify attacks and malware and block them at the network level
- Examine encrypted traffic (after decrypting it; see SSL decryption below)
- Prevent access to specific URLs or URL categories
- SSL/TLS decryption capability
The firewall decrypts the traffic, inspects it, then re-encrypts it and sends it on its way. This only works if the clients trust the firewall's signing CA certificate; otherwise they will see certificate errors.
Host-based Firewalls
Personal firewall that runs on every endpoint.
1. Allows or disallows incoming and outgoing traffic per application.
2. Can see all state that is local to the host, and maintains control per application process.
3. Can see traffic inside the device, including traffic that never crosses the network.
4. Can identify malware and block it before execution.
5. Can be managed centrally.
Web Application Firewall (WAF)
Protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet.
Typically protects web applications from attacks such as:
1. cross-site request forgery (CSRF)
2. cross-site scripting (XSS)
3. file inclusion
4. SQL injection
What layer does a WAF align with?
A WAF is a layer 7 (application layer) defense.
It is not designed to defend against all types of attacks; it is usually one part of a suite of tools which together create a holistic defense against a range of attack vectors.
How does a WAF work?
WAFs operate through a set of rules often called policies. Policies protect against vulnerabilities in the application by filtering out malicious traffic.
The value of a WAF comes from the speed and ease with which policy modifications can be implemented:
- faster response to varying attack vectors
Example: during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies. (This helps against application-layer floods; purely volumetric floods still have to be absorbed upstream of the WAF.)
Where are WAFs deployed in relation to the web application server?
WAFs are deployed in front of a web application:
a shield is placed between the web application and the Internet.
A WAF is a type of reverse proxy. It protects the server from direct exposure by having clients pass through the WAF before reaching the server.
WAF Blocklist
A WAF that operates based on a blocklist (negative security model) protects against known attacks: anything that does not match a known-bad rule is let through, so it catches only what its rules already describe.
Think of a blocklist WAF as a club bouncer instructed to deny admittance to guests who don't meet the dress code.
WAF Allowlist
A WAF based on an allowlist (positive security model) only admits traffic that has been pre-approved: anything unexpected is denied, which also stops attacks nobody has written a rule for yet, at the cost of having to describe the application's legitimate traffic in detail. Many WAFs combine both models.
This is like the bouncer at an exclusive party who only admits people who are on the list.
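Added example (not from the original flashcards): a toy WAF policy engine in Python that puts the three ideas from the cards above side by side: a blocklist of known-bad signatures (negative model), an allowlist of the endpoints and parameters the application is known to use (positive model), and the per-client rate limit a team might switch on during a DDoS. The endpoints, parameter shapes, signature patterns and thresholds are all assumptions chosen for illustration, and the sample requests in the demo are constructed.

```python
"""Toy WAF policy engine (added example, not code from the original flashcards).

Models the three policy styles on the cards:
  * blocklist  (negative model): deny requests matching known-bad signatures
  * allowlist  (positive model): admit only pre-approved method/path/parameters
  * rate limit: deny a client that exceeds `limit` requests per `window` seconds
All patterns, endpoints and thresholds below are illustrative assumptions.
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Request:
    client_ip: str
    method: str
    target: str          # path plus optional query string, e.g. "/balance?account=1"
    body: str = ""       # form-encoded body for POST requests

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def params(self) -> list:
        """Query-string and body parameters as (name, value) pairs, percent-decoded."""
        pairs = parse_qsl(urlsplit(self.target).query, keep_blank_values=True)
        if self.body:
            pairs += parse_qsl(self.body, keep_blank_values=True)
        return pairs


# Blocklist: crude signatures for the attack classes named on the cards (assumed patterns).
BLOCKLIST = [
    ("sqli", re.compile(r"(?i)'\s*(or|and)\b|union\s+select|--")),
    ("xss", re.compile(r"(?i)<\s*script|javascript:|on\w+\s*=")),
    ("file_inclusion", re.compile(r"(?i)(\.\./){2,}|(php|file|data)://")),
]

# Allowlist: the only method/path/parameter combinations the app legitimately uses (assumed).
ALLOWLIST = {
    ("GET", "/login"): set(),
    ("POST", "/login"): {"username", "password"},
    ("GET", "/balance"): {"account"},
}
# Expected shape of each approved parameter (assumed).
PARAM_SHAPES = {
    "username": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
    "password": re.compile(r".{1,128}"),
    "account": re.compile(r"\d{8,12}"),
}


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client IP."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)   # client_ip -> timestamps of recent requests

    def allow(self, client_ip: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.seen[client_ip]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def blocklist_check(req: Request):
    """Negative model: reject any parameter value matching a known-bad signature."""
    for name, pattern in BLOCKLIST:
        for _, value in req.params:
            if pattern.search(value):
                return f"block:{name}"
    return None


def allowlist_check(req: Request):
    """Positive model: reject anything not explicitly pre-approved."""
    allowed = ALLOWLIST.get((req.method, req.path))
    if allowed is None:
        return "block:unknown_endpoint"
    for name, value in req.params:
        if name not in allowed:
            return f"block:unexpected_param:{name}"
        if not PARAM_SHAPES[name].fullmatch(value):
            return f"block:bad_shape:{name}"
    return None


def evaluate(req: Request, limiter: RateLimiter, now: float = None) -> str:
    """Rate limit first, then blocklist, then allowlist. Returns 'allow' or a block reason."""
    if not limiter.allow(req.client_ip, now):
        return "block:rate_limited"
    return blocklist_check(req) or allowlist_check(req) or "allow"


if __name__ == "__main__":
    limiter = RateLimiter(limit=100, window=60)
    for req in [  # constructed sample requests
        Request("203.0.113.5", "POST", "/login", "username=alice&password=correct+horse"),
        Request("203.0.113.5", "POST", "/login", "username=admin' OR '1'='1&password=x"),
        Request("203.0.113.5", "GET", "/balance?account=123456789&debug=1"),
        Request("203.0.113.5", "GET", "/admin"),
    ]:
        print(req.method, req.target, "->", evaluate(req, limiter))
```

The ordering matters: the blocklist alone would pass `GET /admin` and the stray `debug=1` parameter, because no signature matches them; the allowlist denies both simply because they were never approved. Conversely the blocklist's regexes will false-positive on legitimate values (a password containing `--`, say), which is why blocklist rules in a real WAF are tuned per application and why real engines normalise encodings before matching rather than relying on a single percent-decode as this toy does.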
Network-based WAF
A network-based WAF is generally hardware-based.
PROS:
Installed locally, which minimizes latency.
CONS:
The most expensive option.
Requires the storage and maintenance of physical equipment.
Host-based WAF
A host-based WAF may be fully integrated into an application's software.
PROS:
Less expensive than a network-based WAF.
Offers more customizability.
CONS:
Consumes local server resources.
Implementation complexity.
Maintenance costs.
These components typically require engineering time and may be costly.
Cloud-based WAF
PROS:
An affordable option that is very easy to implement.
They usually offer a turnkey installation that is as simple as a DNS change to redirect traffic. (The origin server should then accept connections only from the WAF provider's addresses; otherwise an attacker who learns the origin's IP can bypass the WAF entirely.)
Minimal upfront cost: users pay monthly or annually for security as a service.
Offers a solution that is consistently updated to protect against the newest threats without any additional work or cost on the user's end.
CONS:
Users hand over responsibility to a third party, so some features of the WAF may be a black box to them.
Example of Reverse Proxy Functionality
User checking a bank account balance:
- The bank's login page is served by a web server that acts as a reverse proxy.
- The user submits a username and password.
- The request again goes to the web server, which acts as a reverse proxy.
- The reverse proxy sends the request on to authentication servers, application servers and database servers that reside behind various firewalls on isolated private networks.
- The reverse proxy crafts a response based on the data returned from the servers on the private subnets.
- It sends that response back to the client on the public Internet; the client never connects to the internal servers directly.