Firewalls Flashcards

1
Q

What are the types of Firewalls?

A

Packet filtering router, Gateway firewalls (screened host, dual homed gateway firewall, screened subnet firewall), Additional Concepts (NAT, stateful inspection)

2
Q

What is a packet filtering router?

A

The router is the entry and exit point of a network, so it is a natural place to enforce firewall policy. Packet filtering routers use access control lists (ACLs) to permit or deny packets based on header fields.

3
Q

What two principles is an ACL based on?

A

sequential processing: entries are evaluated top to bottom and the first match wins

deny all except when explicitly permitted: every ACL ends in an implicit deny all

4
Q

What are the ACL orders of operation?

A

Order entries from most specific to least specific: deny the single host ("person"), deny that host's network ("family"), permit the wider trusted network ("friend"), and let the implicit deny all at the end catch everything else. Because processing stops at the first match, a broad permit placed first would shadow the specific denies below it.

5
Q

Describe the flowchart for ACL operation?

A
1 - Is there an ACL applied inbound on the interface the packet arrived on?
2 - If so, check for a permit; a packet that matches no permit entry is dropped
3 - Routing: look up the outgoing interface
4 - Is there an ACL applied outbound on that interface?
5 - If so, is the packet permitted? If not it is dropped, otherwise it is forwarded
6
Q

What are the parts of a standard acl?

A

access-list acl-number (1-99) permit|deny source [wildcard-mask]
interface type number
ip access-group acl-number in|out

A standard ACL matches on the source address only. The mask is a wildcard mask (a 0 bit must match, a 1 bit is "don't care"), not a subnet mask; omitting it means an exact host match.

7
Q

What are the parts of an extended acl?

A

access-list acl-number (100-199) permit|deny protocol source [source-wildcard] destination [destination-wildcard] [eq port-number]
interface type number
ip access-group acl-number in|out

An extended ACL matches on protocol (ip, tcp, udp, icmp), source, destination and, for tcp/udp, port number, so it can express "web traffic to this one server" where a standard ACL can only express "traffic from this source".
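Putting cards 3 through 7 together, here is an added worked example written for this page (it is not from the cards or any vendor's software): a small Python model that parses the standard and extended ACL syntax above, evaluates entries sequentially with the implicit deny, and runs a packet through the inbound ACL, routing, outbound ACL flowchart. The interface names, addresses, the `ip route` line and the whole sample configuration are constructed for illustration.

```python
import ipaddress
from collections import namedtuple
# Constructed example (not from a real device): Cisco-style standard (1-99) and
# extended (100-199) ACLs, evaluated top to bottom, first match wins, and
# anything unmatched hits the implicit deny all.
ANY = (0, 0xFFFFFFFF)   # address 0 with an all-ones wildcard matches everything
Packet = namedtuple("Packet", "src dst proto dport", defaults=("ip", None))
Rule = namedtuple("Rule", "action proto src dst dport")   # src/dst: (addr, wildcard)

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    addr = int(ipaddress.IPv4Address(tok))
    # Wildcard mask: 0 bit = must match, 1 bit = don't care; omitted means exact host.
    if tokens and tokens[0][0].isdigit():
        return (addr, int(ipaddress.IPv4Address(tokens.pop(0))))
    return (addr, 0)

def parse_acl_line(line):
    """Parse 'access-list N permit|deny ...' and return (N, Rule)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:                        # standard: source only
        return number, Rule(action, "ip", _addr(rest), ANY, None)
    if 100 <= number <= 199:                     # extended: proto, src, dst, [eq port]
        proto = rest.pop(0)
        src, dst = _addr(rest), _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return number, Rule(action, proto, src, dst, dport)
    raise ValueError(f"ACL {number} is neither standard nor extended")

def _matches(rule, pkt):
    def hit(ip, spec):   # bits set in the wildcard are ignored in the comparison
        return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])
    return ((rule.proto == "ip" or rule.proto == pkt.proto) and hit(pkt.src, rule.src)
            and hit(pkt.dst, rule.dst) and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt):
    """Sequential processing: the first matching entry decides. Returns (action, index)."""
    for idx, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, idx
    return "deny", None                          # implicit deny all at the end

class Router:
    def __init__(self, config):
        self.acls, self.bindings, self.routes, iface = {}, {}, [], None
        for line in (l.strip() for l in config.strip().splitlines()):
            if line.startswith("access-list"):
                number, rule = parse_acl_line(line)
                self.acls.setdefault(number, []).append(rule)
            elif line.startswith("interface"):
                iface = line.split()[1]
            elif line.startswith("ip access-group"):
                _, _, number, direction = line.split()
                self.bindings[(iface, direction)] = int(number)
            elif line.startswith("ip route"):    # static route to an exit interface
                _, _, net, mask, out_iface = line.split()
                self.routes.append((ipaddress.IPv4Network(f"{net}/{mask}"), out_iface))

    def _acl_check(self, iface, direction, pkt):
        number = self.bindings.get((iface, direction))
        if number is None or number not in self.acls:
            return "permit"   # no ACL here; an applied ACL with no entries also permits all
        return evaluate(self.acls[number], pkt)[0]

    def forward(self, in_iface, pkt):
        """The flowchart: inbound ACL, then routing, then outbound ACL."""
        if self._acl_check(in_iface, "in", pkt) == "deny":
            return "dropped-inbound"
        dst = ipaddress.IPv4Address(pkt.dst)
        routes = [(n, i) for n, i in self.routes if dst in n]
        if not routes:
            return "no-route"
        out_iface = max(routes, key=lambda r: r[0].prefixlen)[1]   # longest prefix wins
        if self._acl_check(out_iface, "out", pkt) == "deny":
            return "dropped-outbound"
        return "forwarded:" + out_iface

# Constructed configuration: Gi0/0 faces the user networks 192.168.0.0/16, Gi0/1 the
# protected servers 10.0.0.0/24. Extended ACL inbound on Gi0/0 (closest to the source);
# standard ACL outbound on Gi0/1 (closest to the protected network), host, network, permit.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 10.0.0.10 eq 80
access-list 101 permit tcp any host 10.0.0.10 eq 443
access-list 10 deny host 192.168.10.7
access-list 10 deny 192.168.20.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
interface GigabitEthernet0/0
ip access-group 101 in
interface GigabitEthernet0/1
ip access-group 10 out
ip route 10.0.0.0 255.255.255.0 GigabitEthernet0/1
"""
```

`Router(SAMPLE_CONFIG).forward("GigabitEthernet0/0", Packet("192.168.10.7", "10.0.0.10", "tcp", 80))` returns `dropped-outbound`: the extended ACL lets the HTTP request in, but the standard ACL's first entry catches the banned host before the broad permit. Reverse the order of ACL 10's entries and `evaluate` permits that host at index 0, which is exactly the shadowing the ordering rule guards against. The comment in `_acl_check` records a real IOS pitfall: binding an ACL number that has no entries filters nothing.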

8
Q

What is the rule of thumb for choosing an interface for Standard ACLs?

A

Bind it as close as possible to the destination (the network being protected). A standard ACL matches only on source address, so placing it near the source would block that source's traffic to every destination, not just the protected one.

9
Q

What is the rule of thumb for choosing an interface for extended ACLs

A

Place it as close as possible to the source network whenever possible. Because an extended ACL can identify the exact traffic to drop, filtering at the source keeps denied packets from crossing the network and consuming bandwidth and router cycles on the way to a destination that would reject them anyway.

10
Q

What are the limitations of packet filtering?

A
  • inspects only network-layer headers plus, at most, transport-layer port numbers; nothing above that
  • address spoofing can get past an ACL, since the source address is taken at face value
  • testing complex ACLs is difficult
  • consumes router processing time
  • filtering of specific application commands is not possible
  • no state information is stored, so each packet is judged on its own
  • allows a direct TCP connection between the outside and inside networks
11
Q

What pieces are part of a gateway firewall?

A

Inside clients and servers, outside clients and servers, and the bastion host, which runs the proxy clients and servers between them.

12
Q

What is a bastion host?

A

A special gateway host that acts as a relay for all services. For each application it runs a proxy: it is a server to the inside client and a client to the outside server. The BH eliminates the direct exchange of packets between the private network and the outside network.

13
Q

What are some design features of bastion hosts?

A
  • runs a secured (hardened) version of the OS
  • only essential services are installed
  • each proxy is independent of the others
  • each proxy can be configured to allow access only to specific hosts
  • each proxy can be configured to support only a subset of the application's command set
  • the BH requires additional authentication from the user
  • users are not permitted to log on to the BH
  • the proxies perform no disk access
14
Q

Describe a screened host firewall

A
  • the BH resides on the same network segment as the private hosts and secure servers
  • the packet filtering router is configured to let inbound traffic reach only the BH
  • inside systems may be permitted direct access to the Internet or may have to use the proxy services
  • the information servers do not require high security, so outside and inside users may be permitted to access them directly

High flexibility, low security.

15
Q

describe a dual homed gateway firewall

A
  • the BH has two network interfaces, one on the outside and one on the private network
  • all traffic destined for the private network is forced through the BH, so a proxy has to be set up for every application in use
  • information servers can be placed on a separate segment so that outside users can access them without going through a proxy

High security, low flexibility.
16
Q

describe a screened subnet firewall

A

Instead of a dual-homed BH, it uses two packet filtering routers. The BH and the information servers are placed on the segment between them, which defines a DMZ network between the private network and the outside network. Direct transmission of traffic across the DMZ (from one router straight to the other) is prohibited.
Outer router R2:
Inbound traffic - allowed only to the BH or to the information servers
Outbound traffic - allowed only from the BH
Inner router R1:
Inbound traffic (toward the private network) - allowed only from the BH
Outbound traffic (from the private network) - allowed only to the BH and possibly to the information servers

Good flexibility and good security.

17
Q

What does NAT stand for?

A

Network Address Translation

18
Q

What is the NAT concept?

A

One of the important features of a gateway firewall is that the IP addresses of the private network need not be advertised to outside networks. NAT makes this possible by translating internal (private) addresses to external (public) addresses at the gateway.
In addition to hiding the internal address space, NAT is also very useful in mitigating the problem of IPv4 address depletion.

19
Q

Describe a static NAT

A

Every internal host is assigned a unique external address. The address mapping is fixed (1 to 1).
Simplest to set up
Least efficient in terms of address preservation
Useful when internal hosts have to be accessible from outside

20
Q

Describe a dynamic NAT

A

Each private IP address is assigned a public address at the NAT on demand; the mapping can change over time.

Many to a pool:

  • solves the inefficiency of static NAT, since only hosts that are currently active hold a public address
  • however, if the NAT runs out of registered addresses to allocate, further access is denied

Many to 1 NAT (port address translation, PAT):

  • translates multiple private addresses to one single public address by rewriting the client's source port, so the NAT can tell returning packets apart by port number
  • useful when a large number of internal users require simultaneous connections to the outside network

21
Q

A company has 15 servers and 1000 clients. How many public addresses does it need?

A

16 public addresses: 15 static one-to-one mappings for the servers, which must be reachable from outside, and 1 address shared by all 1000 clients through many-to-one NAT (PAT). A dynamic pool of one address would serve only one client at a time.
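As an added example for cards 19 to 21 (written here, not taken from the cards or any product), the following Python models the three NAT mappings and the sizing question: static one-to-one, dynamic many-to-pool with lease exhaustion, and many-to-one with port rewriting, plus the reverse lookup a gateway needs for return traffic. All addresses, host counts and the `company_plan` helper are constructed.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Added example, not from the page or any product: a toy NAT gateway with the
# three mappings the cards describe (static 1:1, dynamic many-to-pool, many-to-1
# by port) and the reverse lookup needed for return traffic. All addresses,
# hosts and pool sizes are constructed for illustration.
Endpoint = Tuple[str, int]   # (ip, port)

class NatGateway:
    def __init__(self, static: Dict[str, str] = None, pool: List[str] = None,
                 pat_address: Optional[str] = None):
        self.static = dict(static or {})           # private ip -> public ip, fixed
        self.free_pool = list(pool or [])          # dynamic: addresses not yet leased
        self.leases: Dict[str, str] = {}           # private ip -> leased public ip
        self.pat_address = pat_address             # one public address shared by many
        self.pat_ports = itertools.count(1024)     # next translated source port
        self.pat_table: Dict[int, Endpoint] = {}   # public port -> private endpoint

    def outbound(self, private: Endpoint) -> Optional[Endpoint]:
        """Translate a private source endpoint; None means access is denied."""
        ip, port = private
        if ip in self.static:                      # static: mapping never changes
            return self.static[ip], port
        if ip in self.leases:                      # dynamic: keep the current lease
            return self.leases[ip], port
        if self.free_pool:                         # dynamic: lease on demand
            self.leases[ip] = self.free_pool.pop(0)
            return self.leases[ip], port
        if self.pat_address is not None:           # many-to-1: tell hosts apart by port
            pub_port = next(self.pat_ports)
            self.pat_table[pub_port] = private
            return self.pat_address, pub_port
        return None                                # pool exhausted, no PAT: denied

    def release(self, private_ip: str) -> None:
        """End a dynamic lease so its public address returns to the pool."""
        public = self.leases.pop(private_ip, None)
        if public is not None:
            self.free_pool.append(public)

    def inbound(self, public: Endpoint) -> Optional[Endpoint]:
        """Map a packet arriving for a public endpoint back to the private host."""
        ip, port = public
        for table in (self.static, self.leases):   # 1:1 mappings keep the port
            for private_ip, public_ip in table.items():
                if public_ip == ip:
                    return private_ip, port
        if ip == self.pat_address:                 # unknown port: no entry, nothing to deliver to
            return self.pat_table.get(port)
        return None

def company_plan(server_ips, client_ips, public_block):
    """Card 21 sizing: one static address per server (reachable from outside) and
    one shared PAT address for all clients. Returns the gateway and the set of
    public addresses actually used after every client opens one connection."""
    static = dict(zip(server_ips, public_block))
    gw = NatGateway(static=static, pat_address=public_block[len(server_ips)])
    used = set(static.values())
    for ip in client_ips:
        used.add(gw.outbound((ip, 40000))[0])
    return gw, used
```

With 15 servers and 1000 clients, `company_plan` ends up using exactly 16 public addresses, and the 1000 clients sit in the PAT table under distinct public ports on the one shared address. A separate gateway built with only a two-address pool shows the dynamic NAT failure mode: the third host gets `None` until one of the first two is released. Note also what `inbound` does for the PAT address: a packet to a port with no table entry maps to nothing, which is why inside clients behind PAT are not reachable by outsiders who never saw them connect out.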

22
Q

What are some of the limitations of traditional firewalls?

A
  • limited security for connectionless services: for such services the firewall acts mainly like a packet filter
  • even for connection-oriented services, spoofing can penetrate the firewall
  • these limitations arise because traditional firewalls do not store the state or context information of the interaction
23
Q

What is a stateful inspection firewall?

A
  • the basic principles of a gateway firewall plus the state and context of the ongoing interaction, i.e. the history of the transaction
  • tracks the history of port numbers and addresses used, types of requests, and sequence numbers
  • stateful inspection allows more intelligent decisions by matching each packet against information from previous communication and application states
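To make the difference between the limitations in cards 10 and 22 and the stateful approach in card 23 concrete, here is an added Python example (written for this page, not from the cards): a minimal stateful inspection engine for TCP beside a stateless filter that only looks at the ACK bit. The state table tracks the handshake per connection, including the sequence numbers the card mentions, and drops inbound segments that have no matching entry or carry the wrong ack number. The `Segment` type, the direction flag and every address and sequence value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Added example, not from the page: a minimal stateful inspection engine for TCP.
# An outbound SYN from the inside creates a connection entry that records the
# client's initial sequence number; inbound segments are permitted only when they
# belong to a known entry and, during the handshake, carry the ack value the real
# peer would send. The direction comes from the arriving interface, as on a real
# firewall, not from the (spoofable) source address. All values are constructed.

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]       # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0

def stateless_established_filter(seg: Segment) -> str:
    """Packet-filter approximation of 'replies only': ACK or RST bit set passes."""
    return "permit" if seg.flags & {"ACK", "RST"} else "deny"

class StatefulFirewall:
    def __init__(self):
        # key is always (client ip, client port, server ip, server port)
        self.flows: Dict[Tuple[str, int, str, int], dict] = {}

    def process(self, seg: Segment, from_inside: bool) -> str:
        """Return 'permit' or 'deny' for one segment and update the state table."""
        if from_inside:
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            flow = self.flows.get(key)
            if flow is None:
                if seg.flags == {"SYN"}:            # new outbound connection
                    self.flows[key] = {"state": "SYN_SENT", "client_isn": seg.seq}
                    return "permit"
                return "deny"                       # no context for this segment
            if "RST" in seg.flags:                  # teardown: forget the flow
                del self.flows[key]
                return "permit"
            if (flow["state"] == "SYN_RECEIVED" and "ACK" in seg.flags
                    and seg.ack == flow["server_isn"] + 1):
                flow["state"] = "ESTABLISHED"       # third handshake step seen
            return "permit"
        # from outside: must match an existing flow, looked up with the ends swapped
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        flow = self.flows.get(key)
        if flow is None:
            return "deny"                           # unsolicited or spoofed
        if flow["state"] == "SYN_SENT":
            if seg.flags == {"SYN", "ACK"} and seg.ack == flow["client_isn"] + 1:
                flow.update(state="SYN_RECEIVED", server_isn=seg.seq)
                return "permit"
            return "deny"                           # wrong ack: not the peer's reply
        if "RST" in seg.flags:
            del self.flows[key]
        return "permit"
```

A forged ACK-only segment aimed at an inside host passes `stateless_established_filter` (that is the "address spoofing can penetrate ACLs" and "state information is not stored" limitation in one line) but is denied by `StatefulFirewall.process` because no table entry exists for it. A SYN/ACK from the right peer with the wrong acknowledgment number is also refused, since the engine recorded the client's initial sequence number and expects it plus one. Real engines additionally age entries out, validate sequence windows on established flows and handle FIN, which this model omits.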
24
Q

What is a host firewall?

A

Placed on clients and servers as the last line of defense. It can offer tailored security because the host has fewer functions to support, so its rule set can be much tighter than a network firewall's.

25
Q

What are some trends in firewalls?

A
  • deep inspection firewalls
  • content based filtering
  • integration of content based filtering, deep inspection, stateful inspection, intrusion detection and anti-virus protection in one device
26
Q

What are some limitations of firewalls overall?

A
  • firewall security rests on two assumptions: all internal users are trusted, and all traffic from outside flows through the firewall
  • does not protect against malicious code/malware carried inside permitted traffic
  • cannot inspect what it cannot read: encrypted headers or payloads pass through unexamined
  • performance drain
  • once the data leaves the firewall, it offers no further protection