Firewalls Flashcards
The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
(T/F)
True
A firewall can serve as the platform for IPSec. (T/F)
True
A packet filtering firewall is typically configured to filter packets going in both directions. (T/F)
True
A prime disadvantage of an application-level gateway is the additional processing overhead on each connection. (T/F)
True
A DMZ is one of the internal firewalls protecting the bulk of the enterprise network. (T/F)
False
The _______ defines the transport protocol.
IP protocol field
A _________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.
circuit-level
Typically the systems in the ________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server.
DMZ
A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.
distributed firewall
The ________ attack is designed to circumvent filtering rules that depend on TCP header information.
tiny fragment
Firewall design goals
All traffic from inside to outside and vice versa must pass through firewall.
Only authorized traffic as defined by local security policy will be allowed to pass
The firewall itself is immune to penetration. (use hardened system)
Critical component to planning/implementation of firewall
suitable access policy: lists traffic authorized to pass through the firewall
Type of traffic
address ranges
protocols
applications
content
Firewall characteristics
IP Address and Protocol Values
Application Protocol
User Identity
Network Activity
Firewall Capabilities
Firewall defines a single choke point that attempts to keep unauthorized users out of the protected network, prohibits potentially vulnerable services from entering/leaving the network, and provides protection from IP spoofing and routing attacks
Provides location for monitoring security related events
Platform for internet functions not related to security
Platform for IPSec (implement virtual private networks)
Gives insight into traffic mix via logging
Network Address Translation
Encryption
Firewall Limitations
Firewalls cannot protect…
- Traffic that does not cross it
  - Routing around
  - Internal traffic
- When misconfigured
Can’t protect against attacks that bypass the firewall (internal systems with dial-out or mobile broadband, or dial-in)
Can’t fully protect against internal threats
Improperly secured wireless LAN accessible from outside
Laptop, PDA, portable storage device may be infected outside the network and then attached internally
Types of Firewalls
Packet filtering
Stateful inspection
Application proxy/Application Level Gateway
Circuit level firewall/gateway/proxy
Packet Filtering Firewall
Rules applied to incoming/outgoing IP packets.
Packet Filtering Firewall
Filtering rules based on:
Source IP address
Destination IP address
Source and destination transport level address
IP Protocol field
Interface
Packet Filtering Firewall
Default policies
Discard packets not expressly permitted
- More conservative, controlled, visible to users
Forward packets not expressly prohibited
- Easier to manage and use but less secure
Packet Filtering Firewall weaknesses
don’t examine upper-layer data, so can’t prevent attacks that employ application-specific vulnerabilities or functions
limited information available, so logging functionality limited
don’t support advanced user authentication schemes
vulnerable to attacks and exploits of the TCP/IP specification and protocol stack (network-layer address spoofing)
small number of variables used in access control decisions, so susceptible to security breaches from improper configurations
Packet Filtering Firewall
Typical attacks
IP address spoofing
Source routing attacks
Tiny fragment attacks
Stateful Inspection Firewalls
creates a directory of outbound TCP connections, with an entry for each currently established connection; the firewall only allows incoming traffic to high-numbered ports for packets that fit a profile in the directory
tightens up packet filters
Application Level Gateway
aka application proxy
acts as a relay of application level traffic. user must be authenticated before gateway relays TCP segments containing application data between endpoints
More secure than packet filters
disadvantage: additional processing overhead on each connection
Circuit level Gateway
aka circuit level proxy
can be stand-alone or specialized
does not permit end to end TCP connection
Gateway relays TCP segments from one connection to another without examining contents. Just determines which connections allowed
Example: SOCKS
Firewall Basing Considerations
Bastion Host: system identified as a critical strong point in network security
Host-based firewall: software module used to secure individual host
Personal firewall: controls traffic between PC/workstation and internet/enterprise network
Firewall Location and Configuration options
DMZ Networks
Virtual Private Networks
Distributed Firewalls
DMZ Networks
External firewall at edge of network just inside router that connects to Internet
Internal firewalls protect the bulk of networked devices. 3 purposes:
- adds more stringent filtering
- two-way protection (protects the remainder of the network from attacks launched from the DMZ and protects the DMZ from internal attacks)
- multiple internal firewalls protect internal systems from each other
Systems externally accessible but protected
Virtual Private Networks
set of computers that interconnect by means of an unsecure network and make use of encryption and special protocols that provide security
Distributed Firewalls
Stand-alone firewall devices plus host-based firewalls working together under central administrative control
May need internal DMZ and external DMZ
Firewall Topologies
Host-resident firewall (personal firewall software, firewall software on servers)
Screening router (single router between internal and external networks with stateless or full packet filtering)
Single bastion inline (single firewall device between internal and external router)
Single bastion T (similar to single bastion inline but with third network interface on bastion to DMZ)
double bastion inline (DMZ sandwiched between bastion firewalls)
Distributed firewall configuration
Intrusion Prevention Systems
Host Based IPS (signature/heuristic or anomaly detection techniques to identify attacks)
Network-Based IPS (inline NIDS with authority to modify/discard packets and tear down TCP connections)
Distributed or Hybrid IPS (gathers data from host and network based sensors in central analysis system to return updated signatures and behavior patterns)
Network-Based IPS
Methods to identify malicious packets:
- pattern matching
- stateful matching
- protocol anomaly
- traffic anomaly
- statistical anomaly
Host Based IPS Examples
- modification of system
- privilege escalation exploits
- buffer overflow exploits
- access to email contact lists
- directory traversal
Firewall defined
Firewall is a widely-deployed prevention technology.
Firewalls can protect your computer and your personal information from
Hackers breaking into your system (attack traffic is often from untrusted parts of the Internet or even known malicious sites, and a firewall can block it)
Viruses and worms that spread across the Internet (There are several ways to identify and block such traffic, such as the volume of the traffic, the fact that it consists of specially crafted packets known to target vulnerable services, or that it comes from all over the Internet including untrusted networks; the firewall can use such knowledge to block virus and worm traffic.)
Outgoing traffic from your computer created by a virus infection (This is similar to #2, except the traffic is outbound rather than inbound.)
Firewalls cannot provide protection
Against phishing scams and other fraudulent activity, spyware being installed on your computer, or viruses spread through e-mail (spyware steals information and sends it out to a site; such a site can appear to be legitimate, or at least not known to be malicious, and the volume of traffic can be small, so it can be hard for a firewall to stop it)
Against Internet traffic that appears to be from a legitimate source (because the firewall is designed to allow traffic from a legitimate source, e.g., another trusted network).
Firewall Design Goals
Enforcement of security policies
- All traffic from internal network to the Internet, and vice versa, must pass through the firewall
- Only traffic authorized by policy is allowed to pass
Dependable
- The firewall itself is immune to subversion
Filtering Types
Packet filtering
- Access Control Lists
Session filtering
- Dynamic Packet Filtering
- Stateful Inspection
- Context Based Access Control
Packet Filtering Advantages
Simplicity
Typically transparent to users and very fast
Tiny fragment attacks
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected. The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through.
In order for a fragmented packet to be successfully reassembled at the destination, each fragment must obey the following rules.
Each fragment must share a common fragment ID number.
Each fragment must say what its place or offset is in the original unfragmented packet.
Each fragment must tell the length of the data carried in the fragment.
Each fragment must indicate whether more fragments follow it.
Bastion Hosts Common characteristics:
Runs secure O/S, only essential services
May require user authentication to access proxy or host
Each proxy can restrict features, hosts accessed
Each proxy is small, simple, checked for security
Limited disk use, hence read-only code
Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.
Host Based Firewall Advantages
Filtering rules can be tailored to the host environment
Protection is provided independent of topology
Provides an additional layer of protection
Advanced Firewall Protection
Stealth Mode hides the system from the internet by dropping unsolicited communication packets
UDP packets can be blocked
Logging for checking on unwanted activity
Applications must have authorization to provide services
Internal Firewall Purposes:
Add more stringent filtering capability
Provide two-way protection with respect to the DMZ
Multiple firewalls can be used to protect portions of the internal network from each other