Firewalls Flashcards

1
Q

The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
(T/F)

A

True

2
Q

A firewall can serve as the platform for IPSec. (T/F)

A

True

3
Q

A packet filtering firewall is typically configured to filter packets going in both directions. (T/F)

A

True

4
Q

A prime disadvantage of an application-level gateway is the additional processing overhead on each connection. (T/F)

A

True

5
Q

A DMZ is one of the internal firewalls protecting the bulk of the enterprise network. (T/F)

A

False

6
Q

The _______ defines the transport protocol.

A

IP protocol field

7
Q

A _________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

A

circuit-level

8
Q

Typically the systems in the ________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server.

A

DMZ

9
Q

A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.

A

distributed firewall

10
Q

The ________ attack is designed to circumvent filtering rules that depend on TCP header information.

A

tiny fragment

11
Q

Firewall design goals

A

All traffic from inside to outside, and vice versa, must pass through the firewall.

Only authorized traffic, as defined by the local security policy, will be allowed to pass.

The firewall itself is immune to penetration (which implies a hardened system).

12
Q

Critical component to planning/implementation of firewall

A

A suitable access policy: lists the types of traffic authorized to pass through the firewall

13
Q

Types of traffic an access policy may specify

A

address ranges

protocols

applications

content

14
Q

Firewall characteristics

A

IP Address and Protocol Values

Application Protocol

User Identity

Network Activity

15
Q

Firewall Capabilities

A

Defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from IP spoofing and routing attacks

Provides a location for monitoring security-related events

Platform for Internet functions not related to security (e.g. NAT, usage logging)

Platform for IPSec (to implement virtual private networks)

Gives insight into the traffic mix via logging

Network Address Translation

Encryption

16
Q

Firewall Limitations

A

Firewalls cannot protect:
- traffic that does not cross them
    - traffic routed around the firewall
    - internal traffic
- anything, when misconfigured

Can't protect against attacks that bypass the firewall (internal systems with dial-out or mobile broadband, or dial-in access)

Can't fully protect against internal threats

An improperly secured wireless LAN may be accessible from outside the perimeter

A laptop, PDA, or portable storage device may be infected outside the network and then attached internally

17
Q

Types of Firewalls

A

Packet filtering

Stateful inspection

Application proxy/Application Level Gateway

Circuit level firewall/gateway/proxy

18
Q

Packet Filtering Firewall

A

Rules applied to incoming/outgoing IP packets.

19
Q

Packet Filtering Firewall

Filtering rules based on:

A

Source IP address

Destination IP address

Source and destination transport level address

IP Protocol field

Interface

20
Q

Packet Filtering Firewall

Default policies

A

Discard packets not expressly permitted
-More conservative, controlled, visible to users

Forward packets not expressly prohibited
-Easier to manage and use but less secure

21
Q

Packet Filtering Firewall weaknesses

A

Don't examine upper-layer data, so can't prevent attacks that employ application-specific vulnerabilities or functions

Limited information is available to the firewall, so logging functionality is limited

Don't support advanced user authentication schemes

Vulnerable to attacks and exploits of the TCP/IP specification and protocol stack (e.g. network-layer address spoofing)

Small number of variables used in access control decisions, so susceptible to security breaches caused by improper configuration

22
Q

Packet Filtering Firewall

Typical attacks

A

IP address spoofing

Source routing attacks

Tiny fragment attacks
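
The rule matching on the packet-filtering cards above (cards 18 to 22), as an added example that is not part of the deck or of any firewall product: a top-down rule table over source and destination address, IP protocol, destination port and arriving interface, with the default policy selectable so both "discard unless permitted" and "forward unless prohibited" can be compared. The first rule is the usual interface-based countermeasure to IP address spoofing: a packet carrying an internal source address that arrives on the external interface is discarded. The prefixes are taken from the RFC 5737 documentation ranges, and the rule set and sample packets are constructed for the example.

```python
"""Toy stateless packet filter: a rule table evaluated top-down with a
configurable default policy.  Added example; rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str               # IP protocol field, e.g. "tcp", "udp", "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    iface: Optional[str] = None       # None in any field matches any value
    src: Optional[str] = None         # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


INTERNAL = "192.0.2.0/24"        # constructed internal prefix (RFC 5737 range)
WEB_SERVER = "203.0.113.10/32"   # constructed public web server in the DMZ

RULES = [
    # Anti-spoofing: an internal source address can never legitimately arrive
    # on the external interface
    Rule("deny", iface="ext", src=INTERNAL),
    # Anyone may reach the web server on HTTP and HTTPS
    Rule("permit", iface="ext", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("permit", iface="ext", dst=WEB_SERVER, proto="tcp", dport=443),
    # Inside hosts may originate traffic to the outside
    Rule("permit", iface="int", src=INTERNAL),
]


def filter_packet(p: Packet, rules=RULES, default: str = "deny") -> str:
    """First matching rule wins; if no rule matches, the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def verdicts(default: str):
    """Run four constructed packets through the table under the given default policy."""
    samples = [
        Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 40000, 443),  # client to web server
        Packet("ext", "192.0.2.5", "203.0.113.10", "tcp", 40000, 443),     # spoofed internal source
        Packet("ext", "198.51.100.7", "192.0.2.20", "tcp", 40000, 22),     # SSH straight to an inside host
        Packet("int", "192.0.2.20", "198.51.100.7", "tcp", 51000, 80),     # outbound browsing
    ]
    return [filter_packet(p, default=default) for p in samples]


if __name__ == "__main__":
    print("default deny:  ", verdicts("deny"))
    print("default permit:", verdicts("permit"))
```

Only the third packet, the SSH attempt that no rule mentions, changes verdict between the two default policies, which is the whole difference the "default policies" card describes: under default-discard an unlisted service stays blocked until someone writes a rule for it.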

23
Q

Stateful Inspection Firewalls

A

Creates a directory of outbound TCP connections, with an entry for each currently established connection. The firewall allows incoming traffic to high-numbered ports only for packets that fit the profile of an entry in the directory.

Tightens up the rules for TCP traffic compared with a pure packet filter, which has to admit all inbound packets to high-numbered ports that merely have the ACK bit set.
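
The directory behaviour on the card above, as an added example that is not the deck's or any vendor's code: an outbound SYN to a permitted service creates an entry, inbound packets are admitted only when they match an entry, and a RST removes it. The stateless approximation a plain packet filter must use ("inbound packets with the ACK bit set to ports above 1023") is shown alongside so the difference is visible on the same packet sequence. Hosts, ports and the packet sequence are constructed.

```python
"""Stateful inspection directory versus the stateless 'ACK bit' rule.
Added example; hosts and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": inside -> outside, "in": outside -> inside
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


class StatefulFilter:
    """Connections are keyed by (inside addr, inside port, outside addr, outside port)."""

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table = {}          # key -> "SYN_SENT" | "ESTABLISHED"

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.table:
                if p.rst:
                    del self.table[key]
                return "permit"
            # Only a fresh SYN to a permitted service may create a directory entry
            if p.syn and not p.ack and p.dport in self.allowed:
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"
        # Inbound: the packet must belong to a connection an inside host opened
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return "deny"        # unsolicited, even with the ACK bit set
        if p.rst:
            del self.table[key]  # teardown: later packets for this tuple are denied
        elif state == "SYN_SENT" and p.syn and p.ack:
            self.table[key] = "ESTABLISHED"
        return "permit"


def stateless_established_rule(p: Packet) -> str:
    """What a pure packet filter can do: admit inbound packets to high-numbered
    ports whenever the ACK bit is set, because it cannot know which connections exist."""
    if p.direction == "in":
        return "permit" if p.ack and p.dport >= 1024 else "deny"
    return "permit"


def run_scenario():
    inside, web, attacker = "192.0.2.20", "198.51.100.7", "198.51.100.9"
    flow = [
        Packet("out", inside, web, 51000, 80, syn=True),                    # client SYN
        Packet("in", web, inside, 80, 51000, syn=True, ack=True),           # server SYN/ACK
        Packet("in", web, inside, 80, 51000, ack=True),                     # response data
        Packet("in", attacker, inside, 80, 51000, ack=True),                # forged "reply" from another host
        Packet("in", attacker, inside, 4444, 51000, syn=True),              # inbound connection attempt
        Packet("in", web, inside, 80, 51000, rst=True, ack=True),           # server tears the connection down
        Packet("in", web, inside, 80, 51000, ack=True),                     # straggler after teardown
    ]
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    return [fw.check(p) for p in flow], [stateless_established_rule(p) for p in flow]


if __name__ == "__main__":
    stateful, stateless = run_scenario()
    for i, (a, b) in enumerate(zip(stateful, stateless), 1):
        print(f"packet {i}: stateful={a:6s} stateless={b}")
```

Packet 4 is the one that matters: a forged packet with the ACK bit set from a host the inside client never talked to passes the stateless rule but has no directory entry, so the stateful filter drops it. Packet 7 shows the other half of the card: once the connection is gone from the directory, its tuple is no longer a free pass.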

24
Q

Application Level Gateway

A

aka application proxy

Acts as a relay of application-level traffic. The user must be authenticated before the gateway relays TCP segments containing application data between the endpoints; because the gateway understands the application protocol, it can also restrict which features of the application are allowed and log application-level activity.

More secure than packet filters

disadvantage: additional processing overhead on each connection

25
Q

Circuit level Gateway

A

aka circuit level proxy

Can be a stand-alone system or a specialized function performed by an application-level gateway for certain applications

Does not permit an end-to-end TCP connection

The gateway relays TCP segments from one connection to the other without examining their contents; it only determines which connections are allowed

Example: SOCKS

26
Q

Firewall Basing Considerations

A

Bastion host: a system identified by the firewall administrator as a critical strong point in the network's security; typically serves as a platform for application-level or circuit-level gateways

Host-based firewall: a software module used to secure an individual host

Personal firewall: controls traffic between a PC or workstation and the Internet or enterprise network

27
Q

Firewall Location and Configuration options

A

DMZ Networks

Virtual Private Networks

Distributed Firewalls

28
Q

DMZ Networks

A

External firewall sits at the edge of the network, just inside the boundary router that connects to the Internet

Internal firewalls protect the bulk of networked devices. 3 purposes:

  1. add more stringent filtering
  2. two-way protection (protect the remainder of the network from attacks launched from the DMZ, and protect the DMZ from internal attacks)
  3. multiple internal firewalls can protect internal systems from each other

Systems in the DMZ are externally accessible but still protected

29
Q

Virtual Private Networks

A

A set of computers that interconnect by means of an unsecure network and make use of encryption and special protocols to provide security

30
Q

Distributed Firewalls

A

Stand-alone firewall devices plus host-based firewalls working together under central administrative control

May need internal DMZ and external DMZ

31
Q

Firewall Topologies

A

Host-resident firewall (personal firewall software, firewall software on servers)

Screening router (single router between internal and external networks with stateless or full packet filtering)

Single bastion inline: (single firewall device between internal and external router)

Single bastion T (similar to single bastion inline but with third network interface on bastion to DMZ)

double bastion inline (DMZ sandwiched between bastion firewalls)

Distributed firewall configuration

32
Q

Intrusion Prevention Systems

A

Host Based IPS (signature/heuristic or anomaly detection techniques to identify attacks)

Network-Based IPS (inline NIDS with authority to modify/discard packets and tear down TCP connections)

Distributed or Hybrid IPS (gathers data from host and network based sensors in central analysis system to return updated signatures and behavior patterns)

33
Q

Network-Based IPS

Methods to identify malicious packets:

A
  • pattern matching
  • stateful matching
  • protocol anomaly
  • traffic anomaly
  • statistical anomaly
34
Q

Host Based IPS Examples

A
  • modification of system resources
  • privilege escalation exploits
  • buffer overflow exploits
  • access to email contact lists
  • directory traversal

35
Q

Firewall defined

A

A firewall is a widely deployed prevention technology.

36
Q

Firewalls can protect your computer and your personal information from

A

Hackers breaking into your system (attack traffic often comes from untrusted parts of the Internet, or even from known malicious sites, and a firewall can block it)

Viruses and worms that spread across the Internet (there are several ways to identify and block such traffic: its volume, the fact that it carries specially crafted packets known to target vulnerable services, or its arrival from all over the Internet including untrusted networks; the firewall can use such knowledge to block virus and worm traffic)

Outgoing traffic from your computer created by a virus infection (similar to #2, except that the traffic is outbound rather than inbound)

37
Q

Firewalls cannot provide protection

A

Against phishing scams and other fraudulent activity, spyware being installed on your computer, or viruses spread through e-mail (spyware steals information and sends it out to a site; that site can appear legitimate, or at least not be known to be malicious, and the volume of traffic can be small, so it is hard for a firewall to stop it)

Against Internet traffic that appears to come from a legitimate source (because the firewall is designed to allow traffic from legitimate sources, e.g. another trusted network)

38
Q

Firewall Design Goals

A

Enforcement of security policies
- All traffic from the internal network to the Internet, and vice versa, must pass through the firewall
- Only traffic authorized by policy is allowed to pass

Dependable
- The firewall itself is immune to subversion

39
Q

Filtering Types

A

Packet filtering
- Access Control Lists

Session filtering
- Dynamic Packet Filtering
- Stateful Inspection
- Context Based Access Control

40
Q

Packet Filtering Advantages

A

Simplicity

Typically transparent to users and very fast

41
Q

Tiny fragment attacks

A

The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet; all subsequent fragments of that packet are filtered out solely on the basis that they are part of a packet whose first fragment was rejected. The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through.

Countermeasure: enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header (enough to include the TCP flags). If the first fragment is rejected, the filter can remember the packet and discard all of its subsequent fragments.

42
Q

In order for a fragmented packet to be successfully reassembled at the destination each fragment must obey the following rules.

A

Each fragment must share a common fragment identification number.

Each fragment must say what its place, or offset, is in the original unfragmented packet.

Each fragment must tell the length of the data carried in the fragment.

Each fragment must indicate whether more fragments follow it (the MF flag).
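
The two cards above, as one added example that is not part of the deck: it builds IPv4 fragments from a constructed TCP segment, reassembles them by exactly the four rules just listed (shared identification, offset, length, more-fragments flag), and runs them through two filters. The first looks only at the first fragment and passes anything whose flags byte is missing, which is the behaviour the tiny fragment attack exploits; the second applies the checks from RFC 1858 (drop a first fragment too small to hold the TCP header; drop any fragment with offset 1, which can only occur when the first fragment was 8 bytes long or fragments overlap) before the same policy. The addresses and the segment are constructed; the minimum size of 16 bytes is an assumption chosen so that the TCP ports, sequence number and flags byte (offset 13) are all in the first fragment.

```python
"""IPv4 fragment parsing, reassembly and RFC 1858 tiny-fragment checks.
Added example; addresses and the TCP segment are constructed."""
import struct
from dataclasses import dataclass

TCP = 6
IPV4_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options
TMIN = 16                    # assumed minimum: first fragment must carry TCP bytes 0..15,
                             # which includes ports, seq, ack and the flags byte at offset 13


@dataclass(frozen=True)
class Fragment:
    ident: int
    offset: int      # fragment offset, in 8-byte units
    more: bool       # MF flag
    proto: int
    payload: bytes


def build_fragment(ident, offset, more, proto, payload,
                   src=b"\xc6\x33\x64\x07", dst=b"\xc0\x00\x02\x14"):
    """Constructed fragment 198.51.100.7 -> 192.0.2.20; header checksum left at zero."""
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_fragment(raw):
    ver_ihl, _, total, ident, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(ident, flags_frag & 0x1FFF, bool(flags_frag & 0x2000), proto, raw[ihl:total])


def inbound_syn_policy(frag):
    """Policy under test: drop inbound TCP connection attempts (SYN set, ACK clear)."""
    flags = frag.payload[13]
    return "drop" if (flags & 0x02) and not (flags & 0x10) else "pass"


def naive_filter(frag):
    """Decides on the first fragment only and gives up when the flags byte is absent;
    every non-first fragment is passed.  This is what the tiny fragment attack exploits."""
    if frag.proto != TCP or frag.offset != 0 or len(frag.payload) < 14:
        return "pass"
    return inbound_syn_policy(frag)


def rfc1858_filter(frag):
    """Same policy behind the RFC 1858 checks: direct method (first fragment must hold
    at least TMIN bytes of transport header) and indirect method (offset 1 is dropped)."""
    if frag.proto != TCP:
        return "pass"
    if frag.offset == 0 and frag.more and len(frag.payload) < TMIN:
        return "drop"
    if frag.offset == 1:
        return "drop"
    return inbound_syn_policy(frag) if frag.offset == 0 else "pass"


def reassemble(frags):
    """Group by identification, order by offset, require contiguous data ending in a
    fragment with MF clear.  Returns {ident: payload} for complete datagrams only."""
    groups = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    done = {}
    for ident, parts in groups.items():
        buf, expected, complete = bytearray(), 0, False
        for f in sorted(parts, key=lambda f: f.offset):
            if f.offset * 8 != expected:      # gap or overlap: give up on this datagram
                break
            buf += f.payload
            expected += len(f.payload)
            if not f.more:
                complete = True
                break
        if complete:
            done[ident] = bytes(buf)
    return done


def demo():
    # Constructed TCP SYN to port 23 carrying 5 bytes of data: 25 bytes in total
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 23, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    segment = tcp_syn + b"hello"
    # Ordinary fragmentation: 16 bytes (two 8-byte units), then the remaining 9
    normal = [parse_fragment(build_fragment(7, 0, True, TCP, segment[:16])),
              parse_fragment(build_fragment(7, 2, False, TCP, segment[16:]))]
    # Tiny fragment attack: only ports and sequence number in the first fragment,
    # the flags byte pushed into the second (offset 1)
    tiny = [parse_fragment(build_fragment(8, 0, True, TCP, segment[:8])),
            parse_fragment(build_fragment(8, 1, False, TCP, segment[8:]))]
    return {
        "normal_naive": [naive_filter(f) for f in normal],
        "normal_rfc1858": [rfc1858_filter(f) for f in normal],
        "tiny_naive": [naive_filter(f) for f in tiny],
        "tiny_rfc1858": [rfc1858_filter(f) for f in tiny],
        "reassembled": reassemble(normal + tiny),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both fragment sets reassemble to the identical 25-byte SYN segment at the destination, which is the point of the attack: the end host sees a normal connection attempt while the naive filter passed both tiny fragments. The RFC 1858 checks drop both of them and still let the legitimately fragmented datagram be judged on its first fragment.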

43
Q

Bastion Hosts Common characteristics:

A

Runs secure O/S, only essential services

May require user authentication to access the proxy or the host

Each proxy can restrict features, hosts accessed

Each proxy is small, simple, checked for security

Limited disk use, hence read-only code

Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.

44
Q

Host Based Firewall Advantages

A

Filtering rules can be tailored to the host environment

Protection is provided independent of topology

Provides an additional layer of protection

45
Q

Advanced Firewall Protection

A

Stealth mode hides the system from the Internet by dropping unsolicited communication packets

UDP packets can be blocked

Logging for checking on unwanted activity

Applications must have authorization to provide services

46
Q

Internal Firewall Purposes:

A

Add more stringent filtering capability

Provide two-way protection with respect to the DMZ

Multiple firewalls can be used to protect portions of the internal network from each other