Lesson 10 Flashcards
Packet Filtering Firewalls
- Provide controls on the Network (3) and Transport (4) layers
- Enforce a network ACL
- Deny (drop silently or reject with an error response), log, or accept a packet
- Inspect each packet header for:
- src & dest IP address
- protocol ID/type (TCP, UDP, ICMP, routing protocols, ...)
- src & dest port numbers (identify the TCP or UDP application)
- works on inbound, outbound, or both directions
- two types: stateless and stateful
Stateless Firewall
A basic packet filtering firewall
- Does not preserve information about network sessions, so every packet is judged on its header alone (return traffic needs its own rule)
- Rarely deployed as a standalone firewall anymore, though stateless ACLs are still common on routers
Stateful Inspection Firewall
- Keeps a state table of connection information, so decisions can depend on the session a packet belongs to
- Provides controls on the Transport (4) layer
- tracks the TCP handshake
- distinguishes new vs established and related connections (a TCP packet that fits no tracked session and is not a SYN is invalid and dropped)
- Can also provide controls on the Application (7) layer (deep packet inspection):
- Validate protocol
- Match threat signatures
- Application-specific filtering
iptables
- Command line utility to edit the rules enforced by the Linux kernel firewall (netfilter)
iptables --list INPUT --line-numbers -n
shows the content of the INPUT chain with rule numbers and no name resolution (-n prints addresses and ports numerically)
- -A append a rule to the end of a chain
- -I insert a rule at a position (default: the top)
- -D delete a rule
- -R replace the rule at a given position
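An added example (not part of the original notes) showing how the listing above can be checked programmatically: a small Python parser for the output of `iptables --list INPUT --line-numbers -n` and an audit that flags the ordering mistakes a reviewer looks for (catch-all ACCEPT that shadows later rules, no terminal deny with an ACCEPT policy, no RELATED,ESTABLISHED rule). The listing is constructed for the example, including a deliberately wrong rule 3 that accepts everything; `audit_live_input_chain` is the only function that touches a real host and is an assumed helper name.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the format printed by `iptables --list INPUT --line-numbers -n`
# (rule numbers, no name resolution). Rule 3 is deliberately bad.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT-DROP: "
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str = ""      # match options printed after the destination column


def parse_listing(text):
    """Return (chain policy, [Rule, ...]) parsed from the listing text."""
    policy, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\S+)\)", line)
        if m:
            policy = m.group(1)
            continue
        parts = line.split(None, 6)   # num target prot opt source destination [extra]
        if len(parts) < 6 or not parts[0].isdigit():
            continue                   # column header or blank line
        extra = parts[6].strip() if len(parts) == 7 else ""
        rules.append(Rule(int(parts[0]), parts[1], parts[2], parts[4], parts[5], extra))
    return policy, rules


def is_catch_all(rule):
    """True when the rule matches every packet: any protocol, any addresses, no extra match."""
    return (rule.prot == "all" and rule.source == "0.0.0.0/0"
            and rule.destination == "0.0.0.0/0" and rule.extra == "")


def audit_chain(policy, rules):
    """Return a list of findings about ordering and coverage of the chain."""
    findings = []
    ends_with_deny = bool(rules) and rules[-1].target in ("DROP", "REJECT") and is_catch_all(rules[-1])
    if policy == "ACCEPT" and not ends_with_deny:
        findings.append("policy ACCEPT and no catch-all DROP/REJECT at the end: unmatched traffic is accepted")
    for i, r in enumerate(rules):
        if r.target == "ACCEPT" and is_catch_all(r):
            shadowed = [s.num for s in rules[i + 1:]]
            findings.append(f"rule {r.num} accepts everything; rules {shadowed} can never match")
            break
    if not any("ESTABLISHED" in r.extra for r in rules):
        findings.append("no RELATED,ESTABLISHED rule: replies are only accepted if a per-port rule allows them")
    return findings


def audit_live_input_chain():
    """Audit the real INPUT chain of this host (needs root and iptables installed)."""
    out = subprocess.run(["iptables", "--list", "INPUT", "--line-numbers", "-n"],
                         capture_output=True, text=True, check=True).stdout
    return audit_chain(*parse_listing(out))


if __name__ == "__main__":
    for finding in audit_chain(*parse_listing(SAMPLE_LISTING)):
        print("finding:", finding)
```

Because the chain is evaluated top to bottom, the catch-all ACCEPT at rule 3 makes the LOG and DROP rules below it dead code; the audit reports exactly that and nothing else for this listing.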
Firewall implementation
Firewall appliances
- Standalone HW deployed to monitor traffic passing in and out of a network zone
- Routed (layer 3)
- forwards between subnets
- Bridge/transparent (layer 2)
- sits inline between two nodes (for example a switch and a router) and inspects traffic without routing it, so neither side sees a new hop
- Router/firewall
- implemented as firmware as part of a router, not really an appliance
Application Based
- Software running on a general-purpose computing host
- host based - enforces ACLs and per-process network access rules on that host
- application firewall - host-based firewall running on a server, used alongside (not instead of) the network firewall
- network operating system (NOS) firewall - A server functioning as a gateway or proxy for a network segment
Application-based firewalls
Host based
- protects a single host
- performs packet filtering via ACL and also allows/blocks individual software processes' network access
Application
- runs on a server to protect an application, like Web or SQLServer
Network Operating System (NOS)
- Network server firewall acting as a gateway or proxy for a network segment
Proxy Servers
- Similar to an application firewall, but works on a store-and-forward model
- deconstructs each packet, analyzes it, rebuilds the packet, and forwards it on according to set rules (the proxy terminates the client's connection and opens its own to the destination)
Forward Proxies
- Works on outbound traffic, traffic from a client computer
- Provides caching engines to store frequently used webpages
- Can be application specific (Web/http) or multipurpose for multiple types or protocols
- two class types:
- non-transparent
- client must be configured with the proxy server's address and port to use it
- transparent
- intercepts client traffic without the client having to be reconfigured
- must be implemented on the switch, router, or other inline network appliance
- both types can require authentication, usually SSO
Reverse Proxy Servers
- Handles protocol-specific inbound traffic
- Keeps external hosts from connecting directly to internal servers
- applies filtering rules before forwarding the request to the application server
- can handle app specific load balancing, traffic encryption and caching
ACL
Access Control Lists for firewalls
- principle of least access: permit only the traffic a host needs
- rules regarding protocol traffic to and from hosts
- processed top to bottom; the first matching rule decides
- implicit deny: anything that matches no rule is dropped, usually without a log entry
- an explicit deny-all rule at the end (paired with a log action) records every packet that matched none of the earlier rules
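Added example, not from the original notes, tying together the stateful inspection card and the ACL card above: a Python model of a stateful firewall that processes rules top to bottom (first match wins), tracks sessions in a state table so replies match a single ESTABLISHED rule, drops TCP packets that belong to no session and open no handshake, treats unmatched traffic as an implicit (silent) deny, and shows what an explicit logged deny-all at the end changes. Packets, addresses (documentation ranges) and rule names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN flag (first packet of a handshake)
    ack: bool = False     # TCP ACK flag


@dataclass
class Rule:
    action: str                    # "accept" or "deny"
    proto: Optional[str] = None    # None = any protocol
    dst: Optional[str] = None      # None = any destination host
    dport: Optional[int] = None    # None = any destination port
    state: Optional[str] = None    # "NEW", "ESTABLISHED" or None = any
    log: bool = False
    name: str = ""


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()        # state table: 5-tuples of accepted connections
        self.log = []
        self.implicit_denies = 0  # packets dropped because no rule matched (never logged)

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def conn_state(self, p):
        """ESTABLISHED if the packet, or its reverse direction, is in the state table."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if self._key(p) in self.table or reverse in self.table else "NEW"

    def filter(self, p):
        state = self.conn_state(p)
        # A TCP packet that is not a pure SYN and belongs to no tracked session is INVALID.
        # A stateless filter would accept it if a port rule matched; a stateful one drops it.
        if p.proto == "tcp" and state == "NEW" and not (p.syn and not p.ack):
            self.log.append(f"INVALID: deny {p}")
            return "deny"
        for r in self.rules:        # processed top to bottom, first match wins
            if r.proto not in (None, p.proto) or r.dst not in (None, p.dst):
                continue
            if r.dport not in (None, p.dport) or r.state not in (None, state):
                continue
            if r.log:
                self.log.append(f"{r.name}: {r.action} {p}")
            if r.action == "accept" and state == "NEW":
                self.table.add(self._key(p))   # remember the session so its replies match
            return r.action
        self.implicit_denies += 1   # implicit deny: nothing matched, nothing logged
        return "deny"


def build_rules(explicit_deny):
    rules = [
        Rule("accept", state="ESTABLISHED", name="allow-return"),
        Rule("accept", proto="tcp", dst="10.0.0.5", dport=443, state="NEW", name="allow-https"),
        Rule("accept", proto="udp", dst="10.0.0.53", dport=53, name="allow-dns"),
    ]
    if explicit_deny:
        rules.append(Rule("deny", log=True, name="explicit-deny-all"))
    return rules


# Constructed traffic (documentation-range addresses).
TRAFFIC = [
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, syn=True),            # client SYN
    Packet("tcp", "10.0.0.5", 443, "203.0.113.7", 51000, syn=True, ack=True),  # server SYN/ACK
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 443, ack=True),            # client ACK
    Packet("tcp", "198.51.100.9", 40000, "10.0.0.5", 22, syn=True),            # unsolicited SSH
    Packet("tcp", "198.51.100.9", 40001, "10.0.0.5", 443, ack=True),           # ACK with no handshake
    Packet("udp", "203.0.113.7", 5353, "10.0.0.53", 53),                       # DNS query
]


def run_demo(explicit_deny=True):
    """Run the constructed traffic through the ruleset; returns (firewall, decisions)."""
    fw = StatefulFirewall(build_rules(explicit_deny))
    return fw, [fw.filter(p) for p in TRAFFIC]


if __name__ == "__main__":
    for explicit in (True, False):
        fw, decisions = run_demo(explicit)
        print("explicit deny" if explicit else "implicit deny", decisions, fw.log, fw.implicit_denies)
```

The decisions are identical with and without the final deny rule; the difference is visibility: with the explicit deny-all the refused SSH SYN shows up in the log, without it the firewall only bumps a counter.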
NAT
Network Address Translation
- translates between private LAN host IPs and the public addressing scheme used by routers, firewalls, or proxy servers on the network edge
- private internal IP addresses (RFC 1918) are defined to be non-routable on the internet:
- Class A: 10.0.0.0/8 (10.x.x.x)
- Class B: 172.16.0.0/12 (172.16.x.x - 172.31.x.x)
- Class C: 192.168.0.0/16 (192.168.x.x)
Static/Dynamic NAT
- Both perform a 1:1 mapping between private and public addresses: static NAT fixes the pair permanently, dynamic NAT assigns a public address from a pool when a host starts communicating
NAPT
Network Address Port Translation
- provides a means for multiple private IP addresses to be mapped onto a single public address, distinguished by source port (also called PAT or NAT overloading)
Port forwarding
(also called Destination NAT)
- uses the router's public address to publish a service, but forwards incoming requests to a different, internal IP
- Port forwarding means that a router takes requests from the internet for a particular application (like HTTP/port 80) and sends them to a designated host and port on the DMZ or LAN
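Added example (not part of the original notes) covering the NAT cards above: a Python model of an edge gateway that does static 1:1 NAT, NAPT on one public address, and port forwarding (destination NAT), and that drops unsolicited inbound packets for which no mapping exists. The RFC 1918 check is built from the three ranges listed above; the class name, addresses and the port pool are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private ranges: the source addresses a NAT gateway is expected to translate
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip, static_map=None, port_forwards=None, napt_ports=(40000, 40010)):
        self.public_ip = public_ip
        self.static_map = dict(static_map or {})         # private ip -> dedicated public ip (static 1:1)
        self.static_rev = {v: k for k, v in self.static_map.items()}
        self.port_forwards = dict(port_forwards or {})   # (proto, public port) -> (internal ip, port)
        self.napt = {}                                   # (proto, private ip, port) -> public port
        self.napt_rev = {}                               # (proto, public port) -> (private ip, port)
        self.next_port, self.last_port = napt_ports

    def outbound(self, p):
        """Packet leaving the LAN: rewrite the source. Returns None if it is dropped."""
        if not is_rfc1918(p.src):
            return None      # non-private source on the inside interface: misconfiguration or spoofing
        if p.src in self.static_map:
            return replace(p, src=self.static_map[p.src])
        key = (p.proto, p.src, p.sport)
        if key not in self.napt:     # NAPT: many private hosts share public_ip, told apart by port
            if self.next_port > self.last_port:
                return None          # pool exhausted: new sessions fail until old mappings expire
            self.napt[key] = self.next_port
            self.napt_rev[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.napt[key])

    def inbound(self, p):
        """Packet arriving from the internet: rewrite the destination. Returns None if dropped."""
        if p.dst in self.static_rev:
            return replace(p, dst=self.static_rev[p.dst])
        if p.dst != self.public_ip:
            return None
        published = self.port_forwards.get((p.proto, p.dport))
        if published:                # port forwarding / DNAT for a service deliberately exposed
            return replace(p, dst=published[0], dport=published[1])
        back = self.napt_rev.get((p.proto, p.dport))
        if back:                     # reply to a session a LAN host opened
            return replace(p, dst=back[0], dport=back[1])
        return None                  # unsolicited: no mapping and no forward rule, never reaches the LAN


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", static_map={"10.0.0.10": "203.0.113.10"},
                    port_forwards={("tcp", 80): ("10.0.0.80", 8080)})
    print(gw.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.80", 443)))
    print(gw.inbound(Packet("tcp", "198.51.100.5", 4444, "203.0.113.1", 80)))
    print(gw.inbound(Packet("tcp", "198.51.100.5", 4444, "203.0.113.1", 22)))
```

Two LAN hosts using the same source port get different public ports, which is the whole point of NAPT; the same table, read backwards, is why an inbound packet with no prior outbound session is silently dropped, and why publishing a service needs an explicit port-forward entry.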
NIDS
Network Based Intrusion Detection System
- uses a network sensor (packet sniffer) on a SPAN/mirror port or TAP to capture a copy of the traffic
- analyzes it for malicious traffic
- displays alerts on a console or dashboard
- does NOT block the malicious traffic, just alerts and logs (that is the difference from an IPS)
- does NOT slow the traffic down, because it sits out of band rather than inline
- identifies hosts and applications
- detects attack signatures, password guessing attempts, port scans, worms, backdoor apps, malformed packets or sessions, and policy violations
- its output can be used to fine-tune firewall rulesets, remove or block IPs and processes from the network, or adjust other security controls
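Added example, not from the original notes, of what a NIDS sensor does with the copy of traffic it receives: signature matching on payloads plus a simple port-scan detector (distinct ports touched by one source within a time window), producing alerts and never dropping a packet. The signatures, thresholds, class name and packets are constructed and simplified for the example; real rulesets (Snort, Suricata) are far richer.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # capture time in seconds
    proto: str
    src: str
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


# Constructed, simplified signatures for illustration only.
SIGNATURES = [
    ("HTTP directory traversal", re.compile(rb"(GET|POST) /[^ ]*\.\./")),
    ("SQL injection probe", re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
]


class Nids:
    """Passive sensor: inspects copies of packets and raises alerts; never returns a verdict."""

    def __init__(self, scan_threshold=10, scan_window=5.0):
        self.scan_threshold = scan_threshold
        self.scan_window = scan_window
        self.alerts = []                      # (ts, kind, src, detail)
        self.syn_history = defaultdict(list)  # src -> [(ts, dst, dport), ...]
        self.scan_reported = set()            # sources already alerted on, to avoid alert floods

    def inspect(self, p):
        for name, pattern in SIGNATURES:
            if pattern.search(p.payload):
                self.alerts.append((p.ts, "signature", p.src, name))
        if p.proto == "tcp" and p.syn:
            hist = self.syn_history[p.src]
            hist.append((p.ts, p.dst, p.dport))
            # keep only the current window, then count distinct targets touched in it
            hist[:] = [h for h in hist if p.ts - h[0] <= self.scan_window]
            targets = {(d, port) for _, d, port in hist}
            if len(targets) >= self.scan_threshold and p.src not in self.scan_reported:
                self.scan_reported.add(p.src)
                self.alerts.append((p.ts, "port scan", p.src,
                                    f"{len(targets)} distinct ports within {self.scan_window}s"))
        return None   # the packet was already forwarded by the network; nothing to block here


def sample_traffic():
    """Constructed traffic using documentation-range addresses."""
    pkts = [
        Packet(0.0, "tcp", "203.0.113.7", "10.0.0.5", 80, payload=b"GET /index.html HTTP/1.1\r\n"),
        Packet(0.5, "tcp", "203.0.113.7", "10.0.0.5", 80, payload=b"GET /static/../../etc/passwd HTTP/1.1\r\n"),
        Packet(1.0, "tcp", "198.51.100.9", "10.0.0.5", 80, payload=b"POST /login user=a' OR '1'='1\r\n"),
    ]
    # fast scan: 12 SYNs to 12 ports from one host within 1.2 s
    pkts += [Packet(2.0 + i * 0.1, "tcp", "198.51.100.9", "10.0.0.5", 20 + i, syn=True) for i in range(12)]
    # slow host: 12 SYNs spread over two minutes, never 10 distinct ports inside one window
    pkts += [Packet(10.0 + i * 10.0, "tcp", "203.0.113.8", "10.0.0.5", 20 + i, syn=True) for i in range(12)]
    return pkts


def analyze(packets):
    """Feed packets to a sensor in capture order and return its alerts."""
    sensor = Nids()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        sensor.inspect(p)
    return sensor.alerts


if __name__ == "__main__":
    for alert in analyze(sample_traffic()):
        print(alert)
```

The slow scanner never trips the threshold, which is exactly the evasion a window-based detector is weak against; tuning the window and threshold, or correlating over longer periods, is the usual answer and is part of what the alerts from a NIDS are for.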