Lesson 10 Flashcards

1
Q

Packet Filtering Firewalls

A
  • Provide controls on the Network (3) and Transport (4) layers
  • Enforce a network ACL
  • Deny (block or drop), log, or accept a packet
  • Inspection of each packet header for:
    • src & dest IP address
    • protocol ID/type (TCP, UDP, ICMP, routing protocols, ...)
    • src & dest port numbers (TCP or UDP app type)
  • works on inbound/outbound/both packets
  • two types: stateless and stateful
2
Q

Stateless Firewall

A

A basic packet filtering firewall

  • Does not preserve information about network sessions
  • Not in use much anymore
3
Q

Stateful Inspection Firewall

A
  • State table stores connection information, shows session data
  • Provides controls on the Transport (4) layer
    • TCP handshake
    • new vs established and related connections
  • Provides controls on the Application (7) Layer
    • Validate protocol
    • Match threat signatures
    • Application specific filtering
4
Q

iptables

A

Command line utility to edit the rules enforced by the Linux kernel firewall

iptables --list INPUT --line-numbers -n

shows the content of the INPUT chain with line numbers and no name resolution

  • A append
  • D delete
  • R rules
5
Q

Firewall implementation

A

Firewall appliances

  • Standalone HW deployed to monitor traffic passing in and out of a network zone
  • Routed (layer 3)
    • forwards between subnets
  • Bridge/transparent (layer 2)
    • inspects traffic between two nodes, like a switch and a router
  • Router/firewall
    • implemented as firmware as part of a router, not really an appliance

Application Based

  • SW run on any type of computing host
  • host based - enforces ACLs and SW process network access rules
  • application firewall - host based FW running on a server next to a network firewall
  • network operating system (NOS) firewall - a server functioning as a gateway or proxy for a network segment
6
Q

Application-based firewalls

A

Host based
- protects a single host
- performs packet filtering via ACL and also allows/blocks SW processes from the network
Application
- runs on a server to protect an application, like Web or SQL Server
Network Operating System (NOS)
- network server firewall acting as a gateway or proxy for a network segment

7
Q

Proxy Servers

A
  • Similar to an application firewall, but works on a store-and-forward model
  • deconstructs each packet, analyzes it, rebuilds the packet and forwards it on according to set rules
8
Q

Forward Proxies

A
  • Works on outbound traffic, i.e. traffic from a client computer
  • Provides caching engines to store frequently used webpages
  • Can be application specific (Web/HTTP) or multipurpose for multiple types of protocols
  • two class types:
    • non-transparent
      • client must be configured with the proxy server's address and port to use it
    • transparent
      • intercepts client traffic without the client having to be reconfigured
      • must be implemented on the switch or router or other inline network appliance
  • both types can require authentication, usually SSO
9
Q

Reverse Proxy Servers

A
  • Protocol specific, handles inbound traffic
  • Keeps external hosts from connecting directly to internal servers
  • applies filtering rules before forwarding the request to the app server
  • can handle app specific load balancing, traffic encryption and caching
10
Q

ACL

A

Access Control Lists for firewalls

  • principle of least access
  • rules regarding protocol traffic to and from hosts
  • processed top to bottom
  • implicit deny
  • an explicit deny at the end forces logging of denials for traffic that matched none of the rules
11
Q

NAT

A

Network Address Translation

  • translates between private LAN host IPs and the public addressing scheme used by routers, firewalls, or proxy servers on the network edge
  • private internal IP addresses are defined to be non-routable on the internet
  • Class A: 10.x.x.x
  • Class B: 172.16.x.x - 172.32.x.x
  • Class C: 192.168.x.x
12
Q

Static/Dynamic NAT

A
  • Performs a 1:1 mapping between private and public network addresses
13
Q

NAPT

A

Network Address Port Translation

- provides a means for multiple private IP addresses to be mapped onto a single public address

14
Q

Port forwarding

A

or Destination NAT

  • uses the router's public address to publish a web service, but forwards incoming requests to a different IP
  • Port forwarding means that a router takes a request from the internet for a particular application (like HTTP/port 80) and sends it to a designated host and port on the DMZ or LAN
15
Q

NIDS

A

Network Based Intrusion Detection System

  • uses a network sensor (packet sniffer) to capture traffic
  • analyzes it for malicious traffic
  • displays alerts to a console or dashboard
  • does NOT block the malicious traffic, just alerts and logs
  • does NOT slow the traffic down
  • identifies hosts and applications
  • detects attack signatures, password guessing attempts, port scans, worms, backdoor apps, malformed packets or sessions, and policy violations
  • can be used to fine tune firewall rulesets, remove or block IPs and processes from the network, or other security controls
16
Q

SPAN/mirror port

A

Packet capture sensor connected to a specially configured port on the switch which receives copies of the frames from all the other ports

  • not completely reliable
    • Frames with errors are not mirrored, and frames can be dropped during heavy loads
17
Q

Passive TAP

A

Passive Test Access Point

  • HW box with input and output ports for cabling and a splitter to copy the signal
  • Better than SPAN in that all frames are copied, even errored frames, and load does not affect the copying
18
Q

Active TAP

A

Active Test Access Point

  • a powered device that performs signal regeneration
  • can be a point of failure: if power is lost, it blocks the traffic
  • should have a battery or UPS connected to avoid this
19
Q

NIPS

A

Network Based Intrusion Prevention

  • provides an active response to any network threat that it matches
  • positioned like a firewall at the border between two network zones
  • appliances are inline with the network, all traffic passes through them
  • can provide Content Filtering in addition to inline, wire-speed antivirus scanning
  • responses to numerous attacks: apply a temporary filter on the firewall, throttle bandwidth to attacking hosts, modify suspect packets, run a script to extend the IPS SW abilities