M9: Firewalls and tunnels, security architecture - C10 Flashcards
What is a Firewall?
A gateway providing access control and filtering. Thus it can allow, deny or modify any packet in either direction through it.
Relates to Complete Mediation (P4) and Isolated Compartments (P5).
P. 282
What is an Encrypted Tunnel?
An encrypted, persistent connection between two networks and/or hosts.
What is a Virtual Private Network?
A private network established over an existing network. It is maintained by secure communication channels and authentication.
What are Perimeter-based Defenses?
Defenses focused on the edge of the network, such as firewalls.
Why filter inbound packets?
Filtering inbound packets protects the internal network from outside threats.
Why filter outbound packets?
To both limit exposed functionality and detect/monitor unauthorized transfers.
What is a packet filter firewall?
Also called a screening router, it filters packets based on header information, in particular the source IP address. It often acts as a first line of defence.
What are the actions a packet filter firewall can take?
The primary actions on any given packet are
* Allow - let the packet through
* Drop - silently drop
* Reject - drop and inform the source
Additionally we may log information about the packet.
More intelligent packet filtering may involve content-based rules.
What is a stateless packet filter?
A firewall where each packet is examined individually.
What is a stateful packet filter?
A firewall which stores data about prior packets to inform decisions about future packets. It examines the flow rather than isolated packets.
What is a dynamic packet filter?
An adaptive stateful packet filter.
Why should the firewall use allow listing rather than deny listing?
P2 (Safe Defaults) motivates deny-by-default. Alternatively we would need to enumerate all bad actors and exploits in our deny-list to achieve the same safety, which is impossible.
What is the connection between Firewall and Security Policy?
In a sense the firewall instantiates the network security policy through its rule set.
What are the recognized limitations of firewalls?
Limitations include
* Topological - is there truly a perimeter?
* Malicious insiders - users/hosts within the network may be compromised
* Bad connections - users may inadvertently visit infected sites
* Tunneling - filtering based on port number can be circumvented
* Encrypted content - packet inspection may be defeated by encrypted content
What is a Proxy firewall?
Like any proxy it sits between the internal and external network. Ideally all traffic is routed through the proxy, without any knowledge of or impact on the end hosts.
What is a Circuit-level proxy?
Facilitates internal and external hosts connecting, seemingly to each other, but in reality to and through the proxy. This way only allowed connections can be made.
What is an Application-level filter?
Uses specialized programs for pre-determined applications with deep understanding of the protocols to examine and possibly amend packets.
P. 290
What are the requirements of a proxy firewall?
- Transparency - the user's experience is unchanged
- Performance - performance is not degraded
What are the limitations of application-level filters?
They require highly specialized programs, often implemented in hardware to reduce performance impacts. Thus they are limited in range to only the most used and most critical protocols.
What is a bastion host?
It is a hardened host exposed to the internet on one side and the internal network on the other.
How can firewalls provide Defense-in-Depth (P13)?
By using internal firewalls we can frustrate attackers who have already gained initial access.
What are the components of a comprehensive Firewall architecture?
An outer layer using a perimeter network (DMZ).
It consists of a bastion host between two screening routers (packet filters). The routers filter inbound and outbound packets and the bastion provides further screening such as application-level filtering.
What is a WAF?
Web Application Filter
An application-level filter firewall targeting HTTP and HTTPS.
What is a DMZ?
Demilitarized Zone
Contains our servers in a separately secured environment.
What is NAT?
Network Address Translation
Translates between external IP addresses and internal IP addresses. This can have incidental or secondary security benefits: if there is no mapping, there is no way to connect.
Why would we want to limit outgoing pings?
Outgoing pings can be used to
* map the internal network
* ping a Command and Control server
What security principles should we practice with our perimeter defense?
- Defence in Depth
- No Single Point of Failure
- Segmentation
- Deny by Default
Where to encrypt?
"It depends." Options include:
- Internet layer with IPsec
- Transport layer with TLS
- Application layer
Transport mode vs Tunnel mode?
Transport mode encrypts end to end.
Tunnel mode encrypts network to network.
There are security tradeoffs between them.
Why don't we always use tunnel mode?
- Difficulty - difficult to set up and keep running with rapidly changing internal infrastructure
- Inspection - internally encrypted data makes surveillance difficult
Why use advanced servers?
"Advanced" as in placed further forward.
They allow us to segregate critical data from exposed data.
Why are perimeter defences less applicable now?
There is less and less of a clear-cut perimeter, and trusting hosts simply because they are on the network is outdated.
What is Zero-Trust?
A new paradigm in security where we assume that everyone/everything is compromised.
What is OT?
Operational Technology
Runs all the physical things, such as machines.
What is the Purdue model?
A layered security model between IT systems and OT systems.
Why are OT systems not always updated?
- Often the money maker of the company
- "If it ain't broke..."
- Often a manual process