M9: Firewalls and tunnels, security architecture - C10 Flashcards
What is a Firewall?
A gateway providing access control and filtering. Thus it can allow, deny or modify any packet passing through it in either direction.
Relates to Complete-Mediation (P4) and Isolated-Compartments (P5)
P. 282
What is an Encrypted Tunnel?
An encrypted persistent connection between two networks and/or hosts.
What is a Virtual Private Network?
A private network established over a shared network. It is maintained by secure communication channels and authentication.
What are Perimeter-based Defenses?
Defenses focused on the edge of the network, such as Firewalls
Why filter inbound packets?
Filtering inbound packets protects the internal network from outside threats.
Why filter outbound packets?
To both limit exposed functionality and detect/monitor unauthorized transfers.
What is a packet filter Firewall?
Also called a Screening Router, it filters packets based on header information, in particular the source IP. It often acts as a first line of defence.
What are the Actions a Packet Filter Firewall can take?
The primary actions on any given packet are
* Allow - allow
* Drop - silently drop
* Reject - drop and inform source
Additionally we may log information about the packet.
Intelligent packet filtering may involve content-based rules.
What is a Stateless packet filter?
A firewall where each packet is examined individually.
What is a Stateful packet filter?
A firewall which stores data about prior packets to inform decisions about future packets. It examines the flow.
What is a Dynamic packet filter?
An adaptive stateful packet filter.
Why should the firewall use allow listing rather than deny listing?
P2 (Safe Defaults) motivates deny-by-default. Alternatively we would need to enumerate all the bad actors and exploits in our deny-list to achieve the same safety, which is impossible.
What is the connection between Firewall and Security Policy?
In a sense the Firewall instantiates the network security policy through its rule set.
What are the recognized limitations of Firewalls?
Limitations include
* Topological - is there truly a perimeter?
* Malicious insiders - user/hosts within network may be compromised
* Bad connections - users may inadvertently visit infected sites
* Tunneling - filtering based on port number can be circumvented
* Encrypted Content - packet inspection may be defeated by encrypted content
What is a Proxy firewall?
Like any proxy it sits between the internal and external network. Ideally all traffic is routed through the proxy, without any knowledge of or impact on the end hosts.
What is a Circuit-level proxy?
Facilitates internal and external hosts connecting, seemingly to each other, but in reality to and through the proxy. This way only allowed connections can be made.
What is an Application-level filter?
Uses specialized programs for pre-determined applications, with deep understanding of the protocols, to examine and possibly amend packets.
P. 290
What are Proxy Firewall Requirements?
- Transparency - user experience is unchanged
- Performance - performance is not degraded
What are the Limitations of Application-Level Filters?
They require highly specialized programs often implemented in hardware to reduce performance impacts. Thus limited in range to only the most used and most critical of protocols.
What is a Bastion Host?
It is a hardened host exposed to the internet on one side and the internal network on the other.
How can Firewalls provide Defense-in-Depth (P13)?
By using internal Firewalls we can frustrate attackers who have gained initial access
What are the components of a comprehensive Firewall architecture?
An outer layer using a perimeter network - DMZ.
It consists of a Bastion host between two Screening Routers (packet filters). The routers filter inbound and outbound packets and the Bastion provides further screening such as Application-level filtering.
What is a WAF?
Web Application Filter
An application-level filter firewall targeting HTTP and HTTPS.
What is a DMZ?
Demilitarized Zone
Contains our servers in a separately secured environment
What is NAT?
Network Address Translation
Translates from external IP addresses to internal IP addresses. This can have incidental or secondary security benefits, in that if there is no mapping there is no way to connect.
Why would we want to limit outgoing pings?
Outgoing pings can be used to
* Map the internal network
* Ping a Command and Control server
What security principles should we practice with our perimeter defense?
- Defence in Depth
- No Single Point of Failure
- Segmentation
- Deny by Default
Where to encrypt?
Can encrypt at the transport layer with TLS.
Applications can also encrypt their communication to increase security.
Transport mode vs Tunnel mode?
Transport mode encrypts end to end.
Tunnel encrypts network to network.
There are security tradeoffs between them.
Why don't we always use Tunnel Mode?
- Difficult - difficult to set up and keep running with rapidly changing internal infrastructure
- Inspection - internally encrypted data makes monitoring difficult
Why use advanced servers?
Advanced as in placed further forward.
They allow us to segregate critical data from exposed data.
Why are Perimeter Defences less applicable now?
There is less and less of a clear-cut perimeter, and trusting hosts simply because they are on the network is outdated.
What is Zero-Trust?
A new paradigm in security, where we assume that everyone/everything is compromised.
What is OT?
Operational Technology
Runs all the physical equipment, such as machines.
What is the Purdue model?
A layered security model between IT systems and OT systems.
Why are OT systems not always updated?
- Often the money maker of the company.
- If it ain't broke, don't fix it
- Often a manual process