Module 6.1 Flashcards
A system, or group of systems, that enforces an access control policy between networks.
Firewall
- Firewalls are resistant to network attacks.
- Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall.
- Firewalls enforce the access control policy.
Common Firewall Properties
- They prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
- They sanitize protocol flow, which prevents the exploitation of protocol flaws.
- They block malicious data from servers and clients.
- They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.
Firewall Benefits
- A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
- The data from many applications cannot be passed over firewalls securely.
- Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
- Network performance can slow down.
- Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Firewall Limitations
A firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network
Demilitarized Zone (DMZ)
Typical firewall DMZ configuration:
- Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
- Traffic originating from the public network and traveling to the private network is generally blocked.
Use zones to provide additional flexibility. A zone is a group of one or more interfaces that have similar functions or features. Zones are used to specify where a Cisco IOS firewall rule or policy should be applied.
Zone-Based Policy Firewalls (ZPFs)
Four common types of firewalls are:
- Packet Filtering (Stateless) Firewall
- Stateful Firewall
- Application Gateway Firewall
- Next Generation Firewalls
Usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.
Packet Filtering (Stateless) Firewall
Provides packet filtering by using connection information maintained in a state table. It analyzes traffic at OSI Layers 3 through 5.
Stateful Firewall
Filters information at Layers 3, 4, 5, and 7 of the OSI model. Most of the firewall control and filtering is done in software.
Application Gateway Firewall
Go beyond stateful firewalls by providing integrated intrusion prevention, application awareness and control, upgrade paths to include future information feeds, and techniques to address evolving security threats.
Next Generation Firewalls
A PC or server with firewall software running on it.
Host-based (server and personal) firewall
Filters IP traffic between a pair of bridged interfaces.
Transparent firewall
A combination of the various firewall types.
Hybrid firewall
Advantages
- No impact on network (latency, jitter)
- No network impact if there is a sensor failure
- No network impact if there is sensor overload
Disadvantages
- Response action cannot stop trigger packets
- Correct tuning required for response actions
- More vulnerable to network security evasion techniques
IDS
Advantages
- Stops trigger packets
- Can use stream normalization techniques
Disadvantages
- Sensor issues might affect network traffic
- Sensor overloading impacts the network
- Some impact on network (latency, jitter)
IPS
Two kinds of IPS
Host-based IPS (HIPS) and network-based IPS.
- Software installed on a host to monitor and analyze suspicious activity.
- Can monitor abnormal activity and prevent the host from executing commands that do not match typical behavior
- Network traffic can also be monitored to prevent the host from participating in a denial-of-service (DoS) attack or being part of an illicit FTP session.
Host-based IPS (HIPS)
- Can be implemented using a dedicated or non-dedicated IPS device.
- Implementations are a critical component of intrusion prevention.
- There are host-based IDS/IPS solutions, but these must be integrated with a network-based IPS implementation to ensure a robust security architecture.
- Sensors detect malicious and unauthorized activity in real-time and can act when required.
Network-based IPS
What are the Specialized Security Appliances?
- Cisco Advanced Malware Protection (AMP)
- Cisco Web Security Appliance (WSA)
- Cisco Email Security Appliance (ESA)
- An enterprise-class advanced malware analysis and protection solution
- Provides comprehensive malware protection for organizations before, during, and after an attack
- Accesses the collective security intelligence of the Cisco Talos Security Intelligence and Research Group
Cisco Advanced Malware Protection (AMP)
- A secure web gateway that combines leading protections to help organizations address the growing challenges of securing and controlling web traffic
- Protects the network by automatically blocking risky sites and testing unknown sites before allowing users to access them
- Provides malware protection, application visibility and control, acceptable use policy controls, insightful reporting, and secure mobility
Web Security Appliance (WSA)
- Defends mission-critical email systems
- Constantly updated by real-time feeds from Cisco Talos
- Features include spam blocking, advanced malware protection, and outbound message control
Cisco Email Security Appliance (ESA)