Module 9 Flashcards
A ___ is a system, or group of systems, that enforces an access control policy between networks.
firewall
All firewalls share some common properties:
Firewalls are resistant to network attacks.
Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall.
Firewalls enforce the access control policy.
There are several benefits of using a firewall in a network:
They prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
They sanitize protocol flow, which prevents the exploitation of protocol flaws.
They block malicious data from servers and clients.
They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.
Firewalls also have some limitations:
A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
The data from many applications cannot be passed over firewalls securely.
Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
Network performance can slow down.
Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Types of Firewall
Packet Filtering (Stateless) Firewall
Stateful Firewall
Application Gateway Firewall
Next Generation Firewall
Other methods of implementing firewalls include:
Host-based (server and personal) firewall - A PC or server with firewall software running on it.
Transparent firewall - Filters IP traffic between a pair of bridged interfaces.
Hybrid firewall - A combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
An ____ filters information at Layers 3, 4, 5, and 7 of the OSI reference model.
application gateway firewall
A _____ is a combination of the various firewall types.
hybrid firewall
A _____ is part of a router firewall that permits or denies traffic based on Layer 3 and Layer 4 information.
packet filtering firewall
_____ is a PC or server with firewall software running on it.
Host-based firewalls
A _____ filters IP traffic between a pair of bridged interfaces.
transparent firewall
There are several advantages of using a packet filtering firewall:
Packet filters implement simple permit or deny rule sets.
Packet filters have a low impact on network performance.
Packet filters are easy to implement, and are supported by most routers.
Packet filters provide an initial degree of security at the network layer.
Packet filters perform almost all the tasks of a high-end firewall at a much lower cost.
There are several disadvantages of using a packet filtering firewall:
Packet filters are susceptible to IP spoofing. Threat actors can send arbitrary packets that meet ACL criteria and pass through the filter.
Packet filters do not reliably filter fragmented packets. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Decisions to use packet filters assume that the filter of the first fragment accurately enforces the policy.
Packet filters use complex ACLs, which can be difficult to implement and maintain.
Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.
There are several benefits to using a stateful firewall in a network:
Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
Stateful firewalls strengthen packet filtering by providing more stringent control over security.
Stateful firewalls improve performance over packet filters or proxy servers.
Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
Stateful firewalls provide more log information than a packet filtering firewall.
Stateful firewalls also present some limitations:
Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of the HTTP connection.
Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and, therefore, do not garner as much support for filtering.
It is difficult to track connections that use dynamic port negotiation. Some applications open multiple connections. This requires a whole new range of ports that must be opened to allow this second connection.
Stateful firewalls do not support user authentication.
Benefits
Primary means of defense
Strong packet filtering
Improved performance over packet filters
Defends against spoofing and DoS attacks
Richer data log
Limitations
No Application Layer inspection
Limited tracking of stateless protocols
Difficult to defend against dynamic port negotiation
No authentication support
Common Security Architectures / Common Firewall Designs
Private and Public
Demilitarized Zone
Zone-Based Policy Firewalls
Considerations for Layered Network Defense
Network Core security - Protects against malicious software and traffic anomalies, enforces network policies, and ensures survivability
Perimeter security - Secures boundaries between zones
Communications security - Provides information assurance
Endpoint security - Provides identity and device security policy compliance
A ____ typically has one inside interface, one outside interface, and one DMZ interface.
demilitarized firewall design
In a ____, security measures are taken at the network core, perimeter, endpoints, and other communication security points.
layered network defense
The public internet is considered _____. Internal networks are generally considered to be _____; however, additional security may be required to protect them from threats. In a ZPF, traffic that travels within zones is generally considered as trusted.
untrusted; trusted
____ groups interfaces into zones that have similar functions or features.
ZPF
What is one benefit of using a next-generation firewall rather than a stateful firewall?
Stateful firewalls and next-generation firewalls provide better log information than a packet filtering firewall, both defend against spoofing, and both filter unwanted traffic. Next-generation firewalls provide the following benefits over stateful firewalls:
Granularity control within applications
Website and application traffic filtering based on site reputation
Proactive rather than reactive protection from Internet threats
Enforcement of security policies based on multiple criteria including user, device, role, application, and threat profile
Improved performance with NAT, VPN, and stateful inspections
Integrated IPS
_____ to limit access to endpoints. _____ to firewall devices to prevent tampering or unauthorized access to configuration ports.
Disable unnecessary network services; Strictly control physical access
Which three layers of the OSI model include information that is commonly inspected by a stateful firewall? (Choose three.)
A stateful firewall provides filtering at the network layer, but also analyzes traffic at OSI Layer 4 and Layer 5.
Which type of firewall is supported by most routers and is the easiest to implement?
A packet filtering firewall uses a simple policy table look-up that filters traffic based on specific criteria and is considered the easiest firewall to implement.
Which statement is a characteristic of a packet filtering firewall?
Packet filtering firewalls have a low impact on network performance. They are stateless, examining each packet individually and they do not filter fragmented packets well.
Which type of firewall generally has a low impact on network performance?
A stateless firewall uses a simple policy table look-up that filters traffic based on specific criteria and causes minimal impact on network performance.
What are two characteristics of an application gateway firewall? (Choose two.)
Which type of traffic is usually blocked when implementing a demilitarized zone?
A firewall will usually block traffic that is originating from the DMZ network and traveling to the private network. If traffic originated from the private network and the DMZ is sending returning traffic to the private network, then it will be allowed.
Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 or 4 information?
A packet filtering firewall uses a simple policy table look-up that filters traffic based on specific criteria. These firewalls are usually part of a router firewall. They permit or deny traffic based on Layer 3 and Layer 4 information.
How does a firewall handle traffic that is originating from the DMZ network and traveling to a private network?
A firewall will usually block traffic that is originating from the DMZ network and traveling to the private network. If traffic originated from the private network and the DMZ is sending returning traffic to the private network, then it will be allowed.
Which two protocols are stateless and do not generate connection information needed to build a state table? (Choose two.)
Connectionless protocols, such as ICMP and UDP, are not stateful and do not generate connection information for a state table.
What are two benefits of implementing a firewall in a network? (Choose two.)
There are several benefits of using a firewall in a network:
It prevents the exposure of sensitive hosts, resources, and applications to untrusted users.
It sanitizes protocol flow, which prevents the exploitation of protocol flaws.
It blocks malicious data from servers and clients.
It reduces security management complexity by off-loading most of the network access control to a few firewalls in the network.
When implementing a ZPF, which statement describes a zone?
When implementing a zone-based policy firewall (ZPF), a zone is a group of one or more interfaces that have similar functions or features.