Network Security Defences Flashcards
Do ALL hosts connected to the Internet have a unique global IP address?
It depends:
- A private IP network is an IP network that is not directly connected to the Internet
- IP addresses in a private network can be assigned locally (usually from the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so they need not be globally unique; such hosts reach the Internet only through a NAT device or a proxy

What is NAT? What does it do?
- NAT (Network Address Translation) is a router function that rewrites IP addresses (and, with NAPT / port overloading, port numbers) in packets
- It enables private networks that use unregistered IP addresses to connect to the Internet
- It connects two networks together and translates the private (not globally unique) addresses of the internal network into globally unique addresses before packets are forwarded to the other network, keeping a translation table so that replies can be mapped back to the right internal host
What is the security advantage of NAT?
It hides the internal hosts' IP addresses, port numbers and connections from the outside: external hosts see only the NAT device's public address, and unsolicited inbound packets with no entry in the translation table are dropped. This is a side effect of address translation rather than a security policy, so NAT should complement a firewall, not replace one.
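Worked example (added here; it is not part of the original flashcards): a toy port-overloading NAT (NAPT) translation table in Python showing outbound rewriting, reply mapping and the dropping of unsolicited inbound packets. The class name Napt, the public port range and the addresses (taken from the RFC 5737 documentation ranges) are assumptions chosen for the example, and the traffic is constructed.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Port-overloading NAT (NAPT): many private hosts share one public address.

    Mappings are keyed on the full outbound 4-tuple (an address- and
    port-dependent mapping), the strictest of the common NAT behaviours.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # assumed port pool
        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = next(self._next_port)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None when no mapping exists: the packet is unsolicited and is
        dropped, which is the "hiding" effect the flashcard describes.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        priv_ip, priv_port = target
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Constructed traffic: two internal hosts, one server, one outsider."""
    nat = Napt("203.0.113.10")
    # Two internal hosts happen to pick the same source port for the same server.
    out_a = nat.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    out_b = nat.translate_outbound(Packet("192.168.1.11", 51000, "198.51.100.5", 443))
    # The server's reply to host A is mapped back to A's private address and port.
    reply_a = nat.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.10", out_a.src_port))
    # An outsider scanning the public address hits no mapping: dropped.
    scan = nat.translate_inbound(Packet("192.0.2.7", 4444, "203.0.113.10", 22))
    # The mapped port is useless from a different remote address/port.
    spoof = nat.translate_inbound(Packet("192.0.2.7", 443, "203.0.113.10", out_a.src_port))
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a, "scan": scan, "spoof": spoof}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt}")
```

The scan and spoof cases are the "hiding" effect; note that an attacker who can forge the remote server's address and guesses the mapped port (easy to brute-force for UDP) can still inject a packet into an active flow, which is why NAT is not a substitute for a firewall.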
What are the benefits of a network firewall?
- It forces all entering traffic through one carefully controlled point
- It keeps attackers away from the other defences behind it
- It forces all leaving traffic through one carefully controlled point
- It monitors incoming and outgoing network traffic and permits or blocks network packets based on a set of security rules
Firewall configuration: what is whitelisting (allow-listing)?
Default DENY: everything that is not explicitly permitted is denied.
What can a firewall do with a packet?
- Allow/permit: the firewall forwards the packet
- Drop/deny: the firewall discards the packet and does not forward it (silently, or as a "reject" that also sends an ICMP unreachable or TCP RST back so the sender learns immediately)
- Other options include logging that a certain type of packet appeared, alerting the administrator, etc.
Firewall configuration: what is blacklisting (deny-listing)?
Default PERMIT: everything that is not explicitly forbidden is permitted.
How can a firewall gain information for its decision?
A packet filter can only use the packet itself: the fields of its IP and TCP/UDP (or ICMP) headers, plus the interface and direction it arrived on. A stateful firewall additionally uses the connection state it has recorded from earlier packets, and an application-level firewall also looks at the payload.
What are 3 Types of Firewalls?
- Stateless Firewalls (uses Stateless Packet Filtering)
- Stateful Firewalls (uses Stateful Packet Filtering)
- Application-layer firewalls
What is a stateless firewall?
- It allows or blocks IP packets based on their IP header fields and TCP/UDP port numbers
- The packet filter is defined as a rule table
- Each rule consists of conditions and an action
- For each packet, the first matching rule is applied
- The firewall keeps no state
- The filtering decision is made separately for every packet and does not take into account any earlier decisions made on related packets
What are the packet filtering rule directions?
- Inbound: the rule applies to packets entering the protected network
- Outbound: the rule applies to packets leaving it
- Either: the rule applies in both directions
What is the difference between TCP and UDP?
- TCP = Transmission Control Protocol: connection-oriented; a session is opened between the two parties (three-way handshake), data is delivered reliably and in order, and the connection is closed at the end
- UDP = User Datagram Protocol: connectionless; no need to open or close anything, just transmit, broadcast or receive datagrams, with no delivery guarantee

What are the risks with stateless firewalls?
- Since the firewall does not keep state, it doesn't "remember" whether a telnet flow is already established, or which source port number the client selected.
Example: an admin makes a rule allowing a client computer on an internal network to talk to a DNS server outside the firewall.
He would tell the firewall to allow UDP packets from that host, with source ports 1024 to 65535, destined to destination host 1.2.3.4 on destination port 53.
This rule works fine, but what happens when the DNS server responds?
To allow the response, you need a second rule allowing UDP packets from source port 53 to destination ports 1024 to 65535.

The problem with allowing those UDP packets is that an attacker can talk to any UDP service listening on a port between 1024 and 65535 on the internal host, as long as they use a source port of 53!
What are the pros and cons of a stateless firewall?
Pros:
- Simpler to implement, less complexity
- Highest performance
Challenges:
- Limited ability to protect private networks, because reply traffic has to be let in with broad rules like the one above
- Limited support for UDP, which has no connection setup or flags that would let a stateless rule tell a reply from an unsolicited packet
Stateless filtering can still be found, e.g. in routers, but such devices should not be perceived as "real" firewalls and should only be used inside the internal network.
What is the purpose of a stateful firewall?
- Packets that arrive may generate a state in the firewall
- An important feature of stateful firewalling is connection tracking
- The firewall sees the first packet of a connection and decides, using its rule table, whether to allow it
- Subsequent packets, including the replies in the opposite direction, are considered to be part of this connection and are allowed without needing a rule of their own

What states can a connection be in, in a stateful firewall?
- New: the first packet of a connection the firewall has not seen before
- Established: a packet belonging to a connection already in the state table (in either direction)
- Related: a new connection that belongs to an existing one, e.g. an FTP data connection or an ICMP error for a tracked flow
- Invalid: a packet that cannot be associated with any connection, e.g. a TCP segment without SYN for which no connection is tracked
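Worked example (added here; not code from the original flashcards) covering both the stateless DNS problem above and the stateful states in this card: a first-match stateless rule table with the two DNS rules from the example, and a minimal connection-tracking filter that classifies packets as NEW, ESTABLISHED or INVALID. The internal range 10.0.0.0/8, the attacker address 192.0.2.7, the target port 11211 and all packets are constructed assumptions; RELATED is only noted in a comment because it needs a protocol helper.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "in" = arriving from the Internet, "out" = leaving the internal network
    flags: str = ""   # TCP flags such as "SYN" or "ACK" (ignored for UDP)


@dataclass(frozen=True)
class Rule:
    direction: str    # "in", "out" or "either"
    proto: str
    src_net: str
    src_ports: range
    dst_net: str
    dst_ports: range
    action: str       # "allow" or "deny"

    def matches(self, p):
        return (self.direction in (p.direction, "either")
                and self.proto == p.proto
                and ip_address(p.src_ip) in ip_network(self.src_net)
                and p.src_port in self.src_ports
                and ip_address(p.dst_ip) in ip_network(self.dst_net)
                and p.dst_port in self.dst_ports)


def stateless_decide(rules, p):
    """Stateless packet filter: first matching rule wins, default deny (whitelisting)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INTERNAL, ANY = "10.0.0.0/8", "0.0.0.0/0"          # assumed internal range
EPHEMERAL, DNS = range(1024, 65536), range(53, 54)

# The two rules from the DNS example; the second one is the hole.
OUT_TO_DNS = Rule("out", "udp", INTERNAL, EPHEMERAL, "1.2.3.4/32", DNS, "allow")
IN_FROM_53 = Rule("in", "udp", ANY, DNS, INTERNAL, EPHEMERAL, "allow")


class StatefulFilter:
    """Connection-tracking filter: the rule table is consulted only for NEW flows."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # 5-tuples of flows the firewall has allowed

    def classify(self, p):
        fwd = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if p.proto == "tcp" and "SYN" not in p.flags:
            return "INVALID"      # mid-stream TCP segment with no tracked connection
        return "NEW"              # RELATED (e.g. FTP data) would need a protocol helper; omitted

    def decide(self, p):
        state = self.classify(p)
        if state == "ESTABLISHED":
            return "allow", state
        if state == "NEW" and stateless_decide(self.rules, p) == "allow":
            self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow", state
        return "deny", state


# Constructed traffic: a legitimate query/reply pair, an attacker using source
# port 53 to reach an internal memcached, and a stray TCP ACK with no connection.
QUERY = Packet("udp", "10.0.0.5", 5353, "1.2.3.4", 53, "out")
REPLY = Packet("udp", "1.2.3.4", 53, "10.0.0.5", 5353, "in")
ATTACK = Packet("udp", "192.0.2.7", 53, "10.0.0.9", 11211, "in")
STRAY_ACK = Packet("tcp", "192.0.2.7", 443, "10.0.0.5", 40000, "in", "ACK")
TRAFFIC = [("query", QUERY), ("reply", REPLY), ("attack", ATTACK), ("stray_ack", STRAY_ACK)]


def run_stateless():
    """Both rules are needed, and the second one lets the attack through."""
    return {name: stateless_decide([OUT_TO_DNS, IN_FROM_53], p) for name, p in TRAFFIC}


def run_stateful():
    """Only the outbound rule is configured; replies ride on the tracked flow."""
    fw = StatefulFilter([OUT_TO_DNS])
    return {name: fw.decide(p) for name, p in TRAFFIC}


if __name__ == "__main__":
    print("stateless:", run_stateless())
    print("stateful: ", run_stateful())
```

The stateful filter never needs the "source port 53 in" rule at all: the reply is ESTABLISHED because the outbound query created the flow, while the attacker's packet is a NEW inbound flow that matches no rule and is denied.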
What are the key limitations of packet-level firewalls?
They do not prevent application-specific attacks:
- No content (payload) inspection
- For example, the firewall will not block an attack string that exploits a buffer overflow in a URL decoding routine, because the packet carrying it is just another permitted packet to the web server's port
- Or an e-mail attachment that contains a virus could pass through the firewall if SMTP/POP connections are allowed
What are application-level firewalls?
- They evaluate network packets for valid data at the application layer before allowing a connection
- The firewall examines the data in all network packets at the application layer and maintains complete connection state and sequencing information
- Typically implemented as a proxy: the client talks to the proxy, which parses the application protocol and opens its own connection to the server only for requests that pass its checks
Limitations:
- Obvious: big overhead and slow
- A separate proxy is needed for each application protocol (FTP, HTTP, ...)
- Proxy services are themselves vulnerable to operating system and application-level bugs
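Worked example (added here; not from the original flashcards) for the two cards above: the same HTTP requests pass a packet-level check that only looks at the destination port, while an application-level inspector parses the request line and rejects what a backend URL decoder should never be handed (over-long targets, malformed percent-encoding, traversal after decoding, non-HTTP bytes). The 2048-byte limit, the permitted methods and all requests are constructed assumptions, not a real product's rules.

```python
import re
from urllib.parse import unquote

MAX_TARGET_LEN = 2048                        # assumed limit for this example
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def packet_filter_allows(proto, dst_port):
    """Packet-level view: the decision uses header fields only, never the payload."""
    return proto == "tcp" and dst_port == 80


def inspect_http_request(payload):
    """Application-level view: parse the request line before anything is forwarded.

    Returns (verdict, reason). Only HTTP is understood, which is the
    "one proxy per application" limitation in practice.
    """
    request_line = payload.split(b"\r\n", 1)[0]
    try:
        method, target, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny", "malformed request line"
    if method not in ("GET", "HEAD", "POST"):
        return "deny", f"method {method} not permitted"
    if not version.startswith("HTTP/1."):
        return "deny", "unsupported HTTP version"
    if len(target) > MAX_TARGET_LEN:
        return "deny", f"request target exceeds {MAX_TARGET_LEN} bytes"
    # Every '%' must begin a well-formed %XX escape: strip the valid ones and see what is left.
    if "%" in PCT_ESCAPE.sub("", target):
        return "deny", "malformed percent-encoding"
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path or ".." in path.split("/"):
        return "deny", "NUL byte or directory traversal after decoding"
    return "allow", "ok"


# Constructed requests. All are TCP segments to port 80, so the packet filter
# lets every one of them through.
REQUESTS = {
    "normal":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "overlong":  b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_pct":   b"GET /cgi-bin/search?q=%ZZ%4 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /static/..%2f..%2fetc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "garbage":   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",   # TLS ClientHello bytes sent to port 80
}


def compare():
    """Packet-filter verdict next to the application-level verdict, per request."""
    return {name: (packet_filter_allows("tcp", 80), inspect_http_request(req)[0])
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:10} packet filter: allow   app-level: {inspect_http_request(req)}")
```

The cost the card mentions is visible here: every request is decoded and parsed before a byte reaches the server, and the inspector itself is now parsing attacker-controlled input, so bugs in it are reachable from outside.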
What is a de-militarized zone (DMZ)?
A subnetwork added between an external and an internal network in order to provide an additional layer of security; also called a perimeter network. It separates the internal network from the outside world.
- Outsiders can obtain the information they need about a company (public web, mail, DNS) without accessing the internal network
- The company's confidential and proprietary information should be stored behind the DMZ, on the internal network

What is a bastion host?
- A computer that must be highly secured because it is more exposed to attacks than other hosts on a subnetwork
- In a firewall architecture the bastion host is usually the main point of contact between user processes on internal hosts and processes on external hosts
- Web servers, mail servers, etc. placed in the DMZ are bastion hosts: they should run only the services they need, be patched promptly and log everything
What is the simple packet filter architecture?
A single packet-filtering router between the internal network and the Internet; there is no bastion host, so all protection depends on the router's rule table.
What is a dual-homed host architecture?
The dual-homed host provides:
- Proxy services to internal and/or external clients
- Potentially additional packet filtering capabilities
- Properties of the dual-homed host: it has at least two network interfaces, and IP forwarding between them is disabled so that traffic can only cross via the proxies
- Drawback: as all permitted traffic passes through the bastion host, this may introduce a performance bottleneck

What is a screened host architecture?
The packet filter:
- Allows permitted IP traffic between the screened host and the Internet
- Blocks direct traffic between other internal hosts and the Internet
The screened host:
- Provides proxy services for the internal hosts
- Acts as a bastion host, being partially protected by the packet filter; but it sits on the internal network, so if it is compromised the attacker is already inside

What is a screened subnet architecture?
- A DMZ is created between two packet filters
- The inner packet filter serves for additional protection in case the bastion host is compromised:
- It prevents a compromised bastion host from sniffing internal traffic or reaching internal hosts beyond what the inner filter explicitly allows
- The DMZ (i.e. the perimeter network) is also a good place to host a publicly accessible information server, e.g. a web server
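Worked example (added here; not part of the original flashcards): a zone model of the screened subnet architecture in Python. Each flow crosses the outer filter, the inner filter or both, and is allowed only if every filter on its path allows it; the last probe shows the screened host architecture for comparison, where the bastion shares the internal subnet. The three zones, the two allow-lists (a public web server and a mail relay in the DMZ) and the probes are constructed assumptions.

```python
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Which packet filters a flow between two zones crosses, in order. The outer
# filter sits between the Internet and the DMZ, the inner filter between the
# DMZ and the internal network.
PATH = {
    (INTERNET, DMZ): ("outer",),
    (DMZ, INTERNET): ("outer",),
    (DMZ, INTERNAL): ("inner",),
    (INTERNAL, DMZ): ("inner",),
    (INTERNET, INTERNAL): ("outer", "inner"),
    (INTERNAL, INTERNET): ("inner", "outer"),
}

# Allow-lists per filter (default deny): (src_zone, dst_zone, proto, dst_port).
# Assumed policy: a public web server and a mail relay live in the DMZ.
POLICY = {
    "outer": {
        (INTERNET, DMZ, "tcp", 80),        # anyone may reach the web server
        (INTERNET, DMZ, "tcp", 25),        # and deliver mail to the relay
        (DMZ, INTERNET, "tcp", 25),        # the relay sends mail out
        (INTERNAL, INTERNET, "tcp", 443),  # internal clients browse out
    },
    "inner": {
        (INTERNAL, INTERNET, "tcp", 443),
        (INTERNAL, DMZ, "tcp", 80),        # staff may use the public web server
        (DMZ, INTERNAL, "tcp", 25),        # the relay hands mail to the internal mail store, nothing else
    },
}


def decide(src_zone, dst_zone, proto, dst_port):
    """A flow is allowed only if every packet filter on its path allows it."""
    if src_zone == dst_zone:
        return "allow (no filter between hosts on the same subnet)"
    for fw in PATH[(src_zone, dst_zone)]:
        if (src_zone, dst_zone, proto, dst_port) not in POLICY[fw]:
            return f"deny by {fw} filter"
    return "allow"


def demo():
    """Constructed probes, including what a compromised bastion host can reach."""
    return {
        "public_web":               decide(INTERNET, DMZ, "tcp", 80),
        "rdp_to_internal_host":     decide(INTERNET, INTERNAL, "tcp", 3389),
        "staff_browsing":           decide(INTERNAL, INTERNET, "tcp", 443),
        "staff_ssh_out":            decide(INTERNAL, INTERNET, "tcp", 22),
        "owned_bastion_smb":        decide(DMZ, INTERNAL, "tcp", 445),
        "owned_bastion_mail_store": decide(DMZ, INTERNAL, "tcp", 25),
        # Screened host architecture for comparison: the bastion is on the internal subnet.
        "screened_host_bastion_smb": decide(INTERNAL, INTERNAL, "tcp", 445),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

The two results to compare are owned_bastion_smb (stopped by the inner filter) and screened_host_bastion_smb (nothing in the way): that is the extra protection the second packet filter buys, and why the DMZ-to-internal allow-list should be kept as small as the mail-store entry here.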

What can firewalls do?
- A firewall is a focus for security decisions
- A firewall can enforce a security policy, e.g. concerning access control
- A firewall can log Internet activity efficiently
- A firewall can block unwanted traffic, provided the traffic can be characterized by addresses, ports or protocol
- A firewall can limit exposure to security problems in one part of a network
What can firewalls not do?
- A firewall can't protect against malicious insiders
- A firewall can't protect against connections that don't go through it (e.g. a modem, a rogue wireless access point or a tunnel that bypasses it)
- A firewall can't protect against completely new threats, e.g. zero-day attacks for which no rule or signature exists yet
- A firewall can't fully protect against viruses and other malware carried inside permitted traffic