Test 1 Flashcards
Which type of firewall will protect against a SYN flood attack?
Static firewall
What type of firewall can protect from internal threats?
Host firewall
What are 2 advantages and disadvantages of hardware firewalls?
+ fast throughput
+ out-of-the-box
- expensive
- difficult to upgrade
What are 2 advantages and disadvantages of software firewalls?
+ cheap
+ less recovery time
- constant updates/patches
- stripped down OS without secure accounts
What is a Firewall?
Hardware or software that protects the network against intrusion; it is the most effective way to secure the network link (put a firewall between the local network and the internet).
What are some firewall best practices?
Principle of Least Privilege
Apply traffic rules and exceptions: untrusted/trusted hosts/ports/applications
Perform regular risk assessments
Ensure proper change management
Secure remote management
Defer to company policy
What is Static Filtering?
A traditional firewall with a very basic purpose: to control traffic entering or exiting network interfaces.
Can be implemented on a single host and at/near a network gateway.
How are packets evaluated in Static Filtering?
Each is evaluated one at a time with the following header information:
Protocol, Source IP, Destination IP, Source port (rarely), Destination port
What is Stateful Filtering?
Packets belonging to active connections are allowed to pass through and connections are tracked in a state table.
How are packets evaluated in Stateful Filtering?
When new packets arrive, their contents are compared to the state tables to determine whether they are denied or permitted.
What is a Next Generation Firewall (NGFW)?
Same as traditional firewalls but can also filter based on applications, protocols and users and typically require more resources to do their job. They can be very expensive, depending on the hardware and licensing options that are chosen.
What is Unified Threat Management?
The concept of having a single gateway device (NGFW) with a multitude of security controls.
What are Web Application Firewalls (WAFs)?
Put in place to protect web applications, they inspect HTTP traffic going to and from web applications to detect and prevent attacks specific to web applications and can be considered a reverse proxy.
What is the Zero Trust Security Model?
The Zero Trust Security Model removes the assumption of trust and inspects all possible traffic. It monitors traffic flowing North-South and East-West and follows the approach "never trust, always verify". It protects internal resources from lateral attacks.
What is TCP?
Transmission Control Protocol is connection oriented.
Connections begin with a three-way handshake.
Connections end with the session being terminated.
What happens when you send a SYN to a closed port?
It will respond with a RST
What happens when you send a SYN to a filtered port?
No response is received
What happens when you send a SYN to an open port?
You will receive a SYN/ACK back
What are some considerations when troubleshooting firewalls?
Can you replicate the problem?
Is the affected host online?
Is the affected service functioning?
Is it a routing problem?
What is Netstat?
A command that can be used on both Windows and Linux to determine if a particular service is listening on a network interface.
What is Nmap?
Network Mapper: a free, open-source tool that allows administrators (and attackers) to scan network devices to determine which ports are open. It can also fingerprint services on open ports to determine specific service information, such as web server type and version.
What is Netfilter?
A packet-filtering framework built into the Linux kernel that provides kernel hooks at which packets can be inspected or manipulated.
What is Iptables?
A standard firewall included in many Linux distributions which interfaces with the kernel-level netfilter hooks and is used to configure and view tables of packet filter rules. Nftables is a modern variant that may eventually become more popular than iptables.
What are Iptables rules like?
Iptables rules are organized into chains. Chains are collections of rules that a packet is checked against sequentially.
What is NAT?
Modifies network addresses in the IP headers of packets to allow remapping of one IP address space into another and allows hosts in a private network to transparently communicate with hosts on external networks.
What is PAT?
Allows incoming sessions initiated from an external host to be mapped to a specific internal host and port.
What are the default iptables chains?
INPUT – triggered after an incoming packet has been routed to the local system
OUTPUT – triggered by locally generated outbound traffic as it enters the network stack
FORWARD – triggered after an incoming packet has been routed and needs to be forwarded to another host
What is the DHCP pattern?
Discover
Offer
Request
Acknowledge
What is Packet Filter?
OpenBSD’s system for filtering TCP/IP traffic and doing NAT. It is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization.