Lesson 10

Question 1

Packet Filtering Firewalls

Answer 1

• Provide controls on the Network (3) and Transport (4) layers
• Enforces network ACL
• Deny(block or drop), log, or accept a packet
• Inspection of each packet header for:
  
  • src & dest IP address
  • protocol ID/type (TCP, UDP, ICMP, routing protocols,..)
  • src & dest port numbers (TCP or UDP app type)
• works on inbound/outbound/both packets
• two types stateless and stateful

Question 2

Stateless Firewall

Answer 2

A basic packet filtering firewall

• Does not preserve information about network sessions
• Not in use much anymore

Question 3

Stateful Inspection Firewall

Answer 3

• State table stores connection information, shows session data
• Provides controls on the Transport (4) layer
  
  • TCP handshake
  • new vs established and related connections
• Provides controls on the Application (7) Layer
  
  • Validate protocol
  • Match threat signatures
  • Application specific filtering

Question 4

ip tables

Answer 4

-Command line utility to edit the rules enforced by the Linux kernel firewall

iptables –list INPUT –line-numbers -n

shows the content of the input chain with line number and no name resolution

• A append
• D delete
• R rules

Question 5

Firewall implementation

Answer 5

Firewall appliances

• Standalone HW deployed to monitor traffic passing in and out of a network zone
• Routed (layer 3)
  
  • forwards between subnets
• Bridge/transparent (layer 2)
  
  • inspects traffic between two nodes, like a switch and a router
• Router/firewall
  
  • implemented as firmware as part of a router, not really an appliance

Application Based

• SW run on any type of computing host
• host based - enforces ACLs and SW process network access rules
• application firewall - host based FW running on a svr next to a network firewall
• network operating system (NOS) firewall - A server functioning as a gateway or proxy for a network segment

Question 6

Application-based firewalls

Answer 6

Host based
- protects a single host
- performs packet filtering via ACL and also allow/block SW processes from network
Application
- runs on a server to protect an application, like Web or SQLServer
Network Operating System (NOS)
- Network Server firewall acting a as a gateway or proxy for a network segment

Question 7

Proxy Servers

Answer 7

• Similar to an application firewall, but works on a store-and-forward model
• deconstucts each packet, analyzes it, rebuilds the packet and forwards it on according to set rules

Question 8

Forward Proxies

Answer 8

• Works on outbound traffic, traffic from a client computer
• Provides caching engines to store frequently used webpages
• Can be application specific (Web/http) or multipurpose for multiple types or protocols
• two class types:
  
  • non-transparent
    
    • client must be configured with proxies server address and port to use it
  • transparent
    
    • intercepts client traffic without client having to be reconfigured
    • must be implemented on the switch or router or other inline network appliance
• both types can require authentication, usually SSO

Question 9

Reverse Proxy Servers

Answer 9

• Protocol specific inbound traffic
• Keeps external hosts from connecting directly to internal servers
• applies filtering rules prior to making request for app server
• can handle app specific load balancing, traffic encryption and caching

Question 10

ACL

Answer 10

Access Control Lists for firewalls

• principle of least access
• rules regarding protocol traffic to and from hosts
• processed top to bottom
• implicit deny
• explicit deny at end will force logging of denials due to those not matching and of the rules

Question 11

NAT

Answer 11

Network Address Translation

• translates between private LAN host IPs and the public addressing scheme used by routers, firewalls, or proxy servers on the network edge
• private internal IP addresses have been defined to be non-routable on the internet
• Class A : 10.x.x.x.
• Class B: 172.16.x.x - 172.32.x.x
• Class C: 192.168.x.x

Question 12

Static/Dynamic NAT

Answer 12

• Performs a 1:1 mapping between private and public network addresses

Question 13

NAPT

Answer 13

Network Address Port Translation

- provides a means for multiple private IP address to mapped onto a single public address

Question 14

Port forwarding

Answer 14

or a Destination NAT

• uses the routers public address to publish a web service, but forwards incoming requests to a different IP
• Port forwarding means that a router takes a request from the internet for a particular application (like HTTP/port 80) and sends them to a designated host and port on the DMZ or LAN

Question 15

NIDS

Answer 15

Network Based Intrusion Detection System

• uses a network sensor (packet sniffer) to capture traffic
• analyzes the for malicious traffic
• displays alerts to a console or dashboard
• does NOT block the malicious traffic, just alert and log
• does NOT slow the traffic down
• identifies hosts and applications
• detects attack signatures, password guessing attempts, port scans, works, backdoor apps, malformed packets or sessions, and policy violations
• can be used to fine tune firewall rulesets, remove or block IPs and processes from the network, or other security controls

Question 16

SPAN/mirror port

Answer 16

Packet capture sensor connected to a specially configured port on the switch with receives copies of the frames of all the other ports

• not completely reliable
  
  • Frames with errors are not mirrored and frames can be dropped during heavy loads

Question 17

Passive TAP

Answer 17

Passive Test Access Point

• HW box with ports for cabling of input and output ports with a splitter to copy the signal
• Better than SPAN in that all frames are copied, even errored frames, and load does not affect the copying

Question 18

Active TAP

Answer 18

Active Test Access Point

• a powered device to perform signal regeneration
• can be a point of failure if the power is lost, it will block the traffic
• should have battery or UPS connected to avoid this

Question 19

NIPS

Answer 19

Network Based Intrusion Prevention

• provides an active response to any network threat that it matches
• positioned like a firewall at the boarder between two network zones
• appliances are inline with the network, all traffic passes through them
• can provide Content Filtering in addition to inline, wire-speed antivirus scanning
• responses to numerous attacks, apply temporary filter on the firewall, throttling bandwidth to attacking hosts, modify suspect packets, run a script to further IPS SW abilities