3.5 Firewalls and Host-Based Intrusion Prevention Flashcards

1
Q

3.5.1 Firewalls

A

A firewall is a system, or group of systems, that enforces an access control policy between networks.

2
Q

Common Firewall Properties

A

All firewalls share some common properties:

Firewalls are resistant to network attacks.
Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall.
Firewalls enforce the access control policy.

3
Q

Firewall Benefits

A

There are several benefits of using a firewall in a network:

They prevent the exposure of sensitive hosts, resources, and applications to untrusted users.
They sanitize protocol flow, which prevents the exploitation of protocol flaws.
They block malicious data from servers and clients.
They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.

4
Q

Firewall Limitations

A

Firewalls also have some limitations:

A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.
The data from many applications cannot be passed over firewalls securely.
Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.
Network performance can slow down.
Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

5
Q

3.5.2 Types of Firewalls

A
6
Q

Packet Filtering (Stateless) Firewall

A

Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. They are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria.

7
Q

Stateful Firewall

A

Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layer 4 and Layer 5.

The stateful firewall figure shows the 7 layers of the OSI model with layers 3, 4, and 5 emphasized.

8
Q

Application Gateway Firewall

A

An application gateway firewall (proxy firewall), as shown in the figure, filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software. When a client needs to access a remote server, it connects to a proxy server. The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.

The application gateway firewall figure shows the 7 layers of the OSI model with layer 7 emphasized and a bar connecting layers 7 and 6 with the words "application gateway firewall" to the side, as well as layers 3, 4, and 5 emphasized with the words "application gateway firewall".

9
Q

Next Generation Firewall

A

Next-generation firewalls (NGFW) go beyond stateful firewalls by providing:

Integrated intrusion prevention
Application awareness and control to see and block risky apps
Upgrade paths to include future information feeds
Techniques to address evolving security threats

10
Q
A

Host-based (server and personal) firewall - A PC or server with firewall software running on it.
Transparent firewall - Filters IP traffic between a pair of bridged interfaces.
Hybrid firewall - A combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

11
Q

3.5.4 Packet Filtering Firewall Benefits and Limitations

A

Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. They are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria.

There are several advantages of using a packet filtering firewall:

Packet filters implement simple permit or deny rule sets.
Packet filters have a low impact on network performance.
Packet filters are easy to implement, and are supported by most routers.
Packet filters provide an initial degree of security at the network layer.
Packet filters perform almost all the tasks of a high-end firewall at a much lower cost.

Packet filters do not represent a complete firewall solution, but they are an important element of a firewall security policy. There are several disadvantages of using a packet filtering firewall:

Packet filters are susceptible to IP spoofing. Threat actors can send arbitrary packets that meet ACL criteria and pass through the filter.
Packet filters do not reliably filter fragmented packets. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Decisions to use packet filters assume that the filter of the first fragment accurately enforces the policy.
Packet filters use complex ACLs, which can be difficult to implement and maintain.
Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.
Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.

12
Q

3.5.5 Stateful Firewall Benefits and Limitations

A

There are several benefits to using a stateful firewall in a network:

Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
Stateful firewalls strengthen packet filtering by providing more stringent control over security.
Stateful firewalls improve performance over packet filters or proxy servers.
Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
Stateful firewalls provide more log information than a packet filtering firewall.

Stateful firewalls also present some limitations:

Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of the HTTP connection.
Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and, therefore, do not garner as much support for filtering.
It is difficult to track connections that use dynamic port negotiation. Some applications open multiple connections. This requires a whole new range of ports that must be opened to allow this second connection.
Stateful firewalls do not support user authentication.

13
Q

3.5.6 Host-Based Firewalls

A

Host-based personal firewalls are standalone software programs that control traffic entering or leaving a computer. Firewall apps are also available for Android phones and tablets.

Host-based firewalls may use a set of predefined policies, or profiles, to control packets entering and leaving a computer. They also may have rules that can be directly modified or created to control access based on addresses, protocols, and ports. Host-based firewall applications can also be configured to issue alerts to users if suspicious behavior is detected. They can then offer the user the ability to allow an offending application to run or to be prevented from running in the future.

Logging varies depending on the firewall application. It typically includes the date and time of the event, whether the connection was allowed or denied, information about the source or destination IP addresses of packets, and the source and destination ports of the encapsulated segments. In addition, common activities such as DNS lookups and other routine events can show up in host-based firewall logs, so filtering and other parsing techniques are useful for inspecting large amounts of log data.

One approach to intrusion prevention is the use of distributed firewalls. Distributed firewalls combine features of host-based firewalls with centralized management. The management function pushes rules to the hosts and may also accept log files from the hosts.

Whether installed completely on the host or distributed, host-based firewalls are an important layer of network security along with network-based firewalls.

14
Q

3.5.7 Antimalware Programs

A

Malware includes viruses, worms, Trojan horses, keyloggers, spyware, and adware.
