Chapter 6 - Firewalls Flashcards
What is a pass/deny decision?
A pass/deny decision is one where a packet is either passed through a firewall, or it is denied and dropped. Generally, provable attack packets are dropped on sight.
What type of packet does a firewall drop and log?
A firewall will always drop and log a proven attack packet.
What does the firewall do about packets that it suspects (but cannot prove) are attack packets?
A firewall passes suspected attack packets through if they cannot be proven to be attack packets.
Why does the firewall log information about dropped packets?
The firewall logs information about dropped packets so that a firewall administrator can review the log and determine the sort of attacks that are happening.
Distinguish between border firewalls and internal firewalls.
A border firewall separates a corporate entity’s network from the extranet. An internal firewall filters traffic between various parts of the internal network.
Distinguish between ingress and egress filtering.
Ingress filtering examines packets heading into the network; egress filtering examines packets leaving the network.
What does a firewall do if it cannot keep up with the traffic volume? Why is this action good/bad?
When a firewall cannot keep up with network volume, it drops ALL packets. This is better safe than sorry, but it unfortunately amounts to a self-inflicted DoS attack.
Why is it that a firewall can keep up with traffic in general but fail to do so during a major attack?
If a firewall cannot filter traffic at the wire speed (the maximum speed of the lines that connect to it), the massively increased traffic of the attack may lead to the firewall dropping all packets.
As processing power increases in the future, what will this mean for firewall filtering?
As processing power increases, firewalls will begin to be able to respond to much more complex and subtle attacks.
What is Unified Threat Management (UTM)?
Unified Threat Management is a function a firewall can fulfill, where it not only filters packets but also acts as an antivirus and a spam filter.
What does it mean that a firewall should operate at wire speed?
To operate at wire speed means that the firewall is capable of handling the full speed of the lines that are connected to it.
What are the main mechanisms of firewall filtering?
There are six mechanisms for firewall filtering:
- Stateful Packet Inspection
- Static Packet Filtering
- Network Address Translation
- Application Proxy Filtering
- Intrusion Prevention System Filtering
- Antivirus Filtering
What filtering mechanisms do almost all main border firewalls use?
Almost all main border firewalls use Stateful Packet Inspection (SPI) as their primary inspection mechanism. However, they use other methods as secondary filtering mechanisms.
What are the two limitations of static packet filtering? Explain why each is bad.
Static packet filtering has two main limitations. First, it cannot look at more than one packet at a time, so it misses the “scope” of larger threats. Second, it can only look at specific fields in the Internet and Transport headers, so it cannot stop attacks that require filtering of application messages, etc.
In what two secondary ways do corporations sometimes use static packet filtering?
Corporations sometimes use static packet filtering in border routers, as a way to relieve firewalls of some of the stress of high-volume but simple incoming attacks, as well as preventing probe replies from leaving.
Corporations also use static packet filtering as a secondary filtering mechanism due to its ability to stop specific attacks that would be more expensive to stop in another way.
What is a state?
A state is a distinct phase in a connection between two applications.
Are most packets part of the connection-opening state or the ongoing communication state? Why is this important for stateful packet inspection’s efficiency?
Most packets are part of the ongoing communication state. This is important because it allows for more complex investigation to be performed ONLY on connection-opening packets, which saves a considerable amount of resources.
What is a connection?
A connection is a link between two programs on different machines.
How is a connection between two programs on different computers represented?
A connection between two computers is represented by the addresses of the two sockets (each an IP address, followed by a colon, followed by a port number).
Give the stateful packet inspection firewall rule for packets that do not attempt to open connections.
For a packet that is not opening a connection, a stateful packet inspection firewall will determine if the packet is part of an existing conversation. If it is, it is passed. If not, it is dropped.
Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain.
SPI filtering for packets that are part of ongoing communications is simple and inexpensive. The packet’s “to” and “from” are compared against the connections table, and the packet is allowed if there is a match. Done.
UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?
SPI handles UDP by treating the incoming messages as connection-opening and the outgoing messages as not, creating a table entry, and then passing packets that match that connection.
What are the two simple default SPI firewall rules for packets that attempt to open connections?
Opening attempts coming from an internal host are allowed by default. Opening attempts coming from an external host are denied by default.
For stateful packet inspection firewalls, what do ingress ACLs permit in general?
Ingress ACLs permit access from specific externally originated connections.
What do egress ACLs disallow in general in SPI firewalls?
Egress ACLs disallow specific internally originated connections to outside hosts.
What do well-known port numbers designate?
Well-known port numbers designate specific applications running on a server.
In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that attempts to open a connection?
Yes, an SPI firewall ALWAYS considers its ACL rules.
In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that does not attempt to open a connection?
No, the firewall does not need ACL filtering, as no access attempt is being made.
Why are stateful packet inspection firewalls inexpensive?
Stateful packet inspection firewalls are inexpensive because the majority of the complex tasks are required only for connection-opening packets, which are a nearly insignificant percentage of all packets. The rest are easy.
In practice, are SPI firewalls fairly safe?
Yes, stateful packet inspection firewalls are generally safe, due to the fact that with the exception of application-layer attacks, attacks rely on connection-opening packets.
Are SPI firewalls limited to SPI filtering?
SPI firewalls are not limited to SPI filtering; additional functionality can be added.
When NAT is used, why can sniffers not learn anything about the internal IP addresses of internal hosts?
When an internal host sends a packet out, it passes through the NAT firewall, which replaces the original IP address and port number with an external IP address and a stand-in port number. These are useless to an attacker.
Why does NAT stop scanning probes?
NAT stops scanning probes because the probes’ IP addresses and port numbers will not be in the NAT firewall’s translation table, so the probes are automatically rejected.
Why is NAT traversal necessary? Is it easy to select?
NAT traversal is necessary because not all protocols work with NAT. It is not easy to select, because the methods are generally complex.
What distinguishes an application proxy firewall from static packet filtering firewalls and SPI firewalls?
An application proxy firewall sets itself up between the web browser and the server via an HTTP connection, acting as a browser to the server and as a server to the browser. It’s a technological “food taster”: it reassembles the application message (combining it if fragmented) and inspects the content of that message.