Firewalls Flashcards

1
Q

A company wishes to make an HTTP service on port 8080 available to Internet users; indicate a network and/or server configuration to provide the service safely and explain the reasons for the choices made.

A

I use a firewall of the screened subnet type, with the right web proxy and web server on the DMZ, in order to have a good level of security given by gateway, bastion and router with packet filtering, while at the same time avoiding a SPOF thanks to the double check done on the packets.

2
Q

With reference to a network firewall, briefly explain how to configure a whitelist and a blacklist.

A

Whitelist: everything that is not explicitly granted does not pass.
Blacklist: everything that is not explicitly prohibited does not pass.
These are strategies used to decide which packets may enter (or leave) the network; the first option is generally preferred because it is safer.

3
Q

Describe the screened host gateway firewall architecture indicating actors, advantages and disadvantages.

A

The bridge between the internal network and the external network is moved to the screening router, to which a network card has been added. Once a packet coming from the outside is authorized by the packet filter, it can take two paths:
* it can be forwarded to the gateway (now a bastion host) if it needs further inspection;
* it can enter the internal network directly if it is to be controlled by an internal server (e.g. a mail server).
Pros and cons:
+ flexibility: it is possible to lighten the controls related to some services or hosts by avoiding going through the gateway.
- masking: masking is only possible for packets passing through the bastion host;
- single point of failure: the router firmware may have bugs.

4
Q

Describe packet filter technology and describe its advantages and limitations.

A

It consists of filtering the packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
- static: coarse filtering is applied based on layer 3 addresses and layer 4 ports, with a blacklist or whitelist system;
- dynamic: stores state information from the transport layer and/or the application layer and distinguishes new connections from those already open, thanks to a state table of open connections; packets that match a row of the table are accepted without further checks.
Pros and cons:
+ very scalable;
+ good performance (slightly better for the dynamic variant, being stateful);
+ low cost.
- complex configurations;
- unsafe (imprecise controls).

5
Q

Draw the scheme of a dual homed gateway firewall architecture, illustrate the role of its components, advantages and disadvantages.

A

A dual-homed gateway is put in series with the screening router: it is a machine equipped with two network cards, one interfaced to the external network and the other to the internal one, both with routing disabled, and a running process whose task is to decide which traffic is allowed to pass from one network interface to the other. This system has a double control point:
* the router acts as a packet filter;
* the dual-homed gateway hosts a circuit-level gateway or an application-level gateway, as required.
As the gateway interfaces on two different networks, the intermediate network is isolated from the internal network and can be used as a DMZ for public servers.
Pros and cons:
+ masking: the gateway can mask the internal network;
+ simplicity: implementation is simple;
+ cost: only small additional hardware requirements (e.g. a fast network card);
+ double line of defense: exploiting a bug in one of the two devices is not enough to enter the internal network.
- management: two systems are required;
- bottleneck: all traffic must pass through the dual-homed gateway;
- flexibility: some types of traffic require control by servers in the internal network (e.g. spam e-mails).

6
Q

Packet filter and circuit gateway inside a firewall: similarities, differences, advantages and disadvantages of both.

A

Both do header-based packet filtering, but the packet filter works at layer 3, while the circuit gateway works at layer 4.
Packet filter: consists of filtering the packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
- static: coarse filtering is applied based on layer 3 addresses and layer 4 ports, with a blacklist or whitelist system;
- dynamic: stores state information from the transport layer and/or the application layer and distinguishes new connections from those already open, thanks to a state table of open connections; packets that match a row of the table are accepted without further checks.
Pros and cons:
+ very scalable;
+ good performance (slightly better for the dynamic variant, being stateful);
+ low cost.
- complex configurations;
- unsafe (imprecise controls).
Circuit gateway: a non "application-aware" proxy that creates a transport layer circuit between the client and the server without any understanding of the syntax of the data in transit.
Pros and cons:
+ the servers are isolated from all attacks involving:
* the TCP three-way handshake: the protection is activated at the beginning of the session and lasts for the entire session;
* IP packet fragmentation: the proxy reassembles the packet to fully understand its contents.
- breakdown of the client-server model (for the duration of the session): it may require changes to the applications (e.g. client authentication, which normally occurs at the application level, not at the transport level);
- many limitations of the packet filter remain.

7
Q

Packet filter and application level gateway inside a firewall: similarities, differences, advantages and disadvantages of both.

A

Both do header-based packet filtering, but the packet filter works at layer 3, while the application-level gateway works at the application layer.
Packet filter: consists of filtering the packets entering or leaving a network, and can be stateless (static) or stateful (dynamic):
- static: coarse filtering is applied based on layer 3 addresses and layer 4 ports, with a blacklist or whitelist system;
- dynamic: stores state information from the transport layer and/or the application layer and distinguishes new connections from those already open, thanks to a state table of open connections; packets that match a row of the table are accepted without further checks.
Pros and cons:
+ very scalable;
+ good performance (slightly better for the dynamic variant, being stateful);
+ low cost.
- complex configurations;
- unsafe (imprecise controls).
Application-level gateway: inspects packets at the application level (payload); it is made up internally of a series of proxies, one for each application protocol.
It can play the role of terminator: it interacts directly with the client as if it were the server, and with the server as if it were the client. It can perform the masking or renumbering of IP addresses, which may be necessary if it is acting as a terminator and one of the two parties asks for the authentication of the other. It can also have authentication functions, especially in egress: the gateway asks the client in the external network to authenticate itself in order to apply the appropriate policies to it.
Pros and cons:
+ maximum security: the rules are more granular and simpler than those of the packet filter, as the controls are based on the application layer;
+ parallelization: multiple CPU cores work in parallel (SMP).
- performance: more thorough checks require more time;
- application dependent: each application protocol requires a specific proxy, hence a delay in supporting new applications;
- resource consumption: many proxies mean many processes;
- low performance: the processes work in user mode;
- breakdown of the client-server model: it may not be completely transparent to clients, and often requires a modification of the client application;
- attacks: since the client interacts directly with the gateway, the firewall operating system is exposed to attacks;
- application-level security protocols: the firewall may not be able to correctly interpret the contents of the packets (e.g. SSL: the packet content is encrypted).

8
Q

Draw the scheme of the "screened subnet". Indicate the role of the individual components, and the advantages and disadvantages of this scheme.

A

The screening router is split into two:
* the packet filter part filters incoming and outgoing traffic;
* the router part acts as a bridge between the two networks.
Pros and cons:
+ flexibility: it is possible to lighten the controls relating to some services or hosts by avoiding going through the gateway;
+ double line of defense: exploiting a bug in one of the two devices is not enough to enter the internal network.
- cost: three devices are required;
- multi-vendor: the devices must be from three different manufacturers, otherwise they could suffer from common bugs.

9
Q

What is a circuit gateway and what does it protect from?

A

It is a non "application-aware" proxy that creates a transport layer circuit between the client and the server without any understanding of the syntax of the data in transit.
Pros and cons:
+ the servers are isolated from all attacks involving:
* the TCP three-way handshake: the protection is activated at the beginning of the session and lasts for the entire session;
* IP packet fragmentation: the proxy reassembles the packet to fully understand its contents.
- breakdown of the client-server model (for the duration of the session): it may require changes to the applications (e.g. client authentication, which normally occurs at the application level, not at the transport level);
- many limitations of the packet filter remain.

10
Q

IDS vs IPS: what they are and how they differ.

A

An Intrusion Detection System (IDS) is a system for identifying individuals who use a computer or network without authorization.
An Intrusion Prevention System (IPS) is a system that can detect intrusive activity and can also try to stop it, ideally before it reaches its objectives.
The difference is that an IDS notifies you if it detects an attack, while an IPS also tries to block it.

11
Q

Explain the operation of an application-level gateway component within a firewall and discuss its advantages and disadvantages.

A

It inspects packets at the application level (payload); it is made up internally of a series of proxies, one for each application protocol.
It can play the role of terminator: it interacts directly with the client as if it were the server, and with the server as if it were the client. It can perform the masking or renumbering of IP addresses, which may be necessary if it is acting as a terminator and one of the two parties asks for the authentication of the other. It can also have authentication functions, especially in egress: the gateway asks the client in the external network to authenticate itself in order to apply the appropriate policies to it.
Pros and cons:
+ maximum security: the rules are more granular and simpler than those of the packet filter, as the controls are based on the application layer;
+ parallelization: multiple CPU cores work in parallel (SMP).
- performance: more thorough checks require more time;
- application dependent: each application protocol requires a specific proxy, hence a delay in supporting new applications;
- resource consumption: many proxies mean many processes;
- low performance: the processes work in user mode;
- breakdown of the client-server model: it may not be completely transparent to clients, and often requires a modification of the client application;
- attacks: since the client interacts directly with the gateway, the firewall operating system is exposed to attacks;
- application-level security protocols: the firewall may not be able to correctly interpret the contents of the packets (e.g. SSL: the packet content is encrypted).

12
Q

Explain what the IPS technique consists of.

A

An Intrusion Prevention System (IPS) is a system that can detect intrusive activity and can also try to stop it, ideally before it reaches its objectives.
An IPS consists of:
* an IDS: detects an attack in progress (e.g. an excess of ICMP packets);
* a distributed dynamic firewall: reacts very quickly (e.g. blocks all ICMP traffic).
