Firewalls

Question 1

The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
(T/F)

Answer 1

True

Question 2

A firewall can serve as the platform for IPSec..(T/F)

Answer 2

True

Question 3

A packet filtering firewall is typically configured to filter packets going in both directions. (T/F)

Answer 3

True

Question 4

A prime disadvantage of an application-level gateway is the additional processing overhead on each connection. (T/F)

Answer 4

True

Question 5

A DMZ is one of the internal firewalls protecting the bulk of the enterprise network. (T/F)

Answer 5

False

Question 6

The _______ defines the transport protocol.

Answer 6

IP protocol field

Question 7

A _________ gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host.

Answer 7

circuit-level

Question 8

Typically the systems in the ________ require or foster external connectivity such as a corporate Web site, an e-mail server, or a DNS server.

Answer 8

DMZ

Question 9

A _______ configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control.

Answer 9

distributed firewall

Question 10

The ________ attack is designed to circumvent filtering rules that depend on TCP header information.

Answer 10

tiny fragment

Question 11

Firewall design goals

Answer 11

All traffic from inside to outside and vice versa must pass through firewall.

Only authorized traffic as defined by local security policy will be allowed to pass

The firewall itself is immune to penetration. (use hardened system)

Question 12

Critical component to planning/implementation of firewall

Answer 12

suitable access policy: lists traffic authoried to pass through firewall

Question 13

Type of traffic

Answer 13

address ranges

protocols

applications

content

Question 14

Firewall characteristics

Answer 14

IP Address and Protocol Values

Application Protocol

User Identity

Network Activity

Question 15

Firewall Capabilities

Answer 15

Firewall defines a single choke point that attempts to keep unauthorized user out of the protected network, prohibit potentially vulnerable services from entering/leaving network, and provide protection from IP spoofing and routing attacks

Provides location for monitoring security related events

Platform for internet functions not related to security

Platform for IPSec (implement virtual private networks)

Gives insight into traffic
mix via logging

Network Address Translation

Encryption

Question 16

Firewall Limitations

Answer 16

Firewalls cannot protect…

• -Traffic that does not cross it
• —–Routing around
• —–Internal traffic
• -When misconfigured

Can’t protect against attacks that bypass the firewall (internal systems with dial out or mobile broadband, or dial in)

Can’t fully protect against internal threats

Improperly secured wireless LAN accessible from outside

Laptop, PDA, portable storage device may be infected outside the network and then attached internally

Question 17

Types of Firewalls

Answer 17

Packet filtering

Stateful inspection

Application proxy/Application Level Gateway

Circuit level firewall/gateway/proxy

Question 18

Packet Filtering Firewall

Answer 18

Rules applied to incoming/outgoing IP packets.

Question 19

Packet Filtering Firewall

Filtering rules based on:

Answer 19

Source IP address

Destination IP address

Source and destination transport level address

IP Protocol field

Interface

Question 20

Packet Filtering Firewall

Default policies

Answer 20

Discard packets not expressly permitted
-More conservative, controlled, visible to users

Forward packets not expressly prohibited
-Easier to manage and use but less secure

Question 21

Packet Filtering Firewall weaknesses

Answer 21

don’t examine upper-layer data, so can’t prevent attacks that employ application specific vulnerabilities or functions

limited information available, so logging functionality limited

don’t support advanced user authentication schemes

vulnerable to attacjs and exploits of TCP/IP specification and protocol stack (network layer address spoofing)

small number of variables used in access control decisions, so susceptible to security breaches from improper configurations

Question 22

Packet Filtering Firewall

Typical attacks

Answer 22

IP address spoofing

Source routing attacks

Tiny fragment attacks

Question 23

Stateful Inspection Firewalls

Answer 23

creates directory of outbound TCP connections, entry for each currently established connection, firewalls only allows incoming traffic to high numbered ports for packets that fit profile in the directory

tightens up packet filters

Question 24

Application Level Gateway

Answer 24

aka application proxy

acts as a relay of application level traffic. user must be authenticated before gateway relays TCP segments containing application data between endpoints

More secure than packet filters

disadvantage: additional processing overhead on each connection

Question 25

Circuit level Gateway

Answer 25

aka circuit level proxy can be stand alone or specialized does not permit end to end TCP connection Gateway relays TCP segments from one connection to another without examining contents. Just determines which connections allowed Example: SOCKS

Question 26

Firewall Basing Considerations

Answer 26

Bastion Host: system id'd as critical strong point in network security Host-based firewall: software module used to secure individual host Personal firewall: controls traffic between PC/workstation and internet/enterprise network

Question 27

Firewall Location and Configuration options

Answer 27

DMZ Networks Virtual Private Networks Distributed Firewalls

Question 28

DMZ Networks

Answer 28

External firewall at edge of network just inside router that connects to Internet Internal firewalls protect the bulk of networked devices. 3 purposes: 1. adds more stringent filtering 2. two-way protection (protects remainder of network from attacks launched from DMZ and protects DMZ from internal attacks( 3. multiples internal firewalls protect internal systems from each other Systems externally accessible but protected

Question 29

Virtual Private Networks

Answer 29

set of computers that interconnect by means of unsecure network and make use of encryption and special protocls that provide security

Question 30

Distributed Firewalls

Answer 30

Stand-alone firewall devices plus host-based firewalls working together under central administrative control May need internal DMZ and external DMZ

Question 31

Firewall Topologies

Answer 31

Host-resident firewall (personal firewall software, firewall software on servers) Screening router (single router between internal and external networks with stateless or full packet filtering) Single bastion inline: (single firewall device between internal and external router) Single bastion T (similar to single bastion inline but with third network interface on bastion to DMZ) double bastion inline (DMZ sandwiched between bastion firewalls) Distributed firewall configuration

Question 32

Intrusion Prevention Systems

Answer 32

Host Based IPS (signature/heuristic or anomaly detection techniques to identify attacks) Network-Based IPS (inline NIDS with authority to modify/discard packets and tear down TCP connections) Distributed or Hybrid IPS (gathers data from host and network based sensors in central analysis system to return updated signatures and behavior patterns)

Question 33

Network-Based IPS | Methods to identify malicious packets:

Answer 33

- pattern matching - stateful matching - protocol anomaly - traffic anomaly - statistical anomaly

Question 34

Host Based IPS Examples

Answer 34

- modification of system - privilege escalation exploits - buffer overflow exploits - access to email contact lists - directory traversal

Question 35

Firewall defined

Answer 35

Firewall is a widely-deployed prevention technology.

Question 36

Firewalls can protect your computer and your personal information from

Answer 36

Hackers breaking into your system (attack traffic is often from untrusted parts of the Internet or even a known malicious sites, and a firewall can block it) Viruses and worms that spread across the Internet (There are several ways to identify and block such traffic: such as the volume of such traffic or that such traffic has specially crafted packets that are known to target vulnerable services, or the traffic from the all over the Internet including the untrusted networks; The firewall can use such knowledge to block such virus and worm traffic). Outgoing traffic from your computer created by a virus infection (This is similar to #2, except the traffic is outbound rather than inbound, )

Question 37

Firewalls cannot provide protection

Answer 37

Against phishing scams and other fraudulent activity, spyware being installed on your computer, or viruses spread through e-mail (spyware: stealing information and send it out to a site; such site can appear to be legitimate or at least not know to be malicious, and the volume of traffic can be small; so it can be hard for a firewall to stop it) Against Internet traffic that appears to be from a legitimate source (because firewall is designed to allow traffic from a legitimate source, e.g., another trusted network).

Question 38

Firewall Design Goals

Answer 38

Enforcement of security policies - -All traffic from internal network to the Internet, and vice versa, must pass through the firewall - -Only traffic authorized by policy is allowed to pass Dependable --The firewall itself is immune to subversion

Question 39

Filtering Types

Answer 39

Packet filtering --Access Control Lists Session filtering - -Dynamic Packet Filtering - -Stateful Inspection - -Context Based Access Control

Question 40

Packet Filtering Advantages

Answer 40

Simplicity Typically transparent to users and are very fast

Question 41

Tiny fragment attacks

Answer 41

The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information. Typically, a packet filter will make a filtering decision on the first fragment of a packet. All subsequent fragments of that packet are filtered out solely on the basis that they are part of the packet whose first fragment was rejected. The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through.

Question 42

In order for a fragmented packet to be successfully reassembled at the destination each fragment must obey the following rules.

Answer 42

each fragment must share a common fragment id number Each fragment must say what its place or offset is in the original unfragmented packet. Each fragment must tell the length of the data carried in the fragment. each fragment must know whether more fragments follow it.

Question 43

Bastion Hosts Common characteristics:

Answer 43

Runs secure O/S, only essential services May require user authentication to access proxyor host Each proxy can restrict features, hosts accessed Each proxy is small, simple, checked for security Limited disk use, hence read-only code Each proxy runs as a non-privileged user in a private and secured directory on the bastion host.

Question 44

Host Based Firewall Advantages

Answer 44

Filtering rules can be tailored to the host environment Protection is provided independent of topology Provides an additional layer of protection

Question 45

Advanced Firewall Protection

Answer 45

Stealth Mode hides the system fromthe internet by dropping unsolicited communication packets UDP packets can be blocked Logging for checking on unwanted activity Applications must have authorization to provide services

Question 46

Internal Firewall Purposes:

Answer 46

Add more stringent filtering capability Provide two-way protection with respect to the DMZ Multiple firewalls can be used to protect portions of the internal network from each other