Firewalls Flashcards
(36 cards)
Firewall policies rarely concern themselves with the _______________ layer.
Data Link Layer
NAT (is / is not) considered a firewall technology.
NAT is not considered a firewall technology.
The network(s) that is on a firewall’s internal interface is sometimes referred to as the ________ interface (or network).
protected
(True / False) Most firewalls sold today provide stateful packet filtering.
True
The most common example of a pure packet filtering device is a router that employs _____________
Access Control Lists
_________ ______ being blocked by firewalls is a common cause of VPN interoperability issues.
Fragmented Packets
As a general rule, what should firewalls do with fragments?
a. Block them all
b. Permit them all
c. Reassemble them, then make the appropriate permit/deny decision
d. No general rule was provided, must consider on case-by-case basis.
d. No general rule was provided, must consider on case-by-case basis.
Firewalls become stateful and track the state of connections by incorporating greater awareness of the _________ layer.
Transport
What specific transport layer information do you think (or know) the firewall will use/reference to gather information about the state of a connection?
- Flags
- Socket Pairs
- Seq Numbers
- Ack Numbers
What is said with regard to stateful inspection of UDP traffic?
a. UDP traffic simply cannot be filtered statefully because it’s a connectionless protocol.
b. UDP traffic can be filtered statefully the same way as TCP traffic.
c. Stateful filters will use matching IPs and port numbers to filter UDP statefully.
d. Stateful filters will use flags in the UDP header to filter statefully.
c. Stateful filters will use matching IPs and port numbers to filter UDP statefully.
How does a stateful (non-application-level) firewall know when to remove a UDP (or other stateless protocol) session from its state table?
a. By observing the corresponding Fin/Ack session termination traffic.
b. By observing session payload information to determine when the transaction is complete.
c. By sending an ICMP message to the client to query for continued session usage.
d. It cannot know, and must resort to simple time-out.
d. It cannot know, and must resort to simple time-out.
How does a stateful, application-level firewall know when to remove a DNS UDP (i.e., a specific instance of UDP traffic) session from its state table?
a. By observing the corresponding Fin/Ack session termination traffic.
b. By observing session payload information to determine when the transaction is complete.
c. By sending an ICMP message to the client to query for continued session usage.
d. It cannot know, and must resort to simple time-out.
b. By observing session payload information to determine when the transaction is complete.
Application firewalls are referred to by some vendors as deep packet inspection firewalls. What is meant/implied by “deep”?
That the firewall blocks content that is abnormal at the application layer.
Some application firewalls might employ a security-control feature that directly mitigates one of the principal threats for computer security: buffer overflow attacks. What is this security control?
Input Validation
“Positivity” refers to the strategy of ensuring that the traffic/transactions involved in support of a particular protocol follow the expected (i.e., good, i.e., positive) behavior. This is in contrast to the (more typical) strategy of trying to identify all bad (“negative”) behavior. What is the term used for this concept?
RFC Compliance
Firewall terminology—particularly with respect to capabilities—is quite confusing owing to differing names given to the same technology and differing technology descriptions given for the same technology name! I’ll have more to say on this in lecture. According to this section, what is/are the main distinction(s) between an application firewall (AF) and an application-proxy gateway (APG)?
a. APG better “isolates” the protected host, and can inspect encrypted traffic.
b. AF actually understands the application layer, whereas APG only looks for signatures.
c. APG will double as a Web cache server, whereas an AF won’t.
d. AFs can operate transparently, APG-based firewalls are by their nature non-transparent.
a. APG better “isolates” the protected host, and can inspect encrypted traffic.
Aside from issues of traffic workload/throughput (affecting availability), which of these most succinctly addresses the main disadvantage of application-proxy gateways?
a. The requirement to have crypto keys installed.
b. “Generic agents”
c. The inability to install them in a manner that is transparent to the protected host(s).
d. The inability to require/check authentication of individual network users.
b. “Generic agents”
Dedicated proxy servers are generally used to decrease firewall [the dedicated network firewall that is] workload and conduct __________________ filtering and __________________ that might be difficult to perform on the firewall itself.
Dedicated proxy servers are generally used to decrease firewall [the dedicated network firewall that is] workload and conduct SPECIALIZED filtering and LOGGING that might be difficult to perform on the firewall itself.
The two most common VPN protocols are
a. SSL and L2TP
b. TLS and SSL
c. IPSec and SSL/TLS
d. IPSec and WPA
c. IPSec and SSL/TLS
The two most common VPN architectures are
a. Authentication and Encryption
b. Site-to-site and end-to-end
c. Gateway-to-gateway and host-to-gateway
d. Tunneled and Direct
c. Gateway-to-gateway and host-to-gateway
Many firewalls include _______________ _________________ for encryption to minimize the impact of VPN services. (FYI: this is very similar to previous lecture discussion regarding ASIC)
Hardware Acceleration
What is NAC (Network Access Control)?
a. Just another fancy name for firewalling/filtering of network traffic.
b. Control of protected network access via more thorough ingress packet inspection.
c. A term used to describe a network that only permits access via VPN.
d. Limits network access contingent upon requestor’s “health check” and credentials.
d. Limits network access contingent upon requestor’s “health check” and credentials.
All other things being equal… which of these would you think/intuit would be able to perform more reliable and accurate protection for a specific host (client or server)?
a. A network-based firewall
b. A host-based firewall
b. A host-based firewall
What was the “bottom-line” security take-away regarding the use of UPnP?
a. It should be enabled for maximum security.
b. It should only be enabled for hosts that are being used remotely.
c. It should be off by default, due to risk of being subverted by a malicious application.
d. It should be on by default, then only de-activated if a known threat is discovered.
c. It should be off by default, due to risk of being subverted by a malicious application.