Flashcards in Lecture 16: 6th November 2019 Deck (49)
What is a firewall?
A network security system implemented in hardware or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet. Firewalls also hide the structure of the internal network.
What is an IDS?
Intrusion Detection System = A network security system implemented in hardware or software that monitors a network or system for malicious activity or policy violations.
What do default permit and default forbidden mean?
They refer to the default action taken on a packet by a firewall when a matching rule cannot be found. Default permit = let it in/out; default forbidden = drop it.
What can firewalls do?
They cannot prevent all attackers, viruses or intruders, but they can:
- Permit authorised traffic
- Block or deny unauthorised traffic
- Log accesses in and out
- Provide a VPN link
- Authenticate users and give access to appropriate services
- Shield hosts
- Cache data to improve web site performance
- Filter content
When do firewalls work best?
As part of a multilayered approach, aka defence in depth.
What is defence in depth?
An information assurance concept in which multiple layers of security controls are used to protect a network to provide redundancy.
Why is placement an important consideration involving firewalls?
Need to consider required connections outside of the network. Keep them possible but minimise number of machines outside a firewall.
What are some types of firewalls?
Packet filters: look at packet headers for addresses, ports and protocols.
Stateful inspection filters: maintain state information and keep common ports open.
Stateless inspection filters: block or allow a packet based on header information alone.
Application proxies: simulate the application and perform access control.
Personal firewalls: block blacklisted traffic.
How do packet filtering firewalls work?
They inspect IP headers and TCP and UDP port numbers. The possible actions are bypass (allow through), discard, or protect (IPSec).
How do stateful inspection filtering firewalls work?
They examine the packet payload in addition to the headers to build up the state of each connection, held in a state table in a cache. If a packet doesn't correspond to the state of its connection, it is passed to a rule base to check whether it can be forwarded. This requires a lot of processing, but supports more protocols than a simple packet filter.
How do Application Level Proxies work?
Proxies analyse the application-layer data of IP packets. Proxies support protocols such as SMTP, HTTP, SSH and FTP; they are most commonly used for HTTP or SMTP traffic, functioning as a screen for all traffic into and out of those ports. They are relatively slow, as they have to inspect, compare and rebuild packets and process client requests. A proxy is a complete server and client implementation in one box for every protocol the firewall should handle.
Client connects to firewall.
Firewall validates request.
Firewall connects to server.
Response comes back through firewall.
Proxies can enforce application-specific policies, conceal clients, translate network addresses and filter content.
What are Application Level Proxies aka?
Application Gateway, Proxy Server or Application Firewall
What do proxies do?
A proxy server acts as a gateway between you and the internet. It's an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy.
How and why may proxies and packet filter firewalls be used together?
To provide defence in depth.
- Each type inspects different parts of IP packets.
- Proxies scan the whole data portion, and therefore create larger log files.
- If a packet filter has a rule for a packet, the action is as directed (block or allow), so it is relatively faster.
- A proxy has to rebuild the packet with new IP information.
- The proxy rebuild means that damaged packets are dropped.
What are some issues with firewalls?
They don't protect against skilled attackers.
An accurate description of the system state must always be maintained in order to know the weakest point of entry.
Many attacks come through legitimate-seeming downloads.
Rules may proliferate and be used to make attacks.
What are some limitations of firewalls?
They don't protect against bug-based attacks, internal attackers, or attacks from machines within the network once those are compromised.
They can be routed around: tunnelling, dial-up servers, cross-links.
They can be too restrictive and stop you from doing what you want.
Encrypted traffic can always get through, even if it is malicious.
Many services now run over HTTP to avoid firewalls, which defeats the purpose and has made protocol design worse.
What are some network topologies that pertain to firewalls?
Bastion Server: the bastion server can be the firewall, running all external services and acting as a packet filter or proxy. Alternatively, the firewall does packet filtering and monitoring, or there is a second LAN to hold the external servers that deal with mail, web, etc. services.
Screened Subnet (DMZ): the firewall has an interface towards the external network/Internet and another towards the protected network. A third interface card screens the screened subnet. This third area, the Demilitarised Zone, provides services to external users such as Web or SMTP servers.
Dual Firewalls: instead of a single firewall with 3 interfaces, the dual firewall design uses 2 firewalls with the screened subnet between them. The protected network is therefore behind two firewalls.
What is a firewall rule base?
A set of instructions that governs the actions of a firewall on packets with certain properties.
What are the fields in a firewall IDS?
1. Control or rule number
2. Type of rule: Allow, Deny, Drop, Alert
3. Direction of traffic: inbound or outbound
4. Transport protocol: UDP, TCP, etc.
5. Source socket: host and service identification
6. Destination socket: receiving host and service identification
7. Policy number: refers to management policies
What is a permissive firewall rule base?
Permissive = allow by default, block some.
- Easy to make mistakes.
- If you forget to block something, you are allowing it into the system unchallenged.
- Needs protocol management to prevent "on-the-fly" changes by staff.
What is a restrictive firewall rule base?
Restrictive = block by default, allow some.
- Much more secure.
- If you forget something, someone will complain and you can then allow the protocol, but this is overhead and annoying for users.
Why may tunneling be a security issue with firewalls?
An attacker can make an encapsulating tunnel that wraps the actual IP packets in a service or port number permitted by the firewall, and have them de-encapsulated on either side.
What is a vulnerability assessment?
The process of identifying, quantifying, and prioritizing (or ranking) security flaws in a system or network. May include open ports, software used, network topology, and a prioritised list of vulnerabilities.
What tools can you use to perform a vulnerability assessment?
Software: ISS Scanner, Stat, Nessus, etc.
Audit services: manual penetration tests.
Web-based commercial services: Qualys, Security Point, etc.
What is an intrusion?
Any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and almost always jeopardize the security of networks and/or their data.
What is an IDPS?
Intrusion Detection and Prevention System = the fuller name for an IDS, used to note the importance of preventing intrusions as well as detecting and reacting to them. IDS = a network security system implemented in hardware or software that monitors a network or system for malicious activity or policy violations.
In practice, firewalls and IDSes are combined into one system: an IDPS.
What are the 2 general approaches to intrusion detection?
Misuse detection: knowledge-based IDS, rule based.
Anomaly detection: behaviour-based IDS, statistical anomalies.
What is an attack signature?
A unique arrangement of information that can be used by an IDS to identify an attacker's attempt to exploit a known operating system or application vulnerability.
What is a knowledge-based IDS?
An IDS which looks for attack signatures in traffic data and log files to detect intrusions.