Firewall Overview and Techniques

Questions and Answers

What is the primary function of a firewall in a network?

• To serve as a database for storing sensitive information
• To define a single choke point that keeps unauthorized users out (correct)
• To manage physical connections of network hardware
• To provide high-speed internet access to users

Which technique does a firewall use to control the services that can be accessed?

• Behavior control
• Service control (correct)
• User control
• Direction control

What limitation is specifically highlighted regarding firewalls?

• Firewalls require constant user supervision.
• Firewalls may not protect against attacks that bypass the organization. (correct)
• Firewalls can prevent all types of network attacks.
• Firewalls are infallible if properly configured.

Which of the following is NOT a capability of a firewall?

Serving as a high-speed data processor (A)

In firewall management, what does user control primarily focus on?

Which user is attempting to access a service (A)

How does direction control function within a firewall?

It determines the direction of service requests allowed through the firewall. (C)

What type of services may a firewall prohibit?

Potentially vulnerable services entering or leaving the network (D)

What role does a firewall play in a virtual private network (VPN)?

It serves as the location for implementing the VPN. (A)

What is the primary role of intrusion detection systems (IDSs)?

To gather and analyze information for signs of intrusions (B)

Which type of IDS specifically monitors individual hosts for suspicious activity?

Host-based IDS (A)

What distinguishes an Intrusion Prevention System (IPS) from an Intrusion Detection System (IDS)?

IPS takes action to prevent attacks while IDS only logs activities (C)

Which of the following is NOT a component of an Intrusion Detection System?

Firewalls (D)

What is the function of an analyzer in an Intrusion Detection System?

To determine if an intrusion has occurred based on collected data (A)

What is a significant disadvantage of an Intrusion Prevention System (IPS)?

It can generate false positives and potentially block legitimate traffic (B)

How does a network-based Intrusion Detection System (IDS) function?

It analyzes network traffic and application protocols for suspicious activity (A)

Which of the following best describes the functioning of sensors in an IDS?

They collect data from various parts of a system to identify potential intrusions (B)

What is one significant limitation of packet filtering firewalls?

They cannot prevent attacks that exploit application-specific vulnerabilities. (D)

Which of the following is NOT a component examined by a packet filtering firewall?

Application type (A)

In the context of packet filtering firewalls, what is a common vulnerability associated with improper configurations?

Security breaches that arise from human error. (A)

Which of the following is an advantage of using packet filtering firewalls?

They are often transparent to users. (D)

What is one of the protocols typically allowed in the rules for packet filtering firewalls?

SMTP (B)

What does the term 'IP address spoofing' refer to in the context of attacks on packet filtering firewalls?

Transmitting packets from outside with a source IP that appears to be an internal host. (A)

What key feature do packet filtering firewalls lack regarding user authentication?

Advanced user authentication schemes. (D)

What countermeasure can be employed against IP address spoofing attacks?

Discard packets with an inside source address on an external interface. (B)

Which of the following is a characteristic of packet filtering firewalls?

They analyze individual packets at a basic level. (C)

What is a characteristic of a router-based firewall?

Acts as the first line of defense in a network (D)

Which firewall type involves two separate firewalls for added security?

Screened network firewall (A)

What is the main use of Network Address Translation (NAT)?

To translate internal IP addresses to public addresses (C)

What is a primary function of proxy servers in a network?

To provide logging information and protect against spoofing (D)

Which is true about single machine firewalls (SMFW)?

They are typically software-based and easy to configure. (B)

Which statement about intrusion detection systems is correct?

They detect violations of security policy that affect confidentiality, integrity, or availability. (D)

What is a common characteristic of hybrid firewalls?

They combine multiple firewall implementations like SPI and circuit level gateways. (A)

What is the primary function of the Windows 10/11 firewall?

To block both inbound and outbound packets (B)

What is one of the main characteristics of medium-sized network firewalls?

They often include a dedicated network administration personnel. (C)

How should firewalls be maintained for optimal security?

Logs should be reviewed periodically for anomalies and performance statistics utilized. (B)

What is the main purpose of a network-based intrusion detection system (NIDS)?

To monitor and analyze network packets for suspicious activity. (A)

What is a common disadvantage of preemptive blocking in intrusion detection?

It may block legitimate traffic due to false positives. (B)

In anomaly detection, what defines acceptable behavior levels?

Normal usage profiles (C)

Which method is NOT typically associated with anomaly detection?

Signature-based detection (A)

What is the main function of a honeypot in cybersecurity?

To serve as bait for attackers to analyze their methods. (C)

What type of signature detection looks for specific patterns in packet headers?

Header condition signatures (A)

What challenge does user/group work profiling face in dynamic environments?

Difficulty in maintaining updated profiles due to changing behaviors. (B)

In relation to incident management, what is data normalization?

The act of identifying and correcting discrepancies in data formats. (D)

What is the primary mode of operation for Snort that monitors all traffic on a computer?

Sniffer mode (D)

Which technique is often used for analyzing payloads in real-time?

Sandboxing (B)

What does resource profiling measure in anomaly detection?

The typical resource usage across the system. (B)

What type of problems can payload analysis help identify?

Malicious payload patterns (C)

What is the purpose of correlation in incident management?

To identify relationships and patterns across different data entries. (D)

Which aspect of anomaly detection can lead to false positives?

Threshold monitoring (C)

What is the primary purpose of a perimeter network (DMZ)?

To isolate internal systems from external threats (A)

Which two main approaches to intrusion detection are commonly recognized?

Signature-based and anomaly-based detection (A)

What is a critical challenge in implementing a Web proxy for all external traffic?

Identifying what constitutes Web traffic (D)

What is a key feature of intrusion detection systems?

Monitoring network traffic to identify suspicious behavior (A)

Which characteristic is essential for firewalls to effectively enhance security?

Monitoring and filtering of incoming and outgoing traffic (B)

Flashcards

Firewall Techniques

Methods used by firewalls to control access and enforce security policies.

Service Control

Firewall technique deciding which internet services can access the network (inbound/outbound).

Direction Control

Firewall technique deciding the direction of service requests allowed through the firewall.

User Control

Firewall technique controlling access to a service based on the user attempting to access it.

Behavior Control

Firewall technique controlling how individual services are used.

Firewall Capabilities

Features of firewalls in protecting networks and supporting internet functions.

Firewall Limitations

Weaknesses firewalls have in protecting against certain types of attacks or security loopholes.

Unauthorized Access

Untrusted users attempting to gain access to a network bypassing a firewall.

Internal Firewall

A firewall that separates parts of an enterprise network, protecting it from internal threats.

Packet Filtering Firewall

A basic firewall examining packet details (source, destination, port, protocol) to control network access.

Source Address

The address of the computer sending the network packet.

Destination Address

The address of the computer receiving the network packet.

Source Port

A number associated with the application program on a computer sending a network packet.

Destination Port

A number associated with the application program on a computer receiving a network packet.

IP Spoofing

An attack where the attacker pretends to be a trusted device on the network.

Countermeasure (Spoofing)

Discarding packets with an inside source address if they arrive on an external interface.

Firewall Weakness

Packet filtering firewalls don't prevent attacks exploiting application vulnerabilities.

Firewall Advantage

Packet filtering firewalls are fast and simple to use.

Intrusion Detection

The process of analyzing system events to identify possible security breaches.

Intrusion Prevention

A proactive approach to security that actively blocks potential threats.

Intrusion Detection System (IDS)

Software or hardware that monitors a system for unauthorized access attempts and alerts administrators.

Host-based IDS

An IDS that monitors activity on a single computer, like a laptop or server.

Network-based IDS

An IDS that monitors traffic across a network, looking for suspicious activity.

IDS Sensors

Components of an IDS that collect data from various parts of a system.

IDS Analyzers

Parts of an IDS that analyze sensor data to determine if an intrusion is happening.

IDS User Interface

A way for users to view IDS outputs and manage its behavior.

Hybrid Firewall

Combines various firewall techniques like stateful packet inspection (SPI) and circuit-level gateways for enhanced security.

Network Host-Based Firewall

A software-based firewall installed on a network host that controls incoming and outgoing traffic based on defined rules.

Dual-Homed Host Firewall

A network host with two network interfaces, one connected to the external network and the other to the internal network, both secured by separate firewalls.

Router-Based Firewall

A firewall integrated into a network router, providing basic packet filtering and security for the entire network.

Screened Host Firewall

A firewall setup that combines a bastion host (a hardened system) and a screening router for enhanced security.

DMZ (Demilitarized Zone)

A separate segment of a network that hosts servers exposed to the public internet, protected by two firewalls for security.

Stateful Packet Inspection (SPI)

A firewall technique that analyzes the entire state of a communication session, not just individual packets, to identify and block suspicious activity.

Application Gateway Firewall

A firewall that focuses on protecting specific applications, filtering traffic based on the application's protocol and behavior.

Proxy Server

A server that acts as an intermediary between a client and a server, hiding the client's identity and providing additional security benefits.

Network Address Translation (NAT)

A technique that translates private IP addresses on a network to public IP addresses used on the internet, allowing multiple internal devices to share a single public IP address.

Perimeter Network (DMZ)

A network segment that sits between an internal network and the external internet, acting as a buffer for public-facing services. It provides an extra layer of security by isolating sensitive systems from direct external access.

Types of IDS Approaches

Two main approaches: signature-based and anomaly-based. Signature-based IDS searches for known attack patterns, matching them to a database of signatures. Anomaly-based IDS identifies unusual behavior compared to normal network traffic, even if the attack patterns are unknown.

Network Traffic Analysis

Analyzing the flow of data packets within a network to identify patterns, anomalies, and suspicious behavior. It examines factors like source and destination IP addresses, ports, protocols, and packet size.

Payload Analysis

Examining the actual content of data packets to detect malicious code or suspicious data. This delves deeper, looking for specific keywords, patterns, and potential threats hidden within the data.

Preemptive Blocking

A security measure that attempts to prevent intrusions by blocking suspicious activity before it becomes malicious. It operates by analyzing user behavior and blocking activities that deviate from normal patterns.

Anomaly Detection

A security approach that identifies potential intrusions by detecting deviations from normal network behavior. It relies on establishing baseline patterns of normal activity and flagging any significant departures.

Threshold Monitoring

A technique used in anomaly detection that sets limits for acceptable network activity. Any behavior that exceeds these limits triggers an alert, suggesting a potential security breach.

Resource Profiling

A method for detecting anomalies by analyzing system-wide resource utilization. It creates profiles of typical resource usage and identifies any significant deviations as potential threats.

User/Group Work Profiling

A technique for anomaly detection that establishes profiles of typical user or group activities. Any behaviors that fall outside these profiles are considered suspicious.

Executable Profiling

A method that monitors the resource use of programs to detect malware attacks. It analyzes how programs utilize system resources and flags any abnormal resource consumption as potentially malicious.

Network-Based Intrusion Detection System (NIDS)

A security system that monitors network traffic in real-time for malicious activities. It analyzes network packets for suspicious patterns or known attack signatures.

String Signatures

A type of intrusion detection technique that identifies known malicious patterns in network packets. These patterns are like unique fingerprints of known attacks.

Port Signatures

A type of intrusion detection technique that monitors network traffic to see if it's attempting to access known vulnerable ports. These ports are often exploited by attackers to gain unauthorized access.

Header Condition Signatures

A type of intrusion detection technique that analyzes the headers of network packets for suspicious patterns. Attackers often try to manipulate packet headers to deceive security systems.

Snort

A popular, open-source intrusion detection system (IDS) available on various platforms. It can monitor network traffic for suspicious patterns and potential attacks.

Sniffer Mode (Snort)

A mode in Snort where it passively captures all network traffic on a system to analyze it. Useful for identifying potential security threats or observing encrypted traffic.

Packet Logger Mode (Snort)

A mode in Snort where it records all captured network traffic into a file. Useful for analyzing patterns or searching for specific activities.

Network Intrusion-Detection Mode (Snort)

A mode in Snort where it actively analyzes network traffic for suspicious activity based on predefined rules. When a rule is triggered, Snort can issue alerts or take further actions.

Honeypot

A decoy system designed to attract and trap attackers. It's set up to appear as a valuable target, but it's actually a controlled environment where attacker actions are monitored and analyzed.

Incident Management

A structured process for handling and responding to security incidents. It involves detecting incidents, assessing their impact, coordinating response actions, and learning from the experience.

Study Notes

Firewall Overview

• Firewalls are essential components of computer and network security.
• They act as a barrier between a protected network (e.g., enterprise network) and the untrusted outside world (e.g., internet).
• Firewalls control access to and from the network.
• There are various types of firewalls with different capabilities like packet filtering, stateful inspection, application-level gateways and circuit-level gateways.

Firewall Techniques

• Firewalls use various techniques to control access and enforce security policies.
• This includes service control to define allowed internet services, direction control to specify traffic direction, user control to manage access based on the user and behavior control to dictate how services operate within the firewall.

Firewall Capabilities

• Firewalls define a single choke point to prevent unauthorized access.
• They control and filter services entering or leaving the network.
• Firewalls offer protection against IP spoofing and other attacks.
• They provide a central point for monitoring security events.
• Firewalls facilitate several internet functions not related to security, such as virtual private networks.

Firewall Limitations

• Firewalls cannot block attacks that bypass them.
• They may not fully protect against internal threats, such as malicious or compromised employees.
• Improperly secured wireless networks can bypass firewalls.
• Firewalls may not protect against attacks on internal devices or connections.

Packet Filtering Firewalls

• These are basic firewalls that inspect packets' source and destination addresses, ports, and protocols.
• Rules define allowed traffic based on these criteria.
• Simple to implement but have limited capabilities.
• Prone to vulnerabilities and attacks exploiting TCP/IP issues.

Stateful Inspection Firewalls

• Firewalls actively monitor network connections and maintain a state table of active connections.
• They can analyze the context of packets and thus are more resistant to attacks that depend on packet order or content.
• More secure than simple packet filtering but may still be vulnerable to sophisticated attacks.

Application-Level Gateways (Application Proxies)

• Firewalls operate at the application layer, filtering traffic based on application-level details.
• This provides more robust security than packet filtering at the lower layers.
• Introduces higher processing overhead for each connection.

Circuit-Level Gateways

• Firewalls operate at the TCP connection level.
• The firewall verifies that connections are authentic and valid.
• Suitable when administrators trust the internal users but offers no application-layer filtering.

Hybrid Firewalls

• Combining various firewall types.
• State Inspection firewall and Circuit level firewall might be used together.
• More complex but offer enhanced security.

Intrusion Detection Systems (IDS)

• Systems passively monitor network activity and detect suspicious events or activities.
• They log observed activity and alert administrators when intrusions are detected.
• There are host-based IDS and network-based IDS.
• Host-based monitors individual host activity, while network-based monitors activity on network segments.

Intrusion Prevention Systems (IPS)

• System actively tries to prevent ongoing attacks.
• System intervenes to stop potential attacks via a variety of techniques based on network or host patterns.
• Can be an important security tool.

Common Firewall Implementations

• There are four main implementations:
• Network host-based
• Dual-homed host
• Screened host
• Routed based firewall.

Problems With Firewalls

• A common management issue is requiring all external web traffic to go through the organization's web proxy.
• It is complicated to establish network traffic, define what constitutes web traffic, and decide on appropriate ports and protocols for monitoring.

Summary

• Firewalls are crucial for network security
• These networks act as a critical security layer, controlling and filtering traffic flow.