Perimeter defense: Firewalls, VPNs, and Intrusion Detection

Questions and Answers

Which principle reflects fire-resistant doors designed to isolate damage and contain spread in case of fire, mirroring the purpose of network firewalls?

  • Least-Privilege
  • Isolated-Compartments (correct)
  • Safe-Defaults
  • Complete-Mediation

In a network firewall's basic model, what is the term for packets arriving from the private network viewpoint?

  • Outbound
  • Internal
  • Inbound (correct)
  • External

What action does a 'first-matching rule' firewall take when a packet satisfies a condition?

  • Applies all rules whose conditions are met.
  • Ignores the packet and proceeds to the next rule.
  • Takes the action specified by the first rule whose condition is met. (correct)
  • Skips processing the packet entirely.

Which of the following actions can a packet-filter firewall NOT take?

Answer: Modify the packet's payload. (B)

What is the primary difference between a stateless and a stateful packet filter?

Answer: A stateless filter processes each packet independently, while a stateful filter keeps track of packet details. (C)

What motivates a default-deny firewall ruleset?

Answer: The principle of 'safe defaults'. (B)

What is a key limitation of relying solely on firewalls for network security?

Answer: Firewalls cannot protect against malicious insiders. (C)

How might a malicious actor bypass firewall rules that rely on port numbers to allow only permitted services?

Answer: By tunneling one protocol through another. (A)

Why is content-based inspection at firewalls precluded by encryption?

Answer: Encryption prevents the firewall from reading the content. (B)

What is the purpose of a DMZ (demilitarized zone) in an enterprise firewall architecture?

Answer: To create a subnetwork between the external network and the internal network that provides an additional layer of security. (D)

What capability does SSH provide?

Answer: An encrypted tunnel for secure communication. (B)

Which protocol is NOT typically replaced by SSH?

Answer: ICMP (C)

In the context of SSH, what is the purpose of the transport layer protocol?

Answer: To provide server authentication, encryption, and integrity protection. (D)

What is the 'trust on first use' (TOFU) approach in SSH server authentication designed to protect against?

Answer: Passive attackers. (D)

In SSH, what does local port forwarding achieve?

Answer: It redirects data from unsecured applications through an SSH tunnel. (D)

What security risk is associated with “trusted” login hosts?

Answer: An attacker gaining access to one account can gain password-free access to other machines. (A)

What is the primary purpose of encrypting entire packets at origin before network transmission?

Answer: To protect the packet content from eavesdropping and tampering. (D)

What is the technique of 'tunneling' in networking?

Answer: One data stream's journey being facilitated by another. (C)

What is a key benefit of using a VPN?

Answer: Secure transit via public/untrusted channels. (A)

What is a limitation of relying on encrypted tunnels for network security?

Answer: They make network monitoring and content-based filtering difficult. (D)

In IPsec, what function does the IKE protocol serve?

Answer: Key management. (B)

What does an IPsec Security Association (SA) define?

Answer: A set of security parameters for a communication session. (D)

Within IPsec, what is the primary function of the Authentication Header (AH)?

Answer: To provide a MAC for data origin authentication. (C)

When using IPsec in transport mode, where is the IPsec header inserted in the packet?

Answer: After the original IP header, before the original IP payload. (A)

Which deployment is NOT a typical approach for integrating IPsec into a system?

Answer: Application-level proxy. (C)

What does 'IP address' identify?

Answer: An addressable interface for data delivery to an IP host device. (C)

Which protocol maps IP addresses to physical MAC addresses on a local area network (LAN)?

Answer: ARP (C)

What is the role of 'ports' in networking?

Answer: To allow servers to host more than one service. (B)

What is the purpose of the TCP three-way handshake?

Answer: To establish a reliable connection between two hosts. (A)

What is the function of ICMP (Internet Control Message Protocol)?

Answer: To send error, diagnostic, and control messages. (D)

Flashcards

Firewall

A gateway providing access control functionality to allow, deny, or modify data passing between networks.

Complete Mediation

The principle that network traffic should not bypass the firewall in any direction.

Perimeter-Based Defenses

Protecting a trusted internal network from an untrusted external network.

Inbound Packets

Packets arriving at a network from an external source.

Outbound Packets

Packets leaving a network to an external destination.

Stateless Packet Filter

A firewall that examines each packet independently.

Stateful Packet Filter

A firewall that keeps track of packet details for later use.

Default-Deny Rulesets

A set of firewall rules where a packet is only allowed if it explicitly matches an accept rule.

Firewalls as Chokepoints

Using an entry point as a central point for monitoring, control, and packet rejection.

Network DMZ

A subnetwork positioned between an external network and an internal network to be protected.

Bastion Host

A defensive host exposed to a hostile network, hardened to withstand attacks.

Dual-Homed Host

A computer with two distinct network interfaces.

Tunneling

Combining one protocol inside another to bypass firewall restrictions.

Proxy Firewall

A security intermediary between an internal client and an external service.

Circuit-Level Proxy Firewall

A firewall that relays connections through a single proxy point.

Application-Level Filter

Carries out application-specific processing for authorized applications.

SSH

Secure Shell, provides an encrypted tunnel to a shell.

Trust in Host Key

Verifying the server's public key before trusting it.

SSH Port Forwarding

Data from unsecured applications sent through a secure SSH connection.

SCP

Transferring files securely using SSH.

Private Network

Network that is intended for access only by trusted users.

Site-to-Site VPNs

Bridging Private Networks across a public channel.

Remote Access VPNs

Allow authorized clients remote access to a private network.

Limitations of Encrypted Tunnels

Prevents effective network-based monitoring and filtering.

IPsec

Provides network-layer security services, encryption, and authentication.

IPsec Suite

Allows multiple security services to be delivered through three protocols.

Study Notes

  • Chapter discusses perimeter-based defenses, starting with firewalls and technologies to secure network communications

Key points:

  • Encrypted tunnels and virtual private networks (VPNs) are illustrated by SSH and IPsec
  • Risks of network-accessible services and how to securely provide such services are considered
  • Focuses on network defense options and their limitations
  • Puts security design principles into practice
  • Includes reminders of computer security goals: protecting data and passwords in transit, protecting resources from unauthorized network access, preserving integrity and availability of hosts against network-based threats
  • Firewalls at enterprise perimeters keep out unauthorized traffic
  • Intrusion detection systems provide awareness and opportunities to ameliorate breaches
  • User traffic is cryptographically protected by technologies like IPsec VPNs, SSH, TLS, and encrypted email
  • Authentication of incoming packets distinguishes authorized entities and data

Network-accessible services:

  • The flexibility and functionality enabled by network-accessible services come with security implications
  • Remote access to network-based services should be over secured channels, complemented by mechanisms for monitoring traffic and partial control of flow

Encrypted network communications:

  • Provide legitimate parties protection for transmitted data and remote access to trusted environments
  • Intruders or malicious insiders can use the same tools, making their communications inaccessible to defenders' network monitoring
  • Reinforces the importance of proper access control, authentication, policy enforcement, and intrusion detection

Packet-Filter Firewalls:

  • A network security firewall provides access control functionality to allow/deny and modify data between two networks
  • Designed so that traffic cannot bypass the firewall in either direction; in theory, packets therefore undergo complete mediation
  • Network firewalls serve in perimeter-based defenses, protecting a trusted private (internal) network from an untrusted public (external) network like the Internet

Inbound vs. Outbound Packets:

  • Packets arriving, from the private network's viewpoint, are inbound
  • Packets leaving are outbound
  • Filtering inbound packets protects the internal network from the Internet
  • Filtering outbound packets allows awareness and partial control of data sent/services accessed (e.g., to enforce security policy, detect unauthorized transfers or data exfiltration)

Packet-Filter Rules and Actions:

  • A packet-filter firewall is configured with a list of rules of the form (condition, action)
  • The action taken for a packet is that specified by the first rule whose condition it satisfies
  • Primary actions include ALLOW (permit), DROP (discard silently), and REJECT (drop and inform the source)
  • REJECT can send a TCP RST packet, or an ICMP "destination unreachable" for UDP
  • Additional logging of packets may occur
  • For efficiency, conditions are based on five TCP/IP header fields (src_addr, src_port, dst_addr, dst_port, prot (protocol)), plus the ICMP type/code for ICMP packets

Stateless vs. Stateful Filters:

  • Simple stateless packet filter: processes each packet independently of all others
  • Stateful packet filter: tracks details as packets are processed for later use via a firewall state table
  • Stateful filters track TCP connection states to treat packets from established connections differently
  • Dynamic packet filters: track connection-related socket details or automatically change rules

Packet-Filtering Rules:

  • Mitigate spoofed source IP addresses
  • Deny packets from spam servers; allow/restrict incoming connections to mailservers
  • Control outbound HTTP requests, allowing responses while rejecting unsolicited inbound packets
  • Allow DNS queries and responses
  • Address denial of service
  • Default Deny - Block packets matching no other rules
  • Stateful filtering allows SYN-ACK packets only if a SYN packet was recently sent

Default-Deny Rulesets:

  • The safe-defaults principle motivates default-deny: packets are allowed only by explicit accept rules constructed from a security policy stating what access is allowed
  • Default-allow, which permits any packet lacking an explicit blocking rule, has tempting usability but is unnecessarily dangerous
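As an added example that is not part of the original lesson, here is the first-matching-rule model just described, with a default-deny tail and a stateful check that admits a SYN-ACK only when an inside host sent the matching SYN; the addresses, ports and rules are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed example (made-up addresses, ports, rules): first-match filter, default deny, stateful SYN-ACK.
# A packet carries the five header fields the rules consult, plus TCP flags and its direction
# as seen from the private network.
Packet = namedtuple("Packet", "src_addr src_port dst_addr dst_port prot flags direction")

@dataclass
class Rule:                          # condition fields; None means "match any"
    action: str                      # "ALLOW", "DROP" or "REJECT"
    direction: Optional[str] = None
    src: Optional[str] = None        # CIDR of matching source addresses
    dst: Optional[str] = None
    prot: Optional[str] = None
    dst_port: Optional[int] = None
    established_only: bool = False   # stateful: match only a SYN-ACK answering a logged SYN

    def matches(self, pkt, state):
        checks = [
            self.direction in (None, pkt.direction),
            self.src is None or ip_address(pkt.src_addr) in ip_network(self.src),
            self.dst is None or ip_address(pkt.dst_addr) in ip_network(self.dst),
            self.prot in (None, pkt.prot),
            self.dst_port in (None, pkt.dst_port),
        ]
        if self.established_only:
            reply_to = (pkt.dst_addr, pkt.dst_port, pkt.src_addr, pkt.src_port)
            checks.append(pkt.flags == {"SYN", "ACK"} and reply_to in state)
        return all(checks)

class PacketFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()           # state table: outbound SYNs as (src, sport, dst, dport)

    def decide(self, pkt):
        for rule in self.rules:      # the first rule whose condition holds decides
            if rule.matches(pkt, self.state):
                if rule.action == "ALLOW" and pkt.direction == "outbound" and pkt.flags == {"SYN"}:
                    self.state.add((pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port))
                return rule.action
        return "DROP"                # default deny when no rule matches

RULES = [
    Rule("DROP", direction="inbound", src="10.0.0.0/8"),                             # anti-spoofing
    Rule("ALLOW", direction="outbound", src="10.0.0.0/8", prot="tcp", dst_port=80),  # outbound HTTP
    Rule("ALLOW", direction="inbound", prot="tcp", established_only=True),           # replies only
    Rule("ALLOW", direction="inbound", dst="10.1.1.25/32", prot="tcp", dst_port=25), # mail server
    Rule("DROP"),                                                                    # explicit default deny
]

def run_demo():   # outbound SYN, its SYN-ACK, an unsolicited SYN-ACK, a spoofed SYN, a mail connection
    fw = PacketFilter(RULES)
    pkts = [Packet("10.0.0.5", 40000, "203.0.113.7", 80, "tcp", frozenset({"SYN"}), "outbound"),
            Packet("203.0.113.7", 80, "10.0.0.5", 40000, "tcp", frozenset({"SYN", "ACK"}), "inbound"),
            Packet("198.51.100.9", 80, "10.0.0.5", 40001, "tcp", frozenset({"SYN", "ACK"}), "inbound"),
            Packet("10.0.0.99", 40000, "10.0.0.5", 22, "tcp", frozenset({"SYN"}), "inbound"),
            Packet("198.51.100.9", 51000, "10.1.1.25", 25, "tcp", frozenset({"SYN"}), "inbound")]
    return [fw.decide(p) for p in pkts]   # ["ALLOW", "ALLOW", "DROP", "DROP", "ALLOW"]
```

Note that the unsolicited SYN-ACK and the spoofed internal-source packet both fall through to DROP, and rule order matters: moving the anti-spoofing rule below the reply rule would change the outcome for a crafted SYN-ACK.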

Firewalls and Security Policy:

  • Packet filter executes rules determining which packets may enter/exit an enterprise network
  • Instantiates an internal security policy
  • In practice, filtering outbound service requests by the destination port in TCP headers would be reliable only if server ports were guaranteed to be bound to known services

Limitations & other details:

  • Firewalls can be used to protect legacy applications within contained subnetworks
  • Firewalls act as an enforcement point monitoring incoming access by remote adversaries
  • Firewalls instantiate accepted defensive principles like defense-in-depth and isolation
  • Traditional firewalls are not intrusion-detection systems
  • Firewalls may be bypassed by tunneling, and content-based inspection is precluded by encryption without interception
  • Packet filtering may involve a dynamic (temporary) rule allowing an out-to-in connection to a specific port
  • Firewalls commonly provide complementary services such as NAT, VPN endpoints, network monitoring, and logging

Dedicated vs. Hybrid Firewalls:

  • Dedicated firewalls: smaller attack surface, and benefit from specialist expertise and purpose-built architectural features
  • Hybrid appliances reduce the number of security boxes, providing multiple functions plus intrusion detection and deep packet inspection

Personal and Distributed Firewalls:

  • Host-based firewalls filter packets into/out of each individual host, and are supported by major operating systems
  • Use case: end-user machines on untrusted networks
  • One default-deny approach prompts the user on an application's first access request, building allowlists/denylists over time
  • Distributed firewalls enforce centrally defined policies that are distributed to individual hosts

Proxy Firewalls and Firewall Architectures:

  • Proxy firewalls, including circuit-level and application-level filters, act as intermediaries between internal clients and external services
  • Circuit-level proxy firewalls generically relay connections through a single proxy point; their primary mediation is to allow or deny the connection, after which bytes are relayed
  • Application-level filters carry out application-specific processing through multiple specialized processors for a pre-determined set of authorized applications

Proxy Firewall Requirements:

  • Must provide transparency and limited performance degradation

Circuit-Level Proxies:

  • Deliver on the enterprise goal of safely facilitating outbound connections

Application-Level Filters:

  • Filter traffic using specialized programs for a pre-determined set of applications
  • May not only block packets entirely, but also alter payloads

Bastion Hosts:

  • A defensive host exposed to a hostile network
  • Should be hardened (locked down) by disabling all non-essential services and interfaces
  • Provides the function of facilitating controlled Internet access for internal hosts

Dual-homed host:

  • A computer with two distinct network interfaces, and correspondingly two network addresses
  • If routing functionality between the two interfaces is disabled, a dual-homed host is suitable for a circuit-level proxy

Enterprise Firewall Architectures:

  • A single screening router (router with packet filtering) offers basic protection but limited configurability
  • DMZ provides an outer layer in a Defense-in-Depth strategy but must maintain Least-Privilege policies

SSH (Secure Shell):

  • The Internet Protocol (IP) lacks built-in security services
  • SSH provides an encrypted tunnel to get to a shell (and other programs)
  • Using TCP for reliable packet transport, SSH provides a security tunnel via its own transport layer protocol, protecting both login passwords sent to remote services and other data carried over TCP
  • Any program available on a remote host can be run through the security tunnel, which can also secure custom-built utilities

SSH Security:

  • Transport layer protocol: server authentication, encryption, and integrity protection
  • SSH client-to-server authentication
  • Connection protocol enables use of a single SSH connection for multiple purposes
  • Conformant software must support the client public-key option, but all clients need not have public keys
  • TLS set-up (Chapter 9) similarly uses a recognized server public key to establish a fresh session key

SSH Clients:

  • During session negotiation, the SSH server declares which client authentication methods its SSH clients may use, including:
      • client password
      • Kerberos ticket
      • client public key

SSH Servers

  • Server authentication involves a server public key called the SSH host key, with standard protocols using a recognized public key for authenticated key establishment
  • Clients commonly accept the host key on trust on first use (TOFU); the end user can cross-check the key's fingerprint

Trust Models for SSH Host Keys:

  • Model 1 (client database): an SSH server key, once accepted, is stored in a local client database and used thereafter as the trusted key for that server
  • Model 2 (CA-certified SSH server keys): the client uses a CA verification public key to verify offered SSH host keys

SSH Forwarding

  • SSH uses port forwarding of TCP ports to redirect data from unsecured applications through a pre-established SSH connection

VPNs and Encrypted Tunnels

VPN Motivation: Plaintext Packets:

  • Normal TCP/IP packets are plaintext, where content is visible and alterable
  • Idea: Encrypt entire packets at origin devices before network transmission

Tunneling:

  • One data stream's journey (the inner) being facilitated by another; the imagery is of a tunnel
  • Not all tunnels provide security, but security tunnels allow secure transit via public/untrusted channels

VPNs:

  • A virtual private network unites physically distant users/subnetworks
  • Secured not by physical isolation but by the use of encrypted tunnels and special-purpose protocols
  • It preserves the packet header data used for routing, since encryption is applied to the tail of the datagram (the payload) rather than to the routing header

Encrypted Tunnels:

  • Encrypted payloads prevent effective network-based monitoring and content-based filtering
  • A protocol blocked by a firewall may still be carried as the data (payload) of another protocol that the firewall allows through

VPN (IPsec) Modes:

  • Transport Mode: Host to Host
  • Tunnel Mode: Network to Network and Host to Network

IPsec:

  • Provides a suite of security services delivered by IKE for key management, AH for authentication only, and ESP that includes encryption and authentication options

ESP

  • Allows encryption of the IPsec payload, and offers services similar to AH, such as a MAC for authentication

Network and TCP/IP:

  • Hosts are interconnected via the network
  • The Internet Protocol (IP) is the main protocol in the TCP/IP protocol suite for packet-switched networks, with a logical address used in network routing
  • Packets are delivered through "hops" between intermediate network devices; each datagram is composed of a header that facilitates delivery and a payload, the data intended for the recipient
  • Communication with servers is organized through port numbers, TCP connection set-up, and the three-way handshake
