Understanding Firewalls Quiz

StrikingSatellite
18 Questions

How many levels of defense does the 'screened subnet firewall configuration' offer?

Two levels

What is a key feature of a firewall based on the text?

Imposes restrictions on network services

In the 'screened subnet firewall configuration', what entities are separated from the internal network?

Information servers and modems

Which of the following is NOT a limitation of a firewall as discussed in the text?

Can protect against all types of attacks

What does the outside router in the 'screened subnet firewall configuration' advertise to the Internet?

The existence of the screened subnet

What is a key function of packet filters in a firewall system?

Examine each IP packet and permit/deny based on rules

What is the general model for access control discussed in the text?

Access matrix

Which of the following attacks is mentioned as a risk to packet filters in the text?

IP address spoofing

In access control, how can the access matrix be decomposed?

By rows as access control lists

What is a common limitation of packet filters in terms of examining IP packets?

They do not consider the context of the IP packet

What role does the reference monitor play in computer systems according to the text?

A controlling element in both hardware and software

What is a countermeasure mentioned in the text to address IP address spoofing attacks?

Blocking source routed packets

What security feature do stateful packet filters provide that traditional packet filters do not?

Examine each IP packet in context

Which type of firewall requires separate proxies for each service?

Application Level Gateway

What is the primary function of a Circuit Level Gateway?

Limit which TCP connections are allowed

In the 'screened host firewall, single-homed bastion configuration', what forces an intruder to generally penetrate two separate systems to compromise internal security?

Application-level filtering

What is a key characteristic of a Bastion Host?

Runs circuit/application level gateways and provides externally accessible services

Why does the 'screened host firewall, dual-homed bastion configuration' physically separate the external and internal networks?

To ensure security by making it necessary to compromise two separate systems

Study Notes

Firewall Configurations

  • The "screened subnet firewall configuration" is the most secure, with two packet-filtering routers, one between the bastion host and the Internet, and the other between the bastion host and the internal network, creating an isolated subnetwork.

  • This configuration offers several advantages, including:

    • Two levels of defense to thwart intruders
    • The outside router advertises only the existence of the screened subnet to the Internet, making the internal network invisible
    • The inside router advertises only the existence of the screened subnet to the internal network, preventing systems on the inside network from constructing direct routes to the Internet

Access Control

  • A system identifies a user and determines which resources that user may access
  • The general model is the access matrix, with:
    • Subject: an active entity (user, process)
    • Object: a passive entity (file or resource)
    • Access right: the way an object can be accessed
  • The access matrix can be decomposed into:
    • Columns: access control lists
    • Rows: capability tickets

Reference Monitor

  • The reference monitor is a controlling element in the hardware and operating system of a computer

Firewalls

  • A firewall is a choke point of control and monitoring that interconnects networks with differing trust levels
  • Firewalls impose restrictions on network services, allowing only authorized traffic
  • Firewalls can:
    • Audit and control access
    • Implement alarms for abnormal behavior
    • Implement VPNs using IPSec
  • Firewalls must be immune to penetration

Firewall Limitations

  • Firewalls cannot protect from attacks bypassing them (e.g., utility modems, trusted organizations, trusted services)
  • Firewalls cannot protect against internal threats
  • Firewalls cannot protect against the transfer of all virus-infected programs or files due to the huge range of operating systems and file types

Packet Filters

  • Packet filters are the simplest and fastest firewall component
  • They examine each IP packet and permit or deny according to rules, restricting access to services (ports)
  • Possible default policies can be set

Attacks on Packet Filters

  • IP address spoofing: fake source address to be trusted
    • Countermeasure: add filters on the router to block source routing attacks
  • Tiny fragment attacks: split the header information over several tiny packets
    • Countermeasure: discard tiny fragments, or reassemble before checking

Stateful Packet Filters

  • Stateful packet filters examine each IP packet in context, keeping track of client-server sessions and checking each packet's validity
  • They are better able to detect bogus packets out of context
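The following is an added example (not part of the quiz or its notes) that models the Packet Filters, Attacks on Packet Filters and Stateful Packet Filters sections: a stateless filter applying the source-routing and tiny-fragment countermeasures, ordered rules and a default-deny policy, beside a stateful filter that tracks client-server sessions. Packets, addresses, the rule set and the `TINY_FRAGMENT_LEN` threshold are all constructed for illustration.

```python
from dataclasses import dataclass, field

TINY_FRAGMENT_LEN = 20  # constructed threshold: a first fragment too short to hold a TCP header

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (Internet -> internal network) or "out"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    source_routed: bool = False
    frag_offset: int = 0  # 0 marks the first fragment
    length: int = 40

def stateless_filter(p: Packet, rules: list, default: str = "deny") -> str:
    """Examine one packet in isolation: countermeasures first, then ordered rules, then default policy."""
    if p.source_routed:                       # countermeasure from the notes: block source-routed packets
        return "deny"
    if p.frag_offset == 0 and p.length < TINY_FRAGMENT_LEN:
        return "deny"                         # tiny-fragment countermeasure: discard rather than trust
    for direction, ports, action in rules:    # rules are (direction, allowed dports, verdict)
        if p.direction == direction and p.dport in ports:
            return action
    return default

@dataclass
class StatefulFilter:
    rules: list
    sessions: set = field(default_factory=set)  # (src, sport, dst, dport) of permitted outbound connections

    def check(self, p: Packet) -> str:
        if p.direction == "out":
            verdict = stateless_filter(p, self.rules)
            if verdict == "permit" and p.syn:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return verdict
        # Inbound: permit only a reply that belongs to a tracked session, whatever the static rules say
        reply_of = (p.dst, p.dport, p.src, p.sport)
        return "permit" if reply_of in self.sessions else "deny"

# Constructed rule set: outbound web allowed; a stateless filter must also open inbound
# ephemeral ports so replies get back, which is exactly the context it cannot check.
RULES = [("out", {80, 443}, "permit"), ("in", range(1024, 65536), "permit")]

def demo() -> dict:
    web = Packet("out", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    reply = Packet("in", "203.0.113.10", 443, "10.0.0.5", 40000)
    bogus = Packet("in", "198.51.100.7", 443, "10.0.0.5", 40001)  # unsolicited, but aimed at an ephemeral port
    sf = StatefulFilter(RULES)
    return {"stateless_bogus": stateless_filter(bogus, RULES), "stateful_web": sf.check(web),
            "stateful_reply": sf.check(reply), "stateful_bogus": sf.check(bogus)}
```

`demo()` shows the contrast the notes describe: the stateless filter permits the unsolicited inbound packet because its port matches a rule, while the stateful filter denies it as out of context.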

Application Level Gateway (or Proxy)

  • Application level gateways have application-specific gateways/proxies
  • They have full access to the protocol and validate user requests as legal
  • They can log/audit traffic at the application level
  • Separate proxies are needed for each service

Circuit Level Gateway

  • Circuit level gateways relay two TCP connections, imposing security by limiting which connections are allowed
  • Once created, they usually relay traffic without examining contents
  • They are typically used when internal users are trusted, allowing general outbound connections

Bastion Host

  • A bastion host is a highly secure host system that runs circuit-level or application-level gateways, or provides externally accessible services
  • It is potentially exposed to "hostile" elements, so it is secured to withstand them
  • It has a hardened OS, only essential services, and extra authentication, and may support two or more network connections
  • It may be trusted to enforce a policy of trusted separation between these network connections

Test your knowledge on firewalls with this quiz covering the definition, functions, and features of firewalls. Learn about choke points of control, monitoring, restrictions on network services, authorized traffic, and more.
