Questions and Answers
- How many levels of defense does the 'screened subnet firewall configuration' offer?
- What is a key feature of a firewall based on the text?
- In the 'screened subnet firewall configuration', what entities are separated from the internal network?
- Which of the following is NOT a limitation of a firewall as discussed in the text?
- What does the outside router in the 'screened subnet firewall configuration' advertise to the Internet?
- What is a key function of packet filters in a firewall system?
- What is the general model for access control discussed in the text?
- Which of the following attacks is mentioned as a risk to packet filters in the text?
- In access control, how can the access matrix be decomposed?
- What is a common limitation of packet filters in terms of examining IP packets?
- What role does the reference monitor play in computer systems according to the text?
- What is a countermeasure mentioned in the text to address IP address spoofing attacks?
- What security feature do stateful packet filters provide that traditional packet filters do not?
- Which type of firewall requires separate proxies for each service?
- What is the primary function of a Circuit Level Gateway?
- In the 'screened host firewall, single-homed bastion configuration', what forces an intruder to generally penetrate two separate systems to compromise internal security?
- What is a key characteristic of a Bastion Host?
- Why does the 'screened host firewall, dual-homed bastion configuration' physically separate the external and internal networks?
Study Notes
Firewall Configurations
- The "screened subnet firewall configuration" is the most secure: two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, create an isolated subnetwork.
- This configuration offers several advantages:
  - Two levels of defense to thwart intruders
  - The outside router advertises only the existence of the screened subnet to the Internet, so the internal network is invisible
  - The inside router advertises only the existence of the screened subnet to the internal network, so systems on the inside network cannot construct direct routes to the Internet
Access Control
- A system identifies a user and determines what resources they can access
- The general model is that of an access matrix, with:
  - Subject: active entity (user, process)
  - Object: passive entity (file or resource)
  - Access right: the way an object can be accessed
- The access matrix can be decomposed into:
  - Columns: access control lists (one per object)
  - Rows: capability tickets (one per subject)
Reference Monitor
- The reference monitor is a controlling element in the hardware and operating system of a computer
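The access-matrix notes above and the reference-monitor note are illustrated by the following Python example, added here and not part of the original study notes. The subjects, objects and rights are constructed names; the `reference_monitor` function stands in for the mediating element the notes describe, and the two rebuild functions show that the column view (ACLs) and the row view (capability lists) each carry the full matrix.

```python
from typing import Dict, Set, Tuple

Rights = Set[str]
Cell = Tuple[str, str]  # (subject, object)

# Constructed access matrix: each cell holds the rights a subject has on an object.
# The names are illustrative and do not come from any real system.
ACCESS_MATRIX: Dict[Cell, Rights] = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "backup.job"): {"execute"},
    ("audit-svc", "payroll.db"): {"read"},
}


def access_control_list(matrix: Dict[Cell, Rights], obj: str) -> Dict[str, Rights]:
    """One column of the matrix: for this object, which subjects hold which rights."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj}


def capability_list(matrix: Dict[Cell, Rights], subject: str) -> Dict[str, Rights]:
    """One row of the matrix: for this subject, which objects it may access and how."""
    return {o: set(r) for (s, o), r in matrix.items() if s == subject}


def all_subjects(matrix: Dict[Cell, Rights]) -> Set[str]:
    return {s for s, _ in matrix}


def all_objects(matrix: Dict[Cell, Rights]) -> Set[str]:
    return {o for _, o in matrix}


def matrix_from_acls(acls: Dict[str, Dict[str, Rights]]) -> Dict[Cell, Rights]:
    """Rebuild the matrix from per-object ACLs: the column decomposition loses nothing."""
    return {(s, o): set(r) for o, acl in acls.items() for s, r in acl.items()}


def matrix_from_capabilities(caps: Dict[str, Dict[str, Rights]]) -> Dict[Cell, Rights]:
    """Rebuild the matrix from per-subject capability lists: the row decomposition, likewise."""
    return {(s, o): set(r) for s, cap in caps.items() for o, r in cap.items()}


def reference_monitor(matrix: Dict[Cell, Rights], subject: str, obj: str, right: str) -> bool:
    """Mediate one access request: grant only if the cell holds the right (default deny)."""
    return right in matrix.get((subject, obj), set())


def revoke(matrix: Dict[Cell, Rights], subject: str, obj: str, right: str) -> Dict[Cell, Rights]:
    """Return a copy of the matrix with one right removed; both views derived from it change."""
    new = {cell: set(r) for cell, r in matrix.items()}
    new.get((subject, obj), set()).discard(right)
    return new


if __name__ == "__main__":
    for o in sorted(all_objects(ACCESS_MATRIX)):
        print("ACL", o, access_control_list(ACCESS_MATRIX, o))
    for s in sorted(all_subjects(ACCESS_MATRIX)):
        print("capabilities", s, capability_list(ACCESS_MATRIX, s))
    print("alice write payroll.db:", reference_monitor(ACCESS_MATRIX, "alice", "payroll.db", "write"))
```

Every request goes through `reference_monitor`, which answers from the matrix cell alone, so a subject with no cell at all (an unknown user) is denied without any special case.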
Firewalls
- A firewall is a choke point of control and monitoring that interconnects networks with differing trust levels
- Firewalls impose restrictions on network services, allowing only authorized traffic
- Firewalls can:
  - Audit and control access
  - Implement alarms for abnormal behavior
  - Implement VPNs using IPsec
- Firewalls must be immune to penetration
Firewall Limitations
- Firewalls cannot protect from attacks bypassing them (e.g., utility modems, trusted organizations, trusted services)
- Firewalls cannot protect against internal threats
- Firewalls cannot protect against the transfer of all virus-infected programs or files due to the huge range of operating systems and file types
Packet Filters
- Packet filters are the simplest and fastest firewall component
- They examine each IP packet and permit or deny according to rules, restricting access to services (ports)
- A default policy can be set for packets that match no rule
Attacks on Packet Filters
- IP address spoofing: a fake source address is used so the packet is trusted
  - Countermeasure: add filters on the router to block source routing attacks
- Tiny fragment attacks: header information is split over several tiny packets
  - Countermeasure: discard or reassemble before checking
Stateful Packet Filters
- Stateful packet filters examine each IP packet in context, keeping track of client-server sessions and checking each packet's validity
- They are better able to detect bogus packets out of context
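The three packet-filter sections above (rules with a default policy, the spoofing and tiny-fragment countermeasures, and stateful session tracking) are brought together in this Python simulation, an added example rather than code from the original notes. The interface names, the 10.0.0.0/8 internal range and the rule set are constructed; the spoofing check is ingress filtering on the external interface (an assumed realisation of the "add filters on the router" countermeasure), and the tiny-fragment check is the "discard" variant from the notes. The stateless filter must trust any inbound packet with ACK set to let replies back in, while the stateful filter admits a reply only when it belongs to a session opened from inside.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed topology: the protected network behind the "int" interface.
INTERNAL_NET = ip_network("10.0.0.0/8")
TCP_HEADER_LEN = 20  # a first fragment shorter than this cannot carry the full TCP header


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "ext" (Internet side) or "int"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # IP fragment offset; 0 means first (or only) fragment
    l4_len: int = 40      # bytes of transport-layer data present in this fragment


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    iface: Optional[str] = None   # None matches anything
    proto: Optional[str] = None
    dst_net: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net))
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """Rule-based filter; with stateful=True it also tracks sessions opened from inside."""

    def __init__(self, rules: List[Rule], default: str = "deny", stateful: bool = False):
        self.rules, self.default, self.stateful = rules, default, stateful
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    @staticmethod
    def spoofed(p: Packet) -> bool:
        # Ingress filtering (assumed countermeasure): an internal source address
        # cannot legitimately arrive on the external interface.
        return p.iface == "ext" and ip_address(p.src) in INTERNAL_NET

    @staticmethod
    def tiny_fragment(p: Packet) -> bool:
        # "Discard" variant of the tiny-fragment countermeasure: the first fragment
        # must hold the whole transport header, otherwise port-based rules are blind.
        return p.frag_offset == 0 and p.l4_len < TCP_HEADER_LEN

    def decide(self, p: Packet) -> str:
        if self.spoofed(p) or self.tiny_fragment(p):
            return "deny"
        if self.stateful:
            # Reverse direction of a session opened from inside. A bare SYN is never
            # a reply, so it still has to pass the static rules.
            reply_key = (p.dst, p.dport, p.src, p.sport, p.proto)
            if reply_key in self.sessions and not (p.syn and not p.ack):
                return "permit"
        for rule in self.rules:
            if rule.matches(p):
                if self.stateful and rule.action == "permit" and p.iface == "int" and p.syn:
                    self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return rule.action
        return self.default  # default policy for packets matching no rule


# Constructed rule set: inside hosts may open HTTPS; the Internet may reach only
# the bastion's mail port (192.0.2.10 is a documentation address).
RULES = [
    Rule("permit", iface="int", proto="tcp", dport=443),
    Rule("permit", iface="ext", proto="tcp", dst_net="192.0.2.10/32", dport=25),
]


def stateless_with_ack_rule(p: Packet) -> str:
    """Classic stateless approximation of 'established': trust any inbound packet with ACK set."""
    f = PacketFilter(RULES)
    if p.iface == "ext" and p.ack and not f.spoofed(p) and not f.tiny_fragment(p):
        return "permit"
    return f.decide(p)


def trace(pkts: List[Packet]) -> List[str]:
    """Run one stateful filter over a packet sequence and return the decisions in order."""
    f = PacketFilter(RULES, stateful=True)
    return [f.decide(p) for p in pkts]


# Constructed packet sequence: outbound HTTPS handshake, an unsolicited inbound "reply"
# to a host that never connected, a spoofed internal source, a tiny first fragment,
# and legitimate inbound mail to the bastion.
SAMPLE = [
    Packet("int", "10.1.1.5", "203.0.113.7", "tcp", 40000, 443, syn=True),
    Packet("ext", "203.0.113.7", "10.1.1.5", "tcp", 443, 40000, syn=True, ack=True),
    Packet("ext", "203.0.113.7", "10.1.1.9", "tcp", 443, 40000, ack=True),
    Packet("ext", "10.1.1.5", "192.0.2.10", "tcp", 5000, 25, syn=True),
    Packet("ext", "198.51.100.4", "192.0.2.10", "tcp", 5000, 25, syn=True, l4_len=8),
    Packet("ext", "198.51.100.4", "192.0.2.10", "tcp", 5000, 25, syn=True),
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE, trace(SAMPLE)):
        print(f"{p.iface:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"stateful={d} stateless={stateless_with_ack_rule(p)}")
```

The third packet is the "bogus packet out of context" from the notes: it carries ACK and a plausible source port, so the stateless ACK rule lets it through, whereas the stateful filter finds no matching session and falls back to the default deny.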
Application Level Gateway (or Proxy)
- Application level gateways have application-specific gateways/proxies
- They have full access to the protocol and validate user requests as legal
- They can log/audit traffic at the application level
- Separate proxies are needed for each service
Circuit Level Gateway
- Circuit level gateways relay two TCP connections, imposing security by limiting which connections are allowed
- Once created, they usually relay traffic without examining contents
- They are typically used when internal users are trusted, allowing general outbound connections
Bastion Host
- A bastion host is a highly secure host system that runs circuit-level or application-level gateways or provides externally accessible services
- It is potentially exposed to "hostile" elements, hence it is secured to withstand this
- It has a hardened OS, only essential services, and extra authentication, and may support two or more network connections
- It may be trusted to enforce a policy of trusted separation between these network connections
Description
Test your knowledge on firewalls with this quiz covering the definition, functions, and features of firewalls. Learn about choke points of control, monitoring, restrictions on network services, authorized traffic, and more.