Understanding Firewalls: Types, Functionality, and Limitations

Questions and Answers

Which of the following is a security function typically associated with firewalls?

  • Data encryption
  • Packet filtering (correct)
  • Load balancing across servers
  • Network address assignment

In the context of network security, what is a common misconception about software firewalls?

  • They provide complete protection against all threats.
  • They function best as part of a multi-layered security strategy. (correct)
  • They are ineffective on home networks.
  • They do not require constant maintenance.

Which of the following functions is analogous to a security guard monitoring entry and exit points in an office tower?

  • Monitoring network traffic for suspicious activity (correct)
  • Filtering inappropriate content
  • Logging network traffic
  • Scanning for viruses

Which security feature offered by some firewalls helps prevent attackers from using internal hosts as staging areas for sustained attacks?

Shielding hosts (A)

What is the primary purpose of locating a firewall at the network perimeter?

To set up a checkpoint for blocking threats (B)

Which of the following is a core component commonly found in firewalls?

Packet filter (D)

What security task does a firewall perform by regulating which packets of information can enter the network?

Restricting access from outside the network (B)

What is the function of a 'socket' in the context of network communication?

A combination of sender and receiver addresses (B)

How do firewalls contribute to VPNs?

By connecting two companies' networks over the Internet (B)

Which layer of the OSI model is most closely associated with packet filtering?

Network Layer (B)

What is a primary function of a packet-filtering firewall?

Determining whether to forward or drop a packet (B)

What distinguishes stateful packet-filtering firewalls from stateless packet-filtering firewalls?

Stateful Firewalls keep a state table. (C)

Which of the following protocols is essential to understand when configuring packet-filtering rules?

Internet Control Message Protocol (ICMP) (A)

What is the purpose of Port Address Translation (PAT) and Network Address Translation (NAT) in firewalls?

To make internal network addresses invisible to external computers (A)

At which layer of the OSI model do Application Layer Gateways operate?

Application layer (A)

What is a primary disadvantage of Application Layer Gateways?

They cannot be reconfigured to protect against attacks on other protocols. (B)

Which of the following best explains the use of the letter 'x' in an IP address notation like 10.10.x.x in firewall configurations?

It signifies a variable value. (B)

What is the purpose of a CIDR mask in network addressing?

To indicate the boundary between network and host addresses (D)

Which category describes how a firewall examines network traffic?

Processing Mode (D)

Which of the following is a type of packet-filtering firewall?

Dynamic filtering (B)

At which layer of the OSI model do circuit gateways operate?

The transport layer (C)

What characteristic defines MAC layer firewalls?

They consider specific host computer identities. (B)

What is a defining feature of fourth-generation firewalls?

Dynamic packet filtering (A)

Which statement accurately describes commercial-grade firewall appliances?

They use firmware-based instructions to increase reliability. (B)

What characterizes a small office/home office (SOHO) firewall appliance?

It acts as a stateful firewall. (C)

What capability extends broadband router devices beyond simple NAT services?

Including intrusion prevention systems (D)

What limitation applies to software firewalls regarding functionality?

They are not fully functional (A)

What is the primary function of Netfilter?

Providing stateless and stateful packet filtering (A)

What is a key security advantage of hardware firewalls over software firewalls in SOHO settings?

Computers remain protected even if the firewall crashes. (A)

How do packet-filtering routers enhance network security?

By blocking unauthorized packets (D)

What is a key architectural component of screened host firewalls?

An application proxy server (A)

What distinguishes dual-homed host firewalls from other architectures?

Traffic goes through the firewall to move. (B)

What is a primary characteristic of screened subnet firewalls?

Each host is protecting the trusted network. (B)

Why shouldn't firewalls be the only form of protection for a network?

They cannot do everything. (B)

Which of the following is a key function of any firewall?

Packet filtering (D)

How are firewalls typically categorized?

Processing mode, generation, and structure (C)

Flashcards

What is a Firewall?

A security tool composed of software and hardware that filters digital information packets.

What is the purpose of Software Firewalls?

Permitting authorized traffic while blocking unauthorized traffic.

What functions does a Firewall perform?

Monitoring entry/exit points, scanning for viruses, sending alerts.

What Advanced Features do Firewalls Offer?

Logging, VPN, Authentication, shielding hosts, caching data, content filtering.

What is a Network Perimeter?

A boundary between two zones of trust.

What are Firewall Components?

Packet filter, proxy server, authentication system, NAT/PAT software, bastion host.

What is the job of restricting access from outside networks?

Regulating packet entry and preventing port scanning attacks.

What are Ports?

Ports allow multiple network services to share a single network address.

What is a Socket?

Combination of sender's and receiver's address.

What are the two port flavors?

Well-known (0-1023) and Ephemeral (1024-65535).

What are Firewall Security Tasks?

Limiting access, protecting resources, preventing hacking, centralization, documentation, authentication, VPN.

How do Filtering firewalls work?

Inspecting packets at the network layer (Layer 3) of the OSI model.

What factors determine packet filtering?

IP source/destination, direction, TCP/UDP source/destination port.

What are Stateless Packet-Filtering Firewalls?

Ignores the connection state between internal and external computers.

What are Stateful Packet-Filtering Firewalls?

Examines data and connection state between computers.

What is the function of PAT and NAT?

Make internal network addresses invisible to external computers.

What do Application Layer Gateways do?

They control application access via proxy services and minimize malware effects.

What are the advantages and disadvantages of Application layer gateways?

Designed for a specific protocol; valuable security benefit.

The letter 'x' in IP addresses

Used to represent a range of values or any value in an IP address.

What does CIDR stand for?

Classless Inter-Domain Routing

How are firewalls categorized?

Processing mode, generation, and structure.

What are the processing modes for Firewalls?

Packet-filtering firewalls, application gateways, circuit gateways, MAC layer firewalls, and hybrids

How do Circuit Gateways work?

Operate at the transport layer and authorize connections based on addresses.

Firewall generations

Static, application-level, stateful inspection, and dynamic.

What is DMZ?

Dominant architecture today; screened subnet firewalls.

Study Notes

Overview

  • Common misconceptions about firewalls will be identified
  • Dependency of a firewall on an effective security policy is detailed
  • A description of what a firewall does will be provided
  • Different types of firewall protection are described
  • The limitations of firewalls will be explained

Introduction

  • Firewalls and related technical controls are a fundamental security tool
  • Planning for and designing firewalls will be overviewed
  • Each individual firewall is a combination of software and hardware components

Firewalls Explained

  • A firewall filters packet transmissions of digital information
  • It filters packets as they attempt to pass through an interface between networks
  • Basic security functions include packet filtering and application proxy

Misconceptions about Firewalls

  • Software firewalls permit authorized traffic while blocking unauthorized traffic
  • Software firewalls need constant maintenance to keep up with security threats
  • Software firewalls work best in a multilayered approach to network security

An Analogy: Office Tower Security Guard

  • Firewalls perform the same functions as a security guard at a checkpoint
  • Firewalls monitor entry/exit points, scan for viruses, and repair infected files before they invade the network
  • Firewalls can be configured to send out alert messages and notify staff of break-ins or if viruses are detected

Firewall Security Features

  • Firewalls offer advanced security functions like logging, VPN, and authentication
  • Firewalls shield hosts inside the network so that attackers can't identify them and use them as staging areas
  • Other security features include caching data and filtering inappropriate content

Firewall Network Perimeter Security

  • A perimeter is a boundary between two zones of trust
  • Extranets, VPNs, and mobile devices have blurred this boundary
  • Locating a firewall at the perimeter sets up a checkpoint to block viruses and infected e-mails

Firewall Components

  • Firewall components include a packet filter, a proxy server, and an authentication system
  • Components include software performing Network or Port Address Translation (NAT or PAT)
  • Another component is the bastion host, which only has the bare essentials

Firewall Security Tasks

  • Firewalls restrict network access from the outside by regulating packets which enter
  • Firewalls protect from port scanning attacks through packet filtering
  • Restricting unauthorized access from inside the network prevents damage from malicious or careless employees

Technical Details: Ports

  • Ports allow many network services to share a single network address
  • A socket is a combination of a sender's full address and receiver's address
  • Well-known ports are numbered 1023 or below, and ephemeral ports are numbered 1024 to 65535

Firewall Security Tasks (cont'd)

  • Limiting employee access to external hosts provides precise control of how employees use external network resources
  • Firewalls protect from varied types of attacks, and protect critical resources
  • Attacks can also have tangible organization-wide impact
  • Firewalls provide centralization: they centralize security for the organization
  • Firewalls enable documentation by providing information to the network administrator in log files
  • Authentication is provided by recognizing users with registered usernames and passwords
  • Firewalls can contribute to a VPN by connecting two companies' networks over the Internet

Types of Firewall Protection

  • The seven-layer OSI networking model is a type of firewall protection
  • Firewalls function in different ways

Packet Filtering

  • A packet, sometimes called a datagram, is a basic element of network data
  • Packets contain header and data
  • Packet-filtering firewalls function at the IP level
  • They determine whether to drop a packet or forward it based on programmed rules
  • Filtering firewalls inspect packets at the network layer (Layer 3) of the OSI model
  • When they find a packet that violates a rule, they stop it from traveling from one network to another
  • This is based on IP source/destination address, direction, and TCP/UDP source/destination port
  • Stateless packet-filtering firewalls ignore state of internal/external computer connections
  • Stateful packet-filtering firewalls examine data in a packet and the state of connection between internal/external computers
  • Stateful packet-filtering firewalls use a state table kept in a memory location called the cache
  • Stateful packet filtering firewalls can leave the system vulnerable to a DoS or DDoS attack
  • Packet filtering depends on the establishment of rules
  • Rules require an understanding of the protocols that make the Internet function
  • Important protocols are the Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and TCP/IP filtering

PAT and NAT

  • Each computer on a network is assigned an IP address
  • Port Address Translation (PAT) and Network Address Translation (NAT) make internal network addresses invisible to outside computers
  • They function as an outbound network-level proxy

Application Layer Gateways

  • Application Layer Gateways work at the Application layer
  • These gateways control the way applications inside the network access external networks by setting up proxy services
  • Application Layer Gateways minimize the effect of viruses, worms, Trojan horses, and other malware
  • They run special software that enables them to act as a proxy for a specific service request
  • A primary disadvantage of Application Layer Gateways is that they are designed for specific protocols
  • Application Layer Gateways cannot easily be reconfigured, as they are designed for specific protocols
  • Application Layer Gateways have a valuable security benefit through filtering content
  • They can be configured to allow or deny specific content, such as viruses and executables

Offline "X" Marks the Spot

  • The letter “x” is used in two ways.
  • It might indicate a value in the range of 0 to 254
  • The letter “x” can represent any value, but in a different location
  • "x" can refer to an address that meets the defined portion

Technical Details: Fresh Hot CIDR

  • "CIDR" is an acronym for Classless Inter-Domain Routing
  • CIDR masks mitigate the inefficiencies in the way IP addresses are organized
  • CIDR assigns addresses using the demarcation between network/host address
  • A slash (/) and subsequent number indicate where the boundary between the network/host addresses is located

Firewall Categories

  • Firewalls can be categorized by processing mode, which is how they examine traffic
  • Firewalls can be categorized by generation, which is the level of technology a firewall has
  • Finally, firewalls can be categorized by structure, which is the kind of structure they are intended for

Processing Mode

  • Five major processing-mode categories for firewalls are packet-filtering firewalls, application gateways, circuit gateways, MAC layer firewalls, and hybrids
  • Most firewalls are hybrids
  • There are three kinds of packet-filtering firewalls: static, dynamic, and stateful inspection
  • Application gateways are frequently installed on a dedicated computer, and are separate from the filtering router
  • They are commonly used in conjunction with a filtering router
  • Circuit gateways operate at the transport layer
  • Connections are authorized based on addresses
  • MAC layer firewalls operate at the media access control sublayer of the data link layer
  • MAC layer firewalls consider a specific host computer's identity
  • Hybrid firewalls combine elements of various types of firewalls

Firewall Generations

  • First-generation firewalls consist of static packet-filtering firewalls
  • Second-generation firewalls are application-level firewalls/proxy servers
  • Third-generation firewalls use stateful inspection
  • Fourth-generation firewalls, also known as dynamic packet-filtering firewalls, allow only a particular packet with a particular source/destination/port address
  • Fifth-generation firewalls have kernel proxies
  • Those proxies work under the Windows NT Executive and use the kernel of Windows NT

Firewall Structures

  • Commercial-grade firewall appliances are stand-alone/self-contained combinations of computing hardware/software
  • Commercial-grade firewall appliances have many features of a general-purpose computer
  • With the addition of firmware-based instructions, commercial-grade firewall appliances increase reliability/performance and minimize likelihood of compromise
  • Commercial-grade firewall systems consist of application software configured for the firewall application and run on a general-purpose computer
  • Full-featured, commercial-grade firewall packages include Check Point Power-1, Cisco ASA, Microsoft Internet Security & Acceleration Server, McAfee Firewall Enterprise (Sidewinder)
  • Small office/home office (SOHO) firewall appliances are effective methods of improving security in the SOHO setting
  • First, these serve as stateful firewalls, enable inside-to-outside access, and can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities
  • Broadband router devices function as packet-filtering firewalls
  • They are enhanced to combine the features of wireless access points and small stackable LAN switches in a single device
  • Broadband router devices include packet/port filtering and simple intrusion detection systems, provide more than simple NAT services, and restrict access to specific MAC addresses
  • Some commercial firewalls offer free software versions
  • These free versions are not fully functional
  • There are free firewall tools available on the Internet
  • Most free firewall software also runs on a free operating system, which is convenient and simple
  • Netfilter is firewall software that comes with the Linux 2.4 kernel
  • It's a solution for stateless/stateful packet filtering, NAT, and packet processing
  • In the SOHO software-versus-hardware firewall debate, with a hardware device the computer and information are safe behind the now-disabled connection if an attacker crashes the firewall
  • That connection is assigned a nonroutable IP address that is virtually impossible to reach from the outside
  • Software firewalls can be disabled, allowing free network access

Firewall Architectures

  • Packet-filtering routers reject packets that the organization does not allow into the network
  • Screened host firewalls combine the packet-filtering router with a separate, dedicated firewall
  • Screened host firewalls use an application proxy server
  • Dual-homed host firewalls have a bastion host with two NICs rather than one
  • One NIC is connected to the external network and the other is connected to the internal
  • All traffic must physically go through the firewall to move between the internal and external networks
  • The dominant architecture used today is screened subnet firewalls with DMZs
  • Screened subnet firewalls include a subnet firewall consisting of two or more internal bastion hosts behind a packet-filtering router
  • Each host is protecting the trusted network
  • There are many variants of the screened subnet architecture

Limitations Of Firewalls

  • Firewalls cannot be expected to do everything
  • Firewalls should not be the only form of protection for a network

Summary

  • Firewalls filter transmissions of packets of digital information as they pass through a network boundary
  • Packet filtering is a key function of any firewall
  • Application layer gateways control the way applications inside the network access external networks
  • Firewalls can be categorized by processing mode, generation, or structure
