Chapter 7 - 03 - Understand Different Types of Firewalls and their Role - 05_ocred_fax_ocred.pdf
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls...
Application Proxy

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

An application-level proxy works as a proxy server and filters connections for specific services. It filters connections based on the services and protocols. For example, an FTP proxy will only allow FTP traffic to pass through, while all other services and protocols will be blocked. It is a type of server that acts as an interface between the user workstation and the Internet. It correlates with the gateway server and separates the enterprise network from the Internet. It receives requests from users for services and responds to the original requests only. A proxy service is an application or program that helps forward user requests (for example, FTP or Telnet) to the actual services. Proxies are also called application-level gateways, as they renew the connections and act as a gateway to the services. Proxies run on a firewall host that is either a dual-homed host or some other bastion host for security purposes. Some proxies, named caching proxies, run for the purpose of network efficiency. They keep copies of the data requested by the hosts they proxy. Such proxies can provide the data directly when multiple hosts request the same data.
Caching proxies help in reducing the load on network connections, whereas proxy servers provide both security and caching. A proxy service sits between a user on an internal network and a service on an outside network (the Internet) and is transparent. Instead of communicating directly with each other, the user and the service each talk to the proxy, which handles all the communication between the user and the Internet service. Transparency is the key advantage when using proxy services. To the user, a proxy server presents the illusion that they are dealing directly with the real server, whereas the real server thinks that it is dealing directly with the user.

Module 07 Page 779 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

[Figure 7.49: Application proxy. Corporate network with an application proxy server behind the firewall; external network and internal network; services shown: SMTP, FTP, HTTPS, NNTP; the proxy filters traffic for a specific server.]

Advantages

▪ Proxy services can be good at logging because they understand application protocols and can log in an effective way.
▪ Proxy services reduce the load on network links, as they are capable of caching copies of frequently requested data and allow it to be loaded directly from the system instead of the network.
▪ Proxy systems perform user-level authentication, as they are involved in the connection.
▪ Proxy systems automatically provide protection for weak or faulty IP implementations, as they sit between the client and the Internet and generate new IP packets for the client.

Disadvantages

▪ Proxy services lag behind non-proxy services until suitable proxy software is made available.
▪ Each service in a proxy may use different servers.
▪ Proxy services may require changes in the client, applications, and procedures.
▪ The complexity of application proxies makes them vulnerable to various attacks such as DoS.
▪ If the proxy is not configured for SSL/TLS inspection, it cannot filter or examine encrypted packets.

Network Address Translation (NAT)

▪ Network address translation separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic, respectively
▪ It also works with a router, the same as packet filtering does; NAT will also modify the packets the router sends at the same time
▪ It has the ability to change the address of the packet and make it appear to have arrived from a valid address
▪ It limits the number of public IP addresses an organization can use

Network address translation separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic, respectively. A NAT helps hide an internal network layout and forces connections to go through a choke point. It works with the help of a router, helping to send packets and modifying them. When the internal machine sends a packet to the outside machine, NAT modifies the source address of that packet to make it appear as if it is coming from a valid address.
Similarly, when the outside machine sends a packet to the internal machine, NAT modifies the destination address to turn the visible address into the correct internal address. It limits the number of public IP addresses an organization can use. It can act as a firewall filtering technique, where it allows only those connections which originate on the inside network and blocks the connections which originate on the outside network. NATs can also modify the source and destination port numbers.

NAT systems use the following schemes for translating between internal and external addresses:

▪ One external host address is assigned for each internal address, and the same translation is always applied. This scheme slows down connections and does not provide any savings in address space. This type of mapping is also known as 1:1 mapping and can be either static or dynamic.
▪ An external host address is dynamically allocated, without modifying the port numbers, at the time when the internal host initiates a connection. This scheme restricts the number of internal hosts that can simultaneously access the Internet to the number of available external addresses.
▪ A fixed mapping is created from internal addresses to externally visible addresses, and port mapping is used such that multiple internal machines use the same external address. This type of mapping is also known as overloaded NAT or network address port translation (NAPT).
▪ A pair of an external host address and a port is dynamically allocated each time an internal host initiates a connection. This scheme has the highest possible efficiency in the use of external host addresses.
▪ A router's IP address is used to communicate with external hosts and to forward incoming packets to a different IP address. That is, the router processes the requests originating from the Internet for a particular application and forwards them to the target application server residing inside a DMZ or internal network. This mapping is known as destination NAT or port forwarding.

[Figure 7.50: Illustration of network address translation. Internal hosts 192.168.168.2 and 192.168.168.3 behind a switch; NAT router with private IP address 192.168.168.1 and public IP address 200.0.0.45; Internet.]

Advantages

▪ NAT helps enforce the firewall's control over outbound connections.
▪ It restricts incoming traffic and allows only packets that are part of a current interaction initiated from the inside.
▪ It helps hide the internal network's configuration and thereby reduces the vulnerability of the network or system to outside attacks.

Disadvantages

▪ The NAT system has to guess how long it should keep a particular translation, which is impossible to guess correctly every time.
▪ NAT interferes with encryption and authentication systems that ensure the security of the data.
▪ Dynamic allocation of ports may interfere with packet filtering.
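The following Python model is an added example, not part of the EC-Council material, that walks through the translation schemes listed above: static 1:1, dynamic 1:1 from an address pool (which fails once the pool is exhausted), overloaded NAT/NAPT (one public address, flows told apart by port), destination NAT for a published server, the inbound rule that admits only replies to inside-initiated flows, and the idle-timeout guess listed under the disadvantages. The class and method names are the example's own, and every address is a constructed sample value; 192.168.168.x and 200.0.0.45 are borrowed from Figure 7.50.

```python
"""Added example (not EC-Council's code): a toy NAT modelling the schemes in
the text. Addresses are constructed sample values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAT:
    def __init__(self, mode, public_ips, static=None, forwards=None, idle_timeout=300):
        assert mode in ("static", "dynamic", "napt")
        self.mode = mode
        self.pool = list(public_ips)          # external addresses the NAT may use
        self.static = dict(static or {})      # internal ip -> external ip (fixed 1:1)
        self.forwards = dict(forwards or {})  # (public ip, port) -> (internal ip, port)
        self.idle_timeout = idle_timeout      # seconds before a translation is forgotten
        self.assigned = {}                    # dynamic 1:1: internal ip -> borrowed external ip
        self.next_port = 40000                # NAPT: next free port on the shared address
        # (int ip, int port, ext ip, ext port) -> (remote ip, remote port, last seen)
        self.table = {}

    def _allocate(self, pkt):
        """Choose the externally visible (ip, port) for a new flow, or None to drop it."""
        if self.mode == "static":
            ext = self.static.get(pkt.src_ip)
            return (ext, pkt.src_port) if ext else None
        if self.mode == "dynamic":
            if pkt.src_ip not in self.assigned:
                if not self.pool:
                    return None           # pool exhausted: host cannot reach the Internet
                self.assigned[pkt.src_ip] = self.pool.pop(0)
            return self.assigned[pkt.src_ip], pkt.src_port   # ports are left untouched
        port, self.next_port = self.next_port, self.next_port + 1
        return self.pool[0], port         # NAPT: shared address, flows told apart by port

    def outbound(self, pkt, now):
        """Internal host -> Internet: rewrite the source and remember the translation."""
        for key, (dip, dport, _) in self.table.items():
            iip, iport, eip, eport = key
            if (iip, iport, dip, dport) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                self.table[key] = (dip, dport, now)           # refresh an existing flow
                return replace(pkt, src_ip=eip, src_port=eport)
        ext = self._allocate(pkt)
        if ext is None:
            return None
        self.table[(pkt.src_ip, pkt.src_port, ext[0], ext[1])] = (pkt.dst_ip, pkt.dst_port, now)
        return replace(pkt, src_ip=ext[0], src_port=ext[1])

    def inbound(self, pkt, now):
        """Internet -> internal host: only published services or live replies get through."""
        if (pkt.dst_ip, pkt.dst_port) in self.forwards:       # destination NAT / port forwarding
            iip, iport = self.forwards[(pkt.dst_ip, pkt.dst_port)]
            return replace(pkt, dst_ip=iip, dst_port=iport)
        for key, (dip, dport, seen) in list(self.table.items()):
            iip, iport, eip, eport = key
            if (eip, eport, dip, dport) == (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port):
                if now - seen > self.idle_timeout:
                    del self.table[key]   # the NAT guessed the flow was over; the reply is lost
                    return None
                self.table[key] = (dip, dport, now)
                return replace(pkt, dst_ip=iip, dst_port=iport)
        return None   # unsolicited packet originating outside: blocked


if __name__ == "__main__":
    nat = NAT("napt", ["200.0.0.45"], forwards={("200.0.0.45", 80): ("192.168.168.10", 8080)})
    out = nat.outbound(Packet("192.168.168.2", 51000, "93.184.216.34", 443), now=0)
    print("outbound rewritten to", out)
    print("reply   ->", nat.inbound(Packet("93.184.216.34", 443, "200.0.0.45", 40000), now=1))
    print("stray   ->", nat.inbound(Packet("198.51.100.7", 1234, "200.0.0.45", 40000), now=1))
    print("forward ->", nat.inbound(Packet("198.51.100.7", 1234, "200.0.0.45", 80), now=1))
```

Switching `mode` between "static", "dynamic" and "napt" shows the trade-off the text describes: the 1:1 schemes never touch port numbers but run out of addresses, while NAPT shares one address and relies on the port to tell flows apart. The `idle_timeout` branch is the "guess" from the disadvantages list: once a translation is forgotten, a late reply from the outside is indistinguishable from an unsolicited packet and is dropped.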
Virtual Private Network

A VPN is a private network constructed using public networks, such as the Internet. It is used for the secure transmission of sensitive information over an untrusted network, using encapsulation and encryption. It establishes a virtual point-to-point connection through the use of dedicated connections. The computing device running the VPN software can only access the VPN. It is used for connecting Wide Area Networks (WAN). A VPN allows computers of one network to connect to computers on another network. It employs encryption and integrity protection to enable utilization of a public network as a private network. A VPN performs encryption and decryption outside the packet-filtering perimeter to allow the inspection of packets coming from other sites; it encapsulates packets sent over the Internet. A VPN combines the advantages of both public and private networks. VPNs have no relation to firewall technology, but firewalls are convenient tools for adding VPN features, as they help in providing secure remote services.
Any VPN that runs over the Internet employs the following principles:

▪ Encrypts all traffic
▪ Checks for integrity protection
▪ Encapsulates new packets, which are sent across the Internet to something that reverses the encapsulation
▪ Checks for integrity
▪ Finally, decrypts the traffic

[Figure 7.51: Virtual private network. A VPN router/firewall at each private network, joined by a VPN tunnel across the Internet.]

Advantages

VPNs provide several security advantages, which are listed below:

▪ A VPN hides all the traffic that flows through it, ensures encryption, and protects the data from snooping.
▪ It provides remote access for protocols while also defending against outside attacks.

Disadvantages

▪ As a VPN runs on a public network, the user remains vulnerable to an attack on the destination network.
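As an added example (not part of the EC-Council material), the Python below walks a packet through the five principles listed above between two site gateways: encrypt, add integrity protection, encapsulate in a new outer packet, reverse the encapsulation at the far end, verify integrity, and only then decrypt. The `TunnelEndpoint` class, the outer-header format and all addresses and payloads are the example's own constructions. The cipher is a keystream built from HMAC-SHA256 in counter mode, chosen only to keep the example free of third-party libraries; it stands in for the vetted AEAD ciphers real VPN protocols use and is not something to deploy.

```python
"""Added example (not EC-Council's code): a toy site-to-site VPN tunnel that
follows encrypt -> integrity tag -> encapsulate, then decapsulate -> verify ->
decrypt. The HMAC-based keystream is an illustrative stand-in for a real AEAD
cipher. Keys, addresses and payload are constructed sample values."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter); illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEndpoint:
    """One VPN gateway. Both ends share enc_key and mac_key (pre-shared in this example)."""

    def __init__(self, public_ip, enc_key, mac_key):
        self.public_ip = public_ip
        self.enc_key = enc_key
        self.mac_key = mac_key

    def encapsulate(self, inner_packet, peer_public_ip, nonce=None):
        # 1. Encrypt the whole inner packet, headers included, so internal addresses stay hidden.
        nonce = nonce or os.urandom(NONCE_LEN)
        ciphertext = _xor(inner_packet, _keystream(self.enc_key, nonce, len(inner_packet)))
        # 2. Integrity protection over nonce + ciphertext (encrypt-then-MAC).
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        # 3. Encapsulate in a new outer packet addressed gateway-to-gateway.
        outer_header = f"{self.public_ip}>{peer_public_ip}|".encode()
        return outer_header + nonce + ciphertext + tag

    def decapsulate(self, outer_packet):
        # 4. Reverse the encapsulation: strip the outer header (no '|' occurs in the header itself).
        header, _, body = outer_packet.partition(b"|")
        _src, dst = header.decode().split(">")
        if dst != self.public_ip:
            raise ValueError("outer packet not addressed to this gateway")
        nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        # 5. Verify integrity before touching the ciphertext; constant-time compare.
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: packet dropped")
        # 6. Decrypt to recover the original inner packet.
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))


def tamper(outer_packet, offset):
    """Flip one byte of a wire packet, modelling in-transit modification."""
    return outer_packet[:offset] + bytes([outer_packet[offset] ^ 0xFF]) + outer_packet[offset + 1:]


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)          # constructed shared keys
    site_a = TunnelEndpoint("203.0.113.1", enc_key, mac_key)
    site_b = TunnelEndpoint("198.51.100.1", enc_key, mac_key)
    inner = b"10.0.0.5>10.1.0.9|GET /payroll"                  # constructed inner packet
    wire = site_a.encapsulate(inner, site_b.public_ip)
    print("on the wire:", wire[:25], "...", len(wire), "bytes")
    print("recovered  :", site_b.decapsulate(wire))
    try:
        site_b.decapsulate(tamper(wire, len(wire) - 1))
    except ValueError as exc:
        print("tampered   :", exc)
```

The order matters: the far end checks the tag first and discards anything that fails, so a modified ciphertext never reaches the decryption step, and the inner packet's private addresses appear nowhere in the outer packet, which is what lets the tunnel carry the private network across an untrusted one.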