what is a packet filter?
software that limits connectivity by blocking ingress and/or egress traffic using some form of rule-based filtering
T/F a firewall always includes a packet filter, but not all packet filters are firewalls
true
what are some of the ways a packet filter can be packaged?
1. as software that interacts with the existing IP stack
2. as a replacement for the IP stack (bastion host)
3. specialized network device (hardware firewall like ASA)
T/F it is okay to use DNS names in packet filter rules
false, never use DNS names in packet filter rules: DNS answers are easy to spoof, so the rule would end up trusting whatever the resolver returned
what are the two ways packet filters are weak to IP address spoofing?
1. directly
2. remotely
what is meant by a packet filter being directly vulnerable to IP address spoofing?
the attacker is on the same subnet as the filter or the protected hosts and plays ARP games (ARP spoofing/poisoning) to claim another host's address
what is meant by a packet filter being remotely vulnerable to IP address spoofing?
the source address is spoofed from a remote network, and IP source routing options like loose source record routing are used to steer the replies back to the attacker
what is loose source record routing (LSRR)?
an IPv4 header option that lists routers the packet must pass through on the way to its destination; replies follow the same list in reverse, so a sender can spoof its source address and still have the return traffic find its way back to it
T/F you should always disable loose source record routing
true
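The check that "always disable LSRR" boils down to is: walk the IPv4 option list and drop anything carrying a source route option. The following is an added example, not code from the slides: a small IPv4 option parser and a filter rule that drops LSRR (option type 131) and SSRR (type 137) while leaving harmless options such as record route alone. The header builder, the addresses and the option bytes are constructed for the demonstration.

```python
import struct

# IPv4 option types (RFC 791); LSRR/SSRR let the sender dictate the path
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
IPOPT_LSRR, IPOPT_SSRR = 131, 137
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet):
    """Return a list of (type, data) for every option in the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i, out = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # single-byte padding option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def source_route(packet):
    """Return (option name, [router addresses]) if the packet is source routed, else None."""
    for kind, data in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            # data = 1-byte pointer followed by 4-byte router addresses
            hops = [".".join(str(b) for b in data[k:k + 4])
                    for k in range(1, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
    return None


def verdict(packet):
    """Filter rule: drop anything carrying LSRR or SSRR, accept the rest."""
    return "DROP" if source_route(packet) else "ACCEPT"


def build_ipv4(src, dst, options=b""):
    """Build a minimal IPv4 header (checksum left zero) with the given options."""
    options += b"\x00" * ((-len(options)) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    ip = lambda s: bytes(int(x) for x in s.split("."))
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0, ip(src), ip(dst))
    return header + options


# constructed sample: a packet with a spoofed private source asking to be routed
# via 198.51.100.7 (type, length = 3 + 4*hops, pointer = 4, then the router address)
LSRR_VIA_198_51_100_7 = bytes([IPOPT_LSRR, 7, 4, 198, 51, 100, 7])

if __name__ == "__main__":
    spoofed = build_ipv4("10.0.0.5", "192.0.2.1", LSRR_VIA_198_51_100_7)
    print(source_route(spoofed), verdict(spoofed))      # ('LSRR', ['198.51.100.7']) DROP
    print(verdict(build_ipv4("10.0.0.5", "192.0.2.1")))  # ACCEPT
```

The parser treats a malformed option list (missing or out-of-range length byte) as an error rather than skipping it; in a real filter that case should also be a drop, since a header the filter cannot parse is one it cannot vet.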
T/F destination ports are standardized
true, though only loosely, meaning that someone could use "standard" ports in "nonstandard" ways
T/F source ports are standardized
false, they are chosen at random from the ephemeral range (1024 and above)
what is static port filtering?
only allowing traffic based on the port number or IP/port number combo, where each packet is checked independently
what is dynamic port filtering?
also known as stateful packet filtering; the firewall checks the context of the packet (is it part of a flow it has already seen?) in addition to the src/dst addresses and ports
what is destination static port filtering?
examining and filtering based on the destination port number, without checking context
what is the limitation of destination static port filtering?
it only works if the host on the other end replies from the port it received the traffic on, because the filter keeps no context and can only recognise a reply by its port number
what is source static port filtering?
filtering based on the source port, though very hard to do effectively as source ports are chosen at random between 1024 and 65535
what is bi-directional static filtering?
filtering that allows traffic in both directions on the same port number; a poor attempt to make static filtering work for replies
what is TCP static source port filtering?
filtering that only allows ingress traffic from ephemeral source ports if they have the ACK bit set in the TCP header, ensuring that packets are part of a data flow
what is the limitation of TCP static source port filtering?
it only protects the return path of outgoing connections; it does nothing for unsolicited incoming traffic (any packet with the ACK bit set gets through, which is exactly what an ACK scan sends), and it breaks protocols that open additional connections, like active FTP or H.323
what is UDP source port static filtering?
"we're basically screwed" - the slides; UDP has no flags, so a single datagram gives no way to tell a reply from unsolicited traffic
how does dynamic packet filtering work?
keeps ports closed by default and opens them based on context: a state table tracks each flow (TCP sequence numbers, UDP src/dst pairs) so that only replies to traffic the firewall has already seen are let in, and it may also examine layer 7 to check that the traffic is the protocol it claims to be
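To make the difference between the static ACK rule and a stateful filter concrete, here is an added example (not code from the slides) that runs the same constructed traffic through both: a static filter that judges each inbound packet on its own, and a stateful one that only admits replies to flows it recorded on the way out. The `expect()` hook stands in for what an ALG/helper does after parsing an FTP `PORT` command. The 10.0.0.0/24 inside range, the addresses and the packet model are assumptions for the demonstration.

```python
from collections import namedtuple

# constructed packet model: flags is a set of TCP flag names (empty for UDP)
Pkt = namedtuple("Pkt", "proto src sport dst dport flags")
INSIDE_PREFIX = "10.0.0."   # assumed private range; anything else is "outside"


def is_inbound(p):
    return not p.src.startswith(INSIDE_PREFIX) and p.dst.startswith(INSIDE_PREFIX)


def static_ack_filter(p):
    """TCP static source port filtering: inbound TCP is allowed only if it is
    addressed to an ephemeral port and carries ACK. Each packet is judged alone."""
    if not is_inbound(p):
        return "ACCEPT"
    if p.proto == "tcp" and p.dport >= 1024 and "ACK" in p.flags:
        return "ACCEPT"
    return "DROP"           # silently: the 'send nothing' option


class StatefulFilter:
    """Dynamic packet filter: a state table opened by outbound traffic."""

    def __init__(self):
        self.table = set()  # (proto, src, sport, dst, dport) of flows allowed to exist

    def expect(self, proto, src, sport, dst, dport):
        """Hook an ALG/helper uses to pre-open a dynamically negotiated flow."""
        self.table.add((proto, src, sport, dst, dport))

    def filter(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if not is_inbound(p):
            self.table.add(key)          # outbound traffic creates state
            return "ACCEPT"
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.table:        # reply to something we sent
            if p.proto == "tcp" and "ACK" not in p.flags:
                return "DROP"            # a bare SYN is not a reply, even on a known 5-tuple
            return "ACCEPT"
        if key in self.table:            # inbound flow a helper told us to expect
            return "ACCEPT"
        return "DROP"                    # unsolicited, UDP included


def run_scenarios():
    """Run constructed traffic through both filters; returns {name: (static, stateful)}."""
    traffic = [
        ("https_syn", Pkt("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, {"SYN"})),
        ("https_synack", Pkt("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, {"SYN", "ACK"})),
        ("ack_scan", Pkt("tcp", "203.0.113.66", 80, "10.0.0.5", 40001, {"ACK"})),  # unsolicited
        ("dns_query", Pkt("udp", "10.0.0.5", 40002, "203.0.113.53", 53, set())),
        ("dns_reply", Pkt("udp", "203.0.113.53", 53, "10.0.0.5", 40002, set())),
        ("ftp_data", Pkt("tcp", "203.0.113.10", 20, "10.0.0.5", 1025, {"SYN"})),  # active FTP
    ]
    stateful = StatefulFilter()
    results = {name: (static_ack_filter(p), stateful.filter(p)) for name, p in traffic}
    # An FTP helper that had parsed "PORT 10,0,0,5,4,1" on the control channel
    # would pre-open the data connection from the server's port 20 to 10.0.0.5:1025.
    stateful.expect("tcp", "203.0.113.10", 20, "10.0.0.5", 1025)
    ftp_data = traffic[-1][1]
    results["ftp_data_with_helper"] = (static_ack_filter(ftp_data), stateful.filter(ftp_data))
    return results


if __name__ == "__main__":
    for name, (static, stateful) in run_scenarios().items():
        print(f"{name:22} static={static:6} stateful={stateful}")
```

The run shows the three points above in one table: the static rule lets the unsolicited ACK through and drops the DNS reply, the stateful filter does the opposite, and the active FTP data connection is refused by both until a helper has opened it.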
T/F stateful packet inspection (SPI) is still a packet filtering firewall
true
what are the 3 things to do with traffic that is blocked?
1. send ICMP "host unreachable" (destination unreachable, type 3 code 1)
2. send ICMP "host administratively prohibited" (destination unreachable, type 3 code 10)
3. send nothing (silently drop)
what is the worst response to send for blocked traffic?
"host administratively prohibited", because it tells an attacker that there is a firewall and that it is deliberately blocking that type of traffic
what is the best response to send for blocked traffic?
"send nothing": the sender has to wait for a timeout, which slows scans down and reveals nothing about whether a firewall is present, in the hope that they give up
what are strengths for packet filters?
they're usually pretty fast and can approach line speeds
what are some weaknesses for packet filters?
1. internal and external hosts communicate directly with each other, so the firewall has no view of what happens inside the connection once it is established
2. limited authentication/authorization of users
3. little to no logging
what are the two processes typically used for inter-networking?
bridging and routing
what are bridges?
layer 2 devices that operate in promiscuous mode and forward frames based on their local address table (LAT)
what is a local address table?
a table the bridge uses to keep track of which physical port each layer 2 (MAC) address was last seen on; building it requires the bridge to operate in promiscuous mode
what is the difference between a bridge and a switch?
a switch is just a multi-port bridge
what is the downside of bridging?
vulnerable to broadcast storms and loops
what is a filtering bridge?
a bridge that contains a packet filter; it can protect address sets that are not easily routed, including noncontiguous addresses within a single L3 segment
why might one want to use a filtering bridge?
to protect addresses that cannot be aggregated, or in environment where you cannot make any changes to the L3 routing
what is required to implement a filtering bridge?
requires a dedicated target interface or a VLAN
what are some weaknesses of a filtering bridge?
it introduces latency because of promiscuous mode, and it is still vulnerable to broadcast storms and loops
what are the best practices for a filtering bridge?
1. don't use it, use routing instead
2. use SNAT if only targeting a couple addresses
3. leave the target NIC unbound (no IP address)
4. avoid sharing interface as a bridge source and routing/NAT target
T/F the logical place to put a packet filter is when bridging (L2)
false
what is routing?
the layer 3 process where a packet is forwarded toward its destination IP address using a routing table; hosts hand the packet to the router's interface address and the router rewrites the L2 framing for the next hop
T/F the logical place to put a packet filter is when routing (L3)
true, since the L3 address will be processed anyway
what are the two types of routing?
1. standard routing
2. network address translation (NAT)
what is standard routing?
simply adding a packet filter to a router
what is network address translation?
addresses are re-written when they leave the router
why might one want to use standard routing + packet filter?
best used when filtering for Internet-facing servers, as it adds the least latency
what is a drawback of using standard routing + packet filter?
addresses on both sides of the firewall must be legal/publicly routable; in other words, private and link-local addresses do not work
T/F normal routing rules and protocols do not work when using standard routing + packet filter
false, all normal routing rules and protocols still work, like default routes, route aggregation, and routing protocols
what happens to outgoing traffic (priv -> pub) when NAT is used?
the source address get rewritten from the internal address of the host to the public address of the router
what happens to incoming traffic (pub -> priv) when NAT is used?
the destination address gets rewritten from the public address of the router to the internal address of the host
what is static NAT (SNAT)?
an implementation of NAT that operates at L3 only, where one internal address is mapped to one public address on the Internet, so a single internal host gets a dedicated public address (note: in these notes SNAT/DNAT mean static/dynamic NAT, not source/destination NAT as in Linux netfilter)
what are some notable aspects of SNAT?
1. operates at L3 only
2. allows multiple addresses to be bound to a single public interface on the firewall
3. does not reduce the required number of public addresses (no sharing)
4. supports both ingress and egress connection requests
what are best practices when implementing SNAT?
only use when unsolicited incoming connections are needed
what are some drawbacks of SNAT?
1. external interfaces can only support a limited number of addresses (~10)
2. adds latency to all traffic as all packets must be inspected and potentially translated
what is dynamic NAT (DNAT)?
an implementation of NAT that operates at layer 4/5 (also called PAT, NAPT or masquerading) where the src address of all outgoing traffic is translated to the public address of the firewall, allowing a single public address to serve many private clients
how does the firewall keep track of connections when using DNAT?
the firewall builds a state table comprised of L3 addresses, L4 ports, and L5 session info to track which connection belongs to which internal device
T/F DNAT does not have any support for unsolicited incoming connections
false, it has limited support via port forwarding, where a port on the public side can be mapped to a port on an internal host
what are the best practices when implementing DNAT?
it is the best routing solution for true private zones
what are the benefits of DNAT?
1. minimizes the number of public addresses required
2. does not require additional configuration when new internal hosts are added
3. blocks unsolicited incoming connection requests, since nothing reaches an internal host without a state table entry (except where port forwarding is configured)
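The SNAT and DNAT cards above describe the same firewall doing two kinds of rewriting. This added example (not code from the slides) models both on one device: a static one-to-one mapping that rewrites only L3 addresses and accepts unsolicited inbound traffic, and a dynamic many-to-one mapping that rewrites L3 and L4, keeps a state table keyed on the full 5-tuple, and returns `None` (drop) for anything inbound that has neither state nor an explicit port forward. The public address 198.51.100.1, the inside hosts, and the choice to always hand out a fresh public port starting at 49152 are assumptions for the demonstration.

```python
from collections import namedtuple
from itertools import count

Pkt = namedtuple("Pkt", "proto src sport dst dport")   # constructed packet model


class Nat:
    """Static (one-to-one, L3 only) and dynamic (many-to-one, L3+L4) NAT on one firewall.
    Assumed: the firewall's shared public address is given at construction."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.static = {}            # internal ip -> dedicated public ip
        self.static_rev = {}        # dedicated public ip -> internal ip
        self.forwards = {}          # (proto, public port) -> (internal ip, internal port)
        self.state = {}             # (proto, int ip, int port, ext ip, ext port) -> public port
        self.state_rev = {}         # (proto, public port, ext ip, ext port) -> (int ip, int port)
        self.ports = count(49152)   # public ports the firewall hands out (assumed: never reused)

    def add_static(self, internal_ip, public_ip):
        self.static[internal_ip] = public_ip
        self.static_rev[public_ip] = internal_ip

    def add_forward(self, proto, public_port, internal_ip, internal_port):
        self.forwards[(proto, public_port)] = (internal_ip, internal_port)

    def outbound(self, p):
        """priv -> pub: rewrite the source. Static hosts keep their port (L3 only);
        everyone else shares public_ip and gets a translated source port."""
        if p.src in self.static:
            return p._replace(src=self.static[p.src])
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.state:
            pub_port = next(self.ports)
            self.state[key] = pub_port
            self.state_rev[(p.proto, pub_port, p.dst, p.dport)] = (p.src, p.sport)
        return p._replace(src=self.public_ip, sport=self.state[key])

    def inbound(self, p):
        """pub -> priv: rewrite the destination; None means no mapping, so the packet is dropped."""
        if p.dst in self.static_rev:                     # unsolicited traffic is fine here
            return p._replace(dst=self.static_rev[p.dst])
        if p.dst != self.public_ip:
            return None
        hit = self.state_rev.get((p.proto, p.dport, p.src, p.sport))
        if hit:                                          # reply to a tracked outbound flow
            return p._replace(dst=hit[0], dport=hit[1])
        fwd = self.forwards.get((p.proto, p.dport))
        if fwd:                                          # explicit port forward
            return p._replace(dst=fwd[0], dport=fwd[1])
        return None                                      # no state, no forward: drop


def run_scenarios():
    """Constructed traffic through one firewall; returns {name: translated packet or None}."""
    nat = Nat("198.51.100.1")
    nat.add_static("10.0.0.10", "198.51.100.10")      # mail server with its own public address
    nat.add_forward("tcp", 8080, "10.0.0.7", 80)      # port forward to an internal web server
    r = {}
    r["static_out"] = nat.outbound(Pkt("tcp", "10.0.0.10", 25, "203.0.113.5", 25))
    r["static_in_unsolicited"] = nat.inbound(Pkt("tcp", "203.0.113.99", 51000, "198.51.100.10", 25))
    r["dyn_out_a"] = nat.outbound(Pkt("tcp", "10.0.0.5", 40000, "203.0.113.10", 443))
    r["dyn_out_b"] = nat.outbound(Pkt("tcp", "10.0.0.6", 40000, "203.0.113.10", 443))  # same src port
    r["dyn_out_a_again"] = nat.outbound(Pkt("tcp", "10.0.0.5", 40000, "203.0.113.10", 443))
    r["dyn_reply_a"] = nat.inbound(Pkt("tcp", "203.0.113.10", 443, "198.51.100.1", 49152))
    r["dyn_reply_b"] = nat.inbound(Pkt("tcp", "203.0.113.10", 443, "198.51.100.1", 49153))
    r["unsolicited"] = nat.inbound(Pkt("tcp", "203.0.113.66", 4444, "198.51.100.1", 22))
    r["forwarded"] = nat.inbound(Pkt("tcp", "203.0.113.66", 4444, "198.51.100.1", 8080))
    return r


if __name__ == "__main__":
    for name, pkt in run_scenarios().items():
        print(f"{name:22} -> {pkt if pkt else 'DROP (no mapping)'}")
```

Two inside hosts using the same source port 40000 toward the same server get different public ports, which is the reason the dynamic table has to carry L4 information; a real implementation would also expire entries, which this model omits.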
what is a drawback of DNAT?
sessions between an internal host and an external host are still direct in nature, so a session could be co-opted for nefarious use
what is an application layer gateway (ALG)?
a way to insulate an internal host from an external host by having the ALG act as a proxy that relays communications between internal and external hosts
what is the benefit of an ALG?
1. allows access between private address space and public address space
2. allows robust inspection of L6/L7 traffic (web filtering, email spam)
3. allows protocols that dynamically open ports to traverse the public/private boundary (e.g. active FTP)
what is the drawback of an ALG?
a separate ALG is required for each L6/L7 protocol
what are hybrid firewalls?
solutions that combine elements of traditional packet filters and ALGs; most current products fall into this category
what are the two common firewall performance metrics?
1. throughput
2. packet forwarding rate
which is the "bad" firewall performance metric?
throughput, as it can be misleading as the protocol is more often what affects throughput than the firewall itself
what is the "good" firewall performance metric?
packet forwarding rate, as it more accurately measures performance and better captures the latency as packets cross the firewall
what are the drawbacks of packet inspection?
1. adds latency because the packets must be buffered
2. adds latency because stateful inspection requires table lookups
3. adds latency as all forms of NAT require headers to be rewritten + table updates
T/F latency is added on a per-connection basis?
false, latency is added on a per-packet basis
what is the order of added latency from best to worst?
standard routing > bridging > SNAT > DNAT > ALG
how does standard routing increase latency?
barely affects latency as minimal additional processing is required
how does bridging increase latency?
requirement of NICs being in promiscuous mode reduces efficiency
how does SNAT increase latency?
the src/dst L3 addresses must re-written in both directions
how does DNAT increase latency?
src/dst L3 and L4 addresses must be rewritten
how do ALGs increase latency?
two separate sessions must be managed per "connection"
T/F firewalls are the end-all-be-all of network security
false, you should practice defense in depth, where security is implemented at multiple locations/layers/tiers
what are the 4 common zone types?
1. public
2. private
3. DMZ
4. other (e.g. VPN)
what is the public zone/network?
the raw internet
what is the private zone/network?
RFC 1918 space that is isolated from the public internet
what is the DMZ zone/network?
a zone that is partially isolated from the public network and completely isolated from the private network, allowing only the minimal required traffic in from the public network
what is the purpose of the DMZ?
to allow unsolicited interactions with unknown hosts, protecting the private network if a host in the DMZ is compromised
T/F multiple DMZs can be implemented in layers or in parallel to increase isolation/security
true
what are parallel DMZs?
a separate DMZ network segment is created for each service offered
what is the benefit of a parallel DMZ?
reduces impact of a host in a parallel DMZ being compromised as that host will not be able to communicate with others in the DMZ in addition to the private network
what should one do if parallel DMZs cannot be practically implemented?
create individual rules for each host in the DMZ, with packet filters on the hosts themselves to protect themselves from other hosts in the DMZ
what is a layered DMZ?
different DMZ layers or application tiers are created to reduce the impact of a public-facing server being breached
what are some examples of a layered DMZ?
an email forwarder in the first DMZ, an internal mail server in the second DMZ, and then clients in the private zone
what is the ranking from most ideal to least ideal for DMZ design between the first DMZ and the public network?
basic routing > bridging = SNAT > DNAT/port forwarding
T/F is it a good idea to have your edge router filter out basic garbage?
true, the benefit of having the edge router drop obvious garbage, like packets with RFC 1918 source addresses and packet fragments, outweighs the slight increase in latency
what is a multiple armed firewall design?
a single firewall with multiple interfaces is used to separate the public, private, and DMZ networks
what is the benefit of using a multiple armed firewall design?
fairly inexpensive to implement as you only need to buy one firewall
what is the drawback of using a multiple armed firewall design?
rules are more complex, and it creates a single point of insecurity/failure
what is a multiple firewall design?
DMZs are separated by different physical firewalls, ideally from different brands to reduce risk of 0-day vulnerabilities
what impact do VLANs have for DMZs?
it allows a logical DMZ to be extended across a larger network, which is useful for IP telephony, and is typically more flexible and less expensive than using multiple NICs
what are some considerations for IP addressing DMZ(s)?
1. outer DMZs that serve the Internet should be addressed with valid public addresses
2. inner DMZ can/should use private addresses as they are not directly connected to the internet
3. internal clients should always use private addresses
what are some considerations for DNS when implementing a DMZ?
you should have 2 DNS domains, one for the public facing side and one for the private side
what is "IN" for a rule on an external interface?
traffic coming into the firewall from the outside/internet
what is "OUT" for a rule on an external interface?
traffic that came from inside your network that is leaving the firewall to the outside/internet
what is "IN" for a rule on an internal interface?
traffic that is coming into the firewall from the inside/private
what is "OUT" for a rule on an internal interface?
traffic that came from "somewhere else" and is leaving out the internal interface
what is an inbound/ingress traffic flow?
traffic that comes in on the outside/external/public interface and is destined for an internal/private address
what is an outbound/egress traffic flow?
traffic that comes from an internal/private interface and is destined for an external/public address
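The edge-router "filter out basic garbage" rule and the IN/OUT interface semantics above fit together in one small ruleset. The following is an added example (not code from the slides): a filter applied to traffic entering the firewall on each interface that drops fragments, drops Internet-side packets whose source is a bogon or one of our own internal addresses (spoofing), and drops egress packets that do not carry one of our addresses. The interface names eth0/eth1, the 10.0.0.0/24 inside range and the sample packets are assumptions; the TEST-NET documentation ranges are left out of the bogon list so they can stand in for public addresses in the samples.

```python
import ipaddress
from collections import namedtuple

# constructed packet model; direction uses the rule semantics above
# ("IN" = entering the firewall on that interface)
Pkt = namedtuple("Pkt", "iface direction src dst frag_offset more_fragments")

EXTERNAL, INTERNAL = "eth0", "eth1"                   # assumed interface names
INSIDE = [ipaddress.ip_network("10.0.0.0/24")]        # assumed private space behind the edge
# Sources that must never arrive from the Internet. The TEST-NET documentation
# ranges are deliberately omitted: the sample traffic uses them as public addresses.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def in_any(ip, nets):
    return any(ip in n for n in nets)


def flow_direction(p):
    """Classify by addresses: ingress = from outside to a private address, egress = the reverse."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if in_any(dst, INSIDE) and not in_any(src, INSIDE):
        return "ingress"
    if in_any(src, INSIDE) and not in_any(dst, INSIDE):
        return "egress"
    return "local"


def edge_verdict(p):
    """Edge 'garbage' filter for traffic entering the firewall; returns (verdict, reason)."""
    src = ipaddress.ip_address(p.src)
    if p.frag_offset or p.more_fragments:
        return "DROP", "fragment"                    # no fragments past the edge
    if p.direction != "IN":
        return "ACCEPT", "out rules handled elsewhere"
    if p.iface == EXTERNAL:                          # IN on external = arriving from the Internet
        if in_any(src, INSIDE):
            return "DROP", "spoofed internal source"
        if in_any(src, BOGONS):
            return "DROP", "bogon source"
        return "ACCEPT", flow_direction(p)
    if p.iface == INTERNAL:                          # IN on internal = leaving our network
        if not in_any(src, INSIDE):
            return "DROP", "egress spoof (not our address)"
        return "ACCEPT", flow_direction(p)
    return "DROP", "unknown interface"


def run_samples():
    """Constructed packets through the edge filter; returns {name: (verdict, reason)}."""
    samples = {
        "good_ingress": Pkt(EXTERNAL, "IN", "203.0.113.10", "10.0.0.5", 0, False),
        "rfc1918_src": Pkt(EXTERNAL, "IN", "192.168.1.5", "10.0.0.5", 0, False),
        "spoofed_inside": Pkt(EXTERNAL, "IN", "10.0.0.77", "10.0.0.5", 0, False),
        "fragment": Pkt(EXTERNAL, "IN", "203.0.113.10", "10.0.0.5", 8, False),
        "first_fragment": Pkt(EXTERNAL, "IN", "203.0.113.10", "10.0.0.5", 0, True),
        "good_egress": Pkt(INTERNAL, "IN", "10.0.0.5", "203.0.113.10", 0, False),
        "egress_spoof": Pkt(INTERNAL, "IN", "172.16.9.9", "203.0.113.10", 0, False),
    }
    return {name: edge_verdict(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (v, why) in run_samples().items():
        print(f"{name:15} {v:6} {why}")
```

The egress check is the part most often forgotten: dropping packets that leave the internal interface with a source address you do not own stops your network from being used for spoofed traffic, at no more cost than the ingress rule.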