Ch8 - 8.01 - Understanding Firewalls & Proxy Servers Flashcards

Ch8 - Securing the Network Infrastructure

1
Q

Firewalls

A

Firewalls are designed to protect systems on one side of the firewall from systems on the other side by analyzing packets that reach the firewall and determining whether each packet is allowed to pass through. You will configure rules on the firewall that indicate to the firewall which traffic is to pass through and which is to be blocked.

For the Security+ exam, know that firewalls are examples of protective controls, as they have rules configured to control what type of traffic can enter the network. This chapter also discusses intrusion detection systems, which in general are considered detective controls (unless it is an active IDS, or IPS).

2
Q

Host-based or Application-based Firewall

A

A piece of software you install on a system that is used to protect that one system.

3
Q

Network-based Firewall

A

A network-based firewall is placed at the edge of the network and controls what traffic is allowed to enter and leave the network.

4
Q

Types of Firewalls

A
  1. Packet-Filtering Firewall (Stateless)
  2. Stateful Packet Inspection Firewall
  3. Application-Layer Firewall
5
Q

Packet-Filtering Firewall (Stateless Inspection Firewall)

A

A packet-filtering firewall can block or allow traffic (known as filtering traffic) based on the source or destination IP address and the source or destination port number.

A packet-filtering firewall filters traffic based on the layer-3 and layer-4 headers.

Cons:
The attacker could alter the addresses in the header of the packet to fit into the rule placed on the firewall, and then the firewall would allow the packet into the network.

6
Q

Stateful Packet Inspection Firewall

A

Like packet-filtering firewalls, a stateful packet inspection firewall can filter traffic based on the source and destination IP address or port number, but can also look at the context of the conversation and determine if the packet is supposed to be received at that point in the conversation. If the firewall receives a packet in the correct context of the conversation and the packet follows one of the rules, it allows the packet into the network.

Pros:
Stateful packet inspection firewalls use rules to filter traffic as well, but they are also smart enough to know the context of the conversation. (In other words, they can filter traffic by knowing what packets are expected during certain phases of the conversation.)

Example:
An example of a stateful packet inspection firewall knowing about the context of a conversation is that if a hacker tries to send malicious commands to the firewall with a destination port of 80 and the hacker has not performed a three-way handshake first, the firewall says, “Nope, sorry, you are not allowed in because I don’t see that we have established a connection.” Stateful packet inspection firewalls know that before TCP communication can occur, there needs to be a three-way handshake.

7
Q

Application-Layer Firewall

A

The application-layer firewall, the next type of firewall, implements features of both the packet-filtering firewall and the stateful packet inspection firewall, but also can filter traffic based on the payload data of the packet.

This means that an application-layer firewall can deny packets containing suspicious commands. This allows the firewall to control what types of actions, or commands, can be passed through the firewall in the payload of the packet.

8
Q

Firewall Topologies

A
  1. Dual-Homed Host Firewalls
  2. Screened-Host Firewalls

9
Q

Dual-Homed Host Firewalls

A

A dual-homed host firewall consists of a single computer with two physical network interfaces that acts as a gateway between the two networks. The server’s routing capability is disabled so that the firewall software that is installed on the system can handle all traffic management. An application firewall or proxy server software is typically run on this system to pass packets from one side of the dual-homed system to the other. You must be careful not to enable routing within the network operating system that will be used as the dual-homed system, or you will bypass your firewall software and simply be routing data.

10
Q

Screened-Host Firewalls

A

Screened-host firewall configurations are considered by many to be more secure than the dual-homed firewall. In this configuration, you place a screening router between the dual-homed host and the public network. This enables you to provide packet filtering before the packets reach the dual-homed firewall, thereby adding an extra layer of network security. The dual-homed system can then run an application firewall or a proxy server to provide additional security to this configuration.

In short, a screened-host firewall configuration adds an extra layer of security by adding a packet-filtering router in front of the firewall.

11
Q

Screened-Subnet Firewalls

A

A screened-subnet firewall configuration takes security to the next level by further isolating the internal network from the public network. An additional screening router is placed between the internal network and the dual-homed firewall.

Pros:
This provides two additional levels of security. First, by adding a screening router internally, you can protect the dual-homed firewall host from an attack by an internal source. Second, it makes an external attack much more difficult because the number of layers that an attacker must go through is increased.

12
Q
Security Zones
(Firewalls divide networks into different zones)
A
  1. Private LAN/intranet
  2. DMZ
  3. Public zone
  4. Extranet
  5. Wireless
  6. Guest
13
Q

Private LAN/intranet

A

The firewall placed in front of the private LAN ensures that no traffic from any other network is sent through the firewall to the private LAN. Note that this zone could be called the private zone, private LAN, or intranet zone.

14
Q

DMZ

A

The DMZ is an area between two firewalls (typically referred to as external and internal firewalls) that allows selected traffic from the Internet to pass through the external firewall into systems within the DMZ. The purpose of the internal firewall is to not allow any traffic originating from the Internet to pass through it. The DMZ is where you place any servers that need to be reached by the general public, such as a web server, SMTP server, FTP server, or DNS server.

15
Q

Public Zone

A

The public zone is any network not controlled by the network administrator. The best and most popular example of a public zone is the Internet. As a firewall administrator, you will control which traffic comes from the public zone to the intranet zone.

16
Q

Extranet (Zone)

A

An extranet zone includes servers that you want to make accessible to selected organizations via the Internet or other public zones.

17
Q

Wireless (Zone)

A

The wireless network could be placed in a network zone of its own, which gives the firewall administrator the opportunity to control which zones the wireless client can access. For example, you may not want the wireless network to access the intranet or extranet zones.

18
Q

Guest (Zone)

A

The guest zone is designed for visitors to your office location. Visitors typically do not need access to the private network or even the extranet zone; they typically just need Internet access to check e-mail and surf the Internet. You can create a guest zone that has access to the public Internet zone, but does not have access to any of the other zones.

19
Q

Network Address Translation

A

Network address translation (NAT) allows you to use a private address range on the inside of the network that is then translated to a public address used on the NAT device. This is accomplished by the NAT device having one of its interfaces connected to the Internet (known as the public interface), while the other interfaces are connected to the private network (known as private interfaces).

20
Q

Proxy Servers

How a proxy server works

A
  1. The workstations (clients) on the network are configured to send Internet requests to the proxy server.
  2. A workstation submits a request for a web page on the Internet to the proxy server.
  3. The proxy server then connects to the Internet site on behalf of the user and transmits the request on to the Internet web server.
  4. The Internet web site sends the reply to the proxy server.
  5. The proxy server sends the reply to the original workstation that made the request.
21
Q

Benefits of Using Proxy Servers

A
  1. (User PoV) Anonymity
  2. (User PoV) Performance (Caching Feature)
  3. (Admin PoV) Central Point of Web Surfing Management
  4. (Admin PoV) Authentication
22
Q

Anonymity (Proxy Servers)

A

From the outside world’s point of view, the request came from the proxy server (which it actually did). If someone looks at the source IP address of the request and decides to attack that source IP address, then they are attacking the proxy server and not the internal system. At no point did the workstation inside the network make a connection to the Internet resource!

23
Q

Performance - Caching Feature (Proxy Servers)

A

Some proxy servers implement a caching feature as well, which stores the web page that was requested by the client on the proxy server. The benefit of this is that the next client that requests the same web page can receive the page more quickly because the proxy server already has the content and does not need to retrieve it from the Internet.

24
Q

Central Point of Web Surfing Management (Proxy Servers)

A

Proxy servers also allow the administrator to have a central point where they can log and filter what web sites users are allowed to visit. Most proxy servers have reporting features so that the administrator can view a list of most-visited web sites. The administrator can then choose whether to continue to allow access to a site or, if it is not of a business nature, to deny access to the site.

25
Q

Forward Proxy

A

A forward proxy is what was described earlier: the client sends the request to the proxy server and the proxy server retrieves the resource out on the Internet and sends the response to the client. With a forward proxy, the internal system does not talk to a system on the Internet directly.

26
Q

Reverse Proxy

A

A reverse proxy is used in a scenario where you want a system on the Internet to be able to send a request to one of your internal systems, such as a web server or mail server.

In this situation, the direction of communication is reversed, but all communication still goes through the proxy (reverse proxy in this case).

The system on the Internet sends the request to the reverse proxy server, which then forwards the request to the internal server after checking that the request is not malicious.

27
Q

Web Application Firewall

A

A web application firewall is an application-layer firewall that allows you to control which HTTP messages can reach your web server. Controlling the HTTP messages allows you to protect against common attacks targeting web servers.

The difference between a web application firewall and a regular network firewall is that the web application firewall is focused on analyzing HTTP traffic, while the network firewall analyzes all network traffic.

28
Q

Web Security Gateway

A

A web security gateway is a device or software that protects your network from malicious content on the Internet. Web security gateways not only protect your employees from inappropriate content such as pornography on the Web, but also scan the content for malicious code, and can provide data loss prevention (DLP) for your company by ensuring that employees are not posting sensitive information on the Web.