Term
If a packet is a ___, the firewall will drop it. If it isn't, then the firewall passes it. This is called a ___.

Definition
provable attack; pass/deny decision

Term
Firewalls usually record information about each dropped packet in a ___. This is called ___.

Definition

Term
A ___ sits at the boundary between the corporate site and the external internet.

Definition

Term
In ___ the firewall examines packets entering the network from the outside. In ___ the firewall filters packets when they are leaving the network. Why when leaving?

Definition
ingress filtering; egress filtering. This prevents replies to probe packets from leaving the network.

Term
What happens when a firewall becomes overloaded with traffic? What is the issue with this?

Definition
It will drop the packets it can't process. This creates a self-inflicted DoS.

Term
At what speed must firewalls be able to handle incoming traffic?

Definition
At wire speed, the maximum speed of data coming to each port.

Term
What is the most important firewall filtering method?

Definition
stateful packet inspection (SPI)

Term
How do intrusion prevention systems stop attacks?

Definition
They examine all layers in each packet and examine complex relationships within streams of packets.

Term
What is Unified Threat Management (UTM)?

Definition
UTM firewalls handle traditional firewall processing, antivirus filtering and spam filtering.

Term
Do traditional firewalls do antivirus filtering and other application-level malware filtering?

Definition

Term
What are the filtering methods used for examining packets?

Definition
stateful packet inspection filtering
static packet filtering
network address translation
application proxy filtering
intrusion prevention system filtering
antivirus filtering

Term
What is the primary inspection mechanism used by border firewalls?

Definition
stateful packet inspection (SPI)

Term
The earliest border firewalls used ___. Is this limited?

Definition
static packet filtering; it is extremely limited

Term
___ looks at packets one at a time in isolation.

Definition

Term
Why is static packet filtering limited?

Definition
It only examines one packet at a time. Many attacks can only be stopped by understanding a packet's place in a stream of packets.

Term
Static packet filter firewalls only look at what layer headers? Do they look at all fields in those headers?

Definition
internet and transport layer headers; no

Term
What are some attacks a static packet filter firewall stops effectively?

Definition
Internet Control Message Protocol (ICMP) echo messages
Spoofed source IP addresses

Term
What are two peripheral uses for static packet filtering?

Definition
Border firewalls use static packet filtering as a secondary filtering mechanism.
Some firms turn their border routers into static packet filtering firewalls by adding software.

Term
Nearly all corporate border firewalls today use the ___ filtering method.

Definition
Stateful Packet Inspection (SPI)

Term
SPI focuses on ___, which are persistent conversations between different programs on different computers.

Definition

Term
A ___ is a distinct phase in a connection between two applications.

Definition

Term
What are the states? Describe them.

Definition
Opening state: the two applications agree to open a connection.
Ongoing communication state: for most connections, traffic is dominated by exchanges during this state.

Term
How does stateful packet inspection (SPI) work?

Definition
It changes its specific examination method depending on the current state.

Term
The vast majority of packets are not part of what attempt?

Definition

Term
Stateful packet inspection is simple for packets that ___ attempt to open a connection. What is the consequence of this?

Definition
don't; nearly all packets are handled quickly, simply and inexpensively.

Term
in networking is represented by its ___, which designates a ___ on a specific computer.

Definition
socket; specific program (designated by a port number)

Term
What is a connection? How many sockets does it consist of?

Definition
It is a link between programs on different machines. Two: internal and external.

Term
In stateful packet inspection (SPI), when a packet arrives that doesn't attempt to open a connection, the SPI firewall checks if it is part of a previously approved connection. What happens then?

Definition
If it is part of an existing connection in the connection table, the packet is passed, usually without further filtering.
If it isn't part of an existing connection in the connection table, it is dropped and logged.

Term
Can SPI firewalls handle ICMP and UDP?

Definition

Term
With SPI processing, it is very simple. If the connection is in the table, ___ the packet. If not, ___ the packet.

Definition

Term
By default, SPI firewalls permit all attempts to open a connection from an ___ host to an ___ host.

Definition

Term
To specify exceptions to default rules, SPI firewalls have ___.

Definition
access control lists for both internal and external connection opening attempts

Term
What is an access control list (ACL)?

Definition
a series of rules that are exceptions to the default behavior

Term
ACL rules typically involve ___ or ___ ports.

Definition

Term
What is a well-known port number? (Not the specific numbers, but the definition.)

Definition
They designate specific applications running on the server.

Term
What is the range of well-known port numbers?

Definition

Term
Firewall administrators should always choose the access control list (ACL) rule that implements the policy but also ___

Definition
minimizes openings through the firewall

Term
In practice, attacks other than ___ rarely get through an SPI firewall unless the administrator creates an incorrect ___.

Definition
application layer attacks; access control list (ACL)

Term
Network Address Translation (NAT) is used in firewalls that use ___

Definition
various types of examination methods, as a second type of protection

Term
What is a sniffer? What does it allow a hacker to do?

Definition
It is a program that captures packets and notes source IP addresses and port numbers. It allows an attacker to learn about the network's IP addresses and open port numbers without sending packets.

Term
How does Network Address Translation (NAT) work?

Definition
It replaces source IP addresses and port numbers with external (stand-in) addresses and numbers. It keeps the original IP addresses and socket numbers in a table. When it gets a response, it forwards it to the proper host.

Term
How does Network Address Translation (NAT) stop a sniffer?

Definition
The sniffer can't learn about the private IP addresses or port numbers because they have been replaced.

Term
___ allows applications that were not designed to work with Network Address Translation (NAT) to work with it. What is the downside, if any?

Definition
NAT traversal. There are several methods and all have limitations.

Term
Neither ___ nor ___ firewalls examine application messages.

Definition
static packet filter; Stateful Packet Inspection (SPI)

Term
What is the purpose of the ingress access control list (ACL)?

Definition
The default behavior is to drop all attempts to open a connection from the outside. The list can change the defaults.

Term
A ___ explicitly filters application layer messages.

Definition

Term
How does a proxy firewall inspect application layer content?

Definition
It collects all of the segments of an application message if it is fragmented, and then inspects the content.

Term
Application proxies use application-specific relaying, in which they act as both a client and a host when the packet arrives. Thus, the firewall needs a separate application proxy program for ___

Definition
each application protocol

Term
Why can't application proxy firewalls be used as a main border firewall?

Definition
Maintaining two connections for each client/server pair is highly processing intensive, so they can only handle a limited number of pairs. They can't handle the load.

Term
In addition to their slow operation per packet, application proxy firewalls have another serious limitation. What is it?

Definition
Only a few applications can be effectively proxied.

Term
There are two common uses of application proxy firewalls today. What are they?

Definition
Protect internal clients from malicious external servers.
Sit between an internal server and external clients.

Term
For HTTP, proxy programs can do several types of filtering. What are three of them?

Definition
Inspect the URL and compare it with a table of blacklisted URLs.
Inspect scripts in downloaded web pages and drop them if needed.
Inspect the MIME type in an HTTP response.

Term
Many firms drop any HTTP request message that uses the POST method in order to provide ___

Definition

Term
In addition to filtering the content of the application layer message, there are three other protections that application proxy firewalls offer:

Definition
Internal IP address hiding: hides IP addresses of internal hosts.
Header destruction: discards the internet and transport layer headers in the arriving packet.
Protocol fidelity: breaks connections when attempting to bypass aspects of the firewall.

Term
Stateful packet inspection (SPI) is being challenged by a new type of filtering, which is ___

Definition
Intrusion Prevention System (IPS) filtering

Term
How does an intrusion detection system (IDS) work?

Definition
It examines streams of packets to look for suspicious activities that indicate possible attacks.

Term
Can an intrusion detection system (IDS) drop a packet if it is merely suspicious?

Definition

Term
Firewalls stop ___. IDSs identify ___.

Definition
provable attacks; suspicious packets that may or may not be part of attacks

Term
What are two serious limitations of IDSs?

Definition
Too many false alarms
Heavy processing requirements

Term
What makes an IDS have heavy processing requirements?

Definition
Deep packet inspection: IDSs look at all fields in the packet, including the IP header, TCP or UDP header and application message.
Packet stream analysis: it filters packet streams rather than individual packets.

Term
Instead of just identifying attacks, intrusion prevention systems (IPS) will ___

Definition
stop some kinds of attacks

Term
___ is much faster than ___, allowing IPSs to be used even when traffic volume is high. This is due to ___.

Definition
hardware filtering; software filtering; application-specific integrated circuits (ASICs)

Term
What do intrusion prevention systems (IPS) do when they detect suspicious traffic at the high end of the attack identification confidence spectrum?

Definition
Drop attack packets. This is dangerous but highly effective.
Bandwidth limitation:

Term
What will an antivirus server look for?

Definition
viruses
worms
trojan horses
spam
phishing
rootkits
malicious scripts
other malware

Term
What is a unified threat management (UTM) firewall?

Definition
It performs traditional firewall filtering methods and antivirus filtering.

Term
What are the types of firewalls? What is the job of each?

Definition
Main border firewalls: filter at the point where the corporate network connects to the internet.
Screening border routers: static packet filtering software on the router to stop simple high-volume attacks.
Internal firewalls: control traffic flowing between different parts of the firm's internal network.
Host firewalls: firewalls on individual hosts, both clients and servers.

Term
Border firewalls and internal firewalls are complex to set up because:

Definition
They must protect a large number of client-server connections with different filtering needs.

Term

Definition
a subnet that contains all of the servers and application proxy firewalls that must be accessible to the outside world

Term
Connections between the ___ and the internal subnet are dangerous.

Definition

Term
What are the main hosts in the DMZ?

Definition
Public servers
Application proxy firewalls
External DNS server

Term
___ are high-level statements to guide firewall implementers.

Definition

Term
Each firewall policy must be translated into an ___ that the firewall can understand.

Definition
ACL (access control list) rule

Term
___ are pre-packaged firewalls.

Definition

Term
If a company has lots of firewalls it will use a ___. At the heart of this system is the ___.

Definition
central firewall management system
firewall policy management server

Term
Based on policies, the ___ sends appropriate ACL rules to individual firewalls. There is no need for an admin to manually install rules on ___.

Definition
central configuration system
each firewall

Term
What fields are in a firewall policy database?

Definition
policy number
source and destination
service
action
track (logging)
firewalls (which firewalls/routers the ACLs should be sent to)

Term
After firewall installation and configuration, you must do ___.

Definition

Term
___ is the most time-consuming part of firewall administration.

Definition

Term
As more attacks will make it past border firewalls, it is increasingly important to harden ___ against attacks.

Definition

Term
___ are new attacks that are made before signatures are defined.

Definition

Term
One way to address threats for which no signature exists is to use ___.

Definition

Term
___ filters traffic passing between different parts of the site's internal network.

Definition
