12.1 Key Terms
packet filtering = A static check of each packet against known header information such as source/destination IP address, protocol, and source/destination port. Each packet is judged on its own; the filter keeps no memory of packets that came before it.
stateful filtering = More than a simple packet filter check: stateful inspection tracks whether a network flow (a connection) already exists and can examine information up to the application layer. A stateful filtering firewall dynamically allows the return traffic from the server back to the user who initiated the connection on the other side of the firewall, without a separate inbound rule. This is implemented in the ASA firewall and in the Zone-Based Firewall feature on an IOS router.
transparent firewall = A firewall that operates at Layer 2 of the OSI model (it bridges rather than routes, so it is not an IP hop and requires no readdressing of the network), while still inspecting traffic at Layer 3 and higher.
NAT = Network Address Translation. The process of swapping an IP address in a packet in transit for an alternative address. A typical use is workstations on the inside of a network using private (RFC 1918) IP addresses and having those source addresses rewritten by the NAT router before the packets are sent out to the Internet; the router keeps a translation table so that replies can be mapped back to the original host.
PAT = Port Address Translation. A subset of NAT in which multiple inside devices are mapped to a single global address; the router tells the individual flows apart by rewriting the source port as well as the source address. It is also referred to as a many-to-one translation (the IOS keyword is overload).
12.2 Things to Remember
12.2.1 Advantages and Disadvantages of Application Layer Gateways
Advantages
- Very tight control is possible, because traffic is analyzed all the way to the application layer.
- It is more difficult to attack an end device, because the proxy server stands between the attacker and the potential victim; the outside only ever talks to the proxy.
- Can provide very detailed logging.
- May be implemented on common hardware.
Disadvantages
- Processor intensive, because most of the work is done in software on the proxy server.
- Not all applications are supported; in practice a gateway may support only a specific few.
- Special client software may be required.
- Memory and disk intensive at the proxy server.
- Could be a single point of failure in the network, unless fault tolerance is also configured.
12.2.2 Advantages and Disadvantages of Stateful Packet-Filtering Devices
Advantages
- Can be used as a primary means of defense by filtering unwanted or unexpected traffic.
- Can be implemented on routers and dedicated firewalls.
- Dynamic in nature compared to static packet filtering: return traffic is permitted because a matching flow exists, not because of a permanently open inbound rule.
- Provides a defense against spoofing and denial-of-service (DoS) attacks, since inbound packets that belong to no known flow are dropped.
Disadvantages
- Might not be able to identify or prevent an application layer attack, because a permitted flow carries whatever the application sends.
- Not all protocols carry tightly controlled state information. User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) have no handshake, so the firewall can only approximate a flow with idle timers.
- Some applications dynamically open new ports from the server side (the FTP data channel is the classic case). If the firewall is not analyzing that application and is not prepared for the server to open a new port, the application fails for the end user. A firewall that also supports application layer inspection may be able to predict and allow this secondary inbound connection.
- Stateful technology, by itself, does not support user authentication. This does not prevent a firewall that implements stateful packet filtering from also implementing authentication as an additional feature.
12.2.3 NAT Terminology
NAT Term > Description
Inside local > The real IP address configured on an inside host, such as PC1.
Inside global > The mapped/global address the router substitutes for the inside host's address during NAT. The outside world sees PC1 coming from this mapped/global address.
Outside local > If NAT is being performed on outside devices (outside NAT), this is the mapped address of the outside device (such as Server A) as it appears to inside hosts. If outside NAT is not configured on the router, this is simply the outside device's real IP address as seen by the inside devices (outside local equals outside global).
Outside global > The real IP address configured on an outside host, such as the IP address on Server A.
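The following is an added example, not part of the original notes: a small PAT router in Python that puts the four NAT terms above on concrete addresses. All addresses are constructed for illustration (10.1.1.10 and 10.1.1.11 as PC1 and PC2, 203.0.113.1 as the router's single inside global address, 198.51.100.20 as Server A); the class and method names are this example's own, not an IOS or ASA API.

```python
"""Added example (not from the original notes): a minimal PAT router.

  inside local   10.1.1.10 and 10.1.1.11   PC1 and PC2 behind the router
  inside global  203.0.113.1               the router's single public address
  outside global 198.51.100.20             Server A
  outside local  == outside global         no outside NAT is configured
"""
from dataclasses import dataclass, replace
from typing import Optional

INSIDE_GLOBAL = "203.0.113.1"        # constructed; one address shared by all inside hosts
SERVER_A = ("198.51.100.20", 80)     # constructed outside global address and port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    """Many-to-one translation: every inside local (ip, port) is mapped to
    (inside global, unique global port); the mapping is consulted in reverse
    for return traffic."""

    def __init__(self, inside_global: str, pool_start: int = 1024):
        self.inside_global = inside_global
        self.pool_start = pool_start
        self.out_map = {}   # (proto, inside local ip, inside local port) -> global port
        self.in_map = {}    # (proto, global port) -> (inside local ip, inside local port)
        self.dst_of = {}    # (proto, global port) -> (outside global ip, port), for the table

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port while it is free; on a collision
        # (two inside hosts using the same port) take the lowest unused port
        # from the pool. The rewritten port is what makes PAT many-to-one.
        if (proto, wanted) not in self.in_map:
            return wanted
        port = self.pool_start
        while (proto, port) in self.in_map:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source (inside local -> inside global)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            gport = self._allocate_port(pkt.proto, pkt.src_port)
            self.out_map[key] = gport
            self.in_map[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port)
            self.dst_of[(pkt.proto, gport)] = (pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.inside_global, src_port=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination (inside global -> inside
        local). Returns None when no translation exists, which is why an
        unsolicited inbound packet cannot reach a host behind PAT."""
        local = self.in_map.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.inside_global or local is None:
            return None
        return replace(pkt, dst_ip=local[0], dst_port=local[1])

    def translations(self) -> list:
        """Rows in the column order the IOS translation table uses:
        (inside global, inside local, outside local, outside global).
        With no outside NAT the last two columns are identical."""
        rows = []
        for (proto, gport), (lip, lport) in self.in_map.items():
            dip, dport = self.dst_of[(proto, gport)]
            outside = f"{dip}:{dport}"
            rows.append((f"{self.inside_global}:{gport}", f"{lip}:{lport}", outside, outside))
        return rows


def scenario() -> dict:
    """PC1 and PC2 both connect to Server A from source port 50000."""
    router = PatRouter(INSIDE_GLOBAL)
    pc1 = router.outbound(Packet("10.1.1.10", 50000, *SERVER_A))
    pc2 = router.outbound(Packet("10.1.1.11", 50000, *SERVER_A))   # same port: collision
    reply_to_pc2 = router.inbound(Packet(*SERVER_A, INSIDE_GLOBAL, pc2.src_port))
    unsolicited = router.inbound(Packet("192.0.2.99", 4444, INSIDE_GLOBAL, 22))
    return {
        "pc1": pc1, "pc2": pc2, "reply_to_pc2": reply_to_pc2,
        "unsolicited": unsolicited, "table": router.translations(),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

PC1 keeps its own source port (203.0.113.1:50000); PC2 collides on 50000 and is given 1024 from the pool, so Server A's reply to 203.0.113.1:1024 is mapped back to 10.1.1.11:50000. The packet to port 22 has no translation entry and is dropped, which is the side effect of many-to-one NAT that makes inbound services need a static mapping.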
12.2.4 Firewall Access Rules
Rule > Description
Rules based on service control > These rules are based on the type of service that may be accessed through the firewall, inbound or outbound. An example is allowing access to web servers, over both HTTP and HTTPS, while denying all other types of traffic.
Rules based on address control > These rules are based on the source/destination addresses involved, usually a permit or deny for specific entries in an access control list.
Rules based on direction control > These rules specify where the initial traffic may be initiated from. For example, a rule might say that traffic from the inside going to the outside (outbound traffic) is permitted, while traffic initiated from the outside going to inside resources (inbound traffic) is denied. Note that stateful filtering, using its state table, can dynamically allow the return traffic back to the inside users without an inbound permit. These rules are very easily combined (and usually are) with particular protocols/services (such as HTTP, HTTPS, and so on).
Rules based on user control > These rules control access based on knowing who the user is and what that user is authorized to do. This can be implemented via AAA (authentication, authorization, and accounting) services.
Rules based on behavior control > These rules control how a particular service is used. For example, a firewall may implement an email filter to protect against spam.
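As an added example that is not part of the original notes, the Python below models a static packet filter beside a stateful one on constructed addresses (inside network 10.1.1.0/24, Server A 198.51.100.20, attacker 192.0.2.99). It ties together the stateful filtering key term, the stateful pros and cons in 12.2.2, and the service, address and direction control rules in 12.2.4: the rule entries give service control (protocol and port) and address control (prefixes), and applying the ACL only to connections initiated from the inside is direction control. All class and function names are this example's own, not an IOS or ASA API.

```python
"""Added example (not from the original notes): static vs. stateful filtering.
Constructed addresses: inside 10.1.1.0/24, Server A 198.51.100.20,
attacker 192.0.2.99."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One access-list entry. Empty port tuples mean any port."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: str               # CIDR prefix; "0.0.0.0/0" is any
    dst: str
    dst_ports: tuple = ()
    src_ports: tuple = ()


def _in(prefix: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _in(rule.src, pkt.src_ip) and _in(rule.dst, pkt.dst_ip)
            and (not rule.dst_ports or pkt.dst_port in rule.dst_ports)
            and (not rule.src_ports or pkt.src_port in rule.src_ports))


def static_filter(acl: list, pkt: Packet) -> str:
    """Static packet filter: each packet is judged on its own header fields;
    the first matching entry wins and an implicit deny sits at the end."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


INSIDE, ANY = "10.1.1.0/24", "0.0.0.0/0"
SERVER_A = "198.51.100.20"

# Outbound policy: inside hosts may open HTTP/HTTPS to anywhere; anything
# else falls through to the implicit deny (service + address control).
OUTBOUND_ACL = [Rule("permit", "tcp", INSIDE, ANY, dst_ports=(80, 443))]

# A static filter has no memory of the outbound request, so the only way to
# let web replies back in is an inbound entry that trusts the server's
# *source* port. That entry is exactly the hole an attacker drives through.
INBOUND_STATIC_ACL = [Rule("permit", "tcp", ANY, INSIDE, src_ports=(80, 443))]


class StatefulFirewall:
    """Evaluates the outbound ACL for connections initiated from the inside,
    records each permitted flow, and lets an inbound packet through only when
    it is the reverse of a recorded flow. No inbound ACL entry is needed.
    (Real devices also keep idle-timed pseudo-flows for UDP and ICMP, which
    have no handshake; this model only tracks what it has seen go out.)"""

    def __init__(self, outbound_acl: list):
        self.outbound_acl = outbound_acl
        self.flows = set()   # (proto, inside ip, inside port, outside ip, outside port)

    def inspect(self, pkt: Packet, direction: str) -> str:
        if direction == "outbound":
            verdict = static_filter(self.outbound_acl, pkt)
            if verdict == "permit":
                self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return verdict
        # Inbound: nothing may be initiated from outside (direction control),
        # so the only packets allowed in are replies to a recorded flow.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "permit" if reverse in self.flows else "deny"


def scenario() -> dict:
    fw = StatefulFirewall(OUTBOUND_ACL)
    web_request = Packet("10.1.1.10", 50000, SERVER_A, 443)
    web_reply = Packet(SERVER_A, 443, "10.1.1.10", 50000)
    ssh_request = Packet("10.1.1.10", 50001, SERVER_A, 22)
    # Attacker forges source port 80 to reach RDP on an inside host.
    probe = Packet("192.0.2.99", 80, "10.1.1.10", 3389)
    return {
        "static_reply": static_filter(INBOUND_STATIC_ACL, web_reply),   # permit
        "static_probe": static_filter(INBOUND_STATIC_ACL, probe),       # permit: the weakness
        "stateful_request": fw.inspect(web_request, "outbound"),        # permit, flow recorded
        "stateful_reply": fw.inspect(web_reply, "inbound"),             # permit, matches flow
        "stateful_probe": fw.inspect(probe, "inbound"),                 # deny, no flow
        "stateful_ssh": fw.inspect(ssh_request, "outbound"),            # deny, service control
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:17} {verdict}")
```

The static inbound entry permits the legitimate reply and the forged probe alike, because both carry source port 80 or 443 and a destination inside the network. The stateful firewall permits the reply only because 10.1.1.10:50000 to 198.51.100.20:443 was recorded when the request went out, and drops the probe because no such flow exists. On IOS the partial static mitigation is the established keyword on an extended ACL entry, which only checks TCP flag bits (ACK or RST) and is still not aware of any flow.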