Chapter 13
Understanding Firewalls

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 5.1 Describe operational strengths and weaknesses of the different firewall technologies
    • Proxy firewalls
    • Application firewall
    • Personal firewall
  • 5.2 Compare stateful vs. stateless firewalls
    • Operations
    • Function of the state table

Firewalls are part of the foundation of security in a network. They protect the network perimeter and control access between security zones within your networks. You will also typically deploy firewalls in layers, meaning you will also place a firewall on each device. Firewall technologies differ in the way they examine the traffic they are designed to control and in the effect they have on network performance.

In this chapter, you will learn the following:

  • The operational strengths and weaknesses of the different firewall technologies
  • The functions of stateful and stateless firewalls

Understanding Firewall Technologies

Firewalls come with a range of abilities and go about their jobs in different ways depending on the job for which they were designed. They can differ in the OSI layer on which they operate and in the types of actions they can take and the attack types they can mitigate. In this section, you’ll learn about a variety of these devices. In the section following this one, you’ll look at one firewall capability that deserves a section all its own.

Packet Filtering

Packet filtering firewalls are the least detrimental to throughput because they only inspect the header of the packet for allowed IP addresses or port numbers. Although even performing this function will slow traffic, it involves only looking at the beginning of the packet and making a quick allow or disallow decision.

Although packet filtering firewalls serve an important function, they cannot prevent many attack types. They cannot prevent IP spoofing, attacks that are specific to an application, attacks that depend on packet fragmentation, or attacks that take advantage of the TCP handshake. More advanced inspection firewall types are required to stop these attacks.

Proxy Firewalls

Proxy firewalls stand between each connection from the outside to the inside and make the connection on behalf of the endpoints. Therefore, there is no direct connection. The proxy firewall acts as a relay between the two endpoints. Proxy firewalls can operate at two different layers of the OSI model. Both are discussed shortly.

Circuit-level proxies operate at the Session layer (layer 5) of the OSI model. They make decisions based on the protocol header and Session layer information. Because they do not do deep packet inspection (at layer 7 or the Application layer), they are considered application-independent and can be used for wide ranges of layer 7 protocol types.

A SOCKS firewall is an example of a circuit-level firewall. It requires a SOCKS client on the client computers. Many vendors have integrated their software with SOCKS to make using this type of firewall easier.

A kernel proxy firewall is an example of a fifth-generation firewall. It inspects the packet at every layer of the OSI model but does not introduce the performance hit that an Application layer firewall will because it does this at the kernel layer. It also follows the proxy model in that it stands between the two systems and creates connections on their behalf.

Proxy servers can be appliances, or they can be software that is installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server might allow the Sales group to go to certain websites while not allowing the Data Entry group access to these same sites. The functionality extends beyond HTTP to other traffic types, such as FTP and others.

Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.

Application Firewall

Application-level proxies perform deep packet inspection. This type of firewall understands the details of the communication process at layer 7 for the application of interest. An application-level firewall maintains a different proxy function for each protocol. For example, for HTTP the proxy will be able to read and filter traffic based on specific HTTP commands. Operating at this layer requires each packet to be completely opened and closed, making this firewall the most impactful on performance.

Personal Firewall

Personal firewalls may be those that come with an operating system like the Windows Firewall, or they may be third-party host firewalls such as Kaspersky Internet Security or Zone Alarm Pro Firewall. These firewalls, called either host or personal firewalls, protect only the device on which the software is installed.

While never a replacement for properly positioned network firewalls, they are an excellent complement to the protection provided by the network firewalls, and installing both types of firewalls is an example of exercising the concept of defense in depth. This concept prescribes that you should always deploy multiple barriers to unauthorized access.

One key feature that a personal firewall can provide (although in many cases this is not configured by default) is the ability to control egress traffic. This is traffic leaving the device and can help to prevent malware that “calls home” to a command-and-control server from functioning. These firewalls can also help protect systems from other systems inside the network perimeter.

Stateful vs. Stateless Firewalls

One key type of firewall that we saved for the end of this chapter is a stateful firewall. Stateful firewalls are those that are aware of the proper functioning of the TCP handshake, keep track of the state of all connections with respect to this process, and can recognize when packets are trying to enter the network that don’t make sense in the context of the TCP handshake. Just as a review, Figure 13.1 shows the process.


FIGURE 13.1 TCP three-way handshake

In this process, a packet with both the SYN flag and the ACK flag set should never arrive at a firewall for delivery unless it is part of an existing handshake, that is, unless it is the response to a packet sent from inside the network with the SYN flag set. A stateful firewall disallows this type of stray packet. It can also recognize other attack types that attempt to misuse the handshake. It does this by maintaining a state table of all current connections and the status of each connection process, which allows it to recognize any traffic that does not make sense given the current state of the connection. Of course, maintaining and referencing this table causes this firewall type to have more of an effect on performance than a packet filtering firewall.

Operations

Figure 13.2 shows the operation of a stateful firewall.

Diagram shows computer icon on left and CPU on right with arrows between them labeled SYN, SYN/ACK, and ACK.

FIGURE 13.2 Stateful firewall operation

The device C1 on the right is sending a SYN packet to the device H1. The firewall permits that packet and records the connection in its state table. It then consults that table whenever a packet arrives, to ensure that any packet it permits is either a connection request from the inside (a packet with only the SYN flag set) or part of an existing connection, and that all rules of the handshake are enforced. For example, in this scenario, a packet from the outside sent by H1 to C1 with only the ACK flag set would be rejected, because the next packet expected in the handshake is one with both the SYN and ACK flags set.

State Table

The state table is used to monitor all allowed connections. The following are the key items that are typically recorded by a stateful firewall with respect to each connection:

  • Source IP address
  • Source port number
  • Destination IP address
  • Destination port number
  • IP Protocol
  • Flags
  • Timeout
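As an added illustration of the state-table logic described above and of the packet-filter weakness noted in the Packet Filtering section (this is example code written for this chapter, not part of the book), the model below replays the C1/H1 scenario: a stateless filter that looks only at ports lets a stray SYN/ACK through, while the stateful firewall accepts only packets that fit the recorded handshake state. The addresses, the rule that 10.0.0.0/8 is the inside network, and the state names are assumptions made for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")  # flags: frozenset, e.g. {"SYN","ACK"}

def is_inside(ip):
    return ip.startswith("10.")          # assumption: 10.0.0.0/8 is the protected network

def stateless_allow(pkt, allowed_ports=frozenset({80, 443})):
    """Packet filter: header only, no memory, so a stray SYN/ACK from port 80 passes."""
    return pkt.dst_port in allowed_ports or pkt.src_port in allowed_ports

class StatefulFirewall:
    """State table keyed by the 5-tuple as seen from the inside host that opened it."""
    def __init__(self, timeout=30):
        self.timeout, self.table = timeout, {}

    def _lookup(self, p):
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, "tcp")
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, "tcp")
        if fwd in self.table: return fwd, "out"   # inside host -> outside
        if rev in self.table: return rev, "in"    # outside host -> inside
        return fwd, None                           # not a tracked connection

    def inspect(self, p):
        key, direction = self._lookup(p)
        entry = self.table.get(key)
        if p.flags == {"SYN"}:                     # new connection: inside only
            if direction is None and is_inside(p.src_ip):
                self.table[key] = {"state": "SYN_SENT", "flags": "SYN", "timeout": self.timeout}
                return True
            return False
        if p.flags == {"SYN", "ACK"}:              # must answer a SYN we recorded
            if direction == "in" and entry["state"] == "SYN_SENT":
                entry.update(state="SYN_RECEIVED", flags="SYN/ACK")
                return True
            return False
        if p.flags == {"ACK"}:                     # third step, or data on an open connection
            if direction == "out" and entry["state"] in ("SYN_RECEIVED", "ESTABLISHED"):
                entry.update(state="ESTABLISHED", flags="ACK")
                return True
            return direction == "in" and entry["state"] == "ESTABLISHED"
        return False

def demo():  # chapter scenario: C1 (inside) opens a connection to H1 (outside)
    fw, c1, h1 = StatefulFirewall(), ("10.0.0.5", 40000), ("203.0.113.9", 80)   # constructed addresses
    syn, synack = Packet(*c1, *h1, frozenset({"SYN"})), Packet(*h1, *c1, frozenset({"SYN", "ACK"}))
    early_ack, ack = Packet(*h1, *c1, frozenset({"ACK"})), Packet(*c1, *h1, frozenset({"ACK"}))
    stray = Packet(*h1, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))   # no SYN preceded it
    return [fw.inspect(syn), fw.inspect(early_ack), fw.inspect(synack), fw.inspect(ack),
            fw.inspect(stray), stateless_allow(stray)]
```

`demo()` returns `[True, False, True, True, False, True]`: the early ACK from H1 and the unrelated SYN/ACK are rejected by the stateful firewall, while the stateless filter passes the same stray SYN/ACK because its source port is 80.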

Summary

In this chapter, you learned about various firewall technologies such as proxy, application, personal, and stateful firewalls, and their strengths and weaknesses. You also learned about stateful firewalls in greater detail and the relationship between the operation of these firewalls and the TCP three-way handshake. Finally, you learned what is contained in the state table of a stateful firewall.

Exam Essentials

Identify the operational strengths and weaknesses of firewall technologies. These include proxy, application, personal, and stateful firewalls. Describe each technology’s impact on performance and the features that each provides.

Describe the relationship between the TCP three-way handshake and stateful firewalls. Stateful firewalls understand the three-way handshake and can recognize illegal packets that don’t make sense in the TCP connection process.

Identify the contents of a state table. Key items that are typically recorded by a stateful firewall with respect to each connection are source IP address, source port number, destination IP address, destination port number, IP protocol, flags, and timeout.

Review Questions

  1. Which firewall technology is the least detrimental to performance?

    1. Proxy
    2. Stateful
    3. Packet filtering
    4. SOCKS
  2. Which firewall type operates at the session layer?

    1. Circuit-level proxy
    2. Stateful
    3. Packet filtering
    4. SOCKS
  3. Which statement is true of a kernel-level proxy?

    1. Operates at the Transport layer
    2. Considered a fifth-generation firewall
    3. Maintains a state table
    4. Examines only the header
  4. Which of the following is not a proxy firewall?

    1. Kernel
    2. Circuit-level
    3. SOCKS
    4. Application
  5. Which type of firewall is Zone Alarm Pro Firewall?

    1. Personal
    2. Stateful
    3. Packet filtering
    4. SOCKS
  6. Which value for each connection is not contained in the state table of a stateful firewall?

    1. Destination MAC address
    2. Source IP address
    3. Destination IP address
    4. Flags
  7. You have selected a firewall that performs deep packet inspection but also creates a performance hit on throughput. What type did you select?

    1. Personal
    2. Application level
    3. Packet filtering
    4. SOCKS
  8. Which of the following also offers the benefit of web page caching?

    1. Personal firewalls
    2. Application-level firewalls
    3. Proxy servers
    4. SOCKS firewalls
  9. At what layer of the OSI model do circuit-level proxies operate?

    1. Network
    2. Transport
    3. Application
    4. Session
  10. Which of the following is most susceptible to IP spoofing attacks?

    1. Packet-filtering firewalls
    2. Application-level firewalls
    3. Proxy servers
    4. SOCKS firewalls
  11. Which of the following will be able to read and filter traffic based on specific HTTP commands?

    1. Packet-filtering firewalls
    2. Application-level firewalls
    3. Proxy servers
    4. SOCKS firewalls
  12. What is the only legitimate response to a packet with the SYN flag set?

    1. SYN/FIN
    2. ACK
    3. SYN/ACK
    4. FIN
  13. A packet was just received with the SYN/ACK flags set. What data structure will a stateful firewall use to determine whether this packet is allowed?

    1. ARP cache
    2. Routing table
    3. DNS resolver cache
    4. State table
  14. Installing both personal and network firewalls is an example of exercising what concept?

    1. Defense in depth
    2. Separation of duties
    3. Least privilege
    4. Need to know
  15. A SOCKS firewall is an example of which firewall technology?

    1. Packet-filtering firewalls
    2. Circuit-level firewall
    3. Proxy servers
    4. Stateful firewalls
  16. Which traffic type would be accepted by a stateful firewall?

    1. A SYN/ACK packet that is not related to a current connection
    2. An ACK packet that is in response to a SYN packet in a current connection setup
    3. A SYN/ACK packet in response to a SYN packet in a current connection setup
    4. An ACK packet that is not related to a current connection
  17. Which of the following is not a proxy firewall?

    1. SOCKS firewalls
    2. Circuit-level firewalls
    3. Stateful firewalls
    4. Kernel-level firewalls
  18. Which statement is not true of personal firewalls?

    1. May be those that come with an operating system like the Windows Firewall or may be third-party host firewalls
    2. Protect only the device on which the software is installed
    3. Can control egress traffic
    4. Can be a replacement for properly positioned network firewalls
  19. Which firewall technology is the most detrimental to performance?

    1. Application level
    2. Stateful
    3. Packet filtering
    4. SOCKS
  20. Which firewall type operates at the Network and Transport layers?

    1. Circuit-level proxy
    2. Packet filtering
    3. Stateful
    4. SOCKS