
Thursday, October 30, 2014

EJB - Bean Types


As mentioned in the previous post, EJB - Introduction, EJB divides beans into three categories by function: session beans, message-driven beans, and entities.

Session Beans
A session bean is invoked by a client to perform a specific business operation, such as checking a customer's credit history. The name "session" implies that a bean instance lives for the duration of a unit of work and disappears when the server shuts down or crashes. A session bean can be used to modularize any application logic. There are two kinds of session beans: stateful and stateless.
A stateful session bean automatically preserves the bean's state across client invocations without any extra code on our part; the shopping cart of a web store is the typical example. A stateless session bean, by contrast, maintains no state and is used to modularize application services; we would build a stateless session bean to implement a business process such as charging a credit card or checking a customer's credit history.
A session bean can be invoked either locally or remotely through Java RMI. A stateless session bean can also be exposed as a web service.

Message-driven Beans
Like session beans, MDBs process business logic. The big difference is that clients never invoke MDB methods directly. Instead, MDBs are driven by messages delivered through a messaging server, which enables asynchronous message passing between system components. Typical messaging servers include IBM WebSphere MQ, SonicMQ, Oracle Advanced Queuing, and TIBCO. MDBs are typically used for robust system integration or asynchronous processing. One example of messaging is sending an inventory replenishment request from an automated retail system to a supply chain management system.

Entities and the Java Persistence API
One of the new features in EJB 3 is the way it handles persistence. We briefly mentioned persistence providers and JPA earlier; now let's go into more detail.
Persistence is the ability to automatically store the data contained in Java objects into a relational database such as Oracle, SQL Server, or DB2. In EJB 3, persistence is managed through JPA, which persists Java objects automatically using a technique called object-relational mapping (ORM). In essence, ORM uses configuration metadata to map the data in Java objects onto database tables, relieving us of writing the low-level, complex JDBC code needed to persist objects to the database.
In EJB 3, a persistence provider is essentially an ORM framework that supports the Java Persistence API (JPA). JPA standardizes:
  • The ORM configuration metadata for mapping entities to relational tables.
  • The EntityManager API, a standard API for performing CRUD persistence operations on entities.
  • The Java Persistence Query Language (JPQL), used to search for and retrieve persisted application data.
Because JPA standardizes ORM frameworks for the Java platform, we can plug an ORM product such as JBoss Hibernate, Oracle TopLink, or BEA Kodo into the application as the underlying JPA "persistence provider".

Entities
If we use JPA to build the persistence logic of our application, we must use entities. Entities are the Java objects that are persisted to the database. Just as session beans modularize processes, entities model the lower-level application concepts that high-level business processes manipulate.

The EntityManager
The JPA EntityManager interface manages entities and provides persistence services. Entities tell the JPA provider how they map to the database, and the EntityManager interface reads that ORM metadata for an entity and performs the persistence operations. The EntityManager knows how to perform CRUD (CREATE, RETRIEVE, UPDATE, DELETE) operations on entities in the database. In addition, JPA provides lifecycle management, performance tuning, caching, and transaction management.

Java Persistence Query Language
JPA provides an SQL-like language called the Java Persistence Query Language (JPQL) for searching entities stored in the database. With a robust and flexible API like JPQL, we lose nothing by choosing automated persistence over hand-written JDBC. JPA also supports native database-specific SQL, which is worth using in a few rare cases.
At this point we should have a basic understanding of each part of EJB. We also know that session beans and MDBs need an EJB container to run in, that entities need a persistence provider, and that all of these components can access the services EJB 3 provides.

Reference:

1) EJB 3 in Action

Thursday, October 16, 2014

EJB - Introduction

EJB stands for Enterprise JavaBeans. Simply put, it is a platform that lets developers build portable, reusable, and scalable business applications in the Java language. Since its introduction, EJB has been promoted as a component model or framework that lets us build business applications without re-implementing services such as transactions, security, automated persistence, and so on. EJB lets developers concentrate on business logic instead of spending time writing infrastructure code.
From a developer's point of view, an EJB is simply a piece of Java code that runs in a special runtime environment called the EJB container, which provides a large number of component services.

EJB as a Component
Whenever we talk about EJBs here, we mean server-side components that can be used to build parts of an application such as business logic or persistence code. Many people associate the word "component" with developing complex, heavyweight code such as CORBA or Microsoft COM+. In the brand-new world of EJB 3.0, however, a component is nothing more than a POJO with some special capabilities. More importantly, those capabilities are "invisible" when they are not needed, so they do not distract from the component's real purpose.
The real idea behind components is to encapsulate application behavior efficiently. Users of a component do not need to understand how it works internally; they only need to know what it takes in and what it returns. There are three kinds of EJB components: session beans, message-driven beans, and entities. Session beans and message-driven beans implement the business logic of an EJB application, while entities are used for persistence.
Components are reusable. Suppose the company builds a website that sells books, and the credit card charging module is designed as a plain Java object. Another team then builds a website that sells CDs in a different development environment. Because the environments differ, they cannot use the credit card module directly; they have to copy your whole module into their site, since there is no easier way to access it. If the credit card module were built as an EJB component, new users could reuse it much more easily without needing to know how it works internally (Figure 1).

Figure 1


EJB as a Framework
EJB components live in a container. Together, the components and the container can be seen as a framework that provides valuable services for business application development.
Many people think using EJB for a medium-sized web application is overkill, but building a business application from scratch is impractical. Most server-side applications have a lot in common, such as managing application state, fetching data from and storing data to a database, security, asynchronous processing, integrating with other systems, and so on.
As a framework, the EJB container provides these common capabilities, so EJB components can use them directly in their own application without re-implementing them. These services become available as soon as the EJB components are deployed in the EJB container, as shown in Figure 2. This means a high-quality, feature-rich application can be developed faster than you might think.


Figure 2

The container uses an elegant new approach to provide services to EJB components: metadata annotations, which the container reads when deploying EJBs to determine which services the EJB classes need. Metadata annotations, introduced in Java 5, are a way to attach configuration to a piece of code, such as stating that a class needs a particular property. They are the programming language's declarative way of letting the developer state what needs to be done, after which the system adds the code.
EJB metadata annotations greatly simplify application development and testing, with no need for extra XML configuration files. They let the developer declaratively add services to EJB components when needed. As Figure 3 shows, annotations turn a simple POJO into an EJB.


Figure 3

Layered architectures and EJB
Most enterprise applications contain a large number of components. Enterprise applications are designed to solve a customer's specific problems, but they share many common characteristics. For example, most enterprise applications have some user interface, a business model, and a way of storing data in a database. Because of these common characteristics, enterprise applications can be built following common architectures or design principles called "patterns".
For server-side development, one of the better patterns is the layered architecture. In a layered architecture, components are divided into tiers, and each tier of the application has a well-defined role. EJB allows applications to be built with two different layered architectures: the traditional four-tier architecture and domain-driven design (DDD).

Traditional four-tier layered architecture
Figure 4 shows the traditional four-tier layered architecture. This architecture is very intuitive and very widely used. The presentation layer is responsible for the GUI and for handling user input, and passes each request it receives on to the business logic layer. The business logic layer is the core of the application and contains the workflow and processing logic. The business logic layer retrieves data from and stores data to the database through the persistence tier. The persistence layer provides a high-level, object-oriented abstraction over the database layer, and the database layer is the DBMS itself.


Figure 4

EJB clearly does not belong in the presentation layer; it fully supports implementing the business logic and persistence layers. Figure 5 shows how EJB supports these layers through its services. Of the bean types mentioned at the beginning, session beans and message-driven beans are used in the business logic tier, and entities are used in the persistence layer.

Figure 5

The traditional four-tier architecture is not perfect. One common criticism is that it breaks the OO ideal of modeling the business domain as objects that encapsulate both data and behavior, because the traditional architecture focuses on modeling business processes rather than the domain. Moreover, the persistence layer tends to be a simple data-handling component that mirrors the database's data definitions rather than being a first-class citizen of the OO world.

Domain-driven design
Domain-driven design (DDD) emphasizes that domain objects should contain business logic and should not merely mirror the data in the database. In EJB 3, domain objects are also called entities. In DDD, the Catalog and Customer objects of a trading application are typical examples of entities, and they should contain business logic.

However, even though the value of DDD was already clear when EJB was released, it was still hard to implement. Implementing a domain model in EJB 2 was impossible, because beans were not POJOs and did not support most OO features such as inheritance and polymorphism. The good news is that EJB 3 lets us easily follow good OO design and DDD. In EJB 3, the entities defined by the Java Persistence API (JPA) support OO. We can easily implement persistent objects and, most importantly, easily add business logic to entities, so implementing a rich domain model with EJB 3 could not be simpler.
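
As an added example (not code from these posts or from EJB 3 in Action), here is how the pieces described in the Bean Types post and in this post fit together in EJB 3: a JPA entity that carries a business rule in the DDD sense, a stateless session bean that uses the EntityManager for CRUD and a JPQL query, and a message-driven bean, all turned into EJBs by annotations alone. Item, InventoryService, RestockListener and the message format are invented for illustration; the persistence unit and the queue binding are assumed to be configured by the container.

```java
// ---- Item.java ----
import javax.persistence.*;

// @Entity turns this POJO into a JPA entity mapped to a relational table; the
// ORM metadata is in annotations, so no XML mapping file is needed. Following
// DDD, the entity carries business rules instead of merely mirroring columns.
@Entity
public class Item {
    @Id private String sku;      // primary key
    private String name;
    private int stockLevel;

    protected Item() { }         // JPA requires a no-arg constructor

    public Item(String sku, String name, int stockLevel) {
        this.sku = sku;
        this.name = name;
        this.stockLevel = stockLevel;
    }

    // Domain rule: a reservation may never drive stock below zero.
    public void reserve(int quantity) {
        if (quantity <= 0) throw new IllegalArgumentException("quantity must be positive");
        if (quantity > stockLevel) throw new IllegalStateException("insufficient stock for " + sku);
        stockLevel -= quantity;
    }

    public void restock(int quantity) {
        if (quantity <= 0) throw new IllegalArgumentException("quantity must be positive");
        stockLevel += quantity;
    }

    public int getStockLevel() { return stockLevel; }
}

// ---- InventoryService.java ----
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.*;

// @Stateless turns this POJO into a stateless session bean: the container adds
// pooling and container-managed transactions and injects the EntityManager.
@Stateless
public class InventoryService {
    @PersistenceContext      // EntityManager supplied by the persistence provider
    private EntityManager em;

    public void addItem(String sku, String name, int stock) {
        em.persist(new Item(sku, name, stock));                  // CREATE
    }

    // RETRIEVE by primary key, then UPDATE: the entity is managed, so the new
    // stockLevel is flushed when the transaction commits; no SQL UPDATE is written.
    public void adjustStock(String sku, int delta) {
        Item item = em.find(Item.class, sku);
        if (item == null) throw new IllegalArgumentException("unknown sku " + sku);
        if (delta < 0) item.reserve(-delta); else item.restock(delta);
    }

    public void removeItem(String sku) {
        Item item = em.find(Item.class, sku);
        if (item != null) em.remove(item);                       // DELETE
    }

    // JPQL works on entities and their fields, not tables and columns. The
    // threshold is a bound parameter, never concatenated into the query string,
    // so caller-supplied values cannot change the query's structure.
    public List<Item> findLowStock(int threshold) {
        return em.createQuery(
                "SELECT i FROM Item i WHERE i.stockLevel < :threshold ORDER BY i.sku",
                Item.class)
            .setParameter("threshold", threshold)
            .getResultList();
    }
}

// ---- RestockListener.java ----
import javax.ejb.*;
import javax.jms.*;

// Message-driven bean: no client calls it; the container invokes onMessage for
// each message the messaging server delivers, decoupling sender and receiver.
@MessageDriven(activationConfig = @ActivationConfigProperty(
        propertyName = "destinationType", propertyValue = "javax.jms.Queue"))
public class RestockListener implements MessageListener {
    @EJB
    private InventoryService inventory;   // session bean injected by the container

    @Override
    public void onMessage(Message message) {
        try {   // constructed message format for this example: "<sku>,<quantity>"
            String[] parts = ((TextMessage) message).getText().split(",");
            inventory.adjustStock(parts[0].trim(), Integer.parseInt(parts[1].trim()));
        } catch (JMSException | RuntimeException e) {
            // Logging and discarding a bad message avoids endless container redelivery.
            System.err.println("Rejected restock message: " + e.getMessage());
        }
    }
}
```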


Reference:
1) EJB 3 in Action

Wednesday, August 27, 2014

CCNA Security Chapter 6 Notes


Endpoint Security

The high-profile threats most often discussed in the media are external threats, such as Internet worms and DoS attacks. But securing an internal local area network (LAN) is just as important as securing the perimeter of a network. Without a secure LAN, users in an organization may not be able to access the network, which can significantly reduce productivity.

Operating systems provide basic security services to applications:
  • Trusted code and trusted path - Ensures that the integrity of the operating system is not violated. Trusted code refers to the assurance that the operating system code is not compromised. An operating system might provide integrity checking of all running code by using hash message authentication codes (HMACs) or digital signatures. Integrity verification of add-on software might be necessary at installation. Digital signatures can also be used. Trusted path refers to a facility that ensures that the user is using a genuine system and not a Trojan Horse. 
  • Privileged context of execution - Provides identity authentication and certain privileges based on the identity.
  • Process memory protection and isolation - Provides separation from other users and their data.
  • Access control to resources - Ensures confidentiality and integrity of data.
These are a few techniques that help protect an endpoint from operating system vulnerabilities:
  • Least privilege concept - To better protect an endpoint, a process should never be given more privilege than is necessary to perform a job.
  • Isolation between processes - Isolation between processes can be virtual or physical. For example, memory protection can be done in hardware. Some trusted operating systems provide isolation using logical execution compartments.
  • Reference monitor - A reference monitor is an access control concept that refers to a mechanism or process that mediates all access to objects. It provides a central point for all policy decisions, typically implementing auditing functions to keep track of access. 
  • Small, verifiable pieces of code - For all security functionality, it is desirable to have small, easily verifiable pieces of code that are managed and monitored by a reference monitor. 
Layer 2 Security
Network security professionals must mitigate attacks within the Layer 2 infrastructure. These attacks include MAC address spoofing, STP manipulation, MAC address table overflows, LAN storms, and VLAN attacks.

The first step in mitigating attacks such as these is to understand the underlying threats posed by the Layer 2 infrastructure. Layer 2 can be a very weak link to the higher OSI layers because if Layer 2 is compromised, hackers can work their way up. It is important for the network security professional to remember that Layer 2 attacks typically require internal access, either from an employee or a visitor.

From a security perspective, Layer 2 independence creates a challenge because when the layer is compromised, other layers are not aware of that fact, leaving them open to being compromised. Network security is only as strong as the weakest link, and that link is often the Data Link Layer.

To help prevent Layer 2 exploitations, an application must carefully validate user input. The input might contain improperly formatted data, control sequences, or too much data, such as with buffer overflows. Remember, buffer overflow exploits try to overwrite memory on an application. 

MAC Address Spoofing Attacks
Unlike hubs, switches regulate the flow of data between ports by creating instant networks that contain only the two endpoint devices communicating with each other at that moment in time. Switches accomplish this by forwarding data out specific ports based on the MAC address. Switches maintain MAC address tables, also known as content-addressable memory (CAM) lookup tables, to track the source MAC addresses associated with each switch port. These lookup tables are populated by an address-learning process on the switch. 

MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host. The attacking host then sends a frame throughout the network with the newly configured MAC address. When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC address table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.

When the switch changes the MAC address table, the target host does not receive any traffic until it sends traffic. When the target host sends traffic, the switch receives and examines the frame, resulting in the MAC address table being rewritten once more, realigning the MAC address to the original port.


MAC Address Flood Attacks
The most common way of implementing a MAC address table overflow attack is using the macof tool. This tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses. Over a short period of time, the MAC address table fills up. When the MAC address table is full of invalid source MAC addresses, the switch begins to flood all frames that it receives. As long as macof is left running, the table on the switch remains full, and the switch continues to flood all received frames out of every port.
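
As an added example (not from the notes or from Cisco), here is a small Java model of a switch MAC address table that shows the spoofing and flooding behaviour described above from the switch's point of view, and how port security (a per-port limit on learned MAC addresses, with the port shut down on a violation) contains both. The Switch and Frame classes and the MAC addresses are constructed for this example.

```java
import java.util.*;

// Constructed model of a switch MAC address (CAM) table with optional port
// security. Seen from the switch: a table full of bogus source MACs makes it
// flood like a hub, a spoofed source MAC moves the victim's entry, and a
// per-port limit on learned addresses contains both.
public class CamTableDemo {
    public static final int FLOOD = -1;   // forward out all ports except ingress

    public static final class Frame {
        final String srcMac, dstMac; final int ingressPort;
        public Frame(String srcMac, String dstMac, int ingressPort) {
            this.srcMac = srcMac; this.dstMac = dstMac; this.ingressPort = ingressPort;
        }
    }

    public static final class Switch {
        private final int capacity;          // total CAM entries
        private final int maxMacsPerPort;    // port-security limit, 0 = disabled
        private final Map<String, Integer> cam = new HashMap<>();
        private final Map<Integer, Set<String>> macsOnPort = new HashMap<>();
        private final Set<Integer> errDisabled = new HashSet<>();
        public final List<String> log = new ArrayList<>();

        public Switch(int capacity, int maxMacsPerPort) {
            this.capacity = capacity; this.maxMacsPerPort = maxMacsPerPort;
        }

        // Returns the egress port, FLOOD, or null when the frame is dropped.
        public Integer forward(Frame f) {
            if (errDisabled.contains(f.ingressPort)) return null;
            if (!learn(f.srcMac, f.ingressPort)) return null;   // violation: dropped
            Integer port = cam.get(f.dstMac);
            return port == null ? Integer.valueOf(FLOOD) : port; // unknown dst: flood
        }

        // Address learning; returns false when port security shuts the port down.
        private boolean learn(String mac, int port) {
            Set<String> onPort = macsOnPort.computeIfAbsent(port, p -> new HashSet<>());
            Integer known = cam.get(mac);
            if (known != null && known == port) return true;     // already learned here
            if (maxMacsPerPort > 0 && (known != null || onPort.size() >= maxMacsPerPort)) {
                // A MAC secured on another port appeared here (spoofing) or the port
                // exceeded its address budget (flooding): shutdown-mode violation.
                errDisabled.add(port);
                log.add("port-security violation on port " + port + " by " + mac);
                return false;
            }
            if (known != null) {                                  // no port security: entry moves
                macsOnPort.get(known).remove(mac);
                log.add(mac + " moved from port " + known + " to port " + port);
            } else if (cam.size() >= capacity) {
                log.add("CAM full, " + mac + " not learned");     // overflow: frames to it flood
                return true;
            }
            cam.put(mac, port);
            onPort.add(mac);
            return true;
        }
    }

    static final String A = "00:00:00:00:00:0a", B = "00:00:00:00:00:0b";

    // macof-style flood from port 3 before hosts A (port 1) and B (port 2) are
    // learned; returns how many of 10 A->B frames the switch had to flood.
    public static int floodScenario(boolean portSecurity) {
        Switch sw = new Switch(64, portSecurity ? 1 : 0);
        Random rnd = new Random(7);                               // deterministic bogus MACs
        for (int i = 0; i < 500; i++) {
            String fake = String.format("02:%02x:%02x:%02x:%02x:%02x", rnd.nextInt(256),
                    rnd.nextInt(256), rnd.nextInt(256), rnd.nextInt(256), rnd.nextInt(256));
            sw.forward(new Frame(fake, "ff:ff:ff:ff:ff:ff", 3));
        }
        sw.forward(new Frame(A, B, 1));
        sw.forward(new Frame(B, A, 2));
        int flooded = 0;
        for (int i = 0; i < 10; i++) if (sw.forward(new Frame(A, B, 1)) == FLOOD) flooded++;
        return flooded;
    }

    // Port 3 sends a frame carrying A's source MAC; returns the port the switch
    // then delivers B->A traffic to.
    public static Integer spoofScenario(boolean portSecurity) {
        Switch sw = new Switch(64, portSecurity ? 1 : 0);
        sw.forward(new Frame(A, B, 1));
        sw.forward(new Frame(B, A, 2));
        sw.forward(new Frame(A, B, 3));                            // spoofed source MAC
        return sw.forward(new Frame(B, A, 2));
    }

    public static void main(String[] args) {
        System.out.println("flooded A->B frames, no port security: " + floodScenario(false));
        System.out.println("flooded A->B frames, port security:    " + floodScenario(true));
        System.out.println("B->A delivered to port, no port security: " + spoofScenario(false));
        System.out.println("B->A delivered to port, port security:    " + spoofScenario(true));
    }
}
```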


STP Manipulation Attacks
Another vulnerability of Layer 2 devices is the Spanning Tree Protocol (STP). STP is a Layer 2 protocol that ensures a loop-free topology. STP operates by electing a root bridge and building a tree topology from that root. STP allows for redundancy, but at the same time, ensures that only one link is operational at a time and no loops are present.

To conduct an STP manipulation attack, the attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations. The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge. If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible.



LAN Storm Attacks
A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm. Broadcast storms can also occur on networks. Remember that switches always forward broadcasts out all ports. Some necessary protocols, such as ARP and DHCP, use broadcasts; therefore, switches must be able to forward broadcast traffic.

While it is not possible to prevent all types of packet storms and excessive broadcasts, it is possible to suppress them using storm control. Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold. Storm control then blocks traffic when the rising threshold is reached.
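
As an added example (not from the notes or from Cisco), here is a Java model of the storm control logic just described: frames are classified by destination address, counted per port and traffic type within a measurement interval, and suppressed once the rising threshold for that type is reached. The StormControl class, the interval, thresholds and traffic are constructed for this example.

```java
import java.util.*;

// Constructed model of per-interface storm control, not vendor code. Each frame
// is classified as unicast, multicast or broadcast and counted per port and
// type within a fixed interval; once a type reaches its rising threshold, the
// remaining frames of that type on that port are suppressed until the next interval.
public class StormControlDemo {
    public enum Kind { UNICAST, MULTICAST, BROADCAST }

    // The I/G bit (low bit of the first octet) marks group addresses; all-ones is broadcast.
    public static Kind classify(String dstMac) {
        if (dstMac.equalsIgnoreCase("ff:ff:ff:ff:ff:ff")) return Kind.BROADCAST;
        int firstOctet = Integer.parseInt(dstMac.substring(0, 2), 16);
        return (firstOctet & 1) == 1 ? Kind.MULTICAST : Kind.UNICAST;
    }

    public static final class StormControl {
        private final long intervalMillis;
        private final Map<Kind, Integer> threshold = new EnumMap<>(Kind.class); // frames per interval
        private final Map<String, Integer> counts = new HashMap<>();            // "port/kind" -> count
        private Long windowStart = null;
        public int suppressed = 0;

        public StormControl(long intervalMillis) { this.intervalMillis = intervalMillis; }

        public StormControl limit(Kind kind, int framesPerInterval) {
            threshold.put(kind, framesPerInterval);
            return this;
        }

        // Returns true if the frame is forwarded, false if storm control drops it.
        public boolean admit(int port, String dstMac, long nowMillis) {
            if (windowStart == null || nowMillis - windowStart >= intervalMillis) {
                counts.clear();                       // new measurement interval
                windowStart = nowMillis;
            }
            Kind kind = classify(dstMac);
            Integer limit = threshold.get(kind);
            if (limit == null) return true;           // this traffic type is not controlled
            int seen = counts.merge(port + "/" + kind, 1, Integer::sum);
            if (seen > limit) { suppressed++; return false; }
            return true;
        }
    }

    // Constructed storm: 1000 broadcasts within one 1 s interval on port 5, with a
    // limit of 100 broadcasts per interval, while unicast to the same port continues.
    // Returns {broadcasts forwarded, unicasts forwarded}.
    public static int[] broadcastStorm() {
        StormControl sc = new StormControl(1_000).limit(Kind.BROADCAST, 100);
        int bcast = 0, ucast = 0;
        for (long t = 0; t < 1_000; t++) {
            if (sc.admit(5, "ff:ff:ff:ff:ff:ff", t)) bcast++;
            if (t % 20 == 0 && sc.admit(5, "00:11:22:33:44:55", t)) ucast++;
        }
        return new int[] { bcast, ucast };
    }
}
```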


VLAN Attacks
There are a number of different types of VLAN attacks prevalent in modern switched networks. Rather than list all the types of attacks, it is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

In a basic VLAN hopping attack, the attacker takes advantage of the default automatic trunking configuration on most switches. The network attacker configures a system to spoof itself as a switch. This spoofing requires that the network attacker be capable of emulating either ISL or 802.1Q signaling along with Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling. By tricking a switch into thinking it is another switch that needs to trunk, an attacker can gain access to all the VLANs allowed on the trunk port. This attack requires a configuration on the port that supports trunking with auto or dynamic mode to succeed. As a result, the attacker is a member of all the VLANS that are trunked on the switch and can hop, that is, send and receive traffic on all the VLANs.

A VLAN hopping attack can be launched in one of two ways:

  • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
  • Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.


The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports, except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.

Thursday, August 21, 2014

CCNA Security Chapter 5 Notes



IDS and IPS Characteristics 
Internet worms and viruses can spread across the world in a matter of minutes. A network must instantly recognize and mitigate worm and virus threats. Firewalls can only do so much and cannot protect against malware and zero-day attacks.

Intrusion Detection System
  1. An attack is launched on a network that has a sensor deployed in promiscuous IDS mode. Copies of all packets are sent to the IDS sensor for packet analysis. However, the target machine will experience the malicious attack.
  2. The IDS sensor matches the malicious traffic to a signature and sends the switch a command to deny access to the malicious traffic.
  3. The IDS sends an alarm to a management console for logging and other management purposes.
Intrusion Prevention System
  1. An attack is launched on a network that has a sensor deployed in IPS inline mode.
  2. The IPS sensor analyzes the packets as they enter the IPS sensor interface. The IPS sensor matches the malicious traffic to a signature, and the attack is stopped immediately.
  3. The IPS sensor can send an alarm to the management console for logging and other management purposes.
  4. Traffic in violation can be dropped by the IPS sensor.
Common characteristics of IDS and IPS:
  1. Both technologies are deployed as sensors.
  2. Both technologies use signatures to detect patterns of misuse in network traffic.
  3. Both can detect atomic patterns (single-packet) or composite patterns (multi-packet).
IDS Advantages and Disadvantages
  • Advantages 
    • No impact on network (latency, jitter)
    • No network impact if there is a sensor failure
    • No network impact if there is sensor overload
  • Disadvantages
    • Response action cannot stop trigger packets
    • Correct tuning required for response actions
    • More vulnerable to network security evasion techniques
IPS Advantages and Disadvantages
  • Advantages 
    • Stops trigger packets
    • Can use stream normalization techniques
  • Disadvantages
    • Sensor issues might affect network traffic
    • Sensor overloading impacts the network
    • Some impact on network (latency, jitter)
IPS Signature Characteristics
Signatures have three distinctive attributes:
  • Type
  • Trigger (alarm) 
  • Action
Signature Types
Signature types are generally categorized as atomic or composite.

Atomic

An atomic signature is the simplest type of signature. It consists of a single packet, activity, or event that is examined to determine if it matches a configured signature. If it does, an alarm is triggered, and a signature action is performed. Because these signatures can be matched on a single event, they do not require an intrusion system to maintain state information. State refers to situations in which multiple packets of information are required that are not necessarily received at the same time. For example, if there was a requirement to maintain state, it would be necessary for the IDS or IPS to track the three-way handshake of established TCP connections. With atomic signatures, the entire inspection can be accomplished in an atomic operation that does not require any knowledge of past or future activities. 

Detecting atomic signatures consumes minimal resources (such as memory) on the IPS or IDS device. These signatures are easy to identify and understand because they are compared against a specific event or packet. Traffic analysis for these atomic signatures can usually be performed very quickly and efficiently. For example, a LAND attack is an atomic signature because it sends a spoofed TCP SYN packet (connection initiation) with the IP address of the target host and an open port as both source and destination. The reason a LAND attack works is that it causes the machine to reply to itself continuously. One packet is required to identify this type of attack. An IDS is particularly vulnerable to an atomic attack because, until it finds the attack, malicious single packets are allowed into the network. However, an IPS prevents these packets from entering the network altogether.

Composite

A composite signature is also called a stateful signature. This type of signature identifies a sequence of operations distributed across multiple hosts over an arbitrary period of time. Unlike atomic signatures, the stateful properties of composite signatures usually require several pieces of data to match an attack signature, and an IPS device must maintain state. The length of time that the signatures must maintain state is known as the event horizon. 

The length of an event horizon varies from one signature to another. An IPS cannot maintain state information indefinitely without eventually running out of resources. Therefore, an IPS uses a configured event horizon to determine how long it looks for a specific attack signature when an initial signature component is detected. Configuring the length of the event horizon is a tradeoff between consuming system resources and being able to detect an attack that occurs over an extended period of time.

Signature Alarm
The heart of any IPS signature is the signature alarm, often referred to as the signature trigger. Consider a home security system. The triggering mechanism for a burglar alarm could be a motion detector that detects the movement of an individual entering a room protected by an alarm. 

The Cisco IDS and IPS sensors can use four types of signature triggers.
  • Pattern-based detection
  • Anomaly-based detection
  • Policy-based detection
  • Honey pot-based detection
Pattern-Based Detection

Pattern-based detection, also known as signature-based detection, is the simplest triggering mechanism because it searches for a specific, pre-defined pattern. A signature-based IDS or IPS sensor compares the network traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found. 

Anomaly-Based Detection

Anomaly-based detection, also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. This normal profile can be learned by monitoring activity on the network or specific applications on the host over a period of time. It can also be based on a defined specification, such as an RFC. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.

Policy-Based Detection

Policy-based detection, also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis. 

Honey Pot-Based Detection

Honey pot-based detection uses a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, administrators can analyze incoming types of attacks and malicious traffic patterns. They can then use this analysis to tune their sensor signatures to detect new types of malicious network traffic. Honey pot systems are rarely used in production environments. Antivirus and other security vendors tend to use them for research.

Signature Action
When a signature detects the activity for which it is configured, it triggers one or more actions. Several actions can be performed:
  • Generate an alert.
  • Log the activity.
  • Drop or prevent the activity.
  • Reset a TCP connection.
  • Block future activity.
  • Allow the activity.

Generating an Alert

Monitoring the alerts generated by network-based and host-based IPS systems is vital to understanding the attacks being launched against the network. If an attacker causes a flood of bogus alerts, examining these alerts can overload the security analysts. Both network- and host-based IPS solutions incorporate two types of alerts to enable an administrator to efficiently monitor the operation of the network: atomic alerts and summary alerts. Understanding these types of alerts is critical to providing the most effective protection for a network. 

Logging the Activity

In some situations, an administrator does not necessarily have enough information to stop an activity. Therefore, logging the actions or packets that are seen so that they can be analyzed later in more detail is very important. By performing a detailed analysis, an administrator can identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future.

Dropping or Preventing the Activity

One of the most powerful actions that an IPS device can perform is to drop packets or prevent an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity. Unlike a traditional IDS device, the IPS device actively forwards packets across two of its interfaces. The analysis engine determines which packets should be forwarded and which packets should be dropped.

Resetting a TCP Connection

The TCP Reset Signature Action is a basic action that can be used to terminate TCP connections by generating a packet for the connection with the TCP RST flag set. Many IPS devices use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations. The reset TCP connection action can be used in conjunction with deny packet and deny connection actions. Deny packet and deny flow actions do not automatically cause TCP reset actions to occur.

Blocking Future Activity

Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of the infrastructure devices. The ACL stops traffic from an attacking system without requiring the IPS to consume resources analyzing the traffic. After a configured period of time, the IPS device removes the ACL. Network IPS devices usually provide this blocking functionality along with other actions such as dropping unwanted packets. One advantage of the blocking action is that a single IPS device can stop traffic at multiple locations throughout the network, regardless of the location of the IPS device. For example, an IPS device located deep within the network can apply ACLs at the perimeter router or firewall.

Allowing the Activity

The final action is the Allow Signature action. It might seem a little confusing, because most IPS devices are designed to stop or prevent unwanted traffic on a network. The allow action is necessary so that an administrator can define exceptions to configured signatures. When an IPS device is configured to disallow certain activities, sometimes there is a need to allow a few systems or users to be exceptions to the configured rule. Configuring exceptions enables administrators to take a more restrictive approach to security because they can first deny everything and then allow only the activities that are needed.
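
As an added example (not from the notes or from Cisco), here is a Java model of an inline IPS engine that ties together the signature types and event horizon described earlier in this post with the signature actions just listed. The signatures, engine, addresses and traffic are constructed for illustration; the port-sweep signature stands in for any composite signature that must keep state.

```java
import java.util.*;

// Constructed model of an inline IPS engine, not vendor code: an atomic signature
// (LAND) that needs no state, a composite signature whose state is bounded by an
// event horizon, and the actions alert, drop, TCP reset, timed block and allow.
public class IpsSignatureDemo {
    public enum Action { ALERT, DROP, RESET_TCP, BLOCK_HOST }
    public static final class Packet {
        final String srcIp, dstIp; final int srcPort, dstPort; final boolean syn; final long time;
        public Packet(String srcIp, int srcPort, String dstIp, int dstPort, boolean syn, long time) {
            this.srcIp = srcIp; this.srcPort = srcPort; this.dstIp = dstIp; this.dstPort = dstPort;
            this.syn = syn; this.time = time;
        }
    }

    public interface Signature {
        String name();
        boolean triggers(Packet p);
        EnumSet<Action> actions();
    }
    // Atomic: one packet decides. LAND is a SYN whose source and destination
    // address and port are identical, so no past or future packet is needed.
    public static final class LandSignature implements Signature {
        public String name() { return "LAND"; }
        public boolean triggers(Packet p) {
            return p.syn && p.srcIp.equals(p.dstIp) && p.srcPort == p.dstPort;
        }
        public EnumSet<Action> actions() { return EnumSet.of(Action.ALERT, Action.DROP); }
    }

    // Composite: SYNs from one source to more than maxPorts distinct ports within
    // the event horizon. Older entries are discarded, which keeps state bounded.
    public static final class PortSweepSignature implements Signature {
        private final long horizonMillis; private final int maxPorts;
        private final Map<String, Deque<Packet>> recentSyns = new HashMap<>();
        public PortSweepSignature(long horizonMillis, int maxPorts) {
            this.horizonMillis = horizonMillis; this.maxPorts = maxPorts;
        }
        public String name() { return "TCP port sweep"; }
        public boolean triggers(Packet p) {
            if (!p.syn) return false;
            Deque<Packet> history = recentSyns.computeIfAbsent(p.srcIp, k -> new ArrayDeque<>());
            history.addLast(p);
            while (p.time - history.peekFirst().time > horizonMillis) history.pollFirst();
            Set<Integer> ports = new HashSet<>();
            for (Packet q : history) ports.add(q.dstPort);
            return ports.size() > maxPorts;
        }
        public EnumSet<Action> actions() {
            return EnumSet.of(Action.ALERT, Action.RESET_TCP, Action.BLOCK_HOST);
        }
    }

    public static final class Engine {
        private final List<Signature> signatures = new ArrayList<>();
        private final Map<String, Set<String>> allowExceptions = new HashMap<>(); // signature -> exempt sources
        private final Map<String, Long> blockedUntil = new HashMap<>();          // source -> ACL expiry
        private final long blockMillis;
        public final List<String> events = new ArrayList<>();

        public Engine(long blockMillis) { this.blockMillis = blockMillis; }
        public Engine add(Signature s) { signatures.add(s); return this; }
        public Engine allow(String signature, String srcIp) {      // the Allow action: a named exception
            allowExceptions.computeIfAbsent(signature, k -> new HashSet<>()).add(srcIp); return this;
        }

        // Inline inspection: true = forward the packet, false = drop it.
        public boolean inspect(Packet p) {
            Long expiry = blockedUntil.get(p.srcIp);
            if (expiry != null && p.time < expiry) return false;   // still blocked by the temporary ACL
            if (expiry != null) blockedUntil.remove(p.srcIp);      // block period over: ACL removed
            boolean forward = true;
            for (Signature s : signatures) {
                if (!s.triggers(p)) continue;
                if (allowExceptions.getOrDefault(s.name(), Set.of()).contains(p.srcIp)) continue;
                for (Action a : s.actions()) {
                    switch (a) {
                        case ALERT: events.add("ALERT " + s.name() + " from " + p.srcIp); break;
                        case DROP: forward = false; break;
                        case RESET_TCP: events.add("RST " + p.srcIp + ":" + p.srcPort + " <-> " + p.dstIp + ":" + p.dstPort); break;
                        case BLOCK_HOST: blockedUntil.put(p.srcIp, p.time + blockMillis); forward = false; break;
                    }
                }
            }
            return forward;
        }
    }

    // Constructed traffic: a LAND packet; a 12-port sweep 100 ms apart (inside the
    // 2 s horizon, so it triggers and the source is blocked for 30 s); the same
    // sweep 6 s apart from another source, which never exceeds the horizon.
    public static List<String> scenario() {
        Engine ips = new Engine(30_000).add(new LandSignature()).add(new PortSweepSignature(2_000, 10));
        ips.inspect(new Packet("10.0.0.5", 80, "10.0.0.5", 80, true, 0));
        for (int port = 1; port <= 12; port++)
            ips.inspect(new Packet("192.0.2.10", 40_000 + port, "10.0.0.5", port, true, 100L * port));
        for (int port = 1; port <= 12; port++)
            ips.inspect(new Packet("192.0.2.20", 40_000 + port, "10.0.0.5", port, true, 6_000L * port));
        return ips.events;
    }
}
```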

Monday, August 18, 2014

CCNA Security Chapter 4 Firewall Notes


Securing Networks with Firewalls
A firewall is a system or group of systems that enforces an access control policy between networks. It can include options such as a packet filtering router, a switch with two VLANs, and multiple hosts with firewall software.

Firewalls are different things to different people and organizations, but all firewalls share some common properties:

  • They are resistant to attacks.
  • They are the only transit point between networks (all traffic flows through the firewall).
  • They enforce the access control policy.

There are several benefits of using a firewall in a network:
  • Exposure of sensitive hosts and applications to untrusted users can be prevented. 
  • The protocol flow can be sanitized, preventing the exploitation of protocol flaws. 
  • Malicious data can be blocked from servers and clients.
  • Security policy enforcement can be made simple, scalable, and robust with a properly configured firewall. 
  • Offloading most of the network access control to a few points in the network can reduce the complexity of security management.
Firewalls also present some limitations:

  • If misconfigured, a firewall can have serious consequences (single point of failure). 
  • The data from many applications cannot be passed over firewalls securely. 
  • Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack. 
  • Network performance can slow down. 
  • Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Types of Firewalls
A firewall system can be composed of many different devices and components. One component is traffic filtering, which is what most people commonly call a firewall.
  • Packet filtering firewall - Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
  • Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
  • Application gateway firewall (proxy firewall) - A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
  • Network address translation (NAT) firewall - A firewall that expands the number of IP addresses available and hides network addressing design.
Other methods of implementing firewalls include:
  • Host-based (server and personal) firewall - A PC or server with firewall software running on it.
  • Transparent firewall - A firewall that filters IP traffic between a pair of bridged interfaces.
  • Hybrid firewall - A firewall that is a combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
Packet filtering firewalls 
Packet filtering firewalls use a simple policy table lookup that permits or denies traffic based on specific criteria:
  • Source IP address
  • Destination IP address
  • Protocol
  • Source port number
  • Destination port number
  • Synchronize/start (SYN) packet receipt
Packet filters do not represent a complete firewall solution, but they are an important element.

Advantages
  • Simple permit or deny rule sets can be used to implement a packet filter.
  • Packet filters have a low impact on network performance.
  • Packet filters are easy to implement, and are supported by most routers.
  • An initial degree of security at the Network Layer can be provided by a packet filter.
  • A packet filter can perform almost all tasks of a high-end firewall at a much lower cost.
Disadvantages
  • Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.
  • Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Decisions to use packet filters assume that the filter of the first fragment accurately enforces the policy.
  • Complex ACLs are difficult to implement and maintain correctly.
  • Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.
  • Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.
Stateful firewalls 
Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering using connection information maintained in a state table.

Advantages
  • Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
  • By providing more stringent control over security, stateful firewalls strengthen packet filtering.
  • Stateful firewalls improve performance over packet filters or proxy servers.
  • Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
  • More log information is provided by a stateful firewall than a packet filtering firewall.

Disadvantages
  • Stateful firewalls cannot prevent Application Layer attacks because they do not examine the actual contents of the HTTP connection.
  • Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and therefore do not garner as much support for filtering.
  • Some applications open multiple connections requiring a whole new range of ports opened to allow this second connection.
  • Stateful firewalls do not support user authentication.
Firewalls in Network Design
In network security, there is often reference to a demilitarized zone (DMZ). A DMZ is a portion of a network bounded by a firewall or set of firewalls. The term was originally used as a military description for an area between military powers where conflict is not permitted.

Some designs are as simple as designating an outside network and inside network, determined by two interfaces on a firewall. The public network (or outside network) is untrusted and the private network (or inside network) is trusted. Typically a firewall with two interfaces is configured as follows:
  • Traffic originating from the private network is inspected as it traverses toward the public network, and is permitted with little or no restriction; inspected traffic returning from the public network, that is associated with traffic that originated from the private network, is permitted. 
  • Traffic originating from the public network, and traveling to the private network, is generally blocked entirely. 
A network security professional is responsible for creating and maintaining a security policy, including a firewall security policy. This is a partial generic list that can serve as a starting point for firewall security policy:
  • Position firewalls at critical security boundaries.
  • Firewalls are a critical part of network security, but it is unwise to rely exclusively on a firewall for security.
  • Deny all traffic by default, and permit only services that are needed.
  • Ensure that physical access to the firewall is controlled.
  • Regularly monitor firewall logs. 
  • Practice change management for firewall configuration changes.
  • Firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature.
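
As an added example (not from the notes or from Cisco), here is a Java model of the two-interface stateful firewall described above that also applies the "deny all traffic by default, permit only needed services" policy from the list, and shows why the bare-ACK trick that defeats a stateless packet filter fails against it. The firewall, its state table, the addresses and the traffic are constructed for illustration; real products track TCP state far more precisely.

```java
import java.util.*;

// Constructed model of a two-interface stateful firewall, not vendor code. New
// flows from the inside are checked against an explicit permit list (default
// deny) and recorded in a state table; packets from the outside are admitted
// only when they belong to a recorded flow; idle entries expire.
public class StatefulFirewallDemo {
    public enum Iface { INSIDE, OUTSIDE }

    public static final class Packet {
        final Iface from; final String proto, srcIp, dstIp; final int srcPort, dstPort;
        final boolean syn, fin; final long time;
        public Packet(Iface from, String proto, String srcIp, int srcPort, String dstIp, int dstPort,
                      boolean syn, boolean fin, long time) {
            this.from = from; this.proto = proto; this.srcIp = srcIp; this.srcPort = srcPort;
            this.dstIp = dstIp; this.dstPort = dstPort; this.syn = syn; this.fin = fin; this.time = time;
        }
    }

    public static final class Firewall {
        private final Set<String> permitted = new HashSet<>();     // e.g. "tcp/443", "udp/53"
        private final Map<String, Long> state = new HashMap<>();  // flow key -> last seen
        private final long idleMillis;
        public final List<String> log = new ArrayList<>();

        public Firewall(long idleMillis, String... services) {
            this.idleMillis = idleMillis; permitted.addAll(Arrays.asList(services));
        }

        // Flow key as seen from the initiator; the reply direction is looked up by swapping ends.
        private static String key(String proto, String aIp, int aPort, String bIp, int bPort) {
            return proto + " " + aIp + ":" + aPort + " > " + bIp + ":" + bPort;
        }

        // Returns true if the packet is forwarded, false if denied.
        public boolean admit(Packet p) {
            state.values().removeIf(seen -> p.time - seen > idleMillis);   // age out idle flows
            String fwd = key(p.proto, p.srcIp, p.srcPort, p.dstIp, p.dstPort);
            String rev = key(p.proto, p.dstIp, p.dstPort, p.srcIp, p.srcPort);
            String known = state.containsKey(fwd) ? fwd : state.containsKey(rev) ? rev : null;
            if (known != null) {                                    // belongs to an inspected flow
                if (p.fin) state.remove(known); else state.put(known, p.time);
                return true;
            }
            if (p.from == Iface.OUTSIDE) {                          // unsolicited from the public side
                log.add("deny outside " + p.srcIp + ":" + p.srcPort + " -> " + p.dstIp + ":" + p.dstPort);
                return false;
            }
            if (!permitted.contains(p.proto + "/" + p.dstPort)) {   // default deny, permit needed services
                log.add("deny inside " + p.srcIp + " -> " + p.proto + "/" + p.dstPort + " (not permitted)");
                return false;
            }
            if (p.proto.equals("tcp") && !p.syn) {                  // a new TCP flow must start with SYN
                log.add("deny inside non-SYN start from " + p.srcIp);
                return false;
            }
            state.put(fwd, p.time);
            return true;
        }
    }

    // Constructed traffic, in order: inside HTTPS request and its reply; an
    // unsolicited outside SSH attempt; a bare ACK from outside that a stateless
    // "established" filter would pass; inside telnet (not permitted); DNS and
    // a late reply after the idle timeout. Returns the decision for each packet.
    public static List<Boolean> scenario() {
        Firewall fw = new Firewall(30_000, "tcp/443", "udp/53");
        String client = "10.1.1.10", web = "203.0.113.5", dns = "203.0.113.53", evil = "198.51.100.7";
        List<Packet> traffic = List.of(
            new Packet(Iface.INSIDE,  "tcp", client, 51000, web, 443, true, false, 0),
            new Packet(Iface.OUTSIDE, "tcp", web, 443, client, 51000, true, false, 20),
            new Packet(Iface.OUTSIDE, "tcp", evil, 4444, client, 22, true, false, 30),
            new Packet(Iface.OUTSIDE, "tcp", evil, 443, client, 51001, false, false, 40),
            new Packet(Iface.INSIDE,  "tcp", client, 51002, web, 23, true, false, 50),
            new Packet(Iface.INSIDE,  "udp", client, 53001, dns, 53, false, false, 60),
            new Packet(Iface.OUTSIDE, "udp", dns, 53, client, 53001, false, false, 70),
            new Packet(Iface.OUTSIDE, "udp", dns, 53, client, 53001, false, false, 70 + 60_000));
        List<Boolean> decisions = new ArrayList<>();
        for (Packet p : traffic) decisions.add(fw.admit(p));
        return decisions;
    }
}
```
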
Reference:
1) CCNA Security Cisco Network Academy