CCNA Security Chapter 4 Firewall Notes
Securing Networks with Firewalls
A firewall is a system or group of systems that enforces an access control policy between networks. It can include options such as a packet filtering router, a switch with two VLANs, and multiple hosts with firewall software. Firewalls are different things to different people and organizations, but all firewalls share some common properties:
- They are resistant to attacks.
- They are the only transit point between networks (all traffic flows through the firewall).
- They enforce the access control policy.
There are several benefits of using a firewall in a network:
- Exposure of sensitive hosts and applications to untrusted users can be prevented.
- The protocol flow can be sanitized, preventing the exploitation of protocol flaws.
- Malicious data can be blocked from servers and clients.
- Security policy enforcement can be made simple, scalable, and robust with a properly configured firewall.
- Offloading most of the network access control to a few points in the network can reduce the complexity of security management.
Firewalls also present some limitations:
- If misconfigured, a firewall can have serious consequences (single point of failure).
- The data from many applications cannot be passed over firewalls securely.
- Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack.
- Network performance can slow down.
- Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Types of Firewalls
A firewall system can be composed of many different devices and components. One component is traffic filtering, which is what most people commonly call a firewall.
- Packet filtering firewall - Typically is a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
- Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
- Application gateway firewall (proxy firewall) - A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
- Network address translation (NAT) firewall - A firewall that expands the number of IP addresses available and hides network addressing design.
Other methods of implementing firewalls include:
- Host-based (server and personal) firewall - A PC or server with firewall software running on it.
- Transparent firewall - A firewall that filters IP traffic between a pair of bridged interfaces.
- Hybrid firewall - A firewall that is a combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.
Packet filtering firewalls
Packet filtering firewalls use a simple policy table lookup that permits or denies traffic based on specific criteria:
- Source IP address
- Destination IP address
- Protocol
- Source port number
- Destination port number
- Synchronize/start (SYN) packet receipt
Packet filters do not represent a complete firewall solution, but they are an important element.
Advantages
- Simple permit or deny rule sets can be used to implement a packet filter.
- Packet filters have a low impact on network performance.
- Packet filters are easy to implement, and are supported by most routers.
- An initial degree of security at the Network Layer can be provided by a packet filter.
- A packet filter can perform almost all tasks of a high-end firewall at a much lower cost.
Disadvantages
- Packet filtering is susceptible to IP spoofing. Hackers send arbitrary packets that fit ACL criteria and pass through the filter.
- Packet filters do not filter fragmented packets well. Because fragmented IP packets carry the TCP header in the first fragment and packet filters filter on TCP header information, all fragments after the first fragment are passed unconditionally. Decisions to use packet filters assume that the filter of the first fragment accurately enforces the policy.
- Complex ACLs are difficult to implement and maintain correctly.
- Packet filters cannot dynamically filter certain services. For example, sessions that use dynamic port negotiations are difficult to filter without opening access to a whole range of ports.
- Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.
Stateful firewalls
Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering using connection information maintained in a state table.
Advantages
- Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
- By providing more stringent control over security, stateful firewalls strengthen packet filtering.
- Stateful firewalls improve performance over packet filters or proxy servers.
- Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
- More log information is provided by a stateful firewall than a packet filtering firewall.
Disadvantages
- Stateful firewalls cannot prevent Application Layer attacks because they do not examine the actual contents of the HTTP connection.
- Not all protocols are stateful. For example, UDP and ICMP do not generate connection information for a state table, and therefore do not garner as much support for filtering.
- Some applications open multiple connections, which requires a whole new range of ports to be opened to allow the second connection.
- Stateful firewalls do not support user authentication.
Firewalls in Network Design
In network security, there is often reference to a demilitarized zone (DMZ). A DMZ is a portion of a network bounded by a firewall or set of firewalls. The term was originally used as a military description for an area between military powers where conflict is not permitted.
Some designs are as simple as designating an outside network and inside network, determined by two interfaces on a firewall. The public network (or outside network) is untrusted and the private network (or inside network) is trusted. Typically a firewall with two interfaces is configured as follows:
- Traffic originating from the private network is inspected as it traverses toward the public network, and is permitted with little or no restriction; inspected traffic returning from the public network, that is associated with traffic that originated from the private network, is permitted.
- Traffic originating from the public network, and traveling to the private network, is generally blocked entirely.
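As an added illustration that is not part of the original notes, the following Python simulation contrasts the stateless packet filter described earlier (which can only key on addresses, ports and TCP flags) with a stateful firewall applying the two-interface inside/outside policy just described. The addresses, the `Packet`, `stateless_filter` and `StatefulFirewall` names and the sample traffic are constructed for this example.

```python
# Added example: stateless packet filter vs. stateful firewall, simulated.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set (new connection attempt)
    ack: bool = False   # TCP ACK flag set ("established" in ACL terms)


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: permit everything from inside; permit outside->inside
    only for TCP packets with ACK set (the classic 'established' check).
    It cannot tell a genuine reply from an arbitrary packet with ACK set."""
    if pkt.iface == "inside":
        return True
    return pkt.proto == "tcp" and pkt.ack


class StatefulFirewall:
    """Records connections opened from the inside in a state table and permits
    outside->inside traffic only when it matches an existing entry."""

    def __init__(self):
        self.state = set()   # (src, sport, dst, dport, proto) as seen from inside

    def filter(self, pkt: Packet) -> bool:
        if pkt.iface == "inside":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        # Return traffic: swap addresses/ports and look up the original flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state


# Constructed sample traffic (RFC 5737 documentation addresses), in arrival order.
SAMPLE = [
    ("inside-origin", Packet("inside", "10.0.0.5", "203.0.113.10", "tcp", 40000, 443, syn=True)),
    ("genuine-reply", Packet("outside", "203.0.113.10", "10.0.0.5", "tcp", 443, 40000, syn=True, ack=True)),
    ("spoofed-ack", Packet("outside", "198.51.100.7", "10.0.0.5", "tcp", 1234, 22, ack=True)),
    ("outside-syn", Packet("outside", "198.51.100.7", "10.0.0.5", "tcp", 1234, 22, syn=True)),
]


def evaluate(traffic=SAMPLE):
    """Return {label: (stateless_verdict, stateful_verdict)}; True means permit."""
    fw = StatefulFirewall()
    return {label: (stateless_filter(p), fw.filter(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (sl, sf) in evaluate().items():
        print(f"{label:14} stateless={'permit' if sl else 'deny':6} stateful={'permit' if sf else 'deny'}")
```

The spoofed ACK packet is the case the packet-filter disadvantages list warns about: it satisfies the stateless rule but has no matching entry in the state table.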
A network security professional is responsible for creating and maintaining a security policy, including a firewall security policy. This is a partial generic list that can serve as a starting point for firewall security policy:
- Position firewalls at critical security boundaries.
- Firewalls are a critical part of network security, but it is unwise to rely exclusively on a firewall for security.
- Deny all traffic by default, and permit only services that are needed.
- Ensure that physical access to the firewall is controlled.
- Regularly monitor firewall logs.
- Practice change management for firewall configuration changes.
- Firewalls primarily protect from technical attacks originating from the outside. Inside attacks tend to be nontechnical in nature.
Reference:
1) CCNA Security Cisco Network Academy