# Module 15: Firewall Technologies
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::
### 15.1 Secure Networks with Firewalls
#### 15.1.1 Firewalls
**Common Firewall Properties**
- Firewalls are resistant to network attacks.
- Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall.
- Firewalls enforce the access control policy.
**Firewall Benefits**
- Prevent exposure of sensitive hosts, resources, and applications to untrusted users.
- Sanitize protocol flow, preventing the exploitation of protocol flaws.
- Block malicious data from servers and clients.
- Reduce security management complexity by off-loading most network access control to a few firewalls.
**Firewall Limitations**
- Misconfiguration can create a single point of failure.
- Many applications' data cannot pass securely over firewalls.
- Users might bypass firewalls, exposing the network to attacks.
- Network performance may degrade.
- Unauthorized traffic can be tunneled as legitimate traffic.
---
#### 15.1.2 Types of Firewalls
**Comparison of Firewall Types**
| **Type** | **Functionality** | **OSI Layer** |
|-------------------------|-----------------------------------------------------------------------------------------------------------------------|-------------------------------------------|
| **Packet Filtering** | Filters traffic based on Layer 3 and Layer 4 criteria (source IP, port, protocol). Stateless. | Layers 3, 4 |
| **Stateful** | Tracks connections in a state table. Filters packets based on connection state. | Layers 3, 4, 5 |
| **Application Gateway** | Filters traffic at application level. Acts as a proxy server. | Layers 3, 4, 5, 7 |
| **Next-Generation** | Extends stateful filtering with integrated intrusion prevention, application awareness, and evolving threat defenses. | Network and Application Layers |
| **Host-Based** | A PC or server with dedicated firewall software. | Depends on the software's capabilities. |
| **Transparent** | Filters IP traffic between bridged interfaces. | Network Layer |
| **Hybrid** | Combines features of other firewall types, such as stateful and application gateway firewalls. | Varies based on the combination of types. |
---
#### 15.1.3 Packet Filtering Firewall Benefits and Limitations
**Packet Filtering Benefits**
- Implements simple permit/deny rule sets.
- Low impact on network performance.
- Easy to implement and supported by most routers.
- Provides initial security at the network layer.
- Cost-effective compared to high-end firewalls.
**Packet Filtering Limitations**
- Vulnerable to IP spoofing.
- Cannot reliably filter fragmented packets.
- Complex ACLs can be difficult to implement and maintain.
- Cannot dynamically filter services using dynamic port negotiations.
- Stateless, examining packets individually without context.
---
#### 15.1.4 Stateful Firewall Benefits and Limitations
**Stateful Firewall Benefits**
- Primary means of defense against unwanted traffic.
- Strengthens packet filtering with more stringent control.
- Improves performance compared to packet filters or proxy servers.
- Defends against spoofing and DoS attacks by analyzing connection states.
- Provides richer log information.
**Stateful Firewall Limitations**
- Cannot inspect application-layer attacks (e.g., HTTP connection content).
- Stateless protocols (e.g., UDP, ICMP) do not generate connection data.
- Tracking connections with dynamic port negotiation is complex.
- Does not support user authentication.
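
The two lists above contrast a filter that looks at each packet alone with one that keeps a connection table. The following Python is an added example, not part of the course material: a minimal stateless packet filter next to a minimal stateful firewall, both run over one constructed packet trace. Addresses, ports, the rule set and the packet labels are invented for the demonstration. It shows the concrete consequence of "examining packets individually without context": to let HTTPS replies back in, the packet filter has to hold "inbound from source port 443" open for every inside host, so an unsolicited packet from that source port is indistinguishable from a reply, while the stateful firewall permits inbound traffic only when it matches a connection that originated inside.

```python
"""Added example (not from the course): stateless packet filter vs. stateful
firewall over a constructed packet trace. All addresses, ports and names are
invented for the demonstration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                       # "out" = private -> public, "in" = public -> private
    proto: str                           # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


# Stateless rule set: (direction, proto, src_port, dst_port, action); None = any.
# The second rule is what a packet filter needs so that HTTPS replies can
# return; it cannot tell a genuine reply from any other packet with src port 443.
STATELESS_RULES = [
    ("out", "tcp", None, 443, "permit"),
    ("in", "tcp", 443, None, "permit"),
    (None, None, None, None, "deny"),
]


def stateless_filter(pkt: Packet) -> str:
    """First-match evaluation of STATELESS_RULES; no memory between packets."""
    for direction, proto, sport, dport, action in STATELESS_RULES:
        if ((direction is None or direction == pkt.direction)
                and (proto is None or proto == pkt.proto)
                and (sport is None or sport == pkt.src_port)
                and (dport is None or dport == pkt.dst_port)):
            return action
    return "deny"


class StatefulFirewall:
    """Outbound traffic is permitted and recorded in a state table; inbound
    traffic is permitted only if it belongs to a recorded connection.
    (A real firewall also expires entries on timeout; omitted here.)"""

    def __init__(self) -> None:
        self.state_table: set = set()

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, str, int, str, int]:
        # Normalise both directions to (proto, inside host, inside port, outside host, outside port)
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.direction == "out":
            self.state_table.add(key)   # connection originated inside: track it
            return "permit"
        if key in self.state_table:
            if "RST" in pkt.flags:      # peer tore the connection down
                self.state_table.discard(key)
            return "permit"
        return "deny"                   # unsolicited inbound packet: no matching state


def run_trace(trace: List[Tuple[str, Packet]]) -> Dict[str, Tuple[str, str]]:
    """Return {label: (stateless decision, stateful decision)}, processing the
    trace in order so the state table builds up as it would on the wire."""
    fw = StatefulFirewall()
    results: Dict[str, Tuple[str, str]] = {}
    for label, pkt in trace:
        results[label] = (stateless_filter(pkt), fw.filter(pkt))
    return results


# Constructed trace (documentation address ranges; not real traffic).
TRACE = [
    ("client SYN to web server",
     Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"}))),
    ("server SYN/ACK reply",
     Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))),
    ("unsolicited SYN from source port 443",
     Packet("in", "tcp", "203.0.113.99", 443, "10.0.0.5", 22, frozenset({"SYN"}))),
    ("unsolicited SYN from random source port",
     Packet("in", "tcp", "203.0.113.99", 4444, "10.0.0.5", 22, frozenset({"SYN"}))),
]

if __name__ == "__main__":
    for label, (stateless, stateful) in run_trace(TRACE).items():
        print(f"{label:42s} stateless={stateless:6s} stateful={stateful}")
```

The third packet is the one to watch: the stateless filter permits it because it matches the "return traffic" rule, the stateful firewall denies it because no inside host opened a connection to that peer. The same table is also why the course lists UDP and ICMP as harder cases: with no handshake, a stateful firewall can only create a pseudo-entry on the first outbound packet and expire it after a timeout.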
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/9-1-3-check-your-understanding-identify-the-type-of-firewall-answers.html).
:::
>[!Warning]Recap
>There are several different types of firewalls. Packet filtering (stateless) firewalls provide Layer 3 and sometimes Layer 4 filtering. A stateful inspection firewall allows or blocks traffic based on state, port, and protocol. Application gateway firewalls (proxy firewall) filter information at Layers 3, 4, 5, and 7. Next-generation firewalls provide additional services beyond application gateways such as integrated intrusion prevention, application awareness and control to see and block risky apps, access to future information feeds, and techniques to address evolving security threats.
### 15.2 Secure Network Architectures
---
#### 15.2.1 Common Security Architectures
**Private and Public Network Firewall Design**
- **Private Network (Trusted)**
  - Traffic originating from the private network is permitted and inspected as it moves toward the public network.
  - Inspected traffic returning from the public network is permitted only if associated with traffic that originated from the private network.
- **Public Network (Untrusted)**
  - Traffic originating from the public network and traveling to the private network is blocked by default.

**Demilitarized Zone (DMZ) Firewall Design**
- **Traffic Between Networks**
  - Traffic from the private network to the public or DMZ network: Permitted and inspected.
  - Traffic from the DMZ network to the private network: Usually blocked.
  - Traffic from the DMZ to the public network: Selectively permitted based on service requirements.
  - Traffic from the public network to the DMZ: Selectively permitted and inspected (e.g., email, DNS, HTTP, HTTPS).
  - Traffic from the public network to the private network: Blocked.

**Zone-Based Policy Firewalls (ZPFs)**
- **Zones**
  - A zone is a group of one or more interfaces with similar features.
  - Traffic between interfaces in the same zone passes freely.
  - Zone-to-zone traffic is blocked by default unless explicitly permitted.
- **Self Zone**
  - The router itself (all router interface IP addresses) is part of the self zone.
  - Traffic destined to or sourced from the router must have explicit policies for management traffic (e.g., SSH, SNMP, routing protocols).
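
The DMZ traffic matrix and the zone rules above can be written down as a single policy table and evaluated. The following Python is an added example, not course material or a vendor configuration: a small zone-based policy evaluator that maps interfaces to zones, treats the router's own addresses as the self zone, passes intra-zone traffic, denies any zone pair that has no policy, and applies a per-pair list of permitted services. The interface names, networks, router addresses and the service lists are all invented; the three actions (`pass`, `inspect`, `drop`) are the standard zone-based policy firewall actions.

```python
"""Added example (not from the course): zone-based policy evaluation for an
INSIDE / DMZ / OUTSIDE design with a self zone. Interfaces, networks,
addresses and permitted-service lists are invented for the demonstration."""
import ipaddress
from typing import Dict, Optional, Set, Tuple, Union

# Interface -> zone membership (invented topology)
INTERFACE_ZONES = {"g0/0": "INSIDE", "g0/1": "DMZ", "g0/2": "OUTSIDE"}
INTERFACE_NETS = {
    "g0/0": ipaddress.ip_network("10.0.0.0/24"),
    "g0/1": ipaddress.ip_network("172.16.0.0/24"),
    "g0/2": ipaddress.ip_network("203.0.113.0/24"),
}
# The router's own interface addresses form the self zone
ROUTER_ADDRS = {ipaddress.ip_address(a) for a in ("10.0.0.1", "172.16.0.1", "203.0.113.1")}

# (protocol, destination port) -> service name used in the policy table
SERVICES = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns",
            ("tcp", 25): "smtp", ("tcp", 22): "ssh"}

# Zone pair (source, destination) -> permitted services, or "any".
# A pair that is absent from the table gets the ZPF default: blocked.
ZONE_PAIR_POLICY: Dict[Tuple[str, str], Union[str, Set[str]]] = {
    ("INSIDE", "OUTSIDE"): "any",                          # permitted and inspected
    ("INSIDE", "DMZ"): "any",                              # permitted and inspected
    ("DMZ", "OUTSIDE"): {"dns", "smtp"},                   # selective: resolver and outbound mail
    ("OUTSIDE", "DMZ"): {"smtp", "dns", "http", "https"},  # public-facing services only
    ("INSIDE", "SELF"): {"ssh"},                           # management traffic needs an explicit policy
    # (DMZ, INSIDE), (OUTSIDE, INSIDE), (OUTSIDE, SELF): no pair -> blocked
}


def zone_of(ip: str) -> str:
    """Map an address to its zone: router addresses first, then interface networks."""
    addr = ipaddress.ip_address(ip)
    if addr in ROUTER_ADDRS:
        return "SELF"
    for iface, net in INTERFACE_NETS.items():
        if addr in net:
            return INTERFACE_ZONES[iface]
    return "OUTSIDE"  # anything not on a known internal network is untrusted


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Return the ZPF action for a flow: pass (same zone), inspect (permitted
    by a zone-pair policy) or drop (no policy, or service not permitted)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "pass"                       # intra-zone traffic flows freely
    policy = ZONE_PAIR_POLICY.get((src_zone, dst_zone))
    if policy is None:
        return "drop"                       # no zone pair configured: deny by default
    if policy == "any":
        return "inspect"
    service: Optional[str] = SERVICES.get((proto, dst_port))
    return "inspect" if service in policy else "drop"


# Constructed flows covering every row of the DMZ traffic matrix above
DEMO_FLOWS = [
    ("inside -> outside https", "10.0.0.5", "203.0.113.50", "tcp", 443),
    ("outside -> DMZ https", "203.0.113.50", "172.16.0.10", "tcp", 443),
    ("outside -> DMZ ssh", "203.0.113.50", "172.16.0.10", "tcp", 22),
    ("DMZ -> inside smb", "172.16.0.10", "10.0.0.5", "tcp", 445),
    ("DMZ -> outside dns", "172.16.0.10", "203.0.113.53", "udp", 53),
    ("outside -> inside http", "203.0.113.50", "10.0.0.5", "tcp", 80),
    ("inside -> router ssh", "10.0.0.5", "10.0.0.1", "tcp", 22),
    ("outside -> router ssh", "203.0.113.50", "203.0.113.1", "tcp", 22),
    ("inside -> inside smb", "10.0.0.5", "10.0.0.9", "tcp", 445),
]


def evaluate_all() -> Dict[str, str]:
    """Evaluate every constructed flow; handy for a quick policy review."""
    return {label: evaluate(s, d, p, port) for label, s, d, p, port in DEMO_FLOWS}


if __name__ == "__main__":
    for label, action in evaluate_all().items():
        print(f"{label:26s} {action}")
```

Two rows deserve a second look when reviewing such a table: DMZ to inside is dropped because no zone pair exists at all, which is the safe default if a DMZ host is compromised, and the self zone only accepts SSH from INSIDE, so management of the router from the public side is dropped without any explicit deny rule.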

---
#### 15.2.2 Layered Defense
**Layers in Network Defense**
- **Network Core Security**: Protects against malware, enforces policies, and ensures survivability.
- **Perimeter Security**: Secures boundaries between zones.
- **Communication Security**: Provides information assurance.
- **Endpoint Security**: Ensures identity and device policy compliance.
**Layered Defense Approach**
- **Policy Enforcement Points**
  - Traffic first encounters a packet filter at the edge router.
  - If allowed, traffic moves to a screened firewall or bastion host system for additional filtering.
  - Final checks are performed by an interior screening router before reaching the internal host.
- **Considerations**
  - Firewalls cannot stop intrusions originating from internal hosts or rogue access points.
  - Firewalls do not replace disaster recovery mechanisms.
  - Informed administrators and users are essential for comprehensive security.
**Best Practices for Layered Defense**
- Place firewalls at security boundaries.
- Deny all traffic by default.
- Permit only necessary services.
- Restrict physical access to firewalls.
- Regularly monitor firewall logs.
- Practice change management for firewall configurations.
- Use firewalls as a part of a broader security strategy, not as the sole defense mechanism.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/9-2-3-check-your-understanding-network-security-design-concepts-answers.html).
:::
>[!Warning]Recap
>Common security architectures define the boundaries of traffic entering and leaving the network. When looking at a topology that has access to outside or public networks, you should be able to determine the security architecture. Some designs are as simple as designating an outside network and inside network which are determined by two interfaces on a firewall. Networks that require public access to services will often include a DMZ that the public can access, while strictly blocking access to the inside network. ZPFs use the concept of zones to provide additional flexibility. A zone is a group of one or more interfaces that have similar functions, features, and security requirements. A layered security approach uses firewalls and other security measures to provide security at different functional layers of the network.