Please enable JavaScript.

Coggle requires JavaScript to display documents.

8.5.5 (3) (Packet Filtering Firewalls (disadvantage (if a single packet…

- - - - organizations with many routers may face difficulties in designing, coding and maintaining the rule base.
    - - the potential for an attack is determined by the total number of hosts and services to which the packet filtering router permits traffic.
  - - - attacker fakes the IP address of either an internal network host or a trusted network host so that the packet being sent will pass the rule base of the firewall
        
        allows for penetration of the system
        perimeter
      - if IP spoofing uses
        
        internal IP address
        
        firewall can be configured to drop the packet on the basis of packet flow direction analysis.
        
        External
        
        if the attacker has access to a secure or trusted external IP address and spoofs on that address, the firewall architecture is defenseless.
    - - It is possible to define the routing that an IP packet must take when it traverses from the source host to the destination host, across the Internet
      - Only those that know of the IP address, subnet mask and default gateway settings at the firewall routing station can do this
        
        clear defense against this attack is to examine each packet and, if the source routing specification is enabled, drop that packet
    - - an attacker fragments the IP packet into smaller ones and pushes it through the firewall
        
        in the hope that only the first of the sequence of fragmented packets would be examined and the others would pass without review.
      - is true if the default setting is to pass residual packets.
        
        This can be countered by configuring the firewall to drop all packets where IP fragmentation is enabled.
- - - - Therefore, in the event of a break-in, only the firewall system has been compromised, not the entire network
  - - - Circuit-level firewalls are more efficient and also operate at the application level—
        
        where TCP and User Datagram Protocol (UDP) sessions are validated, typically through a single, general-purpose proxy before opening a connection
    - - could be an appliance or sit atop hardened (tightly secured) OSs, such as Windows or UNIX. They work at the application level of the OSI model.
        
        application-level gateway firewall is a system that analyzes packets through a set of proxies—one for each service (e.g., HTTP proxy for web traffic, FTP proxy)
  - - - because of network address translation (NAT) capability.
        
        This capability takes private internal network addresses (unusable on the Internet) and maps them to a table of public IP addresses, assigned to the organization, which can be used across the Internet.
  - - - To offset this problem, the concept of load balancing is applicable in cases where a redundant fail-over firewall system may be used
- - - - done by mapping the source IP address of an incoming packet with the list of destination IP addresses that is maintained and updated
  - - - against a set of rules specified by the firewall administrator
- - - - Utilizing a packet-filtering router and a bastion host, this approach implements
        
        basic network layer security (packet filtering) #
        
        and application server security (proxy services). #
      - Router filtering rules allow inbound traffic to access only the bastion host, which blocks access to internal systems.
        
        security policy of the organization determines whether inside systems are permitted direct access to the Internet or whether they are required to use the proxy services on the bastion host
    - - firewall system that has two or more network interfaces, each of which is connected to a different network.
        
        dual-homed bastion host is configured with and
        
        one interface established for information servers
        
        another for private network host computers
      - dual-homed firewall usually acts to block or filter some or all of the traffic trying to pass between the networks
      - more restrictive form of a screened-host
        firewall system
    - - Utilizing two packet-filtering routers and a bastion host, this approach creates the most secure firewall system because
        
        it supports network- and application-level security while defining a separate DMZ network.
      - functions as a small, isolated network for an organization’s public servers, bastion host information servers and modem pools
      - limit access from the Internet and the organization’s private network.
        
        Incoming traffic access is restricted into the DMZ network by the outside router and
        
        protects the organization against certain attacks by limiting the services available for use.
        
        external systems can access only the bastion host (and its proxying service capabilities to internal systems) and possibly information servers in the DMZ.
        
        permits internal systems to access only the bastion host and information servers in the DMZ
        
        inside router provides a second line of defense, managing DMZ access to the private network, while accepting only traffic originating from the bastion host.
        
        For outbound traffic, the inside router manages private network access to the DMZ network.
      - key benefits ,
        
        private network addresses are not disclosed to the Internet, and internal systems do not have direct access to the Internet.