How is static filtering different from dynamic filtering of packets which is perceived to offer improved security?

Principals of Information Security 4th Edition Questions
Chapter 6 Questions

1. What is the typical relationship among the untrusted network, the firewall, and the trusted network? The relationship is that data is only limited to what firewalls allow via specific places called “ports”. There is the untrusted network on the outside, then the firewall which prevents unwanted or suspicious connections, and the trusted network is what lies within the bounds of the firewall.

2. What is the relationship between a TCP and UDP packet? Will any specific transaction usually involve both types of packets? A TCP Packet sends information, and reports back to the sender on progress to assure that information has been sent and received. UDP on the other hand is designed more for speed after establishing a connection and is used to strive for the fastest data retrieval rate as possible, but for this type of packet, it’s less important that it reports back. I don’t believe there will be specific transactions that involve both types of packets. But TCP is better for assuring that data is being received completely, but UDP focuses on assuring data is retrieved as quickly as possible.

3. How is an application layer firewall different from a packet-filtering firewall? Why is an application layer firewall sometimes called a proxy server? A packet-filtering firewall only allows “a particular packet with a particular source, destination, and port address to enter”. (POIS P.253) An application layer firewall is sometimes called a proxy server because it “runs special software that acts as a proxy for a service request” It is more to deal with outgoing connections and making connections within the DMZ zone of an organization.

4. How is static filtering different from dynamic filtering of packets? Which is perceived to offer improved security? Static filtering works with rules that are already designated or “developed and installed with the firewall” and only a person can change it, as software isn’t smart enough to determine if those connecting is authorized or not. However dynamic filtering of packets recognizes unauthorized patterns or connections that are unusual and immediately begins to block them or filter them. I believe that dynamic filtering is perceived to offer improved security, but unfortunately, if an attack is made to that firewall using a DDOS attack, the firewall would probably be overloaded and not be able to handle requests as it would keep having to add temporary IP restrictions and therefore limiting others from connecting. (POIS P.253)

5. What is stateful inspection? How is state information maintained during a network connection or transaction? Stateful inspection keeps “track of each network connection between internal and external systems on a state table.” This basically means any kind of traffic that goes through a stateful inspection firewall is monitored to where it came from and who used it.

State information is maintained by looking at its state table, then refers to its access control logic to see whether it’s ok to let traffic occur. 6. What is a circuit gateway, and how does it differ from the other forms of firewalls? After reading this portion on Circuit Gateways several times, it isn’t exactly clear to me what a circuit gateway is, but it seems that it’s much like setting up a VPN within a network to transfer data between different portions of a company. It differs from other form of firewalls because it does no extra processing and scanning to make sure the information is ok to let through. There’s already a secure connection being established between an application on the outside of the network and the inside.

7. What special function does a cache server perform? Why is this useful for larger organizations? A cache server is a server that basically makes available frequently used pages. For example, big corporations use cache servers to make sure pages that they use to market their products are basically pre-rendered and ready to send instead of asking for a full request from a webpage host. It also adds an additional layer of protection against attacks as only portions of a website can be attacked at a time.

8. Describe how the various types of firewalls interact with the network traffic at various levels of the OSI model. Packet filtering firewalls include Static Filtering, dynamic filtering, and stateful inspection filtering these all work at the transport layer of the network. Packet filtering interacts with network traffic to confirm or deny it based on a rule set for a packet going up against a set of rules that is determined. Static filtering is up against a rule set for each packet, dynamic filtering filters packets depending on network traffic and usage limits, and stateful inspection examines packets and verifies where they are coming and going to determine via logs. 9. What is a hybrid firewall?

A Hybrid firewall “combine the elements of other types of firewalls that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.” (POIS P.256) It’s pretty nice because it takes all the network security protocols and kind of combines them in one package so a network can be improved without replacing several different firewall technologies.

10. List the five generations of firewall technology. Which generations are still in common use? 1st Generation: Static packet filtering (going up against a pre-defined set of rules) 2nd Generation: Application level firewalls, which are able to be configured via applications and have the ability to manage traffic that applications make,” providing intermediate services for requestors” (POIS P.256) 3rd Generation: Inspection firewalls: “monitor network connections between internal and external systems using tables.” (POIS P.256) 4th Generation: Dynamic packet-filtering firewalls, “allow only a particular packet with a particular service, destination, and port address to enter.” (POIS P.256) 5th Generation: A kernel proxy that evaluates packets at multiple layers, checking security as it’s passed through the firewall. There is a “security policy that is configured into the kernel proxy as it inspects each packet.” (POIS P.256) The generations that are in common use are pretty much all of them, but it’s more likely that application level firewalls, or kernel proxy firewalls being the ones most often used.

11. How does a commercial-grade firewall appliance differ from a commercial-grade fire- wall system? Why is this difference significant?

A commercial-grade firewall appliance is a firewall that is completely independent from client computers, it runs on the firmware of a switch, and is maintained through a direct connection to the switch. Via that connection it can be configured to block and allow different kinds of traffic. A commercial grade firewall system basically runs as software on client computers which allows and prevents different kind of traffic from coming and going through a network connection. This is a significant difference because the load of processing incoming and outgoing traffic is now dealt with by client computers, and not a separate box. In order to decrease load problems from servers and other clients on a network, a commercial-grade firewall appliance is highly recommended.

12. Explain the basic technology that makes residential/SOHO firewall appliances effective in protecting a local network. Why is this usually adequate for protection? Many single office, or home office setups don’t need to have a crazy amount of protection because it’s unlikely that they would be a target of an attack verses a small home or business. This is adequate for protection because it creates a local NAT, works as a basic almost built in firewall, and stops most known intrusions or connections internally.

13. What key features point up the superiority of residential/SOHO firewall appliances over personal computer-based firewall software? Restrict mac filtering, allow port forwarding, configuring ports to be on or off, and also they are easy to configure because they are usually built into a network sharing switch.

14. How do screened host architectures for firewalls differ from screened subnet firewall architectures? Which of these offers more security for the information assets that remain on the trusted network? Screened host architectures use both packet filtering and a separate dedicated firewall, it allows packets to be screened before entering a network and accessing an internal proxy. While a screened subnet firewall architecture utilizes a DMZ as a dedicated port between the device and a single host. This helps even more with routing unauthorized network traffic, as all requests that occur within the network do not respond to outside IP addresses. Screened subnet firewalls with a DMZ offer way more security as it is very difficult to communicate with servers in a DMZ because they are only configured to communicate on the local network. 15. What a sacrificial host? What is a bastion host?

A sacrificial host is a host that works as a sole defender of a network and communicates between incoming information and works as a proxy server. The separate host that’s used to perform communication protocols on a server is called a bastion host. 16. What is a DMZ? Is this really an appropriate name for the technology, considering the function this type of subnet performs? A DMZ works as sort of a middle ground between an untrusted network and a trusted network, usually between two firewalls. I believe it is a proper name for the technology as it helps with being an area where nobody can really do anything, unless somebody is tapped directly into the line itself. 17. What are the three questions that must be addressed when selecting a firewall for a specific organization? “1. Which type of firewall technology offers the right balance between protection and cost for the needs of the
organization?” “2. What features are included in the base price? What features are available at extra cost? Are all cost factors known? “ “3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?” “4. Can the candidate firewall adapt to the growing network in the target organization?” (POIS P.267)

Paraphrased, how big is your organization, how much security will you need, how is your budget and how much do you want to be managing incoming and outgoing connections. 18. What is RADIUS? What advantage does it have over TACACS? RADIUS or “Authentication Dial-In User Service” works to help allow a user to log in and work remotely it first comes as a request remotely from (hopefully) an authorized worker, it then goes over to a remote access server to deal with authentication, it is then sent to the radius server to confirm or deny the request, then the yes or no signal is sent back to the remote access server and back to the client to confirm the connection request. This is convenient because while one server can be used to work with authentication, if it ever got overloaded, the local radius server would still be accessible. Radius however adds an additional layer of security using “encryption standards including Internet Protocol Security (IPSec) or Transport Layer Security (TLS)” I personally prefer RADIUS security as it works great with a VPN and usually isn’t a problem when coming as an outbound connection through a firewall. (POIS P.279) 19. What is a content filter? Where is it placed in the network to gain the best result for the organization? Content filters are basically filters that are put locally on a client computer, or as part of a firewall that help with managing content a client or computer is using. They are really great because they help block out NSFW content and potentially dangerous material from entering a network. They can be set up alongside a firewall within an organization’s network internally, or installed on a client computer. 20. What is a VPN? Why is it becoming more widely used?

A VPN is a virtual private network is basically a network connection that allows for other people outside to connect to a network, and it acts as if it is connected to a network internally. This is becoming more widely used
with corporations because they can connect to a network as if they are there locally. It’s very convenient for business to do this so they can share information privately within a secure network connection.