1. Using Outbound NAT

A. How secure are the hosts on a site with outbound (many-to-one) NAT and no inbound NAT?
Answer: Very secure against attacks initiated from the Internet to the site.

B. Are the hosts on a site secure from attacks on the Internet?
Answer: No. They can visit a site and be susceptible to XSS and other attacks. Clients can also be phished, and many other attacks are possible.

C. If you want to protect users from XSS, would you exchange the firewall for a proxy firewall or a WAF?
Answer: Proxy firewall. A firewall is typically for outbound connections. WAFs are typically intended to protect a particular web site.

1. T/F: Is stateful inspection dependent upon user authentication and identity?
Answer: False. Stateful inspection is based on the 5-tuple; on the client side it uses the source IP and source port. User authentication is used for some, but not all, firewalls.

2. T/F: IP spoofing is defined as the creation of IP packets with forged destination addresses, in order to conceal the identity of the sender.
Answer: False. Spoofing is forged source addresses.

3. In terms of Linux iptables filtering, what is the difference between packets destined to the local host and packets forwarded by the local host?
Answer:
Incoming packets destined to the local host: Pre Routing -> Input
Incoming packets destined to another host (i.e. forwarding, routing): Pre Routing -> Forward -> Post Routing
Both are firewalls: the host case is protecting the local host, the forwarding case is protecting another host.

4. T/F: Forward is only used when the Linux host is performing router functions.
Answer: True

5. Which are iptables tables? A. Filter B. NAT C. Mangle D. Forward
Answer: All but Forward.

6. If you are using a Linux server as a L3 firewall (router firewall), which chains will you use?
Answer: Incoming packets destined to another host (i.e. forwarding, routing): Pre Routing -> Forward -> Post Routing

7.
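The chain traversal described in items 3 to 6 can be modelled in a few lines. The following Python model is an added example and is not part of these notes: it reproduces only the filter-table path (PREROUTING, then the routing decision, then INPUT for the local host or FORWARD and POSTROUTING for routed traffic) and leaves out the nat and mangle tables. The addresses, interface roles and rules are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model (not from the notes) of the netfilter filter-table path:
# PREROUTING -> routing decision -> INPUT (local host) or FORWARD -> POSTROUTING.
# The nat and mangle tables are not modelled, only where the filter chains sit.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    chain: str
    target: str                       # "ACCEPT" or "DROP"
    match: Callable[[Packet], bool]   # stateless 5-tuple predicate
    comment: str = ""


@dataclass
class Host:
    local_addrs: set
    ip_forward: bool                  # net.ipv4.ip_forward: router functions on/off
    rules: list = field(default_factory=list)
    policy: dict = field(default_factory=lambda: {"INPUT": "DROP", "FORWARD": "DROP"})

    def _walk_chain(self, chain, pkt):
        # First matching rule wins; otherwise the chain's default policy applies.
        for r in self.rules:
            if r.chain == chain and r.match(pkt):
                return r.target
        return self.policy[chain]

    def process(self, pkt):
        """Return (chains traversed, verdict) for an incoming packet."""
        path = ["PREROUTING"]
        if pkt.dst in self.local_addrs:
            path.append("INPUT")                 # destined to the local host
            return path, self._walk_chain("INPUT", pkt)
        if not self.ip_forward:
            return path, "DROP"                  # not a router: never reaches FORWARD
        path.append("FORWARD")                   # destined to another host
        verdict = self._walk_chain("FORWARD", pkt)
        if verdict == "ACCEPT":
            path.append("POSTROUTING")
        return path, verdict


def five_tuple(**want):
    """Matcher on any subset of src/dst/proto/sport/dport; absent fields are wildcards."""
    def match(pkt):
        return all(getattr(pkt, k) == v for k, v in want.items())
    return match


def build_router():
    # Hypothetical L3 firewall: its own address is 203.0.113.1 and it protects
    # a web server at 192.0.2.10 behind it. INPUT guards the firewall itself,
    # FORWARD guards the hosts it routes for.
    return Host(local_addrs={"203.0.113.1"}, ip_forward=True, rules=[
        Rule("INPUT", "ACCEPT", five_tuple(proto="tcp", dport=22), "SSH to the firewall"),
        Rule("FORWARD", "ACCEPT", five_tuple(dst="192.0.2.10", proto="tcp", dport=443), "HTTPS to web server"),
    ])


def build_plain_host():
    """Same rule set on a host with forwarding disabled (the 'True' in item 4)."""
    h = build_router()
    h.ip_forward = False
    return h


if __name__ == "__main__":
    fw = build_router()
    for p in (Packet("198.51.100.7", "203.0.113.1", "tcp", 40000, 22),
              Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 443),
              Packet("198.51.100.7", "192.0.2.10", "tcp", 40002, 23)):
        print(f"{p.dst}:{p.dport} -> {fw.process(p)}")
```

Running it shows the three outcomes the notes distinguish: a packet for the firewall's own address only ever sees INPUT, a packet for the protected server crosses FORWARD and then POSTROUTING, and on the same box with ip_forward off a packet for another host is discarded at the routing decision without any FORWARD rule being consulted.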
Review names and types of firewalls
Host-resident firewall or host-based firewall - Includes personal firewall software and firewall software on servers
Screening router - Single router between internal and external networks with stateless or full packet filtering
Single bastion inline - Single firewall device between an internal and external router. This is Stallings' definition.
Single bastion T - Has a third network interface on the bastion to a DMZ where externally visible servers are placed
Double bastion inline - DMZ is sandwiched between bastion firewalls
Double bastion T - DMZ is on a separate network interface on the bastion firewall
Distributed firewall configuration - Used by large businesses and government organizations

8. If you are using a Linux server to restrict access based on MAC layer addresses, which command might you use? A. iptables B. ip6tables C. ebtables D. arptables E. ipset F. nftables
Answer: ebtables

9. What is IP spoofing and how can it be prevented?
Answer: IP spoofing is a practice where an attacker illicitly impersonates another machine by manipulating IP packets. The most common way to prevent it is to write bogon filters (block private IP addresses) and block the organization's own IP addresses from coming into the network.

Spoofing source IP addresses versus crafting packets for exfiltration:
Source IP routing - Intent is to bypass filtering rules. Easily blocked. Typically blocked.
IP Fragment - Intent is to bypass filtering rules. Easily blocked. Typically blocked.

10. Can a firewall that only filters on the 5-tuple block selected pages in a given web site? Assume all pages are served from the same server.
Answer: No, not with just the 5-tuple.
Can an IPS block selected pages?
Answer: Yes, if you can define a signature correctly.
Can a WAF block selected pages?
Answer: Yes, if you can define a ModSecurity rule.

11. Stateful versus Stateless
Both operate at Layer 3 and Layer 4 of the Open Systems Interconnection (OSI) model.
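The bogon filter in item 9 is easy to state precisely: on the Internet-facing interface, drop any packet whose source address is private space or the organization's own prefix, since neither can legitimately arrive from outside. The following Python check is an added example, not part of the notes; the interface name eth0, the prefix 203.0.113.0/24 and the sample addresses are assumptions chosen for the illustration, and the iptables strings it builds are shown for comparison rather than executed.

```python
import ipaddress

# Constructed anti-spoofing (bogon) ingress filter, as an added example that is
# not part of the notes. A packet arriving on the external interface may not
# carry a private source address, and may not claim to come from the
# organization's own prefix, because that address space lives inside.

EXTERNAL_IFACE = "eth0"                                   # hypothetical Internet-facing interface
ORG_PREFIX = ipaddress.ip_network("203.0.113.0/24")       # hypothetical organization prefix
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918 private space
    "127.0.0.0/8",                                        # loopback
    "169.254.0.0/16",                                     # link-local
)]


def ingress_verdict(in_iface, src_ip):
    """Return (verdict, reason) for a packet with source src_ip arriving on in_iface."""
    if in_iface != EXTERNAL_IFACE:
        return "ACCEPT", "internal interface: not subject to the ingress bogon filter"
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "DROP", f"unparseable source address {src_ip!r}"
    for net in BOGONS:
        if src in net:
            return "DROP", f"bogon source {src} in {net} arriving from the Internet"
    if src in ORG_PREFIX:
        return "DROP", f"our own prefix {ORG_PREFIX} arriving from the Internet: spoofed"
    return "ACCEPT", "source address is plausible on the external interface"


def iptables_equivalent():
    """The same policy as iptables rule strings (built, not executed), for both the
    INPUT chain (traffic to the firewall) and the FORWARD chain (routed traffic)."""
    rules = []
    for chain in ("INPUT", "FORWARD"):
        for net in BOGONS + [ORG_PREFIX]:
            rules.append(f"iptables -A {chain} -i {EXTERNAL_IFACE} -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    for iface, ip in (("eth0", "10.1.2.3"), ("eth0", "203.0.113.5"),
                      ("eth0", "198.51.100.9"), ("eth1", "10.1.2.3")):
        print(iface, ip, ingress_verdict(iface, ip))
    print("\n".join(iptables_equivalent()))
```

The interface test matters as much as the address test: the same private source that is dropped on eth0 is perfectly normal on an inside interface, which is why the rules are written with -i and placed in both INPUT and FORWARD on a router firewall.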
A proxy retrieves data from an online resource on your behalf. Firewalls monitor and evaluate the traffic passed to the end user.

Stateful packet filtering firewalls:
- Keep track of the state of network connections. This firewall adds the traffic into a state table once it is approved.
- Stateful firewalls are able to detect fake messaging and unauthorized access.
- They have a powerful memory as they remember the main aspects of network connections.
- They have stronger attack mitigation.
- More resource intensive: computationally expensive to set up and maintain the connection table.

Stateless packet filtering firewalls:
- Use Access Control Lists (ACLs).
- Not aware of the current state of the connection/incoming traffic. The device accepts or rejects an incoming packet by checking whether it matches the ACL rules or not.
- Stateless firewalls are faster than stateful firewalls. They perform better in heavy traffic as they do not dive as deep into the information of a packet as stateful firewalls do.

12. Advantages of NAT
1. Helps conserve public IP space by using private IP address space
2. Improves security by separating internal and public (Internet) IP address space and hosts
3. Improves flexibility to assign IP addresses
4. Improves standardization by allowing the assignment of IP addresses

13. Disadvantages of NAT
1. Can impact performance and scalability
   - NAT'ing table requires setup and maintenance
   - Many-to-one NAT'ing can result in using all available TCP source ports: 100k connections per second, but only 64k ports available
2. NAT cannot be used with some protocols: IPSEC, TACACS
3. Can consume CPU and memory

14.
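Items 11 and 13 are easier to compare side by side in code. The following Python is an added example, not code from the notes: a stateless ACL that has to leave a hole for client replies, a stateful filter whose state table closes that hole, and a many-to-one NAT that allocates public source ports until the 16-bit space is used up. The addresses and port ranges are constructed; the NAT model draws every flow from a single pool, which is the simplest model and the exhaustion case the notes describe.

```python
from dataclasses import dataclass, replace

# Constructed example, not from the notes: a stateless ACL next to a stateful
# connection table, and a many-to-one NAT that hands out public source ports
# until the 16-bit port space runs out.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for a TCP connection-opening SYN
    direction: str = "in"    # "in" = arriving from the Internet, "out" = leaving the site


def stateless_acl(pkt):
    """Stateless ACL: allow all outbound traffic, and inbound traffic only to
    ports above 1023. Client replies land on an ephemeral port, and without
    state the ACL cannot tell such a reply from a brand-new inbound connection,
    so the hole left for replies also admits unsolicited packets."""
    if pkt.direction == "out":
        return "ACCEPT"
    return "ACCEPT" if pkt.dport > 1023 else "DROP"


class StatefulFilter:
    """Stateful filter: a site-initiated connection is entered in the state
    table and only packets belonging to a tabled connection are admitted."""

    def __init__(self):
        self.table = set()   # approved connections keyed by (src, sport, dst, dport)

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out" and pkt.syn:
            self.table.add(key)          # new site-initiated connection: remember it
            return "ACCEPT"
        if key in self.table or reverse in self.table:
            return "ACCEPT"              # belongs to an approved connection
        return "DROP"                    # unsolicited, even if aimed at a high port


class ManyToOneNAT:
    """Outbound PAT: all inside hosts share one public address, so each flow
    needs its own public source port. Every flow is drawn from one pool here,
    which is the exhaustion case the notes describe (64k ports)."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.free = list(range(first_port, last_port + 1))
        self.bindings = {}               # (src, sport, dst, dport) -> public port

    def translate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.bindings:
            if not self.free:
                raise RuntimeError("NAT source ports exhausted")
            self.bindings[key] = self.free.pop()
        return replace(pkt, src=self.public_ip, sport=self.bindings[key])


def flows_until_exhausted(nat, dst="198.51.100.20", dport=443):
    """Open constructed flows from distinct inside hosts until the NAT runs out of ports."""
    n = 0
    while True:
        inside = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        try:
            nat.translate(Packet(inside, 40000, dst, dport, syn=True, direction="out"))
        except RuntimeError:
            return n
        n += 1


if __name__ == "__main__":
    probe = Packet("198.51.100.7", 5555, "10.0.0.5", 4444)   # unsolicited inbound to a high port
    print("stateless ACL on unsolicited inbound:", stateless_acl(probe))
    sf = StatefulFilter()
    sf.check(Packet("10.0.0.5", 40000, "198.51.100.7", 443, syn=True, direction="out"))
    print("stateful filter on its reply:", sf.check(Packet("198.51.100.7", 443, "10.0.0.5", 40000)))
    print("stateful filter on unsolicited inbound:", sf.check(probe))
    print("flows before port exhaustion:", flows_until_exhausted(ManyToOneNAT("203.0.113.1")))
```

The stateful filter admits the reply because the reversed 5-tuple is in its table and rejects the unsolicited probe because nothing matches, which is exactly the extra memory and per-connection cost item 11 describes. The NAT count comes out at 64512 flows (ports 1024 through 65535), so a site opening 100k connections per second, as item 13 puts it, cannot hold them all behind a single public address.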
Pros of proxy firewalls
- Provides anonymity and enhanced security as it abstracts your IP address from external sources
- Allows for private browsing
- Allows you to access location-specific content
- Prevents your employees from accessing harmful, malicious, or inappropriate content
- Enhances your network performance and also provides an extra layer of security
- Acts as a part of a firewall implementation and can also be set up via web filters

15. Proxy Server
- Works on the application layer of the OSI model
- Connects to an external server and communicates on behalf of the client
- Provides anonymity and bypasses restrictions
- Can be set up on both sides with public networks
- Involves less administrative overhead usually, as it serves as a mediator for the request/response cycle
- Works on the application protocol level
- Filters client-side requests for the connection

16. Firewall
- Monitors and filters all the incoming and outgoing traffic on a given network
- Works on the network and transport layers of the OSI model
- Protects an internal private network against cyberattacks
- Is an interface between the public and the private network
- Involves more overhead due to its configuration and filtering rules
- Filters web/data packets
- Works on the data packet level
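Items 10, 15 and 16 all turn on the same point: a packet filter decides on the 5-tuple, while a proxy or WAF decides on the parsed application request. The following Python is an added example, not from the notes, that runs two HTTP requests for the same server and port through both kinds of decision; the server address, the blocked paths and the request bytes are constructed for the illustration. It does no path normalization (case folding, percent-decoding, dot-segment removal), which a real proxy or WAF rule set has to do before comparing paths.

```python
from dataclasses import dataclass

# Constructed example, not from the notes: the same HTTP requests as seen by a
# 5-tuple packet filter and by an application-layer proxy. Both requests go to
# the same server and port, so only the proxy, which parses the request line,
# can block the selected page.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


WEB_SERVER = "192.0.2.10"                # hypothetical web server address
BLOCKED_PATHS = ("/admin", "/internal")  # hypothetical pages to block
RULES = [({"dst": WEB_SERVER, "proto": "tcp", "dport": 80}, "ACCEPT")]   # 5-tuple rules


def five_tuple_filter(pkt, rules):
    """Match on (src, dst, proto, sport, dport) only; the payload is invisible here."""
    for wanted, verdict in rules:
        if all(getattr(pkt, k) == v for k, v in wanted.items()):
            return verdict
    return "DROP"


def parse_request_line(payload):
    """Minimal HTTP/1.x request-line parser: returns (method, path) or None."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    path = target.split("?", 1)[0]       # the query string does not change the page
    return method, path


def path_is_blocked(path):
    # Exact page or anything below it; "/admin" must not catch "/administrator".
    return any(path == b or path.startswith(b.rstrip("/") + "/") for b in BLOCKED_PATHS)


def proxy_filter(pkt):
    """Application-layer decision: parse the request, then compare the path."""
    req = parse_request_line(pkt.payload)
    if req is None:
        return "DROP"                    # not well-formed HTTP: refuse rather than guess
    _, path = req
    return "DROP" if path_is_blocked(path) else "ACCEPT"


def compare(pkt, rules=RULES):
    return {"packet_filter": five_tuple_filter(pkt, rules), "proxy": proxy_filter(pkt)}


def public_page():
    return Packet("10.0.0.5", 40000, WEB_SERVER, 80, "tcp",
                  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")


def admin_page():
    return Packet("10.0.0.5", 40001, WEB_SERVER, 80, "tcp",
                  b"GET /admin?tab=users HTTP/1.1\r\nHost: www.example.com\r\n\r\n")


if __name__ == "__main__":
    for name, pkt in (("public page", public_page()), ("admin page", admin_page())):
        print(name, compare(pkt))
```

Both requests share destination 192.0.2.10, protocol tcp and port 80, so the packet filter's only choices are to allow the whole site or none of it; the proxy reads the request line and can accept /index.html while refusing /admin, which is the distinction the notes draw between working at the packet level and working at the application protocol level.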