Firewall Basics
A firewall is defined as a gateway or access server (hardware- or software-based), or several gateways or access servers, designated as a buffer between a connected public network and a private network. In other words, a firewall is a device that separates a trusted network from an untrusted network. It may be a router, a PC running specialized software, or a combination of devices. A Cisco firewall router primarily uses access lists to ensure the security of the private network. Figure 9-1 displays a network in which firewalls are typically located between the trusted networks and untrusted networks.
Figure 9-1. Firewall Placement

- TCP SYN flood attacks
  This form of denial-of-service (DoS) attack randomly opens up a number of TCP ports to make network devices use CPU cycles for bogus requests. By tying up valuable resources on the remote host (both CPU cycles and memory), the CPU is busy with bogus requests. In turn, legitimate users are affected by denial of access or poor network response. This type of attack renders the host unusable.
- E-mail attacks
  This form of DoS attack sends a random number of e-mails to a host. E-mail attacks are designed to fill inboxes with thousands of bogus e-mails (also called e-mail bombs), thereby ensuring that the end user cannot send or receive legitimate mail.
- CPU-intensive attacks
  This form of DoS attack ties up system resources by using programs such as Trojan horses (programs designed to capture usernames and passwords from a network) or enabling viruses to disable remote systems.
- Teardrop
  A teardrop attack exploits an overlapping IP fragment implementation bug in various operating systems. The bug causes the TCP/IP fragmentation reassembly code to improperly handle overlapping IP fragments, causing the host to hang or crash.
- DNS poisoning
  In this attack, the attacker exploits the DNS server, causing the server to return false IP addresses to a domain name query.
- UDP bomb
  A UDP bomb causes the kernel of the host operating system to panic and crash by sending a field of illegal length in the packet header.
- Distributed denial-of-service (DDoS)
  This attack uses DoS attacks run by multiple hosts. The attacker first compromises vulnerable hosts using various tools and techniques. Then the actual DDoS attack on a target is run from the pool of all these compromised hosts.
- Chargen attack
  This type of attack causes congestion on a network (high bandwidth utilization) by producing a high-character input after establishing a User Datagram Protocol (UDP) service or, more specifically, the chargen service.
- Out-of-band attacks
  Applications or even operating systems such as Windows 95 have built-in vulnerabilities on data port 139 (known as WinNuke) if the intruders can ascertain the IP address.
- Land.C attack
  This attack uses a program designed to send TCP SYN packets (TCP SYN is used in the TCP connection phase) that specify the target's host address as both source and destination. This program can use TCP port 113 or 139 (source/destination), which can also cause a system to stop functioning.
- Spoof attack
  In a spoof attack, the attacker creates IP packets with an address found (or spoofed) from a legitimate source. This type of attack can be powerful when a router is connected to the Internet with one or more internal addresses. More details on ARP and DNS spoofing attacks are provided in Chapter 2, "Understanding Vulnerabilities: The Need for Security."
- Smurf attack
  The Smurf attack, named after the exploitive Smurf software program, is one of the many network-level attacks against hosts. In this attack, an intruder sends a large amount of Internet Control Message Protocol (ICMP) echo (ping) traffic to IP broadcast addresses, all of it having the spoofed source address of a victim. For more details, see http://www.cert.org/advisories/CA-1998-01.html. Smurf attacks include a primary and a secondary victim and are extremely potent and damaging to any IP network.
- Man-in-the-middle attack
  With a man-in-the-middle attack, an intruder intercepts traffic that is in transit. The intruder can then either rewrite the traffic or alter the packets before the packets reach the original destination.
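As an added illustration of the access-list approach the text attributes to Cisco firewall routers (this fragment is not from the book), the following IOS configuration applies defensive controls for three of the attacks listed above: it drops inbound packets whose source claims to be an inside address (spoof and Land-type packets), disables directed broadcasts so the router's subnets cannot act as Smurf amplifiers, and enables TCP Intercept to absorb SYN floods before they reach inside servers. The inside block 192.0.2.0/24 and the interface names Serial0 and Ethernet0 are assumed placeholders.

```cisco
! Assumed addressing: 192.0.2.0/24 is the trusted (inside) network,
! Serial0 faces the untrusted network, Ethernet0 faces the inside.
!
! Anti-spoofing: packets arriving from the untrusted side must never carry
! an inside source address, a loopback source, or the unspecified source.
! Land.C packets (source = destination = an inside host) are caught here too.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any log
! Smurf amplification: ICMP echo aimed at the inside broadcast address is dropped.
access-list 101 deny   icmp any host 192.0.2.255 echo log
! Remaining traffic to the inside network is subject to the rest of the policy;
! an explicit permit keeps the list's implicit deny visible to reviewers.
access-list 101 permit ip any 192.0.2.0 0.0.0.255
!
! TCP Intercept: the router completes the three-way handshake on behalf of
! inside servers, so half-open connections from a SYN flood never reach them.
! The intercept list selects which destinations are protected.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 120
ip tcp intercept mode intercept
!
interface Serial0
 description Untrusted (public) side
 ip access-group 101 in
 no ip directed-broadcast
!
interface Ethernet0
 description Trusted (inside) side
 no ip directed-broadcast
```

Matches on the logged entries can be reviewed with `show access-lists 101`, and `show tcp intercept statistics` reports how many half-open connections the router has absorbed.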
The Cisco Secure Encyclopedia (CSEC) has been developed as a central warehouse of security knowledge to provide Cisco security professionals with an interactive database of security vulnerability information. CSEC contains detailed information about security vulnerabilities, including countermeasures, affected systems and software, and CiscoSecure products that can help you test for vulnerabilities or detect when malicious users attempt to exploit your systems. More details can be found at