【Network Security】Comprehensive Diagram of Firewall Knowledge Points (3)


39. What is a DoS attack?

DoS stands for Denial of Service: a state in which a service can no longer be provided. "Service" here means the application service running on a server; for example, when a client sends an HTTP request and the server returns an HTTP response, the HTTP service has been delivered. A DoS attack targets servers and network devices by generating traffic far beyond what they were designed to handle, so that they can no longer return responses normally and the attacked system stops providing service. A DoS attack can also exploit security holes in the operating system or in programs to disrupt a system with only a small amount of traffic. A DoS attack launched against a server through many springboard hosts of a botnet is called a DDoS (Distributed Denial of Service) attack.

40. What are the types of DoS attacks? What precautions does the firewall have?

  • Syn Flood : A large number of TCP SYN packets are sent, exhausting server resources so that the server cannot provide service for a period of time. In the firewall, the number of SYN packets allowed to pass per second is defined; when the SYN rate in the network exceeds this value, the SYN Cookie policy is applied. With SYN Cookie, when the server receives a SYN from a client it does not set up a TCP connection record, but puts a hash of the TCP header contents into the SYN-ACK as the sequence number and returns it. Only after receiving an ACK carrying the correct acknowledgement number does it store the session information in memory, which effectively prevents the attack from consuming server memory.

  • ICMP Flood : Also known as Ping Flood. A large number of ICMP Echo Request messages are sent to consume server memory, so that the server temporarily cannot provide service. The firewall defines the maximum number of ICMP packets allowed per second and temporarily does not process ICMP packets beyond that value.

  • UDP Flood : A large number of UDP packets are sent to consume server memory, so that the server temporarily cannot provide service. The firewall defines the maximum number of UDP packets allowed per second and temporarily does not process UDP packets beyond that value.

  • IP Flood : A large number of IP packets are sent to consume server memory, so that the server temporarily cannot provide service. The firewall defines the maximum number of IP packets allowed per second and temporarily does not process IP packets beyond that value.

  • Land : Packets whose source address is the same as their destination address are sent. A vulnerable device that receives such packets keeps forwarding the data to itself and eventually goes down. The firewall discards all such packets.

  • Tear Drop : Forged packets containing IP fragments with illegal offsets are sent. A vulnerable device cannot reassemble such packets and goes down. The firewall discards all such packets.

  • Ping of Death : Ping packets exceeding the maximum IP packet length of 65535 bytes are sent. This type of attack can stop vulnerable devices from operating. The firewall discards all such packets.

  • Smurf : The attack target's address is set as the source address and ICMP Echo Request messages are broadcast, so that the target receives a large number of ICMP Echo Reply messages and its bandwidth is consumed.

  • Fraggle : Similar to Smurf, but UDP is used instead of ICMP, and the echo, chargen, daytime, qotd and other ports are used at the same time. Firewalls generally close such ports, or block them with security policies.

  • Connection Flood : A large number of connections are repeatedly created and kept in the open state for a long time, occupying the socket resources of the attack target. If the server does not limit the maximum number of connections, the system will crash.

  • Reload : Pressing F5 continuously in the web browser makes the page refresh repeatedly; this is also called an F5 attack. When web traffic is already high, it increases the load on the server.
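The SYN Cookie mechanism described under Syn Flood above is easier to see in code. The following is an added example, not code from the original article or any firewall vendor: the cookie is a keyed hash (HMAC-SHA256, truncated to 32 bits) over the connection 4-tuple and a coarse time slot, the secret and the 64-second slot length are constructed values, and the addresses are documentation ranges.

```python
import hashlib
import hmac

# Constructed demo secret; a real device generates this randomly at boot and rotates it.
SERVER_SECRET = b"demo-only-secret"
COOKIE_SLOT_SECONDS = 64  # a cookie stays valid for the current slot and the one before it


def _slot(now: float) -> int:
    """Coarse time slot baked into the cookie so that replayed cookies expire."""
    return int(now) // COOKIE_SLOT_SECONDS


def syn_cookie(src_ip, src_port, dst_ip, dst_port, now, secret=SERVER_SECRET) -> int:
    """Sequence number the server places in its SYN-ACK instead of allocating state.

    It is a keyed hash of the connection 4-tuple and the time slot, truncated to 32 bits.
    """
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{_slot(now)}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now, secret=SERVER_SECRET) -> bool:
    """A genuine third handshake packet acknowledges cookie + 1 within the validity window."""
    expected_seq = (ack_number - 1) & 0xFFFFFFFF
    for back in (0, COOKIE_SLOT_SECONDS):
        if syn_cookie(src_ip, src_port, dst_ip, dst_port, now - back, secret) == expected_seq:
            return True
    return False


def simulate(now: float = 1_700_000_000.0) -> dict:
    """Constructed traffic: 1000 spoofed SYNs that never complete, then one real client."""
    server = ("203.0.113.10", 80)
    sessions = {}  # populated only when an ACK proves the handshake finished

    # Flood phase: every SYN gets a SYN-ACK carrying a cookie, but nothing is stored.
    for i in range(1000):
        spoofed = (f"198.51.100.{i % 254 + 1}", 40000 + i)
        syn_cookie(*spoofed, *server, now)
    stored_during_flood = len(sessions)

    # Legitimate client: echoes our cookie + 1 in its ACK, so a session is created.
    client = ("192.0.2.7", 51515)
    isn = syn_cookie(*client, *server, now)
    if verify_ack(*client, *server, (isn + 1) & 0xFFFFFFFF, now + 0.2):
        sessions[(*client, *server)] = "ESTABLISHED"

    return {"stored_during_flood": stored_during_flood, "established": len(sessions)}


if __name__ == "__main__":
    print(simulate())
```

The point to notice is that the server holds no per-connection memory until `verify_ack` succeeds, and that a cookie stops verifying once its time slot has passed, so captured SYN-ACKs cannot be replayed later.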

41. How to defend against DoS?

DoS defense limits abnormally high-rate traffic; the limits are generally configured per zone, network interface, network or similar unit.

DoS defense can also intercept packets with illegal contents or low security. If such packets were handled by the firewall's or router's normal processing, resources would be wasted, so a dedicated DoS defense function is needed to block such attacks.
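The per-unit rate limiting described above, as an added example that is not part of the original article: a sliding one-second counter per (zone, packet type) with constructed thresholds; SYNs over the limit are handed to the SYN Cookie path described in question 40 and other excess packets are dropped. The zone names, limits and traffic are all constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed per-second limits; a real policy is set per zone or interface.
THRESHOLDS_PER_SECOND = {"SYN": 100, "ICMP": 50, "UDP": 200}


class FloodLimiter:
    """Counts packets of each type per unit (zone/interface) in a sliding one-second window."""

    def __init__(self, thresholds=THRESHOLDS_PER_SECOND, window=1.0):
        self.thresholds = thresholds
        self.window = window
        self.recent = defaultdict(deque)  # (unit, kind) -> timestamps of passed packets

    def decide(self, ts, unit, kind):
        if kind not in self.thresholds:
            return "pass"  # no limit configured for this packet type
        q = self.recent[(unit, kind)]
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget packets that fell out of the window
        if len(q) >= self.thresholds[kind]:
            # Over the limit: SYNs fall back to SYN cookies, other floods are dropped.
            return "syn-cookie" if kind == "SYN" else "drop"
        q.append(ts)
        return "pass"


def constructed_traffic():
    """Synthetic packet stream as (timestamp, unit, kind) tuples."""
    pkts = []
    pkts += [(i * 0.003, "untrust", "SYN") for i in range(150)]          # 150 SYNs in 0.45 s
    pkts += [(0.5 + i * 0.004, "untrust", "ICMP") for i in range(60)]    # 60 pings in 0.24 s
    pkts += [(i * 0.01, "dmz", "ICMP") for i in range(20)]               # normal pings, other zone
    pkts += [(0.7 + i * 0.001, "untrust", "TCP-DATA") for i in range(5)]  # type with no limit
    return sorted(pkts)


def run_demo():
    """Returns how many packets of each (unit, kind) received each decision."""
    limiter = FloodLimiter()
    tally = defaultdict(int)
    for ts, unit, kind in constructed_traffic():
        tally[(unit, kind, limiter.decide(ts, unit, kind))] += 1
    return dict(tally)


if __name__ == "__main__":
    for key, count in sorted(run_demo().items()):
        print(key, count)
```

Because the counters are keyed by zone, the burst on the untrust side does not affect the pings in the dmz zone, which is the reason the article gives for configuring limits per zone or interface.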

42. What is port scanning?

Before launching an attack, the attacker investigates the target's equipment. The most basic and most commonly used method is port scanning (port scan). Port scanning is divided into two categories, TCP port scanning and UDP port scanning: packets are sent to TCP or UDP ports to detect whether the destination device has the corresponding service open. For example, if a scan shows that port 22 of a device is open, the attacker knows that the device is running SSH, and may then use the SSH service to access the device and launch subsequent attacks.

Firewalls can detect port scanning behavior and can block it.

43. What types of port scanning are there?

  • TCP port scan : Scans all TCP ports from 0 to 65535, or a range of ports, to detect which ports are open on the server. The scanner sends a TCP SYN packet to the server; if the port is open, a SYN + ACK is returned, and if the port is closed, the server returns RST + ACK.

  • SYN port scan : A type of TCP port scan that does not complete the 3-way handshake; only SYN packets are sent, so it is also called half-open scanning. During the 3-way handshake, whether the port is open is judged by whether the server replies with an ACK (SYN + ACK) or an RST.

  • ACK port scan : To evade firewall detection of SYN port scans, ACK packets are sent to the server, and whether the port is open is judged from the window size of the RST reply. This only works against servers that use different window sizes for open and closed ports.

  • Null port scan : TCP packets with all flag bits set to 0 are sent to the server, and whether the port is open is judged by whether the server returns RST + ACK.

  • FIN port scan : FIN packets are sent to the server, and whether the port is open is judged by whether RST + ACK is returned.

  • Xmas port scan : TCP packets with all flag bits set to 1 are sent to the server, and whether the port is open is judged by whether RST + ACK is returned.

  • UDP port scan : Scans all UDP ports from 0 to 65535, or a range of ports, to detect which ports are open on the server.

  • Host Sweep : ICMP or TCP packets are sent to a large number of hosts. From whether and how each host responds, the scanner learns whether the host exists and which applications it is running. A TCP SYN Host Sweep sends TCP SYN packets to the same port on many hosts at once.
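Question 42 says a firewall can detect port scanning; the list above gives the patterns to look for. The following added example (not code from the original article) shows the detection side: it classifies each probe by its TCP flag combination (NULL, FIN, Xmas, SYN, ACK) and raises a port-scan alert when one source probes many ports on one host, or a host-sweep alert when one source probes one port on many hosts. Thresholds, addresses and flow records are constructed; a real device would also bound the counting by a time window.

```python
from collections import defaultdict

# Constructed thresholds; real devices make these configurable per zone.
PORT_SCAN_THRESHOLD = 10   # distinct ports probed on one host by one source
HOST_SWEEP_THRESHOLD = 10  # distinct hosts probed on one port by one source


def probe_type(flags: str) -> str:
    """Classify a probe by its TCP flag letters (S, A, F, R, P, U)."""
    f = set(flags.upper())
    if not f:
        return "NULL"  # no flag bits set at all
    if f == {"F", "P", "U"} or f == {"S", "A", "F", "R", "P", "U"}:
        return "XMAS"  # nmap's FIN/PSH/URG form, or the all-flags form the article describes
    if f == {"F"}:
        return "FIN"
    if f == {"S"}:
        return "SYN"
    if f == {"A"}:
        return "ACK"
    return "OTHER"


def detect_scans(records):
    """records: iterable of (src, dst, dport, flags). Returns a list of alert dicts."""
    ports_per_target = defaultdict(set)  # (src, dst)   -> ports probed
    hosts_per_port = defaultdict(set)    # (src, dport) -> hosts probed
    probes_by_src = defaultdict(set)     # src -> probe types seen
    for src, dst, dport, flags in records:
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
        probes_by_src[src].add(probe_type(flags))

    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            alerts.append({"type": "port-scan", "src": src, "dst": dst,
                           "ports": len(ports), "probes": sorted(probes_by_src[src])})
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= HOST_SWEEP_THRESHOLD:
            alerts.append({"type": "host-sweep", "src": src, "port": dport,
                           "hosts": len(hosts), "probes": sorted(probes_by_src[src])})
    return alerts


def sample_records():
    """Constructed flow records: one port scanner, one host sweeper, two normal clients."""
    recs = [("198.51.100.5", "203.0.113.10", p, "S") for p in range(1, 16)]     # SYN scan, 15 ports
    recs.append(("198.51.100.5", "203.0.113.10", 7, ""))                         # one NULL probe
    recs += [("198.51.100.6", f"203.0.113.{h}", 22, "S") for h in range(1, 13)]  # sweep, 12 hosts
    recs += [("192.0.2.20", "203.0.113.10", 443, "S"),                            # ordinary clients
             ("192.0.2.21", "203.0.113.10", 443, "S")]
    return recs


if __name__ == "__main__":
    for alert in detect_scans(sample_records()):
        print(alert)
```

The two ordinary clients never cross either threshold, which is the property a scan detector needs so that normal traffic on a busy server is not flagged.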

44. What illegal message attacks are there?

  • IP address spoofing (IP Spoofing) : Forging the source IP address in the IP header in order to pass through the firewall and avoid being monitored and logged.

  • Fragmented packets : Fragmented IP packets are often used in attacks because of their weak security, so firewalls have a function to intercept fragmented packets. If a packet does not exceed the MTU of the communication link, no fragments are sent, so this function does not affect normal communication.

  • ICMP fragments : Similar to IP fragmentation; the firewall also has a function to intercept ICMP fragments.

  • Jumbo ICMP packets (Ping of Death) : Firewalls can prevent Ping of Death attacks by blocking ICMP packets larger than a certain size.

  • Illegal ICMP packets : If the header of a received ICMP packet contains an undefined value, extra exception handling is needed. The firewall intercepts such illegal ICMP packets.

  • Control of TCP packets other than SYN : A TCP session starts with a SYN packet. If, in a TCP session that has not yet been established, a TCP packet arrives with flag bits other than SYN set to 1, it is likely to be an attack such as port scanning, so such packets should be blocked by the firewall.
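Several of the checks above (Land, fragments, oversized ICMP, and TCP packets other than SYN arriving without a session) are decided by a session table plus a few header sanity checks. The following added example, which is not code from the original article or any product, shows that logic on a constructed packet list: a session is created only by a SYN, the same key is used for both directions, and everything else that does not belong to a session is dropped with a reason. The ICMP size limit and addresses are constructed.

```python
ICMP_MAX_BYTES = 1024  # constructed size limit for an ICMP packet


class StatefulFilter:
    """Minimal session-table filter for the illegal-packet checks described above."""

    def __init__(self, icmp_max=ICMP_MAX_BYTES):
        self.sessions = set()
        self.icmp_max = icmp_max

    @staticmethod
    def _key(p):
        # The same session key for both directions of a TCP flow.
        ends = sorted([(p["src"], p.get("sport", 0)), (p["dst"], p.get("dport", 0))])
        return (p["proto"],) + tuple(ends)

    def inspect(self, p):
        """Returns (action, reason) for one packet dict."""
        if p["src"] == p["dst"]:
            return ("drop", "land: source address equals destination address")
        if p.get("fragment", False):
            return ("drop", f"{p['proto']} fragment")
        if p["proto"] == "icmp":
            if p.get("length", 0) > self.icmp_max:
                return ("drop", "oversized icmp")
            return ("pass", "icmp")
        if p["proto"] == "tcp":
            key = self._key(p)
            if key in self.sessions:
                return ("pass", "existing session")
            if set(p.get("flags", "")) == {"S"}:
                self.sessions.add(key)  # the handshake starts here
                return ("pass", "new session (SYN)")
            return ("drop", "non-SYN packet without a session")
        return ("pass", "no rule")


def constructed_packets():
    """Synthetic packets: one probe, one Land packet, a real handshake, a fragment, two pings."""
    srv, cli, probe = "203.0.113.10", "192.0.2.7", "198.51.100.5"
    return [
        dict(proto="tcp", src=probe, sport=40000, dst=srv, dport=80, flags="A"),  # ACK probe, no session
        dict(proto="tcp", src=srv, sport=80, dst=srv, dport=80, flags="S"),       # Land packet
        dict(proto="tcp", src=cli, sport=51515, dst=srv, dport=80, flags="S"),    # client SYN
        dict(proto="tcp", src=srv, sport=80, dst=cli, dport=51515, flags="SA"),   # server SYN-ACK
        dict(proto="udp", src=probe, sport=5000, dst=srv, dport=53, fragment=True),
        dict(proto="icmp", src=probe, dst=srv, length=2000),                       # over the limit
        dict(proto="icmp", src=cli, dst=srv, length=84),                           # normal ping
    ]


def run_demo():
    fw = StatefulFilter()
    return [fw.inspect(p) for p in constructed_packets()]


if __name__ == "__main__":
    for action, reason in run_demo():
        print(action, reason)
```

The reply SYN-ACK from the server passes only because the client's SYN created the session first; the same SYN-ACK or a bare ACK arriving cold, as in the first packet, is exactly the half-open or ACK-scan traffic the article says to block.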

45. What is IDS/IPS?

IDS is short for Intrusion Detection System, and IPS is short for Intrusion Prevention System; together they are referred to as IDS/IPS.

IDS is responsible for detecting illegal intrusion and notifying the system administrator, while IPS intercepts the protocols and applications used by illegal intrusion through settings.

Threats that IDS/IPS can detect are:

  • DoS attack
  • Information leakage caused by P2P
  • Run malware such as worms, Trojan horses, keyloggers, etc.
  • Intrusion into the LAN and intrusion-probing behavior

When IDS / IPS detects an intrusion, it will deal with it accordingly:

  • Notify the administrator, via e-mail or SNMP, etc.
  • Record a log
  • Intercept communication and send TCP RST message to attacker

46. What is Deep Inspection?

The Deep Inspection function of the firewall can reassemble the TCP data segment of the application data flow for a specific application layer protocol, and detect whether it contains illegal application parameters.


47. What types of attacks can IDS/IPS and Deep Inspection detect and block?

  • Information leakage : Attacks launched with e-mails carrying malicious scripts or with URLs that lead to malware. If the attack succeeds, the victim's confidential information can be obtained.

  • Code execution : Illegal data is sent to the server so that the server accepts and executes remote code.

  • DoS attack : An attack that sends a large number of packets, raising the server's CPU and memory usage so that it cannot provide service normally.

  • Buffer overflow (Buffer Overflow) : A malicious program causes the server to write beyond the bounds of a memory buffer, producing a buffer overflow.

  • SQL injection : Aimed at web applications; uses the database's SQL language to perform illegal operations on the database.

  • Brute force cracking (Brute Force Attack) : Also known as a loop attack; tools such as a password dictionary are used to try the administrator password repeatedly. To prevent this type of attack, a policy such as cutting off the session after 3 wrong password entries is needed.

  • Cross-site scripting (Cross-site Scripting) : CSS or XSS for short. By exploiting a vulnerability in the web application, a script carried in HTML tags submitted through a page form is executed on the server, with the aim of hijacking the session or phishing.

  • Exploit attack : A program or script used in an attack that exploits a software security flaw.

  • Browser hijacking : Malicious software controlling the browser tampers with the form and content of the pages a user views. It usually shows up as continually popping-up advertisement bars, URL links being added automatically, and jumps to other web pages.

  • Phishing : E-mails or web sites linking to forged official URLs are used to defraud users of personal credit card and bank account information.

  • Botnet : Many PCs are infected with bots and, on the attacker's command, send spam or carry out DoS attacks at the same time. Attack commands are mainly issued to the zombies over IRC.

48. What is CVE?

CVE (Common Vulnerabilities and Exposures) is a project of the American non-profit organization MITRE Corporation to identify known vulnerabilities. The organization assigns a CVE identification number (CVE-ID) to each discovered security vulnerability. When a security vendor provides countermeasures for several vulnerabilities, it uses this number to tell users which security vulnerability is concerned. The format is "CVE-(year)-(4-digit number)", and a product that uses this number is indicating a known security vulnerability.
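A small parser for the identifier format just described, added here as an example and not taken from the article or from MITRE's tooling. It accepts the 4-digit sequence form the article gives and, going beyond the article, sequence numbers longer than four digits, which have been permitted since 2014. The advisory text and the identifiers in it are constructed placeholders, not real CVE records.

```python
import re

# CVE-YYYY-NNNN: four-digit year, then a sequence of at least four digits.
# The article describes the 4-digit form; since 2014 the sequence part may be longer.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_cve_id(text):
    """Normalise and split a CVE-ID; returns None if the string is not a CVE-ID."""
    m = CVE_ID_RE.match(text.strip())
    if not m:
        return None
    year, seq = int(m.group(1)), m.group(2)
    if year < 1999:  # the CVE list started in 1999
        return None
    return {"id": f"CVE-{year}-{seq}", "year": year, "sequence": int(seq)}


def extract_cve_ids(text):
    """Collect the distinct CVE-IDs mentioned in free text, e.g. an IPS signature description."""
    return sorted({m.group(0).upper() for m in CVE_IN_TEXT_RE.finditer(text)})


# Constructed advisory text with placeholder identifiers (not real CVEs).
SAMPLE_ADVISORY = ("Signature 12345 blocks exploitation of cve-2099-00042; "
                   "see also CVE-2098-1234 and again CVE-2099-00042. Not an id: CVE-2099-12.")


if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(parse_cve_id(cve))
```

Normalising to upper case and de-duplicating matters in practice because the same vulnerability is often written in mixed case across vendor signatures, advisories and tickets.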


49. What is anti-virus?

Antivirus, also known as an anti-virus policy, protects devices from viruses by installing antivirus software on personal computers and servers.

Installing antivirus software on the terminal is called host-based antivirus. Scanning all communication data on the network with a firewall or dedicated device at the Internet gateway is called gateway antivirus. Gateway antivirus can prevent viruses from spreading within the LAN and prevent internal hosts from being used as springboards for attacks on the network.

| Advantages of gateway antivirus | Disadvantages of host-based antivirus |
| --- | --- |
| The same policy can be enforced for all clients, physical PCs and virtual PCs alike | Client PCs and virtual PCs cannot adopt the same security policy |
| Does not depend on the client operating system; scanning is unaffected even when the OS is no longer supported | Difficult to apply to discontinued or unsupported operating systems |
| Saves installing and upgrading software on every client | Software must be installed on every client, which takes effort |
| Users cannot stop the scanning process themselves | Users can stop scanning or updates at will |
| Protects against viruses coming from internal clients | Scans incoming external data, but cannot detect infected file traffic between hosts |
| Logs, reports and so on can be managed centrally on the gateway device | Logs are stored on each PC; central management needs another system |

| Advantages of host-based antivirus | Disadvantages of gateway antivirus |
| --- | --- |
| Does not depend on a specific communication protocol | Not all protocols are supported; typically only FTP, HTTP and e-mail protocols |
| Can scan every file received | Cannot scan every file, e.g. password-protected archives |
| Can run scans customized to the installed operating system | - |

The operation of confirming whether a virus is present is called scanning. Host-based antivirus scans within the host, while gateway antivirus scans the traffic.

50. What is anti-spam?

Spam refers to harassing, advertising and fraudulent e-mails. Many products have an anti-spam function to filter such mail, but anti-spam filtering is prone to false positives: normal e-mails may be filed away as spam, and the recipient mistakenly believes that no mail arrived. This needs attention.

51. What is DLP?

DLP stands for Data Loss Prevention, the function of preventing information leakage.

This function inspects the application data exchanged on the network and, when a specific file or piece of data is found, promptly takes actions such as raising an alarm, disconnecting the session and recording a log. It consists mainly of two parts: file filtering and data filtering.

| Function | Description |
| --- | --- |
| File filtering | Inspects the file information exchanged within a session to block the inflow of unwanted files and the outflow of confidential files. Generally the file name, extension and the file's internal data are analyzed and classified to decide whether the file must be blocked. |
| Data filtering | Inspects the data exchanged within a session; if data matching a specific keyword is found, it is discarded or an alert is raised. |

52. What is URL filtering?

The URL filtering function works on HTTP communication: when a client sends a request to a server, the URL in the request is checked to decide whether access is allowed, so that harmful web sites can be blocked. It is usually provided as software on a server or as a firewall function, and also as one of the functions of a proxy server.

53. What monitoring functions does the firewall have?

The firewall has monitoring-related functions such as monitoring, alarm notification, logging and reporting.

  • Monitoring (monitoring) : Monitors the real-time status of the network and network devices, observes traffic and fault information as it happens, and when a fault or abnormal situation occurs, raises an alarm and notifies the administrator promptly.

  • Alarm notification (alerting) : When a fault or a defined event occurs, an alarm is sent to the administrator. Alarm methods include sending an SNMP Trap, sending Syslog messages to a Syslog server, sending e-mail, etc.

  • Logging (logging) : Records various logs such as traffic logs and event logs. Logs can be exported as plain text, CSV, PDF, etc.

  • Reporting (reporting) : Processes the logs and presents information such as charts and graphs at a glance through a Web interface. Some firewalls send Syslog or proprietary logs to a management server, which then displays the reports.

54. What is the packet capture function?

Some security devices have a packet capture function. The captured packets can be browsed on the device itself, or exported as files in the WinPcap (pcap) format and viewed in Wireshark. When a communication failure occurs, it can be analyzed from the captured packet information.


55. What are the elements of firewall performance?

  • Simultaneous online sessions : The firewall controls communication in units of sessions by managing a session table. The number of entries the session table can hold is the number of simultaneous sessions the firewall can handle. Smaller firewall appliances typically manage tens of thousands of sessions, while firewalls used by telecom service providers can manage millions of sessions simultaneously.

  • Number of NAT table entries : Some firewalls or routers maintain the session table and the NAT table separately. The number of NAT table entries is the number of simultaneous NAT sessions, i.e. the maximum number of NAT sessions the device can establish. Firewalls without a separate upper limit on NAT table entries generally use the session limit instead.

  • Number of new sessions per second : Router performance is generally described by two parameters, the number of bits transmitted per second (bit/s) and the number of packets forwarded per second (pps). A firewall adds a further parameter, the number of new sessions per second, which expresses how many complete session establishment procedures it can finish within 1 second. A complete session establishment procedure includes monitoring the TCP 3-way handshake and, if the handshake is normal, generating the session information and recording it in the session table. Another indicator is also used: the number of sessions that can go from establishment to termination within 1 second, called the number of connections per second.


Origin blog.csdn.net/be_racle/article/details/132460074