3B. Analyse Appliance Monitoring Output Flashcards
Be able to interpret System event logs, Firewall logs, WAF Logs, Proxy Server Logs, Intrusion Detection and Prevention logs
What information do syslogs provide?
Information about the state of the network, servers, hardware, and applications, including details such as errors, security events, and authentication events. Messages are sent over port 514 TCP/IP with no encryption or authentication.
How has syslog been improved in its latest implementation?
- Now uses port 1468 for delivery confirmation, so if a syslog is not delivered, it will be sent again
- Uses TLS to encrypt messages sent to servers
- Uses MD5/SHA1 for authentication and integrity
What is an implicit deny firewall rule?
Traffic that does not match a specified rule is dropped
What are some key principles of firewall rulesets?
1) Block incoming requests from internal or private, loopback, and multicast IP address ranges as these have obviously been spoofed
2) Block incoming requests from protocols that should only be functioning at a local network level (e.g., ICMP, DHCP)
3) Configure IPv6 rules. Some hosts run dual-stack TCP/IP implementations with IPv6 on by default. Misconfiguration of a router could allow adversaries unfiltered access to the network over IPv6
Dropping vs Rejecting
Dropping involves not informing the client that a packet has been blocked, making it harder for adversaries to determine port states, while Rejecting will send a response to the client, which is useful for troubleshooting
What security intelligence do firewall logs provide?
1) Connections permitted or denied
2) Port and protocol usage
3) Bandwidth usage
4) Address translation audit trail
What are some guidelines for Egress filtering?
- Allow only whitelisted application ports, restrict destination addresses to authorised internet hosts (or use URL/content filtering to detect malicious traffic)
- Restrict DNS lookups to your own DNS services
- Block known bad IP addresses
- Block IP address spaces that are not authorised on local network
- Block internet access from host subnets that do not need it
Firewalking
Recon technique that involves enumerating firewall configurations. The attacker identifies open ports on the perimeter firewall, then crafts a packet to an open port with a TTL set to one hop past the firewall. If the firewall passes the packet, the next hop responds with “TTL Exceeded”, revealing that the port is allowed through. Can be mitigated with NAT.
Black holes
A type of defensive packet filtering whereby traffic is silently dropped before reaching its destination e.g. to mitigate a DoS, DoS traffic is sent to an IP address that is mapped to a non-existent host.
Sinkholes
Similar to black holes, except that traffic is redirected to another network for analysis
Forward Proxy
A server that forwards internal host HTTP requests to the intended destination
- Useful if outbound traffic must comply with policies
- Improves performance as it uses caching services
Non-transparent Proxy
The client must be configured with the proxy server address for its HTTP requests to be forwarded by the proxy server
Transparent proxy
The proxy intercepts traffic even if the client is not configured with the proxy server address. This is implemented at the network layer.
What do Forward Proxy logs show?
- User ID
- Request method used by client
- HTTP status code
- Size and MIME type of the resource returned to the client
Reverse proxy
A server that shields internal servers from direct contact with client requests.
What do Reverse Proxy logs show?
- Indicators of attack or compromise, e.g., malicious code in HTTP request headers and URLs
- Statistical analysis of response codes can identify anomalous deviation from baseline traffic
What is an IDS?
A packet sniffer (i.e., sensor) placed inside a firewall, attached to a SPAN or TAP port, that uses a ruleset to match suspicious traffic and generate event logs
What is IEEE 802.1X?
A standard for encapsulating EAP communications that provides port-based authentication
Port-based NAC (PNAC)
The network access device (e.g., switch, router) requests authentication of the connecting host (i.e., the supplicant) before activating the port. It does this by using the EAPoL protocol and waiting for the supplicant to provide authentication data
Health Policy
Set of rules and guidelines that define the minimum security configuration that a device must meet to be granted network access (e.g., firmware version, IDS status)