Chapter_6 Flashcards

1
Q

Firewall

A

A combination of hardware and software that isolates an internal network from the larger Internet, allowing some packets to pass and blocking others.

2
Q

Firewall Locations in the Network

A

- Between internal LAN and external network
- At the gateways of sensitive subnetworks within the organizational LAN
- On end-user machines

3
Q

Firewalls: Why?

A

- Prevent denial of service attacks, e.g., SYN flooding
- Prevent illegal access to internal data
- Allow only authorized access to the inside network

4
Q

Firewalls: Philosophies
1. Block all dangerous destinations
or
2. Block everything; unblock things known to be both safe and necessary
- Option 1 gets you into an arms race with the attackers; you have to know everything that is dangerous, in all parts of your network
- Option 2 is much safer

A

TRUE

5
Q

Firewalls: Types

A

Filtering firewalls

Proxy firewalls

6
Q

Stateless Packet Filtering: Examples

A

slide 15

7
Q

Packet Filtering

A

Packet filtering operates by sequentially checking filtering rules against the datagram being inspected; the first rule matching the datagram determines the action taken.

8
Q

Packet Filtering Advantages:

A

- Simplicity
- Transparency to users
- High speed

9
Q

Packet Filtering Disadvantages:

A

- Difficulty of setting up packet filter rules
- Lack of authentication

10
Q

Possible attacks and appropriate countermeasures

A

- IP address spoofing: intruder attempts to gain access by altering a packet's IP address
  - Countermeasure: discard packets with an inside source address if the packet arrives on an external interface
- Source routing attacks: source station specifies the route that a packet should take as it crosses the Internet, to bypass security measures
  - Countermeasure: discard all packets that use this option
- Tiny fragment attacks: intruder uses the IP fragmentation option to force the TCP header information into a separate packet fragment. This attack is designed to circumvent filtering rules that depend on TCP header information.
  - Countermeasure: discard all packets where the protocol type is TCP and the IP Fragment Flag is equal to 1

11
Q

Session (Stateful) Packet Filtering

A

- Track status of every TCP connection
- Track connection setup (SYN) and teardown (FIN): can determine whether incoming and outgoing packets "make sense"
- Timeout inactive connections at the firewall: no longer admit their packets

12
Q

Proxy Firewalls

A

Packet-level filtering allows an organization to perform coarse-grain filtering on IP/TCP/UDP headers, including IP address, port number, and acknowledgment bits

13
Q

Proxy Firewalls Application level

A
Filters packets on application data as well as on IP/TCP/UDP fields
- Example: allow select internal users to telnet outside
[Diagram: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to destination host. Gateway relays data between two connections
3. Router filters (blocks) all telnet connections not originating from gateway

14
Q

Proxy Firewalls Application level

A

- Advantages:
  - Higher security than packet filters
  - Only need to scrutinize a few allowable applications
  - Easy to log and audit all incoming traffic
- Disadvantages:
  - Additional processing overhead on each connection (two spliced connections between the end users, with the gateway as splice point)

15
Q

Circuit-level Gateway

A

- Typical use is a situation in which the system administrator trusts the internal users
- An example is the SOCKS package

16
Q

Slide 36

A

TRUE

17
Q

Bastion Host

A

Bastion host is a hardened system implementing an application-level gateway behind a packet filter
- All non-essential services are turned off
- Application-specific proxies for supported services
  - Each proxy supports only a subset of the application's commands, is logged and audited, has disk access restricted, and runs as a non-privileged user in a separate directory (independent of others)
- Support for user authentication
- All traffic flows through bastion host
- Packet router allows external packets to enter only if their destination is the bastion host, and internal packets to leave only if their origin is the bastion host

18
Q

Limitations of Firewalls and Gateways

A

- IP spoofing: router can't know if data "really" comes from claimed source
- If multiple applications need special treatment, each has its own application gateway
- Client software must know how to contact gateway
  - E.g., must set IP address of proxy in Web browser
- Filters often use all-or-nothing policy for UDP

19
Q

Firewalls can and cannot

A
Firewalls can
- Restrict incoming and outgoing traffic by IP address, ports, or users
- Block invalid packets
Firewalls cannot protect
- Traffic that does not cross it
  - Routing around
  - Internal traffic
- When mis-configured
- 70% of all attacks come from inside the firewall
20
Q

VPN (Virtual Private Network)

A

Securely and privately connect two or more remote sites of an organization as if on a LAN
- Authenticate users
- Encrypt packets sent over the Internet, "VPN Tunnel"
  - IPSec (IP layer encryption)
  - Secure Sockets Layer/TLS
  - OpenVPN, an open standard VPN. It is a variation of SSL-based VPN that is capable of running over UDP

21
Q

Slide 46

A

TRUE

22
Q

Intrusion Detection Systems

A

- Intrusion:
  - A successful attack
  - Intruders attempt to bypass the security mechanisms of computer systems or network infrastructures and violate security properties: confidentiality, integrity, or availability.
  - Three types: system scanning, denial of service (DoS), system penetration
- Intrusion detection:
  - The process of identifying and responding to intrusion activities
  - The process of monitoring the events occurring in a computer system or network infrastructure and analyzing them for signs of intrusions

23
Q

Challenges to IDS

A

- The challenge to current IDSes is how to maximize accurate alerts.
  - False negative: IDS fails to identify an intrusion attempt
  - False positive: IDS incorrectly identifies an innocuous event as an intrusion

24
Q

IDS vs Firewall

A

- Firewall:
  - A system that enforces an access control policy between two networks.
  - As a fence around a system, a firewall has a couple of well-chosen gates.
  - A fence has no capability of detecting intrusions
- IDS:
  - Recognizes intrusions and answers: When? Where? What? Who? How?
  - An IDS complements a firewall and double-checks a misconfigured firewall

25
Q

IDS vs Firewall

A

- Firewall: Active filtering
- IDS: Passive monitoring

26
Q

Anomaly Detection

A

- Identifies unacceptable deviation from expected behavior
- An anomaly might include
  - Users logging in at strange hours
  - Unexplained reboots or changes to system clocks
  - Unusual error messages from mailers, daemons, or other servers
  - Multiple failed login attempts with bad passwords
  - Unauthorized use of the su command to gain UNIX root access
  - Users logging in from unfamiliar sites on the network
- Note: unexpected behavior is not necessarily an attack; it may represent new, legitimate behavior that needs to be added to the category of expected behavior

27
Q

Misuse Detection

A

- Sometimes called attack signature detection
- Identifies patterns corresponding to known attacks
  - Describe intrusion signatures based on past known anomalous activities
  - Match observed activities against intrusion signatures in database
  - Decide whether a given pattern of activity is suspicious or not
- Examples: rule-based system, immune system, neural networks, state transition analysis, data mining, abstraction-based model, pattern matching, case-based reasoning, and genetic algorithms.

28
Q

Slide 69

A

TRUE

29
Q

Host-based IDSs

A

Definition: A host-based intrusion detection system is software that monitors system or application log files. It responds with an alarm or a countermeasure when a user attempts to gain access to unauthorized data, files or services.

30
Q

Network-based IDSs

A

Definition: A network-based intrusion detection system monitors network traffic and responds with an alarm when it identifies a traffic pattern that it deems to be either a scanning attempt or a denial of service or other attack. It is quite useful in demonstrating that "bad guys" are actually trying to get into your computers.

31
Q

Host-based vs. Network-based IDS

A

Slide 74

32
Q

Evaluation of IDS

A

- Type I error (false negative): intrusive but not detected
- Type II error (false positive): not intrusive but detected as intrusive

33
Q

Slide 79 and 80

A

TRUE