Exam Prep Flashcards

0
Q

Where to place ACLs?

A

Standard: as close to destination as possible.
Extended: as close to source as possible.

1
Q

Which layers do packet filter and stateful firewalls operate at?

A

Packet filter: layers 3 and 4

Stateful: layers 3, 4 and 5

2
Q

Discuss reflexive ACLs

A

Allows IP traffic for sessions originating from the inside network while blocking traffic initiated from outside.

Router examines outbound traffic and creates a temporary ACL entry to allow the return traffic.

3
Q

Discuss dynamic ACLs

A

Authenticates a user and permits that user and associated traffic through the firewall.

4
Q

Discuss common firewall properties

A
  • must be resistant to attacks
  • must be the only transit point between networks
  • enforces access policy of the organisation
5
Q

Discuss the protective measures of a firewall

A
  • exposure of sensitive hosts and applications
  • exposure of protocol flaws
  • malicious data
6
Q

Discuss limitations of a firewall

A
  • misconfiguration can be deadly
  • end use can be restricted by policies
7
Q

Discuss firewall design practice

A
  • position the firewall at key security boundaries between different trust levels
  • should be the primary security device
  • deny all traffic by default
  • implement various firewall technologies (defence in depth)
8
Q

Stateful vs stateless

A

Stateless: ACLs filter traffic based on source and destination IP, TCP and UDP port numbers, TCP flags, ICMP types/codes.

Stateful: inspection remembers the state of requests, stores them in a session table and tracks each connection. It detects when applications need additional traffic streams and dynamically allows them. Monitors the state of connections: initiating, data transfer or terminated.

9
Q

Disadvantages of packet filtering firewalls

A
  • can be complex to configure
  • can't prevent application layer attacks
  • susceptible to TCP/IP protocol attacks
10
Q

Advantages of packet filtering firewalls

A
  • they process packets very fast
  • they easily match on most criteria. Layer 3 and 4 headers provide a lot of flexibility in implementing policies.
11
Q

Uses for packet filtering firewalls

A
  • typically implemented on a perimeter router as a first line of defence
  • when security policies can be fulfilled using packet filters alone
12
Q

Stateful firewalls

A
  • tracks every connection traversing all interfaces and confirms they are valid
  • examines info in the layer 3 and 4 headers, e.g. TCP flags
  • state table contains source and destination addresses, port numbers, UDP connection info and TCP sequence numbers
13
Q

Improvements of stateful over packet filter firewalls

A
  • maintains a session table
  • recognises dynamic apps that need extra connections or access through the firewall
14
Q

Zone-based firewalls

A
  • stateful inspection
  • application inspection
  • URL filtering
  • per-policy parameters
  • transparent firewall
  • VRF (virtual routing and forwarding) aware
15
Q

Zone types

A

Public-DMZ
DMZ-private
Private-DMZ
Private-public

16
Q

Benefits of zone based

A
  • not dependent on ACLs
  • blocks unless explicitly allowed
  • policies easier to configure and troubleshoot
  • one policy affects all traffic in that zone, no need for multiple ACLs
17
Q

Actions of ZPF

A

Inspect: automatically allows return traffic and ICMP messages. Handles proper establishment of data sessions.

Pass: like permit in an ACL. Doesn't track the state of sessions. Only allows traffic in one direction; a similar corresponding policy must be applied in the opposite direction to allow two-way traffic.

Drop: like deny in an ACL. Log option available.

18
Q

IPS/IDS signature types

A

Atomic: one packet required
Composite: many packets required

19
Q

Atomic signatures

A
  • examines single packets for ICMP, TCP, UDP
  • doesn't require any knowledge of previous or future packets
  • IDS vulnerable …, IPS not.
20
Q

Composite signature

A
  • requires multiple packets to match before an alarm is triggered, so it must maintain state info
  • sensor detects a packet that matches, then monitors subsequent packets
21
Q

IDS vs IPS

A

IDS: passive, promiscuous.
IPS: active, inline. Adds latency, packet loss, etc.

22
Q

Five steps of setting up a GRE tunnel.

A
  • create tunnel interface
  • assign tunnel IP
  • identify source
  • identify destination
  • (optional) identify the protocol to be encapsulated
23
Q

Authentication header

A
  • doesn't provide confidentiality (encryption)
  • only ensures the origin of the data and verifies it has not been modified in transit
  • if used alone, provides weak protection
  • can have problems with NAT
24
Q

Encapsulating Security Payload (ESP)

A
  • same as AH but provides encryption
  • payload encrypted, then hashed

25
Q

VPN transport/tunnel mode

A

Transport:

  • security provided for layer 4 and above only
  • ESP transport mode used between hosts
  • works well with GRE, since GRE hides the original end addresses

Tunnel mode:

  • provides security for the whole IP packet
  • ESP tunnel mode used in remote access and site-to-site VPNs
  • IP packet encrypted and encapsulated in another IP packet (IP-in-IP encryption)
26
Q

IKE

A
  • helps IPsec securely exchange keys
  • combines the ISAKMP and Oakley protocols
  • IKE/ISAKMP terms often used interchangeably
27
Q

IKE phases

A

Phase 1:

  • negotiates the IKE protocol suite
  • exchanges keying material to protect the DH sessions
  • peers authenticate each other
  • establishes the IKE SA

Phase 2:

  • negotiates IPsec parameters
  • establishes IPsec SAs
  • periodically renegotiates SAs to ensure security
  • optionally performs an additional DH exchange
28
Q

Services of IPSEC

A

Confidentiality: provides encryption to prevent data being read

Integrity: hashes and checksums

Authentication:

  • usernames and passwords
  • one time passwords
  • pre shared keys
  • digital certificates
29
Q

Anti-replay protection

A

Verifies each packet is unique and not a duplicate. Packets are protected by comparing the sequence numbers. Late or duplicate packets are dropped.

30
Q

Application layer gateway firewalls

A

Firewalls which monitor application layer protocols and dynamically allow them through the firewall, for the duration of the session only.

31
Q

Steps in hacking

A
  • reconnaissance
  • social engineering
  • privilege escalation
  • back doors
32
Q

Providing secure access to a router

A

Establish a dedicated management workstation
Encryption of all data
Packet filter

33
Q

Securing a router from attacks

A
  • physical security - locks, authentication
  • router hardening - services, ports, etc.
  • OS security - max RAM, latest stable OS, secure copy as a backup
34
Q

Access rule criteria of firewalls. Name and describe four

A
  • rules based on service control
    Determine the type of services and access
  • rules based on direction control
    e.g. HTTP outbound but not inbound
  • rules based on user control
    Restrictions on users inside the FW or external VPN users
  • rules based on behaviour control
    Controls how services behave, e.g. filter email to eliminate spam
35
Q

ALGs

A
  • higher level of security than packet filters
  • layers 3, 4, 5 and 7
  • they include specialised software and proxy servers
  • can provide detailed checks for valid data
  • act as an intermediary between client and server
  • the external IP of the proxy is used, not the client's
36
Q

Advantages of ALG

A
  • authenticate individuals, not devices
  • make it harder to spoof and DoS
  • monitor and filter apps
  • detailed logging
37
Q

IPS/IDS evasion techniques

A
  • traffic fragmentation
  • timing attacks
  • resource exhaustion
  • encryption and tunnelling
38
Q

Where would IPS and IDS be used together?

A

IDS could be used on the outside of the firewall (untrusted network) in promiscuous mode to capture and analyse a lot of traffic and attacks. This information could then be used to make improvements to internal security and to an IPS running inside. The IPS would be inline on the inside of the firewall (trusted network) and could focus on defending the network more specifically, given the info collected by the external IDS.

39
Q

What does the TCP established keyword do?

A

Only allows return traffic. Forces the router to check for the TCP ACK and RST flags. If the ACK bit is set it's assumed to be return traffic; if not, it's dropped.

This isn't stateful, it's basic.

40
Q

IPS signature detection technique. Advantages and disadvantages

A

Signature based:

  • easy to configure
  • gives fewer false positives
  • have good signature design
  • can’t detect unknown threats
  • initially produce a lot of false positives
  • signatures need to be created, updated and tuned
41
Q

IPS policy based detection advantages and disadvantages

A
  • simple and reliable
  • allows for customisable policies
  • can detect unknown attacks
  • detailed knowledge of network traffic required
  • can be time consuming to create policies
42
Q

IPS anomaly based detection advantages and disadvantages

A
  • easy to configure
  • can detect unknown attacks
  • difficult to profile typical activity in large networks
  • traffic policy must be constant
43
Q

IPS reputation based detection advantages and disadvantages

A
  • leverages local, enterprise and global correlation
  • provides improved accuracy and relevance
  • prone to false positives and negatives
  • requires timely updates
44
Q

What is a signature file and engine?

A

Engine typically responds to the protocol in which the signature occurs and looks for malicious activity in that protocol. Used to load signature files and scan engines

Each engine works as an interrogator and specialises in one type of interrogation

45
Q

What is Anti replay

A

Verifies each packet is unique and not duplicated by comparing sequence numbers. Packets that arrive before the sliding window are considered late or duplicate and are dropped.

46
Q

AH?

A
Data integrity through hashing
Data origin authentication through hashing
Anti-replay protection
Protocol number 51
Supports MAC algorithms MD5 and SHA-2

Doesn't provide confidentiality
All text unencrypted
Problems with NAT

47
Q

ESP?

A

Data confidentiality through encryption
Data integrity through hashing
Data origin authentication through hashing
Anti replay protection
It encapsulates the data to be protected
Protocol number 50

48
Q

Transport mode

A

Security provided to transport layer and above
Protects payload but leaves original IP address in plaintext
Used between hosts and not compatible with NAT
Works well with GRE because GRE hides the original IP

49
Q

Tunnel mode

A

Provides security for the complete IP packet
Original IP packet encrypted and then encapsulated in another IP packet (IP-in-IP encryption)
Used in remote access and site-to-site VPNs

50
Q

What does IPSEC use IKE for?

A
Authenticates peers and generates encryption keys
Negotiates SAs between peers
Automatic key generation
Automatic key refresh
Manageable manual config
51
Q

IKE phase 1

A

Negotiates the IKE protocol suite (encryption, hash, key exchange, lifetime)
Exchanges keying material (DH)
Peers authenticate each other

52
Q

IKE phase 2

A

Which data should be protected between peers
What security protocols used to protect traffic
How should data be protected (encryption, hash)
What mode of operation (tunnel or transport)
What key management should be used
What is the lifetime of data connection

53
Q

Five steps of VPN

A
Interesting traffic arrives at the router
IKE phase 1
IKE phase 2
Transmit data
Tunnel terminated
54
Q

AH, ESP and NAT

A

AH breaks completely with any type of NAT. Doesn't work with PAT because an outer UDP or TCP header is needed. Won't work with NAT because most of the fields in the IP header are used to calculate the HMAC.

ESP works with NAT since the outer header is not included in the hash calculation.
ESP doesn't work with PAT for the same reason as AH.

55
Q

Advantages and disadvantages of a static packet filter

A

Based on simple permit and deny statements
Minimal impact on network performance
Simple to implement
Configurable on most routers
Can perform many of the basic filtering needs

Susceptible to IP spoofing
Doesn't accurately filter fragmented packets
Extremely long ACLs hard to manage
Stateless
Doesn't work well with dynamic apps
56
Q

Advantages and disadvantages of ALGs

A

Very tight control is possible due to layer 7 analysis
More difficult to attack end devices due to proxy
Provides very detailed logging
May be implemented on common hardware

Processor intensive
Not all apps supported
Special client software may be needed
Memory and disk intensive

57
Q

Advantages and disadvantages of stateful firewalls

A

Can be used as the primary means of defence
Can be implemented on routers and dedicated FWs
Dynamic in nature
Provides defence against DoS and spoofing

May not prevent app layer attacks
Not all protocols contain controllable state info, e.g. UDP, ICMP
Some dynamic apps may experience problems as the firewall tries to adapt and open ports
Doesn't authenticate users by default

58
Q

Syntax for ZBF policy

A

class-map type inspect match-any MYCMAP
 match protocol http
 match protocol ftp

policy-map type inspect MYPMAP
 class type inspect MYCMAP
  inspect

59
Q

IKE phase 1

A

HAGLE:

Hash
Authentication
DH Group
Lifetime of the tunnel
Encryption algorithm for phase 1
60
Q

Solution to NAT problems with esp

A

NAT traversal (NAT-T). Inserts a TCP or UDP header after the outer IP header but before the ESP header, allowing it to work with PAT.

Dynamic and static NAT work with ESP but not AH, as AH includes the IP header in the hash calculation.