Final Exam Prep - Textbook Items Flashcards

1
Q

Types of Firewalls (4)

A

Packet Filtering Firewall
Stateful Inspection Firewalls
Application-Level Gateway
Circuit-Level Gateway

2
Q

Firewall Basing (3)

A

Bastion Host
Host-Based Firewalls
Personal Firewall

3
Q

Firewall Location and Configurations (3)

A

DMZ Networks
Virtual Private Networks
Distributed Firewalls

4
Q

Intrusion Prevention Systems

A

Host-Based IPS
Network-Based IPS
Distributed or Hybrid IPS
Snort Inline

5
Q

network-based IPS (NIPS)

A

inline NIDS with the authority to modify or discard packets and tear down TCP connections. As with a NIDS, a NIPS makes use of techniques such as signature/heuristic detection and anomaly detection.

Pattern matching: 
Stateful matching: 
Protocol anomaly: 
Traffic anomaly: 
Statistical anomaly:
6
Q

9.1 List three design goals for a firewall.

A

9.1 Answers

  1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this chapter.
  2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this chapter.
  3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and often required in government applications.
7
Q

IP address spoofing

A

The intruder transmits packets from the outside with a source IP address field containing an address of an internal host.

The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface; this is often implemented at the router external to the firewall.

8
Q

packet filtering firewall

A

applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet

configured to filter packets going in BOTH DIRECTIONS

Filtering based on:
Source IP address
Destination IP address
Source and destination transport-level address
IP protocol field
Interface
9
Q

Tiny fragment attacks

A

The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment.

Defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments.

10
Q

application-level gateway

A

also called an application proxy, acts as a relay of application-level traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.
Application-level gateways tend to be more secure than packet filters.

11
Q

bastion host

A

a system identified by the firewall administrator as a critical strong point in the network’s security. Typically, the bastion host serves as a platform for an application-level or circuit-level gateway.

The bastion host hardware platform executes a secure version of its operating system, making it a hardened system.

Only the services that the network administrator considers essential are installed.

12
Q

circuit-level gateway firewall

A

or circuit-level proxy.

can be a stand-alone system or it can be a specialized function performed by an application-level gateway for certain applications.

does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents.

The security function consists of determining which connections will be allowed.

A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections

SOCKS

13
Q

host-based firewall

A

software module used to secure an individual host.

filter and restrict the flow of packets.

A common location for such firewalls is a server.

advantages

 Filtering rules can be tailored to the host environment.
 Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.
 Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration.
14
Q

host-based IPS (HIPS)

A

can make use of either signature/heuristic or anomaly detection techniques to identify attacks

Examples of the types of malicious behavior addressed by a HIPS include the following:

  • Modification of system resources: Rootkits, Trojan horses, and backdoors operate by changing system resources, such as libraries, directories, registry settings, and user accounts.
  • Privilege-escalation exploits
  • Buffer-overflow exploits:
  • Access to e-mail contact list:
  • Directory traversal:
15
Q

Distributed or Hybrid IPS

A

Type of NIPS
gathers data from a large number of host- and network-based sensors and relays this intelligence to a central analysis system that is able to correlate and analyze the data.

16
Q

stateful packet inspection firewall

A

tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 9.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.

17
Q

unified threat management

UTM

A

a single device that integrates a variety of approaches to dealing with network-based attacks

The approach to reducing the administrative and performance burden is to replace all inline network products (firewall, IPS, IDS, VPN, antispam, antispyware, and so on)

18
Q

virtual private network (VPN)

A

consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security.

uses encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.

19
Q

intruder behavior

A

Target Acquisition and Information Gathering:
Initial Access:
Privilege Escalation:
Information Gathering or System Exploit:
Maintaining Access:
Covering Tracks:

20
Q

banner grabbing

A

consists of initiating a connection to a network server and recording the data that is returned at the beginning of the session. This information can specify the name of the application, version number, and even the operating system that is running the server.

21
Q

3 logical components of IDS

A

Sensors
Analyzers
User interface

23
Q

IDS Classifications

A

Host-based IDS (HIDS): Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity.
Network-based IDS (NIDS): Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.
Distributed or hybrid IDS: Combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity.

24
Q

base-rate fallacy

A

It is difficult to meet the standard of a high rate of detections with a low rate of false alarms. In general, if the actual number of intrusions is low compared to the number of legitimate uses of a system, then the false alarm rate will be high unless the test is extremely discriminating.

25
Q

IDS analysis approaches

A
1. Anomaly detection
   Statistical
   Knowledge based
   Machine-learning 
2. Signature or Heuristic detection
26
Q

host-based IDS

A

adds a specialized layer of security software to vulnerable or sensitive systems, such as database servers and administrative systems.

The primary benefit of a HIDS is that it can detect both external and internal intrusions, something that is not possible either with network-based IDSs or firewalls.

It can use either anomaly or signature and heuristic approaches to detect unauthorized behavior on the monitored host.

27
Q

types of attacks that are suitable for anomaly detection

A

Denial-of-service (DoS) attacks
Scanning
Worms

28
Q

honeypot

A

Divert an attacker from accessing critical systems.
Collect information about the attacker’s activity.
Encourage the attacker to stay on the system long enough for administrators to respond.

29
Q

inline sensor

A

Type of NIDS sensor.

inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.

30
Q

intrusion detection exchange format

A

A document that describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model.

31
Q

Two types of network sensor

A

inline
passive

More commonly, passive sensors are used.

32
Q

passive sensor

A

monitors a copy of network traffic; the actual traffic does not pass through the device. From the point of view of traffic flow, the passive sensor is more efficient than the inline sensor, because it does not add an extra handling step that contributes to packet delay.

33
Q

Snort installation consists of four logical components

A

Packet decoder
Detection engine: The detection engine does the actual work of intrusion detection.
Logger
Alerter

34
Q

symmetric encryption 5 ingredients

A
Plaintext
Encryption algorithm
Secret key
Ciphertext
Decryption algorithm
35
Q

two general approaches to attacking symmetric encryption

A

cryptanalysis

brute force attack

36
Q
Advanced Encryption Standard (AES)
asymmetric encryption 
authentication 
brute-force attack 
ciphertext
collision resistant 
confidentiality 
cryptanalysis
Data Encryption Standard (DES)
data integrity
Decryption
Diffie-Hellman key exchange 
digital signature
Digital Signature Standard (DSS)
elliptic curve cryptography 
hash function
keystream
message authentication 
message authentication code (MAC)
modes of operation 
one-way hash function 
plaintext
preimage resistant 
private key 
pseudorandom number
public key
public-key certificate 
public-key encryption 
random number
RSA
second preimage resistant 
secret key
secure hash algorithm (SHA)
secure hash function 
strong collision resistant
triple DES
weak collision resistant

A

-

37
Q

Symmetric Block Encryption Algorithms

A

Data Encryption Standard (DES),
triple DES,
and the Advanced Encryption Standard (AES);

38
Q

9.2 List four characteristics used by firewalls to control access and enforce a security policy.
9.3 What information is used by a typical packet filtering firewall?
9.4 What are some weaknesses of a packet filtering firewall?
9.5 What is the difference between a packet filtering firewall and a stateful inspection firewall?
9.6 What is an application-level gateway?
9.7 What is a circuit-level gateway?
9.8 What are the differences among the firewalls of Figure 9.1?
9.9 What are the common characteristics of a bastion host?
9.10 Why is it useful to have host-based firewalls?
9.11 What is a DMZ network and what types of systems would you expect to find on such networks?
9.12 What is the difference between an internal and an external firewall?
9.13 How does an IPS differ from a firewall?
9.14 What are the different places an IPS can be based?
9.15 How can an IPS attempt to block malicious activity?
9.16 How does a UTM system differ from a firewall?

A

-