Firewalls and Intrusion Detection

Question 1

What is a firewall?

Answer 1

A security device that sits between the internet and an intranet

Question 2

What are the goals of a firewall?

Answer 2

Enforces security policy (only authorized traffic passes)

Dependable (firewall is immune to subversion)

Question 3

What is allowed to pass through the firewall?

Answer 3

Traffic such as address ranges, protocols, applications and content types

Question 4

How is a firewall access policy created?

Answer 4

Developed from an organization’s information security risk assessment and policy
Depends on what kind of traffic the organization needs to support

Question 5

What are the limitations of a firewall?

Answer 5

Internal traffic
Traffic routed around the firewall
Can be misconfigured

Question 6

What else can firewalls do?

Answer 6

Encryption
Network Address Translation
Additional information through logging

Question 7

What kinds of filtering can firewalls do?

Answer 7

Packet filtering

Session filtering

Question 8

What is packet filtering?

Answer 8

Packets are allowed through based on individual packets (usually based on IP or TCP header)
No state information saved
Packets forwarded or discarded based on rule match

Question 9

What are the two default policies for packet filtering firewalls?

Answer 9

Discard: prohibit unless expressly allowed (visible to users)
Forward: permit unless expressly prohibited (easier to manage, less secure)

Question 10

What happens when dynamic protocols are in use?

Answer 10

An entire range of ports must be open (normally >1024)

Question 11

What are the advantages of packet filtering?

Answer 11

Simple
Transparent to users
Very fast

Question 12

What are the disadvantages of packet filtering?

Answer 12

Cannot prevent attacks that use application specific vulnerabilities or functions
Limited logging ability
Vulnerable to attacks that take advantage of TCP/IP
Can be improperly configured

Question 13

What are defenses for packet filtering firewalls?

Answer 13

Discard packets with an inside source address that come in from the outside
Discard all packets where the source destination specifies the route to take
First fragment of a packet must contain the minimum amount of transport header

Question 14

What is a Stateful Inspection Firewall?

Answer 14

Creates a directory of TCP connections
Packets must match profile of these directory entries
Keeps track of TCP sequence numbers
Inspects data for protocols like FTP, IM and SIPS

Question 15

What is an application level gateway?

Answer 15

Also called an application proxy
Acts as a relay of application level traffic
Requester connects to proxy. Proxy accesses internal resources on their behalf and returns results.
Must have proxy code for each application
Secure, but at expense of processing overhead for each connection

Question 16

What is a bastion host?

Answer 16

Serves as a platform for application level gateway

Critical strong point in network’s security

Question 17

What are the characteristics of a bastion host?

Answer 17

Runs secure OS with only essential services
May require authentication
Each proxy can be restrictive
Each proxy is small, simple, checked for security
Limited disk use (read only code)
Each proxy runs as a non privileged user in private and secure directory

Question 18

What are host based firewalls?

Answer 18

Used to secure an individual host
Filters and restricts packet flows
Can be flexible to host environment
Independent of topology
Additional layer of protection

Question 19

What is a personal firewall?

Answer 19

Controls traffic between workstation and internet
Usually a software module on computer
Less complex
Primary role is to deny unauthorized remote access

Question 20

What are some advanced firewall protective measures?

Answer 20

Stealth mode: drop unsolicited communication packets
Block UDP packets
Check for unwanted activity
Applications need authorization to provide services

Question 21

What are internal firewalls?

Answer 21

Firewalls that sit inside a network
Provides two way protection with respect to the DMZ
Can protection parts of internal network from each other

Question 22

What is distributed firewall deployment?

Answer 22

Multiple firewalls (internal, external, host) operating under a centralized administrative control

Question 23

What are firewall topologies?

Answer 23

Host-resident firewall
Screening router
Single bastion inline
Single bastion T
Double bastion inline
Double bastion T
Distributed firewall configuration

Question 24

What is a screening router?

Answer 24

Single router between internal and external networks with stateless or full packet filtering

Question 25

What is a single bastion inline?

Answer 25

A single firewall device between internal and external router

Question 26

What is a single bastion T?

Answer 26

Third network interface on bastion to a DMZ where externally visible servers are placed

Question 27

What is a double bastion inline?

Answer 27

DMZ is sandwiched between bastion firewalls

Question 28

What is a double bastion T?

Answer 28

DMZ on separate network interface on a bastion firewall

Question 29

What is an Intrusion Detection System effective against?

Answer 29

Known, less sophisticated attacks

Question 30

What is an IDS ineffective against?

Answer 30

Zero day exploits

Question 31

What are the primary assumptions of intrusion detection?

Answer 31

• System activities are observable

- Activities have distinct evidence

Question 32

What are the components of an IDS? (Algorithmic)

Answer 32

Features (capture evidence)

Models (draw conclusions from the evidence)

Question 33

What are the components of an IDS? (Sys Architecture)

Answer 33

Audit data processor
Knowledge Base
Decision Engine
Alarm generation and responses

Question 34

What is the order of components in an IDS?

Answer 34

• Data preprocessor
• Detection engine (detection models generate alerts)
• Decision engine (decision table generates response/report)

Question 35

What are the types intrusion detection approaches are there?

Answer 35

• Modeling and analysis
• Deployment
• Development and maintenance

Question 36

What is anomaly detection?

Answer 36

• Analysis approach
• Collects data of legitimate users over a period of time (baseline)
• Compares baseline to new behavior to determine if behavior is normal or not

Question 37

What is misuse/signature detection?

Answer 37

• Analysis approach
• Compares known malicious data patterns (signatures) to current behavior
• Only effective when rules are known
• Signatures need to be large enough to minimize false alarm rate

Question 38

What is a statistical approach?

Answer 38

Analysis of observed behavior using variable models or time series models of observed metrics

Question 39

What is a knowledge based approach?

Answer 39

An expert classifies observed behavior according to a set of rules that model legitimate behavior

Question 40

What is a machine learning approach?

Answer 40

Automatically determines classification of behavior from training data using data mining techniques

Question 41

What are the problems with classification approaches?

Answer 41

Efficiency

Cost

Question 42

What are the advantages of a statistical approach?

Answer 42

• Simple
• Low computation cost
• Lack of assumptions about expected behavior

Question 43

What are the disadvantages of statistical approaches?

Answer 43

• Difficulty selecting suitable metrics

- Cannot model all behaviors

Question 44

What are the advantages of knowledge based approaches?

Answer 44

• Robust

- Flexible

Question 45

What are the disadvantages of knowledge based approaches?

Answer 45

• Difficult and time consuming to learn

- Need humans

Question 46

What are the advantages of using a machine learning approach?

Answer 46

• Flexible
• Adaptable
• Able to capture relationships between data points

Question 47

What are the disadvantages of using a machine learning approach?

Answer 47

• Depends on assumptions about acceptable behavior
• High false alarm rate
• High resource cost
• Significant time and computational resources
• Dependent on training data

Question 48

What are different machine learning intruder detection approaches?

Answer 48

• Bayesian networks
• Markov models
• Neural networks
• Clustering and outlier detection

Question 49

What are the advantages of the signature approach?

Answer 49

• Low cost in time and resources

- Widely accepted and used

Question 50

What are the disadvantages of the signature approach?

Answer 50

• Takes a lot of time and effort to create new signatures

- Cannot detect zero day attacks

Question 51

What is rule based detection?

Answer 51

Uses rules for identifying known penetrations or identify suspicious behavior

Rules are usually specific

Question 52

What do network intrusion detection systems do?

Answer 52

• Perform passive monitoring (records and analyzes data)
• Only acts if an alert is sent out and the response policy has a response
• Monitors traffic at selected points on a network

Question 53

What are the parts of a NIDS?

Answer 53

• Sensors
• NIDS management servers
• Human management consoles

Question 54

What are inline sensors?

Answer 54

• Detects and prevents attacks on the network
• Traffic that it is monitoring must pass through it
• Firewall + NIDS combo

Question 55

What is a passive sensor?

Answer 55

• Monitors a copy of network traffic, not actual traffic

- More efficient

Question 56

What is the difference between a firewall and a Network IDS?

Answer 56

Active vs passive

Fail close vs fail open

Question 57

What are honeypots?

Answer 57

• Decoy systems that lure attackers away from critical systems
• Collect information on attackers as soon as it is accessed
• Delay attackers so that administrators can respond

Question 58

How do you know when a honeypot has been compromised?

Answer 58

Should be no outbound traffic from a honeypot

Question 59

What are the two types of honeypots?

Answer 59

Low interaction (partial copy of the system)
High interaction system (full copy)

Question 60

How do we evaluate IDS?

Answer 60

• Scalable
• Resilient
• How good they are at guessing attacks correctly

Question 61

What does the Bayesian Detection Rate tell us about IDS?

Answer 61

• Need to reduce false alarm rates
• Need a high base rate
• Multiple independent detection models are needed
• Want the BDR to be high

Question 62

What is the base rate at the packet level for a Network IDS?

Answer 62

Low

Question 63

How can an attacker avoid NIDS?

Answer 63

• Ambiguities in protocols have led to different implementations in different OSes (TTL, fragmentation overlap)

Question 64

What is an IPS?

Answer 64

• Intrusion Detection and Prevention System
• Extension of an IDS
• Can block or prevent malicious activity
• Host-based, network-based, distributed/hybrid based
• Can use anomaly detection