IDS and IPSec

Question 1

What is an intrusion detection system?

Answer 1

A system’s second line of defense that monitors events and analyzes them for signs of intrusions.

Intrusions are defined as attempts to compromise confidentiality, integrity, or availability.

Question 2

What is the primary function of a firewall?

Answer 2

Perimeter security by deciding which packets are allowed or denied, and which must be modified before passing.

Question 3

What is a limitation of firewalls?

Answer 3

Cannot detect security breaches associated with traffic that does not pass through it.

Question 4

What is an insider attack?

Answer 4

The most difficult type of attack to detect and prevent, often motivated by revenge or a feeling of entitlement.

Question 5

Define masquerader.

Answer 5

An unauthorized user who penetrates a system’s access controls to exploit a legitimate user’s privileges.

Question 6

Define misfeasor.

Answer 6

A legitimate user who is authorized for access but misuses their privileges.

Question 7

What is a clandestine user?

Answer 7

An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls.

Question 8

What are common behaviors of hackers?

Answer 8

• Map network for accessible services
• Identify potentially vulnerable services
• Use brute force methods
• Install remote administration tools

Question 9

What does an intrusion detection system (IDS) enable?

Answer 9

Collection of information about intrusion techniques that can be used to strengthen intrusion prevention measures.

Question 10

What are false positives in intrusion detection?

Answer 10

An intrusion is reported when none has actually occurred.

Question 11

What are false negatives in intrusion detection?

Answer 11

Fails to identify an actual intrusion when one has occurred.

Question 12

What is a true positive in the context of IDS?

Answer 12

An event the IDS accurately identifies as an intrusion.

Question 13

What is the goal of an effective IDS?

Answer 13

• Maximize true positives
• Minimize false positives and false negatives
• Minimize time spent verifying attacks

Question 14

What is a host-based IDS (HIDS)?

Answer 14

Monitors single host activity, detects intrusions, logs suspicious events, and sends alerts.

Question 15

What is signature/misuse detection?

Answer 15

Detection method that compares known malicious data patterns with current behavior.

Question 16

What is rule-based anomaly detection?

Answer 16

Analyzes historical audit records to identify usage patterns and generate rules that describe those patterns.

Question 17

What is an anomalous behavior?

Answer 17

Anything that deviates from the baseline of normal behavior will be flagged and logged as anomalous.

Question 18

What is statistical anomaly detection?

Answer 18

Collection of data relating to the behavior of legitimate users over time to identify illegitimate behavior.

Question 19

What is the base-rate fallacy in IDS?

Answer 19

An IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.

Question 20

What does a network-based IDS (NIDS) monitor?

Answer 20

Network traffic at selected points, examining the traffic packet by packet in real time.

Question 21

What is a honeypot?

Answer 21

Decoy systems designed to lure potential attackers and collect information about their activity.

Question 22

What is the difference between low interaction and high interaction honeypots?

Answer 22

• Low interaction: Emulates specific IT services
• High interaction: A real system with a full operating system and applications

Question 23

What is Snort?

Answer 23

A lightweight IDS that can function as a packet sniffer and network intrusion detection system.

Question 24

What are the two protocols used in IPSec?

Answer 24

• Authentication Header (AH)
• Encapsulation Security Protocol (ESP)

Question 25

What is the purpose of the Security Association (SA) in IPSec?

Answer 25

Establishes a network-layer logical connection between source and destination entities.

Question 26

What are the three situations for IPSec architecture?

Answer 26

* Host-to-host * Host-to-gateway * Gateway-to-gateway

Question 27

What does the Encapsulation Security Protocol (ESP) provide?

Answer 27

Source authentication, data integrity, and confidentiality.

Question 28

Fill in the blank: An IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level, otherwise it provides a _______.

Answer 28

[false sense of security]

Question 29

What is a common logging component for all types of IDS?

Answer 29

Timestamp, connection/session ID, event/alert type, rating, source and destination IP addresses.

Question 30

What is a main advantage of statistical anomaly-based intrusion detection systems?

Answer 30

Can detect 'zero days' or extremely new attacks.

Question 31

What is a disadvantage of signature/misuse detection?

Answer 31

Fails to detect new attack types and variants of known attacks.

Question 32

What is the primary purpose of IPSec?

Answer 32

To secure Internet Protocol communications.

Question 33

What uniquely identifies a Security Association (SA)?

Answer 33

The Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header.

Question 34

What does SPI stand for in the context of IPSec?

Answer 34

Security Parameters Index.

Question 35

What is the length of the Security Parameters Index (SPI)?

Answer 35

32-bit unsigned integer.

Question 36

What does the Security Protocol Identifier indicate?

Answer 36

Whether the association is an AH or ESP.

Question 37

What information does a Security Association (SA) store?

Answer 37

Parameters including SPI, origin SA interface, destination SA interface, type of encryption used, encryption key, type of integrity check used, and authentication key.

Question 38

What is the purpose of the Security Association Database (SAD)?

Answer 38

Defines the parameters associated with each SA.

Question 39

What is the function of the Security Policy Database (SPD)?

Answer 39

Determines if a given datagram should use IPSec.

Question 40

What do selectors in the SPD do?

Answer 40

Filter outgoing traffic based on IPs and upper-layer protocol field values.

Question 41

What happens to a packet if no match is found in the SPD?

Answer 41

The packet is discarded.

Question 42

True or False: If the SPD policy is BYPASS, the packet is forwarded without further IPSec processing.

Answer 42

True.

Question 43

What does the anti-replay service protect against?

Answer 43

Replay attacks where an attacker resends a copy of an authenticated packet.

Question 44

What is the maximum sequence number limit for IPSec?

Answer 44

232-1.

Question 45

What does the Authentication Header (AH) provide?

Answer 45

Source authentication and data integrity.

Question 46

What are the key components of the Encapsulation Security Payload (ESP)?

Answer 46

* SPI * Sequence Number * Payload data * Padding * Pad length * Next header * Integrity check

Question 47

What does ESP provide that AH does not?

Answer 47

Confidentiality of message content.

Question 48

Fill in the blank: The IPsec transport mode protects the _______ of an IP packet.

Answer 48

payload.

Question 49

In tunnel mode, what does ESP encrypt?

Answer 49

The entire inner IP packet, including the inner IP header.

Question 50

What is a security association bundle?

Answer 50

A sequence of SAs through which traffic must be processed to provide desired IPSec services.

Question 51

What is the purpose of the Internet Key Exchange (IKE)?

Answer 51

Mutual authentication, shared secret establishment, crypto algorithms negotiation, and security association establishment.

Question 52

What are the two types of key management in IPSec?

Answer 52

* Manual * Automatic

Question 53

What is the default automated key management protocol of IPSec?

Answer 53

ISAKMP/Oakley protocol.

Question 54

What is the main advantage of IKE over traditional key exchange methods?

Answer 54

It retains the advantages of Diffie-Hellman while countering its weaknesses.

Question 55

What are cookies used for in IKE?

Answer 55

To thwart clogging attacks.

Question 56

True or False: IKE allows for the negotiation of security attributes.

Answer 56

True.

Question 57

What does Phase 1 of IKE establish?

Answer 57

A secure, authenticated channel between two computers.

Question 58

What is negotiated during Phase 2 of IKE?

Answer 58

IPsec Security Associations (AH, ESP).

Question 59

What port does IKE Phase 1 exchange use?

Answer 59

UDP Port 500.

Question 60

What protocols does AH and ESP use?

Answer 60

* AH uses IP protocol 51 * ESP uses IP protocol 50

Question 61

What is the purpose of the IKE payload types?

Answer 61

To define various elements needed for establishing, negotiating, modifying, and deleting SAs.

Question 62

What combination of security does the Transport-Tunnel bundle provide?

Answer 62

Authentication before encryption between two hosts.

Question 63

What is a common example of a cryptographic suite in IKE?

Answer 63

Suite VPN A relies on 3DES and HMAC.

Question 64

What is the recommended cryptographic suite for new VPNs using IPSec?

Answer 64

Suite VPN B, which relies on AES.