Intrusion Prevention Flashcards

1
Q

Firewall

A

Controlled link used to erect a security wall or perimeter. Single choke point -> one layer of defense in depth.

Defines definite rules on what can pass through; rules can be based on:
- IP address/protocol for specific services
- access controls by application
- access based on the user's identity (IPSec)
- time of request

Scope
Single choke point; monitoring point for audits and logs; platform for IPSec or VPNs. Limits: cannot protect against traffic that bypasses the firewall, or against a device that is infected outside and then attached to the internal network.

2
Q

Types of firewalls - Packet filtering

A

Applies rules to each incoming/outgoing IP packet -> discards or forwards it.
Rules can match on source/destination IP address, transport-level protocol and port, and the interface.
Default policies
- Discard: what is not explicitly allowed is prohibited (more conservative -> government organizations, businesses)
- Forward: what is not explicitly disallowed is permitted (more user-friendly, reduced security -> universities)

Requiring the ACK flag to be set restricts a rule to packets that belong to an already established connection.
Cannot prevent attacks that exploit application-level vulnerabilities.

Vulnerable to attacks that exploit problems in the TCP/IP specification and protocol stack, e.g. network-layer address spoofing: the filter cannot detect that Layer 3 address information has been altered.

Attacks and countermeasures
- IP spoofing: intruder transmits packets from the outside with the source address of an internal host -> discard packets with an inside source address that arrive on an external interface
- Source routing attack: source station specifies the route a packet takes -> discard all packets that use this option
- Tiny fragment attack: intruder uses IP fragmentation to create extremely small fragments and force the TCP header into a separate packet fragment -> enforce that every packet must contain a predefined minimum amount of the transport header

3
Q

Types of firewalls - Stateful inspection

A

Creates a directory of outbound TCP connections and allows incoming traffic only for packets that fit the profile of one of the entries.
Some also keep track of TCP sequence numbers to prevent attacks like session hijacking.
Some inspect limited application data for well-known protocols (FTP, IM, SIPS commands).

4
Q

Types of firewalls - Application-Level Gateway/Proxy

A

Acts as a relay of application-level traffic.
User contacts the gateway -> user authenticates -> gateway relays TCP segments between the two endpoints -> if the gateway does not implement proxy code for an application, that service is not supported and its traffic is discarded -> lets the administrator explicitly define the allowable applications.
Adds processing overhead on each connection.

5
Q

Types of firewalls - Circuit-level gateway/proxy

A

Sets up two TCP connections: one between itself and a TCP user on an inner host, and one between itself and a TCP user on an outside host.
Its security function consists of determining which connections will be allowed.

Typical use where internal users are trusted: application-level proxy for inbound connections and circuit-level gateway for outbound connections.

6
Q

SOCKS - Circuit-level gateway

A

Framework for client-server applications (TCP and UDP)
Shim layer between the application and transport layers
Listens on TCP port 1080

SOCKS server -> runs on Unix- and Windows-based firewalls
SOCKS client library -> linked into internal hosts protected by the firewall
SOCKS-ified client programs (FTP, TELNET) -> produced by recompilation or by encapsulation routines

The SOCKS server evaluates each request and either establishes the appropriate connection or denies it. Once the connection is established, TCP/UDP packets are forwarded for as long as it remains open.

7
Q

Firewall basing

A

Most common -> stand-alone machine running Unix or Linux,
or a software module in a router, LAN switch, or server.

Bastion Host
Critical strong point in the network; platform for application-level or circuit-level gateways, or for IPSec
- executes a secure version of the OS, making it a hardened system
- only essential services installed
- may require additional authentication before a user is allowed to use proxy services
- each proxy can execute only a subset of the application's command set
- each proxy allows access to only specific host systems
- maintains detailed audit information
- proxies are small software packages, easier to analyze and check for vulnerabilities
- proxies are separate modules that can be uninstalled without affecting the others
- no disk access except to read its initial configuration file; executable code can be made read-only
- each proxy runs as a non-privileged user in a private and secured directory

Host-based
Rules tailored to the host; both internal and external attacks must pass through it
Used alongside a stand-alone firewall it adds an additional layer of protection

Network Device
Packet filtering and stateful inspection are already built into routers/switches, which monitor and filter packet flows

Virtual Firewall
Virtualized versions of servers, switches, routers, firewall bastion hosts, etc.

Personal Firewall
Sits between a personal computer and the Internet or LAN
Denies unauthorized remote access to the computer and monitors outgoing activity (worms, malware)
Examples: netfilter (Linux), pf (macOS), Windows Firewall
Stealth mode drops unsolicited communication packets

8
Q

Firewall location

A

External firewall sits between the Internet and the DMZ; the internal firewall sits between the DMZ and the internal network.
External firewall provides basic protection for the enterprise network.

Internal firewall protects workstations, application and database servers
- more stringent filtering capability
- protects the remainder of the network from attacks launched from DMZ systems (worms, rootkits, bots or other malware)
- protects DMZ systems from internal attack

9
Q

Virtual Private Networks

A

Computers interconnected by means of unsecure networks, using encryption and special protocols to provide security.

A VPN uses encryption and authentication in the lower protocol layers to provide a secure connection through an insecure network.
Encryption is done by the firewall or by routers.

The most common mechanism is at the IP level and is known as IPSec.

An IPSec networking device will typically encrypt and compress all traffic going into the WAN and decrypt and uncompress traffic coming from the WAN.

IPSec may be implemented in the firewall itself, though some filtering capabilities are lost; if it is implemented in the router instead, the device is less secure.

10
Q

Distributed Firewalls

A

Stand-alone firewall devices plus host-based firewalls, all under central administrative control.

Administrators can set policies and monitor security across the entire network.
Monitoring includes log aggregation and analysis, firewall statistics, and fine-grained remote monitoring.

11
Q

Intrusion Prevention

A

Attempts to block or prevent detected malicious activity.
Can use anomaly detection to identify illegitimate behavior, and signature/heuristic detection to identify known malicious behavior.

Responds by modifying or blocking (network IPS -> packets crossing the perimeter; host IPS -> system calls made by programs).
Like a firewall, but uses specialized detection algorithms.

Host-based IPS identifies:
- modification of system resources -> trojans, backdoors, rootkits can change system resources, libraries, directories, registry settings, user accounts
- privilege-escalation exploits -> give ordinary users root access
- buffer-overflow exploits
- access to the e-mail contact list -> used to mail copies of a worm to spread it
- directory traversal -> allows an attacker to traverse web server directories outside the permitted range

Can be used as a sandbox: quarantines code by isolating it, runs it and monitors its behavior; if it violates policy it is halted and prevented from executing in the normal system environment.
Protects system calls, file system access, registry settings and input/output communications.

Network-based IPS
An inline NIDS that can modify or discard packets and tear down TCP connections.
Does anomaly and signature/heuristic detection, but also flow data protection: the application payload in a sequence of packets is reassembled so the content of the flow can be filtered if it is suspected to be malicious.
Techniques: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly.

Distributed or Hybrid IPS
Gathers data from a large number of hosts or network sensors; correlates and analyzes it against updated signatures and behavior patterns.
Example: IBM's Digital Immune System, designed to defend against malicious behavior.

12
Q

Snort inline

A

Drop -> rejects the packet based on the rules and logs the result
Reject -> rejects the packet and logs the result; for TCP a TCP reset is sent, for UDP an ICMP port unreachable message
Sdrop -> rejects the packet but does not log it
Replace option -> modifies packets rather than dropping them; useful in combination with a honeypot, since attacks fail and the attacker does not know why

13
Q

Unified Threat Management System

A

Replaces all inline network products (firewall, IPS, IDS, VPN, antispam, antispyware) with a single UTM appliance.
Includes multiple security features integrated into one box; at minimum it must be able to perform network firewalling, network intrusion detection and prevention, and gateway anti-virus.

Downside: performance (throughput and latency)

Functions
- inbound traffic is decrypted if the UTM sits on a VPN boundary (IPSec decryption)
- initial firewall filters the traffic: discards packets that violate the rules, passes packets that conform
- multiple modules process packets at multiple protocol levels
- data analysis engine reassembles multi-packet payloads
- some traffic may need to be re-encrypted before leaving
- all detected threats are reported to the logging and reporting module
- bandwidth-shaping module can use various priority and QoS algorithms to optimize performance
