Lecture 16: 6th November 2019

Question 1

What is a firewall?

Answer 1

A network security system implemented in hardware or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet. They hide the structure of the internal network.

Question 2

What is an IDS?

Answer 2

Intrusion Detection System = A network security system implemented in hardware or software that monitors a network or system for malicious activity or policy violations.

Question 3

What do default permit and default forbidden mean?

Answer 3

They rerfer to the default action taken on a packet by a firewall when a mathing rule cannot be found. default permit = let it in/out, default forbidden = drop it.

Question 4

What can firewalls do?

Answer 4

cannot prevent all attackers, viruses or intruders.
can:
- Permit authorised traffic
- Block or deny unauthorised traffic
- Log accesses in and out
- Provide a VPN link
- Authenticate users and give access to appropriate services
- Shield hosts
- Cache data to improve web site performance
- Filter content

Question 5

When do firewalls work best?

Answer 5

as part of a multilayered approach, aka defence in depth

Question 6

What is defence in depth?

Answer 6

An information assurance concept in which multiple layers of security controls are used to protect a network to provide redundancy.

Question 7

Why is placement an important consideration involving firewalls?

Answer 7

Need to consider required connections outside of the network. Keep them possible but minimise number of machines outside a firewall.

Question 8

What are some types of firewalls?

Answer 8

Packet filters : looks at packet headers for addresses, ports, protocols

Stateful inspection filters : maintains state information and keeps common ports open.

Stateless inspection filters: Blocks or allows a packet based on header information.

Application proxies : simulates application and performs access control.

Personal firewalls: blocks blacklisted traffic.

Question 9

How do packet filtering firewalls work?

Answer 9

Inspect IP headers and TCP and UDP port numbers. The bypass (allow through), bypass, or protect (IPSec)

Question 10

How do stateful inspection fitering firewalls work?

Answer 10

Examine packet payload in addition to headers to build up a state of the connection, held in a state table, in a cache. If a packet doesn’t correspond to the state of its connection pass to a rule base to check if it can be forwarded. Requires a lot of processing. Supports more protocols than a simple packet filter.

Question 11

How do Application Level Proxies work?

Answer 11

Proxies analyse the application layer data of IP packets. Proxies support protocols for SMTP, HTTP, SSH, FTP etc. Most commonly used for HTTP or SMTP traffic, functioning as a screen for all traffic into and out of ports. They are relatively slow as they have to inspect, compare, rebuild packets and process client requests. A complete server & client implementation in one box for every protocol the firewall should handle.

Client connects to firewall.
Firewall validates request.
Firewall connects to server.
Response comes back through firewall.

Can enforce application-specific policies and conceal clients, translate network
addresses and filter content.

Question 12

What are Application Level Proxies aka?

Answer 12

Application Gateway, Proxy Server or Application Firewall

Question 13

What do proxies do?

Answer 13

A proxy server acts as a gateway between you and the internet. It’s an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy.

Question 14

How and why may proxies and packet filter firewalls be used together?

Answer 14

To provide a defence in depth.

• Each type inspects different parts of IP packets.
• Proxies scan whole data portion, therefore they create larger log files
• If a packet filter has a rule for a packet the action is as directed; block or allow, therefore relatively faster.
• A proxy has to rebuild the packet with new IP information.
• The proxy rebuild means that damaged packets are dropped.

Question 15

What are some issues with firewalls?

Answer 15

don’t protect against skilled attackers

accurate system state description must always be maintained to know the weakest point of entry

many attacks through legitimate-seeming downloads

rules may proliferate and be used to make attacks

Question 16

What are some limitations of firewalls?

Answer 16

don’t protect against bug-based attacks, internal attackers, or attacks from machines within the network once compromised.

Can be routed around - tunnelling, dialup servers, cross-links.

Can be too restrictive and stop you from doing what you want.

Encrypted traffic can always get through - even if malicious.

Many services now over HTTP to avoid firewalls - defats the purpose and made protocol design worse.

Question 17

What are some network topologies that pertain to firewalls?

Answer 17

The Bastion Server can be the firewall: running all external services and acting as a packet filter or proxy. Alternatively, the firewall does packet filtering and monitoring or there is a second LAN to hold the external servers that deal with mail, web, etc. services.

Screened Subnet (DMZ): has an interface towards the external network/ Internet and another towards the protected network. A third interface card screens the screened subnet. This third area, the Demilitarised Zone provides services to external users such as Web or SMTP servers.

Dual Firewalls: Instead of a single firewall with 3 interfaces, the dual firewall uses 2 firewalls with the screened subnet between them. The protected network is therefore behind two firewalls.

Question 18

What is a firewall rule base?

Answer 18

A set of instructions that governs the actions of a firewall on packets with certain properties.

Question 19

What are the fields in a firewall IDS?

Answer 19

1 Control or rule number
2 Type of rule; Allow, Deny, Drop, Alert
3 The direction of traffic; inbound or outbound
4 Transport Protocol; UDP, TCP, etc
5 Source Socket; host & service identification
6 Destination Socket; receiving host & service identification
7 Policy number; refers to management policies.

Question 20

What is a permissive firewall rule base?

Answer 20

Permissive = allow by default, block some.

• Easy to make mistakes.
• If you forget to block something, you are allowing it into the system unchallenged.
• Protocol management to prevent “on-the-fly” changes by staff

Question 21

What is a restrictive firewall rule base?

Answer 21

Restrictive = block by default, allow some.

• Much more secure.
• If you forget something, someone will complain and you can allow the protocol, but it’s overhead and annoying for users.

Question 22

Why may tunneling be a security issue with firewalls?

Answer 22

Can make an encapsulating tunnel to wrap your actual IP packets in a service or port number that is permitted by the firewall and have them de-encapsulated either side.

Question 23

What is a vulnerability assessment?

Answer 23

The process of identifying, quantifying, and prioritizing (or ranking) security flaws in a system or network. May include open ports, software used, network topology, and a prioritised list of vulnerabilities.

Question 24

What tools can you use to perform a vulnerability assessment?

Answer 24

Software: ISS Scanner, Stat, Nessus, etc.
Audit Services: manual Penetration tests
Web based commercial: Qualys, Security Point, etc

Question 25

What is an intrusion?

Answer 25

Any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and almost always jeopardize the security of networks and/or their data.

Question 26

What is an IDPS?

Answer 26

Intrusion Detection and Prevention System = real name for an IDS to note importance of preventing intrusions as well as detecting and reacting to them. IDS = A network security system implemented in hardware or software that monitors a network or system for malicious activity or policy violations.

In practice, firewalls and IDSes are combined into one system - IDPSes.

Question 27

What are the 2 general approaches to intrusion detection?

Answer 27

Misuse detection: Knowledge-based IDS - Rule Based

Anomaly detection: Behaviour-based IDS - statistical anomalies

Question 28

What is an attack signature?

Answer 28

A unique arrangement of information that can be used by and IDS to identify an attacker’s attempt to exploit a known operating system or application vulnerability.

Question 29

What is a knowledge-based IDS?

Answer 29

An IDS which looks for attack signatures in traffic data and log files to detect intrusions.

Question 30

How do knowledge-based IDSes work?

Answer 30

They look for attack signatures in traffic data and log files that indicate suspicious behaviour, such as login attempts, time of access, SYN flooding, escalation of privileges, unknown access, and target acquisition. They consider known information including security policies and known vulnerabilities.

Question 31

What is a knowledge-based IDS aka?

Answer 31

misuse-based IDS and rule-based IDS

Question 32

Why does an IDS not need to know about security vulnerabilities in a particular system? Does and IDS really perform intrusion detection?

Answer 32

Actually just need to know rules of the normal baseline and where an anomaly is, not the underlying attack. No - just identifying anomalies outside of set limits (rules) which indicate intrusions, not intrusions themselves.

Question 33

What is the architecture of IDSes?

Answer 33

Distributed sensors to gather data and a centralised console to manage sensors, analyse data, report and react.

Ideally:

• Protected communications between sensors and console
• Protected storage for signature database/logs
• Secure console configuration
• Secured signature updates from vendor
• Otherwise, the IDS itself can be attacked and manipulated; IDS vulnerabilities have been exploited

Question 34

What are some types of IDS?

Answer 34

Network-Based IDS (NIDS).

Host-Based IDS (HIDS).

Knowledge-based IDS: An IDS which looks for attack signatures in traffic data and log files to detect intrusions.

Question 35

What is a HIDS?

Answer 35

Host-Based IDS (HIDS): These look at logfiles to verify Message digests/checksums of key system files. They are effectively an internal system monitor. An intrusion detection system that monitors the computer infrastructure on which it is installed, analyzing traffic and logging malicious behavior.

A Network-based IDS (NIDS) looks for attack signatures in network traffic whereas s Host-based IDS (HIDS) looks for attack signatures in log files of hosts.

Question 36

What is a NIDS?

Answer 36

Network-Based IDS (NIDS): these can be trained to recognise attack signatures via pattern matching (e.g. expressions, bytecode), frequency or threshold crossing (uncommon port usage). IDSes that are intelligently distributed within networks that passively inspect traffic traversing the devices on which they sit and report back to an administrator.

A Network-based IDS (NIDS) looks for attack signatures in network traffic whereas s Host-based IDS (HIDS) looks for attack signatures in log files of hosts.

Question 37

How does a HIDS work?

Answer 37

Usually monitors system, event, and security logs on Windows and syslog in Unix environments.
- E.g., observe sequences of system calls to check whether a change from user to supervisor mode had been effected properly through a command like su.

Verify checksums of key system files & executables at regular intervals for unexpected changes. Some products use regular expressions to refine attack signatures.
- E.g., passwd program executed AND .rhosts file changed. Some products listen to port activity and alert when specific ports are accessed – limited NIDS capability.

Question 38

How does a NIDS work?

Answer 38

Uses network packets as data source. Typically a network adapter running in promiscuous mode.

Monitors and analyzes all traffic in real-time.

Attack recognition module uses three common techniques to recognise attack signatures:

• Pattern, expression or bytecode matching;
• Frequency or threshold crossing (e.g. detect port scanning activity);
• Correlation of lesser events (in reality, not much of this in commercial systems).

Question 39

Why are NIDSes and HIDSes often used together?

Answer 39

They compliment each other’s capabilities.

Attacks a NIDS can detect but a HIDS cannot:
SYN flood, Smurf, Teardrop, Backdoor…

And HIDS but not NIDS:
Trojan login script, walk up to an unattended keyboard, encrypted traffic…

Question 40

What are the three main types of action taken by an IDS in response to an intrusion?

Answer 40

notify; store; react (action).

Question 41

What may a NIDS do in response to an intrusion?

Answer 41

Notify: alarm to console, email, SNMP trap, view active session

Store:
NIDS: log summary, log network data

Action:
NIDS: kill connection (TCP reset), reconfigure firewall

Question 42

What may a HIDS do in response to an intrusion?

Answer 42

Notify:
HIDS: alarm to console, email, SNMP trap

Store:
HIDS: log summary

Action:
HIDS: terminate user log in, disable user account, restore index.html

Question 43

What are some dangers of automated intrusion response?

Answer 43

Attacker tricks IDS to respond, but response aimed at innocent target (say, by spoofing source IP address).

Users locked out of their accounts because of false positives.

Repeated e-mail notification becomes a denial of service attack on sysadmin’s e-mail account.

Repeated restoration of index.html reduces website availability

Question 44

What are the main challenges associated with IDSes?

Answer 44

Collecting and evaluating large amounts of data.
- Combine events for more compact presentation.
False positives, false negatives.

Life intrusion detection systems generate lots of data.
- E.g., a DMZ with 60 hosts, monitored 7 days by NIDS with 244 signatures: 771,733 alerts created (Gollman).

Data mining applied for extracting useful information from such data collections.

Context-aware systems filter out attacks that are irrelevant for the systems being monitored.
- Ignore attacks on software or services you are not running.

Question 45

Are anomalies necessarily attacks?

Answer 45

No, they are only patterns which are thought to indicate an intrusion/attack has taken place or is taking place.

Question 46

Where are IDSes useful?

Answer 46

As a second line of defence (in addition to firewalls, cryptographic protocols, etc.).

Question 47

Why can firewall rules often have poor performance?

Answer 47

Akin to a big switch statement or many conditionals, so the performance of rules is sensitive to their ordering (bad if check every rule and at the very end, with a rule for each possibility).

Question 48

What was the POODLE attack?

Answer 48

A MITM attack for SSL connections to browsers. The attacker forces the connection to use SSL 3.0 then exploits a design flaw in SSL 3.0 that allows the padding of data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed. It eventually reveals the plaintext input after repeatedly padding messages.

Question 49

What is a dual firewall?

Answer 49

Instead of a single firewall with 3 interfaces, the dual
firewall uses 2 firewalls with the screened subnet between them. The protected network is therefore behind two firewalls. One firewall before subnet and after internal network, screens intranetwork traffic. Other after subnet and before the Internet, screens internetwork traffic.