Lecture 5: Firewalls, intrusion detection Flashcards

1
Q

Explain the “Principle of Complete Mediation”

A

Every access to an object must be checked, in order to ensure that it is allowed

2
Q

Explain what a “Reference monitor” is

A

It is a module in an operating system that:

  • Checks requests against a table of allowed requests, and only lets authorised ones go through
  • Is itself tamper-proof, and
  • Is verifiable

3
Q

What does “ingress” and “egress” mean in the context of firewalls

A

Ingress: incoming traffic
Egress: outgoing traffic

4
Q

List some capabilities that a firewall provides

A
  • Defines a single choke point
  • Provides a location for monitoring security events
  • Convenient platform for some internet functions, such as NAT, usage monitoring and IPsec VPNs

5
Q

List some limitations of a firewall

A
  • Cannot protect against attacks that bypass the firewall
  • May not protect fully against internal threats
  • Improperly secured wireless LANs
  • Laptops, PDAs and portable storage devices could be infected outside, then used inside

6
Q

List four different types of firewalls

A
  • Packet filtering firewall
  • Stateful inspection firewall
  • Application proxy firewall
  • Circuit-level firewall
7
Q

Explain what a “Packet filtering firewall” does, and where it is used

A
  • Applies rules to packets passing in/out of the firewall
  • Based on information in the packet header
    • E.g., source/destination IP address & port, IP protocol, interface
  • Typically a list of rules that match on header fields
    • If a rule matches, it says whether to forward or discard the packet
  • Two default policies:
    • Discard – prohibit unless expressly permitted
    • Forward – permit unless expressly prohibited

8
Q

Give some examples of weaknesses of “Packet filter firewalls”

A
  • Cannot prevent attacks on application bugs
  • Limited logging functionality
  • Does not support advanced user authentication
  • Vulnerable to attacks on TCP/IP protocol bugs
  • Improper configuration can lead to breaches

9
Q

Explain what a “Stateful inspection firewall” does, and how it works

A

Reviews packet header information BUT also keeps information on TCP connections

  • TCP connections typically have a low, “well-known” port number on the server side, and
  • A high, dynamically assigned port number on the client side
  • Compared to simple packet filtering, stateful inspection tightens the rules for TCP traffic by using a directory of TCP connections
  • Only allows incoming traffic to high-numbered ports for packets matching an entry in this directory

10
Q

Explain what an “Application-level gateway” does, and how it works

A
  • Acts as a relay of application-level traffic:
    • User contacts the gateway with the remote host name
    • User authenticates to the gateway
    • Gateway contacts the application on the remote host and relays TCP segments between server and user
  • Must have proxy code for each application
  • More secure than packet filters, but
  • Higher overheads

11
Q

Explain what a “Circuit-level gateway” is, and how it works

A
  • Sets up two TCP connections, one to an inside user and one to an outside host
  • Relays TCP segments from one connection to the other without examining their contents
    • Hence independent of application logic
    • Just determines whether the relay is permitted
  • Typically used when inside users are trusted
    • May use an application-level gateway inbound and a circuit-level gateway outbound
    • Hence lower overheads

12
Q

List three different ways of basing a firewall

A
  • Bastion host
  • Individual host-based firewall
  • Personal firewall
13
Q

Explain what a “Bastion host” is, and how it works

A

  • Used to secure an individual host
  • Available in, or as an add-on for, many O/S
  • Filters packet flows
  • Often used on servers
  • Advantages:
    • Tailored filter rules for specific host needs
    • Protection from both internal/external attacks
    • Additional layer of protection to the organisational firewall

14
Q

Explain what a “Personal firewall is”, and how it works

A
  • Controls traffic flow to/from PC/workstation
  • For both home and corporate use
  • May be software module on PC
  • Or in home router/gateway
  • Typically, much less complex
  • Primary role to deny unauthorized access
  • May also monitor outgoing traffic to detect/block worm/malware activity
15
Q

Give some examples of different intrusions

A
  • Remote root compromise
  • Web server defacement
  • Guessing/cracking passwords
  • Copying/viewing sensitive data/databases
  • Running a packet sniffer
16
Q

Give some examples of how to defend against “Insider attacks”

A

  • IDS/IPS may help, but also need:
    • Least privilege, monitor logs, strong authentication, termination process to block access & mirror data

17
Q

List two classes of “Intrusion Detection Systems”

A

  • Host-based IDS: monitors single host activity
  • Network-based IDS: monitors network traffic

18
Q

List the logical components that constitute “Intrusion Detection Systems”

A

  • Sensors – collect data
  • Analyzers – determine if an intrusion has occurred
  • User interface – manage/direct/view the IDS

19
Q

Give some examples of requirements for an “Intrusion Detection System”

A
  • Run continually
  • Be fault tolerant
  • Resist subversion
  • Impose a minimal overhead on the system
  • Be configured according to system security policies
  • Adapt to changes in systems and users
  • Scale to monitor large numbers of systems
  • Provide graceful degradation of service
  • Allow dynamic reconfiguration
20
Q

Explain what a “Host-based IDS” is, and how it works

A

  • Specialized software to monitor system activity to detect suspicious behavior
    • Primary purpose is to detect intrusions, log suspicious events, and send alerts
    • Can detect both external and internal intrusions

21
Q

List two different approaches used by “Host-based IDS”

A

  • Two approaches, often used in combination:
    • Anomaly detection – defines normal/expected behavior
      • Threshold detection
      • Profile based
    • Signature detection – defines proper behavior

22
Q

Explain what “Audit Records” are, and specify the two variants

A

  • A fundamental tool for intrusion detection
  • Two variants:
    • Native audit records – provided by the O/S
      • Always available but may not be optimum
    • Detection-specific audit records – IDS specific
      • Additional overhead but specific to the IDS task
      • Often log individual elementary actions
      • E.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp

23
Q

Explain the two types of “Anomaly Detection”

A

  • Threshold detection
    • Checks for excessive event occurrences over time
    • Alone, a crude and ineffective intruder detector
    • Must determine both thresholds and time intervals
  • Profile based
    • Characterize past behavior of users/groups
    • Then detect significant deviations
    • Based on analysis of audit records
      • Gather metrics: counter, gauge, interval timer, resource utilization
      • Analyze: mean and standard deviation, multivariate, Markov process, time series, operational model

24
Q

Explain what “Signature Detection” is, and how it works

A

  • Observe events on the system and apply a set of rules to decide whether they indicate an intruder
  • Rule-based penetration identification
    • Rules identify known penetrations/weaknesses
    • Often derived by analyzing attack scripts from the internet
    • Supplemented with rules from security experts

25
Q

Explain how a “Network-based IDS” works

A
  • Monitor at selected points on a network
  • In (near) real time to detect intrusion patterns
  • May examine network, transport and/or application level protocol activity directed toward systems

Comprises several sensors:

  • Inline (possibly as part of other net device)
  • Passive (monitors copy of traffic)
26
Q

Give some examples of “Intrusion Detection Techniques”

A
  • Signature detection:
    • At application, transport, network layers; unexpected application services, policy violations
  • Anomaly detection
    • Of DOS attacks, scanning, worms
  • When potential violation detected, sensor sends an alert and logs information
    • Used by the analysis module to refine parameters and algorithms
    • By security admin to improve protections
27
Q

Explain what “Honeypots” are, and how they work

A
  • Decoy systems
    • Fabricated info
    • Instrumented with monitors/event loggers
    • Divert and hold attacker to collect activity info
    • Without exposing production systems
  • Initially were single systems
  • More recently emulate entire networks
28
Q

List some examples of limitations of “Intrusion detection”

A
  • Response can lead to DOS
  • False alarms, users/attackers get around them
  • Rules: citizens are entitled to know protection algorithms
  • “too few attacks” – base rate fallacy
  • Constant need for updates
  • Encrypted traffic hard to analyse
  • Constant trade-offs