Middleboxes Flashcards
Name 4 different network middleboxes.
1. Firewalls: filter traffic based on a set of rules
2. Intrusion detection system: monitors the traffic and collects data to analyze security anomalies
3. NAT: allows multiple private hosts to share a single public IP address
4. Load balancers: provide one point of entry to a service and distribute requests across multiple instances of the service
What are the 3 security components?
1. Security goals/requirements (mentioned in the first lecture)
2. Security policies: rules to implement the requirements (how to get there)
3. Security mechanisms: enforce the policy (what tools do we use?)
What is the difference between stateful and stateless firewalls? Advantages and disadvantages.
Stateful: they generate state. The state helps keep track of connections.
Stateless: no state information is generated.
Keeping state is expensive. If we have few rules, then stateless filtering is faster.
What is a bastion host and what are its purposes?
It is a host that is more exposed to the external network than the hosts of the network it protects.
Its purposes are packet filtering and providing proxy services.
Mention some methods for securing bastion hosts:
1. Disable SSH password login
2. Prepare for the bastion host to be compromised
3. It should not sniff internal traffic
4. Regular backups
Name the firewall architectures and explain in a few words what each is.
- Simple packet filter architecture: a packet filtering router or firewall is between the internet and the internal network.
- Dual-homed host architecture: a bastion host is between the internet and the internal network.
- Screened host architecture: packet filtering between the internet and the internal network, and a bastion host is connected to the internal network as well.
- Screened subnet architecture (demilitarized zone): the DMZ is made of two packet filtering routers with a bastion host between them. This DMZ sits between the internet and the internal network.
What are the detection methods in IDS? Explain each in a few words, including advantages and disadvantages.
1. Misuse detection: signatures of attacks are stored in a database and we monitor traffic for those signatures.
+ efficient detection
+ fewer false positives
- detects only known attacks
- more false negatives
2. Anomaly detection: we model the normal or expected state of the system and raise an alarm if the observed state differs.
+ able to detect new attacks
- more false positives
What data sources does an IDS use? Mention some and name advantages and disadvantages.
1. Network based
Performs analysis on network packets.
- cannot analyse encrypted data
2. Host based
Analyses data from individual systems.
+ able to function in environments with encrypted data
When is the information processed in an IDS?
1. Real-time detection
Data are intercepted and processed while the system is running.
2. A posteriori
Information is logged and analysed later.
How does the system react to an attack?
1. Passive: detect and report by logging
2. Active: close connections
Firewall notes (flip me)
- Firewall rules are matched sequentially.
- Best practice: put ESTABLISHED rules first.
- The ACK flag can be used to approximate ESTABLISHED connections (the first SYN packet does not set the ACK flag).
What is Reverse Path Filtering used for in the Linux kernel?
It is an IP spoofing protection mechanism: if a packet arrives at interface i, the kernel checks whether the packet's source IP is reachable through i.