Network Defence Flashcards
What is a firewall?
A special reference monitor that mediates access to a network and hides the structure of the network from outsiders.
May have a default-permit or default-deny policy.
May be an ingress (inbound) or egress (outbound) filtering device.
What can firewalls do?
Permit or block traffic
Log accesses
Provide a VPN link
Authenticate users
Shield hosts
Cache data
Filter content
How are decisions made on where to place firewalls?
Assess the application being protected and place the firewall where it can control the application's traffic while still allowing the application to work.
What are the generic types of firewall?
Packet filters
Stateful inspection filters
Stateless inspection filters
Application proxies
What do packet filter firewalls do?
Look at packet header for addresses, ports and protocols
What do stateful inspection filters firewalls do?
Maintains a table of active connections (state) and uses it when deciding: once a connection has been permitted, its return traffic and later packets are admitted automatically, rather than by leaving common ports permanently open.
What do stateless inspection filters firewalls do?
Blocks or allows packets based on header information
What do application proxy firewalls do?
Acts as the application towards the client (e.g. an HTTP or SMTP proxy) and performs access control on the application-level content before passing requests on.
How do personal firewalls deal with traffic?
Block traffic that matches a blocklist (blacklisted addresses, ports or applications).
What actions do firewalls take on IP packets?
Bypass (forward without IPsec protection)
Drop (discard)
Protect (send over an IPsec channel)
What rules might be specified on a packet when using packet filtering?
Actions (allow or deny)
Specification of source/destination IP addresses and ports
Rules must dictate traffic in both directions: the request and the reply need separate rules.
Why is stateful inspection stateful?
The filter examines packet headers (and, where needed, the packet data) together with the state of the connection the packet belongs to.
This information is used to build a state table of active connections, held in memory.
How are rules defined in a state table?
Need only specify packet in one direction, replies and further packets in the connection are automatically processed.
What happens when a packet doesn’t match the State Table?
The stateful firewall falls back to checking the rule base to decide whether the packet can be forwarded; if the rule base allows it, a new entry is added to the state table.
How do application level proxies work?
The proxy analyses the application-layer content of the traffic rather than just the IP and transport headers.
It uses this information to complete the client's request itself (connecting to the server on the client's behalf) and returns the result to the client, so no direct connection crosses the firewall.
What is faster, proxies or packet filters?
Packet filters: they inspect only headers, whereas a proxy must reassemble and parse the whole application-layer exchange.
They are usually used in tandem to provide defence in depth.
What are the limitations of firewalls?
Can be too restrictive, hindering legitimate use.
Encrypted traffic cannot be inspected, so the firewall cannot block malicious content carried inside it.
Protocol tunnelling lets programs communicate under the guise of a permitted protocol such as HTTP, so their traffic passes the filter.
What do firewalls not provide any protection against?
No protection against attacks that exploit bugs in the services the firewall lets through.
No protection against insider threats.
No protection inside the network once the firewall has been compromised or bypassed.
What is a bastion host (bastion server)?
A hardened, exposed host that runs all externally facing services and acts as the packet filter or proxy for the network behind it.
Alternatively it is a packet filter that passes traffic on to the servers behind it.
What is a screened subnet (DMZ)?
The firewall has an interface towards the external network and one towards the internal network.
A third interface screens the screened subnet, which provides services to external users (e.g. web or SMTP servers) without exposing the internal network.
What are dual firewalls?
Use two firewalls with a screened subnet between them to protect the network.
The area between them is the DMZ.
What are the fields of a firewall rule?
Rule number
Type of rule
Direction of traffic
Transport protocol
Source socket (address and port)
Destination socket (address and port)
Policy number
What is a permissive rule base?
Allow by default, block some.
What are the limitations of using a permissive rule base?
Easy to make mistakes.
If you forget to block something, it is allowed into the system unchallenged.
Change management is required to prevent staff changing rules on the fly.
What is a restrictive rule base?
Block by default, allow some.
More secure: if you forget to allow something, someone will notice and ask for it (the rule base fails closed rather than open).
What are the problems with matching rules?
Packets can contain several headers (e.g. IP, then TCP), so when setting a policy one must know the order in which the rules and the headers are evaluated.
What are two options for evaluating rules in a firewall?
Apply the first entry in the list of rules that matches the packet (so rule order matters).
Apply the entry with the most specific match for the packet.
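The following is an added example, not part of the original flashcards and not taken from any real firewall: a toy packet filter in Python that ties together the rule fields, the permissive versus restrictive default, the two rule-evaluation options (first match versus best match) and the state table that admits reply packets without an explicit rule. The rule base, the addresses and the packets are constructed for the illustration.

```python
"""Toy packet filter (illustration, not a real firewall): a rule base with the fields
the flashcards list, first-match vs best-match evaluation, permissive vs restrictive
defaults, and a stateful connection table that admits replies automatically."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (towards the protected network) or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: the first packet of a new connection

@dataclass(frozen=True)
class Rule:
    number: int
    action: str         # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None     # address or CIDR prefix; None matches anything
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return True

    def specificity(self) -> int:   # how many fields the rule constrains
        return sum(f is not None for f in
                   (self.direction, self.proto, self.src, self.sport, self.dst, self.dport))

def match_first(rules, p, default):
    """Option 1: apply the first matching entry, walking the rules in numeric order."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action, r.number
    return default, None    # nothing matched: the rule base's default policy decides

def match_best(rules, p, default):
    """Option 2: apply the most specific matching entry, regardless of position."""
    best = max((r for r in rules if r.matches(p)), key=Rule.specificity, default=None)
    return (best.action, best.number) if best else (default, None)

class StatefulFilter:
    """Checks the state table first; only new flows are checked against the rule base."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = rules, default
        self.state = set()  # (proto, client, cport, server, sport) of admitted flows

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:
            return "allow", "state table"   # reply or continuation of a known flow
        if p.proto == "tcp" and not p.syn:
            return "deny", "no state"       # mid-stream segment with no known connection
        action, num = match_first(self.rules, p, self.default)
        if action == "allow":
            self.state.add(fwd)             # one rule in one direction now covers both
        return action, f"rule {num}" if num is not None else "default"

# Constructed rule base. Under first-match, rule 3 shadows rule 4.
RULES = [
    Rule(1, "allow", direction="in",  proto="tcp", dst="203.0.113.10", dport=443),
    Rule(2, "allow", direction="out", proto="tcp", src="10.0.0.0/8"),
    Rule(3, "deny",  direction="in",  proto="tcp", src="198.51.100.0/24"),
    Rule(4, "allow", direction="in",  proto="tcp", src="198.51.100.7", dport=22),
]

def demo():
    ssh_in = Packet("in", "tcp", "198.51.100.7", 50000, "203.0.113.10", 22, syn=True)
    dns_in = Packet("in", "udp", "192.0.2.9", 5353, "203.0.113.10", 53)
    req = Packet("out", "tcp", "10.0.0.5", 40000, "93.184.216.34", 443, syn=True)
    rep = Packet("in", "tcp", "93.184.216.34", 443, "10.0.0.5", 40000)
    fw = StatefulFilter(RULES)
    return {
        "first_match": match_first(RULES, ssh_in, "deny"),   # ('deny', 3)
        "best_match": match_best(RULES, ssh_in, "deny"),     # ('allow', 4)
        "restrictive": match_first(RULES, dns_in, "deny"),   # ('deny', None)
        "permissive": match_first(RULES, dns_in, "allow"),   # ('allow', None)
        "stateless_reply": match_first(RULES, rep, "deny"),  # ('deny', None): no rule for the reply
        "stateful_request": fw.filter(req),                  # ('allow', 'rule 2')
        "stateful_reply": fw.filter(rep),                    # ('allow', 'state table')
    }
```

Run demo() to see the three points side by side: the same SSH packet is denied under first-match (rule 3 is reached first) but allowed under best-match (rule 4 constrains more fields); the unlisted DNS packet is decided purely by the default policy; and the HTTPS reply, which no rule covers, is dropped by a stateless filter but admitted by the stateful one because the outbound request created a state-table entry.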
How should firewalls be tested?
An outside-in approach should look at architectural risks, code scanning and the security requirements.
Vulnerable systems and high-priority systems should be secured most thoroughly.
What is a vulnerability assessment?
Examines the security state of the network:
Open ports
Software packages running
Network topology
Prioritised lists of vulnerabilities
What is an IDS?
Intrusion Detection System
Can be based at either the network or the host. These are response tools used for deterrence, detection and damage assessment as well as attack anticipation.
What are the common features of an IDS?
Event logging
Traffic analysis
Integrity checking
Configuration management
Notification
Network tapping/sensors
Response system
Handling and containment of intrusions
What is an intrusion?
Anything from benign exploration to modification of corporate data or the copying/deletion of a file.
What types of detection are there for IDPS?
Misuse detection: rule (signature) based, also called knowledge-based.
Anomaly detection: statistical, based on deviation from a learned baseline, also called behaviour-based.
How does anomaly detection work?
Produces profiles of normal users or system workload from training data; behaviour that deviates from a profile is flagged as a possible attack.
By contrast, misuse detection uses attack signatures: network traffic patterns that have been learned from known attacks and, when detected, are combatted.
The IDPS is only as good as the data it was trained on.
Important to keep false positives low.
What is the limitation of a knowledge-based IDS?
Only as good as the signature database it uses, which must be kept up to date.
There is a large number of vulnerabilities and exploit methods, so an effective database is difficult to build.
A large database is slow to match against.
What are examples of signatures used in a knowledge-based IDS?
Number of recent failed login attempts from one source
Byte patterns in an IP packet payload indicating a buffer overflow (e.g. a long NOP sled)
Certain patterns of SYN packets (e.g. many SYNs with no completed handshakes)
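As an added example (not from the flashcards, and not any real IDS's rules), the two signature types above implemented over constructed data: a sliding-window count of failed logins per source address over sample sshd-style log lines, and byte-pattern matching for an overflow payload. The log format, the threshold of five failures in 60 seconds and the byte patterns are assumptions; the payloads are not working shellcode, just the bytes the signatures look for. The second payload shows the database limitation: a trivially altered variant of the same attack matches nothing.

```python
"""Knowledge-based (signature) detection over constructed inputs, added here as an
illustration; the log format and byte patterns are assumptions, not from any product."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Signature 1: repeated failed logins from one address within a short window.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def detect_failed_logins(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per source address; one alert per burst of >= threshold failures."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                         # not a failure line: ignore
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": m["ip"], "count": len(q), "last": m["ts"]})
            q.clear()                        # reset so one burst raises one alert
    return alerts

# Signature 2: byte patterns in a payload typical of a stack-smashing exploit.
PAYLOAD_SIGNATURES = {
    "x86 NOP sled": re.compile(rb"\x90{16,}"),   # 16 or more consecutive NOPs
    "/bin/sh string": re.compile(rb"/bin/sh\x00"),
}

def match_payload(payload: bytes):
    return [name for name, pat in PAYLOAD_SIGNATURES.items() if pat.search(payload)]

# Constructed sample log: six failures from one host within 30 s, two from another.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{s:02d} bastion sshd[4121]: Failed password for root from 198.51.100.7 port {50000 + s} ssh2"
    for s in (1, 4, 9, 15, 22, 30)
] + [
    "2024-05-01T10:00:12 bastion sshd[4122]: Failed password for invalid user admin from 203.0.113.5 port 4471 ssh2",
    "2024-05-01T10:00:40 bastion sshd[4122]: Failed password for invalid user admin from 203.0.113.5 port 4472 ssh2",
    "2024-05-01T10:00:45 bastion sshd[4130]: Accepted publickey for alice from 10.0.0.8 port 52010 ssh2",
]

# Constructed payloads (not functional shellcode). EXPLOIT carries a 0x90 sled and a
# contiguous "/bin/sh"; VARIANT pads with 0x41 ("inc ecx") and pushes "//sh" and
# "/bin" separately, so neither signature fires although the attack is the same.
EXPLOIT = b"A" * 64 + b"\x90" * 32 + b"\x31\xc0\x50\x68/bin/sh\x00"
VARIANT = b"A" * 64 + b"\x41" * 32 + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"

if __name__ == "__main__":
    print(detect_failed_logins(SAMPLE_LOG))
    print(match_payload(EXPLOIT), match_payload(VARIANT))
```

The first source trips the login signature once (at the fifth failure) while the second, with only two failures, does not; the payload matcher flags EXPLOIT on both patterns and VARIANT on none, which is exactly why a signature database needs constant updating.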
How does anomaly IDS detect attacks?
The baseline is the set of normal operating parameters.
Deviations from the baseline raise an alarm.
What are the limitations of Anomaly-based IDS?
Legitimate users may deviate from the baseline, causing false positives.
The baseline can be shifted over time by a patient attacker who escalates slowly enough that each step looks normal.
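An added example (not from the flashcards) of the anomaly detector described above and both of its limitations. The training series is a constructed set of hourly login counts (an assumption); the detector alarms when an observation is more than k standard deviations from the baseline mean. With a fixed baseline, a legitimate but unusual Monday-morning load is a false positive. With an adaptive baseline, which folds every "normal" observation back into the mean, an attacker who raises activity by a small amount each step keeps every step under the threshold and drags the baseline along, so the detector never fires even once activity has tripled.

```python
"""Statistical anomaly detection with a fixed and an adaptive baseline, added as an
illustration. The training data is constructed (hourly login counts, an assumption)."""
import statistics

class AnomalyDetector:
    def __init__(self, training, k=3.0, adapt=None):
        # Baseline: mean and spread of normal operation learned from the training window.
        self.mean = statistics.fmean(training)
        self.std = statistics.pstdev(training) or 1.0   # guard against a constant series
        self.k = k                                      # alarm when |z| exceeds k
        self.adapt = adapt                              # None: fixed baseline; else EMA weight

    def observe(self, x):
        z = (x - self.mean) / self.std
        alarm = abs(z) > self.k
        if self.adapt is not None and not alarm:
            # Adaptive baseline: fold every observation judged "normal" into the mean.
            # This is what a patient attacker exploits: each step stays under k*std,
            # so the baseline walks along with the attack and never alarms.
            self.mean = (1 - self.adapt) * self.mean + self.adapt * x
        return alarm

def run(detector, series):
    """Indices in series at which the detector raised an alarm."""
    return [i for i, x in enumerate(series) if detector.observe(x)]

TRAINING = [20, 22, 19, 21, 20, 23, 18, 21]   # mean 20.5, population std 1.5
SPIKE = [21, 60, 20]                          # abrupt jump: caught by either baseline
RAMP = list(range(22, 62, 2))                 # +2 per step up to 60: the patient attacker
MONDAY = [27]                                 # legitimate but unusual load: a false positive

if __name__ == "__main__":
    print("fixed, spike:   ", run(AnomalyDetector(TRAINING), SPIKE))
    print("fixed, ramp:    ", run(AnomalyDetector(TRAINING), RAMP))
    print("adaptive, ramp: ", run(AnomalyDetector(TRAINING, adapt=0.5), RAMP))
    print("fixed, Monday:  ", run(AnomalyDetector(TRAINING), MONDAY))
```

With k = 3 and std = 1.5 the alarm threshold is 4.5 above the mean. The fixed detector alarms from the third ramp step (26) onward; with adapt = 0.5 the gap between each new value and the moving mean converges to 4, which is always under 4.5, so the whole ramp passes silently. Mitigations this suggests: update the baseline only from reviewed data, cap how far it may drift per period, and compare against a long-term reference as well as the recent one.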
What is a CIDS?
Centralised intrusion detection system.
A central console manages the sensor network, analyses the data, reports on it and reacts.
What does the ideal CIDS architecture have?
Protected communications between sensors and console.
Protected storage for signature DB.
Secure console config
What is a NIDS?
Network Based IDS
Looks for attack signatures in network traffic in real time.
Can be trained to recognise attack signatures by pattern matching, frequency or threshold crossing.
What is HIDS?
Host Based IDS
Looks at log files for signs of intrusion.
Verifies message digests/checksums of key system files and executables against a known-good baseline.
Uses regular expressions over logs and checks of port usage to match attack signatures.
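An added example (not from the flashcards) of the integrity-checking part of a HIDS: hash a set of watched files into a baseline, then compare the live files against it and report what was modified, removed or unchanged. It runs against a temporary directory of constructed files; the paths (bin/ls, etc/passwd, var/log/wtmp) and their contents are assumptions, not a real system.

```python
"""Host-based integrity checking, added as an illustration: hash key files into a
baseline, then compare the live filesystem against it. Uses a temporary directory
with constructed files; the paths are assumptions, not any real system's."""
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):   # stream: works for large binaries
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, watch) -> dict:
    """Map each watched relative path to its SHA-256. Keep this somewhere the host
    cannot rewrite (read-only media or the central console); an intruder who can
    replace a binary can otherwise simply refresh the baseline as well."""
    return {rel: file_digest(root / rel) for rel in watch}

def verify(root: Path, baseline: dict) -> dict:
    """Compare the live files against the baseline."""
    report = {"modified": [], "missing": [], "ok": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif file_digest(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: a trojaned 'ls', a deleted wtmp and an untouched passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "bin/ls": b"ELF original ls",
            "etc/passwd": b"root:x:0:0",
            "var/log/wtmp": b"login records",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root, files)
        (root / "bin/ls").write_bytes(b"ELF trojaned ls")   # attacker replaces a binary
        (root / "var/log/wtmp").unlink()                     # attacker deletes a log
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A real deployment would also record ownership, permissions and timestamps per file and would sign the baseline, since a checksum list stored writable on the monitored host is only as trustworthy as that host.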
What are the IDS response options?
Notify
Store
Action
How does NIDS do IDS response?
Notify: alarm to console, email, SNMP trap, view active sessions
Store: log summary, log network data
Action: kill connection, reconfigure firewall
How does HIDS do IDS response?
Notify: alarm to console, email, SNMP trap
Store: log summary
Action: terminate user login, disable user account, restore index.html
What are the dangers of automated response?
An attacker can trick the IDS into responding against innocent targets (e.g. by spoofing the source address so that a legitimate host gets blocked).
Can lock users out of their accounts.
Repeated email to the sysadmin is a form of DoS.
Repeated restoration of index.html reduces website availability.
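As an added example (not from the flashcards, and not any product's logic), a small guard that wraps the "reconfigure firewall" and "notify" responses with the safeguards these dangers call for: a list of addresses that are never auto-blocked (so a spoofed DNS server or gateway address cannot be used to make the IDS cut the network off from itself), a time-to-live on every block so a spoofed victim is not locked out forever, and a rate limit on notifications so a flood of alerts cannot become a DoS on the administrator. The addresses and limits are assumptions; time is passed in explicitly so the behaviour is deterministic.

```python
"""Safeguards for automated IDS responses, added as an illustration; the addresses
and limits are assumptions. Time is passed in explicitly so runs are deterministic."""
from collections import deque
from ipaddress import ip_address, ip_network

class ResponseGuard:
    def __init__(self, never_block, block_ttl=600, notify_limit=5, notify_window=300):
        # Addresses an attacker could spoof to trick us into blocking ourselves:
        # DNS, gateways, partner networks, the IDS console itself.
        self.never_block = [ip_network(n) for n in never_block]
        self.block_ttl = block_ttl          # blocks expire; a spoofed source is not locked out forever
        self.notify_limit, self.notify_window = notify_limit, notify_window
        self.blocked = {}                   # ip -> expiry time
        self.sent = deque()                 # timestamps of recent notifications

    def block(self, ip, now):
        """Reconfigure-firewall action with a protected list and a TTL."""
        addr = ip_address(ip)
        if any(addr in net for net in self.never_block):
            return False, "protected address: alert only"
        self.blocked[ip] = now + self.block_ttl
        return True, f"blocked until t={now + self.block_ttl}"

    def is_blocked(self, ip, now):
        exp = self.blocked.get(ip)
        if exp is None:
            return False
        if now >= exp:
            del self.blocked[ip]            # expired: reopen automatically
            return False
        return True

    def notify(self, now):
        """Rate-limited notification: at most notify_limit messages per notify_window."""
        while self.sent and now - self.sent[0] > self.notify_window:
            self.sent.popleft()
        if len(self.sent) >= self.notify_limit:
            return False                    # suppressed; roll into a later summary instead
        self.sent.append(now)
        return True

def demo():
    g = ResponseGuard(never_block=["10.0.0.53/32", "10.0.0.1/32", "203.0.113.0/24"])
    return {
        "attacker": g.block("198.51.100.7", now=0),            # (True, 'blocked until t=600')
        "spoofed_dns": g.block("10.0.0.53", now=0),            # (False, 'protected address: alert only')
        "blocked_at_10": g.is_blocked("198.51.100.7", 10),     # True
        "blocked_at_700": g.is_blocked("198.51.100.7", 700),   # False: TTL expired
        "notifications": [g.notify(now=t) for t in range(0, 70, 10)],  # 5 True, then 2 False
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>15}: {v}")
```

The same protected-list idea applies to the HIDS account actions: accounts that must never be auto-disabled (service accounts, the on-call administrator) belong on an equivalent list, and a repeated "restore index.html" should back off and escalate to a human rather than loop.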