Network Defence

Question 1

What is a firewall?

Answer 1

Special reference monitor that mediates access to a network and hide the stucture of the network.

May have a default permit or default forbidden state.

May be ingress or egress filtering devices

Question 2

What can firewalls do?

Answer 2

Permit or block traffic
Log accesses
Provide CPN link
Authenticate users
Shield hosts
Cache data
Filter content

Question 3

How are decisions made on where to place firewalls?

Answer 3

Need to assess the application it’s protecting and allow for the application to work while securing it.

Question 4

What are the generic types of firewall?

Answer 4

Packet filters
Stateful inspection filters
Stateless inspection filters
Application proxies

Question 5

What do packet filter firewalls do?

Answer 5

Look at packet header for addresses, ports and protocols

Question 6

What do stateful inspection filters firewalls do?

Answer 6

Maintains state information and keeps common ports open

Question 7

What do stateless inspection filters firewalls do?

Answer 7

Blocks or allows packets based on header information

Question 8

What do application proxy firewalls do?

Answer 8

Simulates application and performs access control

Question 9

How do personal firewalls deal with traffic?

Answer 9

Block blacklisted traffic

Question 10

What actions do firewalls take on IP packets?

Answer 10

Bypass
Drop
Protect (IPSec channel)

Question 11

What rules might be specified on a packet when using packet filtering?

Answer 11

Actions
Specification of source/dest IP or ports
Dictate traffic in both directions.

Question 12

Why is stateful inspection stateful?

Answer 12

Packet filtering examines the packet data as well as the state of the connection.

This information is used to build the state table which is held in cache.

Question 13

How are rules defined in a state table?

Answer 13

Need only specify packet in one direction, replies and further packets in the connection are automatically processed.

Question 14

What happens when a packet doesn’t match the State Table?

Answer 14

The stateful firewall defaults to Rule Base checking to check if the packet can be forward.

Question 15

How do application level proxies work?

Answer 15

Proxy analyses the application layer of the IP packet.

Uses this information to complete the data request of the client and return the result to the client.

Question 16

What is faster, proxies or packet filters?

Answer 16

Packet filters as proxies scan the whole log file.

They are usually used in tandem to provide defence in depth.

Question 17

What are the limitations of firewalls?

Answer 17

Can be too restrictive

Encryption prevents the firewall blocking malicious traffic

Protocol tunneling means that programs can still be executed but under the guise of http.

Question 18

What do firewalls not provide any protection against?

Answer 18

No protection against attacks based on bugs

No protection against insider threat

No protection inside the network once a firewall has been compromised.

Question 19

What is a bastion server?

Answer 19

Firewall, runs all external services and acts as a packet filter or proxy.

Alternatively it is a packet filter that passes traffic to servers.

Question 20

What is a screened subnet? (DMZ)?

Answer 20

Has an interface towards both the external and internal networks.

Third interfaces screens the screened subnet. This screened subnet provides services to external users ie. Web or SMTP servers.

Question 21

What are dual firewalls?

Answer 21

Use 2 firewalls with a screened subnet between them to protect the network.

The area between them is the DMZ.

Question 22

What are the fields of a firewall?

Answer 22

Rule number
Type of rule
Direction of traffic
Transport protocol
Source socket
Destination Socket
Policy number

Question 23

What is a permissive rule base?

Answer 23

Allow by default, block some.

Question 24

What are the limitations of using a permissive rule base?

Answer 24

Easy to make mistakes

If you forget to block something, allowing it into the system unchallenged

Protocol management is required to prevent staff chaning on the fly.

Question 25

What is a restrictive rule base?

Answer 25

Block by default, allow some

More secure, if you forget something someone will notice

Question 26

What are the problems with matching rules?

Answer 26

Packets can contain several headers so when setting a policy one must know which order the rules and headers are evauluated.

Question 27

What are two options for evaluating rules in a firewall?

Answer 27

Apply first matching entry in the list of rules

Apply the entry with the best match for the packet.

Question 28

How should firewalls be tested?

Answer 28

Outside-in approach should look at architectural risks, code scanning and security requirements.

Vulnerable systems and high priority system should be more secured.

Question 29

What is a vulnerability assessment?

Answer 29

Examines the security state of the network:

Open ports
Software packages running
Network topology
Prioritised lists of vulnerabilities

Question 30

What is an IDS?

Answer 30

Intrusion Detection System

Can be based at either the network or the host, these are response tools used for the deterrence, detection, damage assessment as well as attack anticipation.

Question 31

What are the common features of an IDS?

Answer 31

Event Logging
Traffic Analysis
Integrity checking
Configuration management
notification
Network tapping/sensors
Response system
Handling and containment of intrusions

Question 32

What is an intrustion?

Answer 32

Anything from a benign exploration, corporate data modification or the copying/deletion of a file.

Question 33

What types of detection are there for IDPS?

Answer 33

Misuse detection - Rule based

Anomaly detection - Statistical anomaly based.

Question 34

How does anomaly detection work?

Answer 34

Attack signatures are network traffic patterns that have been learned and, when detected, combatted.

Produces profiles of users or system workload.

IDPS only as good as it’s trained to be.

Important not to pick up false positives.

Question 35

What is the limitation of a knowledge-based IDS?

Answer 35

Only as good as the database it uses, which needs to be kept up to date.

Large number of vulnerabilities and exploit methods so effective databases are difficult to build

Large database is slow.

Question 36

What are examples of signatures used in a knowledge-based IDS?

Answer 36

Number of recent failed login attempts

Bit patterns in an IP packet indicating a buffer overflow.

Some types of SYN packets.

Question 37

How does anomaly IDS detect attacks?

Answer 37

Deviations from the baseline raise an alarm.

Baseline is normal operating parameters

Question 38

What are the limitations of Anomaly-based IDS?

Answer 38

Legitimate users may deviate from the baseline

Baseline can be shifted over time by a patient attacker.

Question 39

What is a CIDS?

Answer 39

Centralised intrusion detection system.

Central console manages sensor network, analyses data, reports data and reacts.

Question 40

What’s does the ideal CIDS architecture have?

Answer 40

Protected communications between sensors and console.

Protected storage for signature DB.

Secure console config

Question 41

What is a NIDS?

Answer 41

Network Based IDS

Can be trained to recognise attack signatures by pattern matching frequency or threshold crossing.

Looks for attack signatures in network traffic, in realtime.

Question 42

What is HIDS?

Answer 42

Host Based IDS
Look at logfiles to verify message digests/checksums of key system files.

Verifies checksums of key system files and executables.

Use regex and port usage to check attack signatures.

Question 43

What are the IDS response options?

Answer 43

Notify
Store
Action

Question 44

How does NIDS do IDS response?

Answer 44

Notify: alarm to console, email, snmp trap, views active session

Store: Log summary, log network data

Action: kill connection, reconfigure firewall

Question 45

How does HIDS do IDS response?

Answer 45

Notify: alarm to console, email, snmp trap

Store: Log summary

Action: Terminate user login, disable user account, restore index.html

Question 46

What are the dangers of automated response?

Answer 46

Attacker can trick IDS to respond to innocent targets.

Can lock users out of accounts

Repreated email to sysadmin is a form of DoS

Repeated restoration of index.html reduces website availability