Network Security Flashcards

1
Q

What’s the difference between an IDS and an IPS in terms of taking action?

A

IDS tools don’t take action on their own.

An IPS is a control system that accepts or rejects each packet based on its rule set.

2
Q

What three logical components make up an Intrusion Detection System?

A

Sensors: software and/or data sources that collect data.

Analysers: determine whether an intrusion has occurred.

User interface: views output or controls system behaviour.

3
Q

What is an NIDS?

How does it work and where is analysis of traffic patterns performed?

A

Network-based Intrusion Detection System.

Monitors network traffic and analyses network-, transport- and application-layer protocols to identify suspicious activity.

It monitors traffic at selected points on a network and examines it packet by packet in real or near-real time.

Analysis of traffic may be done at the sensor, at the management server, or at a combination of the two.

4
Q

What is a HIDS?

A

Host-based Intrusion Detection System.

It monitors the characteristics of a single host, such as a PC, phone or tablet, for suspicious activity.

5
Q

What’s a honeypot and what’s it used for?

A

Decoy systems that can be fake services, databases or networks.

They are filled with fabricated information and have no real production value.

Designed to:
  1. Lure a potential attacker away from critical systems.
  2. Collect information about the attacker’s activity.
  3. Encourage the attacker to stay on the system long enough for administrators to respond.

6
Q

Is a firewall an IDS or an IPS and where is it inserted?

A

IPS - Intrusion Prevention System.

Inserted between the premises network and the internet to establish a controlled link.

7
Q

What are two capabilities and four limitations of a firewall?

A
  1. Defines a single choke point.
  2. Provides a location for monitoring security events.

-

  1. Cannot protect against attacks that bypass the firewall.
  2. May not fully protect against internal threats.
  3. Improperly secured wireless LANs can be accessed from outside the organisation.
  4. A laptop, PDA or portable storage device may be infected outside the network and then used internally.

8
Q

Do client attacks require access to the remote host?

Give an example of a client attack.

A

No. The adversary attempts to achieve user authentication without access to the remote host or the intervening communications path.

An example is password guessing/cracking.

9
Q

An IDS is composed of three logical components, what are they?

A
  1. Sensors - software/data sources that collect data. Common sources are system call traces, audit records, file integrity checksums and registry access.
  2. Analysers - determine whether an intrusion has occurred.
  3. User interface - views output or controls system behaviour.

10
Q

How does a Distributed or Hybrid IDS work?

A

Combines information from sensors, both host-based and network-based, in a central analyser.

This makes them better able to identify and respond to intrusion activity.

Information is stored in logs and analysed using algorithms.
