Quiz 2 Ch.9, 10, 11, 17 Flashcards
Ch. 9 Need for firewalls
Internet connectivity is essential but creates a threat: outside hosts can reach the premises network
FW inserted between the premises network and the Internet to establish a controlled link and act as an outer security perimeter
FW characteristics
Design goals
- all traffic from inside to outside, and vice versa, must pass through the FW (no other path)
- only authorized traffic, as defined by the local security policy, is allowed to pass
- FW itself immune to penetration (hardened system, secured OS)
FW access policy
Lists the types of traffic authorized to pass through the FW
- expressed in terms of address ranges, protocols, applications, and content types
FW Filter Characteristics
- IP address and protocol values (src/dst address, port, direction of flow)
- Application protocol (e.g., HTTP, SMTP; via proxies/app gateways)
- User identity (typically for inside users who authenticate, e.g., with IPSec)
- Network activity (time of day, rate of requests, activity patterns)
FW Capabilities and limits
C: defines a single choke point (simplifies management, monitoring and logging)
- can serve as a platform for IPSec (VPNs)
L: cannot protect against attacks that bypass the firewall (e.g., an unmanaged dial-in or wireless link)
- may not protect fully against internal threats (a disgruntled employee or one cooperating with an outside attacker)
Types of FW
- Packet Filtering FW
- Stateful inspection FW
- Application-level gateway
- Circuit-level gateway
Packet Filter
Applies a set of rules to each incoming and outgoing IP packet (src/dst address, port, protocol, interface) and forwards or discards it; default policy is either discard or forward
adv.
- Simplicity
- typically transparent to users and fast
weaknesses
- can't prevent attacks that employ application-specific vulnerabilities (does not examine upper-layer data)
- limited logging, no user authentication, and vulnerable to IP address spoofing unless spoofed packets are dropped at the interface
Stateful Inspection FW
Tightens the rules for TCP traffic by creating a directory (table) of outbound TCP connections, one entry per connection (src/dst address and port)
- Reviews the same packet info as a packet filter but also records TCP connection state; inbound traffic to high-numbered ports is allowed only if it matches an entry in the table
Application Level gateway
acts as relay of application level traffic
- must have proxy code for each application
- tend to be more secure than packet filters (only a few allowable applications need scrutiny; easy to log and audit all incoming traffic at the application level)
- disadv. is the additional processing overhead on each connection (two spliced connections, full traffic examined and forwarded)
Circuit level gateway
Sets up 2 TCP connections: one between itself and a TCP user on an inner host, one between itself and a TCP user on an outside host; relays segments without examining contents
- typically used when the system administrator trusts the inside users (proxies outbound connections; inbound connections still get application-level checks)
SOCKS circuit level gateway
Provides a framework for client-server applications in the TCP and UDP domains to conveniently and securely use the services of a network firewall
Bastion Hosts
- System identified as critical strong point
- Serves as platform for an application level or circuit level gateway
Characteristics of BH
- runs a secure version of its OS with only essential services installed
- may require user authentication before granting access to proxy services
- each proxy: supports only a restricted subset of the application's features
- each proxy: small, simple module (easier to check for security flaws), independent of other proxies
Host-based FW
used to secure an individual host
- available in OS or can be provided as an add-on package
Personal FW
- Controls traffic between a PC and internet
- software module
FW Topologies
- Host-resident FW
- Screening router
- Single bastion inline
- Single bastion T
- Double bastion inline
- Double bastion T
- Distributed FW configuration
DMZ demilitarized zone
Systems that are externally accessible but need some protections are usually located on DMZ
Intrusion Prevention Systems IPS
Capability to attempt to block/prevent detected malicious activity
- host-based, network-based, distributed/hybrid
- use anomaly detection to identify behavior that is not that of legit users
Host-Based IPS (HIPS)
Can make use of either signature or anomaly detection techniques to identify attacks
Sig: focus is on the specific content of application network traffic or on sequences of system calls, matched against known malicious patterns
Ano.: IPS looks for behavior patterns that indicate malware (deviation from the profile of normal behavior)
HIPS: examples of the types of malicious behavior addressed
- Modification of system resources (rootkits, Trojan horses, backdoors)
- Privilege-escalation exploits
- Buffer-overflow exploits
- access to email contact list
HIPS capabilities
Can be tailored to specific platform
- a set of general-purpose tools may be used for desktop or server systems
- use a sandbox approach for mobile code (e.g., Java applets, scripts): run it in an isolated area and block access to resources outside it
Role of HIPS
provide an integrated, single-product suite of functions
Network-Based IPS NIPS
Inline NIDS with authority to modify or discard packets and tear down TCP connections
NIPS
Makes use of signature/heuristic detection and anomaly detection
- provides flow data protection (monitors the full application flow content, not just individual packets)
NIPS- methods used to identify malicious packets
- Pattern matching
- Stateful matching
- Protocol anomaly
- Traffic anomaly
- Statistical anomaly
Distributed or hybrid approach
Digital Immune System
Comprehensive defense against malicious behavior caused by malware
- gathers data from a large number of host-based and network-based sensors, relays it to a central analysis system for analysis, then sends responses/defenses (e.g., signatures, blocks) back to the sensors
Snort inline
- Enables Snort to function as an intrusion prevention system
- includes a replace option which allows the snort user to modify packets rather than drop them
Ch. 10 Buffer overflow
- very common attack mechanism; first major use was the Morris Worm in 1988
- a condition at an interface under which more input can be placed into buffer or data holding area than the capacity allocated, overwriting other info
BO basics
Programming error when a process attempts to store data beyond the limits of a fixed-sized buffer
- Overwrites adjacent memory locations
- Buffer could be located on stack
BO Attacks
To exploit a BO an attacker needs:
- to identify a BO vulnerability in some program that can be triggered using externally sourced data under the attackers control
- to understand how that buffer is stored in memory and determine potential for corruption
Stack BO
Occur when buffer is located on stack
- also called stack smashing; used by the Morris Worm
- the worm exploited an unchecked buffer overflow in the Unix fingerd daemon (gets() into a fixed-size stack buffer)
Stack frame - when one function calls another it needs somewhere to save return address
Shellcode - Code supplied by attacker
- original function was to transfer control to a user command-line interpreter, or shell, which gives access to any program on the system with the privileges of the attacked process
- Machine code: specific to the processor and OS
- need good assembly language skills to create (or a shellcode generator)
- Metasploit project: provides useful information and tools to people who perform penetration testing, IDS signature development and exploit research
BO Defenses
- Compile time defenses
- Run-time defenses
Compile time defenses
Use a modern high-level language with strong typing and bounds-checked buffers (e.g., Java, Python, ML)
- not vulnerable to BO attacks: the compiler enforces range checks on array and pointer access
DISADV.
- additional code must be executed at run time to impose checks
- flexibility and safety comes at a cost in resource use
CTD: Safe coding techniques
- C designers placed much more emphasis on space efficiency and performance than on type safety
- programmers need to inspect the code and rewrite any unsafe coding (e.g., replace gets()/strcpy() with bounded versions, check lengths before copying)
- OpenBSD project programmers have audited the existing code base, including the OS, standard libraries and common utilities
CTD: Stack protection
- add function entry and exit code to check the stack for signs of corruption
- StackGuard: entry code writes a random canary value below the saved frame pointer/return address; exit code checks it and aborts if it has changed
- Stackshield and Return Address Defender (RAD): entry code saves a copy of the return address in a safe region; exit code compares it with the one on the stack before returning