Topic 9B Flashcards

1
Q

firewall

A

serves as the first line of defense in network security. It monitors and controls the incoming and outgoing network traffic based on predetermined rules, effectively creating a barrier between a trusted internal network and untrusted external networks.

2
Q

Intrusion detection systems (IDS) and intrusion prevention systems (IPS)

A

An IDS monitors network traffic for signs of possible incidents and alerts systems administrators when such activities are detected.

An IPS, on the other hand, not only detects but also prevents identified threats by automatically taking action, such as blocking network traffic or terminating connections.

3
Q

Web filters

A

prevent users from accessing potentially malicious websites, block the download of malicious files, and can even monitor and control access to restricted sites

4
Q

access control list (ACL)

A

a list of permissions associated with a network device, such as a router or a switch, that controls traffic at a network interface level.

ACLs typically use packet information like source and destination IP addresses, port numbers, and the protocol to decide whether to permit or deny the traffic.

5
Q

a firewall rule

A

dictates how firewalls should handle inbound or outbound network traffic for specific IP addresses, IP ranges, or network interfaces.

Firewalls typically provide both network and application-level control. They are designed to protect a network perimeter by preventing unauthorized access to or from a network.

6
Q

What firewall rules take the most priority?

A

The rules in a firewall’s ACL are processed from top to bottom, so the first matching rule takes priority.

The final default rule is typically to block any traffic that has not matched a rule (implicit deny). If the firewall does not have a default implicit deny rule, an explicit deny all rule can be added manually to the end of the ACL.

7
Q

tuples

A

Each rule can specify whether to block or allow traffic based on several parameters.

If you think of each rule being like a row in a database, the tuples are the columns.

For example, in the previous screenshot, the tuples include Protocol, Source (address), (Source) Port, Destination (address), (Destination) Port, and so on.

8
Q

Some other basic principles include the following for firewalls:

A

Block incoming requests from internal or private IP addresses (that have obviously been spoofed).

Block incoming requests from protocols that should only function at a local network level, such as ICMP, DHCP, or routing protocol traffic.

Use penetration testing to confirm the configuration is secure. Log access attempts and monitor the logs for suspicious activity.

Take the usual steps to secure the hardware on which the firewall is running and use the management interface.

9
Q

Host-based IDS/IPS (HIDS/HIPS)

A

are installed on individual systems or servers.

They monitor and analyze system behavior and configurations for suspicious activities.

HIDS/HIPS are particularly effective at identifying insider threats, detecting changes in system files, and monitoring non-network events like local logins and system processes.

10
Q

OSSEC is an

A

open-source HIDS solution that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response. It is compatible with multiple platforms, including Linux, Windows, and macOS.

11
Q

Network-based IDS/IPS (NIDS/NIPS)

A

monitor network traffic. They look for patterns or signatures of known threats and unusual network packet behavior.

NIDS/NIPS are effective at identifying and responding to threats across multiple systems, like distributed denial-of-service (DDoS) attacks or network scanning activities.

12
Q

Intrusion detection systems (IDS)

A

IDS systems are passive, inspecting network traffic, identifying potential threats based on predefined rules or unusual behavior, and sending alerts to administrators.

13
Q

intrusion prevention systems (IPS)

A

are proactive security tools that detect potential threats and take action to prevent or mitigate them.

An IPS identifies a threat using methods similar to an IDS and can block traffic from the offending source, drop malicious packets, or reset connections to disrupt an attack.

There is a risk of false positives leading to blocking legitimate traffic.

14
Q

what is Snort

A

one of the most well-known IDS tools.

It uses a rule-driven language, which combines the benefits of signature, protocol, and anomaly-based inspection methods, providing robust detection capabilities.

Open source.

15
Q

what is Suricata

A

is a high-performance open source IDS/IPS/NSM engine. Suricata is designed to take full advantage of modern hardware and deliver higher performance and scalability than Snort.

Suricata can function as an IDS or an IPS, and is compatible with Snort rulesets, making it a highly flexible option for network security.

16
Q

What is Security Onion

A

a Linux distribution designed for intrusion detection, network security monitoring, and log management. It includes both Snort and Suricata, along with a host of other tools, to provide a complete platform for network security.

17
Q

analysis engine

A

is the component that scans and interprets the traffic captured by the sensor with the purpose of identifying suspicious traffic.

The analysis engine determines an event’s classification with typical options of ignore, log only, alert, and block (IPS). A set of programmed rules drives the analysis engine’s decision-making process.

18
Q

Signature-based detection

A

(or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures.

If traffic matches a pattern then the engine generates an incident.

Needs to be updated regularly for the latest attacks. There are commercial services that you can pay for.

19
Q

Behavioral-based detection

A

the engine is trained to recognize baseline “normal” traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident.

The software will be able to identify zero-day attacks, insider threats, and other malicious activity for which there is a single signature.

20
Q

network behavior and anomaly detection (NBAD)

A

provides behavior-based detection. An NBAD engine uses heuristics (meaning it learns from experience) to generate a statistical model of what baseline normal traffic looks like.

It may develop several profiles to model network use at different times of the day. This means that the system generates false positives and false negatives until it has had time to improve its statistical model of what is “normal.”

21
Q

there are two general classes of behavior-based detection products that utilize machine learning

A

User and entity behavior analytics (UEBA) products scan indicators from multiple intrusion detection and log sources to identify anomalies. They are often integrated with security information and event management (SIEM) platforms.

Network traffic analysis (NTA) products are closer to IDS and NBAD in that they apply analysis techniques only to network streams rather than multiple network and log data sources.

22
Q

Trend analysis

A

is a critical aspect of managing intrusion detection systems (IDS) and intrusion prevention systems (IPS), as it aids in understanding an environment over time, helping to identify patterns, anomalies, and potential threats.

23
Q

Web filtering

A

Its primary function is to block users from accessing malicious or inappropriate websites, thereby protecting the network from potential threats.

can restrict access based on various criteria such as URL, IP address, content category, or even specific keywords.

24
Q

Agent-based web filtering

A

installing a software agent on desktop computers, laptops, and mobile devices. The agents enforce compliance with the organization’s web filtering policies.

Agent-based solutions typically leverage cloud platforms to ensure they can communicate with devices regardless of the network they are connected to.

can also provide detailed reporting and analytics. The agent can log web access attempts and return this data to a management server for analysis, allowing security analysts to monitor Internet usage patterns, identify attempts to access blocked content, and fine-tune the filtering rules as required.

25
Q

A centralized proxy server

A

acting as an intermediary between end users and the Internet.

The primary role of the proxy in web content filtering is to analyze web requests from users and determine whether to permit or deny access based on established policies.

26
Q

Centralized proxy server techniques

A

URL scanning
Content categorization
Block Rules
Reputation-Based Filtering

27
Q

Web Filtering Issues

A

Overblocking
Underblocking
Without proper configuration, web filters may be unable to inspect encrypted traffic, representing most modern web traffic.