Week 3 - Intruders and Firewalls Flashcards

1
Q

What are the 3 types of network intruders?

A
  1. Masquerader
    Unauthorized user
    Penetrates the system's access control
  2. Misfeasor
    Misbehaving insider
    Accesses unauthorized data/information; misuses authorized privileges
  3. Clandestine User
    Outsider and/or insider
    Seizes supervisory control to avoid auditing
2
Q

What are some examples of intrusions?

A
  • Performing a remote root compromise of an e-mail server
  • Defacing a Web server
  • Guessing and cracking passwords
  • Copying a database containing credit card numbers
  • And many more!
3
Q

What are 3 intruder behaviour patterns?

A
  1. Hackers:
    - Often target opportunities and share information with others.
    - Can be detected by IDSs, IPSs, CERTs.
  2. Criminals:
    - Target specific victims.
  3. Insider Attacks:
    - Pose significant detection challenges, as insiders have access and knowledge of the target system’s structure and content.
4
Q

What are 4 intrusion technique examples?

A
  1. Guessing Attacks
    Exhaustively try all short passwords (those of one to three characters).
  2. Trojan Horse
    Use a Trojan horse to bypass restrictions on access.
  3. Physical Attacks
    Tap the line between a remote user and the host system.
  4. Exploiting Attacks
    Buffer overflow in a program that runs with certain privileges.
5
Q

What are the two intrusion detection approaches?

A

The two intrusion detection approaches are:

  1. Statistics-based:
    Method:
    - Collect data on legitimate user behaviour.
    - Use statistical tests to predict behaviour.
    - Effective against masqueraders.
    - Ineffective against misfeasors.
  2. Rule-based (Signature-based):
    Method:
    - Define rules to classify behaviour as intruder or legitimate.
    - Effective at detecting penetrations.
6
Q

What are the two different types of audit records?

A

The two different types of audit records are:

  1. Native Audit Records: Capture raw system user activities without requiring additional software. Advantage: No need for extra data collection. Disadvantage: May lack necessary information.
  2. Detection-Specific Audit Records: Generate only the information required by Intrusion Detection Systems, including subject, action, object, exception condition, resource usage, and timestamp.
7
Q

What are honeypots?

A

Honeypots are decoy systems that divert attackers from critical infrastructure, lacking production value but collecting attacker activity. Placed at multiple locations, like outside the external firewall, externally available servers (e.g., web, email), and fully internal machines, they entice attackers to linger for admin response by appearing valuable.

8
Q

What are the 4 intrusion detection outcomes?

A

Intrusion Detection Outcomes:

  1. True Positive: Correctly detect intrusion.
  2. True Negative: Correctly detect non-intrusion.
  3. False Positive: Incorrectly detect non-intrusion as intrusion.
  4. False Negative: Incorrectly detect intrusion as non-intrusion.
9
Q

What is the base rate fallacy?

A

Base-Rate Fallacy of Intrusion Detection Systems:

Goal: Detect most intrusions while maintaining a low false alarm rate.
Challenge: Balancing high detection rates with low false alarms is difficult due to inherent probabilities.

10
Q

What are the different kinds of password vulnerabilities/attacks?

A

Offline Dictionary Attack:
Method: Compares hashed commonly used passwords with those in the password file.
Countermeasures:
- Prevent unauthorized access to the password file.
- Identify compromise.

Specific Account Attack (Brute-force):
Method: Brute-force guessing on specific accounts.
Countermeasure: Limit the number of login attempts.

Popular Password Attack & Single User Guessing:
Method: Targets common passwords or guesses passwords for a single user.
Countermeasure: Prevent the use of common passwords.

Workstation Hijacking:
Method: Waits for unattended workstations.
Countermeasure: Automatically log out after inactivity.

Exploiting User Mistakes:
Method: Exploits user errors like writing down passwords.
Countermeasure: Provide proper training and use intrusion detection.

Exploiting Multiple Password Use:
Method: Multiple devices sharing the same password.
Countermeasure: Prohibit the use of the same password.

Electronic Monitoring:
Method: Monitors plaintext password transfers.
Countermeasure: Use encryption, though not always efficient.

11
Q

How do hashed passwords work?

A

Hashed passwords are created by converting user passwords into unique strings of characters using a cryptographic hash function, which are then stored in the system. During authentication, the entered password is hashed and compared to the stored hash, allowing access if they match.

12
Q

What are the 4 user password choices?

A

The four user password choices are:

  1. Education: Avoid common passwords, especially in large user populations.
  2. Computer-generated passwords: Offer strong security but are difficult to remember.
  3. Reactive password checking: Periodically scans for weak passwords, though efficiency can be an issue.
  4. Proactive password checking: Enhances security by assessing password strength during setup.

13
Q

What is a firewall?

A

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, helping to prevent unauthorized access, malicious attacks, and the spread of malware.

14
Q

What are the characteristics of a firewall?

A

Firewall Characteristics:

Definition: Implements an access policy to regulate network traffic.

Design Goals:
- All traffic between internal and external networks passes through the firewall.
- Only authorized traffic, as per the security policy, is allowed.
- The firewall itself is resistant to penetration.

Filtering Criteria:
- IP addresses, protocol values.
- Source/destination IP address and port number.
- Specific services.
- Application protocol and data control.
- User identity for insider control.
- Network activity, such as time and requests.

15
Q

What are the scope and limitations of a firewall?

A

Firewall Scope & Limitations

Firewall Scope:

  • Acts as a single checkpoint to block unauthorized users and monitor security events.
  • Provides functions like network address translation, auditing Internet usage, and supporting virtual private networks.

Limitations:

  • Ineffective against attacks bypassing firewalls.
  • Offers partial protection against internal threats.
  • Unable to secure improperly secured wireless LANs.
  • Does not prevent infection of portable devices externally and subsequent internal attachment.
16
Q

What are the 4 types of firewall?

A

Types of Firewalls:

  1. Packet Filtering Firewall:
    Examines information in TCP/IP headers.
    Weakness: Doesn’t inspect upper-layer data.
  2. Stateful Inspection Firewall:
    Builds on Packet Filtering Firewalls by recording TCP connection details, like sequence numbers.
  3. Application Proxy Firewall (Application-Level Gateway):
    Verifies application authentication information at the remote host.
  4. Circuit-Level Proxy Firewall (Circuit-Level Gateway):
    Acts as a proxy between two ends of a TCP connection.
    Establishes two TCP connections: one between internal network and firewall, and another between firewall and external network.
17
Q

What is a bastion host and what does it require?

A

Bastion Host:

Definition: Platform for an application-level or circuit-level gateway.
Requirements:
- Runs on a secure OS version.
- Installs only essential services (e.g., DNS, FTP, HTTP, SMTP).
- Requires additional authentication for each service.
- Has separate settings for each service, including command set, access control, and access logs.

18
Q

What are the different types of firewall configurations?

A

Firewall Configurations:

External + Internal Firewall:
- DMZ between them.
- Honeypot in DMZ.
- Sensitive hosts inside internal firewall.
- Internal firewall provides additional filtering.
- Two-way protection against attacks from DMZ and insiders.

Configuration types:

  1. Screening Router:
    • Firewall functions at the router between internal and external networks.
    • Suitable for small offices and home offices.
  2. Single Bastion Inline:
    • Single bastion between internal and external networks.
    • Suitable for small-to-medium-sized organizations.
  3. Single Bastion T:
    • Single bastion connected to internal network and DMZ.
    • Suitable for medium to large organizations.
  4. Double Bastion Inline:
    • DMZ between internal and external firewalls.
    • Suitable for large businesses and governments.
  5. Double Bastion T:
    • Required for Australian Government use.
  6. Distributed Firewall:
    • Suitable for large businesses and governments.