Lecture 8 Flashcards

1
Q

What is Security Intrusion?

A

A security incident where the intruder gains or attempts to gain unauthorised access to a system

2
Q

What is Intrusion Detection?

A

A security service that monitors and analyses the system for suspicious behaviour.

  • The user is warned of attempts to access their resources in an unauthorised manner.
3
Q

Intrusion Detection Systems (IDSs)

A

Software or an application that monitors and analyses the system’s activities and determines whether or not an attack is in progress

  • LOGS + ALERTS ON TRAFFIC

Comprises three logical components:

  • Sensors – Collect data and forward it to the analyser
  • Analysers – Determine whether an intrusion has occurred
  • User Interface – View output or control system behaviour
4
Q

The two main types of IDS are:

A

Host-Based IDS

  • Adds a layer of security software to vulnerable/sensitive systems
  • Monitors the characteristics of a single host for suspicious activity
    • Detects intrusions, logs suspicious events and sends alerts
  • Detects internal and external intrusions

Network-Based IDS

  • Monitors network traffic and analyses network, transport and application protocols to identify suspicious activity.
  • Analyses the traffic patterns captured by the sensor
5
Q

What are the two Sensor Deployments?

A

Inline sensor

  • Inserted into the network so that the traffic being monitored must pass through the sensor

Passive sensor

  • Monitors copies of the network traffic
6
Q

What are the two Host-Based Approaches?

A

Anomaly Detection

  • Accomplished using threshold detection + statistics
  • Involves counting the number of occurrences of specific event types by legitimate users over a period of time
  • Used to detect changes in an individual’s behaviour

Signature detection

  • Involves attempts to set rules that can be used to decide that a given behaviour is that of an intruder
7
Q

What are the NIDS Intrusion Detection Techniques?

A

Similar to host-based IDS techniques

Signature detection:

  • At the application, transport and network layers
  • Unexpected application services
  • Policy violations

Anomaly detection:

  • DoS attacks
  • Scanning
  • Worms
8
Q

What are the Firewall characteristics? List the Security Policy

A
  • All traffic from inside to outside must pass through the firewall
  • Only authorised traffic, as defined by the security policy, is allowed to pass through
  • Packets that do not match policy are rejected.

Firewall controls for enforcing the site’s security policy:

  • Security control
  • Direction control
  • User control
  • Behaviour control
9
Q

What are the Capabilities + Limitations of a Firewall?

A

Capabilities:

  • Defines a single choke point
  • Provides a location for monitoring security events

Limitations:

  • Cannot protect against attacks that bypass the firewall
  • May not protect against internal attacks
  • An improperly secured wireless LAN can be accessed from outside the organisation
10
Q

What is a Packet Filtering Firewall and what are its two default policies?

A
  • Applies rules to each incoming and outgoing IP packet
  • Filtering rules are based on information contained in a network packet
    • Source IP address
    • Destination IP address
    • Source + destination transport-level address
    • IP protocol field

Two default policies

Discard: Prohibit unless expressly permitted

Forward: Permit unless expressly prohibited

11
Q

What are the Packet Filter Advantages + Disadvantages?

A

Advantages:

  • Simple
  • Typically transparent to users

Disadvantages:

  • Cannot prevent attacks on specific vulnerabilities
  • Limited logging
  • Does not support advanced user authentication
  • Improper configuration > breaches
12
Q

What is an Application-Level Gateway?

A

Application-Level Gateway

“Application proxy”

  • User contacts the gateway using a TCP/IP application
  • User is authenticated
  • Gateway contacts application on a remote host and relays TCP segments between server and user
13
Q

What is a Circuit-Level Gateway?

A

“Proxy”

  • Sets up TCP connections between itself and a TCP user on an inner host, and between itself and a TCP user on an outside host
  • Relays TCP segments from one connection to the other without examining their contents
  • Used when inside users are trusted
14
Q

What is a Host-Based Firewall?

A
  • Used to secure an individual host
  • Available in OS/provided as an add-on package
  • Filters and restricts packet flows
  • Common location is a server
15
Q

What is a Personal Firewall?

A
  • Controls the traffic in a PC or workstation
    • Both home and corporate use
  • Can be housed in a router that connects all the home computers to a DSL or cable modem
  • Role: Deny unauthorised access
  • Monitors to detect worms, malware activity
16
Q

List a few Firewall Topologies

A
  • Host-resident firewall
  • Screening router
  • Single bastion inline
  • Single bastion T
17
Q

What is an Intrusion Prevention System (IPS)?

A
  • Inline network-based IDS that can block traffic
  • Blocks anything that it believes is ‘malicious’
  • Prevents it from reaching the different targets on your network
  • Network- or host-based
  • Functional addition to the firewall that adds IDS capabilities
18
Q

What are Host-Based IPS (HIPS)?

A
  • Uses anomaly + signature detection techniques:

Signature:

  • Focuses on the content of application payloads in packets, looking for patterns that identify malicious behaviour

Anomaly:

  • Looks for behaviour patterns that indicate malware
  • Uses a sandbox approach to monitor behaviour
19
Q

What is a Network-Based IPS (NIPS)? List the methods used to identify malicious packets

A
  • Authority to discard packets + tear down TCP connections
  • Uses anomaly + signature detection techniques
  • Provide full data protection

Methods used to identify malicious packets:

  • Pattern matching
  • Stateful matching
  • Protocol anomaly
  • Traffic anomaly
  • Statistical anomaly