3B. Analyse Appliance Monitoring Output Flashcards
Be able to interpret System event logs, Firewall logs, WAF Logs, Proxy Server Logs, Intrusion Detection and Prevention logs
What information do syslogs provide?
Information about the state of the network, servers, hardware, and applications, including details such as errors, security events, and authentication events, sent over port 514 TCP/IP. No encryption or authentication.
How has syslog been improved in its latest implementation?
- Now uses port 1468 for delivery confirmation, so if a syslog message is not delivered, it is sent again
- Uses TLS to encrypt messages sent to servers
- Uses MD5/SHA1 for authentication and integrity
What is an implicit deny firewall rule?
Traffic that does not match a specified rule is dropped
What are some key principles of firewall rulesets?
1) Block incoming requests from internal or private, loopback, and multicast IP address ranges, as these have obviously been spoofed
2) Block incoming requests using protocols that should only function at the local network level (e.g., ICMP, DHCP)
3) Configure IPv6 rules. Some hosts run dual-stack TCP/IP implementations with IPv6 on by default. A misconfigured router could allow adversaries unfiltered access to the network over IPv6
Dropping vs Rejecting
Dropping means not informing the client that a packet has been blocked, making it harder for adversaries to determine port states; rejecting sends a response to the client, which is useful for troubleshooting
What security intelligence do firewall logs provide?
1) Connections permitted or denied
2) Port and protocol usage
3) Bandwidth usage
4) Address translation audit trail
What are some guidelines for Egress filtering?
- Allow only whitelisted application ports and restrict destination addresses to authorised internet hosts (or use URL/content filtering to detect malicious traffic)
- Restrict DNS lookups to your own DNS services
- Block known bad IP addresses
- Block IP address spaces that are not authorised on the local network
- Block internet access from host subnets that do not need it
Firewalking
Recon technique for enumerating firewall configurations. The attacker identifies open ports on the perimeter firewall, then crafts a packet for an open port with a TTL of one hop past the firewall. If the packet passes the firewall, the host beyond it responds with "TTL Exceeded". Can be mitigated with NAT.
Black holes
A type of defensive packet filtering whereby traffic is silently dropped before reaching its destination, e.g. to mitigate a DoS, the attack traffic is routed to an IP address that is mapped to a non-existent host.
Sinkholes
Similar to black holes, except that traffic is redirected to another network for analysis
Forward Proxy
A server that forwards internal hosts' HTTP requests to the intended destination
- Useful if outbound traffic must comply with policies
- Improves performance because it provides caching services
Non-transparent Proxy
The client must be configured with the proxy server address to have its HTTP requests forwarded by the proxy server
Transparent Proxy
The proxy intercepts traffic even if the client isn't configured with the server address. This is implemented at the Network Layer.
What do Forward Proxy logs show?
- User ID
- Request method used by client
- HTTP status code
- Size and MIME type of the resource returned to the client