Exam Prep Flashcards

(61 cards)

0
Q

Where to place ACLs?

A

Standard: as close to destination as possible.
Extended: as close to source as possible.

1
Q

Which layers do packet filter and stateful firewalls operate at?

A

Packet filter: layers 3 and 4

Stateful: layers 3, 4 and 5
2
Q

Discuss reflexive ACLs

A

Allows IP traffic for sessions originating from inside the network while blocking outside traffic from coming in.

The router examines outside traffic and creates a temporary ACL to allow it.
3
Q

Discuss dynamic ACLs

A

Authenticates a user and permits that user and associated traffic through the firewall.

4
Q

Discuss common firewall properties

A
  • must be resistant to attacks
  • must be the only transit point between networks
  • enforces access policy of the organisation
5
Q

Discuss the protective measures of a firewall

A
  • exposure of sensitive hosts and applications
  • exposure of protocol flaws
  • malicious data
6
Q

Discuss limitations of a firewall

A
  • misconfiguration can be deadly
  • end use can be restricted by policies
7
Q

Discuss firewall design practice

A
  • position firewalls at key security boundaries between different trust levels
  • should be the primary security device
  • deny all traffic by default
  • implement various firewall technologies (defence in depth)
8
Q

Stateful vs stateless

A

Stateless: ACLs filter traffic based on source and destination IP, TCP and UDP port numbers, TCP flags, ICMP types/codes.

Stateful: inspection remembers the state of requests, stores them in a session table, tracking each connection. It detects if applications need more traffic streams and dynamically allows them. Monitors the state of connections: initiating, data transfer or terminated.
9
Q

Disadvantages of packet filtering firewalls

A
  • can be complex to configure
  • can't prevent ARP-layer attacks
  • susceptible to TCP/IP protocol attacks
10
Q

Advantages of packet filtering firewalls

A
  • they process packets very fast
  • they easily match on most criteria. Layer three and four segment headers provide a lot of flexibility in implementing policies.
11
Q

Uses for packet filtering firewalls

A
  • typically implemented on a perimeter router as a first line of defence
  • when security policies can be fulfilled using packet filters alone
12
Q

Stateful firewalls

A
  • tracks every connection traversing all interfaces and confirms they are valid
  • examines info in the headers of layer 3 and 4 segments, e.g. TCP flags
  • state table contains source and destination addresses, port numbers, UDP connection info and TCP sequence numbers
13
Q

Improvements of stateful over packet filter firewalls

A
  • maintains a session table
  • recognises dynamic apps that need extra connections or access through the firewall
14
Q

Zone-based firewalls

A
  • stateful inspection
  • app inspection
  • URL filtering
  • per policy parameters
  • transport firewall
  • virtual routing and forwarding (VRF) aware
15
Q

Zone types

A

Public-dmz
Dmz-private
Private-dmz
Private-public

16
Q

Benefits of zone based

A
  • not dependent on ACLs
  • blocks unless explicitly allowed
  • policies easier to configure and troubleshoot
  • one policy affects all traffic in that zone, no need for multiple ACLs
17
Q

Actions of ZPF

A

Inspect: automatically allows return traffic and ICMP messages. Handles proper establishment of data sessions.

Pass: like permit in an ACL. Doesn't track the state of sessions. Only allows traffic in one direction; a similar corresponding policy must be applied in the opposite direction to allow two-way traffic.

Drop: like deny in an ACL. Log option available.
18
Q

IPS/IDS signature types

A

Atomic: one packet required
Composite: many packets required
19
Q

Atomic signatures

A
  • examines single packets for ICMP, TCP, UDP
  • doesn't require any knowledge of previous or future packets
  • IDS vulnerable …, IPS not
20
Q

Composite signature

A
  • requires multiple policies to match before an alarm is triggered; must maintain state info
  • sensor detects a packet that matches, then monitors subsequent packets
21
Q

IDS vs IPS

A

IDS: passive, promiscuous.
IPS: active, inline. Latency, packet loss etc.
22
Q

Five steps of setting up a GRE tunnel.

A
  • create tunnel interface
  • assign tunnel IP
  • identify source
  • identify destination
  • (optional) identify the protocol to be encapsulated
23
Q

Authentication header

A
  • doesn't provide confidentiality (encryption)
  • only ensures the origin of data and verifies data has not been modified in transit
  • if used alone provides weak protection
  • can have problems with NAT
24
Q

Encapsulating security payload (ESP)

A
  • same as AH but provides encryption
  • payload encrypted then hashed
25
Q

VPN transport/tunnel mode

A

Transport mode:
  • security provided for layer 4 and above only
  • ESP transport mode used between hosts
  • works well with GRE: GRE hides the address of the end host

Tunnel mode:
  • provides security for the whole IP packet
  • ESP tunnel mode used in remote access and site-to-site
  • IP packet encrypted and encapsulated in another IP packet (IP-in-IP encryption)
26
Q

IKE

A
  • helps IPsec securely exchange keys
  • combines the ISAKMP and Oakley protocols
  • IKE/ISAKMP terms often used interchangeably
27
Q

IKE phases

A

Phase 1:
  • negotiates the IKE protocol suite
  • exchanges keying material to protect DH sessions
  • peers authenticate each other
  • establishes the IKE SA

Phase 2:
  • negotiates IPsec parameters
  • establishes IPsec SAs
  • periodically renegotiates SAs to ensure security
  • optionally performs an additional DH exchange
28
Q

Services of IPsec

A

Confidentiality: provides encryption to prevent data being read

Integrity: hashes, checksums

Authentication:
  • usernames and passwords
  • one-time passwords
  • pre-shared keys
  • digital certificates
29
Q

Anti-replay protection

A

Verifies each packet is unique and not a duplicate. Packets are protected by comparing the sequence numbers. Late or duplicate packets are dropped.
30
Q

Application layer gateway firewalls

A

Firewalls which dynamically monitor application layer protocols and dynamically allow them through the firewall, for the duration of the session only.
31
Q

Steps in hacking

A
  • reconnaissance
  • social engineering
  • privilege escalation
  • back doors
32
Q

Providing secure access to a router

A
  • establish a dedicated management workstation
  • encryption of all data
  • packet filter
33
Q

Securing a router from attacks

A
  • physical security: locks, authentication
  • router hardening: services, ports etc.
  • OS security: max RAM, latest stable OS, secure copy as a backup
34
Q

Access rule criteria of firewalls. Name and describe four

A
  • rules based on service control: determine the type of services and access
  • rules based on direction control: i.e. HTTP outbound but not inbound
  • rules based on user control: restrictions on users inside the FW or on external VPN
  • rules based on behaviour control: controls how services behave, i.e. filter email to eliminate spam
35
Q

ALGs

A
  • higher level of security than packet filters
  • layers 3, 4, 5 and 7
  • they include specialised software and proxy servers
  • can provide detailed checks for valid data
  • act as an intermediary between client and server
  • external IP of the proxy is used, not the client's
36
Q

Advantages of ALGs

A
  • authenticate individuals, not devices
  • make it harder to spoof and DoS
  • monitor and filter apps
  • detailed logging
37
Q

IPS/IDS evasion techniques

A
  • traffic fragmentation
  • timing attacks
  • resource exhaustion
  • encryption and tunnelling
38
Q

Where would IPS and IDS be used together?

A

An IDS could be used on the outside of the firewall (untrusted network) in promiscuous mode to capture and analyse a lot of traffic and attacks. This information could then be used to make improvements to internal security and to an IPS running inside. The IPS would be inline on the inside of the firewall (trusted network) and could focus on defending the network more specifically, given the info collected by the external IDS.
39
Q

What does the TCP established keyword do?

A

Only allows return traffic. Forces the router to check for the TCP ACK and RST flags. If the ACK bit is set it's assumed to be return traffic; if not, it's dropped. This isn't stateful, it's basic.
40
Q

IPS signature-based detection technique. Advantages and disadvantages

A

Advantages:
  • easy to configure
  • gives fewer false positives
  • good signature design

Disadvantages:
  • can't detect unknown threats
  • initially produces a lot of false positives
  • signatures need to be created, updated and tuned
41
Q

IPS policy-based detection advantages and disadvantages

A

Advantages:
  • simple and reliable
  • allows for customisable policies
  • can detect unknown attacks

Disadvantages:
  • detailed knowledge of network traffic required
  • can be time consuming to create policies
42
Q

IPS anomaly-based detection advantages and disadvantages

A

Advantages:
  • easy to configure
  • can detect unknown attacks

Disadvantages:
  • difficult to profile typical activity in large networks
  • traffic policy must be constant
43
Q

IPS reputation-based detection advantages and disadvantages

A

Advantages:
  • leverages local, enterprise and global correlation
  • provides improved accuracy and relevance

Disadvantages:
  • prone to false positives and negatives
  • requires timely updates
44
Q

What is a signature file and engine?

A

An engine typically responds to the protocol in which the signature occurs and looks for malicious activity in that protocol. Used to load signature files and scan engines. Each engine works as an interrogator and specialises in one type of interrogation.
45
Q

What is anti-replay?

A

Verifies each packet is unique and not duplicated, by comparing sequence numbers. Packets that fall before the sliding window are considered late or duplicate and are dropped.
46
Q

AH?

A
  • data integrity through hashing
  • data origin authentication through hashing
  • anti-replay protection
  • protocol number 51
  • supports MAC with MD5 and SHA-2
  • doesn't provide confidentiality: all text unencrypted
  • problems with NAT
47
Q

ESP?

A
  • data confidentiality through encryption
  • data integrity through hashing
  • data origin authentication through hashing
  • anti-replay protection
  • it encapsulates the data to be protected
  • protocol number 50
48
Q

Transport mode

A
  • security provided to the transport layer and above
  • protects the payload but leaves the original IP address in plaintext
  • used between hosts; not compatible with NAT
  • works well with GRE because GRE hides the original IP
49
Q

Tunnel mode

A
  • provides security for the complete IP packet
  • original IP packet encrypted and then encapsulated in another IP packet (IP-in-IP encryption)
  • used in remote access and site-to-site VPNs
50
Q

What does IPsec use IKE for?

A
  • authenticates peers and generates encryption keys
  • negotiates SAs between peers
  • automatic key generation
  • automatic key refresh
  • manageable manual config
51
Q

IKE phase 1

A
  • negotiates the IKE protocol suite (encryption, hash, key exchange, lifetime)
  • exchanges keying material (DH)
  • peers authenticate each other
52
Q

IKE phase 2

A
  • which data should be protected between peers
  • what security protocols are used to protect traffic
  • how the data should be protected (encryption, hash)
  • what mode of operation (tunnel or transport)
  • what key management should be used
  • what the lifetime of the data connection is
53
Q

Five steps of VPN

A
  • interesting traffic arrives at the router
  • IKE phase 1
  • IKE phase 2
  • transmit data
  • tunnel terminated
54
Q

AH, ESP and NAT

A
  • AH breaks completely with any type of NAT
  • AH doesn't work with PAT because an outer UDP or TCP header is needed
  • AH won't work with NAT because most of the fields in the IP packet are used to calculate the HMAC
  • ESP works with NAT since the outer header is not included in the hash calculation
  • ESP doesn't work with PAT for the same reason as AH
55
Q

Advantages and disadvantages of a static packet filter

A

Advantages:
  • based on simple permit and deny statements
  • minimal impact on network performance
  • simple to implement
  • configurable on most routers
  • can perform many of the basic filtering needs

Disadvantages:
  • susceptible to IP spoofing
  • doesn't accurately filter fragmented packets
  • extremely long ACLs are hard to manage
  • stateless
  • doesn't work well with dynamic apps
56
Q

Advantages and disadvantages of ALGs

A

Advantages:
  • very tight control is possible due to layer 7 analysis
  • more difficult to attack end devices due to the proxy
  • provides very detailed logging
  • may be implemented on common hardware

Disadvantages:
  • processor intensive
  • not all apps supported
  • special client software may be needed
  • memory and disk intensive
57
Q

Advantages and disadvantages of stateful firewalls

A

Advantages:
  • can be used as the primary means of defence
  • can be implemented on routers and dedicated FWs
  • dynamic in nature
  • provides defence against DoS and spoofing

Disadvantages:
  • may not prevent app layer attacks
  • not all protocols contain controlled state info (UDP, ICMP etc.)
  • some dynamic apps may experience problems as the firewall tries to adapt and open ports
  • doesn't authenticate users by default
58
Q

Syntax for ZBF policy

A

```
class-map type inspect match-any MYCMAP
 match protocol http
 match protocol ftp
policy-map type inspect MYPMAP
 class type inspect MYCMAP
  inspect
```
59
Q

IKE phase 1

A

HAGLE:
  • Hash
  • Authentication
  • DH Group
  • Lifetime of the tunnel
  • Encryption algorithm for phase 1
60
Q

Solution to NAT problems with ESP

A

NAT traversal (NAT-T). Inserts a TCP or UDP header after the outer IP header but before the ESP header, allowing it to work with PAT. Dynamic and static NAT work with ESP but not AH, as AH includes the IP header in the hash calculation.