Lecture 16: 6th November 2019 Flashcards Preview


Flashcards in Lecture 16: 6th November 2019 Deck (49)
1
Q

What is a firewall?

A

A network security system implemented in hardware or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet. They hide the structure of the internal network.

2
Q

What is an IDS?

A

Intrusion Detection System = A network security system implemented in hardware or software that monitors a network or system for malicious activity or policy violations.

3
Q

What do default permit and default forbidden mean?

A

They refer to the default action taken on a packet by a firewall when a matching rule cannot be found. Default permit = let it in/out; default forbidden = drop it.

4
Q

What can firewalls do?

A

Firewalls cannot prevent all attackers, viruses or intruders.
They can:
- Permit authorised traffic
- Block or deny unauthorised traffic
- Log accesses in and out
- Provide a VPN link
- Authenticate users and give access to appropriate services
- Shield hosts
- Cache data to improve web site performance
- Filter content

5
Q

When do firewalls work best?

A

As part of a multilayered approach, aka defence in depth.

6
Q

What is defence in depth?

A

An information assurance concept in which multiple layers of security controls are used to protect a network to provide redundancy.

7
Q

Why is placement an important consideration involving firewalls?

A

Need to consider required connections outside of the network. Keep them possible but minimise number of machines outside a firewall.

8
Q

What are some types of firewalls?

A

Packet filters: look at packet headers for addresses, ports, protocols.

Stateful inspection filters: maintain state information and keep common ports open.

Stateless inspection filters: block or allow a packet based on header information.

Application proxies: simulate the application and perform access control.

Personal firewalls: block blacklisted traffic.

9
Q

How do packet filtering firewalls work?

A

Inspect IP headers and TCP and UDP port numbers. They bypass (allow through), discard, or protect (IPSec) packets.

10
Q

How do stateful inspection filtering firewalls work?

A

Examine packet payload in addition to headers to build up a state of the connection, held in a state table, in a cache. If a packet doesn’t correspond to the state of its connection pass to a rule base to check if it can be forwarded. Requires a lot of processing. Supports more protocols than a simple packet filter.

11
Q

How do Application Level Proxies work?

A

Proxies analyse the application layer data of IP packets. Proxies support protocols for SMTP, HTTP, SSH, FTP etc. Most commonly used for HTTP or SMTP traffic, functioning as a screen for all traffic into and out of ports. They are relatively slow as they have to inspect, compare, rebuild packets and process client requests. A complete server & client implementation in one box for every protocol the firewall should handle.

Client connects to firewall.
Firewall validates request.
Firewall connects to server.
Response comes back through firewall.

Can enforce application-specific policies and conceal clients, translate network addresses and filter content.

12
Q

What are Application Level Proxies aka?

A

Application Gateway, Proxy Server or Application Firewall

13
Q

What do proxies do?

A

A proxy server acts as a gateway between you and the internet. It’s an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy.

14
Q

How and why may proxies and packet filter firewalls be used together?

A

To provide a defence in depth.

  • Each type inspects different parts of IP packets.
  • Proxies scan the whole data portion, therefore they create larger log files.
  • If a packet filter has a rule for a packet the action is as directed (block or allow), therefore it is relatively faster.
  • A proxy has to rebuild the packet with new IP information.
  • The proxy rebuild means that damaged packets are dropped.

15
Q

What are some issues with firewalls?

A

Don’t protect against skilled attackers.

An accurate system state description must always be maintained to know the weakest point of entry.

Many attacks come through legitimate-seeming downloads.

Rules may proliferate and be used to make attacks.

16
Q

What are some limitations of firewalls?

A

Don’t protect against bug-based attacks, internal attackers, or attacks from machines within the network once compromised.

Can be routed around: tunnelling, dialup servers, cross-links.

Can be too restrictive and stop you from doing what you want.

Encrypted traffic can always get through, even if malicious.

Many services now run over HTTP to avoid firewalls, which defeats the purpose and has made protocol design worse.

17
Q

What are some network topologies that pertain to firewalls?

A

The Bastion Server can be the firewall: running all external services and acting as a packet filter or proxy. Alternatively, the firewall does packet filtering and monitoring or there is a second LAN to hold the external servers that deal with mail, web, etc. services.

Screened Subnet (DMZ): has an interface towards the external network/Internet and another towards the protected network. A third interface card screens the screened subnet. This third area, the Demilitarised Zone, provides services to external users such as Web or SMTP servers.

Dual Firewalls: Instead of a single firewall with 3 interfaces, the dual firewall uses 2 firewalls with the screened subnet between them. The protected network is therefore behind two firewalls.

18
Q

What is a firewall rule base?

A

A set of instructions that governs the actions of a firewall on packets with certain properties.

19
Q

What are the fields in a firewall IDS?

A

1. Control or rule number
2. Type of rule: Allow, Deny, Drop, Alert
3. The direction of traffic: inbound or outbound
4. Transport protocol: UDP, TCP, etc.
5. Source socket: host & service identification
6. Destination socket: receiving host & service identification
7. Policy number: refers to management policies.

20
Q

What is a permissive firewall rule base?

A

Permissive = allow by default, block some.

  • Easy to make mistakes.
  • If you forget to block something, you are allowing it into the system unchallenged.
  • Protocol management to prevent “on-the-fly” changes by staff.

21
Q

What is a restrictive firewall rule base?

A

Restrictive = block by default, allow some.

  • Much more secure.
  • If you forget something, someone will complain and you can allow the protocol, but it’s overhead and annoying for users.

22
Q

Why may tunneling be a security issue with firewalls?

A

Can make an encapsulating tunnel to wrap your actual IP packets in a service or port number that is permitted by the firewall and have them de-encapsulated either side.

23
Q

What is a vulnerability assessment?

A

The process of identifying, quantifying, and prioritizing (or ranking) security flaws in a system or network. May include open ports, software used, network topology, and a prioritised list of vulnerabilities.

24
Q

What tools can you use to perform a vulnerability assessment?

A

Software: ISS Scanner, Stat, Nessus, etc.
Audit Services: manual Penetration tests
Web based commercial: Qualys, Security Point, etc

25
Q

What is an intrusion?

A

Any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and almost always jeopardize the security of networks and/or their data.

26
Q

What is an IDPS?

A

Intrusion Detection and Prevention System = real name for an IDS to note importance of preventing intrusions as well as detecting and reacting to them. IDS = A network security system implemented in hardware or software that monitors a network or system for malicious activity or policy violations.

In practice, firewalls and IDSes are combined into one system - IDPSes.

27
Q

What are the 2 general approaches to intrusion detection?

A

Misuse detection: Knowledge-based IDS - Rule Based

Anomaly detection: Behaviour-based IDS - statistical anomalies

28
Q

What is an attack signature?

A

A unique arrangement of information that can be used by an IDS to identify an attacker’s attempt to exploit a known operating system or application vulnerability.

29
Q

What is a knowledge-based IDS?

A

An IDS which looks for attack signatures in traffic data and log files to detect intrusions.

30
Q

How do knowledge-based IDSes work?

A

They look for attack signatures in traffic data and log files that indicate suspicious behaviour, such as login attempts, time of access, SYN flooding, escalation of privileges, unknown access, and target acquisition. They consider known information including security policies and known vulnerabilities.

31
Q

What is a knowledge-based IDS aka?

A

misuse-based IDS and rule-based IDS

32
Q

Why does an IDS not need to know about security vulnerabilities in a particular system? Does an IDS really perform intrusion detection?

A

It actually just needs to know the rules of the normal baseline and where an anomaly is, not the underlying attack. No: it just identifies anomalies outside of set limits (rules) which indicate intrusions, not intrusions themselves.

33
Q

What is the architecture of IDSes?

A

Distributed sensors to gather data and a centralised console to manage sensors, analyse data, report and react.

Ideally:

  • Protected communications between sensors and console
  • Protected storage for signature database/logs
  • Secure console configuration
  • Secured signature updates from vendor
  • Otherwise, the IDS itself can be attacked and manipulated; IDS vulnerabilities have been exploited

34
Q

What are some types of IDS?

A

Network-Based IDS (NIDS).

Host-Based IDS (HIDS).

Knowledge-based IDS: An IDS which looks for attack signatures in traffic data and log files to detect intrusions.

35
Q

What is a HIDS?

A

Host-Based IDS (HIDS): These look at logfiles to verify Message digests/checksums of key system files. They are effectively an internal system monitor. An intrusion detection system that monitors the computer infrastructure on which it is installed, analyzing traffic and logging malicious behavior.

A Network-based IDS (NIDS) looks for attack signatures in network traffic whereas a Host-based IDS (HIDS) looks for attack signatures in log files of hosts.

36
Q

What is a NIDS?

A

Network-Based IDS (NIDS): these can be trained to recognise attack signatures via pattern matching (e.g. expressions, bytecode), frequency or threshold crossing (uncommon port usage). IDSes that are intelligently distributed within networks that passively inspect traffic traversing the devices on which they sit and report back to an administrator.

A Network-based IDS (NIDS) looks for attack signatures in network traffic whereas a Host-based IDS (HIDS) looks for attack signatures in log files of hosts.

37
Q

How does a HIDS work?

A

Usually monitors system, event, and security logs on Windows and syslog in Unix environments.
- E.g., observe sequences of system calls to check whether a change from user to supervisor mode had been effected properly through a command like su.

Verify checksums of key system files & executables at regular intervals for unexpected changes. Some products use regular expressions to refine attack signatures.
- E.g., passwd program executed AND .rhosts file changed. Some products listen to port activity and alert when specific ports are accessed – limited NIDS capability.

38
Q

How does a NIDS work?

A

Uses network packets as data source. Typically a network adapter running in promiscuous mode.

Monitors and analyzes all traffic in real-time.

Attack recognition module uses three common techniques to recognise attack signatures:

  • Pattern, expression or bytecode matching;
  • Frequency or threshold crossing (e.g. detect port scanning activity);
  • Correlation of lesser events (in reality, not much of this in commercial systems).

39
Q

Why are NIDSes and HIDSes often used together?

A

They complement each other’s capabilities.

Attacks a NIDS can detect but a HIDS cannot:
SYN flood, Smurf, Teardrop, Backdoor…

And HIDS but not NIDS:
Trojan login script, walk up to an unattended keyboard, encrypted traffic…

40
Q

What are the three main types of action taken by an IDS in response to an intrusion?

A

notify; store; react (action).

41
Q

What may a NIDS do in response to an intrusion?

A

Notify: alarm to console, email, SNMP trap, view active session

Store:
NIDS: log summary, log network data

Action:
NIDS: kill connection (TCP reset), reconfigure firewall

42
Q

What may a HIDS do in response to an intrusion?

A

Notify:
HIDS: alarm to console, email, SNMP trap

Store:
HIDS: log summary

Action:
HIDS: terminate user log in, disable user account, restore index.html

43
Q

What are some dangers of automated intrusion response?

A

Attacker tricks IDS to respond, but response aimed at innocent target (say, by spoofing source IP address).

Users locked out of their accounts because of false positives.

Repeated e-mail notification becomes a denial of service attack on sysadmin’s e-mail account.

Repeated restoration of index.html reduces website availability

44
Q

What are the main challenges associated with IDSes?

A

Collecting and evaluating large amounts of data.
- Combine events for more compact presentation.
False positives, false negatives.

Live intrusion detection systems generate lots of data.
- E.g., a DMZ with 60 hosts, monitored 7 days by NIDS with 244 signatures: 771,733 alerts created (Gollman).

Data mining applied for extracting useful information from such data collections.

Context-aware systems filter out attacks that are irrelevant for the systems being monitored.
- Ignore attacks on software or services you are not running.

45
Q

Are anomalies necessarily attacks?

A

No, they are only patterns which are thought to indicate an intrusion/attack has taken place or is taking place.

46
Q

Where are IDSes useful?

A

As a second line of defence (in addition to firewalls, cryptographic protocols, etc.).

47
Q

Why can firewall rules often have poor performance?

A

Akin to a big switch statement or many conditionals, so the performance of rules is sensitive to their ordering (bad if check every rule and at the very end, with a rule for each possibility).

48
Q

What was the POODLE attack?

A

A MITM attack for SSL connections to browsers. The attacker forces the connection to use SSL 3.0 then exploits a design flaw in SSL 3.0 that allows the padding of data at the end of a block cipher to be changed so that the encryption cipher becomes less secure each time it is passed. It eventually reveals the plaintext input after repeatedly padding messages.

49
Q

What is a dual firewall?

A

Instead of a single firewall with 3 interfaces, the dual firewall uses 2 firewalls with the screened subnet between them. The protected network is therefore behind two firewalls. One firewall sits before the subnet and after the internal network, screening intranetwork traffic. The other sits after the subnet and before the Internet, screening internetwork traffic.