Lecture 2 - Network Security

Question 1

Basic Network Definition

Answer 1

Set of devices connected together.

Question 2

Four points of network security

Answer 2

Scalability (grow in users)
Availability (continuous)
Manageability (Staff able to manage)
Security (Not after thought)

Question 3

Seven Domains of IT infra

Answer 3

• User
  _ Workstation
• LAN
• LAN to WAN
• WAN
• Remote Access
• System/App

Question 4

User domain

Answer 4

Any individual associated with the org, with or without logins.

Threats: Social engineering/phishing

Question 5

Workstation domain

Answer 5

Workstations/standalone systems and home computers.

Threats: Malware, port scanning, default pass, unpatched OS.

Question 6

LAN Domain

Answer 6

Hosts on private LANs

Question 7

LAN to WAN Domain

Answer 7

Routers/firewalls at LAN/WAN connection point

Threats: Port scanning Dos

Vulnerabilities: Weak permeter security, default config, misconfig

Risks: Instability and malicious traffic

Question 8

Remote Access Domain

Answer 8

Org resources via remote access

Threats: Malware, rogue access point

Vulnerabilities: Unencrypted wireless, weak security controls

Risks: Compromise of remote sys results in org compromise

Question 9

WAN Domain

Answer 9

Routers, switches and firewalls that ensure connectivity between LANs

Threats: Eavesdropping, Availability

Vulnerabilities: DNS Poisoning

Risks: Attacks on DNS root, clear text traffic intercepted, disaster

Question 10

Sys/ App Domain

Answer 10

Servers, apps, databases etc

Threats: SQL injection, XSS, DoS

Vulnerabilities: Unpatched OS, misconfig, insecure code

Risks: Instability, Data loss, loss of function

Question 11

Network Analysis Steps

Answer 11

1. Create network baseline using Nmap/Zenmap
2. Capture data at specific points on net
3. Analyse captured data
4. Investigate/resolve, update baseline,

Question 12

Security Controls 3 sections

Answer 12

Physical
Procedural
Technical

Question 13

Physical Controls

Answer 13

• Door locks, guards etc
• Fire detection and suppression, other environmental
• Electrical grounding etc

Question 14

Procedural Controls

Answer 14

• Policies/procedures
• Insurance
• Background and financial checks
• Data loss prevention
• Awareness training

Question 15

Technical Controls

Answer 15

• Login ID
• TImeouts
  – Logs and audit trails
• Firewalls and routers
• Encryption/Public Key Infrastructure

Question 16

Firewall

Answer 16

Integrated colleciton of security mesaures that prevent unauthorised access to a network.

Question 17

A Firewall can/is:

Answer 17

• Security Gateway
• Traffic Control Device
• Packet Filtering
• Routing
• ENforce security policy
• Loggin
• Secure the net from external attack

Question 18

Firewalls are not/cannot:

Answer 18

• Be the only security
• Not an auth server
• Not a remote acces server
• Cannot see the content of encrypted packets
• Cannot see all traffic if positioned incorrectly
• Not a malicious code scanner
• Not an IDS.

Question 19

Firewall Ingress/Egree filtering

Answer 19

Monitoring and filtering directional inbound/outbound traffic

Question 20

Packet filtering

Answer 20

Examines network protocol headers and parameter.s

Stateless (rules) or stateful (conneciton states)

Question 21

Content Filtering

Answer 21

Focuses on network protocol payloads

Question 22

Firewall risks and disadvantages

Answer 22

• Central point of attack.
• Can degrade system performance
• May restrict legitimate users
• Do not provide data integrity and confidentiality

Question 23

Firewall rules

Answer 23

An instruction set that indicates what actions a firewall should take

Question 24

Firewall rule structure

Answer 24

• Protocol
• Src Address
• Src Port
• Target Address
• Target Port
• Action

Question 25

Why log?

Answer 25

• Validate rules
• Historical and reactive tracking

Question 26

WHat data to log?

Answer 26

• Connections
• Traffic to successfully traverse through the firewall
• Configuration Chagnes
• Firewall system access

Question 27

General rule for what protocols to allow

Answer 27

Allow encrypted protocols and only allow unencrypted for users that require it with sufficient training.

If it is internal you might allow it but again, risk assess.`

Question 28

DMZ Design

Answer 28

Segregate devices etc based on risk.
Isolate certain services + functions.
Adds additional security layer.

Question 29

DMZ

Answer 29

A zone with an intermediate trust level, between the internet and trusted internal network

Question 30

DMZ Architecture

Answer 30

Uses firewall to restrict access from internet to private LAN.

Single or dual firewall.

Question 31

DMZ single firewall

Answer 31

At least 3 network interfaces:

1st: External net
2nd: internal net
3rd: DMZ

Question 32

DMZ Dual Firewall

Answer 32

First firewall (frontend) configured to allow traffic destined to DMZ only
Second (backend) allows DMZ to internal.

Question 33

DMZ single vs dual

Answer 33

Cost
More rules and isngle point failure with single.

Question 34

RFC 1918

Answer 34

Address Allocation for Private Internets.

Most recommended for firewall configuration

Question 35

Private VLAN in DMZ

Answer 35

If one DMZ server is compromised, then can be used to access other DMZ servers.

Use VLANs to separate servers in the DMZ.

Question 36

DMZ general rules

Answer 36

Traffic to DMZ is authorised.
Traffic from the DMZ is prohibited/denied.
Traffic from internal to external is authorised but not in return.

Question 37

IDS

Answer 37

Intrusion Detection Systems

Question 38

Define an intrusion

Answer 38

Set of actions aimed to compromise security

Question 39

Activity is suspicious (IDS) if

Answer 39

1. Matches a pattern for known malicious activity
2. Differs significantly from previous patterns of use.

Question 40

IDS Components

Answer 40

Audit Data Preprocessor
Detection Engine (+Models)
Decision Engine (+Table)

Question 41

IDS Functions

Answer 41

1. Monitor activity
2. Audit Sys config
3. Assess system integrity
4. Recognise known attacks
5. Indentify abnormal activity
6. Manage audit trails
7. Correct config errors
8. Install/open traps to record info

Question 42

IDS Types

Answer 42

• Network (links/backbones)
• Host (OS)
• Distributed (group of remote sensor IDSes)
• Gateway (deployed at gateway)

Question 43

IDS responses

Answer 43

Alarm
Cut user access
Reject traffic
…

Question 44

IDS Problems

Answer 44

• Inaccuracy for exploit based signatures
• Cannot recognise unknown intrusions
• Cannot provide quality forensics info

Question 45

IDS before or after firewall

Answer 45

Before can be very slow but after might be quicker.

Before might be required to protect firewall