IT366 Study Guide


Typically, data from the outside is not allowed to be forwarded directly to a device on the internal network, nor vice versa. How can such data be forwarded if allowed? Hint: The firewall does not forward it directly.

Redirected to proxy server in the DMZ

In SNMP, messages carry data values that are defined in a hierarchical structure known as ____.

Management Information Bases (MIB)

What is NAT? How does it work? What is the implication of using it in "hide" mode?

NAT is commonly used to allow all the devices on an internal subnet to share a single external IP address.

What is an SNMP proxy agent?

An SNMP proxy agent may be used as a go-between, communicating with managers via SNMP and with the managed component using some other protocol.

The USM authentication module uses HMACs. What service/s does it provide? How?

The authentication module is designed to provide authentication of origin and authentication of integrity of an individual message by appending an HMAC to the message.

A very common approach in firewall design is to create a so-called DMZ. Why was this name chosen?

"demilitarized zone" (DMZ) between the trusted internal network and the untrusted outside world.

How is a padded cell different from a honeypot?

A padded cell also mimics the real system, but its purpose is to contain the damage of an attack. If an IDS detects an attack in progress, it can redirect attack traffic to the padded cell. If the attacker believes he/she is still in the target system (because it looks "real"), he/she may check it out, read data, even cause damage, but no real harm is done because the system has no valuable content.

What is an SNMP SET operation?

A manager can request an agent to change a data value/s for a specific object.

What is an SNMP GET operation?

A manager can retrieve a set of related data objects from an agent as follows:

A firewall creates network zones. Data cannot pass directly from a device in one zone to a device in another. How can data be passed between such devices if allowed?

A multi-homed host is a computer (typically a server, not a workstation) with multiple network interfaces (not just multiple IP addresses on one interface). The firewall software can implement policy rules regarding transfer of data between entities in the 3 zones. If a packet is to be forwarded, the firewall may modify it and will send it out of the appropriate network interface.

What is a stateful packet filter?

A stateful packet filter maintains a context (or state) for each packet forwarded and uses it to make filtering decisions for subsequent related packets. This allows it to accept or reject packets based not only on the content of each packet, but also on the context in which the packet appears. For example, it will reject a packet that appears to be a response for which there was not a valid request.

What is an application gateway?

An application gateway operates at a higher level, interpreting the context of data traffic for a single application-level protocol. For example, an email gateway can be configured to examine email messages passing through it to detect inbound "spam" and outbound relay traffic. The rules it applies require awareness of the structure of mail messages.

What is a "screened subnet" configuration? What device/s does it use?

An alternative design places the DMZ between two screening devices (typically routers). This is known as a screened subnet, because the DMZ portion of the network is hidden between the screening devices.

Trap

An unsolicited message sent from an agent to a manager. Some examples of Trap messages:
- coldStart - the agent is re-starting and its configuration may be different
- warmStart - the agent is re-starting with the same configuration
- linkDown - the agent's component has a communication link that has disconnected
- linkUp - the agent's component has a communication link that is newly connected
- authenticationFailure - the agent received a request that is not authenticated
- enterpriseSpecific - this is used for "custom" Traps

Data should not be allowed to "bounce" off any of the firewall's interfaces. Why not?

Direct outside-to-inside connections are not allowed. If direct inside-to-outside connections also are not allowed (which is common) and "bouncing" is prohibited in each zone, all traffic must pass to XOR from the DMZ.

How was authentication enabled in SNMPv1? To what type of attack was it vulnerable?

In SNMP v1, each agent would have a "community string" for read-only (Get) access and another for read-write (Get and Set) access (if Set was allowed for that agent). These community strings acted as simple passwords. A request would include the string and would only be responded to if it was correct. These strings were sent "in the clear" across the network, so eavesdropping ("sniffing") would reveal them to an attacker monitoring the network.

What is the implication of using it in "hide" mode?

It also "hides" the existence of the internal network. From the outside, there appears to be only the NAT router. This technique is sometimes called "IP masquerading".

What are the basic functions of a firewall?

It is designed to allow legitimate data traffic to pass in each direction, but prevent unauthorized data traffic in either direction. It is designed to provide security.

UDP was selected as the Transport layer protocol for SNMP. Why not use TCP?

SNMP was originally specified with UDP at the Transport layer. TCP was not used because problems in the network (which SNMP might help manage!) could cause SNMP messages to be lost. Studies have shown that TCP is fine when the network is fine, or close to it, but severe network problems make SNMP possibly unusable.

How does a GetRequest (or a SetRequest) identify a data value to be returned (or set)? How can a set of related values be requested and returned?

SNMPv1 defined 5 types of message:
- GetRequest - Sent from a manager to an agent to request a specific data object.
- GetNextRequest - Sent from a manager to an agent to request the next data object following some identified point in an MIB.
- GetResponse - Sent from an agent to a manager to return a data object.
- SetRequest - Sent from a manager to an agent to change a data object's value.

Does SNMP specify the content of such messages? Explain.

SNMPv1 defined 5 types of message:
- GetRequest - Sent from a manager to an agent to request a specific data object.
- GetNextRequest - Sent from a manager to an agent to request the next data object following some identified point in an MIB.
- GetResponse - Sent from an agent to a manager to return a data object.
- SetRequest - Sent from a manager to an agent to change a data object's value.
- Trap - An unsolicited message sent from an agent to a manager.

What is NAT? How does it work?

The NAT router will have a single external IP address for itself. For each TCP or UDP connection established by an internal device, the NAT router will translate the internal IP address and TCP/UDP port number to its external IP address and an "ephemeral" port number. The NAT router maintains a table of these associations. This allows multiple devices to use the same port number on the inside.

The USM privacy module uses symmetric encryption. What service/s does it provide? How?

The privacy module is designed to provide confidentiality of an individual message by encrypting it. DES in CBC mode was the first encryption algorithm specified.

What should they NOT be used for? (honeypot)

The purpose of a honeypot is not to gather evidence to prosecute intruders - it is to learn what techniques attackers use and what works against this target. This allows security professionals to design defensive measures for "live" targets.

What is a stateless packet filter?

The simplest type of firewall is a stateless packet filter. It examines the header of an IP packet (and possibly the TCP or UDP header of the payload) and uses programmed policy rules to determine whether the packet should be forwarded. Each packet is examined in isolation - there is no context or awareness of the state of the connection.

What is a DMZ in the firewall context? What should be in a DMZ?

This design is known as a screened host firewall, because the DMZ host(s) are "screened" behind the firewall. Servers that are designed to interact with entities on the outside are placed in the DMZ.

What is a honeynet?

A honeynet is a collection of honeypots networked together, usually in a separate network (or subnet) from the main network.

What is a "screened host" configuration? What device/s does it use?

A screening router and a bastion host. This design is known as a screened host firewall, because the DMZ host(s) are "screened" behind the firewall.

The VACM allows a "view" of the MIB to be defined for each user. What is a view?

A view is a subset (perhaps 100%) of the MIB contents, and defines whether the user has read-only or read-write access to each data value in the view.

A firewall is typically a network "gateway" between ____ and ____

A trusted internal network (e.g. a corporate intranet) and an untrusted external network (e.g. the Internet).

SNMP is a framework for sending and receiving messages over an IP-based network. What is it designed to allow?

SNMP allows monitoring of network devices such as servers, workstations, printers, routers, bridges, and hubs, as well as services such as Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS).

What is an SNMP manager? How is it typically controlled?

An SNMP manager is a component that allows agents to be managed remotely. Most managers are designed to be controlled by a human user.

Why are they used?(honeypot)

A honeypot is intended to make an intruder believe it is a "real" system, worth investigating and attacking. It needs to contain non-trivial data structures and data content - an attacker will quickly recognize an "empty shell". Ideally, it closely replicates the structure of valuable systems.

What is an SNMP agent? How does it typically operate?

An SNMP agent is a component that runs on some host. Typically an agent is an unattended software component that is always running.

What is a honeypot?

A honeypot is a host (computer) designed to attract attackers, like bears to honey. It is typically a server, not a workstation.

The USM timeliness module uses synchronized clocks and timestamps in messages. Why?

The timeliness module is designed to provide authentication of timeliness of an individual message by appending a timestamp to the message. If the integrity of the message content is authenticated (see the authentication module), the timestamp is checked to see if it is recent. (This requires synchronization of clocks across system components.)

How does the SNMPv3 USM limit access to authorized users?

- View-based access control
- authentication module
- timeliness module
- privacy module

