Module 12 - Evading IDS, Firewalls, and Honeypots


The firewall architecture consists of which 3 elements?

- Bastion Host
- Screened Subnet
- Multi-homed Firewall

Actions that an IPS is meant to perform:

- Generate alerts if any abnormal traffic is detected in the network
- Continuously record real-time logs of network activities
- Block and filter malicious traffic
- Detect and eliminate threats quickly, as it is placed inline in the operational network
- Identify threats accurately without generating false positives

*An IPS takes actions based on certain rules and policies configured into it. In other words, the IPS can identify, log, and prevent the occurrence of any intrusion or attack in the network. An IPS can also be employed to detect critical issues in corporate security policies, such as notorious insider threats, malicious network guests, etc.

What are the 2 types of firewalls?

- Hardware firewalls
- Software firewalls

Several firewall technologies are available for organizations to implement their security measures. Sometimes, firewall technologies are combined with other technologies to build another firewall technology. For example, NAT is a routing technology; however, when it is combined with a firewall, it is considered a firewall technology. The various firewall technologies are listed below:

- Packet filtering
- Circuit-Level Gateways
- Application-Level Firewall
- Stateful Multilayer Inspection
- Application proxies
- VPN
- Network Address Translation

What are the three methods used by an IDS to detect intrusions in the network?

- Signature Recognition
- Anomaly Detection
- Protocol Anomaly Detection

The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate a _______________ intrusion.

file system

Cisco ASA and FortiGate are examples of software firewalls or hardware firewalls?

hardware firewalls

What is the best way to present alarms?

to explain which part of the system is compromised

Like IDS, IPS are also classified into two types:

- Host-based IPS
- Network-based IPS

3 disadvantages of a hardware firewall:

- More expensive than a software firewall
- Difficult to implement and configure
- Consumes more space and involves cabling

Diagram 1061

What are a few things that need to be done before deploying the IDS?

- Analyze the network topology
- Understand how the traffic flows to and from the resources that an attacker can use to gain access to the network
- Identify the critical components that will be possible targets of various attacks against the network

*After the position of the IDS in the network is determined, the IDS must be configured to maximize its network protection effect.

A dedicated firewall placed on the perimeter of the network. Built into broadband routers or used as a standalone product. Employs the technique of packet filtering. Is this a software firewall or a hardware firewall being described?

Hardware Firewall

This type of firewall functions on an individual system or a particular network connected using a single interface. Software or hardware firewall?

Hardware Firewall

*It reads the header of a packet to find out the source and destination addresses, and compares them with a set of predefined and/or user-created rules that determine whether it should forward or drop the packet. However, hardware firewalls are expensive as well as difficult to implement and upgrade.

Sometimes harmless (innocent) network traffic can have a pattern that looks like an attack. When this happens, the IDS mistakenly thinks an attack is happening, even though it is not, and sends a false positive alert. A false positive alert is when...

the IDS raises an alarm for something that isn't actually a threat.

*Improper signatures may trigger false alerts. To detect misuse, a massive number of signatures is required. The more signatures there are, the greater the chances that the IDS detects attacks; however, traffic may incorrectly match the signatures, thus impeding system performance.

What is one of the most common places to deploy an IDS?

near the firewall

*Depending on the traffic to be monitored, an IDS is placed outside/inside the firewall to monitor suspicious traffic originating from outside/inside the network. When placed inside, the IDS is ideally located near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network.

A sudden increase in bandwidth consumption is an indication of ______________ intrusion.

network

Repeated probes of the available services on your machines are an indication of (a) _________________________ intrusion.

network

A sudden influx of log data could indicate a _______________ intrusion.

network

*A sudden influx of log data could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks.

General indicators of network intrusions:

- A sudden increase in bandwidth consumption
- Repeated probes of the available services on your machines
- Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network
- Repeated login attempts from remote hosts
- A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks

3 disadvantages of a software firewall:

- Consumes system resources.
- Difficult to uninstall.
- Not appropriate for environments requiring faster response times.

What happens if the packet signatures match perfectly with the signatures in the IDS signature database?

The activity detection system can alert admins about possible attacks.

Any service such as email, web, or FTP that provides access to external users can be placed in the DMZ. However, what can NOT reside in the DMZ?

Web servers that communicate with database servers cannot reside in the DMZ, as they could give outside users direct access to sensitive information.

Main functions of IDS:

- An IDS gathers and analyzes information from within a computer or a network to identify possible violations of the security policy, including unauthorized access, as well as misuse.
- An IDS is also referred to as a "packet sniffer," which intercepts packets traveling via various communication media and protocols, usually TCP/IP.
- The packets are analyzed after they are captured.
- An IDS evaluates traffic for suspected intrusions and raises an alarm upon detecting such intrusions.

What are the three advantages of IPS over IDS?

- Unlike IDS, IPS can block as well as drop illegal packets in the network
- IPS can be used to monitor activities occurring in a single organization
- IPS can prevent the occurrence of direct attacks in the network by controlling the amount of network traffic

A DMZ is created using a firewall with ________________________________, that are assigned specific roles, such as an internal trusted network, a DMZ network, or an external untrusted network (internet).

a firewall with three or more network interfaces

*Any service such as email, web, or FTP that provides access to external users can be placed in the DMZ.

What does a circuit-level gateway firewall check as a way to determine whether a requested session is valid?

It checks the TCP handshake between packets.

What are the 2 types of intrusion detection systems?

1. Network-Based Intrusion Detection System
2. Host-Based Intrusion Detection System

Application proxies operate at which OSI layer(s)?

Application

Circuit-Level Gateways operate at which OSI layer(s)?

Session layer

VPNs operate at which OSI layer(s)?

- Application
- Presentation
- Session
- Transport
- Network
- Data Link

All except the physical layer

Also known as "not-use detection", this type of detection involves a database of anomalies. It detects intrusions based on the fixed behavioral characteristics of the users and components in a computer system.

Anomaly Detection

This firewall focuses on the application layer rather than just the packets. Incoming and outgoing traffic is restricted to services supported by the proxy; all other service requests are denied.

Application-Level Firewall

Application-based proxy firewalls work at the application layer instead of just focusing on data packets. These firewalls, called application-level gateways (or proxies), can filter data at the application layer of the OSI or TCP/IP models. They allow only traffic for certain services that the proxy supports, blocking everything else. These firewalls are needed because there is a lot of voice, video, and shared data at the data-link and network layers, which could be used to gain unauthorized access to networks. When set up as web proxies, application-level gateways block certain types of traffic like FTP, gopher, and telnet. They also inspect and filter commands specific to applications, like HTTP POST and GET requests.

What does an IDS typically check for when monitoring inbound/outbound traffic?

Signatures that match known intrusion patterns; it raises an alarm when a match is detected.

Which type of firewall tends to use more resources than the other, which reduces the speed of the system? Software or hardware firewall?

software

Designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A computer system designed and configured to protect network resources from attacks.

Bastion Host

A bastion host is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall. It has two interfaces:

- Public interface directly connected to the Internet
- Private interface connected to the intranet

Norton, McAfee, and Kaspersky are all examples of software firewalls or hardware firewalls?

software firewalls

Which type of firewall allows or prevents data streams but does not filter individual packets? It is also relatively inexpensive and hides information about the private network that it protects.

Circuit-Level Gateway Firewall

Which type of firewall monitors requests to create sessions and determines whether those sessions will be allowed?

Circuit-Level Gateway Firewall

This firewall works at the session layer of the OSI model or transport layer of TCP/IP. It forwards data between networks without verification and blocks incoming packets from the host but allows the traffic to pass through itself.

Circuit-Level Gateway Firewall

Information passed to remote computers through a circuit-level gateway will appear to have originated from the gateway, as the incoming traffic carries the IP address of the proxy (circuit-level gateway). Such firewalls monitor requests to create sessions and determine if those sessions will be allowed.

When using a three-homed firewall, where are the 3 connections made?

- First connection: links to the internet, so public users can send requests.
- Second connection: goes to the DMZ, where public-facing services (like a website) are hosted.
- Third connection: connects to your private network (intranet), which is kept secure.

The DMZ responds to public requests and has no hosts accessed by the private network. Internet users cannot access the private zone.

What serves as a buffer between the secure internal network and the insecure internet?

DMZ

*Adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network.

An area that hosts computers or a small sub-network placed as a neutral zone between a particular company's internal network and an untrusted external network to prevent outsider access to a company's private data.

Demilitarized Zone (DMZ)

In packet filtering, what is used to check if the packet is going to the correct destination and if the destination accepts these types of packets? Can be found from the IP header of the packet.

Destination IP address

In packet filtering, what is used to monitor the destination port regarding the services to be allowed and the services to be denied?

Destination TCP/UDP port

In packet filtering, what is used to check whether the packet is entering or leaving the private network?

Direction

Occurs when an IDS fails to react to an actual attack event. This condition is the most dangerous failure, as the purpose of an IDS is to detect and respond to attacks. A) True Positive B) False Negative C) False Positive D) True Negative

False Negative (Attack - No Alert)

Occurs if an event triggers an alarm when no actual attack is in progress. It occurs when an IDS treats regular system activity as an attack. False positives tend to make users insensitive to alarms and weaken their reactions to actual intrusion events. While testing the configuration of an IDS, administrators use false positives to determine whether the IDS can distinguish between false positives and real attacks. A) True Positive B) False Negative C) False Positive D) True Negative

False Positive (No attack - Alert)

Software or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks.

Firewall

Firewalls are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls examine all the messages entering or leaving the intranet and block those that do not meet the specified security criteria. Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports. A firewall can be configured to check inbound traffic at a "checkpoint," where a security audit is performed. It can also act as an active "phone tap" tool for identifying an intruder's attempt to dial into modems in a secured network.

This type of IDS analyzes each system's behavior.

Host-Based IDS

*The HIDS can be installed on any system ranging from a desktop PC to a server. It is more versatile than the NIDS. In addition to detecting unauthorized insider activity, host-based systems are also effective in detecting unauthorized file modification. The HIDS focuses on the changing aspects of local systems. It is also more platform-centric, with a greater focus on the Windows OS; nevertheless, other HIDS are available for UNIX platforms. These mechanisms usually include auditing events that occur on a specific host. They are not very common because of the overhead they incur by having to monitor each system event.

What happens if the signature matches?

The IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or raising an alarm to notify the administrator.

Diagram 1051

What is the disadvantage of the three-homed firewall?

If it is compromised, both the DMZ and the intranet could also be compromised.

*A safer technique is to use multiple firewalls to separate the Internet from the DMZ, and to then separate the DMZ from the intranet.

In packet filtering, what is used to check whether the packet is coming from an unreliable zone?

Interface

A security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions.

Intrusion Detection System (IDS)

IDS are extremely useful as they monitor the inbound/outbound traffic of the network and continuously check for suspicious activities to detect a network or system security breach.

Considered an active IDS, as it is capable of not only detecting intrusions but also preventing them.

Intrusion Prevention System (IPS)

*IPS are continuous monitoring systems that often sit behind firewalls as an additional layer of protection. Unlike IDS, which are passive, IPS are placed inline in the network, between the source and the destination, to actively analyze the network traffic and make automated decisions regarding the traffic that is entering the network.

A node with multiple NICs that connects to two or more networks. It connects each interface to separate network segments logically and physically. It also helps in increasing the efficiency and reliability of an IP network. Has more than three interfaces.

Multi-homed Firewall

*The multi-homed firewall has more than three interfaces that allow for further subdividing the systems based on the specific security objectives of the organization. However, the model that provides deeper protection is the back-to-back firewall. In short, a multi-homed firewall handles all traffic by itself, while a screened subnet uses multiple firewalls for more separation and protection between zones.

Network Address Translation (NAT) operates at which OSI layer(s)?

Network layer

Stateful Multilayer Inspection operates at which OSI layer(s)?

Network layer

This type of IDS checks every packet entering the network for the presence of anomalies and incorrect data. It captures and inspects all traffic and generates alerts at the IP or application level based on the content.

Network-Based IDS

*NIDS are more distributed than host-based IDS. The NIDS identifies the anomalies at the router and host levels. It audits the information contained in the data packets and logs the information of malicious packets; furthermore, it assigns a threat level to each risk after receiving the data packets. The threat level enables the security team to remain on alert. These mechanisms typically consist of a black box placed on the network in promiscuous mode, listening for patterns indicative of an intrusion. It detects malicious activity such as DoS attacks, port scans, or even attempts to break into computers by monitoring network traffic.

In this firewall, each packet is compared with a set of criteria before it is forwarded. It focuses on individual packets, analyzes their header information, and determines which way they need to be directed.

Packet filtering firewall

Depending on the packet and the criteria, the firewall can drop the packet, transmit it, or send a message to the originator. The rules can include the source and the destination IP address, the source and the destination port number, and the protocol used. It works at the internet layer of the TCP/IP model or the network layer of the OSI model.

What is the difference between passive and active IDS?

A passive IDS only detects intrusions, while an active IPS not only detects intrusions in the network but also prevents them.

This type of detection depends on the anomalies specific to a protocol. It identifies particular flaws in a vendor's deployment of the TCP/IP protocol. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication.

Protocol Anomaly Detection

In packet filtering, what is used to check whether the protocol that the packet is carrying should be allowed?

Protocol in use

A protected network created with a two- or three-homed firewall behind a screening firewall; the term is commonly used to refer to the DMZ.

Screened Subnet

1. You have two firewalls: one facing the public internet and another facing your private network.
2. Between these firewalls is a special zone called a demilitarized zone (DMZ), where things like public-facing web servers are kept.
3. If someone tries to attack, they first have to get through the first firewall and the DMZ before they can even attempt to reach the internal network.

This setup creates a buffer zone to reduce the risk of attackers reaching the internal systems.

Sudden changes in logs, such as short or incomplete logs, are an indication of _____________ intrusions.

system

Unfamiliar processes could be an indication of _______________ intrusion.

system

Unusual graphic displays or text messages could be an indication of ________________ intrusion.

system

Usually, slow system performance is an indication of ____________________ intrusion.

system

Also known as misuse detection, this type of detection tries to identify events that indicate an abuse of a system or network. It involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision.

Signature Recognition

The signatures for IDS were created under the assumption that the model must detect an attack without disturbing normal system traffic. Only attacks should match the model; otherwise, false alarms could occur.

This type of firewall sits between a regular application and the networking components of the OS. It is more useful for individual home users and is suitable for mobile users who need digital security when working outside the corporate network. Software or hardware firewall?

Software Firewall

*Further, it is easy to install on an individual's PC, notebook, or workgroup server. It helps protect your system from outside attempts at unauthorized access and provides protection against everyday Trojans and email worms. It includes privacy controls, web filtering, and more.

This type of firewall implants itself in the critical area of the application/network path. It analyzes the data flow against the rule set.

Software firewall

In packet filtering, what is used to check whether the packet is coming from a valid source? Can be found from the IP header of the packet.

Source IP address

Used to check whether the packet is coming from a VALID source. The information about the source IP address can be found in the IP header of the packet.

In packet filtering, what is used to check the source of the packet?

Source TCP/UDP port

In packet filtering, what is used to check whether the packet has SYN, ACK, or other bits set for the connection to be made?

TCP flag bits

Packet filtering operates at which OSI layer(s)?

- Transport layer
- Data Link layer

Occurs when an IDS identifies an activity as acceptable behavior and the activity is acceptable. A true negative means successfully ignoring acceptable behavior. It is not harmful, as the IDS performs as expected in this case. No Attack, No Alert. A) True Positive B) False Negative C) False Positive D) True Negative

True Negative (No attack - No Alert)

Occurs when an event triggers an alarm and causes the IDS to react as if a real attack is in progress. The event may be an actual attack, in which case an attacker attempts to compromise the network, or it may be a drill, in which case security personnel use hacker tools to test a network segment. Attack - Alert. A) True Positive B) False Negative C) False Positive D) True Negative

True Positive (Attack - Alert)

Which 2 new virus attacks have driven the need for multiple signatures for a single attack?

URSNIF and VIRLOCK

*To catch these attacks, an Intrusion Detection System (IDS) might need multiple signatures, kind of like having different fingerprints for the same person. Even a small change, like flipping one bit (a tiny piece of data), can make the old "fingerprint" (signature) useless. So, new signatures are needed to recognize each variation of the attack, even if it's almost the same as the original.

Where should a firewall always be installed?

Away from the rest of the network, so that none of the incoming requests can gain direct access to a private network resource.

What is the most challenging step in creating an anomaly detector?

establishing a model of normal use

*It keeps track of normal activity and then looks for anything that seems "off" or different. However, network traffic is often unpredictable, and there are lots of small changes that happen all the time. This makes it hard to build an accurate model of what "normal" traffic looks like. As a result, the system might flag harmless changes as problems, labeling them as anomalies when they're just normal variations in how the network is used. Also, these models aren't perfect for every network, so it's important to use them on specific networks where they can be more accurate.

General Indications of Intrusions: general indicators of file system intrusions:

*By observing system files, the presence of an intrusion can be identified. System files record the activities of the system. Any modification or deletion of the file attributes or the file itself is a sign that the system has been a target of an attack:

- If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other network systems.
- When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains administrator privileges, he/she could change file permissions, for example, from read-only to write.
- Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files.
- The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
- You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
- Missing files are also a sign of a probable intrusion/attack.

3 advantages of a software firewall:

- Less expensive than hardware firewalls.
- Ideal for personal or home use.
- Easier to configure and reconfigure.

3 advantages of hardware firewalls:

- Security: A hardware firewall with its own operating system (OS) is considered to reduce security risks and increase the level of security controls.
- Speed: Hardware firewalls initiate faster responses and enable more traffic.
- Minimal Interference: Since a hardware firewall is a separate network component, it enables better management and allows the firewall to be shut down, moved, or reconfigured without much interference in the network.

General indicators of system intrusions:

- Sudden changes in logs such as short or incomplete logs
- Unusually slow system performance
- Missing logs or logs with incorrect permissions or ownership
- Modifications to system software and configuration files
- Unusual graphic displays or text messages
- Gaps in system accounting
- System crashes or reboots
- Unfamiliar processes

What is the primary purpose of the IDS?

provide real-time monitoring and detection of intrusions

*Additionally, a reactive IDS (and IPS) can intercept, respond to, and/or prevent intrusions.

What is the advantage of screening a subnet away from the intranet?

Public requests can be responded to without allowing traffic into the intranet.
