Firewall Outline

Building Internet Firewalls


Chapter 1

	What are you trying to protect?
		Your data
		Your resources
		Your reputation
	What characteristics of your data need to be protected?
		Secrecy - they can't see it
		Integrity - they can't change it
		Availability - we can access it
	Types of attacks
		Intrusion
		Denial of service
		Information theft
	Protection models
		No security
		Security through obscurity
		Host security
		Network security
	What is a firewall?
		Restrict entry through a choke point
		Protects other defenses
		Restrict exit through a choke point
	What can a firewall do?
		A focal point for security decisions
		Enforcement point for security policies
		Log activity efficiently
		Limits your exposure
	What can't a firewall do?
		Protect against malicious insiders
		Protect what doesn't go through it
		Complex new threats
		Protect against viruses
		Set itself up correctly

Chapter 2

	What are some services that you might want to allow or block?
		web - http/https
		email - smtp
		file transfer - ftp
		remote terminal access - telnet / ssh
		hostname/address lookup - DNS/LDAP/WINS
		file/print sharing - SMB/NetBIOS/NFS/lpd
		Remote graphical interfaces - X11/VNC/Terminal
			Services/PCanywhere/BO2k
		Real-time conferencing - IM/NetMeeting/MBONE
		System Management - SNMP
		Routing - RIP/OSPF/EGP/BGP/...
		Network Diagnostics - ping/traceroute
		Network Time
		Databases - MSSQL/Oracle/...
		Games - quake/...

Chapter 3

	What are some common security principles?
		Least Privilege
		Defense in depth
		Choke point
		Weakest Link
		Fail-safe stance
		Universal participation
		Diversity of Defense
		Inherent Weaknesses
		Common Configuration
		Common Heritage
		Skin-deep differences
		Simplicity
		Security through obscurity

Chapter 4

	What are the common layers of network protocols?
		Application layer - smtp, telnet, ftp, ...
		Transport layer - TCP, UDP, ICMP, ...
		Internet layer - IP
		Network access layer - Ethernet, FDDI, ATM, ...
	What is meant by the term "encapsulation"?
	What are some non-IP protocols?
		AppleTalk
		IPX
	What are some attacks based on low-level protocols?
		Port scanning
		IP spoofing
		Packet interception

Chapter 5

	What do the following terms mean?
		Firewall
		Host
		Bastion host
		Dual-homed host
		Network address translation (NAT)
		Packet
		Packet filtering
		Perimeter network
		Proxy
		Virtual Private Network (VPN)

Chapter 6

	Describe how each of the following firewall architectures works
		Screening router
		Perimeter Network
		Split perimeter network

Chapter 7

	What attributes would you consider when choosing a firewall?
		Scalability
		Reliability & Redundancy
		Auditability
		Price
		Ease of management and configuration
		Adaptability
		Appropriateness

Chapter 8

	What components are used in developing packet filter rules?
		Source IP address
		Destination IP address
		Source Port
		Destination Port
		Protocol
	What does stateful or dynamic packet filtering do?
	What is masquerading or Network Address Translation (NAT)?

Chapter 9

	What is a proxy?  What does it do?
	What are some common proxies?
		Socks
		TIS Firewall Toolkit
		Microsoft Proxy Server

Chapter 10

	What makes a Bastion Host?
		Turn off unused services
		Keep up to date with vendor patches
		Watch it closely

Chapter 11

	What services might you want to disable on a Unix bastion host?
		nfsd
		biod
		mountd
		statd/lockd/rquotad
		automountd/amd
		keyserv
		rexd/walld
		tftpd
		bootpd/dhcpd
		rlogin/rsh/rcp/rexec
		routed
		fingerd
		ftpd
		uucpd
		rwhod
		lpd
		echo/chargen/discard/daytime/qotd
	What security audit tools might you use on a Unix host?
		COPS
		SATAN
		Tiger
		Tripwire

Chapter 12

	What services might you want to disable on a NT/W2k server?
		DNS
		Printing
		NetBIOS
		RAS
		echo/chargen/discard/daytime/qotd
		snmp

Chapter 13

	List some different kinds of attacks against internet services
		Command channel attacks
		Data driven attacks
		False authentication
		Hijacking
		Packet sniffing
		Data injection and modification
		Replay
		Denial of service
	What are some indicators of Security?
		Security was one of the design criteria
		Supplier appears to be aware of major types of security
			problems and can speak to how they have been avoided
		It is possible to review the code
		Somebody you know and trust has reviewed the code
		A process is in place to distribute notifications of
			security problems and updates
		Server implements a recent version of the protocol
		Uses standard error logging mechanisms (syslog/Event Viewer)
		Has a secure distribution mechanism

Chapter 14

	List some types of Remote Procedure Call mechanisms
		Sun RPC
		Microsoft RPC
		Distributed Component Object Model (DCOM)
		NetBIOS over TCP/IP (NetBT)
		Common Internet File System (CIFS)
		Server Message Block (SMB)
		Common Object Request Broker Architecture (CORBA)
		Internet Inter-ORB Protocol (IIOP)
		ToolTalk
	List some network level security protocols
		Transport Layer Security (TLS)
		Secure Sockets Layer (SSL)
		Generic Security Services API (GSSAPI)
		IPsec
		Remote Access Service (RAS)
		Point to Point Tunneling Protocol (PPTP)
		Layer 2 Tunneling Protocol (L2TP)

Chapter 15

	What are some web related languages?
		JavaScript
		VBScript
		Java
		ActiveX
	What are some web related protocols?
		Internet Cache Protocol (ICP)
		Cache Array Routing Protocol (CARP)
		Web Cache Coordination Protocol (WCCP)
		RealAudio/RealVideo
		Gopher
		WAIS

Chapter 16

	What are the three parts of the Mail system?
		mail transfer agent (MTA) - sendmail, smail, qmail, postfix
		mail delivery agent (MDA) - localmail, procmail, ...
		Mail user agent (MUA) - a mail client program
	What are some mail related protocols?
		SMTP - MTA/MDA protocol
		POP/IMAP - server to MUA protocol

Chapter 17

	What are some file sharing protocols?
		FTP
		TFTP
		NFS
		NetBIOS/Samba
	What are some printing protocols?
		lpr/lprng
		SMB

Chapter 18

	What are some Remote access protocols?
		Telnet
		Rexec/Rsh/Rlogin/Rcp
		SSH
		X11
		Terminal Services
		BO2K

Chapter 19

	What are some real-time conferencing services?
		Internet Relay Chat (IRC)
		Instant messaging - ICQ/AIM/MSN IM/...
		talk
		T.120 and H.323 chat/whiteboard sharing
		NetMeeting
		MBONE

Chapter 20

	What are some Naming and Directory Services?
		Domain Name System (DNS)
		WINS/NetBIOS names
		Network Information Service (NIS/YP)
		Lightweight Directory Access Protocol (LDAP)
		Active Directory (MS)
		eDirectory (Novell)
		finger
		whois

Chapter 21

	What are some Authentication/Authorization/Auditing servers?
		Unix PAM/NIS
		TIS FWTK Authentication Server
		Kerberos
		NTLM Domains
		SMB Authentication
		Remote Authentication Dial-In User Service (RADIUS)
		Terminal Access Controller Access Control System (TACACS)
		Auth and Identd

Chapter 22

	What are some administrative services?
		syslog (Unix)
		Simple Network Management Protocol (SNMP)
		System Management Server (MS SMS)
	What are some common routing protocols?
		Routing Information Protocol (RIP)
		Open Shortest Path First (OSPF)
		Internet Group Management Protocol (IGMP)
		Router Discovery/ICMP Router Discovery (IRDP)
	What are some boot-time protocols?
		bootp
		Dynamic Host Configuration Protocol (DHCP)
	What are some file synchronization protocols?
		rdist
		rsync
		W2K File Replication Service (FRS)

Chapter 23

	What are some database related protocols?
		Open Database Connectivity (ODBC)
		Java Database Connectivity (JDBC)
		Oracle SQL Net
		Tabular Data Stream (TDS) for Sybase and MS SQL

Chapter 25

	What should your security policy contain?
		Explanations
		Responsibilities
		Regular language
		Enforcement authority
		Provision for exceptions
		Provision for reviews
		Specific security issues
	What should your security policy not contain?
		Technical details
		Somebody else's problems
		Problems that aren't computer security problems
	What should you do when making a security policy decision?
		Enlist allies
		Get everyone affected involved
		Communicate the issues clearly
		Present risks and benefits in different ways to
			different people
		Accept the group decision, right or wrong.
		Condense important decisions with implications

Chapter 26

	What do you need to do to maintain your firewall?
		Monitor disk space, especially for logs
		Make sure that your firewall configuration is backed up
		Keep up to date with mailing lists, web sites,
			professional forums
		Keep your system up to date with current patches

Chapter 27

	What should you do in the event of an incident?
		Evaluate the situation
		Disconnect or shut down the system
		Analyze and respond
		Notify your organization
		Save the data
		Restore/reinstall and recover
		Document the incident

Intrusion Detection, Network Security Beyond the Firewall


Chapter 1

	What are some classifications of security products?
		Identification and Authentication
		Access Control
		Scanners
		Intrusion Detection and Monitoring
	What are some attributes of security products?
		Real Time or Interval based
		Centralized or Distributed
		System Level or Network Level
		Augment or Replace existing systems
		Use Existing data or New data source

Chapter 2

	What are some ways that hackers exploit weak password security?
		Easily guessed passwords
		Brute Force
		Social Engineering
		Trojan Horses
		Network sniffing
		Electronic Emissions Monitoring
		Software bugs
	What are some third-party authentication servers?
		Kerberos
		X.509 certificates
		One-time passwords
		SecurID card and PIN
		Challenge-Response
		Biometrics

Chapter 4

	What are some network level security encryption methods?
		X.509 authentication
		MD5 encryption
		IPsec
	What are some of the problems at the IP layer?
		Sniffing
		Address impersonation
		Impersonation attacks
	What are the benefits of IPsec?
		Authentication header
		Encapsulation Security payload

Chapter 5

	What are the advantages of Pattern matching IDS systems?
		The number and types of events to monitor can be reduced
			to the services that you are monitoring
		Pattern matching engines are efficient with less
			floating point calculations
	What are the disadvantages of pattern matching IDS systems?
		Scalability and performance are a function of the rulebase
		Extensibility is often difficult
		New patterns will need to be added as new attacks are found
		Pattern matchers don't learn on their own
		New attack patterns may be difficult to generate
	What are the advantages of Statistical anomaly IDS systems?
		Well understood statistical techniques can be used
		Tracking is not memory intensive
		Simple thresholds are easily understood
	What are the disadvantages of Statistical anomaly IDS systems?
		Underlying assumptions about the data may not be
			statistically sound.
		Combining values from different variables also may be
			statistically incorrect.
		Establishing a baseline is often a challenge
		Not all users exhibit consistent behavior
		A hacker who knows that intrusions are detected on the
			basis of statistical behavior may alter his
			behavior
		A hacker who uses multiple accounts can spread his
			behavior among the accounts and go undetected.
		Intrusive behavior averages out over time.
		Setting thresholds for indicating intrusive events
			requires experience.

Chapter 6

	List the 5 classes of attacks
		Internal Denial of Service attack
		Internal Privilege Escalation
		Internal superuser privileges
		External Denial of Service attack
		External Privilege Escalation
	What are some sources of system generated log data?
		syslog
		sulog
		utmp
		wtmp
		lastlog

Chapter 7

	What are the two types of scanners?
		local - examining the inside of a machine for vulnerabilities
		external - examining the machine from the outside
	What kinds of vulnerabilities does a local scanner look for?
		Bad entries in the password file
		Trusted hosts in /etc/hosts.equiv and .rhosts files
		Improper ownership of startup, config, or crontab files
		Unneeded internet services
		Liberal sendmail options
		What patches have been applied vs what are available
		Invalid UIDs and GIDs, misconfigured accounts
		Active sniffers on network adapters
	What kinds of vulnerabilities does a remote scanner look for?
		Network services with bugs in them
		Misconfigured network services
		Network services that you probably don't want offered.
	List several local scanners
		COPS
		Tiger
		Tripwire
	List several external scanners
		Nessus
		ISS
		Sara

Chapter 8

	What kinds of attacks might an internal IDS system look for?
		Covering tracks
		Gaining privilege
		Using known attack programs
		Misuse outcomes
		Self defense
		System access
		Vulnerabilities
		Masquerading
		Failed login attempts
		su attempts
	Where do you go to find new attacks?
		Bugtraq
		Best of Security
		NT Security
	What are the main reasons for vulnerabilities?
		Improper configuration
		Software bugs
	What kinds of software constructs contribute to vulnerabilities?
		Buffer overflow problems
		How resources are created, read, written, and destroyed
		Improper default assumptions
		Handling of data input values
		Adherence to the principle of least privilege
	What kinds of activities might you want to monitor?
		Attempts to write, link, or delete in system directories
		Attempts to modify system time, /dev/mem, or /dev/kmem
		Attempts to modify system audit subsystem
		Attempts to run known rogue programs, zap, crack, Satan, COPS
		Attempts to enable network interfaces in promiscuous mode
		Attempts to run exploratory programs (who,finger,ps,find,rwho)
		Attempts by unprivileged users to run privileged programs
			like mount, exportfs, mknod, ...

Chapter 9

	What kinds of things do network IDS systems look for?
		TCP sequence number guessing attempts
		IP address impersonation
		Session hijacking
		IP Fragmentation
		Denial of Service attacks
		Sendmail bugs (EXPN, VRFY, debug)
		phf, test.cgi, and other CGI bugs
		Buffer overflows in finger and DNS
		Various NFS, FTP, or TFTP bugs
	What are some of the limitations of network packet sniffers?
		Network sniffers do not see all packets
		Network sniffers are blinded by encryption
		May miss DoS side effects or back door installations

Chapter 10

	What are some sources of data for NT IDSs?
		Event log files (system, applications, and security)
	What do you monitor on NT?
		New user creation
		Administrator logs in or out
		Administrator establishes a trust relationship
		Someone deletes a critical system file
		Someone changes another user's profile
		Someone takes ownership of another user's file
	What are some IDS products for NT?
		Centrax
		ISS SAFESuite and RealSecure
		Security Dynamics' KSA and KSM

Chapter 11

	How do you respond to an intrusion?
		Evaluate and decide what response is required
		Disconnect or shutdown resources
		Analyze and respond to the incident
		Alert other people according to your policy
		Save the system state
		Restore hacked system
		Document what happened