Firewall Outline
Building Internet Firewalls
Chapter 1
What are you trying to protect?
Your data
Your resources
Your reputation
What characteristics of your data need to be protected?
Secrecy - they can't see it
Integrity - they can't change it
Availability - we can access it
Types of attacks
Intrusion
Denial of service
Information theft
Protection models
No security
Security through obscurity
Host security
Network security
What is a firewall?
Restrict entry through a choke point
Protects other defenses
Restrict exit through a choke point
What can a firewall do?
A focal point for security decisions
Enforcement point for security policies
Log activity efficiently
Limits your exposure
What can't a firewall do?
Protect against malicious insiders
Protect what doesn't go through it
Complex new threats
Protect against viruses
Set itself up correctly
Chapter 2
What are some services that you might want to allow or block?
web - http/https
email - smtp
file transfer - ftp
remote terminal access - telnet / ssh
hostname/address lookup - DNS/LDAP/WINS
file/print sharing - SMB/Netbios/NFS/lpd
Remote graphical interfaces - X11/VNC/Terminal Services/PCanywhere/BO2k
Real-time conferencing - IM/NetMeeting/MBONE
System Management - SNMP
Routing - RIP/OSPF/EGP,BGP,...
Network Diagnostics - ping/traceroute
Network Time
Databases - MSSQL/Oracle/...
Games - quake/...
Chapter 3
What are some common security principles?
Least Privilege
Defense in depth
Choke point
Weakest Link
Fail-safe stance
Universal participation
Diversity of Defense
Inherent Weaknesses
Common Configuration
Common Heritage
Skin-Deep differences
Simplicity
Security through obscurity
Chapter 4
What are the common layers of network protocols?
Application layer - smtp, telnet, ftp, ...
Transport layer - TCP, UDP, ICMP, ...
Internet layer - IP
Network access layer - Ethernet, FDDI, ATM, ...
What is meant by the term "encapsulation"?
What are some non-IP protocols?
AppleTalk
IPX
What are some attacks based on low-level protocols?
Port scanning
IP spoofing
Packet interception
Chapter 5
What do the following terms mean?
Firewall
Host
Bastion host
Dual-homed host
Network address translation (NAT)
Packet
Packet filtering
Perimeter network
Proxy
Virtual Private Network (VPN)
Chapter 6
Describe how each of the following firewall architectures works
Screening router
Perimeter Network
Split perimeter network
Chapter 7
What attributes would you consider when choosing a firewall?
Scalability
Reliability & Redundancy
Auditability
Price
Ease of management and configuration
Adaptability
Appropriateness
Chapter 8
What components are used in developing packet filter rules?
Source IP address
Destination IP address
Source Port
Destination Port
Protocol
What does Stateful or dynamic packet filtering do?
What is Masquerading or Network Address Translation (NAT)?
Chapter 9
What is a proxy? What does it do?
What are some common proxies?
Socks
TIS Firewall ToolKit
Microsoft Proxy Server
Chapter 10
What makes a Bastion Host?
Turn off unused services
Keep up to date with vendor patches
Watch it closely
Chapter 11
What services might you want to disable on a unix bastion host?
nfsd
biod
mountd
statd/lockd/rquotad
automountd/amd
keyserv
rexd/walld
tftpd
bootpd/dhcpd
rlogin/rsh/rcp/rexec
routed
fingerd
ftpd
uucpd
rwhod
lpd
echo/chargen/discard/daytime/qotd
What security audit tools might you use on a unix host?
COPS
SATAN
Tiger
Tripwire
Chapter 12
What services might you want to disable on a NT/W2k server?
DNS
Printing
NetBIOS
RAS
echo/chargen/discard/daytime/qotd
snmp
Chapter 13
List some different kinds of attacks against internet services
Command channel attacks
Data driven attacks
False authentication
Hijacking
Packet sniffing
Data injection and modification
Replay
Denial of service
What are some indicators of Security?
Security was one of the design criteria
Supplier appears to be aware of major types of security problems and can speak to how they have been avoided
It is possible to review the code
Somebody you know and trust has reviewed the code
A process is in place to distribute notifications of security problems and updates
Server implements a recent version of the protocol
Uses standard error logging mechanisms (syslog/Event Viewer)
Has a secure distribution mechanism
Chapter 14
List some types of Remote Procedure Call mechanisms
Sun RPC
Microsoft RPC
Distributed Component Object Model (DCOM)
NetBios over TCP/IP (NetBT)
Common Internet File System (CIFS)
Server Message Block (SMB)
Common Object Request Broker Architecture (CORBA)
Internet Inter-ORB Protocol (IIOP)
ToolTalk
List some network level security protocols
Transport Layer Security (TLS)
Secure Socket Layer (SSL)
Generic Security Services API (GSSAPI)
IPsec
Remote Access Service (RAS)
Point to Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
Chapter 15
What are some web related languages?
JavaScript
VBScript
Java
ActiveX
What are some web related protocols?
Internet Cache Protocol (ICP)
Cache Array Routing Protocol (CARP)
Web Cache Coordination Protocol (WCCP)
RealAudio/RealVideo
Gopher
WAIS
Chapter 16
What are the three parts of the Mail system?
mail transfer agent (MTA) - sendmail, smail, qmail, postfix
mail delivery agent (MDA) - localmail, procmail, ...
Mail user agent (MUA) - a mail client program
What are some mail related protocols?
SMTP - MTA/MDA protocol
POP/IMAP - server to MUA protocol
Chapter 17
What are some file sharing protocols?
FTP
TFTP
NFS
NetBios/Samba
What are some printing protocols?
lpr/lprng
SMB
Chapter 18
What are some Remote access protocols?
Telnet
Rexec/Rsh/Rlogin/Rcp
Ssh
X11
Terminal Services
BO2K
Chapter 19
What are some real-time conferencing services?
Internet Relay Chat (IRC)
ICQ/AIM/MSN IM/.. Instant Messaging
talk
T.120 and H.323 chat/whiteboard sharing
NetMeeting
MBONE
Chapter 20
What are some Naming and Directory Services?
Domain Name System (DNS)
WINS/NetBios names
Network Information Service (NIS/YP)
Lightweight Directory Access Protocol (LDAP)
Active Directory (MS)
E-Directory (Novell)
finger
whois
Chapter 21
What are some Authentication/Authorization/Auditing servers?
Unix PAM/NIS
TIS FWTK Authentication Server
Kerberos
NTLM Domains
SMB Authentication
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Auth and Identd
Chapter 22
What are some administrative services?
syslog (unix)
Simple Network Management Protocol (SNMP)
System Management Server (MS SMS)
What are some common routing protocols?
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Internet Group Management Protocol (IGMP)
Router Discovery/ICMP Router Discovery (IRDP)
What are some boot-time protocols?
bootp
Dynamic Host Configuration Protocol (DHCP)
What are some file synchronization protocols?
rdist
rsync
W2K File Replication Service (FRS)
Chapter 23
What are some database related protocols?
Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
Oracle SQL Net
Tabular Data Stream (TDS) for Sybase and MS SQL
Chapter 25
What should your security policy contain?
Explanations
Responsibilities
Regular language
Enforcement authority
Provision for exceptions
Provision for reviews
Specific security issues
What should your security policy not contain?
Technical details
Somebody else's problems
Problems that aren't computer security problems
What should you do when making a security policy decision?
Enlist allies
Get everyone affected involved
Communicate the issues clearly
Present risks and benefits in different ways to different people
Accept the group decision, right or wrong.
Condense important decisions with implications
Chapter 26
What do you need to do to maintain your firewall?
Monitor disk space, especially for logs
Make sure that your firewall configuration is backed up
Keep up to date with mailing lists, web sites, professional forums
Keep your system up to date with current patches
Chapter 27
What should you do in the event of an incident?
Evaluate the situation
Disconnect or shut down the system
Analyze and respond
Notify your organization
Save the data
Restore/reinstall and recover
Document the incident
Intrusion Detection, Network Security Beyond the Firewall
Chapter 1
What are some classifications of security products?
Identification and Authentication
Access Control
Scanners
Intrusion Detection and Monitoring
What are some attributes of security products?
Real Time or Interval based
Centralized or Distributed
System Level or Network Level
Augment or Replace existing systems
Use Existing data or New data source
Chapter 2
What are some ways that hackers exploit weak password security?
Easily guessed passwords
Brute Force
Social Engineering
Trojan Horses
Network sniffing
Electronic Emissions Monitoring
Software bugs
What are some third party authentication servers?
Kerberos
X.509 certificates
One-time passwords
SecureID card and pin
Challenge-Response
Biometrics
Chapter 4
What are some network level security encryption methods?
X.509 authentication
MD5 encryption
IPsec
What are some of the problems at the IP layer?
Sniffing
Address impersonation
Impersonation attacks
What are the benefits of IPsec?
Authentication header
Encapsulating Security Payload (ESP)
Chapter 5
What are the advantages of Pattern matching IDS systems?
The number and types of events to monitor can be reduced to the services that you are monitoring
Pattern matching engines are efficient, requiring fewer floating point calculations
What are the disadvantages of pattern matching IDS systems?
Scalability and performance are a function of the rulebase
Extensibility is often difficult
New patterns will need to be added as new attacks are found
Pattern matchers don't learn on their own
New attack patterns may be difficult to generate
What are the advantages of Statistical anomaly IDS systems?
Well understood statistical techniques can be used
Tracking is not memory intensive
Simple thresholds are easily understood
What are the disadvantages of Statistical anomaly IDS systems?
Underlying assumptions about the data may not be statistically sound.
Combining values from different variables also may be statistically incorrect.
Establishing a baseline is often a challenge
Not all users exhibit consistent behavior
A hacker who knows that intrusions are being determined based on statistical behavior may alter his behavior
A hacker who uses multiple accounts can spread his behavior among the accounts and go undetected.
Intrusive behavior averages out over time.
Setting thresholds for indicating intrusive events requires experience.
Chapter 6
List the 5 classes of attacks
Internal Denial of Service attack
Internal Privilege Escalation
Internal superuser privileges
External Denial of Service attack
External Privilege Escalation
What are some sources of system generated log data?
syslog
sulog
utmp
wtmp
lastlog
Chapter 7
What are the two types of scanners?
local - examining the inside of a machine for vulnerabilities
external - examining the machine from the outside
What kinds of vulnerabilities does a local scanner look for?
Bad entries in the password file
Trusted hosts in /etc/hosts.equiv and .rhosts files
Improper ownership of startup, config, or crontab files
Unneeded internet services
Liberal sendmail options
What patches have been applied vs what are available
Invalid UIDs and GIDs, misconfigured accounts
Active sniffers on network adapters
What kinds of vulnerabilities does a remote scanner look for?
Network services with bugs in them
Misconfigured network services
Network services that you probably don't want offered.
List several local scanners
COPS
Tiger
Tripwire
List several external scanners
Nessus
ISS
Sara
Chapter 8
What kinds of attacks might an internal IDS system look for?
Covering tracks
Gaining privilege
Using known attack programs
Misuse outcomes
Self defense
System access
Vulnerabilities
Masquerading
Failed login attempts
su attempts
Where do you go to find new attacks?
Bugtraq
Best of Security
NT Security
What are the main reasons for vulnerabilities?
Improper configuration
Software bugs
What kinds of software constructs contribute to vulnerabilities?
Buffer overflow problems
How resources are created, read, written, and destroyed
Improper default assumptions
Handling of data input values
Adherence to the least privilege principle
What kinds of activities might you want to monitor?
Attempts to write, link, or delete in system directories
Attempts to modify system time, /dev/mem, or /dev/kmem
Attempts to modify system audit subsystem
Attempts to run known rogue programs, zap, crack, Satan, COPS
Attempts to enable network interfaces in promiscuous mode
Attempts to run exploratory programs (who,finger,ps,find,rwho)
Attempts by unprivileged users to run privileged programs like mount, exportfs, mknod, ...
Chapter 9
What kinds of things do Network IDS systems look for?
TCP sequence number guessing attempts
IP address impersonation
Session hijacking
IP Fragmentation
Denial of Service attacks
Sendmail bugs (EXPN, VRFY, debug)
phf, test.cgi, and other CGI bugs
Buffer overflows in finger and DNS
Various NFS, FTP, or TFTP bugs
What are some of the limitations of Network Packet Sniffers?
Network sniffers do not see all packets
Network sniffers are blinded by encryption
May miss DoS side effects or back door installations
Chapter 10
What are some sources of data for NT IDSs?
Event log files (system, applications, and security)
What do you monitor on NT?
New user creation
Administrator logs in or out
Administrator establishes a trust relationship
Someone deletes a critical system file
Someone changes another user's profile
Someone takes ownership of another user's file
What are some IDS products for NT?
Centrax
ISS SAFESuite and RealSecure
Security Dynamics' KSA and KSM
Chapter 11
How do you respond to an intrusion?
Evaluate and decide what response is required
Disconnect or shut down resources
Analyze and respond to the incident
Alert other people according to your policy
Save the system state
Restore hacked system
Document what happened