CNIT 455 Final Exam
Q: What are some sources of security information and training?
A:
- ISC2
- SANS (more technical and less management)
- CERT
- CIS

Q: What are the basic components of a security model?
A:
- confidentiality
- integrity
- availability
- authentication
- authorization
- encryption
- non-repudiation

Q: What is non-repudiation?
A: The state of affairs in which the maker of a statement will not be able to challenge the validity of the statement.

Q: What should the approach be to a security model?
A:
1. Prevention
2. Detection
3. Containment
4. Investigation
5. Recovery
6. Follow-up

Q: What is a packet filter?
A:
- software that limits connectivity
- blocks ingress and/or egress traffic
- rule-based filtering

Q: True/False: All packet filters are firewalls.
A: False
- not all packet filters are firewalls
- a firewall always includes a packet filter

Q: What is a software firewall?
A:
- software that interacts with the existing IP stack

Q: What is a hardware firewall?
A:
- specialized network device
- physical hardware that contains a packet filter

Q: What are some of the best practices in packet filtering?
A:
- limit access based on address criteria
- always use IP addresses
- never use DNS names (easier to spoof)
- control access based on source/destination IP addresses

Q: How is IP address spoofing typically accomplished?
A:
- directly: ARP manipulation
- remotely: IP source routing; loose source record routing

Q: What is loose source record routing?
A:
- the packet is told that it must go through a specific router
- used to allow access to networks that would otherwise be unreachable

Q: What is the primary vulnerability with loose source record routing?
A:
- enables a machine to spoof an address and still have traffic find it correctly

Q: True/False: Always disable loose source record routing on your border routers and firewalls.
A: True

Q: True/False: Only destination TCP/UDP ports are standardized.
A: True

Q: How are source TCP/UDP ports chosen?
A:
- randomly
- 1024+

Q: What is static port filtering?
A:
- traffic is only allowed based on the port number or IP/port number combination
- more granularity than IP-only filtering
- each packet is checked independently

Q: What is dynamic port filtering?
A:
- checks the context of the packet as well as the source/destination IP address

Q: What is stateful packet inspection (SPI)?
A:
- another name for dynamic port filtering
- checks the context of the packet as well as the source/destination IP address

Q: What is destination static port filtering?
A:
- examines and filters based on the destination port number (i.e. traffic destined for port 25 is only allowed to a mail server)

Q: What is the major limitation of destination static port filtering?
A:
- only works if a server responds to incoming messages on the port received (i.e. web server)

Q: What is source static port forwarding?
A:
- filtering based on the source port

Q: What is a bidirectional static filter?
A:
- looks at both the source and destination ports for ingress traffic

Q: What is TCP static source port filtering?
A:
- only allow ingress traffic on ports 1024+ that have the ACK bit set in the TCP header
- ensures that these packets are part of a data flow
- reliable for outgoing traffic

Q: What is a drawback to TCP static source port filtering?
A:
- doesn't work for flows that dynamically open multiple connections (i.e. FTP non-passive mode; use FTP in passive mode to force the client to initiate all of the connections)

Q: What is the primary issue with UDP source port static filtering?
A:
- UDP is connectionless and there are no ACK flags to check

Q: What are the advantages to using dynamic packet filtering?
A:
- keeps ports closed until needed
- controls access to open ports based on context and protocol/detail information
- builds a state table (i.e. sequence numbers in TCP communication; UDP data flows)
- can require/provide authentication
- can examine the application layer to ensure the appropriate traffic is being passed

Q: What should you do with blocked traffic?
A:
- send an ICMP "Host Not Reachable" message (traffic type not allowed)
- send an ICMP "Host Not Administratively Reachable" message (firewall blocking traffic)
- send nothing (could waste bandwidth but is considered the safest solution)

Q: What are the strengths of a packet filter?
A:
- fast
- line speeds

Q: What are the weaknesses of a packet filter?
A:
- internal/external machines communicate directly (once communication is allowed, we have no idea what else is occurring)
- limited authentication/authorization of users
- little to no logging

Q: A hardware device that can perform internetworking operations and packet filtering is typically referred to as what?
A:
- firewall

Q: In what mode do bridge NICs operate?
A:
- promiscuous mode

Q: How are frames/cells forwarded in a bridge?
A:
- frames/cells are forwarded based on their destination layer 2 address

Q: What is a filtering bridge?
A:
- bridge that contains a packet filter
- allows protecting address sets that are not easily routed
- requires a dedicated target interface (VLAN)

Q: What are some of the drawbacks to using a filtering bridge?
A:
- latency is induced from promiscuous mode
- broadcast storms/loops

Q: What are some best practices in regard to using a filtering bridge?
A:
- use straightforward routing
- use SNAT in place of a small number of addresses
- leave the target NIC unbound (without an IP address)
- avoid sharing an interface as a bridge source and routing/NAT target

Q: What are the best filtering practices in regard to standard routing?
A:
- use whenever possible to filter Internet servers (least latency)
- addresses on both sides of the firewall must be appropriate to the inter-network (i.e. no RFC 1918 addressing on the public network)

Q: What is static NAT?
A:
- 1:1 NAT
- operates exclusively at layer 3

Q: What are some best practices when using static NAT?
A:
- use only when incoming connections are needed
- limit each external interface to less than 10 addresses

Q: What is dynamic NAT?
A:
- also known as Port Address Translation (PAT)
- outgoing traffic is translated to a single public address on the firewall

Q: What is another term for describing DNAT for incoming connections?
A:
- port forwarding

Q: What are some best practices in regard to using dynamic NAT?
A:
- best routing solution for true private zones
- sessions are made directly between internal/external hosts for egress traffic

Q: What is an Application Layer Gateway (ALG)?
A:
- insulates the internal machine from the external machine
- proxy
- separate ALGs required for each layer 6/layer 7 protocol
- allows robust inspection of layer 6/layer 7 traffic (i.e. web proxy, spam/malware filtering)
- allows protocols that dynamically open ports to traverse the public/private boundary (i.e. active FTP)

Q: What is a hybrid firewall?
A:
- combines elements of packet filters and ALGs
- the majority of current solutions fall into this category

Q: What are some examples of hybrid firewalls?
A:
- MS FFTMG

Q: What are the primary firewall performance metrics?
A:
- throughput (bytes per second)
- packet forwarding rate (packets per second)

Q: What is the better firewall performance metric?
A: packet forwarding rate

Q: True/False: All forms of NAT require the packet header to be re-written, which adds additional latency in packet inspection.
A: True

Q: True/False: Latency is added on a per-packet basis.
A: True

Q: What is the order of latency from best to worst in a packet filter?
A:
1. Standard routing
2. Bridging
3. SNAT
4. DNAT/PAT
5. ALGs

Q: What is the most overused approach in regard to firewall implementations?
A:
- the "triple-lock-the-front-door" approach
- then leaving the back door unlocked

Q: What is the public network zone?
A:
- Internet

Q: What is the private network zone?
A:
- zone isolated from the public network
- RFC 1918 address space

Q: What is the DMZ zone?
A:
- partially isolated from the public network
- minimal traffic is allowed from unknown sources
- isolated from the private network

Q: Of what does a typical DMZ architecture consist?
A:
- minimal risky interaction with unknown hosts is allowed
- allows protection in the event that an Internet host is compromised
- multiple DMZs increase isolation/security

Q: What is a parallel DMZ architecture?
A:
- separate DMZ network segment created for each service offered (typically multiple interfaces from a single firewall)
- reduces exposure

Q: What is a layered DMZ architecture?
A:
- protects systems from threats by adding additional security between application tiers (i.e. mail forwarder in the 1st DMZ, internal mail server in the 2nd DMZ, clients in the inner/private zone)

Q: What advantages does separating the first DMZ from the public network have?
A:
- basic routing works best
- bridging is good but adds some latency
- SNAT is good but adds some latency

Q: What advantages does separating multiple DMZs from each other have?
A:
- basic routing works best only if you have a large enough aggregated public address space
- SNAT is the most common solution

Q: True/False: Edge routers should be used to filter basic information in a DMZ implementation.
A: True

Q: What is the primary drawback to using a multiple-armed firewall?
A: single point of insecurity

Q: True/False: In a multiple-firewall environment, it is best to use the same brand of firewall to protect from yet-undiscovered vulnerabilities.
A: False
- use different brands

Q: How do VLANs in a DMZ architecture work?
A:
- allow a logical DMZ to be extended across a larger network
- useful for IP telephony (i.e. voice traffic on its own network)
- more flexible and less expensive than using multiple physical NICs

Q: What are some IP addressing considerations when designing a DMZ architecture?
A:
- outer DMZs should have valid public addresses
- subsequent DMZs should use private addressing (provided the hosts aren't directly accessing the Internet)
- internal clients should always use private addressing

Q: What are some DMZ DNS design considerations?
A:
- should have at least two DNS domains:
  1. DMZ hosts that service the Internet
  2. internal network that never sends information to the Internet
Written for
- Institution: CNIT 455
- Course: CNIT 455

Document information
- Uploaded on: November 8, 2023
- Number of pages: 32
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers