What is IP spoofing
IP spoofing: sending packets using a source IP address that is not yours
Often related to DoS attacks (DNS amplification attack)
Name two strategies for how a firewall can be implemented
stateful, stateless
Name all the firewall architectures
What are NIDS and HIDS?
Network-based IDS
- Unauthorized network access
- Reconnaissance network scans
- Abuse of bandwidth resources
- Network protocol violations
Host-based IDS
- Privilege Abuse
- Accidentally assigned privileges
- Account compromise
- Access to and modification of critical data
- Information leakage
What is the benefit of Screened Subnet Architecture?
There are two packet filters besides the Bastion Host
There is a second packet filter in case a service in the DMZ is compromised
What are the three security components?
Security Requirements
Security Policy
Security Mechanisms
Spoofing Protection
Outgoing
- Only allow source IPs which belong to you
- Don't be an operator who facilitates DoS attacks on the Internet
Incoming
- Only allow 'valid' source IPs
  - For a varying definition of 'valid'
  - IPs which belong to you are not valid
  - Local and special-purpose IPs are not valid
Rule of thumb: UNIV \ (Your IPs ∪ Special Purpose IPs)
Name two Firewall default strategies and which one should we choose
Default deny strategy
- only explicitly allowed traffic is permitted
- minimizes attack surface
Default permit strategy
- allow everything by default
How does a stateful firewall work
Upside and Downside of a stateless firewall
Upside:
- High performance
  - No connection tracking
  - Less memory and CPU usage
Downside:
- No connection awareness
- Return traffic must be explicitly allowed
- More error-prone configuration
Would you add a HIDS to the web and mail servers, and what would be the trade-offs?
The HIDS could monitor the machines for attacks that compromise configuration integrity on the server itself. However, running a HIDS would add performance overhead from real-time monitoring of host activity.