Lesson 10

Question 1

Packet Filtering Firewalls

Answer 1

arliest type of network firewall. All firewalls can still
perform this basic function.

• *****Enforce a network access control list (ACL)
• Act to deny (block or drop), log, or accept a packet
• Inspect headers of individual packets
  * Source and destination IP address
  * Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on)
  * Source and destination port numbers (TCP or UDP application type)
• Inbound, outbound, or both
• Stateless operation

Question 2

Stateless operation

Answer 2

(packet filtering firewall)
This means that it does not preserve
information about network sessions.

This type of filtering requires the least
processing effort, but it can be vulnerable to attacks that are spread over a sequence
of packets.

Question 3

Stateful Inspection Firewalls

Answer 3

State table stores connection information

A stateful inspection firewall addresses these problems by tracking information about
the session established between two hosts, or blocking malicious attempts to start a
bogus session. The vast majority of firewalls now incorporate some level of stateful
inspection capability.

Question 4

iptable

Answer 4

linux tool that allow you to edit rules on your firewall (drop, accept, etc) See slide 6 for sample ip table

Question 5

Firewall impllementation

Answer 5

1. Firewall appliances (physical appliance
   •Routed (layer 3)
   •Bridged/transparent (layer 2)
   •Router/firewall
2. Application-based firewalls
   •Host-based (personal)
   •Application firewall
   •Network operating system (NOS) firewall

Question 6

Types of Firewall Appliances

Answer 6

appliance firewall is a stand-alone hardware firewall deployed to monitor traffic
passing into and out of a network zone. A firewall appliance can be deployed in two
ways:

•Routed (layer 3) - the firewall performs forwarding between subnets. Each interface
on the firewall connects to a different subnet and represents a different security
zone.
•Bridged/transparent (layer 2) - the firewall inspects traffic passing between two nodes, such
as a router and a switch.
•Router/firewall - SOHO. Built into the router. but usually the router is meant first as a router and secondarily as a firewall

Question 7

Application-based firewalls

Answer 7

Host-based (personal) - software firewal runing on a single host

Application firewall—software designed to run on a server to protect a particular
application

Network operating system (NOS) firewall— protects a server. a software-based firewall running
under a network server OS, such as Windows or Linux. The server would function as
a gateway or proxy for a network segment.

Question 8

Forward Proxy Servers

Answer 8

Proxy opens connections with external servers on behalf of internal clients

Question 9

Transparrent vs non-transparent proxy

Answer 9

non-transparent proxy means that the client must be configured with the proxy
server address and port number to use it. The port on which the proxy server
accepts client connections is often configured as port 8080.auto
• A transparent (or forced or intercepting) proxy intercepts client traffic without
the client having to be reconfigured. A transparent proxy must be implemented on a
switch or router or other inline network appliance.

Question 10

Reverse proxy server

Answer 10

Proxy opens connections with internal servers on behalf of external clients

Question 11

Access Control Lists

Answer 11

• Least access - minimum amoiunt of traffic allowed for a service
• Top to bottom processing order - order of rules
• Implicit deny - deny everyting that does fit rules
• Explicit deny all
• Criteria for rules (tuples) - parameters within a rule
• Documenting and testing configuration

Question 12

Network address translation (NAT)

Answer 12

translates private to public IP addresses and public to proviate

Question 13

Static and dynamic source NAT

Answer 13

perform 1:1 mappings between private (“inside
local”) network address and public (“inside global”) addresses. These mappings can
be static or dynamically assigned

Question 14

Overloaded NAT/Network Address Port Translation (NAPT)/Port Address
Translation (PAT)—

Answer 14

provides a means for multiple private IP addresses to be mapped onto a single public address. For

Question 15

Virtual Firewalls

Answer 15

Hypervisor-based
•Filtering built into the hypervisor or cloud service

Virtual appliance
•Deployed as a virtual machine to the cloud

Multiple context
•Firewall appliance running multiple instances

•East-west security design and microsegmentation

Question 16

Main purpose of Virutal firewals

Answer 16

to support the east-west security and zero-trust

microsegmentation design paradigms

Question 17

Open source vs proprietary firewalls

Answer 17

Source code inspection and supply chain issues
• Wholly proprietary appliance OS
• partially proprietary - UNIX or Linux kernel with proprietary features
• Wholly open-source

•Support arrangements and subscription features should be considered…as well as access to threat feeds etc

Question 18

intrusion detection system (IDS)

Answer 18

is a means of using software tools to provide

real-time analysis of either network traffic or system and application logs

Question 19

networkbased IDS (NIDS)

Answer 19

captures traffic via a packet sniffer, referred to as a sensor.

Passive detection/alerting*

Question 20

Network-Based Intrusion Prevention Systems

Answer 20

• Intrusion prevention system (IPS)
• Active response to threats
  * Reset session
  * Apply firewall filters on the flyto shun traffic
  * Bandwidth throttling
  * Packet modification
  * Run a script or other process
• Anti-virus scanning/content filtering
• Inline placement—risk of failure

Question 21

Signature-Based Detection

Answer 21

• Analysis engine
• Signature-based detection
  
  • Pattern matching
  • Database of known attack signatures
  • Must be updated with latest definitions/plug-ins/feeds
  • **Many attack tools do not conform to specific signatures

Question 22

Behavior and Anomaly-Based Detection

Answer 22

Computer learns behaviors. ….could protected against zero day attached…a lot of false positives and false negatives until it leanrs

• Behavioral-based detection
• Train sensor with baseline normal behavior to recognize anomalous behavior •Network behaviorand anomaly detection (NBAD)
  * Heuristics (learning from experience)
  * Machine learning assisted analysis

Anomaly-based detection as irregularity in packet construction

Question 23

Next-generation firewall

Answer 23

•Application-aware filtering, user account-based filtering, IPS, cloud inspection, …

Question 24

Unified threat management (UTM)

Answer 24

• Combining security controls into single agent and management platforms
• Firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway, …

Question 25

Content/URL filter

Answer 25

* Focuses on user traffic * Content block lists and allow lists * Time-based restrictions to browsing * also known as....Secure web gateway (SWG)

Question 26

Host based Intrusion detection system (HIDS)

Answer 26

A host-based IDS (HIDS) captures information from a single host, such as a server,router, or firewall. The core ability isto capture and analyze log files One of the core features of HIDS is file integrity monitoring (FIM).

Question 27

file integrity monitoring (FIM).

Answer 27

One of the core features of hos.t-based IDS (HIDS) •Cryptographic hash or file signature verifies integrity of files •Compare hashes manually or verify signature with publisher’s public key •Windows File Protection/sfc •Tripwire and OSSEC

Question 28

Web Application Firewalls (WAF)

Answer 28

designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks. * Able to inspect code in HTTP packets * Matches suspicious code to vulnerability database * Can be implemented as software on host or as appliance

Question 29

Monitoring Services

Answer 29

Packet capture •Sniffers and flow analysis •Traffic and protocol statistics •Packet analysis Network monitors •Appliance state data •Heartbeat availability monitoring Logs •System logs to diagnose availability issues •Security logs to audit access

Question 30

Packet capture

Answer 30

* Sniffers and flow analysis * Traffic and protocol statistics * Packet analysis

Question 31

Network monitors

Answer 31

* Appliance state data | * Heartbeat availability monitoring

Question 32

Logs

Answer 32

* System logs to diagnose availability issues | * Security logs to audit access

Question 33

Security Information and Event Management (SIEM)

Answer 33

Software designed to assist with managing security data inputs and provide reporting and alerting is often described as security information and event management (SIEM). The core function of an SIEM tool is to aggregate traffic data and logs. - Log Collection - Log Aggregation - Alanaysis and Report Review

Question 34

Log Collection (SIEM)

Answer 34

Agent-based •Local agent (host) to forward logs (installed) • Listener/collector •Protocol-based remote log forwarding (syslog) (configured) • Sensor •Packet capture and traffic flow data. SIEM also collects packet data

Question 35

Log Aggregation (SIEM)

Answer 35

* Consolidation of multiple log formats to facilitate search/query and correlation * Normalization of fields * Time synchronization

Question 36

Analysis and Report review (SIEM)

Answer 36

* Correlation * Relating security data and threat intelligence * Alerting of indicators of compromise (IOC) * Basic rules versus machine learning * User and entity behavioranalytics (UEBA) * Sentiment analysis * Machine interpretation of natural language * Emotion AI * Security orchestration, automation, response (SOAR)

Question 37

•Correlation

Answer 37

* Relating security data and threat intelligence * Alerting of indicators of compromise (IOC) * Basic rules versus machine learning

Question 38

•User and entity behavior analytics (UEBA)

Answer 38

solution supports identification of malicious behaviors from comparison to a baseline. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services.

Question 39

•Security orchestration, automation, response (SOAR)

Answer 39

designed as a solution to | the problem of the volume of alerts overwhelming analysts' ability to respond.

Question 40

•Sentiment analysis

Answer 40

•Machine interpretation of natural language •Emotion AI ...i.e. monitoring social media for disgruntled customers complaining etc

Question 41

File Manipulation (SIEM)

Answer 41

While SIEM can automate many functions of log collection and review, you may also have to manually prepare data using a Linux command line. * cat * View contents of one or more files * headand tail * View first and last lines of file * logger * Write input to system log

Question 42

ReRegular Expressions and grep

Answer 42

i didn't really understand these but these are more log commands