25 Cards in this Set
a. TCP/UDP port numbers

TCP
The destination port number is used to identify a requested service.

The source port number is used to distinguish between multiple sessions of the same service between two hosts.

When a TCP session is made the sending system picks a unique (usually random) number greater than 1023 for the source port number.

Some “well known” port numbers are:
–25 (SMTP, Simple Mail Transfer Protocol)
–80 (HTTP, HyperText Transfer Protocol)
–20 and 21 (FTP, File Transfer Protocol)
a. TCP/UDP port numbers.

UDP
The UDP protocol is a connectionless protocol; packets are not acknowledged.
•It is simpler and requires less overhead
•It is more susceptible to IP spoofing (as will be shown)
•Uses destination port numbers just like TCP
•Used for services on LANs, like NFS, where the likelihood of a lost packet is small
•Used for query-response services like DNS lookup, which is used to determine the IP address of Internet hosts (e.g., Amazon.com)
b. Connection oriented TCP vice connectionless UDP.
The TCP protocol is a connection-oriented protocol
–Packets are acknowledged
•Packets are re-sent if an acknowledgment is not received
–Packets are sequenced
•If packets are received out of order, they are re-ordered.

The UDP protocol is a connectionless protocol; packets are not acknowledged.
•It is simpler and requires less overhead
•It is more susceptible to IP spoofing (as will be shown)
•Uses destination port numbers just like TCP
c. TCP three-way handshake.
–Each system sends a randomly chosen Initial Sequence Number (ISN)
–The correct response or ACK (acknowledgment) for an initial sequence number is ISN + 1
2. Firewalls
May be a router, server, or specialized hardware device. It monitors packets and filters those that do not meet the requirements of the security policy.
It is a “choke point” in the network.
a. Network access control.
A firewall device supports and enforces the company’s network security policy.
b. Static packet filtering. (pros and cons)
Pro:
Scalable
Not application dependent
High performance because they do not carry out extensive processing on the packets.

Con:
Cannot prevent attacks that employ application-specific vulnerabilities or functions.
Logging functionality is limited.
Do not support advanced user authentication schemes.
Many cannot detect a network packet in which the OSI Layer 3 addressing information has been spoofed.
Susceptible to security breaches caused by improper configurations.
c. Dynamic packet filtering. (pros and cons)
Pro:
Option of allowing any type of traffic outbound and permitting only response traffic inbound.

Con:
d. Application gateway filtering. (pros and cons)
Pro:
The outside world only knows about the address of the application gateway.
•Hackers cannot attack a system if they don’t know its address.
Filters at the application level.

Con:
–Are very costly
–Proxy servers are application specific
–COTS firewalls come with a common set of proxies, if you need a special one you have to write it yourself
Can limit network performance.
3. DeMilitarized Zone (DMZ)
Network segment located between the protected and unprotected networks.
Provides a buffer zone.
Usually contains web, mail, and DNS servers.
4. Intrusion Detection Systems (IDSs)
There are three common IDS architectures
–Host-based
–Network-based
–Distributed sensors
a. Host-based. (pros and cons)
Pro:
If not using a console, no new hardware is required
–Can detect attacks that do not travel across the network link observed by the network sensor.
Can detect multiple log on attempts on the host.
Con:
Impacts performance of the hosts
–The host OS audit must be configured to record the information required by the IDS
–Needs to be installed on every host being protected
If the host is compromised, the IDS process can be detected and possibly terminated
–OS specific (Unix host-based IDS won’t run on NT and vice versa)
Can only react after the fact
•By the time the audit log has recorded the activity resulting from an attack, the attack has likely already happened
If correlation between multiple host-based IDS is not implemented, then distributed attacks can go undetected by staying below the threshold of each host-based IDS
b. Network-based. (pros and cons)
Pro:
Can respond to attacks (via dynamic updating of the firewall rules) since it knows the IP addresses of the attack packets.
–Can see traffic that is destined for multiple hosts
•This can address the distributed (below the host threshold) attack
–Network-based attacks, like port scanning, are easier to handle with network-based IDSs.
Can be configured to be totally passive (undetectable)
–Even if the IDS sends information to a console, another network can be used for this so that the IDS will be undetectable
–Does not impact host performance

Con:
–Requires new hardware
–Will lose packets when the traffic gets heavy
–Will not detect host based attacks or host to host attacks that do not travel across the network link observed by the IDS
c. Distributed Sensor-based. (pros and cons)
It consists of host-based agents and network-based sensors that communicate with a central system that correlates all the data
Pro:
The agents on the hosts are kept small and do not perform much processing other than reviewing the OS audit log and forwarding the information to the central system
•Being able to combine data from all hosts allows the system to observe distributed low level attacks
Furthermore, combining this information with network sensor data yields an even greater opportunity to observe a greater range of attacks

Con:
These systems require extra hardware and are expensive
•The agents are OS specific and need to be installed on all hosts that are to be protected by the host-based feature
Goals of IDSs.
• The ability to detect a new attack
• The ability to react in real time
Transmission Control Protocol (TCP)
Transport Layer
Connection-oriented protocol
Internet Protocol (IP)
Network Layer
Lower level protocol
User Datagram Protocol (UDP)
Transport Layer
Connectionless protocol
IP Spoofing
Sometimes attackers use someone else’s IP address as the source IP address in packets that they send
TCP 3-way handshake
Example exchange:
–the client sending an ISN of 2895
–the server returning an ACK value of 2896 and sending an ISN of 4722 and
–the client returning an ACK value of 4723
Firewall
Firewalls are access control mechanisms that, generally, reside at the gateway between two networks
•They serve to support or enforce a network access control policy
•There should be a policy that states what data and services external users can and cannot access
Static Packet Filter
The simplest firewall mechanism
•Very fast
•Packets are rejected or allowed based upon packet header information
Dynamic Packet Filter
Dynamic packet filters screen packets on header information (just like static packet filtering) but they also can use information that has been stored about previous packets
•Dynamic packet filters store information about some selected previous packets in a state table
Application Gateway
The third type of firewall mechanism is the application gateway
–It generally consists of a number of application specific programs called proxy servers
•Access control in these servers happens at the application layer
Honey Pot
A computer that usually sits in the screened subnet, or DMZ, to lure hackers. The admin may enable ports or services that are popular to exploit, while the services themselves are emulated.