Week 6 - Security Tools

What is the main purpose of a firewall

To protect networks from network based attacks by filtering traffic

What can a firewall be implemented as

A network device or host based software

What can firewalls examine

IP addresses ports protocol headers payloads sessions and application protocols

What are the four firewall types in this lecture

Packet filtering stateful application proxy and stateful multilayer inspection firewalls

What is a packet filtering firewall

A basic stateless firewall that allows or denies packets using predefined rules

What is an ACL in firewalling

An Access Control List of predefined allow or deny rules

Why is a packet filtering firewall called stateless

It checks each packet in isolation without tracking session context

Which attributes are commonly used in packet filtering rules

Source IP destination IP protocol source port destination port inbound interface and outbound interface

What happens when no firewall rule matches

A default action is applied

What is the safer default firewall action

Default discard

Why is relying only on a remote port dangerous in packet filtering

An attacker may abuse that port to access internal machines

How can the TCP ACK flag help approximate statefulness

It suggests the packet is part of an existing conversation

What are key strengths of packet filtering firewalls

They are simple low cost and fast

What are key weaknesses of packet filtering firewalls

They do not stop application layer attacks and have limited logging and authentication

Why is IP spoofing a concern for packet filtering firewalls

They rely heavily on packet header information that may be forged

What is a stateful firewall

A firewall that tracks client server sessions and checks packets in context

What is the main advantage of a stateful firewall over a packet filtering firewall

It can distinguish valid session traffic from bogus or unsolicited packets

Why must a stateful firewall track outgoing requests

So it can allow replies to high numbered client ports only when they match an existing connection

How can tracking TCP sequence numbers improve firewall security

It helps defend against attacks such as session hijacking

What is an application level firewall

A proxy based firewall that filters traffic at the application layer

What extra services can an application level firewall provide

Caching and logging

How can an application level firewall enforce policy

By blocking or allowing specific applications or services

Why is caching useful in an application level firewall

It saves bandwidth by serving repeated content from cache

What is a circuit level firewall

A firewall that validates session setup and handshakes without inspecting packet contents

How does a circuit level firewall differ from an application level firewall

Circuit level checks sessions while application level checks specific applications or services

What is a stateful multilayer inspection firewall

A firewall that combines packet filtering circuit level and application level filtering

Why are stateful multilayer inspection firewalls powerful

They can filter at network transport and application layers

What is the main trade off of stateful multilayer inspection firewalls

They are the most expensive type

What is a vulnerability

A software flaw or configuration error that lets attackers violate confidentiality integrity or availability

Where can vulnerabilities exist

In all layers of a system

What is the goal of vulnerability scanning

To find weaknesses and services before attackers exploit them

Why is vulnerability scanning considered pre emptive

It aims to remove weaknesses before exploitation

How do attackers use scanning

As reconnaissance before an attack

How are known and new vulnerabilities typically discovered

Known ones by tools and new ones by humans such as researchers or hacker groups

What are the main scanning categories listed

Port scanners network vulnerability scanners and web application vulnerability scanners

What is Nmap an example of

A port scanner

What are Nessus and OpenVAS examples of

Network vulnerability scanners

What is a ping or ICMP scan typically used for

Basic server discovery

In UDP scanning what usually suggests a port is open

No response

In UDP scanning what usually suggests a port is closed

An ICMP unreachable response

In TCP SYN scanning what response suggests an open port

SYN plus ACK

In TCP SYN scanning what response suggests a closed port

RST plus ACK

Why is a full TCP connect scan easy to detect

It completes the three way handshake

What is TCP SYN scanning also called

Half open scanning

Why is TCP SYN scanning stealthier than a full connect scan

Many systems do not log it as a full connection

What result is associated with TCP FIN scanning on an open port

No response

What are CVEs

Standardised names for publicly known vulnerabilities

Who maintains CVE

MITRE

What does NVD add beyond CVE entries

Security metrics such as CVSS scores and vectors

Who maintains NVD

NIST

What is the biggest weakness of vulnerability scanning

It struggles with new and unknown vulnerabilities such as zero days

Why is sandboxing used

To contain untrusted code so it cannot perform unapproved actions

What is confinement in sandboxing

Isolating an application so it cannot do unauthorised actions

At what levels can sandboxing be implemented

Hardware virtual machines system call interposition software fault isolation and application specific methods

What is system call interposition

Intercepting and controlling system calls before they reach the kernel

What does system call interposition allow defenders to enforce

Fine grained security policies on process behaviour

What is a key limitation of system call interposition

Performance overhead and possible bypass if incomplete

What does chroot do

It changes a process root directory to restrict filesystem access to a jail

Why is chroot not a strong security sandbox

It is mainly a filesystem view change and does not fully isolate a malicious program

What practical issue arises when using chroot

Programs and libraries needed inside the jail must also be provided

How can a process escape a chroot jail according to the slides

If it has root privilege

What problem does Software Fault Isolation try to solve

It stops unsafe code in the same address space from corrupting other code or data

How does SFI constrain untrusted code

By adding checks so it only jumps and writes within its own segments

What is the role of the verifier in SFI

To reject code that contains unsafe or privileged instructions

What is one implementation challenge for SFI on x86

Variable length instructions make guard placement harder

What is one major challenge in sandboxing overall

Defining a correct sandboxing policy