Firewall and NIDS Placement Quiz

Questions and Answers

What is the concern if incoming packets arrive at Telnet, FTP, SUNRPC, or IMAP ports when they are not used by the site?

The incoming packets are suspicious

What type of signature is the WinNuke attack an example of?

Header signature

What is the purpose of placing a NIDS sensor outside the main enterprise firewall?

To establish the level of threat for a given enterprise network

What is the significance of a TCP packet with both SYN and FIN flags set?

It is an attempt to start and stop a connection at the same time

What is the purpose of a NIDS sensor in the DMZ?

To monitor traffic between the Internet and the DMZ

What is the primary goal of NIDS sensor placement?

To detect and alert on suspicious traffic

What type of detection is useful for identifying unknown attacks?

Anomaly-based detection

What is the primary advantage of placing a NIDS sensor inside the main firewall but outside internal firewalls?

It monitors for penetration attempts that target internal services

What is the significance of a NIDS sensor in identifying the source of an attack?

It helps to identify the attack source

What is the primary goal of analyzing firewall logs?

To identify potential security threats

Study Notes

NIDS Placement

  • NIDS sensors can be placed behind internal firewalls to monitor major backbone networks, LANs, and specific network segments for more targeted attacks.
  • Four types of locations for NIDS sensors:
    • Outside the main enterprise firewall: monitors threat levels and helps win management support for security efforts.
    • In the network demilitarized zone (DMZ), inside the main firewall but outside internal firewalls: monitors penetration attempts on open services.
    • Behind internal firewalls: monitors major backbone networks and LANs.
    • Behind internal firewalls: monitors LANs that support user workstations and servers specific to single departments.

Firewalls

  • A firewall is a barrier between two computers or computer systems.
  • Firewalls filter incoming packets based on parameters like packet size, source IP address, protocol, and destination port.
  • Linux and Windows (from XP onwards) have built-in firewalls.
  • Windows 7 expanded firewall functionality to handle inbound and outbound traffic filtering.
  • Windows 8 and 10 did not change firewall functionality significantly.
  • Individual computer firewalls should be turned on and configured in addition to perimeter firewalls.
  • Dedicated firewalls are necessary between a network and the outside world in an organizational setting.

NIDS Function

  • Network-based IDS monitors network traffic on a specific segment as a data source.
  • NIDS captures all network traffic by placing the network interface card in promiscuous mode.
  • Three primary types of signatures:
    • String signatures: look for specific text strings indicating possible attacks (e.g., the UNIX command cat "+ +" > /.rhosts).
    • Port signatures: watch for connection attempts to frequently attacked ports (e.g., Telnet TCP port 23, FTP TCP port 21/20).
    • Header signatures: detect dangerous or illogical packet header combinations (e.g., WinNuke, TCP packet with both SYN and FIN flags set).
