
ECE6612 Quiz 2 -> Exam Topics (see also Q1 and Q2 Topics) Spring 2013






Presentation Transcript


  1. ECE6612 Quiz 2 -> Exam Topics (see also Q1 and Q2 Topics) Spring 2013

  2. Chapter 10a - Firewalls
     - Network Firewall - economical, one point to manage.
     - Host-based FW - can filter based on application; depends on the user unless a central management system is used.
     - Simple Firewall - drops packets based on IP address and port.
     - Stateful - keeps track of connections, set up from inside or outside.
     - NAT - Network Address Translation, private address ranges (10.x, 192.168.x, …). Inbound connections must match the "forwarding table".
     - Proxy Server - checks the application header and data. A mail proxy may filter spam, viruses, and worms; a Web proxy may filter URLs and domains.
     - Attacks - how does a firewall protect against scanning, bad fragments, bad TCP flags, the Smurf attack, ...
     - Host-based Firewalls - xinetd (/etc/hosts.allow), iptables, Zone Alarm, Black Ice (now ISS Desktop Proventia), "Little Snitch"

  3. Chapter 10b - Trusted Systems
     - Subject, Object, Access Rights (permissions)
     - Policy - access matrix or ACL (access control list)
     - Basic Security Rules: No read up (simple security property); No write down (do not widen accessibility); Need to Know.
     - Reference Monitor, audit file, security kernel database.
     - Requirements to be a "Trusted System": Complete Mediation, Isolation, Verifiability
     - "Common Criteria" Security Specifications are multi-national trust ratings.

  4. Chapter 11 - TCP/IP
     - Bad fragments can crash the Operating System (OS): "Teardrop".
     - ICMP packets: Type No. (11 = Timeout, 8 = Ping, 0 = Pong, 3 = Unreachable [Codes: 0 = Network, 1 = Host, 3 = Port])
     - "Ping of Death" - fragment extends beyond 2^16 bytes.
     - "Smurf" (Pong multiplication: Ping to a broadcast address).
     - "Spoofed" addresses for flood DoS attacks (source IP in Smurf).
     - TCP handshake: SYN, SYN-ACK, ACK / RESET / FIN, FIN. Flags - bad combinations used to 1) map the OS, 2) cause crashes.
     - TCP - hijacked connection. The IP address of one host can change if the sequence numbers and acknowledgement numbers stay consistent. The original host must be DoS'ed (silenced).
     - DNS - UDP port 53 is used for DNS lookups and reverse lookups. What are "Fast Flux DNS" and "DNS Cache Poisoning"?
     - ARP - used by the IP layer to find the MAC-layer address to use. What is "ARP Poisoning"?

  5. Chapter 12 - Traffic Visualization - not covered.

  6. Chapter 13 - NetSec Utilities
     - What do they do? John the Ripper, Metasploit, dsniff, nmap, Tripwire, Wireshark, tcpdump, nslookup, traceroute, whois, netstat, dd
     - Security Organizations: US-CERT (U.S. Computer Emergency Response Team), SANS, NIPC (FBI - Nat. Infrastructure Protection Center)
     - What to do if a host is compromised: Evidence - preserve the chain of custody. Disconnect from the network, by power-off if possible. The UNIX 'dd' utility is good for making an image of a hard disk.

  7. Slide Set 14 - Wireless Security
     - WEP is weak security, but far better than nothing (GTother).
     - WPA is better, but needs long passphrases (22 characters).
     - WPA2 is best, but not completely compatible with older cards (GTwpa - available in 2010, GTwifi in 2012).
     - Use the longest key length possible. The WPS 7-digit install is broken.
     - Enable use of an "allowed list" of MAC addresses.
     - Use higher-layer security - IPsec or HTTPS (SSL), email with TLS.
     - Use a firewall and IDS to isolate wireless access points (WAPs) just as you do for the Internet gateways.
     - Search for rogue WAPs: What is an "Evil Twin" attack?
     - Authentication: RADIUS, CHAP - Challenge-Handshake Authentication Protocol

  8. Slide Set 15 - Hidden Data
     - Hidden files (on UNIX, the name starts with ".")
     - Startup scripts (a great place to hide a Trojan Horse)
     - Covert channels (hide in "Ping" packets, SSH, port 80, FTP)
     - Steganography (hiding data in an image file)
     - Watch for new processes (use 'ps aux'), new files (particularly "suid" files*), open Internet TCP and UDP ports ('netstat -nalp' or 'sockstat -4')
     *An "suid" file (chmod 4755) owned by root always runs with root privileges.

  9. Slide Set 16 - Safe Computing
     - Eliminate unneeded daemons, "suid programs," open ports, and user accounts (to "harden" the computer).
     - Enforce long, mixed-character passwords.
     - Explain "Once root, always root" (Copeland's 2nd rule*). (The 1st rule is "No security without physical security." The 3rd rule is "Layers of protection and detection are needed ... .")
     - Use the host OS firewall to limit connections as much as possible (MacOS: use /etc/hosts.allow to limit incoming ssh IPs, "Little Snitch" to limit by application and outgoing IP connections).
     - Keep security patches up to date, from OS and application vendors.
     - Most compromises today come from email and Web accesses (no click needed).

  10. Slide Set 17 - Shell Code
     - "Shellcode" is binary code that will execute without being processed by a "Loader":
       1. Must make kernel system calls directly (no standard libraries)
       2. Must use absolute or relative jumps (no relocatable jumps)
       3. Must be written in assembly language, with a limited set of instructions (e.g., no labels).
     - The original shellcode opened a backdoor with a command shell (bash, cmd.exe, …). Now shellcode has been written to open an Internet connection, download and install malware (e.g., a rootkit or bot), transfer files, …
     - Buffer Overflow (what is it, what does it do) [ gets(buf) ]: 1) can change data, 2) can redirect the program counter to execute shellcode.
     - How to prevent a "Buffer Overflow" [use fgets(buf, n, stdin) instead of gets()]
     - What's a "sled"? Why should the OS randomize stack memory addresses? What is "polymorphic" code?

  11. Current Affairs
     - Spear Phishing - used for government-level attacks.
     - BotNets - used by organized crime for spam email (fake drugs, stock pumping, phishing to steal identity info, links to Web sites with exploits). Distinguished by use of P2P networking.
     - Dynamic DNS (fast-flux DNS) - used to direct a hacker URL to various IP addresses.
     - Modified DNS Server IP - site sometimes misdirects URLs.
     - DNS Cache Poisoning - send phony responses to your own query.
     - Adware and Spyware - nuisance software that pops up ads and reports Web usage, but could report more sensitive info.
     - Insider Attacks - unauthorized access to steal government or corporate data, forge records, cover up embezzlement.
     - There will be a question on something from Jason Belford's talk, and from the "Hacking America" documentary.

  12. Terms to Know
     - Malware - any malicious software.
     - RAT - Remote Administration Tool (remote control of a host).
     - Hack-Back - reverse hacking of the attacker - usually illegal (many attacking hosts are themselves compromised; damage hurts innocents).
     - Exploit code - can be in Microsoft Office documents, HTML mail or Web pages, database files, image files, data input (SQL poison, buffer overflow), text files (shell code and .bat files).
     - Root Kit - installs special versions of OS utilities which hide the presence of an intruder (files, processes, sockets, accounts).

  13. Three Basic Rules
     - Without physical security, there is no security.
     - Once "root", always "root" (or "admin").
     - Multiple layers of prevention and monitoring are necessary to achieve the optimum degree of protection (for a given budget). [Complete prevention is impossible.]
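The gets() versus fgets() item from slide 10 (Shell Code), worked through as an added example that is not part of the slides: unsafe_read_line mirrors the unbounded gets(buf) pattern, and safe_read_line is the fgets(buf, n, stdin) fix with newline stripping and truncation handling. The login_form struct, the function names and the sample lines are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
/* Constructed record: buf is followed by a field an overflow of buf would overwrite. */
struct login_form { char buf[16]; int is_admin; };
static struct login_form form;          /* filled by fill_form() below */

/* The pattern slide 10 warns about: gets(buf) copies the whole line with no
 * length check, so a line of 16+ bytes writes past buf. Contrast only. */
char *unsafe_read_line(char *buf, FILE *in)
{
    char *p = buf;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;                 /* no check against the buffer size */
    *p = '\0';
    return buf;
}

/* The fix from the slide: fgets(buf, n, in) stores at most n-1 bytes. The
 * newline is stripped; if the line did not fit, the rest is drained so the
 * leftover bytes are not read as the next input.
 * Returns 0 on EOF/error, 1 for a complete line, 2 for a truncated one. */
int safe_read_line(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* discard what did not fit */
    return 2;
}

/* Feeds one constructed line through the bounded reader; is_admin is reset
 * first so any change would reveal an overflow of buf. */
int fill_form(const char *line)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return -1;
    form.is_admin = 0;
    int rc = safe_read_line(form.buf, sizeof form.buf, in);
    fclose(in);
    return rc;
}
const char *form_text(void) { return form.buf; }
int form_is_admin(void) { return form.is_admin; }
```

A 32-byte line is cut to 15 characters and the is_admin field behind the buffer is left untouched, which is exactly what the gets() version cannot guarantee.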
