QUESTION 1

As a security manager, you need to implement security measures to detect intrusions from the LAN. Your boss needs some understanding of IDS before approving your solution.

a) How many types of IDS are available? Name them all and describe each. (8 marks)

Ans:
– Host Based IDS (HIDS) – Similar to NIDS but only analyzes network traffic to and from a single machine. (1.6)
– Network IDS (NIDS) – Analyzes packets on a network and tries to determine if a hacker is trying to break into a system. An NIDS typically runs on a hub or a router, analyzing all traffic flowing through the device. (1.6)
– System Integrity Verifier (SIV) – Keeps track of critical system files and notifies an administrator when they are altered. (1.6)
– Log File Monitor (LFM) – Scans through logs generated by network services looking for attack patterns. (1.6)
– Honeypot – A deception system that has false services to attract hacker attention. (1.6)

b) What are the limitations of host based IDS (HIDS)? (8 marks)

Ans:
– Traffic overloading can easily crash a HIDS, since it is usually installed and running on a platform such as a software OS. (2)
– A HIDS cannot examine encrypted network traffic passing through. (2)
– It is specific to types of systems, which makes it impractical for many environments. If the server is running multiple services such as DNS, file sharing, SMTP and so on, the host based IDS might not be able to detect intrusions. (2)
– It runs as a background process and does not have access to the core communication functionality of the system. If an attacker finds a way to access the OS somehow, the IDS could be disabled. (2)
OR SIMILAR (4 items with description needed)

c) Please describe a SYN attack. (5 marks)

Ans: A SYN attack exploits the use of a small buffer space during the TCP three-way handshake in order to prevent a server from accepting inbound TCP connections. When a server receives the first SYN=1 packet, it stores this connection request in a small "in-process" queue. Since sessions tend to be established quickly, this queue is small and can store only a small number of connection requests. This method is used to optimize memory. (2.5)

A SYN attack floods this small queue with connection requests. When the target system replies, the attacking system does not respond and leaves the connection request in the queue until it times out. By filling up this queue with bogus requests, the target system can no longer accept legitimate requests. This is a form of Denial of Service. (2.5)

d) What are the ways to minimize a SYN attack? (4 marks)

Ans: Increase the size of the in-process queue, which provides additional space so that more connection requests can be queued. (2)
OR Decrease the amount of time before stale entries are purged from the in-process queue. It can prevent busy systems connected by a slow network link from being refused a connection. (2)

QUESTION 2 (25 points)

a) In encryption, what are symmetric and asymmetric keys? How do they differ? (6 marks)

Ans: A symmetric key uses the same key to encrypt and decrypt data. However, such keys are easily captured during key exchange between two networked hosts. If any one key is lost to an attacker, the traffic content can be compromised. The major advantage is the comparatively high speed of encryption and decryption of data between the hosts. (3)

Asymmetric keys use two mathematically different keys to encrypt (private) and decrypt (public). During a key exchange, it is harder to capture the content of keys and reuse it for decryption, since the private key will not be exchanged. (3) OR Similar

b) In PKI, what are the public key and private or crypto keys? In what situation does it have an advantage over others such as SSH? (8 marks)

Ans: In Public-Private Key Infrastructure (PKI), the private key mathematically derives an additional key called the public key (2), once a key pair is generated by its owner. However, information cannot be encrypted by the public key but by the private key. (1.5) The private key is an encryption key for the owner to encrypt data on his/her communication device. He can then distribute his public or a mathematically related key to his intended recipient. (1.5) It can be distributed through some transport mechanism such as a floppy. The recipient can use the sender's public key to decrypt the data. (2-23 to -24) The major advantage over SSH is that PKI does not require a real-time channel to be created before data exchange. A file or email can be encrypted in advance by the private key and sent over unsecured media. (3) OR SIMILAR in PKI concept.

c) How do firewalls differ from proxies? When are they used? (6 marks)

Ans: In a network situation, a proxy divides the network connection between a server and client devices. A proxy receives a request from an internal client and forwards the request to another host, such as a server, on behalf of the client by providing its own external network address. (1.5) On the other hand, a firewall also divides traffic between a server and client to examine packets passing through its external and internal interfaces for possible attacks. Firewalls can also create policies or rules to govern what kinds of packet types can pass. (1.5) A proxy can reduce traffic on the WAN by caching requested content while reducing the risk of exposing its clients' network addresses, in order to minimize attacks. (1.5) A firewall can be implemented to control unwanted traffic flowing between networks. It is usually used in a defensive situation on a network. (1.5)

d) Please describe each item in a short sentence. (5 marks)

i) ICMP – Internet Control Message Protocol provides flow control and route determination in the IP protocol.

A proxy agent captures the traffic from both the web server and the client. When a client replies with a password on the corresponding bank account, the password is shown in clear text. A hacker can then use the legitimate credential to log into the bank account. (3)

ii) How can we make the session more secure? List three names. (5)

Ans: Possible solutions include encrypting credentials, Secure Socket Layer, certificate mapping, PKI, etc. (1.3 each)

c) How can RAID 0, 1 and 5 on a server provide fault tolerance in a hardware emergency? (9)

Ans: A redundant array of inexpensive disks provides fault tolerance against hard disk crashes. There are many levels: RAID 0 to 5. (2) Level 0 is strictly for performance gains and provides no fault tolerance; RAID 0 stripes the data across multiple hard disks. (2) RAID 1 maintains a full copy of all file information on every disk and is thus sometimes referred to as disk mirroring. Should a disk fail, each of the remaining disks has a full copy of the entire file system. (2) RAID 5 has data and ECC storage capability. This arrangement helps to improve speed over RAID 0 with a fault tolerance feature. Yet it also suffers from bottlenecks on the parity drive. Compared with RAID 1, it increases usable disk space to the total of all disks minus one disk. (3)

QUESTION 4 (25 points)

a) How does Kerberos work in authenticating a user? (5)

Ans: Kerberos is an authentication method which can be used as a single sign-on mechanism and allows mutual authentication and encrypted communication between users and services. (2)
1. The user authenticates to the local OS. A local agent sends an authentication request to the Kerberos server. (1)
2. The server responds by sending the encrypted credentials for the user attempting to authenticate to the system, and the local agent then tries to decrypt the credentials using the user-supplied password. (1)
3. If decryption succeeds with the password, the user is validated and given an authentication ticket for accessing other Kerberos-authenticated services. (1)
OR Similar

b) Given a netmask (subnet mask) 255.255.224.0, please determine if the IP addresses 172.16.65.148 and 172.16.97.221 both reside on the same subnetwork. Please show your calculations and justify your answer. (6)