312-50 Practice Test Questions

763 Questions


Topic 19, Evading IDS, Firewalls and Honeypots

You are the security administrator for a large network. You want to prevent attackers
from running any sort of traceroute into your DMZ and discovering the internal
structure of publicly accessible areas of the network. How can you achieve this?

A. Block TCP at the firewall
B. Block UDP at the firewall
C. Block ICMP at the firewall
D. There is no way to completely block tracerouting into this area

Answer: D. There is no way to completely block tracerouting into this area

Explanation: If you create rules that prevent attackers from performing traceroutes to your
DMZ, you will also prevent anyone from accessing the DMZ from outside the company
network, and in that case what you have is no longer a DMZ.

Which address translation scheme would allow a single public IP address to always
correspond to a single machine on an internal network, allowing "server
publishing"?

A. Overloading Port Address Translation
B. Dynamic Port Address Translation
C. Dynamic Network Address Translation
D. Static Network Address Translation

Answer: D. Static Network Address Translation

Explanation: Static NAT maps an unregistered IP address to a registered IP address on a one-to-one
basis. It is particularly useful when a device needs to be accessible from outside the
network.

Which definition among those given below best describes a covert channel?

A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure.

Answer: B. Making use of a protocol in a way it is not intended to be used.

Explanation: A covert channel is described as "any communication channel that can be
exploited by a process to transfer information in a manner that violates the system's
security policy." Essentially, it is a method of communication that is not part of the actual
computer system design, but can be used to transfer information to users or system
processes that normally would not be allowed access to the information.

You have discovered that an employee has attached a modem to his telephone line
and workstation. He has used this modem to dial in to his workstation, thereby
bypassing your firewall. A security breach has occurred as a direct result of this
activity. The employee explains that he used the modem because he had to
download software for a department project. What can you do to solve this problem?

A. Install a network-based IDS
B. Reconfigure the firewall
C. Conduct a needs analysis
D. Enforce your security policy

Answer: D. Enforce your security policy

Explanation: The employee was unaware of the security policy.

Jonathan, being a keen administrator, has followed all of the best practices he could
find on securing his Windows Server. He renamed the Administrator account to a
new name that can't be easily guessed, but there remain people who attempt to
compromise his newly renamed administrator account. How can a remote attacker
decipher the name of the administrator account if it has been renamed?

A. The attacker guessed the new name
B. The attacker used the user2sid program
C. The attacker used the sid2user program
D. The attacker used NMAP with the V option

Answer: C. The attacker used the sid2user program

Explanation: User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager)
of the local or a remote machine. Sid2user.exe can then be used to retrieve the names of
all the user accounts and more. These utilities do not exploit a bug but call the functions
LookupAccountName and LookupAccountSid respectively. What is more, these can be
called against a remote machine without providing logon credentials beyond those needed for
a null session connection.

Given the following extract from the snort log on a honeypot, what do you infer from
the attack?

A. A new port was opened
B. A new user id was created
C. The exploit was successful
D. The exploit was not successful

Answer: D. The exploit was not successful

Explanation: The attacker submits a PASS to the honeypot and receives a "login incorrect"
before disconnecting.

Network Intrusion Detection systems can monitor traffic in real time on networks.
Which one of the following techniques can be very effective at avoiding proper
detection?

A. Fragmentation of packets.
B. Use of only TCP based protocols.
C. Use of only UDP based protocols.
D. Use of fragmented ICMP traffic only

Answer: A. Fragmentation of packets.

Explanation: If the default fragmentation reassembly timeout is set higher on the client
than on the IDS, then it is possible to send an attack in fragments that will never be
reassembled by the IDS but will be reassembled and read on the client computer
acting as the victim.

An employee wants to defeat detection by a network-based IDS application. He does
not want to attack the system containing the IDS application.
Which of the following strategies can be used to defeat detection by a network-based
IDS application? (Choose the best answer)

A. Create a network tunnel.
B. Create multiple false positives.
C. Create a SYN flood.
D. Create a ping flood.

Answer: A. Create a network tunnel.

Explanation: Certain types of encryption present challenges to network-based intrusion
detection and may leave the IDS blind to certain attacks, whereas a host-based IDS analyzes
the data after it has been decrypted.

What is the tool Firewalk used for?

A. To test the IDS for proper operation
B. To test a firewall for proper operation
C. To determine what rules are in place for a firewall
D. To test the webserver configuration
E. Firewalk is a firewall auto configuration tool

Answer: C. To determine what rules are in place for a firewall

Explanation: Firewalk is an active reconnaissance network security tool that attempts to
determine what layer 4 protocols a given IP forwarding device ("firewall") will pass. Firewalk
works by sending out TCP or UDP packets with a TTL one greater than the targeted
gateway. If the gateway allows the traffic, it will forward the packets to the next hop, where
they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does
not allow the traffic, it will likely drop the packets and no response will be returned.

Which of the following tools can be used to perform a zone transfer?

A. NSLookup
B. Finger
C. Dig
D. Sam Spade
E. Host
F. Netcat
G. Neotrace

Answer: A. NSLookup; C. Dig; D. Sam Spade; E. Host

Explanation: There are a number of tools that can be used to perform a zone transfer.
Some of these include NSLookup, Host, Dig, and Sam Spade.

Bob, an administrator at the company, was furious when he discovered that his buddy
Trent had launched a session hijack attack against his network and sniffed his
communication, including administrative tasks such as configuring routers,
firewalls and IDS via Telnet.
Bob, being an unhappy administrator, seeks your help in ensuring that
attackers such as Trent will not be able to launch a session hijack in the company.
Based on the above scenario, which would be your corrective
measures? (Choose two)

A. Use encrypted protocols, like those found in the OpenSSH suite.
B. Implement FAT32 filesystem for faster indexing and improved performance.
C. Configure the appropriate spoof rules on gateways (internal and external).
D. Monitor for ARP caches, by using IDS products.

Answer: A. Use encrypted protocols, like those found in the OpenSSH suite.
C. Configure the appropriate spoof rules on gateways (internal and external).

Explanation: First you should encrypt the data passed between the parties, in particular
the session key. This technique is widely relied upon by web-based banks and other e-commerce
services, because it completely prevents sniffing-style attacks. However, it could
still be possible to perform some other kind of session hijack. By configuring the
appropriate spoof rules you prevent the attacker from using the same IP address as the
victim, and thus you can implement a secondary check to see that the IP does not change in
the middle of the session.

While scanning a network you observe that all of the web servers in the DMZ are
responding to ACK packets on port 80.
What can you infer from this observation?

A. They are using Windows based web servers.
B. They are using UNIX based web servers.
C. They are not using an intrusion detection system.
D. They are not using a stateful inspection firewall.

Answer: D. They are not using a stateful inspection firewall.

Explanation: If they used a stateful inspection firewall, the firewall would know whether there had
been a SYN-ACK before the ACK.

