Chapter 16
Evading IDSs, Firewalls, and Honeypots

  1. III. Security
    • Vulnerabilities
  2. IV. Tools/Systems/Programs
    • O. Operating environments
    • Q. Log analysis tools
    • S. Exploitation tools

At this point in this book you have seen quite a number of ways to break into a computer system, network, or organization. The problem is that though a lot of these attacks are effective at getting information and other items from a target, they can be detected or thwarted. Today’s networks and environments employ a range of defensive and detective measures designed to deal with such attacks.

Today’s corporations employ many defensive measures, each with its own way of putting a stop to your attack. Intrusion detection systems (IDSs), intrusion prevention systems (IPSs), firewalls, honeypots, and others form potent obstacles to your activities. Although these devices are formidable they are not insurmountable, so you need to first learn how they work and then see what you can do to overcome the obstacles or just get around them altogether. This chapter focuses on these systems and how to deal with them.

Honeypots, IDSs, and Firewalls

Before we delve into the various evasion techniques you can use to get around a defender’s defensive and detective mechanisms, you must learn how they work. We’ll look at each of these systems and show what they are designed to defend against and how they detect or stop an attack.

The Role of Intrusion Detection Systems

An intrusion detection system (IDS) is an application or device used to gather and analyze information that passes across a network or host. An IDS is designed to analyze, identify, and report on any violations or misuse of a network or host.

Let’s take a closer look at how an IDS works. An IDS monitors and protects networks by detecting malicious activity; once activity of this type is detected, it reports it to a network administrator, who is alerted to decide on a response.

Here are some things to keep in mind as we go forward. An IDS:

  • Is designed to detect malicious or nonstandard behavior
  • Gathers information from within a network to detect violations of security policy
  • Reports violations and deviations to an administrator or system owner

The Four Types of Intrusion Detection Systems

In practice there are four types of IDSs, each offering unique capabilities that the others do not. We’ll first discuss the types available and where each fits in; then we’ll delve deeper into each.

  • The first type, and one of the most common, is the NIDS. The NIDS is designed to inspect every packet entering the network for the presence of malicious or damaging behavior and, when malicious activity is detected, raise an alert. The NIDS is able to monitor traffic from the router to the host itself. Much like a packet sniffer, an NIDS relies on a network card operating in promiscuous mode. In practice this type of IDS can take the form of a dedicated computer or the more common black box design (which is a dedicated device altogether).
  • The next major kind of IDS is the host-based intrusion detection system (HIDS), which is installed on a server or computer. An HIDS is responsible for monitoring activities on a system. It is adept at detecting misuse of a system, including insider abuses. Its location on a host puts the HIDS in close proximity to the activities that occur on a host as well as in a perfect position to deal with threats on that host. HIDSs are commonly available on the Windows platform but are found on Linux and Unix systems as well.
  • Log file monitors (LFMs) monitor log files created by network services. The LFM IDS searches through the logs and identifies malicious events. Like NIDSs, these systems look for patterns in the log files that suggest an intrusion. A typical example would be parsers for HTTP server log files that look for intruders who try well-known security holes, such as the phf attack. An example of a log file monitoring program is swatch.
  • File integrity checking mechanisms, such as Tripwire, check for Trojan horses or files that have otherwise been modified, indicating an intruder has already been there.

The Inner Workings of an IDS

The main purpose of an IDS is to detect and alert an administrator about an attack. The administrator can then determine, based on the information received from the IDS, what action to take.

An IDS functions in the following way:

  1. The IDS monitors network activity for anomalies—that is, signatures or behaviors that may indicate an attack or other malicious behavior. If the activity detected matches signatures that the IDS has on record or a known attack, the IDS reports the activity to an administrator for them to decide what to do. Based on the configuration in place on the IDS, the system can also take additional actions, such as sending text messages, paging someone, or sending an e-mail.
  2. If the packet passes the anomaly stage, then stateful protocol analysis is done.

IDS Detection Methods

So what mechanisms allow an IDS to determine what is an attack and what is not? What works with the rule engine? Well, one of three methods will be used: signature, protocol, or anomaly detection.

Signature Detection

The first form of detection or recognition is based on signature; this method is also sometimes called misuse detection. The system compares traffic to known models and when matches are found it reports the attack.

  • Pattern matching is the most basic form of detection and is used in many systems. The process relies on comparing captured traffic against known patterns, including binary models that may, for example, look for particular changes or settings in the TCP flags of the traffic. Consider the following points when implementing a pattern matching system:
  • Signature recognition is effective at detecting known attacks and poor at detecting ones not in its database. There is also a slight possibility that other traffic not related to an attack will trigger a false positive.
  • Additionally, improper signatures can cause other problems such as false positives and false negatives.
  • As the signature database increases in size, the time it takes to analyze traffic increases, resulting in a reduction in performance. In fact, if enough traffic attempts to pass through the IDS and performance is already impacted, traffic may be dropped and not analyzed.
  • Evolution of attacks and minor variations of attacks can result in the need for multiple signatures for a single attack. Just a single bit change can trigger the need for a new signature to be created.

Although these problems may seem to bar the implementation of such systems, or at least cause some concern, this type of IDS is widely deployed.

Anomaly Detection

Anomaly detection differs from signature detection in how it identifies potential attacks. Rather than holding a database of known attacks, the system holds a model of normal activity, and any deviation from that normal activity is regarded as an anomaly and potentially an attack, triggering further action. Unlike a signature-based system, this type of system must therefore be set up to understand what normal activity on the network is so that it can detect deviations from that baseline. If the system is not taught what normal behavior on the network is supposed to be, false positives and negatives can easily become a problem.

Protocol Anomaly Detection

The third type of detection used by IDS systems is protocol anomaly detection. It is based on the anomalies that are specific to a given protocol. To determine what anomalies are present, the system uses known specifications for a protocol and then uses that as a model to compare traffic against. Through use of this design, new attacks may be discovered.

This method can detect new attacks before normal anomaly detection or signature detection can. The detection method relies on the use or misuse of the protocol and not the rapidly changing attack method. Unlike the prior two methods, protocol anomaly detection does not require signature updates to be downloaded. Alarms in this type of system are typically presented differently from others, and thus the manufacturers’ guides should be consulted as each may be different.
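The three detection methods above, applied to constructed HTTP request records, as an added example that is not part of the book's text: the signatures, thresholds and client addresses are invented for the demo.

```python
# Added example (not the book's code): a miniature IDS engine applying the
# three detection methods to constructed HTTP request records. Signatures,
# thresholds and addresses are invented for the demo.
from collections import defaultdict
from urllib.parse import unquote

# --- 1. Signature (misuse) detection -----------------------------------
# Known-bad substrings, matched against a normalized path so that encoded
# variants of the same request still hit the signature.
SIGNATURES = {
    "phf-cgi": "/cgi-bin/phf",
    "dir-traversal": "../",
}

def normalize(path):
    """Percent-decode until stable (defeats nested encoding), then lower-case."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()

def signature_alerts(req):
    path = normalize(req["path"])
    return [name for name, pat in SIGNATURES.items() if pat in path]

# --- 2. Protocol anomaly detection -------------------------------------
# The protocol specification is the model; anything outside it is reported
# even when no signature exists for it.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
VALID_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}

def protocol_alerts(req):
    alerts = []
    if req["method"] not in VALID_METHODS:
        alerts.append("unknown-method")
    if req["version"] not in VALID_VERSIONS:
        alerts.append("bad-version")
    if len(req["path"]) > 2048:
        alerts.append("oversized-uri")
    return alerts

# --- 3. Anomaly detection against a learned baseline -------------------
class RateBaseline:
    """Learns the busiest client seen in normal traffic, then flags clients
    that exceed that count by a factor. Train it on clean traffic only:
    a poor baseline is exactly what produces false positives and negatives."""
    def __init__(self, factor=3):
        self.factor = factor
        self.max_normal = 0

    @staticmethod
    def _counts(requests):
        counts = defaultdict(int)
        for r in requests:
            counts[r["client"]] += 1
        return counts

    def train(self, requests):
        self.max_normal = max(self._counts(requests).values(), default=0)

    def anomalies(self, requests):
        limit = self.max_normal * self.factor
        return sorted(c for c, n in self._counts(requests).items() if n > limit)

def analyze(requests, baseline):
    """Return {client: set(alert names)} combining all three methods."""
    report = defaultdict(set)
    for r in requests:
        for a in signature_alerts(r) + protocol_alerts(r):
            report[r["client"]].add(a)
    for c in baseline.anomalies(requests):
        report[c].add("rate-anomaly")
    return dict(report)

def make(client, method, path, version="HTTP/1.1"):
    return {"client": client, "method": method, "path": path, "version": version}

# Constructed training traffic: no client makes more than 3 requests.
TRAINING = ([make("10.0.0.5", "GET", "/index.html")] * 3
            + [make("10.0.0.6", "GET", "/about.html")] * 2)

# Constructed traffic under observation.
OBSERVED = (
    [make("10.0.0.5", "GET", "/index.html")] * 2
    + [make("10.0.0.9", "GET", "/cgi-bin/%70hf?Qalias=x")]   # encoded phf probe
    + [make("10.0.0.10", "FOO", "/")]                         # not a real method
    + [make("10.0.0.11", "GET", "/login")] * 12               # far above baseline
)

def demo():
    baseline = RateBaseline()
    baseline.train(TRAINING)
    return analyze(OBSERVED, baseline)

if __name__ == "__main__":
    for client, alerts in sorted(demo().items()):
        print(client, sorted(alerts))
```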

Signs of an Intrusion

So what type of activities are indications of a potential attack? What type of actions can an IDS respond to? Let’s take a look at activities that may indicate an intrusion has occurred.

Host System Intrusions

What is an indicator of an attack on a host? A wide range of activities could be construed as an attack:

  • File system anomalies such as unknown files, altered file attributes, and/or alteration of files.
  • New files or folders that appear without explanation or whose purpose cannot be ascertained. New files may be a sign of items such as a rootkit or an attack that could be spread across a network.
  • Presence of rogue suid or sgid files on a Linux system.
  • Unknown or unexplained modifications to files.
  • Unknown file extensions.
  • Cryptic filenames.
  • Double extensions such as filename.exe.exe.

This is not an exhaustive list. As attackers evolve, so do the attacks that may be used against a target.

Network Intrusions

Indications of a potential network attack or intrusion include the following:

  • Increased and unexplained use of network bandwidth
  • Probes of services on systems on the network
  • Connection requests from unknown IPs outside the local network
  • Repeated login attempts from remote hosts
  • Unknown or unexplained messages in log files

Nonspecific Signs of Intrusion

Other signs can appear that may indicate the presence of an intruder or potential intrusion in progress:

  • Modifications to system software and configuration files
  • Missing logs or logs with incorrect permissions or ownership
  • System crashes or reboots
  • Gaps in the system accounting
  • Unfamiliar processes
  • Use of unknown logins
  • Logins during nonworking hours
  • Presence of new user accounts
  • Gaps in system audit files
  • Decrease in system performance
  • Unexplained system reboots or crashes

Firewalls

Firewalls are another protective device for networks that stand in the way of a penetration tester or attacker. Firewalls represent a barrier or logical delineation between two zones or areas of trust. In its simplest form an implementation of a firewall represents the barrier between a private and a public network, but things can get much more complicated from there as you’ll see in this section.

When discussing firewalls, it is important to understand how they work and their placement on a network. A firewall is a collection of programs and services located at the choke point (the location where traffic enters and exits the network). It is designed to filter all traffic flowing in and out and determine whether that traffic should be allowed to continue. In many cases the firewall is placed in such a way as to be distanced from important resources so that, in the case of compromise, key resources are not adversely impacted. If enough care and planning are taken along with a healthy dose of testing, only traffic that is explicitly allowed to pass will be able to do so, with all other traffic dropped at the firewall.

Some details about firewalls to be aware of:

  • Firewalls are a form of IDS since all traffic can be monitored and logged when it crosses the firewall.
  • A firewall’s configuration is mandated by a company’s own security policy and will change to keep pace with the goals of the organization.
  • Firewalls are typically configured to allow only specific kinds of traffic such as e-mail protocols, web protocols, or remote access protocols.
  • In some cases, a firewall may also act as a form of phone tap, allowing for the identification of attempts to dial into the network.
  • A firewall uses rules that determine how traffic will be handled. Rules exist for traffic entering and exiting the network, and it is possible for traffic going one way not to be allowed to go the other.
  • For traffic that passes the firewall, the device will also act as a router, helping guide traffic flowing between networks.
  • Firewalls can filter traffic based on a multitude of criteria, including destination, origin, protocol, content, or application.
  • In the event that traffic of a malicious nature tries to pass the firewall, an alarm can be configured that will alert a system administrator or other party as needed.

Firewall Configurations

Not all firewalls or firewall setups are created equal, so you need to be familiar with each setup and how it works. Firewalls can be set up and arranged in several ways, each offering its own advantages and disadvantages. In this section we’ll cover each method.

Bastion Host

A bastion host is intended to be the point through which traffic enters and exits the network. It is a computer system that hosts nothing other than what it needs to perform its defined role, which, in this case, is to protect resources from attack. This type of host has two interfaces: one connected to the public network and the other to the internal network.

Screened Subnet

This type of setup uses a single firewall with three built-in interfaces. The three interfaces are connected to the Internet, the DMZ (more on this in a moment), and the intranet. The obvious advantage of this setup is that the individual areas are separated from one another by virtue of the fact that each is connected to its own interface. This offers the advantage of preventing a compromise in one area from affecting one of the other areas.

Multihomed Firewall

A multihomed firewall is one with interfaces on two or more networks. Each interface is connected to its own network segment logically and physically. A multihomed firewall is commonly used to increase the efficiency and reliability of an IP network. In this case, more than three interfaces are present to allow for further subdividing the systems based on the specific security objectives of the organization.

Demilitarized Zone (DMZ)

A DMZ is a buffer zone between the public and private networks in an organization. It is used to act as not only a buffer zone, but also a way to host services that a company wishes to make publicly available without allowing direct access to their own internal network.

A DMZ is constructed through the use of a firewall. Three or more network interfaces are assigned specific roles such as internal trusted network, DMZ network, and external untrusted network (Internet).

Types of Firewalls

Not all firewalls are the same, and you must know the various types of firewall and be able to understand how each works:

Packet Filtering Firewall This is perhaps the simplest form of firewall. It works at the network level of the OSI model. Typically these firewalls are built directly into a router as part of its standard feature set. This firewall compares the properties of a packet such as source and destination address, protocol, and port. If a packet doesn’t match a defined rule, it is dropped. If the packet matches a rule, it typically is allowed to pass.

Circuit-Level Gateway This is a more complex form of firewall that works at the session layer of the OSI model. A circuit-level firewall is able to detect whether a requested session is valid by checking the TCP handshaking between the packets. Circuit-level gateways do not filter individual packets.

Application-Level Firewall These firewalls analyze the application information to make decisions about whether to transmit the packets.

Stateful Multilayer Inspection Firewall This firewall combines aspects of the other three types. It filters packets at the network layer, determines whether session packets are legitimate, and evaluates the contents of packets at the application layer. Stateful packet filtering overcomes the plain packet filter’s inability to check packet headers against the state of a session before allowing packets to pass.

What’s That Firewall Running?

To determine a type of firewall and even a brand, you can use your experience with port scanning and tools to build information about the firewall your target is running. By identifying certain ports, you can link the results to a specific firewall and from that point determine the type of attack or process to take in order to compromise or bypass the device.

Fortunately, you can perform banner grabbing with Telnet to identify the service running on a port. If you encounter a firewall that has specific ports open, that may help in identification: banner grab those ports and see what is reported back.

Firewalking

Another effective way to determine the configuration of a firewall is through firewalking. Firewalking may sound like a painful process and test of courage, but it is actually the process of probing a firewall to determine the configuration of ACLs by sending TCP and UDP packets at the firewall. The key to making this successful is the fact that the packets are set to have one more hop in their time to live (TTL) in order to get them past the firewall or elicit a response stating otherwise.

To perform a firewalk against a firewall, you need three components:

Firewalking Host The system, outside the target network, from which the data packets are sent to the destination host, in order to gain more information about the target network

Gateway Host The system on the target network that is connected to the Internet, through which the data packet passes on its way to the target network

Destination Host The target system on the target network that the data packets are addressed to

Once you have used firewalking to gain information about the firewall and how it responds to traffic and probes, the next step is to plan your attack. You may find it possible to use tools such as packet crafters and port redirection to evade the configuration in place.

Honeypots

One of the more interesting systems you will encounter is a honeypot. A honeypot may sound like something out of a Winnie the Pooh book, but it is actually a device or system used to attract and trap attackers that are trying to gain access to a system. However, honeypots are far from being just a booby trap; they have also been used as research tools, as decoys, and just to gain information. They are not designed to address any specific security problem.

Because of the way honeypots are positioned, it is safe to assume that any and all interactions with the device are anything but benign in nature.

High vs. Low Interaction

Honeypots are not all created equal. There are two main categories: high- and low-interaction varieties.

Low-interaction honeypots rely on the emulation of services and programs that would be found on a vulnerable system. If attacked, the system detects the activity and throws an error that can be reviewed by an administrator.

High-interaction honeypots are more complex than low-interaction ones in that they are no longer a single system that looks vulnerable but an entire network typically known as a honeynet. Any activity that happens in this tightly controlled and monitored environment is reported. One other difference in this setup is that in lieu of emulation, real systems with real applications are present.

Run Silent, Run Deep: Evasion Techniques

Each of the devices covered in this chapter is designed to stop or slow down an attack. Since you, as a penetration tester, are trying to test a system, you must be able to get around these devices if possible or at least know how to attempt to do so. In this section we discuss the various mechanisms available, how they work, and what devices they are designed to deal with.

Denial of Service vs. IDS

One mechanism for getting around an IDS is to attack the IDS directly or exploit a weakness in the system via a DoS attack. A DoS or DDoS attack overwhelms or disables a target in such a way as to make it temporarily or permanently unavailable. Through the consumption of vital system resources, the overall performance of the target is adversely impacted, making it less able, or completely unable, to respond to legitimate traffic, or at least not function to the best of its ability.

If we target an IDS with a DoS attack, something interesting happens: The IDS functions erratically or not at all. To understand this, think of what an IDS is doing and how many resources it needs to do so. An IDS is sniffing traffic and comparing that traffic to rules, which takes a considerable amount of resources to perform. If these resources can be consumed by another event, then it can have the effect of changing the behavior of the IDS. By using enumeration and system hacking methods it is possible for an attacker to identify which resources are under load or are vital to the proper functioning of the IDS. Once those resources are identified, the attacker can clog up or consume the resources to make the IDS not function properly or become occupied by useless traffic.

Obfuscating

Because an IDS can rely on being able to observe or read information, the process of obscuring or obfuscating code can be an effective evasion technique. This technique relies on manipulating information in such a way that the IDS cannot comprehend or understand it but the target can. This can be accomplished via manual manipulation of code or through the use of an obfuscator. One example that has been successful against older IDSs is the use of Unicode. By changing standard code such as HTTP requests and responses to their Unicode equivalents, you can produce code that the web server understands but the IDS may not.

Crying Wolf

Remember the story from your childhood of the boy who cried wolf? The shepherd boy in the story cried wolf so many times as a joke that when the wolf was actually attacking his flock no one believed him and his flock got eaten. The moral of the story is that liars are rewarded with disbelief from others even when they tell the truth. How does this apply to our IDS discussion? Essentially the same way as the boy in the story: An attacker can target the IDS with an actual attack, causing it to react to the activity and alert the system owner. If done repeatedly, the owner of the system will see log files full of information that says an attack is happening, but no other evidence suggests the same. Eventually the system owner may start to ignore these warnings, or what they perceive to be false positives, and become lax in their observations. Thus an attacker can strike at their actual target in plain sight.

Session Splicing

Session splicing is an IDS evasion technique that exploits the fact that some types of IDSs do not reassemble or rebuild sessions before analyzing traffic. Additionally, it is possible to fool some systems by fragmenting packets or tampering with the transmission of packets in such a way that the IDS cannot analyze them and instead forwards them to the target host.

Fun with Flags

The TCP protocol uses flags on packets to describe the status of the packet. Knowledge of these flags can yield benefits such as evasion techniques for IDSs.

Bogus RST

RST is one of the many flags used to end two-way communications between endpoints. In addition to these flags, checksums are used to verify the integrity of the packet to ensure that what was received is what was sent originally. An attacker can use alteration of this checksum to cause the IDS to not process the packet. What happens with some IDSs is that upon receipt of an invalid checksum, processing stops and the traffic passes unimpeded by the IDS without raising an alert.
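Checksum verification in an IDS, as an added example that is not from the book: the receiving host discards a TCP segment whose checksum is wrong, so an inspector that accepts such a segment (or stops processing the stream when it sees one) ends up with a different picture of the session than the host. The addresses, segments and payloads are constructed for the demo.

```python
# Added example (not the book's code): verify the TCP checksum before an IDS
# consumes a segment. Everything below is constructed in memory for the demo.
import struct

def ones_complement_sum(data):
    """RFC 1071 style 16-bit one's-complement sum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length)
    plus the segment, with the checksum field (bytes 16-17) taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def build_segment(src_ip, dst_ip, seq, payload, corrupt=False):
    """Minimal 20-byte TCP header (40000 -> 80, PSH+ACK) plus payload; with
    corrupt=True the stored checksum is deliberately off by one bit."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if corrupt:
        csum ^= 0x0001
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def checksum_ok(src_ip, dst_ip, segment):
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored

def reassemble(packets, verify):
    """Rebuild the byte stream; the first segment seen for a sequence number
    wins. With verify=True, bad-checksum segments are dropped exactly as the
    receiving host drops them; with verify=False every segment is believed."""
    kept = {}
    for src, dst, seg in packets:
        if verify and not checksum_ok(src, dst, seg):
            continue
        seq = struct.unpack("!I", seg[4:8])[0]
        kept.setdefault(seq, seg[20:])
    return b"".join(kept[s] for s in sorted(kept))

SRC = bytes([10, 0, 0, 9])     # constructed client address
DST = bytes([10, 0, 0, 80])    # constructed server address

# Constructed stream: the second segment has a bad checksum, so the host
# never uses it, but it occupies the same sequence space as the third.
PACKETS = [
    (SRC, DST, build_segment(SRC, DST, 1, b"GET /")),
    (SRC, DST, build_segment(SRC, DST, 6, b"index.html", corrupt=True)),
    (SRC, DST, build_segment(SRC, DST, 6, b"cgi-bin/phf")),
]

def host_view():
    """What the server's TCP stack actually delivers to the application."""
    return reassemble(PACKETS, verify=True)

def naive_ids_view():
    """What an IDS that skips checksum verification believes was sent."""
    return reassemble(PACKETS, verify=False)

if __name__ == "__main__":
    print("host sees :", host_view())
    print("naive IDS :", naive_ids_view())
```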

Sense of Urgency

The URG flag is used to mark data as being urgent in nature. Although it is used to indicate which information is of an urgent nature, all information that flows before it is ignored in order to process the urgent data. Some IDSs do not take this previous data into account and let it pass unimpeded, letting an attack potentially pass without hindrance.

Encryption

Some IDSs cannot process encrypted traffic and therefore will let it pass. In fact, of all the evasion techniques, encryption is one of the most effective.

Evading Firewalls

Earlier you learned what a firewall is capable of doing and the different types that exist. So how does an attacker evade these devices? A handful of techniques are available.

IP Address Spoofing

One effective way an attacker can evade a firewall is to appear as something else, such as a trusted host. Using spoofing to modify address information, the attacker can make the source of an attack appear to come from someplace else rather than the malicious party.

Source Routing

Using this technique, the sender of the packet designates the route that a packet should take through the network in such a way that the designated route should bypass the firewall node. Using this technique, the attacker can evade the firewall restrictions.

Through the use of source routing, it is entirely possible for the attacker or sender of a packet to specify the route they want it to take instead of leaving such choices up to the normal routing process. In this process the origin or source of a packet is assumed to have all the information it needs about the layout of a network and can therefore specify its own best path for getting to its destination.

By employing source routing, an attacker may be able to reach a system that would not normally be reachable. These systems could include those with private IP addresses or those that are protected under normal conditions from the Internet. The attacker may even be able to perform IP spoofing, further complicating detection and tracing of the attack by making the packet’s origin unknown or different from its actual origin.

Fortunately, the easiest way to prevent source routing is to configure routers to ignore any source routing attempts on the privately controlled network.

Fragmentation

The attacker uses the IP fragmentation technique to create extremely small fragments and force the TCP header information into the next fragment. This may result in a case where the TCP flags field is forced into the second fragment, while filters can check these flags only in the first octet. Thus the IDS ignores the TCP flags.
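The fragment-handling point made here and under Session Splicing, as an added example that is not from the book: a filter that inspects only the first fragment cannot see TCP flags pushed into the next one, whereas a filter that reassembles first (or rejects tiny first fragments, a rule in the spirit of RFC 1858) can. The fragment tuples and TCP header are constructed for the demo.

```python
# Added example (not the book's code): reassemble IP fragments, or reject
# suspicious ones, before trusting the TCP flags. Fragments are modelled as
# (offset_in_8_byte_units, more_fragments, data) tuples built here.
import struct

SYN = 0x02
# sport 40000, dport 23, seq, ack, data offset 5 words, flags=SYN, window, csum, urg
TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 23, 1000, 0, 5 << 4, SYN, 8192, 0, 0)

def fragment(payload, first_size):
    """Split a transport payload into two IP fragments. first_size must be a
    multiple of 8 because fragment offsets are counted in 8-byte units."""
    assert first_size % 8 == 0
    return [(0, True, payload[:first_size]),
            (first_size // 8, False, payload[first_size:])]

def reassemble(fragments):
    """Lay fragments out at offset*8. Returns None until the last fragment
    and every byte before it have arrived (a gap means 'incomplete')."""
    buf = bytearray()
    seen_last = False
    for off, more, data in sorted(fragments):
        if off * 8 != len(buf):
            return None
        buf += data
        seen_last = seen_last or not more
    return bytes(buf) if seen_last else None

def tcp_flags(segment):
    """Flags live in byte 13 of the TCP header; None if that byte is absent."""
    return segment[13] if len(segment) >= 14 else None

def naive_filter_blocks_syn(fragments):
    """Stateless filter that inspects only the first fragment: if the flags
    byte was pushed into a later fragment it simply cannot see a SYN."""
    first = next(d for off, _, d in fragments if off == 0)
    flags = tcp_flags(first)
    return flags is not None and bool(flags & SYN)

def reassembling_filter_blocks_syn(fragments):
    """Reassemble first, inspect second; an incomplete or header-less
    datagram is held back (reported as blocked) rather than forwarded."""
    seg = reassemble(fragments)
    if seg is None:
        return True
    flags = tcp_flags(seg)
    return flags is None or bool(flags & SYN)

def tiny_fragment_check(fragments):
    """Sanity rule in the spirit of RFC 1858: the first fragment must carry
    the whole 20-byte TCP header, and no fragment may begin at offset 1
    (byte 8, still inside that header). Returns True when the set looks sane."""
    for off, _, data in fragments:
        if off == 0 and len(data) < 20:
            return False
        if off == 1:
            return False
    return True

# Constructed cases: a normal 24-byte first fragment, and a tiny 8-byte one
# that pushes the flags byte (index 13) into the second fragment.
NORMAL = fragment(TCP_HEADER + b"login data", 24)
TINY = fragment(TCP_HEADER + b"login data", 8)

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("tiny", TINY)):
        print(name, "naive blocks SYN:", naive_filter_blocks_syn(frags),
              "reassembling blocks SYN:", reassembling_filter_blocks_syn(frags),
              "passes tiny-fragment check:", tiny_fragment_check(frags))
```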

IP Addresses to Access Websites

A mechanism that is effective in some cases at evading or bypassing a firewall is the use of an IP address in place of a URL. Since some firewalls only look at URLs instead of the actual IP address, use of the address to access a website can allow an attacker to bypass the device.

Other mechanisms that are somewhat similar to this technique are using website anonymizers and using open public proxy servers to get around the firewalls or website restrictions of a company.

Using ICMP Tunneling

Yet another method to bypass or evade a firewall is through the use of ICMP tunneling. ICMP can be used to bypass a firewall through a little-known part of the RFC 792 specification (responsible for defining the operation of ICMP). The ICMP protocol defines the format and structure of the packet, but not what the packet carries as part of its data portion. Due to this ambiguous definition of the data portion, the contents can be completely arbitrary, thus allowing for a diverse range of items to be included within the data section. This section can include information regarding applications that can open a covert channel or plant malware. The end result can be that an organization’s firewalls can be opened.

One tool that is effective at performing this type of task is Loki, which has the ability to tunnel commands within an ICMP echo packet. Other similar tools are ncovert and 007shell, both of which allow for the crafting of packets that can be used to bypass a firewall.

Using ACK Tunneling

Pursuing a variation of a theme, you can also use ACK tunneling to bypass the scrutiny of a firewall. ACK tunneling exploits the fact that some firewalls do not check packets that have the ACK bit configured. The reason for this lapse is that the ACK packet is used to respond to previous, and assumed legitimate, traffic that has already been approved.

An attacker can leverage this by sending packets with the ACK flag set using a tool such as AckCmd.
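The difference between a stateless "ACK means established" rule and the stateful multilayer inspection described under Types of Firewalls, as an added example that is not from the book: the stateful version passes an ACK-flagged packet only when it belongs to a connection it saw opened from inside. The packet records and addresses are constructed for the demo.

```python
# Added example (not the book's code): a stateless ACK rule beside a stateful
# connection-tracking filter. Packets are constructed tuples, not real traffic.
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction src sport dst dport flags")
SYN, RST, ACK = 0x02, 0x04, 0x10

def stateless_firewall(pkt):
    """Policy: anything outbound is allowed; inbound is allowed when ACK is
    set, on the assumption that it answers approved traffic (the lapse
    described above: the assumption is never checked)."""
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & ACK)

class StatefulFirewall:
    """Same policy, but inbound packets must match a connection that an
    internal host actually opened (tracked by internal host, external host,
    external port)."""
    def __init__(self):
        self.conns = set()

    def filter(self, pkt):
        if pkt.direction == "out":
            if pkt.flags & SYN and not pkt.flags & ACK:   # new outbound connection
                self.conns.add((pkt.src, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.src, pkt.sport)             # reverse of the outbound tuple
        if key not in self.conns:
            return False        # ACK bit or not, nobody inside asked for this
        if pkt.flags & RST:
            self.conns.discard(key)
        return True

def run(firewall, packets):
    """Return the per-packet decisions (True = pass) for a packet sequence."""
    return [firewall(p) for p in packets]

INSIDE, OUTSIDE, PROBER = "10.0.0.5", "203.0.113.7", "198.51.100.9"   # constructed

TRAFFIC = [
    Pkt("out", INSIDE, 40000, OUTSIDE, 443, SYN),        # client opens a session
    Pkt("in", OUTSIDE, 443, INSIDE, 40000, SYN | ACK),   # legitimate reply
    Pkt("in", PROBER, 5555, INSIDE, 22, ACK),            # unsolicited ACK-flagged packet
    Pkt("in", PROBER, 5555, INSIDE, 22, SYN),            # plain inbound SYN
]

def compare():
    stateful = StatefulFirewall()
    return {"stateless": run(stateless_firewall, TRAFFIC),
            "stateful": run(stateful.filter, TRAFFIC)}

if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```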

HTTP Tunneling

An additional variation of the tunneling method involves exploiting the HTTP protocol. This method may be one of the easiest ones to use, mainly because the HTTP protocol is already allowed through many firewalls as part of normal operation. HTTP traffic is considered normal because just about every company needs Internet access or must provide public access to resources such as web servers and web applications, so such traffic does not appear abnormal.

One tool that may be used to exploit this situation is HTTPTunnel, which uses a client-server architecture to facilitate its operation.

Testing a Firewall and IDS

With so many techniques and mechanisms at your disposal, you can now test your defensive and monitoring capabilities.

Overview of Testing a Firewall

The following are the general steps and process for testing the integrity and capability of a firewall, whether it is based on hardware or software:

  1. Footprint the target.
  2. Perform port scanning.
  3. Perform banner grabbing against open ports.
  4. Attempt firewalking.
  5. Disable trusted hosts.
  6. Perform IP address spoofing.
  7. Perform source routing.
  8. Substitute an IP address for a URL.
  9. Perform a fragmentation attack.
  10. Use an anonymizer.
  11. Make use of a proxy server to bypass a firewall.
  12. Use ICMP tunneling.
  13. Use ACK tunneling.

Overview of Testing an IDS

Much like testing a firewall, there is a general process for testing an IDS. It tends to be something like the following:

  1. Disable trusted hosts.
  2. Attempt an insertion attack.
  3. Implement evasion techniques.
  4. Perform a DoS.
  5. Use code obfuscation.
  6. Perform a false positive generation technique.
  7. Attempt a Unicode attack.
  8. Perform a fragmentation attack.

It is important for you to remember that not every attack will work when testing a firewall or IDS, but you should still log the results and make note of the way the devices respond. When testing is completed, compare and analyze the results to see if you can determine any patterns or behavior that may indicate the nature of the environment or vulnerabilities present.

Summary

In this chapter we looked at firewalls, IDSs, and honeypots as mechanisms used to defend a network as well as something to evade as an attacker. You saw that the problem is that whereas many attacks are effective at getting information, they can be thwarted by using any of the systems we have covered. In fact, today’s networks and environments employ a range of defensive and detective measures designed to deal with such attacks.

Today’s corporations use many defensive measures, each with its own way of putting a stop to attacks. Systems such as intrusion detection systems, intrusion prevention systems, firewalls, honeypots, and others form very potent adversaries and obstacles to your activities. Although these devices are formidable they are not insurmountable, so you must first learn how they work and then see what you can do to overcome the obstacles or just get around them altogether.

Exam Essentials

Understand the different types of firewalls. Know that not all firewalls are the same and that each operates a little differently. For example, packet filtering firewalls work at the network level and are commonly found embedded in routers, whereas stateful firewalls are devices unto themselves.

Know the differences between HIDSs and NIDSs. Understand that an HIDS and an NIDS are not the same and do not monitor the same type of activity. An NIDS monitors traffic on a network, but diminishes in effectiveness where a host is concerned. An HIDS has diminishing capability outside of a specific host.

Understand the role of a honeypot. A honeypot is a tool used to attract an attacker for the purpose of research, acting as a decoy, or to gain intelligence as to what types of attacks you may be facing and how well your defenses are working.

Review Questions

  1. An HIDS is used to monitor activity on which of the following?

    1. Network
    2. Application
    3. Log file
    4. Host
  2. Which of the following can be used to identify a firewall?

    1. Search engines
    2. E-mail
    3. Port scanning
    4. Google hacking
  3. An NIDS is based on technology similar to which of the following:

    1. Packet sniffing
    2. Privilege escalation
    3. Enumeration
    4. Backdoor
  4. Which of the following can be used to evade an IDS?

    1. Packet sniffing
    2. Port scanning
    3. Enumeration
    4. Encryption
  5. Altering a checksum of a packet can be used to do what?

    1. Send an RST
    2. Send a URG
    3. Reset a connection
    4. Evade an NIDS
  6. Firewalking is done to accomplish which of the following?

    1. Find the configuration of an NIDS
    2. Find the configuration of an HIDS
    3. Uncover a honeypot
    4. Analyze a firewall
  7. An attacker can use _________ to find information about a firewall.

    1. Banner grabbing
    2. Backdoors
    3. Packet mapping
    4. NNTP
  8. A _________ is used to attack an IDS.

    1. NULL session
    2. DoS
    3. Shellcode
    4. Port scan
  9. Which of the following uses a database of known attacks?

    1. Signature file
    2. Anomaly
    3. Behavior
    4. Shellcode
  10. An anomaly-based NIDS is designed to look for what?

    1. Patterns of known attacks
    2. Deviations from known traffic patterns
    3. Log alterations
    4. False positives
  11. A multihomed firewall has a minimum of how many network connections?

    1. 2
    2. 3
    3. 4
    4. 5
  12. A DMZ is created with which of the following?

    1. A firewall and a router
    2. A multihomed firewall
    3. Two routers
    4. A multihomed router
  13. A firewall is used to separate which of the following?

    1. Networks
    2. Hosts
    3. Permissions
    4. ACL
  14. SMTP is used to perform which function?

    1. Monitor network equipment
    2. Transmit status information
    3. Send e-mail messages
    4. Transfer files
  15. Which ports does SNMP use to function?

    1. 160 and 161
    2. 160 and 162
    3. 389 and 160
    4. 161 and 162
  16. HTTP is typically open on which port in a firewall?

    1. 25
    2. 443
    3. 80
    4. 110
  17. What is a system used as a chokepoint for traffic?

    1. IDS
    2. DMZ
    3. Bastion host
    4. SNMP host
  18. At which layer of the OSI model does a packet filtering firewall work?

    1. 1
    2. 2
    3. 3
    4. 4
  19. What type of firewall analyzes the status of traffic?

    1. Circuit level
    2. Packet filtering
    3. Stateful inspection
    4. NIDS
  20. What can be used instead of a URL to evade some firewalls?

    1. IP address
    2. Encryption
    3. Stateful inspection
    4. NIDS