Explain the Types of IDS and IDP Systems and Provide Some Examples of Each.

This is always a good start to the IDP portion of the interview because it gets immediately to the heart of the IDS/IDP debate. Network security hardware and software vendors have confused many network professionals with markets and submarkets of intrusion detection. Originally, there was just “intrusion detection.” The systems (also called sensors) were either network-based, known as a network IDS (NIDS), or host-based, known as a host IDS (HIDS). The early systems simply tapped into the network at switches with monitored/mirrored (SPAN) ports.

The term IDS is now considered a first-generation term. Today, many vendors distinguish detection from prevention. Detection means passive monitoring that alerts on an attack after it has been seen; prevention means active monitoring that also blocks it. With the term prevention came new acronyms: NIPS (network IPS) and HIPS (host IPS). Vendors like to call detection reactive and prevention proactive. An IPS device can detect as well as prevent attacks, using a response mechanism (for example, sending TCP resets or telling a firewall to block the source) when deployed on a tap or SPAN port, or a blocking mechanism (dropping the packet before it is forwarded) when deployed inline. Only the inline deployment can stop the first malicious packet; a tap-based response reacts after the packet has already reached its destination. IPS is more of a second-generation term. Many equate an IDS to a burglar alarm: network sensors detect an intrusion much the way a door or window sensor detects unwanted entry, and the home sensors alert the alarm company or sound a siren. An IPS is a way to prevent attacks from penetrating the network. Some vendors, and even NIST, have gone so far as to use the acronym IDP (Intrusion Detection and Prevention) to cover both IDS and IPS functionality. Throughout this chapter, we continue to use IDP to represent both IDS and IPS systems.

VPN Interview Q&A

The following questions provide an idea of some of the types of questions you should be able to answer.

Q: How many messages are exchanged during Phase I Aggressive mode, and would you recommend it for a site-to-site VPN?
A: Three, and no: with only three messages there is no encrypted channel yet when the identities are sent, so the identity of the peer is exposed in the clear.

Q: What are some issues related to deploying IPsec with ESP across the network?
A: In tunnel mode, ESP wraps the original packet in a new outer IP header plus the ESP header and trailer, so each packet grows by several dozen bytes and a full-size packet can exceed the path MTU. In many vendor implementations the outer packet is marked Do Not Fragment (DF), so an oversized packet is dropped rather than fragmented. You need either working Path MTU Discovery (the ICMP Fragmentation Needed messages must not be filtered along the path) or a vendor-specific feature such as TCP MSS clamping to reduce the MSS so that full-size segments still fit inside the tunnel.

Q: Please explain how you can identify which type of IPsec security protocol and mode are used with only a packet sniffer.
A: In the IP header, the Protocol field tells you the security protocol: ESP is IP protocol 50 and AH is IP protocol 51. The mode is revealed by the Next Header field: a value of 4 (IPv4) or 41 (IPv6) means tunnel mode, because the protected payload is an entire IP packet, whereas a transport-layer value such as 6 (TCP) or 17 (UDP) means transport mode. With AH the Next Header field sits in the cleartext AH header, so a sniffer reads it directly. With ESP it is part of the encrypted trailer, so it is only readable when ESP uses null encryption; otherwise you can only infer the mode from context, for example from packet sizes or from the outer addresses being the two gateways rather than the end hosts.

Q: What protocols are required to pass through the edge of your network to an IPsec appliance running ESP with IKE?
A: ESP is IP protocol 50, and IKE traditionally operates over UDP port 500. If NAT Traversal is used, UDP port 4500 carries both IKE and the UDP-encapsulated ESP packets, so in that case UDP 500 and UDP 4500 must be permitted.

Q: Describe the purpose of a Security Association (SA) and the minimum number needed to establish a VPN tunnel with a remote peer using only ESP in tunnel mode.
A: An SA is a unidirectional set of parameters (security protocol, algorithms, keys, SPI, and lifetime) used to establish a secure communication channel with a far-end gateway or host. Because each SA covers one direction, a minimum of two IPsec SAs, one inbound and one outbound, is required for bidirectional communication with the far-end peer; the IKE SA used to negotiate them is separate.

Q: What is the minimum number of parameters needed to uniquely identify a Security Association?
A: Three: the SPI, the destination IP address, and the security protocol used (ESP or AH). The SPI is chosen by the receiving peer, so the same SPI value can legitimately appear on SAs to different destinations or for different protocols.
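As an added example, not from the original text, the following Python script applies the three answers above to constructed packets: it reads the IP Protocol field to tell ESP from AH, extracts the SPI, reads the AH Next Header to decide transport versus tunnel mode, notes that ESP hides that field inside the encrypted trailer, recognises IKE on UDP 500 and NAT-T traffic on UDP 4500, and builds the (destination address, SPI, protocol) triple that identifies the SA. The sample packets, addresses and SPI values are constructed here for illustration, not captured traffic.

```python
"""Identify IPsec traffic from raw IPv4 packets: protocol, SPI, mode and SA selector.

Added example; the sample packets are constructed inline, not captured traffic.
"""
import struct
from ipaddress import IPv4Address

ESP, AH, UDP, TCP, IPIP = 50, 51, 17, 6, 4
IKE_PORT, NATT_PORT = 500, 4500


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options (checksum left zero; it is not parsed here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def ah_header(next_header, spi, seq, icv):
    # RFC 4302: Payload Len is the AH length in 32-bit words minus 2; Next Header is in the clear
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def esp_header(spi, seq, encrypted_body):
    # RFC 4303: only SPI and sequence number are in the clear; Next Header is in the
    # encrypted trailer, so a sniffer cannot read it
    return struct.pack("!II", spi, seq) + encrypted_body


def udp_header(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Return what a packet sniffer can tell about one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    info = {"src": src, "dst": dst}
    if proto == AH:
        next_header, spi = body[0], struct.unpack("!I", body[4:8])[0]
        # Next Header 4 (IPv4) or 41 (IPv6) means the payload is a whole IP packet: tunnel mode
        info.update(protocol="AH", spi=spi, sa=(dst, spi, "AH"),
                    mode="tunnel" if next_header in (4, 41) else "transport")
    elif proto == ESP:
        spi = struct.unpack("!I", body[:4])[0]
        info.update(protocol="ESP", spi=spi, sa=(dst, spi, "ESP"),
                    mode="unknown (next header is encrypted)")
    elif proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if dport == IKE_PORT:
            info.update(protocol="IKE", port=dport)
        elif dport == NATT_PORT:
            # RFC 3948: a zero 4-byte "non-ESP marker" means IKE; otherwise the bytes are an ESP SPI
            if data[:4] == b"\x00\x00\x00\x00":
                info.update(protocol="IKE (NAT-T)", port=dport)
            else:
                spi = struct.unpack("!I", data[:4])[0]
                info.update(protocol="ESP-in-UDP (NAT-T)", spi=spi, sa=(dst, spi, "ESP"),
                            mode="unknown (next header is encrypted)")
        else:
            info.update(protocol=f"UDP/{dport}")
    else:
        info.update(protocol=f"IP proto {proto}")
    return info


# Constructed samples between two hypothetical gateways (not captured traffic)
GW_A, GW_B = "198.51.100.1", "203.0.113.1"
SAMPLES = {
    "ah_transport": build_ipv4(GW_A, GW_B, AH, ah_header(TCP, 0x1000, 1, b"\x11" * 12) + b"\x00" * 20),
    "ah_tunnel": build_ipv4(GW_A, GW_B, AH, ah_header(IPIP, 0x1001, 1, b"\x22" * 12) + b"\x45" + b"\x00" * 19),
    "esp": build_ipv4(GW_A, GW_B, ESP, esp_header(0x2000, 7, b"\xAB" * 48)),
    "ike": build_ipv4(GW_A, GW_B, UDP, udp_header(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "esp_natt": build_ipv4(GW_A, GW_B, UDP, udp_header(NATT_PORT, NATT_PORT, esp_header(0x3000, 2, b"\xCD" * 32))),
    "ike_natt": build_ipv4(GW_A, GW_B, UDP, udp_header(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x00" * 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} {classify(pkt)}")
```

The `sa` triple is what a receiving gateway uses to look up the inbound SA; note that for the NAT-T case the triple still uses the ESP SPI even though the packet arrives as UDP.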

Q: Please describe some of the resources you have used to evaluate and select an IPsec platform.
A: Depending on the business requirements (and any applicable government regulations, such as FIPS 140-2), I would create a short list of vendors from sources such as Gartner and Forrester, because they review financials and customer support issues that may be difficult to confirm in a lab. Continuing to work against business requirements, I would review the IPsec vendor list from ICSA Labs (“Google ICSA Labs IPsec Certified”) if there are interoperability requirements with other vendors or a planned migration. I would reference NIST’s Common Criteria Evaluation and Validation Scheme (CCEVS) to reduce my short list to a “very” short list. FIPS 140-2 evaluates the vendor’s cryptographic implementation for adherence to the standard, and selecting a vendor that meets or exceeds this standard can further reduce your short list. I would also reference the VPN Consortium to review any vendor-specific enhancements or interoperability issues. Finally, I would bring in the top three vendors that meet the stated business requirements, and work with the gear

Symmetric Key Cryptography

Symmetric key encryption uses a reversible encryption algorithm to provide confidentiality of data: the sender and receiver of the sensitive data share a single secret key. The sender feeds the secret key and the data into one of a number of symmetric key algorithms to turn the plaintext into ciphertext, and the receiver uses the exact same secret key and algorithm to turn the ciphertext back into plaintext. If Alice and Bob, to use the classic crypto characters, are sitting on different floors of the same building, then securely exchanging the secret key may not pose a risk. There is still the question of how each party stores the key, so compromise may still be an issue. However, if Alice is in Virginia and Bob is on vacation in Singapore, then exchanging the secret key securely presents a real problem and opens the door to compromise of the key. This key-distribution problem is what key-exchange protocols such as IKE exist to solve.

At the time of writing there were three NIST-approved symmetric ciphers. The newest addition to the list, the Advanced Encryption Standard (AES), was added in November 2001 as FIPS 197. The White House Office of Management and Budget (OMB), responsible for the OMB circulars, delivered a notice shortly after NIST released AES stating that the new encryption method is expected to be valid for the next 20 to 30 years. NIST has stated that it will review AES every five years for continued use.

Symmetric ciphers are divided into stream and block ciphers. A block cipher transforms fixed-size chunks of data (16-byte blocks in the case of AES), so the plaintext must be padded to a multiple of the block size and a mode of operation is needed to chain the blocks together. A stream cipher generates a keystream from the key and combines it with the data serially, typically one bit or one byte at a time, so it needs no padding.

The two protocols we discuss in this chapter are block ciphers, so we focus our discussion on block ciphers only. For more information on stream ciphers, Google “stream cipher.” One of the most widely deployed stream ciphers is RC4, which is the cipher used by WEP, the encryption defined in the original IEEE 802.11 standard. WEP’s successor, WPA, keeps RC4 but wraps it in the Temporal Key Integrity Protocol (TKIP), which uses per-packet key mixing to work around the key-scheduling weakness that made WEP keys recoverable. IEEE 802.11i (marketed as WPA2) replaces RC4 with CCMP, an AES-based protocol. At the time this was written, a browser also commonly negotiated RC4 when connecting to sites over SSL; RC4 has since been broken badly enough that RFC 7465 prohibits it in TLS, and it should not be used in any new design.
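The following Python example is added here and is not from the original text. A pure-Python RC4, the stream cipher named above, shows the byte-at-a-time XOR structure of a stream cipher, checks itself against the published RC4 test vectors, and then demonstrates why a stream cipher keystream must never be reused under the same key and IV, which is the property that WEP’s 24-bit IV construction ends up violating once IVs repeat. The IV, secret and messages are made up for the demonstration.

```python
"""Stream cipher demonstration with RC4, the cipher the text names for WEP and SSL.

Added example: pure-Python RC4 so the block runs offline. RC4 is broken; never use
it in a new design. The IV, secret and messages below are constructed for the demo.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling algorithm (KSA) followed by the keystream generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: key-dependent permutation of 0..255
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """A stream cipher works serially: data XOR keystream, any length, no padding.
    The same call decrypts, because XOR is its own inverse."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_style_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP forms the per-packet RC4 key as a 24-bit IV (sent in the clear) prepended
    to the shared secret. Reusing an IV therefore reuses the entire keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return rc4(iv + secret, plaintext)


def recover_with_known_plaintext(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under one keystream satisfy ct1 XOR ct2 == pt1 XOR pt2. With pt1
    known (protocol headers are predictable) the attacker reads pt2 without the key."""
    return xor_bytes(xor_bytes(ct1, ct2), known_pt1)


def demo():
    # Published RC4 test vector: key "Key", plaintext "Plaintext"
    vector_ok = rc4(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")
    iv, secret = b"\x01\x02\x03", b"\x0a\x0b\x0c\x0d\x0e"         # constructed values
    pt1, pt2 = b"GET /index.html HTTP/1.1", b"POST /login.cgi HTTP/1.1"
    ct1 = wep_style_encrypt(iv, secret, pt1)
    ct2 = wep_style_encrypt(iv, secret, pt2)                      # same IV: keystream reuse
    recovered = recover_with_known_plaintext(ct1, pt1, ct2)
    return vector_ok, recovered == pt2


if __name__ == "__main__":
    vector_ok, recovered_ok = demo()
    print("RC4 test vector matches:", vector_ok)
    print("second packet recovered from IV reuse:", recovered_ok)
```

The attack needs no knowledge of the secret at all; it is a property of any stream cipher (including a block cipher run in a keystream mode such as CTR), which is why nonce management matters as much as key management.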

Firewall Interview Q&A

Q: What is a packet filter firewall?
A: A packet filter firewall inspects traffic one packet at a time, judging each packet solely on its own header fields. It has no notion of a flow or session, so it cannot tell a legitimate reply from a packet that merely looks like one. Packet filters can match on the simple source and destination IP addresses up to and including specific protocol flags such as TCP SYN and FIN, depending on the vendor’s implementation.

Q: What is stateful inspection?
A: In stateful inspection, the firewall inspects traffic based upon the state of the connection. It records each permitted connection in a state table and is aware of the beginning (the SYN handshake), middle, and end (FIN or RST) of a connection, so return traffic is admitted only when it matches an existing entry. If a packet arrives that does not fit the recorded state, for example an ACK or SYN/ACK with no prior SYN, the firewall detects it and drops it.
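To make the packet filter versus stateful distinction concrete, here is an added Python model (not code from the original text) that runs one constructed TCP exchange through a stateless rule set and through a small connection-table firewall. The stateless rules admit any inbound packet carrying the ACK flag, the classic way of approximating “established” traffic, so a forged ACK aimed at an internal host’s port 445 gets through; the stateful tracker admits inbound packets only when they match a flow the LAN opened and are in the expected state. Addresses and the flow are hypothetical.

```python
"""Packet filter versus stateful inspection on one constructed TCP exchange.

Added example; addresses and the traffic are hypothetical.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
LAN_PREFIX = "10.0.0."            # hypothetical internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str                # "out" = LAN to Internet, "in" = Internet to LAN


def packet_filter(pkt: Packet) -> bool:
    """Stateless rules: every packet is judged on its own header fields.
    Rule 1: LAN hosts may open connections to TCP/80.
    Rule 2: inbound packets carrying ACK are assumed to be replies ("established")."""
    if pkt.direction == "out" and pkt.src.startswith(LAN_PREFIX) and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.flags & ACK:
        return True
    return False


class StatefulFirewall:
    """Connection table keyed on the 4-tuple; inbound traffic needs a LAN-opened flow."""

    def __init__(self):
        self.flows = {}           # (client, cport, server, sport) -> {"state": str, "fin": set}

    @staticmethod
    def _key(pkt):
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt: Packet):
        """Return (permit, reason) and update the table."""
        key = self._key(pkt)
        flow = self.flows.get(key)
        if flow is None:
            # Only a policy-permitted SYN from the LAN creates a flow
            if (pkt.direction == "out" and (pkt.flags & (SYN | ACK)) == SYN
                    and pkt.src.startswith(LAN_PREFIX) and pkt.dport == 80):
                self.flows[key] = {"state": "SYN_SENT", "fin": set()}
                return True, "new flow"
            return False, "no matching flow"
        if pkt.flags & RST:
            del self.flows[key]
            return True, "reset, flow removed"
        if flow["state"] == "SYN_SENT":
            if pkt.direction == "out" and (pkt.flags & (SYN | ACK)) == SYN:
                return True, "SYN retransmit"
            if pkt.direction == "in" and (pkt.flags & (SYN | ACK)) == (SYN | ACK):
                flow["state"] = "ESTABLISHED"
                return True, "handshake reply"
            return False, "out of state: expected SYN/ACK"
        if not pkt.flags & ACK:                 # every later segment must carry ACK
            return False, "out of state: ACK missing"
        if pkt.flags & FIN:
            flow["fin"].add(pkt.direction)
            if len(flow["fin"]) == 2:           # both sides closed (sequence tracking omitted)
                del self.flows[key]
                return True, "closed, flow removed"
            flow["state"] = "CLOSING"
        return True, flow["state"].lower()


CLIENT, WEB, ATTACKER = "10.0.0.5", "93.184.216.34", "192.0.2.9"
SCENARIO = [
    ("client SYN", Packet(CLIENT, 40000, WEB, 80, SYN, "out")),
    ("server SYN/ACK", Packet(WEB, 80, CLIENT, 40000, SYN | ACK, "in")),
    ("client ACK", Packet(CLIENT, 40000, WEB, 80, ACK, "out")),
    ("server data", Packet(WEB, 80, CLIENT, 40000, ACK, "in")),
    ("forged ACK to SMB", Packet(ATTACKER, 80, CLIENT, 445, ACK, "in")),   # no flow exists
    ("client FIN", Packet(CLIENT, 40000, WEB, 80, FIN | ACK, "out")),
    ("server FIN", Packet(WEB, 80, CLIENT, 40000, FIN | ACK, "in")),
    ("late segment", Packet(WEB, 80, CLIENT, 40000, ACK, "in")),          # flow already closed
]


def run(scenario):
    """Return [(name, packet-filter verdict, stateful verdict)] for a packet sequence."""
    fw = StatefulFirewall()
    return [(name, packet_filter(p), fw.check(p)[0]) for name, p in scenario]


if __name__ == "__main__":
    for name, pf, sf in run(SCENARIO):
        print(f"{name:18} packet filter={'permit' if pf else 'deny':6} stateful={'permit' if sf else 'deny'}")
```

The two verdicts differ only on the forged ACK and the late segment, which is exactly the gap stateful inspection closes; a real implementation also tracks sequence numbers, window sizes and idle timers, which this model omits.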

Q: What is an application proxy firewall?
A: An application proxy firewall proxies every connection that attempts to go through the firewall. The client’s request is always proxied to the server, and the server’s response is proxied back to the client. This allows the proxy to completely inspect the connection.

Q: What does the term DMZ stand for?
A: This stands for demilitarized zone. It is a segmented network, separate from the internal LAN, on which externally reachable services are placed, with a firewall controlling access both from the Internet into the DMZ and from the DMZ into the internal network.

Q: Why would you want a high-availability firewall deployment in your network?
A: Because a firewall is often placed at a critical point in your network. If it were to fail, you would lose access to critical resources such as Internet access.

Q: What are the characteristics of an appliance firewall?
A: An appliance-based firewall is a device that is built for a specific purpose. The purpose in this case is to be a firewall.

Q: What is NAT?
A: NAT stands for Network Address Translation. With NAT, a packet has either the source or destination IP address modified as it passes through a firewall.

Q: What is Unified Threat Management?
A: Unified Threat Management, or UTM, is a collection of technologies that are bundled together on one device to block threats on the network. These technologies include deep-packet inspection, antivirus, antispam, and URL filtering.

Q: What are the main configuration components in a firewall?
A: The firewall’s configuration (networking/routing), the firewall policy (the rules that restrict traffic through the device), and the firewall’s objects (the named components, such as addresses and services, used when building the policy).

Q: What is a secure router?
A: A secure router is a device that couples the features of a router and a firewall, including the use of WAN interfaces, firewall services, and, often, a UTM feature set.

Q: What company was the first to implement firewall technologies?
A: Cisco Systems originally implemented firewall features in the form of packet filters on routers.

Q: Who are the three market leaders in the firewall technology space?
A: Cisco, Check Point, and Juniper Networks are the three market leaders. Cisco is the number one leader in firewall appliances. Check Point is the market leader in software-based firewalls. Juniper Networks is in second place behind Cisco for firewall appliances.

Q: What was Check Point’s most important impact on the firewall market?
A: The creation of an easy-to-use central management tool. This tool contained easy-to-use GUIs and still sets the bar for user interfaces today.

Q: What is the most basic deployment for a firewall?
A: The most basic deployment for a firewall is placing a firewall between an untrusted network, such as the Internet, and the local area network. This placement limits the access that the Internet has to the local area network. The local area network has important services that should not be Internet accessible. These services include file servers and e-mail servers.

Q: Can you list the three core firewall technologies?
A: Packet filter, stateful inspection, and application proxies are the core firewall technologies.

Q: What are three technologies you can find in the UTM feature set?
A: Antivirus inspection, antispam, and deep-packet inspection. Antivirus technologies often focus on the inspection of Web and e-mail traffic.

Unified Threat Management Firewall

Unified Threat Management (UTM) is a new term in the firewall industry; in fact, UTM is the hottest buzzword in the industry today. The term describes the combination of several security technologies on one device. The typical UTM technologies are the following: stateful firewall, IPS, antivirus, antispyware, antiphishing, anti-adware, antispam, and Web filtering. This feature set is typically included on a firewall that employs stateful inspection as its core technology, and it is used in lower-speed deployments of a gigabit per second of throughput or less.

UTM increases the security of a stateful firewall by adding different layers of inspection while still maintaining the throughput that is one of the important benefits of stateful inspection. The Intrusion Prevention System functions implemented in UTM are usually subsets of full-blown IPS features. This form of IPS was formerly known as Deep Inspection or Deep Packet Inspection. The IPS feature looks for specific attacks inside flows. These attacks are usually divided into categories of severity, and the IPS component is usually deployed to stop the most critical attacks that are active threats, such as worms. A discussion of the IPS features of UTM can be found at www.securityfocus.com/infocus/1716.

Network-based antivirus technology is often limited to a small set of protocols, the ones in which viruses are most commonly found, such as HyperText Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3). Anti-x features (antispyware, anti-adware, and antispam) block, or at least limit, the amount of incoming spyware, adware, and spam. These features can be developed by the firewall vendor or by partners. As with the antivirus products, they are applied only to specific protocols, such as mail protocols in the case of antispam, so traffic on other ports, or inside an encrypted session the firewall does not terminate, is not inspected.

Web filtering allows you to block Web sites that are inappropriate for your organization. By including filtering on the firewall, you reduce the number of devices that need to be managed in your environment.

The features of integrated Web filtering can be limited compared with a full installation of a filtering product. Often, Web filtering is done by partnering with a major player such as Websense or SurfControl.

UTM features are often best deployed in low-throughput environments with low user counts. Over the years, performance of such features has become much better. In the past you would never want to deploy these features in environments with more than 50 people; today, however, many products can support several hundred users. UTM is a great technology to add to your environment, and the future for it looks bright.

Intrusion Prevention System (IPS) technologies have been deployed on stand-alone devices in the past. Today, however, you can run a complete IPS on your firewall, usually by combining stateful firewall technology with an IPS engine. Throughput depends on the implementation. Some vendors dedicate specific hardware resources to IPS inspection; these devices have the highest throughput, much more than a completely software-based implementation. This IPS deployment differs from UTM because it is much more feature rich and supports more protocols: a typical UTM deployment consists of a couple hundred signatures and supports about a dozen protocols, whereas a true IPS deployment consists of several thousand signatures and 40 or more protocols. A signature is a specific pattern, or combination of patterns, that matches an attack. The inclusion of IPS on firewalls gives stateful firewalls much of the application-layer visibility that an application proxy provides, yet at incredibly fast, multigigabit speeds.

You can find a more in-depth discussion of IPS at www.securityfocus.com/infocus/1670.

Network Address Translation

Network Address Translation (NAT) is a technology that allows you to change one IP address into another as a packet passes through a firewall. This can be done to the source IP, the destination IP, or both. NAT gives you the ability to do several different things, the first being the ability to hide your network’s IP address range, obfuscating what its true addresses are. You can use a set of nonroutable IP addresses for your private network; these typically come from the Request For Comments (RFC) 1918 address set (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Because these addresses are not routable on the Internet, you need to hide them behind public IP addresses.

Most organizations do not have the ability to provide one public IP address for each private IP address. In these cases, a combination of NAT and Port Address Translation (PAT) is used. PAT swaps the source port of the packet to a higher port and then uses a single IP address to hide many internal IP addresses behind. The firewall tracks the connection by mapping the original source port to the new PAT port. Doing so allows it to know which connection belongs to which internal IP.
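As an added example (not part of the original text), the Python class below implements the translation table described above: outbound packets from RFC 1918 hosts are rewritten to one public address and an allocated port, inbound replies are mapped back by the allocated port and the remote peer, unsolicited inbound packets find no mapping and are dropped, and a static destination translation publishes a DMZ server. Addresses and ports are constructed for illustration; real products also age entries out and differ in whether a mapping can be reused with other peers.

```python
"""NAT/PAT translation table: many private hosts behind one public address.

Added example with constructed addresses; not a vendor implementation.
"""
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    """Port Address Translation for TCP/UDP-style 4-tuples."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.port_pool = itertools.count(first_port)   # no reuse or aging in this model
        self.outbound_map = {}   # (priv ip, priv port, remote ip, remote port) -> public port
        self.inbound_map = {}    # (public port, remote ip, remote port) -> (priv ip, priv port)
        self.static_dnat = {}    # public port -> (inside ip, inside port)

    def publish(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static destination NAT: expose an internal (DMZ) service on the public address."""
        self.static_dnat[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, pkt: Pkt) -> Pkt:
        """Source NAT plus PAT: rewrite the private source to the public IP and an allocated port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            port = next(self.port_pool)
            while port in self.static_dnat:      # never hand out a published port
                port = next(self.port_pool)
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def translate_inbound(self, pkt: Pkt):
        """Reverse the translation for a reply, or apply static DNAT; None means drop."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.static_dnat:
            inside_ip, inside_port = self.static_dnat[pkt.dport]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        # The remote endpoint is part of the lookup, so a packet from a different
        # peer to the same public port does not reach the internal host
        inside = self.inbound_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None                          # unsolicited packet: no mapping, dropped
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo():
    """Two hosts using the same source port, their replies, a stray packet and a published server."""
    pat = Pat("198.51.100.1")                    # constructed public address
    pat.publish(80, "192.168.1.10", 80)          # hypothetical DMZ web server
    a = pat.translate_outbound(Pkt("10.0.0.5", 40000, "93.184.216.34", 80))
    b = pat.translate_outbound(Pkt("10.0.0.7", 40000, "93.184.216.34", 80))   # same source port
    reply_a = pat.translate_inbound(Pkt("93.184.216.34", 80, "198.51.100.1", a.sport))
    reply_b = pat.translate_inbound(Pkt("93.184.216.34", 80, "198.51.100.1", b.sport))
    stray = pat.translate_inbound(Pkt("192.0.2.9", 4444, "198.51.100.1", a.sport))   # wrong peer
    web = pat.translate_inbound(Pkt("192.0.2.9", 51000, "198.51.100.1", 80))
    return a, b, reply_a, reply_b, stray, web


if __name__ == "__main__":
    for label, p in zip(("host A out", "host B out", "reply A", "reply B", "stray", "to DMZ"), demo()):
        print(f"{label:11} {p}")
```

Because both internal hosts chose source port 40000, the port rewrite is what keeps their replies apart; the firewall's state for a PAT session is therefore the same kind of table a stateful firewall keeps, and the two functions are usually implemented together.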
To read more about NAT, go to www.tcpipguide.com and search for NAT. You can find a more indepth discussion there.

Virtual Private Networks

A Virtual Private Network (VPN) is created by employing a protocol that allows packets to be transported between two endpoints yet appear to be part of the same network. You can create a VPN using one of several protocols, such as Multiprotocol Label Switching (MPLS), IPsec, or Generic Routing Encapsulation (GRE). Note that MPLS and GRE provide separation and encapsulation only; of the three, only IPsec encrypts and authenticates the traffic. Most firewalls create VPNs using IPsec, a protocol suite that enables the secure transport of traffic between two endpoints, and most firewall products on the market today allow for the creation of IPsec VPNs.

Application Proxy Firewall

An application proxy is the most secure firewall technology on the market today. An application proxy firewall operates as a middleman for every connection that attempts to pass through it. As the technology’s name suggests, this type of firewall proxies an application’s connection. When a client attempts to make a connection through the firewall, the firewall terminates that connection at itself, then opens and initiates a separate connection to the destination host on behalf of the client. All the data can be inspected by the application proxy firewall as it passes between the client-to-proxy connection and the proxy-to-server connection.

This separation, plus the capability to inspect all the data, is why the application proxy firewall is the most secure. The firewall must have a protocol decoder built in for each of the supported protocols. If it doesn’t, it is still possible to support any protocol with a generic proxy. A generic proxy, however, does not provide the same level of inspection as a custom protocol decoder: it can still proxy a connection, but it is unable to understand the application inside the connection.

The application proxy must open a connection for each session passing through the firewall, which takes a great amount of work on the firewall’s part. The slower performance that results from managing so many connections has led to the general disuse of this technology as the main firewall for an organization.

However, many companies still use application proxy firewalls in limited-use scenarios and for environments in which performance isn’t a factor.
Application proxy firewalls are most commonly used for providing Web-based services. This use includes an authenticated proxy for monitoring outbound Web access and application accelerator products. Application accelerator products sit in front of the Web servers and proxy connections while also providing SSL acceleration and content compression.

The two most notable vendors providing application proxy firewalls today are Microsoft and Secure Computing. Microsoft uses proxy technology in its Internet Security and Acceleration Server (ISA) product. The ISA server, although not used as a main firewall device, is still highly popular in Microsoft-focused organizations. Secure Computing’s Sidewinder G2 firewall is also a widely deployed product. Secure Computing purchased the Gauntlet firewall in 2002. Gauntlet was the most popular application proxy firewall during the peak usage of the application proxy technology.

You can read more about ISA server at www.microsoft.com/isaserver/.

You can find more information about Secure Computing and the Sidewinder G2 firewall at www.securecomputing.com.