Saturday 14 January 2012

network security (10)


10. Firewalls & Intrusion Detection Systems

January-2004 [18]

1.
e) What is a firewall? State briefly how it works. [4]
g) With the possibility of inside attack, where should IDS devices be located? [4]
6.
c) What is the difference between an IDS and a firewall? [4]
ans :-- A firewall is hardware and/or software that functions in a networked environment to block unauthorized access while permitting authorized communications. A firewall is a device and/or software that stands between a local network and the Internet and filters traffic that might be harmful.
An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion attempts against the network.
We can think of a firewall as security personnel at the gate and an IDS as a security camera behind the gate. A firewall can block a connection, while an Intrusion Detection System (IDS) cannot. An IDS alerts the security administrator to any intrusion attempt.
However, an Intrusion Detection and Prevention System (IDPS) can block a connection if it finds that the connection is an intrusion attempt.
Although computers have essentially become a common household item these days, not many of us are aware of all the security requirements advised for our computer systems. Two common security items in popular use are firewalls, both software and hardware, and software intrusion detection systems (IDS).
To understand the difference between firewalls and IDS, imagine that you keep a lot of valuables in your home and wish to protect them. What do you do? You set barriers such as gates at the entrance and also install home security systems like security alarms. We can relate locked gates to firewalls and security alarms to intrusion detection systems.
An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, while a firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

7. Write short notes on the following:
c) Proxy Firewall. [6]

July-2004 [18]

5.
c) What are the different components of an IDS? Explain the different types of IDS. [5]
ans:-
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.

Terminology

  • Alert/Alarm: A signal suggesting that a system has been or is being attacked.
  • True Positive: A legitimate attack which triggers an IDS to produce an alarm.
  • False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
  • False Negative: A failure of an IDS to detect an actual attack.
  • True Negative: When no attack has taken place and no alarm is raised.
  • Noise: Data or interference that can trigger a false positive.
  • Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
  • Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
  • Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
  • Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
  • Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
  • Masquerader: A user who is not authorized to use a system but tries to access its information as if they were an authorized user. They are generally outside users.
  • Misfeasor: They are commonly internal users and can be of two types:
    1. An authorized user with limited permissions.
    2. A user with full permissions and who misuses their powers.
  • Clandestine user: A user who obtains supervisory control of a system and uses those privileges to avoid being detected or audited.

Types

For the purpose of dealing with IT, there are two main types of IDS:

Network intrusion detection system (NIDS)

A NIDS is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.

Host-based intrusion detection system (HIDS)

A HIDS consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.

Stack-based intrusion detection system

This type of system is an evolution of the HIDS. Packets are examined as they pass through the host's TCP/IP stack, so it is not necessary for the sensor to put the network interface into promiscuous mode. This makes its implementation dependent on the operating system in use.
Intrusion detection systems can also be system-specific using custom tools and honeypots.

Passive and/or reactive systems

In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator, i.e. for systems that both detect (alert) and prevent.

Comparison with firewalls

Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

Statistical anomaly and signature based IDSes

All Intrusion Detection Systems use one of two detection techniques:

Statistical anomaly-based IDS

A statistical anomaly-based IDS determines what normal network activity looks like, such as what sort of bandwidth is generally used, which protocols are used, and which ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected that is anomalous (not normal).

Signature-based IDS

A signature-based IDS monitors packets on the network and compares them with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and a signature for detecting it being applied to the IDS. During this lag time the IDS will be unable to identify the threat.

Limitations

  • Noise can severely limit an Intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
  • It is not uncommon for the number of real attacks to be far below the number of false alarms; real attacks can then be missed or ignored among the noise.
  • Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.
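To make the terminology above (true/false positives and negatives, noise, false-alarm rate) and the two detection techniques concrete, here is an added Python example that is not part of the original notes: a toy signature matcher and a statistical anomaly profile run over constructed, labelled sample traffic and scored into a confusion matrix. The events, signatures, addresses and the 3-sigma threshold are all constructed for illustration.

```python
"""Toy signature-based and statistical anomaly-based detection, scored
against labelled sample traffic so the TP/FP/FN/TN terms show up in practice."""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    dport: int
    nbytes: int
    payload: str
    is_attack: bool   # ground truth, used only for scoring, never by the detectors


# Signatures: fixed patterns of known-bad requests (constructed toy examples).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "shell-metacharacter-in-uri": re.compile(r"[;|`]"),
}


def match_signatures(event):
    """Names of every signature found in the payload (signature-based detection)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event.payload)]


class AnomalyProfile:
    """Statistical baseline: which ports are normal and how large flows usually are."""

    def __init__(self, baseline, k=3.0):
        sizes = [e.nbytes for e in baseline]
        self.mean, self.stdev = statistics.mean(sizes), statistics.pstdev(sizes)
        self.ports = {e.dport for e in baseline}
        self.threshold = self.mean + k * self.stdev   # flag sizes beyond k sigma

    def reasons(self, event):
        """Why this event deviates from the baseline (empty list = normal)."""
        out = []
        if event.dport not in self.ports:
            out.append(f"port {event.dport} never seen in baseline")
        if event.nbytes > self.threshold:
            out.append(f"{event.nbytes} bytes exceeds {self.threshold:.0f}")
        return out


def score(events, profile):
    """Run both detectors; return the confusion-matrix tally and the alerts raised."""
    tally = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    alerts = []
    for e in events:
        reasons = match_signatures(e) + profile.reasons(e)
        alerted = bool(reasons)
        outcome = ("TP" if e.is_attack else "FP") if alerted else ("FN" if e.is_attack else "TN")
        tally[outcome] += 1
        if alerted:
            alerts.append((e.src, e.dport, reasons))
    return tally, alerts


# Constructed benign traffic used to learn "normal"; no labels are needed for this.
BASELINE = [
    Event("10.0.0.5", 443, 900, "GET /index.html", False),
    Event("10.0.0.6", 443, 1200, "GET /about", False),
    Event("10.0.0.7", 80, 700, "GET /images/logo.png", False),
    Event("10.0.0.5", 443, 1500, "POST /login", False),
    Event("10.0.0.8", 80, 1100, "GET /news", False),
    Event("10.0.0.6", 443, 800, "GET /contact", False),
]

# Constructed traffic under test, labelled so the detectors can be scored.
TEST = [
    Event("10.0.0.5", 443, 1000, "GET /index.html", False),          # benign, quiet -> TN
    Event("198.51.100.9", 80, 950, "GET /../../etc/passwd", True),   # matches a signature -> TP
    Event("198.51.100.9", 4444, 60000, "AAAA", True),                 # odd port, huge flow -> TP
    Event("10.0.0.6", 443, 55000, "GET /report.pdf", False),          # big legit download: noise -> FP
    Event("198.51.100.9", 443, 1100, "GET /unknown-attack", True),    # no signature yet, looks normal -> FN
]

if __name__ == "__main__":
    profile = AnomalyProfile(BASELINE)
    tally, alerts = score(TEST, profile)
    for src, dport, reasons in alerts:
        print(f"ALERT {src}:{dport} {reasons}")
    print(tally)   # false-alarm rate = FP / (FP + TN); FN is the detection lag in action
```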

Evasion techniques

Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.

Development

One preliminary IDS concept consisted of a set of tools intended to help administrators review audit trails. User access logs, file access logs, and system event logs are examples of audit trails.
Fred Cohen noted in 1984 (see Intrusion Detection) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grow with the amount of usage.
Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today.[5] Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data.[6] IDES had a dual approach with a rule-based Expert System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).
The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann. Haystack was also developed this year using statistics to reduce audit trails.
Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory. W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp on a VAX 3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.
Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November 1998, and was renamed Snort one month later; it has since become the world's most widely used IDS/IPS, with over 300,000 active users.
The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.
In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argued for the importance of IDS in networks with mobile nodes.



7.
a) What is the basic purpose of a firewall? Briefly discuss the different types of firewalls. [8]
b) Present and discuss the screened subnet architecture of firewalls. [5]

January-2005 [24]

2.
b) Briefly describe the steps for recovering from a system compromise in which an intruder or attacker has gained access to the system. [6]
4.
a) What is an Intrusion Detection System? Describe briefly the main components of an IDS with the help of a diagram. [10]
b) You will find that experts disagree on the relative strength of proxy servers and packet filtering firewalls. Examine their arguments and justify your own verdict on their dispute. [8]

July-2005 [36]

1.
b) What is a proxy and how does it work? [4]
e) Is a firewall sufficient to secure a network, or do we need anything else? [4]
f) How can an intrusion detection system actively respond to an attack? [4]
3.
b) What other countermeasures besides IDS are there in a network? What are the different types of Intrusion Detection Systems? [6]
c) What are Intrusion Prevention Systems? Explain. [6]
ans:-- Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity.
Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. [2][3] More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. [4] An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

Classifications

Intrusion prevention systems can be classified into four different types:
  • Network-based intrusion prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
  • Wireless intrusion prevention systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
  • Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
  • Host-based intrusion prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Detection methods

The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.
  • Signature-based detection: This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in the exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and the conditions needed to exploit said vulnerability.
  • Statistical anomaly-based detection: This method of detection baselines performance of average network traffic conditions. After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the set baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action.
  • Stateful protocol analysis detection: This method identifies deviations of protocol states by comparing observed events with "predetermined profiles of generally accepted definitions of benign activity."
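As an added example (not from the original notes) of the third method, stateful protocol analysis: a small TCP state tracker in Python that knows nothing about attack signatures and instead flags segments that deviate from the expected handshake and teardown sequence. The addresses, ports and the two traces are constructed; the state machine is a simplification of real TCP (no sequence numbers, no timers).

```python
"""Toy stateful protocol analysis for TCP: per-connection state is tracked and
segments that do not fit the expected handshake/teardown sequence are reported."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST"}
    data: bool = False   # segment carries a payload


def seg(src, dst, sport, dport, flags, data=False):
    return Segment(src, dst, sport, dport, frozenset(flags), data)


class TcpStateTracker:
    """Tracks NONE -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED -> CLOSING per flow."""

    def __init__(self):
        self.flows = {}    # flow key -> {"state", "client", "fin_from"}
        self.alerts = []   # (description, segment)

    @staticmethod
    def key(s):
        # Same key for both directions of one connection.
        return tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))

    def alert(self, msg, s):
        self.alerts.append((msg, s))

    def feed(self, s):
        k, f = self.key(s), s.flags
        flow = self.flows.get(k)
        if "RST" in f:                       # a reset tears the connection down
            self.flows.pop(k, None)
            return
        if flow is None:
            if f == {"SYN"} and not s.data:  # only a bare SYN may open a flow
                self.flows[k] = {"state": "SYN_SENT", "client": (s.src, s.sport), "fin_from": None}
            else:
                self.alert("segment for a connection with no observed handshake", s)
            return
        st, from_client = flow["state"], (s.src, s.sport) == flow["client"]
        if st == "SYN_SENT":
            if f == {"SYN", "ACK"} and not from_client:
                flow["state"] = "SYN_RECEIVED"
            elif f == {"SYN"} and from_client:
                pass                         # retransmitted SYN is normal
            else:
                self.alert("expected SYN/ACK from server", s)
        elif st == "SYN_RECEIVED":
            if "ACK" in f and "SYN" not in f and from_client:
                flow["state"] = "ESTABLISHED"  # third handshake packet (may carry data)
            else:
                self.alert("expected handshake ACK from client", s)
        elif st == "ESTABLISHED":
            if "SYN" in f:
                self.alert("SYN on an established connection", s)
            elif "FIN" in f:
                flow.update(state="CLOSING", fin_from=(s.src, s.sport))
        elif st == "CLOSING":
            if s.data and (s.src, s.sport) == flow["fin_from"]:
                self.alert("data after the sender's own FIN", s)
            elif "FIN" in f and (s.src, s.sport) != flow["fin_from"]:
                del self.flows[k]            # both sides have closed


def analyse(segments):
    """Feed a trace through the tracker; return (alert texts, number of open flows)."""
    t = TcpStateTracker()
    for s in segments:
        t.feed(s)
    return [m for m, _ in t.alerts], len(t.flows)


# Constructed traces. C is an internal client, S a server, A an outside host.
C, S, A = "10.0.0.5", "203.0.113.10", "198.51.100.9"
NORMAL = [                                   # clean handshake, request/response, teardown
    seg(C, S, 51000, 443, {"SYN"}), seg(S, C, 443, 51000, {"SYN", "ACK"}),
    seg(C, S, 51000, 443, {"ACK"}), seg(C, S, 51000, 443, {"ACK"}, data=True),
    seg(S, C, 443, 51000, {"ACK"}, data=True),
    seg(C, S, 51000, 443, {"FIN", "ACK"}), seg(S, C, 443, 51000, {"FIN", "ACK"}),
]
DEVIANT = [
    seg(A, S, 40000, 443, {"ACK"}, data=True),                  # payload with no handshake
    seg(A, S, 40001, 443, {"SYN"}), seg(S, A, 443, 40001, {"SYN", "ACK"}),
    seg(A, S, 40001, 443, {"ACK"}), seg(A, S, 40001, 443, {"FIN", "ACK"}),
    seg(A, S, 40001, 443, {"ACK"}, data=True),                  # data after its own FIN
]

if __name__ == "__main__":
    print(analyse(NORMAL))
    print(analyse(DEVIANT))
```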

5.
c) What is a Demilitarized Zone? Explain with a diagram. [6]
ans :-- In computer security, a DMZ (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military action is not permitted.

Rationale

In a computer network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, web and Domain Name System (DNS) servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network in order to protect the rest of the network if an intruder were to succeed in attacking any of them.
Hosts in the DMZ have limited connectivity to specific hosts in the internal network, although communication with other hosts in the DMZ and to the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.
A DMZ configuration typically provides security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing such as e-mail spoofing.

Services in the DMZ

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:
Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information. The web servers can communicate with database servers either directly or through an application firewall for security reasons.
E-mail messages, and particularly the user database, are confidential information, so they are typically stored on servers that cannot be accessed from the Internet (at least not in an insecure manner), but can be accessed from the SMTP servers that are exposed to the Internet.
The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.
For security, legal compliance and monitoring reasons, in a business environment, some enterprises install a proxy server within the DMZ. This has the following consequences:
  • Obliges the internal users (usually employees) to use the proxy to get Internet access.
  • Allows the company to reduce Internet access bandwidth requirements because some of the web content may be cached by the proxy server.
  • Simplifies the recording and monitoring of user activities and the blocking of content that violates acceptable use policies.
A reverse proxy server, like a proxy server, is an intermediary, but is used the other way around. Instead of providing a service to internal users wanting to access an external network, it provides indirect access for an external network (usually the Internet) to internal resources. For example, a back office application access, such as an email system, could be provided to external users (to read emails while outside the company) but the remote user would not have direct access to his email server. Only the reverse proxy server can physically access the internal email server. This is an extra layer of security, which is particularly recommended when internal resources need to be accessed from the outside. Usually such a reverse proxy mechanism is provided by using an application layer firewall as they focus on the specific shape of the traffic rather than controlling access to specific TCP and UDP ports as a packet filter firewall does.

Architecture

Figure: Diagram of a typical network employing a DMZ using a three-legged firewall
Figure: Diagram of a typical network employing a DMZ using dual firewalls
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three-legged model, and with dual firewalls. These architectures can be expanded to create very complex architectures depending on the network requirements.

Single firewall

A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors, for example purple for LAN, green for DMZ, red for Internet (often with another color for wireless zones).

Dual firewall

A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" firewall) allows only traffic from the DMZ to the internal network.
This setup is considered more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. For example, accidental misconfiguration is less likely to occur the same way across the configuration interfaces of two different vendors, and a security hole found to exist in one vendor's system is less likely to occur in the other one. This architecture is, of course, more costly. The practice of using different firewalls from different vendors is sometimes described as a component of a "defense in depth" security strategy.
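An added example, not from the original notes, that models the single-firewall (three-legged) DMZ described above as an ordered allow-list between the three zones: it decides whether a given new connection is permitted (web tier to database only, internal users forced through the DMZ proxy, nothing from the Internet into the LAN) and renders the same policy as an nftables forward chain. The addresses, interface names (eth0/eth1/eth2) and hosts are constructed assumptions.

```python
"""Model of the single-firewall ("three-legged") DMZ: three zones on one
firewall, an ordered policy of permitted NEW connections, an evaluator for a
flow's first packet, and an nftables rendering of the same policy."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone -> (firewall interface, address range). The Internet zone is whatever
# is not LAN or DMZ, so it carries no range of its own. All values constructed.
ZONES = {
    "internet": ("eth0", None),
    "lan": ("eth1", ipaddress.ip_network("10.0.0.0/8")),
    "dmz": ("eth2", ipaddress.ip_network("192.0.2.0/24")),
}
WEB, MAIL, PROXY = "192.0.2.10", "192.0.2.11", "192.0.2.20"   # DMZ hosts
DB, MAIL_INT = "10.1.0.5", "10.1.0.6"                          # internal hosts


def zone_of(ip: str) -> str:
    """Classify an address into a zone; anything outside LAN/DMZ is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in ZONES.items():
        if net is not None and addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: Optional[frozenset]      # None = any port/protocol
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone
    why: str = ""

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and (self.src_host is None or src == self.src_host)
                and (self.dst_host is None or dst == self.dst_host)
                and (self.dports is None or dport in self.dports))


# Ordered allow-list for NEW connections; replies to allowed connections are
# admitted by connection tracking, and anything unmatched is dropped. There is
# deliberately no internet->lan rule and no lan->internet rule (LAN goes via PROXY).
POLICY = [
    Rule("internet", "dmz", frozenset({80, 443}), dst_host=WEB, why="public web"),
    Rule("internet", "dmz", frozenset({25}), dst_host=MAIL, why="inbound mail relay"),
    Rule("dmz", "lan", frozenset({5432}), WEB, DB, "web tier to database only"),
    Rule("dmz", "lan", frozenset({25}), MAIL, MAIL_INT, "relay to internal mail server"),
    Rule("dmz", "internet", frozenset({80, 443}), PROXY, why="proxy fetches for LAN users"),
    Rule("dmz", "internet", frozenset({25}), MAIL, why="outgoing mail"),
    Rule("lan", "dmz", None, why="internal clients may use DMZ services (incl. proxy)"),
]


def permitted(src: str, dst: str, dport: int):
    """Decide the fate of a connection's first packet: (allowed, reason)."""
    for rule in POLICY:
        if rule.matches(src, dst, dport):
            return True, rule.why
    return False, "default drop"


def render_nft() -> str:
    """Render POLICY as an nftables forward chain for the three-legged firewall."""
    lines = ["table inet dmz_fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in POLICY:
        parts = ["ct state new", f'iifname "{ZONES[r.src_zone][0]}"',
                 f'oifname "{ZONES[r.dst_zone][0]}"']
        if r.src_host:
            parts.append(f"ip saddr {r.src_host}")
        if r.dst_host:
            parts.append(f"ip daddr {r.dst_host}")
        if r.dports:
            parts.append("tcp dport { " + ", ".join(map(str, sorted(r.dports))) + " }")
        lines.append("    " + " ".join(parts) + f' accept comment "{r.why}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("203.0.113.7", WEB, 443), ("203.0.113.7", DB, 5432),
                 (WEB, DB, 5432), ("192.0.2.30", DB, 5432), ("10.0.5.1", "203.0.113.7", 443)]:
        print(flow, permitted(*flow))
    print(render_nft())
```

The rendered ruleset is illustrative; loading it with nft on a real firewall would need that network's own interface names and addresses.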

DMZ host

Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports otherwise forwarded. By definition this is not a true DMZ (Demilitarized Zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to connect to hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that separates them, unless the firewall permits the connection. A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ. The DMZ host provides none of the security advantages that a subnet provides and is often used as an easy method of forwarding all ports to another firewall / NAT device.


7. Write short notes on the following:
b) Reverse Proxy [6]
ans :-- In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the reverse proxy itself.[1] While a forward proxy is usually situated between the client application (such as a web browser) and the server(s) hosting the desired resources, a reverse proxy is usually situated closer to the server(s) and will only return a configured set of resources.

Uses of reverse proxies

  • Reverse proxies can hide the existence and characteristics of the origin server(s).
  • Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
  • In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware.
  • A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
  • A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator.
  • A reverse proxy can optimize content by compressing it in order to speed up loading times.
  • In a technique known as "spoon feeding",[2] a dynamically generated page can be produced all at once and served to the reverse-proxy, which can then return it to the client a little bit at a time. The program that generates the page is not forced to remain open and tying up server resources during the possibly extended time the client requires to complete the transfer.
  • Reverse proxies can be used whenever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports on the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyses each incoming call and delivers it to the right server within the local area network.


Reverse proxy server software

  • aiCache is a commercial reverse proxy and a caching reverse proxy.
  • Airlock, a Web Application Firewall developed and marketed by the Swiss company Ergon Informatik AG. It offers SSL termination, upstream authentication, blacklist and white-list filtering as well as load balancing capabilities.
  • Apache HTTP Server may be extended with mod_proxy to be used as a reverse proxy; a caching reverse proxy server may be configured using the mod_cache module in conjunction with mod_proxy.[3]
  • Apache Traffic Server, an open source, high-performance routing and caching server.
  • ApplianSys CACHEbox is a high-performance HTTP/HTTPS/FTP caching proxy appliance supporting reverse- as well as forward deployment modes.
  • Arahe SiteCelerate is a commercial high performance reverse proxy with caching and compression. It offers image and text compression.
  • Armorlogic Profense, an advanced reverse proxy (with web application firewall module) and content load balancer.
  • Blue Coat Systems ProxySG, a forward proxy that can also be used as a reverse proxy.
  • F5 Networks BIG-IP can be used as a reverse proxy with load balancing capabilities and has an optional application security module (ASM) to protect against attacks.
  • Cherokee can be used as a reverse proxy as well as a web server and load balancer.
  • GoAnywhere Gateway, an enhanced reverse proxy that allows FTP, FTPS, SFTP and HTTP services without exposing sensitive files in the DMZ or opening incoming ports into the internal network.
  • Internet Information Services 7.0 with URL Rewrite v2 and Application Request Routing can act as a reverse proxy.[4]
  • Lighttpd can be used as a reverse proxy with load balancing capabilities.
  • LiteSpeed Web Server can be used as a transparent reverse proxy server running in front of any web server or application server that supports the HTTP protocol.
  • McAfee Web Gateway is a product that can act as a reverse proxy. It also provides SSL decryption, caching, anti-virus, anti-spam and other threat detection features.
  • Microsoft Forefront Threat Management Gateway (Forefront TMG), formerly known as Microsoft Internet Security and Acceleration Server (ISA Server), is a commercial proxy, firewall and caching solution by Microsoft.
  • Netscaler ADC (Citrix Systems), a hardware and software solution providing advanced application and service delivery. Netscaler is a reverse proxy with high-speed load balancing and content switching, data compression, content caching, SSL acceleration, network optimization, application visibility and application security on a single platform.
  • Nginx is a web- and reverse proxy server.
  • Novell Access Manager is a commercial security solution which includes a reverse proxy, a policy-based access manager, and SSL VPN. All components use an LDAP-like directory or federation with Liberty and others.
  • Perlbal is a Perl-based reverse proxy load balancer and web server.
  • PortFusion is an open-source, tiny, multi-protocol, distributed reverse proxy, mainly for Windows, for all types of TCP-based traffic. Developed at the University of Heidelberg for remote administration and web service routing. Its focus is on maximum throughput, small binary and source code size and easy configuration from the command line.
  • Pound is a reverse proxy, load balancer and HTTPS front-end for Web server(s).
  • Secure Entry Server, a Reverse Proxy developed and marketed by Switzerland's United Security Providers AG. It offers SSL termination, filtering, quality of application, integration engine as well as secure login service with a wide range of authentication protocols.
  • Squid is a proxy server that may be installed in a reverse proxy configuration.
  • Stunnel can be used as a local SSL reverse proxy.



January-2006 [17]

1.
f)  What is an application level firewall and why is it necessary?  [4]
5.
a)  In most of the campus/corporate networks, we find firewalls preceded by a router, but not the reverse. Can you explain why this has become almost a de-facto standard?  [3]
6.
b)  What are the three classes of intruders? Discuss any three metrics used in profile-based anomaly detection. Explain the architecture of a distributed intrusion detection system (with a suitable diagram) and name the various components.  [10]


July-2006 [34]

1.
c)  How do two filtering routers make the screened subnet firewall most secure?  [4]
3.
a)  What are the basic techniques that are used by firewalls to control access and enforce the site's security policy?  [12]
b)  Which type of firewall acts as a relay of application-level traffic? Explain how it is better than other types of firewalls.  [6]
5.
a)  What are some of the attacks that can be made on packet filtering routers and their appropriate countermeasures?  [12]

January-2007 [19]

1.
a)  Distinguish between Host based and Network based Intrusion Prevention Systems.  [4]
g)  In most of the campus/corporate networks, we find firewalls preceded by a router, but not the reverse. Why has this become almost a de-facto standard?  [4]
4.
b)  Compare the strengths and weaknesses of an Intrusion Detection System (IDS).  [6]
5.
c)  Why can IP spoofing not be prevented by using Packet Filter Firewall Technique?  [5]


July-2007 [18]

1.
g)  A firewall's basic task is to control traffic between computer networks with different zones of trust. What are the main categories of firewall with reference to the layers where the traffic can be intercepted? Define each category with example.  [4]
2.
c)  What is Intrusion Detection System (IDS)? Briefly explain network based IDS and host based IDS.  [6]
5.
c)  A firewall is an Information Technology (IT) security device which is configured to permit, deny or proxy data connections set and configured by the organization's security policy. What is stateless and stateful firewall? Explain.  [8]

January-2008 [10]

2.
a)  What do you understand by a firewall? What is the packet filter? Explain the application level gateway mechanism in firewall to protect the vulnerable network.  [10]

July-2008 [10]
1.
b)  A firewall's responsibility is to control traffic between computer networks with different zones of trust. Explain the main categories of firewall with reference to the layers where the traffic can be intercepted. Briefly explain each of them.  [4]

6.
b)  What is intrusion detection system (IDS)? Briefly explain the following types of IDS.  [6]
i) Network based IDS
ii) Protocol based IDS
iii) Application based IDS
iv) Host based IDS

January-2009 [23]

4.
b)  Why can IP spoofing not be prevented by using Packet Filter Firewall Technique?  [6]

5.
b)  In most of the campus/corporate networks, we find firewalls preceded by a router, but not the reverse. Explain why this has become almost a de-facto standard.  [6]

6.
a)  What are the advantages of using IDS?  [5]

7.  Write short notes on any three of the following:
d)  Demilitarized Zone  [6]

July-2009 [19]

1.
d)  An application gateway is an application program that runs on a firewall system between two networks. Briefly explain how it works.  [4]

2.
c)  Present and discuss the screened subnet architecture of firewalls.  [6]

6.
b)  What do you understand by Intrusion Detection System? Briefly explain its various types.  [9]

January-2010 [12]

2.
b)  What is the packet filter firewall? Explain the three main functions performed by packet filter firewall. Which techniques are used to break the security of packet filter firewall?  [9]

5.
a)  What are the three benefits that can be provided by an Intrusion Detection System?  [3]

July-2010 [28]

1.
b)  Why does an application level gateway tend to be more secure than packet filters?  [4]
c)  Explain briefly any three tasks performed by a firewall.  [4]

5.
b)  List three attacks that can be activated on packet filtering routers. Also suggest appropriate countermeasures.  [9]

6.
a)  Briefly classify the three classes of intruders.  [6]
b)  What are the benefits of an Intrusion Detection System? Explain.  [5]


