Network Security IDS

This document provides an overview of intrusion detection systems (IDS), detailing their definitions, key features, and types of attacks such as reconnaissance, access, and denial of service. It explains the differences between true and false alarms, the relationship between vulnerabilities and exploits, and various intrusion detection technologies including profile-based, signature-based, and protocol analysis-based detection. Additionally, it discusses the reactive capabilities of modern IDS to respond to detected intrusions.

Uploaded by dawitabera1885

Unity University

College of Engineering, Technology and Computational Sciences

Department of Computer Science

Course Title: Computer System Security

Topic: Intrusion Detection Overview
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Define intrusion detection.
• Explain the difference between true and false, and positive and negative alarms.
• Describe the relationship between vulnerabilities and exploits.
• Explain the differences between HIPS and NIDS.
• Describe the various techniques used to evade intrusion detection.

1. Intrusion Detection
Intrusion detection has been defined as the ability to detect misuse, abuse, and unauthorized
access to networked resources. The network can be made up of network devices such as routers,
printers, firewalls, and servers.

Intrusion Detection key features

• An IDS is a specialized tool that knows how to read and interpret the contents of log files
from routers, firewalls, servers, and other network devices.
• An IDS often stores a database of known attack signatures and can compare patterns of
activity, traffic, or behavior it sees in the logs it is monitoring against those signatures to
recognize when a close match between a signature and current or recent behavior occurs.
• At that point, the IDS can issue alarms or alerts, take various kinds of automatic action
ranging from shutting down Internet links or specific servers to launching backtraces,
and make other active attempts to identify attackers and actively collect evidence of their
nefarious activities.
• IDSs that monitor network backbones and look for attack signatures are called
network-based IDSs, whereas those that operate on hosts defend and monitor the operating and
file systems for signs of intrusion and are called host-based IDSs.

Source: Feleke M. HaileMariam (Dr.-Eng.) Page 1

The following are three types of network attacks:

• Reconnaissance attacks—An intruder is attempting to discover and map systems,
services, or vulnerabilities.
• Access attacks—An intruder attacks networks or systems to retrieve data, gain access, or
escalate their access privileges.
• Denial of service (DoS) attacks—An intruder attacks your network in a manner that
damages or corrupts your computer system, or denies legitimate users access to the
network, systems, or services.

a) Reconnaissance attack

Reconnaissance is the unauthorized discovery and mapping of systems, services, or
vulnerabilities. It is known as information gathering and, in most cases, precedes an actual
access or denial of service attack. The malicious intruder typically ping sweeps the target
network first to determine what IP addresses are alive. After this is accomplished, the intruder
determines what network services or ports are active on the live IP addresses by performing a
port sweep or port scan. From this information the intruder queries the ports to determine the
application type and version as well as the type and version of operating system running on the
target host. Based on this information, the intruder can determine if a possible vulnerability
exists that can be exploited.

Reconnaissance is somewhat analogous to a thief casing a neighborhood for vulnerable homes,
such as an unoccupied residence, an easy-to-open door or window, and so on. In many cases the
intruders go as far as “rattling the door handle,” not to go in immediately if open, but to discover
vulnerable services that they can exploit at a later time when no one is looking.

Performing reconnaissance
Performing reconnaissance involves the use of common commands or utilities available in all
operating systems. For example, using the nslookup and whois utilities, the attacker can easily
determine the IP address space assigned to a given corporation or entity.
The ping command tells the attacker what IP addresses are “alive” on the network.
• Common commands or administrative utilities—nslookup, ping, netcat,
telnet, finger, rpcinfo, File Explorer, srvinfo, DumpSec
• Hacker tools—NMAP, Nessus, custom scripts

b) Access attack

Access is an all-encompassing term that refers to unauthorized data manipulation, system access,
or privilege escalation.

Unauthorized data retrieval is simply reading, writing, copying, or moving files that are not
intended to be accessible to the intruder. Sometimes this is as easy as finding shared folders in
Windows or NFS exported directories in UNIX systems with read or read and write access to
everyone. The intruder will have no problems getting to the files and, more often than not, the
accessible information is highly confidential and completely unprotected from prying eyes,
especially if the attacker is an internal user.

System access is the ability for an unauthorized intruder to gain access to a device for which the
intruder does not have an account or password. Entering or accessing systems to which one does
not have access usually involves running a hack, script, or tool that exploits a known
vulnerability of the system or application being attacked.

Another form of access attacks involves privilege escalation. Privilege escalation occurs when
users obtain privileges or rights to objects that were not assigned by administrators. Objects can
be files, commands, or other components on a network device.
The intent is to gain access to information or execute procedures for which they are not
authorized at their current levels of access.
In many cases this involves gaining administrative privileges to systems or devices to install
sniffers, create backdoor accounts, or delete log files.

In some cases intruders want to gain access without necessarily wanting to steal information—
especially when the motive is intellectual challenge, curiosity, or ignorance.

Access methods
Usually, the first line of defense when it comes to access attacks is strong authentication. In many
cases, user passwords are too easily guessed by attempting to enter default passwords or by brute force
attacks. These attacks involve attempting to log onto a host with a common user name and then
trying different password combinations that are commonly used. This technique is especially
effective if the attacker has some prior knowledge about the user being targeted. Common access
methods include the following:

1. Exploit easily guessed passwords
– Default
– Brute force

2. Exploit mis-administered services
– IP services
– Trust relationships
– File sharing

Exploiting mis-administered services is simply taking advantage of services that are
poorly installed and administered by novice or unknowing administrators. One of the
easiest services to exploit is file sharing. Too often users share their files by creating a shared
folder or directory with full access to everyone, and sometimes a user does not realize that others
can access the folder. This can be prevented with password-protected shares, or sharing
only with intended users. Other common mis-administered services are anonymous FTP
and TFTP servers, SNMP, Windows registry access, and trust relationships.

3. Exploit application holes
– Mishandled input data—Access outside application domain, buffer overflows, race conditions
– Protocol weaknesses—Fragmentation, TCP session hijack

4. Trojan horses—Programs that introduce an inconspicuous backdoor into a host

Application security holes have been around since the first piece of software was written.
These holes are usually a result of unanticipated behavior of software code or
unexpected inputs. An example of this is a program that breaks out into a root shell when
receiving an out-of-band input.

Protocol weaknesses are types of application holes. Examples of this are IP
fragmentation and TCP session hijack. The attacker is taking advantage of protocol
design deficiencies that the original designers did not anticipate.

Finally, Trojan horses are used to gain unauthorized access by tricking a legitimate user
into running Trojan programs that install or open back doors for attackers to secretly break in.
Then the attackers, circumventing in many cases any authentication procedures, enter
through the back door.

c) Denial of Service attack

Denial of Service (DoS) is an attacker disabling or corrupting networks, systems, or services with
the intent of denying the service to intended users. It usually involves either crashing the system
or slowing it to the point that it is unusable. But DoS can be as simple as wiping out or corrupting
information necessary for business. In most cases, performing the attack involves simply running
a hack, script, or tool. The attacker does not need prior access to the target because all that is
usually required is a way to get to it. For these reasons, and because of their great damaging
potential, DoS attacks are the most feared by companies conducting business over the Internet.

Denial of Service Methods

• Resource Overload attacks include:
– Disk space, bandwidth, buffers
– Ping floods, SYN flood, UDP bombs
– Unsolicited Commercial E-mail (UCE)
• Fragmentation or Impossible Packets
– Large ICMP packets
– IP fragment overlay
– Same Source and Destination IP packet

Common Denial of Service (DoS) (or resource overload) attacks include: ping floods (smurf), TCP
SYN floods (neptune), and packet storms (UDP bomb and fraggle). Unsolicited Commercial E-mail
(UCE), often referred to as SPAM, attempts to overload mail servers.

2. Difference between true and false, and positive and negative alarms.
False Alarms

The ability for an intrusion detection product to accurately detect an attack or a policy violation
and generate an alarm is critical to its functionality. The two forms of false alarms are false
positives and false negatives.

A false positive is a situation in which normal traffic or a benign action causes the signature to
fire. Consider the following scenario: a signature exists that generates alarms if any network
devices’ enable password is entered incorrectly. A network administrator attempts to log in to a
Cisco router but mistakenly enters the wrong password. The IDS cannot distinguish between a
rogue user and the network administrator, and generates an alarm.

A false negative is a situation in which a signature is not fired when offending traffic is present.
Offending traffic can range from someone sending confidential documents outside of the
corporate network to an attack against corporate web servers. False negatives should be
considered software bugs and reported in accordance with the software license agreement.

True Alarms
Like false alarms, there are two forms of true alarms. A true positive is a situation in which a
signature is fired properly when offending traffic is detected and an alarm is generated. For
example, Cisco IDS Sensors have signatures that detect Unicode attacks against Microsoft IIS
web servers. If a Unicode attack is launched against Microsoft IIS web servers, the Sensors
detect the attack and generate an alarm.
A true negative is a situation in which a signature is not fired when non-offending traffic is
captured and analyzed. In other words, the Sensor does not fire an alarm when it captures and
analyzes ‘normal’ network traffic.

3. Relationship between vulnerabilities and exploits.

A vulnerability is a weakness that compromises either the security or functionality of a system.
The following are examples of vulnerabilities:
• Poor passwords—Passwords are the first line of defense. Weak or easily guessed
passwords are considered vulnerabilities.
• Improper input handling—Software that does not properly handle all possible input can
have unexpected results. Often this leads to either a DoS or access to restricted system
resources.
• Insecure communication—Data that is transferred in clear-text is susceptible to
interception. System passwords, employee records, and confidential company documents
are some examples of data that is vulnerable to interception.

An exploit is the mechanism used to leverage a vulnerability to compromise the security or
functionality of a system. The following are examples of exploits:
• Password guessing tools—These tools attempt to “crack” passwords by using knowledge
of the algorithm used to generate the actual password or by attempting to access a system
using permutations and combinations of different character sets. Some popular password
cracking tools are L0phtCrack and John the Ripper.
• Shell or batch scripts—These scripts are created to automate attacks or perform simple
procedures known to expose the vulnerability.
• Executable code—Exploits written as executable code require programming knowledge
and access to software tools such as a compiler. Consequently, executable code exploits
are considered to be more advanced forms of exploitation.

4. Intrusion Detection Technologies

This section describes the various technologies implemented in IDSs.

• Profile-Based Intrusion Detection
Also known as Anomaly Detection—Activity deviates from the profile of “normal”
activity
– Requires creation of statistical user and network profiles
– Prone to high number of false positives—Difficult to define “normal” activity

Profile-based intrusion detection generates an alarm when activity on the network goes
outside of the profile. By collecting examples of user and network activity, you can build a
profile of normal activity. For example, a web server farm would typically generate web
(HTTP) traffic. A profile could be created to monitor web traffic.

Another example is a network segment where the users are helpdesk technicians. The
help desk technician’s primary function is to monitor e-mail requests. A profile could be
created to monitor mail (SMTP) traffic. The problem with this method of intrusion
detection is that users do not feel a responsibility to follow a profile. Humans do not
consistently keep to a normal pattern; consequently, what may be defined as normal
activity today might not be normal activity tomorrow. Simply put: there is too much
variation in the way users act on the network for this type of detection to be effective.
For example, some help desk technicians may access the web or telnet to systems in order
to troubleshoot problems. Based on the profile created, this type of network activity
would trigger alarms, although the alarms are likely to be benign.

• Signature-Based Intrusion Detection
Also known as Misuse Detection or Pattern Matching—Matches pattern of malicious activity
– Requires creation of signatures
– Less prone to false positives—Based on the signature’s ability to match malicious
activity

Signature-based intrusion detection is less prone to false positives when detecting
unauthorized activity. A signature is a set of rules pertaining to typical intrusion activity.
Highly skilled network engineers research known attacks and vulnerabilities and can develop
signatures to detect these attacks and vulnerabilities.
Cisco IDS implements signatures that can look at every packet going through the network
and generate alarms when necessary. Cisco IDS generates alarms when a specific pattern
of traffic is matched or a signature is triggered. You can configure Cisco IDS to exclude
signatures and modify signature parameters to work optimally in your network
environment.

• Protocol analysis-based intrusion detection
Intrusion detection analysis is performed on the protocol specified in the data stream.
– Examines the protocol to determine the validity of the packet
– Checks the content of the payload (pattern matching)

Protocol analysis-based intrusion detection is similar to signature-based, but performs a
more in-depth analysis of the protocols specified in the packets. For example, an attack is
launched against a server. The attacker sends an IP packet with a protocol type that,
according to an RFC, should not contain any data in the payload. A protocol analysis-based
IDS is able to detect this type of attack based on its knowledge of the protocol.
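As an added example (not from the handout), the Python script below implements the three detection technologies of section 4 over constructed sample traffic and scores each alarm with the true/false positive/negative categories of section 2. Every host name, signature, protocol rule and profile in it is an assumption made for illustration; the "noop" protocol stands in for the handout's unnamed payload-less protocol type, and "% Access denied" stands in for a router's failed-enable message.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str         # source host name (constructed)
    dst: str         # destination host name (constructed)
    proto: str       # protocol label the packet carries, e.g. "http", "smtp"
    payload: bytes
    offending: bool  # ground-truth label, used only for scoring, never by a detector


# --- Signature-based (misuse) detection ------------------------------------
# Constructed signatures: name -> (protocol the rule applies to, byte pattern).
SIGNATURES = {
    "dir-traversal": ("http", b"../.."),
    "enable-bad-password": ("telnet", b"% Access denied"),
}


def signature_alarms(pkt):
    return [name for name, (proto, pattern) in SIGNATURES.items()
            if pkt.proto == proto and pattern in pkt.payload]


# --- Protocol analysis-based detection -------------------------------------
# Constructed protocol knowledge: whether the protocol may carry a payload at
# all. "noop" is a hypothetical protocol that must never carry data.
PAYLOAD_ALLOWED = {"http": True, "smtp": True, "telnet": True, "noop": False}


def protocol_alarms(pkt):
    if pkt.payload and not PAYLOAD_ALLOWED.get(pkt.proto, True):
        return ["payload-in-payloadless-protocol"]
    return []


# --- Profile-based (anomaly) detection -------------------------------------
# Profiles of "normal" protocols per segment, following the handout's web
# server farm and help-desk examples; profiles are keyed on the source host.
PROFILES = {"web-farm": {"http"}, "helpdesk": {"smtp"}}
SEGMENT_OF = {"web1": "web-farm", "hd-pc1": "helpdesk"}


def profile_alarms(pkt):
    segment = SEGMENT_OF.get(pkt.src)
    if segment and pkt.proto not in PROFILES[segment]:
        return [f"outside-{segment}-profile"]
    return []


def classify(alarm_fired, offending):
    """Map (did an alarm fire?, was the traffic offending?) to the section 2 categories."""
    if alarm_fired:
        return "true positive" if offending else "false positive"
    return "false negative" if offending else "true negative"


def analyze(packets):
    """Run all three detection methods over each packet and score the outcome."""
    results = []
    for pkt in packets:
        alarms = signature_alarms(pkt) + protocol_alarms(pkt) + profile_alarms(pkt)
        results.append((pkt, alarms, classify(bool(alarms), pkt.offending)))
    return results


def outcome_counts(results):
    return Counter(outcome for _, _, outcome in results)


# Constructed sample traffic with ground-truth labels.
SAMPLE = [
    Packet("client1", "web1", "http", b"GET /index.html", False),             # benign request
    Packet("attacker", "web1", "http", b"GET /../../etc/passwd", True),       # traversal attempt
    Packet("attacker", "web1", "noop", b"\x90\x90", True),                   # data where none is allowed
    Packet("admin", "router1", "telnet", b"% Access denied", False),        # admin mistypes enable password
    Packet("hd-pc1", "vendor-site", "http", b"GET /kb/article", False),     # technician browsing to troubleshoot
    Packet("hd-pc1", "mail1", "smtp", b"MAIL FROM:<tech@example.test>", False),  # within the help-desk profile
    Packet("web1", "external", "smtp", b"MAIL FROM:<spam@example.test>", True),  # web server suddenly sending mail
    Packet("insider", "external", "smtp", b"attached: payroll.xlsx", True),      # exfiltration with no signature
]

if __name__ == "__main__":
    results = analyze(SAMPLE)
    for pkt, alarms, outcome in results:
        print(f"{pkt.src:>8} -> {pkt.dst:<11} {pkt.proto:<6} {outcome:<14} {alarms}")
    print(outcome_counts(results))
```

The run shows the handout's two false positives (the administrator's typo and the technician's web browsing) next to a false negative that no signature, protocol rule or profile covers.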

• Responsive
Reactive IDSs can respond to an attack.
– Terminate session (TCP resets)
– Block offending traffic (ACL)
– Create session log files (IP logging)
– Restrict access to protected resources

Intrusion detection technology is traditionally considered a passive monitoring tool. Earlier IDSs
simply monitored the network for suspicious activity or parsed system log files. Today’s
intrusion detection system (IDS) offers much more reactive responses and preventive measures
when an intrusion or malicious activity is detected. The common reactive responses are as
follows:
• Terminate the session—The IDS sends TCP packets with the reset bit set to both the
source address of the attack and the destination address of the target.
• Block offending traffic—The IDS communicates with the network device and applies
an access control list entry specifying that the source address of the attack be denied.
• Create session log files—The IDS creates a session log file capturing the data transmitted
from the source address of the attack.
• Restrict access to protected resources—The IDS prevents the attacker from accessing
system resources outside the allowed realm or domain specified.

4.1 Host-Based Intrusion Protection System (HIPS)

HIPS Features
• Agent software is installed on each host.
• Provides individual host detection and protection.
• Does not require special hardware.

An advantage of HIPS is that it can monitor operating system processes and protect critical
system resources including files that may exist only on that specific host.
Today’s HIPS software requires Agent software to be installed on each host to monitor activity
performed on and against the host. The Agent software performs the intrusion detection analysis
and protects the host.
The figure below illustrates a typical HIPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The Agents report events to a central Console server located inside the corporate firewall.

4.2 Network-Based Intrusion Detection Systems (NIDS)

A NIDS involves the deployment of monitoring devices or “Sensors” throughout the network,
which capture and analyze the traffic as it traverses the network. The Sensors detect malicious
and unauthorized activity in real time and can take action when required.
Sensors can be deployed at designated network points that enable security managers to monitor
network activity while it is occurring, regardless of the location of the target of the attack.
NIDS gives security managers real-time security insight into their network regardless of network
growth. Network growth can occur by adding either additional hosts or new networks.
Additional hosts added to existing protected networks would be covered without any new
Sensors. Additional Sensors can easily be deployed to protect the new networks. Some of the
factors that influence the addition of Sensors are as follows:
• Expected traffic capacity—For example, the addition of a new gigabit network segment requires
a high-capacity Sensor.
• Performance capabilities of the Sensor—The current Sensor may not be able to perform given
the new traffic capacity.
• Network implementation—The security policy or network design may require additional Sensors
to help enforce security boundaries.

NIDS Features

• Sensors are connected to network segments. A single Sensor can monitor many hosts.
• Growth of a network is easily protected. New hosts and devices can be added to the
network without additional Sensors.
• The Sensors are network appliances tuned for intrusion detection analysis.
– The operating system is “hardened.”
– The hardware is dedicated to intrusion detection analysis.

NIDS Sensors are typically tuned for intrusion detection analysis. The underlying operating
system is “stripped” of unnecessary network services and essential services are secured.

The hardware chosen provides the maximum intrusion detection analysis possible for various
networks. The hardware includes the following:
• Network interface card (NIC)—NIDS must be able to connect into any network. Common NIDS
NICs include Ethernet, Fast Ethernet, GigEthernet, Token Ring, and FDDI.
• Processor—Intrusion detection requires CPU power to perform intrusion detection protocol
analysis and pattern matching.
• Memory—Intrusion detection analysis is memory intensive. Memory directly impacts the ability
of a NIDS to efficiently and accurately detect an attack.

The figure below illustrates a typical NIDS deployment. Sensors are deployed at network entry
points that protect critical network segments. The network segments have both internal and
external corporate resources. The Sensors report to a central management and monitoring
server located inside the corporate firewall.

5. Intrusion Detection Evasive Techniques

The hacker community is aware of the various IDS technologies used and has identified ways to
evade intrusion detection. Attempting to elude intrusion detection is accomplished using
intrusion detection evasive techniques. The following are common intrusion detection evasive
techniques:
• Flooding
• Fragmentation
• Encryption
• Obfuscation

a) Flooding

Intrusion detection systems rely on their ability to capture packets off the wire and analyze them
as quickly as possible. This requires that the IDS have adequate memory capacity and processor speed.
By flooding the network with noise traffic and causing the IDS to capture unnecessary packets,
the attacker can launch an attack that can go undetected. Even if the attack is detected, the IDS
resources may be exhausted, causing a delayed response, so the IDS is unable to respond in a timely
manner. In the figure, the attacker is sending large amounts of traffic as signified by the larger
pipe. Meanwhile, the actual attack is being sent to the target host, as represented by the thin pipe
that reaches the target host.

b) Fragmentation

Networks are connected via various media types such as Ethernet, FDDI, Token Ring, and ATM.
Each of these technologies specifies the allowed maximum transmission unit (MTU). The MTU
value is different for each technology. Consequently, fragmentation of these transmission units
(packets, cells) is allowed to accommodate for differing MTU sizes.

Fragmentation adds a level of complexity that an IDS must address. The IDS now must keep track
of the fragmented packets and perform reassembly. Reassembly is highly processor-intensive
and requires sufficient memory.
In the figure, the attacker is splitting malicious packets into smaller packets that are transmitted
to the target host in an attempt to elude intrusion detection and have the target host reassemble
the packets.
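The added example below (not from the handout) shows why the reassembly described above matters for detection: a constructed signature is matched first per fragment, where a pattern straddling the split is missed, then on the reassembled datagram, where it is caught. The reassembler also refuses overlapping fragments, which the handout lists under impossible packets. The payload, signature, MTU and the Fragment structure are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int    # identification shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes
    last: bool    # True for the final fragment (more-fragments flag clear)


SIGNATURE = b"../.."                        # constructed signature
PAYLOAD = b"GET /app/../../secret.txt"      # constructed malicious request


def fragment(ident, payload, mtu):
    """Split a payload into fragments carrying at most `mtu` bytes each."""
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        frags.append(Fragment(ident, off, chunk, off + mtu >= len(payload)))
    return frags


def match_per_fragment(frags):
    """Naive matching: inspect each fragment on its own."""
    return any(SIGNATURE in f.data for f in frags)


class Reassembler:
    """Buffers fragments per datagram and returns the datagram once it is complete."""

    def __init__(self):
        self.pending = {}     # ident -> {offset: data}
        self.total_len = {}   # ident -> datagram length learned from the last fragment
        self.alarms = []      # (reason, ident) for fragments the reassembler refuses

    def add(self, frag):
        buf = self.pending.setdefault(frag.ident, {})
        end = frag.offset + len(frag.data)
        for off, data in buf.items():
            # Overlapping fragments are refused: hosts resolve overlaps
            # differently, so the IDS cannot know what the target would see.
            # A retransmitted duplicate also lands here; a production
            # reassembler would compare the bytes before alarming.
            if frag.offset < off + len(data) and off < end:
                self.alarms.append(("overlapping-fragment", frag.ident))
                return None
        buf[frag.offset] = frag.data
        if frag.last:
            self.total_len[frag.ident] = end
        total = self.total_len.get(frag.ident)
        if total is None or sum(len(d) for d in buf.values()) < total:
            return None                 # still waiting for fragments
        datagram, pos = b"", 0
        for off in sorted(buf):         # fragments may have arrived out of order
            if off != pos:
                return None             # gap: not complete after all
            datagram += buf[off]
            pos += len(buf[off])
        del self.pending[frag.ident], self.total_len[frag.ident]
        return datagram


def match_after_reassembly(frags):
    """Matching the way an IDS must do it: on the reassembled datagram."""
    reassembler = Reassembler()
    for f in frags:
        datagram = reassembler.add(f)
        if datagram is not None and SIGNATURE in datagram:
            return True
    return False


if __name__ == "__main__":
    frags = fragment(1, PAYLOAD, 11)
    print([f.data for f in frags])
    print("per fragment:", match_per_fragment(frags))
    print("after reassembly:", match_after_reassembly(frags))
```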

c) Encryption

NIDSs monitor the network and capture the packets as they traverse the network. NIDS relies on
the data being transmitted in clear-text. When packets are encrypted, the NIDS captures the
data but is unable to decrypt the data and cannot perform meaningful intrusion detection
analysis.

This type of evasive technique assumes the attacker has already established a secure session with
the target network or host. Some examples of secure sessions that can be used are as follows:
• Secure Socket Layer (SSL) connection to a secure web site
• Secure Shell (SSH) connection to a SSH server
• Site-to-Site VPN tunnel
• Client-to-LAN VPN tunnel

Summary

• Intrusion detection is the ability to detect attacks against networks including network
devices and hosts.
• Exploits are used to leverage vulnerabilities associated with a system.
• False positive alarms can be triggered by normal network activity.
• True positive alarms are signatures that are triggered as expected.
• HIPS provides individual host protection and detection.
• NIDS provides broader protection by monitoring network segments.
• Evasive techniques are used by hackers to elude intrusion detection systems.
• Common IDS evasive techniques are: flooding, fragmentation, and encryption.

Review questions
Q: What type of IDS should I choose?
A: The type of IDS you choose to employ on your network will depend on what type of network
you have and what types of applications you are running.
Host-based IDSs can effectively monitor one specific computer, but not the entire network.
Network-based IDSs can monitor the entire network from a high-level view, but may miss
some types of attacks. Application-based IDSs are specific to one application, such as a
database application, and will monitor attacks only on that application.

Q: You have installed an Active IDS system onto your network. When an attack occurs and is
detected by your new IDS, what might you expect it to do? (Choose all that apply)
a) Inform the attacker that his or her actions may be monitored as part of the network AUP.
b) Disable a service or services.
c) Terminate the connection after a predefined amount of time.
d) Shut down a server or servers.

Q: You have an IDS system running only on one computer in your network. What type of IDS
system is this?
a) Active
b) Host
c) Network
d) Anomaly

Q: You have detected an attack against your network. Your server log shows the originating IP
address, but you need to determine what domain it came from. How can you do this?
a) Perform a reverse DNS lookup.
b) Ping the root server.
c) Examine your DNS server’s A records.
d) Call your ISP to have them locate the required information for you.

Q: After analyzing a suspected attack, you incorrectly determine that an attack has occurred,
when in fact one has not occurred. What is this called?
a) False positive
b) False negative
c) Honeypot
d) Signature based IDS

Q: Which of the following is a benefit of removing unused or unneeded services and protocols?
a) More machine resource availability
b) More network throughput
c) Less need for administration
d) More security

Q: Which is the most important reason for the removal of unused, unnecessary, or unneeded
protocols, services, and applications?
a) Increased security
b) Increased performance
c) Less need for administration
d) Less machine resource use

Q: The act of attempting to appear to be someone you’re not in order to gain access to a system is
known as which of the following?
a) Spoofing
b) DDoS
c) Replay
d) Sniffing

Q: Which of the following is the best way to protect your organization from revealing sensitive
information through dumpster diving?
a) Establish a policy requiring employees to change passwords every 30 to 60 days.
b) Teach employees the value of not disclosing restricted information over the telephone to
unknown parties.
c) Add a new firewall to the network.
d) Shred all sensitive documentation.

Q: Which of the following attacks involves a SYN flood?
a) DoS
b) TCP hijacking
c) Replay
d) MITM

Note: DoS attacks can be launched by creating a SYN flood. A SYN flood sends thousands of SYN
(synchronization) packets to a victim computer, which then sends the SYN/ACK (acknowledgement)
back, and patiently waits for a response that never comes. While the server waits on thousands of
replies, the resources are consumed in such a way as to render the machine useless.

Q: Buffer overflows can allow attackers to do which of the following?
a) Speak with employees to get sensitive information
b) Run code on a remote host as a privileged user
c) Write viruses that cause damage to systems
d) Crash server hard disks

Note: Buffer overflows are a type of software exploit that are often used by attackers to run code on
victim machines. Examples would be xterms or root shells.

Q: Sending multiple packets with which of the following TCP flags set can launch a common DoS
attack?
a) ACK
b) URG
c) PSH
d) SYN

Note: SYN flags are set on synchronization packets that are sent in overwhelming numbers to a
server, to consume its resources and render it useless to legitimate clients that attempt to connect to
it. This type of attack is known as a SYN flood.

Q: Which of the following is the best definition of IP spoofing?
a) Sending thousands of packets to a victim host in an attempt to shut it down
b) Cracking the encryption of a password scheme
c) Pretending to be someone you are not to gain access to a system
d) Sending fragmented TCP/IP packets through a firewall to trick stateful inspection filters

Note: IP spoofing is defined as pretending to be a host that you are not, in order to exploit a trust
mechanism on a network and gain access to a system.

Q: Which of the following can be classified as denial of service attacks? (Select all that apply.)
a) Unplugging the main router for a network
b) Using zombies to send a SYN flood to a host
c) Using a buffer overflow to crash a Web server
d) Capturing packets from an unprotected network link

Q: Packet sniffing will help with which of the following? (Select all that apply.)
a) Capturing e-mail to gain classified information
b) Launching a DDoS attack with zombie machines
c) Grabbing passwords sent in the clear
d) Developing a firewall deployment strategy

Note: Packet sniffing allows attackers to see all traffic on a network. With this ability, attackers can
easily view e-mail and passwords sent in the clear.

Q: Which of the following is true of brute force attacks?
a) They are always the fastest way to break any password.
b) They try all possible combinations of a password.
c) They are efficient and quiet on networks.
d) They will create a buffer overflow attack on a victim host.

Note: Brute force attacks try every possible character combination in order to find the correct
password.
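Because a brute force attack tries every combination, it is anything but quiet: it leaves a dense run of failed logins from one source. The following Python is an added example (not part of the handout) that finds such runs in constructed sshd-style log lines using a sliding time window; the log lines, the addresses and the threshold values are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from any real system); ISO 8601 timestamps.
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd[2311]: Failed password for root from 203.0.113.9 port 51234 ssh2
2024-01-15T10:00:03 sshd[2312]: Failed password for root from 203.0.113.9 port 51235 ssh2
2024-01-15T10:00:05 sshd[2313]: Failed password for admin from 203.0.113.9 port 51236 ssh2
2024-01-15T10:00:07 sshd[2314]: Failed password for admin from 203.0.113.9 port 51237 ssh2
2024-01-15T10:00:09 sshd[2315]: Failed password for root from 203.0.113.9 port 51238 ssh2
2024-01-15T10:00:12 sshd[2316]: Failed password for root from 203.0.113.9 port 51239 ssh2
2024-01-15T10:00:30 sshd[2320]: Failed password for alice from 10.0.0.8 port 60001 ssh2
2024-01-15T10:00:40 sshd[2321]: Accepted password for alice from 10.0.0.8 port 60002 ssh2
2024-01-15T10:05:00 sshd[2330]: Failed password for bob from 10.0.0.8 port 60003 ssh2
"""

# Matches the failed-login line shape used in the constructed sample above.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, source IP, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source IP: peak failures inside any `window`} for sources whose
    failures within one sliding window reach `threshold` (assumed values)."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, src, _user in sorted(parse_failures(log_text)):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def usernames_tried(log_text):
    """Per source IP, the set of account names that saw failed logins; a source
    cycling through many names is another sign of guessing."""
    tried = defaultdict(set)
    for _ts, src, user in parse_failures(log_text):
        tried[src].add(user)
    return dict(tried)


if __name__ == "__main__":
    print("brute force sources:", brute_force_sources(SAMPLE_LOG))
    print("usernames tried:", usernames_tried(SAMPLE_LOG))
```

The two legitimate users on 10.0.0.8 each mistype a password once, minutes apart, and never reach the threshold, while the guessing host is flagged with six failures inside eleven seconds; the same window logic is what lockout policies and tools such as fail2ban apply before blocking a source.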

Q: Software or a specific configuration or coding that allows unauthenticated access to a system is
known as which of the following?
a) Operating system
b) Back door
c) Logic bomb
d) Social engineering

Q: Which of the following is the most common reason that an attacker would place a back door in a
system?
a) To spread viruses
b) To provide an interactive login without authentication or logging
c) To remove critical system files
d) To run a peer-to-peer file-sharing server

Q: You are implementing a firewall for a small company that wishes to establish an Internet
presence. The company wants to use its dedicated Internet connection to allow employees to access
the Internet as well as host a Web server. What is the best type of firewall to use in this situation?
a) A packet filtering firewall
b) A stateful inspection firewall
c) An application layer gateway
d) No firewall is necessary

Note: A packet-filtering firewall will fill the needs of the company, cost the least, and perform the
fastest without adding unnecessary processing overhead that would slow down traffic.

Q: A company has contracted you to audit their security practices in day-to-day IT operations. You
are working with the team responsible for configuring the company’s routers and notice that the
technician is using a normal Telnet session to log in to all of the routers he is working with. What
recommendation would you make in your report?
a) Telnet is an unsafe method of communicating with the company’s routers and the
technician should use the router’s Web interface instead.
b) Telnet is an unsafe method of communicating with the company’s routers and the
technician should use the router’s SSH interface instead.
c) Telnet is an unsafe method of communicating with the company’s routers and the
technician should use the router’s console port instead.
d) Telnet is a safe method of communicating with the company’s routers and you have no
recommendation.

Q: Your company is considering implementing wireless networking in various conference rooms so
that visiting executives can access the Internet from their wireless-equipped laptops or PDAs. The
conference rooms are on the second floor of the building and all of them have windows looking out
on parking areas. Why would you recommend against implementing this?
a) The wireless communications would interfere with normal communications on the LAN.
b) This is a security risk as someone with a laptop, a wireless network card, and an antenna
could sit in the parking lot and access the wireless cell.
c) Wireless would not work in the conference rooms because the signals would resonate off
the windows.
d) There is nothing wrong with this idea and no reason to recommend against it.

Q: To allow its employees remote access to the corporate network, a company has implemented a
hardware VPN solution. Why is this considered a secure remote access solution?
a) Because only the company’s employees will know the address to connect to in order to use
the VPN.
b) Because VPNs use the Internet to transfer data.
c) Because a VPN uses compression to make its data secure.
d) Because a VPN uses encryption to make its data secure.

Q: Some new servers are being installed on your company’s network and you have been asked to
work with the installer to ensure that they are as secure as possible from hack attempts. What is the
most important step you should take to ensure that the servers’ OSs are secure?
a) Make sure that the installer is certified.
b) Make sure that the latest OS service pack is installed.
c) Make sure that the latest OS service pack and all security patches are installed.
d) Make sure that the servers have locks on the hot-swap drive chassis.

Q: You have been asked to implement a secure network infrastructure for a farm of servers. Your
company has asked you to use the most secure cable available for this. Why would you choose fiber?
a) Fiber has shielding so that it cannot be cut through.
b) Fiber is impervious to EMI and is therefore more secure.
c) Fiber uses light rather than electricity for communications, making it less likely to be
hacked into remotely.
d) Fiber is unable to be easily tapped into.

Q: What should you do to data stored on a hard drive in order to make it as secure as possible if the
drive is removed from your site?
a) Encrypt it
b) Compress it
c) Archive it
d) Make sure that a password is required to log into all computers at your site

Q: Your company has had a problem in the past with virus infections occurring on the corporate
network. These problems have been traced to users bringing in infected stick-memory and infecting
their office computers. What is the best solution to this problem?
a) Send an e-mail to all of the users telling them not to use infected disks.
b) Ensure that every office computer has up-to-date virus protection software loaded and
active.
c) Make the users use CDs for data transfer.
d) Ensure that the users are supplied with a batch of new, virus-free disks.

----------------------------------------- The End! ------------------------------------
