
QUESTION


1. Firewall

   a. MASQUERADE.
      1. How is MASQUERADE used?
         Ans:
      2. Give an example of an iptables command for setting up MASQUERADE.
         Ans:
      3. When an intranet's HTTP response returns, what action will be performed on the packet based on the MASQUERADE function?
         Ans:

   b. DNAT.
      1. How is DNAT used?
         Ans:
      2. Is it applied in PREROUTING or POSTROUTING?
         Ans:

   c. A web site uses CGI scripts on a DMZ web server to save the purchasing/credit card information filled in by the customer. The purchasing/credit card information is then transferred back to the intranet database server for processing. Unfortunately (or we should say inconveniently for the designer), the security policy of the inner firewall prohibits the DMZ web server from initiating a connection to the intranet. We need to let the intranet database server periodically pull the credit card files in. Here we assume the hacker can only read the directory for the purchasing/credit card info but cannot change the CGI script.
      1. One security engineer proposes to use AES to encrypt the credit card info as a file before the data is transferred back by the intranet database server for processing. What is wrong with the design?
         Ans:
      2. Someone suggests that another encryption scheme will work. Please name the scheme and describe how and why it will work even when the hacker is scanning constantly.
         Ans:
      3. Assume now the hacker can read the main memory content. Will the above scheme still work? How do you prevent the plain credit card info in memory from being snatched?
         Ans:
      4. Assume now the hacker can overwrite files, including the scripts. Will the above scheme work? How do you detect that if you cannot prevent it? Name a system that helps you detect that.
         Ans:

2. IDS

   a. How can a zero-day worm be detected? Briefly discuss one technique.
      Ans:

   b. If a hacker changes the content of the TFN DDoS attack msg from "1234" to "blast", what will be the new Snort rule to be added?
      Ans:

   c. The above scenario indicates the problem with IDS detection based on specific patterns.
      1. If the attacker changes the content again, the existing rules will produce false _______. (Fill in the blank.)
      2. One security engineer suggests changing the attribute "Content:blast" to "Content: *", a wildcard pattern that matches. This new Snort rule will produce way too many false _____. (Fill in the blank.)
      3. What is your solution to this? Hint: We discussed a paper using this approach for detecting zero-day worms.
         Ans:

   d. What are the rule options in Snort that can improve the efficiency of the intrusion detection process? List two. Briefly discuss why.
      Ans:

   e. Explain how a honeypot can be used to reduce false positives.
      Ans:

   f. A new iptables feature allows matching a string and thus can be used to implement a Snort IDS rule. For example,

         alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)

      can be implemented as

         $IPTABLES -A FWSNORT -p tcp --dport 80 -m string --string "nmap%20" --algo bm -m comment --comment "WEB-ATTACKS nmap command attempt; classtype:web-application-attack; sid:1361; rev:5; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[20] SID1361 ESTAB "

      1. What is the advantage of implementing an IDS rule as an iptables command?
      2. What will be the iptables command for the following Snort rule?

            alert tcp any any -> 192.168.1.0/24 143 (content: "|90CB C0FFFFFF|/bin/sh"; msg: "IMAP buffer overflow!")
