
ID: 3872349 • Letter: P

Question

Part 1: Explain what a honeypot is. In your explanation, give at least one advantage and one disadvantage of deploying a honeypot on a corporate network.

Part 2: An organization has a network architecture similar to that discussed in class, with a DMZ and an internal network. Should the organization's Active Directory server go in the DMZ or the internal network. Explain your answer in about a paragraph. (If you're not familiar with Active Directory, do some research!)

Part 3: Distinguish among packet filtering firewalls, stateful inspection firewalls, and proxy firewalls. A thorough answer will require at least a paragraph for each type of firewall.

Acme Corporation wants to be sure employees surfing the web aren't victimized through drive-by downloads. Which type of firewall should Acme use? Explain why your answer is correct.

Part 4: Explain why an organization's firewall should block incoming packets the destination address of which is the organization's broadcast address.

Part 5: Explain why an organization's firewall should block outgoing packets the source addresses of which are not in the organization's address space.

Explanation / Answer

Part 1 Answer:

A honeypot is "a resource whose value lies in being attacked or compromised". This means that whatever we designate as a honeypot, it is our expectation and goal to have the system probed, attacked, and potentially exploited. Keep in mind, honeypots are not a solution; they do not 'fix' anything. Instead, honeypots are a tool; how you use that tool is up to you and depends on what you are attempting to achieve. Honeypots may be systems that merely emulate other systems or applications, create a jailed environment, or may be standard-built systems. Regardless of how you build and use the honeypot, its value lies in the fact that it is attacked.

We will break honeypots into two broad categories as "production" and "research", a breakdown I found to be very useful. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. The second category, research, includes honeypots that are designed to gain information on the blackhat community. These honeypots do not add direct value to a specific organization; instead, they are used to gather intelligence on the general threats organizations may face, allowing the organization to better protect against those threats.

Honeypots have certain advantages and disadvantages that affect their value, as below:

Advantage 1: Data Collection:

Honeypots collect very little data, and what they do collect is normally of high value. This cuts the noise down, making it much easier to collect and archive data. One of the greatest problems in security is wading through gigabytes of meaningless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy-to-understand format.

Disadvantage 1: Single point

Honeypots all have one common problem: they are worthless if no one attacks them. Yes, they can accomplish wonderful things; but if the attacker does not send any packets to the honeypot, it will be blissfully unaware of any unauthorized activity.

Part 3 Answer:

Packet Filtering Firewall: A packet filtering firewall is used to control network access by monitoring outgoing and incoming packets and allowing them to pass or stopping them based on source and destination IP addresses, protocols and ports. It analyses traffic at the transport protocol layer (but mainly uses the first 3 layers).
Packet filtering firewalls treat each packet in isolation. They have no ability to tell whether a packet is part of an existing stream of traffic. They can only allow or deny packets based on each packet's own headers. A packet filtering firewall maintains a filtering table which decides whether the packet will be forwarded or discarded.

Stateful Inspection Firewall: Stateful firewalls (which perform Stateful Packet Inspection) are able to determine the connection state of a packet, unlike a packet filtering firewall, which makes them more efficient. A stateful firewall keeps track of the state of network connections travelling across it, such as TCP streams. So the filtering decisions are based not only on defined rules, but also on the packet's history in the state table.

Proxy Firewall: A proxy firewall, or application layer firewall, can inspect and filter packets on any OSI layer, up to the application layer. It has the ability to block specific content, and can also recognize when certain applications and protocols (like HTTP, FTP) are being misused.
In other words, application layer firewalls are hosts that run proxy servers. A proxy firewall prevents direct connections between either side of the firewall; each packet has to pass through the proxy. It can allow or block the traffic based on predefined rules.

Acme should use a proxy firewall, as it makes each request pass through the firewall while employees are surfing the web.

Part 4 Answer:

An organization should block incoming packets whose destination address is the organization's broadcast address, as this broadcasts spam messages within the organization, affecting all systems.

At the Internet router, it is important to block any external traffic that is sourced from an internal IP address. For example, if you have your own allocated block of addresses, you should not see external traffic sourced from one of your internal addresses. If you see traffic sourced from your own internal IP space trying to enter your network from the Internet, it suggests either that someone is spoofing your addresses to try to do you harm or a routing problem has occurred. It is important to block this type of traffic at the Internet router because it is very possible that traffic allegedly sourced from your internal IP space is only subject to limited filtering once it gets to your internal network.

If you don't restrict the incoming packets/data that hosts in your internal networks can access, malware will inevitably find its way onto some of your hosts and may exfiltrate data to a location that an attacker controls. Data exfiltration could also be unintentional, i.e., an insider might incorrectly attach sensitive information to an email message or upload it to a document-sharing service. Sadly, data exfiltration often results from configuration error: misconfigured NetBIOS, DNS, or other service traffic can leak from your trusted networks and be captured or exploited by external parties.

Irrespective of the cause, data exfiltration is a threat you can’t mitigate without egress traffic enforcement, and one you can’t readily detect if you don't log and monitor traffic behavior associated with permitted and prohibited services.

Part 5 Answer:

An organization's firewall should block outgoing packets whose source addresses are not in the organization's address space, as there is a chance that an employee is sending confidential data/information to someone, which could cause problems for the company.

An organization should block everything outbound, really, except a handful of ports. Port 25 is only allowed to the email server on the DMZ, and port 25 is only allowed out of the DMZ from said email server. If a client workstation gets infected and starts spewing out network traffic for whatever reason on whatever port, I want to be able to track it down quickly.
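As an added illustration of Part 1 (example code written for this page, not part of the answer above): a minimal low-interaction honeypot that emulates an SSH server's banner, captures the first bytes every client sends, and tags each connection. The decoy banner, port 2222, and the verdict labels are assumptions made for the example. Because nothing legitimate is ever pointed at the listener, every record it produces is signal, which is the data-collection advantage described above; it also shows the disadvantage, since the honeypot records nothing about an attacker who never sends it a packet.

```python
"""Minimal low-interaction honeypot: a fake SSH server that logs whoever
connects.  Banner text and port are assumed values for this example."""
import json
import socket
import time
from dataclasses import dataclass, asdict
from typing import List, Optional

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"  # assumed decoy banner


@dataclass(frozen=True)
class Probe:
    ts: float
    src_ip: str
    src_port: int
    first_bytes: str  # printable copy of what the client sent first
    verdict: str


def classify(payload: bytes) -> str:
    """Cheap triage of the client's opening bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh-client-handshake"    # scanner or brute-forcer speaking SSH
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http-probe-on-ssh-port"  # web scanner sprayed at every port
    if payload == b"":
        return "banner-grab-only"        # connected, read our banner, left
    return "unknown-payload"


def record_probe(src_ip: str, src_port: int, payload: bytes,
                 now: Optional[float] = None) -> Probe:
    """Build the log record; 'now' is injectable so results are reproducible."""
    return Probe(
        ts=time.time() if now is None else now,
        src_ip=src_ip,
        src_port=src_port,
        first_bytes=payload[:64].decode("ascii", "backslashreplace"),
        verdict=classify(payload),
    )


def handle_connection(conn: socket.socket, addr, sink: List[Probe]) -> Probe:
    """Send the decoy banner, capture the client's first bytes, log, hang up."""
    try:
        conn.sendall(FAKE_BANNER)
        conn.settimeout(3.0)
        try:
            payload = conn.recv(256)
        except OSError:          # timeout or reset: still worth recording
            payload = b""
    finally:
        conn.close()
    probe = record_probe(addr[0], addr[1], payload)
    sink.append(probe)
    print(json.dumps(asdict(probe)))  # one line per probe; ship to the SIEM
    return probe


def serve(host: str = "0.0.0.0", port: int = 2222,
          max_conns: Optional[int] = None) -> List[Probe]:
    """Accept connections one at a time until max_conns (None = forever)."""
    sink: List[Probe] = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while max_conns is None or len(sink) < max_conns:
            conn, addr = srv.accept()
            handle_connection(conn, addr, sink)
    return sink


if __name__ == "__main__":
    serve()
</test>
```

Run it on a host that has no real SSH on that port and alert on every JSON line it prints; the volume stays tiny because only scanners and attackers ever reach it.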
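An added example for Parts 3, 4 and 5 (written for this page; not the answer's code): a toy perimeter filter in Python that makes the packet filtering vs stateful inspection distinction concrete and applies the two address checks. The address block 203.0.113.0/24 and the peer addresses are assumed values taken from the documentation ranges, and the rule sets and scenario packets are constructed for the example. It shows why a stateless filter that must admit web replies with a "source port 80" rule also admits an attacker who simply sets source port 80, while the stateful version admits only replies to flows already in its state table. It then drops an inbound packet to the block's broadcast address (Part 4), an outbound packet whose source is outside the block (Part 5), and, as the router paragraph above describes, an inbound packet claiming an internal source.

```python
"""Toy perimeter filter.  Assumed values: the organization owns
203.0.113.0/24; peers live in 198.51.100.0/24 and 192.0.2.0/24 (all
documentation ranges).  Rule sets and scenario packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ORG_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed organization block
ORG_BROADCAST = ORG_NET.broadcast_address          # 203.0.113.255


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = Internet -> org, "out" = org -> Internet
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    action: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def anti_spoof(p: Packet) -> Optional[str]:
    """Address sanity checks that run before any rule (Parts 4 and 5)."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.direction == "in" and dst == ORG_BROADCAST:
        return "DROP"  # Part 4: a directed broadcast reaches every host at once
    if p.direction == "in" and src in ORG_NET:
        return "DROP"  # an Internet packet cannot legitimately carry our source
    if p.direction == "out" and src not in ORG_NET:
        return "DROP"  # Part 5: never let spoofed packets leave our network
    return None


class StatelessFilter:
    """Packet filtering firewall: every packet judged on its own headers."""

    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules, self.default = rules, default

    def match_rules(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

    def decide(self, p: Packet) -> str:
        return anti_spoof(p) or self.match_rules(p)


class StatefulFilter(StatelessFilter):
    """Stateful inspection: admits replies to flows it has already accepted."""

    def __init__(self, rules: List[Rule], default: str = "DROP"):
        super().__init__(rules, default)
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        verdict = anti_spoof(p)
        if verdict:
            return verdict
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "ACCEPT"  # reply to a tracked flow, no rule needed
        if p.proto == "tcp" and not p.syn:
            return "DROP"    # mid-stream TCP segment with no tracked flow
        verdict = self.match_rules(p)
        if verdict == "ACCEPT":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


# The stateless set needs a "source port 80" rule to let web replies back
# in; the stateful set does not, because the state table handles replies.
STATELESS_RULES = [Rule("out", "tcp"), Rule("in", "tcp", sport=80)]
STATEFUL_RULES = [Rule("out", "tcp")]

SCENARIOS: Dict[str, Packet] = {
    "client_request": Packet("out", "tcp", "203.0.113.10", 40000, "198.51.100.7", 80, syn=True),
    "web_reply": Packet("in", "tcp", "198.51.100.7", 80, "203.0.113.10", 40000),
    "fake_sport80": Packet("in", "tcp", "198.51.100.9", 80, "203.0.113.10", 22, syn=True),
    "smurf_broadcast": Packet("in", "icmp", "198.51.100.9", 0, "203.0.113.255", 0),
    "spoofed_egress": Packet("out", "udp", "192.0.2.77", 53, "198.51.100.7", 53),
    "inbound_internal_src": Packet("in", "tcp", "203.0.113.5", 4444, "203.0.113.10", 445, syn=True),
}


def run(fw: StatelessFilter) -> Dict[str, str]:
    """Feed the scenarios in order (order matters for the stateful table)."""
    return {name: fw.decide(p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    print("stateless", run(StatelessFilter(STATELESS_RULES)))
    print("stateful ", run(StatefulFilter(STATEFUL_RULES)))
```

The "fake_sport80" row is the one to look at: the stateless filter accepts it because the headers look like a web reply, the stateful filter drops it because no client inside ever opened that flow. The three address-check rows are dropped by both, since those decisions need only the addresses on the packet.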