12 Network security Flashcards
What is the foundation of network security?
A secure design
Networks must be designed with security in mind, considering the attack surface and segmentation.
What does NAC stand for in network security?
Network Access Control
NAC and 802.1X protect networks from untrusted devices.
What are some methods to prevent network issues from malicious or misconfigured systems?
(3)
- Port security
- Loop prevention
- Broadcast storm protection
Broadcast storm protection, or storm control, is a network security feature that prevents network overload by limiting broadcast, multicast, and unknown unicast traffic on a switch, dropping excessive traffic when a threshold is exceeded.
Loop prevention (most commonly Spanning Tree Protocol, STP, supplemented by features such as BPDU guard) detects redundant paths between switches and blocks ports or disables links so that frames cannot circulate endlessly; an undetected loop quickly turns into a broadcast storm and network instability.
What is the purpose of network taps?
Copy traffic passing over a link so it can be captured and analyzed out of band. A hardware tap sits inline on the cable and copies frames to a monitoring port; a switch SPAN (mirror) port achieves a similar effect by copying traffic from other switch ports to a monitoring port.
What is a VPN used for?
To tunnel network traffic to another location.
Fill in the blank: Secure network design includes concepts like _______.
[key learning term]
Examples include physical isolation, logical segmentation, and secure protocols.
What is the function of jump servers?
Provide a secure way to access systems in another security zone.
What are load balancers used for?
Spread load among systems.
True or False: Proxy servers centralize connections from a group of clients to a server.
True
What do web filters do?
Filter content and URLs based on rules.
What is the role of data loss prevention systems?
Monitor data at rest, in use and in motion so that sensitive data (card numbers, credentials, regulated records) is identified, flagged and, depending on policy, blocked before it leaves the organization.
What do IDS and IPS devices do?
Identify and take action based on malicious behavior.
IPS = An Intrusion Prevention System (IPS) is a network security technology that monitors network traffic for malicious activity and actively blocks or mitigates detected threats in real time. Because it must be able to drop traffic, an IPS sits inline in the traffic path, so a false positive there blocks legitimate traffic.
IDS = An Intrusion Detection System (IDS) is a network security technology that monitors network traffic and systems for malicious activity or policy violations and alerts administrators to potential threats. It usually works from a copy of the traffic (tap or mirror port) and cannot block anything on its own.
How an IDS works:
- Monitoring: constantly watches network traffic and system activity for suspicious or malicious behavior.
- Detection: signature-based detection compares traffic against a database of known attack patterns; anomaly-based detection flags deviations from a baseline of normal behavior. Signatures miss novel attacks, while anomaly detection produces more false positives.
- Alerting: when suspicious activity is detected, the IDS raises alerts to security administrators or forwards them to a security information and event management (SIEM) system.
Types:
- Network-based IDS (NIDS): monitors network traffic for suspicious activity.
- Host-based IDS (HIDS): monitors activity on individual systems (logs, processes, file changes).
Importance: IDSs are a crucial part of a comprehensive cybersecurity strategy, helping organizations detect and respond to attacks in a timely manner.
IDS vs. IPS: an IDS detects and alerts; an IPS can additionally take action to block or prevent the traffic. Many products can run the same rule set in either mode.
Example: Suricata is a free, open-source IDS/IPS engine.
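The IDS-versus-IPS distinction above, as an added example (not from the flashcards and not Suricata code): a minimal signature engine that runs the same constructed rules in "ids" mode (alert only, deliver) and "ips" mode (alert and drop). The signatures, request lines and SIDs are constructed for illustration; the percent-decoding step shows why sensors normalize input before matching.

```python
"""Minimal signature-based IDS/IPS run over constructed HTTP request lines.
The same rule set runs in two modes: an IDS only alerts, an IPS also drops."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: re.Pattern


# Constructed signatures for illustration; they are not real Suricata rules.
SIGNATURES = [
    Signature(1000001, "SQLi: boolean tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I)),
    Signature(1000002, "Path traversal", re.compile(r"(\.\./){2,}")),
    Signature(1000003, "XSS: script tag", re.compile(r"<script\b", re.I)),
]


@dataclass
class Verdict:
    delivered: bool
    alerts: list = field(default_factory=list)


def inspect(request: str, mode: str = "ids") -> Verdict:
    """Match every signature against one request. Percent-encoding is decoded
    first, otherwise '%20or%20' would slip past a signature that expects spaces
    (a classic IDS evasion). In 'ids' mode matches only raise alerts and the
    request is still delivered; in 'ips' mode any match drops it."""
    decoded = unquote(request)
    alerts = [f"[{s.sid}] {s.msg}" for s in SIGNATURES if s.pattern.search(decoded)]
    if mode == "ips" and alerts:
        return Verdict(delivered=False, alerts=alerts)
    return Verdict(delivered=True, alerts=alerts)


# Constructed sample traffic: one benign request, three attacks.
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /login?user=admin'%20or%20'1'='1 HTTP/1.1",
    "GET /download?file=../../../../etc/passwd HTTP/1.1",
    "POST /comment?body=<script>alert(1)</script> HTTP/1.1",
]


def run(mode: str) -> dict:
    """Summarise what the sensor would do with REQUESTS in the given mode."""
    verdicts = [inspect(r, mode) for r in REQUESTS]
    return {
        "delivered": sum(v.delivered for v in verdicts),
        "dropped": sum(not v.delivered for v in verdicts),
        "alerts": sum(len(v.alerts) for v in verdicts),
    }


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode.upper(), run(mode))
        for r in REQUESTS:
            v = inspect(r, mode)
            print("  ", "DELIVER" if v.delivered else "DROP   ", v.alerts or "-", r)
```

Both modes raise the same three alerts; only the IPS changes what reaches the server, which is also why a false positive costs more in IPS mode.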
What types of firewalls are mentioned?
- Next-generation firewalls
- Web application firewalls
- Unified threat management appliances
A next-generation firewall (NGFW) enhances traditional firewalls by offering deeper network traffic control and security services, including application awareness, integrated intrusion prevention, and cloud-delivered threat intelligence, going beyond basic packet filtering and stateful inspection.
A Web Application Firewall (WAF) is a security tool that protects web applications and APIs by filtering, monitoring, and blocking malicious web traffic and application-layer attacks, such as SQL injection and cross-site scripting, before they reach the application.
Unified Threat Management (UTM) is a cybersecurity approach that consolidates multiple security functions into a single device or service, offering a simplified and centralized solution for network protection against various threats.
What is the purpose of access control lists?
Determine what traffic can flow through devices based on rules.
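An added example (not from the flashcards or any vendor's configuration) of how an ordered ACL is evaluated: rules are checked top to bottom, the first match decides, and anything that matches no rule hits the implicit deny. The management-VLAN rules and addresses are constructed for illustration.

```python
"""Ordered access control list (ACL) evaluation with first-match semantics
and an implicit deny at the end, as routers and firewalls apply it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR, e.g. "10.0.0.0/8"
    dst: str               # CIDR
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every populated field matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, index of the matching rule). The first matching rule
    wins; a packet that matches nothing hits the implicit deny (index None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed ACL protecting a management VLAN (10.99.0.0/24): only the admin
# jump host may reach SSH, and hosts in 10/8 may ping. Order matters: swapping
# the first two rules would lock the admin out, because the deny would match first.
MGMT_ACL = [
    Rule("permit", "tcp", "10.10.5.7/32", "10.99.0.0/24", 22),
    Rule("deny", "tcp", "0.0.0.0/0", "10.99.0.0/24", 22),
    Rule("permit", "icmp", "10.0.0.0/8", "10.99.0.0/24", None),
]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "10.10.5.7", "10.99.0.10", 22),    # admin -> SSH: permit
        Packet("tcp", "10.10.5.8", "10.99.0.10", 22),    # other host -> SSH: deny
        Packet("icmp", "10.20.0.3", "10.99.0.10"),       # ping: permit
        Packet("tcp", "10.10.5.7", "10.99.0.10", 443),   # HTTPS: implicit deny
    ):
        print(pkt, "->", evaluate(MGMT_ACL, pkt))
```

The last packet is the one most often forgotten when reviewing an ACL: nothing permits it, so the implicit deny silently drops it.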
What is out-of-band management?
Management interfaces on a separate VLAN or physical network.
What does DNSSEC do?
Cryptographically signs DNS records so that a validating resolver can verify the authenticity and integrity of responses, defeating forged or poisoned answers. It does not encrypt DNS traffic.
What protocols are leveraged for email security?
- DMARC
- DKIM
- SPF
SPF, DKIM, and DMARC are email authentication protocols that work together to verify the legitimacy of emails and prevent spoofing and phishing attacks. SPF verifies the sending server, DKIM adds a digital signature, and DMARC ties both to the visible From domain and tells receivers how to handle mail that fails.
SPF (Sender Policy Framework):
- SPF defines which mail servers are authorized to send email on behalf of a domain, published as a DNS TXT record (for example v=spf1 ip4:203.0.113.0/24 -all).
- Receiving servers look up the SPF record of the envelope sender domain (the SMTP MAIL FROM / Return-Path, which need not match the From header the user sees) and check whether the connecting server's IP address is authorized.
- An unauthorized IP yields fail (-all) or softfail (~all), and the receiver may reject or flag the message accordingly.
DKIM (DomainKeys Identified Mail):
- DKIM uses cryptographic signing to verify that an email was sent by the signing domain and that the signed headers and body have not been altered in transit.
- The sending server signs selected headers and the body with a private key; the receiver fetches the matching public key from DNS (a TXT record at <selector>._domainkey.<domain>, the selector being named in the DKIM-Signature header) and verifies the signature.
DMARC (Domain-based Message Authentication, Reporting & Conformance):
- DMARC builds on SPF and DKIM: a message passes DMARC only if SPF or DKIM passes and the authenticated domain aligns with the domain in the visible From header. Alignment is what stops an attacker from passing SPF for their own domain while displaying yours.
- Domain owners publish a policy (p=none, p=quarantine or p=reject) telling receivers what to do with mail that fails.
- DMARC also provides aggregate (rua) and failure (ruf) reports, so owners can see who is sending as their domain and fix legitimate sources before moving from p=none to p=reject.
- DMARC policies are defined in a TXT record at _dmarc.<domain>.
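How SPF and DMARC fit together, as an added example (not from the flashcards; the .test domains, IP addresses and DNS records are constructed and DNS is simulated with a dictionary). It evaluates an SPF record with ip4, include and all mechanisms, then applies the From domain's DMARC policy with the alignment check; DKIM verification itself is represented only by its result, since the signature check needs RSA or Ed25519 keys.

```python
"""SPF evaluation and DMARC disposition against a constructed in-memory DNS
zone. A real receiver performs the same steps with live DNS lookups."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed TXT records for fictional .test domains (not real DNS data).
DNS_TXT = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
    "attacker.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
    "_dmarc.weak.test": "v=DMARC1; p=none",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the sending IP against the MAIL FROM domain's SPF record.
    Only ip4/ip6/include/all are modelled; a, mx, exists and redirect are skipped."""
    if depth > 10:                      # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = addr in ip_network(term.split(":", 1)[1], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(ip, term.split(":", 1)[1], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def aligned(auth_domain: str, header_from: str) -> bool:
    """Relaxed DMARC alignment, simplified: the authenticated domain must equal
    the From domain or be a subdomain of it (real implementations compare
    organizational domains using the public suffix list)."""
    return auth_domain == header_from or auth_domain.endswith("." + header_from)


def dmarc_disposition(header_from: str, mail_from_domain: str, spf_result: str,
                      dkim_domain: Optional[str], dkim_valid: bool) -> str:
    """Return 'pass' or the From domain's published policy (none/quarantine/reject).
    DMARC passes only if SPF or DKIM passed AND that identifier aligns with the
    visible From domain; passing SPF for the attacker's own domain does not help."""
    record = DNS_TXT.get(f"_dmarc.{header_from}")
    if record is None:
        return "none"               # no policy published: receiver applies its own rules
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from)
    dkim_ok = dkim_valid and dkim_domain is not None and aligned(dkim_domain, header_from)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail from the domain's own server.
    print(check_spf("203.0.113.5", "example.test"),
          dmarc_disposition("example.test", "example.test", "pass", None, False))
    # Spoof: the attacker passes SPF for attacker.test but displays example.test.
    spf = check_spf("192.0.2.44", "attacker.test")
    print(spf, dmarc_disposition("example.test", "attacker.test", spf, None, False))
```

The second scenario is the one SPF alone cannot stop: the attacker's server is authorized for attacker.test, so SPF passes, but the domain does not align with example.test and the published p=reject policy applies.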
What is the function of TLS in network security?
Protect network traffic.
What do file integrity monitors check?
If files have been changed.
What are honeypots and honeynets used for?
Gather information about attackers.
What is the significance of secure protocols?
Provide ways to send and receive information securely.
What are some key secure protocols mentioned?
- SRTP
- IMAPS
- POPS
- LDAPS
SRTP securely transmits audio and video, IMAPS and POPS are secure versions of IMAP and POP email protocols, and LDAPS secures LDAP directory access.
Fill in the blank: On-path attacks _______ traffic through a system controlled by an attacker.
[key learning term]
On-path attacks intercept and potentially modify traffic through a system controlled by an attacker, acting as a “man-in-the-middle”.
What are examples of DNS attacks?
- Domain hijacking
- DNS poisoning
- URL redirection
These are distinct attacks. Domain hijacking takes over the domain itself, typically by compromising the registrar account or grabbing an expired registration, and changes the nameserver (NS) records so the attacker's servers answer for the whole domain. DNS poisoning (cache poisoning) instead forges answers to a resolver so that it caches an incorrect record and sends clients to the attacker's IP address until the record expires; DNSSEC validation defeats this. URL redirection sends users to an attacker-controlled site by other means, such as a modified hosts file, a compromised web page or an open redirect, without changing DNS records at all.
What do credential replay attacks exploit?
Poorly designed or insecure protocols.
What do denial-of-service attacks aim to do?
Consume resources or target services to cause them to fail.
True or False: Reflected denial-of-service attacks use spoofed source addresses.
True
What is the difference between reflected and amplified denial-of-service attacks?
Reflected uses spoofed addresses; amplified uses small queries for large results.
An amplified denial-of-service attack abuses services such as open DNS resolvers or NTP servers whose responses are many times larger than the requests that trigger them. The attacker sends small requests with the victim's spoofed source address, so the oversized responses are delivered to the victim; combining reflection with amplification lets a small amount of attacker bandwidth produce a very large flood. Rate-limiting responses at the reflector and filtering spoofed sources at the network edge (BCP 38) reduce the exposure.
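Seen from the victim's side, reflected/amplified traffic has a recognizable shape: large UDP responses from a service port arriving from many servers the host never queried. As an added example (not from the flashcards), here is detection logic run over constructed flow records; the typical request sizes used to estimate the amplification factor are assumptions, since the victim never sees the spoofed requests.

```python
"""Spot reflected/amplified DoS traffic in constructed flow records.
Reflector responses (source port 53/123/1900) reach a host that never sent
matching requests, and each response is far larger than a normal query."""
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}
# Assumed rough size of one legitimate request per service, used only to
# estimate amplification: the victim never sees the spoofed requests.
TYPICAL_REQUEST_BYTES = {53: 60, 123: 90, 1900: 130}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int


def detect_reflection(flows, min_ratio: float = 10.0, min_reflectors: int = 3) -> dict:
    """Group inbound UDP flows from reflector ports by destination. Flag a host
    when it received such traffic from several sources it never queried and the
    response/request size ratio exceeds min_ratio."""
    requests_sent = defaultdict(set)   # (host, service port) -> servers it queried
    inbound = defaultdict(list)        # (host, service port) -> response flows received
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS:
            requests_sent[(f.src, f.dport)].add(f.dst)
        if f.sport in REFLECTOR_PORTS:
            inbound[(f.dst, f.sport)].append(f)

    findings = {}
    for (victim, port), responses in inbound.items():
        unsolicited = [f for f in responses if f.src not in requests_sent[(victim, port)]]
        if len({f.src for f in unsolicited}) < min_reflectors:
            continue
        total = sum(f.bytes for f in unsolicited)
        ratio = total / (len(unsolicited) * TYPICAL_REQUEST_BYTES[port])
        if ratio >= min_ratio:
            findings[victim] = {
                "service": REFLECTOR_PORTS[port],
                "reflectors": len({f.src for f in unsolicited}),
                "bytes": total,
                "amplification": round(ratio, 1),
            }
    return findings


# Constructed flow records (addresses from documentation ranges).
SAMPLE_FLOWS = [
    # Legitimate DNS exchange: the client asks 192.0.2.53 and gets a modest reply.
    Flow("10.0.0.5", 51234, "192.0.2.53", 53, "udp", 60),
    Flow("192.0.2.53", 53, "10.0.0.5", 51234, "udp", 120),
    # Reflected/amplified DNS traffic hitting 10.0.0.99 from open resolvers it
    # never queried: the attacker spoofed 10.0.0.99 as the request source.
    Flow("198.51.100.1", 53, "10.0.0.99", 80, "udp", 3000),
    Flow("198.51.100.2", 53, "10.0.0.99", 80, "udp", 3000),
    Flow("198.51.100.3", 53, "10.0.0.99", 80, "udp", 3000),
    Flow("198.51.100.4", 53, "10.0.0.99", 80, "udp", 3000),
    # Unrelated TCP flow, ignored by the detector.
    Flow("10.0.0.7", 40000, "203.0.113.9", 443, "tcp", 5000),
]

if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, info)
```

The legitimate client is not flagged because it sent the query the reply answers; the victim is, because every "response" is unsolicited and roughly fifty times the size of the request that provoked it.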