12 Network security Flashcards
What is Zero Trust in network security?
A security model that emphasizes strict access controls and does not trust any entity by default.
It includes Control Plane components like Adaptive identity, Threat scope reduction, Policy-driven access control, and Data Plane aspects like Implicit trust zones.
What are the components of Deception and disruption technology?
- Honeypot
- Honeynet
- Honeyfile
- Honeytoken
These technologies are designed to deceive attackers and disrupt their activities.
What types of network attacks are commonly identified?
- Distributed denial-of-service (DDoS)
- Domain Name System (DNS) attacks
- Wireless attacks
- On-path attacks
- Credential replay attacks
- Malicious code
Each type presents unique challenges and requires specific mitigation strategies.
What is the purpose of segmentation in network security?
To divide a network into smaller segments to enhance security and control access.
This mitigates risk by limiting the spread of attacks.
What does an Access Control List (ACL) do?
It defines permissions for users and devices to access network resources.
ACLs are crucial for managing access controls in network environments.
What is an Air-gapped network?
A network that is physically isolated from other networks to enhance security.
This isolation prevents unauthorized access and cyber attacks.
What are the failure modes in network security?
- Fail-open
- Fail-closed
These modes determine how a system behaves during a failure, impacting security.
What is the role of a Jump server?
To serve as a secure access point for administrative tasks in a network.
Jump servers minimize direct access to sensitive resources.
What is a Web Application Firewall (WAF)?
A security device that monitors and filters HTTP traffic to and from a web application.
WAFs protect against common web attacks like SQL injection and cross-site scripting.
What are the types of firewalls mentioned?
- Web application firewall (WAF)
- Unified threat management (UTM)
- Next-generation firewall (NGFW)
- Layer 4/Layer 7 firewalls
Each firewall type offers different levels of protection and features.
What does VPN stand for?
Virtual Private Network.
VPNs create secure connections over untrusted networks.
What is the purpose of DNS filtering?
To block access to malicious domains and protect users from phishing and malware.
DNS filtering is a proactive security measure.
What are the components of Email Security?
- DMARC
- DKIM
- SPF
- Gateway
These protocols help authenticate emails and prevent spoofing.
What is DLP in the context of network security?
Data Loss Prevention.
DLP technologies are used to prevent sensitive data from being lost, misused, or accessed by unauthorized users.
What is the significance of hardening targets?
To strengthen network devices against attacks by minimizing vulnerabilities.
Common targets include switches and routers.
True or False: A proxy server can help in improving network security.
True.
Proxy servers can hide the IP addresses of users and filter traffic.
Fill in the blank: The __________ is used to monitor network devices and can send alerts when issues arise.
Simple Network Management Protocol (SNMP) traps
SNMP is widely used for network management.
What are common indicators of malicious activity in networks?
- On-path attacks
- DNS attacks
- Layer 2 attacks
- DDoS
- Credential replay attacks
Recognizing these indicators can help in early detection of security incidents.
What is the primary focus of the Security+ exam?
Implementing designs and explaining the importance of security concepts and components.
What does defense-in-depth refer to in security design?
Multiple controls designed to ensure that a failure in a single control is unlikely to cause a security breach.
How many layers are in the OSI model?
Seven layers.
What are Layers 1–3 of the OSI model known as?
Media layers.
What do Layers 4–7 of the OSI model address?
Reliable data transmission, session management, encryption, and translation of data.
Define attack surface.
The points at which an unauthorized user could gain access to a device or organization.
What is a key concern regarding device placement in network security?
Securing specific zones or network segments.
What are security zones?
Network segments that are separate from less secure zones through logical or physical means.
What is the concept of high availability (HA)?
The ability of a service or system to be consistently available without downtime.
What does the term ‘fail-closed’ mean?
A state where no traffic passes when a security device fails.
Fill in the blank: _______ is the idea of separating devices with no connection between them.
Physical isolation
What is logical segmentation commonly implemented with?
Virtual local area networks (VLANs).
What does SASE stand for?
Secure Access Service Edge.
True or False: Software-defined networking (SDN) allows for dynamic configuration of security zones.
True.
What is the purpose of reputation services?
To track IP addresses, domains, and hosts that engage in malicious activity.
What is the primary goal of network segmentation?
To apply controls or assist with functionality by dividing a network into logical or physical groupings.
What is a screened subnet commonly used for?
To contain web servers or other Internet-facing devices.
What does the term ‘east-west’ traffic refer to?
Traffic flow between systems in the same security zone.
Fill in the blank: _______ is when a protocol is selected based on its secure version.
Implementing secure protocols
What is the difference between fail-open and fail-closed?
Fail-open allows all traffic to pass; fail-closed blocks all traffic.
What is a common risk associated with using alternate ports for services?
Many port scans will still discover the service despite using alternate ports.
Define high availability (HA) design considerations.
Focus on reliability, elimination of single points of failure, and ability to detect and remediate failures.
What are common technologies used for network segmentation?
- VLANs
- Screened subnets (DMZs)
- Intranets
- Extranets
What is the concept of Zero Trust networks?
Nobody is trusted, regardless of whether they are internal or external.
What is the purpose of a cloud access security broker (CASB)?
To enforce policies for cloud resources between service providers and consumers.
What does SD-WAN stand for?
Software-defined wide area network.
True or False: MPLS is commonly used in SD-WAN designs.
True.
What is the role of network taps?
To monitor or access traffic.
Fill in the blank: _______ is a method of providing logical segmentation using software.
Logical segmentation
What does the term ‘east-west’ traffic refer to in a datacenter?
Traffic flow between systems in the same security zone that moves left and right
This terminology describes intrasystem communications.
What is the key principle of Zero Trust architecture?
There is no trust boundary and no network edge; each action is validated when requested
Access is allowed only after policies are checked, including identity and security status.
What are the components of the Control Plane in Zero Trust?
- Adaptive identity
- Threat scope reduction
- Policy-driven access control
- Policy Administrator
These components work together to enforce security policies and decisions.
What role do Policy Engines play in Zero Trust?
They make policy decisions based on rules and external systems
They utilize a trust algorithm to determine access to resources.
Define the term ‘Policy Enforcement Point’ in the context of Zero Trust.
A component that communicates with Policy Administrators to manage access requests
It forwards requests from subjects and receives instructions about connections.
What is the difference between preadmission and postadmission checks in NAC?
- Preadmission: Checks occur before device connects to the network
- Postadmission: Checks occur after device is connected
Different checks are driven by security objectives.
What is the primary function of Network Access Control (NAC)?
To determine whether a system or device should be allowed to connect to a network
NAC places devices into appropriate zones based on security checks.
What is 802.1X used for?
Authenticating devices connected to wired and wireless networks
It employs centralized authentication using EAP.
What is the purpose of port security?
To limit the number of MAC addresses that can be used on a single port
This helps prevent MAC address spoofing and CAM table overflows.
What does DHCP snooping do?
Prevents rogue DHCP servers from handing out IP addresses
It drops messages from unauthorized DHCP servers.
What are the two major VPN technologies mentioned?
- IPSec VPNs
- SSL VPNs
IPSec operates at layer 3; SSL uses TLS and can be clientless.
True or False: A full-tunnel VPN sends all traffic through the VPN.
True
In contrast, split-tunnel VPNs send only specific traffic through the VPN.
What is the main advantage of agent-based NAC solutions?
Greater ability to determine the security state of a machine
They validate patch levels and security settings before admitting a system.
What is the role of the Policy Administrator in Zero Trust?
To execute decisions made by the Policy Engine
They establish or remove communication paths between subjects and resources.
Fill in the blank: The _______ allows a subject to connect through a Policy Enforcement Point.
untrusted system
This connection enables trusted transactions to enterprise resources.
What is the typical use of site-to-site VPNs?
To extend an organization’s network; they are frequently always-on VPNs.
They automatically attempt to reconnect if a failure occurs.
How do remote-access VPNs differ from site-to-site VPNs?
Remote-access VPNs are used in an as-needed mode by remote workers.
Workers activate the VPN only when connecting to specific resources.
What is a full-tunnel VPN?
A VPN that sends all network traffic through the VPN tunnel.
This keeps traffic secure when using untrusted networks.
What is a split-tunnel VPN?
A VPN that only sends traffic intended for systems on the remote trusted network through the VPN tunnel.
It uses less bandwidth but leaves other traffic unprotected.
What are NAC, 802.1X, and VPN used for?
They all play roles in securing networks and network traffic.
Familiarity with each is important for exams.
What are network appliances?
Special-purpose hardware devices, virtual machine and cloud-based software appliances, and hybrid models.
They are used in network design.
What advantages do hardware appliances offer?
Purpose-built for high-speed traffic handling capabilities and other specific functions.
They are typically more efficient than general-purpose devices.
What factors should be considered when choosing a network appliance?
Environment, capabilities needed, existing infrastructure, upgradability, support, and cost.
Choosing a DNS appliance requires careful consideration.
What are the two types of proxy servers?
- Forward proxies
- Reverse proxies
Forward proxies anonymize client requests while reverse proxies aid in load balancing.
What is the purpose of jump servers?
To securely operate in security zones with different security levels.
They provide access with necessary administrative tools.
What do load balancers do?
Distribute traffic to multiple systems, provide redundancy, and ease upgrades and patching.
They help manage web service infrastructures.
What are the two major modes of operation for load balancers?
- Active/active
- Active/passive
Active/active systems share load while active/passive systems activate backups when needed.
What is persistence in load balancing?
Ensures that a client and a server continue to communicate throughout the duration of a session.
This provides a smoother experience for the client.
What is the difference between Layer 4 and Layer 7 devices?
Layer 4 devices operate at the transport layer, while Layer 7 devices interact with application layer traffic.
This distinction impacts application security.
What is a next-generation firewall (NGFW)?
A firewall that interacts with traffic at both layer 4 and layer 7, providing application awareness.
NGFWs can stop application attacks and monitor unexpected traffic.
What are the two detection methods used by intrusion detection and prevention systems?
- Signature-based detection
- Anomaly-based detection
Signature-based relies on known patterns, while anomaly-based detects unusual behavior.
What is the difference between inline and tap network devices?
- Inline devices interact with traffic but may cause outages if they fail.
- Tap devices replicate traffic for inspection without interrupting it.
Taps are safer but offer less interaction with traffic.
What are stateful firewalls?
Firewalls that track the state of active connections and allow traffic based on the state of the conversation.
They provide more context for security decisions.
What are unified threat management (UTM) devices?
Devices that include a range of capabilities such as firewall, IDS/IPS, and data loss prevention.
They are often deployed for an ‘out of the box’ solution.
What is the purpose of web application firewalls (WAFs)?
To intercept, analyze, and apply rules to web traffic.
They protect against attacks targeting web applications.
Fill in the blank: A _______ solution is used to prevent data loss from a network.
data loss prevention (DLP)
DLP solutions often pair agents with filtering capabilities.
What is the primary function of a UTM device?
To provide a wide range of security functionalities and manage multiple security devices through a single interface
UTM stands for Unified Threat Management.
What is a web application firewall (WAF)?
A security device designed to intercept, analyze, and apply rules to web traffic
WAFs help to block attacks in real time and can modify traffic to remove dangerous elements.
What elements are typically included in a firewall rule?
Source, ports and protocols, allow/deny statement, destination IP addresses, host or hosts
Example rule: ALLOW TCP port ANY from 10.0.10.0/24 to 10.1.1.68/32 to TCP port 80.
What is a screened subnet?
A network setup using three interfaces on a firewall to separate untrusted, secured, and public areas
Often referred to as a DMZ.
Define Access Control Lists (ACLs).
Rules that either permit or deny actions on network devices
ACLs can be simple or complex and are similar to firewall rules.
What is the basic format for Cisco’s IP-based ACLs?
access-list access-list-number dynamic name {permit|deny} [protocol] {source source-wildcard|any} {destination destination-wildcard|any}
ACLs allow for detailed control over network traffic.
What is a honeypot?
A system intentionally configured to appear vulnerable for research on attacker techniques
Honeypots are monitored to document attacker actions.
What is the purpose of honeyfiles?
To serve as intrusion detection by containing detectable data in areas attackers are likely to visit
If accessed, it indicates a potential breach.
What are honeytokens?
Attractive data used to track unauthorized access or transfer attempts
They can be found in databases or files and help identify breaches.
What is the role of Domain Name System Security Extensions (DNSSEC)?
To provide authentication of DNS data to validate queries
DNSSEC helps close security gaps in the DNS protocol.
What are the three major methods of email protection outlined in the Security+ exam?
- DKIM
- SPF
- DMARC
Each method has a specific role in verifying email authenticity.
What does DKIM do?
Adds a signature to emails to verify they are from the claimed domain
It helps ensure message integrity.
What is SPF in email security?
An authentication technique that publishes a list of authorized email servers
SPF records help prevent spoofing.
What does DMARC stand for?
Domain-based Message Authentication, Reporting and Conformance
DMARC uses SPF and DKIM to validate email authenticity.
What is the key concept of ephemeral keys in TLS?
Each connection receives a unique, temporary key to ensure perfect forward secrecy
This protects past and future communications even if a key is compromised.
What is the Simple Network Management Protocol (SNMP) used for?
To monitor and manage network devices
SNMP uses a management information base (MIB) for device information.
What is an SNMP trap?
A message sent from an SNMP agent to a manager to notify of an error or event
Traps allow for proactive management of network devices.
What is the significance of monitoring services and systems?
Ensures that organizational services are online and functioning as expected
Monitoring is crucial for maintaining service availability.
What is the primary function of monitoring services and systems?
To ensure that an organization’s services are online and accessible
Monitoring includes checking service responses and validating service functionality.
What is the simplest level of service monitoring?
Validating whether a service port is open and responding
This basic functionality helps identify significant issues like service failures.
What does the next level of monitoring require?
Interaction with the service and understanding of valid responses
This includes validating performance and response times.
What does the final level of monitoring systems look for?
Indicators of likely failure
It uses a broad range of data to identify pending problems.
Where are service monitoring tools commonly integrated?
Operations monitoring tools, SIEM devices, and organizational management platforms
These tools help provide insight into ongoing issues for security administrators.
What is the role of a file integrity monitor?
To detect changes in configuration files and restore them to normal
It reports on unexpected changes in the system.
What is a well-known file integrity monitoring tool?
Tripwire
Tripwire has both commercial and open-source versions.
How do file integrity monitoring tools like Tripwire work?
They create a signature or fingerprint for a file and monitor for changes
They focus on unexpected and unintended changes.
What is a key challenge when using file integrity monitors?
They can be noisy and require careful setup and maintenance
Files change frequently, making monitoring complex.
What is meant by hardening network devices?
Securing them to keep them safe from attacks
Hardening guidelines exist for many device operating systems.
Who provides hardening guidelines for network devices?
The Center for Internet Security (CIS) and device manufacturers
These guidelines help follow industry best practices.
What is an important step in hardening network devices?
Protecting their management console
This often involves using isolated VLANs and access via jump servers or VPN.
Why is physical security critical for network devices?
To secure network closets and monitor access
Electronic access mechanisms help track who accesses secured spaces.
True or False: Securing the services a network provides is not important for the Security+ exam.
False
It is a key element in the exam outline.
Fill in the blank: File integrity monitoring helps to track _______.
changes
It is essential for maintaining system integrity.
What is the primary purpose of secure protocols in network security?
To ensure that a system or network breach does not result in additional exposure of network traffic.
Secure protocols are essential in a defense-in-depth strategy.
Which secure version of the Session Initiation Protocol is used for secure voice and video communications?
SIPS
SIPS is the secure version of SIP.
What is the secure version of the Network Time Protocol called?
NTS
NTS relies on TLS for authentication.
Name three secure protocols used for email communication.
- IMAPS
- POPS
- S/MIME
These protocols ensure secure email retrieval and transmission.
What has largely replaced File Transfer Protocol (FTP)?
- HTTPS file transfers
- SFTP
- FTPS
The choice depends on organizational preferences.
What does LDAPS stand for?
Lightweight Directory Access Protocol Secure
LDAPS is the secure version of LDAP.
Which protocol is used for secure remote shell access?
SSH
SSH has replaced telnet for secure remote access.
True or False: DNSSEC provides confidentiality for DNS information.
False
DNSSEC focuses on ensuring that DNS information is not modified but does not provide confidentiality.
What does SNMPv3 improve upon compared to previous versions?
Authentication, message integrity validation, and confidentiality via encryption.
Only the authPriv level uses encryption.
Fill in the blank: Hypertext Transfer Protocol over SSL/TLS is commonly referred to as _______.
HTTPS
HTTPS relies on TLS for security.
What is the secure version of the Real-Time Protocol called?
SRTP
SRTP provides security for audio and video streams.
What does S/MIME provide for email messages?
Encryption and signing of MIME data
It ensures authentication, integrity, nonrepudiation, and confidentiality.
What is the main function of IPSec?
To encrypt and authenticate IP traffic.
IPSec is a suite of security protocols.
What are the two main components of IPSec that focus on security?
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
AH ensures data integrity, while ESP provides encryption.
What does ISAKMP define in relation to IPSec?
How to authenticate the system and manage security associations.
ISAKMP is crucial for key exchange and authentication.
What is the original port for HTTP?
TCP 80
The secure version, HTTPS, uses TCP 443.
List two protocols used for secure email authentication.
- DKIM
- DMARC
These protocols help improve email security and reduce spam.
Fill in the blank: The secure version of FTP that uses TLS is called _______.
FTPS
FTPS can operate in explicit or implicit mode.
What is the main advantage of SFTP over FTPS?
Easier to get through firewalls
SFTP uses only the SSH port.
Which protocol is used to secure VPN connections?
IPSec
IPSec is often used in tunnel mode for VPNs.
What is an on-path attack also known as?
Man-in-the-middle (MitM) attack
An on-path attack involves relaying traffic through a system controlled by an attacker.
What can an attacker do during an on-path attack?
Eavesdrop or alter communications
This allows attackers to read and modify data being transmitted.
What is SSL stripping?
An attack that removes TLS encryption to read traffic intended for a trusted endpoint
SSL stripping takes advantage of the transition from HTTP to HTTPS.
What are the three phases of an SSL stripping attack?
- User sends an HTTP request
- Server responds with a redirect to HTTPS
- User sends an HTTPS request for the page
Each phase is critical for the success of the attack.
How can you stop SSL stripping attacks?
- Configure systems to expect certificates from known authorities
- Use HTTP Strict Transport Security (HSTS)
- Require HTTPS throughout the site
- Use browser plug-ins like HTTPS Everywhere
These strategies help mitigate the risk of SSL stripping.
What is a browser-based on-path attack?
An attack relying on a Trojan inserted into a user’s browser
This type of attack can bypass TLS encryption and access authenticated sessions.
What are common indicators of on-path attacks?
Changed network gateways or routes
Sophisticated attackers may compromise network switches or routers.
What is domain hijacking?
Changing the registration of a domain to intercept traffic
This can be done through technical means or social engineering.
What is DNS poisoning?
Providing false DNS responses to redirect traffic
This can involve pretending to be an authoritative DNS server.
What does DNSSEC do?
Validates the origin of DNS information and ensures responses are unmodified
This helps prevent DNS attacks like DNS poisoning.
What is URL redirection in the context of DNS attacks?
Inserting alternate IP addresses into a system’s hosts file
This can mislead systems during DNS lookups.
What are credential replay attacks?
Capturing and re-sending valid network data
Most commonly, this involves re-sending authentication hashes.
What is a common indicator of replay attacks?
On-path attack indicators like modified gateways or routes
These changes can signify an ongoing replay attack.
What are common examples of malicious code?
- Worms
- Backdoors
- Viruses
- Trojans
- Ransomware
These can spread via network connections.
What is a distributed denial-of-service (DDoS) attack?
An attack conducted from multiple locations, networks, or systems
DDoS attacks are difficult to stop and hard to detect.
What are the two major categories of network DDoS attacks?
- Volume-based
- Protocol-based
Each category targets different aspects of network traffic.
What is a UDP flood?
A volume-based DDoS attack that sends massive amounts of UDP traffic
UDP floods exploit the lack of a handshake protocol.
What is a SYN flood?
A protocol-based DDoS attack that sends SYN packets without completing the handshake
This consumes TCP stack resources on the target.
What is an amplified denial-of-service attack?
An attack that uses small queries to generate large responses from legitimate services
This type of attack amplifies the amount of traffic directed at the target.
What is a reflected denial-of-service attack?
An attack where the spoofed IP address causes a legitimate service to conduct the attack
This makes it difficult to identify the actual attacker.
What is the final element to know for the exam regarding network attacks?
Familiarity with secure protocols and common network attacks
Understanding how to identify, prevent, and respond to these attacks is crucial.
What must security professionals understand about secure networks?
How secure networks are designed
This includes infrastructure considerations, connectivity requirements, and security zones.
What factors are included in infrastructure considerations for security professionals?
The organization’s attack surface, device placement, and security zones
These factors help in establishing a secure network design.
What connectivity requirements need to be accounted for in network design?
Speed and latency
Additionally, failure modes need to be determined for devices.
What are the two types of failure modes for devices in a secure network?
- Fail open to maintain access
- Fail closed to ensure security
What concepts help create barriers to attacks and exploits?
- Physical isolation
- Air-gapping
- Logical segmentation
What do high-availability design concepts ensure?
Systems remain online despite issues or disasters
What is the purpose of secure protocols in network security?
To keep data secure in transit
What is a characteristic of software-defined networks?
They rely on the ability to be controlled by software
What do SD-WANs manage?
Connectivity outside of the local organization
What does SASE help protect?
Devices regardless of their location
What model does zero trust concepts promote?
A continuous validation and authorization model
What technologies help control access to networks?
- Network access control (NAC)
- 802.1X
- Port security
What do VPNs provide?
Secure remote access and protect organizational data in transit
What are security tools often available as?
Security appliances and devices
What is the function of secure access via jump boxes?
Allows administrators to safely cross security boundaries
Name three network capabilities provided by load balancers, proxy servers, and web filters.
- Load balancing
- Proxy services
- Web filtering
What security functionalities do firewalls, IDS, IPS devices, and DLP tools provide?
Focused security functionality
What should be included in security and device management design options?
- Out-of-band management techniques
- Access control lists
- Quality-of-service functionality
- Routing protocol security options
- DNS security configurations
- Broad use of TLS and TLS-enabled services
- SNMP and monitoring tools
- Honeynets and honeypots
What is important about using secure protocols and services?
Understanding limitations and implementation requirements
What happens once attackers are in a network?
They will attempt to gain access to network traffic
What options are part of the secure network design toolkit?
- Secure email
- Secure FTP
- Secure HTTP
- Secure Shell
What types of attacks need to be identified in network security?
- On-path attacks
- DNS attacks
- Credential replay
- Distributed denial-of-service attacks
What do identifiable characteristics of attacks include?
Traffic patterns and switch behavior