2.0 - Technologies and Tools Flashcards
Describe how the principle of least privilege would be applied to an Access Control List (ACL)
Most ACLs are read top to bottom, so it would list all of the Permit statements, with a Deny All statement at the bottom of the list.
You would like to start blocking network traffic based on specific application actions, not just by IP and port. What solution will you need?
Application-Based Firewall. These can inspect traffic on the application layer and filter specific traffic for a given application.
This security feature can look at packets within context and determine if a message is part of a conversation that started inside the network, or a new attempt from outside the network.
Stateful Packet Inspection, on a firewall.
All firewall rulesets should include this rule.
Implicit Deny - in the form of a Deny All command at the bottom of the rule list.
Your brand new organization will need to establish this document in order to determine how network security hardware and software are implemented.
Secure Network Administration Principles
This system defines the desired operational state of systems in such a way that they can be presented as rules.
Rule-Based Management. This method is used for firewalls, proxies, switches, routers, anti-malware, IDS/IPS and more.
Multiple remote users are unable to establish a VPN connection. What network device would you check first?
VPN Concentrator
You need to connect an entire remote office to the main network. What type of connection should you use?
Site-to-Site VPN - as opposed to a Remote Access VPN, which connects a single PC.
This set of protocols works at the network layer (layer 3) to securely exchange packets, so that all higher-layer protocols such as TCP, UDP and ICMP are encrypted.
IPSec
Describe the difference between Transport Mode IPSec and Tunnel Mode IPSec.
Transport Mode - security is provided end-to-end, including the final link to the host. Source and destination IP addresses are not secured.
Tunnel Mode - security occurs between endpoints, but not all the way to the final host. Source and destination addresses are secured (within the tunnel).
Describe the host-to-host configuration for IPSec.
With the Host-to-Host configuration, one or two security associations (SA) are created for each direction between two hosts.
How does the tunnel mode of IPSec work?
With IPSec in tunnel mode only, the endpoint devices do not take part in IPSec, but security gateways on each side of the internet connection encrypt the data on Layer 3.
Can IPSec be run from the endpoints and through a tunnel?
Yes. With this configuration, IPSec is set up on each endpoint, but also run through an IPSec tunnel between two gateway devices. This way data is protected right to the endpoint, and IP addresses are protected through the cloud.
This could be called a tunnel inside a tunnel.
Describe the tunnel from host to gateway configuration for IPSec.
With tunnel from host to gateway IPSec, there is one gateway device which encrypts at layer 3 from a host in the cloud to a host on the LAN. Encryption is end to end.
What are the two protocols used in IPSec and how do they differ?
The AH (Authentication Header) protocol in IPSec does not protect the IP header, so the source and destination IP addresses can be read.
The ESP (Encapsulating Security Payload) protocol in IPSec protects the entire packet, including the IP header.
They can be used separately or together, and in tunnel or transport mode.
What are some of the components of an IDS / NIDS / NIPS?
An IDS will usually include:
- Traffic collector or sensor - a log collector and/or a traffic sniffer
- Analysis engine - The brains of the IDS
- Signature database - reference of malicious patterns and definitions
- User Interface and reporting
When a home user is on a VPN connection from their PC, they can see the company network, but internet sites realize that they are at home and see them at their home IP address. How does this occur?
The VPN connection is set to Split Tunnel mode. In Full Tunnel mode, all of their web browsing would go through the VPN.
Your network is heavily NAT encoded. What type of VPN would be better?
A TLS-based VPN will have an easier time with multiple NAT connections. IPSec-based VPNs have issues crossing multiple NAT domains.
Home users are tired of having to sign into the VPN every morning. What can you implement so that they don’t key your car?
An Always-on VPN will have pre-configured settings and credentials and would not require user interaction.
What is the difference between a NIDS and a NIPS?
A Network Intrusion Detection System (NIDS) will detect a network intrusion but take no action against it.
A Network Intrusion Prevention System (NIPS) has all of the features of a NIDS plus it will take steps to stop the attack.
This type of NIPS / NIDS uses a library of patterns to detect issues.
Signature-Based
This type of NIDS / NIPS uses AI algorithms to detect suspect behavior. It may be able to catch zero day attacks.
Heuristic/Behavioral IPS
This IDS detection model learns what normal behavior looks like on your network, then watches for behavior that differs from that.
Anomaly detection model
A NIPS would need this type of sensor; a NIDS would not.
A NIPS (Network Intrusion Protection System) would need an Inline sensor so that it can directly interact with the data stream and act as a gateway.
A NIDS only detects issues, so it could use a Passive sensor, which uses a copy process to deliver the data to the IPS.
Network performance will be lower with an inline sensor.
You have a set of SQL servers that need the highest level of protection, and only communicate on a few protocols. What type of NIDS/NIPS could you use?
An In-Band NIPS / NIDS will use an inline sensor and will be able to make observations and/or intervene very quickly. But performance can be an issue, especially if many traffic types are being monitored.
An Out-of-Band NIDS uses a passive sensor. It has greater flexibility, but there will be a delay before it detects an issue.
In-Band would work in this scenario, but not to protect an entire network.
Your NIDS is connected to a larger SIEM solution. What advantage will that give you?
Shared analytics from the other SIEM members, which should provide better detection, fewer false positives, and better detection of Advanced Persistent Threats (APT).
Your new intern has configured a new router for remote management via Telnet. What should you do?
Chastise them for not using SSH. Telnet is not secure. (But be nice about it.)
This list on a router determines which packets are allowed to enter the network.
ACL (Access Control List)
How can you reduce IP spoofing from the outside world?
Configure your routers with antispoofing measures. They will reject internal packets where the source IP address does not match the interface IP space.
You have an older switch that can only be configured via SNMPv2. Is that a problem?
Yes. SNMPv1 and SNMPv2 send passwords in clear text. Upgrade it or replace it so that communication is in SNMPv3.
What are the three types of port security that a switch can provide?
Switches can provide these types of port security:
- Static Learning - A single MAC allowed on the port.
- Dynamic learning - the switch learns each new MAC as it is attached.
- Sticky learning - same as dynamic but the list is not reset on reboot
You need your switches to route traffic. What type of switch will you need?
Layer 3 switches can perform routing functions. Layer 2 switches cannot.
What protocol on a layer 2 switch will help prevent traffic loops?
Spanning Tree Protocol (STP) allows for multiple, redundant routing paths, while breaking any loops that occur.
This feature of most firewalls and IDS/IPS solutions prevents DoS, DDoS, and Smurf attacks.
Flood Guard. It monitors traffic rates to detect these types of attacks.
You want to limit the type of requests that can be sent to your web servers. What type of proxy should you put in front of them?
A Reverse Proxy will intercept all incoming requests to your web servers. It can filter traffic, decrypt SSL/TLS traffic, cache graphics and load balance.
What system can you use to filter users' web browsing?
A Forward Proxy can filter outbound web requests made by users on the network.
You want to put users behind a proxy server without changing settings on each PC. What do you need?
A Transparent Proxy
(sometimes called a Force Proxy, Gateway, or Tunneling Proxy)
This simple system filters traffic to just one program.
Application Proxy
(As opposed to a Multipurpose Proxy)
List some services proxies can provide.
Proxies can provide:
- Anonymization
- Caching
- Content Filtering
What is an Open Proxy?
An Open Proxy is one that is publicly available, and can be used to circumvent corporate, school or government proxies.
You want clients to remain connected to the same server throughout their entire session. What feature do you need on your Load Balancer?
Affinity-Based Scheduling
You want your servers to each receive the same number of requests, eventually modified to account for the load on each server. What Load Balancer feature do you need?
Round-Robin Scheduling
How can multiple Load Balancers be configured for redundancy?
Redundant load balancers can be:
- Active-Passive - the secondary device steps in only when the primary fails.
- Active-Active - all devices are active. (Make sure their workload does not exceed N-1 devices, or the system will crash if one device goes down.)
What type of IP addressing do Load Balancers need to use?
Load Balancers use Virtual IPs, which allow multiple IPs to be reflected back to users as a single IP address.
Is hiding the SSID of your wireless network an effective security step?
Not really. The SSID is still part of every packet, and can be discovered by sniffers.
Should you rename the default SSID and disable SSID broadcast on your new Wi-Fi network?
Yes. These are important steps, but not a complete wireless security solution.
You want just the five corporate-owned laptops to be on the production Wi-Fi. What type of filtering can you do, and how effective is it?
With a defined set of devices, you could use MAC filtering on your wireless network. But attackers could sniff out the MACs in use and spoof them.
You want to fine-tune how far beyond the outer walls the wireless signal goes. What do you configure?
Signal Strength
What wireless protocols are 2.4 GHz?
b/g and n are 2.4 GHz
a, n and AC are 5.0 GHz
You want to manage all of your WAPs from a central device. What do you need?
A Thin, or Controller-Based, AP is designed to be managed by a controller. These systems can provide NAC (Network Access Control).
The CIO would like to purchase a system that can collect and analyze security data from multiple sources on the network. What solution would work?
System Information and Event Management (SIEM) system