2.1 Install and configure network components

Question 1

Firewall

Answer 1

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules

Types of implementations:

1) Firewalls that protect a whole network
2) Firewalls that protect a single host.
3) Border firewalls, filter traffic between trusted local network and untrusted external networks.
4) Internal firewalls, such as DMZ config’s can be placed anywhere within the network, either inline or as host firewalls, to filter traffic flows between different security zones.

Question 2

ACL

Answer 2

(Access Control List) Specifies which subjects (user accounts, host IP addresses) are allowed or denied access and privileges given over the object.

Question 3

Application-based firewall vs. network-based firewall

Answer 3

Application-based firewalls: run as software on any type of computing host.
Network-based: hardware firewall that performs function of firewall only.

Question 4

Stateful vs. stateless

Answer 4

Stateless: a type of firewall that does not preserve information about the connection between two hosts or previous packets. ex. packet-filtering firewall.
Stateful: a type of firewall that stores information about hosts in a dynamically updated stable state .

Question 5

Implicit deny

Answer 5

A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.

Question 6

VPN concentrator

Answer 6

A VPN-enabled router. Helps manage multiple VPN gateways remotely. It is a server-side feature.

Question 7

Remote access vs. site-to-site

Answer 7

Remote access: clients temporarily connect to a VPN gateway from a local network.
Site-to-site: two or more local networks permanently connected, each of which runs a VPN gateway. ex. branch office connected to headquarters

Question 8

IPSec

Answer 8

Internet Protocol Security: a set of standards you can use to secure data as it travels across a network or the internet.

Question 9

Tunnel mode

Answer 9

1/2 IPSec mode; the IP header for each packet is not encrypted, just the data (payload). This mode would be used to secure communications on a private network.

Question 10

Transport mode

Answer 10

2/2 IPSec mode; the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an unsecure network. This is also referred to as a router implementation.

Question 11

AH

Answer 11

Authentication Header; AN IPsec PROTOCOL that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.

Question 12

ESP

Answer 12

Encapsulation Security PAYLOAD; an IPSec protocol that provides authentication AND confidentiality by encrypting the packets.

Question 13

Split tunnel vs full tunnel

Answer 13

The two ways of managing a connection between a client and a VPN.
Split tunnel: the client accesses the Internet directly using its “native” IP configuration and DNS servers.
Full tunnel: Internet access is mediated by the corporate network, which will alter the client’s IP address and DNS servers and may use a proxy.

Question 14

TLS

Answer 14

Transport Layer Security VPN; commonly referred to a SSL VPN, is a client-to-server connection that authenticates the client which creates an encrypted tunnel for the user to submit authentication credentials.

Question 15

Always-on VPN

Answer 15

A version of VPN where the computer establishes the VPN whenever the Internet connection over a trusted network is detected.

Question 16

NIPS/NIDS

Answer 16

Network-based intrusion Prevention system: an inline security device that montors suspicious network and/or system traffic and reacts in real time to block it.

Network intrusion Detection system: a packet sniffer with an analysis engine to identify malicious traffic and a console to allow configuration of the system. Provides passive detection. Identifies and logs hosts and applications, and detects attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions etc.

Question 17

Signature-based

Answer 17

Also referred to as pattern-matching, means that the engine/anti-virus is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

Question 18

Heuristic/behavioral Detection

Answer 18

Also referred to as profile-based detection, means that the engine is trained to recognize baseline “normal” traffic or events. Anything that deviates from this baseline generates an incident. Helps detect ‘zero day’ attacks. The engine generates a statistical model of what the baseline looks like, using heuristics.

Question 19

Anomaly (logs)

Answer 19

Looking for irregularities in the use of protocols.

Question 20

Inline vs. passive (protection)

Answer 20

Inline: protects the whole network, provides active response to any network threats
Passive detection: log intrusion incidents and to display an alert to mgmt. interface/email admin account.

Question 21

In-band vs. out-of-band

Answer 21

In-band: the sensor uses the same network as the link being monitored
Out-of-band: establishes separate cabling infrastructure or same cabling but separate VLAN.

Question 22

Rules

Answer 22

plug-ins, feeds

Question 23

Analytics (logs)

Answer 23

The process of reviewing the events and incidents that trigger IDS/IPS

Question 24

Router firewall

Answer 24

A router firewall has firewall functionality built into the router firmware.

Question 25

Anti-spoofing

Answer 25

IP spoofing disguises the identity of the attacker’s host machine. Anti-spoofing requires authenticated IPSec tunnels to critical services

Question 26

Switch

Answer 26

Switch ports are used to physically segment or segregate hosts.

Question 27

Layer 2 vs. Layer 3

Answer 27

Layer 2 is a broadcast Media Access Control (MAC) level network, while a Layer 3 is a segmented routing over internet protocol (IP) network.

Question 28

Loop prevention

Answer 28

Spanning Tree Protocol (STP) prevent layer 2 looping.

Question 29

Flood guard

Answer 29

Portfast command, and BPDU Guard settings prevent ports from being flooded.

Question 30

Proxy

Answer 30

Router that acts as a relay between client and server in DMZ. Web proxies are often described as web security gateways and their usual function is to prevent viruses or Trojans.

Question 31

Forward and Reverse proxy

Answer 31

Forward Proxy: intermediary server/gateway the client puts forward between itself and server
Reverse Proxy: intermediary gateway the server puts between itself and client

Question 32

Transparent Proxy

Answer 32

A transparent proxy intercepts client traffic without the client having to be reconfigured. Must be implemented on a switch or router.

Question 33

Load balancer

Answer 33

Distributes client request across available server nodes in a farm/pool. Uses Virtual IP, Scheduling, Round Robins and Affinity.

Question 34

Scheduling

Answer 34

Code and metrics that determine which node is selected for processing each incoming request.

Question 35

Affinity

Answer 35

When a client establishes a session, it becomes stuck to the node that first accepted the request.

Question 36

Round Robin

Answer 36

Load balancing scheduling algorithm which simply picks the next node/server

Question 37

Active-passive clustering

Answer 37

Use a redundant node to failover. The last node doesn’t support and services until a failover occurs. Then the redundant node assumes the IP address of the failed node.

Question 38

Active-active clustering

Answer 38

All nodes are processing concurrently.

Question 39

Virtual IPs

Answer 39

Each server node or instance needs its own IP address, but externally a load-balanced service is advertised using Virtual IP (VIP) address.

Question 40

Access point

Answer 40

A device that provides a connection between wireless devices and can connect to wired networks. The AP is normally attached to the LAN using standard cabling and transmites and receives network traffic to and from wireless devices.

Question 41

SSID

Answer 41

Service Set Identifier is a character string that identifies a particular wireless LAN

Question 42

MAC filtering

Answer 42

(Media Access Control filtering) Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

Question 43

Signal Strength

Answer 43

The amount of power used by the radio in an access point or station.

Question 44

Band selection/width

Answer 44

Wi-Fi products work in either the 2.4 GHz or the 5 GHz band or both. Bandwidth is the maximum volume of data that can be transmitted across a network over a period of time.

Question 45

Antenna types and placement

Answer 45

Rubber ducky antennas: the plastic coated variants often used as AP’s
Yagi: bar with fins ex. old t.v. antenna
Parabolic: dish
Directional: useful to an eavesdropper

Placement should consider the maximum range (about 30m). Other radio devices may cause interference such as fluorescent lighting, microwave ovens, and heavy machinery.

Question 46

Fat vs. thin (AP’s)

Answer 46

An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of wireless controller is known as a Fat AP.
AP’s that require a wireless controller in order to function are known as Thin AP’s.

Question 47

SIEM

Answer 47

(Security Information and Event Management) A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. Used to review logs.

Question 48

Aggregation (logs)

Answer 48

Pools logs from sources including: switches, routers, firewalls, IDS sensors, vulnerability scanners, malware scanners, Data Loss Prevention, and databases.

Question 49

Correlation

Answer 49

Link individual events or data points into meaningful indicator of risk.

Question 50

Automated alerting and triggers

Answer 50

Allow administrators to identify and troubleshoot serious logs and event anomalies promptly. May take the form of a recorded log or an active notification like an email

Question 51

Time synchronization

Answer 51

Configure a standard time zone across all appliances to aid a SIEM’s log records.

Question 52

Event deduplication

Answer 52

Reducing redundancy of identical errors.

Question 53

Logs

Answer 53

Logs function as an audit trail of action and provide a warning of intrusion attempts. Logs record both authorized and unauthorized usses of resource and privilege.

Question 54

DLP

Answer 54

(Data Loss Prevention) products that scan content in structured formats, such as a database with a formal AC model or unstructured formats. They use a dictionary database or algorithm to identify confidential data and restrict the transfer of this data.

Question 55

Cloud-based DLP

Answer 55

Extends the protection mechanisms to cloud storage services, using either proxy to mediate access to the cloud service provider’s API to perform scanning and policy enforcement.

Question 56

NAC

Answer 56

(Network Access Control) A means of ensuring endpoint security- ensuring that all devices connecting to the network conform to a health policy.

Question 57

Dissolvable vs. permanent

Answer 57

Dissolvable: a non-persistent agent is loaded into memory during posture assessment but is not installed on the device.
Permanent: a persistent agent is installed as a software application on the client.

Question 58

Host health checks

Answer 58

Part of a posture assessment. Verify compliance with the health policy.

Question 59

Agent vs. agentless

Answer 59

Agentless: posture assessment performed when a NAC solution must support a wide range of devices, but less detailed information about the client is available.
Agent: A client software which gathers information about a device such as anti-virus, patch status etc.

Question 60

Mail gateway

Answer 60

Provides spam filtering, data loss prevention and encryption.

Question 61

Spam filter

Answer 61

Blocking unwanted email.

Question 62

Bridge

Answer 62

A device similar to a switch that has one port for incoming traffic and one port for outgoing traffic.

Question 63

SSL/TLS accelerators

Answer 63

A hardware device with a specialist chipset - Application Specific Integrated Circuit - dedicated to performing public key encryption. Usually they are implemented as plug-in cards for server equipment or load balancing appliances and therefore can be placed anywhere in the network where SSL/TLS offloading is desired.

Question 64

SSL decryptors

Answer 64

A type of proxy used to examine encrypted traffic before it enters or leaves the network. Ensures that traffic complies with data policies and that encryption is not being misused i.i. data exfiltration or to operate a Command & Control (C2) Remote Access Trojan.

Question 65

Media gateway

Answer 65

Handles the job of interfacing between to multiple communication applications to create a unified communication application (UC)

Question 66

Hardware security module

Answer 66

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.