2.1 Install and configure network components Flashcards
Firewall
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Types of implementations:
1) Firewalls that protect a whole network
2) Firewalls that protect a single host.
3) Border firewalls filter traffic between a trusted local network and untrusted external networks.
4) Internal firewalls, such as DMZ configurations, can be placed anywhere within the network, either inline or as host firewalls, to filter traffic flows between different security zones.
ACL
(Access Control List) Specifies which subjects (user accounts, host IP addresses) are allowed or denied access and privileges given over the object.
Application-based firewall vs. network-based firewall
Application-based firewalls: run as software on any type of computing host.
Network-based: a hardware firewall that performs the function of a firewall only.
Stateful vs. stateless
Stateless: a type of firewall that does not preserve information about the connection between two hosts or previous packets. ex. packet-filtering firewall.
Stateful: a type of firewall that stores information about hosts in a dynamically updated state table.
Implicit deny
A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.
VPN concentrator
A VPN-enabled router. Helps manage multiple VPN gateways remotely. It is a server-side feature.
Remote access vs. site-to-site
Remote access: clients temporarily connect to a VPN gateway from a local network.
Site-to-site: two or more local networks permanently connected, each of which runs a VPN gateway. ex. branch office connected to headquarters
IPSec
Internet Protocol Security: a set of standards you can use to secure data as it travels across a network or the internet.
Tunnel mode
1/2 IPSec mode; the IP header for each packet is not encrypted, just the data (payload). This mode would be used to secure communications on a private network.
Transport mode
2/2 IPSec mode; the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an insecure network. This is also referred to as a router implementation.
AH
Authentication Header; an IPsec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.
ESP
Encapsulating Security Payload; an IPSec protocol that provides authentication and confidentiality by encrypting the packets.
Split tunnel vs full tunnel
The two ways of managing a connection between a client and a VPN.
Split tunnel: the client accesses the Internet directly using its “native” IP configuration and DNS servers.
Full tunnel: Internet access is mediated by the corporate network, which will alter the client’s IP address and DNS servers and may use a proxy.
TLS
Transport Layer Security VPN; commonly referred to as an SSL VPN, is a client-to-server connection that authenticates the client, which creates an encrypted tunnel for the user to submit authentication credentials.
Always-on VPN
A version of VPN where the computer establishes the VPN whenever the Internet connection over a trusted network is detected.
NIPS/NIDS
Network-based Intrusion Prevention System: an inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
Network Intrusion Detection System: a packet sniffer with an analysis engine to identify malicious traffic and a console to allow configuration of the system. Provides passive detection. Identifies and logs hosts and applications, and detects attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, etc.
Signature-based
Also referred to as pattern-matching, means that the engine/anti-virus is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
Heuristic/behavioral Detection
Also referred to as profile-based detection, means that the engine is trained to recognize baseline “normal” traffic or events. Anything that deviates from this baseline generates an incident. Helps detect ‘zero day’ attacks. The engine generates a statistical model of what the baseline looks like, using heuristics.
Anomaly (logs)
Looking for irregularities in the use of protocols.
Inline vs. passive (protection)
Inline: protects the whole network and provides an active response to any network threats.
Passive detection: logs intrusion incidents and displays an alert on the management interface or emails the admin account.
In-band vs. out-of-band
In-band: the sensor uses the same network as the link being monitored.
Out-of-band: uses a separate cabling infrastructure, or the same cabling but a separate VLAN.
Rules
plug-ins, feeds
Analytics (logs)
The process of reviewing the events and incidents that trigger the IDS/IPS.
Router firewall
A router firewall has firewall functionality built into the router firmware.
Anti-spoofing
IP spoofing disguises the identity of the attacker’s host machine. Anti-spoofing requires authenticated IPSec tunnels to critical services.
Switch
Switch ports are used to physically segment or segregate hosts.
Layer 2 vs. Layer 3
Layer 2 is a broadcast Media Access Control (MAC) level network, while Layer 3 is a segmented, routed Internet Protocol (IP) network.
Loop prevention
Spanning Tree Protocol (STP) prevents Layer 2 looping.
Flood guard
The PortFast command and BPDU Guard settings prevent ports from being flooded.
Proxy
A router that acts as a relay between client and server in the DMZ. Web proxies are often described as web security gateways, and their usual function is to prevent viruses or Trojans.
Forward and Reverse proxy
Forward Proxy: an intermediary server/gateway that the client puts between itself and the server.
Reverse Proxy: an intermediary gateway that the server puts between itself and the client.
Transparent Proxy
A transparent proxy intercepts client traffic without the client having to be reconfigured. Must be implemented on a switch or router.
Load balancer
Distributes client requests across available server nodes in a farm/pool. Uses Virtual IPs, Scheduling, Round Robin and Affinity.
Scheduling
Code and metrics that determine which node is selected for processing each incoming request.
Affinity
When a client establishes a session, it becomes stuck to the node that first accepted the request.
Round Robin
Load balancing scheduling algorithm which simply picks the next node/server in turn.
Active-passive clustering
Uses a redundant node for failover. The redundant node does not provide any services until a failover occurs. Then the redundant node assumes the IP address of the failed node.
Active-active clustering
All nodes are processing concurrently.
Virtual IPs
Each server node or instance needs its own IP address, but externally a load-balanced service is advertised using a Virtual IP (VIP) address.
Access point
A device that provides a connection between wireless devices and can connect to wired networks. The AP is normally attached to the LAN using standard cabling and transmits and receives network traffic to and from wireless devices.
SSID
Service Set Identifier is a character string that identifies a particular wireless LAN.
MAC filtering
(Media Access Control filtering) Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.
Signal Strength
The amount of power used by the radio in an access point or station.
Band selection/width
Wi-Fi products work in either the 2.4 GHz or the 5 GHz band or both. Bandwidth is the maximum volume of data that can be transmitted across a network over a period of time.
Antenna types and placement
Rubber ducky antennas: the plastic-coated variants often used on APs.
Yagi: a bar with fins, ex. an old TV antenna.
Parabolic: dish
Directional: useful to an eavesdropper
Placement should consider the maximum range (about 30m). Other radio devices may cause interference such as fluorescent lighting, microwave ovens, and heavy machinery.
Fat vs. thin (AP’s)
An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a Fat AP.
APs that require a wireless controller in order to function are known as Thin APs.
SIEM
(Security Information and Event Management) A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications. Used to review logs.
Aggregation (logs)
Pools logs from sources including: switches, routers, firewalls, IDS sensors, vulnerability scanners, malware scanners, Data Loss Prevention, and databases.
Correlation
Links individual events or data points into a meaningful indicator of risk.
Automated alerting and triggers
Allow administrators to identify and troubleshoot serious log and event anomalies promptly. May take the form of a recorded log or an active notification such as an email.
Time synchronization
Configure a standard time zone across all appliances to aid a SIEM’s log records.
Event deduplication
Reducing redundancy of identical errors.
Logs
Logs function as an audit trail of actions and provide a warning of intrusion attempts. Logs record both authorized and unauthorized uses of resources and privileges.
DLP
(Data Loss Prevention) Products that scan content in structured formats, such as a database with a formal access control model, or in unstructured formats. They use a dictionary database or an algorithm to identify confidential data and restrict the transfer of this data.
Cloud-based DLP
Extends the protection mechanisms to cloud storage services, using either a proxy to mediate access or the cloud service provider’s API to perform scanning and policy enforcement.
NAC
(Network Access Control) A means of ensuring endpoint security, ensuring that all devices connecting to the network conform to a health policy.
Dissolvable vs. permanent
Dissolvable: a non-persistent agent is loaded into memory during posture assessment but is not installed on the device.
Permanent: a persistent agent is installed as a software application on the client.
Host health checks
Part of a posture assessment. Verify compliance with the health policy.
Agent vs. agentless
Agentless: posture assessment performed when a NAC solution must support a wide range of devices, but less detailed information about the client is available.
Agent: client software which gathers information about a device, such as anti-virus and patch status.
Mail gateway
Provides spam filtering, data loss prevention and encryption.
Spam filter
Blocking unwanted email.
Bridge
A device similar to a switch that has one port for incoming traffic and one port for outgoing traffic.
SSL/TLS accelerators
A hardware device with a specialist chipset - Application Specific Integrated Circuit - dedicated to performing public key encryption. Usually they are implemented as plug-in cards for server equipment or load balancing appliances and therefore can be placed anywhere in the network where SSL/TLS offloading is desired.
SSL decryptors
A type of proxy used to examine encrypted traffic before it enters or leaves the network. Ensures that traffic complies with data policies and that encryption is not being misused, e.g., for data exfiltration or to operate a Command & Control (C2) Remote Access Trojan.
Media gateway
Handles the job of interfacing between multiple communication applications to create a unified communications (UC) application.
Hardware security module
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.