3.2 Flashcards
IDS
intrusion detection system
logs or alerts on malicious activity, but does not stop it
IPS
intrusion prevention system
logs, alerts, and takes action to prevent the malicious activity (sits inline, so it can drop the traffic)
NIDS
network-based IDS
monitors the traffic coming into and going out of a network
usually a stand-alone device
HIDS
host-based IDS
a piece of software installed on a single server or endpoint
looks at suspicious traffic and activity going to or from that one host
WIDS
wireless IDS
detects attempts to cause a denial of service on a wireless network
Signature-based IDS
analyzes traffic against defined signatures; it can only recognize attacks that are already in its signature database
cannot defend against zero-day attacks (there is nothing to match against yet)
Pattern matching (signature-based IDS)
matches traffic against a specific pattern or sequence of steps
typical of a NIDS or WIDS
Stateful matching (signature-based IDS)
records a known system baseline and reports any changes to that state
typical of a HIDS
Anomaly-based IDS
analyzes traffic and compares it to a baseline of normal traffic to determine whether a threat is occurring
can result in a higher rate of false positives (anything unusual looks like an attack)
types of anomaly-based IDS:
■ Statistical
■ Protocol
■ Traffic
■ Rule or Heuristic
■ Application-based
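The two detection styles above, run over a handful of constructed log lines. This is an added example written for these notes, not code from the original page or from any IDS product; the log lines, the two signature patterns and the 3-sigma threshold are all assumptions made for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines in the form "<src-ip> <method> <path> <status>";
# they are made up for this example and do not come from the flashcards.
BASELINE = [f"{ip} GET /page{i} 200"                       # a quiet window used to learn "normal"
            for ip, n in (("10.0.0.5", 3), ("10.0.0.6", 4), ("10.0.0.7", 2), ("10.0.0.8", 3))
            for i in range(n)]

WINDOW = (
    [
        "10.0.0.5 GET /index.html 200",
        "10.0.0.6 GET /login?user=admin' OR 1=1-- 200",          # matches a stored SQLi signature
        "10.0.0.7 GET /search?q=<script>alert(1)</script> 200",  # matches a stored XSS signature
        "10.0.0.8 GET /download?f=../../../../etc/passwd 404",   # no signature exists for this one
        "10.0.0.8 GET /about 200",
    ]
    + [f"10.0.0.20 GET /sitemap{i}.xml 200" for i in range(8)]   # a busy but legitimate crawler
    + [f"10.0.0.9 GET /probe{i} 404" for i in range(40)]          # a scanner hammering the server
)

# Signature-based detection: a database of known-bad patterns (assumed rules).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script\b", re.IGNORECASE),
}


def signature_detect(lines):
    """Alert on any line matching a stored signature. Anything not in the
    database (here the path-traversal request) passes silently."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


def src_ip(line):
    return line.split()[0]


def learn_baseline(lines):
    """Statistical anomaly detection, step 1: learn what normal looks like
    (requests per source address in a quiet window)."""
    counts = list(Counter(src_ip(line) for line in lines).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_detect(lines, baseline, k=3.0):
    """Step 2: flag every source whose request count exceeds mean + k * sigma.
    Catches the scanner with no signature at all, but also the crawler (a false positive)."""
    mean, sigma = baseline
    limit = mean + k * sigma
    counts = Counter(src_ip(line) for line in lines)
    return {ip: n for ip, n in counts.items() if n > limit}


if __name__ == "__main__":
    for name, line in signature_detect(WINDOW):
        print(f"[signature] {name}: {line}")
    baseline = learn_baseline(BASELINE)
    for ip, n in anomaly_detect(WINDOW, baseline).items():
        print(f"[anomaly] {ip} made {n} requests (baseline mean/sigma = {baseline})")
```

The signature engine misses the path-traversal request because nothing in SIGNATURES describes it, which is the zero-day limitation in miniature; the statistical engine flags the scanner without any signature, but also flags the legitimate crawler, which is where the higher false-positive rate comes from. Real products tune the threshold and the baseline window rather than using a fixed k.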
Network Appliance
A dedicated hardware device with pre-installed software that provides one specific
networking service
Load Balancers
Distribute network/application traffic across multiple servers
● Enhance server efficiency and prevent overload
● Ensure redundancy and reliability
● Perform continuous health checks
● Application Delivery Controllers (ADCs) offer advanced functionality
● Essential for high-demand environments and high-traffic websites
Proxy Server
Act as intermediaries between clients and servers
- can store cached copies of the content a server has already returned
● Provide content caching, request filtering, and login management
● Enhance request speed and reduce bandwidth usage
● Add a security layer and enforce network utilization policies
● Protect against DDoS attacks
● Facilitate load balancing and user authentication
● Handle data encryption and ensure compliance with data sovereignty
laws
Sensors
Monitor, detect, and analyze network traffic and data flow
● Identify unusual activities, security breaches, and performance issues
● Provide real-time insights for proactive network management
● Aid in performance monitoring and alerting
● Act as the first line of defense against cyber threats
Jump Servers/Jump Box
Secure gateways for system administrators to access devices in different
security zones
● Control access and reduce the attack surface area
● Offer protection against downtime and data breaches
● Simplify logging and auditing
- a hardened, tightly controlled host: admins connect to it first and from it into the protected zone
ADC
application delivery controller: an advanced load balancer
Port Security
A network switch feature that restricts device access to specific ports based on
MAC addresses
Network switch
Networking devices that operate at Layer 2 of the OSI model
■ Use MAC addresses for traffic switching decisions through transparent bridging
■ Efficiently prevent collisions, operate in full duplex mode
■ Remember connected devices based on MAC addresses
■ Forward unicast frames only to the port of the intended receiver, increasing security
more secure than hubs, because traffic only goes to the intended receiver and not to everyone (a hub repeats every frame out of every port)
CAM table
content addressable memory table
a table on the switch that stores MAC addresses and the switch port each one was learned on
- an attacker can flood the switch with frames from bogus source MAC addresses until the table is full; the switch can then no longer learn real addresses and starts flooding frames out of every port, acting like a hub (MAC flooding)
Port Security implementation
Associate specific MAC addresses with interfaces
■ Prevent unauthorized devices from connecting
■ Can use sticky MACs for easier setup: the switch learns the first MAC address(es) it sees on the port and locks them in, so no other MAC can connect there
■ Susceptible to MAC spoofing attacks (an attacker copies an allowed MAC address)
example: the network jack in the lobby of the office building can be configured to accept frames only from specific MAC addresses
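Here is the CAM table, the MAC flooding attack and sticky port security from the cards above, reduced to a toy switch so the outcomes can be compared side by side. This is an added example for these notes, not code from the page or from any switch vendor; the port names, MAC addresses and the 8-entry table capacity are constructed for the demonstration.

```python
class Switch:
    """Toy layer-2 switch: learns source MACs into a bounded CAM table, forwards known
    unicast to one port, floods unknown unicast/broadcast, and enforces port security."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity   # real tables hold thousands; tiny here to show the overflow
        self.cam = {}                      # MAC -> port
        self.policy = {}                   # port -> {"max": n, "sticky": bool, "allowed": set()}
        self.shutdown = set()              # ports err-disabled after a violation

    def enable_port_security(self, port, max_macs=1, sticky=True, allowed=()):
        self.policy[port] = {"max": max_macs, "sticky": sticky, "allowed": set(allowed)}

    def age_out(self):
        """Simulate the CAM aging timer expiring (about 5 minutes on most switches)."""
        self.cam.clear()

    def _learn(self, src, port):
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # else: table full, the source stays unknown and its replies will be flooded

    def _port_security_ok(self, src, port):
        policy = self.policy.get(port)
        if policy is None or src in policy["allowed"]:
            return True
        if policy["sticky"] and len(policy["allowed"]) < policy["max"]:
            policy["allowed"].add(src)     # sticky: lock in the first MAC(s) seen on the port
            return True
        return False

    def receive(self, port, src, dst):
        """Return the list of egress ports for a frame; [] means it was dropped."""
        if port in self.shutdown:
            return []
        if not self._port_security_ok(src, port):
            self.shutdown.add(port)        # violation action: shut the port
            return []
        self._learn(src, port)
        if dst in self.cam:
            return [self.cam[dst]]         # known unicast: only the intended receiver
        return [p for p in self.ports if p != port]   # unknown destination: flood like a hub


BCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed MACs
BOGUS = [f"02:00:00:00:00:{i:02x}" for i in range(50)]       # attacker's forged source MACs


def demo_mac_flooding():
    """Without port security, the forged sources fill the CAM table; once the real
    entries have aged out, A's unicast to B is flooded to the attacker's port as well."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity=8)
    sw.receive("Gi0/1", HOST_A, BCAST)
    sw.receive("Gi0/2", HOST_B, BCAST)
    before = sw.receive("Gi0/1", HOST_A, HOST_B)
    sw.age_out()
    for mac in BOGUS:
        sw.receive("Gi0/3", mac, BCAST)
    after = sw.receive("Gi0/1", HOST_A, HOST_B)
    return before, after


def demo_port_security():
    """The lobby jack (Gi0/3) allows one sticky MAC: the first device is learned,
    the flood triggers a violation and the port is shut down."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], cam_capacity=8)
    sw.enable_port_security("Gi0/3", max_macs=1, sticky=True)
    sw.receive("Gi0/3", "cc:cc:cc:cc:cc:03", BCAST)
    for mac in BOGUS:
        sw.receive("Gi0/3", mac, BCAST)
    return sorted(sw.shutdown), len(sw.cam)


if __name__ == "__main__":
    print("flooding:", demo_mac_flooding())
    print("port security:", demo_port_security())
```

Port security decides purely on the source MAC, so an attacker who clones the sticky MAC of the lobby PC passes the check unchanged; that is the MAC spoofing weakness noted above, and the reason 802.1X is the stronger control for that jack.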
802.1X authentication
Provides port-based authentication for wired and wireless networks
■ Requires three roles
● Supplicant
● Authenticator
● Authentication server
■ Utilizes RADIUS or TACACS+ for the actual authentication
supplicant
the device or user requesting access to your network
authenticator
the network device the supplicant plugs into (switch, WAP, etc.); it relays the exchange and keeps the port closed until the server says yes
authentication server
centralized authentication server, classified as either a RADIUS or a TACACS+ server
RADIUS
cross-platform (open standard)
TACACS+
Cisco proprietary
supports all protocols
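What the authenticator actually sends to a RADIUS authentication server once the supplicant has offered a password, built from the packet and attribute layout in RFC 2865. This is an added example for these notes, not code from the page or from any RADIUS implementation; the shared secret, usernames and port numbers are constructed, and only the User-Name, User-Password and NAS-Port attributes are implemented.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then XOR
    each block with MD5(shared_secret + previous block); the 16-byte Request Authenticator
    plays the role of 'previous block' for the first one."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream from the shared secret and XOR it back.
    Trailing NULs are padding, so a password that itself ends in NUL bytes is not representable."""
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet) | Length (1 octet, counts these two as well) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_port, authenticator=None):
    """The Access-Request the authenticator (switch/WAP) sends to the authentication server."""
    authenticator = authenticator or os.urandom(16)   # fresh random Request Authenticator
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def demo(secret=b"s3cr3t-shared-with-the-switch"):
    """Round trip: the switch builds the request, the server parses it and recovers the password."""
    pkt = build_access_request(7, b"alice", b"correct horse battery", secret, nas_port=3)
    code, _, authenticator, attrs = parse_packet(pkt)
    assert code == ACCESS_REQUEST
    return reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing: the password hiding is MD5-keyed obfuscation, so the shared secret is the only thing protecting it, and a bare Access-Request carries no integrity check at all unless the Message-Authenticator attribute from RFC 2869 is added. That is why RADIUS between the authenticator and the server should run over TLS (RadSec, RFC 6614) or inside an IPsec tunnel rather than across an untrusted segment.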
EAP
extensible authentication protocol
a framework for various authentication methods
● EAP-MD5
○ Uses simple passwords and the challenge handshake authentication process to provide remote access authentication
○ One-way authentication process
○ Doesn't provide mutual authentication
● EAP-TLS
○ Uses public key infrastructure with a digital certificate installed on both the client and the server
○ Uses mutual authentication
● EAP-TTLS
○ Requires a digital certificate on the server, but not on the client
○ The client uses a password for authentication
● EAP-FAST
○ Uses a protected access credential (PAC), instead of a certificate, to establish mutual authentication
● PEAP
○ Supports mutual authentication using server certificates and
● EAP-LEAP
○ Cisco proprietary and limited to Cisco devices
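The EAP-MD5 challenge handshake from the list above, with the check the server performs and the offline attack that one-way authentication permits. This is an added example for these notes, not code from the page; the password, EAP identifier, user name and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

EAP_RESPONSE, EAP_TYPE_MD5 = 2, 4


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response value: MD5(Identifier || password || challenge), RFC 1994 section 2."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_response_packet(identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP-Response/MD5-Challenge: Code, Identifier, Length, Type, Value-Size, Value, Name
    (RFC 3748 section 5.4)."""
    body = struct.pack("!BB", EAP_TYPE_MD5, len(value)) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def server_verify(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """The authentication server recomputes the hash, so it must hold the cleartext password."""
    return hmac.compare_digest(md5_response(identifier, password, challenge), response)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Anyone who captured (Identifier, challenge, response) can test guesses offline with no
    rate limit or lockout. Because EAP-MD5 never authenticates the server, a rogue access
    point can issue the challenge itself and collect the response directly."""
    for guess in wordlist:
        if md5_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_exchange(password: bytes = b"winter2024", identifier: int = 0x2A):
    """One full exchange: server challenge, supplicant response, response packet on the wire."""
    challenge = os.urandom(16)                                  # chosen by the authentication server
    response = md5_response(identifier, password, challenge)    # computed by the supplicant
    packet = eap_md5_response_packet(identifier, response, b"alice")
    return challenge, response, packet


if __name__ == "__main__":
    challenge, response, packet = run_exchange()
    print("server accepts:", server_verify(0x2A, b"winter2024", challenge, response))
    print("sniffer recovers:", offline_dictionary_attack(
        0x2A, challenge, response, [b"password", b"summer2024", b"winter2024"]))
```

Contrast this with EAP-TLS: there the client proves possession of a certificate's private key inside a TLS handshake that has already authenticated the server, so there is no password-derived value for a sniffer or a rogue access point to brute-force.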
SD-WAN
software defined wide area network
a virtualized approach to managing and optimizing wide area network connections
Traditional WANs
○ Cannot efficiently integrate cloud services
● SD-WAN
○ Enables dynamic and efficient routing, improving visibility,
performance, and manageability
Ideal for enterprises with multiple branch offices that are moving towards
cloud-based services
SASE
Secure Access Service Edge
A network architecture combining network security and WAN capabilities in a
single cloud-based service
-Utilizes software-defined networking (SDN) for security and networking
services from the cloud
Components
● Firewalls
● VPNs
● Zero-trust network access
● Cloud Access Security Brokers (CASBs)
CASB
cloud access security broker (one of the SASE components above)
VPN
virtual private network
extends a private network across a public network, allowing remote users to securely connect to an org's network
it is an encrypted tunnel across the untrusted public internet
three types:
site-to-site
client-to-site
clientless
site to site VPN
connects two SITES or OFFICES (not just a single laptop) cost-effectively
slower but more secure
example: an office in DC and one in California; a dedicated fiber line across 3,000 miles is very expensive even at low speed, so a site-to-site VPN over the internet is used instead
its a tunnel from office to office
client to site
connects a single host (laptop) to the central office
ideal for remote user access to the central network
offers full tunnel or split tunnel configurations
clientless
uses a web browser to establish a secure remote access vpn
uses HTTPS, so no VPN client software has to be installed
Full tunnel vpn
can be used with site to site or client to site
encrypts and routes all network connections back to the central location
provides high security (every connection passes through the corporate controls)
example: you cannot reach the wireless printer in your home office, because its traffic is forced through the tunnel as well and the printer is not on the corporate network
split tunnel vpn
can be used with site to site or client to site
divides traffic routing some through the vpn some directly through the internet
enhances performance
less secure (the internet-bound traffic bypasses the corporate security controls)
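A concrete version of the full tunnel versus split tunnel comparison: the routing table each mode installs and where a given destination leaves the machine. This is an added example for these notes, not code from the page or from any VPN client; the home LAN, corporate prefixes, printer and concentrator addresses are assumptions, and the two /1 routes mimic how OpenVPN's redirect-gateway def1 option implements a full tunnel on top of an existing default route.

```python
import ipaddress

# Constructed addresses for the example (not from the flashcards).
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")        # the home office Wi-Fi
PRINTER, VPN_GATEWAY = "192.168.1.50", "203.0.113.10"    # local printer; concentrator's public IP
CORP_NETS = ["10.0.0.0/8", "172.16.0.0/12"]               # prefixes pushed by the concentrator
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_routes(mode):
    """Routing table as the client installs it, as (network, interface) pairs.
    'split' adds only the corporate prefixes; 'full' adds two /1 routes that out-rank
    the existing default route, so everything except the local LAN goes into the tunnel."""
    routes = [(LOCAL_LAN, "wlan0"), (DEFAULT, "wlan0"),
              (ipaddress.ip_network(VPN_GATEWAY + "/32"), "wlan0")]  # keep the tunnel endpoint reachable
    if mode == "split":
        routes += [(ipaddress.ip_network(n), "tun0") for n in CORP_NETS]
    elif mode == "full":
        routes += [(ipaddress.ip_network("0.0.0.0/1"), "tun0"),
                   (ipaddress.ip_network("128.0.0.0/1"), "tun0")]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return routes


def egress(mode, dst, allow_local_lan=False):
    """Interface a packet to dst leaves on: longest-prefix match first, then the client's
    local-LAN policy, which full-tunnel clients usually enforce with a host firewall rule."""
    addr = ipaddress.ip_address(dst)
    net, iface = max(((n, i) for n, i in build_routes(mode) if addr in n),
                     key=lambda route: route[0].prefixlen)
    if mode == "full" and addr in LOCAL_LAN and not allow_local_lan:
        return "blocked"   # the connected /24 still wins the lookup, so the client has to block it
    return iface


def leak_report(mode, destinations):
    """Destinations that bypass the tunnel: the list a reviewer wants for a split-tunnel policy."""
    return [d for d in destinations if egress(mode, d) == "wlan0" and d != VPN_GATEWAY]


if __name__ == "__main__":
    targets = ["10.1.2.3", "8.8.8.8", PRINTER, VPN_GATEWAY]
    for mode in ("split", "full"):
        print(mode, {d: egress(mode, d) for d in targets}, "leaks:", leak_report(mode, targets))
```

In full tunnel mode the printer is unreachable, exactly as the card says, but note why: the connected 192.168.1.0/24 route is more specific than the two /1 tunnel routes, so the client has to add a block rule to stop local LAN access. The split tunnel reaches the printer and the public internet directly, and leak_report shows precisely which traffic escapes inspection.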
TLS
transport layer security
provides encryption and security for data in transit
HTTPS
works at layers 5, 6, and 7 of the OSI model (HTTPS is HTTP carried over TLS)
encrypts your username and password when you log in to Udemy, so they are not sent over the internet in plaintext
TCP
TLS uses the transmission control protocol for reliable, secure connections between a client and a server
more overhead than UDP
DTLS
datagram transport layer security
a faster, UDP-based (user datagram protocol) alternative to TLS
ensures end-user security and protects against eavesdropping in clientless VPN connections
faster than TLS because it avoids TCP's connection setup and retransmission overhead
IPSec
internet protocol security
A secure protocol suite for IP communication
■ Provides confidentiality, integrity, authentication, and anti-replay protection
■ Used for both site-to-site and client-to-site VPNs
more often used than a clientless TLS VPN tunnel
IPSec tunneling modes - transport mode
keeps the original IP header and encrypts only the payload
used for client-to-site VPNs
adds less overhead, so the packet is less likely to exceed the MTU (maximum transmission unit) size
IPSec tunneling modes - tunnel mode
Adds a new header to encapsulate the entire packet
○ Ideal for site-to-site VPNs
○ May increase packet size and require jumbo frames
○ Provides confidentiality for both payload and header
AH
authentication header
Offers connectionless data integrity and data origin authentication for IP
datagrams, using a keyed cryptographic hash over the packet as the identifying information; provides no confidentiality (nothing is encrypted)
ESP
Encapsulating Security Payload
Provides confidentiality (encryption), integrity, and authentication
● Provides replay protection
● Encrypts the packet’s payload
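The transport-mode versus tunnel-mode overhead from the cards above, as a packet-size calculator that applies the ESP padding rule and finds the largest payload that still fits a link. This is an added example for these notes, not code from the page; AES-CBC with a 16-byte IV, a 16-byte ICV and IPv4 headers without options are assumptions chosen for the demonstration.

```python
# Sizes in octets. The cipher and integrity algorithm are assumptions for the example.
IP_HDR = 20        # IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV = 16            # AES-CBC initialization vector (assumed cipher)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV = 16           # integrity check value, e.g. HMAC-SHA-256-128 (assumed)
BLOCK = 16         # AES block size: plaintext + padding + trailer must fill whole blocks


def esp_padding(protected_len, block=BLOCK):
    """Padding ESP appends so that protected data + padding + 2-byte trailer is a multiple of the block size."""
    return (-(protected_len + ESP_TRAILER)) % block


def esp_wire_size(payload_len, mode):
    """On-the-wire size of one ESP packet carrying an upper-layer payload of payload_len octets.
    transport: the original IP header is kept and only the payload is protected.
    tunnel:    the whole original packet (header + payload) is protected and a new IP header is prepended."""
    if mode == "transport":
        protected = payload_len
    elif mode == "tunnel":
        protected = IP_HDR + payload_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad = esp_padding(protected)
    return IP_HDR + ESP_HDR + IV + protected + pad + ESP_TRAILER + ICV


def max_payload(mtu, mode):
    """Largest upper-layer payload that still fits the link MTU after ESP encapsulation.
    Anything larger must be fragmented, MSS-clamped, or carried on a jumbo-frame link."""
    n = mtu
    while n > 0 and esp_wire_size(n, mode) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s}: a 1480-byte payload becomes {esp_wire_size(1480, mode)} bytes on the wire; "
              f"max payload for MTU 1500 = {max_payload(1500, mode)}")
```

A full-size 1480-byte TCP segment that fit a 1500-byte link in the clear no longer fits in either mode, and tunnel mode costs a further IP header on top of the ESP overhead; this is why IPsec gateways either clamp the TCP MSS or run the encrypted leg on a jumbo-frame link.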
Security Zones
isolate devices with similar security requirements
screened subnets
act as a buffer zone between the internal and external networks
host public-facing services, protecting the core internal network
DMZ
demilitarized zone; the older name for a screened subnet
Attack Surface
Refers to points where unauthorized access or data extraction can occur
■ A larger attack surface increases the risk of vulnerabilities
■ Identify and mitigate vulnerabilities to reduce the attack surface
■ Regularly assess and minimize the attack surface for network security
Fail open
Allows traffic to pass during a failure, maintaining connectivity but
reducing security
Fail closed
Blocks all traffic during a failure, prioritizing security over connectivity
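Fail open versus fail closed as code rather than as a definition: the same allow-list filter with the one line that decides what happens when the rule lookup itself breaks. This is an added example for these notes, not code from the page; the allow-list rule, the three flows and the failure trigger are constructed for the demonstration.

```python
import ipaddress


class RuleStoreUnavailable(Exception):
    """The device cannot consult its policy (rule database down, disk full, licence expired, ...)."""


class PacketFilter:
    """Toy allow-list filter. fail_mode is the only design choice that matters
    once _lookup starts raising instead of answering."""

    def __init__(self, rules, fail_mode="closed"):
        if fail_mode not in ("open", "closed"):
            raise ValueError(f"fail_mode must be 'open' or 'closed', got {fail_mode!r}")
        self.rules = [(ipaddress.ip_network(src), port) for src, port in rules]
        self.fail_mode = fail_mode
        self.healthy = True   # flip to False to simulate the failure

    def _lookup(self, src, port):
        if not self.healthy:
            raise RuleStoreUnavailable("rule store unreachable")
        addr = ipaddress.ip_address(src)
        return any(addr in net and port == p for net, p in self.rules)

    def permit(self, src, port):
        try:
            return self._lookup(src, port)
        except RuleStoreUnavailable:
            # fail open keeps connectivity and loses enforcement; fail closed does the reverse.
            return self.fail_mode == "open"


# Constructed flows: an allowed HTTPS session, an internal SSH attempt, and RDP from the internet.
TRAFFIC = [("10.0.0.5", 443), ("10.0.0.5", 22), ("198.51.100.7", 3389)]


def permitted_flows(fail_mode, healthy=True):
    """Which of TRAFFIC gets through a filter that allows only 10.0.0.0/8 -> 443."""
    pf = PacketFilter([("10.0.0.0/8", 443)], fail_mode=fail_mode)
    pf.healthy = healthy
    return [flow for flow in TRAFFIC if pf.permit(*flow)]


if __name__ == "__main__":
    for mode in ("open", "closed"):
        print(f"fail-{mode}, healthy: {permitted_flows(mode)}")
        print(f"fail-{mode}, broken:  {permitted_flows(mode, healthy=False)}")
```

While the rule store is healthy the two modes behave identically; the difference only appears during the outage, when the fail-open filter waves through the internet-sourced RDP attempt and the fail-closed one blocks the legitimate HTTPS session as well. Pick the mode by asking which is worse for the asset behind the control: an outage, or exposure while nobody is looking.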
Defense in Depth
Utilize multiple layers of security to ensure robust protection even if one control fails
Risk based approach
Prioritize controls based on potential risks and vulnerabilities specific to
the infrastructure
Lifecycle management
Regularly review, update, and retire controls to adapt to the evolving threat landscape
Open Design Principle
Ensure transparency and accountability through rigorous testing and
scrutiny of controls
Benchmarking
Compare your organization’s processes and security metrics with industry
best practices
Best practices for security infrastructure
Align with Frameworks
● Utilize established frameworks (e.g., NIST, ISO) to ensure comprehensive
and tested methodologies
■ Customize Frameworks
● Tailor framework controls to your organization’s unique risk profile and
business operations
■ Stakeholder Engagement and Training
● Engage all relevant stakeholders in the decision-making process, and
conduct regular training to keep the workforce updated on security
controls and threats