3.2 Flashcards
Secure infrastructures, intrusion prevention, network appliances, port security, firewall types, secure communication
3 ways to secure network connectivity
Application-level encryption
Network-level encryption (VPN, IPsec tunnels)
Secure the network cabling
A data security method that encrypts data as it passes through an application and across multiple layers, including disk, file, and database. It’s considered a secure approach to enterprise data protection because it protects data before it leaves an application, regardless of where it’s used, moved, or stored.
Application-level encryption
A configuration that allows data to continue to flow even after a system fails.
Fail-open
A configuration that prevents data from flowing (no communication/network connection) after a system fails.
Fail-closed
Devices placed directly in the traffic path so that every packet must pass through them for forwarding, monitoring, or inspection. Because they sit in the critical path, their failure mode (fail-open or fail-closed) decides whether an outage bypasses the control or cuts the connection.
ex. Firewall, IDS, IPS, antimalware, routers, switches.
Inline devices
A type of monitoring that occurs when a monitoring tool is placed in the critical path of the network data. The traffic is monitored in real-time as it passes by.
Commonly used in IPS.
Active monitoring
AKA inline monitoring
A type of monitoring where a copy of the network traffic is examined using a tap or port mirror. Because the device only sees a copy, it cannot drop traffic in real time; at best it can alert or send a TCP reset after the fact.
Commonly used in IDS. (An IPS deployed this way effectively becomes an IDS, because it can no longer block traffic inline.)
Passive monitoring
AKA out-of-band monitoring
Why would an organization be uncomfortable with a real-time IPS?
It may cause some downtime to the network due to blocking legitimate traffic.
A network switch or router feature that copies network packets from one port to another for analysis. The copied traffic is then sent to a monitoring device, such as an intrusion detection system or network analyzer.
Port mirroring
SPAN stands for
Switched Port Analyzer
A dedicated port on a switch that takes a mirrored copy of network traffic from within the switch to be sent to a destination.
SPAN
A connection point in a network where real traffic is copied. The duplicate copies are then used for security analysis and monitoring.
Network TAP
A hardened host inside the network that is reachable from the outside. Only authorized administrators can log in to it, and from it they reach the internal systems they manage.
It is used to administer critical networks remotely.
Jump server
A server that sits between the internal users and the internet. The internal devices connect to this server, and the server connects to the internet on the users’ behalf.
This lets the server evaluate the response, checking for malicious code, before passing it back to the user.
Proxy server
3 functions of a proxy server
Caching responses - saves time and bandwidth
URL filtering - limits what websites are accessible
Content scanning - blocks malicious code
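The three proxy functions above, as an added example written for these flashcards (not code from the source course): a toy forward proxy that filters URLs before fetching, serves repeat requests from its cache, and scans fetched bodies before returning them. The upstream "internet" is an in-memory dict, and the blocklist, the malware signatures and the URLs are all constructed for the demo.

```python
"""Added example: a toy forward proxy with caching, URL filtering and
content scanning. Every URL, body and signature below is constructed."""
from urllib.parse import urlsplit

# Constructed upstream: what the "internet" would return for each URL.
UPSTREAM = {
    "http://intranet.example/policy.html": "<html>Acceptable use policy</html>",
    "http://casino.example/": "<html>Place your bets</html>",
    "http://cdn.example/lib.js": "eval(atob('ZG9jdW1lbnQuY29va2ll'))",  # scanner flags this
}

BLOCKED_DOMAINS = {"casino.example"}                 # URL filter policy (assumed)
MALWARE_SIGNATURES = ("eval(atob(", "<script>alert(")  # content scanner (assumed)


class ForwardProxy:
    def __init__(self, fetch):
        self.fetch = fetch          # callable that performs the real upstream request
        self.cache = {}
        self.upstream_calls = 0     # lets us see the bandwidth the cache saves

    def get(self, url):
        """Return (status, body). Filtering runs before any fetch, scanning after."""
        host = urlsplit(url).hostname
        if host in BLOCKED_DOMAINS:
            return (403, "blocked by URL filter")
        if url in self.cache:
            return (200, self.cache[url])        # cache hit: no upstream traffic
        self.upstream_calls += 1
        body = self.fetch(url)
        if body is None:
            return (502, "upstream unavailable")
        if any(sig in body for sig in MALWARE_SIGNATURES):
            return (403, "blocked by content scanner")   # never cached
        self.cache[url] = body
        return (200, body)


def demo():
    """Replay a few requests and return (status codes, upstream calls made)."""
    proxy = ForwardProxy(UPSTREAM.get)
    statuses = [proxy.get(u)[0] for u in (
        "http://intranet.example/policy.html",
        "http://intranet.example/policy.html",   # identical request: served from cache
        "http://casino.example/",                # URL filter, never fetched
        "http://cdn.example/lib.js",             # fetched, then blocked by scanner
    )]
    return statuses, proxy.upstream_calls
```

Note the ordering: the URL filter runs before the fetch (so a blocked site is never contacted), while the scanner runs after it and a scanner hit is never cached, otherwise a later identical request would bypass the scan.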
2 types of proxy servers
Explicit
Transparent
A type of proxy server that must be configured in the application/client OS so that the app/OS knows to communicate with it.
Explicit proxy server
A type of proxy server that does not require any configuration on the application/client OS. The network redirects traffic through it, so it makes requests on the user's behalf automatically and the user is unaware that the proxy is in place.
Transparent proxy server
Most proxies in use are ____ proxies
Application-level
Meaning they understand the way applications work
True/False
Most application-level proxies only know how one application works (ex. HTTP)
False
While some proxies may only know one application, many of them are multipurpose proxies (ex. HTTP, HTTPS, FTP, etc.)
This proxy server sends out user requests to the internet and then examines the responses before passing them along back to the users. It sits inside the internal network with the user.
This server can also act as a caching server. When two requests are identical, the server simply sends out the cached response. This limits the load on the network.
Internal proxy
AKA forward proxy
This proxy server receives requests from the internet, examines them, passes them along to a web server, and then returns the response to the internet. It sits inside the internal network with the web server.
This server can also act as a caching server. When two requests have the same response, the server simply sends out the cached response. This limits the load on the web server.
Reverse proxy
A third-party, uncontrolled proxy server that is often used to circumvent security controls. It is available for anyone on the internet to use.
Instead of using the proxy inside your internal network, you connect directly to this proxy which does the work. This is a security risk because you don’t know who controls this device. The person controlling it could listen to your requests, add advertisements, or even inject malicious code into responses.
Open proxy
A network device or service, invisible to the client, that distributes incoming requests or connections across multiple servers.
This improves efficiency, provides fault tolerance, and dynamically changes how much traffic is assigned to each server in order to get the best performance.
Load balancer
The process by which a dynamic routing protocol (or a load balancer pool) notices a topology change, such as one of the devices failing, and settles back into a stable state. Until convergence completes, some traffic may be dropped, which is why fast convergence matters for fault tolerance and load balancing.
Convergence
A load balancing configuration where all of the servers connected to the load balancer are all active and being used by the load balancer.
Active/active load balancing
A load balancing configuration where some servers are active and being used by the load balancer, while some other servers are on standby, waiting to be used when an active server fails.
Active/passive load balancing
5 additional functions of a load balancer
TCP offload
SSL offload
Caching
Prioritization - some apps/protocols get information faster
Content switching
A function of a load balancer that keeps persistent TCP connections open to each server and reuses them for client requests, instead of setting up and tearing down a new TCP session with the server for every client. This improves response time.
TCP offload
A function of a load balancer that terminates the client's TLS session, decrypts the traffic before sending it to the servers, and then re-encrypts the response on its way back to the client. (ex. HTTPS to HTTP and vice versa)
This passes the traffic to the backend servers in cleartext, so the segment between the load balancer and the servers must be trusted (or the traffic re-encrypted).
SSL offload
AKA SSL termination
SSL offload is AKA
SSL termination
A function of a load balancer that enables it to direct client request to the best-suited server based on the content of the request. This boosts reliability, scalability, and performance of applications.
Content switching
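The load balancer cards above (active/active, active/passive, content switching), as one added example written for these flashcards rather than code from the source course. It models two pools with different configurations and a content switch that routes by URL path prefix; the server names, paths and health-check states are constructed for the demo.

```python
"""Added example: toy load balancer pools showing active/active round-robin,
active/passive failover, and content switching by request path."""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    healthy: bool = True   # result of the last health check (constructed)


class ActiveActivePool:
    """All members serve traffic; requests are dealt out round-robin,
    skipping any member whose health check has failed."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._idx = 0

    def pick(self):
        for _ in range(len(self.backends)):
            b = self.backends[self._idx % len(self.backends)]
            self._idx += 1
            if b.healthy:
                return b
        raise RuntimeError("no healthy backend")


class ActivePassivePool:
    """Only the first healthy member in priority order serves traffic;
    the others stay idle until the active one fails its health check."""

    def __init__(self, backends):
        self.backends = list(backends)

    def pick(self):
        for b in self.backends:
            if b.healthy:
                return b
        raise RuntimeError("no healthy backend")


class ContentSwitch:
    """Content switching: choose the pool from the content of the request
    (here the URL path prefix) rather than treating every request alike."""

    def __init__(self, routes, default):
        self.routes = routes      # list of (path prefix, pool)
        self.default = default

    def route(self, path):
        for prefix, pool in self.routes:
            if path.startswith(prefix):
                return pool.pick().name
        return self.default.pick().name


def demo():
    """Four requests, with the primary API server failing between the third and fourth."""
    static = ActiveActivePool([Backend("static-1"), Backend("static-2")])
    api = ActivePassivePool([Backend("api-primary"), Backend("api-standby")])
    lb = ContentSwitch([("/static/", static), ("/api/", api)], default=static)

    served = [lb.route("/static/a.css"), lb.route("/static/b.js"), lb.route("/api/login")]
    api.backends[0].healthy = False          # simulated health-check failure
    served.append(lb.route("/api/login"))    # standby takes over with no client change
    return served
```

Static content is spread across both active servers, while the API pool keeps one server idle until the health check on the primary fails; the client never sees a different address because the load balancer's own address is what it connects to.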
Network devices and services that examine traffic for anomalies. They often note this activity in logs (ex. web server access logs, firewall logs, authentication logs, database transaction logs, email logs, etc.)
Sensors
A central database that collects logs from multiple sensors and devices.
This could be a proprietary console that only works with a certain type of device, or it could be something that can collect data from many different types of devices (ex. SIEM)
Collectors
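The sensor/collector relationship above, as an added example written for these flashcards (not code from the source course): a toy collector that normalizes log lines from three different sensors into one event schema, then correlates them by source IP the way a SIEM would. All log lines are constructed; their formats imitate a firewall log, a Linux sshd auth log and an Apache-style web access log.

```python
"""Added example: a toy log collector. Every log line below is constructed
for the demo, and 203.0.113.0/24 and 198.51.100.0/24 are documentation
address ranges, not real hosts."""
import re
from collections import defaultdict

FIREWALL_LOG = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=22",
    "2024-05-01T10:00:02Z fw01 ALLOW src=198.51.100.7 dst=10.0.0.20 dport=443",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=3389",
]
AUTH_LOG = [
    "May  1 10:00:05 srv01 sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "May  1 10:00:06 srv01 sshd[1234]: Failed password for admin from 203.0.113.5 port 40002 ssh2",
    "May  1 10:00:09 srv01 sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2",
]
WEB_LOG = [
    '203.0.113.5 - - [01/May/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 401 512',
    '198.51.100.7 - - [01/May/2024:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

FW_RE = re.compile(r"^\S+ \S+ (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) \S+ dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"sshd\[\d+\]: (?P<action>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")
WEB_RE = re.compile(r'^(?P<src>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def normalize(sensor, line):
    """Map one raw line onto the common schema {sensor, src, outcome, detail};
    return None if it does not parse. Timestamps are left out to keep the demo
    short; a real collector would also normalize them to UTC."""
    if sensor == "firewall" and (m := FW_RE.match(line)):
        outcome = "deny" if m["action"] == "DENY" else "allow"
        return {"sensor": sensor, "src": m["src"], "outcome": outcome, "detail": "dport=" + m["dport"]}
    if sensor == "auth" and (m := AUTH_RE.search(line)):
        outcome = "fail" if m["action"] == "Failed" else "allow"
        return {"sensor": sensor, "src": m["src"], "outcome": outcome, "detail": "user=" + m["user"]}
    if sensor == "web" and (m := WEB_RE.match(line)):
        outcome = "fail" if m["status"] in ("401", "403") else "allow"
        return {"sensor": sensor, "src": m["src"], "outcome": outcome, "detail": m["method"] + " " + m["path"]}
    return None


class Collector:
    def __init__(self):
        self.events = []
        self.unparsed = 0

    def ingest(self, sensor, lines):
        for line in lines:
            event = normalize(sensor, line)
            if event is None:
                self.unparsed += 1     # count parse failures, never drop them silently
            else:
                self.events.append(event)

    def correlate(self, threshold=3):
        """Flag any source IP with at least `threshold` negative events seen by
        at least two different sensor types: one firewall deny is noise, but
        denies plus failed logins plus 401s from the same IP is a pattern."""
        by_src = defaultdict(list)
        for e in self.events:
            if e["outcome"] in ("deny", "fail"):
                by_src[e["src"]].append(e["sensor"])
        return {src: sorted(set(sensors)) for src, sensors in by_src.items()
                if len(sensors) >= threshold and len(set(sensors)) >= 2}


def demo():
    c = Collector()
    c.ingest("firewall", FIREWALL_LOG)
    c.ingest("auth", AUTH_LOG)
    c.ingest("web", WEB_LOG)
    return c.correlate()
```

The point of the common schema is that the correlation rule never has to know what a firewall log or an sshd line looks like; each new sensor type only needs a normalizer.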
True/False
Port security only works on wireless networks
False
Port security applies to both wired and wireless networks. It is most visible on wireless (WPA2/WPA3-Enterprise relies on 802.1X), but switch ports can enforce it just as well.
An authentication framework that allows manufacturers to create their own authentication methods according to their standards.
It integrates with 802.1X, which prevents access to a network until authentication succeeds.
EAP
EAP stands for
Extensible Authentication Protocol
NAC stands for
Network Access Control
IEEE 802.1X is AKA
Port-based Network Access Control (PNAC); it is the standard commonly used to enforce NAC on wired and wireless ports
What is the IEEE standard that prevents a user from accessing a network until authentication succeeds?
802.1X
How do EAP and 802.1X work together?
You provide your login credentials via EAP, and then 802.1X allows your access into the network.
What other authentication databases and protocols do EAP and 802.1X often work in conjunction with? (4)
RADIUS
LDAP
TACACS+
Kerberos
etc…
The client in an 802.1X/EAP transaction
Supplicant
The device that provides network access in an 802.1X/EAP transaction. Until authentication is complete, it blocks access.
It sits between the supplicant and the authentication server.
Authenticator
The device that validates client credentials in an 802.1X/EAP transaction
Authentication server
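The three 802.1X/EAP roles above, as an added example written for these flashcards (not code from the source course): a toy exchange in which the authenticator relays EAP without interpreting it and keeps the port unauthorized until the authentication server returns an accept. User names, passwords and the message labels are constructed for the demo; real EAP methods (EAP-TLS, PEAP) and RADIUS encoding are far more involved.

```python
"""Added example: supplicant, authenticator and authentication server in a
simplified 802.1X/EAP exchange. Credentials and message labels are constructed."""
import hashlib
import hmac
import os


class AuthenticationServer:
    """Validates credentials (the RADIUS server, possibly backed by LDAP/AD).
    It is the only party that ever checks the secret."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def access_request(self, eap_payload):
        """Consume the relayed EAP payload; return Access-Accept or Access-Reject."""
        username, password = eap_payload
        record = self._users.get(username)
        if record is None:
            return "Access-Reject"
        salt, stored = record
        ok = hmac.compare_digest(self._derive(password, salt), stored)
        return "Access-Accept" if ok else "Access-Reject"


class Supplicant:
    """The client. In this demo its EAP payload is simply (user, password);
    a real method would protect these inside a TLS tunnel to the server."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def eap_response(self):
        return (self.username, self.password)


class Authenticator:
    """The switch or access point. It relays EAP without interpreting the
    credentials and forwards no ordinary traffic until the port is authorized."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = False
        self.transcript = []

    def eapol_start(self, supplicant):
        self.transcript.append("Authenticator -> Supplicant: EAP-Request/Identity")
        payload = supplicant.eap_response()            # opaque to the authenticator
        self.transcript.append(f"Supplicant -> Authenticator: EAP-Response ({payload[0]})")
        self.transcript.append("Authenticator -> Server: RADIUS Access-Request [EAP]")
        verdict = self.server.access_request(payload)
        self.transcript.append(f"Server -> Authenticator: RADIUS {verdict}")
        self.port_authorized = (verdict == "Access-Accept")
        result = "EAP-Success" if self.port_authorized else "EAP-Failure"
        self.transcript.append(f"Authenticator -> Supplicant: {result}")
        return self.port_authorized

    def forward(self, frame):
        """Normal traffic (DHCP, HTTP, ...) is dropped on an unauthorized port."""
        if not self.port_authorized:
            return "DROPPED: port unauthorized"
        return "FORWARDED: " + frame


def demo():
    """Same frame before and after a successful authentication."""
    server = AuthenticationServer()
    server.add_user("alice", "correct horse battery staple")   # constructed credential
    switch_port = Authenticator(server)
    before = switch_port.forward("DHCP Discover")
    switch_port.eapol_start(Supplicant("alice", "correct horse battery staple"))
    after = switch_port.forward("DHCP Discover")
    return before, after
```

Only EAPOL frames are processed on an unauthorized port; everything else is dropped, which is why a device that has not authenticated cannot even obtain a DHCP lease.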
A device/service that controls the flow of traffic including inbound and outbound data, controls inappropriate content, and protects against malware.
Firewall
Difference between traditional firewall and NGFW
The traditional firewall operates at OSI layers 3 and 4: it makes decisions from IP addresses, protocol, and port numbers.
The NGFW operates at OSI layer 7, the application layer, which means it can control traffic based on what application is being used to access a resource, or what application is being accessed, regardless of the port in use.
A layer 3 device is AKA
Router
True/False
Most firewalls can be layer 3 devices (routers), meaning they sit at the edge of the network. This functionality includes NAT and routing protocols.
True
UTM stands for
Unified Threat Management
What layer does the NGFW work on?
Application layer (7)
NGFW is AKA (3)
Application layer gateway
Stateful multilayer inspection device
Deep packet inspection
UTM is AKA
Web security gateway
All-in-one security appliance
Features of UTM devices (reasons why it’s called all-in-one security appliance) (8)
URL filtering/content inspection
Malware inspection
Spam filter
CSU/DSU functionality
Router/switch functionality
IDS/IPS
Bandwidth shaper
VPN endpoint
What is a challenge when using a UTM?
Most UTMs only operate at layer 4 (they only look at port numbers), and enabling all of their features at once can cause performance issues
True/False
NGFWs can examine all traffic that traverses them and perform a full packet decode of every packet. (They can see the sender, the receiver, the application used, the ports used, etc.) Encrypted traffic can only be decoded to this depth if the firewall is configured to intercept and inspect TLS.
True
True/False
A NGFW can have a knowledge base of known vulnerabilities for different applications to be incorporated into its firewall capabilities, effectively turning it into an IPS.
True
NGFWs can control website traffic by ____.
Category
ex. Gambling, education, gaming, etc.
A type of firewall that applies rules to HTTP/HTTPS conversations. It analyzes inputs into web based applications, and either allows or disallows the traffic depending on what the input is.
It can block injection attacks.
WAF
WAF stands for
Web Application Firewall
WAF is commonly used alongside a ____
NGFW
WAFs can block ____ attacks.
Injection
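The WAF cards above, as an added example written for these flashcards (not code from the source course): a minimal WAF-style check that decodes the parameters of an HTTP request and matches them against injection patterns. The request samples and the rule patterns are constructed for the demo; real rule sets such as the OWASP Core Rule Set are far larger and score matches instead of blocking on a single hit.

```python
"""Added example: a toy WAF input check. Rules and sample requests are
constructed for the demo and deliberately narrow."""
import re
from urllib.parse import parse_qsl, unquote_plus

# (name, pattern). The tautology rule requires an actual comparison after
# OR/AND so that ordinary text like "cats and dogs" does not trip it.
RULES = [
    ("sqli-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b[\s/*]+(?:all\s+)?select\b")),
    ("sqli-stacked", re.compile(r"(?i);\s*(?:drop|delete|insert|update|exec)\b")),
    ("xss-tag", re.compile(r"(?i)<\s*(?:script|img|svg|iframe)\b")),
    ("xss-handler", re.compile(r"(?i)\bon\w+\s*=")),
]


def _parameters(path, body):
    """Collect (name, value) pairs from the query string and a
    form-encoded body; parse_qsl performs the first URL decode."""
    _, _, query = path.partition("?")
    items = parse_qsl(query, keep_blank_values=True)
    if body:
        items += parse_qsl(body, keep_blank_values=True)
    return items


def inspect_request(path, body=""):
    """Return ('allow', None, None) or ('block', rule_name, parameter_name)."""
    for name, value in _parameters(path, body):
        # Decode a second time so %2527-style double encoding cannot hide
        # a quote or angle bracket from the patterns.
        value = unquote_plus(value)
        for rule, pattern in RULES:
            if pattern.search(value):
                return ("block", rule, name)
    return ("allow", None, None)


# Constructed requests: two benign, one classic tautology, one
# double-encoded UNION, one script tag in a POST body, one event handler.
SAMPLES = [
    ("/login?user=alice&pw=hunter2", ""),
    ("/search?q=cats+and+dogs", ""),
    ("/search?q=%27+OR+%271%27%3D%271", ""),
    ("/search?q=%2527%20UNION%20SELECT%20password%20FROM%20users", ""),
    ("/comment", "text=Nice+post+%3Cscript%3Ealert(1)%3C/script%3E"),
    ("/profile?bio=%3Cb+onmouseover%3Dalert(1)%3Ehi", ""),
]


def run_samples():
    """Decision and matched rule for each sample request."""
    return [inspect_request(p, b)[0:2] for p, b in SAMPLES]
```

Two practitioner caveats the flashcard does not mention: a WAF only sees what it can decode (it must normalize encodings before matching, as the second decode here does), and narrow patterns like these trade misses for fewer false positives, which is why production rule sets score rather than block on one match.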
A hardware networking device that manages multiple encrypted VPN tunnels within a business network.
It stands between the remote user and the internal corporate network. It decrypts the VPN-encrypted packets from the remote user, and sends the packets in cleartext to the corporate network.
This device is often integrated into a firewall.
VPN concentrator
Name the VPN:
Can be run from a browser or from a lightweight VPN client
Used for remote access communication from a SINGLE device.
Can be configured to be always-on; every time your computer starts up, so does the VPN
No requirement to use a certain type of credential (digital certificates, shared passwords); use the credentials you normally use
Runs over TCP port 443 and encrypts data with SSL/TLS. Because it uses a port that is well-known for encrypted web traffic, it has almost no issues with firewalls.
SSL/TLS VPN
AKA Remote access VPN
Name the VPN:
Used to connect different corporate branches to each other
Firewalls act as the VPN concentrators - there is no VPN software on the clients themselves
IPsec VPN
AKA site-to-site VPN
SSL/TLS VPN is AKA
Remote access VPN
IPsec VPN is AKA
Site-to-site VPN
SD-WAN stands for
Software-Defined Wide Area Network
A new form of WAN that is built specifically for cloud-based apps.
Instead of routing all users through a set of internal datacenter servers and from there to the cloud app, this technology makes WANs flexible enough to let users connect directly to cloud applications.
SD-WAN
SASE stands for
Secure Access Service Edge
A cloud-based network architecture that combines VPN and SD-WAN capabilities with cloud-native security functions (firewalls, CASBs, secure web gateways, and zero trust network access).
Rather than every client having to backhaul through a VPN concentrator or firewall, a client agent is installed on every device. Each client connects securely and directly to the nearest SASE point of presence in the cloud, and from there to any cloud-based services it needs, even across different clouds, without a VPN concentrator.
A “next generation” VPN
SASE
The VPN used for user access to an internal network
SSL/TLS VPN
The VPN used for site-to-site access
IPsec tunnels
A networking technology that gives WANs the flexibility to enable user access to clouds without having to go through a central internal datacenter server.
This technology does not adequately address cloud security concerns on its own.
SD-WAN
A complete network and security solution that allows clients to access clouds without having to go through a VPN concentrator. It securely sends packets through the Internet to any cloud the user needs. It requires significant planning and implementation to carry out correctly.
SASE