3.3 - Secure Network Designs Flashcards

1
Q

Load Balancing

A
  • Distribute incoming load across multiple servers, which makes the service more available than would be possible with just one server
  • Invisible to the end user
  • Can scale into very large implementations
  • provides fault tolerance, service remains available
  • Can configure it to balance across multiple servers, and can also configure TCP offload to the load balancer instead of down to the individual server
  • Can be used for SSL offload too (the load balancer performs the SSL encryption and sends decrypted info to the individual server)
  • Can provide caching (fast response)
  • Can provide prioritization (QoS)
  • Can provide content switching (certain apps get switched to certain servers)
  • Ex: web server farms, database farms
2
Q

Fault tolerance

A
  • Server outages have no effect
  • Very fast convergence
3
Q

Round Robin

A
  • Type of scheduling in load balancing
  • Traffic from the internet, through the load balancer, gets distributed to server A, then server B, etc.
  • Ensures all servers get the same amount of load
4
Q

Weighted Round Robin

A
  • Prioritizes the server use
  • might prioritize one server over the others (ex: server A gets half the load and the other three get the remaining portions)
5
Q

Dynamic Round Robin

A
  • Monitor the server load and distribute to the server with the lowest use
6
Q

Active/ Active Load balancing

A
  • Meaning you have multiple active servers in use
  • Round Robin, Weighted Round Robin and Dynamic Round Robin are all useful strategies
  • If one server fails any one of the others can step up to continue operations
7
Q

Affinity

A
  • A kinship, likeness
  • In the context of load balancing, a user communicating through a load balancer will always be connected to the same server
  • Can be accomplished via a session ID or via IP address + port number
  • each user is “stuck” to the same server
  • source affinity / sticky session / session persistence
8
Q

Active / passive Load Balancing

A
  • Some servers are active and some are on standby
  • if an active server fails, other devices can become active
  • this all takes place via the load balancer
9
Q

Segmenting the network

A
  • Options: Physical, logical, or virtual segmentation
  • Allowing/disallowing traffic b/n devices
  • Some considerations when choosing segmentation options:
  • Common to segment application instances into their own segments (esp. when they need high bandwidth and throughput)
  • Security could be a factor (users should not talk directly to DB servers); the only applications in the core are SQL and SSH
  • Compliance - mandated segmentation (PCI compliance for credit cards). Makes change control easier
10
Q

Physical segmentation

A
  • Airgap b/n switch A and switch B
  • If you need a connection so that they can communicate, you would need to run a cable between these switches
  • Or put a router or firewall in between
  • Could also separate all the web servers on one switch and all the DB servers on another switch
  • Or could put customer A on one switch and customer B on another (no direct connection b/n switches)
  • Challenges with this design: separate power, upgrades, separately maintained
  • Disadvantages: a number of interfaces on the switches probably go unused, so you spend a lot of money on a switch and don't use it to the fullest extent
11
Q

Logical Segmentation with VLANs

A
  • Virtual Local Area Network
  • Same functionality (customer A on one part of the switch and customer B on a different part of the same switch, but b/c of the VLAN configuration the customers can't communicate with each other)
  • it’s like having 2 physical devices, but it’s one device with a logical separation
  • if the two needed to communicate, would need a cable, router or firewall like physical segmentation
  • Separated logically instead of physically
  • Cannot communicate between VLANs without a Layer 3 device / router
12
Q

Screened subnet

A
  • Previously known as the DMZ (demilitarized zone)
  • a separate network for incoming internet traffic
  • People from the internet come in (usually through a firewall), which redirects them to the screened subnet switch (where they can access the services)
  • The connection behind the firewall that goes to the internal network switch would have additional protections
  • An additional layer of security between the internet and you
  • Public access to public resources
13
Q

Extranet

A
  • Similar configuration to a screened subnet
  • A private network for partners (vendors, suppliers)
  • Communication from the internet goes through a firewall, and the firewall directs it to the extranet (the internal network is a separate connection)
  • The extranet provides vendors etc with access to our internal resources (without giving them direct access)
  • Unlike a screened subnet, an extranet usually has additional authentication (only allow access to authorized users, like your vendors or partners)
14
Q

Intranet

A
  • Private network, only available internally
  • Very different from a screened subnet or extranet
  • Only accessible from inside network (ex: from headquarters or remote site)
  • Commonly has internal servers that can provide company announcement/ employee documents (only accessible by employees of the company)
  • No external access (Internal or VPN only)
15
Q

East-west traffic

A
  • East-West: traffic between devices in the same data center
  • Relatively fast response times (local)
  • Traffic flows within a data center provide additional segmentation challenges
  • Ex: sheer number of devices in data center and many users accessing them
  • Important to know where traffic starts and ends (data flows).
16
Q

North-South Traffic

A
  • Either inbound to or outbound from the data center
  • Ingress/egress to an outside device
  • a different security posture than east-west traffic (b/c often coming from unknown/ untrusted source)
17
Q

Zero Trust

A
  • New security posture for internal networks: trust no one in your network
  • Zero trust is a holistic approach to network security (covers every device, every process, every person)
  • Everything (devices, people, applications, etc.) must be verified (multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.)
  • Traditionally, once you got inside the network, there was not a lot of security; there was an inherent trust
  • Traditionally, once you're through the firewall, there are few security controls
18
Q

VPN

A
  • Virtual Private Network
  • Encrypted (private) data traversing a public network
  • uses a concentrator
  • Sometimes VPN client software is configured to be “always-on” or you may have to turn it on
19
Q

Concentrator

A
  • Encryption / decryption access device
  • often integrated into a firewall
  • The ‘workhorse of the VPN’
  • many deployment options
  • some are cryptographic hardware
  • some are software-based options
  • Used with client software (sometimes built into the OS)
20
Q

Remote access VPN

A
  • Your laptop -> start VPN software -> this creates an encrypted tunnel to the VPN concentrator -> on the other side of the VPN concentrator the traffic is decrypted and goes to your corporate network
  • This works in reverse too: corporate info -> VPN concentrator (where it's encrypted) -> through the tunnel to your laptop
21
Q

SSL VPN

A
  • Secure Sockets Layer VPN
  • Uses common SSL / TLS protocol (tcp/ port 443)
  • No big VPN clients (usually providing remote access to a single device using this SSL VPN)
  • (Almost) no firewall issues!
  • Authenticates users (no requirement for digital certificates or shared passwords, unlike IPSec)
  • Don't usually need complex VPN passwords
  • Can often be run from a browser or from a (usually light) VPN client (across many OSes)
22
Q

HTML5 VPNs

A
  • Hyper Text Markup Language version 5
  • The language commonly used in web browsers
  • Includes comprehensive API support
  • Web cryptography API
  • Nothing to install (create a VPN tunnel without a separate VPN application). Start the browser, connect to the network, and that's it: you can use the SSL VPN
  • The only thing you have to have is a browser that supports HTML5 (most modern browsers do)
23
Q

Full Tunnel

A
  • Everything that is being transported by a remote user is sent to the VPN concentrator, the VPN concentrator will then decide where the data will go
  • User can’t break out of the tunnel to the VPN Concentrator
  • Ex: If user on VPN wanted to go to another website, they’d have to go to the VPN concentrator, the VPN concentrator would go to the website and then pass it back to the remote user
24
Q

Split Tunnel

A
  • The VPN admin can configure some information to go through the tunnel and some to go outside in a split tunnel
  • If a remote user wants to go to a non-corporate website, they can use a split in the tunnel to go to that website instead of going straight to the VPN concentrator
25
Q

Site to site VPN

A
  • Can have a VPN connection b/n remote locations
  • Ex: a corporate network and a remote site network; they each have their own firewall / VPN concentrator, and there is an encrypted tunnel between the two VPN concentrators
  • almost always “always-on” or dynamically connect to each other
  • Often uses L2TP (layer 2 tunneling protocol)
26
Q

L2TP

A
  • Layer 2 Tunneling Protocol
  • Connecting sites over a layer 3 network, as if they were connected at layer 2
  • Commonly implemented with IPSec
  • L2TP for the tunnel, add on IPsec for the encryption (aka L2TP over IPsec (L2TP/IPsec))
27
Q

IPSec

A
  • Internet Protocol Security
  • Security for OSI Layer 3
  • Authentication and encryption for every packet
  • Supports encryption and packet signing (so you can have security of data and anti-replay is built in)
  • Very standardized (common to use, multivendor implementations)
  • 2 core protocols: AH (Authentication Header) and ESP (Encapsulation Security Payload)
28
Q

IP Sec Tunnel - how to send data

A
  • 2 ways: Transport mode and tunnel mode
  • Most configurations of IPSec will include both AH (for integrity + authentication of the outer header) and ESP (for encryption of data)
  • See the 3rd video of 3.3 if you need to re-reference the graphics
29
Q

Transport Mode

A
  • One of the two ways to send data over an IPSec tunnel (other is tunnel mode)
  • The original packet: IP Header - Data
  • Transport mode:
  • IP Header - IPSec Headers - Data (encrypted by the IPSec Header/Trailer) - IPSec Trailer
  • Doesn’t protect everything bc the IPSec headers are sent in the clear
30
Q

Tunnel Mode

A
  • One of the two ways to send data over an IPSec tunnel (other is Transport mode)
  • The original packet: IP Header - Data
  • Tunnel mode: New IP Header - IPSec Headers - IP Header - Data - IPSec Trailers
  • Protects both the IP header and the data; creates a brand new IP header that is addressed to the VPN concentrator on the other side
31
Q

AH

A
  • Authentication Header protocol
  • Hash of the packet and the shared key (shared b/n the two IPSec concentrators)
  • SHA-2 is common
  • If you’re only concerned about the integrity of the data, may not need to authenticate, and AH is a good option
  • Doesn’t provide encryption, but provides integrity (hash)
  • Guarantees the data origin (authentication)
  • Prevents replay attacks (sequence numbers)
  • this is less common than ESP (Encapsulation Security Payload)
  • Adds the AH to the packet header
  • New IP Header - AH Header - IP Header - Data
32
Q

ESP

A
  • Encapsulation Security Payload
  • Encrypts and Authenticates across IPSec tunnel
  • Commonly uses SHA-2 for hash, AES for encryption
  • Adds a header, a trailer, and an Integrity Check Value (can change them in the IPSec config though)
  • New IP Header - ESP Header - IP Header - Data - ESP Trailer - Integrity Check Value
  • ESP Header -> ESP Trailer is authenticated
  • IP Header -> ESP Trailer is Encrypted
33
Q

Port Security

A
  • There’s a lot of security that happens at the physical switch interface
  • Control and protect, limit overall traffic, control specific traffic types, watch for unusual / unwanted traffic
  • Different options available
  • (In this particular usage, not talking about TCP or UDP ports; think of it as the physical port)
  • Often the first and last point of transmission
34
Q

Broadcasts

A
  • Send information to everyone at once
  • One frame or packet, received by everyone
  • everyone must examine the broadcast
  • fortunately they have a limited scope (limited to the broadcast domain)
  • VLAN is a broadcast domain
  • With IP Version 4, very common to see broadcasts (routing updates, ARP requests, can add up quickly)
  • Unfortunately, can be malicious software or a bad NIC
  • Need a way to control traffic
  • IPv6 does not use broadcasts (it uses multicast, which is easier to manage than broadcast)
35
Q

Broadcast Controls

A
  • The switch can control broadcasts (limit the number of broadcasts per second)
  • Can often be used to control multicast and unknown unicast traffic (giving admins a tight level of control)
  • Might be a way to limit broadcasts by specific values or percentage (or change over normal traffic patterns)
36
Q

Loop Protection

A
  • Connect 2 switches to each other and they'll send traffic back and forth forever (there's no counting mechanism at the MAC layer)
  • This could bring down the network (and it's easy to do): accidentally plug the wrong cable into the wrong interface
  • Fortunately, the IEEE has the 802.1D standard protocol to prevent loops in bridged (switched) networks (1990)
  • Layer 2 itself doesn't have a way to prevent loops over the network
37
Q

802.1D

A
  • An IEEE standard protocol (1990) to prevent loops in bridged (switched) networks
  • Created by Radia Perlman
  • Used practically everywhere
  • This is Spanning Tree Protocol
38
Q

Spanning Tree Protocol

A
  • Common way to prevent loops
  • 802.1D
  • Switches are connecting many different networks (many different chances for creating loops) unless you’re using spanning tree
  • ‘BP’ - blocked port - administratively blocked to prevent a loop
  • Also good at finding problems and working around them (ex: if there is an outage in one area that might affect paths, STP is monitoring itself for situations like this; if there's an outage, it will put itself into convergence mode to examine which interfaces are available / not available given the outage, and it can shift the blocked ports to accommodate the outage)
  • When you initialize spanning tree, it takes time for spanning tree to interrogate the potential paths
39
Q

BPDU Guard

A
  • BPDU (Bridge Protocol Data Unit) Guard combines the speed of PortFast + the protection of Spanning Tree Protocol
  • Bypasses the listening and learning states (ex: if you just plug in one end user device, there's no chance for a loop, but spanning tree doesn't know this unless you configure the port for BPDU Guard); this means no downtime
  • Cisco calls this PortFast
  • BPDU is the primary protocol used by spanning tree
  • If a BPDU frame is seen on a PortFast configured interface (workstation), shut down the interface
  • Risk someone could plug in with another switch and then there is a potential for a loop
  • When you initialize spanning tree, it takes time for spanning tree to interrogate the potential paths
40
Q

DHCP Snooping

A
  • Dynamic Host Configuration Protocol
  • If someone plugs in an unauthorized DHCP server it could cause a potential DoS or security issue
  • If DHCP communication is seen from an untrusted source, the switch can filter it out and prevent it from communicating with other devices; this is DHCP snooping
  • Another risk (someone could plug in a DHCP device that is unauthorized)
  • IP Tracking on a layer 2 device (switch)
  • The switch is a DHCP firewall
  • Trusted: Routers, switches, DHCP servers
  • Untrusted: other computers, unofficial DHCP servers
41
Q

MAC Filtering

A
  • Media Access Control
  • Physical interface on our ethernet cards
  • the ‘hardware’ access
  • Limit access through the physical hardware address
  • keeps the neighbors out (don’t let people plug in unknown devices)
  • additional administration with visitors
  • Challenge: with MAC filtering, no security at layer 2 that can encrypt / obscure the MAC address (Easy to find working MAC addresses through wireless LAN analysis, MAC addresses can be spoofed using free open source software)
  • MAC filtering more of an administrative tool, not really a security feature (“security through obscurity”)
42
Q

DNS Summary

A
  • DNS - originally had no security, relatively easy to poison
  • Then created DNSSEC (Domain Name System Security Extension) that enabled validation of DNS responses (origin authentication, data integrity)
  • We do this through Public Key cryptography (DNS records are signed with a trusted third party, signed DNS records are published in a public DNS server)
43
Q

Using DNS for security

A
  • B/c all our users have to access DNS to get the IP address of the device they want to communicate with, we can tell our DNS server that if a user tries to visit a known malicious location, it should send them to a sinkhole (an IP address we set up that we can collect data on)
  • We can immediately identify stations that may have been infected with malware
  • Stop end users from visiting dangerous sites (DNS resolves to a sinkhole address)
44
Q

Sinkhole

A
  • An IP address we set up, to which our DNS server funnels traffic destined for known bad sites
  • This helps us identify systems that are potentially infected (those visiting the sinkhole) and we can prevent further exploitation
45
Q

Content Filtering

A
  • Prevent DNS queries to unwanted or suspicious sites
46
Q

Out-of-band management

A
  • IT professionals use this to work around issues when the network isn’t available
  • Or the device isn’t accessible from the network
  • Most devices have a separate management interface (sometimes a serial, USB, or Ethernet connection)
  • Often connect a wireless modem or cellular modem, which allows you to connect out-of-band to that device
  • Console router / comm server (out-of-band access for multiple devices): connect to the console router, then choose where you want to go
47
Q

QoS (need for it)

A
  • Quality of Service
  • Process of Prioritizing traffic performance
  • Prioritize by max bandwidth, traffic rates, VLAN etc.
  • many different devices, many different applications
  • Each one has different network requirements (some require more bandwidth - VoIP, if streaming video you might have a buffer, DB application is interactive)
  • Network admins need to set a priority
  • Realtime things like VoIP are ‘more important’ (voice traffic over youtube)
  • Method of implementing QoS can vary widely (can be in switches, routers, next-generation firewalls)
48
Q

IPv6 Security

A
  • IPv6 has a lot of config settings inside the protocol itself that assist with security on the network
  • More IPv6 addresses than IPv4 (more difficult to do port scans or IP scans)
  • B/c so many addresses are available for IPv6, basically no need for NAT (although NAT is not a security feature)
  • Without NAT, the communication process can be simplified
  • Some attacks disappear (No ARP, so no ARP spoofing )
  • Doesn’t mean that IPv6 is any more or less secure, it’s just different than IPv4 (new attacks will appear, for example Neighbor Cache Exhaustion)
  • In IPV4 there wasn’t as much emphasis on security on network
49
Q

NAT

A
  • Port Address Translation (or outbound traffic translation)
  • In many environments it was simply a response to the limited number of public IP addresses available
  • Needed for IPv4, not IPv6
50
Q

ARP

A
  • Address Resolution Protocol
  • Was removed b/n IPv4 and IPv6, so ARP spoofing is no longer a concern in IPv6
51
Q

Neighbor Cache Exhaustion

A
  • In IPv6, the neighbor cache of devices on the network can be filled up, not allowing your device to communicate across the network
52
Q

Taps

A
  • Physical tap: disconnect a link, put a tap in, and then all traffic going over that link can be seen
53
Q

Port Mirror

A
  • Port redirection; SPAN (Switch Port Analyzer) is what it's called on a Cisco switch
  • Software-based tap
  • Becomes very useful when no other options are available
  • limited functionality but can work well in a pinch
54
Q

Monitoring Service

A
  • An organization that might constantly monitor your network
  • Includes ongoing security checks (making sure you have the latest patches)
  • A SoC (Security Operations Center)
  • identify broad range of threats
  • can respond quickly since constantly monitoring
  • usually 24/7
  • They will help with maintaining compliance like HIPAA, PCI DSS
55
Q

SoC

A
  • Security Operations Center
  • picture a command center like in the movies
  • identify broad range of threats
  • can respond quickly since constantly monitoring
  • usually 24/7
  • They will help with maintaining compliance like HIPAA PCI DSS
56
Q

FIM

A
  • File Integrity Monitoring
  • Monitor files that would not change (ex: OS files)
  • if they change, there’s probably malicious code doing it
  • Many host-based IPS options
  • Tripwire (Linux)
  • SFC (Windows)
57
Q

SFC

A
  • System File Checker
  • on demand FIM (file integrity monitoring)
  • Windows
  • will go through all your sys files
58
Q

Tripwire

A
  • For Linux
  • Real-time FIM (File Integrity Monitoring)
59
Q

Edge control

A
  • Usually connecting your device to the internet
  • Managed primarily through firewall rules
  • Firewall rules rarely change
  • vs Access Control
60
Q

Access control

A
  • Allowing / disallowing is based on a lot of criteria (not just based on whether or not you're on the edge)
  • Rules for inside or outside
  • Access can be based on many rules (user, group, location, application, etc.)
  • Access can be easily revoked or changed (Can change your security posture at any time)
  • vs. Edge control
61
Q

Posture Assessment

A
  • Considerations for the security team
  • EX: BYOD (Bring your own device)
  • Before connecting to the network, perform a posture assessment
  • Is it a trusted device?
  • Is it running anti-virus? which one? is it updated?
  • Are there corporate applications installed?
  • Is it a mobile device? Is the disk encrypted?
  • The type of device doesn't matter: Windows, Mac, Linux, iOS, Android
  • Sometimes need a persistent agent or a dissolvable agent to perform the posture assessment
62
Q

BYOD

A
  • Bring your own device
  • you can’t trust everyone’s computer
  • if it’s a BYOD, should be considered in the Posture Assessment
  • Can have malware / infections/ missing anti-malware
  • unauthorized applications
63
Q

Persistent Agent

A
  • Permanently installed onto a system
  • Periodic updates may be required
  • need to maintain this
  • Can be used to run a posture assessment
64
Q

Dissolvable Agent

A
  • No installation is required
  • Runs during the posture assessment
  • Terminates when no longer required
65
Q

Agentless NAC

A
  • Integrated with Active Directory
  • Checks are made during login / logoff
  • Can’t be scheduled
66
Q

Failing a Posture Assessment

A
  • If you can’t meet the minimum requirements for the network
  • Often put in a quarantine network
  • Allows users to address the issue (just enough network access to fix the issue)
  • Can try again and run the posture assessment
67
Q

Proxy Server

A
  • Sits b/n the users and the rest of the external network
  • Receives the user request and sends its own request on their behalf (the proxy)
  • if everything ok, it provides the response to the user
  • The proxy server, b/c it's in the middle, controls a lot
  • Ex: Caching, access control (login required), URL filtering, content scanning
68
Q

Explicit proxy permission

A
  • Tells the end user devices that the Proxy Server is located at a specific IP address + Port
69
Q

Transparent Proxies

A
  • These are invisible, meaning the end user doesn’t know they’re sitting in the middle of the conversation
70
Q

Application Proxies

A
  • “Proxy” usually refers to application proxies (not NAT)
  • The proxy understands how the application works
  • May only know one individual application (ex: only HTTP) or it could support multiple purposes (ex: HTTP, HTTPS)
  • (One of the simplest 'proxies' is a NAT (network-level proxy))
71
Q

Forward Proxy

A
  • An ‘internal proxy’
  • Commonly used to protect and control user access to the internet
  • Users make a request to the proxy; the proxy examines the URL or checks the URL category, and if it passes, the proxy performs the request on the user's behalf. The internet sends the response to the proxy, which examines it and sends a copy of the response back to the user.
72
Q

Reverse Proxy

A
  • Inbound traffic from the Internet to your internal service
  • Request starts from the internet -> proxy -> internal service (then the response goes back out to the internet)
  • opposite of Forward Proxy
73
Q

Open Proxy

A
  • A third-party, uncontrolled proxy
  • Can be a significant security concern
  • Often used to circumvent existing controls
  • Concern what the proxy is doing to the data (could potentially change the code, like put an ad on the response or could add malicious code)
  • Proxy isn’t on internal network
74
Q

NIDS / NIPS

A
  • Network Intrusion Detection System / Network Intrusion Prevention System
  • Watch traffic and block or mitigate attacks
  • Watches for intrusions (exploits against OS, apps, etc.)
  • Watches for buffer overflows, XSS, other vulnerabilities
  • NIPS is more common than NIDS (Network Intrusion Detection System)
  • Differences here are Detection vs. Prevention
  • Typically the NIDS doesn’t have a way to block communication (just an alarm)
  • NIPS stops it before going to the network in real-time
  • Therefore IDS aren’t as common as IPS
75
Q

Passive Monitoring

A
  • Scenario: IPS might be getting info from a switch that is connected to other devices (laptops / servers)
  • Passive monitoring examines a copy of the traffic from the switch, either via a port mirror (in Cisco, called a SPAN; software-based) or via a physical network tap
  • No way to block (prevent) traffic; it will send the sysadmin an alert (b/c the IPS isn't in line with the network traffic flows; it's off to the side)
  • It might be able to limit traffic using an out-of-band response (but can’t totally block it)
  • Less common than In-line monitoring
76
Q

Out-of-band response

A
  • When malicious traffic is identified, the IPS sends TCP RST (reset) frames (this effectively stops the traffic flow coming from the device to the switch, but doesn't stop the original packet from getting through)
  • After the fact
  • However, this example works b/c it's TCP (protocol-based); if it were UDP, the IPS couldn't send reset frames to block subsequent traffic
77
Q

Inline monitoring

A
  • IDS/ IPS (Intrusion Detection System / Intrusion Prevention System) sits physically inline (core switch -> IPS -> firewall -> internet)
  • All traffic passes through the IDS/ IPS
  • more common than passive monitoring
  • The IPS examines the traffic (b/c it's in band, it can block traffic in real time): it would drop the packet, and nothing would come out the other side inside your network
78
Q

Identification technologies

A
  • These are the ways that the IPS (intrusion prevention system) can determine what is malicious or not
  • EX: signature based, anomaly-based, behavior-based, heuristics
79
Q

Signature-based identification

A
  • Looks for a perfect match
  • Then the IPS will ID it as malicious
80
Q

Anomaly-based identification

A
  • IPS (intrusion prevention system) can look at what traffic is normal and then ID anomalies
  • Requires that it sits on the network for a period of time to identify what ‘normal’ is
  • Ex: if there is usually a relatively low level of traffic and then a spike, it could ID the spike as an anomaly
81
Q

Behavior based identification

A
  • IPS (intrusion prevention system) can look at certain types of behavior
  • Ex: might understand what a normal DB request and what a SQL injection look like (even if there's not a specific signature)
  • it could ID and block it
82
Q

Heuristic-based identification

A
  • IPS (intrusion prevention system) can look at artificial intelligence / big data
  • Able to understand broadly how the network works
  • likely in bigger companies with larger resources
83
Q

Jump Server

A
  • Provides access to secure network zones (usually a private network) in a protected network
  • Highly secure device
  • Hardened and monitored
  • If we need to provide administration to any of the servers, you could jump from the external client to any of the internal servers
  • Have to be very careful when configuring a jump server (since anyone with access to it would have access to any of the servers)
84
Q

HSM

A
  • Hardware Security Module
  • Used in large environments (clusters, redundant power)
  • Specifically designed to monitor and control a large number of keys
  • more than just a server, usually has specialized hardware for cryptography (either purpose built or an add in)
  • can provide secure storage (ex: key storage)
  • many are configured as a cryptographic accelerator
85
Q

Cryptographic Accelerators

A
  • if you install these in your HSM (hardware security module) you can offload some of the CPU overhead needed for encryption from your servers
  • instead you put it on the HSM which has specific hardware to deal with cryptography
86
Q

Sensors and Collectors

A
  • Needs to be some way to take all statistics from the network (ex: from routers, servers, firewalls) and have logs
  • Aggregate and centralize information from network devices
87
Q

Sensors

A
  • Intrusion prevention systems, firewall logs, authentication logs, webserver access logs, database transaction logs, email logs
  • sensors are gathering all this information and sending it to the Collectors
88
Q

Collectors

A
  • Receive all the log data from the sensors
  • Usually a console or series of consoles on network
  • Usually receives sensor data, parses data and then displays a representation of the data on the screen
  • Proprietary consoles (product-specific, ex: IPS, firewalls), or it could be SIEM consoles or syslog servers
  • Many SIEMs include a correlation engine to compare diverse sensor data
89
Q

SIEM

A
  • Security Information and Event Management tool
  • Collects log files from the environment, then consolidates and compares the logs and provides an output on the screen