4.5 Flashcards
Types of firewalls
Web App
unified threat management
next generation
Port
logical communication endpoints on a computer or server
Inbound port
listens for connections
outbound port
used to connect to a server
Port classification
Well known (0-1023)
registered (1024-49151)
dynamic and private
Protocols
rules governing device communication and data exchange
screened subnet
aka dual-homed host
It's a DMZ: a logically separated network area between the internal network and the internet
Types of firewalls
packet filtering
proxy
stateful
kernel proxy
packet filtering firewall
fastest because it only checks the packet; acts similar to a router
cannot prevent IP spoofing due to limited inspection
operates at layer 4 (transport layer)
stateful firewall
tracks connections and requests allowing return traffic for outbound requests
operates at layer 4 (transport layer)
Proxy firewall
makes connections on behalf of endpoints, enhancing security
- very secure
- acts as an intermediary
- operates on the application layer or session layer (5)
kernel proxy
full packet inspection at every layer
minimal impact on network performance
placed close to every system they protect
NGFW
next generation firewall
- application aware (distinguishes different types of traffic)
- conducts deep packet analysis
- operates fast
UTM
unified threat management firewall
- combines multiple security functions in a single device
- functions can include firewall, intrusion prevention, antivirus, and more
- single point of failure protection
WAF
web app firewall
- HTTP traffic
- prevents SQL injections etc.
In line WAF
live attack prevention
device sits between the network firewall and the web servers
Out of band WAF
device receives a mirrored copy of web server traffic
ACL
access control list
- essential for securing networks from unwanted traffic
- consist of permit and deny statements, often based on port numbers
- place the most specific rules at the top and generic rules at the bottom
ACL key pieces of information
type of traffic
source of traffic
destination of traffic
action to take against traffic
Hardware based firewall
a dedicated network security device that filters and controls network traffic at the hardware level
commonly used to protect an entire network or subnet
Software firewall
a firewall that runs as a software app on individual devices
NAC
network access control
- used to protect networks from both known and unknown devices by scanning devices to assess their security status before granting network access
- can be applied as a hardware or a software solution
Persistent Agents
installed on devices in a corporate environment where the org controls and owns the device software
non-persistent agents
common in environments with personal devices, where users connect to a web-based app and download an agent for scanning; it deletes itself after inspection
802.1x standard
port-based network access control mechanism based on the IEEE 802.1X standard
modern NAC solutions build on this
Rule based Access Control
NAC can use rule based methods like
- time-based factors
- location-based
- role-based
- rule-based (implement complex admission policies with logical statements)
Web filtering
Web filtering or content filtering is used to control or restrict the content users can access on the internet
■ Crucial for businesses, educational institutions, and parents to ensure safe and productive internet use
Types of web filtering
agent based
centralized proxy
URL scanning
content categorization
block rules
reputation based filtering
Agent based web filtering
involves installing an agent on each device
monitors and enforces web usage policies
effective for remote and mobile workers
Centralized proxy
uses a proxy server as an intermediary between an organization’s end users and the Internet
● Evaluates and controls web requests based on policies
● If the request does not conform with the policies, the request is simply blocked or denied
URL scanning
Analyzes website URLs to check for matches in a database of known malicious websites
Content Categorization
Classifies websites into categories (e.g., social media, adult content) and blocks or allows categories based on policies
Block rules
Specific guidelines set by organizations to prevent access to certain websites or categories, often used to address security threats
Reputation based filtering
Blocks or allows websites based on a reputation score determined by third-party services, considering factors like hosting malware or phishing
DNS filtering
DNS filtering (Domain Name System filtering) blocks access to specific websites by preventing the translation of domain names to their IP addresses
- Users’ devices request domain name translation from DNS servers; if the domain is on the block list, the server withholds the IP address to prevent access
■ Commonly used to enforce internet usage policies, block inappropriate content, and protect against malicious websites
■ Often employed by schools, universities, and organizations to ensure safe and educational internet usage
DKIM
domainkeys identified mail
- Allows the receiver to verify the source and integrity of an email by adding a digital signature to the email headers
● The recipient server validates the DKIM signature using the sender’s public cryptographic key in the domain’s DNS records
● Benefits
○ Email authentication
○ Protection against email spoofing
○ Improved email deliverability
○ Enhanced reputation score
SPF
sender policy framework
Prevents sender address forgery by verifying the sender’s IP against authorized IPs listed in the sender’s domain DNS records
● A receiving server checks if the sender’s IP is authorized in the SPF record
DMARC
domain based message authentication reporting and conformance
DMARC detects and prevents email spoofing by setting policies for email sending and handling failures
● DMARC can work with DKIM, SPF, or both
● Implementation helps protect against
○ Business email compromise attacks
○ Phishing
○ Scams
○ Cyber threats
Email gateway protocol configuration
Email gateways serve as entry and exit points for emails, facilitating secure and efficient email transmission
● They use SMTP (Simple Mail Transfer Protocol) to send and receive emails
● Email gateways handle email routing, email security, policy enforcement, and email encryption
Email gateway deployment options
on premises
cloud based
hybrid
spam filtering
Spam filtering detects and prevents unwanted and unsolicited emails from reaching users’ inboxes
■ Techniques
● Content analysis
● Bayesian filtering
● DNS-based sinkhole list
● Email filtering rules
EDR
end point detection and response
Category of security tools that monitor endpoint and network events and record the information in a central database
how endpoint detection works
Data Collection
● Collects data from endpoints (devices that are physically on the endpoint of a network)
○ System processes
○ Registry changes
○ Memory usage
○ Network traffic patterns
■ Data Consolidation
● Sends collected data to a centralized security solution or database
■ Threat Detection
● Analyzes data using techniques like signature-based and behavioral-based detection to identify threats
■ Alerts and Threat Response
● Takes actions such as creating alerts or performing threat response actions when threats are detected
■ Threat Investigation
● Provides tools for security teams to investigate threats, including detailed timelines and forensic data
■ Remediation
● Removing malicious files
● Reversing changes
● Restoring systems to their normal state
FIM
file integrity monitoring
Validates the integrity of operating system and application software files by comparing their current state with a known, good baseline
■ Identifies changes to
● Binary files
● System and Application Files
● Configuration and Parameter Files
■ Monitors critical system files for changes using agents and hash digests, triggering alerts when unauthorized changes occur
XDR
extended detection and response
Security strategy that integrates multiple protection technologies into a single platform
■ Improves detection accuracy and simplifies incident response
■ Correlates data across multiple security layers to detect threats faster, including
● email
● endpoint
● server
● cloud workloads
● network
○ Difference between EDR and XDR
■ EDR is focused on the endpoints to detect and respond to potential threats
■ XDR is a more comprehensive solution because it focuses not only on endpoints, but also on networks, cloud, and email to detect and respond to potential threats
● It integrates multiple protection technologies
UBA
user behavior analytics
advanced security strategy that uses big data and machine learning to analyze behaviors for detecting security threats
UEBA
User and Entity Behavior Analytics (UEBA)
■ Technology similar to UBA but extends the monitoring to entities like routers, servers, and endpoints in addition to user accounts
Secure protocols
Choose secure protocols to protect data in transit from unauthorized access
● Examples include HTTP vs. HTTPS, FTP vs. SFTP, Telnet vs. SSH
Telnet
app layer protocol that allows one computer to log onto another computer that is part of the same network
transmits in plaintext
use SSH instead
TCP
TCP (Transmission Control Protocol)
● Connection-oriented, ensuring data delivery without errors
● Ideal for applications where data accuracy is crucial, like web and email servers
● Uses acknowledgments, retransmission, and sequencing for data integrity
UDP
Connectionless and faster, but doesn’t guarantee data delivery
● Suitable for applications prioritizing speed over accuracy, like streaming video or gaming