5.0 Network Architecture Flashcards by Antonio Martinez

The selection and placement of media, devices, protocols/services, and data assets.

Network architecture

How well did you know this?

Not at all

Perfectly

The media, appliances, and addressing/forwarding protocols that support basic connectivity.

Network infrastructure

How well did you know this?

Not at all

Perfectly

Provides the addressing mechanism for logical networks and subnets.

Internet Protocol (IP)

How well did you know this?

Not at all

Perfectly

All the points at which a threat actor could gain access to hosts and services.

Attack surface

How well did you know this?

Not at all

Perfectly

this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling

Test access point (TAP)

How well did you know this?

Not at all

Perfectly

this means that the sensor is attached to a specially configured port on a switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored , and frames may be dropped under heavy load.

SPAN (switched port analyzer)/mirror port

How well did you know this?

Not at all

Perfectly

control is one that does not require any sort of client or agent configuration or host data transfer to operate. For example, network traffic can be directed or copied to a sensor and scanned by an analysis engine

passive security

How well did you know this?

Not at all

Perfectly

that performs scanning must be configured with credentials and access permissions and exchange data with target hosts. An _____ that performs filtering requires hosts to be explicitly configured to use the control. This might mean installing agent software on the host or configuring network settings to use the control as a gateway

active security control

How well did you know this?

Not at all

Perfectly

Portions of the network or system that have specific security concerns or requirements.

Security zone

How well did you know this?

Not at all

Perfectly

A network that does not require a physical connection.

Wireless network

How well did you know this?

Not at all

Perfectly

A network that grants internet access only to guest users. A guest network has a firewall to regulate guest user access.

Guest network

How well did you know this?

Not at all

Perfectly

A host (honeypot), network (honeynet), file (honeyfile), or credential/token (honeytoken) set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

Honeynet

How well did you know this?

Not at all

Perfectly

A decentralized network that allows connections without a traditional base station or router. It allows users to connect two or more devices directly to each other for a specific purpose.

Ad hoc

How well did you know this?

Not at all

Perfectly

A temporary DNS record that redirects malicious traffic to a controlled IP address.

DNS sinkhole

How well did you know this?

Not at all

Perfectly

A hardened server that provides access to other hosts.

Jump server

How well did you know this?

Not at all

Perfectly

Agent-based web filtering involves installing a software agent on desktop computers, laptops, and mobile devices. The agents enforce compliance with the organization’s web filtering policies.

Agent-based filtering

How well did you know this?

Not at all

Perfectly

A network that contains publicly accessible resources and is located between the private network and an untrusted network, such as the internet. It is protected by a firewall.

Screened subnet

How well did you know this?

Not at all

Perfectly

A _______ acts on behalf of a client or user when attempting to access resources over the internet. The _______, in this position of an intermediary, provides a layer of protection to the client. A ______ works on a store-and-forward model. This means the ______deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on, if it conforms to the rules it’s been configured with. Client computers connect to a specified point on the perimeter network for web access.
Benefits a ________ can provide:
Traffic management
Protection
Anonymity for users by masking their IP addresses
Caching engines
Content filtering
Content monitoring
Incoming network traffic distribution across multiple servers to help balance the load

Proxy server

How well did you know this?

Not at all

Perfectly

Internet content filter

How well did you know this?

Not at all

Perfectly

Deception strategy that returns spoofed data in response to network probes.

Fake telemetry

How well did you know this?

Not at all

Perfectly

An appliance that combines many security functions into a single device.

All-in-one
security appliance

How well did you know this?

Not at all

Perfectly

A device that has the ability to analyze and manage network traffic based on the application-layer protocol.

Application-aware devices

How well did you know this?

Not at all

Perfectly

A ______ is a hardened server that provides access to other hosts. ________ are often used for administrative tasks where administrators connect to the _______ first and then use it to access other internal systems, like servers or devices. A ________ is primarily used to enhance security by controlling access to sensitive resources. It acts as a gateway to access certain systems that are kept isolated from the external network. The ________ is typically locked down and secured to a higher degree, ensuring that only authorized users can access it, reducing the risk of unauthorized access to critical systems.

Jump server

How well did you know this?

Not at all

Perfectly

A ________, while primarily used to distribute network traffic across multiple servers to optimize performance, can also serve as a security appliance in certain scenarios. A ______ distributes client requests across available server nodes in a farm or pool. This is used to provision services that can scale from light to heavy loads and to provide mitigation against denial-of-service attacks.

Load balancer

How well did you know this?

Not at all

Perfectly

There are two main types of load balancers:

Layer 4 — A layer 4 load balancer makes forwarding decisions on IP address and TCP/UPD port values, working at the transport layer of the OSI model. Layer 7 — A layer 7 load balancer, or content switch, makes forwarding decisions based on application-level data, such as a request for a particular URL web address or data types like video or audio streaming, which requires more complex logic.

Sensor

A packet sniffer is referred to as a _________. Typically, the packet capture sensor is placed behind a firewall or close to a server of particular importance. The idea is to identify malicious traffic that has managed to get past the firewall. A single sniffer can record a large amount of traffic data so it's best to not put multiple sensors all over the network without provisioning the resources to manage them properly. Depending on network size and resources, one or only a few sensors are deployed to monitor key assets or network paths. The traffic captured by each sensor is transferred to a host or appliance running an intrusion detection system (IDS), such as Snort, Suricata, or Zeek. When traffic matches a detection signature, the IDS raises an alert or generates a log entry but does not block the source host. This type of passive sensor does not slow down traffic and is undetectable by the attacker. An IDS is used to identify and log hosts and applications and to detect password-guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and other policy violations.

An __________ incorporates multiple security functions into a single piece of hardware. Unified Threat Management, or UTM, is the most common all-in-one appliance. UTM puts several key security components into a single device that's usually managed using a web interface. A manufacturer subscription for updates may also be required. Commonly implemented functionality of all-in-one-security devices include the following: URL filtering—prevents users from accessing URL restricted categories. Content inspection—helps ensure HTTP connections and content meet specified criteria. For example, many content filters actively monitor data streams by inspecting the packets in search of viruses, Trojans, worms, and other malicious code. Spam filtering—reduces junk mail in mailboxes of users. Firewall—can be configured with rules and used to log traffic to and from the network. Intrusion detection system—An IDS sends an alert if a network attack is detected. Intrusion prevention system—An IPS sends an alert if a network attack is detected or prevented. A UTM usually includes networking features as well, such as the following: Switch Router Traffic shaping management

All-in-one security appliance

A wirelessly broadcasted network is used on most internal networks so that internal users do not require a physical connection to a router or switch.

Wireless

A _______ network at an organization often grants internet access only to guest users, but it also has some type of firewall to regulate that access. There could be limited internal resources made available on a _______ network. Normally, it is just a way for guests to access the internet without being allowed on the intranet or internal network.

Guest

is a private network (LAN) that employs internet information services for internal use only. For example, your company network might include web servers and email servers that are used by company employees.

Intranet

is a special network created to trap potential attackers. _____ have vulnerabilities that lure attacks so that you can track their actions and protect your real network. _______ can generate extremely useful security information

Honeynet

is a privately controlled network distinct from the intranet but located between the internet and a private LAN. An extranet is often used to grant resource access to business partners, suppliers, and even customers outside of the organization.

Extranet

is a broadcasted network connection used within an organization. Users do not need a physical connection to a network port to connect to the intranet or internal resources. Instead, they use a wireless connection on their device to connect to a wireless access point.

Wireless Zone

a deception strategy that returns spoofed data in response to network probes. ______ is defined as the collection of data at remote points and their automatic transmission to receiving equipment for monitoring. As such, organizations provide false data meant to deceive the attacker. This type of fake information might include fake credentials or fake IP address information. It might be an internal report detailing vulnerable systems that require updates when they are really honeypots designed to capture attacker information.

Fake Telemetry

To work correctly, the malware must use the organization's DNS server. If it uses a public DNS server or its own DNS server, this will not work. You can mitigate this by configuring firewalls to block DNS queries going outside the perimeter. A sinkhole does not prevent malware and cannot prevent malware execution or remove malware from the system. Creating a sinkhole can take time. Even if obtained from trusted internet sources, it's possible legitimate sites are used to forward malicious content. This could result in restrictions to legitimate websites. Therefore, sinkholes should be internal only. If attackers can access the DNS server externally, they can change entries in the sinkhole and use it to their benefit.

DNS Sinkhole disadvantages

Any host that is exposed to attack and has been hardened or fortified against attack.

Bastion or sacrificial host

A firewall device that typically has three network interfaces. One interface connects to the internet, one interface connects to the public subnet, and one interface connects to the private network.

Duel-homed gateway

The router that is most external to the network and closest to the internet.

Screening router

A device residing within the screened subnet that requires users to authenticate in order to access resources within the screened subnet or the intranet.

Screened host gateway

Two-firewall screened subnet

A screened subnet uses two firewalls. The external firewall is connected to the internet and allows access to public resources. The internal firewall connects the screened subnet to the private network. With a screened subnet, if the outer firewall is compromised, the inner firewall still protects the private network

A device, or software running on a device, that inspects network traffic and allows or blocks traffic based on a set of rules.

Firewall

A firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.

Web application firewall (WAF)

A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. Network-based firewalls are typically dedicated hardware devices.

Network firewall

A basic packet filtering firewall is stateless. This means that it does not preserve information about network sessions. Each packet is analyzed independently, with no record of previously processed packets. This type of filtering requires the least processing effort, but it can be vulnerable to attacks spread over a sequence of packets. A stateless firewall can also introduce problems in traffic flow, especially when using some sort of load balancing or when clients or servers need to use dynamically assigned ports.

Stateless firewall

A stateful inspection firewall tracks information about the session established between two hosts. All firewalls now incorporate some level of stateful inspection capability. Session data is stored in a state table. When a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. If it does not, it applies the ordinary packet filtering rules to determine whether to allow it. Once the connection has been allowed, the firewall usually allows traffic to pass unmonitored in order to conserve processing effort.

Stateful firewall

A host-based firewall inspects traffic received by a host. Use a host-based firewall to protect against attacks when there is no network-based firewall, such as when you connect to the internet from a public location. Host-based firewalls are typically software programs. A host-based firewall can be configured to meet the security requirements of the specific host and add an additional layer of security even when a network firewall has been implemented.

Host-based firewall

Layer 7 application-aware filtering, including inspection of Transport Layer Security (TLS) encrypted traffic. Integration with network directories, facilitating per-user or per-role content and time-based filtering policies, providing better protection against an insider threat. Intrusion prevention system (IPS) functionality. Next-generation firewalls can combine traditional firewall functionalities with advanced capabilities, such as deep packet inspection, intrusion prevention, and application awareness. Integration with cloud networking.

Next-generation firewall

performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this value in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality.

Authentication Header (AH)

can be used to encrypt the packet rather than simply calculating an ICV. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV.

Encapsulating Security Payload (ESP)

Transport mode—is used to secure communications between hosts on a private network. When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header. Tunnel mode—is used for communications between VPN sites across an unsecure network. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no use case in tunnel mode, as confidentiality is usually required.

IPSEC modes

Phase I establishes the identity of the two peers and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating peers are commonly used: Digital certificates —are issued to each peer by a mutually trusted certificate authority to identify one another. Pre-shared key (group authentication) —is when the same passphrase is configured on both peers. Phase II uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPsec session.

IKE negotiations take place over two phases:

The practice of encapsulating data from one protocol for safe transfer over another network such as the Internet.

Tunneling

A early tunneling protocol developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete.

Point-to-Point Tunneling Protocol (PPTP)

A tunneling protocol developed by Cisco to establish virtual private network connections over the internet.

Layer 2 Forwarding (L2F)

Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.

Internet Protocol Security (IPsec)

A well-established protocol to secure IP protocols, such as HTTP and FTP. And can also be used to secure other application protocols and as a virtual private networking (VPN) solution.

Secure Sockets Layer (SSL)

Security protocol that uses certificates for authentication and encryption to protect web communications and other application protocols.

Transport Layer Security (TLS)

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

Network access control (NAC)

Plan - A committee should convene and make decisions that define how NAC should work. Define - The roles, identities, and permissions (policies) must be defined. Apply - Once defined, the policies must be applied. Review/Revise - As business needs change, the process must be reviewed to determine whether changes are required.

NAC Process

A repository of vulnerabilities hosted by MITRE Corporation.

Common Vulnerabilities and Exposures (CVEs)

A switch feature that restricts connection to a given port based on the MAC address.

MAC filtering/port security

A switch feature that follows the 802.1x protocol to allow only authenticated devices to connect.

Port authentication

A security feature on some switches that filters out untrusted DHCP messages.

Dynamic Host Configuration protocol (DHCP) snooping

A table maintained by a switch that contains MAC addresses and their corresponding port locations.

Content-addressable memory (CAM) table

An attack that overloads a switch's MAC forwarding table to make the switch function like a hub.

MAC flooding

A security feature on some switches that verifies each ARP request has a valid IP to MAC binding.

Dynamic ARP Inspection (DAI)

An attack in which the attacker's MAC address is associated with the IP address of a target's device.

ARP spoofing

An attack in which the source MAC address is changed on frames sent by the attacker.

VLAN hopping

An attack in which the attacking host adds two VLAN tags instead of one to the header of the frames that it transmits.

Double tagging

An unsecure protocol that could allow unauthorized devices to modify a switch's configuration.

Dynamic Trunking Protocol (DTP)

An attack in which the source MAC address is changed in the header of a frame

MAC spoofing