8 - 3: Network Security Devices Flashcards
Switches
Connect devices to the network
Wireless Access Points
Connect to switches to create Wi-Fi networks
Switches operate at _____ of the OSI model
Layer 2 (data link); they work with MAC addresses only
If a switch happens to operate at level _ of the OSI model, it can _____
3, interpret IP addresses
Routers
Aggregate network traffic going to or from large networks
Router functions
Intelligently manage packets; provide security by maintaining an access control list
Stateless inspection
Restricting network traffic without regard to connection state
Bridges
Simply connect two networks together
Firewalls
Determine if connections should be allowed based on security policy
Firewalls often sit at:
The perimeter between routers and the internet
Stateless inspection (firewalls)
Inspecting packets individually as they come through the firewall; highly inefficient and keeps no historical data
DMZ
Accepts external communications and isolates them from internal networks
Stateful inspections
Monitor active connections; the firewall tracks packet traffic for the duration of the connection
Firewall rule contents
1) Source system address, 2) destination system address, 3) destination port and protocol, 4) allow/deny action
Default/Implicit deny
If a request does not align to a rule, it is automatically denied
NGFW
Next Generation Firewall, uses a lot of contextual information in making decisions
Other firewall roles
Network Address Translation, content/URL filtering, Web Application Firewall
Web Application Firewall
A specialized firewall that blocks website content including HTML elements, SQL forms, outdated media, etc.
Network firewalls
Physical devices
Host-based firewalls
Software Apps or OS components that reside on a server
Advantage to using both firewall types
Achieves defense in depth
Proxy servers
Connect to websites on a user's behalf, sitting in the middle of the client/server connection
Proxy security benefits
1) Anonymity: the website only captures the proxy server's name, 2) Performance: the proxy server caches frequently requested pages, 3) Content filtering: the proxy server itself can filter content on visited pages
Forward proxies
Work on behalf of clients, web servers are not aware they are communicating with a proxy
Reverse proxies
Work on behalf of servers: the reverse proxy sits on the remote network, receives client requests, and passes them on (possibly through another proxy) until they eventually reach the web server itself
Transparent proxies
Work without either the client's or the server's knowledge. Cause some errors with TLS encryption
Load balancers
Scale to meet demand by deciding which servers will answer which requests
Virtual IP address
The address where a load balancer receives requests before deciding how to answer
Autoscaling
Automatically adding more servers to answer demand
Load balancer security roles
SSL certificate management, URL filtering, web application functions
Round-Robin load balancing
The load balancer rotates through a pool of available servers, giving each an equal load. Not ideal, as not all servers are equal.
Advanced Scheduling Algorithms
Distribute requests based on an algorithm that accounts for server performance and current load
Session persistence
Routing an individual’s requests to the same server using the regular scheduling algorithm
Load balancer caution
Can be a single point of failure; keep them in high-availability mode
Load balancer approaches
Active-Active: 2 balancers running continuously
Active-Passive: 1 balancer running, 1 in backup; the backup monitors sessions and is ready to take over if the first fails
VPN roles
Connect remote locations to each other, connect remote users to locations. Significant encryption resource use
VPN mechanism
Creates a tunnel, encrypting incoming traffic and decrypting outgoing traffic.
VPN endpoints
Firewall, router, server, dedicated concentrator
IPsec
Internet Protocol Security, an earlier method of creating VPN tunnels at the network OSI layer, typically for site-to-site tunnels
L2TP
Layer 2 Tunneling Protocol; a protocol that IPsec supports
Remote user VPNs
Typically use SSL/TLS encryption on port 443
HTML5 VPN
Web-based interface that makes use of internal network resources and proxies for VPN connections entirely within a web browser
Full-tunnel VPN
All traffic is routed through the tunnel, regardless of its destination
Split-tunnel VPN
Only traffic intended for the organization is routed through the VPN tunnel. Recommended against: even though they conserve bandwidth, they may confuse users, as their traffic is not technically always secure
Always-on VPN
Devices connect to a VPN at boot
Intrusion detection
Monitors network traffic for potentially malicious traffic and alerts administrators
Intrusion prevention
Monitors network traffic for potentially malicious traffic and automatically blocks when detected
False positive
Alerted to a threat that did not take place
False negative
An event took place but no alert was raised
Signature-based detection
Screens activity against a database of known actions (signatures). AKA rule-based detection
Anomaly detection
Develops a model of what is baseline or normal behavior, then checks network activity against that baseline
IDS/IPS systems are at ____ level
Application layer / OSI layer 7
Anomaly detection is AKA
Behavior detection or heuristic detection
In-band / inline deployment
IPS sits directly on the network path and all communications must pass through it. Raises the risk that, if the inline IPS fails, it could disrupt all network communications
Out-of-band
IPS sits outside the flow of network traffic, connected to a SPAN port on a switch, allowing it to receive copies of traffic sent through the network. AKA passive mode, because it can react by sending block commands for future communications but cannot stop them while they happen
Protocol analyzers
Allow inspecting individual packets traveling through a network
Wireshark
A widely used, free protocol analyzer
tcpdump
A command-line protocol analyzer
tcpreplay
A command-line tool that allows editing and replaying packet captures
Unified Threat Management
A device that combines all security services into a single unit. Doesn't usually perform SSL termination