8 - 4: Network Security Techniques Flashcards
Two major objectives
Perimeter security and limiting physical access to authorized users and devices
Perimeter security
Keeping unwanted users out of the network entirely
Access Control Lists
ACLs, the records of users allowed past a firewall
Network Access Control
Intercepts network traffic coming from unknown devices and verifies authorization before beginning communication
Rules
The simplest form of restriction, expressed as technical terms or business logic
NAC Authentication protocol
802.1x
Three systems in NAC protocol
1) the device attempting to connect to the NAC network, which must be running a supplicant 2) the switch the device connects to, on a wired network 3) a back-end authentication server
Supplicant
Performs all NAC duties on behalf of user and system
Authenticator
On wireless systems, the device/switch which receives credentials from the end user
Back-end authentication server
In NAC, performs authentication for all authenticators on the network
Additional NAC capabilities
Role-based access and posture checking
Role-based access
Once the authenticator knows user identity, it decides where they are placed
Posture checkers
Verify that systems connecting to the network meet certain criteria, such as current antivirus software
Inbound NAC
NAC device is directly involved with making and enforcing access control
Outbound NAC
NAC device makes enforcement decisions, everything else makes the networking decisions
Firewall errors
Shadowed rule, promiscuous rules, orphaned rules
Shadowed rule
A rule in the rule base that will never be executed because of where it is placed in the rule base. Occurs when rules are ordered from general to specific
Promiscuous rules
Violate the principle of least privilege
Orphaned rules
When a system or service is decommissioned but the rules are not removed from the firewall
Standard Access Control List entries
access-list [number] [permit/deny] [source] [mask]
Extended Access Control Lists
Block addresses based on source and destination addresses, protocols, and ports
Why firewalls over routers?
1) purpose-specific and efficient 2) advanced rule capability 3) integrate with and provide advanced security functions
VLAN pruning
The least privilege principle applied to the number of VLANs
VLAN hopping
Moving from one VLAN to another with more access/resources, typically by impersonating a switch
Mitigating VLAN hopping
Deny automatic VLAN trunk negotiation and only trunk when a network admin allows it
Port security
Limits MAC addresses to prevent disconnecting devices from switches and replacing them with a rogue device
Port security modes
Static and dynamic
Static port security
Admin manually configures each switch port with the allowable MAC address. Slower but safer
Dynamic port security
Admin enables port security, then has the switch remember the first MAC address it sees and restrict access to that one. Faster but riskier
DHCP snooping
Blocks malicious DHCP traffic, checking it for proper format and origination
SYN flood
An attack that sends thousands of initial SYN packets to open TCP connections but never answers the SYN-ACK replies, leaving the connections half-open
MAC flooding
Attackers send large numbers of different MAC addresses to a switch, hoping to overflow the switch's MAC address table so it forgets where devices are and floods traffic out all ports, enabling eavesdropping
Flood guard protection
Controls the number of open connections that each source system may have
Routing loops
Occur when there are multiple physical paths between two network devices that begin mistakenly routing broadcast traffic redundantly
Broadcast storm
When a routing loop occurs and no capacity is left for legitimate use
Spanning tree protocol
Prevents loops by allowing multiple physical connections between devices but restricting the logical connections, preventing the final links from forming a loop
Bridge Protocol Data Units
Status messages that spanning tree protocol uses
Firewall log details
Connection attempts, timestamps, relevant firewall rule deployed
Firewall log use
1) incident response 2) connectivity issues 3) regular monitoring for anomalous connections
Network flow data
Keeps records of network traffic as summary details, but not packet contents or enclosed data
SNMP
Simple Network Management Protocol, capable of automating many of the tasks related to administration
SNMP components
Managed devices, SNMP agent
Managed devices
Any networking devices overseen by SNMP
SNMP agent
Software on the managed device allowing communication with the SNMP service
Network management system
Central system responsible for communicating with SNMP agents and managing the network
Get request
When the network management system wants information from a managed device
Current SNMP version
SNMP version 3
SNMP trap
Communication sent when a managed device has information to report to the management system
Jump boxes
Allow administrative connections for facilitating connection, or jumping, between security zones in a segmented system. Can be a powerful tool to circumvent network segmentation. Have a bunch of different names
Darknets
IP address space that is not legitimately used but monitored for attacker activity
Honeyfiles
Files intended to look like legitimate data/files, but actually containing garbage
Honeypots
Fake networks intended to lure attackers, which immediately alert security staff
Honeynets
Large-scale, multiple honeypots used to lure attackers
DNS sinkhole
Altered DNS records used to reroute malicious botnet traffic