8. Network Defense Flashcards
layers of network defence
defences are layered as attacks are also layered
- first level
- firewall to control access to/from unauthorised network - second level
- intrustion detection/protection against malicious network activity - third level
- VPM provides encryption over public IP network
firewall
can be implemented as hardware/software
monitor and filter traffic
zero trust model
- don’t trust external
- don’t trust employees
attacks that firewall can prevent
- port scanning(limited)
- wardriving
- DDoS (limited)
packet filtering
stateless firewall
- look at each packet
- does not look connection
stateful firewall
- look at connections and maintain state table
- use table to maintain security policies
intrusion detection system IDS
- detects unauthorised access to network without traffic through it
- HUB: promiscuous mode
- SWITCH: port mirroring
- can be extended to host based IDS
- inspect contents on the endpoints
- deep packet inspection
- covers larger scope
intrusion protection system IPS
- does what IDS does + protection
2. located between firewall and internal network
proxies
- protects by redirecting requests at application layer
- dedicated checks for each service protocol in application layer
- not suitable for real time service - scans incoming traffic and conduct DPI
- compute intensive
virtual private network
- authentication
- user must be authenticated before secure tunnel is established - tunneling
- encapsulation using own protocol - encryption
- data is protected when using tunnel
security protocols for VPN
- IPSec
- encryption takes place in 2 stages IKEv1
- need keys
- able to guess keys based on the error response from server
- IKEv2 fix error but prone to dictionary attack - TLS
- faster and better security
- the closer the guess is to the actual password, the shorter the error message
honey pots
- deliberately weakened endpoint
- decoy
- setup in VM and isolated
- need to change often to look convincing
network attacks
- port spoofing
- port scanning
- router
- evil twin - hotspot hijacking
- evil twin - DoS
- packet sniffing
port spoofing
- SSH usually assigned to port 22
- security tools used to lock down port 22
- SSH commands can be embedded to other protocols for different port
- can be spotted by DPI
port scanning
check ports to see which are open, closed, filtered
find the application running behind the port
1. TCP scan
- send SYN to ports
- if port open, port will reply with SYN ACK
- if port closed, port will reply with RST ACK
- half open scan
- immediately remove connection by sending RST if port is open.
- port remains open
TCP scan pro/con
advantages
- no special privileges
- accurate in determining TCP services
- can distinguish between open, close, filtered
disadvantages
- time consuming
- easily detected by IPS/IDS
- recorded in target’s log
half open scan pro/con
advantages
- faster than tcp
- stealthy (no target log)
- able to differentiate open, close, filtered
disadvantage
- require privilege access
- some firewall watch out for half open scans
