Application Monitoring Flashcards
A list of permitted and denied network connections based on either IP addresses, ports, or applications in use
Access Control List (ACL)
Firewall logs can provide you with four types of useful security data
Connections that are permitted or denied
Port and protocol usage in the network
Bandwidth utilization with the duration and volume of usage
An audit log of the address translations (NAT/PAT) that occurred
A Linux-based firewall that uses the syslog file format for its logs
iptables
A Windows-based firewall that uses the W3C Extended Log File Format
Windows Firewall
A condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
Blinding Attack
A physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet
Demilitarized Zone (DMZ)
Basic principles for configuring firewall ACLs
▪ Block incoming requests from internal or private, loopback, and multicast IP address ranges
▪ Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc.)
▪ Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only
A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable to the requester
Drop Versus Reject
ACL rules that are applied to traffic leaving a network to prevent malware from communicating to Command and Control servers
Egress Filtering
Best practices for configuring egress filters
▪ Only allow whitelisted application ports and destination addresses
▪ Restrict DNS lookups to trusted and authorized DNS services
▪ Block access to known bad IP address ranges (blacklist)
▪ Block all internet access from host subnets that don’t use it (e.g., ICS/SCADA)
A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic
Black Hole
Unused physical network ports or unused IP address space within a local network that are often used by attackers
Dark Nets
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis
Sinkhole
A server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance
Forward Proxy
A server that redirects requests and responses for clients configured with the proxy address and port
Nontransparent Proxy
A server that redirects requests and responses without the client being explicitly configured to use it
Transparent Proxy (Forced or Intercepting Proxy)
A type of proxy server that protects servers from direct contact with client requests
Reverse Proxy
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
Web Application Firewall (WAF)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress
Intrusion Detection System (IDS)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress and can actively block the attacks
Intrusion Prevention System (IPS)
Open-source software available for Windows and selected Linux distributions that can operate in IDS or IPS mode
Snort (snort.org)
An open-source IDS for UNIX/Linux platforms that contains a scripting engine which can be used to act on significant events (notices) by generating an alert or implementing some sort of shunning mechanism
Zeek (zeek.org)
An open-source Linux-based platform for security monitoring, incident response, and threat hunting. It bundles Snort, Suricata, Zeek, Wireshark, and NetworkMiner with log management and incident management tools
Security Onion (securityonion.net)
Refers to blocking unauthorized application service ports on hosts and firewalls, or to the physical and remote access ports used to allow a host to communicate on the local network
Port Security