Application Monitoring Flashcards
A list of permitted and denied network connections based on either IP addresses, ports, or applications in use
Access Control List (ACL)
Firewall logs can provide you with four types of useful security data
Connections that are permitted or denied
Port and protocol usage in the network
Bandwidth utilization with the duration and volume of usage
An audit log of the address translations (NAT/PAT) that occurred
A Linux-based firewall that uses the syslog file format for its logs
iptables
A Windows-based firewall that uses the W3C Extended Log File Format
Windows Firewall
A condition that occurs when a firewall is under-resourced and cannot log data fast enough, so some data is missed
Blinding Attack
A physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet
Demilitarized Zone (DMZ)
Basic principles for configuring firewall ACLs
▪ Block incoming requests from internal or private, loopback, and multicast IP address ranges
▪ Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc.)
▪ Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only
A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable to the requester
Drop Versus Reject
ACL rules that are applied to traffic leaving a network to prevent malware from communicating with Command and Control servers
Egress Filtering
Best practices for configuring egress filters
▪ Only allow whitelisted application ports and destination addresses
▪ Restrict DNS lookups to trusted and authorized DNS services
▪ Block access to known bad IP address ranges (blacklist)
▪ Block all internet access from host subnets that don’t use it (e.g., ICS/SCADA)
A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic
Black Hole
Unused physical network ports or unused IP address space within a local network often used by attackers
Dark Nets
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis
Sinkhole
A server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance
Forward Proxy
A server that redirects requests and responses for clients configured with the proxy address and port
Nontransparent Proxy