Application Monitoring Flashcards
A list of permitted and denied network connections based on either IP addresses, ports, or applications in use
Access Control List (ACL)
Firewall logs can provide you with four types of useful security data
▪ Connections that are permitted or denied
▪ Port and protocol usage in the network
▪ Bandwidth utilization with the duration and volume of usage
▪ An audit log of the address translations (NAT/PAT) that occurred
A Linux-based firewall that uses the syslog file format for its logs
iptables
A Windows-based firewall that uses the W3C Extended Log File Format
Windows Firewall
A condition that occurs when a firewall is under-resourced and cannot log data fast enough, therefore some data is missed
Blinding Attack
A physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet
Demilitarized Zone (DMZ)
Basic principles for configuring firewall ACLs
▪ Block incoming requests from internal or private, loopback, and multicast IP address ranges
▪ Block incoming requests from protocols that should only be used locally (ICMP, DHCP, OSPF, SMB, etc.)
▪ Configure IPv6 to either block all IPv6 traffic or allow it to authorized hosts and ports only
A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable to the requester
Drop Versus Reject
ACL rules that are applied to traffic leaving a network to prevent malware from communicating to Command and Control servers
Egress Filtering
Best practices for configuring egress filters
▪ Only allow whitelisted application ports and destination addresses
▪ Restrict DNS lookups to trusted and authorized DNS services
▪ Block access to known bad IP address ranges (blacklist)
▪ Block all internet access from host subnets that don’t use it (e.g., ICS/SCADA)
A means of mitigating DoS or intrusion attacks by silently dropping (discarding) traffic
Black Hole
Unused physical network ports or unused IP address space within a local network often used by attackers
Dark Nets
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis
Sinkhole
A server that mediates the communications between a client and another server, can filter or modify communications, and provides caching services to improve performance
Forward Proxy
A server that redirects requests and responses for clients configured with the proxy address and port
Nontransparent Proxy
A server that redirects requests and responses without the client being explicitly configured to use it
Transparent Proxy (Forced or Intercepting Proxy)
A type of proxy server that protects servers from direct contact with client requests
Reverse Proxy
A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
Web Application Firewall (WAF)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress
Intrusion Detection System (IDS)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress and can actively block the attacks
Intrusion Prevention System (IPS)
Open-source software available for Windows and selected Linux distributions that can operate in IDS or IPS mode
Snort (snort.org)
An open-source IDS for UNIX/Linux platforms that contains a scripting engine which can be used to act on significant events (notices) by generating an alert or implementing some sort of shunning mechanism
Zeek (zeek.org)
An open-source Linux-based platform for security monitoring, incident response, and threat hunting. It bundles Snort, Suricata, Zeek, Wireshark, and NetworkMiner with log management and incident management tools
Security Onion (securityonion.net)
Refers to blocking unauthorized application service ports on hosts and firewalls, or to securing the physical and remote access ports used to allow a host to communicate on the local network
Port Security
Physical access to the switch ports and switch hardware should be restricted to authorized staff
Physical Port Security
Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it
MAC Filtering
A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level
Network Access Control (NAC)
Network access control (NAC) provides the means to authenticate users and evaluate device integrity before a network connection is permitted
NAC Configuration
A standard for encapsulating EAP (Extensible Authentication Protocol) communications over a LAN or wireless LAN and that provides port-based authentication
802.1X
A switch (or router) that performs some sort of authentication of the attached device before activating the port
Port-based NAC
The process of assessing the endpoint for compliance with the health policy
Posture Assessment
The process and procedures that occur if a device does not meet the minimum security profile
Remediation
The point at which client devices are granted or denied access based on their compliance with a health policy
Pre- and Post-admission Control
Defines access periods for given hosts using a time-based ACL
Time-based
Evaluates the location of the endpoint requesting access using geolocation of its IP, GPS, or other mechanisms
Location-based
NAC method that re-evaluates a device’s authorization when it is used to do something (also called adaptive NAC)
Role-based
A complex admission policy that enforces a series of rules which are written as logical statements (IF …. AND …. OR)
Rule-based