Ch4: Securing Your Network Flashcards
HIDS
A host-based intrusion detection system runs on a single host and monitors that host's activity (the traffic to and from it, and typically its logs and files) to detect malicious activity on that one system
NIDS
A network-based intrusion detection system runs on a sensor that sees network traffic (or on network devices such as routers or firewalls) to monitor traffic and detect network-based attacks. It cannot inspect the contents of encrypted traffic and cannot see activity that stays on an individual host
TCP handshake sequence
SYN, SYN/ACK, ACK
SYN flood attack
The attacker sends many SYN packets (often from spoofed source addresses) but never completes the handshake with the final ACK, so the target holds half-open connections until it runs out of resources
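As an added example (not part of the original flashcards), the following Python tracks the three-way handshake state per connection and flags a source that leaves many half-open connections. The packet records are constructed inline; the flag strings ("S", "SA", "A") and the threshold of five half-open connections are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a minimal record (constructed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def track_handshakes(segments):
    """Replay segments and return {(client, server, cport, sport): state}.

    States: SYN_RECEIVED (client sent SYN), SYN_ACK_SENT (server replied),
    ESTABLISHED (client sent the final ACK). Anything not ESTABLISHED is
    a half-open connection from the server's point of view.
    """
    state = {}
    for seg in segments:
        if seg.flags == "S":
            state[(seg.src, seg.dst, seg.sport, seg.dport)] = "SYN_RECEIVED"
        elif seg.flags == "SA":
            # Server -> client, so reverse the tuple to find the client's entry
            key = (seg.dst, seg.src, seg.dport, seg.sport)
            if state.get(key) == "SYN_RECEIVED":
                state[key] = "SYN_ACK_SENT"
        elif seg.flags == "A":
            key = (seg.src, seg.dst, seg.sport, seg.dport)
            if state.get(key) == "SYN_ACK_SENT":
                state[key] = "ESTABLISHED"
    return state


def half_open_by_source(state):
    """Count half-open connections per client address."""
    counts = defaultdict(int)
    for (src, _, _, _), s in state.items():
        if s != "ESTABLISHED":
            counts[src] += 1
    return dict(counts)


def half_open_by_target(state):
    """Count half-open connections per (server, port); useful when the
    attacker spoofs source addresses and per-source counts stay low."""
    counts = defaultdict(int)
    for (_, dst, _, dport), s in state.items():
        if s != "ESTABLISHED":
            counts[(dst, dport)] += 1
    return dict(counts)


def syn_flood_sources(segments, threshold=5):
    """Return client addresses with at least `threshold` half-open connections."""
    counts = half_open_by_source(track_handshakes(segments))
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample traffic: one legitimate client completes the handshake,
# one attacker sends eight SYNs and never answers the SYN/ACK.
SERVER = "10.0.0.10"
SAMPLE = [
    Segment("10.0.0.5", SERVER, 40000, 80, "S"),
    Segment(SERVER, "10.0.0.5", 80, 40000, "SA"),
    Segment("10.0.0.5", SERVER, 40000, 80, "A"),
]
for port in range(50000, 50008):
    SAMPLE.append(Segment("203.0.113.7", SERVER, port, 80, "S"))
    SAMPLE.append(Segment(SERVER, "203.0.113.7", 80, port, "SA"))

if __name__ == "__main__":
    print("flood sources:", syn_flood_sources(SAMPLE))
    print("half-open per target:", half_open_by_target(track_handshakes(SAMPLE)))
```

Per-source counting only works when the attacker uses real addresses; a flood with spoofed sources shows up instead as a large half-open count on one (server, port) pair, which is why the block also counts by target.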
Signature-based detection (IDSs)
Identifies attacks by matching traffic against a database of signatures for known attacks or vulnerabilities; it cannot detect an attack that has no signature yet, so the signature database must be kept up to date
Heuristic/Behavioral-based detection (IDSs)
Can detect unknown attacks: it starts from a baseline of normal behavior and compares current network traffic against that baseline to flag abnormal behavior (a poor baseline produces false positives)
False positive
The system reports an attack when no attack is occurring (increases the administrators' workload and leads to alert fatigue)
False negative
System does not detect or report an attack that is actually occurring
An IPS can…
detect, react, and prevent attacks. It can actively monitor data streams, detect malicious content, and stop attacks in progress.
An IDS can…
monitor traffic, detect an attack and alert on it; it is mainly a detective control, although some IDSs can also respond (for example by sending TCP resets or adding a firewall rule)
IPS and IDS collect data differently because…
IPS is inline with the traffic - all traffic passes through the IPS (in-band). IDS collects data passively, not inline with the traffic (out-of-band)
IPS is what type of control?
Preventive control
Honeypot
A “sweet”-looking server deliberately left open or weakly secured in order to divert attackers from the production network and to observe the attacker’s tools and techniques
Honeynet
A group of honeypots within a separate network or zone, but accessible from an organization’s primary network
IEEE 802.1X
Port-based network access control standard: a client must authenticate (normally via EAP against a RADIUS server) before the switch port or wireless association carries normal traffic, ensuring only authorized clients can connect to the network
Fat AP
A stand-alone access point that is managed independently
Thin AP
A controller-based AP managed by a wireless controller. The controller configures the AP
SSID
Service set identifier: the name of the wireless network (change the default so it is not something like ‘Netgear’, which reveals the vendor and likely model)
SSID Broadcasting
You can disable the SSID broadcast to hide the network from casual users, but it is not hidden from an attacker with a wireless sniffer, because the SSID still appears in cleartext in probe and association frames (so it is not a security control)
MAC filtering
Restricts access to a wireless network to a list of allowed client MAC addresses (a weak control, since MAC addresses are easily observed and spoofed)
To bypass MAC filtering…
use a wireless sniffer to discover the allowed MAC addresses (802.11 frame headers carry the MAC in cleartext even on an encrypted network), then configure your NIC to use one of the allowed MACs (spoof it)
Easy way to limit the range of an AP
Reduce the AP’s power level so people outside the intended area will be out of range
WPA
Wi-Fi Protected Access provided an immediate replacement for WEP and originally used TKIP. The later WPA2 uses the stronger AES-based CCMP encryption
TKIP
Temporal Key Integrity Protocol is an older encryption protocol used with the original WPA (deprecated by the IEEE due to security weaknesses; use AES-CCMP instead)