Ch4: Securing Your Network Flashcards
HIDS
Host-based intrusion detection system can monitor all traffic on a single host system to detect malicious activity
NIDS
Network-based intrusion detection system is installed on network devices such as routers or firewalls to monitor network traffic and detect network-based attacks. Cannot monitor encrypted traffic or traffic on individual hosts
TCP handshake sequence
SYN, SYN/ACK, ACK
SYN flood attack
Attacker sends multiple SYN packets but never completes the handshake with an ACK
Signature-based detection (IDSs)
Identifies issues based on known attacks or vulnerabilities and can detect known anomalies
Heuristic/Behavioral-based detection (IDSs)
Can detect unknown anomalies by starting with a performance baseline of normal behavior and comparing network traffic against it to detect abnormal behavior
False positive
Indicates an attack is occurring when no attack is active (increases admins' workload)
False negative
System does not detect or report an attack that is actually occurring
An IPS can…
detect, react, and prevent attacks. It can actively monitor data streams, detect malicious content, and stop attacks in progress.
An IDS can…
monitor and respond to an attack
IPS and IDS collect data differently because…
IPS is inline with the traffic - all traffic passes through the IPS (in-band). IDS collects data passively, not inline with the traffic (out-of-band)
IPS is what type of control?
Preventive control
Honeypot
A “sweet”-looking server that has been left open or unsecured in order to divert attackers from the live network or allow observation of the attacker
Honeynet
A group of honeypots within a separate network or zone, but accessible from an organization’s primary network
IEEE 802.1x
Port-based authentication protocol that ensures only authorized clients can connect to a network
Fat AP
A stand-alone access point that is managed independently
Thin AP
A controller-based AP managed by a wireless controller. The controller configures the AP
SSID
Service set identifier identifies the name of the wireless network (you should change the name so it’s not ‘Netgear’)
SSID Broadcasting
You can disable the SSID broadcast to hide the network from casual users, but it will not be hidden from an attacker with a wireless sniffer (and is not more secure)
MAC filtering
Can restrict access to a wireless network to specific clients
To bypass MAC filtering…
use a wireless sniffer to discover the allowed MAC addresses, then configure your NIC to have one of the allowed MACs (spoof it)
Easy way to limit the range of an AP
Reduce the AP’s power level so people outside the intended area will be out of range
WPA
Wi-Fi Protected Access provided an immediate replacement for WEP and originally used TKIP. Later implementations support the stronger AES encryption
TKIP
Temporal Key Integrity Protocol is an older encryption protocol used with WPA (deprecated by IEEE due to security issues)
WPA2
Permanent replacement for WEP and WPA. Supports CCMP (based on AES) which is much stronger than TKIP
CCMP
Cipher Block Chaining Message Authentication Code Protocol
PSK
Pre-shared key. Does not provide individual authentication
Why does PSK not provide authentication?
Authentication is proving a user’s identity by using credentials. PSK is a pre-shared key or password. Simply providing a password with no username provides authorization but no authentication since no user’s identity was proven
What modes can WPA and WPA2 operate in?
PSK or Enterprise mode (or Open mode)
Open mode
No security, allows all users to use the AP
Enterprise mode
Provides strong authentication. Uses an 802.1x server
EAP
Extensible Authentication Protocol is an authentication framework that provides general guidance for authentication methods
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling supports certificates, but they are optional
PEAP
Protected EAP encapsulates and encrypts the EAP conversation in a TLS tunnel. PEAP requires a certificate on the server, but not the clients
EAP-TTLS
EAP-Tunneled TLS is an extension of PEAP allowing systems to use some older authentication methods (like PAP) within a TLS tunnel. Requires a certificate on the 802.1x server but not the clients
EAP-TLS
One of the most secure EAP standards. Requires certificates on the 802.1x server and on each of the wireless clients
Disassociation attack
Removes a wireless client from a wireless network, forcing it to reauthenticate
WPS
Wi-Fi Protected Setup allows users to configure wireless devices by pressing buttons OR entering an 8-digit PIN
WPS attack
Brute forces the 8-digit PIN within hours, then uses it to discover the passphrase
Rogue AP
Provides access to unauthorized users and are often used to capture and exfiltrate data
Evil twin
Rogue AP using the same SSID as a legitimate AP
Bluejacking
Unauthorized sending of text messages to a nearby Bluetooth device
Bluesnarfing
Unauthorized access to, or theft of information from, a Bluetooth device
Prevent bluejacking and bluesnarfing by
Ensuring devices cannot be paired without manual user intervention
Replay attack
Attacker captures data sent between two entities, modifies it, and attempts to impersonate one of the parties by resending the data
Prevent network replay attacks by using
WPA2 with CCMP/AES. TKIP is vulnerable to replay attacks
RFID attacks
Eavesdropping, replay, and DoS
VPN
Virtual private network provides remote access to a private network via a public network.
VPN concentrators
Dedicated devices used for VPNs that include all services needed to create a secure VPN supporting many clients
IPsec
Internet protocol security is a secure encryption protocol used with VPNs
ESP
Encapsulating Security Payload provides confidentiality, integrity, and authentication for VPN traffic
IPsec Tunnel Mode
Used for VPN traffic, has protocol ID 50 for ESP
IPsec authenticates clients using
IKE (Internet Key Exchange) over port 500
Full tunnel
Encrypts all traffic after a user has connected to a VPN
Split tunnel
Only encrypts traffic destined for the VPN’s private network
NAC
Network access control includes methods to inspect clients for health, like having up-to-date AV software. NAC can restrict access of unhealthy clients to a remediation network. NAC can be used for VPN or internal clients
NAC agents
Permanent agents are installed on the clients. Dissolvable agents are not installed and are often used to inspect employee-owned mobile devices
PAP
Password Authentication Protocol uses a password or PIN, but sends the information over a network in plaintext, making it susceptible to sniffing attacks.
CHAP
Challenge Handshake Authentication Protocol is more secure than PAP because passwords are not sent over the network in cleartext
Centralized authentication services
RADIUS, TACACS+, Diameter
TACACS+
Proprietary to Cisco but can be used with Kerberos
Diameter
Improvement over RADIUS and supports many additional capabilities like securing transmissions with EAP