Chapter 12 Network Security Flashcards
What is Defense in Depth?
Defense in depth is using multiple layers of security controls to ensure the failure of a single control is unlikely to cause a breach.
What is the purpose of the OSI model?
The purpose of the OSI model is to conceptually describe how devices and software operate together through networks.
OSI Model Structure
The 7 layers are divided into two groups, the host layers and media layers. Layers 1-3 are the media layers used to transmit bits that make up network traffic. Layers 4-7 are the host layers that ensure data transmission is reliable and manageable.
- Physical Layer
- Data Link Layer
- Network Layer
- Transport Layer
- Session Layer
- Presentation Layer
- Application Layer
What is Network Segmentation?
Network Segmentation is the division of networks into logical or physical groups. The most common concept used for network segmentation is a VLAN. These include DMZs, intranets, and extranets.
What is a DMZ?
A DMZ is a perimeter network that protects an organization's internal LAN from untrusted traffic by adding an extra layer of security.
Intranet vs. Extranet
An Intranet is a network where employees communicate, collaborate, etc. An Extranet is similar but provides controlled access to authorized customers, vendors, partners, or other outsiders.
Ex. Workbench is an intranet, new Intellink is an extranet.
What is the concept of zero trust?
Zero trust is the assumption that threats will come from both inside and out; nobody is trusted regardless of position or location.
What is a NAC?
Network Access Control technology focuses on whether a system or device should be allowed to connect to a network.
What is the difference between agent-based and agentless NAC?
Agent-based NAC requires installation and adds complexity and maintenance, but provides more control.
Agentless NAC installations are lightweight and easier to handle for users whose machines may not be centrally managed, but they provide less detail.
What is Port Security?
Port Security allows you to limit the number of MAC addresses that can be used on a single port.
What are CAM tables and what do they do?
Content Addressable Memory tables map MAC addresses to IP addresses, allowing a switch to send traffic to the correct port.
What is a CAM table overflow?
If the CAM table doesn't have an entry, the switch will attempt to determine what port the address is on, broadcasting traffic to all ports if necessary. Attackers who can fill a CAM table can make switches fail over to broadcasting traffic, making otherwise inaccessible traffic visible on their local port.
What is the job of a switch?
Switches take information that comes from one port and pass it along to another port.
What is a MAC address?
A MAC address is essentially the physical equivalent of an IP address. Every network-enabled device has a network adapter (NIC), and the MAC address is that device's unique hardwired address.
What is the best way to prevent CAM overflow attack?
1. turn the fucking switch off
2. Port Security (limit the amount of MAC addresses each port can have)
What is a CAM table overflow attack?
A CAM table overflow attack is when a flood of bogus MAC addresses is sent to the switch. The flood causes the switch to dump the valid addresses it has in its CAM table in an attempt to make room for the bogus entries. After that happens, the switch's default behavior is to broadcast private messages to all ports.
What is Loop Prevention?
Loop Prevention focuses on detecting loops and then disabling ports to prevent the loops from causing issues.
STP is a layer 2 network protocol used to prevent looping within a network.
What is a broadcast storm?
A broadcast storm occurs when a loop in a network causes traffic amplification as switches try to figure out where traffic should be sent.
How do you prevent a broadcast storm?
Storm prevention prevents broadcast packets from being amplified, which goes hand in hand with loop prevention. Enable STP on switches and rate-limit broadcast traffic.
What is a BPDU?
Bridge Protocol Data Unit is a data message transmitted across a LAN to detect loops in the network.
What is BPDU Guard?
BPDU Guard protects STP by preventing ports that should not send BPDU messages from sending them.
What is DHCP Snooping?
DHCP snooping is a layer 2 security technology that drops DHCP traffic determined to be unacceptable. DHCP Snooping prevents unauthorized (rogue) DHCP servers from handing out IP addresses to clients. It can be configured to drop messages where the source MAC and the hardware MAC of a network card do not match.
DHCP Snooping occurs on SWITCHES!!!
What is a port mirror?
A port mirror sends a copy of all traffic sent to one switch port to another switch port for monitoring.
What is a Switch Port Analyzer (SPAN)?
A SPAN does the same thing as a port mirror, but a SPAN can also combine traffic from multiple ports to a single port for analysis.
What is a VPN?
A virtual private network is a way to create a private network that allows endpoints to act as though they are on the same network.
It’s easy to think about a VPN as an encrypted tunnel, but encryption is NOT a requirement of a VPN tunnel.
What are the two types of VPNs?
- IPSec VPN
- SSL VPN
IPSec VPN
IPSec VPNs require a client and can operate in tunnel or transport mode.
They operate at layer 3 (the network layer).
IPSec VPNs Tunnel vs. Transport Mode
In tunnel mode, entire packets of data sent to the other end of the VPN connection are protected.
In transport mode, the IP header is not protected but the IP payload is.
What is an SSL VPN?
A VPN that uses SSL or more commonly TLS.
Like IPSec VPNs, SSL VPNs can offer tunnel mode but can also be used without a client or specific endpoint configuration normally required for IPSec VPNs.
VPN Considerations: Remote or Site-to-Site?
Remote access VPNs are often used for traveling staff or remote workers, and are used "as needed".
Site-to-Site VPNs are always on, so if they disconnect they immediately try to reconnect.
VPN Considerations: Split Tunnel vs. Full Tunnel?
Full tunnel VPN sends all network traffic through the VPN tunnel, keeping it secure as it goes to the remote trusted network.
A split tunnel VPN only sends traffic intended for systems on the remote trusted network through the VPN tunnel. Split tunnel VPNs use less bandwidth, but the traffic is not protected by the VPN and cannot be monitored.
What is a jump server/jump box?
A jump box is a system on a network used to access and manage devices in a separate security zone.
Jump boxes are frequently used with SSH or RDP and should be configured to create and maintain a secure audit trail.
What is a load balancer?
Load balancers are used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching.
What are the two major load balancer modes of operation?
- Active/active
- Active/passive
Load balancers: active/active vs. active/passive
Active/Active LBs distribute the load among multiple systems that are online and in use at the same time.
Active/Passive LBs bring backup systems online when an active system is removed or fails to respond. This is more likely to be part of a disaster recovery/business continuity system.
What is load balancer scheduling?
What are the most common methods?
Load balancing algorithms decide where traffic is sent. The most common methods are:
- Round robin sends each request to servers by working through a list, with each server receiving traffic in turn.
- Least connection sends traffic to the server with the fewest number of active connections.
- Agent-based adaptive balancing monitors the load to determine a server's ability to respond and updates the load balancer's traffic distribution based on agent reports.
- Source IP hashing uses a hash of the IP source to assign traffic to servers. This is essentially a randomization algorithm using client driven input.
Load Balancing Weighted Scheduling
- Weighted least connection uses a least-connection algorithm combined with a predetermined weight value for each server.
- Fixed weighted relies on a preassigned weight for each server, often based on capability or capacity.
- Weighted response time combines the server's current response time with a weight value to assign it traffic.
What is a proxy server?
A proxy is an intermediary between the client and the server.
Forward vs. Reverse Proxy
Forward proxies accept requests from clients and send them to servers.
Reverse proxies sit behind the firewall in a private network and direct clients to appropriate servers, and are used to help with load balancing and caching.
NAT Gateways
A NAT gateway is a device that provides network address translation and tracks which packets should be sent to each device (e.g., a home internet router). A NAT can act like a firewall.
NAT gateway vs. Proxy
A NAT gateway works at the network layer (3) while a proxy works at the application layer (7). NAT is transparent to applications, whereas a proxy requires clients to direct their traffic to the IP address of the proxy server.
Content/URL filter
Content filters are devices or software that allow or block traffic based on content rules. This can be done on proxies, firewalls, IPS, etc.
What is DLP?
Data Loss Prevention is ensuring data isn't extracted or inadvertently sent from a network. DLP systems can use pattern matching and tagging to identify data, and can block traffic, send notifications, or force encryption.
What is IDS/IPS?
Intrusion Detection/Prevention Systems are used to detect threats and in the case of IPS, block them.
Both can be deployed in passive mode, where they can report but not take action. An IPS in passive mode is essentially an IDS.
What are the three IDS/IPS detection methods?
- Signature based (relies on hash or signatures of a known threat)
- Heuristic, or behavior based (specific patterns or actions that match threat behavior)
- Anomaly based detection (establishes baseline for an organization then flags when out of the ordinary behavior occurs).
What is an HSM?
Hardware Security Modules are used to generate, store, and manage cryptographic keys. They can also handle cryptographic processing allowing servers to offload CPU intensive tasks to dedicated hardware.
What is a firewall?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Stateless vs. Stateful Firewall
Stateless Firewalls (packet filters) filter every packet based on data such as the source or destination IP, port, or protocol. They are the most basic type of firewall.
Stateful Firewalls (dynamic packet filters) can make decisions about traffic, allowing it to continue when approved rather than filtering every packet. Info is tracked in a state table.
What is a NGFW?
Next Generation Firewalls can be described as all-in-one network security devices. Capabilities include inline deep packet inspection, IDS/IPS functionality, antivirus, and antimalware.