Chapter 13: Securing the Network Flashcards
Link encryption
encrypts all the data along a specific communication path
E2EE
End-to-end encryption
End-to-end encryption
occurs at the session layer (or higher) and does not encrypt routing information, enabling attackers to learn more about a captured packet and where it is headed
TLS
Transport Layer Security
Transport Layer Security
E2EE protocol that provides confidentiality and data integrity for network communications
SSL
Secure Sockets Layer
Secure Sockets Layer
predecessor of TLS and is deprecated and considered insecure
VPN
virtual private network
virtual private network
secure, private connection through an untrusted network
PPTP
Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol
obsolete and insecure means of providing VPNs
L2TP
Layer 2 Tunneling Protocol
Layer 2 Tunneling Protocol
tunnels PPP traffic over various network types (IP, ATM, X.25) but does not encrypt the user traffic
IPSec
Internet Protocol Security
Internet Protocol Security
suite of protocols which provides authentication, integrity, and confidentiality protections to data at the network layer
TLS can be used to provide … connectivity at layer … in the … model
TLS can be used to provide VPN connectivity at layer 5 in the OSI model
web service
client/server system in which clients and servers communicate using HTTP over a network such as the Internet
SOA
service-oriented architecture
service-oriented architecture
a system as a set of interconnected but self-contained components which communicate with each other and with their clients through standardized protocols
API
application programming interfaces
application programming interfaces
establish a language which enables a system component to make a request from another component and then interpret that second component’s response
HTTP
Hypertext Transfer Protocol
Hypertext Transfer Protocol
TCP/IP-based communications protocol used for transferring data between a server and a client in a connectionless and stateless manner
HTTPS
HTTP Secure
HTTP Secure
HTTP running over TLS
SOAP
Simple Object Access Protocol
Simple Object Access Protocol
messaging protocol which uses XML over HTTP to enable clients to invoke processes on a remote host in a platform-agnostic way
WS-Security or WSS
Web Services Security
Web Services Security
a set of protocol extensions which provides message confidentiality, integrity, and authentication
SOAP security
enabled by Web Services Security
REST
Representational State Transfer
Representational State Transfer
an architectural pattern used to develop web services without using SOAP
DGA
domain generation algorithm
domain generation algorithm
produces seemingly random domain names in a way which is predictable by anyone who knows the algorithm
DNS tunneling
practice of encoding messages in one or a series of DNS queries or responses for exfiltrating or infiltrating data into an environment
DNS reflection attacks
send a query to a server while spoofing the source address of the intended target
DNS amplification attack
small queries result in much larger responses, multiplying the traffic directed at the spoofed target
DNSSEC
Domain Name System Security Extensions
Domain Name System Security Extensions
a set of IETF standards which ensure the integrity of DNS records but not their confidentiality or availability
DoH
DNS over HTTPS
DNS over HTTPS
protect the privacy and confidentiality of DNS queries by sending them over HTTPS/TCP/IP instead of unsecured UDP/IP
E-mail spoofing
technique used by malicious users to forge emails to appear from a legitimate source
SASL
Simple Authentication and Security Layer
Simple Authentication and Security Layer
protocol-independent framework for performing authentication typically used in POP3 email systems
SPF
Sender Policy Framework
Sender Policy Framework
email validation system; reduces spam by detecting email spoofing through verification of the sending server's IP address against the domain's published policy
DKIM
DomainKeys Identified Mail
DomainKeys Identified Mail standard
allows email servers to digitally sign messages so that receiving server can ensure the message is from the domain it claims to be from
DMARC
Domain-based Message Authentication, Reporting and Conformance
DMARC systems
use both SPF and DKIM to protect email
S/MIME
Secure MIME
S/MIME standard
encrypts and digitally signs email; provides secure data transmissions
DNP3
Distributed Network Protocol 3
Distributed Network Protocol 3
multilayer communications protocol for SCADA systems, especially those in the power sector
CAN
Controller Area Network
Controller Area Network bus
multilayer protocol for microcontrollers and other embedded devices to communicate with each other on a shared bus
Converged protocols
started off independent and distinct from one another but converged to become one
FCoE
Fibre Channel over Ethernet
Fibre Channel over Ethernet
protocol encapsulation which allows Fibre Channel (FC) frames to ride over Ethernet networks
iSCSI
Internet Small Computer Systems Interface
Internet Small Computer Systems Interface protocol
encapsulates SCSI data in TCP segments so computer peripherals can be located at any physical distance from the computer they support
Network segmentation
the practice of dividing networks into smaller subnetworks
VLAN
virtual LAN
virtual LAN
set of devices which behave as though they are all directly connected to the same switch when they aren’t
VxLAN
virtual eXtensible LAN
Virtual eXtensible LAN
network virtualization technology which encapsulates layer 2 frames in UDP (layer 4) datagrams so they can be carried across any routed network
SDN
software-defined networking
software-defined networking
networking approach which relies on distributed software to separate the control and forwarding planes of a network
SD-WAN
Software-defined wide area networking
software-defined wide area networking
use of software (instead of hardware) to control the connectivity, management, and services between distant sites in a manner similar to SDN but applied to WANs
VLAN hopping attack opportunity
an attacker is able to insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer
VLAN hopping
attackers gain access to traffic in various VLAN segments; an attacker can have a system act as a switch: because the system understands the tagging values used in the network and trunking protocols, it can insert itself between other VLAN devices and gain access to the traffic going back and forth; attackers can also insert tagging values to manipulate the control of traffic at the data link layer
Authentication Header protocol
provides data integrity, data origin authentication, protection from replay attacks
Encapsulating Security Payload protocol
provides confidentiality, data origin authentication, data integrity
Internet Security Association and Key Management Protocol
framework for security association creation and key exchange
Internet Key Exchange
provides authenticated keying material for use with ISAKMP
Secure Multipurpose Internet Mail Extensions
standard for encryption to provide secure data transmissions using public key infrastructure (PKI)
WS-Security is for SOAP
for web services confidentiality with SOAP; not RESTful web service
RESTful requires …. and uses … for confidentiality
RESTful uses HTTP and HTTP Secure (HTTPS) for confidentiality
What is a set of IETF standards for DNS records?
Domain Name System Security Extensions (DNSSEC) ensures integrity and authenticity of DNS records but not their confidentiality or availability
Best protection against email spoofing?
DMARC systems incorporate both SPF and DKIM to protect email
IMAP does or does not have email protections against spoofing
Internet Message Access Protocol (IMAP) does NOT have any built-in protections against email spoofing
Which is a multilayer protocol for use in SCADA systems?
DNP3 (Distributed Network Protocol 3) is used in SCADA, specifically the power sector
Converged protocol FACTS
FCoE is a converged protocol; IP convergence addresses a specific type of converged protocol; certain protocols are encapsulated within each other