Chapter 4 Flashcards
Securing Your Network
IDS
Intrusion detection systems monitor a network and send alerts when they detect suspicious events on a system or network.
IPS
Intrusion prevention systems react to attacks in progress and prevent them from reaching systems and networks.
HIDS
Host-based intrusion detection system
Software installed on a system to detect attacks
It protects local resources on the host
A host-based intrusion prevention system (HIPS) is an extension of HIDS
It is software installed on a system to detect and block attacks
NIDS
Network based intrusion detection system
A device that detects attacks and raises alerts
A NIDS is installed on network devices, such as routers or firewalls, and monitors network traffic
Port Mirror
A monitoring port on a switch
All traffic going through the switch is also sent to the port mirror
Taps
Monitoring ports on a network device
IDSs use taps to capture traffic
Signature-based
A type of monitoring used on intrusion detection and intrusion prevention systems
It detects attacks based on known attack patterns documented as attack signatures
Heuristic/behavioral-based
A type of monitoring on intrusion detection and intrusion prevention systems
It detects attacks by comparing traffic against a baseline
It is also known as anomaly detection
NOC
Filler
False Negative
A security incident that isn’t detected or reported
As an example, a NIDS false negative occurs if an attack is active on the network but the NIDS does not raise an alert
NIPS
Network-based intrusion prevention system
A device that detects and stops attacks in progress
A NIPS is placed inline (In-Band) with traffic so that it can actively monitor data streams
Inline
A configuration that forces traffic to pass through a device
A NIPS is placed inline, allowing it to prevent malicious traffic from entering a network
Sometimes called in-band, as opposed to out-of-band
Out-of-Band
A configuration that allows a device to collect traffic without the traffic passing through it
Sometimes called passive, as opposed to inline
ACLs
Access control lists are lists of rules used by routers and stateless firewalls
These devices use the ACL to control traffic based on networks, subnets, IP addresses, ports, and some protocols
SCADA
Supervisory control and data acquisition
A system used to control an ICS such as a power plant or water treatment facility
Ideally, a SCADA is within an isolated network
RATs
Remote access Trojans are malware that allows an attacker to take control of a system from a remote location
DMZ
Demilitarized zone is a buffer zone between the internet and an internal network
Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network
SSL/TLS Accelerators
Devices used to handle TLS traffic
Servers can off-load TLS traffic to improve performance
SSL Decryptors
Devices used to create separate SSL (or TLS) sessions
They allow other security devices to examine encrypted traffic sent to and from the Internet
SDN
A Software Defined Network is a method of using software and virtualization technologies to replace hardware routers
SDNs separate the data and control planes
Honeypot
A server designed to attract an attacker
It typically has weakened security encouraging attackers to investigate it
Honeynet
A group of honeypots in a network
Honeynets are often configured in virtual networks
IEEE 802.1x
An authentication protocol used in VPNs and wired and wireless networks
VPNs often implement it as a RADIUS server
Wired networks use it for port-based authentication
Wireless networks use it in Enterprise mode
WLAN
Filler
AP
An Access Point is a device that connects wireless clients to wireless networks
Sometimes called Wireless Access Point (WAP)
SSID
Service Set Identifier is the name of a wireless network
SSIDs can be set to broadcast so users can easily see it
Disabling SSID broadcast hides it from casual users
MAC Filtering
A form of network access control to allow or block access based on the MAC address
It is configured on switches for port security or on APs for wireless security
Antenna Types
Filler
Network Architecture Zones
Filler
WPA
Wi-Fi Protected Access is a legacy wireless security protocol
It has been superseded by WPA2
WPA2
Wi-Fi Protected Access II is a wireless security protocol
It supports CCMP for encryption, which is based on AES
It can use Open mode, a pre-shared key, or Enterprise mode
TKIP
Temporal Key Integrity Protocol is a legacy wireless security protocol
CCMP is the recommended replacement
AES
Advanced Encryption Standard is a strong symmetric block cipher that encrypts data in 128-bit blocks
AES can use key sizes of 128 bits, 192 bits, or 256 bits
PSK
Pre-shared key is a wireless mode that uses a pre-shared key (similar to a password or passphrase) for security
Compare with Enterprise and Open modes
Enterprise
A wireless mode that uses an 802.1x server for security
It forces users to authenticate with a username and password
Compare with Open and PSK modes
Authentication Protocols
Filler
Disassociation Attack
An attack that removes wireless clients from a wireless network
WPS
Wi-Fi Protected Setup is a method that allows users to easily configure a wireless network, often by using only a PIN
WPS brute force attacks can discover the PIN
WPS Attack
An attack against an AP
A WPS attack discovers the eight-digit WPS PIN and uses it to discover the AP passphrase
Rogue AP
An unauthorized AP
It can be placed by an attacker or an employee who hasn’t obtained permission to do so
Evil Twin
A type of rogue AP
An evil twin has the same SSID as a legitimate AP
Jamming
A DoS attack against wireless networks
It transmits noise on the same frequency used by a wireless network
IV Attack
An Initialization Vector attack is a wireless attack that attempts to discover the IV
Legacy wireless security protocols are susceptible to IV attacks
NFC Attack
An attack against mobile devices that use near field communication (NFC)
NFC is a group of standards that allow mobile devices to communicate with nearby mobile devices
Bluejacking
An attack against Bluetooth devices
It is the practice of sending unsolicited messages to nearby Bluetooth devices
Bluesnarfing
An attack against Bluetooth devices
Attackers gain unauthorized access to Bluetooth devices and can access all the data on the device
Replay Attack
An attack where the data is captured and replayed
Attackers typically modify data before replaying it
RFID
Filler
RFID Attack
Attacks against radio-frequency identification (RFID) systems
Some common RFID attacks are eavesdropping, replay, and DoS
VPN
Virtual Private Networks are a method that provides access to a private network over a public network such as the internet
VPN concentrators are dedicated devices used to provide VPN access to large groups of users
NICs
Filler
Remote Access VPN
Filler
IPsec
Internet Protocol Security is a suite of protocols used to encrypt data-in-transit that can operate in both tunnel mode and transport mode
It uses Tunnel mode for VPN traffic and Transport mode in private networks
Authentication (AH)
Authentication Header is an option within IPsec to provide authentication and integrity
Encryption (ESP)
Encapsulating Security Payload is an option within IPsec to provide confidentiality, integrity, and authentication
TLS
Transport Layer Security is the replacement for SSL
TLS is used to encrypt data-in-transit
Like SSL, it uses certificates issued by CAs
SSTP
Filler
TLS Tunneling
Filler
Split Tunnel
An encrypted connection used with VPNs
A split tunnel only encrypts traffic going to private IP addresses used in the private network
Full Tunnel
An encrypted connection used with VPNs
When a user is connected to a VPN, all traffic from the user is encrypted
UTM
Unified threat management is a group of security controls combined in a single solution
UTM appliances can inspect data streams for malicious content and block it
NAC
Network access control is a system that inspects clients to ensure they are healthy
Agents inspect clients and agents can be permanent or dissolvable (also known as agentless)
Site-to-Site VPNs
Filler
Always-On VPN
Filler
Identity and Access Services
Filler