Chapter 4 Securing your network Flashcards
What is a HIDS, where is it found, and what does it do?
Host-based intrusion detection system: software that can be installed on any host, e.g. a computer or server. It monitors the network traffic passing through that host's NIC and the applications running on the host. It may detect traffic that traditional anti-virus software misses.
What is a NIDS? What does it do, and how?
Network intrusion detection system: installed on network devices (switches, routers, firewalls) and uses sensors to gather information (sensor placement depends on what information you want). It monitors activity on the network as a whole, not on individual devices.
Signature-based vs heuristic-based detection?
Signature = known attacks, detected by a signature created for each attack.
Heuristic = takes a performance baseline and looks for deviations from it.
Honeypot vs honeynet vs honeyfile: what are they?
A honeypot is a server that looks appealing, may have some protection, and attracts attackers. A honeynet is a group of honeypots set up with VMs. A honeyfile is an attractive-looking file, e.g. passwords.doc. In this way we can gain some intel on attackers, which is particularly useful for zero-day attacks.
What is telemetry, and thus fake telemetry?
Collecting information (statistical data/measurements) and forwarding it to a centralized system. Fake telemetry = sending incorrect data.
How would you determine (through what process and tools) where wireless dead spots might be?
By conducting wireless footprinting and a site survey, using heatmaps to assess areas of low connectivity.
Does a PSK provide authentication for a wireless network?
No; authentication proves a user's credentials.
How does WPA2 authenticate people?
In enterprise mode, a RADIUS server (via 802.1X) checks credentials against a database of accounts.
What is an improvement on / replacement for WPA2, and how?
WPA3 - instead of a PSK it uses SAE (Simultaneous Authentication of Equals), incorporating a better cryptographic protocol. It also supports an enterprise mode using a RADIUS server.
What is EAP, and what are its versions?
EAP is the Extensible Authentication Protocol, a framework that provides general guidance for authentication methods. Versions: EAP, PEAP, EAP-FAST, EAP-TLS and EAP-TTLS.
Briefly describe the differences between EAP, PEAP, EAP-FAST, EAP-TLS and EAP-TTLS.
EAP - provides a method for two systems to authenticate using a Pairwise Master Key (PMK).
PEAP - EAP encapsulated in a TLS tunnel; certificate required on the server (but not the client).
EAP-TLS - like PEAP but more secure; certificates on both client and server.
EAP-TTLS - like PEAP but supports more authentication methods; certificate on the server, not the client.
EAP-FAST - more flexible authentication methods; certificates optional.
What is the usefulness of IEEE 802.1X?
Unused ports still require authentication before they can be used, which prevents rogue devices from connecting.
Which wireless AP protocols should be avoided?
WPA and WEP
Describe: rogue access point, evil twin, wireless disassociation.
RAP - a 'rogue' (unauthorized) AP installed on the network.
Evil twin - a RAP with the same or a similar SSID as a legitimate AP.
Wireless disassociation attacks, also known as deauthentication attacks, are wireless network attacks that target the 802.11 Wi-Fi protocol. The attack involves sending forged deauthentication frames to a wireless access point or client device, causing the device to disconnect from the network.
Disassociation vs jamming attacks?
Disassociation is when an attacker spoofs the MAC address of a device and sends a termination frame to the AP, removing that device from the network.
Jamming typically prevents all users from connecting: attackers transmit 'noise' or another signal on the same frequency to shut it down.