Chapter 4 Securing Your Network Flashcards
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) inspect traffic using the same functionality as a protocol analyzer.
A host-based IDS (HIDS) can detect attacks on local systems such as workstations and servers.
The HIDS protects local resources on the host and can detect some malware that isn’t detected by traditional antivirus software. A network-based IDS (NIDS) detects attacks on networks.
A signature-based IDS or IPS uses signatures to detect known attacks or vulnerabilities.
Heuristic-based or behavioral-based IDSs (also called anomaly-based IDSs) require a baseline and detect attacks based on anomalies or when traffic is outside expected boundaries.
A false positive incorrectly raises an alert indicating an attack when an attack is not active. False positives increase the workload of administrators. A false negative is when an attack is active, but not reported.
An IPS is similar to an active IDS except that it’s placed inline with the traffic (sometimes called in-band) and can stop attacks before they reach the internal network.
An IPS can actively monitor data streams, detect malicious content, and prevent it from reaching a network. In contrast, an IDS is out-of-band.
IDSs and IPSs can also protect internal private networks, such as private supervisory control and data acquisition (SCADA) networks.
SSL/TLS accelerators are dedicated hardware devices that handle Transport Layer Security (TLS) traffic. Other devices, such as a web server, can off-load TLS traffic handling to the accelerator.
SSL decryptors allow an organization to inspect traffic, even when traffic is using SSL or TLS.
A software-defined network (SDN) uses virtualization technologies to route traffic instead of using hardware routers and switches. It separates the data and control planes.
Honeypots and honeynets appear to have valuable data and attempt to divert attackers away from live networks. Security personnel use them to observe current attack methodologies and gather intelligence on attacks.
An 802.1x server provides strong port security using port-based authentication. It prevents rogue devices from connecting to a network by ensuring that only authorized clients can connect.
Wireless access points (APs) connect wireless clients to a wired network.
A fat AP, also known as a stand-alone AP, includes everything needed to connect wireless clients to a wireless network.
Thin APs are controller-based APs. A controller configures and manages a thin AP.
The service set identifier (SSID) is the name of the wireless network. Disabling the SSID broadcast hides a wireless network from casual users.
You can restrict access to wireless networks with media access control (MAC) filtering. However, attackers can discover authorized MACs and spoof an authorized MAC address.
Most WAPs have omnidirectional antennas. Directional antennas have narrower beams and longer ranges.
An ad hoc wireless network is two or more devices connected together without an AP.
Wi-Fi Protected Access (WPA) can use Temporal Key Integrity Protocol (TKIP) or Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). Both WPA and TKIP have been deprecated.
Personal mode uses a pre-shared key (PSK). It is easy to implement and is used in many smaller wireless networks.
Open mode doesn’t use a PSK or an 802.1x server. Many hot spots use Open mode when providing free wireless access to customers.
802.1x servers use one of the Extensible Authentication Protocol (EAP) versions, such as Protected EAP (PEAP), EAP-Tunneled TLS (EAP-TTLS), EAP-TLS, or EAP-Flexible Authentication via Secure Tunneling (EAP-FAST).
The most secure EAP method is EAP-TLS, and it requires a certificate on the server and on each of the wireless clients.
PEAP and EAP-TTLS require a certificate on the server, but not the client. PEAP is often implemented with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
Lightweight EAP (LEAP) is proprietary to Cisco and does not require a certificate. Cisco designed EAP-FAST to replace LEAP.
A captive portal forces wireless clients to complete a process, such as acknowledging a policy or paying for access, before it grants them access to the network.
A disassociation attack effectively removes a wireless client from a wireless network, forcing it to reauthenticate.
Wi-Fi Protected Setup (WPS) allows users to easily configure a wireless device by pressing a button or entering a short PIN. WPS is not secure. A WPS attack can discover the PIN within hours. It then uses the PIN to discover the passphrase.
A rogue access point (rogue AP) is an AP placed within a network without official authorization. An evil twin is a rogue access point with the same SSID as a legitimate access point.
A jamming attack floods a wireless frequency with noise, blocking wireless traffic.
An initialization vector (IV) attack attempts to discover the IV and uses it to discover the passphrase.
Near field communication (NFC) attacks use an NFC reader to read data from mobile devices.
Bluejacking is the practice of sending unsolicited messages to a phone. Bluesnarfing is the unauthorized access to, or theft of information from, a Bluetooth device.
In a wireless replay attack, an attacker captures data sent between two entities, modifies it, and then impersonates one of the parties by replaying the data. WPA2 using CCMP and AES prevents wireless replay attacks.
Radio-frequency identification (RFID) attacks include eavesdropping, replay, and DoS.
A virtual private network (VPN) provides access to private networks via a public network, such as the Internet. VPN concentrators are dedicated devices that provide secure remote access to remote users.
IPsec is a common tunneling protocol used with VPNs. It secures traffic within a tunnel. IPsec provides authentication with an Authentication Header (AH). Encapsulating Security Payload (ESP) encrypts VPN traffic and provides confidentiality, integrity, and authentication.
IPsec Tunnel mode encrypts the entire IP packet used in the internal network. IPsec Transport mode only encrypts the payload and is commonly used in private networks, but not with VPNs.
Some VPNs use TLS to encrypt traffic within the VPN tunnel.
A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN’s private network.
Site-to-site VPNs provide secure access between two networks. These can be on-demand VPNs or always-on VPNs.
Mobile devices can also use always-on VPNs to protect traffic when users connect to public hot spots.
Network access control (NAC) inspects clients for specific health conditions such as up-to-date antivirus software, and can redirect unhealthy clients to a remediation network.
A permanent NAC agent (sometimes called a persistent NAC agent) is installed on the client and stays on the client. A dissolvable NAC agent (sometimes called agentless) is downloaded and run on the client when the client logs on, and deleted after the session ends. Dissolvable agents are commonly used for employee-owned mobile devices.