Chapter 4 Securing Your Network Flashcards
What does IDS stand for?
Intrusion Detection System
What does IPS stand for?
Intrusion Prevention System
What does an IDS do?
An IDS monitors a network and send alerts when they detect suspicious events on a system or network.
What does an IPS do?
An IPS reacts to attacks in progress and prevent them from reaching systems and networks.
What does HIDS stand for?
Host-based Intrusion Detection System
What does an HIDS do?
An HIDS provides protection to the individual host and can detect potential attacks and protect critical operating system files.
Describe the logistics of an HIDS
An HIDS is additional software installed on a system such as a workstation or server.
What is the primary goal for an HIDS?
To monitor traffic
True or False : An HIDS can help with detecting malware?
True
Because of this, many organizations install a HIDS on every workstation as an extra layer of protection in addition to traditional antivirus software.
What does NIDS stand for?
Network-based Intrusion Detection System
What does an NIDS do?
An NIDS monitors activity on the network.
List some devices NIDS sensors and collectors would be installed on
Routers, Firewalls
True or False: An NIDS can decrypt/encrypt network traffic
False
An NIDS can only monitor and assess threats on the network from traffic sent in plaintext or nonencrypted traffic.
What does a tap or port mirror do and how is this beneficial for NIDS?
Allows administrators to send all traffic to a single port. It can be used as a tap to send all switch data to a sensor or collector, and forward this to a NIDS.
True or False: An IDS can prevent an intrusion
False
An IDS can only detect an intrusion
What is an attack?
Any attempt to compromise CIA - confidentiality, integrity, and/or availability
What are the two primary methods of detection?
Signature-based and heuristic ( behavioral-based)
What does a signature-based IDS do?
A signature-based IDS uses a database of known vulnerabilities or known attack patterns.
What does a heurist(behavioral-based) IDS do?
A heuristic(behavioral-based) IDS provides continuous monitoring by constantly comparing current network behavior against the baseline. When the IDS detects abnormal activity (outside normal boundaries as identified in the baseline), it gives an alert indicating a potential attack.
What is a zero-day exploit?
A zero-day exploit is where there is no patch available for the vulnerability
How does an IDS utilize logs?
An IDS analyzes logs (real-time or regular intervals) to provide insight on trends which detect a pattern of attacks and provide insight into how to better protect a network.
What triggers an IDS to report an alert or an alarm?
Rules configured within the IDS
____ is an alert or alarm on an event that is nonthreatening, benign, or harmless
A false positive
____ is when an attacker is actively attacking the network, but the system does not detect it.
A false negative
What is inline/in-band monitoring?
Monitoring of traffic passing thru with potential to block
____ is considered inline/in-band monitoring
An IPS
What is out-of-band/passive monitoring?
Monitoring of traffic but not able to block
____ is considered out-of-band/passive monitoring
An IDS
What does an SSL/TLS accelerator do?
It frees up the primary computer’s resources, such as CPU power and RAM by performing the process of establishing the HTTPS session, negotiating the best security supported by both the client and the server, sharing encryption keys, and encrypting session data
What does an SSL Decryptor do?
Intermediary device that establishes HTTPS connections between all end points and decrypts traffic to monitor for suspicious and malicious activity
What does SDN stand for?
Software Defined Network
What does an SDN do?
An SDN separates data plane and control plane traffic through virtualization and not physical network devices
What is the data plane?
The data plane is the part of the network that carries the traffic
What is the control plane?
The control plane is the logic used to direct network traffic
What is a honeypot?
A honeypot is a server that is not tightened and secure or extremely vulnerable to attacks to serve as a diversion for attackers.
What are the two primary goals of a honeypot?
- Divert attackers from the live network
2. Allow observation of an attacker
What is a honeynet?
A group of honeypot servers within a separate network zone but accessible from an orgs primary network
_____ is a port-based authentication protocol
IEEE 802.1x
In wireless networking what does AP/WAP stand for?
Access point/wireless access point
True or false: All wireless routers are APs
True
True or false: All APs are routers
False
What is a fat AP?
An AP which includes everything needed to connect wireless clients to a wireless network. It typically includes features such as a routing component, NAT, DHCP, wireless security options, access control lists (ACLs), and more.
True or False: Fat APs must be configured separately from each other
True
What is a thin AP?
An AP that is managed by a controller and is not stand-alone
What are the two primary radio bands used in wireless networks?
2.4gHz and 5.0gHz
____ channels are more likely to overlap with other wireless devices and this interference affects overall performance.
Wider
In wireless networks, what does SSID stand for?
Service Set Identifier
What does SSID represent?
The name of the wireless network
True or False: It’s a good idea to change the name of a default SSID. Explain why.
True
If a default SSID is left it could provide an attacker with details that he/she could leverage to exploit vulnerabilities
How would an attacker be able to determine the SSID of a wireless network if the broadcast is disabled?
Using a protocol analyzer, an attacker can view the probe frame responses which contain the SSID information.
_____ is a form of network access control used with port security on switches that can be used to restrict access to wireless networks.
MAC filtering
____ is the most commonly used antenna on APs and wireless devices
Omnidirectional antennas
Adjusting the _____ affects the range of the AP
Power level
What is a guest network used for?
A guest network is typically a wireless network used to provide guests with Internet access.
An ____ network is where wireless devices connect to each other without an AP on an as needed basis
Ad-hoc
What does WPA stand for?
Wi-Fi Protected Access
What does TKIP stand for and what is it?
Temporary Key Integrity Protocol
It is an older encryption protocol with WPA but should no longer be used
What does CCMP stand for and what is it?
Cipher Block Chaining Message Authentication Code Protocol
It is a newer encryption protocol that replaced TKIP for use with WPA2
What does AES stand for and what is it?
Advanced Encryption Standard
It is a very strong and efficient encryption algorithm
What does PSK stand for and what is it?
Pre-shared key
Its a mode where users access a wireless network with a PSK or passphrase (a form of authorization)
What is the difference between PSK and enterprise mode?
PSK only allows for authorization where as enterprise mode is for authentication and authorization. Each user has a unique set of credentials to authenticate with.
To configure an AP in enterprise mode, what information do you need?
An IP address assigned to an 802.1x RADIUS server
A port number used by the RADIUS server
A shared secret which is similar to a password
What is open mode?
A wireless mode where no security configuration is implemented and allows all users to access the AP
What does EAP stand for and what is it?
Extensible Authentication Protocol
An authentication framework that provides general guidance for authentication methods.
What does PMK stand for and what is it?
Pairwise Master Key
A secure encryption key used for two systems to encrypt all data transmitted between them
What is EAP-FAST?
Extensible authentication protocol - flexible authentication via secure tunneling
Created by CISCO to replace light EAP (LEAP). Supports certificates (optional)
What is PEAP?
Protected EAP
A protocol which protects the communication channel by encapsulating and encrypting the EAP conversation in a TLS tunnel. Requires a cert on the server but not on the client. MS-CHAPv2
What is EAP-Tunneled TLS EAP-TTLS?
Extension of PEAP which allows systems to use older authentication methods such as Password Authentication Protocol (PAP) within a TLS tunnel. Requires cert on the server but not on the clients
What is EAP-TLS?
Most secure EAP standards and widely implemented. Requires certs on both server and client
What is RADIUS federation?
Where two or more entities share the same identity management system through use of RADIUS.
A ____ ____ is a technical solution that forces clients using web browser to complete a specific process before it allows them access to the network
Captive portal
What are some common examples of captive portals?
- Free Internet Access through AUP (acceptable use policy) which allows guests to have access to the internet
- Paid internet access - when attempting to access the internet redirected to a captive portal to pay
- Alternative to IEEE 802.1x server since it (IEEE 802.1x server) is expensive
What is a disassociation attack?
An attack which effectively removes a wireless client from a wireless network forcing them to reauthenticate. An attacker sends a disassociation frame to the AP spoofing the client’s MAC address
What does WPS stand for and what does it do?
Wi-Fi Protected Setup
Allows users to configure wireless devices without typing in the passphrase. Users can configure devices by pressing buttons or by entering a short eight digit PIN
What is a WPS attack?
When an attacker keeps trying different PINs until it succeeds (brute force attack). Recommended to disable on APs
What is a rogue AP?
An AP placed in a network without official authorization
What is an evil twin?
A rogue access point with the same SSID as a legitimate access point.
What is a jamming attack?
When an attacker transmit noise or another radio signal on the same frequency used by a wireless network interfering with the wireless transmissions
What are some ways to overcome a jamming attack?
Using a different channel (although the attacker can also switch channels)
Increasing the power level
What is a wireless initialization vector attack?
An attack that attempts to discover the pre-shared key from the IV
When is an IV attack successful?
When an encryption system reuses the same IV. In many IV attacks the attacker uses packet injection techniques to add additional packets into the data stream.
An eavesdropping attack is a form of what?
NFC attack
What happens during an eavesdropping attack?
The NFC reader uses an antenna to boost its range, and intercepts the data transfer between two other devices.
What is bluetooth?
Bluetooth is a short-range wireless system used in personal area networks (PANs) and within networks.
A __ is a network of devices close to a single person
Personal Area Network (PAN)
What is Bluejacking?
The practice of sending unsolicited messages to nearby Bluetooth devices. Typically text but can be images or sounds.
What is Bluesnarfing?
Unauthorized access to or theft of information from a Bluetooth device
What is bluebugging?
Similar to Bluesnarfing but in addition to gaining full access to the device the attacker installs a backdoor allowing them to listen in on phone conversations, enable call forwarding, send messages, etc.
What is a replay attack?
When an attacker captures data sent between two entities, modifies it, and then attempts to impersonate one of the parties by replaying the data.
True or False: WPA2 using CCMP and AES are vulnerable to replay attacks
False
WPA2 using CCMP and AES is not vulnerable to replay attacks but WPA with TKIP is
What does RFID stand for and what is it?
Radio Frequency Identification
RFID systems include a reader and tag used to track and manage inventory, assets, etc.
What is RFID sniffing/eavesdropping?
When an attacker listens on the same frequency that the RFID transmits data on and exfiltrates data
What is an RFID replay attack?
When an attacker performs eavesdropping and then captures data transferring between entities and impersonates one of the parties
What is an RFID DoS attack?
Attempts to disrupt services i.e. by launching a jamming or interference attack, flooding the frequency
What does VPN stand for and what does it do?
Virtual Private Network
Allows users to access private networks via a public network
What is a VPN concentrator?
It is a dedicated device used for VPNs which includes all the services needed to create a VPN including strong encryption and authentication techniques and supports many clients.
Where in the network is a VPN concentrator typically located?
In the DMZ
What are two ways IPSec provides security?
Authentication and encryption
How does IPSec handle authentication?
IPSec includes an authentication header (AH) to allow each of the hosts in the IPSec conversation to authenticate with each other before exchanging data. Using protocol 51.
How does IPSec handle encryption?
IPSec includes encapsulating security payload (ESP) to encrypt the data and provide confidentiality. Using protocol 50.
What does IKE stand for and what is it?
Internet Key Exchange
Used in IPsec over port 500 to authenticate clients in the IPsec conversation. Creates security associations (SAs) for the VPN and uses these to set up a secure channel between the client and the VPN server
What does SSTP stand for and what does it do?
Secure Socket Tunneling Protocol
It encrypts VPN traffic using TLS over port 443
What are the benefits for using SSTP?
Provides administrators with flexibility and rarely requires opening additional ports. Good alternative when the VPN tunnel must go through a device using NAT and IPsec is not feasible
What is a split tunnel VPN?
Filter traffic based on criteria. If meets criteria send traffic through VPN tunnel otherwise send to public internet
What is a full tunnel VPN?
Where all traffic goes through the encrypted tunnel while the user is connected to the VPN.
What is a disadvantage of full tunnel VPN?
It can be slow due to the additional hops the traffic makes and since it has to be decrypted and encrypted
What is a site-to-site VPN?
Where two VPN servers act as gateways for two networks separated geographically.
What is an always-on VPN?
When a VPN connection is persistent. The opposite is that the VPN connection is only established when a user connects to a remote system.
What does NAC stand for and what is it?
Network Access Control
Method of control to ensure that clients meet predetermined characteristics prior to accessing a network.
What are common health conditions checked by a NAC?
Up-to-date antivirus software, including updated signature definitions
Up-to-date operating system, including current patches and fixes
Firewall enabled on the client
What are authentication agents and what do the do?
They inspect NAC clients to check different conditions on a computer and document the status in a statement of health
What is a remediation (quarantine) network?
An intermediary network which a client/host is directed to if the computer fails health check conditions. The remediation network provides access to resources the client can use to get healthy.
What is a permanent agent?
A persistent agent installed on the client and stays on the client.
What is a dissolvable agent?
A non-persistent agent which is downloaded and run on the client when the client logs on remotely. Removed either after performing health check or end of remote session. Often used on mobile devices
What does PAP stand for and what is it?
Password authentication Protocol
A protocol used with Point-to-Point Protocol (PPP) to authenticate clients.
A significant weakness of ___ is that it sends passwords over a network in cleartext, representing a significant security risk.
PAP
What does CHAP stand for and what is it?
Challenge Handshake Authorization Protocol
A protocol that uses PPP to authenticate clients but is more secure than PAP. Client hashes a shared secret with a nonce (number used once)
What is a benefit of MS-CHAPv2?
It allows for mutual authentication. Client to server and server to client
What does RADIUS stand for and what is it?
Remote Authentication Dial-In User Service
A centralized authentication service
Does RADIUS use TCP or UDP?
UDP
What does TACACS+ stand for and what is it?
Terminal Access Controller Access-Control System
Cisco alternative to RADIUS
Which system encrypts the entire authentication process?
TACACS+
Which system uses multiple challenges and responses between the client and server?
TACACS+
_____ is an extension of RADIUS that can work with EAP
Diameter
What does AAA stand for?
Authentication Authorization Accounting
RADIUS, TACACS+, and Diameter are considered ____ protocols because they provide authentication, authorization, and accounting
AAA