Chapter 9 Network Security Implementation Flashcards
a framework for controlling access to computing resources. The remote networking protocols RADIUS, TACACS, TACACS+, and Diameter all have their own implementations
Authentication, Authorization, and Accounting (AAA)
the method of uniquely validating a particular entity or individual’s credentials
Authentication
Authentication Factors:
- Something you know, such as a password
- Something you have, such as a token or access card
- Something you are, including physical characteristics, such as fingerprints or a retina pattern.
- Somewhere you are or are not
- Something you do, for example a keystroke logger that measures how hard you press the keys while typing, or how long the keys remain pressed.
any authentication scheme that requires validation of at least two of the possible authentication factors.
Multifactor Authentication (MFA)
is an authentication scheme that requires validation of two authentication factors.
Two-factor authentication
is a mechanism where a single user authentication provides access to all the devices or applications where the user has permission. The user need not enter multiple passwords each time he wants to access a device.
Single sign-on (SSO)
a directory service protocol that defines how a client can access information, perform operations, and share directory data on a directory server.
Lightweight Directory Access Protocol (LDAP)
an electronic document that associates credentials with a public key. The certificate validates the certificate holder’s identity and is also a way to distribute the holder’s public key.
Certificates
is a popular open-source authentication protocol that is based on a time-sensitive ticket granting system. It uses an SSO method in which the user enters access credentials that are then passed to the authentication server, which contains an access list and permitted access credentials.
Kerberos
Kerberos authentication process:
- A user logs on to the domain.
- The user requests a Ticket Granting Ticket (TGT) from the Ticket Granting Service (TGS) on the authenticating server.
- The authenticating server responds with a time-stamped TGT.
- The user presents the TGT back to the authenticating server and requests a service ticket to access a specific resource.
- The authenticating server responds with a service ticket.
- The user presents the service ticket to the resource.
- The resource authenticates the user and allows access.
is a protocol that enables a server to provide standardized, centralized authentication for remote users. It encrypts only passwords.
Remote Authentication Dial-In User Service (RADIUS)
are authentication protocols that provide centralized authentication and authorization services for remote users. TACACS+ includes process-wide encryption for authenticating, whereas RADIUS encrypts only passwords. It uses TCP instead of UDP and supports multiple protocols.
Terminal Access Controller Access Control System (TACACS) and (TACACS+)
the backbone of Microsoft’s Remote Desktop system. Its capabilities include data encryption, remote audio and printing, access to local files, and redirection of the host’s disk drives and peripheral ports. Listens on port 3389
Remote Desktop Protocol (RDP)
is a platform-independent desktop sharing system. Client and server software is available for almost any operating system.
Virtual Network Computing (VNC)
is a general term for the collected protocols, policies, and hardware that govern access on network interconnections. Scans devices for conformance and allows or quarantines updates to meet policy standards
Network Access Control (NAC)
is a standard for securing networks by implementing Extensible Authentication Protocol (EAP) as the authentication protocol over either a wired or wireless Ethernet LAN
IEEE 802.1x
IEEE 802.1x characteristics include:
- Employs an authentication service, such as RADIUS, to secure clients.
- It is an IEEE standard used to provide Port-based Network Access Control (PNAC), using the 802.11 protocols.
- 802.1x uses EAP to provide user authentication against a directory service.
a set of data (user names, passwords, time and date, IP addresses, media access control (MAC) addresses, and so on) that is used to control access to a resource such as a device, file, or network.
Access Control List (ACL)
Type of Firewall
the simplest implementation of a firewall; they work at the Network Layer (Layer 3) of the OSI model and are usually part of a router.
Packet Filters
Type of Firewall
work at the Session Layer (Layer 5) of the OSI model by monitoring the condition, or state, of the connection.
Stateful Inspection Firewall
Type of Firewall
work at the Application Layer (Layer 7) of the OSI model and require incoming and outgoing packets to have a proxy to access services. Also known as Application-level gateways.
Proxy Firewalls
combine the functions of a packet filter, a stateful inspection firewall, and a proxy firewall. They operate on all three OSI layers, Network, Session and Application, simultaneously.
Hybrid Firewall
is a network security solution that is used to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console. It can be a network appliance or a cloud service.
Unified Threat Management (UTM)
are protocols that do not expose data and/or credentials in cleartext, so they are less likely to allow for the credentials or data to be viewed and captured by someone else
Secure Protocols
Used for managing devices on IP networks. Version 3 added cryptographic security to secure data and user credentials
Simple Network Management Protocol version 3 (SNMPv3)
Protocols that Aren’t Secure:
FTP, Telnet, POP3, IMAP, SNMP v1 and v2
Guidelines for Securing Ports and Services
- Determine which ports are currently open
- Determine which of the open ports are required to be open
- Close any ports that are not required to be open
- Determine which services are currently running
- Determine which of the running services are required
- Disable any services which are not required
is an analysis technique that determines the coverage area of a wireless network, identifies any sources of interference, and establishes other characteristics of the coverage area.
Site Survey
Wireless Network Security Considerations:
- The administrator should specify an SSID manually
- Another method of securing a wireless connection is by disabling the broadcast of the SSID of the wireless device.
- Do not use WPS (WiFi Protected Setup). If any devices on your network have WPS, disable it. When purchasing devices, try to obtain devices that do not include WPS.
encrypts wireless communications. It has many well-known security flaws.
Wired Equivalent Privacy (WEP)
encrypts wireless communications, making them less vulnerable to unauthorized access. It offers better security than WEP. Temporal Key Integrity Protocol (TKIP) is what provides the encryption for the WPA protocol.
Wi-Fi Protected Access (WPA)
This is the one that should be used. CCMP-AES is an improvement in encryption over TKIP-RC4 because, rather than just checking the integrity of the key, AES is an encryption algorithm.
WPA2
is an Extensible Authentication Protocol (EAP) protocol that extends TLS by providing authentication that is as strong as TLS, but it does not require that each user be issued a certificate.
Tunneled Transport Layer Security (TTLS)
Wireless Authentication Methods:
is often used in conjunction with 802.1x. The wireless client is allowed to make an unauthenticated association with the AP, but until the user logs on, the client cannot connect to the network.
Open System
Wireless Authentication Methods:
is used for WPA-Personal and WPA2-Personal. The key needs to be shared by the communicating parties before it can be used. PSKs are more often found in use on home wireless networks. The EAP authentication method authenticates a user and not the station; this is an enterprise implementation that is done with a RADIUS server.
Shared-key
is a protocol that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.
Extensible Authentication Protocol (EAP)
was designed to replace the Lightweight EAP (LEAP). It addresses LEAP vulnerabilities through the use of TLS tunneling using a Protected Access Credential (PAC)
EAP-FAST (Flexible Authentication via Secure Tunneling)
is a widely supported feature in wireless routers and cards that provides robust security.
EAP-TLS (Transport Layer Security)
similar to EAP-TLS, was proposed as an open standard by a coalition made up of Cisco Systems, Microsoft, and RSA Security.
PEAP (Protected Extensible Authentication Protocol)
A public-access or guest network often presents a web page users must view and acknowledge before they are granted network access.
Captive Portals
is a method of defining virtual geographical boundaries using GPS or RFID. When a mobile device with GPS or RFID capabilities enabled crosses into or out of the geofenced area, an event can be triggered.
Geofencing
This is an unauthorized wireless access point on a corporate or private network. They are not detected easily and can allow private network access to many unauthorized users with the proper devices
Rogue Access Point
a rogue access point on a network that appears to be legitimate. Although an evil twin can be installed on both corporate and private networks, typically they are found in public Wi-Fi hotspots where users do not connect transparently and automatically as they do in a corporate network, but rather select available networks from a list.
Evil Twin
The act of searching for instances of wireless networks by using wireless tracking devices such as tablets, mobile phones, or laptops
War Driving
The act of using symbols to mark off a sidewalk or wall to indicate that there is an open wireless network that may be offering Internet access. It can also be an online list of open networks.
War Chalking
is an unpredictable random number used to make sure that when the same message is encrypted twice, the ciphertext is always different. It is fairly easy, using automated tools and a replay attack, to extract enough IV data to crack the WEP key in just a few minutes.
Initialization Vector (IV) attack
This is a method used by attackers to send out unwanted Bluetooth signals from tablets, mobile phones, and laptops to other Bluetooth-enabled devices. With the advanced technology available today, attackers can send out unsolicited messages along with images and video.
Bluejacking
This is a method in which attackers gain access to unauthorized information on a wireless device by using a Bluetooth connection within the 30-foot Bluetooth transmission limit. Private information can be exploited, including email messages, contact information, calendar entries, images, videos, and any data stored on the device.
Bluesnarfing
A collection of previously issued patches and hotfixes, usually meant to be applied to one component of a device, such as the web browser or a particular service
Rollup
A patch management program might include the following:
- An individual responsible for subscribing to and reviewing vendor and security patches and updating newsletters
- A review and triage of the updates into urgent, important, and non-critical categories
- An offline patch-test environment where urgent and important patches can be installed and tested for functionality and impact.
When done electronically it is called flashing. Provides support for new hardware. Fixes bugs that prevent the operating system from installing or running properly.
Firmware Upgrades
Key-based encryption types:
- Shared-key or symmetric encryption systems: the same key is used both to encode and to decode the message. The secret key must be communicated securely between the two parties involved in the communication.
- Key-pair or asymmetric encryption systems: each party has two keys: a public key, which anyone can obtain, and a private key known only to the individual. Anyone can use the public key to encrypt data, but only the holder of the associated private key can decrypt it.
a server that issues certificates and the associated public/private key pairs
Certificate Authority (CA)
File Integrity Management Measures:
a security setting that determines the level of access a user or group account has to a particular resource.
Permission
File Integrity Management Measures:
Certificates and Encryption
File Integrity Management Measures:
a process or function that transforms plaintext into ciphertext that cannot be directly decrypted. The result of the hashing process is called a hash, hash value, or message digest.
File Hashing
File Integrity Management Measures:
is a file-encryption tool available on Windows devices that have partitions formatted with the NT File System. Encrypts file data by using digital certificates.
Encrypting File System (EFS)
File Integrity Management Measures:
Hardware-based, used on devices known as self-encrypting drives (SED), ensures that storage devices are encrypted at the hardware level in order to avoid relying on software solutions. This encryption is invisible to the user and is not susceptible to attacks targeting encryption provided by applications or operating systems.
Whole drive encryption
also known as separation of duties, is implemented as a policy that states that no one person should have too much power or responsibility
Role Separation
On Cisco switches you can use this to prevent protected ports from forwarding traffic to any other protected port on the switch. Using various commands, you can configure Spanning Tree, Flood Guard, and MAC address filtering.
Switch Port Protection
VLAN Hopping Prevention Methods:
- Switch Spoofing: Turn off trunking on all ports unless trunking is specifically required on a certain port.
- Double Tagging: Make sure that user ports and native VLAN trunk ports are different.
a small section of a private network that is located between two firewalls and made available for public access. Enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole.
Demilitarized Zone (DMZ)
Segmentation for Network Elements:
SCADA/ICS: SCADA and ICS networks are in this segment. They may be impractical to upgrade and thus will not have the latest security.
Honeynet: Only devices that are used as honeypots are in this segment. A honeypot is a device that is set to detect, deflect, or counteract attempts at unauthorized use of the device or network. A honeynet is a special type of honeypot, a specific network segment populated with, and only with, honeypots.
in order to keep internal addresses private, this is used to conceal internal IP addresses from external networks. A router is configured with a single public IP address on its external interface and an internal address on its internal interface. When static, an internal IP address is mapped to a single specific public IP address. In dynamic, a single internal address is mapped to the first available public IP address in an address pool.
Network Address Translation (NAT)
is a subset of dynamic NAT functionality that maps one or more private IP addresses to one public IP address by using multiple ports. Also known as overloading.
Port Address Translation (PAT)
an attack authorized by the owner of a computing device or a network, with the purpose of finding security weaknesses that could be exploited by a real attacker
Penetration Testing
software or hardware, or a combination of both, that scans, audits, and monitors the security infrastructure for signs of attacks in progress and automates the intrusion detection process.
Intrusion Detection System (IDS)
an inline security device that monitors suspicious network and/or device traffic and reacts in real time to block it.
Intrusion Protection System (IPS)