Lesson 10 Flashcards

1
Q

Packet Filtering Firewalls

A

Earliest type of network firewall. All firewalls can still
perform this basic function.

  • Enforce a network access control list (ACL)
  • Act to deny (block or drop), log, or accept a packet
  • Inspect headers of individual packets
    * Source and destination IP address
    * Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on)
    * Source and destination port numbers (TCP or UDP application type)
  • Inbound, outbound, or both
  • Stateless operation
2
Q

Stateless operation

A

(packet filtering firewall)
This means that it does not preserve
information about network sessions.

This type of filtering requires the least
processing effort, but it can be vulnerable to attacks that are spread over a sequence
of packets.

3
Q

Stateful Inspection Firewalls

A

State table stores connection information

A stateful inspection firewall addresses the weaknesses of stateless filtering by tracking
information about the session established between two hosts, or blocking malicious
attempts to start a bogus session. The vast majority of firewalls now incorporate some
level of stateful inspection capability.

4
Q

iptables

A

Linux tool that allows you to edit the rules on your firewall (drop, accept, etc.). See slide 6 for a sample iptables ruleset.

5
Q

Firewall implementation

A
  1. Firewall appliances (physical appliance)
    • Routed (layer 3)
    • Bridged/transparent (layer 2)
    • Router/firewall
  2. Application-based firewalls
    • Host-based (personal)
    • Application firewall
    • Network operating system (NOS) firewall
6
Q

Types of Firewall Appliances

A

An appliance firewall is a stand-alone hardware firewall deployed to monitor traffic
passing into and out of a network zone. A firewall appliance can be deployed in two
ways:

• Routed (layer 3) - the firewall performs forwarding between subnets. Each interface
on the firewall connects to a different subnet and represents a different security
zone.
• Bridged/transparent (layer 2) - the firewall inspects traffic passing between two nodes, such
as a router and a switch.
• Router/firewall - SOHO. Built into the router, but usually the device is designed first as a router and only secondarily as a firewall.

7
Q

Application-based firewalls

A

Host-based (personal) - software firewall running on a single host

Application firewall - software designed to run on a server to protect a particular
application

Network operating system (NOS) firewall - a software-based firewall running under a
network server OS, such as Windows or Linux, that protects a server. The server would
function as a gateway or proxy for a network segment.

8
Q

Forward Proxy Servers

A

Proxy opens connections with external servers on behalf of internal clients

9
Q

Transparent vs non-transparent proxy

A

• A non-transparent proxy means that the client must be configured with the proxy
server address and port number to use it. The port on which the proxy server
accepts client connections is often configured as port 8080.
• A transparent (or forced or intercepting) proxy intercepts client traffic without
the client having to be reconfigured. A transparent proxy must be implemented on a
switch or router or other inline network appliance.

10
Q

Reverse proxy server

A

Proxy opens connections with internal servers on behalf of external clients

11
Q

Access Control Lists

A
  • Least access - the minimum amount of traffic allowed for a service
  • Top to bottom processing order - the order of rules matters
  • Implicit deny - deny everything that does not match a rule
  • Explicit deny all
  • Criteria for rules (tuples) - the parameters within a rule
  • Documenting and testing configuration
12
Q

Network address translation (NAT)

A

Translates private IP addresses to public IP addresses, and public to private.

13
Q

Static and dynamic source NAT

A

Perform 1:1 mappings between private (“inside local”) network addresses and public
(“inside global”) addresses. These mappings can be static or dynamically assigned.

14
Q

Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)

A

provides a means for multiple private IP addresses to be mapped onto a single public address. For

15
Q

Virtual Firewalls

A

Hypervisor-based
• Filtering built into the hypervisor or cloud service

Virtual appliance
• Deployed as a virtual machine to the cloud

Multiple context
• Firewall appliance running multiple instances

• East-west security design and microsegmentation

16
Q

Main purpose of virtual firewalls

A

To support the east-west security and zero-trust microsegmentation design paradigms.

17
Q

Open source vs proprietary firewalls

A

Source code inspection and supply chain issues
• Wholly proprietary appliance OS
• Partially proprietary - UNIX or Linux kernel with proprietary features
• Wholly open source

• Support arrangements and subscription features should be considered, as well as access to threat feeds, etc.

18
Q

intrusion detection system (IDS)

A

A means of using software tools to provide real-time analysis of either network traffic
or system and application logs.

19
Q

Network-based IDS (NIDS)

A

Captures traffic via a packet sniffer, referred to as a sensor.

Passive detection/alerting

20
Q

Network-Based Intrusion Prevention Systems

A
  • Intrusion prevention system (IPS)
  • Active response to threats
    * Reset session
    * Apply firewall filters on the fly to shun traffic
    * Bandwidth throttling
    * Packet modification
    * Run a script or other process
  • Anti-virus scanning/content filtering
  • Inline placement—risk of failure
21
Q

Signature-Based Detection

A
  • Analysis engine
  • Signature-based detection
    * Pattern matching
    * Database of known attack signatures
    * Must be updated with latest definitions/plug-ins/feeds
    * Many attack tools do not conform to specific signatures
22
Q

Behavior and Anomaly-Based Detection

A

The computer learns behaviors. This could protect against zero-day attacks, but it produces a lot of false positives and false negatives until it learns.

  • Behavioral-based detection
  • Train sensor with baseline normal behavior to recognize anomalous behavior
  • Network behavior and anomaly detection (NBAD)
    * Heuristics (learning from experience)
    * Machine learning assisted analysis

Anomaly-based detection looks for irregularities in packet construction

23
Q

Next-generation firewall

A

• Application-aware filtering, user account-based filtering, IPS, cloud inspection, …

24
Q

Unified threat management (UTM)

A
  • Combining security controls into single agent and management platforms
  • Firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway, …
25
Q

Content/URL filter

A
  • Focuses on user traffic
  • Content block lists and allow lists
  • Time-based restrictions to browsing
  • Also known as a secure web gateway (SWG)
26
Q

Host-based intrusion detection system (HIDS)

A

A host-based IDS (HIDS) captures information from a single host, such as a server, router, or firewall.

The core ability is to capture and analyze log files

One of the core features of HIDS is file integrity monitoring (FIM).

27
Q

File integrity monitoring (FIM)

A

One of the core features of host-based IDS (HIDS)
• Cryptographic hash or file signature verifies integrity of files
• Compare hashes manually or verify signature with publisher’s public key
• Windows File Protection/sfc
• Tripwire and OSSEC

28
Q

Web Application Firewalls (WAF)

A

Designed specifically to protect software running on web servers and their backend
databases from code injection and DoS attacks.

  • Able to inspect code in HTTP packets
  • Matches suspicious code to vulnerability database
  • Can be implemented as software on host or as appliance
29
Q

Monitoring Services

A

Packet capture
• Sniffers and flow analysis
• Traffic and protocol statistics
• Packet analysis

Network monitors
• Appliance state data
• Heartbeat availability monitoring

Logs
• System logs to diagnose availability issues
• Security logs to audit access

30
Q

Packet capture

A
  • Sniffers and flow analysis
  • Traffic and protocol statistics
  • Packet analysis
31
Q

Network monitors

A
  • Appliance state data
  • Heartbeat availability monitoring

32
Q

Logs

A
  • System logs to diagnose availability issues
  • Security logs to audit access

33
Q

Security Information and Event Management (SIEM)

A

Software designed to assist with managing security data inputs and provide reporting
and alerting is often described as security information and event management
(SIEM). The core function of a SIEM tool is to aggregate traffic data and logs.
- Log Collection
- Log Aggregation
- Analysis and Report Review

34
Q

Log Collection (SIEM)

A

Agent-based
• Local agent (host) to forward logs (installed)

Listener/collector
• Protocol-based remote log forwarding (syslog) (configured)

Sensor
• Packet capture and traffic flow data. SIEM also collects packet data

35
Q

Log Aggregation (SIEM)

A
  • Consolidation of multiple log formats to facilitate search/query and correlation
  • Normalization of fields
  • Time synchronization
36
Q

Analysis and Report Review (SIEM)

A
  • Correlation
    * Relating security data and threat intelligence
    * Alerting of indicators of compromise (IOC)
    * Basic rules versus machine learning
  • User and entity behavior analytics (UEBA)
    * Sentiment analysis
    * Machine interpretation of natural language
    * Emotion AI
  • Security orchestration, automation, response (SOAR)
37
Q

Correlation

A
  • Relating security data and threat intelligence
    * Alerting of indicators of compromise (IOC)
    * Basic rules versus machine learning
38
Q

User and entity behavior analytics (UEBA)

A

A UEBA solution supports identification of malicious behaviors by comparison to a
baseline. As the name suggests, the analytics software tracks user account behavior
across different devices and cloud services.

39
Q

Security orchestration, automation, response (SOAR)

A

Designed as a solution to the problem of the volume of alerts overwhelming analysts’
ability to respond.

40
Q

Sentiment analysis

A

• Machine interpretation of natural language
• Emotion AI
• For example, monitoring social media for disgruntled customers complaining, etc.

41
Q

File Manipulation (SIEM)

A

While SIEM can automate many functions of log collection and review, you may also
have to manually prepare data using a Linux command line.

  • cat
    * View contents of one or more files
  • head and tail
    * View first and last lines of file
  • logger
    * Write input to system log
42
Q

Regular Expressions and grep

A

I didn’t really understand these, but these are more log commands.