Lesson 10 - Implementing Network Security Appliances Flashcards

1
Q

A firewall technique that inspects each packet's headers (source and destination IP address, protocol, and port numbers) against an access control list and accepts or drops the packet on that basis alone, without regard to any other packet.

A

Packet Filtering

2
Q

A type of firewall that does not preserve information about the connection between two hosts. Often used to describe packet-filtering firewalls.

A

Stateless Firewall

3
Q

A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter, more granular security policies.

A

Stateful Inspection Firewall
Stateful inspection can occur at two layers: transport (layer 4) and application (layer 7).

4
Q

Information about sessions between hosts that is gathered by a stateful firewall.

A

State Table

5
Q

A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.

A

Application Aware Firewall

6
Q

A command-line utility provided by many Linux distributions that allows administrators to edit the rules enforced by the Linux kernel firewall (netfilter).

A

iptables

7
Q

A stateful firewall rule (in iptables, one using the conntrack state match) that allows any traffic that is part of an established or related session.

A

ctstate rule
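
As an added example (not from the original flashcards), the following host firewall ruleset shows the ctstate rule in context. It is written in iptables-restore format with a small shell wrapper; the allowed services (SSH on 22 and HTTPS on 443) and the availability of the conntrack match are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original flashcards: a minimal stateful host
# firewall in iptables-restore format. The allowed services (22, 443) are
# assumptions for illustration; requires iptables with the conntrack match.

fw_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is trusted.
-A INPUT -i lo -j ACCEPT
# The ctstate rule: one line admits the return traffic of every session
# already in the state table, plus related flows such as ICMP errors.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets the tracker cannot tie to any session (bad flags, out of window)
# are dropped before any service rule sees them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only the first packet of a NEW connection to an allowed service passes;
# its reply traffic is then covered by the ESTABLISHED rule above.
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else is logged (rate-limited) and falls to the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
COMMIT
EOF
}

# Number of rules that consult connection state.
fw_stateful_rule_count() {
  fw_ruleset | grep -c -- '--ctstate'
}

# Default policy of INPUT: this is where implicit deny is enforced.
fw_input_policy() {
  fw_ruleset | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
}

# Parse-check the ruleset without loading it, then load it (root only).
fw_apply() {
  fw_ruleset | iptables-restore --test && fw_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
  fw_apply
fi
```

Rule order matters: the ESTABLISHED,RELATED line sits first so that the bulk of packets, which belong to sessions already in the state table, are accepted after a single lookup, and only the first packet of each new connection is evaluated against the service rules. The DROP policy on INPUT is the implicit deny: anything not explicitly accepted is logged and then discarded. The conntrack -L command (from conntrack-tools) lists the state table entries these rules consult.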

8
Q

A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance’s firmware.

A

Appliance Firewall
Routed (layer 3)—the firewall performs forwarding between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone.
Bridged (layer 2)—the firewall inspects traffic passing between two nodes, such as a router and a switch. This is also referred to as transparent mode. The firewall does not have an IP interface (except for configuration management). It bridges the Ethernet interfaces between the two nodes. Despite performing forwarding at layer 2, the firewall can still inspect and filter traffic on the basis of the full range of packet headers. The typical use case for a transparent firewall is to deploy it without having to reconfigure subnets and reassign IP addresses on other devices.

9
Q

A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware

A

Router Firewall

10
Q

A software application running on a single host and designed to protect only that host.

A

Host-based firewall (or personal firewall)

11
Q

Software designed to run on a server to protect a particular application such as a web server or SQL server.

A

Application firewall

12
Q

A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.

A

Network operating system (NOS) firewall

13
Q

A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.

A

Proxy Server

14
Q

A forward proxy provides for protocol-specific outbound traffic. For example, you might deploy a web proxy that enables client computers on the LAN to connect to websites and secure websites on the Internet. This is a forward proxy that services TCP ports 80 and 443 for outbound traffic.

A

Forward Proxy Servers

15
Q

A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.

A

caching engines

16
Q

A server that redirects requests and responses for clients configured with the proxy address and port.

A

non-transparent proxy
A non-transparent proxy means that the client must be configured with the proxy server address and port number to use it. The port on which the proxy server accepts client connections is often configured as port 8080.

17
Q

A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.

A

transparent (or forced or intercepting) proxy
A transparent (or forced or intercepting) proxy intercepts client traffic without the client having to be reconfigured. A transparent proxy must be implemented on a switch or router or other inline network appliance.

18
Q

A type of proxy server that protects servers from direct contact with client requests.

A

reverse proxy
A reverse proxy server provides for protocol-specific inbound traffic.

19
Q

A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.

A

Implicit Deny

20
Q

A routing mechanism that conceals internal addressing schemes from the public Internet by translating between one or more public addresses on the external side of a router and private, non-routable addresses internally.

A

Network Address Translation (NAT)
The private address ranges (RFC 1918) are:
10.0.0.0/8 (10.0.0.0 to 10.255.255.255, the Class A private address range).
172.16.0.0/12 (172.16.0.0 to 172.31.255.255, the Class B private address range).
192.168.0.0/16 (192.168.0.0 to 192.168.255.255, the Class C private address range).

21
Q

Maps private host IP addresses onto a single public IP address. Each flow is tracked by rewriting its source port to a unique high-numbered TCP or UDP port on the public address, so that return traffic can be matched back to the originating host.

A

Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT)

22
Q

A process in which a router takes requests from the Internet for a particular application (such as HTTP) and sends them to a designated host on the LAN.

A

Destination NAT/port forwarding
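
As an added example covering the transparent proxy (card 17) as well as NAT, PAT and port forwarding (cards 20 to 22), the ruleset below configures a Linux box as a two-interface NAT gateway. It is not from the original page; the interface names (eth0 public, eth1 LAN), the addresses and the proxy port 3128 are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original flashcards: a two-interface Linux NAT
# gateway in iptables-restore format. Interface names, addresses and the
# proxy port are assumptions; 203.0.113.0/24 is a documentation prefix.

WAN_IF=eth0              # public side, assumed address 203.0.113.5
LAN_IF=eth1              # private side
LAN_NET=192.168.1.0/24
WEB_HOST=192.168.1.10    # LAN host that receives forwarded HTTP
PROXY_PORT=3128          # local transparent proxy listener

nat_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Destination NAT / port forwarding: inbound HTTP to the public address is
# rewritten to the LAN web host before the routing decision is made.
-A PREROUTING -i $WAN_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# Transparent (intercepting) proxy: LAN clients' outbound HTTP is diverted
# to the proxy on this box; the clients are not configured for a proxy.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Overloaded NAT / PAT: all LAN hosts share the public address; conntrack
# rewrites the source port of each flow so the mappings stay unique.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The proxy listener is reachable from the LAN side only.
-A INPUT -i $LAN_IF -p tcp -m tcp --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open any outbound connection.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Port-forward target. FORWARD sees the packet after DNAT, so the rule
# must match the private address, never the public one.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Private address that port-forwarded HTTP actually reaches.
nat_port_forward_target() {
  nat_ruleset | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):80.*/\1/p'
}

# Does the filter table admit traffic to that translated destination?
nat_forward_allows_target() {
  nat_ruleset | grep -q -- "-A FORWARD .* -d $(nat_port_forward_target) .*--dport 80 "
}

# Port the transparent proxy intercepts on.
nat_redirect_port() {
  nat_ruleset | sed -n 's/.*-j REDIRECT --to-ports \([0-9]*\).*/\1/p'
}

# Enable forwarding, parse-check, then load (root only).
nat_apply() {
  sysctl -w net.ipv4.ip_forward=1 &&
    nat_ruleset | iptables-restore --test &&
    nat_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
  nat_apply
fi
```

Two things the rules make visible. First, PAT works because the MASQUERADE target hands each outbound flow to connection tracking, which rewrites the source port whenever two LAN hosts would otherwise collide on the same public address and port. Second, DNAT runs in PREROUTING, before the routing decision and before the filter table, so the FORWARD rule that admits port-forwarded traffic must match the private destination 192.168.1.10; a rule written against the public address never matches. The REDIRECT rule is what makes the proxy "transparent": the client still believes it is talking to the origin server. That only works for plaintext HTTP here; redirecting port 443 the same way would break certificate validation unless the proxy performs TLS interception with a CA the clients trust.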

23
Q

A firewall implemented in software within a virtualized or cloud environment rather than as a dedicated hardware appliance.

A

Virtual Firewall
Virtual firewalls are usually deployed within data centers and cloud services. A virtual firewall can be implemented in three different ways:
Hypervisor-based—this means that filtering functionality is built into the hypervisor or cloud provisioning tool. You can use the cloud’s web app or application programming interface (API) to write access control lists (ACLs) for traffic arriving or leaving a virtual host or virtual network.
Virtual appliance—this refers to deploying a vendor firewall appliance instance using virtualization, in the same way you might deploy a Windows or Linux guest OS.
Multiple context—this refers to multiple virtual firewall instances running on a hardware firewall appliance. Each context has a separate interface and can perform a distinct filtering role.

24
Q

A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

A

Intrusion Detection System (IDS)

25
Q

A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.

A

Network-based IDS (NIDS)

26
Q

An open-source NIDS. A subscription ("oinkcode") is required to obtain up-to-date rulesets, which allows the detection engine to identify the very latest threats. Non-subscribers can obtain community-authored rulesets.

A

Snort

27
Q

Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch.

A

SPAN (switched port analyzer)/mirror port

28
Q

A hardware device inserted into a cable to copy frames for analysis.

A

Test Access Point (TAP)

29
Q

An IDS that can actively block attacks.

A

Intrusion Prevention System (IPS)
IPS appliances are positioned like firewalls at the border between two network zones. As with proxy servers, the appliances are "inline" with the network, meaning that all traffic passes through them (also making them a single point of failure if there is no fault tolerance mechanism). This means that they need to be able to cope with high bandwidths and process each packet very quickly to avoid slowing down the network.

30
Q

A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.

A

Signature-based detection
Signature-based detection (or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

31
Q

A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.

A

Behavioral-based detection
Behavioral-based detection means that the engine is trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident. The idea is that the software will be able to identify zero-day attacks, insider threats, and other malicious activity for which there is no single signature.

32
Q

There are two general classes of behavior-based detection products that utilize machine learning:

A

User and entity behavior analytics (UEBA)—these products scan indicators from multiple intrusion detection and log sources to identify anomalies. They are often integrated with security information and event management (SIEM) platforms.
Network traffic analysis (NTA)—these products are closer to IDS and NBAD in that they apply analysis techniques only to network streams, rather than multiple network and log data sources.

33
Q

A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.

A

heuristics
A network behavior and anomaly detection (NBAD) engine uses heuristics (meaning "learning from experience") to generate a statistical model of what baseline normal traffic looks like. It may develop several profiles to model network use at different times of the day.

34
Q

In security scanning, a case that is reported when it should not be.

A

false positive
A false positive is where legitimate behavior generates an alert.

35
Q

In security scanning, a case that is not reported when it should be.

A

false negative
A false negative is where malicious activity does not generate an alert.

36
Q

Detection that looks specifically for irregularities in the use of protocols.

A

anomaly-based detection
For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert if they deviate from strict RFC compliance.

37
Q

Host or network firewall capable of parsing application layer protocol headers and data (such as HTTP or SMTP) so that sophisticated, content-sensitive ACLs can be developed.

A

next-generation firewall (NGFW)

38
Q

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

A

Unified Threat Management (UTM)
Unified threat management (UTM) refers to a security product that centralizes many types of security controls—firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway—into a single appliance.

39
Q

A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).

A

Content/URL Filter
Content filters are now usually implemented as a class of product called a secure web gateway (SWG).

41
Q

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

A

secure web gateway (SWG)

42
Q

A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state.

A

host-based IDS (HIDS)

43
Q

A type of software that reviews system files to ensure that they have not been tampered with.

A

file integrity monitoring (FIM)

44
Q

A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.

A

web application firewall (WAF)

45
Q

Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).

A

network monitor

46
Q

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

A

security information and event management (SIEM)

47
Q

There are three main types of log collection:

A

Agent-based
Listener/collector (for example, syslog)
Sensor

48
Q

A network appliance that gathers or receives log and/or state data from other network systems.

A

Listener/collector

49
Q

Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements.

A

Sentiment Analysis
The typical use case for sentiment analysis is to monitor social media for brand “incidents,” such as a disgruntled customer announcing on Twitter what poor customer service they have just received.

50
Q

A class of security tooling designed as a solution to the problem of the volume of alerts overwhelming analysts' ability to respond.

A

SOAR
Security Orchestration, Automation, and Response
A SOAR may be implemented as a standalone technology or integrated with a SIEM—often referred to as a next-gen SIEM.

51
Q

Linux command to view and combine (concatenate) files.

A

cat command

52
Q

Linux utility for showing the first lines in a file.

A

head

53
Q

Linux utility for showing the last lines in a file.

A

tail command

54
Q

Linux utility that writes data to the system log.

A

logger command

55
Q

A group of characters that describe how to execute a specific search pattern on a given text.

A

regular expression (regex)

56
Q

Linux command for searching and filtering input against a pattern, typically a regular expression. This can be used as a file search tool when combined with ls.

A

grep command
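
As an added example tying together signature-based detection (card 30), false positives and negatives (cards 34 and 35), regular expressions (card 55) and grep (card 56), the script below runs two signature sets over a web-server access log. None of it is from the original page: the log lines, the signatures and the syslog tag are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original flashcards: signature-based detection
# with grep and regular expressions over constructed access log lines.

SAMPLE_LOG=$(mktemp)
NAIVE_SIGS=$(mktemp)
TUNED_SIGS=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$NAIVE_SIGS" "$TUNED_SIGS"' EXIT

# Constructed access log: one clean request, three attack-style requests
# and one benign request whose path happens to contain "union".
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.7 - - [10/Mar/2024:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [10/Mar/2024:09:12:07 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:09:12:09 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 0
10.0.0.12 - - [10/Mar/2024:09:12:15 +0000] "GET /docs/union-station.html HTTP/1.1" 200 2210
10.0.0.9 - - [10/Mar/2024:09:12:20 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
EOF

# First-cut signature set, one extended regex per line. "union" alone is
# too loose (false positive on union-station.html), and nothing describes
# the quote-OR-1=1 injection at all (false negative).
cat > "$NAIVE_SIGS" <<'EOF'
union
(\.\./){2,}
%3Cscript%3E
EOF

# Tuned set: tie SQL keywords to their surrounding syntax and add the
# tautology pattern, URL-encoded or plain.
cat > "$TUNED_SIGS" <<'EOF'
(%27|')(%20|[[:space:]])*(or|and)(%20|[[:space:]])*[0-9]+(%3D|=)[0-9]+
union(%20|[[:space:]]|\+)+(all(%20|[[:space:]]|\+)+)?select
(\.\./){2,}
%3Cscript%3E
EOF

# Pattern matching: every log line that matches any signature in the file.
match_signatures() {  # $1 = signature file, $2 = log file
  grep -E -i -f "$1" "$2"
}

# Number of matching lines (grep -c prints 0 when nothing matches).
count_hits() {  # $1 = signature file, $2 = log file
  grep -E -i -c -f "$1" "$2"
}

# Request path (7th field of the combined log format) of each hit.
matched_paths() {  # $1 = signature file, $2 = log file
  match_signatures "$1" "$2" | awk '{ print $7 }'
}

# Client address with the most hits under a signature set.
top_source() {  # $1 = signature file, $2 = log file
  match_signatures "$1" "$2" | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# Hand the hits to syslog, where a collector or SIEM picks them up.
# Silently does nothing when logger is not installed.
report_hits() {
  command -v logger >/dev/null 2>&1 || return 0
  matched_paths "$TUNED_SIGS" "$SAMPLE_LOG" | while read -r path; do
    logger -t sigmatch -p auth.warning "signature hit: $path"
  done
}
```

The naive set shows both error types at once: the bare keyword union flags a harmless documentation page (false positive), while the quote-OR-1=1 request passes untouched because no signature describes it (false negative). The tuned set narrows the keyword to its SQL context and adds the missing pattern. That is the trade-off in every signature engine: each pattern detects only what its author anticipated, and each loosening to catch variants widens the false-positive surface.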