Module 1: Security Technology: Firewall and VPN Flashcards
1
Q
This is the method by which systems determine whether and how to admit a user into a strusted area of the organization.
A
access control
2
Q
This is a security technique that regulates who or what can view or use resources in a computing environment.
A
access control
3
Q
This is a fundamental concept in security that minimizes risk to the business or organization.
A
access control
4
Q
It is the allowing, restricting, and denying access to resources.
A
access control
5
Q
What is the difference between authorization and access?
A
Access refers to the “means” while authorization refers to the “permission”.
6
Q
This is the person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
A
owner
7
Q
A person who maintains the security of a system, perhaps by adding and removing access by user accounts.
aka. administrator
A
custodian
8
Q
A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.
A
end user
9
Q
They perform operations on objects or the assets.
A
subjects (users or procesess acting for users)
10
Q
The most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.
A
mandatory access control (MAC)
11
Q
They are a strictly-enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role (role-based access controls) or a specified set of tasks (tasks-based access controls)
A
nondiscretionary access control
12
Q
Least restrictive model; suubjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.
A
discretionary access control (DAC)
13
Q
This type of access control provide the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information/resources at their disposal.
A
discretionary access control
14
Q
This is a form of nondiscretionary access control in which users are assigned a matrix of authorizations for areas of access.
A
lattice-based access control (LBAC)
15
Q
Lattice-based access control specifies the level of access each subject has to each object, as implemented in ____ and ____.
A
Lattice-based access control specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capabilities table.
16
Q
____ controls are associated with the duties a user performs in an organization, such as a position or temporary assignment like project manager, while task-based controls are tied to a particular chore or responsibility, such as a department’s printer administrator.
A
role-based
17
Q
Some consider this access control as a method of providing more detailed control over the steps or stages associated with a role or project.
A
task-based access control
18
Q
What are the access control mechanisms
A
- identification
- authentication
- authorization
- accountability
19
Q
access control mechanism
A mechanism whereby unverified or unauthenticated entities who seek access to resource provide a label by which they are known to the system.
I am a user of the system
A
identification
20
Q
access control mechanism
It is the process of validating an unauthenticated entity’s purported identity.
I can prove I am a user of the system
A
authentication
21
Q
access control mechanism
There are three widely used authentication mechanisms, or authentication factors:
A
- something you know
- something you have
- something you are
22
Q
access control mechanism
This is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.
Here’s what I can do with the system
A
autherization
23
Q
An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.
A
access control matrix
24
Q
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computergenerated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
A
asynchronous token
25
An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
dumb card
26
A plain-language phrase, typically longer than a password, from which a virtual password is derived.
passphrase
27
A secret word or combination of characters that only the user should know; it is used to authenticate the user.
password
28
An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
smart card
29
In access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.
strong authentication
30
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.
synchronous token
31
The derivative of a passphrase
virtual password
32
This is an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some differences between the various other standards.
The Common Criteria for Information Technology Security Evaluation, aka Common Criteria or just CC
33
The system being evaluated
target of evaluation (ToE)
34
User-generated specification for security requirements
protection profile (PP)
35
Document describing the ToE’s security properties
security target (ST)
36
Catalog of a product’s security functions
security functional requirements (SFRs)
37
The rating or grading of a ToE after evaluation
evaluation assurance levels (EALs)
38
How many levels does the evaluation assurance level typically have?
EAL1 - 7
39
This is a “state machine reference model”—in other words, a
model of an automated system that is able to manipulate its state or status over time.
Bell-LaPadula (BLP) confidentiality model
40
This is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations.
Biba integrity model
41
Unauthorized or unintended methods of communications hidden inside a computer system.
covert channels
42
Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
reference monitor
43
TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.
storage channels
44
TCSEC-defined covert channels that communicate by managing the relative timing of events.
timing channels
45
Under the Trusted Computer System Evaluation Criteria (TCSEC), this is the combination of all hardware, firmware, and software responsible for enforcing the security policy.
trusted computing base (TCB)
46
This model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The model’s change control principles are:
x No changes by unauthorized subjects
x No unauthorized changes by authorized subjects
x The maintenance of internal and external consistency
Clark-Wilson integrity model
47
This means that the system does what it is expected to do every time, without exception.
internal consistency
48
This means that the data in the system is consistent with similar data in the outside world.
external consistency
49
Data item with protected integrity.
Constrained data item (CDI)
50
Data not controlled by Clark-Wilson; nonvalidated input or any output
Unconstrained data item
51
Procedure that scans data and confirms its integrity
Integrity verification procedure (IVP)
52
Procedure that only allows changes to a constrained data item
Transformation procedure (TP):
53
This model has three parts: a set of objects, a set of subjects, and a set of rights.
Graham-Denning access control model
54
This model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not allow.
Harrison-Ruzzo-Ullman (HRU) model
55
This model is commonly known as a Chinese Wall, is designed to prevent a conflict of interest between two parties.
Brewer-Nash model
56
Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
address restrictions
57
A firewall type that can react to network traffic and create or modify configuration rules to adapt.
dynamic packet-filtering firewall
58
In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.
firewall
59
A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
packet-filtering firewall
60
A tabular record of the state and context of each packet in a conversation between an internal and external user or system. This is used to expedite traffic filtering.
state table
61
A firewall type that keeps track of each network
connection between internal and external systems using a state table and that expedites the filtering of those communications.
stateful packet inspection (SPI) firewall aka stateful inspection firewall
62
A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
static packet-filtering firewall
63
The system of networks inside the organization that contains its information assets and is under the organization’s control.
trusted network
64
The system of networks outside the organization over which the organization has no control. The Internet is an example of this.
untrusted network
65
This is simply a computer containing two network cards.
firewall
66
# True or false?
The computer is initially configured to not allow any traffic to pass from one card to another.
True
67
The firewall may be a:
* Separate computer system
* Software service running on an
existing router or server
* Separate network containing a
number of supporting devices.
68
The firewall is categorized by:
* Their processing type
* Their evolutional generation
* The way they are implemented
69
Firewalls by Processing Type
* Packet Filtering Firewalls
* Application Gateway Firewalls
* Circuit Gateways
* MAC Layer Firewalls
* Hybrids
70
Traffic on network is broken down into ____.
packets (smaller message units)
71
Each packet must hold at least two addresses: the ____ and that of the ____.
Each packet must hold at least two addresses: that of the **sender** and that of the **recipient**.
72
# True or false?
Packet filtering protects a local network from desired invasion depending upon the predefined rules
True
73
Packet filtering controls (allows or drops) packet or data transfer based on the following standards:
* The address the packet is coming from.
* The address the packet is going to.
* The application protocols or rules set to transfer the data.
74
A device capable of functioning both as a firewall and an application layer proxy server.
application layer proxy firewall aka application firewall
75
An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher level of risk.
demilitarized zone (DMZ)
76
A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers.
| aka cache servers
proxy server
77
A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
reverse proxy
78
This is a type of firewall that provides application-level control over network traffic.
application gateway firewall
79
These can be used to deny access to the resources of private networks to distrusted users over the Internet.
application gateways
80
This is a device placed between an external, untrusted network and an internal, trusted network.
| Aka sacrificial host
bastion host
81
This serves as the sole target for attack and should therefore be thoroughly secured.
bastion host
| aka single bastion host
82
A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
extranet
83
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.
network address translation (NAT)
84
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.
port address translation (PAT)
85
A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.
screened host architecture
86
A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.
screened subnet architecture
87
A firewall that provides User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connection security.
circuit-level gateways
88
Works between an Open Systems Interconnection (OSI) network model’s transport and application layers such as the session layer.
circuit gateways
89
Unlike application gateways, these monitor TCP data packet handshaking and session fulfillment of firewall rules and policies.
circuit gateways
90
What does ISO mean?
international organization for standardization
91
What does OSI mean?
open system interconnection
92
The ____ of the ISO-OSI Data Link layer is concerned with ____ addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.
The **MAC sublayer** of the ISO-OSI Data Link layer is concerned with **MAC** addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.
93
This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question.
MAC layer firewalls
94
This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.
MAC layer firewall
95
This combines the elements of other types of firewalls that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways
hybrid firewalls
96
These are static packet-filtering firewalls.
first generation firewalls
97
These are simple networking devices that filter packets according to their headers as the packets travel to and from the ogranization's network.
first generation firewall / static packet filtering firewall
98
These are application-level firewalls or proxy servers
second generation firewalls
99
These are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
second generation firewalls / application-level firewalls or proxy servers
100
These are stateful inspection firewalls
third generation firewalls
101
These monitors the state of active connections and uses the information to permit the network packets through the firewall.
third generation firewall / stateful inspection firewalls
102
These are dynamic packet-filtering firewalls
fourth generation firewalls
103
These firewalls allow only a particular packet with a particular source, destination, and port address to enter.
fourth generation firewalls / dynamic packet-filtering firewalls
104
These are kernel proxy firewalls.
fifth generation firewalls
105
These are integrated into an operating system's core to provide multiple levels of session and packet evaluation
fifth generation firewalls / kernel proxy firewalls
106
What are the 4 firewalls by structure?
- commercial appliances
- commercial systems
- small office - home office appliances
- residential (consumer) software
107
These are standalone self-contained combination of computing hardware and software. These devices frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of being compromised.
commercial appliances
| aka commercial grade firewall appliances
108
These variant operating systems are tuned to meet the type of firewall activity built into the application software that provides the firewall functionality.
commercial appliances
109
This consists of application software that is configured for the firewall application and run on a general-purpose computer.
commercial systems
| aka commercial grade firewall systems
110
These systems exploit the fact that firewalls are essentially applications software packages that use common general purpose network connections to move data from one network to another.
commercial systems
111
One of the most effective methods improving computing security in the small office home office appliances setting is by means of this type of firewall by structure.
small office / home office firewall
| aka soho or residential grade firewall
112
Another method of protecting the user is to install a software directly on the user system. Many people have implemented this ____, some of which also provide antivirus or inclusion detection capabilities. But unfortunately, they may not be as fully protected as they think.
residential (consumer) software
113
These are implementations of cryptographic technology. It is a private data network that uses the public telecommunications infrastructure to create a means for private communication via a tunneling protocol coupled with security procedures.
virtual private networks (VPNs)
114
These are commonly used to securely extend an organization’s internal network connections to remote locations.
virtual private networks (VPNs)
115
This is a combination of trusted and secure VPN implementations. Combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network.
hybrid VPN
116
This is a VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks. They use that same security protocol like IPSec to encrypt traffic transmitted across unsecured public networks like the Internet.
secure VPN
117
This also known as legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
trusted VPN
118
A private, secure network operated over a public and insecure network. This keeps the content of the network messages hidden from observers who may have access to public traffic.
VPN
119
A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following:
- encapsulation of incoming and outgoing data
- encryption of incoming and outgoing data
- authentication
120
What does IPSec stand for?
internet protocol security
121
This is the dominant protocol used in VPNs. It uses either **transport mode** or **tunnel mode**. It can be used as a standalone protocol or coupled with the Layer Two Tunneling Protocol (L2TP)
IPSec
122
In this mode, the data within the IP packet is encrypted, but the header information is not. This allows the users to establish a secure link directly with the remote host, encrypting only the data content of the packet.
transport mode
123
This mode eliminates the need for special servers and tunneling software, and allows end users to transmit traffic from anywhere, which is especially useful for traveling or telecommuting employees.
transport mode
124
# Transport mode VPNs have 2 popular uses
Two end users can communicate directly, encrypting and decrypting their communications as needed. Each machine acts as the end-node VPN server and client.
end-to-end support of encrypted data
125
# Transport mode VPNs have 2 popular uses
This allows the teleworker’s system to work as if it were a part of the local area network. The VPN server in this example acts as an intermediate node, encrypting traffic from the secure intranet and transmitting it to the remote client, and decrypting traffic from the remote client and transmitting it to its final destination.
remote access worker or teleworker connects to an office network over the Internet by connecting to a VPN server on the perimeter
126
Establishes two perimeter tunnel servers to encrypt all traffic that will traverse unsecured network.
tunnel mode
127
Entire client package is encrypted and added as data portion of packet, from one tunneling server to another.
tunnel mode
128
Primary benefit to this mode is that an intercepted packet reveals nothing about the true destination system.
tunnel mode
129
This is an example of tunnel mode VPN
Microsoft’s Internet Security and Acceleration (ISA) server
