Module 1: Security Technology: Firewall and VPN Flashcards
This is the method by which systems determine whether and how to admit a user into a trusted area of the organization.
access control
This is a security technique that regulates who or what can view or use resources in a computing environment.
access control
This is a fundamental concept in security that minimizes risk to the business or organization.
access control
It is the allowing, restricting, and denying access to resources.
access control
What is the difference between authorization and access?
Access refers to the “means” while authorization refers to the “permission”.
This is the person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
owner
A person who maintains the security of a system, perhaps by adding and removing access by user accounts.
aka. administrator
custodian
A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.
end user
They perform operations on objects or the assets.
subjects (users or processes acting for users)
The most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.
mandatory access control (MAC)
They are a strictly enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role (role-based access controls) or a specified set of tasks (task-based access controls).
nondiscretionary access control
Least restrictive model; subjects (end users) can own objects and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.
discretionary access control (DAC)
This type of access control provides the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information/resources at their disposal.
discretionary access control
This is a form of nondiscretionary access control in which users are assigned a matrix of authorizations for areas of access.
lattice-based access control (LBAC)
Lattice-based access control specifies the level of access each subject has to each object, as implemented in ____ and ____.
Lattice-based access control specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capabilities tables.
____ controls are associated with the duties a user performs in an organization, such as a position or temporary assignment like project manager, while task-based controls are tied to a particular chore or responsibility, such as a department’s printer administrator.
role-based
Some consider this access control as a method of providing more detailed control over the steps or stages associated with a role or project.
task-based access control
What are the access control mechanisms?
- identification
- authentication
- authorization
- accountability
access control mechanism
A mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label by which they are known to the system.
I am a user of the system
identification
access control mechanism
It is the process of validating an unauthenticated entity’s purported identity.
I can prove I am a user of the system
authentication
access control mechanism
There are three widely used authentication mechanisms, or authentication factors:
- something you know
- something you have
- something you are
access control mechanism
This is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.
Here’s what I can do with the system
authorization
An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.
access control matrix
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
asynchronous token
An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
dumb card
A plain-language phrase, typically longer than a password, from which a virtual password is derived.
passphrase
A secret word or combination of characters that only the user should know; it is used to authenticate the user.
password
An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
smart card
In access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.
strong authentication
An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.
synchronous token
The derivative of a passphrase
virtual password
This is an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some differences between the various other standards.
The Common Criteria for Information Technology Security Evaluation, aka Common Criteria or just CC
The system being evaluated
target of evaluation (ToE)
User-generated specification for security requirements
protection profile (PP)
Document describing the ToE’s security properties
security target (ST)
Catalog of a product’s security functions
security functional requirements (SFRs)
The rating or grading of a ToE after evaluation
evaluation assurance levels (EALs)
How many levels does the evaluation assurance level typically have?
EAL1 - 7
This is a “state machine reference model”—in other words, a model of an automated system that is able to manipulate its state or status over time.
Bell-LaPadula (BLP) confidentiality model
This is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations.
Biba integrity model
Unauthorized or unintended methods of communications hidden inside a computer system.
covert channels
Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
reference monitor
TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.
storage channels
TCSEC-defined covert channels that communicate by managing the relative timing of events.
timing channels
Under the Trusted Computer System Evaluation Criteria (TCSEC), this is the combination of all hardware, firmware, and software responsible for enforcing the security policy.
trusted computing base (TCB)
This model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The model’s change control principles are:
- No changes by unauthorized subjects
- No unauthorized changes by authorized subjects
- The maintenance of internal and external consistency
Clark-Wilson integrity model
This means that the system does what it is expected to do every time, without exception.
internal consistency
This means that the data in the system is consistent with similar data in the outside world.
external consistency
Data item with protected integrity.
Constrained data item (CDI)
Data not controlled by Clark-Wilson; nonvalidated input or any output
Unconstrained data item
Procedure that scans data and confirms its integrity
Integrity verification procedure (IVP)
Procedure that only allows changes to a constrained data item
Transformation procedure (TP)
This model has three parts: a set of objects, a set of subjects, and a set of rights.
Graham-Denning access control model
This model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not allow.
Harrison-Ruzzo-Ullman (HRU) model
This model, commonly known as a Chinese Wall, is designed to prevent a conflict of interest between two parties.
Brewer-Nash model
Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
address restrictions
A firewall type that can react to network traffic and create or modify configuration rules to adapt.
dynamic packet-filtering firewall
In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.
firewall
A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
packet-filtering firewall
A tabular record of the state and context of each packet in a conversation between an internal and external user or system. This is used to expedite traffic filtering.
state table
A firewall type that keeps track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications.
stateful packet inspection (SPI) firewall aka stateful inspection firewall
A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
static packet-filtering firewall
The system of networks inside the organization that contains its information assets and is under the organization’s control.
trusted network
The system of networks outside the organization over which the organization has no control. The Internet is an example of this.
untrusted network
This is simply a computer containing two network cards.
firewall
True or false?
The computer is initially configured to not allow any traffic to pass from one card to another.
True
The firewall may be a:
- Separate computer system
- Software service running on an existing router or server
- Separate network containing a number of supporting devices
The firewall is categorized by:
- Their processing type
- Their evolutional generation
- The way they are implemented
Firewalls by Processing Type
- Packet Filtering Firewalls
- Application Gateway Firewalls
- Circuit Gateways
- MAC Layer Firewalls
- Hybrids
Traffic on network is broken down into ____.
packets (smaller message units)
Each packet must hold at least two addresses: the ____ and that of the ____.
Each packet must hold at least two addresses: that of the sender and that of the recipient.
True or false?
Packet filtering protects a local network from undesired invasion depending upon the predefined rules.
True
Packet filtering controls (allows or drops) packet or data transfer based on the following standards:
- The address the packet is coming from.
- The address the packet is going to.
- The application protocols or rules set to transfer the data.
A device capable of functioning both as a firewall and an application layer proxy server.
application layer proxy firewall aka application firewall
An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher level of risk.
demilitarized zone (DMZ)
A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers.
aka cache servers
proxy server
A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
reverse proxy
This is a type of firewall that provides application-level control over network traffic.
application gateway firewall
These can be used to deny access to the resources of private networks to distrusted users over the Internet.
application gateways
This is a device placed between an external, untrusted network and an internal, trusted network.
Aka sacrificial host
bastion host
This serves as the sole target for attack and should therefore be thoroughly secured.
bastion host
aka single bastion host
A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
extranet
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.
network address translation (NAT)
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.
port address translation (PAT)
A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.
screened host architecture
A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.
screened subnet architecture
A firewall that provides User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connection security.
circuit-level gateways
Works between an Open Systems Interconnection (OSI) network model’s transport and application layers such as the session layer.
circuit gateways
Unlike application gateways, these monitor TCP data packet handshaking and session fulfillment of firewall rules and policies.
circuit gateways
What does ISO mean?
international organization for standardization
What does OSI mean?
open system interconnection
The ____ of the ISO-OSI Data Link layer is concerned with ____ addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.
The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.
This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question.
MAC layer firewalls
This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.
MAC layer firewall
This combines the elements of other types of firewalls; that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
hybrid firewalls
These are static packet-filtering firewalls.
first generation firewalls
These are simple networking devices that filter packets according to their headers as the packets travel to and from the organization’s network.
first generation firewall / static packet filtering firewall
These are application-level firewalls or proxy servers.
second generation firewalls
These are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
second generation firewalls / application-level firewalls or proxy servers
These are stateful inspection firewalls.
third generation firewalls
These monitor the state of active connections and use that information to decide which network packets to permit through the firewall.
third generation firewall / stateful inspection firewalls
These are dynamic packet-filtering firewalls.
fourth generation firewalls
These firewalls allow only a particular packet with a particular source, destination, and port address to enter.
fourth generation firewalls / dynamic packet-filtering firewalls
These are kernel proxy firewalls.
fifth generation firewalls
These are integrated into an operating system’s core to provide multiple levels of session and packet evaluation.
fifth generation firewalls / kernel proxy firewalls
What are the 4 firewalls by structure?
- commercial appliances
- commercial systems
- small office - home office appliances
- residential (consumer) software
These are standalone, self-contained combinations of computing hardware and software. These devices frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of being compromised.
commercial appliances
aka commercial grade firewall appliances
These variant operating systems are tuned to meet the type of firewall activity built into the application software that provides the firewall functionality.
commercial appliances
This consists of application software that is configured for the firewall application and runs on a general-purpose computer.
commercial systems
aka commercial grade firewall systems
These systems exploit the fact that firewalls are essentially application software packages that use common general-purpose network connections to move data from one network to another.
commercial systems
One of the most effective methods of improving computing security in the small office/home office setting is this type of firewall by structure.
small office / home office firewall
aka soho or residential grade firewall
Another method of protecting the user is to install software directly on the user’s system. Many people have implemented this ____, some of which also provide antivirus or intrusion detection capabilities. Unfortunately, they may not be as fully protected as they think.
residential (consumer) software
These are implementations of cryptographic technology: a private data network that uses the public telecommunications infrastructure to create a means for private communication via a tunneling protocol coupled with security procedures.
virtual private networks (VPNs)
These are commonly used to securely extend an organization’s internal network connections to remote locations.
virtual private networks (VPNs)
This is a combination of trusted and secure VPN implementations, providing encrypted transmissions (as in a secure VPN) over some or all of a trusted VPN network.
hybrid VPN
This is a VPN implementation that uses security protocols, such as IPSec, to encrypt traffic transmitted across unsecured public networks like the Internet.
secure VPN
This is also known as a legacy VPN: a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
trusted VPN
A private, secure network operated over a public and insecure network. This keeps the content of the network messages hidden from observers who may have access to public traffic.
VPN
A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following:
- encapsulation of incoming and outgoing data
- encryption of incoming and outgoing data
- authentication
What does IPSec stand for?
internet protocol security
This is the dominant protocol used in VPNs. It uses either transport mode or tunnel mode. It can be used as a standalone protocol or coupled with the Layer Two Tunneling Protocol (L2TP).
IPSec
In this mode, the data within the IP packet is encrypted, but the header information is not. This allows the users to establish a secure link directly with the remote host, encrypting only the data content of the packet.
transport mode
This mode eliminates the need for special servers and tunneling software, and allows end users to transmit traffic from anywhere, which is especially useful for traveling or telecommuting employees.
transport mode
Transport mode VPNs have two popular uses.
Two end users can communicate directly, encrypting and decrypting their communications as needed. Each machine acts as the end-node VPN server and client.
end-to-end support of encrypted data
Transport mode VPNs have two popular uses.
This allows the teleworker’s system to work as if it were a part of the local area network. The VPN server in this example acts as an intermediate node, encrypting traffic from the secure intranet and transmitting it to the remote client, and decrypting traffic from the remote client and transmitting it to its final destination.
remote access worker or teleworker connects to an office network over the Internet by connecting to a VPN server on the perimeter
Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an unsecured network.
tunnel mode
The entire client packet is encrypted and added as the data portion of a packet, from one tunneling server to another.
tunnel mode
Primary benefit to this mode is that an intercepted packet reveals nothing about the true destination system.
tunnel mode
This is an example of a tunnel mode VPN.
Microsoft’s Internet Security and Acceleration (ISA) server