Module 4 - 03-3 Flashcards
Network hardening
What does Network hardening focus on (3)?
Network-related security hardening:
- Port filtering
- Network access privileges
- Encryption over networks
What are some network hardening tasks that are performed regularly (4)?
- Firewall rules maintenance
- Network log analysis
- Patch updates
- Server backups
Define Network log analysis
The process of examining network logs to identify events of interest
Define Security Information and Event Management tool (SIEM)
An application that collects and analyzes log data to monitor critical activities in an organization
What is a SIEM dashboard interface sometimes called?
A single pane of glass
What are some network hardening tasks that are performed once (3)?
- Port filtering on firewalls
- Network access privileges
- Encryption for communication
Define and explain Port filtering
A firewall function that blocks or allows certain port numbers to limit unwanted communication.
A basic principle is that the only ports that are needed are the ones that are allowed.
Any port that isn’t being used by the normal network operations should be disallowed.
This protects against port vulnerabilities.
Networks should be set up with the most up-to-date wireless protocols available and older wireless protocols should be disabled.
Explain Network Access Privilege
Security analysts also use network segmentation to create isolated subnets for different departments in an organization.
This is done so the issues in each subnet don’t spread across the whole company and only specified users are given access to the part of the network that they require for their role.
Network segmentation may also be used to separate different security zones. Any restricted zone on a network containing highly classified or confidential data should be separate from the rest of the network.
Explain Encryption for communication
All network communication should be encrypted using the latest encryption standards.
Encryption standards are rules or methods used to conceal outgoing data and uncover or decrypt incoming data.
Data in restricted zones should have much higher encryption standards, which makes them more difficult to access.
A _____ is an application that collects and analyzes log data to monitor critical activities in an organization.
- Baseline configuration
- Security Information and Event Management tool (SIEM)
- Port filter
- Network log analysis
Security Information and Event Management tool (SIEM)
What is the approach of adding layers of security to a network referred to as?
Defense in depth
What devices are normally used to secure a Network (4)?
- Firewall
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
- Security Incident and Event Management tool (SIEM)
Explain how a Firewall secures a network
Firewalls allow or block traffic based on a set of rules.
As data packets enter a network, the packet header is inspected and allowed or denied based on its port number.
Next Generation Firewalls (NGFWs) are also able to inspect packet payloads.
Each system should have its own firewall, regardless of the network firewall.
What does IDS stand for?
Intrusion Detection System (IDS)
Define IDS
An application that monitors system activity and alerts on possible intrusions.
An IDS alerts administrators based on the signature of malicious traffic.
Explain how an Intrusion Detection System secures a network
The IDS is configured to detect known attacks.
IDS systems often sniff data packets as they move across the network and analyze them for the characteristics of known attacks.
Some IDS systems review not only for signatures of known attacks, but also for anomalies that could be the sign of malicious activity.
When the IDS discovers an anomaly, it sends an alert to the network administrator who can then investigate further.
The limitations to IDS systems are that they can only scan for known attacks or obvious anomalies.
New and sophisticated attacks might not be caught.
The other limitation is that the IDS doesn’t actually stop the incoming traffic if it detects something awry.
It’s up to the network administrator to catch the malicious activity before it does anything damaging to the network.
When combined with a firewall, an IDS adds another layer of defense.
The IDS is placed behind the firewall and before entering the LAN, which allows the IDS to analyze data streams after network traffic that is disallowed by the firewall has been filtered out.
This is done to reduce noise in IDS alerts, also referred to as false positives.
What does IPS stand for?
Intrusion Prevention System (IPS)
Define IPS
An application that monitors system activity for intrusive activity and takes action to stop the activity.
It offers even more protection than an IDS because it actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network administrator.
Explain how an Intrusion Prevention System secures a network
An IPS searches for signatures of known attacks and data anomalies.
An IPS reports the anomaly to security analysts and blocks a specific sender or drops network packets that seem suspect.
The IPS (like an IDS) sits behind the firewall in the network architecture.
This offers a high level of security because risky data streams are disrupted before they even reach sensitive parts of the network.
However, one potential limitation is that it is inline:
If it breaks, the connection between the private network and the internet breaks.
Another limitation of IPS is the possibility of false positives, which can result in legitimate traffic getting dropped.
Explain how a Full packet capture devices secures a network
Full packet capture devices can be incredibly useful for network administrators and security professionals.
These devices allow you to record and analyze all of the data that is transmitted over your network.
They also aid in investigating alerts created by an IDS.
What does SIEM stand for?
Security Information and Event Management system (SIEM)
Define SIEM
An application that collects and analyzes log data to monitor critical activities in an organization
Explain how a Security Information and Event Management tool secures a network
SIEM tools work in real time to report suspicious activity in a centralized dashboard.
SIEM tools additionally analyze network log data sourced from IDSs, IPSs, firewalls, VPNs, proxies, and DNS logs.
SIEM tools are a way to aggregate security event data so that it all appears in one place for security analysts to analyze.
This is referred to as a single pane of glass.
What are the Advantages and Disadvantages of a Firewall?
Advantages:
A firewall allows or blocks traffic based on a set of rules.
Disadvantages:
A firewall is only able to filter packets based on information provided in the header of the packets.
What are the Advantages and Disadvantages of a Intrusion Detection System (IDS)?
Advantages:
An IDS detects and alerts admins about possible intrusions, attacks, and other malicious traffic.
Disadvantages:
An IDS can only scan for known attacks or obvious anomalies; new and sophisticated attacks might not be caught. It doesn’t actually stop the incoming traffic.
What are the Advantages and Disadvantages of a Intrusion Prevention System (IPS)?
Advantages:
An IPS monitors system activity for intrusions and anomalies and takes action to stop them.
Disadvantages:
An IPS is an inline appliance. If it fails, the connection between the private network and the internet breaks. It might detect false positives and block legitimate traffic.
What are the Advantages and Disadvantages of a Security Information and Event Management (SIEM)?
Advantages:
A SIEM tool collects and analyzes log data from multiple network machines. It aggregates security events for monitoring in a central dashboard.
Disadvantages:
A SIEM tool only reports on possible security issues. It does not take any actions to stop or prevent suspicious events.
Security teams can use _____ to examine network logs and identify events of interest.
- security information and event management (SIEM) tools
- baseline configuration
- network segmentation
- port filtering
security information and event management (SIEM) tools
SIEM tools collect and analyze log data to monitor critical activities in an organization.
What is a basic principle of port filtering?
- Disallow ports that are used by normal network operations.
- Allow ports that are used by normal network operations.
- Block all ports in a network.
- Allow users access to only areas of the network that are required for their role.
A basic principle of port filtering is to allow ports that are used by normal network operations. Any port that is not being used by the normal network operations should be disallowed to protect against vulnerabilities.
Allow ports that are used by normal network operations.
A basic principle of port filtering is to allow ports that are used by normal network operations. Any port that is not being used by the normal network operations should be disallowed to protect against vulnerabilities.
A security professional creates different subnets for the various departments in their business, ensuring users have access that is appropriate for their particular roles. What does this scenario describe?
- Network segmentation
- Patch updates
- Firewall maintenance
- Network log analysis
Network segmentation
This scenario describes network segmentation, which involves creating isolated subnets for different departments in an organization.
Data in restricted zones should have the same encryption standards as data in other zones.
- True
- False
False
Restricted zones on a network, which contain highly classified or confidential data, should have much higher encryption standards than data in other zones to make them more difficult to access.
