Module 4: Securing Your Networks Flashcards
Network Hardening
General Overview:
Network hardening is the process of securing network devices and infrastructure against attacks by minimizing vulnerabilities and implementing robust security measures.
Simplified Breakdown:
Like reinforcing a building with stronger locks and alarms.
Involves configuring devices (routers, switches, firewalls) securely, updating firmware, and reducing unnecessary services.
Relevant Examples:
Updating router firmware to patch vulnerabilities.
Disabling unused ports on a network switch.
Implementing access controls to restrict unauthorized device connections.
Key Points:
Firmware Updates: Regular patching to fix vulnerabilities.
Disable Unused Services: Reduces attack surface.
Access Controls: Enforce least privilege for network devices.
Network Segmentation: Isolates sensitive parts of the network.
DHCP Snooping
General Overview:
DHCP Snooping is a security feature that helps prevent unauthorized (rogue) DHCP servers from assigning IP addresses on a network by validating DHCP messages.
Simplified Breakdown:
Think of it as a bouncer who only allows verified devices to assign network addresses.
It maintains a trusted list of DHCP servers to block rogue servers.
Relevant Examples:
In a corporate network, DHCP Snooping prevents a rogue device from giving out fake IP addresses that could lead to man-in-the-middle attacks.
It is configured on network switches to filter out unauthorized DHCP traffic.
Key Points:
Rogue Server Prevention: Blocks unauthorized DHCP servers.
Trusted Database: Maintains a list of valid DHCP servers.
Improves Network Integrity: Prevents IP conflicts and spoofing.
Dynamic ARP Inspection (DAI)
General Overview:
Dynamic ARP Inspection is a security feature that validates ARP packets on the network to prevent ARP spoofing/poisoning attacks, ensuring that only legitimate ARP replies are accepted.
Simplified Breakdown:
It acts like a guard that checks if a person’s ID matches their face before letting them enter.
It compares ARP messages against a trusted database (often built using DHCP Snooping).
Relevant Examples:
Protecting a company network from an attacker who sends fake ARP replies to intercept data.
Used in environments where network integrity is critical, such as financial institutions.
Key Points:
Prevents ARP Spoofing: Blocks fake ARP messages.
Works with DHCP Snooping: Uses trusted IP-MAC bindings.
Enhances Data Integrity: Protects against man-in-the-middle attacks.
Flashcard 4: Flood Guards
General Overview:
Flood Guards are security mechanisms designed to protect networks from Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks by detecting and controlling abnormal traffic surges.
Simplified Breakdown:
Think of Flood Guards as traffic controllers who limit excessive vehicle entry onto a road.
They monitor traffic patterns and block excessive requests that could overwhelm network resources.
Relevant Examples:
A firewall configured with flood protection stops a SYN flood attack by limiting connection attempts.
Cloud services using flood guards to mitigate high-volume attack traffic.
Key Points:
Traffic Limiting: Prevents network overload.
DoS/DDoS Protection: Stops flooding attacks.
Real-Time Monitoring: Continuously inspects traffic for abnormalities
EAP-TLS
General Overview:
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is a wireless network authentication method that uses digital certificates for mutual authentication between a client and a server.
Simplified Breakdown:
Like a secure handshake where both parties show ID (certificates) before talking.
Provides strong security by ensuring both sides are verified.
Relevant Examples:
Used in enterprise Wi-Fi (WPA2-Enterprise) to securely authenticate employee devices.
Employed in VPNs for mutual authentication before establishing a secure tunnel.
Key Points:
Mutual Authentication: Both client and server verify each other.
Certificate-Based: Uses digital certificates instead of passwords.
Strong Security: Protects against impersonation and unauthorized access.
WEP Encryption and Why You Shouldn’t Use It
General Overview:
WEP (Wired Equivalent Privacy) is an early wireless security protocol that attempts to secure Wi-Fi networks but has significant vulnerabilities making it easily breakable.
Simplified Breakdown:
WEP is like using a cheap lock that can be picked quickly.
Its outdated encryption and weak key management render it insecure.
Relevant Examples:
Hackers can crack WEP encryption in minutes using freely available tools.
Replacing WEP with WPA2 or WPA3 is recommended for secure Wi-Fi.
Key Points:
Weak Encryption: Uses RC4 with small IVs.
Vulnerable to Brute-Force: Easily cracked due to weak key generation.
Obsolete: Modern networks should use WPA2 or WPA3.
Flood Guards
General Overview:
Flood Guards are security mechanisms designed to protect networks from Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks by detecting and controlling abnormal traffic surges.
Simplified Breakdown:
Think of Flood Guards as traffic controllers who limit excessive vehicle entry onto a road.
They monitor traffic patterns and block excessive requests that could overwhelm network resources.
Relevant Examples:
A firewall configured with flood protection stops a SYN flood attack by limiting connection attempts.
Cloud services using flood guards to mitigate high-volume attack traffic.
Key Points:
Traffic Limiting: Prevents network overload.
DoS/DDoS Protection: Stops flooding attacks.
Real-Time Monitoring: Continuously inspects traffic for abnormalities.
WPA
General Overview:
WPA (Wi-Fi Protected Access) is an improved wireless security protocol developed to replace WEP. It introduced stronger encryption (using TKIP) but has been largely superseded by WPA2.
Simplified Breakdown:
WPA is like an upgraded lock, offering better security than WEP.
Uses temporary encryption keys that change frequently (TKIP).
Relevant Examples:
Early Wi-Fi networks moved from WEP to WPA to mitigate vulnerabilities.
WPA is still seen in older devices, but WPA2 is the standard for modern security.
Key Points:
Improved Security Over WEP: Introduces TKIP.
Temporary Keys: Frequent key changes add security.
Legacy Technology: Mostly replaced by WPA2.
TKIP
General Overview:
TKIP (Temporal Key Integrity Protocol) is an encryption protocol used in WPA that dynamically changes encryption keys to enhance security compared to WEP.
Simplified Breakdown:
TKIP is like frequently changing the combination on your lock to keep it secure.
It was designed as a stopgap solution to address WEP’s weaknesses.
Relevant Examples:
Networks using WPA initially relied on TKIP until WPA2 introduced AES.
Although better than WEP, TKIP is now considered less secure than AES-based methods.
Key Points:
Dynamic Keying: Changes encryption keys frequently.
Interim Solution: Used in WPA before WPA2’s AES.
Less Secure Today: Replaced by AES (CCMP) in WPA2.
WPA2
General Overview:
WPA2 (Wi-Fi Protected Access 2) is the current standard for securing wireless networks. It uses AES encryption (via CCMP) for robust security and offers both personal (PSK) and enterprise (802.1X) modes.
Simplified Breakdown:
WPA2 is like a state-of-the-art security system for Wi-Fi.
It employs strong encryption (AES) and can be used with unique passwords or enterprise authentication.
Relevant Examples:
Home networks commonly use WPA2-Personal for secure Wi-Fi access.
Businesses use WPA2-Enterprise with a RADIUS server for enhanced security.
Key Points:
AES Encryption: Uses AES via CCMP for strong security.
Two Modes: Personal (PSK) and Enterprise (802.1X).
Industry Standard: Widely adopted for secure Wi-Fi networks.
CCMP
General Overview:
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is the encryption protocol used in WPA2. It provides both data confidentiality and integrity using AES.
Simplified Breakdown:
CCMP is like a double-layer security system that both locks and checks the integrity of your data.
It ensures that data is not only encrypted but also that it hasn’t been altered.
Relevant Examples:
WPA2 networks use CCMP to protect sensitive data in home and corporate environments.
Security professionals rely on CCMP to prevent unauthorized data tampering.
Key Points:
AES-Based: Uses the strong AES cipher.
Dual Protection: Provides encryption and authentication.
Reliable Security: Preferred over older methods like TKIP.
PTK
General Overview:
The Pairwise Transient Key (PTK) is a temporary encryption key generated during the WPA/WPA2 four-way handshake. It ensures a unique, secure session between a client and an access point.
Simplified Breakdown:
PTK is like a unique session password generated every time you connect to Wi-Fi.
It protects each session with its own encryption key.
Relevant Examples:
Every time a laptop connects to a WPA2 network, a new PTK is generated.
PTK prevents attackers from reusing old encryption keys to decrypt current sessions.
Key Points:
Session-Specific: Unique key for each connection.
Derived During Handshake: Created using the four-way handshake.
Enhances Security: Prevents key reuse and replay attacks.
Packet Sniffing (Packet Capture)
General Overview:
Packet sniffing, or packet capture, involves intercepting and analyzing network packets as they traverse a network. It’s used for troubleshooting, performance monitoring, and security analysis.
Simplified Breakdown:
Imagine intercepting and reading snippets of letters as they are sent over a network.
It helps network administrators diagnose issues and detect malicious activities.
Relevant Examples:
A network engineer uses Wireshark to troubleshoot connectivity issues.
Security professionals use tcpdump to capture and analyze traffic during a suspected breach.
Key Points:
Captures Data Packets: Allows real-time analysis of network traffic.
Tools: Wireshark (GUI) and tcpdump (CLI).
Dual Use: Useful for both troubleshooting and security monitoring.
Promiscuous Mode
General Overview:
Promiscuous mode is a configuration for network interfaces that allows them to capture all network traffic, not just traffic addressed to that device.
Simplified Breakdown:
Like a radio that can tune into every conversation on a channel.
Essential for network analysis and packet sniffing.
Relevant Examples:
A network admin uses Wireshark in promiscuous mode to capture all traffic on a network segment.
Used in forensic investigations to analyze data flow and detect anomalies.
Key Points:
Broad Capture: Receives all packets on the network segment.
Used with Analysis Tools: Commonly paired with Wireshark or tcpdump.
Security Risk: May be exploited for unauthorized monitoring if not secured.
Port Mirroring
General Overview:
Port mirroring is a network switch feature that duplicates the traffic from one or more ports or VLANs to a designated monitoring port for analysis.
Simplified Breakdown:
Think of it as a copier that sends a duplicate of all network traffic from one port to another.
Helps with monitoring and troubleshooting without interrupting regular traffic.
Relevant Examples:
A security analyst uses port mirroring to send traffic from a critical server to a monitoring system.
IT teams use it to diagnose network issues or detect intrusions by analyzing mirrored traffic.
Key Points:
Traffic Duplication: Copies traffic to a monitoring port.
Used for Diagnostics: Helps in performance and security analysis.
Non-Intrusive: Does not interfere with live traffic.
Monitor Mode
General Overview:
Monitor mode is a wireless network mode that allows a Wi-Fi adapter to capture all wireless traffic in its vicinity, regardless of the destination.
Simplified Breakdown:
Like turning on a “super-listening” mode on your Wi-Fi card to capture every wireless conversation around you.
Used primarily for network diagnostics and security testing.
Relevant Examples:
Penetration testers use monitor mode to detect unauthorized devices on a wireless network.
IT professionals analyze Wi-Fi performance and interference using tools that leverage monitor mode.
Key Points:
Captures All Traffic: Intercepts all wireless packets in range.
Used for Security Testing: Helps identify vulnerabilities and rogue devices.
Different from Promiscuous Mode: Specifically for wireless networks.
Wireshark vs. Tcpdump
General Overview:
Wireshark and tcpdump are both tools used for packet capture and network analysis. Wireshark offers a graphical interface with deep packet inspection, while tcpdump is a lightweight, command-line tool.
Simplified Breakdown:
Wireshark: Like a microscope with a screen, it visually displays packet details.
Tcpdump: A text-based tool for quick captures and filtering.
Relevant Examples:
Wireshark: Used by network administrators for in-depth analysis of HTTP, FTP, and other protocols.
Tcpdump: Preferred for remote debugging on servers or when resources are limited.
Key Points:
Wireshark: GUI-based, deep analysis, filters and decodes protocols.
Tcpdump: CLI-based, lightweight, effective for quick captures.
Both Output: Can save packets in .pcap format for further analysis.
Unified Threat Management (UTM)
General Overview:
Unified Threat Management (UTM) integrates multiple security tools—such as firewalls, IDS/IPS, antivirus, and VPNs—into one comprehensive solution with a centralized management interface.
Simplified Breakdown:
UTM is like a security toolbox that combines many tools into one device.
It simplifies network security by providing multiple protection layers from a single console.
Relevant Examples:
A small business deploys a UTM appliance to handle firewall, antivirus, and content filtering.
Enterprises use UTM to streamline security management and reporting across multiple sites.
Key Points:
Integrated Security: Combines multiple tools into one solution.
Centralized Management: Simplifies monitoring and updates.
Cost-Effective: Can reduce expenses by replacing multiple separate systems.
Risks: May create a single point of failure if not properly redundant.
Home Network Security
General Overview:
Home network security involves measures to protect personal and corporate data when employees access company resources from their home networks. It addresses vulnerabilities unique to residential environments.
Simplified Breakdown:
Think of it as securing your home with locks, alarms, and surveillance, but for your Wi-Fi and connected devices.
Includes updating default credentials, using strong encryption, and isolating guest devices.
Relevant Examples:
An employee working from home uses a guest network for visitors while keeping sensitive work devices on a secure network.
A company requires the use of a VPN for remote access to ensure data remains encrypted over the internet.
Key Points:
Strong Passwords & Encryption: Change default settings and use WPA2/WPA3.
Network Segmentation: Use guest networks to isolate untrusted devices.
VPN Usage: Secure remote access to corporate resources.
Regular Firmware Updates: Keep routers and devices up to date.
Intrusion Detection and Prevention Systems (IDPS)
General Overview:
IDPS are security systems designed to monitor, detect, and optionally prevent network intrusions or malicious activities. IDS focuses on detecting and alerting, whereas IPS takes action to block attacks.
Simplified Breakdown:
IDS: Like a security camera that watches and alerts.
IPS: Like a security guard that actively stops intruders.
Relevant Examples:
An IDS alerts IT staff to suspicious traffic that might indicate a potential breach.
An IPS blocks a detected attack (e.g., a DDoS attempt) in real time.
Key Points:
Detection vs. Prevention: IDS alerts; IPS blocks.
Real-Time Monitoring: Constantly analyzes network traffic.
Signature & Anomaly Based: Uses known patterns and behavioral analysis.
Integral to Network Security: Complements firewalls and other security measures.
Signatures in Intrusion Detection
General Overview:
Signatures in cybersecurity are unique patterns or “fingerprints” of known threats used by security systems to detect malicious activity.
Simplified Breakdown:
Like matching a fingerprint to identify a criminal, signatures match patterns in data to flag known attacks.
Used primarily in IDS/IPS and antivirus software.
Relevant Examples:
An IDS uses a virus signature to detect and alert on malware.
Network security tools match packet patterns against known signatures to block DoS attacks.
Key Points:
Signature-Based Detection: Effective for known threats.
Regular Updates Needed: Signature databases must be updated to catch new threats.
Limitation: Cannot detect new, unknown (zero-day) attacks.
