Module 9 Flashcards
What is a firewall?
- Hardware or software that is designed to limit the spread of malware.
- uses bidirectional inspection to examine both outgoing and incoming network packets
List some examples of firewall rules:
- Source address. The source address is the location of the origination of the packet (where the packet is from). Addresses generally can be indicated by a specific IP address or range of addresses, an IP mask, the MAC address, or host name.
- Destination address. This is the address the connection is attempting to reach (where the packet is going to). Destination addresses can be indicated in the same way as the source address.
- Source port. The source port is the TCP/IP port number used to send packets of data. Options for setting the source port often include a specific port number or a range of numbers.
- Destination port. This setting gives the port on the remote computer or device that the packets will use. Options are the same as for the source port.
- Protocol. The protocol defines the network protocol (such as TCP, UDP, TCP or UDP, ICMP, or IP) used when sending or receiving packets of data.
- Direction. This is the direction of traffic for the data packet (Incoming, Outgoing, or Both).
- Priority. The priority determines the order in which the rule is applied.
- Time. Rules can be set so they are active only during a scheduled time.
- Context. A rule can be created that is unique for specific circumstances (contexts). For example, different rules may be in effect depending on whether a laptop is on-site or is remote.
What is a policy based firewall?
- This type of firewall allows more generic statements instead of specific rules.
What is content/URL filtering?
- A process used by a firewall to monitor websites accessed through HTTP to create custom filtering profiles.
What is stateful vs stateless packet filtering? (in terms of firewalls)
- Stateless packet filtering: A firewall that looks at the incoming packet and permits or denies it based on specific conditions.
- Stateful packet filtering: A firewall that keeps a record of the state of a connection between an internal computer and an external device and then makes decisions based on the connection as well as the conditions.
What is the difference between open-source firewalls and proprietary firewalls?
- Open-source firewalls: A firewall that is freely available.
- Proprietary firewalls: A firewall that is owned by an entity who has an exclusive right to it.
What is the difference between a hardware firewall vs a software firewall?
- Software firewall: A firewall that runs as a program or service on a device, such as a computer or router.
- Hardware firewall: A firewall that runs on a separate device.
What is the difference between a host, appliance, and virtual firewall?
- Host-based firewall: A software firewall that runs as a program on the local device to block or filter traffic coming into and out of the computer.
- Appliance firewall: A separate hardware device designed to protect an entire network.
- Virtual firewall: A firewall that runs in the cloud. Virtual firewalls are designed for settings, such as public cloud environments, in which deploying an appliance firewall would be difficult or even impossible.
What is a web application firewall?
A firewall that filters by examining the applications using HTTP. (type of specialized firewall)
What is a Network address translation (NAT)?
A cloud-based technology that performs NAT translations for cloud services. (type of specialized firewall)
What is next generation firewall?
A firewall that has additional functionality beyond a traditional firewall such as the ability to filter packets based on applications. (type of specialized firewall)
What is unified threat management?
An integrated device that combines several security functions.
What is a forward proxy?
- A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.
- (devices act as substitutes on behalf of the primary device)
- Can intercept malware before it reaches an internal endpoint.
What is a reverse proxy?
- A proxy that routes requests coming from an external network to the correct internal server.
What is a honeypot?
- A computer located in an area with limited security that serves as “bait” to threat actors and is intentionally configured with security vulnerabilities.
- Generally has two goals:
  - Deflect: Deflect threat actors’ attention away from legitimate servers by encouraging them to spend their time and energy on the decoy server.
  - Discover: Trick threat actors into revealing their attack techniques.
What is the difference between a low interaction honeypot and a high interaction honeypot?
- Low interaction honeypot: only records login attempts and provides information on the threat actor’s IP address of origin
- High interaction honeypot: configured with a default login and loaded with software, data files that appear to be authentic but are actually imitations of real data files (collects information on attack techniques for example)
What is a honeynet?
A network set up with intentional vulnerabilities.
What is a DNS sinkhole?
A technique that changes a normal DNS request to a preconfigured IP address pointing to a device that will drop all received packets.
What is the difference between an intrusion detection system vs an intrusion prevention system? (IDS vs IPS)
- Intrusion detection system (IDS): Can detect attacks as they occur
- Intrusion prevention system (IPS): Attempts to block the attack
What is an inline system?
A system that is connected directly to the network and monitors the flow of data as it occurs.
What is a passive system?
A system that is connected to a device that receives a copy of network traffic.
What is in-band management vs out-of-band management? (referring to IDS systems)
- In-band management: through the network itself by using network protocols and tools.
- Out-of-band management: using an independent and dedicated channel to reach the device.
What are the four monitoring methodologies?
- Anomaly monitoring: creates a baseline of normal activities and compares actions against the baseline. Whenever there is a significant deviation from the baseline, an alarm is raised. (used by IDS)
- Signature-based monitoring: examines network traffic to look for well-known patterns and compares the activities against a predefined signature.
- Behavioral monitoring: uses the normal processes and actions as the standard and compares actions against it.
- Heuristic monitoring: uses an algorithm to determine if a threat exists.