Module 9

Question 1

What is a firewall?

Answer 1

• Hardware or software that is designed to limit the spread of malware.
  
  • uses bidirectional inspection to examine both outgoing and incoming network packets

Question 2

List some examples of firewall rules:

Answer 2

• Source address*. The source address is the location of the origination of the packet (where the packet is from). Addresses generally can be indicated by a specific IP address or range of addresses, an IP mask, the MAC address, or host name.
• Destination address*. This is the address the connection is attempting to reach (where the packet is going to). Destination addresses can be indicated in the same way as the source address.
• Source port*. The source port is the TCP/IP port number used to send packets of data. Options for setting the source port often include a specific port number or a range of numbers.
• Destination port*. This setting gives the port on the remote computer or device that the packets will use. Options are the same as for the source port.
• Protocol.* The protocol defines the network protocol (such as TCP, UDP, TCP or UDP, ICMP, or IP) used when sending or receiving packets of data.
• Direction. This is the direction of traffic for the data packet (Incoming*, Outgoing, or Both).
• Priority*. The priority determines the order in which the rule is applied.
• Time*. Rules can be set so they are active only during a scheduled time.
• Context*. A rule can be created that is unique for specific circumstances (contexts). For example, different rules may be in effect depending on whether a laptop is on-site or is remote

Question 3

What is a policy based firewall?

Answer 3

• This type of firewall allows more generic statements instead of specific rules.

Question 4

What is content/URL filtering?

Answer 4

• A process used by a firewall to monitor websites accessed through HTTP to create custom filtering profiles.

Question 5

What is stateful vs stateless packeting? (in terms of firewalls)

Answer 5

• Stateless packeting: A firewall that looks at the incoming packet and permits or denies it based on specific conditions.
• Stateful packeting: A firewall that keeps a record of the state of a connection between an internal computer and an external device and then makes decisions based on the connection as well as the conditions.

Question 6

What is the difference between open-source firewalls and proprietary firewalls?

Answer 6

• Open-source firewalls: A firewall that is freely available.
• Proprietary firewalls: A firewall that is owned by an entity who has an exclusive right to it.

Question 7

What is the difference between a hardware firewall vs a software firewall?

Answer 7

• Software firewall:A firewall that runs as a program or service on a device, such as a computer or router.
• Hardware firewall: A firewall that runs on a separate device.

Question 8

What is the difference between a host, appliance, and virtual firewall?

Answer 8

• Host-based firewall: A software firewall that runs as a program on the local device to block or filter traffic coming into and out of the computer.
• Appliance Firewall: A separate hardware device designed to protect an entire network.
• Virtual Firewall: A firewall that runs in the cloud. Virtual firewalls are designed for settings, such as public cloud environments, in which deploying an appliance firewall would be difficult or even impossible.

Question 9

What is a web application firewall?

Answer 9

A firewall that filters by examining the applications using HTTP. (type of specialized firewall)

Question 10

What is a Network address translation (NAT)?

Answer 10

A cloudbased technology that performs NAT translations for cloud services. (type of specialized firewall)

Question 11

What is next generation firewall?

Answer 11

A firewall that has additional functionality beyond a traditional firewall such as the ability to filter packets based on applications. (type of specialized firewall)

Question 12

What is unified threat management?

Answer 12

An integrated device that combines several security functions.

Question 13

What is a forward proxy?

Answer 13

• A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.
  
  • (devices act as substitutes on behalf of the primary device)
• Can intercept malware before it reaches internal endpoint

Question 14

What is a reverse proxy?

Answer 14

• A proxy that routes requests coming from an external network to the correct internal server.

Question 15

What is a honeypot?

Answer 15

• A computer located in an area with limited security that serves as “bait” to threat actors and is intentionally configured with security vulnerabilities.
• Generally has two goals:
  
  1. Deflect: Deflect threat actors’ attention away from legitimate servers by encouraging them to spend their time and energy on the decoy server
  2. Discover: trick threat actors into revealing their attack techniques.

Question 16

What is the difference between a low interaction honeypot and a high interaction honeypot?

Answer 16

• Low interaction honeypot: only records login attempts and provides information on the threat actor’s IP address of origin
• High interaction honeypot: configured with a default login and loaded with software, data files that appear to be authentic but are actually imitations of real data files (collects information on attack techniques for example)

Question 17

What is a honeynet?

Answer 17

A network set up with intentional vulnerabilities.

Question 18

What is a DNS sinkhole?

Answer 18

A technique that changes a normal DNS request to a preconfigured IP address pointing to a device that will drop all received packets.

Question 19

What is the difference between an intrusion detection system vs an intrusion prevention system? (IDS vs IPS)

Answer 19

• Intrusion detection system (IDS): Can detect attacks as they occur
• Intrusion prevention system (IPS): Attempts to block the attack

Question 20

What is an inline system?

Answer 20

A system that is connected directly to the network and monitors the flow of data as it occurs.

Question 21

What is a passive system?

Answer 21

A system that is connected to a device that receives a copy of network traffic.

Question 22

What is in band management vs out bound management? (referring to IDS systems)

Answer 22

• In band management: through the network itself by using network protocols and tools
• Out bound management: using an independent and dedicated channel to reach the device.

Question 23

What are the four monitoring methodologies?

Answer 23

1. Anomaly monitoring: creates a baseline of normal activities and compares actions against the baseline. Whenever there is a significant deviation from the baseline, an alarm is raised. (used by IDS)
2. signature-based monitoring: examines network traffic to look for well-known patterns and compares the activities against a predefined signature.
3. Behavioral monitoring: uses the normal processes and actions as the standard and compares actions against it.
4. heuristic monitoring: uses an algorithm to determine if a threat exists.

Question 24

What is a network intrusion detection system (NIDS)?

Answer 24

A technology that watches for attacks on the network and reports back to a central device.

Question 25

What is a network intrusion prevention system (NIPS)?

Answer 25

A technology that monitors network traffic to immediately react to block a malicious attack.

Question 26

What is a hardware security model (HSM)?

Answer 26

removable external cryptographic device.

Question 27

What is a network hardware security module?

Answer 27

A special trusted network computer that performs cryptographic operations.

Question 28

What is a secure baseline configuration?

Answer 28

A set of security settings that are the initial starting point and the minimum settings.

Question 29

Standard naming conventions

Answer 29

Using the same conventions for assigning names to appliances.

Question 30

What is an internet protocol schema?

Answer 30

A standard guide for assigning IP addresses to devices.

Question 31

What are diagrams?

Answer 31

A visual mapping of security appliances.

Question 32

What is access control list (ACL)?

Answer 32

• A set of permissions or rules attached to an object that administer its availability by granting or denying access.
  
  • Includes Filesystem ACLs (filter access to files and directories on an endpoints) and Networking ACLs (filter access to a network)

Question 33

What is a virtual private network (VPN)?

Answer 33

A technology that enables the use of an unsecured public network as if it were a secure private network.

Question 34

What is a remote access VPN?

Answer 34

A user-to-LAN VPN connection for remote users.

Question 35

What is a site to site VPN?

Answer 35

A VPN connection in which multiple sites can connect to other sites over the Internet.

Question 36

What is an always-on VPN?

Answer 36

A VPN that allows the user to stay connected at all times instead of connecting and disconnecting from it.

Question 37

What is a full tunnel and split tunnel in relation to VPNs?

Answer 37

• Full Tunnel: A VPN technology in which all traffic is sent to the VPN concentrator and is protected.
• Split Tunnel: A VPN technology in which only some traffic is sent to the VPN concentrator and is protected, while other traffic directly accesses the Internet.

Question 38

What is Layer 2 Tunneling Protocol (L2TP)?

Answer 38

A VPN protocol that does not offer any encryption or protection so it is usually paired with IPsec.

Question 39

What is network access control (NAC)?

Answer 39

• A technique that examines the current state of a system or network device before it is allowed to connect to the network.
  
  • Some NAC’s use agents: Software that is installed on endpoints to gather information for a NAC.

Question 40

What is data loss prevention (DLP)?

Answer 40

• A system of security tools used to recognize and identify data that is critical to the organization and ensure it is protected. (rights management)
  
  • Uses tools such as:
    
    • content inspection to look at security levels of data
    • Index Matching
    • Masking creates a copy of the original data but obfuscating (making unintelligible) any sensitive elements
    • Tokenization: obfuscates sensitive data elements, such as an account number, into a random string of characters (token)The original sensitive data element and the corresponding token are then stored in a database called a token vault

Question 41

What is route security?

Answer 41

The trust of packets sent through a router.

Question 42

What is broadcast storm prevention?

Answer 42

• Steps that can be taken to avert a broadcast storm, such as using loop prevention (technology that uses the IEEE 802.1d standard spanning-tree protocol (STP) to avert a network loop.)

Question 43

What is spanning tree protocol?

Answer 43

uses an algorithm that creates a hierarchical “tree” layout that spans the entire network. It determines all the redundant paths that a switch has to communicate, recognizes the best path, and then blocks out all other paths.

Question 44

What is BPDU Guard? (t bridge protocol data units)

Answer 44

A feature on a switch that creates an alert when a BPDU is received from an endpoint.

Question 45

What is DHCP snooping?

Answer 45

A security technology in a switch that drops unacceptable DHCP traffic.

Question 46

What is port TAP (test access point)?

Answer 46

A device that transmits the send and receive data streams simultaneously on separate dedicated channels so that all data arrives at the monitoring tool in real time.

Question 47

What is port mirroring/port scanning?

Answer 47

A technology on a managed switch that copies traffic that occurs on some or all ports to a designated monitoring port on the switch.

Question 48

List some examples of devices that can be place on a network to gather information:

Answer 48

• network sensors to monitor traffic (for network intrusion detection and prevention devices), collectors to gather traffic (for SIEM devices), and aggregators to combine multiple network connections into a single link.

Question 49

What is a monitoring service?

Answer 49

An external third-party service that can provide additional resources to assist an organization in their cybersecurity defenses.

Question 50

What is a file integrity monitor?

Answer 50

A system that detects any changes within the files that may indicate a cyberattack.

Question 51

What is Quality of Service (QoS)?

Answer 51

A set of network technologies used to guarantee a network’s ability to dependably serve resources and high-priority applications to endpoints.

Question 52

What is zero trust?

Answer 52

A strategic initiative about networks that is designed to prevent successful attacks by eliminating the concept of trust from an organization’s network architecture.

Question 53

What is a virtual LAN (VLAN)?

Answer 53

A technology that allows scattered users to be logically grouped together even though they may be attached to different switches.

Question 54

What is demilitarized zone (DMZ)?

Answer 54

functions as a separate network that rests outside the secure network perimeter: untrusted outside users can access the DMZ but cannot enter the secure network.

Question 55

What is load balancing?

Answer 55

A technology that can help to evenly distribute work across a network. (includes active-active and active-passive configuration)

Question 56

What is active-passive configuration?

Answer 56

A configuration in which the primary load balancer distributes the network traffic to the most suitable server while the secondary load balancer operates in a “listening mode.”

Question 57

What is active-active configuration?

Answer 57

A configuration in which all load balancers are always active.

Question 58

What is a virtual IP (VIP) address?

Answer 58

An IP address and a specific port number that can be used to reference different physical servers.

Question 59

What is session persistence?

Answer 59

process in which a load balancer creates a link between an endpoint and a specific network server for the duration of a session.