network security and defence Flashcards
what is a worm
a standalone malicious program that self-replicates throughout the network without needing to attach itself to other files or programs
what do worms mostly target
systems and network resources
what is a virus
a program that attaches itself to other programs or files and requires user interaction to activate and spread
what makes viruses slightly better than worms
they spread more slowly and rely on human interaction
what do viruses usually target
files and programs
what are 0 day vulnerabilities
undiscovered vulnerabilities in the system
what are firewalls
software or appliances at the network's gateway that filter information sent to and received from outside the network
what do firewalls do
restrict access between protected networks (internal) and others (external e.g. the internet)
protect the internal network from malicious attempts and from users trying to use unauthorised internet services
what are the four types of firewalls
packet filtering firewall
stateful inspection firewall
proxy firewall
application layer firewall
what does the packet filtering firewall do
applies rules to incoming packets based on the ip address or port number
it can forward or discard the packets
it can be configured to filter packets going both in and out of the network
what does the stateful inspection firewall do
inspects packets and tracks connection states e.g. tcp handshakes
it uses the ongoing record/state table to make a decision
what do we mean by the stateful inspection firewall tracking connection states
it determines whether the packet is the start of, part of, or not part of a connection
what does the proxy firewall do
acts as a middleman between the client and server and proxies all the traffic
how does the proxy firewall work
it processes requests by setting up a connection to the requested service on behalf of the user
what are two negatives of the proxy firewall
has low performance
may become a bottleneck
what are two benefits of the proxy firewall
provides deep inspection
can filter application layer content
what does the application layer firewall do
designed to protect a website or app by checking application level traffic
can be configured to support only specific apps and features in an app
what is intrusion detection
network security technology that monitors for abnormal activities and security threats and raises alarms in a timely manner
what is an intrusion detection system (ids)
an app that implements intrusion detection
what are the four roles that the ids carries out
monitoring
detection
alert
logging
how does the ids carry out monitoring
it analyses traffic and system activity in real time
how does the ids carry out detection
via signature, anomaly, and specification based detection
signature detection
identify known attack patterns
since it compares traffic to signatures, attacks must be captured first to build the pattern database
what is a negative of signature detection
doesn't detect 0 day attacks
what are two positives of signature detection
accurate and fewer false alarms
anomaly detection
identify abnormal behaviour
must first establish normal behaviour by observing the system/network, then identify deviations
what is a positive of anomaly detection
can detect unknown attacks
what are two negatives of anomaly detection
lots of false alarms
limited by the training data
specification-based detection
uses predetermined universal profiles developed by security managers that have accepted definitions of benign activity
how does the ids carry out alerting
tells admins when the threats are detected
how does the ids carry out logging
record activities for later analysis and forensics
what is an ethical issue with intrusion detection
privacy concerns as it monitors the entire network
what are the three types of intrusion detection
network based ids; nids
host based ids; hids
hybrid ids
network based ids
deployed in the network to monitor traffic
host based ids
deployed on a host to monitor system logs and detect malicious activities
hybrid ids
combines the benefits of nids and hids
what is the difference between the ids and ips (intrusion prevention system)
ids monitors and alarms whilst the ips takes blocking and isolation measures when a threat is detected
what are four security protocols
vpn; virtual private network
tls; transport layer security
ssl; secure socket layer
ipsec; internet protocol security
what is ipsec
a protocol suite for protecting ip communications that provides data security via encryption, authentication and integrity protection at the network layer
what are the three protocols used in ipsec
ah; authentication header
esp; encapsulating security payload
sa; security association
authentication header
checks that the data comes from a trusted source and hasn't been changed
encapsulating security payload
authenticates and encrypts data
security association
defines the security parameters used in ipsec communication
e.g. shared keys, protocol mode
what are the two operation modes in ipsec
transport
tunnel
transport mode (ipsec)
operates on the payload/data of the original packet, so only the payload is encrypted and the header stays the same
what is transport mode usually used for
end to end communication
tunnel mode (ipsec)
the original packet is encapsulated into a new packet whose payload is the original packet
what is tunnel mode usually used for
network to network/ host to network communication
e.g. vpn
what is the communication initiation process for ipsec
we need to create and share cryptographic keys via the internet key exchange (ike)
how does the internet key exchange work in ipsec (phase 1 and 2)
1: the sender exchanges proposals for security services (e.g. the encryption algorithm)
then the sender and receiver agree on a collection of parameters that the two devices use
2: devices between the sender and receiver choose which protocol (ah / esp) and algorithm to use
what is the secure socket layer (ssl)
an encryption protocol used to protect network communication
how does ssl work
it establishes an encrypted connection between the client and server, ensuring confidentiality, integrity and identity authentication of data during transmission via the handshake protocol
what are the steps in the handshake protocol
negotiate encryption algorithm to be used
establish a shared session
authenticate server
authenticate client (optional)
complete session and can now start communicating with secure data transmission
transport layer security (tls)
an encryption protocol used to protect network communication security
what are the three protocols used in tls
tls handshake protocol
tls record protocol
tls alert protocol
tls handshake protocol
uses asymmetric cryptography
varies based on the key exchange algorithm but is similar to the ssl handshake
tls record protocol
splits data into smaller records which are all encrypted and transferred separately
tls alert protocol
conveys errors/ warning info
what do vpns do
virtual private network; establishes a secure connection via a public network (e.g. the internet) and allows users to remotely access private network resources
how does vpn work
it creates an encrypted tunnel between the user's device and the target network, so data cannot be eavesdropped on or tampered with during transmission
what are the steps used in vpn
connect to the vpn
authenticate the users identity
establish an encrypted tunnel
transmit data through it
user accesses the resources through the tunnel
when do we use ipsec with a vpn
when using a site-to-site vpn
connecting two or more private networks
when do we use ssl/tls with a vpn
remote access vpn; the encrypted tunnel ensures confidentiality and data integrity