Network Security - Objective 4 Flashcards
Common concepts, attack types, network hardening, remote access methods, physical security
Type of encryption used by WPA
RC4 (Rivest Cipher 4)
Geofencing
Uses GPS or RFID to define real-world boundaries where barriers can be active or passive
NAC
Network Access Control
Permits or denies access to the network based on a device’s characteristics
Difference between active & passive geofencing
Whether an alert is sent or only a log created
Wireless client isolation a.k.a. AP isolation
Devices on a wireless network can’t communicate with each other
Guest network isolation
The guest network does not have access to other networks on the access point
Encryption protocol used by SNMPv3
DES
CRAM-MD5
MD5 variant used in email systems
DAC
Discretionary Access Control
An access control method where access is determined by the owner of the resource
MAC
(not the address)
Mandatory Access Control
An access control policy where the computer system gets to decide who gets access to what objects
RBAC
Role-based Access Control
Access model that is controlled by the system but focuses on a set of permissions assigned to a role rather than an individual's permissions
Zero-Trust
A security framework that requires users to be authenticated and authorized before being granted access to applications or data
Transport layer protocols used by RADIUS & TACACS+, respectively
UDP & TCP
802.1x
A standardized framework that’s used for port-based network access control (NAC) on both wired and wireless networks
3 roles in 802.1x authentication
- Supplicant
- Authenticator
- Authentication server
3 examples of devices that can act as an authenticator in an 802.1X network
- Switch
- WAP
- VPN concentrator
EAP
Extensible Authentication Protocol [actually a series of them]
Allows for numerous different mechanisms of authentication performed using 802.1x
EAP-MD5
Utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication
EAP-TLS
Uses public key infrastructure with a digital certificate being installed on both the client and the server
EAP-TTLS
Requires a digital certificate on the server and a password on the client for its authentication
EAP-FAST
EAP Flexible Authentication via Secure Tunneling
Uses a protected access credential to establish mutual authentication between devices
PEAP
Protected EAP
Uses server certificates and Microsoft's Active Directory databases to authenticate a client's password
Reason to disable dynamic switchport mode on your switchports
To prevent switch spoofing
RD Gateway
Remote Desktop Gateway
A server role that uses RDP over HTTPS & port 443 to provide a connection using the SSL/TLS protocols for remote users accessing an internal network
3 things an RD gateway does for remote access
- create an encrypted connection
- control access to network resources based on permissions and group policies
- Monitor the status of the gateway and any RDP connection passing through the gateway
4 remote access authentication protocols
- PAP (unencrypted, not used)
- CHAP
- MS-CHAP
- EAP (can use more than just username/password; use EAP-TLS in conjunction with a RADIUS or TACACS+ server)
VNC
Virtual Network Computing
Designed for thin client architecture and things like virtual desktop infrastructure (VDI)
2 ways of accessing a virtual desktop
- web browser
- specialized thin client device that uses a PXE network boot image that loads up a specialized client that can connect to the centralized server
Difference between full tunnel & split tunnel VPN
Full tunnel routes and encrypts all traffic; split tunnel only routes and encrypts the traffic bound for the headquarters network. Which one you use determines which network you are logically a part of, and therefore whose resources you can access.
When not to use a split tunnel VPN
On an untrusted Wi-Fi network
Clientless VPN
VPN in a web browser (https)
Protocol used instead of SSL or TLS for streaming or VoIP data in a VPN
DTLS (Datagram Transport Layer Security)
L2TP
Layer 2 Tunneling Protocol
Early tunneling protocol - no native encryption
L2F
Layer 2 Forwarding
Unused now (Cisco tunneling protocol for PPP, the Point-to-Point Protocol)
PPTP
A pro and a con
Point-to-Point Tunneling Protocol
Supports dial-up networks but also lacks native security features except when used with Microsoft Windows
IPSec
IP Security
Provides authentication and encryption of packets to create a secure encrypted communication path between two computers
4 protocols used to establish VPN connection
- L2TP
- L2F
- PPTP
- IPSec
What is a SIEM
Security Information and Event Management
Provides real-time or near-real-time analysis of security alerts generated by network hardware & applications
When should log analysis occur?
Regularly
5 functions performed by SIEM
- Log collection
- Normalization
- Correlation
- Aggregation
- Reporting
SIEM normalization
Maps log messages into a common data model, enabling the organization to connect and analyze related events
SIEM correlation
Links the logs and events from different systems or applications into a single data feed
SIEM aggregation
Reduces the volume of event data by consolidating duplicate event records and merging them into a single record
How a SIEM takes data
Using the Syslog protocol (UDP 514 or TCP 1468); each message carries a severity level on a scale of 0-7
Port Security
Prevents unauthorized access to a switchport by identifying and limiting the MAC addresses of the hosts that are allowed. Can be done statically, dynamically, or both.
2 Ways port security can create a list of authorized MAC addresses
- static configuration
- dynamic learning
Port Security static configuration
Allows an administrator to define the static MAC addresses to use on a given switchport
Port Security dynamic learning
Defines a maximum number of MAC addresses for a port and blocks new devices that are not on the learned list
A.k.a. Sticky MAC
DAI
Dynamic ARP Inspection
Validates the Address Resolution Protocol (ARP) packets in your network
How an ARP database is built
From replies to ARP requests
DHCP snooping
Provides security by
- inspecting DHCP traffic
- filtering untrusted DHCP messages
- building and maintaining a DHCP snooping binding table
2 things to configure to allow DHCP snooping
Switches and VLANs
RA-Guard
IPv6 Router Advertisement Guard
Mitigates attack vectors based on forged ICMPv6 router advertisement messages
What OSI layer does RA-guard operate at?
Layer 2
CPP
Control Plane Policing
Configures a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches
2 types of attacks mitigated by SNMPv3
- on-path/MITM
- replay
3 different types of VLANs
- Primary
- Secondary isolated
- Secondary community
Secondary isolated VLAN
Switchports can only reach the primary VLAN
Secondary community VLAN
Switchports can communicate with each other and the primary VLAN
Promiscuous Port (P-Port)
Can communicate with anything connected to the primary or secondary VLANs
Default VLAN is known as…
VLAN 1
Native VLAN
VLAN where untagged traffic is put once it is received on a trunk port. It is also the default VLAN.
9 things to secure SNMP
- Use v3
- Whitelist the MIB
- Use authPriv
- Strong passwords for admins
- Role separation between polling/receiving traps (for reading)
- Users & groups (for writing)
- ACLs
- Patching
- Separate management network
ACL line entry for an implicit deny
deny ip any any
Is it better to use explicit allow or deny when configuring MAC filtering?
Allow
9 things to help secure wireless networks
- MAC filtering
- Antenna placement
- Antenna power levels
- Pre-shared keys with strong passwords
- Guest network isolation
- Wireless client isolation
- EAP instead of pre-shared key
- Geofencing
- Captive portals
7 considerations with IoT
- Understand your endpoints
- Track & manage your devices
- Patch vulnerabilities
- Conduct test & evaluation before adding to the production network
- Change default credentials
- Use encryption protocols
- Segment IoT devices
2 things CPP helps protect a network from
- Reconnaissance
- DoS
CVE
Common Vulnerabilities and Exposures
A list of publicly disclosed information security vulnerabilities and exposures
Remote Desktop Gateway
Provides a secure connection using the SSL/TLS protocols to the server via RDP
In-Band Management
Technology that enables managed devices to be managed by any authorized host that is connected to a non-management network.
Out-of-Band Management
Method to connect to and administer a managed device that does not use a standard user-network connected host as the administrative console.
E.g. a computer connected to the console port of a switch, or use of a dedicated management network
LDAP
Lightweight Directory Access Protocol
A database used to centralize information about your clients and your objects on your network
How LDAP performs authentication
Validation of a username and password against an LDAP server
Kerberos
Performs secure, mutual authentication and authorization within a Windows environment
How 802.1x usually provides authentication
EAP provides authentication credentials which are checked against a RADIUS, LDAP, or TACACS+ server
File transfer protocol that supports resuming interrupted transfers
SFTP
Attacks stateless firewalls are vulnerable to
DoS and IP spoofing
Where stateless firewalls are best used
An internal network
Biggest difference between RDP and VNC
RDP is a resource-sharing method. Multiple users can independently connect to the same device.
VNC is a screen-sharing method. A remote user can control a device while the local user can watch (and does not lose the ability to control the device). It is useful for tech support and education.
TACACS+
Terminal Access Controller Access Control System
A network security protocol used for AAA services
3 servers often placed in screened subnets
- Email
- Web
- FTP
4 ways IPSs identify intrusions
- Signatures (exact)
- Anomalies (compared to baseline)
- Behaviors (not exact signatures but more general)
- Heuristics (AI learning your network)
Technique commonly used in man-in-the-middle attacks
ARP poisoning
Private VLAN
A.k.a. port isolation
A technique where a VLAN contains switch ports that are restricted to using a single uplink
- Primary
- Secondary isolated
- Secondary community
3 common methods of captive portal implementation
- HTTP redirect
- ICMP redirect
- DNS redirect
Authentication protocol designed to send data over insecure networks while using strong native encryption
Kerberos
Discovery protocols
Protocols that can get detailed information such as the IP addresses, system version, and device information from supporting devices directly
3 primary discovery protocols
- Simple Network Management Protocol (SNMP)
- Link Layer Discovery Protocol (LLDP)
- Ping