Part 2 (ch 10-14) Flashcards
packet filtering firewall
configured with an ACL
stateless - doesn't keep information about sessions
shields internal IP addresses from external users
stateful inspection firewall
tracks information about sessions; blocks malware attempts to start bogus sessions
Application Aware Firewalls
OSI-7
Protects data at the highest layer of the protocol stack
Protects a specific application (e.g. a SQL Server database)
all firewalls also perform basic filtering (IP address, port, ...)
Appliance Firewall
Monitors traffic passing into and out of a network zone
OSI-2 or OSI-3
Network Operating System (NOS) firewall
Software-based firewall as a gateway/proxy for a network segment
Host-based (personal) firewall
protects the host only; uses ACL packet filtering; allows or denies processes access to the network
non-transparent proxy
vs
transparent (forced/intercepting) proxy
non-transparent: client must be configured to use it; modifies requests
transparent: client doesn't need to be reconfigured or to modify requests
Both sit between computer & internet
Forward vs Reverse proxy server
Forward proxy handles outbound traffic from clients
Reverse proxy handles inbound (external) traffic to servers
NIDS
Network Intrusion Detection System
captures network traffic with a sniffer
detects attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations
Signature-based detection
(or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
Behavioral-based detection
recognizes deviations from baseline traffic or events
heuristics
model of baseline traffic
false positive - legitimate behavior creates an alert
false negative - malware not detected
User and entity behavior analytics (UEBA)
scans indicators from multiple intrusion detection and log sources to identify anomalies
Works with a SIEM
What is the best option for monitoring traffic passing from host-to-host on the same switch?
The only option for monitoring intra-switch traffic is to use a mirrored port.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
WAF
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.
If a Windows system file fails a file integrity check, should you suspect a malware infection?
Yes, malware likely caused it
What is the purpose of SIEM?
SIEM products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.
Does Syslog perform all the functions of a SIEM?
No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.
What is SOAR for?
works with a SIEM to automate the scanning and analysis of alerts that would otherwise overwhelm an analyst
DNS & DHCP
While a DHCP server sends out the information that clients need to communicate with other machines and services, DNS ensures that servers, clients, and services can be found by their names.
Domain hijacking
attacker obtains a domain based on the company's trade name (typo variant)
DNS Poisoning
corrupts the IP address returned for an FQDN
Man-in-the-middle - on a LAN, ARP poisoning lets an attacker spoof DNS responses
DNS client cache - HOSTS file modified to redirect traffic
DNS server cache - DoS or corrupted records