Part2 (ch 10-14) Flashcards
packet filtering firewall
configured with ACL
stateless - doesn’t keep info about sessions
filters on header fields only (source/destination IP address, port, protocol); can shield internal IP addresses/services from external users
stateful inspection firewall
tracks the state of sessions (e.g. the TCP handshake) in a state table; only packets belonging to a legitimately opened session are allowed through, which blocks malware attempts to start bogus sessions from outside
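The difference between the two cards above, as an added toy simulation (not code from the flashcard source). It assumes packets are dicts, that 10.0.0.0/8 is the internal zone, and that the stateless ACL opens the ephemeral port range inbound so replies to client connections can return; that opening is exactly what lets an outside host start a bogus session, while the stateful firewall denies it because no inside host opened that session:

```python
"""Stateless packet filter vs stateful inspection, as a toy simulation.
Added example, not from the flashcard source; packets are dicts and the
internal zone 10.0.0.0/8 is an assumption."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal zone behind the firewall

def direction(pkt):
    """'out' for packets leaving the internal zone, 'in' for packets entering it."""
    return "out" if ip_address(pkt["src"]) in INTERNAL else "in"

# Stateless ACL: each packet is judged by its own header fields only. To let
# replies to outbound client connections back in, the ACL has to open the whole
# ephemeral port range inbound, so an attacker can start a session to any
# internal service listening on a high port.
STATELESS_ACL = [
    # (direction, proto, dst port low, dst port high, action)
    ("out", "tcp", 1, 65535, "allow"),    # internal clients may connect anywhere
    ("in", "tcp", 1024, 65535, "allow"),  # "return traffic" to ephemeral ports
    ("in", "tcp", 1, 1023, "deny"),       # no inbound to well-known services
]

def stateless_filter(pkt):
    d = direction(pkt)
    for rule_dir, proto, lo, hi, action in STATELESS_ACL:
        if rule_dir == d and proto == pkt["proto"] and lo <= pkt["dport"] <= hi:
            return action
    return "deny"  # implicit deny at the end of the ACL

class StatefulFirewall:
    """Tracks sessions opened from inside; inbound packets are allowed only if
    they belong to one of those sessions."""
    def __init__(self):
        self.sessions = set()  # (internal ip, internal port, external ip, external port)

    def filter(self, pkt):
        if pkt["proto"] != "tcp":
            return "deny"
        if direction(pkt) == "out":
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if pkt["flags"] == "SYN":
                self.sessions.add(key)  # an internal host opened a new session
                return "allow"
            return "allow" if key in self.sessions else "deny"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # inbound: flip
        if key in self.sessions:
            if pkt["flags"] in ("FIN", "RST"):
                self.sessions.discard(key)  # session torn down
            return "allow"
        return "deny"  # no inside-initiated session: a bogus session attempt

def pkt(src, sport, dst, dport, flags, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "proto": proto}

# Constructed trace: a legitimate HTTPS session, then an external host trying
# to open a session to an internal service on a high port and on port 22.
TRACE = [
    pkt("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),
    pkt("203.0.113.10", 443, "10.0.0.5", 50000, "SYN-ACK"),
    pkt("198.51.100.7", 4444, "10.0.0.5", 8080, "SYN"),
    pkt("198.51.100.7", 4444, "10.0.0.5", 22, "SYN"),
]

def compare(trace):
    """Return (stateless decision, stateful decision) for each packet."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in trace]

if __name__ == "__main__":
    for p, (sl, sf) in zip(TRACE, compare(TRACE)):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"{p['flags']:8} stateless={sl} stateful={sf}")
```

The third packet is the one worth remembering: the stateless ACL allows it (destination port 8080 falls in the range it had to open for return traffic), the stateful firewall denies it (no internal host ever sent a SYN to 198.51.100.7:4444).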
Application Aware Firewalls
OSI-7
Protects data at the highest layer of the protocol stack
Protects a specific application (e.g. a SQL Server database) by understanding its protocol
also all firewalls perform filtering (IP, port,…)
Appliance Firewall
Monitors traffic passing into & out of a network zone
OSI-2 or OSI-3
Network Operating System (NOS) firewall
Software-based firewall running on a server OS, acting as a gateway/proxy for a network segment
Host-based (personal firewall) firewall
protects the host only; uses ACL packet filtering; can allow or deny individual processes (applications) access to the network
non-transparent proxy
vs
transparent (forced/intercepting) proxy
Non-transparent: client must be configured to use the proxy; the proxy modifies requests
Transparent: client doesn't need to be reconfigured; traffic is intercepted and the request is not modified
Both sit between the computer & the internet
Forward vs Reverse proxy server
Forward proxy handles outbound traffic: internal clients send requests through it to external servers
Reverse proxy handles inbound (external) traffic: receives requests from outside and passes them to internal servers
NIDS
Network Intrusion Detection System
captures network traffic with a sniffer (packet capture)
detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations
Signature-based detection
(or pattern-matching) means the engine is loaded with a database of attack patterns (signatures). If traffic matches a pattern, the engine raises an alert (incident).
Behavioral-based detection
learns a baseline of normal traffic or events (heuristics) and builds a model of it
alerts on deviations from the baseline model
false positive - legitimate behavior creates an alert
false negative - malicious activity (e.g. malware) is not detected
User and entity behavior analytics (UEBA)
scans indicators from multiple intrusion detection and log sources to identify anomalies in user and entity (host/device) behavior
Works together with a SIEM
What is the best option for monitoring traffic passing from host-to-host on the same switch?
Use a mirrored (SPAN) port: a switch forwards unicast frames only to the destination host's port, so a sensor on another port sees nothing unless the switch copies the monitored ports' traffic to it.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.