Part 2 (ch 10-14) Flashcards
packet filtering firewall
configured with an ACL; filters each packet on header fields only (source/destination IP, protocol, port)
stateless - keeps no information about sessions, so it cannot tell a genuine reply from an unsolicited packet
shields internal IP addresses from external users
stateful inspection firewall
tracks the state of each session (e.g. the TCP handshake); blocks malware attempts to start bogus sessions, such as an inbound ACK that answers no SYN the firewall ever saw
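The difference between the two cards above, as an added example that is not part of the original flashcards: a toy stateless filter that must open every ephemeral port inbound to let replies through, next to a toy stateful firewall that only admits inbound packets belonging to a session it watched start. The packets, addresses, ACL and the "bogus session" traffic are constructed for illustration.

```python
# Added example (not from the flashcards): a toy stateless packet filter
# beside a toy stateful firewall. Packets, addresses and the ACL are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # constructed TCP flag string: "S" SYN, "SA" SYN/ACK, "A" ACK


# Stateless ACL: (direction, predicate on the packet header).  Because the
# filter keeps no session table, letting replies back in means opening every
# high port inbound - the hole that "bogus session" packets walk through.
STATELESS_ACL = [
    ("out", lambda p: p.dport == 443),      # inside hosts may reach HTTPS
    ("in", lambda p: p.dport >= 1024),      # replies to ephemeral ports
]


def stateless_allow(direction, pkt):
    """Pure header match, packet by packet, no memory of earlier packets."""
    return any(d == direction and rule(pkt) for d, rule in STATELESS_ACL)


class StatefulFirewall:
    """Records sessions opened from the inside and admits inbound packets
    only when they belong to one of those sessions."""

    def __init__(self):
        self.sessions = set()  # (client ip, client port, server ip, server port)

    def allow(self, direction, pkt):
        if direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S" and pkt.dport == 443:
                self.sessions.add(key)   # policy allows it: start tracking
                return True
            return key in self.sessions  # later packets of a known session
        # Inbound: mirror the tuple and require an existing session.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.sessions


def run_scenario():
    """Returns the verdict of each filter on three constructed packets."""
    fw = StatefulFirewall()
    legit_out = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "S")
    legit_in = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "SA")
    # An outside host injects a packet that looks like a server reply but
    # answers no SYN that ever left the network.
    bogus_in = Packet("198.51.100.7", "10.0.0.5", 443, 40001, "A")
    return {
        "stateless_legit_out": stateless_allow("out", legit_out),
        "stateless_legit_in": stateless_allow("in", legit_in),
        "stateless_bogus_in": stateless_allow("in", bogus_in),   # passes
        "stateful_legit_out": fw.allow("out", legit_out),
        "stateful_legit_in": fw.allow("in", legit_in),
        "stateful_bogus_in": fw.allow("in", bogus_in),           # dropped
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {'ALLOW' if verdict else 'DROP'}")
```

The stateless ACL cannot express "only replies to connections we opened", which is why the forged ACK passes it; the stateful table makes that rule a one-line membership test.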
Application-aware firewall
OSI layer 7
inspects data at the highest layer of the protocol stack
can protect a specific application (e.g. a SQL Server database) because it understands that application's protocol
all firewall types still perform basic filtering (IP, port, ...)
Appliance firewall
hardware device that monitors traffic passing into and out of a network zone
works at OSI layer 2 (transparent/bridged) or layer 3 (routed)
Network Operating System (NOS) firewall
software-based firewall running on a server OS, acting as a gateway or proxy for a network segment
Host-based (personal) firewall
protects the host only; uses ACL packet filtering and can allow or deny individual processes access to the network
non-transparent proxy vs transparent (forced/intercepting) proxy
non-transparent: the client must be configured to use it; it modifies requests
transparent: the client needs no reconfiguration and requests are not rewritten
both sit between the computer and the internet
Forward vs reverse proxy server
forward: handles outbound requests from internal clients to the internet
reverse: handles inbound (external) requests on behalf of internal servers
NIDS
Network Intrusion Detection System
captures network traffic with a sniffer (a sensor on a mirrored port or TAP)
detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations
Signature-based detection
(or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
Behavioral-based detection
learns a baseline of normal traffic or events and alerts on deviations from it
heuristics
model of baseline traffic
false positive - legitimate behavior raises an alert
false negative - an attack or malware goes undetected
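The two engines described in the signature-based and behavioral-based cards, as an added example that is not part of the original flashcards: a signature engine with two fixed patterns and a behavioural engine that learns a per-host baseline of distinct destination ports, run over constructed connection records. The data is arranged so the behavioural engine produces both a false positive (a backup job that touches many ports) and a false negative (a single quiet beacon), and the beacon is caught only by the signature engine. Hosts, ports, payloads and baseline samples are all made up.

```python
# Added example (not from the flashcards): signature-based and behavioural
# detection run over constructed connection records.  Hosts, ports, payloads
# and the baseline samples are all made up for illustration.
import re
import statistics

# (source host, destination port, payload snippet, minute of capture)
RECORDS = (
    [("10.0.0.11", 80, "GET /index.html", 1),
     ("10.0.0.11", 80, "GET /../../etc/passwd", 1),   # traversal attempt
     ("10.0.0.12", 22, "SSH-2.0-OpenSSH", 1)]
    + [("10.0.0.20", p, "SYN", 2) for p in range(1, 41)]                # port scan
    + [("10.0.0.30", p, "backup chunk", 2) for p in range(9000, 9040)]  # legit backup job
    + [("10.0.0.40", 4444, "beacon", 2)]                                 # quiet backdoor
)

# Signature engine: a fixed list of (name, predicate) patterns.
BACKDOOR_PORTS = {4444, 31337}
SIGNATURES = [
    ("directory traversal", lambda dport, payload: re.search(r"\.\./", payload) is not None),
    ("known backdoor port", lambda dport, payload: dport in BACKDOOR_PORTS),
]


def signature_detect(records):
    """Every record that matches a known pattern raises an alert."""
    return sorted({(src, name) for src, dport, payload, _ in records
                   for name, match in SIGNATURES if match(dport, payload)})


def behavioural_detect(records, baseline_samples, k=3.0):
    """Flag hosts whose distinct-destination-port count in a minute exceeds the
    learned baseline (mean + k standard deviations).  The engine knows nothing
    about attacks, only about what 'normal' looked like during learning."""
    threshold = statistics.mean(baseline_samples) + k * statistics.stdev(baseline_samples)
    ports_seen = {}
    for src, dport, _, minute in records:
        ports_seen.setdefault((src, minute), set()).add(dport)
    return sorted({src for (src, _), ports in ports_seen.items() if len(ports) > threshold})


# Constructed learning-period samples: distinct ports per host per minute.
BASELINE = [2, 3, 1, 4, 2, 3, 5, 2]


def compare_engines(records=RECORDS, baseline=BASELINE):
    """Shows where each engine succeeds and fails on the constructed data."""
    sig = signature_detect(records)
    beh = behavioural_detect(records, baseline)
    return {
        "signature_alerts": sig,
        "behavioural_alerts": beh,
        # the backup host is normal traffic that broke the baseline
        "false_positive": "10.0.0.30" in beh,
        # the beacon stays under the threshold: missed by behaviour,
        # caught by the port signature
        "false_negative": "10.0.0.40" not in beh,
    }


if __name__ == "__main__":
    for key, value in compare_engines().items():
        print(f"{key}: {value}")
```

The threshold on the constructed baseline works out to roughly 6.6 distinct ports per minute, so the 40-port scan and the 40-port backup are indistinguishable to the behavioural engine, while the single-port beacon never crosses it; tuning k trades one error type for the other.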
User and entity behavior analytics (UEBA)
scan indicators from multiple intrusion detection and log sources to identify anomalies
Work with SIEM
What is the best option for monitoring traffic passing from host-to-host on the same switch?
The only option for monitoring intra-switch traffic is to use a mirrored (SPAN) port, which copies frames from the monitored ports to the port the sensor is attached to.
What sort of maintenance must be performed on signature-based monitoring software?
Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.
WAF
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.
If a Windows system file fails a file integrity check, should you suspect a malware infection?
Yes, malware is a likely cause, but not the only one: a legitimate update also changes the file. Check whether the new version is signed by the vendor and matches a known update before treating it as an infection.
What is the purpose of a SIEM?
SIEM products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.
Does Syslog perform all the functions of a SIEM?
No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.
What is the difference between a sensor and a collector, in the context of SIEM?
A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.
What is SOAR for?
Security Orchestration, Automation, and Response: works with the SIEM to automate the triage and analysis of alerts, and scripted (playbook) responses to them, that would otherwise overwhelm an analyst
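The SIEM, syslog, collector and SOAR cards above as one pipeline, added here as an example that is not part of the original flashcards: a collector that parses two different syslog message formats into a common schema (the step plain syslog does not do), a correlation rule that fires on several failed logins followed by a success from the same source, and a SOAR-style playbook that turns each alert into an action. The log lines, hosts and addresses are constructed; the rule threshold and the playbook text are this example's own choices.

```python
# Added example (not from the flashcards): what a SIEM collector and
# correlation rule add on top of plain syslog, plus a SOAR-style playbook
# acting on the result.  The log lines, hosts and addresses are constructed.
import re
from datetime import datetime, timedelta

# Constructed syslog lines as a syslog server would store them: raw text,
# two different message formats, no common schema.
RAW_SYSLOG = [
    "<38>Mar 10 10:00:01 web01 sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "<38>Mar 10 10:00:03 web01 sshd[2110]: Failed password for admin from 198.51.100.7 port 51002 ssh2",
    "<38>Mar 10 10:00:05 web01 sshd[2111]: Failed password for admin from 198.51.100.7 port 51004 ssh2",
    "<38>Mar 10 10:00:09 web01 sshd[2112]: Accepted password for admin from 198.51.100.7 port 51006 ssh2",
    "<38>Mar 10 10:00:11 web02 sshd[900]: Failed password for bob from 10.0.0.21 port 40100 ssh2",
    "<134>Mar 10 10:00:12 fw01 filterlog: action=deny src=203.0.113.9 dst=10.0.0.5 dport=23",
]

HEADER = re.compile(r"^<\d+>(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
SSHD = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port \d+")


def normalize(line):
    """Collector step: parse one raw line into the SIEM's common schema.
    Returns None for lines the collector has no parser for."""
    m = HEADER.match(line)
    if not m:
        return None
    ts, host, program, msg = m.groups()
    event = {"time": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host, "program": program}
    if program == "sshd" and (s := SSHD.match(msg)):
        outcome, user, src = s.groups()
        event.update(action="login", outcome="failure" if outcome == "Failed" else "success",
                     user=user, src=src)
    elif program == "filterlog":
        kv = dict(pair.split("=", 1) for pair in msg.split())
        event.update(action="firewall", outcome=kv.get("action"), src=kv.get("src"), dport=kv.get("dport"))
    else:
        return None
    return event


def correlate(events, failures=3, window=timedelta(seconds=60)):
    """Correlation rule: >= `failures` failed logins from one source followed by
    a successful login from the same source within `window` -> alert."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for e in events:
        if e.get("action") != "login" or e["outcome"] != "success":
            continue
        prior = [p for p in events
                 if p.get("action") == "login" and p["outcome"] == "failure"
                 and p["src"] == e["src"] and e["time"] - window <= p["time"] < e["time"]]
        if len(prior) >= failures:
            alerts.append({"rule": "brute force then success", "src": e["src"],
                           "user": e["user"], "host": e["host"], "failures": len(prior)})
    return alerts


def playbook(alerts):
    """SOAR-style response: one scripted action per alert, no analyst in the loop."""
    return [f"block {a['src']} at the perimeter and force password reset for {a['user']}@{a['host']}"
            for a in alerts]


def run_pipeline(lines=RAW_SYSLOG):
    events = [e for e in map(normalize, lines) if e is not None]
    alerts = correlate(events)
    return {"normalized": len(events), "alerts": alerts, "actions": playbook(alerts)}


if __name__ == "__main__":
    print(run_pipeline())
```

Without the normalize step, the sshd and filterlog lines share no field names and no rule could join them; once both carry `src`, the same correlation logic can be extended to, for example, a firewall deny from an address that later logs in.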
DNS & DHCP
While a DHCP server sends out information that clients need to communicate with other machines and services, DNS ensures that servers, clients, and services can be found by their names
Domain hijacking
attacker gains control of a company's domain registration (e.g. through a compromised registrar account or a lapsed registration); related: typosquatting registers a look-alike of the company's trade name (typo) to catch mistyped traffic
DNS poisoning
corrupts the mapping between an FQDN and an IP address so clients are sent to an attacker-controlled host
man-in-the-middle on the LAN: ARP poisoning lets the attacker intercept queries and spoof the replies
DNS client cache: editing the HOSTS file (consulted before DNS) redirects traffic
DNS server cache: injecting forged records into a resolver's cache, or corrupting records to cause a DoS
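The server-cache and client-cache attacks above, as an added example that is not part of the original flashcards: a toy stub resolver whose cache is poisoned by a flood of forged replies when its transaction ID and source port are predictable, the same resolver rejecting the flood once both are randomised, and a HOSTS-file entry overriding whatever the cache says. Names, addresses, the fixed RNG seed and the attacker's guessing strategy (assume port 53, try IDs in order) are constructed; this is not a real DNS implementation.

```python
# Added example (not from the flashcards): a toy stub resolver showing how a
# spoofed reply poisons a cache when transaction ID and source port are
# predictable, and how randomising both plus checking the HOSTS file first
# changes the outcome.  Names, addresses and the attacker's guesses are
# constructed; this is not a real DNS implementation.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    name: str
    txid: int
    sport: int          # UDP source port the reply must come back to


@dataclass(frozen=True)
class Reply:
    name: str
    txid: int
    dport: int          # port the sender addressed the reply to
    address: str


class Resolver:
    """Cache plus the two checks a resolver applies before trusting a reply."""

    def __init__(self, rng, randomize):
        self.rng, self.randomize = rng, randomize
        self.cache, self.pending = {}, {}

    def send_query(self, name):
        txid = self.rng.randrange(1 << 16) if self.randomize else 1          # fixed ID
        sport = self.rng.randrange(1024, 1 << 16) if self.randomize else 53  # fixed port
        q = Query(name, txid, sport)
        self.pending[name] = q
        return q

    def receive(self, reply):
        q = self.pending.get(reply.name)
        if q is None:
            return False                     # unsolicited: dropped
        if reply.txid != q.txid or reply.dport != q.sport:
            return False                     # does not match our question
        self.cache[reply.name] = reply.address
        del self.pending[reply.name]
        return True


def flood_spoofed_replies(resolver, name, attacker_ip, guesses=2000):
    """Attacker races the real server: it cannot see the query, so it guesses
    the ID and assumes the classic fixed source port 53."""
    for txid in range(guesses):
        if resolver.receive(Reply(name, txid, 53, attacker_ip)):
            return True
    return False


def lookup(name, resolver, hosts):
    """Client view: the HOSTS file is consulted before DNS, so an attacker who
    can edit it redirects traffic without touching any cache."""
    return hosts.get(name) or resolver.cache.get(name)


def scenario(randomize, hosts=None):
    rng = random.Random(7)                      # fixed seed: reproducible run
    r = Resolver(rng, randomize)
    q = r.send_query("bank.example")
    poisoned = flood_spoofed_replies(r, "bank.example", "203.0.113.66")
    # The genuine reply arrives after the flood; it is ignored if a forged
    # one was already accepted, because the name is no longer pending.
    r.receive(Reply("bank.example", q.txid, q.sport, "198.51.100.10"))
    return {"poisoned": poisoned, "resolved": lookup("bank.example", r, hosts or {})}


if __name__ == "__main__":
    print("fixed id/port:      ", scenario(randomize=False))
    print("random id/port:     ", scenario(randomize=True))
    print("HOSTS file tampered:", scenario(randomize=True, hosts={"bank.example": "203.0.113.66"}))
```

Randomising the ID and port only raises the attacker's guessing cost; it does not let the resolver prove a reply is genuine, which is what signed records give you.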
What vulnerabilities does a rogue DHCP server expose users to?
Denial of service (providing an invalid address configuration) and spoofing (providing a malicious address configuration—one that points to a malicious DNS, for instance)
DNSSEC
signs DNS records so a resolver can verify their origin and integrity, defeating spoofed and poisoned replies (it does not encrypt queries)
Simple Network Management Protocol (SNMP)
framework for management and monitoring of devices on an IP network
How do you secure an SNMPv2 service?
Configure strong community names and use access control lists to restrict management operations to known hosts. Community names travel in cleartext in v1/v2c, so prefer SNMPv3 with authentication and encryption (authPriv) where possible.
What are the advantages of SASL over LDAPS?
The Simple Authentication and Security Layer (SASL) allows a choice of authentication providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via simple binding. Also, SASL is the standards-based means of configuring LDAP security.
cipher suites
the set of algorithms supported by both client and server for the key exchange, authentication, bulk encryption and hashing operations the protocol requires. Prior to TLS 1.3, a cipher suite would be written in the following form:
ECDHE-RSA-AES128-GCM-SHA256
(ECDHE key exchange, RSA authentication, AES-128 in GCM mode for bulk encryption, SHA-256 for the PRF/integrity check). TLS 1.3 suites name only the AEAD cipher and hash, e.g. TLS_AES_128_GCM_SHA256, because key exchange is always ephemeral (EC)DHE and authentication comes from the certificate signature.
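The naming convention above, as an added example that is not part of the original flashcards: a parser that splits an OpenSSL-style TLS 1.2 name or an IANA-style TLS 1.3 name into its algorithms, and a check that flags the properties an auditor looks for (no forward secrecy, non-AEAD cipher, broken cipher, weak hash). The classification rules and weakness labels are this example's own; `audit_local_suites` uses the real `ssl.SSLContext.get_ciphers()` to apply them to whatever the local OpenSSL build offers, so its output varies by machine.

```python
# Added example (not from the flashcards): parse a cipher-suite name into the
# algorithms it commits to and flag properties an auditor would care about.
# The suite names follow real naming conventions, but the classification
# rules and the 'weakness' labels are this example's own choices.
from dataclasses import dataclass
import ssl

KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS"}


@dataclass
class Suite:
    name: str
    kex: str        # key exchange
    auth: str       # peer authentication
    cipher: str     # bulk encryption
    digest: str     # PRF / HMAC hash
    version: str    # "1.2-style" or "1.3"

    @property
    def forward_secrecy(self):
        return self.version == "1.3" or self.kex in {"ECDHE", "DHE"}

    @property
    def aead(self):
        return any(tag in self.cipher for tag in ("GCM", "CCM", "POLY1305"))


def parse_suite(name):
    """Split an OpenSSL-style (TLS <= 1.2) or IANA-style TLS 1.3 name."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only the AEAD cipher and hash: the key exchange
        # is always ephemeral (EC)DHE and authentication comes from the
        # certificate signature, so neither appears in the name.
        body, digest = name[4:].rsplit("_", 1)
        return Suite(name, "ECDHE/DHE", "certificate", body.replace("_", "-"), digest, "1.3")
    parts = name.split("-")
    if parts[0] in KEY_EXCHANGE:
        kex = parts.pop(0)
        auth = parts.pop(0) if parts and parts[0] in AUTHENTICATION else kex
    else:
        kex = auth = "RSA"   # OpenSSL omits 'RSA' when it is both kex and auth
    # A trailing SHA*/MD5 token is the hash; ChaCha20-Poly1305 suites leave
    # it implicit (SHA256).
    digest = parts.pop() if parts[-1].startswith(("SHA", "MD5")) else "SHA256"
    return Suite(name, kex, auth, "-".join(parts), digest, "1.2-style")


def weaknesses(suite):
    """Reasons to reject a suite; an empty list means nothing obvious is wrong."""
    found = []
    if not suite.forward_secrecy:
        found.append("no forward secrecy (static RSA key exchange)")
    if not suite.aead:
        found.append("non-AEAD cipher (CBC or stream cipher with HMAC)")
    if any(tag in suite.cipher for tag in ("RC4", "DES", "NULL", "EXP")):
        found.append("broken or export-grade cipher")
    if suite.digest in ("MD5", "SHA"):   # bare 'SHA' means SHA-1
        found.append("weak hash (MD5 or SHA-1)")
    return found


def audit_local_suites():
    """Classify the suites this Python/OpenSSL build offers by default.
    Output depends on the local OpenSSL version, so it is not asserted on."""
    ctx = ssl.create_default_context()
    return {c["name"]: weaknesses(parse_suite(c["name"])) for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for name in ("ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "TLS_AES_256_GCM_SHA384"):
        s = parse_suite(name)
        print(name, "->", s.kex, s.auth, s.cipher, s.digest, weaknesses(s) or "ok")
    for name, problems in audit_local_suites().items():
        if problems:
            print("offered but weak:", name, problems)
```

The parser is deliberately simple (it does not know PSK, SRP or Camellia naming), so treat an unexpected name as "needs a human" rather than "fine".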
SFTP
SSH File Transfer Protocol - file transfer tunneled over SSH, fixing FTP's lack of privacy (credentials and data sent in cleartext)
SMTP
Simple Mail Transfer Protocol - secured with TLS (STARTTLS, or implicit TLS on the SMTPS port)
ESP
Encapsulating Security Payload - provides confidentiality, integrity and authentication (CIA) by encrypting the packet
IPsec modes: transport - only the payload is encrypted (original IP header sent in the clear); tunnel - the whole IP packet (header + payload) is encrypted and wrapped in a new IP header
OOB - out-of-band management
in-band management shares the production network, typically separated with a VLAN
OOB uses separate network infrastructure: more secure, but costly
What is Microsoft’s TLS VPN solution?
The Secure Sockets Tunneling Protocol (SSTP)
AH
Authentication Header (AH) provides message authentication and integrity but not confidentiality
Which protocol is often used in conjunction with IPsec to provide a remote access client VPN with user authentication?
Layer 2 Tunneling Protocol (L2TP).
hardware Root of Trust (RoT)
a trust anchor: a secure subsystem (such as a TPM) able to provide attestation, a report of boot measurements that the receiver can trust
scans boot metrics and OS files to verify their signatures
What is a TPM used for?
a cryptoprocessor (hardware that generates and stores encryption keys) that establishes the RoT
holds asymmetric key pairs (e.g. the endorsement key) whose private halves never leave the chip
Secure Boot
Measured Boot
Boot Attestation
all three check for malicious hijacking of the OS at startup
Secure Boot: firmware verifies the digital signature of each startup component (bootloader, kernel code, drivers) before running it
Measured Boot: the TPM records a hash of each startup component in its PCRs and boot log without blocking anything
Boot Attestation: the TPM signs the PCR values/boot log and sends them to a verifier; a mismatch against known-good values shows compromise
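Measured Boot and attestation from the cards above, as an added example that is not part of the original flashcards: a simulated PCR extend chain (new = H(old || H(component))) over a constructed boot chain, and a verifier that replays the boot log against the quoted PCR and compares each measurement with an allow-list. Three runs show a clean boot, a swapped kernel that the log names, and an edited log that the PCR exposes. Components, contents and the golden value are constructed; nothing talks to real hardware, and the TPM-signed quote that would carry the PCR in a real deployment is assumed rather than implemented.

```python
# Added example (not from the flashcards): how Measured Boot and attestation
# catch a tampered startup component.  The 'components', their contents and
# the golden value are constructed; the extend operation mirrors a TPM PCR
# (new = H(old || H(component))) but nothing here talks to real hardware.
import hashlib

PCR_INITIAL = bytes(32)   # PCRs start zeroed at power-on


def extend(pcr, digest):
    """TPM PCR extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Each stage measures the next one into the PCR before running it and
    appends the measurement to the boot log.  Nothing is blocked here; that is
    Secure Boot's job.  Measured Boot only records."""
    pcr, log = PCR_INITIAL, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


# Constructed known-good boot chain provisioned on the verifier.
GOOD_CHAIN = [
    ("firmware", b"uefi 1.2 constructed"),
    ("bootloader", b"shim+grub constructed"),
    ("kernel", b"vmlinuz-6.1 constructed"),
    ("initrd", b"initrd.img constructed"),
]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_CHAIN)
KNOWN_GOOD = dict(GOLDEN_LOG)


def attest(quoted_pcr, boot_log):
    """Verifier side.  In a real deployment the PCR value arrives in a quote
    signed by the TPM's attestation key (assumed, not implemented here); we
    take the value as given and do the two checks that give attestation
    its power.  Returns (ok, findings)."""
    findings = []
    # 1. Replay the log: a log edited to hide a measurement will not reproduce
    #    the quoted PCR, because the attacker cannot rewind the register.
    replayed = PCR_INITIAL
    for _, digest in boot_log:
        replayed = extend(replayed, digest)
    if replayed != quoted_pcr:
        findings.append("boot log does not reproduce quoted PCR (log tampered)")
    # 2. Compare each measurement with the allow-list to name the culprit.
    for name, digest in boot_log:
        if KNOWN_GOOD.get(name) != digest:
            findings.append(f"unexpected {name} measurement")
    return quoted_pcr == GOLDEN_PCR and not findings, findings


def scenarios():
    # a) clean boot
    clean = attest(*measured_boot(GOOD_CHAIN))
    # b) bootkit swapped the kernel: PCR drifts and the log names the stage
    tampered_chain = [(n, b"evil kernel" if n == "kernel" else b) for n, b in GOOD_CHAIN]
    tampered = attest(*measured_boot(tampered_chain))
    # c) attacker also rewrites the log to show the good kernel digest, but
    #    cannot change the PCR the TPM already extended
    pcr, _ = measured_boot(tampered_chain)
    hidden = attest(pcr, GOLDEN_LOG)
    return {"clean": clean, "tampered": tampered, "hidden": hidden}


if __name__ == "__main__":
    for name, (ok, findings) in scenarios().items():
        print(f"{name:9} {'PASS' if ok else 'FAIL'} {findings}")
```

The order of the two checks matters in practice: replay first, because once the log is known to be inconsistent with the PCR, the per-entry comparison is reading attacker-supplied data.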
Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?
Because whoever holds the device can boot another OS or mount the drive in another machine and read the files, bypassing the OS's ACLs. File-level encryption, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user's decryption key to read the data.