Section 12 - Perimeter Security Flashcards
When we discuss perimeter security, we’re focused on the…?
outer layer of our defense-in-depth posture for our networks.
This is the boundary where we segment our LAN from the WAN and fro the Internet at large.
These are primarily used to section off and protect one network from another.
Firewall
What are the three main types of firewalls?
Software-based
Hardware-based
Embedded firewalls
These firewalls run as a piece of software on a host or a server.
Software-based
These firewalls are a standalone device that’s actually an appliance that’s installed on your network.
Hardware-based
*** It looks like another switch or another router that goes into your network stack.
These firewalls work as a single function out of many on a single device. It’s one piece of the larger device that does many different functions.
Embedded firewall
This is going to inspect each packet as it passes through the firewall, and it’ll accept it or reject it based on the rules that it’s been given.
Packet Filtering
** This relies on the firewall’s configuration and the access control list that’s been installed.
What are the two types of packet filtering?
Stateless
Stateful
This type of packet filtering is going to accept or reject packets based on the IP address and the port number that was requested.
stateless packet filtering
*** So if you’re running a web server and you requested to come in on port 80, it would allow that. However, if you requested to come in on port 53 it would be denied because that port is not on the ACL.
This type of packet filtering is going to keep track of requests that leave through the firewall.
Stateful packet filtering
*** So, if I make a request from a host through the firewall, it will temporarily open up a port number that I made the request from, some random high port number like 50,000 or 56,000.
By using __ __ __, you can almost entirely eliminate IP spoofing as a threat because the firewall is going to inspect the header of each packet being received. It’s then going to compare that against what it was expecting based on the request that recently went out, and then, it’s going to make its accept or reject decisions based on this additional information.
stateful packet inspection
This is going to filter traffic according to the port, whether it’s a TCP or UDP port.
NAT filtering
*** This can be done by matching the incoming traffic to the requesting IP, and by matching the incoming traffic to the requesting IP address and port.
This is going to apply security mechanisms to specific applications such as FDP or Telnet.
Instead of blocking traffic based on the Telnet port instead it’s going to inspect each packet an determine which application it was meant for, and if it finds out that it was meant for Telnet, it would block it because that was unauthorized.
ALG
Application-Layer Gateway
AKA - Layer 7 Firewalls
This works at the session layer of the OSI model and applies security mechanisms when a TCP or UDP connection is first established. Once that connection is established, the packets can then be sent or received without any further inspection or checks because all of that was done during the session establishment.
Circuit-level Gateway
This is going to filter out computers and prevent them from accessing beyond the firewall based on their MAC addresses.
MAC Filtering
*** This is used as part of your local area network before it gets out into the routing and layer 3 logical addresses that go out beyond the network.
In an ___ ___ ___, you can either explicitly allow, explicitly deny, or implicitly deny traffic that’s sent or received through the firewall.
access control list
When I talk about explicit allow, this means…?
That traffic should be allowed to enter or leave the network because the rule allows for it to happen
When I talk about explicit deny, this means…?
That traffic should not be allowed to enter or leave the network because this rule says so.
Most newer firewalls are set to ___ ___ by default now.
implicitly deny
*** This means that the ACL assumes if it’s not on the explicit allow it will deny access.
This is installed on a server in your environment and it provides traffic control in the data that’s being sent to and from your web applications.
WAF
Web Application Firewall
*** These are useful in helping to mitigate threats like cross-site scripting and SQL injection attacks because these web application firewalls are designed to specifically look for these type of threats and block them.
This is a device that acts as a middle man for your clients.
Proxy servers
*** For example, if you’re at work and you wanted to connect to diontraining.com, your work computer’s likely going to go from itself to a proxy server within your company’s LAN. And then, that proxy server makes the connection to Dion Training to get the information that you requested. And then it will hand it back to you. This middle man approach allows the company to log everything that’s being requested, who made them, and to filter out things they don’t want you to access.
What are the four different types of proxies in use today?
- IP Proxy
- Caching Proxy
- Content Filter
- Web Security Gateways
This proxy is used to secure a network by keeping machines behind it anonymous.
IP Proxy
*** This makes it to where the server doesn’t know know what particular computer is actually connected to it from your network. All the server can see is the proxy itself. This is because your proxy is using NAT to translate your request from your machine into a request from the proxy.
This proxy is used to attempt to serve clients requests without actually connecting to the remote server each time.
Caching Proxy
*** Let’s say that you went to my website at diontraining.com, and then your coworker, five minutes later, tried to go to diontraining.com, just like you did. Well, the proxy, if it’s using a cache, is going to be able to keep a copy of my webpage from the first time it fulfilled your request. Then, when your coworker requested it, it would simply give it from its cache instead of going and getting a new copy from my site. This will allow your company to save on bandwidth costs, and increase the speed of delivery for your coworker, because it already has it locally, inside your network.
What is the most common type of caching proxy?
HTTP Proxy
This attempts to cache the web pages that are visited by users
Most caching proxies only keep a copy of the information they get for about…?
24 hours
The installation and configuration of a caching proxy in your web browser is possible through…?
A file called PAC - Proxy Auto Configuration file.
This contains the settings needed for a host to connect to the proxy server.
These are used in large organizations as a way to prevent users from getting to stuff that they don’t want you to access at work.
Internet Content Filter
This type of proxy acts as a go-between for devices that will scan them for viruses, filter out contents like ads, and then can act as a data loss prevention device as well.
It’s looking at what’s being sent out of the network, and what is coming back into the network to ensure that it aligns with your organization’s policies.
Web Security Gateway
These are used to attract and trap potential attackers to counteract any attempts to unauthorized access to your organization’s network.
Honeypots and honeynets
This is generally a single computer, but it could also be a file, a group of files, or an area of unused IP address space that might be considered attractive to a would-be attacker.
Honeypot
This is one or more computers, servers, or an area of the network used to attract an attacker.
Honeynet
** This is often deemed necessary when a single honeypot is not sufficient for your purposes.
Honeypots and honeynets are often used for the purpose of…?
research
*** to try to learn about attackers
This designed to protect data by conducting content inspection of your data as it’s being sent out of your organization’s network.
DLP
Data Loss Prevention
*** This is also often referred to as ILP (Information Leak Protection) or EPS (Extrusion Prevention Systems)
DLPs are used to ensure your data stays within your network, that it isn’t leaked to outsiders, and that the privacy of your confidential data remains private.
DLP systems are installed as a __ DLP or a __ DLP.
network-based DLP
cloud-based DLP
*** For example, for DION’s cloud-based DLP anytime an employee tries to send out information outside of their own domain through email, that email is flagged and they have to verify that they understand the data is being sent outside of Dion Training. DLPs can also be configured to automatically detect when particular emails should be flagged based off of keywords or a no-no list. It all depends on how you customize your DLP.
This is a type of IDS that attempts to detect malicious network activities, for example, port scans and denial of service attacks.
Network Intrusion Detection System
NIDS
*** This is a device placed either before the firewall so that it can be directly exposed to all of the traffic that’s coming in or right behind the firewall.
Generally, your NIDS will be placed into what’s known as ___ mode.
This allows it to see all of the traffic that cross the network instead of just the traffic that’s destined for its own Mac address.
promiscuous mode
A NIDS can only detect, monitor and alert on traffic based or signature based rules or heuristics which means it won’t..?
actually stop an attack from occurring
*** all your NIDS is doing is logging it and letting you know about it
This is a type of IPS that is designed to inspect traffic and based on its configuration or security policy, it can also remove, detain or redirect that malicious traffic.
Network Intrusion Prevention System
NIPS
*** This means that it can detect AND stop the ongoing attack by blocking the IP address that’s causing issues or shutting down the connection.
What does it mean when a device on NIPS is a “fail open”?
This means that the NIPS is going to simply let all of the traffic through it whenever it fails.
What does it mean when a device on NIPS is a “fail close”?
The device is going to block all traffic if it fails for some reason. This means it will create a denial of service condition for your entire network.
** For this reason, most networks opt for a fail open NIPS and rely on other defensive layers to provide protection.
An addiitional benefit to a NIPS or NIDS system is that it has a built in…?
protocol analyzer
**These are used to capture packets which allows an admin to conduct analysis on packet and better troubleshoot and secure their network by seeing patterns in the packet captures.
This is a combination of network security devices and technologies that are added to a network to better protect it.
Simply, a single device that combines many other devices and technologies into it.
For example, your UTM might includ a firewall, NIDS/NIPS, content filter/proxy, antivirus or anti-malware and a data loss prevention system.
UTM
Unified Threat Management
*** This makes it easier on the user to manage as they’re all accessed through one graphical user interface.
Also known as a NGFW (Next Gen Firewall)
