Section 15: Security Technologies

Question 1

Firewall

Answer 1

Uses a set of rules defining the traffic types permitted or denied through device

Question 2

Stateful Firewall

Answer 2

Inspects traffic as part of a session and recognizes where the traffic originated

Question 3

NGFW

Answer 3

NextGen Firewall (OSI Levels 5, 6, 7, using DPI Deep Packet Inspection)
▪ Third-generation firewall that conducts deep packet inspection and packet filtering

Question 4

ACL

Answer 4

Access Control List
▪ Set of rules applied to router interfaces that permit or deny certain traffic
● Switch - Will be based on MAC address
● Router - Will be based on IP address
● Firewall - Will be based on IP address or port
Using criterion based on:
▪ Source/destination IP
▪ Source/destination port
▪ Source/destination MAC

Question 5

Firewall Zone

Answer 5

Inside - Corporate/Local network
Outside - Internet
DMZ - Devices that with restricted access from the outside zone (like web servers).

Question 6

UTM

Answer 6

Unified Threat Management Device (Border device. Physical, Virtualized, or Cloud Solution)
▪ Combines firewall, router, intrusion detection/prevention system, anti-malware, and other features into a single device

Question 7

IDS

Answer 7

Intrusion Detection System

Question 8

IPS

Answer 8

Intrusion Prevention System

Question 9

IDS / IPS Signature-based Detection

Answer 9

Signature contains strings of bytes (a pattern) that triggers detection

Question 10

IDS / IPS Policy-based Detection

Answer 10

Relies on specific declaration of the security policy

Question 11

IDS / IPS Statistical Anomaly-based Detection

Answer 11

Watches traffic patterns to build baseline.

Question 12

IDS / IPS Non-statistical Anomaly-based Detection

Answer 12

Administrator defines the patterns/baseline.

Question 13

Network-based (NIDS/NIPS)

Answer 13

A network device protects entire network

Question 14

Host-based (HIDS/HIPS)

Answer 14

Software-based and installed on servers and clients

Question 15

Remote Access: Telnet / Port

Answer 15

Port 23
▪ Sends text-based commands to remote devices and is a very old networking protocol
▪ Telnet should never be used to connect to secure devices

Question 16

Remote Access: Secure Shell (SSH) / Port

Answer 16

Port 22
▪ Encrypts everything that is being sent and received between the client and the server

Question 17

Remote Access: Remote Desktop Protocol (RDP)

Answer 17

Port 3389
▪ Provides graphical interface to connect to another computer over a network connection (Use VPN or RDG for security)

Question 18

Remote Access: Remote Desktop Gateway (RDG)

Answer 18

▪ Provides a secure connection using the SSL/TLS protocols to the server via RDP (Use for Win 2008 or later OSs)
● Create an encryption connection (No need for VPN)
● Control access to network resources based on permissions and group roles
● Maintain and enforce authorization policies
● Monitor the status of the gateway and any RDP connections passing through the gateway

Question 19

Remote Access: Virtual Private Network (VPN)

Answer 19

▪ Establishes a secure connection between a client and a server over an untrusted public network like the Internet

Question 20

Remote Access: Virtual Network Computing (VNC) / Port

Answer 20

Port 5900
▪ Designed for thin client architectures and things like Virtual Desktop Infrastructure (VDI)

Question 21

Remote Access: Virtual Desktop Infrastructure (VDI)

Answer 21

▪ Hosts a desktop environment on a centralized server
▪ Desktop as a Service (DaaS)

Question 22

Remote Access: In-Band Management

Answer 22

▪ Managing devices using Telnet or SSH protocols over the network

Question 23

Remote Access: Out-of-Band Management

Answer 23

▪ Connecting to and configuring different network devices using an alternate path or management network

Question 24

Remote Access Technologies Authentication Considerations

Answer 24

▪ Confirms and validates a user’s identity
▪ Gives the user proper permissions to access a resource

Question 25

Remote Access Authentication: PAP

Answer 25

Password Authentication Protocol (PAP) ▪ Sends usernames and passwords in plain text for authentication

Question 26

Remote Access Authentication: CHAP

Answer 26

Challenge Handshake Authentication Protocol (CHAP) ▪ Sends the client a string of random text called a challenge which is then encrypted using a password and sent back to the server

Question 27

Remote Access Authentication: MS-CHAP

Answer 27

▪ Microsoft proprietary version of CHAP that provides stronger encryption keys and mutual authentication

Question 28

Remote Access Authentication: EAP

Answer 28

Extensible Authentication Protocol (EAP) ▪ Allows for more secure authentication methods to be used instead of just a username and a password (Smart Card, Kerberos,...) ▪ Use EAP/TLS in conjunction with a RADIUS or TACACS+ server

Question 29

VPN / Types

Answer 29

Virtual Private Network -Extends a private network across a public network and enables sending and receiving data as if connected on that private network. Three Main Types of VPN: ▪ Site to site - Connect two office ▪ Client to site - Single remote user to ▪ Clientless - Web browsing

Question 30

VPN Communication Method: Full Tunnel

Answer 30

▪ Routes and encrypts all network requests through the VPN connection back to the headquarters - Best for security

Question 31

VPN Communication Method: Split Tunnel

Answer 31

▪ Routes and encrypts only the traffic bound for the headquarters over the VPN, and sends the rest of the traffic to the regular Internet - Best for performance

Question 32

VPN: Clientless

Answer 32

▪ Creates a secure, remote-access VPN tunnel using a web browser without requiring a software or hardware client

Question 33

Secure Socket Layer (SSL)

Answer 33

▪ Provides cryptography and reliability using the upper layers of the OSI model, specifically Layers 5, 6, and 7 ▪ Less Secure so Clientless VPNs are moving toward TLS

Question 34

Transport Layer Security (TLS)

Answer 34

▪ Provides secure web browsing over HTTPS ▪ SSL and TLS use TCP to establish their secure connections between a client and a server (Slower because of the TCP overhead. Could opt. for DTLS.)

Question 35

Datagram Transport Layer Security (DTLS)

Answer 35

▪ UDP-based version of the TLS protocol which operates a bit faster due to having less overhead (Better for Video Streaming, VOIP)

Question 36

VPN Protocol: Layer 2 Tunneling Protocol (L2TP)

Answer 36

Older protocol. Lacks security features like encryption by default and needs to be combined with an extra encryption layer for protection (Still used when used with an encryption protocol.)

Question 37

VPN Protocol: Layer 2 Forwarding (L2F)

Answer 37

Older protocol. Provides a tunneling protocol for the P2P protocol but also lacks native security and encryption features (Not used much)

Question 38

VPN Protocol: Point-to-Point Tunneling Protocol (PPTP)

Answer 38

Supports dial-up networks but also lacks native security features (Microsoft added security features so it is considered pretty secure when used with Windows.)

Question 39

VPN Protocol: IP Security (IPSec)

Answer 39

▪ Provides authentication and encryption of packets to create a secure encrypted communication path between two computers. Most widely used protocol suite used with VPNs.

Question 40

IPSec 5 Step Process

Answer 40

1. Key exchange request 2. IKE (Internet Key Exchange) Phase 1: Main mode or aggressive mode 3. IKE Phase 2 4. Data transfer 5. Tunnel termination

Question 41

Data Transfer Method: Transport Mode

Answer 41

▪ Uses packet’s original IP header (header not protected) and used for client-to-site VPNs ▪ Works well if cannot increase packet size. By default, maximum transmission unit (MTU) size in most networks is 1500 bytes

Question 42

Data Transfer Method: Tunneling Mode

Answer 42

▪ Encapsulates the entire packet and puts another header on top of it ▪ For site-to-site VPNs, you may need to allow jumbo frames

Question 43

AH

Answer 43

Authentication Header ▪ Provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks. (No confidentiality of the data.)

Question 44

ESP

Answer 44

Encapsulating Security Payload (No protection for the header.) ▪ Provides authentication, integrity, replay protection, and data confidentiality ▪ In transport mode, use AH to provide integrity for the TCP header and ESP to encrypt it ▪ In tunneling mode, use AH and ESP to provide integrity and encryption of the end payload

Question 45

SNMP

Answer 45

Simple Network Management Protocol (SNMP) is used to send and receive data from managed devices back to a centralized network management station. (Message Types: ▪ Set (Manager to agent request to change value of variable or list of variables.), ▪ Get (Manager to agent to retrieve variable), ▪ Trap (Unsolicited. Sent asynchronously as notifications from agent to manager. Event or alarms.) messages)

Question 46

Syslog

Answer 46

System Logging Protocol (Syslog) - Sends system log or event messages to a central server, called a syslog server ● Security Information Management (SIM) ● Security Event Management (SEM) ● Security Information and Event Management (SIEM)

Question 47

Syslog Level 0

Answer 47

Emergency

Question 48

Syslog Level 1

Answer 48

Alert

Question 49

Syslog Level 2

Answer 49

Critical

Question 50

Syslog Level 3

Answer 50

Error

Question 51

Syslog Level 4

Answer 51

Warning

Question 52

Syslog Level 5

Answer 52

Notice

Question 53

Syslog Level 6

Answer 53

Information

Question 54

Syslog Level 7

Answer 54

Debugging

Question 55

SIEM

Answer 55

Security Information and Event Management (SIEM) ▪ Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications ▪ Uses Syslog protocol to collect data using UDP Port 514 / TCP Port 1468 ▪ Data will be classified based on log level 0-7 ▪ The SIEM will Normalize, Correlate, Aggregate data for further analysis.