Section 15: Security Technologies Flashcards
Firewall
Uses a set of rules defining the traffic types permitted or denied through the device
Stateful Firewall
Inspects traffic as part of a session and recognizes where the traffic originated
NGFW
Next-Generation Firewall (OSI Layers 5, 6, and 7, using DPI, Deep Packet Inspection)
▪ Third-generation firewall that conducts deep packet inspection and packet filtering
ACL
Access Control List
▪ Set of rules applied to router interfaces that permit or deny certain traffic
● Switch - Will be based on MAC address
● Router - Will be based on IP address
● Firewall - Will be based on IP address or port
Using criteria based on:
▪ Source/destination IP
▪ Source/destination port
▪ Source/destination MAC
Firewall Zone
Inside - Corporate/Local network
Outside - Internet
DMZ - Devices with restricted access from the outside zone (like web servers)
UTM
Unified Threat Management Device (Border device. Physical, Virtualized, or Cloud Solution)
▪ Combines firewall, router, intrusion detection/prevention system, anti-malware, and other features into a single device
IDS
Intrusion Detection System
IPS
Intrusion Prevention System
IDS / IPS Signature-based Detection
Signature contains strings of bytes (a pattern) that trigger detection
IDS / IPS Policy-based Detection
Relies on a specific declaration of the security policy
IDS / IPS Statistical Anomaly-based Detection
Watches traffic patterns to build a baseline
IDS / IPS Non-statistical Anomaly-based Detection
Administrator defines the patterns/baseline
Network-based (NIDS/NIPS)
A network device protects the entire network
Host-based (HIDS/HIPS)
Software-based and installed on servers and clients
Remote Access: Telnet / Port
Port 23
▪ Sends text-based commands to remote devices and is a very old networking protocol
▪ Telnet should never be used to connect to secure devices
Remote Access: Secure Shell (SSH) / Port
Port 22
▪ Encrypts everything that is being sent and received between the client and the server
Remote Access: Remote Desktop Protocol (RDP)
Port 3389
▪ Provides graphical interface to connect to another computer over a network connection (Use VPN or RDG for security)
Remote Access: Remote Desktop Gateway (RDG)
▪ Provides a secure connection using the SSL/TLS protocols to the server via RDP (Use for Win 2008 or later OSs)
● Creates an encrypted connection (no need for a VPN)
● Controls access to network resources based on permissions and group roles
● Maintains and enforces authorization policies
● Monitors the status of the gateway and any RDP connections passing through the gateway
Remote Access: Virtual Private Network (VPN)
▪ Establishes a secure connection between a client and a server over an untrusted public network like the Internet
Remote Access: Virtual Network Computing (VNC) / Port
Port 5900
▪ Designed for thin client architectures and things like Virtual Desktop Infrastructure (VDI)
Remote Access: Virtual Desktop Infrastructure (VDI)
▪ Hosts a desktop environment on a centralized server
▪ Desktop as a Service (DaaS)
Remote Access: In-Band Management
▪ Managing devices using Telnet or SSH protocols over the network
Remote Access: Out-of-Band Management
▪ Connecting to and configuring different network devices using an alternate path or management network
Remote Access Technologies Authentication Considerations
▪ Confirms and validates a user’s identity
▪ Gives the user proper permissions to access a resource
Remote Access Authentication: PAP
Password Authentication Protocol (PAP)
▪ Sends usernames and passwords in plain text for authentication
Remote Access Authentication: CHAP
Challenge Handshake Authentication Protocol (CHAP)
▪ Sends the client a string of random text called a challenge, which is then encrypted using the password and sent back to the server
Remote Access Authentication: MS-CHAP
▪ Microsoft proprietary version of CHAP that provides stronger encryption keys and mutual authentication
Remote Access Authentication: EAP
Extensible Authentication Protocol (EAP)
▪ Allows for more secure authentication methods to be used instead of just a username and a password (Smart Card, Kerberos,…)
▪ Use EAP-TLS in conjunction with a RADIUS or TACACS+ server
VPN / Types
Virtual Private Network - Extends a private network across a public network and enables sending and receiving data as if connected directly to that private network.
Three Main Types of VPN:
▪ Site-to-site - Connects two offices
▪ Client-to-site - Single remote user to
▪ Clientless - Web browser
VPN Communication Method: Full Tunnel
▪ Routes and encrypts all network requests through the VPN connection back to the headquarters
- Best for security
VPN Communication Method: Split Tunnel
▪ Routes and encrypts only the traffic bound for the headquarters over the VPN, and sends the rest of the traffic to the regular Internet
- Best for performance
VPN: Clientless
▪ Creates a secure, remote-access VPN tunnel using a web browser without requiring a software or hardware client
Secure Socket Layer (SSL)
▪ Provides cryptography and reliability using the upper layers of the OSI model, specifically Layers 5, 6, and 7
▪ Less secure, so clientless VPNs are moving toward TLS
Transport Layer Security (TLS)
▪ Provides secure web browsing over HTTPS
▪ SSL and TLS use TCP to establish their secure connections between a client and a server (slower because of the TCP overhead; DTLS is an option)
Datagram Transport Layer Security (DTLS)
▪ UDP-based version of the TLS protocol, which operates a bit faster due to having less overhead (better for video streaming and VoIP)
VPN Protocol: Layer 2 Tunneling Protocol (L2TP)
Older protocol. Lacks security features like encryption by default and needs to be combined with an extra encryption layer for protection (still used when combined with an encryption protocol)
VPN Protocol: Layer 2 Forwarding (L2F)
Older protocol. Provides a tunneling protocol for the Point-to-Point Protocol (PPP) but also lacks native security and encryption features (not used much)
VPN Protocol: Point-to-Point Tunneling Protocol (PPTP)
Supports dial-up networks but also lacks native security features
(Microsoft added security features, so it is considered pretty secure when used with Windows.)
VPN Protocol: IP Security (IPSec)
▪ Provides authentication and encryption of packets to create a secure, encrypted communication path between two computers. The most widely used protocol suite for VPNs.
IPSec 5 Step Process
- Key exchange request
- IKE (Internet Key Exchange) Phase 1: Main mode or aggressive mode
- IKE Phase 2
- Data transfer
- Tunnel termination
Data Transfer Method: Transport Mode
▪ Uses the packet's original IP header (the header is not protected); used for client-to-site VPNs
▪ Works well if you cannot increase the packet size. By default, the maximum transmission unit (MTU) size in most networks is 1500 bytes
Data Transfer Method: Tunneling Mode
▪ Encapsulates the entire packet and puts another header on top of it
▪ For site-to-site VPNs, you may need to allow jumbo frames
AH
Authentication Header
▪ Provides connectionless data integrity and data origin authentication for IP datagrams, and provides protection against replay attacks (no confidentiality of the data)
ESP
Encapsulating Security Payload (no protection for the header)
▪ Provides authentication, integrity, replay protection, and data confidentiality
▪ In transport mode, use AH to provide integrity for the TCP header and ESP to encrypt it
▪ In tunneling mode, use AH and ESP to provide integrity and encryption of the end payload
SNMP
Simple Network Management Protocol (SNMP) is used to send and receive data from managed devices back to a centralized network management station.
Message types:
▪ Set - Manager-to-agent request to change the value of a variable or list of variables
▪ Get - Manager-to-agent request to retrieve a variable
▪ Trap - Unsolicited; sent asynchronously as a notification from agent to manager (events or alarms)
Syslog
System Logging Protocol (Syslog) - Sends system log or event messages to a central server, called a syslog server
● Security Information Management (SIM)
● Security Event Management (SEM)
● Security Information and Event Management (SIEM)
Syslog Level 0
Emergency
Syslog Level 1
Alert
Syslog Level 2
Critical
Syslog Level 3
Error
Syslog Level 4
Warning
Syslog Level 5
Notice
Syslog Level 6
Information
Syslog Level 7
Debugging
SIEM
Security Information and Event Management (SIEM)
▪ Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications
▪ Uses the Syslog protocol to collect data over UDP port 514 / TCP port 1468
▪ Data is classified based on log level 0-7
▪ The SIEM will normalize, correlate, and aggregate data for further analysis