Securing & Supporting the Network Flashcards
1
Q
Firewall
A
Filters (permits or denies) traffic based on a set of criteria
Rules created for inbound and outbound connections
Network Based or Host-Based
2
Q
Network Based Firewall
A
Physical hardware on the edge of the network
Usually also a router or just in line filter
Usually capable of NAT (Network Address Translation) because they’re internet facing devices
3
Q
Host-Based Firewall
A
Software on a computer like Windows Firewall
Controls which applications and ports are allowed to talk inbound and outbound on an individual workstation or host computer
4
Q
Dedicated Network Firewalls
A
Can provide multiple security services
Firewalling, VPN services, Anti-Malware, Content Filtering
Usually for corporate environments
This is called UTM (Unified Threat Management)
5
Q
UTM
A
Unified Threat Management
A device that provides multiple security services like Firewalling, VPN services, Anti-Malware, Content Filtering
6
Q
ACL
A
Access Control List
Used on routers and firewalls to create a list of rules for permitting and denying traffic. Can define the protocol such as IP, Source network, destination network, and the TCP/UDP port # for matching traffic
7
Q
Stateless Firewall
A
Employs only Access Control Lists to control inbound and outbound traffic
Modern Firewalls are both stateful and stateless because they use ACLs and also keep track of connections
8
Q
Stateful Firewall
A
Keeps track of connections and can allow return traffic as long as it was first generated from inside the network
Modern Firewalls are both stateful and stateless because they use ACLs and also keep track of connections
9
Q
Deep Packet Inspection
A
Advanced Firewalls are capable of inspecting the contents of packets
Allows a firewall to determine the context of the connection (what it’s really doing) “What is the purpose of this traffic?”
10
Q
Application Aware Firewall
A
AKA Context Aware Firewall
Can understand what devices, and what services and applications, the packets are for
Makes Network Based anti-malware possible
Decisions can be made on what is deep inside the packets rather than just where its coming from and where it’s going
11
Q
Context Aware Firewall
A
AKA Application Aware Firewall
Can understand what devices, and what services and applications, the packets are for
Makes Network Based anti-malware possible
Decisions can be made on what is deep inside the packets rather than just where its coming from and where it’s going
12
Q
VPN
A
Virtual Private Network
Establishes a private network connection over public networks and incorporates encryption to protect the tunnels between two end points
Normally incorporates encryption to protect the VPN tunnel
Host to Host VPN
Site to Site VPN
13
Q
VPN Concentrator
A
Virtual Private Network Concentrator
A vpn concentrator is a device that is dedicated to handling large amounts of VPN connections. Most of the time the firewall also acts as a VPN Concentrator, but it could be a separate device
14
Q
VPN Protocols
A
PPTP (Point-to-Point Tunneling Protocol)
GRE Tunnel (Generic Routing Encapsulation Tunnel)
IPSec (Internet Protocol Security)
SSL VPN (Secure Sockets Layer VPN)
15
Q
PPTP
A
Point-to-Point Tunneling Protocol)
VPN Protocol
Uses PPP for authentication and modified GRE (Generic Routing Encapsulation) for the tunnel. No inherent encryption, unsecure, mostly obsolete
16
Q
GRE Tunnel
A
Generic Routing Encapsulation Tunnel
VPN Protocol
Used with routers to create a generic tunnel. In combination with IPSec (Internet Protocol Security) to create an encrypted VPN Tunnel
17
Q
IPSec
A
Internet Protocol Security
VPN Protocol
Provides a method for authentication and negotiation of crypto keys. Uses IKE (Internet Key Exchange) to negotiate the key and ISAKMP (Internet Security Association and Key Management Protocol) for key exchange
Authentication Algorithms: HMAC-MD5, HMAC-SHA-1
Encrypted Algorithms: DES, 2DES, Blowfish, AES
18
Q
SSL VPN
A
Secure Socket Layer Virtual Private Network
Uses SSL to establish VPN connectivity. For host to site VPN. A web browser can be used to connect the VPN which is easier for VPN users.
NOT for site to site
19
Q
Network Segmentation
A
An architecture that divides a network into smaller sections or subnets
20
Q
DMZ
A
Demilitarized Zone
Private network that sits between a private LAN and the public internet
Used to expose webservers and other servers to the public internet without exposing the private LAN to the internet
If a machine on the DMZ becomes compromised the attacker will not have access to the LAN
Web servers place on the DMZ server with port 80 open from the outside to the DMZ only
21
Q
Honey Pot
A
a host that is exposed or partially exposed to invite attacks while monitoring and collecting information
22
Q
Honey Net
A
an entire network that is made to seem like a live production environment with weak security that invites attacks for monitoring purposes
23
Q
Testing Lab
A
Separated from the production network
Useful for :
Testing patches and updates before deploying to the production network
Test new/different hardware/software set ups
Test fixes to complex problems
Train others on lab equipment without interfering with the production network
24
Q
VLANs
A
Virtual Local Area Networks
Used for applying segmentation across the entire network and implement security in different ways for each VLAN
Can set up ACL that apply to each VLAN Gateway
25
Malware
Software written specifically to harm and infect a host system.
Includes viruses, worms, trojan horses, spyware, adware, ransomware, etc.
26
Compromised System
A host, server, network node, or other computer system that has been infected with malware or otherwise successfully attacked and exploited.
Compromised system sometimes give themselves
27
Attacks and Threats
Most attacks are performed by compromising computers with Malware that is designed to perform a specific type of attack
DoS (denial of Service)
DDos (Distributed Denial of Service)
28
DoS
Denial of Service
Floods the target with traffic
29
DDoS
Distributed Denial of Service
Bonet, zombie computers, coordinated attack, target cannot handle all the traffic and it goes offline
30
Smurf Attack
DDoS attack
Floods the target with spoofed ICMP (Internet Control Message Protocol) which spoofs the source IP on ICMP or on the ping
Attacker sends an IP directed broadcast ping to large networks with a spoofed IP source of the target victim and the ICMP replies to the target causing a DDoS attack
Most modern routers have directed broadcast turned off by default
31
VLAN Hopping
Virtual Local Area Network Hopping
A malicious user on one VLAN gains access to traffic on another VLAN that it shouldn't have access to
Either acts as trunking switch (switch spoofing) or double tags its Frames with two VLANS
Can also exploit VoIP (Voice over IP) ports as they use data VLAN and voice VLAN
32
MITM
Main in the Middel attack
An attacker causes traffic between two endpoints to be sent through the attacker
Attacker can then intercept and manipulate the data
Could be on a local LAN with a malicious user or via the public internet
Many kinds of MITM attacks:
ARP Poisoning
Session Hijacking
33
ARP Poisoning
MITM attack
Malicious user poisons the ARP cache of devices communicating with each other so that their layer 2 frames will be redirected to a machine used to intercept the communication
34
Session Hijacking
MITM Attack
Malicious user intercepts the authentication cookies for an unsecure (HTTP port 80) web session and gains access to the web session
Various methods, may require the attacker to be in the same broadcast domain as the target or includes cross-site scripting and browser jacking malware that allows attackers to hijack session remotely
35
Brute Force Attack
Attack uses cracking softrware, disctionary lists, and other username and password lists with the hope of eventually getting the correct combination
36
Zero-Day Attachs
Attackers using new exploits that are not made public, leaving organizations unprotected from the exploit until it's exposed and patched / mitigated
37
Social Engineering
Attackers trick people and use their trust to gain access to systems and critical or private information such as usernames, passwords, accounts numbers, ip addresses, etc.
Phishing, spear phishing, baiting, tailgating, dumpster diving
Use a shredder
Security policies, procedures and end user awareness training are the best ways to stop most social engineering attempts
38
Spear Phishing
Specific email, like your boss's emailB
39
Baiting
Trojan horse malware on flash drive hoping someone will plug it in
40
Vulnerabilities
Unnecessary programs and services running on a machine (Bit Torrent Emule)
Open TCP/UDP ports
Old or unpatched systems
Clear text credentials and unencrypted channels
Unsecure protocols: Telnet, http, slip, ftp, tftp, snmpv1, smnpv2
41
RF Emanating / Emanations / EMR
Sensitive systems should be protected from potential snooping/eavesdropping on RF emanations and the TEMPEST standards can be followed to ensure the proper RF shielding is in place
42
Ransomeware
Attackers use a form of Malware that encrypts all files on the device, holding them hostage for ransom
If ransom is not paid the files will never be decrypted
43
Phising
Attacker uses electronic communication (like email) to obtain information such as usernames and passwords, bank information, etc.
Phishing emails are disguised as official email from a trusted source and usually attempt to make you click on a link
44
Deauthentication
Attacker deauthenticates (logs out) a user
Wifi deauthentication attack
Attacker sends deactivation frame AP
Users gets kicked off and attacker can have user reconnect to evil twin access point
Sniff the WPAv 4 way handshake upon user reconnecting
Hijack the wifi connection
Mount a MITM attack
45
Insider Threat
Malicious employee
Trusted person on the inside who takes advantage of their network access to cause harm or steal data
To identify, check weird login times, downloading large amounts of data, etc.
46
Logic Bomb
Malicious code that sets off a mlicious function or activity when certain conditions are met
Called a bomb because it is set off or triggered by some condition or certain time
Code, inserted bye an employee, that deletes certain files if they are terminated from the company
47
NAC
Network Access Control
Define authorized nodes and MAC addresses
Performs posture assessment on connecting hosts for things like antivirus and places them in quarantine if they fail the posture assessment
Persistent agent -- reoccuring scanning
Non-persistent -- one time scan
48
Anti-malware Software
Host based:
Cloud server based:
Network based
No single type of anti-malware protection is the best option, it's best to use multiple forms of anti-malware implementations to provide a wider coverage
49
Host based Anti-malware
Installed directly on the host computer
All the devices need to signatures updated constantly which is hard to mange
Large organization requires an anti-malware server to track, push and manage updates
50
Cloud server based Anti-Malware
Centralized anti-malware service that runs in the cloud or on a local server
inbound outbound communication requests are examined
Easy to Manage
51
Network based Anti-Malware
runs on firewalls or other nodes that process internet traffic like proxy servers
All traffic that passes through it is examined and uses signatures to identify malware
Doesn't require any software on the host - the entire network is protected
52
Arp Inspection
Switch Security
With dynamic ARP Inspection (DAI) switches can intercept all ARP requests and replies and determine the validity of the IP to MAC binding
Drops invalid and spoofed ARP packets
Prevents ARP poisioning / spoofing and some MITM attack
53
DHCP Snooping
Switch Security
Identifies trusted DHCP servers
Acts like DHCP firewall between the servers and hosts
Filters all abnormal/ invalid DHCP traffic
54
MAC Filtering
Switch Security
Switches can keep a list of MAC addresses to permit or deny access
55
Port Security
Switch Security
Allows only specified MAC addresses to use the switch port
IF an invalid MAC address is connected the switch port will shut down
56
VLANS
Virtual Local Area Connections
Switch Security
VLANS allow us to segment the network into smaller parts and apply security to each VLAN seperately
Can restrict which VLANS can talk to each other and restrict other network access with VLAN ACL (Access Control List)
57
SSH
Secure Protocol that encrypts terminal session
TCP port 22
58
SNMP v3
Secure Protocol that uses user/password, hashes and encrypts the SNMP traffic (Simple network management protocol)
tcp port 161
59
SFTP
Secure File Transfer Protool
Secure Protocol
uses SSH to encrypt file transfer
tcp port 22 (same as SSH as it's using SSH)
60
HTTPS
Hyper-Text Transfer Protocol Secure
Secure Protocol
uses SSL/TLS encrypts web session
tcp port 443 (for both SSL/TLS)
61
IPSec
Internet Protocol Security
Secure Protocol
VPN tunnel encryption (up to AES (Advanced Encryption Standards))
tcp port 500
62
Telnet
Insecure Protocol
Clear text terminal
tcp port 23
63
SNMP v 1/2
Simple Network Message Protocol
Insecure Protocol
unsecure network management
tcp port 161
64
FTP
File Transfer Protocol
Insecure Protocol
unsecure file transfer
tcp port 20 and 21
65
HTTP
Hyper-text Transfer Protocol
Insecure Protocol
unsecure web session
tcp port 80P
66
PPTP
Point-to-Point Tunneling Protocol VPN
unencrypted vpn
tcp port 1723
67
802.1x
User Authentication (Extensive user authentication)
Users have zero network access until authenticated
68
802.1x Protocols
PPP (Point to Point Protocol)
PAP (Password Authentication Protocol, clear text)
MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)
Username and password authentications
Used for remote server access, VPNs, etc.
69
Kerberos
Centralized network authentication system
Used with Windows domain client authentication
Cane be used to secure any service requests
70
SSO
Single Sign On
Allows access to multiple systems with a single set of credentials
Creds from a directory server provide access to multiple applications
LDAP) (Light weight directory access protocol)
Authentication token passed to configured SSO application
71
Multi-Factor Authentication
Two factor authentication, adds a one time password texted to your phone, Security Qs, OPINS, Biometrics, physical token, mobile phone token.
Five factors of MFA
Something you know -- PIN, username and password, seurity questions
something you have - phone, authenticator token, usb memory stick, etc
something you are - finger print, retina scan, voice signatures
somewhere you are - factor based on your location, geolocation, ip address
somethingn you do - typing techniques, hand written signature, techniques in writting, hand drawn patterns
72
Mantraps
Separate room before you go into the main facility
Area to check you for security before you go into a building
Room usually has a locking mechanism
73
Network CLosets and Locked Racks
Put locked server racks into locked closets
74
Video Monitoring
IP Cams or CCTV
75
Door Access Controls
Keypads and cipher locks
proximity readers / key fob
Biometric scans
76
Security Guards
To keep things secure
77
IDS
Intrusion Detection System
IDS analyzes traffic that passes through the network, if it sees something abnormal it sends an alert
78
HIDS
Host based Intrusion detection
On computers
79
NIDS
Network based Intrusion detection
On network
80
IPS
Intrusion Prevention System
Actively defends the network and sends alerts
81
Risk Management
About Assessing and minimizing risk
82
Security Policies
Outlines the security standards of the network.
Requires users to sign AUP (Acceptable Use Policy) before they can use the network
83
Security Controls
Enforces security policies
Good end user training is one of the best security measures
84
Patch Management
Helps to keep on top of patches and updates
85
Vulnerability Scanning
Assesses network security
86
PEN Testing
Penetration testing
Assesses network security
87
First Responders
First person on the scene of a computer crime
Must preserve and safe guard the digital evidence
Must also follow escalation policy and document the scene after securing the area
88
eDiscovery
Electronic Discovery
Identifying, discovering, collecting, and exchanging ESI (Electronically Stored Information)
Digital documents, emails, texts, audio, video, databases, voicemail, spreadsheets, websites, any kind of electronic information
89
Evidence / Data Collection
Only a digital Forensics expert should attempt recovery
90
Storage Imaging / Duplication
Copies of the data can be made for preservation
Only perform imaging if authorized to do so
91
Handling the Evidence
Chain of Custody - evidence must be handled carefully, record all changes of hands, and should be traceable all the way back to the original scene
Data Transport - keep evidence away from magnetic fields, speakers, magnets, radio transmitters, etc. package during travel and prevent shock and vibration, and document all transportation activities
92
Forensic Report
Evidence is examined and analyzed
Report provided after digital forensics completed
Written case report to present gathered information
May be provided by authorities or forensic analysists
93
Legal Hold
If organization becomes part of an investigation a legal hold may be placed on the computer systems and data
Provided notice from legal counsel in anticipation of litigation
Includes precise instructions to preserve digital records, tape backups, archived media and other types of ESI (electronically stored information)
In this case, data must not be destroyed
94
Change Management
A formal process to introduce change in a controlled and coordinated manner
Ensures changes are properly communicated
Attempts to prevent downtime or outage of system
95
Change Request
First document the reason for change
Submit a request for this change
Request should include:
Configuration Procedures
Potential Impact of Change
Notification Process
Rollback Process
96
Approval and IMplementation
Approval process differs based on the size, impact, and urgency
Maintenance window must be established for implementation
Impacted users must be notified of the change
97
Documentation
After successful implementation of the change, update all documents
Network configurations, additions to the network diagram, and changes to physical locations
98
Business Continuity
A plan to ensure an organization has a speedy recovery and can continue to operate after a business disruption
Includes Disaster Recovery, mainly concerning IT systems
99
Disaster Recovery Plan
Documented process to recover and protect a business IT infrastructure in the event of a natural or man-made disaster
DR Data Center
Network Redundancy
Fail over procedures
Storage archives and Backups
Hot Sites / Cold Sites
Power Redundancy
Fire suppression systems
100
NOC
Network Operations Center
Where network administrators monitor and manage the network
Network health visuals in real time
Automated alerting and after hours paging
Focal point for troubleshooting and maintaining the network devices like routers, switches, firewalls, etc.
101
Ping Monitoring
Reachability statistics
Up/Down status
102
SNMP Monitoring and Graphing
Simple Network Messaging System
Reachability stats
Up/Down status
Interface Bandwidth graphic
SNMP Traps
103
NetFlow and sFlow
Cisco Proprietary, based on IP (Internet Protocol), layer 3 and some layer 2
sFlow is in layer 2
104
Servers and software for network management
There are many servers and software
Paid:
SolarWinds NPM
Cisco Prime Infrastructure
What's up Gold
Free:
Nagios
Spiceworks
Cacti
105
Syslogs
(system logs)
able to receive system level event logs from network infrastructure devices. Normal/standard to have a syslog server on the network to capture this type of info
106
Configuration Management
How and why to back up device configs
Automated backup jobs or manually set them up in CLI
Once the configuration is backed up it can be used for new devices, or in case the configuration is ever erased or changed
107
Authentication
AAA
Authentication - is the user a valid user
Authorization - what activity is the user authorized to do
Accounting - what did the user do while they were logged in
108
Remote Authentication
We can authentication remotely using TACACS (Terminal Access Controller Access-Control System) or RADIUS
109
Plugs/Connectors
Power plugs and connectors must match, especially with voltage
110
UPS
Uninterrupted power source unit provides temporary battery back up for racks/hardware
111
Power Redundancy
Primary Power, battery backups, generators
112
Rack Mounting
Be aware of airflow and placement for optimal air flow
Label - ports, circuits, patch panel, hardware
Use a naming convention
113
Rack Monitoring and Security
mointoring systems provide environmental mointoring and security such as door switches and video surveillance
Motion detectors
Fire/smoke/gas detectors
door switch
airflow
temperature
humidity
leaks
video surveillance
web managemnt
alerts via network/email
114
ICS
Industrial Control System
Monitors, automates, and enables human controls of industrial processes
Enables speed, responsiveness, and reliability in production and industrial controls
Encompasses DCS and Scada
115
DCS
Distributed Control System
A closed, complete, working integrated and tested ICS system (reliable and secure)
Typically less vulnerable to cyber security attacks than SCADA based systems
116
SCADA
Supervisory Control and Data Acquisition System
System for monitoring and controlling industrial and manufacturing equipment
Uses PLCs (Programmable Logical Controllers) for controlling machines, equipment, valves, etc.
Electrical, water, oil, gas, automotive, manufacturing, mass transit, traffic signals
Provides ICS (Industrial Control System) over long distance and interfaces with many types of systems and networks
117
Basic SCADA Components
Machine - industrial machines controlled by SCADA
PLCs (Programmable Logic Controllers) industrial digital computers, control switches, valves, etc.
RTU (Remote Terminal Unit) - remote long distance PLC
ICS Server (Industrial Control System) - Runs SCADA software to control PLC (Programmable Logic Controllers) and control units
HMI (Human Machine Interface) - enables monitoring and control by a human
118
PLCs
(Programmable Logic Controllers) industrial digital computers, control switches, valves, etc.
119
RTU
(Remote Terminal Unit) - remote long distance PLC
120
ICS Server
(Industrial Control System) - Runs SCADA software to control PLC (Programmable Logic Controllers) and control units
121
HMI
(Human Machine Interface) - enables monitoring and control by a human
122
Asset Management
Track and manage device inventory and the employees that end user devices are assigned to
123
Network Diagrams
Useful for many things including planning for network upgrades and installs
124
IP Address Utilization
Document IP Address utilization and create complete list of all private and public network ID's and IP address assignments
125
Vendor Documents and Contracts
SLA (Service Level Agreement)
SOW (Statement of Work)
MSA (Master Service Agreement)
MOU (Memorandum of Understanding)
126
SLA
(Service Level Agreement)
Defines the aspect of a service provided by a service provider such as quality and availability and responsibility
127
SOW
(Statement of Work)
Defines work to be accomplished during a project
Usually between a consultant/provider and a customer
128
MSA
(Master Service Agreement)
Payment Terms, warranties, intellectual property
129
MOU
(Memorandum of Understanding)
Multi-party agreement indicating a common line of action
Not legally binding
130
Small Office LAN Deployment
Implementation Considerations
List of requirements
Device types and requirements
Environment Limitations
Compatiblity Requirements
Wired/Wireless Considerations
Security Considerations
131
List of requirements
Create a list of requirements
how many users and work areas
power over ethernet support needed
how many computers will be on the network
wireless access needed
servers and domain services required
LAN cabling needs
closets for LAN Equpiment and patch panel
local internet access or coming from remote site
private WAN for connecttivity
host to host or site to site vpn needed
132
Device Types / Requirements
Based on the requirements, what network devices do we need?
Create a diagram
133
LAN Requirements
Map out the connections needed and determine size of switch
Determine if multiples switches will be needed and their locations
WLAN: Determine SSIDs (business, guest) and numbers/location of WAPS
134
WAN Requirements
If Private WAN connectivity is required then a router will be needed that can accept the wan connection and run the required protocols
135
Internet Requirements
A basic business grade router/firewall can be use for SOHO internet connectivity
If VPN access is required a more robust firewall/router will be needed
136
Environmental Limitations
Space
Where to place things
Cooling of equipment
Plenum space where cables need to be placed
Enough power available for the equipment
137
Equipment Limitations
How much room does the equipment allow for growth
What types of protocols and technologies does the equipment support
Does the equipment contain expansion modules
How will you manage the equipment remotely
What type of remote access can use set up
138
Compatibility Requirements
Everything must be compatible and work together flawlessly
Ethernet LAN consider bandwidth capabilities
Don' create unnecessary bottlenecks
Carefully choose WAN connections
Fiber Optics and SPFS (optical transceiver module) types must match
139
Wired / Wireless Considerations
Follow standards for wired connectivity
Ethernet distance limitation is 100 meters
Structured LAN cabling can be out sourced
Follow structured cabling standards
WAP placement - best coverage
Be sure to have enough WAPS
Other WLANs can conflict (some channels used)
140
Security Considerations
Physical security - keep the equipment safe
LAN Security - implement switch security features WAN
Security - protect internet connection with an ACL (Access Control List)
Routers and hardware firewalls may not have an ACL (Access Control List) configured by default
Do not connect to the internet unprotected (without an ACL)
Hosts should be running software firewalls (default with windows)
Wireless security - hide ssids, use wPA3, consider adding another form of authentication
Administrator passwords - only administrators should have these. Do not share passwords over regular email or other unsecure messaging platforms
141
