Securing & Supporting the Network Flashcards

1
Q

Firewall

A

Filters (permits or denies) traffic based on a set of criteria

Rules created for inbound and outbound connections

Network Based or Host-Based

2
Q

Network Based Firewall

A

Physical hardware on the edge of the network

Usually also a router or just in line filter

Usually capable of NAT (Network Address Translation) because they’re internet facing devices

3
Q

Host-Based Firewall

A

Software on a computer like Windows Firewall

Controls which applications and ports are allowed to talk inbound and outbound on an individual workstation or host computer

4
Q

Dedicated Network Firewalls

A

Can provide multiple security services

Firewalling, VPN services, Anti-Malware, Content Filtering

Usually for corporate environments

This is called UTM (Unified Threat Management)

5
Q

UTM

A

Unified Threat Management

A device that provides multiple security services like Firewalling, VPN services, Anti-Malware, Content Filtering

6
Q

ACL

A

Access Control List

Used on routers and firewalls to create a list of rules for permitting and denying traffic. Can define the protocol (such as IP), source network, destination network, and the TCP/UDP port number for matching traffic

7
Q

Stateless Firewall

A

Employs only Access Control Lists to control inbound and outbound traffic

Modern Firewalls are both stateful and stateless because they use ACLs and also keep track of connections

8
Q

Stateful Firewall

A

Keeps track of connections and can allow return traffic as long as it was first generated from inside the network

Modern Firewalls are both stateful and stateless because they use ACLs and also keep track of connections

9
Q

Deep Packet Inspection

A

Advanced Firewalls are capable of inspecting the contents of packets

Allows a firewall to determine the context of the connection (what it’s really doing) “What is the purpose of this traffic?”

10
Q

Application Aware Firewall

A

AKA Context Aware Firewall

Can understand what devices, and what services and applications, the packets are for

Makes Network Based anti-malware possible

Decisions can be made on what is deep inside the packets rather than just where it's coming from and where it's going

11
Q

Context Aware Firewall

A

AKA Application Aware Firewall

Can understand what devices, and what services and applications, the packets are for

Makes Network Based anti-malware possible

Decisions can be made on what is deep inside the packets rather than just where it's coming from and where it's going

12
Q

VPN

A

Virtual Private Network

Establishes a private network connection over public networks between two end points

Normally incorporates encryption to protect the VPN tunnel

Host to Host VPN
Site to Site VPN

13
Q

VPN Concentrator

A

Virtual Private Network Concentrator

A VPN concentrator is a device that is dedicated to handling large amounts of VPN connections. Most of the time the firewall also acts as a VPN concentrator, but it could be a separate device

14
Q

VPN Protocols

A

PPTP (Point-to-Point Tunneling Protocol)
GRE Tunnel (Generic Routing Encapsulation Tunnel)
IPSec (Internet Protocol Security)
SSL VPN (Secure Sockets Layer VPN)

15
Q

PPTP

A

Point-to-Point Tunneling Protocol

VPN Protocol

Uses PPP for authentication and modified GRE (Generic Routing Encapsulation) for the tunnel. No inherent encryption, unsecure, mostly obsolete

16
Q

GRE Tunnel

A

Generic Routing Encapsulation Tunnel
VPN Protocol

Used with routers to create a generic tunnel. Combined with IPSec (Internet Protocol Security) to create an encrypted VPN tunnel

17
Q

IPSec

A

Internet Protocol Security

VPN Protocol

Provides a method for authentication and negotiation of crypto keys. Uses IKE (Internet Key Exchange) to negotiate the key and ISAKMP (Internet Security Association and Key Management Protocol) for key exchange

Authentication Algorithms: HMAC-MD5, HMAC-SHA-1

Encryption Algorithms: DES, 2DES, Blowfish, AES

18
Q

SSL VPN

A

Secure Socket Layer Virtual Private Network

Uses SSL to establish VPN connectivity. For host to site VPN. A web browser can be used to connect to the VPN, which is easier for VPN users.

NOT for site to site

19
Q

Network Segmentation

A

An architecture that divides a network into smaller sections or subnets

20
Q

DMZ

A

Demilitarized Zone

Private network that sits between a private LAN and the public internet

Used to expose web servers and other servers to the public internet without exposing the private LAN to the internet

If a machine on the DMZ becomes compromised the attacker will not have access to the LAN

Web servers are placed in the DMZ, with port 80 open from the outside to the DMZ only

21
Q

Honey Pot

A

a host that is exposed or partially exposed to invite attacks while monitoring and collecting information

22
Q

Honey Net

A

an entire network that is made to seem like a live production environment with weak security that invites attacks for monitoring purposes

23
Q

Testing Lab

A

Separated from the production network

Useful for:
Testing patches and updates before deploying to the production network
Testing new/different hardware/software setups
Test fixes to complex problems
Train others on lab equipment without interfering with the production network

24
Q

VLANs

A

Virtual Local Area Networks

Used for applying segmentation across the entire network and implementing security in different ways for each VLAN

Can set up ACLs that apply to each VLAN gateway

25
Malware
Software written specifically to harm and infect a host system. Includes viruses, worms, trojan horses, spyware, adware, ransomware, etc.
26
Compromised System
A host, server, network node, or other computer system that has been infected with malware or otherwise successfully attacked and exploited. Compromised systems sometimes give themselves
27
Attacks and Threats
Most attacks are performed by compromising computers with malware that is designed to perform a specific type of attack
DoS (Denial of Service)
DDoS (Distributed Denial of Service)
28
DoS
Denial of Service
Floods the target with traffic
29
DDoS
Distributed Denial of Service
Botnet, zombie computers, coordinated attack; the target cannot handle all the traffic and goes offline
30
Smurf Attack
DDoS attack
Floods the target with spoofed ICMP (Internet Control Message Protocol) traffic, spoofing the source IP on the ICMP ping
Attacker sends an IP directed broadcast ping to large networks with a spoofed source IP of the target victim, and the ICMP replies go to the target, causing a DDoS attack
Most modern routers have directed broadcast turned off by default
31
VLAN Hopping
Virtual Local Area Network Hopping
A malicious user on one VLAN gains access to traffic on another VLAN that it shouldn't have access to
Either acts as a trunking switch (switch spoofing) or double tags its frames with two VLANs
Can also exploit VoIP (Voice over IP) ports, as they use both a data VLAN and a voice VLAN
32
MITM
Man in the Middle attack
An attacker causes traffic between two endpoints to be sent through the attacker
Attacker can then intercept and manipulate the data
Could be on a local LAN with a malicious user or via the public internet
Many kinds of MITM attacks: ARP Poisoning, Session Hijacking
33
ARP Poisoning
MITM attack
Malicious user poisons the ARP cache of devices communicating with each other so that their layer 2 frames will be redirected to a machine used to intercept the communication
34
Session Hijacking
MITM attack
Malicious user intercepts the authentication cookies for an unsecure (HTTP port 80) web session and gains access to the web session
Various methods; may require the attacker to be in the same broadcast domain as the target, or may use cross-site scripting and browser-jacking malware that allows attackers to hijack the session remotely
35
Brute Force Attack
Attack uses cracking software, dictionary lists, and other username and password lists with the hope of eventually getting the correct combination
36
Zero-Day Attacks
Attackers use new exploits that are not made public, leaving organizations unprotected from the exploit until it's exposed and patched / mitigated
37
Social Engineering
Attackers trick people and use their trust to gain access to systems and critical or private information such as usernames, passwords, account numbers, IP addresses, etc.
Phishing, spear phishing, baiting, tailgating, dumpster diving
Use a shredder
Security policies, procedures and end user awareness training are the best ways to stop most social engineering attempts
38
Spear Phishing
Specific email, like your boss's email
39
Baiting
Trojan horse malware on flash drive hoping someone will plug it in
40
Vulnerabilities
Unnecessary programs and services running on a machine (BitTorrent, eMule)
Open TCP/UDP ports
Old or unpatched systems
Clear text credentials and unencrypted channels
Unsecure protocols: Telnet, HTTP, SLIP, FTP, TFTP, SNMPv1, SNMPv2
41
RF Emanating / Emanations / EMR
Sensitive systems should be protected from potential snooping/eavesdropping on RF emanations; the TEMPEST standards can be followed to ensure the proper RF shielding is in place
42
Ransomware
Attackers use a form of malware that encrypts all files on the device, holding them hostage for ransom
If the ransom is not paid the files will never be decrypted
43
Phishing
Attacker uses electronic communication (like email) to obtain information such as usernames and passwords, bank information, etc.
Phishing emails are disguised as official email from a trusted source and usually attempt to make you click on a link
44
Deauthentication
Attacker deauthenticates (logs out) a user
Wifi deauthentication attack
Attacker sends a deauthentication frame to the AP
User gets kicked off and the attacker can have the user reconnect to an evil twin access point
Sniff the WPA 4-way handshake when the user reconnects
Hijack the wifi connection
Mount a MITM attack
45
Insider Threat
Malicious employee
Trusted person on the inside who takes advantage of their network access to cause harm or steal data
To identify: check for odd login times, downloading large amounts of data, etc.
46
Logic Bomb
Malicious code that sets off a malicious function or activity when certain conditions are met
Called a bomb because it is set off or triggered by some condition or certain time
Example: code, inserted by an employee, that deletes certain files if they are terminated from the company
47
NAC
Network Access Control
Define authorized nodes and MAC addresses
Performs posture assessment on connecting hosts for things like antivirus and places them in quarantine if they fail the posture assessment
Persistent agent - recurring scanning
Non-persistent agent - one time scan
48
Anti-malware Software
Host based, cloud server based, or network based
No single type of anti-malware protection is the best option; it's best to use multiple forms of anti-malware implementations to provide wider coverage
49
Host based Anti-malware
Installed directly on the host computer
All the devices need their signatures updated constantly, which is hard to manage
A large organization requires an anti-malware server to track, push and manage updates
50
Cloud server based Anti-Malware
Centralized anti-malware service that runs in the cloud or on a local server
Inbound and outbound communication requests are examined
Easy to manage
51
Network based Anti-Malware
Runs on firewalls or other nodes that process internet traffic, like proxy servers
All traffic that passes through it is examined, using signatures to identify malware
Doesn't require any software on the host - the entire network is protected
52
ARP Inspection
Switch security
With Dynamic ARP Inspection (DAI) switches can intercept all ARP requests and replies and determine the validity of the IP to MAC binding
Drops invalid and spoofed ARP packets
Prevents ARP poisoning / spoofing and some MITM attacks
53
DHCP Snooping
Switch security
Identifies trusted DHCP servers
Acts like a DHCP firewall between the servers and hosts
Filters all abnormal / invalid DHCP traffic
54
MAC Filtering
Switch security
Switches can keep a list of MAC addresses to permit or deny access
55
Port Security
Switch security
Allows only specified MAC addresses to use the switch port
If an invalid MAC address is connected, the switch port will shut down
56
VLANS
Virtual Local Area Networks
Switch security
VLANs allow us to segment the network into smaller parts and apply security to each VLAN separately
Can restrict which VLANs can talk to each other and restrict other network access with a VLAN ACL (Access Control List)
57
SSH
Secure protocol that encrypts the terminal session
TCP port 22
58
SNMP v3
Secure protocol that uses user/password, hashes and encrypts the SNMP (Simple Network Management Protocol) traffic
tcp port 161
59
SFTP
Secure File Transfer Protocol
Secure protocol; uses SSH to encrypt file transfer
tcp port 22 (same as SSH, as it's using SSH)
60
HTTPS
Hyper-Text Transfer Protocol Secure
Secure protocol; uses SSL/TLS to encrypt the web session
tcp port 443 (for both SSL/TLS)
61
IPSec
Internet Protocol Security
Secure protocol
VPN tunnel encryption (up to AES (Advanced Encryption Standard))
tcp port 500
62
Telnet
Insecure protocol
Clear text terminal
tcp port 23
63
SNMP v 1/2
Simple Network Management Protocol
Insecure protocol
Unsecure network management
tcp port 161
64
FTP
File Transfer Protocol
Insecure protocol
Unsecure file transfer
tcp ports 20 and 21
65
HTTP
Hyper-Text Transfer Protocol
Insecure protocol
Unsecure web session
tcp port 80
66
PPTP
Point-to-Point Tunneling Protocol
VPN
Unencrypted VPN
tcp port 1723
67
802.1x
User authentication (Extensive user authentication)
Users have zero network access until authenticated
68
802.1x Protocols
PPP (Point to Point Protocol)
PAP (Password Authentication Protocol, clear text)
MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)
Username and password authentication
Used for remote server access, VPNs, etc.
69
Kerberos
Centralized network authentication system
Used with Windows domain client authentication
Can be used to secure any service requests
70
SSO
Single Sign On
Allows access to multiple systems with a single set of credentials
Credentials from a directory server (LDAP, Lightweight Directory Access Protocol) provide access to multiple applications
Authentication token passed to the configured SSO application
71
Multi-Factor Authentication
Two factor authentication adds a one time password texted to your phone, security questions, OPINS, biometrics, a physical token, or a mobile phone token.
Five factors of MFA:
Something you know - PIN, username and password, security questions
Something you have - phone, authenticator token, USB memory stick, etc.
Something you are - fingerprint, retina scan, voice signature
Somewhere you are - factor based on your location, geolocation, IP address
Something you do - typing techniques, hand written signature, techniques in writing, hand drawn patterns
72
Mantraps
Separate room before you go into the main facility
Area to check you for security before you go into a building
Room usually has a locking mechanism
73
Network Closets and Locked Racks
Put locked server racks into locked closets
74
Video Monitoring
IP Cams or CCTV
75
Door Access Controls
Keypads and cipher locks
Proximity readers / key fobs
Biometric scans
76
Security Guards
To keep things secure
77
IDS
Intrusion Detection System
IDS analyzes traffic that passes through the network; if it sees something abnormal it sends an alert
78
HIDS
Host based Intrusion Detection
On computers
79
NIDS
Network based Intrusion Detection
On the network
80
IPS
Intrusion Prevention System
Actively defends the network and sends alerts
81
Risk Management
About assessing and minimizing risk
82
Security Policies
Outlines the security standards of the network. Requires users to sign AUP (Acceptable Use Policy) before they can use the network
83
Security Controls
Enforce security policies
Good end user training is one of the best security measures
84
Patch Management
Helps to keep on top of patches and updates
85
Vulnerability Scanning
Assesses network security
86
PEN Testing
Penetration testing
Assesses network security
87
First Responders
First person on the scene of a computer crime
Must preserve and safeguard the digital evidence
Must also follow the escalation policy and document the scene after securing the area
88
eDiscovery
Electronic Discovery
Identifying, discovering, collecting, and exchanging ESI (Electronically Stored Information)
Digital documents, emails, texts, audio, video, databases, voicemail, spreadsheets, websites, any kind of electronic information
89
Evidence / Data Collection
Only a digital forensics expert should attempt recovery
90
Storage Imaging / Duplication
Copies of the data can be made for preservation
Only perform imaging if authorized to do so
91
Handling the Evidence
Chain of Custody - evidence must be handled carefully, record all changes of hands, and it should be traceable all the way back to the original scene
Data Transport - keep evidence away from magnetic fields, speakers, magnets, radio transmitters, etc.; package it during travel to prevent shock and vibration, and document all transportation activities
92
Forensic Report
Evidence is examined and analyzed
Report provided after digital forensics is completed
Written case report to present gathered information
May be provided by authorities or forensic analysts
93
Legal Hold
If an organization becomes part of an investigation, a legal hold may be placed on the computer systems and data
Notice is provided by legal counsel in anticipation of litigation
Includes precise instructions to preserve digital records, tape backups, archived media and other types of ESI (electronically stored information)
In this case, data must not be destroyed
94
Change Management
A formal process to introduce change in a controlled and coordinated manner
Ensures changes are properly communicated
Attempts to prevent downtime or outage of systems
95
Change Request
First document the reason for the change
Submit a request for this change
Request should include:
Configuration procedures
Potential impact of the change
Notification process
Rollback process
96
Approval and Implementation
Approval process differs based on the size, impact, and urgency
A maintenance window must be established for implementation
Impacted users must be notified of the change
97
Documentation
After successful implementation of the change, update all documents
Network configurations, additions to the network diagram, and changes to physical locations
98
Business Continuity
A plan to ensure an organization has a speedy recovery and can continue to operate after a business disruption
Includes Disaster Recovery, mainly concerning IT systems
99
Disaster Recovery Plan
Documented process to recover and protect a business's IT infrastructure in the event of a natural or man-made disaster
DR data center
Network redundancy
Failover procedures
Storage archives and backups
Hot sites / cold sites
Power redundancy
Fire suppression systems
100
NOC
Network Operations Center
Where network administrators monitor and manage the network
Network health visuals in real time
Automated alerting and after hours paging
Focal point for troubleshooting and maintaining the network devices like routers, switches, firewalls, etc.
101
Ping Monitoring
Reachability statistics
Up/Down status
102
SNMP Monitoring and Graphing
Simple Network Management Protocol
Reachability stats
Up/Down status
Interface bandwidth graphs
SNMP traps
103
NetFlow and sFlow
NetFlow is Cisco proprietary, based on IP (Internet Protocol), layer 3 and some layer 2
sFlow is in layer 2
104
Servers and software for network management
There are many servers and software packages
Paid: SolarWinds NPM, Cisco Prime Infrastructure, WhatsUp Gold
Free: Nagios, Spiceworks, Cacti
105
Syslogs
(System logs) Able to receive system level event logs from network infrastructure devices.
Normal/standard to have a syslog server on the network to capture this type of info
106
Configuration Management
How and why to back up device configs
Automated backup jobs, or set them up manually in the CLI
Once the configuration is backed up it can be used for new devices, or in case the configuration is ever erased or changed
107
Authentication
AAA
Authentication - is the user a valid user
Authorization - what activity is the user authorized to do
Accounting - what did the user do while they were logged in
108
Remote Authentication
We can authenticate remotely using TACACS (Terminal Access Controller Access-Control System) or RADIUS
109
Plugs/Connectors
Power plugs and connectors must match, especially with voltage
110
UPS
Uninterrupted power source unit that provides temporary battery backup for racks/hardware
111
Power Redundancy
Primary Power, battery backups, generators
112
Rack Mounting
Be aware of airflow and placement for optimal air flow
Label ports, circuits, patch panels, hardware
Use a naming convention
113
Rack Monitoring and Security
Monitoring systems provide environmental monitoring and security such as door switches and video surveillance
Motion detectors
Fire/smoke/gas detectors
Door switch
Airflow
Temperature
Humidity
Leaks
Video surveillance
Web management
Alerts via network/email
114
ICS
Industrial Control System
Monitors, automates, and enables human control of industrial processes
Enables speed, responsiveness, and reliability in production and industrial controls
Encompasses DCS and SCADA
115
DCS
Distributed Control System
A closed, complete, working, integrated and tested ICS system (reliable and secure)
Typically less vulnerable to cyber security attacks than SCADA based systems
116
SCADA
Supervisory Control and Data Acquisition System
System for monitoring and controlling industrial and manufacturing equipment
Uses PLCs (Programmable Logic Controllers) for controlling machines, equipment, valves, etc.
Electrical, water, oil, gas, automotive, manufacturing, mass transit, traffic signals
Provides ICS (Industrial Control System) over long distances and interfaces with many types of systems and networks
117
Basic SCADA Components
Machine - industrial machines controlled by SCADA
PLCs (Programmable Logic Controllers) - industrial digital computers, control switches, valves, etc.
RTU (Remote Terminal Unit) - remote long distance PLC
ICS Server (Industrial Control System) - runs SCADA software to control PLCs (Programmable Logic Controllers) and control units
HMI (Human Machine Interface) - enables monitoring and control by a human
118
PLCs
(Programmable Logic Controllers) Industrial digital computers, control switches, valves, etc.
119
RTU
(Remote Terminal Unit) A remote, long distance PLC
120
ICS Server
(Industrial Control System) Runs SCADA software to control PLCs (Programmable Logic Controllers) and control units
121
HMI
(Human Machine Interface) Enables monitoring and control by a human
122
Asset Management
Track and manage device inventory and the employees that end user devices are assigned to
123
Network Diagrams
Useful for many things including planning for network upgrades and installs
124
IP Address Utilization
Document IP address utilization and create a complete list of all private and public network IDs and IP address assignments
125
Vendor Documents and Contracts
SLA (Service Level Agreement)
SOW (Statement of Work)
MSA (Master Service Agreement)
MOU (Memorandum of Understanding)
126
SLA
(Service Level Agreement) Defines the aspects of a service provided by a service provider, such as quality, availability and responsibility
127
SOW
(Statement of Work) Defines work to be accomplished during a project
Usually between a consultant/provider and a customer
128
MSA
(Master Service Agreement) Payment terms, warranties, intellectual property
129
MOU
(Memorandum of Understanding) Multi-party agreement indicating a common line of action
Not legally binding
130
Small Office LAN Deployment
Implementation considerations:
List of requirements
Device types and requirements
Environmental limitations
Compatibility requirements
Wired/wireless considerations
Security considerations
131
List of requirements
Create a list of requirements:
How many users and work areas
Power over Ethernet support needed
How many computers will be on the network
Wireless access needed
Servers and domain services required
LAN cabling needs
Closets for LAN equipment and patch panel
Local internet access or coming from a remote site
Private WAN for connectivity
Host to host or site to site VPN needed
132
Device Types / Requirements
Based on the requirements, what network devices do we need?
Create a diagram
133
LAN Requirements
Map out the connections needed and determine the size of the switch
Determine if multiple switches will be needed and their locations
WLAN: Determine SSIDs (business, guest) and the number/location of WAPs
134
WAN Requirements
If private WAN connectivity is required then a router will be needed that can accept the WAN connection and run the required protocols
135
Internet Requirements
A basic business grade router/firewall can be used for SOHO internet connectivity
If VPN access is required a more robust firewall/router will be needed
136
Environmental Limitations
Space - where to place things
Cooling of equipment
Plenum space where cables need to be placed
Enough power available for the equipment
137
Equipment Limitations
How much room does the equipment allow for growth?
What types of protocols and technologies does the equipment support?
Does the equipment contain expansion modules?
How will you manage the equipment remotely?
What type of remote access can you set up?
138
Compatibility Requirements
Everything must be compatible and work together flawlessly
Ethernet LAN - consider bandwidth capabilities
Don't create unnecessary bottlenecks
Carefully choose WAN connections
Fiber optics and SFP (optical transceiver module) types must match
139
Wired / Wireless Considerations
Follow standards for wired connectivity
Ethernet distance limitation is 100 meters
Structured LAN cabling can be outsourced
Follow structured cabling standards
WAP placement - best coverage
Be sure to have enough WAPs
Other WLANs can conflict (same channels used)
140
Security Considerations
Physical security - keep the equipment safe
LAN security - implement switch security features
WAN security - protect the internet connection with an ACL (Access Control List)
Routers and hardware firewalls may not have an ACL (Access Control List) configured by default
Do not connect to the internet unprotected (without an ACL)
Hosts should be running software firewalls (default with Windows)
Wireless security - hide SSIDs, use WPA3, consider adding another form of authentication
Administrator passwords - only administrators should have these. Do not share passwords over regular email or other unsecure messaging platforms