Securing Your Network Flashcards
Difference between IDS and IPS
IDS - identifies threats and raises alerts (detection only)
IPS - identifies threats and reacts to them (e.g. drops the offending traffic)
Difference between HIDS and NIDS
HIDS - host based: runs on an individual host and monitors the traffic passing through that host's NIC plus local activity (logs, files)
NIDS - network based: sensors monitor network traffic (via taps or mirror/SPAN ports)
The two types of detection methods used in IDS
Signature-based (aka definition-based) - matches traffic against known attack patterns
Heuristic / behavioral-based (aka anomaly-based) - compares activity against a learned baseline of normal behavior
The difference between SYN flood guard and flood guard on a switch
SYN flood guard - usually included in firewalls; limits half-open (SYN-only) TCP connections.
Flood guard on a switch - used to prevent MAC flooding attacks by limiting the MAC addresses learned per port.
Difference between false positives and false negatives in regards to IDS
False Positive - An alarm or alert on an event that is non-threatening.
False Negative - When an attack is occurring but the IDS does not identify the threat.
What is the threshold range of an IDS? What is the result of the threshold being too low or too high?
1 to 1000.
Too low - the IDS raises too many alerts on legitimate events (false positives).
Too high - the IDS fails to identify real attacks (false negatives).
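The interplay of threshold, false positives and false negatives above is easier to see on data. The following is an added example, not part of the original flashcards: it runs a simple per-source SYN counter over a constructed set of log lines (the hosts, addresses and counts are made up) and classifies the result at three thresholds, reproducing the "too low" and "too high" outcomes.

```python
import re
from collections import Counter

# Matches one constructed log line; only TCP SYNs (flags=S) are counted.
LINE_RE = re.compile(r"src=(?P<src>\S+) .*flags=S\b")


def build_sample_log():
    """Constructed sample log (not real data): one busy but legitimate client
    (12 SYNs), one SYN-flooding source (80 SYNs), and two quiet hosts."""
    lines = []
    t = 0

    def add(src, n):
        nonlocal t
        for _ in range(n):
            lines.append(
                f"2024-01-01T10:00:{t % 60:02d} src={src} dst=10.0.0.80 dport=443 flags=S"
            )
            t += 1

    add("10.0.0.5", 12)       # legitimate, chatty web client
    add("198.51.100.9", 80)   # flood source
    add("10.0.0.7", 2)
    add("10.0.0.8", 1)
    return lines


def syn_counts(lines):
    """Count SYNs per source address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def flag_sources(lines, threshold):
    """The detector: every source whose SYN count exceeds the threshold is flagged."""
    return {src for src, n in syn_counts(lines).items() if n > threshold}


def evaluate(lines, threshold, attackers):
    """Compare the detector's verdict with ground truth (the known attacker set)."""
    flagged = flag_sources(lines, threshold)
    return {
        "true_positives": sorted(flagged & attackers),
        "false_positives": sorted(flagged - attackers),   # legitimate hosts flagged
        "false_negatives": sorted(attackers - flagged),   # attackers missed
    }


if __name__ == "__main__":
    log = build_sample_log()
    attackers = {"198.51.100.9"}
    for threshold in (5, 50, 500):
        print(threshold, evaluate(log, threshold, attackers))
```

At threshold 5 the legitimate client 10.0.0.5 is flagged (false positive); at 500 the flood source is missed (false negative); 50 separates the two. On real traffic the right value has to be tuned from a baseline of the network, which is exactly what the anomaly-based method on the earlier card does.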
Intrusion system that is in-line aka in-band
IPS
Intrusion system that collects data passively or out-of-band
IDS
Intrusion system that has protocol analyzer capabilities
Both IDS and IPS
What is the disadvantage of an active NIDS
It reacts only after the attack has started; because it sits out-of-band, the first packets have already passed, unlike an in-line IPS.
Hardware devices that focus on handling TLS traffic. They allow systems to off-load the encryption workload to a separate hardware device, reducing the load on the servers' own CPUs.
SSL/TLS Accelerator
Used in conjunction with NIPS to mitigate threats that use encryption technologies.
SSL Decryptors
Uses virtualization technologies to separate the data plane and the control plane of a network. Commonly used with ABAC.
SDN - Software Defined Network
A port-based authentication protocol that authenticates devices before granting them access to a network
IEEE 802.1X
Methods used to authenticate VPN clients before they connect
Use a Remote Authentication Dial-In User Service (RADIUS) or Diameter server, the same kind of AAA back end used by IEEE 802.1X, to authenticate the clients.
The two distinctions of wireless AP
- All wireless routers are AP’s
- Not all AP’s are wireless routers
A stand-alone (aka intelligent or autonomous) AP that includes everything needed to connect wireless clients to a wireless network
Fat AP
An AP that is not stand-alone; it is managed by a central wireless controller
Thin AP or controller-based AP
This identifies an AP or wireless network
SSID - Service Set Identifier
Disabling SSID broadcast is a sure way to deny an attacker from finding a network. True or False?
False. It makes the network harder to find, but an attacker with a wireless sniffer can still recover the SSID from client traffic.
How would an attacker bypass MAC filtering?
Sniff the wireless traffic for an allowed MAC address and spoof that address.
A strong security protocol for wireless networks
WPA2
What is the replacement for WPA
WPA2 (aka 802.11i)
What encryption method does WPA and WPA2 use
WPA - Temporal Key Integrity Protocol (TKIP), built on RC4
WPA2 - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), built on AES
Strong encryption protocol based on the Advanced Encryption Standard (AES)
CCMP - Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
Describe PSK, Enterprise, and Open modes
WPA/WPA2 modes:
PSK - Pre-shared key: every client uses the same passphrase, so it provides authorization without authentication (no individual identity is proven).
Enterprise - Uses an 802.1X server with RADIUS to provide authorization with per-user authentication.
Open - Open access. No security is enabled for network access.
What is the RADIUS port?
UDP 1812 for authentication (1813 for accounting), but some vendors still use the legacy ports 1645/1646.
What are the 6 authentication protocols?
EAP - Extensible Authentication Protocol: a framework for authentication methods; creates a secure encryption key (the Pairwise Master Key, PMK)
EAP-FAST - Cisco; certificates are optional
PEAP - Protected EAP: wraps EAP in a TLS tunnel. Requires a certificate on the server
EAP-TTLS - Extension of PEAP that allows older methods (e.g. PAP) inside the TLS tunnel. Requires a certificate on the 802.1X server only
EAP-TLS - Most secure. Requires certificates on the 802.1X server and on each wireless client
RADIUS Federation - RADIUS servers of several organizations trust each other, so a user authenticates against their home organization's server while visiting another (eduroam is the common example)
A technical solution that forces clients using web browsers to complete a specific process (log in, accept terms, pay) before they are allowed access to a network.
Captive Portal
What two security protocols combine to form the strongest option for wireless networks?
WPA2 using CCMP (AES-based)
A type of attack that removes a wireless client from a wireless network.
Disassociation Attack
This allows users to configure wireless devices without typing in a passphrase. It is susceptible to brute-force attacks on its 8-digit PIN and therefore should be disabled.
WPS - Wifi Protected Setup
Difference between a Rogue AP and an Evil Twin
Rogue AP - An unauthorized access point.
Evil Twin - A rogue AP deliberately set up to look like a legitimate access point (same SSID).
A DOS attack that prevents users from connecting to a wireless network by transmitting noise or another radio frequency on the same frequency as the network.
Jamming Attack
A type of attack that attempts to discover the pre-shared key from the initialization vector (IV). WEP is susceptible. The attack succeeds when the encryption system reuses an IV.
IV attack (initialization vector attack).
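The IV reuse condition on this card can be demonstrated directly. This is an added example, not from the original flashcards: it models WEP's construction (RC4 keyed with IV || shared key) using a textbook RC4 implementation; the ICV is omitted, and the key, IV and messages are constructed values. Two packets encrypted under the same IV share a keystream, so XORing the ciphertexts cancels the keystream and any known plaintext exposes the other packet.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), included only to model WEP's stream cipher."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-packet key: the 24-bit IV is prepended to the shared key.
    The IV is transmitted in the clear next to the ciphertext, so an observer
    can tell which packets share one (ICV/CRC-32 omitted in this model)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return rc4(iv + shared_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same IV + same key => same keystream, so c1 ^ c2 == p1 ^ p2.
    With p1 known (e.g. a predictable header), p2 falls out directly."""
    return xor(xor(c1, c2), known_p1)


def recover_keystream(c: bytes, known_p: bytes) -> bytes:
    """Equivalently, one known plaintext yields the keystream for that IV,
    which then decrypts every other packet sent under the same IV."""
    return xor(c, known_p)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\xaa\xbb\xcc"                   # constructed IV, reused below
    p1 = b"AAAAAAAAAAAAAAAA"               # packet with known content
    p2 = b"secret payload!!"               # packet the attacker wants
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    print(recover_from_iv_reuse(c1, c2, p1))   # b'secret payload!!'
```

With only 2^24 IVs and no rule against reuse, a busy WEP network repeats IVs within hours, which is what makes the attack practical; CCMP derives a fresh nonce per packet and never reuses one under the same key.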
A type of attack that eavesdrops communication between mobile devices
NFC Attack - Near Field Communication
Define Bluejacking, Bluesnarfing, Bluebugging
Bluejacking - unauthorized messages are sent to devices. Harmless
Bluesnarfing - attacker gains access to information on bluetooth device
Bluebugging - attacker gains access and control of device.
A type of attack that captures data sent between two entities and later resends it to impersonate one of them
Replay attack - WPA with TKIP is susceptible to this attack.
RFID attacks include the following
Sniffing or eavesdropping
Replay
DoS
A dedicated device used by large organizations to provide VPN capabilities
VPN Concentrator - placed in the DMZ.
A method of encrypting data in transit that supports both transport and tunnel mode.
IPsec
IPsec supports two modes. Which one is used in a VPN?
Transport and tunnel. Tunnel mode is used for VPNs: it protects the entire original IP packet, whereas transport mode protects only the payload.
IPsec provides security in three ways. What are they?
AH - Authentication Header. IP protocol number 51. Provides authentication and integrity.
ESP - Encapsulating Security Payload. IP protocol number 50. Provides authentication, integrity, and confidentiality (encryption).
IKE - Internet Key Exchange. UDP port 500 (UDP 4500 when NAT traversal is in use). Authenticates the peers and negotiates the keys.
Which tunneling protocol uses TLS, and on what port?
Secure Socket Tunneling Protocol (SSTP). TCP 443.
Split Tunnel vs Full Tunnel
Split - The VPN client is configured to encrypt only traffic destined for the private network; other traffic goes directly to the internet.
Full - All traffic is routed through the tunnel and encrypted.
A VPN configuration in which two geographically separated networks are connected by two VPN servers
Site-to-site VPN
VPN configuration that can be both site to site and remote access VPN
Always on VPN
Provides a way to monitor and inspect computers to mitigate the risks of remote access to a private network. Can also inspect internal clients.
NAC - Network Access Control
What happens when a client does not meet the health conditions set by a NAC?
Client goes to remediation network aka quarantine network
A type of NAC agent that is installed on a client and stays on the client in order to streamline NAC from remote connections
Permanent Agent
A type of NAC agent that is downloaded and run on the client when the client logs on remotely
Dissolvable Agent.
What are the 7 remote access authentication mechanisms?
PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
MS-CHAP
MS-CHAPv2
(RADIUS) Remote Authentication Dial-In User Service
DIAMETER
Terminal Access Controller Access-Control System Plus (TACACS+)
What is PAP
Password Authentication Protocol - runs over Point-to-Point Protocol (PPP); not secure because the password is sent in cleartext.
What is CHAP
Challenge Handshake Authentication Protocol - also runs over PPP but is more secure because it uses hashing: the server sends a challenge and the client replies with a hash of the challenge and the shared secret, so the secret itself never crosses the link.
What are MS-CHAP and MS-CHAPv2?
Microsoft versions of CHAP. MS-CHAPv2 adds mutual authentication (the client also verifies the server).
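PAP versus CHAP as an added example, not from the original flashcards. The PAP packet is modelled as a plain byte string rather than real PPP framing, while the CHAP response follows RFC 1994: MD5(Identifier || secret || challenge). The shared secret, user name and password are constructed values; the last function shows why a captured CHAP response cannot be replayed against a fresh challenge, which is the property PAP lacks.

```python
import hashlib
import hmac
import os

# --- PAP (RFC 1334): the credentials cross the link as-is. ---

def pap_request(user: bytes, password: bytes) -> bytes:
    """Model of a PAP Authenticate-Request: what a sniffer on the link sees."""
    return b"PAP|" + user + b"|" + password


def pap_verify(packet: bytes, expected_user: bytes, expected_password: bytes) -> bool:
    _, user, password = packet.split(b"|", 2)
    return hmac.compare_digest(user, expected_user) and \
        hmac.compare_digest(password, expected_password)


# --- CHAP (RFC 1994): the secret is proven via a hash, never transmitted. ---

def chap_challenge(length: int = 16) -> bytes:
    """Server side: a fresh random challenge for every authentication."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over Identifier || secret || challenge (RFC 1994 sec. 2)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with its own copy of the secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def replay_captured_response(secret: bytes, captured: bytes) -> bool:
    """An attacker who sniffed a valid CHAP response tries it against the
    server's next challenge. Returns whether the server accepted it."""
    new_identifier, new_challenge = 2, chap_challenge()
    return chap_verify(new_identifier, secret, new_challenge, captured)


if __name__ == "__main__":
    secret = b"correct horse battery staple"     # constructed shared secret
    pkt = pap_request(b"alice", b"hunter2")
    print("PAP on the wire:", pkt)               # password readable in cleartext

    ident, challenge = 1, chap_challenge()
    resp = chap_response(ident, secret, challenge)
    print("CHAP on the wire:", challenge.hex(), resp.hex())   # no secret visible
    print("CHAP accepted:", chap_verify(ident, secret, challenge, resp))
    print("Replay accepted:", replay_captured_response(secret, resp))   # False
```

CHAP still requires the server to store the secret in a recoverable form (the hash must be recomputable), and MD5 over a short secret is offline-crackable from a sniffed challenge/response pair, which is why it is normally wrapped in a TLS tunnel (PEAP, EAP-TTLS) rather than used bare.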
What is RADIUS
A centralized authentication (AAA) service that runs over UDP. Also used as the 802.1X server with WPA/WPA2 Enterprise mode.
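What RADIUS actually does to protect the password it carries over UDP: an added example, not from the original flashcards, implementing the User-Password hiding of RFC 2865 section 5.2 and the Response Authenticator of section 3. The shared secret, password and Request Authenticator are constructed values. Only the password attribute is hidden; user name and other attributes travel in cleartext, which is why TACACS+ encrypting the entire payload is a meaningful difference.

```python
import hashlib


def _pad16(password: bytes) -> bytes:
    """RFC 2865: the password is padded with NULs to a multiple of 16 (max 128)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    return password + b"\x00" * (-len(password) % 16)


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: b1 = MD5(S + RA), c1 = p1 ^ b1;
    for later blocks bi = MD5(S + c(i-1)), ci = pi ^ bi."""
    assert len(request_auth) == 16, "Request Authenticator is 16 bytes"
    padded = _pad16(password)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor16(padded[i:i + 16], b)
        out += c
        prev = c                      # chaining on the previous cipher block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream derivation, then strip the NUL padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, length: int,
                           request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 sec. 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Lets the NAS check that the Access-Accept/Reject came from a server that
    knows the shared secret and that the attributes were not altered."""
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


if __name__ == "__main__":
    secret = b"testing123"                      # constructed shared secret
    request_auth = bytes(range(16))             # constructed; real ones are random
    hidden = hide_user_password(b"hunter2", secret, request_auth)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", unhide_user_password(hidden, secret, request_auth))
```

The construction is MD5-based obfuscation keyed only by the shared secret, so a weak or widely shared secret lets a sniffer on the NAS-to-server path recover passwords offline; RADIUS deployments should either use a long random secret per client and an IPsec/TLS-protected path, or carry the password inside an EAP tunnel so that the RADIUS packet never holds it in this form.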
What is TACACS+
Terminal Access Controller Access-Control System Plus - Cisco's alternative to RADIUS. It encrypts the entire authentication payload (RADIUS hides only the password), uses multiple challenges and responses between client and server, and runs over TCP port 49. Can be used with Kerberos.
What is Diameter
An extension of RADIUS with more capabilities. It uses TCP (or SCTP) instead of UDP.
What remote access authentication systems are AAA protocols
AAA - Authentication Authorization Accounting.
RADIUS
Diameter
TACACS+
Kerberos is not an AAA protocol: it provides authentication but does not do accounting.