Security Technologies (1.5, 2.1, 3.1, 4.1, 4.3 & 4.4) Flashcards
Firewall
o Uses a set of rules defining the traffic types permitted or denied through the device
▪ Software or hardware
▪ Virtual or physical
▪ Host-based or network-based
▪ Can perform Network Address Translation (NAT) and/or Port Address
Translation (PAT)
Stateful Firewall
▪ Inspects traffic as part of a session and recognizes where the traffic
originated
NextGen Firewall (NGFW)
▪ Third-generation firewall that conducts deep packet inspection and
packet filtering
Access Control List (ACL)
▪ Set of rules applied to router interfaces that permit or deny certain traffic
Switch
o Filters on MAC address
Router
o Filters on IP address
Firewall
o Filters on IP address or port
▪ Source/destination IP
▪ Source/destination port
▪ Source/destination MAC
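The ACL and stateful-firewall cards above describe first-match rule evaluation with an implicit deny, plus a state table that lets reply traffic back in. The following is an added example, not from the original flashcards; every rule, address and packet in it is constructed for illustration, and the `Rule`/`Packet`/`StatefulFirewall` names are this example's own.

```python
# Added example (not from the flashcards): a first-match ACL with implicit
# deny, plus the state table a stateful firewall uses to admit return traffic.
# All rules, addresses and packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class StatefulFirewall:
    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.table: Set[Tuple[str, str, str, int, int]] = set()   # flows already permitted

    def filter(self, pkt: Packet) -> str:
        # 1. Reply traffic for a flow we already permitted passes without an ACL lookup;
        #    a stateless packet filter has no such table and would need an explicit rule.
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.table:
            return "permit (established)"
        # 2. Otherwise walk the ACL top-down: the first matching rule wins, so order matters.
        for rule in self.acl:
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.table.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule.action
        # 3. Nothing matched: every ACL ends with an implicit deny.
        return "deny (implicit)"


def demo() -> Dict[str, str]:
    acl = [
        Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),  # outside -> DMZ web server
        Rule("deny", dst="10.0.0.0/8"),                                  # nothing unsolicited into the LAN
        Rule("permit", src="10.0.0.0/8"),                                # LAN hosts may go anywhere
    ]
    fw = StatefulFirewall(acl)
    out = {}
    out["web_in"] = fw.filter(Packet("198.51.100.7", "203.0.113.10", "tcp", 51515, 443))
    out["web_reply"] = fw.filter(Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 51515))
    out["lan_out"] = fw.filter(Packet("10.1.1.5", "198.51.100.20", "tcp", 40001, 443))
    out["lan_reply"] = fw.filter(Packet("198.51.100.20", "10.1.1.5", "tcp", 443, 40001))
    out["unsolicited_in"] = fw.filter(Packet("198.51.100.7", "10.1.1.5", "tcp", 50000, 22))
    out["dmz_ssh"] = fw.filter(Packet("198.51.100.7", "203.0.113.10", "tcp", 50001, 22))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The `lan_reply` packet is the one worth studying: on a stateless ACL it would hit the `deny 10.0.0.0/8` rule, since nothing about the packet itself says it is a reply. The state table is what lets the stateful firewall recognise where the session originated, which is exactly the distinction the Stateful Firewall card draws.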
Firewall Zone
▪ Firewall interface in which you can set up rules
Inside
o Connects to corporate LAN
Outside
o Connects to the Internet
Demilitarized Zone (DMZ)
o Connects to devices that should have restricted access
from the outside zone (like web servers)
Unified Threat Management (UTM) Device
▪ Combines firewall, router, intrusion detection/prevention system, antimalware, and other features into a single device
Signature-based Detection
▪ Signature contains strings of bytes (a pattern) that triggers detection
Policy-based Detection
▪ Relies on specific declaration of the security policy
Statistical Anomaly-based Detection
▪ Watches traffic patterns to build baseline
Non-statistical Anomaly-based Detection
▪ Administrator defines the patterns/baseline
Network-based (NIDS/NIPS)
o A network device protects entire network
Host-based (HIDS/HIPS)
o Software-based and installed on servers and clients
▪ Network and host-based systems can work together for a more complete
protection
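To make the detection-method cards concrete, here is an added example (not from the original flashcards) that puts a signature matcher beside a statistical anomaly detector. The signatures, payloads and per-minute connection counts are constructed for illustration and are not taken from any real IDS ruleset; the `signature_match` and `AnomalyDetector` names are this example's own.

```python
# Added example (not from the flashcards): signature-based detection next to a
# statistical anomaly detector that learns its own baseline.  The signatures,
# payloads and traffic counts are constructed for illustration, not taken from
# any real IDS ruleset.
import re
import statistics
from typing import List, Optional

# Constructed signatures: (name, byte pattern that triggers the alert).
SIGNATURES = [
    ("http-dir-traversal", rb"\.\./\.\./"),
    ("shell-spawn", rb"/bin/sh\s+-c"),
    ("nop-sled", rb"\x90{16,}"),
]
_COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def signature_match(payload: bytes) -> Optional[str]:
    """Return the name of the first signature found in the payload, else None.
    Only known patterns fire: an encoded or mutated variant slips through."""
    for name, rx in _COMPILED:
        if rx.search(payload):
            return name
    return None


class AnomalyDetector:
    """Statistical anomaly detection: learn the mean and standard deviation of a
    metric (here, new connections per minute from one host) during a training
    period, then flag samples more than k standard deviations from that baseline."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, samples: List[float]) -> None:
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples)

    def is_anomalous(self, value: float) -> bool:
        if self.stdev == 0:             # perfectly flat baseline: any change stands out
            return value != self.mean
        return abs(value - self.mean) > self.k * self.stdev


def demo():
    # Signature side: the plain traversal fires, the URL-encoded one does not.
    sig = {
        "plain": signature_match(b"GET /../../etc/passwd HTTP/1.1"),
        "encoded": signature_match(b"GET /..%2f..%2fetc/passwd HTTP/1.1"),
        "benign": signature_match(b"GET /index.html HTTP/1.1"),
        "sled": signature_match(b"\x90" * 32 + b"\xcc"),
    }
    # Anomaly side: a quiet training window, then a burst.
    det = AnomalyDetector(k=3.0)
    det.train([40, 42, 38, 41, 39, 43, 40, 41])      # mean 40.5, stdev 1.5
    anomaly = {"normal": det.is_anomalous(44), "burst": det.is_anomalous(200)}
    return sig, anomaly


if __name__ == "__main__":
    print(demo())
```

The `encoded` case is the practical caveat: a signature only fires on the exact byte pattern it was written for, so an IDS has to normalise (URL-decode, reassemble streams) before matching, or the attacker simply re-encodes the same request. The anomaly detector has the opposite problem; it needs a clean training period, because a baseline learned while an attack is under way treats that attack as normal.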
Telnet Port 23
▪ Sends text-based commands to remote devices and is a very old
networking protocol
▪ Telnet should never be used to connect to secure devices
Secure Shell (SSH) Port 22
▪ Encrypts everything that is being sent and received between the client
and the server
Remote Desktop Protocol (RDP) Port 3389
▪ Provides graphical interface to connect to another computer over a
network connection
Remote Desktop Gateway (RDG)
▪ Provides a secure connection using the SSL/TLS protocols to the server
via RDP
● Creates an encrypted connection
● Controls access to network resources based on permissions and
group roles
● Maintains and enforces authorization policies
● Monitors the status of the gateway and any RDP connections
passing through the gateway
Virtual Private Network (VPN)
▪ Establishes a secure connection between a client and a server over an
untrusted public network like the Internet
Virtual Network Computing (VNC) Port 5900
▪ Designed for thin client architectures and things like Virtual Desktop
Infrastructure (VDI)
Virtual Desktop Infrastructure (VDI)
▪ Hosts a desktop environment on a centralized server
▪ Desktop as a Service (DaaS)
In-Band Management
▪ Managing devices using Telnet or SSH protocols over the network
Out-of-Band Management
▪ Connecting to and configuring different network devices using an
alternate path or management network
▪ Prevents a regular user’s machine from connecting to the management
interfaces of your devices
▪ Out-of-band networks add additional costs to the organization
Authentication
▪ Confirms and validates a user's identity
Authorization
▪ Gives the authenticated user the proper permissions to access a resource
Password Authentication Protocol (PAP)
▪ Sends usernames and passwords in plain text for authentication
Challenge Handshake Authentication Protocol (CHAP)
▪ Server sends the client a string of random text called a challenge; the
client hashes it together with the password and sends the hash back, so
the password itself never crosses the wire
MS-CHAP
▪ Microsoft proprietary version that provides stronger encryption keys and
mutual authentication
Extensible Authentication Protocol (EAP)
▪ Allows for more secure authentication methods to be used instead of just
a username and a password
▪ Use EAP-TLS (certificate-based) in conjunction with a RADIUS or TACACS+ server
Virtual Private Networks (VPNs)
o Extends a private network across a public network and enables sending and
receiving data across shared or public networks
▪ Site to site
▪ Client to site
▪ Clientless
Full Tunnel VPN
▪ Routes and encrypts all network requests through the VPN connection
back to the headquarters
Split Tunnel VPN
▪ Routes and encrypts only the traffic bound for the headquarters over the
VPN, and sends the rest of the traffic to the regular Internet
● For best security, use a full tunnel
● For best performance, use a split tunnel
Clientless VPN
▪ Creates a secure, remote-access VPN tunnel using a web browser without
requiring a software or hardware client
Secure Socket Layer (SSL)
▪ Provides cryptography and reliability using the upper layers of the OSI
model, specifically Layers 5, 6, and 7
▪ All SSL versions (2.0 and 3.0) are deprecated and should be disabled;
TLS is its replacement
Transport Layer Security (TLS)
▪ Provides secure web browsing over HTTP (HTTPS); TLS 1.2 and 1.3 are the
versions to use, while TLS 1.0 and 1.1 are deprecated
▪ SSL and TLS use TCP to establish their secure connections between a
client and a server
Datagram Transport Layer Security (DTLS)
▪ UDP-based version of the TLS protocol which operates a bit faster due to
having less overhead
Layer 2 Tunneling Protocol (L2TP)
▪ Lacks security features like encryption by default and needs to be
combined with an extra encryption layer for protection (typically IPSec,
as L2TP/IPSec)
Layer 2 Forwarding (L2F)
▪ Provides a tunneling protocol for the Point-to-Point Protocol (PPP) but
also lacks native security and encryption features
Point-to-Point Tunneling Protocol (PPTP)
▪ Supports dial-up networks but also lacks native security features except
when used with Microsoft Windows
▪ Even the Windows form (MPPE with MS-CHAPv2) has known weaknesses and is
considered obsolete; prefer L2TP/IPSec, IPSec, or a TLS-based VPN
IP Security (IPSec)
▪ Provides authentication and encryption of packets to create a secure
encrypted communication path between two computers
Confidentiality
● Using data encryption
Integrity
● Ensuring data is not modified in transit
Authentication
● Verifying parties are who they claim to be
Anti-Replay
● The receiver checks the sequence number carried in each AH/ESP packet
and drops duplicates or packets that fall outside its replay window
IPSec Tunnel Establishment Steps
o Key exchange request
o IKE Phase 1
o IKE Phase 2
o Data transfer
o Tunnel termination
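The anti-replay check above is usually implemented as a sliding bitmap window per Security Association (the scheme RFC 4303 describes for ESP). The following is an added example, not from the original flashcards, showing that window in code; the sequence numbers fed to it are constructed for illustration and `ReplayWindow` is this example's own name.

```python
# Added example (not from the flashcards): the anti-replay sliding window an
# IPsec receiver keeps per Security Association.  Bit 0 of the bitmap stands
# for the highest sequence number seen; bit i for (highest - i).
from typing import List


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay
        or has fallen behind the window.  Call this only after the packet's
        integrity check passed, so a forged sequence number cannot poison the window."""
        if seq == 0:
            return False                    # the first packet on an SA is number 1
        if seq > self.highest:
            # New high-water mark: slide the window right by the gap, drop bits
            # that fall off the left edge, and mark the new packet as seen.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                    # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                    # already accepted once: replay
        self.bitmap |= 1 << offset          # late but legitimate (reordered) packet
        return True


def replay_demo(seqs: List[int]) -> List[bool]:
    """Run a sequence of packet numbers through one 64-entry window."""
    win = ReplayWindow(size=64)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sequence: in-order packets, one reordered, one replayed,
    # a jump far ahead, one just inside and one just outside the window.
    for seq, ok in zip([1, 2, 3, 5, 4, 3, 100, 37, 36], replay_demo([1, 2, 3, 5, 4, 3, 100, 37, 36])):
        print(seq, "accept" if ok else "drop")
```

Packet 4 arriving after 5 is accepted (ordinary reordering), while a second copy of 3 is dropped as a replay; after the jump to 100, number 37 is still inside the 64-wide window but 36 is not, so it is dropped even though it was never seen. That last case is why the window size is a tuning knob on high-throughput links.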
Main Mode
▪ Conducts three two-way exchanges between the peers, from the initiator
to the receiver
First Exchange
o Agrees upon which algorithms and hashes will be used to
secure the IKE communications throughout the process
Second Exchange
o Uses a Diffie-Hellman exchange to generate shared secret
keying material so that the two parties can prove their
identities
Third Exchange
o Verifies the identity of the other side by looking at an
encrypted form of the other peer’s IP address
▪ Parameters negotiated for the IKE SA
● Authentication methods used
● Encryption and hash algorithms used
● Diffie-Hellman groups used
● Expiration of the IKE SA
● Shared secret key values for the encryption algorithms
Aggressive Mode
▪ Uses fewer exchanges, resulting in fewer packets and faster initial
connection than main mode
▪ The initiator's first packet already carries:
● Diffie-Hellman public key
● Signed random number
● Identity packet
▪ Sends the peer identity in the clear and, with pre-shared keys, exposes
a hash that can be captured and brute-forced offline, so main mode is
preferred where both ends support it
IKE Phase 2
● Negotiate the IPSec SA parameters protected by an existing IKE SA
● Establish IPSec SA
● Periodically renegotiate IPSec SAs to maintain security
● Perform additional Diffie-Hellman exchanges, if needed (Perfect Forward
Secrecy)
Quick Mode
▪ The exchange used in IKE Phase 2; only occurs after IKE already
established the secure tunnel in Phase 1 using either main or aggressive
mode
Diffie-Hellman Key Exchange
▪ Allows two systems with no prior shared secret to agree on a shared key
over an untrusted network by exchanging only public values
▪ Provides key agreement, not authentication; IKE relies on its
authentication method (pre-shared key or certificates) to prove who the
peer actually is
IPSec Tunnel Lifecycle
● PC1 sends traffic to PC2 and then RTR1 initiates creation of IPSec
tunnel
● RTR1 and RTR2 negotiate Security Association (SA) to form IKE
Phase 1 tunnel (ISAKMP tunnel)
● IKE Phase 2 tunnel (IPSec tunnel) is negotiated and set up
● Tunnel is established and information is securely sent between
PC1 and PC2
● IPSec tunnel is torn down and the IPSec SA is deleted
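The Diffie-Hellman card above is easiest to believe once you see both sides land on the same key, and easiest to respect once you see an attacker in the middle do the same. The following is an added example, not from the original flashcards: it runs an honest exchange and then a man-in-the-middle exchange over a toy-sized prime. The modulus, generator and the Alice/Bob/Mallory roles are this example's own constructions; real IKE uses the RFC 3526 MODP groups, which are far larger.

```python
# Added example (not from the flashcards): a Diffie-Hellman exchange carried
# through end to end, then the same exchange with an active attacker who swaps
# the public values.  DH alone yields a shared key, not trust; IKE's
# authentication step is what stops the second scenario.
import hashlib
import secrets
from typing import Dict, Tuple

P = 2**127 - 1    # Mersenne prime: fine for a demonstration, far too small for real use
G = 5             # generator; toy choice, not an IKE group parameter


def keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Pick a random private exponent and return (private, public = g^private mod p)."""
    priv = secrets.randbelow(p - 3) + 2           # private exponent in [2, p-2]
    return priv, pow(g, priv, p)


def shared_secret(priv: int, peer_pub: int, p: int = P) -> int:
    """(g^b)^a mod p == (g^a)^b mod p, so both sides compute the same number."""
    return pow(peer_pub, priv, p)


def derive_key(secret: int) -> str:
    # Never use the raw DH result directly; push it through a KDF.  SHA-256 stands
    # in here for the PRF-based derivation IKE performs.
    return hashlib.sha256(secret.to_bytes((P.bit_length() + 7) // 8, "big")).hexdigest()


def honest_exchange() -> bool:
    """Alice and Bob exchange public values over the wire and derive matching keys."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_alice = derive_key(shared_secret(a_priv, b_pub))    # Alice only ever sees b_pub
    k_bob = derive_key(shared_secret(b_priv, a_pub))      # Bob only ever sees a_pub
    return k_alice == k_bob


def mitm_exchange() -> Dict[str, bool]:
    """Mallory intercepts both public values and substitutes her own.  Without
    peer authentication neither Alice nor Bob can tell, and Mallory holds a
    valid key with each of them."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    k_alice = derive_key(shared_secret(a_priv, m_pub))    # Alice thinks m_pub came from Bob
    k_bob = derive_key(shared_secret(b_priv, m_pub))      # Bob thinks m_pub came from Alice
    k_m_alice = derive_key(shared_secret(m_priv, a_pub))  # Mallory's key toward Alice
    k_m_bob = derive_key(shared_secret(m_priv, b_pub))    # Mallory's key toward Bob
    return {
        "alice_bob_agree": k_alice == k_bob,        # False: the two ends hold different keys
        "mallory_reads_alice": k_m_alice == k_alice,  # True: Mallory can decrypt Alice's traffic
        "mallory_reads_bob": k_m_bob == k_bob,        # True: and re-encrypt it toward Bob
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("with attacker in the middle:", mitm_exchange())
```

Nothing in the second scenario is detectable from the DH values alone, which is the reason IKE Phase 1 authenticates the peers (pre-shared key or certificate) before the negotiated keys are trusted, and why the Diffie-Hellman group itself has to be large enough that the private exponents cannot be recovered from the public values.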
Transport Mode
▪ Keeps the packet's original IP header and is typically used for
client-to-site (host-to-host) traffic
▪ By default, maximum transmission unit (MTU) size in most networks is
1500 bytes
Tunneling Mode
▪ Encapsulates the entire original packet and puts a new IP header on top
of it, which adds overhead and can push packets past the MTU
▪ For site-to-site VPNs, you may need to allow jumbo frames or lower the
MTU to avoid fragmentation
● Transport
o Client to site
● Tunneling
o Site to site
Authentication Header (AH)
▪ Provides connectionless data integrity and data origin authentication for
IP datagrams and provides protection against replay attacks
Encapsulating Security Payload (ESP)
▪ Provides authentication, integrity, replay protection, and data
confidentiality
▪ In transport mode, use AH to provide integrity for the TCP header and
ESP to encrypt it
▪ In tunneling mode, use AH and ESP to provide integrity and encryption of
the end payload
Simple Network Management Protocol (SNMP)
Simple Network Management Protocol (SNMP) is used to send and receive data
from managed devices back to a centralized network management station
Managed Device
▪ Any device running an SNMP agent that can communicate with an SNMP
manager; the agent exposes its data through a management information
base (MIB)
Granular
▪ Sent trap messages get a unique object identifier (OID) to distinguish each
message as a unique message being received
Management Information Base (MIB)
▪ The structure of the management data of a device subsystem using a
hierarchical namespace containing object identifiers
Verbose
▪ SNMP traps may be configured to contain all the information about a
given alert or event as a payload
SNMPv1 and SNMPv2
▪ Use a community string, sent in cleartext with every request, as their
only access-control mechanism
▪ Default community strings of public (read-only) or private (read-write)
are widely known and considered a security risk; change them or, better,
move to SNMPv3
SNMPv3
▪ Provides three security enhancements which added integrity,
authentication, and confidentiality to the SNMP protocol
Integrity
o message hashing
Authentication
o source validation
Confidentiality
o Encryption of the SNMP payload (originally DES 56-bit; AES should be
used where the device supports it)
System Logging Protocol (Syslog)
▪ Sends system log or event messages to a central server, called a syslog
server
● Security Information Management (SIM)
● Security Event Management (SEM)
● Security Information and Event Management (SIEM)
Client
▪ Device sending the log information to the syslog server
Server
▪ Receives and stores the logs from all of the clients
Traffic Log
▪ Contains information about the traffic flows on the network
▪ Traffic logs allow for investigation of any abnormalities
Audit Log/ Audit Trail
▪ Contains a sequence of events for a particular activity
Application Log
▪ Contains information about software running on a client or server
● Informational
● Warning
● Error
Security Log
▪ Contains information about the security of a client or server
System Log
▪ Contains information about the operating system itself
Security Information and Event Management (SIEM)
o Provides real-time or near-real-time analysis of security alerts generated by
network hardware and applications
▪ Gathers logs and data from all sorts of different systems
Log Collection
o Provides important forensic tools and helps address
compliance reporting requirements
Normalization
o Maps log messages into a common data model, enabling the
organization to connect and analyze related events
Correlation
o Links the logs and events from different systems or
applications into a single data feed
Aggregation
o Reduces the volume of event data by consolidating duplicate
event records and merging them into a single record
Reporting
o Presents the correlated, aggregated event data in real-time
monitoring dashboards for analysts or long-term summaries
for management
SIEM Deployment Options
▪ Software
▪ Hardware
▪ Managed service
SIEM Best Practices
▪ Log all relevant events and filter out anything that is considered to be
irrelevant data
▪ Establish and document the scope of the events
▪ Develop use cases to define a threat
▪ Plan incident responses for given scenarios or events
▪ Establish a ticketing process to track all the flagged events
▪ Schedule regular threat hunting with cybersecurity analysts
▪ Provide auditors and analysts an evidence trail
▪ Syslog protocol uses UDP Port 514 or TCP Port 1468 (TCP Port 6514 for
syslog over TLS)
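The syslog and SIEM cards above list collection, normalization, aggregation and correlation as separate stages. The following is an added example, not from the original flashcards, that runs those stages in order over a handful of syslog lines. The log lines, host names and addresses are constructed for illustration, the message formats are the classic RFC 3164 `<PRI>timestamp host tag: message` layout, and the function names are this example's own.

```python
# Added example (not from the flashcards): a miniature SIEM pipeline run over
# constructed syslog lines: collect/parse, normalize to a common model,
# aggregate duplicates, correlate into an alert.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample input.  PRI 38 = facility 4 (auth) * 8 + severity 6 (info).
RAW_LOGS = """\
<38>Mar 12 10:14:01 fw01 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
<38>Mar 12 10:14:03 fw01 sshd[2201]: Failed password for root from 198.51.100.7 port 50123 ssh2
<38>Mar 12 10:14:05 fw01 sshd[2201]: Failed password for root from 198.51.100.7 port 50124 ssh2
<38>Mar 12 10:14:05 fw01 sshd[2201]: Failed password for root from 198.51.100.7 port 50124 ssh2
<38>Mar 12 10:14:09 fw01 sshd[2203]: Accepted password for root from 198.51.100.7 port 50130 ssh2
<30>Mar 12 10:14:10 web01 nginx: 203.0.113.9 - - "GET /index.html HTTP/1.1" 200
<38>Mar 12 10:15:00 web01 sshd[911]: Failed password for alice from 10.1.1.5 port 40000 ssh2
"""

SYSLOG_RX = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
AUTH_RX = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse(line: str) -> Optional[Dict[str, str]]:
    """Collection: split one raw syslog line into fields; PRI = facility*8 + severity."""
    m = SYSLOG_RX.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {**m.groupdict(), "facility": str(pri // 8), "severity": str(pri % 8)}


def normalize(ev: Dict[str, str]) -> Dict[str, str]:
    """Normalization: map source-specific text onto a common model (event_type, user, src_ip)."""
    auth = AUTH_RX.match(ev["msg"])
    if auth:
        kind = "auth_failure" if auth["result"] == "Failed" else "auth_success"
        return {**ev, "event_type": kind, "user": auth["user"], "src_ip": auth["src"]}
    return {**ev, "event_type": "other", "user": "", "src_ip": ""}


def aggregate(events: List[Dict[str, str]]) -> List[Dict]:
    """Aggregation: collapse exact duplicate records into one record carrying a count."""
    counts = Counter(tuple(sorted(e.items())) for e in events)
    return [{**dict(k), "count": n} for k, n in counts.items()]


def correlate(events: List[Dict], threshold: int = 3) -> List[str]:
    """Correlation: N or more failures from one source, then a success for the same user."""
    alerts = []
    failures = defaultdict(int)
    # Timestamps share one date in this sample, so string order is chronological order.
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src_ip"], e["user"])
        if e["event_type"] == "auth_failure":
            failures[key] += e["count"]
        elif e["event_type"] == "auth_success" and failures[key] >= threshold:
            alerts.append(f"possible brute force: {e['user']} from {e['src_ip']} "
                          f"after {failures[key]} failures")
    return alerts


def run_pipeline(raw: str = RAW_LOGS) -> Dict:
    parsed = [p for p in (parse(line) for line in raw.splitlines()) if p]
    aggregated = aggregate([normalize(p) for p in parsed])
    return {"parsed": len(parsed), "aggregated": len(aggregated), "alerts": correlate(aggregated)}


if __name__ == "__main__":
    print(run_pipeline())
```

The duplicated 10:14:05 line is why aggregation comes before correlation: the count is preserved on the merged record, so the four failures still add up even though only three records remain. A real SIEM does the same thing at scale, with one parser per log source feeding the shared model the correlation rules are written against.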