Security Technologies Flashcards
Firewall
Uses a set of rules defining the traffic types permitted or denied through the device
▪ Software or hardware
▪ Virtual or physical
▪ Host-based or network-based
▪ Can perform Network Address Translation (NAT) and/or Port Address Translation (PAT)
Stateful Firewall
Inspects traffic as part of a session and recognizes where the traffic originated
NextGen Firewall (NGFW)
Third-generation firewall that conducts deep packet inspection and packet filtering
Access Control List (ACL)
Set of rules applied to router interfaces that permit or deny certain traffic
● Switch
o MAC address
● Router
o IP address
● Firewall
o IP address or port
▪ Source/destination IP
▪ Source/destination port
▪ Source/destination MAC
Firewall Zone
▪ Firewall interface in which you can set up rules
● Inside
o Connects to corporate LAN
● Outside
o Connects to the Internet
● Demilitarized Zone (DMZ)
o Connects to devices that should have restricted access from the outside zone (like web servers)
Unified Threat Management (UTM) Device
▪ Combines firewall, router, intrusion detection/prevention system, antimalware, and other features into a single device
Signature-based Detection
Signature contains strings of bytes (a pattern) that triggers detection
Policy-based Detection
▪ Relies on specific declaration of the security policy
Statistical Anomaly-based Detection
Watches traffic patterns to build a baseline
Non-statistical Anomaly-based Detection
▪ Administrator defines the patterns/baseline
● Network-based (NIDS/NIPS)
o A network device protects the entire network
● Host-based (HIDS/HIPS)
o Software-based and installed on servers and clients
▪ Network and host-based systems can work together for more complete protection
Telnet Port 23
Sends text-based commands to remote devices and is a very old networking protocol
▪ Telnet should never be used to connect to secure devices
Secure Shell (SSH) Port 22
Encrypts everything that is being sent and received between the client and the server
Remote Desktop Protocol (RDP) Port 3389
Provides a graphical interface to connect to another computer over a network connection
o Remote Desktop Gateway (RDG)
▪ Provides a secure connection using the SSL/TLS protocols to the server via RDP
● Create an encryption connection
● Control access to network resources based on permissions and group roles
● Maintain and enforce authorization policies
● Monitor the status of the gateway and any RDP connections passing through the gateway
Virtual Private Network (VPN)
▪ Establishes a secure connection between a client and a server over an untrusted public network like the Internet
In-Band Management
Managing devices using Telnet or SSH protocols over the network
Out-of-Band Management
▪ Connecting to and configuring different network devices using an alternate path or management network
▪ Prevents a regular user’s machine from connecting to the management interfaces of your devices
▪ Out-of-band networks add additional costs to the organization
Password Authentication Protocol (PAP)
Sends usernames and passwords in plain text for authentication
Challenge Handshake Authentication Protocol (CHAP)
Sends the client a string of random text called a challenge, which is then encrypted using a password and sent back to the server
MS-CHAP
▪ Microsoft proprietary version that provides stronger encryption keys and mutual authentication
Extensible Authentication Protocol (EAP)
Allows for more secure authentication methods to be used instead of just a username and a password
▪ Use EAP/TLS in conjunction with a RADIUS or TACACS+ server
Virtual Private Networks (VPNs)
Extends a private network across a public network and enables sending and receiving data across shared or public networks
▪ Site to site
▪ Client to site
▪ Clientless
Full Tunnel VPN
Routes and encrypts all network requests through the VPN connection back to the headquarters
Split Tunnel VPN
▪ Routes and encrypts only the traffic bound for the headquarters over the VPN, and sends the rest of the traffic to the regular Internet
● For best security, use a full tunnel
● For best performance, use a split tunnel
Clientless VPN
Creates a secure, remote-access VPN tunnel using a web browser without requiring a software or hardware client
Secure Socket Layer (SSL)
Provides cryptography and reliability using the upper layers of the OSI model, specifically Layers 5, 6, and 7
Transport Layer Security (TLS)
▪ Provides secure web browsing over HTTPS
▪ SSL and TLS use TCP to establish their secure connections between a client and a server
Datagram Transport Layer Security (DTLS)
UDP-based version of the TLS protocol which operates a bit faster due to having less overhead
Layer 2 Tunneling Protocol (L2TP)
Lacks security features like encryption by default and needs to be combined with an extra encryption layer for protection
Point-to-Point Tunneling Protocol (PPTP)
Supports dial-up networks but also lacks native security features except when used with Microsoft Windows
IP Security (IPSec)
Provides authentication and encryption of packets to create a secure encrypted communication path between two computers
Main Mode
Conducts three two-way exchanges between the peers, from the initiator to the receiver
● First Exchange
o Agrees upon which algorithms and hashes will be used to secure the IKE communications throughout the process
● Second Exchange
o Uses a Diffie-Hellman exchange to generate shared secret keying material so that the two parties can prove their identities
● Third Exchange
o Verifies the identity of the other side by looking at an encrypted form of the other peer’s IP address
▪ Authentication methods used
▪ Encryption and hash algorithms used
▪ Diffie-Hellman groups used
▪ Expiration of the IKE SA
▪ Shared secret key values for the encryption algorithms
Quick Mode
Only occurs after IKE already established the secure tunnel in Phase 1 using either main or aggressive mode
● Negotiate the IPSec SA parameters protected by an existing IKE SA
● Establish IPSec SA
● Periodically renegotiate IPSec SAs to maintain security
● Perform additional Diffie-Hellman exchanges, if needed
Aggressive Mode
▪ Uses fewer exchanges, resulting in fewer packets and a faster initial connection than main mode
● Diffie-Hellman public key
● Signed random number
● Identity packet
Diffie-Hellman Key Exchange
▪ Allows two systems that don’t know each other to be able to exchange keys and trust each other
● PC1 sends traffic to PC2 and then RTR1 initiates creation of the IPSec tunnel
Transport Mode
Uses the packet’s original IP header and is used for client-to-site VPNs
▪ By default, the maximum transmission unit (MTU) size in most networks is 1500 bytes
Tunneling Mode
Encapsulates the entire packet and puts another header on top of it
▪ For site-to-site VPNs, you may need to allow jumbo frames
● Transport
o Client to site
● Tunneling
o Site to site
Simple Network Management Protocol (SNMP)
o Managed Device
Any device that can communicate with an SNMP manager known as the management information base (MIB)
o Simple Network Management Protocol (SNMP) is used to send and receive data from managed devices back to a centralized network management station
o Granular
Management Information Base (MIB)
The structure of the management data of a device subsystem using a hierarchical namespace containing object identifiers
Verbose
SNMP traps may be configured to contain all the information about a given alert or event as a payload
SNMPv1 and SNMPv2
Use a community string to give them access to the device as their security mechanism
▪ Default community strings of public (read-only) or private (read-write) devices are considered a security risk
SNMPv3
Provides three security enhancements which added integrity, authentication, and confidentiality to the SNMP protocol
● Integrity
o message hashing
● Authentication
o source validation
● Confidentiality
o DES 56-bit encryption
● Network Logging
o System Logging Protocol (Syslog)
▪ Sends system log or event messages to a central server, called a syslog server
● Security Information Management (SIM)
● Security Event Management (SEM)
● Security Information and Event Management (SIEM)
Traffic Log
▪ Contains information about the traffic flows on the network
▪ Traffic logs allow for investigation of any abnormalities
Application Log
Contains information about software running on a client or server
● Informational
● Warning
● Error
Security Information and Event Management (SIEM)
Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications