Technologies, Architecture & Design Flashcards
Network Address Translation (NAT)
An IPv4 technique used to link private IP addresses to public ones.
Access control list (ACL)
Lists of users and their permitted actions. Entries can be identified by ID, network address, or token.
Application-based vs. network-based Firewall
- App-based firewalls look at traffic and block/allow actions within applications (even web-connected ones).
- Network-based firewalls operate at the network level and look at IP addresses and ports.
Implicit deny
If it isn’t explicitly allowed, then deny it.
Rule-based management
Defining desired operational states so that they can be represented and enforced as rules.
VPN concentrator
A VPN concentrator is a way of managing multiple VPN conversations on a network while keeping them isolated from each other.
IPSec
IPsec is a set of protocols for securely exchanging packets at the network layer (layer 3).
Tunnel Mode
Tunnel mode means that the data, as well as the source and destination addresses, are encrypted.
Transport Mode
Transport mode encrypts only the data, allowing an observer to see that a transmission is happening. The original IP header is exposed.
Authentication Headers (AH)
Authentication Headers (AH) are a type of header extension that ensure data integrity and authenticity of the data’s origin.
Encapsulating Security Payload (ESP)
Encapsulating Security Payload (ESP) header extensions provide confidentiality but do not help with data integrity.
Split Tunnel vs. Full Tunnel
- Split-tunnel VPNs do not route all traffic through the VPN. This helps avoid bottlenecks that might come from encrypting all traffic.
- A VPN that routes all traffic through the tunnel is called a full-tunnel VPN.
Transport Layer Security (TLS)
Transport Layer Security (TLS) can be used for VPNs, to exchange keys and create secure tunnels for communication.
Always-on VPN
“Always-on” VPNs are pre-configured and connected by default.
NIPS
Network-based intrusion prevention systems. NIPS can take automated action to block an attack, as determined by pre-set rules.
NIDS
NIDS stands for network-based intrusion detection system. These detect, log and respond to unauthorized network usage, either in real time or after the fact.
Signature Based (IDS)
An IDS can be signature-based, meaning it detects intrusion based on known signature definitions.
Heuristic/Behavioral (IPS/IDS)
“Normal” behavior is defined, and behavior that falls outside those bounds is considered malicious or bad.
This can have a high false-positive rate.
Anomaly (IDS)
Anomaly-based detection is similar: it looks for traffic that is anomalous compared with known “normal” behavior.
Inline vs. Passive (IDS)
IDS can be inline, meaning it monitors data as it flows through the device, or passive, meaning that it copies off the data and examines it offline.
In-Band vs. Out-of-Band (IDS)
An IDS can be in-band, meaning that it examines data and can take action within that system (if something looks bad, don’t send it along). An out-of-band IDS cannot.
Security Information and Event Management (SIEM)
- SIEM stands for security information and event management.
- SIEM systems are hardware and software meant to analyze aggregated security data.
Aggregation (SIEM)
Aggregation of data: event logs, firewall logs, security logs, application logs.
Correlation (SIEM)
Correlation, meaning that events or behaviors can be related based on time, common events, etc.
Automated Alert and Triggers (SIEM)
Automated alerts and triggers: you can set rules to alert you based on certain patterns. Your SIEM can have automated reactions, too.
Time Synchronization (SIEM)
SIEMs can render events in UTC and local time(s).
Event deduplication (SIEM)
SIEMs can remove redundant event info so that the signal-to-noise ratio is better.
Data Loss Prevention (DLP)
DLP (Data Loss Prevention) refers to methods of detecting and preventing unauthorized transfers of data across an organization.
USB Blocking (DLP)
USB blocking: either physically disabling the ports, or a software-based solution.
Cloud Based (DLP)
Cloud-based DLP gets harder, since you have to move some data to and from the cloud.
E-Mail (DLP)
Organizations might disallow or scan email attachments.
Network access control (NAC)
- Used to help large organizations manage network connections.
- Network Access Protection (NAP) is the Microsoft option, Network Admission Control (NAC) is the Cisco option.
Dissolvable vs. permanent (NAC)
NAP- or NAC-related agents can be permanently deployed to a host. They can also be dissolvable, meaning that they are used (and discarded) on an as-needed basis.
Host Health Checks (NAC)
Run health checks on a host before letting it connect to the network.
Mail Gateway
- Mail gateways are machines that process email packets on a network.
- They also filter spam, manage data loss and handle encryption.
Spam Filter
Gateways can filter spam by blacklisting known spam sources.
Bridge
- Bridges work at layer 2 and connect two separate network segments.
- This can play into security concerns because traffic separation can keep sensitive information more sequestered.
SSL/TLS Accelerator
Encryption takes time and processing power. SSL/TLS accelerators are dedicated devices that help alleviate encryption bottlenecks within organizations.
SSL Decryptor
SSL decryptors allow for traffic screening. They’re effectively a man-in-the-middle attack, and decrypt information, check it, and then re-encrypt and forward it.
Media Gateway
Media gateways are machines meant to handle different media protocols, including translating from one protocol to another.
Hardware Security Module
Hardware security modules (HSMs) are devices meant to manage or store encryption keys.