Week 6 - Network Security Defence Flashcards

Learn about VPNs, TLS, Firewalls and other network security protocols.

1
Q

What is a VPN?

A

A security mechanism that assists in communications over a public or insecure network by making it more secure. It does so by temporarily extending a private network across a public one to send communications.

2
Q

What are two common uses of VPN?

A

Remote access and site-to-site.

3
Q

Explain remote access

A

Remote access lets a single user connect to the protected company network while not currently on that network. Commonly used when a user is working remotely or from home.

4
Q

Explain site-to-site

A

Site-to-site supports connections between two protected company networks. Commonly used when a company has two networks (e.g. a network for each company branch/location) and they need to access each other's resources.

5
Q

What are the three types of VPN?

A

1 Trusted
2 Secure
3 Hybrid

6
Q

Explain how a Trusted VPN works.

A

A private dedicated line maintained by a provider that can be leased to customers to create customisable secure private networks that can only be used by the customer.

7
Q

Explain how a Secure VPN works.

A

Uses protocols and encryption to ensure safe and secure communication between the intended parties over an untrusted public network.

8
Q

Why do we use Secure VPNs over Trusted VPNs?

A

Because Trusted VPNs are very expensive to maintain, and the Internet has become more commonplace as the primary public network.

9
Q

Explain what a Hybrid VPN is.

A

It is a combination of Trusted and Secure VPN techniques.

10
Q

What security mechanisms are used in Secure VPNs?

A

1 Authentication
2 Tunneling
3 Encryption

11
Q

What happens during the authentication protocol stage of Secure VPNs?

A

The client sends a request to the VPN server for a connection to be made.
The VPN server asks the client to identify themselves.
The client authenticates themselves.
If authentication is valid, then the VPN can move forward.

12
Q

What happens during the Tunnelling stage of Secure VPNs?

A

The VPN creates a tunnel on the network.
The data packet is encapsulated in another packet which is addressed using the IP address of the target server.
The data packet is sent through the tunnel to the other network.
The other network removes the layer of encapsulation and extracts the local address in the packet and delivers it to the correct user on the network.

13
Q

What happens during the encryption stage of Secure VPNs?

A

Packets sent through the tunnel created by the VPN are still encrypted with an encryption protocol. This is because although tunnels are secure, they can still be sniffed. The encryption happens in either transport mode or tunnel mode.

14
Q

What is transport mode encryption?

A

Encryption is performed as the data packet is created.

15
Q

What is tunnel mode encryption?

A

When encryption happens as the data packet is being transmitted through the tunnel.

16
Q

What is a digital certificate?

A

A collection of data which associates a public key with a server.

17
Q

What is a certificate authority?

A

A trusted third party who verifies a server belongs to the entity claiming it using a digital certificate and associates the public key with that server.

18
Q

What is a certificate signing request?

A

A request made by an entity to a certificate authority when they want to create a new server. It is a block of text, normally in ASN.1. It contains a public key, the name for the server, the organisation name, the unit/department which is responsible for the server, as well as some other lesser data like details of the person responsible for the server.

19
Q

What does ASN stand for?

A

Abstract syntax notation.

20
Q

What data is contained in digital certificate?

A

A name, the time frame which it is valid for, who it was issued by, the owner's public key, and the certificate authority who signs the certificate.

21
Q

What does a certificate authority do when they receive a certificate signing request?

A

They first authenticate that the server and public key belong to the entity who sent the request. This can be done many ways, e.g. domain validation. Once validated, the authority can take the public key provided in the request and associate it with that company and the certificate.

22
Q

What is domain validation?

A

When an email is sent to an admin responsible for a specific domain, the email should include an authentication token or link. If the link is used then the admin has proved they have a level of access to that domain and thus are validated.

23
Q

How does a client know that a certificate is valid and how to trust the certificate authority?

A

Because computers come pre-installed with a number of certificates on the OS, including VeriSign. This means that the computer already has the public key for VeriSign and thus can encrypt/decrypt valid data from VeriSign.

24
Q

What is TLS?

A

A protocol that allows a client to communicate with a server safely to agree on a symmetric key for encryption and to allow the client to authenticate the server.

25
Q

Where is TLS commonly used?

A

The Internet, to deliver secure https pages.

26
Q

What is TLS the successor to?

A

SSL.

27
Q

What does TLS stand for?

A

Transport Layer Security.

28
Q

What process does TLS use to allow a key to be agreed?

A

It does so by completing a handshake process between the client and server.

29
Q

Explain what happens during a handshake in TLS.

A

The client sends a hello message to the server. This contains the supported cypher suites of the client, and a bunch of possible key shares.

When the server receives this, it sends a ‘server hello’ message. This contains a chosen cypher from the client's list of cypher suites, a key share, its digital certificate, and a finished message. The digital certificate and the finished message are encrypted with a chosen symmetric key.

When the client receives this it calculates the symmetric key from the agreed upon cypher as well as the key shares the server sent back. It then uses this agreed upon key to decrypt the digital certificate and finished message to authenticate the server by verifying the certificate.

After that, if the client is satisfied with the server's authentication, it can then send an encrypted message back to end the handshake and/or to request information or a service from the server.

The server can then send back the encrypted answer to that request.

30
Q

What are supported cypher suites?

A

The cryptography protocols that the client can support. This can include key exchange algorithms, RSA, PSS, Hash function etc.

31
Q

What is a list of key shares?

A

They are a list of values that can be used to agree upon a key over an unsecured channel.

32
Q

What is forward secrecy?

A

A feature that means if at any point a key is compromised, the attacker cannot decrypt any previous communications. This is because the keys are ephemeral, which means that the keys are only used in the context of that communication and no other communication sessions.

33
Q

What are the advantages to TLS 1.3?

A

Forward secrecy

Increased security compared to other versions of TLS

34
Q

Why is TLS 1.3 more secure than its previous versions?

A

It doesn’t allow for the use of less secure cryptographic protocol cyphers.

35
Q

What are Firewalls?

A

A defense mechanism in place to protect networks that prevents incoming attacks to that network/client. You can imagine it as a barrier between your network and an outside insecure network or channels. They can be implemented as software or hardware.

36
Q

What are the two types of approaches to Firewalls?

A

Packet filtering approach

Proxy based approach

37
Q

What is packet filtering?

A

When a firewall filters through inbound and outbound traffic of a network to look for any malicious packets. It does this by putting certain rules on the traffic, which evaluate a packet and determine whether it should be able to pass through the firewall. It does this by looking at packet data like its destination, origin and the protocol used to send it.

38
Q

What are the three things that can happen to a packet going through a firewall?

A

Accepted - it is determined as safe and can pass through the firewall
Denied - it is determined as not safe and sent back to the sender
Dropped - it is determined as not safe and removed from existence

39
Q

Why might a firewall drop a packet instead of denying it?

A

It takes resources and bandwidth to send the packet back to the sender, which can mean it's more trouble than it's worth, so it is often dropped instead.

40
Q

Who is normally responsible for a firewall?

A

The security administrator.

41
Q

How are firewall rules created?

A

Policies must be created first by the security admin, which are then converted into technical statements which can be used by the firewall as rules.

42
Q

What does a firewall rule contain?

A

A name
A protocol
Source IP and port
Destination IP and port
Whether to allow or deny this kind of packet

43
Q

What must you keep in mind when creating rules?

A

You must create a default rule that is applied to a packet if no other rules apply to it.

You must make sure rules do not conflict with each other. You can’t have one rule saying certain traffic should be allowed while another says that same traffic should be denied.

44
Q

What is the proxy based approach for Firewalls?

A

A proxy server is used to act as an intermediary between two networks. Requests are made to the proxy to gain access to the other network, and if the proxy deems the request safe, it passes the packets on. It allows confidentiality between networks by hiding the internal bits of a network from the outside world. An external network will only ever communicate with the proxy server, not the internal network.

45
Q

How many proxy servers does a network need?

A

It needs a server for every service that it provides.

46
Q

What does the proxy server ask the client making an access request to the internal network?

A

What does it want access to, and to verify who they are. If the client does both of these, the proxy server can decide whether or not to pass on its packets.

47
Q

What are some proxy firewall operations?

A

Host IP address hiding
Header destruction
Protocol enforcement

48
Q

What is Host IP address hiding?

A

When a proxy server adds its own IP header to a packet so that the internal network's IP is hidden within the packet. This means any ‘sniffers’ will only see the proxy's IP.

49
Q

What is header destruction?

A

When a proxy server prevents IP header sniffing by destroying the original packet's header and replacing it with its own IP header.

50
Q

What is protocol enforcement?

A

When a proxy server enforces the security of port numbers, by ensuring that port numbers are doing what they are supposed to be doing and are not spoofed. For example, checking that port 80 should be dealing with https requests and is only dealing with one application per server.

51
Q

What is a DMZ?

A

A Demilitarised Zone is a part of a protected network which is in place between the network and an untrusted external network. It manages ‘routes’ between them and provides an extra layer of security by segregating the internal network from the external networks.

52
Q

What architecture does a DMZ use to provide additional security?

A

It uses a two firewall architecture, which means that there is one firewall between it and the internal network and another firewall between it and the external network.

53
Q

How do the networks access each other in a DMZ approach?

A

Internal networks must pass the internal firewall to access the DMZ, and external networks must pass the external firewall to access the DMZ.
These communications do not go past the DMZ to the other networks as it might risk security (the respective firewalls are set to not let them through). Therefore the DMZ provides the necessary resources/services/information from the other network to the network requesting them.

54
Q

What does an IDS do?

A

An intrusion detection system automates the process of monitoring the network for suspicious behaviour and potential violations. It takes necessary steps to prevent those violations before or while they are happening. This combination of measures is referred to as an IDPS technology.

It can also record information about observed incidents, notify admins about incidents and produce reports about the incident.

55
Q

What is the definition of an incident in terms of computer security?

A

It is a suspected, optional or confirmed violation of computer security policies, acceptable use policies and/or standard security practices.

56
Q

Give some examples of a type of security incident?

A

DoS
Malware
Unauthorised access

57
Q

What is an IDPS technology?

A

1) A security technology that detects security events and violations on a network and 2) tries to prevent them.

58
Q

Where are IDPS systems normally implemented?

A

Within a firewall.

59
Q

What are the disadvantages of IDS?

A

It cannot protect against:
o An internal threat
o Social engineering and manipulation of internal users
o Misconfiguration of administrative data

60
Q

What is an SIEM?

A

A security information and event management system is a system that aggregates data from different systems in an organization in order to analyse it and catch potential incidents or cyberattacks. It can alert users when attacks are happening too.

61
Q

Why are SIEM not used as much as they should be?

A

They are cost and resource expensive, and it can often be difficult to resolve problems using SIEM.

62
Q

What are the 4 steps in the SIEM process?

A
1. Collect data from various sources (e.g. network devices, servers etc.)
2. Normalise and aggregate collected data
3. Analyse the data to discover and detect threats
4. Pinpoint security breaches and alert the organisation.

63
Q

What are the two primary capabilities that SIEM provides an incident response team?

A

Reporting and forensic data about the incident

Alerts based on analytics that match a certain rule set, indicating a security issue

64
Q

What is another common use for SIEM instead of data security in organisations?

A

To help the client follow compliance for regulations like HIPAA, PCI, SOX, and GDPR.

65
Q

What are some limitations of SIEM systems?

A

They cannot accurately analyse data without context. If they do not know the context of the data, then they may create alerts for every single piece of suspicious activity, but if given context might realise that some activities were completely warranted. This can lead to false alerts.