Lesson 10 Implementing Network Security Appliances

Question 1

What is Packet filtering

Answer 1

A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept

Question 2

What is Ingress traffic filtering

Answer 2

the concept of firewalling traffic entering a network from an external source such as the Internet

Question 3

What is a stateless firewall?

Answer 3

A type of firewall that does not preserve information about the connection between two hosts

Question 4

What is a stateful inspection?

Answer 4

A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter and more security

Question 5

What is a state table?

Answer 5

Information about sessions between hosts that is gathered by a stateful firewall

Question 6

What is an appliance firewall?

Answer 6

A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance’s firmware.

Question 7

What does a layer 3 firewall do

Answer 7

performs forwarding between subnets. Each interface on the firewall connects to a different subnet and represents a different security zone

Question 8

What does the Layer 2 firewall do

Answer 8

inspects traffic passing between two nodes, inspect and filter traffic on the basis of the full range of packet headers

Question 9

What is a router firewall

Answer 9

A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.

Question 10

Host-based firewall / personal firewall

Answer 10

implemented as a software application running on a single host designed to protect that host only. As well as enforcing packet filtering ACLs, a personal firewall can be used to allow or deny software processes from accessing the network

Question 11

Application Firewall

Answer 11

Software designed to run on a server to protect a particular application such as a web server or SQL server.

Question 12

Network Operating system firewall (NOS)

Answer 12

A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.

Question 13

What is a proxy server

Answer 13

A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.

Question 14

What is a forward proxy

Answer 14

provides for protocol-specific outbound traffic. For example, you might deploy a web proxy that enables client computers on the LAN to connect to websites and secure websites on the Internet. This is a forward proxy that services TCP ports 80 and 443 for outbound traffic

Question 15

caching engines

Answer 15

A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.

Question 16

What is a multipurpose proxy

Answer 16

A proxy configured with filters for multiple protocol types such as HTTP,FTP, and SMTP

Question 17

What is a transparent proxy

Answer 17

A server that redirects requests and responses for clients configured with the proxy address and port.

Question 18

What port does a non-transparent proxy listen on

Answer 18

port 8080

Question 19

transparent (or forced or intercepting) proxy

Answer 19

A server that redirects requests and responses without the client being explicitly configured to use it. Also referred to as a forced or intercepting proxy.

Question 20

What is a reverse proxy

Answer 20

A type of proxy server that protects servers from direct contact with client requests.

Question 21

What are some filter ruleset principles for a packet filtering firewall

Answer 21

1. Block incoming requests from internal or private Ip addresses that have been spoofed
2. Block incoming requests from protocols that should only be functioning at a local network level, such as ICMP, DHCP, or routing protocol traffic
3. Use penetration testing to confirm the configuration is secure. Log access attempts and monitor the logs for suspicious activity
4. Take the usual steps to secure the hardware on which the firewall is running and use of the management interface

Question 22

What is an Intrusion detection system (IDS)

Answer 22

a means of using software tools to provide real-time analysis of either network traffic or system and application logs.

Question 23

What is a Network Based IDS (NIDS)

Answer 23

captures traffic via a packet sniffer, referred to as a sensor. It analyzes the packets to identify malicious traffic and displays alerts to a console or dashboard.

Question 24

What is a NDIS used to identify

Answer 24

used to identify and log hosts and applications and to detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations

Question 25

What is a snort

Answer 25

An open source NIDS, allows the detection engine to identify the very latest threats.

Question 26

What is a Test access point(tap)

Answer 26

A hardware device inserted into a cable to copy frames for analysis.

Question 27

What is an Active tap?

Answer 27

performs signal regeneration

Question 28

What is an Intrusion Prevention System (IPS)

Answer 28

can provide an active response to any network threats that it matches

Question 29

What is a Behavioral-based detection system

Answer 29

A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences

Question 30

What is heuristics?

Answer 30

A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious

Question 31

User and entity behavior analytics (UEBA)

Answer 31

scan indicators from multiple intrusion detection and log sources to identify anomalies. They are often integrated with security information and event management (SIEM) platforms.

Question 32

Network traffic analysis (NTA)

Answer 32

apply analysis techniques only to network streams, rather than multiple network and log data sources

Question 33

Next Generation Firewall (NGFW)

Answer 33

Host or network firewall capable of parsing application layer protocol headers and data (such as HTTP or SMTP) so that sophisticated, content-sensitive ACLs can be developed

Question 34

Unified threat management (UTM)

Answer 34

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

Question 35

Secure Web gateway (SWG)

Answer 35

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

Question 36

Host-based IDS (HIDS)

Answer 36

A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system’s state.

Question 37

File integrity monitoring (FIM)

Answer 37

A type of software that reviews system files to ensure that they have not been tampered with.

Question 38

Web application firewall (WAF)

Answer 38

A firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.

Question 39

Network Monitor

Answer 39

Auditing software that collects status and configuration information from network devices. Many products are based on the Simple Network Management Protocol (SNMP).

Question 40

security information and event management (SIEM)

Answer 40

A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications

Question 41

What is the first task of the SIEM

Answer 41

to collect data inputs from multiple sources

Question 42

What are the three types of log collection

Answer 42

Agent-based
Listener/collector
Syslog
Sensor

Question 43

Agent based log collection

Answer 43

As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage.

Question 44

listener/collector log collection

Answer 44

push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source.

Question 45

Syslog log collection

Answer 45

allows for centralized collection of events from multiple sources. It also provides an open format for event logging messages, and as such has become a de facto standard for logging of events from distributed systems. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations

Question 46

Sensor log collection

Answer 46

collect packet captures and traffic flow data from sniffers.

Question 47

Log aggregation

Answer 47

refers to normalizing data from different sources so that it is consistent and searchable.