Week 7 - Network Access Control and Cloud Security Flashcards

1
Q

What are the 3 categories of components in NAC

A

Three categories of components:

1. Access Requestor (AR):
- Definition: The node attempting to access the network; also called a supplicant or client.
- Examples: Endpoint devices such as workstations, laptops and mobile phones.
- Functions: Initiates the connection and authenticates to the network; reports its posture (patch level, antivirus state, configuration) when asked; where the authentication method supports it, the exchange also yields session keys for protecting the link.

2. Network Access Server (NAS):
- Definition: The access control point at which an AR connects (also called a media gateway or remote access server); it enforces the access decision on the AR's connection.
- Functions: Performs the authentication exchange with the AR, or relays it to a separate authentication/policy server, verifies the claimed identity and applies the resulting policy (admit, restrict or deny).

3. Policy Server:
- Definition: The central server that decides what access an AR should be granted and keeps the decision aligned with enterprise policy.
- Functions: Checks whether the AR's posture meets policy (often by consulting backend systems such as antivirus, patch management or a user directory), determines the access level for the AR, and instructs the NAS to grant the corresponding permissions.
1
Q

What is NAC?

A

NAC (Network Access Control):
- Definition: An umbrella term for managing access to a network.
- Functions:
1. Authenticates users logging in to the network.
2. Determines what data each user can access and what actions they can perform.
3. Examines the health (posture) of the user's endpoint device (e.g., computer, mobile phone) before admitting it.

2
Q

What are the 4 commonly used network access enforcement methods?

A

Network enforcement methods:

1. IEEE 802.1X:
- Description: The most commonly implemented NAC enforcement method.
- Function: A link-layer protocol; the switch or access-point port stays closed to normal traffic until the device is authorized, so authorization happens before the device is even assigned an IP address.
- Authentication: Uses the Extensible Authentication Protocol (EAP) for the authentication exchange.
2. Virtual Local Area Networks (VLANs):
- Description: Logical subgroups within a LAN that segregate network traffic.
- Function: The Network Access Server (NAS) places Access Requestors (ARs) into different VLANs according to the policy decision (for example, a quarantine VLAN for a device that fails a posture check).
- Flexibility: An AR may belong to more than one VLAN, allowing granular control over what it can reach.
3. Firewall:
- Description: A form of NAC that regulates traffic between the enterprise network and ARs.
- Function: Allows or denies traffic according to predefined rules.
4. DHCP (Dynamic Host Configuration Protocol) management:
- Description: Controls the dynamic allocation of IP addresses to devices on the network.
- NAC enforcement: Occurs at the IP layer, through the subnet and IP address the DHCP server hands out.
- Caveat: Easy to deploy, but weak on its own: a device that configures a static address, or spoofs one, bypasses the control, so it is best combined with link-layer enforcement such as 802.1X.
3
Q

What is EAP?

A

EAP (Extensible Authentication Protocol):

  • Definition: EAP, defined in RFC 3748, is a framework for network access authentication rather than a single authentication method.
  • Extensibility:
    • EAP encapsulates a variety of authentication methods (for example EAP-TLS, EAP-TTLS, PEAP) between the Access Requestor (AR, the EAP "peer") and an Authentication Server; a new method can be added without changing the transport.
  • Supported networks:
    • EAP runs directly over the data link layer, without needing IP, on:
      • Point-to-point links (PPP)
      • LANs (as EAPOL, see IEEE 802.1X)
      • Other types of networks

This extensible nature and broad compatibility make EAP a versatile choice for authentication in diverse network environments. The flip side is that the transport guarantees nothing by itself: the security of a deployment is that of the method chosen. RFC 3748 itself notes that MD5-Challenge provides neither mutual authentication nor key derivation, which is why TLS-based methods are what is used in practice.

4
Q

What is the goal of EAP message exchange?

A

The goal of an EAP message exchange is successful authentication, which RFC 3748 defines as the point where:

  • The authenticator decides to allow access by the peer, and
  • The peer decides to use this access.
5
Q

What are the components of an EAP message?

A

EAP message structure (RFC 3748):

  • Code (1 octet): identifies the type of EAP message:
    • Request (1)
    • Response (2)
    • Success (3)
    • Failure (4)
  • Identifier (1 octet):
    • Purpose: Matches a Response to the Request it answers; a Response must carry the same Identifier as the outstanding Request.
  • Length (2 octets):
    • Purpose: Total length of the message in octets, including Code, Identifier, Length and Data; octets beyond Length are link-layer padding and must be ignored.
  • Data (variable):
    • Purpose: Carries the authentication information. In Request and Response messages it begins with a one-octet Type (e.g., 1 = Identity, 3 = Nak, 4 = MD5-Challenge) followed by Type-specific data.
    • Note: Success and Failure messages have no Data field, so their Length is always 4.
6
Q

What are the general ideas of IEEE 802.1X Port-Based NAC?

A

IEEE 802.1X Port-Based NAC:

  • Provides network access control functions for LANs at the level of the individual switch or access-point port.
  • Terminology:
    • Supplicant == peer (in EAP): the device seeking network access.
    • Network access point == authenticator (in EAP): the switch or wireless access point that controls the port; it relays the EAP exchange to the Authentication Server (AS).
  • Uncontrolled port:
    • Purpose: Allows the exchange of Protocol Data Units (PDUs) between the supplicant and the Authentication Server (AS) regardless of the authentication state, so that the authentication itself can take place.
  • Controlled port:
    • Purpose: Carries ordinary network traffic and is opened only once the supplicant is authorized; before that, an unauthenticated device can reach the AS (via the uncontrolled port) but nothing else on the network.
7
Q

What is EAPOL?

A

EAPOL, or EAP over LAN, is the encapsulation defined in IEEE 802.1X for carrying EAP over an IEEE 802 LAN. It runs directly in Ethernet or Wi-Fi frames at the data link layer (EtherType 0x888E), not over IP, which is what lets the exchange take place before the supplicant has an address. EAPOL carries the messages between a supplicant (the device seeking network access) and an authenticator (the switch or access point controlling the port). Its primary function is to transport EAP packets for authentication within LAN environments, plus a few frames of its own for starting, ending and keying the session.

8
Q

What are the common EAPOL data frame types?

A

Every EAPOL frame begins with the same header:
- Protocol version (of EAPOL)
- Packet type (EAP-Packet, Start, Logoff, or Key)
- Packet body length
- Packet body (the payload; empty for Start and Logoff)

EAPOL-EAP (packet type EAP-Packet):
- Definition: The body is an encapsulated EAP packet (Request, Response, Success or Failure); this is the frame type that carries the actual authentication exchange.

EAPOL-Start:
- Purpose: A supplicant can send this instead of waiting for a challenge from the authenticator.
- Function: Tells the authenticator that the supplicant is ready; if nothing answers, the supplicant learns that no authenticator is present on the link.

EAPOL-Logoff:
- Purpose: Returns the port to the unauthorized state when the supplicant is finished using the network.

EAPOL-Key:
- Purpose: Exchanges cryptographic keying information (for example, the 4-way handshake that installs Wi-Fi session keys is carried in EAPOL-Key frames).
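The EAP packet fields listed in the message-structure card and the EAPOL header and frame types above, as one worked example added here (not code from the original page or from any 802.1X implementation): a parser and builder that enforce the RFC 3748 length rules, with the constructed frames in demo() standing in for a captured exchange.

```python
"""Parse and build IEEE 802.1X EAPOL frames and the EAP packets they carry.

Added example, not from the original page. Field layouts follow RFC 3748 (EAP)
and IEEE 802.1X (EAPOL); the frames in demo() are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_ETHERTYPE = 0x888E  # EAPOL rides directly in 802 frames; there is no IP header

# EAPOL Packet Type values (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# EAP Code values (RFC 3748 section 4.1)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODES = {EAP_REQUEST: "Request", EAP_RESPONSE: "Response",
             EAP_SUCCESS: "Success", EAP_FAILURE: "Failure"}

# A few EAP Type values carried in Request/Response Data (RFC 3748 section 5)
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


class ParseError(ValueError):
    pass


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # only Request/Response carry a Type octet
    type_data: bytes


@dataclass
class EapolFrame:
    version: int
    packet_type: int
    body: bytes
    eap: Optional[EapPacket]  # decoded only for EAP-Packet frames


def parse_eap(buf: bytes) -> EapPacket:
    """Decode one EAP packet, enforcing the RFC 3748 length rules."""
    if len(buf) < 4:
        raise ParseError("EAP header is 4 octets")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ParseError(f"unknown EAP Code {code}")
    if length < 4 or length > len(buf):
        raise ParseError(f"EAP Length {length} does not fit in {len(buf)} octets")
    data = buf[4:length]  # octets beyond Length are link-layer padding: ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ParseError("Success/Failure carry no Data, so Length must be 4")
        return EapPacket(code, identifier, length, None, b"")
    if not data:
        raise ParseError("Request/Response must begin with a Type octet")
    return EapPacket(code, identifier, length, data[0], data[1:])


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode the EAPOL header (Version, Packet Type, Body Length) and its body."""
    if len(frame) < 4:
        raise ParseError("EAPOL header is 4 octets")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type not in EAPOL_TYPES:
        raise ParseError(f"unknown EAPOL Packet Type {packet_type}")
    if body_len > len(frame) - 4:
        raise ParseError(f"EAPOL Body Length {body_len} exceeds the frame")
    body = frame[4:4 + body_len]
    eap = parse_eap(body) if packet_type == 0 else None
    return EapolFrame(version, packet_type, body, eap)


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_eapol(packet_type: int, body: bytes = b"", version: int = 2) -> bytes:
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def response_matches(request: EapPacket, response: EapPacket) -> bool:
    """An authenticator accepts only a Response whose Identifier echoes the outstanding Request."""
    return (request.code == EAP_REQUEST and response.code == EAP_RESPONSE
            and request.identifier == response.identifier)


def demo() -> list:
    """Constructed opening of an 802.1X exchange, in wire order."""
    frames = [
        build_eapol(1),                                           # supplicant: EAPOL-Start
        build_eapol(0, build_eap(EAP_REQUEST, 7, 1)),             # authenticator: Request/Identity
        build_eapol(0, build_eap(EAP_RESPONSE, 7, 1, b"alice")),  # supplicant: Response/Identity
        build_eapol(0, build_eap(EAP_SUCCESS, 7) + b"\x00\x00"),  # authenticator: Success + padding
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for f in demo():
        print(EAPOL_TYPES[f.packet_type], f.eap)
```

The two rejections worth noting are a Success frame that carries a Data field and a Length that overruns the buffer; both are caught before any field is trusted, and the two trailing padding octets on the Success frame are ignored as the RFC requires.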

9
Q

What is cloud computing?

A

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

10
Q

What are the three service models in cloud computing?

A

Software-as-a-Service (SaaS):
- Definition: The service provided is the provider's application software running on a cloud infrastructure.
- Explanation: Users access the software through a thin client such as a web browser; they install nothing locally and manage none of the underlying infrastructure.

Platform-as-a-Service (PaaS):
- Definition: The service provided is a development or deployment platform (languages, libraries, services and tools) running on a cloud infrastructure.
- Explanation: Users develop, test and deploy their own applications but do not manage the underlying network, servers, operating systems or storage.

Infrastructure-as-a-Service (IaaS):
- Definition: The service provided is the fundamental computing resources (processing, storage, networks) on which customers deploy and run arbitrary software, including operating systems.
- Explanation: Users control the operating systems, storage and deployed applications, and possibly limited networking components such as host firewalls, but not the underlying physical infrastructure or hypervisor, which remain the provider's responsibility.

10
Q

What are the five essential characteristics in cloud computing?

A

Broad Network Access:
- Definition: Capabilities are available over the network through standard mechanisms.
- Explanation: Services and resources are accessible from heterogeneous client devices (workstations, laptops, mobile phones) and locations.

Rapid Elasticity:
- Definition: Capabilities can be elastically provisioned and released, in some cases automatically, to match demand.
- Explanation: Resources scale up or down quickly, so that to the consumer they appear unlimited and available in any quantity at any time.

Measured Service:
- Definition: Resource usage is monitored, controlled and reported.
- Explanation: Metering (e.g., storage, processing, bandwidth, active accounts) provides transparency for billing, optimization and performance monitoring for both provider and consumer.

On-Demand Self-Service:
- Definition: A consumer can unilaterally provision computing capabilities as needed.
- Explanation: Users provision and manage resources themselves, without requiring human interaction with the provider.

Resource Pooling:
- Definition: The provider's resources are pooled to serve multiple consumers using a multi-tenant model.
- Explanation: Physical and virtual resources such as storage and processing are dynamically assigned and reassigned among consumers, so a consumer generally has no control over the exact location of its resources.

11
Q

What are the 4 deployment methods in cloud computing?

A

Public Cloud:
- Definition: The cloud infrastructure is made available to the general public or a large industry group.
- Ownership: Owned by an organization selling cloud services.
- Responsibility: The provider is responsible for both the cloud infrastructure and the control of data and operations within the cloud.

Private Cloud:
- Definition: The cloud infrastructure is operated solely for one organization.
- Ownership: Managed by the organization itself or by a third party, on or off the organization's premises.
- Responsibility: Where a provider runs it, the provider is responsible only for the infrastructure; control of data and operations stays with the organization.

Hybrid Cloud:
- Definition: A composition of two or more distinct clouds (private, community or public) that remain separate entities but are bound together by technology enabling data and application portability.
- Composition: Public clouds provide some services, private clouds others, for example keeping sensitive data private while running less sensitive workloads publicly.
- Flexibility: Organizations can leverage the benefits of both public and private clouds.

Community Cloud:
- Definition: The cloud infrastructure is shared by several organizations.
- Usage: Supports a specific community that has shared concerns (mission, security requirements, policy, compliance considerations).
- Collaboration: Allows organizations within the community to share resources and achieve common goals.

12
Q

Who are the five major actors in the NIST Cloud Computing Reference Architecture

A

Cloud Consumer:
- Definition: Entity or individual who uses cloud services.
- Role: Consumes cloud services provided by cloud providers.

Cloud Provider (CP):
- Definition: Organization that offers cloud services.
- Role: Provides cloud infrastructure, platforms, or software to cloud consumers.

Cloud Auditor:
- Definition: A party that conducts independent assessments of cloud services, information system operations, performance, and the security of the cloud implementation.
- Role: Verifies, on behalf of cloud consumers, that the provider's controls meet the agreed security, privacy and performance requirements.

Cloud Broker:
- Definition: Manages the use, performance, and delivery of cloud services, and negotiates relationships between CPs and cloud consumers.
- Role: Acts as an intermediary between cloud consumers and providers to optimize cloud service delivery and manage relationships.

Cloud Carrier:
- Definition: Provides connectivity and transport of cloud services from CPs to cloud consumers.
- Role: Facilitates the transmission of data and services between cloud providers and consumers by providing network connectivity and transport services.

13
Q

What are the common cloud security risks and countermeasures?

A

Insecure Interfaces and APIs:
- Risk: Cloud consumers manage and interact with services through the provider's APIs, so the security of everything built on them (including third-party add-ons) depends on those APIs being authenticated, access-controlled and encrypted in transit.
- Countermeasures:
- Analyze the security model of cloud provider (CP) interfaces.
- Ensure strong authentication and access controls are implemented alongside encrypted transmission.
- Understand the dependency chain associated with the API.

Malicious Insiders:
- Risk: Insiders within cloud providers pose security threats.
- Countermeasures:
- Enforce strict supply chain management and conduct comprehensive supplier assessments.
- Specify human resource requirements in legal contracts.
- Require transparency into information security practices and compliance reporting.
- Establish security breach notification processes.

Shared Technology Issues:
- Risk: Weak isolation properties of shared infrastructure in IaaS environments.
- Countermeasures:
- Implement security best practices for installation/configuration.
- Monitor environments for unauthorized changes/activity.
- Promote strong authentication and access control for administrative access.
- Enforce SLAs for patching and vulnerability remediation.
- Conduct vulnerability scanning and configuration audits.

Data Loss or Leakage:
- Risk: Data on shared storage are vulnerable.
- Countermeasures:
- Implement strong API access control.
- Encrypt and protect the integrity of data in transit.
- Analyze data protection at both design and runtime.
- Implement strong key generation, storage, management, and destruction practices.

Account or Service Hijacking:
- Risk: Attackers can obtain user privilege with stolen credentials.
- Countermeasures:
- Prohibit sharing of account credentials.
- Use strong two-factor authentication techniques.
- Employ proactive monitoring to detect unauthorized activity.
- Understand CP security policies and SLAs.

Unknown Risk Profile:
- Risk: By moving to a cloud infrastructure the client cedes control to the CP over matters that affect its security (patch levels, internal security practices, who else shares the infrastructure, how logs are kept) and may have no visibility into them.
- Countermeasures:
- Disclose applicable logs and data.
- Provide partial/full disclosure of infrastructure details (e.g., patch levels, firewalls).
- Implement monitoring and alerting on necessary information.

14
Q

What are the two models of deploying databases in cloud computing environments?

A

Multi-Instance Model:
- Description: Each cloud subscriber (client/user/customer) has a unique Database Management System (DBMS) running on a dedicated virtual machine.
- Control: Subscribers have complete control over role definition, user authorization, and other administrative tasks related to security within their own instance.
- Key Characteristics:
- Dedicated DBMS for each subscriber.
- Enhanced control and customization options.
- Increased isolation and security.

Multi-Tenant Model:
- Description: Predefined database environment shared across multiple tenants (subscribers) by tagging data with a subscriber identifier.
- Control: Relies on the cloud provider to establish and maintain a secure database environment.
- Key Characteristics:
- Shared database environment among multiple tenants.
- Tagging data with subscriber identifiers for segregation.
- Reliance on cloud provider for security measures and maintenance.
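An added example (not from the original page) of what tagging data with a subscriber identifier means in practice and how it fails: an in-memory SQLite table shared by two made-up tenants, a lookup that forgets the tenant tag and so hands one subscriber another subscriber's row, and a tenant-scoped data-access layer that cannot forget it. The multi-instance model is built alongside for comparison. Tenant names, table and rows are constructed.

```python
"""Multi-tenant database isolation: the tenant tag must be enforced on every statement.

Added example, not from the original page. In-memory SQLite with constructed rows
for two made-up tenants, "acme" and "globex".
"""
import sqlite3


def build_shared_db() -> sqlite3.Connection:
    """Multi-tenant model: one table for all subscribers, rows tagged with tenant_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
        [("acme", 100), ("acme", 250), ("globex", 999)],  # constructed sample data
    )
    return conn


def invoice_unscoped(conn: sqlite3.Connection, invoice_id: int) -> list:
    """The classic bug: looks up by primary key alone. Tenant 'acme' asking for id 3
    receives globex's row, because nothing ties the request to a tenant."""
    return conn.execute(
        "SELECT tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchall()


class TenantScoped:
    """Data-access layer bound to one tenant at construction time; every statement
    carries the tag as a bound parameter, so application code cannot omit it."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        self.tenant_id = tenant_id

    def invoice(self, invoice_id: int) -> list:
        return self.conn.execute(
            "SELECT tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        ).fetchall()

    def invoices(self) -> list:
        return self.conn.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()

    def update_amount(self, invoice_id: int, amount: int) -> int:
        """Writes are scoped too: 0 rows change when the id belongs to another tenant."""
        cur = self.conn.execute(
            "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?",
            (amount, invoice_id, self.tenant_id),
        )
        return cur.rowcount


def audit_cross_tenant_access(conn: sqlite3.Connection, tenant_id: str, accessor) -> list:
    """Feed every existing id to `accessor` (a per-id lookup returning (tenant_id, amount)
    rows) and report the ids for which a row tagged with a different tenant came back."""
    leaked = []
    for (row_id,) in conn.execute("SELECT id FROM invoices"):
        for owner, _amount in accessor(row_id):
            if owner != tenant_id:
                leaked.append(row_id)
    return leaked


def build_multi_instance() -> dict:
    """Multi-instance model for comparison: a separate database per subscriber, so
    there is no shared table from which a missing predicate could leak."""
    dbs = {}
    for tenant, amounts in {"acme": [100, 250], "globex": [999]}.items():
        c = sqlite3.connect(":memory:")
        c.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, amount INTEGER NOT NULL)")
        c.executemany("INSERT INTO invoices (amount) VALUES (?)", [(a,) for a in amounts])
        dbs[tenant] = c
    return dbs


if __name__ == "__main__":
    shared = build_shared_db()
    print("unscoped lookup of id 3 by acme:", invoice_unscoped(shared, 3))
    print("scoped lookup of id 3 by acme:  ", TenantScoped(shared, "acme").invoice(3))
```

The audit helper is the check to run against any multi-tenant data layer: enumerate ids as one tenant and confirm that no row tagged with another tenant ever comes back, for reads and for writes.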

15
Q

What are the data protection solutions? Explain.

A

Data Protection Solutions:

  1. Straightforward Solution:
    • Description: Encrypt the entire database and withhold the keys from the provider; to use the data, download the (encrypted) tables, decrypt them locally and work with the results.
    • Strengths:
      • Provides a high level of security: the provider never holds plaintext or keys.
    • Weaknesses:
      • Lack of flexibility: the server cannot search or index, so even a single-record lookup means downloading whole tables.
      • Increases complexity for managing and synchronizing data across multiple devices.
  2. Enhanced Solution:
    • Description: Let the server work with the database in its encrypted form, so that queries can be answered without downloading everything: the client encrypts each record and attaches searchable index values (for example deterministic or bucketed encryptions of key attributes) that the server can match against without decrypting.
    • Strengths:
      • Maintains data security: the provider still sees only ciphertext.
      • Allows more flexibility and agility in accessing and manipulating data.
    • Considerations:
      • Requires encryption, decryption and index-generation logic to be integrated into the client applications or database layer.
      • May require additional computational resources for encryption and decryption processes.
      • Any index the server can match on leaks something (at least which rows share a value and how often), so that leakage has to be weighed against the query flexibility gained.
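The enhanced solution as an added example (not from the original page and not any product's code): the client keeps the keys, the server stores ciphertext plus a keyed equality token per searchable column, and an equality query is answered without downloading the database. It uses only the Python standard library, so the record body is sealed with an HMAC-SHA256 keystream and HMAC tag as a stand-in for a real AEAD such as AES-GCM; that substitution, the key-derivation labels and the sample records are assumptions of the example. The token_histogram method shows the leakage the Considerations bullet warns about.

```python
"""Querying a database that the server holds only in encrypted form.

Added example, not from the original page. Standard library only: the record
body is sealed with an HMAC-SHA256 keystream plus an HMAC tag as a stand-in
for a real AEAD (assumption: a deployment would substitute AES-GCM or similar).
Records and keys are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> bytes:
    """Independent subkey per purpose, so index tokens and record encryption never share a key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


class EncryptedStore:
    """The provider side: sees equality tokens and ciphertext, never keys or plaintext."""

    def __init__(self):
        self.rows = []  # list of (token, sealed_blob)

    def put(self, token: bytes, blob: bytes) -> None:
        self.rows.append((token, blob))

    def find(self, token: bytes) -> list:
        return [blob for t, blob in self.rows if t == token]

    def token_histogram(self) -> dict:
        """What the server can learn: deterministic tokens reveal which rows share a
        value and how many, even though the value itself stays hidden."""
        hist = {}
        for t, _blob in self.rows:
            hist[t] = hist.get(t, 0) + 1
        return hist


class Client:
    """The data owner's side: holds the keys, builds tokens, seals and opens records."""

    def __init__(self, master_key: bytes):
        self.index_key = _derive(master_key, b"equality-index")
        self.enc_key = _derive(master_key, b"record-encryption")
        self.mac_key = _derive(master_key, b"record-mac")

    def token(self, column: str, value: str) -> bytes:
        return hmac.new(self.index_key, f"{column}\x00{value}".encode(), hashlib.sha256).digest()

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ks = _keystream(self.enc_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before decrypting
            raise ValueError("record tampered with or wrong key")
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, nonce, len(ct))))

    def insert(self, store: EncryptedStore, record: dict, indexed_column: str) -> None:
        token = self.token(indexed_column, record[indexed_column])
        store.put(token, self.seal(json.dumps(record, sort_keys=True).encode()))

    def query_eq(self, store: EncryptedStore, column: str, value: str) -> list:
        """Equality query answered by the server on tokens; only matching rows are downloaded."""
        return [json.loads(self.open(b)) for b in store.find(self.token(column, value))]


def demo(master_key: bytes = None):
    """Load three constructed employee records indexed on 'dept'."""
    client = Client(master_key or secrets.token_bytes(32))
    store = EncryptedStore()
    for rec in [{"name": "alice", "dept": "sales", "salary": 70000},
                {"name": "bob", "dept": "sales", "salary": 65000},
                {"name": "carol", "dept": "eng", "salary": 90000}]:
        client.insert(store, rec, indexed_column="dept")
    return client, store


if __name__ == "__main__":
    c, s = demo()
    print(c.query_eq(s, "dept", "sales"))
    print("rows per token as seen by the server:", list(s.token_histogram().values()))
```

A second Client with a different master key gets nothing back for the same query, because its tokens do not match; and flipping one ciphertext byte is rejected by the tag check before any decryption happens.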
16
Q

What is SecaaS?

A

Security Services Provided by Cloud Providers to Enterprises:

Cloud providers offer various security services to enterprises to enhance their cybersecurity posture. These services typically fall under the umbrella of Security as a Service (SecaaS) and may include:

  1. Authentication:
    • Provision of authentication mechanisms such as multi-factor authentication (MFA) and single sign-on (SSO) to verify the identities of users accessing cloud services.
  2. Antivirus:
    • Deployment and management of antivirus software to detect and remove malicious software (viruses, worms, etc.) from systems and networks.
  3. Antimalware/Anti-spyware:
    • Protection against malware and spyware threats by deploying specialized software to detect, prevent, and remove such malicious programs.
  4. Intrusion Detection:
    • Monitoring of network traffic and system activities to identify and respond to potential security breaches or unauthorized access attempts.
  5. Security Event Management:
    • Collection, analysis, and correlation of security events and logs from various sources to detect and respond to security incidents effectively.

Note: SecaaS is a segment of the Software as a Service (SaaS) model, where security-related services are delivered over the cloud to subscribers on a subscription basis. These services are designed to address specific security needs and can be tailored to the requirements of individual enterprises.

17
Q

What are the Cloud Security Alliance Identified Services:

A

Cloud Security Alliance Identified Services:

  1. Identity and Access Management (IAM):
    • Function: Verify the identity of entities and grant access based on verified identities.
  2. Data Loss Prevention:
    • Function: Monitor, protect, and verify the security of data at rest, in motion, and in use to prevent data loss or leakage.
  3. Web Security:
    • Function: Real-time protection including policy enforcement, data backup, traffic control, and Web access control to secure web applications and services.
  4. Email Security:
    • Function: Control over inbound and outbound emails to prevent phishing, malware, and unauthorized data transfer.
  5. Security Assessments:
    • Function: Third-party audits of cloud services to assess and verify compliance with security standards and best practices.
  6. Intrusion Management:
    • Function: Implementation of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) to detect and prevent unauthorized access attempts.
  7. Security Information and Event Management (SIEM):
    • Function: Aggregates log and event data from virtual and real networks, applications, and systems to detect and respond to security incidents.
  8. Encryption:
    • Function: Provides pervasive encryption for data at rest in the cloud, email traffic, client-specific network management information, and identity information.
  9. Business Continuity and Disaster Recovery:
    • Function: Ensures operational resiliency in the event of any service interruptions or disasters by implementing backup and recovery mechanisms.
  10. Network Security:
    • Function: Implements security measures to protect the cloud network infrastructure, including firewalls, intrusion detection/prevention systems, and VPNs.