2-Technologies and Tools Flashcards
What is the purpose of a Firewall?
To isolate one network from another
Are firewalls hardware or software based?
They can be either
How can firewalls be used internally?
They can segment one area from another, e.g. PCI from R&D
What types of Firewalls exist?
Packet Filtering
Proxy Firewall
Stateful Packet Inspection Firewall
Web Application Firewall
What does a Packet Filtering firewall do?
Allows or blocks traffic based on port (e.g. HTTP on port 80)
No intelligence, but easy to set up.
What does a Proxy firewall do?
Dual-homed firewall
Segments internal users from outside world
Masks IP address using NAT
Caches requests to improve perceived speed
What does a Stateful Packet Inspection firewall do?
Examines packets and keeps packet table of every communication channel
SPI tracks the entire conversation
Only allows packets from known active connections
Possible to attack by overloading the State Table
What does a Web Application Firewall do?
Operates at the application layer
Designed with granular rules specifically to analyze traffic to web servers and prevent typical attacks such as SQL injection, XSS and forged HTTP requests
What is a VPN?
Creates a private network across a public network utilizing tunneling protocols such as L2TP, PPTP, IPsec
What is IPsec?
Internet Protocol Security, used to encrypt VPN traffic
What is an Authentication Header?
Provides authentication and integrity by adding a header to the packet
What is Encapsulating Secure Payload?
Provides confidentiality
Header, trailer and integrity check value (ICV) added to packet
What is a NIDS?
Network Intrusion Detection System
Logs alerts and events
Allows for reactive response/research
What is a NIPS?
Network Intrusion Prevention System
Enables prevention (blocking IP, etc.)
False positives could be an issue
What can NIDS and NIPS be used for?
Log, alert and/or take action when suspicious activity occurs on network.
What is the difference between active and passive systems?
Active systems can take action to prevent an attack
Passive systems record activity for later analysis
What are the components of a NIDS or NIPS and what is their purpose?
Alert - message generated by analyzer indicating an “interesting” event
Analyzer - processes data collected from one or more sensors and looks for suspicious activity
Data Source - raw data being analyzed - log files, audit logs, system logs, network traffic, etc.
Event - indication that suspicious activity may have occurred (can trigger an Alert or notification)
Manager - IDS console used to manage the system
Notification - Process by which operator is alerted to an event or incident
Operator - User, admin, etc.
Sensor - primary data collection point for the IDS
What are the four approaches to IDS?
Behaviour Based - variations in behaviour, increased traffic, etc.
Signature Based - uses attack signatures and audit trails
Anomaly Detection - learns what is normal
Heuristic - utilizes algorithms
What is Passive Response?
Logging issues for later analysis
Notifying admin or kicking off some type of workflow
Shunning or ignoring the attack
What is Active Response?
Issue some type of action
Block Ports
Reset Connections
Configuration changes
What is Deception?
Using a honeypot.
What is a Router?
Connects different networks together and routes traffic between them
Can provide firewall functionality
What is the difference between a static and dynamic route?
Static are programmed manually
Dynamic are learned as routers communicate with each other
What are four common routing protocols?
RIP
EIGRP
OSPF
BGP
What are switches?
Multiport connectivity devices that improve network efficiency
What is Port Security?
Can configure a switch so that it only learns one MAC address per port (can be set to trigger alert)
Can be used in conjunction with 802.1x to strengthen security at the wall jack
What is 802.1x Authentication?
Extensible Authentication Protocol over LAN (EAPOL)
Form of port security
Allows only EAPOL traffic over port until client authenticates with a RADIUS authentication server
What is Loop Protection?
Layer 3 routers implement TTL
Each router hop decrements the TTL
Packet dropped once TTL expires
What is Spanning Tree Protocol?
Typically enabled to prevent layer 2 loops
Switches can also “clamp down” once broadcasts hit a certain percentage
What are Load Balancers?
Dynamically balance the load between devices
Typically servers but can be other devices as well
Hardware or software based
What are the Load Balancing methods?
Affinity
Round-Robin
What is a Web Security Gateway?
Proxy server with advanced features such as virus scanning, DLP, etc.
Can enable granular access to websites, block sites, etc.
What are some basic ways to secure a wireless access point?
Don’t broadcast SSID
MAC filtering
Common-sense administration
What is SIEM?
Security Information and Event Management (SIEM)
Software suites that provide:
Data aggregation
Correlation
Automated alerting and triggers
Time synchronization
Event deduplication
Logs/WORM
What is DLP?
Data Loss Prevention
Detects potential breaches and exfiltration of data
What are common methods of DLP?
Endpoint detection (in use)
Network traffic (in transit)
Data storage (at rest)
Email
USB
Cloud-based