Security+ 5 Flashcards
MAC flooding: Switches have memory set aside to store the MAC address to the port translation table, known as the Content Addressable Memory table, or CAM table. A MAC flood can send numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch. If this is successful, the switch changes state to what is known as fail-open mode. At this point, the switch broadcasts data on all ports the way a hub does. This means two things: First, that network bandwidth will be dramatically reduced, and second, that a mischievous person could now use a protocol analyzer, running in promiscuous mode, to capture data from any other computer on the network.
MAC Flooding …
Network address translation (NAT) is the process of changing an IP address while it is in transit across a router. This is usually implemented so that one larger address space (private) can be remapped to another address space, or single IP address (public).
(NAC) does this by setting the rules by which connections to a network are governed. Computers attempting to connect to a network are denied access unless they comply with rules pertaining to levels of antivirus protection, system updates, etc … Persistent agents are installed on the target device and can be used over and over again. Dissolvable agents provide for one-time authentication and are then deleted. Agentless NAC systems are also available but they offer less control and fewer inspection capabilities.
NAT/NAC
(CASB)—a software tool or service that acts as the gatekeeper between the two, allowing the company to extend the reach of its security policies beyond its internal infrastructure.
To secure file servers (and the rest of the servers on this list), employ hardening, updating, anti-malware applications, software-based firewalls, hardware-based intrusion detection systems (HIDSs), and encryption, and be sure to monitor the server regularly.
A network controller is a server that acts as a central repository of user accounts and computer accounts on the network. All users log in to this server. For Windows domain controller, really the only way to keep it protected (aside from the preventive measures mentioned for file servers) is to install specific security update hot patches for the OS, even if the latest service pack has been installed.
info …
Email Servers : New attacks and exploits are constantly surfacing because e-mail servers are a common and big target with a large attack surface. For spam, a hardware-based spam filter is most effective (such as one from Barracuda), but software-based filters can also help. To protect the integrity and confidentiality of e-mail-based data, an admin should consider DLP and encryption. Security could also come in the form of secure POP3 and secure SMTP. While TLS is normally used as a secure channel for the e-mail connection, text and metadata can at times be sent as clear text. A solution to this is for the operating system to use a symmetrical key to encrypt the data payload.
Email Servers info …
FTP : TCP port 21 (secure version FTPS ports 989/990)
SSH : TCP/UDP port 22
Telnet : TCP/UDP port 23
SMTP : TCP port 25 (secure SMTP w/SSL/TLS port 465/587)
TACACS+ : TCP/UDP port 49
DNS : TCP/UDP port 53
TFTP : UDP port 69
HTTP : TCP port 80
Kerberos : TCP/UDP port 88
POP3 : TCP port 110 (secure POP3 w/TLS/SSL port 995)
NNTP : TCP port 119 (transports Usenet articles)
RPC/epmap/dcom-scm : TCP/UDP port 135 (locates DCOM ports also known as RPC)
NetBIOS : TCP/UDP port 137-139
IMAP : TCP port 143 (secure port 993)
SNMP : UDP port 161
SNMPTRAP : TCP/UDP port 162
LDAP : TCP/UDP port 389 (secure port 636)
SMB : TCP port 445
Syslog : UDP port 514 (secure port 6514)
ISCSI : TCP port 860
Ms-sql-s : TCP port 1433 (opens queries to Microsoft SQL server)
L2TP : UDP port 1701 (VPN w/no security often used w/IPsec)
PPTP : TCP/UDP port 1723 (VPN w/built in security)
RADIUS : UDP ports 1812/1813
FCIP : TCP/UDP port 3225 (Fibre Channel)
RDP : TCP/UDP port 3389
Diameter : TCP/SCTP port 3868 (AAA protocol can replace RADIUS)
Ports and Protocols Etc …
In explicit mode, the FTPS client must explicitly request security from an FTPS server and then mutually agree on the type of encryption to be used. In implicit mode, there is no negotiation, and the client is expected to already know the type of encryption used by the server. In general, implicit mode is considered to be more secure than explicit mode.
Fraggle: Similar to the Smurf attack, but the traffic sent is UDP echoes. The traffic is directed to port 7 (Echo) and port 19 (CHARGEN). To protect against this attack, again, configure routers not to forward packets directed to broadcast addresses, employ network filtering, and disable ports 7 and 19. These ports are not normally used in most networks.
info #2 …
DNS amplification attack. Amplification attacks generate a high volume of packets ultimately intended to flood a target website. In the case of a DNS amplification attack, the attacker initiates DNS requests with a spoofed source IP address. The attacker relies on reflection; responses are not sent back to the attacker, but are instead sent “back” to the victim server. Because the DNS response is larger than the DNS request (usually), it amplifies the amount of data being passed to the victim. An attacker can use a small number of systems with little bandwidth to create a sizable attack. However, a DNS amplification attack can also be accomplished with the aid of a botnet, which has proven to be devastating to sections of the Internet during the period when the attack was carried out. The primary way of preventing this attack is to block spoofed source packets. It can also be prevented by blocking specific DNS servers, blocking open recursive relay servers, rate limiting, and updating one’s own DNS server(s) often. Finally, make use of the Domain Name System Security Extensions (DNSSEC), which are specifications that provide for origin authentication and data integrity.
DNS Amplification Attack …
A DNS sinkhole is a DNS server that can be configured to hand out false information to bots, and can detect and block malicious traffic by redirecting it to nonroutable addresses. However, the sinkhole can also be used maliciously to redirect unwary users to unwanted IP addresses and domains. A DNS blackhole is similar; it can be used to identify domains used by spammers, domains that contain malware, and so on, and block traffic to those domains. It can also be remotely triggered (known as a RTBH). A DNS blackhole list (DNSBL) is a published list of IP addresses within DNS that contains the addresses of computers and networks involved in spamming and other malicious activity such as DDoS attacks initiated by botnets. The list can be downloaded and used on an organization’s DNS server to help block zombie computers and botnets.
DNS Sinkhole …
Session theft: Can be accomplished by making use of packet header manipulation (see Lesson 5, “Application Security”) or by stealing a cookie from the client computer, which authenticates the client computer to a server. This is done at the application layer, and the cookies involved are often based off their corresponding web applications (such as WWW sessions). This can be combated by using encryption and long random numbers for the session key, and regeneration of the session after a successful login. The Challenge Handshake Authentication Protocol (CHAP) can also be employed to require clients to periodically re-authenticate. However, session hijacking can also occur at the network layer—for example, TCP/IP hijacking.
Session Theft …
Blind hijacking: When an attacker blindly injects data into a data stream without being able to see whether the injection was successful. The attacker could be attempting to create a new administrator account or gain access to one.
Watering hole attack: This targeted attack is when an attacker profiles the websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is then injected with a JavaScript or other similar code injection that is designed to redirect the user when the user returns to that site (also known as a pivot attack). The user is then redirected to a site with some sort of exploit code.
info #3 …
