Chapter 12 Network Security Flashcards
1
Q
What is Defense in Depth?
A
Defense in depth is using multiple layers of security controls to ensure the failure of a single control is unlikely to cause a breach.
2
Q
What is purpose of the OSI model?
A
The purpose of the OSI model is to conceptually describe how devices and software operate together through networks
3
Q
OSI Model Structure
A
The 7 layers are divided into two groups, the host layers and media layers. Layers 1-3 are the media layers used to transmit bits that make up network traffic. Layers 4-7 are the host layers that ensure data transmission is reliable and manageable.
- Physical Layer
- Data Link Layer
- Network Layer
- Transport Layer
- Session Layer
- Presentation Layer
- Application Layer
4
Q
What is Network Segmentation?
A
Network Segmentation is the division of networks into logical or physical groups. The most common concept used for network segmentation is a VLAN. These included DMZs, intranets, and extranets.
5
Q
What is a DMZ?
A
a DMZ is a perimeter network that protects and adds an extra layer of security to an organizations internal LAN from untrusted traffic.
6
Q
Intranet vs. Extranet
A
Intranet is a network where employees communicate, collaborate, etc. an Extranet is similar but provides controlled access to authorized customers vendors partners or other outsiders.
Ex. Workbench is an intranet, new Intellink is an extranet.
7
Q
What is the concept of zero trust?
A
Zero trust is the assumption that threats will come from both inside and out, nobody is trusted regardless of position or location.
8
Q
What is a NAC?
A
Network Access Control tech focuses on whether a system or device should be allowed to connect to a network.
9
Q
What is the difference between agent vs. agentless based NAC?
A
Agent based NAC requires installation and adds complexity and maintenance but provides more control.
Agentless based NAC installations are lightweight and easier to handle for users whose machines may not be centrally managed, but it provides less detail.
10
Q
What is Port Security?
A
Port Security allows you to limit the number of MAC addresses that can be used on a single port.
11
Q
What are CAM tables and what do they do?
A
Content Addressable Memory tables map MAC addresses to IP addresses allowing a switch to send traffic to the correct port.
12
Q
What is a CAM table overflow?
A
CAM table overflows
If the CAM table doesn’t have an entry, the switch will attempt to determine what port the address is on, broadcasting traffic to all ports if necessary. Attackers who can fill a CAM table can make switches fail over to broadcasting traffic making otherwise inaccessible traffic visible on their local port.
13
Q
What is the job of a switch?
A
Switches take information that comes from one port and pass it along to another port.
14
Q
What is a MAC address
A
A MAC address is essentially the physical equivalent of an IP address. Every network enabled device has a network adapter (NIC), and the MAC address is that devices unique hardwired address.
15
Q
What is the best way to prevent CAM overflow attack?
A
- turn the fucking switch off
2. Port Security (limit the amount of MAC addresses each port can have)
16
Q
What is a CAM table overflow attack?
A
CAM table overflow attack is when a flood of bogus MAC addresses is sent to the switch. The flood causes the switch to dump the valid addresses it has into it CAM database tables in attempt to make room for bogus info. After that happens, the switch’s default behavior is to broadcast private messages to all ports.
17
Q
What is Loop Prevention?
A
Loop Prevention focuses on detecting loops and then disabling ports to prevent the loops from causing issues.
STP is a layer 2 network protocol used to prevent looping within a network.
18
Q
What is a broadcast storm?
A
Broadcast storm occurs when a loop in a network causes traffic amplification to occur as switches try to figure out where traffic should be sent.
19
Q
How to prevent broadcast storm?
A
storm prevention prevents broadcast packets from being amplified, which goes hand in hand with loop prevention. enable STP on switches and rate-limit broadcast traffic.
20
Q
What is BPDU
A
Bridge Protocol Data Unit is a data message transmitted across a LAN to detect loops in the network.
21
Q
What is BPDU Guard?
A
BPDU Guard protects STP by preventing ports that should not send BPDU messages from sending them.
22
Q
What is DHCP Snooping?
A
DHCP snooping is a layer 2 security technology that drops DHCP traffic determined to be unacceptable. DHCP Snooping prevents unauthorized (rogue) DHCP servers from handing out IP addresses to clients. It can be configured to drop messages where the source MAC and the hardware MAC of a network card do not match.
DHCP Snooping occurs on SWITCHES!!!
23
Q
What is a port mirror?
A
A port mirror sends a copy of all traffic sent to one switch port to another switch port for monitoring.
24
Q
What is a Switch Port Analyzer (SPAN)?
port mirror sends copy of all traffic from one switch port to another switch port for monitoring
A
A SPAN does the same thing as a port mirror, but a SPAN can also combine traffic from multiple ports to a single port for analysis.
25
What is a VPN?
A virtual private network is a way to create a private network that allows endpoints to act as though they are on the same network.
It's easy to think about a VPN as an encrypted tunnel, but encryption is NOT a requirement of a VPN tunnel.
26
What are the two types of VPNs?
IPSec VPN
| SSL VPN
27
IPSec VPN
IPSec VPNs require a client and can operate in tunnel or transport mode.
operate at level 3 (network layer).
28
IPSec VPNs Tunnel vs. Transport Mode
In tunnel mode, entire packets of data sent to the other end of the VPN connection are protected.
In transport mode, the IP header is not protected but the IP payload is.
29
What is a SSL VPN?
A VPN that uses SSL or more commonly TLS.
Like IPSec VPNs, SSL VPNs can offer tunnel mode but can also be used without a client or specific endpoint configuration normally required for IPSec VPNs.
30
VPN Considerations: Remote or Site-to-Site?
Remote access VPNs are often used for traveling staff or remote workers, and are use "as needed".
Site-to-Site VPNs are always on so if they disconnect they immediately try to reconnect.
31
VPN Considerations: Split Tunnel vs. Full Tunnel?
Full tunnel VPN sends all network traffic through the VPN tunnel, keeping it secure as it goes to the remote trusted network.
A split tunnel VPN only sends traffic intended for systems on the remote trusted network through the VPN tunnel. Split tunnel VPNs use less bandwidth, but the traffic is not protected by the VPN and cannot be monitored.
32
What is a jump server/jump box?
A jump box is a system on a network used to access and manage devices in a separate security zone.
Jump boxes are frequently used with SSH or RDP and should be configured to create and maintain a secure audit trail.
33
What is a load balancer?
Load balancers are used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching.
34
What are the two major load balancer modes of operation?
Active/active
| active/passive
35
Load balancers: active/active vs. active/passive
Active/Active LBs distribute the load among multiple systems that are online and in use at the same time.
Active/Passive LBs bring backup systems online when an active system is removed or fails to respond. this is more likely to be part of disaster recovery/business continuity system.
36
What is load balancer scheduling?
| What are the most common methods?
load balancing algorithms that decide where traffic is sent to.
- round robin sends each request to servers by working through a list with each server receiving traffic in turn
- least connection sends traffic to the server with the fewest number of active connections.
- agent-based adaptive balancing monitors the load to determine a servers ability to respond and updates the load balancers traffic distribution based on agent reports.
- Source IP hashing uses a hash of the IP source to assign traffic to servers. This is essentially a randomization algorithm using client driven input.
37
Load Balancing Weighted Scheduling
weighted least - connection uses a least connection algorithm combined with a predetermined weight value for each server
fixed weighted - relies on a preassigned weight for each server, often based on capability or capacity.
weighted response time combines the server's current response time with a weight value to assign it traffic
38
What is a proxy server?
A proxy is an intermediary between the client and the server.
39
Forward vs. Reverse Proxy
Forward proxies accept requests from clients and send them to servers.
Reverse proxies sit behind the firewall in a private network and direct clients to appropriate servers, and are used to help with load balancing and caching.
40
NAT Gateways
NAT gateway is a device that provides the network address translation and tracks which packets should be sent to each device. (home internet router). a NAT can act like a firewall.
41
NAT gateway vs. Proxy
NAT gateway works at the network layer (3) while a proxy works at the application layer (7). NAT is transparent to various apps, whereas a proxy must resort to the IP address of the proxy server.
42
Content/URL filter
Content filters are devices or software that allow or block traffic based on content rules. this can be done on proxies, firewalls, IPS, etc.
43
What is DLP
Data Loss Prevention is ensuring data isn't extracted or inadvertently sent from a network. DLPs can use pattern matching, tagging, block traffic, send notifications, or force encryption.
44
What is IDS/IPS?
Intrusion Detection/Prevention Systems are used to detect threats and in the case of IPS, block them.
Both can be deployed in passive mode, where they can report but not take action. An IPS in passive mode is essentially an IDS.
45
What are the three IDS/IPS detection methods?
1. Signature based (relies on hash or signatures of a known threat)
2. Heuristic, or behavior based (specific patterns or actions that match threat behavior)
3. Anomaly based detection (establishes baseline for an organization then flags when out of the ordinary behavior occurs).
46
What is an HSM?
Hardware Security Modules are used to generate, store, and manage cryptographic keys. They can also handle cryptographic processing allowing servers to offload CPU intensive tasks to dedicated hardware.
47
What is a firewall?
A firewall is a network security system that monitors and controls incoming and outbound network traffic based on predetermined security rules.
48
Stateless vs. Stateful Firewall
Stateless Firewalls (packet filters) filter every packet based on data such as the source, destination IP, port or protocol. They are the most basic type of firewall.
Stateful Firewalls (dynamic packet filters) can make decisions about traffic, allowing it to continue when approved rather than filtering every packet. Info is tracked in a state table.
49
What is a NGFW?
Next Generation Firewalls can be described as all in one network security devices. Capabilities include inline deep packet inspection, IDS/IPS functionality, antivirus and antimalware.
50
What is a WAF?
Web Application Firewalls help protect apps by filtering and monitoring HTTP traffic between apps and and the internet. WAFs can help protect agains XSRF/XSS, File Inclusion, SQL injection. Think of a WAF as a firewall combined with a IPS. Layer 7 defense (application layer).
51
What is a UTM?
Unified Threat Management devices include firewalls, IDS/IPS, antimalware, URL and email filtering and security, DLP, VPN.
InfoSec approach where a single hardware/software installation provides multiple security functions.
52
UTM vs. NGFW
UTM appliances provide out of the box policies, management and deployment, while NGFW appliances cater to organizations that wish to customize security policies and prefer manual reporting and management.
53
What is Out of Band Management?
out of band management is having a separate means of accessing administrative interface. This is a separate channel of communication that does not travel over the usual data stream.
54
What are ACLs
Access Control LIsts are set rules used to filter or control network traffic. ACLs are closely tied to firewalls. Cloud services provide network ACLs, VPCs can do the same.
55
What is QoS?
Quality of Service is the ability to ensure an application service or network traffic is prioritized and able to meet its designed purposes. Can allow delivery of important traffic even if network is under attack.
56
Route Security
Remember that the internet is made up of independent interconnected networks and there is no single authority responsible for it. Internet routing protocols negotiate and monitor routes.
57
What is the purpose of routing protocols?
Networks rely on routing protocols to determine which path traffic should take to other networks. Network routing protocols include BGP, RIP, OSPF, and EIGRP. s
58
What is DNS?
Domain Name System is the phonebook of the internet. DNS translates domain names into IPs.
59
What is DNSSEC?
DNSSEC is a security extension used to close some of the gap on DNS since DNS itself is not a secure protocol.
60
What is a DNS Sinkhole?
DNS sinkholes are servers configured to provide incorrect answers to specific DNS queries. this allows admins to cause malicious and unwanted domains to resolve to a harmless address, and can allow logging to help identify infected systems.
61
What is SSL/TLS?
SSLTLS is an encryption protocol for establishing a secure link between network computers.
62
What are ephemeral keys?
A key is called ephemeral if it is generated for each execution of a key establishment process. in ephemeral diffie-hellman exchanges, each connection receives a unique temporary key. This way, if the key is compromised, past or future communications remain secure.
63
IPv4 vs. IPv6
IPv6 relies on ICMP far more heavily which means habitual security practices is a bad idea.
64
What is ICMP?
Internet Control Message Protocol is a supporting protocol in the IP suite. It is the supporting protocol for the IP suite. it is used by network devices to send error messages and operational information.
65
Monitoring Services Tiers
1. Validate whether a service port is open and responding.
2. Interact with the service and identify a valid response.
3. Look for indicators of likely failure and use broad range of data to identify pending problems.
66
What is the best File Integrity Monitor?
Tripwire
67
What is a honeypot?
System intentionally configured to look vulnerable but are heavily instrumented and monitored systems that will document everything an attacker does while retaining copies of every file and command they use.
68
What is a honeynet?
A honeynet is a network of honeypots set up and instrumented to collect info about network attacks.
69
What is a honeyfile?
Honeyfiles are intentionally attractive files that contain unique data left in an area an attacker is likely to visit if their attack succeeds. This way if the data from the honeyfile is detected leaving the network or later found outside the network, the company knows they've been breached.
70
What is fake telemetry data?
fake telemetry data is part of deception efforts and provides additional targets for attackers, same concept as a honeyfile.
71
What are secure protocols for voice and video?
videoconferencing often relies on HTTPS, but secure versions of SIP (SIPS) and RTP (SRTP) are also used.
72
What is a secure replacement for Network Time Protocol (NTP)?
NTS, but it's not widely in use. NTS relies on TLS. it does not protect the actual time data, but focuses on authentication.
73
What are secure email and web traffic protocols?
Secure versions include HTTPS, IMAPS (993), POPS (995), DMARC, DKIM, and SPF.
74
What are secure file transfer protocols?
Unsecure FTP has been replaced by HTTPS (443), SFTP (22) and FTPS (989/990).
75
What is a secure directory protocol and what port is it on?
LDAPS, port 636.
| LDAPS is LDAP wrapped in TLS which offers confidentiality and integrity protection.
76
What replaced telnet and what ports are each on?
Telnet (port 23) was replaced by SSH (secure shell) which is on port 22.
Remote access tech, including shell access, was one done by telnet is now replaced by SSH. Microsoft RDP (3389) is encrypted and can be used as well.
77
What is a secure alternative to domain name resolution and what port?
DNSSEC port 53
| **Domain name resolution remains a security challenge.
78
What routing and switching protocols are available?
BGP is unsecure
79
What is a network allocation protocol?
DHCP port 67/68 does NOT offer a secure protocol, network protection relies on detection and response rather than a secure protocol.
80
What protocols lack secure options?
DHCP, NTP, BGP.
81
What is DNSSEC?
DNS security extension, ensures DNS info is not malicious but does not provide confidentiality. It uses digital signatures, and can be used to build a chain of trust for IPSec keys or SSH fingerprints.
82
What is SNMPv3?
Simple Network Management Protocol version 3 improves on previous versions of SNMP (161,162) by providing authentication, integrity validation, and confidentiality via encryption.
83
What is SNMP?
simple network management protocol is an internet protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.
port 161-162
84
what is SSH
SecureShell is used for remote console access to devices and is a secure alternative to telnet.
Often used as a tunneling protocol, or to support others like SFTP. can use SSH keys, which are used for authentication.
85
What is HTTPS?
Underlying HTTP protocol relies on TLS to provide security.
86
What is SRTP?
Secure Real Time Protocol is a secure version of RTP, which is designed to provide audio and video stream via networks.
Does so by using encryption and authentication to reduce the chances of successful attacks like replay and DoS.
87
What are unsecured email protocols?
Unsecured POP (110) and IMAP (143,993) are still in use, with secure versions wrapped in TLS.
88
What is S/MIME?
Secure Email Protocol
Secure Multipurpose Internet Mail Extension provides the ability to encrypt and sign MIME data providing for CIA & non-rep.
89
Why is S/MIME not in widespread use?
it REQUIRES a certificate.
90
What is the most commonly used email access protocol?
HTTPS, because most email is accessed via the web.
91
What are secure FTP protocols?
SFTP (22) and FTPS (989/990)
FTPS uses TLS
SFTP uses SSH
SFTP is easier to get through firewalls since FTPS can require additional ports.
92
What are the two IPSec protocols in Sec+?
AH and ESP
| Authentication Header and Encapsulated Payload
93
What is AH?
Authentication Header is an IPSec protocol that uses hashing and shared secret key to ensure integrity of data and validate senders by authentication of IP packets. Ensures IP payload and headers are protected.
94
What is ESP?
Encapsulated Security Payload is an IPSec protocol that operates in tunnel or transport mode. In tunnel it protects entire packet. In transport it only protects the payload.
*If ESP is used with AH, it can cause issues for networks that need to change IP or port info.
95
How is IPSec used with VPNs?
IPSec can be used for a VPN in tunnel mode to create a secure connection between two locations.
96
What is an On-Path Attack (man in the middle)?
attackers are between two devices (user and server) and intercept or modify communications between the two. This can be used for SSL Stripping. Think of this like a relay.
97
What is SSL Stripping?
Also known as SSL/HTTP downgrade, SSL Stripping is an attack that removes TLS encryption or otherwise downgrades to a less secure protocol.
98
Where is SSL Stripping most common?
SSL stripping is most common on open wireless networks.
99
Whats the best way to protect against SSL Stripping?
Protect against SSL stripping by configuring system to expect certificates from known CAs.
HTTP Strict Transport Security (HSTS) can be used to prevent downgrades and cookie jacking.
100
What is is a browser based attack?
An on path attack that relies on a trojan to access and modify information sent and received by the users browser.
101
How to protect against browser based on path attack?
Since they require a trojan as a browser plug-in or a proxy, system level security defenses like antimalware tools and system configuration and monitoring.
102
What is domain hijacking?
Changing the registration of the domain.
The result is that the domain settings and config can be changed by an attacker allowing them to take action while appearing to be the legitimate domain holder.
103
What is DNS poisoning?
| also known as DNS spoofing or DNS cache poisoning
when corrupt DNS data is introduced in the DNS cache, causing the name server to return an incorrect result (IP address).
Once a malicious DNS is in the cache, it'll continue to be used until cache is updated. This way it can continue to function even if discovered by IPS/IDS. DNSSEC can help prevent.
104
What is a URL redirection attack?
A vulnerability which allows attacker to force users to an untrusted external site. This is usually done by inserting alternate IP addresses into a systems host file.
105
There are THREE data link layer (2) attacks listed in exam outline. What are they?
ARP address resolution protocol (communication protocol)
MAC Flooding
MAC Cloning
106
What is ARP?
Address Resolution Protocol, is a communications protocol used for discovering link layer address such as a MAC address associated with a given layer address like an IP.
ARP essentially translates/pairs MAC addresses with IP addresses.
107
What type of attack can ARP poisoning be used to initiate?
On-Path attacks by relaying traffic to the target system
| DDoS by causing traffic not to reach destination
108
What tool can detect ARP poisoning?
Wireshark
109
What is MAC flooding?
MAC flooding targets switches by sending so many MAC addresses to the switch that the CAM or MAC table is filled.
110
What can be used to prevent MAC flooding?
Port security, by limiting the amount of MAC addresses that can be learned.
NAC or network Authentication and Authorization can help.
111
What is MAC Cloning?
duplicating MAC address of a device.
112
What tools can help detect MAC cloning?
NAC or other machine authentication and validation can help identify systems that are presenting cloned or spurious MACs.
113
What are the two network based DDoS attack types?
volume based and protocol based
114
What type of attack from chapter 3 does a network based DDoS attack employ?
large scale botnet
115
How can you prevent DDoS attacks?
If your ISP doesn't have DDoS prevention, ensure that your network border security devices do.
116
What is a Volume Based DDoS Attack?
focuses on sheer amount of traffic causing a DoS condition. this can be done with ICMP or UDP floods.
117
UDP vs ICMP packet flood (volume DDoS attack)
UDP doesn't require 3 way handshake like TCP. can be detected by IPS/IDS, manual detection can be done using packet analyzer. (tcpdump or Wireshark).
ICMP is rate limited. ICMP floods, also called ping floods, send massive amounts of traffic that the host will attempt to process.
118
How can an ICMP flood be detected?
manual detection, IPS/IDS.
119
What are protocol based DDoS attacks?
protocol based network DDoS attacks focus on the underlying protocols. the most common is SYN flood.
120
What is an SYN flood?
A network DDoS attack. SYN floods send the first step in a three way handshake and do not respond to the SYN-ACK, thus consuming TCP stack resources.
121
What is an older protocol DDoS attack that's not used anymore?
Ping of death, which targeted TCP stacks. it sent a ping packet too large to be handled.
122
How can you identify a SYN DDoS Attack?
reviewing aimed traffic and noticing the massive numbers of SYN packets being sent without completed handshake.
123
What is OT Attack?
Operational Technology is a DDoS Attack.
OT is the software and hardware that controls devices in factories, powerplants, etc.
OT DDoS is the same as previous DDoS attacks, but the important thing to remember is that OT will typically have less reporting, management, and built-in security.
124
How to prevent OT Attack?
Use isolated VLANS
Limiting ingress/egress of network traffic
preventing unknown devices from being added to VLAN
instrumenting networks
