Chapter 15 - Supplement - Sheet1 Flashcards Preview

CompTIA Network+ > Chapter 15 - Supplement - Sheet1 > Flashcards

Flashcards in Chapter 15 - Supplement - Sheet1 Deck (40)
Loading flashcards...

Public Network

Network that everyone has access to


Private network

network that only select people (perhaps on an ACL) have access to


Network-Based Firewall

what companies use to protect their private network from
public networks. The defining characteristic of this type of firewall is that it’s designed
to protect an entire network of computers instead of just one system. Usually a combination of hardware and software


Host-based Firewall

implemented on a single
machine so it protects only that one machine. This type of firewall is usually a software



Access Control Lists. These reside on your routers and determine by IP addresses which machines are allowed to use those routers and in what direction


What types of attacks to ACLs mitigate against

IP address spoofing inbound, IP address spoofing outbound, DoS TCP SYN attacks, DoS Smurf attacks


How do ACLs mitigate against threats

Using TCP intercept to address DoS TCP SYN attacks, Filtering ICMP messages, inbound, Filtering ICMP messages, outbound, Filtering Traceroute


Standard ACLs

Use only the source IP address to determine allow/deny. Allowing a single IP address allows it to transmit any protocol, any port.


Extended ACLs

Make allow/deny decisions based on more than the source IP


Standard rules for ACLs

Deny any addresses from your internal networks to enter your internal network; Deny any local host addresses (; Deny any reserved private addresses.; Deny any addresses in the IP multicast address range (


Port security

Managing switch security (layer 2) to manage risk on internal networks.


2 examples of port security

Using MAC address filtering to ensure that only a specific address can use a specific port. Using MAC address filtering to ensure that only a group of MAC addresses can access a sensitive area of the network.


Packet Filtering

the ability of a router or a firewall to discard packets that don’t
meet the right criteria


dynamic packet filtering

Firewalls use dynamic packet filtering to ensure that the packets
they forward match sessions initiated on their private side by something called a dynamic
state list or state table, which keeps track of all communication sessions between stations
from inside and outside the firewall


Types of proxies

IP proxy, Web (HTTP) proxy, FTP Proxy, SMTP Proxy,


2 types of network layer firewalls

Statefull and Stateless


Stateless Packet Filter

a basic packet filter doesn’t care about whether the packet it
is examining is stand-alone or part of a bigger message stream. That type of packet filter
is said to be stateless. susceptible to various DoS attacks and IP spoofing


Advantage of stateless over statful firewall

Uses less memory


Stateful packet filtering

stateful firewall is one that keeps track of the various
data streams passing through it. If a packet that is a part of an established connection hits
the firewall, it’s passed through. New packets are subjected to the rules as specified in the


Firewall Scanning Services

Most firewalls are capable of performing scanning services, which means that they scan different
types of incoming traffic in an effort to detect problems. For example, firewalls can
scan incoming HTTP traffic to look for viruses or spyware, or they can scan email looking
for spam



Intrusion Detection System. keeps track of all activity on your network so you can see if
someone has been trespassing


2 ways IDS systems can detect attacks or intrusions

misuse-detection IDS (MD-IDS), anomaly-detection IDS (AD-IDS).



The IDS sends up an alarm only if it recognizes
the fingerprints typical of attackers



An AD-IDS basically watches for
anything out of the ordinary; if it discovers fingerprints where there shouldn’t be any, it will
send out an alert


2 common IDS implementations

Network-Based IDS (Most Common), Host-Based IDS


Well-known vulnerability scanners

NESSUS, NMAP (Network mapper)


Where can a DMZ be placed

A demilitarized zone (DMZ) can be located outside
a firewall, connected directly to the Internet. However, it can also be placed after the


Which two levels of the OSI model can firewalls operate on?

Application, Network


Which level of the OSI model does port security on switches operate on?

Data Link



An intrusion prevention system (IPS) is like an IDS, but with two key differences.
First, it learns what is “normal” on the network and can react to abnormalities even if
they’re not part of the signature database. Second, it can issue an active response such as
shutting down a port, resetting connections, or attempting to lull the attacker into a trap.