Chapter 4 - Securing Your Network Flashcards
HIDS
Host-based Intrusion Detection System. Can monitor all traffic on a single host system such as a server or workstation, and in some cases can detect malicious activity missed by antivirus software.
NIDS
Network-based Intrusion Detection System. Monitors activity on the network perimeter. An admin installs NIDS sensors or collectors on network devices such as switches, routers or firewalls which gather info and report to a central monitoring network appliance hosting a NIDS console.
A NIDS console is installed on a network appliance whereas sensors are installed on network devices like switches, routers or firewalls.
*Cannot detect anomalies on individual servers or workstations unless the anomalies cause a significant difference in network traffic.
Port mirror
Or port spanning - allows admins to configure switches to send all traffic the switch receives to a single port, which you can then use as a tap to send all switch data to a sensor or collector and forward this to a NIDS console.
Signature-based IDS
Monitors based on a database of known vulnerabilities or attack patterns, e.g. a SYN flood attack.
Heuristic/Behavioral Detection
Also called anomaly-based. Starts by identifying a network's regular operation or normal behavior, creating a performance baseline under normal operating conditions.
Then it continuously monitors traffic and compares current network behavior against the baseline, giving an alert of a potential attack when it detects abnormal activity.
SYN Flood Attack
DoS attack where an attacker sends multiple SYN packets but never completes the third part of the three-way handshake with the final ACK packet.
Each uncompleted session consumes resources on the server and can crash the server.
Some servers reserve a certain number of resources for connections, and once the attack consumes these resources the system blocks additional connections.
Honeypot
A server designed to look attractive to an attacker. It's a server that is left open or appears to have been locked down sloppily, allowing an attacker relatively easy access. The intent is for the server to look like an easy target so the attacker spends his time in the honeypot instead of in a live network. In short, it diverts the attacker away from the live network.
Helps (1) deceive attackers and (2) allow observation of an attacker
IDS/IPS
Intrusion Detection System / Intrusion Prevention System.
IDS and IPS need to set the threshold high enough to minimize false positives and false negatives.
IPS = Inline with traffic (traffic passes through it). PREVENTATIVE CONTROL
IDS = out of band
Both have protocol analyzer abilities. IPS can detect/react to/prevent attacks.
IPS and IDS can detect a SYN flood attack and IPS can prevent the attack. Firewalls also often include a SYN flood guard that can detect them and take steps to close the open sessions.
Honeynet
A group of honeypots within a separate network or zone but accessible from an organization’s primary network.
Often created by admins using multiple virtual servers contained within a single physical server. A server creating 6 additional virtual servers will appear as 7 systems on a subnet, and an attacker won't be able to easily determine if the servers are physical or virtual.
Deceive and disrupt!
Honeyfile
A file designed to attract the attention of an attacker such as “passwords.txt” to deceive attackers.
Fake telemetry
Telemetry refers to collecting information such as statistical data and measurements and forwarding it to a centralized system for processing; used in water management, oil and gas drilling systems, etc.
FAKE TELEMETRY corrupts the data sent to monitoring systems and can disrupt a system. EX: natural gas telemetry being disrupted - as usage rises, the pressure drops, and the delivery system automatically raises pressure to ensure customers receive a steady stream of gas. Can be dangerous if disrupted.
WLAN
Wireless Local Area Network.
-WAP: Wireless Access Point. Connects wireless clients to a wired network. Many now have routing capabilities. Vendors now market WAPs with routing capabilities as wireless routers, but there is a distinction:
- All wireless routers are APs. These are APs with an extra capability - routing
- Not all APs are wireless routers. Many APs do not have additional capabilities. They provide connectivity for wireless clients to a wired network but do not have routing capabilities.
SSID
Service set identifier. Simply the wireless network name.
MAC filtering
Media Access Control filtering is related to port security on switches; you can also enable MAC security on routers. It can restrict access to a wireless network to specific clients.
However, an attacker could use a sniffer to discover allowed MAC addresses and circumvent this.
MAC Cloning
Changing the MAC on a PC or device to the same MAC as the WAN port on an internet-facing router, or changing your MAC to that of an authorized system to bypass MAC filtering.
Wifi analyzer
A method of performing a site survey which identifies activity on channels within the wireless spectrum and analyzes activity on the 2.4-GHz and 5-GHz frequency ranges.
Heat map
Another site survey tool, which gives you a color-coded representation of wireless signals, e.g. red may show where the wireless signals are strongest, blue the weakest, where you have dead spots, etc.
Footprinting
Wireless footprinting creates a detailed diagram of APs and hotspots within an organization.
WPA2
Wifi Protected Access 2 replaced earlier, weaker cryptographic protocols like WEP (Wired Equivalent Privacy) and WPA, and uses strong cryptographic protocols like AES (Advanced Encryption Standard) and CCMP (Counter-mode/CBC-MAC Protocol).
PSK vs Enterprise
WPA2 can operate either in open, PSK (pre-shared key) or Enterprise modes. Open mode doesn’t use any security.
In PSK mode, users access the wireless network anonymously with a PSK or passphrase. Doesn't provide authentication.
Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network. Uses an 802.1X server, often implemented as a RADIUS server, which accesses a database of accounts. If users don't have proper credentials, Enterprise mode blocks their access.
The 802.1X server can also provide certificate-based authentication to increase the security of the authentication process.
RADIUS server
Remote Authentication Dial-In User Service server is an authentication server commonly used in networking, particularly in enterprise Wifi environments. Like a guard in front of a building checking IDs.
When you select Enterprise mode, you need to provide 3 pieces of info:
-RADIUS server IP address
-RADIUS port. Default is 1812. Need to enter same port the server is using.
-Shared secret. Similar to a password, different than the user’s password.
WPA3 and SAE
WPA3 is the newest wireless cryptographic protocol and uses Simultaneous Authentication of Equals (SAE) instead of PSK used with WPA2. Just a different secure key exchange protocol, based on Dragonfly key exchange algorithm, and prevents attackers from capturing authentication messages and attempting to crack the PSK.
Wireless Authentication Protocols
Many are built on Extensible Authentication Protocol (EAP), an authentication framework that provides general guidance for authentication methods.
-EAP: provides a method for 2 systems to create a secure encryption key, also known as a Pairwise Master Key (PMK).
-PEAP: Protected EAP, adds an extra layer of security to EAP by encapsulating and encrypting the EAP conversation in a TLS tunnel. Requires a certificate on the server but not the client.
-EAP-FAST: secure replacement for Lightweight EAP (LEAP), supports optional certificates.
-EAP-TLS: one of the most secure EAP standards, only difference with PEAP is EAP-TLS requires certificates on the 802.1X server and the clients.
-EAP-TTLS: uses tunneled TLS, is an extension of PEAP allowing systems to use some older authentication methods such as PAP (Password Authentication Protocol) within a TLS tunnel. Requires a certificate on the 802.1X server but not the clients.
-RADIUS Federation: often used for SSO, includes two or more entities that share the same identity management system. User can log on once, and access shared resources with the other entity without logging on again. You can similarly create a federation with 802.1X and RADIUS servers.
NOTE:
-EAP-FAST supports digital certificates but they are optional.
-PEAP and EAP-TTLS require a certificate on the server but not the clients
-EAP-TLS requires certificates on both the server and clients.
*A CA must issue certificates so an organization must either purchase certificates from a public CA or implement a private CA within the network.
IEEE 802.1X
A port-based authentication protocol that requires users or devices to authenticate when they connect to a specific wireless access point or specific physical port.