Domain 4 Flashcards
1
Q
Open System Interconnections (OSI)
A
The Open System Interconnections (OSI) reference model was defined in 1984 and published as ISO/IEC 7498-1 The (OSI) reference model is structured into 7 layers: - Layer 7 - Application. - Layer 6 - Presentation. - Layer 5 - Session. - Layer 4 - Transport. - Layer 3 - Network. - Layer 2 - Data Link. - Layer 1 - Physical.
2
Q
The TCP/IP Model
A
The TCP/IP Model (also known as the Department of Defence - DoD) reference model, is structured into four layers:
- Layer 1: Link Layer
- Layer 2: Internet Layer
- Layer 3: Transport Layer
- Layer 4: Application Layer.
3
Q
Layers Characteristics
A
Layers reference specific functions.
- Layers provide Encapsulation
- Layers provide Abstraction
- Layers provide decoupling.
4
Q
IP Convergence
A
IP Convergence is the use of the Internet Protocol (IP) for transmitting different types of traffic (e.g. voice, data, music, video, TC, teleconferencing) over single network.
- Introduces standardization.
- Reduces the number of service Providers.
- Reduces the number of service providers.
5
Q
Non-IP Networking
A
TCP/IP is the communications protocol of the Internet. To transverse the Internet, non-IP networking protocols must either be encapsulated. translatable, or used for non-Internet niche purpose.
6
Q
Multi-protocol Label Switching (MPLS)
A
Multi-protocol Label Switching (MPLS) is a scalable, protocol- independent transport technique for high performance networks.
- Operates between OSI Layers 2 and 3
- Data packets are assigned labels (tags)
- MPLS label edge routers (LER) make packet-forwarding decisions based on the short packet-label contents and quality of service (QoS) requirements.
7
Q
Distributed Network Protocol (DNP3)
A
Distributed Network Protocol (DNP3) is an open standard-based communications protocol used between components in process automation systems.
- Operates at Layers 2, 4 and 7.
- Used primarily in the electric, water, waste water transportation, oil, and gas industries.
- DNP3 was developed to meet the need fro a standard protocol that would allow SCADA system components developed by differing vendors.
8
Q
Fiber Channel over Ethernet (FCoE)
A
Fiber Channel over Ethernet (FCoE) is a Layer 2 standard-based protocol that allows Fibre Channel frames to be carried over Ethernet links.
- FCoE, network (IP), and storage (iSCSI) data traffic can be consolidated using a single network.
- FCoE is not routable at the IP layer.
9
Q
Wireless Modes
A
- Ad Hoc: peer-to-peer relationship.
- Infrastructure Mode: topology includes wireless devices, access points, and wired routes connected to the Internet.
10
Q
WPAN
A
Wireless Personal Area Network A.K.A Bluetooth. 802.15 Standard.
Interconnects devices within a limited range (e.g. keyboards)
11
Q
WLAN
A
Wireless Local Area Network.
802.11 Standard
12
Q
WMAN
A
Wireless Metropolitan Area Network.
802.16 Standard.
13
Q
WWAN
A
Wireless Wan Area Network.
Point-to-Point microwave links.
14
Q
802.11
A
Rate: 2 Mbps
Frequency: 2.4 GHz
Distance: 100m
15
Q
802.11b
A
Rate: 11 Mbps
Frequency: 2.4 GHz
Distance: 140m
16
Q
802.11a
A
Rate: 54 Mbps
Frequency: 5.0 GHz
Distance: 120m
17
Q
802.11g
A
Rate: 54 Mbps
Frequency: 2.4 GHz
Distance: 140m
18
Q
802.11n
A
Rate: 150 Mbps
Frequency: 2.4 GHz / 5.0 GHz
Distance: 250m
19
Q
802.11i
A
Security for 802.11 technologies.
20
Q
802.11e
A
Quality of Service (QoS) for priority and time sensitive data.
21
Q
802.11 Security Protocols
A
- WEB
- WPA
- WPA2
22
Q
WEP
A
- Authentication: Preshared key (PSK) or open.
- Key: 64- or 128-bit key . All users and services use the same key.
- Encryption: RC4 Stream Cipher
- Integrity: 32-bit CRC Hash
- Status: Insecure
23
Q
WPA
A
- Authentication: Enterprise RADIUS, Certificate or Personal PSK
- Key: Separate keys (TKIP) 256-bit key
- Encryption: RC4 Stream Cipher
- Integrity: 64-bit MIC
- Status: Temporary Fix. Superseded by WPA2
24
Q
WPA2
A
- Authentication: Enterprise RADIUS, Certificate or Personal PSK
- Key: Separate keys 256-bit key and block size.
- Encryption: AES Block Cipher
- Integrity: CCMP
- Status: Current standard Vulnerability if using Wi-Fi Protected Setup (WPS)
25
Wi-Fi Protected Setup
Created by the Wi-Fi alliance and introduced in 2006, the goal was to make it easy to add new devices to an existing network without entering long passphrases.
- The PIN flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the networks WPA.WPA2 per-shared key .
26
War Driving
War Driving is the physical scanning for unprotected wireless networks.
27
War Chalking
War Chalking is marking a physical area to indicate a free, open, and/or insecure wireless network access point.
28
Bluejacking
Bluejacking - Bluetooth Discovery.
| - Enables an attacker to send an unsolicited/unwanted message to a Bluetooth device.
29
Bluesnarfing
Bluesnarfing - Bluetooth Authentication.
| - Discovering and connecting to a Bluetooth device with weak or non-existent authentication requirements.
30
Blueborne
Blueborne - Device Takeover
| - Exploits protocol weakness.
31
NFC (Near Field Communication) Bump
NFC (Near Field Communication) Bump
| - Enables an NFC-enabled attacker to connect to an NFC device by being in close enough range.
32
Evil Twin
Rogue access point with the same SSID,
- Enables an attacker to "trick" a user into connecting to a an attacker controlled network.
- May also impersonate a "captive portal" to capture credentials and/or payment information.
- Can be used as a stepping store to a MiTM attack
33
Transmission Characteristics.
- Throughput
- Signal Strength
- Environmental sensitivity (EMI and RFI)
- Temperature fluctuations.
- Interceptions capabilities (emanation)
34
Emanations Secuirty (EMSEC)
Attacker scan use radio signals, sounds, and vibrations, to obtain information. Protection mechanisms include shielding, filtering, and masking.
- Fiber optic has no electromagnetic protection standards.
35
TEMPEST
TEMPEST is a National Security Agency and NATO emanation certification program that includes both classified and unclassified protection standards.
36
Ethernet
Ethernet is defacto physical layer networking technology.
- Ethernet is a Carrier Sense Multiple Access / Collision Detection (CSMA/CD) Protocol.
- Current versions include Fast Ethernet (100 Mbps), Gigabit Ethernet (up to 100 Gbit/s) and Terabit Ethernet (above 100 Gbit/s).
37
Hubs
Hubs re-transmit a signal received on one connection point to all ports. Level 1 devices.
38
Repeaters
Repeaters amplify signals. Level 1 devices.
39
Bridges / Wireless Access Points
Bridges, Wireless Access Points filter traffic based on MAC address, amplify signals, and can connect dissimilar media.
40
Switch
Switches are used to create connections between two ports and eliminate collisions.
41
Routers
Routers forward packets using IP addresses and routing protocols.
42
Port Security
Port Security is a dynamic feature that can be used to limit and identify the MAC addresses of the stations that allow access to the same physical network.
43
Virtual Local Area Networks (VLAN)
Virtual Local Area Networks (VLAN) management allows for the software configuration of endpoints to be logically grouped together even if they are not attached to the same network switch.
44
Network Latency
Network Latency is an expression of how much time it takes for a packet of data to get from one designated point to another.
45
Throughput
Throughput is the quality of useful work made by the system per unit of time.
46
Network-based IDS/IPS
Network-based IDS/IPS analyzes and reports on network traffic. A network-based IPS (NIPS) can take responsive action.
A network IDS/NIPS can be situated out-of-band or in-band.
47
Firewalls
The primary objective of a firewall is to isolate network segments by controlling ingress and egress access.
- Firewalls are preventive controls because they can be configured to restrict ingress and egress network traffic, repel known attacks, manage nonreturnable IP addresses, and anonymize internal addresses.
- Firewalls can also be detective controls, because they can be configured to log events and to send alerts.
48
Firewall Security Features
- Packet Filtering
- Access Control List
- State
- Application layer Filtering
- Network Address Translation.
49
Types of Firewall Filters
- Malware
- File Type
- Anti-Spam
- Message Content
- DLP
- URL
50
Proxy Server
A Proxy Server is an intermediary machine, between a client and a server, which is used to filter or cache requests made by the client.
- A proxy server can be single purpose - supporting one protocol, (e.g http) or multi-purpose - supporting multiple protocols.
51
Normal / Forward Proxy
```
The Clients (browsers) are configured to send requests to the proxy server.
- The proxy server receives the requests, fetches the content and stores a copy for future use (Cache)
```
52
Transparent Proxy
The same as forward proxy except that the client (browser) does not need to be configured. The proxy server resides on the gateway and intercepts requests.
53
Reverse Proxy
A Reverse Proxy appears to the client just like an ordinary web server.
- The proxy caches all the static answers from the web server and replies to the clients from its cache to reduce the load on the web server.
- This type of setup is also known as Web Server Acceleration.
54
Web Security Gateway
A Web Security Gateway is an appliance that operates as a proxy and can filter content, enforce rules, and inspector malicious content at the application level.
55
A network Segment within a trusted segment
Enclave
56
Network Access Control (NAC)
Network Access Control (NAC) is an agent or agentless approach to network security that attempts to unify endpoint security technology, user or system authentication, and network security enforcement.
57
NAC Agents
- Persistent or Permanent: Installed on a device and runs continuously.
- Dissolvable: Downloads and runs when required. (one time authentication and then disappears).
- Agentless: Integrates with a directory services (e.g. Active Directory)
58
NAC Policies
NAC pre-admission policies determines if a device is allowed on the network and if so, what segment based on host health (e.g. AV, patch level, firewall and IDS status, configuration settings)
- NAC post-admission policies regulate and restrict access once the connection is allowed.
59
Endpoint Firewalls
Endpoint Firewalls (known as local, host-based, or software firewall) is a proactive boundary for the local device that monitors and restricts ingress and egress access.
60
Endpoint IDS/IPS
Endpoint IDS/IPS (known as HIDS) monitors and analyzes local behavior as well as network connectivity and can (if IPS functionality is available) be configured to take a corresponding action.
61
Voice over IP (VoIP)
Voice over IP (VoIP) is the transmission of voice traffic over IP-based networks instead of using traditional analog circuits.
62
IP Convergence
IP as the standard transport for transmitting all information.
63
IP Telephony
Full suite of VoIP enabled services previously provided by a PBX.
64
H.323
H.323 was the first widely adopted and open ViIP protocol.
65
Session Initiation Protocol
Session Initiation Protocol (SIP) is designed to manage multimedia connections such as VoIP, video calls, and instant messaging over IP.
- SIP provides integrity protection by utilizing MD5.
66
Real-time Transmission Protocol (RTP)
VoIP uses Real-time Transmission Protocol (RTP) which does not guarantee delivery but is designed to requires re-delivery of packet.
67
Secure Real-Transport Protocol (SRTP)
Secure Real-Transport Protocol (SRTP) is an extension of RTP that incorporates enhanced security features. Uses encryption and authentication to minimize risk of denial of service and replay attacks.
68
VoIP Security
- Enclave VoIP servers.
- Implement VoIP servers.
- Disable unnecessary services on VoIP devices.
- Include servers in vulnerability and patch management program.
- Include VoIP in threat intelligence program.
- Vendor SLA
69
Content distribution network (CDN)
A Content distribution network (CDN) is a large distributed system of servers, Internet Service providers, and network operations.
- The goal of CDN is to serve content to end users with high availability and high performance.
70
Remote Access Applications
- Telnet
- Secure Shell (SSH)
- Remote Desktop Software (RDP)
- Virtual Private Network (VPN)
71
Telnet
Telnet facilitates the connection to a remote system and the execution of commands.
- Telnet provides basic authentication.
- Telnet communication is in clear text.
- Port TCP 23.
72
Secure Shell (SSH)
SSH facilitates the connection to a remote system and the execution of commands.
- SSH creates a secure encrypted tunnel to the remote system.
- Port TCP 22.
73
Remote Desktop Software (RDP)
Software or OS feature that allows a desktop environment to be run remotely.
74
Virtual Private Network (VPN)
VPN in a secure private connection between two endpoints.
75
VPN Tunneling
VPNs isolate the network frames from the surrounding networking using a process known as encapsulation or tunneling.
- Full Tunneling allow the routing of some traffic over the VPN while letting other traffic directly access the internet.
- Split Tunneling: allows the routing of some traffic over the CPN while letting other traffic directly access the internet.
76
VPN Protocols
- PPTP
- L2TP
- SSL
- IPsec
77
PPTP
Microsoft's implementation of secure communication over a VPN.
- Designed to secure Point-to-Point (PPP)
- No longer considered secure.
78
L2TP
Cisco's implementation of secure communication over a VPN.
- Combines Layer 2 Forwarding and PPTP
- Can be used on IP and non-IP networks.
79
SSL
Uses SSL or its successor TLS for single or multiple connections using a browser.
- User connects to a SSL gateway or endpoint.
- SSL VPN Portal is a single connection to multiple services.
80
IPsec
Defacto standard for IP based VPNs.
- Host-to-host, host-to-site, and site-to-site connections,
- Uses cryptography to provide authentication, integrity, confidentiality, and non-repudiation.
81
IPsec Modes
- Transport Mode.
| - Tunnel Mode.
82
Transport Mode IPsec
Transport Mode use used for end-to-end communication between client and server.
- The IP payload is encrypted
- Transport is the default mode of IPsec.
83
Tunnel Mode IPsec
Tunnel Mode is used between server-server , server-gateway, or gateway-gateway.
- The entire Packet is encrypted.
84
Authentication Header (AH)
Integrity, Origin Authentication, Replay Attack Protection (HMAC)
85
Encapsulation Security Payload (ESP)
Integirty, origin Authentication, Replay Attack protection, and Confidentiality (HMAC & Symmetric Encryption).
86
Internet Key Exchange (IKE)
Device authentication and establishing security association.
87
Security Association (SA)
A negotiation that includes the algorithms that will be used, key length, and key information.
88
Security Parameter Index (SPI)
Security Association Identifier.
89
Always-on VPN
An Always-on VPN starts automatically as soon as a client device recognizes an internet connection.
- Connection and authentication are transparent to the user.
- Non- Compliant devices are rejected.
90
Secure Socket Layer (SSL)
Secure Socket Layer (SSL) is used to establish a secure communication channel between two TCP sessions by negotiation. Default SSL port is 443.
91
Transport Layer Security (TLS)
Transport Layer Security (TLS) is used to establish a secure communication channel between two TCP sessions using a cryptographic key exchange. Default TLS port is 443.
TLS is the successor and recommended replacement for SSL. TLS 1.1 or higher should be used. TLS 1.o has been broken.
92
SSL/TLS Accelerators
SSL/TLS encryption / decryption is a processor intensive operation.
- SSL/TLS Application Specific Integrated Circuits (ASICS) are processes that are specifically designed to perform SSL?TLS operations.
- SSL/TLS Accelerator is an ASIC appliance that sits between a user and server, accepting SSL/TLS connections from the client and sending them via private network to the server encrypted.
93
SSL Decryptors
SSL Decryptors are controversial perimeter devices (either built into the firewall or standalone appliance) used to decrypt SSL/TLS packets, inspect the contents, re-encrypt, and forward the packet.
94
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol (HTTP) is the underlying protocol used by websites and defines what actions browsers and web-servers should take in response to commands. HTTP is a clear text protocol and subject to eavesdropping, reply and MiTM attacks.
95
Hypertext Transfer Protocol (HTTPS)
Hypertext Transfer Protocol (HTTPS) is an extension to HTTP that adds support for SSL and TLS in order to encrypt communication between a browser and a website (TCP Port 443)
96
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is used for file access, file transfer, and file management. Authentication data payload are transmitted in clear text and subject to eavesdropping, relay, and MiTM attacks.
97
File Transfer Protocol Secure (FTPS)
File Transfer Protocol Secure (FTPS) is an extension of FTP that adds support for SSL and TLS in order to encrypt the file transfer channel (TCP port 990 or 21)
- Don't confuse FTPS with SFTP. SFTP uses SSH on port 22.
98
Secure POP3
POP3 is used to receive email from an email server to a local email account.
- Downloaded files are removed from the email server (default).
- POP3 allows clear text authentication (port 110)
- Secure POP3 is an extension of POP3 that supports SSL/TLS for secure login (port 995)
99
Secure IMAP
IMAP is used to receive email from an email server to a local email account.
- Downloaded files remain on the email server - important if you use multiple devices to access email.
- IMAP allows clear text authentication (port 143)
- Secure IMAP is an extension of IMAP that supports SSL/TLS for secure login (port 993)
100
S/MIME
S/MIME is a protocol for sending digitally signed and encrypted emails.
- Encryption (confidentiality) and digital signature (integrity and non-repudiation)
101
Server Virtualization
Server Virtualization allocates the resources of the host to guest server (virtual) computers.
- The physical host computer hardware has processor, memory, storage, and networking components. Specialized software dynamically allocates resources.
- Guest computers (virtual machines) act exactly as though they are physical machines each with independent operating systems, applications, and network connections.
102
Hypervisors
Hypervisors are software or firmware components that can visualize systems resources.
103
Type 1 Hypervisors
Type 1 (bare metal/native) hypervisors run directly on the system hardware. Direct access to hardware. No operating system to load as the hypervisor is the operating system.
104
Type 2 Hypervisors
Type 2 Hypervisors run on a host operating system that provides virtualization services.
105
Network Virtualization (NSX)
Network Virtualization (NSX) is the complete reproduction of physical network in software.
- Network virtualization presents logical networking devices and services (e.g. logical ports, switches, routers, firewalls, load balancers, VPNs).
- Virtual networks offer the sam features and guarantees of physical network with the operational benefits and hardware independence of virtualization.
106
Desktop Virtualization (VDI)
Virtual Desktop Infrastructure (VDI) is virtualization technology that hosts a desktop operating system on a centralized server in a data center.
- Persistent VDI provides each user with his on her own desktop image.
- Nonpersistent VDI provides a pool of uniform desktops that users can access when needed.
107
VM Sprawl
Virtualization Sprawl occurs when the number of virtual machines is out of control - potentially unmanaged, unnecessary, and not in compliance with licensing agreements.
108
VM Scape
A virtual machine escape occurs when a virtual machine and the host operating system interact. This should never happen.
