2602 - Chp 7


1. Firewalls 2. Host-based intrusion detection systems/host-based intrusion prevention systems 3. Web servers 4. DHCP servers 5. VPN concentrators 6. Proxies 7. DNS 8. Email servers 9. Routers & switches

Network devices that provide the most beneficial security data, in order of importance (9)

"Read Only" and "Read/Write"

2 types of community strings

Application whitelisting, Removable media control, Advanced malware management

3 Security tools that can produce output to be analyzed

SNMP, DNS, FTP

3 basic TCP/IP protocols that relate to security are?

1. From a command prompt (e.g. ls to list files, get to retrieve files from a server) 2. Using a web browser (ftp://) 3. Using an FTP client (e.g. FileZilla)

3 different methods for using FTP on a local computer

On-demand self-service, universal client support, invisible resource pooling, immediate elasticity, metered services

5 Cloud computing characteristics

SSL, TLS, SSH, HTTPS, S/MIME, SRTP, IPsec

7 "other" security related TCP/IP protocols?

Domain Name System (DNS)

A TCP/IP protocol that resolves (maps) a symbolic name (Fully Qualified Domain Name, FQDN) to its corresponding IP address.

FTP Secure (FTPS)

A TCP/IP protocol that uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt commands sent over the control port (port 21) in an FTP session. It is a combination of two technologies: FTP and SSL/TLS.

Infrastructure as a Service (IaaS)

A cloud computing model in which customers have the highest level of control and can deploy and run their own software.

public cloud

A cloud in which the services and infrastructure are offered to all users with access provided remotely through the Internet.

Security as a Service (SECaaS)

A cloud model in which all security services are delivered from the cloud to the enterprise.

Platform as a Service (PaaS)

A cloud service in which consumers can install and run their own specialized applications on the cloud computing network.

private cloud

A cloud that is created and maintained on a private network.

community cloud

A cloud that is open only to specific organizations that have common concerns.

hybrid cloud

A combination of public and private clouds.

hosted services

A computing model in which servers, storage, and the supporting networking infrastructure are shared by multiple enterprises over a remote network connection.

S/MIME (Secure/Multipurpose Internet Mail Extensions)

A cryptographic protocol that uses digital certificates to protect the e-mail messages.

Correlation engine

A device that aggregates and correlates content from different sources to uncover an attack.

Aggregation switch

A device used to combine multiple network connections into a single link (a load balancer is an example).

guest system

A foreign virtual operating system.

DDoS mitigator

A hardware device that identifies and blocks real-time distributed denial of service (DDoS) attacks.

Type II hypervisor

A hypervisor that runs within a conventional operating system environment.

virtualization

A means of managing and presenting computer resources by function without regard to their physical layout or location.

Software as a Service (SaaS)

A model of cloud computing in which the vendor provides access to the vendor's software applications running on a cloud infrastructure.

cloud computing

A pay-per-use computing model in which customers pay only for the computing resources that they need, and the resources can be easily scaled.

Simple Network Management Protocol (SNMP)

A protocol used to monitor and manage network devices, such as routers, switches, and servers.

Secure FTP (SFTP)

A secure TCP/IP protocol that is used for transporting files by encrypting and compressing ALL data and commands. -Uses only a single TCP port

virtual machine escape protection

A security protection that prevents a virtual machine from directly interacting with the host operating system.

File Integrity Check (FIC)

A service that can monitor any changes made to computer files, such as the OS.

Cloud Access Security Broker (CASB)

A set of software tools or services that resides between the enterprises' on-premises infrastructure and the cloud provider's infrastructure to ensure that the security policies of the enterprise extend to their data in the cloud.

TFTP (Trivial File Transfer Protocol)

A simple version of FTP that uses UDP as the transport protocol and does not require a logon to the remote host. Often used for the automated transfer of configuration files between devices.

port mirroring

A technology that allows a network administrator to configure the switch to redirect the traffic that occurs on some or all ports to a designated monitoring port on the switch. Suited to networks with light traffic.

Advanced malware management

A third-party service that monitors a network for any unusual activity (often uses experience-based techniques such as heuristic monitoring).

Anonymous ftp or blind ftp

A type of FTP access that requires no account on a server; instead, the server can be accessed using "anonymous" as the user ID.

host virtualization

A type of virtualization in which an entire operating system environment is simulated.

Type 1 hypervisor

Also known as a bare metal hypervisor; it is a software program that acts as an operating system and also provides the ability to perform virtualization of other operating systems using the same computer.

Virtual Distributed Ethernet (VDE)

An Ethernet-compliant virtual network that can connect physical computers and/or virtual machines together.

DNS poisoning

An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.

Domain Name System Security Extensions (DNSSEC)

An extension to DNS that adds additional resource records and message header information, used to verify that DNS data has not been altered in transmission. Uses asymmetric cryptography; fully supported in BIND9; widely implemented (used by 89% of top-level domains).

Application Whitelisting

An inventory of applications and associated components (libraries, configuration files, etc.) that have been pre-approved and authorized to be active and present on the device.

File Transfer Protocol (FTP)

An unsecure TCP/IP protocol that is commonly used for transferring files.

TCP/IP Model

Application, transport, Internet, and network interface

Security access log

Can provide details regarding requests for specific files on a system

In the protected internal network using data collected from the logs of different hardware devices

Correlation engines should be placed where in the network?

In the network where they can monitor the largest stream of data

DDoS mitigator should be placed where in the network

1. Information (logging that the software is starting) 2. Warning (when configuration changes are made) 3. Alert (an active attack has been blocked)

DEP events level of severity

TCP/IP port 53

DNS lookup port

agent; service

Each SNMP-managed device must have a/n _____________ or a ____________ that listens for commands and then executes them.

TCP port 21 (control port for passing FTP commands), TCP port 20 (data)

FTP (File Transfer Protocol)

FTP passive mode

FTP mode not likely to be blocked by a firewall (uses the PASV command)

FTP active mode

FTP mode that is susceptible to being blocked by a firewall (uses the PORT command)

1. Does not use encryption 2. Man-in-the-middle attacks

FTP security vulnerabilities (2)

Although the control port (port 21) commands are encrypted, data port (port 20) commands may or may not be encrypted

FTPS weakness

Firewalls, VPN concentrators, mail gateways, NIDS, NIPS, SIEM devices

Hardware designed primarily for security

Event logs

Logs that can document any unsuccessful events and the most significant successful events.

More SDN info, p. 308

Sensors

Monitors traffic for network intrusion detection and prevention devices

Source-routed packets

Packets with a source address internal to the network but that originate from outside the network

Log

Record of events that occur

IP (Internet Protocol)

Responsible for addressing packets so that they can be routed to their destination

Security log

Reveals the types of attacks that are being directed at the network and whether any of the attacks were successful.

1. Cannot be used when mail is accessed through a web browser (instead of a dedicated email application) 2. Makes it difficult to scan messages for malware, since it encrypts everything

S/MIME (Secure/Multipurpose Internet Mail Extensions) limitations (2)

Community String

SNMP agents are protected with a password called a ?

Switches, routers, WAPs, some printers, copiers, fax machines, and even UPSs

SNMP can be found on what devices?

The default community strings for read-only and read-write were "public" and "private", respectively, and community strings were transmitted as cleartext.

SNMPv1 & SNMPv2 security vulnerabilities

1. Voice/Video - Secure Real-time Transport Protocol (SRTP) 2. Time Sync - Network Time Protocol (NTP) 3. Email - S/MIME 4. Web Browsing - HTTPS 5. File Transfer - SFTP 6. Remote access - VPN 7. Domain Name Resolution - DNS Security Extensions (DNSSEC) 8. Routing and switching - IP Security (IPsec) 9. Network address translation - IPsec 10. Subscription Services - IPsec

Secure network protocol recommendations

In the network where the stream of data is largest, allowing them to view, gather, or block traffic

Sensors, collectors, and filters should be placed where in the network?

hypervisor

Software that creates and manages virtual machines on a server or on a local computer. Also called virtual machine manager (VMM).

Software Defined Network (SDN)

Software that virtualizes part of the physical network so that it can be more quickly and easily reconfigured.

Bridges, switches, routers, load balancers, proxies

Standard networking devices (5)

Hierarchy (tree)

The DNS database is organized how?

SNMPv3

The current version of SNMP that supports authentication and encryption.

Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Security as a Service (SECaaS)

The four service models in cloud computing

TCP/IP (Transmission Control Protocol/Internet Protocol)

The most common protocol suite used today for local area networks (LANs) and the Internet.

BIND (Berkeley Internet Name Domain) BIND9

The most popular DNS server software. Free open source software that runs on Linux, UNIX, and Windows platforms. BIND9 is the current version.

host system

The native operating system to the hardware.

Virtual Desktop Infrastructure (VDI)

The process of running a user desktop inside a virtual machine that resides on a server for storing sensitive applications and data on a remote server that is accessed through a smartphone.

Pg. 292

The recommended placement for SSL/TLS accelerator?

virtual machine sprawl

The widespread proliferation of virtual machines without proper oversight or management.

read-only string

This type of community string allows information from the agent to be viewed

read-write string

This type of community string allows settings on the device to be changed.

Removable media control

Tools that can be used to restrict which removable media, such as USB flash drives, can be attached to a system.

FTP Secure (FTPS) Secure FTP (SFTP)

Two options for secure transmission over FTP

DNS transfer attack

Type of attack in which an attacker asks the valid DNS server for a zone transfer. With this information the attacker can map the entire internal network of the organization supporting the DNS server.

Date & time, description, status, error codes, service name, user responsible for launching

Type of event log info that can be recorded (6)

1. IP addresses that are being rejected and dropped 2. Probes to ports that have no application services running on them 3. Source-routed packets 4. Suspicious outbound connections 5. Unsuccessful logins

Type of items that can be examined in a firewall log (5)

Filters

Used to block traffic for Internet content filters

Collectors

Used to gather traffic for SIEM devices

Audit log

Used to record which user performed what actions

Because TCP/IP views the Network Interface layer as the point where the connection between the TCP/IP protocol and the networking hardware occurs.

Why is the physical layer omitted in the TCP/IP model?

Data Execution Prevention (DEP)

Windows feature that uses a combination of software and hardware to prevent the execution of code in unintended areas of memory to protect against buffer overflow attacks.

on-demand self-service

a cloud computing characteristic; The consumer can make changes, such as increasing or decreasing computing resources, without requiring any human interaction from the service provider

invisible resource pooling

a cloud computing characteristic; the physical and virtual computing resources are pooled together to serve multiple, simultaneous consumers and are dynamically assigned or reassigned based on the consumers' needs; the customer has little or no control over or knowledge of the physical location of the resources

immediate elasticity

a cloud computing characteristic; computing resources can be increased or decreased quickly to meet demands.

metered services

a cloud computing characteristic; fees are based on the computing resources used

universal client support

a cloud computing characteristic; virtually any networked device can access the cloud computing resources

Network tap

a hardware device that provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. Sometimes it is used along with Wireshark to capture all the network traffic. Better suited to networks with a large volume of traffic.

cloud computing NIST definition

a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction

virtual machine

a simulated software-based emulation of a computer

container aka application cell

a virtualized environment that holds only the necessary OS components (such as binary files and libraries) that are needed for a specific application to run

Between routers and servers where they can detect and stop attacks directed at a server or application

aggregation switches should be placed where in the network

vlan

allows scattered users to be logically grouped together even though they are physically attached to different switches

cloud storage

an Internet service that provides storage to computer users (no computational capabilities)

control plane

consists of one or more SDN servers and performs the complex functions such as routing and security checks; also defines the data flows through the data plane. Essentially an application running on a computer that can manage the physical plane.

This is accomplished by separating the control plane from the data plane.

how do SDNs virtualize parts of the physical network?

1. Multiple devices generating logs 2. Very large volume of data 3. Different log formats

issues in analyzing security data (3)

analytics-based approach

pg. 300

TCP (Transmission Control Protocol)

responsible for reliable packet transmission.

protocols

rules for communication

centralized device log analyzer

solution for log management designed to collect and consolidate logs from multiple sources for easy analysis.

virtualization, cloud computing, software defined networking

some applications and platforms that require special security considerations (3)

1. Host availability 2. Host elasticity 3. Reduced cost 4. Provides uninterrupted server access 5. Security updates 6. Snapshots 7. Security control testing 8. Segregation & isolation 9. Sandboxing to test for malware

virtualization advantages
