C480 - Lesson 10 CompTIA
A company has suffered a data breach. Investigators are able to establish exactly when the data breach occurred, but on checking the IDS logs, no evidence of the breach is present. What type of intrusion detection error condition is this?
A false negative.
What component does a network-based IDS use to scan traffic?
A sniffer or sensor.
Other than attempting to block access to sites based on content, what security options might be offered by Internet content filters?
Blocking access based on time of day or total usage.
What is shunning?
Configuring an IPS to set a temporary firewall rule to block the suspect IP address.
You are troubleshooting a connectivity problem with a network application server. Certain clients cannot connect to the service port. How could you rule out a network or remote client host firewall as the cause of the problem?
Connect to or scan the service port from the same segment with no host firewall running.
What sort of maintenance must be performed on signature-based monitoring software?
Definition/signature updates.
What is the default rule on a firewall?
Deny anything not permitted by the preceding rules.
(intrusion detection system) A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
IDS
What parameters can a layer 3 firewall ruleset use?
IP source and destination address, protocol type, and port number.
(intrusion prevention system) An inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
IPS
A firewall capable of parsing Application layer protocol headers and data (such as HTTP or SMTP) so that sophisticated, content-sensitive ACLs can be developed. Also known as NGFW.
Layer 7 firewall
(next generation firewall) A firewall capable of parsing Application layer protocol headers and data (such as HTTP or SMTP) so that sophisticated, content-sensitive ACLs can be developed. Also known as a Layer 7 firewall.
NGFW
(network intrusion detection system) A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.
NIDS
(network operating system firewall) A software-based firewall running on a network server OS, such as Windows or Linux, so that the server can function as a gateway or proxy for a network segment.
NOS firewall
What OSI layer does an NGFW work at and why?
OSI layer 7 (Application) because the next generation firewall (NGFW) is configured with application-specific filters that can parse the contents of protocols such as HTTP, SMTP, or FTP.
Using iptables, in which chain would you create rules to block all outgoing traffic not meeting certain exceptions?
OUTPUT chain.
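The OUTPUT-chain ruleset described above, as an added example (not part of the course material): a POSIX shell script that writes an iptables-restore file whose OUTPUT policy is DROP, so the only outbound traffic that leaves the host is what the preceding exception rules permit (DNS and NTP to internal servers, HTTPS to one update mirror). The addresses 10.0.0.53, 10.0.0.123 and 203.0.113.10, the interface-free rule form and the file name egress.rules are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the course material): generate an iptables-restore
# ruleset that blocks all egress from the OUTPUT chain except named exceptions.
# Assumed values: internal resolver 10.0.0.53, internal NTP 10.0.0.123,
# update mirror 203.0.113.10 (TEST-NET-3 documentation range).
RESOLVER="${RESOLVER:-10.0.0.53}"
NTP_SERVER="${NTP_SERVER:-10.0.0.123}"
MIRROR="${MIRROR:-203.0.113.10}"

# Print the ruleset on stdout. Only the filter table is touched; INPUT and
# FORWARD are left at ACCEPT so the example cannot lock an admin out of a
# test box while egress filtering is being trialled.
egress_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is always allowed
-A OUTPUT -o lo -j ACCEPT
# Replies belonging to connections already accepted inbound (stateful match)
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Exception 1: DNS to the internal resolver only (UDP and TCP 53)
-A OUTPUT -p udp -d ${RESOLVER} --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${RESOLVER} --dport 53 -j ACCEPT
# Exception 2: NTP to the internal time server
-A OUTPUT -p udp -d ${NTP_SERVER} --dport 123 -j ACCEPT
# Exception 3: HTTPS to the update mirror only
-A OUTPUT -p tcp -d ${MIRROR} --dport 443 -j ACCEPT
# Everything else: log a rate-limited sample, then fall through to the DROP policy
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
COMMIT
EOF
}

# Write the ruleset to a file for iptables-restore and print its path.
write_ruleset() {
    out="${1:-./egress.rules}"
    egress_ruleset > "$out"
    echo "$out"
}

# Stand-alone run: print the ruleset. Loading it needs root, e.g.
#   sudo iptables-restore < "$(write_ruleset)"
egress_ruleset
```

Every exception rule uses only the layer 3/4 fields a packet filter can see (protocol, destination address, destination port); the policy line `:OUTPUT DROP` is the implicit-deny default rule from the deck, and the LOG rule sits last so that whatever reaches it is exactly the traffic about to be dropped. The conntrack rule is what lets a server that accepts inbound connections still answer them under an otherwise closed OUTPUT chain.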
(single point of failure) A component or system that would cause a complete interruption of a service if it failed.
SPoF
Why would you deploy a reverse proxy?
To publish a web application without directly exposing the servers on the internal network to the Internet.
(Unified Threat Management) All-in-one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and so on.
UTM
What is the main purpose of UTM?
Unified Threat Management (UTM) consolidates multiple security functions in a single appliance with a single management console.
(web application firewall) A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.
WAF
Software capable of detecting and removing virus infections and (in most cases) other types of malware, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and so on.
anti-virus
A standalone hardware device that performs only the function of a firewall, with the firewall software embedded in the appliance's firmware.
appliance firewall
A layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
application aware firewall
Software designed to run on a server to protect a particular application such as a web server or SQL server.
application firewall
A feature of many proxy servers that enables the servers to retain a copy of frequently requested web pages.
caching engine
Something that is identified by a scanner or other assessment tool as not being a vulnerability, when in fact it is.
false negative
Something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not.
false positive
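The breach scenario at the top of the deck (an attack that happened but left no IDS alert) and the false negative / false positive definitions above, as an added example that is not part of the course material: a minimal signature-based detector (grep over extended regexes) is run against constructed web-server log lines and scored against ground truth, producing the four outcomes a sensor can have. The log lines, client addresses and both signature sets are constructed for the illustration; the URL decoder covers only the escapes used in those lines.

```shell
#!/bin/sh
# Added example, not from the course material. A signature-based detector is
# run over constructed log lines and scored against a ground-truth label to
# count true/false positives and true/false negatives.

# Signature set 1: what the detector might ship with. "union.select" is
# deliberately loose, and the SQLi pattern relies on a literal quote.
SIGS_V1="' OR 1=1
\.\./\.\./
union.select
cmd\.exe"

# Signature set 2, after a definition update: the UNION pattern demands real
# whitespace, and the SQLi pattern no longer depends on the quote character.
SIGS_V2="(^|[^a-z])or[[:space:]]+1=1
\.\./\.\./
union[[:space:]]+select
cmd\.exe"

# Constructed log lines: "<ground truth> <client> <method> <path> <status>".
# The label is what investigators established after the fact.
LOG_LINES="benign 198.51.100.7 GET /index.html 200
benign 198.51.100.9 GET /news/union-select-committee-report.html 200
malicious 203.0.113.4 GET /login.php?user=admin' OR 1=1-- 200
malicious 203.0.113.4 GET /login.php?user=admin%27%20OR%201%3D1-- 200
benign 198.51.100.12 GET /images/logo.png 200
malicious 203.0.113.8 GET /download.php?f=../../etc/passwd 200"

# Minimal URL decoder covering only the escapes used above (assumption: a real
# sensor decodes every %XX sequence before matching).
decode_url() {
    sed -e "s/%27/'/g" -e 's/%20/ /g' -e 's/%3D/=/g' -e 's/%2E/./g' -e 's|%2F|/|g'
}

# evaluate SIGNATURES DECODE  ->  prints "tp fp fn tn"
# DECODE=1 normalises each line with decode_url before matching.
evaluate() {
    sigs="$1"; decode="${2:-0}"
    sigfile="$(mktemp)"
    printf '%s\n' "$sigs" > "$sigfile"
    tp=0; fp=0; fn=0; tn=0
    while read -r label text; do
        [ -z "$text" ] && continue
        if [ "$decode" = 1 ]; then
            text="$(printf '%s\n' "$text" | decode_url)"
        fi
        if printf '%s\n' "$text" | grep -Eiq -f "$sigfile"; then
            alert=1
        else
            alert=0
        fi
        case "$label:$alert" in
            malicious:1) tp=$((tp + 1)) ;;   # attack seen and reported
            benign:1)    fp=$((fp + 1)) ;;   # alert on harmless traffic
            malicious:0) fn=$((fn + 1)) ;;   # attack missed entirely
            benign:0)    tn=$((tn + 1)) ;;   # harmless traffic, no alert
        esac
    done <<EOF
$LOG_LINES
EOF
    rm -f "$sigfile"
    echo "$tp $fp $fn $tn"
}

# Stand-alone run: the shipped signatures miss the URL-encoded injection
# (false negative) and flag a news article (false positive); the updated
# signatures plus decoding clear both.
echo "signatures v1, raw lines : tp fp fn tn = $(evaluate "$SIGS_V1" 0)"
echo "signatures v2, decoded   : tp fp fn tn = $(evaluate "$SIGS_V2" 1)"
```

The encoded injection on the fourth line is the breach-with-no-alert case: the attack occurred, the sensor saw the packet, and nothing matched, so the IDS log is silent. Decoding alone fixes that miss even with the old signatures, while only the tightened UNION pattern removes the false positive, which is why signature-based tools need both normalisation in the engine and regular definition updates.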
A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.
implicit deny
A proxy that is configured to filter and service several protocol types, as opposed to an application-specific proxy, which services only one application.
multipurpose proxy
A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
packet filtering
A firewall implemented as application software running on the host; it can provide sophisticated filtering of network traffic as well as block processes at the application level. (See also host-based firewall.)
personal firewall
A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.
proxy server
A type of proxy server that protects servers from direct contact with client requests.
reverse proxy server
A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.
router firewall
A type of spoofing attack where the attacker disconnects a host, then replaces it with his or her own machine, spoofing the original host's IP address or session cookie.
session hijacking
Configuring an intrusion prevention system to set a temporary firewall rule to block the suspect IP address.
shunning
The basic function of a firewall, comparing network traffic to established rules, and preventing access to messages that do not conform to the rules.
traffic filtering
An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.
web security gateway