Chapter 2 Monitoring and Diagnosing Networks
load balancer
A device that distributes traffic intelligently among multiple computers.
Honeypot
A fake system desinged to divert attacker from your real system. Can be setup to logg and track information of attackers. This is a seperate system.
Packet Filter Firewalls
A firewall operating as a packet filter passes or blocks traffic based on the type of application. It doesnt examine the packet, it decides whether to pass it based on the packets addressing info
Air-Gap
A network security measure employed on one or more computers to ensure that a secure network is physically isolated. The name discribes a network that is physically seperated ( with a conceptual air gap) from all other networks.
Honeynet
A network that functions in the same manner as a honeypot. This is a fake network segment
service pack
A periodically released update to software from a manufacturer, consisting of requested enhancements and fixes for known bugs.
Zones
A zone is an individual area of the network that has been configured with a specific trust level. Furthermore, if a given zone is breached only that zone is affected, the entire network is not necessarily vulnerable.
Port mirroring
Ability to send a copy of inbound/outbound traffic to a monitoring server with IDSs or IPSs.
DMZ
Demilitarized Zone - A network segment between two firewalls. One is outward facing, connected to the outside world, the other inward facing, connected to internal network.
Segmentation
Dividing your network into zones based on security needs. Can segment using routers/switches, or by using virtual local area networks (VLANs)
Placing Security devices
Firewalls are placed at the networks perimeter, and also at every junction of a network segment. Must also place correlation engines within the network which analyze firwall logs.
Deployment of systems / hardware concepts
For applications the first step is a development enviornment, seperate from the operational enviornment. Used for desktop apps and web apps, where you can perform testing. For operating systems, and devices there should be a test enviornment (mini network). Next is staging, normally any addition to a network is deployed in stages, not just put out in the entire network. This is a best practice.
VPN / Tunneling
For the purpose of the exam only associate VPN with encryption and that it only allows authorized remote users. Virtual Private Network - is a private network that connects through a public network such as the internet, using a secure link / tunnel. Typically uses protocols such as layer 2 Tunneling Protocol, IPSec, or Point-to-Point Protocol (PPTP).
Administration Controls
Include all policies, procedures, and processes in place to support security.
Technical Controls
Include software and hardware; such as firewalls, VLANs, antimalware, IDSs, and IPSs.
ISMS
Information Security Management System - A broad term, used to describe a wide range of systems used to manage information security.
ISO
International Organization for Standardization - scource for international standards. Popular standards listed below: *ISO/IEC 2700:2013 - specifies requirements for establishing, implementing, maintaining and improving security management system. *ISO 27002 - recomends best practices for initiating, implementing, and maintaining information security management sytems (ISMSs). *ISO 27017 - Is a guidance for cloud security CLD.6.3.1 - This is an agreement on shared or devided security responsibilities between the customer and cloud provider. CLD.8.1.5 - This control addresses how assets are returned or removed fro mthe cloud when the contract is terminated. CLD.9.5.1 - This control states that the cloud provider must separate the customers virtual environment from other customers. CLD.9.5.2 - This control states that the customer and the cloud provider bothe must ensure the virtual machines are hardened. CLD.12.1.5 - It is solely the customers responsibility to define and manage administrative operations. CLD.12.4.5 - The cloud providers capabilities must enable the customer to monitor their own cloud environment CLD.13.1.4 - The virtual network environment must be configured so that it at least meets the security polocies of the physical environment.
IDS
Intrusion Detection System - A system that monitors the network for possible intrusions and logs that activity.
IPS
Intrusion Prevention System - A system that monitors the network for possilbe intrusions and logs that activity and then blocks the traffic that is suspected of being an attack.
NIST
National Institute of Standards and Technology - Is the source for many national standards in the United States. *NIST 800-12 provides broad overview of computer security (emphasizes system security throughout the system life cycle). NIST 800-14 describes common security principles that should be addressed within security policies.
NERC
North American Electric Reliability Corporation - Publishes standards for electrical power companies. *NERC CIP (Critical Infrastructure Protection) 007-6 : addresses patching of all systems. requires all registered entities to check for patches every 35 days (not like computer desktop systems).
OWASP
Open Web Application Security Project- An organization that maintains a list of the top 10 errors found in web applications.
PCI DSS
Payment Card Industry Data Security Standard -Set of standards that companies involved with debit and credit cards transactions must meet.
PII
Personally Identifiable Information - An info that could indentify a particular individual.
defense in depth
Security should never be completely focused on the networks borders. Should be using multiple layers of security to defend your assets.
ISA/IEC-62443
Series of standards that define procedures for implementing electronically secure industrial automation and control systems (IACSs).
SDN
Software Defined Network - The entire network, including all security devices, is virtualized. Allows easy segmentation of the network.
Correlation Engines
Software application that programmatically understands relationships, and can be used to analyze data logs of firewalls or other event logs.
SPI
Stateful Packet Inspection - A firewall that not only examines each packet but also remembers the recent previous packets.
SPI
Stateful Packet Inspection - The entire conversation between client and server is examined. This is a more sophisticated firewall that remembers what the recent previous packets from the same client contained.
Secure Baseline
The process of finding a baseline for any system, application, or service that is considered secure. Therefore if you make changes to the network you can compare it to the baseline in order to see if it measures up.
Control Diversity
This means you should not use one control method to address a security concer. Use multiple security controls.
Proxy Firewalls
Used to process requests from an outside network and any other network. It examines the data and makes rule based decisions. Can also hide the IP addresses.
Vendor Diversity
Using different vendors for seperate components within the network will help prevent attacks. Example, if you use the same vender for all computers and servers they will typically use the same security algorithm software. If you diversify then you have multiple security software protection on your network.
Intranets
Websites eccessible only within the company network. Examples: human resource info, company policies, and online training sites.
Extranets
allow authorized suppliers, customers, and other outsiders to access the firm's intranet
Distrubuted DoS (a security device)
detects DDoS attacks and stops them, or at least mitigates them.
VPN concentrator
hardware device used to create remote access VPNs; creates encrypted tunnel sessions between hosts
Operating system hardening
making the OS as secure as possible before adding antiviruses, firewalls, and sor forth. Includes patching the system, shutting down unneeded services, and remove unneeded software.
Sandbox
test enviornment that is completly isolated from the rest of the network.