Chapter 10: Implementing Network Security Appliances
A system administrator wants to install a mechanism to conceal the internal IP addresses of hosts on a private network. What tool can the administrator use to accomplish this security function? A.) NAT gateway B.) Reverse proxy server C.) Virtual firewall D.) Access Control List (ACL)
A
What does NGFW stand for?
Application-aware next-generation firewall
These are configured on the principle of least access/least privilege.
Firewall access control lists (ACLs)
These often enact east-west security and zero-trust microsegmentation design paradigms.
Virtual Firewalls
Solution for the reduced availability caused by the lower throughput of NGFW and UTM solutions.
Treat security solutions for server traffic differently from those for user traffic.
With this approach, data managers must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage.
Agent-based
What are the three main types of log collection for SIEM?
Agent-based, Listener/collector, and Sensor (sniffer)
A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is most ideal if the admin is concerned about system overloads and resiliency in the event of power loss? A.) Passive test access point (TAP) B.) Active test access point (TAP) C.) Aggregation test access point (TAP) D.) Switched port analyzer (SPAN)/mirror port
A
This could cause high page file utilization; otherwise, high page file utilization could indicate malware.
Insufficient physical memory
These are positioned like firewalls at borders between network zones and provide an active response to network threats.
Intrusion prevention systems (IPS)
These detection engines use heuristics to generate a statistical model of baseline normal traffic. The system generates false positives and false negatives until, over time, it improves its statistical model of normal activity. A false positive is where legitimate behavior generates an alert.
Network behavior and anomaly detection (NBAD)
Deployed on the network edge, these protect servers from direct contact with client requests from a public network (the Internet).
Reverse Proxy Servers
This acts as a content filter, which applies user-focused filtering rules and also conducts threat analysis.
Secure web gateway (SWG)
The first task for this is to collect data inputs from multiple sources, including agent-based log collection, sensor or sniffer data, and listener/collector protocols, such as syslog and Simple Network Management Protocol (SNMP).
Security Information and Event Management (SIEM)
What does UTM stand for?
Unified Threat Management
This can inspect traffic as it passes from host-to-host or between virtual networks, rather than routing that traffic up to a firewall appliance and back.
Virtual Firewalls
This translates between a local and public network by substituting private IPs for a public IP and forwarding the requests to the public Internet, thereby concealing private addressing schemes.
NAT (Network Address Translation) Gateway
One of the main disadvantages of this is that training and tuning are complex, which results in high false positive and false negative rates, especially during initial deployment.
Network-Based Intrusion Detection System (NIDS)
This appliance gathers or receives log and/or state data from other network systems, using a protocol such as syslog or Simple Network Management Protocol (SNMP).
Listener/collector
A system admin configures this by specifying a group of rules that define the type of data packet and the appropriate action to take when a packet matches the rule.
Packet Filtering Firewalls
This works on a store-and-forward model: it deconstructs each packet, performs analysis, then rebuilds the packet and forwards it on. Suspicious content can be removed while the packet is rebuilt.
Proxy Server
How do you configure a packet filtering firewall?
By specifying a group of rules, called an Access Control List (ACL). Each rule defines a specific type of data packet and the appropriate action to take when a packet matches the rule.
Compare and analyze the types of firewalls available to differentiate between them. A.) Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3. B.) An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only. C.) A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host. D.) An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.
D
This should be configured to be append only so that existing entries cannot be modified. This also provides assurance to auditors that the logs have not been tampered with.
Log files
A network administrator is shopping for a security product to utilize to fine-tune existing firewall and appliance settings. Comparing product features, which type of product is most likely to satisfy the network administrator's needs? A.) Network-based intrusion detection system (NIDS) B.) Unified threat management (UTM) product C.) Network-based intrusion prevention system (IPS) D.) Network behavior and anomaly detection (NBAD) product
A
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet filtering firewall. A.) An administrator configures an Access Control List (ACL) to deny access to IP addresses with specific sources B.) A firewall that maintains stateful information about the connection C.) A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern D.) A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall
A
This proxy intercepts client traffic without the client having to be reconfigured with the proxy server address. The network admin may implement this proxy on a switch, router, or other inline network appliance.
A Transparent (or forced or intercepting) Proxy
Because it performs an active function, this port sensor becomes a point of failure for the links in the event of power loss. When deploying this sensor, it is important to use a model with backup power options.
Active TAP
This refers to normalizing data from different sources so that it is consistent and searchable.
Aggregation
This is a stand-alone hardware firewall that monitors all traffic passing into and out of a network segment.
Appliance Firewall
This is a stand-alone hardware firewall that performs the function of a firewall only.
Appliance Firewall
This can inspect the contents of packets at the application layer and can analyze the HTTP headers. It also analyzes the HTML code present in HTTP packets, to try to identify code that matches a pattern in its threat database.
Application Firewall
This is also known as a stateful multilayer inspection or a deep packet inspection.
Application aware Firewall
Artificial intelligence (AI) and machine learning are especially important during which security information and event management (SIEM) task? A.) Packet capture B.) Analysis and report review C.) Data aggregation D.) Log collection
B
Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate. (Select all that apply.) A.) Training and tuning are fairly simple, and there is a low chance of false positives and false negatives. B.) A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action. C.) Training and tuning are complex, and there is a high chance of false positive and negative rates. D.) A NIDS will identify attacks and block the traffic to stop the attack. The administrator will be able to review the reports for future prevention.
B and C
This detection software attempts to identify zero-day attacks, insider threats, and other malicious activity, for which there is a single signature that deviates from the baseline.
Behavioral-based detection
These detection engines are trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline generates an incident.
Behavioral-based detection engines
Which of the following considerations is most important when employing a signature-based intrusion detection system? A.) The system may produce false positives and block legitimate activity. B.) The system must create a valid baseline signature of normal activity. C.) Signatures and rules must be kept up to date to protect against emerging threats. D.) Signatures and rules must be able to detect zero-day attacks.
C
A system administrator wants to ensure that logs will be accepted as an audit trail. Evaluate the requirements for logs to be accepted and recommend options the system administrator can take. (Select all that apply.) A.) Allow manual entries only by administrator accounts. B.) Administrators can only modify logs for clarity purposes. C.) Use a Write Once, Read Many (WORM) media. D.) Configure logs to be append-only to prevent modification.
C and D
This restricts web use to only authorized sites. Examples: a school restricting access to only .edu sites or disallowing sites with adult-level content, or a workplace allowing only sites used for work purposes.
Content Filter
A network administrator wants to use a proxy server to prevent external hosts from connecting directly with application servers. Which proxy server implementation will best fit this need? A.) Transparent proxy server B.) Non-transparent proxy server C.) Caching proxy server D.) Reverse proxy server
D
A system administrator suspects a memory leak is occurring on a client. Determine which scenario would justify this finding. A.) A rapid decrease in disk space has been logged. B.) High page file utilization has been logged. C.) High utilization when employees are not working has been logged without a scheduled activity. D.) Decreasing available bytes and increasing committed bytes have been logged.
D
Security information and event management (SIEM) collects data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM? A.) Agent-based B.) Listener/collector C.) Sensor (sniffer) D.) Artificial intelligence (AI)
D
What provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis?
Data captured from network sensors/sniffers plus netflow sources
This should be writable only by system processes or by secure accounts that are separate from other administrative accounts.
Log Files
These cannot be modified if they are to be used as an audit trail. Even administrators should not be able to modify these to ensure they are legitimate.
Logs
These typically associate an action with a particular user, satisfying non-repudiation.
Logs
This is a process that takes up memory without subsequently freeing it up, which a worm or other type of malware can cause. Looking for decreasing available bytes and increasing committed bytes can detect this.
Memory Leak
Analyzing these logs allows an administrator to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any identified threats.
NIDS logs
This can identify and log hosts and applications and detect attack signatures and other indicators of attack. An administrator can analyze logs to tune firewall rulesets, remove or block suspect hosts and processes, or deploy additional security controls to mitigate threats identified.
Network-Based Intrusion Detection System (NIDS)
This will not block the traffic during an attack, which is a disadvantage. If an administrator does not immediately review logs during an attack, a delay will occur and the attack will continue.
Network-Based Intrusion Detection System (NIDS)
This does not maintain stateful information about the connection between two hosts. The firewall analyzes each packet independently, with no record of previously processed packets.
Packet Filtering Firewalls
This operates at layer 3 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 5 of the model.
Packet Filtering Firewalls
With this port sensor the monitored port receives every frame—corrupt, malformed, or not—and load does not affect copying.
Passive TAP
This is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port.
Passive test access point (TAP)
This port sensor is not completely reliable, as frames with errors will not be mirrored and frames may be dropped under heavy load.
SPAN/mirror
This software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IOC). Many of these solutions use artificial intelligence (AI) and machine learning as the basis for automated analysis.
Security Information and Event Management (SIEM)
This is a solution to the problem of the volume of alerts overwhelming analysts' ability to respond. A security engineer may implement this as a standalone technology or integrate it with a SIEM, using machine/deep learning techniques to enrich data for use in incident response and threat hunting.
Security orchestration, automation, and response (SOAR)
This detection (or pattern-matching) engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.
Signature-based detection
These (often called plug-ins or feeds) powering intrusion detection need updating regularly to provide protection against the latest threat types.
Signatures and rules-based intrusion detection
Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions? A.) Signature-based detection system B.) Secure web gateway (SWG) C.) Network-based intrusion prevention system (IPS) D.) Active or passive test access point (TAP)
B
Analyze the following scenarios and determine which best simulates a content filter in action. (Select all that apply.) A.) A system has broken down a packet containing malicious content, and erases the suspicious content, before rebuilding the packet. B.) A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter. C.) A system administrator builds a set of rules based on information found in the source IP address to allow access to an intranet. D.) A system administrator blocks access to social media sites after the CEO complains that work performance has decreased due to excessive social media usage at work.
B and D
Analyze each statement and determine which describes a fundamental improvement on traditional log management that security information and event management (SIEM) offers. A.) SIEM is completely automated; it requires no manual data preparation. B.) SIEM logs ensure non-repudiation, whereas other logs cannot link a specific user to an action. C.) SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise. D.) SIEM addresses the issue of sheer volume of alerts, using machine learning to facilitate threat hunting.
C
True or False: A packet filtering firewall is stateless, and an application firewall is a software application running on a single host.
True
This product centralizes many types of security controls into a single appliance, but it might not perform as well as software or a device with a single dedicated security function.
Unified threat management (UTM)
This can drive correlation efforts for automated analysis.
AI and machine learning
This does not require client-side configuration and is called a transparent proxy server. In this type of server, the client is unaware of the proxy server, which redirects client requests without modification.
Caching Server
This port sensor rebuilds the upstream and downstream channels into a single channel, but it can drop frames under very heavy load.
Aggregation TAPs
This media will be acceptable to auditors because the logs cannot be modified once written. This provides assurance that the logs contain accurate information for audits.
Write Once, Read Many (WORM)