Chapter 6 - Network Security Devices, Design, and Technology
Security and Information Event Management (SIEM)
A SIEM consolidates real-time monitoring and management of security information; analyzes and reports on security events.
Full Tunnel
A VPN technology in which all traffic is sent to the VPN concentrator and is protected.
Split Tunneling
A VPN technology in which only some traffic is sent to the VPN concentrator and is protected while other traffic directly accesses the Internet.
Forward Proxy
A computer or an application program that intercepts user requests from the internal network and processes that request on behalf of the user.
VPN Concentrator
A dedicated hardware device that aggregates hundreds or thousands of VPN connections.
Switches
A device that connects network hosts intelligently; can learn which device is connected to each of its ports; examines the MAC address of the device connected to that port - and stores addresses in a MAC address table.
Bridge
A network bridge is a hardware device or software that joins two separate computer networks (LANs or segments) to facilitate better communication; operates at OSI Layer 2.
A SIEM can be:
A separate device; software that runs on a computer; a service that is provided by a third party.
Host Intrusion Detection System (HIDS)
A software-based application that can detect an attack as it occurs; installed on each system needing protection.
Application/Multipurpose Proxy
A special proxy server that "knows" the application protocols that it supports.
Application-Aware IDS
A specialized IDS that uses "contextual knowledge" in real time; it can know the version of the OS or which application is running as well as what vulnerabilities are present in the systems being protected.
Data Loss Prevention (DLP)
A system of security tools that is used to recognize and identify data that is critical to the organization; ensures that it is protected.
Remote-Access VPN
A user-to-LAN connection.
Layer 4 Balancers
Act upon data found in Network and Transport layer protocols.
A SIEM typically has what functions?
Aggregations, Correlation, Automated alerting and triggers, Time sync, Event duplication, and SIEM logs.
Virtual LAN (VLAN)
Allow scattered users to be logically grouped together, even if attached to different switches.
Always-on VPNs
Allow the user to always stay connected.
Firewall actions on packet
Allow, Drop, and Reject.
NAT
Allows private IP addresses to be used on the public internet; replaces private IPs with public IPs.
Different actions to take when a violation is detected by a DLP
Block the data; redirect it to an individual who can examine the request; quarantine the data; and alert a supervisor of the request.
Standard Network Devices
Bridges, switches, routers, load balancers, and proxies.
SIEM logs
Can be retained for future analysis.
Firewalls
Can be software-based or hardware-based; both types inspect packets and either accept or deny entry; hardware firewalls tend to be more expensive and more difficult to configure and manage; software firewalls running on a device provide protection to that device only; all modern OSs include a software firewall, usually called a host-based firewall.
Intrusion Detection System (IDS)
Can detect an attack as it occurs.
Time Synchronization
Can show the order of events.
Aggregation
Combines data from multiple data sources.
Anomaly-Based Monitoring
Compares current detected behavior with baseline.
Inline IDS
Connected directly to the network and monitors the flow of data as it occurs.
Passive IDS
Connected to a port on a switch, which receives a copy of network traffic.
DLP uses two types of sensors
DLP Network Sensors
Two common security zones
Demilitarized zones and using NAT to create zones.
Behavior-Based Monitoring
Detects abnormal actions by processes or programs; adaptive and proactive monitoring instead of reactive; alerts the user, who decides whether to allow or block the activity.
Dissolvable NAC Agent
Disappears after reporting information to the NAC.
Layer 7 Load Balancers
Distribute requests based on data found in Application layer protocols.
Transparent Proxy
Does not require any configuration on the user's computer.
Virtual Private Network (VPN)
Enables authorized users to use an unsecured public network as if it were a secure private network; all data transmitted between the remote device and the network is encrypted.
Network Access Control (NAC)
Examines the current state of a system or network device before it can connect to the network; any device that does not meet a specified set of criteria can connect only to a "quarantine" network where the security deficiencies are corrected.
Event Duplication
Filter multiple alerts into a single alarm.
Allow
Firewall action that lets a packet pass through.
Drop
Firewall action that prevents the packet from passing into the network and sends no response to the sender.
Reject
Firewall action that prevents the packet from passing into the network but sends a message to the sender.
Routers
Forward packets across different computer networks; operate at the Network layer (Layer 3); can filter out specific types of network traffic using ACLs.
Two types of VPN connections
Full tunnel and Split tunneling.
Load Balancers
Help evenly distribute work across a network; allocate requests among multiple devices; achieved through hardware or software.
IDS systems can be managed with two modes.
In-band, and out-of-band.
Advantages of Proxy Servers
Increased speed, reduced costs, improved management, and stronger security.
Automated Alerting and Triggers
Inform security personnel of critical issues.
Stateless Packet Filtering
Inspects incoming packet and permits or denies based on conditions set by the administrator.
Physical Network Segregation
Isolates the network so that it is not accessible by outsiders.
Stateful Packet Filtering
Keeps a record of the state of connection, makes decisions based on the connection and conditions.
Application-Aware IPS
Knows which applications are running as well as the underlying OS.
Two categories of load balancers
Layer 4 Load balancers, layer 7 balancers.
Correlation
Looks for common characteristics.
Signature-Based Monitoring
Looks for well-known attack signature patterns.
What are proper security configurations for switches?
Loop prevention, and a flood guard.
Advantages with NAT
Masks IP addresses; attackers can't determine the actual IP address of the sender of a captured packet.
Two types of uses of DLP
Monitoring emails through a mail gateway, blocking the copying of files to a USB flash drive (USB blocking).
Mail Gateway
Monitors emails for unwanted content and prevents these messages from being delivered; can search for malware, spam, and phishing attacks on inbound emails; outbound emails can be searched for transmission of sensitive data.
Intrusion Prevention System (IPS)
Monitors network traffic to immediately block a malicious attack; similar to NIDS; "in-line" with firewall; allows NIPS to more quickly take action to block an attack.
Content Inspection
Most DLP systems use this; defined as a security analysis of the transaction within its approved context.
Site-to-Site
Multiple sites can connect to other sites over the internet.
What does NAC use?
NAC uses software "agents" to gather information and report back (host agent health checks).
Two technologies that can help secure a network
Network Access Control and Data Loss Prevention
Application-Aware Firewalls
Operate at a higher level by identifying applications that send packets through the firewall and make decisions about actions to take; applications can be identified by application-based firewalls through predefined application signatures, header inspection, and payload analysis.
Flood Guard
Overflowing a switch with Ethernet frames that have been spoofed so that each frame contains a different source MAC address.
A NAC agent could be
Permanent NAC agent, Dissolvable NAC agent.
Network Security Hardware
Provides greater protection than standard networking devices.
Types of VPNs
Remote-Access VPN,
Different Scheduling protocols used in load balancers
Round-Robin, Affinity, and Other.
Reverse Proxy
Routes requests coming from an external network to the correct internal server.
Security Through Network Devices
Security can be achieved through using the security features found in standard networking devices as well as hardware designed primarily for security.
Rule-Based Firewalls contain info such as:
Source address, destination address, source port, and destination port.
Web Application Firewall
Special type of application-aware firewall that looks deeply into packets that carry HTTP traffic; can block specific sites or specific types of HTTP traffic, such as XSS and SQL Injection attacks.
What does HIDS monitor?
System calls and file system access; it can recognize unauthorized registry modifications and host input and output communications; detects anomalous activity.
Air Gap
The absence of any type of connection between devices.
Endpoints
The end of the tunnel between VPN devices; may be software on local computer or a VPN concentrator.
Goal of NAC
To prevent computers with suboptimal security from potentially infecting other computers through the network.
Mail Gateway Email Systems
Two different TCP/IP systems in use: SMTP, POP/POP3, and IMAP.
Rule-Based Firewalls
Use a set of individual instructions to control actions; each rule is a separate instruction processed in sequence telling the firewall what action to take; rules are stored together in one or more text file(s) that are read when the firewall starts; rule-based systems are static in nature, cannot do anything other than what they have been configured to do.
Heuristic Monitoring
Uses experience-based techniques and an algorithm to see if a threat exists.
Out-of-Band Management
Using an independent and dedicated channel to reach the device.
Network Intrusion Detection System (NIDS)
Watches for attacks on the network; NIDS sensors installed on firewalls and routers gather information and report back to central device; NIDS can sound an alarm and log events.
DMZ
A separate network located outside the secure network perimeter; untrusted outside users can access the DMZ but not the secure network.
In-band Management
Through the network itself by using network protocols and tools.