Information and Cybersecurity Quiz 3


identification

mechanism whereby an unverified entity that seeks access to a resource proposes a label by which it is known to the system

best practices for firewalls

All traffic from the trusted network is allowed out. The firewall device is never directly accessible from the public network. SMTP data is allowed to pass through the firewall but should be routed to a well-configured SMTP gateway to filter and route messaging traffic securely. All ICMP data should be denied. Telnet access to all internal servers from the public networks should be blocked. When Web services are offered outside the firewall, HTTP traffic should be denied from reaching your internal networks through the use of some form of proxy access or DMZ architecture.

extranets

DMZs can also create ____________—segments of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.

architectures

Firewall devices can be configured in a number of network connection _______________.

firewall rules

Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. This logical set is most commonly referred to as _____________, rule base, or firewall logic. Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped.

configuring and managing firewalls

Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules that regulate its actions. The configuration of firewall policies can be complex and difficult. Configuring firewall policies is as much an art as a science. Each configuration rule must be carefully crafted, debugged, tested, and sorted. When configuring firewalls, keep one thing in mind: when security rules conflict with the performance of business, security often loses.

protecting remote connections

Installing Internetwork connections requires using leased lines or other data channels provided by common carriers, and therefore these connections are usually permanent and secured under the requirements of a formal service agreement. In the past, organizations provided remote connections exclusively through dial-up services like Remote Authentication Service (RAS). Since the Internet has become more widespread in recent years, other options such as virtual private networks (VPNs) have become more popular.

remote access

It is a widely held view that these unsecured, dial-up connection points represent a substantial exposure to attack. An attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points. A war dialer is an automatic phone-dialing program that dials every number in a configured range and checks to see if a person, answering machine, or modem picks up. Some technologies, such as RADIUS systems, TACACS, and CHAP password systems, have improved the authentication process.

addresses

MAC ____________ of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked.

packet filtering routers

Most organizations with an Internet connection have a router as the interface to the Internet at the perimeter. Many of these routers can be configured to reject packets that the organization does not allow into the network. The drawbacks to this type of system include a lack of auditing and strong authentication, and the complexity of the access control lists used to filter the packets can grow and degrade network performance.

proxy (application gateway)

Since the ________ server is often placed in an unsecured area of the network or is placed in the DMZ, it, rather than the Web server, is exposed to the higher levels of risk from the less trusted networks. Additional filtering routers can be implemented behind the _________, limiting access to the more secure internal system and thereby further protecting internal systems.

solutions

Technical control ______________ improve an organization's ability to balance making information readily available against increasing information's levels of confidentiality and integrity.

screened subnet firewalls (with DMZ)

The dominant architecture used today provides a DMZ, which can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet. It commonly consists of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network. Connections from outside (the untrusted network) are routed through an external filtering router. Connections from outside (the untrusted network) are routed into and out of a routing firewall to a separate network segment known as the DMZ. Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

screened host firewalls

This architecture combines the packet filtering router with a separate, dedicated firewall, such as an application proxy server, allowing the router to prescreen packets to minimize the network traffic and load on the internal proxy. The application proxy examines an application layer protocol and performs the proxy services. This separate host is often referred to as a bastion host or sacrificial host; it can be a rich target for external attacks and should be very thoroughly secured.

objectives of the network
organization's ability to develop and implement architectures
budget available for function

What 3 factors determine which firewall configuration works the best for a particular organization?

separate computer system
software service running on an existing router or server
separate network containing supporting devices

What 3 things can a firewall be?

Encapsulation (of incoming and outgoing data)
Encryption (of incoming and outgoing data)
Authentication (of the remote computer and, perhaps, the remote user as well)

What 3 things must a VPN accomplish?

packet filtering
application gateways
circuit gateways
MAC layer firewalls
hybrids

What 5 processing modes can firewalls be categorized by?

static filtering
dynamic filtering
stateful inspection

What are 3 subsets of packet filtering firewalls?

smart card
synchronous tokens
asynchronous tokens

What are 3 examples of something a supplicant has?

for each authenticated user
for members of a group
across multiple systems

What are 3 ways authorization can be handled?

Protects DMZ systems and information from outside threats
Protects the internal networks by limiting how external connections can gain access to internal systems

What are the 2 functions a screened subnet performs?

trusted VPN
secure VPN
hybrid VPN (combines trusted and secure)

What are the 3 VPN technologies?

something a supplicant knows
something a supplicant has
something a supplicant is

What are the 3 authentication factors?

Class A
Class B
Class C

What are the 3 classes of reserved nonroutable address ranges?

AS (authentication server)
KDC (key distribution center)
TGS (Kerberos ticket granting service)

What are the 3 interacting services in Kerberos, all of which use a database library?

IP (internet protocol) source and destination address
direction (inbound or outbound)
TCP (transmission control protocol) or UDP (user datagram protocol) source and destination port requests

What are the 3 restrictions most commonly implemented for packet filtering firewalls?

packet filtering routers
screened host firewalls
dual-homed firewalls
screened subnet firewalls

What are the 4 common architectural implementations of firewalls?

source address
destination address
service (HTTP, SMTP, FTP, Telnet)
action (allow or deny)

What are the 4 parts of a firewall rule format?

appliances (most firewalls: stand-alone, self-contained systems)
commercial-grade firewall system
SOHO (small office/home office) firewall applications
residential-grade firewall software

What are the 4 types of firewalls when categorized by structure?

source address
source port
destination address
destination port
time remaining in seconds
total time in seconds
protocol

What are the 7 parts of a state table entry?

processing mode
development era
intended structure

What are the three firewall categorization methods?

password
passphrase

What are two examples of something a supplicant knows?

relies upon individual characteristics
strong authentication

What are two characteristics of something a supplicant is?

selecting

When ____________ the best firewall for an organization, you should consider a number of factors. The most important of these is the extent to which the firewall design provides the desired protection: What type of firewall technology offers the right balance between protection and cost for the needs of the organization? What features are included in the base price? What features are available at extra cost? Are all cost factors known? How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? Can the candidate firewall adapt to the growing network in the target organization? The second most important issue is cost.

software (SOHO)

With the ________________ option, the hacker is inside your computer, battling with a piece of ____________ that may not have been correctly installed, configured, patched, upgraded, or designed. If the _______________ happens to have a known vulnerability, the hacker could bypass it and then have unrestricted access to your system.

dual-homed host firewalls

With this approach, the bastion host contains two NICs: one connected to the external network and one connected to the internal network, providing an additional layer of protection by requiring all traffic to go through the firewall to move between the internal and external networks. Implementation of this architecture often makes use of NAT mapping—assigned IP addresses to special ranges of nonroutable internal IP addresses, creating yet another barrier to intrusion from external attackers.

first

________ generation firewalls are static packet filtering firewalls—simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks.

third

_________ generation firewalls are stateful inspection firewalls and monitor network connections between internal and external systems using state tables.

fifth

__________ generation firewalls are kernel proxy firewalls, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT.

hardware (SOHO)

With a ___________ device, even if the hacker manages to crash the firewall system, your computer and information are still safely behind the now disabled connection, which is assigned a nonroutable IP address, making it virtually impossible to reach from the outside.

simple

___________ firewall models examine one aspect of the packet header: the destination and source address. They enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device. They accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators. They only allow or deny certain packets based on their address.

second

___________ generation firewalls are application-level firewalls or proxy servers— dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

fourth

___________ generation firewalls are dynamic packet filtering firewalls and allow only a particular packet with a particular source, destination, and port address to enter.

identifiers

______________ can be composite identifiers, concatenating elements (department codes, random numbers, or special characters) to make them unique. Some organizations generate random numbers.

VPN

a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. VPNs are commonly used to securely extend an organization's internal network connections to remote locations beyond the trusted network.

password

a private word or combination of characters that only the user should know

passphrase

a series of characters, typically longer than a password, from which a virtual password is derived

dynamic filtering

allows the firewall to react to an emergent event and update or create rules to deal with the event. It allows only a particular packet with a particular source, destination, and port address to enter through the firewall.

technical controls

are essential in enforcing policy for many IT functions that do not involve direct human control

hybrid firewalls

combine the elements of other types of firewalls—that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways. They may consist of two separate firewall devices, each a separate firewall system, connected to work in tandem.

hybrid VPN

combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network.

smart card

contains a computer chip that can verify and validate information

MAC layer firewalls

designed to operate at the media access control layer of the OSI network model. This gives these firewalls the ability to consider the specific host computer's identity in its filtering decisions.

accountability (auditability)

ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. It is most often accomplished by means of system logs and database journals, and the auditing of these records. System logs record specific information, and logs have many uses.

supplicant

entity that seeks a resource

packet filtering firewalls

examine the header information of data packets that come into a network.

class B (20 bit)

from: 172.16.0.0 to: 172.31.255.255 CIDR mask: /12 or /16 decimal mask: 255.240.0.0 or 255.255.0.0

Application gateway (application-level firewall, or application firewall)

frequently installed on a dedicated computer, separate from the filtering router, but it is commonly used in conjunction with a filtering router. also known as a proxy server, since it runs special software that acts as a proxy for a service request.

class A (24 bit)

from: 10.0.0.0 to: 10.255.255.255 CIDR mask: /8 decimal mask: 255.0.0.0

class C (16 bit)

from: 192.168.0.0 to: 192.168.255.255 CIDR mask: /16 or /24 decimal mask: 255.255.0.0 or 255.255.255.0

DACs (discretionary access controls)

implemented at the discretion or option of the data user

TACACS (terminal access controller access control system)

uses a centralized database and validates the user's credentials at the TACACS server.

war dialer

is an automatic phone-dialing program that dials every number in a configured range and checks to see if a person, answering machine, or modem picks up.

diameter

is an emerging alternative derived from RADIUS

Sesame

is similar to Kerberos in that the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) as proof of identity to gain a privilege attribute certificate (PAC). It uses public key encryption and adds additional and more sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and delegation of responsibility for allowing access.

stateful firewalls (stateful inspection firewalls)

keep track of each network connection between internal and external systems using a state table and can block incoming packets that are not responses to internal requests. The disadvantage of this type of firewall is the additional processing required to manage and verify packets against the state table, which can leave the system vulnerable to a DoS or DDoS attack.

access control

method by which systems determine whether and how to admit a user into a trusted area of the organization

encryption

of incoming and outgoing data to keep the data contents private while in transit over the public network but usable by the client and server computers and/or the local networks on both ends of the VPN connection.

encapsulation

of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network, as well as be usable by the server network environment.

authentication

of the remote computer and, perhaps, the remote user as well. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.

circuit gateway firewall

operates at the transport layer. Connections are authorized based on addresses. Circuit gateways do not usually look at data traffic flowing between one network and another, but they do prevent direct connections between one network and another. They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then they allow only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels.

RADIUS (remote authentication dial-in user service system)

places the responsibility for authenticating each user in the central RADIUS server. When a remote access server receives a request for a network connection from a dial-up client, it passes the request along with the user's credentials to the RADIUS server, which then validates the credentials and passes the resulting decision (accept or deny) back to the accepting RAS.

firewall

prevents specific types of information from moving between the outside world, known as the untrusted network, and the inside world, known as the trusted network.

53

protocol: domain name services (DNS)

7 (port number)

protocol: echo

21

protocol: file transfer [control] (FTP)

20

protocol: file transfer [default data] (FTP)

80

protocol: hypertext transfer protocol (HTTP)

110

protocol: post office protocol 3 (POP3)

25

protocol: simple mail transfer protocol (SMTP)

161

protocol: simple network management protocol (SNMP)

23

protocol: telnet

static filtering

requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed. Static filtering allows entire sets of one type of packet to enter in response to authorized requests.

content filter

software filter—technically not a firewall—that allows administrators to restrict content access from within the network. It is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations or restricts users from receiving general types or specific examples of Internet content. Some refer to __________ __________ as reverse firewalls, as their primary focus is to restrict internal access to external material. In the most common implementation models, the ________ _________ has two components: rating and filtering. The rating is like a set of firewall rules for Web sites and is common in residential _________ __________. The filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures. The most common __________ __________ restrict users from accessing Web sites with obvious non-business-related material, such as pornography, or deny incoming spam e-mail.

non discretionary controls

strictly enforced version of MACs that are managed by a central authority

RADIUS
TACACS

systems that authenticate the credentials of users who are trying to access an organization's network via a dial-up connection.

transport mode (VPN)

the data within an IP packet is encrypted, but the header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet.

authorization

the matching of an authenticated entity to a list of information assets and corresponding access levels _______________ tickets

authentication

the process of validating a supplicant's purported identity

SOCKS

the protocol for handling TCP traffic via a proxy server. A proprietary circuit-level proxy server that places special ____________ client-side agents on each workstation can require support and management resources beyond those of traditional firewalls.

MACs (mandatory access controls)

use data classification schemes

secure VPN

use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet.

trusted VPN (VPN)

uses leased circuits from a service provider and conducts packet switching over these leased circuits.

Kerberos

uses symmetric key encryption to validate an individual user to various network resources. ___________ keeps a database containing the private keys of clients and servers—in the case of a client, this key is simply the client's encrypted password. The Kerberos system knows these private keys and can authenticate one network node (client or server) to another. It provides secure third-party authentication.

7, 20, 21, 23, 25, 53, 80, 110, 161

What are the 9 selected well-known port numbers?

KDC

generates and issues session keys.

AS

a Kerberos server that authenticates clients and servers.

TGS

provides tickets to clients who request services. In Kerberos, a ticket is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services. The ticket consists of the client's name and network address, a ticket validation starting and ending time, and the session key, all encrypted in the private key of the server from which the client is requesting services.

state table

tracks the state and context of each packet in the conversation by recording which station sent what packet and when.

