Lesson 9: Installing and Configuring Security Appliances
Signature-Based Monitoring
A network monitoring system that uses an predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.
Heuristic Monitoring
A network monitoring system that uses known best practices and characteristics in order to identify and fix issues within the network.
DRDoS (distributed reflector DoS) attack
A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor. Also called amplification attack.
Amplification Attack
A network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a DDoS attack by implementing an amplification factor; An attack that increases the amount of bandwidth sent to a victim.
Multipurpose Proxy
A proxy that is configured to filter and service several protocol types.
Session Affinity
A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Also known as Source IP Affinity.
Proxy Server
A server that clears up the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance.
Botnet
A set of computers that has been infected by a control program called a bot that enables attackers to exploit the computers to mount attacks.
Sysinternals
A set of tools designed to assist with troubleshooting issues with Windows.
IDS (Intrusion Detection System)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
Firewall
A software or hardware device that protects a system or network by blocking unwanted network traffic
DLP (Data Loss Prevention)
A software solution that detects and prevents sensitive information in a system or network from being stolen or otherwise falling into the wrong hands.
NOS Firewall
A software-based firewall running on a network server OS, so that the server can function as a gateway or proxy for a network segment.
SIEM (Security Information and Event Management)
A solution that provides real-time or near-realtime analysis of security alerts generated by network hardware and applications.
Appliance Firewall
A standalone hardware device that performs only the function of a firewall, which is embedded into the appliance's firmware.
NIDS (network intrusion detection system)
A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.
Deduplication
A technique for removing duplicate copies of repeated data. In SIEM, the removal of redundant information provided by several monitored systems.
Heuristics
A technique that forces past behavior to predict future behavior.
HIDS (host-based intrusion detection system)
A type of IDS that monitors a computer system for unexpected behavior or drastic changes to the system's state; A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host.
Reverse Proxy Server
A type of proxy server that protects servers from direct contact with client requests.
FIM (file integrity monitoring)
A type of software that reviews system files to ensure that they have not been tampered with.
Load Balancer
A type of switch or router that distributes client requests between different resources, such as communications links or similarly configured servers. This provides fault tolerance and improves throughput.
Anti-Virus
Software to detect and remove viruses and other malware.
Circuit-Level Stateful Inspection Firewall
A Layer 5 firewall technology that tracks the active state of a connection, and can make decisions based on the contents of network traffic as it relates to the state of the connection.
Application Aware Firewall
A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.
Sinkhole Routing
A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.
SYN Flooding
A DoS attack that floods the target system with connection requests that are not finalized.
Packet Filtering
A Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
Tap
A device used to eavesdrop on communications at the Physical layer. An Ethernet tap can be inserted between a switch and a node, while a passive tap can intercept emanations from unshielded cable.
Caching Engine
A feature of many proxy servers that allows the servers to keep a copy of frequently requested web pages.
Personal Firewall
A firewall implemented as applications software running on the host, and can provide sophisticated filtering of network traffic as well as block processes at the application level; firewall used for a home computer.
Host-Based Firewall
A firewall that only protects the computer on which it's installed
Router Firewall
A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.
Clustering
A load balancing technique where a group of servers are configured as a unit and work together to provide network services.
RRDNS (Round Robin Domain Name System)
A load balancing technique where multiple DNS A records are created with the same name.
Audit log
A log that can track user authentication attempts; records the use of system privileges, such as creating a user account or modifying a file. Security log
Blackhole
A means of mitigating DoS or intrusion attacks by dropping (discarding) traffic.
Behavior-Based Monitoring
A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences.
Anomaly-Based Monitoring
A network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside the acceptable range.
UTM (Unified Threat Management)
All-in-one security appliances and technologies that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, Data Loss Prevention, content filtering, and so on.
Rule-Based Management
An adminsitration technique that relies on the principle of least privilege and implicit deny to restrict access to resources.
Web Security Gateway
An appliance/proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.
Content Filter
An application software used to selectively block access to certain websites; A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).
IPS (Intrusion Prevention System)
An inline security device that monitors suspicious network and/or system traffic and reacts in real time to block it.
Behavioral-Based Detection
In IDSs and IPSs, an operation mode where the analysis engine recognizes baseline normal traffic and events, and generates an incident when an anomaly is detected.
Tuples
In a firewall rule, a related set of parameters that describe the rule and the traffic it is designed to allow or block.
Scheduling Algorithms
In load balancing, the code and metrics that determine which node is selected for processing each incoming request.
State Table
Information about sessions between hosts that is gathered by a stateful firewall; firewall security method that monitors the status of all the connections through the firewall.
Logs
OS and applications software can be configured to record data about activity on a computer. This can record information about events automatically.
Access log
Server applications such as Apache can log each connection or request for a resource.
Application Firewall
Software designed to run on a server to protect a particular application such as a web server or SQL server.
WAF (Web Application Firewall)
Specialized host firewall designed to prevent attacks against web applications such as SQL injection or XSS.
WORM media (write once read many)
Storage media used in SIEM to maintain the integrity of the security data being compiled.
NTP (Network Time Protocol)
TCP/IP application protocol allowing machines to synchronize to the same time clock that runs over UDP port 123.
Traffic Filtering
The basic function of a firewall, comparing network traffic to established rules, and preventing access to messages that do not conform to the rules; A method that allows only legitimate traffic through to the network.
Data Exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
Event log
The service on Windows-based operating systems that records events; These logs are used to diagnose errors and performance problems.