Network Security Devices, Design and Technology

Router

(computer science) a device that forwards data packets between computer networks

Simple Mail Transfer Protocol(SMTP)

-application level protocol used by clients to send email -uses port 25

DLP network sensors

-installed on the perimeter of the network to protect data in transit by monitoring all network traffic

SIEM Event Duplication

A SIEM feature that can help filter the multiple alerts into a single alarm.

SIEM logs

A SIEM feature that records events to be retained for future analysis and to show that the enterprise has complied with regulations.

Virtual LAN (VLAN)

A Technology that allows scattered users to be logically grouped together even though they are physically attached to different switches. This can reduce network traffic and provide a degree of security. VLANs can be isolated so that sensitive data is transported only to members of the VLAN.

Split Tunnel VPN

A VPN admin determines what traffic should use the encrypted tunnel

Always-on VPN

A VPN that allows the user to always stay connected instead of connecting and disconnecting from it.

Forward Proxy

A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.

Reverse Proxy

A computer or an application program that routes incoming requests to the correct server.

Intrusion Detection System (IDS)

A device designed to be active security; it can detect an attack as it occurs.

VPN Concentrator

A device that aggregates hundreds or thousands of VPN connections.

False Negative

A failure of an IDS to detect an actual attack

Stateful Packet Filtering

A firewall technology that keeps a record of the state of a connection between an internal computer and an external device and then makes decisions based on the connection as well as the rule base.

Stateless Packet Filtering

A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.

Application-Based Firewall

A firewall that functions at the OSI Application layer (Layer 7). Indentifies the apps thart send packets through the firewall and then makes decisions about the app instead of filtering the packets based on granular rule settings like the destination port or protocol

Host-Based Firewall

A firewall that only protects the computer on which it's installed.

Hardware Firewall

A hardware firewall is a physical filtering component that inspects data packets from the network before they reach computers and other devices on a network. A hardware firewall is a free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance.

Loop Prevention

A method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.

Anomaly Monitoring

A monitoring technique used by an intrusion detection system (IDS) that creates a baseline of normal activities and compares actions against the baseline. Whenever there is a significant deviation from this baseline, an alarm is raised.

Signature-Based Monitoring

A monitoring technique used by an intrusion detection system (IDS) that examines network traffic to look for well-known patterns and compares the activities against a predefined signature.

Behavioral-Monitoring

A monitoring technique used by an intrusion detection system (IDS) that uses the normal processes and actions as the standard and compares actions against it. Continuously analyzes the behavior of processes and programs on a system and alerts the user if it detects any abnormal actions at which point the user can decide whether to allow or block the activity

Dissolvable NAC Agent

A network access control (NAC) agent that disappears after reporting information to the NAC device.

permanent NAC agent

A network access control (NAC) agent that resides on end devices until uninstalled.

Post Office Protocol (POP)

A protocol used to retrieve email from a mail server. POP3 is a later iteration of the POP protocol, and can be used with or without SMTP. Port 110

Transparent Proxy

A proxy that does not require any configuration on the user's computer.

Virtual IP

A single IP address shared by multiple systems by using a different port number for each

Host-Based Intrusion Detection System (HIDS)

A software-based application that runs on a local host computer that can detect an attack as it occurs.

Application/multipurpose proxy

A special proxy server that knows the application protocols that it supports.

Web Application Firewall

A special type of application-aware firewall that looks at the applications using HTTP. Provides strong protection for web servers

Host Based Intrusion Prevention System (HIPS)

A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers and responding based on a rule set.

Mail Gateway

A system that monitors emails for unwanted content and prevents these messages from being delivered.

Network Access Control (NAC)

A technique that examines the current state of a system or network device before it is allowed to connect to the network.

Virtual Private Network (VPN)

A technology that enables authorized users to use unsecured public network, such as the Internet, as if it were a secure private network. Encrypts all data that is transmitted between the remote device and the network

Intrusion Prevention System (IPS)

A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity.

Network Intrusion Prevention System (NIPS)

A technology that monitors network traffic to immediately react to block a malicious attack by following established rules

Network Intrusion Detection System (NIDS)

A technology that watches for attacks on the network and reports back to a central device.

Security and Information Event Management (SIEM)

A two-part process consisting of security event monitoring (SEM), which performs real-time monitoring of security events, and security information management (SIM), where the monitoring log files are reviewed and analyzed by automated and human interpreters.

Site-To-Site VPN

A virtual private network in which multiple sites can connect to other sites over the Internet.

Network-Based Firewall

Additional software installed to monitor, filter and log traffic. Has multiple NIC's installed

False Positive

Alarms raised when theres not actual abnormal behavior

Firewall Actions

Allow- let the packet pass through Drop - Prevent the packet from passing into the network and send no response to the user Reject - Prevent the packet from passing into the network but send a message to the sender that the destination cannot be reached Ask - Inquire what action to take

In-Band IDS

An intrusion detection system (IDS) implemented through the network itself by using network protocols and tools.

Passive IDS

An intrusion detection system (IDS) that is connected to a port on a switch in which data is fed to it.

Inline IDS

An intrusion detection system (IDS) that is directly connected to the network and monitors the flow of data as it occurs.

Out-of-Band IDS

An intrusion detection system (IDS) that uses an independent and dedicated channel to reach the device.

load balancing

Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.

Physical Network Segregation

Isolating the network so that it is not accessible by outsiders.

Implicit Deny

Rejecting access unless a condition is explicitly met.

host agent health checks

Reports sent by network access control (NAC) "agents" installed on devices to gather information and report back to the NAC device.

Affinity Scheduling

Scheduling protocol that distributes the load based on which devices can handle the load more efficiently

DLP agent sensors

Sensors installed on each host device and protect data in-use.

DLP storage sensors

Sensors on network storage devices are designed to protect data at-rest

Active-Passive Configuration

The primary load balancer distributes network traffic to the most suitable server while the secondary load balancer operates in listening mode

Round Robin

The rotation applies to all devices equally. Scheduling protocol

Network Address Translation (NAT)

Translates the private IP address to a public address for routing over the Internet

Internet Mail Access Protocol(IMAP)

Used for incoming mail. Remote email storage, can be used offline

Hueristic Monitoring

Uses an algorithm to determine if a threat exists. IDS is triggered if any app tries to scan multiple ports

Agentless NAC

When a device joins the domain and a user logs in, NAC uses Active Directory to scan the device to verify that it is in compliance.

Port Security

a Cisco switch feature that limits the number of MAC addresses allowed to communicate through a particular port

Firewall

a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

Software Firewall

a program that runs on a computer to allow or deny traffic between the computer and other device to which it is connected

Demilitarized Zone (DMZ)

a separate network located outside the organization's internal information system that permits controlled access from the internet

Data Loss Prevention (DLP)

a system of security tools that is used to recognize and identify data that is critical to the organization and ensure that it is protected. This protection involves monitoring who is using the data and how it is being accessed. DLP's goal is to protect data from unauthorized users.

Remote Access VPN

a user-to-LAN connection by remote users

Air Gap

absence of any type of connection between devices, in this case the secure network and another network.

SEIM Time Sychronization

alerts occur over a wide spectrum of time, SIEM time synchronization can show the order of the events.

active/active configuration

all load balancers are always active. Network traffic is combined and the load balancers then work together as a team

Full Tunnel VPN

all traffic goes through an encrypted tunnel while the user is connected

SEIM automated alerting and triggers

can inform security personnel of critical issues that need immediate attention. A sample trigger may be Alert when a firewall, router, or switch indicates 40 or more drop/reject packet events occur from the same IP source address occurring within 60 seconds.

Aggregation SIEM

combines data from multiple data sources (network security devices, servers, software applications, etc.) to build a comprehensive picture of attacks.

Network Bridge

device dividing traffic on a local area network

Network Switch

device providing a central connection point for cable from workstations

USB Blocking DLP

monitoring emails through a mail gateway and blocking the copying of files to a USB flash drive

Rule-Based Firewall

rules set by an administrator that tell the firewall precisely what action to take with each packet that comes through it

SEIM Correlation

searches the data acquired through SIEM aggregation to look for common characteristics, such as multiple attacks coming from a specific source.