Network Security Devices, Design and Technology
Router
(computer science) a device that forwards data packets between computer networks
Simple Mail Transfer Protocol(SMTP)
-application-layer protocol used to send email from a client to a mail server and to relay it between mail servers -uses TCP port 25 for server-to-server relay; clients usually submit mail on port 587 (or 465) with TLS
DLP network sensors
-installed on the perimeter of the network to protect data in transit by monitoring all network traffic
SIEM Event Deduplication
A SIEM feature that collapses repeated copies of the same event (or many identical alerts) into a single alarm so that analysts are not flooded with duplicates.
SIEM logs
A SIEM feature that records events to be retained for future analysis and to show that the enterprise has complied with regulations.
Virtual LAN (VLAN)
A Technology that allows scattered users to be logically grouped together even though they are physically attached to different switches. This can reduce network traffic and provide a degree of security. VLANs can be isolated so that sensitive data is transported only to members of the VLAN.
Split Tunnel VPN
Only the traffic the VPN administrator designates (typically traffic destined for the corporate network) uses the encrypted tunnel; everything else goes directly to the Internet. This saves bandwidth but means the direct traffic bypasses the corporate perimeter controls.
Always-on VPN
A VPN that connects automatically whenever the device has network access and stays connected, instead of relying on the user to connect and disconnect; this prevents traffic from leaving the device outside the tunnel.
Forward Proxy
A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.
Reverse Proxy
A computer or an application program that sits in front of one or more servers, accepts incoming requests on their behalf and routes each to the correct server. It hides the internal servers from clients and can also terminate TLS, cache content and filter requests.
Intrusion Detection System (IDS)
A device that monitors network traffic or host activity and raises an alert when it detects an attack as it occurs. It detects and reports but does not block; blocking is the job of an IPS.
VPN Concentrator
A device that aggregates hundreds or thousands of VPN connections.
False Negative
A failure of an IDS to detect an actual attack
Stateful Packet Filtering
A firewall technology that keeps a record of the state of a connection between an internal computer and an external device and then makes decisions based on the connection as well as the rule base.
Stateless Packet Filtering
A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.
Application-Based Firewall
A firewall that functions at the OSI Application layer (Layer 7). It identifies the applications that send packets through the firewall and makes decisions about the application itself, instead of filtering packets only on granular rule settings such as destination port or protocol.
Host-Based Firewall
A firewall that only protects the computer on which it's installed.
Hardware Firewall
A hardware firewall is a physical filtering component that inspects data packets from the network before they reach computers and other devices on a network. A hardware firewall is a free-standing unit that does not use the resources of the computers it is protecting, so there is no impact on processing performance.
Loop Prevention
A method of preventing switching loop or bridge loop problems. Both STP and RSTP prevent switching loops.
Anomaly Monitoring
A monitoring technique used by an intrusion detection system (IDS) that creates a baseline of normal activities and compares actions against the baseline. Whenever there is a significant deviation from this baseline, an alarm is raised.
Signature-Based Monitoring
A monitoring technique used by an intrusion detection system (IDS) that examines network traffic to look for well-known patterns and compares the activities against a predefined signature.
Behavioral Monitoring
A monitoring technique used by an intrusion detection system (IDS) that uses the normal processes and actions as the standard and compares actions against it. Continuously analyzes the behavior of processes and programs on a system and alerts the user if it detects any abnormal actions at which point the user can decide whether to allow or block the activity
Dissolvable NAC Agent
A network access control (NAC) agent that disappears after reporting information to the NAC device.
Permanent NAC Agent
A network access control (NAC) agent that resides on end devices until uninstalled.
Post Office Protocol (POP)
A protocol used to retrieve email from a mail server; POP3 is the current version. It downloads messages to the client (usually deleting them from the server) and is used alongside SMTP, which handles sending. TCP port 110 (995 with TLS).
Transparent Proxy
A proxy that does not require any configuration on the user's computer.
Virtual IP
An IP address that is not tied to one physical interface but is shared by a group of systems, such as the public address of a load balancer or a high-availability pair. Clients connect to the virtual IP and whichever node currently owns it answers, so the address survives the failure of any single system.
Host-Based Intrusion Detection System (HIDS)
A software-based application that runs on a local host computer that can detect an attack as it occurs.
Application/multipurpose proxy
A special proxy server that knows the application protocols that it supports.
Web Application Firewall
A special type of application-aware firewall that looks at the applications using HTTP. Provides strong protection for web servers
Host Based Intrusion Prevention System (HIPS)
A system that automatically responds to computer intrusions by monitoring activity on one or more individual PCs or servers and responding based on a rule set.
Mail Gateway
A system that monitors emails for unwanted content and prevents these messages from being delivered.
Network Access Control (NAC)
A technique that examines the current state of a system or network device before it is allowed to connect to the network.
Virtual Private Network (VPN)
A technology that enables authorized users to use unsecured public network, such as the Internet, as if it were a secure private network. Encrypts all data that is transmitted between the remote device and the network
Intrusion Prevention System (IPS)
A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity.
Network Intrusion Prevention System (NIPS)
A technology that monitors network traffic to immediately react to block a malicious attack by following established rules
Network Intrusion Detection System (NIDS)
A technology that watches for attacks on the network and reports back to a central device.
Security Information and Event Management (SIEM)
A two-part process consisting of security event management (SEM), which performs real-time monitoring of security events, and security information management (SIM), in which the collected log files are reviewed and analyzed by automated tools and human analysts.
Site-To-Site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.
Network-Based Firewall
A firewall deployed as a dedicated device (or as software on a dedicated host) at a network boundary to monitor, filter and log the traffic passing between networks. It has multiple NICs installed, one for each network it connects.
False Positive
An alarm raised when there is no actual attack or abnormal behavior.
Firewall Actions
-Allow: let the packet pass through
-Drop: prevent the packet from passing into the network and send no response to the sender
-Reject: prevent the packet from passing into the network but send a message to the sender that the destination cannot be reached
-Ask: inquire (of the user) what action to take
In-Band IDS
An intrusion detection system (IDS) implemented through the network itself by using network protocols and tools.
Passive IDS
An intrusion detection system (IDS) that receives a copy of the traffic from a switch mirror (SPAN) port or a network tap; it can observe and alert but cannot block the traffic it sees.
Inline IDS
An intrusion detection system (IDS) placed directly in the path of the traffic, so that all packets pass through it, and that monitors the flow of data as it occurs. Because it is in the path it can also drop traffic, at which point it is operating as an IPS.
Out-of-Band IDS
An intrusion detection system (IDS) that uses an independent and dedicated channel to reach the device.
Load Balancing
Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.
Physical Network Segregation
Isolating the network so that it is not accessible by outsiders.
Implicit Deny
Rejecting access unless it is explicitly permitted: a firewall or ACL drops any traffic that does not match an allow rule, usually via a final catch-all deny rule at the end of the rule base.
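The stateful and stateless packet filtering, firewall action and implicit deny entries above describe one mechanism from several angles. The following is an added example, not code from the original page: a toy inbound filter in Python with a constructed rule base (the addresses 10.0.0.5, 10.0.0.20 and the external peers are illustrative). It shows why a stateless filter breaks replies to outbound connections unless a wide-open rule is added, how a state table fixes that, and how allow, drop and reject differ.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                   # "allow", "drop" or "reject"
    dst: Optional[str] = None     # None matches any address
    dport: Optional[int] = None   # None matches any port
    proto: Optional[str] = None   # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


# Constructed inbound rule base; first match wins. 10.0.0.5 is a public web server.
INBOUND_RULES = [
    Rule("allow", dst="10.0.0.5", dport=443, proto="tcp"),   # HTTPS to the web server
    Rule("reject", dst="10.0.0.5", dport=22, proto="tcp"),   # SSH closed; sender is told
]
IMPLICIT_DENY = "drop"   # anything no rule mentions is silently dropped


def stateless_filter(p: Packet, rules=INBOUND_RULES) -> str:
    """Stateless: judge each packet on its own against the rule base."""
    for r in rules:
        if r.matches(p):
            return r.action
    return IMPLICIT_DENY


class StatefulFilter:
    """Stateful: remember connections opened from the inside so that their
    reply packets are allowed back in without an explicit inbound rule."""

    def __init__(self, rules=INBOUND_RULES):
        self.rules = rules
        self.conns = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def outbound(self, p: Packet) -> str:
        self.conns.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "allow"

    def inbound(self, p: Packet) -> str:
        # Reply to a connection the inside host opened: allowed by state.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conns:
            return "allow"
        # Otherwise the rule base decides, ending in implicit deny.
        return stateless_filter(p, self.rules)


def demo() -> dict:
    fw = StatefulFilter()
    ws_to_web = Packet("10.0.0.20", 51234, "203.0.113.9", 443)
    web_reply = Packet("203.0.113.9", 443, "10.0.0.20", 51234)
    results = {}
    # A stateless filter has no record of the outbound request, so the reply
    # hits implicit deny and browsing breaks unless a wide-open rule is added.
    results["stateless_reply"] = stateless_filter(web_reply)
    fw.outbound(ws_to_web)
    results["stateful_reply"] = fw.inbound(web_reply)
    # Same inside port but a different outside peer: no matching state, dropped.
    results["spoofed_reply"] = fw.inbound(Packet("198.51.100.7", 443, "10.0.0.20", 51234))
    results["https_to_server"] = fw.inbound(Packet("198.51.100.7", 40001, "10.0.0.5", 443))
    results["ssh_to_server"] = fw.inbound(Packet("198.51.100.7", 40002, "10.0.0.5", 22))
    results["unknown_service"] = fw.inbound(Packet("198.51.100.7", 40003, "10.0.0.5", 3389))
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:18} -> {action}")
```

The state table is keyed on the full five-tuple, so a packet that merely guesses the inside host's port is still dropped; a real firewall additionally times entries out and, for TCP, tracks sequence numbers and connection phase.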
host agent health checks
Reports sent by network access control (NAC) "agents" installed on devices to gather information and report back to the NAC device.
Affinity Scheduling
Scheduling policy that sends requests from the same client (identified by source IP or a session cookie) to the same back-end server so that session state is preserved; also called session persistence or sticky sessions. The trade-off is that load is distributed less evenly than with round robin.
DLP agent sensors
Sensors installed on each host device and protect data in-use.
DLP storage sensors
Sensors on network storage devices are designed to protect data at-rest
Active-Passive Configuration
The primary load balancer distributes network traffic to the most suitable server while the secondary load balancer operates in listening mode
Round Robin
Scheduling policy that hands each new request to the next server in turn, rotating through all servers equally regardless of their current load or of which client sent the request.
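As an added example for the affinity and round robin entries (not part of the original page), the following Python simulates both policies over a constructed list of client requests. Server names and client addresses are illustrative; the affinity policy identifies clients by source IP.

```python
import hashlib
from itertools import cycle

SERVERS = ["app1", "app2", "app3"]

# Constructed request stream: the source IP of each incoming request, in order.
REQUESTS = ["192.0.2.10", "192.0.2.11", "192.0.2.10",
            "192.0.2.10", "192.0.2.12", "192.0.2.11"]


class RoundRobin:
    """Each new request goes to the next server in rotation, whoever sent it."""

    def __init__(self, servers):
        self._next = cycle(servers)

    def pick(self, client_ip: str) -> str:
        return next(self._next)


class SourceAffinity:
    """Requests from one client always land on one server (sticky sessions).
    The first request is placed by hashing the client address; later requests
    reuse the recorded choice, as a balancer would with a persistence table."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}   # client_ip -> server

    def pick(self, client_ip: str) -> str:
        if client_ip not in self.table:
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            self.table[client_ip] = self.servers[h % len(self.servers)]
        return self.table[client_ip]


def schedule(policy, requests=REQUESTS):
    """Run a request stream through a policy; returns the chosen server per request."""
    return [policy.pick(ip) for ip in requests]


def same_server_per_client(assignment, requests=REQUESTS) -> bool:
    """True if every client was sent to a single server throughout the stream."""
    seen = {}
    for ip, srv in zip(requests, assignment):
        if seen.setdefault(ip, srv) != srv:
            return False
    return True


if __name__ == "__main__":
    rr = schedule(RoundRobin(SERVERS))
    aff = schedule(SourceAffinity(SERVERS))
    print("round robin:", rr, "sticky:", same_server_per_client(rr))
    print("affinity:   ", aff, "sticky:", same_server_per_client(aff))
```

Round robin spreads the six requests evenly but splits client 192.0.2.10 across two servers, which breaks any application that keeps login state in server memory; affinity keeps that client on one server at the cost of an uneven spread.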
Network Address Translation (NAT)
Translates private (RFC 1918) IP addresses to a public address for routing over the Internet and translates the replies back. Port address translation (PAT), the common form, lets many internal hosts share one public address by also rewriting source port numbers. NAT hides internal addressing but is not a substitute for a firewall.
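An added example (not code from the original page) of the translation table a NAT device keeps. The public address 203.0.113.1 and the inside hosts are constructed; both inside hosts deliberately use the same source port to show why ports, not just addresses, must be rewritten.

```python
PUBLIC_IP = "203.0.113.1"   # constructed public address of the NAT device


class PAT:
    """Port address translation: many private hosts behind one public IP."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port) -> public_port
        self.back = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source; allocate a mapping on first use."""
        key = (src_ip, src_port)
        if key not in self.out:
            pub = self.next_port
            self.next_port += 1
            self.out[key] = pub
            self.back[pub] = key
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Rewrite a packet arriving at the public address.
        Returns None when no mapping exists: the packet cannot be delivered
        and is dropped, which is why unsolicited inbound traffic fails."""
        if dst_port not in self.back:
            return None
        priv_ip, priv_port = self.back[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


def demo() -> dict:
    nat = PAT()
    # Two inside hosts, same source port, same destination.
    a = nat.outbound("10.0.0.20", 51234, "198.51.100.5", 443)
    b = nat.outbound("10.0.0.21", 51234, "198.51.100.5", 443)
    a_again = nat.outbound("10.0.0.20", 51234, "198.51.100.5", 443)   # reuses mapping
    reply_b = nat.inbound("198.51.100.5", 443, b[1])                   # reaches .21
    stray = nat.inbound("198.51.100.7", 12345, 40500)                   # no mapping
    return {"a": a, "b": b, "a_again": a_again, "reply_b": reply_b, "stray": stray}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Real NAT tables also expire idle mappings and key on protocol; the point here is that the "hiding" of inside hosts is a side effect of the table, not an access policy, so a firewall rule base is still needed.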
Internet Message Access Protocol (IMAP)
Used for incoming mail. Messages stay on the server so they can be read from several devices; the client can cache copies for offline use. TCP port 143 (993 with TLS).
Heuristic Monitoring
Uses an algorithm (a rule of thumb rather than an exact signature) to judge whether activity is likely to be an attack; for example, the IDS is triggered if any application tries to connect to many different ports on a host in a short time, which is characteristic of a port scan.
Agentless NAC
When a device joins the domain and a user logs in, NAC uses Active Directory to scan the device to verify that it is in compliance.
Port Security
a switch feature (Cisco terminology) that limits the number of MAC addresses allowed to communicate through a particular port. When the limit is exceeded the port can protect (drop frames from unknown addresses), restrict (drop and log) or shut down, defeating attempts to flood the switch's MAC table or plug in an unauthorized device.
Firewall
a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
Software Firewall
a program that runs on a computer to allow or deny traffic between that computer and the other devices to which it is connected
Demilitarized Zone (DMZ)
a separate network segment placed between the Internet and the organization's internal network; it hosts public-facing services and permits controlled access from the Internet without exposing the internal systems
Data Loss Prevention (DLP)
a system of security tools that is used to recognize and identify data that is critical to the organization and ensure that it is protected. This protection involves monitoring who is using the data and how it is being accessed. DLP's goal is to protect data from unauthorized users.
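As an added example of the content inspection at the heart of DLP (not code from the original page), the following Python checks an outbound email for payment card numbers the way a mail gateway or network sensor would: a regular expression finds candidate digit runs and the Luhn check discards ones that are not real card numbers. The message, sender and policy are constructed.

```python
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, as a whole word.
CARD_RX = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

MESSAGE = {   # constructed outbound mail
    "from": "alice@example.com",
    "to": "partner@example.org",
    "body": "Order 1234567812345678 confirmed. Card 4111 1111 1111 1111 charged.",
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Candidate runs that also pass Luhn; the order number above does not."""
    return [m.group() for m in CARD_RX.finditer(text) if luhn_ok(m.group())]


def mask(number: str) -> str:
    digits = [c for c in number if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def inspect_outbound(message: dict, policy: str = "block") -> dict:
    """Gateway decision for one message under a 'block' or 'redact' policy.
    Matches are reported masked so the DLP log itself does not leak the data."""
    hits = find_cards(message["body"])
    if not hits:
        return {"action": "deliver", "matches": []}
    if policy == "block":
        return {"action": "block", "matches": [mask(h) for h in hits]}
    body = message["body"]
    for h in hits:
        body = body.replace(h, mask(h))
    return {"action": "deliver", "body": body, "matches": [mask(h) for h in hits]}


if __name__ == "__main__":
    print(inspect_outbound(MESSAGE))
    print(inspect_outbound(MESSAGE, policy="redact"))
```

The same detector can sit in an agent sensor (data in use), a network sensor (data in transit) or a storage scan (data at rest); what differs is where the text comes from and which action is possible there.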
Remote Access VPN
a user-to-LAN connection by remote users
Air Gap
absence of any type of connection between devices, in this case the secure network and another network.
SIEM Time Synchronization
Alerts arrive from many devices over a wide span of time. With every device's clock synchronized (for example via NTP), the SIEM can place events in their true order and correlate them across devices; unsynchronized clocks make related events look unrelated.
active/active configuration
all load balancers are always active. Network traffic is combined and the load balancers then work together as a team
Full Tunnel VPN
all traffic goes through an encrypted tunnel while the user is connected
SIEM Automated Alerting and Triggers
Can inform security personnel of critical issues that need immediate attention. A sample trigger: alert when a firewall, router or switch reports 40 or more drop/reject packet events from the same source IP address within 60 seconds.
SIEM Aggregation
combines data from multiple data sources (network security devices, servers, software applications, etc.) to build a comprehensive picture of attacks.
Network Bridge
device that connects two LAN segments and forwards frames between them based on MAC address, dividing the LAN into separate collision domains so that local traffic stays on its own segment
Network Switch
device providing a central connection point for the cables from workstations; it learns the MAC address on each port and forwards a frame only to the port where its destination resides
USB Blocking DLP
A DLP enforcement action on the endpoint that blocks copying protected files to removable USB storage; it is the endpoint counterpart of a mail gateway blocking protected content in outbound email.
Rule-Based Firewall
rules set by an administrator that tell the firewall precisely what action to take with each packet that comes through it
SIEM Correlation
Searches the data acquired through SIEM aggregation for common characteristics, such as multiple attacks coming from a specific source, and links the related events into one incident.