Chapter 8 - Network Security
These characteristics make malware hard to detect
encryption, stealth, polymorphism, time dependence
user awareness
A NGFW's ability to adapt to the class of a specific user or user group.
context aware
A NGFW's ability to adapt to various applications, users, and devices.
ACL (access control list)
A filter that instructs the router to permit or deny traffic according to different variables
network-based firewall
A firewall that is placed internally or externally to a private network monitoring the connection between the internet and the private network.
quarantine network
A network for devices to be separated from sensitive network resources until remediation steps can be completed.
Trojan horse
A program that disguises itself as something useful but actually harms a system.
bot
A program that runs automatically, without requiring a person to start or stop it.
packet-filtering firewall
A router that examines the header of every packet of data it receives to determine whether that type of packet is authorized to continue to its destination.
Implicit deny
A rule that ensures that any traffic that the ACL does not explicitly permit is denied by default
proxy service
A software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic
Firewall
A specialized device with specialized software that selectively filters or blocks traffic between networks.
IDS (intrusion detection system)
A stand-alone device or software running on a device, which might be managed from another computer on the network and is used to monitor network traffic and create alerts when suspicious activity happens.
Stateful firewall
Able to inspect each incoming packet to determine whether it belongs to a currently active connection and is a legitimate packet.
On a router...
An ACL is not automatically installed. It must be created manually and assigned to an interface.
persistent agent
An agent permanently installed on a device
nonpersistent agent (dissolvable agent)
An agent that remains on the device long enough to verify compliance and complete authentication, and then uninstalls
honeynet
An elaborate setup of several honeypots.
Malware
Any program or piece of code designed to intrude upon or harm a system or its resources.
file-infector viruses
Attach themselves to executable files. When the executable file runs, the virus copies itself to memory and attaches onto other executable files.
Users should
Be grouped according to their security levels and assigned additional rights that meet the needs of those groups.
content-filtering firewalls
Block designated types of traffic based on application data contained within packets.
PDoS attack (Permanent DoS)
Damages a router or switch's firmware beyond repair.
Honeypot
Decoy system that is purposely vulnerable and filled with what appears to be sensitive content.
AUP (Acceptable Use Policy)
Explains to users what they can and cannot do and penalties for violations.
Next Generation Firewalls (NGFW)
Have built-in Application Control features and are application aware, meaning they can monitor and limit the traffic of specific applications, including the application's vendor and digital signature.
RF (radio frequency) emanation
Layers 1-3: Condition created by the leaking of radio or electrical signals from computer equipment.
port scanner
Layers 1-3: Software that searches a node for open ports.
jamming
Layers 1-3: The attacker creates a high volume of illegitimate wireless traffic and overwhelms the wireless network.
ARP cache poisoning
Layers 1-3: When attackers use faked ARP replies to alter ARP tables in the network.
DDoS attack (distributed DoS)
Layers 4-7: A DoS attack that comes from several sources, known as zombies.
ping of death
Layers 4-7: A buffer overflow condition created by sending an ICMP packet that exceeds the maximum 65,535 bytes.
smurf attack
Layers 4-7: A hacker issues a flood of broadcast ping messages.
DHCP snooping
Layers 4-7: A security feature that checks and filters DHCP messages on the network.
Dynamic ARP inspection (DAI)
Layers 4-7: A security feature that detects faked ARP messages.
FTP Bounce
Layers 4-7: An attacker commands the FTP server to connect to a different computer and can scan the ports on other hosts and transmit malicious code.
IP spoofing
Layers 4-7: An outsider obtains an internal IP address to pretend they have authority to access an internal network from the Internet.
flashing
Layers 4-7: Commands sent to a user's machine via a chat session that cause the screen to fill with garbage characters and require them to terminate the chat session.
banner-grabbing attack
Layers 4-7: Hackers transmit bogus requests for connection to servers or applications in order to harvest useful information to guide their attack efforts.
backdoors
Layers 4-7: Security flaws that allow unauthorized users to gain access to the system.
man-in-the-middle (MitM) attack
Layers 4-7: When a person redirects or captures secure transmissions as they occur.
session hijacking attack
Layers 4-7: When a session key is stolen or intercepted, an attacker can take control of the session.
DRDoS attack (distributed reflector DoS)
Layers 4-7: A DDoS attack bounced off of uninfected computers called reflectors, achieved by spoofing.
Buffer overflow
Layers 4-7: A vulnerability of older operating systems. Occurs when a buffer is forced beyond its allotted space, causing a system crash.
DoS attack (Denial-of-service)
Layers 4-7: Occurs when a system becomes unable to function because it has been inundated with requests for services and can't respond to any of them.
domain local groups
Local groups that can be managed through Active Directory
Filters for an ACL
Network layer protocol, transport layer protocol, source IP address, destination IP address, TCP or UDP port number
port mirroring
One port is configured to send a copy of all its traffic to a second port on the switch.
host-based firewalls
Only protect the computer on which they are installed.
Boot sector viruses
Positions its code in the boot sector of a computer's hard disk so that when the computer boots up, the virus runs in place of the computer's normal system files.
Worms
Programs that run independently and travel between computers and across networks.
Network viruses
Propagate themselves via network protocols, commands, messaging programs, and data links. Designed to take advantage of network vulnerabilities.
NIDS (network based intrusion detection system)
Protects a network and is usually situated at the edge of the network or in a network's protective perimeter or DMZ.
reverse proxy
Provides services to Internet clients from servers on its own network.
HIDS (host-based intrusion detection system)
Runs on a single computer to alert about attacks to that one host
Network segmentation
Separating portions of the network to protect some resources while granting access to other resources.
agent
Software that monitors a device's status against the security benchmarks to determine the device's compliance.
Packet-filtering firewalls might accept or deny traffic by certain criteria such as
Source and destination IP addresses, source and destination ports, flags set in the TCP header, transmissions that use the UDP or ICMP protocols, a packet's status
IPS (intrusion prevention system)
Stands between the attacker and the network or host, and can prevent traffic from reaching the protected network or host.
SIEM (Security Information and Event Management)
Systems that can be configured to evaluate data from IDS, IPS, firewalls, and proxy servers, and look for significant events that require attention.
Macro viruses
Takes the form of a macro which can be executed as the user works with a program.
virtual wire mode
The firewall is transparent to surrounding nodes as if it's just one part of the wire.
Firewall misconfiguration
The most common cause of firewall failure
proxy server
The network host that runs the proxy service
zombies
Computers used in a DDoS attack whose owners are unaware that their machines are taking part in the attack.
outbound traffic
Traffic attempting to exit a LAN
consent to monitoring form
a document that ensures that employees are made aware that their use of company equipment and accounts can be monitored and reviewed as needed for security purposes.
unintentional DoS attack
a friendly attack because it is not done with malicious intent.
Virus
a program that replicates itself with the intent to infect more computers.
Unified Threat Management (UTM)
a security strategy that combines multiple layers of security appliances and technologies into a single safety net.
Network access control (NAC)
employs network policies which determine the level and type of access granted to a device when it joins a network.
security policy
identifies your security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee.
spoofing
impersonating a source IP address
amplification attack
instigated using small, simple requests that trigger very large responses from the target.
Stateless firewall
manages each incoming packet as a stand-alone entity without regard to currently active connections.
Logon restrictions
time of day, total time logged on, source address, and unsuccessful logon attempts