Security+ Chapter 4
WPA Enterprise Mode
More secure than personal/PSK mode and provides strong authentication when an 802.1x RADIUS server is deployed
Network Access Control Methods (host health)
- up-to-date antivirus software - up-to-date OS with current patches/fixes - firewall enabled on the client - health agents installed - can restrict access of unhealthy clients to a remediation network - can use NAC for VPN clients and for internal clients
Antenna Types
- Omnidirectional - Directional - can limit the range of an AP to a room or building by reducing the AP's power level - limiting the range prevents unwanted connections
Wireless Cryptographic Protocol Timeline
- WPA replaced WEP - WEP used TKIP - WPA has stronger AES - WPA2 replaced WPA and supports much stronger CCMP
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)
- most secure of the EAP standards - requires certificates on the 802.1x RADIUS server and on each of the wireless clients
Kerberos Benefits
- protects against replay attacks by timestamping the keys involved - protects against MITM by requiring authentication every time a service is requested. The TGS has a password, as does every user (mutual authentication)
Guest Network Architecture
- usually just email/website browsing; no network resource access - basically just another access point on the same router
SYN flood attack
A DoS attack that uses IP spoofing to send a large number of packets requesting connections (initiating a TCP connection) to the victim computer. These appear to be legitimate but in fact reference a client system that is unable to respond.
Software Defined Networking (SDN)
A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane (logic to identify the path) to manage network traffic on a more abstract level than through direct management of network components. - separate data plane as well (logic to block or allow) - commonly used with ABAC
IDS (Intrusion Detection System)
A dedicated device or software running on a workstation, server, or switch, which might be managed from another computer on the network, and is used to monitor network traffic and create alerts when suspicious activity happens within the network. - sends a notification via passive data collection; considered out-of-band
Bluejacking
A method used by attackers to send out unwanted Bluetooth signals from PDAs, mobile phones, and laptops to other Bluetooth-enabled devices.
MAC filtering
A method used to filter which computers can access the wireless network; the WAP does this by consulting a list of MAC addresses that have been previously entered. - an attacker can use a sniffer to discover allowed MAC addresses and circumvent the denial rule, since it is easy to spoof a MAC address
ad hoc network
A network created when two wireless devices connect to each other directly and securely.
HIDS (host-based intrusion detection system)
A passive IDS used to monitor an individual server or workstation. Protects local resources on the host such as the operating system files.
VPN concentrator
A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels. - usually a hardware device
IEEE 802.1x
A standard that authenticates users on a per-switch-port basis by permitting access to valid users but effectively disabling the port if authentication fails. - prevents rogue devices from establishing a connection - used for wireless connection to a LAN or WAN via an EAP tunnel
NIDS (network-based intrusion detection system)
A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's protective perimeter, known as the DMZ (demilitarized zone). Here, it can detect many types of suspicious traffic patterns. Usually on network devices like firewalls and routers. Unable to decrypt encrypted traffic (can only monitor plaintext).
Signature-based detection
Also known as knowledge-based detection or misuse detection: the examination of system or network data in search of patterns that match known attack signatures, vulnerabilities, and anomalies.
NIPS (network-based intrusion prevention system)
An IPS that monitors the network. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. Placed on the edge of the protected network (DMZ) to provide internal network protection.
Encapsulating Security Payload (ESP)
An IPSec component that provides the same services as AH but also provides confidentiality, authentication, and integrity when sending data over a VPN. Uses protocol number 50 and port 500
thin access point
An access point with limited functionality (it does not provide authentication or encryption). Managed by a wireless controller, which configures the AP.
IPS (Intrusion Prevention System)
An active, inline security device that monitors network and/or system traffic for suspicious activity and reacts in real time to block it. Also called a Network Intrusion Prevention System (NIPS). - considered in-line with traffic (traffic passes through it), aka in-band
IV attack
An attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except for the user or network.
mutual authentication
An authentication scheme in which both computers verify the credentials of each other and do so multiple times throughout the connected session. Used by the MS-CHAPv2 and Kerberos authentication schemes.
PAP (Password Authentication Protocol)
An older authentication protocol where passwords are sent across the network in clear text. Rarely used today.
Challenge Handshake Authentication Protocol (CHAP)
An older three-way authentication handshake that is accomplished during the initial authentication and may be repeated anytime after the link has been established. - protects against replay attacks - sends messages through an authenticated session
rogue access point
An unauthorized AP that allows an attacker to bypass many of the network security configurations and opens the network and its users to attacks.
SSL decryptors
Appliances that can decrypt SSL traffic and inspect it on the fly. - can be placed with a NIPS - can decrypt encrypted malware
RFID attacks
Attacks against radio-frequency identification (RFID) systems. Some common RFID attacks are eavesdropping, replay, and DoS.
EAP-FAST
Cisco-designed replacement for LEAP, which Cisco also designed. EAP-FAST supports certificates, but they are optional.
Attribute order in a X.500 directory
Common Name (CN) - Org. Unit (OU) - Org. (O) - Country (C) - Domain Component (DC)
Wi-Fi jamming attack
DoS attack that overloads the channel
HOTP
HMAC-based One-Time Password (HOTP). An open standard used for creating one-time passwords, similar to those used in tokens or key fobs. It combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. HOTP passwords do not expire until they are used. Susceptible to device sync errors and interception
Fat Access Point
Intelligent wireless access point that provides everything needed to manage wireless clients. Must be configured individually.
Challenge Handshake Authentication Protocol (CHAP)
Like PAP, CHAP performs one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network.
Honeypots/honeynets
Machines that exist on the network, but do not contain sensitive or valuable data, and are meant to distract and occupy malicious or unauthorized intruders, as a means of delaying their attempts to access production data/assets. A number of machines of this kind, linked together as a network or subnet, are referred to as a "honeynet." - often placed in the DMZ
IPSec tunnel mode
One of two modes for IPSec. Encrypts the entire IP packet used in the internal network and is the mode used with VPNs over the Internet. - an intercepted packet will reveal the source IP and the destination address of the VPN server, but the internal IP address remains hidden
Something you know
Password or PIN - saying a passphrase
PEAP (protected EAP)
Protected Extensible Authentication Protocol. PEAP provides an extra layer of protection for EAP. PEAP-TLS uses TLS to encrypt the authentication process by encapsulating and encrypting the EAP conversation in a Transport Layer Security (TLS) tunnel. Since TLS requires a certificate on the server but not clients, PEAP-TLS requires a certification authority (CA) to issue certificates.
Diameter
RADIUS extension and improvement with additional capabilities, including securing transmissions with EAP
WPS attack (wifi protected setup)
Security exploit in which a WPS PIN is discovered by means of a brute force attack, giving the attacker access to the network's WPA2 key. The PIN feature in WPS should be disabled if possible.
Bluebugging
Taking control of a phone to make calls, send text messages, listen to calls, or read text messages.
Crossover Error Rate (CER)
The point at which FRR equals FAR. Expressed as a percentage, this is the most important metric.
Bluesnarfing
The unauthorized access of information from a wireless device through a Bluetooth connection.
Service Set Identifier (SSID)
The user-supplied network name of a WLAN; it can generally be alphanumeric from 2 to 32 characters. Best practice is to change the name from the default. Disabling the broadcast can hide the network from a casual user, but an attacker can easily discover it with a sniffer.
What Protocols prevent wireless replay attacks?
WPA2 and CCMP
LM (LAN Manager) hash
A legacy format for storing Windows passwords that is considered very weak. Replaced by NTLM and NTLMv2.
Permanent agent
Installed on devices/clients for host health purposes
Dissolvable agent (agentless)
Not installed on clients; downloaded instead. Some remove themselves immediately after they report back to the NAC or after the session ends. - often used to inspect employee-owned mobile devices
false negative
An attack is occurring but the system does not detect it
OAuth2.0
Authorization, not authentication. Facilitates a transfer of information or functionality between websites. Authorization is delegated to the OAuth provider, not the consumer or user.
WPA-open mode
Doesn't use any security; no password
Wireless Access Point
Enables devices to connect to a wireless network to communicate with each other, like a router. - all wireless routers are APs, but not all APs are wireless routers
Full Tunneling
Encrypts all traffic after a user has connected to a VPN
TLS/SSL Accelerator
Hardware that provides TLS encryption for common protocols like HTTPS - frees up resources like CPU and RAM - placed close to the related devices
false positive
Incorrectly indicating that an attack is occurring when no attack is occurring
IPSec transport mode
Only encrypts the payload; commonly used in private networks, but not with VPNs
split tunneling
Only encrypts traffic destined for the VPN's private network, as configured by an admin. A web search made behind a split tunnel configuration will not go through the encrypted tunnel; it goes straight to the Internet.
TACACS+
Proprietary Cisco alternative to RADIUS - can interact with Kerberos and MS AD
VPN (Virtual Private Network)
Provides an encrypted network connection to a private network via the Internet (public network)
RADIUS (Remote Authentication Dial-In User Service)
Provides centralized authentication for wireless and remote access servers. - encrypts password packets, but not the entire authentication process - uses UDP
OpenIDC
Provides federation for applications
EAP (Extensible Authentication Protocol)
Provides two systems a way to create a secure encryption key, the Pairwise Master Key (good for the entire session). The systems use the key to encrypt all data transmitted. Both TKIP and AES-based CCMP use this - CCMP is much stronger.
Disassociation Attack
Removes a wireless client from a wireless network, forcing it to reauthenticate
TOTP (Time-Based One-Time Password)
Similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP expire after 30 seconds. Susceptible to device sync errors and interception.
Behavioral-Based Detection
Start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs, the IDS sends an alert.
MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)
Stronger than MS-CHAP due to mutual authentication. The client challenges the server before data is transmitted, and the server challenges the client. - helps make sure data goes to the right server/destination
Evil Twin Attack
The attacker is in the vicinity with a Wi-Fi-enabled computer and a separate connection to the Internet. Using a hotspotter (a device that detects wireless networks and provides information on them), the attacker simulates a wireless access point with the same wireless network name, or SSID, as the one that authorized users expect. If the signal is strong enough, users will connect to the attacker's system instead of the real access point.
WPA-PSK mode
Uses a pre-shared key; designed for home and small office networks and doesn't require an authentication server. Another name for a Wi-Fi password.