Security Plus Attempt 4 Vocab Review Guide 2.0
Tunnel Mode
IPSec can operate in two modes: tunnel mode and transport mode. In tunnel mode, IPSec provides encryption protection for both the payload and message header by encapsulating the entire original LAN protocol packet and adding its own temporary IPSec header (see Figure 2.3).
Transparent Proxy
If a client is not configured (Figure 2.16, left) to send queries directly to a proxy but the network routes outbound traffic to a proxy anyway, then a transparent proxy is in use. A nontransparent proxy is in use when a client is configured (Figure 2.16, right) to send outbound queries directly to a proxy.
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is used to negotiate and provide authenticated keying material (a common method of authentication) for security associations in a secured manner. The four major functional components of ISAKMP are authentication of communications peers, threat mitigation, security association creation and management, and cryptographic key establishment and management.
Logs/WORM (SEIM)
Logs need to be protected against accidental and intentional malicious change. Centralized logging services such as SIEM and Syslog can assist with protecting the integrity of logs through several techniques. One technique is to create additional duplicate copies of a log in various locations throughout the network. This is the primary log protection technique employed by centralized logging solutions. The primary log still resides on the original system, but a duplicate copy of the log is maintained on one or more log management servers. An additional technique can be to store the log copies on a WORM (write-once, read-many) storage device. These are storage media that prohibit the change of any data item once it has been written. Common examples of WORMs include optical discs and ROM chips, but WORM hard drives and tapes are also available.
MDM
Mobile device management is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Many MDM solutions support a wide range of devices and can operate across many service providers. You can use MDM to push or remove apps, manage data, and enforce configuration settings both over the air (across a carrier network) and over WiFi connections. MDM can be used to manage company-owned devices as well as personally owned devices (such as in a bring-your-own-device [BYOD] environment).
Custom Firmware
Mobile devices come preinstalled with a vendor- or telco-provided firmware or core operating system. The firmware can be updated by an upgrade provided by the vendor or telco. If a device is rooted or jailbroken, it can allow the user to install alternate custom firmware in place of the default firmware. Custom firmware may remove bloatware included by the vendor or telco, may add or remove features, and can streamline the OS to optimize performance. There are online discussion forums and communities that specialize in custom firmware for Apple and Android devices, such as xda-developers.com (be careful and include the dash in the name!) and howardforums.com. An organization should not allow users to operate mobile devices that have custom firmware unless that firmware is preapproved by the organization. Some custom firmware can be returned to a non-rooted state once the firmware install is completed.
Dissolvable vs. Permanent (NAC)
NAC agents can be either dissolvable or permanent. A dissolvable NAC agent is usually written in a web/mobile language, such as Java or ActiveX, and is downloaded and executed to each local machine when the specific management web page is accessed. The dissolvable NAC agent can be set to run once and then terminate, or it may remain resident in memory until the system reboots. A permanent NAC agent is installed onto the monitored system as a persistent software background service.
Rooting/Jailbreaking
Rooting or jailbreaking (the special term for rooting Apple devices) is the action of breaking the digital rights management (DRM) security on the bootloader of a mobile device in order to be able to operate the device with root or full system privileges. Most devices are locked in such a way as to limit end-user activity to that of a limited user. But a root user can manipulate the OS, enable or disable hardware features, and install software applications that are not available to the limited user. Rooting may enable a user to change the core operating system or operate apps that are unavailable in the standard app stores. However, this is not without its risks. Operating in rooted status also reduces security, since any executable also launches with full root privileges. There are many forms of malicious code that cannot gain footing on normal mode devices but that can easily take root (pun intended) when the user has rooted or jailbroken their device. An organization should prohibit the use of rooted devices on the company network or even access to company resources whenever possible. For some, a rooted device may provide benefits that exceed the risks, but such devices should be operated as stand-alone equipment and not as endpoint devices of a company network. Also, even users should consider keeping their personal information and credentials on a normal limited device and employ a second rooted device for those limited occasions when rooting is beneficial. Rooting a fully owned device is legal as of 2017, but the exemption to the Digital Millennium Copyright Act allowing for this will expire at the end of 2017. If other exemptions or new legislation do not reestablish the legality of rooting devices, then it will become illegal again starting in 2018. Be sure to review the legality of rooting devices before you attempt to do so. The legality of the issue may not change your mind about your decision, but you do need to be aware of the legality of the activity and the potential consequences. If you are caught crafting tools to help others root their devices, this is seen as a much more severe activity than rooting your own device. Even if rooting is legal, keep in mind that there are still some restrictions. First, it is only legal if you fully own the device; if you are in a one- or two-year contract with a hardware fee; or if you are in a lease-to-own contract and you do not fully own the device until that contract is fulfilled. Thus, it is illegal to root until you fully own the device. Second, legal root does not require a manufacturer, vendor, or telco to honor any warranty. In most cases, any form of system tampering, including rooting, voids your warranty. Rooting may also void your support contract or replacement contract. Third, rooting is actively suppressed by the telcos and some product vendors, Apple being the main example. A rooted device might not be allowed to operate over a telco network, or it might be prohibited from accessing resources, downloading apps, or receiving future updates.
Aggregation (SEIM)
SIEM performs aggregation of logs, event details, and system measurements pulled from the range of devices throughout the network into the centralized management server. This enables SIEM to monitor the entire IT infrastructure and provide administrators with insight into the health and stability of their network as a whole. Aggregation is essential to the benefits of SIEM.
Automated Alerting and Triggers (SEIM)
SIEM uses automated alerting and triggers to keep the network and security administrators informed of any event that may violate security or be deemed suspicious on the network. This is a key feature of SIEM, whose ability to proactively inform the IT staff of concerns before serious harm takes place is what makes it stand out as an essential enterprise tool.
SSL/TLS Accelerators
SSL accelerators or TLS accelerators are used to offload the operation of encryption to a dedicated hardware device. This frees up resources on a server or system itself while still maintaining the security of the connection. By allowing a dedicated SSL/TLS hardware accelerator to manage secure connections, more efficient encryption is available to more concurrent sessions.
SFTP
Secure FTP (SFTP) is a secured alternative to standard FTP. Standard FTP sends all data, including authentication traffic, in the clear. Thus, there is no confidentiality protection. SFTP encrypts both authentication and data traffic between the client and server by employing SSH to provide secure FTP communications. Thus, SFTP provides protection for both the authentication traffic and the data transfer occurring between a client and server. No matter what secure FTP solution is employed, both the server and the client must have the same solution. The client and the server must have compatible or interoperable FTP tools in order to establish a connection and support the exchange of files. Otherwise, FTP session establishment and subsequent file-transfer communications won't be possible.
Sideloading
Sideloading is the activity of installing an app onto a device by bringing the installer file to the device through some form of file transfer or USB storage method rather than installing from an app store. Sideloading is not possible on Apple iOS devices unless they are jailbroken. Sideloading is possible on Android devices if Install Apps From Unknown Sources is enabled. Most organizations should prohibit user sideloading, because it may be a means to bypass security restrictions imposed by an app store or the MDM.
SNMPv3
Simple Network Management Protocol (SNMP) is a standard network-management protocol supported by most network devices and TCP/IP-compliant hosts. These include routers, switches, bridges, WAPs, firewalls, VPN appliances, modems, printers, and so on. Through the use of a management console, you can use SNMP to interact with various network devices to obtain status information, performance data, statistics, and configuration details. Some devices support the modification of configuration settings through SNMP. Early versions of SNMP relied on plain-text transmission of community strings as authentication. Communities were named collections of network devices that SNMP management consoles could interact with. The original default community names were public and private. The latest version of SNMP allows for encrypted communications between devices and the management console, as well as robust authentication protection customized authentication factors. SNMP operates over UDP ports 161 and 162. UDP port 161 is used by the SNMP agent (that is, network device) to receive requests, and UDP port 162 is used by the management console to receive responses and notifications (also known as trap messages).
DNSSEC
The Domain Name System (DNS) is the hierarchical naming scheme used in both public and private networks. DNS links IP addresses and human-friendly fully qualified domain names (FQDNs) together. A FQDN consists of three main parts: Top-level domain (TLD)—The com in www.google.com Registered domain name—The google in www.google.com Subdomain(s) or hostname—The www in www.google.com The TLD can be any number of official options, including six of the original seven TLDs—com, org, edu, mil, gov, and net—as well as many newer ones, such as info, museum, telephone, mobi, biz, and so on. There are also country variations known as country codes. (See www.iana.org/domains/root/db/ for details on current TLDs and country codes.) (Note: The seventh original TLD was int, for international, which was replaced by the country codes.) The registered domain name must be officially registered with one of any number of approved domain registrars, such as Network Solutions or GoDaddy. The far-left section of an FQDN can be either a single hostname, such as www, ftp, and so on, or a multisectioned subdomain designation, such as server1.group3.bldg5.mycompany.com. The total length of an FQDN can't exceed 253 characters (including the dots). Any single section can't exceed 63 characters. FQDNs can only contain letters, numbers, and hyphens. Every registered domain name has an assigned authoritative name server. The authoritative name server hosts the original zone file for the domain. A zone file is the collection of resource records or details about the specific domain. There are dozens of possible resource records (see http://en.wikipedia.org/wiki/List_of_DNS_record_types); the most common are listed in Table 2.4. Originally, DNS was handled by a static local file known as the HOSTS file. This file still exists, but a dynamic DNS query system has mostly replaced it, especially for large private networks as well as the Internet. When client software points to a FQDN, the protocol stack initiates a DNS query in order to resolve the name into an IP address that can be used in the construction of the IP header. The resolution process first checks the local DNS cache to see if the answer is already known. The DNS cache consists of preloaded content from the local HOSTS file plus any DNS queries performed during the current boot session (that haven't timed out). If the needed answer isn't in the cache, a DNS query is sent to the DNS server indicated in the local IP configuration. The process of resolving the query is interesting and complex, but most of it isn't relevant to the Security+ exam. To explore DNS in more detail, see http://en.wikipedia.org/wiki/Domain_Name_System and http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html. DNS operates over TCP port 53 and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers for special manual queries, or when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries. Domain Name System Security Extensions (DNSSEC) is a security improvement to the existing DNS infrastructure. The primary function of DNSSEC is to provide reliable authentication between devices during DNS operations. DNSSEC has been implemented across a significant portion of the DNS system. Each DNS server is issued a digital certificate, which is then used to perform mutual certificate authentication. The goal of DNSSEC is to prevent a range of DNS abuses where false data can be injected into the resolution process. Once fully implemented, DNSSEC will significantly reduce server-focused DNS abuses.
HTTPS
The World Wide Web is a vast, global, ad hoc collection of online information and storefronts. The primary protocol that supports the Web is Hypertext Transfer Protocol (HTTP). HTTP enables the transmission of Hypertext Markup Language (HTML) documents (the base page elements of a website) and embedded multimedia components such as graphics and mobile code (see Figure 2.45). Without HTTP, there would be no Web. However, HTTP is an insecure protocol: it doesn't offer anything in the way of secure authentication or data encryption for web communications. Fortunately, numerous add-on protocols and mechanisms provide these and other security services to the information superhighway.
FTPS
The antiquated protocol of file transfer or exchange is File Transfer Protocol (FTP). This protocol is often used to move files between one system and another, either over the Internet or within private networks. Understanding the basics of FTP and the secured alternative file-transfer solutions is important for the Security+ exam. FTP is an in-the-clear file-exchange protocol. It's supported by any computer system that uses TCP/IP. An FTP server system is configured to allow authenticated or anonymous FTP clients to log on in order to upload or download files. FTP employs TCP ports 20 and 21 by default. Port 21 is used for session management, and port 20 is used for data transmission. There are two connection options for FTP: active and passive. Active FTP is the original method of FTP connection. The process of Active FTP is as follows: The client initiates the session management connection to the FTP server on TCP port 21 using a random source port number (such as 1060). The FTP server initiates the data transmission connection to the FTP client from TCP source port 20 to the client's port that is one increment above the client's original source port (such as 1061). This technique works only if the client is not protected by a firewall, proxy, or NAT function because it requires inbound initiation from the FTP server to the FTP client. In most cases today, since a firewall, proxy, or NAT is likely present, FTP is used in passive mode. The process of passive FTP is as follows: The client initiates the session management connection to the FTP server on TCP port 21 using a random source port number (such as 1060). The server selects a random port number to open in order to receive a second client-initiated connection (such as port 4081), and sends that number to the client over the existing communication session. The client initiates another connection to the FTP server for data transmission, using an incremented client source port number (such as 1061) to the server's suggested destination port number (such as 4081). The exchange of files is a common practice on the Internet, intranets, and extranets. FTP is an independent platform and thus makes file exchanges between different OSs simple. It's one of the common services deployed in a DMZ—an extension of a private network where Internet users can access services such as the Web and email—in order to provide controlled public access to company resources while still allowing internal clients to access the services. Because all FTP traffic is transmitted in the clear, it's vulnerable to packet sniffing and other forms of eavesdropping. It's important not to use the same user account and password on FTP that you use in a secure environment. Otherwise, if an attacker captures your FTP logon traffic, they also obtain the logon credentials needed to log into your secured network. Always use a separate and distinct user account for FTP logons. Sniffers and protocol analyzers are discussed in the "Understand protocol analyzers" section earlier in this chapter. Anonymous FTP is a form of nameless logon to an FTP server. Usually, visitors to an FTP site who wish to log on anonymously use the word anonymous as the logon name. They're then prompted to provide their email address as the password, but any text string suffices. Site administrators should carefully configure FTP servers that allow anonymous access. Anonymous users shouldn't be able to download (or, in many cases, view) any files uploaded by anonymous users. Anonymous upload and download should be enabled only if absolutely necessary. When possible, don't allow both authenticated and anonymous FTP logons on the same FTP site. Most FTP servers have anonymous FTP enabled by default, so usually it must be specifically disabled in order to limit access to authenticated users. If FTP upload is allowed—especially when anonymous FTP uploading is allowed—ensure that it isn't possible to access upload folders from a web URL. If you don't take this precaution, web visitors may be able to download files from the FTP site through HTTP, or they may be able to execute uploaded files. Both of these tactics are commonly used by hackers in a wide variety of intrusion attacks. Blind FTP is a configuration of anonymous FTP or authenticated FTP in which uploaded files are unseen and unreadable by visitors. Thus, users can upload files but not see the resulting uploads. Additionally, even if a user knows the exact pathname and filename of a file deposited onto your blind FTP site, the deposited files are write-only, and thus reading or downloading isn't possible. This ensures that your FTP site isn't overrun by file swappers using your system as a file-exchange point. File swappers often exchange illegal (unlicensed) copies of software, music, and movies through unsecured FTP servers. Uploaded files on a blind FTP server become accessible only after the administrator has either changed the files' permissions or moved them into a folder configured to allow downloads. FTPS is FTP Secure or FTP SSL, which indicates that it's a variation of FTP secured by SSL (or now TLS). This is an FTP service variation distinct from SSH-secured FTP (SFTP). Although in general use they're similar, in that both provide for cryptographically protected file transfers, they aren't interoperable. FTPS is supported by FTP servers in either an implicit or an explicit mode (FTPIS or FTPES, respectively). Implicit implies that the client must specifically challenge the FTPS server with a TLS/SSL ClientHello message. This assumes that only FTPS clients will connect. In order to allow traditional FTP clients to continue to operate over ports 20 (data channel) and 21 (control channel), FTPS is delegated to ports 990 (control channel) and 989 (data channel). It's important, however, to note that implicit mode is now considered deprecated. Explicit (FTPES) mode implies that the FTPS client must specifically request an FTPS connection on ports 20 and 21; otherwise, an insecure FTP connection will be attempted. More information regarding explicit mode is available in RFC 2228 and RFC 4218.
nmap
The command nmap is a network mapper or port scanner. The nmap tool can be used to perform a wide range of network discovery and enumeration functions, including ping sweeping, port scanning (Figure 2.31), application identification, operating system identification, firewall and IDS evasion, and a plethora of script functions to discover details about target applications and OSs. Zenmap is a GUI interface to nmap. Please experiment with the nmap command from your own system's command prompt. Use the command nmap -h to view the syntax details.
tcpdump
The command tool tcpdump is a raw packet-capturing utility (Figure 2.30) found on Linux. It can be used to capture packets into a capture file. It supports command-line capture filters in order to collect specific packets. The output capture file can be examined by a number of other tools, including GUI packet analysis utilities such as Wireshark. Experiment with the tcpdump command from your own system's command prompt. Use the command tcpdump /h to view the syntax details.
nslookup/dig
The command-line tools nslookup and dig are used to perform manual DNS queries. The nslookup tool is found on Windows, and the dig tool is on Linux. These tools initially perform queries against the system's configured DNS server. However, it is possible to refocus the tools to an alternate DNS server to perform queries. Experiment with the nslookup and dig commands from your own system's command prompt. On Windows, the nslookup tool can be used in interactive or noninteractive mode. The interactive mode allows for numerous sequential commands to be issued while inside the nslookup interface (Figure 2.26). To launch nslookup in interactive mode, issue the command nslookup and then, to see a list of syntax, enter ?. Noninteractive mode singular commands can be issued using command syntax. To view the syntax, enter nslookup -?. On Linux, issue the dig -? command to view the syntax of this tool.
CYOD
The concept of choose your own device (CYOD) provides users with a list of approved devices from which to select the device to implement. A CYOD can be implemented so that employees purchase their own devices from the approved list (a BYOD variant) or the company can purchase the devices for the employees (a COPE variant).
netcat
The netcat command is a flexible network utility used to write to or read from TCP and UDP network connections. Its command tool is just nc. This tool can be used to redirect standard input and output over network pathways, even for tools and utilities which do not have network capabilities natively. In addition to redirecting input and output, it can also be used as a basic port scanner (Figure 2.32), perform file transfers, act as a port listener, and even serve as a remote control backdoor. Please experiment with the nc command from your own system's command prompt. Use the command nc -h to view the syntax details. Netcat is getting increasingly difficult to find, as it is no longer a stand-alone project. To get the command, readers will need to either install nmap and get it bundled with that project, or install one of the forks like cryptocat.
base antenna
The standard straight or pole antenna is an omnidirectional antenna that can send and receive signals in all directions perpendicular to the line of the antenna itself. This is the type of antenna found on most base stations and some client devices. It's sometimes also called a base antenna or a rubber duck antenna (because most such antennas are covered in a flexible rubber coating).
Time Synchronization (SEIM)
Time synchronization is always an important element of security solution implementation, including SIEM, which can assist with maintaining the synchronization of the clocks on networked devices. Time synchronization is an important part of re-creating, or at least analyzing, the events of a violation. If the time stamps of log entries are not synchronized, it may be difficult, if not impossible, to actually determine the order in which the events occurred.
Time Synchronization
Time synchronization is an important element of security management as well as overall network and system management. Many essential functions and services are dependent on reliable time information. The protocol Network Time Protocol (NTP), which operates over UPD port 123, is used to synchronize system clocks with each other and with an external reliable time source. NTP is a plain-text protocol, so there is risk associated with using NTP on its own. There are NTP attacks that may simply eavesdrop on the time synchronization events. This can give an attacker more information about the systems on your network, since the NTP connection will disclose the source and destination addresses of the systems involved. While some cryptography is available in NTPv4, it is mostly for integrity checking and not for confidentiality. It may be necessary to implement IPSec or other VPN sessions between systems and then tunnel the NTP through the encrypted channel.
SSL/TLS
Transport Layer Security (TLS) is the updated replacement for the Netscape Corporation's SSL. TLS is generally the same as SSL, but it uses more secure cryptographic protocols and algorithms. It's currently the preferred protocol for securing a wide variety of Layer 5+ protocol-based communications. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to encrypt traffic between a web browser and a web server. Through the use of SSL or TLS, web surfers can make online purchases, interact with banks, and access private information without disclosing the contents of their communications. SSL and TLS can make web transactions private and secure. Although they aren't true VPN protocols, SSL and TLS operate in much the same manner as VPNs. SSL was originally developed by Netscape, but it quickly became an Internet standard and has been replaced by TLS. TLS is based on SSL, but the two aren't interoperable. SSL operates over TCP port 443, whereas TLS can operate over either of the default TCP ports, 443 and 80 (as does HTTP). In addition to web communications, SSL can be used to secure FTP, Network News Transfer Protocol (NNTP), email, Telnet, and other Application layer TCP/IP protocols. However, when SSL is used for protecting other application protocols, the destination port is different than that of HTTPS, which uses 443; other examples include SMTP over SSL at 465, IMAP over SSL at 993, and POP3 over SSL at 995. SSL/TLS can also be used to provide encrypted sessions for other Application layer protocols, such as Telnet, FTP, and email. SSL/TLS functions at the top of Layer 4 (the Transport layer) of the OSI model. Thus, any protocol in Layers 5-7 can be secured using SSL/TLS. When you use SSL/TLS to secure communications between a web browser and a web server, a multistep handshake process must be completed to establish the secured session: 1. The client requests a secure connection. 2. The server responds with its certificate, the name of its certificate authority (issuing CA), and its public key. 3. The client verifies the server's certificate, produces a session (symmetric) encryption key, encrypts the key with the server's public key, and sends the encrypted key to the server. 4. The server unpacks the session key and sends a summary of the session details to the client, encrypted with the session key. 5. The client reviews the summary and sends its own summary back to the server, likewise encrypted with the session key. 6. After both entities receive a matching session summary, secured SSL communications are initiated. SSL/TLS uses symmetric keys as the session keys. The session keys available for SSL include 40-bit and 128-bit strengths. TLS session keys can currently span between 128 bit and 256 bit.
TFTP
Trivial File Transfer Protocol (TFTP) is a simple file-exchange protocol that doesn't require authentication. It has fewer commands and capabilities than FTP (mostly PUT for uploading and GET for downloading). TFTP operates on UDP port 69. It can be used to host device-configuration files. This allows those devices to download their configuration if it's lost, such as due to a power failure. Thus essential network devices can self-restore quickly. However, this function is often replaced by a locally installed SD card or other flash memory product. TFTP is also used in multicasting to serve as a caching system for links that are otherwise unable to keep up with the default transmission speed of a multicast signal.
USB OTG
USB is a specification that allows a mobile device with a USB port to act as a host and use other standard peripheral USB equipment, such as storage devices, mice, keyboards, and digital cameras. USB OTG is a feature that can be disabled via MDM if it is perceived as a risk vector for mobile devices used within an organization.
SIEM
A centralized application to automate the monitoring of network systems is essential to many organizations. There are many terms used to describe such a solution, including Security Information and Event Management (SIEM), Security Information Management (SIM), and Security Event Management (SEM). An entire organization's IT infrastructure can be monitored through real-time event analysis using these types of enterprise-level monitoring systems. SIEM can use triggers or thresholds that oversee specific features, elements, or events that will send alerts or initiate alarms when specific values or levels are breached. This can be seen as a more advanced system than that provided by SNMP (Simple Network Management Console). SNMP focuses on pulling information from network devices; however, it can use trap messages to inform the management console when an event or threshold violation occurs on a monitored system. SIEMs can be used to monitor the activity of a cluster of email servers. As the email servers log events, the SIEM agent monitors the log for events of interest. If one is noticed, then the SIEM agent forwards the details of the event to the central management SIEM system. The master SIEM analysis engine determines the severity of the event and whether it relates to other recent events, and it may trigger either a notification to be sent to an administrator or an alarm requesting immediate response. An example of SIEM operating to prevent a problem from becoming significant enough to interrupt mission-critical communications would be if an email server begins to have a backlog of unprocessed messages due to a strong surge or increase in inbound messages. The SIEM can notice this change in normal operations and inform the administrators long before the situation becomes a DoS and the system fails to keep up with communications or begins to drop, delete, overwrite, or otherwise lose messages. SIEMs typically have a wide range of configuration options that allow IT personnel to select which events and occurrences are of importance to the organization. Thus, SIEM allows for customization of monitoring and alerting based on the organization's specific business processes, priorities, and risks. A SIEM solution will include agents for any type of server and may include hooks into network appliances, such as switches, routers, firewalls, IDSs, IPSs, VPNs, and WAPs (Figure 2.17). Thus, a SIEM is an important monitoring and analysis tool for large organizations with a wide variety of systems and devices. The reports from a SIEM solution will keep the IT and security staff informed of the overall state of the environment, and alarms and alerts will enable them to respond promptly to concerns or compromises. SIEM can often perform more tasks than just event monitoring; it can also serve as a NAC (network access control) solution by monitoring the configuration and patch status of systems throughout the network. SIEM can provide asset tracking, MAC monitoring, IP management, and system inventory oversight, and can even monitor for unauthorized software installations—whether implemented by a user or via malware infection.
Corporate-Owned
A corporate-owned mobile strategy is when the company purchases mobile devices that can support compliance with the security policy. These devices are to be used exclusively for company purposes, and users should not perform any personal tasks on them. This often requires workers to carry a second device for personal use.
LDAPS
A directory service is a managed list of network resources. It is effectively a network index or network telephone book of the systems and their shared resources. Through the use of a directory service, large networks are easier to navigate, manage, and secure. Active Directory from Microsoft, OpenLDAP, and legacy eDirectory (or NDS) from Novell are examples of directory services. All three are based on Lightweight Directory Access Protocol (LDAP). LDAP is a standardized protocol that enables clients to access resources within a directory service. A directory service is a network service that provides access to a central database of information, which contains detailed information about the resources available on a network. LDAP follows the x.500 standard, which defines what a directory service is and how it is to be constructed and organized (at least from a foundational infrastructure perspective). Clients can interact with directory service resources through LDAP by using authentication that consists of at least a username and password. LDAP directory structures are hierarchical data models that use branches like a tree and that have a clearly identified and defined root (see Figure 2.44). LDAP operates over TCP ports 389 (plain text) and 636 (secure). There are two connection mechanisms used for plain-text authentication. They are known by the terms anonymous bind (no authentication) and simple bind (plain-text password authentication). It's important to secure LDAP rather than allow it to operate in a plain-text insecure form. This is accomplished by enabling the Simple Authentication and Security Layer (SASL) on LDAP, which implements Transport Layer Security (TLS) on the authentication of clients as well as all data exchanges. This results in LDAP Secured (LDAPS). This isn't the only means to secure LDAP, but it's the method addressed on Security+.
Fat vs. Thin
A fat access point is a base station that is a fully managed wireless system, which operates as a stand-alone wireless solution. A thin access point is little more than a wireless transmitter/receiver, which must be managed from a separate external centralized management console. Most of the management functions have been shifted to an offloading management device so the wireless access point only has to handle the radio signals. The benefit of using thin access points is that management, security, routing, filtering, and more can be concentrated in one location, while there may be dozens or more deployed thin access points throughout a facility. Most fat access points require device-by-device configuration and thus are not as flexible for enterprise use
Flood Guard
A flood guard is a defense against flooding or massive-traffic DoS attacks. The purpose of a flood guard is to detect flooding activity and then automatically begin blocking it. This prevents this type of malicious traffic from entering a private network. Floods can be used in a variety of attack variations. One form of flood attack can be used to overload a switch in order to break VLAN segmentation. This is accomplished by flooding a switch with Ethernet frames with randomized source MAC addresses. The switch will attempt to add each newly discovered source MAC address to its CAM table. Once the CAM table is full, older entries will be dropped in order to make room for new entries. Once the CAM is full of only false addresses, the switch is unable to properly forward traffic, so it reverts to flooding mode, where it acts like a hub or a multiport repeater and sends each received Ethernet frame out of every port. This effectively violates VLAN segmentation, which relies on the switch only sending frames out the ports that are members of the correct VLAN. Flood guards are often effective at minimizing this risk, whether the attack origin is internal or external. The formal command floodguard in the Cisco IOS can be used to enable or disable Flood Defender, the Cisco solution that addresses flooding attacks.
Loop Prevention
A loop in networking terms is a transmission pathway that repeats itself. It's the network equivalent of going around in a circle. The problem with looping in a network environment is that it wastes resources, specifically network throughput capacity. Loops can occur at Layer 2 and at Layer 3, typically related to Ethernet and IP, respectively. Ethernet looping is resolved using the Spanning Tree Protocol (STP) on the bridges and switches of a network. STP learns all available paths and then makes traffic-management decisions that prevent looping pathways. Effectively, STP erects transmission blockades to prevent loops from being created. IP resolves looping using a different technique. Instead of preventing the use of pathways that cause looping, IP controls the distance a packet travels before it's discarded. So, instead of preventing loops, IP minimizes the amount of looping before packets are terminated. This is controlled using a countdown timer in the IP header, specifically the time-to-live (TTL) value. The TTL is set at an initial OS-specific default (for example, the Windows TTL is now 128 but was 32 in some older versions, whereas the TTL on Linux systems ranges from 64 to 255), and then each router decrements the TTL as it retransmits the IP packet. When a router receives a TTL that has a value of 1, that router stops forwarding the packet toward its destination and sends it back to the source address with an error message ("ICMP Type 11—Timeout Exceeded").
Network Scanners
A network scanner is usually a form of port scanner that adds enumeration techniques in order to inventory the devices found on a network. A network scanner can use a variety of detection techniques to discover the presence of a system on a network, whether a valid device or a rogue system. These techniques include ping sweeping, port scanning, and promiscuous mode detections. Ping sweeping is the activity of using ICMP Type 8 Echo Request packets to trigger ICMP Type 0 Echo Reply packets from any system within a specific subnet. However, only systems that are not filtering or ignoring ICMP will respond. Port scanning can be used to detect the presence of an open port. If an open port is detected, it means that there is a system present at the IP address probed. Open TCP ports will always respond with a SYN/ACK reply if they are sent a SYN-flagged initial packet. However, if port probes are sent too quickly, intelligent firewalls can block open port responses. Promiscuous mode detection is accomplished by sending out queries or requests but addressing them to a MAC address that is not in use on the network. Any NIC in normal mode will ignore the request, but NICs in promiscuous mode will accept the query and respond. This trick or technique will detect any system that is in promiscuous mode, but may otherwise not respond to other techniques.
PBX
A private branch exchange (PBX) (also known as telecom), shown in Figure 2.47, is a computer- or network-controlled telephone system. PBXs are deployed in large organizations; they offer a wide range of telephone services, features, and capabilities, including conference calls, call forwarding, paging, call logging, voicemail, call routing, and remote calling.
Site Surveys
A site survey is a formal assessment of wireless signal strength, quality, and interference using an RF signal detector. You perform a site survey by placing a wireless base station in a desired location and then collecting signal measurements from throughout the area. These measurements are overlaid onto a blueprint of the building to determine whether sufficient signal is present where needed while minimizing signals outside of the desired location. If the base station is adjusted, then the site survey should be repeated. The goal of a site survey is to maximize performance in the desired areas (such as within a home or office) while minimizing ease of access in external areas.
Layer 2 vs. Layer 3
A switch is normally a Layer 2 device since it manages traffic based on the MAC address. A switch can create VLANs to segment off communications to only members of the same VLAN. But when cross-VLAN communications are needed, a Layer 3 switch can be used; it provides routing between its own VLANs. Thus, a Layer 3 switch includes some router capabilities that it can offer to its VLANs.
SSL Decryptors
An SSL decryptor or TLS decryptor is a dedicated device used to decode secure communications for the purpose of filtering and monitoring. An SSL/TLS decryptor can be deployed in line or be used for out-of-band management. When deployed in line, the decryptor serves as an SSL/TLS offloader; it is where the encryption and decryption of a communication is handled rather than being managed by the Web or email server itself. Such an inline implementation also enables the use of load balancing to distribute communication loads across a number of hosting servers. An out-of-band monitoring tool only needs to decrypt communications for filtering rather than also needing to encrypt outbound messages. Such a configuration provides the filtering or IDS/IPS systems with a plain-text version of the communications
Active-Active
An active-active system is a form of load balancing that uses all available pathways or systems during normal operations. In the event of a failure of one or more of the pathways, the remaining active pathways must support the full load that was previously handled by all. This technique is used when the traffic levels or workload during normal operations need to be maximized, but reduced capacity will be tolerated during times of failure.
Agent vs. Agentless (NAC)
An agent-based system installs an assessment and monitoring software tool on each monitored system. The agents can be dissolvable or persistent/permanent. An agent-based system may be able to apply updates and configuration changes automatically, whereas an agentless system typically requires an administrator to manually resolve any discovered issues. Although agent-based systems provide more data, agentless systems are more trustworthy in the data they do provide, since they cannot be as easily compromised by malware
Application/Multipurpose
An application proxy or an application-specific proxy is a proxy server configured to handle the communications for a single application and its related protocols. For example, a web application proxy is designed to manage only HTTP- and HTTPS-based communications. An application proxy operates at Layer 7, where it is able to handle the payloads of a specific application and related application-layer protocols. A multipurpose proxy is not limited to a single application or set of protocols but can provide proxy functions for any application and protocol. A multipurpose proxy operates at Layers 3 and 4, where it manages communications based on IP address and/or port number.
In-Band vs. Out-of-Band
An in-band IDS is configured to monitor and filter both the pre-connect activities and the post-connect activities of each session. Pre-connect activities can include authentication as well as verifying compliance with minimal security requirements before a session is allowed to be established. Post-connect activities include traffic monitoring, content filtering, identity-based access controls, and ongoing verification that the connection that was granted is still valid and should be allowed to continue. An out-of-band IDS is configured to perform pre-connect activity monitoring, but then not be involved with any post-connect activity monitoring
Inline vs. Passive
An inline IPS has two interfaces and all traffic must traverse through the IPS. Traffic enters either interface, is evaluated by the IPS analysis engine, and then exits the other interface on its way to the destination. This technique enables the IPS to stop or block abusive traffic. A passive IDS or IPS uses a promiscuous mode NIC to eavesdrop on network communication. A passive IDS is often deployed off the SPAN (Switched Port Analyzer) port on a switch, where it receives a copy of every communication occurring across the switch. Sometimes this port is called the auditing port, IDS port, or mirror port. This type of monitoring allows only for reactive responses to discovered problems, rather than proactive responses
Anomaly-based detection
Anomaly-based detection (see Figure 2.12) watches the ongoing activity in the environment and looks for abnormal occurrences. An anomaly-based monitoring or detection method relies on definitions of all valid forms of activity. This database of known valid activity allows the tool to detect any and all anomalies. Anomaly-based detection is commonly used for protocols. Because all the valid and legal forms of a protocol are known and can be defined, any variations from those known valid constructions are seen as anomalies. Anomaly detection is very effective at stopping abnormal events. However, traffic or events falling within normal values doesn't necessarily mean the contents of that event or traffic aren't malicious in nature.
S/MIME
Because email is natively insecure, several encryption options have been developed to add security to email used over the Internet. Two of the most common solutions are Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP). S/MIME is an Internet standard for encrypting and digitally signing email. S/MIME takes the standard MIME element of email, which enables email to carry attachments and higher-order textual information (fonts, color, size, layout, and so on), and expands this to include message encryption. S/MIME uses a hybrid encryption system that combines RSA (an asymmetric encryption scheme) and AES (a symmetric encryption algorithm) to encrypt and protect email. S/MIME works by taking the original message from the server, encrypting it using a symmetric encryption key, and then attaching it to a new blank email. The symmetric encryption key is itself encrypted or enveloped using the recipient's public key, and then attached to the blank email as well. The new blank email includes the sender's and receiver's email addresses to control routing of the message to its destination. The receiver must then strip off the attachments, open the envelope using their private key to extract the symmetric key, and then decrypt the original message. When email encryption is used in this manner, confidentiality is protected. As shown in Figure 2.43, the basic process is as follows: 1. The sender's system generates a random symmetric key. 2. The sender encrypts the message with the random symmetric key. 3. The symmetric key is enveloped (encrypted) using the recipient's public key. 4. The message and the envelope are sent to the recipient. 5. The recipient opens (decrypts) the envelope using the recipient's private key to extract the symmetric key. 6. The recipient decrypts the message using the symmetric key. The process of encrypting email isn't complex; however, it's cumbersome in implementation. Fortunately, the native S/MIME support in most email clients automates the process. The only restriction to the S/MIME email solutions is that all communication partners must have compatible S/MIME products installed and use a common or compatible source for their asymmetric encryption key pairs. S/MIME is a standards-based email security solution. An example of a proprietary, open-source email security solution is Pretty Good Privacy (PGP). Please see this concept discussion in the Chapter 6 section "PGP/GPG."
Controller-Based vs. Standalone
Controller-based wireless access points are thin access points that are managed by a central controller. A stand-alone access point is a fat access point that handles all management functions locally on the device.
Correlation (SEIM)
Correlation is the comparison and analysis of logged events in order to find similarities or repeating occurrences. The correlation analysis performed by SIEM enables it to notice repeated breaches, trends toward failure, and other forms of escalating or recurring incidents.
DEP
Data execution prevention (DEP) is a memory security feature of many operating systems aimed at blocking a range of memory abuse attacks, including buffer overflows. DEP blocks the execution of code stored in areas of memory designated as data-only areas. However, DEP is not foolproof and some forms of buffer overflow attacks are unhampered by it. When DEP fails, there may not be any specific official output, log, or report of the situation. Some DEP solutions may create a memory abuse attempt log, but it may not record events that were designed to specifically violate the DEP protections. Often the only result is when an administrator happens to notice that malware or unauthorized code is executing on a system where DEP was present. The response should be to terminate the offending code and remove it from the system. If the means by which the code gained execution access to the system is determined, then additional patches or filters should be installed to prevent the exploitation of the same process.
Email and Web
Email and web communications can both be easily protected using TLS-encrypted forms of their respective protocols. See the discussions in the earlier sections "S/MIME," "SSL/TLS," "HTTPS," and "Secure POP/IMAP."
Firmware OTA Updates
Firmware OTA updates are upgrades, patches, and improvements to the existing firmware of a mobile device that are downloaded from the telco or vendor over the air (OTA). Some telcos do not count firmware downloads against data caps, but you may find downloading OTA updates over WiFi to be faster and more reliable anyway. Generally, as a mobile device owner, you should install new firmware OTA updates onto a device once they become available. However, some updates may alter the device configuration or interfere with MDM restrictions. Organizations should attempt to test new updates before allowing managed devices to receive them. There simply may need to be a waiting period established so the MDM vendor can update their management product to properly oversee the deployment and configuration of the new firmware update.
HSM
Hardware Security Module is a cryptoprocessor used to manage and store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication. An HSM is often an add-on adapter or peripheral, or it can be a TCP/IP network device. HSMs include tamper protection to prevent their misuse even if an attacker gains physical access. HSMs provide an accelerated solution for large (2,048+ bit) asymmetric encryption calculations and a secure vault for key storage. Many certificate authority systems use HSMs to store certificates; ATM and POS bank terminals often employ proprietary HSMs; hardware SSL accelerators can include HSM support; and DNSSEC-compliant DNS servers use HSM for key and zone file storage. One common example of an HSM is the trusted platform module (TPM). This special chip found on many portable system motherboards can be used to store the master encryption key used for whole drive encryption.
Virtual IPs
Virtual IP addresses are sometimes used in load balancing; an IP address is perceived by clients and even assigned to a domain name, but the IP address is not actually assigned to a physical machine. Instead, as communications are received at the IP address, they are distributed in a load-balancing schedule to the actual systems operating on some other set of IP addresses.
Affinity
a configured preference for a client request to be sent to a specific server within the cluster or device cloud managed by the load balancer. Affinity is implemented using information gathered from layers below the Application layer (Layer 7) to preference a client request to a specific server. Persistence is when Application layer information is used to associate a client with a specific server. Although persistence is more accurate in ensuring that the desired server handles a specific client, implementation of persistence is not always possible, so affinity is used instead. Persistence ensures that a request is handled by a specific server, but affinity is an attempt to cause a server to handle a specific request.
Application-Based vs. Network-Based
a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a service and all users. It's intended to be an application-specific server-side firewall to prevent application-specific protocol and payload attacks. A web application firewall is an example of an application firewall. It's intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks. A network firewall is a hardware device, typically called an appliance, designed for general network filtering. A network firewall is designed to provide broad protection for an entire network. Both of these types of firewalls are important and may be relevant in many situations. Every network needs a network firewall. Many application servers need an application firewall. However, the use of an application firewall generally doesn't negate the need for a network firewall. You should use both types in a series to complement each other, rather than seeing them as competitive solutions.
Forward and Reverse Proxy
a standard proxy that acts as an intermediary or middleman for queries of external resources. A forward proxy handles queries from internal clients when accessing outside services. A reverse proxy provides the opposite function; it handles inbound requests from external systems to internally located services. A reverse proxy is similar to the functions of port forwarding and static NAT.
Exploitation Frameworks
a vulnerability scanner that is able to fully exploit the weaknesses it discovers. It can be an automated or manual exploit assessment tool. For example, Metasploit is an open-source exploitation framework, and Immunity Canvas and Core Impact are commercial exploitation frameworks. Often an exploitation framework allows for customization of the test elements as well as the crafting of new tests to deploy against your environment's targets. An exploitation framework does have additional risk compared to that of a vulnerability scanner, as it attempts to fully exploit any discovered weaknesses. Thus, it is important to make sure a reliable backup has been created and that an incident response policy (IRP) is in effect that can recover damaged data or systems promptly. The purpose or goal of an exploitation framework is not to intentionally cause harm, but the thoroughness of the philosophy of testing can inadvertently cause data loss or downtime. An exploitation framework is an advanced vulnerability scanner that should be used by system administrators and security administrators to stress-test the security stance of the IT infrastructure. Regular scans and evaluations using an exploitation framework will assist IT managers with finding and resolving security concerns before they are discovered by an attacker.
Stateful vs. Stateless
analyzes packets on an individual basis against the filtering ACLs. The context of the communication (that is, any previous packets) is not used to make an allow or deny decision on the current packet. A stateful firewall monitors the state or session of the communication; it evaluates previous packets and potentially other communications and conditions when making an allow or deny decision for the current packet. A stateful firewall considers the context of the communication, whereas a stateless firewall does not.
panel
antennas are flat devices that focus from only one side of the panel.
cantenna
are constructed from tubes with one sealed end. They focus along the direction of the open end of the tube. Some of the first cantennas were crafted from Pringles cans.
parabolic
are used to focus signals from very long distances or weak sources.
signature-based
compares event patterns against known attack patterns (signatures) stored in the IDS/IPS database. The strength of a signature-based system is that it can quickly and accurately detect any event from its database of signatures. However, the primary weakness of a signature-based system is that it's unable to detect new and unknown activities or events. Thus, new zero-day attacks are unseen by a signature-based system. As new attacks are discovered and the pattern database is improved, the deployed signature-based tools need to have their local databases updated.
Packet Filter
filters traffic based on basic identification items found in a network packet's header. This includes source and destination IP address, port numbers, and protocols used. Packet-filtering firewalls operate at the Network layer (Layer 3) and the Transport layer (Layer 4) of the Open Systems Interconnection (OSI) model.
Application-Level Gateway
filters traffic based on user access, group membership, the application or service used, or even the type of resources being transmitted. This type of firewall operates at the Application layer (Layer 7) of the OSI model. Such a firewall can be called a proxy. Application-level gateways are focused on the aspects of a specific appliance and protocol combination as well as the content of the conversation. An application-aware firewall provides filtering services for specific applications.
split tunnel
is a VPN configuration that allows a VPN-connected system to access both the organizational network over the VPN and the Internet directly at the same time. The split tunnel thus grants a simultaneously open connection to the Internet and the organizational network.
Remote authentication
is a catchphrase that refers to any mechanism used to verify the identity of remote users. Several well-known examples of remote authentication include RADIUS, TACACS, 802.1x, and Challenge Handshake Authentication Protocol (CHAP). Originally, remote authentication referred to solutions that supported authentication mechanisms for dial-up telecommuters. Today, it includes any authentication technology that can be used for remote users, whether connecting over dial-up, VPN, or wireless.
War dialing
is a common attack against dial-up modems on a company network. Such an attack dials all the numbers in a prefix range in order to locate modems connected to computer systems. Once attackers locate a modem that answers a computer call, they can focus their efforts on breaking through the logon security barrier.
padded cell
is a containment area that is activated only when an intrusion is detected.
Application control or application management
is a device management solution that limits which applications can be installed onto a device. It can also be used to force specific applications to be installed or to enforce the settings of certain applications, in order to support a security baseline or maintain other forms of compliance. Using application control can often reduce exposure to malicious applications by limiting the user's ability to install apps that come from unknown sources or that offer non-work-related features. Although security features must be enabled to have any beneficial effect, it's just as important to remove apps and disable features that aren't essential to business tasks or common personal use. The wider the range of enabled features and installed apps, the greater the chance that an exploitation or software flaw will cause harm to the device and/or the data it contains. Following common security practices, such as hardening, reduces the attack surface of mobile devices. In addition to managing the security of mobile devices, you need to focus on the applications and functions used on those devices. Most of the software security concerns on desktop or notebook systems apply to mobile devices just as much as common-sense security practices do.
modem
is a device that creates a network communication link between two computers (or networks) over a telephone line. Modems are one of the slowest remote-connection methods still widely supported by OSs. Most connections are limited to a maximum throughput of 56 Kbps. However, because portable systems can use them to connect to corporate offices using any available telephone line, modems will probably be around for years to come.
Configuration Compliance Scanner
is a form of manually operated NAC. It is a tool that quickly scans a system to check whether approved updates and patches are installed and whether the system is in compliance with security and general system configuration settings. A configuration compliance scanner should be used by system administrators on a regular basis to check for and monitor the settings status of the devices on the network
ANT
is a proprietary protocol owned by Garmin that is an open access multicast sensor network technology. It uses the 2.4 GHz frequency band to support interactions between sensor devices and management devices (such as a smartphone). It is similar in nature to Bluetooth LE (Low Energy), but with a primary focus on gathering data from low-power and low-bit-rate sensors. ANT is found in many fitness trackers, heart rate monitors, watches, cycling meters, and pedometers. ANT offers the ability to encrypt communications, but it is not always enabled. Some implementations of ANT, such as ANT+, do not offer any encryption options because they focus on cross-vendor interoperability rather than security. Similar to NFC, ANT has limited risk due to its current use limitations. However, always be cautious when using any plain text communications system.
SSH
is a secure replacement for Telnet and many of the Unix "r" tools, such as rlogon, rsh, rexec, and rcp. While Telnet provides remote access to a system at the expense of plain-text communication, SSH transmissions are cipher text and thus are protected from eavesdropping. SSH operates over TCP port 22. SSH is the protocol most frequently used with a terminal editor program such as HyperTerminal in Windows, Minicom in Linux, or PuTTY in both. An example of SSH use would involve remotely connecting to a switch or router in order to make configuration changes. SSH offers a means by which a secure command-line, text-only interface connection with a server, router, switch, or similar device can be established over any distance. You can perform many command-line or scriptable activities through the SSH connection, as shown in Figure 2.42. SSH transmits both authentication traffic and data in a secured encrypted form. Thus, no information is exchanged in clear text. SSH is a very flexible tool. It can be used as a secure Telnet replacement; it can be used to encrypt protocols similar to TLS, such as SFTP; and it can be used as a VPN protocol.
Protocol Analyzer
is a tool used to examine the contents of network traffic. Commonly known as a sniffer, a protocol analyzer can be a dedicated hardware device or software installed on a typical host system. In either case, a protocol analyzer is first a packet-capturing tool that can collect network traffic and store it in memory or on a storage device. Once a packet is captured, it can be analyzed either with complex automated tools and scripts or manually. A protocol analyzer usually places the NIC into promiscuous mode in order to see and capture all packets on the local network segment rather than just those with the destination MAC address of the computer's local NIC. In promiscuous mode, the NIC ignores the destination MAC addresses of packets and collects each one it sees. Once a network packet is collected, it's either saved to the hard drive in a log file or retained in memory in a buffer. The protocol analyzer can examine individual packets down to the binary level. Most analyzers or sniffers automatically parse out the contents of the header into an expandable outline form (Figure 2.20). Any configuration or setting can be easily seen in the header details. The payload of packets is often displayed in both hexadecimal and ASCII. Sniffers typically offer both capture filters and display filters. A capture filter is a set of rules to govern which packets are saved into the capture file or buffer and which are discarded. Capture filters are used to collect only packets of interest and keep the number of retained packets to a minimum. A display filter is used to show only those packets from the packet file or buffer that match your requirements. Display filters act like search queries to locate packets of interest. Protocol analyzers vary from simple raw packet-capturing tools to fully automated analysis engines. There are both open-source (such as Wireshark) and commercial (such as Omnipeek and NetScout) options. Protocol analyzers can be used to discover communication problems caused by hardware and software issues. They can detect protocol anomalies that may be due to misconfiguration, malfunction, or malicious intent. Often, when security administrators attempt to track down a network communication problem or discover the source of an attack, they use a protocol analyzer. Sniffer may either be a synonym for protocol analyzer or may mean a distinct type of product. A sniffer is generally a packet- (or frame-) capturing tool, whereas a protocol analyzer is able to decode and interpret packet/frame contents. A protocol analyzer is used by network administrators throughout their internal network, within a DMZ, and even on the open Internet to evaluate network communications. When there are odd or unexplained network events occurring, a protocol analyzer might be useful in capturing traffic related to the event to diagnose and troubleshoot the issue. Protocol analyzers can capture live traffic to assist administrators in determining the cause of communication failures or service and application issues based on header values and payload data.
Context-Aware Authentication
is an improvement on traditional authentication means. Contextual authentication evaluates the origin and context of a user's attempt to access a system. If the user originates from a known trusted system, such as a system inside the company facility, then a low-risk context is present and a modest level of authentication is mandated for gaining access. If the context and origin of the user is from an unknown device and/or external/unknown location, the context is high risk. The authentication system will then demand that the user traverse a more complex multifactor authentication gauntlet in order to gain access. Context-aware authentication is thus an adaptive authentication that may be able to reduce the burden of authentication during low-risk scenarios but thwart impersonation attempts during high-risk scenarios.
Media Gateway
is any device or service that converts data from one communication format to another. A media gateway is often located at the intersection of two different types of networks. Media gateways are commonly used with VoIP systems, where a conversion from IP-based communications to analog or digital is needed.
Round-Robin
is one of the basic forms of load balancing, in which each next request or load is handed to the next server in line. For example, if there are four servers, then the requests are distributed in order to server 1, then server 2, then server 3, then server 4, then again to server 1. This pattern is the same way you pass out cards to play games like poker or Go Fish.
Yagi
is similar in structure to a traditional roof TV antenna; it's crafted from a straight bar with cross sections to catch specific radio frequencies in the direction of the main bar.
Telephony
is the collection of methods by which telephone services are provided to an organization or the mechanisms by which an organization uses telephone services for either voice and/or data communications. Traditionally, telephony included plain old telephone service (POTS) or public switched telephone network (PSTN) service combined with modems. However, this has expanded to include PBX, VoIP, and VPN.
Content Management
is the control over mobile devices and their access to content hosted on company systems as well as controlling access to company data stored on mobile devices. Typically an MCM (mobile content management) system is used to control company resources and the means by which they are accessed or used on mobile devices. An MCM can take into account a device's capabilities, storage availability, screen size, bandwidth limitations, memory (RAM), and processor capabilities when rendering or sending data to mobile devices. The goal of a content management system for mobile devices is to maximize performance and work benefit while reducing complexity, confusion, and inconvenience. An MCM may also be tied to an MDM to ensure secure use of company data.
Containerization
is the next stage in the evolution of the virtualization trend for both internally hosted systems and cloud providers and services. A virtual machine-based system uses a hypervisor installed onto the bare metal of the host server and then operates a full guest operating system within each virtual machine, and each virtual machine often supports only a single primary application. This is very resource-wasteful design and reveals its origins as separate physical machines. Containerization is based on the concept of eliminating the duplication of OS elements and removing the hypervisor altogether. Instead, each application is placed into a container that includes only the actual resources needed to support the enclosed application. The containers run on a standard shared operating system. There is effectively a hypervisor replacement, generically known as the container engine, but it consumes far fewer resources than the hypervisor, because it simply facilitates OS resource and service access for the containerized applications. Containerization is able to provide 10 to 100 times more application density per physical server than that provided by hypervisor virtualization solutions. Containerization can be used in relation to mobile devices by hosting the primary OS on a containerization host in the company cloud so that the actual mobile device is only used as a remote control interface to the OS container rather than having the business apps and company data on the device itself.
Banner Grabbing
is the process of capturing the initial response or welcome message from a network service. A banner grab occurs when a request for data or identity is sent to a service on an open port and that service responds with information that may directly or indirectly reveal its identity. Often the banner discloses the application's identity, version information, and potentially much more. A common method of banner grabbing against web servers is to use the telnet client to send a plain-text query. This can be accomplished by opening a command prompt, typing telnet www.apache.org 80, pressing Enter, typing HEAD / HTTP/1.0, and pressing Enter a few more times. This should result in the display of an HTTP 200 OK message (Figure 2.22), which often includes a Server line that identifies the specific web server product in use. Banner grabbing is a common technique used by both hackers and researchers to learn more about an unknown system across a network connection. Banner grabbing can be used when an attacker or an administrator wishes to learn more about a targeted system. If a banner can be retrieved from a target system, it often includes details as to the product and version of the application running on a port as well as information regarding the underlying operating system.
Device security
is the range of potential security options or features that may be available for a mobile device. Not all portable electronic devices (PEDs) have good security features. But even if devices have security features, they're of no value unless they're enabled and properly configured. Be sure to consider the security options of a new device before you make a purchase decision.
Analytics
is the review, investigation, and understanding of the results from an IDS. An IDS will consider an event or traffic either benign or malicious and in turn will either trigger an alarm/response or not. This allows for four possible result states from an IDS; the first two are true positive and the latter two are true negative. The most desired is the true negative, in which only benign events are occurring and no alarms are sounding. The second most desired state is the true positive, when malicious events are occurring and the alarm is sounding.
SATCOM
satellite communication, is a means of audio and data transmission using satellites orbiting in near-earth orbit (Figure 2.37). SATCOM devices benefit from nearly complete service coverage, thanks to the broad footprint of a signal transmitted from 100+ miles above the surface of the planet. The data transmission speeds of SATCOM are rather poor compared to those of terrestrial solutions, but it may be the only available option in many remote locations. SATCOM communications are encrypted in most cases to prevent eavesdropping from others elsewhere in the transmission footprint of the signal from the satellite. However, the encryption is only applied to the communication between the portable device and the satellite and between the satellite and the ground station. Once the communication reaches the ground station, it is likely then transmitted over a landline, cellular, or data connection in plain text form. Always pre-encrypt any sensitive communications before sending them over a SATCOM connection.
HIDS
watches the audit trails and log files of a host system (see Figure 2.7). This type of IDS/IPS is limited to the auditing and logging capabilities of the host system (which includes the OS and installed applications and services). A host-based IDS/IPS can detect problems only if sufficient information is captured by the host's auditing capabilities. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are perpetrated by a user locally logged into the host. Common examples of HIDSs are antivirus software, antispyware scanners, and security anomaly detectors.
