CH 10 Security in network designs
NGFW (Next Generation Firewall)
Have built-in application control features and are application aware (can monitor and limit the traffic of specific applications). May also be user aware (adapt policy to a specific user or user group) and context aware (adapt to the combination of application, user, and device).
HIDS (host-based intrusion detection system)
IDS implementation that runs on a single computer to alert about attacks on that one host. Might also include FIM (file integrity monitoring), which alerts when changes are made to files that shouldn't change.
NIDS (network-based intrusion detection system)
IDS implementation that protects a network; usually situated at the edge of the network or in the DMZ (demilitarized zone), the network's protective perimeter.
RSTP (Rapid Spanning Tree Protocol), MSTP (multiple spanning tree protocol), TRILL (transparent interconnection of lots of links), SPB (shortest path bridging)
Newer (faster) versions of STP are
TACACS+ (Terminal Access Control Access Control System+)
Offers the option of separating authentication, authorization, and auditing capabilities. Differences from RADIUS: relies on TCP (port 49), not UDP, at the Transport layer; developed by Cisco Systems as a proprietary protocol (later documented in RFC 8907); the router or switch itself acts as the TACACS+ client and forwards AAA requests to the TACACS+ server; encrypts the entire body of every AAA packet (RADIUS encrypts only the password).
Implicit deny rule
On an ACL, if a packet does not match any of the criteria given, the packet is dropped. This rule is called the
RADIUS (Remote Authentication Dial-In User Service)
An open standard defined by the IETF (RFC 2865). Runs in the Application layer and uses UDP at the Transport layer (port 1812 for authentication, 1813 for accounting), with TCP transport defined later as an extension. Can operate as an application on a remote access server or on a dedicated RADIUS server. Highly scalable. May be used to authenticate wireless, mobile, and remote users. RADIUS services are often combined with other network services on a single machine. Only the password in the access request is encrypted; the rest of the packet travels in the clear.
Port Blocking
Prevents connections to, and completion of transmissions through, specific ports.
BPDU (Bridge Protocol Data Units)
STP information is transmitted between switches via _______
firewalls and IDS/IPS systems (intrusion detection system) and (intrusion prevention system)
Specialized security devices are
IDS (Intrusion Detection System)
Stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. Monitors network traffic and generates alerts about suspicious activity. Commonly exists as an embedded feature in UTM solutions or NGFWs.
SIEM (Security Information and Event Management)
Systems that can be configured to evaluate all log data; they look for significant events that require attention from the IT staff.
RBAC (Role Based Access Control)
The most popular authorization method, where administrators assign the privileges and permissions necessary for users to perform their duties. Admins create groups associated with certain roles and place users in those groups rather than granting rights to each user individually.
Packet-filtering firewall
The simplest form of a firewall is a ________ firewall. It examines the header of every entering packet (inbound traffic) and can also block traffic exiting the LAN (outbound traffic).
Root Bridge
The single bridge on a network selected by STP (the switch with the lowest bridge ID) to provide the basis for all subsequent path calculations.
LDAP (Lightweight Directory Access Protocol)
The standard protocol for accessing an existing directory (TCP port 389, or 636 for LDAP over TLS).
Supplicant, Authenticator, and Authentication Server
The three main EAP entities are
statistical anomaly detection and signature-based detection.
The two primary methods for detecting threats are
non-persistent and persistent
The two types of NAC agents are
BPDU guard (Bridge Protocol Data Unit guard)
A security precaution configured on STP-enabled interfaces. Blocks BPDUs on any port serving network hosts such as workstations and servers, so a device plugged into one of those ports can't participate in STP and is never considered a possible path.
BPDU filter
A security precaution configured on STP-enabled interfaces. Can be used to disable STP on specific ports; because such a port neither sends nor processes BPDUs, a loop through it goes undetected, so use it with care.
Root guard
A security precaution configured on STP-enabled interfaces. Prevents switches beyond the configured port from becoming the root bridge: if a superior BPDU arrives on that port, the port is blocked instead of accepting the new root.
Switches
To make networks more fault tolerant, you should install multiple (redundant) ______ at critical junctures. A potential problem with redundant paths is traffic loops.
True
True or false: in 2FA (two-factor authentication) the user must present two factors of different types, for example something they know (a password) and something they have (a token or phone).
True
True or false: a log file viewer can be installed to make it easier to monitor log files for interesting or suspicious events.
PEAP (Protected Extensible Authentication Protocol)
Tunnel-based: creates an encrypted TLS tunnel between the supplicant and the server, authenticated by the server's certificate, then runs an inner authentication method (commonly MS-CHAPv2) inside the tunnel so the user's credentials are never exposed on the wireless link.
ACL (access control list)
Used by routers to decline forwarding certain packets. Acts like a filter to instruct the router to permit or deny traffic according to one or more of the following variables: Network layer protocol (e.g., IP or ICMP), Transport layer protocol (e.g., TCP or UDP), source IP address, destination IP address, TCP or UDP port number. Statements are evaluated top to bottom and the first match decides, so statement order matters.
layered security
Using multiple options for network security results in
OSA (Open System Authentication) and SKA (shared key authentication)
WEP (wired equivalent privacy) offers two forms of authentication. What are they?
Directory service
_________ Maintains a database of account information such as usernames, passwords, and other authentication credentials. Ex. AD (Active Directory), LDAP-based directories such as OpenLDAP, 389 Directory Server.
SKA (Shared Key Authentication)
A WEP form of authentication. All wireless clients use the same key, which is then also used for encrypted transmissions. One static key shared by every client is part of why WEP is no longer considered secure.
OSA (Open System Authentication)
A WEP form of authentication where no key is used: the wireless client, knowing only the access point's SSID, requests authentication.
Reverse proxy
A ______ _____ provides services to Internet clients from servers on its own network. It provides identity protection for the server rather than the client, and is useful when multiple web servers are accessed through the same public IP address.
Proxy server
A _______ ______ acts as an intermediary between external and internal networks. It screens all incoming and outgoing traffic and manages security at the Application layer. One of its important functions is preventing the outside world from discovering the addresses of the internal network.
SPB (Shortest Path Bridging)
A descendant of STP defined by the IEEE 802.1aq standard. Keeps all potential paths active while managing the flow of data across those paths to prevent loops.
Number of false positives logged
A drawback of an IDS (intrusion detection system): each one has to be investigated, and too many of them train staff to ignore alerts.
KDC (Key Distribution Center)
A Kerberos term: the server that issues keys to clients during initial client authentication.
MFA (Multifactor Authentication)
An authentication process that requires two or more pieces of information from different factor categories (something you know, something you have, something you are).
host-based firewalls
Other types of firewalls protect only the computer on which they are installed. These are known as
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
Short for Counter Mode with CBC (Cipher Block Chaining) MAC (Message Authentication Code) Protocol. Built on AES, it improves wireless security for newer devices that can use WPA2. Helps ensure data confidentiality with both encryption and packet authentication by providing message integrity and encryption.
Statistical Anomaly detection
This method for detecting threats compares network traffic samples to a predetermined baseline in order to detect anomalies. It can catch attacks with no known signature, but anything unusual and benign is flagged too.
Signature-based detection
This method for detecting threats looks for identifiable patterns (signatures) of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic. It cannot detect an attack for which no signature exists yet.
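The two detection methods on the cards above, run side by side over the same traffic. This is an added example, not code from the original notes: the log-line format, the signature set, the baseline counts and the 3-sigma threshold are all assumptions chosen for illustration, and the log lines are constructed. It shows what each method sees and misses: the signatures catch three requests with known-bad content, while the anomaly detector catches the same host's file-name brute force, which matches no signature at all.

```python
"""Signature-based and statistical anomaly detection run over the same log lines.

Added example, not from the original notes: the signature set, the log format,
the baseline counts and the 3-sigma threshold are assumptions for illustration.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Signature detection: known-bad patterns, matched against the URL-decoded request path.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "sqli_union": re.compile(r"union\s+select", re.IGNORECASE),
    "xss_script_tag": re.compile(r"<script", re.IGNORECASE),
}

# Minimal parser for Apache-style access log lines (constructed format, see _log below).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, signature_name) for every line matching a known-bad pattern.
    Decoding first matters: '%27%20OR%201%3D1' only matches after unquote()."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        decoded = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(baseline_counts: List[int], lines: List[str], sigma: float = 3.0) -> Dict[str, float]:
    """Compare each source's request count in the window to a baseline of per-client
    counts and flag sources more than `sigma` standard deviations above the mean.
    Knows nothing about attack content, so it also catches scans with no signature."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts)
    per_source = Counter(rec["src"] for rec in filter(None, map(parse, lines)))
    flagged = {}
    for src, count in per_source.items():
        z = (count - mean) / stdev if stdev else 0.0
        if z > sigma:
            flagged[src] = round(z, 2)
    return flagged


def _log(src: str, path: str, status: str = "200") -> str:
    return f'{src} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed baseline: requests per client in a quiet one-minute window on earlier days.
BASELINE_COUNTS = [3, 5, 4, 6, 4, 5, 3, 4, 5, 4]

# Constructed one-minute window: two normal clients plus one host that probes with
# three signature-matching requests and then brute-forces file names (no signature).
WINDOW_LOGS = (
    [_log("198.51.100.7", p) for p in ("/", "/about.html", "/images/logo.png", "/contact.html")]
    + [_log("192.0.2.44", p) for p in ("/", "/news", "/news/1", "/news/2", "/rss.xml")]
    + [
        _log("203.0.113.9", "/../../etc/passwd", "404"),
        _log("203.0.113.9", "/login.php?user=admin%27%20OR%201%3D1--"),
        _log("203.0.113.9", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ]
    + [_log("203.0.113.9", f"/backup{i}.zip", "404") for i in range(20)]
)


if __name__ == "__main__":
    for src, name in signature_alerts(WINDOW_LOGS):
        print(f"signature  {src:14} {name}")
    for src, z in anomaly_alerts(BASELINE_COUNTS, WINDOW_LOGS).items():
        print(f"anomaly    {src:14} z={z}")
```

Lowering `sigma` makes the anomaly detector more sensitive and, as the false-positive card notes, more noisy; a busy but legitimate client such as a monitoring probe would be flagged just the same as the scanner.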
Persistent agent
this type of NAC agent is permanently installed on a device
Non-persistent agent
This type of NAC agent remains on the device only long enough to verify compliance and complete authentication, then uninstalls. Also called a dissolvable agent.
True
True or false: a firewall's location is between two interconnected private networks or between private and public networks (network-based firewall); you may also see firewall features integrated in routers, switches, and other network devices.
access-list
What Cisco IOS command is used to add a statement to an existing numbered ACL? The command must identify the ACL and include a permit or deny argument.
IPS (Intrusion Prevention System)
Reacts to suspicious activity when alerted. Detects a threat and prevents the traffic from flowing into the network, typically by blocking the originating IP address. Unlike an IDS, it sits inline with the traffic it inspects.
packet-filtering firewall
Source and destination IP addresses; source and destination ports; flags set in the TCP header; transmissions using UDP or ICMP protocols; a packet's status as the first packet in a new data stream or a subsequent packet; a packet's status as inbound to or outbound from the private network. These are the common filtering criteria of a
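The ACL, implicit-deny and packet-filtering cards describe one mechanism: a list of statements checked top to bottom against the packet header, with the first match deciding and an implicit deny for anything that matches nothing. The following is an added example, not code from the original notes: the `Packet` and `Rule` fields, the sample ACL and the constructed packets are assumptions made for illustration. It exercises the criteria listed above (direction, protocol, source and destination address, destination port, and whether the packet is a bare SYN starting a new stream).

```python
"""First-match ACL evaluation with an implicit deny.

Added example, not from the original notes: the Rule/Packet fields, the
sample ACL and the constructed packets are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                  # "inbound" or "outbound" relative to the private LAN
    protocol: str                   # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None  # None for ICMP
    syn_only: bool = False          # TCP SYN without ACK: first packet of a new stream


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"          # CIDR; the default matches every source
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # None matches any destination port
    established_only: bool = False  # only TCP packets that are not a bare SYN (reply traffic)

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.established_only and (pkt.protocol != "tcp" or pkt.syn_only):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the ACL top to bottom; the first matching rule decides.
    If nothing matches, the packet is dropped: the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed ACL for the Internet-facing interface of an edge router.
# The private LAN is 192.168.1.0/24 and 192.168.1.10 is a public web server.
ACL = [
    Rule("deny", direction="inbound", src="192.168.1.0/24"),  # anti-spoofing: LAN addresses never arrive from outside
    Rule("permit", direction="inbound", protocol="tcp", dst="192.168.1.10/32", dst_port=443),
    Rule("permit", direction="inbound", protocol="tcp", established_only=True),  # replies to LAN-initiated sessions
    Rule("permit", direction="outbound", src="192.168.1.0/24"),
    # no closing rule needed: anything else falls through to the implicit deny
]


def demo() -> Dict[str, str]:
    """Run constructed packets through the ACL and return their verdicts."""
    packets = {
        "https_to_web_server": Packet("inbound", "tcp", "203.0.113.5", "192.168.1.10", 443, syn_only=True),
        "ssh_to_lan_host": Packet("inbound", "tcp", "203.0.113.5", "192.168.1.20", 22, syn_only=True),
        "spoofed_lan_source": Packet("inbound", "tcp", "192.168.1.10", "192.168.1.10", 443, syn_only=True),
        "reply_to_lan_client": Packet("inbound", "tcp", "198.51.100.7", "192.168.1.20", 51515),
        "lan_client_browsing": Packet("outbound", "tcp", "192.168.1.20", "198.51.100.7", 80, syn_only=True),
        "inbound_ping": Packet("inbound", "icmp", "203.0.113.5", "192.168.1.20"),
    }
    return {name: evaluate(ACL, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Swap the first two rules and the spoofed packet (a LAN source address arriving on the outside interface) is permitted by the web-server rule before the anti-spoofing rule is ever reached, which is why the order of `access-list` statements is part of the policy.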
NIPS (network-based intrusion prevention system)
A ______ protects entire networks (an IPS type).
Stateful firewall
A _______ _______ keeps a table of active connections and evaluates each incoming packet in the context of the connection it belongs to. (A stateless firewall, by contrast, manages each incoming packet as a stand-alone entity without regard to active connections.)
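Why connection tracking matters, as an added example that is not part of the original notes: the packet model, the state table, the simplified TCP state machine and the sample traffic are all assumptions for illustration. The stateless rule looks only at the ACK flag, so a crafted inbound packet with ACK set is waved through; the stateful firewall admits inbound packets only for connections the LAN actually opened.

```python
"""The same inbound packet seen by a stateless rule and by a stateful firewall.

Added example, not from the original notes: the packet model, the state table,
the simplified TCP state machine and the sample traffic are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    direction: str = "outbound"   # relative to the private LAN


FlowKey = Tuple[str, int, str, int]   # (lan_ip, lan_port, remote_ip, remote_port)


def stateless_filter(pkt: TcpPacket) -> str:
    """Stateless 'established' rule: permit inbound TCP if the ACK bit is set.
    It judges the packet in isolation, so an attacker who simply sets ACK
    on a crafted packet gets through."""
    if pkt.direction == "outbound":
        return "permit"
    return "permit" if pkt.ack else "deny"


class StatefulFirewall:
    """Tracks each TCP connection the LAN opens and admits inbound packets
    only when they belong to a connection in the state table."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}

    @staticmethod
    def _key(pkt: TcpPacket) -> FlowKey:
        # Both directions of one connection map to the same key.
        if pkt.direction == "outbound":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def handle(self, pkt: TcpPacket) -> str:
        key = self._key(pkt)
        state = self.table.get(key)
        if state is None:
            # Only an outbound SYN may create state; any unsolicited inbound packet is dropped.
            if pkt.direction == "outbound" and pkt.syn and not pkt.ack:
                self.table[key] = "SYN_SENT"
                return "permit"
            return "deny"
        if state == "SYN_SENT":
            if pkt.direction == "inbound" and pkt.syn and pkt.ack:
                self.table[key] = "SYN_RECEIVED"
                return "permit"
            return "deny"
        if state == "SYN_RECEIVED":
            if pkt.direction == "outbound" and pkt.ack and not pkt.syn:
                self.table[key] = "ESTABLISHED"
                return "permit"
            return "deny"
        if state == "ESTABLISHED":
            if pkt.fin:
                self.table[key] = "CLOSING"
            return "permit"
        # CLOSING: let the second FIN through, then forget the connection.
        if pkt.fin:
            del self.table[key]
        return "permit"


def demo() -> Dict[str, object]:
    fw = StatefulFirewall()
    lan, server = "192.168.1.20", "198.51.100.7"
    # Constructed: a LAN client opens an HTTPS connection and the server starts sending data.
    handshake = [
        TcpPacket(lan, 51515, server, 443, syn=True, direction="outbound"),
        TcpPacket(server, 443, lan, 51515, syn=True, ack=True, direction="inbound"),
        TcpPacket(lan, 51515, server, 443, ack=True, direction="outbound"),
        TcpPacket(server, 443, lan, 51515, ack=True, direction="inbound"),
    ]
    # Constructed: an outside host sends a bare ACK to port 22 with no prior connection.
    crafted_ack = TcpPacket("203.0.113.5", 40000, lan, 22, ack=True, direction="inbound")
    return {
        "handshake_stateless": [stateless_filter(p) for p in handshake],
        "handshake_stateful": [fw.handle(p) for p in handshake],
        "crafted_stateless": stateless_filter(crafted_ack),
        "crafted_stateful": fw.handle(crafted_ack),
        "tracked_connections": len(fw.table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

A real stateful firewall also ages entries out of the table and checks sequence numbers; the point here is only that the verdict for an inbound packet depends on history, not on the packet alone.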
Firewall
A ________ is a specialized device or software that selectively filters or blocks traffic between networks.
HIPS (host-based intrusion prevention system)
A ________ protects a specific host (an IPS type).
NAC (Network Access Control)
A __________ solution employs a set of rules, called network policies, that determine the level and type of access granted to a device when it joins a network.
content-filtering firewall
A _____________ _______ can block designated types of traffic based on application data contained within packets.
Kerberos
A cross-platform authentication protocol that uses symmetric-key encryption and tickets to verify the identity of clients so they can securely exchange information after logging on to a system.
SSO (Single Sign-On)
A form of authentication in which a client signs on one time to access multiple systems or resources. Its primary advantage is convenience; its disadvantage is that once authentication is cleared, the user (or anyone who steals that session) has access to numerous resources.
EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
A form of tunneled EAP developed by Cisco that works similarly to PEAP (only faster). Uses PACs (Protected Access Credentials) stored on the supplicant device for speedier establishment of the TLS tunnel.
AS (authentication service) and TGS (ticket-granting service)
A Kerberos KDC runs what two services?
Principal
A Kerberos term for a client or user (any entity that can be issued a ticket).
Ticket
A Kerberos term: a temporary set of credentials that a client uses to prove to other servers that its identity has been validated.
Authentication
A major element for controlling users' access to a network, in which a user proves their identity by providing credentials (typically a username and password).
Accounting
A major element for controlling users' access to a network that logs users' access and activities on the network.
Authorization
A major element for controlling users' access to a network, where the ________ process determines what an authenticated user can and cannot do with network resources.
TRILL (Transparent Interconnection of Lots of Links)
A multipath, link-state protocol (using IS-IS) developed by the IETF as a replacement for STP.
TKIP (Temporal Key Integrity Protocol)
A security protocol created by the IEEE 802.11i task group to replace WEP; an encryption key generation and management scheme. It was a quick fix and is only offered today to provide compatibility with older wireless devices.
UTM (unified threat management)
A security strategy that combines multiple layers of security appliances and technologies into a single safety net; it requires a great deal of processing power.
Supplicant
The EAP entity that is the device requesting authentication.
Authenticator
The EAP entity (e.g., a switch or wireless access point) that initiates the authentication process and relays messages between the supplicant and the authentication server.
Authentication server
The EAP entity that actually performs the authentication (e.g., a RADIUS server).
EAP (Extensible Authentication Protocol)
An authentication framework that provides the structure for authenticating clients and servers. It does not perform encryption or authentication on its own, but works with other encryption and authentication methods to verify the credentials of clients and servers.
PSK (pre-shared key)
An authentication method for WPA or WPA2 that requires a passphrase for a device to be authenticated to the network.
Authentication, Authorization, and Accounting
Controlling users' access to a network and its resources consists of three major elements. What are they?
RSTP (Rapid Spanning Tree Protocol) and MSTP (multiple spanning tree protocol)
Defined in IEEE 802.1w and 802.1s respectively; they can detect and correct for link failures in seconds or less, far faster than the 30 to 50 seconds classic STP needs to reconverge.
STP (Spanning Tree Protocol)
Defined in IEEE standard 802.1D and operating at the Data Link layer. It prevents traffic loops by calculating loop-free paths and artificially blocking the links that would complete a loop. If a switch is removed, ______ recalculates the best loop-free data paths between the remaining switches.
EAP-TLS
An EAP method that uses TLS to protect communications. Uses PKI certificates to exchange public keys and authenticate both the supplicant and the server (mutual authentication).
Firewall functions
Encryption; user authentication; centralized management; easy rule establishment; content filtering based on data contained in packets; logging and auditing capabilities; protecting the internal LAN's address identity; monitoring packets according to existing traffic streams (stateful firewall). These are optional _________ ______