Ch 5
Physical monitoring tools
Report on physical conditions that can affect network function, such as temperature, humidity, or electrical power quality. Often part of overall environmental control or safety systems.
Implicit Allow
Access is allowed unless a rule explicitly denies it. An ACL containing only explicit denials is called a blacklist.
Implicit Deny
Access is denied unless a rule explicitly allows it. An ACL containing only explicit allowances is often called a whitelist.
Manager
A software application used to manage agents. The manager is sometimes called a network management system (NMS), and the host that runs it a network management station.
Management Information Base (MIB)
A database containing OIDs for a managed device, arranged in a tree-like hierarchical fashion. The MIB is built into the agent, and a copy of its structure is imported into the NMS. This allows the two to communicate clearly about the device's functions.
Exploitation framework
A penetration testing tool rather than a vulnerability scanner. Exploitation frameworks are designed to develop and test exploits against vulnerable systems or applications, but they often can be used to scan more passively for vulnerabilities.
Port security
A switch feature that tracks device MAC addresses connected to each port on a switch, and allows or denies traffic based on source MAC addresses. This can be used to block unfamiliar addresses in order to keep rogue devices off the network, or to block inside attacks based on MAC spoofing. It can also prevent multiple MAC addresses from connecting to a single physical port, such as if a user attached an unauthorized hub or switch to a network drop. It's possible for an unauthorized device to spoof the MAC address of a legitimate one, so it's not strong security in itself, but it's still a useful security layer.
Object identifier (OID)
A unique number corresponding to an object, something that can be monitored on a managed device. For example, on a switch the up or down status of a particular interface might be an object, as would be its rate of incoming traffic. (The actual value of an object is called a variable.)
SNMPv3
Adds full cryptographic security to the protocol functions of SNMPv2c. This version doesn't change message formats and makes little change to the protocol itself outside of security features, but adds options for both authentication and encryption. SNMPv3 also defines some system elements differently for conceptual and documentation purposes. A manager and SNMP-enabled applications are combined into an NMS SNMP entity, while an agent and its MIB are combined into a Managed Node SNMP entity.
Response
Agent-to-manager replies to Get or Set PDUs. Get responses report the requested variables while Set responses acknowledge success or error conditions.
Log retention
All aggregated logs, critical or not, can be saved for later analysis or to comply with organizational or regulatory data retention policies.
Active-active
All redundant servers (or other resources) are constantly available and sharing the load. If one fails, its workload is distributed to remaining nodes. This is the usual load-balancing approach, but it only works if there is enough excess capacity to compensate for failed nodes. If a critical server crash overloads other servers, it might cause a cascading failure.
WPA-Personal
Also called pre-shared key (PSK). Uses a 256-bit key manually distributed to each authorized user. The key can be directly entered as 64 hexadecimal digits, or in the form of an ASCII passphrase between 8 and 63 characters. If the ASCII passphrase is used, it's stretched into the key with PBKDF2 (4096 iterations of HMAC-SHA1) using the SSID as a salt, so the same passphrase yields a different key on every differently named network. WPA-Personal is convenient for small networks with few users, and if the passphrase is long and random enough and the SSID unusual it's as secure as any method. The downside is that all users use the same key: this not only means that the key needs to be changed if any one user is compromised, but the new key also needs to be manually passed on to each user.
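The key derivation described above, as an added worked example (not code from the original page): it accepts either the 64-hex-digit form or an ASCII passphrase, applies the 802.11i PBKDF2 step with the SSID as salt, and shows why the SSID matters. The sample passphrase and SSID are the published 802.11i test vector, not any real network's credentials; the function names are this example's own.

```python
import hashlib
import re

# Constructed inputs: the passphrase/SSID pair is the published IEEE 802.11i
# test vector (Annex H), not credentials for any real network.
SAMPLE_PASSPHRASE = "password"
SAMPLE_SSID = "IEEE"

PSK_HEX_RE = re.compile(r"[0-9A-Fa-f]{64}")


def derive_psk(secret: str, ssid: str) -> bytes:
    """Turn what a user types into the 256-bit PSK the AP and client share.

    A 64-hex-digit secret *is* the key. Anything else is treated as an ASCII
    passphrase (8 to 63 printable characters) and stretched with
    PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 32 bytes of output,
    as IEEE 802.11i specifies. A 64-character hex string cannot be a
    passphrase (limit is 63), so the two forms never collide.
    """
    if PSK_HEX_RE.fullmatch(secret):
        return bytes.fromhex(secret)
    if not (8 <= len(secret) <= 63):
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", secret.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def same_passphrase_different_ssid(secret: str, ssid_a: str, ssid_b: str) -> bool:
    """True when two networks sharing a passphrase still get different PSKs.

    This is why an unusual SSID helps: a precomputed passphrase->PSK table
    is only valid for the one SSID it was built with.
    """
    return derive_psk(secret, ssid_a) != derive_psk(secret, ssid_b)


if __name__ == "__main__":
    psk = derive_psk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    print(f"PSK for {SAMPLE_PASSPHRASE!r} on SSID {SAMPLE_SSID!r}: {psk.hex()}")
    print("Same passphrase on SSID 'linksys' gives a different key:",
          same_passphrase_different_ssid(SAMPLE_PASSPHRASE, SAMPLE_SSID, "linksys"))
```

The PSK is what the four-way handshake actually proves possession of, so anyone who captures that handshake can run this exact function offline against a passphrase wordlist; the 4096 iterations slow that down, but only a long random passphrase makes it impractical.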
WPA-Enterprise
Also known as 802.1X mode. Connecting clients are allowed to communicate only with an external authentication server using EAP; by default EAP-TLS is used but a number of other standards are supported, such as PEAP, EAP-TTLS, or various proprietary protocols. Once clients are authenticated, they get full network access, but they never directly see the WPA encryption key so they can't share it. WPA-Enterprise is more work to set up, but since individual user credentials can be changed or removed, it's easier to maintain and keep secure.
False negative
An attack occurred, and the IDS mistook it for benign behavior. This is potentially disastrous, since the network could be compromised without anyone knowing.
True positive
An attack occurred, and the IDS recognized it. This is a good result: even if the attack itself is bad, it was recognized and can be addressed.
Correlation
Analyzes aggregated events in order to find useful data that might need additional human review. In particular, correlation engines work by finding relationships and trends within a large number of events, filtering out irrelevant data, and highlighting what is most likely to be of interest to administrators.
Top talkers/listeners
Analyzes the network over time to find what nodes are the most frequent transmitters (talkers) or recipients (listeners) of data. Useful not only for measuring normal traffic and detecting bottlenecks, but to find attack sources and targets, or to discover unexpected traffic patterns such as those caused by a rogue server or compromised device.
Configuration compliance scanner
Any scanner that can compare its findings to an audit file reflecting required security configuration details for the systems, services, or devices it scans. Any compliance issues are listed separately from or in addition to vulnerabilities. For example, you could use a compliance scanner to make sure that systems have correct password policies and event logging configured.
Password cracker
Attempts to decipher weak passwords, usually by guessing them very rapidly. Some are designed to repeatedly attempt to log into a service, but others are focused on deciphering encrypted messages or password files.
Network analyzer
Captures and analyzes network traffic. Can read packet headers to determine traffic patterns, or view protocol information in depth. Also known as a packet analyzer or protocol analyzer.
Syslog
Collects system logs from network devices on a central server for analysis.
Message
Contains the name of the application or service which generated the message, as well as the message details themselves.
Header
Contains unique identification for the entry, such as a timestamp along with the generating device's hostname or IP address.
Severity level
Describes the severity of a logged event on a numerical scale (0 = emergency through 7 = debug) so that logs can be filtered by importance.
Facility
Describes the type of program that generated the message. Facility and severity are packed together into the PRI value at the start of each message (PRI = facility * 8 + severity), and syslog servers can be configured to process messages from different facilities differently.
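To make the message, header, severity and facility entries above concrete, here is an added example (not code from the original page) that parses BSD-style syslog lines, decodes the PRI field into facility and severity, and filters by importance. The sample lines are constructed for this example; the first one is the illustration from RFC 3164 itself. The function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Facility codes 0-23 as listed in RFC 3164 (13-15 are "log audit",
# "log alert" and "clock daemon" there; shortened here).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7; lower number means more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog shape: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<content>.*)$"
)


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str   # header: when
    host: str        # header: who generated it
    app: str         # message: generating program
    pid: Optional[int]
    content: str     # message: the details

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:   # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def parse_line(line: str) -> SyslogRecord:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogRecord(
        facility=facility, severity=severity, timestamp=m["ts"], host=m["host"],
        app=m["tag"], pid=int(m["pid"]) if m["pid"] else None, content=m["content"],
    )


def at_least(records: Iterable[SyslogRecord], severity_name: str) -> List[SyslogRecord]:
    """Keep records at the named severity or worse (numerically lower or equal)."""
    threshold = SEVERITIES.index(severity_name)
    return [r for r in records if r.severity <= threshold]


# Constructed sample lines; the first is the example given in RFC 3164.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 mymachine sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234",
    "<190>Oct 11 22:14:17 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23",
    "<3>Oct 11 22:14:18 db01 postgres[77]: FATAL: password authentication failed for user \"app\"",
]

if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LINES]
    for r in records:
        print(f"{r.facility_name:>8}.{r.severity_name:<7} {r.host:<10} {r.app}: {r.content}")
    print("err or worse:", [r.host for r in at_least(records, "err")])
```

Note that the PRI value is set by the sender, so a compromised or misconfigured host can label anything as local7.debug; filtering by severity alone is a convenience, not a security control.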
Encapsulating Security Payload (ESP)
Encrypts the packet payload itself, along with integrity and authentication information.
Analytic
Events describing exactly how programs and components are operating. Analytic logs are generated in large numbers, so they're hard to review unless you're looking for something specific. Hidden by default.
Forwarded Events
Events forwarded from other computers. To collect events from a remote computer, you must configure an event subscription relationship between both systems.
System
Events generated by Windows components, device drivers, and other system services. System event types are predetermined by Windows.
Application
Events logged by specific applications. What generates an event log, and what details are recorded, are up to the writer of the application.
Setup
Events related to application installations.
Debug
Events related to debugging and troubleshooting applications during development. Mostly intended for programmers. Hidden by default.
Operational
Events related to occurrences that don't represent well-defined errors. If they're associated with an application problem they can be used to troubleshoot, but they'll require more user interpretation.
Security
Events related to security features, such as failed or successful logon attempts, security policy changes, or resource use. Exactly what is logged is user-configurable. Uniquely, this log has two "event levels": Audit Success for successful security events (like a logon with proper credentials), and Audit Failure for unsuccessful events (like a logon with failed credentials).
Admin
Events relating to a problem that either has well-defined documentation or a clear error message troubleshooters can use to find a solution.
Interface monitor
Examines traffic over a specific network interface, for example one port on a router. Usually it's one component of software which monitors an entire network device, or even many devices across a network.
Web application vulnerability tester
Examines web server applications or even browsers for common vulnerabilities.
Aggregation
Gathers events from many sources throughout the network, including network devices, host operating systems, and applications, and consolidates them so that they can be reviewed together. Effective aggregation often requires additional features such as: time synchronization, to compensate for mismatched time settings between devices and allow a clear timeline of events; and event deduplication, to detect multiple instances of a single event (such as multiple copies sent of one event) and display it only once in the aggregated totals.
GRE
Generic Routing Encapsulation encapsulates almost any L3 protocol in a virtual point-to-point link. It's used for tunneling, but has no encryption or authentication of its own; consequently, it's a common component in other VPN protocols.
Alarms
High-priority notifications of a critical or ongoing incident needing quick response. Alarms actively notify network administrators or other relevant personnel, in order to ensure a quick human response to the incident. Alarms are an important feature of IDS and a number of other security and performance monitoring systems, but you need to integrate them into your organizational policies rather than handling them in an ad hoc manner. Not only do you need to make sure that alarms reliably reach the right people, but you need to have appropriate response procedures for each type of alarm.
SNMPv2c
Improves functionality and performance over v1, but uses different message formats and adds more PDU types, so it isn't directly backwards compatible. The original SNMPv2 included security features, but they were unpopular due to their complexity, so it was never widely adopted. SNMPv2c includes the other v2 functions, but uses the same community name authentication as v1.
Active-passive
In addition to any active nodes, there are one or more failover nodes that are left on standby until an active node fails, then immediately are activated. Active-passive configurations enforce excess capacity by leaving passive nodes deliberately idle until needed, and they can also escape some network attacks that might compromise multiple active nodes at once, but they require more additional hardware expense.
Trends
Instead of individually significant events, trends are the aggregate result of many minor events on the network, especially those which wouldn't need a response individually but taken as a whole form a meaningful pattern. One example of a short-term trend is a repeating pattern of TCP connection attempts representing a port scan against the network. A rise in phishing emails aimed at network users is a longer term trend. Trends can also represent changes in normal activity but still need a response: even if a sharp increase in normal web traffic is only because of a popular new service your company is providing, you'll still need to adjust your baseline traffic reports to reflect it.
L2TP/IPsec
Layer 2 Tunneling Protocol is an IETF standard based on elements of PPTP and Cisco's similar Layer 2 Forwarding protocol (L2F). Like PPTP it doesn't include encryption or authentication, but it's less limited in what protocols it uses for those functions, and unlike PPTP it even encrypts link negotiations. Most commonly L2TP uses RADIUS or TACACS+ authentication, and Internet Protocol Security (IPsec) encryption. That particular combination is called L2TP/IPsec, and is natively supported by most modern operating systems. When implemented correctly it can be very secure, but it uses a double encapsulation method that can hurt performance. An L2TP/IPsec VPN requires UDP port 500 (IKE) and UDP port 1701 (L2TP) plus ESP (IP protocol 50) to pass the firewall; if NAT traversal is required, the IKE and ESP traffic moves to UDP port 4500, which also needs to be open.
Alerts
Lower priority than alarms, alerts provide notice of changes in network conditions that may or may not need administrator response eventually, but aren't immediately critical. An alert still represents a specific event worthy of note. A system rebooting, a failed login attempt, or detection and successful quarantining of malware all would generate alerts. Alerts need to be recorded in a way that it's easy for administrators to review them and determine which need action.
Set
Manager-to-agent configuration commands. A SetRequest PDU changes the value of a single variable or list of variables.
Get
Manager-to-agent requests for information. A GetRequest PDU asks for the value of a single variable or list of variables, but a GetNextRequest series or GetBulkRequest can be used to walk through the entire MIB of a given agent without even knowing its full contents. Also known as polling.
Signature-based
Methods that look for behavior characteristic of known attacks. For example, the particular malformed packet used by a known worm might be on the list of suspicious signatures, as might a telnet attempt into the root account. Signature-based methods are great at stopping many known attacks, but they'll miss anything that's not on the list.
Anomaly-based (or heuristic)
Methods that look for behavior that looks unusual, at least relative to a normal baseline of past or expected behavior. Even if it doesn't directly match any signatures or misuse protocols, a traffic spike from a DDoS attack is an anomaly. So is a new kind of traffic not usually seen on the network, or a local user logging in from a foreign IP address. Heuristic detection is very difficult to design, and takes a lot of data gathering to be accurate, but of the three it's the most able to catch dangerous zero-day attacks against vulnerabilities no one even knew existed.
Stateful protocol analysis
Methods that use SPI or DPI to analyze traffic by examining the protocol it uses, and comparing to a profile of how that protocol is supposed to work. A single SYN packet isn't suspicious, but a sudden rush of them suggests a flood attack. Incoming packets that look like HTTP sessions at the network layer but are an entirely different protocol at the application layer would also be suspicious. Stateful protocol analysis can detect many attacks signature-based methods won't, but it's still only as good as the profiles. This is especially difficult with proprietary protocols that don't have full documentation available to the public.
Flood guard
More sophisticated switches that can examine packets on Layer 3 or higher can protect against additional network attacks. In addition to anti-spoofing ACLs, a popular feature is prevention against SYN floods and similar attacks. A switch with its flood guard enabled enforces a rate limit on communications which shouldn't be a constant part of network traffic, such as excessive SYN packets from a single IP address.
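The per-source rate limit described above, as an added example (not code from the original page or any switch vendor's implementation): a simplified flood guard that counts only pure SYNs per source address in a sliding window and drops the source once it exceeds the limit. The traffic, thresholds, and class name are constructed for this example; real switches add per-port and global thresholds and usually expose the limit as packets per second.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

SYN, ACK = 0x02, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds
    src: str
    dst: str
    dport: int
    flags: int


class FloodGuard:
    """Per-source rate limit on connection-opening SYNs (simplified model).

    Only pure SYNs (SYN set, ACK clear) count: those are the packets that
    cost the target a half-open connection. A SYN-ACK reply from a busy
    server, or a client that retries slowly, never trips the limit.
    """

    def __init__(self, max_syns: int, window: float):
        self.max_syns = max_syns
        self.window = window
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, float] = {}   # src -> time it was first blocked

    def allow(self, pkt: Packet) -> bool:
        """Return True to forward the packet, False to drop it."""
        if (pkt.flags & (SYN | ACK)) != SYN:
            return True                       # not a new connection attempt
        if pkt.src in self.blocked:
            return False
        q = self._recent[pkt.src]
        q.append(pkt.ts)
        while q and q[0] <= pkt.ts - self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.max_syns:
            self.blocked[pkt.src] = pkt.ts
            return False
        return True


def run(packets: List[Packet], max_syns: int = 20, window: float = 1.0) -> Tuple[FloodGuard, List[Packet]]:
    guard = FloodGuard(max_syns, window)
    dropped = [p for p in packets if not guard.allow(p)]
    return guard, dropped


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one host browsing normally, one host blasting SYNs."""
    pkts = []
    for i in range(5):   # 5 SYNs over 5 seconds, each answered by a SYN-ACK
        pkts.append(Packet(10.0 + i, "10.0.0.5", "192.0.2.10", 443, SYN))
        pkts.append(Packet(10.0 + i + 0.01, "192.0.2.10", "10.0.0.5", 443, SYN | ACK))
    for i in range(200):  # 200 SYNs in 0.2 s from one address: a flood
        pkts.append(Packet(12.0 + i * 0.001, "203.0.113.9", "192.0.2.10", 80, SYN))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    guard, dropped = run(sample_traffic())
    print("blocked sources:", sorted(guard.blocked))
    print("packets dropped:", len(dropped))
```

A limit keyed on source address is only as good as the source address: a SYN flood that spoofs a fresh source per packet stays under any per-source threshold, which is why this control is paired with anti-spoofing ACLs rather than used alone.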
Internet Key Exchange (IKE)
Negotiates and authenticates SAs between two hosts, and exchanges encryption keys to set up a secure channel. It also manages existing SAs, and periodically replaces keys during a session. It's actually a specific implementation of the Internet Security Association and Key Management Protocol (ISAKMP) framework for key exchange.
SNMP management software
Often used for remotely managing network devices, but just as useful for gathering network information.
MAC filtering
On Ethernet networks this is another term for port security, but it's more commonly used for a similar feature on WAPs. It's still useful, but much easier to circumvent because a WAP transceiver only has one "port" and it's easier for an attacker to watch for legitimate MAC addresses to imitate.
PPTP
Point-to-Point Tunneling Protocol is a very basic VPN protocol developed by a vendor consortium including Microsoft, 3Com, and others. It encapsulates PPP packets over GRE to provide VPN tunneling features, allowing it to carry any protocol PPP can including IP, IPX, and NetBEUI. On its own, PPTP doesn't specify encryption or authentication methods, but rather relies on the vendor implementation to include those. Since it's a low level protocol it can be seamlessly applied to all sorts of network traffic, but its control functions require TCP port 1723 and IP protocol 47 (GRE, which is not a port) to be allowed through the firewall. The most common PPTP implementation is Microsoft's, which has been included in their operating systems since Windows 95. It supports PAP, CHAP, and MS-CHAP authentication, and Microsoft Point-to-Point Encryption (MPPE). Unfortunately, none of those methods provide very strong security, and more secure PPTP implementations aren't widely supported.
Port mirrors
Ports on a switch or other network device configured to copy traffic on other links, and forward it to a logging or analysis system.
PGP
Pretty Good Privacy was developed by Phil Zimmermann in 1991 and was the first public-key cryptography program available to the general public. In fact, at the time it led to a criminal investigation of Zimmermann for breaking the very restrictive rules the US government had at the time regarding strong encryption. PGP was originally designed for use on bulletin board services, but was easily adapted to email and other applications. Since OpenPGP certificates use a web of trust model, anyone can create them freely; as a result, PGP is the more popular choice for encrypting email outside of enterprise environments.
Logs
Records kept by network hosts and devices about unusual, or even routine, network events.
Authentication Header (AH)
Provides data integrity and source authentication through cryptographic hashes of the packet contents and source identity. Also provides protection features for the IP header itself.
Port scanner
Rapidly scans ports on a host or entire subnet, and reports whether they're blocked, open, or hosting an active service. Port scanning works best for finding open TCP services, but there are UDP scanners as well. Port scanners are valuable for finding firewall issues, and rogue or unnecessary servers.
Alerts
Recognizes individual events or correlated trends that signify security incidents or other time-critical issues, and alerts security personnel. Alerts can be triggered by specific events such as system failures, or ongoing trends like individually innocuous events that might represent a spreading worm or other network attack. They can be sent to a dashboard in the software interface, or if more critical can be sent through other channels like email or SMS.
Agent
SNMP software running on a managed device. Originally managed devices were generally network equipment such as switches, routers, or servers, but they can be almost any IP device, including phones, cameras, and other hosts.
Database vulnerability tester
Scans database software for vulnerabilities.
Wireless scanner
Scans for available Wi-Fi networks and analyzes their security settings. Some can attempt to crack encryption while others just report openly visible network information.
Network mapper
Scans ports, but also gathers other system information about hosts on a subnet, such as host names, operating systems, and server applications. One way network mappers do this is by banner grabbing: reading routine packets from hosts or their responses to normal service requests. While these packets don't contain confidential material, if they reveal the host operating system or details on running services they can also reveal potential vulnerabilities.
SSH
Secure Shell has encryption, authentication, and tunneling features, so can be used as a sort of VPN. "A sort" is a good way to put it: it wasn't really meant for the purpose, and usually it's used for tunneling a single application at a time or for port forwarding. It's still useful in specific situations, and can provide fairly strong security. SSH itself operates on TCP port 22, but when used as a VPN it often opens other ports for particular applications.
S/MIME
Secure/Multipurpose Internet Mail Extensions adds public key encryption and signing to the MIME format used by most email messages. S/MIME uses X.509 certificates distributed by a CA; it's common to use separate private keys (and thus separate certificates) for encryption and signing, so that the encryption key can be held in escrow without compromising the nonrepudiation ability of the signing key. Most modern clients support S/MIME, but since it requires purchase and installation of certificates from a CA it's mostly used in enterprise environments with high security needs.
SIEM
Security Information and Event Management software actively monitors and reports on data collected by logging tools.
True negative
The event was benign, and triggered no alerts. This is a good result, since everything is quietly working properly.
False positive
The event was benign, but the IDS mistook it for an attack. This is bad: frequent false alarms can disrupt network function, cost administrators time, or just make people less alert when a real attack happens.
IP affinity
The load balancer tracks ongoing sessions based on the source IP address, and always routes their requests to the same server. It's easy to track, but has some limitations such as mobile clients that change IP addresses as they switch network connections.
Persistence
The load balancer uses session cookies to track ongoing sessions regardless of IP address. It might use the session cookie from the web server, or might issue one of its own.
SNMPv1
The original version of the protocol. SNMPv1 has no real security features: the community name string serves as a very simple form of authentication analogous to a password, but since it's transmitted in cleartext it's rather easy to compromise even if it's not easy to guess.
SSL/TLS
The same SSL/TLS protocols widely used in secure web servers can be used for tunneling, strong encryption, and certificate-based authentication. Since they're high level protocols, earlier and simpler SSL VPNs were fairly application-limited, but had the advantage of using a web browser rather than a separate client application. Newer implementations can tunnel the entire IP stack; while this approach doesn't fit neatly within OSI terminology, it can provide a robust and secure alternative to traditional L2TP/IPsec VPNs, often even with higher performance. SSL/TLS VPNs are available from many vendors, but their capabilities vary. Common examples include the open source OpenVPN, and Microsoft's Secure Socket Tunneling Protocol (SSTP). One benefit of SSL/TLS VPNs is that they often only need TCP port 443 to be opened, just like an HTTPS server. They also can limit access to the network, restricting the damage done by a compromised client.
Protocol analyzer
The same sort used in network monitoring. Captures and analyzes packets from the network to determine their protocols, analyze header info, or capture data. In scanning context, a protocol analyzer is commonly called a sniffer.
Loop protection
Traditional switches are limited in traffic direction abilities, so any physical loop in a Layer 2 network can cause a switching loop in which traffic, especially broadcast traffic, circulates uselessly until it shuts down the whole network. Many switches use protocols such as Spanning Tree Protocol (STP) designed specifically to detect and disable redundant connections to prevent switching loops. While maliciously introduced loops aren't a common network attack, loop protection helps increase network availability by preventing accidental loops, and allows you to create redundant physical connections to increase availability in case one fails.
Trap
Unsolicited agent-to-manager reports about variable states, usually used to report significant changes of conditions without waiting for a GetRequest. The opposite of polling.
Wireless analyzers
Used to measure congestion and signal reception on wireless networks. Also useful for mapping coverage areas and detecting rogue APs.
Analysis tools
Users can apply new search and correlation criteria at any time to apply to stored logs, performing rapid forensic analysis even on topics real-time analysis didn't identify.
WPA2
WPA2 is the final version of WPA, based on the final 802.11i standard. It has a few changes, but the biggest one is mandatory support for 128-bit AES-CCMP: the AES cipher in Counter Mode with CBC-MAC Protocol, which provides both encryption and integrity. AES was optional in many WPA devices, but not required. Likewise, WPA2 devices usually allow TKIP as an option. Since there are no known effective attacks against AES itself, WPA2 in AES-only mode is the strongest current encryption standard for Wi-Fi.
WPA
Wi-Fi Protected Access was included as part of the draft 802.11i standard, rushed a bit into service when WEP's critical limitations became obvious. It was designed to run on the same hardware as WEP, but with enhanced security. While most WPA devices support AES encryption, by default, WPA encrypts traffic using Temporal Key Integrity Protocol (TKIP), a different implementation of the RC4 cipher. Not only is the encryption key itself 128 bits, but it uses a different and more secure initialization vector along with a 64-bit MIC, and each data packet is sent using its own key. This protected it from the worst of the WEP attacks, but it still has some vulnerabilities. In practice, WPA with TKIP isn't actually considered broken like WEP is, but it's vulnerable enough that AES mode is preferred.
WPS
Wi-Fi Protected Setup was designed to make it easy for non-technical users of home networks to easily control network access. It's an addition to PSK mode, but also allows the key to be shared with a new device by other methods like a PIN, a push-button pairing mechanism, or NFC pairing. It's convenient, but it turned out to have a major security flaw. The PIN method, which is a mandatory part of the standard, turned out to be unexpectedly susceptible to brute force cracking; an attacker can solve any PIN in a matter of hours. While this might keep out casual freeloaders, that's no time at all for a determined intruder, so WPS is not recommended for real security.
WEP
Wired Equivalent Privacy was part of the original Wi-Fi standard. It uses the RC4 stream cipher, and it soon turned out to have some major problems. First, due to export restrictions of the time its default configuration was a 64-bit key: 24 bits of IV, 40 bits of actual encryption. Even at the time this wasn't very strong. The stronger WEP-128 option gave an effective 104 bits of work factor in theory, but weaknesses with the IV and other aspects of the protocol made it nearly as easy to break. A skillful attack can compromise either variety of WEP in seconds, so while current devices might still support it for compatibility reasons, it was removed from the Wi-Fi standard in 2004 and is never recommended for use.