Chapter 10: Defending networks / Module A: Network security Components
Content filters
A software application designed to restrict what information can reach the network, but instead of protecting against attacks, it's meant to control types of content. Keeps users from accessing porn for example. Monitors traffic based on pre-configured rules which can allow or deny specific content. Simpler ones are address-based, more sophisticated ones examine the content and look for keywords or patterns that are suspicious.
DHCP snooping
A switch feature that blocks traffic from untrusted DHCP servers.
Port Security
A switch feature that tracks device MAC addresses connected to each port on a switch, and allows or blocks traffic based on source MAC addresses.
Honeypot
A system designed to be attractive and accessible to attackers. It might be completely open or have an outwardly reasonable but flawed or inadequate level of security. In actuality it's a decoy: it has no valuable resources, and it's isolated from the rest of the network, so that compromising it won't even be helpful for mounting an inside attack. Instead it's monitored to gather information on attackers.
Screened subnet or perimeter network or demilitarized zone (DMZ)
Adds a third zone to network security; under the organization's direct control, but separate from, and less trusted than, the internal network. Traffic cannot pass freely from this zone to the internal network. Commonly outside-facing services are placed in this zone.
Endpoint security suite
Anti-malware applications can have a variety of features. you might use multiple products to protect a system or network or replace them with a multifunctional solution. Might include the following anti-malware features: Real time anti-virus detection Scheduled system scanning Malware removal Browser and email client protection File integrity monitor
Firewall
Any network element that uses pre-configured security rules to control network traffic.
Access Control List (ACL)
Attached to a resource, giving permissions, or rules about precisely who can access it.
Application Layer Firewalls or Layer 7 firewalls
Can require a lot more processing power, __________ ____________ ____________ can use deep packet inspection (DPI) to find irregularities SPI can miss. Often separate devices used alongside conventional firewalls and are devoted to particular applications and services on the network.
Control Plane Policing (CoPP)
Cisco IOS feature designed to prevent DoS and reconnaissance attacks that utilize the control plane of software defined networks.
Flood guard
More sophisticated switches that can examine packets on Layer 3 or higher can protect against additional network attacks. Enforces a rate limit on communications that shouldn't be a regular part of the network traffic such as excessive SYN packets from a single IP address
Routed firewalls
Most network based firewalls are __________ ___________, network hosts that can perform other routing functions. Routed firewalls have IP addresses and count as one routing hop.
data loss prevention
Software used to classify and protect your organizations confidential and critical data according to a set of rules.
State table
Stateful firewalls have to keep track of ongoing conversations in a ______ ________, terminate them when a host does, and time them out after they've been idle a while.
True negative
The event was benign and triggered no alerts. This is a good result since everything is quietly working corcorrectly.
False positive
The event was benign, but the IDS mistook it for an attack. This is bad: if it happens frequently it can disrupt network functions, cost administrators time, or just make people less alert when an actual attack happens
data exfiltration
The unauthorized transfer of data outside an organization.
Geofencing
The use of GPS, RFID, cellular, or wi-fi data to identify the location of a mobile device and compare it to a virtual fence around the area. A service with access to the devices location service can use its location to make access control decisions.
dual firewall
Uses two firewalls: a perimeter firewall that protects the screened subnet from the outside and an internal firewall that protects the intranet from the screened subnet. Provides defense in depth since a compromise of the outer firewall still leaves another layer of protection. Requires more labor and expense.
Stateless filtering
Every packet is treated in isolation and put through the same filtering rules: the firewall doesnt know or care whether a given packet is the start of a conversation, a reply, or the millionth in a lengthy session.
Anomaly based (or heuristic)
Methods that look for behavior that looks unusual, at least relative to a normal baseline of past or expected behavior. Even if it doesn't directly match any signatures or misuse protocols, a traffic spike from a DDoS attack is an anomaly. Complicated to design and take a lot of data gathering to be accurate. Most able to catch zero-day attacks of the three methods.
Stateful protocol analysis
Methods that use SPI or DPI to analyze traffic by examining the protocol it uses and comparing it to a profile of how that protocol is supposed to work. A single SYN packet isn't suspicious but a sudden rush of them suggests a flood attack. Can detect many attacks signature based methods won't but is only as good as the profiles. That is especially difficult with proprietary protocols that don't have complete documentation available to the public.
Intrusion Prevention System (IPS)
active protection system. while it still might keep logs and trigger alerts, they're defined by how they can actively block traffic, disconnect users, lock accounts, or whatever else they're permitted to do when an attack is detected. can protect damage being done before a human can respond, but can also harm network or system functions by acting on false positives. must be placed where it can block traffic or control system activities itself.
Remote browser isolation (RBI)
applies the zero trust principle to websites. The users local browser is nothing more than a streaming connection to a cloud based container that runs a web browser. the endpoint does not trust any websites or handle any external content - all browser-side scripts and content execute in the cloud based sandbox, and when the session ends the container is destroyed. Malicious websites never have the opportunity to compromise the endpoint.
Standard ACLs
can check only source IP addresses
Extended ACLs
can filter by many standards but are more processor intensive
Endpoint based DLP
can protect all data that passes through the endpoint its installed on, such as stored files, print jobs, encrypted network connections, and data copied to USB drives. It must be installed on each endpoint, and it can be compromised if the host is.
Loop guard
disables any port which is sending but not acknowledging BPDUs. It prevents switching loops caused by unidirectional links, such as when only one-half of a duplex fiber connection fails.
Zero Trust
even within the perimeter, all traffic is assumed hostile until proven otherwise. with no concept of trusted traffic flow, all communications must be restricted according to least-priveledge principles. Conceptual model rather than a network architecture.
edge control
examining packet origins to restrict outside traffic.
Agentless posture assessment
gathers information via existing operating system features such as Active Directory.
Bastion hosts
hardened, and secured as best as you possibly can against attackers, with all unnecessary services disabled to minimize their attack surface.
File integrity monitor
hashes system and application files then watches for unexpected changes.
Stateful filtering or stateful packet inspection (SPI)
inspects source and destination headers and possibly other TCP or UDP data to determine whether the current packet represents a new communication session or a continuation of an existing one.
De-perimeterized networks
on premises systems interface directly with cloud servers or personal mobile devices.
Intrusion Detection System (IDS)
passive monitoring system designed to keep administrators aware of malicious activity. Can record detected intrusions in a database and alert notifications but they rely on humans to take action. Doesn't have to be in the direct path of the network.
Network based systems (NIDS or NIPS)
placed directly on routers or other network choke points and focus primarily on detecting network attacks, probes, or other suspicious traffic on the network level.
Host based systems (HIDS or HIPS)
placed on individual hosts and devices to protect them. they can monitor traffic to and from their installed hosts, even data sent by encrypted protocols. they can also watch for suspicious user activities, changes to system files, or other signs of host based attacks. Anti-virus and anti-malware programs with real time monitoring are one example of this.
Network based DLP
placed on some network appliance such as a firewall or router. It can scan data passing through it, but it can't protect against local copying or encrypted data transfers.
persistent agent
posture assessments can require a lot of info about the client system, they're more complicated than entering user credentials. For this reason, they usually require clients to run an application which performs the necessary checks locally. This type runs automatically at operating system startup.
non-persistent agent
posture assessments can require a lot of info about the client system, they're more complicated than entering user credentials. For this reason, they usually require clients to run an application which performs the necessary checks locally. This type runs only during the login process.
BPDU filter
prevents a specific port from sending or receiving BPDUs, effectively disabling STP on that port. While useful at demarcation points, it can cause switching loops when enabled in the wrong place.
BPDU guard
prevents loops by disabling the port when it recieves a BPDU from another switch and requiring an administrator to reset it manually. Intended for non-trunking ports that shouldn't receive BPDUs and can keep rogue switches from joining the network.
Root Guard
prevents the wrong switches from being elected as a network root by excluding specific ports.
Network-based firewall
protects networks. It might be a specialized hardware device from a network equipment manufacturer like Cisco or Check Point. Can be centrally configured. They also easily block access to certain services from outside the network without disrupting their internal use.
Effective DLP
requires rules to identify thr nature and sensitivity of a given piece of data. the best way to do so is by tagging data with machine readable Metadata tags; it can also be set to recognize specific file types or data patterns, such as the format of a social security number or credit card number.
Fake telemetry
seems like regular network activity but serves no real purpose; listening attackers receive misleading information about the network.
MAC filtering
settings that let you control what devices can connect to the network based on their MAC addresses.
Host-based firewall
software running on a single host and protects just that host. Not usually separated from the host itself. Protect systems regardless of network conditions and prevent unwanted outbound traffic from Trojan horses or other unauthorized programs, even within the internal network.
Implicit Deny
Access is denied unless a rule specifically allows it. Often called a whitelist
ACL implicit allow/deny order
1. Packets are matched against each rule in order 2. The first rule that matches, allow, or deny, is immediately applied. No other rules are processed. 3. If no rules match, the implicit deny applies
honeyfiles
A file pretending to be legitimate, in order to detect malicious activity.
Microsegmentation
A more advanced for of segmentation that applies highly granular policies to specific workloads within the data center. Instead of installing firewalls and VLANs between all servers, it tends to use a higher-level virtualized approach; it is commonly combined with SDN. Can provide strong security for east-west traffic, but it requires careful planning and in-depth knowledge of network flaws.
Honeynet
A network of honeypots.
Dynamic ARP Inspection (DAI)
A security feature that validates ARP packets in a network. DAI intercepts, logs and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.
Guest network
A separate access point with its own SSID and login credentials. Logging in is similar to joining a DMZ: guest clients are on a separate network from internal clients and cant communicate with them directly. They can only use the WAP for internet access.
Guest network isolation
AP feature that creates a guest network with access to the internet, but not to any resources on the local LAN
Implicit Allow
Access is allowed unless a rule explicitly denies it. Often called a blacklist
Three-Homed Firewall
Also known as multihomed firewall. A firewall system connecting the three zones (inside, outside, and DMZ) such that traffic passing between any two zones is protected by the firewall. Thus, not only is the inside protected from both the outside and DMZ, the DMZ is protected from outside.
Core control
An ACL process in which packet destinations are examined (to control or restrict their paths through the network) and the internal network is broken into different security zones.
Wireless client isolation/AP isolation
An AP features that prevents direct communication between client devices on the same wireless networks where connected clients don't need to make direct connections to one another.
true positive
An attack has occurred, and the IDS recognized it. This is a good result: even if the attack itself is bad, it was recognized and can be addressed.
False negative
An attack occurred, and the IDS mistook it for benign behavior. This is potentially disastrous since the network could be compromised without anyone knowing.
Network Access Control (NAC) or Client control
Combining AAA systems with network segmentation and host-level security is sometimes called this. Security zones sometimes have to be implemented even on authenticated networks; even a trusted user might login with a compromised system.
dynamic packet filtering
Different rules can apply for continuing an existing session vs. starting a new one. The firewall can modify rules based on what it knows about the ongoing conversation. One of the most common uses is to block unsolicited inbound traffic but let outside hosts respond to connections initiated from the inside.
quarantined network
If a client fails a posture assessment its connected to this instead. It cant access sensitive network resources but instead is directed to download security updates and whatever else it needs.
Unified threat management (UTM) firewall
Isn't a concrete standard but rather the concept of putting a complete network security solution into a single centrally controlled system. Might have any combination of security features: firewall,IDPS,content filter, network based anti-malware, DLP, NAT, or proxy server, VPN endpoint, NAC with posture assessment, regulatory compliance checking, and more.
Signature-based detection
Methods that look for behavior characteristics of known attacks. Excellent at stopping Manu known attacks, but will miss anything not on the list.
posture assessment
Makes sure the client system meets specific security rules. It might verify that a client has appropriate antivirus software installed and that its operating system and relevant software are updated with the latest security updates.
Virtual wire firewalls, or transparent firewalls
Physical nodes but not logical nodes. They monitor traffic without routing, switching, or otherwise segmenting the L2 network.
Router Advertisement (RA) Guard
Similar to DHCP snooping, but designed to prevent misuse of the similar router advertisement features used for SLAAC on IPv6 networks.
Web Application Firewall
Sits between the network and a web server running web applications. Like a network layer firewall, it can be host-based software or a standalone hardware appliance. Specialized to protect against attacks targeting web servers and applications, such as forged HTTP requests, buffer overflows, SQL injection, and cross-site scripting.
deep packet inspection
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers
packet filtering
a process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet
