2.0 Enterprise Security Architecture
Virtual Network Computing (VNC)
A remote desktop control system that operates much like RDP but uses the Remote Frame Buffer protocol. 2.1
Screened Subnet
A screened subnet takes the screened host concept a step further. In this case, two firewalls are used, and traffic must be inspected at both firewalls before it can enter the internal network. This solution is called a screened subnet because there is a subnet between the two firewalls that can act as a DMZ for resources from the outside world. 2.1
Protocol Analyzer
Also called sniffers, these devices can capture raw data frames from a network. They can be used as security and performance tools. Many protocol analyzers can organize and graph the information they collect. Graphs are great for visually identifying trends and patterns. 2.1
Signature-Based Detection
A type of intrusion detection that compares traffic against preconfigured attack patterns known as signatures. 2.1
Bluetooth
A wireless technology that is used to create personal area networks (PANs) in the 2.4 GHz frequency. 2.2
Screened Host
a screened host firewall is placed between the final router and the internal network. When traffic comes into the router and is forwarded to the firewall, it is inspected before going into the internal network. This configuration is very similar to that of a dual-homed firewall; the difference is that the separation between the perimeter network and the internal network is logical rather than physical. There is only a single interface. 2.1
Host-Based IDS
a system responsible for detecting unauthorized access or attacks against systems and networks. A host-based IPS (HIPS) reacts and takes an action in response to a threat. 2.2
In-line Network Encryptor (INE)
also called a high-assurance Internet Protocol encryptor (HAIPE), is a Type I encryption device. Type I designation indicates that it is a system certified by the National Security Agency (NSA) for use in securing U.S. government classified documents. To achieve this designation, the system must use NSA-approved algorithms. Such systems are seen in government deployments, particularly those of the Department of Defense (DoD). 2.1
Switch
A device that improves performance over a hub because it eliminates collisions. 2.1
Sensor
A device used in a SCADA system, which typically has digital or analog I/O, and these signals are not in a form that can be easily communicated over long distances. 2.1
BACnet (Building Automation and Control Network)
A protocol used by HVAC systems, an application, network, and media access control (MAC) layer communications service. It can operate over a number of layer 2 protocols, including Ethernet. 2.1
Application Level Proxy
A proxy device that performs deep packet inspection. 2.1
Circuit-Level Proxy
A proxy that operate at the session layer (layer 5) of the OSI model. 2.1
Kernel Proxy Firewall
This type of firewall is an example of a fifth-generation firewall. It inspects a packet at every layer of the OSI model but does not introduce the same performance hit as an application-layer firewall because it does this at the kernel layer. It also follows the proxy model in that it stands between two systems and creates connections on their behalf. 2.1
Control Plane
A component of a router that carries signaling traffic originating from or destined for a router. This is the information that allows the routers to share information and build routing tables. 2.1
Virtual Local Area Network (VLAN)
A logical subdivision of a switch that segregates ports from one another as if they were in different LANs. 2.1
FTP
A protocol that provides file transfer services. 2.1
Measured Boot (Launch)
A detailed, reliable log created by anti-malware software or components that loaded prior to the anti-malware driver during startup. This log can be used by anti-malware software or an administrator in a business environment to validate whether there may be malware on the computer or evidence of tampering with boot components. 2.2
Database Activity Monitor (DAM)
2.1
Generic Routing Encapsulation (GRE)
2.1
Wireless Controller
A centralized appliance or software package that monitors, manages, and controls multiple wireless access points. 2.1
Unified Threat Management (UTM)
A device that combines a traditional firewall with content inspection and filtering, spam filtering, intrusion detection, and antivirus. 2.1
Configuration Lockdown
(sometimes also called system lockdown) is a setting that can be implemented on devices including servers, routers, switches, firewalls, and virtual hosts. You set it on a device after that device is correctly configured, and it prevents any changes to the configuration, even by users who formerly had the right to configure the device. This setting helps support change control. 2.1
Precise Methods
A DLP method that involves content registration and triggers almost no false-positive incidents. 2.2
Next Generation Firewall (NGFW)
A category of devices that attempt to address traffic inspection and application awareness shortcomings of a traditional stateful firewall, without hampering performance. 2.1
Three-Legged Firewall
A firewall configuration that has three interfaces: one connected to the untrusted network, one to the internal network, and the last to a part of the network called a DMZ. 2.1
Host-Based Firewalls
A firewall that resides on a single host and is designed to protect that host only. 2.2
Extensible Authentication Protocol (EAP)
A framework (rather than a single protocol) for port-based access control that uses the same three components used in RADIUS. 2.1
Data Leakage
A leak that occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. 2.2
Access Control List (ACL)
A list of permissions attached to an object, including files, folders, servers, routers, and so on. Such rule sets can be implemented on firewalls, switches, and other infrastructure devices to control access. 2.1
Mesh Network
A network in which all nodes cooperate to relay data and are all connected to one another. To ensure complete availability, continuous connections are provided by using self-healing algorithms to route around broken or blocked paths. 2.1
Storage Area Network (SAN)
A network of high-capacity storage devices that are connected by a high-speed private network using storage-specific switches. 2.1
Virtual Private Network (VPN)
A network whose connections use an untrusted carrier network but provide protection of the information through strong authentication protocols and encryption mechanisms. 2.1
Password Authentication Protocol (PAP)
A protocol that provides authentication but with which the credentials are sent in cleartext and can be read with a sniffer. 2.1
Hypertext Transfer Protocol Secure (HTTPS)
A security protocol that layers HTTP on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP. 2.1
Virtual Switch
A software application or program that offers switching functionality to devices located in a virtual network. 2.1
Secure Boot
A standard developed by the PC industry to help ensure that a PC boots using only software that is trusted by the PC manufacturer. 2.2
802.1x
A standard that defines a framework for centralized port-based authentication. 2.1
Storage Keys
A storage key is versatile memory that contains the keys used to encrypt the computer's storage, including hard drives, USB flash drives, and so on. 2.2
Internet Protocol Security (IPSec)
A suite of protocols that establishes a secure channel between two devices. IPsec can provide encryption, data integrity, and system-based authentication, which makes it a flexible option for protecting transmissions. 2.1
Network Intrusion Prevention System (NIPS)
A system that can take action to prevent an attack from being realized. 2.1
Network Intrusion Detection System (NIDS)
A system that is designed to monitor network traffic and detect and report threats. 2.1
IPv6
An IP addressing scheme designed to provide a virtually unlimited number of IP addresses. It uses 128 bits rather than 32, as in IPv4, and it is represented in hexadecimal rather than dotted-decimal format. 2.1
6to4
An IPv4-to-IPv6 transition method that allows IPv6 sites to communicate with each other over an IPv4 network. 2.1
Teredo
An IPv4-to-IPv6 transition method that assigns addresses and creates host-to-host tunnels for unicast IPv6 traffic when IPv6 hosts are located behind IPv4 network address translators. 2.1
Dual Stack
An IPv4-to-IPv6 transition method that runs both IPv4 and IPv6 on networking devices. 2.1
Bluejacking
An attack in which unsolicited messages are sent to a Bluetooth-enabled device, often for the purpose of adding a business card to the victim's contact list. 2.2
Virtual Desktop Infrastructure (VDI)
An infrastructure that hosts desktop operating systems within a virtual environment in a centralized server. 2.2
Statistical Anomaly-Based Detection
An intrusion detection method that determines the normal network activity and alerts when anomalous (not normal) traffic is detected. 2.1
Stateful Protocol Analysis Detection
An intrusion detection method that identifies deviations by comparing observed events with predetermined profiles of generally accepted definitions of benign activity. 2.1
Challenge Handshake Authentication Protocol (CHAP)
CHAP solves the cleartext problem by operating without sending the credentials across the link. The server sends the client a set of random text called a challenge. The client encrypts the text with the password and sends it back. The server then decrypts it with the same password and compares the result with what was sent originally. If the results match, the server can be assured that the user or system possesses the correct password without ever needing to send it across the untrusted network. 2.1
Redundant Array of Inexpensive/Independent Disks (RAID)
RAID is a hard drive technology in which data is written across multiple disks in such a way that a disk can fail, and the data can be quickly made available by remaking disks in the array without resorting to a backup tape. 2.1
Service-Level Agreement (SLA)
SLAs are agreements about the ability of the support system to respond to problems within a certain time frame while providing an agreed level of service. These agreements can be internal (between departments) or external (with a service provider). Agreeing on the quickness with which various problems are addressed introduces some predictability to the response to problems; this ultimately supports the maintenance of access to resources. 2.1
Data loss Prevention Software
Software that attempts to prevent disclosure of sensitive data. 2.2
Trusted Platform Module (TPM) chip
TPM chip is a security chip installed on a computer's motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates. This chip provides services to protect passwords and encrypt drives and digital rights, making it much harder for attackers to gain access to the computers that have TPM chips enabled. 2.2
Endorsement Key (EK)
TPM persistent memory installed by the manufacturer that contains a public/private key pair. 2.2
Storage Root Keys (SRK)
TPM persistent memory that secures the keys stored in the TPM. 2.2
Platform Configuration Register (PCR)
TPM versatile memory that stores data hashes for the sealing function. 2.2
Attestation Identity Key (AIK)
TPM versatile memory which ensures the integrity of the endorsement key (EK). 2.2
Scrubbing
The act of deleting incriminating data from an audit log. 2.2
Mean Time to Repair (MTTR)
The average time required to repair a single resource or function when a disaster or other disruption occurs. Describes the average amount of time it takes to get a device fixed and back online. 2.1
Failsoft
The capability of a system to terminate noncritical processes when a failure occurs. 2.1
Failover
The capacity of a system to switch over to a backup system if a failure occurs in the primary system. 2.1
Management Plane
The component or plane on a networking device such as a router or switch that is used to administer the device. 2.1
Mean Time Between Failures (MBTF)
The estimated amount of time a device will operate before a failure occurs. This amount is calculated by the device vendor. System reliability is increased by a higher MTBF and lower MTTR. 2.1
Data Plane
The plane on a networking device such as a router or switch that carries user traffic. Also known as the forwarding plane. 2.1
Clustering
The process of providing load-balancing services by using multiple servers running the same application and data set. 2.1
Bastion Host
The term bastion host actually refers to the position of any device. If the device is exposed directly to the Internet or to any other untrusted network while screening the rest of the network from exposure, it is a bastion host. Whether the bastion host is a firewall, a DNS server, or a web server, all standard hardening procedures are especially important because this device is exposed. 2.1
Packet Filtering Firewall
These firewalls are the least detrimental to throughput as they only inspect the header of the packet for allowed IP addresses or port numbers. While performing this function slows traffic, it involves only looking at the beginning of the packet and making a quick decision to allow or disallow. 2.1
Proxy Firewall
This type of firewall stands between the internal and external sides of an internal-to-external connection and makes the connection on behalf of the endpoints. A firewall that is used in this fashion is called a forward proxy. With a proxy firewall, there is no direct connection; rather, the proxy firewall acts as a relay between the two endpoints. Proxy firewalls can operate at two different layers of the OSI model: 2.1
Bluesnarfing
Unauthorized access to a device using a Bluetooth connection. The attacker tries to access information on the device rather than send messages to the device. 2.2
Load Balancing
You can use load balancing to connect a single user to multiple APs for better coverage and increased data rate. 2.1
Orange Book
a collection of criteria based on the Bell-LaPadula model that is used to grade or rate the security offered by a computer system product. The Orange Book discusses topics such as covert channel analysis, trusted facility management, and trusted recovery. 2.2
Unified Extensible Firmware Interface (UEFI)
an alternative to using BIOS to interface between the software and the firmware of a system. Most images that support UEFI also support legacy BIOS services as well. Some of its advantages are: 2.2
Hardware Security Module (HSM)
an appliance that safeguards and manages digital keys used with strong authentication and provides crypto processing. It attaches directly to a computer or server. Among the functions of an HSM are: 2.1
Server-Based Application Virtualization
an application runs on servers. Users receive the application environment display through a remote client protocol, such as Microsoft Remote Desktop Protocol (RDP) or Citrix Independent Computing Architecture (ICA). Examples of terminal services include Remote Desktop Services and Citrix Presentation Server. 2.2
SOCKS Firewall
an example of a circuit-level firewall. It requires a SOCKS client on the computers. Many vendors have integrated their software with SOCKS to make it easier to use this type of firewall. 2.1
Trusted Operating System
an operating system that provides sufficient support for multilevel security and evidence of meeting a particular set of government requirements. The goal of designating operating systems as trusted was first brought forward by the Trusted Computer System Evaluation Criteria (TCSEC). 2.2
Secure Sockets Layer (SSL)
another option for creating secure connections to servers. It works at the application layer of the OSI model. It is used mainly to protect HTTP traffic or web servers. Its functionality is embedded in most browsers, and its use typically requires no action on the part of the user. 2.1
Web Application Firewall (WAF)
applies rule sets to an HTTP conversation. These rule sets cover common attack types to which these session types are susceptible. Among the common attacks they address are cross-site scripting and SQL injections. A WAF can be implemented as an appliance or as a server plug-in. While all traffic is usually funneled in-line through the device, some solutions monitor a port and operate out-of-band. 2.1
Data Interfaces
are used to pass regular data traffic and are not used for either local or remote management. The interfaces may operate at either layer 2 or layer 3, depending on the type of device (router or switch). These interfaces can also have ACLs defined at either layer. On routers, we call them access lists, and on switches, we call the concept port security. 2.2
Out of band
connected to a separate and isolated network that is not accessible from the local area network or the outside world. These interfaces are also typically live even when the device is off. OOB interfaces can be Ethernet or serial. 2.2
Dual-homed Firewall
has two network interfaces: one pointing to the internal network and another connected to the untrusted network. In many cases, routing between these interfaces is turned off. The firewall software will allow or deny traffic between the two interfaces based on the firewall rules configured by the administrator. 2.1
Client-Based Application Virtualization
the target application is packaged and streamed to the client PC. It has its own application computing environment that is isolated from the client OS and other applications. A representative example is Microsoft Application Virtualization (App-V). 2.2
Remote Desktop Protocol (RDP)
is a proprietary protocol developed by Microsoft that provides a graphical interface to connect to another computer over a network connection. Unlike Telnet and SSH, which allow only working from the command line, RDP enables you to work on a remote computer as if you were actually sitting at its console. 2.1
Trunk Link
links between switches and between routers and switches that carry the traffic of multiple VLANs. Normally when a hacker is trying to capture traffic with a protocol analyzer, she is confined to capturing only unicast data on the same switch port to which she is attached and only broadcasting and multicasting data from the same VLAN of which her port is a member. However, if a hacker is able to create a trunk link with one of your switches, she can now capture traffic in all VLANs on the trunk link. In most cases, it is difficult for her to do so, but on Cisco switches, it is possible for the hacker to take advantage of the operations of a protocol called Dynamic Trunking Protocol (DTP) to create a trunk link quite easily. 2.1
Definition Files
the files that make it possible for the software to identify the latest viruses. If a new virus is created that has not yet been identified in the list, you will not be protected until the virus definition is added and the new definition file is downloaded. 2.2
Access Control Lists (ACLs)
their inability to detect whether IP spoofing is occurring. IP address spoofing is a technique hackers use to hide their trail or to masquerade as another computer. A hacker alters the IP address as it appears in the packet. This can sometimes allow the packet to get through an ACL that is based on IP addresses. IP address spoofing can also be used to make a connection to a system that trusts only certain IP addresses or ranges of IP addresses. 2.2
Software Patches
updates released by vendors that either fix functional issues with or close security loopholes in operating systems, applications, and versions of firmware that run on network devices. 2.2
Management Interface
used for accessing devices remotely. Typically, a management interface is disconnected from the in-band network and is connected to the device's internal network. Through a management interface, you can access the device over the network by using utilities such as SSH and Telnet. Simple Network Management Protocol (SNMP) can use a management interface to gather statistics from a device. 2.2
Security Information and Event Management (SIEM)
utilities receive information from log files of critical systems and centralize the collection and analysis of this data. SIEM technology is an intersection of two closely related technologies: security information management (SIM) and security event management (SEM). 2.1
Secure Shell (SSH)
was created to provide an encrypted method of performing these procedures. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively. It is a widely used replacement for Telnet and should be considered when performing remote management from the command line. 2.1