2602 - Chp 7
1. Firewalls 2. Host-based intrusion detection systems/host-based intrusion prevention systems 3. Web servers 4. DHCP servers 5. VPN concentrators 6. Proxies 7. DNS 8. Email servers 9. Routers & switches
Network devices that provide the most beneficial security data, in order of importance (9)
"Read Only" and "Read/Write"
2 types of community strings
Application whitelisting, Removable media control, Advanced malware management
3 Security tools that can produce output to be analyzed
SNMP, DNS, FTP
3 basic TCP/IP protocols that relate to security are?
1. From a command prompt (e.g. ls to list files, get to retrieve files from a server) 2. Using a web browser (ftp://) 3. Using an FTP client (e.g. FileZilla)
3 different methods for using FTP on a local computer
On-demand self-service, universal client support, invisible resource pooling, immediate elasticity, metered services
5 Cloud computing characteristics
SSL, TLS, SSH, HTTPS, S/MIME, SRTP, IPsec
7 "other" security related TCP/IP protocols?
Domain Name System (DNS)
A TCP/IP protocol that resolves (maps) a symbolic name (Fully Qualified Domain Name, FQDN) to its corresponding IP address.
FTP Secure (FTPS)
A TCP/IP protocol that uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt commands sent over the control port (port 21) in an FTP session. A combination of two technologies: FTP and SSL/TLS.
Infrastructure as a Service (IaaS)
A cloud computing model in which customers have the highest level of control and can deploy and run their own software.
public cloud
A cloud in which the services and infrastructure are offered to all users with access provided remotely through the Internet.
Security as a Service (SECaaS)
A cloud model in which all security services are delivered from the cloud to the enterprise.
Platform as a Service (PaaS)
A cloud service in which consumers can install and run their own specialized applications on the cloud computing network.
private cloud
A cloud that is created and maintained on a private network.
community cloud
A cloud that is open only to specific organizations that have common concerns.
hybrid cloud
A combination of public and private clouds.
hosted services
A computing model in which servers, storage, and the supporting networking infrastructure are shared by multiple enterprises over a remote network connection.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
A cryptographic protocol that uses digital certificates to protect e-mail messages.
Correlation engine
A device that aggregates and correlates content from different sources to uncover an attack.
Aggregation switch
A device used to combine multiple network connections into a single link. A load balancer is an example.
guest system
A foreign virtual operating system.
DDoS mitigator
A hardware device that identifies and blocks real-time distributed denial of service (DDoS) attacks.
Type II hypervisor
A hypervisor that runs within a conventional operating system environment.
virtualization
A means of managing and presenting computer resources by function without regard to their physical layout or location.
Software as a Service (SaaS)
A model of cloud computing in which the vendor provides access to the vendor's software applications running on a cloud infrastructure.
cloud computing
A pay-per-use computing model in which customers pay only for the computing resources that they need, and the resources can be easily scaled.
Simple Network Management Protocol (SNMP)
A protocol used to monitor and manage network devices, such as routers, switches, and servers.
Secure FTP (SFTP)
A secure TCP/IP protocol that is used for transporting files by encrypting and compressing ALL data and commands. Uses only a single TCP port.
virtual machine escape protection
A security protection that prevents a virtual machine from directly interacting with the host operating system.
File Integrity Check (FIC)
A service that can monitor any changes made to computer files, such as the OS.
Cloud Access Security Broker (CASB)
A set of software tools or services that resides between the enterprise's on-premises infrastructure and the cloud provider's infrastructure to ensure that the security policies of the enterprise extend to its data in the cloud.
TFTP (Trivial File Transfer Protocol)
A simple version of FTP that uses UDP as the transport protocol and does not require a logon to the remote host. Often used for the automated transfer of configuration files between devices.
port mirroring
A technology that allows a network administrator to configure the switch to redirect the traffic that occurs on some or all ports to a designated monitoring port on the switch. Suited to networks with light traffic.
Advanced malware management
A third-party service that monitors a network for any unusual activity (often uses experience-based techniques such as heuristic monitoring).
Anonymous ftp or blind ftp
A type of FTP access that requires no account on a server; instead, the server can be accessed using "anonymous" as the user ID.
host virtualization
A type of virtualization in which an entire operating system environment is simulated.
Type 1 hypervisor
Also known as a bare-metal hypervisor, it is a software program that acts as an operating system and also provides the ability to virtualize other operating systems on the same computer.
Virtual Distributed Ethernet (VDE)
An Ethernet-compliant virtual network that can connect physical computers and/or virtual machines together.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.
Domain Name System Security Extensions (DNSSEC)
An extension to DNS that adds additional resource records and message header information, used to verify that DNS data has not been altered in transmission. Uses asymmetric cryptography; fully supported in BIND9; widely implemented (used by 89% of top-level domains).
Application Whitelisting
An inventory of applications and associated components (libraries, configuration files, etc.) that have been pre-approved and authorized to be active and present on the device.
File Transfer Protocol (FTP)
An unsecure TCP/IP protocol that is commonly used for transferring files.
TCP/IP Model
Application, transport, Internet, and network interface
Security access log
Can provide details regarding requests for specific files on a system
In the protected internal network using data collected from the logs of different hardware devices
Correlation engines should be placed where in the network?
In the network where they can monitor the largest stream of data
DDoS mitigator should be placed where in the network
1.information (logging the SW is starting) 2.warning (when config changes are made) 3.alert (an active attack has been blocked)
DEP events level of severity
TCP/IP port 53
DNS lookup port
agent; service
Each SNMP-managed device must have a/n _____________ or a ____________ that listens for commands and then executes them.
TCP port 21 (control port for passing FTP commands), TCP port 20 (data)
FTP (File Transfer Protocol)
FTP passive mode
FTP mode not likely to be blocked by a firewall (PASV command)
FTP active mode
FTP mode that is susceptible to being blocked by a firewall (PORT command)
1. Does not use encryption 2. Man-in-the-middle attacks
FTP security vulnerabilities (2)
Although the control port (port 21) commands are encrypted, data port (port 20) commands may or may not be encrypted
FTPS weakness
Firewalls, VPN concentrators, mail gateways, NIDS, NIPS, SIEM devices
Hardware designed primarily for security
Event logs
Logs that can document any unsuccessful events and the most significant successful events.
Moar SDN info p.308
Sensors
Monitors traffic for network intrusion detection and prevention devices
Source-routed packets
Packets with a source address internal to the network but that originate from outside the network
Log
Record of events that occur
IP (Internet Protocol)
Responsible for addressing packets so that they can be routed to their destination
Security log
Reveals the types of attacks that are being directed at the network and whether any of the attacks were successful.
1. Cannot be used when mail is accessed through a web browser (instead of dedicated email application) 2. Makes it difficult to scan messages for malware since it encrypts everything
S/MIME (Secure/Multipurpose Internet Mail Extensions) limitations (2)
Community String
SNMP agents are protected with a password called a ?
Switches, routers, WAPs, some printers, copiers, fax machines, and even UPSs
SNMP can be found on what devices?
Default community strings for read-only and read-write were "public" and "private", respectively; community strings were transmitted as cleartext.
SNMPv1 & SNMPv2 security vulnerabilities
1. Voice/video - Secure Real-time Transport Protocol (SRTP) 2. Time sync - Network Time Protocol (NTP) 3. Email - S/MIME 4. Web browsing - HTTPS 5. File transfer - SFTP 6. Remote access - VPN 7. Domain name resolution - DNS Security Extensions (DNSSEC) 8. Routing and switching - IP Security (IPsec) 9. Network address translation - IPsec 10. Subscription services - IPsec
Secure network protocol recommendations
In the network where the stream of data is largest, allowing them to view, gather, or block traffic
Sensors, collectors, and filters should be placed where in the network?
hypervisor
Software that creates and manages virtual machines on a server or on a local computer. Also called virtual machine manager (VMM).
Software Defined Network (SDN)
Software that virtualizes part of the physical network so that it can be more quickly and easily reconfigured.
Bridges, switches, routers, load balancers, proxies
Standard networking devices (5)
Hierarchy (tree)
The DNS database is organized how?
SNMPv3
The current version of SNMP that supports authentication and encryption.
Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Security as a Service (SECaaS)
The four service models in cloud computing
TCP/IP (Transmission Control Protocol/Internet Protocol)
The most common protocol suite used today for local area networks (LANs) and the Internet.
BIND (Berkeley Internet Name Domain) BIND9
The most popular DNS server software. Free open-source software that runs on Linux, UNIX, and Windows platforms. BIND9 is the current version.
host system
The native operating system to the hardware.
Virtual Desktop Infrastructure (VDI)
The process of running a user desktop inside a virtual machine that resides on a server, so that sensitive applications and data are stored on a remote server that is accessed through a smartphone.
Pg. 292
The recommended placement for SSL/TLS accelerator?
virtual machine sprawl
The widespread proliferation of virtual machines without proper oversight or management.
read-only string
This type of community string allows information from the agent to be viewed
read-write string
This type of community string allows settings on the device to be changed.
Removable media control
Tools that can be used to restrict which removable media, such as USB flash drives, can be attached to a system.
FTP Secure (FTPS) Secure FTP (SFTP)
Two options for secure transmission over FTP
DNS transfer attack
Type of attack where an attacker asks the valid DNS server for a zone transfer. With this information the attacker can map the entire internal network of the organization supporting the DNS server.
Date & time, description, status, error codes, service name, user responsible for launching
Type of event log info that can be recorded (6)
1. IP addresses that are being rejected and dropped 2. Probes to ports that have no application services running on them 3. Source-routed packets 4. Suspicious outbound connections 5. Unsuccessful logins
Type of items that can be examined in a firewall log (5)
Filters
Used to block traffic for Internet content filters
Collectors
Used to gather traffic for SIEM devices
Audit log
Used to record which user performed what actions
Because TCP/IP views the Network Interface layer as the point where the connection between the TCP/IP protocol and the networking hardware occurs.
Why is the physical layer omitted in the TCP/IP model?
Data Execution Prevention (DEP)
Windows feature that uses a combination of software and hardware to prevent the execution of code in unintended areas of memory to protect against buffer overflow attacks.
on-demand self-service
a cloud computing characteristic; The consumer can make changes, such as increasing or decreasing computing resources, without requiring any human interaction from the service provider
invisible resource pooling
a cloud computing characteristic; the physical and virtual computing resources are pooled together to serve multiple, simultaneous consumers and are dynamically assigned or reassigned based on the consumer's needs; the customer has little or no control over or knowledge of the physical location of the resources
immediate elasticity
a cloud computing characteristic; computing resources can be increased or decreased quickly to meet demands.
metered services
a cloud computing characteristic; fees are based on the computing resources used
universal client support
a cloud computing characteristic; virtually any networked device can access the cloud computing resources
Network tap
a hardware device that provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. Sometimes it is used along with Wireshark to capture all the network traffic. Better suited to networks with a large volume of traffic.
cloud computing NIST definition
a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
virtual machine
a simulated software-based emulation of a computer
container (aka application cell)
a virtualized environment that holds only the necessary OS components (such as binary files and libraries) that are needed for a specific application to run
Between routers and servers where they can detect and stop attacks directed at a server or application
aggregation switches should be placed where in the network
VLAN
allows scattered users to be logically grouped together even though they are physically attached to different switches
cloud storage
an Internet service that provides storage to computer users; no computational capabilities
control plane
consists of one or more SDN servers and performs the complex functions such as routing and security checks; also defines the data flows through the data plane. Essentially an application running on a computer that can manage the physical plane.
this is accomplished by separating the control plane from the data plane
how do SDNs virtualize parts of the physical network?
1. Multiple devices generating logs 2. Very large volume of data 3. Different log formats
issues in analyzing security data (3)
analytics-based approach
pg. 300
TCP (Transmission Control Protocol)
responsible for reliable packet transmission.
protocols
rules for communication
centralized device log analyzer
solution for log management designed to collect and consolidate logs from multiple sources for easy analysis.
virtualization, cloud computing, software defined networking
some applications and platforms that require special security considerations (3)
1. Host availability 2. Host elasticity 3. Reduced cost 4. Provides uninterrupted server access 5. Security updates 6. Snapshots 7. Security control testing 8. Segregation & isolation 9. Sandboxing to test for malware
virtualization advantages