Ch 9. Network Security Appliances and Technologies
sinkhole
A "bottomless pit" designed to steer unwanted traffic away from its intended destination to another device, deceiving the threat actor into thinking the attack is successful.
Layer 2 Tunneling Protocol (L2TP)
A VPN protocol that lacks security features, such as encryption. However, L2TP can still be used for a secure VPN connection if it is combined with another protocol that provides encryption.
full tunnel
A VPN technology in which all traffic is sent to the VPN concentrator and is protected.
Access Control List (ACL)
A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.
network address translation gateway
A cloud-based technology that performs NAT translations for cloud services. It can also mask the IP addresses of internal devices.
Split Tunnel
A computer networking concept which allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections.
Forward Proxy
A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.
reverse proxy
A computer or an application program that routes incoming requests to the correct server.
Statement of Health (SoH)
A declaration from an NAP-enabled client computer about its status on having items such as antivirus protection and security updates installed.
Intrusion Detection System (IDS)
A device designed to be active security; it can detect an attack as it occurs.
software firewall
A firewall consisting of software that you can install on any computer, as opposed to the software built into a hardware firewall. Also called personal firewalls because they are designed to be installed on individual desktop computers. (16)
stateless packet filtering
A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.
Session Persistence
A load balancer creates a link between an endpoint and a specific network server for the duration of the session.
Data Masking
A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
Jump Box
A minimally configured admin server within the DMZ, running only essential protocols and ports.
port mirroring
A monitoring technique in which one port on a switch is configured to send a copy of all its traffic to a second port.
signature-based monitoring
A monitoring technique used by an IDS that examines network traffic to look for well-known patterns and compares the activities against a predefined signature.
heuristic monitoring
A monitoring technique used by an IDS that uses an algorithm to determine if a threat exists.
anomaly monitoring
A monitoring technique used by an intrusion detection system (IDS) that creates a baseline of normal activities and compares actions against the baseline. Whenever there is a significant deviation from this baseline, an alarm is raised.
Behavioral Monitoring
A monitoring technique used by an intrusion detection system (IDS) that uses the normal processes and actions as the standard and compares actions against it.
dissolvable NAC agent
A network access control (NAC) agent that disappears after reporting information to the NAC device.
Agentless NAC
A network access control (NAC) agent that is not installed on an endpoint device but is embedded within a Microsoft Windows Active Directory domain controller.
permanent NAC agent
A network access control (NAC) agent that resides on end devices until uninstalled.
hardware firewall
A network appliance dedicated to the purpose of acting as a firewall. This appliance can have multiple interfaces for connecting to areas of a network requiring varying levels of security.
Honeynet
A network of honeypots.
Configuration Management
A process that ensures that the descriptions of a project's products are correct and complete.
DHCP snooping
A security feature on switches whereby DHCP messages on the network are checked and filtered.
Appliance Firewall
A separate hardware device designed to protect an entire network.
Baseline Configuration
A set of specifications for a system that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. Used as a basis for future builds, releases, and/or changes. (NIST)
Web Application Firewall
A special type of firewall that looks more deeply into packets that carry HTTP traffic.
internet protocol schema
A standard guide for assigning IP addresses to devices.
Zero Trust
A strategic initiative about networks that is designed to prevent successful attacks. Attempts to eliminate the concept of trust from an organization's network architecture.
Data Loss Prevention (DLP)
A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.
Network Access Control (NAC)
A technique that examines the current state of a system or network device before it is allowed to connect to the network.
Remote Access VPN
A user-to-LAN virtual private network connection used by remote users.
Virtual LAN (VLAN)
A virtual network that is implemented to segment the network, reduce collisions, organize the network, boost performance, and, hopefully, increase security.
site-to-site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.
Access technologies
Access control list, VPN, network access control, and data loss prevention.
active/active configuration
All load balancers are always active and work together as a team.
MAC flooding
An attacker can overflow the switch's address table with fake MAC addresses, forcing it to act like a hub and send packets to all devices.
Port spanning
Another name for port mirroring.
DNS Sinkhole
Changes a normal DNS request to a pre-configured IP address that points to a firewall with a rule of Deny set to all packets.
inline system
Connects directly to the network and monitors the flow of traffic.
honeyfiles
Data files that are imitations of real data.
Spanning Tree Protocol (STP)
Defined by the IEEE 802.1D standard, it allows a network to have redundant Layer 2 connections while logically preventing a loop, which could lead to symptoms such as broadcast storms and MAC address table corruption.
High interaction honeypot
Designed to capture a lot of info. Loaded with fake software and data.
Low interaction honeypot
Designed with few features. Only records login attempts and provides information on the threat actor's IP address.
affinity scheduling protocol
Distributes the load based on which devices can handle the load more efficiently.
load balancing
Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.
index matching
Documents that have been identified as needing protection are analyzed by the DLP system and complex computations are conducted based on the analysis. Thereafter, if even a small part of that document is leaked, the DLP system can recognize the snippet as being from a protected document. This is an example of how DLP uses __________________.
Standard Naming Convention
Easier to identify resource location and purpose. Reduces time to troubleshoot events and issues. Reduces time to onboard/train new personnel.
North-South traffic
Endpoint-to-server traffic that moves between the data center and an unsecured location outside of the data center network.
MAC address spoofing
If two devices have the same MAC address, a switch may send frames to each device. An attacker can change the MAC address of their device to match the target device's MAC address.
Stateful Packet Filtering
Looks at packets in context, ensuring rules are followed; any packets outside of usual behaviour are automatically blocked.
Quality of Service (QoS)
Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.
Active-Passive Configuration
Primary load balancer distributes network traffic while the secondary load balancer operates in a "listening mode". The passive load balancer will step in if needed.
next generation firewall (NGFW)
Provides additional functionality including application filtering, deep packet inspection, URL filtering, and intrusion prevention services.
firewall rules
Rules that determine whether particular traffic should pass through or be blocked. Evaluated in top-down order, with the most important rules at the top and an implicit deny as the last rule. If the implicit deny were at the top, everything would be blocked.
virtual firewall
Runs in the cloud, designed for settings.
host-based firewall
Software that is installed on a single system to specifically guard against networking attacks.
workgroup switches
Switches that are connected directly to the devices on the network.
core switches
Switches that reside at the top of the hierarchy and carry traffic between switches.
File Integrity Monitors
Technology that detects any changes within files that may indicate a cyberattack.
Loop Protection
Technique to prevent broadcast storms by using the IEEE 802.1D standard spanning-tree algorithm (STA).
fake telemetry
Telemetry is the collection of data such as how certain software features are used, app crashes, general usage statistics, and behavior.
Rights Management
The authority of the owner of the data to impose restrictions on its use.
East-West traffic
The movement of data from one server to another server within a data center.
Tokenization
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Round Robin Scheduling Protocol
The rotation applies to all devices evenly.
Switch Port Analyzer (SPAN)
The tool used in port mirroring.
port TAP (test access point)
Transmits the send/receive data streams simultaneously on separate dedicated channels so that all data arrives at the monitoring tool in real time.
Bridge Protocol Data Unit (BPDU)
Used by switches to share information with other switches that are participating in the Spanning Tree Protocol.
content inspection
____ is defined as a security analysis of the transaction within its approved context.
Health Registration Authority (HRA)
A NAP component that can obtain health certificates from client computers when the IPSec enforcement method is in use.
Firewall
A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
network hardware security module
A special trusted network computer that performs cryptographic operations.
The four monitoring methodologies?
Anomaly-based, signature-based, behavior-based, heuristic.
Unified Threat Management (UTM)
Comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, web content filtering, and anti-spam software.
Honeypots
Computers baited with fake data and purposely left vulnerable to study how intruders operate, in order to prepare stronger defenses.
passive system
Connected to a port on the switch, which receives a copy of network traffic.
Broadcast storms can be prevented with ____.
Loop protection.
in-band management
Through the network itself, by using network protocols and tools.
Intrusion Prevention System (IPS)
Type of IDS that also takes action against intrusion attempts.
out-of-band management
Uses an independent and dedicated channel to reach the device.