Ch 9. Network Security Appliances and Technologies

sinkhole

A "bottomless pit" designed to steer unwanted traffic away from its intended destination to another device, deceiving the threat actor into thinking the attack is successful.

Layer 2 Tunneling Protocol (L2TP)

A VPN protocol that lacks security features, such as encryption. However, L2TP can still be used for a secure VPN connection if it is combined with another protocol that provides encryption.

full tunnel

A VPN technology in which all traffic is sent to the VPN concentrator and is protected.

Access Control List (ACL)

A clearly defined list of permissions that specifies what actions an authenticated user may perform on a shared resource.

network address translation gateway

A cloud-based technology that performs NAT translations for cloud services. Can also make the IP addresses of internal devices.

Split Tunnel

A computer networking concept which allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections.

Forward Proxy

A computer or an application program that intercepts user requests from the internal secure network and then processes those requests on behalf of the users.

reverse proxy

A computer or an application program that routes incoming requests to the correct server.

Statement of Health (SoH)

A declaration from an NAP-enabled client computer about its status on having items such as antivirus protection and security updates installed.

Intrusion Detection System (IDS)

A device designed to be active security; it can detect an attack as it occurs.

software firewall

A firewall consisting of software that you can install on any computer, as opposed to the software built into a hardware firewall. Also called personal firewalls because they are designed to be installed on individual desktop computers. (16)

stateless packet filtering

A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.

Session Persistence

A load balancer creates a link between an endpoint and a specific network server for the duration of the session.

Data Masking

A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training

Jump Box

A minimally configured admin server within the DMZ, running only essential protocols and ports.

port mirroring

A monitoring technique in which one port on a switch is configured to send a copy of all its traffic to a second port.

signature-based monitoring

A monitoring technique used by an IDS that examines network traffic to look for well-known patterns and compares the activities against a predefined signature.

heuristic monitoring

A monitoring technique used by an IDS that uses an algorithm to determine if a threat exists.

anomaly monitoring

A monitoring technique used by an intrusion detection system (IDS) that creates a baseline of normal activities and compares actions against the baseline. Whenever there is a significant deviation from this baseline, an alarm is raised.

Behavioral Monitoring

A monitoring technique used by an intrusion detection system (IDS) that uses the normal processes and actions as the standard and compares actions against it.

dissolvable NAC agent

A network access control (NAC) agent that disappears after reporting information to the NAC device.

Agentless NAC

A network access control (NAC) agent that is not installed on an endpoint device but is embedded within a Microsoft Windows Active Directory domain controller.

permanent NAC agent

A network access control (NAC) agent that resides on end devices until uninstalled.

hardware firewall

A network appliance dedicated to the purpose of acting as a firewall. This appliance can have multiple interfaces for connecting to areas of a network requiring varying levels of security.

Honeynet

A network of honeypots.

Configuration Management

A process that ensures that the descriptions of a project's products are correct and complete

DHCP snooping

A security feature on switches whereby DHCP messages on the network are checked and filtered.

Appliance Firewall

A separate hardware device designed to protect an entire network

Baseline Configuration

A set of specifications for a system that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. Used as a basis for future builds, releases, and/or changes. (NIST)

Web Application Firewall

A special type of firewall that looks more deeply into packets that carry HTTP traffic.

internet protocol schema

A standard guide for assigning IP addresses to devices.

Zero Trust

A strategic initiative about networks that is designed to prevent successful attacks. Attempts to eliminate the concept of trust from an organization's network architecture.

Data Loss Prevention (DLP)

A system that can identify critical data, monitor how it is being accessed, and protect it from unauthorized users.

Network Access Control (NAC)

A technique that examines the current state of a system or network device before it is allowed to connect to the network.

Remote Access VPN

A user-to-LAN virtual private network connection used by remote users.

Virtual LAN (VLAN)

A virtual network that is implemented to segment the network, reduce collisions, organize the network, boost performance, and, hopefully, increase security.

site-to-site VPN

A virtual private network in which multiple sites can connect to other sites over the Internet.

Access technologies

Access control list, VPN, network access control, and data loss prevention.

active/active configuration

All load balancers are always active and work together as a team.

MAC flooding

An attacker can overflow the switch's address table with fake MAC addresses, forcing it to act like a hub, sending packets to all devices

Port spanning

Another name for port mirroring

DNS Sinkhole

Changes a normal DNS request to a pre-configured IP address that points to a firewall with a rule of Deny set to all packets.

inline system

Connects directly to the network and monitors the flow of traffic

honeyfiles

Data files that are imitations of real data

Spanning Tree Protocol (STP)

Defined by the IEEE 802.1D standard, it allows a network to have redundant Layer 2 connections, while logical preventing a loop, which could lead to symptoms such as broadcast storms and MAC address table corruption.

High interaction honeypot

Designed to capture a lot of info. Loaded with fake software and data.

Low interaction honeypot

Designed with few features. Only records login attempts and provides information on the threat actors IP address.

affinity scheduling protocol

Distributes the load based on which devices can handle the load more efficiently.

load balancing

Distributing a computing or networking workload across multiple systems to avoid congestion and slow performance.

index matching

Documents that have been identified as needing protection are analyzed by the DLP system and complex computations are conducted based on the analysis. Thereafter, if even a small part of that document is leaked, the DLP system can recognize the snippet as being from a protected document. This is an example of how DLP uses __________________.

Standard Naming Convention

Easier to identify resource location and purpose. Reduces time to troubleshoot events and issues. Reduces time to onboard/train new personnel.

North-South traffic

Endpoint-to-server traffic that moves between the data center and an unsecured location outside of the data center network.

MAC address spoofing

If two devices have the same MAC address, a switch may send frames to each device. An attacker can change the MAC address of their device to match the target device's MAC address.

Statefull Packet Filtering

Looks at packets in context, ensuring rules are followed, any packets outside of usual behaviour automatically blocked

Quality of Service (QoS)

Policies that control how much bandwidth a protocol, PC, user, VLAN, or IP address may use.

Active-Passive Configuration

Primary load balancer distributes network traffic while the secondary load balancer operates in a "listening mode". The passive load balancer will step in if needed.

next generation firewall (NGFW)

Provides additional functionality including application filtering, deep packet inspection, URL filtering, and intrusion prevention services.

firewall rules

Rules that determine whether particular traffic should pass through or be blocked. Top-down format with most important at top and implicit deny last rule. If implicit deny at top then everything will be blocked.

virtual firewall

Runs in the cloud, designed for settings.

host-based firewall

Software that is installed on a single system to specifically guard against networking attacks.

workgroup switches

Switches that are connected directly to the devices on the network.

core switches

Switches that reside at the top of the hierarchy and carry traffic between switches.

File Integrity Monitors

Tech that detects any changes within the files that may indicate a cyberattack.

Loop Protection

Technique to prevent broadcast storms by using the IEEE 802.1d standard spanning-tree algorithm (STA).

fake telemetry

Telemetry is the collection of data such as how certain software features are used, app crashes, gen usage states, and behavior.

Rights Management

The authority of the owner of the data to impose restrictions on its use

East-West traffic

The movement of data from one server to another server within a data center

Tokenization

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.

Round Robin Scheduling Protocol

The rotation applies to all devices evenly.

Switch Port Analyzer (SPAN)

The tool used in port mirroring

port TAP(test access point)

Transmits the send/receive data streams simultaneously on separate dedicated channels so that all data arrives at the monitoring tool in real time.

Bridge Protocol Data Unit (BPDU)

Used by switches to share information with other switches that are participating in the Spanning-Tree Protocol

content inspection

____ is defined as a security analysis of the transaction within its approved context.

Health Registration Authority (HRA)

a NAP component that can obtain health certificates from client computers when the IPSec enforcement method is in use

Firewall

a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

network hardware security module

a special trusted network computer that performs cryptographic operations

The four monitoring methodologies?

anomaly-base, signature-based, behavior-base, heuistic

Unified Threat Management (UTM)

comprehensive security management tool that combines multiple security tools, including firewalls, virtual private networks, intrusion detection systems, and web content filtering and anti-spam software

Honeypots

computers baited with fake data and purposely left vulnerable to study how intruders operate to prepare stronger defenses

passive system

connected to a port on the switch, which receives a copy of network traffic

Broadcast storms can be prevented with ____.

loop protection

in-band management

through the network itself by using network protocols and tools

Intrusion Prevention System (IPS)

type of IDS that also takes action against intrusion attempts

out-of-band management

uses an independent and dedicated channel to reach the device.