Chapter 6 - Network Security Devices, Design, and Technology


Security and Information Event Management (SIEM)

A SIEM consolidates real-time monitoring and management of security information; analyzes and reports on security events.

Full Tunnel

A VPN technology in which all traffic is sent to the VPN concentrator and is protected.

Split Tunneling

A VPN technology in which only some traffic is sent to the VPN concentrator and is protected while other traffic directly accesses the Internet.

Forward Proxy

A computer or an application program that intercepts user requests from the internal network and processes that request on behalf of the user.

VPN Concentrator

A dedicated hardware device that aggregates hundreds or thousands of VPN connections.

Switches

A device that connects network hosts intelligently; can learn which device is connected to each of its ports; examines the MAC address of the device connected to that port - and stores addresses in a MAC address table.

Bridge

A network bridge is a hardware device or software that joins two separate computer networks (LANs or segments) to facilitate better communication. Operates at OSI Layer 2.

A SIEM can be:

A separate device; software that runs on a computer; a service that is provided by a third party.

Host Intrusion Detection System (HIDS)

A software-based application that can detect an attack as it occurs; installed on each system needing protection.

Application/Multipurpose Proxy

A special proxy server that "knows" the application protocols that it supports.

Application-Aware IDS

A specialized IDS that uses "contextual knowledge" in real time; it can know the version of the OS or which application is running as well as what vulnerabilities are present in the systems being protected.

Data Loss Prevention (DLP)

A system of security tools that is used to recognize and identify data that is critical to the organization; ensures that it is protected.

Remote-Access VPN

A user-to-LAN connection.

Layer 4 Balancers

Act upon data found in Network and Transport layer protocols.

A SIEM typically has what functions?

Aggregations, Correlation, Automated alerting and triggers, Time sync, Event duplication, and SIEM logs.

Virtual LAN (VLAN)

Allow scattered users to be logically grouped together, even if attached to different switches.

Always-on VPNs

Allow the user to always stay connected.

Firewall actions on packet

Allow, Drop, and Reject.

NAT

Allows private IP addresses to be used on the public internet; replaces private IPs with public IPs.

Different actions to take when a violation is detected by a DLP

Block the data; redirect it to an individual who can examine the request; quarantine the data; and alert a supervisor of the request.

Standard Network Devices

Bridges, switches, routers, load balancers, and proxies.

SIEM logs

Can be retained for future analysis.

Firewalls

Can be software-based or hardware-based; both types inspect packets and either accept or deny entry; Hardware firewalls tend to be more expensive and more difficult to configure and manage; software firewalls running on a device provide protection to that device only; all modern OSs include a software firewall, usually called a host-based firewall.

Intrusion Detection System (IDS)

Can detect attack as it occurs.

Time Synchronization

Can show the order of events.

Aggregation

Combines data from multiple data sources.

Anomaly-Based Monitoring

Compares current detected behavior with baseline.

Inline IDS

Connected directly to the network and monitors the flow of data as it occurs.

Passive IDS

Connected to a port on a switch, which receives a copy of network traffic.

DLP uses two types of sensors

DLP Network Sensors

Two common security zones

Demilitarized zones and using NAT to create zones.

Behavior-Based Monitoring

Detects abnormal actions by processes or programs; adaptive and proactive monitoring instead of reactive; alerts the user, who decides whether to allow or block the activity.

Dissolvable NAC Agent

Disappears after reporting information to the NAC.

Layer 7 Load Balancers

Distribute requests based on data found in Application layer protocols.

Transparent Proxy

Does not require any configuration on the user's computer.

Virtual Private Network (VPN)

Enables authorized users to use an unsecured public network as if it were a secure private network; all data transmitted between the remote device and the network is encrypted.

Network Access Control (NAC)

Examines the current state of a system or network device before it can connect to the network; any device that does not meet a specified set of criteria can connect only to a "quarantine" network where the security deficiencies are corrected.

Event Duplication

Filter multiple alerts into a single alarm.

Allow

Firewall action that lets a packet pass through.

Drop

Firewall action that prevents the packet from passing into the network and sends no response to the sender.

Reject

Firewall action that prevents the packet from passing into the network but sends a message to the sender.

Routers

Forward packets across different computer networks; operate at the Network layer (layer 3); can filter out specific types of network traffic using ACLs.

Two types of VPN connections

Full tunnel and Split tunneling.

Load Balancers

Help evenly distribute work across a network; allocate requests among multiple devices; achieved through hardware or software.

IDS systems can be managed with two modes.

In-band, and out-of-band.

Advantages of Proxy Servers

Increased speed, reduced costs, improved management, and stronger security.

Automated Alerting and Triggers

Inform security personnel of critical issues.

Stateless Packet Filtering

Inspects incoming packet and permits or denies based on conditions set by the administrator.

Physical Network Segregation

Isolates the network so that it is not accessible by outsiders.

Stateful Packet Filtering

Keeps a record of the state of connection, makes decisions based on the connection and conditions.

Application-Aware IPS

Knows which applications are running as well as the underlying OS.

Two categories of load balancers

Layer 4 Load balancers, layer 7 balancers.

Correlation

Looks for common characteristics.

Signature-Based Monitoring

Looks for well-known attack signature patterns.

What are proper security configurations for switches?

Loop prevention, and a flood guard.

Advantages with NAT

Masks IP addresses; attackers can't determine the actual IP address of the sender of a captured packet.

Two types of uses of DLP

Monitoring emails through a mail gateway, blocking the copying of files to a USB flash drive (USB blocking).

Mail Gateway

Monitors emails for unwanted content and prevents these messages from being delivered; can search for malware, spam, and phishing attacks on inbound emails, outbound emails can be searched for transmission of sensitive data.

Intrusion Prevention System (IPS)

Monitors network traffic to immediately block a malicious attack; similar to NIDS; "in-line" with firewall; allows NIPS to more quickly take action to block an attack.

Content Inspection

Most DLP systems use this; defined as a security analysis of the transaction within its approved context.

Site-to-Site

Multiple sites can connect to other sites over the internet.

What does NAC use?

NAC uses software "agents" to gather information and report back (host agent health checks).

Two technologies that can help secure a network

Network Access Control and Data Loss Prevention

Application-Aware Firewalls

Operate at a higher level by identifying applications that send packets through the firewall and make decisions about actions to take; applications can be identified by application-based firewalls through predefined application signatures, header inspection, and payload analysis.

Flood Guard

Overflowing a switch with Ethernet frames that have been spoofed so that each frame contains a different source MAC address.

A NAC agent could be

Permanent NAC agent, Dissolvable NAC agent.

Network Security Hardware

Provides greater protection than standard networking devices.

Types of VPNs

Remote-Access VPN,

Different Scheduling protocols used in load balancers

Round-Robin, Affinity, and Other.

Reverse Proxy

Routes requests coming from an external network to the correct internal server.

Security Through Network Devices

Security can be achieved through using the security features found in standard networking devices as well as hardware designed primarily for security.

Rule-Based Firewalls contain info such as:

Source address, destination address, source port, and destination port.

Web Application Firewall

Special type of application-aware firewall that looks deeply into packets that carry HTTP traffic; can block specific sites or specific types of HTTP traffic, such as XSS and SQL injection attacks.

What does HIDS monitor?

System calls and file system access; it can recognize unauthorized registry modification and host input and output communications; detects anomalous activity.

Air Gap

The absence of any type of connection between devices.

Endpoints

The end of the tunnel between VPN devices; may be software on local computer or a VPN concentrator.

Goal of NAC

To prevent computers with suboptimal security from potentially infecting other computers through the network.

Mail Gateway Email Systems

Two different TCP/IP systems in use: SMTP, POP/POP3, and IMAP.

Rule-Based Firewalls

Use a set of individual instructions to control actions; each rule is a separate instruction processed in sequence telling the firewall what action to take; rules are stored together in one or more text file(s) that are read when the firewall starts; rule-based systems are static in nature, cannot do anything other than what they have been configured to do.

Heuristic Monitoring

Uses experience-based techniques and an algorithm to see if a threat exists.

Out-of-Band Management

Using an independent and dedicated channel to reach the device.

Network Intrusion Detection System (NIDS)

Watches for attacks on the network; NIDS sensors installed on firewalls and routers gather information and report back to central device; NIDS can sound an alarm and log events.

DMZ

A separate network located outside the secure network perimeter; untrusted outside users can access the DMZ but not the secure network.

In-band Management

Through the network itself by using network protocols and tools.
