Computer Networking Semester 2 Unit 10

TACACS+ (Terminal Access Controller Access Control System Plus)

A Cisco proprietary protocol that provides AAA services.

AAA (authentication, authorization, and accounting)

A category of protocols that establish a client's identity, authorize a user for certain privileges on a system or network, and keep an account of the client's system or network usage.

iptables

A command-line firewall utility for Linux systems.

Kerberos

A cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system.

MAC address table

A database configured manually or dynamically that stores MAC addresses allowed on a network.

security token

A device or piece of software used for authentication that stores or generates information, such as a series of numbers or letters, known only to its authorized user.

stateful firewall

A firewall capable of examining an incoming packet to determine whether it belongs to a currently active connection and is, therefore, a legitimate packet.

network-based firewall

A firewall configured and positioned to protect an entire network.

Layer 7 firewalls

A firewall innovation that monitors and limits the traffic of specific applications, adapts to the class of users or user groups, and adapts to the context of various applications, users, and devices.

NGFWs (Next Generation Firewalls)

A firewall innovation that monitors and limits the traffic of specific applications, adapts to the class of users or user groups, and adapts to the context of various applications, users, and devices.

content-filtering firewall

A firewall that can block designated types of traffic from entering a protected network based on application data contained within packets.

stateless firewall

A firewall that manages each incoming packet as a stand-alone entity without regard to currently active connections.

host-based firewalls

A firewall that only protects the computer on which it's installed.

EAP-TLS

A form of EAP that uses TLS encryption to protect communications.

SSO (single sign-on)

A form of authentication in which a client signs on once to access multiple systems or resources.

2FA (two-factor authentication)

A form of identity verification where the user must provide something and know something.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling)

A form of tunneled EAP developed by Cisco that uses PACs (Protected Access Credentials), which are somewhat similar to cookies that websites store on a user's computer to track their activities.

domain local group

A group of workstations that is centrally managed via Active Directory for the entire network.

ACL (access control list)

A list of statements used by a router or other device to permit or deny the forwarding of traffic on a network based on one or more criteria.

alert

A message generated when a pre-defined event occurs, which is then logged by the system.

notification

A message sent to IT personnel via email, text, or some other method that is triggered by the occurrence of a predefined event.

RBAC (role-based access control)

A method of access control where a network administrator assigns only the privileges and permissions necessary for a user to perform the role required by an organization.

DAC (discretionary access control)

A method of access control where users decide for themselves who has access to that user's resources.

port mirroring

A monitoring technique in which one port on a switch is configured to send a copy of all its traffic to a second port.

quarantine network

A network segment that is situated separately from sensitive network resources and might limit the amount of time a device can remain connected to the network.

RADIUS (Remote Authentication Dial-In User Service)

A popular protocol for providing centralized AAA services for multiple users.

AES (Advanced Encryption Standard)

A private key encryption algorithm that uses a sophisticated family of ciphers along with multiple stages of data transformation.

root guard

A restriction that prevents switches beyond the configured port from becoming the root bridge.

network policies

A rule or set of rules that determines the level and type of access granted to a device when it joins a network.

CCMP (Counter Mode with CBC [Cipher Block Chaining] MAC [Message Authentication Code] Protocol)

A security method used in WPA2 that helps ensure data confidentiality by providing message integrity and encryption services.

UTM (Unified Threat Management)

A security strategy that combines multiple layers of security appliances and technologies into a single safety net.

FIM (file integrity monitoring)

A security technique that alerts the system of any changes made to files that shouldn't change, such as operating system files.

proxy server

A server acting as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.

PAP (Password Authentication Protocol)

A simple authentication protocol that operates over PPP.

BPDU guard

A software configuration on a switch's access ports that blocks certain types of BPDUs from being sent to or received by the devices, such as workstations and servers, connected to these ports.

BPDU filter

A software configuration that can be used to disable STP on specific ports, such as the port leading to the network's demarc. A BPDU filter prevents access to network links that should not be considered when plotting STP paths in a network.

agent

A software routine that collects data about a managed device's operation or compliance with security benchmarks, and provides this information to a network management application.

IPS (intrusion prevention system)

A stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall that stands in-line between an attacker and the targeted network or host, and can prevent traffic from reaching that network or host.

IDS (intrusion detection system)

A stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. It monitors network traffic, generating alerts about suspicious activity.

STP (Spanning Tree Protocol)

A switching protocol defined by the IEEE standard 802.1D that functions at the Data Link layer and prevents traffic loops by artificially blocking the links that would complete a loop.

NAC (network access control)

A technology solution that balances the need for network access with the demands of network security by employing a set of network policies to determine the level and type of access granted to a device when it joins a network.

PEAP (Protected EAP)

A tunnel-based form of EAP that creates an encrypted TLS tunnel between the supplicant and the server before proceeding with the usual EAP process.

NIDS (network-based intrusion detection system)

A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's DMZ.

HIDS (host-based intrusion detection system)

A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host.

NIPS (network-based intrusion prevention system)

A type of intrusion prevention that protects an entire network and is situated at the edge of the network or in a network's DMZ.

HIPS (host-based intrusion prevention system)

A type of intrusion prevention that runs on a single computer, such as a client or server, to intercept and help prevent attacks against that one host.

BPDU (Bridge Protocol Data Unit)

A type of network message that transmits STP information between switches.

802.1X

A vendor-independent IEEE standard for securing transmission between nodes according to the transmission's port, whether physical or logical. 802.1X, also known as EAPoL, is commonly used with RADIUS authentication.

persistent agent

Agent software that is permanently installed on a device and that can provide robust security measures such as remote wipe, virus scanning, and mass messaging.

nonpersistent agent

Agent software that remains on a device long enough to verify compliance and complete authentication, and then uninstalls.

implicit deny

An ACL rule which ensures that any traffic the ACL does not explicitly permit is denied by default.

EAP (Extensible Authentication Protocol)

An authentication mechanism that provides the framework for authenticating clients and servers. It does not perform encryption or authentication on its own, but rather works with other encryption and authentication schemes to verify the credentials of clients and servers.

PSK

An authentication method for WPA or WPA2 that requires a passphrase for a device to be authenticated to the network.

agentless authentication

An authentication process in which the user is authenticated rather than the device. The device is then scanned to determine compliance with access control requirements.

MFA (multifactor authentication)

An authentication process that requires information from two or more categories of authentication factors.

MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)

An authentication protocol provided with Windows operating systems that follows the CHAP model, but uses stronger encryption, uses different encryption keys for transmission and reception, and requires mutual authentication between two computers.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)

An authentication protocol provided with Windows operating systems that uses a three-way handshake to verify a client's credentials and encrypts passwords with a challenge text.

CHAP (Challenge Handshake Authentication Protocol)

An authentication protocol that operates over PPP and also encrypts usernames and passwords for transmission.

Geofencing

An authentication restriction that determines a client's geographic location to enforce a virtual security perimeter.

mutual authentication

An authentication scheme in which both computers verify the credentials of each other.

TKIP (Temporal Key Integrity Protocol)

An encryption key generation and management scheme used by WPA.

RC4 (Rivest Cipher 4)

An insecure encryption cipher that is still widely used.

OSA (Open System Authentication)

An insecure form of authentication used by WEP where no key is used at all.

SKA (Shared Key Authentication)

An insecure form of authentication where all wireless access clients use the same key, which can then be used for encrypted transmissions.

SPB (Shortest Path Bridging)

As described in IEEE's 802.1aq standard, a descendent of the Spanning Tree Protocol that keeps all potential paths active while managing the flow of data across those paths to prevent loops.

RSTP (Rapid Spanning Tree Protocol)

As described in IEEE's 802.1w standard, a version of the Spanning Tree Protocol that can detect and correct for link failures in milliseconds.

- message integrity
- encryption

CCMP helps ensure data confidentiality with both encryption and packet authentication by providing:

signatures

Identifiable patterns of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic.

supplicant

In EAP, the device requesting authentication.

authenticator

In Kerberos authentication, the user's time stamp encrypted with the session key. The authenticator is used to help the service verify that a user's ticket is valid.

ticket

In Kerberos terminology, a temporary set of credentials that a client uses to prove its identity has been validated by the authentication service.

principal

In Kerberos terminology, a user or client.

KDC (Key Distribution Center)

In Kerberos terminology, the server that issues keys to clients during initial client authentication.

accounting

In the context of network security, the process of logging users' access and activities on a network.

role separation

In the context of role-based access control, a security technique that allows a user to be a member of only a single user group at a time in order to perform any tasks.

password policy

Minimum requirements defined on a system for user passwords.

- RSTP (Rapid Spanning Tree Protocol)
- TRILL
- SPB (Shortest Path Bridging)
- some switch manufacturers

New versions of STP include what?

access control

One or more security techniques for managing users' access to a network and its resources.

SIEM (Security Information and Event Management)

Software that can be configured to evaluate data logs from IDS, IPS, firewalls, and proxy servers in order to detect significant events that require the attention of IT staff according to predefined rules.

- message integrity
- key distribution
- encryption

TKIP accomplished three significant improvements:

authentication server

The authority on computer names and their IP addresses for computers in their domains.

signature management

The process of regularly updating the signatures used to monitor a network's traffic.

authorization

The process that determines what a user can and cannot do with network resources.

root bridge

The single bridge on a network selected by STP to provide the basis for all subsequent path calculations.

- authentication
- authorization
- accounting

The three components required to manage access control to a network and its resources.

- something you know
- something you have
- something you are
- somewhere you are
- something you do

There are five categories of authentication factors covered by the CompTIA Network+ exam.

- change default usernames
- require user passwords
- allow only a single logon

What are some important security policy adjustments?

- application aware
- user aware
- context aware

What are some innovative features of Layer 7 firewalls?

- statistical anomaly detection
- signature-based detection

What are the two primary methods for detecting threats on the network?

- AS (authentication service)
- TGS (ticket-granting service)

What are the two services a Kerberos server runs?

- Wi-Fi Protected Access 2 (WPA2)
- Wi-Fi Protected Access (WPA)
- Wired Equivalent Privacy (WEP)

Wireless security must be enabled on all your devices by using one or more of the following methods:

- time of day
- total time logged on
- source address
- unsuccessful logon attempts
- geographic location

Additional authentication restrictions that strengthen network security:

- low security
- convenience varies
- reliable backup access

Advantages and disadvantages of usernames and passwords being stored locally.

Encryption

Prevents people from using eavesdropping technology, such as a protocol analyzer (packet sniffer), to capture packets. Data can also be secured with encryption to prevent someone who has gained physical access to a computer from being able to use the data.

- challenge
- response
- accept/reject

Steps that use a three-way handshake.

Virtual private network (VPN)

Uses the internet to give users or branch offices secure access to a company's network resources.
