CH3 includes 2.1 only
implicit deny
A condition that states that unless permission is explicitly granted, it will be denied. All firewalls operate on this principle.
passive response
A nonactive response, such as logging. Passive response is the most common type of response to many intrusions. In general, passive responses are the easiest to develop and implement.
alarm
A notification that an unusual condition EXISTS and should be investigated.
proxy firewall
A proxy server that also acts as a firewall, blocking network access from external networks. It protects the inside from the outside and hides internal IP addresses. It makes rule-based decisions and is better than packet filtering because of its increased intelligence, isolating the user from the external network.
active response
A response generated in real time.
signature based system
A system that acts based on the digital signature it sees and offers no repudiation to increase the integrity of a message.
stateful inspection
Stateful packet inspection (SPI) filtering. Unlike packet filtering, which only looks at the current packet, SPI tracks the whole conversation; records of packets and their paths are kept after they are gone.
proxy server
A type of server that makes a single Internet connection and services requests on behalf of many users.
HSM
Hardware Security Module. A stand-alone software or appliance used to enhance security, commonly used with PKI systems.
SSL
Secure Sockets Layer. A protocol that secures messages by operating between the Application layer (HTTP) and the Transport layer.
SSL/TLS Accelerators
SSL (Secure Sockets Layer) is the acronym commonly used, whether the technology in use is really SSL or its replacement TLS (Transport Layer Security). Since encrypting data is very processor intensive, accelerators can be used to offload the PUBLIC KEY encryption to a hardware accelerator, which is a separate plug-in card (usually into a PCI slot).
SIEM
Security information and event management software combines security information management (SIM) and security event management (SEM) functions to provide real-time analysis of security alerts.
SSID
Service Set Identifier. 802.11 wireless networks use the SSID to identify all systems belonging to the same network, and client stations must be configured with the SSID to be authenticated to the AP. The AP may broadcast it.
reverse proxy
Also known as a "surrogate." This is an internal-facing server used as a front end to control (and protect) access to a server on a private network. The reverse scenario is used for tasks like load balancing, authentication, decryption, and caching.
analyzer
The component or process that analyzes the data collected by the sensor. It looks for suspicious activity among all the data collected.
AP
The point at which access to a network is accomplished. This term is often used in relation to a wireless access point (WAP). An AP can be said to be fat or thin, and controller-based or stand-alone.
alert
An indication that an unusual condition COULD exist and should be investigated, e.g. when an excessive amount of Internet Control Message Protocol (ICMP) traffic is occurring.
TLS
Transport Layer Security. Enhances and replaces SSL. Popular with VPNs: an "SSL VPN" is called that whether SSL or TLS is actually used; also OpenVPN or WebVPN.
TPM
Trusted Platform Module. The name assigned to a chip that can store CRYPTOGRAPHIC KEYS, passwords, or certificates. It can be used to assist with hash key generation and can be used to protect smartphones and devices other than PCs as well.
site-to-site
Site-to-site VPNs can be used to connect LANs together across the Internet or other public networks.
remote access
Remote-access VPNs are used on a much smaller scale to offer security to remote users.
Infrastructure - purpose
Your network's____________ is the backbone of your systems and network operations. The ____________ includes all of the hardware, software, physical security, and operational security methods in place.
transparent proxy
A proxy that does not modify the request or response beyond what is required for proxy authentication and identification. Most sit between the client and the Internet. A non-transparent proxy modifies the request.
ACL
Access control list. A table or data file that specifies whether a user or a group has access to a specific resource on a computer or network. Used by routers to deter attacks that rely on a (spoofed) source IP.
security topology
The access methods, security, and technologies used.
proxy
Acts on behalf of another. A type of system that prevents direct communication between a client and a host by acting as an intermediary.
NAC 3 parts
An agent running on the device to verify it, which performs a host health check (HHC); the agent is either permanent (always on) or dissolvable (not).
forward proxy
Most proxies act like this: they are front-facing and are used to retrieve data on behalf of the clients they serve.
SEM
Security event management.
SIEM
Security information and event management products provide real-time analysis of security alerts that are flagged by network appliances and software applications (aggregation). They also correlate events, use automated alert and trigger criteria, perform event deduplication, keep logs (on WORM storage), and rely on time synchronization.
SIM
Security information management.
IPSec Transport mode
Encrypts ONLY the payload.
deception active response
Fool the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects it to a system designed to be broken into (a honeypot).
gap controls
Controls that fill in the coverage between other types of vulnerability mitigation techniques (they compensate for holes in coverage).
Hardware Security module
Hardware-based encryption added on to software-based encryption; can enable/disable the TPM.
key management
The management of all aspects of cryptographic keys in a cryptosystem, including key generation, exchange, storage, use, destruction, and replacement.
HIDS
Host-based IDS, designed to run as software on a host computer system. HIDS can read memory; NIDS cannot. An intrusion detection system that is host based; the alternative is an intrusion detection system that is network based. Problem: if the system is compromised, the log files to which the IDS reports may become corrupt or inaccurate.
shunning
Ignoring an attack. Common, even though it violates security policy: note it in the log and move on.
active passive LB
A configuration in which there is one primary server and the secondary one is in listening mode, able to activate and start splitting the load when needed if the first server becomes overwhelmed. One listens.
Band selection/width
To deal with interference or other difficulties, many APs let you choose the band; use a strength meter.
scheduling LB
Scheduling is a key issue with load balancing: determining how to split up the work and distribute it across servers. Methods include round-robin and affinity.
behavior based detection
Looks for variations in behavior such as unusually high traffic, policy violations, and so on. By looking for deviations in behavior, it is able to recognize potential threats and to respond quickly to them.
Signal strength (AP)
Make sure that you are not reaching beyond your network and allowing someone to connect who should not.
clustering
A method of balancing loads and providing fault tolerance.
affinity-based load balancing
A method of scheduling commonly used with load balancing: like services are sent to like servers (SIMILAR).
round-robin load balancing
A method of scheduling commonly used with load balancing: the first client request is sent to the first group of servers, the second is sent to the second, and so on (ORDER).
Logs to check in Linux for intrusion
/var/log/faillog, /var/log/lastlog, /var/log/messages, /var/log/wtmp
firewall
A combination of hardware and software filters placed between trusted and untrusted networks, intended to protect a network from attack by hackers who could gain access through public networks, including the Internet. Firewalls can be application based or network based; network-based firewalls use ACLs.
application-level proxy
A device or software that recognizes application-specific commands and offers granular control over them.
switch
A network device that can replace a router or hub in a local network and get data from a source to a destination. Used internally because the switching they do is based on MAC addresses, which are not routable; routers, on the other hand, route based on IP address. A multiport device that improves network efficiency and security, the best of hubs and routers combined. Switching allows for higher speeds.
Key terms in IDS
Activity, administrator, alert, analyzer, data source, event, manager, notification, operator, sensor; behavior-based detection, signature-based detection, anomaly detection, heuristic. Most orgs have an escalation chart; the admin is rarely at the top but is still responsible for keeping incidents under control.
all-in-one appliance
An appliance that performs multiple functions; also called UTM (unified threat management) or NGFW (next-generation firewall).
AH
Authentication Header. Provides the authentication and integrity checking for data packets. An IPSec header used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays.
port security
Be sure to secure switches, disable unused ports, and be aware of the following: DHCP snooping, ARP inspection, MAC address filtering, and VLAN assignments. Securing switches, disabling unused ports, and using common-sense solutions can go far in improving network security.
ESP
Encapsulating Security Payload. Provides encryption services. An IPSec header used to provide a mix of security services in IPv4 and IPv6. _____ can be used alone or in combination with the IP Authentication Header (AH).
IPSec
Internet Protocol Security. A set of protocols that enable encryption, authentication, and integrity over IP. IPSec is commonly used with virtual private networks (VPNs) and operates at Layer 3. It offers more encryption to address security concerns with VPNs and is composed of two mutually exclusive protocols, AH and ESP.
IDS
Intrusion Detection System. Tools that identify attacks using defined rules or logic and are considered passive. An ___ can be network based or host based.
IPS
Intrusion Prevention System. Tools that respond to attacks using defined rules or logic and are considered active. An ____ can be network based or host based.
Infrastructure -key components
Key components of your ________________ include devices such as routers, firewalls, switches, and the other devices used in the network.
Logs/WORM
Long-term storage of log files is built into many implementations, as well as write-once-read-many (WORM) protection: information, once written, cannot be modified, thus assuring that the data cannot be tampered with once it is written to the device.
flood guards
Since switches can be subject to DoS attacks, _____________ _____________ are used to look for and prevent malicious traffic from bringing the switch to a halt.
antispoofing
Software programs utilizing an ACL to deter attacks that rely on source IP address spoofing; they work by performing switch port, MAC address, and/or source address verification.
STP
Spanning Tree Protocol. Enables bridge/switch interfaces to be assigned a value that is then used to control the learning process and PREVENT LOOPS.
SSID broadcast
An access point's broadcasting of a network name.
antenna placement
Can be crucial in allowing clients to reach the access point. Closer is better; building materials may block the signal.
event
An occurrence, or continuous occurrence, in a data source that indicates that a suspicious activity has occurred; it may generate an alert.
AD-IDS
Anomaly detection intrusion detection system. Looks for deviations from a pattern of normal network traffic and acts accordingly.
SSL Decryptors
Another layer of security: decrypt encrypted traffic, inspect it, re-encrypt it, and send it on. INSPECTION OF ENCRYPTED traffic.
signature based detection
Commonly known as misuse-detection IDS (MD-IDS); primarily focused on evaluating attacks based on attack signatures and audit trails.
manager
The component or process the operator uses to manage the IDS or IPS. The IDS/IPS console is a manager. Configuration changes in the IDS/IPS are made by communicating with the IDS manager.
active active LB
A configuration in which more than one load-balancing server is working at all times to handle the load/requests as they come in. Both act.
Full Tunnel
A configuration of a VPN tunnel in which ALL requests are routed and encrypted through the VPN. More secure; better.
Split Tunnel
A configuration of a VPN tunnel in which only SOME requests (usually all incoming requests) are routed and encrypted over the VPN. Better for low bandwidth.
DLP
Data loss prevention. Any systems that identify, monitor, and protect data to prevent it from unauthorized use, modification, destruction, egress, or exfiltration from a location. Can block USB; cloud based; email (limited app).
stateless inspection
Doesn't keep track of how information is routed or used. After a packet is passed, the packet and path are forgotten. Stateful inspection, by contrast, keeps records.
MAC filtering
Each host is identified by its MAC address and allowed (or denied) access based on that; this can increase security dramatically.
activity
An element of a data source that is of interest to the operator. This could include a specific occurrence of a type of activity that is suspicious. An example might be a TCP connection request that occurs repeatedly from the same IP address.
active vs passive response
Much like the difference between a security guard and a security camera. All a security camera can do is record what occurs; it cannot react to any incident. A security guard can take action. This is the same with IDSs: a passive IDS simply records what occurs; an active IDS, or IPS, takes action. Active responses are the LEAST commonly implemented. Those that are the most effective are the costliest and the hardest to put into practice, not to mention the trouble you can get into following a "we-attack-those-who-attack-us" strategy.
NAC
Network access control. The set of standards defined by the network for clients attempting to access it, so that only known devices can access it. Usually, NAC requires that clients be virus free and adhere to specified policies before allowing them on the network.
NIDS
Network-based IDS. An approach to an intrusion detection system (IDS) that attaches the system to a point in the network where it can monitor and report on all network traffic. Focuses on signatures, then ACTS. HIDS can read memory; NIDS cannot. Placement in front of or behind the firewall determines what data will be analyzed; attach to a switch, hub, or tap.
NIPS
Network intrusion prevention system. An intrusion prevention system that is network based.
loop
Loops occur when more than one bridge or switch is implemented on the network. Prevention: technologies such as the Spanning Tree Protocol (STP) enable bridge/switch interfaces to be assigned a value that is then used to control the learning process and prevent loops.
administrator
The person responsible for setting the security policy for an organization and for making decisions about the deployment and configuration of the IDS (alarm levels, historical logging).
port spanning
Port mirroring copies the traffic from all ports to a single port and disallows bidirectional traffic on that port. Cisco's Switched Port Analyzer (SPAN) is one example of a port-spanning implementation.
router
The primary instrument used for connectivity between two or more networks, based on IP addresses rather than MAC addresses, providing a path between the networks. Each connection has its own address (or more) and appears as a valid address in its respective network. Routers STORE INFO about the networks to which they're connected in routing tables. Routing tables contain information about known hosts on both sides of the router.
encapsulation
The process of enclosing data in a packet.
notification
The process or method by which the IDS/IPS manager makes the operator aware of an alert. MAKE AWARE.
packet filtering
Pure packet filtering has no real intelligence. It allows data to pass through a port if that port is configured and otherwise discards it; it doesn't examine the packets. Stateful packet filtering, however, has intelligence in that it keeps track of every communications channel.
data source
The raw information that the IDS or IPS uses to detect suspicious activity. The data source may include audit files, system logs, or the network traffic as it occurs.
event deduplication
Removing multiple reports on the same instance, and then acting based on automated alert and trigger criteria.
Fat/thin APs
Fat APs, sometimes still referred to as autonomous APs, need to be manually configured with network and security settings. Then they are essentially left alone to serve clients until they can no longer function. Thin APs are an evolutionary change to fat ones and allow for configuration remotely using a controller (typically rack mounted). Since thin APs do not need to be manually configured, they can be easily reconfigured, and monitored, on the fly.
Switch: layer 2 vs Layer 3
A switch can work at Layer 2 (the data link layer) or Layer 3 (the network layer) of the OSI model. A multilayer switch is one that can operate at both Layer 2 and Layer 3 of the OSI model, which means that the multilayer device can operate as both a switch and a router.
sensor
The IDS component that collects data from the data source and passes it to the analyzer for analysis. The ______________ is a primary data collection point for the IDS/IPS.
IPSec Tunneling mode
The data or payload and the message headers are encrypted. Better encryption.
"hardware-only" solutions
The hardware still runs some sort of software. It may be hardened and in ROM to prevent tampering, and it may be customized, but software is present nonetheless.
operator
The person primarily responsible for the IDS/IPS. The operator can be a user, administrator, and so on, as long as they're the primary person responsible.
Standalone APs / controller-based APs
Standalone APs are thick access points (as opposed to thin) and do not require a controller, whereas controller-based access points use that controller for centralized management, updates, policy settings, and a variety of other functions.
Virtual IPs (LB)
Used to achieve load balancing across multiple interfaces for both inbound and outbound workloads. Provides more flexibility than the DNS-based load balancing methods, but is really a connection-based solution as opposed to a load-based solution.
Always-on VPN
A traditional VPN is passive, sitting and waiting for the remote user; with always-on, the user is already authenticated and able to use it as needed. They are popular with mobile devices, where persistent connections are common, and thus are sometimes alternatively referred to as mobile VPNs.
Bridge
Used to divide larger networks into smaller sections by sitting between two physical network segments and managing the flow of data between the two (looks at MAC addresses to decide whether to forward). Can connect LANs. OLD; replaced by switches (multiport bridges).
Mail Gateway
Used to route mail and perform OTHER functions such as encryption or DLP, and spam filtering (can scan inbound/outbound).
dual-homed firewall
Uses 2 NICs (network interface cards), one connected to the outside network and one connected to the inside network. This setup segregates the two networks from each other and offers increased security. A proxy.
heuristic
Uses ALGORITHMS to analyze the traffic passing through the network. As a general rule, heuristic systems require more tweaking and fine-tuning than the other types of detection systems to prevent FALSE POSITIVES.
anomalies
Variations from normal operations.
WAF
Web application firewall. A real-time appliance that applies a set of rules to block traffic to and from web servers and to try to prevent attacks. The blocking rules can be customized. Network-based firewalls have less focus and logic.
Media gateways
Web security gateways act as a proxy to note red flags, blocking known HTTP/HTML exploits, etc.