CH3 includes 2.1 only

implicit deny

A condition that states that unless otherwise given, the permission will be denied. all firewalls operate on this principle

passive response

A nonactive response, such as **logging. Passive response is the most common type of response to many intrusions. In general, passive responses are the easiest to develop and implement.

alarm

A notification that an unusual condition EXISTS and should be investigated

proxy firewall

A proxy server that also acts as a firewall, blocking network access from external networks protect from outside and hiding Ips make rule based decisions better than packet filtering becuase increased intelligence. isolating the user from the external network.

active response

A response generated in real time.

signature based system

A system that acts based on the digital signature it sees and offers no repudiation to increase the integrity of a message.

stateful inspection

A system that acts based on the digital signature it sees and offers no repudiation to increase the integrity of a message. stateful packet inspection (SPI) filtering. - but SPI tracks all convo while packet filtering only lookas at current packet records kept of packets and path after they are gone

proxy server

A type of server that makes a single Internet connection and services requests on behalf of many users.

HSM

Hardware Security module A software or appliance stand-alone used to enhance security and commonly used with PKI systems.

SSL

Secure Sockets Layer A protocol that secures messages by operating between the Application layer (HTTP) and the Transport layer.

SSL/TLS Accelerators

Secure Sockets Layer) is the acronym commonly used, whether the technology in use is really SSL or its replacement TLS (Transport Layer Security). Since encrypting data is very processor intensive, accelerators can be used to offload the ******PUBLIC KEY encryption to a hardware accelerator, which is a separate plug-in card (usually into a PCI slot).

SIEM

Security information and event management software combines security information management (SIM) and security event management (SEM) functions to provide real-time analysis of security alerts.

SSID

Service Set identifier 802.11 wireless networks use the SSID to identify all systems belonging to the same network, and client stations must be configured with the SSID to be authenticated to the AP. AP might broadcast

reverse proxy

also known as a "surrogate." This is an internal-facing server used as a front-end to control (and protect) access to a server on a private network. The reverse scenario is used for tasks like load-balancing, authentication, decryption, and caching.

analyzer

The component or process that analyzes the data collected by the sensor. looks for suspicious activity among all the data collected

AP

The point at which access to a network is accomplished. This term is often used in relation to a wireless access point. (WAP) can be said to be fat or thin and controller-based or stand-alone.

alert

An indication that an unusual condition COULD exist and should be investigated. ex. when an excessive amouont of Internet Control Message Protocol (ICMP) traffic is occurring

TLS

Transport Layer Security enhances and replaces SSL popular with VPNs SSL VPN whether SSL or TLS used also OpenVPN or WebVPN

TPM

Trusted Platform module be used to assist with hash key generation. name assigned to a chip that can store **CRYPTOGRAPHIC KEYS passwords, or certificates. can be used to protect smartphones and devices other than PCs as well.

site-to-site

VPNs can be used to connect LANs together across the Internet or other public networks

remote access

VPNs used on a much smaller scale to offer security to remote users

Infrastructure - purpose

Your network's____________ is the backbone of your systems and network operations. The ____________ includes all of the hardware, software, physical security, and operational security methods in place.

transparent proxy

a proxy that does not modify the request or response beyond what is required for proxy authentication and identification." most between client and internet non-transparent modifies the req.

ACL

access control list a table or data file that specifies whether a user or a group has access to a specific resource on a computer or network used by routers deter attacks that rely on a source PI

security topology

access methods, security, and technologies used.

proxy

acts on behalf of another A type of system that prevents direct communication between a client and a host by acting as an intermediary.

NAC 3 parts

agent (running to verify device, performs HHC) host health check permanant or dissolvable (agent always on or no)

forward proxy

most proxies act like this front facing are used to retrieve data on behalf of the clients they serve.

SEM

security event management

SIEM

security information and event management products provide real-time analysis of security alerts that are flagged by network appliances and software applications (aggregation) also correlates events automated alert and trigger criteria event deduplication logs/WORM time synchronization

SIM

security information management

IPSec Transport mode

encrypts ONLY the payload.

deception active response

fool attacker into thinking the attack is succeeding while the system monitors activity and potentially redirects to a system designed to be broken (honeypot)

gap controls

gap controls that fill in the coverage between other types of vuln mitigation techniques(compensate for holes in coverage)

Hardware Security module

hardware-based encryption added on to software based encypt enable/disable TPM

key management

he management of all aspects of cryptographic keys in a cryptosystem, including key generation, exchange, storage, use, destruction and replacement.

HIDS

host based IDS designed to run as software on a host computer system. **HIDS can read memory NIDs cant An intrusion detection system that is host based. An alternative is an intrusion detection system that is network based. problems: 1. If the system is compromised, the log files to which the IDS reports may become corrupt or inaccurate. 2. If the system is compromised, the log files to which the IDS reports may become corrupt or inaccurate.

shunning

ignoring an attack common even though violates security policy note in log and move on

active passive LB

in which case there is one primary server and the secondary one is in listening mode—able to activate and start splitting the load when needed if the first server becomes overwhelmed. one listen

Band selection/width

interference or other difficulties many APs let you choose strength meter

scheduling LB

is a key issue with load balancing: determining how to split up the work and distribute it across servers. round robbin and affinity

behavior based detection

looks for variations in behavior such as unusually high traffic, policy violations, and so on. By looking for deviations in behavior, it is able to recognize potential threats and to respond quickly to them.

SIgnal Strength.. AP

make sure that you are not reaching beyond your network and allowing someone to connect who should not.

clustering

method of balancing loads and providing fault tolerance

affinity-based load balancing

method of scheduling commonly used with load balancing **like services are sent to like servers. SIMILAR

round-robin load balancing

method of scheduling commonly used with load balancing **the first client request is sent to the first group of servers; the second is sent to the second; and so on. ORDER

logs to check in linux for intrusion

/var/log/failog /var/log/lastlog /var/log/messages /var/log/wtmp

firewall

A combination of hardware and software filters placed between trusted and untrusted networks intended to protect a network from attack by hackers who could gain access through public networks, including the Internet. *application based or network based network based use ACLs

application-level proxy

A device or software that recognizes application-specific commands and offers granular control over them.

switch

A network device that can replace a router or hub in a local network and get data from a source to a destination. ****used internally because the switching they do is based on MAC addresses that are not routable. Routers, on the other hand, route based on IP address. multiport device that improves network efficiency and security **best of hubs and routers combined or not Switching allows for higher speeds.

Key terms in IDS

Activity Administrator Alert Analyzer Data Source Event Manager notification Operator Sensor Behavior based Detection Signature-Based Detection Anomaly Detection Heuristic *most orgs have an escalation chart.. admin rarely at the top but still reposible for keeping incidents under control

all-in-one appliance

An appliance that performs multiple functions. also UTM, unified threat management and NGFW next gen firewall

AH

Authentication Header **provides the authentication and integrity checking for data packets An IPSec header used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays.

port security

Be sure to secure switches, disable unused ports, and be on the lookout or aware of the following: DHCP snooping, ARP inspection, MAC address filtering, and VLAN assignments Securing switches, disabling unused ports, and using commonsense solutions can go far in improving network security.

ESP

Encapsulating Security Payload *****provides encryption services. An IPSec header used to provide a mix of security services in IPv4 and IPv6. _____can be used alone or in combination with the IP Authentication Header (AH).

IPSec

Internet protocol Security A set of protocols that enable encryption, authentication, and integrity over IP. IPSec is commonly used with virtual private networks (VPNs) and operates at Layer 3... offers more encryption to address security concerns with VPNs composed of 2 mutally exclusive protocols AH and ESP

IDS

Intrusion detection System Tools that identify attacks using defined rules or logic and are considered passive. An ___ can be network based or host based.

IPS

Intrusion prevention System Tools that respond to attacks using defined rules or logic and are considered active. An ____ can be network based or host based.

Infrastructure -key components

Key components of your ________________ include devices such as routers, firewalls, switches, and the other devices used in the network.

Logs/WORM

Long-term storage of log files is built into many implementations as well as ********write-once-read-many (WORM) protection: information, once written, cannot be modified, thus assuring that the data cannot be tampered with once it is written to the device.

flood guards

Since switches can be subject to DoS attacks, _____________ _____________ are used to look for and prevent malicious traffic from bringing the switch to a halt.

anitspoofing

Software programs utilizing an ACL in order to deter attacks that rely on source IP address spoofing work by performing switch port, MAC address, and/or source address verification.

STP

Spanning Tree Protocol enable bridge/switch interfaces to be assigned a value that is then used to control the learning process and **PREVENT LOOPS

SSID broadcast

an access point's broadcasting of a network name

antenna placement

an be crucial in allowing clients to reach the access point. closer is better.. building materials may block

event

an occurrence—or continuous occurrence—in a data source that indicates that a suspicious activity has occurred may generate an alert

AD-IDS

anomaly detection intrusion detection system' looks for deviations from a pattern of normal network traffic. acts accordingly

SSL Decryptors

another layer of security decrypt encrypted traffic, inspect, rencrypt and send on **INSPECTION OF ENCRYPTED

signature based detection

commonly known as misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on attack signatures and audit trails.

manager

component or process the operator uses to manage the IDS or IPS The IDS/IPS console is a manager. Configuration changes in the IDS/IPS are made by communicating with the IDS manager.

active active LB

configuration means that more than one load balancing server is working at all times to handle the load/requests as they come in. both act

Full Tunnel

configuration of a VPN tunnel ALL requests are routed and encrypted through the VPN more secure better

Split Tunnel

configuration of a VPN tunnel only SOME (usually all incoming requests) are routed and encrypted over the VPN. better for low bandwith

DLP

data loss prevention Any systems that identify, monitor, and protect data to prevent it from unauthorized use, modification, destruction, egress, or exfiltration from a location. block USB, cloud based, email (limited app)

stateless inspection

don't keep track of how information is routed or used. After a packet is passed, the packet and path are forgotten. stateful.. records kept

MAC filtering

each host is identified by its MAC address and allowed (or denied) access based on that, can increase security dramatically.

activity

element of a data source that is of interest to the operator. This could include a specific occurrence of a type of activity that is suspicious. An example might be a TCP connection request that occurs repeatedly from the same IP address.

active vs passive response

much like the difference between a security guard and a security camera. All a security camera can do is record what occurs; it cannot react to any incident. A security guard can take action. This is the same with IDSs. A passive IDS simply records what occurs; an active IDS—or IPS—takes action. ***active responses are the LEAST commonly implemented. Those that are the most effective are the costliest and the hardest to put into practice, not to mention the trouble you can get into following a "we-attack-those-who-attack-us" strategy

NAC

network access control The set of standards defined by the network for clients attempting to access it so only known dev can access it Usually, NAC requires that clients be virus free and adhere to specified policies before allowing them on the network.

NIDS

network based IDS An approach to an intrusion detection system (IDS); it attaches the system to a point in the network where it can monitor and report on all network traffic. focus on signature then ACT **HIDS can read memory NIDs cant in ffront or behind firewall placement determines what data will be analyzed attach to switch hub or tap

NIPS

network intrusion prevention system An intrusion prevention system that is network based.

loop

occur when more than one bridge or switch is implemented on the network. prevent: technologies such as the Spanning Tree Protocol (STP) enable bridge/switch interfaces to be assigned a value that is then used to control the learning process and prevent loops.

administrator

person responsible for setting the security policy for an organization and is responsible for making decisions about the deployment and configuration of the IDS. alarm levels, historical logging

port spanning

port mirroring copies the traffic from all ports to a single port and disallows bidirectional traffic on that port. Cisco's Switched Port Analyzer (SPAN) is one example of a port-spanning implementation.

router

primary instrument used for connectivity between two or more networks based on IP addresses not MAC providing a path between the networks. Each connection has its own address (or more) and appears as a valid address in its respective network STORE INFO about the networks to which they're connected. in routing tables. Routing tables contain information about known hosts on both sides of the router.

encapsulation

process of enclosing data in a packet

notification

process or method by which the IDS/IPS manager the operator aware of an alert MAKE AWARE

packet filtering

pure packet filtering has no real intelligence. It allows data to pass through a port if that port is configured and otherwise discards it—it doesn't examine the packets. Stateful packet filtering, however, has intelligence in that it keeps track of every communications channel.

data source

raw information that the IDS or IPS uses to detect suspicious activity. The data source may include audit files, system logs, or the network traffic as it occurs.

event deduplication

removing multiple reports on the same instance and then act based on automated alert and trigger criteria

Fat/thin APs

sometimes still referred to as autonomous APs, need to be manually configured with network and security settings. Then they are essentially left alone to serve clients until they can no longer function. an evolutionary change to fat ones and allow for configuration remotely using a controller (typically rack mounted). Since thin clients do not need to be manually configured, they can be easily reconfigured—and monitored—on the fly

Switch: layer 2 vs Layer 3

switch can work at Layer 2 (the data link layer) or Layer 3 (the network layer) of the OSI model A multilayer switch is one that can operate at both Layer 2 and Layer 3 of the OSI model, which means that the multilayer device can operate as both a switch and a router. .

sensor

the IDS component that collects data from the data source and passes it to the analyzer for analysis. ______________ is a primary data collection point for the IDS/IPS.

IPSec Tunneling mode

the data or payload and **message headers are encrypted. better encryption

"hardware-only" solutions

the hardware still runs some sort of software. It may be hardened and in ROM to prevent tampering, and it may be customized—but software is present nonetheless.

operator

the person primarily responsible for the IDS/IPS. The operator can be a user, administrator, and so on, as long as they're the primary person responsible.

STandalone APs/ controller based

thick access points (as opposed to thin) and do not require a controller whereas controller-based access points use that controller for centralized management, updates, policy settings, and a variety of other functions.

Virtual IPs ......... LB

to achieve load balancing across multiple interfaces for both inbound and outbound workloads provides more flexibility than the DNS-based load balancing methods but:s really a connection-based solution as opposed to a load-based solution

Aways-on VPN

traditional is passive sitting and waiting (remote user) *user is already authenticated and able to use as needed. They are popular with mobile devices where persistent connections are common and thus are sometimes alternatively referred to as mobile VPNs.

Bridge

used to ***divide larger networks into smaller sections by sitting between two physical network segments and managing the flow of data between the two. (look @MAC addresses/decide to fwd) can connect LANs OLD, replaced by switches(mltiport bridges)

Mail Gateway

used to route mail and perform OTHER functions such as : **encryption or DLP **spam filters - can scan in/out

dual -homed firewall

uses 2 NICs (networkinterface cards) one connected to outside one connected to inside network This setup segregates the two networks from each other and offers increased security. proxy

heursitic

uses ALGORITHMS to analyze the traffic passing through the network. As a general rule, heuristic systems require more tweaking and fine-tuning than the other types of detection systems to prevent FALSE POS

anomalies

variations from normal operations

WAF

web app firewall is a real-time appliance that applies a set of rules to block traffic to and from web servers and to try to prevent attacks. The rules of blocking can be customized, network based firewalls less focus and logic

Media gateways

web security gateway, act as a proxy to note red flags.. block known HTTPHTML exploits etc