ISA3300 chapter 12

IPSec has two components:

(1) the IP Security protocol itself, which specifies the information to be added to an IP packet and indicates how to encrypt packet data; (2) the Internet Key Exchange (IKE), which uses asymmetric key exchange and negotiates the security associations

port:

A network channel or connection point in a data communications system.

certificate authority (CA):

A third party that manages users' digital certificates and certifies their authenticity.

Remote Authentication Dial-In User Service (RADIUS):

A computer connection system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server.

symmetric encryption AKA private key encryption:

A cryptographic method in which the same algorithm and secret key are used both to encipher and decipher the message.

asymmetric encryption AKA public key encryption:

A cryptographic method that incorporates mathematical operations involving both a public key and a private key to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it.

XOR cipher conversion:

A cryptographic operation in which a bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream. The XOR function compares bits from each stream and replaces similar pairs with a "0" and dissimilar pairs with a "1."

transposition cipher AKA permutation cipher:

A cryptographic operation that involves simply rearranging the values within a block based on an established pattern.

Vernam cipher:

A cryptographic technique developed at AT&T and known as the "one-time pad," this cipher uses a set of characters for encryption operations only one time and then discards it.

Bluetooth:

A de facto industry standard for short-range wireless communications between wireless telephones and headsets, between PDAs and desktop computers, and between laptops.

application layer proxy firewall:

A device capable of functioning both as a firewall and an application layer proxy server.

bastion host AKA sacrificial host:

A device placed between an external, untrusted network and an internal, trusted network. Also known as a sacrificial host, as it serves as the sole target for attack and should therefore be thoroughly secured.

proxy firewall:

A device that provides both firewall and proxy services.

wireless access point (WAP):

A device used to connect wireless networking users and their devices to the rest of the organization's network(s). Also known as a Wi-Fi router.

screened-host architecture:

A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.

screened-subnet architecture:

A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.

single bastion host architecture:

A firewall architecture in which a single device performing firewall duties, such as packet filtering, serves as the only perimeter device providing protection between an organization's networks and the external network. This architecture can be implemented as a packet filtering router or as a firewall behind a non-filtering router.

deep packet inspection (DPI):

A firewall function that involves examining multiple protocol headers and even content of network traffic, all the way through the TCP/IP layers and including encrypted, compressed, or encoded data.

dynamic packet filtering firewall:

A firewall type that can react to network traffic and create or modify configuration rules to adapt.

stateful packet inspection (SPI) firewall AKA stateful inspection firewall:

A firewall type that keeps track of each network connection between internal and external systems using a state table, and that expedites the filtering of those communications.

total cost of ownership (TCO):

A measurement of the true cost of a device or application, which includes not only the purchase price, but annual maintenance or service agreements, the cost to train personnel to manage the device or application, the cost of systems administrators, and the cost to protect it.

honey net:

A monitored network or network segment that contains multiple honey pot systems.

dual-homed host:

A network configuration in which a device contains two network interfaces: one that is connected to the external network and one that is connected to the internal network. All traffic must go through the device to move between the internal and external networks.

packet filtering firewall:

A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.

passphrase AKA virtual password:

A plain-language phrase, typically longer than a password, from which a virtual password is derived.

clipping level:

A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to write the event to a log file and/or notify an administrator.

virtual private network (VPN):

A private, secure network operated over a public and insecure network. It keeps the contents of the network messages hidden from observers who may have access to public traffic.

cache server:

A proxy server or application-level firewall that stores the most recently accessed information in its internal caches, minimizing the demand on internal servers.

password:

A secret word or combination of characters that only the user should know; used to authenticate the user.

proxy server:

A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers. Some proxy servers are also cache servers.

Wired Equivalent Privacy (WEP):

A set of protocols designed to provide a basic level of security protection to wireless networks and to prevent unauthorized access or eavesdropping. WEP is part of the IEEE 802.11 wireless networking standard.

Wi-Fi Protected Access (WPA):

A set of protocols used to secure wireless networks; created by the Wi-Fi Alliance. Includes WPA and WPA2.

content filter:

A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network—for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment.

monoalphabetic substitution:

A substitution cipher that incorporates only a single alphabet in the encryption process.

polyalphabetic substitution:

A substitution cipher that incorporates two or more alphabets in the encryption process.

state table:

A tabular record of the state and context of each packet in a conversation between an internal and external user or system. It is used to expedite traffic filtering.

port-address translation (PAT):

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.

network-address translation (NAT):

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.

application layer firewall:

Also known as a layer seven firewall, a device capable of examining the application layer of network traffic (for example, HTTP, SMTP, FTP) and filtering based upon its header content rather than the traffic IP headers.

honey pot:

An application that entices individuals who are illegally perusing the internal areas of a network by providing simulated rich content areas while the software notifies the administrator of the intrusion.

vulnerability scanner:

An application that examines systems connected to networks and their network traffic to identify exposed usernames and groups, open network shares, configuration problems, and other vulnerabilities in servers.

war driving:

An attacker technique of moving through a geographic area or building, actively scanning for open or unsecured WAPs.

dumb card:

An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.

asynchronous token:

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.

synchronous token:

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.

smart card:

An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.

Kerberos:

An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises.

war-dialer:

An automatic phone-dialing program that dials every number in a configured range (e.g., 555-1000 to 555-2000) and checks whether a person, answering machine, or modem picks up.

substitution cipher:

An encryption method in which one value is substituted for another.

public key infrastructure (PKI):

An integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely through the use of digital certificates.

demilitarized zone (DMZ):

An intermediate area between a trusted network and an untrusted network that restricts access to internal systems.

trap and trace applications:

Applications that combine the function of honey pots or honey nets with the capability to track the attacker back through the network.

log files:

Collections of data stored by a system and used by administrators to audit systems performance and use both by authorized and unauthorized users.

Terminal Access Controller Access Control System (TACACS):

Commonly used in UNIX systems, a remote access authorization system based on a client/server configuration that makes use of a centralized data service in order to validate the user's credentials at the server.

Log Parsing

Dividing data within logs into specific values, as some log data may consist of a solid stream of data.

digital signatures:

Encrypted message components that can be mathematically proven to be authentic.

transport mode:

In IPSec, an encryption method in which only a packet's IP data is encrypted, not the IP headers themselves; this method allows intermediate nodes to read the source and destination addresses.

tunnel mode:

In IPSec, an encryption method in which the entire IP packet is encrypted and inserted as the payload in another IP packet. This requires other systems at the beginning and end of the tunnel to act as proxies to send and receive the encrypted packets and then transmit the packets to their ultimate destination.

agent AKA sensor:

In an IDPS, a piece of software that resides on a system and reports back to a management server.

firewall:

In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.

footprint:

In wireless networking, the geographic area in which there is sufficient signal strength to make a network connection.

security event information management (SEIM) systems:

Log management systems specifically tasked to collect log data from a number of servers or other network devices for the purpose of interpreting, filtering, correlating, analyzing, storing, and reporting the data.

Unified Threat Management (UTM):

Networking devices categorized by their ability to perform the work of multiple devices, such as a stateful packet inspection firewall, network intrusion detection and prevention system, content filter, spam filter, and malware scanner and filter.

Rivest-Shamir-Adleman (RSA):

One of the most popular public key cryptosystems. A proprietary encryption algorithm developed for commercial use, it has been integrated into Microsoft Internet Explorer and a number of other browsers.

digital certificates:

Public key container files that allow PKI system components and end users to validate a public key and identify its owner.

Event Aggregation:

The consolidation of similar entries or related events within a log. This is critical for the organization to be able to handle the thousands of data points that multiple servers will generate.

cryptology:

The field of science that encompasses cryptography and cryptanalysis.

intrusion detection and prevention system (IDPS):

The general term for a system with the capability both to detect intrusions and to modify its configuration and environment to prevent them. It encompasses the functions of both intrusion detection systems and intrusion prevention technology.

Diffie-Hellman key exchange method:

The hybrid cryptosystem that pioneered the technology.

footprinting:

The organized research and investigation of Internet addresses owned or controlled by a target organization.

IP Security (IPSec):

The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including VPNs.

cryptography:

The process of making and using codes to secure information.

cryptanalysis:

The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption.

nonrepudiation:

The process of reversing public key encryption to verify that a message was sent by a specific sender and thus cannot be refuted.

false reject rate:

The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device. This failure is also known as a Type I error or a false negative.

false accept rate:

The rate at which fraudulent users or nonusers are allowed access to systems or areas as a result of a failure in the biometric device. This failure is also known as a Type II error or a false positive.

Event Filtering:

The separation of "items of interest" from the rest of the data that the log collects.

trusted network:

The system of networks inside the organization that contains its information assets and is under the organization's control.

untrusted network:

The system of networks outside the organization over which it has no control. The Internet is an example of this.

fingerprinting:

The systematic survey of a targeted organization's Internet addresses collected during the footprinting phase to identify the network services offered by the hosts in that range.

hybrid encryption system:

The use of asymmetric encryption to exchange symmetric keys so that two (or more) organizations can conduct quick, efficient, secure communications based on symmetric encryption.

biometrics:

The use of physiological characteristics to provide authentication for a provided identification. The term means "life measurement" in Greek.

port scanners:

Tools used both by attackers and defenders to identify or fingerprint active computers on a network, the active ports and services on those computers, the functions and roles of the machines, and other useful information.

E-Mail Security:

Two of the more popular adaptations include Secure Multipurpose Internet Mail Extensions and Pretty Good Privacy.

WiMAX:

A certification mark that stands for "Worldwide Interoperability for Microwave Access." It is essentially an improvement on the technology developed for cellular telephones and modems.

Secure Shell (SSH):

A popular extension to the TCP/IP protocol suite. Sponsored by the IETF, it provides security for remote access connections over public networks by creating a secure and persistent connection. It provides authentication services between a client and a server and is used to secure replacement tools for terminal emulation, remote management, and file transfer applications.

Secure Hypertext Transfer Protocol (SHTTP):

An encrypted solution to the unsecured version of HTTP. It provides an alternative to the aforementioned protocols and can provide secure e-commerce transactions as well as encrypted Web pages for secure data transfer over the Web using a number of different algorithms.

packet sniffer:

Can provide a network administrator with valuable information to help diagnose and resolve networking issues. In the wrong hands, it can be used to eavesdrop on network traffic.

anomaly-based IDPS AKA behavior-based IDPS:

Compares current data and traffic patterns to an established baseline of normalcy, looking for variance out of parameters.

signature-based AKA knowledge-based IDPS:

Examines systems or network data in search of patterns that match known attack signatures.

Log generation:

Involves the configuration of systems to create logs, as well as the configuration changes needed to consolidate logs if this is desired.

Secure Sockets Layer (SSL):

Provides security for online e-commerce transactions. It uses a number of algorithms but mainly relies on RSA for key transfer and IDEA, DES, or 3DES for encrypted symmetric key-based data transfer.

network-based IDPS (NIDPS):

Resides on a computer or appliance connected to a segment of an organization's network and monitors traffic on that segment, looking for indications of ongoing or successful attacks.

host-based IDPS (HIDPS) AKA system integrity verifier:

Resides on a particular computer or server, known as the host, and monitors activity only on that system. Also known as a system integrity verifier.

crossover error rate (CER) AKA equal error rate:

The point at which the rate of false rejections equals the rate of false acceptances. This is considered the optimal outcome for biometrics-based systems, as it represents a balance between the two false error rates.

IP Security (IPSec):

The primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group. It supports a variety of applications, just as SSH does. A framework for security development within the TCP/IP family of protocol standards, IPSec provides application support for all uses within TCP/IP, including VPNs.

Kerberos consists of three interacting services, all of which rely on a database library:

• Authentication Server (AS)—A Kerberos server that authenticates clients and servers.
• Key Distribution Center (KDC)—Generates and issues session keys.
• Kerberos Ticket Granting Service (TGS)—Provides tickets to clients who request services.

Special, non-routable addresses have three possible ranges:

• Organizations that need very large numbers of local addresses can use the 10.x.x.x range, which has more than 16.5 million usable addresses.
• Organizations that need a moderate number of addresses can use the 192.168.x.x range, which has more than 65,500 addresses.
• Organizations with smaller needs can use the 172.16.0.0—172.16.15.0 range, which has approximately 4000 usable addresses.

There are three types of authentication mechanisms:

• Something a person knows (for example, a password or passphrase)
• Something a person has (for example, a cryptographic token or smart card)
• Something a person can produce (such as fingerprints, palm prints, hand topography, hand geometry, retina and iris scans; or a voice or signature that is analyzed using pattern recognition)
