
Security+ Domain 3.0

Terms

IDS
Intrusion Detection System - Specialized tool that knows how to read and interpret the contents of log files from routers, firewalls, servers, and other network devices; stores a database of known attack signatures and can compare patterns of activity, traffic or behavior; automatic action ranging from shutting down Internet links or specific servers to launching backtraces, and active attempts to identify attackers and collect evidence.
Firewalls
When configured properly, firewalls block access to an internal network from the outside, and block users on the internal network from accessing potentially dangerous external networks or ports.
3 Firewall Technologies
Packet filtering, application layer gateways, and stateful inspection.
Packet Filtering Firewall
Network layer (OSI); designed to operate rapidly by either allowing or denying packets. 2 policies: "allow by default" and "deny by default".
Application layer gateway firewall
Operates at the Application layer (OSI); analyzes each packet and verifies that it contains the correct type of data for the specific application it is attempting to communicate with.
Stateful inspection firewalls
Check each packet to verify that it is an expected response to a current communications session; Network layer (OSI), but aware of the transport, session, presentation and application layers.
2 Modes of FTP
Active and Passive mode
Packet Filtering Firewall Benefits / Drawbacks
Benefits: speed, ease of use, transparent to network devices, most current routers support; Drawbacks: port is either open or closed, contents of each packet aren't understood beyond the header, packets can't be filtered by user name, only IP addresses.
Application Layer Gateway Firewall Benefits / Drawbacks
Benefits: application layer awareness, can determine whether data in the packet matches what port is expecting; Drawbacks: much slower than packet filters, limited set of predefined rules - custom rules must be defined.
Stateful Inspection Firewall Benefits
Benefits: much faster than application layer gateways, more secure, information is stored in a dynamically updated table.
ACL
Access Control List - Its capacity to control access is limited by the type of device and the control software written to guide the device. ACLs are controlled by the device operator or administrator, not the "owner" of the resource. ACLs can control: protocols allowed, ports allowed, source and destination of connection, and interface type of connection. ACL concepts are similar to DACs.
Routers
Basically has 2 or more interfaces through which network traffic is forwarded or blocked; often used to segment networks into smaller subnets or to link multiple networks together; routers decide how and when to forward packets between networks based on routing tables.
Router Routing tables
Can be either static (each route is explicitly defined) or dynamic (where the router learns new routes by the use of routing protocols).
Router Security Benefit
Because routers segment networks, they limit the data flowing between segments, and therefore limit the amount of data that can be obtained using a sniffer; also, routers have the ability to block spoofed packets (IP address in the header is different from the originating computer).
Switches
While routers are used to join network segments, switches are used to create network segments; MAC addresses are used to route packets (layer 3 switches use network address instead though); switches eliminate packet collisions; control the amount of data that can be gathered by sniffers.
2 types of routing protocols
Link-state: OSPF (Open Shortest Path First); Distance-vector: RIP.
ARP Spoofing
Packets sent to a switch that can make it think an attacking system is a different system on the network and cause it to route packets intended for the target over to the attacker instead.
RAS
Remote Access Service - common method of allowing users of a corporate network to access network resources either from home or on the road - provides additional functionality while increasing the risk of security breaches; RAS uses CHAP, MS-CHAP, PAP, SPAP, or EAP.
Mandatory Callback
Requires users to connect from a number the administrator has entered into the system. After initial connection and authentication, the server disconnects and dials the user's callback number.
RAS Security implementation
Use the most secure authentication method; encrypt communication between client and server; implement mandatory callback; block unnecessary protocols; use user ID; enforce strong passwords.
PBX
Private Branch eXchange - device that handles routing of internal and external telephone lines; allows company to have a limited number of external lines and an unlimited number of internal lines; controls costs.
PBX vulnerabilities
Designed to be maintained by offsite vendor - remote access methods are available; vulnerable to DoS attacks; Voicemail can be abused.
VPN
Virtual Private Network - allows users to create a secure tunnel through an unsecured network to connect to their corporate network. VPNs use a variety of protocols: IPSec, L2TP, PPTP, and SSH.
3 types of VPNs
Remote access VPN, Site-to-site intranet-based VPN, and Site-to-site extranet-based VPN.
Honeynets or honeypots
Systems that are deployed with the intended purpose of being compromised - excellent tool for distracting intruders from the important systems on your network by luring them to a group of systems where they can be detected.
2 types of IDS
System IDS: runs on each individual server on which the administrator wants to perform intrusion detection; Network IDS: performs intrusion detection across the network.
NIDSs Benefits and Drawbacks
Benefits: can detect attacks that may be occurring on multiple systems at the same time or catch someone doing a portscan on an entire system; some NIDSs support learning mode, which examines traffic and learns trends; Drawbacks: can be overloaded since they analyze every packet on the network.
Workstations
Typically one of the most vulnerable devices attached to a network; flaws or bugs in all workstation OSs provide ample opportunity for attackers to gain remote access to systems, to copy data from the workstations, or to monitor the traffic and gather passwords for access to more systems.
Coaxial Cable (Coax)
One of the most vulnerable cabling methods in use - unstable and has no fault tolerance.
Thin Coax
Thinnet - uses RG-58 and has a 50-ohm resistance (TV cables are RG-59/75-ohm); uses T-connectors on NIC, BNC connectors on cables, barrel connectors to connect cable segments.
Thick Coax
Thicknet - twice as thick as thinnet; vampire taps are used to connect cable segments; 15-pin adapter unit interface (AUI) is connected to the vampire tap and the NIC is attached to the transceiver with a transceiver cable; 50-ohm resistor on both ends with one end grounded.
Vulnerabilities of Coax
DoS attack is easy to perform by cutting the cable or disconnecting a device; there is no way to prevent unauthorized connections (no hubs or switches are used); intruders can tap into the network with either a T-connector or a vampire tap.
UTP Cable
Vulnerable to EMI and RFI (Radio Frequency Interference); both coax and UTP/STP are vulnerable to eavesdropping because cables create a pulse that can be monitored and translated into the actual data using specialized devices.
Fiber Optic Cable
Can't succumb to typical eavesdropping without actually cutting the line and tapping in with a highly complex form of optical T-connector.
Plenum Cabling
Flame retardant and does not release toxic fumes. Required by some building codes to be used in overhead ceilings and in buildings over a certain height.
Removable Media Types
Tape, CDRs, hard drives, diskettes, flashcards, and smart cards.
Magnetic Tape
Primary drawback is that it's portable. To secure: encrypt the data being backed up, and protect it from being obtained by an intruder (use off-site storage).
CDRs
Not vulnerable to magnets, but are to being scratched.
Hard drives
Not truly considered removable media, but many newer systems support hot-swap chassis that allow drives to be quickly and easily removed. 2 main aspects: encryption and physical security.
Flashcards
Not susceptible to damage from magnetic fields and are less prone to wear out over time. CompactFlash, SmartMedia, Memory Sticks, PCMCIA type I and II, and memory cards. Can be damaged by static electricity - avoid holding while walking across plush carpet.
SmartCards
Broad range of devices that either allow you to store a small amount of data, or run some processing routines. Used primarily as a form of ID for devices with the capability to read them. Designed to be tamper-proof. Immune to magnetic fields, static shock and physical abuse.
Firewall
Hardware or software device used to keep undesirables electronically out of a network the same way that locked doors and server racks keep them physically away from a network. Traffic is filtered (both outbound and inbound) based on rules established by the firewall administrator.
Security Zone
Any portion of a network that has specific security concerns or requirements. Intranets, extranets, DMZs and VLANs are all security zones.
Firewall abilities
Block traffic based on certain rules; mask the presence of networks or hosts to the outside world; log and maintain audit trails of incoming and outgoing traffic; provide additional authentication methods.
Defense in Depth
Multiple layers of security
DMZ
Special section of the network, usually closest to the Internet, which uses switches, routers, and firewalls to allow access to public resources without allowing this traffic to reach the resources and computers in the private network.
Creation of DMZ
Layered DMZ implementation: systems are placed between 2 firewall devices with different rule sets; Multiple interface firewalls: add a third interface to the firewall and place the DMZ systems on that network segment.
Hosts in DMZ
Accessed from both the internal network clients and public Internet clients - examples: DNS servers, Web servers, FTP servers, E-mail relaying, and intrusion detection.
Bastion Host
System on the public side of a firewall which is exposed to attack.
Multiple Needs = Multiple Zones
Many organizations choose to implement a multiple segment structure to better manage and secure their different types of business information. 2 segments widely accepted are: segment dedicated to information storage, and segment specifically for the processing of business information.
Data Storage Zone
Used to hold information that the e-commerce application requires (inventory databases, pricing information, ordering details, etc). Web servers in the DMZ segment serve as the interface to the customers; they access the servers in the other 2 segments to gather the required information and process the requests.
Financial processing segment
Financial information from an order is transferred to this segment - processes the payment requests to a credit card company, and then the information is stored in a database.
Problems with Multi-zone Networks
Firewall rule sets are often large, dynamic, and confusing, and the implementation can be arduous and resource intensive. Creating and managing security controls such as firewall rules, IDS signatures and user access regulations is a large task. Best to start with deny-all strategies and permit only the services and network transactions required.
Intranet security
Make sure that the firewall is configured properly; block everything and open firewall on case-by-case basis; make sure the firewall will watch traffic that leaves that network; make sure the antivirus software is up to date; educate users; implement IPSec; conduct regular security audits; don't allow the installation of modems in any intranet computers.
VLANs
Equivalent to a broadcast domain. VLANs are a way to segment a network. Switches can be split to create multiple network segments; VLANs are logical area networks.
Typical VLAN characteristics
Each VLAN is like a physically separate switch; can span multiple switches; trunks carry traffic between each switch that is part of a VLAN (trunks are point-to-point links from one switch to another); ISL and IEEE 802.1Q are trunking protocols.
NAT
Network Address Translation - feature of many firewalls, proxies, and routing systems; can hide IP addresses and network design; enables internal clients to use non-routable IP addresses; restricts traffic flow so that only traffic requested or initiated by an internal client can cross the NAT; sometimes called NAT firewall.
ICS
Internet Connection Sharing - simple form of NAT.
Tunneling
Used to create a virtual tunnel (point-to-point link) between you and your destination using an untrusted public network as the medium. All packets are encrypted and carry information designed to provide authentication and integrity; can withstand MITM attacks and packet replay; use PPTP and L2TP protocols. MPPE and IPSec are their encryption counterparts.
IDS & Firewall difference
IDS: device that monitors and inspects all inbound and outbound network traffic and identifies patterns that may indicate suspicious behavior. Firewall: inspects all inbound and outbound network traffic looking for disallowed types of connections.
3 Types of IDSs
Network-based, host-based, and application-based IDSs.
Network-based IDS
Monitors network backbones and looks for attack signatures. Pros: Monitor entire large network with only a few well-situated devices, little overhead, may be undetectable to attackers, little effort to install. Cons: May overlook attacks during peak traffic periods, may not be able to monitor switch-based networks effectively, can't analyze encrypted data, or report whether attempted attacks succeed or fail.
Host-based IDS
Pros: Can analyze hosts at high level of detail, can determine which process or users are involved in malicious activities, report to single centralized console, can detect attacks undetectable to network-based IDS, can examine encrypted traffic, data, storage, and activity, switch-based networks are OK, too. Cons: Data collection is per-host; can decrease network performance; host-based IDSs can be attacked and disabled by attacker; can be foiled by DoS attacks; consumes processing time, storage, memory, etc.
Application-based IDS
Pro: Detect attacks through analysis of application log files; can track unauthorized activity from individual users; can also work with encrypted data. Cons: can be more vulnerable to attacks than host-based IDSs; consume significant application and host resources.
Signature detection (IDS)
Database of traffic or activity patterns related to known attacks, which are called attack signatures.
Anomaly Detection (IDS)
Uses rules or predefined concepts about normal and abnormal system activity (called heuristics) to distinguish anomalies from normal system behavior and monitors, reports on or blocks anomalies as they occur.
Signature-based IDS characteristics
Pros: Examines ongoing traffic, activity, transactions, or behavior for matches with known patterns of events specific to known attacks; requires access to current database of signatures. Cons: Databases must be updated; may miss variations of known attacks; can also impose noticeable performance drags.
Anomaly-based IDS characteristics
Pros: Can observe when current behavior deviates statistically from the norm (baseline); ability to detect new attacks that are neither known nor for which signatures have been created. Cons: Prone to false positives; imposes heavy processing overheads; takes a while to create statistically significant baselines (open to attack during this time).
IDS Security techniques
Breaks TCP connections by injecting reset packets into attackers' connections, causing attacks to fall apart; deploys automated packet filters to block routers or firewalls from forwarding attack packets to servers or hosts under attack; deploys automated disconnects for routers, firewalls, or servers; actively pursues reverse DNS lookups or other ways of attempting to establish hacker identity.
MSSP
Managed Security Services Providers - organizations that help their customers select, install, and maintain state-of-the-art security policies and technical infrastructures to match.
Honeypot
Computer system that is deliberately exposed to public access (usually on the Internet) for the express purpose of attracting and distracting attackers.
Honeynet
Network set up for the same purpose as a honeypot, where attackers not only find vulnerable services or servers but also find vulnerable routers, firewalls, and other network boundary devices, security applications.
Honeypot / Honeynet characteristics
Systems or devices used as lures are set up with only "out of the box" default installations; do not include sensitive information, so they can sometimes be compromised or destroyed; systems or devices used as lures contain deliberately tantalizing objects or resources (password files, files marked top secret); systems or devices used as lures also include or are monitored by passive applications that can detect and report on attacks.
False positive
Triggered event that did not actually occur, and may be as innocuous as the download of a signature database, or some unusual traffic generated by a networked game.
False negative
More dangerous because they fail to alert you to an actual event; product of a situation in which an attacker modifies the attack payload in order to subvert the detection engine.
Incident Response
Collect further data and other evidence about the attack, its origin, and its methods. After terminating the attack, or upon discovering the evidence of the attack, all available steps must be taken to ensure that the chain of evidence is not lost; logs and audit files must be saved, and ports that have been exploited must be closed.
Rule of Least Privilege
Method of file security, when you start with the most secure environment and then loosen the controls as needed.
Hardening
Can include concepts present in other security areas, such as locking doors, restricting physical access, and protecting systems from natural and unnatural disasters.
Updates (Firmware)
It is always necessary to install and test firmware updates in a non-production environment, to verify that the updates contain the necessary repairs.
Configuration
Basic devices are set for convenience and not for control and security. It's easier to operate some devices with just the default settings, but in many cases there is a corresponding loss of security.
Enable / Disable services and protocols
It's important to evaluate the current needs and conditions of the network and infrastructure, and then begin to eliminate unnecessary services and protocols.
SACL
Static Access Control List - Configurations to maintain the settings on hardware devices in a network.
Email Server Hardening
Attack points in email servers are: email relay (unauthorized users can send email through email server), virus propagation, spamming, and storage limitations.
FTP Server Hardening
FTP servers are best operated in DMZ; contact from the internal network to the FTP server through the firewall should be restricted and controlled through ACL entries. Hardening: file system, isolate FTP directories, authorization and access control rules, regular review of logs, and regular review of directory content.
DNS Server Hardening
Restrict zone transfers - should only be made at designated servers; don't use HINFO records in the DNS server; cache poisoning (server is fed altered or spoofed records that are retained and then duplicated elsewhere).
DHCP Server Hardening
Administrators must apply the necessary patches, updates, service packs and hot fixes; node address, mask, gateway information, must be configured; control the creation of extra DHCP servers.
Data Repository
Include many types of storage systems that are interlinked in systems for maintenance and protection of data.
DEN
Directory Enabled Networks - model developed by Microsoft and Cisco to centralize control and management of an entire network, rather than just controlling users and group assignments.
Directory Services
Novell's NDS and Windows Active Directory - both are based on the X.500 standard (conventional LDAP directory service). LDAP/X.500 naming conventions: CN=Joe, O=His Company, C=US.
Hardening Databases
Use a strong password on the "sa" account, and utilize Windows authentication instead of mixed-mode authentication.
Oracle and SQL ports
Oracle: 1521, 1522, 1525, or 1529. SQL: 1433 and 1444
