Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
N+ 4.Security
4 > Network Security
| Question | Answer |
|---|---|
| CIA Triad | Confidentiality Availability Integrity |
| Confidentiality | - certain info should only be known to certain people - encryption - access controls |
| Integrity | - data is stored and transferred as intended - hashing - digsigs - certs - non-repudiation -- provides proof of integrity, can be asserted to be genuine |
| Availability | - info is accessible to authorized users - redundancy - fault tolerance - patching |
| Vulnerability | A weakness in a system |
| Threat | A vulnerability can be exploited by a threat |
| Zero-day | - vuln hasn't been detected or published |
| CVE | Common Vulnerabilities and Exposures |
| Exploits | Take advantage of a vuln |
| Least Privilege | Rights and permissions should be set to the bare minimum |
| RBAC | Role-Based Access Control |
| Zero Trust | Holistic approach - covers every device, every process, every person Everything must be verified...NOTHING IS TRUSTED!!! ;) |
| NVD | National Vuln DB |
| Defense in Depth | - firewall - screened subnet - hashing and salting pw's - authentication - IPS - VPN access - card/badge access - anti-virus / malware - security guard |
| Physical Segmentation | multiple units, separate infrastructure |
| Logical Separation | VLANs - cannot communicate between VLANs without a L3 device / router |
| Screened Subnet (DMZ) | - additional layer of security b/n the Internet and you - public access to public resources |
| Separation of Duties | - split knowledge -- no one person has all of the details Dual Control - two people must be present to perform the business function |
| NAC | Network Access Control - 802.1x - Port-based NAC -- you don't get access until you authenticate - we're talking about physical interfaces - extensive use of EAP and RADIUS - admin enable/disable -- disable unused ports - duplicate MAC address chk |
| EAP | Extensible Authentication Protocol |
| RADIUS | Remote Authentication Dial In User Service - centralize authentication of users NOTE: instead we might use LDAP or Active Directory |
| Local Authentication | - creds are stored on local device -- must be individually admined |
| MFA | Multi-factor Authentication - something you are - something you have - something you know - somewhere you are - something you do |
| TACACS+ | Terminal Access Controller Access-Control System :49 - probably CISCO |
| LDAP | Lightweight Directory Access Protocol - protocol for reading and writing dirs. over an IP network |
| Kerberos | :88 Authenticate one time - lots of backend ticketing - cryptographic tickets - no constant username and password input - probably Microsoft |
| IEEE 802.1X | Port based NAC - EAP integration - used in conjunction with an access db --RADIUS, LDAP, TACACS+ |
| SIEM | Security Info and Event Mgt -- logging of security events and info - Security alerts -- real-time info - Log aggregation and long-term storage - Data correlation -- link diverse data types - Forensic Analysis |
| On-path Network Attack | - formerly known as MITM - redirects your traffic and passes it on to the destination |
| ARP Poisoning (spoofing) | On-path attack on the local IP subnet - ARP has no security |
| DNS Poisoning | - Modify the DNS server - Modify the client host file -- host file takes precedent over DNS queries - Send a fake response to a valid DNS request -- real-time redirection -- on-path attack |
| Other On-Path Attacks | - session hijacking - HTTPS spoofing - WIFI eavesdropping |
| VLAN Hopping | - you only have access to your VLAN -- best practice - shouldn't be able to "Hop" to another VLAN |
| Switch Spoofing | - some switches support auto configuration -- is the switch port for a device or is it a trunk? - there's no authentication required -- pretend to be a switch -- send trunk negotiation - now you've got a trunk link to a switch |
| Double Tagging | - craft a packet that includes two VLAN tags - first native VLAN tag is removed by first switch - second fake tag is now visible to second switch - packet is forwarded to the target |
| Secure SNMP | - monitor and control servers, switches, routers, firewalls, and other services - V3 latest -- not all devices support -- added encrypted comms -V1/V2 no encrypt |
| RA (Router Advertisement) Guard | - IPv6 included periodic router announcements - switches can validate the RA messages |
| Port Security | - prevent unauthorized users from connecting to a switch interface - based on the source MAC address -- even if forwarded from elsewhere |
| Port Security Operation | - configure a max number of source MAC addresses on an interface - once you exceed the max, port sec activates |
| DAI | Dynamic ARP Inspection - ARP powerful but no built-in security - stops ARP poisioning at the switch level - relies on DHCP snooping for intel - intercept all ARP requests and responses |
| Control Plane Policing | - control plane manages the devices - protect against DoS or reconnaissance -- defines a QoS filter to protect the control plane - manage traffic |
| DHCP Snooping | - IP tracking on a layer 2 device (switch) - switch watches for DHCP conversations - filters invalid IP and DCHP info |
| Change Default VLAN | - all access ports (non trunk ports) are assigned to a VLAN - without additional security (802.1X), anyone connecting will be part of the default VLAN - assign unused interfaces to a specific non-routable, non-forwarding VLAN |
| ACLs | Access Control Lists - allow or disallow traffic based on tuples |
| MAC Filtering | - limit access through the physical hardware address |
| Wireless Isolation | - devices on an access point can't communicate with each other |
| WPA/2/3-Personal / WPA/2/3-PSK | - 2/3 with a pre-shared key - everyone uses the same 256-bit key |
| WPA/2/3-Enterprise / WPA/2/3-802.1X | - authenticates users individually with an authentication server (RADIUS) |
| EAP | Extensible Authentication Protocol - common to integrate on wireless networks using 802.1X |
| Geofencing | - restrict or allow features when the device is in a particular area |
| Captive Portal | - authentication to a network - access table recognizes a lack of auth -- redirects your web access to a captive portal |
| VPNs | - encrypted (private) data traversing a public network - Concentrator -- encryption/decryption access device often integrated in firewall |
| Client-to-site VPN | - on demand access from a remote device -- software connects to a VPN concentrator |
| Site-to-site VPN | - always on - firewalls often act as VPN concentrators |
| Clientless VPNs | - https v5 - includes API support - create a VPN tunnel without a separate VPN application |
| Full Tunnel | - all of the traffic b/n remote user and rest of world is all going through the existing VPNB concentrator |
| Split Tunnel | - VPN admin determines what traffic is sent of VPN and what traffic could be sent outside of the scope of the VPN tunnel |
| RDP | Remote Desktop Protocol - 3389 |
| VNC | Virtual Network Computing - 5900 |
| Remote Desktop Gateway | - combine a VPN with RDP - client connects to the RDG - RDG connects internally to RDP over tcp/3389 -- gateway is the proxy between the SSL tunnel and the RDP |
| SSH | Secure Shell - 22 - encrypted console communication |
| VDI | Virtual Desktop Infrastructure |
| vNIC | Virtual NIC - all communication in the desktop are local to the virtual desktop - no sensitive info sent from the local device |
Created by:
jwjwj
Popular Computers sets