N+ 4. Security - Network Security
Question | Answer |
---|---|
CIA Triad | Confidentiality Availability Integrity |
Confidentiality | - certain info should only be known to certain people - encryption - access controls |
Integrity | - data is stored and transferred as intended - hashing - digital signatures - certificates - non-repudiation -- provides proof of integrity; the data can be asserted to be genuine |
Availability | - info is accessible to authorized users - redundancy - fault tolerance - patching |
Vulnerability | A weakness in a system |
Threat | A vulnerability can be exploited by a threat |
Zero-day | - vuln hasn't been detected or published |
CVE | Common Vulnerabilities and Exposures |
Exploits | Take advantage of a vuln |
Least Privilege | Rights and permissions should be set to the bare minimum |
RBAC | Role-Based Access Control |
Zero Trust | Holistic approach - covers every device, every process, every person Everything must be verified...NOTHING IS TRUSTED!!! ;) |
NVD | National Vuln DB |
Defense in Depth | - firewall - screened subnet - hashing and salting pw's - authentication - IPS - VPN access - card/badge access - anti-virus / malware - security guard |
Physical Segmentation | multiple units, separate infrastructure |
Logical Separation | VLANs - cannot communicate between VLANs without a L3 device / router |
Screened Subnet (DMZ) | - additional layer of security b/n the Internet and you - public access to public resources |
Separation of Duties | - split knowledge -- no one person has all of the details - dual control -- two people must be present to perform the business function |
NAC | Network Access Control - 802.1X - port-based NAC -- you don't get access until you authenticate - we're talking about physical interfaces - extensive use of EAP and RADIUS - admin enable/disable -- disable unused ports - duplicate MAC address check |
EAP | Extensible Authentication Protocol |
RADIUS | Remote Authentication Dial In User Service - centralize authentication of users NOTE: instead we might use LDAP or Active Directory |
Local Authentication | - creds are stored on the local device -- each device must be individually administered |
MFA | Multi-factor Authentication - something you are - something you have - something you know - somewhere you are - something you do |
TACACS+ | Terminal Access Controller Access-Control System Plus - tcp/49 - associated with Cisco |
LDAP | Lightweight Directory Access Protocol - protocol for reading and writing directories over an IP network |
Kerberos | tcp/88 - authenticate one time - lots of backend ticketing - cryptographic tickets - no constant username and password input - associated with Microsoft (Active Directory) |
IEEE 802.1X | Port-based NAC - EAP integration - used in conjunction with an access database -- RADIUS, LDAP, TACACS+ |
SIEM | Security Information and Event Management -- logging of security events and info - security alerts -- real-time info - log aggregation and long-term storage - data correlation -- link diverse data types - forensic analysis |
On-path Network Attack | - formerly known as MITM - redirects your traffic and passes it on to the destination |
ARP Poisoning (spoofing) | On-path attack on the local IP subnet - ARP has no security |
DNS Poisoning | - modify the DNS server - modify the client hosts file -- the hosts file takes precedence over DNS queries - send a fake response to a valid DNS request -- real-time redirection -- on-path attack |
Other On-Path Attacks | - session hijacking - HTTPS spoofing - Wi-Fi eavesdropping |
VLAN Hopping | - you only have access to your VLAN -- best practice - shouldn't be able to "Hop" to another VLAN |
Switch Spoofing | - some switches support auto configuration -- is the switch port for a device or is it a trunk? - there's no authentication required -- pretend to be a switch -- send trunk negotiation - now you've got a trunk link to a switch |
Double Tagging | - craft a packet that includes two VLAN tags - first native VLAN tag is removed by first switch - second fake tag is now visible to second switch - packet is forwarded to the target |
Secure SNMP | - monitor and control servers, switches, routers, firewalls, and other services - v3 is the latest -- adds encrypted comms -- not all devices support it - v1/v2 have no encryption |
RA (Router Advertisement) Guard | - IPv6 includes periodic router announcements - switches can validate the RA messages |
Port Security | - prevent unauthorized users from connecting to a switch interface - based on the source MAC address -- even if forwarded from elsewhere |
Port Security Operation | - configure a max number of source MAC addresses on an interface - once you exceed the max, port sec activates |
DAI | Dynamic ARP Inspection - ARP is powerful but has no built-in security - stops ARP poisoning at the switch level - relies on DHCP snooping for intel - intercepts all ARP requests and responses |
Control Plane Policing | - control plane manages the devices - protect against DoS or reconnaissance -- defines a QoS filter to protect the control plane - manage traffic |
DHCP Snooping | - IP tracking on a layer 2 device (switch) - switch watches for DHCP conversations - filters invalid IP and DHCP info |
Change Default VLAN | - all access ports (non trunk ports) are assigned to a VLAN - without additional security (802.1X), anyone connecting will be part of the default VLAN - assign unused interfaces to a specific non-routable, non-forwarding VLAN |
ACLs | Access Control Lists - allow or disallow traffic based on tuples |
MAC Filtering | - limit access through the physical hardware address |
Wireless Isolation | - devices on an access point can't communicate with each other |
WPA/2/3-Personal / WPA/2/3-PSK | - WPA2/3 with a pre-shared key - everyone uses the same 256-bit key |
WPA/2/3-Enterprise / WPA/2/3-802.1X | - authenticates users individually with an authentication server (RADIUS) |
EAP | Extensible Authentication Protocol - common to integrate on wireless networks using 802.1X |
Geofencing | - restrict or allow features when the device is in a particular area |
Captive Portal | - authentication to a network - access table recognizes a lack of auth -- redirects your web access to a captive portal |
VPNs | - encrypted (private) data traversing a public network - Concentrator -- encryption/decryption access device often integrated in firewall |
Client-to-site VPN | - on demand access from a remote device -- software connects to a VPN concentrator |
Site-to-site VPN | - always on - firewalls often act as VPN concentrators |
Clientless VPNs | - HTML5 - includes API support - create a VPN tunnel without a separate VPN application |
Full Tunnel | - all of the traffic b/n the remote user and the rest of the world goes through the VPN concentrator |
Split Tunnel | - VPN admin determines what traffic is sent over the VPN and what traffic can be sent outside the scope of the VPN tunnel |
RDP | Remote Desktop Protocol - 3389 |
VNC | Virtual Network Computing - 5900 |
Remote Desktop Gateway | - combine a VPN with RDP - client connects to the RDG - RDG connects internally to RDP over tcp/3389 -- gateway is the proxy between the SSL tunnel and the RDP |
SSH | Secure Shell - 22 - encrypted console communication |
VDI | Virtual Desktop Infrastructure |
vNIC | Virtual NIC - all communication in the desktop is local to the virtual desktop - no sensitive info is sent from the local device |