SECFND 11: Network Security Technologies Flashcards

1
Q

3 Phases of Attack Continuum

A

Before, During, After

2
Q

3 attributes of “Before” attack continuum

A

Control, Enforce, Harden

3
Q

3 attributes of “During” attack continuum

A

Detect, Block, Defend

4
Q

3 attributes of “After” attack continuum

A

Scope, Contain, Remediate

5
Q

“Before” characteristics

A

Identify what’s on the extended network to implement policies and controls to defend it

6
Q

“During” characteristics

A

Detect and block malware continuously

7
Q

“After” characteristics

A

Reduce the impact of an attack by identifying point of entry, determining the scope, containing the threat, eliminating the risk of reinfection, and remediating

8
Q

AAA protocols

A

RADIUS & TACACS+

9
Q

RADIUS port

A

UDP 1812 for authentication, 1813 for accounting (or 1645 & 1646)

10
Q

RADIUS encrypts…

A

Only the password in an access request packet

11
Q

TACACS+ port

A

TCP 49

12
Q

TACACS encrypts…

A

body of the packet (not the header)

13
Q

IAM

A

Control users and devices connecting to the network (NAC-like).

Contextual network attributes

14
Q

NAD

A

network access device

15
Q

IAM benefit

A

Different levels of access and service based on the device.

16
Q

Firewall “routed mode”

A

Interfaces on multiple networks. Makes routing decisions.

17
Q

Firewall “transparent mode”

A

L2 “bump in the wire”. All interfaces on the same network.

18
Q

Network taps monitor which pins

A

Tx. Requires two NICs: one for inbound, one for outbound.

19
Q

Other span port names

A

Port mirroring, port monitoring

20
Q

Steps to define SPAN port

A

1. Define source port or VLAN.
2. Define destination.

21
Q

RSPAN

A

Remote span

22
Q

RSPAN traffic

A

Flooded to dedicated VLAN

23
Q

IPS Anomaly detection

A

IPS learns and alerts on deviations from baseline

24
Q

Rule-based Detection

A

aka Signatures

25
Q

IPS Reputation-based detection

A

Informed decisions based on the reputation of sources. Drops traffic before more significant inspection.

26
Q

IPS installation methods

A

Appliance. Module installed in another device.

27
Q

IPS evasion techniques

A

Traffic Fragmentation, traffic substitution and insertion, Encryption and tunneling

28
Q

Traffic fragmentation techniques

A

Attacker fragments all IP traffic if the IPS doesn’t perform reassembly. If it does, the attacker fragments oddly to trick the IPS.

Modify how the TCP stream is segmented so the IPS ignores it. Can cause an overwrite of a segment.

29
Q

Traffic substitution

A

Substitute payload data with other data in a different format: Unicode for letters, tabs for spaces, case variations.

30
Q

Traffic insertion

A

Adding extra bytes to data

31
Q

Parts of:

alert tcp $EXTERNAL_NET ANY -> $HTTP_SERVERS $HTTP_PORTS

A

Action (alert, drop, pass, etc.)
Protocol (TCP, UDP, ICMP, IP)
Source IP, Port
Direction (<> or -> only)
Destination IP, Port

32
Q

What does IPS rule body do?

A

Keyword, colon, argument. Can have multiple options.

33
Q

Snort rule “Content” option

A

Set rules for specific content (sequence of characters or hex values).

34
Q

Snort rule “msg” and “sid”

A

Message to print and Snort ID

35
Q

WCCP

A

Web Cache Communication Protocol. WCCP is a protocol for communication between routers and Web caches.

36
Q

transparent proxy vs. explicit proxy

A

Transparent proxy doesn’t require client settings. Explicit proxy requires client config.

37
Q

Next Gen Firewall features

A

Application visibility and control, malware protection, URL filtering, SSL decryption, and next-generation IPS

38
Q

Threat Intelligence

A

Evidence-based knowledge about an existing or emerging threat to assets that informs the response to the threat

39
Q

bogon

A

Bogus IP addresses

40
Q

Bro

A

Network analysis framework like IDS

41
Q

ELSA

A

Syslog framework

42
Q

OSSEC

A

Open Source IDS/HIDS

43
Q

Sguil

A

Network security monitoring. Event analysis

44
Q

Squert

A

Web app for Sguil

45
Q

Snort

A

IPS