The flashcards below were created by user
on FreezingBlue Flashcards.
What are some of the tools available that not only detect network threats but also take proactive steps to stop them from entering or leaving your network?
Firewalls, routers, switches, proxy servers, antispam filters, intrusion detection systems, web security gateways, and content filters.
Are like physical security walls that are situated between an organization's internal network and any external public networks such as the Internet. It protects an internal network from access by unauthorized users on an external network.
it controls and monitors access between different networks by filtering inbound and outbound traffic, manages access controls to requested locations, and typically blocks all services except those explicitly permitted by the administrator.
What are the 5 services and security features offered by firewalls?
- 1. Packet Filtering
- 2. Stateful inspection
- 3. Access and authentication control
- 4. Application layer filtering
- 5. Network address translation (NAT)
NOTE: The firewall implements security, authentication, and access controls at multiple levels while remaining completely transparent to internal users.
The firewall server analyzes each network packet destined for inside or outside the network; it can filter out dangerous malformed packets, attacks, and spoofed IP addresses to prevent unauthorized access. Packets are also analyzed and acted upon depending on the rules enabled by the administrator.
Ensures that the firewall maintains a record of the connections that pass through an monitors their state from when they are connected to when they close. This ensures the firewall is not only tracing packets but also analyzing the state of the entire connection. Depending on the access rules configuration, certain actions can be taken when an anomalous change of state occurs.
Stateful inspection of packets
The firewall can restrict access to networking services by source and destination IP address, type of service, time/day of the week, and also through authenticated access. Most firewalls have very flexible access control policies that can be fine-tuned by the administrator to secure access for specific users and networks.
Access and Authentication control
Firewalls can be aware of specific applications and services such as Domain Name Service (DNS) and SMTP e-mail. This allows a firewall to analyze network traffic and apply access rules that are specific to that application.
Application layer filtering
Most firewalls utilize NAT to map source IP addresses of outbound connections so that the connection appears to have originated from the firewall's address. This allows internal networks to be hidden behind a single Internet IP address with no additional registered address required.
Network address translation (NAT)
Is a network device that connects several networks together and relays data between them. It usually contains a number of network interfaces, where each represents a different network.
Router software contains a lot of the same protection found in firewalls, including packet filtering and access control lists. These enable you to control more carefully the protocols, services, ports, and source and destination of the information that flows through the router.
Is a network device used to segment networks into smaller, more manageable sections and relay packets between the segments. Can be used for security, load balancing, and performance improvements in a network.
A switch is able to inspect network packets and determine the source and destination to provide more efficient network flow and prevent network packets from one segment, including broadcasts, from passing on to other network segments and causing network collisions.
Is a network device that helps evenly distribute the flow of network traffic to other network devices. In larger networks that process thousands of network transactions per minute, this spreads the network load between each network device to ensure that network congestion and bottlenecks do not occur.
A Load Balancer
If a router receives too many network requests at one time, it can cause a bottleneck in processing requests and cause network delays. Other routers may not be receiving enough network traffic and are running at only partial capacity compared with what their resources are capable of. The load balancer is required to analyze the incoming requests and route the requests evenly between these servers.
Is a network server or device that accepts and forwards requests from clients to other servers. It preforms this function on behalf of the client. It is typically situated between the clients and the internet and it can be used to forward request for many types of traffic and data transfers such as web and FTP.
A Proxy Server
This protects the specific addresses of internal clients from being revealed to external servers and allows the proxy server to filter incoming and outgoing requests to prevent attacks and malware from reaching the client systems. The most commonly used type of proxy server is for web browsing.
How does a proxy server work?
A web client requests a specific uniform resource locator (URL) in their web browser that is sent to the proxy server. The web proxy server forwards the request to the destination website using its own IP address as the source of the request. When the date is retrieved, the proxy server may cache or content-filter the data and then return it to the requesting client. Web proxy servers are used primarily for the caching capability because it boost web performance. It allows the computer to remember the website for the next time the client requests it.
Can offer several layers of security protection against incoming messages from a wide scope of communications mediums.
All-in-one security appliances
scan data and/or header of a packet traversing the network, searching for signatures indicating the existence of viruses, worms, or spyware.
Is a type of network security service primarily targeted for email communications. It resides between your internal mail server and your firewall; they process any incoming and outgoing mail messages before they deliver the messages to their destination.
What are the 4 techniques used by anitspam filters?
- 1. Databases of known spam
- 2. Blacklists
- 3. URL block lists
- 4. Bayesian filtering
- 5. Reputation services
The antispam filter usually comes with a default version of this. This is useful for catching the most obvious forms of historical spam, but it cannot identify new types of spam. The default database provides a good base configuration but requires additional antispam techniques and training to detect new spam.
Database of known spam
Contain a list of mail server IP addresses that are known to send spam messages.
Blacklists (or Block lists) by comparing a connecting mail server to the backlist, the antispam filter can determine whether to block or allow the connection from the mail server if it appears on the list. The list is checked as the mail connection begins, typically using a DNS-based lookup to a blacklist server.
Spam messages often contain URLs that, when clicked, take you to a webpage that could be malicious in behavior and may contain spyware or malware, or else try to trick you into using your login credentials or credit card information for a phishing scam. The antispam filter compares the URLs extracted from a message with a list of known spam URLs.
URL block lists
This is an antispam technique that extracts tokens from spam messages and legitmate mail. These tokens are keywords and phrases that are statistically evaluated to determine the likelihood that a message is spam or legitimate mail. Is a techniques require scanning of inbound and outbound mail over a period of time to create a valid number of tokens that properly train the antispam filter to distinguish spam and legitimate messages.
The next generation of third-party block lists, this track mail servers and score them with a good or bad reputation, depending on the amount of spam and viruses sent from those mail server addresses.
An antispam filter queries the reputation service when it receives a mail connection, and if the sending mail server has a bad reputation, the filter can drop the connection before any transfer of mail occurs. This improves performance for the antispam filter, as it does not have to process any mail because the connection is rejected before any transfer of messages takes place.
Is a more complex device than a simple web proxy caching server. Beyond performing the basic tasks of a web proxy, it provides content filtering and application-level security to protect end users from accessing dangerous websites and downloading files that are infected with worms, spyware, or malware, or else from connecting to servers that host phishing and fraud sites.
Web security gateway
Greatly enhances the security of your network. It can monitor your network activity for suspicious behavior that can indicate if someone is trying to break in or damage your network. By proactively monitoring the network border, the detection system can immediately notify an administrator of the intrusion.
Intrusion Detection System
Can attempt to deal with the problem autonomously and either disconnect suspicious network connections or turn off network services that are being attacked.
Intrusion Prevention Systems (IPSs)
Intrusion attempts are dealt with immediately by shutting down network connections or services that are being attacked, within an IDS.
Active detection system
Where a IDS relies on notification to alert administrators of an intrusion?
Passive Detection System
examines network patterns, such as an unusual number of requests destined for a particular server or service, such as an FTP server. The headers of network packets can be analyzed for possible spoofing attempts or suspicious code that indicates a malformed packet. Corrupted packets and malformed data can bring down a web server that's vulnerable to such attacks.
Network IDS (NIDS)
NIDS generally consists of what three components?
- 1. Detection agent
- 2. Monitor
- 3. Notification system
Usually are physically installed in a network and are attached to core network devices, such as routers, firewalls, and switches. It can also be software agents that use network management protocols, such as the Simple Network Management Protocol (SNMP). They simply collect the data passing through the network and send it on to the network monitor for analysis.
Is fed information from the detection units and analyzes the network activity for suspicious behavior. This is the heart of the IDS, which collects information from the network, analyzes it, and then uses the notification system to warn of any problems. The monitor can utilize several methods, including heuristic-, behavior/anomaly-, rule-, and signature-based scanning, to detect network threats.
Is used for notification and alarms, which are sent to the administrator. Once the network monitor recognizes a threat, it writes to a log file and uses the notification system to send an alert, such as an e-mail or a Short Message Service (SMS) message, to an administrator. The notification system can usually be configured to allow for a variety of methods of communication.
An NIDS that actively attempts to prevent intrusions rather than just detect them.
Network intrusion prevention systems (NIPS)
The advantage of this method is that it can attempt to prevent the intrusion from continuing. Active detection prevents the suspicious activity from expanding into actual damage or data loss. This is a great advantage over passive detection systems, which merely log the incident or send an email to the administrator, who might not see the message for many hours before she can perform an preventive actions. By then, it could be too late.