
Terms in this set (81)

proxy server

A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network. Hosts on the private network contact the proxy server with an Internet Web site request. The proxy server checks its cache to see if a locally stored copy of the site is available. If not, the proxy server communicates with its Internet connection to retrieve the Web site. The proxy server is virtually invisible to the client and the Internet connection. A proxy server can be configured to allow only outgoing Hypertext Transfer Protocol (HTTP) traffic by configuring which users have permissions to access the Internet via the proxy server.

A virtual private network (VPN) is a private network that users can connect to over a public network. Often a VPN is implemented with a firewall to allow remote employees to connect to local resources. A VPN concentrator is the device that creates the VPN.

An intrusion detection system (IDS) is a network device that detects network intrusion and either logs the intrusion or contacts the appropriate personnel.

An intrusion prevention system (IPS) is a network device that detects network intrusion attempts and prevents the network intrusion. An IPS provides more security than an IDS because it actually provides prevention, not just detection.

An Internet gateway can also be referred to as a Web security gateway. Its purpose is to defend against advanced Web attacks at the gateway.

Firewalls, IDSs, IPSs, and proxies are often classified as application-aware devices because many of them can be configured to allow or deny traffic based on the application requesting access.
Web application firewall

The BEST solution to protect all traffic on an HTTP/HTTPS server is a Web application firewall. A Web application firewall can be implemented in hardware or software to protect a Web server from a cross-site scripting attack. A Web application firewall (WAF) provides security at the Application layer (Layer 7) of the OSI model.

None of the other solutions provides the same level of security as the Web application firewall.

The network firewall would be able to provide some protection, but it provides more services than you really need. In addition, because the network firewall protects the entire network, its performance could be degraded.

An intrusion detection system (IDS) does not really secure any devices. By definition, an IDS detects intrusions and sends out alerts when the intrusions occur.

Remember that security professionals should always keep a defense-in-depth or layered security approach in mind. Physical security is often considered the first layer of security and includes any mechanisms that protect the physical security of your facility. However, physical security is not enough to completely protect your assets. Once physical security is covered, then perimeter security and internal network security should be assessed. The last three aspects are host security, application security, and data security. Encompassing all of these layers is the personnel you use. Personnel can affect any layer of defense. Training personnel is key to ensuring that security is not compromised.
low maintenance

The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems.

By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent should be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets.

Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed, and not on individual workstations.

An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a virtual private network (VPN) tunnel cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS.

The high throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as the processor speed, memory, and bandwidth allocated affect the throughput of workstations.

The performance of an NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze all the traffic that occurs on the network on which it does not reside. An HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers.

For this scenario, you should configure the wireless router as follows:
Change the Wireless Network Mode setting to G-Only.
Change the Wireless Network Name (SSID) setting to Research.
Change the Wireless Channel setting to 5.
Change the Wireless SSID Broadcast setting to Disable.
For the Wireless Network Mode, the scenario specifically stated that you ONLY want to support 802.11g wireless devices on the network. Because the scenario also stated that you must use a non-overlapping channel, you must choose from channels 1, 5, 9, or 13 for an 802.11g network. Because channels 1 and 9 are already in use and channel 13 is not an option on the router, you must use channel 5. Note that 802.11b wireless networks have four non-overlapping channels: 1, 6, 11, and 14.

Finally, the scenario stated that the network name should not be advertised, which means that the Wireless SSID Broadcast option should be set to Disable.

For testing purposes, you should understand how to configure a wireless router. This includes setting the network mode, the SSID name, and the channel used. You should also understand how to enable/disable SSID broadcast and how to configure MAC filtering.

Linksys has an online emulator that will allow you to view the different configurable screens for the various models. The link to the online emulator is given in the References section. When you access this site, you first select the model number you want to emulate. Then you will need to select the firmware version. The emulator will allow you to view all of the configurable screens for a Linksys wireless router. We suggest that you spend time familiarizing yourself with wireless configuration settings using this free tool.
IPSec can work in either tunnel mode or transport mode.
IPSec uses Encapsulation Security Payload (ESP) and Authentication Header (AH) as security protocols for encapsulation.
The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions.

Internet Protocol Security (IPSec) can operate in either tunnel mode or transport mode. In transport mode, only the message part of a packet (the payload) is encrypted by Encapsulating Security Payload (ESP). In IPSec tunnel mode, the entire packet including the packet header and the routing information is encrypted. IPSec tunnel mode provides a higher level of security than transport mode. Either of the two modes can be used to secure either gateway-to-gateway or host-to-gateway communication. If used in gateway-to-host communication, the gateway must act as the host.

IPSec uses ESP and Authentication Header (AH) as security protocols. AH provides the authentication mechanism, and ESP provides encryption, confidentiality, and message integrity.
IPSec sets up a secure channel that uses a strong encryption and authentication method between two network devices, such as routers, VPN concentrators, and firewalls.

IPSec can provide security between any two network devices running IPSec, but its chief implementation is in securing virtual private network (VPN) communications. IPSec provides security by protecting against traffic analysis and replay attacks. IPSec is primarily implemented for data communication between applications that transfer data in plain text. IPSec secures the network device against attacks through encryption and encapsulation.

IPSec does not use the L2TP protocol to encrypt messages. L2TP is used for secure communication in VPN networks and is a hybrid of L2F and PPTP.

IPSec ensures integrity and confidentiality of IP transmissions, but cannot ensure availability of the information.
Antenna selection
Antenna placement
Access point power

Antenna selection (such as the use of directional versus omnidirectional antennas) plays an important role in protecting a wireless network. Using a directional antenna can limit the area that is covered by the antenna.

Antenna placement will also have an effect on the vulnerabilities of a wireless system. Antennas should be placed as far away from exterior walls as possible. Otherwise, the signal will go outside the building. This allows anyone outside the building to attach to your network. That is why RADIUS and other technologies are required for wireless networks.

The power of the access points should be adjusted to a level that is just strong enough for the operation of the network, but not so strong that signals escape to the outside of the building. You should reduce power levels for better security to ensure that the signal does not extend beyond its needed range.

The number of users and the speed of the connection will not cause external vulnerabilities to a wireless system. The number of user addresses is, however, a cause of external vulnerabilities.

Captive portals are a type of wireless access point that only permits Internet access to authenticated users. While an organization may want to deploy this solution, it is not necessary to assess this as an external vulnerability.

You should ensure that any wireless network that you deploy is properly protected from unauthorized users. Usually this just involves deploying the network using the WPA or WPA2 protocol. If you use WEP, unauthorized users can easily gain access to your network.

You should also be careful as to which internal resources are connected to the wireless network without deploying the appropriate security hardware, such as a firewall.

You should deploy 802.1x to allow remote employees to connect to internal resources via a RADIUS server. Implementing 802.1x would allow a company to reduce the exposure of sensitive systems to unmanaged devices on internal networks. 802.1x can also be used on wired networks to segment traffic intended for the wireless access point. For example, if a company has several conference rooms with wired network jacks that are used by both employees needing access to internal resources and guests needing access to the Internet only, you should implement 802.1x and VLANs. 802.1x is a good solution if you need to make sure that only devices authorized to access the network are permitted to log in and utilize resources.

Flood guards are devices that protect against Denial of Service (DoS) attacks.

Unified threat management devices are devices that integrate a traditional firewall with network firewalling, intrusion prevention, antivirus (AV), anti-spam, VPN, content filtering, load balancing, data leak prevention and on-appliance reporting.

A virtual LAN (VLAN) is a virtual subnetwork that is configured using a switch. This allows administrators to isolate network clients on their own subnetwork.

Any remote employees that are allowed to access local resources should be given specialized security training. This training should include guidelines on the types of network that they can use. For example, remote users should NEVER access a corporate VPN or other resources over an unsecure wireless network. Accessing a VPN over open wireless can result in major security issues.

Internet Protocol Security (IPSec) is a security standard commonly implemented to create virtual private networks (VPNs). IPSec allows packets to be securely exchanged over the Internet Protocol (IP) at the Network layer (Layer 3) rather than at the Application layer (Layer 7) of the Open Systems Interconnection (OSI) model. The Internet Engineering Task Force (IETF) developed the standard, but Cisco has contributed to its emergence. Cisco routers have support for IPSec built into the product.

IPSec supports two encryption modes: transport and tunnel. Transport mode encrypts only the data portion of each packet, but not the header information. Tunnel mode encrypts both the header and the data. For IPSec to work, the sending and receiving devices must share a public key.

Exchange Data Interchange (EDI) is a protocol used to exchange business data in a standard format.

Secure Electronic Transfer (SET) is used to provide security for credit card transactions.

Secure Sockets Layer (SSL) is a security protocol that uses both encryption and authentication to protect data sent in network communications.

VPNs are commonly referred to as tunnels. A VPN essentially consists of a VPN server, authentication, and encryption. The VPN software encrypts the session information, as well as most message information, including File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) messages. The Data Link layer (Layer 2) information remains unaltered.

The most effective attack against an IPSec-based VPN is a man-in-the-middle attack.
MAC filtering

To increase the security of this wireless network, you should configure Media Access Control (MAC) filtering. With this filtering, the MAC address of each network interface card (NIC) that attempts to connect to the network is checked. Only MAC addresses that are specifically allowed connection are granted connection.

When configuring MAC filtering, you should set up an access control list (ACL). Some access points also allow you to configure MAC filtering for those addresses that should be denied access. But always keep in mind that the MAC addresses will need to be entered manually. MAC filtering is easily vulnerable to spoofing because MAC address information is sent unencrypted. An attacker then discovers the address and impersonates an approved device. If a user is able to connect to a wireless network using one mobile device but not another, the most likely cause is that MAC filtering is enabled. MAC filtering can be used to both allow access and deny access. The following examples are both types of entries on a router: PERMIT 0A:1:FA:B1:03:37 and DENY 01:33:7F:AB:10:AB.

A service-set identifier (SSID) broadcast actually decreases security in a wireless network. If the SSID is broadcast, any wireless NICs in the proximity can locate the network. If you disable SSID broadcast, you increase the security of your network, and users will have to type the SSID to connect. However, it does not prevent invalid devices from connecting to the network.

War driving is a technique used to discover wireless networks. Once intruders locate your wireless network, they attempt to hack into your system.

Rogue access points are wireless access points that have been connected to your network without authorization. This decreases the security of your network. A site scan can be used to determine if you have rogue access points. For example, if your company is located in a building with three wireless networks, you have a rogue access point if a quarterly scan showed the following results:
CorpPrivate - Connected Channel 1 - 70 dBm
CorpPublic - Connected Channel 5 - 80 dBm
CorpResearch - Connected Channel 3 - 75 dBm
CorpDev - Connected Channel 6 - 95 dBm

Radio frequency interference (RFI) can cause wireless network problems. It can come from cordless phones, microwaves, and other equipment. For example, if your wireless network is frequently dropping connections, you could have a cordless phone interfering with the wireless access point.
Periodically complete a site survey.

You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information. You need to ensure that hackers cannot use site surveys to obtain this information. To protect against unauthorized site surveys, you should change the default Service Set Identifier (SSID) and disable SSID broadcasts. Immediately upon discovering a wireless access point using a site survey, you should physically locate the device and disconnect it. Site surveys are also used to analyze antenna placement.

To ensure that no unauthorized wireless access points are established, you should not change the two wireless networks to WPA2. This would increase the security for the two networks and prevent hackers from accessing the networks. However, it would not prevent an attacker from setting up a new wireless access point.

You should not disable SSID broadcasts for the two wireless networks to ensure that no unauthorized wireless access points are established. The reason you would disable SSID broadcasts is to protect a wireless network from hackers and to prevent unauthorized site surveys. Disabling the SSID broadcast on an existing network CANNOT prevent the establishment of new wireless access points.

When adding a new access point, you should ensure that you correctly configure the new access point, especially if other wireless access points are already in use in the area. If a new access point has intermittent problems with users connecting successfully and then being disconnected, the new access point could be interfering with an old access point. You would need to reconfigure the new access point.

There are three main types of site surveys:
Passive - a site survey application passively listens to wireless traffic to detect access points and measure signal strength and noise level. However, the wireless adapter being used for a survey is not associated with any WLANs. For system design purposes, one or more temporary access points are deployed to identify and quantify access point locations.
Active - the wireless adapter is associated with one or several access points to measure round-trip time, throughput rates, packet loss, and retransmissions. Active surveys are used to troubleshoot wireless networks or to verify performance post-deployment.
Predictive - a model of the RF environment, including the location and RF characteristics of barriers like walls or large objects, is created using simulation tools. Therefore, temporary access points or signal sources can be used to gather information on propagation in the environment. The value of a predictive survey as a design tool versus a passive survey done with only a few access points is that modeled interference can be taken into account in the design.
SSL operates at the Network layer of the OSI model.

The secure sockets layer (SSL) protocol does not operate at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model. It operates at the Transport layer (Layer 4). It works in conjunction with the Hypertext Transfer Protocol (HTTP) that operates at the Session layer to provide secure HTTP connections.

SSL is used to protect Internet transactions. It was developed by Netscape. When SSL is used, the browser address will have the https:// prefix, instead of the http:// prefix.

SSL version 2 provides client-side authentication.

SSL with TLS supports both server and client authentication. SSL uses public key or symmetric encryption, and provides data encryption and server authentication. To enable SSL to operate, the server and the client browser must have SSL enabled.

SSL has two possible session key lengths: 40 bit and 128 bit.

The main advantage of SSL is that SSL supports additional application layer protocols, such as FTP and NNTP. HTTP does not.

SSL establishes a secure communication connection between two TCP-based computers. Transport layer security (TLS) is a security protocol that combines SSL and other security protocols.

A common implementation of SSL is wireless transport layer security (WTLS) for wireless networks. WTLS transmission is required to traverse both wired and wireless networks. Therefore, the packets that are decrypted at the gateway are required to be re-encrypted with SSL for use over wired networks. This is a security loophole referred to as the WAP gap security issue.

If SSL is being used to encrypt messages that are transmitted over the network, a major concern of the security professional is the networks the message will traverse that the company does not control.

Worldwide Internet security achieved a milestone with the signing of certificates associated with SSL.
You should implement the following firewall rules:
Source: - Destination: - Port: 22 - TCP - Allow
Source: - Destination: - Port: 443 - TCP - Allow
Source: - Destination: - Port: Any - TCP/UDP - Deny
The Research computer at can only connect to the file server if they are using the secure copy protocol (SCP). Because SCP operates over a secure shell (SSH) connection, it utilizes the same port as SSH, which is TCP port 22. Therefore, you should configure an Allow rule for the Research source with a destination of over TCP port 22.

TCP port 22 also handles secure file transfer protocol (SFTP) traffic and secure logins. UDP port 69 handles trivial file transfer protocol (TFTP).

The Sales computer at should only be allowed to connect to the Web server using HTTPS, which operates over TCP port 443. Therefore, you should configure an Allow rule for the source and destination on TCP port 443.

No other connections from the server network to the DMZ should be allowed. Therefore, you should configure a Deny rule from the server network, which is, to the DMZ network at TCP and UDP traffic should be denied on all ("any") ports.

TCP port 21 handles file transfer protocol (FTP) traffic. TCP port 80 handles hypertext transfer protocol (HTTP) traffic. Allowing traffic on these ports will not meet the scenario requirements.

The first two rules can be configured in any order as long as both of them appear before the third rule. The Deny rule should be configured last to ensure that any of the allowed connections are not denied by the Deny rule.


Anomaly-based monitoring is most likely to produce a false alert. With anomaly-based monitoring, alerts occur where there are any deviations from normal behavior. Deviations from normal behavior will normally occur but are not always indications of a possible attack. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process.

Misuse-detection-based monitoring is the same as signature-based monitoring. Signature-based monitoring is more likely to give you a false sense of security rather than a false alert. Signature-based monitoring relies upon a database that contains the identities of possible attacks. This database is known as the signature database. Signature-based monitoring watches for intrusions that match a known identity or signature. Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness.

Behavior-based monitoring is not likely to produce a false alert because you defined non-acceptable behavior. It is more susceptible to giving you a false sense of security. It is only as strong as the behaviors you have defined. If you do not properly define inappropriate behaviors, then attacks can occur. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring.
Permit all inbound TCP connections.

The Permit all inbound TCP connections filter will most likely result in a security breach. This rule is one you will not see in most firewall configurations. By simply allowing all inbound TCP connections, you are not limiting remote hosts to certain protocols. Security breaches will occur because of this misconfiguration. You should only allow those protocols that are needed by remote hosts, and drop all others.

In most cases, permitting all traffic to and from local hosts is a common firewall rule. If you configure firewall rules regarding local host traffic, you should use extreme caution. It is hard to predict the type of traffic originating with your local hosts. If you decide to drop certain types of traffic, users may complain about being unable to reach remote hosts.

Limiting certain types of traffic, such as SSH and SMTP traffic, to certain computers is a common firewall configuration. By using this type of rule, you can protect the other computers on your network from security breaches using those protocols or ports.

Other common firewall packet filters include dropping inbound packets with the Source Routing option set, dropping router information exchange protocols, and dropping inbound packets with an internal source IP address. For the most part, filters blocking outbound packets with a specific external destination IP address are not used.

Any time rules are implemented on a network, you are using rules-based management. With these rules, you specifically allow or deny traffic based on IP address, MAC address, protocol used, or some other factor.
Software as a Service

You should use Software as a Service (SaaS) to deploy the suite of applications. This will ensure on-demand, online access to the suite without the need for local installation. Another example of this type of cloud computing deployment is when a company needs to give employees access to a database but cannot invest in any more servers. WebMail is an example of this cloud computing type.

Virtualization hosts one or more operating systems (OSs) within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware and allows multiple OSs to work simultaneously on the same hardware. Virtualization would not be the best choice here because it would limit the number of users who could access the application suite. In addition, the performance of the virtual machine would decline as more users simultaneously access the application suite.

Platform as a Service (PaaS) is not the best choice here. PaaS is a platform that provides not only a deployment platform but also a value added solution stack and an application development platform. It provides customers with an operating system that is easy to configure. It is on-demand computing for customers.

Infrastructure as a Service (IaaS) is not the best choice in this situation. IaaS is a platform that provides computer and server infrastructure typically provided as a virtualization environment. The platform would provide the ability for consumers to scale their infrastructure up or down by demand and pay for the resources consumed. This cloud computing model provides the greatest flexibility but requires a greater setup and maintenance overhead than the other cloud computing models.

Cloud computing has three main models: SaaS, PaaS, and IaaS. The security control that is lost when using cloud computing is physical control of the data. The main difference between virtualization and cloud computing is location and ownership of the physical components. When virtualization is used, a company uses their own devices to set up a virtual machine. When cloud computing is used, a company pays for access to another company's devices.

Other cloud technologies that you need to be familiar with include the following:
Private cloud - a cloud infrastructure operated solely for a single organization that can be managed internally or by a third party, and hosted internally or externally
Public cloud - when the cloud is rendered over a network that is open for public use
Community cloud - shares infrastructure between several organizations from a specific community; it can be managed internally or by a third party, and hosted internally or externally
Hybrid cloud - two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models

A firewall is used to create a demilitarized zone (DMZ). A DMZ is a zone located between a company's internal network and the Internet that usually contains publicly accessible servers. The DMZ implementation provides an extra security precaution to protect the resources on the company's internal network. Usually two firewalls are used to create a DMZ; one firewall resides between the public network and the DMZ, and another firewall resides between the DMZ and the private network.

A router is used to create individual subnetworks on an Ethernet network. Routers operate at the Network layer of the OSI model (layer 3). While a firewall can also be a router, it is referred to as a firewall when it functions to create a DMZ.

An active hub is used to connect devices in a star topology. An active hub has circuitry that allows signal regeneration.

A passive hub connects devices in a star topology, but it does not provide any signal regeneration.

A firewall is classified as a rule-based access control device. Rules are configured on the firewall to allow or deny packets passage from one network to another. The configuration of the rules is one of the biggest concerns for a firewall, because the rules can be very complex. Misconfiguration can easily lead to security breaches. Applying detailed instructions to manage the flow of network traffic at the edge of the network is implemented using firewall rules. These rules can allow or prevent traffic based on port, protocol, MAC address, or direction. A default rule found in a firewall's access control list (ACL) is Deny all.

Filters are created according to the company's security policy.

To provide maximum file security, firewalls should not run the Network Information System (NIS) file system. Compilers should be deleted from firewalls.