Isolate one network from another.
A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules (CISCO).
Hardware (appliances), software, or both.
Network or host-based.
Passes or blocks traffic to specific ports or IP addresses based on rules.
Access Control List (ACL) filter.
Little intelligence / stateless.
Faster than stateful inspection.
Acts as an intermediary.
Stateful packet inspection.
Analyzes data flows and traffic patterns.
Dynamic access control decisions.
Records are kept using a state table that tracks every communications channel.
Remembers where the packet came from and where the next one should come from.
Configured to specify computers, programs, services, or ports/protocols.
Order of firewall rules matters.
Access or resource availability is restricted to only those that are explicitly granted access; all others are denied.
'Deny any any' (last firewall or ACL rule).
Explicit Deny - denied permission that is configured explicitly for that resource.
Implicit Allow - an allowed permission that is implied for that resource based on another explicit or implicit permission.
Explicit Allow - an allowed permission that is configured explicitly for that resource.
Controls input, output, and/or access from, to, or by an application or service based on categories, rules, or heuristics.
Deep packet inspection.
Function at Layer 7 of the OSI model.
Web Application Firewall (WAF)
Protects web applications from known attacks (injection, buffer overflows, etc.).
Often included in other firewall types (Proxy, IDS/IPS).
Intrusion - any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources.
Intrusion Detection/Protection Systems
Like a burglar alarm - identify unauthorized activity, access, or anomalies.
Sensor - the IDS component that collects data from the data source and passes it to the analyzer.
Host-based (HIDS/HIPS) - on individual systems.
Network-based (NIDS/NIPS) - on the network borders.
IDS - Passive response
Shunning / Quarantine
IPS - Active Response
Terminating process or sessions.
Deception Active Response - Attacker believes the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a honeypot or logging system.
Signature Based (AKA Knowledge Based)
Detects known vulnerabilities.
Rules/updates provided by vendor.
Outside of normal bounds or established profile.
Potential for false positives.
Uses algorithms to analyze the activity / network traffic.
High initial overhead.
False Positive - Occurs when a typical or expected behavior is identified as irregular or malicious.
False Negative - Occurs when an alert that should have been generated did not happen.
Network Intrusion Detection / Protection Systems
Analysis used to be separate, now combined with firewalls.
Passive - traffic is mirrored to sensor.
Inline - with traffic flows and prevents attacks in real time. Could cause latency.
A VPN allows remote access into a network.
Single device to funnel all VPN access / connects VPN nodes.
Centralized authentication (RADIUS, Kerberos, Federated ID)
Network security through encryption.
Internet Protocol Security (IPSec)
Secure Sockets Layer (SSL)
Cannot be placed wherever they are needed.
Should be placed in the perimeter network near the gateway.
Provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol.
Functions within the IP/Network Layer (Layer 3).
Data tampering protection.
Two separate (mutually exclusive) protocols:
Authentication Header (AH) - authentication and integrity checking for data packets.
Encapsulating Security Payload (ESP) - encryption services.
Transport Mode: works to encrypt the message in the data packet.
Used mostly in host-to-host communications.
Tunneling Mode: works to encrypt the entire data packet, not just the message within the packet (transport).
Used mostly between gateways (Cisco routers or ASA firewalls) or at end-station to a gateway, the gateway acting as a proxy for the hosts behind it.
SSL (Secure Sockets Layer)
TLS (Transport Layer Security)
Known as a WebVPN - remote access through a website over SSL/TLS.
Point-to-point encrypted communications.
Full Tunnel - all requests are routed and encrypted through the VPN. More secure.
Split Tunnel - only some (usually incoming requests) are routed and encrypted over the VPN.
An all-in-one firewall appliance / single interface / single vendor.
Block websites based on category or URL.
Uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices upon initial access (an IEEE 802.1X standard).
Access Requestor (AR): The device that requests access. Assessment of the device can be self-performed or delegated to another system.
Policy Decision Point (PDP): The system that assigns a policy based on the assessment. The PDP determines access.
Policy Enforcement Point (PEP): The device that enforces the policy. This device can be a switch, firewall, or router.
Agent vs Agentless
Is an agent application on the end-point?
Yes, for corporate devices.
Host Health Checks
"Health" of the end-point.
Is AV enabled?
Dissolvable vs Permanent
SIEM tools collect, correlate, and display data feeds that support response activities.
Log aggregation on a centralized server.
Centrally managing security events.
Correlating and normalizing events for context and alerting.
Reporting on data gathered from various applications.
Automated Alerting & Triggers
WORM - "Write-Once, Read-Many" protection.
AKA Data Leakage Protection
Prevent sensitive information from physically or logically leaving corporate systems.
Designed to detect and prevent unauthorized use and transmission of confidential information.
Network: Content-filtering (proxy).
System: Application white-listing.
Hardware: USB Blocking.
SSL Offloading - the process of shifting the burden of encrypting and decrypting traffic sent via SSL from the web server to another device.
Accepts SSL/TLS connections from the end-point and sends the connection to the server unencrypted.
Associated with load balancers.
Centralization and Routing
Proxy Servers (media)
Hardware-based encryption that manages digital keys, accelerates cryptographic processes, and provides strong access authentication.
Trusted Platform Module (TPM) used to assist with cryptographic key generation.