Kindle Notes & Highlights
Remember this Routers and stateless firewalls (or packet-filtering firewalls) perform basic filtering with an access control list (ACL). ACLs identify what traffic is allowed and what traffic is blocked. An ACL can control traffic based on networks, subnets, IP addresses, ports, and some protocols. Implicit deny blocks all access that has not been explicitly granted. Routers and firewalls use implicit deny as the last rule in the access control list. Antispoofing methods block traffic using ACL rules.
A network bridge connects multiple networks together and can be used instead of a router in some situations.
An aggregation switch connects multiple switches together in a network. Aggregate simply means that you are creating something larger from smaller elements.
A firewall filters incoming and outgoing traffic for a single host or between networks.
Remember this Host-based firewalls provide protection for individual hosts, such as servers or workstations. A host-based firewall provides intrusion protection for the host. Linux systems support xtables for firewall capabilities. Network-based firewalls are often dedicated servers or appliances and provide protection for the network.
ACL rule fields: Permission, Protocol, Source, Destination, Port
• Permission. You’ll typically see this as PERMIT or ALLOW allowing the traffic. Most systems use DENY to block the traffic.
• Protocol. Typically, you’ll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic, effectively blocking ping and some other diagnostics that use ICMP.
• Source. Traffic comes from a source IP address. You identify an IP address to allow or block traffic from a
Remember this Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
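As an added illustration (not from the book), the following Python model evaluates an ACL the way the highlights above describe: rules are checked top-down, first match wins, IP as the protocol matches both TCP and UDP, and anything not explicitly permitted falls through to implicit deny. The rule set, addresses and the antispoofing rule are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    permission: str      # "PERMIT" (or "ALLOW") vs "DENY"
    protocol: str        # "TCP", "UDP", "ICMP", or "IP" (IP matches any protocol)
    source: str          # CIDR block or "any"
    destination: str     # CIDR block or "any"
    port: Optional[int]  # destination port; None means any port (ICMP has none)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, port: Optional[int]) -> bool:
    # "IP" is a wildcard that covers TCP, UDP and ICMP alike
    if rule.protocol != "IP" and rule.protocol != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return _addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, port: Optional[int] = None) -> str:
    """Return the verdict for one packet: first matching rule wins; no match is implicit deny."""
    for rule in acl:
        if rule_matches(rule, proto, src, dst, port):
            return "PERMIT" if rule.permission in ("PERMIT", "ALLOW") else "DENY"
    return "DENY"  # implicit deny: nothing above explicitly permitted this traffic


# Constructed inbound ACL for an edge router protecting 192.168.1.0/24 (hypothetical network)
INBOUND_ACL = [
    # Antispoofing: a packet arriving from the Internet must not claim an internal source
    Rule("DENY", "IP", "192.168.1.0/24", "any", None),
    Rule("PERMIT", "TCP", "any", "192.168.1.10/32", 443),   # public web server, HTTPS only
    Rule("PERMIT", "IP", "any", "192.168.1.53/32", 53),     # DNS: IP covers both TCP and UDP 53
    Rule("DENY", "ICMP", "any", "any", None),               # block ping and other ICMP diagnostics
    Rule("DENY", "IP", "any", "any", None),                 # explicit "deny any any" at the end
]

if __name__ == "__main__":
    print(evaluate(INBOUND_ACL, "TCP", "203.0.113.5", "192.168.1.10", 443))  # PERMIT
    print(evaluate(INBOUND_ACL, "TCP", "203.0.113.5", "192.168.1.10", 22))   # DENY
```

Dropping the final explicit rule does not change any verdict, which is the point of implicit deny: the trailing "deny any any" only makes the default visible in the configuration.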
A web application firewall (WAF) is a firewall specifically designed to protect a web application, which is commonly hosted on a web server.
Remember this A stateless firewall blocks traffic using an ACL. A stateful firewall blocks traffic based on the state of the packet within a session. Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks, and can include load-balancing features.
Intranet. An intranet is an internal network. People use the intranet to communicate and share content with each other. While it’s common for an intranet to include web servers, this isn’t a requirement. • Extranet. An extranet is part of a network that can be accessed by authorized entities from outside of the network. For example, it’s common for organizations to provide access to authorized business partners, customers, vendors, or others.
The demilitarized zone (DMZ) is a buffered zone between a private network and the Internet.
Remember this A DMZ is a buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the intranet (internal network).
Network Address Translation (NAT) is a protocol that translates public IP addresses to private IP addresses and private addresses back to public.
Static NAT. Static NAT uses a single public IP address
Dynamic NAT. Dynamic NAT uses multiple public IP addresses in a one-to-many mapping.
Remember this NAT translates public IP addresses to private IP addresses, and private IP addresses back to public. A common form of NAT is Port Address Translation. Dynamic NAT uses multiple public IP addresses while static NAT uses a single public IP address.
An airgap is a metaphor for physical isolation, indicating that there is a gap of air between an isolated system and other systems.
Remember this Virtual local area networks (VLANs) separate or segment traffic on physical networks, and you can create multiple VLANs with a single Layer 3 switch. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location. VLANs are also used to separate traffic types, such as voice traffic on one VLAN and data traffic on a separate VLAN.
Many networks use proxy servers (or forward proxy servers) to forward requests for services (such as HTTP or HTTPS) from clients.
Remember this A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Transparent proxy servers use URL filters to restrict access to certain sites, and can log user activity.
Unified threat management (UTM) is a single solution that combines multiple security controls.
Remember this A unified threat management (UTM) appliance combines multiple security controls into a single appliance. It can inspect data streams and often includes URL filtering, malware inspection, and content inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.
A mail gateway is a server that examines all incoming and outgoing email and attempts to reduce risks associated with email.
Remember this Administrators use SNMPv3 to manage and monitor network devices, and SNMP uses UDP ports 161 and 162. It includes strong authentication mechanisms and is more secure than earlier versions.
B.
C.
B.
D.
D.
D.
C.
D.
D.
A.
A.
A.
A.
C.
B.
A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or server.
network interface card (NIC).
A network-based intrusion detection system (NIDS) monitors
Remember this A HIDS can monitor all traffic on a single host system such as a server or a workstation. In some cases, it can detect malicious activity missed by antivirus software. A NIDS is installed on network devices, such as routers or firewalls, to monitor network traffic and detect network-based attacks. It can also use taps or port mirrors to capture traffic. A NIDS cannot monitor encrypted traffic and cannot monitor traffic on individual hosts.
Signature-based IDSs (also called definition-based) use a database of known vulnerabilities or known attack patterns.
Transmission Control Protocol (TCP) handshake
SYN Flood Attack (Sidebar) The SYN flood attack is a common denial-of-service (DoS) attack.
Remember this Signature-based detection identifies issues based on known attacks or vulnerabilities. Signature-based detection systems can detect known anomalies. Heuristic or behavior-based IDSs (also called anomaly-based) can detect unknown anomalies. They start with a performance baseline of normal behavior and then compare network traffic against this baseline. When traffic differs significantly from the baseline, the IDS sends an alert.
network operations center (NOC),

