Network Defense Elements & Firewalls

Questions and Answers

An organization wants to ensure only devices meeting specific security criteria can access their network. Which of the following network defenses would BEST accomplish this?

  • Enforcing strict network segmentation policies to isolate sensitive resources.
  • Utilizing Network Access Control (NAC) to verify device compliance. (correct)
  • Implementing a comprehensive firewall solution with deep packet inspection.
  • Deploying an Intrusion Detection System (IDS) to monitor for unauthorized access attempts.

A company's security policy states that all network traffic between the internal network and the Internet must be inspected at the application layer. Which type of firewall is MOST suitable for this requirement?

  • Stateful Firewall
  • Packet Filter Firewall
  • Next-Generation Firewall (correct)
  • Proxy Firewall

An organization is implementing network segmentation to improve security. Which strategy would BEST minimize the impact of a successful breach on one segment from spreading to others?

  • Placing all servers in a single, highly monitored segment.
  • Creating multiple VLANs (Virtual LANs) with restricted communication between them. (correct)
  • Allowing unrestricted lateral movement for IT staff to facilitate troubleshooting.
  • Using a single, centrally managed firewall for all network traffic.

A network administrator notices unusual traffic patterns and suspects a zero-day exploit is being used against a web server. Which defense mechanism would be MOST effective in mitigating this threat?

Anomaly-based Intrusion Prevention System (IPS). (D)

A company wants to allow remote employees to securely access internal resources over the Internet. Which of the following technologies is BEST suited for this purpose?

Virtual Private Network (VPN). (A)

An organization is concerned about insider threats and wants to monitor network traffic for malicious activity originating from within the network. Which security measure would be MOST effective?

Deploying a Host-based Intrusion Detection System (HIDS) on critical servers. (B)

A security analyst discovers a compromised IoT device on the network. What INITIAL step should they take to prevent further lateral movement from the device?

Quarantine the IoT device on a separate network segment. (A)

A company handles sensitive credit card data and must comply with PCI DSS. Which assessment method is MOST relevant to ensure ongoing compliance?

Security compliance assessment. (C)

Which activity is MOST representative of a penetration test rather than a vulnerability assessment?

Exploiting a known vulnerability to gain unauthorized access. (A)

What is the PRIMARY difference between an on-premises datacenter and a cloud infrastructure regarding security responsibilities?

In on-premises datacenters, the organization is responsible for all security aspects, while in the cloud, some responsibilities are shared with the provider. (D)

An organization is evaluating Cloud Service Providers (CSPs). Which of the following assurance methods would provide the MOST comprehensive insight into a CSP’s security posture?

Examining the CSP's System and Organization Controls (SOC) 2 report. (D)

A company wants to switch to a cloud-based solution where they manage the applications and data, but the provider manages everything else. Which cloud service model BEST fits these requirements?

Platform as a Service (PaaS) (A)

An organization needs a cloud deployment model that isolates resources for multiple distinct entities that share similar compliance or security needs. Which model is BEST suited?

Community Cloud (A)

What is the MOST important consideration when using compensating controls for IoT devices?

Ensuring that compensating controls do not interfere with the device's primary function. (C)

Which of the following security layers prevents direct network communication by masking IP addresses and repackaging traffic?

Proxy Firewall (A)

Which of the following is NOT an element of network defense?

Social Engineering (A)

What kind of information is included in an Access Control List (ACL)?

Source and destination IP addresses (B)

Which network security architecture divides a network into secure zones with specific access rules, enhancing control?

Network Segmentation (A)

What enhances cybersecurity by enforcing least privilege, creating barriers for attackers and containing the spread of breaches?

Network Segmentation (B)

What does network segmentation accomplish?

It limits the attack's range. (C)

What are Virtual LANs (VLANs)?

Methods of segmentation implemented by configuring routers and switches. (C)

What does Software Defined Networking (SDN) provide?

Better and more granular control (A)

What is the purpose of a demilitarized zone (DMZ)?

To create a buffer zone between an internal network and the outside world. (B)

What is the untrusted network over which a Virtual Private Network (VPN) encrypts an employee's connection?

The Internet (C)

What do organizations use Network Access Control (NAC) for?

To limit what devices can connect to their network. (B)

What do email filters and web filters examine?

An organization's emails and web traffic (C)

What is the PRIMARY difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?

IDS detects and reports, while IPS takes defensive action. (D)

Which of the following BEST describes a 'signature-based' detection method used in IDS/IPS systems?

Identifying attacks by matching known patterns or characteristics. (A)

What is a 'zero-day' vulnerability?

A vulnerability that is previously unknown to cyber professionals and product vendors. (D)

Which wireless security protocol is considered the MOST secure and the current best practice?

WPA3 (D)

An organization is developing a security policy for IoT devices. Which of the following aspects should be ADDRESSED in the policy?

All of the above (D)

Organizations use compensating controls for protection from what?

Lack of own built-in controls (B)

Besides staff interviews, what do security assessments involve?

Review documentation and execute tests (B)

What does vulnerability assessment look at?

An organization from an internal and external perspective. (A)

Regarding operating an on-premise data center, what MUST organizations with data centers be responsible for?

The physical and environmental security of the facility, ensuring the protection and maintenance of their most vital assets. (B)

When organizations are creating a physical access control, what is their intention?

For preventing unauthenticated access (B)

Why do datacenters prefer to use gaseous fire suppression?

To minimize equipment damage (B)

Which is NOT a cloud deployment model?

Open Cloud (A)

Which item is often used to assist organizations in evaluating CSPs to determine if they meet their security and business requirements?

Service level agreement (B)

Flashcards

What is a Firewall?

Monitors and controls incoming/outgoing network traffic based on security rules.

How does a firewall enforce security policies?

Restricts network traffic to approved IP addresses and applications.

What is a Packet Filter?

ACL screens and regulates traffic based on packet header data, allowing or denying passage between interfaces.

What is a Proxy Firewall?

Prevents direct network communication by masking IP addresses, repackaging traffic, and enforcing security policies.

What is a Stateful/Dynamic Packet Filter?

Enhances packet filtering by tracking active communications and their history.

What is Network Segmentation?

Enhances cybersecurity by enforcing least privilege and creating barriers for attackers.

What is the primary benefit of network segmentation?

Implementing least privilege and enforcing zero trust at a granular level.

What are VLANs?

Method of segmentation that associates specific nodes with logical segments on a LAN.

What is Micro-segmentation?

Anything on the network can be its own segment, access controlled for any device/application.

What is a Demilitarized Zone (DMZ)?

Network segment between the organization's connection to the Internet and its internal networks.

What is a Virtual Private Network (VPN)?

Creates a secure connection to a private network through a public network.

What is Network Access Control (NAC)?

It allows organizations to limit what devices can connect to their network based on policy.

What do email filters do?

Examine inbound/outbound email traffic for phishing, spam, malware, and suspicious content.

What do web filters do?

Monitor traffic between web applications and the Internet and block malicious traffic.

What are Intrusion Detection/Protection Systems (IDS/IPS)?

Tools to detect if and when networks are under attack.

What is an Intrusion Detection System (IDS)?

Identifies malicious activity and reports it.

What is an Intrusion Protection System (IPS)?

Detects, reports, and automatically takes defensive action, like blocking traffic.

What do Network/Host-based IDS/IPS do?

Detects activity on networks, NIDS uses hardware/software, and HIDS monitors system-specific behaviors.

What is Signature-based detection?

Looks for known threats, relying on updated threat intelligence

What is Anomaly-based detection?

Detects new/unknown threats by recognizing irregular patterns using AI and machine learning.

What does Antivirus Software do?

Protects devices against attacks (viruses, malware, phishing).

What are Zero-Day Vulnerabilities?

Vulnerabilities, exploits or attacks that were previously unknown.

Why are wireless networks inherently less secure?

Less secure due to invisibility and extended physical boundaries.

What is the Internet of Things (IoT)?

A general term referring to the many kinds of physical devices that connect to the Internet or IP networks.

What are the common IoT security issues?

IoT devices have inherent security vulnerabilities and poorly implemented authentication mechanisms.

Why are Security Assessments important?

Regular security assessments are a vital part of an organization's network defense.

What does a Security Program Assessment do?

Evaluates the organization's security program.

What is a Vulnerability Assessment?

Comprehensive version of the same type of scanning a hacker does.

What is Penetration Testing?

Identify and exploit vulnerabilities to demonstrate potential impacts.

What are Security Compliance Assessments?

Must comply with legal and regulatory requirements

What are two main types of datacenter infrastructure?

On-premises and cloud infrastructure

What does operating an on-premises data center require?

Management of various critical functions.

Datacenter models.

Hired directly or hires a third-party provider.

What do key physical security aspects require?

Preventing unauthenticated access and controlling access.

What is the goal of datacenter environmental protection?

Manage temperature and humidity

What is datacenter system redundancy essential for?

Ensuring operational continuity

Benefits of power strategies.

Providing immediate, short-term power in the event of an outage.

What is cloud computing?

Enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing.

What is on-demand self-service?

Ability to configure what is needed.

What is resource pooling?

Pooled across multiple consumers

Study Notes

Elements of Network Defenses

  • Key components include firewalls, network security architecture elements, network access control, email and web application filtering, network operations elements, wireless security, and IoT security

Firewalls

  • Firewalls monitor and control incoming and outgoing network traffic based on predetermined security rules
  • This creates secure network areas by allowing or blocking specific traffic
  • Firewalls enforce corporate security policies by restricting network traffic to approved IP addresses and applications
  • Firewalls control data that exits the corporate network
  • Types of firewalls include packet filter, proxy, and stateful/dynamic packet filter, sometimes referred to as firewall generations 1, 2, and 3, respectively

Firewall Generations

  • First-generation firewalls are packet filters, or port-based firewalls, which either allow or block packets
  • First-generation firewalls determine the application protocol but have no visibility into the payload and cannot identify malicious code
  • Second-generation firewalls are stateful firewalls, which observe network connections and act on suspicious behavior
  • Second-generation firewalls cannot distinguish between websites and applications
  • They cannot block malicious packets that use acceptable protocols
  • Third-generation firewalls are also stateful, looking past ports and protocols to the application
  • Third-generation firewalls help determine the origin and destination of traffic but cannot look inside the data payload
  • Fourth-generation firewalls, or next-generation firewalls, include all the data security controls from past generations
  • The fourth generation adds Deep Packet Inspection (DPI), incorporates sandbox technology, and eliminates a single point of entry into a network through segmentation
  • Deep packet inspection (DPI) is an advanced method of examining and managing network traffic
  • Sandbox technology is a system that allows an untrusted application to run in a highly controlled environment where the application's permissions are restricted to an essential set of computer permissions

Firewall - Packet Filter

  • Packet filters are simple, low-cost firewalls functioning as routers, using Access Control Lists (ACLs)
  • Packet filters screen and regulate traffic based on packet header data, allowing or denying passage between interfaces
  • ACL information includes source and destination IP addresses and port numbers, the protocol, and direction of traffic
  • ACL example: Web traffic using HTTP can enter if it contains the destination IP address of the web server

Firewall - Proxy

  • Proxy firewalls serve as intermediaries, preventing direct network communication by masking IP addresses
  • They repackage traffic, enforce security policies, and thwart direct connections for enhanced cyber threat protection
  • Proxies intercept and repackage all traffic, applying security policies and preventing direct connections, making it harder for cyber criminals to discover information

Firewall - Stateful/Dynamic Packet Filter

  • Stateful/dynamic packet filters enhance basic packet filtering by tracking active communications, analyzing IP addresses, protocols, commands, and content of packets against previous interactions
  • These firewalls recognize and allow ongoing authorized exchanges, blocking unfamiliar types
  • They also monitor multiple connections and maintain comprehensive logs
  • For example, knowing expected traffic during a web server connection, the firewall only allows appropriate traffic types

Network Security Architecture Elements

  • Network segmentation divides a network into secure zones with specific access rules, enhancing control
  • A demilitarized zone (DMZ) is a common segment
  • VPNs and NACs offer additional security layers, each governing access differently

Network Segmentation

  • Network segmentation organizes a network into smaller, controlled segments, improving security and performance by restricting access based on policies and user roles
  • It enhances cybersecurity by enforcing least privilege and creating barriers for attackers
  • It also contains the spread of breaches
  • Network segmentation helps to ensure sensitive systems like databases and Internet-facing servers are isolated and protected
  • Segmentation helps implement least privilege
  • Segmentation creates more barriers, increasing the work factor of attacks
  • Segmentation limits how far an attack can spread

Network Segmentation - Implementation

  • Segmentation can be done physically, separating networks, or logically, creating virtual networks or VLANs
  • Separate physical networks are accomplished using subnetting
  • Subnetting breaks networks down into physical sections or subnets
  • VLANs are implemented by configuring routers and switches and are used to associate specific nodes on the network with logical segments on a LAN
  • Communication between VLANs is restricted via security policy configurable on routers and switches

Network Micro-Segmentation

  • With micro-segmentation, anything on the network, device or application, can be its own segment
  • This means access can be controlled for any device or application
  • Software-defined networking (SDN) is required to implement micro-segmentation
  • SDN frameworks provide better and more granular control and management

Demilitarized Zones (DMZ)

  • A DMZ is a network segment positioned between the organization's connection to the Internet and its internal networks
  • DMZs create a buffer zone and are bordered by two firewalls
  • Email, web, and DNS servers are placed in the DMZ because they require Internet access
  • Even though servers are "Internet-facing", they are still protected by a firewall
  • An attacker who breaches the external firewall and compromises a system in the DMZ would still have to get through the second firewall

Virtual Private Networks (VPN)

  • VPNs use tunneling technology to secure connections to private networks through public ones such as the Internet
  • VPNs encrypt and secure connections virtually, extending private networks to authorized users
  • Remote users use VPNs to access resources on internal corporate networks as if directly connected
  • VPNs involve extra steps and possible delays impacting performance
  • Organizations use VPNs so employees can work from outside the office
  • VPNs protect the route from an employee's computer to the office from sniffing or interception by hackers
  • A safer home use of VPNs is as a direct Internet connection through a proxy
  • VPNs allow for safely and anonymously using the Internet
  • Hiding IP addresses to prevent cyber criminals from intercepting messages and tracking activity is another use of VPNs

Network Access Control (NAC)

  • NACs limit what devices can connect to a network and check computers to see if they meet certain criteria based on a policy
  • Policies determine if computers with specific configuration settings, AV software, or up-to-date patches can connect
  • NACs help keep the network free from devices introducing malware, hidden scripts, or prohibited software and prevent rogue devices from connecting

Email and Web Application Filtering

  • Email filters examine inbound and outbound traffic for phishing, spam, malware, suspicious links, and disallowed attachments
  • Malicious emails are blocked, quarantined, automatically deleted, or manually inspected
  • Web filters act as web firewalls by monitoring traffic between web applications and the Internet
  • Web filters are based on configurable rules that permit benign traffic and prevent malicious traffic

Intrusion Detection/Prevention Systems (IDS/IPS)

  • Both IDS and IPS tools are used to detect whether networks are under attack
  • Both deploy sensors throughout the network communicating with a centralized control or reporting system
  • Centralized systems allow security staff to view indicators of malicious activity
  • IPS not only detects and reports but also automatically takes defensive action in response to what the IPS sees

Network/Host-Based IDS/IPS

  • Network-based IDS/IPS (NIDS) and host-based IDS/IPS (HIDS) use sensors/agents detecting malicious activity on networks and hosts, respectively
  • NIDS uses specialized hardware or software, while HIDS monitors system-specific behaviors
  • IDS/IPS systems use signature-based and anomaly-based detection
  • Signature detection analyzes for known threats, relying on updated threat intelligence
  • Anomaly detection uses AI and machine learning
  • Anomaly-based systems also spot novel attacks

Antivirus Software

  • Antivirus (AV) software protects devices against virus attacks
  • AV products detect and remove malware and also protect computers against spam and phishing attacks
  • AV software works by looking for behavior patterns or signatures stored in malware databases
  • AV software uses machine learning and heuristics to detect variations in known malware behaviors
  • The threat environment is ever-changing which requires constantly updating software to stay up to date

Zero-Day Vulnerabilities, Exploits and Attacks

  • Zero-day refers to previously unknown vulnerabilities, exploits, or attacks
  • Zero-day vulnerabilities are typically recently discovered in a product with no available fix
  • Zero-day exploits are malware unknown to countermeasure organizations
  • Zero-day attacks take advantage of all of the above
  • Zero-day attacks are particularly troublesome

Wireless Security

  • Because they are easily accessible, wireless networks are typically less secure than wired ones
  • Wireless networks can often expand access and cybercriminals do not need to be inside a facility to gain entry
  • Wireless security evolved from Wired Equivalent Privacy (WEP) encryption (considered weak)
  • WPA in 2003 improved the encryption
  • Wi-Fi Protected Access 2 (WPA2) offers robust security features such as Advanced Encryption Standard (AES) encryption
  • Common secure protocols include WPA2 and WPA3

Internet of Things (IoT) Security

  • The Internet of Things (IoT) refers to many physical devices connecting to the Internet or IP networks and those devices are often referred to as smart devices.
  • IoT devices are used for home automation, manufacturing and associated control systems, medical and healthcare, infrastructure and power control systems, environmental monitoring, military communications and weapons systems, and more
  • IoT devices have unique security issues because security is not typically built into these devices
  • IoT devices often have inherent security vulnerabilities that can allow hackers to make unauthorized connections
  • IoT products may not have been designed with security in mind, leaving them with poor security
  • There is a lack of security features on the interface
  • It can be difficult to implement physical security controls

Securing IoT devices

  • IoT data breaches and cyberattacks can be prevented by implementing security policies, keeping patch management up to date, and using appropriate authentication
  • Organizations can also use compensating controls and encryption

Security Assessments and Testing

  • Regular security assessments are a vital part of network defense and regulatory compliance
  • Assessments evaluate program components and the security program as a whole
  • Some organizations opt for outside help
  • External assessors establish assessment criteria, conduct staff interviews, review documentation, and execute tests
  • Reported findings require action and improvement, and security measures need to be kept up to date

Security Program Assessment

  • Assesses an organization's information security program and measures how well it is organized, operated and staffed
  • The assessment reviews policies, staffing, and operational infrastructure
  • It may include a regulatory compliance review, security policy review, security organization review, data security review, network security review, and physical security review

Vulnerability Assessments and Scanning

  • A vulnerability assessment is a comprehensive version of the same type of scanning a hacker would do
  • The main difference between scans a hacker runs and assessments run by an organization is purpose and comprehensiveness
  • Vulnerability tests are run from both internal and external perspectives

Vulnerability Assessments Can Include:

  • Network and system: Scan for devices/vulnerabilities
  • Application security: Testing for coding errors in web applications
  • Physical security: Testing physical protections such as locks and cameras
  • Human: Testing employees' ability to withstand malicious attacks

Penetration Testing

  • Pentests actively exploit vulnerabilities, while assessments simply identify the weaknesses
  • Pen testers emulate hackers to find out how they might compromise a system
  • Pen testers provide insight in reports
  • Routine evaluation helps enhance security over time

Security Compliance Assessments

  • Some organizations must follow certain ordinances
  • Some must comply with business-related security requirements, for example, meeting the Payment Card Industry (PCI) Data Security Standard (DSS)

Network Infrastructure

  • The two main types of datacenter infrastructure models are on-premises and cloud
  • The service is provisioned, managed, and utilized differently on each

On-Premises Datacenter Infrastructure

  • Operating an on-premises data center requires careful management, and organizations are responsible for its physical and environmental security
  • Key considerations include datacenter physical security, staffing models, environmental protection, and datacenter system redundancy

Staffing Models

  • Data center personnel can be either outsourced or hired directly
  • Organizations can elect to hire in-house managers to handle datacenter responsibilities which make
  • This may include a safety officer, a facilities manager, and IT

Outsourced Staffing Models

  • Outsourcing means contracting management responsibilities to a third party
  • In many cases where organizations outsource, the datacenter is owned by the organization; in others it is rented
  • It is critical that appropriate contracts, such as an SLA, are in place to govern and manage the arrangement

Datacenter Physical Security

  • Physical security is an aspect of operating a datacenter that must be considered
  • Supply systems and segmentation are important
  • Controls include badge systems and security alarms
  • Organizations must ensure that supply systems are secure and are not tampered with, to prevent interruption
  • Segmentation must create different security/risk levels

Datacenter Environmental Protection

  • Temperature and humidity must be managed
  • Excess heat causes overheating
  • This requires proper HVAC, which means heating, ventilation, and air conditioning
  • Necessary tools include fire detection and fire suppression tools
  • Effective environmental control is vital due to the sensitivity of computer equipment.

Datacenter System Redundancy

  • System redundancy is essential for ensuring operational continuity
  • It involves backup power supplies and vendor contracts for timely hardware replacement services
  • Redundant hardware and network infrastructure also help to prevent loss of service
  • For Internet activity, one should be contractually agreed upon.
  • An alternate facility should be in place to ensure operational continuity.

Cloud Infrastructure

  • NIST defines cloud computing as enabling "ubiquitous, convenient, on-demand" network access
  • It allows the use of a web browser to log in to web-based applications
  • Users do not have to manage hardware and equipment

Cloud Computing Characteristics

  • NIST defines cloud computing as allowing on-demand self-service for the client
  • It should come with rapid elasticity (increasing or decreasing resources when necessary)
  • It is self-service in part: users are able to manage resources from a web portal

Cloud Computing Characteristics (cont.)

  • Resources are pooled across multiple consumers
  • Broad network access is provided
  • Access is supported on different devices

Cloud Service Models

  • Infrastructure as a Service (IaaS) involves a pool of resources at the CSP that clients can reach
  • The CSP manages the hosts
  • The customer handles the virtual machines, OS, and development software they need
  • An example of IaaS is the Microsoft Azure cloud
  • Platform as a Service (PaaS) is where customers are able to test, run, and develop
  • There are coding develop

Cloud Service Models (cont.)

  • Software as a Service (SaaS) involves the CSP being the host
  • The CSP manages the platform and infrastructure, and the customer handles configuration
  • Examples include email and social sites

Cloud Deployment Models

  • Public cloud means the resources are run by a third party that charges a fee
  • Common examples are AWS, Azure, and GCP
  • Private cloud means a cloud for a business that has dedicated cloud computing resources

Cloud Deployment Models (cont.)

  • Community cloud means a shared cloud with specific members
  • Hybrid cloud is a combination of different models
  • One operation might run an on-premises cloud together with Azure, GCP, or AWS

Cloud Security Assurance

  • It is important for the service provider to have good practices, as services might be outsourced to it
  • Providers handle responsibilities such as hardware
  • The provider may not cover all of the responsibilities
  • The provider might perform a function but will still need to follow security requirements

Cloud security consistence

  • Challenges with other things
  • CSPs must meet business requirements
  • Some may offer legal agreements or contracts
  • Providers often have legal contracts in place
