C480 Chapter 12 part 3

verickle's version from 2016-11-01 19:31


Question: Answer
Acceptable use policy (AUP): Identifies what users of a network are and are not allowed to do on that network. For example, retrieving sports scores during working hours via an organization's Internet connection might be deemed inappropriate by an AUP.
Access control list (ACL): An ordered list of rules, typically applied to router interfaces, that specifies permitted and denied traffic. Rules are evaluated top-down and the first match wins; most implementations end every ACL with an implicit deny, so anything not explicitly permitted is dropped.
Advanced Encryption Standard (AES): Released in 2001 (FIPS 197), AES is typically considered the preferred symmetric encryption algorithm. It is a block cipher with a 128-bit block size and is available in 128-bit key, 192-bit key, and 256-bit key versions; it is always used in a mode of operation (for example, AES-GCM, which also provides integrity).
Asymmetric encryption: With asymmetric encryption, the sender and receiver of a packet use different keys: a mathematically related public/private key pair, where data encrypted with one key can only be decrypted with the other. The public key can be published freely; the private key never leaves its owner.
Authentication Header (AH): An IPsec protocol (IP protocol 51) that provides authentication and integrity services. However, it does not provide encryption services. Because AH also authenticates fields of the outer IP header, it does not survive NAT, which is one reason ESP is far more common in practice.
Buffer overflow: This attack occurs when an attacker supplies more data than an application's fixed-size memory area (a buffer) can hold and the application fails to check the bounds, so the excess is written into adjacent memory of the same process. Overwriting neighbouring data or control information (such as a saved return address) can crash the program or let the attacker execute code of their choosing.
Challenge-Response Authentication Mechanism Message Digest 5 (CRAM-MD5): A challenge-response mechanism (RFC 2195) frequently used in e-mail systems (SMTP AUTH, POP3, IMAP). The server sends a one-time challenge, and the client returns the HMAC-MD5 of that challenge keyed with the user's password, so the password itself never crosses the wire. Like CHAP, CRAM-MD5 only performs one-way authentication (the server authenticates the client; the client learns nothing about the server). Its reliance on MD5 and on the server holding a password-equivalent secret make it a poor choice for new deployments; TLS plus a stronger mechanism is preferred.
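The CRAM-MD5 exchange described above, simulated with both sides in Python (an added example, not code from the page). The user database, host name and challenge format are constructed for the demo; on the wire, as in SMTP AUTH, challenge and response are base64 encoded. The example also shows the two properties worth remembering: a captured response is useless against a fresh challenge, and the server must keep a password-equivalent secret to verify anything.

```python
import base64
import hmac
import secrets
import time

# Constructed user database for the demo. CRAM-MD5 forces the server to keep the
# password (or an HMAC-MD5 intermediate state derived from it), i.e. a
# password-equivalent secret. That is one of the mechanism's weaknesses.
USER_DB = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname: str = "mail.example.test") -> bytes:
    """Server side: build a unique challenge in the conventional <random.time@host> form."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>".encode("ascii")


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username HMAC-MD5(password, challenge)' in lowercase hex.

    Only the keyed digest is sent; the password never crosses the wire.
    """
    digest = hmac.new(password.encode("utf-8"), challenge, "md5").hexdigest()
    return f"{username} {digest}".encode("ascii")


def server_verify(response: bytes, challenge: bytes, user_db=USER_DB) -> bool:
    """Server side: recompute the digest for the claimed user and compare in constant time."""
    try:
        username, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = user_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_exchange(username: str, password: str, challenge: bytes = None):
    """Simulate both sides of SMTP 'AUTH CRAM-MD5'; everything on the wire is base64.

    Returns (wire_lines, authenticated). A fresh challenge is generated per attempt
    and never reused, which is what defeats replay of a captured response.
    """
    if challenge is None:
        challenge = make_challenge()
    wire = ["C: AUTH CRAM-MD5",
            "S: 334 " + base64.b64encode(challenge).decode("ascii")]
    response = client_response(username, password, challenge)
    wire.append("C: " + base64.b64encode(response).decode("ascii"))
    # The server decodes what the client sent and checks it against *this* challenge.
    ok = server_verify(base64.b64decode(wire[-1][3:]), challenge)
    wire.append("S: 235 Authentication successful" if ok else "S: 535 Authentication failed")
    return wire, ok
```

Note that nothing in the exchange lets the client confirm it is talking to the real server, which is the one-way limitation the definition mentions; in practice the whole session should run inside TLS so that the server is authenticated by its certificate.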
Client-to-site VPN: Also known as a remote-access VPN, a client-to-site VPN interconnects a single remote user with a site over the Internet, as an alternative to dial-up or ISDN connectivity, at a reduced cost.
Demilitarized zone (DMZ): A network segment, separated from both the Internet and the internal network by a firewall, that often contains servers which should be reachable from the Internet. This approach would, for example, allow users on the Internet to initiate an e-mail or a web session to an organization's e-mail or web server while other protocols are blocked, and it limits what a compromised DMZ server can reach on the internal network.
Denial of service (DoS): A DoS attack floods a system with an excessive amount of traffic or requests, which consumes the system's processing resources and prevents the system from responding to many legitimate requests.
Distributed denial of service (DDoS): A DDoS attack increases the amount of traffic flooded to a target system. Specifically, an attacker compromises multiple systems, and those compromised systems, called zombies or bots (collectively a botnet), can be instructed by the attacker to simultaneously flood a target system.
Encapsulating Security Payload (ESP): An IPsec protocol (IP protocol 50) that provides authentication, integrity, and encryption services. Unlike AH, ESP does not cover the outer IP header, so it can be carried across NAT using UDP encapsulation (NAT traversal, UDP port 4500).
FTP bounce: An FTP bounce attack uses the FTP PORT command to covertly open a connection with a remote system. Specifically, an attacker connects to an FTP server and uses the PORT command to cause the FTP server to open a communications channel with the intended victim, which might allow a connection from the FTP server, while a connection directly from the attacker might be denied. The defence is for the FTP server to reject PORT commands whose address does not match the client's own control connection (RFC 2577).
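The PORT command the attack relies on, parsed and checked the way a hardened FTP server would check it (an added example, not code from the page). The attacker and victim addresses (198.51.100.7 and 10.0.0.5) are constructed for the scenario; the encoding h1,h2,h3,h4,p1,p2 is the RFC 959 format.

```python
import ipaddress


def parse_port_command(line: str):
    """Parse an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT requires six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each PORT field must be 0-255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Client-side helper: encode host:port the way an FTP client (or attacker) would."""
    octets = host.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def port_command_allowed(control_peer_ip: str, line: str, min_port: int = 1024) -> bool:
    """Server-side check that defeats the bounce: the data connection must go back to
    the host that opened the control connection, and never to a privileged port."""
    try:
        host, port = parse_port_command(line)
    except ValueError:
        return False
    same_host = ipaddress.ip_address(host) == ipaddress.ip_address(control_peer_ip)
    return same_host and port >= min_port


def bounce_scenario():
    """Constructed scenario: an attacker at 198.51.100.7 holds the control connection.
    Returns the server's verdict for a legitimate PORT and for a bounce aimed at an
    internal mail server the attacker cannot reach directly."""
    attacker = "198.51.100.7"
    legitimate = build_port_command(attacker, 1025)   # PORT 198,51,100,7,4,1
    bounce = build_port_command("10.0.0.5", 25)       # PORT 10,0,0,5,0,25 (victim SMTP)
    return {
        "legitimate": (legitimate, port_command_allowed(attacker, legitimate)),
        "bounce": (bounce, port_command_allowed(attacker, bounce)),
    }
```

The same check applies to EPRT (RFC 2428), which carries the address as text; the firewall in front of the FTP server should additionally refuse data connections from the server to internal addresses.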
Generic Routing Encapsulation (GRE): A tunneling protocol (IP protocol 47) developed by Cisco Systems that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels. This creates a virtual point-to-point link to various brands of routers at remote points over an Internet Protocol (IP) internetwork. GRE provides no encryption or authentication of its own, so it is commonly combined with IPsec when confidentiality is required.
GNU Privacy Guard (GnuPG, GPG): A free, open-source implementation of the OpenPGP standard (RFC 4880), and therefore interoperable with Pretty Good Privacy (PGP). Like PGP, it uses hybrid encryption: a random symmetric key encrypts the message, and the recipient's public key encrypts that symmetric key.
Hardware firewall: A network appliance dedicated to the purpose of acting as a firewall. This appliance can have multiple interfaces for connecting to areas of a network requiring varying levels of security.
Honeynet: A network containing more than one honeypot (a decoy system deployed to attract and observe attackers).
Host-based IPS (HIPS): A HIPS system is a computer running intrusion prevention software for the purpose of protecting the computer itself from attacks.
Internet Key Exchange (IKE): A protocol (UDP port 500, or 4500 behind NAT) used to set up an IPsec session: it authenticates the two peers, negotiates the algorithms to use, and derives the keys for the security associations. IKEv1 is built on ISAKMP; IKEv2 (RFC 7296) is the current version.
Internet Security Association and Key Management Protocol (ISAKMP): A framework that negotiates parameters for an IPsec session (authentication of the peers and establishment of security associations); IKEv1 defines the actual key exchange carried out within it.
Intrusion detection system (IDS): An IDS sensor can recognize the signature of a well-known attack and raise an alert or respond (for example, by sending TCP resets or asking a firewall to block the source). However, an IDS sensor does not reside in-line with the traffic flow; it watches a copy of the traffic. Therefore, one or more malicious packets might reach the intended victim before the traffic flow is stopped.
Intrusion prevention system (IPS): IPS devices can recognize the signature of a well-known attack and respond to stop the attack. An IPS device resides in-line with the traffic flow, unlike an IDS sensor, so it can drop malicious packets before they reach the victim, at the cost of adding latency and a potential point of failure.
IP Security (IPsec): A suite of network-layer protocols (AH, ESP, and IKE) that provides confidentiality, integrity, and authentication for IP traffic and is widely used to build VPNs.
Kerberos: A client-server authentication protocol that supports mutual authentication between a client and a server. Kerberos uses the concept of a trusted third party (a key distribution center, or KDC) that hands out time-limited tickets: the client authenticates once to obtain a ticket-granting ticket, then presents service tickets to servers instead of a username and password combination.
Layer 2 Forwarding (L2F): A VPN protocol designed (by Cisco Systems) with the intent of providing a tunneling protocol for PPP. Like L2TP, L2F lacks native security features.
Layer 2 Tunneling Protocol (L2TP): A VPN protocol that lacks security features, such as encryption. However, L2TP can still be used for a secure VPN connection if it is combined with another protocol that provides encryption, most commonly IPsec (L2TP/IPsec).
Multifactor authentication: Similar to two-factor authentication, multifactor authentication requires two or more different types (factors) of successful authentication before granting access to a network: something you know, something you have, or something you are. Two credentials of the same type (for example, two passwords) do not count as multiple factors.
Nessus: A network-vulnerability scanner available from Tenable.
Network-based IDS (NIDS): A NIDS device is a network appliance dedicated to the purpose of acting as an IDS sensor.
Network-based IPS (NIPS): A NIPS device is a network appliance dedicated to the purpose of acting as an IPS sensor.
Nmap: A free, open-source network scanner used for host discovery, port scanning, and service and operating-system detection. It is a reconnaissance tool rather than a full vulnerability scanner, although its scripting engine (NSE) can check for some specific vulnerabilities.
Point-to-Point Tunneling Protocol (PPTP): An older VPN protocol (that supported the dial-up networking feature in older versions of Microsoft Windows). Like L2TP and L2F, PPTP lacks native security features. Microsoft's versions of PPTP bundled with various versions of Microsoft Windows were extended with MPPE encryption and MS-CHAP authentication, but those extensions have known weaknesses (MS-CHAPv2 can be broken offline), so PPTP is considered insecure and should be replaced by L2TP/IPsec, native IPsec, or a TLS-based VPN.
Pretty Good Privacy (PGP): PGP is a widely deployed encryption program (and, via OpenPGP, a standard) often used to encrypt and sign e-mail traffic. It uses asymmetric (public key) cryptography to exchange a per-message symmetric key, which then encrypts the message body.
Public key infrastructure (PKI): A PKI system uses digital certificates and a certificate authority (CA) to bind public keys to identities, allowing secure communication across a public network; a relying party trusts a peer's certificate because it can validate the CA's signature chain, not because it already knows the peer.
Remote Authentication Dial-In User Service (RADIUS): A UDP-based protocol (ports 1812 and 1813; older implementations used 1645 and 1646) used to communicate with a AAA server. Unlike TACACS+, RADIUS does not encrypt an entire authentication packet, but only the password (the User-Password attribute is obfuscated with a shared secret). RADIUS combines authentication and authorization in a single exchange and offers more robust accounting features than TACACS+. Also, RADIUS is a standards-based protocol (RFC 2865), whereas TACACS+ was originally a Cisco-proprietary protocol.
Remote-access VPN: See client-to-site VPN.
RSA: A popular and widely deployed asymmetric encryption algorithm, named after Rivest, Shamir, and Adleman, whose security rests on the difficulty of factoring large numbers. It is used both for encryption (of small values such as session keys) and for digital signatures; modern deployments use keys of 2048 bits or more together with padding schemes such as OAEP and PSS.
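Textbook RSA in Python, to make the asymmetric-encryption and RSA definitions above concrete (an added example, not code from the page). The two primes are fixed, publicly known and far too small for real use, and there is no padding, so this shows only the mathematics: encryption with the public key is undone only by the private key, and a signature made with the private key is checked by anyone holding the public key.

```python
# Two fixed, publicly known primes for the demonstration. Real RSA keys use
# randomly generated primes of 1024 bits or more; these are hopelessly small.
P = 1_000_000_007
Q = 998_244_353


def modinv(a: int, m: int) -> int:
    """Modular inverse by the extended Euclidean algorithm (returns x with a*x = 1 mod m)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: inputs are not coprime")
    return old_s % m


def generate_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return ((n, e), (n, d)). The public exponent e is shared; d stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)          # e * d = 1 mod phi(n), so (m^e)^d = m mod n
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone with the public key can encrypt; the message must be smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of d can recover m."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """Signing is exponentiation with the *private* key (real schemes sign a padded hash)."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, signature: int) -> bool:
    """Verification uses the public key: the signature decrypts back to m only if d was used."""
    n, e = public_key
    return pow(signature, e, n) == m


def encrypt_text(public_key, text: str) -> int:
    """Encode a short string as a big-endian integer first; it must fit under the modulus."""
    return encrypt(public_key, int.from_bytes(text.encode("utf-8"), "big"))


def decrypt_text(private_key, c: int) -> str:
    m = decrypt(private_key, c)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")
```

Two caveats a practitioner should carry away: without randomized padding (OAEP) this encryption is deterministic and malleable, and without hashing and padding (PSS, or at least PKCS#1 v1.5) the signature is forgeable on chosen values. Real systems also use RSA only to wrap a symmetric session key, never to encrypt bulk data.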
Secure Sockets Layer (SSL): Provides cryptography and reliability for upper layers (Layers 5–7) of the OSI model. SSL, which was introduced in 1995, has been replaced by Transport Layer Security (TLS): SSL 3.0 (1996) was the last SSL version, and both SSL 2.0 and SSL 3.0 are now prohibited (RFC 6176 and RFC 7568). The "SSL 3.3" sometimes mentioned is actually TLS 1.2, whose record-layer version number is 3.3 (TLS 1.0, 1.1, and 1.2 carry 3.1, 3.2, and 3.3 respectively). Both SSL and TLS are able to provide secure web browsing via HTTPS, but only TLS 1.2 or later should be enabled today.
Security association (SA): An agreement between two IPsec peers about the cryptographic parameters (algorithms, keys, and lifetimes) to be used. IKE first establishes an IKE (ISAKMP) SA to protect its own negotiation, then establishes the IPsec SAs for the data traffic; IPsec SAs are unidirectional, so a tunnel uses one per direction, each identified by a Security Parameter Index (SPI).
Security policy: A living document that dictates a set of guidelines for network use. These guidelines complement organizational objectives by specifying rules for how a network is used.
Single sign-on (SSO): Allows a user to authenticate once to gain access to multiple systems, without requiring the user to independently authenticate with each system.
Site-to-site VPN: Interconnects two sites (for example, a branch office and headquarters) over the Internet, as an alternative to a leased line, at a reduced cost. The VPN gateways at each site terminate the tunnel, so individual hosts need no VPN software.
Social engineering: Attackers sometimes use social techniques (which often leverage people's desire to be helpful) to obtain confidential information. For example, an attacker might pose as a member of an IT department and ask a company employee for her login credentials in order for the "IT staff to test the connection." This type of attack is called social engineering.
Software firewall: A computer running firewall software. For example, the software firewall could protect the computer itself (for example, preventing incoming connections to the computer). Alternatively, a software firewall could be a computer with more than one network interface card that runs firewall software to filter traffic flowing through the computer.
Stateful firewall: Inspects traffic leaving the inside network as it goes out to the Internet and records each permitted session in a state (connection) table. Then, when returning traffic from the same session (as identified by source and destination IP addresses, protocol, and port numbers) attempts to enter the inside network, the stateful firewall permits that traffic; inbound traffic that matches no recorded session is dropped. The process of inspecting traffic to identify unique sessions is called stateful inspection.
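A small stateful firewall that uses an ACL for new outbound flows and a state table for return traffic, covering both the ACL definition (first match, implicit deny) and the stateful-firewall definition above. This is an added example in Python, not code from the page or from any vendor; the addresses, the outbound rule set and the packet sample are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "tcp" or "udp"
    sport: int     # source port
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix, e.g. "10.0.0.0/8" or "0.0.0.0/0"
    dst: str               # destination prefix
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port, None = any port


def acl_lookup(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation, top to bottom, with the implicit deny at the end."""
    for rule in acl:
        if (rule.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(rule.src)
                and ip_address(pkt.dst) in ip_network(rule.dst)
                and rule.dport in (None, pkt.dport)):
            return rule.action
    return "deny"   # nothing matched: implicit deny


class StatefulFirewall:
    """Outbound packets are checked against the ACL and permitted flows are recorded.
    Inbound packets are permitted only when they belong to a recorded flow."""

    def __init__(self, outbound_acl: List[Rule]):
        self.acl = outbound_acl
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        action = acl_lookup(self.acl, pkt)
        if action == "permit":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

    def inbound(self, pkt: Packet) -> str:
        # Return traffic has source and destination swapped relative to the recorded flow.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.sessions else "deny"


# Constructed outbound ACL: inside hosts (10.0.0.0/8) may browse and resolve names only.
OUTBOUND_ACL = [
    Rule("deny",   "10.0.0.0/8", "0.0.0.0/0", "tcp", 23),    # no telnet out
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),
    # implicit deny for everything else
]


def demo() -> List[Tuple[str, str]]:
    """Constructed traffic sample; returns (description, decision) pairs in order."""
    fw = StatefulFirewall(OUTBOUND_ACL)
    return [
        ("inside->web HTTPS SYN",
         fw.outbound(Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443))),
        ("web->inside HTTPS reply",
         fw.inbound(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000))),
        ("inside->telnet",
         fw.outbound(Packet("10.0.0.5", "203.0.113.10", "tcp", 51001, 23))),
        ("unsolicited SSH to inside",
         fw.inbound(Packet("203.0.113.10", "10.0.0.5", "tcp", 40000, 22))),
        ("spoofed reply, wrong port",
         fw.inbound(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51002))),
        ("inside->SMB",
         fw.outbound(Packet("10.0.0.5", "203.0.113.10", "tcp", 51003, 445))),
    ]
```

Two things the sample makes visible: the telnet deny has to sit above the permits because evaluation stops at the first match, and the forged "reply" is dropped because it does not match an entry in the state table even though its source port looks like a web server. A production firewall also ages entries out of the table and tracks TCP state (SYN, established, FIN), which this sketch omits.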
Symmetric encryption: With symmetric encryption, both the sender and the receiver of a packet use the same key (a shared key) for encryption and decryption, so the key must be distributed to both parties in advance over a secure channel (often by encrypting it with an asymmetric algorithm).
Terminal Access Controller Access-Control System Plus (TACACS+): A TCP-based protocol (port 49) used to communicate with a AAA server. Unlike RADIUS, TACACS+ encrypts the entire body of each packet rather than just the password. TACACS+ separates authentication, authorization, and accounting into distinct exchanges, which allows fine-grained per-command authorization on network devices; its accounting features, however, are not as robust as those found in RADIUS. Also, unlike RADIUS, TACACS+ was originally a Cisco-proprietary protocol (it was later documented in RFC 8907).
Two-factor authentication (TFA): Requires two different types of authentication from a user seeking admission to a network: something the user knows (for example, a password), something the user has (for example, a hardware token or an authenticator app on a phone), or something the user is (for example, a fingerprint checked by a biometric device). A password plus a fingerprint, or a password plus a one-time code from a token, are each two factors; two passwords are not.
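A two-factor login that combines something the user knows (a salted, iterated password hash) with something the user has (a TOTP code from an authenticator app), serving both the multifactor and two-factor definitions above. This is an added example in Python, not code from the page; the user record, salt and password are constructed, and the TOTP seed is the published RFC 4226 / RFC 6238 test secret so the one-time codes can be checked against the RFC vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: int = None, step: int = 30, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift,
    comparing each candidate in constant time."""
    t = int(time.time()) if at is None else int(at)
    return any(hmac.compare_digest(hotp(secret, t // step + k), code)
               for k in range(-window, window + 1))


# Constructed user record: salted password hash (knowledge) + TOTP seed (possession).
_SALT = b"demo-salt-16byte"   # hypothetical fixed salt so the demo is reproducible
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
# Authenticator apps are provisioned with a base32 seed; this is the RFC test secret.
_TOTP_SEED_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

USERS = {"alice": {"pw_hash": _PASSWORD_HASH, "salt": _SALT, "totp_b32": _TOTP_SEED_B32}}


def authenticate(username: str, password: str, code: str, at: int = None) -> bool:
    """Two-factor login: BOTH the password and the one-time code must check out.
    A wrong password with a correct code (or vice versa) is still a failure."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user["salt"], 100_000),
        user["pw_hash"])
    seed = base64.b32decode(user["totp_b32"])
    return pw_ok and verify_totp(seed, code, at=at)
```

The `at` parameter exists so the codes are reproducible; a real server uses the current time and should also remember the last accepted counter per user so that a code cannot be replayed within its window.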
Unified threat management (UTM): A firewall or gateway that attempts to bundle multiple security functions (for example, firewalling, IPS, anti-malware, content filtering, and VPN termination) into a single physical or logical device.
Virtual private network (VPN): A logical network built on top of a shared or untrusted network (for example, the Internet) by tunneling traffic between endpoints. Some VPNs (for example, IPsec or TLS-based VPNs) also encrypt and authenticate that traffic; others (for example, plain GRE) only tunnel it.