Final study guide - LosephCawtonJurtis/SEC-350 GitHub Wiki
Logging
- accountability: who did what and when did they do it. Normalize formatting so every source uses the same field names, e.g. one name for the source address instead of a mix of srcip, attacker ip, srcaddr, or ip
- rsyslog server
- rsyslog client
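An added example (not from the original guide) of the normalization point above: events from three constructed sources use different names for the same source address field, and a small alias table maps them onto one canonical key so they can be correlated by source IP. The alias sets, the sample lines and the hosts in them are assumptions made up for the example.

```python
import json
import re

# Aliases seen in the constructed sample sources below, mapped to one canonical
# field name so searches and correlation only ever need a single key.
FIELD_ALIASES = {
    "src_ip": {"srcip", "src_ip", "srcaddr", "attacker_ip", "ip", "source_address"},
    "dst_ip": {"dstip", "dst_ip", "dstaddr", "dest_ip", "target_ip"},
    "user": {"user", "username", "acct", "account"},
}
ALIAS_TO_CANONICAL = {alias: canon for canon, aliases in FIELD_ALIASES.items()
                      for alias in aliases}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one log line, either JSON or key=value pairs, into a flat dict of strings."""
    line = line.strip()
    if line.startswith("{"):
        return {k: str(v) for k, v in json.loads(line).items()}
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def normalize(event):
    """Rename aliased fields to their canonical name; keep unknown fields as-is."""
    out = {}
    for key, value in event.items():
        canon = ALIAS_TO_CANONICAL.get(key.lower(), key.lower())
        if canon in out and out[canon] != value:
            raise ValueError(f"conflicting values for {canon}: {out[canon]!r} vs {value!r}")
        out[canon] = value
    return out

# Constructed sample lines from three different sources, not real logs.
SAMPLE_LINES = [
    'host=fw01 action=drop srcip=203.0.113.7 dstip=10.0.5.20 proto=tcp dport=22',
    '{"sensor": "ids02", "attacker_ip": "203.0.113.7", "target_ip": "10.0.5.20", "sig": "ssh-bruteforce"}',
    'host=web03 srcaddr=203.0.113.7 user="alice" status=401 uri=/login',
]

def events_by_src_ip(lines):
    """Group normalized events by canonical source address for correlation."""
    index = {}
    for line in lines:
        ev = normalize(parse_event(line))
        index.setdefault(ev.get("src_ip"), []).append(ev)
    return index

if __name__ == "__main__":
    for ip, evs in events_by_src_ip(SAMPLE_LINES).items():
        print(ip, [e.get("host") or e.get("sensor") for e in evs])
```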
Network Segmentation
- Flat network: everything can communicate, SSH everywhere, attacks can easily traverse it, attacks aren't visible if they don't traverse a network appliance, and the rate and speed of infection and compromise is high
- Separate SSH, syslog and RDP so that they always originate from an isolated and protected space; traffic that violates this policy is then extremely visible
Network Firewalls
Proxies
- Types include network based (forward proxy, reverse proxy) and application based (anonymizers such as Tor and I2P, Burp Suite, etc.)
- Load balancing: distribute traffic load via round robin, least connections, least bandwidth, or connection source
- Can filter unwanted traffic by domain, file, user, or time of day
- Everything can be logged for report generation, troubleshooting, or investigation
- A transparent or in-line proxy is a server that sits between your computer and the Internet and redirects your requests and responses without modifying them
- A proxy that does modify requests and responses is a non-transparent proxy
- Reduces bandwidth and improves response time by caching and reusing frequently requested web pages
- Optimizes data flows between clients and servers, improves performance, and caches frequently-used content to save bandwidth
- Reduces server load and improves delivery speeds to clients by copying only the content being used rather than inefficiently copying everything
TODO: add info about squid configs here
Enterprise DNS https://datatracker.ietf.org/doc/html/rfc1035 get dripped on adam, I included a link to the RFC in my GitHub which makes cheating legal now, idiot.
- TCP and UDP port 53
Public Key Infrastructure
- CA stuff, I think I remember most of it and none of the slides stood out
Applocker
- whitelist or blacklist applications for users and groups based on file identities
- helps mitigate against unknown applications
- helps security and compliance
- cannot replace actual security software like AV or other tools; only useful in providing an additional layer in defense-in-depth
- things that can be mitigated: emails that include hidden programs, websites that silently exploit a vulnerability to run an add-on or download and run applications from the browser, opening a malicious document that tries to execute a program, running applications from removable media, installing applications without administrator awareness
- AppLocker rule types:
- file hash: represents the system-computed hash of a file
- path: identifies an app by its location in the filesystem or on the network
- publisher: identifies an app based on its digital signature
- limitations: does not provide protection against files already opened in memory for non-execute use; not suitable for businesses where application installation is not centralized through an approval process
VPN
- uses: corporate email, authentication, web, distributed file systems and shares, network resources
- use cases/types: host-to-host, site-to-site, remote access
- site-to-site: geographically separated organization establishes a long-term connection that makes site-to-site connectivity transparent to end users (when someone in Burlington accesses the Montreal web server)
- remote access: a teleworker who wants to access Exchange email just as if they were internally connected, access a terminal services session in order to use a virtual corporate desktop, or a remote sysadmin who needs to access network management resources securely
- host-to-host: not a common use case, but can be done if you have a service (syslog or MySQL) you wish to secure between an app server and a remote database or log server and crypto is not baked in to those protocols. The user is somewhat aware of the encryption; it is not transparent, as they have to turn on the VPN
- VPN types (actually this time): IPsec-based VPNs, available out of the box for Windows, OS X, Cisco, VyOS
- SSL-based VPNs: OpenVPN, an interesting example of tunnelling a lower-level protocol over a higher-level protocol
- IPsec authenticates or encrypts each IP packet using Encapsulating Security Payload (ESP) or Authentication Header (AH)
Zeek
- passive, open-source network traffic analyzer; primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity
- use cases: NSM, intrusion detection, network investigations, developing solutions, research [image of supported protocols and workings to be added]
- how it works: by default, when Zeek sees network traffic using an application protocol it knows about, it logs the details of those transactions to a file with a .log extension
- it also provides a mechanism to create custom logic for processing the transactions in the traffic it is examining
- it treats the actions taken by a protocol as a series of events for which you can register handlers written in Zeek code
- quick configs are located in $PREFIX/etc/node.cfg for the monitoring interface, $PREFIX/etc/networks.cfg for configuring the monitored environment, and $PREFIX/etc/broctl.cfg for configuring the email address to receive messages and the desired log archival frequency
- to use BroControl, run broctl, then at the [BroControl]> prompt enter install and then start
- generated logs are stored under $PREFIX/logs/current [logs image and running image to be added]; making the assumption here that for us the interface would be ens160 or whatever our network adapters are named
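An added example (not from the original guide or the Zeek project) tying the Zeek section to the segmentation section: it parses a constructed conn.log excerpt in Zeek's default tab-separated format, typing each column from the #types header, and then lists SSH connections that did not originate from the isolated management subnet, i.e. the "extremely visible" policy violations described above. The 10.0.99.0/24 management subnet, the sample rows and the connection UIDs are assumptions made up for the example.

```python
import ipaddress

# Constructed conn.log excerpt in Zeek's default tab-separated format (not a real capture).
SAMPLE_CONN_LOG = [
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring",
    "1704067200.1\tC1\t10.0.99.5\t50001\t10.0.5.20\t22\ttcp\tssh\t12.5\tSF",
    "1704067201.0\tC2\t10.0.5.21\t50002\t10.0.5.53\t53\tudp\tdns\t0.01\tSF",
    "1704067202.0\tC3\t10.0.5.20\t50003\t10.0.5.30\t22\ttcp\t-\t-\tS0",
    "1704067203.0\tC4\t203.0.113.7\t50004\t10.0.5.30\t22\ttcp\tssh\t0.4\tREJ",
]

ZEEK_TYPES = {"time": float, "interval": float, "count": int, "int": int,
              "port": int, "double": float, "bool": lambda v: v == "T"}

def parse_zeek_log(lines):
    """Parse Zeek TSV log lines into dicts typed per the #types header; other types stay strings."""
    fields, types, unset, empty = [], [], "-", "(empty)"
    records = []
    for line in lines:
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue
        rec = {}
        for name, typ, val in zip(fields, types, line.split("\t")):
            rec[name] = None if val == unset else "" if val == empty else ZEEK_TYPES.get(typ, str)(val)
        records.append(rec)
    return records

ADMIN_NET = ipaddress.ip_network("10.0.99.0/24")  # assumed isolated management subnet

def ssh_policy_violations(records):
    """SSH connection attempts whose source is outside the management subnet."""
    return [(r["uid"], r["id.orig_h"], r["id.resp_h"]) for r in records
            if r["proto"] == "tcp" and r["id.resp_p"] == 22
            and ipaddress.ip_address(r["id.orig_h"]) not in ADMIN_NET]

if __name__ == "__main__":
    for uid, src, dst in ssh_policy_violations(parse_zeek_log(SAMPLE_CONN_LOG)):
        print(f"{uid}: SSH from {src} to {dst} originated outside the management subnet")
```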