This tutorial presents a collection of network security types, terms and definitions. It will help you learn the basic concepts of network security in a computer network, together with the threats each control addresses and the solutions available.
Port Blocking / Filtering
A network layer firewall works as a packet filter by deciding what packets will pass the firewall according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains. Network layer firewalls tend to operate very fast, and transparently to users. Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data or breaking down the connection) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).
Stateless firewalls have packet-filtering capabilities but cannot tell what stage a conversation between two hosts has reached: every packet is judged on its own header fields. To let replies through, a stateless rule set has to permit inbound packets that merely look like replies (for example anything with source port 80 or 443), which an attacker can forge. Stateless firewalls therefore offer less security and resemble a router with access lists in their ability to filter packets.
Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall. Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server.
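The difference between the two sub-categories is easiest to see in code. The following is an added example, not code from the original page: a toy packet filter that enforces the rule quoted above ("only hosts inside the firewall can establish connections") for outbound HTTPS from an assumed internal subnet 10.0.0.0/24. Packets are hand-made objects, and the addresses and ports are invented for the demonstration.

```python
"""Toy stateful vs stateless packet filter (added example, not from the page)."""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")  # assumed internal subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def _inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rules: judge each packet by its own header fields only.

    To let replies to outbound HTTPS come back, the rule set has to admit
    *any* inbound packet whose source port is 443, which an outsider can
    forge to reach an arbitrary inside port.
    """
    if _inside(pkt.src) and not _inside(pkt.dst) and pkt.dport == 443:
        return True  # outbound HTTPS
    if _inside(pkt.dst) and not _inside(pkt.src) and pkt.sport == 443:
        return True  # anything that merely looks like an HTTPS reply
    return False


class StatefulFilter:
    """Stateful rules: remember who opened which connection."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) of open connections
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        src_in, dst_in = _inside(pkt.src), _inside(pkt.dst)
        if src_in and not dst_in:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack and pkt.dport == 443:
                self.connections.add(key)  # inside host opens a connection
                return True
            return key in self.connections  # later packets of that connection
        if dst_in and not src_in:
            # Inbound traffic is admitted only if an inside host opened the
            # connection; a forged "reply" or an inbound SYN has no entry.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def demo() -> dict:
    """Run a forged reply, a real connection and an inbound SYN through both."""
    forged = Packet("203.0.113.9", 443, "10.0.0.5", 31337, syn=True, ack=True)
    fw = StatefulFilter()
    verdicts = {
        "stateless_forged": stateless_allow(forged),      # True: forged reply passes
        "stateful_forged_before": fw.allow(forged),       # False: no such connection
    }
    fw.allow(Packet("10.0.0.5", 40000, "203.0.113.9", 443, syn=True))  # inside opens
    real_reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000, syn=True, ack=True)
    verdicts["stateful_real_reply"] = fw.allow(real_reply)               # True
    verdicts["stateful_forged_after"] = fw.allow(forged)                 # still False
    verdicts["stateful_inbound_syn"] = fw.allow(
        Packet("203.0.113.9", 5555, "10.0.0.5", 22, syn=True))           # False
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stateless filter cannot distinguish the forged packet from a genuine reply because both carry source port 443; the stateful filter only admits the packet that matches a connection an inside host actually opened. A real firewall also ages entries out of the table and tracks UDP and ICMP "connections" by timeout, which this toy omits.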
Authentication
The process of verifying the identity of an individual (or system), usually based on a username and password but also on a certificate, hardware token or smart card. In security systems, authentication is distinct from authorization, which is the process of granting individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Encryption
Encryption is part of a larger process of encoding and decoding messages to keep information secure. The discipline is more correctly called cryptography: the use of mathematical transformations to protect data. Cryptography is primarily software-based and in most cases involves little hardware cost (hardware security modules or TPMs are used where keys need physical protection). It is a key tool in protecting privacy, since only parties holding the right key can read the data. Note that encryption by itself does not guarantee integrity: a ciphertext can often be modified so that it still decrypts, just to different data. Integrity and authenticity come from a message authentication code (MAC) or a digital signature, or from an authenticated-encryption mode that combines both with encryption.
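To make the last point concrete, here is an added example (not code from the original page) in which an attacker changes the amount in an encrypted message without knowing the key, and in which an encrypt-then-MAC construction catches the same change. The cipher is a toy counter-mode stream built from SHA-256, standing in for any stream or CTR-mode cipher; the keys, nonce and message are made up, and real code would use AES-GCM or ChaCha20-Poly1305 instead.

```python
"""Why encryption alone does not give integrity (added example, not from the page)."""
import hashlib
import hmac
import struct

ENC_KEY = hashlib.sha256(b"example encryption key").digest()  # made-up key
MAC_KEY = hashlib.sha256(b"example mac key").digest()         # made-up key
NONCE = b"\x00" * 8                                           # fixed for the demo


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode style keystream: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flipping attack: turn plaintext bytes `old` at `offset` into `new`
    without the key, because (p ^ k) ^ old ^ new decrypts to new."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(data: bytes, nonce: bytes = NONCE) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC-SHA256 over nonce || ciphertext."""
    ct = encrypt(ENC_KEY, nonce, data)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(sealed: bytes, nonce: bytes = NONCE) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any change."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt(ENC_KEY, nonce, ct)


def demo() -> dict:
    msg = b"PAY $100 TO BOB"
    # 1. Encryption only: the attacker rewrites the amount without the key.
    ct = encrypt(ENC_KEY, NONCE, msg)
    forged = decrypt(ENC_KEY, NONCE, tamper(ct, 5, b"1", b"9"))
    # 2. Encrypt-then-MAC: the same modification is rejected.
    sealed = seal(msg)
    try:
        unseal(tamper(sealed, 5, b"1", b"9"))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "forged_plaintext": forged,          # b"PAY $900 TO BOB"
        "tamper_rejected": rejected,         # True
        "honest_roundtrip": unseal(sealed) == msg,
    }


if __name__ == "__main__":
    print(demo())
```

The forged message decrypts cleanly, and the recipient has no way to tell; only the MAC (or a signature, or an AEAD mode) exposes the change. Note that the MAC is verified before anything is decrypted, and with `hmac.compare_digest` so that the comparison time does not leak how many tag bytes matched.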
VLANs (Virtual Local Area Networks).
A virtual LAN (VLAN) is a logical grouping of switch ports and devices into one layer 2 broadcast domain, which can span multiple physical switches. VLANs are good at logically separating traffic between different groups of users, and they contain broadcast traffic: a router (or layer 3 switch) is needed to move traffic between VLANs.
Logically speaking, each VLAN is normally mapped to one IP subnet. A subnet, or network, is a contained broadcast domain: a broadcast that occurs in one subnet is not forwarded, by default, to another subnet.
Routers, or layer 3 devices, provide this boundary. Each subnet requires a unique network number, and moving from one network number to another requires a router. On a switch, each separate broadcast domain is a separate VLAN, so a routing function is still needed to move traffic between VLANs. That routing point is also where access control between VLANs belongs: a VLAN by itself only separates broadcast domains and does not filter traffic, so hosts in different VLANs can still reach each other unless the router or firewall between them says otherwise.
Extranet
An extranet is a private network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with suppliers, vendors, partners, customers or other businesses. An extranet can be viewed as part of a company's intranet that is extended to users outside the company, normally over the Internet. An extranet requires security and privacy controls. These can include firewalls, server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network.
- Extranets can improve organization productivity by automating processes that were previously done manually.
- Extranets allow organization or project information to be viewed at times convenient for business partners, customers, employees, suppliers and other stake-holders.
- Information on an extranet can be updated, edited and changed instantly. All authorised users therefore have immediate access to the most up-to-date information.
- Extranets can be expensive to implement and maintain within an organisation.
- Security of extranets is a major concern when valuable information is shared with outside parties.
- Extranets can reduce personal contact (face-to-face meetings) with customers and business partners, which may weaken the relationships between people and the company.
Intranet
Intranets differ from extranets in that the former are generally restricted to employees of the organization, while extranets can be accessed by customers, suppliers or other approved parties. An intranet is a private computer network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with its employees. Sometimes the term refers only to the most visible service, the internal website. The same concepts and technologies as the Internet, such as clients and servers running on the Internet protocol suite, are used to build an intranet. HTTP and other Internet protocols are commonly used as well, especially FTP and e-mail.
Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Antivirus software typically uses two different techniques to accomplish this:
- Examining files to look for known viruses matching definitions in a virus dictionary
- Identifying suspicious behavior from any program that might indicate infection. Such analysis may include watching file writes, monitoring network ports and other observation of system activity.
Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.
When the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:
- attempt to repair the file by removing the virus itself from the file
- quarantine the file
- delete the infected file.
Suspicious Behavior Approach:
Unlike the dictionary approach, the suspicious-behavior (heuristic) approach can protect against brand-new viruses that do not yet appear in any virus dictionary, and modern antivirus products combine it with signature matching. Using this approach the antivirus software:
- Does not attempt to identify known viruses by signature.
- Monitors the behavior of all programs.
- If one program tries to write data to an executable program, flags this as suspicious, alerts the user and asks what to do.
- May emulate the beginning of the code of each new executable that the system invokes before transferring control to it.
- If the program seems to use self-modifying code or otherwise behaves like a virus, assumes that a virus has infected the executable. This method can produce a lot of false positives.
Fault tolerance is the ability of a system to continue functioning when part of the system fails. Normally, fault tolerance is used in describing disk subsystems, but it can also apply to other parts of the system or the entire system. Fully fault-tolerant systems use redundant disk controllers and power supplies as well as fault-tolerant disk subsystems. You can also use an uninterruptible power supply (UPS) to safeguard against local power failure. Although the data is always available in a fault-tolerant system, you still need to make backups that are stored offsite to protect the data against disasters such as a fire.
Service interruptions on a network are not always the result of a computer or drive failure. Sometimes the network itself is to blame. For this reason, many larger internetworks are designed with redundant components that enable traffic to reach a given destination in more than one way. If a network cable is cut or broken, or if a router or switch fails, redundant equipment enables data to take another path to its destination. There are several ways to provide redundant paths. Typically, you have at least two routers or switches connected to each network, so that the computers can use either one as a gateway to the other segments. For example, you can build a network with two backbones, where each workstation can use either of the routers on its local segment as a gateway. You can also use this arrangement to balance the traffic on the two backbones by configuring half of the computers on each local area network (LAN) to use one of the routers as their default gateway and the other half to use the other router.
A redundant array of independent disks (RAID) is an example of a fault-tolerant storage device that uses data redundancy.
Redundant Array of Inexpensive (or Independent) Disks. A RAID array is a collection of drives that collectively act as a single storage system and, at every level except RAID 0, can tolerate the failure of a drive without losing data.
RAID 0
Referred to as striping, RAID 0 is not redundant. Data is split across drives, resulting in higher data throughput. Since no redundant information is stored, performance is very good, but the failure of any disk in the array results in the loss of all data.
RAID 1
Referred to as mirroring, RAID 1 uses two drives and provides redundancy by duplicating all data from one drive onto the other. Read performance can be better than a single drive, and if either drive fails no data is lost. This is a good entry-level redundant system, since only two drives are required.
RAID 2
Uses Hamming error-correcting codes and is intended for drives that have no built-in error detection. All modern drives, SCSI included, do their own error detection, so this level is obsolete.
RAID 3
Stripes data at the byte level across several drives, with parity stored on a dedicated drive. It is otherwise similar to level 4. Byte-level striping requires hardware support for efficient use.
RAID 4
Stripes data at the block level across several drives, with parity stored on a dedicated drive. The parity information allows recovery from the failure of any single drive. Read performance is very good. Every write, however, must also update the parity drive, which becomes a bottleneck for small random writes in particular; large or sequential writes are fairly fast.
RAID 5
Striping with distributed parity. Similar to level 4, but the parity blocks are rotated among all the drives, so no single disk is devoted to parity and the write bottleneck of a dedicated parity drive disappears. Reads perform at least as well as level 4, because parity is not read during normal operation; each small write still costs a read-modify-write of the data block and its parity block. Like every singly redundant level, RAID 5 survives exactly one drive failure; a second failure before the rebuild completes loses the array.
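The parity the text describes for levels 4 and 5 is a plain XOR of the data blocks in a stripe, which is why any single missing block can be recomputed from the others. The following added example (not code from the original page) lays data out across four in-memory "drives" with rotating parity, then rebuilds each drive in turn as if it had failed. The rotation rule is one common RAID 5 layout chosen for illustration; the data and chunk size are made up.

```python
"""XOR parity as used by RAID 4/5: rebuilding a failed drive (added example)."""


def xor_blocks(blocks):
    """XOR a list of equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_drives: int, chunk: int = 4):
    """Lay data out across n_drives with one parity chunk per stripe.

    Each stripe holds (n_drives - 1) data chunks plus their XOR. The parity
    chunk's position rotates from the last drive backwards, so no single
    drive carries every parity write the way a dedicated RAID 4 parity
    drive does.
    """
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = (n_drives - 1) * chunk
    data += b"\x00" * ((-len(data)) % per_stripe)        # pad the last stripe
    drives = [[] for _ in range(n_drives)]
    for s, start in enumerate(range(0, len(data), per_stripe)):
        stripe = data[start:start + per_stripe]
        chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        parity_drive = (n_drives - 1 - s) % n_drives
        chunks.insert(parity_drive, xor_blocks(chunks))    # parity for this stripe
        for d in range(n_drives):
            drives[d].append(chunks[d])
    return drives


def raid5_read(drives, failed=None) -> bytes:
    """Read the data back (padding included).

    If `failed` names one drive index, its blocks are ignored and rebuilt
    from the XOR of the surviving blocks in each stripe. Two missing blocks
    in one stripe cannot be rebuilt, which is the RAID 5 double-failure case.
    """
    n = len(drives)
    out = b""
    for s in range(len(drives[0])):
        parity_drive = (n - 1 - s) % n
        blocks = [drives[d][s] for d in range(n)]
        if failed is not None:
            survivors = [blocks[d] for d in range(n) if d != failed]
            blocks[failed] = xor_blocks(survivors)         # the missing block
        out += b"".join(blocks[d] for d in range(n) if d != parity_drive)
    return out


def demo() -> dict:
    data = b"The quick brown fox jumps over the lazy dog"   # made-up payload
    drives = raid5_write(data, n_drives=4)
    rebuilt = {d: raid5_read(drives, failed=d)[:len(data)] == data for d in range(4)}
    return {"intact": raid5_read(drives)[:len(data)] == data, "rebuilt": rebuilt}


if __name__ == "__main__":
    print(demo())   # {'intact': True, 'rebuilt': {0: True, 1: True, 2: True, 3: True}}
```

Because the parity block is simply the XOR of the data blocks, XORing all surviving blocks of a stripe (data and parity alike) yields whichever one is missing, which is exactly the rebuild a controller performs onto a hot spare. The rebuild reads every surviving drive in full, which is the window during which a second failure is fatal.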
Most people think about disaster recovery in terms of restoration of the damaged network, but it’s actually less expensive to prevent a disaster than to restore one.
Fault tolerance is achieved through redundancy. You can have redundant components within a server, redundant servers, and even redundant networks, in the case of a hot site. A fault-tolerant system simply has a spare part that takes over if another part fails. Fault tolerance can be applied to the following:
Memory
Some servers support error-correcting (ECC) memory and a spare memory module to use in case of a memory failure.
Network interface cards (NICs).
NICs can be redundant in two ways. They can share the network traffic, or one of the NICs can wait until the first fails before it kicks in.
Redundant Array of Inexpensive Disks (RAID).
Data is mirrored, shared, or striped across multiple disks. Pay attention to these versions of RAID:
RAID 1
Mirroring: two disks connected to a single hard disk controller; or duplexing: mirrored disks connected to two different hard disk controllers, so that the controller is no longer a single point of failure.
RAID 5
A group of three or more disks is combined into one volume, with data striped across the disks and parity used to ensure that if any one disk fails, the remaining disks still hold all the data.
Power supplies
A second power supply takes over if the original fails.
Server clustering
Two or more servers are grouped to provide services as if the group were a single server. A cluster is transparent to end users. Usually, a server member of a cluster can take over for a failed partner with no impact on the network.
Backup / restore
A remote backup service, online backup service or managed backup service provides users with an online system for backing up and storing computer files. Managed backup providers are companies that have the software and server space for storing files. Data sent to such a provider should be encrypted with keys the customer controls before it leaves the site, and restores should be tested regularly; a backup that has never been restored is not yet known to work.
Hot and cold spares
- A hot spare disk is running, ready to start working in the case of a failure.
- A cold spare disk is not running.
A hot spare is used as a failover mechanism to provide reliability in system configurations. The hot spare is active and connected as part of a working system. When a key component fails, the hot spare is switched into operation. Examples of hot spares are components such as networked printers and hard disks. The equipment is powered on, or considered "hot", but not actively functioning in the system. In the case of a disk drive, data is rebuilt onto the spare from the remaining drives (or from the mirror), so when the hot spare takes over, the system continues to operate with minimal or no downtime.
Hot Spare Disk
A hot spare disk is a disk (or group of disks) used to automatically or manually replace a failing or failed disk in a RAID configuration. It reduces the mean time to recovery (MTTR) for the RAID redundancy group, which shortens the window during which a second disk failure would cause data loss in any singly redundant RAID level (e.g. RAID 1, RAID 5, RAID 10).
Hot, warm and cold sites
A backup site is a location where a business can easily relocate following a disaster such as a fire or flood. There are three types of backup sites: cold sites, warm sites and hot sites. The differences between the types are determined by the cost and effort required to implement each.
Hot Site is a duplicate of the original site of the business, with full computer systems as well as near-complete backups of user data. Following a disaster, the hot site exists so that the business can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours. This type of backup site is the most expensive to operate.
Warm Site is a location where the business can relocate to after the disaster that is already stocked with computer hardware similar to that of the original site, but does not contain backed up copies of data and information.
Cold Site is the least expensive type of backup site for a business to operate. It includes neither backed-up copies of data and information from the original location nor hardware already set up. The lack of hardware keeps the startup cost of the cold site minimal, but it takes additional time following the disaster to get the operation running at a capacity close to that prior to the disaster.
Security protocols protect a computer from attacks. To understand how security protocols work, you must first understand what types of attacks they protect against. Networks and data are vulnerable to both active attacks, in which information is altered or destroyed, and passive attacks, in which information is monitored. Attacks that you might encounter include the following:
Data modification
This active attack takes place when data is intercepted in transit and modified before it reaches its destination, or when stored data is altered.
Eavesdropping
This passive attack takes advantage of network traffic that is transmitted across the wire in clear text. The attacker simply uses a device that monitors traffic and "listens in" to discover information. You'll hear this term referred to as sniffing the wire, and sometimes as snooping.
IP address spoofing
One weak way of deciding whether to trust traffic is to check the source IP address in the packets: if the address is on an allowed list, the data is let into the private network. IP address spoofing is forging the source address so that packets pass such a check. Because replies go to the spoofed address, the attacker usually cannot complete a TCP handshake, so spoofing is mostly used for one-way and UDP-based attacks (including reflected denial of service) and as a way past address-based filters, often as the opening step of another attack.
Password pilfering
An attacker obtains user IDs and passwords, or even encryption keys, to gain access to network data, which can then be altered, deleted, or used to mount another attack. This is usually done by asking unsuspecting users, reading sticky notes with passwords posted next to computers, or sniffing the wire for password information. Sometimes an attacker will attempt to get hired at a company merely to obtain an ID and password with access rights to the network.
Denial of service
This active attack is intended to cause full or partial network outages so that people cannot use network resources and productivity suffers. The attacker floods so many packets through the network or at specific resources that other users can't access those resources. A denial-of-service attack can also serve as a diversion while the attacker alters information or damages systems.
Viruses and malicious code
A virus is a piece of software code buried inside a trusted application (or even an e-mail message) that runs when that application does and takes some action to damage the computer or other network resources.
| Security method | Type of attack | Notes |
|---|---|---|
| Authentication | Password guessing attacks | Verifies the user's identity |
| Access control | Password pilfering | Protects sensitive data from access by the average user |
| Encryption | Eavesdropping | Prevents the content of the packets from being read in transit |
| Certificates | Spoofing | Bind an identity to a public key so that the identity can be verified |
| Firewalls | Denial of service (as well as others) | When configured correctly, can block many denial-of-service attacks |
| Signatures and MACs | Data alteration | Detect tampering with stored or transmitted data |
| Public key infrastructure | Spoofing | Ensures that data received is from the correct sender |
| Code authentication | Virus and other code attacks | Protects the computer from altered executables |
| Physical security | Password pilfering | Keeps unauthorized persons away from authorized users and their IDs and passwords |
| Password policies | Password pilfering | Ensures that passwords are difficult to guess or otherwise decipher |
IPSec (Internet Protocol Security)
IPsec is a set of protocols (AH for integrity and origin authentication, ESP for confidentiality with integrity) that protect packets at the IP layer. Both can be used in two modes: transport and tunnel.
Transport mode protects only the payload of each packet; the original IP header stays in the clear, so this mode is used host-to-host.
Tunnel mode wraps the entire original packet, header included, inside a new IP packet with a new outer header. This hides the inner addresses and is what site-to-site and remote-access VPN gateways use.
For IPsec to work, the two endpoints must agree on a security association: the algorithms and the shared session keys. That negotiation is done by IKE (Internet Key Exchange, built on ISAKMP and the Oakley key-exchange protocol), which performs a Diffie-Hellman exchange and authenticates the peers with a pre-shared key or with digital certificates. IPsec operates at the network layer, layer 3 of the OSI model. Other widely used Internet security protocols such as SSL and TLS sit above the transport layer and protect a single TCP stream (or, with DTLS, a single UDP flow). This makes IPsec more general, as it protects everything the host sends, TCP and UDP alike, without the applications being aware of it.
L2TP (Layer 2 Tunneling Protocol)
Layer 2 Tunneling Protocol is a tunneling protocol used to support virtual private networks (VPNs). L2TP carries PPP frames across an IP (or other) network, which lets ISPs and enterprises operate VPNs; it combines the best features of two earlier tunneling protocols, PPTP from Microsoft and L2F from Cisco Systems. L2TP itself provides no encryption or integrity protection; in practice it is run inside IPsec (L2TP/IPsec), which supplies both.
SSL (Secure Sockets Layer)
Secure Sockets Layer is a protocol that supplies secure data communication through encryption and decryption. SSL enables communications privacy over networks by combining public key cryptography (to authenticate the server and agree on keys) with bulk symmetric encryption of the data. SSL has been superseded by TLS (Transport Layer Security); every SSL version is now deprecated and should be disabled, and the name "SSL" today usually refers to TLS.
WEP (Wired Equivalent Privacy)
Wired Equivalent Privacy is a scheme that is part of the IEEE 802.11 wireless networking standard, intended to secure IEEE 802.11 wireless networks. Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping.
WEP was intended to provide confidentiality comparable to a traditional wired network, so it does not protect users of the network from each other. Its design is broken: it encrypts each frame with RC4 under a per-packet key formed from a 24-bit initialization vector (IV), sent in the clear, prepended to a static shared key, and it uses CRC-32 as the integrity check. The IV space is so small that IVs repeat on a busy network, two frames with the same IV share a keystream, and related-key attacks on RC4 recover the shared key from captured traffic in minutes. WEP should not be used.
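The IV-reuse problem can be shown directly. The following is an added example, not code from the original page: it implements RC4 and WEP's per-packet key (IV || shared key) as the standard specifies, then shows that once an attacker knows the plaintext of one frame (a predictable request, say), every other frame sent under the same IV can be read without the key. The CRC-32 integrity value and 802.11 framing are left out; the key, IVs and frame contents are made up.

```python
"""WEP keystream reuse when a 24-bit IV repeats (added example, not from the page)."""


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key-scheduling (KSA) followed by the generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in the clear, then payload XOR RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + _xor(payload, rc4(iv + wep_key, len(payload)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return _xor(body, rc4(iv + wep_key, len(body)))


def recover_with_known_plaintext(known_frame: bytes, known_payload: bytes,
                                 target_frame: bytes):
    """Attacker side, no key needed. Two frames with the same IV use the same
    keystream, so C1 XOR P1 yields the keystream and C2 XOR keystream yields
    P2. Returns None when the IVs differ (different keystreams)."""
    if known_frame[:3] != target_frame[:3]:
        return None
    keystream = _xor(known_frame[3:], known_payload)
    return _xor(target_frame[3:], keystream)


IV_SPACE = 2 ** 24   # distinct IVs; a busy access point cycles through them in hours


def demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"         # made-up 40-bit WEP key
    iv = b"\x12\x34\x56"
    known = b"GET /index.html "           # predictable traffic the attacker can guess
    secret = b"passwd=hunter2!!"          # another frame, same IV, same length
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)
    f3 = wep_encrypt(key, b"\x12\x34\x57", secret)   # same data, fresh IV
    return {
        "decrypts": wep_decrypt(key, f2) == secret,
        "recovered": recover_with_known_plaintext(f1, known, f2),   # the secret frame
        "different_iv": recover_with_known_plaintext(f1, known, f3),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The recovered keystream is only as long as the known plaintext, but on a real network the attacker collects many frames per IV, and the FMS/PTW family of attacks goes further and recovers the shared key itself from the first keystream bytes. WPA's per-packet key mixing and WPA2's CCMP exist precisely to remove this keystream reuse.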
WPA (Wi-Fi Protected Access)
A security protocol for wireless networks that builds on the foundations of WEP. It keeps RC4 but uses TKIP, which derives a fresh per-packet key by mixing the shared key, the transmitter address and a 48-bit sequence counter, and adds a message integrity check (Michael) in place of WEP's CRC. Because the key changes for every packet, the keystream-reuse and key-recovery attacks on WEP no longer apply. WPA was an interim fix for hardware that could not run AES; TKIP has since been deprecated as well.
WPA2 (Wi-Fi Protected Access 2)
WPA2 is the second generation of WPA security and provides a stronger encryption mechanism, AES in CCMP mode (counter mode with CBC-MAC, giving confidentiality and integrity together), which is a requirement for some government users. Its successor, WPA3, replaces the pre-shared-key handshake with a password-authenticated key exchange (SAE) that resists offline dictionary attacks.
IEEE 802.11, also known by the brand Wi-Fi, denotes a set of wireless LAN (WLAN) standards developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802). The term 802.11x is sometimes used loosely for this whole family; it is not a standard itself and should not be confused with IEEE 802.1X, the port-based network access control standard used for WPA/WPA2 Enterprise authentication.
| Protocol | Release date | Operating frequency | Data rate (typical) | Data rate (max) | Range (indoor) | Range (outdoor) |
|---|---|---|---|---|---|---|
| 802.11a | 1999 | 5.15-5.35 / 5.47-5.725 / 5.725-5.875 GHz | 25 Mbit/s | 54 Mbit/s | ~25 m | ~75 m |
| 802.11b | 1999 | 2.4-2.5 GHz | 6.5 Mbit/s | 11 Mbit/s | ~35 m | ~100 m |
| 802.11g | 2003 | 2.4-2.5 GHz | 25 Mbit/s | 54 Mbit/s | ~25 m | ~75 m |
| 802.11n | 2009 (draft equipment from 2007) | 2.4 GHz or 5 GHz bands | 200 Mbit/s | 600 Mbit/s | ~50 m | ~125 m |
Identify authentication protocols:
CHAP (Challenge Handshake Authentication Protocol)
Challenge Handshake Authentication Protocol (RFC 1994) is a challenge-response protocol: the server sends a random challenge and the client returns an MD5 hash of the identifier, the shared secret and the challenge, so the password itself never crosses the link. CHAP is used by various vendors of network access servers and clients. Because the server must recompute the same hash, it has to keep the secret in plaintext or reversibly encrypted, and a captured challenge/response pair can be attacked offline with a dictionary.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
Microsoft's variant of CHAP. MS-CHAP is a password authentication protocol in which the response is a one-way (nonreversible) function of the password, so the password itself is never sent. The challenge handshake process works as follows:
- The remote access server or the IAS server sends the remote access client a challenge consisting of a session identifier and an arbitrary challenge string.
- The remote access client returns a response that contains the user name and a one-way hash of the challenge string, the session identifier and the password.
- The authenticator checks the response and, if valid, the user's credentials are authenticated.
Both MS-CHAP and MS-CHAPv2 derive the response with DES keys built from the NT password hash; the effective key space is small enough that a captured MS-CHAPv2 exchange can be cracked outright, so they should only be used inside an encrypted tunnel such as PEAP or TLS, if at all.
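The CHAP exchange described above, and the same three-step shape MS-CHAP follows, as an added example that is not code from the original page. It uses CHAP's own MD5 scheme from RFC 1994 (MS-CHAP's DES-based response is not implemented here), walks through challenge, response and verification, and then shows what an eavesdropper can do with the captured exchange. The user database, secret and wordlist are made up.

```python
"""CHAP challenge/response (RFC 1994) and offline attack on a captured exchange."""
import hashlib
import hmac
import os
from typing import Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. Note that it must hold each secret in recoverable form."""

    def __init__(self, users: dict):
        self.users = users          # username -> shared secret (plaintext)
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        """Step 1: issue a fresh random challenge tagged with an identifier."""
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        """Step 3: recompute the hash and compare in constant time. The
        challenge is consumed, so replaying a captured response fails."""
        chal = self.pending.pop(identifier, None)
        secret = self.users.get(username)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, chal))


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist) -> Optional[bytes]:
    """What an eavesdropper does with a sniffed (identifier, challenge, response):
    try candidate secrets until one reproduces the response."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> dict:
    server = ChapServer({"alice": b"s3cret"})
    chal = server.challenge(7)
    # Step 2: the client answers with MD5(7 || secret || challenge);
    # the secret itself never crosses the link.
    resp = chap_response(7, b"s3cret", chal)
    accepted = server.verify(7, "alice", resp)
    replayed = server.verify(7, "alice", resp)             # challenge already used
    chal2 = server.challenge(8)
    wrong = server.verify(8, "alice", chap_response(8, b"guess", chal2))
    cracked = offline_guess(7, chal, resp, [b"password", b"letmein", b"s3cret"])
    return {
        "accepted": accepted,                 # True
        "replay_accepted": replayed,          # False
        "wrong_secret_accepted": wrong,       # False
        "cracked": cracked,                   # b"s3cret"
    }


if __name__ == "__main__":
    print(demo())
```

The protocol resists replay and never exposes the secret directly, but the last line of the demo is the practical weakness: anyone who captures one exchange can test passwords at MD5 speed, offline, with no lockout. That is why CHAP-style methods belong inside a TLS tunnel (EAP-TTLS, PEAP) or should give way to certificate-based EAP-TLS.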
PAP (Password Authentication Protocol)
Password Authentication Protocol sends the user name and password in plaintext and is the least secure authentication protocol. It is typically negotiated only if the remote access client and remote access server cannot agree on a more secure form of validation, and it should be refused unless the link is already encrypted (as when PAP is carried inside an EAP-TTLS tunnel).
RADIUS (Remote Authentication Dial-In User Service)
RADIUS is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations. It runs over UDP (port 1812 for authentication, 1813 for accounting), and each network access server shares a secret with the RADIUS server.
Some ISPs (commonly modem, DSL or wireless 802.11 services) require you to enter a username and password in order to connect to the Internet. Before access to the network is granted, this information is passed to a Network Access Server (NAS) device over the Point-to-Point Protocol (PPP), then to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP.
If accepted, the server authorizes access to the ISP system and selects an IP address. RADIUS is also widely used by VoIP service providers and by WPA/WPA2 Enterprise wireless networks. Only the User-Password attribute is obfuscated in transit, using MD5 keyed with the shared secret and the request authenticator; the rest of each packet travels in the clear, so RADIUS traffic should stay on a trusted management network or be carried over IPsec or RadSec (RADIUS over TLS, RFC 6614).
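The password-hiding step, and why the shared secret matters, as an added example that is not code from the original page. It implements the User-Password transform from RFC 2865 section 5.2 exactly (pad to 16-byte blocks, then each block is XORed with MD5 of the secret and the previous ciphertext block, starting from the Request Authenticator), and then shows that an eavesdropper who knows one user's password can brute-force a weak shared secret from a single captured Access-Request. The secret, request authenticator and password are made up.

```python
"""RADIUS User-Password hiding (RFC 2865 s5.2) and its dependence on the secret."""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 the 16-byte
    Request Authenticator and the password null-padded to 16-byte blocks."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same chain run backwards; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def crack_shared_secret(hidden: bytes, request_auth: bytes,
                        known_password: bytes, candidates):
    """Eavesdropper side: the Request Authenticator and the hidden attribute
    are both visible on the wire. Knowing (or guessing) one user's password,
    test candidate secrets until the transform yields it. A recovered secret
    unmasks every password sent between that NAS and server."""
    for candidate in candidates:
        if reveal_password(hidden, candidate, request_auth) == known_password:
            return candidate
    return None


def demo() -> dict:
    secret = b"testing123"                    # a weak, guessable shared secret
    request_auth = bytes(range(16))           # fixed here; a real NAS uses random bytes
    hidden = hide_password(b"hunter2", secret, request_auth)
    return {
        "hidden_len": len(hidden),                                  # 16
        "roundtrip": reveal_password(hidden, secret, request_auth), # b"hunter2"
        "cracked": crack_shared_secret(hidden, request_auth, b"hunter2",
                                       [b"secret", b"radius", b"testing123"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the code: the shared secret must be long and random, because it is the only thing standing between a captured packet and the password; and the Request Authenticator must be unpredictable, because a repeated authenticator under the same secret reuses the same MD5 pad for the first block.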
Kerberos and EAP (Extensible Authentication Protocol)
Kerberos is a ticket-based authentication system designed to let two parties prove their identities to each other across an open network without sending passwords over it. A trusted Key Distribution Center (KDC) issues each user who logs on a ticket-granting ticket; the client presents that to obtain a service ticket for each server it wants to reach. The service ticket, encrypted with the server's own key, proves the client's identity to that server and carries a session key the two sides can use to protect their traffic.
Extensible Authentication Protocol, or EAP, is a general authentication framework frequently used in wireless networks and point-to-point connections. Although EAP is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. EAP carries many methods (EAP-TLS, EAP-TTLS, PEAP and others); WPA and WPA2 Enterprise use EAP over IEEE 802.1X, with a RADIUS server behind the access point, as their authentication mechanism.
Smart cards are gaining in popularity as a way to ensure secure authentication using a physical key. Smart cards are able to provide an interactive logon, secure e-mail messages, and authenticate access to network services.
Smart cards contain chips that store a user's private key and can also store logon information, public key certificates and other data, depending on the card's use. When a user needs to access a resource, the user inserts the smart card into a reader attached to the computer. After the user types the card's personal identification number (PIN), the card performs the private-key operation on the chip itself (the key never leaves the card), the user is authenticated and can access network resources. The private key is then available for transparent access to encrypted information.
Smart cards require Public Key Infrastructure (PKI), a method of distributing encryption keys and certificates. In addition, each protected resource will require a smart-card reader. Some implementations of smart cards combine the smart card with employee badges so that employees need a single card for building and network access.
Remote access protocols and services:
RAS (Remote Access Service)
Remote Access Service A service that provides remote networking for telecommuters, mobile workers, and system administrators who monitor and manage servers at multiple branch offices. Users with RAS can dial in to remotely access their networks for services such as file and printer sharing, electronic mail, scheduling, and SQL database access.
PPP (Point-to-Point Protocol)
PPP is based on an open standard defined in RFCs 1332, 1661, and 2153. PPP works with asynchronous and synchronous serial connections as well as High-Speed Serial Interfaces (HSSI) and ISDN interfaces (BRI and PRI).
PPP has many more features than HDLC. Like HDLC, PPP defines a frame type and how two PPP devices communicate with each other, including the multiplexing of network and data link layer protocols across the same link. However, PPP also does the following:
- Performs dynamic configuration of links
- Allows for authentication
- Compresses packet headers
- Tests the quality of links
- Performs error detection (a frame check sequence on each frame; PPP does not correct errors)
- Allows multiple PPP physical connections to be bound together as a single logical connection (referred to as multilink)
PPP has three main components:
- Frame format (encapsulation)
- Link Control Protocol (LCP)
- Network Control Protocol (NCP)
Each of these three components plays an important role in the setup, configuration, and transfer of information across a PPP connection.
SLIP (Serial Line Internet Protocol)
An older industry standard that is still included in the Windows remote access client to ensure interoperability with other remote access software. SLIP has no authentication, encryption, compression or error detection of its own.
PPPoE (Point-to-Point Protocol over Ethernet)
Point-to-Point Protocol over Ethernet encapsulates PPP frames in Ethernet frames and is usually used in conjunction with ADSL services.
It gives you a lot of the familiar PPP features like authentication, encryption and compression, but there's a downside: its maximum transmission unit (MTU) is lower than standard Ethernet's (1492 rather than 1500 bytes, since the PPPoE and PPP headers take 8 bytes), and if your firewall isn't solidly configured (for example if it drops the ICMP messages that path MTU discovery relies on), this little attribute can really give you some grief! Still somewhat popular in the United States, PPPoE's main feature is that it adds a direct connection to Ethernet interfaces while providing DSL support as well. It's often used by many hosts on a shared Ethernet interface for opening PPP sessions to various destinations via at least one bridging modem.
PPTP (Point-to-Point Tunneling Protocol)
Networking technology that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks across the Internet or other networks by dialing into an Internet service provider (ISP) or by connecting directly to the Internet. The Point-to-Point Tunneling Protocol (PPTP) tunnels, or encapsulates, IP, IPX or NetBEUI traffic inside IP packets, so users can remotely run applications that depend on particular network protocols. PPTP's security rests on MS-CHAPv2 for authentication and the RC4-based MPPE for encryption; both are broken, and PPTP should be considered obsolete in favour of L2TP/IPsec, plain IPsec or TLS-based VPNs.
VPN (Virtual Private Network)
A virtual private network extends a private LAN across a public network such as the Internet by tunneling traffic, normally with encryption and authentication, so that remote users or sites appear to be on the private network. PPTP (see above), L2TP/IPsec, native IPsec and TLS-based VPNs are common implementations.
RDP (Remote Desktop Protocol)
Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a computer running Microsoft Terminal Services. Clients exist for most versions of Windows (including handheld versions) and for other operating systems such as Linux, FreeBSD, Solaris and Mac OS X. The server listens by default on TCP port 3389. A listener reachable from the Internet is a standing target for password guessing and for exploits against the RDP service itself, so it should sit behind a VPN or RD Gateway with Network Level Authentication enabled rather than being exposed directly.
- Version 4.0 was introduced with Terminal Services in Windows NT 4.0 Server, Terminal Server Edition.
- Version 5.0, introduced with Windows 2000 Server, added support for a number of features, including printing to local printers, and aimed to improve network bandwidth usage.
- Version 5.1, introduced with Windows XP Professional, included support for 24-bit color and sound.
- Version 5.2, introduced with Windows Server 2003, included support for console mode connections, a session directory, and local resource mapping.
- Version 6.0, introduced with Windows Vista, includes a significant number of new features, most notably Network Level Authentication, the ability to remotely access a single application instead of the entire desktop, and support for 32-bit color.
Prerequisites for 200-301
200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.
The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.