Thursday, January 12, 2012

CCDA 640-864 Official Cert Guide - Chapter 12 Summary


Network Security Overview
U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley or SOX): Focuses on the accuracy and controls imposed on a company’s financial records. This was passed as a U.S. federal law because of a number of corporate and accounting scandals.

Payment Card Industry (PCI) Data Security Standard (DSS): PCI DSS defines how to protect cardholder data, including the storage and transfer of cardholder information. Retailers and other merchants that accept credit cards must meet PCI DSS requirements or face stiff penalties, and they are subject to regular and rigorous audits for PCI DSS compliance.

Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA): Provides protection against the sale of bank and account information that is regularly bought and sold by financial institutions. GLBA also guards against the practice of obtaining private information through false pretenses.

U.S. Health Insurance Portability and Accountability Act (HIPAA): Applies to the protection of private health information that is used electronically. The purpose is to enable better access to health information, reduce fraud, and lower the cost of health care in the United States.

EU Data Protection Directive 95/46/EC: Calls for the protection of people’s right to privacy with respect to the processing of personal data.

Reconnaissance: The goal of reconnaissance is to gather as much information as possible about the target host/network. Generally, this type of information gathering is done before an attack is carried out.

Gaining unauthorized access: Refers to attacking or exploiting the target system or host. Known vulnerabilities in the operating system or its services, or physical access to the host, give the attacker a foothold from which to escalate privileges. Social engineering is another route: manipulating employees into disclosing confidential information. Once the host is compromised, confidential information can be read, changed, or deleted.

Denial of service (DoS): DoS attacks aim to exhaust resources such as memory, CPU, and bandwidth so that the target system can no longer serve legitimate users. A distributed DoS (DDoS) attack delivers the same effect from many sources working together.

Feature: Description

DHCP snooping: Verifies DHCP transactions and prevents a rogue DHCP server from interfering with production traffic.

Dynamic ARP Inspection (DAI): Intercepts Address Resolution Protocol (ARP) packets and verifies that they carry valid IP-to-MAC bindings (checked against the DHCP snooping binding table).

Unicast Reverse Path Forwarding (uRPF): Prevents packets with unknown or spoofed source addresses from using the network as a transport mechanism to carry out attacks.

Access control lists (ACL): Control what traffic is allowed on the network.

Rate limiting: Limits the rate of incoming traffic such as ARP packets and DHCP requests.
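The features in the table map onto a handful of IOS commands on a Catalyst access switch. The configuration below is an added example written for this summary, not from the Cert Guide; the VLAN number, interface names, the 10.10.10.0/24 subnet and the ACL name ANTI-SPOOF are all assumptions.

```cisco
! Added example (not from the CCDA Cert Guide). Assumed: VLAN 10 is the
! user VLAN, Gi1/0/1 is the uplink, Gi1/0/2-48 are access ports,
! 10.10.10.0/24 is the VLAN 10 subnet, ANTI-SPOOF is an assumed ACL name.
!
! --- DHCP snooping: build the IP-to-MAC binding table for VLAN 10 ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the relay/DHCP server expects it
no ip dhcp snooping information option
!
! --- Dynamic ARP Inspection: check ARP against the snooping bindings ---
ip arp inspection vlan 10
! Also drop ARP packets whose Ethernet and ARP-body addresses disagree
ip arp inspection validate src-mac dst-mac ip
!
! Only the uplink is trusted for DHCP server replies and for ARP
interface GigabitEthernet1/0/1
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted and are rate limited (15 packets/s each);
! a port that exceeds the limit is err-disabled
interface range GigabitEthernet1/0/2 - 48
 description User access ports
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! --- uRPF and an ingress ACL on the routed interface for VLAN 10 ---
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ! strict mode: the source must be reachable back out this same interface
 ip verify unicast source reachable-via rx
 ip access-group ANTI-SPOOF in
!
! Only the VLAN's own subnet may source traffic toward the core
ip access-list extended ANTI-SPOOF
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log
```

Verify with `show ip dhcp snooping binding`, `show ip arp inspection vlan 10` and `show ip interface Vlan10 | include verify`. Two caveats a practitioner hits in practice: DAI trusts only what DHCP snooping has learned, so statically addressed hosts on VLAN 10 need an ARP ACL (`arp access-list` plus `ip arp inspection filter`) or their ARP is dropped; and strict uRPF (`reachable-via rx`) drops legitimate traffic where routing is asymmetric, in which case use loose mode (`reachable-via any`) on that interface.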


When an attacker changes sensitive data without proper authorization, this is called an integrity violation.

A confidentiality breach occurs when an attacker reads, or gains access to, sensitive information.

Security Policy and Process



Basic Approach of a Security Policy:
To help create a security policy, here is a generally accepted approach from RFC 2196:
Step 1. Identify what you are trying to protect.
Step 2. Determine what you are trying to protect it from.
Step 3. Determine how likely the threats are.
Step 4. Implement measures that protect your assets in a cost-effective manner.
Step 5. Review the process continuously, and make improvements each time a weakness is found.


PKI
  • It relies on asymmetric cryptography, in which each party has a mathematically related key pair: a public key that can be shared freely and a private key that must stay secret.
  • For confidentiality, the public key encrypts and only the matching private key decrypts; for digital signatures the direction is reversed: the private key signs and the public key verifies.
  • PKI requires a certificate, which binds a public key to an identity and is issued by a certificate authority (CA); certificates are used by many e-commerce sites on the Internet.

VPN Name: Description

Standard IPsec: Uses AH and ESP to secure data; requires that the endpoints have IPsec software.

Cisco DMVPN: Secure encrypted point-to-point GRE tunnels with on-demand spoke-to-spoke connectivity.

Cisco Easy VPN: Simplifies hub-and-spoke VPNs; used where there is a need to reduce VPN management.

Cisco GRE-based VPN: Enables routing and multicast traffic across an IPsec VPN; supports non-IP protocols and QoS.

Cisco GET VPN: Integrates encryption on IP and MPLS WANs; simplifies encryption management using group keying; any-to-any connectivity.


The IPsec suite is an open standard (IETF RFCs). IPsec uses the following protocols to perform various functions:
  • Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams, plus optional protection against replay attacks. AH does not encrypt the payload.
  • Encapsulating Security Payload (ESP) provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.
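To see where AH and ESP sit in a standard IPsec (IKEv1) site-to-site configuration, here is an added IOS example written for this summary, not from the Cert Guide. The WAN addresses 198.51.100.1 and 203.0.113.2, the two LAN subnets, the pre-shared-key placeholder and the names ESP-AES-SHA, AH-ONLY, VPN-TRAFFIC and SITE-TO-SITE are all assumptions.

```cisco
! Added example (not from the CCDA Cert Guide). Assumed: local WAN
! 198.51.100.1, peer 203.0.113.2, local LAN 10.10.10.0/24, remote LAN
! 10.20.20.0/24; all names and the PSK placeholder are made up.
!
! --- IKE phase 1: authenticate the peers and protect the negotiation ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Pre-shared key: replace the placeholder and never reuse it across peers
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! --- IKE phase 2 transform sets ---
! ESP: confidentiality (AES-256) plus integrity/origin authentication
! (HMAC-SHA-256); ESP sequence numbers give the anti-replay service.
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
! AH only: integrity and origin authentication, NO encryption. Shown for
! contrast; AH also covers the outer IP header, so it breaks behind NAT.
crypto ipsec transform-set AH-ONLY ah-sha-hmac
 mode tunnel
!
! Traffic selector: only LAN-to-LAN traffic enters the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
!
crypto map SITE-TO-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 ! fresh Diffie-Hellman exchange per phase-2 SA (perfect forward secrecy)
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.1 255.255.255.0
 crypto map SITE-TO-SITE
```

The peer needs the mirror image: the same phase 1 policy and transform set, its own PSK entry for 198.51.100.1, and a VPN-TRAFFIC ACL with the subnets swapped. Check phase 1 with `show crypto isakmp sa` (state QM_IDLE) and phase 2 with `show crypto ipsec sa`, where the `#pkts encaps`/`#pkts decaps` counters should increase and `replay detection support: Y` confirms the anti-replay service is active.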




