This is part five of a series of posts about the CCNA Cyber Ops certification, you can find the fourth part here. This post presents a few concepts used to help us secure our systems.

5.1 Identify the types of data provided by these technologies

• 5.1.a TCP Dump: a tool that displays network traffic
• 5.1.b NetFlow: NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. The basic output of NetFlow is a flow record.
• 5.1.c Next-Gen firewall:Cisco Firepower NGFW appliances combine our proven network firewall with the industry’s most effective next-gen IPS and advanced malware protection.
• 5.1.d Traditional stateful firewall: is a network firewall that tracks the operating state and characteristics of network connections traversing it.
• 5.1.e Application visibility and control: The Cisco Application Visibility and Control (AVC) solution is a suite of services in Cisco network devices that provides application-level classification, monitoring, and traffic control, to:
  • Improve business-critical application performance
  • Support capacity management and planning
  • Reduce network operating costs

• 5.1.f Web content filtering: A Web filter is a program that can screen an incoming Web page to determine whether some or all of it should not be displayed to the user. The data here comes in the form of a URL by browsing or a click on a link.
• 5.1.g Email content filtering: Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing. It uses advanced threat intelligence and a multilayered approach to protect inbound messages and sensitive outbound data. The data or message here comes in the form of an email.

5.2 Describe these types of data used in security monitoring

• 5.2.a Full packet capture: A packet consists of control information and user data, which is also known as the payload. Control information provides data for delivering the payload, for example: source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers. Actual packets collected by storing network traffic.
• 5.2.b Session data: Session data is the summary of the communication between two network devices. Also known as a conversation or a flow, this summary data is one of the most flexible and useful forms of NSM (Network Security Monitoring) data.
• 5.2.c Transaction data: application-specific records generated from network traffic. Logs deeper connection-level information, which may span multiple packets within a connection. Must have predefined templates for protocol formatting. Common for logging HTTP header/request information, SMTP command data, etc.
• 5.2.d Statistical data: Overall summaries or profiles of network traffic.
• 5.2.f Extracted content: Metadata. In a typical NSM deployment, this data would be captured through a network tap or switch. This type of data includes data streams, files, web pages contrary to the full content that would refer to the unfiltered collection of packets.
• 5.2.g Alert data: Judgments made by tools that inspect network traffic. Typically the result of finely-tuned signatures matching against packet content, and similar in nature to transaction data. This information, rather than being for logging purposes is intended to indicate discrete events which might be attacks.

5.3 Describe these concepts as they relate to security monitoring

• 5.3.a Access control list (ACL): specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. IP ACLs control whether routed packets are forwarded or blocked at the router interface. Your router examines each packet in order to determine whether to forward or drop the packet based on the criteria that you specify within the ACL. A Filesystem ACLs is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files.
• 5.3.b NAT/PAT: NAT (Network Address Translation) replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.
• 5.3.c Tunneling: Tunneling is a technique that enables remote access users to connect to a variety of network resources (Corporate Home Gateways or an Internet Service Provider) through a public data network. In general, tunnels established through the public network are point-to-point (though a multipoint tunnel is possible) and link a remote user to some resource at the far end of the tunnel. Major tunneling protocols (ie: Layer 2 Tunneling Protocol (L2TP), Point to Point Tunneling Protocol (PPTP), and Layer 2 Forwarding (L2F)) encapsulate Layer 2 traffic from the remote user and send it across the public network to the far end of the tunnel where it is de-encapsulated and sent to its destination. The most significant benefit of Tunneling is that it allows for the creation of VPNs over public data networks to provide cost savings for both end users, who do not have to create dedicated networks, and for Service Providers, who can leverage their network investments across many VPN customers.
• 5.3.d TOR (The Onion Router): Tor aims to conceal its users’ identities and their online activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe.
• 5.3.e Encryption: is the process of encoding messages or information in such a way that only authorized parties can access it.
• 5.3.f P2P (Peer to Peer): in computing or networking is a distributed application architecture that partitions tasks or workloads between peers.
• 5.3.g Encapsulation: is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects.

• 5.3.h Load balancing: When a router learns multiple routes to a specific network via multiple routing processes (or routing protocols, such as RIP, RIPv2, IGRP, EIGRP, and OSPF), it installs the route with the lowest administrative distance in the routing table. In a more general sense it improves the distribution of workloads across multiple computing resources, such as computers, a computer cluster, network links, central processing units, or disk drives.

5.4 Describe these NextGen IPS event types

• 5.4.a Connection event: Connection events are the records of any connection that occurs in a monitored network.
• 5.4.b Intrusion event: When the system recognizes a packet that is potentially malicious.
• 5.4.c Host or endpoint event: events that happen the endpoints connected to your network.
• 5.4.d Network discovery event: Discovery events alert you to the activity on your network and provide you with the information you need to respond appropriately. They are triggered by the changes that your managed devices detect in the network segments they monitor.
• 5.4.e NetFlow event: significant events in the life of a flow, like creation tear-down, and flows denied by an access rule.

5.5 Describe the function of these protocols in the context of security monitoring

• 5.5.a DNS: is a globally distributed, scalable, hierarchical, and dynamic database that provides a mapping between hostnames, IP addresses (both IPv4 and IPv6), text records, mail exchange information (MX records), name server information (NS records), and security key information defined in Resource Records (RRs). DNS primarily translates hostnames to IP addresses or IP addresses to hostnames. Flaws in the implementation of the DNS protocol allow it to be exploited and used for malicious activities like DOS and DDOS.
• 5.5.b NTP: Network Time Protocol (NTP) is a protocol designed to time-synchronize devices within a network. It is very valuable to have the correct time settings in the events logging systems, in this way the analysis of the events will be accurate.
• 5.5.c SMTP/POP/IMAP: The email servers and the way to connect to them influence heavily in the way monitoring and intrusion prevention are configured. The server that provides the service must be hardened and the connection and download method should be secured with the different methods we’ve read through the post.
• 5.5.d HTTP/HTTPS: The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.