Chapter 5

Network Defenses

Additional Resources

  1. IP Addressing and Subnetting for New Users
     http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800a67f5.shtml

  2. Virtual LAN
     http://en.wikipedia.org/wiki/VLAN

  3. Demilitarized zone
     http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

  4. How Firewalls Work
     http://www.howstuffworks.com/firewall.htm

  5. The Honeynet Project
     http://www.honeynet.org/

  6. Snort – the de facto standard for intrusion detection/prevention
     http://www.snort.org/

Key Terms

•  cache: A temporary storage area.

•  classful addressing: IP addressing in which the split between the network and host portions of an address falls on byte boundaries.

•  convergence: Unifying voice and data traffic over a single Internet Protocol (IP) network.

•  core switches: Switches that reside at the top of the hierarchy and carry traffic between switches.

•  demilitarized zone (DMZ): A separate network that sits outside the secure network perimeter, often used to provide “outside services” such as Web service and e-mail.

•  honeypot: A server intended to trap or trick attackers.

•  host intrusion prevention systems (HIPS): Intrusion prevention systems that are installed on local systems.

•  integrated network security hardware: A hardware device that integrates multipurpose security appliances with a traditional network device such as a switch or router.

•  Internet content filters: A technology that monitors Internet traffic and blocks access to preselected Web sites and files.

•  intrusion prevention system (IPS): A system that finds malicious traffic and deals with it immediately.

•  IP telephony: Adding digital voice clients and new voice applications onto the IP network.

•  multiplexed: Services such as voice, video, and data combined and transported under a universal format.

•  network access control (NAC): A technology that examines the current state of a system and corrects any deficiencies before the system is allowed to connect to the network.

•  network address translation (NAT): A technology that hides the IP addresses of internal network devices from attackers.

•  network intrusion detection system (NIDS): A system that monitors for, and possibly prevents, attempts to attack a local system.

•  network intrusion prevention systems (NIPS): Intrusion prevention systems that work to protect the entire network and all devices connected to it.

•  out-of-band: Using a separate data stream.

•  port address translation (PAT): A variation of network address translation (NAT) that assigns a different TCP port number to each packet.

•  private addresses: IP addresses that are not assigned to any specific user or organization but can be used by any user on a private internal network.

•  production honeypot: A honeypot used mainly by organizations to capture limited information regarding attacks on that organization’s honeypot.

•  proxy server: A computer system (or an application program) that intercepts internal user requests and then processes those requests on behalf of the user.

•  research honeypot: A honeypot that is more complex and is used primarily by research, military, and government organizations.

•  reverse proxy: A device that routes incoming requests to the correct server.

•  rule base: The rules that establish what action the firewall should take when it receives a packet.

•  stateful packet filtering: A firewall technology that keeps a record of the state of a connection between an internal computer and an external server and then makes decisions based on the connection as well as the rule base.

•  stateless packet filtering: A firewall technology that looks at the incoming packet and permits or denies it based strictly on the rule base.

•  subnet addressing: An IP addressing technique in which an IP address can be split anywhere within its 32 bits.

•  subnetting: An IP addressing technique in which an IP address can be split anywhere within its 32 bits.

•  system call: An instruction that interrupts the program being executed and requests a service from the operating system.

•  virtual LAN (VLAN): Segmenting a network by separating devices into logical groups.

•  Voice over IP (VoIP): A technology that places voice traffic onto an IP network.

•  workgroup switches: Switches that are connected directly to the devices on the network.