5.3 Describe these concepts as they relate to security monitoring
- Access Control List: ACLs are used to filter traffic based on source and/or destination. Logs created by ACLs can be useful to monitor for certain types of traffic.
- NAT/PAT: Network Address Translation and Port Address Translation hide internal addresses behind public IP addresses. For security teams, a mapping of these translations is important in order to stitch together evidence from both sides of the translation.
- Tunneling: Tunneling protocols such as GRE, VXLAN and IPsec encapsulate traffic, so the payload may not be visible to normal security controls.
- TOR: The Onion Router is used to anonymize Internet traffic.
- Encryption: Encryption is useful to protect data, but it also can be used to obfuscate attacks and malicious vectors.
- P2P: Peer to Peer traffic can indicate malicious traffic on a network.
- Encapsulation: Similar to Tunneling or encryption, encapsulation can hide malicious traffic.
- Load balancing: Load balancers send traffic to multiple servers to serve up content. Security teams must understand how they work and what vulnerabilities they may have.
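The NAT/PAT point above, as an added example that is not part of the original notes: a small Python correlator that reads a constructed PAT translation log (its format, the 10.1.1.0/24 inside hosts and the 203.0.113.5 public address are all assumed) and maps a public address and port observed by an external sensor at a given time back to the inside host. It checks the translation's lifetime, because PAT reuses a public port once a translation is torn down.

```python
# Added example, not code from the original notes. Log format and all
# addresses below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Translation:
    start: datetime       # translation created
    end: datetime         # translation torn down; the public port is reused after this
    inside_local: str     # private address:port of the real host
    inside_global: str    # public address:port seen by the outside world


# Constructed PAT translation log: "<start>,<end>,<inside_local>,<inside_global>".
# Note that public port 40001 is used by two different inside hosts at different times.
PAT_LOG = """\
2024-03-01T10:00:00,2024-03-01T10:05:00,10.1.1.20:51234,203.0.113.5:40001
2024-03-01T10:06:00,2024-03-01T10:09:00,10.1.1.31:49152,203.0.113.5:40001
2024-03-01T10:02:00,2024-03-01T10:20:00,10.1.1.45:33000,203.0.113.5:40002
"""


def parse_pat_log(text: str) -> list[Translation]:
    """Parse the constructed log format into Translation records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, local, glob = line.split(",")
        entries.append(Translation(datetime.fromisoformat(start),
                                   datetime.fromisoformat(end), local, glob))
    return entries


def find_inside_host(entries: list[Translation], public_ip: str,
                     public_port: int, seen_at_iso: str) -> Optional[str]:
    """Return the inside_local (ip:port) that was behind public_ip:public_port
    at the time seen_at_iso (ISO 8601), or None if no translation was active.
    Matching on address and port alone would attribute the external event to
    the wrong host whenever the port has since been reused, so the timestamp
    must fall inside the translation's lifetime."""
    seen_at = datetime.fromisoformat(seen_at_iso)
    target = f"{public_ip}:{public_port}"
    for e in entries:
        if e.inside_global == target and e.start <= seen_at <= e.end:
            return e.inside_local
    return None
```

Clocks on the NAT device and the external sensor must agree for the lifetime check to be meaningful, which is the reason NTP appears under section 5.5.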
5.4 Describe these NextGen IPS event types
- Connection Event: Logs the connections made by hosts seen by the IPS. Can be used to see what hosts have talked to which other hosts.
- Intrusion Event: Logs that show alerts for traffic that matches signatures for intrusion attempts.
- Host or endpoint event: Event logs that show HIPS alerts.
- Network Discovery event: Events that show how an IPS has learned about the hosts on the network by profiling the traffic.
- NetFlow event: Events triggered by NetFlow data.
5.5 Describe the function of these protocols in the context of security monitoring
- DNS: DNS must be monitored both for the information it reveals about contact with malicious sites and to ensure that DNS traffic isn't being used for exfiltration.
- NTP: Network Time Protocol allows for time synchronization of devices. Time synchronization makes correlation of logs much easier.
- SMTP/POP/IMAP: Mail protocols must be monitored for malicious inbound traffic as well as for exfiltration of stolen data.
- HTTP/HTTPS: Web traffic can be used for malicious content and must be filtered and monitored.