CyberOps Chapter 24-25 Review

ACLs should only permit special types of ICMP messages to enter an internal network. Allowed ICMP traffic includes an ICMP reply, source quench, and any ICMP unreachable messages. All other ICMP traffic types should be denied.

Alert data consists of messages generated by intrusion prevention systems (IPSs) or intrusion detection systems (IDSs) in response to traffic that violates a rule or matches the signature of a known exploit. A network IDS (NIDS), such as Snort, comes configured with rules for known exploits.

HTTPS enables end-to-end encrypted network communication, which adds further challenges for network administrators to monitor the content of packets to catch malicious attacks.

Some malware uses DNS to communicate with command-and-control (CnC) servers to exfiltrate data in traffic that is disguised as normal DNS query traffic.

Syslog is important to security monitoring because network devices send periodic messages to the syslog server. These logs can be examined to detect inconsistencies and issues within the network.

An inline frame or iFrame is an HTML element that allows the browser to load a different web page from another source.

NAT/PAT maps multiple internal IP addresses with only a single or a few outside IP addresses breaking end-to-end flows. The result makes it difficult to log the inside device that is requesting and receiving the traffic. This is especially a problem with a NetFlow application because NetFlow flows are unidirectional and are defined by the addresses and ports that they share.

NTP uses UDP port number 123. Threat actors could use port 123 on NTP systems in order to direct DDoS attacks through vulnerabilities in client or server software.

Load balancing manager (LBM) devices distribute traffic between devices or network paths to prevent overwhelming network resources. LBM devices may send probes to different servers to detect that the servers are operating. These probes can appear to be suspicious traffic.