If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of advanced security devices used to secure networks.
For example, can you answer this practice test question?
Q. Of the following choices, what can you use to divert malicious attacks on your network away from valuable data to worthless, fabricated data?
A. IPS
B. Proxy server
C. Web application firewall
D. Honeypot
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
SSL/TLS Accelerators
SSL/TLS accelerators refer to hardware devices focused on handling Transport Layer Security (TLS) traffic. TLS is the designated replacement for Secure Sockets Layer (SSL), but many people are familiar with SSL terminology so you’ll continue to see it, even if the only protocol it’s using is TLS.
TLS provides encryption for many different protocols, including Hypertext Transfer Protocol Secure (HTTPS). HTTPS uses a certificate and asymmetric encryption. The process of establishing the HTTPS session, negotiating the best security supported by both the client and the server, sharing encryption keys, and encrypting session data all take a lot of time and resources. By off-loading this to another hardware device, it frees up the primary computer’s resources, such as CPU power and RAM.
When using an SSL accelerator, it’s best to place it as close as possible to related devices. For example, if you’re using an SSL accelerator to off-load HTTPS sessions for a web server, place the SSL accelerator close to the web server.
SSL Decryptors
Some organizations use SSL decryptors to combat threats that hide inside encrypted traffic. For example, attackers often use encryption to prevent inspection methods from detecting malware coming into a network.
As an example, imagine Homer innocently goes to a malicious web site. The web site establishes a secure HTTPS connection, and then downloads malware to Homer’s computer. Because the site is using HTTPS, the malware is encrypted while in transit. Even if an organization had the best content inspection methods and malware detection software, it wouldn’t detect the malware while it’s encrypted.
An SSL decryptor solves this problem. You would place it in the DMZ and redirect all traffic to and from the Internet through it. Unencrypted data goes through the device without any modification. However, any attempt to establish an encrypted session prompts the SSL decryptor to intercept the handshake and create a separate SSL (or TLS) session on each side of itself.
When Homer innocently goes to a malicious web site, the traffic goes through the SSL decryptor. The SSL decryptor establishes an HTTPS session between it and Homer’s computer. It also establishes an HTTPS session between it and the web site. All data-in-transit is encrypted. However, the SSL decryptor sits between the two sessions, so it can view the unencrypted data and inspect it. For this to work without certificate warnings, the organization’s computers must trust the certificate authority the decryptor uses to sign the certificates it presents to clients.
SSL decryptors are often used with a network-based intrusion prevention system (NIPS). The NIPS is inline, but malicious traffic can get through it if the traffic is encrypted. The SSL decryptor allows the NIPS to inspect the unencrypted traffic and prevent attacks.
Honeypots
A honeypot is a sweet-looking server—at least it’s intended to look sweet to the attacker, similar to how honey looks sweet to a bear. It’s a server that is left open or appears to have been sloppily locked down, allowing an attacker relatively easy access. The intent is for the server to look like an easy target so that the attacker spends his time in the honeypot instead of in a live network. In short, the honeypot diverts the attacker away from the live network.
As an example, a honeypot could be a web server designed to look like a live web server. It would have bogus data such as files and folders containing fabricated credit card transaction data. If an organization suspects it has a problem with a malicious insider, it can create an internal honeypot with bogus information on proprietary projects.
Honeypots typically have minimal protection that an attacker can easily bypass. If administrators don’t use any security, the honeypot might look suspicious to experienced attackers and they might simply avoid it.
Security personnel often use honeypots as a tool to gather intelligence on the attacker. Attackers are constantly modifying their methods to take advantage of different types of attacks. Some sophisticated attackers discover and exploit vulnerabilities before a patch is released (a zero-day vulnerability, attacked with a zero-day exploit). In some cases, security professionals observe attackers launching zero-day attacks against a honeypot.
Honeypots never hold any data that is valuable to the organization. The data may appear to be valuable to an attacker, but its disclosure is harmless. Honeypots have two primary goals:
- Divert attackers from the live network. If an attacker is spending time in the honeypot, he is not attacking live resources.
- Allow observation of an attacker. While an attacker is in the honeypot, security professionals can observe the attack and learn from the attacker’s methodologies. Honeypots can also help security professionals learn about zero-day exploits, or previously unknown attacks.
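As an added example that is not part of the original post, here is a minimal low-interaction honeypot in Python that does both jobs listed above: it presents a fake, easy-looking service to whoever connects, and it records each connection as intelligence (who, when, and what was sent) without holding any real data. The banner string, the probe() test client and the in-memory event log are constructed for this demonstration; a real deployment would forward the events to a SIEM.

```python
import datetime
import socket
import threading

# Constructed fake banner: an old-looking service makes the host look like an
# easy target; there is no real service and no real data behind it.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"


class Honeypot:
    """Low-interaction honeypot: answers with a fake banner, logs who connected
    and what they sent first, then drops the connection."""

    def __init__(self, host="127.0.0.1", port=0):  # port 0: pick a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []  # in-memory log; a deployment would ship this to a SIEM
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, addr = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        with conn:  # the connection closes only after the event is logged
            conn.sendall(FAKE_BANNER)
            conn.settimeout(2.0)
            try:
                data = conn.recv(1024)
            except OSError:
                data = b""
            # Every record is intelligence: who connected, when, what they tried.
            self.events.append({
                "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "src_ip": addr[0],
                "first_bytes": data[:64].decode("utf-8", "replace"),
            })


def probe(port, payload):
    """Constructed local test client: reads the banner, sends a payload, then
    waits for the honeypot to hang up, so its log entry exists on return."""
    with socket.create_connection(("127.0.0.1", port), timeout=5.0) as s:
        banner = s.recv(64)
        s.sendall(payload)
        s.recv(1)  # returns b"" once the honeypot closes its side
    return banner
```

The honeypot listens on the loopback address only; the point is the pattern (fake service in front, logging behind, nothing of value inside), not the banner.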
Q. Of the following choices, what can you use to divert malicious attacks on your network away from valuable data to worthless, fabricated data?
A. IPS
B. Proxy server
C. Web application firewall
D. Honeypot
Answer is D. A honeypot can divert malicious attacks to a harmless area of your network, such as away from production servers holding valid data.
An intrusion prevention system (IPS) can block attacks, but it doesn’t divert them.
A proxy server can filter and cache content from web pages, but it doesn’t divert attacks.