IDP - FN, TN, TP, FP

I have talked with a few security administrators that seem to struggle with the understanding of FN, TN, FP, TP. I have decided to try to create a simple method to remember.

True/False = This either CORRECTLY or INCORRECTLY identifies an attack
Positive/Negative = This performs and event that takes an ACTION or is ACTION-LESS

True Positive (TP) - A legitimate attack (CORRECTLY) which triggers an IDP to produce and alarm/alert or mitigate the risk (ACTION)

False Positive (FP) - An IDP believes there is an attack taking place (INCORRECTLY) and produces an alarm/alert or mitigates the risk (ACTION).This can cause disrupt legitimate traffic and flood your IDP with alerts drowning real alerts that may be taking place. Some traffic that may cause false positives include:

• Legitimate applications that do not follow RFC's 
• Legitimate traffic in one part of an organization that may not follow normal behaviors in another part of the organization causing alerts. 
• Signatures that we written poorly and identify both legitimate and illegitimate traffic. 

False Negative (FN) - There is an attack that has NOT been identified (INCORRECTLY) and no alarm/alert/mitigation was raised (ACTION-LESS). This causes a false sense of security. This can be caused for a variety of reason which may include:

• Signatures miss variations or poorly written
• Obfuscation of an attack on the fly -zero day
• Overloaded IDP 

True Negative - (TN) No attack has taken place (CORRECTLY) and no alarm raised (ACTION-LESS).

CCIE Security

I have just successfully passed the CCIE Security written exam at Cisco Live 2012. The exam was no cake walk and was very challenging. Although I studied all the material from the CCNP security track and read the Network Security Technologies and Solutions (CCIE Professional Development Series) book I did not take any of the CCNP Security exams. I took a little different approach to this CCIE then I took in the R&S track. I will be starting to do the practice labs and will go back to theory throughout the process to do each of the CCNP Security exams. I am hoping that this ensures that I perform the practice labs without fail and continue to cement the theory throughout the process.


Thoughts?

Zone-Based Firewall-Part 1 of 2-Basic Configuration

Great 60 minute video on zone-based firewalls by Solarwinds. Instructor Anthony Sequeira walks us through a couple of constructs and demonstrates the configuration.

ASA Packet Flow - Outside Interface to Inside Host

ASA Packet Flow - Inside Interface to Outside Host

Palo Alto Packet Processing

The flow starts with the initial "Packet Processing" ----> "Security Pre-Policy" ----> "Application" ----> "Security Policy" ----> "Post Policy Processing"

EAP Functionality and Requirements

Stream Ciphers Examples

Here is a list of some of the more common Stream Ciphers

SEAL (Software Encryption Algorithm)
RC4
DES and 3DES leveraging OFB (Output Feedback) or CFB (Cipher Feedback)

Block Ciphers Examples

Here is a list of some of the more common Block Ciphers

Blowfish
RSA
DES and 3DES leveraging ECB (Electronic Code Block) or CBC (Cipher Block Chaining)
AES
IDEA
Skipjack
SAFER (Secure and Fast Encryption Routine)

Symmetric and Asymmetric Algorithms - Basic Differences

Symmetric uses only one key for both encryption and decryption. Sender and receiver share the same shared secret to transfer data securely. Algorithms include DES, 3DES, AES, IDEA, RC2/4/5/6, and Blowfish. Also referred to as "secret key" encryption.

DES - 56bit keys
3DES - 112bit and 168bit keys
AES - 128bit, 192bit, and 256bit keys
IDEA (International Data Encryption Alogrithm) - 128bit keys
RC2 - 40bit and 64bit keys
RC4 - 1bit to 256bit keys
RC5 - 0bit to 2040bit keys
RC6 - 128bit, 192bit, and 256bit keys
Blowfish - 32bit to 448bit keys


Asymmetric uses one key for encryption and another key for decryption referred to as public key infrastructure encryption. Key lengths generally ranging from 512 to 4096bits.

Example of asymmetric encryption RSA,EIGamal, Eliptical Curves, and Diffie Hellman

Layer 2 Security Best Practices

Here are a couple of recommendations from Cisco when it comes to securing layer 2

• STP - Leverage Root Guard and BPDU Guard
• Shutdown unused ports
• Leverage DHCP snooping and DAI (Dynamic Arp Inspection)
• Disable unneeded services
• Use port security to restrict the number of MAC addresses that a port can learn
• Limit management access to a layer 2 switch
• Use SNMPv3
• Do not use the native VLAN to send user data. Create a native VLAN and do not add any ports to it.

This was not mentioned but I would also add PVLAN (Private VLANs) and VACL's where appropriate.

Question 181

What does "no setup express" accomplish?

Question 180

What is the difference between "auto", "force-authorized" and "force-unauthorized" in 802.1x?

Question 171

How do you delete RSA key pairs or a single RSA key pair?

Question 159

Create an ACL that allows WWW traffic to enter the external interface and no other traffic unless it is return traffic generated within the inside network. The return traffic can be UDP, TCP, and IP. You cannot use the keyword "established".
F0/0 - Inside
F0/1 - Outside

Question 158

How do you clear a dynamic access list?

Question 148

How would you prevent a router from returning its IP address during a Reconnaissance Attack.

Question 147

What is the difference between "ip verify unicast source reachable-via any" and "ip verify unicast source reachable-via rx"?

Question 146

How would you intercept and drop random TCP connections to servers 192.168.1.1, 192.168.2.2 as well as the network 10.0.1.0/24?

Question 126

What addresses are included in RFC 3330?