3 & 4 – Network Operations & Security Flashcards

1
Q

What are some examples of Fault Tolerance?

A

RAID

UPS

Clustering

Load balancing

Any redundant hardware components or network paths

2
Q

What does “High Availability” mean?

A

Automatic fault tolerance such that there is essentially zero down time.

3
Q

What is NIC Teaming?

A
  • Multiple network adapters combined in software to work as a single adapter.
  • Used particularly in virtualization / SDN.
  • Aggregates bandwidth and provides redundant paths.
  • NICs communicate with each other to fail over when a NIC doesn’t respond.
  • LBFO: Load Balancing / Fail Over.
4
Q

What is Port Aggregation?

A

Using multiple interfaces as a single port, which provides redundancy. If used across multiple switches, it provides fault tolerance.

5
Q

What is a Cold Site?

A

A recovery site.

  • Has no hardware, no data, and no people.
  • Just an empty location that you would need to bring everything to if the main site went down.
6
Q

What is a Warm Site?

A

A recovery site that functions somewhere between a cold site and a hot site.

  • May have some hardware ready and waiting, but you would need to bring the data.
  • Or, it may just have empty rack space, and you’d also need to bring hardware.
7
Q

What is a Hot Site?

A

A type of recovery site that is an exact (or at least sufficient) replica of your main site.

  • Has all necessary hardware. You buy two of everything, one for the main site and one for the hot site.
  • Applications, software, and data are constantly updated via automated replication from the main site.
8
Q

What is MTTR?

A

Mean Time to Restore (or Repair)

9
Q

What is MTBF?

A

Mean Time Between Failures

10
Q

What is an SLA?

A

Service Level Agreement

  • Contractual recovery expectations. If there is an outage, it must be restored within a certain time.
  • May include penalties for not meeting certain service levels.
11
Q

What is SIEM?

A

Security Information and Event Management

  • Software or a device which allows you to consolidate logs and real-time monitoring data for long-term storage.
  • Usually needs a lot of disk space.
  • Can create reports, send out security alerts, and provide details for forensic analysis.
12
Q

What is a vulnerability scan?

A

Checks for vulnerabilities on your network, but is usually minimally invasive, unlike a penetration test.

  • Runs a scan, identifies systems and security devices.
  • Can test the network from both the inside and the outside.
13
Q

What are some examples of what a vulnerability scan is useful for identifying?

A
  • Lack of security controls, such as no firewall or no AV.
  • Misconfigurations, such as open shares or guest access.
  • Application and service vulnerabilities
  • Finds unknown devices on the network
14
Q

What is Syslog?

A

A standardized way to transfer log information from a variety of different devices to a centralized log receiver, often a SIEM.

15
Q

What is a MIB?

A

Management Information Base

  • A database of data used for SNMP.
  • MIB-II is the standardized database that most devices use.
  • Proprietary MIBs also exist. A MIB for a specific device can be provided to an SNMP system so it knows how to read that device’s SNMP metrics.
16
Q

What is IPSec?

A

Internet Protocol Security

  • A remote access protocol.
  • One of the most popular. Implementations from different vendors can interoperate.
  • Commonly used for Site-to-Site VPNs.
  • Provides security at OSI Layer 3 (network)
  • Authenticates and encrypts every packet.
17
Q

What is an SSL VPN?

A
  • Commonly used for end-user / client-to-site VPN access.
  • Uses the common SSL/TLS protocol (tcp/443), which is typically allowed through firewalls without requiring additional configuration.
  • Uses software or clients built into the OS.
18
Q

What is a DTLS VPN?

A

Datagram Transport Layer Security

  • Provides the security of SSL/TLS, but the speed of datagrams.
  • Transport uses UDP instead of TCP.
  • Useful for streaming and VoIP.
19
Q

What is Out-of-band management?

A
  • Allows access to a device without using the external network.
  • Usually a separate management interface, often a serial or USB connection.
  • A modem could be connected to that interface, to allow remote access to the device over phone lines.
20
Q

What is a Console Router?

A

Out-of-band access for multiple devices.

  • Connected to a modem to allow dial-in remote access.
  • Multiple out-of-band management interfaces are connected to the Console Router to allow access.
  • Also known as a Comm Server
21
Q

What is a Comm Server?

A

Another name for a Console Router.

22
Q

What is a Privileged User Agreement?

What are the related best practices?

A
  • A signed agreement outlining the policies of privileged access to data.
  • Since Network and System Admins have such high access, best practices are to:
  • use non-privileged methods when possible and appropriate
  • use privileged access only for assigned job duties
23
Q

What are On-Boarding and Off-Boarding policies?

A

Policies regarding when a new person is coming into an organization, and when an employee is leaving an organization.

24
Q

What is DLP?

A

Data Loss Prevention

  • Policies relating to how sensitive information is appropriately handled.
  • For example, requiring that medical information is encrypted a certain way when transferred.
  • DLP solutions can monitor traffic and create alerts when a policy violation occurs.
25
Q

What should be included in an Incident Response Policy?

A
  • How an incident is identified
  • How an incident is categorized
  • Who responds to an incident
  • What process is followed
26
Q

What is an AUP?

A

Acceptable Use Policy

• Defines acceptable use of company assets.

27
Q

What is an NDA?

A

Non-Disclosure Agreement

  • Legal agreement for confidentiality.
  • Prevents the use and dissemination of confidential information.
28
Q

What is an MSDS?

A

Material Safety Data Sheet

Provides safety information for proper handling of materials and disposal of waste.

29
Q

What is TACACS?

A

Terminal Access Controller Access-Control System

  • A remote authentication protocol.
  • An alternative to RADIUS, and similar.
  • Created to control access to dial-up lines to ARPANET.
  • Not often used anymore.
30
Q

What is RADIUS?

A

Remote Authentication Dial-In User Service

  • A remote authentication protocol (AAA protocol)
  • Standard and widely used, available on almost any server OS
  • Centralizes authentication for users to routers, switches, firewalls, servers, remote VPN access, etc.
31
Q

What is XTACACS?

A

Extended TACACS

  • A proprietary, customized version of TACACS created by Cisco
  • Provides additional support for accounting and auditing.
  • Not often used anymore.
32
Q

What is TACACS+?

A
  • The latest version of TACACS, and usually the only one still used today.
  • Not backwards compatible
  • Released as an open standard in 1993
  • Adds more authentication requests and response codes.
33
Q

What is Kerberos?

A

A network authentication protocol

  • Single sign-on feature: authenticate once, and you’re trusted by the system. No need to re-authenticate to everything separately.
  • Mutual authentication: client authenticates to the server, and the server also authenticates to the client
  • Also provides encryption, preventing man-in-the-middle or replay attacks.
  • A standard since the 1980s, developed by MIT.
  • Microsoft started using Kerberos in Windows 2000.
34
Q

What is “local authentication”?

A

A type of authentication in which credentials are stored on the local device, rather than any centralized database or directory.

For example, switches typically only use local authentication.

• Most devices include an initial local account, which has a default password.

35
Q

What are possible factors of MFA?

A

Multi-factor authentication

Factors could include:

  • Something you are
  • Something you have
  • Something you know
  • Somewhere you are
  • Something you do
36
Q

What is NAC?

A

Network Access Control

A form of port-based access control (physical ports, not TCP/UDP ports). Requires authentication before allowing access to any interface on the switch.

IEEE 802.1X is the most common standard of NAC.

37
Q

What is Port Security, and how does it operate?

A

A method for preventing unauthorized connections to a switch interface, based on the source MAC address (even if it is forwarded from elsewhere).

  • Configure the max number of MAC addresses allowed on an interface (Might just be a single MAC, and/or you might configure an allow list of specific MACs).
  • The switch monitors the number of unique MACs
  • Once the max is exceeded, port security activates. The default is usually to disable the interface.
  • Also referred to as Flood Guard
38
Q

What is MAC filtering?

A

Limits access by MAC address, either through allow lists or block lists.

However, MACs are easy to spoof, so this is only security through obscurity.

39
Q

What is an ACL?

A

Access Control List

  • Used to allow or deny traffic, or apply NAT, QoS, or other settings on the traffic.
  • Usually configured on routers
  • Can evaluate based on criteria such as Source, Destination, Port number, ICMP, etc.
40
Q

What are common types of Wireless Encryption (including historical)?

A

WEP

WPA

WPA2

41
Q

What is WPA?

A

Wi-Fi Protected Access

  • Created in 2002 to replace WEP, which had a serious cryptographic weakness.
  • Every packet gets a unique 128-bit encryption key
  • Uses RC4 with TKIP.
42
Q

What is WEP?

A

Wired Equivalent Privacy

An old method for wireless encryption

Unsafe to use due to vulnerabilities and cryptographic weaknesses.

43
Q

What is TKIP?

A

Temporal Key Integrity Protocol

  • Changes encryption key information constantly.
  • Uses a sequence counter to protect against replay attacks.
  • Uses a 64-bit Message Integrity Check to protect against tampering.
  • No longer used due to vulnerabilities; deprecated in the 802.11 standard in 2012.

44
Q

What is an IV?

A

Initialization Vector

45
Q

What is WPA2?

A

Replacement for WPA, beginning in 2004.

  • Uses AES instead of RC4
  • Uses CCMP instead of TKIP
46
Q

What is AES?

A

Advanced Encryption Standard

47
Q

What is CCMP?

A

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

  • Uses AES for data confidentiality
  • Uses a 128-bit key and a 128-bit block size
  • Requires additional computer resources
  • Superior encryption to TKIP
48
Q

What is EAP?

A

Extensible Authentication Protocol

An authentication framework, allowing many different ways to authenticate.

Used by WPA and WPA2.

49
Q

What is EAP-FAST?

A

EAP Flexible Authentication via Secure Tunneling.

50
Q

What is PEAP?

A

Protected Extensible Authentication Protocol

• Encapsulates EAP in a TLS tunnel

51
Q

What is EAP-TLS?

A

EAP over TLS. Also available as EAP-TTLS, a tunneled version.

Strong security, widely adopted

52
Q

What is the difference between WPA2-Personal and WPA2-Enterprise?

A

Personal uses a pre-shared key; everyone uses the same key.

Enterprise uses an 802.1X authentication server, such as RADIUS. Everyone has their own credentials, which can be changed or revoked individually.

53
Q

What is a logic bomb, and how should they be dealt with?

A

A type of malware that is set to take harmful effect under certain conditions, such as a specified time or event.

Because each is unique and has no predefined signature, they are best prevented by formal change control and automated change alerting.

54
Q

What is 802.1X?

A

IEEE 802.1X is the most common standard of Network Access Control.

A form of port-based access control (physical ports, not TCP/UDP ports). Requires authentication before allowing access to any interface on the switch.

55
Q

What is Wardriving?

A

Collecting information about area networks while driving / travelling, by using a WiFi monitor and GPS.

56
Q

What is a “deauthentication” attack?

A

A DoS attack that causes a device to disconnect from a resource, typically a wireless network, and prevents it from reconnecting.

57
Q

What is VLAN hopping?

A

Connecting to a VLAN other than the one you’re on.

Two primary methods:
• Switch spoofing
• Double tagging

58
Q

What is Double Tagging?

A

A form of VLAN hopping.

  • The device sends traffic with multiple VLAN tags, to get through multiple switches. The first switch removes the first tag, but sends it to the next switch with the second tag.
  • The communication is only one way, so no responses will be received back.
  • Useful for a DoS.
59
Q

What is Switch Spoofing?

A

A form of VLAN hopping.

  • Some switches support auto-configuration to determine if a port is connected to a device or a trunk.
  • A device can take advantage of this by pretending to be a trunk link (a switch), which allows TX and RX with any VLAN.
  • This can be prevented by disabling automatic trunk negotiation.
60
Q

What is ARP Poisoning?

A

Sending out ARP data that tells target systems that you have the MAC address which actually belongs to another device.

Used for Man-in-the-Middle attacks.

61
Q

What is the difference between a vulnerability and an exploit?

A

A vulnerability is a weakness in a system.

An exploit is an attack that takes advantage of that vulnerability.

62
Q

What is an out-of-band update?

A

An update released outside of the normal schedule, usually in emergency to address a zero-day exploit or important security discovery.

63
Q

What is file hashing?

A

A hash is a unique, short string of text that’s created by running an algorithm against a data source.

  • The string is called a “message digest.”
  • It allows you to verify the integrity of a downloaded file, because you can compare the downloaded file hash against the posted hash value.
64
Q

What is FIM?

A

File Integrity Monitoring

Monitors important OS and application files that should generally never change, and identifies when changes occur.

It can monitor constantly, or on demand.

65
Q

What are some examples of FIM?

A
  • Windows: SFC (System File Checker)
  • Linux: Tripwire
  • Many host-based IPS options that can monitor any system
66
Q

What is the difference between a vulnerability scan and a penetration test?

A

Unlike a vulnerability scan, a penetration test will actually attempt to exploit the vulnerabilities it finds.

67
Q

What is Flood Guard, and how does it operate?

A

Also known as Port Security.

A method for preventing unauthorized connections to a switch interface, based on the source MAC address (even if it is forwarded from elsewhere).

  • Configure the max number of MAC addresses allowed on an interface (Might just be a single MAC, and/or you might configure an allow list of specific MACs).
  • The switch monitors the number of unique MACs
  • Once the max is exceeded, port security activates. The default is usually to disable the interface.
68
Q

What is DHCP Snooping?

A

Can be enabled on switches to help prevent rogue DHCP servers.

You configure certain interfaces on the switch as trusted, where you know your DHCP server connects. You would then configure the other interfaces as untrusted.

The switch then watches for DHCP conversations, and adds a list of trusted and untrusted devices to a table.

If the switch sees static IP addresses, rogue DHCP server responses, or other invalid traffic patterns, it can filter that traffic out.

69
Q

What is BPDU?

A

Bridge Protocol Data Unit

The Spanning Tree control protocol.

STP uses BPDU to communicate between all the different switches on the network.

70
Q

What is BPDU Guard?

A

When connecting a device to a network, STP convergence can take 20-30 seconds before the new device is able to communicate.

When BPDU Guard is enabled on a particular switch interface, it will bypass the STP configuration phase so devices can connect and communicate immediately on that interface.

It works because non-switch devices should never send BPDU frames. If the switch detects BPDU frames from that interface, it will disable the interface to prevent a potential loop.

71
Q

What is PortFast?

A

Cisco’s name for BPDU Guard.

72
Q

How does STP determine which switch is the root bridge?

A

STP configures the root bridge automatically, but you can also configure it manually by setting a “root bridge priority.”

The switch with the lowest root bridge priority will be set as the root. (0 is the lowest priority option.)

If more than one switch has the same root bridge priority, STP will give priority to the one with the lowest MAC address.

73
Q

What is Root Guard?

A

A feature of Cisco switches, designed to prevent a rogue root bridge.

If you manually configured your root bridge, and it receives a superior BPDU on a root guard port, then root guard will change that interface to listening-only status, and show a “root-inconsistent” message, effectively disabling any inbound traffic from the rogue root interface.

74
Q

How can a network be segmented?

A

It can be segmented:

  • Physically (using separate, disconnected devices),
  • Logically (using VLANs),
  • or Virtually (using virtual networks).
75
Q

What is an SOW?

A

Statement of Work

A document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines.

76
Q

What is a “legal hold”?

A

A legal hold is a process that an organization uses to preserve all forms of relevant information when litigation is anticipated.

For example: If a legal hold notice has been given to a backup service provider, the provider will not destroy old backups until the hold is lifted.

77
Q

What is LACP?

A

Link Aggregation Control Protocol

Configured on a switch to allow port aggregation.

78
Q

What is a Man Trap?

A

A man trap, like an air lock, is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.

In a manual man trap, a guard locks and unlocks each door in sequence.

79
Q

What is SHA-1?

A

Secure Hash Algorithm

A hashing function used for checking data integrity.

80
Q

What is MD5?

A

Message Digest

A hashing function used for checking data integrity.

81
Q

What are the most popular file hashing functions?

A

Secure Hash Algorithm (SHA) and Message Digest (MD) are a series of hashing functions used for checking data integrity (SHA-1 and MD5 are the most popular versions).