5.0 Network Architecture Flashcards

1
Q

The selection and placement of media, devices, protocols/services, and data assets.

A

Network architecture

2
Q

The media, appliances, and addressing/forwarding protocols that support basic connectivity.

A

Network infrastructure

3
Q

Provides the addressing mechanism for logical networks and subnets.

A

Internet Protocol (IP)

4
Q

All the points at which a threat actor could gain access to hosts and services.

A

Attack surface

5
Q

A box with ports for incoming and outgoing network cabling and an inductor (copper) or optical splitter (fiber) that physically copies the signal from the cabling to a monitor port. Because the copy is made at the physical layer, a TAP sees every frame, including malformed ones, and does not drop frames under load; the trade-off is that it sits inline, so installing it briefly interrupts the link.

A

Test access point (TAP)

6
Q

The sensor is attached to a specially configured port on a switch that receives copies of frames addressed to nominated access ports (or to all the other ports). This method is not completely reliable: frames with errors are not mirrored, and frames may be dropped under heavy load because the mirror port's capacity is shared with the switch's ordinary forwarding work.

A

SPAN (switched port analyzer)/mirror port

7
Q

A ______ control is one that does not require any sort of client or agent configuration or host data transfer to operate. For example, network traffic can be directed or copied to a sensor and scanned by an analysis engine.

A

passive security

8
Q

An ______ that performs scanning must be configured with credentials and access permissions and must exchange data with target hosts. An ______ that performs filtering requires hosts to be explicitly configured to use the control. This might mean installing agent software on the host or configuring network settings to use the control as a gateway.

A

active security control

9
Q

Portions of the network or system that have specific security concerns or requirements.

A

Security zone

10
Q

A network that does not require a physical connection.

A

Wireless network

11
Q

A network that grants internet access only to guest users. A guest network has a firewall to regulate guest user access.

A

Guest network

12
Q

A host (honeypot), network (honeynet), file (honeyfile), or credential/token (honeytoken) set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

A

Honeypot (the generic decoy; honeynet, honeyfile and honeytoken are the network, file and credential/token variants)

13
Q

A decentralized network that allows connections without a traditional base station or router. It allows users to connect two or more devices directly to each other for a specific purpose.

A

Ad hoc

13
Q

A DNS configuration on the organization's own resolver that answers queries for known-malicious domain names with a controlled IP address, so that infected hosts connect to a monitored host instead of the attacker's infrastructure and can be identified from the resolver's logs.

A

DNS sinkhole

14
Q

A hardened server that provides access to other hosts.

A

Jump server

15
Q

Agent-based web filtering involves installing a software agent on desktop computers, laptops, and mobile devices. The agents enforce compliance with the organization’s web filtering policies.

A

Agent-based filtering

16
Q

A network that contains publicly accessible resources and is located between the private network and an untrusted network, such as the internet. It is protected by a firewall.

A

Screened subnet

17
Q

A _______ acts on behalf of a client or user when attempting to access resources over the internet. In this position of an intermediary, the _______ provides a layer of protection to the client. A _______ works on a store-and-forward model: it terminates the client's connection, inspects the request, and only if the request conforms to the rules it has been configured with does it open its own connection to the destination and forward the request. Client computers connect to a specified point on the perimeter network for web access.
Benefits a ________ can provide:
Traffic management
Protection
Anonymity for users by masking their IP addresses
Caching engines
Content filtering
Content monitoring
Incoming network traffic distribution across multiple servers to help balance the load (a reverse proxy in front of a server farm)

A

Proxy server

18
Q

Software or an appliance (often integrated with a proxy or UTM) that allows or blocks web requests based on URL category, keywords, or file type, enforcing the organization's acceptable-use policy.

A

Internet content filter

19
Q

Deception strategy that returns spoofed data in response to network probes.

A

Fake telemetry

20
Q

An appliance that combines many security functions into a single device.

A

All-in-one
security appliance

21
Q

A device that has the ability to analyze and manage network traffic based on the application-layer protocol.

A

Application-aware devices

22
Q

A ______ is a hardened server that provides access to other hosts. ________ are often used for administrative tasks where administrators connect to the _______ first and then use it to access other internal systems, like servers or devices. A ________ is primarily used to enhance security by controlling access to sensitive resources. It acts as a gateway to access certain systems that are kept isolated from the external network. The ________ is typically locked down and secured to a higher degree, ensuring that only authorized users can access it, reducing the risk of unauthorized access to critical systems.

A

Jump server

23
Q

A ________, while primarily used to distribute network traffic across multiple servers to optimize performance, can also serve as a security appliance in certain scenarios. A ______ distributes client requests across available server nodes in a farm or pool. This is used to provision services that can scale from light to heavy loads and to provide mitigation against denial-of-service attacks.

A

Load balancer

24
Q

There are two main types of load balancers:

A

Layer 4 — A layer 4 load balancer makes forwarding decisions on IP address and TCP/UDP port values, working at the transport layer of the OSI model.
Layer 7 — A layer 7 load balancer, or content switch, makes forwarding decisions based on application-level data, such as a request for a particular URL or a content type like video or audio streaming. This requires more complex logic and, for HTTPS, means the balancer must terminate TLS in order to read the request.

25
Q

Sensor

A

A packet sniffer is referred to as a _________. Typically, the packet capture _________ is placed behind a firewall or close to a server of particular importance, so that it sees malicious traffic that has managed to get past the firewall. A single sniffer can record a large amount of traffic data, so do not scatter sensors all over the network without provisioning the storage and analyst time needed to manage them. Depending on network size and resources, one or only a few sensors are deployed to monitor key assets or network paths.
The traffic captured by each sensor is transferred to a host or appliance running an intrusion detection system (IDS), such as Snort, Suricata, or Zeek. When traffic matches a detection signature, the IDS raises an alert or generates a log entry but does not block the source host. A passive sensor of this type adds no latency and, because it sends no traffic of its own, is not directly detectable by the attacker.
An IDS is used to identify and log hosts and applications and to detect password-guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and other policy violations.
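Added example (not part of the original deck): the kind of port-scan check an IDS applies to sensor data, written in Python over constructed packet records. The addresses, the record format and the threshold values are assumptions made for the illustration. It counts distinct destination ports per source within a sliding time window, shows why a scan spread out over minutes slips under a short window, and shows the same slow scan being caught once the window is widened.

```python
import collections

# Constructed sample sensor records, not a real capture:
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
LEGIT = [(100.0 + i, "10.0.0.5", "10.0.0.20", 443 if i % 2 else 22, "S")
         for i in range(30)]                          # one client reusing two services
FAST_SCAN = [(200.0 + i * 0.1, "10.0.0.66", "10.0.0.20", port, "S")
             for i, port in enumerate(range(1, 41))]  # 40 ports in 4 seconds
SLOW_SCAN = [(300.0 + i * 30.0, "10.0.0.77", "10.0.0.20", port, "S")
             for i, port in enumerate(range(1, 21))]  # 20 ports, one every 30 s
SAMPLE_PACKETS = LEGIT + FAST_SCAN + SLOW_SCAN


def detect_port_scans(packets, window=10.0, threshold=15):
    """Flag (src, dst) pairs whose SYN-only packets touch at least `threshold`
    distinct destination ports within any `window`-second span.
    Returns {(src, dst): sorted ports seen in the first triggering window}."""
    by_pair = collections.defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if flags == "S":            # initial SYNs only; established traffic is ignored
            by_pair[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()               # sliding window over time-ordered SYNs
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_PACKETS).items():
        print(f"ALERT port scan {src} -> {dst}: {len(ports)} ports, first {ports[:5]}")
```

With the defaults only 10.0.0.66 is reported; 10.0.0.77 is only reported when the window is stretched to cover its 30-second spacing, which is the trade-off every threshold-based scan detector makes between sensitivity and false positives.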

26
Q

An __________ incorporates multiple security functions into a single piece of hardware. Unified Threat Management, or UTM, is the most common all-in-one appliance.

UTM puts several key security components into a single device that’s usually managed using a web interface. A manufacturer subscription for updates may also be required.

Commonly implemented functionality of all-in-one-security devices include the following:
URL filtering—prevents users from accessing URL restricted categories.
Content inspection—helps ensure HTTP connections and content meet specified criteria. For example, many content filters actively monitor data streams by inspecting the packets in search of viruses, Trojans, worms, and other malicious code.
Spam filtering—reduces junk mail in mailboxes of users.
Firewall—can be configured with rules and used to log traffic to and from the network.
Intrusion detection system—An IDS sends an alert if a network attack is detected.
Intrusion prevention system—An IPS sits inline and can drop or reset the offending traffic as well as alerting.
A UTM usually includes networking features as well, such as the following:

Switch
Router
Traffic shaping management

A

All-in-one security appliance

27
Q

A wirelessly broadcasted network is used on most internal networks so that internal users do not require a physical connection to a router or switch.

A

Wireless

28
Q

A _______ network at an organization often grants internet access only to guest users, but it also has some type of firewall to regulate that access. There could be limited internal resources made available on a _______ network. Normally, it is just a way for guests to access the internet without being allowed on the intranet or internal network.

A

Guest

29
Q

A private network (LAN) that employs internet information services for internal use only. For example, your company network might include web servers and email servers that are used by company employees.

A

Intranet

30
Q

A _______ is a special network created to trap potential attackers. It deliberately has vulnerabilities that lure attacks so that you can track the attackers' actions and protect your real network, and it can generate extremely useful security information.

A

Honeynet

31
Q

A privately controlled network distinct from the intranet but located between the internet and a private LAN. An extranet is often used to grant resource access to business partners, suppliers, and even customers outside of the organization.

A

Extranet

32
Q

A radio-broadcast network connection used within an organization. Users do not need a physical connection to a network port to reach the intranet or internal resources; instead, they use a wireless interface on their device to connect to a wireless access point.

A

Wireless Zone

32
Q

A deception strategy that returns spoofed data in response to network probes. Telemetry is the collection of data at remote points and its automatic transmission to receiving equipment for monitoring; here the organization deliberately supplies false data meant to deceive the attacker. This might include fake credentials, fake IP address information, or an internal report detailing supposedly vulnerable systems that require updates when they are really honeypots designed to capture attacker information.

A

Fake Telemetry

33
Q

To work, the malware must resolve names through the organization's DNS server; if it uses a public resolver, its own resolver, or hard-coded IP addresses, the sinkhole is bypassed. Mitigate this by configuring firewalls to block DNS queries that leave the perimeter from anything other than the internal resolver. A sinkhole does not prevent infection, stop malware from executing, or remove it from a system; it only redirects (and makes visible) the malware's name lookups.

Creating a sinkhole also takes time and care. Even blocklists obtained from trusted sources can contain domains that also serve legitimate content, so sinkholing them can break access to legitimate websites. Sinkhole records should be served internally only: if attackers can reach the DNS server from outside, they can change entries in the sinkhole and use it to their benefit.

A

DNS Sinkhole disadvantages

34
Q

Any host that is exposed to attack and has been hardened or fortified against attack.

A

Bastion or sacrificial host

35
Q

A firewall device that typically has three network interfaces. One interface connects to the internet, one interface connects to the public subnet, and one interface connects to the private network. (Strictly, a dual-homed host has two interfaces; the three-interface design is also called a three-legged or triple-homed firewall.)

A

Dual-homed gateway

35
Q

The router that is most external to the network and closest to the internet.

A

Screening router

36
Q

A device residing within the screened subnet that requires users to authenticate in order to access resources within the screened subnet or the intranet.

A

Screened host gateway

37
Q

Two-firewall screened subnet

A

A screened subnet uses two firewalls. The external firewall is connected to the internet and allows access to public resources. The internal firewall connects the screened subnet to the private network. With a screened subnet, if the outer firewall is compromised, the inner firewall still protects the private network

37
Q

A device, or software running on a device, that inspects network traffic and allows or blocks traffic based on a set of rules.

A

Firewall

38
Q

A firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.

A

Web application firewall (WAF)

39
Q

A network-based firewall inspects traffic as it flows between networks. For example, you can install a network-based firewall on the edge of your private network that connects to the internet to protect against attacks from internet hosts. Network-based firewalls are typically dedicated hardware devices.

A

Network firewall

40
Q

A basic packet filtering firewall is stateless. This means that it does not preserve information about network sessions. Each packet is analyzed independently, with no record of previously processed packets. This type of filtering requires the least processing effort, but it can be vulnerable to attacks spread over a sequence of packets. A stateless firewall can also introduce problems in traffic flow, especially when using some sort of load balancing or when clients or servers need to use dynamically assigned ports.

A

Stateless firewall

41
Q

A stateful inspection firewall tracks information about the session established between two hosts. All current firewalls incorporate some level of stateful inspection capability. Session data is stored in a state table. When a packet arrives, the firewall checks it to confirm whether it belongs to an existing connection. If it does not, it applies the ordinary packet filtering rules to determine whether to allow it. Once the connection has been allowed, later packets of that session are matched against the state table rather than the full rule set, which conserves processing effort but also means their contents are not re-inspected unless a deeper inspection feature is enabled.

A

Stateful firewall
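Added example (not part of the original deck) contrasting the stateless and stateful cards above in Python. The rule set (internal hosts may open HTTPS connections outbound), the private range 10.0.0.0/8 and the packets, which use the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24, are assumptions made for the illustration. It shows the hole a stateless filter has to leave open to let replies back in, and how a state table closes it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True for the first packet of a TCP connection


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed private address range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_allow(pkt):
    """Stateless filter: every packet is judged on its own header fields."""
    # Rule 1: internal hosts may open HTTPS connections to the outside.
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
        return True
    # Rule 2: replies have to come back somehow. Without session memory the only
    # handle is "source port 443", which also admits any outsider who chooses
    # that source port on purpose.
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport == 443:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: permitted connections are remembered in a state table."""

    def __init__(self):
        self.state = set()   # (src, sport, dst, dport) of permitted sessions

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            return True      # part of an established session: no rule lookup needed
        # Only a connection-opening SYN from inside to outside HTTPS creates state.
        if pkt.syn and is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
            self.state.add(key)
            return True
        return False


def run_scenario():
    """Three constructed packets: a client's request, the server's reply, and an
    attacker's probe that copies the reply's source port to reach RDP."""
    outbound = Packet("10.1.1.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.1.1.5", 51000, syn=False)
    probe = Packet("198.51.100.7", 443, "10.1.1.5", 3389, syn=True)
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_allow(p) for p in (outbound, reply, probe)],
        "stateful": [fw.allow(p) for p in (outbound, reply, probe)],
        # a "reply" that no internal host asked for is refused outright
        "stateful_unsolicited_reply": StatefulFirewall().allow(reply),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The stateless filter admits all three packets, the stateful one admits the request and its reply but refuses the probe, and it refuses a reply for which no state entry exists.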

42
Q

A host-based firewall inspects traffic received by a host. Use a host-based firewall to protect against attacks when there is no network-based firewall, such as when you connect to the internet from a public location. Host-based firewalls are typically software programs. A host-based firewall can be configured to meet the security requirements of the specific host and add an additional layer of security even when a network firewall has been implemented.

A

Host-based firewall

43
Q

Layer 7 application-aware filtering, including inspection of Transport Layer Security (TLS) encrypted traffic.
Integration with network directories, facilitating per-user or per-role content and time-based filtering policies, providing better protection against an insider threat.
Intrusion prevention system (IPS) functionality. Next-generation firewalls can combine traditional firewall functionalities with advanced capabilities, such as deep packet inspection, intrusion prevention, and application awareness.
Integration with cloud networking.

A

Next-generation firewall

44
Q

Performs a keyed cryptographic hash (an HMAC) over the whole packet, including the IP header, using a shared secret key known only to the communicating hosts, and adds this value in its header as an Integrity Check Value (ICV). IP header fields that legitimately change in transit (such as TTL and the header checksum) are treated as zero for the calculation. The recipient performs the same function on the packet and key and should derive the same value, confirming that the packet has not been modified. The payload is not encrypted, so this protocol does not provide confidentiality, and because the source and destination addresses are covered, AH does not survive NAT.

A

Authentication Header (AH)

45
Q

Can be used to encrypt the packet rather than simply calculating an ICV. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV, which is why ESP, and not AH, can pass through NAT (using UDP encapsulation, NAT traversal).

A

Encapsulating Security Payload (ESP)
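Added example (not part of the original deck) showing the integrity-check difference between the AH and ESP cards above in Python. The key, the addresses (documentation ranges), the simplified header layout and the stand-in "ciphertext" bytes are assumptions; the real AH/ESP headers carry more fields than are modelled here. It shows that AH tolerates a router decrementing TTL (a mutable field hashed as zero) but fails when NAT rewrites the source address, while ESP's ICV, which excludes the IP header, is unaffected by NAT yet still catches a changed sequence number.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-shared-secret"   # in practice negotiated by IKE, never static
AH_PROTO, ESP_PROTO = 51, 50


def ipv4_header(src, dst, ttl, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left 0; it is a mutable field anyway)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ip(src), ip(dst))


def zero_mutable_fields(hdr):
    """AH covers the IP header, but fields routers legitimately rewrite
    (DSCP/ECN, flags/fragment offset, TTL, header checksum) are hashed as zero."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data):
    """HMAC-SHA-256 truncated to 128 bits (the HMAC-SHA-256-128 transform)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def ah_icv(packet):
    """AH: ICV over the (mutable-fields-zeroed) IP header plus everything after it."""
    return icv(zero_mutable_fields(packet[:20]) + packet[20:])


def esp_icv(packet):
    """ESP: ICV over SPI, sequence number, ciphertext and trailer; IP header excluded."""
    return icv(packet[20:])


def run_scenario():
    payload = b"constructed transport payload"
    ah_len = 20 + len(payload)
    ah_sent = ipv4_header("10.1.1.5", "203.0.113.10", 64, AH_PROTO, ah_len) + payload
    ah_tag = ah_icv(ah_sent)
    # A router on the path decrements TTL: expected and tolerated.
    ah_after_router = ipv4_header("10.1.1.5", "203.0.113.10", 63, AH_PROTO, ah_len) + payload
    # A NAT device rewrites the source address: AH treats that as tampering.
    ah_after_nat = ipv4_header("198.51.100.1", "203.0.113.10", 63, AH_PROTO, ah_len) + payload

    ciphertext = b"\x8e\x11opaque bytes standing in for the encrypted payload"  # constructed
    trailer = b"\x00\x00\x02\x06"          # padding, pad length, next header (TCP = 6)
    esp_body = lambda seq: struct.pack("!II", 0x1001, seq) + ciphertext + trailer
    esp_len = 20 + len(esp_body(1))
    esp_sent = ipv4_header("10.1.1.5", "203.0.113.10", 64, ESP_PROTO, esp_len) + esp_body(1)
    esp_tag = esp_icv(esp_sent)
    esp_after_nat = ipv4_header("198.51.100.1", "203.0.113.10", 63, ESP_PROTO, esp_len) + esp_body(1)
    esp_modified = ipv4_header("10.1.1.5", "203.0.113.10", 64, ESP_PROTO, esp_len) + esp_body(2)

    return {
        "ah_after_router": hmac.compare_digest(ah_tag, ah_icv(ah_after_router)),
        "ah_after_nat": hmac.compare_digest(ah_tag, ah_icv(ah_after_nat)),
        "esp_after_nat": hmac.compare_digest(esp_tag, esp_icv(esp_after_nat)),
        "esp_modified_seq": hmac.compare_digest(esp_tag, esp_icv(esp_modified)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Verification uses a constant-time comparison, as a real IPsec stack would, so the ICV check itself does not leak timing information about how many bytes matched.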

46
Q

Transport mode—is used to secure communications between hosts on a private network. When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it provides integrity for the IP header as well.

Tunnel mode—is used for communications between VPN sites across an unsecure network. With ESP, the whole original IP packet (header and payload) is encrypted and encapsulated as the payload of a new packet with a new IP header. AH can also operate in tunnel mode, but it is rarely used there because confidentiality is usually required for site-to-site traffic.

A

IPSEC modes

47
Q

Phase I establishes the identity of the two peers and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating peers are commonly used:
Digital certificates—issued to each peer by a mutually trusted certificate authority so that the peers can identify one another.
Pre-shared key (group authentication)—the same passphrase is configured on both peers.
Phase II uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPsec session. (These are IKEv1 terms; IKEv2 does the same work in its IKE_SA_INIT and IKE_AUTH exchanges, with CREATE_CHILD_SA for further IPsec SAs.)

A

IKE negotiations take place over two phases:

48
Q

The practice of encapsulating data from one protocol for safe transfer over another network such as the Internet.

A

Tunneling

49
Q

An early tunneling protocol, developed by a Microsoft-led vendor consortium, to support VPNs over PPP and TCP/IP. PPTP relies on MS-CHAP authentication and RC4-based MPPE encryption, is highly vulnerable to password cracking attacks, and is considered obsolete.

A

Point-to-Point Tunneling Protocol
(PPTP)

50
Q

A tunneling protocol developed by Cisco to establish virtual private network connections over the internet.

A

Layer 2 Forwarding
(L2F)

51
Q

Network protocol suite used to secure data through authentication and encryption as the data travels across the network or the Internet.

A

Internet Protocol Security
(IPsec)

52
Q

An older protocol used to secure application protocols such as HTTP and FTP, and also usable as a virtual private networking (VPN) solution. All SSL versions are now deprecated; TLS is its successor.

A

Secure Sockets Layer
(SSL)

53
Q

Security protocol that uses certificates for authentication and encryption to protect web communications and other application protocols.

A

Transport Layer Security
(TLS)

54
Q

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

A

Network access control (NAC)

55
Q

Plan - A committee should convene and make decisions that define how NAC should work.
Define - The roles, identities, and permissions (policies) must be defined.
Apply - Once defined, the policies must be applied.
Review/Revise - As business needs change, the process must be reviewed to determine whether changes are required.

A

NAC Process

56
Q

A catalog of publicly disclosed vulnerabilities maintained by the MITRE Corporation, each assigned a unique identifier (CVE-YYYY-NNNN) so that advisories, scanners and tools can refer to the same issue.

A

Common Vulnerabilities
and Exposures (CVEs)

57
Q

A switch feature that restricts connection to a given port based on the MAC address.

A

MAC filtering/port security

58
Q

A switch feature that follows the 802.1X protocol to allow only authenticated devices to connect.

A

Port authentication

58
Q

A security feature on some switches that drops DHCP server messages (OFFER/ACK) arriving on untrusted ports, defeating rogue DHCP servers, and records each lease's IP address, MAC address and port in a binding table that other features such as DAI consult.

A

Dynamic Host Configuration protocol (DHCP) snooping

59
Q

A table maintained by a switch that contains MAC addresses and their corresponding port locations.

A

Content-addressable
memory (CAM) table

60
Q

An attack that overloads a switch’s MAC forwarding table to make the switch function like a hub.

A

MAC flooding
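Added example (not part of the original deck) tying together the CAM table, MAC flooding and port security cards above in Python. The switch model (four ports, an eight-entry CAM table, a maximum of two MACs per port when port security is on, and an aging step that clears the table) and the MAC addresses are assumptions made for the illustration. It shows a known destination being unicast to one port, the same frame being flooded to every port once an attacker has filled the table and the legitimate entries have aged out, and the attacker's port being err-disabled when port security is enabled.

```python
class Switch:
    """Toy learning switch with a bounded CAM table and optional port security."""

    def __init__(self, ports, cam_capacity=8, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = {}                                 # mac -> port (the CAM table)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port    # None = port security off
        self.err_disabled = set()                     # ports shut down after a violation

    def age_out(self):
        """Simulate the MAC aging timer expiring: every entry is forgotten and must
        be relearned from live traffic, which a flooder keeps supplying."""
        self.cam.clear()

    def forward(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then return the set of egress ports."""
        if in_port in self.err_disabled:
            return set()
        if src_mac not in self.cam:
            if self.max_macs_per_port is not None:
                seen_here = sum(1 for p in self.cam.values() if p == in_port)
                if seen_here >= self.max_macs_per_port:
                    self.err_disabled.add(in_port)    # violation action: shut the port
                    return set()
            if len(self.cam) < self.cam_capacity:
                self.cam[src_mac] = in_port
        if dst_mac in self.cam:
            return {self.cam[dst_mac]} - {in_port}   # known destination: one port
        return self.ports - {in_port}                 # unknown: flood like a hub


def mac_flood_scenario(port_security):
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 floods invented
    source MACs. Returns (egress for A->B before, egress after, port 3 disabled?)."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=8,
                max_macs_per_port=2 if port_security else None)
    sw.forward(1, "aa", "bb")
    sw.forward(2, "bb", "aa")
    before = sw.forward(1, "aa", "bb")       # B is known: unicast to port 2 only
    for i in range(50):                      # attacker: 50 frames, 50 bogus MACs
        sw.forward(3, f"bad{i:02d}", "ff")
    sw.age_out()                             # legitimate entries expire...
    for i in range(50, 100):                 # ...and the attacker refills the table first
        sw.forward(3, f"bad{i:02d}", "ff")
    sw.forward(2, "bb", "aa")                # B tries to be relearned: no room left
    after = sw.forward(1, "aa", "bb")
    return before, after, 3 in sw.err_disabled


if __name__ == "__main__":
    print("no port security:", mac_flood_scenario(False))
    print("port security:   ", mac_flood_scenario(True))
```

Without port security the frame for B ends up on ports 2, 3 and 4, so the attacker on port 3 now receives it; with port security the third distinct MAC on port 3 disables that port and A's frame keeps going only to port 2.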

61
Q

A security feature on some switches that checks each ARP packet arriving on an untrusted port against the DHCP snooping binding table and drops any whose sender IP-to-MAC mapping is not a valid binding for that port.

A

Dynamic ARP
Inspection (DAI)

61
Q

An attack in which the attacker’s MAC address is associated with the IP address of a target’s device.

A

ARP spoofing
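Added example (not part of the original deck) covering the DHCP snooping, DAI and ARP spoofing cards above in one Python model. The port numbers, MAC addresses, leases and the choice of port 24 as the trusted uplink are assumptions made for the illustration. It shows snooping building the binding table from server ACKs seen on the trusted port, a rogue DHCP ACK on an access port being dropped, and DAI permitting a host's ARP for its own lease while dropping an attacker's claims to the gateway or the victim's address, including one that copies the victim's MAC from a different port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    port: int
    sender_mac: str
    sender_ip: str      # the IP address the sender claims to own


class SnoopingSwitch:
    """DHCP snooping builds the binding table; DAI checks ARP against it."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks / the port facing the real DHCP server
        self.client_port = {}               # mac -> port, learned from DISCOVER/REQUEST
        self.bindings = {}                  # ip -> (mac, port), learned from server ACKs

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg in ("DISCOVER", "REQUEST"):           # client-side messages: any port
            self.client_port[client_mac] = port
            return True
        if msg in ("OFFER", "ACK"):                  # server-side messages
            if port not in self.trusted:
                return False                         # rogue DHCP server on an access port
            if msg == "ACK" and client_mac in self.client_port:
                self.bindings[ip] = (client_mac, self.client_port[client_mac])
            return True
        return False

    def dai(self, arp):
        """Dynamic ARP Inspection: permit ARP only if sender IP, MAC and port match a lease."""
        if arp.port in self.trusted:
            return True
        return self.bindings.get(arp.sender_ip) == (arp.sender_mac, arp.port)


def run_scenario():
    sw = SnoopingSwitch(trusted_ports=[24])
    # Constructed leases: victim 'aa' on port 1, attacker 'cc' on port 3, server via port 24.
    sw.dhcp(1, "REQUEST", "aa")
    sw.dhcp(24, "ACK", "aa", ip="10.0.0.10")
    sw.dhcp(3, "REQUEST", "cc")
    sw.dhcp(24, "ACK", "cc", ip="10.0.0.30")
    return {
        "rogue_dhcp_server": sw.dhcp(3, "ACK", "aa", ip="10.0.0.99"),
        "victim_own_arp": sw.dai(Arp(1, "aa", "10.0.0.10")),
        "attacker_own_arp": sw.dai(Arp(3, "cc", "10.0.0.30")),
        "attacker_claims_gateway": sw.dai(Arp(3, "cc", "10.0.0.1")),
        "attacker_claims_victim": sw.dai(Arp(3, "cc", "10.0.0.10")),
        "attacker_spoofs_victim_mac": sw.dai(Arp(3, "aa", "10.0.0.10")),
        "gateway_arp_on_uplink": sw.dai(Arp(24, "ee", "10.0.0.1")),
    }


if __name__ == "__main__":
    for name, permitted in run_scenario().items():
        print(f"{name:28s} {'PERMIT' if permitted else 'DROP'}")
```

Note what the check depends on: hosts with static addresses never appear in the binding table, so on real switches they need explicit ARP ACLs or DAI will drop their traffic too.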

62
Q

An attack in which a host in one VLAN gains access to traffic on another VLAN it is not a member of, for example by negotiating a trunk link with the switch (switch spoofing via DTP) or by double tagging its frames.

A

VLAN hopping

63
Q

An attack in which the attacking host adds two VLAN tags instead of one to the header of the frames that it transmits.

A

Double tagging
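Added example (not part of the original deck) building the double-tagged frame from the VLAN hopping and double tagging cards above in Python, with a minimal model of the two switches on either side of a trunk. The MAC addresses, the choice of VLAN 1 as the native VLAN and VLAN 20 as the target, and the tag-the-native-VLAN mitigation switch are assumptions made for the illustration. It shows the first switch stripping the outer native-VLAN tag so that the inner tag is what the second switch sees, and the frame staying in VLAN 1 when the trunk is configured to tag its native VLAN.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, payload, ethertype=ETH_P_IP):
    """Ethernet II frame carrying zero or more 802.1Q tags, outermost first."""
    frame = dst_mac + src_mac
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP/DEI left 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VLAN IDs outermost first, ethertype, payload)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """First switch puts the frame on the trunk. Returns (VLAN it assigned, bytes on wire).
    By default the native VLAN travels untagged, so its tag is stripped; an inner
    tag, if one is present, is now the outermost one."""
    vids, _, _ = parse_tags(frame)
    vlan = vids[0] if vids else native_vlan
    if vids and vlan == native_vlan and not tag_native:
        return vlan, frame[:12] + frame[16:]       # drop the outer 4-byte tag
    return vlan, frame


def trunk_ingress(frame, native_vlan):
    """Second switch assigns the frame to the VLAN of its (now outermost) tag."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_scenario(tag_native):
    """Attacker on native VLAN 1 wants to reach VLAN 20. Returns (VLAN seen by
    switch 1, VLAN the frame is delivered to by switch 2)."""
    attacker_mac = bytes.fromhex("020000000001")       # constructed locally-administered MAC
    frame = build_frame(b"\xff" * 6, attacker_mac, [1, 20], b"constructed payload")
    seen_by_sw1, on_wire = trunk_egress(frame, native_vlan=1, tag_native=tag_native)
    return seen_by_sw1, trunk_ingress(on_wire, native_vlan=1)


if __name__ == "__main__":
    print("native VLAN untagged:", double_tag_scenario(tag_native=False))
    print("native VLAN tagged:  ", double_tag_scenario(tag_native=True))
```

The attack only works one way: nothing on VLAN 20 can reply to the attacker by the same trick, which is why it is mostly useful for blind injection. Moving the native VLAN to an unused ID or tagging it on trunks removes the stripping step the attack depends on.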

64
Q

An insecure Cisco protocol that automatically negotiates trunk links between switches. Left enabled on access ports, it lets an attacker's device negotiate a trunk and reach every VLAN carried on it, so DTP should be disabled on user-facing ports.

A

Dynamic Trunking
Protocol (DTP)

65
Q

An attack in which the source MAC address is changed in the header of a frame

A

MAC spoofing
