chap 5 - communication & network security Flashcards
define OSI 7-Layer model
- application –> data
- presentation –> data
- session –> data
- transport –> Segments for end-to-end connection
- network –> Packets using the IP address
- data link -> frames using MAC address
- physical –> bits through cables
translate OSI to TCP/IP layers
- application + presentation + session –> application layer (Telnet/FTP/SMTP/DNS/RIP/SNMP)
- transport –> host to host transport (TCP/UDP)
- Network + data link –> internet layer (ARP/IP/IGMP/ICMP)
- data link + physical –> network interface layer (ethernet/token ring/frame)
what are the steps in the cybersecurity kill chain
- reconnaissance
- weaponization
- delivery
- exploitation
- installation
- command & control
- actions on objectives
what are the different types of network topologies (physical layer)
- Bus -> central LAN cable to which all nodes connect
advantage: adding nodes is easy / a node failure doesn't affect the network
disadvantage: if the central LAN cable fails, the entire network drops
- Tree -> hierarchy of objects
advantage: adding nodes is easy / a node failure doesn't affect the network
disadvantage: if the central LAN cable fails, the entire network drops
- Ring -> closed loop with transmission passing through a central point
advantage: uses a token - time stamp / used as a LAN or network backbone
disadvantage: single point of failure (e.g., fiber distributed data interface (FDDI) uses dual rings to tolerate failure)
- Mesh -> mesh network connecting all nodes
advantage: high level of redundancy
disadvantage: expensive
- Star -> all nodes connected to a hub, switch or router (used in modern LANs)
advantage: fewer cables than mesh / easy to deploy
disadvantage: the central connection is a single point of failure
what is the role of a “carrier sense multiple access with collision detection (CSMA/CD)”
the protocol allows devices to transmit data with minimum overhead, resulting in bandwidth efficiency
types of optical fiber cable
- single-mode: small diameter -> up to 100 km
- multimode: large diameter -> up to 2 km
- plastic optical fiber (POF) -> up to 100 m
what is a “modem”
“modulate” - “demodulate” device used to modulate digital signals into analog waves and vice versa
what are the types of digital subscriber lines (DSL)
- asymmetric DSL -> ADSL: downstream higher than upstream
- Rate-adaptive DSL -> RADSL: upstream rate based on line quality
- symmetric DSL -> SDSL: downstream & upstream are the same
- Very-high-bit-rate DSL -> VDSL: high transmission rate (52 Mbps)
what is the role of a dynamic host configuration protocol (DHCP)
DHCP’s role is to assign IP addresses to devices
what OSI layer uses MAC address to redirect communications
Data link layer
what is Address Resolution Protocol (ARP)
used at the MAC layer to provide direct communication between 2 devices within the same LAN segment
what is a Point-to-point protocol (PPP) (PPPoE -> over Ethernet)
mechanism for establishing a layer 2 (data link) connection between 2 systems, e.g. an internet service provider (ISP) and a customer device
provides a standard method for transporting multiprotocol datagrams over point-to-point links
PPPoE: creates a virtual point-to-point connection over Ethernet
what is a Fibre channel over ethernet (FCoE)
provides a single layer 2 (data link) environment to manage
what is a contention-based protocol?
devices on a network compete for bandwidth; contention-based protocols are meant to avoid interference / collisions:
- CSMA/CD: devices on a LAN listen for a carrier before transmitting data
- Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA): better for wireless environment -> avoid collisions by first checking the media is clear for transmission
what is a layer 2 “bridge”
device that filters traffic between segments based on MAC addresses. additionally, it amplifies signals
what is a switch
a layer 2 switch establishes one collision domain per port, enabling more efficient transmissions with CSMA/CD logic within ethernet
what is a Virtual Local Area Network (VLAN)
VLANs allow admins to use switches to create software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports
key threats to layer 2 (data link)
- MAC address spoofing
- MAC flooding -> DoS attack
- VLAN hopping -> 802.1Q attack
- Broadcast storms -> DoS attack
- Reconnaissance probes using MAC sniffing -> capture frames
key layer 2 (data link) countermeasures to threats
- Proper NIC configuration
- Service monitoring (ARP/ DHCP)
- proper VLAN configuration
- proper switch port configuration
- Layer 2 IDS/IPS
what does layer 3 (network) use to redirect communications
IP address
what are the 2 main goals of layer 3 (network)
- managing the logical addressing for networks
- forwarding packets to the correct logical network
what are the forms of transmission in layer 3 (network)
- Unicast -> 1-to-1 communication
- Broadcast -> one to many communication
- Multicast -> 1 host to a discrete group of hosts
- Anycast -> 1-to-1 transmission but uses services from a group
- Geocast -> same as broadcast but restricts the destination IP addresses geographically (think Netflix streaming)
what are network layer protocols
- IPv4 provides a 32-bit address space
- IPv6 provides a 128-bit address space
Note: IPv4 and IPv6 use 2 different headers, therefore a network cannot operate on both simultaneously
what are the 5 IP address classes and their first-octet ranges
- class A -> 1-126 (subnet mask 255.0.0.0)
- class B -> 128-191 (subnet mask 255.255.0.0)
- class C -> 192-223 (subnet mask 255.255.255.0)
- class D -> 224-239 (subnet mask 255.255.255.255) -> for multicasting
- class E -> reserved for development & testing
what are the advantages of IPv6
- longer address field
- improved security
- improved QoS
what are routers most used for today
connect LAN to WAN
the most basic security at layer 3 on a router includes Access Control Lists (ACLs) that approve/deny source and destination addresses. these routers are also called “boundary routers”, positioned on the DMZ
what are the 2 key meanings of Access Control List
routing: it is a table within a router’s memory that stores permitted
identity mgmt & access control: they are data structures that are usually keyed or indexed by user IDs and relate those IDs to authorization information of various kinds
what is the difference between routing protocol & routed protocol
Routing protocol: used by routers to communicate and coordinate with each other -> e.g., ICMP / IGMP
Routed protocols: define HOW data can be routed over a network. IPv4 and IPv6 are routed protocols
what protocol was created to increase WAN traffic efficiency (routing)
calculating a route from the routing table for each packet uses a lot of router computational resources, creating latency.
“Multiprotocol label switching” (MPLS) is a WAN protocol designed to increase WAN efficiency.
it operates on layer 2 (data link) and layer 3 (network)
what are the primary components of an MPLS network
- MPLS edge node
- label switching router (LSR)
- label switch path
what are the key advantages of MPLS
- traffic engineering
- multi-service network
- network resiliency
what are the key threats to layer 3 (network)
- routing (RIP) attack
- ICMP attack
- Ping flooding
- Smurf attack
- IP address spoofing
- packet sniffing
what are the key countermeasures to protect layer 3 (network)
- SICMP
- properly config routers
- packet filtering and inspection -> NGFW
- use router ACLs more effectively
- properly config VLAN
- layer 2 IDS/IPS
- zero trust architecture
- micro-segmenting LANs
what does layer 4 (transport) do
it delivers end-to-end services through segments transmitted in a stream of data and controls stream of data to relieve congestion
what are the 2 types of transport protocols (TCP/IP)
TCP - transmission control protocol - connection-oriented protocol -> provides packet sequencing
UDP - user datagram protocol - connectionless protocol -> does NOT support retransmission of packets
what are layer 4 protocols by group
- transport -> TCP UDP
- Names & directory services -> DNS / LDAP
- Network operational support & mgmt -> NTP / DHCP
- web page oriented -> HTTP / HTTPS
- email -> POP / IMAP / SMTP
- admin & miscellaneous -> FTP / SSH / Telnet
how does TCP establish connection
using a three-way handshake
1a. SYNchronize
1b. SYN-ACKnowledge
2a. ACK
2b. Data ACK (using the connection…)
3a. FINish
3b. ACK + FINish
3c. ACK
what are the categories of TCP & UDP ports
- well-known ports -> 0-1023
- registered ports -> 1024-49151
- dynamic or private ports -> 49152-65535
primary use of 20/21
file transfer protocol -> FTP
primary use of 22
secure shell -> SSH
primary use of 23
Telnet
primary use of 25 or 587
SMTP
primary use of 37
TIME
primary use of 53
domain name services -> DNS
primary use of 69
Trivial file transfer protocol -> TFTP
primary use of 80
HTTP
primary use of 161
simple network mgmt protocol -> SNMP
primary use of 162
SNMP trap
primary use of 179
border gateway protocol
primary use of 443
HTTPS
traditional firewall vs. NextGen firewall
traditional:
- firewall / ports / IP address
- IDS / IPS
- web proxy
- antivirus gateway
- VPN
NextGen firewall
- IAM / Attributes
- anti-bot
- FaaS
- firewall / ports / IP address
- IDS / IPS
- web proxy
- antivirus gateway
- VPN
what are the main threats to layer 4 (transport)
- routing protocol attack
- ICMP attack - e.g., ping flooding
- network time protocol desync
- fraggle - UDP broadcast flood
- TCP sequence prediction
- IP address spoofing
- packet sniffing
- port scanning
what are the countermeasures for layer 4 (transport)
- TCP intercept & filtering
- DoS prevention services
- allowed & blocked lists for IP addresses, URLs, URIs
- properly config TLS
- secure protocol for file transfer
- fingerprint scrubbing
what is the main goal of layer 5 (session layer)
provide a logical persistent connection between peer hosts
responsible for creating, maintaining and tearing down the session
what are layer 5 (session) authentication protocols
- password authentication protocol (PAP)
- Challenge-handshake authentication protocol (CHAP)
- Extensible authentication protocol (EAP)
- protected extensible authentication protocol (PEAP)
what are the main threats to layer 5 (session)
- session hijack / MITM
- ARP / DNS / poisoning local hosts files
- secure shell (SSH) downgrade
- man-in-the-browser (MITB)
what are the main countermeasures to protect layer 5 (session)
- replace weak password authentication protocol
- ID mgmt & access control
- PKI implementation
- properly config DNS
- active monitoring
- IDS / IPS / SIEM alarms
what is the main goal of layer 6 (presentation)
consolidate the design of protocols and services
what are the main threats to layer 6 (presentation)
- data breach
- compromise integrity
- SMB attacks
- SSL attack
what are the main countermeasures to protect layer 6 (presentation)
- strong authentication & protection based apps
- monitor apps traffic
- secure application protection (WAF)
- zero trust architecture
what is the main goal of layer 7 (application)
used by end users to accomplish daily tasks and application usage
what are the main types of layer 7 (application) protocols
- HTTP
- HTTPS - using TLS to create session
- DHCP
- DNS
- SNMP -> simple network mgmt protocol
- LDAP -> lightweight directory access protocol
what is Dynamic host configuration protocol (DHCP)
client/server application designed to assign IP addresses from a pool of pre-allotted addresses on a DHCP server
what are the common attributes of an LDAP entry
- distinguished name (DN)
- relative distinguished name (RDN)
- common name (CN)
- domain component (DC)
- organizational unit (OU)
what is the goal of SNMP (simple network mgmt protocol)
designed to manage network infrastructure
what are the main threats to layer 7 (application)
- SQL injection
- encryption downgrade attempt
- rogue DHCP service / DNS poisoning / LDAP injection
- SNMP abuse
- HTTP flood -> DoS
- cross-site script attack
what are the main countermeasures to protect layer 7 (application)
- monitoring
- block suspect bots
- strong access control (MFA)
- deep inspection of app traffic
- secured apps protection (WAF / ADP)
- zero trust architecture
- strengthen end user skills
what are the main Internet Protocol (IP) issues
- authenticity
- confidentiality
- scripting
- social engineering
- spam over instant message
- legacy remote access
what is the advantage of Internet Protocol Security (IPsec)
- authentication header (AH)
- encapsulating security payload (ESP) : Header / payload / trailer / authentication
what are some use cases for NAC deployment
- medical device
- IoT devices
- incident response
- BYOD
- guest user and contractors
- cloud
- compliance
- mobile device
what is a port address translation (PAT)
extension to NAT that translates all internal addresses to one externally routable IP address
what are the main security implications of remote computing
- people issue
- networking & communication vulnerabilities
- attention from threat actors
- implementation issues
what is a circuit switched network?
uses a dedicated circuit between endpoints. neither endpoint starts communicating until the circuit is completely established
what is network function virtualization (NFV) and its advantage
NFV’s objective is to decouple functions, such as firewall mgmt, intrusion detection, NAT or name service resolution, away from specific hardware implementations into software services
what are best practices in 3rd party mgmt
- policies for establishing, onboarding, monitoring, managing and offboarding 3rd parties
- inventory of 3rd party relationships and evaluation against policies to identify risk
- apply monitoring & auditing practices
what is a DNS
converts between IP addresses and domain names
what is ARP
converts between MAC addresses and IP addresses
what is NAT
converts between public IP and private IP addresses
how does IPsec provide secure channel (VPN)
IPsec uses authentication headers (AH) to provide authentication, integrity and non-repudiation, and Encapsulating Security Payload (ESP) to provide confidentiality
Sue’s employer has asked her to use an IPsec VPN to connect to its network. When Sue connects, what does the IPsec VPN allow her to do?
Create a private encrypted network carried via a public network and act like she is on her employer’s internal network
Sonia recently removed an encrypted hard drive from a laptop and moved it to a new device because of a hardware failure. She is having difficulty accessing encrypted content on the drive despite the fact that she knows the user’s password. What hardware security feature is likely causing this problem?
TCB
The Trusted Platform Module (TPM) is a hardware security technique that stores an encryption key on a chip on the motherboard and prevents someone from accessing
Gordon is concerned about the possibility that hackers may be able to use the Van Eck radiation phenomenon to remotely read the contents of computer monitors in his facility. What technology would protect against this type of attack?
TEMPEST
The TEMPEST program creates technology that is not susceptible to Van Eck phreaking attacks because it reduces or suppresses natural electromagnetic emanations.
What important factor listed below differentiates Frame Relay from X.25?
Frame Relay supports multiple PVCs over a single WAN carrier connection.
During a security assessment of a wireless network, Jim discovers that LEAP is in use on a network using WPA. What recommendation should Jim make?
Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported.
LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary protocol designed to handle problems with TKIP. Unfortunately, LEAP has significant security issues as well and should not be used. Any modern hardware should support WPA2 and technologies like PEAP or EAP-TLS. Using WEP, the predecessor to WPA and WPA2, would be a major step back in security for any network.
Ben has connected his laptop to his tablet PC using an 802.11g connection. What wireless network mode has he used to connect these devices?
Ad hoc mode
What common applications are associated with each of the following TCP ports: 23, 25, 143, and 515?
Telnet, SMTP, IMAP, and LPD
Which authentication protocol commonly used for PPP links encrypts both the username and password and uses a challenge/response dialog that cannot be replayed and periodically reauthenticates remote systems throughout its use in a session?
CHAP
The Challenge-Handshake Authentication Protocol, or CHAP, is used by PPP servers to authenticate remote clients. It encrypts both the username and password and performs periodic reauthentication while connected using techniques to prevent replay attacks.
If the VPN grants remote users the same access to network and system resources as local workstations have, what security issue should Chris raise?
VPN users should only connect from managed PCs.
Susan is deploying a routing protocol that maintains a list of destination networks with metrics that include the distance in hops to them and the direction traffic should be sent to them. What type of protocol is she using?
A distance-vector protocol
What network tool can be used to protect the identity of clients while providing Internet access by accepting client requests, altering the source addresses of the requests, mapping requests to clients, and sending the modified requests out to their destination?
A proxy
A proxy is a form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems.
Which email security solution provides two major usage modes: (1) signed messages that provide integrity, sender authentication, and nonrepudiation; and (2) an enveloped message mode that provides integrity, sender authentication, and confidentiality?
S/MIME
S/MIME supports both signed messages and a secure envelope method. While the functionality of S/MIME can be replicated with other tools, the secure envelope is an S/MIME-specific concept.
What type of key does WEP use to encrypt wireless communications?
A predefined shared static key
WEP has a very weak security model that relies on a single, predefined, shared static key. This means that modern attacks can break WEP encryption in less than a minute.
The Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) operate at what layer of the OSI model?
Layer 2
ARP and RARP operate at the Data Link layer.
Which of the following is a converged protocol that allows storage mounts over TCP, and which is frequently used as a lower-cost alternative to Fibre Channel?
iSCSI
iSCSI is a converged protocol that allows location-independent file services over traditional network technologies.
In her role as an information security professional, Susan has been asked to identify areas where her organization’s wireless network may be accessible even though it isn’t intended to be. What should Susan do to determine where her organization’s wireless network is accessible?
A site survey
SMTP, HTTP, and SNMP all occur at what layer of the OSI model?
Layer 7
Application-specific protocols are handled at layer 7, the Application layer of the OSI model.
Lauren uses the ping utility to check whether a remote system is up as part of a penetration testing exercise. If she wants to filter ping out by protocol, what protocol should she filter out from her packet sniffer’s logs?
ICMP
Ping uses ICMP, the Internet Control Message Protocol, to determine whether a system responds and how many hops there are between the originating system and the remote system.
Lauren wants to provide port-based authentication on her network to ensure that clients must authenticate before using the network. What technology is an appropriate solution for this requirement?
802.1x
802.1x provides port-based authentication and can be used with technologies like EAP, the Extensible Authentication Protocol.
There are four common VPN protocols. Which group of four below contains all of the common VPN protocols?
PPTP, L2F, L2TP, IPsec
What network technology is best described as a token-passing network that uses a pair of rings with traffic flowing in opposite directions?
FDDI
FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a pair of rings with traffic flowing in opposite directions.
If your organization needs to allow attachments in email to support critical business processes, what are the two best options for helping to avoid security problems caused by attachments?
Train your users and use anti-malware tools.
Chris has been asked to choose between implementing PEAP and LEAP for wireless authentication. What should he choose, and why?
PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session
Which type of firewall can be described as “a device that filters traffic based on its source, destination and the port it is sent from or is going to”?
A static packet filtering firewall
Data streams occur at what three layers of the OSI model?
Application, Presentation, and Session