Chapter 11: Securing TCP/IP

Question 1

What is nonrepudiation?

Answer 1

-data is same as originally sent, came from source I think it should have come from.

Question 2

What is authentication?

Answer 2

-verifcy whoever accesses the data is the person I want to access it.

Question 3

What is authorization?

Answer 3

-what a person who accesses the data can do with the data.

Question 4

What is a cipher?

Answer 4

-general term for a way to encrypt data.

Question 5

What is an algorithm?

Answer 5

mathematical formula underlies the cipher.

Question 6

What is a complete algorithm?

Answer 6

cipher and implementation of the cipher.

Question 7

What is ciphertext?

Answer 7

result from running cleartext through a key.

Question 8

what is a symmetric key algorithm?

Answer 8

uses same key to encrypt and decrypt

Question 9

What is asymmetric key algorithm?

Answer 9

-different keys for encryption.

Question 10

What is a block cipher?

Answer 10

encrypt data in single chuncks

Question 11

What is a stream cipher?

Answer 11

-encrypts data a single bit at a time.

Question 12

Describe DES.

Answer 12

Data encryption standard

• grandaddy of all TCP/IP symmetric-key algorithms.
• 64 bit block and 56-bit key.

Question 13

Describe AES.

Answer 13

Advanced Encryption Standard

• block cipher
• 128-bit block size
• 128, 192, 256-bit key size.
• used in applications from file encryption to wireless networking, to web sites.

Question 14

what is public-key cryptography?

Answer 14

-keys can exchange securely

Question 15

What is RSA?

Answer 15

Rivest Shamier Adleman

• improvement to Diffre-Hellman public-key cryptography
• enables secure digital signature.

Question 16

Describe the encryption at the different levels at OSI.

Answer 16

• Level 1: no common encryption
• level 2: scramble all data in ethernet frame except mac address info.
• layer 3: IPSEC: software that encrypts everything inside packet.
• layer 4: TCP/UDP do not offer encryption.
• layer 5: and 6: not comon for encryption.
• layer 7: SSL/TLS

Question 17

How is non-repudiation implemented?

Answer 17

• most cryptographic hash function

- results in checksum or digest.

Question 18

Describe MD5

Answer 18

Message-Digest Algorithm version 5

• some SMTP servers use this
• most popular hash function.
• CRAM-MD5: tool for server authentication.

Question 19

Describe SHA

Answer 19

Secure Hash algorithm

-sha-1 and sha-2

Question 20

What is a digital signature?

Answer 20

• generated by sender to message and private key

- person with matching publick key verifies it came from intended sender.

Question 21

What is PKI?

Answer 21

Public-key infrastructure

-certificate: standardized type of digital signature that includes signature of a third party.

Question 22

Describe PGP.

Answer 22

Pretty Good Privacy

• web of trust
• group of peers that trust each other.
• email encryption: you get a certificate.

Question 23

Decribe GPG>

Answer 23

GNU privacy guard

-alternate to PGP

Question 24

What is an ACL?

Answer 24

Access control list.

-defined list of permissions specify that an authenticated user may perform on a shared resource.

Question 25

What are three ACL access models?

Answer 25

• mandatory access control(MAC): every resource assigned a label.
• Discretionary access control(DAC): resource owner assigns access.
• Role-based access control(RBAC): most popular model and is an access based on role(group).

Question 26

What is PPP?

Answer 26

Point to point protocol.
-an authentication standard where 2 devices connect, authenticate with name/password, negotiate network protocol.

-RFC 1661: defines how PPP works.

Question 27

What are the phases of PPP?

Answer 27

• Link Dead; Link control protocol gets connection going
• link establishment
• Authentication: username/password
• Network layer protocol: negotiate layer 3 protocol. Network control protocol(NCP) makes proper connection.
• Termination.

Question 28

Describe PAP

Answer 28

Password authentication Protocol

-transmits username password in plaintext.

Question 29

Describe CHAP

Answer 29

Challenge Handshake Authentication Protocol

• more secure authentication routine
• hashes based on shared secret.

Question 30

Describe MS-CHAPv2.

Answer 30

• most common authentication for dial up.

- most security.

Question 31

What are three parts of AAA?

Answer 31

-authentication, authorization, and accounting.

Question 32

Describe authentication as it relates to AAA.

Answer 32

• present credential for access

- username/passwd, security token, retinal scan, digital certificate.

Question 33

Describe authorization as it relates to AAA.

Answer 33

• What computer can and cannot do.

- bandwidth limits, times of day, certain applications.

Question 34

Describe RADIUS.

Answer 34

Remote Authentication Dial-In User Service.

• used to support ISPs with thousands of modems.
• radius server, network access servers, systems that dial in.

Question 35

What does a Radius server do?

Answer 35

Internet Authentication Service(microsoft)
-FreeRadius(Unix/linux)
-authenticate on UDP port 1812/1813
or ports 1645/1646

Question 36

Describe TACACS+.

Answer 36

Terminal Access Controller Access Control System Plus

• single server stores ACL for all devices
• developed by CISCO to support AAA
• uses port 49 by default
• can use Kerberos as part of the authentication scheme.

Question 37

What port does TACACS+ work on?

Answer 37

port 49

Question 38

What port does radius use?

Answer 38

UDP port 1812/183 or 1645/1646

Question 39

Describe Kerberos.

Answer 39

no connection to PPP

-authentication protocol for TCP/IP networks with clients connecting to single authenticating server

Question 40

What port does Kerberos use

Answer 40

UDP or TCP port 88

Question 41

Describe a kerberos key distribution center(KDC)

Answer 41

• authentication server(AS)
• Ticket-Granting Service(TGS)
• after compares hash sends ticket granting ticket(TGT)
• client sends TGT to TGS for authorization.
• TGS sends token back to client called SID in winDNS.

Question 42

Descirbe EAP.

Answer 42

Extensible Authentication Protocol(EAP)

• single standard to allow two devices to authenticate.
• a PPP wrapper that EAP-compliante applications can use to accept one of many types of authentication.
• substantial use in wireless networks

Question 43

What is EAP-PSK?

Answer 43

• personal share key

- shared secret code stored on both WAP and client encrypted with AES.

Question 44

What is EAP-TLS?

Answer 44

• Transport layer security.
• use of RADIUS server
• mutual authentication, certificates on server and client.
• only on wireless networks.

Question 45

What is EAP-TTLS?

Answer 45

• Tunneled TLS

- Single server-side certificate.

Question 46

What is EAP-MD5?

Answer 46

-hashes for transfer of authentication details.

Question 47

What is LEAP?

Answer 47

Lightweight EAP

-used by Cisco wireless products.

Question 48

What is 802.1x?

Answer 48

EAP for ethernet networks.

• puts EAP inside of ethernet frame.
• port authentication NAC mechanism for networks.

Question 49

Describe SSH.

Answer 49

Secure shell

• use PKI in form of RSA key.
• server sends public key, client encrypts session id, negotion encryption.
• AES is popular, 3DES might be used.

Question 50

Describe publick keys to identify clients as it relates to SSH.

Answer 50

• non-interactive logins - turn off password logins.
• generate pair of RSA or DSA keys
• public key on server, public key on cient.

Question 51

Describe Tunnels as they relate to SSH.

Answer 51

• can tunnel for any tcpip application
• encrypted link between two programs on separate computers.
• freeSSHd server: any packet that enters encrypted tunnel(even unencrypted) automatically is encrypted.

Question 52

Describe SSL/TLS.

Answer 52

netscape created SSL.

Question 53

Describe TLS.

Answer 53

upgraed to SSL.

• SSL limited to HTML, FTP, SMTP and few others.
• TLS has no restrictions used in VOIP, VPNs, and webpages.

Question 54

Describe IPsec.

Answer 54

authenticate and encryption at layer 3.

Question 55

What is transport mode of IPsec?

Answer 55

-only payload of packet is encrypted.

Question 56

What is tunnel mode of IPsec?

Answer 56

-entire ip packet encrypted, encapsulated inside another IP packet.

Question 57

What is Authentication Header(AH) of IPsec?

Answer 57

-authentication

Question 58

What is ESP as it relates to IPsec?

Answer 58

Encapsulating Security Payload.

-authenticate and encryption

Question 59

What is ISAKMP?

Answer 59

Internet Security Association and Key management protocol.

-security associates.

Question 60

What is IKE and IKEv2 as it relates to IPSEC?

Answer 60

• Internet Key exchange: kerberized internet negotiation of keys(KINK)
• can encrypt data with MD5, SHA.

Question 61

What is SCP?

Answer 61

Secure copy protocol.
-transer data securely between two hosts.
doesnt have directory listing.

Question 62

What is SFTP?

Answer 62

Secure/SSH FTP.

• active FTP uses ports 20 and 21, creating two-session communication.
• SSH can only handle one session per tunnel.
• OpenSSH: group of secure programs made by OpenBSD
• WINSCP and Filezilla clients for SFTP server.

Question 63

What is SNMP?

Answer 63

-cacti.net queries SNMP

Question 64

What is LDAP?

Answer 64

-Lightweight directory access protocol.

Question 65

What port does LDAP use?

Answer 65

-port 389

Question 66

What port does NTP use?

Answer 66

port 123.