Chapter 11: Securing TCP/IP Flashcards
Plaintext/Cleartext
Data that is in an easily read or viewed format
Symmetric-Key Algorithm
Any encryption method that uses the same key for both encryption and decryption.
Asymmetric-Key Algorithm
Any encryption method that uses a mathematically related key pair: what one key (the public key) encrypts, only the other (the private key) decrypts, and vice versa.
Block Cipher
- An encryption algorithm that encrypts data in fixed-size "chunks" (blocks) of a certain length at a time, for example 128 bits for AES; anything longer than one block is handled by a mode of operation such as CBC or GCM.
- Popular in wired networks
Stream Cipher
An encryption method that encrypts one bit or byte at a time by XORing the plaintext with a keystream generated from the key; historically favored in wireless (WEP used RC4).
Rivest Cipher 4 (RC4)
Was the dominant stream cipher for a time (WEP, early WPA, SSL/TLS), but biases in its keystream led to practical attacks and it is now deprecated; RFC 7465 prohibits RC4 in TLS.
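Worked example added to this deck (it is not from the original flashcards): a toy stream cipher built from the Python standard library, showing the point behind the block/stream and RC4 cards above. Every stream cipher is plaintext XOR keystream, so reusing a key/nonce pair (which WEP's 24-bit IV forced onto RC4) lets an eavesdropper recover a second message from a first one with no key at all. The HMAC-based keystream generator, the key, nonce and messages are all constructed for the demonstration; this is not RC4 and not a cipher to deploy.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter), concatenated.
    Stands in for RC4's keystream; an illustration, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher core: ciphertext = plaintext XOR keystream, one byte at a time."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


stream_decrypt = stream_encrypt  # XOR is its own inverse


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream reuse ('two-time pad'): c1 XOR c2 == p1 XOR p2, the keystream cancels.
    Knowing (or guessing) p1 therefore reveals p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


# Constructed sample: one key, and the SAME nonce used for two frames, as happened
# when WEP's 24-bit IV space wrapped around on a busy access point.
KEY = b"0123456789abcdef"
NONCE = bytes.fromhex("00000a")
P1 = b"GET /index.html HTTP/1.1"   # 24 bytes, easy to guess (a "crib")
P2 = b"user=bob&password=hunter"   # 24 bytes, the secret we want to leak


def demo() -> dict:
    c1 = stream_encrypt(KEY, NONCE, P1)
    c2 = stream_encrypt(KEY, NONCE, P2)                       # nonce reused: broken
    c3 = stream_encrypt(KEY, bytes.fromhex("00000b"), P2)    # fresh nonce: safe
    return {
        "roundtrip_ok": stream_decrypt(KEY, NONCE, c1) == P1,
        "leaked_p2": recover_with_crib(c1, c2, P1),          # == P2, no key needed
        "with_fresh_nonce": recover_with_crib(c1, c3, P1),   # garbage, attack fails
    }


if __name__ == "__main__":
    print(demo())
```

The same XOR structure is why a stream cipher needs a unique nonce per message and why RC4, which has no nonce at all and was simply re-keyed with key||IV in WEP, was so easy to misuse.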
Advanced Encryption Standard (AES)
A block cipher that uses a 128-bit block size and a 128-, 192-, or 256-bit key.
What is the most popular form of email encryption?
Public-Key Cryptography
Rivest Shamir Adleman (RSA)
A widely used asymmetric algorithm (Rivest, Shamir and Adleman, 1977) that supports both encryption and digital signatures; its security rests on the difficulty of factoring the product of two large primes.
IPsec
The Network layer encryption protocol.
Integrity
The process that guarantees that the data received is the same as originally sent.
Secure Hash Algorithm (SHA)
The primary family of cryptographic hash functions. SHA-2 (SHA-256, SHA-512) and SHA-3 are current; SHA-1 is retired.
Two unsafe hash algorithms
SHA-1 and Message-Digest Algorithm version 5 (MD5): both have practical collision attacks (MD5 since 2004, SHA-1 since the 2017 SHAttered result), so neither should be used for signatures or certificates.
Nonrepudiation
Assurance that the sender of a piece of information cannot later deny having sent it: because only the holder of the private key could have produced the signature, the receiver (and any third party) has very high confidence that the sender is who the receiver thinks.
Digital Signature
A hash of the message encrypted (signed) with the sender's private key. Anyone holding the matching public key can decrypt the hash, recompute it over the received data, and compare the two, which proves both who signed and that the data is unchanged.
Certificate
A standardized document (X.509) that binds a public key to an identity and carries the digital signature of a trusted third party, the certificate authority (CA, such as GoDaddy), which vouches that whoever is passing out this certificate truly is who they say they are.
Public-Key Infrastructure (PKI)
The system of certificate authorities, policies, and procedures for creating, distributing, and revoking digital certificates; commercial CAs include GoDaddy, VeriSign (now part of DigiCert), etc.
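Worked example added here (it is not part of the original deck) tying together the Integrity, SHA, Digital Signature, Certificate and PKI cards: textbook RSA over SHA-256 with a sign/verify pair, plus a minimal CA-signed "certificate" that binds a name to a public key. The Miller-Rabin key generation, the 512-bit demonstration key size, the hypothetical subject name and the certificate layout are all assumptions for the example; real signatures add PKCS#1 v1.5 or PSS padding and real certificates are X.509.

```python
import hashlib
import math
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: False means composite for sure, True means prime with
    error probability below 4**-rounds."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random probable prime of exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Returns (public_key, private_key) as ((e, n), (d, n)).
    512-bit n is a demonstration size only; real keys are 2048 bits or more."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def message_digest(msg: bytes) -> int:
    """Integrity step: fixed-size SHA-256 fingerprint of the message, as an integer
    (256 bits, so always smaller than the 512-bit modulus)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(private_key, msg: bytes) -> int:
    """Digital signature: the message hash 'encrypted' with the private key.
    Textbook RSA; production code must apply PKCS#1 v1.5 or PSS padding first."""
    d, n = private_key
    return pow(message_digest(msg), d, n)


def verify(public_key, msg: bytes, signature: int) -> bool:
    """Anyone with the public key recovers the signed hash and compares it with a
    hash they compute themselves: proves origin (non-repudiation) and integrity."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(msg)


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """Minimal 'certificate': the CA signs the binding of a name to a public key."""
    e, n = subject_public_key
    to_be_signed = f"{subject}|{e}|{n}".encode()
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(ca_private_key, to_be_signed)}


def verify_certificate(ca_public_key, cert: dict) -> bool:
    """Relying party: trusts the CA's public key, not the subject's claim."""
    e, n = cert["public_key"]
    return verify(ca_public_key, f"{cert['subject']}|{e}|{n}".encode(), cert["ca_signature"])


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sig = sign(priv, b"pay 100 to alice")
    print(verify(pub, b"pay 100 to alice", sig), verify(pub, b"pay 900 to alice", sig))
```

Changing one byte of the message or one byte of the certificate's subject breaks verification, which is the integrity half; only the private-key holder could have produced a signature that verifies, which is the non-repudiation half.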
Authentication
The process of positively identifying users trying to access data.
Authorization
Defines what an authenticated user can do with data.
Network Access Control (NAC)
A mechanism that controls which machines and people may join the network and what they may reach once connected, typically by authenticating the device (for example with 802.1X) and checking its posture before granting access.
Access Control List (ACL)
A clearly defined list of permissions that specifies what an authenticated user may perform on a shared resource
Mandatory Access Control (MAC)
Authorization method in which every resource is assigned a label that defines its security level, every user holds a clearance, and the system (not the resource owner) enforces which clearances may access which labels.
Discretionary Access Control (DAC)
Authorization method based on the idea that there is an owner of a resource who may at his or her discretion assign access to that resource.
Role-Based Access Control (RBAC)
Authorization method that defines a user’s access to a resource based on the roles the user plays in the network environment.
Point-to-Point Protocol (PPP)
Enables two point-to-point devices to connect, authenticate, and negotiate the network protocol the two devices will use.
The 5 Distinct Phases to a PPP Connection
1) Link Dead: No link yet.
2) Link Establishment: Link Control Protocol (LCP) communicates with the LCP on the other side of the PPP link.
3) Authentication: Username/Password
4) Network layer protocol: once LCP has the link up, a Network Control Protocol (NCP) such as IPCP negotiates the Network layer protocol and its settings (for example the IP address).
5) Termination
In a point-to-point connection, the side asking for the connection is the _______ and the other side is the ________.
Initiator, Authenticator
Password Authentication Protocol (PAP)
The oldest and most basic form of authentication.
Sends the username and password in cleartext, so anyone sniffing the link captures them!
Challenge Handshake Authentication Protocol (CHAP)
A remote access authentication protocol in which the serving system sends the remote client a random challenge; the client replies with an MD5 hash of the challenge combined with the shared secret, so the password itself never crosses the link.
MSCHAP
Microsoft's variant of CHAP and the most common authentication method for dial-up. MS-CHAPv2 is now considered broken: a captured exchange can be reduced to a single DES key and recovered offline.
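Worked example added to the deck (not from the original cards) for the PAP, CHAP and MSCHAP entries: the RFC 1994 CHAP response computation, a one-shot authenticator that rejects replays, and the offline dictionary attack that a captured exchange still allows. The user database, the shared secret and the wordlist are constructed sample values.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Serving side: issues a fresh random challenge per attempt and checks the reply."""

    def __init__(self, user_db: dict):
        self.user_db = user_db      # name -> shared secret; never sent on the link
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        c = secrets.token_bytes(16)
        self.pending[identifier] = c
        return c

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        c = self.pending.pop(identifier, None)   # one-shot: a replayed response finds nothing
        secret = self.user_db.get(name)
        if c is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, c), response)


def chap_peer(identifier: int, name: str, secret: bytes, challenge: bytes):
    """Client side: sends (name, response). PAP would send (name, secret) instead."""
    return name, chap_response(identifier, secret, challenge)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What a sniffer can still do: the password never crosses the link, but the
    (challenge, response) pair lets an attacker test guesses offline at MD5 speed."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_exchange(user_db: dict, name: str, secret: bytes, identifier: int = 1) -> dict:
    """One full CHAP exchange, a replay of it, and what an eavesdropper captured."""
    server = ChapAuthenticator(user_db)
    chal = server.challenge(identifier)
    sent_name, resp = chap_peer(identifier, name, secret, chal)
    ok = server.verify(identifier, sent_name, resp)
    replayed = server.verify(identifier, sent_name, resp)
    return {"authenticated": ok, "replay_accepted": replayed,
            "captured": (identifier, chal, resp)}


if __name__ == "__main__":
    db = {"alice": b"correct horse"}            # constructed sample account
    result = run_exchange(db, "alice", b"correct horse")
    ident, chal, resp = result["captured"]
    print(result["authenticated"], result["replay_accepted"],
          offline_dictionary_attack(ident, chal, resp, [b"password", b"correct horse"]))
```

The random challenge defeats replay and keeps the password off the wire, which is the whole improvement over PAP; it does nothing against guessing, so CHAP-family protocols (including MS-CHAPv2) are only as strong as the secret and are best run inside a TLS tunnel such as EAP-TTLS or PEAP.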
Authentication, Authorization, and Accounting (AAA)
A security framework built on the three functions it is named for: authenticating who a user is, authorizing what they may do, and accounting for what they did.
Remote Authentication Dial-In User Service (RADIUS)
- An AAA standard created so that ISPs with hundreds or thousands of modems spread across many access servers could authenticate users against a single central database.
- UDP 1812 (authentication) and 1813 (accounting), or the older UDP 1645/1646.
3 Devices of RADIUS
1) Radius Server that has access to usernames/passwords
2) Network Access Servers (NAS) that control the modems
3) A group of systems that dial into the network.
What is the Microsoft RADIUS server?
Internet Authentication Service (IAS), replaced by Network Policy Server (NPS) since Windows Server 2008.
What is the Linux RADIUS server?
FreeRADIUS
Terminal Access Controller Access Control System Plus (TACACS+)
- A protocol developed by Cisco to support AAA in a network with many routers and switches.
- TCP port 49
- Similar to RADIUS, but separates authentication, authorization, and accounting into distinct functions and encrypts the entire packet body, whereas RADIUS hides only the password.
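Worked example added here (not from the original deck) for the RADIUS and TACACS+ cards: the RFC 2865 User-Password hiding that protects the password inside an Access-Request, its reversal on the server, and the offline attack on the shared secret that shows why "encrypts the entire packet body" is a meaningful difference. The secret, password and candidate list are constructed sample values; the Request Authenticator is generated randomly, as the RFC requires.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16, then XOR each
    16-byte chunk with MD5(secret || previous ciphertext chunk). The first chunk is keyed
    with the 16-byte Request Authenticator instead of a previous chunk."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 keystream from the shared secret."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return plain.rstrip(b"\x00")


def recover_secret(hidden: bytes, request_authenticator: bytes, known_password: bytes, candidates):
    """Offline attack: whoever captures an Access-Request for an account whose password
    they know (their own, say) can test shared-secret guesses at MD5 speed, because
    MD5(secret || RequestAuthenticator) == hidden[:16] XOR password[:16]."""
    target = _xor(hidden[:16], (known_password + b"\x00" * 16)[:16])
    for guess in candidates:
        if hashlib.md5(guess + request_authenticator).digest() == target:
            return guess
    return None


def demo() -> dict:
    secret = b"radius-shared-secret"        # constructed sample NAS/server secret
    ra = secrets.token_bytes(16)             # Request Authenticator: random per request
    password = b"hunter2hunter2hunter2"      # 21 bytes -> two 16-byte chunks
    hidden = hide_user_password(password, secret, ra)
    return {
        "hidden_len": len(hidden),
        "revealed": reveal_user_password(hidden, secret, ra),
        "wrong_secret": reveal_user_password(hidden, b"other", ra),
        "recovered_secret": recover_secret(
            hidden, ra, password, [b"secret", b"radius-shared-secret", b"Cisco123"]),
    }


if __name__ == "__main__":
    print(demo())
```

Everything else in the Access-Request (username, NAS address, calling station) travels in cleartext, and the hiding above is an unauthenticated MD5-based XOR keyed by a long-lived static secret; that is why RADIUS should run over an IPsec or TLS-protected management network, and why TACACS+ (which also uses an MD5 keystream, but over the whole body) is preferred for device administration.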
Kerberos
An authentication standard designed to allow different operating systems and applications to authenticate each other.
Key Distribution Center (KDC)
The Kerberos service that authenticates principals and issues tickets; in Active Directory every domain controller runs a KDC.
Two processes of KDC
1) Authentication Server (AS)
2) Ticket Granting Service (TGS)
In Windows, the security token is called a __________.
Security Identifier (SID)
EAP-PSK
- Most popular form of authentication in wireless networks (WPA/WPA2-Personal).
- Uses a shared secret (a passphrase) stored on the WAP and on every client; because everyone shares the one secret, anyone who captures the four-way handshake can test passphrases offline.
EAP-TLS
- An EAP method that uses a RADIUS server and TLS for mutual authentication, requiring certificates on both the server and every client.
- Most common on wireless networks, but also used for wired 802.1X port authentication.
EAP-TTLS
A protocol similar to EAP-TLS, but it requires only a single server-side certificate; the TLS tunnel it builds then protects a simpler inner authentication of the client (for example a username and password).
LEAP
Proprietary EAP used almost exclusively by Cisco wireless products; its MS-CHAP-based exchange is vulnerable to offline dictionary attacks, and Cisco itself recommends migrating to other EAP methods.
802.1X
- A port-based network access control standard: a switch or access point keeps a port blocked until the connecting device (the supplicant) authenticates.
- Uses EAP to carry the authentication exchange, normally to a RADIUS server.
Tunnel
- An encrypted link between two programs on two separate computers
- SSH creates encrypted tunnels
SSL vs. TLS
SSL is the older protocol and is now deprecated (RFC 7568 prohibits SSL 3.0); TLS is its standardized successor and is what current applications use, although the name "SSL" persists in product and library names.
IPsec
An authentication and encryption protocol suite that works at the Internet/Network layer, so it secures any traffic carried over IP rather than a single application.
Transport Mode of IPsec
Only the actual payload of the IP packet is encrypted; the original IP header stays readable, so source and destination addresses are visible to anyone on the path. Typically used host-to-host.
Payload
The primary data that is sent from a source network device to a destination network device.
Tunnel Mode of IPsec
The entire original IP packet is encrypted and encapsulated inside a new packet with a new IP header; used between gateways (site-to-site VPNs), so the inner addresses are hidden.
Authentication Header (AH)
IPsec protocol that provides authentication and integrity for the whole packet (including the IP header) but no encryption; IP protocol number 51.
Encapsulating Security Payload (ESP)
IPsec protocol that provides encryption of the payload and, optionally, authentication and integrity; IP protocol number 50. Most deployments use ESP rather than AH.
Internet Security Association and Key Management Protocol (ISAKMP)
IPsec protocol used for establishing security associations that define things like the protocol used for exchanging keys.
Two widely used key exchanging protocols
Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK)
Secure Copy Protocol (SCP)
One of the first protocols used to copy files securely between two hosts; it runs over an SSH connection.
Secure FTP (SFTP)
Designed as a replacement for FTP after SCP's limitations (no directory listing, no resume) became apparent; it is an SSH subsystem, not FTP over SSL.
OpenSSH
The free, open-source implementation of the SSH protocol and its companion tools (ssh, scp, sftp, ssh-keygen), maintained by the OpenBSD project; SSH-2 multiplexes many channels (sessions, port forwards) over a single encrypted connection.
Simple Network Management Protocol (SNMP)
- A set of standards for communication with network devices in order to manage them.
- UDP port 161 for manager queries; UDP port 162 for traps sent by devices. Only SNMPv3 adds authentication and encryption; v1 and v2c rely on a cleartext community string.
Management Information Base (MIB)
The hierarchical database of managed objects (each identified by an OID) that an SNMP agent exposes and a manager queries.
Cacti
An open-source graphing tool that polls SNMP-capable devices for information and charts the results over time.
Lightweight Directory Access Protocol (LDAP)
- A protocol that programs use to query and change a directory service (Active Directory, OpenLDAP) holding users, groups, and devices
- TCP port 389 (cleartext, or upgraded with STARTTLS) or TCP port 636 for LDAP over TLS (LDAPS)
Network Time Protocol (NTP)
- Synchronizes a host's clock with a time source
- UDP port 123
WANs connect nodes, such as workstations, servers, printers, and other devices, in a small geographical area on a single network.
(A) True
(B) False
Answer : (B)
A bus topology WAN is often the best option for an organization with only a few sites and the capability to use dedicated circuits.
(A) True
(B) False
Answer : (A)
The carrier’s endpoint on a WAN is called the Data Communications Equipment (DCE).
(A) True
(B) False
Answer : (A)
T-1 cables cannot utilize straight through cables using the same wiring scheme as LAN patch cables.
(A) True
(B) False
Answer : (B)
In a PON setup, the system is considered passive because no repeaters or other devices intervene between the carrier and the customer.
(A) True
(B) False
Answer : (A)
The customer’s endpoint device on the WAN is called the __________________.
Answer : Data Terminal Equipment (DTE)
Multiplexing enables a single ____________ circuit to carry 24 channels, each capable of 64 Kbps throughput.
Answer : T-1
The ________________ distributes signals to multiple endpoints via fiber-optic cable, in the case of FTTP, or via copper or coax cable.
Answer : Optical Network Unit (ONU)
If the line between the carrier and the customer experiences significant errors on a T-1, a ____________ will report this fact to the carrier.
Answer : smart jack
In ATM, a packet is called a _____________ and always consists of 48 bytes of data plus a 5 byte header.
Answer : cell
In what type of topology is each site connected to two other sites, providing redundancy? (A) bus topology (B) ring topology (C) star topology (D) circle topology
Answer : (B)
What is the maximum throughput of a DS3 connection? (A) 1.544
(B) 3.152
(C) 44.736
(D) 274.176
Answer : (C)
How many channels exist in a T1 connection? (A) 1 (B) 24 (C) 48 (D) 96
Answer : (B)
In an ISDN connection, how much throughput does a single B channel provide? (A) 32 Kbps (B) 48 Kbps (C) 64 Kbps (D) 96 Kbps
Answer : (C)
In a PON system, an OLT contains a splitter that splits each port into how many logical channels? (A) 16 (B) 32 (C) 64 (D) 96
Answer : (B)
What is the size of an ATM packet? (A) 48 bytes (B) 53 bytes (C) 64 bytes (D) 84 bytes
Answer : (B)
Which option below is an advantage of leasing a frame relay circuit over leasing a dedicated circuit?
(A) You are guaranteed to receive the maximum amount of bandwidth specified in the circuit contract.
(B) You pay only for the bandwidth you’ve used.
(C) The paths that your data will take are always known.
(D) Frame relay is a newly established network technology with more features than other technology.
Answer : (B)
What xDSL standard is the most popular? (A) VDSL (B) G.Lite (C) ADSL (D) HDSL
Answer : (C)
What xDSL version provides a maximum throughput of 24 Mbps downstream and 3.3 Mbps upstream? (A) VDSL (B) ADSL (C) ADSL2+M (D) HDSL
Answer : (C)
The DTE or endpoint device for a leased line is known as which device below? (A) CSU/DSU (B) cable modem (C) DSL modem (D) ISDN modem
Answer : (A)
What OC level is primarily used as a regional ISP backbone, and occasionally by very large hospitals, universities, or other major enterprises? (A) OC-3 (B) OC-12 (C) OC-48 (D) OC-96
Answer : (C)
What is the maximum amount of throughput provided by an OC-12? (A) 51.84 Mbps (B) 155.52 Mbps (C) 622.08 Mbps (D) 1244.16 Mbps
Answer : (C)
What is the frequency range of the C-band that is used by satellites? (A) 1.5 - 2.7 GHz (B) 2.7 - 3.5 GHz (C) 3.4 - 6.7 GHz (D) 12 - 18 GHz
Answer : (C)
What Layer 3 technique is employed by distance-vector routing protocols in which a router remembers which of its interfaces a routing update arrived on and will not retransmit, or advertise, that same update out the same interface? (A) split horizon
(B) round robin
(C) reverse path check
(D) spanning tree protocol
Answer : (A)
What protocol is commonly used to aggregate / bond T-1 / T-3 lines? (A) STP (B) MLPPP (C) MPLS (D) PPTP
Answer : (B)
When copper cabling is used to carry T-1 traffic, what kind of connector is used? (A) RJ-11 (B) RJ-25 (C) RJ-45 (D) RJ-48
Answer : (D)
When using frame relay, what is the name of the identifier that routers use to determine which circuit to send frames to? (A) SVC identifier (B) data link connection identifier (C) PVC identifier (D) frame path identifier
Answer : (B)
Which version of DOCSIS provides 38 Mbps per channel and requires a minimum of 4 channels to be used? (A) DOCSIS 1 (B) DOCSIS 2 (C) DOCSIS 3 (D) DOCSIS 4
Answer : (C)
The best 802.11n signal can travel approximately how far? (A) 1 mile
(B) 1/2 mile
(C) 1/4 mile
(D) 300 feet
Answer : (C)
In metro settings, end-to-end, carrier-grade Ethernet networks can be established via what protocol? (A) Metro Carrier Transport (B) Carrier Ethernet Transport (C) Intra-city Ethernet (D) Ethernet SONET
Answer : (B)
A MAN connection is also known as which two terms below? (A) Ethernet MAN (B) Metro Ethernet (C) Carrier Ethernet (D) Packet MAN
Answer :
True or False: A WAN link is a connection between one WAN site and another site.
Answer: True
WANs that use the ____ topology are only practical for connecting fewer than four or five locations.
a. tiered
b. ring
c. star
d. mesh
Answer: B
In the point-to-multipoint structure of a PON, the single endpoint at the carrier’s central office is known as which of the following?
a. OLT
b. PON
c. ONU
d. FTTP
Answer: A
True or False: PVCs are dedicated, individual links.
Answer: False
A ____ converts the T-Carrier frames into frames the LAN can interpret and vice versa.
a. smart jack
b. CSU
c. DSU
d. terminal adapter
Answer: C
True or False: Broadband cable relies on the PSTN for transmission medium.
Answer: False
____ communication occurs when the downstream throughput is higher than the upstream throughput.
a. DSU
b. CSU
c. Symmetrical
d. Asymmetrical
Answer: D
____ sets ATM apart from Ethernet.
a. Fixed packet size
b. Security
c. Wiring
d. Throughput
Answer: A
True or False: An advantage of SONET is its fault tolerance.
Answer: True
____ orbiting satellites are the type used by the most popular satellite Internet access service providers.
Answer: Geosynchronous
What is the lowest layer of the OSI model at which LANs and WANs support the same protocols? A. Layer 2 B. Layer 3 C. Layer 4 D. Layer 5
Answer: B. Layer 3
An organization can lease a private, _________________ that is not shared with other users,
or a _________________ that can be physically configured over shared lines in the carrier’s
cloud.
A. Permanent virtual circuit (PVC), switched virtual circuit (SVC)
B. Switched virtual circuit (SVC), dedicated line
C. Dedicated line, virtual circuit
D. Switched virtual circuit (SVC), permanent virtual circuit (PVC)
Answer: C. Dedicated line, virtual circuit
Which WAN topology always sends data directly from its origin to its destination? A. Bus topology B. Ring topology C. Star topology D. Mesh topology
Answer: D. Mesh topology
What protocol is used to bond multiple T-1s? A. LACP B. MLP C. TCP/IP D. SSH
Answer: B. MLP
What kind of device can monitor a connection at the demarc but cannot interpret data? A. CSU/DSU B. NID C. NIU D. Smart jack
Answer: D. Smart jack
What specification defined the standards for broadband cable? A. ATM B. Digital signal C. ANSI D. DOCSIS
Answer: D. DOCSIS
What technology allows a user to access the Internet through the wiring of a home? A. Ethernet over HDMI B. Broadband over power line C. Ethernet over power line D. Ethernet over SONET
Answer: C. Ethernet over power line
______________ in SONET are analogous to the ________________ of T-carriers. A. Throughput, digital signal levels B. OC levels, digital signal levels C. QoS levels, OC levels D. OC levels, carrier levels
Answer: B. OC levels, digital signal levels
What IEEE committee established WiMAX technologies? A. 802.11 B. 802.3 C. 802.5 D. 802.16
Answer: D. 802.16
What method do ISPs use to purposely slow down bandwidth utilization by customers? A. Fair access B. Throttling C. Blocking D. Net neutrality
Answer: B. Throttling