Chapter 11: Securing TCP/IP

Question 1

Plaintext/Cleartext

Answer 1

Data that is in an easily read or viewed format

Question 2

Symmetric-Key Algorithm

Answer 2

Any encryption method that uses the same key for both encryption and decryption.

Question 3

Assymetric-Key Algorithm

Answer 3

Any encryption method that uses different keys for encryption and decryption.

Question 4

Block Cipher

Answer 4

• An encryption algorithm in which data is encrypted in “chunks” of a certain length at a time.
• Popular in wired networks

Question 5

Stream Cipher

Answer 5

An encryption method that encrypts a single bit at a time.

Question 6

Rivest Cipher 4 (RC4)

Answer 6

Was the dominant stream cipher for a time, but now is not.

Question 7

Advanced Encryption Standard (AES)

Answer 7

A block cipher that uses a 128-bit block size and 128, 192, or 256 bit key size.

Question 8

What is the most popular form of email encryption?

Answer 8

Public-Key Cryptography

Question 9

Rivest Shamir Adleman (RSA)

Answer 9

An improved asymmetric cryptography algorithm that enables secure digital signatures.

Question 10

IPsec

Answer 10

The Network layer encryption protocol.

Question 11

Integrity

Answer 11

The process that guarantees that the data received is the same as originally sent.

Question 12

Secure Hash Algorithm (SHA)

Answer 12

The primary family of cryptographic hash functions.

Question 13

Two unsafe algorithms

Answer 13

SHA-1 and Message-Digest Algorithm version 5 (MD5)

Question 14

Nonrepudiation

Answer 14

The receiver of info has a very high confidence that the sender of a piece of info truly is who the receiver thinks.

Question 15

Digital Signature

Answer 15

An encrypted hash of a private encryption key that verifies a sender’s identity to those who receive encrypted data or messages.

Question 16

Certificate

Answer 16

A standardized type of digital signature that includes the digital signature of a third party (like GoDaddy) that guarantees that who is passing out this certificate truly is who they say they are.

Question 17

Public-Key Infrastructure (PKI)

Answer 17

The system for creating and distributing digital certificates using sites like GoDaddy, VeriSign, etc.

Question 18

Authentication

Answer 18

The process of positively identifying users trying to access data.

Question 19

Authorization

Answer 19

Defines what an authenticated user can do with data.

Question 20

Network Access Control (NAC)

Answer 20

Control over information, people, access, machines, and everything in between

Question 21

Access Control List (ACL)

Answer 21

A clearly defined list of permissions that specifies what an authenticated user may perform on a shared resource

Question 22

Mandatory Access Control (MAC)

Answer 22

Authorization method in which every resource is assigned a label that defines its security level.

Question 23

Discretionary Access Control (DAC)

Answer 23

Authorization method based on the idea that there is an owner of a resource who may at his or her discretion assign access to that resource.

Question 24

Role-Based Access Control (RBAC)

Answer 24

Authorization method that defines a user’s access to a resource based on the roles the user plays in the network environment.

Question 25

Point-to-Point Protocol (PPP)

Answer 25

Enables two point-to-point devices to connect, authenticate, and negotiate the network protocol the two devices will use.

Question 26

The 5 Distinct Phases to a PPP Connection

Answer 26

1) Link Dead: No link yet.
2) Link Establishment: Link Control Protocol (LCP) communicates with the LCP on the other side of the PPP link.
3) Authentication: Username/Password
4) Network layer protocol: LCP uses a protocol called Network Control Protocol (NCP) to make proper connections
5) Termination

Question 27

In a point-to-point connection, the side asking for the connection is the _______ and the other side is the ________.

Answer 27

Initiator, Authenticator

Question 28

Password Authentication Protocol (PAP)

Answer 28

The oldest and most basic form of authentication.

Sends the passwords in cleartext!!

Question 29

Challenge Handshake Authentication Protocol (CHAP)

Answer 29

A remote access authentication protocol that has the serving system challenge the remote client, which must provide an encrypted password.

Question 30

MSCHAP

Answer 30

The most common authentication method for dial up.

Question 31

Authentication, Authorization, and Accounting (AAA)

Answer 31

A security philosophy based upon the three words it is named with, ya know?

Question 32

Remote Authentication Dial-In User Service (RADIUS)

Answer 32

• An AAA standard created to support ISP’s with hundreds or thousands of modems in hundreds of computers to connect to a single central database.
• Either UDP 1812/1813 or UDP 1645/1646

Question 33

3 Devices of RADIUS

Answer 33

1) Radius Server that has access to usernames/passwords
2) Network Access Servers (NAS) that control the modems
3) A group of systems that dial into the network.

Question 34

What is the Microsoft RADIUS server?

Answer 34

Internet Authentication Service (IAS)

Question 35

What is the Linux RADIUS server?

Answer 35

FreeRADIUS

Question 36

Terminal Access Controller Access Control System Plus (TACACS+)

Answer 36

• A protocol developed by Cisco to support AAA in a network with many routers and switches.
• TCP port 49
• Similar to RADIUS, but separates authorization, authentication and accounting.

Question 37

Kerberos

Answer 37

An authentication standard designed to allow different operating systems and applications to authenticate each other.

Question 38

Key Distribution Center (KDC)

Answer 38

System for granting authentication in Kerberos.

Question 39

Two processes of KDC

Answer 39

1) Authentication Server (AS)

2) Ticket Granting Service (TGS)

Question 40

In Windows, the security token is called a __________.

Answer 40

Security Identifier (SID)

Question 41

EAP-PSK

Answer 41

• Most popular form of authentication in wireless networks.

- Uses a shared secret code (password or whatever) stored on the WAP and the clients

Question 42

EAP-TLS

Answer 42

• A protocol that defines the use of a RADIUS server as well as mutual authentication, requiring certificates on both the server and every client.
• Only used on wireless networks

Question 43

EAP-TTLS

Answer 43

A protocol similar to EAP-TTLS, but only uses a single server-side certificate.

Question 44

LEAP

Answer 44

Proprietary EAP used almost exclusively by Cisco wireless products.

Question 45

802.1X

Answer 45

• A port-authentication network access control mechanism for networks.
• Uses EAP

Question 46

Tunnel

Answer 46

• An encrypted link between two programs on two separate computers
• SSH creates encrypted tunnels

Question 47

SSL vs. TLS

Answer 47

SSL is limited to a few applications, whereas TLS is not limited (for the most part)

Question 48

IPsec

Answer 48

An authentication and encryption protocol suite that works at the Internet/Network layer

Question 49

Transport Mode of IPsec

Answer 49

Only the actual payload of the IP packet is encrypted, and the IP header info is readable.

Question 50

Payload

Answer 50

The primary data that is sent from a source network device to a destination network device.

Question 51

Tunnel Mode of IPsec

Answer 51

Entire IP packet is encrypted and encapsulated into another packet.

Question 52

Authentication Header (AH)

Answer 52

IPsec protocol for authentication

Question 53

Encapsulating Security Payload (ESP)

Answer 53

IPsec protocol involved in authentication and encryption

Question 54

Internet Security Association and Key Management Protocol (ISAKMP)

Answer 54

IPsec protocol used for establishing security associations that define things like the protocol used for exchanging keys.

Question 55

Two widely used key exchanging protocols

Answer 55

Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK)

Question 56

Secure Copy Protocol (SCP)

Answer 56

One of the first protocols used to transfer data securely between two hosts.

Question 57

Secure FTP (SFTP)

Answer 57

Designed as a replacement for FTP after SCP was discovered to suck.

Question 58

OpenSSH

Answer 58

A series of secure programs developed to fix SSH’s limitation of only being able to handle one session per tunnel.

Question 59

Simple Network Management Protocol (SNMP)

Answer 59

• A set of standards for communication with network devices in order to manage them.
• UDP port 161

Question 60

Management Information Base (MIB)

Answer 60

SNMP’s version of a server

Question 61

Cacti

Answer 61

An SNMP tool that enables you to query an SNMP-capable device for info.

Question 62

Lightweight Directory Access Protocol (LDAP)

Answer 62

• Tool that programs use to query and change a database

- TCP port 389

Question 63

Network Time Protocol (NTP)

Answer 63

• Gives the current time

- UDP port 123