Chapter 12 Flashcards
Authentication Protocols
PAP - password auth; sends username and password in clear text (no protection at all)
CHAP - challenge-response; peer returns MD5(id + shared secret + random challenge), so the secret never crosses the wire; authenticator can re-challenge mid-session
MS-CHAPv2 - Microsoft's CHAP variant; adds mutual authentication, but its DES-based response is crackable today, so use it only inside a protected tunnel (e.g. PEAP)
EAP - an authentication framework rather than a single method (EAP-TLS, PEAP, EAP-TTLS, etc.); runs over PPP or 802.1X and is normally backed by a AAA server such as RADIUS or TACACS+
PPP (point-to-point)
Encapsulation protocol for carrying IP over dial-up or other point-to-point links; a Layer 2 protocol that negotiates authentication (PAP/CHAP/EAP) before passing traffic
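The CHAP exchange described above, with a replay attempt against it, as an added example that is not part of the original flashcards. The class and function names (ChapAuthenticator, chap_exchange, replay_attempt) and the user/secret pair are made up for illustration; the response formula is the one RFC 1994 mandates.

```python
"""CHAP (RFC 1994) challenge/response exchange, with a replay attempt.

Added example, not from the flashcards. Names and the sample credentials are
constructed for illustration.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge).
    MD5 is what the protocol mandates, not a choice made here; a weak secret is
    still exposed to offline guessing by anyone who captures the exchange."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Holds the shared secrets; only the challenge, identifier, name
    and the 16-byte response ever cross the wire, unlike PAP where the password does."""

    def __init__(self, secrets: dict):
        self.secrets = secrets           # {username: secret bytes}
        self.identifier = 0
        self.outstanding = {}            # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh random challenge under a new 8-bit identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # pop(): each challenge is usable once, so a captured response is useless later
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


def chap_exchange(auth: ChapAuthenticator, name: str, secret: bytes):
    """Peer side of one exchange. Returns (authenticated, captured_wire_data)."""
    ident, chal = auth.challenge()              # Challenge packet: authenticator -> peer
    resp = chap_response(ident, secret, chal)   # Response packet: peer -> authenticator
    return auth.verify(ident, name, resp), (ident, resp)


def replay_attempt(auth: ChapAuthenticator, name: str, secret: bytes):
    """Let a legitimate peer authenticate, then resend its captured response."""
    first_ok, (ident, resp) = chap_exchange(auth, name, secret)
    replayed_ok = auth.verify(ident, name, resp)
    return first_ok, replayed_ok


# Constructed sample credentials.
SECRETS = {"alice": b"correct horse battery staple"}

if __name__ == "__main__":
    auth = ChapAuthenticator(SECRETS)
    print(chap_exchange(auth, "alice", SECRETS["alice"])[0])   # True
    print(chap_exchange(auth, "alice", b"wrong")[0])           # False
    print(replay_attempt(auth, "alice", SECRETS["alice"]))     # (True, False)
```

The one-time challenge is what buys replay resistance; PAP has no equivalent, and a captured PAP packet is the password itself.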
Phreaking
Attack on phone systems and VoIP
- circumventing the telephone system to make free long-distance calls, alter the function of telephone service, steal specialized services, and even cause service disruptions
Remote Access Security Policy
Must address the following:
- Remote connectivity technology - DSL, Internet, PSTN modem, cellular/mobile, etc
- Transmission protection
- Authentication protection
- User assistance (support)
Secure Email Solutions
- S/MIME - uses X.509 certificates; signed messages give sender authentication, integrity and non-repudiation; enveloped messages are encrypted to the recipient's public key for confidentiality
- PGP - wide Internet support; trust model is a web of trust rather than a CA hierarchy
- DKIM (DomainKeys Identified Mail) - sending server signs selected headers and the body with a private key; the public key is published in DNS so the receiving server can verify the mail really came from the signing domain and was not altered in transit
- SPF (Sender Policy Framework) - domain publishes a DNS TXT record listing the hosts allowed to send its mail; the receiving server checks the connecting IP against it
- DMARC (Domain-based Message Authentication, Reporting and Conformance) - DNS-based policy layered on SPF/DKIM; requires the authenticated domain to align with the From: header and tells receivers how to handle failures (none/quarantine/reject) and where to send reports
- STARTTLS - SMTP command that upgrades a plaintext session to TLS, usually on submission port TCP 587; opportunistic, so an active attacker who strips the STARTTLS offer forces plaintext unless the client insists on TLS
- SMTPS - implicit TLS for SMTP on TCP 465; if TLS cannot be negotiated the connection fails instead of downgrading to plaintext
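SPF evaluation followed by a DMARC disposition, as an added example rather than code from the flashcards. The DNS_TXT dict stands in for live DNS lookups and every domain and address in it is constructed; the SPF evaluator handles only ip4/ip6/all terms (include:, a:, mx: and redirect= need real DNS), the DKIM verdict is taken as an input because signature verification is out of scope, and org_domain() is a simplification of the Public Suffix List rule.

```python
"""SPF check and DMARC disposition over constructed DNS data.

Added example, not from the flashcards. DNS_TXT replaces live lookups; all
domains and addresses are constructed. Function names are made up.
"""
import ipaddress

DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.softfail.example": "v=DMARC1; p=quarantine; pct=100",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str) -> str:
    """RFC 7208 result for the connecting IP: pass/fail/softfail/neutral/none/permerror."""
    record = DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                         # no SPF published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]      # 'all' always matches: the default verdict
        mech, _, arg = term.partition(":")
        if mech.lower() not in ("ip4", "ip6"):
            return "permerror"                # offline evaluator: DNS-backed mechanisms unsupported
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"                # malformed record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no 'all' term


def parse_dmarc(domain: str):
    """Tags of the _dmarc.<domain> record, with RFC 7489 defaults, or None if absent."""
    record = DNS_TXT.get("_dmarc." + domain)
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> str:
    """'pass' if either SPF or DKIM passed AND aligns with From:, else the published p= policy."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none"                         # no policy: receiver treats mail as usual
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


if __name__ == "__main__":
    print(check_spf("example.com", "203.0.113.5"))                                  # fail
    print(dmarc_disposition("example.com", "fail", "attacker.test", "fail", None))  # reject
```

Note the alignment step: an SPF pass for the MAIL FROM domain attacker.test does nothing for a message whose From: header claims example.com, which is exactly the spoofing case DMARC exists to stop.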
VPN
Transport mode - encrypts only the payload; the original IP header stays in clear (host-to-host)
Tunnel mode - encrypts the whole original packet (header + payload) and wraps it in a new outer IP header (typically gateway-to-gateway)
Site-to-site VPN - links 2 networks via their gateways
Remote Access VPN - links an individual user to a network
Always-on - auto-connects whenever a link is available
Split-tunnel - only traffic for the org network goes through the tunnel; Internet traffic goes direct, bypassing org monitoring and filtering
Full-tunnel - everything goes through the tunnel, so all traffic is subject to the org's controls
VPN Protocols
PPTP - from dial-up PPP; same authentication as PPP (PAP, CHAP, EAP, MS-CHAPv2); TCP 1723 plus GRE; obsolete because its MS-CHAPv2/MPPE protection is crackable, but some devices still support it
L2TP - derived from PPTP and Cisco L2F; an IETF standard; no encryption of its own, so normally paired with IPsec (L2TP/IPsec); PPP-style authentication incl. EAP, with AAA via RADIUS or TACACS+; UDP 1701
SSH - forwards individual TCP connections (port forwarding) rather than whole networks; as a VPN it is effectively transport mode only
OpenVPN - uses TLS for its control channel and key exchange; UDP 1194 by default
IPsec:
- Network-layer (Layer 3) protection for IP traffic only; mandatory in the IPv6 spec, optional in IPv4
- AH - Authentication Header: integrity and source authentication covering the payload and most header fields; no confidentiality; does not survive NAT because the header is authenticated
- ESP - Encapsulating Security Payload: encrypts the payload (confidentiality) with optional integrity/authentication; sequence numbers give anti-replay protection against session hijacking
- HMAC - for message integrity
- IPComp - payload compression (applied before encryption, since ciphertext does not compress)
- IKE - negotiates security associations and manages keys; IKEv1 was built from 3 elements:
- OAKLEY - key generation and exchange (Diffie-Hellman based)
- SKEME - key exchange mechanism
- ISAKMP - framework for negotiating and managing SAs and keys
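The ESP anti-replay mechanism mentioned above, as an added example rather than code from the flashcards. It follows the sliding-window scheme of RFC 4303 section 3.4.3 (check before the integrity check, update only after it); the class and function names are made up and SAMPLE_STREAM is a constructed packet stream. The 64-packet window is the RFC's recommended default (32 is the minimum).

```python
"""ESP anti-replay sliding window (RFC 4303 section 3.4.3 / Appendix A).

Added example, not from the flashcards. Names are made up; SAMPLE_STREAM is
constructed input of (sequence_number, icv_verified) pairs.
"""
from typing import Optional


class AntiReplayWindow:
    """Tracks which of the last `size` sequence numbers on one SA were accepted.
    Bit i of `bitmap` set  <=>  sequence number (top - i) already received."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> Optional[str]:
        """Phase 1, run BEFORE the ICV is verified. None = acceptable, else the reason."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return "invalid-seq"    # seq 0 is never sent; wrap means rekey (or use ESN)
        if seq > self.top:
            return None             # new high-water mark, always acceptable
        diff = self.top - seq
        if diff >= self.size:
            return "stale"          # past the left edge: too old to track, drop
        if (self.bitmap >> diff) & 1:
            return "replay"         # already seen inside the window
        return None

    def update(self, seq: int) -> None:
        """Phase 2, run only AFTER the ICV verified, so forged packets cannot
        advance the window and shut out legitimate traffic."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1     # window jumps entirely past old history
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process_packets(packets, size: int = 64) -> list:
    """Return one decision per (seq, icv_ok) packet: accept/replay/stale/bad-icv/invalid-seq."""
    window = AntiReplayWindow(size)
    decisions = []
    for seq, icv_ok in packets:
        reason = window.check(seq)
        if reason is not None:
            decisions.append(reason)
        elif not icv_ok:
            decisions.append("bad-icv")     # dropped, window left untouched
        else:
            window.update(seq)
            decisions.append("accept")
    return decisions


# Constructed stream: out-of-order delivery, a replayed packet, a forged packet
# with a bad ICV, then a jump far ahead that ages out seq 36 but not 37.
SAMPLE_STREAM = [(1, True), (2, True), (5, True), (3, True), (3, True), (5, True),
                 (4, False), (4, True), (100, True), (36, True), (37, True), (0, True)]

if __name__ == "__main__":
    print(process_packets(SAMPLE_STREAM))
```

The two-phase split matters: if the window were updated on the unverified sequence number, an attacker could inject a packet with a huge sequence number and a garbage ICV and the receiver would then reject every genuine packet as stale.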
NAT66
NAT for IPv6 (IPv6-to-IPv6); like IPv4 NAT it can hide internal addresses behind a public one, but IPv6 address abundance makes this rarely necessary and it is generally discouraged; NPTv6 (RFC 6296, stateless prefix translation) is the standardized form
Private IP ranges
10.0.0.0/8 (10.x.x.x)
172.16.0.0/12 (172.16.x.x - 172.31.x.x)
192.168.0.0/16 (192.168.x.x)
RFC 1918; not routable on the public Internet, so Internet routers drop traffic to or from these ranges
Automatic private IP addressing
169.254.0.0/16 (169.254.x.x), link-local
Self-assigned by the host when DHCP fails; reachable only on the local link, never routed
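A practical use of the two address lists above, as an added example that is not from the flashcards: an ingress (bogon) check over firewall log lines that flags RFC 1918 or APIPA source addresses arriving on an Internet-facing interface, which should never happen and indicates spoofing or a missing upstream filter. The log line format and the interface names are assumptions and SAMPLE_LOG is constructed; only the address ranges come from the notes.

```python
"""Ingress (bogon) filter check over firewall log lines.

Added example, not from the flashcards. The log format and interface names are
assumptions and SAMPLE_LOG is constructed; the ranges come from the notes.
"""
import ipaddress
import re

# RFC 1918 private ranges plus APIPA link-local: none may appear as a source on
# a public-facing interface, because Internet routers do not carry them.
NON_ROUTABLE = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "apipa": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify(addr: str) -> str:
    """'rfc1918', 'apipa' or 'public'. CIDR maths, so 172.32.0.1 is correctly public
    while 172.31.255.254 is private (a common mistake with the /12 block)."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "public"


# Assumed line format: "<timestamp> iface=<name> src=<ip> dst=<ip> action=<verdict>"
LINE_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)")

# Constructed sample log; wan0 is assumed to be the Internet-facing interface.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z iface=wan0 src=203.0.113.9 dst=198.51.100.2 action=allow
2024-05-01T10:00:02Z iface=wan0 src=10.4.2.7 dst=198.51.100.2 action=allow
2024-05-01T10:00:03Z iface=wan0 src=172.31.255.254 dst=198.51.100.2 action=allow
2024-05-01T10:00:04Z iface=wan0 src=172.32.0.1 dst=198.51.100.2 action=allow
2024-05-01T10:00:05Z iface=lan0 src=192.168.1.20 dst=198.51.100.2 action=allow
2024-05-01T10:00:06Z iface=wan0 src=169.254.10.10 dst=198.51.100.2 action=allow
2024-05-01T10:00:07Z iface=wan0 src=not-an-ip dst=198.51.100.2 action=allow
"""


def find_bogons(log_text: str, external_ifaces=("wan0",)) -> list:
    """Return (src, class) for packets that arrived on an external interface from a
    non-routable source. Private sources on lan0 are normal and are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["iface"] not in external_ifaces:
            continue
        try:
            kind = classify(m["src"])
        except ValueError:
            continue                    # malformed address field: skip, do not crash
        if kind != "public":
            hits.append((m["src"], kind))
    return hits


if __name__ == "__main__":
    for src, kind in find_bogons(SAMPLE_LOG):
        print(f"bogon source on external interface: {src} ({kind})")
```

The same check is what an edge router's ingress ACL (BCP 38 style) enforces in line; running it over logs after the fact tells you whether that ACL is missing or being bypassed.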
Circuit switch - a dedicated, pre-determined path is set up for the duration of the call (e.g. PSTN); predictable, but the capacity is wasted while idle
Packet switch - data is split into packets that are routed independently, so each may take a different path; links are shared and latency varies
VC (virtual circuit) - logical circuit over a packet-switched network
- PVC - permanent VC: predefined and always in place, like a leased line, ready whenever the customer sends data
- SVC - switched VC: set up on demand for each transmission and torn down afterwards
Fiber Optics in WAN (backbone networks)
SONET (STS/OC) - North American standard
SDH (STM) - international standard
- Both use TDM
STS-1/OC-1, STM-0 = 51.84 Mbps
STS-3/OC-3, STM-1 = 155.52 Mbps
OC-n = n x 51.84 Mbps …… and so on