Chapter 12 - Network Security Flashcards

1
Q

Defense-in-Depth

A

Defense-in-Depth is a security concept stating that multiple security controls ensure that a failure in a single control, or sometimes even in multiple controls, is unlikely to cause a security breach.

2
Q

Attack Surface

A

An organization or device’s Attack Surface consists of the points at which an unauthorized user could gain access.

3
Q

Security Zone

A

Security Zones are physical or virtual network segments, or other components of an infrastructure, that can be separated from less secure zones through logical or physical means.

4
Q

Failure Modes

A

Failure Modes refer to the state in which a device will be once it fails. A fail-open device will allow traffic to continue passing through upon failure while a fail-closed device will no longer allow traffic to pass through after failing.

5
Q

Reputation

A

Reputation describes services and data feeds that track IP addresses, domains, and hosts that engage in malicious activity.

6
Q

Software-Defined Networking (SDN)

A

Software-Defined Networking uses software-based network configuration to control networks. SDN designs rely on controllers that manage network devices and configurations, centrally managing the Software-Defined Network. This allows networks to be dynamically tuned based on performance metrics and other configuration settings, and to be customized as needed in a flexible way.

7
Q

Software-Defined Wide Area Network (SD-WAN)

A

A Software-Defined Wide Area Network is a virtual wide area network design that can combine multiple connectivity services for organizations. SD-WAN is commonly used with technologies like Multiprotocol Label Switching (MPLS), 4G and 5G, and broadband networks. SD-WAN can help by providing high availability and allowing for networks to route traffic based on application requirements while controlling costs by using less expensive connection methods when possible.

8
Q

Secure Access Service Edge (SASE)

A

Secure Access Service Edge combines virtual private networks, SD-WAN, and cloud-based security tools like firewalls, cloud access security brokers (CASBs), and zero-trust networks to provide secure access for devices regardless of their location.

9
Q

Screened Subnet/DMZ

A

Screened Subnets are network zones that contain systems that are exposed to less trusted areas (often the Internet).

10
Q

In a Zero-Trust network, what are the four components of the Control Plane?

A
  1. Adaptive Identity (leverages context-based authentication that considers data points such as where the user is logging in from or what device they are logging in from)
  2. Threat Scope Reduction (limiting the scope of what a subject can do, or what access is permitted to a resource, limits what can go wrong if an issue does occur)
  3. Policy-Driven Access Control (policy engines rely on policies as they make decisions that are then enforced by the policy administrator and policy enforcement points)
  4. Policy Administrator (executes decisions made by a policy engine)

11
Q

In a Zero-Trust network, what are the four components of the Data Plane?

A
  1. Implicit Trust Zones (allow use and movement once a subject is authenticated by a zero-trust policy engine)
  2. Subjects and Systems (devices and users that are seeking access)
  3. Policy Enforcement Points

12
Q

Network Access Control (NAC)

A

Network Access Control technologies focus on determining whether a system or device should be allowed to connect to a network. If it passes the requirements set for admission, NAC places it into an appropriate zone. NAC can use a software agent that is installed on the computer to perform these security checks or it can be agentless and run from a browser or by another means without installing software locally.

13
Q

Port Security

A

Port Security is a capability that allows you to limit the number of MAC addresses that can be used on a single port. This prevents problems such as MAC address spoofing, content-addressable memory (CAM) table overflows, and in some cases, plugging in additional devices to extend the network.

14
Q

IPSec VPN

A

IPSec VPNs operate at layer 3, require a client, and can operate in either tunnel mode or transport mode. In tunnel mode, entire packets of data sent to the other end of the VPN connection are protected. In transport mode, the IP header is not protected but the IP payload is.

15
Q

SSL VPN

A

SSL VPNs (although they actually use TLS) can either use a portal-based approach, where users access it via a web page and then access services through that connection, or they can offer a tunnel mode like IPSec VPNs. SSL VPNs can be used without a client installed.

16
Q

Full-Tunnel VPN

A

Full-Tunnel VPNs send all network traffic through the VPN tunnel, keeping it secure as it goes to the remote trusted network.

17
Q

Split-Tunnel VPN

A

Split-Tunnel VPNs only send traffic intended for systems on the remote trusted network through the VPN tunnel.

18
Q

Jump Server

A

Jump Servers are secure and monitored systems used to provide administrators with a way to securely operate in security zones of differing security levels. These servers are typically configured with the tools required for administrative work and are frequently accessed with SSH, RDP, or other remote desktop methods.

19
Q

Load Balancer

A

Load Balancers are used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching. Load Balancers typically present a virtual IP (VIP), which clients send service requests to on a service port. The Load Balancer then distributes those requests to servers in a pool or group.

20
Q

Proxy Server

A

Proxy Servers accept and forward requests, centralizing the requests and allowing actions to be taken on the requests and responses. They can filter or modify traffic and cache data, and since they centralize requests, they can be used to support access restrictions by IP address or similar requirements.

21
Q

Forward Proxy

A

Forward Proxies are placed between clients and servers, and they accept requests from clients and send them forward to servers. Since Forward Proxies conceal the original client, they can anonymize traffic or provide access to resources that might be blocked by IP address or geographic location.

22
Q

Reverse Proxy

A

Reverse Proxies are placed between servers and clients, and they are used to help with load balancing and caching of content. Clients can thus query a single system but have traffic load spread to multiple systems or sites.

23
Q

Web Filter

A

Web Filters, sometimes called content filters, are centralized proxy devices or agent-based tools that allow or block traffic based on content rules. These can be as simple as conducting URL scanning and blocking specific URLs, domains or hosts, or they may be complex, with pattern matching, IP reputation, and other elements built into the filtering rules.

24
Q

Unified Threat Management (UTM)

A

Unified Threat Management devices frequently include firewall, IDS/IPS, anti-malware, URL and email filtering and security, data loss prevention, VPN, and security monitoring and analytics capabilities. The line between UTM and NGFW devices can be confusing, and the market continues to narrow the gaps between devices as each side offers additional features. UTM devices are typically used for an “out of box” solution where they can be quickly deployed and used, often for small to mid-sized organizations.

25
Q

Web Application Firewall (WAF)

A

Web Application Firewalls are security devices that are designed to intercept, analyze, and apply rules to web traffic, including database queries, API calls, and other web application components.

26
Q

Honeypot

A

Honeypots are systems that are intentionally configured to appear to be vulnerable but that are actually heavily instrumented and monitored systems that will document everything an attacker does while retaining copies of every file and command they use.

27
Q

Honeyfile

A

Honeyfiles are intentionally attractive files that contain unique, detectable data that is left in an area that an attacker is likely to visit if they succeed in their attacks. If the data contained in a honeyfile is detected leaving the network, or is later discovered outside of the network, the organization knows that the system was breached.

28
Q

Honeytoken

A

Honeytokens are data that is intended to be attractive to attackers but which is used specifically to allow security professionals to track data. They may be entries in databases, files, directories, or any other data asset that can be specifically identified. IDS, IPS, DLP, and other systems are then configured to watch for Honeytokens, which should not be sent outside the organization or accessed under normal circumstances because they are not actual organizational data.

29
Q

Out-of-Band Management

A

Out-of-Band Management is a separate means of accessing the administrative interface. Most implementations of Out-of-Band Management use a separate management VLAN or an entirely separate physical network for administration.

30
Q

DNS Filtering

A

DNS Filtering uses a list of prohibited domains, subdomains, and hosts and replaces the correct response with an alternate DNS response, often to an internal website that notes that the access was blocked and what to do about the block.

31
Q

DomainKeys Identified Mail (DKIM)

A

DKIM allows organizations to add content to messages to identify them as being from their domain. DKIM signs both the body of the message and elements of the header, helping to ensure that the message is actually from the organization it claims to be from. It adds a DKIM-Signature header, which can be checked against the public key that is stored in public DNS entries for DKIM-enabled organizations.

32
Q

Sender Policy Framework (SPF)

A

SPF is an email authentication technique that allows organizations to publish a list of their authorized email servers. SPF records are added to the DNS information for your domain, and they specify which systems are allowed to send email from that domain.

33
Q

Domain-based Message Authentication Reporting and Conformance (DMARC)

A

DMARC is a protocol that uses SPF and DKIM to determine whether an email message is authentic. DMARC records are published in DNS, but unlike DKIM and SPF, DMARC can be used to determine whether you should accept a message from a sender.

34
Q

Ephemeral Key

A

Ephemeral Keys are used in TLS. In ephemeral Diffie-Hellman key exchanges, each connection receives a unique, temporary key. That means that even if a key is compromised, communications that occurred in the past, or in the future in a new session, will not be exposed.

35
Q

File Integrity Monitor

A

File Integrity Monitors will detect changes to important files (often configuration files) and either report on them or restore them to normal. File Integrity Monitoring tools like Tripwire create a signature or fingerprint for a file, and then monitor the file and filesystem for changes to monitored files.

36
Q

DNS (Port #)

A

TCP/UDP 53

37
Q

DNSSEC (Port #)

A

TCP/UDP 53 (focuses on ensuring that DNS information is not modified; does not provide confidentiality)

38
Q

Telnet (Port #)

A

TCP 23

39
Q

SSH (Port #) [Secure]

A

TCP 22

40
Q

SNMP (Port #)

A

UDP 161 and 162

41
Q

SNMPv3 (Port #) [Secure]

A

UDP 161 and 162 (only the authPriv level uses encryption, therefore insecure implementations of SNMPv3 are still possible)

42
Q

RTP (Port #)

A

UDP 16384-32767

43
Q

SRTP (Port #) [Secure]

A

UDP 5004

44
Q

POP3 (Port #)

A

TCP 110

45
Q

Secure POP3 (Port #) [Secure]

A

TCP 995

46
Q

FTPS (Port #) [Secure]

A

TCP 21 in explicit mode
TCP 990 in implicit mode

47
Q

SFTP (Port #) [Secure]

A

TCP 22 (uses SSH)

48
Q

IMAP (Port #)

A

TCP 143

49
Q

IMAPS (Port #) [Secure]

A

TCP 993

50
Q

LDAP (Port #)

A

UDP and TCP 389

51
Q

LDAPS (Port #) [Secure]

A

TCP 636

52
Q

Secure/Multipurpose Internet Mail Extensions (S/MIME)

A

S/MIME provides the ability to encrypt and sign MIME data, the format used for email attachments. S/MIME requires a certificate for users to be able to send and receive S/MIME-protected messages.

53
Q

What are the two most significant components of the IPSec security protocol suite?

A
  1. Authentication Header (AH) uses hashing and a shared secret key to ensure integrity of data and validates senders by authenticating the IP packets that are sent.
  2. Encapsulating Security Payload (ESP) operates in either transport mode or tunnel mode. In tunnel mode, it provides integrity and authentication for the entire packet; in transport mode, it only protects the payload of the packet.

54
Q

SSL Stripping

A

An SSL Stripping attack uses an on-path attack when the HTTP request occurs, redirecting the rest of the communications through a system that an attacker controls, allowing the communication to be read or possibly modified.

55
Q

Domain Hijacking

A

Domain Hijacking changes the registration of a domain, either through technical means like a vulnerability with a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering. The end result is the attacker being able to intercept traffic, send and receive email, or otherwise take action while appearing to be the legitimate domain holder.

56
Q

DNS Poisoning

A

DNS Poisoning can be accomplished in multiple ways. One form is a variant of the on-path attack, where an attacker provides a DNS response while pretending to be an authoritative DNS server. DNS Poisoning can also involve poisoning the DNS cache on systems. Once a malicious DNS entry is in a system’s cache, it will continue to use that information until the cache is purged or updated.

57
Q

Credential Replay

A

Credential Replay attacks are a form of network attack that requires the attacker to be able to capture valid network data and to re-send it or delay it so that the attacker’s own use of the data is successful. A common version of this attack is to intercept and re-send authentication tokens for web services.

58
Q

Volume-Based Network DDoS Attacks

A

Volume-Based Network DDoS Attacks focus on the sheer amount of traffic causing a denial-of-service condition. Some Volume-Based DDoS Attacks rely on amplification techniques that leverage flaws or features in protocols and services to create significantly more traffic than the attacker sends. Some examples of Volume-Based DDoS Attacks are UDP floods and ICMP floods.

59
Q

Protocol-Based Network DDoS Attacks

A

Protocol-Based Network DDoS Attacks focus on the underlying protocols used for networking. SYN floods send the first step in a three-way TCP handshake and do not respond to the SYN-ACK that is sent back, thus consuming TCP stack resources until they are exhausted.

60
Q

Amplified DDoS Attacks

A

Amplified DDoS Attacks take advantage of protocols that allow a small query to return large results like a DNS query. Spoofing a system’s IP address as part of a query can result in a DNS server sending much more traffic to the spoofed IP address than was sent to the DNS server originally, amplifying a small amount of traffic into a large response.

61
Q

Reflected DDoS Attacks

A

Reflected DDoS Attacks cause a legitimate service to conduct the attack, making it harder to know who the attacker is.