Chapter 12 Secure Communications and Network Attacks Flashcards

1
Q

What is Point to Point Protocol?

A

Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP over dial-up or point-to-point links. It is a data link layer protocol that allows for multivendor interoperability of WAN devices. It is rarely found today, but it was the foundation on which many modern protocols are based. It includes the assignment and management of IP addresses, management of synchronous communications, encapsulation, multiplexing, link configuration, link quality testing, error detection, and compression. It replaced Serial Line Internet Protocol, which had no authentication and was only half duplex.

Original authentication options for PPP were:

–Password Authentication Protocol (PAP): Transmitted credentials in cleartext. Was simply a means to transport them from the client to the authentication server.

–Challenge Handshake Authentication Protocol (CHAP): Performs authentication using a challenge-response dialogue that cannot be replayed. The challenge is a random number issued by the server; the client uses that along with the password hash to compute a one-way function derived response. It also periodically reauthenticates the remote system. Since it was based on MD5, it is no longer considered secure. Microsoft created MS-CHAPv2 with updated algorithms.

–Extensible Authentication Protocol (EAP): A framework for authentication instead of an actual protocol. It allows customized authentication solutions, such as smartcards, tokens, and biometrics. It originally assumed secured pathways, and not all forms use encryption. 802.1X defines the use of encapsulated EAP to support a wide range of authentication options for LAN connections. The standard is formally known as "Port-Based Network Access Control," where port refers to any network link, not just physical ones. 802.1X is not a wireless technology; it is an authentication technology that can be used in WAPs, firewalls, routers, switches, proxies, VPN gateways, and remote access servers. When it is in use, it makes a port-based decision on whether to allow or deny a connection. It is vulnerable to MitM and hijacking attacks because authentication occurs after the connection is established. This can be addressed through periodic mid-session reauthentication and implementing session encryption.

2
Q

What are the important EAP derivatives?

A

Lightweight Extensible Authentication Protocol (LEAP): Was a Cisco proprietary alternative to TKIP. Avoid it now.

Protected Extensible Authentication Protocol (PEAP): Encapsulates EAP in a TLS tunnel. Preferred to EAP because it has its own security. Supports mutual authentication.

Subscriber Identity Module (EAP-SIM): A means of authenticating mobile devices over GSM. Each device has a SIM card.

Flexible Authentication via Secure Tunneling (EAP-FAST): Cisco proprietary protocol proposed to replace LEAP, which is obsolete because of WPA2.

EAP-MD5 was an early EAP method; it is now deprecated.

EAP Protected One-Time Password (EAP-POTP): Supports the use of OTP tokens in MFA for use in one-way and mutual authentication.

EAP-TLS is an open IETF standard that is an implementation of the TLS protocol for use in protecting authentication traffic. It is most effective when both the client and server have a digital certificate.

EAP Tunneled TLS (EAP-TTLS) is an extension of EAP-TLS that creates a VPN-like tunnel between endpoints prior to authentication. This assures that even the username is not transmitted in clear text.

3
Q

What is DISA?

A

Direct Inward System Access. It adds authentication requirements to all external connections to the PBX.

4
Q

What are the four types of remote access?

A

Four types of remote access techniques:

—service specific (gives the ability to remotely control a single service, such as email);

—remote control (gives the user ability to fully control a remote system);

—remote node operation (establishing a direct connection via wireless, VPN, or dialup); and

—screen scraper (can refer to remote control, remote access, or remote desktop services, or to a technology allowing an automated tool to interact with a human interface).

5
Q

How does load balancing work?

A

The goal is to obtain more optimal utilization, minimize response time, maximize throughput, and eliminate bottlenecks. Load balancers accomplish this in various ways:

–Random choice: each packet or connection is assigned a destination randomly.
–Round robin: assigned to the next destination in order.
–Load monitoring: the device with the lowest current load is assigned.
–Referencing: assigned based on a subjective preference or known capacity difference.
–Least connections: assigned to the device with the fewest active connections.
–Locality: based on distance from the load balancer, or based on previous connections to the same client.

This can be done either through software or hardware, and can include features like caching, TLS offloading (removing encryption), compression, buffering, etc.

6
Q

Describe email security solutions.

A

S/MIME is an email security standard that offers authentication and confidentiality to email through public key encryption, digital envelopes, and digital signatures. Authentication is provided through X.509 digital certificates issued by trusted CAs. Privacy is provided through Public Key Cryptography Standards (PKCS) encryption. Signed messages provide integrity, sender authentication, and nonrepudiation; enveloped messages add recipient authentication and confidentiality.

PGP is a peer-to-peer public-private key-based email system. It is not a standard but rather an independently developed product.

DomainKeys Identified Mail (DKIM) is a means to assert that valid mail is sent by an organization through verification of domain name identity.

Sender Policy Framework (SPF) is a way that organizations can configure their SMTP servers to protect against spam and email spoofing. SPF checks that inbound messages originate from a host authorized to send them.

Domain Message Authentication Reporting and Conformance (DMARC) is a DNS-based email authentication system intended to protect against BEC, phishing, and other scams. Email servers can verify whether a received message is valid via DNS-based instructions.

STARTTLS (aka explicit TLS or opportunistic TLS) will attempt to start up an encrypted connection with the target email server. The encrypted connection is on port 587. It can be used with IMAP connections; POP3 uses the STLS command.

Implicit SMTPS is the TLS-encrypted form of SMTP, which assumes the target server supports TLS. If it does, it opens a connection on TCP port 465. If not, connections are terminated.

Consider blocking all attachments, or those with extensions known to be used for malicious activity. Use email reputation filtering, which grades email services based on how often they are abused.

7
Q

What is a VPN concentrator?

A

A dedicated hardware device that is designed to support hundreds or thousands of VPN connections.

8
Q

What is VPN tunneling?

A

The network communications process that protects the content of protocol packets by encapsulating them in packets of another protocol. As data is transmitted from one system to another across a VPN link, the normal LAN TCP/IP traffic is encapsulated in the VPN protocol. The VPN acts like a security envelope that provides special delivery capabilities and security. It is akin to sending a letter—you have your letter, the primary content protocol packet—and place it in an envelope.

Tunneling helps you bypass firewalls, gateways, proxies, and other traffic control devices. Tunneling is often used to enable communications between otherwise disconnected systems. It protects the contents of the inner packets by encasing, or wrapping, them in an authorized protocol. For example, the network might not make the primary protocol routable. Encapsulation is generally an inefficient means of communicating, as it introduces more error detection, handling, session management, etc. Larger/additional packets consume bandwidth. It is not designed to handle broadcast traffic.

9
Q

What is the difference between transport mode and tunnel mode?

A

VPNs can connect systems or individual devices. Transmitted data is only protected while within the VPN tunnel. Remote access servers or firewalls on the network border serve as start and end points, so traffic is unprotected within the source LAN and within the destination LAN.

For VPNs in transport mode, links are anchored at the individual hosts connected together. For example, with IPsec, there is encryption for the payload but not the header. This is known as a host-to-host VPN or an end-to-end encrypted VPN. It is best to use this only on a trusted network.

With tunnel mode, the links terminate at VPN devices on the boundaries of connected devices. IPsec would provide protection for both the payload and the header. It adds its own, unencrypted IPsec header. Tunnel mode can be used to connect two networks across the Internet (site-to-site VPN) or to allow two distant clients to connect into an office LAN (remote access VPN). A remote access VPN is a variety of site-to-site, and is also known as link encryption VPN.

10
Q

What is the difference between a split and a full tunnel?

A

A split tunnel allows VPN-connected clients to access both the organization network over the VPN and the Internet directly. This can be a security risk, since it allows an open pathway from the Internet to the internal network via the client. A full tunnel is a VPN configuration in which all of the client’s traffic is sent via the VPN link, and Internet-bound traffic is routed out via the normal network proxy.

11
Q

What is PPTP?

A

Point-to-Point Tunneling Protocol is an obsolete encapsulation protocol developed from the dial-up Point-to-Point Protocol. It operates at Layer 2 on TCP port 1723 and is used on IP networks.

It offered authentication via PAP, CHAP, EAP, or MS-CHAPv2. The initial tunnel negotiation process is not encrypted, meaning the session establishment packets include the IP addresses of the sender and receiver, as well as their usernames and hashed passwords. Modern versions have adopted MS-CHAPv2, which supports encryption using Microsoft Point-to-Point Encryption (MPPE) and supports various secure authentication options.

12
Q

What is L2TP?

A

Layer 2 Tunneling Protocol. It combined features of PPTP and Cisco's Layer 2 Forwarding (L2F) and became an Internet standard. It uses UDP port 1701. Since it operates at Layer 2, it can support any Layer 3 networking protocol.

It can rely on PPP's supported authentication protocols, including 802.1X. This allows L2TP to leverage available AAA servers, such as RADIUS or TACACS+. It does not offer native encryption but supports the use of payload encryption protocols.

13
Q

Can SSH be used as a VPN?

A

Yes, but it is limited to transport mode. OpenSSH is one example.

14
Q

What is OpenVPN?

A

A TLS-based VPN.

15
Q

What is IPsec?

A

AKA Internet Protocol Security. A standard of IP security extensions used as an add-on for IPv4 and integrated into IPv6. It only works with IP networks.

–Authentication Header (AH) provides assurances of message integrity and nonrepudiation. Primary authentication mechanism for IPsec, implements session access control, and prevents replay attacks.

–Encapsulating Security Payload (ESP) provides confidentiality and integrity. It provides encryption, limited authentication, and prevents replay attacks. ESP can establish its own links without AH and can operate in either transport mode or tunnel mode.

–Hash-based Message Authentication Code (HMAC) is the primary integrity mechanism.

–IP Payload Compression (IPComp) compresses data prior to encryption to speed up transmission.

IPsec uses PKI and symmetric cryptography. It uses Internet Key Exchange (IKE) to manage keys. IKE consists of OAKLEY (a key generation and exchange protocol similar to DH), SKEME (Secure Key Exchange Mechanism, which is similar to a digital envelope), and ISAKMP (Internet Security Association and Key Management Protocol, which is used to organize and manage the security keys).

A security association is the agreed-on method of authentication and encryption used by two entities. Each IPsec VPN uses two security associations, one for encrypted transmission and one for reception. Thus, it has two simplex communication channels.

16
Q

Describe switching and virtual LANs.

A

Switches are the most common network management device. They operate primarily at Layer 2 but can operate at Layer 3 or higher. An unmanaged switch has no configuration options; a managed switch may offer many.

All switches have four primary functions: learning, forwarding, dropping, and flooding:

–Learning is how a switch becomes aware of its local network. Each received inbound Ethernet frame is evaluated. The source MAC is checked against the content addressable memory (CAM) table. CAM is a mapping of MAC address to physical port. If the source MAC address is not there, it is added. Then the switch checks the destination MAC.
–If the destination MAC is in the CAM table and the exit port is different from the entry port, the frame is forwarded.
–If the destination MAC is in the CAM table but maps to the same port the frame arrived on, the frame is dropped.
–If the destination MAC is not in the CAM table, the switch sends the frame out to all known ports, aka flooding.

A VLAN is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are on VLAN 1. As the switch admin changes the VLAN assignments, various ports can be grouped. VLANs can be assigned based on MAC, IP subnetting, specified protocols, or authentication. VLAN management is most typically used to distinguish between user traffic and management traffic, with VLAN 1 used for management traffic.

Communications on the same VLAN happen without issue, but going between VLANs requires routing. Either an external router can be used or the switch can have internal routing software (aka an L3 switch or multilayer switch). VLANs are treated like subnets but are not the same thing: switches create VLANs, while IP address and subnet mask assignments create subnets.

VLAN management is the use of VLANs for security or performance reasons. They can be used to isolate traffic between network segments. For example, you can decline to define a route between VLANs, or specify a deny filter between certain VLANs. Any network segment that doesn't need to communicate with another should not be allowed to do so–deny by default. VLANs let you do this without altering the physical topology. They are easy to implement, have little overhead, and can be physical or virtual.

Distributed virtual switches are becoming more common in cloud and virtual environments compared with standalone virtual switches. They are more easily centrally managed and can be configured using an infrastructure as code architecture.

VLANs reduce a network's vulnerability to sniffers because a switch treats each VLAN as a separate network division. It's the routing function that blocks Ethernet broadcasts between subnets and VLANs, because a router doesn't forward Layer 2 traffic. This protects against broadcast storms (a flood of unwanted Ethernet broadcast traffic). VLANs also offer port isolation or private ports. These are private VLANs configured to use a dedicated or reserved uplink port. The members of a private VLAN or port-isolated VLAN can only interact with each other and over the predetermined exit port. This is common in hotels–each room is on a unique VLAN, so connections in the same room can communicate but different rooms cannot. All have a path out to the Internet (the uplink port).

If there are more devices than ports available, additional switches can be added. Switches can be linked together through their trunk ports. These are dedicated ports with higher bandwidth. Switches are typically linked with a crossover cable. If they are auto-MDIX enabled, they will automatically configure themselves.

17
Q

What is a MAC flooding attack?

A

The intentional abuse of a switch’s learning function to cause it to get stuck flooding. This is done by flooding a switch with Ethernet frames with randomized source MAC addresses. The switch will attempt to add each one to the CAM table. Once it is full, the CAM will drop older entries. Once it is full of fake addresses, it will be unable to forward traffic, so it reverts to flooding mode. This is distinct from ARP poisoning, as the attacker does not get into the path of communications between client and server. Instead, the attacker gets a copy of the communication. A defense against MAC flooding is often present on managed switches. MAC limiting restricts the number of MAC addresses that will be accepted into the CAM from each jack/port. A NIDS may also help identify MAC flooding.

18
Q

What are the private IP address ranges?

A

10.X.X.X

192.168.X.X

172.16.X.X to 172.31.X.X

19
Q

What is stateful NAT?

A

NAT operates by keeping a mapping of requests made by internal clients: the client's internal IP address and the external IP address contacted. When a request is received, it changes the source address in the packet from the client's address to the NAT server's address. Because the NAT device tracks each mapping, this process is known as stateful.

20
Q

What are the key standards for fiber optic links?

A

Synchronous Digital Hierarchy (SDH) and Synchronous Optical Network (SONET) are the two key standards. SDH comes from ITU and SONET from the American National Standards Institute. Both use time division multiplexing.

STS (Synchronous Transport Signal) or OC (Optical Carrier) refers to SONET, and STM (Synchronous Transport Module) refers to SDH.

STS-1/OC-1 = STM-0 = 54.84 Mbps
STS-3/OC-3 = STM-1 = 155 Mbps
STS-12/OC-12 = STM-4 = 622.08 Mbps
STS-48/OC-48 = STM-16 = 2.488 Gbps
STS-96/OC-96 = STM-32 = 4.876 Gbps
STS-192/OC-192 = STM-64 = 9.953 Gbps
STS-768/OC-768 = STM-256 = 39.813 Gbps

Both standards support mesh and ring topologies. These fiber solutions are often implemented as the backbone of a telco service.

21
Q

What is automatic IP addressing?

A

Also known as link-local address assignment. It assigns an address to a system in the event of a DHCP failure. It is primarily a Windows feature; no other OS has adopted this. It will assign an IP in the range from 169.254.0.1 to 169.254.255.255 with the default class B subnet mask of 255.255.0.0. This allows the system to communicate with clients on the same broadcast domain but not externally. If you see a client using an address in this range, look to see whether something is wrong.

22
Q

What is NAT T?

A

NAT Traversal. Designed to support tunneling through NAT devices.