Chapter 3 Flashcards

1
Q

OSI model Layer 1:

A

Please Do Not Throw Sausage Pizza Away!

Layer 1: Physical is all about the basic equipment of networking: copper wires, fiber optic cables, and radio waves.

2
Q

OSI model Layer 2:

A

Please Do Not Throw Sausage Pizza Away!
Layer 2: Data Link is where network switches reside. It formats data into data frames and routes it between systems on the local network using their media access control (MAC) addresses.

3
Q

OSI model Layer 3:

A

Please Do Not Throw Sausage Pizza Away!

Layer 3: Network introduces IP addresses. At this layer, routers use IP addresses to send information between systems that are not located on the same local network. The Internet Protocol (IP) is the primary protocol used at this layer.

4
Q

OSI model Layer 4:

A

Please Do Not Throw Sausage Pizza Away!

Layer 4: Transport provides end-to-end communication services for applications. The Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) exist at this layer.

5
Q

OSI model Layer 5:

A

Please Do Not Throw Sausage Pizza Away!

Layer 5: Session establishes, manages, and terminates sessions between applications running on different devices, allowing them to communicate and exchange data.

6
Q

OSI model Layer 6:

A

Please Do Not Throw Sausage Pizza Away!

Layer 6: Presentation translates data into a standard format that can be understood by the application layer, and provides encryption, compression, and other data transformation services.

7
Q

OSI model Layer 7:

A

Layer 7: Application provides network services to applications, allowing them to communicate with other applications over the network.

8
Q

UDP

A

User Datagram Protocol (UDP) provides connectionless sessions (without a three-way handshake). It is used for DoS attacks.

9
Q

Default port for HTTP

A

80

10
Q

TCP

A

Transmission Control Protocol (TCP) uses a three-way handshake:
1. Client sends SYN
2. Server responds SYN/ACK
3. Client responds ACK

11
Q

ICMP

A

Internet Control Message Protocol (ICMP) includes ping and tracert.
It is used for DoS attacks, so block ICMP at firewalls and routers.

12
Q

ARP

A

Address Resolution Protocol (ARP) resolves IPv4 addresses to MAC addresses.

ARP poisoning uses ARP packets to give clients false hardware address updates.

13
Q

FTP

A

File Transfer Protocol (FTP) uploads and downloads files in cleartext, making it easy for an attacker to capture them.

14
Q

TFTP

A

Trivial File Transfer Protocol (TFTP) is used to transfer smaller amounts of data, such as when communicating with network devices. Many attacks have used TFTP, but it is not an essential protocol on most networks. Because of this, administrators commonly disable it.

15
Q

SSL

A

Secure Sockets Layer (SSL) has been compromised and is not recommended for use.

16
Q

TLS

A

Transport Layer Security (TLS) is the designated replacement for SSL and should be used instead of SSL for browsers using HTTPS. It encrypts many protocols, including HTTPS.

17
Q

IPsec

A

Internet Protocol Security (IPsec) is used to encrypt IP traffic.

18
Q

SSH ports

A

Secure Shell (SSH) encrypts traffic in transit and can be used to encrypt other protocols such as FTP. It uses port 22.

19
Q

SCP

A

Secure Copy (SCP) is based on SSH and is used to copy encrypted files over a network.

20
Q

SFTP ports

A

Secure FTP (SFTP) is a secure implementation of FTP. It is an extension of Secure Shell (SSH), using SSH to transmit the files in an encrypted format. SFTP transmits data using TCP port 22.

21
Q

SSL Versus TLS

A

SSL is not secure. It has been replaced by TLS.

22
Q

FTPS

A

FTP Secure (FTPS) uses TLS to encrypt traffic.

Remember This! Secure Shell (SSH) encrypts traffic over TCP port 22 and is used to transfer encrypted files over a network. Transport Layer Security (TLS) is a replacement for SSL and is used to encrypt many different protocols, including browser-based connections using HTTPS. Secure FTP (SFTP) uses SSH to encrypt traffic. FTP Secure (FTPS) uses TLS to encrypt traffic.

23
Q

SMTP ports

A

Simple Mail Transfer Protocol (SMTP) transfers email between clients and SMTP servers. Originally, SMTP used TCP port 25 for unencrypted email.

The secure version, Simple Mail Transfer Protocol Secure (SMTPS), adds TLS encryption and uses TCP port 587.

24
Q

POP3 ports

A

Post Office Protocol (POP3) transfers emails from servers to end users. POP3 uses TCP port 110 for unencrypted connections. The secure version of POP3 has the same name but uses TCP port 995 for encrypted connections.

25
IMAP ports
Internet Message Access Protocol is used to store email on a mail server, and it allows users to organize and manage email in folders on the server. IMAP uses TCP port 143 for unencrypted connections and TCP port 993 for encrypted connections.
26
HTTP ports
Hypertext Transfer Protocol (HTTP) transmits web traffic between web servers and browsers. HTTP uses unencrypted connections to transfer data over TCP port 80. Hypertext Transfer Protocol Secure (HTTPS) adds TLS encryption to protect that data from prying eyes and uses TCP port 443.
27
SMTP, IMAP4, POP3 ports, insecure and secure
SMTP uses ports 25 and 587, POP3 uses 110 and 995, IMAP4 uses 143 and 993. HTTP and HTTPS use ports 80 and 443, respectively.
28
SPF
Sender Policy Framework uses DNS records to define which IP addresses are authorized to send emails on behalf of a domain.
29
DKIM
DomainKeys Identified Mail uses public key cryptography to sign and verify an email’s domain and content.
30
DMARC
builds on top of SPF and DKIM by allowing domain owners to set policies for how to handle emails that fail authentication checks and providing reporting mechanisms to monitor and improve email authentication performance.
31
RTP
The Real-time Transport Protocol (RTP) delivers audio and video over IP networks. This includes Voice over Internet Protocol (VoIP) communications, streaming media, video teleconferencing applications, and devices using web-based push-to-talk.
32
SRTP
Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for RTP.
33
SIP
Session Initiation Protocol is used to initiate, maintain, and terminate voice, video, and messaging sessions. SIP uses request and response messages when establishing a session. These messages are text, so it’s easy to read them if they are captured. After SIP establishes the session, RTP or SRTP transports the audio or video.
34
RDP
Remote Desktop Protocol (RDP) is used to connect to other systems from remote locations. RDP uses TCP port 3389. A common reason users cannot connect to systems with RDP is that port 3389 is blocked on a host-based or network firewall.
35
OpenSSH
OpenSSH is a suite of tools that simplifies the use of SSH to connect to remote servers securely. It also supports the use of SCP and SFTP to transfer files securely. The ssh-keygen command creates a public/private key pair, and the ssh-copy-id command copies the public key to a remote server. The private key must always stay private.
36
DHCP
Dynamic Host Configuration Protocol
37
A record/zone
This record holds the hostname and IPv4 address and is the most used record in a DNS server. A DNS client queries DNS with the name using a forward lookup request, and DNS responds with the IPv4 address from this record.
38
PTR
Also called a pointer record. It is the opposite of an A record. Instead of a DNS client querying DNS with the name, the DNS client queries DNS with the IP address. When configured to do so, the DNS server responds with the name. PTR records are optional, so these reverse lookups do not always work.
39
AAAA
This record holds the hostname and IPv6 address. It’s like an A record except that it is for IPv6.
40
MX
Also called mail exchange or mail exchanger. An MX record identifies a mail server used for email. The MX record is linked to the A record or AAAA record of a mail server. When there is more than one mail server, the one with the lowest preference number in the MX record is the primary mail server.
41
CNAME
A canonical name, or alias, allows a single system to have multiple names associated with a single IP address. For example, a server named Server1 in the domain getcertifiedgetahead.com might have an alias of FileServer1 in the same domain.
42
SOA
The start of authority (SOA) record includes information about a domain or zone and some of its settings. For example, it includes the TTL (Time to Live) settings for DNS records. DNS clients use the TTL setting to determine how long to cache DNS results. TTL times are in seconds, and lower times cause clients to renew the records more often.
43
DNSSEC
Domain Name System Security Extensions (DNSSEC) is a suite of extensions to DNS that provides validation for DNS responses.
44
RRSIG
Resource Record Signature (RRSIG) provides data integrity and authentication for DNS replies.
45
MAC filtering
MAC filtering is another example of port security. In a simple implementation, the switch remembers the first one or two MAC addresses that connect to a port. It then blocks access to systems using any other MAC addresses. You can also manually configure each port to accept traffic only from a specific MAC address.
46
Port security
Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
47
STP
Spanning Tree Protocol (STP) provides both broadcast storm prevention and loop prevention for switches. Remember This! Broadcast storm and loop prevention such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected.
48
RSTP
Rapid Spanning Tree Protocol (RSTP) provides both broadcast storm prevention and loop prevention for switches. Remember This! Broadcast storm and loop prevention such as STP or RSTP is necessary to protect against switching loop problems, such as those caused when two ports of a switch are connected.
49
BPDU
Spanning Tree Protocol (STP) sends Bridge Protocol Data Unit (BPDU) messages in a network to detect loops.
50
BPDU Guard
Many switches support a BPDU Guard feature that is enabled on edge ports. It monitors the ports for any unwanted BPDU messages. If it receives any, it disables the port, effectively blocking the BPDU attack.
51
router
A router connects multiple network segments into a single network and routes traffic between the segments. Because routers don’t pass broadcasts, they effectively reduce traffic on any single segment.
52
ACLs
Access control lists (ACLs) are rules implemented on routers (and on firewalls) to identify what traffic is allowed and what traffic is denied. Rules within an ACL provide rule-based management for the router and control inbound and outbound traffic.
53
Implicit deny
Implicit deny indicates that all traffic that isn’t explicitly allowed is implicitly denied.
54
route
The route command is used to display or modify a system’s routing table on both Windows and Linux systems.
55
route print
Using route print, you can see all the paths the system knows to other networks.
56
SNMP
The Simple Network Management Protocol (SNMP) monitors and manages network devices, such as routers or switches.
57
SNMPv3
SNMPv3 encrypts credentials before sending them over the wire. A common use case supported by SNMPv3 is to provide secure management of network devices. SNMPv3 uses UDP ports 161 and 162.
58
firewall
A firewall filters incoming and outgoing traffic for a single host or between networks. In other words, a firewall can ensure only specific types of traffic are allowed into a network or host, and only specific types of traffic are allowed out of a network or host.
59
host-based firewall
A host-based firewall monitors traffic going in and out of a single host, such as a server or a workstation. Microsoft Defender is an example.
60
Stateless firewalls
Stateless firewalls use rules implemented in ACLs to identify allowed and blocked traffic. They treat each network packet that they see as a new event and don’t track any information (or “state”) about previous network traffic. This is similar to how a router uses rules within ACLs. In fact, you can think of a router as a stateless firewall. Firewalls use an implicit deny strategy to block all traffic that is not explicitly allowed. Although rules within ACLs look a little different depending on what hardware you’re using, they generally include the following elements:
- Permission. You’ll typically see this as PERMIT or ALLOW, allowing the traffic. Most systems use DENY to block the traffic.
- Protocol. Typically, you’ll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic, effectively blocking ping and some other diagnostics that use ICMP.
- Source. Traffic comes from a source IP address. You identify an IP address to allow or block traffic from a single IP address or from a range of IP addresses, such as from a single subnet. Wildcards such as any or all include all IP addresses.
- Destination. Traffic is addressed to a destination IP address. You identify a destination IP address to allow or block traffic to.
- Port or protocol. Typically, you’ll see a well-known port such as port 443 for HTTPS in a rule. However, some devices support codes such as HTTPS for HTTPS traffic.
61
RTP
Real-time Transport Protocol (RTP) delivers audio and video over IP networks. This includes Voice over Internet Protocol (VoIP) communications, streaming media, video teleconferencing applications, and devices using web-based push-to-talk.
62
SRTP
The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for RTP.
63
OpenSSH
OpenSSH is a suite of tools that simplifies the use of SSH to connect to remote servers securely. It also supports the use of SCP and SFTP to transfer files securely. While OpenSSH is open source, many commercial products have integrated it into their applications.
64
ssh gcga
This initiates an SSH connection to the remote server using the default SSH port of 22 and Maggie’s username on the client.
65
ssh root@gcga
66
ssh-keygen -t rsa
This creates a matched pair of a public and a private key, similar to the public/private key pairs used with certificates (described in Chapter 10). The keys are in two separate files. The file holding the public key can be shared, but the private key file must stay private. The names of the two files are:
- id_rsa.pub. This is the public key. You copy it to the remote server.
- id_rsa. This is the private key. It is stored on the client and must stay private.
67
ssh-copy-id
Copies the public key to the remote server.
68
ssh-copy-id root@gcga
The command knows the public key file’s default location and where to copy it to on the remote server.
69
DNSSEC
One of the primary methods of preventing DNS cache poisoning is Domain Name System Security Extensions (DNSSEC).
70
RRSIG
DNSSEC adds a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to each record. The RRSIG provides data integrity and authentication for DNS replies. If a DNS server receives a DNSSEC-enabled response with digitally signed records, the DNS server knows that the response is valid.
71
Unicast
One-to-one traffic. One host sends traffic to another host using a destination IP address. The host with the destination IP address will process the packet. Other hosts on the same network may see the packet, but they will not process it because it isn’t addressed to them.
72
Broadcast
One-to-all traffic. One host sends traffic to all other hosts on the subnet, using a broadcast address such as 255.255.255.255. Every host that receives broadcast traffic will process it. Switches pass broadcast traffic between their ports, but routers do not pass broadcast traffic.
73
Port security
Port security limits the computers that can connect to physical ports on a switch. At the most basic level, administrators disable unused ports. Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
74
MAC filtering
MAC filtering is another example of port security. In a simple implementation, the switch remembers the first one or two MAC addresses that connect to a port. It then blocks access to systems using any other MAC addresses.
75
WAF
A web application firewall (WAF) is a firewall specifically designed to protect a web application.
76
Stateful Firewalls
Stateful firewalls operate at the Transport layer of the OSI model, so they are also commonly referred to as Layer 4 firewalls. If a stateful firewall detects TCP traffic without a corresponding three-way handshake, it recognizes this as suspicious traffic and can block it.
77
NGFW
Next-generation firewall
78
Layer 7 firewalls.
WAFs and NGFWs both analyze information about all layers of the OSI model, all the way through Layer 7, the Application layer. Therefore, they are often called Layer 7 firewalls.
79
Fail-open
A fail-open system allows everything to pass through the system when it fails. In this approach, no security controls are enforced, but there is no disruption to network activity.
80
Fail-closed
A fail-closed system allows nothing to pass through the system when it fails. In this approach, there is a significant disruption to network activity, but no security policies are violated. Security professionals prefer fail-closed systems because they limit risk.
81
Intranet
An intranet is an internal network. People use the intranet to communicate and share content with each other. While it’s common for an intranet to include internal web servers, this isn’t a requirement.
82
Extranet
An extranet is part of a network that can be accessed by authorized entities from outside of the network.
83
screened subnet
A screened subnet, also known as a demilitarized zone (DMZ), is a security zone between a private network and the Internet.
84
NAT
Network Address Translation (NAT) is a protocol that translates public IP addresses to private IP addresses and private IP addresses back to public. A commonly used form of NAT is network address and port translation, commonly called Port Address Translation (PAT). Dynamic NAT uses multiple public IP addresses, while static NAT uses a single public IP address.
85
Physical isolation
Physical isolation ensures that one network isn’t connected to another network.
86
SCADA
Supervisory control and data acquisition (SCADA) systems are typically industrial control systems within large facilities such as power plants or water treatment facilities. While SCADA systems operate within their own network, it’s common to ensure that they are isolated from any other network.
87
air gap
An air gap provides physical isolation, with a gap of air between an isolated system and other systems. When considered literally, an air-gapped system is not connected to any other systems. As an example, many government agencies use both classified (red) and unclassified (black) networks. Strict rules ensure that these two systems are not connected to each other. Some rules require physical separation between red network cables and black network cables.
88
East-West Traffic
Within a network, east-west traffic refers to traffic between servers. Imagine looking at a network diagram of servers within a network. These usually show servers configured horizontally (or side-by-side), so traffic between servers travels east and west. In contrast, network diagrams typically show clients above or below the servers, and traffic between clients and servers is north-south.
89
VLAN
Within a network, east-west traffic refers to traffic between servers. Imagine looking at a network diagram of servers within a network. These usually show servers configured horizontally (or side-by-side), so traffic between servers travels east and west. In contrast, network diagrams typically show clients above or below the servers, and traffic between clients and servers is north-south.
90
Network appliances
of firewalls, and the following sections discuss proxy servers and jump servers. All of these can be dedicated appliances or services added to another server.
91
proxy servers
Many networks use proxy servers (or forward proxy servers) to forward requests for services (such as HTTP or HTTPS) from clients. They can improve performance by caching content, and some proxy servers can restrict users’ access to inappropriate websites by filtering content. A proxy server is located on the edge of the network bordering the Internet and the intranet, as shown in Figure 3.5.
92
caching
The proxy server increases the performance of Internet requests by caching each result received from the Internet. Any data that is in the proxy server’s cache doesn’t need to be retrieved from the Internet again to fulfill another client’s request. In this context, cache simply means “temporary storage.” Cache could be a dedicated area of RAM, or, in some situations, it could also be an area on a high-performance disk subsystem.
93
content filtering
Content filtering allows organizations to create block rules that restrict web use. Many third-party companies sell subscription lists for URL filtering. These sites scour the Internet for websites and categorize the sites based on what companies typically want to block. Categories may include sites known to contain malicious code as well as undesirable types of content, such as pornography or gambling. These filters can rely on several different factors when making categorization decisions, including keywords that appear on the site and the site’s reputation.
94
Proxy server
A proxy server forwards requests for services from a client. It provides caching to improve performance and reduce Internet bandwidth usage. Transparent proxy servers accept and forward requests without modifying them. Non-transparent proxy servers use URL filters to restrict access to certain sites. Both types can log user activity.
95
UTM
A unified threat management (UTM) appliance combines multiple security controls into a single appliance. It can inspect data streams and often includes URL filtering, malware inspection, and content inspection components. Many UTMs include a DDoS mitigator to block DDoS attacks.
96
Jump Server
A jump server (sometimes called a jump box) is a hardened server used to access and manage devices in a different security zone. As an example, if administrators want to administer servers in the screened subnet from the internal network, they could use a jump server. They could connect to the jump server and then access servers in the screened subnet through the jump server.
ssh -J maggie@jump maggie@ca1
The -J switch tells ssh to connect to the jump server and then use TCP forwarding to connect to the CA server. While the preceding example used the jump server to connect to a server in the screened subnet, it’s also possible to use a jump server to connect to an internal network, such as a SCADA system network isolated with a VLAN.
97
Zero Trust
98
PEP
Policy Enforcement Point
99
adaptive identity
The system changes the way that it asks a user to authenticate based upon the context of the request. For example, a subject on a corporate computer system accessing the network from a corporate office may be only asked to verify their password, while a user in a coffee shop on a personal device may be subjected to multifactor authentication.
100
Control Plane vs. Data Plane
The Policy Engine (PE) decides whether to grant access to a resource for a given subject. The PE uses enterprise policy to grant, deny, or revoke access to the resource. The Policy Administrator (PA) is responsible for communicating the decisions made by the PE to the tools on the network that enforce those decisions, known as the Policy Enforcement Point (PEP). Together, the PE and the PA are known as the Policy Decision Point (PDP).
101
SASE
Secure access service edge (SASE) is a design philosophy closely related to ZTNA that brings together networking and security functions and delivers them as an integrated cloud service. SASE is a broader philosophy that builds upon zero trust and adds additional security services, including:
- Firewall services
- Secure web gateway services
- Anti-malware services
- Intrusion prevention services
- Cloud access service broker (CASB) services
- Data loss prevention (DLP) services