Chapter 3 Flashcards
TCP/IP has how many layers?
4
What are the layers of TCP/IP?
Application
Host to Host or Transport Layer
Internet Layer
Network Access Layer
Host to host is also known as
Transport
Network Access Layer is also known as
Link layer or Network Interface layer
TCP/IP host
Any device on the network running the TCP/IP protocol
Encapsulation
Method by which TCP/IP layers communicate
Application layer provides which protocols?
HTTP, HTTPS, FTP, SMTP
Host to host
Consists of TCP and UDP. UDP is an unreliable, connectionless protocol, but faster. Responsible for acknowledging receipt of packets.
Internet Layer is responsible for
routing, IP addressing and packaging
IP
Internet protocol, part of Internet Layer.
Which layer checks accuracy?
TCP
Which layer checks if the destination is known?
IP
If a destination is unknown, where is it sent?
to the router, by IP
ICMP
Internet Control Message Protocol - Ping
ICMP is part of which layer?
Internet
Address Resolution Protocol is in which layer?
Internet
ARP does what?
Resolves IPs to MAC addresses
Network Access Layer
Communicates through network adapters to place packets on the physical network
FTP port
21
port 21
FTP
Port 22
SSH and SCP
Port 25
SMTP
SMTP port
25
port 110
POP3
POP3 port
110
DNS names port
Port 53
Port 53
DNS names
Port 139
NetBIOS session
NetBIOS session port
139
IMAP port
143
Port 143
IMAP
TCP Handshake Initiated by
client
Client sends first message containing
ISN - initial sequence number, and window size
window size
buffer
Server responds to initial TCP message
ISN and window size
Third part of TCP handshake
Client acknowledges ISN
UDP
Connectionless, used for video and voice
Tracert uses
ICMP
Subnetting secures the network by
confining traffic, reducing traffic and broadcasts
vlan does what
splits off segments of the network, allows grouping of hosts by data sensitivity
PPTP
Tunneling protocol, vulnerable to sniffers, negotiates the connection in the clear
Layer 2 forwarding is a __ protocol
Tunnelling
Layer 2 forwarding was created as a protocol for
dial up
L2F should not be used for
WAN
L2F provides Authentication but not
encryption
Layer 2 tunneling protocol combines
L2F and PPTP
Layer 2 tunneling is encrypted?
No, but it can be
SSH was originally designed for
Unix
IPsec is used by ______ protocols
tunneling
IPSec has two modes
tunnel and transport
IPSec encrypts ____ in tunnel mode
payload and headers
IPSec encrypts ____ in transport mode
only the payload
NAC stands for
Network Access Control
NAC defines
criteria that a client must fulfill to access the network
what is an appliance?
A self contained device requiring little configuration
packet filter firewall blocks packets based on ____
ports
a packet filter firewall may authorize specific _____ to access certain ports
IP addresses
proxy firewalls are used to process requests from an ______ network
outside
proxy firewalls use _____ to hide IPs
NAT
Application level proxy firewall reads the actual _______
commands
stateful packet inspection firewall
uses intelligence to monitor sessions, stateless uses no intelligence and just blocks ports
what is a border router?
it connects WANs and LANs
WANs and LANs use the same/different protocols
different
Switches route packets using _____ addresses
MAC
For security reasons, all user interaction with the internet should be controlled through
a proxy server
IDS Activity
element of a data source that is of interest
IDS Alert
contains information about suspicious activity
IDS Analyzer
analyzes data collected by the sensor
IDS data source
raw information used to detect suspicious activity
IDS Event
occurrence indicating suspicious activity has occurred
IDS manager
console
IDS notification
how the manager tells the operator about an alert
IDS operator
person responsible for the IDS
IDS Sensor
Grabs raw material from the data sources
Behavior based IDS
variations in behavior such as unusually high traffic, policy violations
Signature based IDS
Misuse, attack signatures and audit trails
Anomaly detection IDS
spots deviation from a baseline
Heuristic IDS
uses algorithms to analyze traffic passing through the network
IPS
Intrusion Prevention System
IPS usually responds by
blocking offending IP address
Problem with IPS is _____
false positives
Best solution for a secure network is
place an IDS in front of AND behind a firewall
Network based IDS
attaches to a point in the network where it can report on all traffic
Logging
A passive response allowing administrators to evaluate the threat
Notification
A passive response relaying information to the IDS operator
Shunning
A passive response that ignores the threat
Terminating processes or sessions
an active response to a threat
IDS can connect to what devices
hub switch or tap
Network Configuration changes
active response of an IDS, closing ports or instructing a border router or firewall to close traffic
deception
active response of IDS, send to honeypot
active responses are the least/most implemented
least
HIDS
Host-based IDS
HIDS are typically active/passive
passive
HIDS monitor network traffic t/f
False
faillog
log in Unix that shows failed login attempts
lastlog
log in Unix that shows last successful logins
messages log
in Unix, searched with grep to find login-related entries
wtmp
log in Unix that shows authenticated users
packet sniffing is also known as
protocol analyzing
one of the best traffic analyzers is
snort
UTM
Unified Threat Management (appliance)
Smartscreen filter
phishing URL blocker in IE
Web application firewall
appliance that blocks traffic to and from webservers
WAFs operate at the _____ level of the OSI model
highest
WAFs are similar to
IPS
WAFs are superior/inferior to IPSs
Superior
FTP uses TCP/UDP
Only TCP
SSH and SCP use TCP/UDP
both
SMTP uses TCP/UDP
Only TCP
HTTP uses TCP/UDP
both
POP3 uses TCP/UDP
only TCP
NetBIOS uses TCP/UDP
both
IMAP uses TCP/UDP
both
HTTPS uses TCP/UDP
TCP only
DNS name queries use TCP/UDP
UDP only
Dial up uses
PPP