Chapter 3 Exploring network technologies and tools Flashcards

1
Q

What does the Data Link Layer do, what layer of the OSI (Open Systems Interconnection) model is it, and how might attacks focus on it?

A

Ensuring data is sent to specific devices by adding a header to it, including the source and destination MAC addresses. Attacks can disrupt it by faking a MAC address or ARP.

2
Q

How does TCP work, what are the steps, and what makes it special?

A

Three-way handshake: the client sends a SYN, receives a SYN/ACK and sends back an ACK. It guarantees delivery.

3
Q

What about UDP? What are its steps, and what makes it special?

A

Connectionless, no three-way handshake; it finds the best route.

4
Q

At what stage of the process is ARP used?

A

Once the packet reaches the correct subnet, ARP converts the IP address into the MAC address of the appropriate device/host.

5
Q

What protocols are used for voice (and which protocol starts, maintains and terminates the session)?

A

SRTP, SIP (Session Initiation Protocol)

6
Q

What protocols would be used for encrypting data in transit (file transfer), and which is the one protocol we don't use anymore?

A

FTP, SSH, TLS, IPsec, SFTP (SSH + FTP), FTPS (TLS + FTP). Not in use anymore: SSL (replaced by TLS).

7
Q

List the protocols used for emails and their ports as well as a small description of what they do.

A

SMTP (Simple Mail Transfer Protocol): TCP port 587 for encrypted email. Between clients and SMTP servers.

POP3 (Post Office Protocol v3): TCP port 995. Between servers and clients.

IMAP4: used for storing emails on an email server. TCP port 993.

HTTPS: for encrypting web traffic; could be used if emails are sent from web servers to other web servers. Port 443.

8
Q

What protocol queries directories? Give an example and the port number as well.

A

Lightweight Directory Access Protocol (LDAP). TCP port 389. Example: Microsoft Active Directory. LDAP encrypted with TLS is LDAPS.

9
Q

Port 3389

A

Remote Desktop Protocol

10
Q

What open-source suite of tools is used by many companies, and what are some of its uses?

A

OpenSSH. It may be used to establish an SSH connection to remote servers, or to create a public/private key pair (ssh-keygen -t rsa) and copy the public key to the remote server, after which you can connect without a password.

11
Q

SNTP/NTP use case?

A

May be used for things like Kerberos that require time to be synchronized and accurate.

12
Q

What does DHCP do?

A

Dynamic Host Communication Protocol, used by routers and networks; it assigns the IP address, subnet mask, DNS servers, etc. to hosts.

13
Q

How does a DHCP server work? Four steps.

A
  1. The DHCP host asks a DHCP server for a lease.
  2. The server answers, offers a lease and gives an IP address, etc.
  3. The DHCP client responds by requesting this lease.
  4. The DHCP server ACKs the lease, provides

14
Q

How is DNS poisoning prevented?

A

Through the use of DNSSEC, which uses a digital signature to provide validation for DNS responses.

15
Q

What is the difference between unicast and broadcast traffic, and how do switches and routers differ?

A

Unicast directs traffic to a particular IP address; other hosts will not process/receive it. Broadcast is when traffic is sent from one device to all devices on the subnet. Switches can pass broadcast traffic between ports; routers do not.

16
Q

How does a switch work initially, and why are switches good from a security standpoint?

A

Switches send out a broadcast, learning the MAC address of each device on each port and updating a table with it. After this, switches relay information between ports: unicast traffic between port 3 and port 4 will not be affected if a malicious analyzer is installed on port 1. This also increases efficiency.

17
Q

In security, what do ports present? Issues? Benefits?

A

Unused ports can present challenges if someone connects. Ports can be filtered based on MAC address to only accept connections from specific devices, and the number of connections per port can be limited.

18
Q

How do you prevent switch loops? Broadcast storms and loop prevention.

A

Using protocols called STP (Spanning Tree Protocol) and Rapid STP.

19
Q

When preventing loops in a switch, how does it work?

A

STP sends out Bridge Protocol Data Unit (BPDU) messages which detect loops. It then shuts down or blocks traffic from switch ports sending redundant traffic.

20
Q

Physical vs logical ports?

A

Physical: you can plug a cable into it. A logical port is a port number within a packet; it identifies services or protocols.

21
Q

Describe implicit deny and the context in which it is used.

A

Implicit deny means that traffic not specified on an access control list is denied. This is used within firewalls and routers.

22
Q

When do you use the route command?

A

Any situation in which you require a display or modification of a system's routing table; it will show all the paths known by the computer to other networks.

23
Q

Host-based vs network-based firewalls?

A

Host-based: for hosts, servers or workstations. Network-based: often dedicated servers that provide protection for the entire network.

24
Q

Stateless vs stateful differences?

A

Stateless: does not care about state, works on ACLs. Stateful: examines traffic context (is it part of an established session, was there a three-way handshake?) and really looks at the details of the packets.

25
Q

Where would a WAF be placed, and what does it do?

A

Between a web server and the web clients. Provides strong protection for the web server.

26
Q

What does a DMZ/screened subnet do, and where is it positioned?

A

It is a buffer zone between a private network and the internet, positioned between two firewalls (Internet - Firewall 1 - Screened subnet - Firewall 2 - Database servers & private IPs).

27
Q

What kind of system needs to be physically separated and what is this called?

A

SCADA systems (Supervisory Control and Data Acquisition, i.e. industrial control systems). An air gap provides this physical isolation.

28
Q

Instead of isolating computers based on subnets, how would it be done for logical needs, i.e. departments?

A

Using a switch to create a VLAN; heavy, traffic-demanding things can also have their own VLAN, e.g. VoIP.

29
Q

East-west vs north-south?

A

East-west describes traffic between servers. North-south is traffic between servers and a host.

30
Q

Devices aren't trusted on this network by default, even if they have used it before. What is it, and why?

A

A zero trust network. In case a computer is infected between logins. It may require MFA.

31
Q

Benefits of a proxy server?

A

Makes requests on behalf of clients, caches content (thus increasing performance), filters content.

32
Q

Transparent vs non-transparent proxy?

A

Transparent will not modify requests, but will cache. Non-transparent will modify, filter and cache.

33
Q

What is the configuration (set-up) of a reverse proxy and what is it used for?

A

Internet - Firewall 1 - Reverse proxy - Firewall 2 - Web server, with traffic flowing right to left. Benefit: protects the web server. Similarly, it caches web pages and benefits performance.

34
Q

Describe the roles of a UTM

A

Unified threat manager: provides URL filtering, malware inspection, content inspection (block spam, malicious content or specific things, VoIP), DDoS mitigation.

35
Q

How might you increase security for specific resources in another network with different security needs? (Clue: adding one thing.)

A

A hardened jump server. From the internal network, connect to the jump server, then access the other network (maybe a screened subnet) and work on that server.

36
Q

What is SNMPv3 for?

A

Monitoring and managing network devices (routers, switches), modifying their configuration or receiving report statuses.

37
Q

Summarize:
Prevent switching loops?
Prevent BPDU attacks?
Prevent unauthorized users connecting to unused ports?
Increase segmentation of user computers on a network?

A
  1. Implement STP/RSTP (Rapid Spanning Tree Protocol).
  2. Bridge Protocol Data Unit (BPDU) guard will prevent attacks.
  3. MAC filtering, disabling unused ports.
  4. Layer 3 switches support VLANs, increasing segmentation.

38
Q

Switch vs a router?

A

A switch connects hosts together; a router connects networks together.

39
Q

How does a switch work when it first starts, i.e. doesn't know its ports/hosts?

A

It sends the packet it receives to all hosts on the switch. They respond with their MAC address, which it caches. The right MAC address gets priority, and future communications occur only on that port from then on.
