Chapter 4 Securing your network

Question 1

What is a HIDS, where are they found? and what do they do?

Answer 1

Host-based intrusion detection software, can be installed on any host i.e computer, server. It monitors network traffic and applications on that host passing through the NIC. It may detect traffic traditional anti-virus software misses.

Question 2

What is a NIDS? what does it do and how?

Answer 2

Network-intrusion detection system, installed on network devices (switches, routers, firewalls), uses sensors to gather information (sensor placement depends on what information you want). Monitors activity on the network (not individual devices).

Question 3

Signature vs heuristic based detection?

Answer 3

Signature = known attacks, detected by a signature created for each attack.
Heuristic = takes performance baseline, looks @ deviations

Question 4

Honeypot vs Honeynet vs Honeyfile what are they

Answer 4

Honeypot is a server that looks appealing, may have some protection, attracts attackers. Honeynet is a group of honeypots set up with VM. Honeyfile is an attractive looking file, i.e passwords.doc. In this way we can gain some intel on attackers, particularly useful for zero day attacks.

Question 5

What is telemetry and thus fake telemtry?

Answer 5

Collecting information (statistical data)/measurements and forwarding it to a centralized system. Fake = sending incorrect.

Question 6

How would you determine (through what process and tools) where wireless deadpoints might be?

Answer 6

Conducting wireless footprinting and doing a site survey using heatmaps to assess for low connectivity.

Question 7

Does a PSk provide authentication for a wireless network?

Answer 7

No, authentication proves a users credentials

Question 8

How does WPA2 authenticate people?

Answer 8

Using enterprise mode, a RADIUS server (a 802.1X) assesses a database of accounts with credentials

Question 9

What is an improvement / replacement to WPA2? How?

Answer 9

WPA3 - instead of a PSK uses SAE (Simultaneous authentication of equals), incorporating a better cryptographic protocol. Also supports enterprise. Using a RADIUS server.

Question 10

What is EAP? and the versions of it?

Answer 10

EAP is the extensible authentication protocol, a framework for general guidance on authentication methods. EAP, PEAP, EAP-FAST, EAP-TLS and TTLS.

Question 11

Briefly describes differences between EAP, PEAP, EAP-FAST, EAP-TLS, TTLS.

Answer 11

EAP - provides a method for two systems to authenticate using a Pairwise Master Key (PMK).

PEAP - is EAP with a encapsulating tunnel using TLS, certificate required on server (but not client)

EAP-TLS - Like PEAP, more secure, certificate on client and server

EAP-TTLS - like PEAP, more auth methods, cert on server not client.

EAP-FAST - more flexible authentication methods. Certs optional

Question 12

What is the usefulness of 802.1X IEEE

Answer 12

Unused ports still require authentication to be used. Prevents rogue devices from connecting.

Question 13

Which wireless AP protocols should be avoided?

Answer 13

WPA and WEP

Question 14

Describe -
Rogue access point
Evil Twin
Wireless dissociation

Answer 14

RAP - A ‘rogue’ installed AP
Evil twin - A RAP with a similar / same SSID
Wireless disassociation attacks, also known as deauthentication attacks, are wireless network attacks that target the 802.11 Wi-Fi protocol. The attack involves sending forged deauthentication frames to a wireless access point or client device, causing the device to disconnect from the network.

Question 15

Dissociation vs jamming attacks

Answer 15

Dissociation is when an attacker spoofs the MAC address, sending a termination frame to the AP to remove it from the network.
Jamming typically prevents all users from connecting - attackers transmit ‘noise’ or another signal on the same frequency to shut it down.

Question 16

What is an RFID and how does an attack work?

Answer 16

Radio-frequency identification system. Data transmitted via frequency signals. Can be sniffed/eavesdropped, Replayed, DoS by being on the same frequency and protocols.

Question 17

Bluejacking vs bluesnarfing

Answer 17

Jacking - unsolicited messages to nearby bluetooth devices. Relatively harmless.
Snarfing - Unauthorized access / hijacking / stealing information.

Question 18

How to avoid a wireless replay attack?

Answer 18

Using updated cryptographic protocols (WPA2 and WPA3, not WEP or WPA).

Question 19

What are two modes/transport that people may investigate for wireless networks? and what is this type of research called?

Answer 19

Wardriving and warflying, driving or flying looking for wireless networks, it is part of passive reconnaissance (without actively engaging).

Question 20

What is the pathing a VPN must take and the servers it addresses?

Answer 20

VPN will connect to the internet, then to a VPN server usually within a screened subnet, from here, it will go through the following firewall to the internal network using an internal remote authentication dial-in user service (RADIUS) which contains the database, then sends to the internal LDAP for authentication.

Question 21

How does IPSEC provide security? and what are the two forms of IpSec ?

Answer 21

Ipsec provides authentication (an authentication header, giving auth and integrity), and encryption (encapsulating security payload providing confidentiality). Tunnel mode encrypts entire IP packet including the payload (data to be transmitted) and packet headers, which VPNS commonly use. Transport mode only encrypts the payload but not things like IP, used in private networks.

Question 22

Two protocols commonly used for VPN Tunnels?

Answer 22

IpSec (Tunnelled mode) and TLS

Question 23

Split vs full tunnel VPN?

Answer 23

Split tunnel - the user’s usage may be split between work and everything else. It is decided what is work, what isn’t. Work is tunnelled. Traffic going to this IP address is tunnelled only.
Full tunnel - everything is encrypted etc.

Question 24

Two networks (seperated geographically) require tunnels, what setup do they need?

Answer 24

They need two VPN servers that coordinate a site-to-site VPN creating a tunnel between them.

Question 25

If users use remote computers, how can we control/assess their pc’s aren’t infected before using VPNs?

Answer 25

Network access control checks, may look at firewall enabled? (HIDS?), operating system up to date?, antivirus up to date? it is usually in the form of an NAC client.

Question 26

VPN supported authentication and authorization? and a very brief description?

Answer 26

Password Aauthentication Protocol (authenticate, cleartext passwords, dial up mostly), CHAP Challenge handshake authentication protocol (like PAP, more secure, hashed+combined with number), RADIUS (a server, VPN gives it to server, VPN server doesn’t require database, centralized, easier to maintain), TACACS+ (like radius, more secure, encrypts user AND password, uses TACACS+ server).