Chapter 4 Securing your network Flashcards

1
Q

What is a HIDS, where is it installed, and what does it do?

A

Host-based intrusion detection system: software installed on an individual host such as a workstation or server. It monitors the traffic passing through that host's NIC, plus the applications, processes and system files on the host. Because it sees activity at the host level it may detect malicious activity that traditional antivirus software misses.

2
Q

What is a NIDS? What does it do, and how?

A

Network-based intrusion detection system. It uses sensors (collectors) placed on network devices such as switches, routers and firewalls to gather traffic; where the sensors go depends on what you want to see, e.g. the screened subnet versus the internal network. The sensors report to a central NIDS console. It monitors activity on the network as a whole, not on individual hosts, so it cannot inspect encrypted payloads or see what happens inside a host.

3
Q

Signature-based vs heuristic-based detection?

A

Signature-based = detects known attacks; a signature (pattern) is written for each known attack and traffic is compared against the signature database, so it misses new attacks until a signature exists.
Heuristic / behavioural (anomaly-based) = takes a performance baseline during normal operation, then looks for deviations from that baseline; it can flag previously unseen attacks but produces more false positives.
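
As an added example (mine, not part of the flashcards), the two approaches run over a few constructed web-server log lines: the signature scanner matches known attack patterns, while the heuristic scanner learns a baseline of requests per minute and flags hosts that deviate from it. The log lines, hosts, signature names, baseline numbers and z-score threshold are all made up for the demonstration.

```python
import re
from statistics import mean, pstdev

# Constructed sample log lines (host, method, path, status); not from any real system.
# Line 3 carries a classic SQL-injection tautology, line 4 a path traversal, and
# line 5 the same SQLi URL-encoded so that the signature below will NOT match it.
SAMPLE_LOGS = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.6 GET /login.php?user=bob 200",
    "10.0.0.7 GET /products?id=1' OR '1'='1 500",
    "10.0.0.8 GET /../../etc/passwd 403",
    "10.0.0.9 GET /search?q=%27%20OR%20%271%27%3D%271 500",
]

# Signature-based detection: one hand-written pattern per known attack.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_scan(lines):
    """Return (line, signature_name) for every line that matches a known signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line, name))
    return hits


# Heuristic (anomaly-based) detection: learn what "normal" looks like, then flag
# deviations. "Normal" here is requests per minute from a host, sampled during a
# quiet period (constructed numbers).
NORMAL_REQUESTS_PER_MINUTE = [18, 22, 20, 19, 21, 20, 23, 17]


def baseline_stats(samples):
    """Performance baseline: mean and population standard deviation of the samples."""
    return mean(samples), pstdev(samples)


def anomaly_scan(observed, baseline, z_threshold=3.0):
    """Flag hosts whose current request rate lies more than z_threshold standard
    deviations from the baseline. Returns {host: z_score}."""
    mu, sigma = baseline
    flagged = {}
    for host, count in observed.items():
        if sigma == 0:
            z = 0.0 if count == mu else float("inf")
        else:
            z = (count - mu) / sigma
        if abs(z) > z_threshold:
            flagged[host] = round(z, 1)
    return flagged


# Current minute (constructed): 10.0.0.9 is hammering the server.
OBSERVED_THIS_MINUTE = {"10.0.0.5": 21, "10.0.0.6": 19, "10.0.0.9": 400}


if __name__ == "__main__":
    for line, name in signature_scan(SAMPLE_LOGS):
        print(f"signature  {name:15s} {line}")
    flagged = anomaly_scan(OBSERVED_THIS_MINUTE,
                           baseline_stats(NORMAL_REQUESTS_PER_MINUTE))
    for host, z in flagged.items():
        print(f"anomaly    host {host} at z={z}")
```

The URL-encoded injection from 10.0.0.9 slips past the signature scanner (it would need a second signature, or URL decoding before matching), while the baseline check catches that host on request volume alone but says nothing about what it is doing. That is exactly the trade-off on the card.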

4
Q

Honeypot vs honeynet vs honeyfile: what are they?

A

A honeypot is a server deliberately made to look appealing to attackers (it may have some weak protection) in order to divert them from production systems. A honeynet is a group of honeypots on a network, commonly built from VMs. A honeyfile is an attractive-looking file, e.g. passwords.doc, left where an attacker would find it; opening or copying it signals an intrusion. All three let defenders observe attacker tools and methods, which is particularly useful for learning about zero-day attacks.

5
Q

What is telemetry, and thus what is fake telemetry?

A

Telemetry is the collection of measurements and statistical data from systems, forwarded to a centralized system for analysis. Fake telemetry is a deception technique: deliberately sending incorrect data (for example, fabricated responses to an attacker's scans) so the attacker draws wrong conclusions about the network.

6
Q

How would you determine (through what process and tools) where wireless dead spots might be?

A

By conducting wireless footprinting: a site survey that measures signal strength at many points and plots the results as a heat map, revealing areas of low connectivity (dead spots) and where APs or antennas need to be adjusted.

7
Q

Does a PSK provide authentication for a wireless network?

A

No. A pre-shared key is the same for everyone on the network, so it only proves that a device knows the key; it cannot identify an individual user. Authentication proves a user's identity with credentials unique to that user.

8
Q

How does WPA2 authenticate users?

A

Using Enterprise mode: the AP forwards the user's credentials over 802.1X to a RADIUS server, which checks them against a database of accounts (for example, Active Directory or an LDAP directory).

9
Q

What is an improvement / replacement for WPA2? How?

A

WPA3. In Personal mode it replaces the PSK with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange (Dragonfly) that gives forward secrecy and stops an eavesdropper from guessing the passphrase offline from captured traffic. It also supports Enterprise mode, using 802.1X and a RADIUS server.
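
Added example (mine, not from the flashcards) of why a PSK identifies a network but not a user, and what WPA3's SAE fixes. WPA2-Personal derives its Pairwise Master Key from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), so every device given the same passphrase ends up with the same key, and anyone who captured the handshake can test passphrase guesses offline. The SSID, passphrases and client names are constructed; the known-answer check uses the published 802.11 test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
from typing import Optional

PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def verify_known_vector() -> bool:
    """Known-answer test from the 802.11 standard's passphrase-to-PSK examples."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return wpa2_pmk("password", "IEEE") == expected


def pmk_per_client(ssid: str, clients: dict) -> dict:
    """Derive the PMK each client ends up with. `clients` maps a client name to the
    passphrase it was given (constructed data)."""
    return {name: wpa2_pmk(pw, ssid) for name, pw in clients.items()}


def distinct_identities(pmks: dict) -> int:
    """How many different PMKs the AP can tell apart, i.e. how many 'identities'
    a PSK network really has. With one shared passphrase the answer is always 1."""
    return len(set(pmks.values()))


def offline_guess(ssid: str, target_pmk: bytes, wordlist) -> Optional[str]:
    """With WPA2-PSK, anyone who captured the four-way handshake can check passphrase
    guesses offline against the PMK with no further contact with the AP. SAE (WPA3)
    removes this: its exchange does not let an eavesdropper verify guesses offline."""
    for candidate in wordlist:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


if __name__ == "__main__":
    ssid = "CorpWiFi"  # constructed
    clients = {"alice-laptop": "Summer2024!", "bob-phone": "Summer2024!",
               "guest-tablet": "Summer2024!"}
    pmks = pmk_per_client(ssid, clients)
    print("known-answer test passed:", verify_known_vector())
    print("clients:", len(clients), "distinct PMKs:", distinct_identities(pmks))
    print("offline guess recovered:",
          offline_guess(ssid, pmks["alice-laptop"], ["password", "Summer2024!", "letmein"]))
```

Three clients, one PMK: the AP has no way to tell Alice from Bob, which is the point of the PSK card. The offline guess succeeds because the PMK depends only on the passphrase and the (broadcast) SSID; that dependency is what SAE's exchange breaks.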

10
Q

What is EAP, and what are the versions of it?

A

EAP is the Extensible Authentication Protocol, a framework (not a single method) that defines how authentication methods are carried between a client and an authenticator. Common variants: PEAP, EAP-FAST, EAP-TLS and EAP-TTLS.

11
Q

Briefly describe the differences between EAP, PEAP, EAP-FAST, EAP-TLS and EAP-TTLS.

A

EAP - the base framework; it lets two systems authenticate and derive a Pairwise Master Key (PMK) from which the session encryption keys are generated.

PEAP - Protected EAP: wraps the EAP exchange in a TLS tunnel. A certificate is required on the server but not on the client.

EAP-TLS - like PEAP but with mutual certificate authentication: certificates on both client and server. The most secure, but the hardest to deploy because every client needs a certificate.

EAP-TTLS - Tunneled TLS: like PEAP, a TLS tunnel with a certificate on the server only, but it can carry older authentication methods (such as PAP) inside the tunnel.

EAP-FAST - Flexible Authentication via Secure Tunneling (Cisco-designed): can use a Protected Access Credential (PAC) instead of certificates, so certificates are optional.

12
Q

What is the usefulness of IEEE 802.1X?

A

Port-based network access control: a device plugged into a switch port (or associating with an AP) cannot pass traffic until it authenticates, so unused ports are not an open door. This prevents rogue devices from connecting.

13
Q

Which wireless AP security protocols should be avoided?

A

WEP and WPA (including WPA-TKIP); both have known cryptographic weaknesses. Use WPA2 or WPA3.

14
Q

Describe -
Rogue access point
Evil twin
Wireless disassociation

A

Rogue AP - an access point installed without authorization, which can give an attacker a path into the network.
Evil twin - a rogue AP configured with the same or a similar SSID as a legitimate AP, so that users connect to it and the attacker can capture their traffic.
Wireless disassociation - also known as a deauthentication attack; it targets the 802.11 Wi-Fi protocol by sending forged deauthentication or disassociation frames to an access point or client, causing the client to disconnect. Attackers typically use it to push clients onto an evil twin or to capture the reconnection handshake. Protected Management Frames (802.11w, mandatory in WPA3) authenticate these frames and block the attack.

15
Q

Disassociation vs jamming attacks?

A

Disassociation - the attacker spoofs the MAC address of a client (or of the AP) and sends a deauthentication/disassociation frame so the AP drops that client from the network. It is targeted, cheap and leaves other clients connected.
Jamming - typically prevents all users from connecting: the attacker transmits noise or another signal on the same frequency to overwhelm the AP. Countermeasures are to increase the AP's transmit power or change its channel, and to use a spectrum analyzer to locate the source.
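
The disassociation attack on the two cards above is easiest to recognise in a capture. As an added example (mine, not from the flashcards), this parses the fixed 24-byte header of 802.11 management frames to pick out deauthentication (subtype 0xC) and disassociation (subtype 0xA) frames and flags any source that sends them in bulk. The frames are constructed in memory as test input with made-up MAC addresses, not captured or transmitted traffic, and the flood threshold of 10 is an assumption.

```python
import struct
from collections import Counter

MGMT = 0          # frame type 0 = management
DISASSOC = 0xA    # management subtype 10
DEAUTH = 0xC      # management subtype 12
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the 802.11 MAC header plus the reason code of a deauth/disassoc frame.
    Frame Control is little-endian; its first byte holds the protocol version
    (bits 0-1), frame type (bits 2-3) and subtype (bits 4-7)."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc0 = frame[0]
    info = {
        "version": fc0 & 0x3,
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(frame[4:10]),     # Address 1: receiver
        "src": mac_str(frame[10:16]),    # Address 2: transmitter
        "bssid": mac_str(frame[16:22]),  # Address 3: BSSID
        "reason": None,
    }
    if info["type"] == MGMT and info["subtype"] in (DEAUTH, DISASSOC):
        if len(frame) < 26:
            raise ValueError("deauth/disassoc frame is missing its reason code")
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def make_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                    reason: int, seq: int = 0) -> bytes:
    """Build a management frame as test input for the detector (constructed data,
    never transmitted): Frame Control, Duration, Addr1-3, Sequence Control, Reason."""
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    duration = b"\x3a\x01"
    seq_ctrl = struct.pack("<H", seq << 4)   # sequence number in the top 12 bits
    return frame_control + duration + dst + src + bssid + seq_ctrl + struct.pack("<H", reason)


def detect_deauth_flood(frames, threshold: int = 10) -> dict:
    """Count deauth/disassoc frames per (src, bssid, subtype) and return the
    combinations at or above `threshold`. A client leaving normally sends one
    such frame; dozens from one address in a short window is a flood."""
    counts = Counter()
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f["type"] == MGMT and f["subtype"] in (DEAUTH, DISASSOC):
            counts[(f["src"], f["bssid"], f["subtype"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed capture: one legitimate deauth (a client leaving, reason code 3)
# followed by a burst of 30 broadcast deauths spoofing the AP's address (reason 7).
AP = bytes.fromhex("0011223344aa")
CLIENT = bytes.fromhex("66778899bbcc")
SAMPLE_CAPTURE = [make_mgmt_frame(DEAUTH, AP, CLIENT, AP, reason=3)]
SAMPLE_CAPTURE += [make_mgmt_frame(DEAUTH, BROADCAST, AP, AP, reason=7, seq=i)
                   for i in range(30)]


if __name__ == "__main__":
    for (src, bssid, subtype), n in detect_deauth_flood(SAMPLE_CAPTURE).items():
        kind = "deauth" if subtype == DEAUTH else "disassoc"
        print(f"{n} {kind} frames from {src} (BSSID {bssid}) -> possible deauth flood")
```

The spoofed pattern (source address equal to the BSSID, destination ff:ff:ff:ff:ff:ff, repeated many times a second) is the usual fingerprint of a deauth tool. Detection only tells you it is happening; enabling 802.11w Protected Management Frames makes the receiver drop forged frames, which is the actual fix.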

16
Q

What is RFID, and how does an attack on it work?

A

Radio-frequency identification: a reader and tags exchange data over radio signals. Because the signal is broadcast, it can be sniffed or eavesdropped on, the captured exchange can be replayed (or the tag cloned), and a transmitter on the same frequency and protocol can jam it for a DoS.

17
Q

Bluejacking vs bluesnarfing?

A

Bluejacking - sending unsolicited messages to nearby Bluetooth devices. Relatively harmless.
Bluesnarfing - unauthorized access to a Bluetooth device to steal information such as contacts and messages.

18
Q

How do you avoid a wireless replay attack?

A

By using current cryptographic protocols, WPA2 or WPA3, which include replay counters and fresh nonces in the handshake, rather than WEP or WPA.

19
Q

What are two ways people travel about to investigate wireless networks, and what is this type of research called?

A

Wardriving and warflying: driving (or flying, e.g. with a drone) around while scanning for wireless networks. It is a form of passive reconnaissance, since the attacker only listens and does not actively engage the networks.

20
Q

What path does a VPN connection take, and which servers does it touch?

A

The remote client connects over the Internet to a VPN server (concentrator), usually placed in a screened subnet. From there the connection passes through the internal firewall to the internal network, where a Remote Authentication Dial-In User Service (RADIUS) server receives the credentials and checks them against a directory such as LDAP/Active Directory before access is granted.

21
Q

How does IPsec provide security, and what are the two modes of IPsec?

A

IPsec provides authentication and integrity with the Authentication Header (AH), and confidentiality (plus integrity) with the Encapsulating Security Payload (ESP). Tunnel mode encrypts the entire original IP packet, both headers and payload, and wraps it in a new IP header; VPNs commonly use this. Transport mode encrypts only the payload and leaves the original IP header in the clear; it is used between hosts inside a private network.

22
Q

Which two protocols are commonly used for VPN tunnels?

A

IPsec (tunnel mode) and TLS.

23
Q

Split tunnel vs full tunnel VPN?

A

Split tunnel - only traffic destined for the work network (the addresses the administrator designates) goes through the encrypted tunnel; everything else, such as general web browsing, goes directly to the Internet. This reduces load on the VPN, but that traffic bypasses the organization's security controls.
Full tunnel - all of the client's traffic is encrypted and sent through the VPN, so it is subject to the organization's filtering and monitoring.

24
Q

Two geographically separated networks require a tunnel between them; what setup do they need?

A

A site-to-site VPN: a VPN server (gateway) at each site, and the two coordinate to create a standing tunnel between them, so individual hosts do not need VPN clients.

25
Q

If users work from remote computers, how can we check that their PCs are not infected before they use the VPN?

A

Network access control (NAC) performs health checks before granting access: is the host firewall enabled (and a HIDS running, if required), is the operating system up to date, is antivirus installed and current? It is usually implemented with a NAC client (agent) on the machine; hosts that fail are denied or placed on a quarantine network for remediation.

26
Q

Which authentication and authorization methods do VPNs support, with a very brief description of each?

A

Password Authentication Protocol (PAP): sends the password in cleartext, mostly used with old dial-up links. Challenge Handshake Authentication Protocol (CHAP): like PAP but more secure; the server sends a random challenge and the client replies with a hash of the password combined with that challenge, so the password itself never crosses the wire. RADIUS: a central authentication server; the VPN server forwards the credentials to it, so the VPN server needs no local account database, which makes it easier to maintain. TACACS+: like RADIUS but more secure; it encrypts the entire body of the packet (RADIUS hides only the password, leaving the username in the clear), separates authentication, authorization and accounting, and uses a TACACS+ server.
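
Added example (mine, not from the flashcards) showing the wire-level difference between the password-carrying methods on this card: PAP puts the password on the wire verbatim; CHAP (RFC 1994) answers a server challenge with MD5(identifier || secret || challenge), so a captured response is useless against a fresh challenge; RADIUS (RFC 2865) hides only the User-Password attribute, XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator, while the username travels in the clear. The usernames, passwords and shared secrets are constructed.

```python
import hashlib
import hmac
import os


# --- PAP: credentials cross the wire as plaintext ------------------------------
def pap_request(username: str, password: str) -> bytes:
    """What a PAP Authenticate-Request carries: the password, verbatim."""
    return username.encode() + b":" + password.encode()


def pap_verify(request: bytes, accounts: dict) -> bool:
    user, _, password = request.partition(b":")
    return accounts.get(user.decode()) == password.decode()


# --- CHAP: challenge/response, the password never leaves the client -------------
def chap_challenge(length: int = 16) -> bytes:
    """The authenticator picks a fresh random challenge for every attempt."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_replay_demo(secret: bytes) -> tuple:
    """Returns (fresh_ok, replay_ok): a correct response to challenge 1 is accepted;
    the same response replayed against challenge 2 is rejected."""
    c1, c2 = chap_challenge(), chap_challenge()
    resp = chap_response(1, secret, c1)
    return chap_verify(1, secret, c1, resp), chap_verify(2, secret, c2, resp)


# --- RADIUS: only the User-Password attribute is hidden -------------------------
def radius_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then c1 = p1 XOR MD5(S||RA) and
    c_i = p_i XOR MD5(S||c_{i-1}). Reversible by anyone holding the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def radius_unhide_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (the RADIUS server side). Trailing NUL padding
    is stripped, so this assumes the password itself does not end in NUL bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", "hunter2"))          # constructed creds
    print("CHAP (fresh accepted, replay accepted):", chap_replay_demo(b"hunter2"))
    ra = os.urandom(16)                                                  # Request Authenticator
    hidden = radius_hide_password(b"hunter2", b"radius-shared-secret", ra)
    print("RADIUS User-Password attribute:", hidden.hex(), "(username 'alice' still visible)")
```

CHAP's strength is entirely in the freshness of the challenge; the MD5 hash is not what protects the password, and an attacker who captures a challenge/response pair can still guess passwords offline. The RADIUS hiding is an obfuscation keyed on the shared secret, not authenticated encryption, which is why the card rates TACACS+ (whole-body encryption) as more secure.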
