Chapter 4 - Securing Your Network Flashcards

1
Q

HIDS

A

Host-based Intrusion Detection System. Monitors activity on a single host such as a server or workstation (that host's own network traffic and, in most products, its logs, files and processes) and can sometimes detect malicious activity that antivirus software misses. It only sees its own host, so it must be deployed per system and can itself be tampered with by an attacker who gains control of the host.

2
Q

NIDS

A

Network-based Intrusion Detection System. Monitors network traffic, typically at the perimeter and on key internal segments. An admin installs NIDS sensors or collectors on network devices such as switches, routers or firewalls; they gather traffic and report to a central monitoring appliance hosting the NIDS console.

*Cannot detect anomalies on individual servers or workstations unless the anomalies cause a noticeable change in network traffic, and cannot inspect the contents of encrypted traffic without a decryption point in front of it.

3
Q

Port mirror

A

Also called port spanning (a SPAN port). Allows an admin to configure a switch to copy the traffic it receives on other ports to a single monitoring port, which then acts as a tap feeding a sensor or collector that forwards the data to the NIDS console. Caveat: a mirror port is oversubscribed as soon as the mirrored ports carry more than it can send, and the switch silently drops the excess copies, so a passive network tap is preferred where complete capture matters.

4
Q

Signature-based IDS

A

Monitors traffic against a database of known vulnerabilities or attack patterns (signatures), e.g. the pattern of a SYN flood attack. Accurate for what it knows, but it cannot detect an attack for which it has no signature, so the signature database must be kept current.

5
Q

Heuristic/Behavioral Detection

A

Also called anomaly-based. Starts by establishing a baseline of the network's regular operation or normal behavior (a performance baseline measured under normal operating conditions).

It then continuously monitors traffic, compares current network behavior against the baseline and alerts on a potential attack when it detects abnormal activity. Because it does not depend on known signatures it can catch novel attacks, at the cost of more false positives, and the baseline must be refreshed as the network changes or legitimate growth starts to look like an attack.

6
Q

SYN Flood Attack

A

DoS attack in which the attacker sends many SYN packets (often from spoofed source addresses) but never completes the third step of the three-way handshake with the final ACK.

Each half-open connection consumes resources on the server (a slot in its connection backlog), and enough of them can crash the server.

Many servers reserve a fixed number of resources for pending connections; once the attack consumes them the system refuses additional connections, legitimate ones included. SYN cookies and firewall SYN flood guards mitigate this by not committing server state until the handshake completes.
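The three cards above (signature-based detection, behavioral detection and the SYN flood) are easier to compare with a working toy IDS. The example below is added here and is not part of the flashcards: it runs a signature rule (many SYNs from one source with no completed handshake) and an anomaly rule (packet rate far above a learned baseline) over a constructed packet capture; the addresses, the baseline numbers and the traffic are all made up for the demonstration.

```python
"""Added example (not from the flashcards): a toy IDS that applies a
signature rule (SYN flood pattern) and an anomaly rule (deviation from a
traffic baseline) to constructed packet records."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Pkt:
    t: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags seen: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


# Constructed baseline: packets per second observed during five quiet seconds.
NORMAL_PPS = [10, 11, 9, 12, 10]


def constructed_traffic():
    """Five 1-second windows of normal traffic (five clients, each completing
    the handshake with a final ACK) plus 200 SYNs from one source during
    second 3 that are never followed by an ACK. All addresses are constructed."""
    pkts = []
    for sec in range(5):
        for c in range(1, 6):
            t = sec + c * 0.1
            pkts.append(Pkt(t, f"10.0.0.{c}", "10.0.0.80", 443, "S"))
            pkts.append(Pkt(t + 0.01, f"10.0.0.{c}", "10.0.0.80", 443, "A"))
    for n in range(200):
        pkts.append(Pkt(3.0 + n * 0.004, "203.0.113.9", "10.0.0.80", 443, "S"))
    return pkts


def half_open_counts(pkts):
    """Signature rule: per source, SYNs sent minus handshakes completed (a final
    ACK from the same source). Legitimate clients net out to about zero."""
    syn, ack = Counter(), Counter()
    for p in pkts:
        if p.flags == "S":
            syn[p.src] += 1
        elif p.flags == "A":
            ack[p.src] += 1
    return {s: max(0, syn[s] - ack[s]) for s in syn}


def syn_flood_sources(pkts, threshold=50):
    """Sources matching the SYN flood signature: at least `threshold`
    half-open connections left behind."""
    return sorted(s for s, n in half_open_counts(pkts).items() if n >= threshold)


def baseline(samples):
    """Behavioral detection step 1: learn what normal looks like."""
    return mean(samples), pstdev(samples)


def anomalous_windows(pkts, base, window=1.0, k=3.0):
    """Behavioral detection step 2: flag every window whose packet count is more
    than k standard deviations above the baseline mean, whatever the cause."""
    mu, sigma = base
    per_window = Counter(int(p.t // window) for p in pkts)
    return [w for w, n in sorted(per_window.items()) if n > mu + k * sigma]


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("signature hits:", syn_flood_sources(traffic))
    print("anomalous seconds:", anomalous_windows(traffic, baseline(NORMAL_PPS)))
```

The signature rule names the attack and the attacker, but only because the SYN-without-ACK pattern was written into it; the anomaly rule flags second 3 without knowing what a SYN flood is and would equally flag a legitimate traffic burst, which is the false-positive trade-off the cards describe.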

7
Q

Honeypot

A

A server deliberately made to look attractive to an attacker. It is left open or appears to have been locked down sloppily, so an attacker gets relatively easy access. The intent is for it to look like an easy target so the attacker spends time in the honeypot instead of in the live network. In short, it diverts the attacker away from the live network, and because no legitimate user has a reason to touch it, any activity on it is a high-fidelity alert.

Helps (1) deceive attackers and (2) allow observation of an attacker's tools and techniques.

8
Q

IDS/IPS

A

Intrusion Detection System / Intrusion Prevention System.

Both need their detection thresholds tuned carefully: too sensitive produces false positives, too lax produces false negatives.

IPS = inline with traffic (traffic passes through it), so it can block an attack before it reaches the target. PREVENTATIVE CONTROL. Because it is inline, an IPS failure or a false positive can itself block legitimate traffic.

IDS = out of band (sees a copy of the traffic, e.g. from a port mirror) and can only alert, or trigger a response after the fact.
Both have protocol analyzer abilities. An IPS can detect, react to and prevent attacks.

IPS and IDS can both detect a SYN flood attack, and an IPS can prevent it. Firewalls also often include a SYN flood guard that detects the attack and takes steps to close the half-open sessions.

9
Q

Honeynet

A

A group of honeypots within a separate network or zone that is still reachable from an organization's primary network.

Often created by admins using multiple virtual servers on a single physical host. A server hosting 6 additional virtual servers appears as 7 systems on a subnet, and an attacker cannot easily determine whether the servers are physical or virtual.

Deceive and disrupt!

10
Q

Honeyfile

A

A file designed to attract the attention of an attacker, such as "passwords.txt", to deceive attackers. Access to it should be logged and alerted on: no legitimate user has a reason to open it, so any read is a strong indicator of compromise.

11
Q

Fake telemetry

A

Telemetry refers to collecting information such as statistical data and measurements and forwarding it to a centralized system for processing; used in water management, oil and gas drilling systems, etc.

FAKE TELEMETRY corrupts the data sent to monitoring systems and can disrupt the system being monitored. EX: natural gas delivery. As usage rises, pressure drops, and the delivery system automatically raises pressure to ensure customers receive a steady stream of gas. If the pressure readings are falsified, the system reacts to conditions that do not exist, which can be dangerous.

12
Q

WLAN

A

Wireless Local Area Network.

-WAP: Wireless Access Point. Connects wireless clients to a wired network. Many now have routing capabilities, and vendors market WAPs with routing capabilities as wireless routers, but there is a distinction:

  1. All wireless routers are APs. They are APs with an extra capability: routing.
  2. Not all APs are wireless routers. Many APs have no additional capabilities; they provide connectivity for wireless clients to a wired network but do not route.
13
Q

SSID

A

Service set identifier. Simply the wireless network name. Disabling SSID broadcast hides it from casual users but not from a sniffer, since the SSID still appears in probe and association frames, so it is not a security control.

14
Q

MAC filtering

A

Media Access Control filtering restricts network access to specific clients by their hardware (MAC) addresses. On switches it is implemented as port security; routers and wireless APs offer it too.

However, MAC addresses travel in cleartext in frame headers even on an encrypted wireless network, so an attacker can use a sniffer to discover allowed MAC addresses and circumvent the filter (see MAC cloning). Treat it as a convenience, not as authentication.

15
Q

MAC Cloning

A

Changing the MAC address of a PC or device, either to the same MAC as the WAN port of an internet-facing router, or to that of an authorized system in order to bypass MAC filtering. Most operating systems and wireless cards allow the address to be changed in software, which is why MAC filtering is weak.

16
Q

Wifi analyzer

A

A site-survey tool that identifies activity on channels within the wireless spectrum, analyzing the 2.4 GHz and 5 GHz frequency ranges, used to find congestion, interference and unknown (possibly rogue) APs.

17
Q

Heat map

A

Another site-survey tool. Gives a color-coded map of wireless signal strength, e.g. red where signals are strongest, blue where they are weakest, and shows dead spots and where the signal leaks beyond the building.

18
Q

Footprinting

A

Wireless footprinting creates a detailed diagram of APs and hotspots within an organization.

19
Q

WPA2

A

Wi-Fi Protected Access 2 replaced the earlier, weaker protocols WEP (Wired Equivalent Privacy) and WPA (which relied on TKIP and RC4), and uses AES (Advanced Encryption Standard) with CCMP (Counter-mode/CBC-MAC Protocol) for both confidentiality and integrity.

20
Q

PSK vs Enterprise

A

WPA2 can operate in open, PSK (pre-shared key) or Enterprise mode. Open mode uses no security.

PSK mode has users join the wireless network anonymously with a pre-shared key or passphrase. Everyone shares the same key, so it provides no per-user authentication, and anyone who has the key (or captured and cracked it) can decrypt other users' traffic.

Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network. It uses an 802.1X server, usually implemented as a RADIUS server, which checks a database of accounts. If users don't have proper credentials, Enterprise mode blocks their access.

The 802.1X server can also provide certificate-based authentication to increase the security of the authentication process.

21
Q

RADIUS server

A

Remote Authentication Dial-In User Service server: an authentication server commonly used in networking, particularly in enterprise Wi-Fi environments. Like a guard in front of a building checking IDs.

When you select Enterprise mode on an AP, you need to provide 3 pieces of info:
-RADIUS server IP address
-RADIUS authentication port. Default is UDP 1812 (1813 for accounting). Must match the port the server is using.
-Shared secret. Similar to a password, but shared between the AP and the RADIUS server and unrelated to any user's password. It should be long and random, since it is the only thing protecting the RADIUS exchange.

22
Q

WPA3 and SAE

A

WPA3 is the newest wireless security protocol and uses Simultaneous Authentication of Equals (SAE) instead of the PSK handshake used with WPA2. SAE is a password-authenticated key exchange based on the Dragonfly algorithm: the passphrase is still shared, but capturing the exchange no longer lets an attacker crack the passphrase offline, because every guess requires a live exchange with the AP that can be rate limited.

23
Q

Wireless Authentication Protocols

A

Many are built on the Extensible Authentication Protocol (EAP), an authentication framework that provides general guidance for authentication methods rather than a single method.

-EAP: provides a method for two systems to establish a shared secure key, the Pairwise Master Key (PMK), from which the session keys are derived.

-PEAP: Protected EAP adds an extra layer of security by encapsulating the EAP conversation in an encrypted TLS tunnel. Requires a certificate on the server but not on the client.

-EAP-FAST: Cisco's secure replacement for Lightweight EAP (LEAP); certificates are optional.

-EAP-TLS: one of the most secure EAP methods. Differs from PEAP in that it requires certificates on both the 802.1X server and the clients, giving mutual certificate-based authentication.

-EAP-TTLS: EAP Tunneled TLS, similar to PEAP, lets systems use older inner authentication methods such as PAP (Password Authentication Protocol) inside the TLS tunnel. Requires a certificate on the 802.1X server but not on the clients.

-RADIUS Federation: often used for SSO. Two or more entities share the same identity management system, so a user logs on once and can access the other entity's shared resources without logging on again. You can similarly create a federation with 802.1X and RADIUS servers (eduroam is the best-known example).

NOTE:
-EAP-FAST supports digital certificates, but they are optional.
-PEAP and EAP-TTLS require a certificate on the server but not on the clients. Clients must still be configured to validate the server's certificate, otherwise an evil twin can present its own certificate and harvest credentials.
-EAP-TLS requires certificates on both the server and the clients.

*A CA must issue the certificates, so an organization must either purchase them from a public CA or implement a private CA within the network.

24
Q

IEEE 802.1X

A

A port-based authentication protocol that requires users or devices to authenticate when they connect to a specific wireless access point or specific physical port.

25
Q

Captive portal

A

A technical solution that forces clients using web browsers to complete a specific process, often agreeing to terms of use or paying, before it allows them onto the network.
-Used for free or paid internet access as an alternative to IEEE 802.1X. It controls access, not confidentiality: traffic on an open captive-portal network is still unencrypted.

26
Q

Disassociation attack

A

Effectively removes a wireless client from the network by sending a disassociation (or deauthentication) frame to the AP with the victim's MAC address spoofed as the source; the AP tears down the association and frees all its state for that connection. Attackers use this to force clients to reconnect (capturing the handshake) or onto an evil twin. Protected Management Frames (802.11w, mandatory in WPA3) authenticate these frames and block the attack.

27
Q

WPS

A

Wi-Fi Protected Setup allows users to configure wireless devices without typing in the passphrase, using an 8-digit PIN or by pressing buttons on the AP and on the wireless device.

The PIN is susceptible to brute force attacks (the AP validates its two halves separately, which cuts the search to roughly 11,000 guesses). Security experts recommend disabling WPS on all devices.

28
Q

Rogue AP

A

A Rogue Access Point is an AP placed on a network without official authorization, whether by an employee bypassing security or planted by an attacker.

As part of "shadow IT", this AP will not be adequately managed, adding vulnerabilities to the network.

Plugged into a network device in a wiring closet, it can act as a sniffer: it captures traffic from the wired network and rebroadcasts it over its wireless radio, so an attacker sitting in the parking lot can collect the exfiltrated data. Wireless scans for unknown SSIDs and BSSIDs, and switch port security, are the usual ways to detect and block one.

29
Q

Evil twin

A

A rogue access point with the same SSID as a legitimate access point. An attacker can set up an AP using the SSID of a public Wi-Fi network, say a Starbucks, and users (or their devices, automatically) will connect to the evil twin, letting the attacker intercept their traffic or present a fake captive portal.

30
Q

Jamming attack

A

Attackers transmit noise or another radio signal on the frequency used by a wireless network, interfering with its transmissions and seriously degrading performance.

A type of DoS attack that usually prevents all users from connecting to the wireless network or makes them lose association with an AP. It cannot be stopped at the protocol level; a Wi-Fi analyzer helps locate the source, and changing channels may help if the jamming is narrowband.

31
Q

IV attack

A

Initialization vector attack. An IV is a number an encryption system combines with the key so that identical plaintext encrypts differently each time. A wireless IV attack attempts to recover the pre-shared key after first collecting the IVs in use.

If the scheme reuses IVs (WEP's 24-bit IV is so short that repeats are guaranteed on a busy network), an attacker who collects enough encrypted packets can recover the key, and packet injection is often used to provoke extra traffic and speed this up. This is why WEP is considered broken.

32
Q

NFC attack

A

Near-Field Communication is a group of standards that allow mobile devices to communicate with other devices when they are very close together, e.g. to share photos or other data. Many POS systems use it for contactless payment cards.

In an NFC attack, an attacker uses an NFC reader to capture data from another NFC device, sometimes as an eavesdropping attack with an antenna to boost the range, capturing a transaction. They can then make unauthorized charges on a credit card.

33
Q

RFID attack

A

Radio-Frequency Identification systems include an RFID reader and RFID tags placed on objects, often used to track and manage inventory and other valuable assets, including objects and animals.

Passive tags have no power source; their electronics harvest power from the reader's signal and use it to transmit the data stored on the tag, similar to how a proximity card draws a charge from a proximity card reader. The difference is distance: RFID readers can communicate with tags from much farther away.

Common RFID attacks
-Sniffing or eavesdropping. Since RFID transmits data over the air, an attacker who knows the system's frequency and has a receiver tuned to it can collect the data by listening. The attacker also needs to know the protocol the RFID system uses to interpret the data.

-Replay. Eavesdropping lets the attacker capture a tag's response and replay it from a bogus tag, e.g. to steal an object by having a cloned tag answer in its place. Tags that do a challenge-response with a secret key resist this; tags that emit a static ID do not.

-DoS. If an attacker knows an RFID system's frequency, it's possible to launch a jamming or interference attack, flooding the frequency with noise that prevents the system from operating normally.

34
Q

Bluetooth attacks

A

Bluetooth is a short-range wireless system used in personal area networks (PANs) and within networks.

-BLUEJACKING: sending unsolicited messages to nearby Bluetooth devices. Typically text, but can also be images or sounds. Relatively harmless but can cause confusion.

-BLUESNARFING: unauthorized access to or theft of information from a Bluetooth device. These attacks can access information such as email, contact lists, calendars and text messages.

-BLUEBUGGING: like bluesnarfing but goes a step further and installs a backdoor. The attacker can have the phone call them at any time, allowing them to listen in on conversations in a room, enable call forwarding, send messages and more.

Bluetooth devices use MAC addresses, and in discoverable mode a device broadcasts its address so other devices can see it and connect to it, as when pairing. These attacks are rarer today because devices must be paired manually and are not discoverable by default; keeping Bluetooth off or non-discoverable when not needed, or using a Faraday cage in sensitive areas, also helps.

35
Q

War driving and War flying

A

War driving: the practice of searching for wireless networks, usually from a car or on foot around a large city. Attackers discover wireless networks they can exploit and often use directional antennas to detect networks with weak signals.

War flying: similar, except people fly around in private planes, and some have intercepted wireless transmissions at altitudes of 2,500 feet. This works because 2.4 GHz signals travel farther than 5 GHz signals and there is little interference between APs and the plane. A drone with a little added hardware does the same job more cheaply.

36
Q

VPN

A

Virtual Private Network, commonly used for remote access. A remote access (direct access) VPN lets users reach a private network across a public one such as the Internet; a VPN can also run over a semiprivate leased line that a telecom company leases to several companies.

*Access over a public network is the core security concern with VPNs, and they are now a popular attack vector as more people work from home and reach company networks through remote access VPNs. The VPN gateway is Internet-facing, so its patching and authentication (ideally MFA) matter as much as the tunnel itself.

Tunneling protocols encapsulate and encrypt the traffic to protect the data from unauthorized disclosure, so nobody on the path can read what is transferred through the tunnel.

37
Q

VPN Appliances

A

You can build a VPN by enabling services on a server, such as a Windows server with the Remote Access role configured through the Routing and Remote Access console, as long as the server has two NICs: one reachable from the Internet, the other providing access to the private network. This works if you only support a few VPN clients.

*Larger organizations use a VPN appliance, a dedicated device that contains all the services needed to create a secure VPN supporting many clients. The appliance is normally placed in a screened subnet, with a firewall between the Internet and the screened subnet that forwards only VPN traffic to the appliance, which is reachable from the public Internet.

The VPN server typically forwards the user's credentials to a RADIUS server for authentication, which in turn often passes them to another server to validate them, such as an LDAP server (a domain controller in Windows).

38
Q

IPsec as a Tunneling Protocol

A

IPsec encrypts data in transit and supports both tunnel mode (the whole original packet is encrypted and wrapped in a new IP header; the mode used for VPNs) and transport mode (only the payload is encrypted, the original header is kept).

ESP (Encapsulating Security Payload) provides confidentiality, integrity and authentication for VPN traffic and is identified by IP protocol ID 50; AH (Authentication Header, protocol 51) provides integrity and authentication only, without encryption. Key exchange uses IKE over UDP port 500 (plus UDP 4500 when NAT traversal is needed), so a firewall in front of the VPN gateway must allow those.

39
Q

Split vs full tunnel

A

A full tunnel sends all of the client's traffic through the VPN once the user has connected, while a split tunnel only sends traffic destined for the VPN's private network through it; everything else goes straight to the Internet. Split tunneling saves bandwidth on the gateway but leaves the client exposed to its local network while it is also connected to the corporate network, so full tunnel is the safer default.

TLS is often used to secure VPN channels, encrypting VPN traffic over TCP port 443, which gives admins flexibility and doesn't require opening additional firewall ports.

40
Q

Site to site VPN

A

Uses two VPN gateways, one at each of two geographically separated networks, which connect to one another. It requires no extra steps from users: they reach servers at HQ as if they were on the same network.

A traditional remote access VPN (the host-to-gateway model) has the end user make the connection to the VPN server directly and be very much aware of the process.

41
Q

Always on VPN

A

can be used with both site to site VPNs and direct access VPNs, contrary to on-demand VPN connection that is established when it’s needed. Can automatically connect when a computer is turned on or when a mobile device connects to the internet.

42
Q

L2TP

A

Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that is also used for VPNs, most recent version being L2TPv3. None of these versions use encryption so it is not used by itself for VPN traffic.

Instead data is encrypted with another protocol, like IPSec, then passed to L2TP for transport over VPN.

43
Q

HTML5 VPN Portal

A

Lets users connect to the VPN through their web browser, using TLS to encrypt the session, with no client software to install; it can be very resource intensive on the gateway.

Sometimes used by organizations to give one or two users access to a limited set of resources.

44
Q

NAC

A

Network Access Control, provides continuous security monitoring by inspecting computers and preventing them from connecting to the network if they don’t pass the inspection.

-Up to date antivirus
-Most recent OS patches
-Firewalls enabled

Can use for VPN clients and internal clients.

45
Q

Agent vs Agentless NAC

A

Agents on clients can be either permanent or dissolvable.

Permanent (persistent) agent = is installed on a client and stays on the client, using the agent when the client attempts to log on remotely.

Dissolvable agent = downloaded and runs on the client when the client logs on remotely. Collects the information it needs, identifies the client as healthy or not, and reports the status back to the NAC system. Some remove themselves immediately after reporting back to the NAC system, others remove themselves when the remote session ends.

46
Q

PAP

A

Password Authentication Protocol is an authentication method used with Point-to-Point Protocol (PPP) to authenticate clients.

Its weakness is that it sends passwords over the network in cleartext. Previously used for dial-up connections, it is now used only as a last resort, and then only inside an encrypted tunnel (e.g. as the inner method of EAP-TTLS).

Uses a password or PIN.

47
Q

CHAP

A

Challenge Handshake Authentication Protocol (CHAP) is another authentication protocol that also uses PPP to authenticate remote users, but it is more secure than PAP because CHAP doesn't send passwords over the network in cleartext.

The client and server both know a shared secret (similar to a password) used in the authentication process. The server sends a nonce (number used once) as a challenge; the client hashes the challenge together with the secret (MD5 in the original RFC 1994 design) and returns only the hash, which the server recomputes and compares. The handshake happens when the client first connects and is repeated at intervals during the connection, so a captured response cannot be replayed against a fresh challenge. The server must still store the secret in a recoverable form, which is CHAP's main drawback.
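What the two cards above mean "on the wire" is easiest to see side by side. The example below is added here and is not from the flashcards: it builds the PAP payload (password in the clear), implements the CHAP response of RFC 1994 (MD5 over identifier, secret and challenge) with a server that issues one-time challenges, and shows that a sniffed CHAP response cannot be replayed. The usernames and secrets are constructed; the PAP payload layout is simplified rather than a byte-exact PPP frame.

```python
"""Added example (not from the flashcards): what PAP puts on the wire versus
the CHAP challenge/response of RFC 1994. Usernames and secrets are constructed."""
import hashlib
import hmac
import secrets


def pap_authenticate_request(username: str, password: str) -> bytes:
    """Simplified PAP Authenticate-Request: length-prefixed username and password.
    The password itself crosses the link; anyone sniffing it reads it directly."""
    return (bytes([len(username)]) + username.encode()
            + bytes([len(password)]) + password.encode())


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Issues a fresh challenge per attempt and verifies the response.
    The secret never leaves either side; only the challenge and the hash do."""

    def __init__(self, secrets_db: dict):
        self.db = secrets_db      # username -> shared secret (stored recoverably, CHAP's drawback)
        self.pending = {}         # identifier -> outstanding challenge

    def challenge(self, ident: int) -> bytes:
        ch = secrets.token_bytes(16)   # nonce: number used once
        self.pending[ident] = ch
        return ch

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        ch = self.pending.pop(ident, None)   # each challenge may be answered only once
        secret = self.db.get(username)
        if ch is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, ch), response)


def chap_login(server: ChapServer, ident: int, username: str, secret: bytes):
    """Client side of one exchange. Returns (response_sent, accepted)."""
    ch = server.challenge(ident)
    resp = chap_response(ident, secret, ch)
    return resp, server.verify(ident, username, resp)


def replay_is_rejected(server: ChapServer) -> bool:
    """Sniff a valid response, then replay it: the challenge it answered is gone."""
    resp, ok = chap_login(server, 1, "alice", b"hunter2")
    replayed_ok = server.verify(1, "alice", resp)
    return ok and not replayed_ok


if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request("alice", "hunter2"))
    srv = ChapServer({"alice": b"hunter2"})
    resp, ok = chap_login(srv, 5, "alice", b"hunter2")
    print("CHAP on the wire:", resp.hex(), "accepted:", ok)
    print("replay rejected:", replay_is_rejected(ChapServer({"alice": b"hunter2"})))
```

The hash hides the secret from a passive sniffer but not from an offline dictionary attack: an attacker who captures a (challenge, response) pair can guess secrets at MD5 speed, which is why CHAP-family methods (MS-CHAPv2 included) are now run only inside a TLS tunnel such as PEAP or EAP-TTLS.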

48
Q

RADIUS

A

RADIUS (Remote Authentication Dial-In User Service) is a centralized authentication service.

Instead of each VPN server needing its own database of who can authenticate, the VPN servers forward authentication requests to a central RADIUS server. The same server can act as the 802.1X server for WPA2/WPA3 Enterprise mode.

If you have multiple VPN servers, you only have to update credentials in one place, the RADIUS server.

RADIUS uses UDP (1812 for authentication, 1813 for accounting) and by default only obscures the User-Password attribute, using an MD5-based scheme keyed with the shared secret; the rest of the packet, including the username, is cleartext.

RADIUS was created before EAP but carries EAP methods; with a tunneled method such as PEAP or EAP-TLS the user's credentials are protected inside TLS, so the RADIUS packets between the access device and the server never carry them in a crackable form.

49
Q

TACACS+

A

Terminal Access Controller Access-Control System Plus (TACACS+).

An alternative to RADIUS that provides two essential security benefits:
1. Encrypts the entire authentication process (the whole packet body), not just the password. It runs over TCP port 49.
2. Uses multiple challenges and responses between the client and server.

Although created by Cisco, it can interact with Kerberos, so it can operate in a Microsoft AD environment, which uses Kerberos for authentication.

*Organizations also use TACACS+ for authentication to network devices, e.g. authenticating administrators before they can access the configuration interface of a router or switch, and it can authorize individual commands separately from the login.

50
Q

AAA protocols

A

AAA protocols provide authentication, authorization and accounting.

RADIUS, TACACS+ and Diameter are all considered AAA protocols because they provide all three.