Chapter 4 Securing Your Network Flashcards

1
Q

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) inspect traffic using the same functionality as a protocol analyzer.

A

A host-based IDS (HIDS) can detect attacks on local systems such as workstations and servers.

2
Q

The HIDS protects local resources on the host and can detect some malware that isn’t detected by traditional antivirus software. A network-based IDS (NIDS) detects attacks on networks.

A

A signature-based IDS or IPS uses signatures to detect known attacks or vulnerabilities.

3
Q

Heuristic-based or behavioral-based IDSs (also called anomaly-based IDSs) require a baseline and detect attacks based on anomalies or when traffic is outside expected boundaries.

A

A false positive incorrectly raises an alert indicating an attack when an attack is not active. False positives increase the workload of administrators. A false negative is when an attack is active, but not reported.

4
Q

An IPS is similar to an active IDS except that it’s placed inline with the traffic (sometimes called in-band) and can stop attacks before they reach the internal network.

A

An IPS can actively monitor data streams, detect malicious content, and prevent it from reaching a network. In contrast, an IDS is out-of-band.

5
Q

IDSs and IPSs can also protect internal private networks, such as private supervisory control and data acquisition (SCADA) networks.

A

SSL/TLS accelerators are dedicated hardware devices that handle Transport Layer Security (TLS) traffic. Other devices, such as a web server, can off-load TLS traffic handling to the accelerator.

6
Q

SSL decryptors allow an organization to inspect traffic, even when traffic is using SSL or TLS.

A

A software-defined network (SDN) uses virtualization technologies to route traffic instead of using hardware routers and switches. It separates the data and control planes.

7
Q

Honeypots and honeynets appear to have valuable data and attempt to divert attackers away from live networks. Security personnel use them to observe current attack methodologies and gather intelligence on attacks.

A

An 802.1x server provides strong port security using port-based authentication. It prevents rogue devices from connecting to a network by ensuring that only authorized clients can connect.

8
Q

Wireless access points (APs) connect wireless clients to a wired network.

A

A fat AP, also known as a stand-alone AP, includes everything needed to connect wireless clients to a wireless network.

9
Q

Thin APs are controller-based APs. A controller configures and manages a thin AP.

A

The service set identifier (SSID) is the name of the wireless network. Disabling the SSID broadcast hides a wireless network from casual users.

10
Q

You can restrict access to wireless networks with media access control (MAC) filtering. However, attackers can discover authorized MACs and spoof an authorized MAC address.

A

Most WAPs have omnidirectional antennas. Directional antennas have narrower beams and longer ranges.

11
Q

An ad hoc wireless network is two or more devices connected together without an AP.

A

Wi-Fi Protected Access (WPA) can use Temporal Key Integrity Protocol (TKIP) or Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). Both WPA and TKIP have been deprecated.

12
Q

Personal mode uses a pre-shared key (PSK). It is easy to implement and is used in many smaller wireless networks.

A

Personal mode uses a pre-shared key (PSK). It is easy to implement and is used in many smaller wireless networks.

13
Q

Open mode doesn’t use a PSK or an 802.1x server. Many hot spots use Open mode when providing free wireless access to customers.

A

802.1x servers use one of the Extensible Authentication Protocol (EAP) versions, such as Protected EAP (PEAP), EAP-Tunneled TLS (EAP-TTLS), EAP-TLS, or EAP-Flexible Authentication via Secure Tunneling (EAP-FAST).

14
Q

The most secure EAP method is EAP-TLS, and it requires a certificate on the server and on each of the wireless clients.

A

PEAP and EAP-TTLS require a certificate on the server, but not the client. PEAP is often implemented with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).

15
Q

Lightweight EAP (LEAP) is proprietary to Cisco and does not require a certificate. Cisco designed EAP-FAST to replace LEAP.

A

A captive portal forces wireless clients to complete a process, such as acknowledging a policy or paying for access, before it grants them access to the network.

16
Q

A disassociation attack effectively removes a wireless client from a wireless network, forcing it to reauthenticate.

A

Wi-Fi Protected Setup (WPS) allows users to easily configure a wireless device by pressing a button or entering a short PIN. WPS is not secure. A WPS attack can discover the PIN within hours. It then uses the PIN to discover the passphrase.

17
Q

A rogue access point (rogue AP) is an AP placed within a network without official authorization. An evil twin is a rogue access point with the same SSID as a legitimate access point.

A

A jamming attack floods a wireless frequency with noise, blocking wireless traffic.

18
Q

An initialization vector (IV) attack attempts to discover the IV and uses it to discover the passphrase.

A

Near field communication (NFC) attacks use an NFC reader to read data from mobile devices.

19
Q

Bluejacking is the practice of sending unsolicited messages to a phone. Bluesnarfing is the unauthorized access to, or theft of information from, a Bluetooth device.

A

In a wireless replay attack, an attacker captures data sent between two entities, modifies it, and then impersonates one of the parties by replaying the data. WPA2 using CCMP and AES prevents wireless replay attacks.

20
Q

Radio-frequency identification (RFID) attacks include eavesdropping, replay, and DoS.

A

A virtual private network (VPN) provides access to private networks via a public network, such as the Internet. VPN concentrators are dedicated devices that provide secure remote access to remote users.

21
Q

IPsec is a common tunneling protocol used with VPNs. It secures traffic within a tunnel. IPsec provides authentication with an Authentication Header (AH). Encapsulating Security Payload (ESP) encrypts VPN traffic and provides confidentiality, integrity, and authentication.

A

IPsec Tunnel mode encrypts the entire IP packet used in the internal network. IPsec Transport mode only encrypts the payload and is commonly used in private networks, but not with VPNs.

22
Q

Some VPNs use TLS to encrypt traffic within the VPN tunnel.

A

A full tunnel encrypts all traffic after a user has connected to a VPN. A split tunnel only encrypts traffic destined for the VPN’s private network.

23
Q

Site-to-site VPNs provide secure access between two networks. These can be on-demand VPNs or always-on VPNs.

A

Mobile devices can also use always-on VPNs to protect traffic when users connect to public hot spots.

24
Q

Network access control (NAC) inspects clients for specific health conditions such as up-to-date antivirus software, and can redirect unhealthy clients to a remediation network.

A

A permanent NAC agent (sometimes called a persistent NAC agent) is installed on the client and stays on the client. A dissolvable NAC agent (sometimes called agentless) is downloaded and run on the client when the client logs on, and deleted after the session ends. Dissolvable agents are commonly used for employee-owned mobile devices.

25
Q

Remote access authentication is used when a user accesses a private network from a remote location, such as with a VPN connection.

A

Password Authentication Protocol (PAP) uses a password or PIN for authentication. A significant weakness is that PAP sends passwords across a network in cleartext.

26
Q

Challenge Handshake Authentication Protocol (CHAP) is more secure than PAP and uses a handshake process when authenticating clients.

A

MS-CHAP and MS-CHAPv2 are the Microsoft improvement over CHAP. MS-CHAPv2 provides mutual authentication.

27
Q

RADIUS provides central authentication for multiple remote access services. RADIUS relies on the use of shared secrets and only encrypts the password during the authentication process. It uses UDP.

A

TACACS+ is used by some Cisco systems as an alternative to RADIUS. TACACS+ uses TCP, encrypts the entire authentication process, and supports multiple challenges and responses.

28
Q

Diameter is an improvement over RADIUS. Diameter uses TCP, encrypts the entire authentication process, and supports many additional capabilities.

A

RADIUS, TACACS+, and Diameter are all authentication, authorization, and accounting (AAA) protocols.