Chapter 4 Securing Your Network

Question 1

What does IDS stand for?

Answer 1

Intrusion Detection System

Question 2

What does IPS stand for?

Answer 2

Intrusion Prevention System

Question 3

What does an IDS do?

Answer 3

An IDS monitors a network and send alerts when they detect suspicious events on a system or network.

Question 4

What does an IPS do?

Answer 4

An IPS reacts to attacks in progress and prevent them from reaching systems and networks.

Question 5

What does HIDS stand for?

Answer 5

Host-based Intrusion Detection System

Question 6

What does an HIDS do?

Answer 6

An HIDS provides protection to the individual host and can detect potential attacks and protect critical operating system files.

Question 7

Describe the logistics of an HIDS

Answer 7

An HIDS is additional software installed on a system such as a workstation or server.

Question 8

What is the primary goal for an HIDS?

Answer 8

To monitor traffic

Question 9

True or False : An HIDS can help with detecting malware?

Answer 9

True
Because of this, many organizations install a HIDS on every workstation as an extra layer of protection in addition to traditional antivirus software.

Question 10

What does NIDS stand for?

Answer 10

Network-based Intrusion Detection System

Question 11

What does an NIDS do?

Answer 11

An NIDS monitors activity on the network.

Question 12

List some devices NIDS sensors and collectors would be installed on

Answer 12

Routers, Firewalls

Question 13

True or False: An NIDS can decrypt/encrypt network traffic

Answer 13

False

An NIDS can only monitor and assess threats on the network from traffic sent in plaintext or nonencrypted traffic.

Question 14

What does a tap or port mirror do and how is this beneficial for NIDS?

Answer 14

Allows administrators to send all traffic to a single port. It can be used as a tap to send all switch data to a sensor or collector, and forward this to a NIDS.

Question 15

True or False: An IDS can prevent an intrusion

Answer 15

False

An IDS can only detect an intrusion

Question 16

What is an attack?

Answer 16

Any attempt to compromise CIA - confidentiality, integrity, and/or availability

Question 17

What are the two primary methods of detection?

Answer 17

Signature-based and heuristic ( behavioral-based)

Question 18

What does a signature-based IDS do?

Answer 18

A signature-based IDS uses a database of known vulnerabilities or known attack patterns.

Question 19

What does a heurist(behavioral-based) IDS do?

Answer 19

A heuristic(behavioral-based) IDS provides continuous monitoring by constantly comparing current network behavior against the baseline. When the IDS detects abnormal activity (outside normal boundaries as identified in the baseline), it gives an alert indicating a potential attack.

Question 20

What is a zero-day exploit?

Answer 20

A zero-day exploit is where there is no patch available for the vulnerability

Question 21

How does an IDS utilize logs?

Answer 21

An IDS analyzes logs (real-time or regular intervals) to provide insight on trends which detect a pattern of attacks and provide insight into how to better protect a network.

Question 22

What triggers an IDS to report an alert or an alarm?

Answer 22

Rules configured within the IDS

Question 23

____ is an alert or alarm on an event that is nonthreatening, benign, or harmless

Answer 23

A false positive

Question 24

____ is when an attacker is actively attacking the network, but the system does not detect it.

Answer 24

A false negative

Question 25

What is inline/in-band monitoring?

Answer 25

Monitoring of traffic passing thru with potential to block

Question 26

____ is considered inline/in-band monitoring

Answer 26

An IPS

Question 27

What is out-of-band/passive monitoring?

Answer 27

Monitoring of traffic but not able to block

Question 28

____ is considered out-of-band/passive monitoring

Answer 28

An IDS

Question 29

What does an SSL/TLS accelerator do?

Answer 29

It frees up the primary computer’s resources, such as CPU power and RAM by performing the process of establishing the HTTPS session, negotiating the best security supported by both the client and the server, sharing encryption keys, and encrypting session data

Question 30

What does an SSL Decryptor do?

Answer 30

Intermediary device that establishes HTTPS connections between all end points and decrypts traffic to monitor for suspicious and malicious activity

Question 31

What does SDN stand for?

Answer 31

Software Defined Network

Question 32

What does an SDN do?

Answer 32

An SDN separates data plane and control plane traffic through virtualization and not physical network devices

Question 33

What is the data plane?

Answer 33

The data plane is the part of the network that carries the traffic

Question 34

What is the control plane?

Answer 34

The control plane is the logic used to direct network traffic

Question 35

What is a honeypot?

Answer 35

A honeypot is a server that is not tightened and secure or extremely vulnerable to attacks to serve as a diversion for attackers.

Question 36

What are the two primary goals of a honeypot?

Answer 36

1. Divert attackers from the live network

2. Allow observation of an attacker

Question 37

What is a honeynet?

Answer 37

A group of honeypot servers within a separate network zone but accessible from an orgs primary network

Question 38

_____ is a port-based authentication protocol

Answer 38

IEEE 802.1x

Question 39

In wireless networking what does AP/WAP stand for?

Answer 39

Access point/wireless access point

Question 40

True or false: All wireless routers are APs

Answer 40

True

Question 41

True or false: All APs are routers

Answer 41

False

Question 42

What is a fat AP?

Answer 42

An AP which includes everything needed to connect wireless clients to a wireless network. It typically includes features such as a routing component, NAT, DHCP, wireless security options, access control lists (ACLs), and more.

Question 43

True or False: Fat APs must be configured separately from each other

Answer 43

True

Question 44

What is a thin AP?

Answer 44

An AP that is managed by a controller and is not stand-alone

Question 45

What are the two primary radio bands used in wireless networks?

Answer 45

2.4gHz and 5.0gHz

Question 46

____ channels are more likely to overlap with other wireless devices and this interference affects overall performance.

Answer 46

Wider

Question 47

In wireless networks, what does SSID stand for?

Answer 47

Service Set Identifier

Question 48

What does SSID represent?

Answer 48

The name of the wireless network

Question 49

True or False: It’s a good idea to change the name of a default SSID. Explain why.

Answer 49

True
If a default SSID is left it could provide an attacker with details that he/she could leverage to exploit vulnerabilities

Question 50

How would an attacker be able to determine the SSID of a wireless network if the broadcast is disabled?

Answer 50

Using a protocol analyzer, an attacker can view the probe frame responses which contain the SSID information.

Question 51

_____ is a form of network access control used with port security on switches that can be used to restrict access to wireless networks.

Answer 51

MAC filtering

Question 52

____ is the most commonly used antenna on APs and wireless devices

Answer 52

Omnidirectional antennas

Question 53

Adjusting the _____ affects the range of the AP

Answer 53

Power level

Question 54

What is a guest network used for?

Answer 54

A guest network is typically a wireless network used to provide guests with Internet access.

Question 55

An ____ network is where wireless devices connect to each other without an AP on an as needed basis

Answer 55

Ad-hoc

Question 56

What does WPA stand for?

Answer 56

Wi-Fi Protected Access

Question 57

What does TKIP stand for and what is it?

Answer 57

Temporary Key Integrity Protocol

It is an older encryption protocol with WPA but should no longer be used

Question 58

What does CCMP stand for and what is it?

Answer 58

Cipher Block Chaining Message Authentication Code Protocol

It is a newer encryption protocol that replaced TKIP for use with WPA2

Question 59

What does AES stand for and what is it?

Answer 59

Advanced Encryption Standard

It is a very strong and efficient encryption algorithm

Question 60

What does PSK stand for and what is it?

Answer 60

Pre-shared key

Its a mode where users access a wireless network with a PSK or passphrase (a form of authorization)

Question 61

What is the difference between PSK and enterprise mode?

Answer 61

PSK only allows for authorization where as enterprise mode is for authentication and authorization. Each user has a unique set of credentials to authenticate with.

Question 62

To configure an AP in enterprise mode, what information do you need?

Answer 62

An IP address assigned to an 802.1x RADIUS server
A port number used by the RADIUS server
A shared secret which is similar to a password

Question 63

What is open mode?

Answer 63

A wireless mode where no security configuration is implemented and allows all users to access the AP

Question 64

What does EAP stand for and what is it?

Answer 64

Extensible Authentication Protocol

An authentication framework that provides general guidance for authentication methods.

Question 65

What does PMK stand for and what is it?

Answer 65

Pairwise Master Key

A secure encryption key used for two systems to encrypt all data transmitted between them

Question 66

What is EAP-FAST?

Answer 66

Extensible authentication protocol - flexible authentication via secure tunneling
Created by CISCO to replace light EAP (LEAP). Supports certificates (optional)

Question 67

What is PEAP?

Answer 67

Protected EAP
A protocol which protects the communication channel by encapsulating and encrypting the EAP conversation in a TLS tunnel. Requires a cert on the server but not on the client. MS-CHAPv2

Question 68

What is EAP-Tunneled TLS EAP-TTLS?

Answer 68

Extension of PEAP which allows systems to use older authentication methods such as Password Authentication Protocol (PAP) within a TLS tunnel. Requires cert on the server but not on the clients

Question 69

What is EAP-TLS?

Answer 69

Most secure EAP standards and widely implemented. Requires certs on both server and client

Question 70

What is RADIUS federation?

Answer 70

Where two or more entities share the same identity management system through use of RADIUS.

Question 71

A ____ ____ is a technical solution that forces clients using web browser to complete a specific process before it allows them access to the network

Answer 71

Captive portal

Question 72

What are some common examples of captive portals?

Answer 72

1. Free Internet Access through AUP (acceptable use policy) which allows guests to have access to the internet
2. Paid internet access - when attempting to access the internet redirected to a captive portal to pay
3. Alternative to IEEE 802.1x server since it (IEEE 802.1x server) is expensive

Question 73

What is a disassociation attack?

Answer 73

An attack which effectively removes a wireless client from a wireless network forcing them to reauthenticate. An attacker sends a disassociation frame to the AP spoofing the client’s MAC address

Question 74

What does WPS stand for and what does it do?

Answer 74

Wi-Fi Protected Setup
Allows users to configure wireless devices without typing in the passphrase. Users can configure devices by pressing buttons or by entering a short eight digit PIN

Question 75

What is a WPS attack?

Answer 75

When an attacker keeps trying different PINs until it succeeds (brute force attack). Recommended to disable on APs

Question 76

What is a rogue AP?

Answer 76

An AP placed in a network without official authorization

Question 77

What is an evil twin?

Answer 77

A rogue access point with the same SSID as a legitimate access point.

Question 78

What is a jamming attack?

Answer 78

When an attacker transmit noise or another radio signal on the same frequency used by a wireless network interfering with the wireless transmissions

Question 79

What are some ways to overcome a jamming attack?

Answer 79

Using a different channel (although the attacker can also switch channels)
Increasing the power level

Question 80

What is a wireless initialization vector attack?

Answer 80

An attack that attempts to discover the pre-shared key from the IV

Question 81

When is an IV attack successful?

Answer 81

When an encryption system reuses the same IV. In many IV attacks the attacker uses packet injection techniques to add additional packets into the data stream.

Question 82

An eavesdropping attack is a form of what?

Answer 82

NFC attack

Question 83

What happens during an eavesdropping attack?

Answer 83

The NFC reader uses an antenna to boost its range, and intercepts the data transfer between two other devices.

Question 84

What is bluetooth?

Answer 84

Bluetooth is a short-range wireless system used in personal area networks (PANs) and within networks.

Question 85

A __ is a network of devices close to a single person

Answer 85

Personal Area Network (PAN)

Question 86

What is Bluejacking?

Answer 86

The practice of sending unsolicited messages to nearby Bluetooth devices. Typically text but can be images or sounds.

Question 87

What is Bluesnarfing?

Answer 87

Unauthorized access to or theft of information from a Bluetooth device

Question 88

What is bluebugging?

Answer 88

Similar to Bluesnarfing but in addition to gaining full access to the device the attacker installs a backdoor allowing them to listen in on phone conversations, enable call forwarding, send messages, etc.

Question 89

What is a replay attack?

Answer 89

When an attacker captures data sent between two entities, modifies it, and then attempts to impersonate one of the parties by replaying the data.

Question 90

True or False: WPA2 using CCMP and AES are vulnerable to replay attacks

Answer 90

False

WPA2 using CCMP and AES is not vulnerable to replay attacks but WPA with TKIP is

Question 91

What does RFID stand for and what is it?

Answer 91

Radio Frequency Identification

RFID systems include a reader and tag used to track and manage inventory, assets, etc.

Question 92

What is RFID sniffing/eavesdropping?

Answer 92

When an attacker listens on the same frequency that the RFID transmits data on and exfiltrates data

Question 93

What is an RFID replay attack?

Answer 93

When an attacker performs eavesdropping and then captures data transferring between entities and impersonates one of the parties

Question 94

What is an RFID DoS attack?

Answer 94

Attempts to disrupt services i.e. by launching a jamming or interference attack, flooding the frequency

Question 95

What does VPN stand for and what does it do?

Answer 95

Virtual Private Network

Allows users to access private networks via a public network

Question 96

What is a VPN concentrator?

Answer 96

It is a dedicated device used for VPNs which includes all the services needed to create a VPN including strong encryption and authentication techniques and supports many clients.

Question 97

Where in the network is a VPN concentrator typically located?

Answer 97

In the DMZ

Question 98

What are two ways IPSec provides security?

Answer 98

Authentication and encryption

Question 99

How does IPSec handle authentication?

Answer 99

IPSec includes an authentication header (AH) to allow each of the hosts in the IPSec conversation to authenticate with each other before exchanging data. Using protocol 51.

Question 100

How does IPSec handle encryption?

Answer 100

IPSec includes encapsulating security payload (ESP) to encrypt the data and provide confidentiality. Using protocol 50.

Question 101

What does IKE stand for and what is it?

Answer 101

Internet Key Exchange
Used in IPsec over port 500 to authenticate clients in the IPsec conversation. Creates security associations (SAs) for the VPN and uses these to set up a secure channel between the client and the VPN server

Question 102

What does SSTP stand for and what does it do?

Answer 102

Secure Socket Tunneling Protocol

It encrypts VPN traffic using TLS over port 443

Question 103

What are the benefits for using SSTP?

Answer 103

Provides administrators with flexibility and rarely requires opening additional ports. Good alternative when the VPN tunnel must go through a device using NAT and IPsec is not feasible

Question 104

What is a split tunnel VPN?

Answer 104

Filter traffic based on criteria. If meets criteria send traffic through VPN tunnel otherwise send to public internet

Question 105

What is a full tunnel VPN?

Answer 105

Where all traffic goes through the encrypted tunnel while the user is connected to the VPN.

Question 106

What is a disadvantage of full tunnel VPN?

Answer 106

It can be slow due to the additional hops the traffic makes and since it has to be decrypted and encrypted

Question 107

What is a site-to-site VPN?

Answer 107

Where two VPN servers act as gateways for two networks separated geographically.

Question 108

What is an always-on VPN?

Answer 108

When a VPN connection is persistent. The opposite is that the VPN connection is only established when a user connects to a remote system.

Question 109

What does NAC stand for and what is it?

Answer 109

Network Access Control

Method of control to ensure that clients meet predetermined characteristics prior to accessing a network.

Question 110

What are common health conditions checked by a NAC?

Answer 110

Up-to-date antivirus software, including updated signature definitions
Up-to-date operating system, including current patches and fixes
Firewall enabled on the client

Question 111

What are authentication agents and what do the do?

Answer 111

They inspect NAC clients to check different conditions on a computer and document the status in a statement of health

Question 112

What is a remediation (quarantine) network?

Answer 112

An intermediary network which a client/host is directed to if the computer fails health check conditions. The remediation network provides access to resources the client can use to get healthy.

Question 113

What is a permanent agent?

Answer 113

A persistent agent installed on the client and stays on the client.

Question 114

What is a dissolvable agent?

Answer 114

A non-persistent agent which is downloaded and run on the client when the client logs on remotely. Removed either after performing health check or end of remote session. Often used on mobile devices

Question 115

What does PAP stand for and what is it?

Answer 115

Password authentication Protocol

A protocol used with Point-to-Point Protocol (PPP) to authenticate clients.

Question 116

A significant weakness of ___ is that it sends passwords over a network in cleartext, representing a significant security risk.

Answer 116

PAP

Question 117

What does CHAP stand for and what is it?

Answer 117

Challenge Handshake Authorization Protocol
A protocol that uses PPP to authenticate clients but is more secure than PAP. Client hashes a shared secret with a nonce (number used once)

Question 118

What is a benefit of MS-CHAPv2?

Answer 118

It allows for mutual authentication. Client to server and server to client

Question 119

What does RADIUS stand for and what is it?

Answer 119

Remote Authentication Dial-In User Service

A centralized authentication service

Question 120

Does RADIUS use TCP or UDP?

Answer 120

UDP

Question 121

What does TACACS+ stand for and what is it?

Answer 121

Terminal Access Controller Access-Control System

Cisco alternative to RADIUS

Question 122

Which system encrypts the entire authentication process?

Answer 122

TACACS+

Question 123

Which system uses multiple challenges and responses between the client and server?

Answer 123

TACACS+

Question 124

_____ is an extension of RADIUS that can work with EAP

Answer 124

Diameter

Question 125

What does AAA stand for?

Answer 125

Authentication Authorization Accounting

Question 126

RADIUS, TACACS+, and Diameter are considered ____ protocols because they provide authentication, authorization, and accounting

Answer 126

AAA