Chapter 6 & 7: Secure Network Configuration and Authentication

Question 1

Which protocols use PKI (4)

Answer 1

SSH
TLS
S/MIME
HTTP-Digest

Question 2

Which protocol is used by many directory service systems from multiple vendors and manages distributed information services across a network. In this context, a “directory” is a database that stores information about network users, systems, services, and so on.

Answer 2

Lightweight Directory Access Protocol (LDAP)

Question 3

What is Active Directory on Windows based on (2)

Answer 3

LDAP and Kerberos

Question 4

What is a session-layer API for network applications that is use for file and printer sharing as well as computer identification on local network segments

Answer 4

Netbios

Question 5

What protocol is used to remotely manage and monitor devices like routers and switches?

Answer 5

Simple Network Management Protocol (SNMP)

Question 6

What is an open set of standards based on the Remote Frame Buffer Protocol. Uses TCP port 4900+N where N is the display number.

Answer 6

VNC

Question 7

What is a simplified version of FTP designed for very lightweight applications, such as devices booting from the network. Uses UDP port 69.

Answer 7

Trivial File Transfer Protocol (TFTP)

Question 8

What is an improved version of WPA-Personal used by WPA3 which is still based on a shared password distributed to each authorized user, but the password is not used in key generation or exposed to the network in hashed form.

Answer 8

Simultaneous Authentication of Equals (SAE)

Question 9

Which VPN technology encapsulates almost any L3 protocol in a virtual point-to-point link and is used for tunneling.

Answer 9

Generic Routing Encapsulation (GRE)

Question 10

Which VPN technology encapsulates PPP packets over GRE to provide VPN tunneling features, but relies on vendor implementation to provide encryption and authentication. Uses TCP port 1723 and GRE port 47

Answer 10

Point-to-point Tunneling Protocol (PPTP)

Question 11

Which VPN technology is an IETF standard based on elements of PPTP and Cisco’s similar protocol. Uses RADIUS or TACACS+ authentication and IPSec encryption. Requires UDP port 500 and 1701.

Answer 11

L2TP/IPSec

Question 12

Which VPN technology It

provides similar functionality to L2TP/IPsec while offering higher performance and better firewall traversal.

Answer 12

IKEv2/IPSec

Question 13

Which encryption technology is often associated with VPNs, but can provide end-to-end level 3 security on any IP network. It is comprised on three protocols to provide authentication and integrity. They’re all based on the idea of security associations (SAs)

Answer 13

IPSec

Question 14

Which IPSec component negotiates and authenticates SAs between two hosts and exchanges encryption keys to set up a secure channel.

Answer 14

Internet Key Exchange (IKE)

Question 15

Which IPSec component provides data integrity and source authentication through cryptographic hashes of the packet contents and source identity.

Answer 15

Authentication Header (AH)

Question 16

Which IPSec component encrypts the packet payload along with integrity and authentication information

Answer 16

Encapsulating Security Payload (ESP)

Question 17

During IKE negotiations, host, or pee, identities are established through what? (2)

Answer 17

preshared keys or X.509 certificates

Question 18

IPSec operates in what two modes?

Answer 18

Tunnel mode and Transport mode

Question 19

What is the purpose of a site survey

Answer 19

To determine existing wifi coverage areas and identify problems

Question 20

What are onboarding and offboarding procedures applied to?

Answer 20

devices added or removed from the network

Question 21

What is the term where one party has explicit trust relationship with two other parties, that can form an implied trust relationship between those two

Answer 21

Transitive trust

Question 22

What is the system that allows a authentication system to be shared across multiple systems or networks even if they’re not directly associated with each other. This makes SSO easier to implement.

Answer 22

Federated Identity Management

Question 23

What is the term for where users can authorize one service to access resources belonging to another service within the same federation

Answer 23

Access delegation

Question 24

Which PPP authentication protocol is the oldest and most widely supported standards. It uses a two-way handshake where the client presents user/pass and the server accept/rejects. This is only a one-way authentication and the exchange happens in plaintext.

Answer 24

Password Authentication Protocol (PAP)

Question 25

Which PPP authentication protocol uses a three-way handshake, with security provided by a shared secret. It also allows for periodic challenges during the session to prevent session hijacking.

Answer 25

Challenge-handshake Authentication Protocol (CHAP)

Question 26

Which PPP authentication extension can also be used for wireless authentication. This isn’t an authentication method in itself, but rather a message format and set of standard functions that can be used to support a wide variety of specific authentication methods. WPA-Enterprise networks combine 802.1X standard with some version of this for authentication.

Answer 26

Extensible Authentication Protocol (EAP)

Question 27

Which EAP extension uses client and server X.509 certs in the auth process, allowing high security.

Answer 27

EAP-TLS

Question 28

Which EAP extension only requires server certificates and the client authenticates securely with a password.

Answer 28

EAP-TTLS

Question 29

Which EAP extension is used by GSM cellular networks?

Answer 29

EAP-SIM

Question 30

Which EAP extension is a proprietary Cisco version based off MS-CHAP

Answer 30

Lightweight EAP (LEAP)

Question 31

Which EAP extension is a proprietary Cisco upgrade to LEAP

Answer 31

EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

Question 32

This is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. It provides a transport layer security structure where it is needed within EAP. It uses a public-key encryption certificate for this purpose. Server-side public-key certificates authenticate servers. It also supports authentication with usernames/passwords.

Answer 32

PEAP

Question 33

Which technology provides full AAA support to PPP and wireless. It communicates with a network access server (NAS) to provide AAA of the client, and then the NAS manages authorizing that user to network resources. Operates on UDP port 182.

Answer 33

Remote Authentication Dial-In User Service (RADIUS)

Question 34

Which technology has features similar to RADIUS with the following exceptions - Uses TCP port 49 - Encrypts entire access request packets - Combines authentication and authorization into a single step - Supports more non-IP protocols

Answer 34

Terminal Access Controller Access Control System (TACACS+)

Question 35

Which EAP extension prevents users from attaching unauthorized devices on the network. It is the underlying technology of WPA-Enterprise and WPA2-Enterprise. The protocol encapsulates EAP messages into EAP over LAN (EAPOL) frames and then relies on some back-end AAA server. Works with RADIUS, Diameter and TACACS+

Answer 35

802.1X

Question 36

Which system provides mutual authentication and encryption between clients and servers on a non-secure network. Nodes negotiate with each other on the words of this system operating as a trusted third-party.

Answer 36

Kerberos

Question 37

In Kerberos, each realm is controlled by what?

Answer 37

a Key Distribution Center (KDC)

Question 38

In Kerberos, what is the component of KDC that authenticates users and gives them a ticket granting ticket (TGT)

Answer 38

The Authentication Server (AS)

Question 39

In Kerberos, what is the component of KDC that validates TGT holders and issues them temporary credential tickets and session keys?

Answer 39

The ticket-granting service (TGS)

Question 40

What technology is an open XML-based standard that's used to exchange authentication and authorization information. It is used in many SSO environments.

Answer 40

Security Association Markup Language (SAML)

Question 41

What framework provides access delegation, allowing you to give authorization for something to use some, but not all, of you accounts?

Answer 41

OAuth

Question 42

What is a layer on top of OAuth framework that handles the SSO authentication between systems?

Answer 42

OpenID

Question 43

In Kerberos, messages are timestamped to prevent replay attacks. Therefore, what is required for authentication using Kerberos?

Answer 43

synchronized time

Question 44

WPA2 largest change is mandatory support for what encryption mode

Answer 44

128-bit AES-CCMP, the AES cipher using the Counter Mode/CBC-MAC mode of operation.