Communication and network security Flashcards
The most important protocol at Layer 2 is
the Address Resolution Protocol (ARP)
The most important protocol at Layer 2 is the Address Resolution Protocol (ARP). ARP might be thought of as a technology-independent protocol: one side deals with Media Access Control (MAC) addresses and the other with IP addresses, but it has no need to be involved with, or aware of, the details of the other communications protocols used at Layer 2.
At Layer 2, two other protocols (aside from ARP) provide the mechanisms for establishing a Layer 2 connection between two systems, such as an internet service provider (ISP) and a customer device:
PPP and PPPoE
Layer 2: What are polling protocols?
In the polling protocols model, each station is permitted a specific amount of time when it has exclusive access to the infrastructure. As the number of devices on the network increases, the bandwidth available to each device degrades in a more predictable manner. This approach is often characterized as a deterministic network.
Layer 2: Name the two main contention-based protocols.
CSMA/CD and CSMA/CA
Layer 2: What are bridges?
Bridges are Layer 2 devices that filter traffic between segments based on MAC addresses. In addition, they amplify signals to facilitate physically larger networks.
Network administrators can use —— —— to connect dissimilar Layer 2 architectures, such as Ethernet to Token Ring.
translator bridges
A common type of bridge for many organizations is a wireless bridge based upon …
one of the IEEE 802.11 standards
Layer 2: Since VLANs act as discrete networks, communications between VLANs must be enabled through
services at higher layers of the protocol stack (i.e., Layer 3 routers, Layer 6 gateways and other devices).
Virtual local area networks (VLANs) allow network administrators to use switches to create
software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports.
Layer 2: VLANs do not guarantee a network’s security. At first glance, it may seem that traffic cannot be intercepted because communication within a VLAN is restricted to member devices. However, there are attacks that allow a malicious user to see traffic from other VLANs. This is called
VLAN Hopping or 802.1Q attacks
Layer 3: Five different forms of transmission are defined at Layer 3
Unicast
Broadcast
Multicast
Anycast
Geocast
Layer 3: How is anycast different from unicast?
Anycast provides a different approach to unicast, in that its intention is one-to-one transmission of data, but it uses the services of a group of devices to facilitate this. As a result, it’s often referred to as one-to-one-of-many. In effect, the “destination” address is a “don’t care”: the sending node wants somebody in its anycast group to receive the message and process it.
Layer 3: What is a common use of anycast?
Content distribution networks will use this to manage the push of continuous content to regional sub-distribution servers, for example.
Layer 3: IPv4 and IPv6 use a different packet header to provide addressing and other information, and thus
the same network cannot operate IPv4 and IPv6 simultaneously.
Layer 3: Why can the same network not operate IPv4 and IPv6?
IPv4 and IPv6 use a different packet header to provide addressing and other information.
Layer 3: How do we solve the problem of IPv4 and IPv6 not being able to operate on the same network?
- Translation: Protocol and address translation is performed between network segments, which allows organizations a reasonably straightforward way to transition subnets or segments from IPv4 to IPv6.
- Dual stack: Uses specialized devices which can handle both protocols.
- Tunneling: Allows IPv6 to run in native mode on some segments of your network, while encapsulating those packets when they have to transit the IPv4 connections.
Layer 3: How many concurrently connected hosts can be inside a network with the subnet mask of 255.0.0.0?
16,777,214
Layer 3: How many concurrently connected hosts can be inside a network with the subnet mask of 255.255.0.0?
65,534
Layer 3: How many concurrently connected hosts can be inside a network with the subnet mask of 255.255.255.0?
254
Layer 3: What is always in the form of 169.254.x.x, where the values at x are automatically generated by using an offset algorithm and the real-time clock value?
Automatic Private IP Addressing (APIPA)
Layer 3: How many addresses can IPv6 support?
2^128 (128-bit address space)
Layer 3: Operating across both Layers 2 and 3 of the OSI model, this link-state routing protocol calculates the optimal path when communications between devices are initiated and informs its peers of the “label” for that route. Future communications use the label (without further lookups to determine the optimal path) to move the traffic.
Multiprotocol Label Switching (or MPLS)
Layer 3: The advantages of MPLS are significant. These include:
Traffic engineering: The protocol provides much more control to network operators to determine where and how traffic is routed on their networks, improving capacity management and service prioritization and minimizing traffic congestion.
Multi-service networks: MPLS can support a variety of data transport services, as well as IP routing, across the same packet-switched network infrastructure.
Network resiliency: Capabilities like MPLS Fast Reroute provide the ability to reroute traffic to meet QoS requirements for certain types of traffic.
Despite these advantages, many organizations are choosing software-defined wide area networks (SD-WAN) as an alternative to MPLS because of the potential cost advantages. SD-WAN will be further developed in other chapters.
Layer 3: A number of protocols use the routing infrastructure but do not directly contribute to its operation (and hence are called routed protocols). Security professionals should be aware of two of these:
The Internet Control Message Protocol (ICMP) is used for the exchange of control messages between hosts and gateways and is used for diagnostic tools such as ping and traceroute.
Internet Group Management Protocol (IGMP) is used to manage multicasting groups that are a set of hosts anywhere on a network that are listening for a transmission.
Layer 3: Smurf attacks
using multiple attack platforms to attempt to overwhelm the target with echo requests
Layer 3: Threats at Layer 3 can exploit protocol or network vulnerabilities by means of
Routing (RIP) attacks
ICMP attacks
Ping flooding
Smurf attacks (using multiple attack platforms to attempt to overwhelm the target with echo requests)
IP address spoofing
Packet sniffing
Layer 3: Countermeasures at Layer 3 can include the following:
Securing ICMP
Proper router configuration
Better packet filtering and inspection (NGFW, perhaps)
Use router access control lists (ACLs) more effectively
Proper VLAN configuration
Layer 2 Intrusion detection/prevention
Move toward zero trust architecture
Microsegmentation of LAN
Layer 3: How is distance-vector different from link-state routing protocols?
Distance-vector calculates cost based upon hop count; link-state can use bandwidth.
Layer 3: Internet Group Management Protocol (IGMP) is used to send what kind of messages?
Multicast
Transport Layer protocols
TCP, UDP
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
2. Names and directory services
LDAP, DNS
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
3. Network operational support and management
DHCP, NTP
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
4. Web page operation
HTTP, HTTPS
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
5. Email
POP, IMAP, SMTP
Transport Layer protocols can be informally grouped by their purpose or function into seven basic categories
6. Administrative and miscellaneous
FTP, SSH, Telnet
Level 4: On the Transport Layer, what is port 20/21?
File Transfer Protocol (FTP)
Level 4: On the Transport Layer, what is port 23?
Telnet
Level 4: On the Transport Layer, what is port 25 or 587?
SMTP (587 is secure via TLS)
Level 4: On the Transport Layer, what is port 37?
Time
Level 4: On the Transport Layer, what is port 53?
Domain Name Service (DNS)
Level 4: On the Transport Layer, what is port 69?
Trivial File Transfer Protocol (TFTP)
Level 4: On the Transport Layer, what is port 161?
Simple Network Management Protocol (SNMP)
Level 4: On the Transport Layer, what is port 162?
SNMP Trap
Level 4: On the Transport Layer, what is port 179?
Border Gateway Protocol (BGP)
Level 4: Threats at the transport layer include
Routing protocol attacks (such as against RIP)
ICMP attacks, such as ping floods
Network Time Protocol (NTP) desynchronization attempts
Fraggle (UDP broadcast flood)
TCP sequence prediction
IP address spoofing, packet sniffing, and port scanning
Level 4: Countermeasures at the transport layer include
TCP intercept and filtering
DoS prevention services
Using allowed and blocked lists for IP addresses, URLs, and URIs
More complete, properly configured use of TLS
Secure versions of all protocols for file transfer and shell program access (e.g., SFTP instead of File Transfer Protocol (FTP), SSH instead of Telnet)
Fingerprint scrubbing
What Layer 2 device connects two network segments together and then controls traffic flow between the two segments?
A bridge. While both bridges and switches operate at Layer 2, a bridge only has two ports and is used to connect segments. A switch, having more ports, learns what devices are connected to each port and switches traffic according to the destination address.
Where in the OSI are segments created?
Segments are created at Layer 4, packets at Layer 3, frames at Layer 2 and the signal or bits at Layer 1.
Where in the OSI are logical addresses translated to physical addresses?
It is through the Data Link Layer that the Address Resolution Protocol (ARP) maps logical to physical and physical to logical addresses. The other layers do not provide address translation.
ISO 7498-2 specifies that
no security services are provided in the Session Layer; therefore, it is imperative to address vulnerabilities revealed by applying security services either above or below the Session Layer.
Instead, use encryption services provided at other layers, such as VPNs (Transport and Network Layers), other bulk encryption (Transport Layer), Presentation Layer encryption services, or Application Layer protocols such as HTTPS.
Layer 5 Attacks against Session Layer activities are on the increase, as attackers seek to find additional paths across their target’s threat surfaces. These include but are not limited to:
Session hijack, man-in-the-middle (MITM)
ARP, DNS, and poisoning of local hosts files
SSH downgrade attempt
Man-in-the-Browser (MITB): Trojans in browser helpers, add-ons or other software
Layer 5 Countermeasures at the Session Layer include:
Replace weak password authentication protocols
Migrate to strong identity management and access control
Use PKI
Verify DNS is correctly configured
Active monitoring and alarming of Session Layer activity
More robust IDS, IPS (and SIEM alarms)
Session Layer protocols include the following:
PAP – Password authentication protocol
EAP – Extensible authentication protocol
PEAP – Protected extensible authentication protocol
CHAP – Challenge-handshake authentication protocol
Data conversion or bit order reversal and compression are other functions of the
Presentation layer
While typically discussed as a Layer 6 service, encryption services can be managed by
layers above and below layer 6
Commonly referenced Layer 6 encryption protocols include
TLS and Secure Multipurpose Internet Mail Extensions (S/MIME). Both protocols also use services normally associated with different layers of the OSI model.
Layer 6 common threats
Data integrity
Application access
Network Basic Input Output Systems (NetBIOS), Server Message Blocks (SMB), and SSL have been favorite targets of attackers.
Layer 6 countermeasures
Replace/upgrade apps using weak authentication or protection
Deep inspection of application traffic for:
Signs of attack?
Policy violations?
Migrate to more secure applications protection:
Web Application Firewall (WAF)
Applications Delivery Platform (ADP)
Migrate to zero trust architecture
True or False: The Presentation Layer is needed to translate the output from unlike systems to similar formats.
True
Which layer is the target-rich environment for hackers of all levels of sophistication?
The Application Layer
Threats at the application layer include
SQL injection
Encryption downgrade attempts
Rogue DHCP service, DNS poisoning, Lightweight Directory Access Protocol (LDAP) injection, or other attacks on address and name resolution services
Simple Network Management Protocol (SNMP) abuse
HTTP floods, DDoS, parameter tampering, or malformed input attacks on applications and web pages
Cross-site scripting attacks, session hijacks, malware (including drive-by malware attacks)
Layer 7 Countermeasures should include at a minimum:
Monitor and block access to suspicious or hazardous sites
Block known or suspected bots
Implement stronger access control (multifactor)
Perform deep inspection of application traffic
Migrate to more secure applications protection:
Web Application Firewall (WAF)
Applications Delivery Platform (ADP)
Migrate to zero trust architecture
Strengthen end users’ security skills and attitudes
What layer of the OSI is responsible for information formatting?
The Presentation Layer is responsible for compression and decompression, encryption and decryption and data formatting.
If a user lost a connection to a remote system, which layer of the OSI would attempt to re-establish the network connection?
The Session Layer establishes, maintains and tears down a communication between two nodes.
Which Lightweight Directory Access Protocol (LDAP) attribute defines a portion of a directory access protocol name that can be resolved by Domain Name Service (DNS)?
The domain component is the only LDAP attribute that can be resolved by DNS.
___________ is a suite of protocols for communicating securely with IP by providing mechanisms for authentication and encryption.
IPSec
Because IPSec interprets the change of IP address within packet headers as an attack, ______ does not work well with IPSec.
NAT
Because IPSec interprets the change of IP address within packet headers as an attack, NAT does not work well with IPSec. To resolve the incompatibility of the two protocols, NAT Traversal (NAT-T) does what?
encapsulates IPSec within UDP port 4500
In IPSec an ___________________ is used to prove the identity of the origin node and ensure that the transmitted data has not been tampered with.
Authentication Header
IPSec: How does the Authentication Header work?
Before each packet (headers + data) is transmitted, a hash value of the packet’s contents, that is based on a shared secret, is inserted in the last field of the AH.
In IPSec, what is the Encapsulating Security Payload?
The Encapsulating Security Payload (ESP) encrypts IP packets and ensures their integrity. ESP contains four sections:
Header: Contains information showing which security association to use and the packet sequence number. Like the AH, the ESP sequences every packet to thwart replay attacks.
Payload: The payload contains the encrypted part of the packet.
Trailer: May include padding (filler bytes) if required by the encryption algorithm or to align fields.
Authentication: If authentication is used, this field contains the integrity check value (hash) of the ESP packet.
A ____________ defines the mechanisms that an endpoint will use to communicate with its partner.
A security association (SA)
Endpoints communicate with IPSec using either
transport or tunnel mode
Internet key exchange (IKE) is one of the most widely used methods that allows two devices to …
“exchange” symmetric keys for the use of encrypting in AH or ESP.
IKE relies primarily on the use of either ________ or the use of ___________
Diffie-Hellman-Merkle key exchange or the use of public key certificates.
This approach is often seen in SSO environments in which a single sign-on gets a user onto the organizational LAN (or WAN), from which they have visibility, if not access, to a significantly large fraction of the organization’s information systems and assets.
Trust but verify
A design approach that recognizes that even the most robust access control systems have their weaknesses. In the extreme, it insists that every process or action a user attempts to take must be authenticated and authorized.
Zero trust
Zero trust networks are often __________, with firewalls (next generation or other) at nearly every connecting point
microsegmented networks
At what plane can you locate routers and switches in a software-defined network (SDN)?
Routers and switches are in the data plane.
What is 802.1X NAC?
802.1X is a port-based network access control (or PNAC) protocol, which provides the authentication control for devices attempting to connect to both local area networks (LANs) and wireless local area networks (or WLANs).
It consists of three components: the supplicant (the user’s device), the authenticator (a switch or access point) and an authentication server. This protocol will provide many of the functions that are considered “NAC Best Practices.”
802.1X NAC
Currently there are a number of vendors and consortiums working on developing standards to provide interoperability for NAC devices and solutions, with perhaps the biggest three being
Cisco’s CNAC (Cisco network access control) architecture: proprietary and hardware-based
Microsoft’s NAP (network access protection): software-based
Trusted Computing Group’s (TNC) standard: vendor-neutral standards and APIs
The adoption of RFC _____ in _______ provided an open standard for VoIP systems.
2543, 1999
The adoption of RFC 2543 in 1999 provided an open standard for
VoIP systems.
Session Initiation Protocol (SIP) is designed to
manage multimedia connections
Wireless network communications are governed by the
IEEE 802.11
Do not confuse 802.11x with 802.1x — the first is a Wi-Fi standard and the second is
an authentication technology not related to wireless.
Authentication of wireless devices is often done with protocols such as
EAP, PEAP, and a lighter-weight version of PEAP called (predictably enough) LEAP
A virtual private network (VPN) is a point-to-point connection that
extends a private network across a public network.
Virtual private networks (VPNs) through tunneling: name three protocols.
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
SSL and TLS
SSL has been determined to be insecure and therefore should not be used; it has been replaced by
Transport Layer Security (TLS)
True or false: TLS VPNs are restricted to applications that use HTTP.
False. With the aid of plug-ins, such as Java, users can have access to back-end databases and other non-web-based applications.
TLS VPNs have several advantages over IPSec.
- They are easier to deploy on client workstations than IPSec because they require only a web browser.
- Almost all networks permit outgoing HTTP.
- TLS VPNs can be operated through a proxy server.
- Applications can restrict users’ access based on criteria, such as the network the user is on, which is useful for building extranets with several organisations.