day 1

Question 1

network analysis tools and techniques

Answer 1

security specialists need continuous intelligence about the behavior of workstations, servers, network devices, and applications to efficiently monitor and enhance the security posture and operations of their network

Question 2

network baselining

Answer 2

a baseline is a statistical profile of a certain performance metric-network device or application utilization, response time, or volume

Question 3

historical baselines reflect traditional (normal) network operations. normal traffic includes:

Answer 3

• traffic type
• volume of each traffic type
• direction, flow of each traffic type

Question 4

detecting security breaches

Answer 4

in detecting security breaches, the most beneficial data sources will be those that give detailed network utilization and application volume of the network and its applications.

Question 5

baselining methods and techniques

Answer 5

• top to bottom network monitoring
• application monitoring
• detailed packet analysis
• continuous traffic capture
• threshold alarms
• packet analysis methodology

Question 6

top to bottom monitoring

Answer 6

a solution must provide the capability to see the network from a high-level holistic (summary) perspective to pinpoint trouble spots quickly

most used to least used

Question 7

application monitoring

Answer 7

types of application monitoring include:
well-known
web-based
complex
custom
unknown

Question 8

detailed packect analysis

Answer 8

detailed packet-level analysis allows the security specialist to identify the specific code used in an attack

Question 9

continuous traffic capture

Answer 9

solutions must supply a means to continuously capture and store a complete packet by packet network traffic audit trail for several days

Question 10

threshold alarms

Answer 10

threshold alarms can be set based upon the network baseline previously developed. These alarms alert the security specialist when a specific metric has been exceeded.

Question 11

packet analysis methodology

Answer 11

plan
deploy
capture
analyze
refine

Question 12

common network traffic

Answer 12

there are two basic categories of protocols:
binary-transmit commands as binary info
textual-transmit commands in a text format….HTTP, HTTPS, SMTP, POP, IMAP

Question 13

study protocols on page

Answer 13

do it!

Question 14

ethernet header

Answer 14

makes up the first 14 bytes of the ethernet frame (662)

Question 15

next protocol types

Answer 15

0800 IPv4
0806 ARP
86dd IPv6

values less than 1500 (or ones not listed above!) indicate a length field and is not a protocol

Question 16

filtering the ethernet header in wireshark

Answer 16

header. field operater value
eth. src ==
eth. dst ==
eth. addr ==

Question 17

tcp dump

Answer 17

syntax is:
tcpdump -nc 2 -e ip

lists the source:destination MAC followed by next protocol