Domain 4 Flashcards

1
Q

communications and internetworking

A
  • bottom line is to exchange information and ideas so that people can get work done
  • provide services by dealing with six basic questions
    - who needs to send it to whom
    - what needs to be sent
    - where are both sender and recipient
    - why do they need to send or receive it
    - when must it be sent and received
    - how should it be sent
  • the questions should be answered in terms of the security policy
  • most used networking models
    - TCP/IP model
    - OSI model
  • goals for the network can be expressed as
    - provide reliable, managed communication
    - isolate functions in the layers
    - use packets as the basis of communication
    - standardized routing, addressing and control
    - allow layers beyond internetworking to add functionality
    - vendor agnostic, scalable, resilient
  • internetworking describes how two different sets of servers and communication elements communicate and coordinate activities
  • TCP/IP model does not address sessions of any kind, i.e. users logging on to remote servers
  • TCP/IP was created to provide a straightforward means of establishing network communications
    - management of host-to-host communications and end-to-end transport
  • OSI model is broken down into two parts
    - media layers (lower 3)
    - host layers (top 4)
2
Q

What about models

A
  • Threat surface is the largest at the application layer (in both models)
  • vulnerability modeling and reduction efforts focus on the application, not the underlying communication system
  • Both models have forms that show up in elements of hardware, firmware, software and virtualized services
  • US focuses heavily on the TCP/IP model, while European and other international markets are the opposite
3
Q

threat modeling and Internetworking

A
  • Hazards are not deliberately caused by an actor but have the potential for damage
    - caused by corrosion, wear and tear, weather damage, accidents, utility power interruptions, fire and smoke
    - mechanical and other systems damaged by errors or accidents during installation are hazards
  • threats are deliberate actions taken with the intention and purpose of causing disruption or damage
    - include both inappropriate and malicious damage or disruption
  • the key distinction between the two is intent
4
Q

Advanced persistent threat models

A
  • refers to threats that demonstrate an unusually high level of technical and operational sophistication
  • can span months or years from initial reconnaissance to completion
  • often conducted by groups of attackers or organizations
  • the term refers to the actors that conduct the attacks, the threats they represent and the attacks themselves
  • SolarWinds was an attack against the US nuclear fuel industry spanning multiple nuclear power stations and multiple companies and their supply and support chains
  • Kill chain major operational phases
    - reconnaissance
    - weaponization
    - delivery
    - exploitation
    - installation
    - command and control
    - actions on objectives
5
Q

OSI layer 2 data link layer

A
  • immediate peers who can communicate with each other
  • strictly one-to-one: one MAC address to a specified receiver
  • two sublayers
    - MAC layer
    - logical link control (LLC), which provides the interface between the MAC layer and the logical addressing provided at the network layer
6
Q

Layer 2 protocols

A
  • most important protocol is the address resolution protocol (ARP)
    - used to provide direct communication between two devices within the same segment
  • Point-to-Point Protocol (PPP)
  • PPP over Ethernet (PPPoE)
    - provide mechanisms for establishing the layer 2 connection
    - for example between the Internet service provider and the customer device
7
Q

address resolution protocol

A
  • ARP spoofing involves injecting spoofed traffic onto the network segment to cause one or more machines to erroneously update their local ARP cache
8
Q

Polling protocols

A
  • each station is permitted a specific amount of time during which it has exclusive access to the infrastructure
  • the more devices, the more the bandwidth degrades
9
Q

contention based protocols

A
  • the absence of a polling mechanism means the devices must compete for bandwidth
  • two general approaches to managing this contention are
    - CSMA/CD
     stations listen for a carrier before transmitting data; if none is detected, the data is transmitted
     best suited to a bounded network where physical connections must exist
     part of the IEEE 802.3 standard
    - CSMA/CA
     best used in a wireless environment
     checks whether the medium is clear for transmission; if it is, it sends out a special control frame called request to send (RTS)
10
Q

Layer 2 devices

A
  • bridges
    - filter traffic between segments based on MAC addresses
    - can connect LANs with unlike media types, for example connecting a UTP segment with a segment that uses coaxial cable
  • switches
    - one collision domain per port
11
Q

Layer 2 threats and countermeasures

A
  • MAC address spoofing
  • VLAN hopping, also known as 802.1Q attacks
  • broadcast storms
12
Q

OSI layer three network layer

A
  • Home of IP and IP addresses
  • two primary purposes
    - managing the logical addressing for networks
    - forwarding packets to the correct logical network
  • makes it possible to extend the physical limits for communication defined in the lower layers of the OSI model
  • routers and routing play an important role
13
Q

layer 3 concepts and architecture

A
  • Five different forms of communication
    - unicast
     one-to-one conversation
    - broadcast
     one-to-many conversation
     used by systems for administrative functions
     a major element in protocol handshaking
    - multicast
     one host to a discrete group of hosts
     designed to deliver a stream of traffic to only a designated subnet
14
Q

Internet Protocol networking

A
  • subdivided into two parts: the network number and the host
  • network number can be assigned by an external organization and represents the organization's network
  • Class A uses the leftmost octet
  • Class B uses the two leftmost octets
  • the part of the address not used as the network number specifies the host
  • loopback address is used to provide a mechanism for self-diagnosis and troubleshooting at the machine level
    - allows the network admin to treat a local machine as if it were a remote machine and ping the network interface
15
Q

Layer 3 routing protocols

A
  • routing protocols
    - used by routers to communicate and coordinate with each other, handshaking the information needed to build and maintain routing tables
  • routed protocols
    - routed protocols define how data can be routed over a network, for example IPv4 and IPv6
    - do not define how routers coordinate and communicate with each other
16
Q

Path vector protocols

A
  • routing protocol that maintains the path information that gets updated
  • used in the Bellman-Ford routing algorithm to avoid count-to-infinity problems
  • most important and widely used is the Border Gateway Protocol (BGP)

BGP finds the best path for the data; mostly used by ISPs

17
Q

Link state protocols

A
  • determine the most efficient path by knowing the connection speed, congestion of the link, availability of the link and total hops
  • two typical examples
    - intermediate system to intermediate system (IS-IS)
    - open shortest path first (OSPF)
  • calculate the shortest path to each node based on routing tables constructed by the router
  • require substantial amounts of CPU cycles and memory to make the best decision
18
Q

multi protocol label switching

A
  • designed to increase WAN efficiency
  • operates across layers 2 and 3
  • standardized by the IETF in RFC 3031
  • primary components
    - edge node, which connects a domain with a node that is outside of the domain
    - label switching router (LSR), which is a node capable of forwarding the native layer 3 packets
    - label switched path (LSP), the path through one or more LSRs at one level of the hierarchy followed by packets

Maps: MPLS maps data packets to predefined routes
Paths: it creates paths through the network
Labels: uses short labels instead of long network addresses to direct traffic
Speed: makes routing faster by avoiding complex lookups

19
Q

advantages of MPLS

A
  • provides more control to network operators to determine where and how traffic is routed
  • multi-service networks that can support a variety of data transport services
  • network was easy
20
Q

OSI layer 4 transport layer

A
  • provides two different mechanisms
    - TCP
    - UDP
21
Q

OSI layer five session layer

A
  • provides the logical connection between peer hosts
  • responsible for creating, maintaining and tearing down the session
  • may not be needed depending on the type of information being communicated
  • defined by a variety of standards such as ISO SP and X.225
  • IEEE 802.1X also defines authentication frameworks that support session creation and management
22
Q

OSI layer 5 protocols

A
  • various authentication and tunneling protocols as well as remote procedure call protocols
  • authentication protocols
    - password authentication protocol (PAP)
    - authentication protocol
    - extensible authentication protocol (EAP)
    - protected extensible authentication protocol (PEAP)
  • tunneling
    - supported by point-to-point tunneling protocol (PPTP)
23
Q

Layer 5 threats and countermeasures

A
  • no specified security measures for this specific layer; security must be addressed either above or below the session layer
  • attacks
    - session hijacking
    - ARP poisoning, DNS poisoning and poisoning of local files
    - cryptographic downgrade
  • countermeasures
    - replacing weak password authentication protocols
    - migrating to strong identity management and access controls
    - using PKI
    - verifying DNS is correctly configured
24
Q

OSI layer 6 presentation layer

A
  • created before the widespread adoption of Unicode
  • created to standardize the process of serializing and deserializing the fields of complex data structures
25
Q

Layer 6 technology and implementation

A
  • the only true device that operates at the presentation layer is a gateway, used to connect two or more systems that operate with different protocols
    - for example IPv4 to IPv6 addressing conversion
  • character data is typically represented as
    - American Standard Code for Information Interchange (ASCII)
    - Extended Binary Coded Decimal Interchange Code (EBCDIC) or Unicode
  • translation services are also necessary when considering the different computing platforms
    - Mac to Windows
26
Q

OSI layer 7 application

A
  • largest attack surface
  • the applications that users interact with do not reside at this layer; however, they make use of layer 7 services
27
Q

layer 7 concepts and architecture

A
  • supports the functions of applications that run on the system
  • all manner of human-facing interfaces, messaging, and systems control and processes that require the use of networking capabilities
  • application programs make service requests via APIs or other means to request services of protocol application code
28
Q

Layer 7 technology and implementation

A
  • HTTP
  • HTTPS
  • DNS
  • DHCP
    - established in RFC 2131
    - requires the client to transmit a DHCP discover packet on UDP port 67 requesting an address
    - if a server does not respond in a predetermined time, the client self-assigns an IP address in the 169.254.x.x range
  • SNMP
    - designed to manage network infrastructure
    - allows the manager to retrieve (get) values of variables from the agent as well as set variables
    - most easily exploited vulnerability is a brute force attack on default or easily guessable passwords known as community strings
  • LDAP
29
Q

Secure protocols

A
  • IPsec
  • authentication header
  • encapsulating security payload
  • security associations
  • transport and tunnel mode
30
Q

IPsec

A
  • suite of protocols for communicating securely with IP
  • provides authentication and encryption
31
Q

authentication header

A
  • used for proof of identity and integrity
  • ensures authenticity and integrity but not confidentiality
  • in transport mode it is placed between the IP header and the TCP header

Want to use it more when confidentiality isn't an issue. It's like a tamper-evident seal: someone can still read it, but you know when someone messes with it.

32
Q

encapsulating security payload

A
  • encrypts IP packets and ensures integrity
  • contains 4 sections
    - header
    - payload (encrypted part of the packet)
    - trailer
    - authentication

Encrypt: ensures data confidentiality by encrypting the payload
Secure: adds integrity and authenticity through authentication
Protect: protects against tampering and unauthorized

33
Q

security associations

A
  • mechanisms that endpoints use to communicate with their partner
  • transmission in one direction only
  • must use a second security association if two-way communication is needed
  • defines the encryption and authentication algorithms and whether to use authentication header (AH) or ESP
34
Q

transport mode and tunnel mode

A
  • transport mode is used mostly for end-to-end protection, for example between clients and servers
  • tunnel mode: the entire protected IP packet becomes the payload and a new IP header is added
  • transport on the LAN and tunnel on the WAN
35
Q

Operation of hardware

A
  • root of trust relies on an unchangeable, trusted hardware component
  • kernel mode is reserved for highly trustworthy functions within the OS, which typically require direct manipulation of system hardware or virtual resources
  • should have isolation of user functions from kernel functions to provide a critical boundary for access control
  • most root of trust implementations have cryptographic mechanisms to guarantee the validity of the BIOS; this is known as the trusted platform module (TPM)
    - the TPM has cryptographic keys installed on it
36
Q

Network access control devices

A
  • they provide the network visibility needed for access security and may later be used for incident response
  • they also provide isolation for non-compliant devices within the quarantine network
  • should ensure that all devices wanting to join the network do so only when they comply with requirements
  • possible use cases for NAC devices
    - medical devices
    - IoT devices
    - incident response
    - BYOD
    - guest users and contractors
    - cloud
    - compliance and mobile devices
  • Cisco's Identity Services Engine can be referenced and is considered an industry standard solution
  • all mobile devices, regardless of owner, should go through an onboarding process
    - because mobile devices are not capable of defending themselves
  • should be capable of correlating information from threat sensors
37
Q

802.1X PNAC

A
  • 802.1X == port-based network access control
  • provides authentication control for devices
  • 3 components
    - supplicant (user's device)
    - authenticator (switch or access point)
    - authentication server
  • key elements include
    - detection of devices
    - authentication of devices
    - authorization of devices
    - enforcement of security requirements
    - device scanning
    - onboarding: setting or modifying the security settings
    - termination
    - cleaning up after session termination
  • it can be slightly different between wired and wireless devices
    - wireless devices must first authenticate to the access point