Domain 4: Network Security Flashcards

1
Q

What happens at the session layer?

A

The session layer manages sessions, which provide maintenance on connections. Mounting a file share via a network requires a number of maintenance sessions, such as remote procedure calls (RPCs), which exist at the session layer.

2
Q

What happens at the presentation layer?

A

The presentation layer presents data to the application and user in a comprehensible way. Presentation layer concepts include data conversion, character sets such as ASCII, and image formats such as GIF (graphics interchange format), JPEG (joint photographic experts group), and TIFF (tagged image file format).

3
Q

What is the difference between T1, T3, E1 and E3?

A
  • A T1 is a dedicated 1.544-megabit circuit that carries 24 64-kbit/s DS0 (Digital Signal 0) channels.
  • A T3 is 28 bundled T1s, forming a 44.736-megabit circuit.
  • An E1 is a dedicated 2.048-megabit circuit that carries 30 channels.
  • An E3 is 16 bundled E1s, forming a 34.368-megabit circuit.
4
Q

What is DNP3?

A

The distributed network protocol (DNP3) provides an open standard used primarily within the energy sector for interoperability between various vendors’ SCADA and smart grid applications. Some protocols, such as SMTP, fit into one layer. DNP3 is a multilayer protocol and may be carried via TCP/IP (another multilayer protocol). Recent improvements in DNP3 allow for “Secure Authentication,” which addresses challenges with the original specification that could have allowed, for example, spoofing or replay attacks. DNP3 became an IEEE standard in 2010, called IEEE 1815-2010 (now deprecated). It allowed preshared keys only. IEEE 1815-2012 is the current standard; it supports public key infrastructure (PKI).

5
Q

What do WPA and WPA2 use for confidentiality and integrity?

A

RSN (Robust Security Network) is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality, and CCMP (counter mode CBC MAC protocol) to create a message integrity check (MIC), which provides integrity. The less secure WPA (without the “2”) is appropriate for access points that lack the power to implement the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP (Temporal Key Integrity Protocol) for integrity.

6
Q

What is 802.1X?

A

802.1X is port-based network access control (PNAC) and includes the extensible authentication protocol (EAP). EAP is an authentication framework that describes many specific authentication protocols. EAP provides authentication at layer 2 (it is port-based, like ports on a switch) before a node receives an IP address. It is available for both wired and wireless but is more commonly deployed on WLANs. An EAP client is called a supplicant, which requests authentication from an authentication server (AS).

7
Q

What is LEAP?

A

LEAP (lightweight extensible authentication protocol) is a Cisco-proprietary protocol released before 802.1X was finalized. LEAP has significant security flaws and should not be used.

8
Q

What is EAP-TLS?

A

EAP-TLS (EAP-Transport Layer Security) uses PKI, requiring both server-side and client-side certificates. EAP-TLS establishes a secure TLS tunnel used for authentication. EAP-TLS is very secure due to the use of PKI but is complex and costly for the same reason. The other major versions of EAP attempt to create the same TLS tunnel without requiring a client-side certificate.

9
Q

What is EAP-TTLS?

A

EAP-TTLS (EAP Tunneled Transport Layer Security), developed by Funk Software and Certicom, simplifies EAP-TLS by dropping the client-side certificate requirement, allowing other authentication methods (such as passwords) for client-side authentication. EAP-TTLS is thus easier to deploy than EAP-TLS, but less secure when omitting the client-side certificate.

10
Q

What is PEAP?

A

PEAP (Protected EAP), developed by Cisco Systems, Microsoft, and RSA Security, is similar to and is a competitor of EAP-TTLS, as they both do not require client-side certificates.

11
Q

What is the IANA?

A

IANA (Internet Assigned Numbers Authority) governs global IP address allocation. IANA is a department of ICANN (Internet Corporation for Assigned Names and Numbers).

12
Q

What are the 5 RIRs?

A
The world is divided into 5 RIR (Regional Internet Registry) regions and organizations:

  • The African Network Information Center (AFRINIC) serves Africa.
  • The American Registry for Internet Numbers (ARIN) serves Antarctica, Canada, parts of the Caribbean, and the United States.
  • The Asia-Pacific Network Information Centre (APNIC) serves East Asia, Oceania, South Asia, and Southeast Asia.
  • The Latin America and Caribbean Network Information Centre (LACNIC) serves most of the Caribbean and all of Latin America.
  • The Réseaux IP Européens Network Coordination Centre (RIPE NCC) serves Europe, Central Asia, Russia, and West Asia.

13
Q

What is SDLC?

A

SDLC (Synchronous Data Link Control):

  • A synchronous L2 WAN protocol that uses polling to transmit data.
  • Polling is similar to token passing, but the primary node polls secondary nodes, allowing them to transmit data when polled.
  • Combined nodes can act as primary or secondary, but using NRM transmission only.
14
Q

What is HDLC?

A

HDLC (High-Level Data Link Control):

  • The successor to SDLC.
  • Adds error correction and flow control, and two additional modes (ARM/ABM).
15
Q

What are the three modes of HDLC?

A

The three modes of HDLC are:

  • NRM (Normal Response Mode): Secondary nodes transmit when given permission by the primary only. Also used in SDLC.
  • ARM (Asynchronous Response Mode): Secondary nodes may initiate communication with the primary node.
  • ABM (Asynchronous Balanced Mode): Nodes act as primary or secondary, initiating transmissions without receiving permission. This is the most commonly used mode.
16
Q

What are the capabilities for first generation firewalls?

A

First generation: Packet filtering firewalls, OSI Layer 1-3.

  • Packet filters act by inspecting the “packets” which are transferred between clients.

17
Q

What are the capabilities of second generation firewalls?

A

Second generation: Stateful filtering firewalls, OSI Layer 1-4.

  • Records all connections passing through and determines whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection.
  • Static rules are still used, but these rules can now contain connection state as one of their criteria.

18
Q

What are the capabilities of third generation firewalls?

A

Third generation: Application layer firewalls, OSI Layer 7.

  • The key benefit of application layer firewalls is that they can understand certain applications and protocols.
  • They see the entire packet. Because the packet isn’t decrypted until layer 6, any other (lower-layer) firewall can only inspect the packet headers, not the payload.
  • They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used in any malicious way.
19
Q

What is a proxy server?

A

A proxy server can act as a firewall by responding to input packets in the manner of an application, while blocking other packets.

  • A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.

20
Q

What is a DTE? What is a DCE? How do the two work together?

A

DTE (Data terminal equipment):

  • An end device, often a desktop or a server (called tail circuits), that converts user information into signals or reconverts received signals.
  • A DTE device communicates with the DCE (Data Circuit-terminating Equipment).
  • The DCE is often a modem; it sits between the data terminal equipment (DTE) and a data transmission circuit.
  • The DCE does the signal conversion, coding, and line clocking and may be a part of the DTE or intermediate equipment.
  • Interfacing equipment may be required to couple the data terminal equipment (DTE) into a transmission circuit or channel and from a transmission circuit or channel into the DTE.
  • The DCE is at the end of an ISP’s network; it connects to the customer DTE.
21
Q

Attackers are using Distributed Denial Of Service (DDOS) attacks on our organization using SYN flood. How does that attack work?

A

SYN floods create half-open TCP (Transmission Control Protocol) sessions: the client sends thousands of SYN requests but never sends the final ACK, so the server’s connection table fills with incomplete handshakes.

22
Q

Which network topology did ARCNET use?

A

ARCNET (Attached Resource Computer Network) used network tokens for traffic, so there were no collisions. It used a star topology and ran at 2.5 Mbps.

23
Q

An attacker is using Smurf attacks. They happen on which layer of the Open Systems Interconnection model (OSI model)?

A

The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address. ICMP is a layer 3 protocol.

24
Q

On our workstations, we are implementing new security measures. As part of that, we will start blocking TCP port 20. Which protocol are we blocking?

A

FTP (File Transfer Protocol): Uses TCP Port 20 for the data transfer - the actual data is sent here.

25
Q

What is a socket pair?

A

Socket Pairs (TCP): two sets of IP address and port (source and destination). This could be Source pair: 192.168.0.6:49691, Destination pair: 195.122.177.218:https. Well-known ports are often shown by their service name; port 443 is https.

26
Q

We are moving to IPv6, and a friend of yours at our helpdesk is asking, “In MAC/EUI-64 MAC addresses, how many bits is the unique device identifier?” What should you answer?

A

EUI/MAC-64 MAC addresses are 64 bits. The first 24 are the manufacturer identifier. The last 40 are unique and identify the host.

27
Q

Our networking department is recommending we use a baseband solution for an implementation. What is a KEY FEATURE of baseband networks?

A

Baseband networks have one channel, and can only send one signal at a time. Ethernet is baseband: “1000baseT” STP cable is a 1000 megabit, baseband, Shielded Twisted Pair cable.

28
Q

We are blocking unused ports on our servers as part of our server hardening. We have chosen to block UDP port 137. What are we blocking?

A

NetBIOS Name Service uses UDP port 137 and is used for name registration and resolution.

29
Q

We are blocking unused ports on our servers as part of our server hardening. We have chosen to block TCP/UDP port 138. Which protocol are we blocking?

A

NetBIOS Datagram Service uses TCP/UDP port 138.

30
Q

What is the difference between baseband and broadband?

A

Baseband uses a direct current for a single communication channel. Broadband uses frequency modulation for multiple simultaneous signals.

31
Q

What are the six flags in the TCP header that are still commonly used?

A

XXUAPRSF. The X flags are no longer used. The remaining six are Urgent, Acknowledgement, Push, Reset, Sync, and Finish.
Mnemonic: Unskilled Attackers Pester Real Security Folk.

32
Q

What is the IEEE standard for Bluetooth?

A

802.15

33
Q

What are the three standards-based forms of encryption of 802.11 wireless networks and the cryptography protocols related to each?

A

WEP (RC4), WPA (RC4, TKIP, LEAP), WPA-2 (AES/CCMP)

34
Q

What are the four layers of the TCP/IP model, and how do they relate to the OSI model?

A

Application (OSI 5-7)
Transport (OSI 4)
Internet (OSI 3)
Link (OSI 1-2)

35
Q

What two ICMP message types are used in a successful ping?

A

Type 8: echo request
Type 0: echo reply