Lesson 11 Flashcards

1
Q

Network Address Allocation

A

Most networks use a mixture of static allocation (addresses configured manually, typically for servers, printers and network devices) and dynamic allocation (addresses leased automatically by DHCP).

2
Q

Dynamic Host Configuration Protocol (DHCP)

A
provides an automatic method for network address allocation: a client broadcasts a request and a server leases it an IP address, subnet mask, default gateway and DNS server addresses.
- The key point about DHCP is that only authorized servers should be offering addresses to any one group of hosts. A rogue DHCP server can perform DoS (client machines obtain an incorrect TCP/IP configuration) or be used to snoop network traffic, for example by handing out the attacker's address as the default gateway or DNS server.
3
Q

DHCP starvation

A

A type of DoS attack where a rogue client repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool. Once the legitimate server has nothing left to lease, a rogue server can step in and answer clients.

Enabling the DHCP snooping port security feature on a switch mitigates rogue DHCP attacks: server messages (OFFER/ACK) are only accepted on ports marked as trusted, and a rate limit on client messages per untrusted port blunts starvation.
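As an added example (not from the course material): a small detector that applies the two rules above to a constructed DHCP event log, flagging a starvation burst and an OFFER from an unauthorized server. The log format, the server address 10.0.0.1 and the thresholds are assumptions of this example.

```python
from collections import deque

# Assumptions (not from the course): the only legitimate DHCP server, and what
# counts as a starvation burst. Tune both to the real network.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}
STARVATION_THRESHOLD = 20      # distinct client MACs sending DISCOVER...
STARVATION_WINDOW = 10.0       # ...within this many seconds


def build_sample_log():
    """Constructed sensor export: '<epoch> <msg_type> <client_mac> <server_ip|->' per line."""
    lines = [
        "1700000000.0 DISCOVER aa:bb:cc:00:00:01 -",
        "1700000000.3 OFFER    aa:bb:cc:00:00:01 10.0.0.1",
        "1700000000.4 REQUEST  aa:bb:cc:00:00:01 10.0.0.1",
        "1700000000.5 ACK      aa:bb:cc:00:00:01 10.0.0.1",
    ]
    # Starvation: 25 DISCOVERs from spoofed, sequential MACs, 100 ms apart.
    for i in range(25):
        lines.append(f"{1700000010 + i * 0.1:.1f} DISCOVER de:ad:be:ef:00:{i:02x} -")
    # Once the pool is empty, a rogue server answers a real client.
    lines.append("1700000013.0 OFFER    aa:bb:cc:00:00:02 10.0.0.99")
    return lines


def parse(lines):
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, msg, mac, server = line.split()
        yield float(ts), msg.upper(), mac.lower(), server


def analyze(lines):
    """Return alert strings for rogue-server and starvation activity, in log order."""
    alerts = []
    recent = deque()           # (ts, mac) of DISCOVERs inside the sliding window
    reported_rogues = set()
    for ts, msg, mac, server in parse(lines):
        # Rule 1: server-side messages may only come from the authorized server(s).
        # (DHCP snooping enforces the same rule per switch port: OFFER/ACK only on trusted ports.)
        if msg in ("OFFER", "ACK", "NAK") and server not in AUTHORIZED_DHCP_SERVERS:
            if server not in reported_rogues:
                reported_rogues.add(server)
                alerts.append(f"rogue DHCP server {server} sent {msg} to {mac} at t={ts:.1f}")
        # Rule 2: too many distinct client MACs discovering in a short window.
        if msg == "DISCOVER":
            recent.append((ts, mac))
            while recent and ts - recent[0][0] > STARVATION_WINDOW:
                recent.popleft()
            distinct = {m for _, m in recent}
            if len(distinct) >= STARVATION_THRESHOLD:
                alerts.append(
                    f"possible DHCP starvation: {len(distinct)} distinct client MACs "
                    f"in {STARVATION_WINDOW:.0f}s ending t={ts:.1f}"
                )
                recent.clear()     # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

On the constructed log this raises exactly two alerts, the starvation burst first (it fires on the 20th spoofed MAC) and then the rogue OFFER from 10.0.0.99. A real deployment would feed it DHCP snooping logs or a span-port capture rather than a text export.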

4
Q

DNS

A

Domain Name System (DNS) - resolves fully qualified domain names (FQDNs) to IP addresses (and serves other record types, such as MX and TXT).

Port 53: UDP for most queries and responses, TCP for zone transfers and for responses too large for UDP.

5
Q

Domain hijacking

A

Domain hijacking is an attack where an adversary acquires a domain for a company’s
trading name or trademark, or perhaps some spelling variation thereof.

6
Q

whois

A

(Can help defend against domain hijacking.) The whois command can be used to look up domain registration information (registrar, registrant contacts, name servers, expiry date) to detect misuse, such as a look-alike domain registered by someone else or a registration of your own that is about to lapse.

7
Q

Uniform Resource Locator (URL) redirection

A

URL redirection refers to the use of HTTP redirects to open a page other than the one the user requested. This is often used for legitimate purposes, to send the user to a login page or to send a mobile device browser to a responsive version of the site, for instance. If the redirect target is not properly validated by the web application (an open redirect), an attacker can craft a phishing link that appears to point at the trusted site but lands on a look-alike domain, such as:

https://trusted.foo/login.php?url="https://tru5ted.foo"

A naïve user sees trusted.foo at the start of the link and is redirected to tru5ted.foo after logging in.
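As an added example (not part of the course text): the check a login handler should apply to the url parameter before issuing the redirect, beside the naive check that the phishing link above defeats. The hostname trusted.foo is taken from the example; the function names are this example's own.

```python
from urllib.parse import urlparse

# Assumption (not from the course): the application's own hostname.
TRUSTED_HOST = "trusted.foo"


def naive_is_safe(url):
    """The flawed check implied by the phishing example: 'it starts with https://'."""
    return url.startswith("https://")


def safe_redirect_target(url, default="/"):
    """Return url if it stays on this site, otherwise the default landing page.

    Rejects look-alike hosts (tru5ted.foo), subdomain tricks (trusted.foo.evil.example),
    userinfo tricks (https://trusted.foo@evil.example), scheme-relative //evil.example,
    the backslash variant /\\evil.example, and non-https schemes such as javascript:.
    """
    if not isinstance(url, str) or not url:
        return default
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        # Site-relative path: exactly one leading slash; '/\' is treated as '//' by some browsers.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return default
    try:
        port = parsed.port            # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return default
    # Absolute URL: https only, exact match on the parsed hostname (userinfo and port stripped).
    if parsed.scheme == "https" and parsed.hostname == TRUSTED_HOST and port in (None, 443):
        return url
    return default


def login_redirect(requested_url):
    """What login.php should do with ?url=...: normalize before issuing the 302."""
    return {"status": 302, "Location": safe_redirect_target(requested_url)}
```

Comparing against the parsed hostname rather than the raw string is what closes the userinfo and subdomain cases; a string prefix check can never do that.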

8
Q

Domain reputation

A

If your domain, website, or email servers have been hijacked, they are likely to be used
for spam or distributing malware. This will lead to complaints and the likelihood of the
domain being listed on a blacklist. You should set up monitoring using a site such as
talosintelligence.com/reputation_center to detect misuse early.

9
Q

DNS Poisoning

A

DNS poisoning is an attack that compromises the process by which clients query
name servers to locate the IP address for a FQDN.

These are ways to do DNS poisoning. I didn't really look into these:
•Man in the Middle
  •Rogue DNS server intercepts queries
•DNS client cache poisoning
  •HOSTS file
•DNS server cache poisoning
  •Corrupt cached records on DNS servers
  •Spoof responses to queries by exploiting weak transaction ID generation
  •DNS authoritative name server impersonation
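The weak transaction ID item above, as an added example (not course material): a minimal DNS query and reply are built by hand, a resolver-side check rejects replies whose ID or question section do not match the outstanding query, and demo() contrasts a sequential ID, which a spoofer who saw the previous query predicts, with one drawn from the OS CSPRNG. Names and addresses are constructed; the functions are this example's own, not a real resolver.

```python
import os
import struct
from collections import namedtuple

DnsHead = namedtuple("DnsHead", "txid flags qname qtype qclass ancount answer_offset")


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard recursive A query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, txid, ip, ttl=300):
    """Minimal A-record reply; a real server and a spoofer produce the same bytes."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD, RA, ANCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata   # name = pointer to offset 12
    return header + question + answer


def parse_head(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return DnsHead(txid, flags, ".".join(labels).lower(), qtype, qclass, an, off + 4)


def validate_response(query, response):
    """Checks a resolver must make before caching; UDP port/address matching is the socket layer's job."""
    q, r = parse_head(query), parse_head(response)
    if not (r.flags & 0x8000):
        return False, "not a response"
    if r.txid != q.txid:
        return False, "transaction ID mismatch"
    if (r.qname, r.qtype, r.qclass) != (q.qname, q.qtype, q.qclass):
        return False, "question section mismatch"
    return True, "ok"


def extract_a_records(response):
    head = parse_head(response)
    off, ips = head.answer_offset, []
    for _ in range(head.ancount):
        if response[off] & 0xC0 == 0xC0:
            off += 2                                   # compression pointer
        else:
            while response[off] != 0:
                off += 1 + response[off]
            off += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


def demo():
    """Sequential vs CSPRNG transaction IDs against a spoofer who saw the previous query."""
    name, attacker_ip = "www.trusted.foo", "203.0.113.66"
    last_seen = 0x1000                                  # ID the spoofer observed on the wire
    weak_query = build_query(name, last_seen + 1)       # sequential generator: next ID is predictable
    spoof = build_response(name, last_seen + 1, attacker_ip)
    weak_accepted = validate_response(weak_query, spoof)[0]
    strong_id = int.from_bytes(os.urandom(2), "big")
    while strong_id == last_seen + 1:                   # 1-in-65536 residual risk; source-port randomization shrinks it
        strong_id = int.from_bytes(os.urandom(2), "big")
    strong_accepted = validate_response(build_query(name, strong_id), spoof)[0]
    return weak_accepted, strong_accepted                # (True, False)
```

Note that the ID check alone is only 16 bits of entropy; real resolvers also randomize the UDP source port and, with DNSSEC, verify the signature on the records, which is what finally removes the guessing game.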

10
Q

DNS Security

A
  • DNS server security
    • Fault tolerance
    • Authenticated recursive requests only
    • Access control
    • Patch management
    • Prevent footprinting
  • DNS Security Extensions (DNSSEC)
11
Q

DNS Security Extensions (DNSSEC)

A

Help to mitigate spoofing and poisoning attacks by providing a validation process for DNS responses: records in a signed zone carry signatures that a validating resolver checks against keys published in the zone and anchored through a chain of trust from the parent zones up to the root. DNSSEC provides authenticity and integrity of records, not confidentiality.

I left out some of the technical details

12
Q

network directory

A

lists the subjects (principally users, computers, and services) and
objects (such as directories and files) available on the network plus the permissions
that subjects have over objects. A directory facilitates authentication and authorization,
and it is critical that it be maintained as a highly secure service.

13
Q

LDAP

A

Most directory services are based on the Lightweight Directory Access Protocol (LDAP), running over TCP port 389. The basic protocol provides no security and all transmissions are in plaintext, making it vulnerable to sniffing and man-in-the-middle attacks.

Authentication
(referred to as binding to the server) can be implemented in the following ways:
• No authentication—anonymous access is granted to the directory.
• Simple bind—the client must supply its distinguished name (DN) and password, but
these are passed as plaintext.
• Simple Authentication and Security Layer (SASL)—the client and server negotiate
the use of a supported authentication mechanism, such as Kerberos. The STARTTLS
command can be used to require encryption (sealing) and message integrity
(signing). This is the preferred mechanism for Microsoft’s Active Directory (AD)
implementation of LDAP.

14
Q

LDAPS

A
LDAP Secure (LDAPS)—the server is installed with a digital certificate, which it uses
to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.
15
Q

Two levels of access on LDAP

A

read-only access (query) and
read/write access (update).

This is implemented using an access
control policy, but the precise mechanism is vendor-specific and not specified by the
LDAP standards documentation.

16
Q

Time Synchronization

A

Many applications on networks are time dependent and time critical.

Time critical services
    •Authentication
    •Logging
    •Task scheduling/backup
    •...

Network Time Protocol (NTP) [I have a separate card for this]
•Stratum 1 servers
•Stratum 2 servers
•Simple NTP (clients)

17
Q

NTP

A

Network Time Protocol (NTP)

* Stratum 1 servers - top level; take the time directly from a reference clock (an atomic clock or GPS receiver)
* Stratum 2 servers - synchronize with stratum 1 servers; most organizations will get NTP from stratum 2 servers (a lower level)
* Simple NTP (clients) - clients themselves usually obtain the time using a simplified form of the protocol (SNTP)

NTP uses UDP port 123. Because authentication (Kerberos tickets, certificate validity periods) and log correlation depend on accurate clocks, internal hosts should synchronize to a small set of trusted internal NTP servers rather than to arbitrary Internet sources.
18
Q

Simple Network Management Protocol (SNMP)

A

is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor (manager) and agents.

  • Agent runs on devices (switches, routers, servers) and maintains a management information base (MIB) describing that device's status and configuration
  • Monitor - polls agents for MIB values (Get/Set requests to the agent on UDP port 161) and receives traps, the notifications an agent sends when an event occurs (UDP port 162 on the monitor)
  • SNMP v1 and v2c feature no or weak authentication (plaintext community strings) and no privacy
  • SNMP v3 adds message authentication and encryption
19
Q

SNMP Versions

A
  • SNMP v1 and v2c - authentication is a community string ("public" for read-only and "private" for read/write by default on many devices) sent in plaintext; no integrity and no privacy. Anyone who can sniff a request learns the community string, and a write community string allows the device to be reconfigured.
  • SNMP v3 - per-user authentication (HMAC based) and encryption of the PDU; use the authPriv security level, change or remove default community strings, and restrict which hosts may talk to the agents.
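One added example (not from the course) covering both the LDAP simple bind card above and this SNMP versions card: both protocols encode their messages with BER, and building the two requests byte by byte shows why the plaintext forms are dangerous, because the bind password and the community string sit verbatim in the datagram for anyone on the path to read. The DN, password and community string are constructed; ldap_simple_bind and snmpv2c_get are this example's own helpers, not a library API.

```python
def ber_len(n):
    """BER length: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """INTEGER, two's-complement; the +8 keeps a leading 0x00 when the top bit is set."""
    length = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_octets(data):
    return tlv(0x04, data)


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def ldap_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    bind = ber_int(3) + ber_octets(dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def snmpv2c_get(community, oid, request_id=1):
    """SNMPv2c Message { version 1, community, GetRequest-PDU [0] { request-id, 0, 0, varbinds } }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                 # OID + NULL placeholder
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + ber_octets(community.encode()) + pdu)


def secrets_on_the_wire(packet, *secrets):
    """What a sniffer on the path recovers: every secret that appears verbatim in the datagram."""
    return [s for s in secrets if s.encode() in packet]


if __name__ == "__main__":
    # Constructed credentials, not real ones.
    bind = ldap_simple_bind(1, "cn=admin,dc=example,dc=com", "Winter2024!")
    get = snmpv2c_get("public", "1.3.6.1.2.1.1.5.0")            # sysName.0
    print(bind.hex(), secrets_on_the_wire(bind, "Winter2024!"))
    print(get.hex(), secrets_on_the_wire(get, "public"))
```

The fix in each case is to change the transport or the version rather than the encoding: LDAPS or STARTTLS wraps the identical bind request in TLS, and SNMPv3 replaces the community string with a per-user HMAC and encrypts the PDU.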
20
Q

Web server

A

=http server

21
Q

HTTP

A

HTTP enables clients (typically web browsers) to request resources from an HTTP server.

22
Q

how does a client connect to an HTTP server

A

Over TCP, using an appropriate TCP port: 80 by default for HTTP and 443 for HTTPS.

23
Q

Http header and payload

A

Header - The request and response formats are defined by HTTP headers (a request line or status line followed by name:value fields such as Host, Content-Type and Set-Cookie).

The HTTP payload - is usually used to serve HTML web pages, which are plain text files with coded tags (HyperText Markup Language) describing how the page should be formatted; it can equally carry JSON, images or any other content type.

24
Q

http forms mechanism and stateless

A
  • Forms mechanism allows the client to upload data to the server (typically as a POST request)

* Stateless protocol (does not record sessions) but expanded with cookies and scripting so that a server can tie a sequence of requests to one logged-in user

25
Q

https

A

HTTP used with SSL/TLS, so requests and responses are encrypted and the server is authenticated; TCP port 443.

26
Q

SSL/TLS

A

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Communications secured using host certificates issued by a certificate authority (CA): the server's certificate authenticates it to the client, and the handshake establishes the session keys

Typically used with HTTP servers (HTTPS) but can secure other application protocols too, such as LDAP (LDAPS), SMTP (STARTTLS) or a VPN (TLS VPN)

27
Q

SSL/TLS versions

A

While the acronym SSL is still used, the Transport Layer Security versions are the only ones that are safe to use; SSL 2.0 and 3.0 are obsolete and should be disabled, and TLS 1.0 and 1.1 are deprecated.

  • TLS 1.3 is the latest version.
  • TLS 1.3 includes built-in protection against downgrade attacks, where an attacker on the path tries to force the two ends to negotiate an older, weaker version.
28
Q

How to implement TLS on a web server

A

To implement TLS, a server is assigned a digital certificate signed by some trusted
certificate authority (CA). The certificate proves the identity of the server (assuming that
the client trusts the CA) and validates the server’s public/private key pair. The server
uses its key pair and the TLS protocol to agree mutually supported ciphers with the
client and negotiate an encrypted communications session.

29
Q

Cipher Suites (TLS)

A

A cipher suite is the set of algorithms supported by both the client and server to perform the different encryption and hashing operations required by the protocol (key exchange, authentication, bulk encryption and message integrity).

TLS 1.3 uses simplified and shortened suites: a suite names only the AEAD cipher and the hash, the key exchange and signature algorithms are negotiated separately, and legacy options such as RSA key exchange, RC4, CBC-mode ciphers and MD5/SHA-1 are removed. Somehow this is more secure…and prevents downgrading?
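As an added example (not from the course material), the Python ssl module configured the way the card describes: TLS 1.2 as the floor and, for 1.2, only forward-secret AEAD suites. suites_by_protocol shows the difference the card refers to, because the TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry only the AEAD cipher and hash, whereas the TLS 1.2 names (ECDHE-RSA-AES128-GCM-SHA256) also fix the key exchange and signature algorithm. No server is contacted; everything runs locally against the installed OpenSSL, assumed to be 1.1.1 or later so that TLS 1.3 suites are listed.

```python
import ssl

# Substrings that mark a suite as unacceptable in any modern configuration.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_client_context():
    """Client context: real cert verification, TLS 1.2 minimum, forward-secret AEAD suites for 1.2."""
    ctx = ssl.create_default_context()                      # CA bundle, hostname check, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # refuses SSLv3 / TLS 1.0 / TLS 1.1 outright
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # TLS 1.2 list only; 1.3 suites are fixed by the protocol
    return ctx


def legacy_client_context():
    """Contrast: the same context allowed to fall back to TLS 1.0 ('just make it work' settings)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def suites_by_protocol(ctx):
    """Group the negotiable suite names by protocol version, as OpenSSL reports them."""
    grouped = {}
    for c in ctx.get_ciphers():
        grouped.setdefault(c["protocol"], []).append(c["name"])
    return grouped


def check_context(ctx):
    """The review checklist for a TLS client configuration, as booleans."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "no_weak_suites": not any(m in n for n in names for m in WEAK_MARKERS),
        "tls12_all_forward_secret": all(n.startswith("ECDHE") for n in suites_by_protocol(ctx).get("TLSv1.2", [])),
    }


if __name__ == "__main__":
    for proto, names in sorted(suites_by_protocol(hardened_client_context()).items()):
        print(proto, names)
    print("hardened:", check_context(hardened_client_context()))
    print("legacy:  ", check_context(legacy_client_context()))
```

The same four checks apply to a server context; the TLS 1.3 suites cannot be weakened from Python, which is exactly the point of the shortened suite list.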

30
Q

API authentication

A

APIs can use more secure authentication
and authorization methods, such as SAML and OAuth

There was more on API considerations but I didn't understand. See slide 15.

31
Q

subscription services

A

Subscription services deliver content from a provider to subscribers; the main categories and their security points:

•News and information services
  •Market and financial intelligence and information
  •Security threat intelligence and information
  •Reference and training materials
•Software applications and cloud services
  •Provide secure access (authenticated, TLS-protected subscriber connections)
•News feed security
  •Really Simple Syndication (RSS)
  •Atom
  •Both are XML formats, so feed readers and aggregators are susceptible to XML injection from a malicious or compromised feed

32
Q

SFTP

A

SSH File Transfer Protocol (SFTP) - a file-transfer subsystem that runs inside an SSH session on TCP port 22, so authentication, commands and data all travel over the one encrypted connection. Despite the name, it is not the FTP protocol tunneled over SSH; it is a separate protocol defined as part of SSH.

33
Q

FTPS

A

FTP over SSL (FTPS)

Do I need this?
•Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an insecure connection established over port 21 to a secure one
•Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP commands (port 990 for the control connection)

34
Q

two types of email protocols

A

• The Simple Mail Transfer Protocol (SMTP) specifies how mail is sent from one
system to another.

• (IMAP or POP3) A mailbox access protocol stores messages for users and allows them to download them to
client computers or manage them on the server.

35
Q

Secure SMTP

A

• STARTTLS—this is a command that upgrades an existing insecure connection to use TLS. This is also referred to as explicit TLS or opportunistic TLS. It runs on the normal SMTP ports (25 for server-to-server relay, 587 for client submission). Because the session starts in plaintext, an attacker on the path can strip the STARTTLS offer and keep the session unencrypted unless the client is configured to require TLS.

• SMTPS—this establishes the secure connection before any SMTP commands (HELO, for instance) are exchanged. This is also referred to as implicit TLS and uses TCP port 465.

STARTTLS is more widely used

36
Q

Mailbox access protocols

A
  • Post Office Protocol (POP3) - TCP port 110 in plaintext; downloads messages to the client
  • Internet Message Access Protocol (IMAP) - TCP port 143 in plaintext
    • Better mailbox management features than POP3 (messages and folders stay on the server and can be managed from several clients)
  • Secure ports (implicit TLS)
    • POP3S TCP port 995
    • IMAPS TCP port 993
37
Q

Secure/Multipurpose Internet Mail Extensions (S/MIME).

A

Connection security (TLS between client and server, and between mail servers) only protects each hop; a message is stored and forwarded in the clear on every intermediate server, so end-to-end encryption cannot usually be guaranteed. Consequently, there is still a need for authentication and confidentiality to be applied on a per-message basis. One means of doing this is called Secure/Multipurpose Internet Mail Extensions (S/MIME).

  • End-to-end encryption for message contents (headers such as the subject line remain in the clear)
  • Authentication (digital signature) and confidentiality using PKI certificates
  • Correspondents must exchange and trust certificates
38
Q

VTC and VOIP

A

Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC)

39
Q

Protocols handle these three areas

A

session control, data transport and QoS

Probably don’t spend a lot of time on this one

• Session control—used to establish, manage, and disestablish communications
sessions. They handle tasks such as user discovery (locating a user on the network),
availability advertising (whether a user is prepared to receive calls), negotiating session
parameters (such as use of audio/video), and session management and termination.
• Data transport—handles the delivery of the actual video or voice information.
• Quality of Service (QoS)—provides information about the connection to a QoS
system, which in turn ensures that voice or video communications are free from
problems such as dropped packets, delay, or jitter.

40
Q

Session Initiation Protocol (SIP)

A

Used to handle session control for VoIP and VTC: locating users, advertising availability, negotiating session parameters, and setting up, managing and tearing down calls. SIP signalling runs on port 5060 (UDP or TCP, plaintext) or 5061 (SIP over TLS); TLS protects only the signalling, the media stream is carried separately.

41
Q

SRTP and RTP

A

Real-time Transport Protocol (RTP) - provides the actual delivery of real-time data (VoIP, VTC) once SIP has set the session up; it runs over UDP and carries the audio/video in the clear.

Secure RTP (SRTP) - provides call data confidentiality by encrypting the RTP payload, plus message authentication and replay protection; the keys are typically exchanged over the TLS-protected signalling channel.

42
Q

Two models of remote access architecture (using a VPN)

A

Remote access (client-to-site) - an individual user's device connects over the Internet to a VPN gateway on the corporate network

Site-to-site (branch office) - a VPN gateway at each site maintains a permanent tunnel over the Internet, so hosts on the two LANs communicate without running VPN clients themselves

43
Q

VPN

A

The VPN protocol establishes
a secure tunnel so that the contents are kept private, even when the packets pass over
ISPs’ routers.

44
Q

Point-to-Point Tunneling Protocol (PPTP)

A

Legacy; does not provide adequate security. Its authentication (MS-CHAP v2) and encryption (MPPE, based on RC4) are both broken, so it should not be used.

45
Q

Transport Layer Security (TLS) VPN (more commonly known as ssl vpn)

A

A current (not legacy) VPN type

  • Uses TLS to negotiate a secure connection, authenticated by PKI certificates (a server certificate at least; client certificates optionally)
  • Tunnels network traffic over TLS, usually on TCP port 443, so it passes through firewalls and proxies that already allow HTTPS
46
Q

VPN examples

A

OpenVPN (open source; its own TLS-based protocol, over UDP or TCP)
Microsoft's Secure Sockets Tunneling Protocol (SSTP), which carries PPP frames inside TLS

The Point-to-Point Protocol (PPP) is not itself a VPN protocol: it is the link-layer protocol that SSTP, L2TP and PPTP encapsulate to carry the client's IP packets and user authentication.

47
Q

Internet Protocol Security (IPSec)

A

Provides confidentiality and/or integrity for IP packets.

Operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support (TLS, by contrast, is set up per application protocol, above the transport layer).

48
Q

two protocols of IPSec

A
Authentication Header (AH)
•Signs the packet (including the IP header) but does not encrypt the payload
•Provides authentication/integrity only
•Rarely used now, because the header signature breaks when NAT rewrites addresses

Encapsulating Security Payload (ESP)
•Provides confidentiality and/or authentication/integrity (ESP with authentication enabled is the normal choice)

49
Q

IPSec Transport and Tunnel Modes

A
  • Transport mode - for host-to-host connections on a private network. Only the packet payload is protected; the original IP header stays in the clear so routers can forward it
  • Tunnel mode - between gateways across an insecure network. The whole original packet (header and payload) is encapsulated inside a new IP packet addressed to the peer gateway, so with ESP both the inner addresses and the data are hidden
50
Q

Internet Key Exchange and Security Associations (SA)

A

IPSec's encryption and hashing functions depend on a shared secret. The secret must be communicated to both hosts and the hosts must confirm one another's identity (mutual authentication). Otherwise, the connection is vulnerable to man-in-the-middle and spoofing attacks.

The Internet Key Exchange (IKE) protocol handles authentication (by pre-shared key or certificate) and key exchange (Diffie-Hellman). The result is a set of Security Associations (SAs): the agreed algorithms, keys and lifetimes for each direction of the IPSec tunnel. IKE itself runs over UDP port 500 (4500 when NAT traversal is in use).

51
Q

Layer 2 Tunneling Protocol and IKE v2

I didn't fully get this. Was tired.

A

Layer 2 Tunneling Protocol/IPSec VPN
•Use IPSec for secure tunneling of Point-to-Point Protocol (PPP) frames
•Allows user authentication via EAP or CHAP

IKE v2
•Makes IPSec a standalone remote access VPN protocol
•Support for EAP user authentication methods
•Reduces number of setup messages
•Support multihoming on client device (switching between Wi-Fi and cellular data)

52
Q

Layer 2 Tunneling Protocol

A

This first version of IKE is optimized to ensure the mutual authentication of two peer
hosts, such as in a site-to-site VPN. On its own, it does not provide a simple means for
a client user account to authenticate to a remote network directory. Consequently,
for remote access VPNs, a combination of IPSec with the Layer 2 Tunneling Protocol
(L2TP) VPN protocol is often used.

53
Q

IKE v2

A

The drawbacks of the original version of IKE were addressed by an updated protocol.
IKE v2 has some additional features that have made the protocol popular for use as a
standalone remote access VPN solution.

Compared to L2TP/IPSec, using IKE v2 is more efficient.

54
Q

VPN Client Configuration

A

To configure a VPN client, you may need:
- to install the client software if the VPN type is not natively supported by the OS;
- to deploy a client certificate that is trusted by the VPN concentrator to the machine and make it available to the VPN client;
- to configure settings for how the VPN connection operates.

55
Q

Always-On VPN

A

Traditional remote access VPN solutions require the user to initiate the connection and
enter their authentication credentials. An always-on VPN means that the computer
establishes the VPN whenever an Internet connection over a trusted network is
detected, using the user’s cached credentials to authenticate. Microsoft has an Always-
On VPN solution for Windows Server and Windows 10 clients

56
Q

Split Tunnel versus Full Tunnel

A

The guide has a diagram that shows this better

Split tunnel—the client accesses the Internet directly using its “native” IP
configuration and DNS servers.

Full tunnel—Internet access is mediated by the corporate network, which will alter
the client’s IP address and DNS servers and may use a proxy.

57
Q

Remote Desktop

A

A remote access VPN joins the user’s PC or smartphone to the local network, via the
secure tunnel.

Another model for remote networking involves connecting to a host
within the local network over a remote administration protocol. A protocol such as
Secure Shell (SSH) only supports terminal access, but there are many other tools that
can connect to a graphical desktop.


58
Q

GUI based remote desktop

A

A GUI remote administration tool sends screen and
audio data from the remote host to the client and transfers mouse and keyboard input
from the client to the remote host.

59
Q

Remote Desktop Protocol (RDP)

A

Microsoft's Remote Desktop Protocol (RDP) can be used to access a physical machine on a one-to-one basis (TCP port 3389). Alternatively, the site can operate a remote desktop gateway that facilitates access to virtual desktops or individual apps running on the network servers. RDP should not be exposed directly to the Internet; put it behind the gateway or a VPN.

  • Connect to physical machines
  • RDP gateway to virtual desktops and apps
60
Q

HTML5/clientless

A
  • Access desktops and web applications from Internet via gateway to internal network
  • Browser support for canvas element plus WebSockets

Traditionally, these remote desktop products require a client app. The canvas element
introduced in HTML5 allows a browser to draw and update a desktop with relatively
little lag. It can also handle audio. This is referred to as an HTML5 VPN or as a clientless
remote desktop gateway (guacamole.apache.org). This solution also uses a protocol
called WebSockets, which enables bidirectional messages to be sent between the
server and client without requiring the overhead of separate HTTP requests.

61
Q

Remote access management and secure admin workstations (SAWs)

A

Remote access management refers to the specific use case of using a secure channel to administer a network appliance or server.

The secure admin workstations (SAWs) used
to perform management functions must be tightly locked down, ideally installed with
no software other than that required to access the administrative channel—minimal
web browser, remote desktop client, or SSH virtual terminal, for instance. SAWs should
be denied Internet access or be restricted to a handful of approved vendor sites (for
patches, drivers, and support). The devices must also be subject to stringent access
control and auditing so that any misuse is detected at the earliest opportunity.

62
Q

Out-of-Band Management

A

Remote management methods can be described as either in-band or out-of-band
(OOB). An in-band management link is one that shares traffic with other
communications on the “production” network. A serial console or modem port on a
router is a physically out-of-band management method. When using a browser-based
management interface or a virtual terminal over Ethernet and IP, the link can be
made out-of-band by connecting the port used for management access to physically
separate network infrastructure. This can be costly to implement, but out-of-band
management is more secure and means that access to the device is preserved when
there are problems affecting the production network. With an in-band connection,
better security can be implemented by using a VLAN to isolate management traffic.
This makes it harder for potential eavesdroppers to view or modify traffic passing over
the management interface. This sort of virtual OOB does still mean that access could
be compromised by a system-wide network failure, however.

63
Q

Jump servers

A

One of the challenges of managing hosts that are exposed to the Internet, such as in
a DMZ or cloud virtual network, is to provide administrative access to the servers and
appliances located within it. On the one hand, a link is necessary; on the other, the administrative interface could be compromised and exploited as a pivot point into the rest of the network. Consequently, the management hosts permitted to access
administrative interfaces on hosts in the secure zone must be tightly controlled.
Configuring and auditing this type of control when there are many different servers
operating in the zone is complex.
One solution to this complexity is to add a single administration server, or jump
server, to the secure zone. The jump server only runs the necessary administrative
port and protocol (typically SSH or RDP). Administrators connect to the jump server
then use the jump server to connect to the admin interface on the application server.
The application server’s admin interface has a single entry in its ACL (the jump server)
and denies connection attempts from any other hosts.

64
Q

SSH

A

Secure Shell (SSH) is the principal means of obtaining secure remote access to a command-line terminal (TCP port 22). The main uses of SSH are for remote administration and secure file transfer (SFTP).