Lesson 9 Flashcards

1
Q

Best-practice network design and architecture guides

A

Cisco’s SAFE Architecture

Places in the Network

2
Q

Switch vs. hub vs. router

A

switch - MAC addresses - connects computers within the same network

hub - dumb switch

router - IP addresses - connects computers/devices to each other and to other networks

3
Q

Application protocols

A

HTTP - defines the format of messages through which web browsers and web servers communicate.

FTP - transferring files

SMTP - email servers

RTP (Real-time Transport Protocol) - network protocol for delivering audio and video over IP networks

DNS - you know what DNS does

4
Q

Layer 2 forwarding and Layer 3 forwarding

A

The basic function of a network is to forward traffic from one node to another

Layer 2 - switches - MAC addresses within a local network

Layer 3 - multiple subnets - IP addresses - routers

5
Q

ARP

A

• Address Resolution Protocol (ARP) - maps IP addresses to MAC addresses so that packets can be forwarded

6
Q

Routing protocols

A

Communicate routing table updates

7
Q

Network segment and broadcast domain

A

A network segment is one where all the hosts attached to the segment can use local
(layer 2) forwarding to communicate freely with one another.

The hosts are said to be within the same broadcast domain.

8
Q

Implementing network segments

A

Assuming an Ethernet network, network segments can be established physically by
connecting all the hosts in one segment to one switch and all the hosts in another
segment to another switch. The two switches can be connected by a router and
the router can enforce network policies or access control lists (ACL) to restrict
communications between the two segments.

9
Q

Layer 3 subnets

A

Because enterprise networks typically feature hundreds of switching appliances and
network ports (not to mention wireless access and remote access), segmentation is
more likely to be enforced using virtual LANs (VLANs). Any given switch port can be
assigned to any VLAN in the same topology, regardless of the physical location of
the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical
divisions enforced by IP subnets at layer 3.

10
Q

Segments, VLANs, subnets

A

Network segments are separated physically at layer 2. VLANs are separated logically at layer 2 to simplify wiring. Layer 3 can map subnets to VLANs.

11
Q

zones

A

Zones represent isolated segments for hosts that have the same security requirements.
Traffic between zones is subject to filtering by a firewall.

12
Q

zone types

A

Intranet, Extranet, Internet

Intranet - private
Extranet - business partners, suppliers, customers
Internet - allows anonymous access

13
Q

DMZs

A
  • Demilitarized zones (DMZs) isolate hosts that are Internet-facing
  • Communications through the DMZ should not be allowed
  • Ideally use proxies to rebuild packets for forwarding
14
Q

Bastion Hosts

A

Placed in DMZs (because they are Internet-facing)

  • Not fully trusted by internal network
  • Run minimal services
  • Do not store local network account credentials
15
Q

MitM

A

Man-in-the-middle
A MitM or on-path attack is where the threat actor gains a position between two hosts,
and transparently captures, monitors, and relays all communication between the hosts.

For example, a MitM host could present a workstation with a spoofed website form
to try to capture the user's credentials.

16
Q

How to secure against a MitM attack

A

Mutual authentication, where both hosts exchange secure credentials; but at layer 2
it is not always possible to put these controls in place.

17
Q

MAC address cloning/spoofing

A

The MAC (hardware interface) address is easy to change to a different value.

18
Q

ARP

A

arp—display the local machine’s Address Resolution Protocol (ARP) cache.
The ARP cache shows the MAC address of the interface associated with each IP
address the local host has communicated with recently.

19
Q

ARP poisoning

A

Broadcasting unsolicited ARP replies to poison the cache of local hosts with a spoofed MAC address.
• Attacker usually tries to masquerade as the default gateway (router)
  - Attacker can either monitor the traffic and forward it on to the router, or...
  - perform a DoS attack by not forwarding the packets

20
Q

MAC flooding

A

• Overwhelm switch memory (used to store the switch's MAC address table) to trigger unicast flooding
• Facilitates sniffing

21
Q

Loop Prevention

A

Ethernet switches (or bridges) - frames looping around and around. Prevented by Spanning Tree Protocol (STP).

22
Q

STP

A

Spanning Tree Protocol - prevents looping by setting up switches or bridges in a hierarchy

23
Q

Broadcast Storm

A

Looping results in a storm from an exponential increase in traffic.

Storm control - A storm control setting on a switch is a backup mechanism to
rate-limit broadcast traffic above a certain threshold.

24
Q

BPDU Guard

A

• Configure switches to defeat attempts to engineer a loop
• PortFast setting configured for access ports
• BPDU guard disables the port if STP traffic is detected

25
Q

Methods to prevent looping and broadcast storms

A
  • Spanning Tree Protocol
  • Storm control configuration
  • BPDU Guard
26
Q

Physical Port Security

A
• Secure switch hardware
• Physically disconnect unused ports
• Disable unused ports via management interface
27
Q

MAC address limiting and filtering

A

Configuring MAC filtering on a switch means defining which MAC addresses are
allowed to connect to a particular port.
• Limit the number of MAC address changes

28
Q

DHCP

A

DHCP is the protocol that allows a server to assign IP address information to
a client when it connects to the network.

29
Q

DHCP Snooping

A

DHCP snooping inspects DHCP traffic arriving on access ports to ensure that a host
is not trying to spoof its MAC address.

30
Q

Dynamic ARP Inspection

A

Can be configured along with DHCP snooping.

Prevents a host attached to an untrusted port from flooding the segment
with gratuitous ARP replies.

31
Q

Ways to protect Ports

A
  • Physical port security
  • MAC address limiting and filtering
  • DHCP snooping
  • Dynamic ARP inspection
32
Q

Endpoint security

A

Set of security procedures and technologies designed to restrict network access at the device level (DEFENSE IN DEPTH). DMZs, in contrast, focus on perimeter security.

33
Q

port-based network access control (PNAC)

A

PNAC means that the switch uses an AAA server to authenticate the
attached device before activating the port. Network access control (NAC) products
can extend the scope of authentication to allow administrators to devise policies or
profiles describing a minimum security configuration that devices must meet to be
granted network access. This is called a health policy.

34
Q

Posture assessment

- Agent-based vs agentless

A

Process by which host health checks are performed against a client device to verify
compliance with the health policy. (Most NAC solutions do this.)

Agent-based - most NAC solutions use client software called an agent to gather
information about the device (posture assessment against the health policy).
- persistent - installed in the software on the device
- non-persistent - loaded into memory during posture assessment but not installed on the device

Agentless - useful when a lot of devices are in use (IoT) but less detailed information is available

35
Q

Network Access Control

A
• Endpoint security/defense in depth
• IEEE 802.1X/port-based network access control (PNAC)
• Can also enforce health policy
• Posture assessment
  • Agent-based
    • Persistent versus non-persistent
  • Agentless
    • Scanning software
    • Device polling
36
Q

Route injection

A

Spoofed routing information. Can redirect traffic to a spoofed website, send it to a black hole, or cause DoS through looping.

Defend against route injection by configuring how a router identifies its peers, router appliance hardening, and patch management.

37
Q

SSID vs BSSID

A

SSID = each wireless network is identified by its name

BSSID = each WAP is identified by its MAC address

38
Q

Wireless Frequency bands and channels

A

Wireless networks can operate in either the 2.4 GHz or 5 GHz radio band. Each radio
band is divided into a number of channels, and each WAP must be configured to use
a specific channel.

39
Q

Co-channel interference (CCI) vs adjacent channel interference (ACI)

A

CCI - when two WAPs in close proximity use the same channel

ACI - two WAPs on the same radio band but with channels that are too close together

40
Q

Site Survey

A

Used to measure signal strength and channel usage throughout the area to be covered.

41
Q

Wi-Fi analyzer

A

The Wi-Fi
analyzer records information about the signal obtained at regularly spaced points as
the surveyor moves around the area.

42
Q

Heat map

A

Site survey and Wi-Fi analyzer combined to create the heat map, which shows where
a signal is strong (red) or weak (green/blue), which channel is being used, and
how the channels overlap.

43
Q

How to secure a WAP

A

Where a site survey ensures availability, the confidentiality and integrity properties of
the network are ensured by configuring authentication and encryption. These settings
could be configured manually on each WAP, but this would be onerous in an enterprise
network with tens or hundreds of WAPs.

44
Q

Wireless controller

A

Configuration of multi-WAP WLANs. Rather than configure each device individually, enterprise wireless solutions implement
wireless controllers for centralized management and monitoring. A controller can be
a hardware appliance or a software application run on a server.

45
Q

Fat WAP vs thin WAP

A
Fat WAP - an access point whose firmware contains enough processing logic to be able to
function autonomously and handle clients without the use of a wireless controller

Thin WAP - one that requires a wireless controller in order to function

46
Q

WAP physical security

A

Controllers and access points must be made physically secure, as tampering could
allow a threat actor to insert a rogue/evil twin WAP to try to intercept logons. These
devices must be managed like switches and routers, using secure management
interfaces and strong administrative credentials.

47
Q

WPA v1

A

Wi-Fi Protected Access (WPA)

*Not considered strong enough

WPA uses the RC4 stream cipher but adds a mechanism called the
Temporal Key Integrity Protocol (TKIP) to make it stronger, but it is still not strong enough.

48
Q

WEP

A

Similar to WPA v1; not strong enough.

49
Q

WPA2

A

Better than WPA v1, but weaknesses have still been found

Advanced Encryption Standard (AES) replaces RC4

Counter Mode with Cipher Block Chaining Message Authentication Code (CBC-MAC) Protocol (CCMP) replaces TKIP

Also enables enterprise authentication options

50
Q

WPA3

A

Best. Because of the weaknesses found in WPA2, WPA3 was created.

51
Q

Wi-Fi authentication (WPA2 vs WPA3)

A

WPA2 pre-shared key authentication
• Passphrase used to generate a pairwise master key (PMK)
• 4-way handshake
• PMK is used to derive session keys

WPA3 personal authentication
• Password Authenticated Key Exchange (PAKE)
• Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake
• Dragonfly handshake

52
Q

WPS (Wi-Fi Protected Setup)

A

WPS is designed for residential use to make it easier to secure WAPs.

Vulnerable to brute-force attacks.

53
Q

Easy Connect and DPP

A

The Easy Connect method, announced alongside WPA3, is intended to replace WPS as
a method of securely configuring client devices with the information required to access
a Wi-Fi network. Easy Connect is a brand name for the Device Provisioning Protocol
(DPP).

54
Q

Open Authentication and Captive Portals

A

Captive portal - used in hotels, etc.

Use an access point without authentication (or encryption)

Secondary authentication via captive portal or splash page

Everything sent over link can be snooped

Use secure protocols for confidential data (HTTPS, Secure IMAP, FTPS)

Use a Virtual Private Network (VPN) to create a secure tunnel

Wi-Fi Enhanced Open

55
Q

Enterprise/IEEE 802.1X Authentication

A


Extensible Authentication Protocol (EAP) over Wireless (EAPoW)

Network directory authorization via RADIUS or TACACS+

User credential is used to generate session encryption key

56
Q

Extensible Authentication Protocol (EAP)

A

Designed to provide for interoperable security devices and software

57
Q

EAP-TLS

A

One of the strongest types of authentication and very widely supported.

  • Transport Layer Security (TLS) to authenticate via device certificates/smart cards
  • Both server and supplicant must have certificates
  • Mutual authentication
58
Q

PEAP, EAP-TTLS, and EAP-FAST

A

Just remember that these provide secure tunneling for user credentials.

  • Protected EAP (PEAP)
  • EAP with Tunneled TLS (EAP-TTLS)
  • EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)
59
Q

RADIUS Federation

A

Allows users from different organizations to log onto the same network
• Federated identity solution
• Mesh network for RADIUS servers operated by different institutions
• Eduroam - allows students of universities from several different countries to log on to the
networks of any of the participating institutions using the credentials stored by their
"home" university

60
Q

Rogue Access Point

A

A rogue access point (or rogue WAP) is one that has been installed on the network without
authorization, whether with malicious intent or not. It is vital to periodically survey
the site to detect rogue WAPs.

A rogue WAP could also be used to capture user logon attempts, allow man-in-the-middle
attacks, and allow access to private information.

61
Q

Evil Twin

A

Rogue access point (WAP) masquerading as a legitimate one.

  • Use similar SSID
  • Capture authentication information
62
Q

Wi-Fi analyzers and rogue access points

A

Wi-Fi analyzers can detect rogue WAPs.

63
Q

Deauthentication attack, replay attack, and disassociation attack

A

Deauthentication attack - the use of a rogue WAP may be coupled with a deauthentication attack.
This sends a stream of spoofed frames to cause a client to deauthenticate from a WAP.
The deauth frames spoof the MAC address of the target station.

Replay attack - this might allow the attacker to perform a replay attack aimed at
recovering the network key or interposing a rogue WAP.

Disassociation attack - similar to a deauth attack, but causes the client to just disassociate rather than fully deauthenticate.

64
Q

Configure Management Frame Protection (MFP/802.11w)

A

Protects against disassociation, deauthentication, and replay attacks.

65
Q

Initialization Vector (IV) attack

A
  • Generate packets to strip the IV (the IV salts the hash, I believe)

* KRACK/key reinstallation - is one way to do an IV attack

66
Q

Jamming attack

A

A wireless network can be disrupted by interference from other radio sources.

  • Environmental versus malicious interference
  • Jamming attacks
    * Denial of service
    * Promote evil twin
  • Use spectrum analyzer to locate source
67
Q

Spectrum analyzer

A

Locates the source of a jamming attack or of non-malicious jamming.

68
Q

Distributed Denial of Service Attacks

A

Coming from multiple sources (bots, botnet)

• Leverage bandwidth from compromised hosts/networks
• Handlers form a command and control (C&C) network
• Compromised hosts are installed with bots that can run automated scripts
• Co-ordinated by the C&C network as a botnet
• Overwhelm with superior bandwidth (number of bots)

Consume resources with spoofed session requests (SYN flood)

69
Q

Command and control network

A

Coordinates bots (compromised hosts) as a botnet.

70
Q

Distributed Reflection DoS (DRDoS)

A

In a distributed reflection DoS (DRDoS) or amplification SYN flood attack, the threat
actor spoofs the victim’s IP address and attempts to open connections with multiple
servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly
consumes the victim’s available bandwidth.

71
Q

Types of Distributed Reflection DoS (DRDoS) or SYN flood attacks

A

Amplified SYN flood
Application attack
Operational technology (OT) network attacks

72
Q

Distributed Denial of Service Attack Mitigation

A


• Drop traffic to protect other hosts in the routing domain
• Access control list (ACL)
• Remotely triggered black hole (RTBH) - traffic goes nowhere
• Sinkhole routing - traffic goes somewhere it can be analyzed

• Cloud DDoS mitigation services

73
Q

Load balancer

A

Load balancing - multiple servers - balancing the load
- There are multiple ways of distributing the load
- Each web server has an IP address
- The load balancer has an IP address, but we don't want people to connect to that IP address
- So we have another, virtual IP address which represents the entire pool

74
Q

Types of load balancers

A

• Layer 4 load balancer—basic load balancers make forwarding decisions on IP
address and TCP/UDP port values, working at the transport layer of the OSI model.

• Layer 7 load balancer (content switch)—as web applications have become more
complex, modern load balancers need to be able to make forwarding decisions
based on application-level data, such as a request for a particular URL or data types
like video or audio streaming. This requires more complex logic, but the processing
power of modern appliances is sufficient to deal with this.

75
Q

Scheduling (load balancer)
- types of scheduling
- heartbeat or health check

A
  • Round robin - (simplest) - just picks the next node
  • Fewest existing connections, or the node with the best response time
  • Each method can be weighted

Heartbeat or health check - The load balancer must also use some type of heartbeat or health check probe to verify
whether each node is available and under load or not. Layer 4 load balancers can only
make basic connectivity tests while layer 7 appliances can test the application’s state,
as opposed to only verifying host availability.

76
Q

Source IP Affinity and Session Persistence

This is part of load balancing.

A

Source IP affinity (or session affinity) - when a client establishes a session, it becomes stuck to the node that first accepted the request.

Session Persistence - Persistence typically works by setting a cookie, either on the node or injected
by the load balancer. This can be more reliable than source IP affinity, but requires the
browser to accept the cookie.

77
Q

Clustering

A

Failover
You can cluster load balancers (but also web servers).

Active/Passive vs Active/Active (you know this)

78
Q

Quality of service vs FIFO

A

Most network appliances process packets on a best effort and first in, first out (FIFO)
basis. Quality of Service (QoS) is a framework for prioritizing traffic based on its
characteristics. It is primarily used to support voice and video applications that require
a minimum level of bandwidth and are sensitive to latency and jitter.

79
Q

Latency vs Jitter (QoS)

A

Latency is the time it takes for a transmission to reach the recipient.

Jitter is defined as a variation in the delay, or an inconsistent rate of packet
delivery.