Messer - 3. Network Operations Flashcards

1
Q

Describe the standard networking symbol for the following device:

Hub

A

Square w/ single arrow

2
Q

Describe the standard networking symbol for the following device:

Switch

A

Square with two arrows pointing one way, and two pointing other

[Switches replaced hub, so just remember that symbol is similar to hub’s, but more advanced]

3
Q

Describe the standard networking symbol for the following device:

Router

A

Circle w/ two arrows pointing in and two arrows pointing out

4
Q

Describe the standard networking symbol for the following device:

Layer 3 Switch

A

Square w/ circle in the middle and 8 arrows pointing outward from circle

[Remember that Layer 3 Switch is just a switch and a router combined in single device. Combines router’s circle with switch’s square]

5
Q

Describe the standard networking symbol for the following device:

Firewall

A

Brick Wall

6
Q

Describe the standard networking symbol for the following device:

IP Phone

A

Phone

7
Q

Describe the standard networking symbol for the following device:

Access Point

A

rectangle w/ what looks like two snakes intertwined horizontally

8
Q

Describe the standard networking symbol for the following device:

ATM Switch

A

Square with two sets of angled, double-sided arrows that intersect

[“A” for angled? But you have access point, too]

9
Q

What is a physical network diagram, and what should be included in one?

A

aka. Network map

A diagram that displays the physical infrastructure of a network, including the placement of switches, routers, servers, workstations, and even cabling. The physical network diagram will display items such as wide area network (WAN) links and the speeds of these links.

10
Q

What is a logical network diagram, and what should be included in one?

A

A diagram that displays the software aspects of a network. This includes application flow, domain controllers, Dynamic Host Configuration Protocol (DHCP) servers, Domain Name System (DNS) servers, and IP configuration of the network. Should document the location of these services and some of the core configuration, such as DHCP scopes, DNS domain names, organizational unit (OU) structure, and IP addresses. You should also document any virtual LANs (VLANs) that are being used on the network and which computers belong to which VLANs.

11
Q

[skipping a lot of 3.1]

A

[skipping a lot of 3.1]

12
Q

What are MDF and IDF?

A

Two types of wiring closets.

  • main distribution frame (MDF) - The main wiring closet for a network typically holds the majority of the network gear, including routers, switches, wiring, servers, and more. This is also typically the wiring closet where outside lines run into the network. One of the key components in the MDF is a primary patch panel. The network connector jacks attached to this patch panel lead out to the building for network connections.
  • intermediate distribution frame (IDF) - Secondary wiring closets used in some networks. Connected to MDF using backbone cable. This backbone cable may be UTP, fiber, or even coaxial. In today’s high-speed networks, UTP Gigabit Ethernet or high-speed fiber are the media of choice.
13
Q

What is fault tolerance? Give examples.

A

The capability of any system to continue functioning after some part of the system has failed.

Examples of single-device fault tolerance would include RAID 1 and 5 (NOT RAID 0) for hard drives, redundant power supplies (e.g. UPS), redundant NICs, and backup ISP. [Notice all involve redundancy]

Examples of multiple device fault tolerance would include server farms / clusters with load balancing, and multiple network paths.

14
Q

What is high availability?

A

Refers to a system (e.g. a network, a server array or cluster, etc.) that is designed to avoid loss of service by reducing or managing failures and minimizing planned downtime. Generally involves maintaining a certain percentage of uptime and performance (e.g. 99.999% uptime), and may even be guaranteed in an SLA.

15
Q

What is the relationship between fault tolerance and high availability?

A

Getting mixed messages on this.

Some seem to be saying that fault tolerance is a means of ensuring high availability.

Others are saying that fault tolerance aims for zero downtime, while high availability is focused on delivering minimal downtime. [IBM, Cisco, and AWS seem to be saying this]

16
Q

What are the downsides of fault tolerance and high availability?

A

Increased complexity and expense. Additional hardware, processes, and procedures.

17
Q

What is NIC teaming?

A

The combining of multiple network interface cards for performance (aggregated bandwidth) and redundancy (fault tolerance). Looks like a single adapter to the OS.

According to Messer, the NICs talk to each other, performing health checks (usually via multicast instead of broadcast). Fails over if there is no response.

Can also be called NIC bonding, balancing, or aggregation.

18
Q

What is port aggregation?

A

A feature of network switches that allows you to consolidate the bandwidth of multiple ports to provide more throughput to a system or device. And, of course, high availability. Provides fail-over in a similar way that NIC teaming does.

Port aggregation is also known as link aggregation, and is part of IEEE 802.3ad and IEEE 802.1AX.

19
Q

[Skipping power management in 3.2]

A

[Skipping power management in 3.2]

20
Q

Explain the difference between a cold site, hot site, and warm site.

A

These are alternative locations to continue business operations in case of a disaster.

  • Cold site - Empty building. Might have racks, but not much else. No hardware, software, data, or staff.
  • Hot site - Basically duplicates your entire operation. Duplicate hardware, software, and data that are constantly updated. Transition should be possible with the flip of a switch, and be completely transparent to users.
  • Warm site - Middle ground between hot and cold site. Tends to be a spare location stocked with hardware, like networking equipment, servers, and backup devices. But you’d need the most recent backup restored to bring the software and data up to date.
21
Q

Name the four types of file backups.

A

Full, copy, incremental, and differential

22
Q

What is the archive bit?

A

A flag that is set on a file by an OS after it has been created or altered. Some backup methods reset the flag to indicate that it has been backed up.

23
Q

What is a full backup?

A

A backup in which files, regardless of whether they have been changed, are copied to the backup medium. In a full backup, the files’ archive bits are reset.

24
Q

What is a copy backup?

A

Normally, a backup of an entire hard drive. A copy backup is similar to a full backup, except that the copy backup does not alter the state of the archive bits on files.

25
Q

What is an incremental backup?

A

A backup of only files that have been created or changed since the last full or incremental backup. In an incremental backup, the archive bit is cleared to indicate that a file has been backed up.

26
Q

What is a differential backup?

A

A backup of only the data that has been created or changed since the previous full backup. In a differential backup, the state of the archive bits is not altered.

27
Q

Which file backup types clear / reset the archive bit, and which do not?

A

Full and incremental reset the archive bit

Copy and differential do not

28
Q

Which type of file backup has some repetition / redundancy in terms of what it’s backing up?

A

Differential

29
Q

What are the advantages / disadvantages of differential vs. incremental?

A

Differential backups take a little longer and require more storage space. But restores are simpler and quicker.

30
Q

What is MTTR?

A

mean time to recovery

How long it takes to repair a system or component after a failure occurs.

31
Q

What is MTBF?

A

mean time between failures

Predicted time between failures of a system or device.

[There’s also MTTF (Mean time to failure), which is similar but for non-recoverable devices. Mentioned in a book, but not on exam objectives]

32
Q

What is RTO?

A

Recovery time objective

A business continuity term for the amount of time allowable before a business function must be restored to a functional state after a failure. Management may say “We have an RTO of 45 minutes,” meaning “we need the system recovered in 45 minutes—can you do it?”

33
Q

What is RPO?

A

Recovery point objective

A business continuity term to represent how much of a system is expected to be recovered. For example, your company may expect that when a system fails, you should be able to restore up to the point of failure, while another company may only expect recovery of data up to 24 hours prior to the point of failure.

34
Q

What is an SLA requirement?

A

Service Level Agreement

The level of service that your business has agreed to provide to its customers or internal users. The SLA requirements will dictate what disaster recovery techniques you invest in to meet the requirements. For example, the company intranet may be required 98 percent of the time, which means you may look into some load balancing to ensure you meet the requirement of 98 percent uptime.

35
Q

System logs from a wide array of devices (e.g. routers, switches, firewalls, servers, etc.) are often consolidated into a central location using the _______ protocol, and then viewed visually as graphs and reports in a _________.

A

syslog

SIEM (Security Information and Event Management)

36
Q

What is a port scanner? Give an example.

A

A software-based security utility designed to search a network host for open ports on a TCP/IP-based network (e.g. Nmap)

37
Q

What are some of the functions that Nmap can perform?

A
  • Port scan
    - Find devices and identify open ports
  • Operating system scan
    - Discover the OS without logging in to a device
  • Service scan
    - What service is available on a device? Name, version, details
  • Additional scripts (allows you to create your own)
    - Nmap Scripting Engine (NSE) - extended capabilities, vulnerability scans
38
Q

What is a vulnerability scan? Give examples of popular vulnerability scanners.

A

Involves testing a system against a database of known vulnerabilities to identify weaknesses and known security holes.

A vulnerability scanner may be a port scanner (e.g. Nmap), a network enumerator (which gathers network info such as hosts, connected devices, usernames, etc.), a web application, or even a worm.

Nessus and Retina are two of the better-known vulnerability scanners. SAINT and OpenVAS (which was originally based on Nessus) are also widely used.

39
Q

What are some things a vulnerability scan might uncover?

A
  • Vulnerable OS components
  • Servers and security devices added w/o your knowledge
  • Lack of security controls (e.g. firewall, anti-virus, anti-malware)
  • Misconfigurations (e.g. open shares, enabled guest access)
  • Vulnerabilities in OS and applications (Especially new ones. Scanners regularly updated with signatures)
40
Q

What are three kinds of OS upgrade / patch?

A
  • Service pack - applies large number of patches at once
  • Monthly update - regular, incremental
  • Out-of-band update (Emergency patches that don’t follow monthly update pattern. e.g. to fix zero-day vulnerabilities)
41
Q

What is it called when you remove a patch / upgrade?

A

downgrading or roll-back

42
Q

Describe three common port statuses and their expected responses.

A

Open / listening - host sends a reply indicating that a service is listening on the port

Closed - no process is listening on that port and access to this port will likely be denied [Note: a denial is a reply]

Blocked / filtered - no reply from the host, meaning that the port is not listening or the port is secured and filtered

[Not in Messer, but in ExamCram book]

43
Q

Define baselines. Explain their importance and how they’re used.

A

A measure of performance that indicates how hard a network is working and where network resources are spent. The purpose of a baseline is to provide a basis of comparison over time.

This is not a one-time task. Rather, baselines should be taken from “captured” data and reviewed periodically to provide an accurate comparison. Visual graphing can be much more helpful in identifying trends than looking at raw data and log files.

Messer: You want to do this for different event categories like system, security, app, auth, cron, daemon, mail

44
Q

What is a protocol analyzer? Give examples.

A

Protocol analyzers capture every frame going through a network, and analyze network protocols such as TCP, UDP, HTTP, and FTP.

Help solve complex application issues, diagnose networking problems, alert to unused protocols, identify unwanted or malicious traffic, etc.

Can collect data over days, be used with large scale storage and big data analytics. Can be hardware or software based.

Ex: Wireshark, Nmap

45
Q

What is a key difference between a protocol analyzer and a packet sniffer?

A

Both capture packets going across a network. But an analyzer decodes them and translates them into human-readable form.

46
Q

According to Messer, interface monitoring often provides first sign of a problem. What kind of problems can interface monitoring detect? Or said differently, which interface metrics should we be monitoring?

A
  • Link status - Up or down? (May be a problem on either side)
  • Error rate - Problems with the signal (e.g. CRC error, runt, giant). CRC errors can indicate a problem with the cable or interface.
  • Bandwidth utilization (e.g. congestion) - Can look at per-interface network usage. Can see trends that will help with planning additional resources.
  • Discards / packet drops - No errors in the packet, but the system could not process it.
  • Interface resets - Packets are queued, but not sent. Connection is good, but line protocols aren’t talking.
  • Speed/duplex - Should match on both sides. A mismatch can cause unexpected throughput and late collisions. Auto-speed / auto-duplex is not always the best option.

(A lot of this info can be viewed directly in OS, but if managing a large number of machines, may want to take advantage of SNMP)

47
Q

What does environmental monitoring entail?

A

Monitoring temperature and humidity conditions in the server room, and for other key equipment. Humidity control prevents buildup of static electricity. When the level drops much below 50%, electronic components become vulnerable to damage from electrostatic shock.

[Not in Messer videos, but saw on some practice exams. And it’s in ExamCram book]

48
Q

What does wireless monitoring entail? And what tools are used?

A

Monitoring wireless networks with wireless survey tools and wireless analyzers.

Wireless survey tools can be used to create heat maps showing the quantity and quality of wireless network coverage in areas. They can also allow you to see access points (including rogues) and security settings. These can be used to help you design and deploy an efficient network, and they can also be used (by you or others) to find weaknesses in your existing network (often marketed for this purpose as wireless analyzers).

[Not in Messer videos, but saw on some practice exams. And it’s in ExamCram book]

49
Q

SIEM stands for _________.

A

Security Information and Event Management

50
Q

What is a SIEM?

A

Software that allows you to monitor security information and events from a single system in real time. Offers centralized monitoring and reporting of security information and events across a number of devices on the network. Usually consolidates logs from all your different devices (using the syslog standard), and can monitor and create reports on all that logged information. Allows you to correlate / link diverse data types (e.g. you can see what services someone accessed after logging in). Allows forensic analysis, where you can gather details after a security event. Can rewind time and access details across different components.

51
Q

What is syslog?

A

Syslog is a logging standard that can consolidate all logs for all your systems and devices in a central location (e.g. a dedicated syslog server). Often integrated into a SIEM. Will consume a LOT of disk space.

52
Q

Describe the main components of an SNMP-managed network, and how they work.

A

In an SNMP configuration, a central system known as a manager acts as the central communication point for all the SNMP-enabled devices on the network. On each device to be managed and monitored via SNMP, software called an SNMP agent is set up and configured with the manager’s IP address. Depending on the configuration, the SNMP manager then communicates with and retrieves information from the devices running the SNMP agent software. In addition, the agent can communicate the occurrence of certain events to the SNMP manager as they happen.

[Messer doesn’t get into this, but the books do]

[See also MIB, an important component]

53
Q

What are trap messages?

A

Messages sent from an SNMP agent to the SNMP manager.

54
Q

MIB stands for ______.

A

Management Information Base

55
Q

What is a MIB?

A

A formatted text file that lists data objects used by a particular piece of SNMP equipment. It’s supplied by the device manufacturer. You load that file into the SNMP manager, which will then use that MIB data to interpret incoming messages from that device. (There are tens of thousands of different SNMP devices and a manager can’t natively understand them all.) [Similar concept as device driver]

56
Q

How can you view the contents of a MIB?

A

There are a number of MIB browsers available online that allow you to browse (or “walk”) a MIB.

57
Q

What is IPSec and how does it work?

A

A fairly new (and popular) security protocol [or set of protocols?] that can be used to encrypt all IP traffic between servers / sites, as well as take part in authentication services and ensure the integrity of data sent across an IP network.

Says one site:
IPsec VPN is one of two common VPN protocols, or set of standards used to establish a VPN connection. IPsec is set at the IP layer, and it is often used to allow secure, remote access to an entire network (rather than just a single device).

If an IPSec policy is enabled, you do NOT need to configure different encryption methods for each type of application you run on the computer. All IP traffic is encrypted by IPSec once the policy is implemented. For example, because IPSec encrypts all traffic, you do not need to configure a separate encryption technology for your web server, FTP server, and Telnet server. They all run on top of TCP/IP, so IPSec can be used to secure traffic presented by each application.

[pronounced "eye pee sec"]
[Exam objectives have this listed under Remote Access Methods > VPN along with SSL/TLS/DTLS]
[Provides anti-replay security]
[Works on OSI Layer 3]
[Should probably re-write this]
58
Q

What are three protocols used by IPSec to work its magic?

A
  • Encapsulating Security Payload (ESP) to encrypt traffic
  • Authentication Header (AH) protocol for message integrity and authentication
  • Internet Key Exchange (IKE) to exchange encryption keys between systems

[Some places only say two protocols - ESP and AH]

59
Q

What are the VPN technologies that can be used as an alternative to IPSec?

A

SSL / TLS / DTLS

60
Q

What are the two most common types of VPNs? And how does IPSec fit into this vs. SSL / TLS / DTLS?

A

IPSec commonly used for site-to-site VPN (or server-to-server or host-to-host). Encrypts traffic between sites through public Internet. [Or within an internal network??] Uses existing Internet connection, but with a private tunnel built between sites. No additional circuits or costs. (ex. divisions of a large company might use this. Individual clients do not need to have a VPN because the networks themselves support the VPN, w/ each gateway doing the work)

SSL / TLS / DTLS commonly used for client-to-site VPN (or host-to-site). Also called “remote access VPN”. Requires client software on the end-user device. May be built in to the existing operating system. ex. individual clients, such as telecommuters or travelers, connect to the network remotely.

61
Q

SSL / TLS stands for ________.

A

Secure Sockets Layer / Transport Layer Security

62
Q

Discuss the history of SSL / TLS.

A

SSL was first created for use with Netscape web browser and is used with limited number of TCP/IP protocols (such as HTTP and FTP). TLS is not only an enhancement to SSL, but also a replacement, working with almost every TCP/IP protocol. Because of this, TLS is popular with VPNs and VoIP applications. The acronym “SSL” is often used, even when it’s technically TLS being used. SSL VPN is often called WebVPN and OpenVPN. (And again, it’s called SSL VPN even when it’s really TLS being used.)

Generally, SSL VPN uses thin clients built into OS. Can use a simple username and password to authenticate users.

63
Q

What is one of the big advantages of SSL / TLS over IPSec?

A

Uses the common SSL/TLS protocol (tcp/443), which avoids running into most firewall issues, and doesn’t require extra configurations (e.g. NAT, digital certificates, shared passwords).

64
Q

DTLS VPN stands for ________.

A

Datagram Transport Layer Security VPN

65
Q

What are the differences between DTLS VPN and SSL VPN? (i.e. What are DTLS VPN’s advantages)

A

DTLS uses UDP instead of TCP. This gives you the security of SSL/TLS, but with the speed of datagrams.

TCP has some great features, but they bring extra overhead that might not always be needed. For example, you don’t need packet reordering or retransmission of lost / dropped data for streaming and VoIP. TCP just gets in the way.

66
Q

RDP stands for ________.

A

Remote Desktop Protocol

67
Q

What is Remote Desktop Protocol (RDP)?

A

A way to share a desktop from a remote location, as if you’re sitting right there at the keyboard. Commonly used by technical support. And scammers. Clients are available for Windows, Mac OS, Linux, and others.

68
Q

VNC stands for ________.

A

Virtual Network Computing

69
Q

What is Virtual Network Computing (VNC)?

A

A remote desktop technology that can be used to take control of a system in order to remotely manage it. In order to do this you must install the VNC server on a system and then remotely connect to it from the VNC client. Clients are available for many operating systems, many of which are open source. Uses the Remote Frame Buffer (RFB) protocol.

[Believe you might use this if trying to access a Mac]

70
Q

What is HTTPS/Management URL?

A

Many network devices such as printers, routers, and switches have the capability to be remotely managed across the network using a web-based interface. This is possible because the device has its own management website that you connect to using the URL specified in the documentation for the device. For example, most home routers use the address http://192.168.1.1

71
Q

What is out-of-band management?

A

A dedicated channel for monitoring, accessing, and managing network devices (e.g. switches, routers) remotely and securely, even when the network is down and you can’t use telnet or SSH. Two common ways to do that:

  • Modem - Dial in to directly manage the device over phone lines. Many devices have an AUX port that can be used to connect a modem.
  • Console router / Communications server - For out-of-band access to multiple devices. Many devices have a console port that gives you access to a command-line interface so that you can administer the device. Typically used to set the initial configuration.
72
Q

What is a PUA?

A

privileged user agreement

Established, and agreed upon, rules of behavior that define what privileged users can and cannot do with their elevated permissions.

73
Q

What is DLP?

A

Data loss prevention

A set of policies and procedures that help prevent information leakage out of the company. e.g. you may have policies that specify to disable external USB drives on a system. Or you may have controls in place to prevent an employee from e-mailing sensitive information externally. Especially important for things like social security numbers, credit card numbers, medical records. Technological solutions on servers and network can watch for and alert on policy violations.

74
Q

What is BYOD?

A

Bring your own device

This policy specifies the rules for employees’ personally owned mobile devices (smartphones, laptops, tablets, and so on) that they bring into the workplace and use to interact with privileged company information and applications. Two things the policy needs to address are onboarding and offboarding.

75
Q

What is AUP?

A

Acceptable use policy

Documentation that specifies what is considered acceptable use of Internet, e-mail, and mobile devices such as smart phones. Employees are typically asked to sign an acceptable use agreement stating that they agree to the terms.

76
Q

What is a System Life Cycle policy?

A

Specifies the lifetime of a device or system and also includes how to properly dispose of the system (called asset disposal). For example, you may specify that when the system has reached its lifetime the hard drives have to be removed from the system for destruction (to prevent leakage of sensitive information that may be on the drive), and then the system can be donated.

Common for organizations to physically destroy these devices (e.g. shredded / pulverized by heavy machinery, drill / hammer through hard drive platters, electromagnetic degaussing to destroy drives and electronics, or incineration by fire)

77
Q

What is an SLA?

A

service level agreement

A contract between a provider of a service and the client that determines the quality of service that needs to be delivered. They stipulate the performance you can expect or demand by outlining the expectations a vendor has agreed to meet. They define what is possible to deliver and provide the contract to make sure what is delivered is what was promised.

SLA requirements are a common part of business continuity and disaster recovery.

(e.g. Comcast Business guarantees a certain amount of uptime)

[Some of these don’t actually belong here, but putting in anyway]

78
Q

What is an MOU?

A

memorandum of understanding

A document that defines an agreement between two parties in situations where a legal contract wouldn’t be appropriate. An MOU defines the duties the parties commit to perform for each other and a time frame for the MOU. An MOU is common between companies that have only occasional business relations with each other. For example, all of the hospitals in a city might generate an MOU to take on each other’s patients in case of a disaster such as a fire or tornado. This MOU would define costs, contacts, logistics, and so forth.

79
Q

What is an MSA?

A

master service agreement

An agreement between two parties that identifies the terms of future transactions between the two parties. You can include standard terms defining the relationship in the MSA, but transaction specific terms can be negotiated per transaction. The general terms of the agreement do not need to be repeated with each transaction because they are in the MSA.

80
Q

What is a SOW?

A

statement of work

A document that describes the type of work, any deliverables, and the timeframe for the work to be completed, and is presented to a client to be agreed upon before the work is started.