Network Components Flashcards

1
Q

What is access control?

A

The process of making resources available to accounts that should have access while limiting the access to only what’s required. This is typically done through an Access Control List (ACL).

2
Q

What is a firewall?

A

It is a component consisting of hardware, software, or both that is placed on computers and networks to help stop undesired access by the outside world. It’s the first line of defense for a network and primarily functions to mitigate threats by monitoring traffic going to and from a network.

3
Q

What is the difference between stateful and stateless firewalls?

A

Stateless firewalls essentially work as a basic ACL filter and do not inspect traffic; they just observe it and allow or deny it based on the ACL. Stateful firewalls perform a deeper inspection that analyzes traffic patterns and data flows. They are better at identifying unauthorized communication attempts.

4
Q

What is best practice for order of firewall rules?

A

Rules can be created for either inbound or outbound traffic. The order of the rules affects how they are applied. The most restrictive rules should be applied first and the least restrictive should follow. Otherwise, if the least restrictive rule is listed first, checking would stop at that first rule.

5
Q

What is implicit deny?

A

It is an access control practice where resource availability is restricted to only logins that are explicitly granted access. Implicit deny is typically used by default in firewall configurations. Access lists have an implicit deny at the end of the list: unless you explicitly permit traffic to pass, it won’t pass.

6
Q

What is the difference between application layer firewalls and network layer firewalls?

A

Application layer firewalls can examine application traffic and identify threats through deep packet inspection techniques, and they function at layer 7 of the OSI model. They are preferred to a network layer firewall.

7
Q

What is a VPN concentrator?

A

A VPN concentrator allows multiple external users to access internal network resources using secure features built into the device. It can encrypt WLAN or wired traffic when the security of login and password info is paramount, preventing that login and password info from being captured. Also, a VPN concentrator allows ACLs to be applied to remote sessions.

8
Q

What is Internet Protocol Security (IPsec)?

A

IPsec secures transmissions between critical servers and clients. It offers authentication services and encapsulation of data through support of the Internet Key Exchange (IKE). It functions at the network layer of the OSI model.

9
Q

IPsec: What is the difference between tunnel mode and transport mode?

A

Transport mode is used between endpoints (like a client and server) or between a gateway and an endpoint (if the gateway is being treated like an endpoint). Tunnel mode is the default mode. It’s mostly used between gateways, like a router and a firewall.

10
Q

IPsec: What is an Authentication Header (AH)?

A

It provides authentication of the data’s sender as well as integrity and nonrepudiation. AH provides authentication for as much of the IP header as possible and for upper-level protocol data. It is IP protocol 51.

11
Q

IPsec: What is Encapsulating Security Payload (ESP)?

A

It supports authentication of the data’s sender and encryption of the data being transferred, along with confidentiality and integrity protection. It is IP protocol 50.

12
Q

What is the difference between SSL/TLS VPNs and IPsec VPNs?

A

SSL/TLS VPNs have simple end-user implementation because they function via a browser and Internet connection. SSL/TLS are “always on” VPNs, meaning the user is always on the network.

13
Q

What are site-to-site VPNs?

A

They are implemented based on IPsec policies assigned to VPN topologies. They connect entire networks to each other. VPN gateways are responsible for setting up and breaking down the encapsulation and encryption of traffic.

14
Q

What is the difference between split tunnel and full tunnel mode for VPNs?

A

Full tunnel routes and encrypts all requests through the VPN. In split tunnel, requests for internal resources are routed over the VPN, while other traffic, like web and email traffic, goes directly to the Internet. Split tunnel is ideal for conserving bandwidth while users are on the Internet and for reducing the load on the VPN concentrator.

15
Q

What is an intrusion detection system (IDS)?

A

An IDS analyzes data, identifies attacks, and responds to the intrusion by sending alerts. It can also identify unauthorized activity and attacks in progress within the network. There are two detection methods: knowledge-based and behavior-based.

16
Q

What are 2 basic types of IDS?

A
A network IDS (NIDS) looks at the info exchanged between machines. It monitors the packet flow and attempts to locate packets that slipped through the firewall but shouldn’t have. Ideal for detecting DoS attacks and unauthorized user access.
The other type is a host-based IDS (HIDS). It looks at info that originates on the individual machine and monitors communications on a host-by-host basis to try to filter malicious data. Ideal for detecting unauthorized file modifications and user activity.

17
Q

What is an out-of-band device?

A

This type of device only listens passively and does not change or affect traffic. Essentially, the system detects a potential security breach, logs the info, and signals an alert after the event occurs.

18
Q

What is a network intrusion prevention system (NIPS)?

A

A NIPS can be either hardware or software based. It differs from an IDS in that it actually prevents attacks instead of just detecting that an attack occurred. NIPSs are designed to sit inline with traffic flows and prevent attacks in real time, between the systems that need to be protected and the rest of the network. NIPS solutions can look at application layer protocols such as HTTP, FTP, and SMTP. This is an in-band device.

19
Q

What is a signature-based detection method?

A

It only detects known signatures or patterns, so a signature must be created for every suspicious activity. It’s a reactive method because an attack must be known before it can be added to the database. It has a lower chance of false alarms compared to behavior-based methods.

20
Q

What is the difference between behavior and anomaly-based detection methods?

A

Both methods use a baseline for network behavior. In behavior-based detection, an established profile is compared to current activity, and the method looks for evidence of compromise rather than the attack itself. In anomaly-based detection, after the application is trained, the established profile is used on real data to detect deviations. Training an application involves inputting and defining data criteria in a database. Heuristic-based methods are similar to anomaly-based ones; they are rule-based and look for abnormal behavior. Their rules are categorized as benign, suspicious, or unknown. Anomaly-based detection is less specific.

21
Q

What is a false positive and a false negative?

A

A false positive is when a typical or expected behavior is identified as irregular or malicious. A false negative is when an alert that should have been generated did not occur.

22
Q

What does a router do?

A

A router receives info from a host and forwards it to its destination on the network or the Internet. Routers maintain tables that are checked every time a packet needs to be redirected from one interface to another. These tables help speed up request resolution so packets can reach their destination more quickly. Routes can be added manually or automatically through a variety of protocols. It operates at the network layer of the OSI model.

23
Q

Explain ACLs in routers

A

Routers can filter packets by source address, destination address, protocol, and port. The filters are essentially ACLs. An ACL is the underlying data associated with a network resource that defines the access permission.

24
Q

How to prevent IP spoofing on a router?

A

There are antispoofing techniques, such as creating a set of access lists that deny access to private IP addresses and local host ranges from the Internet and also using strong protocol authentication.

25
Q

What does a switch do?

A

A switch makes packet forwarding decisions based on MAC addresses. Switches operate at the data link layer (layer 2) of the OSI model and typically connect computers to routers and wiring closets. The basic functions include filtering and forwarding frames, learning MAC addresses, and preventing loops. Managed switches are configurable and allow control over network traffic. Layer 3 switches can perform some functions of a router and give more flexibility than a layer 2 switch.

26
Q

What is port security?

A

It’s a layer 2 traffic control feature on switches. It can be configured to take one of three actions when detecting a violation: shutdown mode (the default), protect mode, or restrict mode. Port security is a deterrent, not a reliable security feature. MAC addresses can be spoofed, and multiple hosts can still easily be hidden behind a small router.

27
Q

What is a floodguard?

A

It’s an advanced firewall guard feature used to control network activity associated with DoS and DDoS attacks. It controls how the authentication, accounting, and authorization services handle bad login attempts that are tying up connections. It allows firewall resources to be reclaimed automatically if the authentication subsystem runs out of resources, defeating the DoS or DDoS.

28
Q

What is a bridge?

A
Typically used when two different network types need to be accessed. It provides some network layer functions, like route discovery, and forwarding at the data link layer.
Types of bridges:
Transparent basic bridge
Source routing bridge
Transparent learning bridge
Transparent spanning bridge
29
Q

What is Spanning Tree Protocol (STP)?

A

Used on layer 2 devices, it’s a link management protocol that provides path redundancy while preventing undesirable loops in the network. STP is designed to detect and prevent loops, including on managed switches.

30
Q

What is a proxy server?

A

It’s a go-between for the network and the Internet. Used for security, logging, and caching. There are several types of proxy servers: forward, reverse, transparent, caching, multipurpose, and application proxy servers.

31
Q

What is the difference between a caching proxy server and a transparent proxy server?

A

A caching proxy server will filter through requests and check the local cache for previously downloaded web pages each time the proxy server receives a request for Internet service (on ports 80 or 443). You can also block content from websites that you don’t want users to access. It has faster response times, since content is stored locally, and makes better use of bandwidth.
A transparent proxy server is a caching server that doesn’t require client-side configuration; the client is not aware of the proxy server. This proxy redirects client requests without modifying them. They can help reduce bandwidth and client configuration overhead in large networks. Ideal for schools and libraries. AKA inline, intercepting, or forced proxies.

32
Q

What is a bastion host?

A

It’s an exposed server that provides public access to a critical service (like a proxy, web, or email server). It can be configured to isolate it from the internal network and to report attacks to the network admin. It’s typically located in the DMZ.

33
Q

What is the difference between a web application and multipurpose proxy?

A
A web application proxy is used when a client and server are unable to connect due to some compatibility issue, like security authentication. Application proxies must support the application for which they are running the proxy function, and they do not encrypt data.
Multipurpose proxies (AKA universal application level gateways) can run on various OSs and allow multiple protocols to pass through. They can convert between IPv4 and IPv6 addresses. Multipurpose proxy servers are used for caching, converting pass-through traffic, and handling access control.
34
Q

What is the difference between a reverse and forward proxy server?

A

Both forward and reverse proxy servers add a layer of security to the network by controlling traffic to and from the Internet. They both act as an intermediary for requests between source and destination hosts.
A forward proxy controls traffic coming from clients on the internal network that is destined for hosts on the Internet. It enforces security on internal client computers, since client requests are required to pass through the proxy before accessing Internet resources.
A reverse proxy is a server-side concept for caching static HTTP content when a server accepts requests from external Internet clients. It is meant to increase the efficiency and scalability of the web server by providing load balancing services. It is used to enforce web app security and mitigate data leaks.

35
Q

What is a load balancer?

A

It’s essentially a reverse proxy server configured in a cluster to provide scalability and high availability. It distributes the workload among multiple servers while providing a mechanism for server availability by health checking each server. The cluster appears as a single server to clients. If a server or app fails, the load balancer will provide automatic failover to ensure continuous availability.

36
Q

What is session affinity?

A

A method where all requests in a session are sent to a specific app server by overriding the load balancing algorithm. It ensures all user requests during the session are sent to the same instance and enhances app performance by using in-memory caching. AKA sticky sessions.

37
Q

What is an active/passive configuration for a load balancer?

A

All traffic is sent to the active server. If the active server goes down, the passive server is promoted to active.

38
Q

What is an active/active configuration for a load balancer?

A

Two or more servers work together to distribute the load to network servers.

39
Q

What is an access controller (AC)?

A

A physical device that communicates with each access point (AP). A centralized AC can provide management, configuration, encryption, and policy settings for WLAN access points.

40
Q

What are the 3 main types of wireless APs?

A
  1. Fat AP (aka intelligent AP): all-inclusive and carries everything needed to manage wireless clients. Can be used alone without an AC, which makes them expensive (powerful hardware needed).
  2. Fit AP: a scaled-down version of the Fat AP, but needs an AC for control and management.
  3. Thin AP (aka intelligent antenna): a radio and an antenna controlled by a WLAN controller.
41
Q

Why is antenna placement important?

A

Physical placement and transmit power adjustments can make it harder for intruders to stay connected to your APs.
Transmit power control is a mechanism used to prevent too much unwanted interference between wireless networks.

42
Q

What is MAC filtering?

A

It’s a security access control method where the MAC address is used to determine access to the network. Only devices with MAC addresses configured in the wireless router or AP are allowed to connect. It uses blacklists and whitelists.

43
Q

What do security info and event management (SIEM) tools do?

A

SIEM tools collect, correlate, and display data feeds that support response activity. They have three main functions:

  1. Centrally managing security events
  2. Correlating and normalizing events for context and alerting
  3. Reporting on data gathered from various applications
44
Q

What is aggregation?

A

Individual log sources can generate more than 100k events each day, so it’s important to consider how much to log. Aggregation reduces the event data load and improves efficiency by pulling data from many networks and consolidating it so that important events are not missed.

45
Q

What is the main goal of using a correlation engine?

A

It’s to build events of interest (EOI) that can be flagged by other criteria or that allow for the creation of incident identification. The correlation engine uses the following techniques to create EOIs:
Pattern matching, anomaly detection, Boolean logic, and a combination of Boolean logic and context-relevant data

46
Q

What is data loss prevention?

A

DLP is a way of detecting and preventing confidential data from being exfiltrated physically or logically from an organization, by accident or on purpose. These systems are designed to detect and prevent unauthorized use and transmission of confidential info based on the 3 states of data: in use (endpoint solution), in motion (network solution), or at rest (storage solution).

47
Q

How can DLP help in cloud implementation?

A

DLP can help with data migration control, data protection, and data leakage. Data leakage can occur when a data distributor gives sensitive data to a third party. Best practices to prevent this include active data monitoring, encryption, policy-based access controls, and centralized administration.

48
Q

What does a network access control (NAC) do?

A

It secures the environment by examining the user’s machine and then granting or denying access based on the results. Used for guest network services, endpoint baselining, identity-aware networking, monitoring, and containment.

49
Q

What are the components of NAC?

A
  1. Access requestor (AR): Device that requests access
  2. Policy decision point (PDP): System that assigns policy based on the assessment and determines what access should be granted
  3. Policy enforcement point (PEP): Device that enforces policy
50
Q

NAC: What is agent integration?

A

Agents are installed on devices enrolled in the NAC system. They report back to the NAC policy server with detailed info about connected devices so it can enforce policies.

51
Q

What is a dissolvable agent?

A

AKA portal-based agents. Dissolvable agents provide one-time authentication and then disappear after reporting info to the NAC.

52
Q

What is agentless integration?

A

It’s implemented through embedded code within an Active Directory controller. The NAC code verifies that the end device complies with the access policy when a user joins the domain, logs in, and logs out of the domain.

53
Q

What is an SSL accelerator and decryptor?

A

An SSL accelerator is a separate network appliance that acts as an intermediary between a user and a server. It accepts SSL connections from the user and sends the connection on to the server unencrypted.
SSL decryptors decrypt the sessions and forward the data to the appropriate device to inspect it. Analyzing the content is a joint effort that includes devices like IDS/IPS, firewalls, secure web gateways, and DLP solutions.

54
Q

What is a hardware security module (HSM)?

A

It’s a type of cryptoprocessor that manages digital keys, accelerates cryptographic processes, and provides strong access authentication for critical application encryption keys. Physically, it comes in the form of slotted cards or external devices that can be attached directly to a network. They can also be embedded.