network hardening Flashcards

1
Q

What are private VLANs used for?

A

PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from one another.

2
Q

Primary / secondary community / secondary isolated VLAN

A

The private VLAN always has one primary VLAN. Within the primary VLAN you will find the promiscuous port (connected to the router). All other ports are able to communicate with the promiscuous port.

Within the primary VLAN you will encounter one or more secondary VLANs:

Community VLAN: All ports within the community VLAN are able to communicate with each other and the promiscuous port.

Isolated VLAN: All ports within the isolated VLAN are unable to communicate with each other but they can communicate with the promiscuous port.

3
Q

What is a private VLAN?

A

VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by splitting the broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside a primary VLAN. PVLANs restrict traffic flows through their member switch ports (called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other.

4
Q

P (prom/ promiscuous) port

A

Promiscuous trunk port: a promiscuous port is a trunk port connected to a router, firewall, server, or provider network that can communicate with all interfaces, including the isolated and community ports within a PVLAN.

5
Q

Host ports (private VLANs)

A

C-port (community)

I-port (isolated)

6
Q

DAI

A

Dynamic ARP Inspection (DAI) is a security feature in MS switches that protects networks against man-in-the-middle ARP spoofing attacks.

DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping table on the switch to validate ARP packets.

7
Q

What is DHCP snooping?

A

DHCP snooping is a layer 2 security technology built into a switch that drops DHCP traffic determined to be unacceptable.

The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks for malicious purposes.

8
Q

Where is DHCP snooping data stored?

A

In the DHCP snooping binding table (MAC address -> IP address).

9
Q

IPv6 autoconfiguration process

A

An IPv6 client can autoconfigure in two ways: either by receiving a periodic ICMP Neighbor Discovery Router Advertisement packet, or by sending out an ICMP Neighbor Discovery Router Solicitation packet, which will be answered by the aforementioned ICMP ND RA packet.

This router advertisement packet will contain the Source Address and Prefix Information. A misconfigured device could advertise its own link-local address as the source address to perform a man-in-the-middle attack, or incorrect prefix information to perform a denial-of-service attack.

This attack is effective against networks running SLAAC and DHCPv6 because both rely on the ICMP ND RA packet to advertise the default gateway for a particular LAN segment.

10
Q

Router advertisement guard

A

The IPv6 RA L2 guard feature runs on switches and can filter router advertisements. This can be as simple as “don’t allow RAs on this interface” or as complex as policies where router advertisements are only permitted when they match certain criteria.

RA Guard is configured on switches to block router advertisements from untrusted ports. This is used similarly to DHCP Snooping in IPv4 deployments. The process of implementing RA Guard is to create a policy and then apply it inbound on an interface.

11
Q

CoPP (Control Plane Policing)

A

QoS feature on routers and switches that limits certain types of traffic in order to protect the CPU (e.g. limit ICMP packets to 8000b per second).

–> filtering and rate limiting

Packets handled by the main CPU: routing protocols, VRRP, SNMP, SSH, AAA, syslog, ISAKMP.

12
Q

ACL best practices

A
  1. block incoming requests from unknown private, loopback or multicast ranges
  2. block incoming requests using protocols that should only be used internally (e.g. SMB file sharing)
  3. block all IPv6 traffic, or allow it only between authorised hosts and ports (beware of dual-stack misconfiguration)

13
Q

What security feature can help prevent an attacker from sending incorrect SLAAC information to a client?

A

Router Advertisement (RA) Guard is an Ethernet switch security feature that can prevent an attacker from sending RA messages into the attacker’s switch port. If the attacker were successful, they might convince a client that the attacker’s computer was the victim’s default gateway. Or, when an IPv6 endpoint was generating its IP address via SLAAC, it could receive incorrect information about its network segment from the malicious RA messages.

14
Q

You are setting up a policy that allows employees to use their own devices to access internal resources from anywhere in the building, using the wireless network. You are going to use WPA2 encryption with 802.1X to authenticate users. You need to set up a centralized server that stores credentials and allows or denies network access based on username/password combination. Which protocol should the server run?

A

RADIUS (Remote Authentication Dial-in User Service) is an open standard that many devices can use to authenticate into a network. RADIUS works well with 802.1X and EAP (Extensible Authentication Protocol), which are protocols used for authenticating into wireless networks.

TACACS+ is, for the most part, Cisco proprietary and is commonly used on infrastructure devices.

Kerberos is an authentication protocol that leverages the use of tickets to authenticate network devices over unsecured networks.

15
Q

Which network authentication protocol supports single sign-on and uses tickets to determine admission to a resource?

A

Kerberos is an authentication protocol that leverages the use of tickets to authenticate network devices over unsecured networks. Kerberos also supports single sign-on (SSO).

16
Q

Which of the following wireless security protocols uses RC4 with TKIP?

A

TKIP (Temporal Key Integrity Protocol) was created to quickly solve the security problems that arose with WEP. Although TKIP did solve some problems, numerous problems still existed. Thus, CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) was created. This protocol is based on AES and is used to remedy the weaknesses of WEP with TKIP.

17
Q

Which protocol replaces TKIP because of its many vulnerabilities?

A

CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) is an encryption protocol used with WPA2. CCMP replaced the functionality of TKIP (Temporal Key Integrity Protocol) in WPA2.

18
Q

Which type of attack involves spoofing a source address and making numerous small name resolution requests resulting in a large payload towards a device?

A

A DDoS (Distributed Denial of Service) amplification attack is an attack triggered by a botnet formed by computers infected with malware. When a C&C (Command and Control) server sends a message to the botnet, the computers initiate a request to a server with a spoofed source IP address. Afterward, the server responds to the spoofed address, thus turning a multitude of small requests into a large payload. This attack can be done with DNS (Domain Name System) or NTP (Network Time Protocol) servers. DNS poisoning involves manipulating packets containing DNS information, typically for malicious purposes.

19
Q

Nestor, a security administrator, wants to help prevent future attacks on the network. He wants to set up a dummy network in which network devices appear as if they contained legitimate information. With this, he wants to track how attackers might try to break into the systems and gather information on how to further protect the production network. Which of the following should Nestor implement?

A

A honeynet is a computer network that intentionally has vulnerabilities embedded into it for the sole reason of analyzing how an attacker would attempt to breach a network. Honeynets contain honeypots (a single system intentionally made insecure to bait attackers). A honeypot isn’t the correct answer, as a honeypot is just a single system; a honeypot isn’t a network of devices full of vulnerabilities.

20
Q

You have been asked to secure network devices so that everyone must authenticate before modifying any parameters. You also want the access control to be granular and authorize only certain people to be able to change specific settings when necessary. You also need a centralized database to track usernames, device permissions, and accounting information. Which protocol should you use?

A

TACACS+ (Terminal Access Controller Access Control System Plus) works on the basis of the AAA framework to provide Authentication, granular Authorization, and accounting features.

RADIUS (Remote Authentication Dial In User Service) offers many of the same features as TACACS+ but doesn’t offer authorization features.

Single Sign-On (SSO) is used to allow a user to authenticate once and access various resources.

Kerberos is an authentication protocol that leverages the use of tickets to authenticate network devices over unsecured networks.

21
Q

What is a DNS amplification attack?

A

DNS amplification is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers.

DNS amplification is a type of reflection attack which manipulates publicly accessible domain name systems, making them flood a target with large quantities of UDP packets. Using various amplification techniques, perpetrators can “inflate” the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.

22
Q

ARP poisoning can be prevented by which of the following?

A

Dynamic ARP Inspection (DAI) is used to inspect an ARP packet to make sure it is legitimate.

23
Q

Which of the following settings on a switch helps prevent a change of its current Root Bridge?

A

Root Guard is a switchport feature used to prevent another switch, connected to the port on which the feature is enabled, from changing the current root bridge.

BPDU Guard is a Cisco feature that shuts down a port if a BPDU is received. This feature is useful in a situation where hosts are attached to a switch, as a user could accidentally plug in their own switch and cause a layer 2 loop.

24
Q

What is a BPDU?

A

A bridge protocol data unit (BPDU) is a data message transmitted across a local area network to detect loops in network topologies. A BPDU contains information regarding ports, switches, port priority and addresses.

BPDUs contain the information necessary to configure and maintain the spanning-tree topology. They are not forwarded by switches, but the information is used by switches to calculate their own BPDUs for information passing.

25
Q

What is Root Guard?

A

RootGuard will make sure you don’t accept a certain switch as a root bridge. BPDUs are sent and processed normally, but if a switch suddenly sends a BPDU with a superior bridge ID you won’t accept it as the root bridge. Normally SW2 would become the root bridge because it has the best bridge ID; fortunately we have RootGuard on SW3, so it’s not going to happen!

26
Q

You want to configure an authentication protocol that allows employees to access various server resources. With simplicity in mind, you only want employees to authenticate once and not be prompted to authenticate again when accessing other servers in the network. Which of the following protocols should you implement to best achieve this?

A

Kerberos is an authentication protocol that leverages the use of tickets to authenticate network devices over unsecured networks. Kerberos is largely used in places where hosts need access to servers.

LDAP is an open standard protocol used for querying and accessing directory services. RADIUS (Remote Authentication Dial In User Service) offers many of the same features as TACACS+ but doesn’t offer authorization features.

27
Q

!!!

Which of the following features err-disables a switch port when a BPDU is received?

A

BPDU Guard is a Cisco feature that shuts down a port if a BPDU is received.

BPDU filter is a switchport feature that prevents sending and receiving of BPDUs on a port.

28
Q

What is the name of the device in 802.1X that serves as a proxy between the end device and the authentication server?

A

802.1X defines three parties: Supplicant, Authenticator, and Authentication Server. The supplicant provides authentication credentials, and this is typically a host. An Authenticator relays communication between the supplicant and the authentication server. This device can be an AP (Access Point) or a switch. Finally, the Authentication Server is a server that receives and responds to requests from an authenticator, allowing or denying connection requests.