Network Hardening Techniques Flashcards

1
Q

Footprinting

A
  • Enumeration or information-gathering attack
  • Allows a threat actor to discover the topology and configuration of the network and its security
  • Can be done through social engineering or port scanning, for example
2
Q

Fingerprinting

A
  • Identifies OS types and versions
  • Uses port scans or responses from application servers
3
Q

On-Path attack

A
  • A kind of spoofing attack
  • Compromises the connection between two hosts
  • Intercepts and relays communication between them
  • Could modify the information as well
  • Also known as a Man-in-the-Middle attack
4
Q

MAC or IP Spoofing

A
  • A host can arbitrarily select an address and attempt to use it on the network
  • Used to get around access control lists or to impersonate a host
  • Usually the legitimate host must be disabled
  • Also used in DoS attacks
5
Q

ARP Spoofing

A
  • Broadcasting unsolicited ARP reply packets with a source address that spoofs a legitimate host or router
  • All devices trust it because ARP has no security
  • The usual target is the subnet's default gateway
  • If successful, all traffic will be sent to the attacker instead
  • They can then read, manipulate, or not forward packets (DoS attack)
6
Q

Rogue DHCP

A
  • On-path attack run by launching a rogue DHCP server
  • DHCP communications are not authenticated, so a host will trust the first reply it receives
  • The attacker can then change DHCP options
7
Q

DNS Poisoning

A
  • Compromises the name resolution process
  • Replaces the valid IP of a trusted website with the attacker's IP
  • The attacker can then redirect traffic or steal information
  • Can also be done by changing the servers that resolve queries
8
Q

VLAN Hopping

A
  • Designed to send traffic to the wrong VLAN
  • Can double-tag frames so they go to the wrong VLAN
  • Mitigated by ensuring the native VLAN uses a different ID from any user-accessible VLAN
  • Can also be done by attaching a device that spoofs the operation of a switch and creates a trunk port
  • Mitigated by preventing auto-configuration of trunk ports
9
Q

Deauthentication attack

A
  • Sends a stream of spoofed management frames to disconnect clients from the AP
  • May allow an attacker to interpose an evil twin AP or perform a DoS attack
  • Mitigated with Management Frame Protection (MFP, 802.11w)
10
Q

DDoS

A
  • DoS attack launched by many hosts at once
  • Can consume network bandwidth or cause resource exhaustion
11
Q

DRDoS

A

Distributed Reflection DoS/Amplification Attack

  • Powerful type of TCP SYN flood attack
  • Spoofs the source IP address and attempts to open connections with many servers
  • The servers direct their SYN/ACK responses to the victim server
  • The same can be done with responses to DNS requests
12
Q

Hardening

A
  • Deploying devices in secure configuration
  • Changing default passwords / enforcing password requirements
  • Role-based access
  • Disabling unneeded network services and protocols
13
Q

Endpoint security

A
  • Security procedures at the device level
  • Contrasts with perimeter security, but supplements it
14
Q

Disabling Switch Ports

A
  • Turning off unneeded switch ports or assigning them to a black hole VLAN
  • Not the best method, as it can introduce other errors
  • An attacker can also potentially unplug a device from an active port
15
Q

MAC Filtering and Dynamic ARP Inspection

A
  • Defining the MAC addresses that are permitted on a particular port
  • Attackers can use spoofed MACs
  • Dynamic ARP Inspection prevents a host attached to an untrusted port from flooding the network with ARP replies
16
Q

DHCP Snooping

A
  • Causes the switch to inspect DHCP traffic arriving on access ports to ensure the MAC address is not being spoofed
  • Can also be used to stop rogue DHCP servers
17
Q

ND Inspection and RA Guard

A
  • Perform similar functions to DAI and DHCP Snooping for IPv6
18
Q

Port Security

A
  • Refers to PNAC (Port-based Network Access)
  • The switch performs authentication before activating the port
  • The device requesting access is the supplicant
  • The authenticator (switch) enables EAP over LAN and waits for authentication data
  • The data is verified by an authentication server such as RADIUS
19
Q

PVLAN

A

Private VLAN

  • Restricts the ability of hosts within a VLAN to communicate with each other
  • Used by hosting companies to stop servers owned by different companies from communicating
20
Q

Default VLAN

A
  • VLAN with ID 1
  • All switch ports default to this VLAN
  • Should be left unused, and unused ports should not be assigned to VLAN 1
21
Q

Native VLAN

A
  • Where any untagged traffic received over a trunk port is placed
  • Initially set with the same VID as the default VLAN
  • This should be changed
22
Q

Implicit Deny

A
  • Default rule on a firewall
  • Blocks all traffic not matched by a rule
23
Q

Tuple

A
  • A parameter by which traffic is blocked or allowed on a firewall
24
Q

Control Plane Policing

A
  • Policy designed to mitigate the risk from route processor vulnerabilities
  • Malicious worms or tools may appear to be high-priority traffic on the control plane
  • This can place high demands on the routers and switches managing control plane traffic
  • ACLs and rate limiting can be used to address these issues
25
Q

PSKs

A

Preshared Keys

  • Group authentication allows stations to connect to the network using a passphrase
26
Q

EAP

A

Extensible Authentication Protocol

  • Allows users to authenticate against a RADIUS server using their regular network credentials