Network Logging and Monitoring

Question 1

Only routers can stop broadcast traffic. TRUE of FALSE?

Answer 1

False. Switches can too but not by default

Question 2

What’s the name of Microsoft’s graphical utility used to capture network traffic called? In order to use it what capability does your NIC need to have?

Answer 2

Network Monitor

NIC needs to operate in promiscuous mode

Question 3

What OSI layer does SNMP work at?

Answer 3

Layer 7

Question 4

SNMP agents send what kind of messages about them to the what?

Answer 4

SNMP Trap messages to the Network Management Station (NMS)

Question 5

The NMS solicits for what on an SNMP agent using what type of message?

Answer 5

Solicits for an Object ID (OID) using SNMP GET

Question 6

In SNMP, what are SET messages used for?

Answer 6

configuring agents

Question 7

What SNMP message gathers many types of info at once to cut down on multiple GET messages?

Answer 7

GET BULK

Question 8

Which version of SNMP uses plain-text authentication with MD5/SHA, no encryption and uses UDP by default?

Answer 8

SNMPv2c

Question 9

what utility allows you to log events based on 8 (0-7) severity levels?

Answer 9

syslog

Question 10

By default, what two places do all system messages and debug output generated by the IOS go out of?

Answer 10

Console Port and RAM buffer

Question 11

List the top 4 (by urgency) severity states by number and description

Answer 11

0 - Emergency (lowest level)
1 - Alert
2 - Critical
3 - Error

Question 12

List the lower 4 severity states by number and description

Answer 12

4 - Warning
5 - Notification
6 - Information
7 - Debugging

Question 13

If you configure severity level 03, what levels of severity will you be notified on?

Answer 13

0 through 3

Question 14

SIEM provides what?

Answer 14

real-time analysis of security alerts generated by network hardware applications

Question 15

Regarding security event management:
What term is used to describe the long-term storage, analysis and reporting on log data?
What term is used to describe the management of real-time monitoring and correlation of events?

Answer 15

Security Information Management (SIM)
Security Event Management
(SIM, SEM and SIEM are often used interchangeably)

Question 16

What software monitoring products are used exclusively by security network admins?

Answer 16

SIEM (security information and event management) software products

Question 17

When I a SIEM alert is triggered and notification generated, who typically addresses the problem?

Answer 17

The Security Operations Centre

Question 18

List the 3 types of system event logs?

Answer 18

1) Application
2) Security
3) System

Question 19

Windows Server 2008 offered what optional monitoring and optimization tool?

Answer 19

System Centre Operations Manager 2010

Question 20

Utilization cover what 3 things?

Answer 20

1) Wired/Wireless Bandwidth utilisation
2) Server/Host activity utilisation
3) wireless channel utilisation

Question 21

what standard, originally developed for the sendmail project and used by Unix facilitates the transmission of log entries generated by a device across an IP network to a message collector?

Answer 21

Syslog

Question 22

Which Microsoft tool checks the baseline configuration for it’s operating systems?

Answer 22

MS Baseline Security Analyzer (MBSA). But now replaced by Microsoft Security Compliance Toolkit (SCT)

Question 23

Which Microsoft application is used for all kinds of Microsoft OS and product updates and which is used for application patches?

Answer 23

WSUS (Windows Server Update Services) for OS updates

SCCM (Systems Centre Configuration Manager)

Question 24

log entry, sending an email, or sending a text message in response to an alert are forms of what?

Answer 24

Notifications

Question 25

What is being described below?
the database of the Object IDs published by the vendor of a network device that SNMP uses to collect data about the device.

Answer 25

Management Information Base of SNMP

Question 26

When capturing error rate measurements, what is actually measured?

Answer 26

How many frames are received where the CRC check fails

Question 27

What can bad connections on the receive pair or dirty optical connection cause?

Answer 27

High Error rate/CRC failures

Question 28

It’s common to see error rates on the transport layer when what mechanism is being used?

Answer 28

TCP offload. (e.g. used by iSCSI)

Question 29

Packet drops is a measurement at what layers?

Answer 29

Transport or Network!
At Network layer Collected as a percentage of total ICMP packets sent/lost
Transport layer uses an incremental counter.
High packet loss is a sign of network congestion or connectivity issue at sending host.

Question 30

Erroneous frames SENT can’t be measured because hosts don’t report it, what can be used as a proxy metric for it?

Answer 30

Error Rate