Network Security Fundamentals Flashcards

1
Q

What are the layers in the Cisco three layer model?

A

The Cisco three-layer model, also known as the Cisco hierarchical network model, is a framework for designing scalable and reliable networks. It divides network infrastructure into three distinct layers, each with specific functions:

  1. Core Layer:
    • Function: The backbone of the network, responsible for high-speed, reliable transport between the distribution blocks. The core moves large volumes of traffic between different parts of the network as fast as possible.
    • Key Characteristics: High-speed switching, redundant paths and devices, and minimal latency. Work that slows forwarding, such as ACL filtering, QoS classification and NAT, is kept out of the core and done at the distribution layer instead.
  2. Distribution Layer:
    • Function: Acts as the intermediary between the core and access layers. The distribution layer aggregates the access switches, routes between VLANs, and is where filtering and policy are applied. It controls the flow of data between the access layer (where end devices connect) and the core.
    • Key Characteristics: Policy enforcement, security filtering (ACLs), VLAN boundaries and inter-VLAN routing, route summarisation. It often includes redundancy and load balancing to maintain network stability.
  3. Access Layer:
    • Function: The layer where end devices, such as computers, printers and IP phones, connect to the network. It provides user connectivity and the services that go with it, such as port-based authentication (802.1X).
    • Key Characteristics: Port security, VLAN assignment, QoS (Quality of Service) marking, and PoE (Power over Ethernet). The access layer focuses on connecting devices and ensuring they are securely admitted to the network.

These three layers work together to create a scalable, manageable, and resilient network structure.

2
Q

What are the layers in the TCP/IP stack?

A

The TCP/IP stack, also known as the TCP/IP model or Internet protocol suite, consists of four layers. Each layer wraps the data handed down from the layer above in its own header (encapsulation) and passes it to the layer below:

  1. Application Layer:
    • Function: Provides network services directly to user applications. It handles high-level protocols and defines how applications communicate over the network.
    • Key Protocols: HTTP, FTP, SMTP, DNS, and others.
  2. Transport Layer:
    • Function: Delivers data between processes on the two end hosts, identified by port numbers. TCP adds connection setup, ordering, flow control and retransmission of lost segments; UDP provides none of these, only a checksum and lower overhead.
    • Key Protocols: TCP (reliable, connection-oriented) and UDP (connectionless, best-effort).
  3. Internet Layer:
    • Function: Handles the logical addressing and routing of packets across networks, so that they reach the correct destination host.
    • Key Protocols: IP (Internet Protocol) and ICMP (Internet Control Message Protocol). ARP (Address Resolution Protocol), which maps IP addresses to link-layer addresses, is listed at this layer by many texts, although RFC 1122 places it in the link layer below.
  4. Network Interface (Link) Layer:
    • Function: Manages the transmission of frames over the network hardware, such as cables and wireless signals. It covers what the OSI model splits into the data link and physical layers.
    • Key Protocols: Ethernet, Wi-Fi (IEEE 802.11), and other protocols related to hardware interfaces.

These layers work together to facilitate the transmission of data across networks, from high-level application communication down to the physical movement of data packets.

3
Q

What are the layers in the OSI model?

A

The OSI (Open Systems Interconnection) model is a conceptual framework that standardises the functions of a telecommunication or computing system into seven distinct layers. Each layer serves a specific role in the process of network communication:

  1. Physical Layer (Layer 1):
    • Function: Handles the physical connection between devices, including the transmission of raw binary data over a physical medium (such as cables or wireless signals). It defines hardware elements like cables, switches, and network interface cards.
  2. Data Link Layer (Layer 2):
    • Function: Responsible for node-to-node data transfer across a single link and for error detection (a frame check sequence; corrupted frames are discarded rather than repaired). It packages bits from the Physical Layer into frames, addresses them with MAC addresses, and manages access to the shared medium.
    • Key Protocols: Ethernet, PPP (Point-to-Point Protocol), the IEEE 802.11 MAC. MAC (Media Access Control) is the sublayer of Layer 2 that handles addressing and medium access rather than a protocol in its own right.
  3. Network Layer (Layer 3):
    • Function: Manages logical addressing and routing of data packets across multiple networks. It determines the best path for data to travel from source to destination.
    • Key Protocols: IP (Internet Protocol), ICMP (Internet Control Message Protocol).
  4. Transport Layer (Layer 4):
    • Function: Provides end-to-end data transfer between processes on the end systems. With TCP this includes error detection, flow control, and retransmission of lost segments; UDP offers only port addressing and a checksum.
    • Key Protocols: TCP (Transmission Control Protocol), UDP (User Datagram Protocol).
  5. Session Layer (Layer 5):
    • Function: Manages sessions or connections between applications, handling the opening, closing, and managing of communication sessions.
    • Key Concepts: Session establishment, maintenance, and termination.
  6. Presentation Layer (Layer 6):
    • Function: Translates data between the application layer and the network format. It handles data encryption, compression, and formatting, ensuring that data is in a usable format.
    • Key Concepts: Data translation, encryption, and compression.
  7. Application Layer (Layer 7):
    • Function: Provides network services directly to end-user applications. It is the layer closest to the user, where network interactions take place.
    • Key Protocols: HTTP, FTP, SMTP, DNS, and many others.

These seven layers work together to facilitate communication between devices over a network, with each layer serving a distinct role in the process.
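The two models above both describe encapsulation: the link-layer header wraps the IP header, which wraps the TCP header, which wraps whatever the application sent. As an added example (not part of the original flashcards), the Python below decodes a frame one layer at a time and verifies the IPv4 header checksum along the way. The frame is constructed by the script itself rather than captured, using addresses from the documentation ranges; the field offsets follow the Ethernet II, RFC 791 and RFC 793 header layouts.

```python
"""Decode a constructed Ethernet II / IPv4 / TCP frame layer by layer.

Added example; not from the original flashcards. The frame is constructed by
build_sample_frame() so the script runs offline; no real capture is used.
"""
import struct
from dataclasses import dataclass


@dataclass
class Decoded:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    checksum_ok: bool
    src_port: int
    dst_port: int
    flags: str
    payload: bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's complement of the one's-complement sum of the header's 16-bit words.
    Run over a header that already carries a correct checksum, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame: bytes) -> Decoded:
    # Link layer: Ethernet II header is 14 bytes (dst MAC, src MAC, EtherType).
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    # Internet layer: IPv4 header; the IHL nibble gives its length in 32-bit words.
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto, wire_csum = struct.unpack("!BBH", ip[8:12])
    # Verify the header checksum: recompute with the checksum field zeroed.
    checksum_ok = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == wire_csum
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    # Transport layer: TCP header; the data offset gives its length in 32-bit words.
    tcp = ip[ihl:]
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
    flags = ",".join(n for i, n in enumerate(names) if off_flags & (1 << i))
    return Decoded(
        dst_mac=dst_mac.hex(":"), src_mac=src_mac.hex(":"),
        src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
        ttl=ttl, checksum_ok=checksum_ok, src_port=src_port, dst_port=dst_port,
        flags=flags, payload=tcp[data_offset:],   # application layer: whatever was sent
    )


def build_sample_frame(payload: bytes = b"") -> bytes:
    """Constructed frame: a TCP SYN from 192.0.2.10:40000 to 198.51.100.20:443."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0) + payload
    ip_fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                 bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])]
    ip_fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))   # fill checksum
    return eth + struct.pack("!BBHHHBBH4s4s", *ip_fields) + tcp


if __name__ == "__main__":
    print(decode_frame(build_sample_frame(b"GET / HTTP/1.1\r\n")))
```

Each layer only looks at its own header and hands the rest up, which is why a firewall that inspects "Layer 3 and 4" sees addresses, ports and flags but not the HTTP request in the payload.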

4
Q

What are the two types of switches?

A

The two main types of switches in networking are:

  1. Unmanaged Switches:
    • Function: Simple plug-and-play devices that need no configuration. They learn MAC addresses and forward frames between devices on the same network without user intervention, and are used in small networks or for basic connectivity where advanced features are not needed. From a security standpoint there is nothing to configure: no VLANs, no port security, no logging, so none of the switch hardening discussed later can be applied to them.
  2. Managed Switches:
    • Function: Offer a management interface (CLI, web or SNMP) and advanced features that allow control and customisation of the network: VLAN configuration, Quality of Service (QoS), port mirroring for monitoring, port security, and remote management. They are used in larger or more complex networks where performance, security and monitoring matter. The management interface is itself an attack surface and should be reachable only from a management VLAN, over encrypted protocols, with default credentials changed.

Both types of switches are essential in different networking scenarios, with unmanaged switches being more suitable for simple environments and managed switches for more complex, controlled, and scalable networks.

5
Q

What are the main functions of a network router?

A

Path Determination:
- Function: A router’s primary function is path determination: it builds and maintains a routing table, a database of known networks and how to reach them, from its directly connected interfaces, static routes and dynamic routing protocols. Where several routes to the same destination exist, the router chooses the best one by administrative distance and metric.

Packet Forwarding:
- Function: The second key function is packet forwarding. When a router receives a packet on one interface, it looks up the destination address in the routing table using the longest matching prefix, decrements the TTL, and sends the packet out of the chosen interface towards the next hop. A packet whose destination matches no route (and no default route) is discarded. This is also the point at which ACLs and other per-packet checks are applied.

6
Q

What are the common vulnerabilities associated with network switches and routers?

A

Common Vulnerabilities Associated with Switches and Routers:

  1. MAC Address Table Flooding (Switches):
    • Vulnerability: Any switch, managed or not, learns source MAC addresses into a table of finite size. An attacker sends frames with thousands of fake source MACs until the table is full and legitimate entries are evicted; frames for those stations are then flooded out of every port, as a hub would, and the attacker can capture traffic that the switch would normally deliver only to its destination port. Port security, which limits the MACs learned per port, is the usual countermeasure.
  2. VLAN Manipulation (Switches):
    • Vulnerability: Weak VLAN configuration lets an attacker reach other VLANs and bypass segmentation, for example by negotiating a trunk on an access port that still has dynamic trunking enabled, or by double-tagging frames so that the inner tag is honoured by the next switch. Unused ports should be placed in an unused VLAN and trunk negotiation disabled on access ports.
  3. Service Exploits (Routers):
    • Vulnerability: Management and neighbour-discovery services running on the router can be abused. Discovery protocols such as CDP and LLDP, when left enabled on untrusted interfaces, advertise the platform, software version and addressing of neighbouring devices, information that guides further attacks.
  4. Buffer Overflows (Routers):
    • Vulnerability: Malformed or oversized packets, the classic case being an ICMP echo request that reassembles to more than the maximum IP datagram size (the "Ping of Death"), can overflow buffers in the router’s IP stack and crash or hang the device, a denial of service (DoS).
  5. Routing Table Manipulation (Routers):
    • Vulnerability: If routing protocol updates are accepted unauthenticated, an attacker can inject or alter routes, drawing traffic through a path they control for man-in-the-middle interception or black-holing it for DoS. Authenticating routing updates and accepting them only on trusted interfaces is the defence.

These vulnerabilities highlight the importance of securing both switches and routers to prevent unauthorised access, data interception, and service disruptions within a network.

7
Q

What are the different types of network media and their associated vulnerabilities?

A

Types of Network Media and Their Vulnerabilities:

  1. Twisted Pair Cable (Ethernet)
    • Description: Consists of pairs of copper wires twisted together to reduce electromagnetic interference. Commonly used in local area networks (LANs) for connecting devices like computers, switches, and routers.
    • Vulnerabilities:
      • Electromagnetic Interference (EMI): Susceptible to interference from nearby electrical equipment, which can degrade signal quality.
      • Physical Tapping: Can be physically tapped into, allowing an attacker to eavesdrop on communications.
      • Signal Attenuation: Over longer distances, the signal can weaken, leading to data loss or corruption.
  2. Coaxial Cable
    • Description: A type of copper cable with a single central conductor, surrounded by an insulating layer, a metallic shield, and an outer protective layer. Used in older Ethernet networks and for cable TV.
    • Vulnerabilities:
      • Signal Leakage: Damaged or poorly terminated shielding lets the signal radiate from the cable, making it susceptible to interception.
      • Shared Medium: In older networks, the coaxial cable is a shared medium, meaning that all data is broadcast to all devices, increasing the risk of eavesdropping.
      • Physical Tapping: Like twisted pair, coaxial cables can also be tapped for unauthorised data capture.
  3. Fibre Optic Cable
    • Description: Uses light to transmit data through glass or plastic fibres. It offers high bandwidth and is used in backbone connections, high-speed networks, and long-distance communication.
    • Vulnerabilities:
      • Physical Damage: Fibre optic cables are more fragile than copper cables and can be damaged easily, disrupting communication.
      • Tapping: While more difficult, fibre optic cables can be tapped using sophisticated methods, like bending the cable to leak light, though this often requires specialised equipment.
      • Signal Degradation: Fibre optics can suffer from signal loss due to bends or improper connections, though this is less of a security concern and more of a quality issue.
  4. Wireless (Wi-Fi)
    • Description: Transmits data using radio waves over the air, allowing for mobility and flexibility in device placement within the network.
    • Vulnerabilities:
      • Eavesdropping: Wireless signals can be intercepted by any device within range, making it easier for attackers to capture data if not properly encrypted.
      • Interference: Wireless signals are prone to interference from other wireless devices, physical obstructions, and environmental factors, which degrades performance; deliberate interference (jamming) amounts to a denial of service.
      • Rogue Access Points: Attackers can set up rogue access points to intercept and manipulate network traffic, leading to potential data breaches.

Comparison of Vulnerability:
- Fibre Optic offers the highest security and resistance to eavesdropping but is more expensive and fragile.
- Wireless is the most vulnerable to eavesdropping and interference, requiring strong encryption and security protocols.
- Twisted Pair and Coaxial cables are moderately secure but can be physically tapped into, making physical security important.

Each type of network media has specific vulnerabilities, with fibre optic generally being the most secure, and wireless networks presenting the greatest risks if not properly protected.

8
Q

What are the three elements of information security?

A

  • Logical Security: Safeguarding data within systems from threats that originate from software and communication channels.
  • Physical Security: Securing the physical systems that store data and ensuring the safety of the individuals who use these systems.
  • Premises Security: Ensuring the protection of people and property within a specific area, building, or facility.

9
Q

What are the three main threats to physical security?

A

  • Environmental threats (fire, flood, extreme temperature or humidity)
  • Technical threats (power failure, hardware faults, electromagnetic interference)
  • Human threats (unauthorised access, vandalism, theft, misuse)

10
Q

What are the 4 categories of human-caused physical threats?

A

The four main human-caused physical threats are:

  1. Unauthorised Access:
    • Individuals gaining entry to restricted areas without permission, potentially leading to theft, tampering, or sabotage of critical systems and data.
  2. Vandalism:
    • Deliberate destruction or defacement of property, which can disrupt operations, damage equipment, and result in costly repairs or replacements.
  3. Theft:
    • The stealing of valuable equipment, devices, or sensitive information, which can lead to data breaches, financial loss, and compromised security.
  4. Misuse:
    • Improper or negligent use of systems, equipment, or access by authorised individuals, leading to unintended damage, data loss, or security vulnerabilities.

11
Q

What are the 4 main network threats?

A

The four main network threats are:

  1. Service Disruption:
    • Preventing users from accessing services on a network through attacks such as Denial of Service (DoS) on servers, network devices, and links, which overwhelm resources and cause outages or slowdowns.
  2. Information Theft:
    • Unlawful access to computers and servers to obtain confidential information for criminal purposes, such as stealing sensitive data through phishing, malware, or network intrusions.
  3. Data Manipulation:
    • Gaining unauthorised access to systems to destroy, manipulate, or alter data, which can lead to data corruption, loss of integrity, or unauthorised changes to critical information.
  4. Identity Theft:
    • Stealing personal information from systems to impersonate individuals and commit fraud, often involving the use of stolen credentials to gain unauthorised access to network resources.
12
Q

What are some common network vulnerabilities?

A

In addition to the vulnerabilities faced by end users and networking hardware that we’ve previously discussed, there are several other vulnerabilities within the network infrastructure that need our attention. These include:

  • Network Services: Many services and protocols, such as FTP, HTTP, SMTP, and Telnet, transmit data (including credentials) in cleartext, so anyone who can see the traffic can read it. Their encrypted replacements (SFTP or FTPS, HTTPS, SMTP over TLS, SSH) should be used instead.
  • Operating Systems: No operating system is completely secure. Some offer better security features than others, but all have vulnerabilities, and unpatched systems remain the most common way in.
  • User Accounts: Usernames and passwords sent over insecure protocols are easy to intercept, and weak or reused passwords can simply be guessed. Multi-factor authentication limits the damage from either.
  • Internet Services: Web services and browsers are vulnerable when they are not updated regularly or use weak, unencrypted methods for data transmission. Browser plug-ins such as Java, and active content such as JavaScript running from untrusted sites, extend the attack surface further when outdated or left unrestricted.
  • Products: Software and hardware products may ship with insecure default settings, such as default passwords, unnecessary services enabled, or exposed management interfaces, which are easily exploited if left unchanged.
  • Misconfigured Network Equipment: Incorrect configurations or errors in routers, switches, and firewalls can misdirect traffic or unintentionally allow it into protected areas, compromising the network’s security. Configuration review and change control catch these before an attacker does.

13
Q

What are the 3 types of reconnaissance attack?

A

The three types of reconnaissance attacks are:

  1. Internet Query:
    • Description: The attacker uses public tools such as search engines, ‘nslookup’ and ‘whois’ to gather the target’s address space, domain names, IP ranges and contact details without sending anything to the victim’s network. Because nothing touches the target, this passive reconnaissance cannot be detected by the victim.
  2. Ping Sweep:
    • Description: Tools such as ‘fping’ or ‘gping’ and other scanners send ICMP echo requests to every address in a range to discover which hosts are live. Having learned the address space from internet queries, the attacker uses ping sweeps to find responsive hosts, setting the stage for further exploration. This is active reconnaissance: the probes reach the target network and appear in its logs as one source contacting many hosts in a short time.
  3. Port Scanning:
    • Description: Once live hosts are known, the attacker uses tools like ‘nmap’ to find open ports on them, and so the services that might be exploited if left unsecured. Different scan types (e.g., TCP connect, SYN, ACK, UDP) reveal different things: a SYN scan identifies listening services without completing a handshake, while an ACK scan maps the rules of a stateless packet filter. This too is active reconnaissance, detectable as one source touching many ports on a host.

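The two active techniques leave a characteristic footprint, and the detection logic is simple enough to show in full. As an added example (not part of the original flashcards), the Python below scans firewall-style log lines for one source pinging many hosts (a sweep) or touching many ports on one host (a scan) inside a sliding time window. The log format, the thresholds and the sample traffic are constructed for the exercise; the slow-scan sample shows the evasion a fixed window invites.

```python
"""Spot ping sweeps and port scans in firewall-style log lines.

Added example; not from the original flashcards. The log format (ISO timestamp
followed by key=value fields), the thresholds and the sample traffic are all
constructed for the exercise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # events must fall within this span to count together
PING_SWEEP_HOSTS = 8             # distinct ICMP echo targets from one source
PORT_SCAN_PORTS = 10             # distinct ports on one host from one source


def parse_line(line: str):
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), fields


def max_distinct_in_window(events, window):
    """Largest number of distinct values among events that lie within one window.
    events: iterable of (timestamp, value); a sliding window over the sorted list."""
    events = sorted(events)
    best = lo = 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({v for _, v in events[lo:hi + 1]}))
    return best


def detect(lines):
    """Return sorted (kind, source, detail) alerts for sweeps and scans."""
    icmp_targets = defaultdict(list)   # src -> [(ts, dst)]
    port_targets = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    for line in lines:
        ts, f = parse_line(line)
        if f.get("proto") == "icmp" and f.get("type") == "8":          # echo request
            icmp_targets[f["src"]].append((ts, f["dst"]))
        elif f.get("proto") in ("tcp", "udp") and "dport" in f:
            port_targets[(f["src"], f["dst"])].append((ts, int(f["dport"])))
    alerts = []
    for src, events in icmp_targets.items():
        n = max_distinct_in_window(events, WINDOW)
        if n >= PING_SWEEP_HOSTS:
            alerts.append(("ping_sweep", src, f"{n} hosts"))
    for (src, dst), events in port_targets.items():
        n = max_distinct_in_window(events, WINDOW)
        if n >= PORT_SCAN_PORTS:
            alerts.append(("port_scan", src, f"{n} ports on {dst}"))
    return sorted(alerts)


def _line(t, **kv):
    return t.isoformat() + " " + " ".join(f"{k}={v}" for k, v in kv.items())


def constructed_sample_log():
    """Constructed: 203.0.113.7 pings 198.51.100.1-16, then SYN-scans 12 ports on
    198.51.100.5; 192.0.2.50 is an ordinary client using only ports 80 and 443."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [_line(t0 + timedelta(seconds=i), src="203.0.113.7", dst=f"198.51.100.{i}",
                   proto="icmp", type=8) for i in range(1, 17)]
    for j, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(_line(t0 + timedelta(seconds=30 + j), src="203.0.113.7",
                           dst="198.51.100.5", proto="tcp", dport=port, flags="S"))
    for k in range(20):
        lines.append(_line(t0 + timedelta(seconds=3 * k), src="192.0.2.50",
                           dst="198.51.100.5", proto="tcp", dport=80 if k % 2 else 443, flags="S"))
    return lines


def constructed_slow_scan_log():
    """Constructed: the same kind of 12-port scan spread one probe per 10 s (120 s in
    total), which never reaches the threshold inside any single 60 s window."""
    t0 = datetime(2024, 5, 1, 11, 0, 0)
    return [_line(t0 + timedelta(seconds=10 * j), src="203.0.113.9", dst="198.51.100.5",
                  proto="tcp", dport=1000 + j, flags="S") for j in range(12)]


if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(*alert)
    print("slow scan alerts:", detect(constructed_slow_scan_log()))
```

The slow scan going undetected is the point of the second sample: attackers spread probes over minutes or hours precisely to stay under thresholds like these, so production detection pairs short windows with longer-lived counters per source.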
14
Q

What are the 3 types of DDoS attacks?

A

The three main types of Distributed Denial of Service (DDoS) attacks are:

  1. Volume-Based Attacks:
    • Description: These attacks overwhelm the target network or server with massive amounts of traffic, consuming all available bandwidth. The goal is to saturate the bandwidth, making it impossible for legitimate users to access the service.
    • Examples: UDP floods, ICMP (ping) floods, and amplification attacks (e.g., DNS amplification).
  2. Protocol Attacks:
    • Description: These attacks target specific network protocols and exploit weaknesses in how protocols handle data. By overwhelming protocol-specific resources such as connection tables or firewalls, the attacker can disrupt services.
    • Examples: SYN floods, fragmented packet attacks, and Ping of Death.
  3. Application Layer Attacks:
    • Description: These attacks focus on the application layer (Layer 7 of the OSI model) and aim to overwhelm the application or web server with a high volume of requests. The goal is to exhaust the server’s resources, making the application or website unavailable to legitimate users.
    • Examples: HTTP floods, Slowloris attacks, and DNS query floods.

Each type of DDoS attack targets different aspects of a network or system, making them difficult to defend against without comprehensive security measures.

15
Q

What are the techniques used by routers to mitigate DoS attacks?

A

Routers employ several techniques to mitigate Denial of Service (DoS) attacks. These techniques help to identify, limit, and block malicious traffic, ensuring the network remains available to legitimate users. Here are some of the key techniques:

  1. Rate Limiting:
    • Description: This technique limits the amount of traffic that can be sent or received by the router to prevent overwhelming it with excessive data. By capping the rate of incoming and outgoing traffic, rate limiting helps to reduce the impact of DoS attacks, particularly volume-based attacks.
  2. Access Control Lists (ACLs):
    • Description: Routers can be configured with ACLs to filter and block malicious traffic. ACLs allow network administrators to specify which types of traffic are allowed or denied based on criteria such as IP addresses, protocols, or port numbers. By blocking traffic from known malicious sources or certain types of traffic commonly used in DoS attacks, ACLs help mitigate these threats.
  3. Unicast Reverse Path Forwarding (uRPF):
    • Description: uRPF counters source address spoofing, a staple of DoS traffic. For each incoming packet the router looks up the source address in its routing table. In strict mode the packet is dropped unless the best route back to that source leaves through the interface the packet arrived on; in loose mode it is dropped only if there is no route at all (or only a black-hole route) to the source. Strict mode is the stronger check but breaks legitimate traffic where routing is asymmetric, so it is normally applied at the customer edge, with loose mode on multi-homed and core links.
  4. Traffic Filtering and Scrubbing:
    • Description: Routers can be configured to inspect incoming traffic and filter out malicious packets before they reach the network. Scrubbing centres, often deployed at the ISP level, can also clean traffic by removing malicious data before it reaches the router, helping to mitigate large-scale DoS attacks.
  5. Deep Packet Inspection (DPI):
    • Description: DPI is a more advanced technique that inspects the contents of packets rather than just the headers. By analysing the data within the packets, DPI can identify and block malicious traffic patterns associated with DoS attacks, including application-layer attacks.
  6. Connection Limiting:
    • Description: Routers can limit the number of simultaneous connections to a server or application. This helps to prevent connection-oriented DoS attacks, such as SYN floods, by ensuring that the router or server does not get overwhelmed by too many connections at once.
  7. Blackholing/Null Routing:
    • Description: Under attack, a router can be given a route that sends all traffic for the targeted address to a null interface (a black hole), which drops it at line rate. The target is sacrificed, so the attacker’s goal is met for that one address, but the attack traffic no longer saturates links or exhausts other devices, and the rest of the network stays reachable. Null-routing the attack’s source addresses is an alternative when they are few and not spoofed.
  8. IP Source Guard:
    • Description: IP Source Guard is an access-switch feature that complements the router controls above. Using the bindings learned by DHCP snooping (or configured statically), the switch permits only traffic whose source IP address matches the address bound to that port, blocking hosts that spoof a neighbour’s address before the traffic ever reaches the router.

By implementing these techniques, routers can play a crucial role in protecting networks from various types of DoS attacks, helping to maintain service availability and network performance.
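The uRPF decision is easy to misremember, so here it is as code. This is an added example, not part of the original flashcards: a toy longest-prefix routing table and a check that implements strict mode (the route back to the source must exit through the ingress interface), loose mode (any usable route back is enough) and the usual treatment of black-hole and default routes. The routes, interface names and addresses are constructed.

```python
"""uRPF source-address check, strict and loose mode, against a toy routing table.

Added example; not from the original flashcards. The routes, interface names and
packets are constructed; the decision logic follows the card's description.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                 # egress interface; "Null0" is a black-hole route


class Router:
    def __init__(self, routes):
        # Longest prefix first, so the first hit in lookup() is the most specific route.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(ip)
        return next((r for r in self.routes if addr in r.prefix), None)

    def urpf(self, src_ip: str, ingress: str, mode: str = "strict",
             allow_default: bool = False) -> bool:
        """True if the packet's source passes the reverse-path check and may be forwarded."""
        route = self.lookup(src_ip)
        if route is None or route.interface == "Null0":
            return False                                 # no way back to the source, or a black hole
        if route.prefix.prefixlen == 0 and not allow_default:
            return False                                 # only the default route matched
        if mode == "loose":
            return True                                  # any usable route back is enough
        return route.interface == ingress                # strict: must exit where the packet came in


def build_constructed_router() -> Router:
    """Edge router: LAN on Gi0/1, a more specific LAN subnet on Gi0/2, the uplink on
    Gi0/0 as default route, and a bogon prefix black-holed."""
    return Router([
        Route(ipaddress.IPv4Network("10.1.0.0/16"), "Gi0/1"),
        Route(ipaddress.IPv4Network("10.1.5.0/24"), "Gi0/2"),
        Route(ipaddress.IPv4Network("192.0.2.0/24"), "Null0"),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "Gi0/0"),
    ])


if __name__ == "__main__":
    r = build_constructed_router()
    cases = [("10.1.2.3", "Gi0/1", "strict"),     # LAN host on its own interface: forward
             ("10.1.5.9", "Gi0/1", "strict"),     # asymmetric path: strict drops, loose forwards
             ("10.1.5.9", "Gi0/1", "loose"),
             ("10.1.2.3", "Gi0/0", "strict"),     # inside address arriving from the uplink: spoofed
             ("192.0.2.77", "Gi0/0", "loose")]    # black-holed source: drop in either mode
    for src, port, mode in cases:
        print(f"{src:>12} in {port} {mode:6}: {'forward' if r.urpf(src, port, mode) else 'drop'}")
```

The second case is the operational caveat from the card: a legitimate host behind Gi0/2 whose packets happen to arrive on Gi0/1 is dropped by strict mode, which is why strict uRPF belongs on single-homed edges and loose mode on links where asymmetric routing is normal.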

16
Q

What is Spoofing?

A

Spoofing is an attack in which the attacker forges the source of a communication (an address, a name, or an identity) so that systems or users treat the traffic as coming from a trusted party, typically to bypass access controls, hijack sessions, or feed false data.

Categories by the attacker’s visibility:
  1. Non-Blind Spoofing:
    • The attacker is on the same segment as the victim and can sniff the traffic, so they see the TCP sequence and acknowledgement numbers and can inject packets that fit an existing session.
  2. Blind Spoofing:
    • The attacker cannot see the traffic and must predict values such as TCP initial sequence numbers; randomised ISNs make this far harder than it once was. The attacker also never sees the replies, since those go to the spoofed address.

Categories by the protocol being forged:
  1. IP Spoofing:
    • Forging the source IP address, either to impersonate a trusted host or, in DoS attacks, to hide the true source and reflect responses onto a victim. Ingress filtering at the network edge (BCP 38, uRPF) is the countermeasure.
  2. DNS Spoofing:
    • Injecting forged DNS responses or poisoning a resolver’s cache so that a name resolves to an attacker-controlled address and users are redirected to a malicious site instead of the legitimate one.
  3. ARP Spoofing:
    • Sending forged ARP replies on a LAN so that hosts associate the attacker’s MAC address with another host’s IP (usually the default gateway), redirecting local traffic through the attacker for interception or manipulation. Dynamic ARP Inspection on the switch drops replies that do not match known IP-to-MAC bindings.

These techniques let an attacker hide or misrepresent their identity by exploiting protocols that accept a stated source without verifying it.
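ARP spoofing is the easiest of the three to detect from the defender’s side, because the poisoning is visible as a change in an IP-to-MAC binding. As an added example (not part of the original flashcards), the Python below keeps an arpwatch-style table of bindings seen on a segment and alerts when a protected address (the gateway) is claimed by another MAC, when a known host’s MAC suddenly changes, or when one MAC starts answering for many addresses. The trusted binding, the MAC addresses (RFC 7042 documentation range) and the stream of replies are constructed.

```python
"""arpwatch-style detection of ARP spoofing from a constructed stream of ARP replies.

Added example; not from the original flashcards. The trusted gateway binding,
the MAC addresses (RFC 7042 documentation range) and the replies are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    unsolicited: bool = False      # gratuitous reply, the usual poisoning vehicle


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen on the segment and raises alerts on anomalies."""

    def __init__(self, trusted: dict[str, str], max_ips_per_mac: int = 3):
        self.trusted = dict(trusted)                  # static bindings that must never change
        self.learned: dict[str, str] = {}             # IP -> MAC learned from traffic
        self.ips_by_mac: dict[str, set[str]] = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, r: ArpReply) -> list[str]:
        alerts = []
        note = " (unsolicited)" if r.unsolicited else ""
        expected = self.trusted.get(r.sender_ip)
        if expected is not None and expected != r.sender_mac:
            # Someone claims a protected address (typically the default gateway).
            alerts.append(f"TRUSTED_BINDING_VIOLATION {r.sender_ip} claimed by "
                          f"{r.sender_mac} (expected {expected}){note}")
        prev = self.learned.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            # A known host suddenly has a new MAC: classic poisoning symptom (or a NIC swap).
            alerts.append(f"CHANGED_MAC {r.sender_ip} {prev} -> {r.sender_mac}{note}")
        self.ips_by_mac[r.sender_mac].add(r.sender_ip)
        claimed = len(self.ips_by_mac[r.sender_mac])
        if claimed == self.max_ips_per_mac + 1:
            # One interface answering for many addresses: the attacker poisoning both sides.
            alerts.append(f"MAC_CLAIMS_MANY_IPS {r.sender_mac} claims {claimed} addresses{note}")
        if expected is None:
            self.learned[r.sender_ip] = r.sender_mac  # trusted entries are never overwritten
        return alerts


def constructed_scenario() -> list[str]:
    """Gateway 192.0.2.1 and two workstations behave normally; then 00:00:5e:00:53:ee
    sends gratuitous replies claiming the gateway, both workstations and a fourth address."""
    gw, gw_mac, attacker = "192.0.2.1", "00:00:5e:00:53:01", "00:00:5e:00:53:ee"
    monitor = ArpMonitor(trusted={gw: gw_mac})
    replies = [
        ArpReply(gw, gw_mac),
        ArpReply("192.0.2.10", "00:00:5e:00:53:0a"),
        ArpReply("192.0.2.11", "00:00:5e:00:53:0b"),
        ArpReply(gw, attacker, unsolicited=True),            # poison: "I am the gateway"
        ArpReply("192.0.2.10", attacker, unsolicited=True),  # poison the other side too
        ArpReply("192.0.2.11", attacker, unsolicited=True),
        ArpReply("192.0.2.12", attacker, unsolicited=True),
    ]
    return [alert for reply in replies for alert in monitor.observe(reply)]


if __name__ == "__main__":
    for alert in constructed_scenario():
        print(alert)
```

A real deployment needs a whitelist for legitimate flip-flops (clustered gateways, VRRP/HSRP failover) to keep the CHANGED_MAC alert useful; the trusted-binding check on the gateway address is the one worth paging on.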

17
Q

What is a MiTM attack?

A

A Man-in-the-Middle (MitM) attack is a cyberattack where an attacker secretly intercepts and potentially alters communication between two parties who believe they are directly communicating with each other.

Key Points:
- Interception: The attacker captures data exchanged between two parties, such as login details or private messages.
- Impersonation: The attacker may pose as one or both parties to deceive them.
- Data Manipulation: The attacker can alter the communication, such as redirecting funds or injecting malicious content.

Examples:
- Wi-Fi Eavesdropping: Intercepting data on an open or attacker-controlled wireless network, often via a rogue access point with a trusted-looking name.
- HTTPS Spoofing: Presenting a forged TLS certificate for the site, which only succeeds if the client trusts the issuing CA or the user clicks through the warning, or downgrading the connection to plain HTTP (SSL stripping) so that the traffic can be read and altered.
- Email Interception: Capturing and modifying emails in transit between parties, for example to change the payment details in an invoice.

MitM attacks are dangerous because they can be difficult to detect, allowing attackers to steal or manipulate sensitive information. The defences are end-to-end encryption with properly validated certificates (TLS, with HSTS to prevent downgrade), authenticated network access, and, on the LAN, controls such as Dynamic ARP Inspection that block the spoofing on which many MitM attacks depend.

18
Q

What are the three types of firewall?

A

1. Packet Filter
- Description: A packet filter examines each packet entering or leaving the network against a rule list, using header fields only: source and destination IP address, protocol, and port numbers. Traffic is permitted or denied on that basis, one packet at a time.
- Key Point: It keeps no record of connections. That makes it fast and simple, but it cannot tell a genuine reply from a forged one; a rule that lets "established" traffic in by looking at the ACK bit will also admit a crafted ACK packet, which is how ACK scans map such filters.

2. Stateful Packet Inspection
- Description: A stateful packet inspection (SPI) firewall records the connections it has allowed (for TCP, the handshake and the session’s addresses and ports) in a connection table, and judges each inbound packet against that table rather than in isolation. A packet is admitted only if it belongs to a session the inside opened.
- Key Point: Because it understands the state of the traffic, it drops unsolicited packets that a packet filter would pass, and it can enforce protocol correctness, for example rejecting a SYN/ACK for which it never saw a SYN.

3. Stateless Inspection
- Description: Stateless inspection is the general term for the packet-filter approach above: each packet is judged solely on its own header fields, with no memory of what came before. Stateless rules are still widely used where speed matters more than session awareness, such as ACLs on routers and switches that do coarse filtering in front of a stateful firewall.
- Key Point: Faster and cheaper than stateful inspection, but blind to anything that only becomes visible across several packets.

The distinguishing axis is whether the device tracks connection state: stateless filtering (types 1 and 3) is fast and simple, stateful inspection is costlier but far harder to fool, and a layered design uses both.
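The difference is clearest when the same packets are run through both kinds of filter. As an added example (not part of the original flashcards), the Python below implements a stateless filter with an "established" rule and a stateful filter with a connection table, then feeds them a constructed stream: a legitimate HTTPS handshake, a forged ACK probe of the kind an ACK scan sends, and an unsolicited inbound SYN. The rule set (inside hosts may open HTTPS outbound, nothing else), the addresses and the packets are constructed.

```python
"""The same packet stream through a stateless filter and a stateful one.

Added example; not from the original flashcards. The rule set (inside hosts may
open HTTPS outbound, nothing else), the addresses and the packets are constructed.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."        # constructed: anything else is the outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # TCP flag names, e.g. frozenset({"SYN"})


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(p: Packet) -> str:
    """Packet filter: every packet judged on its own header. Return traffic is admitted
    by the 'established' heuristic (ACK or RST bit set), which any sender can forge."""
    if is_inside(p.src) and not is_inside(p.dst) and p.dport == 443:
        return "permit"                                   # outbound HTTPS
    if (not is_inside(p.src) and is_inside(p.dst) and p.dport >= 1024
            and p.flags & {"ACK", "RST"}):
        return "permit"                                   # looks like a reply... or not
    return "deny"                                         # implicit deny


class StatefulFilter:
    """Keeps a connection table; inbound packets must belong to a session the inside opened."""

    def __init__(self):
        self.sessions = set()     # (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, p: Packet) -> str:
        if is_inside(p.src) and not is_inside(p.dst):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.dport == 443 and p.flags == {"SYN"}:
                self.sessions.add(key)                    # a new HTTPS session is opened
                return "permit"
            return "permit" if key in self.sessions else "deny"
        if not is_inside(p.src) and is_inside(p.dst):
            key = (p.dst, p.dport, p.src, p.sport)        # reverse direction of a known session?
            return "permit" if key in self.sessions else "deny"
        return "deny"


def run_both(packets):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


def constructed_stream():
    F = frozenset
    return [
        Packet("10.0.0.5", 51000, "198.51.100.20", 443, F({"SYN"})),          # client opens HTTPS
        Packet("198.51.100.20", 443, "10.0.0.5", 51000, F({"SYN", "ACK"})),   # server's SYN/ACK
        Packet("10.0.0.5", 51000, "198.51.100.20", 443, F({"ACK"})),          # handshake completes
        Packet("203.0.113.7", 443, "10.0.0.5", 40000, F({"ACK"})),            # forged ACK probe (ACK scan)
        Packet("203.0.113.7", 40001, "10.0.0.5", 3389, F({"SYN"})),           # unsolicited SYN to RDP
    ]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(constructed_stream(), run_both(constructed_stream())):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  "
              f"stateless={stateless} stateful={stateful}")
```

The fourth packet is the whole argument: both filters agree on the genuine handshake and on the blatant inbound SYN, but only the stateful filter notices that nobody inside ever opened a connection to 203.0.113.7.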

19
Q

What is an application gateway (proxy)?

A

An application gateway, or proxy, terminates the client’s connection itself and opens a separate connection to the destination on the client’s behalf, so no packet passes straight through: the proxy can inspect, filter and log the traffic at the application layer (Layer 7) with full knowledge of the protocol, for example blocking particular HTTP methods or URLs. It is often software running on a firewall or other separate device, and there are also dedicated proxy appliances and servers with additional security features. Proxies are commonly grouped by how much they reveal about the client:

  • Transparent Proxy: Receives and forwards requests without modifying them (beyond what is needed to identify the proxy), and is often inserted in the path without the client being configured for it, so users may be unaware their traffic is being proxied. Commonly used to cache content and improve efficiency.
  • Anonymous Proxy: Hides the client’s IP address from the destination but still identifies itself as a proxy. It protects the user’s privacy while browsing and defeats location-based tracking and targeted advertising; some anonymous proxies also present a false client address so the user appears to be in a different location.
  • High Anonymity Proxy: Hides the client’s address and does not identify itself as a proxy at all, so the destination sees only an ordinary client. Tor is the usual example: traffic is relayed through a chain of nodes and the apparent source address changes periodically, making the user’s location and identity very hard to trace.

20
Q

What are three types of firewall implementation?

A

The three types of firewall implementation are:

  1. Host-Based Firewall
    • Description: Installed on an individual computer or server and controls network traffic to and from that one device.
    • Advantages: Granular, per-host control that travels with the device wherever it connects; easy to install and tailor to the host’s role. It is the last line of defence if the perimeter is bypassed, but it is only as trustworthy as the host it runs on.
    • Examples: Windows Defender Firewall, Norton Firewall.
  2. Screened Host
    • Description: Combines a screening (packet-filtering) router with a bastion host. The router filters inbound traffic and permits connections only to the bastion host, a hardened system on the internal network that provides or proxies the exposed services.
    • Advantages: Adds a layer of security by isolating the internal network and centralising control on the bastion host.
    • Use Case: Suitable for small to medium-sized networks needing enhanced security.
  3. Dual-Homed Firewall
    • Description: A host with two network interfaces, one on the internal network and one on the external network, acting as the sole gateway between them. IP forwarding between the interfaces is disabled, so traffic can cross only through the proxy or firewall software running on the host; a misconfiguration that re-enables forwarding silently removes the protection.
    • Advantages: Strong isolation between internal and external networks, enforcing strict security controls.
    • Use Case: Ideal for high-security environments like government or financial institutions.

21
Q

What are the two types of ACL implementations available on Cisco routers?

A

The two types of Access Control List (ACL) implementations available on Cisco routers are:

  1. Standard ACLs
    • Description: Standard ACLs filter traffic based solely on the source IP address, matched with a wildcard mask (0.0.0.0 means an exact host, 255.255.255.255 means any address). They do not consider the destination address, protocol or ports. Numbered standard ACLs use the ranges 1-99 and 1300-1999.
    • Use Case: Permitting or denying all traffic from specific hosts or subnets. Because they cannot see the destination, they are placed close to the destination so that they do not block traffic bound elsewhere.
  2. Extended ACLs
    • Description: Extended ACLs provide more granular control by matching on several criteria: source and destination IP addresses, protocol (e.g., TCP, UDP, ICMP), and source and destination port numbers (with operators such as eq, gt, lt or range). Numbered extended ACLs use the ranges 100-199 and 2000-2699.
    • Use Case: Detailed filtering, such as allowing only HTTPS to a web server or blocking Telnet from a given subnet. Because they can see the destination, they are placed close to the source to drop unwanted traffic early.

Both kinds are evaluated top-down and the first matching entry wins, with an implicit deny-all at the end; an ACL has no effect until it is applied to an interface in a direction (in or out).

These ACL types allow network administrators to implement varying levels of security and traffic control on Cisco routers.
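Wildcard masks and first-match evaluation are where ACLs usually go wrong in practice, so here they are as code. This is an added example, not part of the original flashcards: a small evaluator for standard and extended entries that implements Cisco’s wildcard semantics (a 1 bit means "don’t care"), top-down first match and the implicit deny. The ACL entries, addresses and packets are constructed.

```python
"""Standard vs extended ACL evaluation with Cisco-style wildcard masks.

Added example; not from the original flashcards. The entries, addresses and
packets are constructed; the matching rules (top-down first match, wildcard
bits where 1 = don't care, implicit deny at the end) are Cisco IOS semantics.
"""
from dataclasses import dataclass
from typing import Optional


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'ignore this bit'. 0.0.0.0 = host, 255.255.255.255 = any."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class StandardEntry:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str

    def matches(self, p: Packet) -> bool:
        return wildcard_match(p.src, self.src, self.src_wc)     # source address only


@dataclass(frozen=True)
class ExtendedEntry:
    action: str
    proto: str                      # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None     # None = any port; a value models "eq <port>"

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl, p: Packet) -> str:
    """Top-down: the first matching entry decides. No match means the implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Constructed ACL 10 (standard): block one host, permit the rest of 10.1.1.0/24.
# Order matters: with the permit first, the deny would never be reached.
ACL_10 = [
    StandardEntry("deny", "10.1.1.50", "0.0.0.0"),
    StandardEntry("permit", "10.1.1.0", "0.0.0.255"),
]

# Constructed ACL 110 (extended): 10.1.1.0/24 may reach the web server only on 443,
# ICMP to the server is allowed from anywhere, everything else hits the implicit deny.
ACL_110 = [
    ExtendedEntry("permit", "tcp", "10.1.1.0", "0.0.0.255", "192.0.2.10", "0.0.0.0", dport=443),
    ExtendedEntry("permit", "icmp", "0.0.0.0", "255.255.255.255", "192.0.2.10", "0.0.0.0"),
]


if __name__ == "__main__":
    for p in [Packet("10.1.1.50", "192.0.2.10", "tcp", 443), Packet("10.1.1.7", "192.0.2.10", "tcp", 22)]:
        print(p, "ACL 10:", evaluate(ACL_10, p), "ACL 110:", evaluate(ACL_110, p))
```

Reversing the two entries of ACL 10 turns the host deny into dead configuration, which is exactly the mistake that survives review when an ACL is read as a set of rules rather than an ordered list.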

22
Q

What are the two deployment methods used by IPS/IDS systems?

A

The two deployment methods used by IPS/IDS systems are:

  1. Screened
    • Description: In this method, the IPS/IDS monitors traffic that has already passed through a screening device, such as a firewall. By filtering out irrelevant traffic beforehand, the system can focus on a reduced volume of data, leading to more accurate detection and analysis.
    • Use Case: Ideal for environments where precision is crucial, as the system can provide more accurate results by monitoring only the relevant, pre-screened traffic.
  2. Unfiltered
    • Description: Here, the IPS/IDS monitors the traffic stream before it reaches the screening device, so it sees everything arriving, including traffic the firewall would later drop. The higher volume of unfiltered traffic means more processing load and more alerts, and a greater risk of false positives or of real threats being lost in the noise.
    • Use Case: Used where visibility of all inbound activity is wanted, for example to see which attacks are being attempted against the perimeter, at the cost of more noise and less precise detection. Many deployments do both: a sensor outside the firewall for attack visibility and a sensor inside for what actually got through.

23
Q

What are the three types of honeypot?

A

The three types of honeypots are:

  1. Production-Based Honeypot
    • Description: A production-based honeypot simulates real services or systems within a network, typically offering minimal interaction. It is used to detect and log basic attack attempts, such as scanning and automated exploits, without posing a significant risk to the actual network.
    • Use Case: Ideal for early detection of attacks in a live environment, helping to protect real systems by diverting attackers to the honeypot.
  2. Research-Based Honeypot
    • Description: A research-based honeypot is designed for extensive interaction, simulating full-fledged operating systems or network environments. It allows attackers to engage deeply with the system, providing valuable insights into their tactics, techniques, and procedures (TTPs).
    • Use Case: Used primarily for in-depth research on attacker behaviour and to gather detailed intelligence on complex, targeted attacks.
  3. Email (Spam) Based Honeypot
    • Description: An email-based honeypot is set up to capture and analyse spam emails. These honeypots are designed to attract spammers, collect spam messages, and identify trends, sources, and methods used by spammers.
    • Use Case: Useful for organisations aiming to study spam techniques, filter out spam emails more effectively, and improve email security.
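
To make the production (low-interaction) honeypot concrete, here is an added example, not code from the original flashcards: a fake Telnet login that answers with a plausible banner, accepts one username and one password, always rejects them, and records the source and the credentials offered. The banner text, the two-prompt flow and the in-memory event list are assumptions of this example; a deployed honeypot would listen on a decoy address and ship its events to the SIEM.

```python
"""Low-interaction production honeypot: a fake Telnet login that never
succeeds and records every connection and every credential offered.

Added example for these flashcards, not code from the original page.
Banner, prompts and the in-memory event store are assumptions.
"""
import socket
import threading
from typing import List, Tuple

BANNER = b"Ubuntu 18.04 LTS\r\nlogin: "     # constructed, mimics a real service
MAX_CAPTURE = 4096                         # never let a client fill memory


class TelnetHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0 = let the OS choose (handy for tests)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.events: List[Tuple[str, int, bytes]] = []   # (peer ip, peer port, captured bytes)
        self._lock = threading.Lock()

    def _handle(self, conn: socket.socket, peer) -> None:
        captured = b""
        asked_password = False
        try:
            conn.settimeout(5.0)
            conn.sendall(BANNER)
            # Accept exactly one username and one password, then always fail:
            # the attacker's credentials are captured, nothing is ever granted.
            while captured.count(b"\n") < 2 and len(captured) < MAX_CAPTURE:
                data = conn.recv(1024)
                if not data:
                    break
                captured += data
                if captured.count(b"\n") == 1 and not asked_password:
                    conn.sendall(b"Password: ")
                    asked_password = True
            conn.sendall(b"\r\nLogin incorrect\r\n")
        except OSError:
            pass                           # timeouts and resets are normal from scanners
        finally:
            conn.close()
        with self._lock:
            self.events.append((peer[0], peer[1], captured))

    def serve_one(self) -> None:
        conn, peer = self.sock.accept()
        self._handle(conn, peer)

    def close(self) -> None:
        self.sock.close()


def credential_attempts(events) -> List[Tuple[str, str, str]]:
    """Turn captured bytes into (source ip, username, password) for reporting."""
    out = []
    for ip, _port, data in events:
        lines = data.replace(b"\r", b"").split(b"\n")
        if len(lines) >= 2:
            out.append((ip, lines[0].decode(errors="replace"), lines[1].decode(errors="replace")))
    return out


def simulated_attacker(port: int, username: bytes = b"root", password: bytes = b"toor") -> bytes:
    """Constructed stand-in for a credential-spraying bot; returns what it saw."""
    c = socket.create_connection(("127.0.0.1", port), timeout=5)
    c.sendall(username + b"\r\n")
    c.sendall(password + b"\r\n")
    seen = b""
    while True:
        chunk = c.recv(1024)
        if not chunk:
            break
        seen += chunk
    c.close()
    return seen


def demo():
    """Run one honeypot connection end-to-end; return (events, credentials, attacker view)."""
    hp = TelnetHoneypot()
    worker = threading.Thread(target=hp.serve_one, daemon=True)
    worker.start()
    seen = simulated_attacker(hp.port)
    worker.join(10)
    hp.close()
    return hp.events, credential_attempts(hp.events), seen
```

Because the service is fake, any connection to it is suspicious by definition, which is what makes production honeypots useful as a low-noise early-warning sensor: the captured credentials also show which passwords attackers expect to work on your network.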
24
Q

What are SIEM solutions and what are the benefits of their use?

A

SIEM (Security Information and Event Management) solutions enhance threat detection, compliance and security incident management by gathering and analysing real-time and historical security event data from many sources, such as firewalls, intrusion detection systems, authentication servers and application logs (McAfee, 2021).
McAfee defines the five key benefits of SIEM as:
1. Key to managing the strategic, tactical and operational aspects of threat hunting
2. Reduced response times through enhanced situational awareness
3. Better security integration and real-time visibility
4. Better staffing of security resources
5. Enhanced compliance with auditing and governance

25
Q

What is switchport security?

A

Managed switches offer a user interface for configuration, enabling administrators to apply hardening techniques such as:

  • Disabling Ports: Shutting down unused ports (and assigning them to an unused VLAN) prevents attackers from plugging in and connecting directly to the LAN.
  • MAC Filtering: Statically mapping the permitted device MAC addresses to specific switch ports so that frames from any other source address on that port are dropped.
  • MAC Address Duplication Detection: The switch monitors for the same MAC address appearing on more than one port, which can indicate a spoofing attack, and disables the affected port if detected.
  • Port-Based Network Access Control (IEEE 802.1X): The port forwards only authentication traffic until the connected user or device has authenticated, typically against a RADIUS server, after which the port is opened (and can be placed in a VLAN chosen by the server). Because access is tied to credentials or certificates rather than to a MAC address, this is considerably stronger than basic switchport security.

Managed switches also defend against MAC flooding (CAM table overflow) with port security. A switch keeps a MAC address table that maps each learned source address to a port; in a MAC flooding attack the attacker sends frames with thousands of forged source addresses until the table is full. Legitimate entries are then aged out or cannot be learned, and because the switch no longer knows which port a destination is on it floods those frames out of every port, so the attacker receives traffic that should have been delivered only to the intended host.

To counter this, port security limits how many MAC addresses each port may learn. When the limit is exceeded the switch applies a violation action: dropping frames from the extra addresses (protect), dropping them and logging and counting the violation (restrict), or err-disabling the port altogether (shutdown). Any of these stops the table from being filled and keeps the rest of the network operating normally.
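
The following is an added example, not vendor code: a minimal model of a switch MAC address table that ages out the oldest entry when full, so a flood of forged source addresses evicts the legitimate hosts and their traffic is then flooded out of every port, beside the same switch with a per-port MAC limit that stops the attack at the attacker's port. Table size, port names, MAC addresses and the protect/shutdown violation actions are constructed assumptions that mirror the behaviour described above.

```python
"""MAC flooding against a learning switch, beside port security.

Added example for these flashcards, not vendor code. Table size, port
names, MAC addresses and violation actions are constructed.
"""
from collections import OrderedDict
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports: Iterable[str], cam_size: int = 8,
                 max_macs_per_port: Optional[int] = None, violation: str = "shutdown"):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam: "OrderedDict[str, str]" = OrderedDict()   # mac -> port, oldest first
        self.max_macs_per_port = max_macs_per_port            # None = port security off
        self.violation = violation                            # "protect" or "shutdown"
        self.disabled: Set[str] = set()                       # err-disabled ports
        self.violations: Dict[str, int] = {}

    def _learned_on(self, port: str) -> Set[str]:
        return {mac for mac, p in self.cam.items() if p == port}

    def forward(self, in_port: str, src: str, dst: str) -> Tuple[FrozenSet[str], str]:
        """Process one frame; return (egress ports, what happened)."""
        if in_port in self.disabled:
            return frozenset(), "dropped:err-disabled"

        # Port security runs before learning: a new source MAC beyond the
        # limit is a violation, handled according to the configured action.
        if self.max_macs_per_port is not None and src not in self._learned_on(in_port):
            if len(self._learned_on(in_port)) >= self.max_macs_per_port:
                self.violations[in_port] = self.violations.get(in_port, 0) + 1
                if self.violation == "shutdown":
                    self.disabled.add(in_port)
                    return frozenset(), "dropped:shutdown"
                return frozenset(), "dropped:protect"

        # Learn the source. When the table is full the oldest entry is aged
        # out, which is exactly what the attacker's forged addresses exploit.
        if src in self.cam:
            self.cam.move_to_end(src)
        else:
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)
            self.cam[src] = in_port

        # Forward: known unicast goes to one port, everything else is flooded.
        if dst != BROADCAST and dst in self.cam:
            return frozenset({self.cam[dst]}), "unicast"
        return frozenset(p for p in self.ports if p != in_port), "flooded"


VICTIM_A = "aa:aa:aa:aa:aa:01"   # on Gi0/1
VICTIM_B = "bb:bb:bb:bb:bb:02"   # on Gi0/2
ATTACKER_PORT = "Gi0/3"


def mac_flood_scenario(port_security: bool):
    """Return (how A->B was handled after the flood, attacker received it,
    attacker port err-disabled, violations counted on the attacker port)."""
    sw = Switch(["Gi0/1", "Gi0/2", ATTACKER_PORT], cam_size=8,
                max_macs_per_port=1 if port_security else None)
    sw.forward("Gi0/1", VICTIM_A, VICTIM_B)   # B unknown yet: flooded (normal)
    sw.forward("Gi0/2", VICTIM_B, VICTIM_A)   # now both hosts are learned
    for i in range(20):                       # attacker sprays forged source MACs
        sw.forward(ATTACKER_PORT, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", VICTIM_A)
    egress, how = sw.forward("Gi0/1", VICTIM_A, VICTIM_B)
    return how, ATTACKER_PORT in egress, ATTACKER_PORT in sw.disabled, sw.violations.get(ATTACKER_PORT, 0)


if __name__ == "__main__":
    print("no port security:", mac_flood_scenario(False))
    print("port security   :", mac_flood_scenario(True))
```

Without port security the flood evicts both victims, and the next frame from A to B is flooded to the attacker's port. With a one-address limit in shutdown mode the attacker's second forged address err-disables Gi0/3, the table never fills, and A to B stays a unicast to Gi0/2.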

26
Q

What are some of the common threats to wireless technologies and the associated mitigation strategies?

A

Piggybacking
Risk: Piggybacking occurs when unauthorised users connect to a wireless network without permission. This can lead to several risks, including reduced network performance due to the added load, unauthorised access to network resources, and potential legal or liability issues if the unauthorised user engages in illegal activities using the network.

Wireless Sniffing
Risk: Wireless sniffing involves intercepting data transmitted over a wireless network. Attackers use specialised software to capture unencrypted data packets, which can include sensitive information like login credentials, financial details, or private communications. This type of attack can lead to data breaches, identity theft, and other forms of cybercrime.

Evil Twin
Risk: An evil twin attack occurs when an attacker sets up a rogue wireless access point that mimics a legitimate one. Users may unknowingly connect to the malicious access point, allowing the attacker to intercept communications, steal sensitive data, or inject malicious content. This can lead to data theft, unauthorised access to systems, and the spread of malware.

Device Theft
Risk: The theft of wireless-enabled devices, such as smartphones, laptops, or tablets, poses significant security risks. A stolen device can provide the thief with access to sensitive information stored on the device or saved network credentials, which could allow unauthorised access to corporate networks or personal accounts. Additionally, if the device is not adequately protected with strong passwords or encryption, the risk of data compromise increases.

Mitigations include:

Passwords
Mitigation: Use a strong, complex passphrase for the wireless network and rotate it whenever it may have leaked, in particular when staff who know a shared pre-shared key leave; this mitigates piggybacking and other unauthorised access. Change the default administrative passwords on all wireless devices immediately after installation, since defaults are published and routinely tried by attackers. Where the infrastructure supports it, move from a shared key to WPA2/WPA3-Enterprise (802.1X) with per-user credentials and multi-factor authentication, so that one compromised password does not open the network.

MAC Address Filtering
Mitigation: Enabling MAC address filtering allows only specified devices to connect to the network, reducing the chances of unauthorised devices gaining access. While not foolproof (as MAC addresses can be spoofed), it adds an additional barrier against unauthorised network access.

SSID Protection
Mitigation: Disabling SSID broadcasting and using a non-default SSID that does not reveal the organisation or the network's purpose makes the network less obvious to casual scanning. This is obscurity rather than a control: the SSID is still transmitted in the clear in probe and association frames whenever a client connects, so anyone capturing wireless traffic can recover it, and clients configured for a hidden network probe for it by name wherever they go, which makes them easier to lure onto an evil twin. Treat SSID hiding as a minor supplement to encryption and authentication, not a substitute.

Data Encryption
Mitigation: Using a strong encryption protocol such as WPA3 (or at minimum WPA2 with AES) ensures that traffic between clients and the access point is encrypted, so wireless sniffing yields ciphertext rather than credentials or private communications. Encryption alone does not defeat an evil twin, because the victim negotiates encryption with the attacker's access point; protection against that comes from mutual authentication, typically WPA2/WPA3-Enterprise with clients configured to validate the authentication server's certificate, plus end-to-end protection (TLS, VPN) for the traffic itself.

Patching
Mitigation: Regularly updating and patching all wireless devices, including routers, access points and connected clients, closes known vulnerabilities that attackers exploit to sniff traffic, bypass authentication or take over the device. Patching does not address device theft; for that, rely on full-disk encryption, screen locks and strong device passcodes, and on the ability to revoke saved wireless credentials and remotely wipe a lost device.

27
Q

What is Network Segmentation?

A

Network segmentation is the practice of dividing a larger network into smaller, isolated segments or subnets, with traffic between segments controlled by firewalls, VLANs or access control lists (ACLs) rather than flowing freely.

How it protects a network:
  1. Limits the spread of attacks: If an attacker gains access to one segment, the controls between segments make it harder to move laterally to the rest of the network.
  2. Improves access control: Sensitive data and critical systems can be placed in more restricted segments, reachable only by authorised users and systems.
  3. Enhances monitoring: Traffic crossing a segment boundary passes a choke point where it can be logged and inspected, making unusual activity easier to detect and to attribute to a segment.

Overall, network segmentation reduces the attack surface and helps contain potential security breaches, improving the overall security posture of the network.

28
Q

What is a DMZ (Demilitarised Zone)?

A

A DMZ (Demilitarised Zone) is a network segment that acts as a buffer zone between an organisation's internal network and the public internet. Public-facing services (web, email and DNS servers, for example) are placed in it so they can be reached from the internet while the internal network is never exposed directly.

How it works:
  • Isolation: The DMZ is a separate segment from both the internal network and the internet, typically behind a dedicated firewall interface or between two firewalls. A server in the DMZ that is compromised gives the attacker a foothold in the DMZ only; reaching the internal network means getting through a second set of firewall rules.
  • Controlled Access: Firewalls control the traffic between the internet, the DMZ and the internal network in both directions. Only the published service ports are allowed from the internet into the DMZ, and only the specific connections a service needs (for example a web server to its database) are allowed from the DMZ into the internal network; everything else is denied by default.

Purpose:
  • Protect Internal Network: Placing public-facing services in the DMZ shields the internal network from direct exposure to the internet, reducing the impact of an external attack on those services.
  • Secure Access to Services: External users can reach the services they need without the DMZ hosts having free access to the internal network.

In essence, a DMZ provides a controlled, isolated environment for services that must be reachable from the internet, while limiting what an attacker who compromises one of those services can reach next.
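
The following is an added example serving both the segmentation card (27) and this DMZ card, not code from the original flashcards or from any firewall product: a zone-based policy for a three-zone design (internet, DMZ, internal) written as checkable rules, then audited against constructed flows including what an attacker who has taken over the web server would try. Address ranges, host addresses and the rule set are constructed.

```python
"""Zone-based firewall policy for a three-zone design: internet, DMZ, internal.

Added example for these flashcards, not code from the original page.
Address ranges, hosts and rules are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}   # any other address is "internet"

WEB_SERVER, DB_SERVER = "203.0.113.10", "10.0.5.20"

# (source zone, destination zone) -> rule. A missing pair is denied (default deny).
POLICY: Dict[Tuple[str, str], dict] = {
    ("internet", "dmz"):      {"ports": {80, 443}, "dst_hosts": {WEB_SERVER}},
    ("dmz", "internal"):      {"ports": {5432}, "src_hosts": {WEB_SERVER}, "dst_hosts": {DB_SERVER}},
    ("internal", "dmz"):      {"ports": {22, 443}},
    ("internal", "internet"): {"ports": {80, 443}},
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src: str, dst: str, dport: int) -> bool:
    """Decide one new TCP connection. Same-zone traffic is switched locally and
    never reaches the firewall; everything crossing zones needs a matching rule."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True
    rule = POLICY.get((src_zone, dst_zone))
    if rule is None or dport not in rule["ports"]:
        return False
    if "src_hosts" in rule and src not in rule["src_hosts"]:
        return False
    if "dst_hosts" in rule and dst not in rule["dst_hosts"]:
        return False
    return True


# Constructed flows: normal traffic, then what an attacker who owns the web server tries.
FLOWS = [
    ("198.51.100.7", WEB_SERVER, 443, "customer browsing the site"),
    ("198.51.100.7", WEB_SERVER, 22, "internet SSH to web server"),
    ("198.51.100.7", DB_SERVER, 5432, "internet straight to the database"),
    (WEB_SERVER, DB_SERVER, 5432, "web server to its database"),
    (WEB_SERVER, "10.0.5.30", 3389, "pivot: RDP from web server to a workstation"),
    (WEB_SERVER, "10.0.5.30", 5432, "pivot: database port to the wrong host"),
    ("203.0.113.11", DB_SERVER, 5432, "pivot: database port from another DMZ host"),
    ("10.0.9.4", WEB_SERVER, 22, "admin SSH from internal"),
]


def audit(flows=FLOWS) -> List[Tuple[str, bool]]:
    """Evaluate every constructed flow against the policy."""
    return [(label, allowed(src, dst, port)) for src, dst, port, label in flows]


def internal_reachable_from(ip: str, ports=(22, 80, 443, 445, 3389, 5432)) -> List[Tuple[str, int]]:
    """Lateral-movement options of a compromised host into the internal zone,
    over a constructed list of internal hosts and common service ports."""
    targets = [DB_SERVER, "10.0.5.30", "10.0.9.4"]
    return [(t, p) for t in targets for p in ports if allowed(ip, t, p)]


if __name__ == "__main__":
    for label, verdict in audit():
        print("ALLOW" if verdict else "DENY ", label)
    print("web server can reach internally:", internal_reachable_from(WEB_SERVER))
```

The audit shows the two properties the card describes: the internet reaches the web server only on 80 and 443 and cannot reach the database at all, and a compromised web server can open exactly one connection into the internal zone, the database port on the database host. That single path is the residual risk a DMZ design accepts, and it is where database hardening and monitoring should concentrate.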

29
Q

What is a VLAN and how does it work?

A

A Virtual Local Area Network (VLAN) is a logical subdivision of a switched network: the switch ports assigned to a VLAN, and the devices attached to them, form their own broadcast domain and behave as if they were on a dedicated physical LAN, regardless of which physical switch they connect to. VLANs are used to improve network management, security and performance by segmenting a network into smaller, more manageable sections.

How VLANs Work:

  1. Segmentation:
    • Logical Grouping: VLANs allow network administrators to group devices logically, regardless of their physical location. For example, all devices belonging to a particular department (like HR, Sales, or IT) can be grouped into the same VLAN even if they are connected to different physical switches.
    • Isolation: Devices in one VLAN cannot communicate directly with devices in another VLAN without the help of a router or a Layer 3 switch, which adds a layer of security and reduces broadcast traffic.
  2. Traffic Management:
    • Broadcast Domains: Each VLAN creates a separate broadcast domain, meaning that broadcast traffic within a VLAN is only shared with devices within that same VLAN. This reduces unnecessary traffic on other parts of the network.
    • Routing Between VLANs: To allow communication between VLANs, a Layer 3 device (like a router or a Layer 3 switch) is required to route traffic between them. This is known as “inter-VLAN routing.”
  3. Implementation:
    • VLAN Tagging: On switches, VLANs are typically implemented using “VLAN tagging.” The most common tagging protocol is IEEE 802.1Q, which inserts a VLAN tag into the Ethernet frame to identify which VLAN the frame belongs to.
    • Access Ports and Trunk Ports:
      • Access Port: An access port on a switch is assigned to a single VLAN and can carry traffic for only that VLAN. Devices connected to an access port are unaware of VLANs and communicate as if they are on a traditional LAN.
      • Trunk Port: A trunk port carries traffic for multiple VLANs simultaneously, using 802.1Q tags to mark which VLAN each frame belongs to as it crosses the link between switches or between a switch and a router. Frames in the trunk's native VLAN are sent untagged, which is what VLAN hopping attacks abuse (double-tagged frames, or an access port that negotiates itself into a trunk via DTP). Harden trunks by setting the native VLAN to an otherwise unused VLAN, tagging the native VLAN, restricting the allowed VLAN list to what the link needs and disabling trunk negotiation on access ports.
  4. Use Cases:
    • Network Security: VLANs can be used to segregate sensitive traffic (like financial data) from general network traffic, reducing the risk of exposure.
    • Improved Performance: By segmenting traffic into VLANs, broadcast traffic is reduced, which can improve overall network performance.
    • Simplified Network Management: VLANs make it easier to manage large networks by allowing logical grouping of devices and simplified configuration.

Consider a company with three departments: Sales, HR, and IT. Each department could be placed on its own VLAN (e.g., VLAN 10 for Sales, VLAN 20 for HR, and VLAN 30 for IT). Even if employees from these departments are located on different floors or in different buildings, they can be grouped into the same VLAN. This ensures that the broadcast traffic of each department stays within its own VLAN and doesn’t affect the other departments, improving both security and performance.
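
As an added example following the Sales/HR/IT card above, not code from the original flashcards: the code below builds and parses the 4-byte 802.1Q tag (TPID 0x8100, then the PCP/DEI/VID fields) inside an Ethernet frame, and models how a switch classifies frames on ingress and rewrites them on egress for an access port versus a trunk, including the native VLAN that travels untagged. MAC addresses, port names and the native-VLAN choice are constructed; VLANs 10/20/30 follow the example above.

```python
"""IEEE 802.1Q tagging and access/trunk port behaviour.

Added example for these flashcards, not code from the original page.
MAC addresses, port names and the native VLAN are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None,
                pcp: int = 0, dei: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame, optionally with one 802.1Q tag after the source MAC."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094 (0 = priority-tagged, 4095 reserved)")
        # Tag Control Information: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID.
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None if untagged), pcp, ethertype and payload."""
    dst, src = _mac_str(frame[:6]), _mac_str(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if etype == TPID_8021Q:                 # a tag sits where the EtherType would be
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp, vlan = tci >> 13, tci & 0x0FFF
        (etype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": etype, "payload": frame[offset:]}


@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))  # trunk VLANs
    native: int = 1                    # trunk native VLAN, carried untagged
    tag_native: bool = False           # True = tag even the native VLAN


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """Classify a received frame into a VLAN; None means the switch drops it."""
    tag = parse_frame(frame)["vlan"]
    if port.mode == "access":
        return None if tag is not None else port.vlan   # tagged frames do not belong here
    vid = port.native if tag is None else tag            # untagged on a trunk = native VLAN
    return vid if vid in port.allowed else None


def egress_frame(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Rewrite a frame for transmission: access ports strip the tag, trunks tag
    every VLAN except (by default) the native one. None means not sent here."""
    f = parse_frame(frame)
    if port.mode == "access":
        if vlan != port.vlan:
            return None
        tag = None
    else:
        if vlan not in port.allowed:
            return None
        tag = None if (vlan == port.native and not port.tag_native) else vlan
    return build_frame(f["dst"], f["src"], f["payload"], vlan=tag,
                       pcp=f["pcp"] or 0, ethertype=f["ethertype"])
```

A Sales host on an access port sends plain frames and never sees a tag; the switch adds the VLAN 10 tag when the frame leaves on the trunk and strips it again at the far access port. A frame that arrives on an access port already carrying a tag is dropped, and an untagged frame on a trunk lands in the native VLAN, which is why the native VLAN should be one no host is assigned to.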

In summary, VLANs are a powerful tool for managing large networks, allowing for logical segmentation, improved security, and better control over network traffic.