Network Security Fundamentals Flashcards

1
Q

OSI Model

A

7 Layers

Application
Presentation
Session
Transport
Network
Data Link
Physical

2
Q

TCP/IP Model

A

4 Layers

Application
Transport
Internet
Network Access

3
Q

L7

A

Application Layer

This layer identifies and establishes the availability of communication partners, determines resource availability, and synchronizes communication. Protocols that function at the Application layer include

FTP/HTTP/HTTPS/IMAP/POP3/SMTP/SNMP

4
Q

FTP

A

File Transfer Protocol (FTP): Used to copy files from one system to another on TCP ports 20 (the data port) and 21 (the control port)

L7

5
Q

HTTP

A

Hypertext Transfer Protocol (HTTP): Used for communication between web servers and web browsers on TCP port 80

L7

6
Q

HTTPS

A

Hypertext Transfer Protocol Secure (HTTPS): Used for Secure Sockets Layer/Transport Layer Security (SSL/TLS) encrypted communications between web servers and web browsers on TCP port 443 (and other ports, such as 8443)

L7

7
Q

IMAP

A

Internet Message Access Protocol (IMAP): A store-and-forward electronic mail protocol that allows an email client to access, manage, and synchronize email on a remote mail server on TCP and UDP port 143

L7

8
Q

POP3

A

Post Office Protocol Version 3 (POP3): An email retrieval protocol that allows an email client to access email on a remote mail server on TCP port 110

L7

9
Q

SMTP

A

Simple Mail Transfer Protocol (SMTP): Used to send and receive email across the internet on TCP/UDP port 25

L7

10
Q

SNMP

A

Simple Network Management Protocol (SNMP): Used to collect network information by polling stations and sending traps (or alerts) to a management station on TCP/UDP ports 161 (agent) and 162 (manager)

L7

11
Q

Telnet

A

Telnet: Provides terminal emulation for remote access to system resources on TCP/UDP port 23

L7

12
Q

L6

A

Presentation Layer

This layer provides coding and conversion functions (such as data representation, character conversion, data compression, and data encryption) to ensure that data sent from the Application layer of one system is compatible with the Application layer of the receiving system.

13
Q

ASCII

A

American Standard Code for Information Interchange (ASCII): A character-encoding scheme based on the English alphabet, consisting of 128 characters

L6

14
Q

EBCDIC

A

Extended Binary-Coded Decimal Interchange Code (EBCDIC): An 8-bit character-encoding scheme mainly used on mainframe and midrange computers

15
Q

GIF

A

Graphics Interchange Format (GIF): A bitmap image format that allows up to 256 colors and is suitable for images or logos (but not photographs)

L6

16
Q

JPEG

A

Joint Photographic Experts Group (JPEG): A photographic compression method used to store and transmit photographs

L6

17
Q

MPEG

A

Motion Picture Experts Group (MPEG): An audio and video compression method used to store and transmit audio and video files

L6

18
Q

L5

A

Session Layer

This layer manages communication sessions (service requests and service responses) between networked systems, including connection establishment, data transfer, and connection release

19
Q

NFS

A

Network File System (NFS): Facilitates transparent user access to remote resources on a Unix-based TCP/IP network.

L5

20
Q

RPC

A

Remote procedure call (RPC): A client-server network redirection protocol

L5

21
Q

SSH

A

Secure Shell (SSH): Establishes an encrypted tunnel between a client and a server

L5

22
Q

SIP

A

Session Initiation Protocol (SIP): An open signaling protocol standard for establishing, managing, and terminating real-time communications (such as voice, video, and text) over large IP-based networks

L5

23
Q

L4

A

TRANSPORT

This layer provides transparent, reliable data transport and end-to-end transmission control. Specific Transport layer functions include:

Flow control: Manages data transmission between devices by ensuring that the transmitting device doesn’t send more data than the receiving device can process
Multiplexing: Enables data from multiple applications to be simultaneously transmitted over a single physical link
Virtual circuit management: Establishes, maintains, and terminates virtual circuits
Error checking and recovery: Detects transmission errors and takes action to resolve any errors that occur, such as requesting that data be retransmitted

TCP and UDP port numbers assigned to applications and services are defined at the Transport layer

24
Q

TCP

A

Transmission Control Protocol (TCP): A connection-oriented (a direct connection between network devices is established before data segments are transferred) protocol that provides reliable delivery (received segments are acknowledged, and retransmission of missing or corrupted segments is requested) of data. TCP connections are established via a three-way handshake. The additional overhead associated with connection establishment, acknowledgment, and error correction means that TCP is generally slower than connectionless protocols such as User Datagram Protocol (UDP).

L4

25
UDP
User Datagram Protocol (UDP): A connectionless (a direct connection between network devices is not established before datagrams are transferred) protocol that provides best-effort delivery (received datagrams are not acknowledged and missing or corrupted datagrams are not requested) of data. UDP has no overhead associated with connection establishment, acknowledgment, sequencing, or error-checking and recovery. UDP is ideal for data that requires fast delivery, as long as that data isn’t sensitive to packet loss and doesn’t need to be fragmented. Applications that use UDP include Domain Name System (DNS), Simple Network Management Protocol (SNMP), and streaming audio or video.
L4
26
SCTP
Stream Control Transmission Protocol (SCTP): A message-oriented protocol (similar to UDP) that ensures reliable, in-sequence transport with congestion control (similar to TCP)
L4
27
L3
NETWORK
This layer provides routing and related functions that enable data to be transported between systems on the same network or on interconnected networks. Routing protocols are defined at this layer. Logical addressing of devices on the network is accomplished at this layer using routed protocols such as Internet Protocol (IP). Routers operate at the Network layer of the OSI model.
28
L2
DATA LINK
This layer ensures that messages are delivered to the proper device across a physical network link. This layer also defines the networking protocol (for example, Ethernet) used to send and receive data between individual devices, formats messages from the preceding layers into frames for transmission, handles point-to-point synchronization and error control, and can perform link encryption. Switches typically operate at Layer 2 of the OSI model (although multilayer switches that operate at different layers also exist). The Data Link layer is further divided into two sublayers:
29
LLC
Logical Link Control (LLC): The LLC sublayer provides an interface for the MAC sublayer; manages the control, sequencing, and acknowledgment of frames being passed up to the Network layer or down to the Physical layer; and manages timing and flow control.
L2
30
MAC
Media Access Control (MAC): The MAC sublayer is responsible for framing, performs error control using a cyclic redundancy check (CRC), identifies MAC addresses, and controls media access.
L2
31
L1
PHYSICAL
This layer sends and receives bits across the network medium (cabling or wireless links) from one device to another. It specifies the electrical, mechanical, and functional requirements of the network (including network topology, cabling and connectors, and interface types) and the process for converting bits to electrical (or light) signals that can be transmitted across the physical medium.
32
Circuit Switching
In a circuit-switched network, a dedicated physical circuit path is established, maintained, and terminated between the sender and receiver across a network for each communications session. Before the development of the internet, most communications networks, such as telephone company networks, were circuit-switched.
33
Packet Switching
The internet is a packet-switched network comprising hundreds of millions of routers and billions of servers and user endpoints. In a packet-switched network, devices share bandwidth on communications links to transport packets between a sender and a receiver across a network. This type of network is more resilient to error and congestion than circuit-switched networks.
34
Packet Segmentation Workflow
1. Send block of data to the TCP stack
2. Determine maximum segment size
3. Divide data blocks to send to the IP stack
4. Notify server operating system
5. IP packet is sent to the network adapter
35
L1 PDU
Bit
36
L2 PDU
Frame
37
L3 PDU
Packet
38
L4 PDU
Segment or Datagram
39
Class A Public & Private IP Range
Public IP Range: 1.0.0.0 to 127.0.0.0
First octet value range: 1 to 127
Private IP Range: 10.0.0.0 to 10.255.255.255
Subnet Mask: 255.0.0.0 (8 bits)
Number of Networks: 126
Number of Hosts per Network: 16,777,214
40
Class B Public & Private IP Address Range
Public IP Range: 128.0.0.0 to 191.255.0.0
First octet value range: 128 to 191
Private IP Range: 172.16.0.0 to 172.31.255.255
Subnet Mask: 255.255.0.0 (16 bits)
Number of Networks: 16,382
Number of Hosts per Network: 65,534
41
Class C Public & Private IP Address Range
Public IP Range: 192.0.0.0 to 223.255.255.0
First octet value range: 192 to 223
Private IP Range: 192.168.0.0 to 192.168.255.255
Subnet Mask: 255.255.255.0 (24 bits)
Number of Networks: 2,097,150
Number of Hosts per Network: 254
42
Class D IP Address Range
Range: 224.0.0.0 to 239.255.255.255
First octet value range: 224 to 239
Number of Networks: N/A
Number of Hosts per Network: N/A (used for multicasting)
43
Class E IP Address Class
Range: 240.0.0.0 to 255.255.255.255
First octet value range: 240 to 255
Number of Networks: N/A
Number of Hosts per Network: N/A (research/reserved/experimental)
44
What is the decimal representation of binary 1111 1101?
253
45
Which class of address begins with the decimal 130 in the first octet?
Class B
46
Which layer of the OSI model ensures that messages are delivered to the proper device across a physical network?
Data Link
47
Which layer of the OSI model is responsible for transparent, reliable data transport and end-to-end transmission control?
Transport
48
Which two protocols function at the Application layer of the OSI model? (Choose two.)
TCP and UDP
49
In a packet-switched network, what is the main advantage compared to circuit-switched networks?
Higher resilience to error and congestion
50
At which layer of the OSI model do routers primarily operate?
Network Layer 3
51
Zero-Day Exploit
A zero-day exploit is a cyberattack that occurs against a new vulnerability that has not been fixed.
52
Metamorphism
Metamorphism is a term to describe malware that is capable of changing its code and signature patterns with each iteration.
53
Polymorphism
Polymorphism is a term to describe how malicious code can change in a variety of ways, including changing filenames or using encryption with variable keys, to avoid detection.
54
4 Approaches to NDR
1. Signature-Based
2. Container-Based
3. Application Allow Listing
4. Anomaly-Based
55
If a known malware signature is detected, what are the 3 available predefined actions?
1. Quarantine
2. Alert
3. Delete
56
Signature-Based Anti-Malware Challenges?
1. Zero-Day Attacks
2. Malware Variations
3. Advanced Malware
57
Container-Based Endpoint Protection
Wraps a protective virtual barrier around vulnerable processes while they are running. If a process is malicious, the container detects it and shuts it down, preventing it from damaging other legitimate processes or files on the endpoint.
58
Requirements for Container-Based EDR?
- Computing Resources
- Application Support
59
Two types of anomaly detection methods?
1. Heuristic-Based
2. Behavior-Based
60
Heuristic Based Detection
Detects anomalous packet and traffic patterns, such as port scans and host sweeps.
61
Behavior-Based Detection
Evaluates an object based on its intended actions before it can actually execute that behavior
62
Ransomware
A type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
63
Golden Image
Ensuring consistent configuration of devices across the organization.
64
What does creating a 'golden image' entail?
- Disabling or removing OS features and services that are not needed
- Installing current security updates
- Installing core applications
65
Different Types of Firewalls
1. Network Firewalls
2. Host-Based Firewalls
3. Operating System Firewalls
4. Host-Based Intrusion Prevention Systems
66
OS Firewalls
Firewalls installed as part of the Windows desktop or mobile OS. Netfilter and iptables are the most popular open-source OS firewall.
67
HIPS
Host-Based Intrusion Prevention Systems
- Can be signature-based or anomaly-based
- Can cause significant performance degradation on endpoints
68
Jailbreaking
Jailbreaking is the process of removing software restrictions imposed by Apple in order to install unauthorized applications or operating systems on Apple iPhones or iPads.
69
Rooting
Rooting is the process of removing software restrictions imposed by Android device vendors in order to install unauthorized applications or operating systems on Android phones or tablets.
70
DLP
Restrict what type of data can be stored on or transmitted from the device
71
Policy Enforcement
Enforce security policies, such as those involving passcodes, encryption, lock-down security settings, jailbreaking, or rooting
72
AD
Active Directory: A centralized directory service developed by Microsoft for Windows networks to provide authentication and authorization of users and network resources. Active Directory uses Lightweight Directory Access Protocol (LDAP), Kerberos, and the Domain Name System (DNS).
73
Open LDAP
An open source, IP-based client-server protocol that provides access and manages directory information in TCP/IP networks.
74
Configuration management
The formal process used by organizations to define and maintain standard configurations for applications, devices, and systems throughout their lifecycle.
75
Network Baseline
A baseline provides quantifiable metrics that are periodically measured with various network performance monitoring tools, protocol analyzers, and packet sniffers.
76
Network Documentation Steps
Step 1 - Discover the problem
Step 2 - Evaluate the system config against the baseline
Step 3 - Track the possible solutions
Step 4 - Execute a plan
Step 5 - Check the results
Step 6 - Verify the solution (if bad, go back to Step 2)
Step 7 - Deploy the positive solution
77
Which predefined malware signature action notifies the user that malware has been detected?
Alert
78
Which type of endpoint protection wraps a protective virtual barrier around vulnerable processes while they are running?
Container-Based
79
Which MDM capability requires passcodes, enables encryption, locks down security settings, and prevents jailbreaking or rooting?
Policy Enforcement
80
At which layer do stateful packet firewalls operate?
Layer 4
81
At which layer do application firewalls operate?
Layer 7
82
Knowledge-Based Systems
A knowledge-based system uses a database of known vulnerabilities and attack profiles to identify intrusion attempts. Knowledge-based systems have lower false-alarm rates than behavior-based systems. But to be effective, knowledge based systems must be continually updated with new attack signatures.
83
Behavior-Based Systems
A behavior-based system uses a baseline of normal network activity to identify unusual patterns or levels of network activity that might indicate an intrusion attempt. Behavior-based systems are better at detecting new attacks against unknown vulnerabilities. But behavior-based systems have a much higher false-positive rate than knowledge-based systems.
84
IDS
Description and functionality:
- Is considered a passive system
- Monitors and analyzes network activity
- Sends alerts about potential attacks and vulnerabilities on the network
Disadvantages:
- Doesn’t perform any preventive action to stop an attack
85
Intrusion Prevention System (IPS)
Description and functionality:
- Is considered an active system
- Performs all of the functions of an IDS
- Automatically blocks or drops suspicious pattern-matching activity on the network in real time
Disadvantages:
- Must be placed inline along a network boundary and is thus directly susceptible to attack itself
- Can trigger false alarms that inadvertently block authorized users and applications; these must be properly identified and filtered (a false positive occurs when legitimate traffic is improperly identified as malicious traffic)
- Can be used to deploy a denial-of-service (DoS) attack by flooding the IPS, thus blocking connections until no connection or bandwidth is available
86
Web Content Filter Functionality
Web content filters match a web address (URL) against a database of websites, which is typically maintained by the individual security vendor that sells the web content filters and is provided as a subscription-based service.
87
VPN
A VPN creates a secure, encrypted connection (or tunnel) across the internet between two endpoints. A client VPN establishes a secure connection between a user and an organization's network. A site-to-site VPN establishes a secure connection between two organizations' networks, usually geographically separated.
88
Composition of VPNs
- Layer 2 Tunneling Protocol (L2TP)
- SSTP
- OpenVPN
- MPPE
89
Layer 2 Tunneling Protocol (L2TP)
L2TP is supported by most operating systems (including mobile devices). Although L2TP provides no encryption by itself, it is considered secure when used with IPsec.
90
Secure Socket Tunneling Protocol (SSTP)
Microsoft created SSTP as a VPN tunnel for transporting PPP or L2TP traffic through an SSL 3.0 channel. SSTP is primarily used for secure remote client VPN access, rather than for site-to-site VPN tunnels.
91
OpenVPN
OpenVPN is a highly secure, open-source VPN implementation that uses SSL/TLS encryption for key exchange. OpenVPN uses up to 256-bit encryption and can run over TCP or UDP. Although OpenVPN is not natively supported by most major operating systems, it has been ported to most major operating systems, including mobile device operating systems.
92
Microsoft Point-to-Point Encryption (MPPE)
MPPE encrypts data in PPP-based dial-up connections and PPTP VPN connections. MPPE uses the RSA RC4 encryption algorithm to provide data confidentiality and supports 40-bit and 128-bit session keys.
93
Point-to-Point Tunneling Protocol (PPTP)
PPTP is a basic VPN protocol that uses TCP port 1723 to establish communication with the VPN peer. PPTP then creates a Generic Routing Encapsulation (GRE) tunnel that transports encapsulated Point-to-Point Protocol (PPP) packets between the VPN peers.
94
What is the least secure VPN protocol?
PPTP
95
Internet Protocol Security (IPsec)
IPsec is a secure communications protocol that authenticates and encrypts IP packets in a communication session.
Requires VPN
96
A security association (SA)
defines how two or more entities use IPsec to securely communicate over the network
97
Secure Sockets Layer (SSL)
SSL is an asymmetric/symmetric encryption protocol that secures communication sessions. SSL has been superseded by TLS, although SSL is still the more commonly used terminology.
98
Many organizations have replaced UTM appliances with what?
NGFWs
99
Which VPN technology has become the standard method of connecting remote endpoint devices back to the enterprise network?
SSL
100
Which type of system automatically blocks or drops suspicious, pattern-matching activity on the network in real time?
IPS
101
Which type of firewall operates up to Layer 4 (transport layer) of the OSI model and inspects individual packet headers to determine source and destination IP address, protocol (TCP, UDP, ICMP), and port number?
Packet Filtering