Network security operations Flashcards

1
Q

a barrier that intercepts and inspects traffic moving from one area of the network to another

A

A network firewall

2
Q

a firewall that operates at Layers 3 and 4 of the OSI network model: network and transport. In most networks today, that equates to the IP address (Layer 3) and the TCP or UDP port number (Layer 4) of the traffic passing through the firewall

A

packet filter

3
Q

These firewalls inspect incoming (ingress) and outgoing (egress) traffic and compare the following attributes to a database of packet filter rules that determine if the firewall will forward (allow) or drop (deny) the traffic:

A

Protocol (typically IP)
Source IP Address
Destination IP Address
Source TCP or UDP port number
Destination TCP or UDP port number

4
Q

These firewalls are only concerned with the address label (header) of the packets and perform no level of inspection on the contents of the packet (the payload).

A

This means that potentially dangerous payloads could pass through a packet filter without being detected as long as the source and destination values were approved by the firewall rules.

5
Q

a device that operates as a middleman between two or more systems to help conceal the true identity of the client and server

A

circuit-level gateway
The gateway may change the IP address and the TCP/UDP port number of the traffic to allow two networks to communicate that otherwise could not (for example, your home network and the internet).

6
Q

Circuit-level gateways are the foundation of

A

network address translation (NAT) and port address translation (PAT), which are commonly used in firewalls to allow private IP address ranges to communicate on the internet.

7
Q

This feature allows a firewall to identify traffic as conversational and automatically create temporary firewall rules to permit the response traffic to flow back to the sender. In this way, instead of maintaining a multitude of rules, you only need to create a firewall rule that allows the communication to begin.

A

stateful inspection
Its purpose is to reduce the number of firewall rules needed to support TCP communication.

8
Q

proxy servers that could act as a middleman, reading and parsing the traffic payload, and then forwarding it on to the intended destination if the payload was safe. This behavior was later incorporated into firewalls to provide a deeper level of inspection.

A

application-aware firewalls, or Layer-7 firewalls because application is the seventh layer of the OSI model.

9
Q

What is the purpose of a firewall?

A

To restrict traffic from entering (ingress) or exiting (egress) a network

10
Q

A system administrator wants to protect the local network from untrustworthy external traffic. Which device should this system administrator implement?

A

firewall
A firewall is a barrier that intercepts and inspects traffic moving from one network to another.

11
Q

Which three levels of the OSI model does stateful inspection require?

A

Layers 3, 4, and 5
In order for a firewall to understand whether there is a conversation going on between two endpoints, it must be able to analyze the address (Layer 3), it must be able to analyze the type of traffic—usually TCP or UDP—which requires Layer 4 inspection, and it must be able to analyze Layer 5 data in order to recognize that a session has been requested and established.

12
Q

advanced security solutions that can identify malicious traffic based on a database of known behaviors and payload signatures.

A

Intrusion detection systems (IDS) and intrusion prevention systems (IPS)

13
Q

monitor the network to detect threats.

A

IDS
IDS devices are not always physical appliances. They are also available as virtual appliances and as host-based IPS/IDS applications, which can be installed on your servers or workstations.

14
Q

intercept and block threats.

A

IPS
IPS devices are not always physical appliances. They are also available as virtual appliances and as host-based IPS/IDS applications, which can be installed on your servers or workstations.

15
Q

Both IDS and IPS systems can be configured to operate in ___, which is where they attach to the network as listening devices only.

A

tap mode
Tap mode works well for IDS devices because they are passive listeners on the network and are designed to alert a network administrator if they detect any suspicious behavior.

16
Q

For an IPS device to stop traffic, it must be positioned in the middle of the traffic stream.

A

line mode.
IPS devices have many network ports that are designed to operate as input/output pairs. The network administrator will physically route cables through the IPS device to create choke points in the network.

17
Q

The file is blocked based on how often that type of file is found to carry viruses or malware.

A

A method known as reputation-based protection.
A good example of this is when IPS devices and firewalls block executable (EXE) attachments or downloads.

18
Q

a set of public web servers connected to a dedicated network switch that is connected to your firewall by one network cable. You acquire an IPS device so that you can scan the traffic entering and leaving that network. To do so, you will disconnect the existing cable that connects the switch to the firewall and then place the IPS device in-line by connecting the firewall to one of the ports in an input/output pair and the switch to the other port in the pair…next…

A

The IPS device bridges the traffic and appears invisible on the network, yet it is actually inspecting every packet and copying it from one cable to the other.

19
Q

IDS

A

Monitors the network to detect threats
Listens passively on the network
Alerts network admin of any detected suspicious behavior

20
Q

IPS

A

Intercepts and blocks threats
Has many network ports to operate as input/output pairs
Has cables routed physically through devices to create choke points

21
Q

Both IDS & IPS

A

Identifies malicious traffic
Available as virtual and host-based applications
Can be configured to operate in tap mode

22
Q

IDS Deployment

A

Suspicious traffic comes into the switch
Intrusion system inspects traffic and alerts admin of suspicious packets
An alarm is sent to admin’s management system

23
Q

IPS Deployment

A

Suspicious traffic comes in
An intrusion system blocks suspicious packets before they get to the switch

24
Q

Wiretapping is a Layer 1 threat because

A

it involves tampering with the physical cables of a victim’s network.
Fiber optic cables use light waves instead of electrons and therefore do not emit an EMF signature that can be captured and interpreted.

25
Q

is susceptible to electronic sniffing or listening devices because the electrons flowing through the cables create a perceptible electromagnetic field (EMF).

A

Copper-based wiring, such as Category 6 cabling,

26
Q

physical vulnerabilities and threats as Layer 1 risks

A

check the security of the locks on the doors to the data center, equipment racks, and wiring closets throughout your building.

27
Q

Protocols at Layer 2 define how computers can share access to a common medium, such as a wired or wireless network.

A

This includes protocols such as 802.3 Ethernet and 802.11 Wi-Fi.

28
Q

Layer 3: Network
Ping attacks

A

are typically intended to disrupt communication on the network. However, an attacker can also use ping for information gathering.
For example, the ping sweep attack sends pings to a large number of IP addresses to detect which computers are online and may, therefore, be susceptible to other attacks. Fortunately, these attacks can be easily mitigated by using a packet-filtering firewall.

29
Q

Layer 3: Network
Spoofing attack

A

can occur at both Layer 2 and Layer 3. The goal of a spoofing attack is to impersonate another computer’s IP or its Layer 2 media access control (MAC) address. The attacker configures a network card on their computer to impersonate the victim’s computer, then sends a special frame onto the network that directs Ethernet switches to forward the victim’s traffic, specifically traffic that was originally destined for the victim’s IP or MAC address. Intrusion prevention systems (IPS) are best able to prevent this type of attack.

30
Q

TCP is a

A

connection-oriented protocol and provides delivery confirmation for data sent between two computers. If the sender does not receive confirmation of the delivery, it will retransmit the data to ensure it is eventually received.

31
Q

UDP is

A

connectionless.
UDP works more like standard mail. You place the letter in your outgoing mail without any confirmation that it will arrive, and the receiver is under no obligation to alert you if they get the message.

32
Q

Layer 4: Transport
port scanner attack

A

as the name implies, allows the attacker to scan the victim’s computer for open ports that they could later attack. A packet-filtering firewall is an appropriate defense against port scanners.

33
Q

Layer 4: Transport
When a service is run on a computer, that service will open specific ports at the transport layer to allow the service to receive incoming connections from other computers. For example,

A

the DNS service opens TCP port 53 to allow computers to perform name-to-address resolution

34
Q

Layer 4: Transport
port redirection

A

In some cases, network administrators redirect a commonly known port number, such as TCP port 80, which runs HTTP, to a less expected port number, such as TCP port 8080, in hopes of obscuring or hiding the fact that the computer is running a web server. While this may fool a novice attacker, simply changing the port number of a service will not fool a more advanced attacker. In this case, obscurity is not security.

35
Q

is used by computers to execute functions and procedures on other computers, such as a central server launching a program or print job

A

remote procedure call (RPC) is an example protocol at Layer 5

36
Q

is the process of writing data in a particular manner, such as a standardized file format like XML or GIF

A

encoding

37
Q

Encryption

A

is the process of concealing data and, despite its name, is commonly performed at the Presentation layer using Transport Layer Security (TLS), the replacement for the now deprecated SSL protocol that was commonly used to secure web pages.

38
Q

The attack is named after the fact that the attacker becomes the man-in-the-middle of the conversation, able to see everything the victim does without encryption. Many of these attacks can be mitigated using an

A

Application-layer proxy or an IPS, though training the users about fake security certificates is equally important.

39
Q

SQL Injection Attack

A

Security solution: Leverage a reverse proxy system and scan incoming packets for malicious behavior.
OSI Layer: Application (7)

40
Q

Man-in-the-Middle Attack

A

Security solution: Mitigate by using an application-layer proxy or an IPS, and train users about fake security certificates.
OSI Layer: Presentation (6)

41
Q

RPC Attack

A

Security solution: Mitigate with regular OS and application patching.
OSI Layer: Session (5)

42
Q

Port Scanner

A

Security solution: Mitigate by using a packet-filtering firewall.
OSI Layer: Transport (4)

43
Q

Ping Sweep Attack

A

Security solution: Mitigate by using a packet-filtering firewall.
OSI Layer: Network (3)

44
Q

VLAN Hopping

A

Security solution: Configure the VLAN tagging per the switch vendor’s recommendation.
OSI Layer: Data Link (2)

45
Q

Wiretapping

A

Security solution: Look for physical vulnerabilities; check the locks on doors, racks, and wiring closets.
OSI Layer: Physical (1)

46
Q

unencrypted

A

data is referred to as being sent or stored in the clear, meaning that the data can be read by anyone who intercepts the communication or accesses the unencrypted file.

47
Q

Encrypted

A

data is referred to as ciphertext because the proper term for an encryption algorithm is a cipher. These ciphers come in many forms and rely on different types of keys to encrypt and decrypt the data.

48
Q

symmetric key

A

If the cipher uses the same key to encrypt the data as it does to decrypt the data, the cipher is said to use a

49
Q

asymmetric key pair

A

If the keys are different, the cipher is said to use an asymmetric key pair: one key to encrypt the data and another to decrypt it.

50
Q

Symmetric Key Encryption

A

also known as private key encryption, uses the same key to encrypt the data as it does to decrypt the data, meaning that when used for data transmissions, symmetric key encryption requires that both the sender and the receiver possess the same cipher key.

51
Q

Symmetric Key Encryption weakest link

A

The sender and receiver must somehow exchange the secret key with each other before encrypting any data. It is during this key exchange that the encryption is most vulnerable. If an attacker were to intercept the key, the attacker could decrypt the data and even send a forged message by re-encrypting the data using that same key.

52
Q

is an asymmetric key solution that allows two parties to exchange encrypted data without having first exchanged a private or shared key with one another

A

In PKI systems, each party that could either send or receive encrypted data must first create a key pair consisting of a public key and a private key. The key pair is created using an algorithm that enables one key to decrypt ciphertext that the other key has encrypted. Once the pair is created, the public key is published to a public repository, whereas the private key is kept secret by the owner of the key. If you wish to send this person an encrypted file, you would retrieve their public key from the internet and then use it to encrypt the file. You could then send the encrypted file to the person or even post it for them to download. The only way to decrypt the file is to use the recipient’s private key, which should be stored in a very safe place.

53
Q

a new breed of asymmetric key creation was unveiled: elliptic curve cryptography (ECC)

A

ECC uses the algebraic structure of elliptic curves to create a key that is even smaller than traditional asymmetric keys, yet it is substantially more difficult to crack without the aid of quantum computers.
y^2 = x^3 + ax + b

54
Q

End-to-end encryption

A

Data is encrypted both in transit and at rest, which means that the data is never stored or transmitted in the clear.

55
Q

Secure Sockets Layer (SSL)

A

Though SSL was deprecated in 2015, TLS provides similar functionality with more robust security.

56
Q

Transport Layer Security (TLS)

A

TLS creates a secure channel over the internet between a client computer and a server by exchanging a public key in the form of a certificate. The certificate has a public key that is stored on the web server and presented to the public whenever a user connects to the website. The private key is also stored on the web server but is kept secret and protected.

57
Q

Internet protocol security (IPsec)

A

provides an authentication and encryption solution that secures IP network traffic at Layer 3 of the OSI model. This is in contrast to the TLS protocol discussed above, which operates at Layer 6. TLS also differs in that it provides a PKI encryption method commonly used to encrypt web pages or data sent between one client and one server.

58
Q

IPsec, on the other hand, is commonly used to create

A

virtual private network (VPN) tunnels across the internet or other untrusted networks to allow many computers to communicate with each other.

59
Q

IPsec traffic is encapsulated and this hides

A

the fact that the packets are flowing across an untrusted network, such as the internet, and gives the client computers the illusion that they are directly connected to one another or at least within the same network.

60
Q

IPsec is composed of the Authentication Header (AH) protocol,

A

which provides data integrity for the connection, the encapsulating security payload (ESP), which provides encryption for the connection, and the security associations (SA), which define the algorithms to be used and the key exchange method.

61
Q

the most secure algorithm for storing and encrypting data at rest is

A

the Advanced Encryption Standard (AES), a symmetric key cipher that makes use of different key and block sizes and creates a near-impenetrable encryption.

62
Q

What is a characteristic of symmetric key encryption?

A

Use of a shared key is a characteristic of symmetric key encryption.

63
Q

Which encryption application provides authentication and encryption services that are commonly used to create VPN tunnels at OSI Layer 3?

A

IPsec

64
Q

What is the result of the encryption process?

A

Encrypted plaintext is called ciphertext.

65
Q

What is the fastest encryption method for bulk encryption of data?

A

Symmetric key encryption is the fastest encryption method because it uses a single key to encrypt and decrypt the data.