Networks/Network Security (Ch. 3,4)

Question 1

OSI Model

Answer 1

_ open systems interconnection model layers (mnemonic: “all people seem to need data processing” – know layer numbers too)
_ (1) physical - hardware
_ (2) data link - switches that format data into data frames and route between systems on a local network using MAC addresses
_ (3) network - introduces IP addresses, routing between systems not on the same local network
_ (4) transport - end-to-end communication (e.g. TCP, UDP)
_ (5) session - establishes and manages sessions between apps
_ (6) presentation - translates data into standard format, provides encryption, compression, other data transformation
_ (7) application - provides network services to apps

Question 2

TCP

Answer 2

_ transmission control protocol
_ 3-way handshake (client sends SYN, server sends SYN/ACK, client sends ACK)

Question 3

UDP

Answer 3

_ user datagram protocol
_ connectionless (no 3-way handshake)
_ DoS attacks often use UDP

Question 4

IP

Answer 4

_ internet protocol
_ IPv4 - 32 bits, dot-delimited numbers
_ IPv6 - 128 bits, colon-delimited hex

Question 5

ICMP

Answer 5

_ internet control message protocol
_ tests basic connectivity
_ includes tools like ping and traceroute
_ DoS often uses ICMP
_ firewalls and routers often block to prevent DoS

Question 6

TFTP

Answer 6

_ trivial file transfer protocol
_ transfers small amounts by FTP
_ used for comms with some devices
_ usually disabled to prevent attacks

Question 7

TLS

Answer 7

_ transport layer security
_ replaced SSL

Question 8

IPsec

Answer 8

_ internet protocol security
_ encrypts IP payload traffic
_ includes authentication header

Question 9

SSH and SFTP port

Answer 9

22

Question 10

HTTPS/TLS port

Answer 10

443

Question 11

IMAP ports

Answer 11

_ internet message access protocol
_ 143 plaintext
_ 993 TCP

Question 12

SMTP ports

Answer 12

_ simple main transfer protocol
_ 25 plaintext
_ 587 TLS (SMTPS)

Question 13

POP3 ports

Answer 13

_ post office protocol
_ 110 plaintext
_ 995 TCP

Question 14

Email gateway

Answer 14

_ network device or software app that filters external mail for an internal mail system

Question 15

AD DS

Answer 15

_ Microsoft Active Directory Domain Services
_ uses TLS-encrypted LDAP
_ uses Kerberos for authentication

Question 16

RTP/SRTP

Answer 16

_ real-time transport protocol
_ for audio and video over IP
_ includes VoIP
_ SRTP secures transmission

Question 17

SIP

Answer 17

_ session initiation protocol
_ inits and manages voice/video sessions
_ establishes RTP/SRTP connection in cleartext

Question 18

RDP

Answer 18

_ remote desktop protocol

Question 19

OpenSSH

Answer 19

_ suite of tools that simplify use of SSH
_ supports SCP and SFTP

Question 20

Create SSH key pair

Answer 20

_ ssh-keygen -t rsa
_ creates “id_rsa.pub”, the public key
_ creates “id_rsa”, the private key
_ use “ssh-copy-id” to copy public key to remove server

Question 21

Private IPv4 addresses

Answer 21

_ any of form 10.x.y.z
_ 172.16.y.z - 172.31.y.z
_ 192.168.y.z
_ routers block all traffic from or to private IP addresses

Question 22

Unique local IPv6 addresses

Answer 22

_ start with prefix FC00

Question 23

DNS port

Answer 23

_ 53, for both TCP and UDP

Question 24

DNS zone record types

Answer 24

_ A - host record for IPv4
_ AAAA - host record for IPv6
_ PTR - pointer record, used to provide reverse lookup from IP to domain name
_ MX - mail exchange record identifying a mail server
_ CNAME - canonical name record (aka alias record), assigns additional domains to an IP
_ SOA - start of authority record, providing domain or zon info such as TTL

Question 25

TTL

Answer 25

_ time to live
_ duration of a DNS cache entry in seconds

Question 26

DNS poisoning

Answer 26

_ replacing a DNS cache entry to an IP, causing domains to incorrectly resolve to the false IP
_ happens on the DNS server (DNS pharming is the client attack)

Question 27

DNSSEC

Answer 27

_ domain name system security extensions
_ adds a digital signature to each DNS cache entry, providing integrity and authentication to DNS replies
_ helps prevent DNS poisoning

Question 28

Unicast

Answer 28

_ 1-to-1 traffic between IP addresses (intervening hosts may see the data, but they won’t process it)
_ can’t be captured by a protocol analyzer

Question 29

broadcast

Answer 29

_ 1-to-all traffic, sending traffic to all other hosts on a subnet using a broadcast address
_ 255.255.255.255 is an example broadcast address
_ every host processes broadcast traffic
_ switches pass broadcast traffic but not routers

Question 30

switch

Answer 30

_ devices connect to a switch’s physical ports
_ internally connects ports
_ when it receives a packet from a port, it knows the MAC address of the device at that port
_ to send a packet to a MAC address for which it doesn’t have a port mapping, it sends packet to all ports
_ can limit MAC addresses per port for security

Question 31

hub

Answer 31

_ broadcasts received data to all ports
_ switches provide better security

Question 32

Switching loop

Answer 32

_ where output of one switch port enters another port of the switch
_ when looped data is broadcast, called a “broadcast storm”
_ can degrade performance
_ Spanning Tree Protocol (STP) can prevent this
_ Rapid STP can also prevent this
_ without prevention, easy to slow network to a crawl by connection two ports, such as within a conference room

Question 33

BPDU

Answer 33

_ bridge protocol data unit
_ sent by STP (spanning tree protocol) to detect loops
_ edge ports should not be able to send this; if they do, problem discovered

Question 34

router

Answer 34

_ routes traffic between network segments
_ don’t pass broadcasts between networks
_ each segment also called a “broadcast domain”
_ can implement ACL rules based on IP and port

Question 35

Implicit deny

Answer 35

_ principle of ACLs by which all traffic that isn’t explicitly allowed is implicitly denied
_ the last rule of an ACL, if not the default behavior
_ routers and firewalls include the implicit deny rule

Question 36

Default gateway

Answer 36

_ IP address of the router on the network
_ typically provides a path to the Internet

Question 37

route command

Answer 37

_ shows known paths to other networks
_ shows the default gateway

Question 38

SNMP

Answer 38

_ simple network management protocol
_ monitors and manages network devices such as routers and switches
_ can monitor device config
_ can have devices report status
_ can install agents on devices
_ only use SNMPv3, as it encrypts credentials
_ SNPMPv3 uses ports 161 and 162

Question 39

Host-based firewall

Answer 39

_ monitors traffic to and from a single host (server or workstation)
_ many OSs provide a software-based firewall

Question 40

Network-based firewall

Answer 40

_ usually a network appliance
_ has 2 or more NICs

Question 41

Stateless firewall

Answer 41

_ applies ACL rules to traffic
_ a router is a stateless firewall
_ rules may specify protocol, source, destination, and port, in addition to the associated permission. Source and destination can include wildcards

Question 42

Stateful firewall

Answer 42

_ bases decisions on traffic context or state
_ tracks sessions (e.g. after TCP handshake)
_ blocks traffic not part of a session
_ operate on transport layer (layer 4)

Question 43

WAF

Answer 43

_ web application firewall
_ placed between web server and clients
_ can protect against XSS and other attacks
_ provides HTTP security on top of network security provided by a network firewall
_ analyzes all layers of firewall, so called a “layer 7 firewall”

Question 44

First generation firewall

Answer 44

_ packet-filtering firewall
_ stateless
_ based decisions per packet

Question 45

Second generation firewall

Answer 45

_ stateful
_ evaluates based on session state

Question 46

NGFW

Answer 46

_ next-generation firewall
_ understand traffic for various apps
_ provides app-level inspection
_ performs content filtering and URL filtering
_ analyzes all layers of firewall, so called a “layer 7 firewall”

Question 47

Failure modes

Answer 47

_ fail-open system - everything passes through when system fails, so no traffic disruption, but also no security
_ fail-closed system - nothing passes through when system fails, traffic disruption but provides security

Question 48

Security zones

Answer 48

_ portion of network with its own security characterization

Question 49

Screened subnet

Answer 49

_ aka demilitarized zone (DMZ)
_ security zone between private network and the Internet
_ by a firewall on both external and internal sides
_ contains servers that are to be available to the Internet, such as mail server, web server, and CA server

Question 50

NAT

Answer 50

_ network address translation
_ translates public IP addresses to private IP addresses and back to public addresses
_ hosted by a NAT gateway
_ prevents public IPs from having to be purchased for each client
_ hides internal computers from the Internet
_ not compatible with IPsec

Question 51

Static NAT

Answer 51

_ maps a private IP to a single public IP

Question 52

Dynamic NAT

Answer 52

_ maps multiple public IPs, choosing based on load

Question 53

ICS

Answer 53

_ industrial control system

Question 54

SCADA

Answer 54

_ supervisory control and data acquisition
_ typically for industrial control
_ physically isolated from other networks
_ has embedded systems that control an ICS
_ e.g. for power plants, manufacturing plants, etc.

Question 55

Air-gapped system

Answer 55

_ a system or network that is not connected to any other system

Question 56

Network segmentation

Answer 56

_ routers segment traffic between networks

Question 57

subnetting

Answer 57

_ dividing large address ranges into smaller ranges

Question 58

VLAN

Answer 58

_ virtual local area network
_ uses switches to group computers into a virtual network, rather than just by using cabling
_ dynamically reconfigurable
_ can separate traffic type (e.g. minimize traffic by putting those who use VoIP on their own VLAN)

Question 59

East-west traffic

Answer 59

_ traffic between servers
_ diagrams usually show servers side-by-side with clients above or below them

Question 60

Proxy server

Answer 60

_ aka forward proxy server
_ forwards requests from client to servers
_ serves a private network forwarding to the Internet
_ performs intermediary services, such as caching or filtering
_ admins configure clients to use proxy servers for specific protocols

Question 61

Agent-based proxies

Answer 61

_ sit on each computer, proxying from there

Question 62

Reverse proxy

Answer 62

_ accepts requests from the Internet
_ usually the front end for web server, which can therefore be behind a firewall
_ caches web pages to improve performance

Question 63

Load balancer

Answer 63

_ a kind of reverse proxy server
_ forwards to multiple backend web servers

Question 64

Transparent vs non-transparent proxy servers

Answer 64

_ transparent proxy servers forward requests without modifying them.
_ non-transparent proxy servers filter out access to specify URLs.

Question 65

UTM

Answer 65

_ unified threat management
_ security service bundles
_ available within a single appliance
_ might do URL filtering (like a proxy server)
_ might do malware/content inspection
_ might mitigate DDoS (the way an IPS does)
_ placed at boundary with the Internet

Question 66

Jump server

Answer 66

_ aka jump box
_ a hardened server used to access and manage devices in a different security zone
_ often allows a passwordless SSH login for connecting to a remote server
_ e.g. to connect to a device via a jump server, enter “ssh -J maggie@jump maggie@ca1”, which has the jump server TCP-forward to the CA server
_ target systems should only allow connections from the jump server

Question 67

ZTNA

Answer 67

_ zero trust network access
_ trust decisions are not based on location (e.g. within the same local network)
_ use authentication and policy-based access control

Question 68

Adaptive identity authentication

Answer 68

_ means of authentication may vary by user location

Question 69

Control and data planes

Answer 69

_ control plane controls and configures the network
_ data plane is where users and software communicate

Question 70

PEP

Answer 70

_ policy enforcement point
_ used in zero trust networks as a gatekeeper for accessing resources
_ uses adaptive identity authentication

Question 71

Components of a zero-trust control plane

Answer 71

_ PE (policy engine) - decides whether to grant resources to a given subject
_ PA (policy administrator) - communicates decisions made by the PE to the tools that enforce those decisions, specifically the PEP
_ PEP (policy enforcement point) - gatekeeper for accessing resources, using adaptive identity authentication, enforcing authorization in the data plane

Question 72

SASE

Answer 72

_ secure access service edge
_ cloud service that builds on zero-trust
_ provides firewall services
_ provides secure web gateway services
_ provides anti-malware service
_ provides intrusion prevention services
_ provides cloud access broker (CASB) services
_ provides data loss prevention (DLP) services

Question 73

Intranet vs. extranet

Answer 73

_ intranet is for internal users
_ extranet is for internal users and authorized external users

Question 74

IPS

Answer 74

_ intrusion prevention system
_ a kind of intrusion detection system (IDS)
_ reacts to attacks in progress to prevent them from reaching systems and networks
_ “in-line” with traffic (all traffic passes through)
_ can block traffic

Question 75

HIDS

Answer 75

_ host-based intrusion detection system
_ software installed on workstation or server
_ monitors traffic passing through the NIC
_ many also monitor application traffic
_ some monitor log files or system resources
_ can detect malware that antivirus programs might miss

Question 76

Port tapping

Answer 76

_ aka port mirroring
_ configuration of a switch or router that sends all traffic to a single port, where it can be monitored

Question 77

NIDS

Answer 77

_ network-based intrusion detection system
_ admin installs NIDS sensors (aka collectors) on network devices to gather info and report to the NIDS
_ often includes a sensor on a port tap
_ can only analyze plaintext traffic
_ provides a monitoring console

Question 78

Signature-based IDS

Answer 78

_ aka definition-based IDS
_ uses a database of known vulnerabilities or known attack patterns

Question 79

Trend-based detection

Answer 79

_ aka anomaly detection
_ compares current network behavior to a previously established baseline behavior
_ can be effective at discovering zero-day exploits, which don’t yet have signatures
_ admin should establish a new baseline every time they make a significant change to the network
_ rules assign thresholds at which point to consider recurrence of a behavior an attack

Question 80

SYN flood attack

Answer 80

_ DoS attack
_ attacker sends many SYN packets without ever ACKing the returned SYN/ACK packets
_ a server can limit the number of resources made available to connections to prevent it from crashing due to running out of resources
_ IDS can detect this, IPS can stop it
_ a firewall can also guard against SYN flood attacks

Question 81

IDS aggregator

Answer 81

_ stores log entries from dissimilar systems
_ IDS analyzes they log entries for insights
_ logs may be collected in batches or in realtime

Question 82

NOC

Answer 82

_ network operations center

Question 83

NIPS

Answer 83

_ network intrusion prevention system

Question 84

RAT

Answer 84

_ remote access trojan
_ allows outsiders to work inside a network
_ reason to have IDS/IPS even within an assumed-secure network

Question 85

honeypot

Answer 85

_ server with intentional vulnerabilities and fake data
_ allows security to gather info on attackers

Question 86

honeyfile

Answer 86

_ file designed to attract an attacker by its file name

Question 87

honeytoken

Answer 87

_ a fake datum or record maintained to see where else it ends up
_ if it ends up anywhere else, it was stolen

Question 88

WLAN

Answer 88

_ wireless local area network

Question 89

AP

Answer 89

_ wireless access point
_ connects wireless clients to a wired network
_ can also be routers, in which case both wired ports and wireless connections use an internal switch

Question 90

SSID

Answer 90

_ service set identifier
_ name of a wireless network
_ default SSIDs tell attackers what type of AP it is
_ broadcasts of SSID tell users of your device but can be disabled

Question 91

MAC filtering

Answer 91

_ restricts access to allowed MAC addresses
_ a wireless sniffer can discover the allowed MAC addresses, telling attacker what MAC to use

Question 92

MAC address cloning

Answer 92

_ allows a workstation to use the MAC of its internet-facing router

Question 93

Wireless footprinting

Answer 93

_ detailed diagram of wireless APs, hotspots, and dead spots

Question 94

WEP and WPA

Answer 94

_ Wired Equivalent Privacy
_ Wi-Fi Protected Access
_ poor security
_ no longer used

Question 95

RADIUS

Answer 95

_ remote authentication dial-in user service
_ aka diameter server
_ central authentication service VPNs can use
_ helps companies having many offices with different VPN servers
_ usually accesses an LDAP server
_ during sign-on, only encrypts password
_ uses EAP to encrypt sessions

Question 96

WPA2

Answer 96

_ Wi-Fi Protected Access 2
_ uses CCMP to protect traffic
_ CCMP is based Advanced Encryption Standard (AES)
_ not the best security available
_ has modes: open (cleartext), anonymous pre-shared key (PSK), or enterprise (authenticates with a RADIUS/802.1X server)
_ enterprise mode requires the RADIUS IP and port, and a shared secret
_ home networks typically use PSK

Question 97

WPA3

Answer 97

_ Wi-Fi Protected Access 3
_ enhanced open mode - allows unauthenticated users but encrypts data (replaces WPA2 open mode)
_ simultaneous authentication of equals (SAE) mode - uses a passphrase plus additional security (replaces WPA2 PSK mode)
_ enterprise mode - supports RADIUS server w/ individual authentication

Question 98

EAP

Answer 98

_ extensible authentication protocol
_ allows two systems to create a secure encryption key (aka pairwise master key or PMK)
_ Uses a pairwise transient key (PTK) to encrypt data between devices
_ used in CCMP

Question 99

PEAP

Answer 99

_ protected EAP
_ builds on EAP
_ encapsulates communication in a TLS tunnel
_ requires the server to have a certificate
_ helps compensate for lack of physical security

Question 100

EAP-FAST

Answer 100

_ EAP-flexible authentication via secure tunneling
_ secure replacement for Cisco’s LEAP (Lightweight EAP)
_ supports protected access credential (PAC) instead of certifications

Question 101

EAP-TLS

Answer 101

_ EAP transport layer security
_ “one of the most secure EAP standards”
_ like PEAP but also requires clients to have certificates

Question 102

EAP-TTLS

Answer 102

_ EAP-tunneled TLS
_ extension of EAP-TLS
_ allows older auth methods such as PAP
_ only requires a certificate on the server

Question 103

RADIUS federation

Answer 103

_ single-sign-on federated access

Question 104

IEEE 802.1X

Answer 104

_ a port-based authentication protocol
_ requires authentication to a wireless AP or a physical port
_ block access to network if not authenticated
_ prevents port access from being sufficient to send traffic over a network
_ used in both wireless and wired networks
_ used in VPNs
_ can be used in VLANs to control access to resources

Question 105

Captive portal

Answer 105

_ way of forcing web browsers to complete a process before giving them access to a network
_ common for free internet access points
_ cheaper alternative authentication than 802.1X

Question 106

Disassociation attack

Answer 106

_ a client ends its association with an AP by sending a “disassociation frame” that includes the client’s MAC address
_ any device on the network can sniff the MAC and send the dissociation frame to disconnect any device
_ some hotels do this with wireless hotpots to force customers to use their paid internet service

Question 107

WPS

Answer 107

_ Wi-Fi Protected Setup
_ allows users to configure wireless devices without typing in a passphrase
_ users press buttons or enter a PIN
_ susceptible to brute-force attacks with WPA2
_ safe with WPA3
_ experts recommend disabling WPS

Question 108

Rogue access point

Answer 108

_ aka counterfeit access point

Question 109

Data exfiltration

Answer 109

_ unauthorized transfer of data to a location controlled by an attacker

Question 110

Evil twin

Answer 110

_ rogue access point with the same SSID as (or similar to) a legit access point
_ when set up in a public area, users may connect to it instead of the desired AP
_ wireless scanners can detect evil twins during site surveys

Question 111

Jamming attack

Answer 111

_ transmits noise or other radio data on the frequency used by the wireless network

Question 112

IV attack

Answer 112

_ initialization vector attack
_ some encryption systems require pre-sharing a key
_ the smaller the key, the more likely it will eventually get reused
_ an attack can add data to the network to force cycling through keys faster, until the attacker’s guessed key works

Question 113

NFC attack

Answer 113

_ near field communication (NFC) attack
_ contactless near-device communication
_ an antennae can boost NFC range to allow an attacker to intercept

Question 114

RFID attack

Answer 114

_ radio-frequency identification attack
_ RFID tags are placed on inventory to manage it
_ various obvious attacks

Question 115

bluejacking

Answer 115

_ sends unsolicited messages to bluetooth devices
_ annoying but harmless

Question 116

bluesnarfing

Answer 116

_ unauthorized access to or theft of info from a bluetooth device

Question 117

bluebugging

Answer 117

_ a kind of bluesnarfing
_ attacker installs a backdoor to have the device call the attacker at any time to listen in on conversations in a room or on a phone call
_ can enable call forwarding, send messages, etc.

Question 118

Bluetooth pairing

Answer 118

_ manual pairing of bluetooth devices eliminates most attacks

Question 119

War driving

Answer 119

_ practice of looking for vulnerable wireless networks
_ used by attackers in cars or walking around a city
_ useful for finding vulnerabilities as part of an audit

Question 120

War flying

Answer 120

_ war driving done from planes or drones

Question 121

VPN concentrator

Answer 121

_ dedicated device providing services need for a VPN
_ typically goes in the screened subnet, selectively routing external (firewall-provided) traffic to the intranet

Question 122

VPN server

Answer 122

_ software equivalent of a VPN concentrator
_ uses RADIUS for authentication, which might delegate to LDAP
_ implements IPsec tunnel mode

Question 123

IPsec tunnel mode

Answer 123

_ encrypts entire IP packets, including headers
_ internal IP and MAC addresses are encrypted
_ attacker can only see address of client and address of the VPN server

Question 124

IPsec transport mode

Answer 124

_ only encrypts payload
_ includes authentication header

Question 125

Split vs full tunnel

Answer 125

_ split tunnel allows client to hit Internet directly, only tunneling for internal resources
_ full tunnels all traffic

Question 126

NAC

Answer 126

_ network access control
_ continuously monitors computers
_ blocks computer access to network if it doesn’t pass inspection (health checks such as using a firewall, OS is up-to-date and patched, using antivirus software)
_ good for controlling access from 3rd party computers or devices
_ useful on VPNs where random devices connect
_ can redirect unhealthy clients to a “remediation network”

Question 127

PAP

Answer 127

_ password authentication protocol
_ used with PPP (point-to-point protocol)
_ sends passwords in cleartext
_ was used with dial-up connections

Question 128

CHAP

Answer 128

_ challenge handshake authentication protocol
_ uses PPP
_ client and server hashes password with a shared secret and nonce (number used once)

Question 129

TACACS+

Answer 129

_ alternative to RADIUS
_ encrypts entire authentication process, not just password
_ unlike RADIUS, uses multiple challenges to authenticate
_ can interact with Kerberos
_ can authenticate users before they access a router or switch

Question 130

AAA protocols

Answer 130

_ provide authentication, authorization, and accounting
_ e.g. RADIUS, TACACS+, Diameter
_ (Kerberos doesn’t provide accounting services on its own)