Sec+ Chapter 12: Network Security Flashcards

1
Q

Defense in depth

A

Medieval army attacking a castle analogy

Security principle that says environments must be built around multiple controls to ensure that one failure in a single control, or multiple controls, won’t cause a security breach

2
Q

OSI Model

A

Open systems interconnection model

From the bottom-up

1) Physical

2) Data

3) Network

4) Transport

5) Session

6) Presentation

7) Application

3
Q

Network segmentation

A

The act of dividing up a network into logical, virtual, or physical groupings

4
Q

VLAN

A

Virtual LAN

A broadcast domain that’s segmented at OSI layer 2 (data)

Switches and other devices are used to create VLANs

5
Q

DMZ

A

Demilitarized zone / screened subnet

Network zones containing systems that are exposed to less trusted areas

Commonly used to contain web services or other internet-facing devices

6
Q

Intranet

A

Internal network protected from external access

For employees only; reached from the internal network or over VPN

7
Q

Extranet

A

Network set up for external access, usually by partners or customers rather than the public at large

Unlike a DMZ, this usually requires additional authentication to gain access

8
Q

Zero trust

A

A concept that says nobody should be trusted, regardless of whether they’re an internal or external person or system

9
Q

Zero trust network

A

A network that includes security between systems as well as at security boundaries

10
Q

NAC

A

Network access control / network admissions control

NAC validates security status for systems and allows or disallows connection to a network

Rules for access can be based on user, group, location, application, etc

11
Q

Agent based NAC

A

Requires installation and adds complexity and maintenance

Provides greater insight and control

12
Q

Agentless NAC

A

Lightweight installs, easier to handle for machines that aren’t centrally managed or devices that don’t support a NAC agent

Provides less detail and can’t be scheduled

13
Q

Port security

A

Limiting the number of MACs that can be used on a single port

Prevents MAC spoofing, content addressable memory (CAM) table overflows, and extending the network through additional devices

14
Q

CAM table

A

Content addressable memory table

Maps MAC addresses to IP addresses, which allows switches to send traffic to the correct port

15
Q

CAM table attack vector

A

Attackers who can fill CAM tables can make switches fail over to broadcasting traffic, making otherwise inaccessible traffic visible on their local port

Effectively turns the switch into a hub without any intelligence for where frames should be sent

All frames are sent to all interfaces on the switch

16
Q

Loop protection

A

Detecting loops and disabling ports to prevent loops from causing issues

17
Q

STP

A

Spanning tree protocol

A common way to implement loop control on layer 2 networks

STP is also great at finding problems in a network

EX: An outage occurs, and you lose connectivity on a network path

STP constantly monitors itself and can go into convergence mode to examine what interfaces are available based on an outage

It can work around the problem, maintain comms on the network, and still prevent loops

18
Q

Broadcast storm control

A

AKA Storm control

Prevents broadcast packets from being amplified as they traverse a network

Occurs when a loop in a network causes traffic amplification as switches attempt to figure out where traffic should be sent

Limits the number of broadcasts per second, controls multicast or unicast, or manages changes from normal traffic patterns

19
Q

BPDU guard

A

Bridge protocol data unit guard

STP takes 20-30 sec before it understands what path to use when a new device is connected to the network

It has to perform the same checks every time we plug in

Instead of the delay, we can configure the switch to let it know the only thing plugging in is an end station

Bypass the STP listening and learning, plug device in and instantly start communicating on the network

The issue is someone could plug in with another switch, and there would be a loop over that connection

To get the speed with port fast and security of STP, configure BPDU guard on the switch

BPDU is the primary protocol used by STP

The switch constantly watches comms coming from interfaces, and if an interface ever sends a BPDU frame, it recognizes that a switch could be on the other side of the connection

Port fast is then disabled before a loop can occur

20
Q

DHCP snooping

A

Someone can plug in a DHCP server not authorized to be on the network, which creates a DoS or security issue

Switches have a feature that looks for these problems, called DHCP snooping

The switch is configured with a list of trusted interfaces; all other interfaces are untrusted

The switch watches for DHCP conversations, and if one appears from an untrusted interface, the switch filters out the conversation and disallows it from being sent

21
Q

SPAN

A

Switched port analyzer

Does the same as port mirror, but can combine traffic from multiple ports to a single port for analysis

22
Q

Port mirror

A

Sends a copy of all traffic sent to one switch port to another switch port for monitoring

23
Q

VPN

A

Virtual private network

Creates a virtual network link across a public network that allows endpoints to act as if they’re on the same network

Encryption is not a requirement, but often used in the tunnel

24
Q

IPSec VPN

A

Internet protocol security VPN

Allows authentication and encryption over a layer 3 network, and also supports packet signing along with encryption

This provides secure data, with anti-replay protection built into the conversation

Two core IPSec protocols:

1) AH (authentication header): No encryption, hash of the packet and a shared key, adds AH to the packet header

Provides data integrity with hash
Guarantee origin of data with authentication key
Prevents replay attacks with sequence numbers

2) ESP (encapsulation security payload): Encrypts with AES, hashes with SHA-256, and authenticates

In most implementations, this will be combined with AH to make sure the data gets through the network without alteration

Two modes:

1) Tunnel mode: entire packet sent is protected

2) Transport mode: IP header not protected, but IP payload is

25
Q

SSL VPN

A

Current implementations actually use TLS, not SSL, and communicate over port 443

It’s either:

1) Portal based: Users access through web page and then access services

2) Tunnel mode: IPSec VPN, entire packet sent is protected

26
Q

L2TP VPN

A

Layer 2 tunneling protocol VPN

Many site to site VPNs are implemented with L2TP

Connects two networks together as if they’re on the same layer 2 network, but it’s happening through a layer 3 network

Doesn’t provide encryption, just provides tunnels

Often combined with IPSec for security

27
Q

Site to site VPN

A

Used to create a secure network channel between two or more sites

Typically, they’re always on since they extend an org’s network

Firewalls often serve as the VPN concentrators

28
Q

Remote access VPN

A

Used mainly by remote workers on an as-needed basis; turned on when they need specific resources, systems, or a trusted connection

29
Q

Full tunnel VPN

A

All data and network traffic is sent through an encrypted tunnel to the VPN concentrator, and the user can’t break out of that tunnel to send information to another device directly

Data is sent to VPN concentrator which decides where that information needs to go before sending back to the remote user

30
Q

Split tunnel VPN

A

The admin of the VPN can configure some information to go through the tunnel, and other information can go outside the tunnel

Traffic doesn’t need to go through the full tunnel to communicate with devices that aren’t on the tunnel

31
Q

Jump server

A

A highly secure, hardened, and monitored device that spans two or more networks, allowing users to connect to it from one network and then “jump” to another

SSH, tunnel, VPN to other devices on the network

32
Q

Load balancer

A

Distributes traffic to multiple systems, provides redundancy, and allows for ease of upgrades and patching

33
Q

Proxy server

A

A device that sits between the users and the rest of the network

Accepts and forwards requests, centralizing the requests and allowing actions to be taken on the requests and responses

Useful for caching info, access control, URL filters, content scanning

34
Q

Forward proxies

A

Accepts client requests, forwards them to the server, receives the answer, validates it, and sends the user a copy of the response

Conceals original client and can anonymize traffic or provide access to resources blocked by IP or location

Commonly used to protect and control user access to the internet

35
Q

Reverse proxies

A

Users from the internet hit a proxy to gain access to internal services on your network

The proxy examines requests from users; if they’re valid and not malicious, it sends them to the web server, gets the response, and sends a copy of the answer to the user on the internet

36
Q

NAT

A

Network address translation

Allows a pool of addresses to be translated to one or more external addresses

EX: Allow many private IPs to use a single public IP to access internet

37
Q

NAT gateway

A

In-home router

A network tool that provides private IPs and uses NAT to allow a single public IP to serve many devices behind the router

By default blocks all inbound access

38
Q

Content filters

A

Allows or blocks traffic based on specific content rules

Simple rules: blocked URLs, domains, etc

Complex rules: Blocked by IP reputation, pattern matching, etc

39
Q

DLP solutions

A

Data loss prevention solutions

Ensure data isn’t extracted or accidentally sent from a network

Frequently pairs agents on systems with filtering capability at the network border, email services, and exfiltration points

40
Q

IDS

A

Intrusion detection system

Detects threats in your network and alerts you

Can’t take direct action

41
Q

IPS

A

Intrusion prevention system

Detects threats in your network and takes direct action to stop them

42
Q

Stateless firewalls

A

Does not keep track of traffic flows, and needs a rule base that covers all comms in both directions

Each packet is individually examined, regardless of past history

Traffic sent outside of an active session will traverse a stateless firewall

Not smart, has no idea about requests and responses, always defaults to its existing rule base

43
Q

Stateful firewalls

A

Almost all firewalls today are stateful, and much more intelligent about how they allow traffic through a network

Stateful remembers the “state” of the session and creates a state table about a particular flow as it takes place

Watches all traffic between systems and allows comms to continue only once they’ve been approved vs reviewing every packet

Provides more context to make security decisions

44
Q

NGFW

A

Next gen firewall

OSI application-layer firewalls

Often replace UTMs

Firewall with more features like IDS, IPS, antimalware, etc

45
Q

WAF

A

Web app firewall

Unlike a normal firewall, it’s specifically built for web apps and applies rules to HTTP/S conversations

Inspects traffic sent to web servers, looks for attacks and patterns, and applies rules based on what it sees

46
Q

UTM

A

Unified threat management

An all in one security appliance, AKA web security gateway

Devices that include firewall, IDS/IPS, antimalware, URL and email filtering, DLP, VPN, and security analytics

47
Q

ACL

A

Access control list

A set of rules used to filter or control network traffic on a firewall

The series of variables that you choose are called tuples, and they’re groupings of information

Evaluates characteristics like src IP, dst IP, port, app, etc to match rules in ACL, looks at disposition, and allows or denies

Usually top to bottom in ACL decision logic, so place specific rules at the top of the list and general at the bottom

48
Q

QoS

A

Quality of service

A set of controls that allows us to prioritize network traffic to make it through a network, even when it’s under attack or congested

49
Q

BGP

A

Border gateway protocol

No strong security built in, which leads to accidental or purposeful BGP hijacking. A router advertises itself and ends up redirecting internet traffic through itself

50
Q

OSPF

A

Open shortest path first

Some security like MD5 based authentication

Doesn’t secure actual data, but does validate that the data is complete and from the proper router

51
Q

EIGRP

A

Enhanced interior gateway routing protocol

Cisco-proprietary protocol that provides authentication and helps prevent attackers from sending false routing messages

52
Q

Routing security

A

Networks rely on routing protocols to determine what path traffic should take to other networks

Attackers will target routing protocols in order to intercept traffic, cause loop outages, DoS, MITM, congest networks, etc

53
Q

DNS

A

Domain name system protocol / port 53

NOT SECURE - UNENCRYPTED AND UNPROTECTED

54
Q

How to secure DNS?

A

Config DNS server to prevent zone transfers, turn on DNS logging, block DNS reqs to malicious domains

Domain name system security extensions (DNSSEC)

DNS sinkhole

55
Q

DNS Sinkhole

A

A DNS server that hands out incorrect IPs

When a client requests the IP of an FQDN, this gives back incorrect or invalid information about the service

If attackers implement DNS sinkholes, they can redirect users to other locations or create a DoS

More commonly used to provide intel for the security pro

We know that users will visit known malicious sites if they’re infected with malware

Instead of letting them communicate with a malicious, external server, we instead configure a DNS sinkhole

If anyone ever requests the IP of a malicious site, we provide an IP for a machine inside our location, which we can then report on to ID who’s infected with malware within our org

This is often a feature of IPS or NGFW

If someone tries to communicate to a known malicious site, the DNS sinkhole will send an IP that redirects them to a known good site

Also creates an alarm for the security team at the org to know a particular device is infected

Infected device can’t comm with C2 and security team can clear that out before it spreads

56
Q

File integrity monitor

A

Detects changes in files or systems that should never change, and reports on them, or restores them to normal

EX: Tripwire, Windows System File Checker (SFC)

57
Q

Honeypot

A

A system intentionally configured to appear vulnerable, but is heavily instrumented and monitored to document everything an attacker does while trying to access it

58
Q

Honeynet

A

Networks set up and instrumented to collect information about network attacks

Multiple honeypots where you can gather info from multiple sources

An attacker may start on one server and go to another, or multiple attackers may arrive at one time performing different functions on different honeypots

59
Q

Honeyfile

A

A file that contains unique, detectable data left in an area an attacker is likely to find

If the data is discovered outside the network, the org knows they’ve been breached

Lives inside the honeypot and honeynet

EX: a passwords.txt file

60
Q

Fake telemetry data

A

Machine learning takes big data and identifies patterns and info within the large data source

To have this ML understand what we’re looking for, we need to train it with actual data

Feed it malware, ransomware, viruses, etc that will show the ML what bad or malicious data looks like

ML then understands what it’s looking for and how to ID malware from the way it operates vs a specific signature

Attackers know this, so they add their own fake telemetry into the data to make the ML think the malware is actually something good

They can send the fake telemetry into the machine, and once the training is over, they can send their malware and it’ll pass

61
Q

DNS

A

Domain name system

OG port: UDP/TCP 53

Secure option: DNSSEC

Secure port: UDP/TCP 53

62
Q

FTP

A

FTPS / file transfer protocol secure

OG port: TCP 21 (and 20)

Secure port: TCP 21 (explicit) 990 (implicit)

Note: Using TLS

SFTP / secure file transfer protocol

OG port: TCP 21 (and 20)

Secure port: TCP 22 (SSH)

Note: Using SSH

63
Q

HTTP

A

Hypertext transfer protocol

OG port: TCP 80

Secure option: HTTPS

Secure port: 443

Note: Using TLS

64
Q

IMAP

A

Internet message access protocol

OG port: TCP 143

Secure option: IMAPS

Secure port: TCP 993

Note: Using TLS

65
Q

LDAP

A

Lightweight directory access protocol

OG port: UDP / TCP 389

Secure option: LDAPS

Secure port: TCP 636

Note: Using TLS

66
Q

POP3

A

Post office protocol v3

OG port: TCP 100

Secure option: POP3

Secure port: TCP 995 - secure POP3

Note: Using TLS

67
Q

RTP

A

Real time transport protocol

OG port: UDP 16384-32767

Secure option: SRTP

Secure port: UDP 5004

68
Q

SNMP

A

Simple network management protocol

OG port: UDP 161 / 162

Secure option: SNMPv3

Secure port: UDP 161 / 162

69
Q

Telnet

A

OG port: TCP 23

Secure option: SSH

Secure port: TCP 22

70
Q

S/MIME

A

Secure multipurpose mail exchange protocol

Provides the ability to encrypt and sign MIME data, the format used for email attachments

Requires a certificate for users to be able to send and receive

71
Q

IPSec

A

Internet protocol security

An entire suite of security protocols used to encrypt and authenticate IP traffic

72
Q

AH

A

Authentication header - IPSec

Uses hashing and shared secret key to ensure integrity of data

Validates senders by authenticating IP packets sent

Ensures IP payload and headers protected

73
Q

ESP

A

Encapsulated Security Payload - IPSec

Tunnel mode: Provides integrity and authentication for entire packet

Transport mode: Only protects payload

74
Q

MITM

A

Man in the middle / on path attack

Attackers cause traffic to be relayed through their own system or device

They eavesdrop or even alter comms as they wish

75
Q

SSL stripping

A

Combines an on-path attack with a downgrade attack; the attacker must sit in the middle of the conversation via a proxy server, ARP spoofing, a rogue WiFi hotspot, etc

They’re able to strip the S from HTTPS so the traffic isn’t encrypted anymore, removing the TLS

EX:

1) Victim sends HTTP request for web page

2) Attacker intercepts traffic, sends unchanged HTTP to server

3) Server sends a response back to the attacker saying let’s do HTTPS instead of HTTP

4) Attacker sends back the HTTPS to the server

5) This sets an encrypted channel between attacker and server, but not victim and attacker

6) Server sends HTTPS to attacker, who decrypts it

7) Sends HTTP page back to victim

8) Victim might send login requests, information, etc that attacker sees

9) Attacker sees, but forwards HTTPS back to server

10) This goes on and on and on for as long as the attacker wants

76
Q

MITB

A

Man in the browser / on-path browser

This relies on a Trojan or other malware that’s inserted into a victim’s browser

The malware will run on their machine and automate the processes

Huge advantage for the attacker, as any encrypted data on the network will show as unencrypted since the malware is on the same computer

EX: Malware sits, waits for you to log into your bank, and then grabs credentials, keystrokes, etc and then transfers money, modifies your account, etc

77
Q

Domain hijacking

A

Changes the registration of a domain so that the domain’s settings and configs can be changed by an attacker

Can intercept traffic, send and receive email, etc while appearing as legit domain holder

Attacker might brute force your password on the account, phish the info, gain access to email, etc

78
Q

DNS poisoning

A

Where attackers redirect web traffic to an attacker’s website, often a fake webserver or phishing website, by:

1) Modifying DNS cache

2) Sitting on-path (MITM) and modifying DNS queries sent to a client

3) Modify DNS information on the legit DNS server

79
Q

URL redirection

A

Insert alternate IPs into a system’s hosts file

When the system looks up a site via DNS, it uses the hosts file first and will use the modified IP instead of the true IP

80
Q

Domain reputation

A

Information about whether or not your domain is a trusted email sender, or if it spams

81
Q

ARP poisoning

A

Address resolution protocol poisoning

The attacker sends unprompted, malicious ARP packets carrying their MAC address to machines on the network they want to poison

Since ARP has no security, the message is received and interpreted, the victim changes its ARP cache information, and then sends traffic to the new MAC address

Attacker then performs the same poisoning to the router, and anything sent from victim to router is relayed through the attacker’s machine

82
Q

MAC flooding

A

Media access control flooding

A layer 2 attack that targets switches by sending so many MACs to the switch that the CAM table gets overfull

Flooding results in switch sending traffic out to all ports to ensure traffic keeps flowing

83
Q

MAC cloning

A

Media access control cloning

Duplicate the MAC address of a device

84
Q

Volume based DDoS

A

Sends an insane amount of traffic to deny service

EX: UDP and ICMP floods

85
Q

Protocol based DDoS

A

Focuses on the underlying protocols used for networking

EX: SYN flood, ping of death, smurf attack, Christmas tree

86
Q

OT DDoS

A

Operational technology DDoS

DDoS on software / hardware that controls devices and systems in buildings, factories, powerplants, etc

Similar to network DDoS, but different detection methods and can be harder to ID

87
Q

theHarvester

A

OSINT gathering tool that can get emails, domains, usernames, etc using search engines

88
Q

MAC address

A

Media access control address

Every adapter card has a different, unique MAC

48 bits long / 6 bytes written in hex

First 3 bytes are the OUI (organizationally unique identifier), or the manufacturer portion of the MAC

The last 3 bytes are the serial number, which is incremented by the manufacturer

89
Q

SSL / TLS Inspection

A

There might be malicious information encrypted inside SSL/TLS that we want to block from coming into our network

Since it’s encrypted, inspection lets us view what’s inside

This can’t be done easily, and must be specially configured, but it’s very useful to maintain security

It’s all based on trust. Your browser trusts the device it’s connecting to and is able to encrypt end to end

With inspection, we put ourselves in the middle but continue to have the trust on both client and server side

90
Q

Active/ active load balancer modes

A

Active/active == All servers active, if one fails the others pick up the load and keep going with no interruption

91
Q

Load balancer affinity

A

Certain apps require that users communicate to exactly the same server

In those situations, load balancers will always distribute that comm to the same server

Usually tracked using session IDs, or combo of IPs and port numbers

92
Q

Active/passive load balancer modes

A

Active/passive == when some of the servers are actively in use, and others are in standby mode

If one fails, other devices can move into active and provide services

93
Q

Load balancer scheduling modes

A

1) Round robin: Each server is selected in turn

2) Least connection: Server with lowest use gets request

3) Agent-based adaptive balancing: Updates traffic distro based on agent’s report on server’s ability to respond

4) Source IP hashing: Assigns traffic based on hash of source IP

5) Weighted least: Uses least connection algo combined with predetermined weight for each server

6) Fixed weighted: Preassigned weight for each server based on capability or capacity

7) Weighted response time: Assigns traffic based on server’s current response time

94
Q

IPS identification

A

1) Signature based: looks for matches

2) Anomaly based: Examines normal traffic and what changes with the flow

3) Behavior based: Recognizes certain behavior like what an SQL injection looks like when accessing a db

4) Heuristics: Use AI and ML to understand how network operates and ID malware based on the large data and intel

95
Q

traceroute

A

Linux command that maps the entire path between two devices, so you know exactly what routers are between point A and B

The information displayed comes from routers on the network via ICMP TTL exceeded error messages

You send packets into the network, which causes routers to create an error message and send it back to you

FYI, not all devices will reply with ICMP time exceeded messages, some firewalls filter ICMP which could cause gaps

In Windows: tracert sends ICMP echo requests (like the ping command), but running it can be difficult because outgoing ICMP is commonly filtered

Use command options to modify how you specify the protocols used

96
Q

nslookup / dig

A

Windows and Linux

Query a DNS server to determine names and IPs

Slowly being deprecated in favor of dig (domain information groper)

dig has added functionality, probably your first choice now but needs to be installed in Windows

97
Q

ifconfig / ipconfig

A
98
Q

pathping

A

Windows command that merges ping and traceroute

Runs a traceroute to a destination IP to determine what routes are between your local device and the other one

Once that’s done, pathping measures the round trip and packet loss at each hop

99
Q

route

A

Windows: route print

Linux: netstat -r

Shows what the next route is outside the network, or what other routes are configured on a device

100
Q

arp -a

A

Check the ARP table for known MAC addresses

101
Q

curl

A

Client URL

Gets the raw data for web pages, FTP, emails, databases, etc

102
Q

IP scanners

A

Search a network for IP addresses

Many different techniques like ARP if you’re on the local subnet

If not, you can use ICMP requests (ping), TCP ACK, ICMP timestamp requests

A response means more recon can be done with tools like nmap and hping

103
Q

hping

A

TCP/IP packet assembler and analyzer

A ping that can send almost anything

Unlike a simple ping command, you can modify almost everything about the packet like IP, TCP, UDP, and ICMP values

104
Q

sn1per

A

A recon tool that combines multiple tools into a single framework

dnsenum, metasploit, nmap, theHarvester, etc

Highly intrusive, know what you’re doing with this one

105
Q

scanless

A

A port scan proxy that lets you run port scans from a different host

106
Q

Cuckoo

A

A sandbox for malware, where you can safely test files in an isolated and secure environment