SECFND 11: Network Security Technologies

Question 1

3 Phases of Attack Continuum

Answer 1

Before, During, After

Question 2

3 attributes of “Before” attack continuum

Answer 2

Control, Enforce, Harden

Question 3

3 attributes of “During” attack continuum

Answer 3

Detect, Block, Defend

Question 4

3 attributes of “After” attack continuum

Answer 4

Scope, Contain, Remediate

Question 5

“Before” characteristics

Answer 5

Identify what’s on the extended network to implement policies and controls to defend it

Question 6

“During” characteristics

Answer 6

Detect and block malware continuously

Question 7

“After” characteristics

Answer 7

Reduce the impact of an attack by identifying point of entry, determining the scope, containing the threat, eliminating the risk of reinfection, and remediating

Question 8

AAA protocols

Answer 8

RADIUS & TACACS+

Question 9

RADIUS port

Answer 9

UDP 1812 for auth, 1813, Accounting (or 1645 & 1646)

Question 10

RADIUS encrypts…

Answer 10

Only the password in an access request packet

Question 11

TACACS+ port

Answer 11

TCP 49

Question 12

TACACS encrypts…

Answer 12

body of the packet (not the header)

Question 13

IAM

Answer 13

Control users and devices connecting to the network. (NAC Like).

Contextual network attributes

Question 14

NAD

Answer 14

network access device

Question 15

IAM benefit

Answer 15

Different levels of access and service based on the device.

Question 16

Firewall “routed mode”

Answer 16

Interfaces on multiple networks. Makes routing decision

Question 17

Firewall “transparent mode”

Answer 17

L2 “bump in the wire”. All interfaces on same network

Question 18

Network taps monitor which pins

Answer 18

Tx. Requires two NICS. One for inbound, one for outbound

Question 19

Other span port names

Answer 19

Port mirroring, port monitoring

Question 20

Steps to define SPAN port

Answer 20

1. Define source port or VLAN. 2. Define destination

Question 21

RSPAN

Answer 21

Remote span

Question 22

RSPAN traffic

Answer 22

Flooded to dedicated VLAN

Question 23

IPS Anomaly detection

Answer 23

IPS learns and alerts on deviations from baseline

Question 24

Rule-based Detection

Answer 24

aka Signatures

Question 25

IPS Reputation-based detection

Answer 25

Informed decisions based on reputation of sources. Drop traffic before more significant inspection

Question 26

IPS installation methods

Answer 26

Appliance. Module installed in another device.

Question 27

IPS evasion techniques

Answer 27

Traffic Fragmentation, traffic substitution and insertion, Encryption and tunneling

Question 28

Traffic fragmentation techniques

Answer 28

Attacker fragments all IP traffic if IPS doesn't perform reassembly. If it does, attacker fragments oddly to trick IPS. Modify how TCP frame is segmented so IPS ignores. Can cause overwrite of segment.

Question 29

Traffic substitution

Answer 29

Substitute payload data with other data in a different format. Unicode for letters, spaces with tabs, case sensitivity

Question 30

Traffic insertion

Answer 30

Adding extra bytes to data

Question 31

Parts of: | alert tcp $EXTERNAL_NET ANY -> $HTTP_SERVERS $HTTP_PORTS

Answer 31

``` Action (alert, drop, pass, etc.) Protocol (TCP, UDP, ICMP, IP) Source IP, Port Direction <> or -> only Destination IP, Port ```

Question 32

What does IPS rule body do?

Answer 32

Keyword, colon, argument. Can have multiple arguments

Question 33

Snort rule "Content" option

Answer 33

Set rules for specific content (sequence of characters or hex values).

Question 34

Snort rule "msg" and "sid"

Answer 34

Message to print and Snort ID

Question 35

WCCP

Answer 35

Web Cache Communication Protocol. WCCP is a protocol for communication between routers and Web caches.

Question 36

transparent proxy vs. explicit proxy

Answer 36

Transparent proxy doesn't require client settings. Explicit proxy requires client config.

Question 37

Next Gen Firewall features

Answer 37

Application visibility and control, malware protection, URL filtering, SSL decryption, and next-generation IPS

Question 38

Threat Intelligence

Answer 38

Evidence based knowledge about existing or emerging threat to assets that informs response to the threat

Question 39

bogon

Answer 39

Bogus IP addresses

Question 40

Bro

Answer 40

Network analysis framework like IDS

Question 41

ELSA

Answer 41

Syslog framework

Question 42

OSSEC

Answer 42

Open Source IDS/HIDS

Question 43

Sguil

Answer 43

Network security monitoring. Event analysis

Question 44

Squert

Answer 44

Web app for Sguil

Question 45

Snort

Answer 45

IPS