Section 1: Network Security Essentials Flashcards

1.1

1
Q

Architecture: Conceptual Network Design

A

Documents the network profile selected to meet the defined requirements for the network. It includes an evaluation of the alternative network profiles, with a supporting risk assessment, and a preliminary configuration design expressed as a generic-level component schematic showing the technologies and standards selected.

2
Q

Architecture: Logical Network Design

A

A virtual representation of a network that appears to the user as an entirely separate, self-contained network even though it may physically be only a portion of a larger network or LAN, or may be assembled from several separate networks made to appear as one. The logical design captures this view (addressing, subnets, VLANs and the paths between them) independently of the physical cabling.

3
Q

Architecture: Physical Network Design

A

The interconnected structure of a local area network (LAN): the method used to connect the physical devices with cables, together with the type of cabling used, constitutes the physical topology. The physical design should also record each device's operating system and version and any physical limitations or site constraints.

4
Q

Architecture: Communication flow

A

Every data exchange and every control message, whatever its purpose, should be diagrammed; an undocumented flow cannot be filtered or monitored.

5
Q

Architecture: Data location

A

Diagram where every file of valuable data resides, so that protection and monitoring can be concentrated on those locations.

6
Q

Threat Enumeration, and mapping

A

The process of discovering the potential attack vectors in a system; the same information can then be used for further exploitation of the system.

Enumeration is used to gather:
Usernames and group names
Hostnames
Network shares and services
IP tables and routing tables
Service settings and audit configurations
Applications and banners
SNMP and DNS details

Defining threat agents

Defining network vulnerabilities

Identifying critical data

Identifying the greatest commonalities between all of these in order to focus network hardening

7
Q

Threat agent

A

A capable and motivated group (or individual) able to compromise the network. Characterise each agent by:

  1. how active they are
  2. what motivates them

Examples: cyber criminals (financial gain), cyber espionage actors (intelligence), hacktivists (ideology)

8
Q

Router Attacks: Denial of Service

A

Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim's host by overwhelming it with ICMP echo requests (pings).
The attack floods the victim's network with request packets, knowing that the host will answer with an equal number of reply packets. Other ways of bringing down a target with ICMP requests include custom tools or code, such as hping and Scapy; if the attacker spoofs the source address, the replies go to the spoofed address instead (a reflection attack).
This strains both the incoming and outgoing channels of the network, consuming significant bandwidth and resulting in a denial of service.

9
Q

Router Attacks: distributed denial-of-service (DDoS)

A

Uses a number of hosts to overwhelm a server so that the targeted system or website becomes unavailable. This type of denial-of-service attack is typically aimed at large, popular websites in an effort to disable them, temporarily or permanently, by bombarding the server with requests until it can no longer respond to legitimate users.
DDoS differs from a denial-of-service (DoS) attack in that the traffic comes from many hosts (often a botnet) rather than a single one, which makes source-based filtering far less effective.

10
Q

Router Attacks: Packet Sniffing

A

A utility that captures traffic without modifying the network's packets in any way. By comparison, a firewall also sees all of a host's packet traffic but can block and drop any packets its rules dictate; packet sniffers merely watch, display and log the traffic. A sniffer puts the network adapter into promiscuous mode so that it accepts frames not addressed to it. On a switched network the attacker normally sees only their own traffic unless they first defeat the switch (see MAC Flooding).

11
Q

Router Attacks: Packet Misrouting

A

A kind of packet mistreatment attack in which a malicious or compromised router misroutes packets so that triangle routing is formed: traffic takes an indirect path through the attacker instead of the direct one. This kind of attack is very difficult to detect and is considered an open problem. It can be launched purely through router configuration changes, without modifying the router's software.

12
Q

Router Attacks: Cross-Site Scripting

A

Also known as XSS: a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users, and may be used to bypass access controls such as the same-origin policy. A router's web management interface is a web application too: an XSS flaw in it has been used to read the device's MAC address and, combined with location services that resolve a MAC/BSSID to a position, to locate its owner.

13
Q

Router Attacks: Cross-site request forgery

A

Also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF: a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts. There are many ways a malicious website can transmit such commands: specially-crafted image tags, hidden forms and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust a site has in a user's browser. CSRF can also be used to take over a router by making the victim's browser submit configuration changes to the router's admin interface; rebooting the device generally removes such changes unless they were saved to the startup configuration.
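As an added example (not part of the original flashcards), the Python below models the router-takeover case: a request handler that trusts the session cookie alone, beside one that also requires a same-origin check and a per-session anti-CSRF token. The requests, session store (SESSIONS), router origin and the "dns" setting are constructed assumptions standing in for a real admin interface.

```python
"""CSRF against a router's admin page: a handler that trusts the session
cookie alone, beside one that also demands a same-origin check and an
anti-CSRF token. The requests, session and config are constructed;
SESSIONS stands in for the router's session store.
"""
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed origin of the admin interface
SESSIONS = {"s3ss10n": {"csrf": secrets.token_hex(16)}}   # one logged-in admin


def handle_vulnerable(req, config):
    """Applies the posted DNS setting if a valid session cookie is present.
    The browser attaches that cookie to cross-site form posts too, so any
    page the admin visits can change the router's DNS server."""
    if req["cookies"].get("sid") not in SESSIONS:
        return 401
    config["dns"] = req["form"]["dns"]
    return 200


def handle_hardened(req, config):
    """Same action, but the request must (1) originate from the router's own
    origin and (2) carry the per-session token that only a page served by
    the router could have read. The token is compared in constant time."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), sess["csrf"]):
        return 403
    config["dns"] = req["form"]["dns"]
    return 200


def legitimate_post():
    """Form submitted from the router's own settings page."""
    return {"cookies": {"sid": "s3ss10n"},
            "headers": {"Origin": ROUTER_ORIGIN},
            "form": {"dns": "192.168.1.1", "csrf_token": SESSIONS["s3ss10n"]["csrf"]}}


def cross_site_post():
    """Hidden form auto-submitted by evil.example while the admin is logged in:
    the browser still sends the router's cookie, but the Origin is the
    attacker's site and the token is unknown to it."""
    return {"cookies": {"sid": "s3ss10n"},
            "headers": {"Origin": "http://evil.example"},
            "form": {"dns": "203.0.113.53"}}


def demo():
    """Returns (status, resulting dns) of the cross-site post against each handler."""
    c1 = {"dns": "192.168.1.1"}
    c2 = {"dns": "192.168.1.1"}
    return ((handle_vulnerable(cross_site_post(), c1), c1["dns"]),
            (handle_hardened(cross_site_post(), c2), c2["dns"]))


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler lets the attacker's page repoint the router's DNS, the hardened one returns 403 and leaves the configuration untouched. Marking the session cookie SameSite=Lax or Strict adds a browser-side layer on top of the token, but the token check is what the server can rely on.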

14
Q

Router Attacks: SYN Flood

A

Uses the TCP three-way handshake as the vector. A SYN flood works by not responding to the server with the expected ACK. The malicious client either simply never sends the ACK, or spoofs the source IP address in the SYN so that the server sends its SYN-ACK to a falsified address, which will not reply with an ACK because it never sent a SYN.
The server waits for the acknowledgement for some time, since ordinary network congestion could also explain a missing ACK. In an attack, however, the half-open connections created by the malicious client bind resources on the server and may eventually exceed the resources available; at that point the server cannot accept any new clients, legitimate or otherwise, which effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating-system functions are starved of resources in this way. SYN cookies, a short SYN-RECEIVED timeout and per-source rate limiting are the usual mitigations.
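As an added example that is not part of the original flashcards, the following Python detector flags both the ICMP flood from the earlier Denial of Service card and the SYN flood described above, working from a list of packet summaries. The packet dicts, addresses and the thresholds ICMP_LIMIT, HALF_OPEN_LIMIT and SYN_TIMEOUT are constructed assumptions; in practice the summaries would come from a capture library such as Scapy.

```python
"""Flood detection over packet summaries (sample data constructed below).

Flags the two floods described on this page:
  * ICMP echo-request (ping) floods: one source exceeds ICMP_LIMIT echo
    requests within WINDOW seconds.
  * SYN floods: a destination accumulates more than HALF_OPEN_LIMIT
    half-open connections (SYN seen, no ACK from that client yet).
"""
from collections import defaultdict, deque

ICMP_LIMIT = 100       # echo requests per source per WINDOW seconds (assumed threshold)
WINDOW = 1.0
HALF_OPEN_LIMIT = 50   # half-open connections per destination (assumed threshold)
SYN_TIMEOUT = 30.0     # how long the server keeps a half-open entry (assumed)


def detect_floods(packets):
    """packets: iterable of dicts with keys ts, src, dst, proto, plus type for
    ICMP and sport, dport, flags for TCP. Returns [(kind, address), ...],
    each offender reported once, in the order first detected."""
    alerts = []
    icmp_times = defaultdict(deque)   # src -> timestamps of recent echo requests
    half_open = {}                    # (src, sport, dst, dport) -> SYN timestamp

    def alert(kind, addr):
        if (kind, addr) not in alerts:
            alerts.append((kind, addr))

    for p in packets:
        now = p["ts"]
        if p["proto"] == "icmp":
            if p.get("type") != "echo-request":
                continue
            q = icmp_times[p["src"]]
            q.append(now)
            while now - q[0] > WINDOW:       # slide the window forward
                q.popleft()
            if len(q) > ICMP_LIMIT:
                alert("icmp_flood", p["src"])
        elif p["proto"] == "tcp":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if p["flags"] == "S":
                half_open[key] = now          # server would now be in SYN-RECEIVED
            elif "A" in p["flags"]:
                half_open.pop(key, None)      # client completed the handshake
            for k in [k for k, t in half_open.items() if now - t > SYN_TIMEOUT]:
                del half_open[k]              # server gave up on these
            per_dst = defaultdict(int)
            for (_, _, dst, _) in half_open:
                per_dst[dst] += 1
            for dst, n in per_dst.items():
                if n > HALF_OPEN_LIMIT:
                    alert("syn_flood", dst)
    return alerts


def sample_packets():
    """Constructed traffic: a legitimate host, a ping flooder and a spoofed SYN flood."""
    pkts = []
    for i in range(5):   # ordinary pings from 10.0.0.5, one per second
        pkts.append({"ts": float(i), "src": "10.0.0.5", "dst": "192.0.2.10",
                     "proto": "icmp", "type": "echo-request"})
    # one complete handshake from 10.0.0.5 to the web server
    pkts += [
        {"ts": 0.10, "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "proto": "tcp", "flags": "S"},
        {"ts": 0.20, "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "proto": "tcp", "flags": "SA"},
        {"ts": 0.30, "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80, "proto": "tcp", "flags": "A"},
    ]
    for i in range(150):  # ping flood: 150 echo requests in under half a second
        pkts.append({"ts": 2.0 + i * 0.003, "src": "10.0.0.9", "dst": "192.0.2.10",
                     "proto": "icmp", "type": "echo-request"})
    for i in range(80):   # SYN flood from spoofed sources that will never ACK
        pkts.append({"ts": 3.0 + i * 0.01, "src": f"203.0.113.{i + 1}", "sport": 1024 + i,
                     "dst": "192.0.2.10", "dport": 80, "proto": "tcp", "flags": "S"})
    return sorted(pkts, key=lambda p: p["ts"])


if __name__ == "__main__":
    for kind, addr in detect_floods(sample_packets()):
        print(f"{kind}: {addr}")
```

The legitimate client's SYN is removed from the half-open table by its own ACK, while the spoofed SYNs never are; that asymmetry is what the attack exploits and what the detector counts.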

15
Q

Router Attacks: TCP Reset Attack

A

Also known as "forged TCP resets" or "spoofed TCP reset packets": a way to tamper with and terminate an Internet connection by sending a forged TCP reset packet. The technique can be used by a firewall in good faith, or abused by an attacker to interrupt connections.
The Great Firewall of China is known to use TCP reset attacks to interfere with and block connections, as a major method of carrying out Internet censorship.
Every packet of a TCP connection carries a TCP header, and each header contains a bit known as the reset (RST) flag. In most packets this bit is 0 and has no effect; if it is set to 1, it tells the receiving computer to stop using the TCP connection immediately: it should send no more packets on that connection and discard any further packets whose headers indicate they belong to it. A TCP reset kills a TCP connection instantly.
In the normal case the reset is sent by one of the connection's endpoints. It is also possible for a third computer to monitor the packets of a connection and send a forged packet containing a TCP reset to one or both endpoints. The headers in the forged packet must claim, falsely, that it came from an endpoint, not the forger: the endpoint IP addresses, the port numbers, and a sequence number the receiver will accept. An RFC 5961 receiver tears the connection down only when the RST's sequence number exactly matches the next expected one and answers other in-window resets with a challenge ACK, so a blind, off-path forger has to guess the sequence number as well as the addresses and ports. Properly formatted forged resets remain a very effective way to disrupt any TCP connection the forger can monitor.
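As an added example (not taken from the original flashcards), the Python below encodes the receiver's decision rule for an incoming RST, both the classic RFC 793 rule and the RFC 5961 rule, and simulates a blind off-path forger to show how much the stricter rule costs the attacker. Window sizes, sequence numbers and the attacker's stepping strategy are constructed assumptions.

```python
"""Which forged TCP resets a receiver actually honours.

A reset must match the connection's addresses and ports AND carry an
acceptable sequence number. Pre-RFC 5961 stacks (RFC 793 rules) accept any
in-window sequence number; RFC 5961 stacks only reset on an exact match and
answer other in-window resets with a challenge ACK.
"""
MOD = 1 << 32   # TCP sequence numbers wrap at 2^32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), honouring wrap-around."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify_rst_legacy(seq, rcv_nxt, rcv_wnd):
    """RFC 793 behaviour: any in-window RST tears the connection down."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2 behaviour."""
    if seq == rcv_nxt:
        return "reset"          # exactly the next expected byte: tear down
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"  # in window but not exact: send ACK, stay open
    return "drop"               # outside the window: silently discarded


def forged_rsts_until_reset(true_rcv_nxt, rcv_wnd, classify, step):
    """Simulate a blind off-path attacker who knows the 4-tuple but not the
    sequence number, sending RSTs with seq = 0, step, 2*step, ... until the
    receiver's policy returns "reset". Returns how many it had to send."""
    seq, sent = 0, 0
    while True:
        sent += 1
        if classify(seq, true_rcv_nxt, rcv_wnd) == "reset":
            return sent
        seq = (seq + step) % MOD


def guesses_to_cover_space(rcv_wnd, strict):
    """Worst-case forged RSTs to guarantee a hit: one per window for RFC 793
    receivers, one per sequence number for RFC 5961 receivers."""
    return MOD if strict else -(-MOD // rcv_wnd)


if __name__ == "__main__":
    wnd = 65536
    print("RFC 793 receiver, stepping by the window:",
          forged_rsts_until_reset(5_000_000, wnd, classify_rst_legacy, wnd), "packets")
    print("worst case RFC 793:", guesses_to_cover_space(wnd, False),
          " RFC 5961:", guesses_to_cover_space(wnd, True))
```

Against a legacy receiver the forger only needs one packet per window (about 65 thousand guesses for a 64 KB window); against an RFC 5961 receiver, stepping by the window size never produces a reset, and the exact-match requirement pushes the worst case to the full 2^32 space. An on-path attacker who can read the sequence numbers, as in the card above, is unaffected by either rule.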

16
Q

Router Attacks: Routing table poisoning

A

Modification of routing tables. An attacker can do this by maliciously altering the routing-update packets that routers exchange. This is a challenging and important problem, since the routing table is the basis of forwarding on the Internet: any false entry can lead to congestion, an overwhelmed host, routing loops, illegal access to data, or network partition.

Two types of routing table poisoning attack are the link attack and the router attack. A link attack occurs when an attacker gains access to a link and thereby intercepts, interrupts or modifies the routing messages carried on it. Link attacks act similarly on link-state and distance-vector protocols. If an attacker succeeds in mounting one against a link-state protocol, a router may send incorrect updates about its neighbours or remain silent even when a neighbour's link state has changed. The attack can be severe enough that the attacker can cause a router to drop packets from a victim or redirect packets to a victim, lowering the throughput of the network. Sometimes a router can stop a packet from being forwarded further; however, since more than one path to a destination usually exists, the packet ultimately reaches it.

Router attacks may affect the link-state protocol or the distance-vector protocol. If link-state routers are compromised they become malicious: they may add a non-existent link to the routing table, delete an existing link, or change the cost of a link. Such an attack may cause a router to simply ignore the updates sent by its neighbours, with serious impact on the flow of network traffic.

Mitigations: authenticate routing-protocol neighbours (OSPF, EIGRP and BGP all support keyed message authentication), mark interfaces facing end hosts as passive so they never exchange routing updates, and filter the prefixes accepted from each neighbour.

17
Q

Switch Attacks: CDP Manipulation

A

CDP manipulation attacks are very common yet easily avoidable, and are possible solely because of the switch's configuration. On Cisco switches the Cisco Discovery Protocol (CDP) is enabled by default, and everything it transmits is sent in clear text and unauthenticated.

Captured with a protocol analyzer such as Wireshark, a single CDP frame reveals the device's hostname, platform, IOS version, management IP address, port identifier and native VLAN. That information lets an attacker map the network topology and pick targets for larger-scale attacks that could bring down the whole network. Mitigation: disable CDP globally (no cdp run), or at least on ports facing untrusted hosts (no cdp enable), and treat LLDP the same way.

18
Q

Switch Attacks: MAC Flooding

A

The attacker feeds the switch many Ethernet frames, each with a different source MAC address, with the intention of consuming the limited memory set aside in the switch for the MAC address table.
The effect varies across implementations, but the effect the attacker wants is to force legitimate MAC addresses out of the table, so that significant quantities of incoming frames are flooded out on all ports. It is from this flooding behaviour that the MAC flooding attack gets its name.
After a successful MAC flooding attack, the attacker can use a packet analyzer to capture sensitive data transmitted between other computers, which would not be visible while the switch was operating normally. The attacker may follow up with an ARP spoofing attack to retain access to that traffic after the switch recovers from the initial flood.
MAC flooding can also be used as a rudimentary VLAN hopping attack. Port security (a maximum number of source MAC addresses per port, with the port shut down on violation) is the standard mitigation.
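As an added example, not part of the original flashcards, the Python below models a learning switch with a bounded MAC table and runs a macof-style flood against it, first without and then with a port-security limit. Hosts, port names, table size and the evict-the-oldest behaviour when the table is full are constructed simplifications (real switches differ in what they do when the table is exhausted, as the card notes).

```python
"""A learning switch with a bounded MAC (CAM) table. Shows why filling the
table with bogus source MACs turns unicast traffic into floods, and how a
per-port address limit (port security) stops it. Hosts, ports and frames are
constructed; the eviction-on-full behaviour is a simplification, since real
switches differ in what they do when the table is exhausted.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_size, port_security_max=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = OrderedDict()                 # mac -> port, oldest first
        self.max_per_port = port_security_max    # None: port security off
        self.seen_on_port = {p: set() for p in ports}
        self.err_disabled = set()

    def forward(self, in_port, src, dst):
        """Switch one frame; return the set of egress ports."""
        if in_port in self.err_disabled:
            return set()
        if self.max_per_port is not None and src not in self.seen_on_port[in_port]:
            if len(self.seen_on_port[in_port]) >= self.max_per_port:
                self.err_disabled.add(in_port)   # port-security violation: shut the port
                return set()
            self.seen_on_port[in_port].add(src)
        if src not in self.cam and len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)         # table full: oldest entry is lost
        self.cam[src] = in_port
        self.cam.move_to_end(src)
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            return set(self.ports) - {in_port}   # broadcast / unknown unicast: flood
        return set() if out == in_port else {out}


HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"


def run(port_security_max=None, attack_frames=1000):
    """Two legitimate hosts on Gi1/Gi2 and an attacker on Gi3 sending frames
    with fresh source MACs (what macof does). Returns where a unicast A->B
    frame goes before and after the attack, and whether Gi3 was shut down."""
    sw = Switch(["Gi1", "Gi2", "Gi3"], cam_size=64, port_security_max=port_security_max)
    sw.forward("Gi1", HOST_A, BROADCAST)       # switch learns A on Gi1
    sw.forward("Gi2", HOST_B, HOST_A)          # and B on Gi2
    before = sw.forward("Gi1", HOST_A, HOST_B)
    for i in range(attack_frames):
        sw.forward("Gi3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST)
    after = sw.forward("Gi1", HOST_A, HOST_B)
    return before, after, "Gi3" in sw.err_disabled


if __name__ == "__main__":
    print("no port security:", run())
    print("port security max 2:", run(port_security_max=2))
```

Before the flood the A-to-B frame leaves only on Gi2; after it, B's entry is gone and the frame is flooded to Gi2 and Gi3, where the attacker's sniffer sees it. With a two-address limit the third bogus source err-disables Gi3 and the table stays intact.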

19
Q

Switch Attacks: DHCP Spoofing

A

DHCP Spoofing Attack
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and hands false IP configuration parameters to legitimate clients. A rogue server can supply a variety of misleading information:
Wrong default gateway – the attacker supplies the address of its own host as the gateway, creating a man-in-the-middle position; this may go entirely undetected as the intruder relays the intercepted traffic.
Wrong DNS server – the attacker supplies a DNS server it controls, pointing users to malicious sites.
Wrong IP address – the attacker supplies an invalid or conflicting IP address, creating a DoS against the DHCP client.
Clients accept the first offer they receive, so the attacker often first exhausts the legitimate server's address pool (DHCP starvation). Mitigation: DHCP snooping, which drops DHCP server messages (OFFER, ACK, NAK) arriving on untrusted ports.

20
Q

Switch Attacks: STP Manipulation

A

An attacker connects to a switch port and, either directly or through a rogue switch, manipulates Spanning Tree Protocol (STP) parameters to become the root bridge. Because the root bridge is responsible for calculating the spanning tree from the topology changes advertised by non-root bridges, the attacker then sees a variety of frames they would normally not see.

To perform this attack the attacker only needs to inject BPDUs with a Bridge ID (BID) lower than the current root's. Recall that the BID is a 16-bit bridge priority followed by the 48-bit MAC address, and the lowest BID wins. If the attacker selects a priority (range 0–65535; on switches using the extended system ID it must be a multiple of 4096) lower than the existing root's, they become root. The default priority on a Cisco Catalyst switch is 32768. The attacker could simply guess this, or learn the current root's priority with a protocol analyzer on a switch port, since BPDUs are multicast and flooded by the switch. Mitigations: BPDU Guard on access (PortFast) ports, which err-disables any port that receives a BPDU, and Root Guard on ports that should never lead toward the root.
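As an added example (not from the original flashcards), the Python below computes the root election from a set of received BPDUs, shows a priority-0 rogue winning it, and shows BPDU Guard discarding the rogue's BPDU before the election. Port names, priorities and MAC addresses are constructed.

```python
"""Root-bridge election from BPDUs, showing how a rogue BPDU with priority 0
wins the election, and BPDU Guard dropping it before it is considered.
Ports, priorities and MACs are constructed.
"""


def bridge_id(priority, mac):
    """64-bit Bridge ID: 16-bit priority followed by the 48-bit bridge MAC.
    The numerically lowest BID becomes root, so a priority tie is broken
    by the lowest MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def elect_root(bpdus):
    """bpdus: list of (in_port, priority, mac) as received. Returns the winner."""
    return min(bpdus, key=lambda b: bridge_id(b[1], b[2]))


def apply_bpdu_guard(bpdus, portfast_ports):
    """BPDU Guard: a BPDU arriving on a PortFast (end-host) port err-disables
    that port and is discarded. Returns (bpdus_kept, ports_err_disabled)."""
    kept, disabled = [], set()
    for b in bpdus:
        if b[0] in portfast_ports:
            disabled.add(b[0])
        else:
            kept.append(b)
    return kept, disabled


LEGIT = [("Gi0/1", 32768, "00:1a:2b:3c:4d:01"),   # real root: default priority, lowest MAC
         ("Gi0/2", 32768, "00:1a:2b:3c:4d:02")]
ROGUE = ("Gi0/24", 0, "de:ad:be:ef:00:01")        # attacker on an access port


def demo():
    """Returns (root port without guard, root port with guard, err-disabled ports)."""
    no_guard = elect_root(LEGIT + [ROGUE])
    kept, disabled = apply_bpdu_guard(LEGIT + [ROGUE], portfast_ports={"Gi0/24"})
    with_guard = elect_root(kept)
    return no_guard[0], with_guard[0], disabled


if __name__ == "__main__":
    print(demo())
```

The rogue wins regardless of its MAC address because priority occupies the high-order bits of the BID; the comparison in bridge_id is exactly why guessing a priority below the current root's is enough.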

21
Q

Switch Attacks: VLAN Hopping

A

A method of attacking networked resources on a virtual LAN (VLAN). The basic idea behind all VLAN hopping attacks is for a host on one VLAN to gain access to traffic on other VLANs that would normally not be reachable. There are two primary methods: switch spoofing and double tagging. Both can be mitigated with proper switch port configuration.
In a switch spoofing attack, the attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. IEEE 802.1Q, Dynamic Trunking Protocol, Multiple VLAN Registration Protocol) used to maintain VLANs; if the port negotiates a trunk, traffic for multiple VLANs becomes accessible to the attacker.
In a double tagging attack, an attacker connected to an 802.1Q-enabled port prepends two VLAN tags to a frame. The outer tag carries the VLAN the attacker's port actually belongs to; because that is the native VLAN of the trunk, the first switch strips it before forwarding. The second tag is then visible to the next switch, which treats the frame as belonging to the target VLAN and delivers it to the target host as if it had originated there, bypassing the isolation between VLANs. Replies are not forwarded back to the attacker (the flow is unidirectional), which still suffices for one-way payloads such as DoS traffic. Mitigations: put unused ports in an unused VLAN and shut them down, set access ports to nonegotiate so DTP cannot form a trunk, set the trunk's native VLAN to an unused VLAN ID, and tag native-VLAN traffic on trunks.
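As an added example (not part of the original flashcards), the Python below builds a frame with two 802.1Q tags byte for byte and runs it through a model of the trunk for three configurations: native VLAN equal to the attacker's VLAN, native VLAN moved to an unused ID, and native VLAN tagged. MAC addresses, VLAN IDs and the payload are constructed.

```python
"""Double tagging on the wire: a frame carrying two 802.1Q tags, and a model
of what a trunk does with it depending on its native-VLAN configuration.
MAC addresses, VLAN IDs and the payload are constructed.
"""
import struct

TPID_8021Q = 0x8100


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b"hello"):
    """Ethernet frame with one 802.1Q tag per VLAN ID in `vlans`, outer first.
    Each tag is TPID 0x8100 followed by PCP/DEI/VID; PCP and DEI are 0 here."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlans)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """VLAN IDs tagged on the frame, outer first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def trunk_egress(frame, native_vlan, tag_native=False):
    """The first switch puts the frame on the trunk. A frame whose VLAN is the
    trunk's native VLAN goes out untagged (the outer tag is removed) unless
    the trunk is configured to tag native-VLAN traffic."""
    vids = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]   # strip the outer 4-byte tag
    return frame


def ingress_vlan(frame, native_vlan):
    """VLAN the second switch assigns to a frame arriving on its trunk:
    the outer tag if present, otherwise the native VLAN."""
    vids = parse_tags(frame)
    return vids[0] if vids else native_vlan


def demo():
    """Attacker on VLAN 1 (the trunk's native VLAN) sends a frame tagged
    [1, 20] hoping to land in VLAN 20. Returns the VLAN the second switch
    places it in for three trunk configurations."""
    attack = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", [1, 20])
    hopped = ingress_vlan(trunk_egress(attack, native_vlan=1), native_vlan=1)
    unused_native = ingress_vlan(trunk_egress(attack, native_vlan=999), native_vlan=999)
    tagged_native = ingress_vlan(trunk_egress(attack, native_vlan=1, tag_native=True), native_vlan=1)
    return hopped, unused_native, tagged_native


if __name__ == "__main__":
    print(demo())
```

With the native VLAN left at 1 the frame lands in VLAN 20; once the native VLAN is an unused ID, or native traffic is tagged, the outer tag survives and the second switch keeps the frame in VLAN 1 where it started.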

22
Q

Switch Attacks: Telnet Attack

A

A SYN flood aimed at the switch's Telnet service (TCP port 23) exhausts the device's connection resources and creates a DoS, denying legitimate management access. Telnet is also unencrypted, so management traffic that does get through can be sniffed; use SSH and restrict management access to trusted addresses.

23
Q

Network Design: Segmentation

A

Splitting up collision and broadcast domains: switches separate collision domains, while routers and VLANs separate broadcast domains.

24
Q

Network Design: Segmentation, Control at multiple layers

A

VLANs, subnets, firewalls and so on are used to segment further at multiple layers, but the result must remain manageable.

25
Q

Network Design: Segmentation, Least Privilege Rule

A

Access based on need to know: a host or segment receives only the network access it needs to do its job.

26
Q

Network Design: Segmentation, Based on Security requirements

A

Zoning based on security: define zones according to where sensitive information resides.

27
Q

Network Design: Segmentation, Whitelisting

A

Instead of trying to block all known bad traffic, only allow what is needed (default deny).

28
Q

Network Design: Protected Enclave

A

Examples: SIPRNet, NIPRNet and JWICS, separately classified networks kept physically and logically isolated from one another.

29
Q

Network Design: Software Defined Networking SDN Micro-Segmentation

A

Traffic between any two endpoints, even on the same segment, can be analysed and filtered according to a set policy.

30
Q

Network Design: Network Architectural Design:

Prioritized Protection of Key Resources

A

To avoid being overwhelmed by security vulnerabilities:
Create a separation between desktops and the critical data on servers;
Create separation between desktops, to prevent reconnaissance and worm-type propagation between them;
The LAN holding the desktops should be considered hostile and allowed only the minimum data needed to operate;
Servers should be separated by firewalls from each other and from the desktops.

31
Q

Network Design: Network Architectural Design:
Data Flow Analysis:
Aids with Incident Response

A

NetFlow was developed to provide monitoring and troubleshooting capability within the network. It is a network protocol developed by Cisco for collecting and monitoring traffic-flow data generated by NetFlow-enabled routers and switches.
Because the flow records (who talked to whom, when, on which ports and how much) are retained, they let you reconstruct an incident's timeline and expedite response and handling.

32
Q

Network Design: Network Architectural Design:
Data Flow Analysis:
Provides Situational Awareness

A

Gives visibility beyond what the perimeter devices see: smartphones, VoIP, laptops, servers and virtualized infrastructure inside the network.

33
Q

Network Design: Network Architectural Design:
Data Flow Analysis:
Reduces Cost of Network Monitoring

A

The more distributed your network, the greater the value NetFlow provides. A few commands entered on a router give network visibility at that specific location without deploying a dedicated probe there.

34
Q

Network Design: Network Architectural Design:
Data Flow Analysis:
Enables Attack Detection

A

Relies on algorithms and behaviour rather than signature matching. This allows detection of attacks that do not yet have a signature, sometimes referred to as zero-day attacks.
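As an added example that is not part of the original flashcards, the Python below applies the three Data Flow Analysis cards above to NetFlow-style records: two behavioural detectors that need no signature (a port scan and an outbound-volume outlier) and the pivot a responder runs to rebuild a suspect host's timeline. The Flow fields follow the usual NetFlow v5 export fields; the records, the internal prefix and the thresholds are constructed assumptions.

```python
"""Behaviour-based detection over NetFlow-style records (no signatures), plus
the pivot an incident responder runs once a host is suspect. The flow records
are constructed; field names follow the usual NetFlow v5 export fields.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range


@dataclass(frozen=True)
class Flow:
    start: int      # flow start, epoch seconds
    src: str
    dst: str
    proto: int      # 6 = TCP
    sport: int
    dport: int
    packets: int
    bytes: int


def detect_port_scans(flows, min_ports=20):
    """A source that opens tiny flows to many distinct ports on one
    destination. Returns sorted (src, dst) pairs."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= 2:
            ports[(f.src, f.dst)].add(f.dport)
    return sorted(pair for pair, ps in ports.items() if len(ps) >= min_ports)


def detect_exfil(flows, ratio=10.0):
    """Internal hosts whose outbound volume is more than `ratio` times the
    median of their peers: a behavioural outlier, not a signature match."""
    out = defaultdict(int)
    for f in flows:
        if f.src.startswith(INTERNAL_PREFIX) and not f.dst.startswith(INTERNAL_PREFIX):
            out[f.src] += f.bytes
    if len(out) < 3:
        return []            # too few peers for a meaningful baseline
    median = sorted(out.values())[len(out) // 2]
    return sorted(h for h, b in out.items() if b > ratio * median)


def pivot(flows, host, t0, t1):
    """Incident-response pivot: every flow touching `host` between t0 and t1,
    the timeline a responder builds from retained flow data."""
    return sorted((f for f in flows if host in (f.src, f.dst) and t0 <= f.start <= t1),
                  key=lambda f: f.start)


T0 = 1_700_000_000   # constructed start of the capture window


def sample_flows():
    flows = []
    for host in ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"]:
        for j in range(3):   # ordinary browsing: three ~50 KB HTTPS sessions each
            flows.append(Flow(T0 + j * 60, host, "198.51.100.80", 6, 50000 + j, 443, 40, 50_000))
    # 10.0.0.7 pushes 50 MB to an unfamiliar external host over HTTPS
    flows.append(Flow(T0 + 500, "10.0.0.7", "203.0.113.9", 6, 51000, 443, 36_000, 50_000_000))
    # an external scanner probes 30 ports on 10.0.0.20, one SYN per flow
    for port in range(1, 31):
        flows.append(Flow(T0 + 900 + port, "198.51.100.5", "10.0.0.20", 6, 40000 + port, port, 1, 60))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print("scans:", detect_port_scans(fl))
    print("exfil:", detect_exfil(fl))
    print("flows involving 10.0.0.7:", len(pivot(fl, "10.0.0.7", T0, T0 + 3600)))
```

Neither detector knows anything about the tools involved: the scan is recognised from the shape of the flows (many ports, one or two packets each) and the exfiltration from the host's volume relative to its peers, which is what lets flow analysis catch activity that has no signature yet.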

35
Q

Network Design: Objective 1of4:

Provide Appropriate access from the internal network to the internet

A

The web server that presents company information, the mail server, and the DNS servers hosting the company domain's records must be reachable from the Internet, while the Internet's access into our network is kept to the minimum that makes this possible.

36
Q

Network Design: Objective 2of4:

Protect the internal network from external attack

A

Only those servers need to be reachable by the public; the defences must be designed to protect the rest of the local network from attack.

37
Q

Network Design: Objective 3of4:

Defence-in-Depth

A

Defense-in-Depth: multiple layers of protection, so that the failure or bypass of a single security component does not expose the network.

38
Q

Network Design: Objective 4of4:

Control the flow of information between systems

A

The principle of resource separation applied on the internal network.

39
Q

Network Design: Network Sections 1of4:

Public

A

Segmentation: least access while remaining functional.

These resources reside on the Internet; from the internal network's point of view they cannot be trusted.

40
Q

Network Design: Network Sections 2of4:

Semi-Public (DMZ):

A

Segmentation: least access while remaining functional.
These resources are what we publish to the outside: web content, email messages, DNS records. Semi-public servers must be reachable from the LAN and may also be reachable from the Internet.

41
Q

Network Design: Network Sections 3of4:

Middleware

A

Segmentation: least access while remaining functional. Separates the DMZ from the LAN; proxy servers block unauthorised access and provide an extra line of defence, because connections between the DMZ and the LAN are HIGH RISK.

42
Q

Network Design: Network Sections 4of4:

Private

A

Segmentation: least access while remaining functional.

Internal systems to which we have no desire to allow public access.

43
Q

Network Design: Network Sections: Goals of Network Design 1of3:
Internet visibility

A

Any system with Internet visibility must reside in the DMZ and must not contain sensitive information.

44
Q

Network Design: Network Sections: Goals of Network Design 2of3:
Not visible to the Internet

A

Any system holding sensitive data must reside on the private LAN and must not be visible to the Internet.

45
Q

Network Design: Network Sections: Goals of Network Design 3of3:
Access through a proxy on the middleware tier

A

The only way a DMZ system can communicate with the private LAN is through a proxy on the middleware tier.

46
Q

Network Design: Network Sections: Goals of Network Design: optimal places for a firewall:

A
  1. between private systems and the Internet
  2. between private systems and the semi-public servers
  3. between the semi-public servers and the Internet (outbound)
  4. between the Internet and the semi-public servers (inbound)