Section 11 - Network Security Flashcards

1
Q

What does “OSI” stand for?

A

Open Systems Interconnection

2
Q

This is used to explain how network communications occur between a host and a remote device over a local area network or a LAN.

A

OSI Model

*** This is very useful to help us categorize different communication protocols that are used in networks, and gives us a common lexicon that we can use to describe the function of different devices.

3
Q

What is a helpful mnemonic that can be used to represent the seven layers of the OSI model?

A

Please - Physical
Do - Data Link
Not - Network
Throw - Transport
Sausage - Session
Pizza - Presentation
Away - Application

*** going from bottom to the top.

4
Q

What is the first layer of the OSI model?

A

Physical Layer

This is the layer that represents the actual network cables and radio waves that are used to carry data over a network. Data carried over the network at the physical layer is known as bits.

Ex - fiber optic, copper, or coaxial cable, Wi-Fi, Bluetooth, hubs, repeaters, etc.

5
Q

What is the second layer of the OSI model?

A

Data Link Layer

This layer describes how a connection is established, maintained, and transferred over that physical layer. Addressing here is done using physical addresses, like the MAC address. Bits are grouped into frames and then sent over the network.

Ex - MAC addresses, switches, bridges.

6
Q

How is a switch different than a hub?

A

Switches use MAC addresses as their form of physical addressing. This allows a switch to decide where to send that frame of information based on the MAC address it’s designed to go to. And so, it’s smarter than a hub because it will decide where that particular frame goes as opposed to just repeating it out every single port that it has.

7
Q

What is the third layer of the OSI model?

A

Network Layer

This is where logical addressing is actually performed: routing and switching information between hosts, the network and the internetworks. This is the layer where the frames are taken and grouped into packets.

Ex - IP addresses and routers (as these are used to connect all of our networks together)

8
Q

What is the fourth layer of the OSI model?

A

Transport Layer

Manages and ensures that transmission of the packets occurs from the host to the destination it wants. This uses either TCP or UDP. At this point, our packets are now grouped into segments (TCP) or datagrams (UDP).

9
Q

What is the difference between TCP and UDP?

A

TCP has that three-way handshake, and it says, hey I’m ready to send you something, okay I’m ready to be sent something. All right, let’s start sending it. And then they send the information. With UDP, on the other hand, it’s just fire and forget, we send a bunch of information and we just hope it gets there.

10
Q

What is the fifth layer of the OSI model?

A

Session Layer

This layer manages the establishment, termination, and synchronization of a session over the network.

11
Q

What is the sixth layer of the OSI model?

A

Presentation Layer

This layer is focused on translating the information into a format that both the sender and the receiver are going to understand.

*** After all, data is nothing but ones and zeroes, which is not a language that most people can decipher. The presentation layer helps translate that information into a format that can be understood.

Ex - JPGs, PNG files, encryption.

12
Q

What is the seventh layer of the OSI model?

A

Application Layer

This is the layer where the message is originally created and sent from. This is where the user is really starting to interact with the network by using the OSI model.

Ex - HTTP for web pages, SMTP for emails, and FTP for file transfer.

13
Q

This was used to separate physical LANs or WANs into two logical networks, or connect two logical networks together.

A

Bridge

*** These came after hubs because hubs were dumb, caused a lot of collisions and slowed down the network.

14
Q

Essentially, every single port on a ___ acts as if it was a bridged hub on each one.

A

switch

*** This means that it improves the data transfer and security through the intelligent use of MAC addresses, being able to figure out where a device is and only sending information out that particular port of the switch and ignoring the rest.

15
Q

Switches are subject to three main types of attack. What are they?

A

MAC Flooding
MAC spoofing
Physical Tampering

16
Q

This is an attempt to overwhelm the limited switch memory that’s set aside to store the MAC addresses for each port, and this is known as the content addressable memory (CAM).

A

MAC Flooding

*** If a switch is flooded, it can fail-open and begin to start acting like a hub and broadcasting data out every single port.

17
Q

This occurs when an attacker masks their own MAC address to pretend to have the MAC address of some other machine on the network.

A

MAC spoofing

*** By switching your MAC address to a known or allowed device, you can gain access to a network bypassing the access control list (ACL).

18
Q

This occurs when an attacker attempts to gain physical access to the switch.

A

Physical Tampering

19
Q

Switches operate at layer two of the OSI model by making their decisions based on MAC addresses, ___ operate at layer three, making their decisions based on IP addresses.

A

routers

20
Q

Routers are used to connect…?

A

two or more networks to form an internetwork

21
Q

___ ___ ___ can be configured on the router’s interface to control the flow of traffic into or out of a certain part of the network.

A

Access Control List (ACL)

22
Q

These are a set of rules that will either permit or deny traffic based upon certain characteristics, like its source or destination IP address, the source or destination port number associated with it and the application or service being run.

A

ACLs

23
Q

Most networks are segmented into at least three different zones:

A

LAN
WAN
DMZ

24
Q

This segment can be secured using private IPs, using anti-malware programs, and by placing your clients behind a router and its associated ACLs.

A

LANs

25
Q

This segment should be monitored and firewalled to secure your networks against the threats that those contain. The internet is the world’s largest version of this.

A

WAN

26
Q

The TLS tunnels that are used in HTTPS connections are a type of ___.

A

VPN

*** So anytime you go to a website and you see that secure lock, there’s actually a VPN being used between your web browser and the web server you’re visiting.

27
Q

The most common security zone that is used is what is known as…?

A

DMZ

De-Militarized Zone

28
Q

This zone is focused on providing controlled access to publicly available servers that are hosted within your organizational network.

A

DMZ

*** For example, if you’re self hosting your web server and email servers inside your organization, it’s a best practice to place them within your DMZ because it is a tightly controlled zone with proper access control rules which allows you to maintain precise control of the traffic that’s going to be allowed between the inside, your LAN, the outside, the WAN, and the DMZ portions of the network.

29
Q

What is the purpose of a security zone?

A

Like a DMZ, this creates a separation of critical assets. Not all devices in your network require the same level of protection.

30
Q

This is a specialized type of DMZ that’s created for your partner organizations to access over a wide area network.

A

Extranet

*** This acts much like a DMZ, but it’s not publicly accessible.

31
Q

This is something that allows you to expand your internal network within your organization across multiple areas.

A

Intranet

32
Q

What does it mean to be “internet-facing”?

A

Like an internet-facing host or server, this means that it accepts inbound connections from the internet.

*** For example, if you have a web server in your DMZ, that is an internet-facing host.

33
Q

What is a DMZ?

A

Demilitarized Zone

A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the internet over designated ports.

*** Anything behind the DMZ is invisible to the outside network. So if you did a scan of the network from the outside you would not see all of the PC’s inside of the inside zone.

34
Q

What should you put in your DMZ?

A

Anything that somebody from the internet needs access to should be placed in your DMZ.

This includes email, web server, communication servers, proxy servers or remote access servers. Anything that provides public services or even extranet capabilities.

35
Q

Any kind of host that you put in the DMZ should be what we consider a ___ ___. This is a host or server that is not configured with any services that run on the local network.

A

bastion host

36
Q

How do you configure your devices once in the DMZ?

A

A jumpbox

This is a hardened server that provides access to other hosts within the DMZ.

37
Q

A lot of people use ___ ___ as a jumpbox because you can have it hardened and secured, you can use it for the time you need, and then destroy it and rebuild a new one.

A

virtual machine

38
Q

What is “NAC”?

A

Network Access Control

A device is scanned to determine its current state of security prior to it being allowed access to your network.

39
Q

NACs can be used on computers within your internal network physically located in your building, or they can be connected to devices ____ through a ___.

A

remotely
VPN

40
Q

NACs can be run either using ___ or ___ Agents.

A

Persistent
Non-Persistent

41
Q

This is a piece of software that’s installed on a device that’s requesting access to the network.

A

Persistent Agents

42
Q

This uses a piece of software that scans the device remotely or is installed and subsequently removed after the scan.

A

Non-Persistent Agents

43
Q

NACs can be offered as a ____ or a ___ solution.

A

hardware
software

44
Q

One of the most commonly used NAC mechanisms is called the…?

A

IEEE Standard 802.1x

*** This is a port-based NAC

45
Q

This adds a layer of separation to our networks without requiring us to buy additional switches that have to be configured and installed on the network.

A

VLAN

Virtual Local Area Networks

These are implemented to segment our network, reduce collision, organize our networks, boost performance and increase security.

*** Switches can provide the ability to create these

46
Q

What have attackers created in regards to VLAN?

A

VLAN Hopping

This allows them to break out of our VLANs and access other VLAN data

47
Q

There are a couple of methods to allow attackers to VLAN hop. What are they?

A

Switch Spoofing
Double Tagging

48
Q

In this attack, an attacker essentially configures their device to pretend that it’s a switch and they connect to a switch port to negotiate a trunk link and break out of the VLAN.

A

Switch Spoofing

49
Q

As traffic goes across a switch, it reads the outermost VLAN tag first, strips it off, and then routes the traffic to the proper VLAN. In this attack, though, an attacker actually adds two VLAN tags, an outer tag and an inner tag, so as traffic goes through the first switch, it removes the outer tag and is then forwarded to the destination of the inner tag.

A

Double Tagging

50
Q

This is the act of creating subnetworks logically through the manipulation of IP addresses.

A

Subnetting

** So, if I take a large chunk of IPs, like a 256 block, I can break it down into four blocks of 64 IPs, or eight blocks of 32 IPs, however you want to break it down in your subnetting.

51
Q

What are the benefits of subnetting?

A

  1. It allows us to more efficiently use the IP address space that we’ve been given.
  2. It’s going to reduce the broadcast traffic and the number of collisions, because there are fewer hosts on a given network.
  3. It can increase security by making our networks more compartmentalized and allows them to be in smaller sections.

52
Q

This is the process of changing an IP address while it transits across a router.

A

NAT

Network Address Translation

** This was used because we want to conserve public IP addresses because they were limited in IPv4. From a security point of view, we can also hide our internal networks from attackers.

53
Q

The most commonly used type of NAT is what we call…?

A

PAT

Port Address Translation

54
Q

This is where we have a single public IP address assigned to a router and all of the private IP addresses that are assigned inside to our host.

A

PAT

*** This is most likely what you are using inside your small office or home office network.

55
Q

How do NATs assist in hiding your internal network from attackers?

A

When a host wants to communicate out over the WAN, it’s going to send the request to the router, and the router is then going to forward the request out to the Internet, to the server that it’s trying to get to, on behalf of the host. When it does this, it keeps track of the translation it does by using a unique random high port number for each request. This means if the attacker is looking at your network from the outside, they are only going to see that single public IP address of the router. They are not going to see the fact that you have one, five, ten, or 100 hosts inside of your network, and they are not going to be able to know exactly how many devices there are or what kind they are.

56
Q

What are private IP ranges?

A

Class A - anything that starts with 10. (10.0.0.0-10.255.255.255)

Class B - Addresses that start with 172.16.0.0-172.31.0.0

Class C - 192.168.0.0-192.168.255.255 (this is most likely what you’ll use at home)

57
Q

If it starts with a 192.168. then it is a…?

A

Private IP address

** These cannot be transmitted over the internet. Instead, once it hits your external router, it’s going to use either a PAT or NAT to give it a public IP address and a port number to send the information out to the internet and then receive it back.

58
Q

This is a term used for a device that provides voice communication to your end users.

A

Telephony devices

*** This was used in networks to make connections with the outside world such as through your modem. A modem was an old device that we used to use to allow us to modulate and demodulate digital information into an analog signal, like AOL (dial up).

59
Q

This is when an attacker starts dialing random phone numbers to see if any modems would answer on the other side.

A

War Dialing

*** The best way to prevent this is by using a callback feature.

60
Q

What does the “callback feature” do?

A

Your modem would be set so that when somebody calls in, they would then hang up, and the modem, if it recognizes that phone number based on caller ID, will then call them back and initiate the connection.

61
Q

This is the telephone system that runs all of the internal phone lines for your company.

A

PBX System

Public Branch Exchange

** If you’re sitting in your office and you want to call your accountant inside the office and you dial the last four digits of his phone number only to get him, that internal call is being routed through your PBX system.

You’re going to find this much more often in your networks than you are going to find modems. However, they are commonly being replaced with VoIP.

62
Q

This works by relying on IP phones, software and __ gateways.

A

VoIP

Voice Over Internet Protocol

63
Q

This is simply a device that looks like a regular telephone but takes a network cable into it as opposed to a phone cable.

A

IP phone

*** This will connect back to the VoIP gateway, which will make the conversation happen between your phone and the remote destination that you’re trying to call.