Securing Your Network

Question 1

Difference between IDS and IPS

Answer 1

IDS - identify threats and provides alerts

IPS - Identify threats and reacts to threats

Question 2

Difference between HIDS and NIDS

Answer 2

HIDS - host based and traffics goes through a NIC

NIDS - Network based

Question 3

The two types of detection methods used in IDS

Answer 3

Signature-based aka definition

Heuristic / behavioral based aka anomaly

Question 4

The difference between SYN flood guard and flood guard on a switch

Answer 4

SYN Flood guard - Usually included in firewalls

Flood Guard on switch - Used to prevent MAC flood attacks.

Question 5

Difference between false positives and false negatives in regards to IDS

Answer 5

False Positive - An alarm or alert on an event that is non-threatening.

False Negative - When an attack is occurring but the IDS does not identify the threat.

Question 6

What is the threshold range of IDS. What is the result of the threshold being to low or to high

Answer 6

1 to 1000.
Too Low - IDS will raise too many alerts on events that are legitimate.
Too High - IDS will fail to identify threats

Question 7

Intrusion system that is in-line aka in-band

Answer 7

IPS

Question 8

Intrusion system that collects data passively or out-of-band

Answer 8

IDS

Question 9

Intrusion system that have protocol analyzer capabilities

Answer 9

Both IDS and IPS

Question 10

What is the disadvantage of an active NIDS

Answer 10

It blocks an attack only after the attack has started

Question 11

Hardware devices that focus on handling TLS traffic. Allows systems to off-load encryption workload to a separate hardware device to alleviate stress on computer resources.

Answer 11

SSL/TLS Accelerator

Question 12

Used in conjunction with NIPS to mitigate threats that use encryption technologies.

Answer 12

SSL Decryptors

Question 13

It uses virtualization technologies to separate data and control planes within a network. Commonly used with ABAC.

Answer 13

SDN - Software Defined Network

Question 14

A port based authentication protocol that authenticates prior to granting access to a network

Answer 14

IEEE 802.1x

Question 15

Methods used to authenticate VPN clients before they connect

Answer 15

Implement IEEE 802.1x as Remote Authentication Dial-In User Service (RADIUS) or Diameter Server

Question 16

The two distinctions of wireless AP

Answer 16

• All wireless routers are AP’s

- Not all AP’s are wireless routers

Question 17

A stand alone, intelligent, or autonomous AP, includes everything needed to connect wireless clients to a wireless network

Answer 17

Fat AP

Question 18

Is not a stand alone AP

Answer 18

Thin AP or controller-based AP

Question 19

This identified an AP or wireless network

Answer 19

SSID - Service Set Identifier

Question 20

Disabling SSID is a sure way to deny an attacker from finding a network. True or False

Answer 20

False. Makes it more difficult but an attacker can find it.

Question 21

How would an attacker over-ride MAC Filtering.

Answer 21

An attacker could sniff an allowed mac address and spoof the address.

Question 22

A strong security protocol for wireless networks

Answer 22

WPA2

Question 23

What is the replacement for WPA

Answer 23

WPA2 aka 802.11i

Question 24

What encryption method does WPA and WPA2 use

Answer 24

WPA - Temporal Key Integrity Protocol (TKIP)

WPA2 - Chaining Message Authentication Code Protocol (CCMP)

Question 25

Strong encryption based on Advanced Encryption Standard (AES)

Answer 25

CCMP - Chaining Message Authentication Code Protocol

Question 26

Description of PSK, Enterprise, and Open modes

Answer 26

WPA/WPA2 modes. PSK - Pre-shared Keys - uses a passphrase. Provides authorization without authentication. Enterprise - Uses 802.1x server and RADIUS to provide authorization with authentication. Open - Open access. No security is enabled for network access

Question 27

What is the RADIUS port

Answer 27

1812 but some use vendors use 1645

Question 28

What are the 6 Authentication Protocols

Answer 28

EAP - creates secure encryption key aka Pairwise Master Key EAP FAST - Cisco -supports certificates (optional) PEAP - Encrypts EAP with TLS. Requires certificate on Server EAP-TTLS - Extension of PEAP. Requires certificate on 802.1x server. EAP TLS - Most secure. Requires certificates on 802.1x server and each of the wireless clients RADIUS Federation -

Question 29

A technical solution that forces clients using web browsers to complete a specific process before it is allowed access to a network.

Answer 29

Captive Portal

Question 30

What two security protocols are considered the strongest for wireless networks.

Answer 30

WPA2 using CCMP

Question 31

A type of attack that removes a wireless client form a wireless network.

Answer 31

Disassociation Attack

Question 32

This allows users to configure wireless devices without typing in a passphrase. It is also susceptible to brute attacks and therefore should be disabled.

Answer 32

WPS - Wifi Protected Setup

Question 33

Difference between a Rogue AP and an Evil Twin

Answer 33

Rogue AP - Illegal Access Point | Evil Twin - Deliberately set up to look like a legitimate Access Point.

Question 34

A DOS attack that prevents users from connecting to a wireless network by transmitting noise or another radio frequency on the same frequency as the network.

Answer 34

Jamming Attack

Question 35

A type of attack that attempts to discover the pre-shared key from the IV. WEP is susceptible. The attack is successful when an encryption system reuses the IV.

Answer 35

Initiation Vector attack.

Question 36

A type of attack that eavesdrops communication between mobile devices

Answer 36

NFC Attack - Near Field Communication

Question 37

Define Bluejacking, Bluesnarfing, Bluebugging

Answer 37

Bluejacking - unauthorized messages are sent to devices. Harmless Bluesnarfing - attacker gains access to information on bluetooth device Bluebugging - attacker gains access and control of device.

Question 38

A type of attack that captures data between two entities and modifies to impersonate the data of one of the entitites

Answer 38

Replay Attack - WPA and TKIP is susceptible to this attack.

Question 39

RFID attacks include the following

Answer 39

Sniffing or eavesdropping Replay DoS

Question 40

A dedicated device use by large organization to provide VPN capabilities

Answer 40

VPN Concentrator - placed in the DMZ.

Question 41

A method of encrypting data in transit that support both transit and tunnel mode.

Answer 41

IPsec

Question 42

IPsec support two modes. Which is one is used in a VPN.

Answer 42

Transit and Tunnel. Tunnel mode is used for VPN's

Question 43

IPsec. Provides security in three ways. What are they.

Answer 43

AH - Authentication Header. Port id 51. Provides Authentication and Integrity. Encryption - Encapsulating Security Payload (ESP). Port ID 50. ESP provides Authentication, Integrity, and Confidentiality IKE - Internet Key Exchange - UDP port 500 to authenticate clients.

Question 44

What tunneling protocol uses TLS. What port?

Answer 44

Secure Socket Tunneling Protocol. TCP 443.

Question 45

Split Tunnel vs Full Tunnel

Answer 45

Split - IPsec configured to determine what traffic should be encrypted. Full - All traffic is encrypted.

Question 46

A VPN configuration model in which two networks separated geographically are connected by two VPN Servers

Answer 46

Site to Site VPN's

Question 47

VPN configuration that can be both site to site and remote access VPN

Answer 47

Always on VPN

Question 48

Provides a way to monitor and inspect computers to mitigate risks of remote access to a private network. Can inspect internal clients.

Answer 48

NAC - Network Access Control

Question 49

What happens when client doesn't meet health conditions set forth by a NAC.

Answer 49

Client goes to remediation network aka quarantine network

Question 50

A type of NAC agent that is installed on a client and stays on the client in order to streamline NAC from remote connections

Answer 50

Permanent Agent

Question 51

A type of NAC agent that is downloaded and run on the client when the client logs on remotely

Answer 51

Dissolvable Agent.

Question 52

What are the 7 remote access authentication mechanisms

Answer 52

PAP - Password Authentication Protocol CHAP - Challenge Handshake Authentication Protocol MSCHAP MSCHAPv2 (RADIUS) Remote Authentication Dial-In User Service DIAMETER Terminal Access Controller Access-Control System Plus (TACACS+)

Question 53

What is PAP

Answer 53

Password Authentication Protocol - uses Point to Point Protocol (PPP) and not secure because data is sent clear text

Question 54

What is CHAP

Answer 54

Challenge Handshake Authentication Protocol uses PPP but is more secure because it uses hashing.

Question 55

What is MS-CHAP and MS-CHAPv2

Answer 55

Microsoft version of CHAP. CHAPv2 does mutual authentication.

Question 56

What is RADIUS

Answer 56

A centralized authentication service. Can also be used with 802.1x server with WPA enterprise mode.

Question 57

What is TACACS+

Answer 57

Terminal Access Controller Access-Control System Plus - Cisco alternative to RADIUS but encrypts entire authentication process and uses multiple challenges and responses between client and server. Can be used with Kerberos.

Question 58

What is Diameter

Answer 58

An extension of RADIUS and has more capabilities. It uses TCP instead of UDP.

Question 59

What remote access authentication systems are AAA protocols

Answer 59

AAA - Authentication Authorization Accounting. RADIUS Diameter TACACS+ Kerberos is not. It doesn't do accounting.