Week 6 - Network Secuty Defence

Question 1

What is a VPN?

Answer 1

A security mechanism that assists in communications over a public or insecure network by making it more secure. It does so by temporarily extending a private network across a public one to send communications.

Question 2

What are two common uses of VPN?

Answer 2

Remote access and site-to-site.

Question 3

Explain remote access

Answer 3

Remote access let’s single users connect to the protected company network while not currently on that network. Commonly used when a user working remotely or from home.

Question 4

Explain site-to-site

Answer 4

Site-to-site supports connections between two protected company networks. Commonly used when a company has two networks (e.g. A network for each company branch/location) and they need to access each others resources.

Question 5

What are the three types of VPN?

Answer 5

1 Trusted
2 Secure
3 Hybrid

Question 6

Explain how a Trusted VPN works.

Answer 6

A private dedicated line maintained by a provider, that can be leased to customers to create customisable secure private networks that can only be used by the customer.

Question 7

Explain how a Secure VPN works.

Answer 7

Uses protocols and encryption to ensure safe and secure communication between the intented parties over aa untrusted public network.

Question 8

Why do we use Secure VPNs over Trusted VPNs?

Answer 8

Because Trusted VPNs are very expensive to maintain, and the Internet has become more commonplace as the primary public network.

Question 9

Explain what a Hybrid VPN is.

Answer 9

It is a combination of Trusted and Secure VPN techniques.

Question 10

What security mechanisms are used in Secure VPNs?

Answer 10

1 Authentication
2 Tunneling
3 Encryption

Question 11

What happens during the authentication protocol stage of Secure VPNs?

Answer 11

The client sends a request to the VPN server for a connection to be made.
The VPN server asks the client to identify themselves.
The client authenticates themselves.
If authentication is valid, then the VPN can move forward.

Question 12

What happens during the Tunnelling stage of Secure VPNs?

Answer 12

The VPN creates a tunnel on the network.
The data packet is encapsulated in another packet which is addressed using the IP address of the target server.
The data packet is sent through the tunnel to the other network.
The other network removes the layer of encapsulation and extracts the local address in the packet and delivers it to the correct user on the network.

Question 13

What happens during the encryption stage of Secure VPNs?

Answer 13

Packets sent through the tunnel created by the VPN are still encrypted with an encryption protocol. This is because although tunnel are secure, they can still be sniffed. The encryption happens in either transport mode or tunnel mode.

Question 14

What is transport mode encryption?

Answer 14

Encryption is performed as the data packet is created.

Question 15

What is tunnel mode encryption?

Answer 15

When encryption happens as the data packet is being transmitted through the tunnel.

Question 16

What is a digital certificate?

Answer 16

A collection of data which associates a public key with a server.

Question 17

What is a certificate authority?

Answer 17

A trusted third party who verifies a server belongs to the entity claiming it using a digital certificate and associates the public key with that server.

Question 18

What is a certificate signing request?

Answer 18

A request made by an entity to a certificate authority when they want to create a new server. It is a block of text nornalinng in ASN 1. It contains a public key, the name for the server, the organisation name, the unit/department which is responsible for the server, as well as some other lesser data like details of the person responsible for the server.

Question 19

What does ASN stand for?

Answer 19

Abstract syntax notation.

Question 20

What data is contained in digital certificate?

Answer 20

A name, the time frame which it is valid for, who it was issued by, the owners public key, and the certificate authority who signs the certificate.

Question 21

What does a certificate authority do when they receive a certificate signing request?

Answer 21

They first make authenticate the server and public key belongs to the entity who send the request. This can be done many ways, e.g. Domain validation. Once validated, the authority can take the public key provided in the request and associate it with that company and the certificate.

Question 22

What is domain validation?

Answer 22

When an email is sent to an admin response for a specific domain, the email should include an authentication token or link. If the link is used then the admin has proved they have a level of access to that domain and thus are validated.

Question 23

How does a client know that a certificate is valid and how to trust the certificate authority?

Answer 23

Because computers come pre-installed with a number of certificate on the OS, including VeriSign. This means that the computer already has the public key for VeriSign and thus can encrypt/decrypt valid data from VeriSign.

Question 24

What is TLS?

Answer 24

A protocol that allows a client to communicate with a server safely to agree on a symmetric key for encryption and to allow the client to authenticate the server.

Question 25

Where is TLS commonly used?

Answer 25

The Internet, to deliver secure https pages.

Question 26

What is TLS the succesor to?

Answer 26

SSL.

Question 27

What does TLS stand for?

Answer 27

Transport Layer Security.

Question 28

What process does TLS use to allow a key to be agreed?

Answer 28

It does so by completing a handshake process between the client and server.

Question 29

Explain what happens during a handshake in TLS.

Answer 29

The client sends a hello message to the server. This contains the supported cypher suites of the client, and bunch of possible key shares.

When the server receives this, it sends a ‘server hello’ message. This contains a chosen cypher from the clients list of cypher suites, a key share, its digital certificate, and a finished message. The digital certificate and the finished message are encrypted with a chosen symmetric key.

When the client receives this it calculates the symmetric key from the agreed upon cypher as well as the key shares the server sent back. It then uses this agreed upon key to decrypt the digital certificate and finished message to authenticate the server by verifying the certificate.

After that if the client is satisfied with the servers authentication it can then send a encrypted message back to end the handshake and/or to request information or a service from the server.

The server can then send back the encrypted answer to that request.

Question 30

What are supported cypher suites?

Answer 30

The cryptography protocols that the client can support. This can include key exchange algorithms, RSA, PSS, Hash function etc.

Question 31

What is a list of key shares?

Answer 31

They are a list of values that can be used to agree upon a key over an unsecured channel.

Question 32

What is forward secrecy?

Answer 32

A feature that means if at any point a key is compromised, the attacker cannot decrypt any previous communications. This because the key are effemiral, which means that the keys are only used in the context of that communication and no other communication sessions.

Question 33

What are the advantages to TLS 1.3?

Answer 33

Forward secrecy

Increased security compared to other versions of TLS

Question 34

Why is TLS 1.3 more secure than its previous versions?

Answer 34

It doesn’t allow for the use of less secure cryptographic protocol cyphers.

Question 35

What are Firewalls?

Answer 35

A defense mechanism in place to protect networks that prevents incoming attacks to that network/client. You can imagine it as a barrier between your network and an outside unsecure network or channels. They can be impmemted as software or hardware.

Question 36

What are the two types of approaches to Firewalls?

Answer 36

Packet filtering approach

Proxy based approach

Question 37

What is packet filtering?

Answer 37

When a firewall filters through inbound and outbound traffic of a network to look for any malious packets. It does this by putting certain rules on the traffic, which evaluate a packet and determine whether it should be able to pass through the firewall. It does this by looking at packet data like its destination, origin and the ptotocol used to send it.

Question 38

What are the three things that can happen to a packet going through a a firewall?

Answer 38

Accepted - it is determined as safe and can pass through the firewall
Denied - it is determined as not safe and sent back to the sender
Dropped - it is determined as not safe and removed from existence

Question 39

Why might a firewall drop a packet instead of denying it?

Answer 39

It takes resources and bandwidth to send the packet back to the sender which can mean its more trouble than its worth, so it is often dropped instead.

Question 40

Who is normally responsible for a firewall?

Answer 40

The security administrator.

Question 41

How are firewall rules created?

Answer 41

A policies must be created first by the security admin, which is then converted into technical statements which can be used by the firewall as rules.

Question 42

What does a firewall rule contain?

Answer 42

A name
A protocol
Source IP and port
Destination IP and port
Whether to allow or deny this kind of packet

Question 43

What must you keep in mind when creating rules?

Answer 43

You must create a default rule that is applied to a packet if no other rules apply to it.

You must make sure rules do not conflict each other. You can’t have one rule saying certain traffic shiold be allow while another says that same traffic should be denied.

Question 44

What is the proxy based approach for Firewalls?

Answer 44

A proxy server is used to act as an intermediatary between two networks. Requests are made to the proxy to gain access to the other network, and if the proxy deems the request safe, it passes the packets on. It allows confidentiality between networks by hiding the internal bits of a network from the outside world. A external network will only ever make communication with the proxy server not the internal network.

Question 45

How many proxy servers does a network need?

Answer 45

It needs a server for every services that it provides.

Question 46

What does the proxy sever ask the client making an access request to the internal network?

Answer 46

What does it want access to and to verify who they are. If the client does both of these, the proxy server can decide whether not to pass on its packets.

Question 47

What are some proxy firewall operations?

Answer 47

Host IP address hiding
Header destruction
Protocol enforcement

Question 48

What is Host IP address hiding?

Answer 48

When a proxy sever adds its own IP header to a packet so that the internal networks IP is hidden within the packet. This means any ‘sniffers’ will only see the proxys IP.

Question 49

What is header destruction?

Answer 49

When a proxy server prevents IP header sniffing by destroying the original packets header and replaces it with its own IP header.

Question 50

What is protocol enforcement?

Answer 50

When a proxy server enforces the security of port numbers, by ensuring things that prot numbers are doing what they are supposed to be doing and are not spoofed. For example checking that port 80 should be dealing with https requests and it only dealing with one application per server.

Question 51

What is a DMZ?

Answer 51

A Demilitarised Zone is a part of a protected network which is in place between the network and an untrusted external network and manage ‘routes’ between them and provides an extra layer of security by be segregating the internal network from the external networks.

Question 52

What architecture does a DMZ use to provide additional security?

Answer 52

It uses a two firewall architecture, which means that there is one firewall between it and the internal network and another firewall between it and the external network.

Question 53

How do the network access each other in a DMZ approach?

Answer 53

Internal networks must pass the internal firewall to access the DMZ, and external networks must pass the external firewall to access the DMZ.
These communications do not go past the DMZ to the other networks as it might risk security (The respe tive Firewalls are set to not let them through). Therefore the DMZ provides the necessary resoucres/services/information from the other network to the network requesting them.

Question 54

What does an IDS do?

Answer 54

A intrusion detection system automates the process of monoritubg the network for suspicious behaviour and potential violations. It takes necessary steps to prevent those violations before or while they are happening. This combination of measures is referred to as an IDPS technology.

It can also record information about observed incidents, notify admins about incidents and produce reports about the incident.

Question 55

What is the definition of an incident in terms of computer security?

Answer 55

It is a suspected, optional or confirmed violation of computer security policies, acceptable use policies and/or standard security practices.

Question 56

Give some examples of a type of security incident?

Answer 56

DoS
Malware
Unauthorised access

Question 57

What is an IDPS technology?

Answer 57

1) A security technology that detects security events and violations on a network and 2) try to prevent it.

Question 58

Where are IDPS systems normally implemented?

Answer 58

Within a firewall.

Question 59

What are the disadvantages of IDS?

Answer 59

It cannot protect against:
o An internal threat
o Social engineering and manipulation of internal users
o Misconfiguration of administrative data

Question 60

What is an SIEM?

Answer 60

A security information and event management system is a system that aggregates data from different systems in an organization in order to analysis it and catch potential incidents or cyberattacks. It can alert users when attacks are happening too.

Question 61

Why are SIEM not used as much as they should be?

Answer 61

They are cost and resource expensive and it can often be different to resolve problems using SIEM.

Question 62

What are the 4 steps in the SIEM process?

Answer 62

1. Collect data from various sources (e.g. Network devices, servers etc.)
2. Normalise and aggregate collected data
3. Analyse the data to discover and etect threats
4. Pinpoint security breaches and alert organisation.

Question 63

What are the two primary capabilities that SIEM provides an incident reponse team?

Answer 63

Reporting and forensic data about the incident

Alerts based on analytics that match a certain rule set, indicating a security issue

Question 64

What is another common use for SIEM instead of data security in organisations?

Answer 64

To help the client follow compliance for regulations like HIPAA, PCI, SOX, and GDPR.

Question 65

What are some limitations of SIEM systems?

Answer 65

They cannot accurately analyse data without context. If they do not know the context of the data, then they may create alerts for every single piece of suspicious activity, but if given context might realise that some activities were completely warented. This can leads to false alerts.