Section 7: Delving into Network and Security Concepts

Question 1

What is the purpose of a web application firewall, and where is it normally placed?

Answer 1

Web Application Firewall (WAF) is normally installed on or before a web server. It’s job is to protect web apps from attack.

Question 2

What is Implicit Deny, and which two devices does it effect?

Answer 2

Used by both the firewall and the router. If there is no allow rule, they get the last rule, which is deny all.

Question 3

What is the firewall that does content filtering, URL filtering, and malware inspection?

Answer 3

Unified Threat Management (UTM), provides value for money.

Question 4

Which network device connects two networks?

Answer 4

Router. Works at Layer 3, Network Layer.

Question 5

Which type of internal device connects users on the same network?

Answer 5

Switch. Normally in a star topology. Works at Layer 2, Data Link Layer.

Question 6

Which type of device hides the internal network from hackers on the internet?

Answer 6

Network Address Translator (NAT).

Question 7

What does an inline NIPS do?

Answer 7

Screens incoming traffic.

Question 8

Which type of IPS protects virtual machines from attack?

Answer 8

Host-Based IPS (HIPS). Installed on the guest VM or computer.

Question 9

Which type of of IPS is placed behind the firewall as an additional layer of security?

Answer 9

Network-Based IPS (NIPS). Prevents unauthorized access to the network.

Question 10

If you don’t have a NIDS on your network, which device can passively monitor network traffic?

Answer 10

NIPS can fulfill functionality of a NIDS.

Question 11

What is the difference between a signature and anomaly-based NIDS?

Answer 11

Signature-based: works off a known of variants.

Anomaly-based: starts with the database and can learn about new patterns or threats. Also known as heuristic.

Question 12

What is the passive device that sits on your internal network?

Answer 12

NIDS. Can detect changes to your network using sensors and collectors.

Question 13

If you receive an alert that server 1 has a virus, and you inspect the server to find there are no viruses, what is this known as?

Answer 13

False positive.

Question 14

How can you prevent someone from accessing a medical center’s network by plugging their laptop into a port in the waiting room?

Answer 14

Enable port security, where you turn the port off on the switch.

Question 15

How can you prevent someone from plugging a rouge access point into your network?

Answer 15

Enable 802.1x, which ensures that the device is authenticated before being able to use the port.

Question 16

How do 802.1x and port security differ? Which one gives me more functionality?

Answer 16

A managed switch uses 802.1x, which authenticates the device but does not disable the port.

Port security disables the port.

Question 17

What is the purpose of web caching on a proxy server?

Answer 17

Keeps copies of the web pages locally, ensuring faster access to the web pages and preventing the need to open a session to the internet.

Question 18

What is the purpose of a VPN?

Answer 18

Create a tunnel across unsafe networks from home or a hotel to the workplace.

Question 19

What happens in the IKE phase of a VPN session?

Answer 19

Diffie Hellman, using port 500, sets up a secure session before the data is transferred.

Question 20

What is the purpose of a VPN concentrator?

Answer 20

Set up a secure session for a VPN.

Question 21

What is the most secure VPN tunneling protocol?

Answer 21

L2TP/IPSec. Uses AES encryption for the ESP.

Question 22

What modes would you use in a L2TP/IPSec tunnel over the internet and then internally?

Answer 22

Internet: Tunnel mode
Internal: Transport mode (between internal hosts)

Question 23

Which VPN session type would you use on a site-to-site VPN?

Answer 23

Always-on mode (as opposed to dial-on-demand). Can be used to create a point-to-point connection between the main and remote sites.

Question 24

What network device should you use to manage a high volume of web traffic?

Answer 24

Load balancer. Sends requests to the least-utilized node that is healthy.

Question 25

What type of network is used by a virtual network so that the route requests are forwarded to a controller?

Answer 25

Software-Defined Networking (SDN).

Question 26

What is the purpose of a screened subnet, and what type of web server is located there?

Answer 26

Boundary layer that hosts an extranet server. Sometimes known as extranet zone. Used to be called the DMZ.

Question 27

If you want to find out what attack methods a potential hacker is using, what do you need to set up?

Answer 27

Honeypot: a website with lower security to monitor the attack methods being used and then harden your actual web server against potential attacks.

Question 28

What is the purpose of network access control? Name two agents that it uses.

Answer 28

Ensures that devices connecting to your network are fully patched.

1. Permanent
2. Dissolvable (single-use)

Question 29

What type of device can be used to automate the collection of log files across many different devices?

Answer 29

SIEM server, which can correlate log files from many devices and notify you of potential attacks. Syslog server can also collect log files.

Question 30

If you wanted to back up data to a backup device but, at the same time, prevent someone from deleting the data, what device do you need to use?

Answer 30

Write-One Read-Many (WORM) Drive.

Question 31

Explain the port mirror process and name another device that could be used for the same process.

Answer 31

Makes a copy of the data going to a port and diverts it to another device for analysis.

A TAP can be used for the same purpose, but is more expensive.

Question 32

What type of records are created by DNSSEC?

Answer 32

RRSIG records are created for each DNS host and a DNSKEY record used to sign the KSK or ZSK.

Question 33

What are the two portions of an IPSec packet?

Answer 33

1. Authenticated Header (AH), uses either SHA-1 or MD5
2. Encapsulated Payload (ESP), uses DES, 3DES or AES

Question 34

How can you tell whether your laptop fails to get an IP address from a DHCP server?

Answer 34

You would receive a 169.254.x.x IP address, known as APIPA, which could be caused by network connectivity or resource exhaustion.

Question 35

What type of IP address is 2001:123A:0000:0000:aBC0:00AB:0DCS:0023 and how can you simplify it?

Answer 35

IPv6. Simplified by changing leading zeros to 2001:123A::aBC0:AB:dCS:23

Question 36

What is the benefit of an HTML 5 VPN?

Answer 36

No infrastructure needs to be setup as it uses certificates for encryption.

Question 37

What mode is an L2TP/IPSec VPN if it encrypts both the header and the payload?

Answer 37

Tunnel mode, which would be used externally.

Question 38

What is the purpose of a jump server?

Answer 38

Allows an administrator to connect remotely to the network. Can be placed in a screen subnet or LAN.

Question 39

What is load balancing persistence or affinity?

Answer 39

Where the host is sent to the same server for the session.

Question 40

What is the downside to using two load balancers in an active/active mode?

Answer 40

Both load balancers are working close to capacity. If one fails, the users would find that traffic is slower.

Question 41

Three different groups of workers are in an open plan office, and they are all connected to the same physical switch. What can be done to isolate them from each other?

Answer 41

A VLAN can be used for departmental isolation on the same switch.

Question 42

How does East-West traffic operate?

Answer 42

Moves laterally between servers within a data center.

Question 43

What is a zero-trust network and where is it likely to be used?

Answer 43

Where every user or device must prove their identity before accessing the network. This would be used in the cloud.

Question 44

Why would someone use Angry IP?

Answer 44

Angry IP is an IP scanner that would scan an IP range to determine hosts that are active or inactive.

Question 45

When can you use curl or nmap?

Answer 45

Banner grabbing: a technique used to gain information about a computer system on a network and the services running on its open ports.

Question 46

When would someone use the Harvester tool?

Answer 46

Collect email addresses of a particular domain from search engines like Google.

Question 47

How can an attacker find the DNS records from your domain?

Answer 47

Use the dnsenum tool.

Question 48

Why would you use the scanless tool?

Answer 48

Allows anonymous port scanning so that it cannot be traced back to you.

Question 49

What tools can you use as a sandbox to analyze files for malware?

Answer 49

Cuckoo, or create a virtual sandbox.

Question 50

What is the purpose of DHCP snooping?

Answer 50

Prevent rogue DHCP servers from operating openly on your network.

Question 51

What are the two main reasons why you would receive an APIPA address of 169.254.1.1?

Answer 51

1. Resource exhaustion (DHCP server has run out of IP addresses)
2. Network connectivity between client and DHCP server