Module 14 Flashcards

1
Q

___ is considered to be the weakest link in the network system.

A

Layer 2

2
Q

Includes MAC table overflow (also called MAC Address Flooding) Attacks.

A

MAC Table Attacks

3
Q

Includes VLAN hopping and VLAN double‐tagging attacks. It also includes attacks between devices on a common VLAN.

A

VLAN Attacks

4
Q

Includes DHCP starvation and DHCP spoofing attacks.

A

DHCP Attacks

5
Q

Includes ARP spoofing and ARP poisoning attacks.

A

ARP Attacks

6
Q

Includes MAC Address and IP address spoofing attacks.

A

Address Spoofing Attacks

7
Q

Includes Spanning Tree Protocol manipulation attacks.

A

STP Attacks

8
Q

The following strategies are recommended:

A

* Always use secure variants of these protocols such as SSH, SCP, and SSL.
* Consider using out-of-band (OOB) management.
* Use a dedicated management VLAN where nothing but management traffic resides.
* Use ACLs to filter unwanted access.

9
Q

pyramid

A

port security
dhcp snooping
dai
ipsg

10
Q

___ prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks.

A

Port Security

11
Q

___ prevents DHCP starvation and DHCP spoofing attacks by rogue DHCP servers.

A

DHCP spoofing

12
Q

___ prevents ARP spoofing and ARP poisoning attacks.

A

Dynamic ARP Inspection (DAI)

13
Q

___ prevents MAC and IP address spoofing attacks.

A

IP Source Guard (IPSG)

14
Q

If Layer 2 is disrupted by a cyber attack, all layers above it will be affected.

A

True

15
Q

It is important to protect Layer 2 by always using secure variants of protocols such as ___.

In addition, ___ should be used to filter unwanted access.

A

SSH, SCP, and SSL.

ACLs

16
Q

___ are available on Cisco switches to directly mitigate Layer 2 attacks.

A

Port security, DHCP Snooping, DAI, and IP Source Guard

17
Q

One type of Layer 2 attack floods the switch with frames with __

A

random MAC source addresses.

18
Q

___ can quickly overwhelm the MAC table of a switch causing a MAC table overflow exploit.

A

Threat actor tools such as macof

19
Q

A simple but effective way to prevent Layer 2 attacks is to

A

shut down all unused ports.

20
Q

___ is a simple way to directly address MAC address overflow attacks.

A

Port security

21
Q

___ attacks enable threat actors to access VLANs that they are not authorized to access.

A

VLAN hopping and VLAN double-tagging

22
Q

In ____, a threat actor connects a host computer to a switch and then attempts to negotiate the switchport to become trunk using DTP.

A

VLAN hopping attacks

23
Q

In _____, a threat actor adds a false VLAN tag to malicious traffic in addition to the legitimate tag.

A

VLAN double-tagging attacks

24
Q

___ can be vulnerable to PVLAN proxy attacks.

A

Private VLAN promiscuous ports

25
Q

PVLAN proxy attacks can be mitigated through the use of

A

access control lists.

26
Q

Two types of DHCP attacks are

A

DHCP starvation and DHCP spoofing.

27
Q

The goal of the DHCP starvation attack is

A

DoS for connecting clients.

28
Q

A ___ occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.

A

DHCP spoofing attack

29
Q

Both DHCP attacks are mitigated by implementing

A

DHCP snooping.

30
Q

Any host can claim to be the owner of any IP and MAC address.

A

True

31
Q

___ occur when threat actors alter the MAC address of their host to match another known MAC address of a target host.

A

MAC address spoofing attacks

32
Q

__, which requires DHCP snooping to be enabled, can mitigate ARP spoofing by ensuring that
only valid ARP Requests and Replies are sent into the network.

A

DAI

33
Q

___ is when a rogue PC hijacks a valid IP address of a neighbor, or uses a random IP address.

A

IP address spoofing

34
Q

To protect against MAC and IP address spoofing, configure ___. It operates like DAI, but it looks at every packet, not just the ARP packets.

A

IPSG

35
Q

___ is a loop-prevention network protocol that allows for redundancy while creating a loop-free Layer 2 topology.

A

STP

36
Q

Threat actors can manipulate the STP to conduct an attack by

A

spoofing the root bridge and
changing the topology of a network.

37
Q

Cisco switches have a number of STP stability mechanisms such as

A

PortFast, BPDU Guard, Root Guard, and Loop Guard.

38
Q

What type of attack occurs when a threat actor sends packets with false MAC or IP addresses?

A

Address spoofing occurs when a threat actor sends packets that have false MAC or IP addresses.

39
Q

What type of attack sends false address requests to a server until all addresses are used and none are available for legitimate users?

A

DHCP attacks include DHCP starvation which is an attack in which false requests are made to a DHCP server until all available addresses are exhausted.

39
Q

What prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks?

A

Port Security prevents many types of attack including CAM table overflow attacks and DHCP starvation attacks.

40
Q

What prevents DHCP starvation and spoofing attacks?

A

DHCP Snooping prevents DHCP starvation and DHCP spoofing attacks.

41
Q

What prevents MAC and IP address spoofing attacks?

A

IP Source Guard helps prevent MAC and IP address spoofing attacks.

42
Q

Which statement describes STP?

A

STP is used to prevent Layer 2 loops on Ethernet LANs.

43
Q

Without STP on the Ethernet LAN, which three types of frames could cause a catastrophic loop in the network? (Choose three.)

A

Without STP enabled, unknown unicast, multicast, and broadcast frames could loop endlessly on the network, causing catastrophic network failure.

44
Q

What device is elected by the Spanning Tree Algorithm? All other switches determine a single least-cost path to this device.

A

The STP algorithm elects a root bridge on the LAN. All other switches calculate the lowest cost path to the root bridge.

45
Q

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports?

A

control

PVLAN protected ports do not exchange any data traffic with other protected ports. The only traffic that is exchanged between protected ports is control traffic generated by network devices.

46
Q

A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?

A

it checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body

DAI can be configured to check for both destination or source MAC and IP addresses:

* Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
* Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
* IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

47
Q

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?

A

enable port security

A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.

48
Q

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

A

dhcp starvation

DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

49
Q

When security is a concern, which OSI Layer is considered to be the weakest link in a network system?

A

layer 2

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.

50
Q

If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge?

A

the layer 2 address with the lowest hexadecimal value

When other factors are equal, the switch with the lowest MAC address will have the lowest BID, and will become the root bridge. STP functions on Layer 2 and does not use IP addressing as a factor.

51
Q

Which statement describes the behavior of a switch when the MAC address table is full?

A

it treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN

When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.

52
Q

A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation?

A

MAC address table overflow

Macof is a network attack tool and is mainly used to flood LAN switches with MAC addresses.

53
Q

What determines which switch becomes the STP root bridge for a given VLAN?

A

the lowest bridge ID

STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

54
Q

What action can a network administrator take to help mitigate the threat of VLAN hopping attacks?

A

disable automatic trunking negotiation

There are two methods for mitigating VLAN hopping attacks:

* disabling automatic trunking negotiation on switchports
* turning trunking off on all unused nontrunk switchports

55
Q

Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)

A

port security

dhcp snooping

Cisco provides solutions to help mitigate Layer 2 attacks including these:

* IP Source Guard (IPSG) - prevents MAC and IP address spoofing attacks
* Dynamic ARP Inspection (DAI) - prevents ARP spoofing and ARP poisoning attacks
* DHCP Snooping - prevents DHCP starvation and DHCP spoofing attacks
* Port Security - prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks

Web Security Appliance (WSA) is a mitigation technology for web-based threats.

56
Q

What is the only type of port that an isolated port can forward traffic to on a private VLAN?

A

a promiscuous port

PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:

* Promiscuous ports that can forward traffic to all other ports
* Isolated ports that can only forward traffic to promiscuous ports
* Community ports that can forward traffic to other community ports and promiscuous ports

57
Q

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?

A

dhcp snooping

Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this IPSG uses the bindings database built by DHCP snooping.