5 - Network Configuration Flashcards

1
Q

Network Analyst

A
  • Monitor, analyze, detect, and respond to events/incidents within infrastructure devices and netflow
  • ID security risk and develop mitigation plans
2
Q

Network Baseline

A

Defines what normal network conditions and traffic looks like

Can be used to test for abnormal conditions, rapidly deploy new networks, and ensure network is working as designed

3
Q

Cyber Threat Intelligence (CTI)

A
  • Knowledge about adversaries and their motivations, intentions, and methods
  • Enables orgs to deploy measures to detect, mitigate, and possibly prevent attacks
4
Q

Network Artifacts
– Definition
– Examples

A
  • Piece of network traffic data that may be relevant to an investigation
  • Helps develop network/host signatures
  • Examples:
    – Logs
    – Files/directories
    – Registry Keys
5
Q

Network Triage

A
  • Sorting network violations into groups based on:
    – Response to Outages
    – Level of Compromise (CAT levels)
    – Leverages Artifacts
    – Mission Critical Systems
  • Helps analyst/unit prioritize important systems
6
Q

Sandbox

A
  • Controlled environment used to test suspicious/malicious software without endangering entire network
7
Q

IDS
– Definition
– Examples

A

Intrusion Detection System

  • Passively monitors network or systems for malicious activity/violations.
    May send alerts for detections but does NOT prevent them.
  • Does not affect existing systems/infrastructure
  • Examples:
    – Snort
    – Suricata
    – Wireshark
8
Q

IPS
– Definition
– Examples

A

Intrusion Prevention System

  • Detects and blocks possible network intrusion.
    – Placed in-line with network traffic
  • Examples:
    – Snort
    – Suricata
9
Q

SIEM

A

Security Info & Event Management

  • Group of technologies which aggregates relevant data from multiple sources to provide birds-eye view of a network and help identify deviations from the norm.
  • Examples:
    – ELK
    – Splunk
    – AlienVault
    – SolarWinds
10
Q

Network Source Data Types
– 3 Types

A
  • Full Packet Capture
  • NetFlow & Related Flow-Based Collections
  • Log Files
11
Q

Full-Packet Capture
– Definition
– File formats
– Benefits
– Drawbacks

A
  • File containing all original packet data as seen at collection point
  • Extension Formats:
    – *.pcap
    – *.pcapng
    – *.cap
    – *.dmp
  • Benefits
    Holy Grail of network data collection
    – Facilitates deep analysis long after communication occurred
    – Variety of tools available to examine pcap files with different approaches
  • Drawbacks
    – Files can become extremely large
    – Limited availability due to legal constraints
    – Limited usefulness due to encryption
12
Q

NetFlow
– Definition
– Benefits
– Drawbacks

A
  • Summary of network communication as seen at collection point
  • No content, just summary and metadata
  • Useful for quick triage
  • Benefits
    – Requires less storage
    – Faster analysis process
    – Fewer privacy concerns
    – Analysis process applies equally to all protocols
  • Drawbacks
    – Low level analysis may not be possible w/o content
    – Many collection platforms require training/licenses
13
Q

Log Files
– Definition
– Benefits
– Drawbacks

A
  • Application or platform-centric files describing activities handled or observed by the log creator
  • Benefits
    – Widely available
    – Processes often in place to analyze them
    – May be aggregated for centralized analysis
  • Drawbacks
    – Varying levels of detail and formats
    – Often requires additional data to corroborate findings
    – If not aggregated, can be time consuming to find and analyze
14
Q

Port Mirror (switch)
– Definition
– Benefits
– Drawbacks

A
  • “Software tap” that duplicates packets from one switch port to another
    – Sometimes called a SPAN (Switch Port Analyzer) port
  • Benefits
    – Simple to set up (quick config change, no downtime)
    – Switch presence maximizes flexibility of platform placement
  • Drawbacks
    – Only half-duplex, so may experience data loss with high-traffic networks
15
Q

Router Netflow Export
– Definition
– Benefits
– Drawbacks

A
  • Export router netflow data for external analysis
  • Benefits
    – Only requires simple config change (little to no downtime)
    – NetFlow is already collected, only needs to be exported
  • Drawbacks
    – Generally does not provide ability to perform full-packet capture
16
Q

Layer 7 Devices (Network data collection)
– Definition
– Examples
– Benefits
– Drawbacks

A
  • Any platform with control of or purview over a network link
    – May provide any of the 3 types of Network Data, depending on the device
  • Examples:
    – Web proxies
    – Load balancers
    – DHCP & DNS Servers
  • Benefits
    – May offer many perspectives on the same incident
  • Drawbacks
    – Logs may come in varying formats and levels of detail
    – May require intensive parsing & analysis
    – Platforms often scattered across enterprise
    – Requires solid aggregation plan/platform
17
Q

Tap
– Definition
– Benefits
– Drawbacks

A
  • Hardware device which duplicates data streams and may send them to a capture/observation platform
  • “Aggregating” tap merges both directions of traffic
  • “Regenerating” tap duplicates data streams and sends to multiple physical ports
  • Benefits
    – Specifically designed for network traffic capture
    – Engineered for performance and reliability
    – Most taps fail open during power loss
  • Drawbacks
    – Expensive
    – Downtime during installation
18
Q

Network-Based Processing Workflows
– List 6

A
  • Establish Baselines
  • Ingest and Distill
  • Reduce and Filter
  • Analyze and Explore
  • Extract Indicators and Objects
  • Scope and Scale
19
Q

Establish Baselines
– Goal
– Details

A
  • Establish normal pattern of behaviour to help ID abnormal patterns.
  • Established before, during, and after a mission
  • Determines cycles based on time and date
  • Determine typical cycles of traffic
    – Top-talking hosts
    – Ports/protocols
    – GET vs POST ratios
20
Q

Ingest and Distill
– Goal
– Details

A
  • Prepare for analysis and derive data that will more easily facilitate the rest of the analytic workflow
  • Log source Data
  • Distill pcap files to other data types
  • Split data into time-based chunks
  • Load data into analytic platforms
21
Q

Reduce & Filter
– Goal
– Details

A
  • Reduce volume of input data
  • Use known indicators and data points to reduce data volume
    – IP addresses
    – Ports/protocols
    – Time frames
    – Volume calculations
    – Domain names
    – Hostnames
  • Build filters to reduce visible data
22
Q

Analyze and Explore
– Goal
– Details

A
  • ID traffic/artifacts that support investigative goals/hypotheses
  • Analyze reduced data for suspicious traffic
    – Content
    – Context
    – Anomalies
    – Consistencies
  • Look for protocol anomalies
  • Compare to baseline to ID deviations
23
Q

Extract Indicators & Objects
– Goal
– Details

A
  • Find artifacts that help ID malicious activity
  • Look for:
    – field values
    – byte sequences
    – files
    – other objects
  • Maintain artifact collection
  • Includes observations about network traffic itself or nature of communications
  • Extract artifacts
  • Protect/share data IAW policies and security constraints
24
Q

Scope & Scale
– Goal
– Details

A
  • Search more broadly within source data for behaviour that matches known indicators
  • Scale up search w/ large-scale platforms/tools
  • ID additional suspicious endpoints
  • Pass indicators to security ops
25
Q

Wireshark

A

Deep, protocol-aware packet exploration and analysis tool

Can extract over 140,000 data fields

26
Q

TCPDump

A

Log or parse network traffic, similar to wireshark

27
Q

Bro NSM

A

Creates log files to document observed network traffic

28
Q

Snort/Suricata

A

Performs real-time traffic analysis and packet logging on IP networks

May work as an IDS or an IPS

Can detect variety of attacks/probes using signatures

29
Q

NetworkMiner

A

Protocol-aware object extraction tool that writes files to a disk

May trigger host defenses when writing files to disk

Network data fields can be exported to CSV

30
Q

Cisco Hierarchical Network Design
– 3 Layers

A

Access (lowest)
Distribution (middle)
Core (Highest)

31
Q

Core Layer (Cisco Hierarchical Network Design)

A
  • Aggregates distribution switches in large LANs
  • Provides high forwarding rates
32
Q

Distribution Layer (Cisco Hierarchical Network Design)

A
  • Aggregation point for access switches
  • Does not connect directly to end-user devices
  • Provides redundancy and interconnectivity
33
Q

Access Layer (Cisco Hierarchical Network Design)

A
  • Connection point for end user devices
  • Does not typically connect to other access switches
  • Controls access to intranet resources
34
Q

OS used by switches

A

Internetwork Operating System (IOS)

35
Q

3 Ways to access switch CLI

A
  • Console - physical port
  • Telnet - IP network
  • SSH - IP network
36
Q

Four types of switch memory

A
  • ROM
  • Flash
  • NVRAM
  • RAM
37
Q

Location of startup-config

A

NVRAM

38
Q

Location of Running-config

A

RAM

39
Q

VLAN
- Advantages
- equals…

A
  • Advantages
    – Segmentation
    – Flexibility
    – Security
  • Equals…
    – Broadcast Domain
    – Subnet
    – Logical Network
    – LAN
  • By nature, they inhibit communication between VLANs
40
Q

802.1Q
– What is it
– Tagging method
– # VLANs supported
– Spanning Tree
– Multi-vendor support
– Native VLAN

A
  • VLAN Trunking protocol
  • Handles frame tagging (inserts 4 bytes into original frame, modifies FCS)
  • Supports 4096 VLANs (4094 in practice)
  • Mono Spanning Tree
  • IEEE Open Standard
  • Uses native VLAN
41
Q

ISL
– What is it
– Tagging method
– # VLANs supported
– Spanning Tree
– Multi-vendor support
– Native VLAN

A
  • Inter-switch link; alternative to 802.1Q
  • Adds 26 byte header and 4 byte trailer to tag VLANs
  • Supports 1000 VLANs
  • Uses Per VLAN Spanning Tree
  • Cisco Proprietary
  • Does not use native VLAN
42
Q

DTP

A
  • Dynamic Trunk Protocol
  • Handles negotiation of trunk links
43
Q

Trunk Modes

A
  • Trunk - Permanent trunk mode
  • Access - Permanent non-trunk mode
  • Dynamic Desirable - Port actively tries to convert link to trunk link
    – Becomes a trunk if neighbor is set to trunk, desirable, or auto
  • Dynamic Auto - Port is willing to convert to trunk link
    – Becomes trunk if neighbor port is set to desirable
  • NoNegotiate - Permanent trunk mode, prevents port from generating DTP frames
44
Q

EtherChannel

A
  • Allows parallel links (up to 8 ports) to function as one single link
  • Increases bandwidth
  • Reduces convergence and provides redundancy
45
Q

VTP
– Features
– Modes (do they configure, vlan range, do they forward, do they sync)
– Items required to forward updates

A
  • Features
    – Advertises VLAN config info (trunk ports only)
    – Maintains VLAN config throughout domain
  • Modes
    – Server - Configure VLANs 1-1005; Originates, forwards, and syncs updates
    – Client - Supports but does not configure VLANs 1-1005; forwards and syncs updates
    – Transparent - Configures VLANs 1-4094; forwards updates
  • Matching VTP Domain name and password
46
Q

Difference between VTP v1, v2, and v3

A
  • Only v3 can be in “Off” mode
  • v1 does not support Token Ring or Unrecognized TLVs
  • v2 and v3 do not check VTP version before forwarding updates in transparent mode
  • v1 does not support consistency checks
  • v3 supports extended VLAN range
  • v3 supports private VLANs
  • v3 supports database propagation
  • v3 encrypts password
47
Q

VTP operation
– General operation info
– Requirements to function
– VLAN config storage

A
  • General:
    – Advertisements sent as multicast frames every 5 min, or if there is a change
    – servers/clients sync to latest revision num
  • Function Requirements:
    – Links set up with ISL or 802.1Q
    – VTP domain name and password (if set) match
  • Config Storage
    – vlan.dat in flash memory
48
Q

Spanning Tree Protocol
– Purpose
– Features/Enhancements

A
  • Prevents loops and provides path redundancy
  • Prevents broadcast storms
  • Stabilizes MAC table
  • Eliminates multiple frame transmission
  • Portfast
    – Minimizes wait time
  • BPDU Guard
    – Enabled by default
    – Prevents switch operation on specified port (access mode or unused/disabled ports)
    – Port goes into err-disabled mode when BPDUs detected
  • Root Guard
    – Enables BPDUs on specified port
    – Ignores superior BPDU messages (prevents rogue switch taking over as root bridge)
49
Q

BPDU (Spanning Tree Protocol)
– What is it
– Types
– Contains
– Default Priority

A
  • Bridge Protocol Data Unit
  • 3 Types
    – Config BPDU
    – Topology Change Notification (TCN)
    – Topology Change Acknowledgement (TCA)
  • Contains Bridge ID
    – Unique ID
    – Bridge Priority (2 bytes) and Bridge MAC (6 Bytes)
    – Default priority is 32768
    – Root bridge has lowest priority num
    – If priority is the same, lowest MAC wins
50
Q

Spanning Tree Protocol States
– 5 states

A
  • Blocking
  • Listening (15 sec)
    – Topology change detected
    – Does not forward frames
    – Inactive MACs removed from CAM table
  • Learning (15 sec)
    – Does not forward frames
    – Switch adds new MACs to CAM table
  • Forwarding
  • Disabled (off)
51
Q

Spanning Tree Protocol Versions

A
  • IEEE 802.1D
    – 1 instance for all VLANs
    – Slow (up to 50 sec) convergence
  • Per VLAN ST (PVST)
    – 1 instance per VLAN
    – Supports ISL; PVST+ supports 802.1Q
    – Cisco Proprietary
  • IEEE 802.1w (Rapid STP)
    – Faster (<10 sec) convergence
    – 1 instance for all VLANs
  • Per VLAN RST
    – 1 RSTP Instance per VLAN
  • IEEE 802.1s
    – Multiple Spanning Tree Protocol
    – Inspired by CISCO’s MISTP
    – Multiple VLANs mapped to single instance of ST
52
Q

Spanning Tree protocol
– How it works

A
  • Elect root bridge (one per network)
    – All interfaces forwarding
    – All ports are designated ports
  • Elect root port (one per device) for non-root bridge
    – Lowest cost back to root bridge
  • Elect designated port for each network segment
    – Lowest cost back to root bridge
  • Cost determined by bandwidth
  • STP recalculates after MAXAGE timer expires
53
Q

Rapid Spanning Tree Protocol
– State Differences
– MaxAge Difference
– Convergence Info
– Additional Port Definitions

A
  • Only has Discarding, Learning, and Forwarding states
  • MaxAge is 6 sec vs 20 in STP
  • Listening state removed, learning state time reduced
  • Convergence < 10 sec
    – All switches generate/send Hello BPDUs
    – States no longer based on timers
    – Portfast now referred to as Edge Ports
  • Designates an Alternate Port
    – Primary alternate for a root port
  • Designates a Backup Port
    – Backup for an Alternate Port
54
Q

Sub-interface

A
  • Router equivalent of SVI
  • Single interface may be divided into multiple sub interfaces to carry traffic for multiple VLANs
55
Q

Inter-VLAN routing

A
  • Must define a default gateway
56
Q

DHCP Relay

A
  • IP Helper-address
  • Client server application to forward broadcast requests
    – Converts broadcast into unicast to DHCP server
  • Allows DHCP requests to leave the LAN subnet (VLAN)
57
Q

Router on a stick

A
  • Single router w/ one interface
  • Performs ISL/802.1Q trunking paired w/ sub interfaces to route VLAN traffic
58
Q

SVI (Switch Virtual Interface)

A
  • Layer 3 presence of a VLAN
  • Virtual port, only existing in switch software
  • Allows inter-VLAN routing
  • Layer 2 VLAN must exist for this to function
59
Q

HSRP (Hot Standby Routing Protocol)

A
  • Designed to support failover of IP traffic
  • Multiple routers (standby/HSRP group) appear as a single virtual router for hosts on the LAN
    – One router at a time is selected as the active router. Only the active router forwards packets
    – Active router is the one with highest HSRP priority
    – A backup for the active router is selected as the standby router
  • Preempt enables a router to resume the active role
  • Hold timer should be at least 3 times hello timer
60
Q

Port security

A
  • Limits MAC address on switch ports
    – NOT used on dynamic ports
  • Can either be static (manually specified MACs) or dynamic (limit # of hosts per port)
  • Static MACs saved to running-config
  • Dynamic MACs not saved in running-config
    – Enabling Sticky allows dynamic MACs to be stored in running-config, essentially making them static
61
Q

Switchport Security Violations
- 3 types

A
  • Protected
    – Known MACs may continue sending traffic
    – No notification
  • Restricted
    – Known MACs may continue sending traffic
    – Notification (SNMP) sent and violation counter incremented
  • Shutdown
    – Default mode
    – Notification sent
    – Interface switched to err-disabled state
62
Q

SSH

A
  • Uses up to 2048-bit ciphers and RSA encryption
63
Q

AAA
– What is it
– Radius vs TACACS+

A
  • Authentication, Authorization, and Accounting
  • Radius
    – UDP
    – Encrypts only PW
    – Open source, less granular authorization control
  • TACACS+
    – TCP port 49
    – Encrypts full payload of each packet
    – Cisco proprietary, very granular authorization control
64
Q

Routed Port

A
  • Switch port using the no switchport command
  • Acts like a port on a normal router
65
Q

Routing Requirements

A
  • Know destination address
  • ID sources to learn from
  • Discover possible routes
  • Select best route
  • Maintain/verify routing info
66
Q

Types of routing

A
  • Static
    – Static route
    – Static default route
  • Dynamic
    – OSPF
    – EIGRP
67
Q

Static Routing

A
  • Manually configured
  • Simplest form on small networks but complicated and not feasible in large
  • Classful and Classless
  • Hub and Spoke design
  • Must configure routes for both directions
  • Static Default route uses gateway of last resort
    – Any traffic that doesn’t match another defined route gets sent to gateway of last resort
68
Q

Dynamic Routing
– General Info
– Advantages
– Disadvantages

A
  • Routing information exchanged between routers
  • Can load balance between multiple paths with equal/unequal costs
  • Advantages
    – Suitable for any topology using multiple routers
    – Independent of network size
    – Automatically adapts to reroute traffic (if possible)
  • Disadvantages
    – Can be complex to set up
    – Less secure due to broadcast and multicast updates
    – Route depends on current topology
    – Requires additional resources (CPU, memory, bandwidth)
69
Q

Routing protocol Classifications
– classified based on purpose (2), operation (3), or behaviour (2)

A
  • Purpose
    – Interior Gateway Protocol (IGP) - Routing within an autonomous system (AS) (intra-AS routing)
    – Exterior Gateway Protocol (EGP) - Routing between Autonomous systems (AS) (inter-AS routing)
  • Operations
    – Distance Vector - Routes advertised by providing distance and vector
    – Link-state - Each node in network constructs a connectivity map, then independently calculates the best paths. Good for large hierarchical networks needing fast convergence
    – Path-vector - Essentially distance vector protocol that analyzes the path itself to guarantee loop-free path
  • Behaviour
    – Classful (legacy) - Do not send subnet mask info in routing updates. Create problems in discontiguous networks
    – Classless - Include subnet mask info in routing updates. Support VLSM and CIDR
70
Q

IPv4 Routing Protocols
- 7 protocols

A
  • RIPv1: IGP, Distance Vector, Classful
  • IGRP: IGP, Distance Vector, Classful, Cisco-developed
  • RIPv2: IGP, Distance Vector, Classless
  • EIGRP: IGP, Distance Vector, Classless, Cisco-developed (can also be classful)
  • OSPF: IGP, Link-state, Classless
  • IS-IS: IGP, Link-state, Classless
  • BGP: EGP, Path-vector, Classless
71
Q

Autonomous System

A

Collection of routers under a common administration such as company or organization

72
Q

Discontiguous Network

A

Network in which subnets from the same classful major network address are separated by a different classful network address

73
Q

Administrative Distance

A
  • Used by routers to select the best path when multiple routes exist from different routing protocols
  • Defines reliability of a protocol
  • Some default values:
    – Connected interface - 0
    – Static route - 1
    – EIGRP summary route - 5
    – BGP - 20
    – Internal EIGRP - 90
    – OSPF - 110
    – Unknown - 255
74
Q

Distance Vector Routing Protocols

A
  • Routing updates shared between neighbors
  • Router is aware of networks on its own interfaces and those that can be reached through neighbors
  • Some protocols send periodic updates
    – RIP sends updates to 255.255.255.255 (v1) or multicast 224.0.0.9 (v2) every 30 seconds
75
Q

Routing Information Protocol (RIP)
– Metric info
– Timers

A
  • Distance Metric: Hop Count
    – Max allowed is 15
    – 16 is infinity metric (host unreachable)
  • Susceptible to loops and the “count to infinity” problem
  • Timers, since last update
    – 240 sec Flush
    – 180 Sec Invalid
    – 180 sec Hold down (starts after invalid timer ends)
76
Q

Split Horizon

A
  • Method of preventing routing loops
  • Routing info for a given packet is never sent back in the direction from which it was received
77
Q

OSPF
– algorithm
– states (8)
– method of sharing routes

A
  • Utilizes shortest path first (SPF) algorithm
  • States:
    – Down
    – Init
    – 2-way
    – DR Election
    – ExStart
    – Exchange
    – Loading
    – Full
  • Propagates LSAs rather than routing table updates
  • LSAs flooded to all OSPF routers in the area
78
Q

EIGRP
– details
– metric
– path determination

A
  • Rapid convergence
  • Reduced bandwidth
  • Uses “5 Ks” to calculate Metric (distance)
    – K1: Bandwidth
    – K2: Load
    – K3: Delay
    – K4/K5: Reliability
  • Feasibility condition (feasible/calculated distance > reported/advertised distance) is used to detect paths with loops
  • Successor is route with lowest metric that meets feasibility condition
  • Feasible successor is a secondary route that also meets feasibility condition
  • Use auto-summary to summarize subnets into classful addresses
79
Q

Access Control List
– Types (3)
– Number Ranges
– Details

A

Types

  • Standard
    – Checks source address
    – Permits/denies all protocols
    – Number range 1-99, 1300-1999
  • Extended
    – Checks both source and destination
    – Permits/denies specific protocols
    – Can also specify conditions for specific ports
    – Number Range 100-199, 2000-2699
  • Named
    – Can be standard or extended, just uses name instead of number to identify
  • Uses wildcard mask for filtering subnets
  • Most restrictive statements should go at top of ACL
80
Q

Domino Effect

A
  • If a network layer is compromised, all network layers above it are also compromised
    – Ex: if data link layer is compromised, the network, transport, and application layers are also compromised
81
Q

CAM Overflow
– What is it
– Mitigation

A
  • Attacker floods CAM table with thousands of MAC addresses, causing it to fill up. When this happens, the switch starts to flood any traffic from new hosts out all ports
  • Essentially turns a switch into a hub
  • May be mitigated with port security or MAC address monitoring
82
Q

ARP Spoofing
– what is it
– mitigation

A
  • Attacker pretends to be default gateway and sends out a gratuitous ARP, so all users send traffic through the attacker instead of the real default gateway
  • Only works within one VLAN
  • May be mitigated with:
    – Static ARP table on critical stations
    – ARP ACL
    – Private VLANs
83
Q

VLAN Hopping

A

Can occur in two ways:

  • Switch Spoofing - Attacker configures device to work as trunk port. Switch will then trunk all available VLANs to that device
    – Mitigated by switching port to access mode, or setting nonegotiate
  • Double tagging - Second 802.1q tag is added in front of the first
    – Only works with native VLANs
84
Q

IPSEC
– what’s it used for
– what does it provide

A
  • Security protocol used with VPNs
  • Operates at layer 3
  • Provides:
    – Confidentiality
    – Integrity
    – Authentication
    – Anti-replay
85
Q

IPSEC Stages

A
  • Interesting Traffic initiates IPSEC process
  • IKE Phase 1
    – IKE Authenticates Peers
    – Negotiates security association (SA) policy
    – Perform authenticated Diffie-Hellman exchange
    – Establishes secure channel
    – Two modes, Main and Aggressive
  • IKE Phase 2
    – Negotiates IPSEC SA parameters
    – SAs periodically renegotiated for security
    – Performs DH exchange if perfect forward secrecy is desired
    – Security protocol is selected (Authentication Header or Encapsulation Security Payload)
  • Data Transfer - Data transferred between IPSEC peers
  • IPSEC Tunnel Termination - IPSEC SAs terminate through deletion or timeout
86
Q

IP Payload Compression Protocol (IPComp)

A

Reduces amount of data sent in IPSEC

87
Q

IPSEC “Interesting Traffic”

A
  • Determined as part of security policy
  • Access lists used to determine interesting traffic in Cisco routers and PIX firewalls
88
Q

Items shared in IPSEC IKE Phase 1

A
  • Encryption algorithms (DES, 3DES, AES)
  • Authentication Algorithms (MD5, SHA)
  • Diffie-Hellman Group
  • Preshared key or RSA/DSA certs
89
Q

Authentication Header (AH) Protocol

A
  • Allows verification of authenticity and integrity of content as well as origin of packet
    – Only does source authentication and content integrity
90
Q

Encapsulating Security Payload (ESP)

A
  • Encrypts entire IP packet and allows for authenticating its content
  • Ensures privacy (encryption), source authentication, and content integrity (authentication)
91
Q

IPSEC Modes
- two modes

A
  • Tunnel - Encrypts both payload and header and appends new header
  • Transport - Encrypts only payload and leaves header unencrypted
92
Q

NAT IP Address names

A
  • Inside Local - Local network, private IP
  • Inside Global - Local Network, public IP
  • Outside Global - Other network, public IP
  • Outside Local - Other network, private IP
93
Q

NAT Types

A
  • Static NAT
    – One to One mapping of private IP to public IP
    – Useful when device needs to be accessible from the internet
  • Dynamic NAT
    – Mapping of private IP address to a public IP from a group of public IPs (NAT pool)
  • PAT (overloaded NAT)
    – Map multiple private IP addresses to single public IP (most common today)
94
Q

Major Wireless Topologies

A
  • WPAN (personal area network)
    – 802.15.1 (bluetooth)
    – 20-30 ft
  • WLAN
    – 802.11 (wifi)
    – up to 300 ft
  • WMAN (metropolitan area network)
    – 802.16 (wi-max)
    – up to 30 miles
  • WWAN (wide area network)
    – Mobile networks (CDMA/LTE)
    – Worldwide coverage
95
Q

WLAN components

A
  • Access Point
    – RF Transceiver
    – Processor/software
    – Antennas
  • User device w/ NIC
  • Router
  • Repeater (optional)
96
Q

WLAN operating modes
– 2 modes

A
  • Infrastructure Mode
    – Clients communicate through access point
  • Ad hoc mode
    – Clients communicate directly with one another (peer to peer)
97
Q

Infrastructure Access Point Modes
– 4 modes

A
  • Root
    – Default mode
    – Each AP wired into LAN
  • Bridge
    – AP connects two or more physically separate network segments
    – Multi-point or point to point
    – Only one root bridge, all non-root bridges must pass traffic through root
  • Repeater
    – Re-broadcasts data to extend range of network
  • Scanner
    – Scans nearby wireless signals
    – Used for wireless IDS, Troubleshooting, and wi-fi setup
98
Q

802.11 Network Architecture
– 3 Types

A
  • Basic Service Set (BSS)
    – One AP, one or more clients
    – Most common
    – Uses BSSID – 48 bits, MAC of BSS AP
    – Network advertised with SSID
  • Extended Service Set (ESS)
    – Connects two or more BSS together
    – Uses common SSID to allow roaming between APs (ESSID)
  • Independent Basic Service Set (IBSS)
    – Ad hoc or peer-to-peer mode
    – No AP, only clients
    – Not an infrastructure mode
    – Only one client may transmit at a time, and all must be on same frequency
99
Q

Wireless Residential Devices

A
  • AP and router (one device)
  • Cable modem/DSL (may be included in AP)
  • Easy to configure
  • Commonly referred to as SOHO devices
100
Q

Beacon Frame

A

Information sent by WAPs containing SSID, data rates, etc.

101
Q

Probes (802.11 term)

A
  • Client looking for SSID
  • Directed probe requests will always trigger a response including properly configured SSID, making disabling SSID broadcast very weak security
102
Q

Hidden Node Problem

A

If two nodes A and B are physically blocked from one another’s radiation patterns, and both start transmitting to node C simultaneously, their signals will collide; neither node can detect the collision, and the transmitted signals become corrupted

103
Q

MAC filtering (Wireless security)

A

Can easily be bypassed with MAC spoofing

104
Q

WEP

A
  • Wired Equivalent Privacy
  • Encrypts all data in the frame including headers
  • Very weak
  • Uses RC4 encryption
  • Does not protect against forgery or replay attacks
105
Q

WPA1

A
  • Replaced WEP
  • Utilizes TKIP (Temporal Key Integrity Protocol)
    – Based on RC4
    – Each packet has unique encryption key
    – Includes Message Integrity Check and Rekeying mechanism
    – Considered obsolete
106
Q

WPA2

A
  • Replaced WPA1
  • Uses Cipher Block Chaining Message Authentication Code Mode Protocol (CCMP)
    – Uses AES encryption
  • Supports TKIP for backwards compatibility
  • 802.11i
  • Two types
    – Personal - Pre shared key, SOHO use
    – Enterprise - Authentication server, for enterprise use; 802.1X standard
107
Q

WPA3

A
  • Released Jan 2018
  • Individual devices will not share encryption key w/ other devices
  • Up to 192 bit encryption if needed
  • Setup mode for IOT and no screen devices
  • Must be connected to de-authenticate
108
Q

SSL VPN

A
  • Does not require installation and config of client software (unlike IPSEC VPN)
  • User connects to SSL VPN via web browser
  • SSL VPN server is encrypted with SSL or TLS
109
Q

Collapsed Core network model

A

First two layers of Cisco Hierarchy (Access and distribution)

Used for smaller networks not requiring the core to be a separate level