Ch4: Securing Your Network

Question 1

HIDS

Answer 1

Host-based intrusion detection system can monitor all traffic on a single host system to detect malicious activity

Question 2

NIDS

Answer 2

Network-based intrusion detection system is installed on network devices such as routers or firewalls to monitor network traffic and detect network-based attacks. Cannot monitor encrypted traffic or traffic on individual hosts

Question 3

TCP handshake sequence

Answer 3

SYN, SYN/ACK, ACK

Question 4

SYN flood attack

Answer 4

Attacker sends multiple SYN packets but never completes the handshake with an ACK

Question 5

Signature-based detection (IDSs)

Answer 5

Identifies issues based on known attacks or vulnerabilities and can detect known anomalies

Question 6

Heuristic/Behavioral-based detection (IDSs)

Answer 6

Can detect unknown anomalies by starting with a performance baseline of normal behavior and comparing network traffic against it to detect abnormal behavior

Question 7

False positive

Answer 7

Indicates an attack is occurring when no attack is active (increases admins workload)

Question 8

False negative

Answer 8

System does not detect or report an attack that is actually occurring

Question 9

An IPS can…

Answer 9

detect, react, and prevent attacks. It can actively monitor data streams, detect malicious content, and stop attacks in progress.

Question 10

An IDS can…

Answer 10

monitor and respond to an attack

Question 11

IPS and IDS collect data differently because…

Answer 11

IPS is inline with the traffic - all traffic passes through the IPS (in-band). IDS collects data passively, not inline with the traffic (out-of-band)

Question 12

IPS is what type of control?

Answer 12

Preventive control

Question 13

Honeypot

Answer 13

A “sweet”-looking server that has been left open or unsecured in order to divert attackers from the live network or allow observation of the attacker

Question 14

Honeynet

Answer 14

A group of honeypots within a separate network or zone, but accessible from an organization’s primary network

Question 15

IEEE 802.1x

Answer 15

Port-based authentication protocol that ensures only authorized clients can connect to a network

Question 16

Fat AP

Answer 16

A stand-alone access point that is managed independently

Question 17

Thin AP

Answer 17

A controller-based AP managed by a wireless controller. The controller configures the AP

Question 18

SSID

Answer 18

Service set identifier identifies the name of the wireless network (you should change the name so it’s not ‘Netgear’)

Question 19

SSID Broadcasting

Answer 19

You can disable the SSID broadcast to hide the network from casual users, but it will not be hidden from an attacker with a wireless sniffer (and is not more secure)

Question 20

MAC filtering

Answer 20

Can restrict access to a wireless network to specific clients

Question 21

To bypass MAC filtering…

Answer 21

use a wireless sniffer to discover the allowed MAC addresses, then configure your NIC to have one of the allowed MACs (spoof it)

Question 22

Easy way to limit the range of an AP

Answer 22

Reduce the AP’s power level so people outside the intended area will be out of range

Question 23

WPA

Answer 23

Wi-Fi Protected Access provided an immediate replacement for WEP and originally used TKIP. Later implementations support the stronger AES encryption

Question 24

TKIP

Answer 24

Temporary Key Integrity Protocol is an older encryption protocol used with WPA (deprecated by IEEE due to security issues)

Question 25

WPA2

Answer 25

Permanent replacement for WEP and WPA. Supports CCMP (based on AES) which is much stronger than TKIP

Question 26

CCMP

Answer 26

Cipher Block Chaining Message Authentication Code Protocol

Question 27

PSK

Answer 27

Pre-shared key. Does not provide individual authentication

Question 28

Why does PSK not provide authentication?

Answer 28

Authentication is proving a user's identity by using credentials. PSK is a pre-shared key or password. Simply providing a password with no username provides authorization but no authentication since no user's identity was proven

Question 29

What modes can WPA and WPA2 operate in?

Answer 29

PSK or Enterprise mode (or Open mode)

Question 30

Open mode

Answer 30

No security, allows all users to use the AP

Question 31

Enterprise mode

Answer 31

Provides strong authentication. Uses an 802.1x server

Question 32

EAP

Answer 32

Extensible Authentication Protocol is an authentication framework that provides general guidance for authentication methods

Question 33

EAP-FAST

Answer 33

EAP-Flexible Authentication via Secure Tunneling supports certificates, but they are optional

Question 34

PEAP

Answer 34

Protected EAP encapsulates and encrypts the EAP conversation in a TLS tunnel. PEAP requires a certificate on the server, but not the clients

Question 35

EAP-TTLS

Answer 35

EAP-Tunneled TLS is an extension of PEAP allowing systems to use some older authentication methods (like PAP) within a TLS tunnel. Requires a certificate on the 802.1x server but not the clients

Question 36

EAP-TLS

Answer 36

One of the most secure EAP standards. Requires certificates on the 802.1x server and on each of the wireless clients

Question 37

Disassociation attack

Answer 37

Removes a wireless client from a wireless network, forcing it to reauthenticate

Question 38

WPS

Answer 38

Wi-Fi Protected Setup allows users to configure wireless devices by pressing buttons OR entering an 8-digit PIN

Question 39

WPS attack

Answer 39

Brute forces the 8-digit PIN within hours, then uses it to discover the passphrase

Question 40

Rogue AP

Answer 40

Provides access to unauthorized users and are often used to capture and exfiltrate data

Question 41

Evil twin

Answer 41

Rouge AP using the same SSID as a legitimate AP

Question 42

Bluejacking

Answer 42

Unauthorized sending of text messages to a nearby Bluetooth device

Question 43

Bluesnarfing

Answer 43

Unauthorized access to, or theft of information from, a Bluetooth device

Question 44

Prevent bluejacking and bluesnarfing by

Answer 44

Ensuring devices cannot be paired without manual user intervention

Question 45

Replay attack

Answer 45

Attacker captures data sent between two entities, modifies it, and attempts to impersonate on of the parties by resending the data

Question 46

Prevent network replay attacks by using

Answer 46

WPA2 with CCMP/AES. TKIP is vulnerable to replay attacks

Question 47

RFID attacks

Answer 47

Eavesdropping, replay, and DoS

Question 48

VPN

Answer 48

Virtual private network provides remote access to a private network via a public network.

Question 49

VPN concentrators

Answer 49

Dedicated devices used for VPNs that include all services needed to create a secure VPN supporting many clients

Question 50

IPsec

Answer 50

Internet protocol security is a secure encryption protocol used with VPNs

Question 51

ESP

Answer 51

Encapsulating Security Payload provides confidentiality, integrity, and authentication for VPN traffic

Question 52

IPsec Tunnel Mode

Answer 52

Used for VPN traffic, has protocol ID 50 for ESP

Question 53

IPsec authenticates clients using

Answer 53

IKE (Internet Key Exchange) over port 500

Question 54

Full tunnel

Answer 54

Encrypts all traffic after a user has connected to a VPN

Question 55

Split tunnel

Answer 55

Only encrypts traffic destined for the VPN's private network

Question 56

NAC

Answer 56

Network access control includes methods to inspect clients for health, like having up-to-date AV software. NAC can restrict access of unhealthy clients to a remediation network. NAC can be used for VPN or internal clients

Question 57

NAC agents

Answer 57

Permanent agents are installed on the clients. Dissolvable agents are not installed and are often used to inspect employee-owned mobile devices

Question 58

PAP

Answer 58

Password Authentication Protocol uses a password or PIN, but send the information over a network in plaintext, making it susceptible to sniffing attacks.

Question 59

CHAP

Answer 59

Challenge Handshake Authentication Protocol is more secure than PAP because passwords are not sent over the network in cleartext

Question 60

Centralized authentication services

Answer 60

RADIUS, TACACS+, Diameter

Question 61

TACACS+

Answer 61

Proprietary to Cisco but can be used with Kerberos

Question 62

Diameter

Answer 62

Improvement over RADIUS and supports many additional capabilities like securing transmissions with EAP