Chapter 6 The Basic LAN Flashcards
(117 cards)
1
Q
What is the role of the Physical Layer?
A
It handles the physical transmission of raw data bits over a communication channel.
2
Q
What does the Data Link Layer do?
A
It provides error-free transmission of data frames over a physical link and handles flow control.
3
Q
What is the purpose of the Network Layer?
A
It enables routing and logical addressing, allowing packets to be properly routed across multiple networks.
4
Q
What does the Transport Layer do?
A
It ensures reliable delivery of data by providing error recovery, flow control, and segmentation of data into smaller units.
5
Q
What is the role of the Session Layer?
A
It establishes, manages, and terminates sessions between applications, providing synchronization and checkpointing.
6
Q
What does the Presentation Layer handle?
A
It is responsible for data formatting, encryption, compression, and translation between different data formats.
7
Q
What is the purpose of the Application Layer?
A
It provides network services directly to end-users and applications, such as email, web browsing, and file transfer.
8
Q
What is Address Resolution Protocol (ARP)?
A
ARP is a protocol used to map IP addresses to the MAC addresses of network interfaces.
9
Q
Which layer of the OSI model does ARP operate at?
A
ARP operates at the Data Link Layer (Layer 2) of the OSI model.
10
Q
What is the purpose of ARP?
A
ARP allows devices on a local area network (LAN) to discover and communicate with each other using MAC addresses.
11
Q
What is a MAC address?
A
A MAC address, also known as a physical address, is a unique 48-bit hexadecimal identifier assigned to network interfaces.
12
Q
What type of networks does ARP apply to?
A
ARP applies to local area networks (LANs) where devices communicate using MAC addresses.
13
Q
What information does an ARP packet contain?
A
An ARP packet includes the source MAC address, source IP address, destination MAC address, and destination IP address.
14
Q
How does ARP work?
A
When a device wants to communicate with another device on the same LAN, it sends an ARP request to discover the MAC address associated with a given IP address. The destination device replies with an ARP response containing its MAC address.
15
Q
What is ARP cache poisoning?
A
ARP cache poisoning, also known as an ARP spoofing attack, is a type of man-in-the-middle attack where an attacker alters the ARP cache of a device to redirect network traffic through their system.
16
Q
How can ARP cache poisoning be mitigated?
A
Mitigation measures include using static ARP cache entries, implementing network access controls, employing multifactor authentication, and applying conditional access policies.
17
Q
Which layer of the OSI model is responsible for MAC addresses?
A
MAC addresses are handled at the Data Link Layer (Layer 2) of the OSI model.
18
Q
What is a Layer 2 attack?
A
A Layer 2 attack refers to attacks that exploit vulnerabilities in the Data Link Layer (Layer 2) of the OSI model, specifically related to MAC addresses.
19
Q
What is a MAC address flooding attack?
A
A MAC address flooding attack involves sending a flood of forged packets with spoofed MAC addresses to overwhelm a switch, causing it to behave like a hub and broadcast all traffic to every switch port.
20
Q
What is a broadcast storm?
A
A broadcast storm, also known as a switching loop, is a situation where excessive amounts of network traffic flood the network, usually caused by faulty switches, failing network cards, or redundant network links.
21
Q
How can MAC address flooding attacks be mitigated?
A
Mitigation measures for MAC address flooding attacks include limiting network access through MAC address filtering, using static MAC address assignments, and disabling unused switch ports.
22
Q
How can broadcast storms be mitigated?
A
Broadcast storms can be mitigated by implementing Spanning Tree Protocol (STP) to prevent switching loops, enabling features like Bridge Protocol Data Unit Guard (BPDU Guard), and ensuring proper network configuration.
23
Q
What are the security risks associated with Layer 2 attacks?
A
Layer 2 attacks can expose sensitive network traffic, compromise network integrity, and disrupt network operations, posing significant security risks to an organization.
24
Q
What is MAC address filtering?
A
MAC address filtering is a security measure that allows only specific MAC addresses to access the network, limiting unauthorized devices from connecting.
25
What is Spanning Tree Protocol (STP)?
Spanning Tree Protocol (STP) is a network protocol that prevents switching loops and ensures a loop-free topology by dynamically managing redundant network paths.
26
What is Bridge Protocol Data Unit Guard (BPDU Guard)?
BPDU Guard is a feature that prevents unauthorized switches from being connected to a network, protecting against potential switching loops and network disruptions.
27
What is the importance of network access controls and proper network configuration?
Network access controls and proper network configuration help prevent unauthorized access, mitigate Layer 2 attacks, and maintain network security and stability.
28
What is the concept of zero trust in IT security?
Zero trust refers to the approach of not automatically trusting anyone or anything, including insiders, and implementing strict security measures to protect the network.
29
What are insider threats?
Insider threats refer to security risks posed by individuals within an organization who have authorized access to the network and may intentionally or unintentionally compromise its security.
30
How can insider threats be mitigated?
Mitigation measures for insider threats include providing security awareness training to employees, implementing intrusion detection and prevention systems, and monitoring for suspicious activities.
31
Why is having a network diagram important for network security?
A network diagram provides an overview of the network infrastructure, enabling effective incident response, troubleshooting, and security management.
32
What are some best practices for network planning and preparation?
Best practices for network planning include using standardized naming conventions for devices, implementing VLANs for network segmentation, configuring screened subnets for publicly reachable services, and enforcing strict firewall rules.
33
What is a VLAN (Virtual Local Area Network)?
A VLAN is a virtual network created within a physical network infrastructure that allows for network segmentation, isolation, and improved security by separating devices into different logical networks.
34
What is a screened subnet?
A screened subnet, also known as a demilitarized zone (DMZ), is a separate network segment where publicly accessible services are placed, with strict firewall rules to control traffic between the DMZ and the internal network.
35
How does zero trust apply to network security?
Zero trust principles emphasize the need for continuous authentication, authorization, and verification of all devices and users accessing the network, regardless of their location or insider status.
36
Why are standardized naming conventions and IP address schemes important for network security?
Standardized naming conventions and IP address schemes improve network manageability, troubleshooting, and security incident response by providing consistency and easy identification of devices and their roles.
37
What is the role of firewalls in network security?
Firewalls act as a barrier between networks, enforcing security policies and controlling traffic flow to protect against unauthorized access and potential threats from the internet or other networks.
38
What is load balancing in the context of app availability?
Load balancing refers to distributing client traffic across multiple backend servers running the same app, improving performance and increasing availability
39
How does a load balancer work?
Clients connect to the load balancer, which selects the least busy backend server from a pool to handle the client's request, ensuring even distribution of workload and providing redundancy.
40
What is auto scaling in a load balancing configuration?
Auto scaling allows the load balancer to dynamically add or remove backend servers based on the demand for incoming client requests, optimizing resource utilization and scaling the environment horizontally.
41
What is session persistence in load balancing?
Session persistence, also known as sticky sessions, ensures that a client remains connected to the same backend server for the duration of a session, maintaining session-related data and providing a consistent experience.
42
What are the different scheduling methods in load balancing?
The scheduling methods include Round-Robin (requests are sent sequentially to backend servers), Least Connection (requests are sent to the least busy server), and Weighted (servers are assigned relative weights to distribute traffic).
43
What is an active-active load balancing configuration?
An active-active configuration refers to multiple backend servers being actively available simultaneously, handling client requests in parallel, without any servers being in standby mode.
44
What is an active-passive load balancing configuration?
An active-passive configuration involves one active backend server handling client requests, while the standby servers remain idle until the active server becomes unresponsive or overwhelmed, at which point a standby server takes over.
45
How can load balancing improve app availability?
Load balancing enhances availability by distributing client traffic across multiple servers, providing redundancy and failover capabilities in case of server failures or high traffic loads.
46
What are the considerations for load balancer configuration?
Factors to consider include the type of load balancer (hardware or software-based), the application's specific needs, session persistence requirements, scheduling methods, and the ability to scale horizontally or vertically.
47
How does load balancing contribute to the CIA security triad?
Load balancing improves availability by ensuring that apps are accessible and responsive to client requests, contributing to the "A" (availability) aspect of the CIA security triad.
48
What is network access control (NAC)?
Network access control is a security solution that enforces policies to control and manage device access to a network, considering factors such as device type, location, firewall status, and anti-malware tools.
49
How does IEEE 802.1X contribute to network access control?
IEEE 802.1X is a port-based network access control protocol that enables authentication of devices connecting to network switches, VPN concentrators, or wireless routers, helping to enforce access control policies.
50
What is the purpose of DHCP (Dynamic Host Configuration Protocol)?
DHCP automatically assigns unique IP addresses and network configuration parameters to devices connecting to a network, eliminating the need for manual configuration. However, it can be exploited by malicious users to distribute false information.
51
How can DHCP snooping mitigate rogue DHCP server attacks?
DHCP snooping is a network switch feature that allows the switch to only trust DHCP traffic from known, trusted DHCP servers. It helps prevent unauthorized DHCP servers from distributing false configuration information on the network.
52
What is the concept of a jump server (or jump box)?
A jump server is a secure intermediary server with both a public interface for remote administration and a private interface to connect to internal servers with private IP addresses. It provides a secure access point to manage internal servers without exposing them directly to the public internet.
53
How can network access control solutions improve network security?
Network access control solutions enforce access policies, restrict unauthorized access, and prevent attacks like rogue DHCP servers. They provide visibility and control over network devices, enhancing network security and reducing the risk of unauthorized access or malicious activity.
54
What factors can be considered in a network access control policy?
A network access control policy can consider device type, operating system, device location, firewall status, anti-malware tools, and other parameters to determine whether to allow or deny network access to a device.
55
What is the significance of multilayered security in network access control?
Multilayered security combines different security measures, such as device authentication, firewall rules, and anti-malware tools, to provide a comprehensive defense against unauthorized access and mitigate potential threats in the network.
56
What are the benefits of using IEEE 802.1X in network access control?
IEEE 802.1X provides strong device authentication and port-based access control, ensuring that only authorized devices can connect to the network. It enhances network security by preventing unauthorized access and protecting against rogue devices.
57
How does DHCP snooping contribute to network security?
DHCP snooping helps prevent rogue DHCP server attacks by allowing network switches to validate and filter DHCP traffic. It ensures that DHCP configuration information comes from trusted sources, reducing the risk of unauthorized or malicious network configuration.
58
What is a honeypot?
A honeypot is a decoy or fake system intentionally made to appear vulnerable to attract malicious activity. It allows for tracking and analysis of malicious user behavior, including their methods of attack and potential compromise.
59
How should a honeypot be deployed to ensure security?
A honeypot should be set up in a sandbox environment, such as a virtual machine, that is isolated from production networks and real servers. This prevents the risk of compromising critical systems and ensures the honeypot can be closely monitored.
60
What can be learned from a honeypot?
By analyzing a honeypot, one can gather statistics and telemetry on malicious user activity, including brute force password attempts, unauthorized access, installation of backdoors, and attempts at lateral movement within a network.
61
Why is centralized log forwarding important for honeypots?
Centralized log forwarding ensures that honeypot logs are securely stored in a separate location, even if an attacker compromises the honeypot and attempts to erase logs. It provides a backup of the captured data for analysis and investigation.
62
What is a honey file?
A honey file is an individual file designed to appear enticing to an attacker. It is monitored using trigger alarms and file integrity monitoring to track any activity related to the file, such as unauthorized access, modifications, or deletion.
63
What is a honeynet?
A honeynet is a collection of honeypots deployed on a network. It allows for the monitoring and analysis of malicious activity across multiple decoy systems, providing a broader understanding of attacker techniques and behaviors.
64
How can a honeypot be configured to mimic different systems?
Honeypots can be configured to emulate various systems, such as different versions of Windows servers, Linux servers, UNIX hosts, or even industrial control equipment. This enhances the realism and attractability of the honeypot to potential attackers.
65
Why should honeypot logs be stored externally?
Storing honeypot logs externally ensures their integrity and availability even if the honeypot itself is compromised or tampered with. It enables detailed analysis and forensic investigations without the risk of losing valuable data.
66
How can honeypots be used to enhance network security?
Honeypots provide insights into attacker tactics, techniques, and procedures (TTPs), allowing organizations to strengthen their defenses, identify vulnerabilities, and develop effective countermeasures to protect their production networks.
67
What are some considerations for deploying a honeypot securely?
Deploy honeypots in isolated environments, use centralized log forwarding, maintain backups of honeypot logs, monitor and analyze captured data, and ensure proper permissions and access controls are in place to protect the honeypot and its surrounding systems.
68
What is a firewall?
A firewall is a security device or software that controls and monitors network traffic based on predetermined rules. It acts as a barrier between trusted and untrusted networks, allowing or denying traffic based on defined access control policies.
69
What are the different forms of firewalls?
Firewalls can be hardware appliances, physical devices connected to a network, or virtual machine appliances acting as firewalls. They can also be host-based firewalls, such as Windows Defender, that run on individual devices.
70
What are access control lists (ACLs) in the context of firewalls?
Access control lists (ACLs) are rules configured within a firewall to allow or deny network traffic. They define criteria based on factors such as IP addresses, port numbers, and protocols to determine how traffic is handled.
71
What is a packet filtering firewall?
A packet filtering firewall operates at the network layer (layer 3) or transport layer (layer 4) of the OSI model. It examines packets based on factors like IP addresses, port numbers, and protocol types (TCP, UDP, ICMP) to allow or deny traffic.
72
What is the difference between a stateful and stateless packet filtering firewall?
A stateful packet filtering firewall not only analyzes individual packets but also tracks entire sessions. It maintains information about established connections, enabling more sophisticated filtering based on the context of a session. In contrast, a stateless firewall examines each packet independently without session awareness.
73
What are some criteria used in configuring packet filtering firewall rules?
Packet filtering firewall rules can be based on source and destination IP addresses, source and destination port numbers, protocol types (TCP, UDP, ICMP), and even MAC addresses (layer 2).
74
What is a network security group (NSG)?
A network security group (NSG) is a collection of firewall rules that can be associated with virtual machine interfaces or entire subnets in cloud environments. It enables the configuration of inbound and outbound traffic rules to control network access.
75
What is an application layer (Layer 7) firewall?
An application layer firewall operates at Layer 7 of the OSI model, focusing on application-specific protocols like HTTP. It can analyze packet payloads, HTTP details, URLs, and more to provide granular control and protection against web application attacks.
76
What are some common web application attacks protected by a web application firewall (WAF)?
A web application firewall (WAF) protects against common web application attacks such as cross-site scripting (XSS), cryptographic downgrade attacks, directory traversal, SQL injection, and more. It helps prevent unauthorized access, data breaches, and other malicious activities.
77
Why is it important to understand the OSI model when configuring and discussing firewalls?
The OSI model provides a framework for understanding the different layers of network communication. Understanding the OSI model helps in determining which layer a specific firewall operates on, what factors it can analyze, and what types of attacks it can mitigate.
78
What is a proxy server?
A proxy server acts as an intermediary between client devices and the internet. It can be used to fetch content on behalf of internal users (forward proxy) or protect and route incoming connections to internal servers (reverse proxy).
79
What is a forward proxy?
A forward proxy sits between internal users and the internet, fetching requested content on their behalf. It hides the IP addresses of internal clients and can be configured as a transparent proxy, where clients point to the proxy server as their default gateway.
80
What is a transparent proxy configuration?
A transparent proxy configuration involves setting the proxy server as the default gateway for internal clients, eliminating the need for individual client configurations. It simplifies the setup but requires proper network routing and configuration.
81
What is caching in the context of a forward proxy?
Caching is a feature of forward proxies where the proxy server stores fetched internet content. This allows subsequent requests for the same content to be served locally by the proxy server, improving response times.
82
What is a reverse proxy?
A reverse proxy protects servers by acting as an intermediary between external internet clients and internal servers. It forwards external requests to the appropriate internal server based on the public IP address and port configured on the reverse proxy.
83
How does a reverse proxy enhance security?
A reverse proxy hides the true identity and location of internal servers by mapping external requests to internal IP addresses and ports. It helps protect servers from direct exposure to the internet and can provide additional security features such as SSL/TLS termination and load balancing.
84
What is load balancing in the context of a reverse proxy?
Load balancing is a feature often found in reverse proxies. It distributes incoming requests across multiple internal servers, improving performance, scalability, and availability of services.
85
What is SSL/TLS offloading or termination?
SSL/TLS offloading or termination is a feature of reverse proxies where the proxy server handles the encryption and decryption of SSL/TLS traffic on behalf of backend servers. This relieves the backend servers from the processing burden, allowing them to focus on other tasks.
86
What are some additional security components that can be included in a reverse proxy?
Reverse proxies can include additional security components such as access control, authentication, and application-level security features like web application firewalls (WAFs). These components enhance the security of the protected services.
87
What is the key difference between a forward proxy and a reverse proxy?
A forward proxy sits between internal users and the internet, fetching content on their behalf. A reverse proxy sits between external internet clients and internal servers, forwarding requests to the appropriate server and protecting the servers from direct exposure to the internet.
88
What is Port Address Translation (PAT)?
Port Address Translation (PAT) is a method of network address translation that allows multiple internal devices to access the internet using a single public IP address. It maps each internal device's private IP address to a unique port number on the public IP address.
89
How does PAT differ from a forward proxy?
PAT operates at layer 4 of the OSI model and does not require authentication or caching. It allows internal clients to access the internet using a single public IP address. A forward proxy operates at layer 7 and can require authentication, perform caching, and act as an intermediary between internal clients and the internet.
90
What is Network Address Translation (NAT)?
Network Address Translation (NAT) is a method of translating IP addresses and port numbers between internal and external networks. It is commonly used to allow internet clients to access internal services by mapping a public IP address and port to an internal private IP address and port.
91
How does a reverse proxy differ from NAT?
A reverse proxy operates at layer 7 and is used to protect internal services by acting as an intermediary between external clients and internal servers. It hides the internal IP addresses of servers and allows connections to be made using a public IP address and port. NAT operates at layer 4 and translates IP addresses and port numbers between internal and external networks.
92
What is the purpose of Port Address Translation (PAT)?
The purpose of PAT is to allow multiple internal devices to access the internet using a single public IP address. It provides a way to hide the true identities of internal clients and conserve public IP addresses.
93
What is the purpose of Network Address Translation (NAT)?
The purpose of NAT is to allow internet clients to access internal services by translating the IP addresses and port numbers between the internal and external networks. It provides a way to hide the internal IP addresses of servers and allows connections to be made using a public IP address and port.
94
How does a PAT router maintain translation tables?
A PAT router maintains translation tables in its memory. These tables map each internal device's private IP address and port number to the shared public IP address and a unique port number. This allows the router to track and manage multiple client sessions using a single public IP address.
95
How does a NAT device perform IP and port mapping?
A NAT device maps a public IP address and port to an internal private IP address and port. It maintains translation tables to associate external client connections with the corresponding internal server addresses. This enables external clients to connect to internal services using the public IP address and port.
96
What is the role of a reverse proxy in network security?
A reverse proxy enhances network security by hiding the internal IP addresses of servers and acting as a protective barrier between external clients and internal services. It can perform authentication, SSL/TLS termination, load balancing, and other security functions to protect the internal servers from direct exposure to the internet.
97
What are the key differences between PAT and NAT?
PAT operates at layer 4 and allows multiple internal devices to access the internet using a single public IP address. NAT operates at layer 3 and translates IP addresses and port numbers between internal and external networks. PAT is used for outbound connections, while NAT is used for both inbound and outbound connections.
98
What is a Virtual Private Network (VPN)?
A VPN is a secure communication tunnel that allows for encrypted traffic over an untrusted network. It provides a point-to-point encryption tunnel through which traffic can be transmitted securely.
99
How does a VPN provide security?
A VPN encrypts the traffic that passes through it, protecting it from unauthorized access or interception. It allows for secure communication over an untrusted network, such as the internet.
100
What are the authentication methods used in VPNs?
VPN authentication can be done using various methods, including username and password, multifactor authentication, smart cards with PINs, device certificates, or hardware/software tokens. Multifactor authentication is recommended for enhanced security.
101
What are the two main types of VPN tunneling protocols?
The two main types of VPN tunneling protocols are Layer 2 Tunneling Protocol (L2TP) and Secure Socket Layer/Transport Layer Security (SSL/TLS). L2TP operates at layer 2 of the OSI model and is often used with IPsec for encryption. SSL/TLS VPNs use the HTTPS port (port 443) and are firewall-friendly.
102
How does an Always-On VPN configuration benefit sysadmins?
An Always-On VPN configuration allows devices to establish a VPN connection automatically upon startup, providing centralized control for sysadmins to apply updates and patches to remote devices. It simplifies the management of remote devices and ensures their connection to the VPN.
103
What is split tunneling in VPNs?
Split tunneling is an option in VPN configurations that allows users to access both the internet and internal resources simultaneously. When split tunneling is enabled, internet traffic goes through the user's local internet connection, while internal resource access goes through the VPN tunnel.
104
What is a client-to-site VPN?
A client-to-site VPN is a type of VPN where individual client devices establish an encrypted tunnel to a remote network. It enables remote users to access resources on the remote network securely. Client devices require VPN client software for establishing the connection.
105
What is a site-to-site VPN?
A site-to-site VPN is a type of VPN that connects two or more networks (typically branch offices) over the internet securely. Each site has a VPN appliance, and the VPN tunnel is established between these appliances. Client devices do not require VPN client software in a site-to-site VPN.
106
What are the benefits of a site-to-site VPN?
Site-to-site VPNs provide secure connectivity between remote networks, allowing for seamless communication and resource sharing. They eliminate the need for individual client VPN configurations and ensure the privacy and integrity of data transmitted between sites.
107
What are the key features of VPNs?
VPNs provide secure communication over untrusted networks, encrypt traffic, authenticate users, establish encrypted tunnels, and protect data privacy and integrity. They enable remote access to networks and secure communication between sites or individuals.
108
What are intrusion detection systems (IDS) and intrusion prevention system (IPS) sensors?
IDS and IPS sensors are appliances or software configurations that monitor network and host activity for suspicious behavior. IDS detects and alerts, while IPS can take action to prevent or stop suspicious activity.
109
Why is network placement crucial for IDS/IPS sensors?
Proper network placement ensures that IDS/IPS sensors can capture and analyze all network traffic effectively. In a switched environment, the switch port needs to be configured to forward or copy all traffic to the sensor to ensure comprehensive monitoring.
110
What is an inline sensor in the context of IDS/IPS?
An inline sensor refers to an IDS/IPS sensor placed on the network where it receives all traffic and can actively monitor and analyze it. It allows for real-time detection and prevention of suspicious activity.
111
How does encryption impact network intrusion detection?
Encrypted traffic can pose challenges for network intrusion detection as it cannot be analyzed in its encrypted form. IDS configurations often require decryption keys to decrypt and analyze encrypted traffic, but this can impact performance due to the additional processing overhead.
112
What is signature-based intrusion detection?
Signature-based intrusion detection involves looking for known patterns of malicious behavior. It relies on predefined signatures or patterns of known attacks or anomalies to identify and alert on suspicious network or host activity.
113
What is unified threat management (UTM)?
Unified Threat Management (UTM) refers to network security devices or appliances that offer multiple security functionalities in a single solution. These functionalities may include firewall, content filtering, intrusion detection/prevention, VPN, antivirus, spam filtering, and more.
114
How can IDS/IPS sensors report alerts?
IDS/IPS sensors can generate alerts that can be sent to administrators via email, text messages, or integrated with centralized security information and event monitoring (SIEM) systems. Centralized reporting allows for efficient monitoring and management of alerts.
115
How can IDS/IPS sensors be configured using open-source software like Snort?
Snort is an open-source intrusion detection and prevention system. It can be installed on Linux or Windows machines. Snort uses rule-based configurations, where custom rules can be defined to detect specific network traffic patterns or behavior. The sensor can generate alerts when those patterns are detected.
116
What is the importance of testing IDS/IPS configurations?
Testing IDS/IPS configurations helps ensure their effectiveness and identifies any configuration errors or issues. By simulating various network activities or attacks, administrators can verify if alerts are generated appropriately and fine-tune the configurations as needed.
117
What is the role of IDS/IPS in an organization's security posture?
IDS/IPS plays a crucial role in detecting and preventing unauthorized activities on the network. By continuously monitoring network and host activity, IDS/IPS sensors help identify potential threats and security incidents, allowing organizations to take proactive measures to protect their systems and data.
