CHAPTER 6_Telecommunications and Network Security Flashcards Preview

Flashcards in CHAPTER 6_Telecommunications and Network Security Deck (500):
1

Guaranteed service

Ensures specific data throughput at a guaranteed speed. Time-sensitive traffic (voice and video) is assigned this classification.

2

Point-to-point protocol (PPP)

Point-to-point protocol (PPP) is similar to HDLC in that it is a data link protocol that carries out framing and encapsulation for point-to-point connections. A point-to-point connection means there is one connection between one device (point) and another device (point). If the systems on your LAN use the Ethernet protocol, what happens when a system needs to communicate to a server at your ISP for Internet connectivity? This is not an Ethernet connection, so how do the systems know how to communicate with each other if they cannot use Ethernet as their data link protocol? They use a data link protocol they do understand. Telecommunication devices commonly use PPP as their data link protocol.

3

Bootstrap Protocol (BOOTP)

The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP provides for diskless workstations. The diskless workstation can receive its IP address, the name server address for future name resolutions, and the default gateway address from the BOOTP server. BOOTP usually provides more functionality to diskless workstations than does RARP.

4

Digging Deeper into SIP

As stated earlier, SIP is a signaling protocol widely used for VoIP communications sessions. It is used in applications such as video conferencing, multimedia, instant messaging, and online gaming. It is analogous to the SS7 protocol used in PSTN networks and supports features present in traditional telephony systems.

5

Attenuation

Gradual loss in intensity of any kind of flux through a medium. As an electrical signal travels down a cable, the signal can degrade and distort or corrupt the data it is carrying.

6

Unshielded twisted pair

Cabling in which copper wires are twisted together for the purposes of canceling out EMI from external sources. UTP cables are found in many Ethernet networks and telephone systems.

7

Instant messaging spam (SPIM)

Instant messaging spam (SPIM) is a type of spamming that uses instant messengers for this malicious act. Although this kind of spamming is not as common as e-mail spamming, it is certainly increasing over time. The fact that firewalls are unable to block SPIM has made it more attractive for spammers. One way to prevent SPIM is to enable the option of receiving instant messages only from a known list of users.

8

Single mode

Single-mode fibers have a small glass core and are used for high-speed data transmission over long distances. They are less susceptible to attenuation than multimode fibers.

9

FHSS vs. DSSS

FHSS uses only a portion of the total bandwidth available at any one time, while the DSSS technology uses all of the available bandwidth continuously. DSSS spreads the signals over a wider frequency band, whereas FHSS uses a narrow band carrier.

10

Internet Message Access Protocol (IMAP)

Internet Message Access Protocol (IMAP) is also an Internet protocol that enables users to access mail on a mail server. IMAP provides all the functionalities of POP, but has more capabilities. If a user is using POP, when he accesses his mail server to see if he has received any new messages, all messages are automatically downloaded to his computer. Once the messages are downloaded from the POP server, they are usually deleted from that server, depending upon the configuration. POP can cause frustration for mobile users because the messages are automatically pushed down to their computer or device and they may not have the necessary space to hold all the messages. This is especially true for mobile devices that can be used to access e-mail servers. This is also inconvenient for people checking their mail on other people’s computers. If Christina checks her e-mail on Jessica’s computer, all of Christina’s new mail could be downloaded to Jessica’s computer.

11

Media Access Technologies

The physical topology of a network is the lower layer, or foundation, of a network. It determines what type of media will be used and how the media will be connected between different systems. Media access technologies deal with how these systems communicate over this media and are usually represented in protocols, NIC drivers, and interfaces. LAN access technologies set up the rules of how computers will communicate on a network, how errors are handled, the maximum transmission unit (MTU) size of frames, and much more. These rules enable all computers and devices to communicate and recover from problems, and enable users to be productive in accomplishing their networking tasks. Each participating entity needs to know how to communicate properly so all other systems will understand the transmissions, instructions, and requests. This is taken care of by the LAN media access technology.

12

User Agent Server (UAS)

SIP consists of two major components: the User Agent Client (UAC) and User Agent Server (UAS). The UAC is the application that creates the SIP requests for initiating a communication session. UACs are generally messaging tools and soft-phone applications that are used to place VoIP calls. The UAS is the SIP server, which is responsible for handling all routing and signaling involved in VoIP calls.

13

Interior Gateway Routing Protocol

IGRP is a distance-vector routing protocol that was developed by, and is proprietary to, Cisco Systems. Whereas RIP uses one criterion to find the best path between the source and destination, IGRP uses five criteria to make a "best route" decision. A network administrator can set weights on these different metrics so that the protocol works best in that specific environment.

14

Light sources

Convert an electrical signal into a light signal.

15

DHCPACK message

The DHCP Acknowledge message is sent by the DHCP server to the DHCP client and is the process whereby the DHCP server assigns the IP address lease to the DHCP client.

16

IP next generation (IPng)

IPv6, also called IP next generation (IPng), not only has a larger address space than IPv4 to support more IP addresses; it has some capabilities that IPv4 does not and it accomplishes some of the same tasks differently. All of the specifics of the new functions within IPv6 are beyond the scope of this book, but we will look at a few of them, because IPv6 is the way of the future. IPv6 allows for scoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example. IPv6 has Internet Protocol Security (IPSec) integrated into the protocol stack, which provides end-to-end secure transmission and authentication. IPv6 has more flexibility and routing capabilities and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions. The protocol offers autoconfiguration, which makes administration much easier, and it does not require network address translation (NAT) to extend its address space.

17

LAN and WAN Protocols

Communication error rates are lower in LAN environments than in WAN environments, which makes sense when you compare the complexity of each environment. WAN traffic may have to travel hundreds or thousands of miles and pass through several different types of devices, cables, and protocols. Because of this difference, most LAN MAC protocols are connectionless and most WAN communication protocols are connection oriented. Connection-oriented protocols provide reliable transmission because they have the capability of error detection and correction.

18

Time-division multiplexing (TDM)

A type of multiplexing in which two or more bit streams or signals are transferred apparently simultaneously as subchannels in one communication channel, but are physically taking turns on the single channel.

19

11. Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers?

  A. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks.

  B. The access layer connects the customer’s equipment to a service provider’s core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network.

  C. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers.

  D. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

11. D. The access layer connects the customer’s equipment to a service provider’s aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

20

Asynchronous Transfer Mode (ATM)

The next evolutionary step in telecommunications history is Asynchronous Transfer Mode (ATM). ATM encapsulates data in fixed cells and can be used to deliver data over a SONET network. The analogy of a highway and cars is used to describe the SONET and ATM relationship. SONET is the highway that provides the foundation (or network) for the cars—the ATM packets—to travel on.

21

Post Office Protocol (POP)

Post Office Protocol (POP) is an Internet mail server protocol that supports incoming and outgoing messages. A mail server that uses the POP protocol, apart from storing and forwarding e-mail messages, works with SMTP to move messages between mail servers.

22

The industry had to come up with other ways to allow millions of users to be able to use this finite resource (frequency range) in a flexible manner. Over time, mobile wireless has been made up of progressively more complex and more powerful "multiple access" technologies, listed here:

  • Frequency division multiple access (FDMA)
  • Time division multiple access (TDMA)
  • Code division multiple access (CDMA)
  • Orthogonal frequency division multiple access (OFDMA)

23

17. What takes place at the session layer?

  A. Dialog control

  B. Routing

  C. Packet sequencing

  D. Addressing

17. A. The session layer is responsible for controlling how applications communicate, not how computers communicate. Not all applications use protocols that work at the session layer, so this layer is not always used in networking functions. A session layer protocol will set up the connection to the other application logically and control the dialog going back and forth. Session layer protocols allow applications to keep track of the dialog.

24

Virtual firewall

A firewall that runs within a virtualized environment and monitors and controls traffic as it passes through virtual machines. The firewall can be a traditional firewall running within a guest virtual machine or a component of a hypervisor.

25

Dual-homed

Dual-homed refers to a device that has two interfaces: one facing the external network and the other facing the internal network. If firewall software is installed on a dual-homed device, and it usually is, the underlying operating system should have packet forwarding and routing turned off for security reasons. If they are enabled, the computer may not apply the necessary ACLs, rules, or other restrictions required of a firewall. When a packet comes to the external NIC from an un-trusted network on a dual-homed firewall and the operating system has forwarding enabled, the operating system will forward the traffic instead of passing it up to the firewall software for inspection.

26

14. Which of the following protocols work in the following layers: application, data link, network, and transport?

  A. FTP, ARP, TCP, and UDP

  B. FTP, ICMP, IP, and UDP

  C. TFTP, ARP, IP, and UDP

  D. TFTP, RARP, IP, and ICMP

14. C. Different protocols have different functionalities. The OSI model is an attempt to describe conceptually where these different functionalities take place in a networking stack. The model attempts to draw boxes around reality to help people better understand the stack. Each layer has a specific functionality and has several different protocols that can live at that layer and carry out that specific functionality. These listed protocols work at these associated layers: TFTP (application), ARP (data link), IP (network), and UDP (transport).

27

Mobile Phone Security

Most corporations do not incorporate the use of portable devices and mobile cell phone technologies into their security policies or overarching security program. This was all right when phones were just phones, but today they are small computers that can connect to web sites and various devices, and thus are new entry points for malicious activities.

28

Internet Control Message Protocol

The Internet Control Message Protocol (ICMP) is basically IP’s "messenger boy." ICMP delivers status messages, reports errors, replies to certain requests, reports routing information, and is used to test connectivity and troubleshoot problems on IP networks.

29

Some of the best practices pertaining to WLAN implementations are as follows:

  • Change the default SSID. Each AP comes with a preconfigured default SSID value.
  • Disable "broadcast SSID" on the AP. Most APs allow for this to be turned off.
  • Implement another layer of authentication (RADIUS, Kerberos). Before the user can access the network, require him to authenticate.
  • Physically put the AP at the center of the building. The AP has a specific zone of coverage it can provide.
  • Logically put the AP in a DMZ with a firewall between the DMZ and internal network. Allow the firewall to investigate the traffic before it gets to the wired network.
  • Implement VPN for wireless devices to use. This adds another layer of protection for data being transmitted.
  • Configure the AP to allow only known MAC addresses into the network. Allow only known devices to authenticate. But remember that these MAC addresses are sent in cleartext, so an attacker could capture them and masquerade himself as an authenticated device.
  • Carry out penetration tests on the WLAN. Use the tools described in this section to identify APs and attempt to break the current encryption scheme being used.
  • Move to a product that follows the 802.11i standard.

30

Multistation Access Unit (MAU)

Like Ethernet, Token Ring is a LAN media access technology that enables the communication and sharing of networking resources. The Token Ring technology was originally developed by IBM and then defined by the IEEE 802.5 standard. It uses a token-passing technology with a star-configured topology. The ring part of the name pertains to how the signals travel, which is in a logical ring. Each computer is connected to a central hub, called a Multistation Access Unit (MAU). Physically, the topology can be a star, but the signals and transmissions are passed in a logical ring.

31

Frequency-division multiplexing (FDM)

  • An available wireless spectrum is used to move data.
  • The available frequency band is divided into narrow frequency bands to provide multiple parallel channels for data transfer.

32

Tom’s company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is that employees can plug their laptops, smart phones, and other mobile devices into the network; these devices may be infected and have running sniffers that the owners are not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, such as their switches, do not have this type of functionality available. Another issue Tom’s team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom’s boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

37. Which of the following is the best solution to meet the company’s need for broadband wireless connectivity?

  A. WiMAX

  B. IEEE 802.12

  C. WPA2

  D. IEEE 802.15

37. A. IEEE 802.16 is a MAN wireless standard that allows for wireless traffic to cover a wide geographical area. This technology is also referred to as broadband wireless access. The commercial name for 802.16 is WiMAX.

33

7. Which of the following correctly describes Bluejacking?

  A. Bluejacking is a harmful, malicious attack.

  B. It is the process of taking over another portable device via a Bluetooth-enabled device.

  C. It is commonly used to send contact information.

  D. The term was coined by the use of a Bluetooth device and the act of hijacking another device.

Extended Questions:

CORRECT C. Bluetooth is vulnerable to an attack called Bluejacking, which entails an attacker sending an unsolicited message to a device that is Bluetooth-enabled. Bluejackers look for a receiving device, such as a mobile device or laptop, and then send a message to it. Often, the Bluejacker is trying to send their business card to be added to the victim’s contact list in their address book. The countermeasure is to put the Bluetooth-enabled device into nondiscoverable mode so that others cannot identify this device in the first place. If you receive some type of message this way, just look around you. Bluetooth only works within a ten-meter distance, so it is coming from someone close by.

WRONG A is incorrect because Bluejacking is actually a harmless nuisance rather than a malicious attack. It is the act of sending unsolicited messages to Bluetooth-enabled devices. The first act took place in a bank in which the attacker polled the network and found an active Nokia phone. He then sent the message "Buy Ericsson."

WRONG B is incorrect because Bluejacking does not involve taking over another device. It does not give the attacker control of the target device. Rather, the Bluejacker simply sends an unsolicited message to the Bluetooth-enabled device. These messages are usually text only, but it is possible to also send images or sounds. Victims are often unfamiliar with Bluejacking and may think their phone is malfunctioning or that they have been attacked by a virus or hijacked by a Trojan horse.

WRONG D is incorrect because the term Bluejacking has nothing to do with hijacking, which means to take over something. The name Bluejacking was invented by a Malaysian IT consultant who sent the message "Buy Ericsson" to another Bluetooth-enabled device.

34

Packet Filtering Firewalls

I don’t like this packet. Oh, but I like this packet. I don’t like this packet. This other packet is okay.

Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values. The device that is carrying out packet filtering processes is configured with ACLs, which dictate the type of traffic that is allowed into and out of specific networks.

35

Internet Group Management Protocol (IGMP)

Internet Group Management Protocol (IGMP) is used to report multicast group memberships to routers. When a user chooses to accept multicast traffic, she becomes a member of a particular multicast group. IGMP is the mechanism that allows her computer to inform the local routers that she is part of this group and to send traffic with a specific multicast address to her system. IGMP can be used for online streaming video and gaming activities. The protocol allows for efficient use of the necessary resources when supporting these types of applications.

36

Frame Relay

Why are there so many paths to choose from?

For a long time, many companies used dedicated links to communicate with other companies. Company A had a pipeline to company B that provided a certain bandwidth 24 hours a day and was not used by any other entities. This was great because only the two companies could use the line, so a certain level of bandwidth was always available, but it was expensive and most companies did not use the full bandwidth each and every hour the link was available. Thus, the companies spent a lot of money for a service they did not use all the time. Instead of using dedicated lines, companies turned to frame relay.

37

star topology

In a star topology, all nodes connect to a central device such as a switch. Each node has a dedicated link to the central device. The central device needs to provide enough throughput that it does not turn out to be a detrimental bottleneck for the network as a whole. Because a central device is required, it is a potential single point of failure, so redundancy may need to be implemented. Switches can be configured in flat or hierarchical implementations so larger organizations can use them.

38

Internet Control Message Protocol (ICMP)

A core protocol of the IP suite used to send status and error messages.

39

Digital subscriber line (DSL)

Digital subscriber line (DSL) is another type of high-speed connection technology used to connect a home or business to the service provider’s central office. It can provide 6 to 30 times higher bandwidth speeds than ISDN and analog technologies. It uses existing phone lines and provides a 24-hour connection to the Internet. This does indeed sound better than sliced bread, but only certain people can get this service because you have to be within a 2.5-mile radius of the DSL service provider’s equipment. As the distance between a residence and the central office increases, the transmission rates for DSL decrease.

40

local area network (LAN)

A local area network (LAN) is a network that provides shared communication and resources in a relatively small area. What defines a LAN, as compared to a WAN, depends on the physical medium, encapsulation protocols, and media access technology. For example, a LAN could use 10Base-T cabling, TCP/IP protocols, and Ethernet media access technology, and it could enable users who are in the same local building to communicate. A WAN, on the other hand, could use fiber-optic cabling, the L2TP encapsulation protocol, and ATM media access technology, and could enable users from one building to communicate with users in another building in another state (or country). A WAN connects LANs over great distances geographically. Most of the differences between these technologies are found at the data link layer.

41

Summary of Tunneling Protocols: Point-to-Point Tunneling Protocol (PPTP):

  • Works in a client/server model
  • Extends and protects PPP connections
  • Works at the data link layer
  • Transmits over IP networks only

42

Subnet

Logical subdivision of a network that improves network administration and helps reduce network traffic congestion. Process of segmenting a network into smaller networks through the use of an addressing scheme made up of network and host portions.

43

Wormhole attack

This takes place when an attacker captures packets at one location in the network and tunnels them to another location in the network for a second attacker to use against a target system.

44

Internet Protocol (IP)

Core protocol of the TCP/IP suite. Provides packet construction, addressing, and routing functionality.

46

bridge

A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.

47

12. Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec?

  A. Authentication header protocol provides data integrity, data origin authentication, and protection from replay attacks.

  B. Encapsulating security payloads protocol provides confidentiality, data origin authentication, and data integrity.

  C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange.

  D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.

12. D. Authentication header protocol provides data integrity, data origin authentication, and protection from replay attacks. Encapsulating security payloads protocol provides confidentiality, data origin authentication, and data integrity. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. Internet Key Exchange provides authenticated keying material for use with the Internet Security Association and Key Management Protocol.

48

Wave-division multiplexing (WDM)

Multiplying the available capacity of optical fibers through use of parallel channels, with each channel on a dedicated wavelength of light. The bandwidth of an optical fiber can be divided into as many as 160 channels.

49

John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

29. Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic?

  A. SNMP v3

  B. L2TP

  C. CHAP

  D. Dynamic packet filtering firewall

29. A. SNMP versions 1 and 2 send their community string values in cleartext, but with version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So the sniffers that are installed on the network cannot sniff SNMP traffic.

50

High-Speed Serial Interface (HSSI)

High-Speed Serial Interface (HSSI) is an interface used to connect multiplexers and routers to high-speed communications services such as ATM and frame relay. It supports speeds up to 52 Mbps, as in T3 WAN connections, which are usually integrated with router and multiplex devices to provide serial interfaces to the WAN. These interfaces define the electrical and physical interfaces to be used by DTE/DCE devices; thus, HSSI works at the physical layer.

51

carrier sense multiple access with collision detection (CSMA/CD)

A transmission is called a carrier, so if a computer is transmitting frames, it is performing a carrier activity. When computers use the carrier sense multiple access with collision detection (CSMA/CD) protocol, they monitor the transmission activity, or carrier activity, on the wire so they can determine when would be the best time to transmit data. Each node monitors the wire continuously and waits until the wire is free before it transmits its data. As an analogy, consider several people gathered in a group talking here and there about this and that. If a person wants to talk, she usually listens to the current conversation and waits for a break before she proceeds to talk. If she does not wait for the first person to stop talking, she will be speaking at the same time as the other person, and the people around them may not be able to understand fully what each is trying to say.

52

Intermediate System to Intermediate System (IS-IS)

Link-state protocol that allows each router to independently build a database of a network’s topology. Similar to the OSPF protocol, it computes the best path for traffic to travel. It is a classless and hierarchical routing protocol that is vendor neutral.

53

If the proper countermeasures are not put into place, then an attacker can gain access to a wealth of device-oriented data that can be used in her follow-up attacks. The following are just some data sets held within MIB SNMP objects that attackers would be interested in:

  • .server.svSvcTable.svSvcEntry.svSvcName
  • .server.svShareTable.svShareEntry.svShareName
  • .server.svShareTable.svShareEntry.svSharePath
  • .server.svShareTable.svShareEntry.svShareComment
  • .server.svUserTable.svUserEntry.svUserName
  • .domain.domPrimaryDomain

54

screened-subnet

A screened-subnet architecture adds another layer of security to the screened-host architecture. The external firewall screens the traffic entering the DMZ network. However, instead of the firewall then redirecting the traffic to the internal network, an interior firewall also filters the traffic. The use of these two physical firewalls creates a DMZ.

55

Generation 2½ (2.5G):

  • Higher bandwidth than 2G
  • "Always on" technology for e-mail and pages

56

T-carriers

Dedicated lines that can carry voice and data information over trunk lines. It is a general term for any of several digitally multiplexed telecommunications carrier systems.

57

Voice over IP (VoIP)

The set of protocols, technologies, methodologies, and transmission techniques involved in the delivery of voice data and multimedia sessions over IP-based networks.

58

Presentation Layer

You will now be transformed into something that everyone can understand.

The presentation layer, layer 6, receives information from the application layer protocol and puts it in a format all computers following the OSI model can understand. This layer provides a common means of representing data in a structure that can be properly processed by the end system. This means that when a user creates a Word document and sends it out to several people, it does not matter whether the receiving computers have different word processing programs; each of these computers will be able to receive this file and understand and present it to its user as a document. It is the data representation processing that is done at the presentation layer that enables this to take place. For example, when a Windows 7 computer receives a file from another computer system, information within the file’s header indicates what type of file it is. The Windows 7 operating system has a list of file types it understands and a table describing what program should be used to open and manipulate each of these file types. For example, the sender could create a Word file in Word 2010, while the receiver uses Open Office. The receiver can open this file because the presentation layer on the sender’s system converted the file to American Standard Code for Information Interchange (ASCII), and the receiver’s computer knows it opens these types of files with its word processor, Open Office.

59

The following list addresses some of the issues that need to be understood as they pertain to firewalls:

  • Most of the time a distributed approach needs to be used to control all network access points, which cannot happen through the use of just one firewall.
  • Firewalls can present a potential bottleneck to the flow of traffic and a single point of failure threat.
  • Most firewalls do not provide protection from malware and can be fooled by the more sophisticated attack types.
  • Firewalls do not protect against sniffers or rogue wireless access points, and provide little protection against insider attacks.

60

Physical : Network interface cards and drivers convert bits into electrical signals and control the physical aspects of data transmission, including optical, electrical, and mechanical requirements. The following are some of the standard interfaces at this layer:

  • EIA-422, EIA-423, RS-449, RS-485
  • 10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-T, 1000BASE-T, 1000BASE-SX
  • Integrated Services Digital Network (ISDN)
  • Digital subscriber line (DSL)
  • Synchronous Optical Networking (SONET)

61

Frequency division multiple access (FDMA)

Frequency division multiple access (FDMA) was the earliest multiple access technology put into practice. The available frequency range is divided into sub-bands (channels), and one channel is assigned to each subscriber (cell phone). The subscriber has exclusive use of that channel while the call is made, or until the call is terminated or handed off; no other calls or conversations can be made on that channel during that call. Using FDMA in this way, multiple users can share the frequency range without the risk of interference between the simultaneous calls. FDMA was used in the first generation (1G) of cellular networks. Various 1G mobile implementations, such as Advanced Mobile Phone System (AMPS), Total Access Communication System (TACS), and Nordic Mobile Telephone (NMT), used FDMA.

62

Synchronous communication

Transmission sequencing technology that uses a clocking pulse or timing scheme for data transfer synchronization.

63

Repeaters

A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.

64

Summary of Tunneling Protocols : Layer 2 Tunneling Protocol (L2TP):

  • Hybrid of L2F and PPTP
  • Extends and protects PPP connections
  • Works at the data link layer
  • Transmits over multiple types of networks, not just IP
  • Combined with IPSec for security

65

IPv6

IP version 6 is the successor to IP version 4 and provides 128-bit addressing, integrated IPSec security protocol, simplified header formats, and some automated configuration.

66

Differentiated service

Compared to best-effort service, traffic that is assigned this classification has more bandwidth, shorter delays, and fewer dropped frames.

67

Cabling Problems

Cables are extremely important within networks, and when they experience problems, the whole network could experience problems. This section addresses some of the more common cabling issues many networks experience.

68

Public-switched telephone network (PSTN)

The public circuit-switched telephone network, which is made up of telephone lines, fiber-optic cables, cellular networks, communications satellites, and undersea telephone cables and allows all phone-to-phone communication. It was a fixed-line analog telephone system, but is now almost entirely digital and includes mobile as well as fixed telephones.

69

Screened host

A firewall that communicates directly with a perimeter router and the internal network. The router carries out filtering activities on the traffic before it reaches the firewall.

70

proxy

A proxy is a middleman. It intercepts and inspects messages before delivering them to the intended recipients. Suppose you need to give a box and a message to the president of the United States. You couldn’t just walk up to the president and hand over these items. Instead, you would have to go through a middleman, likely the Secret Service, who would accept the box and message and thoroughly inspect the box to ensure nothing dangerous was inside. This is what a proxy firewall does—it accepts messages either entering or leaving a network, inspects them for malicious information, and, when it decides the messages are okay, passes the data on to the destination computer.

71

Firewall Architecture

Firewalls are great, but where do we put them?

Firewalls can be placed in a number of areas on a network to meet particular needs. They can protect an internal network from an external network and act as a choke point for all traffic. A firewall can be used to segment and partition network sections and enforce access controls between two or more subnets. Firewalls can also be used to provide a DMZ architecture. And as covered in the previous section, the right firewall type needs to be placed in the right location. Organizations have common needs for firewalls; hence, they keep them in similar places on their networks. We will see more on this topic in the following sections.

72

Packet filtering was the first generation of firewalls and it is the most rudimentary type of all of the firewall technologies. The filters only have the capability of reviewing protocol header information at the network and transport levels and carrying out PERMIT or DENY actions on individual packets. This means the filters can make access decisions based upon the following basic criteria:

  • Source and destination IP addresses
  • Source and destination port numbers
  • Protocol types
  • Inbound and outbound traffic direction

73

First generation (1G):

  • Analog services
  • Voice service only

74

Serial Line Internet Protocol (SLIP)

PPP replaced Serial Line Internet Protocol (SLIP), an older protocol that was used to encapsulate data to be sent over serial connection links. PPP has several capabilities that SLIP does not have:

75

Vishing (voice and phishing)

Social engineering activity over the telephone system, most often using features facilitated by VoIP, to gain unauthorized access to sensitive data.

76

Dynamic ports

Registered ports are 1024 to 49151, which can be registered with the Internet Corporation for Assigned Names and Numbers (ICANN) for a particular use. Vendors register specific ports to map to their proprietary software. Dynamic ports are 49152 to 65535 and are available to be used by any application on an "as needed" basis.

77

Fraggle attack

A DDoS attack type on a computer that floods the target system with a large amount of UDP echo traffic to IP broadcast addresses.

78

High-Speed Serial Interface (HSSI)

High-Speed Serial Interface (HSSI) is an interface used to connect multiplexers and routers to high-speed communications services such as ATM and frame relay. It supports speeds up to 52 Mbps, as in T3 WAN connections, which are usually integrated with router and multiplex devices to provide serial interfaces to the WAN. These interfaces define the electrical and physical interfaces to be used by DTE/DCE devices; thus, HSSI works at the physical layer.

79

IP Addressing

Take a right at the router and a left at the access server. I live at 10.10.2.3.

Each node on a network must have a unique IP address. Today, the most commonly used version of IP is IP version 4 (IPv4), but its addresses are in such high demand that their supply has started to run out. IP version 6 (IPv6) was created to address this shortage. (IPv6 also has many security features built into it that are not part of IPv4.) IPv6 is covered later in this chapter.

80

Asynchronous communication

Transmission sequencing technology that uses start and stop bits or similar encoding mechanism. Used in environments that transmit a variable amount of data in a periodic fashion.

81

Attacks at Different Layers

As we examine the different layers of a common network stack, we will also look at the specific attack types that can take place at each layer. One concept to understand at this point is that a network can be used as a channel for an attack or the network can be the target of an attack. If the network is a channel for an attack, this means the attacker is using the network as a resource. For example, when an attacker sends a virus from one system to another system, the virus travels through the network channel. If an attacker carries out a denial of service (DoS) attack, which sends a large amount of bogus traffic over a network link to bog it down, then the network itself is the target. As you will see throughout this chapter, it is important to understand how attacks take place and where they take place so that the correct countermeasures can be put into place.

82

Networking Devices : Several types of devices are used in LANs, MANs, and WANs to provide intercommunication among computers and networks. We need to have physical devices throughout the network to actually use all the protocols and services we have covered up to this point. The different networking devices vary according to their functionality, capabilities, intelligence, and network placement. We will look at the following devices:

  • Repeaters
  • Bridges
  • Routers
  • Switches

83

15. Which of the following does not describe IP telephony security?

A. VoIP networks should be protected with the same security controls used on a data network.

B. Softphones are more secure than IP phones.

C. As endpoints, IP phones can become the target of attacks.

D. The current Internet architecture over which voice is transmitted is less secure than physical phone lines.

Extended Questions:

CORRECT B. IP softphones should be used with caution. A softphone is a software application that allows the user to make phone calls via a computer over the Internet. A softphone, which replaces dedicated hardware, behaves like a traditional telephone. It can be used with a headset connected to a PC’s sound card or with a USB phone. Skype is an example of a softphone application. Compared to hardware-based IP phones, softphones make an IP network more vulnerable. However, softphones are no worse than any other interactive Internet application. In addition, data-centered malware can more easily enter a network via softphones because they do not separate voice traffic from data as do IP phones.

WRONG A is incorrect because the statement correctly describes IP telephony network security. An IP telephony network uses the same technology as a traditional IP network, only it can support voice applications. Therefore, the IP telephony network is susceptible to the same vulnerabilities as a traditional IP network and should be protected accordingly. This means the IP telephony network should be engineered to have the proper security.

WRONG C is incorrect because the statement is true. IP phones on an IP telephony network are the equivalent of a workstation on a data network in terms of their vulnerability to attack. Thus, IP phones should be protected with many of the same security controls that are implemented in a traditional workstation. For example, default administrator passwords should be changed. Unnecessary remote access features should be disabled. Logging should be enabled and the firmware upgrade process should be secured.

WRONG D is incorrect because the statement is true. For the most part, the current Internet architecture over which voice is transmitted is less secure than physical phone lines. Physical phone lines provide point-to-point connections, which are harder to tap into than the software-based tunnels that make up most of the Internet. This is an important factor to take into consideration when securing an IP telephony network because the network is now transmitting two invaluable assets—data and voice. It is not unusual for personally identifiable information, financial information, and other sensitive data to be spoken over the phone. Intercepting this information over an IP telephony network is as easy as intercepting regular data. Now voice traffic needs to be encrypted, too.

84

Unspecified Bit Rate (UBR)

A connectionless channel that does not promise a specific data throughput rate. Customers cannot, and do not need to, control their traffic rate.

85

Spanning Tree Algorithm (STA)

Many bridges use the Spanning Tree Algorithm (STA), which adds more intelligence to the bridges. STA ensures that frames do not circle networks forever, provides redundant paths in case a bridge goes down, assigns unique identifiers to each bridge, assigns priority values to these bridges, and calculates path costs. This creates much more efficient frame-forwarding processes by each bridge. STA also enables an administrator to indicate whether he wants traffic to travel certain paths instead of others.

86

wrap

Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data traveling clockwise and is used for regular data transmission. The second ring transmits data in a counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. Each node on the FDDI network has relays that are connected to both rings, so if a break in the ring occurs, the two rings can be joined.

87

6. Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer?

  A. Open relay manipulation

  B. VLAN hopping attack

  C. Hypervisor denial-of-service attack

  D. Smurf attack

6. B. VLAN hopping attacks allow attackers to gain access to traffic in various VLAN segments. An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols, and can insert itself between other VLAN devices and gain access to the traffic going back and forth. Attackers can also insert tagging values to manipulate the control of traffic at this data link layer.

88

Types of Transmission

Physical data transmission can happen in different ways (analog or digital); can use different synchronization schemes (synchronous or asynchronous); can use either one sole channel over a transmission medium (baseband) or several different channels over a transmission medium (broadband); and transmission can take place as electrical voltage, radiowave, microwave, or infrared signals. These transmission types and their characteristics are described in the following sections.

89

Temporal Key Integrity Protocol (TKIP)

IEEE came out with a standard that deals with the security issues of the original 802.11 standard, which is called IEEE 802.11i. This standard employs different approaches that provide much more security and protection than the methods used in the original 802.11 standard. This enhancement of security is accomplished through specific protocols, technologies, and algorithms. The first protocol is Temporal Key Integrity Protocol (TKIP), which is backwards-compatible with the WLAN devices based upon the original 802.11 standard. TKIP actually works with WEP by feeding it keying material, which is data to be used for generating new dynamic keys. The new standard also integrated 802.1X port authentication and EAP authentication methods.

90

X.25

X.25 is an older WAN protocol that defines how devices and networks establish and maintain connections. Like frame relay, X.25 is a switching technology that uses carrier switches to provide connectivity for many different networks. It also provides an any-to-any connection, meaning many users use the same service simultaneously. Subscribers are charged based on the amount of bandwidth they use, unlike dedicated links, for which a flat fee is charged.

91

Some of the security measures that should be put into place for dial-up connections include:

  • Configure the remote access server to call back the initiating phone number to ensure it is a valid and approved number.
  • Modems should be configured to answer after a predetermined number of rings to counter war dialers.
  • Disable or remove modems if not in use.
  • All modems should be consolidated into one location and managed centrally if possible.
  • Use of two-factor authentication, VPNs, and personal firewalls should be implemented for remote access connections.

92

Primary Rate Interface (PRI)

Analog telecommunication signals use a full channel for communication, but ISDN can break up this channel into multiple channels to move various types of data, and provide full-duplex communication and a higher level of control and error handling. ISDN provides two basic services: Basic Rate Interface (BRI) and Primary Rate Interface (PRI). BRI has two B channels that enable data to be transferred and one D channel that provides for call setup, connection management, error control, caller ID, and more. The bandwidth available with BRI is 144 Kbps, whereas dial-up modems can provide only 56 Kbps.

93

Optical Wireless

Optical wireless is the combined use of two technologies: radio-frequency (RF) wireless and optical fiber. Long-range links are provided by optical fiber cables, and links from the long-range end-points to end users are accomplished by RF wireless transmitters. The local links can be provided by laser systems, also known as free-space optics (FSO), rather than by RF wireless. FSO is a point-to-point optical connection supporting very high rates in outdoor environments. These types of wireless transmissions are hard to intercept and do not require a license to deploy. While older versions of optical wireless were negatively affected by weather conditions, all-weather optical wireless systems are now becoming available.

94

Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean’s team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

32. Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers?

  A. TCP sequence hijacking is taking place.

  B. Source routing is not restricted.

  C. Fragment attacks are underway.

  D. Attacker is tunneling communication through PPP.

32. B. Source routing means the packet decides how to get to its destination, not the routers in between the source and destination computer. Source routing moves a packet throughout a network on a predetermined path. To make sure none of this misrouting happens, many firewalls are configured to check for source routing information within the packet and deny it if it is present.

95

5. Which of the following protocols is considered connection-oriented?

  A. IP

  B. ICMP

  C. UDP

  D. TCP

5. D. TCP is the only connection-oriented protocol listed. A connection-oriented protocol provides reliable connectivity and data transmission, while a connectionless protocol provides unreliable connections and does not promise or ensure data transmission.

96

Metro Ethernet

A data link technology that is used as a metropolitan area network to connect customer networks to larger service networks or the Internet. Businesses can also use Metro Ethernet to connect distributed locations to their intranet.

97

Simple Authentication and Security Layer (SASL)

A framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols and allows any authentication mechanism supported by SASL to be used in any application protocol that uses SASL.

98

stateful

Most NAT implementations are stateful, meaning they keep track of a communication between the internal host and an external host until that session is ended. The NAT device needs to remember the internal IP address and port to send the reply messages back. This stateful characteristic is similar to stateful-inspection firewalls, but NAT does not perform scans on the incoming packets to look for malicious characteristics. Instead, NAT is a service usually performed on routers or gateway devices within a company’s screened subnet.

99

Application

The protocols at the application layer handle file transfer, virtual terminals, network management, and fulfilling networking requests of applications. A few of the protocols that work at this layer include

100

Single-attached concentrator (SAC)

Concentrator that connects an SAS device to the primary ring

101

Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data integrity.

102

Cell phone cloning

Cell phone cloning has been around for many years, and this activity won’t stop any time soon. A regular cell phone can be stolen and then reprogrammed with someone else’s access credentials. This is a common activity used by organized crime rings and drug dealers who do not want their information readily available to law enforcement. Global System Mobile (GSM) phones use a Subscriber Identity Module (SIM) chip, which contains authentication data, phone numbers, saved messages, and more. Before a GSM phone can gain access to the cellular network, the SIM must be present in the phone. Attackers are cloning these SIM chips so they can make fraudulent calls on the cell phone owner’s account.

103

bastion host

A system is considered a bastion host if it is a highly exposed device that is most likely to be targeted by attackers. The closer any system is to an untrusted network, such as the Internet, the more it is considered a target candidate, since it has fewer layers of protection guarding it. If a system is on the public side of a DMZ or is directly connected to an untrusted network, it is considered a bastion host; thus, it needs to be extremely locked down.

104

Multiservice Access Technologies

Voice in a packet. What will they think of next?

Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators. The regular phone system is based on a circuit-switched, voice-centric network, called the public-switched telephone network (PSTN). The PSTN uses circuit switching instead of packet switching. When a phone call is made, the call is placed at the PSTN interface, which is the user’s telephone. This telephone is connected to the telephone company’s local loop via copper wiring. Once the signals for this phone call reach the telephone company’s central office (the end of the local loop), they are part of the telephone company’s circuit-switching world. A connection is made between the source and the destination, and as long as the call is in session, the data flows through the same switches.

105

RJ-11

is often used for terminating telephone wires.

106

Intra-Site Automatic Tunnel Addressing Protocol

An IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.

107

Wave-division multiplexing (WDM)

  • Used in fiber optic communication.
  • Multiplexes a number of optical carrier signals onto a single optical fiber.

108

repeater

A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.

109

state table

A stateful firewall is like a nosy neighbor who gets into people’s business and conversations. She keeps track of the suspicious cars that come into the neighborhood, who is out of town for the week, and the postman who stays a little too long at the neighbor lady’s house. This can be annoying until your house is burglarized. Then you and the police will want to talk to the nosy neighbor, because she knows everything going on in the neighborhood and would be the one most likely to know something unusual happened. A stateful inspection firewall is nosier than a regular filtering device because it keeps track of what computers say to each other. This requires that the firewall maintain a state table, which is like a score sheet of who said what to whom.

110

E-mail spoofing

Activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Since SMTP does not provide any authentication, it is easy to impersonate and forge e-mails.

111

3. Which of the following is not a characteristic of the IEEE 802.11a standard?

  A. It works in the 5GHz range.

  B. It uses the OFDM spread spectrum technology.

  C. It provides 52 Mbps in bandwidth.

  D. It covers a smaller distance than 802.11b.

3. C. The IEEE standard 802.11a uses the OFDM spread spectrum technology, works in the 5GHz frequency band, and provides bandwidth of up to 54 Mbps. The operating range is smaller because it works at a higher frequency.

112

Open Shortest Path First

OSPF uses link-state algorithms to send out routing table information. The use of these algorithms allows for smaller, more frequent routing table updates to take place. This provides a more stable network than RIP, but requires more memory and CPU resources to support this extra processing. OSPF allows for a hierarchical routing network that has a backbone link connecting all subnets together. OSPF has replaced RIP in many networks today. Authentication can take place with cleartext passwords or hashed passwords, or you can choose to configure no authentication on the routers using this protocol.

113

Multimode

Fibers with large glass cores that are able to carry more data than single-core fibers, though they are best for shorter distances because of their higher attenuation levels.

114

Value-added network (VAN)

A hosted EDI service offering that acts as an intermediary between business partners sharing standards-based or proprietary data via shared business processes.

115

Single-attachment station (SAS)

Attaches to only one ring (the primary) through a concentrator

116

Teardrop attack

Malformed fragments are created by the attacker, and once they are reassembled, they could cause the victim system to become unstable.

117

BNC (British Naval Connector)

is often used for terminating coaxial cables. It is used to connect various types of radio, television, and other radio-frequency electronic equipment. (Also referred to as Bayonet Neill-Concelman connector.)

118

Cable Modems

We already have a cable running to your house, so just buy this extra service for Internet connectivity.

The cable television companies have been delivering television services to homes for years, and then they started delivering data transmission services for users who have cable modems and want to connect to the Internet at high speeds.

119

Type of Service

NOTE: IP provides addressing, packet fragmentation, and packet timeouts. To ensure that packets do not continually traverse a network forever, IP provides a Time to Live (TTL) value that is decremented every time the packet passes through a router. IP can also provide a Type of Service (ToS) capability, which means it can prioritize different packets for time-sensitive functions.

120

Spanning Tree Protocol (STP)

A network protocol that ensures a loop-free topology for any bridged Ethernet LAN and allows redundant links to be available in case connection links go down.

121

Network Control Protocols

PPP carries out several functions, including the encapsulation of multiprotocol packets; it has a Link Control Protocol (LCP) that establishes, configures, and maintains the connection; Network Control Protocols (NCPs) are used for network layer protocol configuration; and it provides user authentication capabilities through Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP) protocols.

122

9. Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3?

  A. Data link, session, application, transport, and network

  B. Data link, transport, application, session, and network

  C. Network, session, application, network, and transport

  D. Network, transport, application, session, and presentation

9. A. The OSI model is made up of seven layers: application (layer 7), presentation (layer 6), session (layer 5), transport (layer 4), network (layer 3), data link (layer 2), and physical (layer 1).

123

Remote Connectivity

I need to talk to you, but I am way over here!

Remote connectivity covers several technologies that enable remote and home users to connect to networks that will grant them access to network resources that help them perform their tasks. Most of the time, these users must first gain access to the Internet through an ISP, which sets up a connection to the destination network.

124

User Agent Server (UAS)

SIP consists of two major components: the User Agent Client (UAC) and User Agent Server (UAS). The UAC is the application that creates the SIP requests for initiating a communication session. UACs are generally messaging tools and soft-phone applications that are used to place VoIP calls. The UAS is the SIP server, which is responsible for handling all routing and signaling involved in VoIP calls.

125

6to4

Transition mechanism for migrating from IPv4 to IPv6. It allows systems to use IPv6 to communicate if their traffic has to traverse an IPv4 network.

126

Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP) is also supported by PPP. Actually, EAP is not a specific authentication protocol as are PAP and CHAP. Instead, it provides a framework to enable many types of authentication techniques to be used when establishing network connections. As the name states, it extends the authentication possibilities from the norm (PAP and CHAP) to other methods, such as one-time passwords, token cards, biometrics, Kerberos, digital certificates, and future mechanisms. So when a user connects to an authentication server and both have EAP capabilities, they can negotiate between a longer list of possible authentication methods.

127

30. Which of the following best describes the difference between a virtual firewall that works in bridge mode versus one that is embedded into a hypervisor?

A. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a host system.

B. Bridge-mode virtual firewall allows the firewall to monitor individual network links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system.

C. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system.

D. Bridge-mode virtual firewall allows the firewall to monitor individual guest systems, and hypervisor integration allows the firewall to monitor all activities taking place within a network system.

Extended Questions:

CORRECT A. Virtual firewalls can be bridge-mode products, which monitor individual traffic links between virtual machines, or they can be integrated within the hypervisor of a virtualized environment. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the host system.

WRONG B is incorrect because a bridge-mode virtual firewall allows the firewall to monitor individual traffic links between hosts, not network links. Hypervisor integration allows the firewall to monitor all activities taking place within a host system, not a guest system.

WRONG C is incorrect because a bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a host system, not a guest system. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the system.

WRONG D is incorrect because a bridge-mode virtual firewall allows the firewall to monitor individual traffic between guest systems, and hypervisor integration allows the firewall to monitor all activities taking place within a host system, not a network system.

128

Simple Network Management Protocol (SNMP)

A protocol within the IP suite that is used for network device management activities through the use of a structure that uses managers, agents, and Management Information Bases.

129

Session Initiation Protocol (SIP)

When a phone call is made, the connection has to be set up, signaling has to be controlled, and the session has to be torn down. This takes place through the Signaling System 7 (SS7) protocol. When Voice over IP (VoIP) is used, it employs the Session Initiation Protocol (SIP), which sets up and breaks down the call sessions, just as SS7 does for non-IP phone calls. SIP is an application layer protocol that can work over TCP or UDP. SIP provides the foundation to allow the more complex phone-line features that SS7 provides, such as causing a phone to ring, dialing a phone number, generating busy signals, and so on.

130

Service Set ID (SSID)

Any hosts that wish to participate within a particular WLAN must be configured with the proper Service Set ID (SSID). Various hosts can be segmented into different WLANs by using different SSIDs. The reasons to segment a WLAN into portions are the same reasons wired systems are segmented on a network: the users require access to different resources, have different business functions, or have different levels of trust.

131

Bluetooth wireless

The Bluetooth wireless technology is actually based upon a portion of the 802.15 standard. It has a 1- to 3-Mbps transfer rate and works in a range of approximately ten meters. If you have a cell phone and a PDA that are both Bluetooth-enabled and both have calendar functionality, you could have them update each other without any need to connect them physically. If you added some information to your cell phone contacts list and task list, for example, you could just place the phone close to your PDA. The PDA would sense that the other device was nearby, and it would then attempt to set up a network connection with it. Once the connection was made, synchronization between the two devices would take place, and the PDA would add the new contacts list and task list data. Bluetooth works in the frequency range of other 802.11 devices (2.4 GHz).

132

Wide Area Networks

LAN technologies provide communication capabilities over a small geographic area, whereas wide area network (WAN) technologies are used when communication needs to travel over a larger geographical area. LAN technologies encompass how a computer puts its data onto a network cable, the rules and protocols of how that data are formatted and transmitted, how errors are handled, and how the destination computer picks up this data from the cable. When a computer on one network needs to communicate with a network on the other side of the country or in a different country altogether, WAN technologies kick in.

133

Functions and Protocols in the OSI Model

For the exam, you will need to know the functionality that takes place at the different layers of the OSI model, along with specific protocols that work at each layer. The following is a quick overview of each layer and its components.

134

13. Systems that are built on the OSI framework are considered open systems. What does this mean?

  A. They do not have authentication mechanisms configured by default.

  B. They have interoperability issues.

  C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems.

  D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.

13. C. An open system is a system that has been developed based on standardized protocols and interfaces. Following these standards allows the systems to interoperate more effectively with other systems that follow the same standards.

135

Gateway

Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet.

136

Dual-homed firewall

This device has two interfaces and sits between an untrusted network and trusted network to provide secure access. A multihomed device just means it has multiple interfaces. Firewalls that have multiple interfaces allow for networks to be segmented based upon security zone, with unique security configurations.

137

The following is a quick snapshot of telecommunications history:

  • Copper lines carry purely analog signals.
  • T1 lines carry up to 24 conversations.
  • T3 lines carry up to 28 T1 lines.
  • Fiber optics and the SONET network.
  • ATM over SONET.

138

Enhanced Interior Gateway Routing Protocol

EIGRP is a Cisco proprietary and advanced distance-vector routing protocol. It allows for faster router table updates than its predecessor IGRP and minimizes routing instability, which can occur after topology changes. Routers exchange messages that contain information about bandwidth, delay, load, reliability, and maximum transmission unit (MTU) of the path to each destination as known by the advertising router.

139

Carrier sense multiple access with collision detection

A media access control method that uses a carrier sensing scheme. When a transmitting system detects another signal while transmitting a frame, it stops transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying to resend the frame. This reduces collisions on a network.

140

circuit-level proxy

A circuit-level proxy creates a connection (circuit) between the two communicating systems. It works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot "look into" the contents of a packet; thus, it does not carry out deep-packet inspection. It can only make access decisions based upon protocol header and session information that is available to it. While this means that it cannot provide as much protection as an application-level proxy, because it does not have to understand application layer protocols, it is considered application independent. So it cannot provide the detail-oriented protection that a proxy that works at a higher level can, but this allows it to provide a broader range of protection where application layer proxies may not be appropriate or available.

141

electronic data interchange (EDI)

An extranet extends outside the bounds of the company’s network to enable two or more companies to share common information and resources. Business partners commonly set up extranets to accommodate business-to-business communication. An extranet enables business partners to work on projects together; share marketing information; communicate and work collaboratively on issues; post orders; and share catalogs, pricing structures, and information on upcoming events. Trading partners often use electronic data interchange (EDI), which provides structure and organization to electronic documents, orders, invoices, purchase orders, and a data flow. EDI has evolved into web-based technologies to provide easy access and easier methods of communication.

142

Data Link Layer

As we continue down the protocol stack, we are getting closer to the actual transmission channel (i.e., network wire) over which all these data will travel. The outer format of the data packet changes slightly at each layer, and it comes to a point where it needs to be translated into the LAN or wide area network (WAN) technology binary format for proper line transmission. This happens at the data link layer, layer 2.

143

Open Systems Interconnection (OSI) model

International standardization of system-based network communication through a modular seven-layer architecture.

144

The following lists current private IP address ranges:

  • 10.0.0.0-10.255.255.255 Class A network
  • 172.16.0.0-172.31.255.255 Class B networks
  • 192.168.0.0-192.168.255.255 Class C networks

145

Internet Message Access Protocol (IMAP)

An Internet standard protocol used by e-mail clients to retrieve e-mail from a remote server. E-mail clients using IMAP generally leave messages on the server until the user explicitly deletes them.

146

Code division multiple access (CDMA)

Code division multiple access (CDMA) was developed after FDMA, and as the term "code" implies, CDMA assigns a unique code to each voice call or data transmission to uniquely identify it from all other transmissions sent over the cellular network. In a CDMA "spread spectrum" network, calls are spread throughout the entire radio-frequency band. CDMA permits every user of the network to simultaneously use every channel in the network. At the same time, a particular cell can simultaneously interact with multiple other cells. These features make CDMA a very powerful technology. It is the main technology for the mobile cellular networks that presently dominate the wireless space.

147

E-mail Threats

E-mail spoofing is a technique used by malicious users to forge an e-mail to make it appear to be from a legitimate source. Usually, such e-mails appear to be from known and trusted e-mail addresses when they are actually generated from a malicious source. This technique is widely used by attackers these days for spamming and phishing purposes. An attacker tries to acquire the target’s sensitive information, such as username and password or bank account credentials. Sometimes, the e-mail messages contain a link of a known web site when it is actually a fake web site used to trick the user into revealing his information.

148

Best-effort service

No guarantee of throughput, delay, or delivery. Traffic that has priority classifications goes before traffic that has been assigned this classification. Most of the traffic that travels on the Internet has this classification.

149

Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP ECHO REQUEST packets to all the hosts on a specific subnet, which is aimed at one specific server.

28. Which of the following is the best and most cost-effective countermeasure for Grace’s team to put into place?

  A. Network address translation

  B. Disallowing unnecessary ICMP traffic coming from untrusted networks

  C. Application-based proxy firewall

  D. Screened subnet using two firewalls from two different vendors.

28. B. The attack description is a Smurf attack. In this situation the attacker sends an ICMP Echo Request packet with a spoofed source address to a victim’s network broadcast address. This means that each system on the victim’s subnet receives an ICMP Echo Request packet. Each system then replies to that request with an ICMP Echo Response packet to the spoofed address provided in the packets—which is the victim’s address. All of these response packets go to the victim system and overwhelm it because it is being bombarded with packets it does not necessarily know how to process. Filtering out unnecessary ICMP traffic is the cheapest solution.

150

Time division multiple access (TDMA)

Time division multiple access (TDMA) increases the speed and efficiency of the cellular network by taking the radio-frequency spectrum channels and dividing them into time slots. At various time periods, multiple users can share the same channel; the systems within the cell swap from one user to another user, in effect, reusing the available frequencies. TDMA increased speeds and service quality. A common example of TDMA in action is a conversation. One person talks for a time then quits, and then a different person talks. In TDMA systems, time is divided into frames. Each frame is divided into slots. TDMA requires that each slot’s start and end time are known to both the source and the destination. Mobile communication systems such as Global System for Mobile Communication (GSM), Digital AMPS (D-AMPS), and Personal Digital Cellular (PDC) use TDMA.

151

switched virtual circuits (SVCs)

Unlike PVCs, switched virtual circuits (SVCs) require steps similar to a dial-up and connection procedure. The difference is that a permanent path is set up for PVC frames, whereas when SVCs are used, a circuit must be built. It is similar to setting up a phone call over the public network. During the setup procedure, the required bandwidth is requested, the destination computer is contacted and must accept the call, a path is determined, and forwarding information is programmed into each switch along the SVC’s path. SVCs are used for teleconferencing, establishing temporary connections to remote sites, data replication, and voice calls. Once the connection is no longer needed, the circuit is torn down and the switches forget it ever existed.

152

1. Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?

A. LCL and MAC; IEEE 802.2 and 802.3

B. LCL and MAC; IEEE 802.1 and 802.3

C. Network and MAC; IEEE 802.1 and 802.3

D. LLC and MAC; IEEE 802.2 and 802.3

Extended Questions:

CORRECT D. The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 802.2 specification. It communicates with the network layer, which is immediately above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer. Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. When you see a reference to an IEEE standard, such as 802.11 or 802.16, it refers to the protocol working at the MAC sublayer of the data link layer of the protocol stack.

WRONG A is incorrect because LCL is a distracter. The correct acronym for the upper sublayer of the data link layer is LLC. It stands for the Logical Link Control. By providing multiplexing and flow control mechanisms, the LLC enables the coexistence of network protocols within a multipoint network and their transportation over the same network media.

WRONG B is incorrect because LCL is a distracter. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). Furthermore, the LLC is defined in the IEEE 802.2 specification, not 802.1. The IEEE 802.1 specifications are concerned with protocol layers above the MAC and LLC layers. It addresses LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security, etc.

WRONG C is incorrect because network is not a sublayer of the data link layer. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC sits between the network layer (the layer immediately above the data link layer) and the MAC sublayer. Also, the LLC is defined in the IEEE 802.2 specification, not IEEE 802.1. As just explained, 802.1 standards address areas of LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security. The IEEE 802.1 group’s four active task groups are Internetworking, Security, Audio/Video Bridging, and Data Center Bridging.

153

asymmetric services

DSL offers several types of services. With symmetric services, traffic flows at the same speed upstream and downstream (to and from the Internet or destination). With asymmetric services, the downstream speed is much higher than the upstream speed. In most situations, an asymmetric connection is fine for residential users because they usually download items from the Web much more often than they upload data.

154

26. IPv6 has many new and different characteristics and functionality compared to IPv4. Which of the following is an incorrect functionality or characteristic of IPv6?

i. IPv6 allows for nonscoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example.

ii. IPv6 has IPSec integrated into the protocol stack, which provides application-based secure transmission and authentication.

iii. IPv6 has more flexibility and routing capabilities compared to IPv4 and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions.

iv. The protocol offers autoconfiguration, which makes administration much easier compared to IPv4, and it does not require network address translation (NAT) to extend its address space.

A. i, iii

B. i, ii

C. ii, iii

D. ii, iv

Extended Questions:

CORRECT B. IPv6 allows for scoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example. IPv6 has IPSec integrated into the protocol stack, which provides end-to-end secure transmission and authentication.

WRONG A is incorrect. IPv6 allows for scoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example. IPv6 has more flexibility and routing capabilities and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions.

WRONG C is incorrect. IPv6 has more flexibility and routing capabilities and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions. IPv6 has IPSec integrated into the protocol stack, which provides end-to-end secure transmission and authentication.

WRONG D is incorrect because IPv6 has IPSec integrated into the protocol stack, which provides end-to-end secure transmission and authentication. The protocol offers autoconfiguration, which makes administration much easier, and it does not require network address translation (NAT) to extend its address space.

155

Forwarding Tables

You go that way. And you—you go this way!

A bridge must know how to get a frame to its destination—that is, it must know to which port the frame must be sent and where the destination host is located. Years ago, network administrators had to type route paths into bridges so the bridges had static paths indicating where to pass frames that were headed for different destinations. This was a tedious task and prone to errors. Today, bridges use transparent bridging.

156

DNS zone transfer

The process of replicating the databases containing the DNS data across a set of DNS servers.

157

The IPv6 specification, as outlined in RFC 2460, lays out the differences and benefits of IPv6 over IPv4. A few of the differences are as follows:

  • IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler autoconfiguration of addresses.

158

16. When an organization splits naming zones, the names of its hosts that are only accessible from an intranet are hidden from the Internet. Which of the following best describes why this is done?

A. To prevent attackers from accessing servers

B. To prevent the manipulation of the hosts file

C. To avoid providing attackers with valuable information that can be used to prepare an attack

D. To avoid providing attackers with information needed for cybersquatting

Extended Questions:

CORRECT C. Many companies have their own internal DNS servers to resolve their internal hostnames. These companies usually also use the DNS servers at their ISPs to resolve hostnames on the Internet. An internal DNS server can be used to resolve hostnames on the entire network, but usually more than one DNS server is used so that the load can be split up and so that redundancy and fault tolerance are in place. Within DNS servers, networks are split into zones. One zone may contain all hostnames for the marketing and accounting departments, and another zone may contain hostnames for the administration, research, and legal departments. It is a good idea to split DNS zones when possible so that the names of hosts that are accessible only from an intranet are not visible from the Internet. This information is valuable to an attacker who is planning an attack because it can lead to other information, such as the network structure, organizational structure, or server operating systems.

WRONG A is incorrect because this is not the best answer for this question. Naming zones are split up so that attackers cannot learn information about internal systems, such as names, IP addresses, functions, and so on. One of the secondary attacks after exploiting a DNS server could be accessing a server in an unauthorized manner, but ensuring unauthorized access just to servers is not the main reason to split DNS zones.

WRONG B is incorrect because splitting naming zones has to do with how DNS servers are set up to resolve hostnames, not manipulate the hosts file. The hosts file can be manipulated for a number of reasons, both for good and bad. The hosts file always maps the hostname localhost to the IP address 127.0.0.1 (this is the loopback network interface, which is defined in RFC 3330), as well as other hosts. Some viruses add invalid IP addresses of antivirus vendors to the hosts file to avoid detection. By adding frequently visited IP addresses to the hosts file, you can increase the speed of Web browsing. You can also block spyware and ad networks by adding lists of spyware and ad network sites to the hosts file and mapping them to the loopback network interface. This way, these sites always point back to the user’s machine and the sites cannot be reached.

WRONG D is incorrect because hackers do not need information on a DNS server to carry out cybersquatting. Cybersquatting occurs when an attacker purchases a well-known brand or company name, or variation thereof, as a domain name with the goal of selling it to the rightful owner. In the meantime, the company can be misrepresented to the public. The only way an organization can avoid cybersquatting is by registering adjacent domains and variations on the domain, or by trademark litigation.

159

Single point of failure for traffic

Some type of redundancy should be put into place.

160

Analog signals

Continuously varying electromagnetic wave that represents and transmits data. Carrier signals vary by amplification and frequency.

161

Cleanup rule

Last rule in the rule base that drops and logs any traffic that does not meet the preceding rules.

162

Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean’s team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

33. Which of the following best describes the firewall configuration issues Sean’s team member is describing?

  A. Clean-up rule, stealth rule

  B. Stealth rule, silent rule

  C. Silent rule, negate rule

  D. Stealth rule, silent rule

33. C. The following describes the different firewall rule types:

  • Silent rule: Drops "noisy" traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
  • Stealth rule: Disallows access to firewall software from unauthorized systems.
  • Cleanup rule: The last rule in the rule base, which drops and logs any traffic that does not meet the preceding rules.
  • Negate rule: Used instead of the broad and permissive "any" rules. Negate rules provide tighter permission rights by specifying what system can be accessed and how.

163

Dedicated Links

A dedicated link is also called a leased line or point-to-point link. It is one single link that is pre-established for the purposes of WAN communications between two destinations. It is dedicated, meaning only the destination points can communicate with each other. This link is not shared by any other entities at any time. This was the main way companies communicated in the past, because not as many choices were available as there are today. Establishing a dedicated link is a good idea for two locations that will communicate often and require fast transmission and a specific bandwidth, but it is expensive compared to other possible technologies that enable several companies to share the same bandwidth and also share the cost. This does not mean that dedicated lines are not in use; they definitely are used, but many other options are now available, including X.25, frame relay, MPLS, and ATM technologies.

164

DHCPREQUEST message

The client sends a DHCPREQUEST message to the first DHCP server that responded to its initial request.

165

Spanning Tree Algorithm (STA)

Many bridges use the Spanning Tree Algorithm (STA), which adds more intelligence to the bridges. STA ensures that frames do not circle networks forever, provides redundant paths in case a bridge goes down, assigns unique identifiers to each bridge, assigns priority values to these bridges, and calculates path costs. This creates much more efficient frame-forwarding processes by each bridge. STA also enables an administrator to indicate whether he wants traffic to travel certain paths instead of others.

166

Some of the weaknesses of packet filtering firewalls are as follows:

  • They cannot prevent attacks that employ application-specific vulnerabilities or functions.
  • The logging functionality present in packet filtering firewalls is limited.
  • Most packet filtering firewalls do not support advanced user authentication schemes.
  • Many packet filtering firewalls cannot detect spoofed addresses.
  • They may not be able to detect packet fragmentation attacks.

167

Wormhole Attack

An attacker can capture a packet at one location in the network and tunnel it to another location in the network. In this type of attack, there are two attackers, one at each end of the tunnel (referred to as a wormhole). Attacker A could capture an authentication token that is being sent to an authentication server, and then send this token to the other attacker, who then uses it to gain unauthorized access to a resource. This can take place on a wired or wireless network, but it is easier to carry out on a wireless network because the attacker does not need to actually penetrate a physical wire.

168

Even with all of these issues and potential vulnerabilities, many companies allow their employees to use this technology because it allows quick and effective communication to take place. So, if you absolutely have to allow this technology in your environment, there are some things you should do to help reduce your threat level. The following are best practices for protecting an environment from these types of security breaches:

  • Establish a security policy specifying IM usage restrictions.
  • Implement an integrated antivirus/firewall product on all computers.
  • Configure firewalls to block unwanted IM traffic.
  • Patch IM software to ensure that the most secure versions are running.
  • Implement corporate IM servers so internal employees communicate within the organization’s network only.
  • Only allow IM client software that provides encryption capabilities if protection of this type of traffic is required.

169

It is important to understand the following characteristics of these firewall architecture types:

Dual-homed:

  • A single computer with separate NICs connected to each network.
  • Used to divide an internal trusted network from an external untrusted network.
  • Must disable a computer’s forwarding and routing functionality so the two networks are truly segregated.

171

Synchronous Digital Hierarchy (SDH)

The Europeans have a different infrastructure and chose to use Synchronous Digital Hierarchy (SDH), which supports E1 lines (2.048 Mbps) and E3 lines (34.368 Mbps). SONET is the standard for North America, while SDH is the standard for the rest of the world. SDH and SONET are similar but just different enough to be incompatible. For communication to take place between SDH and SONET lines, a gateway must do the proper signaling translation.

172

IP fragmentation

Exploitation of fragmentation and reassembly flaws within IP, which causes DoS.

173

kernel proxy firewall

A kernel proxy firewall is considered a fifth-generation firewall. It differs from all the previously discussed firewall technologies because it creates dynamic, customized network stacks when a packet needs to be evaluated.

174

Address Resolution Protocol (ARP)

A networking protocol used for resolution of network layer IP addresses into link layer MAC addresses.

175

Plenum cables

Cable is jacketed with a fire-retardant plastic cover that does not release toxic chemicals when burned.

176

Overlapping fragment attack

Used to subvert packet filters that do not reassemble packet fragments before inspection. A malicious fragment overwrites a previously approved fragment and executes an attack on the victim’s system.

177

War dialing

When a specialized program is used to automatically scan a list of telephone numbers to search for computers for the purposes of exploitation and hacking.

178

Virtualized Firewalls

Even virtualized environments need protection.

A lot of the network functionality we have covered up to this point can take place in virtual environments. Most people understand that a host system can have virtual guest systems running on it, which allow for multiple operating systems to run on the same hardware platform simultaneously. But the industry has advanced much further than this when it comes to virtualized technology. Routers and switches can be virtualized, which means you do not actually purchase a piece of hardware and plug it into your network, but instead you can deploy software products that carry out routing and switching functionality.

179

public-switched telephone network (PSTN)

Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators. The regular phone system is based on a circuit-switched, voice-centric network, called the public-switched telephone network (PSTN). The PSTN uses circuit switching instead of packet switching. When a phone call is made, the call is placed at the PSTN interface, which is the user’s telephone. This telephone is connected to the telephone company’s local loop via copper wiring. Once the signals for this phone call reach the telephone company’s central office (the end of the local loop), they are part of the telephone company’s circuit-switching world. A connection is made between the source and the destination, and as long as the call is in session, the data flows through the same switches.

180

emulated

A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot system lure attackers, administrators may enable services and ports that are popular to exploit. Some honeypot systems have services emulated, meaning the actual service is not running but software that acts like those services is available. Honeypot systems can get an attacker’s attention by advertising themselves as easy targets to compromise. They are configured to look like regular company systems so that attackers will be drawn to them like bears are to honey.

181

Broadband and Baseband

How many channels can you shove into this one wire?

So analog transmission means that data is being moved as waves, and digital transmission means that data is being moved as discrete electric pulses. Synchronous transmission means that two devices control their conversations with a clocking mechanism, and asynchronous means that systems use start and stop bits for communication synchronization. Now let’s look at how many individual communication sessions can take place at one time.

182

Secure Sockets Layer (SSL)

A newer VPN technology is Secure Sockets Layer (SSL), which works at even higher layers in the OSI model than the previously covered VPN protocols. SSL works at the transport and session layers of the network stack and is used mainly to protect HTTP traffic. SSL capabilities are already embedded into most web browsers, so the deployment and interoperability issues are minimal.

183

Star topology

Network consists of one central device, which acts as a conduit to transmit messages. The central device, to which all other nodes are connected, provides a common connection point for all nodes.

184

Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

23. What type of client ports should Don make sure the institution’s software is using when client-to-server communication needs to take place?

  A. Well known

  B. Registered

  C. Dynamic

  D. Free

23. C. Well-known ports are mapped to commonly used services (HTTP, FTP, etc.). Registered ports are 1,024-49,151, and vendors register specific ports to map to their proprietary software. Dynamic ports (private ports) are available for use by any application.

185

chipping

Direct sequence spread spectrum (DSSS) takes a different approach by applying sub-bits to a message. The sub-bits are used by the sending system to generate a different format of the data before the data are transmitted. The receiving end uses these sub-bits to reassemble the signal into the original data format. The sub-bits are called chips, and the sequence of how the sub-bits are applied is referred to as the chipping code.

186

Circuit switching:

  • Connection-oriented virtual links.
  • Traffic travels in a predictable and constant manner.
  • Fixed delays.
  • Usually carries voice-oriented data.

187

Asymmetric DSL (ADSL)

Data travel downstream faster than upstream. Upstream speeds are 128 Kbps to 384 Kbps, and downstream speeds can be as fast as 768 Kbps. Generally used by residential users.

188

Dial-up Connections

Since almost every house and office had a telephone line running to it already, the first type of remote connectivity technology that was used took advantage of this in-place infrastructure. Modems were added to computers that needed to communicate with other computers over telecommunication lines.

189

15. Which of the following allows for the ability to pool resources, automate resource provisioning, and increase and decrease processing capacity quickly to meet the needs of dynamic computing workloads?

  A. Software as a Service

  B. Network convergence

  C. IEEE 802.1x

  D. RAID

15. B. Network convergence means the combining of server, storage, and network capabilities into a single framework. This helps to decrease the costs and complexity of running data centers and has accelerated the evolution of cloud computing. Converged infrastructures provide the ability to pool resources, automate resource provisioning, and increase and decrease processing capacity quickly to meet the needs of dynamic computing workloads.

190

Variable Bit Rate (VBR)

A connection-oriented channel best used for delay-insensitive applications because the data throughput flow is uneven. Customers specify their required peak and sustained rate of data throughput.

191

9. IP telephony networks require the same security measures as those implemented on an IP data network. Which of the following is unique to IP telephony?

A. Limiting IP sessions going through media gateways

B. Identification of rogue devices

C. Implementation of authentication

D. Encryption of packets containing sensitive information

Extended Questions:

CORRECT A. A media gateway is the translation unit between disparate telecommunications networks. VoIP media gateways perform the conversion from Time Division Multiplexing (TDM) voice to Voice over Internet Protocol (VoIP). As a security measure, the number of calls via media gateways should be limited. Otherwise, media gateways are vulnerable to denial-of-service attacks, hijacking, and other types of attacks.

WRONG B is incorrect because it is necessary to identify rogue devices on both IP telephony and data networks. On IP telephony networks, it is necessary to look specifically for rogue IP phones and softphones. Rogue means that these devices are unauthorized. They are therefore not managed or secured by IT and can introduce additional risk to the network. A common rogue device found on data networks is wireless access points. A rogue access point can provide an entry to the network for unauthorized users.

WRONG C is incorrect because authentication is recommended for both data and voice networks. In both cases, authentication allows you to register users and equipment on the network so that you can verify they are who they say they are when they try to connect to the network. Authentication also allows you to deny access to users and devices that are not authorized.

WRONG D is incorrect because sensitive data can be transmitted on either a voice or data network and should be encrypted in both cases. Eavesdropping is a very real threat for VoIP networks. Consider all the sales meetings, management meetings, financial meetings, etc., that are conducted over the phone. Every word that is spoken in those meetings is vulnerable to eavesdropping. Encrypting voice data is one of the best ways to protect this sensitive data.

192

Application Layer

Hand me your information. I will take it from here.

The application layer, layer 7, works closest to the user and provides file transmissions, message exchanges, terminal sessions, and much more. This layer does not include the actual applications, but rather the protocols that support the applications. When an application needs to send data over the network, it passes instructions and the data to the protocols that support it at the application layer. This layer processes and properly formats the data and passes the same down to the next layer within the OSI model. This happens until the data the application layer constructed contain the essential information from each layer necessary to transmit the data over the network. The data are then put on the network cable and are transmitted until they arrive at the destination computer.

193

4. Two commonly used networking protocols are TCP and UDP. Which of the following correctly describes the two?

A. TCP provides best-effort delivery, and UDP sets up a virtual connection with the destination.

B. TCP provides more services and is more reliable in data transmission, whereas UDP takes less resources and overhead to transmit data.

C. TCP provides more services and is more reliable, but UDP provides more security services.

D. TCP is reliable, and UDP deals with flow control and ACKs.

Extended Questions:

CORRECT B. Two main protocols within the TCP/IP stack work at the transport layer: TCP and UDP. TCP is a reliable and connection-oriented protocol, which means it ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP has the ability to identify this issue and resend the lost or corrupted packet. TCP is referred to as a connection-oriented protocol because, before any user data is actually sent, handshaking takes place between the two systems that want to communicate. Once the handshaking completes successfully, a virtual connection is set up between the two systems. UDP is considered a connectionless protocol because it does not go through these steps. Instead, UDP sends out messages without first contacting the destination computer and does not know whether the packets were received properly or dropped. TCP provides a full-duplex, reliable communication mechanism, and if any packets are lost or damaged, they are re-sent; however, TCP requires a lot of system overhead when compared to UDP. If a programmer knows data dropped during transmission is not detrimental to the application, he may choose to use UDP because it is faster and requires fewer resources.

WRONG A is incorrect because the descriptions are backward. UDP is a connectionless protocol that does not send or receive acknowledgments when a datagram is received. It does not ensure that data arrives at its destination. It provides best-effort delivery. TCP is a connection-oriented protocol; thus, it performs handshaking and develops a virtual connection with the destination computer. It ensures data arrives at its destination.

WRONG C is incorrect because UDP does not provide security services. However, TCP is more reliable and provides more services than UDP. Unlike UDP, TCP ensures that packets reach their destinations, returns ACKs when a packet is received, and is a reliable protocol. It supports flow and congestion control, and error detection and correction.

WRONG D is incorrect because the description of UDP describes TCP. UDP does not return ACKs and does not guarantee that a packet will reach its destination. It is an unreliable protocol. Furthermore, the destination computer does not communicate back to the source computer about flow control through UDP.

194

8. Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component?

  A. Orthogonal frequency division

  B. Unified threat management modem

  C. Virtual firewall

  D. Internet Security Association and Key Management Protocol

8. C. Virtual firewalls can be bridge-mode products, which monitor individual traffic links between virtual machines, or they can be integrated within the hypervisor. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the one system.

195

Half-duplex

Communication takes place in both directions, but only one application can send information at a time.

196

Tom’s company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is that employees can plug their laptops, smart phones, and other mobile devices into the network; these devices may be infected and have running sniffers that the owners are not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, such as their switches, do not have this type of functionality available. Another issue Tom’s team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom’s boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.

36. Which of the following solutions is best to meet the company’s need to protect wireless traffic?

  A. EAP-TLS

  B. EAP-PEAP

  C. LEAP

  D. EAP-TTLS

36. D. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. EAP-TTLS is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each wireless device be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates.

197

Baseband transmission

Uses the full bandwidth for only one communication channel and has a low data transfer rate compared to broadband.

198

Subnetting

Subnetting allows large IP ranges to be divided into smaller, logical, and more tangible network segments. Consider an organization with several divisions, such as IT, Accounting, HR, and so on. Creating subnets for each division breaks the networks into logical partitions that route traffic directly to recipients without dispersing data all over the network. This drastically reduces the traffic load across the network, reducing the possibility of network congestion and excessive broadcast packets in the network. Implementing network security policies is also much more effective across logically categorized subnets with a demarcated perimeter, as compared to a large, cluttered, and complex network.

199

19. Today, satellites are used to provide wireless connectivity between different locations. What two prerequisites are needed for two different locations to communicate via satellite links?

A. They must be connected via a phone line and have access to a modem.

B. They must be within the satellite’s line of sight and footprint.

C. They must have broadband and a satellite in low Earth orbit.

D. They must have a transponder and be within the satellite’s footprint.

Extended Questions:

CORRECT B. For two different locations to communicate via satellite links, they must be within the satellite’s line of sight and footprint (area covered by the satellite). The sender of information modulates the data onto a radio signal that is transmitted to the satellite. A transponder on the satellite receives this signal, amplifies it, and relays it to the receiver. The receiver must have a certain type of antenna, which is one of those circular, dish-like components on top of buildings. The antenna contains one or more microwave receivers, depending upon how many satellites it is accepting data from. The size of the footprint depends upon the type of satellite being used. It can be as large as a country or only a few hundred feet in circumference.

WRONG A is incorrect because a phone line and a modem are not wireless. However, in most cases satellite broadband is a hybrid system that uses a regular phone line and modem-like technologies for data and requests sent from the user’s machine, but employs a satellite link to send data to the user.

WRONG C is incorrect because the satellite provides broadband transmission. It is commonly used for television channels and PC Internet access. While it is certainly necessary to have a satellite in orbit, and those in low Earth orbit are commonly used for two-way paging, international cellular communication, TV stations, and Internet use, it is not the best answer to this question.

WRONG D is incorrect because the two locations do not require a transponder. The transponder is on the satellite itself. The transponder receives a signal, amplifies it, and sends it to the receiver. However, it is necessary for the two locations to be within the satellite’s footprint.

201

Spread Spectrum Types: This technology transmits data by "spreading" it over a broad range of frequencies:

  • FHSS moves data by changing frequencies.
  • DSSS takes a different approach by applying sub-bits to a message and uses all of the available frequencies at the same time.

202

wireless personal area network (WPAN)

This standard deals with a much smaller geographical network, which is referred to as a wireless personal area network (WPAN). This technology allows for connectivity to take place among local devices, such as a computer communicating with a wireless keyboard, a cellular phone communicating with a computer, or a headset communicating with another device. The goal here—as with all wireless technologies—is to allow for data transfer without all of those pesky cables.

203

Software as a Service (SaaS)

With Software as a Service (SaaS), the provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network-based access to a single copy of an application created specifically for SaaS distribution and use.

204

WLAN Security

The first WLAN standard, IEEE 802.11, had a tremendous number of security flaws. These were found within the core standard itself, as well as in different implementations of this standard. The three core deficiencies with WEP are the use of static encryption keys, the ineffective use of initialization vectors, and the lack of packet integrity assurance. The WEP protocol uses the RC4 algorithm, which is a stream-symmetric cipher. Symmetric means the sender and receiver must use the exact same key for encryption and decryption purposes. The 802.11 standard does not stipulate how to update these keys through an automated process, so in most environments, the RC4 symmetric keys are never changed out. And usually all of the wireless devices and the AP share the exact same key. This is like having everyone in your company use the exact same password. Not a good idea. So that is the first issue—static WEP encryption keys on all devices.

205

12. Which of the following incorrectly describes how routing commonly takes place on the Internet?

A. EGP is used in the areas "between" each AS.

B. Regions of nodes that share characteristics and behaviors are called ASs.

C. CAs are specific nodes that are responsible for routing to nodes outside of their region.

D. Each AS uses IGP to perform routing functionality.

Extended Questions:

CORRECT C. A CA, or Certificate Authority, is a trusted third party that provides digital certificates for use in a public key infrastructure. Certificate Authorities have nothing to do with routing. A PKI environment provides a hierarchical trust model but does not deal with routing of traffic.

WRONG A is incorrect because the statement is true. The Exterior Gateway Protocol (EGP) functions between each autonomous system (AS). The architecture of the Internet that supports these various ASs is created so that no entity that needs to connect to a specific AS has to know or understand the interior protocols that can be used. Instead, for ASs to communicate, they just have to be using the same exterior routing protocols.

WRONG B is incorrect because the statement is true; regions of nodes (networks) that share characteristics and behaviors are called autonomous systems (ASs). These ASs are independently controlled by different corporations and organizations. An AS is made up of computers and devices, which are administered by a single entity and use a common Interior Gateway Protocol (IGP). The boundaries of these ASs are delineated by border routers. These routers connect to the border routers of other ASs and run interior and exterior routing protocols. Internal routers connect to other routers within the same AS and run interior routing protocols. So, in reality, the Internet is just a network made up of ASs and routing protocols.

WRONG D is incorrect because Interior Gateway Protocol (IGP) handles routing tasks within each AS. There are two categories of IGPs: distance-vector routing protocols and link-state routing protocols. Distance-vector routing protocols include Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP). Routers using these protocols do not possess information about the entire network topology. Nodes using link-state routing protocols, on the other hand, possess information about the complete network topology. Examples of these protocols include Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS).

206

orthogonal frequency-division multiplexing (OFDM)

While not considered an official "spread spectrum" technology, the next step in trying to move even more data over wireless frequency signals came in the form of orthogonal frequency-division multiplexing (OFDM). OFDM is a digital multicarrier modulation scheme that compacts multiple modulated carriers tightly together, reducing the required bandwidth. The modulated signals are orthogonal (perpendicular) and do not interfere with each other. OFDM uses a composite of narrow channel bands to enhance its performance in high-frequency bands. OFDM is officially a multiplexing technology and not a spread spectrum technology, but is used in a similar manner.

207

E-Carriers

E-carriers are similar to T-carrier telecommunication connections, where a single physical wire pair can be used to carry many simultaneous voice conversations by time-division multiplexing. Within this technology 30 channels interleave eight bits of data in a frame. While the T-carrier and E-carrier technologies are similar, they are not interoperable. E-carriers are used by European countries.

208

Link-state routing protocol

A routing protocol used in packet-switching networks where each router constructs a map of the connectivity within the network and calculates the best logical paths, which form its routing table.

209

Sender Policy Framework (SPF)

An e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, through verification of sender IP addresses.

210

Summary of Tunneling Protocols: IPSec:

  • Handles multiple VPN connections at the same time
  • Provides secure authentication and encryption
  • Supports only IP networks
  • Focuses on LAN-to-LAN communication rather than user-to-user
  • Works at the network layer, and provides security on top of IP

211

Switched Multimegabit Data Service (SMDS)

Switched Multimegabit Data Service (SMDS) is a high-speed packet-switched technology used to enable customers to extend their LANs across MANs and WANs. When a company has an office in one state that needs to communicate with an office in a different state, for example, the two LANs can use this packet-switching protocol to communicate across the already established public network. This protocol is connectionless and can provide bandwidth on demand.

212

Data-Over-Cable Service Interface Specifications (DOCSIS)

Most cable providers comply with Data-Over-Cable Service Interface Specifications (DOCSIS), which is an international telecommunications standard that allows for the addition of high-speed data transfer to an existing cable TV (CATV) system. DOCSIS includes MAC layer security services in its Baseline Privacy Interface/Security (BPI/SEC) specifications. This protects individual user traffic by encrypting the data as they travel over the provider’s infrastructure.

213

Ethernet

Common LAN media access technology standardized by IEEE 802.3. Uses 48-bit MAC addressing, works in contention-based networks, and has extended outside of just LAN environments.

214

SSL Portal VPNs

An individual uses a single standard SSL connection to a web site to securely access multiple network services. The web site accessed is typically called a portal because it is a single location that provides access to other resources. The remote user accesses the SSL VPN gateway using a web browser, is authenticated, and is then presented with a web page that acts as the portal to the other services.

216

19. Which of the following is not a characteristic of the Protected Extensible Authentication Protocol?

  A. Authentication protocol used in wireless networks and point-to-point connections

  B. Designed to provide authentication for 802.11 WLANs

  C. Designed to support 802.1X port access control and transport layer security

  D. Designed to support password-protected connections

19. D. PEAP (Protected Extensible Authentication Protocol) is a version of EAP and is an authentication protocol used in wireless networks and point-to-point connections. PEAP is designed to provide authentication for 802.11 WLANs, which support 802.1X port access control and TLS. It is a protocol that encapsulates EAP within a potentially encrypted and authenticated TLS tunnel.

217

Code division multiple access (CDMA)

Code division multiple access (CDMA) was developed after FDMA, and as the term "code" implies, CDMA assigns a unique code to each voice call or data transmission to uniquely identify it from all other transmissions sent over the cellular network. In a CDMA "spread spectrum" network, calls are spread throughout the entire radio-frequency band. CDMA permits every user of the network to simultaneously use every channel in the network. At the same time, a particular cell can simultaneously interact with multiple other cells. These features make CDMA a very powerful technology. It is the main technology for the mobile cellular networks that presently dominate the wireless space.

218

2. How does TKIP provide more protection for WLAN environments?

  A. It uses the AES algorithm.

  B. It decreases the IV size and uses the AES algorithm.

  C. It adds more keying material.

  D. It uses MAC and IP filtering.

2. C. The TKIP protocol actually works with WEP by feeding it keying material, which is data to be used for generating random keystreams. TKIP increases the IV size, ensures it is random for each packet, and adds the sender’s MAC address to the keying material.

219

value-added network (VAN)

A value-added network (VAN) is an EDI infrastructure developed and maintained by a service bureau. A Wal-Mart store tracks its inventory by having employees scan bar codes on individual items. When the inventory of an item becomes low, a Wal-Mart employee sends a request for more of that specific item. This request goes to a mailbox at a VAN that Wal-Mart pays to use, and the request is then pushed out to a supplier that provides this type of inventory for Wal-Mart. Because Wal-Mart (and other stores) deals with thousands of suppliers, using a VAN simplifies the ordering process: instead of an employee having to track down the right supplier and submit a purchase order, this all happens in the background through an automated EDI network, which is managed by a VAN company for use by other companies.

220

Sender Policy Framework (SPF)

Another way to deal with the problem of forged e-mail messages is to use Sender Policy Framework (SPF), an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing through verification of the sender’s IP address. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific SPF record in DNS. Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

221

Third generation (3G):

  • Integration of voice and data
  • Packet-switched technology, instead of circuit-switched

222

broadband

A baseband technology uses the entire communication channel for its transmission, whereas a broadband technology divides the communication channel into individual and independent subchannels so that different types of data can be transmitted simultaneously. Baseband permits only one signal to be transmitted at a time, whereas broadband carries several signals over different subchannels. For example, a coaxial cable TV (CATV) system is a broadband technology that delivers multiple television channels over the same cable. This system can also provide home users with Internet access, but these data are transmitted at a different frequency spectrum than the TV channels.

223

Address Resolution Protocol

This IP does me no good! I need a MAC!

On a TCP/IP network, each computer and network device requires a unique IP address and a unique physical hardware address. Each NIC has a unique physical address that is programmed into the ROM chips on the card by the manufacturer. The physical address is also referred to as the Media Access Control (MAC) address. The network layer works with and understands IP addresses, and the data link layer works with and understands physical MAC addresses. So, how do these two types of addresses work together since they operate at different layers?

224

Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP ECHO REQUEST packets to all the hosts on a specific subnet, which is aimed at one specific server.

27. Which of the following is the best type of fiber that should be implemented in this scenario?

  A. Single mode

  B. Multimode

  C. Optical carrier

  D. SONET

27. B. In single mode, a small glass core is used for high-speed data transmission over long distances. This scenario specifies campus building-to-building connections, which are usually short distances. In multimode, a large glass core is used and is able to carry more data than single-mode fibers, though they are best for shorter distances because of their higher attenuation levels.

225

SMTP authentication (SMTP-AUTH)

SMTP authentication (SMTP-AUTH) was developed to provide an access control mechanism. This extension comprises an authentication feature that allows clients to authenticate to the mail server before an e-mail is sent. Servers using the SMTP-AUTH extension are configured in such a manner that their clients are obliged to use the extension so that the sender can be authenticated.

226

4. Why are switched infrastructures safer environments than routed networks?

  A. It is more difficult to sniff traffic since the computers have virtual private connections.

  B. They are just as unsafe as nonswitched environments.

  C. The data link encryption does not permit wiretapping.

  D. Switches are more intelligent than bridges and implement security mechanisms.

4. A. Switched environments use switches to allow different network segments and/or systems to communicate. When this communication takes place, a virtual connection is set up between the communicating devices. Since it is a dedicated connection, broadcast and collision data are not available to other systems, as in an environment that uses purely bridges and routers.

227

Domain Name Service (DNS)

Imagine how hard it would be to use the Internet if we had to remember actual specific IP addresses to get to various websites. The Domain Name Service (DNS) is a method of resolving hostnames to IP addresses so names can be used instead of IP addresses within networked environments.

228

Data-Over-Cable Service Interface Specifications (DOCSIS)

Most cable providers comply with Data-Over-Cable Service Interface Specifications (DOCSIS), which is an international telecommunications standard that allows for the addition of high-speed data transfer to an existing cable TV (CATV) system. DOCSIS includes MAC layer security services in its Baseline Privacy Interface/Security (BPI/SEC) specifications. This protects individual user traffic by encrypting the data as they travel over the provider’s infrastructure.

229

local area network (LAN)

A local area network (LAN) is a network that provides shared communication and resources in a relatively small area. What defines a LAN, as compared to a WAN, depends on the physical medium, encapsulation protocols, and media access technology. For example, a LAN could use 10Base-T cabling, TCP/IP protocols, and Ethernet media access technology, and it could enable users who are in the same local building to communicate. A WAN, on the other hand, could use fiber-optic cabling, the L2TP encapsulation protocol, and ATM media access technology, and could enable users from one building to communicate with users in another building in another state (or country). A WAN connects LANs over great distances geographically. Most of the differences between these technologies are found at the data link layer.

230

10. Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information?

A. Persistent XSS vulnerability

B. Nonpersistent XSS vulnerability

C. Second-order vulnerability

D. DOM-based vulnerability

Extended Questions:

CORRECT B. XSS attacks enable an attacker to inject their malicious code into vulnerable Web pages. When an unsuspecting user visits the infected page, the malicious code executes on the victim’s browser and may lead to stolen cookies, hijacked sessions, malware execution, bypassed access control, or aid in exploiting browser vulnerabilities. There are three different XSS vulnerabilities: persistent, nonpersistent, and DOM-based. A nonpersistent vulnerability (also called a reflected vulnerability) occurs when an attacker tricks the victim into opening a URL programmed with a rogue script to steal the victim’s sensitive information, such as a cookie or session ID. The principle behind this attack lies in exploiting the lack of proper input or output validation on dynamic Web sites. An XSS attack such as this can potentially cause damage on a huge scale. The stolen cookies can lead to compromised Web mail systems, flooded blogs, and disclosed bank accounts. Most of the phishing attacks are caused by XSS vulnerabilities.

WRONG A is incorrect because a persistent vulnerability is targeted at Web sites that allow users to input data that is stored in a database or similar location, such as a forum or message board. The code for this type of attack can be rendered automatically without the need of luring a user to a third-party Web site. The best way to overcome the XSS vulnerability is through secure programming practices. Web application developers must ensure that every user input is filtered. Only a limited set of known and secure characters should be allowed for user input.

WRONG C is incorrect because a second-order vulnerability is another name for a persistent XSS vulnerability, which targets Web sites that allow users to input data that is stored in a database.

WRONG D is incorrect because in a DOM-based XSS vulnerability the attacker uses the Document Object Model (DOM) environment to modify the original client-side JavaScript. This causes the victim’s browser to execute the resulting abusive JavaScript code. Thus, cross-site attacks can be used to exploit vulnerabilities in the victim’s Web browser. Once the system is successfully compromised by the attacker, he may further penetrate into other systems on the network or execute scripts that may spread through the internal network. As for the client’s side, the most effective way to prevent XSS attacks is to disable scripting language support in the browser. If this is not feasible, then content filtering proxy servers may be used.

231

H.323 Gateways

The ITU-T recommendations cover a wide variety of multimedia communication services. H.323 is part of this family of recommendations, but it is also a standard that deals with video, real-time audio, and data packet-based transmissions where multiple users can be involved with the data exchange. An H.323 environment features terminals, which can be telephones or computers with telephony software, gateways that connect this environment to the PSTN, multipoint control units, and gatekeepers that manage calls and functionality.

232

Digital Subscriber Line (DSL)

A set of technologies that provide Internet access by transmitting digital data over the wires of a local telephone network. DSL is used to digitize the "last mile" and provide fast Internet connectivity.

233

Cloud computing

The delivery of computer processing capabilities as a service rather than as a product, whereby shared resources, software, and information are provided to end users as a utility. Offerings are usually bundled as an infrastructure, platform, or software.

234

Rate-Adaptive Digital Subscriber Line (RADSL)

Rate-adaptive feature that will adjust the transmission speed to match the quality and the length of the line.

235

DHCP snooping

A series of techniques applied to ensure the security of an existing DHCP infrastructure by tracking physical locations, ensuring that only authorized DHCP servers are accessible, and ensuring that hosts use only the addresses assigned to them.

236

Synchronous Data Link Control (SDLC)

Synchronous Data Link Control (SDLC) is a protocol used in networks that use dedicated, leased lines with permanent physical connections. It is used mainly for communications with IBM hosts within a Systems Network Architecture (SNA). Developed by IBM in the 1970s, SDLC is a bit-oriented, synchronous protocol that has evolved into other communication protocols, such as HDLC, Link Access Procedure (LAP), and Link Access Procedure-Balanced (LAPB).

237

Private Branch Exchange (PBX)

A telephone exchange that serves a particular business, makes connections among the internal telephones, and connects them to the public-switched telephone network (PSTN) via trunk lines.

238

Address Resolution Protocol (ARP)

MAC and IP addresses must be properly mapped so they can be correctly resolved. This happens through the Address Resolution Protocol (ARP). When the data link layer receives a frame, the network layer has already attached the destination IP address to it, but the data link layer cannot understand the IP address and thus invokes ARP for help. ARP broadcasts a frame requesting the MAC address that corresponds with the destination IP address. Each computer on the subnet receives this broadcast frame, and all but the computer that has the requested IP address ignore it. The computer that has the destination IP address responds with its MAC address. Now ARP knows what hardware address corresponds with that specific IP address. The data link layer takes the frame, adds the hardware address to it, and passes it on to the physical layer, which enables the frame to hit the wire and go to the destination computer. ARP maps the hardware address and associated IP address and stores this mapping in its table for a predefined amount of time. This caching is done so that when another frame destined for the same IP address needs to hit the wire, ARP does not need to broadcast its request again. It just looks in its table for this information.

239

41. Wireless LAN technologies have gone through different versions over the years to address some of the inherent security issues within the original IEEE 802.11 standard. Which of the following provides the correct characteristics of Wi-Fi Protected Access 2 (WPA2)?

  A. IEEE 802.1X, WEP, MAC

  B. IEEE 802.1X, EAP, TKIP

  C. IEEE 802.1X, EAP, WEP

  D. IEEE 802.1X, EAP, CCMP

41. D. Wi-Fi Protected Access 2 requires IEEE 802.1X or preshared keys for access control, EAP or preshared keys for authentication, and AES in Counter-Mode/CBC-MAC Protocol (CCMP) for encryption.

240

The types of firewalls we will review are

  • Packet filtering
  • Stateful
  • Proxy
  • Dynamic packet filtering
  • Kernel proxy

241

Broadband transmission

Divides the bandwidth of a communication channel into many channels, enabling different types of data to be transmitted at one time.

242

RTP Control Protocol (RTCP)

RTP is a session layer protocol that carries data in media stream format, as in audio and video, and is used extensively in VoIP, telephony, video conferencing, and other multimedia streaming technologies. It provides end-to-end delivery services and is commonly run over the transport layer protocol UDP. RTP Control Protocol (RTCP) is used in conjunction with RTP and is also considered a session layer protocol. It provides out-of-band statistics and control information to provide feedback on QoS levels of individual streaming multimedia sessions.

243

How Many Protocols Do We Need?

If you are new to networking, all of these protocols can get quite confusing. For example, this chapter has already covered the following data link protocols: Ethernet, Token Ring, FDDI, ATM, frame relay, SDLC, HDLC, and now PPP, and we have not even gotten to PPTP, Wi-Fi, or WiMAX. Why in the world do we need so many data link protocols?

244

Copper Distributed Data Interface (CDDI)

A version of FDDI, Copper Distributed Data Interface (CDDI), can work over UTP cabling. Whereas FDDI would be used more as a MAN, CDDI can be used within a LAN environment to connect network segments.

245

Point-to-point protocol (PPP)

Point-to-point protocol (PPP) is similar to HDLC in that it is a data link protocol that carries out framing and encapsulation for point-to-point connections. A point-to-point connection means there is one connection between one device (point) and another device (point). If the systems on your LAN use the Ethernet protocol, what happens when a system needs to communicate to a server at your ISP for Internet connectivity? This is not an Ethernet connection, so how do the systems know how to communicate with each other if they cannot use Ethernet as their data link protocol? They use a data link protocol they do understand. Telecommunication devices commonly use PPP as their data link protocol.

246

1. What does it mean if someone says they were a victim of a Bluejacking attack?

  A. An unsolicited message was sent.

  B. A cell phone was cloned.

  C. An IM channel introduced a worm.

  D. Traffic was analyzed.

1. A. Bluejacking occurs when someone sends an unsolicited message to a device that is Bluetooth-enabled. Bluejackers look for a receiving device (phone, PDA, tablet PC, laptop) and then send a message to it. Often, the Bluejacker is trying to send someone else their business card, which will be added to the victim’s contact list in their address book.

247

The following shows some of the most commonly used protocols and the ports to which they are usually mapped:

  • Telnet port 23
  • SMTP port 25
  • HTTP port 80
  • SNMP ports 161 and 162
  • FTP ports 21 and 20

248

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP) is basically IP’s "messenger boy." ICMP delivers status messages, reports errors, replies to certain requests, reports routing information, and is used to test connectivity and troubleshoot problems on IP networks.

249

Ping of Death

A type of DoS attack that involves sending malformed or oversized ICMP packets to a target computer.

250

Integrated Services Digital Network (ISDN)

A circuit-switched telephone network system technology designed to allow digital transmission of voice and data over ordinary telephone copper wires.

251

IP Telephony Issues

VoIP’s integration with the TCP/IP protocol has brought about immense security challenges because it allows malicious users to bring their TCP/IP experience into this relatively new platform, where they can probe for flaws in both the architecture and the VoIP systems. Also involved are the traditional security issues associated with networks, such as unauthorized access, exploitation of communication protocols, and the spreading of malware. The promise of financial benefit derived from stolen call time is a strong incentive for most attackers. In short, the VoIP telephony network faces all the flaws that traditional computer networks have faced. Moreover, VoIP devices follow architectures similar to traditional computers—that is, they use operating systems, communicate through Internet protocols, and provide a combination of services and applications.

252

Electronic data interchange (EDI)

The structured transmission of data between organizations. It describes a rigorously standardized format for electronic documents and is commonly used in supply chains between customers, vendors, and suppliers.

253

Mobile Technology Generations

Like many technologies, the mobile communication technology has gone through several different generations.

254

extends

Extensible Authentication Protocol (EAP) is also supported by PPP. Actually, EAP is not a specific authentication protocol as are PAP and CHAP. Instead, it provides a framework to enable many types of authentication techniques to be used when establishing network connections. As the name states, it extends the authentication possibilities from the norm (PAP and CHAP) to other methods, such as one-time passwords, token cards, biometrics, Kerberos, digital certificates, and future mechanisms. So when a user connects to an authentication server and both have EAP capabilities, they can negotiate between a longer list of possible authentication methods.

255

Dual-attachment station (DAS)

Has two ports, and each port provides a connection for both the primary and the secondary rings.

256

Satellites

Today, satellites are used to provide wireless connectivity between different locations. For two different locations to communicate via satellite links, they must be within the satellite’s line of sight and footprint (area covered by the satellite). The sender of information (ground station) modulates the data onto a radio signal that is transmitted to the satellite. A transponder on the satellite receives this signal, amplifies it, and relays it to the receiver. The receiver must have a type of antenna—one of those circular, dishlike things we see on top of buildings. The antenna contains one or more microwave receivers, depending upon how many satellites it is accepting data from.

257

Bastion Host

This guy is going to get hit first; he’d better be tough.

A system is considered a bastion host if it is a highly exposed device that is most likely to be targeted by attackers. The closer any system is to an untrusted network, as in the Internet, the more it is considered a target candidate since it has a smaller number of layers of protection guarding it. If a system is on the public side of a DMZ or is directly connected to an untrusted network, it is considered a bastion host; thus, it needs to be extremely locked down.

258

Real-time Transport Protocol (RTP)

Used to transmit audio and video over IP-based networks. It is used in conjunction with RTCP. RTP transmits the media data, and RTCP is used to monitor transmission statistics and QoS, and aids synchronization of multiple data streams.

259

TCP/IP model

Standardization of device-based network communication through a modular four-layer architecture. Specific to the IP suite, created in 1970 by an agency of the U.S. Department of Defense (DoD).

260

Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network’s NAT device. Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. Lance has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.

39. Which of the following is the best countermeasure for the attack type addressed in the scenario?

  A. DNSSEC

  B. IPSec

  C. Split server configurations

  D. Disabling zone transfers

39. A. DNSSEC protects DNS servers from forged DNS information, which is commonly used to carry out DNS cache poisoning attacks. If DNSSEC is implemented, then all responses that the server receives will be verified through digital signatures. This helps to ensure that an attacker cannot provide a DNS server with incorrect information, which would point the victim to a malicious web site.

261

Generation 3.5 G (3GPP)

  • Higher data rates
  • Use of OFDMA technology

262

time-division multiplexing (TDM)

These lines can have multiplex functionality through time-division multiplexing (TDM). What does this multiplexing stuff really mean? Consider a T1 line, which can multiplex up to 24 channels. If a company has a PBX connected to a T1 line, which in turn connects to the telephone company switching office, 24 calls can be chopped up and placed on the T1 line and transferred to the switching office. If this company did not use a T1 line, it would need 24 individual twisted pairs of wire to handle this many calls.

263

13. Both de facto and proprietary interior protocols are in use today. Which of the following is a proprietary interior protocol that chooses the best path between the source and destination?

A. IGRP

B. RIP

C. BGP

D. OSPF

Extended Questions:

CORRECT A. Interior Gateway Routing Protocol (IGRP) is a distance-vector routing protocol that was developed by, and is proprietary to, Cisco Systems. Whereas Routing Information Protocol (RIP) uses one criterion to find the best path between the source and the destination, IGRP uses five criteria to make a "best route" decision. A network administrator can set weights on these different metrics so that the protocol works best in that specific environment.

WRONG B is incorrect because Routing Information Protocol (RIP) is not proprietary. RIP is a standard that outlines how routers exchange routing table data and is considered a distance-vector protocol, which means it calculates the shortest distance between the source and the destination. It is considered a legacy protocol, because of its slow performance and lack of functionality. It should only be used in small networks. RIP version 1 has no authentication, and RIP version 2 sends passwords in clear text or hashed with MD5.

WRONG C is incorrect because the Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP). BGP enables routers on different ASs to share routing information to ensure effective and efficient routing between the different networks. BGP is commonly used by Internet service providers to route data from one location to the next on the Internet.

WRONG D is incorrect because Open Shortest Path First (OSPF) is not proprietary. OSPF uses link-state algorithms to send out routing table information. The use of these algorithms allows for smaller, more frequent routing table updates to take place. This provides a more stable network than RIP but requires more memory and CPU resources to support this extra processing. OSPF allows for a hierarchical routing network that has a backbone link connecting all subnets together. OSPF is the preferred protocol and has replaced RIP in many networks today. Authentication can take place with clear text passwords or hashed passwords, or you can choose to configure no authentication on the routers using this protocol.

264

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) was released to the networking world in 1988 to help with the growing demand of managing network IP devices. Companies use many types of products that use SNMP to view the status of their network, traffic flows, and the hosts within the network. Since these tasks are commonly carried out using graphical user interface (GUI)-based applications, many people do not have a full understanding of how the protocol actually works. The protocol is important to understand because it can provide a wealth of information to attackers, and you should understand the amount of information that is available to the ones who wish to do you harm, how they actually access this data, and what can be done with it.

265

The following list outlines the functions of a bridge:

  • Segments a large network into smaller, more controllable pieces.
  • Uses filtering based on MAC addresses.
  • Joins different types of network links while retaining the same broadcast domain.
  • Isolates collision domains within the same broadcast domain.
  • Bridging functionality can take place locally within a LAN or remotely to connect two distant LANs.
  • Can translate between protocol types.

266

Teredo

Transition mechanism for migrating from IPv4 to IPv6. It allows systems to use IPv6 to communicate if their traffic has to traverse an IPv4 network, and it also performs its function behind NAT devices.

267

electronic mail

A popular type of gateway is an electronic mail gateway. Because several e-mail vendors have their own syntax, message format, and way of dealing with message transmission, e-mail gateways are needed to convert messages between e-mail server software. For example, suppose that David, whose corporate network uses Sendmail, writes an e-mail message to Dan, whose corporate network uses Microsoft Exchange. The e-mail gateway will convert the message into a standard that all mail servers understand—usually X.400—and pass it on to Dan’s mail server.

268

The data, IP, and network relationship can be compared to the relationship between a letter and the postal system:

  • Data = Letter
  • IP = Addressed envelope
  • Network = Postal system

269

source routing

If source routing is allowed, the packets contain the necessary information within them to tell the bridge or router where they should go. The packets hold the forwarding information so they can find their way to their destination without needing bridges and routers to dictate their paths. If the computer wants to dictate its forwarding information instead of depending on a bridge, how does it know the correct route to the destination computer? The source computer sends out explorer packets that arrive at the destination computer. These packets contain the route information the packets had to take to get to the destination, including what bridges and/or routers they had to pass through. The destination computer then sends these packets back to the source computer, and the source computer strips out the routing information, inserts it into the packets, and sends them on to the destination.

270

Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

25. What should Don’s team put into place to stop the masquerading attacks that have been taking place?

  A. Dynamic packet filter firewall

  B. ARP spoofing protection

  C. Disable unnecessary ICMP traffic at edge routers

  D. SRPC

25. D. Basic RPC does not have authentication capabilities, which allow for masquerading attacks to take place. Secure RPC (SRPC) can be implemented, which requires authentication to take place before remote systems can communicate with each other. Authentication can take place using shared secrets, public keys, or Kerberos tickets.

271

Instant Messaging Spam

Instant messaging spam (SPIM) is a type of spamming that uses instant messengers for this malicious act. Although this kind of spamming is not as common as e-mail spamming, it is certainly increasing over time. The fact that firewalls are unable to block SPIM has made it more attractive for spammers. One way to prevent SPIM is to enable the option of receiving instant messages only from a known list of users.

272

Application-Level vs. Circuit-Level Proxy Firewall Characteristics: Characteristics of circuit-level proxy firewalls:

  • Do not require a proxy for each and every protocol.
  • Do not provide the deep-inspection capabilities of an application layer proxy.
  • Provide security for a wider range of protocols.

273

Dynamic mapping

The NAT software has a pool of IP addresses, but instead of statically mapping a public address to a specific private address, it works on a first-come, first-served basis. So if Bob needs to communicate over the Internet, his system makes a request to the NAT server. The NAT server takes the first IP address on the list and maps it to Bob’s private address. The balancing act is to estimate how many computers will most likely need to communicate outside the internal network at one time. This estimate is the number of public addresses the company purchases, instead of purchasing one public address for each computer.

274

Negate rule

Used instead of the broad and permissive "any rules." Negate rules provide tighter permission rights by specifying what system can be accessed and how.

275

War Driving for WLANs

A common attack on wireless networks is war driving, which is when one or more people either walk or drive around with a wireless device equipped with the necessary equipment and software with the intent of identifying APs and breaking into them. Traditionally, this activity has taken place by using a laptop and driving in the proximity of buildings that have WLANs implemented, but today even smart phones can be used for this type of attack.

276

27. Hanna is a new security manager for a computer consulting company. She has found out that the company has lost intellectual property in the past because malicious employees installed rogue devices on the network, which were used to capture sensitive traffic. Hanna needs to implement a solution that ensures only authorized devices are allowed access to the company network. Which of the following IEEE standards was developed for this type of protection?

A. IEEE 802.1AR

B. IEEE 802.1AE

C. IEEE 802.1AF

D. IEEE 802.1XR

Extended Questions:

CORRECT A. The IEEE 802.1AR standard specifies unique per-device identifiers (DevID) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers. A verifiable unique device identity allows establishment of the trustworthiness of devices; thus, it facilitates secure device provisioning. A secure device identifier (DevID) is cryptographically bound to a device and supports authentication of the device’s identity. Locally significant identities can be securely associated with an initial manufacturer-provisioned DevID and used in provisioning and authentication protocols to allow a network administrator to establish the trustworthiness of a device and select appropriate policies for transmission and reception of data and control protocols to and from the device.

WRONG B is incorrect because 802.1AE is the IEEE MAC Security standard (MACSec), which defines a security infrastructure to provide data confidentiality, data integrity, and data origin authentication. Where a VPN connection provides protection at the higher networking layers, MACSec provides hop-by-hop protection at layer 2.

WRONG C is incorrect because 802.1AR provides a unique ID for a device. 802.1AE provides data encryption, integrity, and origin authentication functionality. 802.1AF carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an 802.1X EAP-TLS framework.

WRONG D is incorrect because this is a distracter answer. This is not a valid standard.

277

18. Which of the following is not a benefit of VoIP?

A. Cost

B. Convergence

C. Flexibility

D. Security

Extended Questions:

CORRECT D. Voice over Internet Protocol (VoIP) refers to transmission technologies that deliver voice communications over IP networks. IP telephony runs on the same TCP/IP technologies as the data network, so it inherits the same vulnerabilities. The voice system is vulnerable to application manipulation (such as toll fraud and call blocking), unauthorized administrative access, and poor implementation. In terms of the network and media, it is also vulnerable to denial-of-service attacks against the gateways and network resources. Eavesdropping is also a concern, since signaling and voice traffic are sent in cleartext unless they are explicitly encrypted (for example, TLS for the signaling and SRTP for the media).

WRONG A is incorrect because cost is a benefit of VoIP. Using VoIP means a company has to pay for and maintain only one network, instead of one network dedicated to data transmission and another network dedicated to voice transmission. Telephony features such as conference calling, call forwarding, and automatic redial are free from open-source VoIP implementations, while traditional telecommunications companies charge extra for them. And, finally, VoIP costs are lower because of the way they are billed. VoIP calls are billed per megabyte, while regular telephone calls are billed by the minute. In general, it is cheaper to send data over the Internet for a given period of time than it is to use the regular telephone for that same amount of time.

WRONG B is incorrect because convergence is a benefit of VoIP. Convergence refers to the merging of the traditional IP network with the traditional analog phone network. This is a benefit because a company no longer has to pay for and maintain separate networks for data and voice. However, while convergence saves money and administration overhead, certain security issues must be understood and dealt with.

WRONG C is incorrect because flexibility is a benefit of VoIP. The technology easily supports multiple telephone calls over a single Internet broadband connection without having to add extra lines. It also offers location independence. All that is needed to obtain a WAN or MAN phone connection to a VoIP provider is an adequate Internet connection. VoIP can also be integrated with other Internet services, such as video conversation, file exchange during a call, and audio conferencing.

278

Nonplenum

Nonplenum cables usually have a polyvinyl chloride (PVC) jacket covering, whereas plenum-rated cables have jacket covers made of fluoropolymers. When setting up a network or extending an existing network, it is important you know which wire types are required in which situation.

279

Open mail relay

An SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users.

280

Classless Interdomain Routing

Variable-length subnet masking, which allows a network to be divided into different-sized subnets. The goal is to increase the efficiency of the use of IP addresses since classful addressing schemes commonly end up in unused addresses.

281

2. Which of the following is not an effective countermeasure against spam?

A. Open mail relay servers

B. Properly configured mail relay servers

C. Filtering on an e-mail gateway

D. Filtering on the client

Extended Questions:

CORRECT A. An open mail relay server is not an effective countermeasure against spam; in fact, spammers rely on them to distribute spam, because relaying through a third party's server masks the true origin of the messages. An open mail relay is an SMTP server configured to accept mail from any sender on the Internet and forward it to any destination, regardless of whether the sender or the recipient is one of its own users. This is how the Internet was originally set up, but most relays are now properly configured to refuse relaying, so that attackers cannot use them to distribute spam or pornography.

WRONG B is incorrect because a properly configured mail relay server only allows e-mail that is destined and originating from known users to pass through it. In this way, a closed mail relay server helps prevent the distribution of spam. In order to be considered closed, an SMTP server should be configured to accept and forward messages from local IP addresses to local mailboxes, from local IP addresses to nonlocal mailboxes, from known and trusted IP addresses to local mailboxes, and from clients that are authenticated and authorized. Servers that are left open are considered to be the result of poor systems administration.

WRONG C is incorrect because implementing spam filters on an e-mail gateway is the most common countermeasure against spam. Doing so helps protect network and server capacity, reduces the risk of legitimate e-mail being discarded, and saves users time. A number of commercial spam filters based on a variety of algorithms are available. The filtering software accepts e-mail as its input and either forwards the message unchanged to the recipient, redirects the message for delivery elsewhere, or discards the message.

WRONG D is incorrect because filtering on the client is a countermeasure against spam. In fact, filtering can take place at the gateway, which is the most popular method, on the e-mail server, or on the client. There are also different methods of filtering. Filtering based on keywords was once a popular method but has since become obsolete because it is prone to false positives and spammers can easily bypass them. Now more sophisticated filters are used. These are based on statistical analysis or analysis of e-mail traffic patterns.
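The four "closed relay" acceptance cases listed above, turned into a RCPT TO policy check and paired with the classic open-relay probe. This is an added example, not code from the flashcard deck or from any mail server; the local domains, network ranges, trusted partner range and the sample transactions are all constructed. A server that is also the MX for a domain additionally accepts inbound mail for that domain from any source; that case is outside the relaying rules modelled here.

```python
"""Closed-relay RCPT TO policy (added example; all ranges and addresses constructed).

A properly configured (closed) relay accepts only:
  1. local client      -> local mailbox
  2. local client      -> non-local mailbox
  3. trusted client    -> local mailbox
  4. authenticated and authorized client -> any mailbox
Anything else, in particular a stranger asking for delivery to a mailbox the
server is not responsible for, is the case an open relay would wrongly accept.
"""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com", "corp.example.com"}                 # assumed
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]                 # assumed
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]               # assumed partner


@dataclass(frozen=True)
class Transaction:
    client_ip: str        # IP of the SMTP client that connected to us
    authenticated: bool   # SMTP AUTH succeeded for an authorized user
    mail_from: str        # envelope sender
    rcpt_to: str          # envelope recipient being evaluated


def in_any(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_local_mailbox(address):
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def relay_decision(tx):
    """Decide at RCPT TO time whether a closed relay accepts the recipient.
    Returns (accepted, reason)."""
    if tx.authenticated:                                   # case 4
        return True, "authenticated client"
    if in_any(LOCAL_NETS, tx.client_ip):                   # cases 1 and 2
        return True, "client on a local network"
    if is_local_mailbox(tx.rcpt_to) and in_any(TRUSTED_NETS, tx.client_ip):   # case 3
        return True, "trusted client delivering to a local mailbox"
    return False, "unknown, unauthenticated client asked us to relay"


def smtp_reply(tx):
    """The reply the server would send for the RCPT TO command."""
    accepted, reason = relay_decision(tx)
    if accepted:
        return "250 2.1.5 Ok (%s)" % reason
    return "554 5.7.1 <%s>: Relay access denied" % tx.rcpt_to


# The classic open-relay probe: an unauthenticated stranger asks the server to
# deliver to a third-party mailbox. A closed relay must answer 5xx here.
PROBE = Transaction("198.51.100.7", False,
                    "probe@attacker.example", "victim@thirdparty.example")


def is_open_relay(decide):
    accepted, _ = decide(PROBE)
    return accepted


def open_relay_policy(tx):
    """What an unrestricted (open) relay does: accept everything."""
    return True, "accepts anything (open relay)"


if __name__ == "__main__":
    print(smtp_reply(PROBE))                           # 554 ... Relay access denied
    print("closed relay open?", is_open_relay(relay_decision))
    print("open relay open?  ", is_open_relay(open_relay_policy))
```

The same probe can be run against a live server by hand: connect on port 25, issue MAIL FROM with an outside address and RCPT TO with another outside address, and check whether the reply is 250 (open) or 5xx (closed).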

282

Honeypots

Decoy systems that entice attackers away from critical production systems, with the goal of protecting those systems and learning about the attacker's methods. If two or more honeypots are used together, this is considered a honeynet.

283

Token ring

LAN medium access technology that controls network communication traffic through the use of token frames. This technology has been mostly replaced by Ethernet.

284

Platform as a Service (PaaS)

Platform as a Service (PaaS) Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the "raw IT network," PaaS is the software environment that runs on top of the IT network.

285

Reverse Address Resolution Protocol (RARP)

Diskless workstations do not have a full operating system but have just enough code to know how to boot up and broadcast for an IP address, and they may have a pointer to the server that holds the operating system. The diskless workstation knows its hardware address, so it broadcasts this information so that a listening server can assign it the correct IP address. As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but only the RARP server responds. Once the RARP server receives this request, it looks in its table to see which IP address matches the broadcast hardware address. The server then sends a message that contains its IP address back to the requesting computer. The system now has an IP address and can function on the network.

286

Dynamic Host Configuration Protocol (DHCP)

A network configuration service for hosts on IP networks. It provides IP addressing, DNS server, subnet mask, and other important network configuration data to each host through automation.

287

Management Information Base (MIB)

The agent is a piece of software that runs on a network device, which is commonly integrated into the operating system. The agent has a list of objects that it is to keep track of, which is held in a database-like structure called the Management Information Base (MIB). An MIB is a logical grouping of managed objects that contain data used for specific management tasks and status checks.

288

supernetting

If the traditional subnet masks are used, they are referred to as classful or classical IP addresses. If an organization needs to create subnets that do not follow these traditional sizes, then it would use classless IP addresses. This just means a different subnet mask would be used to define the network and host portions of the addresses. After it became clear that available IP addresses were running out as more individuals and corporations participated on the Internet, classless interdomain routing (CIDR) was created. A Class B address range is usually too large for most companies, and a Class C address range is too small, so CIDR provides the flexibility to increase or decrease the class sizes as necessary. CIDR is the method to specify more flexible IP address classes. CIDR is also referred to as supernetting.
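Supernetting and classless addressing, worked with Python's standard `ipaddress` module. This is an added example, not part of the flashcard deck; the prefixes and ranges are constructed. It goes slightly beyond the card by also showing longest-prefix matching, which is how a router chooses between an aggregate and a more specific route.

```python
"""CIDR aggregation (supernetting), range summarization and longest-prefix match.
Added example; all prefixes and addresses are constructed."""
import ipaddress


def supernet(prefixes):
    """Collapse a list of prefixes into the fewest covering CIDR blocks.
    Four contiguous, aligned /24s become one /22 (supernetting)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def cidr_blocks_for_range(first, last):
    """Classless view: an arbitrary address range is expressed as the smallest
    set of CIDR blocks, instead of being forced into a class A/B/C size."""
    blocks = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                               ipaddress.ip_address(last))
    return [str(n) for n in blocks]


def usable_hosts(prefix):
    """Host addresses available in a prefix (network and broadcast excluded
    for prefixes shorter than /31)."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4 and net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def longest_match(addr, prefixes):
    """Routing-table lookup: of all prefixes containing the address, the
    longest (most specific) wins. Returns None if nothing matches."""
    a = ipaddress.ip_address(addr)
    candidates = [ipaddress.ip_network(p) for p in prefixes]
    best = max((n for n in candidates if a in n),
               key=lambda n: n.prefixlen, default=None)
    return str(best) if best is not None else None


if __name__ == "__main__":
    print(supernet(["192.0.2.0/24", "192.0.3.0/24", "192.0.0.0/24", "192.0.1.0/24"]))
    print(cidr_blocks_for_range("10.0.0.0", "10.0.1.127"))
    print(usable_hosts("10.0.0.0/22"))
    print(longest_match("192.0.2.77", ["0.0.0.0/0", "192.0.0.0/22", "192.0.2.0/24"]))
```

The longest-match rule is also the reason a more specific prefix announced into BGP attracts traffic away from the legitimate aggregate: a /24 always beats the /22 that contains it.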

289

fiber-optic

Because it uses glass, fiber-optic cabling has higher transmission speeds that allow signals to travel over longer distances. Fiber cabling is not as affected by attenuation and EMI when compared to cabling that uses copper. It does not radiate signals, as does UTP cabling, and is difficult to eavesdrop on; therefore, fiber-optic cabling is much more secure than UTP, STP, or coaxial.

290

Vishing

Vishing is an attack type that is similar to phishing because it attempts to trick and persuade victims to reveal sensitive information through a social engineering attack. A victim may receive a pre-recorded message on their phone that indicates that there has been suspicious activity on their credit card, bank account, or other financial account. The victim is told to call a specific telephone number, where he must key in identification information. The identification information is commonly the associated account number, PIN, and/or password value. The victim thinks this data is being sent to a trusted source, as in their bank, but it is actually being recorded by an attacker who uses it for some type of fraudulent activity.

291

Internet Key Exchange (IKE)

Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.

292

Dynamic Host Configuration Protocol (DHCP)

A computer can receive its IP addresses in a few different ways when it first boots up. If it has a statically assigned address, nothing needs to happen. It already has the configuration settings it needs to communicate and work on the intended network. If a computer depends upon a Dynamic Host Configuration Protocol (DHCP) server to assign it the correct IP address, it boots up and makes a request to the DHCP server. The DHCP server assigns the IP address, and everyone is happy.

293

Silent rule

Drop "noisy" traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.

294

Second generation (2G):

  • Primarily voice, some low-speed data (circuit switched)
  • Phones were smaller in size
  • Added functionality of e-mail, paging, and caller ID

295

John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

31. Which of the following is the best countermeasure that John’s team should implement to protect from improper caching issues?

  A. PKI

  B. DHCP snooping

  C. ARP protection

  D. DNSSEC

31. D. When a DNS server receives an improper (potentially malicious) name resolution response, it caches it and provides it to all the hosts it serves unless DNSSEC is implemented. With DNSSEC enabled, the server validates the digital signatures (RRSIG records) on the response data against the zone's published public keys (DNSKEY records) and the chain of trust up to the root before accepting the information, so a forged answer that does not carry a valid signature from the authoritative zone is rejected instead of being cached.

296

Layer 3 and 4 Switches

I want my switch to do everything, even make muffins.

Layer 2 switches only have the intelligence to forward a frame based on its MAC address and do not have a higher understanding of the network as a whole. A layer 3 switch has the intelligence of a router. It not only can route packets based on their IP addresses, but also can choose routes based on availability and performance. A layer 3 switch is basically a router on steroids because it moves the route lookup functionality to the more efficient switching hardware level.

297

Network Protocols and Services

Some protocols, such as UDP, TCP, IP, and IGMP, were addressed in earlier sections. Networks are made up of these and many other types of protocols that provide an array of functionality. Networks are also made up of many different services, as in DHCP, DNS, e-mail, and others. The services that network infrastructure components provide directly support the functionality required of the users of the network. Protocols usually provide a communication channel for these services to use so that they can carry out their jobs. Networks are complex because there are layers of protocols and services that all work together simultaneously and hopefully seamlessly. We will cover some of the core protocols and services that are used in all networks today.

298

Autonomous system (AS)

A collection of connected IP routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet. They are uniquely identified as individual networks on the Internet.

299

Border Gateway Protocol (BGP)

The protocol that carries out core routing decisions on the Internet. It maintains a table of IP networks, or "prefixes," which designate network reachability among autonomous systems (ASs).

300

Session hijacking

Attack method that allows an attacker to overtake and control a communication session between two systems.

301

Carrier sense multiple access with collision avoidance

A media access control method that uses a carrier sensing scheme. A system wishing to transmit data has to first listen to the channel for a predetermined amount of time to determine whether or not another system is transmitting on the channel. If the channel is sensed as "idle," then the system is permitted to begin the transmission process. If the channel is sensed as "busy," the system defers its transmission for a random period of time.

302

Data throughput

NOTE Bandwidth refers to the number of electrical pulses that can be transmitted over a link within a second, and these electrical pulses carry individual bits of information. Bandwidth is the data transfer capability of a connection and is commonly associated with the amount of available frequencies and speed of a link. Data throughput is the actual amount of data that can be carried over this connection. Data throughput values can be higher than bandwidth values if compression mechanisms are implemented. But if links are highly congested or there are interference issues, the data throughput values can be lower. Both bandwidth and data throughput are measured in bits per second.

303

Smurf attack

A DDoS attack in which the attacker sends ICMP echo requests to the directed-broadcast address of an intermediary network, with the source address spoofed to that of the victim. Every host on that network answers the victim, so the intermediary network amplifies the attack and floods the target with ICMP echo replies.
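Detection logic for both sides of a smurf attack, run over a constructed packet trace. This is an added example, not from the flashcard deck; the packet tuples, the network ranges and the alert threshold are all made up for illustration. The amplifier-side check flags echo requests addressed to one of our directed-broadcast addresses; the victim-side check flags a destination receiving echo replies from many distinct sources.

```python
"""Smurf attack detection over a constructed ICMP trace (added example)."""
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Networks we own and could be abused as an amplifier (constructed).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed capture: (src, dst, icmp_type). The attacker spoofs the victim
# 198.51.100.9 as the source of echo requests to our broadcast address, and
# every host on 192.0.2.0/24 replies to the victim.
PACKETS = (
    [("198.51.100.9", "192.0.2.255", ECHO_REQUEST)] * 2
    + [("192.0.2.%d" % i, "198.51.100.9", ECHO_REPLY) for i in range(1, 41)]
    + [("192.0.2.10", "192.0.2.20", ECHO_REQUEST),      # ordinary unicast ping
       ("192.0.2.20", "192.0.2.10", ECHO_REPLY)]
)


def broadcast_addresses(nets):
    return {net.broadcast_address for net in nets}


def amplifier_alerts(packets, nets):
    """Echo requests aimed at a directed-broadcast address of one of our
    networks: the sign that we are being used as the amplifier."""
    bcast = broadcast_addresses(nets)
    return [(src, dst) for src, dst, typ in packets
            if typ == ECHO_REQUEST and ipaddress.ip_address(dst) in bcast]


def victim_alerts(packets, min_sources=20):
    """Destinations receiving echo replies from at least min_sources distinct
    hosts in the window: the reflected flood arriving at the spoofed victim.
    Returns {destination: number_of_distinct_sources}."""
    sources = defaultdict(set)
    for src, dst, typ in packets:
        if typ == ECHO_REPLY:
            sources[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    print("amplifier alerts:", amplifier_alerts(PACKETS, LOCAL_NETS))
    print("victim alerts:   ", victim_alerts(PACKETS))
```

The amplifier-side condition is also the one to remove at the source: routers should not forward packets to directed-broadcast addresses (on Cisco IOS, `no ip directed-broadcast` per interface, which has been the default since RFC 2644), so the echo request never reaches the hosts that would reply.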

304

Screened subnet:

• External router filters (screens) traffic before it enters the subnet. Traffic headed toward the internal network then goes through two firewalls.

305

Cable modems

Cable modems provide high-speed access, up to 50 Mbps, to the Internet through existing cable coaxial and fiber lines. The cable modem provides upstream and downstream conversions.

306

Domain Name System (DNS)

A hierarchical distributed naming system for computers, services, or any resource connected to an IP-based network. It associates various pieces of information with domain names assigned to each of the participating entities.

307

TCP/IP Model

Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols that governs the way data travel from one device to another. Besides its eponymous two main protocols, TCP/IP includes other protocols as well, which we will cover in this chapter.

308

Summary of Tunneling Protocols : Secure Sockets Layer (SSL):

  • Works at the transport layer and protects mainly web-based traffic
  • Granular access control and configuration are available
  • Easy deployment since SSL is already embedded into web browsers
  • Can only protect a small number of protocol types, thus is not an infrastructure-level VPN solution

309

Distance-vector routing protocol

A routing protocol that calculates paths based on the distance (or number of hops) and a vector (a direction).

310

28. There are common cloud computing service models. _______________ usually requires companies to deploy their own operating systems, applications, and software onto the provided infrastructure. _________________ is the software environment that runs on top of the infrastructure. In the __________ model the provider commonly gives the customers network-based access to a single copy of an application.

A. Platform as a Service, Infrastructure as a Service, Software as a Service

B. Platform as a Service, Platform as Software, Application as a Service

C. Infrastructure as a Service, Platform as Software, Software as a Service

D. Infrastructure as a Service, Platform as a Service, Software as a Service

Extended Questions:

CORRECT D. The most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

WRONG A is incorrect because these items are not in the correct order. Infrastructure as a Service (IaaS) is when cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.

WRONG B is incorrect because the most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). There are no models called Platform as Software or Application as a Service. These are distracters. Platform as a Service (PaaS) is when cloud providers deliver a computing platform, which can include an operating system, database, and Web server as a holistic execution environment. Where IaaS is the "raw IT network," PaaS is the software environment that runs on top of the IT network.

WRONG C is incorrect because the most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). There is no model called Platform as Software. With Software as a Service (SaaS), the provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network-based access to a single copy of an application created specifically for SaaS distribution and use.

311

Media access control (MAC)

Data communication protocol sublayer of the data link layer specified in the OSI model. It provides hardware addressing and channel access control mechanisms that make it possible for several nodes to communicate within a multiple-access network that incorporates a shared medium.

312

H.323

A standard that addresses call signaling and control, multimedia transport and control, and bandwidth control for point-to-point and multipoint conferences.

313

Application-Level vs. Circuit-Level Proxy Firewall Characteristics : Characteristics of application-level proxy firewalls:

  • Each protocol that is to be monitored must have a unique proxy.
  • Provides more protection than circuit-level proxy firewalls.
  • Require more processing per packet and thus are slower than a circuit-level proxy firewall.

314

ad hoc WLAN

An ad hoc WLAN has no APs; the wireless devices communicate with each other through their wireless NICs instead of going through a centralized device. To construct an ad hoc network, wireless client software is installed on contributing hosts and configured for peer-to-peer operation mode. Then, the user clicks Network Neighborhood in a Windows platform and the software searches for other hosts operating in this similar mode and shows them to the user.

315

Routing Information Protocol

RIP is a standard that outlines how routers exchange routing table data and is considered a distance-vector protocol, which means it calculates the shortest path between source and destination by hop count. It is considered a legacy protocol because of its slow convergence and lack of functionality. It should only be used in small networks. RIP version 1 has no authentication, and RIP version 2 supports either cleartext passwords or keyed MD5 authentication, so even RIPv2 route updates should be treated as weakly protected.

316

Static mapping

The NAT software has a pool of public IP addresses configured. Each private address is statically mapped to a specific public address. So computer A always receives the public address x, computer B always receives the public address y, and so on. This is generally used for servers that need to keep the same public address at all times.

317

Network Topology

How should we connect all these devices together?

The physical arrangement of computers and devices is called a network topology. Topology refers to the manner in which a network is physically connected and shows the layout of resources and systems. A difference exists between the physical network topology and the logical topology. A network can be configured as a physical star but work logically as a ring, as in the Token Ring technology.

318

Bluetooth Wireless

The Bluetooth wireless technology is actually based upon a portion of the 802.15 standard. It has a 1- to 3-Mbps transfer rate and works in a range of approximately ten meters. If you have a cell phone and a PDA that are both Bluetooth-enabled and both have calendar functionality, you could have them update each other without any need to connect them physically. If you added some information to your cell phone contacts list and task list, for example, you could just place the phone close to your PDA. The PDA would sense that the other device was nearby, and it would then attempt to set up a network connection with it. Once the connection was made, synchronization between the two devices would take place, and the PDA would add the new contacts list and task list data. Bluetooth works in the frequency range of other 802.11 devices (2.4GHz).

319

Protocol

A network protocol is a standard set of rules that determines how systems will communicate across networks. Two different systems that use the same protocol can communicate and understand each other despite their differences, similar to how two people can communicate and understand each other by using the same language.

320

VoIP Security Measures Broken Down : Hackers can intercept incoming and outgoing calls, carry out DoS attacks, spoof phone calls, and eavesdrop on sensitive conversations. Many of the countermeasures to these types of attacks are the same ones used with traditional data-oriented networks:

  • Keep patches updated on each network device involved with VoIP transmissions:
  • Identify unidentified or rogue telephony devices:
  • Install and maintain
  • Disable unnecessary ports and services on routers, switches, PCs, and IP telephones.
  • Employ real-time monitoring that looks for attacks, tunneling, and abusive call patterns through IDS/IPS.

321

Application-level proxies

Application-level proxies inspect the packet up through the application layer. Where a circuit-level proxy only has insight up to the session layer, an application-level proxy understands the packet as a whole and can make access decisions based on the content of the packets. They understand various services and protocols and the commands that are used by them. An application-level proxy can distinguish between an FTP GET command and an FTP PUT command, for example, and make access decisions based on this granular level of information; on the other hand, packet filtering firewalls and circuit-level proxies can allow or deny FTP requests only as a whole, not by the commands used within the FTP protocol.
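The FTP distinction above, as an added example that is not part of the flashcard deck. The client-side "get" and "put" correspond to the RETR and STOR commands on the FTP control channel (RFC 959); the allow-lists, the policy and the sample session are assumed for illustration. A packet filter sees only "port 21"; the application-level proxy parses each command and can allow downloads while refusing uploads and suspicious arguments.

```python
"""Application-level proxy decisions on FTP control-channel commands
(added example; command allow-lists, policy and sample session are assumed)."""
import re

# Commands a read-only policy permits (login, navigation, listing, download).
READ_CMDS = {"USER", "PASS", "SYST", "FEAT", "PWD", "CWD", "CDUP", "TYPE",
             "PASV", "EPSV", "PORT", "EPRT", "LIST", "NLST", "SIZE", "RETR",
             "NOOP", "QUIT"}
# Commands that write or change the server's file system.
WRITE_CMDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def parse_ftp_command(line):
    """Return (VERB, argument) or None for a malformed control-channel line."""
    m = CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1).upper(), (m.group(2) or "").strip()


def packet_filter_decision(dst_port):
    """What a packet filter or circuit-level proxy can do: the FTP control
    port is either open or closed, whatever the command inside."""
    return "allow" if dst_port == 21 else "deny"


def application_proxy_decision(line, policy_allow_upload=False):
    """Per-command decision. Returns (decision, reason)."""
    parsed = parse_ftp_command(line)
    if parsed is None:
        return "deny", "malformed command"
    verb, arg = parsed
    # Content inspection: refuse path components that climb out of the tree.
    if any(part == ".." for part in arg.replace("\\", "/").split("/")):
        return "deny", "%s with path traversal in argument" % verb
    if verb in WRITE_CMDS:
        if policy_allow_upload:
            return "allow", verb
        return "deny", "%s blocked: uploads and changes not permitted" % verb
    if verb in READ_CMDS:
        return "allow", verb
    return "deny", "%s not on the allow-list" % verb


def filter_session(lines, policy_allow_upload=False):
    """Run a whole control-channel session through the proxy."""
    return [(line.rstrip("\r\n"), *application_proxy_decision(line, policy_allow_upload))
            for line in lines]


# Constructed session: a legitimate download followed by an exfiltration attempt.
SESSION = ["USER alice\r\n", "PASS hunter2\r\n", "PASV\r\n",
           "RETR report.pdf\r\n", "STOR exfil.zip\r\n", "QUIT\r\n"]

if __name__ == "__main__":
    for raw, decision, reason in filter_session(SESSION):
        print("%-18s %-5s %s" % (raw, decision, reason))
    print("packet filter on port 21:", packet_filter_decision(21))
```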

322

stateless inspection

Packet filtering is also known as stateless inspection because the device does not understand the context that the packets are working within. This means that the device does not have the capability to understand the "full picture" of the communication that is taking place between two systems, but can only focus on individual packet characteristics. As we will see in a later section, stateful firewalls understand and keep track of a full communication session, not just the individual packets that make it up. Stateless firewalls make their decisions for each packet based solely on the data contained in that individual packet. Stateful firewalls accumulate data about the packets they see and use that data in an attempt to match incoming and outgoing packets to determine which packets may be part of the same network communications session. By evaluating a packet in the larger context of a network communications session, a stateful firewall has much more complete information than a stateless firewall and can therefore more readily recognize and reject packets that may be part of a network protocol-based attack.

323

Virtual local area network (VLAN)

A group of hosts that communicate as if they were attached to the same broadcast domain, regardless of their physical location. VLAN membership can be configured through software instead of physically relocating devices or connections, which allows for easier centralized management.

324

Multiprotocol Label Switching (MPLS)

A networking technology that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.

325

Quality of Service (QoS)

Quality of Service Quality of Service (QoS) is a capability that allows a protocol to distinguish between different classes of messages and assign priority levels. Some applications, such as video conferencing, are time sensitive, meaning delays would cause unacceptable performance of the application. A technology that provides QoS allows an administrator to assign a priority level to time-sensitive traffic. The protocol then ensures this type of traffic has a specific or minimum rate of delivery.

326

Dynamic Packet Filtering

When an internal system needs to communicate with an entity outside its trusted network, it must choose a source port so the receiving system knows how to respond properly. Ports up to 1023 are called well-known ports and are reserved for server-side services. The sending system chooses a dynamic (ephemeral) port above 1023 when it sets up a connection with another entity. The dynamic packet-filtering firewall then creates a temporary ACL entry that allows the external entity to communicate with the internal system via this high port, and removes the entry when the connection ends. Without this capability, you would have to punch permanent holes in your firewall for all ports above 1023, because the client side chooses these ports dynamically and the firewall would never know in advance on which port to allow or disallow traffic.
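A simulation of the stateless-versus-stateful distinction from the "stateless inspection" card and of the dynamic ACL entry described here, run over one constructed packet trace. This is an added example, not code from the flashcard deck or from any firewall product; the hosts, rules and packets are assumed. The stateless rule set has to open all high ports to any inbound packet with ACK set, so a crafted ACK (the kind of spurious packet an ACK scan sends) gets through; the stateful filter only passes packets that match a connection the inside opened.

```python
"""Stateless vs. stateful (dynamic) packet filtering over a constructed trace.
Added example; hosts, rules and packets are assumed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "R"
    inbound: bool   # True = arrives from the untrusted side


INTERNAL = "10.0.0.5"        # constructed inside client
EXTERNAL = "203.0.113.10"    # constructed legitimate web server
ATTACKER = "198.51.100.7"    # constructed outside attacker


def stateless_filter(pkt):
    """Stateless rule set: judge every packet on its own fields.
    - outbound from inside to port 443: allow
    - inbound to an ephemeral port (>1023) with ACK set: allow, intended
      for return traffic, but the filter cannot tell a reply from a forgery
    - everything else: deny"""
    if not pkt.inbound and pkt.dport == 443:
        return "allow"
    if pkt.inbound and pkt.dport > 1023 and "A" in pkt.flags:
        return "allow"
    return "deny"


class StatefulFilter:
    """Connection table keyed on (inside_ip, inside_port, outside_ip, outside_port).
    An entry (the dynamic ACL hole) is created when the inside sends a SYN to
    port 443 and removed on RST; FIN handling is simplified away."""

    def __init__(self):
        self.table = set()

    def decide(self, pkt):
        key = ((pkt.dst, pkt.dport, pkt.src, pkt.sport) if pkt.inbound
               else (pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if not pkt.inbound and pkt.dport == 443 and pkt.flags == "S":
            self.table.add(key)            # open the return path for this session only
            return "allow"
        if key in self.table:
            if "R" in pkt.flags:
                self.table.discard(key)    # reset: close the hole again
            return "allow"
        return "deny"                      # no session: unsolicited, drop it


def run(trace, decide):
    return [decide(p) for p in trace]


def stateful_run(trace):
    return run(trace, StatefulFilter().decide)


TRACE = [
    Packet(INTERNAL, 50000, EXTERNAL, 443, "S", False),   # inside opens TLS session
    Packet(EXTERNAL, 443, INTERNAL, 50000, "SA", True),   # legitimate SYN/ACK reply
    Packet(INTERNAL, 50000, EXTERNAL, 443, "A", False),   # handshake completes
    Packet(ATTACKER, 443, INTERNAL, 50000, "A", True),    # spurious ACK, no session
    Packet(ATTACKER, 80, INTERNAL, 60001, "A", True),     # ACK-scan probe
    Packet(ATTACKER, 12345, INTERNAL, 22, "S", True),     # unsolicited SYN to SSH
    Packet(EXTERNAL, 443, INTERNAL, 50000, "R", True),    # server resets the session
    Packet(EXTERNAL, 443, INTERNAL, 50000, "A", True),    # late packet after reset
]

if __name__ == "__main__":
    for p, a, b in zip(TRACE, run(TRACE, stateless_filter), stateful_run(TRACE)):
        print("%-14s:%-5d -> %-14s:%-5d %-3s stateless=%-5s stateful=%s"
              % (p.src, p.sport, p.dst, p.dport, p.flags, a, b))
```

Packets four and five are the "spurious packets arriving at critical servers" problem: a stateless any-high-port rule admits them, a stateful table does not, and the late packet after the reset shows the dynamic entry being withdrawn once the session ends.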

327

Streaming Protocols

RTP is a session layer protocol that carries data in media stream format, as in audio and video, and is used extensively in VoIP, telephony, video conferencing, and other multimedia streaming technologies. It provides end-to-end delivery services and is commonly run over the transport layer protocol UDP. RTP Control Protocol (RTCP) is used in conjunction with RTP and is also considered a session layer protocol. It provides out-of-band statistics and control information to provide feedback on QoS levels of individual streaming multimedia sessions.

328

T-Carriers

T-carriers are dedicated lines that can carry voice and data information over trunk lines. They were developed by AT&T and were initially implemented in the early 1960s to support pulse-code modulation (PCM) voice transmission. This was first used to digitize the voice over a dedicated, two-point, high-capacity connection line. The most commonly used T-carriers are T1 lines and T3 lines. Both are digital circuits that multiplex several individual channels into a higher-speed channel.

329

Fiber Distributed Data Interface (FDDI)

Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data traveling clockwise and is used for regular data transmission. The second ring transmits data in a counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. Each node on the FDDI network has relays that are connected to both rings, so if a break in the ring occurs, the two rings can be joined.

330

SSL Tunnel VPNs

An individual uses a web browser to securely access multiple network services, including applications and protocols that are not web-based, through an SSL tunnel. This commonly requires custom programming to allow the services to be accessible through a web-based connection.

331

Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean’s team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.

34. Which of the following best describes why Sean’s team wants to put in the mentioned countermeasure for the most commonly attacked systems?

  A. Prevent production system hijacking

  B. Reduce DoS attack effects

  C. Gather statistics during the process of an attack

  D. Increase forensic capabilities

34. B. A tarpit is commonly a piece of software configured to emulate a vulnerable, running service. Once the attackers start to send packets to this "service," the connection to the victim system seems to be live and ongoing, but the response from the victim system is slow and the connection may time out. Most attacks and scanning activities take place through automated tools that require quick responses from their victim systems. If the victim systems do not reply or are very slow to reply, the automated tools may not be successful because the protocol connection times out. This can reduce the effects of a DoS attack.

332

6. Several different tunneling protocols can be used in dial-up situations. Which of the following would be best to use as a VPN tunneling solution?

A. L2P

B. PPTP

C. IPSec

D. L2TP

Extended Questions:

CORRECT B. A virtual private network (VPN) is a secure, private connection through a public network or an otherwise unsecure environment. It is a private connection because the encryption and tunneling protocols are used to ensure the confidentiality and integrity of the data in transit. It is important to remember that VPN technology requires a tunnel to work, and it assumes encryption. The protocols that can be used for VPNs are Point-to-Point Tunneling Protocol (PPTP), IPSec, and L2TP. Point-to-Point Tunneling Protocol (PPTP), a Microsoft protocol, allows remote users to set up a PPP connection to a local ISP and then create a secure VPN to their destination. PPTP has been the de facto industry-standard tunneling protocol for years, but the new de facto standard for VPNs is IPSec. PPTP is designed for client/server connectivity and establishes a single point-to-point connection between two computers. It works at the data link layer and transmits only over IP networks.

WRONG A is incorrect because L2P does not exist. This is a distracter answer.

WRONG C is incorrect because although IPSec is one of the three primary VPN tunneling protocols, it is not used over dial-up connections. It supports only IP networks and works at the network layer, providing security on top of IP. IPSec handles multiple connections at the same time, and provides secure authentication and encryption.

WRONG D is incorrect because L2TP is not a tunneling protocol that works over a dial-up connection. L2TP is a tunneling protocol that can extend a VPN over various WAN network types (IP, X.25, frame relay). A hybrid of L2F and PPTP, L2TP works at the data link layer and transmits over multiple types of networks, not just IP. However, it must be combined with IPSec for security so it is not considered a VPN solution by itself.

333

Single point of compromise

If the UTM is successfully hacked, there may be no other layers deployed for protection.

334

Multistation Access Unit (MAU)

Like Ethernet, Token Ring is a LAN media access technology that enables the communication and sharing of networking resources. The Token Ring technology was originally developed by IBM and then defined by the IEEE 802.5 standard. It uses a token-passing technology with a star-configured topology. The ring part of the name pertains to how the signals travel, which is in a logical ring. Each computer is connected to a central hub, called a Multistation Access Unit (MAU). Physically, the topology can be a star, but the signals and transmissions are passed in a logical ring.

335

VLAN hopping

An exploit that allows an attacker on a VLAN to gain access to traffic on other VLANs that would normally not be accessible.

336

Password Authentication Protocol (PAP)

Password Authentication Protocol (PAP) is used by remote users to authenticate over PPP connections. It provides identification and authentication of the user who is attempting to access a network from a remote system. This protocol requires a user to enter a password before being authenticated. The password and the username credentials are sent over the network to the authentication server after a connection has been established via PPP. The authentication server has a database of user credentials that are compared to the supplied credentials to authenticate users.

337

DNS Threats

As stated earlier, not every DNS server knows the IP address of every hostname it is asked to resolve. When a request for a hostname-to-IP address mapping arrives at a DNS server (server A), the server reviews its resource records to see if it has the necessary information to fulfill this request. If the server does not have a resource record for this hostname, it forwards the request to another DNS server (server B), which in turn reviews its resource records and, if it has the mapping information, sends the information back to server A. Server A caches this hostname-to-IP address mapping in its memory (in case another client requests it) and sends the information on to the requesting client.

338

Synchronous Data Link Control (SDLC)

Synchronous Data Link Control (SDLC) is a protocol used in networks that use dedicated, leased lines with permanent physical connections. It is used mainly for communications with IBM hosts within a Systems Network Architecture (SNA). Developed by IBM in the 1970s, SDLC is a bit-oriented, synchronous protocol that has evolved into other communication protocols, such as HDLC, Link Access Procedure (LAP), and Link Access Procedure-Balanced (LAPB).

339

Cable modem

A device that provides bidirectional data communication via radio frequency channels on cable TV infrastructures. Cable modems are primarily used to deliver broadband Internet access to homes.

340

Bluesnarfing

Bluesnarfing is the unauthorized access from a wireless device through a Bluetooth connection. This allows access to a calendar, contact list, e-mails, and text messages, and on some phones users can copy pictures and private videos.

341

High-Bit-Rate DSL (HDSL)

Provides T1 (1.544 Mbps) speeds over regular copper phone wire without the use of repeaters. Requires two twisted pairs of wires, which many voice-grade UTP lines do not have.

342

16. What takes place at the data link layer?

  A. End-to-end connection

  B. Dialog control

  C. Framing

  D. Data syntax

16. C. The data link layer, in most cases, is the only layer that understands the environment in which the system is working, whether it be Ethernet, Token Ring, wireless, or a connection to a WAN link. This layer adds the necessary headers and trailers to the frame. Other systems on the same type of network using the same technology understand only the specific header and trailer format used in their data link technology.

343

IEEE 802.1AR

The IEEE 802.1AR standard specifies unique per-device identifiers (DevID) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers. A verifiable unique device identity allows establishment of the trustworthiness of devices, and thus facilitates secure device provisioning.

344

Media Access Control (MAC)

The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC, defined in the IEEE 802.2 specification, communicates with the protocol immediately above it, the network layer. The MAC will have the appropriately loaded protocols to interface with the protocol requirements of the physical layer.

345

Constant Bit Rate (CBR)

A connection-oriented channel that provides a consistent data throughput for time-sensitive applications, such as voice and video applications. Customers specify the necessary bandwidth requirement at connection setup.

346

Media Sharing

There are 150 devices on this network. How can they all use this one network wire properly?

No matter what type of media access technology is being used, the main resource that has to be shared by all systems and devices on the network is the network transmission channel. This transmission channel could be Token Ring over coaxial cabling, Ethernet over UTP, FDDI over fiber, or Wi-Fi over a frequency spectrum. There must be methods in place to make sure that each system gets access to the channel, that the system’s data is not corrupted during transmission, and that there is a way to control traffic in peak times.

347

network address translation (NAT)

However, IP addresses have become scarce (until the full adoption of IPv6) and expensive. So some smart people came up with network address translation (NAT), which enables a network that does not follow the Internet’s addressing scheme to communicate over the Internet.

348

Wireless Communications

When two people are talking, they are using wireless communication because their vocal cords are altering airwaves, which are signals that travel with no cables attached to another person. Wireless communication involves transmitting signals via radio waves through air and space, which also alters airwaves.

349

Layer 2 Security Standards

As frames pass from one network device to another device, attackers can sniff the data; modify the headers; redirect the traffic; spoof traffic; carry out man-in-the-middle attacks, DoS attacks, and replay attacks; and indulge in other malicious activities. It has become necessary to secure network traffic at the frame level, which is layer 2 of the OSI model.

350

permanent virtual circuit (PVC)

Frame relay (and X.25) forwards frames across virtual circuits. These circuits can be either permanent, meaning they are programmed in advance, or switched, meaning the circuit is quickly built when it is needed and torn down when it is no longer needed. The permanent virtual circuit (PVC) works like a private line for a customer with an agreed-upon bandwidth availability. When a customer decides to pay for the committed rate, a PVC is programmed for that customer to ensure it will always receive a certain amount of bandwidth.

351

Intranets and Extranets

We kind of trust you, but not really. We’re going to put you on the extranet.

Web technologies and their uses have exploded with functionality, capability, and popularity. Companies set up internal web sites for centralized business information such as employee phone numbers, policies, events, news, and operations instructions. Many companies have also implemented web-based terminals that enable employees to perform their daily tasks, access centralized databases, make transactions, collaborate on projects, access global calendars, use videoconferencing tools and whiteboard applications, and obtain often-used technical or marketing data.

352

Transmission Methods

A packet may need to be sent to only one workstation, to a set of workstations, or to all workstations on a particular subnet. If a packet needs to go from the source computer to one particular system, a unicast transmission method is used. If the packet needs to go to a specific group of systems, the sending system uses the multicast method. If a system wants all computers on its subnet to receive a message, it will use the broadcast method.

353

Routers

Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Because routers have more network-level knowledge, they can perform higher-level functions, such as calculating the shortest and most economical path between the sending and receiving hosts.

354

Firewalls

Firewalls are used to restrict access to one network from another network. Most companies use firewalls to restrict access to their networks from the Internet. They may also use firewalls to restrict one internal network segment from accessing another internal segment. For example, if the security administrator wants to make sure employees cannot access the research and development network, he would place a firewall between this network and all other networks and configure the firewall to allow only the type of traffic he deems acceptable.

355

Crosstalk

A signal on one channel of a transmission creates an undesired effect in another channel by interacting with it. The signal from one cable "spills over" into another cable.

356

Bastion host

A highly exposed device that will most likely be targeted for attacks, and thus should be properly locked down.

357

Switching

Dedicated links have one single path to traverse; thus, there is no complexity when it comes to determining how to get packets to different destinations. Only two points of reference are needed when a packet leaves one network and heads toward the other. It gets much more complicated when thousands of networks are connected to each other, which is often when switching comes into play.

358

BRI ISDN

This implementation operates over existing copper lines at the local loop and provides digital voice and data channels. It uses two B channels and one D channel with a combined bandwidth of 144 Kbps and is generally used for home subscribers.

359

SYN flood

DoS attack where an attacker sends a succession of SYN packets with the goal of overwhelming the victim system so that it is unresponsive to legitimate traffic.

360

IPSec

IPSec is covered in Chapter 7 from a cryptography point of view, so we will cover it from a VPN point of view here. IPSec is a suite of protocols that was developed to specifically protect IP traffic. IPv4 does not have any integrated security, so IPSec was developed to "bolt onto" IP and secure the data the protocol transmits. Where PPTP and L2TP work at the data link layer, IPSec works at the network layer of the OSI model.

361

Available Bit Rate (ABR)

A connection-oriented channel that allows the bit rate to be adjusted. Customers are given the bandwidth that remains after a guaranteed service rate has been met.

362

iterated tunneling

IPSec can be configured to provide transport adjacency, which just means that more than one security protocol (ESP and AH) is used in a VPN tunnel. IPSec can also be configured to provide iterated tunneling, in which an IPSec tunnel is tunneled through another IPSec tunnel, as shown in the following diagram. Iterated tunneling would be used if the traffic needed different levels of protection at different junctions of its path. For example, if the IPSec tunnel started from an internal host to an internal border router, this may not require encryption, so only the AH protocol would be used. But when that data travel from that border router throughout the Internet to another network, then the data require more protection. So the first packets travel through a semisecure tunnel until they get ready to hit the Internet and then they go through a very secure second tunnel.

363

PRI ISDN

This implementation has up to 23 B channels and 1 D channel, at 64 Kbps per channel. The total bandwidth is equivalent to a T1, which is 1.544 Mbps. This would be more suitable for a company that requires a higher amount of bandwidth compared to BRI ISDN.

364

Post Office Protocol (POP)

An Internet standard protocol used by e-mail clients to retrieve e-mail from a remote server. It supports simple download-and-delete requirements for access to remote mailboxes.

365

wide area network (WAN)

LAN technologies provide communication capabilities over a small geographic area, whereas wide area network (WAN) technologies are used when communication needs to travel over a larger geographical area. LAN technologies encompass how a computer puts its data onto a network cable, the rules and protocols of how that data are formatted and transmitted, how errors are handled, and how the destination computer picks up this data from the cable. When a computer on one network needs to communicate with a network on the other side of the country or in a different country altogether, WAN technologies kick in.

366

Symmetric DSL (SDSL)

Data travel upstream and downstream at the same rate. Bandwidth can range between 192 Kbps and 1.1 Mbps. Used mainly for business applications that require high speeds in both directions.

367

Simple Mail Transfer Protocol (SMTP)

An Internet standard protocol for electronic mail (e-mail) transmission across IP-based networks.

368

Reverse Address Resolution Protocol (RARP) and Bootstrap Protocol (BootP)

Networking protocols used by host computers to request the IP address from an administrative configuration server.

369

Session Initiation Protocol (SIP)

The signaling protocol widely used for controlling communication, as in voice and video calls over IP-based networks.

370

PPP replaced Serial Line Internet Protocol (SLIP), an older protocol that was used to encapsulate data to be sent over serial connection links. PPP has several capabilities that SLIP does not have:

  • Implements header and data compression for efficiency and better use of bandwidth
  • Implements error correction
  • Supports different authentication methods
  • Can encapsulate protocols other than just IP
  • Does not require both ends to have an IP address assigned before data transfer can occur

371

physical layer

The physical layer, layer 1, converts bits into voltage for transmission. Signals and voltage schemes have different meanings for different LAN and WAN technologies, as covered earlier. If a user sends data through his dial-up software and out his modem onto a telephone line, the data format, electrical signals, and control functionality are much different than if that user sends data through the NIC and onto an unshielded twisted pair (UTP) wire for LAN communication. The mechanisms that control this data going onto the telephone line, or the UTP wire, work at the physical layer. This layer controls synchronization, data rates, line noise, and transmission techniques. Specifications for the physical layer include the timing of voltage changes, voltage levels, and the physical connectors for electrical, optical, and mechanical transmission.

372

High-level Data Link Control (HDLC)

High-level Data Link Control (HDLC) is also a bit-oriented link layer protocol and is used for serial device-to-device WAN communication. HDLC is an extension of SDLC, which was mainly used in SNA environments. SDLC basically died out as the mainframe environments using SNA reduced greatly in numbers. HDLC stayed around and evolved.

373

Stealth rule

Disallows access to firewall software from unauthorized systems.

374

Ports

Software construct that allows for application- or service-specific communication between systems on a network. Ports are broken down into categories: well known (0-1023), registered (1024-49151), and dynamic (49152-65535).

375

Bus topology

Systems are connected to a single transmission channel (i.e., network cable), forming a linear construct.

376

Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.

24. Which of the following is a cost-effective countermeasure that Don’s team should implement?

  A. Stateful firewall

  B. Network address translation

  C. SYN proxy

  D. IPv6

24. C. A half-open attack is a type of DoS that is also referred to as a SYN flood. To thwart this type of attack, you can use SYN proxies, which limit the number of open and abandoned network connections. The SYN proxy is a piece of software that resides between the sender and receiver, and only sends TCP traffic to the receiving system if the TCP handshake process completes successfully.

377

Fourth generation (4G)

  • Based on an all-IP packet-switched network
  • Data exchange at 100 Mbps-1 Gbps

378

Carrier-Sensing and Token-Passing Access Methods

Overall, carrier-sensing access methods are faster than token-passing access methods, but the former do have the problem of collisions. A network segment with many devices can cause too many collisions and slow down the network’s performance. Token-passing technologies do not have problems with collisions, but they do not perform at the speed of carrier-sensing technologies. Network routers can help significantly in isolating the network resources for both the CSMA/CD and the token-passing methods.

379

14. Which of the following categories of routing protocols builds a topology database of the network?

A. Dynamic

B. Distance-vector

C. Link-state

D. Static

Extended Questions:

CORRECT C. Routing protocols indicate how routers talk to each other. Routing protocols circulate information that enables routers to choose a route between two nodes on a network. Routers then choose a route with the use of a routing algorithm. Each router has knowledge of the networks it is directly attached to. This information is shared with immediate neighbors, then throughout the network, via a routing protocol. Thus, routers learn about the topology of the network. Two main types of routing protocols are used: distance-vector and link-state routing. Link-state routing protocols build a more accurate routing table than distance-vector protocols because they build a topology database of the network. Link-state routing protocols look at more variables than just the number of hops between two destinations. They use packet size, link speed, delay, loading, and reliability as the variables in their algorithms to determine the best routes for packets to take.

WRONG A is incorrect because a dynamic routing protocol does not build a topology database of the network. However, a link-state routing protocol (which does build a topology database of the network) is classified as a dynamic routing protocol because it discovers routes and builds a routing table. Routers use these tables to make decisions on the best route for the packets they receive. A dynamic routing protocol can change the entries in the routing table based on changes that take place to the different routes. When a router that is using a dynamic routing protocol finds out that a route has gone down or is congested, it sends an update message to the other routers around it. The other routers use this information to update their routing table, with the goal of providing efficient routing functionality.

WRONG B is incorrect because distance-vector routing protocols do not build a topology database of the network. Routing protocols are classified as either distance-vector or link-state. Distance-vector routing protocols make their routing decisions based on the distance (or number of hops) and a vector (a direction). The protocol takes these variables and uses them with an algorithm to determine the best route for a packet. Distance-vector routing protocols build a less accurate routing table than link-state because distance-vector routing protocols use fewer variables to determine the best route.

WRONG D is incorrect because a static routing protocol does not build a topology database of the network. Routing protocols can be either dynamic or static. Whereas a dynamic routing protocol can discover routes and build a routing table on its own, a static routing table requires the administrator to manually configure the router’s routing table.

380

22. An effective method to shield networks from unauthenticated DHCP clients is through the use of ___________ on network switches.

  A. DHCP snooping

  B. DHCP protection

  C. DHCP shielding

  D. DHCP caching

22. A. DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems, identified by their MAC addresses. Also, advanced network switches now have the capability to direct clients toward legitimate DHCP servers to get IP addresses and to restrict rogue systems from becoming DHCP servers on the network.

381

public-switched telephone network (PSTN)

Multiservice access technologies combine several types of communication categories (data, voice, and video) over one transmission line. This provides higher performance, reduced operational costs, and greater flexibility, integration, and control for administrators. The regular phone system is based on a circuit-switched, voice-centric network, called the public-switched telephone network (PSTN). The PSTN uses circuit switching instead of packet switching. When a phone call is made, the call is placed at the PSTN interface, which is the user’s telephone. This telephone is connected to the telephone company’s local loop via copper wiring. Once the signals for this phone call reach the telephone company’s central office (the end of the local loop), they are part of the telephone company’s circuit-switching world. A connection is made between the source and the destination, and as long as the call is in session, the data flows through the same switches.

382

17. Which of the following best describes why e-mail spoofing is easily executed?

A. SMTP lacks an adequate authentication mechanism.

B. Administrators often forget to configure an SMTP server to prevent inbound SMTP connections for domains it doesn’t serve.

C. Keyword filtering is technically obsolete.

D. Blacklists are undependable.

Extended Questions:

CORRECT A. E-mail spoofing is easy to execute because SMTP lacks an adequate authentication mechanism. An attacker can spoof e-mail sender addresses by sending a TELNET command to port 25 of a mail server followed by a number of SMTP commands. Spammers use e-mail spoofing to obfuscate their identity. Oftentimes, the purported sender of a spam e-mail is actually another victim of spam whose e-mail address has been sold to or harvested by a spammer.

WRONG B is incorrect because the answer alludes to open mail relay servers. The failure to configure an SMTP server to prevent SMTP connections for domains it doesn’t serve is not a common mistake. It is well known that an open mail relay allows spammers to hide their identity and is a principal tool in the distribution of spam. Open mail relays are, therefore, considered a sign of bad system administration. An open relay is not required for e-mail spoofing.

WRONG C is incorrect because keyword filtering is a countermeasure that can be used to help suppress spam. While keyword filtering by itself was popular at one time, it is no longer an effective countermeasure when used just by itself. Keyword filtering is prone to false positives and spammers have found creative ways to work around it. For example, keywords may be intentionally misspelled or one or two letters of a common word swapped with a special character.

WRONG D is incorrect because blacklists list open mail relay servers that are known for sending spam. Administrators can use blacklists to prevent the delivery of e-mail originating from those hosts in an effort to suppress spam. However, blacklists cannot be depended upon for complete protection because they are often managed by private organizations and individuals according to their own rules.

384

Statistical time-division multiplexing (STDM)

Transmitting several types of data simultaneously across a single transmission line. STDM technologies analyze statistics related to the typical workload of each input device and make real-time decisions on how much time each device should be allocated for data transmission.

385

Telecommunications

Telecommunications is the electrical transmission of data among systems, whether through analog, digital, or wireless transmission types. The data can flow through copper wires; coaxial cable; airwaves; the telephone company’s public-switched telephone network (PSTN); and a service provider’s fiber cables, switches, and routers. Definitive lines exist between the media used for transmission, the technologies, the protocols, and whose equipment is being used. However, the definitive lines get blurry when one follows how data created on a user’s workstation flows within seconds through a complex path of Ethernet cables, to a router that divides the company’s network and the rest of the world, through the Asynchronous Transfer Mode (ATM) switch provided by the service provider, to the many switches the packets traverse throughout the ATM cloud, on to another company’s network, through its router, and to another user’s workstation. Each piece is interesting, but when they are all integrated and work together, it is awesome.

386

Port Types

Port numbers up to 1023 (0 to 1023) are called well-known ports, and almost every computer in the world has the exact same protocol mapped to the exact same port number. That is why they are called well known—everyone follows this same standardized approach. This means that on almost every computer, port 25 is mapped to SMTP, port 21 is mapped to FTP, port 80 is mapped to HTTP, and so on. This mapping between lower-numbered ports and specific protocols is a de facto standard, which just means that we all do this and that we do not have a standards body dictating that it absolutely has to be done this way. The fact that almost everyone follows this approach translates to more interoperability among systems all over the world.

387

DHCPOFFER message

This message is a response to a DHCPDISCOVER message, and is sent by one or numerous DHCP servers.

388

Orthogonal frequency division multiple access (OFDMA)

Orthogonal frequency division multiple access (OFDMA) is derived from a combination of FDMA and TDMA. In earlier implementations of FDMA, the different frequencies for each channel were widely spaced to allow analog hardware to separate the different channels. In OFDMA, each of the channels is subdivided into a set of closely spaced orthogonal frequencies with narrow bandwidths (subchannels). Each of the different subchannels can be transmitted and received simultaneously in a multiple input and output (MIMO) manner. The use of orthogonal frequencies and MIMO allows signal processing techniques to reduce the impacts of any interference between different subchannels and to correct for channel impairments, such as noise and selective frequency fading. 4G requires that OFDMA be used.

389

Synchronous Optical Networking (SONET) and Synchronous Digital Hierarchy (SDH)

Standardized multiplexing protocols that transfer multiple digital bit streams over optical fiber and allow for simultaneous transportation of many different circuits of differing origin within a single framing protocol.

390

Simple Authentication and Security Layer (SASL)

POP has gone through a few version updates and is currently on POP3. POP3 has the capability to integrate Simple Authentication and Security Layer (SASL). SASL is a protocol-independent framework for performing authentication. This means that any protocol that knows how to interact with SASL can use its various authentication mechanisms without having to actually embed the authentication mechanisms within its code.

392

Asynchronous Transfer Mode (ATM)

Asynchronous Transfer Mode (ATM) is another switching technology, but instead of being a packet-switching method, it uses a cell-switching method. ATM is a high-speed networking technology used for LAN, MAN, WAN, and service provider connections. Like frame relay, it is a connection-oriented switching technology, and creates and uses a fixed channel. IP is an example of a connectionless technology. Within the TCP/IP protocol suite, IP is connectionless and TCP is connection oriented. This means IP segments can be quickly and easily routed and switched without each router or switch in between having to worry about whether the data actually made it to its destination—that is TCP’s job. TCP works at the source and destination ends to ensure data were properly transmitted, and it resends data that ran into some type of problem and did not get delivered properly. When using ATM or frame relay, the devices in between the source and destination have to ensure that data get to where they need to go, unlike when a purely connectionless protocol is being used.

393

Gateways

Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet.

394

Networking Foundations

We really need to connect all of these resources together.

Most users on a network need to use the same type of resources, such as print servers, portals, file servers, Internet connectivity, etc. Why not just string all the systems together and have these resources available to all? Great idea! We’ll call it networking!

395

What’s in a Name? : The terms "IP telephony" and "Voice over IP" are used interchangeably:

  • The term "VoIP" is widely used to refer to the actual services offered: caller ID, QoS, voicemail, and so on.
  • IP telephony is an umbrella term for all real-time applications over IP, including voice over instant messaging (IM) and videoconferencing.

396

20. Brad is a security manager at Thingamabobs Inc. He is preparing a presentation for his company’s executives on the risks of using instant messaging (IM) and his reasons for wanting to prohibit its use on the company network. Which of the following should not be included in his presentation?

A. Sensitive data and files can be transferred from system to system over IM.

B. Users can receive information—including malware—from an attacker posing as a legitimate sender.

C. IM use can be stopped by simply blocking specific ports on the network firewalls.

D. A security policy is needed specifying IM usage restrictions.

Extended Questions:

CORRECT C. Instant messaging (IM) allows people to communicate with one another through a type of real-time and personal chat room. It alerts individuals when someone who is on their "buddy list" has accessed the intranet/Internet so that they can send text messages back and forth in real time. The technology also allows for files to be transferred from system to system. The technology is made up of clients and servers. The user installs an IM client (AOL, ICQ, Yahoo Messenger, and so on) and is assigned a unique identifier. This user gives out this unique identifier to people whom she wants to communicate with via IM. Blocking specific ports on the firewalls is not usually effective because the IM traffic may be using common ports that need to be open (HTTP port 80 and FTP port 21). Many of the IM clients autoconfigure themselves to work on another port if their default port is unavailable and blocked by the firewall.

WRONG A is incorrect because in addition to text messages, instant messaging allows for files to be transferred from system to system. These files could contain sensitive information, putting the company at business and legal risk. And, of course, sharing files over IM can eat up network bandwidth and impact network performance as a result.

WRONG B is incorrect because the statement is true. Because of the lack of strong authentication, accounts can be spoofed so that the receiver accepts information from a malicious user instead of the legitimate sender. There have also been numerous buffer overflow and malformed packet attacks that have been successful with different IM clients. These attacks are usually carried out with the goal of obtaining unauthorized access to the victim’s system.

WRONG D is incorrect because Brad should include in his presentation the need for a security policy specifying IM usage restrictions. This is just one of several best practices for protecting an environment from IM-related security breaches. Other best practices include implementing an integrated antivirus/firewall product on all computers, configuring firewalls to block IM traffic, upgrading IM software to more secure versions, and implementing corporate IM servers so that internal employees communicate within the organization’s network only.

397

Multiplexing

A method of combining multiple channels of data over a single transmission line.

398

self-healing

SONET is self-healing, meaning that if a break in the line occurs, it can use a backup redundant ring to ensure transmission continues. All SONET lines and rings are fully redundant. The redundant line waits in the wings in case anything happens to the primary ring.

399

Session Layer

I don’t want to talk to another computer. I want to talk to an application.

When two applications need to communicate or transfer data between themselves, a connection may need to be set up between them. The session layer, layer 5, is responsible for establishing a connection between the two applications, maintaining it during the transfer of data, and controlling the release of this connection. A good analogy for the functionality within this layer is a telephone conversation. When Kandy wants to call a friend, she uses the telephone. The telephone network circuitry and protocols set up the connection over the telephone lines and maintain that communication path, and when Kandy hangs up, they release all the resources they were using to keep that connection open.

400

Data Link : The protocols at the data link layer convert data into LAN or WAN frames for transmission and define how a computer accesses a network. This layer is divided into the Logical Link Control (LLC) and the Media Access Control (MAC) sublayers. Some protocols that work at this layer include the following:

  • Address Resolution Protocol (ARP)
  • Reverse Address Resolution Protocol (RARP)
  • Point-to-Point Protocol (PPP)
  • Serial Line Internet Protocol (SLIP)
  • Ethernet
  • Token Ring
  • FDDI
  • ATM

401

bus topology

In a simple bus topology, a single cable runs the entire length of the network. Nodes are attached to the network through drop points on this cable. Data communications transmit the length of the medium, and each packet transmitted has the capability of being "looked at" by all nodes. Each node decides to accept or ignore the packet, depending upon the packet’s destination address.

402

Secure Sockets Layer (SSL)

A newer VPN technology is Secure Sockets Layer (SSL), which works at even higher layers in the OSI model than the previously covered VPN protocols. SSL works at the transport and session layers of the network stack and is used mainly to protect HTTP traffic. SSL capabilities are already embedded into most web browsers, so the deployment and interoperability issues are minimal. SSL itself has since been superseded by Transport Layer Security (TLS); SSL 2.0 and 3.0 are deprecated and should be disabled, so a current "SSL VPN" actually negotiates TLS.

403

Very High-Data-Rate Digital Subscriber Line (VDSL)

VDSL is basically ADSL at much higher data rates (13 Mbps downstream and 2 Mbps upstream). It is capable of supporting high-bandwidth applications such as HDTV, telephone services (voice over IP), and general Internet access over a single connection.

404

Metropolitan area network (MAN)

A network that usually spans a city or a large campus, interconnects a number of LANs using a high-capacity backbone technology, and provides up-link services to WANs or the Internet.

405

Ring topology

Each system connects to two other systems, forming a single, unidirectional network pathway for signals, thus forming a ring.

406

split DNS

Organizations should implement split DNS, which means a DNS server in the DMZ handles external hostname-to-IP resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed by being "Internet facing." The internal DNS server should only contain resource records for the internal computer systems, and the external DNS server should only contain resource records for the systems the organization wants the outside world to be able to connect to. If the external DNS server is compromised and it has the resource records for all of the internal systems, now the attacker has a lot of "inside knowledge" and can carry out targeted attacks. External DNS servers should only contain information on the systems within the DMZ that the organization wants others on the Internet to be able to communicate with (web servers, external mail server, etc.).

407

Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network’s NAT device. Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. Lance has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.

40. Which of the following technologies should Lance’s team investigate for increased authentication efforts?

  A. Challenge handshake protocol

  B. Simple Authentication and Security Layer

  C. IEEE 802.2 AB

  D. EAP-SSL

40. B. Simple Authentication and Security Layer is a protocol-independent authentication framework. This means that any protocol that knows how to interact with SASL can use its various authentication mechanisms without having to actually embed the authentication mechanisms within its code.

408

Instant messaging spam (SPIM)

Instant messaging spam (SPIM) is a type of spamming that uses instant messengers for this malicious act. Although this kind of spamming is not as common as e-mail spamming, it is certainly increasing over time. The fact that port-based firewalls have difficulty blocking SPIM, because IM traffic often rides on ports that must stay open, has made it more attractive for spammers. One way to prevent SPIM is to enable the option of receiving instant messages only from a known list of users.

409

Mesh topology

Network where each system must not only capture and disseminate its own data, but also serve as a relay for other systems; that is, it must collaborate to propagate the data in the network.

410

Copper Distributed Data Interface (CDDI)

A version of FDDI, Copper Distributed Data Interface (CDDI), can work over UTP cabling. Whereas FDDI would be used more as a MAN, CDDI can be used within a LAN environment to connect network segments.

411

Fiber Distributed Data Interface

Ring-based token network protocol that was derived from the IEEE 802.4 token bus timed token protocol. It can work in LAN or MAN environments and provides fault tolerance through dual-ring architecture.

412

Domain Name Service

I don’t understand numbers. I understand words.

Imagine how hard it would be to use the Internet if we had to remember actual specific IP addresses to get to various websites. The Domain Name Service (DNS) is a method of resolving hostnames to IP addresses so names can be used instead of IP addresses within networked environments.

413

Authentication Protocols

Hey, how do I know you are who you say you are?

Password Authentication Protocol (PAP) is used by remote users to authenticate over PPP connections. It provides identification and authentication of the user who is attempting to access a network from a remote system. This protocol requires a user to enter a password before being authenticated. The password and the username credentials are sent over the network in cleartext to the authentication server after a connection has been established via PPP, so anyone who can capture the link can read them. The authentication server has a database of user credentials that are compared to the supplied credentials to authenticate users.
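
What "sent over the network" means in PAP's case, as an added Python example (not code from the page). build_pap_request() and parse_pap_request() follow the Authenticate-Request layout of RFC 1334 (Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password); the parser is what a sniffer would run on a captured PPP frame, and it recovers the password directly. chap_response() is included for contrast and follows RFC 1994, where the value on the wire is MD5 over Identifier, secret and challenge rather than the secret. The user name, password and challenge bytes are constructed sample input.

```python
import hashlib
import struct

# PAP packet codes (RFC 1334)
PAP_AUTH_REQUEST = 1
PAP_AUTH_ACK = 2
PAP_AUTH_NAK = 3


def build_pap_request(identifier, peer_id, password):
    """Build a PAP Authenticate-Request exactly as it crosses the PPP link:
    Code | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(data)) + data


def parse_pap_request(frame):
    """Recover the credentials from a captured PAP Authenticate-Request.
    Returns (identifier, peer_id, password), or None if the frame is malformed.
    Every length field is checked against the enclosing one so a crafted
    frame cannot make the parser read past the packet."""
    if len(frame) < 6:
        return None
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQUEST or length < 6 or length > len(frame):
        return None
    body = frame[4:length]
    id_len = body[0]
    if 1 + id_len >= len(body):            # Passwd-Length byte must exist
        return None
    peer_id = body[1:1 + id_len]
    pw_len = body[1 + id_len]
    if 2 + id_len + pw_len > len(body):    # password must fit inside Length
        return None
    password = body[2 + id_len:2 + id_len + pw_len]
    return identifier, peer_id, password


def chap_response(identifier, secret, challenge):
    """Contrast: a CHAP Response value (RFC 1994) is MD5(Identifier || secret || Challenge).
    A capture yields a hash bound to a one-time challenge, not the secret itself."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


if __name__ == "__main__":
    # Constructed sample credentials; a capture of this frame gives them away.
    frame = build_pap_request(7, b"alice", b"s3cret")
    print(frame.hex())
    print(parse_pap_request(frame))
    print(chap_response(7, b"s3cret", b"\x11\x22\x33\x44").hex())
```

Run the file to see the hex of the frame: the user name and password are readable at fixed offsets, which is why PAP should only appear inside an already-encrypted tunnel, if at all.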

414

IEEE 802.1AR

Standard that specifies unique per-device identifiers (DevID) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers.

415

Network address translation (NAT)

The process of modifying IP address information in packet headers while in transit across a traffic routing device, with the goal of reducing the demand for public IP addresses.

416

20. The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP.

  A. Session Initiation Protocol

  B. Real-time Transport Protocol

  C. SS7

  D. VoIP

20. A. The Session Initiation Protocol (SIP) is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP. The protocol can be used for creating, modifying, and terminating two-party (unicast) or multiparty (multicast) sessions consisting of one or several media streams.

417

Proxy server

A system that acts as an intermediary for requests from clients seeking resources from other sources. A client connects to the proxy server, requesting some service, and the proxy server evaluates the request according to its filtering rules and makes the connection on behalf of the client. Proxies can be open or carry out forwarding or reverse forwarding capabilities.

418

Carrier sense multiple access with collision avoidance (CSMA/CA)

Carrier sense multiple access with collision avoidance (CSMA/CA) is a medium-sharing method in which each computer signals its intent to transmit data before it actually does so. This tells all other computers on the network not to transmit data right now because doing so could cause a collision. Basically, a system listens to the shared medium to determine whether it is busy or free. Once the system identifies that the "coast is clear" and it can put its data on the wire, it sends out a broadcast to all other systems, telling them it is going to transmit information. It is similar to saying, "Everyone shut up. I am going to talk now." Each system will wait a period of time before attempting to transmit data to ensure collisions do not take place. The wireless LAN technology 802.11 uses CSMA/CA for its media access functionality.

419

Internet Group Management Protocol (IGMP)

Used by systems and adjacent routers on IP networks to establish and maintain multicast group memberships.

420

Ethernet is defined by the following characteristics:

  • Contention-based technology (all resources use the same shared communication medium)
  • Uses broadcast and collision domains
  • Uses the carrier sense multiple access with collision detection (CSMA/CD) access method
  • Supports full duplex communication
  • Can use coaxial, twisted-pair, or fiber-optic cabling types
  • Is defined by standard IEEE 802.3

421

Network Address Translation

I have one address I would like to share with everyone!

When computers need to communicate with each other, they must use the same type of addressing scheme so everyone understands how to find and talk to one another. The Internet uses the IP address scheme as discussed earlier in the chapter, and any computer or network that wants to communicate with other users on the network must conform to this scheme; otherwise, that computer will sit in a virtual room with only itself to talk to.

422

Frequency division multiple access (FDMA)

Frequency division multiple access (FDMA) was the earliest multiple access technology put into practice. The available frequency range is divided into sub-bands (channels), and one channel is assigned to each subscriber (cell phone). The subscriber has exclusive use of that channel while the call is made, or until the call is terminated or handed off; no other calls or conversations can be made on that channel during that call. Using FDMA in this way, multiple users can share the frequency range without the risk of interference between the simultaneous calls. FDMA was used in the first generation (1G) of cellular networks. Various 1G implementations, such as Advanced Mobile Phone System (AMPS), Total Access Communication System (TACS), and Nordic Mobile Telephone (NMT), used FDMA.

423

3. Robert is responsible for implementing a common architecture used when customers need to access confidential information through Internet connections. Which of the following best describes this type of architecture?

A. Two-tiered model

B. Screened host

C. Three-tiered model

D. Public and private DNS zones

Extended Questions:

CORRECT C. Many of today’s e-commerce architectures use a three-tiered architecture approach. The three-tier architecture is a client-server architecture in which the user interface, functional process logic, and data storage run as independent components that are developed and maintained, often on separate platforms. The three-tier architecture allows for any one of the tiers to be upgraded or modified as needed without affecting the other two tiers because of its modularity. In the case of e-commerce, the presentation layer is a front-end Web server that users interact with. It can serve both static and cached dynamic content. The business logic layer is where the request is reformatted and processed. This is commonly a dynamic content processing and generation-level application server. The data storage is where the sensitive data is held. It is a backend database that holds both the data and the database management system software that is used to manage and provide access to the data. The separate tiers may be connected with middleware and run on separate physical servers.

WRONG A is incorrect because two-tiered, or client-server, describes an architecture in which a server provides services to one or more clients that request those services. Many of today’s business applications and Internet protocols use the client-server model. This architecture uses two systems: a client and a server. The client is one tier and the server is another tier, hence the two-tier architecture. Each instance of the client software is connected to one or more servers. The client sends its information request to a server, which processes the request and returns the data to the client. A three-tier architecture is a better approach for protecting sensitive information when requests are coming in from the Internet. It provides one extra tier that an attacker must exploit to gain access to the sensitive data being held on the backend server.

WRONG B is incorrect because a screened host architecture means that one firewall is in place to protect one server, which is basically a one-tier architecture. An external, public-facing firewall screens the requests coming in from an untrusted network such as the Internet. If the one tier, the only firewall, is compromised, then the attacker can gain access to the sensitive data that resides on the server relatively easily.

WRONG D is incorrect because while separating DNS servers into public and private servers provides protection, it is not an actual architecture used for the purpose requested in the question. Organizations should implement split DNS (public and private facing), which means a DNS server in the DMZ handles external resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed to Internet connections.

424

Digital signals

Binary digits are represented and transmitted as discrete electrical pulses. Digital signaling allows for higher data transfer rates and higher data integrity than analog signaling.

425

Frequency-division multiplexing (FDM)

Dividing available bandwidth into a series of nonoverlapping frequency sub-bands that are then assigned to each communicating source and user pair. FDM is inherently an analog technology.

426

Source routing

Allows a sender of a packet to specify the route the packet takes through the network versus routers determining the path. Because it lets an attacker steer packets around routing-based controls, routers and firewalls are normally configured to drop packets that carry source-route options.

427

21. Which of the following is not one of the stages of the DHCP lease process?

i. Discover

ii. Offer

iii. Request

  iv. Acknowledgment

  A. All of them

  B. None of them

  C. i, ii

  D. ii, iii

21. B. The four-step DHCP lease process is:

DHCPDISCOVER message This message is used to request an IP address lease from a DHCP server.

DHCPOFFER message This message is a response to a DHCPDISCOVER message, and is sent by one or numerous DHCP servers.

DHCPREQUEST message The client broadcasts a DHCP Request message naming, via the server identifier option, the one DHCP server whose offer it accepts; the other servers that responded see the broadcast and withdraw their offers.

DHCPACK message The DHCP Acknowledge message is sent by the DHCP server to the DHCP client and is the process whereby the DHCP server assigns the IP address lease to the DHCP client.
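
The four-step lease process with both sides' messages, as an added Python model (not code from the page or from any DHCP implementation). It keeps only the fields that matter for the exchange: the option 53 message type, the transaction id that ties the four messages together, the offered address, and the option 54 server identifier the client echoes in its DHCPREQUEST so that the servers it did not choose can release their tentative reservations. The addresses, MACs and the "rogue" server are constructed; the second scenario shows the security point the exchange itself cannot fix: a client takes the first offer it hears, so a rogue server on the segment can hand out its own gateway, which is what DHCP snooping on the switch is for.

```python
from dataclasses import dataclass

# DHCP message type values carried in option 53 (RFC 2132)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6


@dataclass
class Msg:
    kind: int
    client_mac: str
    xid: int                 # transaction id shared by the four messages
    yiaddr: str = ""         # "your" address: offered or assigned
    server_id: str = ""      # option 54, identifies the responding server
    requested_ip: str = ""   # option 50, the offer the client accepts
    gateway: str = ""        # option 3, default router handed to the client


class DhcpServer:
    """Minimal lease state machine; illustrative, not a real DHCP daemon."""

    def __init__(self, server_id, pool, gateway):
        self.server_id = server_id
        self.gateway = gateway
        self.free = list(pool)
        self.offered = {}    # xid -> tentatively reserved address
        self.leases = {}     # client mac -> assigned address

    def handle(self, msg):
        if msg.kind == DHCPDISCOVER:
            ip = self.leases.get(msg.client_mac)   # returning client keeps its address
            if ip is None:
                if not self.free:
                    return None                    # nothing left to offer
                ip = self.free.pop(0)
            self.offered[msg.xid] = ip
            return Msg(DHCPOFFER, msg.client_mac, msg.xid, yiaddr=ip,
                       server_id=self.server_id, gateway=self.gateway)
        if msg.kind == DHCPREQUEST:
            ip = self.offered.pop(msg.xid, None)
            if msg.server_id != self.server_id:
                # the client chose another server: give back our reservation
                if ip is not None and ip not in self.leases.values():
                    self.free.insert(0, ip)
                return None
            if ip is None or ip != msg.requested_ip:
                return Msg(DHCPNAK, msg.client_mac, msg.xid, server_id=self.server_id)
            self.leases[msg.client_mac] = ip
            return Msg(DHCPACK, msg.client_mac, msg.xid, yiaddr=ip,
                       server_id=self.server_id, gateway=self.gateway)
        return None


def obtain_lease(client_mac, xid, servers):
    """Discover -> Offer -> Request -> Acknowledgment for one client.
    DISCOVER and REQUEST are broadcasts, so every server sees both.
    Returns (address, server_id, gateway) or None."""
    discover = Msg(DHCPDISCOVER, client_mac, xid)
    offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
    if not offers:
        return None
    chosen = offers[0]   # offers are not authenticated; the first one heard wins
    request = Msg(DHCPREQUEST, client_mac, xid,
                  server_id=chosen.server_id, requested_ip=chosen.yiaddr)
    replies = [r for r in (s.handle(request) for s in servers) if r is not None]
    ack = next((r for r in replies if r.kind == DHCPACK), None)
    return (ack.yiaddr, ack.server_id, ack.gateway) if ack else None


if __name__ == "__main__":
    legit = DhcpServer("10.10.44.1", ["10.10.44.100", "10.10.44.101"], gateway="10.10.44.1")
    rogue = DhcpServer("10.10.44.250", ["10.10.44.200"], gateway="10.10.44.250")
    print(obtain_lease("00:11:22:33:44:55", 0x1234, [legit, rogue]))  # legit answered first
    print(obtain_lease("aa:bb:cc:dd:ee:ff", 0x5678, [rogue, legit]))  # rogue answered first
```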

428

network layer

The main responsibilities of the network layer, layer 3, are to insert information into the packet’s header so it can be properly addressed and routed, and then to actually route the packets to their proper destination. In a network, many routes can lead to one destination. The protocols at the network layer must determine the best path for the packet to take. Routing protocols build and maintain their routing tables. These tables are maps of the network, and when a packet must be sent from computer A to computer M, the protocols check the routing table, add the necessary information to the packet’s header, and send it on its way.

429

Virtual Router Redundancy Protocol

VRRP is used in networks that require high availability where routers as points of failure cannot be tolerated. It is designed to increase the availability of the default gateway by advertising a "virtual router" as a default gateway. Two or more physical routers (a master and one or more backups) are mapped to one virtual router. If the master fails, a backup router takes over the workload.

430

Packet switching:

  • Packets can use many different dynamic paths to get to the same destination.
  • Traffic is usually bursty in nature.
  • Variable delays.
  • Usually carries data-oriented data.

431

Always Connected

Unlike dial-up modems and ISDN connections, DSL lines and cable modems are connected to the Internet and "live" all the time. No dial-up steps are required. This can cause a security issue because many hackers look for just these types of connections. Systems using these types of connections are always online and available for scanning, probing, hacking, and attacking. These systems are also often used in DDoS attacks. Because the systems are on all the time, attackers plant Trojan horses that lie dormant until they get the command from the attacker to launch an attack against a victim. Many of the DDoS attacks use as their accomplices systems with DSL and cable modems, and usually the owner of the computer has no idea their system is being used to attack another system.

432

Border Gateway Protocol (BGP)

The exterior routing protocols used by routers connecting different ASs are generically referred to as exterior gateway protocols (EGPs). The Border Gateway Protocol (BGP) enables routers on different ASs to share routing information to ensure effective and efficient routing between the different AS networks. BGP is commonly used by Internet service providers to route data from one location to the next on the Internet.

433

IEEE 802.1AE (MACsec)

Standard that specifies a set of protocols to meet the security requirements for protecting data traversing Ethernet LANs.

434

Infrastructure as a Service (IaaS)

Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.

435

Instant messaging (IM)

Instant messaging (IM) allows people to communicate with one another through a type of real-time, bidirectional exchange. IM provides instantaneous transmissions of text-based messages between people with shared client software. Most of the communication takes place in text-based format, but some IM software allows for voice and video data to be passed back and forth also. Several instant messaging services offer video calling features, Voice over IP, and web conferencing capabilities. Many instant messaging applications offer functions like file transfer, contact lists, and the ability to maintain several simultaneous conversations.

436

Wide area network (WAN)

A telecommunication network that covers a broad area and allows a business to effectively carry out its daily function, regardless of location.

437

war driving

A common attack on wireless networks is war driving, which is when one or more people either walk or drive around with a wireless device equipped with the necessary equipment and software with the intent of identifying APs and breaking into them. Traditionally, this activity has taken place by using a laptop and driving in the proximity of buildings that have WLANs implemented, but today even smartphones can be used for this type of attack.

438

Fire Rating of Cables

This cable smells funny when it’s on fire.

Just as buildings must meet certain fire codes, so must wiring schemes. A lot of companies string their network wires in drop ceilings—the space between the ceiling and the next floor—or under raised floors. This hides the cables and prevents people from tripping over them. However, when wires are strung in places like this, they are more likely to catch on fire without anyone knowing about it. Some cables produce hazardous gases when on fire that would spread throughout the building quickly. Network cabling that is placed in these types of areas, called plenum space, must meet a specific fire rating to ensure it will not produce and release harmful chemicals in case of a fire. A ventilation system’s components are usually located in this plenum space, so if toxic chemicals were to get into that area, they could easily spread throughout the building in minutes.

439

Communication Characteristics

  • Synchronous
  • Asynchronous

440

Bus Topology

In a simple bus topology, a single cable runs the entire length of the network. Nodes are attached to the network through drop points on this cable. Data communications transmit the length of the medium, and each packet transmitted has the capability of being "looked at" by all nodes. Each node decides to accept or ignore the packet, depending upon the packet’s destination address.

441

11. Angela wants to group together computers by department to make it easier for them to share network resources. Which of the following will allow her to group computers logically?

A. VLAN

B. Open network architecture

C. Intranet

D. VAN

Extended Questions:

CORRECT A. Virtual LANs (VLANs) enable the logical separation and grouping of computers based on resource requirements, security, or business needs in spite of the standard physical location of the systems. This technology allows Angela to logically place all computers within the same department on the same VLAN network so that all users can receive the same broadcast messages and can access the same types of resources, regardless of their physical location. This means that computers can be grouped together even if they are not located on the same network.

WRONG B is incorrect because open network describes technologies that can make up a network. It is one that no vendor owns, that is not proprietary, and that can easily integrate various technologies and vendor implementations of those technologies. The OSI model provides a framework for developing products that will work within an open network architecture. Vendors use the OSI model as a blueprint and develop their own protocols and interfaces to produce functionality that is different from that of other vendors. However, because these vendors use the OSI model as their starting place, integration of other vendor products is an easier task, and the interoperability issues are less burdensome than if the vendors had developed their own networking framework from scratch.

WRONG C is incorrect because an intranet is a private network that a company uses when it wants to use the Internet and Web-based technologies for internal networks. The company has Web servers and client machines using Web browsers, and it uses the TCP/IP protocol suite. The Web pages are written in HTML or XML, and are accessed via HTTP.

WRONG D is incorrect because a value-added network (VAN) is an electronic data interchange (EDI) infrastructure developed and maintained by a service bureau. Here’s an example of how a VAN works: A retail store such as Target tracks its inventory by having employees scan bar codes on individual items. When the inventory of an item—such as garden hoses—becomes low, an employee sends a request for more garden hoses. The request goes to a mailbox at a VAN that Target pays to use, and the request is then pushed out to the garden hose supplier. Because Target deals with thousands of suppliers, using a VAN simplifies the ordering process. There is no need to manually track down the right supplier and submit a purchase order.

442

Frequency hopping spread spectrum (FHSS)

Frequency hopping spread spectrum (FHSS) takes the total amount of bandwidth (spectrum) and splits it into smaller subchannels. The sender and receiver work at one of these subchannels for a specific amount of time and then move to another subchannel. The sender puts the first piece of data on one frequency, the second on a different frequency, and so on. The FHSS algorithm determines the individual frequencies that will be used and in what order, and this is referred to as the sender and receiver’s hop sequence.

443

Light detector

Converts light signal back into electrical signal

444

Packet filtering

Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values. The device that is carrying out packet filtering processes is configured with ACLs, which dictate the type of traffic that is allowed into and out of specific networks.
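
An ACL evaluated over sample packets, as an added Python example (not code from the page or from any firewall product). The rules, addresses and packets are constructed; the rule syntax is a loose imitation of router ACLs, including the stateless "established" trick of matching TCP packets that carry ACK or RST. First match wins and anything that matches nothing hits the implicit deny. The last two packets in the test show the limit of header-only filtering: an ACK-only probe to an internal host's port 22 is accepted, because a packet filter cannot tell a reply from a crafted segment without session state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flag letters: "S" SYN, "A" ACK, "R" RST, ...


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "any", "tcp", "udp" or "icmp"
    src: str                        # CIDR
    dst: str                        # CIDR
    dport: Optional[int] = None     # None = any destination port
    established: bool = False       # TCP only: require ACK or RST to be set

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (
            pkt.proto == "tcp" and ("A" in pkt.flags or "R" in pkt.flags)
        ):
            return False
        return True


# Constructed inbound ACL for an Internet-facing interface.
ACL = [
    # anti-spoofing: an RFC 1918 source can never legitimately arrive from outside
    Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("deny", "any", "172.16.0.0/12", "0.0.0.0/0"),
    Rule("deny", "any", "192.168.0.0/16", "0.0.0.0/0"),
    # published DMZ services (203.0.113.0/24 is an RFC 5737 documentation range)
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dport=443),
    Rule("permit", "udp", "0.0.0.0/0", "203.0.113.53/32", dport=53),
    # return traffic for sessions opened from inside: ACK or RST must be set
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/8", established=True),
]


def evaluate(acl, pkt):
    """First matching rule decides; the implicit deny catches everything else."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def evaluate_all(acl, packets):
    """Run a batch of packets through the ACL; returns a list of actions."""
    return [evaluate(acl, p) for p in packets]
```

Because the "established" rule only looks at flag bits, the sixth test packet (an ACK probe to port 22 of an internal host) is permitted; a stateful firewall would drop it because no matching session exists.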

445

value-added network (VAN)

A value-added network (VAN) is an EDI infrastructure developed and maintained by a service bureau. A Wal-Mart store tracks its inventory by having employees scan bar codes on individual items. When the inventory of an item becomes low, a Wal-Mart employee sends a request for more of that specific item. This request goes to a mailbox at a VAN that Wal-Mart pays to use, and the request is then pushed out to a supplier that provides this type of inventory for Wal-Mart. Because Wal-Mart (and other stores) deals with thousands of suppliers, using a VAN simplifies the ordering process: instead of an employee having to track down the right supplier and submit a purchase order, this all happens in the background through an automated EDI network, which is managed by a VAN company for use by other companies.

446

Port address translation (PAT)

The company owns and uses only one public IP address for all systems that need to communicate outside the internal network. How in the world could all computers use the exact same IP address? Good question. Here’s an example: The NAT device has a public IP address of 203.0.113.3. When computer A needs to communicate with a system on the Internet, the NAT device documents this computer’s private address and source port number (10.10.44.3; port 43,887). The NAT device changes the IP address in the computer’s packet header to 203.0.113.3, with the source port 40,000. When computer B also needs to communicate with a system on the Internet, the NAT device documents the private address and source port number (10.10.44.15; port 23,398) and changes the header information to 203.0.113.3 with source port 40,001. So when a system responds to computer A, the packet first goes to the NAT device, which looks up the port number 40,000 and sees that it maps to computer A’s real information. So the NAT device changes the header information to address 10.10.44.3 and port 43,887 and sends it to computer A for processing. A company can save a lot more money by using PAT, because the company needs to buy only a few public IP addresses, which are used by all systems in the network.
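
The translation table the card walks through, as an added Python model (not code from the page or from any NAT implementation). It uses 203.0.113.3, an RFC 5737 documentation address, as the public side, and the same private addresses and ports as the card; the remote addresses are constructed. The model keeps the remote endpoint in each mapping, so a reply is only translated back when it comes from the peer the inside host actually talked to; that check is what makes PAT drop unsolicited inbound traffic rather than forward it to whichever host happens to own the port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation as seen in the packet header."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatDevice:
    """Port address translation: one public address, a pool of public ports.
    Illustrative model, not a real NAT engine (no timeouts, no protocol split)."""

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound = {}
        # public port -> (private ip, private port, remote ip, remote port)
        self.inbound = {}

    def translate_outbound(self, flow):
        """Rewrite the source of a packet leaving the private network,
        allocating a public port the first time this flow is seen."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return Flow(self.public_ip, self.outbound[key], flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow):
        """Rewrite the destination of a packet arriving from the Internet.
        Returns None (drop) when no inside host opened this flow, or when the
        packet comes from a different peer than the mapping was created for."""
        if flow.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(flow.dst_port)
        if entry is None:
            return None
        private_ip, private_port, remote_ip, remote_port = entry
        if (flow.src_ip, flow.src_port) != (remote_ip, remote_port):
            return None
        return Flow(flow.src_ip, flow.src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = PatDevice("203.0.113.3")
    print(nat.translate_outbound(Flow("10.10.44.3", 43887, "198.51.100.20", 443)))
    print(nat.translate_outbound(Flow("10.10.44.15", 23398, "198.51.100.20", 443)))
    print(nat.translate_inbound(Flow("198.51.100.20", 443, "203.0.113.3", 40000)))
    print(nat.translate_inbound(Flow("192.0.2.9", 443, "203.0.113.3", 40000)))  # None
```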

447

Network: The responsibilities of the network layer protocols include internetworking service, addressing, and routing. The following lists some of the protocols that work at this layer:

  • Internet Protocol (IP)
  • Internet Control Message Protocol (ICMP)
  • Internet Group Management Protocol (IGMP)
  • Routing Information Protocol (RIP)
  • Open Shortest Path First (OSPF)
  • Internetwork Packet Exchange (IPX)

448

29. ____________ is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.

A. Resource records

B. Zone transfer

C. DNSSEC

D. Resource transfer

Extended Questions:

CORRECT C. DNSSEC is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for securing services provided by the DNS as used on IP networks.

WRONG A is incorrect because a DNS server contains records that map hostnames to IP addresses, which are referred to as resource records. When a user’s computer needs to resolve a hostname to an IP address, it looks to its networking settings to find its DNS server. The computer then sends a request containing the hostname to the DNS server for resolution. The DNS server looks at its resource records and finds the record with this particular hostname, retrieves the address, and replies to the computer with the corresponding IP address.

WRONG B is incorrect because primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers.

WRONG D is incorrect because it is a distracter answer.

449

Internet Security Association and Key Management Protocol (ISAKMP)

Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange.

450

DNS Splitting

Organizations should implement split DNS, which means a DNS server in the DMZ handles external hostname-to-IP resolution requests, while an internal DNS server handles only internal requests. This helps ensure that the internal DNS has layers of protection and is not exposed by being "Internet facing." The internal DNS server should only contain resource records for the internal computer systems, and the external DNS server should only contain resource records for the systems the organization wants the outside world to be able to connect to. If the external DNS server is compromised and it has the resource records for all of the internal systems, now the attacker has a lot of "inside knowledge" and can carry out targeted attacks. External DNS servers should only contain information on the systems within the DMZ that the organization wants others on the Internet to be able to communicate with (web servers, external mail server, etc.).

451

Time division multiple access (TDMA)

Time division multiple access (TDMA) increases the speed and efficiency of the cellular network by taking the radio-frequency spectrum channels and dividing them into time slots. At various time periods, multiple users can share the same channel; the systems within the cell swap from one user to another user, in effect, reusing the available frequencies. TDMA increased speeds and service quality. A common example of TDMA in action is a conversation. One person talks for a time then quits, and then a different person talks. In TDMA systems, time is divided into frames. Each frame is divided into slots. TDMA requires that each slot’s start and end time are known to both the source and the destination. Mobile communication systems such as Global System for Mobile Communication (GSM), Digital AMPS (D-AMPS), and Personal Digital Cellular (PDC) use TDMA.

452

Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP ECHO REQUEST packets to all the hosts on a specific subnet, which is aimed at one specific server.

26. Which of the following is most likely the issue that Grace’s team experienced when their systems went offline?

  A. Three critical systems were connected to a dual-attached station.

  B. Three critical systems were connected to a single-attached station.

  C. The secondary FDDI ring was overwhelmed with traffic and dropped the three critical systems.

  D. The FDDI ring is shared in a metropolitan environment and only allows each company to have a certain number of systems connected to both rings.

26. B. A single-attachment station (SAS) is attached to only one ring (the primary) through a concentrator. If the primary goes down, it is not connected to the backup secondary ring. A dual-attachment station (DAS) has two ports and each port provides a connection for both the primary and the secondary rings.

453

Broadband ISDN (BISDN)

This implementation can handle many different types of services simultaneously and is mainly used within telecommunications carrier backbones. When BISDN is used within a backbone, ATM is commonly employed to encapsulate data at the data link layer into cells, which travel over a SONET network.

454

10. Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes?

  A. Network convergence

  B. Security as a service

  C. Unified Threat Management

  D. Integrated convergence management

10. C. It has become very challenging to manage the long laundry list of security solutions almost every network needs to have in place. The list includes, but is not limited to, firewalls, antimalware, antispam, IDS/IPS, content filtering, data leak prevention, VPN capabilities, and continuous monitoring and reporting. Unified Threat Management (UTM) appliance products have been developed that provide all (or many) of these functionalities into a single network appliance. The goals of UTM are simplicity, streamlined installation and maintenance, centralized control, and the ability to understand a network’s security from a holistic point of view.

455

Transmission Control Protocol (TCP)

Core protocol of the TCP/IP suite, which provides connection-oriented, end-to-end, reliable network connectivity.

456

token

A token-passing technology is one in which a device cannot put data on the network wire without having possession of a token, a control frame that travels in a logical circle and is "picked up" when a system needs to communicate. This is different from Ethernet, in which all the devices attempt to communicate at the same time. This is why Ethernet is referred to as a "chatty protocol" and has collisions. Token Ring does not endure collisions, since only one system can communicate at a time, but this also means communication takes place more slowly compared to Ethernet.

457

We will then dive into the three main firewall architectures, which are

  • Screened host
  • Multihome
  • Screened subnet

458

Star Topology

In a star topology, all nodes connect to a central device such as a switch. Each node has a dedicated link to the central device. The central device needs to provide enough throughput that it does not turn out to be a detrimental bottleneck for the network as a whole. Because a central device is required, it is a potential single point of failure, so redundancy may need to be implemented. Switches can be configured in flat or hierarchical implementations so larger organizations can use them.

459

Presentation: The services of the presentation layer handle translation into standard formats, data compression and decompression, and data encryption and decryption. No protocols work at this layer, just services. The following lists some of the presentation layer standards:

  • American Standard Code for Information Interchange (ASCII)
  • Extended Binary-Coded Decimal Interchange Mode (EBCDIC)
  • Tagged Image File Format (TIFF)
  • Joint Photographic Experts Group (JPEG)
  • Motion Picture Experts Group (MPEG)
  • Musical Instrument Digital Interface (MIDI)

460

7. Which of the following proxies cannot make access decisions based upon protocol commands?

  A. Application

  B. Packet filtering

  C. Circuit

  D. Stateful

7. C. Application and circuit are the only types of proxy-based firewall solutions listed here. The others do not use proxies. Circuit-based proxy firewalls make decisions based on header information, not the protocol’s command structure. Application-based proxies are the only ones that understand this level of granularity about the individual protocols.

461

Shielded twisted pair

Twisted-pair cables are often shielded in an attempt to prevent RFI and EMI. This shielding can be applied to individual pairs or to the collection of pairs.

462

8. DNS is a popular target for attackers due to its strategic role on the Internet. What type of attack uses recursive queries to poison the cache of a DNS server?

A. DNS spoofing

B. Manipulation of the hosts file

C. Social engineering

D. Domain litigation

Extended Questions:

CORRECT A. DNS plays a strategic role in the transmission of traffic on the Internet. The DNS directs traffic to the appropriate address by mapping domain names to their corresponding IP addresses. DNS queries can be classified as either recursive or iterative. In a recursive query the DNS server often forwards the query to another server and returns the inquirer the proper response. In an iterative query, the DNS server responds with an address for another DNS server that might be able to answer the question, and the client then proceeds to ask the new DNS server. Attackers use recursive queries to poison the cache of a DNS server. In this manner, attackers can point systems to a Web site that they control and that contains malware or some other form of attack. Here’s how it works: An attacker sends a recursive query to a victim DNS server asking for the IP address of the domain www.logicalsecurity.com. The DNS server forwards the query to another DNS server. However, before the other DNS server responds, the attacker injects his own IP address. The victim server accepts the IP address and stores it in its cache for a specific period of time. The next time a system queries the server to resolve www.logicalsecurity.com to its IP address, the server will direct users to the attacker’s IP address. This is called DNS spoofing or DNS poisoning.

WRONG B is incorrect because manipulating the hosts file does not use recursive queries to poison the cache of a DNS server. A client first queries a hosts file before issuing a request to a DNS server. Some viruses add invalid IP addresses of antivirus vendors to the hosts file in order to prevent the download of virus definitions and prevent detection. This is an example of manipulating the hosts file.

WRONG C is incorrect because social engineering does not involve querying a DNS server. Social engineering refers to the manipulation of individuals for the purpose of gaining unauthorized access or information. Social engineering takes advantage of people’s desire to be helpful and/or trusting. It is a nontechnical attack that may use technology in its execution. For example, an attacker might pose as a user’s manager and send him a spoofed e-mail asking for the password to an application. The user, wanting to help and keep his manager’s favor, is likely to provide the password.

WRONG D is incorrect because domain litigation does not involve poisoning a DNS server’s cache. Domain names are subject to trademark risks, including the temporary unavailability or permanent loss of an established domain name. A victim company could lose its entire Internet presence as a result of domain litigation. Organizations concerned over the possibility of trademark disputes related to their domain name(s) should establish contingency plans. For example, a company may establish a second, unrelated domain that can still represent the company’s name.

463

Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network’s NAT device. Lance has also found out that caching attacks have been successful against the company’s public-facing DNS server. Lance has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.

38. Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling?

  A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device.

  B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device.

  C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device.

  D. IPv6 should be disabled on all systems.

38. A. Teredo encapsulates IPv6 packets within UDP datagrams with IPv4 addressing. IPv6-aware systems behind the NAT device can be used as Teredo tunnel end-points even if they do not have a dedicated public IPv4 address.

464

Value-Added Networks

Many different types of companies use EDI for internal communication and for communication with other companies. A very common implementation is between a company and its supplier. For example, some supplier companies provide inventory to many different companies, such as Target, Wal-Mart, and Kmart. Many of these supplies are made in China and then shipped to a warehouse in a specific country, such as the United States. When Wal-Mart needs to order more inventory, it sends its request through an EDI network, which is basically an electronic form of our paper-based world. Instead of using paper purchase orders, receipts, and forms, EDI provides all of this digitally.

465

Screened subnet architecture

When two filtering devices are used to create a DMZ. The external device screens the traffic entering the DMZ network, and the internal filtering device screens the traffic before it enters the internal network.

466

Telecommunications Evolution

On the eighth day, God created the telephone.

Telephone systems have been around for about 100 years, and they started as copper-based analog systems. Central switching offices connected individual telephones manually (via human operators) at first, and later by using electronic switching equipment. After two telephones were connected, they had an end-to-end connection (end-to-end circuit). Multiple phone calls were divided up and placed on the same wire, which is called multiplexing. Multiplexing is a method of combining multiple channels of data over a single transmission path. The transmission is so fast and efficient that the ends do not realize they are sharing a line with many other entities. They think they have the line all to themselves.

467

Disadvantages of using application-level proxy firewalls:

  • Are not generally well suited to high-bandwidth or real-time applications.
  • Tend to be limited in terms of support for new network applications and protocols.
  • Create performance issues because of the necessary per-packet processing requirements.

468

How Do These Work Together?

If you are new to networking, it can be hard to understand how the OSI model, analog and digital, synchronous and asynchronous, and baseband and broadband technologies interrelate and differentiate. You can think of the OSI model as a structure to build different languages. If you and I are going to speak to each other in English, we have to follow the rules of this language to be able to understand each other. If we are going to speak French, we still have to follow the rules of language (OSI model), but the individual letters that make up the words are in a different order. The OSI model is a generic structure that can be used to define many different "languages" for devices to be able to talk to each other. Once we agree that we are going to communicate using English, I can speak my message to you, thus my words move over continuous airwaves (analog). Or I can choose to send my message to you through Morse code, which uses individual discrete values (digital). I can send you all of my words with no pauses or punctuation (synchronous) or insert pauses and punctuation (asynchronous). If I am the only one speaking to you at a time, this would be analogous to baseband. If I have ten of my friends speaking to you at one time, this would be broadband.

469

Wired Equivalent Privacy (WEP)

When an AP is configured to use SKA, the AP sends a random value to the wireless device. The device encrypts this value with its cryptographic key and returns it. The AP decrypts and extracts the response, and if it is the same as the original value, the device is authenticated. In this approach, the wireless device is authenticated to the network by proving it has the necessary encryption key. This method is based on the Wired Equivalent Privacy (WEP) protocol, which also enables data transfers to be encrypted.

470

Mobile Wireless Communication

Mobile wireless has now exploded into a trillion-dollar industry, with over 4.5 billion subscriptions, fueled by a succession of new technologies and by industry and international standard agreements.

471

Bootstrap Protocol (BOOTP)

The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP provides for diskless workstations. The diskless workstation can receive its IP address, the name server address for future name resolutions, and the default gateway address from the BOOTP server. BOOTP usually provides more functionality to diskless workstations than does RARP.

472

Looking at computing as a service that can be purchased, rather than as a physical box, can offer the following advantages:

  • Organizations have more flexibility and agility in IT growth and functionality.
  • Cost of computing can be reduced since it is a shared delivery model. (Includes reduction of real-estate, electrical, operational, and personnel costs.)
  • Location independence can be achieved because the computing is not centralized and tied to a physical data center.
  • Applications and functionality can be more easily migrated from one physical server to another because environments are virtualized.
  • Improved reliability can be achieved for business continuity and disaster recovery without the need of dedicated backup site locations.
  • Scalability and elasticity of resources can be accomplished in near real time through automation.
  • Performance can increase as processing is shifted to available systems during peak loads.

473

High-level Data Link Control (HDLC)

High-level Data Link Control (HDLC) is a bit-oriented link layer protocol used for serial device-to-device WAN communication. HDLC is an extension of SDLC, which was mainly used in SNA environments. SDLC basically died out as the mainframe environments using SNA reduced greatly in numbers. HDLC stayed around and evolved.

474

unshielded twisted pair (UTP)

Twisted-pair cabling has insulated copper wires surrounded by an outer protective jacket. If the cable has an outer foil shielding, it is referred to as shielded twisted pair (STP), which adds protection from radio frequency interference and electromagnetic interference. Twisted-pair cabling, which does not have this extra outer shielding, is called unshielded twisted pair (UTP).

475

Appliances

A firewall may take the form of either software installed on a regular computer using a regular operating system or a dedicated hardware appliance that has its own operating system. The second choice is usually more secure, because the vendor uses a stripped-down version of an operating system (usually Linux or BSD Unix). Operating systems are full of code and functionality that are not necessary for a firewall. This extra complexity opens the doors for vulnerabilities. If a hacker can exploit and bring down a company’s firewall, then the company is very exposed and in danger.

476

Attacks Using ICMP

The ICMP protocol was developed to send status messages, not to hold or transmit user data. But someone figured out how to insert some data inside of an ICMP packet, which can be used to communicate to an already compromised system. Loki is actually a client/server program used by hackers to set up back doors on systems. The attacker targets a computer and installs the server portion of the Loki software. This server portion "listens" on a port, which is the back door an attacker can use to access the system. To gain access and open a remote shell to this computer, an attacker sends commands inside of ICMP packets. This is usually successful, because most routers and firewalls are configured to allow ICMP traffic to come and go out of the network, based on the assumption that this is safe because ICMP was developed to not hold any data or a payload.

477

Network convergence

The combining of server, storage, and network capabilities into a single framework, which decreases the costs and complexity of data centers. Converged infrastructures provide the ability to pool resources, automate resource provisioning, and increase and decrease processing capacity quickly to meet the needs of dynamic computing workloads.

478

John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company’s knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.

30. Which of the following unauthorized activities have most likely been taking place in this situation?

  A. Domain kiting

  B. Phishing

  C. Fraggle

  D. Zone transfer

30. D. The primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers. Attackers can carry out zone transfers to gather very useful network information from victims’ DNS servers. Unauthorized zone transfers can take place if the DNS servers are not properly configured to restrict this type of activity.

479

Simplex

Communication takes place in one direction.

480

Integrated Services Digital Network (ISDN)

Integrated Services Digital Network (ISDN) is a technology provided by telephone companies and ISPs. This technology, and the necessary equipment, enable data, voice, and other types of traffic to travel over a medium in a digital manner previously used only for analog voice transmission. Telephone companies went all digital many years ago, except for the local loops, which consist of the copper wires that connect houses and businesses to their carrier provider’s central offices. These central offices contain the telephone company’s switching equipment, and it is here the analog-to-digital transformation takes place. However, the local loop is always analog, and is therefore slower. ISDN was developed to replace the aging telephone analog systems, but it has yet to catch on to the level expected.

481

DNSSEC

A set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.

482

Asynchronous and Synchronous

It’s all about timing.

Analog and digital transmission technologies deal with the format in which data is moved from one system to another. Asynchronous and synchronous transmission types are similar to the cadence rules we use for conversation synchronization. Asynchronous and synchronous network technologies provide synchronization rules to govern how systems communicate to each other. If you have ever spoken over a satellite phone you have probably experienced problems with communication synchronization. You and the other person talking do not allow for the necessary delay that satellite communication requires, so you "speak over" one another. Once you figure out the delay in the connection, you resynchronize your timing so that only one person’s data (voice) is transmitting at one time so that each person can properly understand the full conversation. Proper pauses frame your words in a way to make them understandable.

483

One VPN solution is not necessarily better than the other; they just have their own focused purposes:

  • PPTP is used when a PPP connection needs to be extended through an IP-based network.
  • L2TP is used when a PPP connection needs to be extended through a non-IP-based network.
  • IPSec is used to protect IP-based traffic and is commonly used in gateway-to-gateway connections.
  • SSL VPN is used when a specific application layer traffic type needs protection.

484

Orthogonal frequency division multiple access (OFDMA)

Orthogonal frequency division multiple access (OFDMA) is derived from a combination of FDMA and TDMA. In earlier implementations of FDMA, the different frequencies for each channel were widely spaced to allow analog hardware to separate the different channels. In OFDMA, each of the channels is subdivided into a set of closely spaced orthogonal frequencies with narrow bandwidths (subchannels). Each of the different subchannels can be transmitted and received simultaneously in a multiple input and output (MIMO) manner. The use of orthogonal frequencies and MIMO allows signal processing techniques to reduce the impacts of any interference between different subchannels and to correct for channel impairments, such as noise and selective frequency fading. 4G requires that OFDMA be used.

485

dial-on-demand routing (DDR)

The BRI service is common for residential use, and the PRI, which has 23 B channels and one D channel, is more commonly used in corporations. ISDN is not usually the primary telecommunications connection for companies, but it can be used as a backup in case the primary connection goes down. A company can also choose to implement dial-on-demand routing (DDR), which can work over ISDN. DDR allows a company to send WAN data over its existing telephone lines and use the public circuit-switched network as a temporary type of WAN link. It is usually implemented by companies that send out only a small amount of WAN traffic and is a much cheaper solution than a real WAN implementation. The connection activates when it is needed and then idles out.

486

Tying the Layers Together

Pick up all of these protocols from the floor and put them into a stack—a network stack.

The OSI model is used as a framework for many network-based products and is used by many types of vendors. Various types of devices and protocols work at different parts of this seven-layer model. The main reason that a Cisco switch, Microsoft web server, a Barracuda firewall, and a Belkin wireless access point can all communicate properly on one network is because they all work within the OSI model. They do not have their own individual ways of sending data; they follow a standardized manner of communication, which allows for interoperability and allows a network to be a network. If a product does not follow the OSI model, it will not be able to communicate with other devices on the network because the other devices will not understand its proprietary way of communicating.

487

shared key authentication (SKA)

The wireless device can authenticate to the AP in two main ways: open system authentication (OSA) and shared key authentication (SKA). OSA does not require the wireless device to prove to the AP it has a specific cryptographic key to allow for authentication purposes. In many cases, the wireless device needs to provide only the correct SSID value. In OSA implementations, all transactions are in cleartext because no encryption is involved. So an intruder can sniff the traffic, capture the necessary steps of authentication, and walk through the same steps to be authenticated and associated to an AP.

488

User Datagram Protocol (UDP)

Connectionless, unreliable transport layer protocol, which is considered a "best effort" protocol.

489

Point-to-Point Protocol

Point-to-point protocol (PPP) is similar to HDLC in that it is a data link protocol that carries out framing and encapsulation for point-to-point connections. A point-to-point connection means there is one connection between one device (point) and another device (point). If the systems on your LAN use the Ethernet protocol, what happens when a system needs to communicate to a server at your ISP for Internet connectivity? This is not an Ethernet connection, so how do the systems know how to communicate with each other if they cannot use Ethernet as their data link protocol? They use a data link protocol they do understand. Telecommunication devices commonly use PPP as their data link protocol.

490

Physical Layer

Everything ends up as electrical signals anyway.

The physical layer, layer 1, converts bits into voltage for transmission. Signals and voltage schemes have different meanings for different LAN and WAN technologies, as covered earlier. If a user sends data through his dial-up software and out his modem onto a telephone line, the data format, electrical signals, and control functionality are much different than if that user sends data through the NIC and onto an unshielded twisted pair (UTP) wire for LAN communication. The mechanisms that control this data going onto the telephone line, or the UTP wire, work at the physical layer. This layer controls synchronization, data rates, line noise, and transmission techniques. Specifications for the physical layer include the timing of voltage changes, voltage levels, and the physical connectors for electrical, optical, and mechanical transmission.

491

Private Branch Exchange (PBX)

Telephone companies use switching technologies to transmit phone calls to their destinations. A telephone company’s central office houses the switches that connect towns, cities, and metropolitan areas through the use of optical fiber rings. So, for example, when Dusty makes a phone call from his house, the call first hits the local central office of the telephone company that provides service to Dusty, and then the switch within that office decides whether it is a local or long-distance call and where it needs to go from there. A Private Branch Exchange (PBX) is a private telephone switch that is located on a company’s property. This switch performs some of the same switching tasks that take place at the telephone company’s central office. The PBX has a dedicated connection to its local telephone company’s central office, where more intelligent switching takes place.

492

Transport : The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream. The following protocols work at this layer:

  • Transmission Control Protocol (TCP)
  • User Datagram Protocol (UDP)
  • Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  • Sequenced Packet Exchange (SPX)

Note that SSL/TLS is listed at the transport layer by this book's convention; it actually runs on top of TCP rather than replacing it, so other references map it to the session layer.

493

18. Which best describes the IP protocol?

  A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction

  B. A connectionless protocol that deals with the addressing and routing of packets

  C. A connection-oriented protocol that deals with the addressing and routing of packets

  D. A connection-oriented protocol that deals with sequencing, error detection, and flow control

18. B. The IP protocol is connectionless and works at the network layer. It adds source and destination addresses to a packet as it goes through its data encapsulation process. IP can also make routing decisions based on the destination address.

494

Network Layer

Many roads lead to Rome.

The main responsibilities of the network layer, layer 3, are to insert information into the packet’s header so it can be properly addressed and routed, and then to actually route the packets to their proper destination. In a network, many routes can lead to one destination. The protocols at the network layer must determine the best path for the packet to take. Routing protocols build and maintain their routing tables. These tables are maps of the network, and when a packet must be sent from computer A to computer M, the protocols check the routing table, add the necessary information to the packet’s header, and send it on its way.
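As an added worked example (not from the book or this deck) that serves both the IP question above and this network-layer description, the following Python builds a minimal IPv4 header carrying the source and destination addresses, validates and parses it, and picks the next hop from a constructed routing table by longest-prefix match. The routing table, addresses and the forward() behaviour are assumed for illustration.

```python
import ipaddress
import struct

# Added example, not code from the CISSP book: build a minimal IPv4 header,
# verify and parse it, and route the packet by longest-prefix match.

HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means the header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=17, ttl=64, ident=0x1234):
    """Layer-3 encapsulation: prepend a header that names both endpoints."""
    fields = [
        (4 << 4) | 5,      # version 4, IHL 5 words
        0,                 # DSCP/ECN
        20 + payload_len,  # total length
        ident,
        0x4000,            # DF set, fragment offset 0
        ttl,
        proto,
        0,                 # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    ]
    fields[7] = ip_checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields)


def parse_ipv4_header(pkt):
    """Return the addressing fields, or raise ValueError if the header is corrupt."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not an IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "total_len": total_len, "ident": ident}


def header_is_valid(pkt):
    try:
        parse_ipv4_header(pkt)
        return True
    except ValueError:
        return False


# Constructed routing table for illustration: (prefix, next hop).
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.0.0.0/8", "10.0.0.254"),
    ("10.1.2.0/24", "10.1.2.1"),
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def forward(pkt, routes=ROUTES):
    """One router hop: validate, decrement TTL, recompute the checksum, choose the next hop.
    Returns (next_hop, rewritten_packet), or (None, None) when the TTL is exhausted."""
    hdr = parse_ipv4_header(pkt)
    if hdr["ttl"] <= 1:
        return None, None
    ihl = (pkt[0] & 0x0F) * 4
    head = bytearray(pkt[:ihl])
    head[8] -= 1                        # TTL lives at byte offset 8
    head[10:12] = b"\x00\x00"           # zero the checksum before recomputing it
    head[10:12] = struct.pack("!H", ip_checksum(bytes(head)))
    return next_hop(hdr["dst"], routes), bytes(head) + pkt[ihl:]
```

A corrupted byte anywhere in the header makes parse_ipv4_header() reject it, and forward() shows why a router must rewrite the header on every hop: the TTL changes, so the checksum changes with it.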

495

RJ-45

is often used to terminate twisted-pair cables in Ethernet environments.

496

Proxy Firewalls

Meet my proxy. He will be our middleman.

A proxy is a middleman. It intercepts and inspects messages before delivering them to the intended recipients. Suppose you need to give a box and a message to the president of the United States. You couldn’t just walk up to the president and hand over these items. Instead, you would have to go through a middleman, likely the Secret Service, who would accept the box and message and thoroughly inspect the box to ensure nothing dangerous was inside. This is what a proxy firewall does—it accepts messages either entering or leaving a network, inspects them for malicious information, and, when it decides the messages are okay, passes the data on to the destination computer.
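As an added example (not the book's or this deck's own code) of the inspection a proxy firewall performs, the following Python parses an HTTP request completely, applies an assumed policy (method and destination allowlists, a size limit, a body length that must match Content-Length), and re-serializes the request from the parsed fields, so the server only ever receives what the middleman rebuilt. The policy values and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Added example, not code from the CISSP book: the inspection step of an
# application-level (proxy) firewall for HTTP. Policy values are assumed.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}
MAX_REQUEST_BYTES = 16384
HOP_BY_HOP = ("host", "connection", "proxy-connection", "proxy-authorization")


class Rejected(Exception):
    """The proxy refuses to relay this request."""


def inspect_request(raw: bytes) -> dict:
    """Fully parse the client's request before anything is relayed; reject on any doubt."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise Rejected("request too large")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Rejected("incomplete header block")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII bytes in headers")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise Rejected("malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        raise Rejected(f"method {method} not permitted")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip() or not name.isprintable():
            raise Rejected("malformed header line")
        key = name.lower()
        if key in headers:
            raise Rejected(f"duplicate header {name}")
        headers[key] = value.strip()
    host_hdr = headers.get("host", "").split(":")[0].lower()
    if target.lower().startswith(("http://", "https://")):
        # Absolute-form target (what a client sends to a proxy); it must agree with Host.
        url = urlsplit(target)
        host, path = url.hostname, (url.path or "/")
        if url.query:
            path += "?" + url.query
        if host_hdr and host_hdr != host:
            raise Rejected("Host header disagrees with request target")
    else:
        host, path = (host_hdr or None), target
    if not host:
        raise Rejected("no destination host")
    if host not in ALLOWED_HOSTS:
        raise Rejected(f"destination {host} not permitted")
    if not path.startswith("/"):
        raise Rejected("malformed path")
    length = headers.get("content-length", "0")
    if not length.isdigit() or int(length) != len(body):
        raise Rejected("body length does not match Content-Length")
    return {"method": method, "host": host, "path": path, "headers": headers, "body": body}


def rebuild_request(req: dict) -> bytes:
    """The server only sees a request the proxy re-serialized from parsed fields."""
    lines = [f"{req['method']} {req['path']} HTTP/1.1", f"Host: {req['host']}"]
    for key, value in req["headers"].items():
        if key not in HOP_BY_HOP:
            lines.append(f"{key.title()}: {value}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + req["body"]


def is_acceptable(raw: bytes) -> bool:
    try:
        inspect_request(raw)
        return True
    except Rejected:
        return False
```

The design point is that the original bytes are never forwarded: anything the parser did not understand and keep is gone by the time rebuild_request() runs, which is the property that separates a proxy from a packet filter.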

497

amplitudes

Signals are measured in frequency and amplitude. Frequency is the number of cycles the signal completes per second (hertz); amplitude is the strength, or height, of the signal. The frequency of a signal dictates how much data it can carry and how far. The higher the frequency, the more data the signal can carry, but the more susceptible it is to attenuation and atmospheric interference, so a higher-frequency signal carries more data over a shorter distance.

498

E-carriers

E-carriers are the European counterpart of T-carrier telecommunication connections: a single physical wire pair carries many simultaneous voice conversations by time-division multiplexing. An E1 frame consists of 32 timeslots of eight bits each, sent 8,000 times per second; 30 timeslots carry voice channels and the remaining two (timeslots 0 and 16) carry framing and signaling, giving 2.048 Mbps. While the T-carrier and E-carrier technologies are similar, they are not interoperable (a T1 uses 24 channels and runs at 1.544 Mbps). E-carriers are used primarily in Europe.
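As an added example (not from the book or this deck) of the time-division multiplexing described here, the following Python interleaves one 8-bit sample from each of 30 voice channels into 32-byte E1 frames and takes them apart again. Timeslot 0 is simplified to a fixed frame alignment word (a real E1 link alternates it with a non-alignment word), timeslot 16 holds a placeholder signaling byte, and the sample data is constructed.

```python
# Added example, not code from the CISSP book: time-division multiplexing of 30
# voice channels into E1 frames, and the reverse. Timeslot 0 is simplified to a
# fixed frame alignment word and timeslot 16 holds a constructed placeholder.

TIMESLOTS = 32                 # an E1 frame is 32 timeslots of 8 bits
VOICE_SLOTS = [s for s in range(TIMESLOTS) if s not in (0, 16)]  # the 30 payload channels
FRAMES_PER_SECOND = 8000       # one frame per 125 microsecond voice sample
FAS = 0x1B                     # frame alignment signal: bit pattern 0011011 in bits 2 to 8
SIGNALING = 0x00               # placeholder for the CAS/CCS signaling byte in timeslot 16


def e1_bit_rate():
    """32 slots x 8 bits x 8000 frames/s = 2,048,000 bit/s."""
    return TIMESLOTS * 8 * FRAMES_PER_SECOND


def channel_bit_rate():
    """Each voice channel gets one byte per frame: 64,000 bit/s."""
    return 8 * FRAMES_PER_SECOND


def mux_frame(samples):
    """Interleave one 8-bit sample from each of the 30 channels into a 32-byte frame."""
    if len(samples) != len(VOICE_SLOTS):
        raise ValueError("an E1 frame carries exactly 30 voice samples")
    frame = bytearray(TIMESLOTS)
    frame[0] = FAS
    frame[16] = SIGNALING
    for slot, sample in zip(VOICE_SLOTS, samples):
        if not 0 <= sample <= 0xFF:
            raise ValueError("samples are 8-bit values")
        frame[slot] = sample
    return bytes(frame)


def demux_frame(frame):
    """Pull the 30 voice samples back out, checking frame alignment first."""
    if len(frame) != TIMESLOTS:
        raise ValueError("E1 frames are exactly 32 bytes")
    if frame[0] != FAS:
        raise ValueError("frame alignment lost")
    return [frame[slot] for slot in VOICE_SLOTS]


def mux_stream(channels):
    """channels: 30 byte strings of equal length, one byte per sample -> serialized E1 frames."""
    if len(channels) != len(VOICE_SLOTS) or len({len(c) for c in channels}) != 1:
        raise ValueError("need 30 channels of equal length")
    frames = [mux_frame([ch[i] for ch in channels]) for i in range(len(channels[0]))]
    return b"".join(frames)


def demux_stream(stream):
    """Split the serialized frames back into 30 per-channel byte strings."""
    if len(stream) % TIMESLOTS:
        raise ValueError("stream is not a whole number of frames")
    channels = [bytearray() for _ in VOICE_SLOTS]
    for offset in range(0, len(stream), TIMESLOTS):
        for ch, sample in zip(channels, demux_frame(stream[offset:offset + TIMESLOTS])):
            ch.append(sample)
    return [bytes(ch) for ch in channels]
```

The frame layout is the whole reason E1 and T1 do not interoperate: a T1 frame is 24 eight-bit slots plus one framing bit (193 bits, 1.544 Mbps), so a receiver expecting 32-byte frames with an alignment word in slot 0 never synchronizes to it.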

499

Stateful-Inspection Firewall Characteristics : The following lists some important characteristics of a stateful-inspection firewall:

  • Maintains a state table that tracks each and every communication session
  • Provides a high degree of security and does not introduce the performance hit that application proxy firewalls introduce
  • Is scalable and transparent to users
  • Provides data for tracking connectionless protocols such as UDP and ICMP
  • Stores and updates the state and context of the data within the packets
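As an added example (not the book's or this deck's own code) of the characteristics listed above, the following Python keeps a state table keyed by protocol and address/port pairs, tracks the TCP handshake, gives UDP and ICMP pseudo-sessions with timeouts, and drops anything that does not fit an existing entry. The inside network, timeouts and packets are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the CISSP book: a toy stateful-inspection filter.
# Assumed policy: hosts inside 10.0.0.0/8 may open sessions outward; anything
# arriving from outside is accepted only if it matches an entry in the state table.

TCP_HANDSHAKE_TIMEOUT = 60      # seconds a half-open handshake may stay in the table
TCP_ESTABLISHED_TIMEOUT = 3600  # idle timeout for an established session
UDP_TIMEOUT = 30                # lifetime of a UDP pseudo-session since its last packet
ICMP_TIMEOUT = 10               # how long an echo request waits for its reply


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                  # for icmp: echo identifier (same value in sport and dport)
    dport: int = 0
    flags: frozenset = frozenset()  # tcp flags among "SYN", "ACK", "FIN", "RST"
    icmp_type: int = 0              # 8 = echo request, 0 = echo reply


class StatefulFirewall:
    def __init__(self, inside_net, clock):
        self.inside = ipaddress.ip_network(inside_net)
        self.clock = clock  # callable returning the current time in seconds
        # state table: (proto, src, sport, dst, dport) -> [state, expiry]
        self.table = {}

    def _expire(self):
        now = self.clock()
        for key in [k for k, (_, expiry) in self.table.items() if expiry <= now]:
            del self.table[key]

    def process(self, p):
        """Return "allow" or "drop" for one packet, updating the state table."""
        self._expire()
        now = self.clock()
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return self._existing(fwd, p, True, now)
        if rev in self.table:
            return self._existing(rev, p, False, now)
        return self._new_session(fwd, p, now)

    def _new_session(self, key, p, now):
        if ipaddress.ip_address(p.src) not in self.inside:
            return "drop"  # unsolicited inbound traffic never creates state
        if p.proto == "tcp":
            if p.flags != {"SYN"}:
                return "drop"  # a new TCP session must begin with a bare SYN
            self.table[key] = ["SYN_SENT", now + TCP_HANDSHAKE_TIMEOUT]
        elif p.proto == "udp":
            self.table[key] = ["UDP", now + UDP_TIMEOUT]
        elif p.proto == "icmp" and p.icmp_type == 8:
            self.table[key] = ["ECHO_SENT", now + ICMP_TIMEOUT]
        else:
            return "drop"
        return "allow"

    def _existing(self, key, p, from_initiator, now):
        state = self.table[key][0]
        if p.proto == "tcp":
            if "RST" in p.flags:
                del self.table[key]
            elif state == "SYN_SENT" and not from_initiator and p.flags == {"SYN", "ACK"}:
                self.table[key] = ["SYN_RECEIVED", now + TCP_HANDSHAKE_TIMEOUT]
            elif state == "SYN_RECEIVED" and from_initiator and p.flags == {"ACK"}:
                self.table[key] = ["ESTABLISHED", now + TCP_ESTABLISHED_TIMEOUT]
            elif state in ("ESTABLISHED", "CLOSING") and "ACK" in p.flags:
                if "FIN" in p.flags:
                    self.table[key] = ["CLOSING", now + TCP_HANDSHAKE_TIMEOUT]
                elif state == "ESTABLISHED":
                    self.table[key][1] = now + TCP_ESTABLISHED_TIMEOUT
            else:
                return "drop"  # the packet does not fit the session's current state
            return "allow"
        if p.proto == "udp":
            self.table[key][1] = now + UDP_TIMEOUT  # either direction refreshes the pseudo-session
            return "allow"
        if state == "ECHO_SENT" and not from_initiator and p.icmp_type == 0:
            del self.table[key]  # exactly one reply is admitted per request
            return "allow"
        return "drop"
```

The timeouts are what keep the table bounded: UDP and ICMP have no handshake or teardown, so the firewall invents a short-lived pseudo-session for them and forgets it once the reply has passed or the idle timer runs out.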

500

Instant Messaging

Instant messaging (IM) is a real-time, bidirectional exchange of text-based messages between people running compatible client software. Most of the communication is text, but many IM applications also carry voice and video, and some offer Voice over IP and web conferencing. Common features include file transfer, contact lists, and the ability to hold several conversations at once.