Sec+ Chapter 12: Network Security Flashcards

(106 cards)

1
Q

Defense in depth

A

Medieval army attacking a castle analogy

Security principle that says environments must be built around multiple controls to ensure that one failure in a single control, or multiple controls, won’t cause a security breach

2
Q

OSI Model

A

Open systems interconnection model

From the bottom-up

1) Physical

2) Data

3) Network

4) Transport

5) Session

6) Presentation

7) Application

3
Q

Network segmentation

A

The act of dividing up a network into logical, virtual, or physical groupings

4
Q

VLAN

A

Virtual LAN

A broadcast domain that’s segmented at OSI layer 2 (data)

Switches and other devices are used to create VLANs

5
Q

DMZ

A

Demilitarized zone / screened subnet

Network zones containing systems that are exposed to less trusted areas

Commonly used to contain web services or other internet-facing devices

6
Q

Intranet

A

Internal network protected from external access

Employees only, reached via the internal network or VPN access

7
Q

Extranet

A

Network set up for external access, usually by partners or customers rather than the public at large

Unlike a DMZ, this usually requires additional authentication to gain access

8
Q

Zero trust

A

A concept that says nobody should be trusted, regardless of whether they're an internal or external person or system

9
Q

Zero trust network

A

A network that includes security between systems as well as at security boundaries

10
Q

NAC

A

Network access control / network admissions control

NAC validates security status for systems and allows or disallows connection to a network

Rules for access can be based on user, group, location, application, etc

11
Q

Agent based NAC

A

Requires installation and adds complexity and maintenance

Provides greater insight and control

12
Q

Agentless NAC

A

Lightweight installs; easier to handle for machines that aren't centrally managed or for devices that don't support a NAC agent

Provides less detail and can’t be scheduled

13
Q

Port security

A

Limiting the number of MACs that can be used on a single port

Prevents MAC spoofing, content addressable memory (CAM) table overflows, and extending network through additional devices

14
Q

CAM table

A

Content addressable memory table

Maps MAC addresses to IP addresses which allows switches to send traffic to the correct port

15
Q

CAM table attack vector

A

Attackers who can fill CAM tables can make switches fail over to broadcasting traffic, making otherwise inaccessible traffic visible on their local port

Effectively turns the switch into a hub without any intelligence for where frames should be sent

All frames are sent to all interfaces on the switch

16
Q

Loop protection

A

Detecting loops and disabling ports to prevent loops from causing issues

17
Q

STP

A

Spanning tree protocol

A common way to implement loop control on layer 2 networks

STP is also great at finding problems in a network

EX: An outage occurs, and you lose connectivity on a network path

STP constantly monitors itself and can go into convergence mode to examine what interfaces are available based on an outage

It can work around the problem, maintain comms on the network, and still prevent loops

18
Q

Broadcast storm control

A

AKA Storm control

Prevents broadcast packets from being amplified as they traverse a network

Occurs when a loop in a network causes traffic amplification as switches attempt to figure out where traffic should be sent

Limit the number of broadcasts per second, control multicast or unicast, or manage the change over normal traffic patterns

19
Q

BPDU guard

A

Bridge protocol data unit guard

STP takes 20-30 sec before it understands what path to use when a new device is connected to the network

It has to perform the same checks every time we plug in

Instead of the delay, we can configure the switch to let it know the only thing plugging in is an end station

Bypass the STP listening and learning, plug device in and instantly start communicating on the network

The issue is someone could plug in with another switch, and there would be a loop over that connection

To get the speed with port fast and security of STP, configure BPDU guard on the switch

BPDU is the primary protocol used by STP

Switch will constantly watch comms coming from interfaces, and if an interface ever sends a BPDU frame it recognizes that a switch could be on the other side of the connection

Port fast is then disabled before a loop can occur

20
Q

DHCP snooping

A

Someone can plug in a DHCP server not authorized to be on the network, which creates a DoS or security issue

Switches have a feature that looks for these problems, called DHCP snooping

Switch is configured with a list of trusted interfaces; all other interfaces are untrusted

Switch watches for DHCP conversations, and if one appears from an untrusted interface, the switch filters out the conversation and disallows it from being sent

21
Q

SPAN

A

Switched port analyzer

Does the same as port mirror, but can combine traffic from multiple ports to a single port for analysis

22
Q

Port mirror

A

Sends a copy of all traffic sent to one switch port to another switch port for monitoring

23
Q

VPN

A

Virtual private network

Creates a virtual network link across a public network that allows endpoints to act as if they’re on the same network

Encryption is not a requirement, but often used in the tunnel

24
Q

IPSec VPN

A

Internet protocol security VPN

Allows authentication and encryption over a layer 3 network, and also supports packet signing along with encryption

This allows for secure data, with anti-replay built into the conversation

Two core IPSec protocols:

1) AH (authentication header): No encryption, hash of the packet and a shared key, adds AH to the packet header

Provides data integrity with hash
Guarantee origin of data with authentication key
Prevents replay attacks with sequence numbers

2) ESP (encapsulation security payload): Encryption with AES, hash with SHA-256, and authenticates

In most implementations, this will be combined with AH to make sure the data gets through the network without alteration

Two modes:

1) Tunnel mode: entire packet sent is protected

2) Transport mode: IP header not protected, but IP payload is

25
Q

SSL VPN

A

Current implementations actually use TLS, not SSL, and communicate over port 443

It's either:

1) Portal based: Users access through a web page and then access services

2) Tunnel mode: IPSec VPN, entire packet sent is protected

26
Q

L2TP VPN

A

Layer 2 tunneling protocol VPN

Many site to site VPNs are implemented with L2TP

Connects two networks together as if they're on the same layer 2 network, but it's happening through a layer 3 network

Doesn't provide encryption, just provides tunnels

Often combined with IPSec for security

27
Q

Site to site VPN

A

Used to create a secure network channel between two or more sites

Typically, they're always on since they extend an org's network

Firewalls often serve as the VPN concentrators

28
Q

Remote access VPN

A

Used mainly by remote workers in as-needed mode and turned on when they need specific resources, systems, or a trusted connection

29
Q

Full tunnel VPN

A

All data and network traffic is sent through an encrypted tunnel to the VPN concentrator, and the user can't break out of that tunnel to send information to another device directly

Data is sent to the VPN concentrator, which decides where that information needs to go before sending it back to the remote user

30
Q

Split tunnel VPN

A

The admin of the VPN can configure some information to go through the tunnel, and other information can go outside the tunnel

Traffic doesn't need to go through the full tunnel to communicate with devices that aren't on the tunnel
31
Q

Jump server

A

A highly secure, hardened, and monitored device that spans two or more networks, allowing users to connect to it from one network and then "jump" to another

SSH, tunnel, or VPN to other devices on the network

32
Q

Load balancer

A

Distributes traffic to multiple systems, provides redundancy, and allows for ease of upgrades and patching

33
Q

Proxy server

A

A device that sits between the users and the rest of the network

Accepts and forwards requests, centralizing the requests and allowing actions to be taken on the requests and responses

Useful for caching info, access control, URL filters, content scanning

34
Q

Forward proxies

A

Accepts client requests, forwards to the server, receives the answer, validates it, and sends the user a copy of the response

Conceals the original client and can anonymize traffic or provide access to resources blocked by IP or location

Commonly used to protect and control user access to the internet

35
Q

Reverse proxies

A

Users from the internet hit a proxy to gain access to internal services on your network

Proxy examines requests from users; if valid and not malicious, it sends the request to the webserver, gets the response, and sends a copy of the answer to the user on the internet

36
Q

NAT

A

Network address translation

Allows a pool of addresses to be translated to one or more external addresses

EX: Allow many private IPs to use a single public IP to access the internet
37
Q

NAT gateway

A

In-home router

A network tool that provides private IPs and uses NAT to allow a single public IP to serve many devices behind the router

By default blocks all inbound access

38
Q

Content filters

A

Allows or blocks traffic based on specific content rules

Simple rules: blocked URLs, domains, etc

Complex rules: blocked by IP reputation, pattern matching, etc

39
Q

DLP solutions

A

Data loss prevention solutions

Ensure data isn't extracted or accidentally sent from a network

Frequently pairs agents on systems with filtering capability at the network border, email services, and exfiltration points

40
Q

IDS

A

Intrusion detection system

Detects threats in your network and alerts you

Can't take direct action

41
Q

IPS

A

Intrusion prevention system

Detects threats in your network and takes direct action to stop them

42
Q

Stateless firewalls

A

Does not keep track of traffic flows, and needs a rule base that covers all comms in both directions

Each packet is individually examined, regardless of past history

Traffic sent outside of an active session will traverse a stateless firewall

Not smart; has no idea about requests and responses, always defaults to its existing rule base
43
Q

Stateful firewalls

A

Almost all firewalls today are stateful, and much more intelligent about how they allow traffic through a network

Stateful remembers the "state" of the session and creates a state table about a particular flow as it takes place

Watches all traffic between systems and allows comms to continue only once they've been approved, vs reviewing every packet

Provides more context to make security decisions

44
Q

NGFW

A

Next gen firewall

Application layer (OSI) firewalls

Often replace UTMs

Firewall with more features like IDS, IPS, antimalware, etc

45
Q

WAF

A

Web app firewall

Not like a normal firewall; it's specifically built for web apps and applies rules to HTTP/S conversations

Inspects traffic sent to web servers, looks for attacks and patterns, and applies rules based on what it sees

46
Q

UTM

A

Unified threat management

An all in one security appliance, AKA web security gateway

Devices that include firewall, IDS/IPS, antimalware, URL and email filtering, DLP, VPN, and security analytics

47
Q

ACL

A

Access control list

A set of rules used to filter or control network traffic on a firewall

The series of variables that you choose are called tuples, and they're groupings of information

Evaluates characteristics like src IP, dst IP, port, app, etc to match rules in the ACL, looks at the disposition, and allows or denies

Usually top to bottom in ACL decision logic, so place specific rules at the top of the list and general ones at the bottom

48
Q

QoS

A

Quality of service

A set of controls that allows us to prioritize network traffic to make it through a network, even when it's under attack or congested
49
Q

BGP +

A

Border gateway protocol

No strong security built in, which leads to accidental or purposeful BGP hijacking

A router advertises itself and ends up redirecting internet traffic through itself

50
Q

OSPF +

A

Open shortest path first

Some security, like MD5 based authentication

Doesn't secure the actual data, but does validate that the data is complete and from the proper router

51
Q

EIGRP +

A

Enhanced interior gateway routing protocol

Cisco-proprietary protocol that provides authentication and helps prevent attackers from sending false routing messages

52
Q

Routing security

A

Networks rely on routing protocols to determine what path traffic should take to other networks

Attackers will target routing protocols in order to intercept traffic, cause loop outages, DoS, MITM, congest networks, etc

53
Q

DNS

A

Domain name system protocol / port 53

NOT SECURE - UNENCRYPTED AND UNPROTECTED

54
Q

How to secure DNS?

A

Configure the DNS server to prevent zone transfers, turn on DNS logging, block DNS reqs to malicious domains

Domain name system security extensions (DNSSEC)

DNS sinkhole
55
Q

DNS Sinkhole

A

A DNS that hands out incorrect IPs

When a client requests the IP of an FQDN, this gives back incorrect or invalid information about the service

If attackers implement DNS sinkholes, they can redirect users to locations or create DoS

More commonly used to provide intel for the security pro

We know that users will visit known malicious sites if they're infected with malware

Instead of letting them communicate with a malicious, external server, we instead configure a DNS sinkhole

If anyone ever requests the IP of a malicious site, we provide an IP for a machine inside our location that we can then create a report on, to ID who's infected with malware within our org

This is often a feature of an IPS or NGFW

If someone tries to communicate with a known malicious site, the DNS sinkhole will send an IP that redirects them to a known good site

Also creates an alarm for the security team at the org, so they know a particular device is infected

Infected device can't comm with C2, and the security team can clear that out before it spreads

56
Q

File integrity monitor

A

Detects changes in files or systems that should never change, and reports on them or restores them to normal

EX: Tripwire, Windows System File Checker (SFC)

57
Q

Honeypot

A

A system intentionally configured to appear vulnerable, but heavily instrumented and monitored to document everything an attacker does trying to access it

58
Q

Honeynet

A

Networks set up and instrumented to collect information about network attacks

Multiple honeypots where you can gather info from multiple sources

An attacker may start on one server and go to another, or multiple attackers arrive at one time performing different functions on different honeypots

59
Q

Honeyfile

A

A file that contains unique, detectable data left in an area an attacker is likely to find

If the data is discovered outside the network, the org knows they've been breached

Lives inside the honeypot and honeynet

EX: a passwords.txt file

60
Q

Fake telemetry data

A

Machine learning takes big data and identifies patterns and info within the large data source

To have this ML understand what we're looking for, we need to train it with actual data

Feed it malware, ransomware, viruses, etc that will show the ML what bad or malicious data looks like

ML then understands what it's looking for and how to ID malware from the way it operates, vs a specific signature

Attackers know this, so they add their own fake telemetry into the data to make the ML think the malware is actually something good

They can send the fake telemetry into the machine, and once the training is over, they can send their malware and it'll pass
61
Q

DNS

A

Domain name system

OG port: UDP/TCP 53

Secure option: DNSSEC

Secure port: UDP/TCP 53

62
Q

FTP

A

FTPS / file transfer protocol secure

OG port: TCP 21 (and 20)

Secure port: TCP 21 (explicit), 990 (implicit)

Note: Using TLS

SFTP / secure file transfer protocol

OG port: TCP 21 (and 20)

Secure port: TCP 22 (SSH)

Note: Using SSH

63
Q

HTTP

A

Hypertext transfer protocol

OG port: TCP 80

Secure option: HTTPS

Secure port: 443

Note: Using TLS

64
Q

IMAP

A

Internet message access protocol

OG port: TCP 143

Secure option: IMAPS

Secure port: TCP 993

Note: Using TLS

65
Q

LDAP

A

Lightweight directory access protocol

OG port: UDP / TCP 389

Secure option: LDAPS

Secure port: TCP 636

Note: Using TLS

66
Q

POP3

A

Post office protocol v3

OG port: TCP 100

Secure option: POP3

Secure port: TCP 995 - secure POP3

Note: Using TLS

67
Q

RTP

A

Real time transport protocol

OG port: UDP 16384-32767

Secure option: SRTP

Secure port: UDP 5004

68
Q

SNMP

A

Simple network management protocol

OG port: UDP 161 / 162

Secure option: SNMPv3

Secure port: UDP 161 / 162

69
Q

Telnet

A

OG port: TCP 23

Secure option: SSH

Secure port: TCP 22
70
Q

S/MIME

A

Secure multipurpose mail exchange protocol

Provides the ability to encrypt and sign MIME data, the format used for email attachments

Requires a certificate for users to be able to send and receive

71
Q

IPSec

A

Internet protocol security

An entire suite of security protocols used to encrypt and authenticate IP traffic

72
Q

AH

A

Authentication header - IPSec

Uses hashing and a shared secret key to ensure integrity of data

Validates senders by authenticating the IP packets sent

Ensures IP payload and headers are protected

73
Q

ESP

A

Encapsulated Security Payload - IPSec

Tunnel mode: Provides integrity and authentication for the entire packet

Transport mode: Only protects the payload

74
Q

MITM

A

Man in the middle / on path attack

Attackers cause traffic to be relayed through their own system or device

They eavesdrop or even alter comms as they wish

75
Q

SSL stripping

A

Combines an on-path attack with a downgrade attack; the attacker must sit in the middle of the conversation via a proxy server, ARP spoof, rogue WiFi hotspot, etc

They're able to strip the S from HTTPS so the traffic isn't encrypted anymore, removing the TLS

EX:

1) Victim sends HTTP request for a web page

2) Attacker intercepts traffic, sends unchanged HTTP to server

3) Server sends a response back to the attacker saying let's do HTTPS instead of HTTP

4) Attacker sends HTTPS back to the server

5) This sets up an encrypted channel between attacker and server, but not between victim and attacker

6) Server sends HTTPS to attacker, who decrypts it

7) Attacker sends the HTTP page back to the victim

8) Victim might send login requests, information, etc that the attacker sees

9) Attacker sees it, but forwards it over HTTPS back to the server

10) This goes on and on for as long as the attacker wants
76
Q

MITB

A

Man in the browser / on-path browser

This relies on a Trojan or other malware that's inserted into a victim's browser

The malware will run on their machine and automate the processes

Huge advantage for the attacker, as any encrypted data on the network will show as unencrypted since you're on the same computer

EX: Malware sits, waits for you to log into your bank, and then grabs credentials, keystrokes, etc and then transfers money, modifies your account, etc

77
Q

Domain hijacking

A

Changes the registration of a domain so that the domain's settings and configs can be changed by an attacker

Can intercept traffic, send and receive email, etc while appearing as the legit domain holder

Attacker might brute force your password on the account, phish the info, gain access to email, etc

78
Q

DNS poisoning

A

Where attackers redirect web traffic to an attacker's website, often a fake webserver or phishing website, by:

1) Modifying the DNS cache

2) MITM / on path, modifying DNS queries sent to a client

3) Modifying DNS information on the legit DNS server

79
Q

URL redirection

A

Insert alternate IPs into a system's hosts file

When the system looks up a site via DNS, it uses the hosts file first and will use the modified IP instead of the true IP

80
Q

Domain reputation

A

Information about whether or not your domain is a trusted email sender, or if it spams

81
Q

ARP poisoning

A

Address resolution protocol poisoning

Sends unprompted, malicious ARP packets with a MAC address to machines on a network that it wants to poison

Since ARP has no security, that message is received and interpreted; the machine changes its ARP cache information and then sends traffic to the new MAC address

Attacker then performs the same poisoning on the router, and anything sent from victim to router is relayed through the attacker's machine
82
Q

MAC flooding

A

Media access control flooding

Targets switches (layer 2 attack) by sending so many MACs to the switch that the CAM table gets overfull

Flooding results in the switch sending traffic out to all ports to ensure traffic keeps flowing

83
Q

MAC cloning

A

Media access control cloning

Duplicate the MAC address of a device

84
Q

Volume based DDoS

A

Sends an insane amount of traffic to deny service

EX: UDP and ICMP floods

85
Q

Protocol based DDoS

A

Focuses on the underlying protocols used for networking

EX: SYN flood, ping of death, smurf attack, Christmas tree

86
Q

OT DDoS

A

Operational technology DDoS

DDoS on software / hardware that controls devices and systems in buildings, factories, powerplants, etc

Similar to network DDoS, but different detection methods and can be harder to ID

87
Q

theHarvester

A

OSINT gathering tool that can get emails, domains, usernames, etc using search engines

88
Q

MAC address

A

Media access control address

Every adapter card has a different, unique MAC

48 bits long / 6 bytes written in hex

First 3 bytes are the OUI (organizationally unique identifier), or the manufacturer portion of the MAC

The last 3 bytes are the serial number, which is incremented by the manufacturer

89
Q

SSL / TLS Inspection

A

There might be malicious information encrypted inside SSL/TLS that we want to block from coming into our network

Since it's encrypted, inspection lets us view what's inside

This can't be done easily, and must be specially configured, but it's very useful to maintain security

It's all based on trust. Your browser trusts the device it's connecting to and is able to encrypt end to end

With inspection, we put ourselves in the middle but continue to have the trust on both the client and server side
90
Q

Active/active load balancer modes

A

Active/active == All servers active; if one fails the others pick up the load and keep going with no interruption

91
Q

Load balancer affinity

A

Certain apps require that users communicate with exactly the same server

In those situations, load balancers will always distribute that comm to the same server

Usually tracked using session IDs, or a combo of IPs and port numbers

92
Q

Active/passive load balancer modes

A

Active/passive == when some of the servers are actively in use, and others are in standby mode

If one fails, other devices can move into active and provide services

93
Q

Load balancer scheduling modes

A

1) Round robin: Each server is selected in turn

2) Least connection: Server with the lowest use gets the request

3) Agent-based adaptive balancing: Updates traffic distro based on an agent's report on the server's ability to respond

4) Source IP hashing: Assigns traffic based on a hash of the source IP

5) Weighted least: Uses the least connection algo combined with a predetermined weight for each server

6) Fixed weighted: Preassigned weight for each server based on capability or capacity

7) Weighted response time: Assigns traffic based on the server's current response time

94
Q

IPS identification

A

1) Signature based: looks for matches

2) Anomaly based: Examines normal traffic and what changes with the flow

3) Behavior based: Recognizes certain behavior, like what a SQL injection looks like when accessing a db

4) Heuristics: Use AI and ML to understand how the network operates and ID malware based on the large data and intel

95
Q

traceroute

A

Linux command that maps an entire path between two devices, so you know exactly what routers are between point A and B

Information displayed is received from routers on the network via ICMP TTL exceeded error messages

You send packets to the network, which causes routers to create an error message and send it back to you

FYI, not all devices will reply with ICMP time exceeded messages; some firewalls filter ICMP, which could cause gaps

In Windows: tracert, which sends ICMP echo requests (aka a ping command), but running it in Windows can be difficult because outgoing ICMP is commonly filtered

Use command options to modify how you specify the protocols used

96
Q

nslookup / dig

A

Windows and Linux

Query a DNS server to determine names and IPs

nslookup is slowly being deprecated in favor of dig (domain information groper)

dig has added functionality and is probably your first choice now, but needs to be installed in Windows
97
Q

ifconfig / ipconfig

98
Q

pathping

A

Windows command that merges ping and traceroute

Runs a traceroute to a destination IP to determine what routes are between your local device and the other one

Once that's done, pathping measures the round trip and packet loss at each hop

99
Q

route

A

Windows: route print

Linux: netstat -r

Know what the next route is outside the network, or what other routes are configured on a device

100
Q

arp -a

A

Check the ARP table for known MAC addresses

101
Q

curl

A

Client URL

Gets the raw data for web pages, FTP, emails, databases, etc

102
Q

IP scanners

A

Search a network for IP addresses

Many different techniques, like ARP if you're on the local subnet

If not, you can use ICMP requests (ping), TCP ACK, ICMP timestamp requests

A response means more recon can be done with tools like nmap and hping

103
Q

hping

A

TCP/IP packet assembler and analyzer

A ping that can send almost anything

Unlike a simple ping command, you can modify almost everything about the packet, like IP, TCP, UDP, and ICMP values

104
Q

sn1per

A

A recon tool that combines multiple tools into a single framework

dnsenum, metasploit, nmap, theHarvester, etc

Highly intrusive; know what you're doing with this one

105
Q

scanless

A

A port scan proxy that lets you run port scans from a different host

106
Q

Cuckoo

A

A sandbox for malware, where you can safely test files in an isolated and secure environment