Security Technologies (1.5, 2.1, 3.1, 4.1, 4.3 & 4.4) Flashcards

(85 cards)

1
Q

Firewall

A

o Uses a set of rules defining the traffic types permitted or denied through the device
▪ Software or hardware
▪ Virtual or physical
▪ Host-based or network-based
▪ Can perform Network Address Translation (NAT) and/or Port Address Translation (PAT)

2
Q

Stateful Firewall

A

▪ Inspects traffic as part of a session and recognizes where the traffic originated

3
Q

NextGen Firewall (NGFW)

A

▪ Third-generation firewall that conducts deep packet inspection and packet filtering

4
Q

Access Control List (ACL)

A

▪ Set of rules applied to router interfaces that permit or deny certain traffic

5
Q

Switch

A

o MAC address

6
Q

Router

A

o IP address

7
Q

Switch Firewall

A

o IP address or port
▪ Source/destination IP
▪ Source/destination port
▪ Source/destination MAC

8
Q

Firewall Zone

A

▪ Firewall interface in which you can set up rules

9
Q

Inside

A

o Connects to corporate LAN

10
Q

Outside

A

o Connects to the Internet

11
Q

Demilitarized Zone (DMZ)

A

o Connects to devices that should have restricted access from the outside zone (like web servers)

12
Q

Unified Threat Management (UTM) Device

A

▪ Combines firewall, router, intrusion detection/prevention system, antimalware, and other features into a single device

13
Q

Signature-based Detection

A

▪ Signature contains strings of bytes (a pattern) that triggers detection

14
Q

Policy-based Detection

A

▪ Relies on specific declaration of the security policy

15
Q

Statistical Anomaly-based Detection

A

▪ Watches traffic patterns to build baseline

16
Q

Non-statistical Anomaly-based Detection

A

▪ Administrator defines the patterns/baseline

17
Q

Network-based (NIDS/NIPS)

A

o A network device that protects the entire network

18
Q

Host-based (HIDS/HIPS)

A

o Software-based and installed on servers and clients
▪ Network and host-based systems can work together for more complete protection

19
Q

Telnet Port 23

A

▪ Sends text-based commands to remote devices and is a very old networking protocol
▪ Telnet should never be used to connect to secure devices

20
Q

Secure Shell (SSH) Port 22

A

▪ Encrypts everything that is being sent and received between the client and the server

21
Q

Remote Desktop Protocol (RDP) Port 3389

A

▪ Provides a graphical interface to connect to another computer over a network connection

22
Q

Remote Desktop Gateway (RDG)

A

▪ Provides a secure connection using the SSL/TLS protocols to the server via RDP
● Creates an encrypted connection
● Controls access to network resources based on permissions and group roles
● Maintains and enforces authorization policies
● Monitors the status of the gateway and any RDP connections passing through the gateway

23
Q

Virtual Private Network (VPN)

A

▪ Establishes a secure connection between a client and a server over an untrusted public network like the Internet

24
Q

Virtual Network Computing (VNC) Port 5900

A

▪ Designed for thin client architectures and things like Virtual Desktop Infrastructure (VDI)

25
Virtual Desktop Infrastructure (VDI)
▪ Hosts a desktop environment on a centralized server
▪ Desktop as a Service (DaaS)
26
In-Band Management
▪ Managing devices using Telnet or SSH protocols over the network
27
Out-of-Band Management
▪ Connecting to and configuring different network devices using an alternate path or management network
▪ Prevents a regular user’s machine from connecting to the management interfaces of your devices
▪ Out-of-band networks add additional costs to the organization
28
Authentication
▪ Confirms and validates a user’s identity
▪ Gives the user proper permissions to access a resource
29
Password Authentication Protocol (PAP)
▪ Sends usernames and passwords in plain text for authentication
30
Challenge Handshake Authentication Protocol (CHAP)
▪ Sends the client a string of random text called a challenge which is then encrypted using a password and sent back to the server
31
MS-CHAP
▪ Microsoft proprietary version that provides stronger encryption keys and mutual authentication
32
Extensible Authentication Protocol (EAP)
▪ Allows for more secure authentication methods to be used instead of just a username and a password
▪ Use EAP/TLS in conjunction with a RADIUS or TACACS+ server
33
Virtual Private Networks (VPNs)
o Extends a private network across a public network and enables sending and receiving data across shared or public networks
▪ Site to site
▪ Client to site
▪ Clientless
35
Full Tunnel VPN
▪ Routes and encrypts all network requests through the VPN connection back to the headquarters
36
Split Tunnel VPN
▪ Routes and encrypts only the traffic bound for the headquarters over the VPN, and sends the rest of the traffic to the regular Internet
● For best security, use a full tunnel
● For best performance, use a split tunnel
37
Clientless VPN
▪ Creates a secure, remote-access VPN tunnel using a web browser without requiring a software or hardware client
38
Secure Socket Layer (SSL)
▪ Provides cryptography and reliability using the upper layers of the OSI model, specifically Layers 5, 6, and 7
39
Transport Layer Security (TLS)
▪ Provides secure web browsing over HTTP
▪ SSL and TLS use TCP to establish their secure connections between a client and a server
40
Datagram Transport Layer Security (DTLS)
▪ UDP-based version of the TLS protocol which operates a bit faster due to having less overhead
41
Layer 2 Tunneling Protocol (L2TP)
▪ Lacks security features like encryption by default and needs to be combined with an extra encryption layer for protection
42
Layer 2 Forwarding (L2F)
▪ Provides a tunneling protocol for the P2P protocol but also lacks native security and encryption features
43
Point-to-Point Tunneling Protocol (PPTP)
▪ Supports dial-up networks but also lacks native security features except when used with Microsoft Windows
44
IP Security (IPSec)
▪ Provides authentication and encryption of packets to create a secure encrypted communication path between two computers
45
IP Security (IPSec)
o Provides authentication and encryption of data packets to create a secure encrypted communication path between two computers
46
Confidentiality
● Using data encryption
47
Integrity
● Ensuring data is not modified in transit
48
Authentication
● Verifying parties are who they claim to be
49
Anti-Replay
● Checking sequence numbers on all packets prior to transmission
o Key exchange request
o IKE Phase 1
o IKE Phase 2
o Data transfer
o Tunnel termination
50
Main Mode
▪ Conducts three two-way exchanges between the peers, from the initiator to the receiver
51
First Exchange
o Agrees upon which algorithms and hashes will be used to secure the IKE communications throughout the process
52
Second Exchange
o Uses a Diffie-Hellman exchange to generate shared secret keying material so that the two parties can prove their identities
53
Third Exchange
o Verifies the identity of the other side by looking at an encrypted form of the other peer’s IP address
54
Authentication methods used
▪ Encryption and hash algorithms used
▪ Diffie-Hellman groups used
▪ Expiration of the IKE SA
▪ Shared secret key values for the encryption algorithms
55
Aggressive Mode
▪ Uses fewer exchanges, resulting in fewer packets and a faster initial connection than main mode
● Diffie-Hellman public key
● Signed random number
● Identity packet
● Negotiate the IPSec SA parameters protected by an existing IKE SA
● Establish IPSec SA
● Periodically renegotiate IPSec SAs to maintain security
● Perform additional Diffie-Hellman exchanges, if needed
56
Quick Mode
▪ Only occurs after IKE already established the secure tunnel in Phase 1 using either main or aggressive mode
57
Diffie-Hellman Key Exchange
▪ Allows two systems that don’t know each other to be able to exchange keys and trust each other
● PC1 sends traffic to PC2 and then RTR1 initiates creation of IPSec tunnel
● RTR1 and RTR2 negotiate Security Association (SA) to form IKE Phase 1 tunnel (ISAKMP tunnel)
● IKE Phase 2 tunnel (IPSec tunnel) is negotiated and set up
● Tunnel is established and information is securely sent between PC1 and PC2
● IPSec tunnel is torn down and the IPSec SA is deleted
58
Transport Mode
▪ Uses the packet’s original IP header and is used for client-to-site VPNs
▪ By default, maximum transmission unit (MTU) size in most networks is 1500 bytes
59
Tunneling Mode
▪ Encapsulates the entire packet and puts another header on top of it
▪ For site-to-site VPNs, you may need to allow jumbo frames
● Transport
o Client to site
● Tunneling
o Site to site
60
Authentication Header (AH)
▪ Provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against replay attacks
61
Encapsulating Security Payload (ESP)
▪ Provides authentication, integrity, replay protection, and data confidentiality
▪ In transport mode, use AH to provide integrity for the TCP header and ESP to encrypt it
▪ In tunneling mode, use AH and ESP to provide integrity and encryption of the end payload
62
Simple Network Management Protocol (SNMP)
▪ Used to send and receive data from managed devices back to a centralized network management station
63
Managed Device
▪ Any device that can communicate with an SNMP manager known as the management information base (MIB)
64
Granular
▪ Sent trap messages get a unique object identifier to distinguish each message as a unique message being received
65
Management Information Base (MIB)
▪ The structure of the management data of a device subsystem using a hierarchical namespace containing object identifiers
66
Verbose
▪ SNMP traps may be configured to contain all the information about a given alert or event as a payload
67
SNMPv1 and SNMPv2
▪ Use a community string to give access to the device as their security mechanism
▪ Devices using the default community strings of public (read-only) or private (read-write) are considered a security risk
68
SNMPv3
▪ Provides three security enhancements which added integrity, authentication, and confidentiality to the SNMP protocol
69
Integrity
o message hashing
70
Authentication
o source validation
71
Confidentiality
o DES 56-bit encryption
72
System Logging Protocol (Syslog)
▪ Sends system log or event messages to a central server, called a syslog server
● Security Information Management (SIM)
● Security Event Management (SEM)
● Security Information and Event Management (SIEM)
73
Client
▪ Device sending the log information to the syslog server
74
Server
▪ Receives and stores the logs from all of the clients
75
Traffic Log
▪ Contains information about the traffic flows on the network
▪ Traffic logs allow for investigation of any abnormalities
76
Audit Log/ Audit Trail
▪ Contains a sequence of events for a particular activity
77
Application Log
▪ Contains information about software running on a client or server
● Informational
● Warning
● Error
78
Security Log
▪ Contains information about the security of a client or server
79
System Log
▪ Contains information about the operating system itself
80
Security Information and Event Management (SIEM)
o Provides real-time or near-real-time analysis of security alerts generated by network hardware and applications
▪ Gathers logs and data from all sorts of different systems
81
Log Collection
o Provides important forensic tools and helps address compliance reporting requirements
82
Normalization
o Maps log messages into a common data model, enabling the organization to connect and analyze related events
83
Correlation
o Links the logs and events from different systems or applications into a single data feed
84
Aggregation
o Reduces the volume of event data by consolidating duplicate event records and merging them into a single record
85
Reporting
o Presents the correlated, aggregated event data in real-time monitoring dashboards for analysts or long-term summaries for management
▪ Software
▪ Hardware
▪ Managed service
▪ Log all relevant events and filter out anything that is considered to be irrelevant data
▪ Establish and document the scope of the events
▪ Develop use cases to define a threat
▪ Plan incident responses for given scenarios or events
▪ Establish a ticketing process to track all the flagged events
▪ Schedule regular threat hunting with cybersecurity analysts
▪ Provide auditors and analysts an evidence trail
▪ Syslog protocol using UDP Port 514 or TCP Port 1468