Topic 4 - Networks Flashcards

(95 cards)

1
Q

What is the formal definition of the TCP/IP Model?

A

It is a framework for communication over the computer network

2
Q

What are the 5 layers for the TCP/IP model, and what do they do?

A

Application Layer - Provides applications with standardised data exchange
Transport Layer - Responsible for end-to-end communications across the network, along with error control and flow control
Network Layer - Responsible for logical addressing, routing and path determination for IP packets from source to destination by identifying neighbours.
Data Link Layer - Encapsulates IP packets into data frames by adding MAC addresses and an error checksum, and provides data transmission between two devices attached to the same network
Physical Layer - Provides transmission of data using electrical or mechanical interfaces

3
Q

What are some key properties surrounding IP security?

A

IP is connectionless and stateless
They provide best effort service
No delivery guarantee
No order guarantee

4
Q

How does IPSec work?

A

Two major mechanisms:
- Authentication Header: Authentication only
- Encapsulation Security Payload: Authentication & Encryption
Does not contain any mechanism to prevent traffic analysis, even though the payload is encrypted

5
Q

How does the Encapsulation Security Payload work?

A

It includes an additional header within the IP packet that describes which encryption and authentication are in use

6
Q

What are some key properties of Security Parameter Index?

A

Stores security parameters e.g. crypto protocol and keys
Uses Diffie-Hellman for key exchange
The Index references the entry in a table that corresponds to the session’s parameters

7
Q

What are the differences between Transport and Tunnel modes for Encapsulation Security Payload?

A

Transport Mode:
- Encrypts packets, providing host-to-host encryption, but uses the original IP header
- Prevents contents being read, but doesn’t stop traffic analysis or manipulation of the header
Tunnel Mode:
- Protects some segment of a channel with encryption
- Provides some resistance to traffic analysis, and completely protects the payload against manipulation

8
Q

What layers make up a VPN?

A

IPSec ESP Tunnel Mode (Network Layer)
TLS (Application Layer)
SSH (Transport Layer)
WireGuard (Network Layer)

9
Q

What are the primary uses for a VPN?

A

Used to provide confidentiality, integrity and authentication (C/I/Auth) for remote access to resources
Instrumental for remote working

10
Q

What is Address Resolution Protocol?

A

ARP is a protocol used in IPv4 to obtain physical MAC addresses for given IPs, and is used prior to constructing IP and TCP packets for communication

11
Q

What is ARP Cache Poisoning?

A

Send an unrequested ARP reply, overwriting the MAC address in a host's ARP cache with our own

12
Q

What type of attack is ARP Cache Poisoning considered as?

A

A man-in-the-middle attack

13
Q

How do you protect against ARP Cache Poisoning attacks?

A

OSs can be configured to use ARP differently, and can also ignore unsolicited ARP replies
Intrusion detection packages will include ARP spoofing protection

14
Q

How do Intrusion Detection packages protect against ARP Cache Poisoning Attacks?

A

They maintain a log of current MAC:IP assignments and ARP requests/replies
It allows the software to spot suspicious messages such as unsolicited ARP replies

15
Q

What is Domain Name System?

A

Domain Name System translates domain names into IP addresses
DNS resolvers will also cache the IPs for a while

16
Q

How does DNS Spoofing work?

A

If it is possible to poison the cache of a nameserver that people are using, a website lookup can be replaced with a different IP

17
Q

How can you implement DNS Spoofing?

A

Can be achieved through prior ARP cache poisoning, a reply flood, or a Kaminsky attack

18
Q

How do you protect DNS?

A

Random query numbers protect against spoof replies
Randomising the source port as well can help
DNSSEC tackles DNS exploits by authenticating the name server and providing integrity for the messages

19
Q

How does TCP Sequence Prediction Attack work?

A

Sequence numbers are used to keep track of the order of packets in TCP
An attacker who can predict that sequence uses it to attack another, separate machine

20
Q

How do you defend against a TCP Sequence Prediction Attack?

A

Use randomised sequence numbers (SNs)
Use lower-layer information
Configure your router/firewall to disallow external sources, and use IDS/IPS

21
Q

What is network segmentation, and why would you implement it?

A

Dividing computer networks into smaller parts
It’s mainly to provide damage control, and contain certain attacks to specific areas

22
Q

What makes a Zero Trust network different from standard networks?

A

Zero Trust networks contain no implicit trust
Everything on the network must be verified, regardless of whether you're on the internal network or the external one

23
Q

What are some key areas of Zero Trust networks?

A

Explicit and manual authentication
Context-aware
Attribute/role-based access control
Least privilege
Network Segmentation

24
Q

What is the current standard for WiFi Security, and what are some of its properties?

A

WPA2
128-bit keys
Two levels - Personal (Pre-Shared Key) or Enterprise (unique credentials)

25
Q

What are some common threats to WiFi Security?

A

Packet-sniffing/eavesdropping
Rogue Access Points - Copying the SSID of an existing network and relaying traffic
Password cracking on older WiFi security
Specific attack - KRACK

26
Q

What are some good practices for WiFi Security?

A

Strong authentication
Regular updates
Turn off WiFi Protected Setup (WPS)
MAC filtering
Segment IoT/legacy devices into separate VLANs

27
Q

What is the formal definition of a Denial of Service attack?

A

A denial of service attack is an attempt to make a machine or network resource unavailable to its authorised/intended users

28
Q

How does a DoS attack work?

A

DoS usually involves flooding a machine with enough requests that it can't serve its legitimate purpose

29
Q

What is the differing factor between DoS attacks and Distributed DoS attacks?

A

DoS originates from one machine
Distributed DoS originates from many machines at once

30
Q

What is a type of DoS Attack?

A

TCP SYN flooding

31
Q

How does TCP SYN Flooding work?

A

Attacker initiates a genuine connection but then immediately breaks it
Attacker never finishes the 3-way handshake
Victim is then busy with the timeout
Attacker initiates a large number of SYN requests
Victim reaches its half-open connection limit
Causes denial of service

32
Q

What are Amplification Attacks?

A

Amplification attacks utilise some aspect of a network protocol to increase the bandwidth of an attack

33
Q

What is a Smurf attack?

A

Smurf attacks broadcast an ICMP ping request to a router, but with a spoofed source IP belonging to the victim

34
Q

What is a Fraggle attack?

A

A Fraggle attack is identical in principle, but uses UDP echo packets

35
Q

What is DNS Amplification?

A

Recursive resolvers answer DNS queries with a response, and the response itself can be many times larger than the query was

36
Q

What would make a secure DNS resolver?

A

Use an authorised list of requesters, with the ISP allowing requests only from its customers
Egress filtering - Questioning why an external IP is using their resolver

37
Q

What is NTP Amplification?

A

It is extremely similar to DNS Amplification, wherein the request returns a massive response from the server

38
Q

What is NTP?

A

NTP is a protocol for synchronising time between machines

39
Q

What is the formal definition of a Firewall?

A

It is a hardware and/or software system that prevents unauthorised access of packets from one network to another
All data leaving any subnet must pass through it

40
Q

What are some key properties of a Firewall?

A

Implements 'single-point' security measures
Security event monitoring through packet analysis and logging
Network-based access control through implementation of a rule-set

41
Q

What are the two types of Firewall, and where are they located?

A

Network Firewalls - Placed between a subnet and the internet
Host-based Firewalls - Placed on individual machines

42
Q

What is a DMZ in the context of Computer Security?

A

DMZ - Demilitarised Zone
It is a small subnet that separates externally facing services from the internal network

43
Q

What is a Firewall's Basic Function?

A

It defends a network against parties accessing internal services
It also restricts access from inside the network to outside the network

44
Q

What is NAT?

A

Network Address Translation
Hides the internal machines, which have private addresses

45
Q

Why aren't Firewalls enough of a protective measure nowadays?

A

Cannot protect against attacks that bypass the firewall, e.g. tunnelling
Cannot protect against internal threats or insiders
Network firewalls cannot always protect against the transfer of virus-infected programs or files

46
Q

What are Packet Filters?

A

They specify which packets are allowed or dropped, and can govern both inbound and outbound traffic

47
Q

What are rules for Packet Filters based on?

A

Source/destination IP
TCP/UDP port numbers

48
Q

Where can Packet Filtering be implemented?

A

Can be implemented in a router by examining only packet headers

49
Q

What are Packet Filter Rules?

A

Rules are organised in chains, which are logical subgroups of rules
They govern what can pass through the firewall

50
Q

What is IPTABLES?

A

IPTABLES is an application that provides access to the Linux firewall rule tables
It configures the firewall, but isn't a firewall in itself

51
Q

How do Tables and Chains work in the context of Firewalls?

A

Chains are ordered lists of rules
Matches result in a jump from one table of rules to the next, or to accepting the packet, depending on configuration

52
Q

What are the Default tables in IPTABLES?

A

Filter
NAT
Mangle - Packet alteration
Raw - Skips connection tracking

53
Q

What are the two types of Policies and what do they govern?

A

Permissive:
- Allow everything except dangerous services
Restrictive:
- Block everything except designated useful services
- More secure by default

54
Q

How would you implement Permissive policies or Restrictive Policies in a Firewall?

A

Permissive - Allow everything by default, then implement rules that drop the specific packets you don't want
Restrictive - Deny everything by default, but let through packets that match specified rules

55
Q

What are some issues with Packet Filters?

A

Can't prevent attacks that employ application-specific vulnerabilities
Do not support higher-level authentication schemes
Easy to accidentally allow or deny packets incorrectly

56
Q

What are some advantages of Packet Filters?

A

Simple
Low-level
High assurance

57
Q

What are Stateful Packet Filters?

A

They work to understand requests and replies
They dynamically generate rules
They can support policies for a wider range of protocols

58
Q

What are Application-Level Gateways?

A

An application gateway considers the application layer protocol that is in use, and either denies or accepts packets depending on the protocol found to be in use

59
Q

What are Proxy Servers?

A

Proxy servers initiate a connection on our behalf
They can block certain access and scan for malicious files or web pages

60
Q

What are some issues with Proxy Servers?

A

Large overhead per connection
More expensive than packet filtering
Configuration is complex
A separate server is required for each service

61
Q

What is the implicit advantage of NAT?

A

The machine that uses it is almost totally hidden from the Internet
Only established connections are forwarded to your internal machine
This prevents unsolicited attacks on random ports, but no other types of attack

62
Q

What are Internet Threat Models?

A

It's a framework where the attacker isn't in control of the network and hasn't got access to the target's OS, but is able to intercept and manipulate internet traffic

63
Q

What are cookies?

A

Cookies are used to provide persistence, and are represented as small text files

64
Q

What types of cookies are there?

A

Session - Deleted when the browser exits, and contains no expiration date
Persistent - Expires at a given time
Secure - Can only be used over an HTTPS connection
HTTP Only - Inaccessible from JS

65
Q

What vulnerabilities are present within Cookies?

A

Cookie stealing/hijacking: Gaining access to the information stored in a cookie, allowing an attacker to impersonate that user and potentially gain unauthorised access to accounts or data
Cookie poisoning: Modifying/tampering with a cookie, often to inject malicious code or data, which can lead to a variety of other security vulnerabilities

66
Q

What is Cross-Site Scripting (XSS)?

A

It is a type of injection attack, similar in many ways to an SQL Injection attack

67
Q

How does XSS work?

A

HTML is read by a browser and is a combination of content (text) and structure (HTML tags)
If you are able to inject HTML structures into the content of a website, the browser will simply execute these (e.g. script tags)

68
Q

What is Reflected XSS?

A

Reflected XSS is a malicious URL that inserts an exploit directly into the page returned by a server

69
Q

What is Persistent XSS and what is an example target?

A

Persistent XSS is a type of XSS attack on websites that don't properly sanitise HTML tags from user input
An example target is a blog post forum with comment sections

70
Q

How do you prevent XSS attacks?

A

Websites must aggressively escape HTML characters from any user input/output
Locate all positions in which a website handles untrusted data, and escape appropriately depending on the type of input

71
Q

What is Cross-Site Request Forgery (XSRF)?

A

If a user has already authenticated on a website, a malicious URL can then perform some actions on their account through the use of any relevant session cookies

72
Q

How do you prevent XSRF?

A

Mostly the same ways as preventing XSS attacks
You can also use synchroniser tokens: a one-time token that a website form issues, which the server can then use to validate the form when it is submitted

73
Q

What is TLS?

A

TLS is a protocol that provides authenticated and encrypted sessions

74
Q

What is SSL?

A

Secure Sockets Layer is an older form of TLS

75
Q

What are the two primary layers within TLS?

A

Record Layer:
- Using established symmetric keys and other session info, encrypts application packets
Handshake Layer:
- Used to establish session keys, as well as to authenticate either party, typically the server with a public key certificate

76
Q

How does the TLS Handshake go?

A

Client and server say 'hello'
Pair agree on a cipher suite
Public key verification
Key exchange
Final checks
Send application data

77
Q

What are the key properties of the 'hello' stage in the TLS Handshake?

A

The client and server establish which cipher suite will be used, as well as which TLS version is used
The initial connection is established using random numbers

78
Q

What does a Cipher Suite identify?

A

Cipher Suites identify the cryptographic primitives and other security parameters that will be used in that particular session

79
Q

What are the key properties of the 'Key Exchange' stage in the TLS Handshake?

A

It includes both parts of the Diffie-Hellman key exchange
It establishes secret data for later use, which is called the pre-master secret

80
Q

What are the key properties of the 'Public Key' stage in the TLS Handshake?

A

The public key is used to confirm the identity of the server
This includes the certificate alongside the public key
The signature is also computed with the private key

81
Q

What is different between the original TLS Handshake process and TLS v1.3?

A

The 1.3 handshake embeds much of the key exchange into the hello process
The client guesses a key sharing algorithm within the hello process, and if the key share isn't supported, the server sends a retry request
Encryption begins after the second message has been sent

82
Q

What is 0-RTT Resumption?

A

During application data, the server can send a pre-shared key for use next time

83
Q

What are some vulnerabilities of TLS?

A

The majority of problems are to do with the specific implementation of TLS in a system
Protocol downgrade attacks can also be a concern, as many servers still allow weak cipher suites

84
Q

What is an advantage of TLS?

A

Man-in-the-middle vulnerabilities are usually countered using the public-key authentication step

85
Q

What is Public Key Infrastructure?

A

PKI is a framework that enables secure, trusted communication through the use of public-key cryptography

86
Q

How can we verify the security of a digital certificate used in a communication?

A

Use a trusted 3rd party to verify the ownership of a public key, which is primarily managed through Public Key Infrastructure

87
Q

How is a Digital Certificate created?

A

Using some subject details, the server creates a Certificate Signing Request (CSR)
A Certification Authority (CA) uses this to then create and sign a certificate

88
Q

How does a server use the Digital Certificate?

A

The server can supply digital signatures using the public key, backed by the certificate when requested

89
Q

What are Root Certificates?

A

These are your machine's local copy of a digital certificate

90
Q

Who manages Root Certificates?

A

Major OS vendors operate root certificate programs
Mozilla maintains a root certificate store for Linux and Firefox
Chrome tends to use the OS store, with additions of its own
Android, Java, etc. also ship with their own root stores

91
Q

What are the limitations of Public Key Infrastructure (PKI)?

A

Administrators use it badly, e.g. wildcard certificates, poor server setup
Over-reliance on a few key libraries
Users don't understand it
Once you trust a single CA, you trust every certificate signed by them
If a private key is stolen, the certificate must be revoked
Many clients do not properly check either CRLs or OCSP

92
Q

What must be checked during certificate verification?

A

The Certificate Revocation Lists, which contain lists of revoked certificates signed by the CA and are publicly available via a URL

93
Q

What is an Open Certificate Status Policy (OCSP)?

A

It is a challenge-response in which a CA is polled for live revocation status
It can be pre-obtained and reused for a period

94
Q

What alternatives are there to Public Key Infrastructure CAs?

A

Public CA:
- A must for public websites
- Choose a CA that supports what you need
Self-signed:
- Harder to deploy
- May encourage bad practice
Private CA:
- More upfront work
- Easier to deploy
- As secure as PKI

95