IT Security: Defense against the digital dark arts. Week4: Securing Your Networks

What symmetric encryption algorithm does WPA2 use?

AES; WPA2 uses CCMP. This utilizes AES in counter mode, which turns a block cipher into a stream cipher.

What does Dynamic ARP Inspection protect against?

ARP Man-in-the-middle attacks; Dynamic ARP Inspection will watch for forged gratuitous ARP packets that don't correspond to the known mappings of IP addresses and MAC address, and drop the fake packets.

What does Dynamic ARP Inspection protect against?

ARP poisoning attacks; Dynamic ARP inspection protects against ARP poisoning attacks by watching for ARP packets. If an ARP packet doesn't match the table of MAC address and IP address mappings generated by DHCP snooping, the packet will be dropped as invalid or malicious.

What is the difference between an Intrusion Detection System and an Intrusion Prevention System?

An IDS can alert on detected attack traffic, but an IPS can actively block attack traffic; An IDS only detects intrusions or attacks, while an IPS can make changes to firewall rules to actively drop or block detected attack traffic.

What type of attacks does a flood guard protect against? Check all that apply. Malware infections DDos Attacks SYN floods Man-in-the-middle attacks

DDoS Attacks; A flood guard protects against attacks that overwhelm networking resources, like DoS attacks and SYN floods. You didn't select all the correct answers

How do you protect against rogue DHCP server attacks?

DHCP snooping; DHCP snooping prevents rogue DHCP server attacks. It does this by creating a mapping of IP addresses to switch ports and keeping track of authoritative DHCP servers.

A ______ can protect your network from DoS attacks.

Flood guard; Flood guards provide protection from DoS attacks by blocking common flood attack traffic when it's detected.

What kind of attack does IP Source Guard protect against?

IP Spoofing attacks; IP Source Guard protects against IP spoofing. It does this by dynamically generating ACLs for each switch port, only permitting traffic for the mapped IP address for that port.

What does IP Source Guard protect against?

IP spoofing attacks; IP Source Guard prevents an attacker from spoofing an IP address on the network. It does this by matching assigned IP addresses to switch ports, and dropping unauthorized traffic.

What could you use to sniff traffic on a switch?

Port mirroring; Port mirroring allows you to capture traffic on a switch port transparently, by sending a copy of traffic on the port to another port of your choosing.

What underlying symmetric encryption cipher does WEP use?

RC4; WEP uses the RC4 stream cipher.

What does DHCP Snooping protect against?

Rogue DHCP server attacks; DHCP snooping is designed to guard against rogue DHCP attacks. The switch can be configured to transmit DHCP responses only when they come from the DHCP server's port.

If you're connected to a switch and your NIC is in promiscuous mode, what traffic would you be able to capture? Check all that apply.

Traffic to and from your machine broadcast traffic; Since you're connected to a switch, you'd only see packets that are sent to your switch port, meaning traffic to or from your machine or broadcast packets.

What key lengths does WEP encryption support? Check all that apply.

WEP supports 64-bit and 128-bit encryption keys.

Select the most secure WiFi security configuration from below:

WPA2 Enterprise; WPA2 Enterprise would offer the highest level of security for a WiFi network. It offers the best encryption options for protecting data from eavesdropping third parties, and does not suffer from the manageability or authentication issues that WPA2 Personal has with a shared key mechanism. WPA2 Enterprise used with TLS certificates for authentication is one of the best solutions available.

What does tcpdump do? Select all that apply.

analyzes packets and provides a textual analysis captures packets; Tcpdump is a popular, lightweight command line tool for capturing packets and analyzing network traffic.

What does EAP-TLS use for mutual authentication of both the server and the client?

digital certificates; The client and server both present digital certificates, which allows both sides to authenticate the other, providing mutual authentication.

What traffic would an implicit deny firewall rule block?

everything not allowed; Implicit deny means that everything is blocked, unless it's explicitly allowed.

Why is it recommended to use both network-based and host-based firewalls? Check all that apply.

for protection for mobile devices, like laptops for protection against compromised hosts on the same network; Using both network- and host-based firewalls provides protection from external and internal threats. This also protects hosts that move between trusted and untrusted networks, like mobile devices and laptops.

How can you reduce the likelihood of WPS brute-force attacks? Check all that apply.

implement lockout periods for incorrect attempts disable WPS; Ideally, you should disable WPS entirely if you can. If you need to use it, then you should use a lockout period to block connection attempts after a number of incorrect ones.

What does a Network Intrusion Prevention System do when it detects an attack?

it blocks the traffic; An NIPS would make adjustments to firewall rules on the fly, and drop any malicious traffic detected.

What does wireshark do differently from tcpdump? Check all that apply.

it has a graphical interface it understands more application-level protocols; tcpdump is a command line utility, while wireshark has a powerful graphical interface. While tcpdump understands some application-layer protocols, wireshark expands on this with a much larger complement of protocols understood.

Why is normalizing log data important in a centralized logging setup? its difficult to analyze abnormal logs log normalizing detects potential attacks the data must be decrypted before sending it to the log server uniformly formatted logs are easier to store and analyze

its difficult to analyze abnormal logs; Incorrect Not quite. Normalization, in this context, means making the format of logs uniform between systems.

What are some of the weaknesses of the WEP scheme? Check all that apply.

its use of RC4 stream cipher its poor key generation methods its small IV pool size; The RC4 stream cipher had a number of design flaws and weaknesses. WEP also used a small IV value, causing frequent IV reuse. Lastly, the way that the encryption keys were generated was insecure.

The process of converting log entry fields into a standard format is called _______.

log normalization; Normalizing logs is the process of ensuring that all log fields are in a standardized format for analysis and search purposes.

What factors would limit your ability to capture packets? Check all that apply.

network interface not being in promiscuous or monitor mode access to the traffic in question; If your NIC isn't in monitor or promiscuous mode, it'll only capture packets sent by and sent to your host. In order to capture traffic, you need to be able to access the packets. So, being connected to a switch wouldn't allow you to capture other clients' traffic.

Using different VLANs for different network devices is an example of _______.

network separation; Using VLANs to keep different types of devices on different networks is an example of network separation.

What does tcpdump do?

performs packet capture and analysis; tcpdump captures and analyzes packets for you, interpreting the binary information contained in the packets and converting it into a human-readable format.

Compared to tcpdump, wireshark has a much wider range of supported _______.

protocols; Wireshark supports a very wide range of various networking protocols.

A reverse proxy is different from a proxy because a reverse proxy provides ______.

remote access; A reverse proxy can be used to allow remote access into a network.

What factors should you consider when designing an IDS installation? Check all that apply.

storage capacity traffic bandwidth; It's important to understand the amount of traffic the IDS would be analyzing. This ensures that the IDS system is capable of keeping up with the volume of traffic. Storage capacity is important to consider for logs and packet capture retention reasons.

A Network Intrusion Detection System watches for potentially malicious traffic and _______ when it detects an attack.

triggers alerts; A NIDS only alerts when it detects a potential attack.

What's the recommended way to protect a WPA2 network? Check all that apply.

use a long, complex passphrase; Because the SSID is used as a salt, it should be something unique to protect against rainbow table attacks. A long, complex password will protect against brute-force attacks.