Lesson 9: Network Security Design & Implementation
Port Ranges
- 0 - 1,023: well-known ports
- 1,024 - 49,151: registered ports
- 49,152 - 65,535: dynamic ports
Network Ports
- 16-bit binary numbers
- 65,536 possible values
- Allowable range 0-65,535
WPA2
- Encrypts with AES
- Uses CCMP
- Contains some vulnerabilities
Routers, Switches, and Bridges
- Normally work at Layer 2
- Some switches work at Layer 3
WPA3
- Supports CCMP
- Uses SAE key exchange
POP Port
110
NetBIOS Port
137-139
Which one of the following ports is not normally used by email systems? 143 25 139 110
139
IMAP Port
143
FTP Port
21
SSH Port
22
SMTP Port
25
RDP Port
3389
HTTPS Port
443
What network port is used for SSL/TLS VPN connections? 88 80 443 1521
443
HTTP Port
80
DNS Sinkhole
A DNS server that gives out a false result for a domain name.
Always On VPN
A VPN that allows the user to always stay connected instead of connecting and disconnecting from it.
tcpdump
A command-line protocol analyzer. Administrators use it to capture packets.
Proxy Server
A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user.
honeyfiles
A file pretending to be legitimate, in order to detect malicious activity.
nmap
A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.
nessus
A network-vulnerability scanner available from Tenable Network Security.
IP address
A number assigned to any item that is connected to the Internet. It is divided into a network address and a host address.
Zero Trust
A security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network.
Jump Box
A server that is used to access devices that have been placed in a secure network zone, such as a DMZ. The server spans the two networks to provide access from an administrative desktop to the managed device.
VPN concentrator
A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.
tcpreplay
A suite of free open source utilities for editing and replaying previously captured network traffic
SYN Flood
A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service.
SSL VPN
A type of VPN that uses SSL encryption. Clients connect to the VPN server using a standard Web browser, with the traffic secured using SSL. The two most common types of SSL VPNs are SSL portal VPNs and SSL tunnel VPNs.
WPS (Wi-Fi Protected Setup)
A user-friendly—but not very secure—security setting available on some consumer-grade APs. Part of the security involves requiring a PIN in order to access the AP's settings or to associate a new device with the network. The PIN can be easily cracked through a brute force attack, so this PIN feature should be disabled if possible.
Remote Access VPN
A user-to-LAN virtual private network connection used by remote users.
Site to site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.
Evil Twin
A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.
SDN (Software Defined Networking)
Ability to control and manage network infrastructure programmatically and holistically. Networking devices have two functional planes of operation (control plane, data plane). Directly Programmable and Agile. Centrally managed, global view.
orphaned rules
Allow access to decommissioned systems and services
SNMP (Simple Network Management Protocol)
An Application-layer protocol used to exchange information between network devices.
static IP address
An IP address that is manually assigned to a device and remains constant until it is manually changed.
Authentication Header (AH)
An IPsec protocol that authenticates that packets received were sent from the source identified in the header of the packet.
- Can be used together with ESP
Encapsulating Security Payload (ESP)
An IPsec protocol that provides authentication, integrity, and encryption services.
- Can be used together with AH
NTP (Network Time Protocol)
An Internet protocol that enables synchronization of computer clock times in a network of computers by exchanging time signals.
thin access point
An access point with limited functionality. (It does not provide authentication or encryption.)
User Datagram Protocol (UDP)
An alternative to TCP designed to establish low-latency and loss-tolerant connections between applications on the internet.
MAC Flood
An attack that sends numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.
sn1per
An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network
Split-tunnel VPN
An encrypted connection used with VPNs that only encrypts traffic going to private IP addresses used in the private network.
Honeynet
An entire dummy network used to lure attackers.
wireshark
Application that captures and analyzes network packets
OSI Model
Application, Presentation, Session, Transport, Network, Data Link, Physical
Chris is attending a hacker convention and overhears someone talking about "force pairing" a mobile device. What type of attack is the individual discussing? Bluechalking Bluedriving Bluejacking Bluesnarfing
Bluesnarfing
In what mobile deployment model do users choose devices from a list of company-provided options? BYOD CYOD COPE BOPE
CYOD
netstat command
Can display a variety of information about IP-based connections on a Windows or UNIX host.
Which one of the following is a malware analysis tool? Splunk theHarvester Cuckoo Snort
Cuckoo
Fran's network recently suffered a botnet infestation and she would like to implement a control that limits the ability of botnets to reach their command-and-control servers. Which one of the following deception technologies would best meet this need? Honeynet DNS sinkhole Darknet Honeypot
DNS sinkhole
DMZ
Demilitarized Zone
VLAN Trunk Negotiation
Deny the use of automatic VLAN trunk negotiation to limit the effectiveness of VLAN hopping attacks
nslookup command
Displays information about DNS names and their corresponding IP addresses, and can be used to diagnose DNS servers. (Windows)
DNSSEC
Domain Name System Security Extensions. A suite of specifications used to protect the integrity of DNS records and prevent DNS poisoning attacks.
What IPsec protocol provides confidentiality protection for the content of packets? ESP AH IKE ISAKMP
ESP
Stateless Firewall
Evaluates each connection independently
What technology allows administrators to pinpoint the location of a mobile device? TLS HTTPS SSL GPS
GPS
What type of packet do participating systems send during a Smurf attack? ICMP Status Check ICMP Echo Request ICMP Information Reply ICMP Timestamp
ICMP Echo Request
WPA (Wi-Fi Protected Access)
Included a new security protocol, Temporal Key Integrity Protocol (TKIP)
Fat Access Point
Intelligent wireless access point that provides everything needed to manage wireless clients. Needs to be configured individually.
ICMP
Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.
IPsec
Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.
Nancy is designing a security strategy for remote access. She would like to provide administrators with an intermediate box that they connect to before reaching sensitive systems. What type of service is Nancy planning? Honeynet Jump box Honeypot SSL acceleration
Jump box
What toolkit enables attackers to easily automate evil twin attacks? KARMA NIDS iStumbler HIPS
KARMA
VLAN
- Layer 2
- Requires VLAN trunking
- Segments the network
ARP poisoning provides false _____ addresses. IPv6 MAC Whois IPv4
MAC
What technology provides the translation that assigns public IP addresses to privately addressed systems that wish to communicate on the Internet? NAT HTTP SSL TLS
NAT
East-West Traffic
Network traffic that traverses systems within a data center.
Fran is choosing an authentication protocol for her organization's wireless network. Which one of the following protocols is the most secure? EAP-MD5 PEAP LEAP TACACS
PEAP
DHCP snooping
Prevents rogue DHCP servers from impacting the network.
darknets
Private online community that is only open to those who belong to it.
Vic is planning a redesign of his organization's firewall strategy and is planning to issue an RFP for a firewall vendor. Which one of the following vendors would not be able to meet Vic's needs? Palo Alto Proofpoint Checkpoint Cisco
Proofpoint
Forward Proxy
Proxy that works on behalf of the client
Reverse Proxy
Proxy that works on behalf of the server
Cindy would like to transfer files between two systems over a network. Which one of the following protocols performs this action over a secure, encrypted connection? TFTP SSH FTP SCP
SCP
Which one of the following functions is not normally found in a UTM device? SSL termination firewall content filtering intrusion detection
SSL termination
What TCP flag indicates that a packet is requesting a new connection? PSH RST SYN URG
SYN
TCP Flags
SYN, ACK, FIN
What is the piece of software running on a device that enables it to connect to a NAC-protected network? SNMP agent Authenticator Authentication server Supplicant
Supplicant
Which one of the following is the most secure way for web servers and web browsers to communicate with each other? SSLv2 SSLv3 TLS SSLv1
TLS
Ad Hoc Network
Temporary networks that bypass security controls
IPv6
The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0".
Stateful Firewall
Tracks open connections
What message can an SNMP agent send to a network management system to report an unusual event? SetRequest Response GetRequest Trap
Trap
(T/F) Apple devices running current versions of iOS and configured with a passcode or biometric authentication use full device encryption by default.
True
Dennis would like to capture the DNS traffic on his network using Wireshark. What port should he use in his capture filter to restrict his capture to DNS queries and responses? TCP 53 UDP 53 UDP 80 TCP 80
UDP 53
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
curl command
Utility for command-line manipulation of URL-based protocol requests.
scanless
Utility that runs port scans through third-party websites to evade detection.
What technique should network administrators use on switches to limit the exposure of sensitive network traffic? VLAN pruning Spanning tree Loop prevention VLAN hopping
VLAN pruning
Brad is configuring a new wireless network for his small business. What wireless security standard should he use if he wishes the strongest possible security? WPA3 WEP WPA2 WPA
WPA3
Active/passive load balancing
When one server in a load balancing system is active and the others are stand-by.
Active/active load balancing
When servers in a load balancing system are all handling requests.
WEP (Wired Equivalent Privacy)
Wireless security protocol that uses a standard 40-bit encryption to scramble data packets. Does not provide complete end-to-end encryption and is vulnerable to attack.
Which one of the following tools is a protocol analyzer? Nessus Wireshark Ping Nmap
Wireshark
Transparent Proxy
Works without the client's or server's knowledge
How can you deploy WPS securely? Require physical access. Modify the WPS key. Rotate the WPS key. You cannot deploy WPS securely.
You cannot deploy WPS securely.
Shadowed rules
A rule that will never be executed because of its placement in the rule base
rogue access point
a wireless access point that gives unauthorized access to secure networks.
What router technology can be used to perform basic firewall functionality? access control lists IPS spanning tree flood guard
access control lists
Static Port Security
Admin manually configures valid MAC addresses for each port
Full-tunnel VPN
all traffic goes through the encrypted tunnel while the user is connected to the VPN
Promiscuous rules
allow more access than necessary
Dynamic Host Configuration Protocol (DHCP)
allows dynamic IP address allocation so users do not have to have a preconfigured IP address to use the network
Gary would like to look up the MAC address associated with an IP address on his network. Which command can he use? nslookup ifconfig traceroute arp
arp
netcat command
Can read or write information to the network. Can be used to create an open connection on a device or to access a connection on a remote machine.
North-South Traffic
client to server traffic, between the data center and the rest of the network
Tom would like to retrieve a file from a remote web server but only has command-line access to the system where he would like to store the file. What command can he use to download the file directly without using a browser? curl sftp ftp ssh
curl
What is the preferred command for looking up IP addresses on a Linux system? ifconfig arp dig nslookup
dig
In what type of attack does the attacker steal a domain registration from the true owner? domain poisoning domain hijacking ARP poisoning typosquatting
domain hijacking
honeypots
false targets for computer criminals to attack
Which one of the following devices would not typically be found in a DMZ? load balancer web server file server SSL accelerator
file server
Ricky would like to separate his network into three distinct security zones. Which one of the following devices is best suited to that task? IPS firewall router switch
firewall
What technology can help prevent denial of service attacks on a network? VLAN pruning VLAN hopping BGP flood guard
flood guard
What command may be used to change the MAC address of a Linux system? ipconfig ifconfig arp mac
ifconfig
What security principle does a firewall implement with traffic when it does not have a rule that explicitly defines an action for that communication? least privilege separation of duties informed consent implicit deny
implicit deny
nc command
Opens raw network connections on Mac and Linux
Port Security
limit the devices that may connect to a network by MAC address
VLAN Pruning
Limiting a VLAN's ability to be transmitted on a trunk link.
ss command
Linux network (socket) statistics
Which one of the following devices helps networked services scale with increasing demand? proxy server firewall web security gateway load balancer
load balancer
cuckoo
malware analysis tool
Key _____ adds security to the use of encryption. management deletion escrow repudiation
management
theHarvester
Mines the Internet for domain information
Alyssa is conducting a penetration test and would like to send raw commands directly to a remote service. What command can she use to open a connection to the service where she may then type direct commands? nmap nc netstat arp
nc
Dylan would like to list all of the active network connections on a system. What command can he use? nmap netstat ipconfig nc
netstat
Nessus is an example of a _____ tool. port scanning network vulnerability scanning protocol analyzing web application vulnerability scanning
network vulnerability scanning
What type of firewall rule error occurs when a service is decommissioned but the related firewall rules are not removed? shadowed rule orphaned rule typographical error promiscuous rule
orphaned rule
The core issues around BYOD relate to _____. administration standards ownership process
ownership
What information is not found in network flow data? destination port packet content source address destination address
packet content
dig command
Performs DNS lookups on Linux and Mac
What command sends ICMP Echo Request packets? ftp telnet ping ssh
ping
Nmap is an example of a _____ tool. network vulnerability scanning port scanning protocol analyzing web application vulnerability scanning
port scanning
What command displays the routing table on a system? ifconfig arp route ipconfig
route
What network device can connect together multiple networks? switch AP router wireless controller
router
What mobile connection method may best serve remote areas without a local infrastructure? NFC cellular WiFi satellite
satellite
Which one of the following techniques is useful in preventing replay attacks? session tokens full disk encryption mobile device management man-in-the-middle
session tokens
What term is used to describe loading apps onto a device without going through the official app store? jailbreaking rooting transforming sideloading
sideloading
Which one of the following network intrusion detection technologies requires frequent threat updates from the vendor? heuristic signature detection anomaly detection behavior-based
signature detection
Which one of the following devices carries VLANs on a network? router switch firewall hub
switch
Dynamic Port Security
switches memorize the first MAC address they see on each port and limit access to that address
What tool allows penetration testers to quickly gather large amounts of information about a domain? whois netstat arp theHarvester
theHarvester
What command may be used to determine the network path between two locations? tracert dig ping arp
tracert
Renee notices a suspicious individual moving around the vicinity of her company's buildings with a large antenna mounted in his car. Users are not reporting any problems with the network. What type of attack is likely taking place? war driving war chalking jamming WPS cracking
war driving
In what application control approach may users install only approved software on their devices? whitelist bluelist greylist blacklist
whitelist