Security+ SY0-601: Network Security Design & Implementation
Port Ranges
- 0 - 1,023: well-known ports
- 1,024 - 49,151: registered ports
- 49,152 - 65,535: dynamic ports
Network Ports
- 16-bit binary numbers
- 65,536 possible values
- allowable range 0-65,535
WPA2
- Encrypts with AES
- Uses CCMP
- Contains some vulnerabilities
Routers, Switches, and Bridges
- Normally work at Layer 2
- Some switches work at Layer 3
WPA3
- Supports CCMP
- Uses SAE key exchange
POP Port
110
NetBIOS Port
137-139
Which one of the following ports is not normally used by email systems?
- 143
- 25
- 139
- 110
139
IMAP Port
143
FTP Port
21
SSH Port
22
SMTP Port
25
RDP Port
3389
HTTPS Port
443
HTTP Port
80
DNS Sinkhole
A DNS server that gives out a false result for a domain name.
Always On VPN
A VPN that allows the user to always stay connected instead of connecting and disconnecting from it.
tcpdump
A command-line protocol analyzer. Administrators use it to capture packets.
Proxy Server
A computer system (or an application program) that intercepts internal user requests and then processes those requests on behalf of the user.
honeyfiles
A file pretending to be legitimate, in order to detect malicious activity.
nmap
A network utility designed to scan a network and create a map. Frequently used as a vulnerability scanner.
nessus
A network-vulnerability scanner available from Tenable Network Security.
IP address
A number assigned to any item that is connected to the Internet. Divided into a network address and a host address.
Zero Trust
A security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network.
Jump Box
A server that is used to access devices that have been placed in a secure network zone, such as a DMZ. The server spans the two networks to provide access from an administrative desktop to the managed device.
VPN concentrator
A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.
tcpreplay
A suite of free, open-source utilities for editing and replaying previously captured network traffic.
SYN Flood
A type of DoS where an attacker sends a large amount of SYN request packets to a server in an attempt to deny service.
SSL VPN
A type of VPN that uses SSL encryption. Clients connect to the VPN server using a standard Web browser, with the traffic secured using SSL. The two most common types of SSL VPNs are SSL portal VPNs and SSL tunnel VPNs.
WPS (Wi-Fi Protected Setup)
A user-friendly—but not very secure—security setting available on some consumer-grade APs. Part of the security involves requiring a PIN in order to access the AP's settings or to associate a new device with the network. The PIN can be easily cracked through a brute force attack, so this PIN feature should be disabled if possible.
Remote Access VPN
A user-to-LAN virtual private network connection used by remote users.
Site to site VPN
A virtual private network in which multiple sites can connect to other sites over the Internet.
Evil Twin
A wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information.
SDN (Software Defined Networking)
Ability to control and manage network infrastructure programmatically and holistically. Networking devices have two functional planes of operation (control plane, data plane). Directly Programmable and Agile. Centrally managed, global view.
orphaned rules
Allow access to decommissioned systems and services
SNMP (Simple Network Management Protocol)
An Application-layer protocol used to exchange information between network devices.
static IP address
An IP address that is manually assigned to a device and remains constant until it is manually changed.
Authentication Header (AH)
An IPsec protocol that authenticates that packets received were sent from the source identified in the header of the packet.
- Can be used together with ESP
Encapsulating Security Payload (ESP)
An IPsec protocol that provides authentication, integrity, and encryption services.
- Can be used together with AH
NTP (Network Time Protocol)
An Internet protocol that enables synchronization of computer clock times in a network of computers by exchanging time signals.
thin access point
An access point with limited functionality. (It does not provide authentication or encryption.)
User Datagram Protocol (UDP)
An alternative to TCP designed to establish low-latency and loss-tolerant connections between applications on the internet.
MAC Flood
An attack that sends numerous packets to the switch, each of which has a different source MAC address, in an attempt to use up the memory on the switch.
DNS poisoning
An attack that substitutes DNS addresses so that the computer is automatically redirected to an attacker's device.
sn1per
An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network
Split-tunnel VPN
An encrypted connection used with VPNs that only encrypts traffic going to private IP addresses used in the private network.
Honeynet
An entire dummy network used to lure attackers.
wireshark
Application that captures and analyzes network packets
OSI Model
Application, Presentation, Session, Transport, Network, Data Link, Physical
netstat command
Can display a variety of information about IP-based connections on a Windows or UNIX host.
DMZ
Demilitarized Zone
VLAN Trunk Negotiation
Deny the use of automatic VLAN trunk negotiation to limit the effectiveness of VLAN hopping attacks
nslookup command
Displays information about DNS names and their corresponding IP addresses, and it can be used to diagnose DNS servers (Windows).
DNSSEC
Domain Name System Security Extensions. A suite of specifications used to protect the integrity of DNS records and prevent DNS poisoning attacks.
Stateless Firewall
Evaluates each connection independently
WPA (Wireless Protected Access)
Included a new security protocol, Temporal Key Integrity Protocol (TKIP)
Fat Access Point
Intelligent wireless access point that provides everything needed to manage wireless clients. Needs to be configured individually.
ICMP
Internet Control Message Protocol. Used for diagnostics such as ping. Many DoS attacks use ICMP. It is common to block ICMP at firewalls and routers. If ping fails, but other connectivity to a server succeeds, it indicates that ICMP is blocked.
IPsec
Internet Protocol Security. Used to encrypt traffic on the wire and can operate in both tunnel mode and transport mode. It uses tunnel mode for VPN traffic. IPsec is built into IPv6, but can also work with IPv4 and it includes both AH and ESP. AH provides authentication and integrity, and ESP provides confidentiality, integrity, and authentication. IPsec uses port 500 for IKE with VPN connections.
VLAN
- Layer 2
- Requires VLAN trunking
- Segments the network
What technology provides the translation that assigns public IP addresses to privately addressed systems that wish to communicate on the Internet?
- NAT
- HTTP
- SSL
- TLS
NAT
East-West Traffic
Network traffic that traverses systems within a data center.
DHCP snooping
Prevents rogue DHCP servers from impacting the network.
darknets
Private online community that is only open to those who belong to it.
Forward Proxy
Proxy that works on behalf of the client
Reverse Proxy
Proxy that works on behalf of the server
What TCP flag indicates that a packet is requesting a new connection?
- PSH
- RST
- SYN
- URG
SYN
TCP Flags
SYN, ACK, FIN
Ad Hoc Network
Temporary networks that bypass security controls
IPv6
The Internet Protocol version 6 provides a large number of new addresses to route Internet traffic, using "from" and "to" addresses written as colon-hexadecimal notation, such as "fe80::42:acff:feaa:1bf0".
Stateful Firewall
Tracks open connections
Dennis would like to capture the DNS traffic on his network using Wireshark. What port should he use in his capture filter to restrict his capture to DNS queries and responses?
- TCP 53
- UDP 53
- UDP 80
- TCP 80
UDP 53
HTML5 VPN
Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).
curl command
Utility for command-line manipulation of URL-based protocol requests.
scanless
Utility that runs port scans through third-party websites to evade detection.
Active/passive load balancing
When one server in a load balancing system is active and the others are stand-by.
Active/active load balancing
When servers in a load balancing system are all handling requests.
WEP (Wired Equivalent Privacy)
Wireless security protocol that uses a standard 40-bit encryption to scramble data packets. Does not provide complete end-to-end encryption and is vulnerable to attack.
Transparent Proxy
Works without the client's or server's knowledge
Shadowed rules
a rule that will never be executed because of the placement in the rule base
rogue access point
a wireless access point that gives unauthorized access to secure networks.
Static Port Security
admin manually configures valid MAC addresses for each port
Full-tunnel VPN
all traffic goes through the encrypted tunnel while the user is connected to the VPN
Promiscuous rules
allow more access than necessary
Dynamic Host Configuration Protocol (DHCP)
allows dynamic IP address allocation so users do not have to have a preconfigured IP address to use the network
netcat command
can read or write information to the network. Can be used to create an open connection on a device or to access a connection on a remote machine.
North-South Traffic
client to server traffic, between the data center and the rest of the network
honeypots
false targets for computer criminals to attack
Which one of the following devices would not typically be found in a DMZ?
- load balancer
- web server
- file server
- SSL accelerator
file server
Ricky would like to separate his network into three distinct security zones. Which one of the following devices is best suited to that task?
- IPS
- firewall
- router
- switch
firewall
nc command
opens raw network connections on Mac and Linux
Port Security
limit the devices that may connect to a network by MAC address
VLAN Pruning
limiting a VLAN's ability to be transmitted on a trunk link.
ss command
Linux network statistics
cuckoo
malware analysis tool
theHarvester
mines the internet for domain information
dig command
performs DNS lookups on Linux and Mac
What command sends ICMP Echo Request packets?
- ftp
- telnet
- ping
- ssh
ping
Which one of the following devices carries VLANs on a network?
- router
- switch
- firewall
- hub
switch
Dynamic Port Security
switches memorize the first MAC address they see on each port and limit access to that address