Chapter 11: Implementing Secure Network Protocols


A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation. A.) Tunnel mode because the whole IP packet is encrypted, and a new IP header is added. B.) Transport mode because the whole IP packet is encrypted, and a new IP header is added. C.) Tunnel mode because the payload is encrypted. D.) Transport mode because the payload is encrypted.

A

If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator's needs? A.) Secure/Multipurpose Internet Mail Extensions (S/MIME) B.) Secure Post Office Protocol v3 (POP3S) C.) Internet Message Access Protocol v4 (IMAP4) D.) Simple Mail Transfer Protocol (SMTP)

A

When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred? A.) Domain hijacking B.) Domain name system client cache (DNS) poisoning C.) Rogue dynamic host configuration protocol (DHCP) D.) Domain name system server cache (DNS) poisoning

A

A system administrator needs to implement a secure remote administration protocol and would like more information on Telnet. Evaluate and select the features of Telnet that the administrator should consider to accomplish this task. (Select all that apply.) A.) Telnet does not support direct file transfer. B.) Telnet uses TCP port 23. C.) Telnet is a secure option. D.) Telnet uses encryption to send passwords.

A and B

This is a mailbox protocol designed to store the messages delivered by SMTP on a server. When the client connects to the mailbox, POP3 downloads the messages to the recipient's email client.

Secure Post Office Protocol v3 (POP3S)

What addresses the privacy and integrity issues of FTP by encrypting the authentication and data transfer between client and server?

Secure shell file transfer protocol (SFTP)

This is used by Internet Message Access Protocol (IMAP) to connect clients. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously.

Port 143

This is used for message relay between Simple Mail Transfer Protocol (SMTP) servers or Message Transfer Agents (MTA). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.

Port 25

This is used by providers and mail clients for message submission over implicit Transport Layer Security (TLS).

Port 465

This port, rather than 110, is used by mail clients (Message Submission Agents) to submit messages for delivery by an SMTP server.

Port 587

This authentication method uses the user's private key that is configured with a passphrase that the user must input to access the key.

Public Key

This will only block mail that is not addressed to a valid recipient.

Recipient filtering

This is Microsoft's protocol for operating remote connections to a Windows machine. RDP uses TCP port 3389.

Remote Desktop Protocol (RDP)

A system administrator is deploying a new web server. Which hardening procedures should the administrator consider? (Select all that apply.) A.) The administrator should use SFTP to transfer files to and from the server remotely. B.) Guest accounts should have the permissions set for outside of the directory for browsing. C.) The administrator should remove sample pages as they may contain vulnerabilities. D.) The configuration templates contain vulnerabilities, and the administrator should not utilize them.

A and C

A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Analyze the types of attacks DHCP servers are prone to and determine which steps the system administrator should take to protect the server. (Select all that apply.) A.) Use scanning and intrusion detection to pick up suspicious activity. B.) Disable DHCP snooping on switch access ports to block unauthorized servers. C.) Enable logging and review the logs for suspicious events. D.) Disable unused ports and perform regular physical inspections to look for unauthorized devices.

A, C and D

A system administrator needs secure remote access into a Linux server. Evaluate the types of remote administration to recommend which protocol should be used in this situation. A.) Telnet B.) Secure Shell (SSH) C.) Remote Desktop Protocol (RDP) D.) Kerberos

B

An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation. A.) Domain Name System (DNS) B.) DNS Security Extension C.) DNS Footprinting D.) Dynamic Host Configuration Protocol (DHCP)

B

Transport layer security (TLS) version 1.3 improves upon a vulnerability in TLS 1.2. Which statement correctly describes a remedy for this vulnerability? A.) TLS version 1.3 is backward compatible with earlier versions of transport layer security. B.) TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security. C.) TLS version 1.3 creates a secure link between the client and server using Secure Shell (SSH) over TCP port 22. D.) TLS 1.3 can use more secure authentication and authorization methods, such as security association markup language (SAML) and open authorization (OAuth).

B

A company has noticed a large increase in spam that is using a significant amount of bandwidth. In addition, the company has concerns that confidential information is being emailed, which is a violation of company policy. Recommend the appropriate action to remedy the company's email problems. A.) Simple Mail Transfer Protocol (SMTP) B.) Mail exchanger C.) Mail gateway D.) Recipient filtering

C

An attacker modifies the HOSTS file to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred. A.) DNS server cache poisoning B.) DNS spoofing C.) DNS client cache poisoning D.) Pharming

C

An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators find incorrect host records in DNS. What do the administrators believe to be the root cause? A.) A server host has a poisoned arp cache. B.) Some user systems have invalid hosts file entries. C.) An attacker masquerades as an authoritative name server. D.) The domain servers have been hijacked.

C

A system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.) A.) Port 110 should be used by mail clients to submit messages for delivery. B.) Port 143 should be used to connect clients. C.) Port 25 should be used for message relay. D.) Port 465 should be used for message submission over implicit TLS.

C and D

A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using. A.) Secure Shell B.) Telnet C.) Dynamic Host Configuration Protocol D.) Remote Desktop

D

Analyze the methods for authentication to a Secure Shell (SSH) and determine which statement best summarizes the host-based authentication method. A.) The user's private key is configured with a passphrase that must be input to access the key. B.) The client submits credentials that are verified by the SSH server using RADIUS. C.) The client submits a Ticket Granting Ticket (TGT) that is obtained when the user logged onto the workstation. D.) The client sends a request for authentication and the server generates a challenge with the public key.

D

This acts as a firewall between the server and untrusted hosts and should be enabled rather than disabled.

DHCP snooping

This consists of the authoritative server for the zone creating a package of resource records (RRset) signed with a private key (Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can verify the signature.

DNS Security Extension (DNSSEC)

This means obtaining information about a private network by using its DNS server to perform a zone transfer (all of the records in a domain) to a rogue DNS.

DNS footprinting

This aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information.

DNS server cache poisoning

This attack is a redirection attack that aims to corrupt the records held by the DNS server itself.

DNS server cache poisoning

An attack that compromises/fakes the name resolution process.

DNS spoofing

This is a system for resolving host names and domain labels to IP addresses.

Domain Name Server (DNS)

This can be impacted if an attacker hijacks public servers. In this case, systems admin found invalid host records, which ruled out hijacking.

Domain Reputation

In this attack, the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity.

Domain hijacking (or brandjacking)

This facilitates automatic network address allocation. If an attacker establishes a rogue DHCP, it can perform DoS or snoop on network information.

Dynamic Host Configuration Protocol (DHCP)

This file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic.

HOST

SSH uses _______________, which uses the Ticket Granting Ticket (TGT) method, to allow authentication to the SSH server.

Kerberos

This is where the SMTP server is registered in Domain Name System (DNS).

Mail Exchanger (MX)

This can be added in a Demilitarized Zone (DMZ) that has spam filtering technology. This will prevent spam from reaching the user's mailbox and not affect the bandwidth or take up space on the server.

Mail Gateway

This can perform Data Loss Prevention (DLP) to act as an enforcer of policies by scanning messages to ensure that no data is being communicated in a way that is not compliant with policy.

Mail Gateway

This protocol is a standard for federated identity management to consider for secure application programming interfaces (APIs), not a TLS 1.3 feature.

Open Authorization (OAuth)

This occurs when the attacker compromises the process of DNS resolution to replace the valid IP address for a trusted website.

Pharming Attack

This adds digital signatures and public key cryptography to mail communications. To use it, a sender and receiver exchange digital certificates signed by a certification authority (CA).

Secure/Multipurpose Internet Mail Extensions (S/MIME)

This is terminal emulation software to support a remote connection to another computer and uses TCP port 23 by default. It is not secure but can be used over a secure channel, such as an IPSec tunnel.

Telnet

System administrators typically install web servers with sample pages and scripts, along with supporting documentation. What's wrong with that?

The samples sometimes contain vulnerabilities, and administrators should remove them from the production server.

Configuring a TLS 1.2 server allows clients to __________________ to TLS 1.1 or 1.0 or SSL 3.0 if they do not support TLS 1.2. A man-in-the-middle can use this attack to try to force the use of a weak cipher suite and secure sockets layer (SSL)/TLS version.

downgrade

What should the system administrator enable on switch access ports to prevent the use of unauthorized DHCP servers?

enable DHCP snooping

In this authentication, the server is configured with a list of authorized client public keys. The client requests authentication using one of these keys and the server generates a challenge with the public key.

host-based

What should the system administrator use to pick up suspicious activity?

scanning and intrusion detection

In this mode, the IP header for each packet is not encrypted, just the data (payload). This mode is used for secure communications on a private network (an end-to-end implementation).

transport mode

The technician should use this mode because the whole IP packet, including header and payload, is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN).

tunnel mode

