Week 4: Securing Your Networks
This week, we will be looking at secure network architecture. We will look at how security can be implemented within a network environment and the best practices for securing a company’s network. We will examine the risks that a wireless network poses and how to mitigate those risks. We will also discuss various ways to monitor network traffic and analyze packet captures. By the end of this module, you will understand how VPNs, proxies, and reverse proxies function; why 802.1X is crucial for network security; why WPA/WPA2 is preferred over WEP; and how to use tcpdump to capture and analyze network packets. While this module may seem like a lot, it is necessary for every IT Support Specialist to understand these aspects.
Learning Objectives:
- Implement security measures within a network environment.
- Understand the risks associated with wireless networks and how to mitigate them.
- Learn how to monitor network traffic and analyze packet captures.
PRACTICE QUIZ: SECURE NETWORK ARCHITECTURE
1. Why is normalizing log data important in a centralized logging setup?
- It’s difficult to analyze abnormal logs.
- Log normalizing detects potential attacks.
- Uniformly formatted logs are easier to store and analyze. (CORRECT)
- The data must be decrypted before sending it to the log server.
Nice work! Logs from different systems arrive in different formats, which makes it very difficult to analyze them as one cohesive data set. Log normalization converts these logs into a consolidated standard format, giving a centralized logging system one unified structure for storage, efficient searching, and seamless analysis.
2. What type of attacks does a flood guard protect against? Check all that apply.
- Malware infections
- SYN floods (CORRECT)
- DDoS attacks (CORRECT)
- Man-in-the-middle attacks
You got it! A flood guard is a security feature that protects against attacks which overload network resources, such as Denial-of-Service (DoS) attacks or SYN floods. By tracking activity, it prevents excessive or abnormal requests from depleting resources and keeps those resources available on the network.
3. What does DHCP Snooping protect against?
- DDoS attacks
- Brute-force attacks
- Data theft
- Rogue DHCP server attacks (CORRECT)
Good job! DHCP snooping is a security feature that prevents rogue DHCP server attacks. It configures the network switch to monitor DHCP traffic so that DHCP responses are only accepted from trusted ports, which connect to legitimate DHCP servers. Unauthorized devices are therefore blocked from acting as rogue DHCP servers and disrupting normal network operations.
4. What does Dynamic ARP Inspection protect against?
- ARP poisoning attacks (CORRECT)
- DDoS attacks
- Malware infections
- Rogue DHCP server attacks
That’s exactly right! Dynamic ARP Inspection (DAI) protects against ARP poisoning attacks by inspecting ARP packets on the network, cross-referencing them with the trusted MAC-to-IP address mappings built from DHCP snooping, and dropping packets that do not match what has been established as trusted. This preserves the integrity of the network and prevents others from spoofing addresses.
5. What does IP Source Guard protect against?
- IP spoofing attacks (CORRECT)
- Brute-force attacks
- DDoS attacks
- Rogue DHCP server attacks
Right on! IP Source Guard (IPSG) keeps IP address spoofing on a network at bay. It associates assigned IP addresses with specific switch ports. Traffic originating from an IP address that does not match the binding for its port is dropped, so only legitimate devices can communicate.
6. What does EAP-TLS use for mutual authentication of both the server and the client?
- One-time passwords
- Digital certificates (CORRECT)
- Usernames and passwords
- Biometrics
Yep! In mutual authentication, the two parties, the client and the server, exchange and validate digital certificates. This lets each verify the other’s identity, resulting in more secure communication. It is usually adopted where strong authentication is required, such as financial transactions or sensitive data exchanges.
7. Why is it recommended to use both network-based and host-based firewalls? Check all that apply.
- For protection against DDoS attacks
- For protection against man-in-the-middle attacks
- For protection for mobile devices, like laptops (CORRECT)
- For protection against compromised hosts on the same network (CORRECT)
Nice job! The general consensus is that a dual firewall strategy, using both network-based and host-based firewalls, offers comprehensive protection against both external and internal threats. Network firewalls protect the entire network by filtering traffic at the perimeter, while host-based firewalls add an extra layer of protection to individual devices. This applies especially to mobile devices like laptops and handhelds, which move between trusted and untrusted networks, keeping users secure regardless of physical location.
PRACTICE QUIZ: WIRELESS SECURITY
1. What are some of the weaknesses of the WEP scheme? Check all that apply.
- Its use of the RC4 stream cipher (CORRECT)
- Its small IV pool size (CORRECT)
- Its use of ASCII characters for passphrases
- Its poor key generation methods (CORRECT)
You nailed it! WEP’s design flaws and weaknesses leave the RC4 stream cipher exposed to cryptographic attacks. WEP used a small IV, which caused catastrophic IV reuse and made encrypted traffic easy to attack. Besides, the method WEP uses to generate encryption keys is also insecure, weakening the protection it offers wireless networks.
2. What symmetric encryption algorithm does WPA2 use?
- DSA
- RSA
- DES
- AES (CORRECT)
Great work! WPA2 uses CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) to achieve a higher security level. CCMP uses AES (Advanced Encryption Standard) in counter mode, which turns the block cipher into a stream cipher. This provides strong encryption and data integrity, making WPA2 significantly more secure than its predecessors, WEP and WPA.
3. How can you reduce the likelihood of WPS brute-force attacks? Check all that apply.
- Use a very long and complex passphrase.
- Update firewall rules.
- Disable WPS. (CORRECT)
- Implement lockout periods for incorrect attempts. (CORRECT)
Exactly! It is advisable to disable WPS whenever possible. If you need to use it, introduce a lockout period that disallows further connection attempts after a certain number of failed attempts.
4. Select the most secure WiFi security configuration from below:
- WPA personal
- WPA enterprise
- WEP 128 bit
- None
- WPA2 personal
- WPA2 enterprise (CORRECT)
Exactly right! For maximum security on a Wi-Fi network, WPA2 Enterprise is the strongest option available. It offers robust encryption that keeps data in transit free from snooping, while avoiding most of the management and authentication challenges of the shared-key system found in WPA2 Personal. Its strength comes from one of the better standards available, namely TLS certificates for authentication.
PRACTICE QUIZ: NETWORK MONITORING
1. What does tcpdump do? Select all that apply.
- Generates packets
- Captures packets (CORRECT)
- Analyzes packets and provides a textual analysis (CORRECT)
- Encrypts your packets
Correct! Tcpdump is a popular, lightweight command-line tool for capturing packets and analyzing network traffic.
2. What does wireshark do differently from tcpdump? Check all that apply.
- It can write packet captures to a file.
- It has a graphical interface. (CORRECT)
- It can capture packets and analyze them.
- It understands more application-level protocols. (CORRECT)
Awesome job! Tcpdump is a command-line utility, whereas Wireshark provides a full graphical interface. Tcpdump understands a number of application-layer protocols, but Wireshark supports many more and offers extensive protocol analysis.
3. What factors should you consider when designing an IDS installation? Check all that apply.
- Traffic bandwidth (CORRECT)
- Storage capacity (CORRECT)
- OS types in use
- Internet connection speed
Wohoo! Crucial to the normal functioning of an IDS is understanding the volume of traffic it will analyze, because that ensures the IDS can handle the traffic load. Additionally, consider the storage capacity needed for logs and packet captures.
4. What is the difference between an Intrusion Detection System and an Intrusion Prevention System?
- An IDS can detect malware activity on a network, but an IPS can’t
- An IDS can alert on detected attack traffic, but an IPS can actively block attack traffic. (CORRECT)
- They are the same thing.
- An IDS can actively block attack traffic, while an IPS can only alert on detected attack traffic.
That’s exactly right! An IDS only detects intrusions or attacks, while an IPS can make changes to firewall rules to actively drop or block detected attack traffic.
5. What factors would limit your ability to capture packets? Check all that apply.
- Network interface not being in promiscuous or monitor mode (CORRECT)
- Anti-malware software
- Encryption
- Access to the traffic in question (CORRECT)
You got it! Your Network Interface Card (NIC) must be switched to either monitor or promiscuous mode in order to record packets other than those sent to and from your computer. Ultimately, traffic from other clients can only be captured if those packets reach your interface, which happens when every computer is connected to a hub or when the switch has port mirroring enabled. Otherwise, being connected to a switch means you will be unable to capture the other clients’ traffic on the network.
PRACTICE QUIZ: WEEK FOUR PRACTICE QUIZ
1. What traffic would an implicit deny firewall rule block?
- Everything not allowed (CORRECT)
- Inbound traffic
- Outbound traffic
- Nothing unless blocked
You got it! Implicit denial means that all traffic is blocked by default, and only traffic explicitly allowed by specific rules is let through.
2. The process of converting log entry fields into a standard format is called _______.
- Log auditing
- Log analysis
- Log encryption
- Log normalization (CORRECT)
That’s correct! Log normalization is the process of transforming logs from different sources into a standard format with consistent fields. This makes it possible to analyze, search, and correlate logs from different systems or devices.
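Log normalization as described here and in question 1 of the secure network architecture quiz, as an added example that is not part of the original quiz material: two constructed log lines in different formats (a syslog entry and an Apache access-log entry) are parsed into one fixed set of fields so they can be stored and correlated together. The regexes, field names and sample lines are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample entries (not real logs): one syslog line, one Apache access-log line.
SAMPLE_LOGS = [
    "Mar 12 08:15:42 fw01 sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    '198.51.100.7 - - [12/Mar/2024:08:16:03 +0000] "GET /admin HTTP/1.1" 403 512',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(line, year=2024):
    """Map one raw log line onto a fixed schema: timestamp (UTC ISO 8601),
    source, host, src_ip, event, message. Returns None for unknown formats,
    so unparsed lines can be counted rather than silently dropped."""
    m = SYSLOG_RE.match(line)
    if m:
        # Classic syslog timestamps carry no year or zone; assume the given year, UTC.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = IPV4_RE.search(m["msg"])
        return {"timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
                "source": "syslog", "host": m["host"],
                "src_ip": ip.group(0) if ip else None,
                "event": m["prog"].strip(), "message": m["msg"]}
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"timestamp": ts.astimezone(timezone.utc).isoformat(),
                "source": "apache", "host": None, "src_ip": m["ip"],
                "event": f"http {m['status']}", "message": m["req"]}
    return None

def normalize_all(lines):
    """Normalize a batch; returns (records, number_of_unparsed_lines)."""
    records = [normalize(line) for line in lines]
    return [r for r in records if r], sum(r is None for r in records)

def events_by_source_ip(records):
    """With uniform fields, correlating across sources is a single query."""
    return dict(Counter(r["src_ip"] for r in records))
```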
3. A ______ can protect your network from DoS attacks.
- DHCP Snooping
- IP Source Guard
- Flood Guard (CORRECT)
- Dynamic ARP Inspection
Yep! Flood guards protect against denial-of-service attacks by detecting and blocking the traffic patterns associated with common flood attacks, thus preventing congestion and service outages.
4. Using different VLANs for different network devices is an example of _______.
- Network Separation (CORRECT)
- Implicit Denial
- Remote Access
- Network Encryption
Exactly! Network segmentation using VLANs (virtual local area networks) creates separate networks for different types of devices. This helps with security, reduces broadcast traffic, and improves performance.
5. How do you protect against rogue DHCP server attacks?
- DHCP Snooping (CORRECT)
- Dynamic ARP Inspection
- Flood Guard
- IP Source Guard
Nice job! DHCP snooping safeguards against rogue DHCP server attacks by mapping IP addresses to switch ports while maintaining a list of trusted, authoritative DHCP servers. Consequently, only genuine DHCP servers may assign IP addresses, securing the network against the risks posed by unauthorized DHCP servers.
6. What does Dynamic ARP Inspection protect against?
- IP Spoofing attacks
- DoS attacks
- Rogue DHCP Server attacks
- ARP Man-in-the-middle attacks (CORRECT)
Great work! Dynamic ARP Inspection (DAI) detects fraudulent gratuitous ARP packets that do not match the known IP-to-MAC address bindings and drops them. This prevents ARP spoofing attacks and guarantees the integrity of the address resolution process on the network.
7. What kind of attack does IP Source Guard protect against?
- DoS attacks
- Rogue DHCP Server attacks
- IP Spoofing attacks (CORRECT)
- ARP Man-in-the-middle attacks
You nailed it! IP Source Guard is an ingress port security feature that ties each switch port to the IP address assigned to it and rejects traffic claiming any other address. It prevents spoofing with the help of a dynamic access control list that allows packets into a port only from the single address bound to that port and blocks any other source IPs.
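The three switch features in questions 5 to 7 here (and questions 3 to 5 of the secure network architecture quiz) all work from one DHCP snooping binding table; as an added example, not part of the original quiz material, this Python simulation shows a DHCP reply on an untrusted port being discarded, an ARP reply that contradicts the binding table being dropped by DAI, and a packet whose source address is not bound to its ingress port being dropped by IPSG. Port names, MAC addresses and IP addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the IP leased to a client, its MAC and its access port."""
    ip: str
    mac: str
    port: str

class SwitchGuard:
    """Simulates DHCP snooping, Dynamic ARP Inspection and IP Source Guard on one
    access switch. Port names and addresses used with it are constructed."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # uplinks toward legitimate DHCP servers
        self.bindings = {}                       # DHCP snooping binding table, keyed by IP
        self.log = []                            # drop events, what a monitoring team would alert on

    def _drop(self, reason):
        self.log.append(reason)
        return "dropped"

    def dhcp_ack(self, server_port, client_port, client_mac, client_ip):
        """DHCP snooping: a lease is only recorded if the server reply arrived on a trusted port."""
        if server_port not in self.trusted_ports:
            return self._drop(f"rogue DHCP reply on untrusted port {server_port}")
        self.bindings[client_ip] = Binding(client_ip, client_mac, client_port)
        return "accepted"

    def arp_reply(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: the sender IP/MAC pair must match the binding for that port."""
        b = self.bindings.get(sender_ip)
        if b is None or b.mac != sender_mac or b.port != port:
            return self._drop(f"ARP binding mismatch on {port}: {sender_ip} claimed by {sender_mac}")
        return "forwarded"

    def ip_packet(self, port, src_ip):
        """IP Source Guard: only the address bound to the ingress port may source traffic."""
        b = self.bindings.get(src_ip)
        if b is None or b.port != port:
            return self._drop(f"IP spoofing on {port}: source {src_ip} not bound to this port")
        return "forwarded"
```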
8. A reverse proxy is different from a proxy because a reverse proxy provides ______.
- Remote Access (CORRECT)
- Authentication
- DoS protection
- Privacy
Correct! In the most general sense, a reverse proxy provides remote access to a network by acting as an intermediary between external users and internal resources. It forwards requests from external clients to the appropriate backend server. Load balancing, security, and centralized management are additional uses of such a remote access facility.
9. What underlying symmetric encryption cipher does WEP use?
- RSA
- RC4 (CORRECT)
- DES
- AES
Awesome! WEP uses the RC4 stream cipher.
10. What key lengths does WEP encryption support? Check all that apply.
- 40-bit
- 64-bit (CORRECT)
- 128-bit (CORRECT)
- 256-bit
Nice! WEP supports 64-bit and 128-bit encryption keys.
11. What’s the recommended way to protect a WPA2 network? Check all that apply.
- Hide the SSID
- Use WEP64
- Use a long, complex passphrase (CORRECT)
- Use a unique SSID (CORRECT)
That’s exactly right! Since the SSID serves as a salt, it needs to be unique to help prevent rainbow table attacks. Furthermore, a long, complex passphrase hardens the network against brute-force attempts, making it even harder for unauthorized individuals to access the network.
12. If you’re connected to a switch and your NIC is in promiscuous mode, what traffic would you be able to capture? Check all that apply.
- All traffic on the switch
- Traffic to and from your machine (CORRECT)
- Broadcast traffic (CORRECT)
- No traffic
Great job! Because you’re connected to a switch, you will only see packets directed to your switch port, such as traffic to or from your machine and broadcast packets. Switches forward packets based on MAC addresses, so they usually send data only to the relevant ports.
13. What could you use to sniff traffic on a switch?
- Port Mirroring (CORRECT)
- DHCP Snooping
- Network hub
- Promiscuous Mode
Yes! Port mirroring copies the traffic seen on one switch port to another port for analysis or monitoring purposes. In this way, the traffic can be observed without disturbing the data flow in the rest of the network.
14. What does tcpdump do?
- Brute forces password databases
- Performs packet capture and analysis (CORRECT)
- Generates DDoS attack traffic
- Handles packet injection
Indeed! Tcpdump is a network packet capture and analysis tool; it converts the binary packet data to a human-readable format. It can therefore be used to inspect the contents of network traffic and to troubleshoot network problems.
15. Compared to tcpdump, wireshark has a much wider range of supported _______.
- Protocols (CORRECT)
- Languages
- Packet types
- Packet sizes
Yep! Wireshark supports a very wide range of various networking protocols.
16. A Network Intrusion Detection System watches for potentially malicious traffic and _______ when it detects an attack.
- Triggers alerts (CORRECT)
- Shuts down
- Disables network access
- Blocks traffic
Correct! A Network Intrusion Detection System (NIDS) monitors network traffic for markers of harmful behavior and only generates alerts when such activity is detected. It does not act to stop or prevent the attack.
17. What does a Network Intrusion Prevention System do when it detects an attack?
- It does nothing.
- It blocks the traffic. (CORRECT)
- It attacks back.
- It triggers an alert.
Exactly! A Network Intrusion Prevention System (NIPS) can modify firewall rules in real time and actively cut off malicious traffic as it is detected. A NIDS only raises alerts during an attack, whereas a NIPS goes further and prevents the attack from reaching its target.