59 Cards in this Set
In SSL/TLS, if digital enveloping (RSA key transport) is used for key exchange, which side creates the symmetric session key?
|
The client: it generates the premaster secret and encrypts it with the server's public key taken from the server's certificate
|
|
Does SSL/TLS require mutual authentication?
|
False: the server is authenticated by its certificate, but client authentication (a client certificate) is optional
|
|
What is a collision?
|
Two or more distinct inputs producing the same hash value.
|
|
What is a birthday attack?
|
An attack that searches for collisions by hashing many inputs and looking for any pair with the same digest; because of the birthday paradox a match is expected after roughly the square root of the number of possible outputs (about 2^(b/2) hashes for a b-bit digest).
|
|
P = k! / (k^n (k-n)!) is the birthday-bound formula.
What are k, n and P? |
k = number of possible hash values (2^b for a b-bit digest)
n = number of hashes the attacker generates (the sample size)
P = probability that all n hashes are distinct, i.e. that no collision occurs; the probability that the attacker finds at least one match is 1 - P |
|
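Worked example for the birthday cards above, added here as illustration (it is not part of the original deck): the exact no-collision probability is computed as a running product so that k can be as large as 2^128, the usual square-root estimate for the number of samples is derived from it, and a real birthday attack is run against SHA-256 truncated to 32 bits. The truncation is an assumption made so the attack finishes in seconds; message names `msg-0`, `msg-1`, ... are constructed inputs.

```python
import hashlib
import math


def p_no_collision(k: int, n: int) -> float:
    """The deck's P = k! / (k^n (k-n)!): probability that n samples drawn from
    k equally likely hash values are all distinct.  Computed as a running
    product so k can be as large as 2^128 without forming huge factorials."""
    p = 1.0
    for i in range(n):
        p *= (k - i) / k
    return p


def p_collision(k: int, n: int) -> float:
    """Probability that the attacker finds at least one match: 1 - P."""
    return 1.0 - p_no_collision(k, n)


def samples_for_probability(k: int, target: float) -> int:
    """Approximate n needed for P(collision) >= target:
    n ~ sqrt(2 k ln(1 / (1 - target))); for target = 0.5 this is about 1.18 sqrt(k)."""
    return math.ceil(math.sqrt(2 * k * math.log(1.0 / (1.0 - target))))


def truncated_hash(msg: bytes, bits: int) -> int:
    """Keep only the leading `bits` bits of SHA-256.  Assumption for the demo:
    a deliberately weak hash so the attack is tractable on a laptop."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_attack(bits: int, max_tries: int = 1 << 20):
    """Hash distinct constructed messages msg-0, msg-1, ... until two share a
    truncated digest.  Returns (msg_a, msg_b, digest, tries) or None."""
    seen = {}
    for i in range(max_tries):
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:                       # messages are distinct, so this is a true collision
            return seen[h], msg, h, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print("P(collision) for 23 people, 365 birthdays:", round(p_collision(365, 23), 3))
    print("samples for 50% collision on a 32-bit hash:", samples_for_probability(2**32, 0.5))
    result = birthday_attack(32)
    if result:
        a, b, h, tries = result
        print(f"collision after {tries} hashes: {a!r} and {b!r} -> {h:08x}")
```

The 32-bit attack typically needs on the order of 2^16 to 2^17 hashes, which is why a digest has to be long enough that 2^(b/2) work is infeasible, not merely 2^b.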
In Kerberos, the client decrypts the session key in the Authentication Server's reply with a key derived from the user's password.
|
True: the session key is encrypted under the user's password-derived key; the ticket-granting ticket itself is encrypted under the TGS's key, so the client can only forward it, not read it
|
|
In Kerberos, what is responsible for verifying a user's identity?
|
Authentication Server
|
|
What is the default encryption algorithm used for the current version of Kerberos?
|
AES (Kerberos 5, RFC 3962: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96; RFC 8009 adds SHA-2 based variants)
|
|
What is the most accurate form of biometrics?
|
Iris scanning
|
|
What is false acceptance rate?
|
Percentage of attempts in which a person is matched to a template although they should not be (an impostor is accepted).
|
|
What is a False Rejection Rate?
|
Percentage of attempts in which a legitimate person is not matched to their own template (a genuine user is rejected).
|
|
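Added example (not from the deck) showing how FAR and FRR are actually measured and traded off: both rates are computed from match scores at a given threshold, then the threshold is swept to find the equal error rate. The score lists are constructed sample data, not measurements from any real system.

```python
# Constructed match scores (not measurements): higher = more similar to the template.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.60, 0.97, 0.79, 0.85, 0.90]   # user vs own template
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.65, 0.30, 0.41, 0.18, 0.55, 0.75]  # user vs someone else's


def far_frr(genuine, impostor, threshold):
    """Decision rule: 'match' if score >= threshold.
    FAR = share of impostor attempts wrongly accepted.
    FRR = share of genuine attempts wrongly rejected.
    Both are returned as percentages."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return 100.0 * false_accepts / len(impostor), 100.0 * false_rejects / len(genuine)


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where the two rates are closest: the equal error rate.
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.9):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t}: FAR={far:.0f}%  FRR={frr:.0f}%")
    print("EER point:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A low threshold is convenient for users but lets impostors through; a high one locks out genuine users. Security-sensitive deployments pick a threshold on the low-FAR side of the EER and accept the extra false rejections.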
What is one method of creating a hash collision?
|
Hash a large number of candidate inputs and compare the outputs: because the output space is finite and the input space is not, two inputs with the same digest turn up eventually (a birthday attack).
|
|
MD5 characteristics
|
- Produces a fixed 128-bit digest for any input
- Finite number of digests (2^128) but an unlimited number of inputs, so collisions must exist
- Practical collision attacks are known, so MD5 is considered broken for collision resistance |
|
What layer is SSL/TLS on? What are its 3 phases?
|
Runs directly above TCP (Layer 4); in OSI terms it is usually placed at the session/presentation layers
1. Peer negotiation: agree on protocol version and cipher suite
2. Public-key cryptography: authenticate the server (and optionally the client) and exchange or derive the session key
3. Symmetric cipher: bulk encryption and integrity protection of the application data |
|
What is IPsec?
|
A Layer 3 (network layer) security protocol that protects the IP packet and its contents; in transport mode the IP header itself stays in the clear, in tunnel mode the whole original packet (header included) is encapsulated under a new outer header. Must be configured on both ends, which can make it expensive to deploy.
|
|
What are the 2 modes of IPsec?
|
Transport mode: host-to-host security; only the payload is protected
Tunnel mode: between gateways; the whole original packet is wrapped in a new IP header, less expensive because the hosts need no IPsec configuration |
|
What is ESP?
|
Encapsulating Security Payload, a header and trailer added to the IPsec packet; provides confidentiality, plus integrity and origin authentication when an authentication algorithm is configured on the SA.
|
|
What is IKE?
|
Internet Key Exchange, the first phase of IPsec: the two parties authenticate each other and create a secure channel (using Diffie-Hellman), then safely negotiate one or more SAs over it. Runs on UDP 500 (UDP 4500 when NAT traversal is used).
|
|
What is an IPsec SA?
|
Security Association: an agreement on which IPsec security methods and options (protocol, algorithms, keys, SPI) two hosts or two IPsec gateways will use. Each SA carries a sequence-number counter and a receive window that prevent replay attacks.
|
|
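Added example, not from the deck, of how an SA's sequence numbers stop replays: the receiver keeps a sliding window in the style of RFC 4303 (ESP), accepting packets that are newer than anything seen, accepting late-but-unseen packets inside the window, and dropping duplicates and anything older than the window. Window size 8 and the sequence list are constructed for the demo; a real implementation must only update the window after the packet's integrity check value has verified, otherwise forged packets could advance it.

```python
class AntiReplayWindow:
    """Receive-side anti-replay check for one inbound IPsec SA, modelled on the
    sliding window in RFC 4303.  `top` is the highest sequence number accepted;
    bit i of `bitmap` records whether sequence number (top - i) was received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record the packet) if seq is fresh, False if it is a
        replay or has fallen behind the window.  Sequence number 0 is never valid:
        the sender's counter starts at 1 when the SA is created."""
        if seq == 0:
            return False
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False            # too old: outside the window, drop
        if self.bitmap & (1 << diff):
            return False            # already received: replay, drop
        self.bitmap |= 1 << diff    # late but genuine (reordered) packet
        return True


def replay_check_sequence(seqs, size: int = 64):
    """Feed received sequence numbers through one SA's window and return the
    accept (True) / drop (False) decision for each."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed example: normal packets, a replay of 1, a reordered 3, a replay of 3,
# a jump to 20 that slides the window past 12, and an invalid sequence number 0.
SAMPLE_SEQS = [1, 2, 1, 5, 3, 3, 20, 12, 13, 13, 0]

if __name__ == "__main__":
    for s, ok in zip(SAMPLE_SEQS, replay_check_sequence(SAMPLE_SEQS, size=8)):
        print(f"seq {s:>2}: {'accept' if ok else 'drop'}")
```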
What is MPLS?
|
Multi-Protocol Label Switching, a "Layer 2.5" technology that forwards on short labels instead of IP addresses. When traffic enters the MPLS network the ingress router pushes a label, each core router swaps it, and the egress router pops it.
|
|
What are 4 advantages of MPLS?
|
1. Speed: the forwarding decision is a label lookup rather than a full routing lookup at every hop
2. Versatility: works with different Layer 2 and Layer 3 protocols
3. Traffic engineering: traffic can be classified and steered over chosen paths
4. Security: each customer's traffic is kept separate in its own VPN (note that MPLS does not encrypt, so confidentiality still requires IPsec or TLS) |
|
What is MPLS LSR, LDP, VRF and LIB?
|
LSR - Label Switch Router
LDP - Label Distribution Protocol
VRF - VPN Routing and Forwarding (also called Virtual Routing and Forwarding), a per-customer routing table on a provider edge router
LIB - Label Information Base, the table holding the label bindings used to decide which labels to push, swap or pop |
|
What are some MPLS security vulnerabilities?
|
1) Rogue path switching
2) Label Information Base poisoning
3) Forwarding traffic from inside to outside
4) Infiltrating the LIB |
|
What is 802.1x?
|
Port-Based Network Access Control for Ethernet: the switch port (authenticator) blocks an attaching client (supplicant) until a central RADIUS authentication server has authenticated it, preventing illegitimate clients from associating with the network.
|
|
What are 3 advantages of 802.1x?
|
1) Reduces cost, since each workgroup switch no longer has to perform authentication itself
2) Consistency of authentication across all switches
3) Immediate access control changes, made once at the central server |
|
What is EAP?
|
Extensible Authentication Protocol, the framework that governs the specifics of the authentication exchange within 802.1X; the supplicant and the authentication server exchange EAP messages while the switch or access point only relays them.
|
|
What protocol is 802.1x extended to, to work in wireless?
|
802.11i
|
|
What are EAP-TLS and PEAP?
|
EAP-TLS: authentication is a full TLS handshake in which both the client and the server present digital certificates (mutual authentication, but every client needs a certificate). PEAP (Protected EAP): a TLS tunnel is set up using only a server certificate, and an inner authentication method of your choice, including passwords or certificates, runs inside the tunnel, so clients need no certificate. PEAP is favoured by industry for that reason.
|
|
What is AAA?
|
Authentication - uses credentials to verify who the user is
Authorization - what permissions and resources the user may access
Auditing - log files, used for detecting attacks |
|
What is Mandatory Access Control (MAC)?
|
Access rights are fixed by a central policy (security labels and clearances); nobody in a department, not even a resource owner, can alter the access controls. Stronger security, but difficult to implement.
|
|
What is Kerberos?
|
An interoperable authentication system that uses a centralized database (the KDC) to authenticate users and applications
- Supports authentication forwarding (delegation of credentials)
- Supports a method for inter-realm authentication |
|
Should the authentication server (e.g. the Kerberos KDC) run on a dedicated server?
|
Yes
|
|
Large-scale Kerberos? Small-scale Kerberos?
|
Bad, good: at large scale the KDC becomes a bottleneck and a single point of failure and every realm boundary needs cross-realm trust; at small scale it works well
|
|
What is Public Key Infrastructure?
|
PKI: the system for issuing, distributing and revoking digital certificates that bind a public key to an identity, with a Certificate Authority (CA) vouching for each binding.
|
|
What is Federated Identity Management?
|
System in which two companies can pass identity assertions to each other without allowing the other to access internal data.
|
|
What is Identity Management?
|
The centralized policy-based management of all information required for access to corporate systems by people, machines, programs, or other resources.
|
|
What is XML? What is SOAP?
|
- Extensible Markup Language: defines data objects and structures.
- Simple Object Access Protocol: a means of exchanging the objects defined in XML. |
|
What is SAML?
|
Security Assertion Markup Language, an XML-based standard used to send identity assertions (authentication, attribute and authorization statements) between firms in federated identity management
|
|
What are assertions?
|
Statements about the subject issued by authoritative entity.
|
|
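Added example (not part of the deck) of what a service provider must check in a SAML assertion before trusting its statements: the issuer is the trusted IdP, the validity window has not lapsed, the audience names this SP (an assertion issued for another SP must not be accepted), and a subject is present. The assertion is constructed sample XML with the signature element left out; verifying that signature against the IdP's certificate is a required step in practice that this example does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture); the XML signature element
# is omitted so that the example runs without a crypto library.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:50Z"/>
</saml:Assertion>"""


def parse_utc(value: str) -> datetime:
    """SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str, now_utc: str):
    """Conditions a service provider enforces before trusting an assertion.
    Returns (subject, []) on success or (None, [reasons]) on failure.
    Assumed for the example: the XML signature was already verified upstream."""
    root = ET.fromstring(xml_text)
    now = parse_utc(now_utc)
    errors = []

    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        errors.append(f"issuer {issuer!r} is not the trusted IdP")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        errors.append("Conditions element missing")
    else:
        not_before = parse_utc(conditions.get("NotBefore"))
        not_on_or_after = parse_utc(conditions.get("NotOnOrAfter"))
        if not (not_before <= now < not_on_or_after):
            errors.append("assertion is outside its validity window")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if expected_audience not in audiences:
            # An assertion minted for another SP must not log the user in here.
            errors.append(f"audience {audiences} does not include this SP")

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not subject:
        errors.append("Subject NameID missing")

    return (subject, []) if not errors else (None, errors)


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com",
                             "https://sp.example.com", "2024-05-01T12:02:00Z"))
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com",
                             "https://other.example.com", "2024-05-01T12:02:00Z"))
```

The audience check is the one most often skipped in home-grown SP code; without it, an assertion a user legitimately obtained for one application can be replayed to log into another that trusts the same IdP.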
Ingress? Egress?
|
Ingress is entering the network
Egress is leaving the network |
|
Stateless/Static Packet Filtering?
|
Examines each packet individually against static rules (addresses, ports, flags), with no memory of earlier packets.
|
|
Stateful Packet Filtering?
|
Is aware of the context of each packet: it records information about TCP connections (and UDP pseudo-connections) in a state table, so a packet is allowed only if it opens a permitted new connection or belongs to an existing one.
|
|
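Added example, not from the deck, contrasting the two filter types on the same constructed traffic: the stateless rule set uses the classic "allow inbound if ACK is set" heuristic for established traffic, which a forged ACK-only packet satisfies, while the stateful filter admits inbound packets only when they match a connection an internal host opened. The internal prefix, addresses and ports are assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


INTERNAL_PREFIX = "10.0.0."   # assumed internal address range for the example


def stateless_allow(pkt: Packet) -> bool:
    """Static packet filter: each packet judged on its own header fields.
    Rule 1: anything from an internal host may go out.
    Rule 2: an inbound packet is allowed if it carries ACK, the 'established'
    heuristic a filter falls back on when it has no connection memory."""
    if pkt.src.startswith(INTERNAL_PREFIX):
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Stateful packet filter: remembers connections opened by internal hosts
    and admits inbound packets only if they belong to one of them."""

    def __init__(self):
        self.connections = set()   # (client_ip, client_port, server_ip, server_port)

    def allow(self, pkt: Packet) -> bool:
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_in = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src.startswith(INTERNAL_PREFIX) and pkt.flags == "S":
            self.connections.add(key_out)   # new outbound connection attempt
            return True
        if key_out in self.connections or key_in in self.connections:
            return True                     # packet belongs to a known connection
        return False                        # unsolicited inbound: drop


# Constructed traffic (not a capture): an internal client opens an HTTPS session,
# then an external host sends an ACK-only probe at an internal SMB port.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A"),
    Packet("198.51.100.7", 4444, "10.0.0.9", 445, "A"),
]


def compare_filters(traffic):
    """Return (stateless decision, stateful decision) for each packet."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in traffic]


if __name__ == "__main__":
    for p, (sl, sf) in zip(SAMPLE_TRAFFIC, compare_filters(SAMPLE_TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]  stateless={sl}  stateful={sf}")
```

The last packet is exactly the ACK scan that static filters have historically let through; a stateful filter drops it because no internal host ever opened a connection to 198.51.100.7.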
Application Gateway?
|
Layer 7 firewall, examines the connection between client-server apps, allows for user authentication, good for inbound connections
|
|
Circuit-level gateway?
|
Layer 5 firewall, similar to application gateway, less control, good for outbound connections
|
|
What is SOCKS v5?
|
A protocol that relays TCP (and, in version 5, UDP) connections between client-server applications through a proxy server, with optional user authentication. Listens on TCP port 1080.
|
|
What do Bastion Hosts do?
|
- Serve as a hardened platform for application-level or circuit-level gateways
- Only essential services are installed |
|
What is a fragmentation attack?
|
Splitting an IP packet into fragments so that the header fields or payload a filter needs to inspect are spread across several pieces; a device that inspects only the first fragment, or does not reassemble before filtering, can be tricked into passing the traffic.
|
|
What is a Single-Bastion Inline?
|
A single firewall (bastion host) placed in line between the internal and external networks.
|
|
What is a Single-Bastion T?
|
Same as Inline, with a third interface to the DMZ
|
|
Double-Bastion Inline?
|
DMZ between Bastion FWs, used in large business and government organizations.
|
|
Are IPSs inline?
|
Yes: an IPS sits in the traffic path so it can drop packets, unlike an IDS, which only observes a copy of the traffic
|
|
What is a Unified Threat Management System?
|
A single appliance bundling a complete package of security defenses (firewall, IPS, anti-malware, VPN, content filtering); Check Point is cited here as the best-known example.
|
|
What is Protocol Fidelity?
|
A firewall check that traffic on a port actually conforms to the protocol expected on that port; connecting to a port with application A when the port is supposed to carry application B violates protocol fidelity.
|
|
In MPLS, what is FEC?
|
Forwarding Equivalence Class, a group of IP packets which are forwarded in the same manner, over the same path, and with the same forwarding treatment.
|
|
What 4 transfer mediums can MPLS be used over?
|
1. Packet over SONET (PoS)
2. Frame Relay
3. Ethernet
4. Asynchronous Transfer Mode (ATM) |
|
Using encapsulation security payload (ESP) within IPsec, provides confidentiality, authentication, and integrity?
|
True: ESP always provides confidentiality and, when configured with an authentication algorithm (as it should be), integrity and origin authentication as well
|
|
What does MPLS use within the MPLS core network to forward client information instead of IPs?
|
Labels
|
|
What is a MPLS Route Distinguisher?
|
An 8-byte value prepended to a customer's IPv4 prefix to form a unique VPNv4 route, used to distinguish the routes of separate customers even when their private address spaces overlap.
|
|
Since MPLS in many deployments uses MP-BGP to distribute VPN routes and labels (alongside the Label Distribution Protocol, LDP, for transport labels), the BGP sessions should use a strong cryptographic _____________ mechanism, such as an HMAC-based option like TCP-AO (RFC 5925), rather than running unauthenticated.
|
authentication
|