81 Cards in this Set
Which statements about the OSI and DoD models are correct?
A. The DoD application layer performs the same functions as the OSI application layer. B. The DoD network access layer and OSI session layer perform the same function. C. The DoD Internet layer is the same as the OSI network model. D. The DoD network access layer performs the same functions as the OSI data link and physical layer. |
C. D. |
|
1. Operating on port 21, provides the uploading and downloading of data. 2. Operating on port 143, provides the retrieval of email messages. 3. Operating on port 22, provides a secure data exchange channel through encryption and authentication. 4. Operating on port 53 and using TCP or UDP, translates domain names into IP addresses. |
1. FTP 2. IMAP 3. SSH 4. DNS |
|
What are some features of TCP/IP?
A. TCP/IP is network independent B. The network access layer is the lowest layer of TCP/IP C. The link layer allows TCP/IP to communicate with routers D. TCP/IP is an integrated addressing system E. The transport layer is the highest layer of TCP/IP |
A. B. D. |
|
Application Layer |
User/Software applications. Responsible for displaying and receiving data for the user. - FTP, DHCP, DNS, HTTP, IMAP, LDAP, MGCP, NNTP, NTP, POP, ONC/RPC, RTP, RTSP, RIP, SIP, SMTP, SNMP, SSH, Telnet, TLS/SSL, XMPP
|
|
Presentation Layer |
Translate data for application/transmission - Encryption |
|
Session layer |
Manage connections - Establish/terminate |
|
Transport layer |
Transfer and manage data between hosts - includes reliability and error handling - client server or peer to peer - TCP, UDP, DCCP, SCTP, RSVP |
|
Network layer |
Transfer datagrams from one node to another - Routers and layer 3 switches |
|
Data link layer |
Data packets encoded/decoded; link between nodes established/maintained - ARP, NDP, OSPF, Tunnels (L2TP, PPP), MAC (Ethernet, DSL, ISDN, FDDI) |
|
Physical layer |
Transmits data at the hardware level - data transmitted and received, electrical and physical specifications; electric impulses, light, or radio frequency |
|
DoD: - Application: App, pres, session - Transport: transport - Internet: network - Network Access: Data link and physical |
- Could be leveraged as the go-to model worldwide. AKA TCP/IP model - Developed by the Department of Defense |
|
Protocol Data Unit (PDU)
What is the PDU called at each level of the OSI model? |
The process of packaging data as it passes through each layer of the OSI model aka encapsulation.
Application: Data Presentation: Data Session: Data Transport: Segments Network: Packets Data Link: Frames Physical: Bits |
|
Upper layers |
Application Presentation Session |
|
Data flow layers |
Transport Network Data Link Physical |
|
TCP/IP can be categorized as: |
- An integrated addressing system - A routing-friendly design - Underlying networking independence - Scalability - Use of open standards and development |
|
TCP/IP Model aka DoD Model |
Application Transport Internet Network Access |
|
Internet Control Messaging Protocol (ICMP) |
- Ping requests and Replies. Testing to see if connectivity is good between systems or networks or parts of networks. - Could be used by unauthorized users. - Can instruct routers that a subnet is no longer at a certain subnet. |
|
IPv6 |
- 128 bytes - 16 bits - Many attacks are not possible - DNS attacks are less likely because DNS accepting IPv6 should have the full DNSSEC suite enabled. |
|
Dual Stacking |
- Running both IPv4 and IPv6 addresses at the same time. - Can also enable tunneling by encapsulating IPv6 packets in IPv4 packets. |
|
IPv6 security Model |
- IPSec, 802.1x, Router and FW ACLs, Authentication |
|
TCP (Transmission Control Protocol) UDP (User Datagram Protocol) |
- TCP requires an established connection before sending PDU information and it is reliable, whereas UDP will send PDUs at will, making it less reliable but fast. UDP is used for broadcast and multicast, and TCP is used for unicast over an established connection. |
|
Lossless Lossy |
- TCP - UDP |
|
Socket |
- Is used for communication. TCP uses 2 sockets to send and receive. UDP can communicate with multiple devices through 1 socket. - TCP socket: TCP, IP, Port - UDP socket: UDP, IP, Port |
|
UDP Header |
- Source Port - Destination Port - UDP checksum - confirm validity and integrity of the data transmitted. |
|
Well known ports Ephemeral ports |
- 0 to 1023 - 1024 to 65,535 |
|
SSL Steps |
1. User accessing secure site 2. Check DNS records for IP address to find web-site host 3. Web site records found. Going to the host web server. 4. Requesting secure SSL connection from web site host 5. Host responds with valid SSL cert 6. Secure connection is now established. Transferred data is encrypted. |
|
TLS/SSL encrypt data between |
- at a lower level in the TCP/IP Application layer |
|
FTP secure SFTP SCP |
- Uses port 990 control communication between client and server, and port 989 to send and receive data. - SFTP uses port 22 - SCP uses port 22 |
|
Email: SMTP POP3 IMAP |
- Port 25 - Port 110, can be used with or without SMTP - Port 143 |
|
HTTP HTTPs |
- Port 80 - stateless protocol - Port 443 - uses authentication and encryption |
|
NetBIOS: (network basic input output) Name service Datagram distribution services Session Services |
- Applications must register their own names, 16 bytes and the last 2 are reserved to define the network. - NBT protocol - Usually sessions run over TCP port 139, used to transfer larger amounts of data - Names and datagrams run in UDP ports 137 and 138. |
|
BootP TFTP NTP SNMP |
- UDP 67, available on DHCP servers, can be used to boot without a disk drive and locate the IP of a workstation - UDP 69, sending small amounts of data, used to boot computers, xterms, and diskless workstations - UDP 123, network clock server - UDP 161, enables network devices to exchange network information, stores info in MIBs, requests in the form of PDUs. |
|
IPSec Protocol |
- Designed to encrypt all traffic no matter the app - Transport only encrypts the data portion of Payload - Tunnel encrypts the data and the header info - AH - ESP
|
|
iSCSI (Internet Small Computer System Interface) |
- Transfers between data store facilities and the Internet |
|
Fiber channel |
- High-speed data transfer tech - Fibre Channel over Ethernet: frames encapsulated in Ethernet networks. |
|
RDP aka Terminal Services |
- Port 3389 - The software must be running on the remote server. |
|
Identify correct statements about the OSI and DoD models.
A. The OSI network access layer is responsible for data transmission at the hardware level. B. The OSI session layer controls reliability and error handling C. The OSI presentation layer translates data for transmission D. The DoD Internet layer transfers datagrams from one node to another E. The DoD application layer is responsible for encryption and decryption. |
C. D. E. |
|
Which statement(s) about IPv4 and IPv6 are correct?
A. IPv4 addresses use 32 bit or 4 bytes for addressing. B. IPv6 addresses use eight 16 bit segments C. IPv6 is less vulnerable to DNS spoofing D. In IPv4 addressing, a double colon replaces zeros E. IPv6 is impervious to DoS attacks |
A. B. C. |
|
What are some functions of TCP and UDP?
A. UDP doesn't use specific ports B. UDP is less reliable than TCP D. UDP cannot broadcast data E. TCP sequences and retransmits messages |
B. C. E. |
|
1. A hacker uses a spoofed IP to ping network hosts. 2. Installed malware gains the same level of control as a legitimate application. 3. A hacker intrudes upon a conversation between hosts. 4. A botnet controls multiple systems that flood another system with network traffic. |
1. Smurf Attack 2. Privilege escalation 3. Man in the middle 4. DDoS |
|
How are assessment tools used to secure networks?
A. Vulnerability scanners are used to map network devices. B. OVAL is used to compare results with a standardized network map C. Port scanners are used to ping all active servers on a network D. Protocol analyzers are used to analyze a data packet's destination and flags E. Vulnerability scanners are used to identify trojans and botnet malware. |
A. C. D. |
|
You are a network administrator. Which actions should you take to secure your network?
A. Implement a DMZ outside the network firewall. B. Use a system to check the status of all computers in a network and log the findings. C. Maintain unused employee accounts on a separate server. D. Implement a policy for regular software updates and patches E. Connect a device that uses EAP requests to a network switch. |
C. D. E. |
|
DoS & DDoS Attacks |
- Targeting software vulnerabilities - Create a diversion for other attacks - Incapacitating a server totally - Physical attacks as well
- Use ICMP, TCP, UDP to carry out their deeds |
|
Smurf Attack |
- Spoof a server's IP then send a Ping request to a router that then broadcasts the request to the rest of the systems on that network. |
|
SYN Attacks: SYN flood attack Distributed reflection DDoS attack
|
* Sending a SYN packet from multiple computers simultaneously. - Sends a SYN packet and doesn't respond to the SYN ACK packet from the remote server, so the remote server continues to send the SYN ACK. - Spoofs an IP address then attempts to open a request with multiple servers. Then those servers send a response back to the actual server. |
|
Fraggle Attack |
- Similar to the smurf attack - attacker tries to find uncommon open ports then overwhelm them. |
|
ARP poisoning |
- Broadcast an unsolicited ARP request from Alice, and Bob's computer trusts this request. Then, all traffic Bob tries to send to Alice will be routed through the attacker first. |
|
Replay Attack |
Traffic is captured by the attacker then used by the attacker to impersonate the user. Generally login credentials. |
|
Privilege Escalation: Transitive attacks Client side attacks Christmas Tree attacks |
- captures the credentials used to log into a network share - Attack the client directly, through a vulnerability in a browser for example, instead of the server - All flags turned on SYN, ACK, PUSH, etc |
|
Water Hole |
- Research the site - Infect the site - Users become infected |
|
Typo Squatting |
- Mistyping or misspelling a site name then takes you to another site owned by an attacker. |
|
Password Attacks: Birthday Attack Rainbow Table |
- Hoping that two users will use the same password and end up with the exact same resulting hash function - Precomputed lists of tables made to reverse hashing functions |
|
Port Authentication |
Ensures only authenticated users have access to the network, using IEEE 802.1x |
|
*EAP |
- EAP request is sent |
|
NAC |
Can be used to control who can access a network. These are predefined policies. Can be complicated and requires much planning. Must gather information from different devices across the network. Create a system that does this.
Authenticator, NAC policy server, RADIUS AAA (Authorization, Authentication, Accounting) server, DHCP server. |
|
NAC: Frameworks: |
- Cisco Network Admission Control - uses IEEE 802.1x - Microsoft Network Access Protection - in Windows Server - Trusted Network Connect - a TPM chip records hashes of the machine state. Open source. |
|
NAC: Attacks |
- An attacker could run two VMs, one that meets requirements and one that doesn't. After authenticating to the network, the attacker switches to the machine that does not meet requirements. |
|
NAC: Post and Pre admission |
- Pre - tests that the device meets standards before getting on the network. - Post - checks the device after it has authenticated to the network to make sure that it continues to meet security measures. |
|
Initialization phase: Supplicant plugs into an authenticator, the authenticator then sends an EAP request, the supplicant then sends an EAP response that says it wants to get on the network. |
NA |
|
Network Hardening Topics |
Patches OS patches Password policies and strong passwords Account and password expiration close unused ports MAC limiting/filtering Defunct account removal Remove unused services Review user privileges Wifi/BYOD policies |
|
Vulnerability scanners |
map ports |
|
OVAL |
Standardizes the main activities of a vulnerability check in three steps. 1. It creates a representation of the benchmark state of a computer system. 2. It analyzes a system state against the benchmarked state. 3. The application produces a report of the state of the system that was analyzed. |
|
Port Scanners |
- Most common - Which ports are open - Vulnerabilities on these ports - Netstat and Nmap |
|
Total number of ports? What are the port ranges? |
65535 - 0 to 1023 common ports - 1024 to 49151 registered ports - 49152 to 65535 dynamic ports |
|
FIN, PUSH, URG packets |
This is a Christmas tree attack |
|
Port scans require a 3-way handshake |
SYN, SYN-ACK, ACK |
|
Stealth Scans |
Take advantage of vulnerabilities. The receiver responds without making a connection. For example, an error message may be sent back, or if the service is running the attacker may not get a response back. |
|
Protocol Analyzers have two functions |
- Traffic analysis, and packet capture, analysis, and transmission. - How: plug into an existing device, or a network tap, inline with the network - tcpdump, Wireshark, dsniff, SkyGrabber, Cain and Abel, Kismet, and Microsoft Network Monitor |
|
Protect against protocol analyzers |
- Encryption; this can get expensive, so you should choose which data to encrypt. |
|
|
Banner grabbing |
Must perform a port scan to find open ports, then, start to banner grab. Look at software versions, types of software, etc. |
|
Passive and Active security |
- Both should be used in security - P: vulnerability anticipation - A: Vulnerability detection such as banner grabbing and port scanning. |
|
As the network security specialist for your organization, you're developing a network topology map so you can assess the network, analyze potential risks, and build a network defense strategy. |
Questions to follow: |
|
Match the OSI layers to their corresponding DoD layers. You may use each layer more than once.
1. Physical layer 2. Session layer 3. Presentation layer 4. Data link layer 5. Network layer |
1. Network access layer 2. Application layer 3. Application layer 4. Network access layer 5. Internet layer |
|
Which statements about the TCP/IP protocol suite are correct?
A. DNSSEC makes IPv6 more vulnerable to certain types of DoS attacks B. UNIX and the Winsock API communicate exclusively on the Transport layer C. Examples of ICMP control messages are Ping Request and Ping Reply D. The highest layer in the TCP/IP protocol suite is the Application layer E. The binary form of IPv6 is 128 bits long |
C. D. E. |
|
Match each network protocol to its description.
A. UDP B. TCP C. NetBIOS D. SSL E. IMAP |
E. Retrieves email messages and operates on port 143. C. Working on UDP port 137, used by LANs to allow software on different hosts to communicate. B. Sequences messages, retransmits messages lost in transit, and uses data flow and congestion control. A. Fast and provides multicasting, but doesn't provide security, data integrity, or reliability. D. Uses secure tunneling encryption with protocols like HTTP and FTP to ensure network traffic is safe during transit. |
|
Match each network attack type with its corresponding description.
A. MITM B. Spoofing C. Christmas Tree attack D. SYN flood E. Smurf attack F. DDoS attack |
B. A hacker fakes his MAC address to gain access to a secure network. D. An attacker disrupts the TCP handshake process of a network and intercepts the response packet from the target server. F. A hacker utilizes a C&C server to instruct zombie computers to flood a web site with traffic. A. A hacker intercepts traffic on an existing connection between two different hosts. E. An attacker mimics the victim's IP address and sends Ping Requests to multiple hosts. C. An attacker uses a TCP packet with the URG, PUSH, and FIN flags turned on and sends it to a router.
|
|
Which statements about port security are correct?
A. Attackers can simply plug into a network connection and gain access if ports aren't secured. B. Port authentication involves using IEEE 802.1x protocols to secure logical ports. C. Mobile devices don't represent a security threat because they don't have access to network ports. D. One method of increasing port security is to disable unused, open ports. E. Certain network switches can detect duplicate MAC addresses. |
A. D. E.
B. Incorrect - IEEE 802.1x is used for security and port authentication on physical ports and does not support security or authentication on logical ports such as TCP and IP.
|
|
Which descriptions of security and assessment tools are correct?
A. To protect network integrity and safety, vulnerability scanners are designed so they do not exploit network resources. B. Port scanners detect running services on open ports. C. OVAL is an open, interoperable language which can be used to detect network vulnerabilities, work with different applications, and share results with others. D. Sniffing is not a legitimate process and should never be employed by administrators. |
B. C. |
|
Label each description of a network attack according to its attack type.
A. Watering hole attack B. Replay attack C. Typo squatting D. Brute force attack |
A. A hacker infects a web site that an organization knows and trusts with malware. C. A hacker tricks a user into navigating to a web site that has a similar name to a legitimate site. D. An attacker gains user passwords by using a computer(s) to run through all the possible combinations. B. A hacker uses information taken while spying on a session to gain unauthorized access. |
|
Which statements describe how security and assessment tools are used?
A. Packet sniffers analyze the flow of traffic between hosts. B. Netstat is used to analyze data packets for set flags. C. OVAL is used to create a benchmark of a system's state. D. Port scanning is initialized by using a two-way TCP/IP handshake. E. Sniffing is performed by connecting to network devices or taps. |
A. C. E. |
|
Which actions are examples of network security best practices?
A. Creating a document that lists which devices meet the minimum security requirements B. Running scanning software to detect running services on ports C. Enforcing a strong password policy D. Creating a NAC policy for a small business network E. Giving all wireless devices special access so they can access ports not used by PCs |
A. B. C.
|