Appendix A. Answers to Chapter Review Questions

Chapter 1

1. What is a target of opportunity?

Answer: A target of opportunity is one in which a vulnerability has been detected by an attacker, who decides to try an exploit because the target has allowed them to find it.

2. What is a target of choice?

Answer: A target of choice occurs when an attacker chooses you as a target. His reason is irrelevant because this is a mental commitment on the part of the attacker.

3. What is the purpose of footprinting?

Answer: Footprinting is the process an attacker takes to understand a target’s network and associated systems. This is a continuous process that is used throughout all planned attacks, and in which attackers are looking to gain as much information about the target as possible.

4. Which of the following are ways by which an attacker can gain access?

a. Operating system attacks

b. Application attacks

c. Misconfiguration attacks

d. Script attacks

e. All of the above

Answer: E. All of the above.

5. List four of the Network Security Organizations.

Answer:

• CERT

• SANS

• SCORE

• Security Focus

• ICAT

• Center for Internet Security

6. Briefly explain why it is important for an attacker to cover his tracks.

Answer: Presuming that an attacker has compromised a system, the ability to remove the forensic evidence of his actions (in other words, cover his tracks) allows the attacker to utilize the compromised system at his leisure if the system administrator never knows they have been compromised.

7. Social engineering can be damaging without an overt attack ever happening. Explain why.

Answer: The purpose of social engineering is to trick a person into believing that the attacker is someone else and thereby allowing that person to believe that the attacker is entitled to sensitive information.

8. What kind of information might be found if an attacker dumpster dives at your place of work?

Answer: Perhaps there might be financial reports, customer lists, human resource information, or other sensitive data. The point here is to never “simply throw out” information that might have value.

9. DNS information gained through WHOIS is used for what kind of reconnaissance?

Answer: WHOIS information is used for passive reconnaissance.

10. What two free reconnaissance tools are available with most versions of the Windows operating system?

Answer: Nbtstat and net view.

Chapter 2

1. How important is it to involve other departments and employees in the crafting of security policies?

Answer: Involving your fellow employees is crucial to a policy’s success. Their involvement allows everyone to understand and support the company’s commitment to security.

2. True or false: It is a well-known fact that users circumvent security policies that are too restrictive. Explain your answer.

Answer: Absolutely true. The tighter you create your security policies, the harder it is for users to function effectively. Therefore, you must balance security and productivity.

3. What are three things that you should keep in mind when writing or reviewing a security policy?

Answer:

• Determine who gets access to each area of your network

• Determine what they can access and how

• Balance trust between people and resources

• Allow access based on the level of trust for users and resources

• Use resources to ensure that trust is not violated

4. Why is it important to include an enforcement section in every security policy?

Answer: The enforcement section defines the penalty for failure to follow the policy. Dismissal is typically the most severe penalty, but in a few cases, criminal prosecution should be listed as an option.

5. An Acceptable Use Policy defines what kind of expectations for users?

Answer: An AUP defines the systems that are to be used for business purposes that serve the interests of the company, our clients, and our customers.

6. When and under what circumstances should you reveal your password to someone?

Answer: No one in a company should ever ask for your password; in the event of a technical difficulty, the password will be reset. Never reveal your password to anyone and, if asked, report the request to corporate security immediately.

7. Which of the following sample passwords would be considered effective when checked against the corporate password policy?

a. wolfpack

b. thomas67

c. simonisnot4

d. sJ8Dtt&efs

e. Missing$4u

Answer: D is clearly the correct answer because it has all the proper characteristics of a secure password as outlined in the password policy.

8. Define VPN and the role it can play within a company’s network infrastructure.

Answer: A VPN is a network constructed using a public network such as the Internet to connect systems to a main site, typically the headquarters. VPNs use encryption mechanisms to protect data that is transmitted across the Internet. Additional protections are put in place to ensure that only authorized users or devices can connect via a VPN.

9. VPNs support a technology called split tunneling. Define this technology and explain whether it should be used in a network.

Answer: Split tunneling is a method of configuring a VPN, and it is either on or off. Essentially, if split tunneling is on, users are allowed to connect to the corporate network and the Internet simultaneously. This presents a danger to the corporate network’s security because if an attacker were to take control of the computer creating a VPN to the corporate network, the attacker could also gain access to the company’s network via the VPN.

10. How frequently should security policies be updated or reviewed?

Answer: Ensure that your policies are updated annually, if not sooner, to reflect the changes of the past year.

Chapter 3

1. What are the six security design concepts you should consider when looking at the security technologies for securing your network?

Answer: Layered security, controlling access, role specific security, user awareness, monitoring, and keeping systems patched.

2. What rule is always implicitly present at the end of every packet filter?

Answer: Deny all packets.

3. When a device is performing stateful packet inspection what characteristics in a packet’s header are inspected, and why are they important?

Answer: Firewalls perform stateful packet inspection and monitor the IP header information to track the status of a connection.

4. What are some limitations of stateful packet inspection?

Answer: SPI cannot inspect/track every type of packet; for example, ICMP and UDP are not stateful.

5. Define the differences between public and private IP addresses.

Answer: Private addresses are for internal, non-Internet use. Public addresses are those used on the Internet.

6. Compare and contrast the three different versions of NAT and identify which of them is the most commonly used.

Answer: Static, dynamic, and overloading. Refer to the bulleted list in the section, “Network Address Translation (NAT)” in Chapter 3 for a full comparison. Overloading is the most commonly used form of NAT.

7. What are the two types of proxy firewalls?

Answer: Standard and dynamic firewalls.

8. Why is content filtering so important to networking?

Answer: Content filtering protects a company by restricting harmful websites.

9. What is the potential value of PKI to securing a network and e-commerce?

Answer: Seamless global security.

10. AAA provides security for what aspect of a network?

Answer: Network devices.

11. Search the Internet and find three potential vendors that can offer an effective RADIUS solution. Describe what features about each are beneficial.

Answer: Cisco ACS and Funk Steel-Belted Radius are two vendor-specific RADIUS solutions.

Chapter 4

1. How long, in bits, is the DES key?

Answer: 56 bits.

2. In 3DES, the same key is used to encrypt at each of the three stages: True or false?

Answer: True.

3. Define a hash in your own words.

Answer: By way of an analogy, a hash is a grinder that takes something recognizable, like beef or pork, hashes it, and ends up with something unique that is based on the original. In this case, it is hamburger or sausage.

4. What is used to create a digital signature?

Answer: A hash.

5. Define authentication and provide an example.

Answer: Authentication is the process of identifying an individual or device based on the correct username/password combination.

6. Define authorization and provide an example.

Answer: Authorization defines what individuals are allowed to access once they have been authenticated.

7. A hash check occurs at what point in the operation of MD5?

Answer: When using a one-way hash operation like MD5, you can compare a calculated message digest against the received message digest to verify that the message has not been tampered with. This comparison is called a hash check.
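The hash check described in this answer, as an added example that is not from the book: the receiver recomputes the MD5 digest of the message it received and compares it with the digest that was sent alongside. The messages and the shared key are constructed sample values; the keyed (HMAC) variant is included as a caveat, because a plain digest only detects alteration if whoever altered the message could not also recompute the digest.

```python
import hashlib
import hmac

# Constructed sample messages (not from the book): a configuration line as sent
# and the same line after alteration in transit.
ORIGINAL_MESSAGE = b"set ntp server 192.0.2.10"
TAMPERED_MESSAGE = b"set ntp server 192.0.2.99"


def md5_digest(message: bytes) -> str:
    """Compute the MD5 message digest of a message, hex-encoded."""
    return hashlib.md5(message).hexdigest()


def hash_check(received_message: bytes, received_digest: str) -> bool:
    """The hash check: recompute the digest of what arrived and compare it with
    the digest that came with it. compare_digest keeps the comparison time
    independent of where the two strings first differ."""
    calculated = md5_digest(received_message)
    return hmac.compare_digest(calculated, received_digest)


def keyed_check(received_message: bytes, received_tag: str, key: bytes) -> bool:
    """Keyed variant (HMAC-MD5, shown because the chapter covers MD5): only a
    holder of the shared key can produce a tag that verifies, so a passing
    check also says something about origin, not just integrity."""
    expected = hmac.new(key, received_message, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, received_tag)


def demo() -> dict:
    """Run the checks on the constructed messages and report each outcome."""
    key = b"shared-secret-for-demo"  # constructed sample key
    sent_digest = md5_digest(ORIGINAL_MESSAGE)
    sent_tag = hmac.new(key, ORIGINAL_MESSAGE, hashlib.md5).hexdigest()
    return {
        # Unaltered message, digest matches.
        "intact": hash_check(ORIGINAL_MESSAGE, sent_digest),
        # Altered message, original digest: the hash check catches it.
        "tampered": hash_check(TAMPERED_MESSAGE, sent_digest),
        # Caveat: if the digest travels with the message, an alteration that
        # also recomputes the plain digest passes the check.
        "tampered_recomputed": hash_check(TAMPERED_MESSAGE, md5_digest(TAMPERED_MESSAGE)),
        # With a keyed tag the altered message fails without the key...
        "keyed_tampered": keyed_check(TAMPERED_MESSAGE, sent_tag, key),
        # ...and the unaltered message still verifies.
        "keyed_intact": keyed_check(ORIGINAL_MESSAGE, sent_tag, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'passes' if ok else 'fails'}")
```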

8. Of the security protocols covered in this chapter, which of them use generic routing encapsulation (GRE)?

Answer: PPTP and L2TP.

9. Describe several security benefits of L2TP.

Answer: Refer to the bulleted list in Chapter 4 under the “Benefits of L2TP” Section.

10. What are the three core SSH capabilities?

Answer: Secure command shell, secure file transfer, and secure port forwarding.

Chapter 5

1. Who needs a firewall?

Answer: Everyone connected to the Internet or with IT resources to protect needs a firewall. Depending on a router and ACLs is an incomplete solution in layering your network’s defense.

2. Why do I need a firewall?

Answer: A firewall provides protection for your network resources through technologies such as SPI, which is not possible with any other device.

3. Do I need a firewall?

Answer: Yes, yes, yes you need a firewall!

4. How is a firewall an extension of a security policy?

Answer: A firewall’s rules reflect the network security policy that your organization has as expressed in a written security policy.

5. What is the name of the table in a firewall that tracks connections?

Answer: State table.

6. What fundamental does a DMZ fulfill?

Answer: The DMZ protects Internet accessible servers and services.

7. What are four benefits of a DMZ?

Answer: Auditing of DMZ traffic, locating an Intrusion Detection System (IDS) on the DMZ, limiting routing updates between three interfaces, and locating DNS on the DMZ.

8. Can firewalls enforce password policies or prevent misuse of passwords by users?

Answer: No, they cannot.

Chapter 6

1. Because every company that connects to the Internet has a router, should you deploy security on those routers?

Answer: Definitely! You have the router and this book, and you need to protect your network; use the knowledge presented here to go out and start some packet screening at the router. Layered security is best!

2. What is the value of edge routers being used as choke points, and how effective can they be in increasing your network’s security?

Answer: The value of edge routers being configured as choke points is that they can prevent access to specific devices and applications in a performance-friendly way. This increase in security is typically provided through the use of standard and extended access control lists that can address traffic concerns at Layers 2, 3, and 4 of the OSI reference model.

3. What technology is at the heart of Cisco’s Firewall Feature Set IOS?

Answer: At the heart of Cisco’s Firewall Feature Set IOS is Context-Based Access Control (CBAC). CBAC is a stateful packet inspection engine that extends the router’s filtering capability to the application layer (Layer 7) of the OSI reference model.

4. How does the firewall feature set employ dynamic filtering of packets using ACLs?

Answer: CBAC allows return-path filtering for TCP, UDP, and ICMP that creates dynamic stateful entries based on the bidirectional communication sessions in the filtering of access lists when a conversation is first established. CBAC allows these to be created provided there are permit statements in extended access lists that are unique; this eliminates the need to leave any statically open ports. In other words, CBAC opens ports dynamically only when traffic matches an ACL. The ports that are opened dynamically are limited in lifespan (the duration of the conversation) and only to specific hosts, thus limiting the opportunity for external attacks.

5. Can the Cisco IOS IDS have multiple points of packet inspection?

Answer: Of course you can have multiple points of packet inspection in the form of ACLs. The only requirement of the FFS and CBAC is that the filtering must occur after the inspection. Having the FFS determine access based on conversation direction maintains the ability for the router to still function primarily as a router.

6. Temporary access control lists have timers associated with them. Define how they function based on protocol (ICMP, UDP, and TCP)?

Answer: ICMP and UDP sessions are removed based on configurable inactivity timers. TCP sessions are removed five seconds after the exchange of FIN packets. In the event of an RST packet, the session is terminated and corresponding ACL entries are removed immediately.

7. What is the difference between atomic and compound signatures?

Answer: Atomic signatures are concerned with attacks directed to single hosts, while compound signatures look at attacks that are directed to groups of machines.

8. What happens when an attacker uses chargen and echo together? How would you stop this from being able to occur in a Cisco router?

Answer: Pointing the “chargen” service at the “echo” service creates a loop that causes an enormous amount of traffic to be generated and eventually overwhelms the router’s CPU and RAM resources; therefore, this provides the makings of a very serious denial-of-service (DoS) attack. The easiest way to prevent this kind of attack is to disable these services on the router. The commands to do so are no tcp-small-servers, which disables echo, chargen, discard, and daytime; and no udp-small-servers, which disables echo, chargen, and discard.

Chapter 7

1. Is it possible to have unencrypted VPNs?

Answer: Yes; in that case, other protocols are used to handle the encryption.

2. What are the three types of VPNs?

Answer: Site-to-site, extranet, and remote.

3. Select three VPN features and benefits and explain how your organization can directly benefit from each.

Answer: VPNs are secure, encrypt traffic, and can be used to link sites securely over the Internet.

4. VPN Concentrators are designed for many users—explain how many and when they should be used.

Answer: VPN concentrators are built to handle the requirements of VPNs and are available in models that are suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

5. Does the VPN Client Software for PCs support Apple’s powerful new operating system, Mac OS X?

Answer: Yes.

6. When does split tunneling occur?

Answer: Split tunneling occurs when a remote VPN user or site is allowed to access a public network (the Internet) at the same time that he accesses the private VPN network, without placing the public network traffic inside the tunnel first.

7. In relation to a datastream, what role does authentication play in securing it?

Answer: Authentication establishes the integrity of the data stream and ensures that it is not tampered with in transit. It also provides confirmation about data stream origin.

8. When tunneling data in IPSec, what are the three protocols that play a role in the process?

Answer: GRE, IPSec, and ISAKMP.

9. In site-to-site VPNs, what are the two different encapsulating protocols and what are the differences between the two?

Answer: In site-to-site VPNs, the encapsulating protocol is usually IPSec or generic routing encapsulation (GRE). GRE includes information about what type of packet you are encapsulating and about the connection between the client and server. The difference depends on the level of security needed for the connection, with IPSec being more secure and GRE having greater functionality. IPSec can tunnel and encrypt IP packets, while GRE can tunnel IP and non-IP packets. When you need to send non-IP packets (such as IPX) over the tunnel, IPSec and GRE should be used together.

10. Name three of the benefits of IKE.

Answer:

• Eliminates the need to manually specify all the IPSec security parameters at both peers.

• Allows you to specify a lifetime for the IPSec SAs.

• Allows encryption keys to change during IPSec sessions.

• Allows IPSec to provide antireplay services.

• Enables CA support for a manageable, scalable IPSec implementation.

• Allows dynamic authentication of peers.

Chapter 8

1. How are the terms 802.11 and Wi-Fi used? In what ways are they different or similar?

Answer: These terms describe the IEEE wireless standard and are used interchangeably. Wi-Fi is the buzzword associated with the 802.11 standard.

2. What are the five benefits to organizations that would provide reasons for them to implement a wireless network?

Answer:

Attractive Price—Deploying a wireless LAN can be cheaper than a wired LAN because you do not need wires; just hook up an access point and it can provide service to multiple computers.

Mobility—Boost user productivity with the convenience of allowing them to wirelessly connect to the network from any point within range of an access point.

Rapid and Flexible Deployment—Quickly extend a wired network with the ease of attaching an access point to a high-speed network connection.

Application Agnostic—As an extension of the wired network, wireless LANs work with all existing applications.

Performance—Wireless LAN offers a high-speed connection that, while equal to Ethernet, is quickly passing it in speed.

3. WarDriving is the most common means of searching for wireless networks. What is needed to conduct a WarDrive, and why is it so useful for attackers?

Answer: Ideally, an attacker conducting a WarDrive would need a program to detect wireless networks, such as NetStumbler or MacStumbler, installed on a laptop. They can gain additional information through the use of a GPS device and an antenna.

4. What is one type of freely available wireless packet sniffers?

Answer: Ethereal.

5. Are wireless networks vulnerable to the same types of denial of service attacks as wired network? Are they vulnerable to any additional attacks that wired networks are not?

Answer: Yes, and they are also susceptible to attacks that interfere with radio signals, such as jamming, because wireless networks are based on radio signals.

6. What are the four types of EAP available for use?

Answer: Following are the four commonly used EAP methods in use today:

• EAP-MD5

• EAP-Cisco Wireless (also known as LEAP)

• EAP-TLS

• EAP-TTLS

Chapter 9

1. When and who were the first to develop a commercial IDS?

Answer: Late in the 1980s, members of the Haystack Project formed Haystack Labs as a commercial venture into developing host-based intrusion detection.

2. What are the two types of IDS, and should they be deployed together or separately?

Answer: In general, two basic forms of IDS are in use today: network-based and host-based IDS. Both types of sensors offer different techniques for detecting and deterring malicious activity, and both should be deployed in correlation to provide the most effective enhancement to a layered defense strategy.

3. Define and discuss NIDS and the how and where they are effective in a network.

Answer: Network-Based Intrusion Detection Sensors, or NIDSs, reside directly on the network and watch all traffic traversing the network. NIDSs are effective at both watching for inbound/outbound traffic flows and traffic between hosts on or between local network segments. NIDSs are typically deployed in front of and behind firewalls and VPN gateways to measure the effectiveness of those security devices, and to interact with them in order to add more depth to the security of your network.

4. Define and discuss HIDSs and the how and where they are effective in a network.

Answer: Host-Based Intrusion Detection Sensors, or HIDSs, are specialized software applications that are installed on a computer (typically a server) to watch all inbound and outbound communication traffic to and from that server and monitor the file system for changes. HIDSs are extremely effective on mission-critical, Internet-accessible application servers such as web or e-mail servers because they can watch the applications at their source to protect them.

5. When is anomaly detection the most effective and why?

Answer: Anomaly detection becomes most effective when coupled with protocol decoding, whereby the IDS knows what normal behavior is expected within certain protocols and responds if abnormal commands or requests are detected.

6. Which Intrusion Detection methodology also verifies application behavior?

Answer: Protocol analysis.

7. List and define each of the two techniques an IDS can employ to prevent an attack.

Answer:

Sniping—Allows the IDS to terminate a suspected attack through the use of a TCP reset packet or ICMP unreachable message.

Shunning—Allows the IDS to automatically configure your prescreening router or firewall to deny traffic based on what it has detected, thus shunning the connection.

8. List the three most important IDS limitations, in your opinion, and explain why you choose them.

Answer: Answer will spur classroom discussion.

9. Honeypots distract attackers from more valuable resources. True or false?

Answer: True.

Chapter 10

1. The freely available tool known as Ettercap can perform what four types of packet sniffing?

Answer: Ettercap can perform four methods of sniffing: IP, MAC, ARP, and Public ARP.

2. Define what a DDoS is and how it functions.

Answer: A distributed denial-of-service attack generates the false traffic from multiple hosts across the Internet. A distributed denial of service (DDoS) attack uses multiple computers throughout the network that it has previously infected with a DDoS Daemon (program); these computers are then known as zombie computers.

3. Identify and explain three reasons that can result in a back door exploit being present on a system.

Answer:

1. Deliberately placed by system developers to allow quick access during development and not turned off before release.

2. Placed by employees to facilitate performance of their duties because the “proper procedure” made them think that it made their jobs more difficult, so there must be a smarter and easier way. Users might not be as technical as your IT staff, and often they find back doors because they do not have a preconceived notion of how something should work.

3. Normal part of standard “default” operating system installs that have not been eliminated by “OS hardening,” such as retaining default user logon ID and password combinations. Again, here we see that vendors do not want technical support calls, so they make it as easy and open as possible. This means that your IT staff must review and harden every server.

4. Placed by disgruntled employees to allow access after termination. In many cases, an employee suspects that he is going to lose his job. This makes him feel angry and unappreciated, so he wants to ensure that he can strike back as needed when the time comes.

5. Created by the execution of malicious code, such as viruses or a Trojan horse that takes advantage of an operating system or application’s vulnerability.

4. Define the concept of firewalking.

Answer: Firewalking is a concept and tool that allows the attacker to send specially crafted packets through a firewall to determine what ports and services are permitted through the firewall. An attacker with this knowledge can hide his port scans and thus map your network through your firewall.

5. Where should an external penetration and vulnerability assessment be performed in your network?

Answer: External Penetration and Vulnerability Assessments are performed against your network at places where it interacts with the outside world.

6. When considering vulnerability scanners, why is a program’s ability to conduct an accurate scan crucial?

Answer: Scan and Detection Accuracy—Scans and reported vulnerabilities must be accurate with minimal false positives—defined as normal activity or configuration that the system mistakenly reports as malicious. The opposite also holds true, then; there can be no false negatives—defined as malicious activity that is not detected.
