Appendix A. Answers to Review Questions

Chapter 1

1. What is a target of opportunity?

Answer: A target of opportunity is one whose vulnerability an attacker happened to detect; the attacker decides to try an exploit because the target’s own weakness made it easy to find.

2. What is a target of choice?

Answer: A target of choice is one that the attackers have specifically chosen. Their reason is irrelevant; what matters is that the attackers have made a mental commitment to that particular target.

3. What is the purpose of footprinting?

Answer: Footprinting is the process attackers take to understand a target’s network and associated systems. This is a continuous process used throughout all planned attacks, and in which attackers want to gain as much information about the target as possible.

4. Which of the following are ways by which an attacker can gain access?

a. Operating system attacks

b. Application attacks

c. Misconfiguration attacks

d. Script attacks

e. All the above

Answer: E. All the above

5. List four network security organizations.

Answer: CERT

SANS

SCORE

Security Focus

ICAT

Center for Internet Security

6. Briefly explain why it is important for attackers to cover their tracks.

Answer: Presuming that attackers have compromised a system, the ability to remove the forensic evidence of their actions (in other words, cover their tracks) enables the attackers to use the compromised system at their leisure if the system administrators never know they have been compromised.

7. Social engineering can be damaging without an overt attack happening. Explain why.

Answer: Social engineering tricks a person into believing that the attacker is someone else, someone entitled to sensitive information. Because the victim hands over credentials or confidential data voluntarily, no technical vulnerability has to be exploited and no overt attack ever shows up in the logs.

8. What kind of information might be found if an attacker dumpster dives at your place of work?

Answer: Perhaps there might be financial reports, customer lists, human resource information, or other sensitive data. The point here is to never simply throw out information that might have value.

9. DNS information gained through WHOIS is used for what kind of reconnaissance?

Answer: WHOIS information is used for passive reconnaissance.

10. What two free reconnaissance tools are available with most versions of the Windows operating system?

Answer: Nbtstat and net view.

Chapter 2

1. How important is it to involve other departments and employees in the crafting of security policies?

Answer: Involving your fellow employees is crucial to a policy’s success. Their involvement allows everyone to understand and support the company’s commitment to security.

2. True or false: It is a well-known fact that users circumvent security policies that are too restrictive. Explain your answer.

Answer: Absolutely true. The tighter you create your security policies, the harder it is for users to function effectively. Therefore, you must balance security and productivity.

3. What are three things you should keep in mind when writing or reviewing a security policy?

Answer:

Determine who gets access to each area of your network.

Determine what they can access and how.

Balance trust between people and resources.

Allow access based on the level of trust for users and resources.

Use resources to ensure that trust is not violated.

4. Why is it important to include an enforcement section in every security policy?

Answer: The enforcement section defines the penalty for failure to follow the policy. Dismissal is typically the most severe penalty, but in a few cases, criminal prosecution should be listed as an option.

5. An Acceptable Use Policy defines what kind of expectations for users?

Answer: An AUP defines the systems to be used for business purposes that serve the interests of the company, your clients, and your customers.

6. When and under what circumstances should you reveal your password to someone?

Answer: No one in a company should ever ask for your password; if a technical difficulty occurs, the password will be reset. Never reveal your password to anyone and, if asked, immediately report the request to corporate security.

7. Which of the following sample passwords would be considered effective when checked against the corporate password policy?

a. wolfpack

b. thomas67

c. simonisnot4

d. sJ8Dtt&efs

e. Missing$4u

Answer: D is clearly the correct answer because it has all the proper characteristics of a secure password as outlined in the password policy: adequate length, a mix of uppercase, lowercase, digits, and symbols, and no dictionary word. E mixes character classes but is built on the dictionary word “Missing”; A, B, and C are dictionary words or names with at most a digit appended.
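To make the check in this answer repeatable rather than a judgment call, the following added example (not code from the book) scores each candidate against an assumed policy: at least 8 characters, at least three of the four character classes, and no dictionary word of four or more letters. The word list is constructed for the example; a real deployment would load a full dictionary plus local names and product terms.

```python
import re

# Assumed policy thresholds for this example (not the book's own policy text).
MIN_LENGTH = 8
MIN_CLASSES = 3
# Constructed word list for the demonstration; a real check loads a full dictionary.
DICTIONARY = {"wolf", "pack", "wolfpack", "thomas", "simon", "missing", "password"}

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(pw: str) -> set:
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}


def dictionary_words(pw: str, min_len: int = 4) -> list:
    """Return dictionary words found as case-insensitive substrings of the password."""
    lowered = pw.lower()
    return sorted(w for w in DICTIONARY if len(w) >= min_len and w in lowered)


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es): {sorted(classes)}")
    words = dictionary_words(pw)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


# The five candidates from the review question.
CANDIDATES = ["wolfpack", "thomas67", "simonisnot4", "sJ8Dtt&efs", "Missing$4u"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        verdict = check_password(pw)
        print(f"{pw:12} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Only sJ8Dtt&efs passes; Missing$4u satisfies the class rule but fails on the embedded dictionary word, which is exactly the case a class-only check misses.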

8. Define VPN and the role it can play within a company’s network infrastructure.

Answer: A virtual private network (VPN) is a private network constructed over a public network such as the Internet to connect remote systems or sites to a main site, typically the headquarters. VPNs use encryption mechanisms to protect data transmitted across the Internet, and additional authentication controls are put in place to ensure that only authorized users or devices can connect via the VPN.

9. VPNs support a technology called split-tunneling. Define this technology and explain whether it should be used in a network.

Answer: Split-tunneling is a VPN configuration option, and it is either on or off. If split-tunneling is on, users can reach the corporate network through the tunnel and the Internet directly at the same time. This presents a danger to the corporate network’s security: if an attacker takes control of the remote computer through its direct Internet connection, the attacker can also reach the company’s network through the VPN. It should normally be left off unless there is a specific, accepted need for it.

10. How frequently should security policies be updated or reviewed?

Answer: Ensure that your policies are updated annually, if not sooner, to reflect the changes of the past year.

Chapter 3

In lieu of review questions, Chapter 3, “Processes and Procedures,” provides a list of references including checklists, best practice links, security websites, and the like that are useful for those implementing network security. Refer to the end of Chapter 3 for more information.

Chapter 4

In lieu of review questions, Chapter 4, “Network Security Standards and Guidelines,” provides a comprehensive list of websites from Cisco, the NSA, and Microsoft related to network security standards and guidelines. Refer to the end of Chapter 4 for more information.

Chapter 5

1. What are the six security design concepts you should consider when looking at the security technologies for securing your network?

Answer: Layered security, controlling access, role-specific security, user awareness, monitoring, and keeping systems patched.

2. What rule is always implicitly present at the end of every packet filter?

Answer: Deny all packets.

3. When a device performs a stateful packet inspection, what characteristics in a packet’s header are inspected, and why are they important?

Answer: A firewall performing stateful packet inspection records, in a state table, each connection’s source and destination IP addresses and protocol from the IP header and the source and destination ports (plus, for TCP, the flags and sequence numbers) from the transport header. These fields are important because they let the firewall distinguish a legitimate reply to a session initiated from inside from an unsolicited inbound packet, which it denies.

4. What are some limitations of a stateful packet inspection?

Answer: SPI cannot inspect or track every type of packet in the same way; for example, ICMP and UDP are connectionless and carry no session state, so the firewall can only approximate a session for them with inactivity timers. SPI also examines headers rather than payload, so it does not detect attacks carried inside application data.

5. Define the differences between public and private IP addresses.

Answer: Private addresses are for internal, non-Internet use. Public addresses are those used on the Internet.

6. Compare and contrast the three different version of NAT, and identify which of them is the most commonly used.

Answer: Static (a fixed one-to-one mapping between an inside and an outside address), dynamic (inside addresses are mapped one-to-one to addresses from a pool as needed), and overloading (many inside addresses share a single outside address, distinguished by the translated source port; also called PAT). Refer to the bulleted list in the section “Network Address Translation (NAT)” in Chapter 5 for a full comparison. Overloading is the most commonly used form of NAT.
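As an added example (not code from the book), the following Python simulates NAT overloading: two inside hosts using the same source port are translated to one public address with distinct public ports, replies are mapped back through the table, and an inbound packet with no table entry is dropped. The addresses are from the documentation ranges and are constructed for the example; the translator is a minimal model and does not age out entries.

```python
import itertools
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # assumed public address of the NAT router (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTranslator:
    """Port Address Translation (NAT overloading): many inside addresses share one
    public address; the translated source port tells the replies apart."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.outbound = {}   # (inside_ip, inside_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside-originated packet to the public address/port."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound:            # first packet from this inside socket
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply; None means no entry exists and the packet is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


if __name__ == "__main__":
    nat = PatTranslator(PUBLIC_IP)
    a = nat.translate_outbound(Packet("10.0.0.5", 40000, "198.51.100.1", 80))
    b = nat.translate_outbound(Packet("10.0.0.6", 40000, "198.51.100.1", 80))
    print("host A appears as", a.src_ip, a.src_port)
    print("host B appears as", b.src_ip, b.src_port)
    print("reply to A  ->", nat.translate_inbound(Packet("198.51.100.1", 80, PUBLIC_IP, a.src_port)))
    print("unsolicited ->", nat.translate_inbound(Packet("198.51.100.1", 80, PUBLIC_IP, 2000)))
```

The last line shows the side effect that makes overloading look like a security control: with no translation entry, an unsolicited inbound packet has nowhere to go. That is an accident of the table, not a substitute for a firewall.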

7. What are the two types of proxy firewalls?

Answer: Standard and dynamic firewalls.

8. Why is content filtering so important to networking?

Answer: Content filtering protects a company by restricting harmful websites.

9. What is the potential value of PKI to securing a network and e-commerce?

Answer: Seamless global security. A PKI binds identities to public keys through certificates issued by a trusted certificate authority, so parties that have never shared a secret can authenticate each other and set up encrypted sessions, whether they are two gateways forming a VPN or a browser and an e-commerce site.

10. AAA provides security for what aspect of a network?

Answer: Network devices.

11. Search the Internet and find three potential vendors that can offer an effective RADIUS solution. Describe what features about each are beneficial.

Answer: Cisco ACS (Access Control Server) and Funk Steel-Belted Radius are two vendor-specific RADIUS solutions; FreeRADIUS is a widely deployed open-source alternative.

Chapter 6

1. How long, in bits, is the DES key?

Answer: 56 bits. (A DES key is written as 64 bits, but 8 of those are parity bits, leaving 56 bits of effective key.)

2. True or false: In 3DES, the same key is used to encrypt at each of the three stages.

Answer: False. 3DES runs DES three times in encrypt-decrypt-encrypt (EDE) order with either three independent keys (K1, K2, K3) or two keys (K1 = K3). If the same key were used at all three stages, the middle decryption would undo the first encryption and the result would be plain single DES with a 56-bit key; that degenerate keying option exists only for backward compatibility with DES.

3. Define a hash in your own words.

Answer: By way of an analogy, a hash is a grinder that takes something recognizable, such as beef or pork, hashes it, and ends up with something unique that is based on the original. In this case, it is hamburger or sausage, and you cannot get the original back out. Formally, a hash function takes input of any length and produces a fixed-length digest that is easy to compute but infeasible to reverse or to reproduce from a different input.

4. What creates a digital signature?

Answer: A hash of the message, encrypted (signed) with the signer’s private key. Anyone holding the signer’s public key can decrypt the signature, recompute the hash over the received message, and compare the two; a match proves both that the message was not altered and that it came from the holder of the private key.

5. Define authentication and provide an example.

Answer: Authentication is the process of verifying the claimed identity of an individual or device. An example is a user proving identity with the correct username/password combination, or a VPN peer proving its identity with a pre-shared key or certificate.

6. Define authorization and provide an example.

Answer: Authorization defines what an already authenticated individual or device is allowed to access and do. An example: after a user logs in, authorization determines that he can read files on the finance share but not modify them, or that a network operator can view a router’s configuration but not change it.

7. A hash check occurs at what point in the operation of MD5?

Answer: When using a one-way hash operation such as MD5, you can compare a calculated message digest against the received message digest to verify that the message has not been tampered with. This comparison is called a hash check.

8. Of the security protocols covered in this chapter, which of them use generic routing encapsulation (GRE)?

Answer: PPTP. PPTP carries its tunneled PPP frames inside GRE (IP protocol 47) and uses TCP port 1723 for its control channel. L2TP does not use GRE; it encapsulates PPP frames in UDP (port 1701), which is one reason it is commonly paired with IPsec for protection.

9. Describe several security benefits of L2TP.

Answer: Refer to the bulleted list in Chapter 4 in the “Benefits of L2TP” section.

10. What are the three core SSH capabilities?

Answer: Secure command shell, secure file transfer, and secure port forwarding.

Chapter 7

1. Who needs a firewall?

Answer: Everyone connected to the Internet or with IT resources to protect needs a firewall. Depending on a router and ACLs is an incomplete solution in layering your network’s defense.

2. Why do I need a firewall?

Answer: A firewall provides protection for your network resources through technologies such as SPI, tracking every session in a state table at a depth that a router running packet-filtering ACLs alone does not provide.

3. Do I need a firewall?

Answer: Yes, yes, yes; you need a firewall!

4. How is a firewall an extension of a security policy?

Answer: A firewall’s rules reflect the network security policy that your organization has expressed in a written security policy.

5. What is the name of the table in a firewall that tracks connections?

Answer: State table.

6. What fundamental does a DMZ fulfill?

Answer: The DMZ protects Internet-accessible servers and services.

7. What are four benefits of a DMZ?

Answer: Auditing of DMZ traffic, locating an intrusion detection system (IDS) on the DMZ, limiting routing updates between three interfaces, and locating DNS on the DMZ.

8. Can firewalls enforce password policies or prevent misuse of passwords by users?

Answer: No, they cannot.

9. Do firewalls guarantee that your network will be protected?

Answer: Firewalls do not provide any sort of guarantee that your network will be protected; they are a tool for your use in building the layers of defense and protection needed.

10. Are all firewalls created equal?

Answer: No, not all firewalls are created equal; they differ in architecture, performance, and the depth of inspection they perform. It behooves you to understand the role and responsibility the firewall will have in your network before making a purchasing decision.

Chapter 8

1. Because every company that connects to the Internet has a router, should you deploy security on those routers?

Answer: Definitely! You have the router and this book, and you need to protect your network; use the knowledge presented here to go out and start some packet screening at the router. Layered security is best!

2. What is the value of edge routers being used as choke points, and how effective can they be in increasing your network’s security?

Answer: The value of edge routers being configured as choke points is that they can prevent access to specific devices and applications in a performance-friendly way. This increase in security is typically provided through standard and extended access control lists: a standard ACL filters on the source IP address alone (Layer 3), whereas an extended ACL also matches destination address, protocol, and source and destination ports (Layers 3 and 4 of the OSI reference model).

3. Which four features from classic IOS Firewall features have been implemented in the Zone Based Policy Firewall?

Answer: Stateful packet inspection

VRF-aware Cisco IOS Firewall

URL filtering

Denial-of-service (DoS) mitigation

4. What are the two major changes to the way you configure IOS Firewall Inspection, compared to the Cisco IOS Class Firewall?

Answer: Introduction of the zone-based configuration or architecture and a new configuration policy language referred to as Cisco Policy Language (CPL).

5. Can the Cisco IOS IDS have multiple points of packet inspection?

Answer: Of course, you can have multiple points of packet inspection in the form of ACLs. The only requirement of the FFS and CBAC is that the filtering must occur after the inspection. Having the FFS determine access based on conversation direction maintains the capability for the router to still function primarily as a router.

6. Temporary access control lists have timers associated with them. Define how they function based on protocol (ICMP, UDP, and TCP).

Answer: ICMP and UDP sessions are removed based on configurable inactivity timers. TCP sessions are removed 5 seconds after the exchange of FIN packets. If an RST (reset) packet appears, the session is terminated and corresponding ACL entries are immediately removed.
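The state-table behaviour described in Chapter 5 (questions 3 and 4), Chapter 7 (question 5) and this answer is shown end to end in the following added example, which is not code from the book or from Cisco. It models a stateful filter that permits inside-originated traffic, admits only replies that match a table entry, removes TCP entries immediately on RST and 5 seconds after both FINs, and ages UDP and ICMP entries out on inactivity timers. The timer values, address prefix and packets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed timers in seconds; the inactivity timers are configurable on a real device.
UDP_IDLE_TIMEOUT = 30.0
ICMP_IDLE_TIMEOUT = 10.0
TCP_IDLE_TIMEOUT = 3600.0
TCP_FIN_LINGER = 5.0          # entry removed 5 s after the FIN exchange


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int                      # for ICMP echo: the identifier, used in both port fields
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP only: subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Session:
    last_seen: float
    fin_from: set = field(default_factory=set)     # endpoints that have sent FIN
    fin_complete_at: Optional[float] = None


class StatefulFilter:
    """Permits inside-originated traffic and only those replies that match an entry
    in the state table; unsolicited inbound packets are denied."""

    def __init__(self, inside_prefix: str = "10.0.0."):
        self.inside_prefix = inside_prefix   # assumed inside address range
        self.table = {}                      # key -> Session

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Order the endpoints so a request and its reply map to the same entry.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def _expire(self, now: float) -> None:
        idle = {"udp": UDP_IDLE_TIMEOUT, "icmp": ICMP_IDLE_TIMEOUT, "tcp": TCP_IDLE_TIMEOUT}
        for key, s in list(self.table.items()):
            if s.fin_complete_at is not None and now >= s.fin_complete_at + TCP_FIN_LINGER:
                del self.table[key]          # FIN exchange seen, linger time is over
            elif now - s.last_seen >= idle[key[0]]:
                del self.table[key]          # inactivity timer expired

    def process(self, pkt: Packet, now: float) -> str:
        """Return 'permit' or 'deny' for the packet and update the state table."""
        self._expire(now)
        key = self._key(pkt)
        outbound = pkt.src.startswith(self.inside_prefix)
        session = self.table.get(key)

        if session is None:
            if not outbound:
                return "deny"                # no dynamic entry for this inbound packet
            session = self.table[key] = Session(last_seen=now)
        session.last_seen = now

        if pkt.proto == "tcp":
            if "RST" in pkt.flags:           # reset: tear the entry down immediately
                del self.table[key]
            elif "FIN" in pkt.flags:
                session.fin_from.add((pkt.src, pkt.sport))
                if len(session.fin_from) == 2 and session.fin_complete_at is None:
                    session.fin_complete_at = now
        return "permit"

    def active_sessions(self) -> int:
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFilter()
    SYN = frozenset({"SYN"})
    print(fw.process(Packet("tcp", "10.0.0.5", 40000, "198.51.100.1", 80, SYN), 0.0))        # permit
    print(fw.process(Packet("tcp", "198.51.100.1", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})), 0.1))  # permit
    print(fw.process(Packet("tcp", "198.51.100.9", 1234, "10.0.0.5", 22, SYN), 1.0))        # deny
```

The ICMP and UDP entries are the "approximate sessions" the Chapter 5 answer warns about: the filter cannot see a handshake or a close for them, so only the idle timer ever removes them, which is why those timers should be kept short.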

7. What is the difference between atomic and compound signatures?

Answer: Atomic signatures fire on a single packet or event, such as an attempt to reach a specific port on a specific host, and need no state. Compound signatures must track a sequence of packets or events, such as a scan that touches a group of machines over a period of time, and therefore keep state between packets.

8. What happens when an attacker uses chargen and echo together? How would you stop this from occurring in a Cisco router?

Answer: Pointing the chargen service at the echo service creates a loop that causes an enormous amount of traffic to be generated and eventually overwhelms the router’s CPU and RAM resources; therefore, this provides the makings of a serious denial-of-service attack (DoS). The easiest way to prevent this kind of attack is to disable these services on the router.

The commands to do so are no service tcp-small-servers, which disables the TCP echo, chargen, discard, and daytime services, and no service udp-small-servers, which disables the UDP echo, chargen, and discard services.

Chapter 9

1. Can you have unencrypted VPNs?

Answer: Yes. A tunnel such as plain GRE or L2TP provides encapsulation but no confidentiality; if the traffic must be protected, another protocol, such as IPsec, has to be layered on to handle the encryption.

2. What are the three types of VPNs?

Answer: Site-to-site, extranet, and remote.

3. Select three VPN features and benefits, and explain how your organization can directly benefit from each.

Answer: Examples include confidentiality (traffic is encrypted, so it can cross the Internet without being read), integrity and origin authentication (the receiving site knows the data came from the expected peer and was not altered in transit), and cost (sites are linked securely over existing Internet connections instead of dedicated leased lines).

4. VPN concentrators are designed for many users—explain how many and when you should use them.

Answer: VPN concentrators are built to handle the requirements of VPNs and are available in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

5. Does the VPN Client Software for PCs support Apple’s powerful new operating system, Mac OS X?

Answer: Yes.

6. When does split-tunneling occur?

Answer: Split-tunneling occurs when remote VPN users or sites are allowed to access a public network (the Internet) at the same time that they access the private VPN network, without placing the public network traffic inside the tunnel first.

7. In relation to a data stream, what role does authentication play in securing it?

Answer: Authentication establishes the integrity of the data stream and ensures that it is not tampered with in transit. It also provides confirmation about the data stream origin.

8. When tunneling data in IPsec, what are the three protocols that play a role in process?

Answer: GRE, IPSec, and ISAKMP.

9. In site-to-site VPNs, what are the two different encapsulating protocols and what are the differences between them?

Answer: In site-to-site VPNs, the encapsulating protocol is usually IPsec or generic routing encapsulation (GRE). GRE includes information about what type of packet you encapsulate and about the connection between the endpoints. The difference depends on the level of security needed for the connection: IPsec provides encryption and authentication, whereas GRE provides encapsulation only, with no confidentiality, but greater functionality. IPsec can tunnel and encrypt IP packets, whereas GRE can tunnel IP and non-IP packets. When you need to send non-IP packets (such as IPX) or routing protocol multicasts over the tunnel securely, use IPsec and GRE together.

10. Name three of the benefits of IKE.

Answer: Eliminates the need to manually specify all the IPsec security parameters at both peers.

Enables you to specify a lifetime for the IPsec SAs.

Enables encryption keys to change during IPsec sessions.

Enables IPsec to provide antireplay services.

Enables CA support for a manageable, scalable IPsec implementation.

Enables dynamic authentication of peers.

11. What is one important difference between SSL and AnyConnect VPNs?

Answer: Both are SSL VPNs terminated on the ASA. The clientless SSL VPN is reached from a browser over HTTPS with no software installed, and the ASA proxies access to selected internal applications. AnyConnect is a client that lives on the ASA and downloads to your Mac or PC, where it builds a full network-layer tunnel so that any application can use the connection.

Chapter 10

1. How are the terms 802.11 and Wi-Fi used? In what ways are they different or similar?

Answer: 802.11 is the IEEE wireless LAN standard; Wi-Fi is the Wi-Fi Alliance’s certification mark for interoperable 802.11 products. In practice the terms are used interchangeably, and Wi-Fi is the buzzword associated with the 802.11 standard.

2. What are the five benefits to organizations that would provide reasons for them to implement a wireless network?

Answer: Attractive price: Deploying a wireless LAN can be cheaper than a wired LAN because you do not need wires; just hook up an access point and it can provide service to multiple computers.

Mobility: Boost user productivity with the convenience of allowing them to wirelessly connect to the network from any point within range of an access point.

Rapid and flexible deployment: Quickly extend a wired network with the ease of attaching an access point to a high-speed network connection.

Application-agnostic: As an extension of the wired network, wireless LANs work with all existing applications.

Performance: Wireless LANs offer a high-speed connection that rivals wired Ethernet for typical office use, and each new generation of the standard raises the available data rate.

3. Wardriving is the most common means of searching for wireless networks. What is needed to conduct a wardrive, and why is it so useful for attackers?

Answer: Ideally, attackers conducting a wardrive need a program that detects wireless networks, such as NetStumbler or MacStumbler, installed on a laptop. They can gain additional information through the use of a GPS receiver (to map access points to locations) and an external antenna (to extend range).

4. What is one type of freely available wireless packet sniffer?

Answer: Ethereal (now Wireshark).

5. Are wireless networks vulnerable to the same types of denial-of-service attacks as wired networks? Are they vulnerable to any additional attacks that wired networks are not?

Answer: Yes, and they are also susceptible to attacks that interfere with radio signals, such as jamming, because wireless networks are based on radio signals.

6. What are the four types of EAP available for use?

Answer: Following are the four commonly used EAP methods in use today: EAP-MD5, EAP-Cisco Wireless (also known as LEAP), EAP-TLS, and EAP-TTLS.

Chapter 11

1. When and who were the first to develop a commercial IDS?

Answer: Late in the 1980s, members of the Haystack Project formed Haystack Labs as a commercial venture into developing host-based intrusion detection.

2. What are the two types of IDSs, and should they be deployed together or separately?

Answer: In general, two basic forms of IDSs are in use today: network-based and host-based IDSs. Both types of sensors offer different techniques for detecting and deterring malicious activity, and both should be deployed together, with their alerts correlated, to provide the most effective enhancement to a layered defense strategy.

3. Define and discuss NIDS and how and where they are effective in a network.

Answer: Network-based intrusion detection sensors, or NIDSs, reside directly on the network and watch all traffic traversing the network. NIDSs are effective at both watching for inbound or outbound traffic flows and traffic between hosts on or between local network segments. NIDSs are typically deployed in front of and behind firewalls and VPN gateways to measure the effectiveness of those security devices, and to interact with them to add more depth to the security of your network.

4. Define and discuss HIDSs and how and where they are effective in a network.

Answer: Host-based intrusion detection sensors, or HIDSs, are specialized software applications installed on a computer (typically a server) to watch all inbound and outbound communication traffic to and from that server and monitor the file system for changes. HIDSs are extremely effective on mission-critical, Internet-accessible application servers such as web or email servers because they can watch the applications at the source to protect them.

5. When is anomaly detection the most effective, and why?

Answer: Anomaly detection becomes most effective when coupled with protocol decoding, whereby the IDS knows what normal behavior is expected within certain protocols and responds if abnormal commands or requests are detected.

6. Which intrusion detection methodology also verifies application behavior?

Answer: Protocol analysis.

7. List and define each of the two techniques an IDS can employ to prevent an attack.

Answer: Sniping: Enables the IDS to terminate a suspected attack through the use of a TCP reset packet or ICMP unreachable message.

Shunning: Enables the IDS to automatically configure your prescreening router or firewall to deny traffic based on what it has detected, thus shunning the connection.

8. List the three most important IDS limitations, in your opinion, and explain why you choose them.

Answer: Answer will spur classroom discussion. Some items are

1. Complexity of implementation (HIDS versus NIDS)

2. Attack patterns and signature updates

3. False positives

9. True or false: Honeypots distract attackers from more valuable resources.

Answer: True.

Chapter 12

1. What is the difference between a Man-in-the-Middle attack and a denial-of-service attack?

Answer: Essentially, these attacks differ in two ways: maliciousness and results. A denial-of-service (DoS) attack occurs when an attacker sends multiple service requests to the victim’s computer until they eventually overwhelm the system, causing it to freeze, reboot, and ultimately not be able to carry out regular tasks. A Man-in-the-Middle (MitM) attack occurs when intruders inject themselves into an ongoing dialog between two computers so that they can intercept and read messages being passed back and forth.

2. Define what a DDoS is and how it functions. How is that different from a standard DoS attack?

Answer: The quantity of devices sending the attack. Both are DoS attacks and use the same weapons against you (ICMP flood, SYN flood, teardrop attacks, and so on), but the Distributed Denial-of-Service (DDoS) attack uses multiple systems to flood the bandwidth or resources of a targeted system, typically one or more web servers. These attacking systems are compromised by attackers using a variety of methods. Typically, a DDoS attack starts with someone downloading a Trojan onto one system in your network; that Trojan installs an agent that then replicates and installs agents on multiple machines within your network, effectively giving the attacker a botnet within your organization.

3. Name some common DoS attacks.

Answer: ICMP flood (smurf attack, ping flood, and ping of death), SYN flood, and teardrop attacks.

4. Identify and explain three reasons that can result in a back door exploit being present on a system.

Answer:

1. Deliberately placed by system developers to allow quick access during development and not turned off before release.

2. Placed by employees to facilitate performance of their duties because the “proper procedure” made them think that it made their jobs more difficult, so there must be a smarter and easier way. Users might not be as technical as your IT staff, and often they find back doors because they do not have a preconceived notion of how something should work.

3. Normal part of standard default operating system installs that have not been eliminated by OS hardening, such as retaining default user logon ID and password combinations. Again, here you see that vendors do not want technical support calls, so they make it as easy and open as possible. This means that your IT staff must review and harden every server.

4. Placed by disgruntled employees to allow access after termination. In many cases, an employee suspects that he is going to lose his job. This makes him feel angry and unappreciated, so he wants to ensure that he can strike back as needed when the time comes.

5. Created by the execution of malicious code, such as viruses or a Trojan horse that takes advantage of an operating system or application’s vulnerability.

5. Define the concept of firewalking.

Answer: Firewalking is a concept and tool that enables the attacker to send specially crafted packets through a firewall to determine what ports and services are permitted through the firewall. Attackers with this knowledge can make their port scans hidden and thus map your network through your firewall.

6. Where should an external penetration and vulnerability assessment be performed in your network?

Answer: External penetration and vulnerability assessments are performed against your network at places where it interacts with the outside world.

7. When considering vulnerability scanners, why is a program’s capability to conduct an accurate scan crucial?

Answer: Scan and detection accuracy. Scans and reported vulnerabilities must be accurate, with minimal false positives (normal activity or a legitimate configuration that the scanner mistakenly reports as a vulnerability). The opposite also holds: false negatives (real vulnerabilities that the scanner fails to report) must be minimized as well, because an unreported weakness is one you will not fix.
