Understanding Network Security

  • A firewall is a system that is designed to protect a computer or a computer network from network-based attacks. A firewall does this by filtering the data packets traversing the network.
  • Firewalls based on packet filtering inspect the data packets as they attempt to traverse the firewall and allow or deny them based on rudimentary rules, such as permitting all outbound traffic while denying all inbound traffic, or blocking specific protocols, like telnet or FTP, from passing through the router.
  • Instead of analyzing each individual packet, a circuit-level firewall monitors TCP/IP sessions by monitoring the TCP handshaking between packets to validate the session. 
  • Application-level firewalls (also known as proxy servers) work by performing a deep inspection of application data as it traverses the firewall. Rules are set based on analyzing client requests and application responses, then enforcing correct application behavior. 
  • Stateful multi-level firewalls are designed to provide the best features of both packet-filtering and application-level firewalls.
  • Virtual LANs (VLANs) were developed as an alternate solution to deploying multiple routers. VLANs are logical network segments used to create separate broadcast domains, but still allow the devices on the VLANs to communicate at Layer 2, without requiring a router. 
  • Intrusion detection systems (IDS) are designed to detect unauthorized user activities, attacks, and network compromises. 
  • An intrusion prevention system (IPS) is very similar to an IDS, except that, in addition to detecting and alerting, an IPS can also take action to prevent a breach from occurring.
  • Honeypots, honeynets, and padded cells are complementary technologies to IDS/IPS deployments. A honeypot is a trap for hackers.
  • A DMZ is a firewall configuration used to secure hosts on a network segment. In most DMZs, the hosts on the DMZ are connected behind a firewall which is also connected to a public network like the internet.
  • Network Address Translation (NAT) is a technique used to modify the network address information of a host while traffic is traversing a router or firewall. This technique is used to hide the network information of a private network while allowing traffic to be transferred across a public network like the internet.
  • DNS Security Extensions (DNSSEC) adds security provisions to DNS so that computers can verify that they have been directed to proper servers.
  • Protocol spoofing is the misuse of a network protocol to perpetrate a hoax on a host or a network device. 
  • The denial-of-service (DoS) attack floods the network being attacked with overwhelming amounts of traffic, shutting down the network infrastructure like a router or firewall. 
  • A man-in-the-middle attack is a type of attack where the attacker breaks into the communication between the endpoints of a network connection. Once the attacker has broken into the communication stream, he can intercept data being transferred, or even inject false information into the data stream. 
  • Backdoor attacks are attacks against an opening left in a functional piece of software that allows access to a system or software application without the owner’s knowledge. 
  • A DNS poisoning attack is an attack against the cached information on a DNS server.
  • A replay attack occurs when an attacker is able to capture an intact data stream from the network using a network sniffer, modify certain components of the data stream, and then replay the traffic back to the network to complete their attack. 
  • A buffer overflow attack exploits poorly written code by injecting data into variable fields and leveraging the response to access information in the application. 
  • SQL injection attacks are one of the oldest attacks against web applications using the SQL Server database application. 
  • A wireless LAN (WLAN) allows users to connect to a network while allowing them to remain mobile. 
  • The SSID (Service Set Identifier) is the name for the WLAN. A connecting host must know the SSID to connect. 
  • WEP (Wired Equivalent Privacy) is an older wireless encryption protocol, which rapidly fell out of favor when a flaw with the encryption mechanism was found.
  • WPA (Wi-Fi Protected Access) was designed as the interim successor to WEP. 
  • WPA2 (Wi-Fi Protected Access version 2) is the standards-based version of WPA, except WPA2 implements all the IEEE 802.11i standards. 
  • A MAC address is the unique hardware address of a network adapter. 
  • By turning MAC filtering on, network access can be limited to only permitted systems by entering the MAC address information into the MAC filters.

Multiple Choice 

Select the correct answer(s) for each of the following questions. 


1. Which of the following should be considered when deciding whether to use a software or hardware firewall? (Choose all that apply.) 
  1. Host operating system 
  2. Application conflicts 
  3. Operating system version 
  4. Firewall service efficiency 
  5. Stability 

(a), (b), (e)

A firewall is a security device — computer hardware or software — that can help protect your network by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on your computer.


2. Which of the following are layers of the OSI model? (Choose all that apply.) 
  1. Physical 
  2. Control 
  3. Application 
  4. Network 
  5. Encryption 

(a), (c), (d)

  • Physical Layer
  • Data Link Layer
  • Network Layer
  • Transport Layer
  • Session Layer
  • Presentation Layer
  • Application Layer

3. Routing occurs at which layer of the OSI model? 
  1. Physical 
  2. Data-link 
  3. Transport 
  4. Session 
  5. Network

(e)

Layer 3, the network layer, is most commonly known as the layer where routing takes place.


4. Which of the following are valid firewall types? (Choose all that apply.) 
  1. Virtual 
  2. Network 
  3. Packet filtering 
  4. IPsec 
  5. Application 

(c), (e)

Four Types of Firewalls

  • Packet filtering firewalls. Packet filtering firewalls are the oldest, most basic type of firewalls.
  • Circuit-level gateways.
  • Stateful inspection firewalls.
  • Application-level gateways (proxy firewalls)

5. Which of the following are typically examined by a stateful inspection firewall? (Choose all that apply.) 
  1. IP address of the sending host 
  2. IP address of the receiving host 
  3. IP address of the router 
  4. Data packet type 
  5. Data packet size 

(a), (b), (d)

A stateful firewall examines packet headers and, essentially, remembers something about them (generally source/destination IP address/ports). The firewall then uses this information when processing later packets.


6. Which of the following is an attack that relies on having a user execute a malicious script embedded in a web page? (Choose the best answer.) 
  1. Man-in-the-middle 
  2. Brute force 
  3. Cross-site scripting 
  4. SQL injection 

(c)

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application.


7. A small business owner has purchased a new wireless access point and wants to ensure that only his systems are able to connect to the wireless. He enables MAC address filtering and puts the MAC addresses for all of his computers in the permitted table. This filtering occurs at which layer of the OSI model? 
  1. Physical layer 
  2. Data-link layer 
  3. Network layer 
  4. Transport layer 
  5. Session layer 

(b)


8. A sales team for a medium-sized manufacturing company has just deployed a new e-commerce application to allow for the direct sale of products to its customers. To secure that solution, an application firewall is deployed. At which layer of the OSI model does the application firewall occur? 
  1. Physical layer 
  2. Data-link layer 
  3. Network layer 
  4. Presentation layer 
  5. Application layer 

(b)

Layer 2 of the OSI model, the data link layer, provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the physical layer.


9. Which of the following are password-based attacks? (Choose all that apply.) 
  1. Replay 
  2. Network sniffer 
  3. Brute force 
  4. Man-in-the-middle 
  5. Dictionary 

(c), (e)


10. Which of the following is an attack that relies on the attacker being able to trick the sending host into thinking his system is the receiving host, and the receiving host into thinking his system is the sending host? (Choose the best answer.) 
  1. Replay 
  2. Brute force 
  3. Man-in-the-middle 
  4. Cross-site scripting 
  5. SQL Injection

(c)

A man-in-the-middle attack is a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.


11. Which of the following are common uses for a VPN? (Choose all that apply.) 
  1. Remote access 
  2. Server isolation 
  3. Intrusion detection 
  4. Extranet connections 
  5. Domain isolation 

(a), (d)


12. Which of the following are common types of routing protocols? (Choose all that apply.) 
  1. Link vector 
  2. Dynamic link 
  3. Distance link 
  4. Distance vector 
  5. Link state 

(d), (e)

A routing protocol specifies how routers communicate with each other to distribute information that enables them to select routes between nodes on a computer network.


13. Which type of DoS attack uses large ICMP packets to cause an overflow of the memory buffers allocated for packets? 
  1. SYN flood 
  2. ICMP flood 
  3. Ping of death 
  4. HTTP flood

(c)

A ping of death attack sends multiple malformed or malicious pings to a computer.

