A host-based intrusion detection system is additional software installed on a system such as a workstation or a server. It provides protection to the individual host and can detect potential attacks.
What does NIDS stand for and what does it do?
A network-based intrusion detection system monitors activity on the network. An admin installs NIDS sensors or collectors on network devices such as routers and firewalls and they relay information back to the central monitoring server hosting a nids controller.
What is a limitation of a network-based intrusion detection system (NIDS)?
A NIDS is not able to detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic and it cannot decrypt encrypted traffic.
What is a Signature-based IDS also known as and how does it work?
Also known as a definition-based IDS, it uses a database of known vulnerabilities or known attack patterns.
What is a Heuristic/behavioral-based detection also known as and how does it function?
Also called anomaly-based detection and it starts by identifying normal operation or normal behavior of the network (baseline) and detects when anything deviates pass a set threshold.
What is an SDN and how does it work?
A software Defined Network (SDN) uses virtualization technologies to route traffic instead of using hardware routers and switches. Specifically separates the data planes and control planes within a network.
What type of access control is commonly used in an SDN?
Attribute-based access control (ABAC) is commonly used in a software-defined network (SDN)
What are the two primary goals of having a honeypot?
Divert attackers from the live network
Allow observation of an attacker.
What is IEEE 802.1x?
A port-based authentication protocol that requires users or devices to authenticate when they connect to a specific wireless access point or specific physical port. It can be implemented in both wireless and wired networks.
What does SSID stand for?
Service set identifier. Just the name of the wireless network.
What is the most commonly used wireless antenna on both APs and wireless devices?
omnidirectional or omni antenna
True or false, WEP (wired equivalent privacy) has known vulnerabilities and should not be used.
Temporal Key Integrity Protocol is an older encryption protocol used with WPA, and CCMP is a newer encryption protocol used with WPA2
What does AES stand for?
Advanced Encryption Standard.
What is Enterprise mode?
Forces users to authenticate with unique credentials before granting them access to the wireless network. Enterprise mode uses an 802.1x server.
What is a RADIUS server and what port does it operate on?
Remote Authentication Dial-In User Service is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service.
What does EAP stand for?
Extensible Authentication Protocol, an authentication framework that provides general guidance for authentication methods.
What does PEAP do?
Protected EAP (PEAP) provides an extra layer of protection for EAP by encapsulating and encrypts the EAP conversation in a TLS tunnel.
What is EAP-TTLS?
EAP-Tunneled TLS is an extension of PEAP, allowing systems to use some older authentication methods. This requires a certificate on the 802.1x server but not the clients.
What is EAP-TLS?
This is one of the most secure EAP standards and is widely implemented. The primary difference between PEAP and EAP-TLS is that it requires certificates on the 802.1x server and on each client.
What is EAP-FAST?
EAP-Flexible Authentication via Secure Tunneling is a Cisco Designed secure replacement for Lightweight EAP (LEAP) that Cisco designed. This EAP standard supports certificates, but they are optional.
What is a captive portal?
A technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network.
What can companies use instead of Adding an 802.1x server due to costs?
Captive Portals
What are three common attacks for Bluetooth?
Bluejacking, bluesnarfing, and bluebugging.
What is bluejacking?
The practice of sending unsolicited messages to nearby Bluetooth devices. Either text, images, or videos.
What is bluesnarfing?
Unauthorized access to, or theft of information from a Bluetooth device. Can access information such as email, contacts, calendars, and text messages.
What is Bluebugging?
Bluebugging is like bluesnarfing, along with gaining access to a phone, the attacker installs a backdoor.
Which Wifi security and authentication protocol is not vulnerable to replay attacks?
WPA2 using CCMP and AES.
WPA using TKIP is vulnerable to replay attacks.
What does RFID stand for?
Radio-frequency identification.
(used in tags to track inventory or any other valuable assets: Pets and other stuff. )
Where would you want to place a VPN concentrator?
The DMZ
What network protocol suite supports both Tunnel mode and Transport mode?
IPsec (Internet Protocol Security)
What is the difference between Tunnel mode and Transport mode in IPsec?
Tunnel mode encrypts the entire IP packet using used in the internal network and is the mode used with VPNs transmitted over the internet. - Benefit is the internal IP address used within the internal network is encrypted and not visible to anyone.
Transport mode only encrypts the payload and is commonly used in private networks but not with VPNs. No need to hide internal IP's when the traffic is internal only
What are the two ways IPsec provides security?
Authentication - includes authentication header (AH)
Encryption - includes Encapsulating Security Payload (ESP) to encrypt the data and provide confidentiality.
How does IPsec use IKE? and what port?
IPsec uses Internal Key Exchange (IKE) over port 500 to authenticate clients in the IPsec conversation. IKE creates security association (SAs) for the VPN and uses these to set up a secure channel between the client and the VPN server.
What are some Common Health conditions checked by a NAC?
NAC = Network Access Control
Up-to-date antivirus software, including updated signature definitions
Up-to-date operating system, including current patches and fixes
Firewall enabled on the client
What happens if a client does not meet the health condition mandated by the NAC server?
The VPN server redirects the client to a remediation network (AKA the quarantine network). This network has the tools to get the systems healthy.
What does PAP stand for in remote access authentication mechanisms?
Password Authentication Protocol (PAP). PAP sends passwords in cleartext so PAP is used only as a last resort.
What does CHAP stand for in remote access authentication mechanisms?
Challenge Handshake Authentication Protocol (CHAP) uses a handshake process where the server challenges the client. The client then responds with an appropriate authentication information.
What does MS-CHAP stand for?
Microsoft CHAP
What is the difference between MS-CHAP and MS-CHAPv2?
MS-CHAPv2 includes improvements including the ability to perform mutual authentication.
What does TACTAC+ stand for?
Terminal Access Controller Access-Control System Plus is an alternative to RADIUS, but is proprietary to CISCO systems. Benefit is that it can interact with Kerberos.
What does RADIUS servers use?
UDP or TCP?
UDP - RADIUS includes logic to detect communication problems.
What does RADIUS not encrypt?
RADIUS only encrypts the password. There are alternatives that encrypt the entire authentication process.
What are the two important security benefits of using TACACS+ over RADIUS?
TACTAC+ encrypts the entire authentication process.
Uses multiple challenges and responses between the client and the server.
What is Diameter?
An extension of RADIUS and many organizations have switched to it. Uses TCP instead of UDP. It is also backwards compatible with RADIUS
What are 3 examples of AAA Portocols?
(Authentication, Authorization, Accounting)
