Network Defense (NetDef) Course Final Exam Answers

Explanation: When a layered defense-in-depth security approach is used, layers of security are placed through the organization-at the edge, within the network, and on endpoints. The layers work together to create the security architecture. In this environment, a failure of one safeguard does not affect the effectiveness of other safeguards.

Explanation: In a defense-in-depth approach, the edge router would form the first line of defense. The firewall would be the second line of defense followed by the internal router making up the third line of defense.

Explanation: Place the options in the following order:

Explanation: Wireless security depends on several industry standards and has progressed from WEP to WPA and finally WPA2.

Explanation: In comparing biometric systems, there are several important factors to consider including accuracy, speed or throughput rate, and acceptability to users.

Explanation: Two best practices for securing wireless networks are to encrypt the wireless traffic with WPA2 encryption and to keep the wireless router firmware updated. This prevents data from being readable by an attacker and fixes any known bugs and vulnerabilities in the router.

Explanation: Virtual LANs (VLANs) provide a logical segmentation by creating multiple broadcast domains on the same network switch. VLANs provide higher utilization of switch ports because a port could be associated to the necessary broadcast domain, and multiple broadcast domains can reside on the same switch. Network devices in one VLAN cannot communicate with devices in a different VLAN without the implementation of inter-VLAN routing.

Explanation: With the privilege escalation exploit, vulnerabilities in servers or access control systems are exploited to grant an unauthorized user, or software process, higher levels of privilege than either should have. After the higher privilege is granted, the threat actor can access sensitive information or take control of a system.

Explanation: The nondiscretionary access control model used the roles and responsibilities of the user as the basis for access decisions.

Explanation: Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use Layer 4 protocol (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of authentication and authorization processes, while RADIUS combines authentication and authorization as one process. RADIUS supports remote access technology, such as 802.1x and SIP; TACACS+ does not.

Explanation: Because the new deny ACE is a host address that falls within the existing 172.16.0.0 network that is permitted, the router rejects the command and displays an error message. For the new deny ACE to take effect, it must be manually configured by the administrator with a sequence number that is less than 10.

Explanation: For the purpose of applying an access list to a particular interface, the ipv6 traffic-filter IPv6 command is equivalent to the access-group IPv4 command. The direction in which the traffic is examined (in or out) is also required.

Explanation: An outbound ACL should be utilized when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.

Explanation: There are many differences between a stateless and stateful firewall.
Stateless firewalls:

• are susceptible to IP spoofing
• do not reliably filter fragmented packets
• use complex ACLs, which can be difficult to implement and maintain
• cannot dynamically filter certain services
• examine each packet individually rather than in the context of the state of a connection

Stateful firewalls:

• are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic
• strengthen packet filtering by providing more stringent control over security
• improve performance over packet filters or proxy servers
• defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source
• provide more log information than a packet filtering firewall

Explanation: With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:
Traffic originating from DMZ destined for the internal network is normally blocked.
Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined from the DMZ is normally inspected and allowed to return.
Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.

Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.

Explanation: All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.

Explanation: Designing ZPFs involves several steps:
Step 1 . Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
Step 2 . Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.
Step 3 . Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
Step 4 . Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.

Explanation: The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time.

Explanation: The Security Guidance for Critical Areas of Focus in Cloud Computing v4 document developed by the Cloud Security Alliance (CSA) covers 14 domains of cloud security. Some of these domains are:

• Infrastructure Security – describes cloud-specific aspects of infrastructure security and the foundation for operating securely in the cloud.
• Data Security and Encryption – describes those controls related to securing the data itself, of which encryption is one of the most important.
• Application Security – provides guidance on how to securely build and deploy applications in cloud computing environments, specifically for PaaS and IaaS.
• Security as a Service – covers the continually evolving security services delivered from the cloud.

Explanation: Software-defined networks (SDN) enable new types of security controls and provide an overall gain for network security including:

• easy network isolation without the constraints of physical hardware
• SDN firewalls (security groups in cloud computing) apply to assets based on more flexible criteria than hardware firewalls

Explanation: SDKs, or Software Development Kits, provide a repository of useful code to make application development faster and cheaper.

Explanation: Hosting software development and distribution processes is an example of the PaaS model. In the shared security responsibility model, the cloud customer is responsible for data and endpoints security.

Explanation: The task to ensure that only authorized personnel can open a file is data confidentiality, which can be implemented with encryption. AES and 3DES are two encryption algorithms. HMAC can be used for ensuring origin authentication. MD5 and SHA-1 can be used to ensure data integrity.

Explanation: A digital certificate might need to be revoked if its key is compromised or it is no longer needed. The certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP), are two common methods to check a certificate revocation status.

Explanation: Technologies exist to confuse attackers by changing data and using techniques to hide the original data.

Explanation: Syslog is a daemon or service run on a server that accepts messages sent by network devices. These logs are frequently examined to detect inconsistencies and issues within the network.

Explanation: Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) are two application layer protocols that manage the content requests from clients and the responses from the web server. HTML (Hypertext Mark-up Language) is the encoding language that describes the content and display features of a web page. DNS is for domain name to IP address resolution. DHCP manages and provides dynamic IP configurations to clients.

Explanation: IMAP, SMTP, and POP3 are email protocols. SMTP is used to send data from a host to a server or to send data between servers. IMAP and POP3 are used to download email messages and can be responsible for bringing malware to the receiving host.

Explanation: The source of the output is Netflow.

Explanation: The Network Analysis Module of the Cisco Prime Infrastructure system and Wireshark have GUI interfaces and can display full packet captures. The tcpdump tool is a command-line packet analyzer.

Explanation: NetFlow efficiently provides an important set of services for IP applications including network traffic accounting, usage-based network billing, network planning, security, denial of service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.

Explanation: True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.

Explanation: Alerts can be classified as follows:

True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.
An alternative situation is that an alert was not generated. The absence of an alert can be classified as:

True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.

Explanation: Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) developed by Sourcefire. It has the ability to perform real time traffic analysis and packet logging on Internet Protocol (IP) networks and can also be used to detect probes or attacks.