Networks - Sample Questions and Answers
1.22. What is a DMZ and why is it important?

DMZ stands for "demilitarized zone." It is a term borrowed from the military that refers to a separate network set up between a company's private network and the public internet. If a company needs to allow internet access to a service, that service will run on a host in the DMZ. This "buffer zone" is desirable because if a system in the DMZ is compromised, an attacker still has no access to the company's private network.

1.23. Define and describe a VPN.

VPN stands for Virtual Private Network. Using encryption software, it is possible to set up a secure, encrypted "tunnel" between two points on a public network (like the internet). Once this link is established, those two points form a virtual private network, allowing secure communication to take place over an insecure medium.

1.24. Define and describe the two main types of VPNs in use on the internet today.

PPTP VPNs are based on the Point-to-Point Tunneling Protocol. This protocol is backed by a coalition of vendors, headed by Microsoft. Client and server software packages to implement this VPN solution are included with versions of Windows after Windows 98 OSR2.

IPsec-based VPNs are commonly implemented in hardware VPN solutions from companies like Cisco. IPsec supports two security schemes: Authentication Header (AH), which authenticates the sender of the data; and Encapsulating Security Payload (ESP), which supports sender authentication and payload encryption.

1.25. Define the private IPv4 subnets, and explain their importance to the security of a network.

In order to allow for easy adoption of TCP/IP inside corporate networks, without the possibility of address conflict with the internet, private IP subnets were created. These ranges of IP addresses are non-routable, meaning they are not valid on the internet.
Class A private IP range: 10.0.0.0 – 10.255.255.255
Class B private IP range: 172.16.0.0 – 172.31.0.0
Class C private IP range: 192.168.0.0 – 192.168.255.255

Adopting a private IP address space is recommended for a corporate network. This prevents any system on the internet from directly addressing any internal system. Internal systems are granted outside access by means of Network Address Translation or a proxy server.

1.26. Define NAT and describe the benefits.

NAT (Network Address Translation) is used most often in conjunction with a private IP subnet. A system running NAT forwards packets from one network to another, rewriting the source address so that all packets appear to originate from the NAT system itself. When a reply is received, the reverse happens: the NAT system rewrites the destination address so the packet can be delivered to the original requester. This proxying of packets is an important security practice. It also allows a large number of systems to access an outside network through a single IP address.

1.27. Describe SSL and trusted third-party Certificate Authorities.

SSL (Secure Sockets Layer) was developed by Netscape to address the insecurities of HTTP communication. SSL is a protocol that allows for the encryption of HTTP sessions using key-based cryptography. On the internet, there is little in place to prove that someone is who they say they are. Just because you can make an encrypted connection to someone's online web store, that doesn't mean that they are a legitimate business. The business of Certificate Authorities has arisen to aid in authenticating these transactions. When a business purchases a certificate from a trusted Certificate Authority (like Verisign), that certificate is presented to every web browser that attempts to make a secure connection to the business's web site. If the web browser trusts the third-party Certificate Authority, the connection is allowed. If not, the connection is denied.
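The following Python program is an added example, not part of the original questions and answers. It puts the answers to 1.25 and 1.26 together: a check that an address falls inside one of the three private ranges, and a small model of the NAT behaviour described (outbound source rewrite, inbound reverse lookup, unsolicited inbound packets dropped because no internal host is addressable from outside). The port-based many-to-one translation, the `Packet` and `Nat` names, and the addresses used (documentation ranges) are assumptions made for the example, not something the page specifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three private ranges from the answer to 1.25, written as CIDR prefixes.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the private (non-routable) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header view: just the addresses and ports."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Many-to-one source NAT (port-based), assumed for this example.

    Outbound packets from private hosts are rewritten to come from the
    NAT system's own public address; replies are mapped back using the
    translated port as the lookup key.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port) -> outside port
        self.out_map: Dict[Tuple[str, int], int] = {}
        # outside port -> (inside ip, inside port)
        self.in_map: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        if not is_private(pkt.src_ip):
            return pkt  # already publicly addressable; nothing to translate
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply; drop anything unsolicited."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.in_map.get(pkt.dst_port)
        if inside is None:
            # No internal host ever opened this mapping, so the packet
            # cannot be delivered inside: this is the 1.25/1.26 benefit.
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


if __name__ == "__main__":
    nat = Nat("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    print("outbound  :", out)
    reply = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    print("reply     :", reply)
    print("unsolicited:", nat.inbound(Packet("198.51.100.9", 80, "203.0.113.5", 40999)))
```

Note that `172.16.0.0/12` covers 172.16.0.0 through 172.31.255.255, which is the prefix-based way of writing the second range; the mapping table above is also what makes the "single IP address" benefit in 1.26 work, since many inside (address, port) pairs share one outside address.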
A list of the major Certificate Authorities is included with the major web browsers. The analogy for this connection is "I don't trust you, but I trust Verisign, and they tell me that you are who you say you are."

1.28. What is the weakest point in every network?

People. Regardless of how good your firewall, intrusion detection systems, audits and personnel are, your employees will always be the weakest link in your network. Social engineering is a common way to attempt to exploit the people in a networking environment. Why should a cracker spend days attempting a brute-force attack to discover a password, when he can call up a secretary, impersonate someone from the IT department, and get her to give him her password? Every security policy should include basic security principles for every employee, such as:

1. Never give your password out over the phone or in email.
2. Challenge any suspicious person you see in the office, etc.

1.29. What is a smurf attack, and how can it be prevented?

A smurf attack is a common denial-of-service attack utilizing ICMP packets. An attacker will craft an ICMP echo packet appearing to originate from the victim's IP address. This packet will be sent to the broadcast address of another network. Since packets sent to a broadcast address are accepted by every system on a subnet, and since the standard response to an echo request is an echo reply, the victim soon finds his IP address flooded with ICMP echo replies from this network. The recommended way to thwart this kind of attack is to block access to broadcast addresses at each network's router.

1.30. What is a SYN flood, and how can it be prevented?

All TCP connections begin with a three-way handshake. This handshake consists of a SYN from the source, a SYN-ACK reply from the destination, and an ACK from the source.
When a system receives a SYN packet, it allocates memory space to handle the connection, sends the SYN-ACK, and waits for the final ACK before communication can occur. This is what is known as a half-open connection. A SYN flood occurs when an attacker sends a large number of SYN requests to a system, spoofing the source IP address of the packets. This causes the victim's system to send SYN-ACKs to systems that weren't expecting them and therefore will not reply. As the spoofed packets continue to come in, the victim's system continues to allocate memory to handle these half-open connections until eventually the memory of the system is exhausted and no more incoming connections are accepted. There is currently no generally accepted solution for handling this kind of problem because it utilizes the very nature of TCP communication as opposed to exploiting a vulnerability. The recommended solution is for originating networks to perform source-address verification on all outgoing packets, eliminating the possibility of a system on their network sending out packets with spoofed IP addresses.
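The following Python program is an added example, not part of the original questions and answers. It turns the defensive recommendations in 1.29 and 1.30 into checks a practitioner can run: a router-side test that drops packets addressed to a subnet's broadcast address, the egress source-address verification that 1.30 recommends for originating networks, and a counter of half-open (SYN-RECV) connections per local port over a socket table. The socket-table text is constructed for the example in the column layout of the Linux `ss -tan` command, the addresses are documentation ranges, and the function names and the threshold of three are choices made here, not values from the page.

```python
import ipaddress
from collections import Counter
from typing import Dict, List


def is_directed_broadcast(dst_ip: str, local_net: str) -> bool:
    """True if dst_ip is the broadcast address of local_net (1.29 check)."""
    net = ipaddress.ip_network(local_net, strict=False)
    return ipaddress.ip_address(dst_ip) == net.broadcast_address


def router_decision(dst_ip: str, local_net: str) -> str:
    """Router rule from 1.29: do not forward traffic to the subnet broadcast."""
    return "drop" if is_directed_broadcast(dst_ip, local_net) else "forward"


def egress_allowed(src_ip: str, local_net: str) -> bool:
    """Source-address verification from 1.30: an outgoing packet may only
    carry a source address that belongs to the originating network."""
    net = ipaddress.ip_network(local_net, strict=False)
    return ipaddress.ip_address(src_ip) in net


# Constructed sample in the layout of `ss -tan` output (not captured data).
SAMPLE_SOCKET_TABLE = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:22          10.0.0.9:50122
SYN-RECV   0      0      10.0.0.5:80          203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:80          198.51.100.23:40002
SYN-RECV   0      0      10.0.0.5:80          192.0.2.77:40003
SYN-RECV   0      0      10.0.0.5:80          203.0.113.44:40004
SYN-RECV   0      0      10.0.0.5:443         198.51.100.5:40005
ESTAB      0      0      10.0.0.5:443         10.0.0.12:50200
"""


def half_open_by_port(table: str) -> Dict[int, int]:
    """Count half-open connections (state SYN-RECV) per local port.

    Each SYN-RECV row is a connection for which the SYN-ACK was sent and
    the final ACK never arrived, exactly the state 1.30 describes.
    """
    counts: Counter = Counter()
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        _, port = fields[3].rsplit(":", 1)  # "10.0.0.5:80" -> "80"
        counts[int(port)] += 1
    return dict(counts)


def syn_flood_suspects(table: str, threshold: int) -> List[int]:
    """Local ports whose half-open count reaches the threshold."""
    return sorted(p for p, n in half_open_by_port(table).items() if n >= threshold)


if __name__ == "__main__":
    print("192.0.2.255 ->", router_decision("192.0.2.255", "192.0.2.0/24"))
    print("192.0.2.10  ->", router_decision("192.0.2.10", "192.0.2.0/24"))
    print("egress 10.9.9.9 from 192.0.2.0/24 allowed:",
          egress_allowed("10.9.9.9", "192.0.2.0/24"))
    print("half-open per port:", half_open_by_port(SAMPLE_SOCKET_TABLE))
    print("ports over threshold 3:", syn_flood_suspects(SAMPLE_SOCKET_TABLE, 3))
```

On a real host the table would come from `ss -tan` rather than the embedded string; the threshold that counts as a flood depends on the service's normal backlog, so treat the value of three here as a placeholder for tuning against a baseline, not as a recommendation.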