Questions Flashcards

Question

The diagram and table above shows three hosts connected to a switch on interfaces A, B & C all in the same subnet. (i) Briefly explain what happens when host A needs to communicate with host B at the IP layer?

Answer 1

Host A broadcasts an ARP request for the MAC address associated with the IP address IB. When the switch and host B receive the ARP request they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA. When host B responds, the switch and host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB. (1) (ii) Briefly explain how host C can poison the ARP cache of the switch for host A and Host B and the result of this action? Host C can poison the ARP cache by broadcasting forged ARP responses with the bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA (or IB). Because host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, which is known as a Man in the Middle Attack. (iii) Briefly explain how this type of attack be mitigated? Answer Dynamic ARP inspection is a security feature that validates ARP packets in a network. DAI intercepts, logs and discards ARP packets based on valid IP-to-MAC address bindings stored in a trusted database (DHCP snooping and binding database). This capability protects the network from some M-I-T-M attacks. (1)

Answer 2

Answer Access controls is a security features that governs how users and processes communicate and interact with systems and resources. The primary objective of access control is to protect information and information systems from unauthorized access [confidentiality], modification[integrity] or disruption [availability].

Answer 3

Answer The principle of least privilege states that all users (employees, managers, directors) should be granted only the level of privilege to do their jobs and no more. Somewhat related to the principle of least privilege is the concept of “need to know” which means that users should get access only to data and systems that they need to do their job. Separation of duties is an administrative control that dictates that a single individual should not perform all critical or privilege level duties. Additionally, duties must be separated or divided among several individuals within the organisation. The goal is to safeguard against a single individual performing sufficiently critical or privileged actions that could damage a system or organisation as a whole. For example, a network administrator should not have the rights to alter logs on their systems.

Answer 4

Answer Identification is the is the process of providing the identity of a subject or user and is the first step in the AAA process.

Answer 5

Answer * Identity should be unique * Identity should be non-descriptive * Identities should be securely issued * Identities can be location based

Answer 6

Answer Authorization is the process of assigning authenticated subject’s permissions to carry out a specific operation. **An authorization policy should implement two concepts:** **Implicit deny:** If no rule is specified for the transaction of the subject/object the authorization policy should deny the transaction. **Need to know: ** A subject should be granted access to an object only if the access is needed

Answer 7

Answer Accounting is the process of auditing and monitoring what a user does once a specific resource is accessed. It is important to be aware of accounting as it is critical in the detection and investigation of cyber security breaches. When accounting is implemented an audit trail log is created and stored detailing when the user has accessed the resource, what the user did with that resource and when the user stopped using the resource.

Answer 8

Answer **Mandatory Access Control** Defined by policy and cannot be modified by the information owner. MAC is primarily used in highly secure environments that require a high degree of confidentiality. Subjects are assigned a security label indicating classification [top secret] and category [flight plans] of the resource. **Discretionary Access Control** DAC’s are defined by the owner of the object and used in commercial operating systems. The object owner builds an Access Control List that allows or denies access to the object based on the user’s unique identity. **Role Based Access Control** RBAC are based on a specific role or function. Administrators grant access rights and permissions to roles. **Rule Based Access Control** In a rule-based access control environment access is based on criteria that are independent of the user or group account. The rules are determined by the resource owner. **Attribute Based Access Control** Attribute based access control is a logical access control model that controls access to objects by evaluating rules against the attribute of entities operations and the environment relevant to the request.

Answer 9

Answer ip access-list standard Q1 permit 192.168.11.0 0.0.0.255 deny any ! interface GigabitEthernet0/0 ip address 192.168.30.1 255.255.255.0 ip access-group Q1a out

Answer 10

Answer ip access-list extended Q2 permit udp 192.168.10.0 0.0.0.255 host 192.168.31.12 eq domain permit tcp 192.168.10.0 0.0.0.255 host 192.168.31.12 eq 443 deny ip any any ! interface Serial0/0/0 ip address 10.10.1.1 255.255.255.252 ip access-group Q2 out

Answer 11

Answer ip access-list standard Q3 permit host 192.168.11.10 deny any ! enable secret 5 $1$mERr$TjKPmiquLyuWgX8fktHjh0 ! username admin secret 5 $1$mERr$C.klg7GUxOnQDtT9GgE0G1 ! ip ssh version 2 ip ssh authentication-retries 5 ip domain-name netsec.com crytpto key generate rsa general-keys modulus 1024 ! line vty 0 4 access-class Q3 in login local transport input ssh line vty 5 15 access-class Q3 in login local transport input ssh

Answer 12

ip access-list extended permit_upper permit ip 192.168.100.128 0.0.0.127 host 192.168.30.1 deny ip any any

Answer 13

ip access-list extended permit_lower permit ip 192.168.100.0 0.0.0.127 host 192.168.30.1 deny ip any any

Answer 14

ip access-list extended permit_odd permit icmp 192.168.100.1 0.0.0.254 host 192.168.30.1 deny ip any any

Answer 15

ip access-list extended permit_even permit icmp 192.168.100.0 0.0.0.254 host 192.168.30.1 deny ip any any

Answer 16

Answer: e) None of the above Explanation: The ACL contains only access-list 1 deny 172.16.4.0 0.0.0.255 and is applied outbound on G0/0/0. Because a standard ACL with only a deny statement has an implicit “deny any” at the end, all traffic destined out G0/0/0 (i.e., to 172.16.3.0/24) will be dropped, not just traffic sourced from 172.16.4.0/24. To meet the intention, the ACL must also include a permit for other traffic (e.g., access-list 1 permit any) while keeping the outbound placement close to the destination.

Answer 17

Answer: e) ACEs to prevent traffic from private address spaces Explanation: When applying inbound ACLs on an Internet-facing router interface, one of the key security measures is to block packets claiming to originate from private (RFC 1918) address ranges, such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. These addresses should never appear as source addresses on traffic coming from the Internet. If they do, it indicates IP spoofing, which is commonly used in attacks. Preventing this traffic protects against spoofed packets pretending to be from internal networks.

Answer 18

Answer: d) Router R1 interface g0/0/0 inbound Explanation: Extended ACLs should be placed as close to the source as possible. The “student users” subnet (192.168.1.32/27) enters the network via R1 G0/0/0. Applying the ACL inbound on that interface blocks student traffic destined for the student records subnet (192.168.1.96/27) before it traverses the rest of the network, while permitting all other traffic.

Answer 19

Answer: d) Odd IP addresses in the 192.168.100.0/24 network can ping Srv001 (192.168.30.1). e) All addresses in the 192.168.100.0/24 network can HTTP Srv001 (192.168.30.1). Explanation: The ACL denies ICMP from 192.168.100.0 0.0.0.254 to host 192.168.30.1. Wildcard 0.0.0.254 (binary 11111110) matches even host addresses only (LSB must be 0). Thus, even hosts cannot ping Srv001, while odd hosts can. The subsequent permit ip any any allows all other protocols (including HTTP) from all hosts.

Answer 20

Answer ACLs can be configured on routers or firewalls at the network perimeter to filter traffic based on source/destination IP addresses, ports, and protocols. By explicitly allowing only trusted traffic and denying all other traffic (using a “deny by default” approach), ACLs prevent unauthorized access, IP spoofing, and scanning attempts from reaching internal networks. They can also block traffic from known malicious sources or disallow risky protocols.

Answer 21

Answer The administrator can apply inbound ACLs on the perimeter router’s external interface to block traffic from untrusted or private IP ranges (e.g., RFC 1918 addresses), which helps prevent spoofing. They can also deny ICMP echo requests or TCP SYN packets to unused ports to reduce exposure to reconnaissance scans. Only required services such as HTTPS or VPN traffic should be explicitly permitted, with all other traffic implicitly denied.

Answer 22

Answer ACLs serve as a foundational control at the perimeter, enforcing basic traffic filtering to mitigate common threats based on source and destination IP addresses before more advanced inspection occurs. Network threats, such as IP spoofing and Denial of Service attacks can be mitigated by ACLs. For example, inbound packets should never be accepted from a range of address types, such as, all zeros’ addresses, broadcast addresses, local host addresses, automatic private Ip addresses, RFC1918 and IP multicast address range as these are likely spoofed. They restrict traffic flow based on IP, port, and protocol, preventing many low-level attacks. In a layered security model, ACLs complement firewalls and IPS by reducing unnecessary traffic load and acting as a first line of defence. However, ACLs are static and lack deep packet inspection, so they should be combined with dynamic tools like IPS and application firewalls for comprehensive protection.

Answer 23

Answer Allowed into the internal network: * Echo Reply: Allows users to ping external hosts. * Source Quench: Requests that the sender decrease the traffic rate of messages * Unreachable: Generated for packets that are administratively denied by an ACL Allowed to exit the network: * Echo: Allows users to ping external hosts * Prameter problem: Informs the host of packet header problems * Packet to big: Enables packet maximum transmission unit discovery * Source quench: Throttles down traffic when necessary

Answer 24

Objects are reusable components for use in configurations and make it easy to maintain configurations. The advantage is that when an object is modified, the change is automatically applied to all rules that use that specified object. Two types of network objects: Network object: Can contain a host, network IP address, range of IP addresses or a FQDN. Service Object: Contains a protocol and optional source / destination port.

Answer 25

To configure NAT a network object is required that identifies the source that has to be translated in dynamic NAT or host in a static Nat translation

Answer 26

Answer * The ASA uses a network mask (e.g., 255.255.255.0) and not a wildcard mask (e.g. 0.0.0.255). * ACLs are always named instead of numbered. * By default, interface security levels apply access control without an ACL configured

Answer 27

**Through-traffic filtering** - Traffic that is passing through the security appliance from one interface to another interface. The configuration is completed in two steps. The first step is to set up an ACL. The second step is to apply that ACL to an interface. **To-the-box-traffic filtering ** Also known as a management access rule, to-the-box-traffic filtering applies to traffic that terminates at the ASA. They are created to filter traffic that is destined for the control plane of the ASA. They are completed in one step but require an additional set of rules to implement access control. Note: Security Levels apply access control without an ACL configured.

Answer 28

ASA devices differ from their router counterparts because of interface security levels. By default, security levels apply access control without an ACL configured. For instance, traffic from a more secure interface, such as security level 100, is allowed to access less secure interfaces, such as level 0. Traffic from a less secure interface is blocked from accessing more secure interfaces. Access from a lower security level to a higher security level can be achieved through ACL’s. The security level default behaviour is to implicitly permit traffic from a higher security interface to a lower security interface outbound. Traffic is implicitly permitted between interfaces with the same security level if the ASA has been configured to globally permit this behaviour. Traffic from interfaces with lower security levels is implicitly denied to interfaces with higher security levels.

Answer 29

**Control network access for IP traffic** The ASA does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. **Identify traffic for AAA rules** AAA rules use access lists to identify traffic. **Identify addresses for NAT** Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list. **Establish VPN access** Extended access list can be used in VPN commands. **Identify traffic for Modular Policy Framework (MPF)** Access lists can be used to identify traffic in a class map, which is used for features that support MPF. Features that support MPF include TCP, general connection settings, and inspection.

Answer 30

ACL prevents hosts on 172.16.1.0/24 from accessing the 209.165.201.0/27 network. Internal hosts are permitted access to all other addresses. All other traffic is implicitly denied.

Answer 31

**Inside NAT: ** Typically deployed when a host from a higher security level has traffic destined for an lower security level. The ASA translates the internal host address into a global address. **Outside NAT: ** Used when traffic from a lower security interface is destined for a host on the higher security interface must be translated. Typically used to access services on the DMZ. **Bidirectional NAT: ** Indicates that both inside and outside NAT are used together.

Answer 32

Class Map: Identifies the traffic on which to perform an action Policy Map: Defines the action we are going to perform on the traffic. Service Policy: Defines where the action is performed.

Answer 33

* Configure an extended ACL to identify granular traffic (this may be optional) * Configure the class map to define interesting traffic * Configure a policy map to apply actions to the identified traffic * Configure a service policy to identify which interface should be activated for the service or if it should be activated globally.

Questions Flashcards

(58 cards)