Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :



Similar documents
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Securing Cisco Network Devices (SND)

CISCO IOS NETWORK SECURITY (IINS)

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

General Network Security

Chapter 1 The Principles of Auditing 1

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

IINS Implementing Cisco Network Security 3.0 (IINS)

Network Access Security. Lesson 10

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Introduction of Intrusion Detection Systems

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

IINS Implementing Cisco IOS Network Security Exam.

TABLE OF CONTENTS NETWORK SECURITY 2...1

Network Security and Firewall 1

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls, Tunnels, and Network Intrusion Detection

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Description: Objective: Attending students will learn:

Implementing Cisco IOS Network Security

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

8 steps to protect your Cisco router

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Internet Security Specialist Compaq Computer

information security and its Describe what drives the need for information security.

Network Security: Introduction

Lab Configure a PIX Firewall VPN

Case Study for Layer 3 Authentication and Encryption

INTRODUCTION TO FIREWALL SECURITY

Network Security Fundamentals

CCNP: Implementing Secure Converged Wide-area Networks

Common Remote Service Platform (crsp) Security Concept

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

CS5008: Internet Computing

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

INTRUSION DETECTION SYSTEMS and Network Security

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Chapter 9 Firewalls and Intrusion Prevention Systems

Information Security Basic Concepts

Security and Access Control Lists (ACLs)

FIREWALLS & CBAC. philip.heimer@hh.se

Cisco Certified Security Professional (CCSP)

SNRS. Securing Networks with Cisco Routers and Switches. Length 5 days. Format Lecture/lab

Cisco CCNP Implementing Secure Converged Wide Area Networks (ISCW)

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and Intrusion Detection

Security Technology: Firewalls and VPNs

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

A Model Design of Network Security for Private and Public Data Transmission

Security vulnerabilities in the Internet and possible solutions

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

CSCI 454/554 Computer and Network Security. Final Exam Review

Networking for Caribbean Development

Firewalls and Network Defence

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Internet Key Exchange (IKE) EJ Jung

Firewalls. Chapter 3

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI

8. Firewall Design & Implementation

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title

This chapter covers the following topics:

Certified Ethical Hacker Exam Version Comparison. Version Comparison

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Internet Security Firewalls

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Cisco Certified Security Professional (CCSP) 50 Cragwood Rd, Suite 350 South Plainfield, NJ 07080

Section 12 MUST BE COMPLETED BY: 4/22

74% 96 Action Items. Compliance

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

White Paper: Ensuring HIPAA Compliance by Implementing the Right Security Strategy

CCNA Security v1.0 Scope and Sequence

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

How To Pass A Credit Course At Florida State College At Jacksonville

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

Securing Networks with PIX and ASA

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

Lab Configure IOS Firewall IDS

(d-5273) CCIE Security v3.0 Written Exam Topics

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

Firewalls & Intrusion Detection

Inspection of Encrypted HTTPS Traffic

Transcription:

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters) : Group: Welcome to the exam! READ THIS FIRST: Give the answers on the assignment paper. If you need more space, write on the back of the assignment paper, but remember: Write the answers to the questions and nothing more. You are allowed to answer in either ENGLISH or SWEDISH. GOOD LUCK! Ola Number of assignments: 20 Maximal number of points: 60 The grade limits are 30p to pass the exam (Grade 3), 42p for Grade 4, and 54p for Grade 5.

Assignment 1.(10p) What security solutions would you implement to secure the network? a. Threat Defense a.1. Stateful Inspection and packet filtering Filter network traffic to allow only valid traffic and services. a.2. Intrusion Prevention Systems Inline intrusion detection systems (IDS), which is better termed intrusion prevention systems (IPS), can be deployed at the network and host level to actively stop malicious traffic. a.3. Vulnerability patching Apply fixes or measures to stop the exploitation of known vulnerabilities. This includes turning off services that are not needed on every system. The fewer services that are enabled, the harder it is for hackers to gain access. b. Secure Connectivity b.1. Virtual Private Networks (VPNs) Hide traffic content to prevent unwanted disclosure to unauthorized or malicious individuals. c. Trust and Identity c.1. Authentication Give access to authorized users only. One example of this is using one-time passwords. c.2. Policy enforcement Assure users and end devices are in compliance with the corporate policy. What methods would you use to monitor the security?

Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files. Most operating systems include auditing functionality. System administrators for every host on the network must turn these on and take the time to check and interpret the log file entries. Passive methods include using intrusion detection system (IDS) devices to automatically detect intrusion. This method requires only a small number of network security administrators for monitoring. These systems can detect security violations in real time and can be configured to automatically respond before an intruder does any damage. An added benefit of network monitoring is the verification that the security devices implemented in Step 1 of the Security Wheel have been configured and are working properly. How would you test the security measures that you implemented in the Security and Monitoring Phases? In the testing phase of the Security Wheel, the security of the network is proactively tested. Specifically, the functionality of the security solutions implemented in Step 1 and the system auditing and intrusion detection methods implemented in Step 2 must be assured. Vulnerability assessment tools such as SATAN, Nessus, or NMAP are useful for periodically testing the network security measures at the network and host level. What does the Improve Phase actually involve? The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases, and developing and implementing improvement mechanisms that feed into the security policy and the securing phase in Step 1. To keep a network as secure as possible, the cycle of the Security Wheel must be continually repeated, because new network vulnerabilities and risks are created every day. Assignment 2.(10p) In what way does a security policy benefit a company? a. It provides a process to audit existing network security. b. It provides a general security framework for implementing network security. c. It defines which behavior is and is not allowed.

d. It often helps determine which tools and procedures are needed for the organization. e. It helps communicate consensus among a group of key decision makers and defines the responsibilities of users and administrators. f. It defines a process for handling network security incidents. g. It enables global security implementation and enforcement. h. It creates a basis for legal action if necessary. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization, including the following: Site security administrator. Information technology technical staff, such as staff from the computing center. Administrators of large user groups within the organization, such as business divisions or a computer science department within a university. Security incident response team. Representatives of the user groups affected by the security policy. Responsible management. Legal counsel, if needed. Assignment 3.(10p) The IT department for Widget Warehouse has a general understanding of security but they are very inexperienced with the various attacks an intruder can use to exploit their network resources. Create a list of various attacks intruders can use maliciously against the Widget Warehouse network. Also, provide a brief description of possible attacks, including their purpose. Attack name Description Password Attacks Trust Exploitation

Port Redirection Man-in-themiddle Attack Social Engineering Phishing DoS attacks DDoS attacks Worm, Virus, Trojan Horse

Assignment 4.(1p) During a new network implementation, the network engineering team realized that the original design was flawed. Which process can the team use to formally request an authorized amendment? optimization stakeholder inclusion post-design request change control operational reaction Assignment 5.(2p) Which two security components make up the security solution of trust and identity? (Choose two.) policy enforcement vulnerability patching virtual private network authentication usage accounting Assignment 6.(2p) The management of XYZ Company has asked the network administrator to recommend software to achieve two objectives: a) detect Trojan horse malware and prevent it from affecting desktop computers, and b) detect and prevent reconnaissance attacks such as port scanning and ping sweeps After careful consideration, the network administrator recommends Norton Anti- Virus Corporate Edition. Which objectives are achieved if this recommendation is implemented? Only objective (a) is achieved. Only objective (b) is achieved. Both objective (a) and objective (b) are achieved. Neither objective (a) nor objective (b) is achieved.

Assignment 7.(2p) A network administrator needs to configure authentication proxy on the perimeter router. Which three protocols can the administrator choose to trigger the authentication proxy process? (Choose three.) FTP HTTP DHCP ICMP SMTP Telnet Assignment 8.(3p) Which three are examples of DoS attacks? (Choose three.) man-in-the-middle CPU hogging ping of death masquerade targa.c Assignment 9.(3p) Which three are primary network security weaknesses? (Choose three.) transport weaknesses technological weaknesses configuration weaknesses coverage weaknesses security policy weaknesses

Assignment 10.(2p) On which two interfaces could a CBAC inspect list be placed to monitor traffic originating from the Internet and destined for the DMZ? (Choose two.) The CBAC inspect list could be placed on s0 in the out direction. The CBAC inspect list could be placed on s0 in the in direction. The CBAC inspect list could be placed on e0 in the out direction. The CBAC inspect list could be placed on e0 in the in direction. The CBAC inspect list could be placed on e1 in the out direction. The CBAC inspect list could be placed on e1 in the in direction. Assignment 11.(1p) Which method of detecting anomalies is used by the Cisco PIX IDS feature? signature heuristic artificial intelligence deterministic Assignment 12.(1p) During some testing, the PIX Security Appliance IDS was configured to exclude the ICMP Echo Reply signature. The Echo Reply Message Number is 400010 and its Signature ID is 2000. Which command should be executed to include the Echo Reply signature again? pixfirewall(config)# ip audit signature 400010 enable pixfirewall(config)# ip audit signature 2000 enable pixfirewall(config)# no ip audit signature 2000 disable pixfirewall(config)# no ip audit signature 400010 disable

Assignment 13.(1p) What is the name of an encryption system which uses the same key to encrypt and decrypt a message? Diffie-Hellman asymmetric encryption symmetric encryption MD5 SHA Assignment 14.(2p) The originator of a message derives a hash and encrypts it with its private key. The encrypted hash is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the originator's public key. If the decrypted hash matches the re-computed hash, the message is genuine. What is being described? the incorrect use of a hash the use of a digital signature for origin authentication symmetric encryption for enhanced secrecy of data public key encryption for the secure encryption of data the use of a digital signature for data encryption Assignment 15.(2p) How will the IPSec process be initiated when IPSec is configured on a router? IPSec actively monitors all traffic and discards it if it is not in an IPSec policy. IPSec is initiated to establish a connection or discard traffic that is specifically denied by an ACL. IPSec is initiated to establish a connection or discard traffic that fails to match any ACL. IPSec is initiated when a packet triggers an ACL that defines traffic to be protected.

Assignment 16.(2p) Which two are IPSec security protocols? (Choose two.) SHA-1 MD5 ESP AH GRE L2TP Assignment 17.(1p) Which statement accurately describes a site-to-site VPN using pre-shared keys for the authentication of IPSec sessions? It is relatively simple to configure, and it scales well for large numbers of IPSec clients. It is relatively simple to configure, but it does not scale well for large numbers of IPSec clients. It is relatively complex to configure, but it scales well for large numbers of IPSec clients. It is relatively complex to configure, and it does not scale well for large numbers of IPSec clients. Assignment 18.(1p) For each unidirectional security association (SA) during IKE phase two, how many transform proposals are agreed upon by IPSec peers? 1 2 4 8 16

Assignment 19.(2p) The router VPNGATE serves as a Cisco Easy VPN Server. The network administrator entered the following command. What is the result of the configuration command? VPNGATE(config)# crypto isakmp keepalive 20 10 VPNGATE sends a hello message every 10 seconds. VPNGATE times out the IPSec tunnel after 20 seconds with no activity. VPNGATE sends a DPD message if the remote client doesn't respond to traffic. VPNGATE sends keepalives at random intervals to the remote client. Assignment 20.(2p) The first four steps in IKE peer authentication using pre-shared secrets are shown in the graphic. What is the fifth step? Peer B locally hashes the random value and the pre-shared secret and matches it against the received authenticated hash. Peer A and peer B are ready to begin communications. Peer A sends the authenticated hash back to peer B. Peer B randomly chooses a different random string and sends it to peer A.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information