CISSP - Domain 4: Communication and Network Security


Frame Relay supports multiple permanent virtual circuits (PVCs) over a single physical
connection; it replaced the older, slower X.25 packet-switching service in most deployments.
It is a packet-switching WAN technology that provides a Committed Information Rate (CIR),
the minimum bandwidth the service provider guarantees to the customer; bursts above the CIR
are carried only when capacity is available. Finally, Frame Relay requires a DTE/DCE pair
at each connection point: the customer's DTE (typically a router) provides access to the
Frame Relay network, and the provider-supplied DCE transmits the data over the network.

LEAP, the Lightweight Extensible Authentication Protocol, is a Cisco proprietary
protocol that was designed to address the weaknesses of WEP. Unfortunately, LEAP has
significant security issues of its own: its MS-CHAPv2 exchange can be captured and
subjected to an offline dictionary attack, so it should not be used. Any modern hardware
should support WPA2 (or WPA3) with 802.1X methods such as PEAP or EAP-TLS. Using WEP,
the predecessor to WPA and WPA2, would be a major step back in security for any network.

In wireless connections, ad hoc mode connects clients directly to each other without an
access point. It can be easy to confuse this with stand-alone mode, which connects clients
through a wireless access point but not to wired resources such as a central network.
Infrastructure mode connects endpoints to a central network through an access point, not
directly to each other. Finally, wired extension mode uses a wireless access point to link
wireless clients to a wired network.

802.11 is the IEEE standard for wireless LANs (Wi-Fi / WLAN), with a series of
physical-layer variants (a, b, g, n, ac, ax).
802.1X is the IEEE standard for port-based network access control (NAC). It belongs to
the 802.1 family, which mostly defines data link layer standards such as bridging and VLANs.
802.11 networks commonly use 802.1X (with EAP and a RADIUS server) for client
authentication, but apart from that the two are completely different things.

IMAP is more flexible and complex than POP3. POP3 is a simple protocol that only downloads
messages from the Inbox to the local computer (and, by default, deletes them from the
server). IMAP is much more advanced: the user can see all the folders on the mail server
and organize the emails directly there, keeping the mailbox in sync across clients.

Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and
Orthogonal Frequency-Division Multiplexing (OFDM) all spread a transmission across a wide
band rather than a single narrow channel, but they do it differently: FHSS transmits on one
frequency at a time and hops between frequencies in a pseudorandom sequence known to both
ends; DSSS multiplies the data with a higher-rate chipping code so every bit is spread over
the whole channel at once; OFDM splits the channel into many closely spaced orthogonal
subcarriers that are used in parallel (802.11a/g/n/ac/ax). Only DSSS and OFDM actually
occupy many frequencies at the same instant.

The Challenge-Handshake Authentication Protocol, or CHAP (RFC 1994), is used by PPP
servers to authenticate remote clients. The password is never sent over the link: the
server sends a random challenge, and the client answers with an MD5 hash of its identifier,
the shared secret and the challenge. The server performs periodic re-authentication with
fresh challenges while the session is up, which prevents a captured response from being
replayed. (Contrast PAP, which sends the username and password in cleartext.)
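The exchange described above, written out as an added example (not code from the original post). It implements the RFC 1994 MD5 response, a server that consumes each challenge once, a replay attempt that fails, and the one thing CHAP does not protect against: offline guessing of the secret from a captured challenge/response pair. The class and function names, the peer name and the secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Added example of a CHAP (RFC 1994) exchange with the MD5 algorithm.
# The class/function names and the secret below are assumptions for
# illustration, not taken from the page.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || Secret || Challenge).
    The secret itself is never transmitted; only this 16-byte hash is."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """PPP server side: issues challenges and verifies responses."""

    def __init__(self, secrets: dict):
        self.secrets = secrets        # peer name -> shared secret
        self.ident = 0
        self.outstanding = {}         # ident -> challenge still awaiting a response

    def challenge(self, length: int = 16):
        """Send a fresh random challenge; the identifier ties the response to it."""
        self.ident = (self.ident + 1) & 0xFF
        value = os.urandom(length)
        self.outstanding[self.ident] = value
        return self.ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Each challenge is consumed on first use, so a captured response
        cannot be replayed against a later challenge."""
        challenge = self.outstanding.pop(ident, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def dictionary_attack(ident: int, challenge: bytes, response: bytes, candidates):
    """What an eavesdropper can still do: CHAP is replay-resistant, but a
    captured (challenge, response) pair allows offline guessing of the secret."""
    for guess in candidates:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo() -> dict:
    secret = b"correct horse battery"        # assumed shared secret
    auth = ChapAuthenticator({"alice": secret})

    # Legitimate peer answers the challenge.
    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)
    login_ok = auth.verify(ident, "alice", resp)

    # Periodic re-authentication: a new challenge is issued mid-session.
    # An attacker who captured resp replays it and fails.
    ident2, _ = auth.challenge()
    replay_ok = auth.verify(ident2, "alice", resp)

    # Offline dictionary attack on the captured pair (no network needed).
    recovered = dictionary_attack(ident, chal, resp, [b"password", b"letmein", secret])
    return {"login_ok": login_ok, "replay_ok": replay_ok, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The replay fails because the server forgets a challenge the moment it is answered and every new challenge is random; the dictionary attack succeeds because nothing in CHAP slows down guessing, which is why a weak shared secret on a PPP link is still a problem even though it never crosses the wire.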

The Remote Authentication Dial-In User Service (RADIUS) protocol was originally designed
to support dial-up modem connections but is still commonly used as the back-end
authentication server for VPNs, 802.1X wired and wireless access, and network device
logins. Only the User-Password attribute is obfuscated (with MD5 and the shared secret);
the rest of the packet is plaintext, so RADIUS traffic should stay on a management network
or be tunneled with IPsec or RadSec (RADIUS over TLS). ESP and AH are IPsec protocols:
they authenticate packets, not users, and do not provide authentication services for
other systems.
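The User-Password hiding mentioned above, as an added example (not code from the original post): the RFC 2865 section 5.2 scheme on the NAS side, its reversal on the server side, and the offline attack that motivates tunneling RADIUS. The function names and the sample secret and password are assumptions for illustration.

```python
import hashlib
import os

# Added example: the RADIUS User-Password hiding scheme from RFC 2865 section 5.2.
# Names below (hide_password etc.) and the sample secret/password are
# assumptions for illustration, not taken from the page.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client (NAS) side. The password is padded with NULs to a multiple of
    16 octets and XORed, block by block, with an MD5 stream keyed by the
    shared secret: b1 = MD5(S + RA), c1 = p1 ^ b1, b2 = MD5(S + c1), c2 = p2 ^ b2 ..."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + 16], b)
        out += c
        prev = c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: reverse the XOR chain and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], b)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def recover_secret(hidden: bytes, request_authenticator: bytes,
                   known_password: bytes, candidates):
    """Why RADIUS across untrusted networks needs IPsec or RadSec: an attacker
    who captures an Access-Request for a password they know (e.g. their own
    account) can brute-force the shared secret offline, because
    hidden[:16] ^ p1 == MD5(secret + RA) and RA is sent in the clear."""
    p1 = (known_password + b"\x00" * 16)[:16]
    target = _xor(hidden[:16], p1)
    for guess in candidates:
        if hashlib.md5(guess + request_authenticator).digest() == target:
            return guess
    return None


if __name__ == "__main__":
    ra = os.urandom(16)                          # Request Authenticator, random per request
    hidden = hide_password(b"hunter2", b"radius-secret", ra)
    print(hidden.hex(), reveal_password(hidden, b"radius-secret", ra))
    print(recover_secret(hidden, ra, b"hunter2", [b"password", b"radius-secret"]))
```

Note that a password of 17 to 32 octets produces a 32-octet attribute, so the hidden length leaks the rough length of the password; the scheme hides content, not length, and gives no integrity protection at all for the other attributes.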

Distance-vector protocols (such as RIP) choose routes using metrics like direction and
distance in hops to remote networks, learned from neighbors' routing tables. A link-state
routing protocol (such as OSPF) floods link information so that every router holds a map
of the whole topology and computes the shortest path to each remote network itself
(Dijkstra's algorithm).

A service set identifier (SSID) is a sequence of characters that uniquely names a wireless
local area network (WLAN). An SSID is sometimes referred to as a "network name." This name
allows stations to connect to the desired network when multiple independent networks
operate in the same physical area.

Beacon frames are transmitted periodically, they serve to announce the presence of a
wireless LAN and to synchronise the members of the service set.

A proxy is a form of gateway that provides clients with filtering, caching, or another
service that protects their information from remote systems. A router connects networks,
a firewall uses rules to limit the traffic permitted through it, and a gateway translates
between protocols.

DNS poisoning occurs when an attacker changes the domain name to IP address mappings in a
system's cache or hosts file to redirect traffic to alternate systems. DNS spoofing occurs
when an attacker sends false replies to a requesting system, beating the valid reply from
the actual DNS server (the forged reply must match the query's transaction ID and source
port, which is why randomizing both matters). ARP spoofing provides a false hardware (MAC)
address in response to queries about an IP address.

S/MIME supports both signed messages and a secure envelope method. While the
functionality of S/MIME can be replicated with other tools, the secure envelope is an
S/MIME-specific concept. MOSS, or MIME Object Security Services, and PEM (Privacy
Enhanced Mail) can also both provide authentication, confidentiality, integrity, and
nonrepudiation, while DKIM, or DomainKeys Identified Mail, is a domain validation tool:
the sending domain signs the message so receivers can check that it came from that domain
and was not altered in transit. DKIM does not encrypt anything.

WEP has a very weak security model that relies on a single, predefined, shared static
key for every station. Combined with its 24-bit IV, this means that modern attacks (PTW
and related key-recovery attacks) can break WEP encryption in minutes, often in less than
one, once enough frames have been captured.

802.11n can operate at speeds over 200 Mbps, and it can operate on both the 2.4
and 5 GHz frequency range. 802.11g operates at 54 Mbps using the 2.4 GHz frequency
range, and 802.11ac is capable of 1 Gbps using the 5 GHz range. 802.11a and b are both
outdated and are unlikely to be encountered in modern network installations.

When a workstation or other device is connected simultaneously to both a secure
and a nonsecure network like the Internet (a dual-homed host, or a VPN client with split
tunneling), it may act as a bridge, bypassing the security protections located at the edge
of a corporate network.

Direct Inward System Access (DISA) uses access codes assigned to users to add a control
layer for external access to and control of the PBX. If the codes are compromised,
attackers can make toll calls through the PBX or even control it. Not updating a PBX can
lead to a range of issues, but the DISA-specific risk is code compromise. Allowing only
local calls and using unpublished numbers are both security controls and might help keep
the PBX more secure.

802.1x provides port-based authentication and can be used with technologies like
EAP, the Extensible Authentication Protocol. 802.11a is a wireless standard, 802.3 is the
standard for Ethernet, and 802.15.1 was the original Bluetooth IEEE standard.

SPIT stands for Spam over Internet Telephony and targets VoIP systems.

FDDI, or Fiber Distributed Data Interface, is a token-passing network that uses a
pair of rings with traffic flowing in opposite directions. It can bypass broken segments by
dropping the broken point and using the second, unbroken ring to continue to function.
Token Ring also uses tokens, but it does not use a dual loop. SONET is a protocol
for sending multiple optical streams over fiber, and a ring topology is a design, not a
technology.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for
public key encryption and signing of MIME data.

DomainKeys Identified Mail, or DKIM, is designed to allow assertions of domain identity
to validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication,
integrity, nonrepudiation, and confidentiality, depending on how they are used.

Traditional PBX systems and most cordless phones carry voice without encryption and are
therefore prone to eavesdropping.

VLAN hopping between the voice and data VLANs can be accomplished when devices share the
same switch infrastructure, typically by double-tagging frames or by negotiating a trunk
with a switch port that still runs DTP. Using physically separate switches can prevent
this attack; on shared switches, disable trunk negotiation on access ports and use a
dedicated, otherwise unused native VLAN on trunks.

Data streams are associated with the Application, Presentation, and Session layers.
Once they reach the Transport layer, they become segments (TCP) or datagrams (UDP).
From there, they are converted to packets at the Network layer, frames at the Data Link
layer, and bits at the Physical layer.

A T3 (DS-3) line is capable of 44.736 Mbps. This is often referred to as 45 Mbps. A T1
is 1.544 Mbps, ATM over an OC-3 link runs at 155 Mbps, and ISDN BRI is 64 or 128 Kbps
(one or two B channels).

Older Bluetooth pairing does not provide strong encryption, so such devices should only be
used for activities that are not confidential. Legacy Bluetooth PINs are four-digit codes
that often default to 0000. Turning Bluetooth off when it is not needed and ensuring that
devices are not left in discoverable mode helps prevent Bluetooth attacks.

The assignment of endpoint systems to VLANs is normally performed by a network switch.

Fibre Channel over Ethernet (FCoE) allows Fibre Channel communications over Ethernet
networks, allowing existing high-speed networks to be used to carry storage traffic. This
avoids the cost of a separate cable plant for a Fibre Channel implementation. MPLS, or
Multiprotocol Label Switching, is used for high-performance networking: it forwards
traffic by short labels rather than by per-hop IP lookups.

A teardrop attack uses fragmented packets to target a flaw in how a host's TCP/IP stack
reassembles IP fragments: the fragments carry overlapping offsets that the reassembly code
cannot handle. If the attack is successful, the stack crashes, resulting in a denial of
service. Christmas tree attacks set all of the possible TCP flags on a packet, thus
"lighting it up like a Christmas tree"; the nonsensical combination is used to fingerprint
or crash targets.
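Both signatures above are easy to detect on the wire. The following is an added example (not code from the original post) that builds minimal IPv4 and TCP headers for constructed sample traffic and runs a small inspector over them: it flags a TCP segment with every flag bit set, the FIN/PSH/URG combination nmap sends for its Xmas scan, and a fragment whose byte range overlaps an earlier fragment of the same datagram. Function names, the alert strings and the sample addresses are assumptions for illustration.

```python
import struct

# Added example: a small inspector for the two attack signatures above,
# run over constructed packets. Function names and the sample addresses
# are assumptions for illustration, not taken from the page.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
PROTO_TCP, PROTO_UDP = 6, 17


def build_ipv4(src: bytes, dst: bytes, proto: int, ident: int,
               more_fragments: bool, offset_units: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) + payload.
    offset_units is the fragment offset in 8-octet units, as on the wire."""
    flags_frag = (IP_MF if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(ff & IP_MF), "offset": (ff & 0x1FFF) * 8,
            "payload": pkt[ihl:total]}


class FragmentTracker:
    """Remembers the byte ranges already seen per datagram so that a
    fragment overlapping an earlier one (the teardrop pattern) is flagged."""

    def __init__(self):
        self.seen = {}      # (src, dst, ident, proto) -> [(start, end), ...]

    def overlaps(self, ip: dict) -> bool:
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        start = ip["offset"]
        end = start + len(ip["payload"])
        ranges = self.seen.setdefault(key, [])
        hit = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return hit


def inspect(pkt: bytes, tracker: FragmentTracker) -> list:
    ip = parse_ipv4(pkt)
    alerts = []
    if (ip["mf"] or ip["offset"]) and tracker.overlaps(ip):
        alerts.append("overlapping IP fragment (teardrop-style)")
    # Only the first fragment carries the TCP header, so check flags there.
    if ip["proto"] == PROTO_TCP and ip["offset"] == 0 and len(ip["payload"]) >= 20:
        flags = ip["payload"][13]
        if flags & ALL_FLAGS == ALL_FLAGS:
            alerts.append("all TCP flags set (Christmas tree)")
        elif flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
            alerts.append("FIN/PSH/URG without SYN/ACK (nmap-style Xmas scan)")
    return alerts


def demo() -> list:
    """Run the inspector over constructed sample traffic; returns one alert list per packet."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tracker = FragmentTracker()
    packets = [
        build_ipv4(src, dst, PROTO_TCP, 1, False, 0, build_tcp(40000, 80, SYN)),
        build_ipv4(src, dst, PROTO_TCP, 2, False, 0, build_tcp(40000, 80, ALL_FLAGS)),
        build_ipv4(src, dst, PROTO_TCP, 3, False, 0, build_tcp(40000, 80, FIN | PSH | URG)),
        # Two fragments of datagram 7: the second starts at byte 8, inside the first.
        build_ipv4(src, dst, PROTO_UDP, 7, True, 0, b"A" * 24),
        build_ipv4(src, dst, PROTO_UDP, 7, False, 1, b"B" * 24),
    ]
    return [inspect(p, tracker) for p in packets]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```

The overlap check is the interesting part: a normal second fragment starts exactly where the first ended, so `start < e` is false and nothing fires; teardrop fragments start inside the previous range, which is what real reassembly code mishandled.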

The Point-to-Point Protocol (PPP) is used for dial-up connections for modems, ISDN,
Frame Relay, and other technologies. It replaced SLIP in almost all cases, adding link
negotiation, authentication (PAP, CHAP, EAP) and support for multiple network protocols.

While non-IP protocols like IPX/SPX, NetBEUI, and AppleTalk are rare in modern
networks, they can present a challenge because many firewalls are not capable of filtering
them. This can create risks when they are necessary for an application or system's function,
because they may have to be passed without any inspection.

PEAP encapsulates EAP in a TLS tunnel, providing strong encryption. LEAP is a Cisco proprietary
protocol that was originally designed to help deal with problems in WEP. LEAP’s protections
have been defeated, making it a poor choice.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used
in network and internet connections: it carries a pluggable authentication method (such as
EAP-TLS or MS-CHAPv2) rather than being one fixed algorithm. PEAP (Protected Extensible
Authentication Protocol) wraps the EAP exchange in a TLS tunnel so that the inner method's
credentials are protected. PEAP is designed to provide more secure authentication for
802.11 WLANs (wireless local area networks) that use 802.1X port access control.

L2TP can use IPsec to provide encryption of traffic, ensuring confidentiality of the
traffic carried via an L2TP VPN. PPTP sends the initial packets of a session in plaintext,
potentially including usernames and hashed passwords, and its MS-CHAPv2 authentication can
be cracked offline. PPTP does support EAP and was designed to encapsulate PPP packets. VPN
tunnels are point-to-point connections, so multipoint issues are not a VPN problem.

Classic Ethernet is logically a bus: all stations share one medium and use CSMA/CD. Even
when devices are physically cabled to a hub in a layout that looks like a star, systems on
the segment can all transmit at the same time, leading to collisions. On a modern switched,
full-duplex network each switch port is its own collision domain and collisions no longer
occur.

WEP's use of RC4 is weakened by a static shared key and a 24-bit initialization vector:
the per-packet RC4 key is simply IV || key, so keystream reuse is guaranteed once the
small IV space repeats, and certain weak IVs leak key bytes (the FMS and later PTW attacks).
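The IV problem described here and in the earlier WEP note ("modern attacks can break WEP encryption in less than a minute"), as an added example that is not code from the original post: a plain RC4, WEP's per-packet key construction, a known-plaintext recovery across two frames that share an IV, and the birthday bound that says how soon an IV repeats. The key, the IV and the frame contents are assumptions for illustration, and the CRC-32 ICV that real WEP appends is omitted.

```python
import math

# Added example for the two WEP notes above: an RC4 implementation, WEP's
# per-packet key construction (IV || shared key), and what IV reuse costs.
# The function names, the key and the frame contents are assumptions for
# illustration, not taken from the page; the CRC-32 ICV real WEP appends is omitted.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in the clear, then RC4(IV || key) XOR data.
    Because the shared key is static, the keystream depends on the IV alone,
    and the IV space is only 2^24."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    return iv + xor_bytes(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, plaintext_a: bytes):
    """Two frames under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b.
    With one plaintext known (e.g. a predictable header), the other falls out
    without ever touching the key. Returns None if the IVs differ."""
    iv_a, c_a = frame_a[:3], frame_a[3:]
    iv_b, c_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    n = min(len(c_a), len(c_b), len(plaintext_a))
    return xor_bytes(xor_bytes(c_a[:n], c_b[:n]), plaintext_a[:n])


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: number of random IVs after which some IV has repeated
    with the given probability, from p ~ 1 - exp(-k^2 / 2N)."""
    n = 2 ** iv_bits
    return math.sqrt(-2 * n * math.log(1 - probability))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # assumed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")
    f1 = wep_encrypt(key, iv, b"GET /index.html ")
    f2 = wep_encrypt(key, iv, b"POST /login HTTP")
    print(recover_with_known_plaintext(f1, f2, b"GET /index.html "))
    print(round(frames_until_iv_collision()))
```

With random IVs a repeat is more likely than not after roughly 4,800 frames, which a busy access point sends in seconds; many cards used a counter instead and restarted from zero on reset, which is worse. The key-recovery attacks go further than this example, but keystream reuse alone is already enough to decrypt traffic with known headers.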

VLANs can be used to logically separate groups of network ports into separate broadcast
domains while still providing access to a shared uplink (generally the Internet), much
like hotel rooms that share a single entrance but not each other's space.
