Sunday, April 24, 2016

Network Security Interview Questions

Split tunneling allows what?
simultaneous access through the tunnel and outside the tunnel using same network adaptor

what type of key does AES use ?
same key is used by AES for encryption and decryption

Which ESP fields are not encrypted?
SPI and sequence number

Hair pinning allows what?
the packet comes in on single interface and routed out from the same interface which by default is not allowed on ASA.

What does crypto ACL do?
It identifies the traffic that should be encrypted.

A QM_IDLE ikev1 phase1 state means?

Ikev1 phase 1 tunnel is established

What is the command that is used to identify/list the port no.s used by various applications in Unix/Windows?
netstat -anb
-a is for show all
-n is for show numbers
-b is for show PID i.e Process IDs

Explain How does NAT/PAT work?
NAT means Network Address Translation, NAT helps the Private IP to route over the public Internet, its translate private IP to a public IP by one to one or many to one, PAT means Port Address Translation , its translate based on source port

How will request send by http browser from workstation to any website goes through router and come back to workstation and open web page. Explain how packets travel in term of ip protocols. ?
once a web site is entered in the address bar and enter key pressed the following process happens.

1. The system performs a check on the dns cache to check if there is any entry for the concerned domain name if yes goes to step 3.
2. the system performs a dns query for converting the domain name into ip by sending a query to the DNS server.
3. once a dns response for the query is received the initiates a 3 way handshake with destination ip on port 80 or 443.
4. client sends a sync to server, server sends a sync+ack to client. the client sends a ack to sync from the server.
5. once a 3 way hand shake is completed the browser presents the request to server.
6. based on the received request the server responds with requested file/data.
7. once the transmitting of data is completed the server sends a fin packet, then client sends a fin packet and connection gets terminated.

What is Domain Controller
A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources.
A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain

What is Digital Signatures?
Digital signature is an attachment to an electronic message used for security purpose. It is used to verify the authenticity of the sender.

What is Data encryption?
Data encryption ensures data safety and very important for confidential or critical data. It protect data from being read, altered or forged while transmission.

What is the Public Key Encryption?
Public key encryption use public and private key for encryption and decryption. In this mechanism, public key is used to encrypt messages and only the corresponding private key can be used to decrypt them. To encrypt a message, a sender has to know recipient’s public key.

What are Brute Force Attacks?
Brute forcing is a mechanism which is used by an attacker to break the encryption of data by applying a set of various key. Cryptanalyst has a set of number of keys and apply them one by one to the encryption algorithm until he get the right key.
In this example a cryptanalyst may apply bruteforcing to the value of msgID and read the user’s data.
In this the browser requesting for Displaymsg.asp page and sending msgID 87951 to the web server.

How do you use RSA for both authentication and secrecy?
RSA is a public key encryption algorithm. The RSA algorithms are based on the mathematical part that it is easy to find and multiply large prime numbers together, but it is extremely difficult to factor their product.
For authentication: One can encrypt the hash (MD4/SHA) of the data with a private key. This is known as digital signature.

If you are a victim of Denial of Service (Dos) then what you do?
The function of a denial of service attack is to flood its target machine with too much traffic and prevents it from being accessible to any other requests or providing services.
To prevent DoS attacks firewall can be configured as a relay; in this approach the firewall responds on behalf of the internal host. During the attack, the firewall responds to the SYN sent by the attacker; since the ACK never arrives, the firewall terminates the connection.
By Keeping protocols and Antivirus software up-to-date, we can prevent to be a victim of DoS. A regular scanning of the machine is also necessary in order to detect any anomalous behaviour.

What are the differences among encoding, encryption and hashing?
Encoding: Basically encoding is used to protect the integrity of data as it crosses through a communication network to keep its original message upon arriving. It is primarily an insecure function because it is easily reversible.
Encryption: Encryption is basically designed for confidentiality and data integrity and reversible only if you have the appropriate key.
Hashing: With hashing, the operation is one-way i.e. non-reversible. It takes an input (or , message ) and returns a fixed-size string, which is called the hash value.

What is Authentication Header and how it provides the protection to IP header?
Basically, Authentication Header protects IP header and provides the complete authenticity to the IP packets.
AH may work in two ways: transport mode and tunnel mode.
In tunnel mode; AH protects the IP header using two IP header layers inner and outer. Inner IP header is used to contain the source and destination addresses, and the outer IP header is used to contain the security gateway information.

What’s more secure, SSL or HTTPS?
Trick question: these are not mutually exclusive.
HTTPS runs over SSL (as it's name suggests, HTTP-over-SSL), not SSL over HTTP. First SSL session is established, then all HTTP data are wrapped into secured SSL packets before sending and after receiving.


The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

Which is more Secure SSL or TLS

In terms of security they both are consider equally secured
The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

(SSL and TLS vs HTTP)

HTTP protocol is used to request and recive the data and https in which the 's' is nothing but secure SSL which makes the http protocol request and receive activity encrypted so no middle man attacker can obtain the data easily.

If neither SSL nor TLS is used with HTTP

then your connection with the web server is unencrypted all the data will be sent in plaintext any middle man attacker can obtain and view that data.

so should go with SSL or TLS

well, both are same but TLS is more extensible and hoping to get more support in future and TLS is backward compatible.

SSL (Secure Socket Layer)

SSL was created by Netscape Communications Corporation back in 1994. It was designed to create a secure Internet communication via the Web. It is a standard protocol that encrypts communication between your browser and the server. It allows for private information like social security numbers, credit card details, and login credentials to be transferred easily over the Internet.
SSL utilizes two keys:
  • Public keys that are knowable by everyone.
  • Private keys known only by the person receiving the message.
The two keys work together to form an encrypted connection via the Web.
Being able to connect to a specific port requires a secure connection. As an example, you would use port 442 for HTTPS, 995 for secure POP, 993 for secure IMAP and so on. All of these ports are already set up on the server. They are ready to negotiate secure connections first, then they will proceed to do whatever else you need after that.

TLS (Transport Layer Security)

TLS is a type of protocol allowing communication between the Internet and client-server applications. It forms a secure communication via the Web for email, data transfers, and faxing.
TLS has two distinct layers:
  • TLS Record Protocol establishes a secure connection with encryption methods like data encryption standard.
  • TLS Handshake Protocol allows authentication for the servers and clients together. Before data can be exchanged, it has to convert cryptographic keys and algorithms.
This particular type of connection begins by contacting the server. Then, it switches to a secured method of communication after the initial handshake is successful. In the event the handshake fails, the connection will be terminated. One of the best examples of this is using the command STARTTLS that is used for an outbound email connection.
  • There are a number of benefits to using an SSL or TLS connection, such as:
  • Secured communication between the server and the browser
  • Ensured safety of your sensitive information
  • Encrypted user and website info
  • SEO benefits when conducting Google searches
  • Protection for your website from cyber attacks
  • A boost to your website's reputation online
  • Security for your software, documents and applications

HTTPS (Secure Hypertext Transport Protocol)

HTTPS is a secure version of HTTP. This ensures that any communication sent online is secured by the SSL/TLS connection. Any ongoing communication between the server and browser will be encrypted for your safety. It allows you to evaluate how secure the environment is. If you are looking to establish an HTTPS connection, you will have to first purchase an SSL certificate from someone you can trust. You don't want to purchase a certificate from just anyone. Look for a trusted certificate authority. Then, you need to install it on the proper server.
HTTPS is the code-text that is written using standard HTTPS format and secured with SSL/TLS to encrypt the HTTP text and ensure the communication is protected at all times.
There are a number of reasons to use an HTTPS connection:
  • It helps to establish a secure communication between server and browser
  • It secures websites against tampering activities or eavesdropping
  • It protects users from man-in-the-middle attacks
  • It is used worldwide by business of all sizes to process secure payment transactions
  • It is used by banking, healthcare, e-commerce, social media and government industries

If you had to both encrypt and compress data during transmission, which would you do first, and why?

Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.

What’s the difference between symmetric and public-key cryptography

single key vs. two keys, etc, etc.

In public-key cryptography, you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
You encrypt with the other person’s public key, and you sign with your own private.

What port does ping work over?
ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols

How exactly does traceroute/tracert work at the protocol level?
The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

What’s the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol.
an encryption algorithm,
very slow for bulk data encryption
sender encrypts the data to be transferred using the public key of the recipient
receiver decrypts the encrypted data using his private key.

DH -
A method of exchanging cryptographic keys
establishes a shared secret that can be used for secret communications
vulnerable to man-in-middle attack

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.

How would you implement a secure login field on a high traffic website where performance is a consideration?
present the login form via HTTPs. A key piece of the answer should center around avoidance of the MiTM threat posed by pure HTTP.

What are the various ways to handle account brute forcing?

Look for a discussion of account lockouts, IP restrictions, fail2ban, etc.

What is Cross-Site Request Forgery?

when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowledge. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. A victim just loading that page could potentially get logged out from, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

What’s the difference between HTTP and HTML?

Http is the networking/application protocol and the other is the markup language.

What exactly is Cross Site Scripting?
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application

What’s the difference between stored and reflected XSS?

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

What’s the difference between a threat, vulnerability, and a risk?
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few different schools on this. Just look for solid answers that are self-consistent.

How would traceroute help you find out where a breakdown in communication is?
Tracert or traceroute, depending on the operating system, allows you to see exactly what routers you touch as you move along the chain of connections to your final destination. However, if you end up with a problem where you can’t connect or can’t ping your final destination, a tracert can help in that regard as you can tell exactly where the chain of connections stops. With this information, you can contact the correct people – whether it be your own firewall, your ISP, your destination’s ISP or somewhere in the middle.

Why would you want to use SSH from a Windows pc?
SSH (TCP port 22) is a secure connection used on many different systems and dedicated appliances. Routers, Switches, SFTP servers and unsecured programs being tunneled through this port all can be used to help harden a connection against eavesdropping. Despite the fact that most times when you hear about somebody ‘SSHing’ into a box it involves Linux, the SSH protocol itself is actually implemented on a wide variety of systems – though not by default on most Windows systems. Programs like PuTTY, Filezilla and others have Windows ports available, which allow Windows users the same ease-of-use connectivity to these devices as do Linux users.

What’s the difference between Symmetric and Asymmetric encryption?

Symmetric encryption uses the same key to encrypt and decrypt, while Asymmetric uses different

What is XSS?
Cross-site scripting, the nightmare of Javascript. Because Javascript can run pages locally on the client system as opposed to running everything on the server side, this can cause headaches for a programmer if variables can be changed directly on the client’s webpage. There are a number of ways to protect against this, the easiest of which is input validation.

How would you log in to Active Directory from a Linux or Mac box?
While it may sound odd, it is possible to access Active Directory from a non-Windows system. Active Directory uses an implementation of the SMB protocol, which can be accessed from a Linux or Mac system by using the Samba program. Depending on the version, this can allow for share access, printing, and even Active Directory membership.

What are salted hashes?
Salt at its most fundamental level is random data. When a properly protected password system receives a new password, it will create a hashed value for that password, create a new random salt value, and then store that combined value in its database. This helps defend against dictionary attacks and known hash attacks. For example, if a user uses the same password on two different systems, if they used the same hashing algorithm, they could end up with the same hash value. However, if even one of the systems uses salt with its hashes, the values will be different.

What are the three ways to authenticate a person?

Something they know (password), something they have (token), and something they are (biometrics). Two-factor authentication often times uses a password and token setup, although in some cases this can be a PIN and thumbprint.

You see a user logging in as root to perform basic functions. Is this a problem?
A Linux admin account (root) has many powers that are not permitted for standard users. That being said, it is not always necessary to log all the way off and log back in as root in order to do these tasks. For example, if you have ever used the ‘run as admin’ command in Windows, then you will know the basic concept behind ‘sudo’ or ‘superuser (root) do’ for whatever it is you want it to do. It’s a very simple and elegant method for reducing the amount of time you need to be logged in as a privileged user. The more time a user spends with enhanced permissions, the more likely it is that something is going to go wrong – whether accidentally or intentionally.

What is VPN?
VPN means Virtual Private Network, a technology that allows a secure tunnel to be created across a network such as the Internet. For example, VPNs allow you to establish a secure dial-up connection to a remote server.

What is NIC?

NIC is short for Network Interface Card. This is a peripheral card that is attached to a PC in order to connect to a network. Every NIC has its own MAC address that identifies the PC on the network.

What is DoS?
DoS, or Denial-of-Service attack, is an attempt to prevent users from being able to access the internet or any other network services. Such attacks may come in different forms and are done by a group of perpetrators. One common method of doing this is to overload the system server so it cannot anymore process legitimate traffic and will be forced to reset.

What is tracert?
Tracert is a Windows utility program that can be used to trace the route taken by data from the router to the destination network. It also shows the number of hops taken during the entire transmission route.

What protocol can be applied when you want to transfer files between different platforms, such between UNIX systems and Windows servers?
Use FTP (File Transfer Protocol) for file transfers between such different servers. This is possible because FTP is platform independent.

What is netstat?
Netstat is a command line utility program. It provides useful information about the current TCP/IP settings of a connection.

What is ICMP?

ICMP is Internet Control Message Protocol. It provides messaging and communication for protocols within the TCP/IP stack. This is also the protocol that manages error messages that are used by network tools such as PING.

What is Ping?
Ping is a utility program that allows you to check connectivity between network devices on the network. You can ping a device by using its IP address or device name, such as a computer name.

You need to connect two computers for file sharing. Is it possible to do this without using a hub or router?
Yes, you can connect two computers together using only one cable. A crossover type cable can be used in this scenario. In this setup, the data transmit pin of one cable is connected to the data receive pin of the other cable, and vice versa.

What is ipconfig?
Ipconfig is a utility program that is commonly used to identify the addresses information of a computer on a network. It can show the physical address as well as the IP address.

What is client/server?
Client/server is a type of network wherein one or more computers act as servers. Servers provide a centralized repository of resources such as printers and files. Clients refer to workstation that access the server.

When you move the NIC cards from one PC to another PC, does the MAC address gets transferred as well?
Yes, that’s because MAC addresses are hard-wired into the NIC circuitry, not the PC. This also means that a PC can have a different MAC address when the NIC card was replaced by another one.

What is the importance of Encryption on a network?
Encryption is the process of translating information into a code that is unreadable by the user. It is then translated back or decrypted back to its normal readable format using a secret key or password. Encryption help ensure that information that is intercepted halfway would remain unreadable because the user has to have the correct password or key for it.

What do mean by tunnel mode?
This is a mode of data exchange wherein two communicating computers do not use IPSec themselves. Instead, the gateway that is connecting their LANs to the transit network creates a virtual tunnel that uses the IPSec protocol to secure all communication that passes through it.

What is RSA algorithm?
RSA is short for Rivest-Shamir-Adleman algorithm. It is the most commonly used public key encryption algorithm in use today.

What is a firewall?
A firewall is used to provide security to the private networks connected to the internet. They can be implemented as hardware or software, or a combination of both. All incoming and outgoing network traffic are examined and accepted/rejected by the firewall as per defined rules.

What is the difference between network gateway and a firewall?

A: A network gateway joins two networks together and a network firewall protects a computer network against unauthorized incoming or outgoing access. Network firewalls may be hardware devices or software programs.

What is the difference between IPS and a firewall?
A: The primary function of a firewall is to prevent/control traffic flow from an untrusted network (outside). A firewall is not able to detect an attack in which the data is deviating from its regular pattern, whereas an IPS can detect and reset that connection as it has inbuilt anomaly detection.

What is a transparent firewall?

A: A transparent firewall is considered as Layer 2. Deploying a new firewall into a network can be a complicated process due to various issues (e.g. IP address reconfiguration, network topology changes, current firewall etc.) because the firewall is not a routed hop and you can easily introduce a transparent firewall into an existing network.

What is packet filtering?
A: Packet filtering is the process of permitting or blocking ip packets based on source and destination addresses, ports, or protocols. The packet filter examines the header of each packet based on a specific set of rules, and on that basis, decides to prevent it from passing or allow. Packet filtering is also part of a firewall program for protecting a local network from unwanted access.

What is the Public Key Encryption?
A: Public key encryption uses public and private key for encryption and decryption. In this mechanism, public key is used to encrypt messages and only the corresponding private key can be used to decrypt them. To encrypt a message, a sender has to know the recipient’s public key.

Define Digital Signatures
A: Digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.

What is Authorization?

A: Authorization is a security mechanism used to determine user/client privileges or access levels related to network resources, including firewalls, routers, switches and application features. Authorization is normally preceded by authentication and during authorization. It’s system that verifies an authenticated user’s access rules and either grant or refuses resource access.

What is stateful failover?
A: Every time a session is created for a flow of traffic on the primary node, it is synced to the secondary node. When the primary node fails, sessions continue to pass traffic through the second node without having to re-establish.

What is VPN and describe IPsec VPN?

A: Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet.
IPsec VPN means VPN over IP Security allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session.

What is Site to Site and remote access VPN?
A: A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN is different from remote-access VPN as it eliminates the need for each computer to run VPN client software as if it were on a remote-access VPN.

How do you check the status of the tunnel’s phase 1 & 2?
A: Use following commands to check the status of tunnel phases:
Phase 1 : show crypto isakmp and State : MM_ACTIVE
Phase 2 : show crypto ipsec sa
Note: if you have lot of tunnels and the output is confusing use a ‘show crypto ipsec sa peer’ command instead.

What is SSL VPN? How it is different from IPsec VPN?
A: SSL VPN provides remote access connectivity from almost any internet enabled location without any special client software at a remote site. You only need a standard web browser and its native SSL encryption.
IPsec is a dedicated point-to-point fixed VPN connection where SSL VPNs provides anywhere connectivity without any configuration or special software at remote site.

What is GRE and why is it required?
A: Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks.
GRE enables a wrapper to be placed around a packet during transmission of the data. A receiving GRE removes the wrapper, enabling the original packet to be processed by the receiving stack.
Advantages of GRE tunnels include the following:
    •    GRE tunnels connect discontinuous sub-networks.
    •    GRE tunnels allow VPNs across wide area networks (WANs).
    •    GRE tunnels encase multiple protocols over a single-protocol backbone.
    •    GRE tunnels provide workarounds for networks with limited hops.

Firewalls work at what layer? Define firewall generations and their roles.
A: Firewalls work at layer 3, 4 & 7. First generation firewalls provide packet filtering and they generally operate at layer 3 (Network Layer). Second generation firewalls operate up to the Transport layer (layer 4) and records all connections passing through it and determines whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. Second generation firewall is mainly used for Stateful Inspection.
Third generation firewalls operate at layer 7. The key benefit of application layer filtering is that it can “understand” certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)).

What is DoS attack? How can it be prevented?
A: DoS (Denial of Service) attack can be generated by sending a flood of data or requests to a target system resulting in a consume/crash of the target system’s resources. The attacker often uses ip spoofing to conceal his identity when launching a DoS attack.

What is IP Spoofing?
A: An IP spoofing attack enables an attacker to replace its identity as trusted for attacking host. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host.

What are the security-levels in cisco ASA?
A: ASA uses security levels to determine the parameters of trust given to a network attached to the respective interface. The security level can be configured between 0 to 100 where higher number are more trusted than lower. By default, the ASA allows packets from a higher (trusted) security interface to a lower (untrusted) security interface without the need for an ACL explicitly allowing the packets.

What is AAA?
A: AAA stands for authentication, authorization and accounting, used to control user’s rights to access network resources and to keep track of the activity of users over a network. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

What is IPS? How does it work?
A: An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. An Intrusion Prevention System can play a good role to protect against various network security attacks such as brute force attacks, Denial of Service (DoS) attacks, and vulnerability detection. Moreover, an IPS also ensures prevention against protocol exploits.
Intrusion Prevention System uses four types of approaches to secure the network from intrusions which include:
    •    Signature-Based
    •    Anomaly-Based
    •    Policy-Based
    •    Protocol-Analysis-Based

How can a brute force attack on a router be prevented
A limit for the maximum number of login attempts can be setup on the router. On exceeding the limit, the account can be locked. Logs can be setup on the router to observe the IP address from which the login attempts is generated and an access list set up to block the IP.

Name two radius servers which are used in network environment

IAS Server and FreeRadius.

A switch is configured to authenticate users with a radius server. Which port on the server would be used for radius authentication

UDP port 1812 would be used for the same.

A user needs to access a Windows PC, which is behind a NAT router in office. What method can be used to access the desktop of the PC from home

To access the desktop of a remote PC, windows remote desktop protocol can be used. Since the PC is behind a NAT router, port forwarding can be setup on the router to forward packets to the internal PC. The user at home would initiate remote desktop connection to the internet IP address of the NAT router, which would forward the request to the internal PC.

A VPN server is to be deployed in an organization. The VPN server would be used by remote users for gaining access to the organization network. The organization has a NAT router, which is used by users inside the organization for internet sharing and has one public IP address. Can the VPN server use the same IP address, which can then be used by remote users.
The VPN server can be setup behind the NAT router and port forwarding configured to allow incoming traffic to the VPN server. The remote users would connect to the public IP address of the NAT router, which would then forward the request to the VPN server.

Which feature on a wireless access point can be used for blocking unauthorized access based on the mac-address
Mac-filtering feature on an access point can be used. The list of allowed mac-addresses can be configured using the feature.

Which field in a STP packet is manipulated in a STP BPDU attack.

The priority value in the STP header is crafted lower than the actual root bridge value, which would make the STP topology change, as lower priority value packet would be elected as the root bridge.

Which is a common feature used by stateless firewalls
Access control lists

What is TKIP and why is it used.
TKIP stands for temporal key integrity protocol. It is used by WPA, wifi protected access to provide encryption services on a wireless network.

Which command would you use to ping a system in a loop from a Windows PC.
ping -t can be used to ping the IP address in a loop

Which protocol does ping use at the network layer

What type of ICMP packet is send when a ping request is initiated.
ICMP request.

If a system is not responding to ping requests, what could be a possible reason
A firewall would be blocking ping requests.

What is the similarity between ping and tracert
Both use ICMP for communication

Which protocol does ping use – TCP or UDP
Ping does not use TCP or UDP. It uses ICMP.

If a system does not respond to ping, does it imply the system is shutdown.
No, It could just be any issues on the TCP/IP stack or a firewall is configured to block ping packets.

A user on a PC pings a device which is on a different network through a router. The router is unaware of the network. What would happen.
After the router identifies that the network is unreachable, an ICMP packet is sent from the router to the initiator informing the destination network is unreachable. ICMP Type 3 is used for the purpose.

Is it possible to start wireshark from command line on Windows
Yes, it is possible to start using the appropriate executable on Windows which is wireshark.exe

A user is unable to ping a system on the network. How can wireshark be used to solve the problem.
Ping uses ICMP. Wireshark can be used to check if ICMP packets are being sent out from the system. If it is sent out, it can also be checked if the packets are being received.

Which wireshark filter can be used to check all incoming requests to a HTTP Web server
HTTP web servers use TCP port 80. Incoming requests to the web server would have the destination port number as 80. So the filter tcp.dstport==80.

Which wireshark filter can be used to monitor outgoing packets from a specific system on the network.
Outgoing packets would contain the IP address of the system as it’s source address. So assuming that the IP address of the system is, the filter would be ip.src==

Which is the protocol does HTTPS use for encrypting data
HTTPS uses SSL or TLS for encrypting data.

On which port does a HTTPS server listen on
TCP port 443

Name two instances where you have used HTTPS on the internet
Online transactions (Net banking), Webmail login (Yahoo, gmail)

Does HTTPS use TCP or SSL at the transport layer for data transfer.
HTTPS uses TCP at the transport layer. SSL is used for data encryption.

Can a Web server support HTTP and HTTPS communication simultaneously?
This is possible as both works on different port numbers.

How is the encryption key derived in a HTTPS based communication
The encryption key for every session is derived dynamically between the client and the server.

A user logs into a HTTPS based form on a website with his username and password. Would the username or password be encrypted during the session
Both the username and password would be encrypted in a HTTPS based communication.

Would the authentication between a Web client and a Web Server be successful if the client does not have a client certificate?
Authentication with client certificate is optional. The client can successfully authenticate with the server using a username and password.

Can HTTPS communication be used on a LAN
HTTPS works on TCP/IP. So it can be used any systems which uses TCP/IP irrespective of whether it is on LAN or WAN.

Which feature on a firewall can be used for mitigating IP spoofing attacks
Access control list can be used for the purpose.

What type of firewall can be used to block a web security threat
A web application firewall or a layer 7 firewall can be used for the purpose.

Which fields in a packet does a network layer firewall look into for making decisions.
IP and transport layer headers for information related to source and destination IP addresses, port numbers etc.

Which feature on a Cisco firewall can be used for protection against TCP Syn flood attacks
You can also configure maximum connections, maximum embryonic connections, and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.

Which feature on a firewall can be used to block a specific URL or a website.
URL Filtering.

Which is the main field in an IP header, which is modified by a NAT firewall.
The source IP address in the IP header.

What type of firewall can be configured for providing user based authentication to users on the LAN network.
Proxy firewall.

Which protocol does WEP use for encrypting data.
WEP uses RC4 for encryption.

Name two protocols which are used by wireless clients in a 802.1x authentication

Is 802.11 wireless communication full or half duplex
802.11 uses half duplex communication.

At which layer does WPA encrypt data
It encrypts data at the data link layer.

If three wireless stations communicate with an access point which supports 54 Mbps, what would be the theoretical bandwidth for each user.
802.11 is a shared medium. All users share the bandwidth. So it would be 54/3 per station.

Why is mac-filtering an insecure form of authentication in a wireless network.
A wireless network uses a shared medium, which makes it possible for any user on the wireless network to sniff for valid mac-addresses on the network.

Which protocol does PEAP use to derive session encryption keys.
It uses TLS.

At which layer of the OSI model does WPA handshake work on
Layer 2

Name one free tool which you would use to craft a packet?

How would you design a test plan for testing a feature on a router.
The design document of the feature has to understood, based on which the test plan would be created.

How two tools which you use to automate the process of remote test execution
A combination of TCL and Expect or Python and Pexpect can be used for the purpose.

Name the typical fields which would be available in a test case document used for protocol testing
Test ID, Test description, steps to execute, expected result, actual result, status, remarks

What is the difference between functionality and conformance testing.
Functionality testing refers to the verification and working of the feature on a product. For ex, the working of VLAN on a switch. This is dependent on the design of the specific feature. Conformance testing refers to the procedure of testing the protocol for adherence to standards like RFC, IEEE etc.

Name two commercial tools which can be used for performance testing
IXIA, Spirent.

Name two applications which can be used for test case and defect management.
HP Quality center and Bugzilla.

In the below topology, a router is setup for internet sharing. The TCP/IP adapter setting on the computers are presently configured with the respective IP address and subnet masks. The DNS server provided by the ISP is configured on the router. The LAN IP address of the router is Identify the required additional parameters which needs to be configured on the TCP/IP adapter of the PC’s from the below options.
A. Default gateway and DNS servers as
B. Default gateway as, DNS server not required.
C. Default gateway as the IP address of the switch, DNS server not required
D. Default gateway as the DNS server of the ISP.
DNS servers are required for computers to access internet. DNS servers are responsible for resolving URL into IP address which is mandatory for network communication. The computers which require access to the internet needs to be configured with the respective DNS server IP address. The default gateway also needs to be configured as internet bound packets resides on different networks. In the above topology, the internet provided DNS server IP address is configured on the router. This implies that the router is aware of whom to contact for name resolutions.
The DNS server IP addresses for the respective computers are configured with the routers IP address. When the a user on the computer types a website name, a DNS request packet is generated for identifying the IP address of the URL corresponding to the website name. This packet is sent to the router from where the, DNS request packet is sent to the ISP provided DNS server. The gateway address for the computers needs to be configured with the LAN IP address of the router,

Users on a network are unable to access the internet. Name three steps which you would use to troubleshoot the issue.
a. Check if the router is configured and setup with a public IP address and appropriate DNS servers.

b. Check the TCP/IP adapter settings of the users for DNS server IP address.

c. Check if appropriate routing is enabled on the router.

On a network, users are unable to receive an IP address from the DHCP server on the network. Name the steps you would follow to troubleshoot the issue.
a. Check if the DHCP Server is reachable by ping.

b. Check if the DHCP service is up and running on the system.

c. Check if the DHCP servers and clients are on the same network.

You are a network support engineer who has been asked to setup internet sharing for users on the network. The type of traffic for which internet is required is HTTP, FTP, Telnet ICMP etc. Which technology would you use (Proxy Server or NAT) and why?
Different types of protocols require access to the internet. A proxy server is specific on the type of application or protocol for which internet access is required. This would not suffice the purpose. So a NAT router would be required.

What tool would you use to check if a remote port is open or closed?
nmap can be used for the purpose.

Which protocol would you use to remotely manage a router and why?
SSH , because it is secure.

Name one practical scenario where you would use port forwarding feature on a router?
In a situation , where a PC on the LAN network requires access from the outside network like the internet. The PC can be configured for remote desktop connection and appropriate port forwarding configuration can be setup on the router.

Do the DNS server and default gateway be the same address?
It need not be. If it is the same, the actual DNS server address is to be configured on the gateway.

What resources are located on your DMZ? 
Only systems that are semi-public should be kept on the DMZ.
This includes external web servers, external mail servers, and external DNS. A split-architecture may be used where internal web, mail, and DNS are also located on the internal network.

What resources are located on your internal network?
In addition to internal web, mail, and DNS servers, your internal network could also include databases, application servers, and test and development servers.

What type of traffic are you denying at the firewall?
There should be a default deny rule on all firewalls to disallow anything that is not explicitly permitted. This is more secure than explicitly denying certain traffic because that can create holes and oversights on some potentially malicious traffic.

What is the difference between proxy, firewall, IDS, and IPS?
A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity.

Firewall is basically meant for network traffic control/filtering mainly at layer-3. It allows/denies packets and connections based on certain pre-defined rules.

IDS- Intrusion Detection System is an application which tries to detect intrusion attempts based on attack signature database it has.

IPS- Intrusion Prevention System detects the intrusion (like IDS) and goes one step ahead to prevent it as well. It simply drops the packet it thinks suspicious (based on rules)
    1.    proxy – Squid
    2.    Firewall- IPTables, CISCO Pix, ZoneAlarm
    3.    IDS- SNORT
    4.    IPS- IBM Proventia

Can an IDS be used to prevent intrusions?
(Ans is yes, ex- SNORT, one of the open source IDS if configured in in-line mode in conjunction with IPTables, it can act as IPS)

How does HTTP handles state?
Ans: HTTP is a stateless protocol.

Because a stateless protocol does not require the server to retain session information or status about each communications partner for the duration of multiple requests. HTTP is a stateless protocol, which means that the connection between the browser and the server is lost once the transaction ends.

HTTP is a connectionless and this is a direct result that HTTP is a stateless protocol. The server and client are aware of each other only during a current request. Afterwards, both of them forget about each other. Due to this nature of the protocol, neither the client nor the browser can retain information between different request across the web pages

What is “SQL injection”?
Ans. SQL Injection is one of the common attacking techniques used by hackers to get the critical data.
Hackers check for any loop hole in the system through which they can pass SQL queries which by passed the security checks and return back the critical data. This is known as SQL injection. It can allow hackers to steal the critical data or even crash a system.
SQL injections are very critical and needs to be avoided. Periodic security testing can prevent these kind of attacks. SQL database security needs to be define correctly and input boxes and special characters should be handled properly.

List the attributes of Security Testing?

Ans. There are following seven attributes of Security Testing:
    1.    Authentication
    2.    Authorization
    3.    Confidentiality
    4.    Availability
    5.    Integrity
    6.    Non-repudiation
    7.    Resilience

What is XSS or Cross Site Scripting?
Ans. XSS or cross site scripting is type of vulnerability that hackers used to attack web applications.
It allows hackers to inject HTML or JAVASCRIPT code into a web page which can steal the confidential information from the cookies and returns to the hackers. It is one of the most critical and common techniques which needs to be prevented.

What is SSL connection and an SSL session?
Ans. SSL or secured socket layer connection is a transient peer-to-peer communications link where each connection is associated with one SSL Session.
SSL session can be defined as association between client and server generally created by handshake protocol. There are set of parameters are defined and it may be share by multiple SSL connections.

What is “Penetration Testing”?
Ans. Penetration testing is on the security testing which helps in identifying vulnerabilities in a system. Penetration test is an attempt to evaluate the security of a system by manual or automated techniques and if any vulnerability found testers uses that vulnerability to get deeper access to the system and found more vulnerabilities. The main purpose of this testing to prevent a system from any possible attacks.
Penetration testing can be done by two ways –White Box testing and Black box testing.
In white box testing all the information is available with the testers whereas in black box testing testers don’t have any information and they test the system in real world scenario to find out the vulnerabilities.

Why “Penetration Testing” is important?

Ans. Penetration testing is important because-
    1.    Security breaches and loop holes in the systems can be very costly as threat of attack is always possible and hackers can steal the important data or even crash the system.
    2.    It is impossible to protect all the information all the time. Hackers always come with new techniques to steal the important data and its necessary for testers as well to perform the testing periodically to detect the possible attacks.
    3.    Penetration testing identifies and protects a system by above mentioned attacks and helps organizations to keep their data safe.

Name the two common techniques used to protect a password file?

Ans. Two common techniques to protect a password file are- hashed passwords and a salt value or password file access control.

List down some factors that can cause vulnerabilities?

Ans. Factors causing vulnerabilities are:
    1.    Design flaws – If there are loopholes in the system that can allow hackers to attack the system easily.
    2.    Passwords – If passwords are known to hackers they can get the information very easily. Password policy should be followed rigorously to minimize the risk of password steal.
    3.    Complexity – Complex software can open the doors on vulnerabilities.
    4.    Human Error – Human error is a significant source of security vulnerabilities.
    5.    Management – Poor management of the data can lead to the vulnerabilities in the system.

List the various methodologies in Security testing?
Ans. Methodologies in Security testing are:
    1.    White Box- All the information are provided to the testers.
    2.    Black Box- No information is provided to the testers and they can test the system in real-world scenario.
    3.    Grey Box- Partial information is with the testers and rest they have to test on their own.

What is a Cookie?

Ans. Cookie is a piece of information received from web server and stored in a web browser which can be read anytime later. Cookie can contain password information, some auto fill information and if any hackers get these details it can be dangerous. Learn here how to test website cookies.

What are the types of Cookies?

Ans. Types of Cookies are:
    •    Session Cookies – These cookies are temporary and last in that session only.
    •    Persistent cookies – These cookies stored on the hard disk drive and last till its expiry or manually removal of it.

What is a honeypot?
Ans. Honeypot is fake computer system which behaves like a real system and attracts hackers to attack on it. Honeypot is used to find out loop holes in the system and to provide solution for these kinds of attacks.

List the parameters that define an SSL session state?
Ans. The parameters that define an SSL session state are:
    1.    Session identifier
    2.    Peer certificate
    3.    Compression method
    4.    Cipher spec
    5.    Master secret
    6.    Is resumable

Describe Network Intrusion Detection system?
Ans. Network Intrusion Detection system generally known as NIDS. It is used for analysis of the passing traffic on the entire sub-net and to match with the known attacks. If any loop hole identified then administrator receives an alert.

What do you see as the most critical and current threats effecting Internet accessible websites?

Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics. 

What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?
Goal of question Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable. 

What do you see as challenges to successfully deploying/monitoring web intrusion detection?
    •    Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
    •    Proper logging increasing the verboseness of logging (Mod_Security audit_log)
    •    Remote Centralized Logging
    •    Alerting Mechanisms
    •    Updating Signatures/Policies

What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?
Cross-Site Scripting: (Acronym XSS) An attack technique that forces a web site to echo client-supplied data, which execute in a users web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".

What are the most important steps you would recommend for securing a new web server? Web application?
    •    Web Server Security:
    •    Update/Patch the web server software
    •    Minimize the server functionality disable extra modules
    •    Delete default data/scripts
    •    Increase logging verboseness
    •    Update Permissions/Ownership of files
    •    Web Application Security:
    •    Make sure Input Validation is enforced within the code - Security QA testing
    •    Configured to display generic error messages
    •    Implement a software security policy
    •    Remove or protect hidden files and directories

Does using a VPN make all of my network traffic secure?
No. The VPN only adds security to traffic that goes over the tunnel. If using the wireless profile, it encrypts the traffic from your computer to the VPN concentrator located on the UMnet Backbone. If you use the Cisco VPN Client from off-campus, only the traffic from your computer to U-M resources located on the UMnet Backbone is encrypted. All traffic to non U-M sites is sent in the clear.To ensure that all of your network traffic is secure (including your password) once it hits the Internet, you should always use encrypted protocols such as SSH, SFTP, SCP, and SSL.

Is VPN a long term solution or short-term solution?
VPNs are long-term solutions. VPNs may become ubiquitious and transparent to user, but they will not go away. Because the problem VPNs address - privacy over the public network . VPN will exist from the desktop to the server , and at the IP packet level as well as the application data level.

In which IPSEC Phase is the keys used for data encryption derived?
The keys are derived in IPSEC phase 2. The derived keys are used by IPSEC protocol ESP for encrypting the data.

How the IPSEC protocols, ESP and AH provide replay protection?
ESP and AH include the sequence number fields in the respective headers. The values are used by the IPSEC peers to track duplicate packets. If a packet with an already received sequence number arrives, it would be rejected, thus providing replay protection.

In IPSEC, If ESP provides both encryption and authentication, why is AH required?
ESP does not provide authentication to the outer IP header, which AH does.

Explain two methods by which two IPSEC routers can authenticate with each other?

IPSEC routers can be authenticated using pre-shared keys or using digital certificates.

Which UDP ports should be open on a firewall to allow traffic from an L2TP/IPSEC based VPN clients to a PPTP VPN server on the inside?
UDP port 500 for IKE traffic, UDP port 1701 for L2TP communication between client and server and UDP port 4500 for NAT-T communication.

Which IP protocol does AH and ESP headers use in IPSEC?
ESP and AH uses IP protocol 50 and 51 respectively.

Which type of VPN would you use if data has to be encrypted at the network layer?
IPSEC VPN encrypts data at the network layer whereas SSL encrypts data at the application layer.

What security vulnerabilities are addressed by VPN?
VPNs directly protect the privacy of a communication and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you discuss electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the information you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough information to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have and they may understand the risk of losing or compromising what they have, few understand both at the same time.

Are VPNs used for specific kinds of applications or environments? If so, what are some examples of where and why VPNs would be deployed?
VPNs should be used for all information exchange. I don't want to have to "go encrypted" when something secret is about to be sent. I want everything to be encrypted. It should be as commonplace as people sending postal mail in sealed envelopes. It will also ensure that the VPN mechanism is working.

What kind of policies and procedures need to be developed for VPN?
If we are imagining an IPSEC world, where eventually the majority of gateways we might connect to supports IPSEC, things become both easy and interesting. If we have a mechanism that can invite encryption use, respond to such invitations, but also talk without encryption if required, we need to think about things such as:

Can you list some items for a VPN checklist from deciding whether to use, then selecting, then deploying, then maintaining VPN?
Well, IPSEC — real IPSEC as it exists today — is still morphing, but not so much that one shouldn't require it as a basis for a VPN. So we might have:
IPSEC compliant (including ISAKMP/Oakley)
Interoperability with other IPSEC compliant vendors
Strong encryption, long key length
If the VPN solution is not part of the firewall, which is fine, will it work with the firewall?
Does the VPN product work both with and without trust? (Remember, it requires working closely with the firewall.)
For an "add on" VPN, does it work in conjunction with the firewall, or does it simply circumvent the firewall? (I'm not suggesting one way is good and the other bad, but it may be something the security manager cares about, and the answer should be known.)
Does the VPN support automatic creation of user-level VPNs (for mobile users)? In a very large organization, the system manager probably would rather not have to manually create VPN accounts for every user.
Has the VPN been certified by a recognized organization? (The ICSA has a certification and testing process for VPNs. Others probably exist as well.)

When and why should I use VPN?
Use VPN when you need to connect to campus resources that would otherwise be unavailable on distant networks such as file servers and print services. VPN provides an added layer of security for some services (FTP, Webmail, etc). This is useful when you're working with a possibly untrustworthy network for example, in hotels or airports. VPN transports any network service without special settings. File sharing, printing, remote desktop, SSH, FTP, telnet, and Web-based services have all been tested with VPN.

Does VPN offer virus protection?
Not at present. While VPN provides considerable security against network eavesdropping, it does not offer security against other Internet threats. For information about protecting your computer from viruses and other attacks, see the CIT Security page.

Can you explain different components in PKI?
certificte authority
private and public keys
certificate enrollment
digital cert

Can you explain static and dynamic tunnels?

Static Tunnel:
The manually created tunnels are called Static Tunnels. Static tunnels creation is the only choice when global discovery of hosts and tunnel partners are disabled by enhancing express tunnels into manually created tunnels. The priority is higher when compared with static tunnel.

Dynamic Tunnel:
The tunnels that are auto-discovered are known as dynamic tunnels. Dynamic tunnels are created quickly and automatically after the Packet Shaper is reset. At the time of preventing automatic tunnel, dynamic tunnels are allowed to setup the situation.

On which layer does L2F, PPTP and L2TP operate?

Can you explain PPTP (Point-to-Point Tunneling Protocol)?
Point-to-Point Tunneling Protocol (PPTP) is a protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet. Effectively, a corporation uses a wide-area network as a single large local area network. A company no longer needs to lease its own lines for wide-area communication but can securely use the public networks. This kind of interconnection is known as a virtual private network (VPN).