Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.

Q.  What security concerns are associated with each LAN topology?

A.  As we know, there are five major LAN topologies: star, bus, ring, mesh, and tree. The star topology is the most common type, and its security risks include broadcast data packets, a central location that can be used to bring the entire network down, and generally insecure transmission media such as twisted-pair or wireless Ethernet. The bus topology is not as common anymore, but may be seen in older networks. A computer can be placed on the main backbone and sniff passing network traffic. Another risk is that by severing the backbone cable an attacker could bring down the network. The mesh topology is the most redundant type of network. It still suffers from the same risks associated with broadcast networks, such as data sniffing. The tree topology's risks can be viewed as a combination of those of the star topology and the bus topology. The ring topology is the most efficient type of LAN topology. Severing the cable that makes up the ring can bring down the ring topology.

Q.  Which network topology is the best for building a secure network?

A.  The mesh topology, when implemented with secure cabling and strong authentication, is the strongest choice when trying to build the most secure network. As we learned, one of the main items that make up data security is availability. The mesh topology has built-in redundancy, so it would be very hard for an attacker to cause severe network disruption by physically harming a network cable.

Q.  How can a common star LAN secure itself against packet sniffing?

A.  The only sure way to protect against packet sniffing is to employ strong encryption of all data transmissions. This is not typically done because of the tradeoff between security and convenience. Encrypting all data packets would require very high overhead to implement, and few organizations feel the need to employ such a high level of security. A more common method is to implement switches instead of hubs and to use a more secure networking protocol such as IPX/SPX. Be aware that an attacker would need only a little more effort to extract information from a switched network running a more secure protocol.

Q.  Why do LANs use broadcast technology?

A.  When the Ethernet standard was created, making the system work was more important than securing the network. Early developers never realized that network security would be so closely scrutinized and attacked at every level. Switches can direct frames to the receiving computer by using MAC addresses.

Q.  Why is a token ring network so reliable?

A.  In a token ring network, only the computer that currently holds the token can transmit data across the network. Also, each device on the network functions as a repeater, which nearly eliminates problems with signal degradation.

Q.  Is FDDI more secure than a regular token ring network?

A.  Yes. An FDDI network can provide dual rings, which allows for redundancy if one ring is damaged. Also, FDDI utilizes fiber-optic cabling, which is the most secure type of cabling because it is nearly impossible to tap.

Q.  What is the purpose of a WAN?

A.  A WAN is used to allow an organization with multiple geographic locations to function as if they were in the same building on the same network. Employing a high-speed connection between two or more LANs creates a WAN.

Q.  Are leased lines secure?

A.  A leased line is only as secure as the communications carrier providing it and the medium used for the high-speed connection.

Q.  At what layer of the OSI model are most security vulnerabilities located, and why?

A.  The Application layer is typically the location of most security vulnerabilities. This is not because of the protocols located at that layer, but how those protocols are implemented in an actual application. If a secure protocol is implemented in an insecure manner, all security is lost.

Q.  How can the TCP handshake located at the Transport layer be used to mask a network probe?

A.  A network probe, or scan, is used by an attacker to discover what ports are open on a server. Most network devices only log a scan if the entire TCP handshake is completed and a connection is established. The log entries for such a scan would be easily identifiable as an attack, because a single IP address would try to access a large number of ports on the server. If the attacker breaks the handshake right before the connection is established, most devices will not log the scan. This is known as a stealth scan.

Q.  Why is the Physical layer so important to network security?

A.  Network security involves many things including making sure the network is available. The Physical layer contains network cabling and hubs. If either of these items is not available, either through an attack or mechanical failure, the network may be rendered useless and data transmission would not be available.

Q.  How does NAT assist with network security?

A.  NAT allows private IP ranges, which are not reachable from the public Internet, to be used on an internal network. It also allows, through the use of NAT tables, clients on the network to access external resources through one publicly available address. This protects the internal host from direct contact with the untrusted network.
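The NAT table described above, as an added example that is not from the study guide: one public address is shared by many internal hosts, and an inbound packet that matches no existing translation has nowhere to go and is dropped. Addresses are constructed from the RFC 1918 private and RFC 5737 documentation ranges, and the port-allocation scheme is simplified.

```python
"""Toy NAT table: one public address shared by many internal hosts, and no
inbound path for traffic that does not match an existing translation.

Added example, not from the study guide. Addresses are constructed from the
RFC 1918 (private) and RFC 5737 (documentation) ranges; the port-allocation
scheme is simplified.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the gateway's single public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # NAT table, outbound view: (private ip, private port, remote ip, remote port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # NAT table, inbound view: (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal client's packet so it leaves with the public source address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host. Returns None (drop) when no
        translation exists, which is what happens when an outside host tries
        to initiate contact with the internal network."""
        private = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if private is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, private[0], private[1])


def demo() -> Dict[str, Optional[Packet]]:
    """Two internal clients reach the same web server; an unsolicited inbound
    packet to the public address is dropped."""
    nat = NatGateway()
    web = ("198.51.100.5", 80)
    out_a = nat.translate_outbound(Packet("192.168.1.20", 51000, *web))
    out_b = nat.translate_outbound(Packet("192.168.1.21", 51000, *web))
    reply_a = nat.translate_inbound(Packet(web[0], web[1], PUBLIC_IP, out_a.src_port))
    # Constructed: an outside host sending directly to the public address.
    unsolicited = nat.translate_inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 40000))
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt if pkt is not None else 'dropped (no NAT table entry)'}")
```

Both internal clients use the same source port 51000, which is why the table is keyed on the full four-tuple rather than on the private port alone; the gateway assigns them distinct public ports.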

Q.  What is the most secure type of firewall?

A.  It is important to realize that a weaker firewall implemented correctly is more secure than a strong firewall implemented incorrectly. With that said, the strongest type of firewall is a packet-filtering firewall that uses stateful inspection.

Q.  What is the purpose of a DMZ?

A.  A DMZ provides a level of security to a publicly available server. For example, a Web server must be more accessible from the Internet than the internal network would be. By using a DMZ, you can provide a level of security for the Web server by creating a space behind one network security device, but in front of a second security device protecting the internal network.

Q.  Which protocols are used to create the most secure VPN?

A.  The most secure VPN would combine L2TP to create a tunnel between two hosts with IPSec in tunneling mode to encrypt the header and data of a packet. An important consideration when implementing a VPN is how important security is. It is true that L2TP plus IPSec would create the most secure VPN, but it would also give the slowest access and the highest overhead in terms of devices on each side of the VPN.

Q.  Is SSH a true VPN protocol?

A.  No, SSH is not a VPN protocol. It can, however, function as a VPN because it provides a secure connection between a client and host server to provide terminal access. SSH should always be used in place of similar applications such as Telnet.

Q.  Should I use transport mode or tunneling mode for IPSec?

A.  It depends on what you require a VPN to do. Tunneling mode is more secure, but it carries higher overhead. You should ask yourself whether you can sacrifice some security for faster access. If the answer is yes, then transport mode will still provide adequate security while reducing network overhead.
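The difference between the two modes, as an added example that is not from the study guide: transport mode protects only the data and leaves the original IP header readable, while tunnel mode protects header and data together and wraps the result in a new gateway-to-gateway header, at the cost of that extra header. Packets are modelled as a 20-byte IPv4 header plus payload; the "encryption" is a keyed SHA-256 keystream XOR standing in for ESP's real cipher, and ESP's own header, trailer and integrity check are left out, so only the exposure comparison and the 20-byte difference between the modes are meaningful. Addresses and the key are constructed.

```python
"""IPSec transport mode versus tunnel mode: what a sniffer between the two
gateways can read, and the extra header each mode adds.

Added example, not from the study guide. Packets are a 20-byte IPv4 header
plus payload. The "encryption" is a keyed SHA-256 keystream XOR standing in
for ESP's real cipher, and ESP's own header, trailer and integrity check are
omitted, so only the exposure and the 20-byte difference between the modes
are meaningful here. All addresses and the key are constructed.
"""
import hashlib
import socket
import struct
from typing import Tuple

KEY = b"constructed-sa-key"   # constructed per-security-association key
ESP_PROTO = 50                # IP protocol number for ESP


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header (checksum left at zero; not a real stack)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def outer_addrs(pkt: bytes) -> Tuple[str, str]:
    """Source and destination of the first (outer) IP header: all a sniffer can read."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (symmetric, so it also decrypts)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_transport(pkt: bytes, key: bytes) -> bytes:
    """Transport mode: the original IP header stays in the clear; only the data is protected."""
    src, dst = outer_addrs(pkt)
    body = keystream_xor(pkt[20:], key)
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body)) + body


def esp_tunnel(pkt: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: header and data of the original packet are protected and
    wrapped in a new header addressed from gateway to gateway."""
    body = keystream_xor(pkt, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(body)) + body


def tunnel_decapsulate(wire: bytes, key: bytes) -> bytes:
    """Receiving gateway strips the outer header and recovers the inner packet."""
    return keystream_xor(wire[20:], key)


def build_original(src: str, dst: str, data: bytes) -> bytes:
    """A plain TCP/IP packet (protocol 6) as the end host would emit it."""
    return ipv4_header(src, dst, 6, 20 + len(data)) + data


def compare_modes() -> dict:
    # Constructed inner hosts on two private sites and two public gateway addresses.
    original = build_original("10.1.0.5", "10.2.0.9", b"GET /payroll HTTP/1.0\r\n")
    transport = esp_transport(original, KEY)
    tunnel = esp_tunnel(original, KEY, "198.51.100.1", "203.0.113.1")
    return {
        "transport_sniffer_sees": outer_addrs(transport),
        "tunnel_sniffer_sees": outer_addrs(tunnel),
        "extra_bytes_tunnel_vs_transport": len(tunnel) - len(transport),
        "tunnel_round_trip_ok": tunnel_decapsulate(tunnel, KEY) == original,
    }


if __name__ == "__main__":
    for k, v in compare_modes().items():
        print(f"{k}: {v}")
```

In transport mode a sniffer between the gateways still learns which two internal hosts are talking; in tunnel mode it sees only the gateway pair, and pays for that with one additional IP header per packet.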

Q.  Can sniffing be prevented?

A.  In a typical network, it would be hard to prevent an attacker from being able to sniff network traffic. It would be better to make sure any important data passing over a private or public network is being encrypted so that if it is sniffed, it will not reveal confidential information to the attacker.

Q.  Can a SYN stealth port scan be detected?

A.  Yes, a stealth scan can be detected if your firewall supports and uses stateful inspection. A firewall that uses stateful inspection will log these stealth scans that do not fully establish a connection.
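The detection described in this answer and in the earlier stealth-scan answer, as an added example that is not from the study guide: a minimal connection-state table of the kind a stateful-inspection firewall keeps, replayed over a constructed packet trace. A device that logs only completed handshakes never records the half-open connections; tracking state per connection lets us log every source that probed many ports without ever reaching ESTABLISHED. Addresses, ports and the threshold are all constructed for the illustration.

```python
"""Stateful inspection of TCP handshakes, logging scans that never complete
the connection.

Added example, not from the study guide: a minimal connection-state table of
the kind a stateful-inspection firewall keeps, replayed over a constructed
packet trace. Addresses, ports and the threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


# Connection key: (client ip, client port, server ip, server port)
ConnKey = Tuple[str, int, str, int]

# Constructed trace: one ordinary web session from 10.0.0.7, followed by a
# burst of half-open connections from 10.0.0.99 that are reset before the
# third step of the handshake.
TRACE: List[Segment] = [
    Segment("10.0.0.7", 50000, "10.0.0.1", 80, "S"),
    Segment("10.0.0.1", 80, "10.0.0.7", 50000, "SA"),
    Segment("10.0.0.7", 50000, "10.0.0.1", 80, "A"),
]
for i, port in enumerate((21, 22, 23, 25, 53, 110, 143, 443)):
    TRACE.append(Segment("10.0.0.99", 40000 + i, "10.0.0.1", port, "S"))
    TRACE.append(Segment("10.0.0.1", port, "10.0.0.99", 40000 + i, "SA"))
    TRACE.append(Segment("10.0.0.99", 40000 + i, "10.0.0.1", port, "R"))


class StateTable:
    """Tracks each connection through SYN_SENT -> SYN_RECEIVED -> ESTABLISHED."""

    def __init__(self) -> None:
        self.state: Dict[ConnKey, str] = {}
        # client ip -> server ports probed without completing the handshake
        self.incomplete: Dict[str, Set[int]] = defaultdict(set)

    def observe(self, seg: Segment) -> None:
        fwd: ConnKey = (seg.src, seg.sport, seg.dst, seg.dport)   # client -> server
        rev: ConnKey = (seg.dst, seg.dport, seg.src, seg.sport)   # server -> client
        if seg.flags == "S":
            self.state[fwd] = "SYN_SENT"
        elif seg.flags == "SA" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECEIVED"
        elif seg.flags == "A" and self.state.get(fwd) == "SYN_RECEIVED":
            self.state[fwd] = "ESTABLISHED"   # a stateless logger only records this point
        elif seg.flags == "R":
            key = fwd if fwd in self.state else rev
            if self.state.get(key) in ("SYN_SENT", "SYN_RECEIVED"):
                self._log_incomplete(key)

    def _log_incomplete(self, key: ConnKey) -> None:
        client_ip, _, _, server_port = key
        self.incomplete[client_ip].add(server_port)
        del self.state[key]

    def expire(self) -> None:
        """Half-open entries left at the end of the trace are logged as a timeout would log them."""
        for key, st in list(self.state.items()):
            if st != "ESTABLISHED":
                self._log_incomplete(key)


def suspected_scanners(trace: List[Segment], threshold: int = 5) -> Dict[str, List[int]]:
    """Sources with at least `threshold` distinct ports probed but never connected."""
    table = StateTable()
    for seg in trace:
        table.observe(seg)
    table.expire()
    return {ip: sorted(ports) for ip, ports in table.incomplete.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    for ip, ports in suspected_scanners(TRACE).items():
        print(f"{ip}: {len(ports)} half-open connections on ports {ports}")
```

The RST handling covers both directions: a client that aborts after SYN/ACK and a server that answers a closed port with RST both leave a half-open entry, and both count toward the per-source total.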

Q.  Why is it important to still be concerned with war dialing?

A.  Today, many networks provide very robust firewalls to protect against attacks from the Internet. Many of these same networks provide employees with remote access to networks via a dial-in account. Using a war dialer, an attacker can scan numbers associated with your organization to find this dial-in access server. This is done by assuming that if an organization's phone number is 555-5500, and its fax number is 555-5501, then it would be logical that if they purchased a separate line to provide dial-in access, it would be around the 555-55xx range of numbers. Once an attacker locates this machine, it can be a simple process to have complete access to a network.

Q.  What is the difference between RADIUS and TACACS+?

A.  RADIUS and TACACS+ provide essentially the same service. Both provide a database that contains usernames and passwords that allow devices to centrally maintain authentication. TACACS+ provides authorization, or defining where a user authenticates from, as well as authentication. TACACS+ is typically thought of as a higher-end version of RADIUS.

Q.  Should I use PAP or CHAP as an authentication protocol?

A.  If possible, you should use CHAP because it is more secure. PAP transmits the username and password in cleartext.
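The two exchanges at the message level, as an added example that is not from the study guide: PAP's Authenticate-Request carries the password itself, whereas CHAP (RFC 1994) answers a server challenge with MD5 over the identifier, the shared secret and the challenge, so the secret never crosses the link and a captured response is useless against the next challenge. The user name, secret and challenge bytes are constructed.

```python
"""PAP versus CHAP as seen by someone capturing the link.

Added example, not from the study guide. PAP sends the password in the
clear; CHAP (RFC 1994) sends MD5(identifier || secret || challenge).
User name, secret and challenge bytes are constructed.
"""
import hashlib
import hmac
from typing import List, Tuple

USER = "alice"                                                    # constructed
SECRET = "correct horse battery"                                  # constructed shared secret
CHALLENGE_1 = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
CHALLENGE_2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed

Message = Tuple[str, bytes]   # (direction, bytes on the wire)


def pap_exchange(user: str, password: str) -> List[Message]:
    """PAP: a single Authenticate-Request with the credentials in cleartext."""
    return [("client->server", user.encode() + b":" + password.encode())]


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP Response value per RFC 1994: MD5 over identifier, secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(user: str, secret: str, challenge: bytes, identifier: int = 1) -> List[Message]:
    """CHAP: the server sends a challenge, the client returns a one-way hash of it."""
    response = chap_response(identifier, secret, challenge)
    return [("server->client", bytes([identifier]) + challenge),
            ("client->server", user.encode() + b":" + response)]


def chap_verify(identifier: int, challenge: bytes, received: bytes, secret: str) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    return hmac.compare_digest(received, chap_response(identifier, secret, challenge))


def wire_exposes_secret(messages: List[Message], secret: str) -> bool:
    """Would a passive sniffer find the secret in any captured message?"""
    return any(secret.encode() in payload for _, payload in messages)


def replay_succeeds(secret: str) -> bool:
    """Capture the response to CHALLENGE_1 and present it against CHALLENGE_2."""
    captured = chap_exchange(USER, secret, CHALLENGE_1)[1][1].split(b":", 1)[1]
    return chap_verify(1, CHALLENGE_2, captured, secret)


if __name__ == "__main__":
    print("PAP exposes secret on the wire:", wire_exposes_secret(pap_exchange(USER, SECRET), SECRET))
    print("CHAP exposes secret on the wire:", wire_exposes_secret(chap_exchange(USER, SECRET, CHALLENGE_1), SECRET))
    print("Replayed CHAP response accepted:", replay_succeeds(SECRET))
```

CHAP still requires the server to hold the cleartext secret in order to recompute the hash, and MD5 is no longer a recommended primitive; the example illustrates why CHAP beats PAP on the wire, not that CHAP is strong by modern standards.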



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
