Exam (elaborations)

SANS SEC401 Question and answer latest update

Pages: 53
Grade: A+
Uploaded on: 22-05-2024
Written in: 2023/2024

Conceptual Design (network architecture)
Includes the core components of a network architecture

Will consider OS platforms, server services, critical core operational functions, etc.

Helps to understand the overall purpose of the network ('WHY' we have it and 'WHAT' it helps us to
achieve)

May utilize the concept of "closed-box" diagramming


TTP
Tactics
Techniques
Procedures


Logical design (network architecture)
Represents the logical functions in the system

Putting the conceptual design on paper

Maps the components of the conceptual design via the use of a network diagram

Next parts of the architecture understanding will leverage and build upon this design step

Uses icons to depict workstations, servers, printers, routers, switches and other devices connected to
the network


Physical design (network architecture)
Builds upon the logical design by providing detailed aspects of the network components

Details might include: versions, patch levels, hardening configurations, risk categorization, etc.

Physical design also considers physical risks such as network cable location, risk of communication
interception, etc.

Physical security can betray logical security controls

Details include OS version, patches, hardening configurations, risks, physical security


Communication Flow
Understanding: Who accesses data? When (at what times) is data accessed? How much data is
accessed?

Will lead to the development of a baseline - knowing normal allows abnormal to stand out.


Never a 'one and done'. Continual updating is necessary.


Threat Agents

Opportunistic

Organized cyber crime

Advanced Persistent Threats (nation states)


Attacks Against Routers (5 examples)
Denial of Service

Distributed Denial of Service

Packet Sniffing

Packet Misrouting

Routing Table Poisoning


Attacks against switches (5 examples)
CDP Information Disclosure

MAC Flooding

DHCP Manipulation

STP Manipulation

VLAN Hopping


CDP Information Disclosure
Cisco Discovery Protocol is used by switches to communicate about which other devices are discoverable on
the network. Exploiting this protocol would give information about types and versions of switches, OS,
usernames and administrative accounts on the switches, etc.


MAC Flooding
Flooding the network with fake Media Access Control (MAC) addresses may degrade the switch and
force it into downgrading into a hub, giving the attackers access to the overall network.


DHCP Manipulation
Dynamic Host Configuration Protocol is used to communicate the network configuration to other
devices on the network. An attacker could monitor this protocol and respond to DHCP requests
sooner than the intended recipient, placing the attacker's device in the middle of legitimate network
traffic - a type of Machine in the Middle position.


STP Manipulation
Spanning Tree Protocol is used to ensure that switches do not get stuck in a switch loop. The protocol
is similar to CDP and the attack is similar - the manipulation could lead to a network reconfiguration
that causes a DoS or a MiTM.


VLAN Hopping

Virtual Local Area Network is a way for switches to segment a network into different areas for security
purposes. A VLAN hopping attack fools the VLAN into allowing packets into a prohibited VLAN
segment.


Physical Topology
How devices are physically connected together

How communications are sent over the physical connection (electrical signaling, pulses of light, radio,
etc.)


Logical Topology
How communication is logically formed prior to transmission


Ethernet
Most common communication mechanism on networks worldwide

Uses CSMA/CD (Carrier Sense with Multiple Access / Collision Detection); that is, it listens to ensure
only one station communicates at a time and monitors the transitions to detect collisions.


Segmentation (network design)
Segmentation = separation

Assets should not be able to communicate unabated

Concept of principle of least privilege


Software Defined Networking (SDN)
Networking from a virtualized concept

Can visualize the network as a whole and segment accordingly

Can be achieved programmatically


Benefits of network architecture understanding
Situational awareness

Prioritization of effort

Reduced cost of effort

Timely detection of attacks

Timely detection = timely response = reduction of damage


Network design objectives
Protect internal network from external attacks

Provide defense in depth through a tiered architecture

Control flow of information between systems

Network sections
Public

Semi public (DMZ)

Middleware

Private


DMZ (network section, tier)
Demilitarized zone - a network tier intended to be public facing; systems include web servers, email
servers, DNS, etc.

This tier is at greater risk of compromise because it faces the public internet at all times. Assume it
will be compromised.


Middleware (network section, tier)
A network segmentation tier that separates the DMZ from the private, internal network. An example may
include a proxy, which inspects traffic coming in from the DMZ intended for a database on the private
network. The middleware inspects traffic for threats. Traffic from the private network intended for
the DMZ is also inspected in the proxy (reverse proxy).


Private (network section, tier)
The internal network of the organization, an area of higher trust and less risk. It is not connected
directly to the public internet; security, such as firewalls, is still present.


3 rules of tiered network architecture
1. Any system visible from the internet must reside in the DMZ and may not contain sensitive data.

2. Sensitive data must reside on the internal, private network and not be accessible from the public
internet.

3. DMZ systems can only communicate with private systems through middleware proxies.


What is a network protocol
A set of rules dictating how computer networks communicate through network hardware and
software. The protocols define the format and order of messages and actions to be taken.


What is a protocol stack
A set of network protocol layers that work together to implement communications.


Three purposes for communication protocols
1. Standardize the format of a communication
2. Specify the order or time of communication
3. To allow all parties to determine the meaning of the communication


ISO OSI Protocol Stack

Seller: LectDeniz (Teachme2 tutor)