Network Security: Chapter 9

Questions and Answers

What is the primary function of a network?

• To isolate devices from each other.
• To prevent any unauthorized access to devices.
• To limit the amount of data transferred between devices.
• To connect two or more devices for communication. (correct)

Which of the following terms describes a vulnerability where data can be secretly listened to?

• Wiretapping (correct)
• Modification
• Addressing
• Fabrication

What is a common vulnerability associated with wireless networks?

• Interception (correct)
• Cable splicing
• Inductance
• Physical cable cuts

What does 'MAC' stand for in the context of network transmission media?

Media Access Control (D)

Which type of network transmission is NOT susceptible to inductive tapping?

Optical fiber (D)

What is the term for examining each packet as it goes by on a network?

Packet sniffing (C)

What type of attack attempts to make a service unavailable to legitimate users?

Denial of Service (A)

What is a 'frame' in the context of Wi-Fi networks?

A unit of Wi-Fi data (B)

What is the purpose of link encryption?

To encrypt data just before it is sent over the communication link. (D)

Which authentication mechanism is designed for client-server applications and uses a Key Distribution Center (KDC)?

Kerberos (D)

A network requires more than two devices connected by hardware and software.

False (B)

Data communications are only vulnerable when transmitted wirelessly.

False (B)

Cable splicing involves an attacker cutting and splicing a secondary cable to receive a copy of data.

True (A)

Optical fibers are easily tapped without detection.

False (B)

A MAC address is a unique physical address assigned to a router.

False (B)

Analyzing a file can only involve one host before reaching its destination.

False (B)

A replay attack involves legitimate data being intercepted and replayed.

True (A)

A 'SYN' flood is where the attacker overwhelms victims by filling their SYN_SEND queue.

False (B)

In the context of networks, 'inductance' refers to the process of reading signals an intruder can read through wire radiation.

True (A)

Kerberos requires a continuous availability of a non-trusted ticket granting server.

False (B)

Which of the following represents a significant security risk associated with wireless communication compared to wired networks?

Increased susceptibility to signal interception. (D)

In the context of network security, which of the following describes a 'sequencing attack'?

Data packets arrive in an unintended order, disrupting communication. (A)

What is the primary purpose of a 'SYN flood' attack in the context of network security?

To overwhelm a server by exhausting its resources for managing connection requests. (D)

Which of the listed options describes the purpose of 'traffic redirection' as a network attack?

To mislead routers and disrupt normal network communication. (B)

Why is 'anonymity' a significant security concern in network environments?

It makes it difficult to trace the origin of network traffic. (B)

Which statement explains why 'Inductance' can be a security vulnerability in network transmission media?

It permits intruders to read signals through wire radiation without physical contact. (C)

Which of the following is a key characteristic of a 'Smurf attack'?

It involves sending a flood of ping packets with a spoofed source address. (D)

What is a primary security advantage of using optical fiber for network communication?

It is not subject to inductive tapping. (C)

What is the main purpose of link encryption in network security?

To encrypt data only between adjacent nodes on a network. (B)

What is a significant limitation of Kerberos in distributed systems?

It requires continuous availability of a trusted ticket granting server. (D)

In a network, inductance is a process where an intruder must make physical contact with the cable to tap a wire.

False (B)

An attacker employing a substitution attack inserts additional data values into a data stream, disrupting its integrity.

False (B)

Optical fiber's immunity to wiretapping is primarily due to its use of light energy, which prevents emanations detectable through inductance.

True (A)

A physical replay attack involves intercepting and reusing legitimate data packets without any modification.

False (B)

In a SYN flood DoS attack, the attacker's true identity is easily traceable due to the nature of TCP connection establishment.

False (B)

The SESAME protocol in distributed systems relies exclusively on symmetric-key cryptography for secure communications.

False (B)

In wireless networks, the SSID hides a wireless access point.

False (B)

In the context of network security, intercepting communications is only a minor threat compared to integrity and availability threats.

False (B)

The primary advantage of link encryption over end-to-end encryption is that it permits users to selectively encrypt individual messages based on their sensitivity.

False (B)

Kerberos is designed to withstand attacks in distributed environments, however, it operates effectively even without continual availability of a trusted ticket granting server (KDC).

False (B)

Flashcards

Network

Two devices connected by hardware and software enabling communication.

Cable Vulnerability

Signals in Ethernet or LAN vulnerable to interception.

Packet Sniffing

Examining each data packet as it goes by, often using tools like Wireshark.

Radiation Threat

Signals radiate from wires, allowing intruders to read them.

Cable Splicing

Cutting and splicing a cable to receive a copy of the data.

Data Communications Vulnerability

Travel either on a wire or wirelessly, both are vulnerable.

Protocol

A language or set of conventions for how two computers communicate.

Substitution Attack

The replacement of one piece of a datastream with another.

Replay Attack

Legitimate data intercepted and reused, without modification.

Denial of Service (DoS)

Prevents authorized users from accessing services or data.

MAC Address

Each LAN connector has a unique identifier.

Radiation

Signals radiate from wires.

Port

Number associated with an application.

Sequencing attack

When packet 2 arrives before packet 1.

Insertion attack

Insert data values into a stream.

SYN flood

Overwhelm victims by filling their SYN_RECV queue.

DDoS Attack

Attacker infects multiple machines with Trojan horses.

Wiretapping

Means to intercept communications.

Data Interception

Data can be intercepted via eavesdropping on wired or wireless networks.

Microwave Communication :

Broadcast through the air, making them more accessible to outsiders

Satellite communication

On signal's return to earth, the wide broadcast's footprint, allows any antenna within range to obtain the signal without being detected.

Addressing on a network

Every computer connected to a network has a network interface card with a unique physical address.

Routing

Routers direct traffic on a path that leads to a destination.

SSID

An SSID is a string to identify a wireless access point

Flooding Attack

A flooding attack occurs from demand in excess of capacity, from malicious or natural causes.

IP Fragmentation: Teardrop

Attack sends overlapping fragments of the datagram that cannot be properly reassembled by the recipient.

Traffic Redirection

By misleading routers about the best paths to network addresses, attackers can disrupt network communication

Optical Fiber Security

Optical network must be tuned carefully each time a new connection is made. Therefore, no one can tap an optical system without detection.

Microwave Weakness

Exposed to interception along the path of transmission. Requires line of sight location.

Interruption Threat

A loss of service caused by attacks against routing.

Network Impersonation

Pretending to be someone or something else on a network.

Denial of Service

Result of action preventing a telecommunications system from working.

Link Encryption

Data is encrypted just before being placed on physical communication links.

End-to-End Encryption

Provides security from one end of a transmission to the other.

Kerberos

A trusted service that provides authenticated tokens (tickets) for client-server applications.

Message Confidentiality

Violations in the delivery, exposure, or traffic flow of messages.

Optical Fiber Weakness

Wiretappers can tap at the repeaters, splices and other equipment.

Message Integrity Violation

Changing message content, parts, or re-direction of the message.

Study Notes

• Cable signals in Ethernet or other LAN are vulnerable to interception
• Each LAN connector has a MAC address
  • Packet sniffing examines each packet as it goes by, using Wireshark for example
  • Wires radiate signals, and an intruder can read through inductance
  • Cable splicing involves an attacker cutting and splicing in a secondary cable to receive copy of data
• Optical fiber cannot be tapped without being detected
  • Optical fiber is not subject to inductive tap
• Microwave broadcasts through the air, making it more accessible to outsiders
• Satellite Communication's wide broadcast footprint allows any antenna in range to obtain the signal without being detected
• Other radio wave technologies comprise cellular, Bluetooth, and near-field communication

Authentication Issues in Distributed System

• Kerberos is designed to withstand attacks, including no password transmitted on the network
  • Cryptographic protection against spoofing
  • Limited period of validity
  • Timestamps to prevent replay attacks
  • Mutual authentication
• Kerberos is not perfect because it requires continuous availability of a trusted ticket granting server, or KDC - Servers authenticity needs a trusted relationship between the ticket granting server and every server - Kerberos requires timely transactions - A subverted workstation could save and replay passwords
• Kerberos was designed at MIT
• The basis of Kerberos is a central server that provides authenticated tokens called tickets to requesting application
• Password guessing attacks can still be effective if weak passwords are used in Kerberos
• Kerberos may not scale well in large or highly dynamic environments due to overhead of TGTs and KDCs
• Kerberos provides authentication and encryption but might not address all security concerns like secure authorization or DoS