Pages

Tuesday, March 17, 2015

Network Security fundamentals interview questions

1.Name two protocols which encrypt data at the application and network layer with an explanation.
SSL protocol encrypts data at the application layer. It is used by application layer protocols like https, secure-ftp etc. IPSEC is a protocol which is used for encrypting data at the network layer. IPSEC is used by VPN’s for encrypting data over public networks like internet.

2.What technology can be used for protection against flooding attacks
IDS / IPS solutions can be used for providing protection against the same.

3.Do FTP servers send passwords or data in clear text
FTP is an insecure protocol. It does not provide encryption. It sends both passwords and data in clear text.

4.Name one protocol which can be used in lieu of telnet for secure remote access
SSH

5.What feature on a router can be used for blocking unauthorized websites
URL filtering feature, available on routers can be used for the purpose.

6.How does a cam flood attack work
In a cam flood attack, the attacker sends numerous frames to a switch port with random mac-addresses. The goal of the attacker is to fill the cam table of the switch and make it overflow. When the cam table overflows, the switch would behave like a hub and start broadcasting frames to all ports on the switch.

7.At which layer of the OSI model, does the WEP protocol encrypt data
The WEP protocol is used for encrypting data in the frames. It works at Layer 2 of the OSI model.

8.What feature can be configured on a switch to prevent rogue DHCP server attacks?
DHCP Snooping is a feature which can be configured to prevent rogue DHCP server attacks.

9.Which feature on a firewall can be configured to defend against IP spoofing attacks.
Access control lists can be used as a defense against IP spoofing attacks.

10.Name two attacks which are targeted on FTP servers.
FTP protocol transmits data in clear text. This makes it possible to eavesdrop communication between a FTP client and a FTP server and retrieve confidential information like username and passwords. FTP servers use username and password combination for authentication. A weak password policy makes it vulnerable to brute force attacks.

11.Which security feature on a switch can be used as a defense for cam flooding attacks.
In a cam flooding attack, the goal of the attacker is to fill up the mac-address table of the switch by generating frames with different source mac-addresses. As a defense, port- security feature can be configured on a switch port, which can be used to limit the number of allowed mac-addresses on a switch port.

12.Name two tools which can be used to create custom packets.
Nmap and Scapy.

13.An organization uses a Cisco router for routing between its internal networks. What feature on the router can be used to block access specifically between two internal networks?
Extended access control lists can be configured for blocking access between internal networks. With an extended access control list, the source and destination IP network subnets can be specified.

14.Name one security limitation with Rip v1 and how it is improved with Rip v2.
Rip v1 does not use authentication. This makes it vulnerable to route poisoning attacks. An attacker can craft custom Rip v1 packets and corrupt the routing table. In Rip v2, authentication is provided by having MD5 based password authentication.


1. What is Network Security?

 Protecting the confidentiality, integrity, and availability (CIA triad) of data and resources in a network.

2. What is the CIA Triad?

  • Confidentiality → Keep data secret (encryption, access control).

  • Integrity → Prevent unauthorized changes (hashing, checksums).

  • Availability → Ensure resources are accessible (redundancy, DDoS protection).

3. What is the difference between Authentication, Authorization, and Accounting (AAA)?

  • Authentication → Verifies identity (passwords, biometrics).

  • Authorization → Determines access rights.

  • Accounting → Tracks user activity (logs, audits).

4. What is the difference between Symmetric and Asymmetric encryption?

  • Symmetric → Same key for encryption & decryption (fast, e.g., AES).

  • Asymmetric → Public/private key pair (secure, e.g., RSA).

5. What is a Firewall and why is it important?

A firewall filters traffic between networks based on rules, preventing unauthorized access.

6. What are IDS and IPS?

  • IDS → Intrusion Detection System → Detects & alerts on malicious activity.

  • IPS → Intrusion Prevention System → Detects and blocks malicious activity.

7. What is a DMZ in network security?

 A Demilitarized Zone is a buffer zone where public-facing servers (web, mail, DNS) are placed, isolating them from the internal LAN.

8. What is the difference between VPN and HTTPS?

  • VPN → Secures network-level communication (device ↔ network).

  • HTTPS → Secures application-level communication (browser ↔ website).

9. What is Multi-Factor Authentication (MFA)?

 Requires more than one verification factor (something you know, have, are). Increases login security.

10. What is a Man-in-the-Middle (MITM) attack?

 An attacker intercepts communication between two parties to steal or alter data.

11. What is Phishing?

 A social engineering attack tricking users into revealing credentials or sensitive information (often via fake emails/websites).

12. What is the difference between Blacklist and Whitelist?

  • Blacklist → Block known bad IPs, domains, or apps.

  • Whitelist → Allow only approved IPs, domains, or apps.

13. What is Zero Trust Security?

 A model where no user/device is trusted by default. Every access request is continuously verified.

14. What is Patch Management and why is it important?

 Regularly updating software/firmware to fix vulnerabilities and improve security.

15. What is a Security Incident vs Event?

  • Event → Any observable occurrence in a system (e.g., login attempt).

  • Incident → A confirmed security breach or policy violation.

Quick Tip for Interview:
If asked “How would you secure a corporate network?”, structure answer using Defense in Depth → Firewalls, VPNs, IDS/IPS, MFA, patching, monitoring (SIEM), user awareness.


1. What is the CIA Triad?

The CIA Triad is a foundational model for network security that represents three core principles: Confidentiality, Integrity, and Availability.

  • Confidentiality: Ensures that data is only accessible to authorized users. This is achieved through methods like encryption, which prevents unauthorized disclosure of information.

  • Integrity: Ensures that data is accurate, consistent, and trustworthy throughout its entire lifecycle. It protects data from unauthorized modification or corruption. Technologies such as hashing and digital signatures are used to maintain data integrity.

  • Availability: Ensures that systems, services, and data are available to authorized users when they need them. It protects against disruptions like power outages and Denial-of-Service (DoS) attacks. Solutions like redundancy and backups are critical for availability.

2. What is a firewall and what is its role?

A firewall is a network security device (either hardware or software) that monitors and filters incoming and outgoing network traffic based on a defined set of security policies. Its primary role is to create a barrier between a trusted internal network and an untrusted external network (like the internet), controlling traffic based on criteria such as source/destination IP addresses, port numbers, and protocol types.

Licensed by Google

.

3. Explain the difference between an IDS and an IPS.

  • IDS (Intrusion Detection System): A passive monitoring system that scans network traffic for malicious activity or policy violations. When it detects something suspicious, it generates an alert but does not take any action to stop the traffic. It is a monitoring and alerting tool.

  • IPS (Intrusion Prevention System): An active, inline system that not only detects malicious activity but also takes action to block or prevent the attack. When it identifies a threat, it can drop the malicious packet, block the source IP address, or reset the connection. It is a proactive security tool.

4. Explain the difference between symmetric and asymmetric encryption.

  • Symmetric Encryption: This method uses a single, shared key for both encrypting and decrypting data. It is very fast and is used for large-scale data transfer. The main challenge is the secure exchange of the shared key. Examples include AES and DES.

  • Asymmetric Encryption: This method, also known as public-key cryptography, uses a pair of keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the corresponding private key. It is slower than symmetric encryption but is used for secure key exchange and digital signatures. Examples include RSA and ECC.

5. How does a VPN work?

A VPN (Virtual Private Network) works by creating a secure, encrypted "tunnel" over an insecure network, such as the internet. All of your internet traffic is routed through this tunnel, making it unreadable to anyone who might try to intercept it. A VPN provides confidentiality, integrity, and anonymity by masking your IP address.

6. What is a DDoS attack and how can you mitigate it?

A DDoS (Distributed Denial-of-Service) attack is a malicious attempt to disrupt a targeted service by overwhelming it with a flood of internet traffic from multiple sources.

Mitigation strategies include:

  • Rate Limiting: Limiting the number of requests a server will accept from a single IP address.

  • Load Balancing: Distributing incoming traffic across multiple servers to prevent one from being overwhelmed.

  • Cloud-based DDoS Protection: Services that absorb the attack traffic and forward only legitimate traffic to your server.

7. What is a zero-day vulnerability?

A zero-day vulnerability is a software vulnerability that is unknown to the software vendor or the public. It is called "zero-day" because developers have had zero days to address and patch it. These are particularly dangerous because there is no readily available fix, making them a prime target for attackers to exploit.

1. Your network is hit by a DDoS attack. How do you respond?

 Steps:

  • Identify attack type (volumetric, protocol, application-level).

  • Monitor traffic flow and patterns.

  • Apply rate-limiting, geo-blocking, or blackhole routing.

  • Use WAF/CDN/anti-DDoS services (Cloudflare, Akamai, AWS Shield).

  • Post-incident → analyze logs, strengthen defenses.

2. You detect unusual outbound traffic from a server. What actions would you take?

 Steps:

  • Isolate the server immediately.

  • Analyze logs for signs of compromise (malware, exfiltration).

  • Run forensic analysis and malware scan.

  • Patch vulnerabilities, reset credentials.

  • Restore from clean backup if required.

3. An employee reports a suspicious phishing email. What’s your next step?

 Steps:

  • Instruct user not to click links/attachments.

  • Analyze email headers & links.

  • Quarantine the email in mail server.

  • Check if other users received it (search by sender/domain).

  • Train employees & update email filters.

4. You find a critical vulnerability in a production system. What would you do?

 Steps:

  • Assess severity & exploitability (CVSS score, vendor advisory).

  • Apply patch immediately (if downtime allowed).

  • If patch unavailable, apply workarounds (firewall rules, config changes).

  • Notify stakeholders & document mitigation.

  • Test and monitor after patch.

5. How would you secure a newly deployed public-facing web server?

 Steps:

  • Harden OS (disable unused services, strong passwords, patches).

  • Install and configure firewall/WAF.

  • Use HTTPS with TLS 1.2/1.3.

  • Enable logging & monitoring (SIEM).

  • Apply least privilege & access control.

  • Run vulnerability scans/pen tests.

6. You see multiple failed login attempts from the same IP. How do you respond?

 Steps:

  • Block or throttle the IP (firewall, IDS/IPS).

  • Check if it’s a brute-force or credential-stuffing attempt.

  • Enforce account lockout/MFA.

  • Inform affected users.

  • Analyze whether it’s targeted or wide-scale attack.

7. A critical database shows signs of SQL injection attempts. What do you do?

 Steps:

  • Block malicious IPs.

  • Review and patch application code.

  • Use prepared statements & parameterized queries.

  • Enable WAF filtering for SQL patterns.

  • Audit database logs for compromise.

8. Your IDS/IPS generates a high number of alerts. How do you prioritize?

 Steps:

  • Filter alerts by severity (critical vs informational).

  • Check false positives vs real threats.

  • Correlate with other logs (SIEM).

  • Prioritize based on business impact (servers vs test systems).

  • Automate low-level triage if possible.

9. You’re asked to secure a remote workforce. How would you do it?

 Steps:

  • Enforce VPN with multi-factor authentication.

  • Apply endpoint protection (antivirus, EDR).

  • Push regular security patches.

  • Restrict access based on Zero Trust model.

  • Provide phishing/security awareness training.

10. Your organization suffers a ransomware attack. What’s your response?

 Steps:

  • Isolate infected systems immediately.

  • Inform incident response team.

  • Identify ransomware strain.

  • Restore data from backups (if safe & tested).

  • Report as per compliance (GDPR, HIPAA, etc.).

  • Perform post-attack review → patch entry points, improve monitoring.

Interview Tip:
When answering, always structure responses using Incident Response Lifecycle:

  1. Identify

  2. Contain

  3. Eradicate

  4. Recover

  5. Lessons Learned



Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)