
Tuesday, March 17, 2015

Network Security Interview questions

Interview Question 1.
Why does Active FTP not work with network firewalls?
When a user initiates a session with an FTP server, two TCP connections are established: the control connection, which the client initiates, and the data connection. In active FTP the second connection (the FTP data connection) is initiated and established from the FTP server back to the client. When a firewall sits between the FTP client and the server, the firewall blocks the connection initiated from the FTP server, since it is a new connection initiated from outside. To resolve this, passive FTP can be used (the client then initiates the data connection as well), or the firewall rule can be modified to add the FTP server as trusted.
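As an added illustration (not part of the original post), the following Python decodes an FTP PORT command and a 227 passive-mode reply, works out which side initiates the data connection, and checks that against a firewall policy that only permits connections initiated from the inside. The addresses, control-channel lines and the policy are constructed assumptions.

```python
import ipaddress
import re

# Constructed addresses: the client sits inside 10.0.0.0/8, the server outside.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
CLIENT_IP = ipaddress.ip_address("10.0.0.5")
SERVER_IP = ipaddress.ip_address("203.0.113.10")

# Constructed control-channel lines, one per FTP mode.
ACTIVE_CMD = "PORT 10,0,0,5,195,80"                                # client: "connect back to me"
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,10,15,160)"  # server: "connect to me here"

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no host/port tuple in: " + line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def data_connection(line):
    """Return (initiator, destination_ip, destination_port) of the FTP data connection."""
    ip, port = parse_hostport(line)
    if line.upper().startswith("PORT"):
        return "server", ip, port   # active mode: the server opens the data connection
    if line.startswith("227"):
        return "client", ip, port   # passive mode: the client opens it
    raise ValueError("expected a PORT command or a 227 reply")


def outbound_only_allows(initiator, dst_ip):
    """Firewall policy: new TCP connections are allowed only from inside to outside."""
    src_ip = CLIENT_IP if initiator == "client" else SERVER_IP
    return src_ip in INSIDE and dst_ip not in INSIDE


def firewall_verdict(line):
    initiator, dst_ip, _port = data_connection(line)
    return "allow" if outbound_only_allows(initiator, dst_ip) else "deny"
```

The denied case is exactly the server-initiated data connection described in the answer; in passive mode both connections originate from the client, so the same policy allows them.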

Interview Question 2.
Which feature on a network switch can be used to prevent rogue DHCP servers?
DHCP Snooping

Interview Question 3.
Which feature on a Cisco IOS firewall can be used to block incoming traffic to an FTP server?
Extended ACL.

Interview Question 4.
Name one secure network protocol that can be used instead of Telnet to manage a router.
SSH

Interview Question 5.
Give a reason why HTTPS should be used instead of HTTP.
HTTP sends data in clear text, whereas HTTPS sends data encrypted.

Interview Question 6.
How can you prevent a brute force attack on a Windows login page?
Set up an account lockout policy with a specific number of failed attempts, so that the user account is locked automatically once that number is reached.

Interview Question 7.
In an ICMP address mask request, what is the attacker looking for?
The attacker is looking for the subnet/network mask of the victim. This helps the attacker map the internal network.

Interview Question 8.
Why is RIP v1 insecure in a network?
RIP v1 does not use a password for authentication, as RIP v2 does. This makes it possible for attackers to send rogue RIP packets and corrupt the routing table.

Interview Question 9.
Which feature on a network switch can be used to protect against CAM flooding attacks?
The Port Security feature. In a CAM flooding attack, the attacker sends a storm of frames with different source MAC addresses. The goal of the attacker is to fill up the CAM table. Port Security can be used to limit the number of MAC addresses allowed on a port.
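As an added example (not from the original post), this Python models a learning switch with a bounded CAM table, first without and then with a per-port MAC limit, so the effect described above can be observed: once the table is full, entries for legitimate hosts are evicted and their traffic is flooded out of every port; with the limit, the offending port is shut down and the other hosts are unaffected. The switch model, MAC addresses and capacities are constructed assumptions, not any vendor's implementation.

```python
from collections import OrderedDict


class Switch:
    """Toy learning switch with a bounded CAM table (MAC -> port) and optional Port Security."""

    def __init__(self, cam_capacity, port_max_macs=None):
        self.cam = OrderedDict()            # insertion-ordered so the oldest entry can be evicted
        self.cam_capacity = cam_capacity
        self.port_max_macs = port_max_macs  # Port Security limit per port; None = feature off
        self.err_disabled = set()           # ports shut down after a Port Security violation

    def macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, src_mac, port):
        if src_mac in self.cam:
            return
        if self.port_max_macs is not None and self.macs_on_port(port) >= self.port_max_macs:
            self.err_disabled.add(port)     # violation: shut the offending port, learn nothing
            return
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)    # table full: the oldest (legitimate) entry is lost
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return where the frame goes: a port, 'flooded' on a CAM miss, or 'dropped'."""
        if in_port in self.err_disabled:
            return "dropped"
        self.learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        return "flooded" if out is None else f"port {out}"


def forged_source_storm(switch, port, n):
    """Model of the attack traffic: n frames from one port, each with a different source MAC."""
    for i in range(n):
        switch.forward(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "ff:ff:ff:ff:ff:ff", port)


def demo(port_security_enabled):
    """Two legitimate hosts on ports 1 and 2, then a storm of forged sources on port 3."""
    sw = Switch(cam_capacity=64, port_max_macs=2 if port_security_enabled else None)
    sw.forward("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", 1)
    sw.forward("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01", 2)
    forged_source_storm(sw, 3, 500)
    # Is host-1 traffic to host-2 still switched, or flooded out every port (and so sniffable)?
    return sw.forward("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", 1), 3 in sw.err_disabled
```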

Interview Question 10.
Which protocol does HTTPS use at the transport layer for sending and receiving data?
TCP.


1. What is Network Security?

Network security is the practice of protecting data, devices, and systems connected to a network from unauthorized access, misuse, or attacks.


2. What are the main goals of Network Security?

CIA Triad:

  • Confidentiality – Prevent unauthorized access (encryption, VPNs).

  • Integrity – Prevent tampering (hashing, checksums).

  • Availability – Ensure services are accessible (DoS protection, redundancy).


3. What are common types of network attacks?

  • DoS/DDoS (denial of service)

  • MITM (Man-in-the-Middle)

  • Phishing & Social Engineering

  • ARP Spoofing

  • DNS Spoofing

  • Port Scanning & Reconnaissance

  • Ransomware/Worms/Trojans


4. What is a Firewall? Types?

A firewall filters network traffic based on rules.

  • Packet Filtering Firewall

  • Stateful Inspection Firewall

  • Application Layer Firewall (Proxy)

  • Next-Gen Firewall (NGFW)


5. What is the difference between IDS and IPS?

  • IDS (Intrusion Detection System): Detects malicious traffic and alerts.

  • IPS (Intrusion Prevention System): Detects and blocks malicious traffic.


6. What is a VPN and why is it used?

A VPN (Virtual Private Network) creates a secure, encrypted tunnel for data transmission over public networks, ensuring confidentiality and privacy.


7. What is the difference between symmetric and asymmetric encryption?

  • Symmetric → Same key for encryption & decryption (fast, e.g., AES).

  • Asymmetric → Public/private key pair (secure, e.g., RSA).


8. What is a DMZ in network security?

A Demilitarized Zone (DMZ) is a buffer network between the internal LAN and the internet, where public-facing servers (web, mail, DNS) are placed to limit risk.


9. Explain Zero Trust Security.

Zero Trust assumes no device or user is trusted by default, even inside the network. Every request is authenticated, authorized, and continuously verified.


10. What is the difference between HTTPS and VPN security?

  • HTTPS → Secures application-level communication (browser ↔ website).

  • VPN → Secures network-level communication (device ↔ network).


11. What is port scanning?

Port scanning is a technique used to discover open ports/services on a system. Attackers use it for reconnaissance; defenders use it for audits.


12. What are some common security protocols?

  • SSL/TLS – Web encryption (HTTPS).

  • IPSec – VPN encryption.

  • SSH – Secure remote access.

  • Kerberos – Authentication in enterprise networks.

  • RADIUS/TACACS+ – Authentication & authorization for network devices.


13. What is Multi-Factor Authentication (MFA)?

MFA requires more than one authentication factor (something you know, have, or are) to strengthen access security.


14. What is a Man-in-the-Middle (MITM) attack?

An attacker intercepts communication between two parties to steal or alter data. Examples: ARP spoofing, SSL stripping.


15. How do you protect against DDoS attacks?

Use rate limiting, traffic filtering, WAFs, CDNs, and anti-DDoS services (Cloudflare, Akamai, AWS Shield).


Quick Tip for Interviews:
If asked a scenario question like “How would you secure an enterprise network?”, structure your answer around defense in depth:

  • Perimeter security (firewalls, IDS/IPS)

  • Secure communication (VPN, TLS)

  • Access control (MFA, RBAC)

  • Monitoring & logging (SIEM)

  • Patch management


Network Security Tools Comparison

| Feature / Tool | Firewall | IDS (Intrusion Detection System) | IPS (Intrusion Prevention System) | SIEM (Security Info & Event Mgmt) |
|---|---|---|---|---|
| Primary Function | Blocks/filters traffic based on rules | Detects suspicious/malicious traffic | Detects and blocks malicious traffic | Collects, correlates, and analyzes security logs/events |
| Placement | Network perimeter (between internal & external networks) | Inline or passive monitoring point | Inline, active monitoring point | Centralized log server/SOC |
| Traffic Handling | Allows or denies traffic | Monitors & alerts only | Monitors, alerts, and blocks | Aggregates logs, generates alerts/reports |
| Action | Preventive | Reactive (alert only) | Preventive + Reactive | Investigative + Monitoring |
| Visibility | Limited (packet headers, ports, IPs) | Deep packet inspection for attack patterns | Deep inspection + real-time blocking | End-to-end visibility across entire infrastructure |
| Response | Drops or permits packets | Sends alerts to admins | Blocks traffic + sends alerts | Provides incident detection, correlation, forensic analysis |
| Example Use Cases | Block unauthorized access, enforce policies | Detect port scans, malware traffic | Stop SQL injection, DDoS, exploits | Detect insider threats, compliance, SOC monitoring |
| Examples (Tools/Vendors) | Cisco ASA, Palo Alto, Fortinet | Snort, Suricata, Zeek | Cisco Firepower, Palo Alto NGFW, Fortinet IPS | Splunk, IBM QRadar, Elastic SIEM, Azure Sentinel |

Quick One-liner Summary for Interviews:

  • Firewall → First line of defense, blocks unauthorized access.

  • IDS → Detects threats, alerts only.

  • IPS → Detects & actively blocks threats.

  • SIEM → Aggregates & analyzes logs, helps detect patterns and incidents.

