Monday, July 25, 2016

CCIE Security exam Notes

Cisco IOS methods:

Threat Management

Attack types
- Network reconnaissance
- Denial of Service (DoS)
- IP spoofing
- DHCP snooping
- DNS spoofing
- Session hijacking
- MAC spoofing
- ARP snooping
- Fragment attack
- TCP SYN attack

Attack Mitigations
- Traffic characterization
- Packet classification
- Marking Techniques
- Identifying Attack Patterns
- Understanding Attack vectors
- Common Protocol and Port numbers

Cisco IOS Mitigations Tools
- Cisco IOS firewalling (CBAC and ZFW) and Cisco IPS are well-known security features
- Other features available to identify and protect against attacks:
 : Flexible packet matching (FPM)
 : network-based application recognition (NBAR)
 : Netflow

FPM :
- performs stateless deep packet inspection providing more granular control than ACLs
- supports IPv4 and IPv6
- Specify custom pattern matching deep within the packet header or payload to block viruses, worms, and attacks while minimizing inadvertent filtering of legitimate network traffic
- With ACLs, legitimate traffic could be blocked
 eg stopping Slammer with ACLs meant blocking port 1434, denying business transactions involving Microsoft SQL
- FPM delivers flexible, granular L2-7 matching at any offset within the packet.
 eg port 1434 + packet length 404B + specific pattern within payload -> Slammer

FPM is stateless; it cannot keep track of traffic flow through the configured interface eg port numbers
FPM cannot classify packets with IP options
FPM is not supported on tunnel or multiprotocol label switching (MPLS) interfaces
Non-initial fragments will not be matched by FPM

Config :
class-map
policy-map
service-policy

NBAR :
used for classifying traffic

- Classification of applications that dynamically assign TCP/UDP port numbers
- Classification of http traffic by URL, HOST, or Multipurpose Internet Mail Extension (MIME) type
- Classification of application traffic using sub-port information
- can support customized application
- Protocol discovery via packet description language modules (PDLMs) eg P2P
- Use the classification in conjunction with CAR or traffic policing

- NBAR doesn’t support
 : non-ip traffic
 : MPLS label packets
 : fragmented packets
 : pipelined persistent http requests
 : URL/host/MIME classification with secure http
 : asymmetric flows with stateful protocols

Config eg:
1. Identify the criteria of interest
2. All scep request to the CA server must be tracked

show policy-map int e0/0

Netflow :
- Provides network administrators with “packet flow” information
- Allows for
 : Traffic flow analysis
 : Security monitoring
 : Anomaly detection

Enable on an interface via # ip flow ingress
Tuned by MQC to identify interesting traffic
ip flow global commands customize output (vlan-id, mac-address)
Customize displays: ip flow-top-talkers

Netflow helps mitigate attacks
Netflow classifies the attack
Can be used for anomaly detection
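The notes say Netflow records can drive security monitoring and anomaly detection; the following is an added example (not from the original notes) of what that detection logic looks like when run over flow records. The record layout, the thresholds, and every sample flow are constructed assumptions, so it runs offline with no collector.

```python
# Flow-record anomaly detection in the spirit of the Netflow notes above.
# Added example (not from the original notes): the record layout, the
# thresholds and all sample flows are constructed assumptions.
from collections import defaultdict

# Constructed flow records: (src, dst, proto, dport, flags, packets, bytes)
# flags "S" = SYN seen but no ACK (half-open); "SA" = handshake completed.
SAMPLE_FLOWS = (
    [("10.1.1.5", "192.0.2.10", "tcp", 443, "SA", 40, 52000),
     ("10.1.1.6", "192.0.2.10", "tcp", 443, "SA", 22, 31000)]
    # one source touching many ports on one host: port-scan pattern
    + [("10.1.1.77", "192.0.2.20", "tcp", p, "S", 1, 60) for p in range(20, 60)]
    # many sources, SYN-only, one destination port: SYN-flood pattern
    + [("203.0.113.%d" % i, "192.0.2.10", "tcp", 80, "S", 1, 60) for i in range(1, 151)]
)

SCAN_PORT_THRESHOLD = 30   # distinct destination ports from one source (assumed)
SYN_FLOOD_THRESHOLD = 100  # half-open flows to one destination:port (assumed)


def top_talkers(flows, n=5):
    """Bytes per source, highest first (what 'ip flow-top-talkers' summarises)."""
    totals = defaultdict(int)
    for src, _dst, _proto, _dport, _flags, _pkts, nbytes in flows:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def detect_port_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """(src, dst) pairs where one source opened SYN-only flows to many ports."""
    ports = defaultdict(set)
    for src, dst, proto, dport, flags, _pkts, _bytes in flows:
        if proto == "tcp" and flags == "S":
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def detect_syn_floods(flows, threshold=SYN_FLOOD_THRESHOLD):
    """(dst, dport) with an abnormal count of half-open flows; the second
    value is the number of distinct sources, which is high for spoofed floods."""
    half_open = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, proto, dport, flags, _pkts, _bytes in flows:
        if proto == "tcp" and flags == "S":
            half_open[(dst, dport)] += 1
            sources[(dst, dport)].add(src)
    return {k: (n, len(sources[k])) for k, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS, 3))
    print("port scans:", detect_port_scans(SAMPLE_FLOWS))
    print("syn floods:", detect_syn_floods(SAMPLE_FLOWS))
```

The two detectors key on the same feature (SYN-only flows) but aggregate differently: a scan is one source fanning out across ports, a flood is many sources converging on one port. Real thresholds are tuned per network from a baseline of normal flow counts.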

Understanding Logical Planes:

Traffic to the control and management plane is always destined to the device. “Receive Packets” and “Exception Packets”

Traffic in the data plane is always destined through the device. “Transit packets”.

Control Plane Policing CoPP:
Police and apply actions to inbound traffic types.
protecting bandwidth for essential operations

Control Plane Protection CPPr.

Finer granularity for policing of inbound control plane traffic, with the ability to rate limit each subinterface (host, transit, and CEF-exception) individually
Ability to limit protocol queue usage, eg limit eBGP on CEF-exception
Filter closed or non-listening TCP/UDP ports on Cisco IOS devices.

Control Plane Security :
Disable unused control plane services globally
- no service dhcp

ICMP techniques applied on interfaces that limit need for ICMP messages
- no icmp redirects, no icmp unreachables

Selective packet discard - ip options, fragments
ip options drop
deny ip any any option traceroute

MD5 authentication
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco

BGP techniques - max prefixes, ttl-security
neighbor ttl-security hops 2
neighbor maximum-prefix 10 65 restart 5

OSPF ttl-security
ip ospf ttl-security hops 254

Route filtering and passive interfaces

Infrastructure ACL’s

Selective Packet discard IPv6 - prioritize routing packets  (precedence 7)
ipv6 spd queue max-threshold 60000

OSPFv3 IPv6
ipv6 router ospf 21
 area 0 encryption ipsec

Management Plane Security Goals:
limit threat potential by restricting device access
Authorize and monitor access activities
Only allow access from trusted sources
Understanding what the device is doing and apply the best methods
 - management plane specific security features
 - protocol and best practices features.

Management Plane Protection (MPP)
 control-plane host
  management-interface g0/1 allow http telnet

Password security
- SNMP security
- Remote terminal access security
- Disable idle user sessions
- Infrastructure ACLs
- Role-based CLI access
- AAA

Data Plane Security Goals:
Prevent punting “transit” packets to the RP, as they require additional processing
Prevent forwarding unnecessary traffic, protect bandwidth and other devices
Discard unknowns as soon as possible
Drop all or selective drop IP options
Disable redirects, source routing and directed broadcasts
- eg prevent SMURF attacks

Implement ICMP packet filtering (IPv4 vs IPv6)
- ICMPv4 : reduce activities requiring the RP
- ICMPv6 : Neighbor Discovery Protocol is a MUST
   SeND

Unicast RPF
 - strict and loose modes

TTL expiry control
  - ttl expired in transit messages

Device management:
 AAA for Device Security
- Local or remote (via AAA server)
-TACACS+ is the protocol of choice for device management
  allows for granular command control
  per user access levels
- Audit is important to track configuration changes
- Console and line access can be controlled
- Role-based access control (RBAC) methods allow support for users grouped by requirements
  Admins versus Help Desk

RBAC requires that each role is represented by a group; users are created and become group members, allowing for individual audit trails and group policy application.

AAA and login on router lines
By default console and vty - no authentication or password

line vty 0 4
password cisco
login

When logging in, the line prompts for the password.

If no password is set, you get the message “password required, but none set”.

If no login is set, the line is open (no authentication).

If login local is set, a locally defined username/password is required.

Using aaa new-model

R1# aaa new-model
No authentication is required at the console, but a local username and password are required for VTY

Default method:
R1# aaa authentication login default local

The default method for authentication is applied to all lines, console and vty.
Now vty and console both require username and password.

Flexvpn:

IKEv2-based unified VPN that consolidates site-to-site, remote access, hub-spoke and spoke-spoke topologies

Flex VPN highlights
- Common CLI: ikev2, ipsec-profiles
- Common infrastructure: leverages IOS p2p VTIs
- Support for dynamic routing for all deployments, or static via route-set
- DoS protection with anti-clogging cookie
- Simplified config using smart defaults
- IKEv2 is standards compliant and consolidates IKEv1 and its extensions

IKEv2 Exchanges
IKE_SA_INIT (2 messages) -> IKE_SA authentication parameters negotiated
IKE_AUTH (2 messages, including the first CREATE_CHILD_SA) -> IKE authentication occurs and one CHILD_SA is created

CREATE_CHILD_SA (2 messages)

A ———————protected data ———————B
No AUTH payload in IKE_AUTH(i) indicates use of EAP (additional IKE_AUTH exchanges)


Wireless authentication method:

WLC supports multiple dynamic interfaces -> WLANS -> SSIDs

AP receives an IP address from the pool and discovers the WLC address from DHCP option 43

Once the AP knows the WLC, it is provisioned and managed by the WLC using CAPWAP : UDP (control channel) and 5247 (data channel). This can be encrypted using DTLS

AP may be subject to TrustSec auth method.

a client connects to AP using SSID

SSID mapped to dynamic int

WLAN profile applies security policy

Client IP addresses issued from DHCP server via wired interface

Security for WLANs can be done at layer 2 (WPA + WPA2) and layer 3

Port-security keyword provides an additional level of security as it will prevent a device from sending traffic on a switchport (apart from DHCP) until it receives an IP address from DHCP

To allow Telnet or SSH access, you need to specify the incoming source ip address or network

telnet 10.11.11.0 255.255.255.0 inside
ssh 10.11.11.15 255.255.255.255 inside

5 tuples on ASA:
source ip address/port
destination ip address/port
protocol in use

Cisco ASA packet flow :
1. Check ACL. If a connection already exists, the ACL is bypassed.
2. Check for NAT table if applicable.
3. Route lookup
4. Mac L2 resolution

null is null device

IPS # show interfaces brief

Sunday, April 24, 2016

Network Security Interview Questions

Split tunneling allows what?
simultaneous access through the tunnel and outside the tunnel using same network adaptor

what type of key does AES use ?
same key is used by AES for encryption and decryption

Which ESP fields are not encrypted?
SPI and sequence number

Hair pinning allows what?
The packet comes in on a single interface and is routed out of the same interface, which by default is not allowed on the ASA.

What does crypto ACL do?
It identifies the traffic that should be encrypted.

A QM_IDLE ikev1 phase1 state means?
Ikev1 phase 1 tunnel is established

What is the command used to identify/list the port numbers used by various applications in Unix/Windows?
netstat -anb
-a shows all connections and listening ports
-n shows addresses and ports in numeric form
-b shows the PID, i.e. the process ID

Explain how NAT/PAT works.
NAT means Network Address Translation. NAT helps private IPs route over the public Internet by translating a private IP to a public IP, either one-to-one or many-to-one. PAT means Port Address Translation; it translates based on source port.

How does a request sent by an HTTP browser from a workstation to a website go through the router and come back to the workstation to open the web page? Explain how the packets travel in terms of IP protocols.
Once a web site is entered in the address bar and the enter key is pressed, the following process happens.

1. The system checks the DNS cache for an entry for the domain name; if there is one, go to step 3.
2. The system performs a DNS query to convert the domain name into an IP address by sending a query to the DNS server.
3. Once a DNS response is received, the client initiates a 3-way handshake with the destination IP on port 80 or 443.
4. The client sends a SYN to the server, the server sends a SYN+ACK to the client, and the client sends an ACK for the server's SYN.
5. Once the 3-way handshake is completed, the browser presents the request to the server.
6. Based on the received request, the server responds with the requested file/data.
7. Once the transmission of data is completed, the server sends a FIN packet, then the client sends a FIN packet, and the connection is terminated.

What is a Domain Controller?
A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources.
A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain.

What are Digital Signatures?
A digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.

What is Data encryption?
Data encryption ensures data safety and is very important for confidential or critical data. It protects data from being read, altered or forged during transmission.

What is Public Key Encryption?
Public key encryption uses a public and a private key for encryption and decryption. In this mechanism, the public key is used to encrypt messages and only the corresponding private key can be used to decrypt them. To encrypt a message, a sender has to know the recipient’s public key.

What are Brute Force Attacks?
Brute forcing is a mechanism used by an attacker to break the encryption of data by trying a set of keys. The cryptanalyst has a set of candidate keys and applies them one by one to the encryption algorithm until the right key is found.
Example: http://www.abc.com/online/Displaymsg.asp?msgID=87951
Here the browser requests the Displaymsg.asp page and sends msgID 87951 to the web server; a cryptanalyst may brute-force the value of msgID and read other users’ data.

How do you use RSA for both authentication and secrecy?
RSA is a public key encryption algorithm. The RSA algorithm is based on the mathematical fact that it is easy to find and multiply large prime numbers together, but extremely difficult to factor their product.
For authentication: one can encrypt the hash (MD4/SHA) of the data with a private key. This is known as a digital signature.

If you are a victim of a Denial of Service (DoS) attack, what do you do?
A denial of service attack floods its target machine with too much traffic and prevents it from being accessible for any other requests or from providing services.
To prevent DoS attacks, the firewall can be configured as a relay; in this approach the firewall responds on behalf of the internal host. During the attack, the firewall responds to the SYN sent by the attacker; since the ACK never arrives, the firewall terminates the connection.
By keeping protocols and antivirus software up to date, we can avoid becoming a victim of DoS. Regular scanning of the machine is also necessary in order to detect any anomalous behaviour.
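The "firewall as relay" behaviour described in the answer above (answer the SYN, hand the connection to the inside host only when the ACK arrives, reap half-open entries that never complete) is commonly called a SYN proxy. The simulation below is an added example, not from the original page: the state machine, the timeout, the half-open limit and the flood scenario are all constructed assumptions, and the clock is passed in as a number so it runs offline.

```python
# Simulated "firewall as relay" (SYN proxy) from the DoS answer above.
# Added example, not from the original page: the state machine, the timeout
# and the half-open limit are assumptions, and the clock is passed in as a
# number so the simulation runs offline and deterministically.
import secrets

EMBRYONIC_TIMEOUT = 30.0   # seconds a half-open entry waits for its ACK (assumed)
EMBRYONIC_LIMIT = 1000     # half-open entries kept before new SYNs are dropped (assumed)


class SynRelayFirewall:
    def __init__(self):
        self.half_open = {}           # (client, port) -> (server_isn, created_at)
        self.server_connections = []  # handshakes completed and passed to the inside host
        self.dropped = 0

    def expire(self, now):
        """Reap half-open entries whose ACK never arrived."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > EMBRYONIC_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, client, port, now):
        """Answer the SYN ourselves; the inside host is not involved yet."""
        self.expire(now)
        if len(self.half_open) >= EMBRYONIC_LIMIT:
            self.dropped += 1
            return None
        isn = secrets.randbits(32)                     # simulated initial sequence number
        self.half_open[(client, port)] = (isn, now)
        return ("SYN-ACK", isn)

    def on_ack(self, client, port, ack_num, now):
        """Only a correct third-step ACK turns a half-open entry into a real connection."""
        self.expire(now)
        entry = self.half_open.pop((client, port), None)
        if entry is None or ack_num != (entry[0] + 1) & 0xFFFFFFFF:
            self.dropped += 1
            return False
        self.server_connections.append((client, port))   # now handed to the inside host
        return True


def simulate(flood_syns=500, legit_client="10.0.0.9"):
    """Constructed scenario: a SYN flood from spoofed sources that never ACK,
    plus one legitimate client that completes the handshake."""
    fw = SynRelayFirewall()
    for i in range(flood_syns):
        fw.on_syn("198.51.100.%d" % (i % 250), 40000 + i, now=0.0)
    _, isn = fw.on_syn(legit_client, 51000, now=1.0)
    fw.on_ack(legit_client, 51000, (isn + 1) & 0xFFFFFFFF, now=1.2)
    fw.expire(now=60.0)        # time passes; the flood's half-open entries are reaped
    return fw
```

The inside host never sees the flood: only the one completed handshake reaches `server_connections`, and the spoofed entries age out of the firewall's table. Real implementations avoid even the per-SYN table entry by encoding the state in the sequence number (SYN cookies); the relay shown here is the simpler stateful form the answer describes.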

What are the differences among encoding, encryption and hashing?
Encoding: Encoding is used to preserve the integrity of data as it crosses a communication network so that it keeps its original form on arrival. It is an insecure function because it is easily reversible.
Encryption: Encryption is designed for confidentiality and data integrity and is reversible only if you have the appropriate key.
Hashing: With hashing, the operation is one-way, i.e. non-reversible. It takes an input (or message) and returns a fixed-size string, which is called the hash value.

What is the Authentication Header and how does it protect the IP header?
The Authentication Header protects the IP header and provides complete authenticity for IP packets.
AH may work in two ways: transport mode and tunnel mode.
In tunnel mode, AH protects the IP header using two IP header layers, inner and outer. The inner IP header contains the original source and destination addresses, and the outer IP header contains the security gateway information.

What’s more secure, SSL or HTTPS?
Trick question: these are not mutually exclusive.
HTTPS runs over SSL (as its name suggests, HTTP-over-SSL), not SSL over HTTP. First the SSL session is established, then all HTTP data is wrapped into secured SSL records before sending and unwrapped after receiving.

SSL VS TLS

The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1.

Which is more secure, SSL or TLS?

In terms of security they are both considered equally secure.
The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server is successful. If the TLS handshake fails for any reason, the connection is never created.

(SSL and TLS vs HTTP)

The HTTP protocol is used to request and receive data; in HTTPS the 's' stands for secure (SSL), which encrypts the HTTP request and receive activity so that a man-in-the-middle attacker cannot obtain the data easily.

If neither SSL nor TLS is used with HTTP

then your connection with the web server is unencrypted; all data is sent in plaintext and any man-in-the-middle attacker can obtain and view it.

So should you go with SSL or TLS?

Both are similar, but TLS is more extensible, is expected to get more support in future, and is backward compatible.

SSL (Secure Socket Layer)

SSL was created by Netscape Communications Corporation back in 1994. It was designed to create a secure Internet communication via the Web. It is a standard protocol that encrypts communication between your browser and the server. It allows for private information like social security numbers, credit card details, and login credentials to be transferred easily over the Internet.
SSL utilizes two keys:
  • Public keys that are knowable by everyone.
  • Private keys known only by the person receiving the message.
The two keys work together to form an encrypted connection via the Web.
Being able to connect to a specific port requires a secure connection. As an example, you would use port 442 for HTTPS, 995 for secure POP, 993 for secure IMAP and so on. All of these ports are already set up on the server. They are ready to negotiate secure connections first, then they will proceed to do whatever else you need after that.

TLS (Transport Layer Security)

TLS is a protocol allowing secure communication between client-server applications over the Internet. It forms a secure communication channel via the Web for email, data transfers, and faxing.
TLS has two distinct layers:
  • The TLS Record Protocol establishes a secure connection with encryption methods such as the Data Encryption Standard.
  • The TLS Handshake Protocol allows authentication of the servers and clients. Before data can be exchanged, it negotiates the cryptographic keys and algorithms.
This particular type of connection begins by contacting the server. Then, it switches to a secured method of communication after the initial handshake is successful. In the event the handshake fails, the connection will be terminated. One of the best examples of this is the STARTTLS command used for an outbound email connection.

There are a number of benefits to using an SSL or TLS connection, such as:
  • Secured communication between the server and the browser
  • Ensured safety of your sensitive information
  • Encrypted user and website info
  • SEO benefits when conducting Google searches
  • Protection for your website from cyber attacks
  • A boost to your website's reputation online
  • Security for your software, documents and applications

HTTPS (Secure Hypertext Transport Protocol)

HTTPS is a secure version of HTTP. This ensures that any communication sent online is secured by the SSL/TLS connection. Any ongoing communication between the server and browser will be encrypted for your safety. If you are looking to establish an HTTPS connection, you will have to first purchase an SSL certificate from someone you can trust. You don't want to purchase a certificate from just anyone. Look for a trusted certificate authority. Then, you need to install it on the proper server.
HTTPS is HTTP text written in the standard HTTP format and secured with SSL/TLS, which encrypts the HTTP text and ensures the communication is protected at all times.
There are a number of reasons to use an HTTPS connection:
  • It helps to establish a secure communication between server and browser
  • It secures websites against tampering activities or eavesdropping
  • It protects users from man-in-the-middle attacks
  • It is used worldwide by business of all sizes to process secure payment transactions
  • It is used by banking, healthcare, e-commerce, social media and government industries

If you had to both encrypt and compress data during transmission, which would you do first, and why?
Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.
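The answer above can be measured rather than asserted. The following is an added example, not from the original page: it compresses a constructed sample of repetitive protocol text before and after "encryption" and reports the sizes. The cipher is a random XOR keystream (a one-time-pad stand-in chosen so that only the Python standard library is needed); the ciphertext of any sound cipher is just as incompressible.

```python
# Compress-then-encrypt versus encrypt-then-compress, measured.
# Added example, not from the original page. The cipher is a random XOR
# keystream (a one-time-pad stand-in chosen so only the standard library is
# needed); the ciphertext of any sound cipher is equally incompressible.
import os
import zlib

# Constructed sample: repetitive protocol text, the kind that compresses well
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: demo\r\nAccept: */*\r\n\r\n") * 20


def xor_encrypt(data, key):
    """Stand-in cipher: XOR with a one-time random key of at least equal length."""
    if len(key) < len(data):
        raise ValueError("key must cover the whole message")
    return bytes(b ^ k for b, k in zip(data, key))


def compare_orders(plain=SAMPLE):
    """Return the byte counts each ordering produces on the wire."""
    key = os.urandom(len(plain))
    compress_first = xor_encrypt(zlib.compress(plain, 9), key)
    encrypt_first = zlib.compress(xor_encrypt(plain, key), 9)
    return {"plain": len(plain),
            "compress_then_encrypt": len(compress_first),
            "encrypt_then_compress": len(encrypt_first)}


if __name__ == "__main__":
    print(compare_orders())
```

Encrypting first leaves zlib nothing to find, so the output is a few bytes larger than the input (container overhead on incompressible data). One caveat a practitioner should know: compressing attacker-influenced data together with secrets before encrypting leaks information through the ciphertext length (the CRIME and BREACH attacks on TLS and HTTP compression), which is why TLS-level compression is disabled in modern deployments.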

What’s the difference between symmetric and public-key cryptography

single key vs. two keys, etc, etc.

In public-key cryptography, you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?
You encrypt with the other person’s public key, and you sign with your own private.

What port does ping work over?
ICMP is a layer 3 protocol (it doesn’t work over a port). A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

How exactly does traceroute/tracert work at the protocol level?
The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop and gets a time, then sends a packet to the second hop and gets a time, and keeps going until it’s done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.
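To make the point concrete, here is an added simulation (not from the original page) in which every probe carries the final destination address and only the TTL changes; each router on a constructed path decrements the TTL and answers ICMP Time Exceeded when it reaches zero. The path, the destination and the probe kinds (UDP as on Linux, ICMP echo as on Windows) are assumptions; nothing is sent on a real network.

```python
# Simulated traceroute: every probe is addressed to the final destination and
# only the TTL changes. Added example, not from the page; the path and the
# destination are constructed, and nothing touches a real network.

PATH = ["10.0.0.1", "172.16.0.1", "198.51.100.1"]   # constructed routers, in order
DESTINATION = "192.0.2.50"                           # constructed final destination


def forward(path, destination, ttl, kind):
    """Walk one probe along the path. Each router decrements TTL; the router
    that takes it to zero discards the probe and replies ICMP Time Exceeded."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", router)
    # The probe reached the destination; the reply depends on the probe type.
    if kind == "udp":
        return ("port-unreachable", destination)   # closed high port -> ICMP type 3 code 3
    return ("echo-reply", destination)             # ICMP echo request -> echo reply


def traceroute(path=PATH, destination=DESTINATION, kind="udp", max_ttl=30):
    """Return [(ttl, responder), ...]; note the destination never changes."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply, responder = forward(path, destination, ttl, kind)
        hops.append((ttl, responder))
        if reply != "time-exceeded":   # anything other than Time Exceeded ends the trace
            break
    return hops


if __name__ == "__main__":
    for ttl, who in traceroute(kind="udp"):
        print(ttl, who)
```

The trace ends on the first reply that is not Time Exceeded: a port-unreachable for UDP probes or an echo reply for ICMP probes. A hop that silently drops expired packets shows up in a real trace as a timeout, which is the other thing this simulation deliberately omits.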

Cryptographically speaking, what is the main method of building a shared secret over a public medium?
Diffie-Hellman.

What’s the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol.
RSA:
- an encryption algorithm
- very slow for bulk data encryption
- sender encrypts the data to be transferred using the public key of the recipient
- receiver decrypts the encrypted data using their private key

DH:
- a method of exchanging cryptographic keys
- establishes a shared secret that can be used for secret communications
- vulnerable to man-in-the-middle attack

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?
Man-in-the-middle, as neither side is authenticated.
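The two answers above (DH builds a shared secret; a bare exchange is vulnerable because neither side is authenticated) are shown together below. This is an added example, not from the original page: the group parameters are a constructed toy (far too small for real use) and the authentication of each public value uses an HMAC under a pre-shared key standing in for a signature; with RSA or ECDSA signatures the structure is the same. The tamper option substitutes a public value in transit to show the check rejecting it.

```python
# Diffie-Hellman over an open channel, plus the authentication a bare
# exchange lacks. Added example, not from the page: toy parameters (constructed)
# and HMAC-under-PSK standing in for a signature.
import hashlib
import hmac
import secrets

P = 2**64 - 59   # toy prime modulus (constructed; real groups are 2048-bit or larger)
G = 2


def dh_keypair(p=P, g=G):
    private = secrets.randbelow(p - 2) + 1          # 1 .. p-2
    return private, pow(g, private, p)


def dh_shared(their_public, my_private, p=P):
    """Derive a symmetric key from the shared secret g^(ab) mod p."""
    if not 1 < their_public < p - 1:                # reject degenerate values 0, 1, p-1
        raise ValueError("invalid peer public value")
    secret = pow(their_public, my_private, p)
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def authenticate(public, psk):
    """Tag the public value so the peer can tell it came from a PSK holder."""
    return hmac.new(psk, public.to_bytes(8, "big"), hashlib.sha256).digest()


def verify(public, tag, psk):
    return hmac.compare_digest(authenticate(public, psk), tag)


def run_exchange(psk=b"constructed-psk", tamper=False):
    """Returns True when both sides derive the same key, None if B rejects A's value."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, authenticate(a_pub, psk))     # what A puts on the open channel
    if tamper:                                    # value replaced in transit, tag unchanged
        _, other_pub = dh_keypair()
        a_msg = (other_pub, a_msg[1])
    if not verify(a_msg[0], a_msg[1], psk):
        return None                               # B aborts: the value is not A's
    key_at_b = dh_shared(a_msg[0], b_priv)
    key_at_a = dh_shared(b_pub, a_priv)
    return key_at_a == key_at_b


if __name__ == "__main__":
    print("honest exchange agrees:", run_exchange())
    print("tampered exchange accepted:", run_exchange(tamper=True))
```

Without the tag check, a substituted value would still produce a "valid" shared key on each side, just different ones, and the party in the middle would hold both; the authentication step is what turns DH into the authenticated key exchange that IKE and TLS actually use.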

How would you implement a secure login field on a high traffic website where performance is a consideration?
Present the login form via HTTPS. A key piece of the answer should center around avoidance of the MiTM threat posed by plain HTTP.

What are the various ways to handle account brute forcing?

Look for a discussion of account lockouts, IP restrictions, fail2ban, etc.

What is Cross-Site Request Forgery?

When an attacker gets a victim’s browser to make requests, ideally (for the attacker) with the victim’s credentials included, without the victim’s knowledge. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have performed the action, not them (since browsers load all IMG tags automatically).
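The logout-via-IMG example above fails on two defences: a state-changing action should not be reachable by GET (an IMG tag can only issue GET), and it should require a token the attacker's page cannot obtain. The following is an added example, not from the original page, of a synchronizer-token check in plain Python; the session store, the token format and the request dictionary are assumptions standing in for whatever web framework is in use.

```python
# CSRF protection for the logout example above: require POST and a token
# bound to the caller's session. Added example, not from the page; the request
# shape, token format and server key are assumptions.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)     # constructed per-process key


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Token = nonce.HMAC(key, session_id:nonce); embedded in the server's own forms."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(token, session_id, key=SERVER_KEY):
    """A token only verifies for the session it was issued to."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing or malformed token
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_logout(request, session_id):
    """State-changing action. Returns an HTTP status code.
    request = {"method": "GET"|"POST", "form": {...}} (assumed shape)."""
    if request["method"] != "POST":
        return 405                      # an <img> fetch is a GET and stops here
    if not csrf_token_valid(request["form"].get("csrf_token"), session_id):
        return 403                      # cross-site form post without our token
    return 200                          # genuine logout from our own page


if __name__ == "__main__":
    sid = "constructed-session-id"
    tok = issue_csrf_token(sid)
    print(handle_logout({"method": "GET", "form": {}}, sid))
    print(handle_logout({"method": "POST", "form": {"csrf_token": tok}}, sid))
```

Because the token is bound to the session id by the HMAC rather than stored, a token lifted from one user's page is useless in another user's session. Pair this with `SameSite` cookies in practice; the token check remains the authoritative control.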

What’s the difference between HTTP and HTML?

HTTP is the networking/application protocol; HTML is the markup language.

What exactly is Cross Site Scripting?
Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application.

What’s the difference between stored and reflected XSS?

Stored XSS is on a static page or pulled from a database and displayed to the user directly. Reflected XSS comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

What’s the difference between a threat, vulnerability, and a risk?
As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few different schools on this. Just look for solid answers that are self-consistent.

How would traceroute help you find out where a breakdown in communication is?
Tracert or traceroute, depending on the operating system, allows you to see exactly what routers you touch as you move along the chain of connections to your final destination. However, if you end up with a problem where you can’t connect or can’t ping your final destination, a tracert can help in that regard as you can tell exactly where the chain of connections stops. With this information, you can contact the correct people – whether it be your own firewall, your ISP, your destination’s ISP or somewhere in the middle.

Why would you want to use SSH from a Windows pc?
SSH (TCP port 22) is a secure connection used on many different systems and dedicated appliances. Routers, Switches, SFTP servers and unsecured programs being tunneled through this port all can be used to help harden a connection against eavesdropping. Despite the fact that most times when you hear about somebody ‘SSHing’ into a box it involves Linux, the SSH protocol itself is actually implemented on a wide variety of systems – though not by default on most Windows systems. Programs like PuTTY, Filezilla and others have Windows ports available, which allow Windows users the same ease-of-use connectivity to these devices as do Linux users.

What’s the difference between Symmetric and Asymmetric encryption?

Symmetric encryption uses the same key to encrypt and decrypt, while asymmetric encryption uses different keys.

What is XSS?
Cross-site scripting, the nightmare of Javascript. Because Javascript can run pages locally on the client system as opposed to running everything on the server side, this can cause headaches for a programmer if variables can be changed directly on the client’s webpage. There are a number of ways to protect against this, the easiest of which is input validation.

How would you log in to Active Directory from a Linux or Mac box?
While it may sound odd, it is possible to access Active Directory from a non-Windows system. Active Directory uses an implementation of the SMB protocol, which can be accessed from a Linux or Mac system by using the Samba program. Depending on the version, this can allow for share access, printing, and even Active Directory membership.

What are salted hashes?
Salt at its most fundamental level is random data. When a properly protected password system receives a new password, it will create a hashed value for that password, create a new random salt value, and then store that combined value in its database. This helps defend against dictionary attacks and known hash attacks. For example, if a user uses the same password on two different systems, if they used the same hashing algorithm, they could end up with the same hash value. However, if even one of the systems uses salt with its hashes, the values will be different.
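The salted-hash answer above and the earlier "various ways to handle account brute forcing" question (account lockouts, IP restrictions, fail2ban) are both served by the following added example, which is not from the original page. It stores passwords with a fresh per-user salt under PBKDF2 and locks an account after repeated failures; the KDF parameters, the thresholds and the in-memory store are assumptions, and the clock is passed in so it runs deterministically.

```python
# Per-user salted password hashing (the answer above) together with the
# account-lockout handling asked about under "various ways to handle account
# brute forcing". Added example, not from the original page: the KDF
# parameters, lockout thresholds and the in-memory store are assumptions.
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000   # work factor (assumed)
MAX_FAILURES = 5          # failed attempts before lockout (assumed)
LOCKOUT_SECONDS = 900     # lockout duration (assumed)
DUMMY_SALT, DUMMY_DIGEST = b"\0" * 16, b"\0" * 32   # used for unknown users


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt means the same password
    stored twice (or on two systems) yields two different digests."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.users = {}          # name -> (salt, digest)
        self.failures = {}       # name -> consecutive failed attempts
        self.locked_until = {}   # name -> time the lockout ends

    def register(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password, now):
        """Returns "ok", "denied" or "locked"; 'now' is a caller-supplied clock."""
        if self.locked_until.get(name, 0) > now:
            return "locked"
        record = self.users.get(name)
        # Run the KDF even for unknown names so response time does not reveal
        # which usernames exist.
        salt, digest = record if record else (DUMMY_SALT, DUMMY_DIGEST)
        _, attempt = hash_password(password, salt)
        if record is not None and hmac.compare_digest(attempt, digest):
            self.failures.pop(name, None)
            return "ok"
        count = self.failures.get(name, 0) + 1
        self.failures[name] = count
        if count >= MAX_FAILURES:
            self.locked_until[name] = now + LOCKOUT_SECONDS
            self.failures.pop(name, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse")
    print(store.login("alice", "correct horse", now=0))
    print(store.login("alice", "wrong", now=1))
```

Two users registering the same password get different digests because their salts differ, which is exactly the property the answer describes. Lockout by account is one of the controls the brute-forcing question expects; per-source throttling (the fail2ban approach) keys the same counter on the client address instead, and the two are usually combined so that a single attacker cannot lock out real users at will.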

What are the three ways to authenticate a person?

Something they know (password), something they have (token), and something they are (biometrics). Two-factor authentication often times uses a password and token setup, although in some cases this can be a PIN and thumbprint.

You see a user logging in as root to perform basic functions. Is this a problem?
A Linux admin account (root) has many powers that are not permitted for standard users. That being said, it is not always necessary to log all the way off and log back in as root in order to do these tasks. For example, if you have ever used the ‘run as admin’ command in Windows, then you will know the basic concept behind ‘sudo’ or ‘superuser (root) do’ for whatever it is you want it to do. It’s a very simple and elegant method for reducing the amount of time you need to be logged in as a privileged user. The more time a user spends with enhanced permissions, the more likely it is that something is going to go wrong – whether accidentally or intentionally.

What is VPN?
VPN means Virtual Private Network, a technology that allows a secure tunnel to be created across a network such as the Internet. For example, VPNs allow you to establish a secure dial-up connection to a remote server.

What is NIC?

NIC is short for Network Interface Card. This is a peripheral card that is attached to a PC in order to connect to a network. Every NIC has its own MAC address that identifies the PC on the network.

What is DoS?
DoS, or Denial-of-Service attack, is an attempt to prevent users from being able to access the internet or any other network services. Such attacks may come in different forms and are done by a group of perpetrators. One common method of doing this is to overload the system server so it can no longer process legitimate traffic and will be forced to reset.

What is tracert?
Tracert is a Windows utility program that can be used to trace the route taken by data from the router to the destination network. It also shows the number of hops taken during the entire transmission route.

What protocol can be applied when you want to transfer files between different platforms, such between UNIX systems and Windows servers?
Use FTP (File Transfer Protocol) for file transfers between such different servers. This is possible because FTP is platform independent.

What is netstat?
Netstat is a command line utility program. It provides useful information about the current TCP/IP settings of a connection.

What is ICMP?

ICMP is Internet Control Message Protocol. It provides messaging and communication for protocols within the TCP/IP stack. This is also the protocol that manages error messages that are used by network tools such as PING.

What is Ping?
Ping is a utility program that allows you to check connectivity between network devices on the network. You can ping a device by using its IP address or device name, such as a computer name.

You need to connect two computers for file sharing. Is it possible to do this without using a hub or router?
Yes, you can connect two computers together using only one cable. A crossover type cable can be used in this scenario. In this setup, the data transmit pin of one cable is connected to the data receive pin of the other cable, and vice versa.

What is ipconfig?
Ipconfig is a utility program that is commonly used to identify the address information of a computer on a network. It can show the physical address as well as the IP address.

What is client/server?
Client/server is a type of network wherein one or more computers act as servers. Servers provide a centralized repository of resources such as printers and files. Clients refer to the workstations that access the server.

When you move the NIC cards from one PC to another PC, does the MAC address gets transferred as well?
Yes, that’s because MAC addresses are hard-wired into the NIC circuitry, not the PC. This also means that a PC will have a different MAC address when the NIC card is replaced by another one.

What is the importance of Encryption on a network?
Encryption is the process of translating information into a code that is unreadable without the key. It is then translated back, or decrypted, to its normal readable format using a secret key or password. Encryption helps ensure that information intercepted in transit remains unreadable, because the reader has to have the correct password or key for it.

What do mean by tunnel mode?
This is a mode of data exchange wherein two communicating computers do not use IPSec themselves. Instead, the gateway that is connecting their LANs to the transit network creates a virtual tunnel that uses the IPSec protocol to secure all communication that passes through it.

What is RSA algorithm?
RSA is short for Rivest-Shamir-Adleman algorithm. It is the most commonly used public key encryption algorithm in use today.

What is a firewall?
A firewall is used to provide security to private networks connected to the internet. It can be implemented as hardware or software, or a combination of both. All incoming and outgoing network traffic is examined and accepted/rejected by the firewall as per defined rules.

What is the difference between network gateway and a firewall?

A: A network gateway joins two networks together and a network firewall protects a computer network against unauthorized incoming or outgoing access. Network firewalls may be hardware devices or software programs.

What is the difference between IPS and a firewall?
A: The primary function of a firewall is to prevent/control traffic flow from an untrusted network (outside). A firewall is not able to detect an attack in which the data is deviating from its regular pattern, whereas an IPS can detect and reset that connection as it has inbuilt anomaly detection.

What is a transparent firewall?

A: A transparent firewall operates at Layer 2. Deploying a new routed firewall into a network can be a complicated process because of issues such as IP address reconfiguration, network topology changes and the existing firewall. A transparent firewall is not a routed hop, so it can be introduced into an existing network easily.

What is packet filtering?
A: Packet filtering is the process of permitting or blocking IP packets based on source and destination addresses, ports, or protocols. The packet filter examines the header of each packet against a specific set of rules and, on that basis, decides whether to allow it through or block it. Packet filtering is also part of a firewall program for protecting a local network from unwanted access.

What is the Public Key Encryption?
A: Public key encryption uses a public and a private key for encryption and decryption. In this mechanism, the public key is used to encrypt messages and only the corresponding private key can be used to decrypt them. To encrypt a message, a sender has to know the recipient’s public key.

Define Digital Signatures
A: Digital signature is an attachment to an electronic message used for security purposes. It is used to verify the authenticity of the sender.
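As an added worked example tying together the three answers above (RSA, public key encryption and digital signatures), here is textbook RSA in Python. It is not code from the page: the primes P and Q and the messages are constructed toy values, and the scheme deliberately omits the OAEP/PSS padding and the 2048-bit keys that real deployments require, so it illustrates the mechanism only.

```python
import hashlib
from math import gcd

# Constructed toy primes for illustration only; real RSA keys use randomly
# generated primes of 1024+ bits each.
P = 999983
Q = 1000003
E = 65537   # common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext):
    """The sender uses the recipient's PUBLIC key; plaintext must be < n."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Only the holder of the PRIVATE key can recover the message."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message):
    """The signer applies its PRIVATE key to a digest of the message."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Anyone with the PUBLIC key can check that the digest matches."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(pub, b"hi")
    print("ciphertext:", c, "->", decrypt(priv, c))
    s = sign(priv, b"order 42")
    print("signature valid:", verify(pub, b"order 42", s))
    print("tampered message valid:", verify(pub, b"order 43", s))
```

Encryption uses the recipient's public key and decryption the matching private key; signing reverses the roles, which is why the same key pair serves both answers.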

What is Authorization?

A: Authorization is a security mechanism used to determine user/client privileges or access levels related to network resources, including firewalls, routers, switches and application features. Authorization is normally preceded by authentication; during authorization, the system verifies an authenticated user’s access rules and either grants or refuses resource access.

What is stateful failover?
A: Every time a session is created for a flow of traffic on the primary node, it is synced to the secondary node. When the primary node fails, sessions continue to pass traffic through the secondary node without having to be re-established.

What is VPN and describe IPsec VPN?

A: Virtual Private Network (VPN) creates a secure network connection over a public network such as the internet.
An IPsec VPN (VPN over IP Security) allows two or more users to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session.

What is Site to Site and remote access VPN?
A: A site-to-site VPN allows offices in multiple locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN is different from remote-access VPN as it eliminates the need for each computer to run VPN client software as if it were on a remote-access VPN.

How do you check the status of the tunnel’s phase 1 & 2?
A: Use the following commands to check the status of the tunnel phases:
Phase 1 : show crypto isakmp sa (the SA should be in state MM_ACTIVE)
Phase 2 : show crypto ipsec sa
Note: if you have a lot of tunnels and the output is confusing, use the ‘show crypto ipsec sa peer 12.12.12.12’ command instead to limit the output to one peer.

What is SSL VPN? How it is different from IPsec VPN?
A: SSL VPN provides remote access connectivity from almost any internet enabled location without any special client software at the remote site. You only need a standard web browser and its native SSL encryption.
IPsec is a dedicated point-to-point fixed VPN connection, whereas SSL VPNs provide anywhere connectivity without any configuration or special software at the remote site.

What is GRE and why is it required?
A: Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks.
GRE enables a wrapper to be placed around a packet during transmission of the data. A receiving GRE removes the wrapper, enabling the original packet to be processed by the receiving stack.
Advantages of GRE tunnels include the following:
    •    GRE tunnels connect discontinuous sub-networks.
    •    GRE tunnels allow VPNs across wide area networks (WANs).
    •    GRE tunnels encapsulate multiple protocols over a single-protocol backbone.
    •    GRE tunnels provide workarounds for networks with limited hops.

Firewalls work at what layer? Define firewall generations and their roles.
A: Firewalls work at layers 3, 4 and 7. First generation firewalls provide packet filtering and generally operate at layer 3 (the Network layer). Second generation firewalls operate up to the Transport layer (layer 4); they record all connections passing through them and determine whether a packet is the start of a new connection, part of an existing connection, or not part of any connection. Second generation firewalls are mainly used for stateful inspection.
Third generation firewalls operate at layer 7. The key benefit of application layer filtering is that it can “understand” certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)).

What is DoS attack? How can it be prevented?
A: A DoS (Denial of Service) attack can be generated by sending a flood of data or requests to a target system, consuming or crashing the target system’s resources. The attacker often uses IP spoofing to conceal their identity when launching a DoS attack.

What is IP Spoofing?
A: An IP spoofing attack enables an attacker to replace its identity with that of a trusted host in order to attack the host. For example, if an attacker convinces a host that they are a trusted client, they might gain privileged access to the host.

What are the security-levels in cisco ASA?
A: The ASA uses security levels to determine the degree of trust given to a network attached to the respective interface. The security level can be configured between 0 and 100, where higher numbers are more trusted than lower ones. By default, the ASA allows packets from a higher (trusted) security interface to a lower (untrusted) security interface without the need for an ACL explicitly allowing the packets.

What is AAA?
A: AAA stands for authentication, authorization and accounting. It is used to control users’ rights to access network resources and to keep track of the activity of users over a network. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

What is IPS? How does it work?
A: An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. An IPS helps protect against various network security attacks such as brute force attacks, Denial of Service (DoS) attacks, and vulnerability detection. An IPS also provides prevention against protocol exploits.
An Intrusion Prevention System uses four types of approaches to secure the network from intrusions:
    •    Signature-Based
    •    Anomaly-Based
    •    Policy-Based
    •    Protocol-Analysis-Based

How can a brute force attack on a router be prevented?
A limit for the maximum number of login attempts can be set up on the router. On exceeding the limit, the account can be locked. Logging can be set up on the router to observe the IP address from which the login attempts are generated, and an access list set up to block that IP.

Name two RADIUS servers which are used in network environments.

IAS Server and FreeRADIUS.

A switch is configured to authenticate users with a RADIUS server. Which port on the server would be used for RADIUS authentication?

UDP port 1812 would be used.

A user needs to access a Windows PC, which is behind a NAT router in the office. What method can be used to access the desktop of the PC from home?

To access the desktop of a remote PC, the Windows Remote Desktop Protocol (RDP) can be used. Since the PC is behind a NAT router, port forwarding can be set up on the router to forward packets to the internal PC. The user at home would initiate a remote desktop connection to the internet IP address of the NAT router, which would forward the request to the internal PC.

A VPN server is to be deployed in an organization. The VPN server would be used by remote users for gaining access to the organization network. The organization has a NAT router, which is used by users inside the organization for internet sharing and has one public IP address. Can the VPN server use the same IP address, which can then be used by remote users?
The VPN server can be set up behind the NAT router, and port forwarding configured to allow incoming traffic to the VPN server. The remote users would connect to the public IP address of the NAT router, which would then forward the request to the VPN server.

Which feature on a wireless access point can be used for blocking unauthorized access based on the MAC address?
The MAC filtering feature on an access point can be used. The list of allowed MAC addresses can be configured using the feature.

Which field in an STP packet is manipulated in an STP BPDU attack?

The bridge priority value in the BPDU is crafted lower than that of the actual root bridge, which causes an STP topology change, as the bridge advertising the lower priority value is elected as the root bridge.

Which is a common feature used by stateless firewalls?
Access control lists

What is TKIP and why is it used?
TKIP stands for Temporal Key Integrity Protocol. It is used by WPA (Wi-Fi Protected Access) to provide encryption services on a wireless network.

Which command would you use to ping a system in a loop from a Windows PC?
ping -t 192.168.1.100 can be used to ping the IP address 192.168.1.100 in a loop.

Which protocol does ping use at the network layer?
ICMP

What type of ICMP packet is sent when a ping request is initiated?
An ICMP echo request.

If a system is not responding to ping requests, what could be a possible reason?
A firewall may be blocking the ping requests.

What is the similarity between ping and tracert?
Both use ICMP for communication.

Which protocol does ping use – TCP or UDP?
Ping uses neither TCP nor UDP. It uses ICMP.

If a system does not respond to ping, does it imply the system is shut down?
No. It could be an issue with the TCP/IP stack, or a firewall may be configured to block ping packets.

A user on a PC pings a device which is on a different network through a router. The router has no route to that network. What would happen?
Once the router determines that the network is unreachable, it sends an ICMP packet back to the initiator informing it that the destination network is unreachable. ICMP Type 3 (Destination Unreachable) is used for this purpose.
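To make the ICMP answers above concrete, the added Python example below (not code from the page) builds the echo request that ping sends, verifies the RFC 1071 checksum, and decodes the Type 3 Destination Unreachable message a router returns when it has no route. The IP header bytes, identifier and payload are constructed sample values.

```python
import struct

# ICMP message types used by ping and by "destination unreachable" replies (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8

# Type 3 code values from RFC 792 plus the RFC 1812 "administratively prohibited" codes
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# Constructed 20-byte IPv4 header: 192.168.1.2 -> 10.0.0.5, protocol 1 (ICMP)
SAMPLE_IP_HEADER = bytes.fromhex("45000024abcd400040010000c0a801020a000005")


def icmp_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload=b"abcdefgh"):
    """ICMP part of a ping: type 8, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_dest_unreachable(code, original_datagram):
    """What a router sends back: type 3, code, 4 unused bytes, then the offending
    IP header plus the first 8 bytes of its payload."""
    quoted = original_datagram[:28]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, csum, 0) + quoted


def parse_icmp(packet):
    """Decode the common header and describe the message."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    msg_type, code, _csum = struct.unpack("!BBH", packet[:4])
    info = {
        "type": msg_type,
        "code": code,
        # a message with a correct checksum sums to zero when re-checked
        "checksum_ok": icmp_checksum(packet) == 0,
    }
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", packet[4:8])
        info["description"] = "echo request" if msg_type == ICMP_ECHO_REQUEST else "echo reply"
    elif msg_type == ICMP_DEST_UNREACHABLE:
        info["description"] = "destination unreachable: " + UNREACHABLE_CODES.get(code, f"code {code}")
        info["quoted"] = packet[8:]          # original header, useful when correlating
    else:
        info["description"] = f"type {msg_type}"
    return info


if __name__ == "__main__":
    request = build_echo_request(0x1234, 1)
    print(parse_icmp(request))
    reply = build_dest_unreachable(0, SAMPLE_IP_HEADER + request)
    print(parse_icmp(reply)["description"])
```

Checking `checksum_ok` on captured ICMP is a cheap sanity test when triaging "ping does not work" cases: a consistently bad checksum points at a broken stack or middlebox rather than at filtering.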

Is it possible to start Wireshark from the command line on Windows?
Yes. It can be started from the command line by running the Wireshark executable, wireshark.exe.

A user is unable to ping a system on the network. How can Wireshark be used to solve the problem?
Ping uses ICMP. Wireshark can be used to check whether ICMP echo requests are being sent out from the system. If they are, it can also be checked whether the corresponding replies are being received.

Which Wireshark filter can be used to check all incoming requests to an HTTP web server?
HTTP web servers use TCP port 80. Incoming requests to the web server would have the destination port number 80, so the filter is tcp.dstport==80.

Which Wireshark filter can be used to monitor outgoing packets from a specific system on the network?
Outgoing packets would carry the IP address of the system as their source address. So, assuming that the IP address of the system is 192.168.1.2, the filter would be ip.src==192.168.1.2.
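The two Wireshark filters above can be exercised offline with the following added Python example (not code from the page or from Wireshark): a small evaluator for the ==, !=, &&, || and ! subset of Wireshark's display filter syntax, run over constructed packet summaries that use Wireshark's field names. It goes slightly beyond the page by supporting combined filters.

```python
import re

# Constructed packet summaries standing in for captured frames; the keys use
# Wireshark's field names so the filters read the same as in the GUI.
PACKETS = [
    {"ip.src": "192.168.1.2", "ip.dst": "10.0.0.5", "ip.proto": 6, "tcp.srcport": 52344, "tcp.dstport": 80},
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.1.2", "ip.proto": 6, "tcp.srcport": 80, "tcp.dstport": 52344},
    {"ip.src": "192.168.1.7", "ip.dst": "10.0.0.5", "ip.proto": 6, "tcp.srcport": 40000, "tcp.dstport": 443},
    {"ip.src": "192.168.1.2", "ip.dst": "10.0.0.9", "ip.proto": 1, "icmp.type": 8},
]

# operators, then field names (ip.src), then numeric/dotted literals (80, 192.168.1.2)
_TOKEN = re.compile(r"\s*(==|!=|&&|\|\||!|\(|\)|[A-Za-z_][\w.]*|\d+(?:\.\d+)*)")


def tokenize(text):
    """Split a filter string into operators, field names and literal values."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse filter near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: || binds loosest, then &&, then ! and parentheses."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            self.take(")")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", field, op, value)


def parse_filter(text):
    parser = _Parser(tokenize(text))
    node = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input: {parser.peek()!r}")
    return node


def matches(node, packet):
    """Evaluate a parsed filter against one packet summary."""
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        if field not in packet:           # absent field never matches, as in Wireshark
            return False
        equal = str(packet[field]) == value
        return equal if op == "==" else not equal
    if kind == "and":
        return matches(node[1], packet) and matches(node[2], packet)
    if kind == "or":
        return matches(node[1], packet) or matches(node[2], packet)
    return not matches(node[1], packet)   # "not"


def apply_filter(text, packets=PACKETS):
    """Return the indices of the packets that satisfy the display filter."""
    node = parse_filter(text)
    return [i for i, pkt in enumerate(packets) if matches(node, pkt)]
```

Note the absent-field rule: `tcp.dstport==80` silently excludes the ICMP packet, which is exactly why a filter on a TCP field cannot be used to prove that "no traffic" reached a host.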

Which protocol does HTTPS use for encrypting data?
HTTPS uses SSL or TLS for encrypting data.

On which port does an HTTPS server listen?
TCP port 443

Name two instances where you have used HTTPS on the internet.
Online transactions (net banking), webmail login (Yahoo, Gmail).

Does HTTPS use TCP or SSL at the transport layer for data transfer?
HTTPS uses TCP at the transport layer. SSL is used for data encryption.

Can a web server support HTTP and HTTPS communication simultaneously?
Yes, this is possible because the two work on different port numbers.

How is the encryption key derived in HTTPS based communication?
The encryption key for every session is derived dynamically between the client and the server.

A user logs into an HTTPS based form on a website with a username and password. Would the username or password be encrypted during the session?
Both the username and the password would be encrypted in HTTPS based communication.

Would the authentication between a web client and a web server be successful if the client does not have a client certificate?
Authentication with a client certificate is optional. The client can successfully authenticate with the server using a username and password.

Can HTTPS communication be used on a LAN?
HTTPS works over TCP/IP, so it can be used on any system that uses TCP/IP, irrespective of whether it is on a LAN or a WAN.

Which feature on a firewall can be used for mitigating IP spoofing attacks?
Access control lists can be used for the purpose.

What type of firewall can be used to block a web security threat?
A web application firewall or a layer 7 firewall can be used for the purpose.

Which fields in a packet does a network layer firewall look into for making decisions?
The IP and transport layer headers, for information such as source and destination IP addresses and port numbers.

Which feature on a Cisco firewall can be used for protection against TCP SYN flood attacks?
Limits on the maximum number of connections and the maximum number of embryonic (half-open) connections, together with TCP sequence randomization. These can also be configured in the NAT configuration. If the settings are configured for the same traffic using both methods, the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, the security appliance disables it.

Which feature on a firewall can be used to block a specific URL or a website?
URL filtering.

Which is the main field in an IP header that is modified by a NAT firewall?
The source IP address in the IP header.

What type of firewall can be configured for providing user based authentication to users on the LAN network?
A proxy firewall.

Which protocol does WEP use for encrypting data?
WEP uses RC4 for encryption.

Name two protocols which are used by wireless clients in 802.1X authentication.
EAP-TLS and PEAP-MSCHAPv2.

Is 802.11 wireless communication full or half duplex?
802.11 uses half duplex communication.

At which layer does WPA encrypt data?
It encrypts data at the data link layer.

If three wireless stations communicate with an access point which supports 54 Mbps, what would be the theoretical bandwidth for each user?
802.11 is a shared medium; all users share the bandwidth. So it would be 54/3 Mbps, i.e. 18 Mbps per station.

Why is MAC filtering an insecure form of authentication in a wireless network?
A wireless network uses a shared medium, which makes it possible for any user on the wireless network to sniff for valid MAC addresses on the network.

Which protocol does PEAP use to derive session encryption keys?
It uses TLS.

At which layer of the OSI model does the WPA handshake work?
Layer 2

Name one free tool which you would use to craft a packet?
Scapy

How would you design a test plan for testing a feature on a router?
The design document of the feature has to be understood, and the test plan is created based on it.

Name two tools which you use to automate the process of remote test execution.
A combination of TCL and Expect, or Python and Pexpect, can be used for the purpose.

Name the typical fields which would be available in a test case document used for protocol testing.
Test ID, test description, steps to execute, expected result, actual result, status, remarks.

What is the difference between functionality and conformance testing?
Functionality testing refers to verifying the working of a feature on a product, for example the working of VLANs on a switch. This is dependent on the design of the specific feature. Conformance testing refers to testing a protocol for adherence to standards such as RFCs and IEEE specifications.

Name two commercial tools which can be used for performance testing.
IXIA, Spirent.

Name two applications which can be used for test case and defect management.
HP Quality Center and Bugzilla.

In the below topology, a router is set up for internet sharing. The TCP/IP adapter settings on the computers are presently configured with the respective IP addresses and subnet masks. The DNS server provided by the ISP is configured on the router. The LAN IP address of the router is 192.168.1.1. Identify the additional parameters that need to be configured on the TCP/IP adapter of the PCs from the options below.
A. Default gateway and DNS servers as 192.168.1.1
B. Default gateway as 192.168.1.1, DNS server not required.
C. Default gateway as the IP address of the switch, DNS server not required
D. Default gateway as the DNS server of the ISP.
Explanation
DNS servers are required for computers to access the internet. DNS servers are responsible for resolving names into IP addresses, which is mandatory for network communication. The computers that require access to the internet need to be configured with the respective DNS server IP address. The default gateway also needs to be configured, as internet bound packets are destined for different networks. In the above topology, the ISP provided DNS server IP address is configured on the router. This implies that the router knows whom to contact for name resolution.
The DNS server IP address for the respective computers is therefore configured as the router’s IP address. When a user on a computer types a website name, a DNS request packet is generated to identify the IP address corresponding to the website name. This packet is sent to the router, from where the DNS request is forwarded to the ISP provided DNS server. The gateway address for the computers needs to be configured with the LAN IP address of the router, 192.168.1.1.

Users on a network are unable to access the internet. Name three steps which you would use to troubleshoot the issue.
a. Check if the router is configured and set up with a public IP address and appropriate DNS servers.

b. Check the TCP/IP adapter settings of the users for the DNS server IP address.

c. Check if appropriate routing is enabled on the router.

On a network, users are unable to receive an IP address from the DHCP server on the network. Name the steps you would follow to troubleshoot the issue.
a. Check if the DHCP server is reachable by ping.

b. Check if the DHCP service is up and running on the system.

c. Check if the DHCP server and clients are on the same network.

You are a network support engineer who has been asked to set up internet sharing for users on the network. The types of traffic for which internet access is required are HTTP, FTP, Telnet, ICMP, etc. Which technology would you use (proxy server or NAT) and why?
Different types of protocols require access to the internet. A proxy server is specific to the type of application or protocol for which internet access is required, so it would not serve the purpose. A NAT router would be required instead.

What tool would you use to check if a remote port is open or closed?
nmap can be used for the purpose.

Which protocol would you use to remotely manage a router and why?
SSH, because it is secure.

Name one practical scenario where you would use the port forwarding feature on a router.
A situation where a PC on the LAN requires access from an outside network such as the internet. The PC can be configured for remote desktop connection, and the appropriate port forwarding configuration can be set up on the router.

Must the DNS server and default gateway be the same address?
They need not be. If they are the same, the actual DNS server address has to be configured on the gateway.

What resources are located on your DMZ? 
Only systems that are semi-public should be kept on the DMZ.
This includes external web servers, external mail servers, and external DNS. A split-architecture may be used where internal web, mail, and DNS are also located on the internal network.

What resources are located on your internal network?
In addition to internal web, mail, and DNS servers, your internal network could also include databases, application servers, and test and development servers.

What type of traffic are you denying at the firewall?
There should be a default deny rule on all firewalls to disallow anything that is not explicitly permitted. This is more secure than explicitly denying certain traffic because that can create holes and oversights on some potentially malicious traffic.
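The packet-filtering answer, the anti-spoofing ACL answer and the default-deny rule above are illustrated together by the added Python example below (not code from the page or from any firewall product). The interface names, the 192.168.1.0/24 inside network, the published web server address and the rule set are all assumed for the illustration; the point is first-match rule ordering, the anti-spoofing denies placed before any permit, and the implicit deny at the end.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")        # assumed LAN behind the firewall
WEB_SERVER = ip_network("192.168.1.10/32")       # assumed published web server


@dataclass
class Packet:
    iface: str      # interface the packet arrived on: "outside" or "inside"
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # 0 for protocols without ports


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    iface: str = None           # None means "any" for every match field
    proto: str = None
    src: object = None          # ip_network or None
    dst: object = None
    dport: int = None

    def matches(self, pkt):
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.src is None or ip_address(pkt.src) in self.src)
            and (self.dst is None or ip_address(pkt.dst) in self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Ordered rule base. The anti-spoofing denies come first, so a packet arriving
# from the Internet that claims an inside source address never reaches a permit.
RULES = [
    Rule("antispoof-inside-src", "deny", iface="outside", src=INSIDE_NET),
    Rule("antispoof-loopback", "deny", iface="outside", src=ip_network("127.0.0.0/8")),
    Rule("allow-https-to-web", "permit", iface="outside", proto="tcp", dst=WEB_SERVER, dport=443),
    Rule("allow-dns-out", "permit", iface="inside", proto="udp", src=INSIDE_NET, dport=53),
    Rule("allow-https-out", "permit", iface="inside", proto="tcp", src=INSIDE_NET, dport=443),
]


def filter_packet(pkt, rules=RULES):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


if __name__ == "__main__":
    # constructed sample traffic
    for pkt in [
        Packet("outside", "tcp", "192.168.1.50", "192.168.1.10", 443),   # spoofed inside source
        Packet("outside", "tcp", "203.0.113.7", "192.168.1.10", 443),    # legitimate web client
        Packet("outside", "tcp", "203.0.113.7", "192.168.1.10", 22),     # no rule: default deny
        Packet("inside", "udp", "192.168.1.20", "198.51.100.53", 53),    # DNS out
        Packet("inside", "tcp", "192.168.1.20", "198.51.100.5", 23),     # telnet out: default deny
    ]:
        print(pkt, "->", filter_packet(pkt))
```

Because the filter is stateless, the return traffic for permitted flows would need its own rules (or a stateful firewall); that is the limitation the stateful-failover and stateful-inspection answers elsewhere on this page address.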

What is the difference between proxy, firewall, IDS, and IPS?
A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity.

A firewall is meant for network traffic control/filtering, mainly at layer 3. It allows or denies packets and connections based on certain pre-defined rules.

IDS - An Intrusion Detection System is an application which tries to detect intrusion attempts based on the attack signature database it holds.

IPS - An Intrusion Prevention System detects the intrusion (like an IDS) and goes one step further to prevent it as well. It simply drops the packets it considers suspicious (based on rules).
Examples:
    1.    Proxy - Squid
    2.    Firewall - IPTables, Cisco PIX, ZoneAlarm
    3.    IDS - SNORT
    4.    IPS - IBM Proventia

Can an IDS be used to prevent intrusions?
Yes. For example SNORT, an open source IDS, can act as an IPS if configured in inline mode in conjunction with IPTables.

How does HTTP handle state?
Ans: HTTP is a stateless protocol.

A stateless protocol does not require the server to retain session information or status about each communication partner for the duration of multiple requests. HTTP is a stateless protocol, which means that the connection between the browser and the server is lost once the transaction ends.

HTTP is connectionless, and this is a direct result of HTTP being a stateless protocol. The server and client are aware of each other only during the current request; afterwards, both of them forget about each other. Due to this nature of the protocol, neither the client nor the server can retain information between different requests across web pages.

What is “SQL injection”?
Ans. SQL injection is one of the common attack techniques used by hackers to get at critical data.
Hackers check for any loophole in the system through which they can pass SQL queries that bypass the security checks and return the critical data. This is known as SQL injection. It can allow hackers to steal critical data or even crash a system.
SQL injections are very critical and need to be avoided. Periodic security testing can prevent these kinds of attacks. SQL database security needs to be defined correctly, and input boxes and special characters should be handled properly.
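The "special characters should be handled properly" point is easiest to see with the vulnerable pattern beside the fix. The following is an added Python example (not code from the page) using an in-memory SQLite table with constructed rows; the allow-list regex for usernames is an assumption for the illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")   # assumed allow-list for usernames


def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string formatting, so user input becomes SQL syntax.
    The input  ' OR '1'='1  turns the WHERE clause into a tautology and returns every row."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL text,
    so quotes and keywords in the input are only data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username):
    """Defence in depth: input that cannot be a username is rejected before any query."""
    return bool(USERNAME_RE.match(username))


def lookup_validated(conn, username):
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"            # constructed tautology input
    print("vulnerable:", lookup_vulnerable(db, probe))   # both rows leak
    print("parameterised:", lookup_safe(db, probe))      # no such user
```

The parameterised form is the primary control; the allow-list is a second layer that also keeps garbage out of logs and error messages.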

List the attributes of Security Testing?

Ans. There are following seven attributes of Security Testing:
    1.    Authentication
    2.    Authorization
    3.    Confidentiality
    4.    Availability
    5.    Integrity
    6.    Non-repudiation
    7.    Resilience

What is XSS or Cross Site Scripting?
Ans. XSS or cross site scripting is a type of vulnerability that hackers use to attack web applications.
It allows hackers to inject HTML or JavaScript code into a web page, which can steal confidential information from the cookies and return it to the hackers. It is one of the most critical and common techniques, and needs to be prevented.

What is an SSL connection and an SSL session?
Ans. An SSL (Secure Sockets Layer) connection is a transient peer-to-peer communications link, where each connection is associated with one SSL session.
An SSL session can be defined as an association between client and server, generally created by the handshake protocol. A set of security parameters is defined for the session, and it may be shared by multiple SSL connections.

What is “Penetration Testing”?
Ans. Penetration testing is a form of security testing which helps in identifying vulnerabilities in a system. A penetration test is an attempt to evaluate the security of a system by manual or automated techniques; if any vulnerability is found, testers use that vulnerability to get deeper access to the system and find more vulnerabilities. The main purpose of this testing is to protect a system from possible attacks.
Penetration testing can be done in two ways: white box testing and black box testing.
In white box testing all the information is available to the testers, whereas in black box testing the testers don’t have any information and they test the system in a real-world scenario to find the vulnerabilities.

Why is “Penetration Testing” important?

Ans. Penetration testing is important because:
    1.    Security breaches and loopholes in systems can be very costly, as the threat of attack is always present and hackers can steal important data or even crash the system.
    2.    It is impossible to protect all the information all the time. Hackers always come up with new techniques to steal important data, so it is necessary for testers to perform the testing periodically to detect possible attacks.
    3.    Penetration testing identifies and protects a system against the above mentioned attacks and helps organizations keep their data safe.

Name the two common techniques used to protect a password file?

Ans. Two common techniques to protect a password file are- hashed passwords and a salt value or password file access control.
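Both techniques named in the answer, as an added Python example (not code from the page): PBKDF2 with a per-password random salt and constant-time verification for the hashed-password side, and a password file created with owner-only permissions for the access-control side. The record format and the iteration count are assumed values chosen for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumed PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt means two users with the same password get different records,
    which defeats precomputed (rainbow) tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                      # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def write_password_file(path, records):
    """Access control: the file is created readable and writable by its owner only,
    so even the hashes are not exposed to other local users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for username, record in records.items():
            f.write(f"{username}:{record}\n")


if __name__ == "__main__":
    import tempfile
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password:", verify_password("wrong", record))
    path = os.path.join(tempfile.mkdtemp(), "passwd")
    write_password_file(path, {"alice": record})
    print(path, oct(os.stat(path).st_mode & 0o777))
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing entries: old records still verify, and can be re-hashed on the next successful login.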

List some factors that can cause vulnerabilities.

Ans. Factors causing vulnerabilities are:
    1.    Design flaws – Loopholes in the system’s design can allow hackers to attack the system easily.
    2.    Passwords – If passwords are known to hackers they can get the information very easily. A password policy should be followed rigorously to minimize the risk of password theft.
    3.    Complexity – Complex software can open the door to vulnerabilities.
    4.    Human error – Human error is a significant source of security vulnerabilities.
    5.    Management – Poor management of data can lead to vulnerabilities in the system.

List the various methodologies in security testing.
Ans. Methodologies in security testing are:
    1.    White box - All the information is provided to the testers.
    2.    Black box - No information is provided to the testers, and they test the system in a real-world scenario.
    3.    Grey box - Partial information is provided to the testers; the rest they have to find out on their own.

What is a Cookie?

Ans. A cookie is a piece of information received from a web server and stored in the web browser, which can be read at any time later. A cookie can contain password information or some auto-fill information, and if a hacker gets these details it can be dangerous.

What are the types of Cookies?

Ans. Types of cookies are:
    •    Session cookies – These cookies are temporary and last only for that browser session.
    •    Persistent cookies – These cookies are stored on the hard disk drive and last until they expire or are manually removed.
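An added Python example (not code from the page) that parses a Set-Cookie header, classifies the cookie as session or persistent by the Max-Age/Expires attributes described above, and flags the missing Secure, HttpOnly and SameSite attributes a reviewer would raise. The header values are constructed samples.

```python
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # flags such as Secure and HttpOnly carry no value; store True for them
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify_cookie(header):
    """Return the cookie kind (session/persistent/expired) plus review findings."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        # Max-Age takes precedence over Expires (RFC 6265); zero or negative deletes
        kind = "persistent" if int(attrs["max-age"]) > 0 else "expired"
    elif "expires" in attrs:
        cookie["expires"] = parsedate_to_datetime(attrs["expires"])
        kind = "persistent"
    else:
        kind = "session"                  # discarded when the browser session ends
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script (XSS)")
    if "samesite" not in attrs:
        findings.append("no SameSite attribute: sent on cross-site requests")
    cookie.update(kind=kind, findings=findings)
    return cookie


if __name__ == "__main__":
    # constructed sample headers
    for hdr in [
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "remember=xyz; Max-Age=2592000; Path=/",
        "pref=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
    ]:
        c = classify_cookie(hdr)
        print(c["name"], c["kind"], c["findings"])
```

A persistent cookie that carries a session token and lacks HttpOnly is the case the XSS answer above warns about: it survives on disk and is readable by injected script.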

What is a honeypot?
Ans. A honeypot is a fake computer system which behaves like a real system and attracts hackers to attack it. A honeypot is used to find out loopholes in the system and to provide solutions for these kinds of attacks.

List the parameters that define an SSL session state?
Ans. The parameters that define an SSL session state are:
    1.    Session identifier
    2.    Peer certificate
    3.    Compression method
    4.    Cipher spec
    5.    Master secret
    6.    Is resumable

Describe a Network Intrusion Detection System.

Ans. A Network Intrusion Detection System is generally known as a NIDS. It analyses the traffic passing on an entire subnet and matches it against known attacks. If any such activity is identified, the administrator receives an alert.

What do you see as the most critical and current threats affecting Internet accessible websites?

Topics such as Denial of Service, Brute Force, Buffer Overflows, and Input Validation are all relevant topics.

What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?
Goal of question: determine whether the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or widely used applications (awstats scripts) are acceptable.

What do you see as challenges to successfully deploying/monitoring web intrusion detection?
    •    Limitations of NIDS for web monitoring (SSL, semantic issues with understanding HTTP)
    •    Proper logging: increasing the verbosity of logging (Mod_Security audit_log)
    •    Remote centralized logging
    •    Alerting mechanisms
    •    Updating signatures/policies

What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?
Cross-Site Scripting (acronym XSS): an attack technique that forces a web site to echo client-supplied data, which executes in a user’s web browser. When a user is cross-site scripted, the attacker will have access to all web browser content (cookies, history, application version, etc.). XSS attacks do not typically directly target the web server or application, but are rather aimed at the client. The web server is merely used as a conduit for the XSS data to be presented to the end client. See also "Client-Side Scripting".
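Both this definition and the earlier XSS answer describe a site echoing client-supplied data. The added Python example below (not code from the page) shows the unescaped rendering beside the escaped one using Python's standard html.escape, for both text context and attribute context, which need different handling. The payload strings are constructed samples of the kind used in security QA testing.

```python
import html

# Constructed test inputs, the kind a security QA pass would submit to a form.
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = 'x" onmouseover="alert(1)'


def render_vulnerable(name):
    """Echoes client-supplied data straight into the page: the XSS pattern."""
    return f"<p>Hello {name}</p>"


def render_safe(name):
    """Text context: < > & (and quotes) become entities, so no tag can be formed."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_attr_vulnerable(value):
    """The attribute is quoted, but a quote in the input closes it early and
    lets the rest of the input become a new attribute (an event handler here)."""
    return f'<input type="text" value="{value}">'


def render_attr_safe(value):
    """Attribute context: quote the attribute in the template AND escape quotes in
    the value (quote=True), so the input can never break out of the attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def count_attributes(rendered):
    """Crude review aid: number of name="..." attribute pairs in a rendered tag.
    A count higher than the template's means input became markup."""
    return rendered.count('="')


if __name__ == "__main__":
    print(render_vulnerable(TEXT_PAYLOAD))
    print(render_safe(TEXT_PAYLOAD))
    print(render_attr_vulnerable(ATTR_PAYLOAD), count_attributes(render_attr_vulnerable(ATTR_PAYLOAD)))
    print(render_attr_safe(ATTR_PAYLOAD), count_attributes(render_attr_safe(ATTR_PAYLOAD)))
```

Output encoding has to match the context the data lands in; HTML escaping is not sufficient for data placed inside a script block, a URL, or CSS, which is why template engines offer context-aware escaping.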

What are the most important steps you would recommend for securing a new web server? Web application?
Web server security:
    •    Update/patch the web server software
    •    Minimize the server functionality: disable extra modules
    •    Delete default data/scripts
    •    Increase logging verbosity
    •    Update permissions/ownership of files
Web application security:
    •    Make sure input validation is enforced within the code (security QA testing)
    •    Configure it to display generic error messages
    •    Implement a software security policy
    •    Remove or protect hidden files and directories

Does using a VPN make all of my network traffic secure?
No. The VPN only adds security to traffic that goes over the tunnel. If using the wireless profile, it encrypts the traffic from your computer to the VPN concentrator located on the UMnet Backbone. If you use the Cisco VPN Client from off-campus, only the traffic from your computer to U-M resources located on the UMnet Backbone is encrypted. All traffic to non U-M sites is sent in the clear. To ensure that all of your network traffic is secure (including your password) once it hits the Internet, you should always use encrypted protocols such as SSH, SFTP, SCP, and SSL.

Is VPN a long term solution or a short-term solution?
VPNs are long-term solutions. VPNs may become ubiquitous and transparent to the user, but they will not go away, because the problem VPNs address, privacy over the public network, will remain. VPNs will exist from the desktop to the server, at the IP packet level as well as the application data level.

In which IPSEC Phase is the keys used for data encryption derived?
The keys are derived in IPSEC phase 2. The derived keys are used by IPSEC protocol ESP for encrypting the data.

How do the IPsec protocols ESP and AH provide replay protection?
ESP and AH both carry a monotonically increasing sequence number field in their headers. The receiver keeps, per Security Association, the highest sequence number accepted so far plus a sliding window (at least 32 packets, commonly 64) of recently received numbers. A packet whose sequence number has already been received, or that falls below the window, is rejected, which defeats replay. The check is applied only after the packet's integrity check has passed, so an attacker cannot advance the window with forged packets.
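
The sliding-window check described above, as an added example that is not part of the original notes: it follows the scheme in RFC 4303 Appendix A (a bitmap of recently seen sequence numbers anchored at the highest accepted one). The window size and the sequence numbers fed through it are constructed for illustration; a real implementation would also handle the 64-bit extended sequence numbers that ESP supports.

```python
class AntiReplayWindow:
    """Per-SA receive-side anti-replay state for ESP or AH (RFC 4303 Appendix A style)."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0       # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0        # bit i set => sequence number (highest - i) already seen

    def check(self, seq):
        """Return True if seq is fresh and inside the window; False if it must be dropped.

        Run only after the packet's integrity check (ICV) succeeded: RFC 4303 updates
        the window post-authentication so that a forged sequence number cannot
        advance it and shut out legitimate packets.
        """
        if seq == 0:
            return False                     # sequence number 0 is never used on an SA
        if seq > self.highest:
            # Right of the window: slide it forward so 'seq' becomes bit 0.
            shift = seq - self.highest
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.window_size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False                     # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                     # inside the window but already received: replay
        self.bitmap |= 1 << offset
        return True


def simulate(sequence_numbers, window_size=8):
    """Feed a list of received sequence numbers through one SA; return accept/drop per packet."""
    win = AntiReplayWindow(window_size)
    return [win.check(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a replay, an out-of-order packet inside
    # the window, a large jump, a packet that fell behind the window, and seq 0.
    sample = [1, 2, 5, 2, 3, 100, 90, 93, 93, 0]
    for seq, ok in zip(sample, simulate(sample)):
        print(f"seq={seq:<4} {'accept' if ok else 'DROP'}")
```

Out-of-order delivery inside the window (5 then 3) is accepted, because IP does not guarantee ordering; only a duplicate or a packet that has fallen behind the window is dropped.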

In IPSEC, If ESP provides both encryption and authentication, why is AH required?
ESP does not provide authentication to the outer IP header, which AH does.

Explain two methods by which two IPSEC routers can authenticate with each other?

IPSEC routers can be authenticated using pre-shared keys or using digital certificates.

Which UDP ports should be open on a firewall to allow traffic from L2TP/IPsec based VPN clients to an L2TP/IPsec VPN server on the inside?
UDP port 500 for IKE, UDP port 1701 for the L2TP session between client and server, and UDP port 4500 for NAT-T (IKE and UDP-encapsulated ESP when a NAT sits in the path). Two caveats a firewall administrator should know: clients that are not behind a NAT send plain ESP, which is IP protocol 50, not a UDP port; and because L2TP rides inside the IPsec tunnel, the firewall only sees port 1701 in the clear if unprotected L2TP is also allowed.

Which IP protocol does AH and ESP headers use in IPSEC?
ESP and AH uses IP protocol 50 and 51 respectively.

Which type of VPN would you use if data has to be encrypted at the network layer?
An IPsec VPN encrypts data at the network layer (protecting every IP packet regardless of application), whereas an SSL/TLS VPN encrypts data above the transport layer, per application session.

What security vulnerabilities are addressed by VPN?
VPNs directly protect the privacy of a communication and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you discuss electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the information you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough information to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have and they may understand the risk of losing or compromising what they have, few understand both at the same time.

Are VPNs used for specific kinds of applications or environments? If so, what are some examples of where and why VPNs would be deployed?
VPNs should be used for all information exchange. I don't want to have to "go encrypted" when something secret is about to be sent. I want everything to be encrypted. It should be as commonplace as people sending postal mail in sealed envelopes. It will also ensure that the VPN mechanism is working.

What kind of policies and procedures need to be developed for VPN?
If we are imagining an IPSEC world, where eventually the majority of gateways we might connect to support IPSEC, things become both easy and interesting. If we have a mechanism that can invite encryption use, respond to such invitations, but also talk without encryption if required, we need to think about things such as:

Can you list some items for a VPN checklist from deciding whether to use, then selecting, then deploying, then maintaining VPN?
Well, IPSEC — real IPSEC as it exists today — is still morphing, but not so much that one shouldn't require it as a basis for a VPN. So we might have:
IPSEC compliant (including ISAKMP/Oakley)
Interoperability with other IPSEC compliant vendors
Strong encryption, long key length
If the VPN solution is not part of the firewall, which is fine, will it work with the firewall?
Does the VPN product work both with and without trust? (Remember, it requires working closely with the firewall.)
For an "add on" VPN, does it work in conjunction with the firewall, or does it simply circumvent the firewall? (I'm not suggesting one way is good and the other bad, but it may be something the security manager cares about, and the answer should be known.)
Does the VPN support automatic creation of user-level VPNs (for mobile users)? In a very large organization, the system manager probably would rather not have to manually create VPN accounts for every user.
Has the VPN been certified by a recognized organization? (The ICSA has a certification and testing process for VPNs. Others probably exist as well.)

When and why should I use VPN?
Use VPN when you need to connect to campus resources that would otherwise be unavailable on distant networks such as file servers and print services. VPN provides an added layer of security for some services (FTP, Webmail, etc). This is useful when you're working with a possibly untrustworthy network for example, in hotels or airports. VPN transports any network service without special settings. File sharing, printing, remote desktop, SSH, FTP, telnet, and Web-based services have all been tested with VPN.

Does VPN offer virus protection?
Not at present. While VPN provides considerable security against network eavesdropping, it does not offer security against other Internet threats. For information about protecting your computer from viruses and other attacks, see the CIT Security page.

Can you explain different components in PKI?
certificate authority (CA), optionally with subordinate/registration authorities
public and private key pairs
certificate enrollment (on Cisco devices usually SCEP, or manual cut-and-paste of the request)
digital certificates (X.509)
revocation checking (CRL or OCSP)

Can you explain static and dynamic tunnels?

Static Tunnel:
Manually created tunnels are called static tunnels. Creating static tunnels is the only choice when global discovery of hosts and tunnel partners is disabled; an auto-discovered (express) tunnel can also be converted into a manually created one. Static tunnels take priority over dynamic tunnels.

Dynamic Tunnel:
Tunnels that are auto-discovered are known as dynamic tunnels. They are created quickly and automatically, and are rebuilt after the PacketShaper is reset. When automatic tunnel creation is prevented, dynamic tunnels are not set up and only static tunnels remain.

On which layer does L2F, PPTP and L2TP operate?
Layer 2. All three carry PPP frames: PPTP over GRE (IP protocol 47) with a TCP 1723 control channel; L2F and L2TP over UDP port 1701. None of them encrypts by itself, which is why L2TP is normally paired with IPsec.

Can you explain PPTP (Point-to-Point Tunneling Protocol)?
Point-to-Point Tunneling Protocol (PPTP) is a protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet. Effectively, a corporation uses a wide-area network as a single large local area network. A company no longer needs to lease its own lines for wide-area communication but can use the public networks. This kind of interconnection is known as a virtual private network (VPN). Note that PPTP's authentication (MS-CHAPv2) and its MPPE encryption are considered broken; it should not be deployed today, and L2TP/IPsec, pure IPsec or a TLS-based VPN should be used instead.

What is an IP Helper address feature and why is it required in a DHCP environment?
DHCP DISCOVER and REQUEST messages are broadcasts, and routers do not forward broadcasts. If the DHCP client and server are not in the same subnet, the ip helper-address configured on the client-facing router interface makes the router act as a DHCP relay: it rewrites the broadcast as a unicast to the server's address (filling in the giaddr field so the server knows which subnet to allocate from) and relays the reply back to the client.

How many mac addresses does a switch have?
Two different things are being asked. The switch itself owns a base MAC address plus a MAC per physical interface, SVI and per-VLAN STP instance (drawn from a pool, visible with show version/show interfaces). The number of MAC addresses it knows about depends on what it has learned on its ports, limited by the size of its MAC address table (which is exactly what a MAC-flooding attack tries to exhaust; port security limits learning per port).

which packet contains MTU parameter in case of OSPF?
DBD packet

Ospf hello packets are multicast or unicast or broadcast?
On broadcast and point-to-point networks OSPF hellos are multicast to 224.0.0.5 (AllSPFRouters); DROTHERs send updates to the DR/BDR at 224.0.0.6. On NBMA and point-to-multipoint non-broadcast networks hellos are unicast to statically configured neighbors.

Identify at least one network problem caused by Spanning-Tree Protocol
Wasted bandwidth: redundant links are blocked and carry no traffic. Also slow convergence (classic 802.1D takes 30-50 seconds after a topology change) and, if an attacker or a misconfigured device injects BPDUs, an unplanned root bridge change.

What is the purpose of the TTL field in the IP header? How does the TTL process work?
Time-to-live (TTL) is a value in an Internet Protocol (IP) packet that tells a network router whether or not the packet has been in the network too long and should be discarded. The sending system sets the initial value (commonly 64, 128 or 255); every router that forwards the packet decrements it by one, and a router that decrements it to zero discards the packet and sends an ICMP Time Exceeded message back to the source, which is how traceroute works. In IPv6 the field has been renamed the hop limit.

Why hello of ospf cannot travel more than one hop?
Because hellos are sent to the link-local multicast address 224.0.0.5 with a TTL of 1; routers never forward link-local multicast, so a hello only reaches directly connected neighbors.

Why we need root bridge.
Root bridge act as a reference point in topology to forward the packets.

If we configure access between two switches. Will it work ?
Yes, you can connect two switches with access ports, and you just need to say "switchport mode access" and "switchport access vlan ID" on the ports that you would connect between the switches.

If one side of a switch has vlan 10 and the other side is configured with vlan 20. Then how things will work?
Hosts in VLAN 10 and VLAN 20 are in different broadcast domains and cannot talk directly. We need inter-VLAN routing, either a router-on-a-stick (one trunk to a router with a subinterface per VLAN) or SVIs on a layer 3 switch.

What is advantage of having double tag
Double tagging (802.1Q-in-Q) lets a provider carry each customer's VLANs inside its own outer tag, segregating customers from each other while preserving their VLAN numbering. The same mechanism is abused in the VLAN-hopping attack: an attacker on the native VLAN of a trunk sends a frame with two tags, the switch strips the outer (native) tag and forwards the inner one into another VLAN. Mitigation is to use an unused VLAN as the trunk native VLAN and tag it (vlan dot1q tag native).

Why MTU should be same in OSPF.
Otherwise neighbor relationship will stuck at exstart state.

Why show ip ospf neighbour shows 2way/DROTHER?
On a broadcast segment only the DR and BDR form FULL adjacencies with every router; the remaining routers (DROTHERs) stay in 2-WAY state with each other, since they exchange their LSDBs through the DR rather than with one another.

Is OSPF distance vector as well?
Within an area OSPF is pure link state, but inter-area routing behaves like distance vector: an ABR advertises only summary LSAs (prefix plus cost) into the next area, so routers there know the distance and the next ABR, not the topology. That is why all areas must attach to area 0, which prevents inter-area loops.

What is the need for master/slave in ospf?
The master controls the synchronization process and ensures that only one DD packet is outstanding at a time.

Does OSPF form adjacencies with neighbors that are not on the same subnet?
The only time that OSPF forms adjacencies between neighbors that are not on the same subnet is when the neighbors are connected through point-to-point links. This may be desired when using the ip unnumbered command, but in all other cases, the neighbors must be on the same subnet.

Why does the show ip ospf neighbor Command Reveal Neighbors Stuck in Two-Way State?
Between DROTHERs on a broadcast network 2-WAY is the normal, final state, not a problem. It is only a fault when no DR/BDR has been elected at all, typically because every router on the segment has priority 0, so nobody can progress to FULL.

Which device does reassembly and why?
The destination host always does reassembly. Routers do not, because fragments of one datagram may take different paths and need not all pass through the same router, and because buffering partial datagrams on every hop would cost memory and delay. (Firewalls and IPS devices that inspect traffic often do virtual reassembly for the same reason an attacker likes fragments: a signature split across fragments is otherwise invisible.)

Can we have multiple area 0's in a network.
No. There is exactly one backbone area 0 and it must be contiguous; a discontiguous backbone has to be stitched together with virtual links. Requiring every other area to connect to area 0 is what keeps inter-area routing loop free.

Does ospf provide fragmentation?
Ospf does not provide any explicit fragmentation/reassembly support. When fragmentation is necessary, IP fragmentation/reassembly is used.

Why area 0 is required in case of Ospf?
The backbone "Area 0" is the central transit area to which all other areas connect; it distributes routing information between areas. Internally it has the same properties as any other area, and backbone routers use the same procedures and algorithms as internal routers.

Can we run multiple OSPF process in single router and what is the advantage of using it?
We can run multiple processes, but an interface belongs to only one process. Each process keeps its own LSDB, so the advantage is separating routing domains (for example, a customer network from a provider network, or a lab from production) and controlling what is exchanged between them through redistribution.

In a single switch if port 1 is connected to vlan 10 with pc ip 10.1.1.2 and port 2 is connected with vlan 20 with pc ip 10.1.1.3. Will ping work?
No, ping will not work, since both ports are in different VLANs. The ARP broadcast from the VLAN 10 host on port 1 is not flooded to port 2 in VLAN 20.

Same scenario if we have two switches and link between the switches are configured as access ports. Will ping happen?
Yes, ping will work here. Access ports send untagged frames, so the frame leaving switch 1's VLAN 10 port is simply accepted into whatever VLAN switch 2's access port belongs to (VLAN 20); raw traffic flows, even though the VLAN numbers do not match.

In same scenario, if links between switches is configured as trunk . Will ping happen?
No, ping will not happen. Since trunk link is tagged with the vlans. Packet from Vlan a0 will not broadcast to vlan 20.

R1 (MTU 1500)----------------------------------(MTU 1000) R2
How will R1 know it has to do fragmentation?
A router fragments only when a packet is larger than the MTU of its own outgoing interface; IP itself has no MTU negotiation between neighbors. With R1's interface at 1500 and R2's at 1000, R1 will send 1500-byte packets and R2 will drop them (an OSPF adjacency across this link would also be stuck in EXSTART, because the DBD packets carry the interface MTU). The fix is to configure the same MTU on both ends, or lower ip mtu on R1 so that R1 is the one that sees the smaller value and fragments.

PC1 -----R1---------R2-------PC2
A static route is configured on R1 to reach PC2. Will ping happen?
Ping will not be successful. The echo request reaches PC2, but R2 has no route back to PC1's network, so when PC2 sends the echo reply to its default gateway R2, R2 drops it. Routing must work in both directions: R2 also needs a route (static or learned) to PC1's network.

R1 (1500)--------------------(1000) R2 (1500)---------------(1000) R3
How will the packet flow here?
Assuming the links are actually configured at 1000 bytes end to end: R1 fragments a 1500-byte datagram (1480 bytes of data) into two fragments, one of 996 bytes (976 data bytes, a multiple of 8) and one of 524 bytes, all carrying the same Identification value. R2 forwards the fragments as they are, never reassembling, and reassembly happens only at the final destination, R3 in this diagram if R3 is the destination host.

How to prevent an IP datagram from being fragmented?
A IP datagram can be prevented from fragmentation, by setting the "don't fragment" flag in the IP header.

What happens when a datagram must be fragmented to traverse a network, but the "don't fragment" flag in the datagram is set?
The datagram is discarded, and the router sends an ICMP Destination Unreachable, code 4 ("fragmentation needed and DF set"), back to the sender, including the next-hop MTU. Path MTU discovery depends on this message, which is why blindly filtering all ICMP at a firewall causes black-holed connections.

Will all the fragments of a datagram reach the destination using the same path?
The different fragments of the same IP datagram can travel in either in the same path or in different paths to the destination.

Will all the fragments of a datagram arrive at the destination system in the correct order?
The different fragments of a single IP datagram can arrive in any order to the destination system.

What happens to the original IP datagram when one or more fragments are lost?
When one or more fragments of an IP datagram are lost, the destination discards the partially reassembled datagram after a timeout period (and may send ICMP Time Exceeded, code 1, "fragment reassembly time exceeded"). IP does not retransmit; recovery is left to the upper layer.

How is an IP datagram fragment differentiated from a non-fragmented IP datagram?
A complete IP datagram is differentiated from an IP fragment using the offset field and the "more fragments" flags. For a non-fragmented IP datagram, the fragment offset will be zero and the "more fragments" flag will be set to zero.

How are the fragments of a single IP datagram identified?
The "identification" field in the IP header is used to identify the fragments of a single IP datagram. The value of this field is set by the originating system. It is unique for that source-destination pair and protocol for the duration in which the datagram will be active.

How is the last fragment of an IP datagram identified?
The last fragment of an IP datagram is identified using the "more fragments" flag. The "more fragment" flag is set to zero for the last fragment.

What Will Happen If An Arp Reply Is Not Received For An Arp Request?
If an ARP reply is not received, then that IP address cannot be resolved to an Ethernet address. Without a Ethernet address, the packets cannot be transmitted

How To Differentiate Between A ARP Request Packet And A ARP Reply Packet, As The Ethernet Type Field Is Same On Both The Packets?
An ARP request packet is differentiated from an ARP reply packet using the 'operation' field in the ARP packet: for an ARP request it is 1 and for an ARP reply it is 2. The Ethernet Type field (0x0806) only says that the payload is ARP.

What part of a TLS/SSL request is encrypted?
In TLS 1.2 the handshake (ClientHello, ServerHello, certificate, key exchange) is sent in the clear; the ChangeCipherSpec message itself is unencrypted and signals that everything after it, starting with the Finished message, is protected. Application data is then encrypted. In TLS 1.3 everything after the ServerHello is encrypted, including the server certificate.

Does the route reflector change the next hop attribute of a reflected prefix? 
By default, the next hop attribute is not changed when a prefix is reflected by route reflector. However, you can issue the neighbor next−hop−self command in order to change the attribute of the next hop for prefixes reflected from an eBGP peer to any route reflector client. 

What if there are 2 DHCP servers?
By design, a DHCP client broadcasts a DISCOVER looking for any DHCP server. Every server that hears it may reply with an OFFER, and the client normally takes the first offer it receives, so with two servers in the same LAN/VLAN you cannot predict which one serves a client. If you want DHCP server redundancy, give each server a non-overlapping scope for the same subnet (or use a failover protocol if the servers support it). A rogue second DHCP server is also a classic attack (it hands out a malicious default gateway or DNS server), which is what DHCP snooping on the switch is for: only trusted ports may carry OFFER/ACK messages.
In a Windows client, you can see which server leased your address with the command below:
ipconfig /all

HTTP response codes
All HTTP response status codes are separated into five classes (or categories). The first digit of the status code defines the class of response. The last two digits do not have any class or categorization role. There are five values for the first digit:
1xx (Informational): The request was received, continuing process
2xx (Successful): The request was successfully received, understood, and accepted
3xx (Redirection): Further action needs to be taken in order to complete the request
4xx (Client Error): The request contains bad syntax or cannot be fulfilled
5xx (Server Error): The server failed to fulfill an apparently valid request

In OSPF, Give one example of neighbour ship & give one example of adjacency ?
Neighbors are routers who have exchanged Hello packets, but not LSA information and donʼt have same LSDB. Example : Two DROther routers. Adjacent routers are routers who have exchanged Hello packet, LSA information and have same LSDB. Example: DR & BDR

In OSPF states, 2-way state is normal or, a problem ?
Ans.
2-way state is normal. It occurs on the BROADCAST and NBMA network types: all the DROTHER routers stay in 2-way state with each other, while each DROTHER maintains FULL state with the DR and the BDR.

Two PCs are connected to a switch. The IP address of PC1 is 192.168.1.33/27 and the IP address of PC2 is 192.168.1.65/27. Can PC1 ping PC2.
It can be observed that PC1 belongs to the network address 192.168.1.32/27 and PC2 belongs to the network 192.168.1.64/27. As both reside on different networks, a router would be required for communication between PC1 and PC2. So in the current topology, PC1 would not be able to ping PC2.

Two browser windows are opened on a PC and the webpage www.tcpipguru.com is accessed simultaneously. What would be the sequence number of the TCP connection for the TCP SYN segment for the first browser window.
It cannot be predicted. Each connection gets its own initial sequence number (ISN), chosen by the operating system's TCP/IP stack; modern stacks derive it from a clock plus a secret-keyed hash of the connection 4-tuple (RFC 6528) precisely so that it is unpredictable to an attacker who wants to spoof or hijack the session.

In a company network the following types of traffic is initiated from the clients namely FTP, HTTP (browsing), Telnet, ping, Custom applications. All these traffic require internet access. What would be the best technique the network administrator can use for achieving the same
Explanation: The organization can use NAT, specifically port address translation (PAT, configured with the overload keyword on a Cisco router), so that many private addresses share one public address. Note that ICMP (ping) has no ports; PAT tracks it by the ICMP identifier instead.

Which field in a DHCP message exchange for a client would keep track of the message flow to avoid getting mismatched with a different DHCP packet from a different client .
a) Sequence number in DHCP packets
b) Transaction ID in DHCP packets
c) Unicast packets
d) Acknowledgment at the transport layer
Answer: b) DHCP messages carry a 32-bit transaction ID (xid) chosen by the client and echoed by the server in its replies. The client uses it to match OFFER/ACK messages to its own DISCOVER/REQUEST and to ignore replies meant for other clients.

If the firewall is stateful and a user on the LAN network accesses a website on the internet, which fields would be used for tracking the packet? HTTP uses TCP.
A stateful firewall keys its connection table on the 5-tuple (source and destination IP address, source and destination port, protocol) and, for TCP, additionally tracks the flags (to follow the handshake), and the sequence and acknowledgment numbers, so that only segments that belong to a connection initiated from the inside, and that fall within the expected window, are allowed back in.
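
A minimal version of that tracker, as an added example that is not part of the original notes: inbound segments are allowed only when they match, in reverse, a connection opened from the inside and carry the sequence and acknowledgment numbers the firewall expects. The packets in the trace, the inside network 192.168.1.0/24 and the strict in-order check (real firewalls accept anything within a window) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")   # assumed protected network


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA" ...
    seq: int
    ack: int
    payload_len: int = 0


class StatefulFirewall:
    """Allows TCP only for connections initiated from INSIDE and tracks seq/ack."""

    def __init__(self):
        # key: (client ip, client port, server ip, server port) -> connection state
        self.table = {}

    def process(self, s):
        """Return 'ALLOW' or 'DROP' for one segment and update the state table."""
        if ip_address(s.src) in INSIDE:
            return self._outbound(s)
        return self._inbound(s)

    def _outbound(self, s):
        key = (s.src, s.sport, s.dst, s.dport)
        conn = self.table.get(key)
        if s.flags == "S":
            if conn is None:
                # New connection from inside: remember the client's ISN.
                self.table[key] = {"state": "SYN_SENT", "c_next": s.seq + 1, "s_next": None}
            return "ALLOW"               # new SYN, or a retransmitted one
        if conn is None or conn["state"] != "ESTABLISHED":
            return "DROP"                # data before the handshake completed
        if s.seq != conn["c_next"] or s.ack != conn["s_next"]:
            return "DROP"                # not the next in-order segment (simplified window)
        conn["c_next"] += s.payload_len
        return "ALLOW"

    def _inbound(self, s):
        key = (s.dst, s.dport, s.src, s.sport)   # reverse of the outbound key
        conn = self.table.get(key)
        if conn is None:
            return "DROP"                # unsolicited: nobody inside asked for this
        if s.flags == "SA" and conn["state"] == "SYN_SENT":
            if s.ack != conn["c_next"]:
                return "DROP"            # SYN-ACK does not acknowledge our ISN
            conn["state"] = "ESTABLISHED"
            conn["s_next"] = s.seq + 1
            return "ALLOW"
        if conn["state"] != "ESTABLISHED":
            return "DROP"
        if s.seq != conn["s_next"] or s.ack != conn["c_next"]:
            return "DROP"                # replayed, stale or spoofed segment
        conn["s_next"] += s.payload_len
        return "ALLOW"


def demo_trace():
    """Constructed trace: a browser inside fetches a page, then three hostile segments."""
    fw = StatefulFirewall()
    c, srv = "192.168.1.10", "203.0.113.5"
    trace = [
        Segment(c, 50000, srv, 80, "S", 1000, 0),                  # 1 client SYN
        Segment(srv, 80, c, 50000, "SA", 5000, 1001),              # 2 server SYN-ACK
        Segment(c, 50000, srv, 80, "A", 1001, 5001),               # 3 handshake done
        Segment(c, 50000, srv, 80, "PA", 1001, 5001, 100),         # 4 HTTP request
        Segment(srv, 80, c, 50000, "PA", 5001, 1101, 300),         # 5 HTTP response
        Segment(srv, 80, c, 50000, "PA", 5001, 1101, 300),         # 6 replay of 5
        Segment("198.51.100.7", 4444, c, 22, "S", 7, 0),           # 7 inbound SYN to SSH
        Segment(srv, 80, c, 50000, "PA", 5301, 9999, 10),          # 8 right flow, wrong ack
    ]
    return [fw.process(s) for s in trace]


if __name__ == "__main__":
    for i, decision in enumerate(demo_trace(), 1):
        print(i, decision)
```

Segment 8 is the interesting one: an attacker who guesses the 4-tuple of a live connection still has to guess the acknowledgment number, which is why unpredictable ISNs matter as much as the stateful check itself.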

How can an FTP server residing on a LAN network be accessed from a PC on the internet? Assume that the LAN network has an internet connection using a router.
Port forwarding can be used. The router is configured to forward requests arriving on its public IP address for TCP port 21 (the FTP control channel) to the LAN IP address of the FTP server; users then FTP to the router's public address. The data channel needs attention too: in active mode the server opens the connection from port 20 outwards, which NAT handles, but in passive mode the server listens on a random high port, so either a fixed passive port range must also be forwarded or the router must have an FTP ALG that rewrites the PASV reply. A better answer for a new deployment is SFTP, which needs only one port and is encrypted.

Explain a technique by which web access can be blocked on a network with a firewall.
An ACL can be configured that blocks outbound DNS (UDP/TCP 53) from the network; without name resolution, browsing by hostname fails. On its own this is weak: users can browse by IP address, use DNS over HTTPS, or tunnel through another resolver. A firewall should also deny TCP 80/443 outbound, or force all web traffic through an authenticating proxy, which additionally gives you logging.

Give a practical instance where static NAT is configured on a router.
Static NAT is used in a scenario where a server which is residing on a LAN network needs to be accessed from users on the internet. In this case, the server would have a public IP address which would be mapped with the private IP address using static NAT

A user has an http proxy configured on the browser. He attempts to open the website www.tcpipguru.com on the browser. The IP address of the proxy server is 192.168.1.1/24 and the port configured is 80. How will the TCP connection from the user be established with the website.
When the user initiates the connection to the website, a TCP 3-way handshake is first established with the proxy server at 192.168.1.1 on port 80. The proxy server then, on behalf of the user, initiates its own TCP 3-way handshake with the web server. The user's PC never connects to the website directly and only needs to resolve and reach the proxy; this is transparent to the user.

A PC which is connected to switch port 23. The switch has learned the mac- address of the PC. The port is now shutdown. Will the switch retain the mac- address
The switch will not retain the mac-address. When the port is shutdown, the mac-address would be removed from the mac-address table of the switch

An attacker tries to spoof the IP address of a peer which is on the same local Ethernet segment but receives a Duplicate IP address message. Which mechanism is responsible for the duplicate IP address detection?
Gratuitous ARP. A host bringing up an address sends an ARP packet in which the Sender and Target IP address are both its own address. When another PC on the segment receives this packet and the Target IP address is its own, it replies, and both sides learn that the address is already in use, which triggers the duplicate IP address message.
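
The ARP packet format behind the two questions above (request versus reply opcode, and duplicate-address detection through gratuitous ARP), as an added example that is not part of the original notes. It builds and parses Ethernet/IPv4 ARP frames and flags a gratuitous ARP, where the sender and target protocol addresses are the same. The MAC and IP addresses are constructed samples.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """ARP packet for Ethernet (htype 1) carrying IPv4 (ptype 0x0800), 6-byte and 4-byte addresses."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def build_frame(dst_mac, src_mac, arp):
    """Ethernet II frame: the Type field identifies ARP, nothing else distinguishes request from reply."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_frame(frame):
    """Return a dict describing the ARP packet, or None if the frame is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa, tpa = str(IPv4Address(spa)), str(IPv4Address(tpa))
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, f"unknown({op})"),
        "sender_mac": mac_str(sha), "sender_ip": spa,
        "target_mac": mac_str(tha), "target_ip": tpa,
        # Gratuitous ARP: the sender asks about (or announces) its own address.
        "gratuitous": spa == tpa,
    }


def duplicate_address_conflict(arp, my_ip, my_mac):
    """True when another station announces my IP address from a different MAC."""
    return (arp is not None and arp["gratuitous"]
            and arp["sender_ip"] == my_ip and arp["sender_mac"] != my_mac)


def demo():
    """Constructed frames: a normal request, and a gratuitous ARP colliding with 192.168.1.10."""
    request = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                          build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.10",
                                    "00:00:00:00:00:00", "192.168.1.1"))
    garp = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01",
                       build_arp(ARP_REQUEST, "de:ad:be:ef:00:01", "192.168.1.10",
                                 "00:00:00:00:00:00", "192.168.1.10"))
    return parse_frame(request), parse_frame(garp)


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The same parser is what an ARP-spoofing detector starts from: a reply whose sender MAC differs from the one already cached for that IP is the signal that dynamic ARP inspection or arpwatch acts on.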

On a network, a computer is connected to a switch, which is connected to a router. The router is connected to the internet. A DNS server IP address is configured on the router, but not on the computer. If the computer pings a website name (Ex: ping www.tcpipguru.com), would a response be received?
No. A DNS server configured on the router is used only for the router's own lookups; the computer's resolver has nowhere to send its query, so the name is never resolved and the ping fails before any packet is sent. To succeed, the DNS server IP address should be configured on the computer (usually via DHCP), or the router must be set up as a DNS forwarder and the computer pointed at it.

On a layer 2 switch, port 1 is a member of vlan 2 and port 2 is a member of vlan 3. Two computers, PC1 and PC2, are connected to the ports. The IP addresses of the computers are 192.168.1.2/24 and 192.168.1.3/24. Both computers belong to the same network address 192.168.1.0/24. If PC1 pings PC2, would a response be received?
A response would not be received. Although both computers belong to the same network address 192.168.1.0/24, they are connected to ports that are members of different VLANs, so PC1's ARP broadcast never reaches PC2. For communication between VLANs a router is required.

Which value in an IP header is not usually checked by a router but can optionally be configured to be checked?
The source IP address. A router forwards on the destination address only, which is what makes source-address spoofing possible. Unicast Reverse Path Forwarding (ip verify unicast source reachable-via rx on Cisco IOS) can be enabled so that the router drops packets whose source address is not reachable through the interface they arrived on (strict mode) or not in the routing table at all (loose mode). This is the BCP 38 anti-spoofing control.

What would be the value in the protocol field in an IP header which has DNS as the application data
The protocol field in the IP header denotes the protocol at the next layer up (the transport layer). DNS is the application protocol; it normally runs over UDP, whose protocol number is 17. DNS also uses TCP (protocol 6) for zone transfers and for responses too large for UDP.

What happens when a vlan is configured as native vlan.
When a VLAN is configured as the native VLAN of a trunk, traffic belonging to that VLAN is sent across the trunk untagged (no 802.1Q header is inserted) as a normal Ethernet frame, and untagged frames received on the trunk are assigned to it. Because untagged frames are ambiguous, the native VLAN should be an unused VLAN, match on both ends of the trunk, and preferably be tagged as well.

What happens if a frame arrives damaged.
When a device , like a computer or a router receives a frame, the network card , which receives the frame, verifies the FCS value in it. The FCS value of the frame is calculated and inserted by the initiator. If the frame has been damaged in transit, the value would differ, when the FCS value is recalculated. If the FCS value differs, the frame is discarded by the recipient.

### Who decides the TTL value which should be inserted in an IP header. 
The operating system decides on the value of TTL to be inserted in the IP header.

How can an ACL be used to block BGP updates from being received on a Cisco router interface.
BGP runs over TCP port 179. An ACL on the interface that denies TCP port 179 blocks the BGP session, and with it all updates. Blocking 179 from unknown sources is good practice; for the sessions you do want, protect them with MD5/TCP-AO authentication and the TTL security check (GTSM) rather than relying on the ACL alone.

###Is a proxy server IP address required to be configured on a browser if NAT is used for sharing internet.
Proxy server and NAT are two different technologies. If NAT is used for sharing internet, proxy server is not required to be configured on the browser

What would be the value of TYPE in an ethernet frame communicating in a TCP/IP environment in which the data is HTTP traffic
The Type field in the Ethernet frame identifies the immediate upper-layer protocol, which is IPv4, so it is 0x0800 (0x86DD for IPv6). Nothing in the frame header says HTTP; that is only visible at the TCP port (80) and above.

Which ESP fields are not encrypted?
The ESP header, i.e. the SPI and the sequence number, is sent in the clear (it has to be, the receiver needs the SPI to find the SA and the key), and so is the integrity check value (ICV) at the end. Everything in between, the payload, padding, pad length and next header fields, is encrypted. The outer IP header is also unencrypted, which is why AH exists.

What port does ping work over?
ICMP is a layer 3 protocol (it doesnʼt work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols

###Which field in a STP packet is manipulated in a STP BPDU attack?
The attacker sends BPDUs with a bridge priority (and therefore bridge ID) lower than the current root bridge's. Since the lowest bridge ID wins the root election, the topology reconverges around the attacker's port, which then sees traffic it should not. Mitigation: BPDU guard on access ports (any BPDU shuts the port) and root guard on ports that must never face the root.

###How SSL verify the authenticity of a peer in case of asymmetric and verify session key in case of symmetric encryption?
Digital Signature
The message is hashed with an algorithm such as SHA or MD5. The hash value is 128 bits (MD5) or 160 bits (SHA-1) long; both are now deprecated for signatures and SHA-256 is used. The sender signs the hash with the sender's private key; the signed hash is known as the digital signature of the sender.
At the receiver, we have the message without encryption and the digital signature. To verify that the message is from the right source, the receiver uses the sender's public key to verify the signature, which yields a hash, say H1.
The receiver also generates its own hash from the message received, say H2. If H1 = H2, this proves both that the message was not altered and that it was signed by the holder of the private key. In TLS this is how the server proves possession of the key in its certificate during the handshake, and the session key for symmetric encryption is derived from the key exchange that this signature authenticates.

How client believes server digital certificate?
It checks that the certificate is within its validity dates, that the chain up to a CA in the client's trust store is signed correctly, that the certificate's subject/SAN matches the hostname being connected to, and that the certificate has not been revoked (CRL or OCSP).

How server authenticate client?
By prompting for a username and password inside the TLS session, or
by requesting a client certificate during the handshake (mutual TLS): the client has an identity certificate issued by a CA that the server trusts, typically the same CA, and proves possession of the matching private key.

How does Active FTP communication Work
When an FTP client initiates a connection with an FTP server in active mode, the client first completes a TCP 3-way handshake to port 21 on the server; this is the control connection. Once the control connection is up, the client sends the PORT command, which contains the address and port number on the client to which the server must connect. The server then initiates a second TCP connection (a second 3-way handshake) from its port 20 to the port the client provided; this is the data connection. Once the data connection is established, data transfer can begin. Because the server opens a connection inbound to the client, a stateful firewall or NAT in front of the client blocks active mode unless it has an FTP ALG.

How does Passive FTP resolve the issue with firewalls
In passive FTP the client sends PASV, the server replies with an address and port it is listening on, and the client initiates the data connection to that port. Both connections are therefore opened from the client side; since the client is inside the network, the firewall sees outbound connections and allows the returning traffic as part of its state. The problem moves to the server side, where a range of passive ports must be opened.

Minimum size of a ping packet? IP header (20) + ICMP echo header (8) = 28 bytes with no data. Typical defaults carry data on top of that: Windows ping sends 32 bytes of data (60-byte IP packet), Linux 56 bytes (84-byte IP packet).

What is a self signed certificate?
A- A self signed certificate is a certificate signed by the same entity that the certificate verifies. It is like you approving your own passport application.

What is a certificate fingerprint?
A- It is a hash of the actual certificate, and can be used to verify the certificate without the need to have the CA certificate installed.
This is very useful in small devices that don’t have a lot of memory to store CA files.
It is also used when manually verifying a certificate.

What happens if a server certificate's private key gets stolen?
A- It can be revoked by the CA. A client (browser) can check revocation through a CRL, an OCSP query, or OCSP stapling delivered by the server; browsers additionally ship their own revocation lists. Revocation only helps if clients actually check it, so the key should also be rotated and the old certificate replaced promptly.

What is the name of the configuration file that could resolve hostnames to IP Address locally?
/etc/hosts

What is the name of the DNS client configuration file?
/etc/resolv.conf

What is the name of the file, where we define our domain (in Linux Ubuntu)?
/etc/bind/named.conf.local

What is the keyword used to define a domain alias?
CNAME

What is the basic function of the nslookup program?
To probe the DNS database for various types of information

What file does the nslookup program use to locate a name server?
The /etc/resolv.conf file

What happens when you clear ARP cache?
Clearing the ARP cache essentially causes all the requests in your database to go through the entire ARP process again. Basically, every connection you now establish will have to resolve the MAC address from the IP address again.

What is the difference between an ARP table and a MAC or Ethernet switching table?
The ARP table maps an IP address to its MAC address; it is populated on a host or router from the ARP reply received after an ARP request. The MAC table holds the information of where a device is connected in a switched LAN: it answers the question "on which port of the switch is the device with this MAC address", and is learned from the source address of incoming frames.

ARP table: layer 3 address to layer 2 address resolution. MAC address table: layer 2 address to interface binding. Each can be poisoned (ARP spoofing, MAC flooding/spoofing), which is what dynamic ARP inspection and port security defend against.

How long will an on-demand IPSec tunnel stay up after there is no interesting traffic?
Answer
The IPSec tunnel will tear down in accordance with the Inactivity Timeout value. If no interesting traffic is observed for the specified inactivity timeout value, the IPSec tunnel will tear down.

Why can't we use only MAC, no IP?
Because MAC addresses are flat identifiers assigned by the manufacturer, not by location: they carry no hierarchy, cannot be summarized, and therefore are not routable. Every router on the Internet would need an entry per device, which does not scale.

How to set a route with a different metric in Linux? With iproute2 (no extra package needed), for example:
sudo ip route add 11.1.2.0/24 via 192.168.1.254 metric 2
The ifmetric package (sudo apt-get install ifmetric) is for changing the metric of all routes on an interface instead.

How the packet is reassembled?
- when a host receives an IP fragment, it stores this fragment in a reassembly buffer at the position given by its fragment offset field.
- Once all the fragments of the original IP datagram are received, the datagram, is processed.
- On receiving the first fragment, a reassembly timer is started.
- If the re-assembly timer expires before all the fragments are received then the datagram is discarded.
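
The mechanics of both the fragmentation questions earlier (offset in 8-byte units, the MF flag, the shared Identification value, the DF flag) and the reassembly steps just listed, as an added example that is not part of the original notes. The header is modelled as a dict rather than packed bytes, the 20-byte header length assumes no options, and the datagram and timer values are constructed; the reassembler deliberately does not validate overlapping fragments, which a real stack must do (overlap is a classic IDS evasion and teardrop-style attack vector).

```python
IP_HEADER_LEN = 20   # IPv4 header without options (assumed throughout)


def fragment(datagram, mtu):
    """Split datagram {'id','df','payload'} into fragments that fit mtu.

    Returns a list of fragments, or None when DF is set and fragmentation would be
    needed: the router then drops the packet and sends ICMP type 3 code 4.
    """
    payload = datagram["payload"]
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [{"id": datagram["id"], "offset": 0, "mf": 0, "payload": payload}]
    if datagram["df"]:
        return None
    # Every fragment except the last carries a multiple of 8 data bytes,
    # because the 13-bit fragment offset field counts 8-byte units.
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        frags.append({"id": datagram["id"],                            # same Identification on all pieces
                      "offset": pos // 8,
                      "mf": 1 if pos + chunk < len(payload) else 0,   # MF=0 marks the last fragment
                      "payload": piece})
    return frags


def is_fragment(pkt):
    """A whole datagram has offset 0 and MF 0; anything else is a fragment."""
    return pkt["offset"] != 0 or pkt["mf"] == 1


class Reassembler:
    """Destination-host reassembly: buffer by offset, complete when every byte is present."""

    def __init__(self, timeout=30):
        self.timeout = timeout
        self.buffers = {}    # id -> {'pieces': {byte offset: payload}, 'total': int|None, 'started': t}

    def receive(self, pkt, now):
        """Feed one packet at time 'now'; return the full payload once complete, else None."""
        self.expire(now)
        if not is_fragment(pkt):
            return pkt["payload"]
        buf = self.buffers.setdefault(pkt["id"], {"pieces": {}, "total": None, "started": now})
        buf["pieces"][pkt["offset"] * 8] = pkt["payload"]
        if pkt["mf"] == 0:                              # the last fragment fixes the total length
            buf["total"] = pkt["offset"] * 8 + len(pkt["payload"])
        # Simplification: overlapping fragments are not checked here.
        received = sum(len(p) for p in buf["pieces"].values())
        if buf["total"] is not None and received == buf["total"]:
            data = b"".join(buf["pieces"][off] for off in sorted(buf["pieces"]))
            del self.buffers[pkt["id"]]
            return data
        return None

    def expire(self, now):
        """Drop incomplete datagrams whose reassembly timer ran out (ICMP type 11 code 1 may be sent)."""
        for fid in [f for f, b in self.buffers.items() if now - b["started"] > self.timeout]:
            del self.buffers[fid]


def sample_datagram():
    """Constructed 1500-byte datagram: 20-byte header plus 1480 bytes of data."""
    return {"id": 7, "df": False, "payload": bytes(i % 256 for i in range(1480))}


if __name__ == "__main__":
    frags = fragment(sample_datagram(), 1000)
    for f in frags:
        print(f"id={f['id']} offset={f['offset']} (byte {f['offset'] * 8}) MF={f['mf']} data={len(f['payload'])}")
    r = Reassembler()
    print(r.receive(frags[1], now=0), len(r.receive(frags[0], now=1)))   # out of order still works
```

Feeding the second fragment first shows why reassembly is positional: the receiver cannot know the datagram's total length until the MF=0 fragment arrives, and until then it is holding memory on behalf of a sender it has not authenticated, which is the resource-exhaustion angle of fragment floods.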

Apart from routing what exactly does a router do?
It decrements the TTL and recomputes the IP header checksum on every forwarded packet, fragments packets larger than the egress MTU, resolves the next hop's MAC address (ARP) and rewrites the layer 2 header, and, depending on configuration, applies ACLs, NAT, QoS and uRPF checks.

What is route metric?
A routing protocol uses the route metric value to find the best path when there are two or more different routes to the same destination (lower is better).
RIP: hop count
OSPF: cost (derived from interface bandwidth)
EIGRP: composite of bandwidth and delay by default; reliability and load can be added via the K values (MTU is carried in updates but not used in the metric)

If a client receives multiple default routes (for example one from DHCP and one configured statically, or two interfaces each with a gateway), which default gateway is chosen?
The one whose route has the lowest metric. Configure the default routes with different metrics so the preferred gateway has the least metric; if the metrics are equal, behaviour is implementation dependent (Windows uses the interface metric, Linux keeps the first route installed).

how to restrict switch from flooding to all ports
Use VLANs to shrink the broadcast domain, so a flood only reaches ports in the same VLAN; add static MAC entries or port security for hosts that must not be reached by unknown-unicast flooding, and rate-limit broadcast/unknown-unicast traffic with storm control.

Does the ARP header have IPs? ARP is L2.
ARP is not carried inside an IP header; it sits directly on Ethernet (EtherType 0x0806). The ARP packet itself does contain IP addresses: the sender and target protocol address fields are what let a host map an IP address to a MAC address.

Can we change dictionary key 
## no

If the MAC address table is cleared before the ARP reply arrives, will ping work?
Yes. The ARP reply is a unicast to a destination the switch no longer has in its forwarding table; this is unknown-unicast traffic, so the switch floods the frame out of every forwarding port in that VLAN. The intended host receives it, the switch relearns the source MAC from the reply, and subsequent frames are switched normally.

When is an entry removed from an ARP cache?
An entry in an ARP cache is removed after a pre-determined timeout period (e.g. 20 minutes).

What is use of cookies in ipsec?
Cookies are exchanged in the first two messages of IKE main mode. The cookies and nonces are pseudo-random numbers inserted into the messages; the cookies let each peer identify the exchange and refuse to allocate state until the other side echoes its cookie (a cheap defence against flooding from spoofed sources), and the nonces guarantee freshness of the key material, which helps prevent replay attacks and maintains continuity of the session.

How do the IPsec protocols ESP and AH provide replay protection?
ESP and AH carry a 32-bit sequence number in their headers, covered by the integrity check value. The receiver tracks received sequence numbers in a sliding window (64 packets by default on Cisco IOS, set with 'crypto ipsec security-association replay window-size'). A packet whose sequence number was already received, or that falls below the window, is rejected, thus providing replay protection.

Data encrypted at the application/session layer: TLS (runs above TCP, so IP and TCP headers stay in the clear)
Data encrypted at the network layer: IPsec VPN (ESP protects the whole transport segment, and in tunnel mode the inner IP header as well)

What is a pseudo header?
Ans. A pseudo header is a conceptual header used only for calculating the checksum of TCP and UDP segments. From the TCP or UDP point of view the segment does not contain IP addresses, so to bind the checksum to the endpoints a "pseudo-header" is prepended before summing. It is "pseudo" because it is never transmitted as part of the TCP/UDP segment. For IPv4 it contains the source and destination address, a zero byte, the protocol number and the TCP/UDP length. A segment delivered to the wrong address therefore fails its checksum.
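The pseudo-header checksum computed end to end, as an added example rather than code from the notes: build a UDP segment, compute its checksum over the IPv4 pseudo-header plus segment, and verify it; the second verification uses a different source address to show that the checksum is bound to the IP endpoints. Addresses, ports and payload are constructed.

```python
import socket
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                   # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    # IPv4 pseudo-header: src addr, dst addr, zero, protocol, TCP/UDP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)


def udp_checksum(src: str, dst: str, segment: bytes) -> int:
    seg = segment[:6] + b"\x00\x00" + segment[8:]     # checksum field zeroed while computing
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src, dst, UDP_PROTO, len(seg)) + seg)
    return csum or 0xFFFF                             # UDP sends a computed 0 as 0xFFFF


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    seg = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src, dst, seg)) + seg[8:]


def verify_udp(src: str, dst: str, segment: bytes) -> bool:
    # valid when the sum over pseudo-header + full segment (checksum included) is all ones
    return ones_complement_sum(pseudo_header(src, dst, UDP_PROTO, len(segment)) + segment) == 0xFFFF
```

This is exactly why a NAT device must recompute TCP/UDP checksums after rewriting addresses, and why a checksum offloaded to the NIC looks wrong in a packet capture taken on the sending host.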

What is an example of orchestration?
Automation refers to a single task; orchestration arranges tasks into a workflow. For example, orchestrating an app means not only deploying the application but also connecting it to the network so it can communicate with users and other apps.

1.1.1.1                                         1.1.1.2
hostA ---vlan20 switchA ------SwitchB vlan10--- host2

Will communication happen here? The hosts are in different VLANs but the same subnet. How does ARP resolution happen?
## It does not: hostA sees 1.1.1.2 as on-link and broadcasts an ARP request, but the broadcast is confined to VLAN 20, so host2 never receives it and no reply comes back. Options are to bridge the two VLANs on a router (IRB/BVI), or to put each VLAN in its own subnet and route between them with router-on-a-stick. A native-VLAN mismatch on the trunk between the switches (VLAN 20 untagged on one side, VLAN 10 on the other) would leak the frames across, but that is a misconfiguration, not a design.

hostA wants to reach the internet, but hostA and routerA's inside interface have the same IP address. What happens?
## Hosts and IOS routers send a gratuitous ARP (an ARP probe for their own address) when an interface comes up; a reply from another MAC means a duplicate, which the router logs as a duplicate-address message. hostA's ARP cache and the switch may flip between the two MACs, so traffic to that address is unreliable and hostA's path to the gateway breaks.
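An ARP packet builder/parser, added here as an example (not from the original notes) for the two points above: the ARP body carries sender and target IP addresses even though there is no IP header, and a gratuitous ARP is recognised by sender IP == target IP. The MAC and IP values are constructed.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """28-byte ARP body for Ethernet/IPv4 (the Ethernet frame header is not included)."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
            + _mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
            + _mac_bytes(target_mac) + socket.inet_aton(target_ip))


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": _mac_str(pkt[8:14]),
        "sender_ip": socket.inet_ntoa(pkt[14:18]),   # protocol addresses live here
        "target_mac": _mac_str(pkt[18:24]),
        "target_ip": socket.inet_ntoa(pkt[24:28]),
    }


def is_gratuitous(arp: dict) -> bool:
    # the host announces or probes its own address: sender IP == target IP
    return arp["sender_ip"] == arp["target_ip"]


def duplicate_detected(my_mac: str, my_ip: str, arp: dict) -> bool:
    # another MAC claims our IP in a request or reply: duplicate address on the segment
    return arp["sender_ip"] == my_ip and arp["sender_mac"].lower() != my_mac.lower()
```

The same parser is what you would run over a capture to spot ARP spoofing: a reply for the gateway's IP arriving from a MAC that is not the gateway's.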

What is RARP? In which scenario is it used?
### Reverse ARP: a host that knows only its MAC address asks a RARP server for its IP address. Used by diskless workstations and network printers at boot; long since superseded by BOOTP/DHCP.

What are jumbo frames? Does the MTU change with jumbo frames?
## Ethernet frames carrying more than 1500 bytes of payload (commonly up to 9000, 9216 on many Cisco platforms). Yes: the interface/system MTU must be raised on every hop, otherwise the frame is dropped as a giant.

1.1.1.1                                          1.1.1.1      TCP           TCP
hostA --100--- routerA 1000 ---100 routerB 1000 ------100 routerC ---- hostB --internet
2000

Where exactly should the jumbo MTU be configured?
Jumbo frames need to be enabled on the ingress and egress interface of every device along the end-to-end path, and all devices in the path must agree on the maximum jumbo frame size. A single hop left at 1500 either fragments the traffic (if DF is clear) or drops it.

What are baby giants?
Baby giant (baby jumbo) frames are Ethernet frames only slightly larger than the IEEE 802.3 maximum of 1518 bytes, for example frames carrying extra encapsulation headers (Cisco treats frames up to 1600 bytes as baby giants).

What is the minimum frame size?
The minimum size of a standard Ethernet frame is 64 bytes (including the 4-byte FCS); shorter frames are padded by the sender, and anything shorter on the wire is a runt.

What are the smallest and largest sizes of Ethernet frames?
The original IEEE 802.3 standard set the minimum Ethernet frame size at 64 bytes and the maximum at 1518 bytes. The maximum was later raised to 1522 bytes to allow for the 4-byte 802.1Q VLAN tag. An ICMP echo with no payload needs only 14 (Ethernet) + 20 (IP) + 8 (ICMP) = 42 bytes of headers, so it is padded to 60 bytes and sent as a 64-byte frame once the FCS is added.

How to troubleshoot DHCP failures?
Check the physical connection
Check for an IP address conflict
Test connectivity with other clients using static IP addresses
Confirm the switch port configuration (VLAN, port security, DHCP snooping trust on the uplink to the server)
Verify where the client's address came from (show ip dhcp binding / ipconfig /all)
Check whether the DHCP service is running and the scope is not exhausted, and that an ip helper-address is configured when the server is on another subnet