Security Set Of Questions
Lionnel NDZIE
December 1, 2022

1 Introduction

This is a set of questions related to the HCIA Security course.

2 Part: Basic concepts of information security

2.1 Information and information security

2.1.1 Q: What is information security?
R: Information security refers to the preservation of the confidentiality, integrity and availability of data through security technologies.

2.1.2 Q: What are the security technologies?
R: Computer hardware and software, network and key technologies.

2.1.3 Q: What can be affected if information assets are damaged?
R: 1. National security; 2. System operating and continuous development; 3. Personal privacy and property.

2.1.4 Q: What is the aim of information security?
R: It is to protect data against threats through technical means and effective management.

2.1.5 Q: List the stages in the development of information security.
R: Early 1900s, communication secrecy stage; post 1960s, information security stage; 1980, information insurance stage.

2.1.6 Q: What is the characteristic of the communication secrecy stage?
R: There were limited communication technologies and data was dispersedly stored.

2.1.7 Q: Talk about the communication secrecy stage.
R: 1. Limited to physical security and cipher-based security of communication.

2.1.8 Q: What is the characteristic of the information security stage?
R: Internet development brings new challenges and threats to IS.

2.1.9 Q: What is involved in the information security stage?
R: Confidentiality, integrity, availability, controllability and non-repudiation.

2.1.10 Q: What is the purpose of confidentiality?
R: It means resisting passive attacks by adversaries and preventing information leakage to unauthorized users.

2.1.11 Q: What is the purpose of integrity?
R: It means resisting active attacks by adversaries and preventing unauthorized tampering.

2.1.12 Q: What is the purpose of controllability?
R: It implements security monitoring to protect information and its system against attacks.

2.1.13 Q: What is the purpose of non-repudiation?
R: It prevents the information sender or receiver from denying the information.

2.1.14 Q: In which year did the WannaCry ransomware crypto worm occur?
R: In 2017.

2.1.15 Q: What is the vulnerability exploited by WannaCry?
R: The port 445 Windows vulnerability.

2.1.16 Q: What are the main attack methods used by OceanLotus?
R: Spear phishing and watering hole.

2.1.17 Q: What is the purpose of spear phishing?
R: An email is sent to someone with a trojan horse as attachment.

2.1.18 Q: What is the purpose of a watering hole?
R: The attacker exploits the vulnerability of a website, for example by replacing a shared document on the website with a trojan horse.

2.1.19 Q: What are the two general types of attack causes?
R: Direct causes and indirect causes.

2.1.20 Q: What are the direct causes?
R: Vulnerability, virus, trojan horse, backdoor program, DDoS attack.

2.1.21 Q: What are the indirect causes?
R: Information system complexity, and human and environment factors.

2.2 Information security risks and management

2.2.1 Q: What are the types of risks involved in information security?
R: Physical risks, network risks, system risks, information risks, application risks, management risks, other risks (Management PIANOS).

2.2.2 Q: What is involved in physical risks?
R: 1. Device theft and destruction; 2. Network device faults; 3. Network device unavailability due to power failure; 4. Electromagnetic radiation in the equipment room.

2.2.3 Q: What is information risk about?
R: It is about information storage security, information transmission security and information access security.

2.2.4 Q: What is included in information storage security risk?
R: Protection of server disks, and encryption and anti-theft of stored information.

2.2.5 Q: What is included in application risks?
R: Network virus, security of applications.

2.2.6 Q: What is network risk about?
R: The risks from the Internet and the risks from the intranet itself.

2.2.7 Q: What is included in system risks?
R: DB system configuration security, security of the DB itself and security of the services running in the system.

2.2.8 Q: What is the purpose of management risks?
R: To determine whether the IT system has management risks from the following aspects: national policy, enterprise system and management system.

3 Part: Information security standards and specifications

3.1 Information security standards and specifications

Q: What are information security standards?
R: They are normative documents that are jointly formulated, approved by recognized authorities and used throughout the industry to achieve the best security. That is, they are documents that respond to the question: how can an enterprise build a secure information system?

3.1.1 Q: List the international organizations related to information security.
R: ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission).

3.1.2 Q: List the Chinese security standards organizations.
R: China Information Security Standardization Technical Committee (CISSTC), Cyber and Information Security Technical Committee (TC8) and China Communication Standards Association (CCSA).

3.1.3 Q: List the other security standards organizations.
R: International Telecommunication Union (ITU) from US and Internet Engineering Task Force (IETF).

3.1.4 Q: List the common IS standards and specifications.
R: 1. China: Graded Protection of IS (GB); 2. US: Trusted Computer System Evaluation Criteria (TCSEC); 3. EU: IT Security Evaluation Criteria (ITSEC); 4. ISO 27001.

3.2 ISO 27001 ISMS

3.2.1 Q: What is ISO 27001 ISMS?
R: It is an international information security standard based on the BS7799 standard.

3.2.2 Q: What are the phases involved in ISMS?
R: Plan (establish an ISMS), Do (implement and operate the ISMS), Check (monitor and review the ISMS) and Action (maintain and improve the ISMS).

3.2.3 Q: In which year were ISO/IEC 27001 and ISO/IEC 27001 released?
R: In 2013.

4 Basic network concepts

4.1 TCP/IP architecture

4.1.1 Q: What is the purpose of the OSI model?
R: To overcome the interconnection difficulties and low efficiency caused by the use of various protocols, by designing an open and interconnected network.

4.1.2 Q: What are the design principles of the OSI model?
R: 1. Clear boundaries between layers to facilitate understanding; 2. Each layer implements specific functions and the layers do not affect each other; 3. Each layer is a service provider and a service user; 4.

4.1.3 Q: Why do we use a modular design in medium to large networks?
R: In order to split network functions.

4.1.4 Q: What are the layers included in traditional networks?
R: Egress layer, core layer, aggregation layer and access layer.

4.1.5 Q: What is the function of the core layer?
R: To provide high-speed data channels.

4.1.6 Q: What is the function of the aggregation layer?
R: Its role is to converge traffic and control policies.

4.1.7 Q: What is the function of the access layer?
R: To provide various access modes to devices.

4.1.8 Q: What is the quintuple?
R: SRC IP + DST IP + Protocol + SRC Port + DST Port.

4.2 Common network protocols

4.2.1 Q: What are the common network protocols?
R: ARP, ICMP, routing protocols, SNMP, NetStream.

4.2.2 Q: Talk about the functions of ARP.
R: When a packet is forwarded to a host or gateway in the same network segment, the destination address is known and the MAC address corresponding to the destination address is obtained.

4.2.3 Q: What is ICMP?
R: It is a network layer protocol used to send control packets between IP network devices to transmit error, control and query messages.

4.2.4 Q: What are the common parameters of the ping command?
R:
-a source-ip-address: Specifies the source IP address for sending ICMP Echo Request packets. If the source IP address is not specified, the IP address of the outbound interface is used by default.
-c count: Specifies the number of times that ICMP Echo Request packets are sent. The default value is 5.
-h ttl-value: Specifies the Time To Live (TTL) for ICMP Echo Request packets. The default value is 255.
-t timeout: Specifies the timeout period for waiting for an ICMP Echo Reply packet after an ICMP Echo Request packet is sent.

4.2.5 Q: What information is given in the ping command output?
R: The destination address, the ICMP packet length, the packet number, the TTL value and the round trip time.

4.2.6 Q: What is the purpose of tracert?
R: It is used to trace the forwarding path of packets hop by hop based on the TTL value in the packet header.

4.2.7 Q: What does a node do when the TTL times out?
R: It sends a TTL timeout message carrying the timestamp to the source end.

4.2.8 Q: What are the common parameters of the tracert command?
R:
-a source-ip-address: Specifies the source address of a tracert packet.
-f first-ttl: Indicates the initial TTL. The default value is 1.
-m max-ttl: Indicates the maximum TTL. The default value is 30.
-name: Displays the host name on each hop.
-p port: Specifies the UDP port number of the destination host.

4.2.9 Q: What are the types of routes based on the destination address?
R: 1. Network segment routes (subnet mask less than 32); 2. Host routes (subnet mask is 32).

4.2.10 Q: What are the types of routes based on whether the destination is directly connected to the router?
R: 1. Direct routes; 2. Indirect routes.

4.2.11 Q: What are the types of routes based on the destination address types?
R: 1. Unicast routes; 2. Multicast routes.

4.2.12 Q: What are the characteristics of OSPF?
R: 1. No loop; 2. Fast convergence; 3. Good scalability; 4. Supports authentication.

4.2.13 Q: What is SNMP?
R: It is a network management protocol widely used in TCP/IP networks.

4.2.14 Q: What are the kinds of operations supported by SNMP?
R: 1. Configuration update; 2. Query; 3. Traps.

4.2.15 Q: What is included in the SNMP architecture?
R: 1. NMS; 2. Agent; 3. MIB.

4.2.16 Q: What is the purpose of enterprise network O&M?
R: 1. Understand the traffic trends of all branches and identify the devices and branches that need expansion; 2. Analyse the distribution of branch traffic and identify the value points for capacity expansion; 3. Rank the changes in branch traffic and allocate network resources accordingly.

4.2.17 Q: What does NTA mean?
R: Network Traffic Analyser.

4.2.18 Q: eSight NTA is a software-only solution, true or false?
R: True.

4.2.19 Q: What is the purpose of eSight NTA?
R: It provides reliable and convenient traffic analysis, monitors network-wide traffic in real time and provides multidimensional traffic analysis reports.

4.2.20 Q: What are the features of NTA?
R: 1. Traffic visualization; 2. Exception detectability; 3. Proper planning.

4.2.21 Q: What is NetStream?
R: It is a Huawei-patented technology used to collect and distribute statistics about network traffic.

4.2.22 Q: For what ends can the data provided by NetStream be used?
R: Network management and planning, enterprise accounting and departmental charging, ISP billing reports, data storage, data mining for marketing purposes.

4.2.23 Q: What are the devices used by NetStream?
R: 1. NetStream Data Exporter (NDE); 2. NetStream Collector (NSC); 3. NetStream Data Analyser (NDA).

4.2.24 Q: Talk about the TCP 3-way handshake.
R:

4.2.25 Q: What are the types of servers involved in DNS?
R: 1. Root server; 2. Top-level domain name server; 3. Recursive server; 4. Cache server.

4.2.26 Q: Which organization manages the root servers?
R: ICANN.

4.2.27 Q: What is the purpose of top-level domain name servers?
R: They store top-level domain names such as .com, .edu, .cn and so on.

4.2.28 Q: What is a recursive server?
R: It is an authoritative server that stores definitive domain name records (the resolution relationship between a domain name and an IP address) for the zone in which it serves.

4.2.29 Q: What is the purpose of the cache server?
R: It is equivalent to a proxy of the authoritative server and reduces the pressure on the authoritative server.

4.2.30 Q: What is the purpose of FTP?
R: It provides an effective way to upload and download files between a server and a client.

4.2.31 Q: What are the two modes supported by FTP?
R: Active mode and passive mode.

4.2.32 Q: What makes the distinction between the active mode and the passive mode?
R: Whether the server sets up the data connection or not.

4.2.33 Q: What is the default mode?
R: Active mode.

4.2.34 Q: What is the process of the active mode?
R: The client sets up the control connection and the server sets up the data connection.

4.2.35 Q: What is the process of the passive mode?
R: The client sets up the control connection and the data connection.

4.2.36 Q: What are the three components on which the web is built?
R: 1. HTML (used to describe web files); 2. URL (used to define file locations); 3. HTTP (used for client/server communication).

4.2.37 Q: What is hypertext?
R: It is a holistic information architecture which establishes links between the different parts of a document through keywords, so that information can be searched interactively.

4.2.38 Q: What is hypermedia?
R: It is the integration of hypertext and media.

4.2.39 Q: HTTP is connection-oriented, true or false?
R: True.

4.2.40 Q: HTTP is a stateless protocol, true or false?
R: True.

4.2.41 Q: HTTP is based on TCP, true or false?
R: True.

4.2.42 Q: What is the purpose of SMTP?
R: It is a protocol that defines how PCs send mails to an SMTP server and how mails are transferred between SMTP servers.

4.2.43 Q: What is the purpose of POP3 and IMAP?
R: They specify how PCs manage and download mails on a mail server through client software.
4.2.44 Q: What is the difference between POP3 and IMAP?
R: If POP3 is used, after the client software downloads the unread mails to the PC, the mail server deletes the mails. If IMAP is used, users can directly manage mails on the server without downloading all emails to the local PC.

5 Common network devices

5.1 Basic network devices

5.1.1 Q: What do we find in a typical campus network security deployment scenario?
R: 1. Office LANs; 2. Data center; 3. Anti-DDoS; 4. DMZ; 5. Branches or partners connected via site-to-site VPN.

5.1.2 Q: What is a vNGFW?
R: It is a virtual firewall that is deployed on a virtual machine and has the same functionalities as a physical firewall.

5.1.3 Q: What is NIP?
R: It means Network Intrusion Prevention and is a Huawei-developed intrusion detection and prevention system.

5.1.4 Q: What is an agile controller?
R: It is an automated network resource control system used for access control.

5.1.5 Q: What is the purpose of a switch?
R: To forward data frames.

5.1.6 Q: Which kind of table does a switch store?
R: The MAC address table.

5.1.7 Q: What is the purpose of the MAC address table?
R: It stores the mapping between MAC addresses and switch interfaces.

5.1.8 Q: What are the three types of frame operations that a switch can perform?
R: 1. Flooding; 2. Forwarding; 3. Discarding.

5.1.9 Q: What is done if a switch receives a broadcast frame?
R: The switch does not check the MAC address table but directly performs the flooding operation.

5.1.10 Q: How does a switch learn MAC addresses?
R: By recording the mapping between the source MAC address of a frame and the interface through which the frame was received.

5.1.11 Q: What is the default aging time of MAC address table entries?
R: 300 seconds.

5.1.12 Q: What is the function of a router?
R: To forward data packets between different network segments.

5.1.13 Q: What is the other function of a router?
R: Route selection.

5.1.14 Q: What is the purpose of a firewall?
R: To protect one network area against network attacks and intrusions from another network area. That is, a firewall logically isolates a network.

5.1.15 Q: Where can a firewall be applied?
R: To network borders and subnet isolation.

5.1.16 Q: What is the core function of a firewall?
R: Security protection.

5.1.17 Q: What is the primary function of switches and routers?
R: Switching.

5.1.18 Q: In which year were packet filtering firewalls developed?
R: In 1989.

5.1.19 Q: What is the purpose of packet filtering firewalls?
R: Simple access control.

5.1.20 Q: What is the generational name of packet filtering firewalls?
R: 1st generation firewalls.

5.1.21 Q: What is a proxy firewall?
R: It is a firewall acting as a proxy for communications between an intranet and an extranet at the application layer.

5.1.22 Q: What is the generational name of proxy firewalls?
R: 2nd generation firewalls.

5.1.23 Q: What are the pros of proxy firewalls?
R: 1. High security.

5.1.24 Q: What are the cons of proxy firewalls?
R: 1. Low processing; 2. Developing a proxy service for each type of application can be difficult.

5.1.25 Q: What is the purpose of stateful inspection firewalls?
R: They determine what action should be performed by dynamically analyzing the packet status.

5.1.26 Q: What is the generational name of stateful inspection firewalls?
R: 3rd generation firewalls.

5.1.27 Q: What is the meaning of UTM?
R: Unified Threat Management.

5.1.28 Q: In which year was the concept of UTM proposed?
R: In 2004.

5.1.29 Q: What is the purpose of UTM?
R: It is a concept that integrates the conventional firewall, intrusion detection, antivirus, URL filtering, application control and mail control into one firewall for all-round security protection.

5.1.30 Q: What are the cons of UTM?
R: 1. The detection degree of application layer information was limited; 2. Performance issues.

5.1.31 Q: In which year was the concept of DPI proposed?
R: In 2005.
5.1.32 Q: What is the purpose of deep packet inspection (DPI)?
R: To alleviate the problem of the limited detection degree of application layer information.

5.1.33 Q: In which year was the NGFW released?
R: In 2008.

5.1.34 Q: What is the purpose of NGFW?
R: To implement control based on user, application and content.

5.1.35 Q: What is a security zone?
R: A security zone (zone in short) is an interface or a group of interfaces with the same security attributes.

5.1.36 Q: What are the default zones for Huawei?
R: 1. Untrust zone; 2. DMZ zone; 3. Trust zone; 4. Local zone.

5.1.37 Q: All devices on the networks connected to the same interface must reside in the same security zone, true or false?
R: True.

5.1.38 Q: What is the range of security levels of security zones?
R: 1 to 100.

5.1.39 Q: What is the default value of the untrust zone?
R: 5.

5.1.40 Q: What is the default value of the DMZ zone?
R: 50.

5.1.41 Q: What is the default value of the trust zone?
R: 85.

5.1.42 Q: What is the default value of the local zone?
R: 100.

5.1.43 Q: Can the firewall have two different security zones with the same security level value?
R: No.

5.1.44 Q: Does the firewall allow the same physical interface to belong to two different security zones?
R: No.

5.1.45 Q: Can different interfaces on a firewall belong to the same security zone?
R: Yes.

5.2 Device initial login

5.2.1 Q: What is VRP?
R: VRP, which stands for Versatile Routing Platform, is a network operating system that runs on Huawei devices.

5.2.2 Q: What are the functions of VRP?
R: 1. It provides a unified user and management interface; 2. It implements control plane functionality; 3. It defines the interface specifications of the forwarding plane (so that the interaction between a product's forwarding plane and the VRP control plane can be implemented); 4. It also implements the network interface layer to shield the differences between the link and network layers of each product.
5.2.3 Q: VRP commands use level-defined protection, true or false?
R: True.

5.2.4 Q: What are the four command levels?
R: 1. Visit level; 2. Monitoring level; 3. Configuration level; 4. Management level.

5.2.5 Q: What are the commands available at the visit level?
R: 1. Network diagnosis commands (ping and tracert); 2. Commands to access external devices from the local device (telnet, ssh, rlogin).

5.2.6 Q: What are the commands available at the monitoring level?
R: 1. Display commands; 2. Debugging commands.

5.2.7 Q: Commands at the monitoring level cannot be saved in configuration files, true or false?
R: True.

5.2.8 Q: What are the commands available at the configuration level?
R: Service configuration commands.

5.2.9 Q: What are the commands available at the management level?
R: 1. File system commands; 2. Configuration file switchover; 3. Standby board control; 4. User management; 5. Command level setting; 6. System internal parameter setting commands.

5.2.10 Q: What is the purpose of the full help?
R: It displays all the keywords or parameters and their descriptions after the question mark is entered in the command line.

5.2.11 Q: What are the means to obtain the full help?
R: 1. Enter the question mark in any command view; 2. Enter the question mark after a command keyword followed by a space.

5.2.12 Q: What is the purpose of the partial help?
R: It displays all the keywords or parameters that start with the character string entered in the command line.

5.2.13 Q: What are the steps to add an interface to a security zone?
R: 1. Enter the system view; 2. Run the command firewall zone zone-name to create a security zone and enter the view of the security zone; 3. Run the command add interface interface-type interface-number to assign the interface to the security zone.

5.2.14 Q: What if no default route exists and the destination IP address of the packet is not in the routing table?
R: The packet is discarded and an ICMP packet is returned to the source to report that the destination IP address or network is unreachable.

5.2.15 Q: In web login mode, by default, you can log in to a device through GigabitEthernet0/0/0, true or false?
R: True.

5.2.16 Q: What is the default IP address to access the web login mode?
R: 192.168.0.1

5.2.17 Q: What are the default username and password for the web login?
R: admin, Admin@123

5.2.18 Q: What is the command to enable the web management function?
R: [ ] web-manager security enable interface 8443

5.2.19 Q: By default, the telnet login is disabled, true or false?
R: True.

5.2.20 Q: What is the command to enable the telnet login?
R: [ ] telnet server enable

5.2.21 Q: What are the steps to enable the SSH login?
R: 1. Enable the STelnet service; 2. Configure SSH management on the USG interface; 3. Configure a local RSA key pair; 4. Configure VTY user interfaces; 5. Create an SSH administrator; 6. Create an SSH user.

5.2.22 Q: What are the three types of device file management?
R: 1. Configuration file management; 2. System file management (software upgrade); 3. License management.

5.2.23 Q: What is the purpose of the configuration file?
R: It contains the configuration that the device will load when it is started.

5.2.24 Q: What is included in the system file?
R: 1. USG software version; 2. Signature database files.

5.2.25 Q: What are the means to upload the system software to a device?
R: FTP and TFTP.

5.2.26 Q: What is the purpose of the license?
R: To authorize the usage scope and validity period of product features.

5.2.27 Q: What are the types of configuration files?
R: 1. Saved-configuration; 2. Current-configuration.

6 Common information security threats

6.1 Current situation of information security threats

6.1.1 Q: What are the main sources of security incidents?
R: 1. Attacks through malicious code; 2. Personal information breach; 3. Communication process hijacking; 4. DDoS attacks.

6.1.2 Q: What is Stuxnet?
R: It is one of the most sophisticated cyber weapons in history, which targeted the SCADA system.

6.1.3 Q: What is the current situation of information security attacks?
R: 1. Forms of attacks largely unchanged; 2. More sophisticated attack means; 3. Diverse attack methods.

6.1.4 Q: What are the security threat categories?
R: 1. Threats to cyber security; 2. Threats to application security; 3. Threats to data transmission and device security.

6.2 Threats to network security

6.2.1 Q: From which devices was the DDoS attack against the Dyn DNS service launched?
R: From IoT devices which were infected by the Mirai malware.

6.2.2 Q: In which year was Dyn DNS hit by the DDoS attack?
R: 2016.

6.2.3 Q: What is the process of a Mirai attack?
R: 1. Look for zombies; 2. Build a botnet; 3. Load the attack module; 4. Launch an attack.

6.2.4 Q: What is scanning?
R: It is a potential attack action that does not directly interrupt network devices but gathers relevant network information before an attack.

6.2.5 Q: What are the two types of scanning?
R: 1. Address scanning; 2. Port scanning.

6.2.6 Q: What is the purpose of a spoofing attack?
R: To obtain access and control permission.

6.2.7 Q: What is a zombie?
R: It is a controlled host.

6.2.8 Q: What is a botnet?
R: It is a network consisting of the attacker and zombie hosts.

6.2.9 Q: What is the main purpose of a DDoS attack?
R: To prevent the target from providing services to legitimate users.

6.2.10 Q: What are the types of DDoS attacks based on the type of exploited packets?
R: SYN flood, UDP flood, ICMP flood, HTTP flood, HTTPS flood, DNS flood.

6.2.11 Q: What are the defense measures against cyber attacks?
R: 1. Firewall; 2. Anti-DDoS devices.

6.3 Threats to application security

6.3.1 Q: What is a worm?
R: It is a software program capable of reproducing itself that can spread from one computer to the next on a network.

6.3.2 Q: What is the process of the worm attack against Weibo?
R: 1. Exploit a web page vulnerability; 2. Phishing; 3. Spread the worm; 4. Take down the web site.

6.3.3 Q: What is a vulnerability?
R: It is a defect in the implementation of hardware, software or protocols, or in system security policies.

6.3.4 Q: What are the threats brought by vulnerabilities?
R: 1. Injection; 2. XSS; 3. Malicious code propagation; 4. Data breach.

6.3.5 Q: What is phishing?
R: It is a fraudulent attempt to obtain users' private information for malicious reasons by using the URL or web page content of an authentic website as a disguise, or by exploiting vulnerabilities of authentic websites.

6.3.6 Q: What are the two types of phishing websites?
R: 1. Websites using the idea of "winning a prize"; 2. Fake website masquerading.

6.3.7 Q: What is malicious code?
R: It is computer code that is deliberately developed to cause threats or potential threats to a network or to a system.

6.3.8 Q: What are the most common examples of malicious code?
R: 1. Viruses; 2. Trojan horses; 3. Worms; 4. Backdoors.

6.3.9 Q: What is the other name of malicious code?
R: Malware.

6.3.10 Q: What is included in malware?
R: Adware, spyware, malicious shareware.

6.3.11 Q: What are the main ways for malicious code to access intranets?
R: Web browsing and email transmission.

6.3.12 Q: What are the defense measures for application attacks?
R: 1. Regular vulnerability fixing; 2. Improving information security awareness; 3. Protection through professional equipment.

6.3.13 Q: What is a WAF (web application firewall)?
R: It is a protection device that protects web applications by executing a series of HTTP/HTTPS security policies.

6.3.14 Q: What are the threats in the communication process?
R: 1. Transmission security risks; 2. Device security risks.

6.3.15 Q: What are the transmission security risks?
R: 1. MITM attacks; 2. Data not encrypted or inadequately encrypted.

6.3.16 Q: What are the device security risks?
R: 1. Servers with vulnerabilities; 2. Using weak passwords; 3. User identity not authenticated.

7 Threat defense and information security development trends

7.1 Security threat defense

7.1.1 Q: What are the three elements of information security protection?
R: 1. People; 2. Security O&M and management; 3. Security products and technologies.

7.1.2 Q: What is the weakest link in information security?
R: People.

7.1.3 Q: What is the purpose of information security O&M and management?
R: To ensure security compliance during the process operations of enterprises.

7.1.4 Q: What is included in information security awareness?
R: 1. Cyber security awareness survey; 2. Public WiFi security awareness; 3. Social engineering.

7.1.5 Q: What is social engineering?
R: It is the psychological manipulation of people into giving away personal information, which can cause great damage to the victims.

8 Operating system overview

8.1 Operating system 101

8.1.1 Q: What are the main functions of an operating system?
R: 1. Processor management; 2. Memory management; 3. Device management; 4. File management; 5. Job management.

8.1.2 Q: What is the main task of processor management?
R: To allocate, control and manage processor resources.

8.1.3 Q: What is included in processor management?
R: 1. Process control; 2. Process synchronization; 3. Process communication; 4. Process scheduling.

8.1.4 Q: What is the main task of memory management?
R: To allocate memory resources to programs and manage these resources.

8.1.5 Q: What is included in memory management?
R: 1. Memory allocation; 2. Memory protection; 3. Memory expansion.

8.1.6 Q: What is the main task of device management?
R: To execute I/O requests, classify I/O devices and facilitate CPU and I/O device usage.

8.1.7 Q: What is included in device management?
R: 1. Buffer management; 2. Device allocation; 3. Device virtualization.

8.1.8 Q: What is the main task of file management?
R: To manage user and system files.
8.1.9 Q: What is the main task of job management?
R: To provide a stable environment suitable for users to effectively organize their workflows.

8.1.10 Q: What should be provided by job management?
R: Task and interface management, human-machine interaction, graphical interfaces and language control.

8.1.11 Q: How can we categorize operating systems?
R: By application domain, by the number of users supported and by the openness of the source code.

8.1.12 Q: What are the types of operating systems according to their application domain?
R: Desktop OS, server OS and embedded OS.

8.1.13 Q: What are the types of operating systems according to their number of supported users?
R: Single-user OS and multi-user OS.

8.1.14 Q: What are the types of operating systems according to their source code openness?
R: Closed-source OS and open-source OS.

8.2 Windows operating system

8.2.1 Q: What is Windows 1.0?
R: It is the first-generation window-based multitasking operating system, released by Microsoft in 1985.

8.2.2 Q: Why did Windows not draw the expected social attention and not play to its advantages?
R: Due to the hardware limitations at that time.

8.2.3 Q: What did the launch of Windows 1.0 indicate?
R: It indicated that PCs had entered the era of the GUI.

8.2.4 Q: What is Microsoft Windows?
R: It is a group of OSs developed by the American multinational technology company Microsoft.

8.2.5 Q: On which kinds of platforms can Windows operating systems run?
R: PCs, mobile devices, servers, embedded systems.

8.2.6 Q: When was Windows 10 released?
R: July 29, 2015.

8.2.7 Q: What are the four kinds of processes in user mode?
R: 1. System processes; 2. Service processes; 3. Applications; 4. Environment subsystems.

8.2.8 Q: What are system processes?
R: They are fixed system processes that are not started through the service control manager.

8.2.9 Q: What are service processes?
R: They are processes that can be run by a user after login.
8.2.10 Q: What are environment subsystems?
R: They expose the functions of the OS to applications through APIs (Windows API, POSIX, OS/2).

8.2.11 Q: What is the role of a DLL?
R: They translate a documented function into the required undocumented system service.

8.2.12 Q: What are the features of Windows?
R: 1. Intuitive and object-oriented GUIs that are easy to learn and use; 2. Most widely used and most compatible OS worldwide; 3. Unified, friendly and neat UIs; 4. Various device-independent graphical operations; 5. Multi-user and multitasking.

8.3 Linux operating system

8.3.1 Q: What is the common characteristic of Windows and Unix?
R: They are commercial software.

8.3.2 Q: Why was Unix not popular among common users?
R: Its high purchase price.

8.3.3 Q: What was the purpose of the Multics program?
R: To allow multiple users to access a mainframe simultaneously.

8.3.4 Q: Where did UNIX come from?
R: Unix was a revised version of MULTICS, written by Ken Thompson after Bell Labs withdrew from the MULTICS project.

8.3.5 Q: In which year was UNIX officially released?
R: In 1971.

8.3.6 Q: Who is Andrew Tanenbaum?
R: He is a Dutch computer scientist who developed Minix, a Unix-like OS for educational purposes.

8.3.7 Q: Who is Linus Torvalds?
R: He is a Finnish college student who created an OS kernel based on Minix.

8.3.8 Q: What is the name of the Linux penguin?
R: Tux.

8.3.9 Q: What is a Linux distribution?
R: It is an improved product based on the Linux kernel.

8.3.10 Q: In which year was the first version of Linux, Linux 0.02, released?
R: October 1991.

8.3.11 Q: What are the four major parts of the Linux system?
R: Kernel, shells, file system and applications.

8.3.12 Q: What is the purpose of the Linux kernel?
R: It is the core of the OS and provides many basic functions.

8.3.13 Q: What are the basic functions provided by the Linux kernel?
R: Process management, memory management, device driver management, file management and network management; the kernel determines the system's performance and stability.
8.3.14 Q: What is the shell? R: It is the user interface to the kernel.
8.3.15 Q: What is the purpose of the Linux file system? R: It controls how data is stored on storage devices.
8.3.16 Q: What are the two defining characteristics of Linux? R: 1. Everything is a file; 2. Each program has one defined purpose.
8.3.17 Q: What are the main features of Linux? R: 1. Free of charge; 2. Multi-user and multitasking; 3. User-friendly interfaces; 4. Support for multiple platforms.
9 Common server types and threats
9.1 Server overview
9.1.1 Q: What is a server? R: It is a high-performance computer that provides services to clients over a network.
9.1.2 Q: What are the requirements of servers? R: Stability, security and processing performance.
9.1.3 Q: Are common computers suitable for use as servers? R: No, because they cannot stay running for a long time.
9.1.4 Q: What are the features of a server? R: 1. Availability; 2. Usability; 3. Scalability; 4. Manageability.
9.1.5 Q: On which criteria can servers be classified? R: By application level, by system architecture, by appearance and by usage.
9.1.6 Q: What is the classification of servers in terms of application level? R: 1. Entry-level servers; 2. Workgroup servers; 3. Department-level servers; 4. Enterprise-level servers.
9.1.7 Q: What is the purpose of entry-level servers? R: File and printing services.
9.1.8 Q: What is the purpose of workgroup servers? R: Applications that are not complex, e.g., a small database.
9.1.9 Q: What are the features of department-level servers? R: High availability, reliability, scalability and manageability.
9.1.10 Q: What is the purpose of department-level servers? R: They are applicable to the websites and data centers of medium-sized enterprises.
9.1.11 Q: What are the types of servers in terms of system architecture? R: 1.
x86 servers; 2. Non-x86 servers.
9.1.12 Q: What are the types of servers in terms of appearance? R: Rack, blade, tower and cabinet servers.
9.2 Common server software
Q: What are the common types of server software? R: File server, database server, mail server, web server, FTP server, DNS server, NTP server and proxy server.
9.2.1 Q: Which security threats may affect the running of a server? R: Malicious programs, system vulnerabilities, DDoS attacks, SQL injection attacks and brute-force cracking attacks.
9.2.2 Q: What are the categories of threats from malicious programs? R: 1. Host-dependent threats; 2. Independent threats.
9.2.3 Q: What are the types of malicious programs? R: Trojan horses, worms and viruses.
9.3 Vulnerabilities and patches
9.3.1 Q: What is a vulnerability? R: It is a defect in the hardware, software or protocols of a computer system, or in its security policies.
9.3.2 Q: What are the characteristics of vulnerabilities? R: They are latent: unknown until someone discovers them, and they cannot all be found in advance.
9.3.3 Q: What are the impacts of vulnerabilities? R: 1. Permission bypass; 2. Permission escalation; 3. DDoS attacks; 4. Data leakage; 5. Execution of unauthorized instructions.
9.3.4 Q: What are the kinds of vulnerabilities by exploitation method? R: 1. Locally exploitable vulnerabilities; 2. Remotely exploitable vulnerabilities.
9.3.5 Q: What are the kinds of vulnerabilities by location? R: OS, network protocol stack, non-server program, server program, hardware and communication protocol.
9.3.6 Q: What are the kinds of vulnerabilities by potential threat to the system? R: High-level, medium-level and low-level vulnerabilities.
9.3.7 Q: What can an attacker gain from a high-level vulnerability? R: Administrative privileges, e.g., administrator passwords.
9.3.8 Q: What can an attacker gain from a medium-level vulnerability? R: The permissions of an ordinary user, the ability to read restricted files, or denial of service.
9.3.9 Q: What can an attacker gain from a low-level vulnerability? R: The ability to read unrestricted files and leak server information.
9.3.10 Q: What are the causes of system vulnerabilities? R: 1. Defects in software or protocol design; 2. Bugs introduced during software implementation; 3. Improper system configuration; 4. Limited security awareness.
9.3.11 Q: What is vulnerability scanning used for? R: Attack simulation and security audits.
9.3.12 Q: What are the steps in vulnerability scanning? R: 1. Locate the target host or network; 2. Collect further target information; 3. Check the system for security vulnerabilities.
9.3.13 Q: What is the purpose of a ping sweep? R: To find which IP addresses belong to live hosts.
9.3.14 Q: What are the types of port scanning? R: Full (TCP connect) scanning, SYN (half-open) scanning and stealth scanning.
9.3.15 Q: What are the types of system vulnerability scanning? R: 1. Passive scanning; 2. Active scanning.
9.3.16 Q: What is the purpose of passive scanning? R:
9.3.17 Q: What is the purpose of active scanning? R:
9.3.18 Q: What is a patch? R: It is a set of changes designed to update a program and fix security vulnerabilities.
10 Host firewall and antivirus software
10.0.1 Firewall Overview
10.0.2 Q: What is a firewall? R: It is a means of separating private networks from public networks.
10.0.3 Q: What are the types of firewalls in terms of form? R: Hardware firewalls and software firewalls.
10.0.4 Q: What are the types of firewalls in terms of protected object? R: Standalone (host) firewalls and network firewalls.
10.0.5 Q: What is Windows Firewall? R: It is the software firewall built into the Windows OS.
10.0.6 Q: What are the elements of the Linux firewall? R: netfilter and iptables.
10.0.7 Q: What is iptables? R: It is the user-space tool through which users configure the firewall (netfilter) rules.
10.0.8 Q: What is netfilter? R: It is a framework in the Linux kernel that provides the firewall functions.
10.0.9 Q: What is the structure of iptables? R: Tables, chains and rules.
10.0.10 Q: What is specified by an iptables rule?
R: Source address + destination address + source port + destination port + protocol.
10.0.11 Q: What is a chain? R: It is a path along which data packets are processed.
10.0.12 Q: What if a packet matches a rule defined in a chain? R: It is processed according to the action of that rule.
10.0.13 Q: What if the packet does not match the current rule? R: The next rule is checked.
10.0.14 Q: What if the packet does not match any rule in the chain? R: It is processed according to the default policy of the chain.
10.0.15 Q: What are the five rule chains defined by netfilter? R: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
10.0.16 Q: What are the four tables, in order of priority, contained in iptables? R: raw, mangle, nat and filter.
10.0.17 Q: What are the chains allowed in the filter table? R: INPUT, FORWARD and OUTPUT.
10.0.18 Q: What are the chains allowed in the nat table? R: PREROUTING, OUTPUT and POSTROUTING.
10.0.19 Q: What are the chains allowed in the mangle table? R: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
10.1 Antivirus Software
10.1.1 Q: What is antivirus software? R: It is software used to remove computer viruses, malicious software, Trojan horses and other computer threats.
10.1.2 Q: What functions are provided by antivirus software? R: Monitoring, identification, virus scanning, virus cleaning, automatic upgrade and proactive defense.
10.1.3 Q: What are the basic functions of antivirus software? R: Virus prevention, virus identification and virus cleaning.
10.1.4 Q: What are the components of antivirus software? R: Scanners, a virus signature database and a virtual machine (sandbox), integrated into the main program.
10.1.5 Q: On what does the effectiveness of antivirus software depend? R: On how advanced the scanner's compilation technology and algorithms are.
10.1.6 Q: Most antivirus software has more than one scanner, true or false? R: True.
10.1.7 Q: What are the key technologies of antivirus software? R: 1.
Unpacking; 2. Self-protection; 3. Repair; 4. Real-time update; 5. Proactive defense.
10.1.8 Q: What is the purpose of unpacking? R: It is used to analyze compressed files, files containing misleading instructions and packed files.
10.1.9 Q: What is the purpose of self-protection? R: It prevents viruses from terminating the antivirus software's running processes or tampering with its files.
10.1.10 Q: What is the purpose of repair? R: It repairs damaged files.
11 Introduction
11.1 Firewall Overview
11.1.1 Q: What are the features of a firewall? R: 1. Logical zone filtering; 2. Hiding the intranet structure; 3. Security assurance; 4. Proactive defense against attacks.
11.1.2 Q: What security features are provided by hardware firewalls? R: Access control, identity authentication, data encryption, VPN technology and address translation.
11.1.3 Q: What are the types of firewalls according to access control mode? R: 1. Packet filtering firewalls; 2. Proxy firewalls; 3. Stateful inspection firewalls.
11.1.4 Q: What is the principle of a packet filtering firewall? R: ACLs are configured to filter packets based on the source/destination IP address, source/destination port number, IP identifier and transmission direction of each packet.
11.1.5 Q: What are the advantages of packet filtering firewalls? R: 1. Simple design; 2. Easy to implement; 3. Cost-effective.
11.1.6 Q: What are the flaws of packet filtering firewalls? R: 1. Unable to associate related packets; 2. Unable to handle multi-channel protocols; 3. Generally do not inspect application data.
11.1.7 Q: True or false: a proxy firewall is also called an application firewall? R: True.
11.1.8 Q: At which layer does a proxy firewall work? R: At the application layer.
11.1.9 Q: What is the principle of a proxy firewall? R: Instead of letting intranet and Internet users communicate directly, the proxy terminates the connection, checks the service at the application layer and relays it.
11.1.10 Q: What are the drawbacks of proxy firewalls? R: 1. Slow processing; 2.
Difficult to upgrade.
11.1.11 Q: True or false: a stateful inspection firewall is an extension of the packet filtering firewall? R: True.
11.1.12 Q: What is the principle of a stateful inspection firewall? R: It uses session tables to track active TCP sessions and pseudo UDP sessions. The ACL determines which sessions may be established, and a packet is forwarded only when it is associated with a session.
11.1.13 Q: What is the purpose of a pseudo UDP session? R: It tracks the state of a UDP exchange, which has no connection of its own.
11.1.14 Q: What is a pseudo UDP session? R: It is a virtual connection established for a UDP data flow when UDP packets are processed.
11.1.15 Q: What are the advantages of stateful inspection firewalls? R: 1. Fast processing; 2. High security.
11.1.16 Q: What are the firewall networking modes? R: 1. Layer 2 design, where the firewall is transparent; 2. Layer 3 design, which lets the firewall route between different IP networks.
11.1.17 Q: What is the principle of a packet filtering firewall? R: It obtains the header information (source and destination IP addresses, the upper-layer protocol number carried by IP, and source and destination port numbers) of a packet to be forwarded, matches it against the predefined packet-filtering rules, and forwards or discards the packet according to the result.
11.1.18 Q: What is the core technique of packet filtering? R: The access control list (ACL).
11.1.19 Q: Why is the forwarding efficiency of packet filtering firewalls low? R: Because every packet is matched against the filtering rules one by one.
11.1.20 Q: What is the process of a stateful inspection firewall? R: The firewall checks the first packet with the stateful inspection mechanism; if it passes, the firewall creates a session and forwards subsequent packets directly according to that session.
11.1.21 Q: What is the purpose of security policies?
R: To control traffic forwarding according to specified rules and to apply integrated content security detection to the traffic.
11.1.22 Q: What are the major applications of security policies? R: 1. Controlling network communication through the firewall; 2. Controlling access to the firewall itself.
11.1.23 Q: What is the core function of security policies? R: To filter the traffic passing through the firewall according to the defined rules and determine the next operation performed on the filtered traffic (the rule's action).
11.1.24 Q: True or false: the stateful inspection firewall checks and forwards packets based on data flows. R: True.
11.1.25 Q: What is the process of a stateful inspection firewall? R: It checks the first packet of a data flow against the packet-filtering rules and records the result as the status of the data flow. For subsequent packets of the flow, the firewall decides whether to forward (or perform content security detection on) or discard the packets according to that status. This "status" is represented by a session entry.
11.1.26 Q: What are the five elements generally checked by a firewall? R: The quintuple: source IP address, destination IP address, source port, destination port and protocol.
11.1.27 Q: What is the default interzone packet filtering rule? R: Deny.
11.1.28 Q: True or false: after the first packet of a connection is inspected and considered legitimate, a session is created and most subsequent packets are not inspected against the policy? R: True.
11.1.29 Q: True or false: inspecting packets that match a session takes much less time than inspecting packets that do not match any session? R: True.
11.1.30 Q: What are the seven elements of the session table on an NGFW? R: The quintuple plus user and application.
11.1.31 Q: How do you display the firewall session table? R: By running the command display firewall session table.
11.2 Firewall security policies and application
11.2.1 Q: What are the core elements of a security policy? R: 1. Matching conditions; 2. Actions.
11.2.2 Q: What is the purpose of matching conditions?
R: They describe the traffic characteristics used to pick out the traffic the rule applies to.
11.2.3 Q: Give some matching conditions. R: 1. The user; 2. The source and destination of the traffic (source and destination security zones, IP addresses, regions and VLANs; a region is a geographic area mapped from an IP address); 3. The services, applications or URL categories to be accessed; 4. The time range.
11.2.4 Q: What are the two basic actions of security policies? R: 1. Permit; 2. Deny.
11.2.5 Q: What happens if the action is permit? R: Content security checks can additionally be performed on the traffic that matches the policy.
11.2.6 Q: What are objects on the firewall? R: Objects are the matching conditions, such as users, terminals, time ranges, addresses, regions, services, applications and URL categories, and the profiles required for content security checks.
11.2.7 Q: What are the means of configuring security policies? R: CLI, web UI and northbound interfaces including RESTCONF and NETCONF.
11.2.8 Q: What is the security policy matching principle? R: During first-packet processing, the firewall matches the packet against the security policies. During subsequent-packet processing, the packets are not matched against the security policies again.
11.2.9 Q: What is the matching process of the NGFW? R: Matching conditions, then the action, then the content security profile.
11.2.10 Q: What are the steps in the security policy configuration process? R: 1. Create security zones; 2. Configure interfaces; 3. Configure users and authentication; 4. Configure objects; 5. Create profiles; 6. Configure the security policy; 7. Save and commit.
11.3 Application Specific Packet Filter (ASPF)
11.3.1 Q: Packet filtering firewalls can use ACLs to match applications of single-channel protocols and prevent network attacks, but ACLs can only handle applications using fixed ports, true or false?
R: True.
11.3.2 Q: Multi-channel protocol applications that use random ports bring security risks, true or false? R: True.
11.3.3 Q: Give some examples of multi-channel multimedia application protocols. R: H.323, SIP and NetMeeting (FTP is another multi-channel protocol, though not a multimedia one).
11.3.4 Q: What is ASPF? R: It is an advanced filtering technology that inspects application-layer protocol information and tracks the state of the application-layer protocol by dynamically creating and deleting filtering rules.
11.3.5 Q: What is the server map used for? R: To keep the data channel of a multi-channel protocol from being blocked by other ACL rules, by temporarily opening that channel.
11.3.6 Q: Does ASPF solve the problem of multi-channel protocols? R: Yes.
11.3.7 Q: What is the process of ASPF? R: It inspects application-layer information and, based on the packet content, dynamically creates and deletes temporary rules that allow or deny packets.
11.3.8 Q: The server map is used only for checking the first packet; after a connection is established, packets are forwarded based on the session table, true or false? R: True.
11.3.9 Q: In which cases does a firewall generate server map entries? R: 1. Entries generated when the firewall forwards the traffic of multi-channel protocols, such as FTP and RTSP, after ASPF is configured; 2. Triplet entries generated when the firewall forwards the traffic of STUN (Simple Traversal of UDP through NAT) type protocols, such as MSN and TFTP, after ASPF is configured; 3. Static entries generated when NAT server mapping is configured; 4. Dynamic entries generated when NAT No-PAT is configured.
11.3.10 Q: What is the purpose of port identification? R: It lets the firewall identify application-layer protocol packets that use non-standard ports.
11.3.11 Q: Which application-layer protocols are supported by port mapping? R: FTP, HTTP, RTSP, PPTP, MGCP, MMS, SMTP, H.323, SIP and SQLNET.
11.3.12 Q: On what is port mapping based?
R: It is based on basic ACLs.
11.3.13 Q: Port mapping applies only to traffic within an interzone, true or false? R: True.
11.3.14 Q: What is the purpose of the fragment cache? R: During transmission, the first fragment of a packet may not be the first to reach the firewall, and without a cache the firewall would discard the fragments that arrive ahead of it. To keep the session intact, the firewall caches fragments by default: fragments arriving before the first fragment are stored in the fragment hash list; when the first fragment arrives, the firewall creates a session for the fragmented packet and forwards all the fragments. If the first fragment does not arrive within a specified period, the cached fragments are discarded.
11.3.15 Q: What is the purpose of persistent (long) connections? R: By referencing ACLs to define data flow rules, you can set a long aging time for the sessions of packets matching those rules so that the sessions stay usable. The default aging time of a persistent connection is 168 hours.
11.3.16 Q: Persistent connections are supported only for TCP, true or false? R: True.
12 Network Address Translation
12.1 NAT principle
12.1.1 Q: What is NAT? R: It is a technology developed to mitigate the exhaustion of IPv4 addresses.
12.1.2 Q: What are the advantages of NAT? R: 1. IP address reuse; 2. NAT is transparent to users; 3. Privacy protection for internal users; 4. Load balancing among internal servers.
12.1.3 Q: What are the disadvantages of NAT? R: 1. Network monitoring is difficult; 2. Some applications are restricted.
12.1.4 Q: What is the basic principle of NAT? R: Translation between private address + port number and public address + port number.
12.1.5 Q: What are some common NAT devices? R: Routers and firewalls.
12.1.6 Q: What are the categories of NAT?
R: Source NAT, which enables multiple private network users to access the Internet at the same time, and server mapping (NAT server, also called static mapping), which enables external users to access servers on private networks.
12.1.7 Q: What is included in source NAT? R: 1. Address pool mode; 2. Outbound interface address mode (Easy IP).
12.2 Source NAT
12.2.1 Q: What is the purpose of source NAT? R: It translates the source IP address in the IP packet header into a public address.
12.2.2 Q: What are the two types of address pool mode? R: 1. Address pool mode without port address translation (NAT No-PAT); 2. Address pool mode with port address translation (NAPT).
12.2.3 Q: What is Easy IP? R: Easy IP translates private addresses into the public address of the outbound interface, without the need to configure a NAT address pool.
12.2.4 Q: What is NAT ALG? R: It is a translation proxy for certain application protocols that can translate the addresses and ports carried in application-layer data.
12.3 NAT Server
12.3.1 Q: What is the purpose of the NAT server? R: It uses a public address to represent the private address of an internal server.
12.3.2 Q: On what is the server map based? R: It is based on triplets and records the data connection mappings negotiated through control data, or the address mappings configured for NAT, so that external users can access internal networks.
12.3.3 Q: After the NAT server is configured, the device automatically generates server map entries that record the mappings between public and private addresses, true or false? R: True.
12.3.4 Q: Talk about interzone twice NAT. R:
12.3.5 Q: Talk about intrazone twice NAT. R:
13 Dual System Hot Standby
13.1 Technical Principles of Dual-System Hot Standby
13.1.1 Q: What is a VRRP group? R: It is a group of routers in the same broadcast domain that together form one virtual router.
13.1.2 Q: In which mode does the master router send hello packets to the backup routers? R: In multicast mode.
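Worked example for the stateful inspection questions (11.1.20 to 11.1.30), the security policy matching principle (11.2.8), source NAT (12.2) and the NAT server (12.3) above. This is added Python code, not part of the course notes or of any Huawei product: a toy firewall in which the first packet of a flow goes through a first-match security policy with the default interzone deny, creates a session entry that already carries the translated quintuple for both directions, and every later packet of the flow (a reply included) is handled by the session lookup alone, never by the policy. The zone names, addresses, the single public address and the NAPT port allocation scheme are assumptions made for the demonstration.

```python
"""Toy stateful inspection firewall with source NAPT and a NAT server mapping.
Added example, not course material: zone names, addresses and the NAPT port
allocation scheme are assumptions made for the demonstration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The quintuple plus the security zones derived from the in/out interfaces."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_zone: str
    dst_zone: str


@dataclass(frozen=True)
class Rule:
    """One security-policy rule: matching conditions plus an action (11.2.1)."""
    name: str
    src_zone: str                 # "any" matches every zone
    dst_zone: str
    proto: str = "any"
    dport: Optional[int] = None   # None matches every destination port
    action: str = "permit"

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in ("any", p.src_zone)
                and self.dst_zone in ("any", p.dst_zone)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def quintuple(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse(q):
    """Quintuple of the reply direction: swap the two address/port pairs."""
    proto, src, sport, dst, dport = q
    return (proto, dst, dport, src, sport)


class Firewall:
    def __init__(self, rules, public_ip, nat_server=None):
        self.rules = rules
        self.public_ip = public_ip              # outbound interface address (Easy IP style)
        self.nat_server = nat_server or {}      # static server map: (public, port) -> (private, port)
        self.sessions = {}                      # quintuple as received -> quintuple to emit
        self.next_port = 10000                  # assumed NAPT port allocation

    def policy(self, p: Packet) -> str:
        """First matching rule wins; unmatched interzone traffic is denied (11.1.27)."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"

    def _nat(self, p: Packet):
        src, sport, dst, dport = p.src, p.sport, p.dst, p.dport
        if (dst, dport) in self.nat_server:                    # NAT server (12.3.1)
            dst, dport = self.nat_server[(dst, dport)]
        if p.src_zone == "trust" and p.dst_zone == "untrust":  # source NAT with PAT (12.2)
            src, sport = self.public_ip, self.next_port
            self.next_port += 1
        return (p.proto, src, sport, dst, dport)

    def forward(self, p: Packet):
        """Return (verdict, packet as it leaves the firewall)."""
        key = quintuple(p)
        if key in self.sessions:                # subsequent packet: session lookup only (11.2.8)
            return "session", self._emit(p, self.sessions[key])
        if self.policy(p) != "permit":          # first packet of a flow: policy lookup
            return "drop", p
        out = self._nat(p)
        self.sessions[key] = out                       # forward direction
        self.sessions[reverse(out)] = reverse(key)     # reply direction, translated back
        return "new-session", self._emit(p, out)

    @staticmethod
    def _emit(p: Packet, q) -> Packet:
        proto, src, sport, dst, dport = q
        return Packet(proto, src, sport, dst, dport, p.src_zone, p.dst_zone)


def build_firewall() -> Firewall:
    """Constructed configuration: trust may reach the Internet on 443/tcp and 53/udp,
    the Internet may reach the DMZ web server only through its NAT server mapping."""
    rules = [Rule("web-out", "trust", "untrust", "tcp", 443),
             Rule("dns-out", "trust", "untrust", "udp", 53),
             Rule("dmz-web", "untrust", "dmz", "tcp", 80)]
    return Firewall(rules, "203.0.113.10", {("203.0.113.10", 80): ("10.0.2.5", 80)})


if __name__ == "__main__":
    fw = build_firewall()
    syn = Packet("tcp", "10.0.1.20", 51000, "198.51.100.7", 443, "trust", "untrust")
    print(fw.forward(syn))      # new-session, source becomes 203.0.113.10:10000
    print(fw.forward(syn))      # session
    reply = Packet("tcp", "198.51.100.7", 443, "203.0.113.10", 10000, "untrust", "trust")
    print(fw.forward(reply))    # session, destination translated back to 10.0.1.20:51000
    probe = Packet("tcp", "198.51.100.7", 4444, "203.0.113.10", 22, "untrust", "trust")
    print(fw.forward(probe))    # drop: no session and no permit rule
```

The UDP flow is handled exactly like TCP: its first datagram creates the pseudo UDP session of 11.1.14 and the reply is matched by the reversed entry. The unsolicited probe from the Internet never reaches the session table, because a packet with no session goes to the policy and the default interzone action is deny; a real device would additionally age sessions out, which this toy omits.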
13.1.3 Q: The backup routers determine the status of the master router based on the hello packets, true or false? R: True.
13.1.4 Q: What is the problem with the traditional VRRP mode? R: The VRRP group states of the master and backup firewalls cannot be kept consistent with each other, because each VRRP group switches over independently.
13.1.5 Q: Can VRRP be used if the routers are not connected at Layer 2? R: No.
13.1.6 Q: What are the requirements of VRRP on firewalls? R: 1. VRRP status consistency; 2. Session table status backup.
13.1.7 Q: What is the purpose of VGMP? R: It controls the status switchover of VRRP groups in a unified manner, ensuring that all the VRRP groups have a consistent status.
13.1.8 Q: If the VGMP group on a firewall is in the active state, all VRRP groups in the VGMP group are in the active state, true or false? R: True.
13.1.9 Q: What happens if an interface or a board of the firewall is faulty? R: The VGMP group priority of the firewall decreases.
13.1.10 Q: What is the initial VGMP group priority of the USG6000 and the NGFW Module? R: 45000.
13.1.11 Q: What is the default interval of VGMP hello packets? R: 1 second.
13.1.12 Q: What are the functions of VGMP? R: 1. Status consistency management; 2. Preemption management.
13.1.13 Q: After a VRRP group is added to a VGMP group, the preemption function of the VRRP group becomes invalid, true or false? R: True, because the VGMP group then decides whether to preempt.
13.1.14 Q: What is the purpose of HRP (Huawei Redundancy Protocol)? R: It backs up dynamic state data and key configuration commands between the firewalls.
13.1.15 Q: What is the purpose of the HRP module? R: It provides the basic data backup mechanism and transmission function.
13.1.16 Q: What is the purpose of an application module? R: It collects the data that the module needs backed up and submits it to the HRP module.
13.1.17 Q: Which data is backed up? R: The TCP/UDP session table, server map entries, the dynamic blacklist, NO-PAT entries and ARP entries.
13.1.18 Q: What is the backup direction? R: The firewall whose VGMP group is active backs up the required data to the peer.
13.1.19 Generally, the ports that directly interconnect the two firewalls are used as the backup channel; it is also called the heartbeat link and is used by VGMP for communication as well.
13.1.20 Q: Can the heartbeat interface be a Layer 2 interface? R: No.
13.1.21 Q: What are the five states of the heartbeat interface? R: Down, Invalid, Peerdown, Ready and Running.
13.1.22 Q: Talk about the Down state. R: The physical and protocol states are both Down.
13.1.23 Q: Talk about the Invalid state. R: The physical state is Up and the protocol state is Down.
13.1.24 Q: Talk about the Peerdown state. R: The physical and protocol states are both Up, but the local heartbeat interface does not receive heartbeat link detection reply packets from the peer heartbeat interface.
13.1.25 Q: Talk about the Ready state. R: The local heartbeat interface receives heartbeat link detection reply packets from the peer heartbeat interface.
13.1.26 Q: What are the backup modes of hot standby? R: Automatic backup, manual batch backup, quick session backup and automatic synchronization of active/standby firewall configurations after a restart.
13.1.27 Q: What is the mechanism of automatic backup? R: Configuration commands are backed up automatically in real time and status information is backed up periodically.
13.1.28 Q: Talk about quick session backup. R: Quick session backup applies when the forward and reverse paths are inconsistent on load-balancing networks.
13.1.29 Q: Talk about the automatic synchronization of active/standby firewall configurations after a restart. R: To ensure that the active and standby firewalls have the same configuration, after a firewall restarts its configuration is automatically synchronized from the firewall that is processing services.
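Worked example for the VGMP and HRP questions above (13.1.7 to 13.1.18) and the heartbeat interface states (13.1.21 to 13.1.25). This is added Python code, not course material and not Huawei's implementation: a two-node model in which an interface fault lowers the active firewall's VGMP priority and triggers an immediate switchover, the recovered firewall preempts only after the preemption delay, and HRP copies the session table and server map from the active firewall to its peer so that established flows survive the switchover. The priority lost per faulty interface, the tie-break for equal priorities (standing in for the hrp standby-device setting), the meaning of the Running state and the simulated clock are assumptions.

```python
"""Toy model of VGMP election, preemption and HRP backup between two hot-standby
firewalls, plus the heartbeat interface state rules. Added example, not course
material: FAULT_PENALTY, the tie-break for equal priorities, the 'running' state
and the clock passed as 'now' are modelling assumptions."""
from dataclasses import dataclass, field

INITIAL_PRIORITY = 45000   # 13.1.10
FAULT_PENALTY = 2          # assumed: priority lost per faulty interface or board
PREEMPT_DELAY = 60         # seconds, default VGMP preemption delay


def heartbeat_state(phys_up: bool, proto_up: bool, reply_seen: bool, selected: bool) -> str:
    """States of 13.1.21 to 13.1.25; 'running' (assumed) is the one ready interface
    actually selected to carry the HRP/VGMP packets."""
    if not phys_up:
        return "down"
    if not proto_up:
        return "invalid"
    if not reply_seen:
        return "peerdown"
    return "running" if selected else "ready"


@dataclass
class HaNode:
    name: str
    standby_device: bool = False                    # loses ties; stands in for 'hrp standby-device'
    faulty: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)    # part of the data HRP backs up (13.1.17)
    server_map: dict = field(default_factory=dict)

    @property
    def priority(self) -> int:
        return INITIAL_PRIORITY - FAULT_PENALTY * len(self.faulty)   # 13.1.9


class HotStandbyPair:
    def __init__(self, active: HaNode, standby: HaNode):
        self.active, self.standby = active, standby
        self.eligible_since = None   # time the standby first became entitled to preempt

    def hrp_backup(self):
        """Backup direction: the firewall with the active VGMP group pushes to its peer (13.1.18)."""
        self.standby.sessions = dict(self.active.sessions)
        self.standby.server_map = dict(self.active.server_map)

    def add_session(self, key):
        self.active.sessions[key] = "established"
        self.hrp_backup()

    def _switch(self, now):
        self.active, self.standby = self.standby, self.active
        self.eligible_since = None
        self.hrp_backup()

    def _standby_wins(self) -> bool:
        a, s = self.active, self.standby
        return s.priority > a.priority or (
            s.priority == a.priority and a.standby_device and not s.standby_device)

    def interface_fault(self, fw: HaNode, iface: str, now: float):
        fw.faulty.add(iface)
        if fw is self.active and self._standby_wins():
            self._switch(now)        # fault-driven switchover is immediate

    def interface_recover(self, fw: HaNode, iface: str, now: float):
        fw.faulty.discard(iface)
        self.tick(now)

    def tick(self, now: float):
        """Run on every VGMP hello (1 s, 13.1.11): a standby that has become entitled
        to the active role preempts only once PREEMPT_DELAY seconds have passed."""
        if not self._standby_wins():
            self.eligible_since = None
            return
        if self.eligible_since is None:
            self.eligible_since = now
        if now - self.eligible_since >= PREEMPT_DELAY:
            self._switch(now)


if __name__ == "__main__":
    a, b = HaNode("FW_A"), HaNode("FW_B", standby_device=True)
    pair = HotStandbyPair(a, b)
    pair.add_session(("tcp", "10.0.1.20", 51000, "198.51.100.7", 443))
    pair.interface_fault(a, "GE1/0/1", now=0)
    print(pair.active.name, pair.active.sessions)    # FW_B, still holding the flow
    pair.interface_recover(a, "GE1/0/1", now=10)
    pair.tick(70)
    print(pair.active.name)                          # FW_A again after the 60 s delay
```

Without the hrp_backup step the flow would be lost at the switchover: the new active firewall would see mid-stream packets with no session entry, treat them as first packets and, under the default deny, drop them. That is the reason the course lists session table backup (13.1.6) alongside VRRP status consistency as a requirement.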
13.2 Basic networking and configuration of dual-system hot standby
13.2.1 Q: When configuring a VRRP group on the command line, if the active or standby parameter is specified, the VRRP group is added to the corresponding active or standby VGMP group, true or false? R: True.
13.2.2 Q: Up to 255 VRRP groups can be configured on each common physical interface, true or false? R: True.
13.2.3 Q: The preemption function of VGMP groups is enabled by default, and the default preemption delay is 60 seconds, true or false? R: True.
13.2.4 For HRP, the types and numbers of the heartbeat interfaces on the two USGs must be the same, and the heartbeat interfaces cannot be Layer 2 Ethernet interfaces.
13.2.5 Heartbeat interfaces on the active and standby USGs can be connected directly or through an intermediate device such as a switch or router.
13.2.6 If conflicting settings are configured on the active and standby devices, the most recent setting overrides the previous one.
13.2.7 When USGs work on a load-balancing network, the forward and reverse paths of packets may be inconsistent.
14 Firewall User Management
14.1 User authentication and AAA principles
14.1.1 Q: What is AAA? R: Authentication, Authorization and Accounting.
14.1.2 Q: What is authentication? R: It is the confirmation of user identities using various factors.
14.1.3 Q: What are these factors? R: 1. Something I know; 2. Something I have; 3. Something I am.
14.1.4 Q: What is the purpose of authorization? R: It authorizes users to access certain services and to run certain commands.
14.1.5 Q: What is covered by accounting? R: 1. How long users stay online; 2. How much users spend; 3. What operations users perform.
14.1.6 Q: What are the AAA authentication modes? R: 1. No authentication; 2. Local authentication; 3. Server authentication.
14.1.7 Q: What does RADIUS stand for? R: Remote Authentication Dial-In User Service.
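Worked example for the RADIUS questions (14.1.7 to 14.1.10): the Access-Request / Access-Accept exchange between the NAS, which is the RADIUS client that collects the user's name and password, and the RADIUS server. This is added Python code following RFC 2865, not course material and not any vendor's implementation. It shows the two things the plain "uses UDP" answer hides: the password travels obfuscated under the shared secret and the Request Authenticator, and the NAS must verify the Response Authenticator before trusting an Accept, since anyone can send a UDP datagram to its port. The shared secret, the user database, the identifiers and the fixed request authenticator used in the test are assumptions; a real NAS draws the authenticator from a CSPRNG.

```python
"""RADIUS Access-Request / Access-Accept exchange between a NAS (RADIUS client) and
a RADIUS server, following RFC 2865. Added example, not course material: the shared
secret, user database, identifiers and the fixed request authenticator used in the
demo are assumptions; a real NAS draws the authenticator from a CSPRNG."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")     # code, identifier, length; a 16-byte authenticator follows


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes and XOR each
    block with MD5(secret + previous ciphertext block), the first block with
    MD5(secret + Request Authenticator). This hides the password from passive
    observers of the UDP exchange; it is not an integrity mechanism."""
    n = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")     # passwords ending in NUL bytes are not representable


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = HEADER.unpack(pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def nas_access_request(secret, ident, username, password, request_auth=None):
    """NAS side (14.1.10): collect the credentials and send them to the server."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(secret, request_auth, password))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def radius_server(secret, users, request) -> bytes:
    """Server side: recover the password, check the user database, answer Accept/Reject."""
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    name, hidden = a.get(USER_NAME), a.get(USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and name in users and hidden is not None
          and hmac.compare_digest(reveal_password(secret, req_auth, hidden), users[name]))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(rcode, ident, response_authenticator(rcode, ident, req_auth, [], secret), [])


def nas_check_response(secret, request_auth, ident, response):
    """NAS side: accept the reply only if its identifier matches the outstanding request
    and its Response Authenticator proves it was built with the shared secret. Returns
    the code, or None when the reply must be ignored (and the request retransmitted)."""
    code, rident, resp_auth, attrs = parse_packet(response)
    expected = response_authenticator(code, rident, request_auth, attrs, secret)
    if rident != ident or not hmac.compare_digest(resp_auth, expected):
        return None
    return code
```

The identifier is what lets the NAS pair a reply with one of its outstanding requests when it retransmits over UDP (feature 3 of 14.1.9); the Response Authenticator is what stops a forged Access-Accept from an attacker who cannot compute MD5 over the shared secret. Both checks are deliberately constant-time comparisons.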
14.1.8 Q: What are the parties involved in RADIUS authentication? R: The user, the NAS (network access server, the RADIUS client) and the RADIUS server.
14.1.9 Q: What are the features of RADIUS? R: 1. Uses UDP; 2. Good real-time performance; 3. Retransmission mechanism; 4. Backup server mechanism.
14.1.10 Q: What is the RADIUS client? R: It is the network device that receives user names and passwords and sends an authentication request to the RADIUS server.
14.1.11 Q: What is HWTACACS? R: Huawei Terminal Access Controller Access Control System, an enhancement of TACACS that uses the client/server model to implement communication between the NAS and the TACACS server.
14.1.12 Q: What does LDAP stand for? R: Lightweight Directory Access Protocol.
14.1.13 Q: What is a directory service? R: It is a set of directory databases together with a set of access protocols.
14.1.14 Q: What are the features of directory services? R: 1. Data is organized as a directory; 2. A unified access point is provided for external users; 3. Data is stored in a distributed mode; 4. Data queries are optimized for fast read operations.
14.1.15 Q: What is the basic data unit of LDAP? R: An entry.
14.1.16 Q: What constitutes an entry? R: A set of attributes.
14.1.17 Q: What constitutes an attribute? R: It describes one feature of an object and is composed of a type and one or more values.
14.1.18 Q: What is the DIT (Directory Information Tree)? R: It is the tree formed by the set of directory entries.
14.1.19 Q: What are all the authentication methods? R: 1. Local authentication; 2. Server authentication; 3. Single sign-on (SSO); 4. SMS authentication.
14.2 User Management and Application
14.2.1 Q: What is the purpose of user management? R: To authenticate and label users and assign them different permissions and applications; for manageability, users are bundled into user groups.
14.2.2 Q: What is involved in the organizational structure of users? R: 1. Authentication domain; 2. User/user group; 3.
Security group.
14.2.3 Q: What is the purpose of the authentication domain? R: It determines the users' authentication mode and organizational structure.
14.2.4 Q: What are the types of users? R: 1. Administrators; 2. Internet access users (intranet users); 3. Remote access users (extranet users).
14.2.5 Q: What are the administrator login modes? R: Console, Telnet, SSH, FTP and web.
14.2.6 Q: What are the authentication modes of Internet access users? R: SSO, built-in portal authentication, user-defined portal authentication, authentication exemption and SMS authentication.
14.2.7 Q: What are the SSO methods? R: AD SSO, TSM SSO and RADIUS SSO.
14.2.8 Q: What is included in built-in portal authentication? R: 1. Redirected authentication (for users accessing HTTP); 2. User-initiated authentication (for users accessing non-HTTP services).
14.2.9 Q: How does user-initiated authentication work? R: Users accessing non-HTTP services first open the firewall's authentication page themselves and enter their credentials before accessing the service.
14.2.10 Q: How does authentication exemption work? R: Users do not need to enter usernames or passwords to be authenticated. The firewall identifies users from their IP addresses in order to apply user-specific policy management.
14.2.11 Q: What does SSO refer to? R: The firewall obtains user login information from another authentication system instead of authenticating users itself, so that users can go online through the firewall.
14.2.12 Q: What is a domain controller? R: It is a server that answers user authentication requests, e.g., Microsoft AD, Samba.
14.2.13 Q: What is a domain? R: It is a hierarchical way of organizing the users and computers that work together on the same network; it is a collection of objects.
14.2.14 Q: What are the AD SSO methods? R: 1. AD SSO receiving messages from the user PC; 2. AD SSO querying the security logs of the AD server; 3.
AD SSO with the firewall listening to AD authentication packets.
14.2.15 Q: What is the purpose of an authentication policy? R: It determines which data flows must undergo portal authentication and which are exempt.
14.2.16 Q: Which types of traffic do not trigger authentication even if they match an authentication policy? R: 1. Traffic destined for or originating from the firewall; 2. DHCP, BGP, OSPF and LDP packets; 3. DNS packets belonging to an HTTP data flow that triggers authentication.
14.2.17 Q: What is an authentication policy? R: It is a set of authentication rules that determine whether to authenticate a data flow.
14.2.18 Q: What is an authentication rule composed of? R: Conditions and an action.
14.2.19 Q: Which conditions does the firewall use? R: Source/destination zone; source/destination region/address.
14.2.20 Q: What are the possible actions? R: 1. Portal authentication; 2. Authentication exemption; 3. No authentication; 4. SMS authentication.
14.2.21 Q: What are the steps in configuring user authentication? R:
15 Overview of Intrusion Prevention
15.1 Intrusion Overview
15.1.1 Q: What is the most common security threat? R: Malware.
15.1.2 Q: What is included in malware? R: Viruses, worms, botnets, rootkits, Trojans, backdoor programs, vulnerability exploit programs and WAP malicious programs.
15.1.3 Q: What is a virus? R: A virus is a type of malicious code that infects or attaches itself to application programs or files and spreads through protocols such as email or file sharing, threatening the security of user hosts and networks.
15.1.4 Q: What is an intrusion? R: It is an unauthorized attempt to access information system resources, tamper with system data or paralyze the system.
15.1.5 Q: What is the purpose of an intrusion? R: To compromise system integrity, confidentiality, availability and controllability.
15.2 Intrusion Prevention System overview
15.2.1 Q: What is an intrusion prevention system?
R: An intelligent intrusion detection and prevention product.
15.2.2 Q: What are the deployment modes of an IPS?
R: Off-path (the IPS receives a copy of the traffic through port mirroring on a switch, so it can detect and alert but not block in line) and inline (the IPS is deployed in series on the traffic path and blocks attacks in real time).
15.2.3 Q: What are the technical features of an IPS?
R: 1. Real-time blocking; 2. Self-learning and self-adaptation; 3. User-defined rules; 4. Service awareness; 5. Zero configuration to go online
15.3 Network Antivirus Overview
15.3.1 Q: What is a computer virus?
R: A set of self-replicating instructions or program code, compiled independently or embedded in other programs, that adversely affects a computer's use by damaging its functions or data.
15.3.2 Q: What is the replication mechanism of viruses?
R: They insert themselves into host programs.
15.3.3 Q: True or false: a virus is a segment of malicious code that is parasitic on a normal program.
R: True
15.3.4 Q: What is the replication mechanism of worms?
R: They are self-replicating and spread on their own, typically over the network.
15.3.5 Q: True or false: a worm is a variant of the virus. It is an independent entity that does not need to be parasitic.
R: True
15.3.6 Q: What is the replication mechanism of Trojan horses?
R: They do not replicate.
15.3.7 Q: True or false: a Trojan horse is a kind of malicious code that is parasitic by nature and extremely covert.
R: True
15.3.8 Q: What are the types of antivirus according to where they are deployed?
R: 1. Single-device antivirus (on the host); 2. Network antivirus (on the network boundary)
15.3.9 Q: What is network antivirus?
R: Deploying antivirus policies on a security gateway.
15.3.10 Q: In which scenarios is antivirus used for network security?
R: 1. Intranet users who download files from the Internet; 2. Internet users who upload files to intranet servers.
15.3.11 Q: What are the antivirus scanning modes?
R: Proxy-based scanning (the gateway caches the whole file before scanning it) and flow-based scanning (the file is scanned as it streams through).
15.3.12 Q: What is the purpose of the Intelligent Awareness Engine?
R: The intelligent awareness engine (IAE) performs in-depth analysis of network traffic to identify the application protocol and the file transfer direction (upload or download).
15.3.13 Q: What are the main means of virus propagation?
R: Email and file sharing.
15.3.14 Q: For which protocols does the firewall perform virus detection on transferred files?
R: File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Network File System (NFS) and Server Message Block (SMB).
15.3.15 Q: Which actions can the firewall take when a virus is detected?
R: Alert, Block, Declare and Delete Attachment.
15.3.16 Q: What happens when the action is Alert?
R: The device permits the virus-infected file and generates a virus log.
15.3.17 Q: What happens when the action is Block?
R: The device blocks the virus-infected file and generates a virus log.
15.3.18 Q: What happens when the action is Declare?
R: For a virus-infected email message, the device permits it but adds information to the email body announcing the detection of a virus, and generates a virus log. This action applies only to SMTP and POP3.
15.3.19 Q: What happens when the action is Delete Attachment?
R: The device deletes the malicious attachments from the infected email message, permits the message, generates a log, and adds information to the email body announcing the detection of viruses and the deletion of attachments. This action applies only to SMTP and POP3.
16 Encryption and decryption mechanisms
16.1 Encryption technology development
16.1.1 Q: What is cryptography?
R: The conversion of plaintext into ciphertext (and back) using mathematical methods.
16.1.2 Q: What is encryption?
R: The process of making information readable only to the intended receivers and incomprehensible to everyone else.
16.1.3 Q: What does encryption guarantee?
R: Confidentiality, integrity, authenticity and non-repudiation of information (encryption alone gives confidentiality; the other three come from hashes, signatures and certificates built on the same primitives).
16.2 Encryption and decryption mechanisms
16.2.1 Q: What are the two types of encryption technology?
R: Symmetric encryption and asymmetric encryption.
16.2.2 Q: What is the strength of symmetric encryption?
R: Fast encryption and decryption.
16.2.3 Q: What is the weakness of symmetric encryption?
R: Key distribution: the same secret key must be transmitted to the receiver over a secure channel.
16.2.4 Q: What is the strength of asymmetric encryption?
R: High key security: only the public key is distributed and the private key never leaves its owner.
16.2.5 Q: What is the weakness of asymmetric encryption?
R: Encryption and decryption are slow compared with symmetric algorithms, so it is unsuitable for bulk data.
16.2.6 Q: What is a digital envelope?
R: The data is encrypted with a randomly generated symmetric (session) key, and that key is itself encrypted with the receiver's public key and sent along with the data; only the receiver's private key can recover the session key and thus the data.
16.2.7 Q: What is a digital fingerprint?
R: The message digest generated by the sender by applying a hash algorithm to the plaintext.
16.2.8 Q: What are the common types of symmetric cryptographic algorithms?
R: Stream ciphers and block ciphers.
16.2.9 Q: How does a stream cipher work?
R: It encrypts the plaintext one bit or byte at a time: the key is fed into a pseudo-random generator that produces an apparently random byte sequence called the key stream, which is XORed with the plaintext.
16.2.10 Q: What are the common stream cipher algorithms?
R: RC4 (Rivest Cipher 4), now considered broken and no longer used in modern protocols.
16.2.11 Q: How does a block cipher work?
R: The plaintext is divided into fixed-size blocks; each block goes through n rounds of processing to produce a ciphertext block, the input of each round being the output of the preceding one.
16.2.12 Q: List some common block cipher algorithms.
R: 1. DES: a 64-bit plaintext block and a 56-bit effective key (64 bits with parity) produce a 64-bit ciphertext block; 2. 3DES: applies DES three times; the two-key variant uses 112 effective key bits (128 bits with parity), the three-key variant 168; 3. AES: 128-bit blocks with 128-, 192- or 256-bit keys; 4. IDEA: a symmetric block cipher with a 64-bit plaintext block and a 128-bit key producing a 64-bit ciphertext block; 5. RC2: data is encrypted in 64-bit blocks with a variable-length key (8 to 1024 bits), and the encryption speed depends on the key size; 6. RC5: a cipher with variable block size, key size and number of rounds; 7. RC6: derived from RC5 to address weaknesses found in it; 8. SM1 and SM4: Chinese national block ciphers.
16.2.13 Q: List some common asymmetric cipher algorithms.
R: DH (Diffie-Hellman key exchange), RSA, DSA
16.2.14 Q: List some hash algorithms.
R: MD5, SHA (SHA-1, SHA-2), SM3
17 Public Key Infrastructure Certificate System
Foreword: a digital signature alone does not guarantee the authenticity of the sender. It only proves that the message was signed with the private key matching some public key, not who owns that key.
17.1 Digital certificate
17.1.1 Q: What is the purpose of a digital certificate?
R: It binds a public key to the identity of its single owner, so that a verifier can be sure whose key it is.
17.1.2 Q: How is a digital certificate created?
R: It is signed by a trusted certificate authority (CA) using a digital signature.
17.1.3 Q: What is included in a digital certificate?
R: The owner's public key and identity information (together with the issuer, the validity period and the CA's signature).
17.1.4 Q: What are the certificate types?
R: 1. Self-signed certificate: also called a root certificate, issued by an entity to itself; 2. CA certificate: the certificate of the CA; 3. Local certificate: a certificate issued by a CA to an applicant; 4. Local device certificate: a certificate issued by a device to itself according to the certificate issued by the CA.
17.2 PKI system structure
17.2.1 Q: What is the problem with digital signatures alone?
R: If user C impersonates user B, you may obtain C's public key believing it is B's, and C's signatures will then verify as if they came from B. A certificate issued by a trusted CA prevents this key substitution.
17.2.2 Q: What is an infrastructure?
R: The set of elements that form the basis on which a system, abstract or concrete, is built and operates.
17.2.3 Q: What is a public key infrastructure?
R: A framework for managing digital certificates and public key encryption.
17.2.4 Q: What is the purpose of PKI?
R: It provides certificate management in compliance with defined standards.
17.2.5 Q: What is the core of PKI?
R: Digital certificate lifecycle management (applying for, issuing, using and revoking digital certificates)
17.2.6 Q: What technologies are used by PKI?
R: Throughout the lifecycle, PKI uses symmetric key cryptography, public key cryptography, digital envelopes and digital signatures.
17.2.7 Q: What are the elements of the PKI system structure?
R: End entity, Certificate Authority (CA), Registration Authority (RA), Certificate/Certificate Revocation List (CRL) database.
17.2.8 Q: What are the steps in the PKI certificate lifecycle?
R: Application, issue, storage, download, installation, authentication, renewal, revocation
17.2.9 Q: By which means can a PKI entity download a certificate from the certificate/CRL database?
R: SCEP, CMPv2, LDAP, HTTP or out-of-band (manual import).
17.2.10 Q: How is the certificate application step performed?
R: The PKI entity generates a public/private key pair. The public key and the entity's identity information are placed in a certificate enrollment request (CER, usually a PKCS#10 certificate signing request) and sent to the CA, which issues the local certificate. The private key never leaves the entity.
17.2.11 Q: By which methods can a PKI entity send the CER to the CA?
R: Online (for example via SCEP or CMPv2) and offline (the request is exported and submitted out of band).
17.2.12 Q: In which technologies is PKI used?
R: HTTPS, IPsec VPN, SSL VPN
18 Application of cryptographic technologies
18.1 Application of cryptography
18.1.1 Q: What are the applications of cryptography?
R: Digital envelope, digital signature and digital certificate.
18.1.2 Q: What are the application scenarios of cryptography?
R: VPN, IPv6, HTTPS, system login authentication
18.1.3 Q: What is the most important application scenario of cryptography?
R: VPN.
18.2 VPN overview
18.2.1 Q: What is a VPN?
R: A private data channel established across a shared public network.
18.2.2 Q: What is the meaning of "virtual" in VPN?
R: "Virtual" means that users build their private network over the lines of the public Internet instead of leasing dedicated physical lines.
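The questions on digital envelopes, fingerprints and stream ciphers (16.2.6, 16.2.7, 16.2.9), on what a certificate adds to a bare signature (17.1.1, 17.2.1) and on the application step in which the entity keeps its private key and gets the CA to sign its public key (17.2.10) describe one chain of operations. The Python program below is an added illustration of that chain and is not code from the course or from any vendor's PKI. Its assumptions: textbook RSA without padding, keyed from three fixed Mersenne prime pairs in place of random key generation; a SHA-256 counter-mode key stream standing in for a stream cipher such as RC4; and a toy certificate format ("subject|n|e" signed by the CA) standing in for X.509. Nothing here is safe for real use. It shows the envelope round trip, that a raw public key handed over by an impostor C is accepted as B's because nothing ties the key to a name, and that the same impostor is rejected once the verifier insists on a CA-signed certificate whose subject is the expected one.

```python
import hashlib
import secrets
from typing import NamedTuple

# Added example, not course material. Textbook RSA without padding, keyed from fixed
# Mersenne primes instead of random ones: enough to show the mechanics, unsafe for real use.
_TOY_PRIMES = [(127, 521), (107, 607), (89, 1279)]   # exponents k for which 2**k - 1 is prime

class PublicKey(NamedTuple):
    n: int
    e: int

class PrivateKey(NamedTuple):
    n: int
    d: int

def toy_keypair(which: int):
    """Key pair number `which` (0..2); 65537 is coprime to (p-1)(q-1) for all three pairs."""
    kp, kq = _TOY_PRIMES[which]
    p, q = (1 << kp) - 1, (1 << kq) - 1
    n, e = p * q, 65537
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, (p - 1) * (q - 1)))

def fingerprint(data: bytes) -> bytes:
    """16.2.7: message digest of the plaintext."""
    return hashlib.sha256(data).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """16.2.9: key stream = SHA-256(key || counter) blocks XORed with the data; the same call decrypts."""
    stream, ctr = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(receiver_pub: PublicKey, plaintext: bytes):
    """16.2.6 digital envelope: a fresh session key encrypts the data, the receiver's public key encrypts the key."""
    session_key = secrets.token_bytes(16)
    enc_key = pow(int.from_bytes(session_key, "big"), receiver_pub.e, receiver_pub.n)
    return stream_xor(session_key, plaintext), enc_key

def open_envelope(receiver_priv: PrivateKey, ciphertext: bytes, enc_key: int) -> bytes:
    session_key = pow(enc_key, receiver_priv.d, receiver_priv.n).to_bytes(16, "big")
    return stream_xor(session_key, ciphertext)

def sign(priv: PrivateKey, data: bytes) -> int:
    """Digital signature: the fingerprint transformed with the signer's private key."""
    return pow(int.from_bytes(fingerprint(data), "big"), priv.d, priv.n)

def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == int.from_bytes(fingerprint(data), "big")

def _cert_body(subject: str, pub: PublicKey) -> bytes:
    return f"{subject}|{pub.n}|{pub.e}".encode()

def issue_cert(ca_priv: PrivateKey, subject: str, pub: PublicKey) -> dict:
    """17.1: the CA signs (identity, public key); a toy stand-in for an X.509 local certificate."""
    return {"subject": subject, "n": pub.n, "e": pub.e, "sig": sign(ca_priv, _cert_body(subject, pub))}

def key_for(ca_pub: PublicKey, cert: dict, expected_subject: str):
    """Return the certified key only if the CA signature holds and the subject is the one expected."""
    pub = PublicKey(cert["n"], cert["e"])
    if cert["subject"] != expected_subject or not verify(ca_pub, _cert_body(cert["subject"], pub), cert["sig"]):
        return None
    return pub

def demo() -> dict:
    ca_pub, ca_priv = toy_keypair(0)
    b_pub, b_priv = toy_keypair(1)              # legitimate user B
    c_pub, c_priv = toy_keypair(2)              # user C trying to pass as B (17.2.1)
    msg = b"transfer 100 to account 42"        # constructed sample message
    ct, ek = seal(b_pub, msg)
    b_cert = issue_cert(ca_priv, "B", b_pub)
    c_cert = issue_cert(ca_priv, "C", c_pub)
    relabelled = dict(c_cert, subject="B")      # C edits the name on its own certificate
    return {
        "envelope_roundtrip": open_envelope(b_priv, ct, ek) == msg,
        "ciphertext_hides_data": ct != msg,
        # Given only a raw key that "B" handed over, C's signature verifies: nothing ties key to name.
        "raw_key_accepts_impostor": verify(c_pub, msg, sign(c_priv, msg)),
        "ca_binds_b_key": key_for(ca_pub, b_cert, "B") == b_pub,
        "c_cert_rejected_for_b": key_for(ca_pub, c_cert, "B") is None,
        "relabelled_cert_rejected": key_for(ca_pub, relabelled, "B") is None,
        "b_signature_under_certified_key": verify(key_for(ca_pub, b_cert, "B"), msg, sign(b_priv, msg)),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:34s} {ok}")
```

The two checks worth dwelling on are raw_key_accepts_impostor and relabelled_cert_rejected: the signature mathematics is identical in both cases, and only the CA's signature over the pair (name, key) lets the verifier tell B's key from C's. A real deployment adds what this toy omits: random primes of at least 2048 bits, OAEP and PSS padding, a standard cipher in place of the SHA-256 key stream, and X.509 fields such as validity period and revocation status.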
18.2.3 Q: What is the meaning of "private" in VPN?
R: "Private network" means that users can customise a network best suited to their needs, whose traffic is isolated from other users of the shared infrastructure.
18.2.4 Q: What are the types of VPNs according to the layer at which they are implemented?
R: Transport layer (SSL VPN), L3VPN (GRE, IPsec), L2VPN (PPTP, L2F, L2TP)
18.2.5 Q: What are the types of VPNs according to application scenario?
R: Site-to-Site VPN and Client-to-Site VPN