101. Three basic types of distributed trust models are:
- Hierarchical trust model: Here one root CA and one or more subordinate CAs
will be present. The subordinate CAs provide redundancy and load balancing.
The root CA is usually off-line. Here even if a subordinate CA is
compromised, the root CA can revoke the subordinate CA, thus providing
- Web of Trust: This is also called the cross-certification model. Here CAs form
peer-to-peer relationships. This model is difficult to manage as the number
of CAs grows larger. This kind of trust relationship may arise when
different divisions of a company have different CAs and need to work
together. Here the CAs must trust one another.
- Bridge CA architecture: A Bridge CA overcomes the complexity involved with
the Web of Trust model. Here the Bridge CA acts as the central coordination point. All
other CAs (known as principals) must trust only the Bridge CA.
If a CA's private key is compromised, all certificates issued by that CA are
affected. This will lead to the issuance of new certificates to all users, and
to registration. These problems can be overcome by use of a distributed trust
model, in which multiple CAs are involved.
102. The following are the basic types of firewall architectures:
- Bastion host
- Screened host gateway
- Screened subnet gateway or DMZ
103. Hash Algorithms: Hash algorithms produce a hash of a message and encrypt
it. They use a mathematical formula for hashing, and it is extremely difficult
to tamper with the message and still produce the same hash. Basically, hashing
enables a recipient to check whether a message has been received intact, without
having been tampered with by a third party.
- SHA (Secure Hashing Algorithms): There are several Secure Hashing
Algorithms and they primarily differ in the hash length. They are SHA-1,
SHA-256, SHA-384 and SHA-512. In SHA-1 the bit length is 160 bits, in
SHA-256 it is 256 bits, for SHA-384, 384 bits and in SHA-512 it is 512 bits.
- MD2, MD4, MD5 (Message Digest Series Algorithms): These are another type
of hash algorithms. These algorithms were developed by Rivest. All three
algorithms take a message of arbitrary length and produce a 128-bit message
digest. MD2 is meant for 8-bit machines and MD4 and MD5 are suitable for 32-bit
machines. These algorithms are primarily used for digital signature
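The two properties described above, the fixed digest lengths and the recipient's integrity check, can be seen directly with Python's standard `hashlib`. The following is an added example, not code from the original page; the message and the "altered in transit" change are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample message; not taken from the page.
MESSAGE = b"Please transfer 100 USD to account 12345"

# Digest lengths in bits as listed in the text.
EXPECTED_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512, "md5": 128}


def digest_bits(algorithm: str, data: bytes = MESSAGE) -> int:
    """Output length in bits of the named hashlib algorithm."""
    return hashlib.new(algorithm, data).digest_size * 8


def check_digest_lengths() -> bool:
    """True if every algorithm in EXPECTED_BITS produces the digest length the text states."""
    return all(digest_bits(name) == bits for name, bits in EXPECTED_BITS.items())


def sender_digest(data: bytes = MESSAGE, algorithm: str = "sha256") -> str:
    """What the sender transmits alongside the message."""
    return hashlib.new(algorithm, data).hexdigest()


def integrity_check(received: bytes, sender_digest_hex: str, algorithm: str = "sha256") -> bool:
    """Recipient-side check: recompute the digest of what arrived and compare it
    with the digest the sender supplied. compare_digest avoids timing leaks."""
    actual_hex = hashlib.new(algorithm, received).hexdigest()
    return hmac.compare_digest(actual_hex, sender_digest_hex)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def tamper_demo(algorithm: str = "sha256") -> tuple:
    """Alter one character of the message and measure how much the digest changes.
    Returns (integrity check result on the tampered copy, number of digest bits that changed)."""
    original_digest = sender_digest(MESSAGE, algorithm)
    tampered = MESSAGE.replace(b"100", b"900")  # a single character altered in transit
    tampered_digest = hashlib.new(algorithm, tampered).digest()
    ok = integrity_check(tampered, original_digest, algorithm)
    return ok, differing_bits(bytes.fromhex(original_digest), tampered_digest)


if __name__ == "__main__":
    for name in EXPECTED_BITS:
        print(f"{name:7s} {digest_bits(name):4d} bits  {sender_digest(MESSAGE, name)}")
    ok, changed = tamper_demo()
    print(f"tampered message passes integrity check: {ok}; {changed} of 256 digest bits changed")
```

Changing one character flips roughly half of the digest bits, which is why the recipient's recomputed digest no longer matches the one the sender supplied.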
104. The two primary security services that are provided by IPSec are:
1. Authentication Header (AH), and
2. Encapsulating Security Payload (ESP)
AH provides the authentication of the sender, and ESP provides encryption of the
105. Some issues that need to be taken care of while planning security
- Due Care
- Separation of Duties
- Need to Know
- Password Management
- Disposal Management
- Human Resource Policies, and
- Incident Management
106. Social engineering is a skill that an attacker uses to trick an innocent
person, such as an employee of a company, into doing a favour. For example, the
attacker may hold packages in both hands and ask a person with the
appropriate permission to enter a building to open the door. Social engineering
is considered to be the most successful tool that hackers use.
107. The following are the most commonly used access control mechanisms:
- Mandatory Access Control (MAC): Here the access control is determined by
the security policy of the system. The object owner or the user has almost
no control over the resource.
- Discretionary Access Control (DAC): Here the access control is determined
by the owner of an object.
- Role Based Access Control (RBAC): As the name suggests, the access to an
object is determined by the role of an employee. Users are assigned roles
first and then the permissions are assigned to roles.
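The three models differ in who decides the access rule, which is easiest to see when each is written as a small policy check. This is an added example in Python, not code from the original page; the sensitivity labels, roles, users and permissions are constructed sample data.

```python
from dataclasses import dataclass, field

# ---- Mandatory Access Control: labels are fixed by system policy ----
# Constructed ordering of sensitivity labels, lowest to highest.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


def mac_can_read(clearance: str, label: str) -> bool:
    """No-read-up rule: a subject may read an object only at or below its clearance.
    Neither the owner nor the user can change LEVELS; only the system policy does."""
    return LEVELS[clearance] >= LEVELS[label]


# ---- Discretionary Access Control: the owner of the object decides ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        """Only the owner may change the ACL; anyone else is refused."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# ---- Role Based Access Control: users -> roles -> permissions ----
# Constructed sample roles and assignments.
ROLE_PERMISSIONS = {
    "clerk": {"read_invoice"},
    "accountant": {"read_invoice", "approve_invoice"},
    "admin": {"read_invoice", "approve_invoice", "delete_invoice"},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"clerk"}, "carol": set()}


def rbac_allows(user: str, perm: str) -> bool:
    """Permissions are attached to roles, never directly to users."""
    return any(perm in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def dac_demo() -> tuple:
    """Owner alice grants bob read; bob (not the owner) tries to grant carol read.
    Returns (bob may read, bob may write, non-owner grant was refused)."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    try:
        doc.grant("bob", "carol", "read")
        refused = False
    except PermissionError:
        refused = True
    return doc.allows("bob", "read"), doc.allows("bob", "write"), refused


if __name__ == "__main__":
    print("MAC  secret clearance reads confidential:", mac_can_read("secret", "confidential"))
    print("MAC  public clearance reads secret:", mac_can_read("public", "secret"))
    print("DAC  (bob read, bob write, non-owner grant refused):", dac_demo())
    print("RBAC alice approves invoice:", rbac_allows("alice", "approve_invoice"))
    print("RBAC bob approves invoice:", rbac_allows("bob", "approve_invoice"))
```

In the MAC branch the decision depends only on the system-defined label ordering; in the DAC branch the object's owner edits the ACL; in the RBAC branch changing what a user may do means changing the user's role assignment, not the user.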
108. A DNS server uses UDP port 53 for name resolution. A web server uses
port 80. DHCP uses port 67 by default. FTP uses port 21.
109. A block cipher derives its name from the fact that one block of data is
taken at a time to be enciphered.
110. Usually the user names and passwords are transmitted in plain text. But
this kind of transmission of authentication details is not secure. Anybody with
a packet sniffer can read the login and password. Kerberos is basically an
authentication protocol that uses secret-key cryptography for secure
authentication. In Kerberos, all authentication takes place between clients and
servers. The name Kerberos comes from Greek mythology; it is the three-headed
dog that guarded the entrance to Hades. It was developed by the Massachusetts
Institute of Technology, USA.
111. Biometrics is the ability to measure physical characteristics of a human,
such as fingerprints, speech, etc. These measured values are then used for
authentication purposes. Given below are a few of the measurable quantities:
- Fingerprint: Scans and matches a fingerprint to a securely stored value.
- Voiceprint: Identifies a person by measuring speech patterns.
- Iris profile: Identifies a person by using the iris of the eye.
- Signature: Matches an individual's signature with the stored value.
A password is not a physical characteristic of a human; anyone can match a given
password once it is known.
112. A token can be a physical device such as a smart card or an electronic
process such as RSA's SecurID token. Tokens provide one of the most secure
authentication environments, because typically a token is unique to a user, and
it is difficult to spoof.
113. A VPN (short for Virtual Private Network) is a private network formed over the
public Internet. It is formed between two hosts using tunneling protocols such
as PPTP, L2TP, etc. Using VPN, you can connect two LANs in geographically
distant locations together, as if they were located in the same building. The
cost of connecting these LANs together is small since public Internet is used
for providing the WAN link.
114. A buffer overflow occurs when the input is larger than the space allocated for
it. The system doesn't know what to do with the additional input,
which may result in freezing of the system, or sometimes allow a hacker to take
control of the system. By validating inputs, it is possible to reduce this
vulnerability to a great extent.
IP address checks and short input fields are not a solution, and impose
restrictions on access and functionality. Avoiding email input doesn't help in
solving the problem.
115. FTP transfers authentication information in clear text. The security
concerns while using FTP also include buffer overflow, and anonymous access.
However, the cache mining does not occur while using FTP.
116. Web servers are most prone to CGI script exploits, and buffer overflow
attacks. CGI scripts run at server side performing a given functionality, such
as writing to or reading from a database. Hackers may use
loopholes in the scripts to hack into the web server. Similarly, a buffer overflow
can be used to run undesirable code on the server, making it vulnerable.
War-driving is related to exploiting the vulnerabilities in wireless networks.
Spam is primarily related to client side machines.
117. Non-repudiation ensures that the sender, as well as the receiver cannot
refute having sent or received a message. For example, you receive an email from
your prospective employer. By using an unsigned email, it might so happen that
your employer later denies having sent any such email. Non-repudiation ensures
that neither the sender nor the receiver can deny the transmission or the
reception of a message respectively.
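The reason a signed email cannot later be denied, while an unsigned one can, is that only the holder of the signing key can produce the signature and anyone (including a third party) can check it with the public key. The following is an added example, not code from the original page: it uses a toy textbook RSA built from Mersenne primes so it runs with the Python standard library alone, and the key material and email text are constructed for illustration (real keys use large random primes and padded signatures). It also shows why a shared-key MAC does not give non-repudiation.

```python
import hashlib
import hmac

# Toy RSA key material built from Mersenne primes (constructed, insecure; for illustration only).
P1, Q1 = 2**127 - 1, 2**521 - 1      # employer's key material
P2, Q2 = 2**107 - 1, 2**607 - 1      # some other party's key material


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)); d is the inverse of e modulo (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def message_hash(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than the toy moduli)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key: tuple, message: bytes) -> int:
    """Only the holder of d can compute this value (textbook RSA, no padding)."""
    n, d = private_key
    return pow(message_hash(message), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone with the public key, including a neutral third party, can check this."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message)


EMPLOYER_PUB, EMPLOYER_PRIV = make_keypair(P1, Q1)
OTHER_PUB, OTHER_PRIV = make_keypair(P2, Q2)

OFFER = b"We are pleased to offer you the position."   # constructed sample email body


def signature_demo() -> tuple:
    """Returns (genuine signed offer verifies, altered text verifies, other party's key verifies)."""
    sig = sign(EMPLOYER_PRIV, OFFER)
    return (
        verify(EMPLOYER_PUB, OFFER, sig),                      # employer cannot deny this
        verify(EMPLOYER_PUB, OFFER + b" Salary: 1M.", sig),    # altered text fails
        verify(OTHER_PUB, OFFER, sig),                         # wrong signer fails
    )


def shared_secret_demo() -> bool:
    """A shared-key MAC gives integrity but not non-repudiation: the recipient holds
    the same key and can produce a tag identical to the sender's, so a third party
    cannot tell who made it. Returns True when the recipient's tag matches."""
    shared_key = b"constructed-shared-key"
    sender_tag = hmac.new(shared_key, OFFER, "sha256").digest()
    recipient_tag = hmac.new(shared_key, OFFER, "sha256").digest()
    return hmac.compare_digest(sender_tag, recipient_tag)


if __name__ == "__main__":
    print("signed offer: genuine / altered / other key ->", signature_demo())
    print("recipient can forge a shared-key MAC tag ->", shared_secret_demo())
```

The sender's non-repudiation comes from the private key being held by the employer alone; the receiver's side (a signed acknowledgement) works the same way with the receiver's key pair.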
118. The VPN can be implemented in any of the following combinations:
a. Gateway-to-gateway VPN
b. Gateway-to-host VPN
c. Host-to-gateway VPN
d. Host-to-host VPN
The host-to-host configuration provides the highest security for the data.
However, a Gateway-to-Gateway VPN is transparent to the end users.
119. Networking Devices:
- Hub: A hub is basically a multi-port repeater. When it receives a packet,
it repeats that packet out each port. This means that all computers that are
connected to the hub receive the packet whether it is intended for them or
not. It's then up to the computer to ignore the packet if it's not addressed
to it. This might not seem like a big deal, but imagine transferring a 50 MB
file across a hub. Every computer connected to the hub gets sent that entire
file (in essence) and has to ignore it.
- Bridge: A bridge is a kind of repeater, but it has some intelligence. It
learns the layer 2 (MAC) addresses of devices connected to it. This means
that the bridge is smart enough to know when to forward packets across to
the segments that it connects. Bridges can be used to reduce the size of a
collision domain or to connect networks of differing
media/topologies, such as connecting an Ethernet network to a Token Ring
- Switch: A switch is essentially a multi-port bridge. The switch learns the
MAC addresses of each computer connected to each of its ports. So, when a
switch receives a packet, it only forwards the packet out the port that is
connected to the destination MAC address. Remember that a hub sends the
packet out every port.
- Router: A router works at the logical layer of the IP stack. It is
basically required to route packets from one network (or subnet) to another
network (or subnet). In the given question, all the computers are within the
same subnet and a router is inappropriate.
- Gateway: A gateway works at the top layers of the TCP/IP stack. For
example, a Gateway may be used to facilitate communication between a Unix
mail server and a Windows mail server.
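The difference between a hub, a bridge and a switch described above comes down to the forwarding decision each makes per frame. The following is an added simulation in Python, not code from the original page; the MAC addresses and the frame sequence are constructed sample data, and a two-port instance of the learning switch behaves like the bridge.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Multi-port repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, port_count: int):
        self.port_count = port_count

    def forward(self, in_port: int, src: str, dst: str) -> list:
        return [p for p in range(self.port_count) if p != in_port]


class LearningSwitch:
    """Multi-port bridge: learns which port each source MAC lives on, then forwards
    a frame only to the port that leads to the destination MAC."""

    def __init__(self, port_count: int):
        self.port_count = port_count
        self.mac_table = {}   # MAC address -> port it was last seen on

    def forward(self, in_port: int, src: str, dst: str) -> list:
        self.mac_table[src] = in_port          # learn (or refresh) the source location
        out_port = self.mac_table.get(dst)
        if dst == BROADCAST or out_port is None:
            # unknown destination: flood like a hub for this one frame
            return [p for p in range(self.port_count) if p != in_port]
        if out_port == in_port:
            return []                          # destination is on the ingress segment: drop
        return [out_port]


# Constructed sample frames: (ingress port, source MAC, destination MAC)
FRAMES = [
    (0, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"),  # A -> B, B not yet learned: flooded
    (1, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"),  # B -> A, A known: unicast to port 0
    (0, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"),  # A -> B, B known: unicast to port 1
    (2, "aa:aa:aa:aa:aa:03", BROADCAST),            # broadcast: always flooded
]


def run(device, frames=FRAMES) -> list:
    """Return the egress port list for each frame, in order."""
    return [device.forward(*frame) for frame in frames]


if __name__ == "__main__":
    print("hub   :", run(Hub(4)))
    print("switch:", run(LearningSwitch(4)))
```

With four ports the hub emits every frame on three ports, while the switch floods only until it has learned where the destination is and then forwards each unicast frame to a single port.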
120. The Packet Filters work at Network Layer of OSI model.
The Application Layer Proxy works at the Application Layer of the OSI model.
Network Address Translation (NAT) is primarily used to hide the internal network
from external networks, such as the Internet. NAT basically translates
internal IP addresses to external IP addresses and vice versa. This
functionality ensures that external users do not see the internal IP addresses,
and hence the hosts.
A Firewall implemented with stateful technology (like Checkpoint Firewall) works
at all layers of the OSI model.