Quiz‐01 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki

Quiz One

Access Code: NET330

These questions are made to make you think (provide references for what you used!)

Take a look at notes taken from class


What's gonna be on the quiz

Questions will be short answer with some multiple choice and other formats.

Topics include but are not limited to:

Parsing IP Headers

  • Subnet masking and valid host ranges
  • Subnet design
  • DHCP protocol and packet exchange
  • DHCP Service design consideration
  • DHCP Server - general configuration

Hierarchical Internetworking Model

  • Access(Edge) Layer
  • Distribution Layer
  • Core Layer
  • Border Layer
  • Devices used at the Different Layers

Network Address Translation

  • NAT Definition
  • Why use NAT
  • IP Masquerading
  • Types of NAT

1: What are the security risks involved with DHCP:

DHCP Spoofing Attack:

  • This is when an attacker uses a rogue DHCP server to gain further access to the network or to certain hosts by handing out IP addresses and a default gateway of their choosing to client machines. The attacker can then force all outbound traffic from the local subnet through the attacker's machine and read it with traffic sniffing, even on a switched network.

Denial of Service (DoS) Attack with Rogue DHCP:

  • This type of attack prevents clients that depend on DHCP from obtaining or renewing their configuration and joining the network. The attacker has a rogue DHCP server respond to every DHCPDISCOVER broadcast but never supply a DHCPACK to the resulting DHCPREQUEST from the client. Since the rogue server isn't handing out valid configurations, it doesn't need to check its table to make sure an address isn't already taken, so it is the first to answer every time. As a result, all of the slots fill up quickly and none are left for legitimate clients to ask for.

DHCP relay attacks:

  • DHCP relay attacks exploit the DHCP relay agent, which forwards DHCP messages between different network segments. A relay attack can bypass security measures a DHCP server or network segment has in place, injecting malicious DHCP messages or reaching restricted sections of the network. This is possible when IP Source Guard is not in use, since it verifies the source IP address of packets against the DHCP snooping database.

Unauthorized DHCP clients:

  • This is a device that connects to the network without permission and obtains an IP address from the DHCP server, which lets it consume network resources, introduce security vulnerabilities, or interfere with other network devices. A network is exposed to this when there is no MAC address filtering, which allows or denies DHCP requests based on MAC address.

https://www.linkedin.com/advice/1/what-most-common-dhcp-security-threats-skills-system-administration-5v74f

https://www.telecomhall.net/t/dhcp-operations-and-security-strategies/26736
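The countermeasures named above (DHCP snooping with trusted ports, the snooping binding database, and IP Source Guard) as a small model. This is an added example, not code from the wiki or from any switch vendor; port names, MACs and addresses are constructed, and the "trusted port" is assumed to be the uplink toward the real DHCP server.

```python
from dataclasses import dataclass, field

# DHCP message types that only a server should originate.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK"}


@dataclass
class SnoopingSwitch:
    """Models DHCP snooping plus IP Source Guard on an access switch (assumed behaviour)."""
    trusted_ports: set
    pending: dict = field(default_factory=dict)    # client MAC -> untrusted port it asked from
    bindings: dict = field(default_factory=dict)   # (port, client MAC) -> leased IP
    dropped: list = field(default_factory=list)    # (port, MAC, type) of filtered frames

    def handle_dhcp(self, port, chaddr, msg_type, yiaddr=None):
        """Filter one DHCP message; return True if forwarded, False if dropped."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted_ports:
                # A server reply arriving on a client port: rogue DHCP server, drop it.
                self.dropped.append((port, chaddr, msg_type))
                return False
            if msg_type == "DHCPACK" and chaddr in self.pending:
                # The real server confirmed a lease: record it in the snooping binding table.
                self.bindings[(self.pending.pop(chaddr), chaddr)] = yiaddr
            return True
        # Client messages (DISCOVER/REQUEST) pass; remember which port the client sits on.
        self.pending[chaddr] = port
        return True

    def ip_source_guard(self, port, chaddr, src_ip):
        """Permit an IP packet only if (port, MAC, source IP) matches a snooped binding."""
        return self.bindings.get((port, chaddr)) == src_ip


def demo():
    """Constructed sequence: a legitimate exchange, a rogue offer, then a spoofed packet."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    client, rogue = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:02"
    results = {
        "discover": sw.handle_dhcp("Gi0/1", client, "DHCPDISCOVER"),
        "offer_real": sw.handle_dhcp("Gi0/24", client, "DHCPOFFER", "10.0.0.50"),
        "offer_rogue": sw.handle_dhcp("Gi0/2", client, "DHCPOFFER", "10.0.0.99"),
        "request": sw.handle_dhcp("Gi0/1", client, "DHCPREQUEST"),
        "ack_real": sw.handle_dhcp("Gi0/24", client, "DHCPACK", "10.0.0.50"),
    }
    results["guard_ok"] = sw.ip_source_guard("Gi0/1", client, "10.0.0.50")
    results["guard_spoof"] = sw.ip_source_guard("Gi0/2", rogue, "10.0.0.50")
    return sw, results
```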


2: Name the layer and provide an example of a device that operates at that layer (for the four layers of the hierarchical internetworking model)


Border layer: This layer includes the network devices that connect an enterprise network to the internet. 

  • Connect to Internet (Routing/Layer 3 and up)
  • Border firewall/load balancers/ IPS

Core layer:

This is the backbone of the network, providing high-speed, highly redundant forwarding services to move packets between distribution layer devices. These devices have the most forwarding power but are not smart, doing only layer 2 switching.

  • Dumb and Fast (Switching/Layer 2)

Distribution layer:

This middle layer offers policy-based connectivity and regulates the boundary between the other two layers. It is the smart layer, involving routing, filtering, and QoS policies. It also manages branch-office WAN connections.

  • Smart! (Routing/Layer 3 switches)

Access layer:

This provides network access to end devices and enforces access control policies. It is also known as the desktop layer because it focuses on connecting clients such as workstations to the network; its devices are commonly switching platforms.

  • Wireless APs and switches
  • Access VLANs (Layer 2)

https://github.com/LPouliot/Junior-Spring-NET-330-01-Network-Design/wiki/Notes-04%E2%80%901


3: PAT and Static NAT, explain

Port Address Translation (PAT) is a common implementation of IP masquerading NAT, allowing many devices on a LAN to be mapped to a single public IP address. It still uses IPv4 addresses, but combined with port numbers. PAT devices use the source TCP port number to keep track of different sessions: a table records the mapping between the original IP/port pair and the translated IP/port pair. PAT is a form of dynamic NAT with two variants, static PAT and overloaded PAT.

Network Address Translation (NAT) is a feature of port forwarding, allowing traffic from outside the network to reach designated hosts in a masqueraded network. NAT slows the decline of available IP addresses by translating local (private) IP addresses into a global (public) IP address. It is a method of remapping one IP address space into another by modifying the network address information in IP datagram headers while they transit a routing device. NAT also uses IPv4 addresses and has three types: Static NAT, Dynamic NAT, and PAT/NAT Overloading/IP masquerading. Static NAT is simple to configure and can expose a few servers, hosts, or applications, but it does not scale well. It's important to define the "inside" and "outside" interfaces, where the inside interface is connected to the private address space and the outside interface to the public address space.

https://www.geeksforgeeks.org/difference-between-network-address-translation-nat-and-port-address-translation-pat/

https://github.com/LPouliot/Soph-Fall-NET-215-Network-Protocols/wiki/Notes6
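PAT and Static NAT side by side as translation tables, added here as an example (not the wiki's or any vendor's code); it also illustrates the many-to-one point from question 10. The public and inside addresses are constructed, and the translated port range (starting at 40000) is an assumption.

```python
import itertools


class PatRouter:
    """Many-to-one NAT: every inside (IP, port) pair shares one public IP and gets its own
    translated port; replies are matched back through the same table (assumed model)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = itertools.count(first_port)   # assumption: simple sequential allocation
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an inside->outside packet; allocate a port on a new session."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            pub_port = next(self.next_port)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a reply; unsolicited packets have no entry and are dropped."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        in_ip, in_port = self.inbound[dst_port]
        return (src_ip, src_port, in_ip, in_port)


class StaticNat:
    """One-to-one NAT: a fixed private<->public mapping, so outside hosts can initiate."""

    def __init__(self, mappings):
        self.priv_to_pub = dict(mappings)
        self.pub_to_priv = {pub: priv for priv, pub in mappings.items()}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        pub = self.priv_to_pub.get(src_ip)
        return None if pub is None else (pub, src_port, dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        priv = self.pub_to_priv.get(dst_ip)
        return None if priv is None else (src_ip, src_port, priv, dst_port)
```

Two inside hosts using the same source port 50000 still get distinct public ports, which is what lets the router tell their replies apart.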


4: Define the primary function of the four layers of the hierarchical internetworking model


Border layer:

  • This layer includes the network devices that connect an enterprise network to the internet. 

Core layer:

  • This is the backbone of the network, providing high-speed, highly redundant forwarding services to move packets between distribution layer devices.

Distribution layer:

  • This middle layer offers policy-based connectivity and regulates the boundary between the other two layers. It is the smart layer, involving routing, filtering, and QoS policies. 

Access layer:

  • This provides network access to end devices and enforces access control policies. It focuses on connecting clients like workstations in the network. 

https://github.com/LPouliot/Junior-Spring-NET-330-01-Network-Design/wiki/Notes-04%E2%80%901


5: DHCP order of operations for a new client trying to get an IP address and explain why the last two steps are necessary

DORA

Discover: Client attempts to discover a DHCP server

Offer: IP lease offer from server to client

Request: Client requests to use the IP lease sent by the server

The client, when requesting the IP lease sent by the server, sends an ARP request to see if any other host on the network already has the same IP address. If no host has the same configuration, the request is broadcast, showing acceptance of the IP address. This is important to the DORA process because it ensures that no two clients end up with the same IP address, which would create major complications for both devices.

Acknowledgement: Server sends acknowledgement to client that the lease was accepted.

The server will make an entry for the client host with the IP address and lease time, ensuring that the IP address will not be given to any other client. This provides centralized management of IP addresses with automated TCP/IP configuration. It also ensures the proper recycling of IP addresses when the lease time is up, reducing the number of IP addresses required.

https://github.com/LPouliot/Junior-Spring-NET-330-01-Network-Design/wiki/Notes-03%E2%80%901

https://www.geeksforgeeks.org/dynamic-host-configuration-protocol-dhcp/
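The DORA exchange above as a small two-party model, showing why the REQUEST and ACK steps matter: the client declines an offered address that its ARP probe finds in use, and the server only writes the lease record when it sends the ACK. This is an added example, not code from the wiki; messages are plain dicts, the ARP probe is simulated with a set of addresses already in use, and pool/MAC values are constructed.

```python
class DhcpServer:
    """Server side of DORA: hands out offers, records a lease only when it ACKs a REQUEST."""

    def __init__(self, pool, lease_time=3600):
        self.free, self.lease_time = list(pool), lease_time
        self.offered = {}       # MAC -> offered IP, not yet committed
        self.leases = {}        # MAC -> (IP, lease_time), written by the ACK step
        self.declined = set()   # addresses a client reported as already in use

    def handle(self, msg):
        kind, mac = msg["type"], msg["chaddr"]
        if kind == "DHCPDISCOVER":
            if not self.free:
                return None                                  # pool exhausted: stay silent
            self.offered[mac] = self.free.pop(0)
            return {"type": "DHCPOFFER", "chaddr": mac, "yiaddr": self.offered[mac]}
        if kind == "DHCPREQUEST":
            ip = msg["requested_ip"]
            if self.offered.pop(mac, None) != ip:
                return {"type": "DHCPNAK", "chaddr": mac}    # not what we offered this MAC
            self.leases[mac] = (ip, self.lease_time)         # address now reserved for this client
            return {"type": "DHCPACK", "chaddr": mac, "yiaddr": ip, "lease": self.lease_time}
        if kind == "DHCPDECLINE":                            # client's ARP probe found a duplicate
            self.declined.add(self.offered.pop(mac, None))
        return None


def dora(server, mac, in_use):
    """Client side; `in_use` stands in for what an ARP probe of the LAN would reveal.
    Returns the message transcript and the IP the client ends up with (or None)."""
    transcript = []

    def exchange(msg):
        transcript.append(msg)
        reply = server.handle(msg)
        if reply is not None:
            transcript.append(reply)
        return reply

    offer = exchange({"type": "DHCPDISCOVER", "chaddr": mac})
    if offer is None:
        return transcript, None
    ip = offer["yiaddr"]
    if ip in in_use:   # duplicate detected: decline rather than request the address
        exchange({"type": "DHCPDECLINE", "chaddr": mac, "requested_ip": ip})
        return transcript, None
    ack = exchange({"type": "DHCPREQUEST", "chaddr": mac, "requested_ip": ip})
    return transcript, (ip if ack["type"] == "DHCPACK" else None)
```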


6: Identifying the following network

Consider the following network: 129.170.32.0/22

Identify the role of the following addresses:

Valid Host Address

  • 129.170.35.144

Broadcast Address

  • 129.170.33.255

Valid Host Address

  • 129.170.36.12

Network Address

  • 129.170.34.0
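Subnet math for the 129.170.32.0/22 block by bit arithmetic (mask, network, broadcast, valid host range, and a classifier for any address), plus a helper that hands a block down to the next chart row as in question 12. This is an added example, not code from the wiki, using only the Python standard library; run the classifier on the question's addresses to check each role.

```python
def to_int(dotted):
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def subnet_info(cidr):
    """Mask, network, broadcast and valid host range for a CIDR block."""
    base, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /22 -> 255.255.252.0
    network = to_int(base) & mask                       # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)          # set the host bits
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        # /31 and /32 have no separate network/broadcast addresses; reported as 0 usable here
        "usable_hosts": max(broadcast - network - 1, 0),
    }


def classify(cidr, address):
    """'network', 'broadcast', 'host' or 'outside' for one address relative to the block."""
    info = subnet_info(cidr)
    n, lo, hi = to_int(address), to_int(info["network"]), to_int(info["broadcast"])
    if not lo <= n <= hi:
        return "outside"
    if n == lo:
        return "network"
    if n == hi:
        return "broadcast"
    return "host"


def split(cidr, new_prefix):
    """Enumerate the next chart row's subnets, e.g. a /21 handed down into eight /24s."""
    old_prefix = int(cidr.split("/")[1])
    start = to_int(subnet_info(cidr)["network"])
    step = 1 << (32 - new_prefix)                       # addresses per child block
    return [f"{to_dotted(start + i * step)}/{new_prefix}"
            for i in range(1 << (new_prefix - old_prefix))]
```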

7: Might change: NAT is exclusively for routing...

No, it can be used for other things too! Such as Firewalls, Load Balancers, and Gateways & Proxy Servers

https://www.geeksforgeeks.org/network-address-translation-nat/

https://www.comptia.org/content/guides/what-is-network-address-translation#:~:text=NAT%20stands%20for%20network%20address,as%20do%20most%20home%20routers.


8: One DHCP server and many routed subnets (fill in the blank)

What must be configured on the routers when there are multiple routed subnets? (A specific command: the DHCP helper.)

  • ip helper-address

9: DHCP renewal happens with what lease time

50!

(Can be found in notes)


10: Port address translation is a ___ translation between IP ranges

many-to-one

https://docs.google.com/presentation/d/1V3OKgvqRiokq8HNZvm4azyX_4_t-VdH_zT0yY4mdHKA/edit?pli=1#slide=id.g15d935cfb6a_2_153


11: Which of the following should be included in a DHCP server's IP pool configuration for a standard client network with the expectation of internet access (select all that apply)

Valid TCP/IP configuration parameters for all clients on the network.

Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.

Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.

The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.

CNAME Record Address

Default Gateway (this one)

DNS Server Address

Subnet Mask (this one)

Host IP Range

https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-top


12: Subnetting chart!

Remember:

  • Pass it down to the next row: if the /21 is the first row and the /24 is the next row, pass the /21 number down. (There is a chart showing what amount is passed down.)