
Network Security Interview Questions (Basic + Advanced)



What is FW Monitor?

Check Point's FW Monitor is a powerful built-in tool for capturing network traffic at the packet level. The FW Monitor utility captures network packets at multiple capture points along the FireWall inspection chains. These captured packets can be inspected later using Wireshark.

What is HSRP Cisco?

In computer networking, the Hot Standby Router Protocol (HSRP) is a Cisco-proprietary redundancy protocol for establishing a fault-tolerant default gateway.


How does HSRP work?

HSRP is a redundancy protocol developed by Cisco to provide gateway redundancy without any additional configuration on the end devices in the subnet. With HSRP configured between a set of routers, they work in concert to present the appearance of a single virtual router to the hosts on the LAN.

What is traceroute?


Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took.

How does a TCP traceroute work?


Any IP packet will trigger an ICMP "Time Exceeded" response from an intermediate router when its TTL value reaches zero. The packet could be TCP, UDP, ICMP, or any other protocol. As long as the intervening routers forward the packet, the trace will work. Traditional traceroute uses ICMP echo requests, but this is just by convention.


What protocol does Traceroute use?


ICMP (Internet Control Message Protocol). The IP packet header has a field called TTL (time to live), which is the maximum number of hops a packet may travel. Each intermediate router decrements its value by one, and when the value reaches zero the router receiving the packet drops it. While dropping the packet, that router sends an ICMP message back to the source node to report that the packet was dropped.


Traceroute works as follows:

It starts by sending a packet with TTL equal to 1. The first router receiving this packet drops it (because after decrementing, the TTL becomes zero) and sends an ICMP message back to the source. From this ICMP packet you learn the IP address of the first intermediate router.

Then traceroute sends another packet with TTL equal to 2, and by the same process you learn the address of the second intermediate router. This continues until the destination is reached, which reveals the full path followed by a packet from source to destination.

Another answer:


It uses a combination of UDP and ICMP as described here: Traceroute - Wikipedia
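The TTL-stepping procedure described above, as an added example that is not part of the original post. It is a pure-Python model: the routers, the "Time Exceeded" replies and the addresses are constructed, no raw sockets are used, and a router that silently drops probes (common where ICMP is filtered) is shown as `*`, as real traceroute output does.

```python
# Added example (not from the original post): a pure-Python model of how
# traceroute discovers a path by stepping the IP TTL. Routers and replies are
# simulated so the logic runs offline; all addresses are constructed.
from __future__ import annotations
from dataclasses import dataclass

# Constructed path: the routers between the source and the destination, in order.
PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.7", "203.0.113.9"]
DESTINATION = "203.0.113.42"


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int


def forward(packet: Packet, path: list[str], destination: str,
            silent: set[str] | None = None) -> tuple[str, str]:
    """Simulate routers forwarding one probe along the path.

    Each router decrements the TTL. The router that decrements it to zero drops
    the probe and answers with an ICMP Time Exceeded carrying its own address,
    unless it is configured not to reply (in `silent`), in which case the probe
    simply times out. Returns (reply_type, replying_address).
    """
    silent = silent or set()
    for router in path:
        packet.ttl -= 1
        if packet.ttl == 0:
            if router in silent:
                return ("timeout", "*")
            return ("time-exceeded", router)
    # Past the last router the probe reaches the destination host, which
    # answers it (echo reply or port unreachable depending on probe type);
    # both are modelled as "reached".
    return ("reached", destination)


def traceroute(destination: str, path: list[str], max_hops: int = 30,
               silent: set[str] | None = None) -> list[str]:
    """Return the hop addresses in order, ending with the destination when reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Packet(src="192.168.1.10", dst=destination, ttl=ttl)  # constructed source
        reply, addr = forward(probe, path, destination, silent)
        hops.append(addr)
        if reply == "reached":
            break
    return hops


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(DESTINATION, PATH, silent={"192.0.2.1"}), 1):
        print(f"{n:2d}  {hop}")
```

Note that `max_hops` bounds the number of probes, so a path longer than the limit returns only the hops discovered so far without the destination, which is exactly the "30 hops max" behaviour seen in the real tool.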


Max size of UDP

65,507 bytes

The limit on the data length is imposed by the underlying IPv4 protocol: 65,535 − 8 byte UDP header − 20 byte IP header = 65,507 bytes. With IPv6 jumbograms it is possible to have UDP packets larger than 65,535 bytes.

Minimum size: 8 bytes (the UDP header alone, with no payload)

GARP (Generic Attribute Registration Protocol)


GARP (Generic Attribute Registration Protocol) is a local area network (LAN) protocol that defines procedures by which end stations and switches can register and de-register attributes, such as network identifiers or addresses, with each other.


http://searchnetworking.techtarget.com/definition/GARP-Generic-Attribute-Registration-Protocol


What is MSS in TCP?


The maximum segment size (MSS) is a parameter in the options field of the TCP header that specifies the largest amount of data, in bytes, that a computer or communications device can receive in a single TCP segment.


What is TCP MTU option?


A maximum transmission unit (MTU) is the largest packet or frame, specified in octets (eight-bit bytes), that can be sent on a packet- or frame-based network such as the Internet. TCP uses the MTU to determine the maximum size of each packet in a transmission.

MTU is the maximum IP packet size of a given link. MSS is the maximum TCP segment (payload) size.

MTU is used for fragmentation, i.e. a packet larger than the MTU is fragmented. A segment larger than the MSS, on the other hand, is discarded.

MSS is specified during the TCP handshake (in the SYN) and its value cannot be changed after the connection is established.

MSS = MTU − 40 (20-byte IP header + 20-byte TCP header)
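The MSS/MTU arithmetic above and the different fates of oversized data (TCP segments to the MSS; IP fragments anything over the link MTU), as an added example that is not part of the original post. It assumes IPv4 and TCP headers without options (20 + 20 bytes), as the answer does, and models fragment offsets the way the IP header stores them, in 8-byte units.

```python
# Added example (not from the original post): MSS derived from MTU, TCP
# segmentation to the MSS, and IP fragmentation of a packet larger than the
# link MTU. Header sizes assume IPv4/TCP without options.
IP_HEADER = 20
TCP_HEADER = 20


def mss_for_mtu(mtu: int) -> int:
    """MSS = MTU - 40: the largest TCP payload that fits one unfragmented packet."""
    return mtu - IP_HEADER - TCP_HEADER


def tcp_segments(payload_len: int, mss: int) -> list:
    """TCP never emits a segment larger than the peer's MSS; it splits the byte
    stream into MSS-sized segments instead (the last may be shorter)."""
    if payload_len <= 0:
        return []
    full, rest = divmod(payload_len, mss)
    return [mss] * full + ([rest] if rest else [])


def ip_fragments(packet_len: int, mtu: int) -> list:
    """Fragment an IP packet (header + payload) to fit the link MTU.

    Returns (fragment_offset_in_8_byte_units, payload_bytes, more_fragments)
    per fragment. Every fragment except the last carries a payload that is a
    multiple of 8 bytes, because the header's offset field counts 8-byte blocks.
    """
    payload = packet_len - IP_HEADER
    if packet_len <= mtu:
        return [(0, payload, False)]
    per_fragment = (mtu - IP_HEADER) // 8 * 8  # largest multiple of 8 that fits
    fragments = []
    sent = 0
    while sent < payload:
        size = min(per_fragment, payload - sent)
        more = sent + size < payload
        fragments.append((sent // 8, size, more))
        sent += size
    return fragments


if __name__ == "__main__":
    mtu = 1500
    print("MSS for MTU 1500:", mss_for_mtu(mtu))          # 1460
    print("3000-byte write as TCP segments:", tcp_segments(3000, mss_for_mtu(mtu)))
    print("3020-byte IP packet over MTU 1500:", ip_fragments(3020, mtu))
```

The fragmentation output is what a security engineer should expect to see in a capture of a large ICMP or UDP datagram crossing an Ethernet link: 1480-byte fragments with offsets 0 and 185, then a short final fragment with the "more fragments" flag clear.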


What are the OSPF LSA Types?

OSPF uses an LSDB (link state database) and fills it with LSAs (link state advertisements). Instead of a single LSA type, OSPF has many different types of LSAs:

· LSA Type 1: Router LSA
· LSA Type 2: Network LSA
· LSA Type 3: Summary LSA
· LSA Type 4: Summary ASBR LSA
· LSA Type 5: Autonomous system external LSA
· LSA Type 6: Multicast OSPF LSA
· LSA Type 7: Not-so-stubby area LSA
· LSA Type 8: External attribute LSA for BGP

https://networklessons.com/ospf/ospf-lsa-types-explained/

What is the port number of syslog?

Syslog uses port 514.


What is syslog?

Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events.
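Since a syslog server mostly consists of parsing what the devices send, here is an added example (not part of the original post) that decodes the PRI field of a classic BSD-style syslog line (RFC 3164): PRI = facility × 8 + severity. The sample lines are constructed, and malformed input is counted rather than silently dropped, which is the behaviour a collector used for security monitoring should have.

```python
# Added example (not from the original post): decoding the <PRI> prefix of
# BSD-style (RFC 3164) syslog lines into facility and severity. Sample lines
# are constructed.
import re

# Facility codes 0..23 as listed in RFC 3164 (12..15 are NTP, log audit,
# log alert and clock daemon), then local0..local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


def parse_syslog(line: str) -> dict:
    """Split a syslog line into facility, severity and the remaining text.

    facility = PRI >> 3 and severity = PRI & 7. A line without a valid <PRI>
    (missing, or above 191 = 23*8+7) is returned with both fields set to None.
    """
    m = _LINE.match(line)
    if not m or int(m.group("pri")) > 191:
        return {"facility": None, "severity": None, "message": line}
    pri = int(m.group("pri"))
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "message": m.group("rest"),
    }


def count_by_severity(lines) -> dict:
    """Tally lines per severity; unparseable lines land in 'malformed'."""
    counts = {}
    for line in lines:
        sev = parse_syslog(line)["severity"] or "malformed"
        counts[sev] = counts.get(sev, 0) + 1
    return counts


SAMPLE_LINES = [  # constructed
    "<34>Oct 11 22:14:15 fw1 sshd[2100]: Failed password for root from 198.51.100.20 port 51234 ssh2",
    "<13>Oct 11 22:14:16 fw1 cron[211]: (root) CMD (/usr/bin/logrotate)",
    "<165>Oct 11 22:14:17 fw1 app: scheduled task finished",
    "garbage without a priority",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print(count_by_severity(SAMPLE_LINES))
```

Note that the PRI field is set by the sender and is not authenticated: a collector that filters alerts by severity should treat it as a hint from the device, not as a trustworthy property of the event.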


What is the DORA process?

DORA is the four-step process by which a DHCP server assigns an IP address to a client.


1. Discover: Sent by the DHCP client to find a willing DHCP server


2. Offer: Sent by a DHCP server to offer to lease to that client a specific IP address (and inform the client of its other parameters)


3. Request: Sent by the DHCP client to ask the server to lease the IPv4 address listed in the Offer message.


4. Acknowledgment: Sent by the DHCP server to assign the address, and to list the mask, default router, and DNS server IP addresses.
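The four DORA messages as a small simulated exchange between one client and one server, added here as an example that is not part of the original post. Addresses, parameters and the message dictionaries are constructed; real DHCP uses a binary packet format over UDP ports 67/68 that is not modelled. The server also answers a Request for an address it did not offer with a NAK, which is standard DHCP behaviour beyond the four steps listed above.

```python
# Added example (not from the original post): a simulated Discover / Offer /
# Request / Acknowledgment exchange. All addresses and fields are constructed.
from __future__ import annotations


class DhcpServer:
    def __init__(self, pool: list[str], mask: str, router: str, dns: str):
        self.free = list(pool)
        self.offers: dict[str, str] = {}   # client MAC -> address offered
        self.leases: dict[str, str] = {}   # client MAC -> address bound
        self.params = {"mask": mask, "router": router, "dns": dns}

    def handle(self, msg: dict) -> dict | None:
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":
            if not self.free:
                return None                    # pool exhausted: no Offer is sent
            addr = self.free.pop(0)
            self.offers[mac] = addr
            return {"type": "OFFER", "mac": mac, "yiaddr": addr, **self.params}
        if msg["type"] == "REQUEST":
            # The client must request exactly the address this server offered it;
            # anything else is refused with a NAK and the client starts over.
            if self.offers.get(mac) != msg["requested"]:
                return {"type": "NAK", "mac": mac}
            self.leases[mac] = self.offers.pop(mac)
            return {"type": "ACK", "mac": mac, "yiaddr": self.leases[mac], **self.params}
        return None


def dora(server: DhcpServer, mac: str) -> list[str]:
    """Run one client through DORA; return the message types seen on the wire."""
    trace = []
    discover = {"type": "DISCOVER", "mac": mac}
    trace.append(discover["type"])
    offer = server.handle(discover)
    if offer is None:                          # no server willing to offer
        return trace
    trace.append(offer["type"])
    request = {"type": "REQUEST", "mac": mac, "requested": offer["yiaddr"]}
    trace.append(request["type"])
    ack = server.handle(request)
    trace.append(ack["type"])
    return trace


if __name__ == "__main__":
    srv = DhcpServer(["192.168.1.100", "192.168.1.101"],
                     "255.255.255.0", "192.168.1.1", "192.168.1.53")
    print(dora(srv, "aa:bb:cc:00:00:01"), srv.leases)
```

The Offer and the Acknowledgment both carry the mask, default router and DNS server, matching step 4 above; the client only commits to the address once the Acknowledgment arrives.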


What is Packet-Tracer command in ASA?

The packet-tracer command provides detailed information about the packets and how they are processed by the ASA. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.


Checkpoint - tcpdump and fw monitor


What's the difference between tcpdump and fw monitor?

tcpdump displays traffic entering or leaving a firewall interface, while fw monitor also shows how the packet moves through the firewall, including routing and NAT decisions.

Let’s get deeper

FW MONITOR

It captures traffic at four important points in the firewall, namely i, I, o and O. You see them in the capture in that sequence.
i – Pre-inbound, just where the packet is received on the interface. If you see only this, the packet was dropped by anti-spoofing or by the access rule.
I – Post-inbound, where the packet has passed through the incoming interface. If the next line at 'o' never appears in the capture, you can infer a routing issue.
For both i and I the interface is the incoming one, where the packet enters the firewall.
o – Pre-outbound, where the packet arrives at the exit interface within the firewall. If the capture stops at this point, you may need to check NAT.
O – Post-outbound. If you see this, you can be sure the packet has left the firewall and that the ACL, route and NAT are all working as expected.

fw monitor -e "accept src=10.1.1.201 or dst=10.1.1.201;" -o monitor2.out



TCPDUMP

It captures at positions i and O of fw monitor, so when you see a packet you can be sure the traffic has left the firewall. This is similar to the way captures work on a Cisco PIX/ASA.

So, which one should you use?

Suppose you run tcpdump and see the incoming traffic but do not see the traffic leaving the exit interface. You can guess it is a routing or a NAT issue. But to be sure without wasting time looking through routes or NAT rules, you can run fw monitor and see exactly where the packet stops.
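The i/I/o/O triage rules above turned into a small helper, added here as an example that is not part of the original post. The sample capture lines are constructed to resemble fw monitor output (`<interface>:<point>[len]: src -> dst (proto)`, optionally prefixed by a `[vs_N][fw_N]` tag); the exact format of a real capture may differ, so the parser only relies on the interface name and the inspection-point letter.

```python
# Added example (not from the original post): map the last fw monitor
# inspection point at which a flow was seen to the likely cause, following
# the i/I/o/O rules in the text. The capture lines and line format are
# constructed approximations of fw monitor output.
import re

POINTS = "iIoO"   # order of the inspection points along a packet's path

_CAPTURE = re.compile(
    r"^(?:\[vs_\d+\]\[fw_\d+\]\s+)?"                        # optional instance prefix
    r"(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)"
)


def points_seen(lines, src: str, dst: str) -> set:
    """Collect the inspection points at which packets from src to dst appeared."""
    seen = set()
    for line in lines:
        m = _CAPTURE.match(line)
        if m and m.group("src") == src and m.group("dst") == dst:
            seen.add(m.group("point"))
    return seen


def diagnose(seen: set) -> str:
    """Return the likely cause, based on the furthest point the packet reached."""
    if not seen:
        return "not captured at all: check the filter expression and that traffic reaches the interface"
    last = max(seen, key=POINTS.index)
    return {
        "i": "stopped after pre-inbound (i): anti-spoofing or access rule drop",
        "I": "stopped after post-inbound (I): routing issue",
        "o": "stopped after pre-outbound (o): check NAT",
        "O": "reached post-outbound (O): ACL, route and NAT all worked",
    }[last]


SAMPLE = [  # constructed
    "[vs_0][fw_0] eth1:i[44]: 10.1.1.201 -> 203.0.113.5 (TCP)",
    "[vs_0][fw_0] eth1:I[44]: 10.1.1.201 -> 203.0.113.5 (TCP)",
    "[vs_0][fw_0] eth0:i[60]: 10.1.1.202 -> 10.1.1.1 (ICMP)",
    "[vs_0][fw_0] eth0:I[60]: 10.1.1.202 -> 10.1.1.1 (ICMP)",
    "[vs_0][fw_0] eth2:o[60]: 10.1.1.202 -> 10.1.1.1 (ICMP)",
    "[vs_0][fw_0] eth2:O[60]: 10.1.1.202 -> 10.1.1.1 (ICMP)",
]

if __name__ == "__main__":
    for src, dst in (("10.1.1.201", "203.0.113.5"), ("10.1.1.202", "10.1.1.1")):
        print(src, "->", dst, ":", diagnose(points_seen(SAMPLE, src, dst)))
```

Because NAT can rewrite the addresses between `I` and `o`, a real capture of a translated flow may show the post-NAT address at `o`/`O`; when that happens, match on the pre-NAT pair for `i`/`I` and the post-NAT pair for `o`/`O` before drawing a conclusion.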








