Chapter 11. Performing Network Analysis

NETWORK FORENSICS, AS YOU FIRST READ back in Chapter 1, deals with evidence that moves across one or more computer networks. It involves capturing, recording, and analyzing network events. Businesses are marketing advanced networking technologies, such as network-attached storage devices, firewalls, and Gigabit Ethernet, to home users today. Therefore, nearly any computer seized will have been used in a network environment of some type.

Network forensics can involve a variety of digital evidence, including information from router, NetFlow, and firewall logs. Forensics can also involve evidence from the logs of Internet service providers (ISPs), intrusion detection systems, and captured network traffic. This chapter presents the basics of network forensics, including tools and techniques for investigating specific types of attacks.

Network Basics

A network is a collection of computers and devices joined by connection media. In a typical enterprise network environment, network components work together to make information and resources available to many users. From their workstations, users access resources that are connected to an organization's networks. Table 11-1 lists three basic network types and their characteristics.

As a forensic investigator, you'll work with two categories of networks:

  • Peer-to-peer (P2P) network—In a peer-to-peer (P2P) network, each user manages his or her own resources and configures who may access those computer resources and how. On a P2P network, each computer is configured individually.

  • Server-based network—In a server-based network, a central server manages which users have access to which resources through a database called a directory. This is the best option when an organization has 10 or more network users. The central server runs a network operating system (NOS).

Networks can be set up using a number of topologies—that is, designs that specify the devices, locations, and cable installation as well as how data is transferred in the network. The most common physical network topologies are the star and hybrid star. In a star topology, all computers and network devices, such as printers and firewalls, connect to a central hub or switch. This topology allows central management but can also fail easily. Advances in communications and switching technology have blurred the lines in network designs.

Table 11-1. Network types.

NETWORK TYPE | SIZE | DESCRIPTION
Local area network (LAN) | A LAN covers a small physical area, such as an office or a building. | Local area networks (LANs) are common in homes and businesses and make it easy to share resources, such as printers and shared disks.
Metropolitan area network (MAN) | A MAN connects two or more LANs but does not span an area larger than a city or town. | Metropolitan area networks (MANs) connect multiple buildings or groups of buildings spread around an area larger than a few city blocks.
Wide area network (WAN) | A WAN connects multiple LANs and can span very large areas, including multiple countries. | Wide area networks (WANs) provide network connections among computers, devices, and other networks that communicate across great distances. For example, the Internet is a WAN.

The interconnection of networks, including the Internet, can make it difficult to distinguish individual network types. Even so, learn all about the different types of networks. Documenting a network involves creating a diagram of the network's physical layout. This is vital to show where you have collected evidence. Figure 11-1 shows a basic network diagram.

Use a tool, such as Microsoft Visio, to draw a network diagram. Visio offers templates that include network design symbols. Download these templates at no charge from the Visio downloads page, http://visio.mvps.org/3rdparty.htm. In addition, automatic network discovery tools make the network documentation easier. Examples of such tools include LANsurveyor (see http://www.solarwinds.com/products/lansurveyor/), NetCure (see http://www.rocketsoftware.com/products/netcure), and WhatsUp Gold (see http://www.whatsupgold.com). You can also use radio-frequency detectors, such as AirWave 7 (see http://www.airwave.com/products/), to identify and document wireless networks.

Wireless Networks

Wireless networks are almost everywhere today—including homes, offices, hotels, airports, and coffee shops. Some cities even provide wireless network access to citizens in their areas. Wireless connections allow devices to connect to a network without having to physically connect to a cable. This makes it easy to connect computers and devices when running cables is either difficult or not practical.

Many wireless LANs are either not secured or are not well secured. Attackers may compromise a server to allow public access to stolen software, music, movies, or pornography. The following are the most important forensic concerns with wireless networks:

  • Did a perpetrator use a wireless network entry point for a direct network attack or theft of data?

  • Did an attacker use a third-party wireless network, such as a hotel hotspot, to conceal his or her identity?

Figure 11-1. A basic network diagram.

In addition to evidence that moves across wireless networking devices, you may find evidence in wireless storage devices. These devices include wireless digital and video cameras, wireless printers with storage capacity, wireless network-attached storage (NAS) devices, PDAs and smartphones, wireless digital video recorders (DVRs), and wireless game consoles.

Common Network Protocols

To investigate activity that involves networks, become familiar with a number of protocols. Protocols allow applications to exchange information with other applications on other computers. To communicate, computers must use the same protocol. For example, most Web browser applications communicate with a Web server application by using Hypertext Transfer Protocol (HTTP). Web browsers can use other protocols, but HTTP is the most common protocol for regular Web pages.

HTTP is based on a request/response standard. A client requests a resource, such as text, an image, or a multimedia file, from the server. The server responds with a status line and additional information. HTTP is important to understand because Web browsing can be used for any online communication. Whenever someone accesses a resource on a Web server over the Internet, the server records an entry in an access log. That entry shows which computer was used to access what files and the HTTP return status code. Most server access logs use or resemble the Common Log Format (CLF). This format includes the remote host, user ID, date, time, request, status code, and number of bytes returned. An extended CLF format also includes the referring uniform resource locator (URL) and the browser version.
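The following parser for CLF and extended CLF access-log entries is an added example, not code from the book; the log lines it reads are constructed for illustration, and the helper names (parse_log, status_by_host, error_hosts) are my own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic). Lines 1 and 2 are
# plain CLF; lines 3 and 4 are the extended ("combined") form that appends
# the referring URL and the browser version as two more quoted fields.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - alice [10/Oct/2023:13:55:40 -0700] "GET /reports/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Oct/2023:13:56:01 -0700] "GET /login HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 -0700] "POST /login HTTP/1.1" 500 - "http://example.test/" "curl/8.0"
this line is not a log entry
"""

# One pattern covers both forms: the trailing referrer/agent group is optional.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_line(line):
    """Parse one CLF/extended CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # The request field is "METHOD PATH PROTOCOL"; keep a malformed one as the raw path.
    parts = f["request"].split(" ")
    if len(parts) == 3:
        method, path, proto = parts
    else:
        method, path, proto = None, f["request"], None
    return {
        "host": f["host"],
        "user": None if f["user"] == "-" else f["user"],
        "timestamp": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "protocol": proto,
        "status": int(f["status"]),
        "bytes": 0 if f["bytes"] == "-" else int(f["bytes"]),  # "-" means no body returned
        "referer": None if f["referer"] in (None, "-") else f["referer"],
        "agent": f["agent"],
    }


def parse_log(text):
    """Parse every line; lines that do not match are kept separately for manual review."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def status_by_host(records):
    """Count responses per client by status class (2xx, 3xx, 4xx, 5xx)."""
    table = defaultdict(Counter)
    for r in records:
        table[r["host"]][f"{r['status'] // 100}xx"] += 1
    return {host: dict(counts) for host, counts in table.items()}


def error_hosts(records, min_errors=2):
    """Clients with at least min_errors 4xx/5xx responses: a starting point for review."""
    counts = Counter(r["host"] for r in records if r["status"] >= 400)
    return sorted(host for host, n in counts.items() if n >= min_errors)
```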

A common networking protocol is Transmission Control Protocol/Internet Protocol (TCP/IP), which you read about in Chapter 10. TCP/IP is a combination of two separate protocols that work together in so many environments that they are often referenced as a single protocol. Table 11-2 lists some of the most common network communication protocols.

The Institute of Electrical and Electronics Engineers (IEEE) defines many computing and communications standards. For example, the IEEE 802.11 standards define communications protocols for wireless local area networks (WLANs). A WLAN is a LAN that links devices wirelessly. IEEE 802.11 currently uses four main protocols: 802.11a, 802.11b, 802.11g, and 802.11n. The technical details are beyond the scope of this chapter, but it is important to know the basic differences between different wireless protocols.

Bluetooth is a popular wireless protocol for connecting devices over short distances. The most popular use of Bluetooth is to create personal area networks (PANs) of devices that communicate with a computer or device. Headsets, mouse devices, and printers are some examples of devices that commonly support the Bluetooth protocol. Unless you protect all the wireless connections in a Bluetooth-enabled computer, the computer can be vulnerable to several types of wireless attacks.

Types of Network-Related Attacks

Attackers can target networks in a number of ways. They sometimes aim attacks at specific parts of a network, such as routers. They also attack specific Web sites, server applications, or entire networks. The following sections describe some common network-related attacks that you may have to deal with.

Table 11-2. Common network communication protocols.

PROTOCOL | DESCRIPTION
Telnet | Used for connecting terminals to servers. Sends text to and from the server. Telnet is useful for remote administration using command-line utilities.
Secure Shell (SSH) | Similar to Telnet, except this protocol encrypts messages. Useful for secure remote system administration using command-line utilities.
Hypertext Transfer Protocol (HTTP) | Used for most Web browser/Web server communication.
Hypertext Transfer Protocol Secure (HTTPS) | Secure HTTP. Useful for exchanging confidential information between Web browsers and Web servers.
Secure Socket Layer/Transport Layer Security (SSL/TLS) | SSL is the predecessor of TLS. Both protocols provide encryption for application layer protocols, such as HTTPS.
Transmission Control Protocol/Internet Protocol (TCP/IP) | The most common protocol pair for Internet communication.
Dynamic Host Configuration Protocol (DHCP) | Used to assign Internet Protocol (IP) addresses to computers.
User Datagram Protocol (UDP) | Another common protocol used in place of IP when persistent connections are not necessary or desirable.
Internet Protocol Security (IPSec) | A protocol suite used to secure IP communication by encrypting each IP packet.
Point-to-Point Protocol (PPP) | Used to establish a direct connection between nodes.
Point-to-Point Tunneling Protocol (PPTP) | One of three common protocols used for virtual private networks (VPNs).
Layer 2 Tunneling Protocol (L2TP) | Another common protocol used for VPNs.
Secure Socket Tunneling Protocol (SSTP) | A VPN protocol that uses SSL/TLS to encrypt HTTP traffic in a tunnel.
Wired Equivalent Privacy (WEP) | An older protocol for securing wireless network traffic.
Wi-Fi Protected Access (WPA) | A more secure protocol than WEP, with stronger encryption for wireless network traffic.
Kerberos | Used to authenticate network nodes to one another over a network that is not secure.

Types of Router Attacks

Routers can be vulnerable to several types of attacks, including:

  • DoS attacks—In a DoS attack, the attacker uses one of three approaches. The attacker can damage the router's ability to operate, overflow the router with too many open connections at the same time, or use up the bandwidth of the router's network. In a DoS attack, the attacker usually floods the network with malicious packets, preventing legitimate network traffic from passing. The following section discusses specific types of DoS attacks.

  • Packet mistreating attacks—A packet mistreating attack occurs when a compromised router mishandles packets. This type of attack results in congestion in a part of the network.

  • Router table poisoning—Router table poisoning is one of the most common and effective attacks. To carry out this type of attack, an attacker alters the routing data update packets that the routing protocols need. This results in incorrect entries in the routing table. This, in turn, can result in artificial congestion, can overwhelm the router, and can allow an attacker access to data in the compromised network.

DoS Attacks

A perpetrator launches a DoS attack to make a computer resource unavailable to its users by flooding the network or by disrupting the connections. A DoS attack can target a specific Web site, a server application, or an entire network. A distributed DoS attack is a DoS attack in which a large number of compromised systems attack a single target.

The following are symptoms of a DoS attack:

  • Unusual slowdown of network services

  • Unavailability of a specific Web site

  • Dramatic increase in the volume of spam

Attackers use a number of specific types of DoS attacks. The following are some of the most common examples:

  • Ping of death attack—In a ping of death attack, an attacker sends an Internet Control Message Protocol (ICMP) echo packet of a larger size than the IP protocol can accept. At one time, this form of attack caused many operating systems to lock or crash, until vendors released patches to deal with the ping attacks. Some firewalls block ICMP ping messages.

  • Teardrop attack—In a teardrop attack, the attacker sends fragments of packets with bad values in them which cause the target system to crash when it tries to reassemble the fragments. Like the ping of death attack, the teardrop attack has been around long enough for vendors to have released patches to avoid it.

  • SYN flood attacks—In a SYN flood attack, the attacker sends unlimited SYN packets to the host system. The SYN packets, which are requests, arrive so quickly that the system doesn't have time to handle them properly.

  • Land attacks—In a land attack, the attacker sends a fake TCP SYN packet with the same source and destination IP addresses and ports as the target computer. Basically, the computer is tricked into thinking it is sending messages to itself because the packets coming in from the outside are using the computer's own IP address.

  • Smurf attacks—A smurf attack generates a large number of ICMP echo requests from a single request, acting like an amplifier. This causes a traffic jam in the target network. Worse still, if the routing device on the target network accepts the requests, hosts on that network will reply to each echo, increasing the traffic jam.

  • Fraggle attacks—A fraggle attack is similar to a smurf attack, except that it uses spoofed UDP packets instead of ICMP echo replies. Fraggle attacks can often bypass a firewall.

Techniques for detecting DoS attacks include activity profiling, sequential change point detection, and wavelet-based signal analysis. Detecting DoS attacks can be challenging. For example, it can be difficult to detect and distinguish malicious packet traffic from legitimate packet traffic. In addition, false positives, missed detections, and detection delays cause problems.
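As an added illustration of the sequential change point detection mentioned above (not code from the book), the following one-sided CUSUM detector watches per-second packet counts from a hypothetical sensor; the counts are constructed, and the training length and sigma multiples are assumptions you would tune for your own network.

```python
import statistics

# Constructed per-second packet counts from a hypothetical network sensor:
# about 100 packets/s of normal traffic for 20 seconds, then a flood.
PACKET_COUNTS = [97, 103, 99, 101, 105, 98, 100, 102, 96, 104,
                 101, 99, 103, 97, 100, 102, 98, 101, 99, 100,
                 640, 910, 1200, 1350, 1420, 1390, 1450, 1410, 1480, 1500]


def cusum_detect(series, training, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM change-point detector.

    The first `training` samples define normal behaviour (mean mu, std sigma).
    Each later sample adds its excess over mu, minus an allowance k, to a running
    sum clamped at zero: ordinary jitter decays away, while a sustained upward
    shift accumulates until it crosses the decision threshold h. Unlike a plain
    per-sample threshold, this also catches a slow ramp of small excesses.

    Returns (alarm_index, onset_index, stats): the first sample at which the
    alarm fires (None if never), the estimated start of the change (the sample
    after the sum was last zero), and the CUSUM value at every sample.
    """
    if training < 2 or training > len(series):
        raise ValueError("training window must cover at least 2 samples of the series")
    baseline = series[:training]
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline) or 1.0   # avoid a zero threshold on flat data
    k = k_sigma * sigma     # allowance: shifts smaller than this are ignored
    h = h_sigma * sigma     # decision threshold
    s = 0.0
    stats = []
    last_zero = -1
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))
        stats.append(s)
        if s == 0.0:
            last_zero = i
        if i >= training and s > h:   # never alarm on the training data itself
            return i, last_zero + 1, stats
    return None, None, stats


def flood_report(series, training=20):
    """Summarise a detected flood for the investigation notes, or return None."""
    alarm, onset, _ = cusum_detect(series, training)
    if alarm is None:
        return None
    return {
        "alarm_second": alarm,
        "onset_second": onset,
        "baseline_mean": round(statistics.mean(series[:training]), 2),
        "peak": max(series[onset:]),
    }
```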

Web Attacks

Web sites and Web applications are increasing in number and complexity. Many business applications are now delivered over the Web using HTTP. Many types of attacks target Web sites and Web applications. The following are some of the best-known attacks:

  • Cross-site scripting attacks—These attacks occur when a Web page collects data from a user and displays that input on the page without validating the input. The attackers insert malicious code—such as JavaScript, VBScript, ActiveX, HTML, or Flash code—into the Web page. The Web page then executes the malicious script on the user's machine and collects information about the user, steals the session cookies and takes over the user's account, or executes malicious code, such as a virus, on the end user's computer.

  • SQL injection attacks—These attacks occur when structured query language (SQL) code—not created by the developer—passes into an application. A SQL injection attack targets the database that supports a Web application. In this type of attack, user-provided data in the form of a dynamic SQL statement is placed in the SQL query. Unless the input is validated for correct format or checked for embedded escape strings, the attacker's input becomes part of the query and executes arbitrary SQL commands. To locate a SQL attack, review intrusion detection system (IDS) log files, database server logs, and Web server log files.

  • Code injection attacks—A code injection attack is similar to a SQL injection attack. In this attack, instead of passing SQL commands as user input, the attacker sends other types of malicious input, such as shell commands or Hypertext Preprocessor (PHP) scripts. The server receives and executes the request, often allowing the attacker to access Web sites or databases normally restricted to authorized users. Perpetrators often use this sort of attack to access databases that contain personal information, such as credit card numbers and passwords.

    An IDS, which you'll read more about in the next section, detects code injection attacks. The IDS looks for a series of executable instructions in the network traffic. It then executes the instructions in a matched, monitored environment. If the instructions use system resources, the IDS sends an alert indicating that the incoming packet contains malicious data.

  • Buffer overflow attacks—Buffer overflow attacks are among the most common attacks on the Web. In this type of attack, a buffer, which is a temporary data storage area, is overloaded with more data than the buffer can handle. One of the reasons that this type of attack is so common is that it's easy to write beyond the bounds of data objects in languages such as C and C++. When a buffer overflows, it transfers the data to any adjacent buffers, which can corrupt the data in those buffers. This can damage a system's files. The extra data may include malicious code. Excess requests to a server may result in a server compromise and allow an attacker to run commands directly on the server.

  • Cookie poisoning—Cookie poisoning is the process of tampering with the value of cookies. Web applications use cookies to store information, such as user ID, passwords, account numbers, items ordered online, and prices. Cookie poisoning results in an attacker gaining unauthorized access to a user's sensitive personal information.

    Use software packages to detect poisoned cookies. Intrusion prevention products trace the Set-Cookie commands issued by the Web server. For each Set-Cookie command, the software stores the cookie name, value, IP address, and session identifier. The product then intercepts every HTTP request sent to the server and compares the cookie information with the stored cookies. If a cookie's content has changed, the software determines that an attack has occurred.
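The comparison just described, written out as an added example (not a product's code and not from the book): the monitor records what the server issued per client IP and session, then flags any request cookie whose value differs. It assumes the caller already knows the session identifier (for instance from the session cookie) and that the cookie values are constructed for illustration.

```python
from collections import namedtuple

# One discrepancy between what the server issued and what the client sent back.
Finding = namedtuple("Finding", "name expected observed")


def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header, ignoring attributes such as Path."""
    pair = header.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def parse_cookie_header(header):
    """Return {name: value} from a request Cookie header such as "a=1; b=2"."""
    cookies = {}
    for pair in header.split(";"):
        if "=" in pair:
            name, _, value = pair.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


class CookieMonitor:
    """Tracks the cookies a server issued per (client IP, session) and flags changes."""

    def __init__(self):
        self._issued = {}   # (client_ip, session_id) -> {cookie name: issued value}

    def record_response(self, client_ip, session_id, set_cookie_headers):
        """Store every Set-Cookie the server sent to this client/session."""
        store = self._issued.setdefault((client_ip, session_id), {})
        for header in set_cookie_headers:
            name, value = parse_set_cookie(header)
            store[name] = value   # a later Set-Cookie legitimately replaces an earlier one

    def check_request(self, client_ip, session_id, cookie_header):
        """Compare the request's cookies with what was issued; return the discrepancies.

        A cookie the server never issued is reported with expected=None. A cookie
        that was issued but not sent back is not reported, because path and
        domain scoping make that normal.
        """
        issued = self._issued.get((client_ip, session_id))
        observed = parse_cookie_header(cookie_header)
        findings = []
        for name in sorted(observed):
            expected = None if issued is None else issued.get(name)
            if expected != observed[name]:
                findings.append(Finding(name, expected, observed[name]))
        return findings


def demo():
    """Constructed exchange: two cookies issued, one clean request, one edited request."""
    monitor = CookieMonitor()
    monitor.record_response("192.0.2.10", "sess-0001",
                            ["user_id=1042; Path=/; HttpOnly", "cart_total=49.99; Path=/"])
    clean = monitor.check_request("192.0.2.10", "sess-0001",
                                  "user_id=1042; cart_total=49.99")
    tampered = monitor.check_request("192.0.2.10", "sess-0001",
                                     "user_id=7; cart_total=0.01")
    return clean, tampered
```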

Investigating Network Traffic

Many different types of evidence exist on networks. For example, evidence can exist in clients, servers, network devices, and network traffic. You can often determine the source, nature, and time of an attack by analyzing a compromised system's log files. Once you've identified that an attack has occurred or is occurring, inspect the firewall and IDS logs to determine whether the attack is from a compromised computer on your network or from outside your network. You can also use sniffers and other tools to examine network traffic.

Using Log Files as Evidence

An end-to-end investigation looks at an entire attack. It looks at how an attack starts, at the intermediate devices, and at the result of the attack. Evidence may reside on each device in the path from the attacking system to the victim. Routers, VPNs, and other devices produce logs. Network security devices, such as firewalls and intrusion detection systems (IDS), also generate logs. An IDS is software that automates the process of monitoring events occurring in a computer system or network and analyzing them for signs of possible incidents and attempting to stop detected possible incidents.

A device's log files contain the primary records of a person's activities on a system or network. For example, authentication logs show accounts related to a particular event and the authenticated user's IP address. They contain date and timestamps as well as the username and IP address of the request. Application logs record the time, date, and application identifier. When someone uses an application, it produces a text file on the desktop system containing the application identifier, the date and time the user started the application, and how long that person used the application.

Operating systems log certain events, such as the use of devices, errors, and reboots. You can analyze operating system logs to identify patterns of activity and unusual events. Network device logs, such as firewall and router logs, provide information about the activities that take place on the network. You can also use them to support logs provided by other systems.

Examine log files to discover attacks. For example, a firewall log may show access attempts that the firewall blocked. These attempts may indicate an attack. Log files can show how an attacker entered a network. They can also help find the source of illicit activities. For example, log files from servers and Windows security event logs on domain controllers can attribute activities to a specific user account. This may lead you to the person responsible.

Tip

Because user accounts can be shared or hacked, you can't prove that the account owner is the person responsible for an attack. You can, however, say that the server authenticated a specific user account at a specific time. You can also attribute specific events to an individual account.

An IDS records events that match known attack signatures, such as buffer overflows or malicious code execution. Configure an IDS to capture all the network traffic associated with a specific event. In this way, you can discover what commands an attacker ran and what files he or she accessed. You can also determine what files the criminal uploaded, such as malicious code.

You bump into a few problems when using log files, however. One is that logs change rapidly, and getting permission to collect evidence from some sources, such as ISPs, takes time. In addition, volatile evidence is easily lost. Another is that hackers can easily alter logs to include false information.

You can use log files in court if the files meet certain requirements: The logs must be created reasonably contemporaneously with the event. The log files must not be tampered with, and the logs must be kept as a regular business practice. This means that logs instituted after an incident has begun do not qualify as a customary business practice. This is one of the reasons security professionals recommend routinely logging events in an organization. For example, an organization can configure an IDS to capture network traffic whenever a specific condition occurs, such as whenever an alert goes out.

Logs can be admissible in court under the business records exception of the hearsay rules. The Federal Rules of Evidence provide a general definition of hearsay as a "statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted." The business records exception says that the courts consider business records, created during the ordinary course of business, reliable. An organization can use these records if it lays the proper foundation when introducing the records as evidence. Depending on the jurisdiction, either the records custodian or someone with knowledge of the records must lay a foundation for the records.

This person must be able to testify about the system used, where the logging software came from, how and when records are created, and so on. Any record of failures of the hardware or software platform used to create the logs will call the evidence into question.

Firewall Forensics

As mentioned in Chapter 5, all the traffic going through a firewall is part of a connection. A connection consists of two Internet Protocol (IP) addresses that are communicating with each other and two port numbers that identify the protocol or service. To review, the three ranges for port numbers are:

  • Well-known ports—The well-known ports are those from 0 through 1023.

  • Registered ports—The registered ports are those from 1024 through 49151.

  • Dynamic ports—The dynamic, or private, ports are those from 49152 through 65535.

Attempts on the same set of ports from many different Internet sources are usually due to "decoy" scans. In a decoy scan strategy, an attacker spoofs scans that originate from a large number of decoy machines and adds his or her IP address somewhere in the mix. Using protocol analysis may help you determine who the attacker is. For example, you can ping each of the systems and match up the time to live (TTL) fields in those responses with the connection attempts. The TTLs should match; if they don't, they are being spoofed by an attacker. One drawback is that scanners may randomize the attacker's own TTL, making it difficult to pinpoint the source.

Analyze the firewall logs in depth to look for decoy addresses originating from the same subnets. You will likely see that the attacker has connected recently, whereas the decoyed addresses have not.
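The TTL comparison and subnet check described above, as an added example that is not part of the book: the firewall entries, probe results and connection history are constructed, and the scoring in rank_candidates is my own simple heuristic, not a standard method.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log of connection attempts against one port from several
# sources within the same minute: (source IP, destination port, TTL seen in the packet).
SCAN_ATTEMPTS = [
    ("203.0.113.5", 22, 57),
    ("203.0.113.9", 22, 113),
    ("198.51.100.20", 22, 113),
    ("192.0.2.77", 22, 113),
]

# Constructed results of pinging each source afterwards: the TTL in its echo reply.
PROBE_TTLS = {
    "203.0.113.5": 57,
    "203.0.113.9": 57,
    "198.51.100.20": 115,
    "192.0.2.77": 241,
}

# Constructed earlier firewall history (source IP, destination port) from the days before.
PRIOR_CONNECTIONS = [
    ("203.0.113.5", 443),
    ("203.0.113.5", 80),
    ("192.0.2.200", 443),
]


def ttl_consistency(attempts, probe_ttls, tolerance=0):
    """Map each source to True if every logged TTL matches its probed TTL, False if
    not, and None if the probe got no reply. A mismatch suggests the address was
    spoofed. As the text notes, a scanner may randomize its own TTL, so a match
    is supporting evidence rather than proof."""
    seen = defaultdict(set)
    for src, _port, ttl in attempts:
        seen[src].add(ttl)
    result = {}
    for src, ttls in seen.items():
        probed = probe_ttls.get(src)
        if probed is None:
            result[src] = None
        else:
            result[src] = all(abs(t - probed) <= tolerance for t in ttls)
    return result


def subnet_clusters(sources, prefixlen=24):
    """Group sources by /prefixlen network; several decoys in one subnet stand out."""
    groups = defaultdict(list)
    for src in sorted(set(sources), key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        groups[str(net)].append(src)
    return dict(groups)


def rank_candidates(attempts, probe_ttls, prior_connections):
    """Order scan sources by how likely they are the real scanner: a consistent TTL
    and prior, ordinary connections from the same address both count in favour."""
    consistency = ttl_consistency(attempts, probe_ttls)
    history = defaultdict(int)
    for src, _port in prior_connections:
        history[src] += 1
    ranked = []
    for src, consistent in consistency.items():
        score = (2 if consistent else 0) + (1 if history[src] else 0)
        ranked.append({"source": src, "ttl_consistent": consistent,
                       "prior_connections": history[src], "score": score})
    return sorted(ranked, key=lambda r: (-r["score"], r["source"]))
```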

Using Sniffers and Other Traffic Analysis Tools

A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network. You use sniffers to collect digital evidence. Configure them to work in specific environments. Commonly applied sniffers include Tcpdump (see http://www.tcpdump.org/tcpdump_man.html) for various UNIX platforms and WinDump (see http://www.winpcap.org/windump/), which is a version of Tcpdump for Windows. These programs extract network packets and perform a statistical analysis on the dumped information. Use them to measure response time, the percentage of packets lost, and TCP/UDP connection startup and end.

The following are some other popular tools for network analysis:

  • NetIntercept (see http://www.sandstorm.net/products/netintercept/)

  • Wireshark (see http://www.wireshark.org)

  • CommView (see http://www.tamos.com/products/commview/)

  • Softperfect Network Protocol Analyzer (see http://www.softperfect.com)

  • HTTP Sniffer (see http://www.effetech.com/sniffer/)

  • ngrep (see http://sourceforge.net/projects/ngrep/)

  • OmniPeek (see http://www.wildpackets.com)

Some software tools for investigating network traffic include:

  • NetWitness (http://www.netwitness.com)

  • NetResident (http://www.tamos.com/products/netresident/)

  • InfiniStream (http://www.netscout.com/products/infinistream.asp)

  • Snort (http://www.snort.org)

When collecting evidence on a network, it's vital to document what you've collected. Specifically, note in detail who collected the evidence, when it was collected, where it was collected, and how it was collected. Then analyze the evidence to construct a clearer picture of all activities that have occurred. If possible, organize the evidence by time and function.

Investigating Router Attacks

Using network forensics, you can determine the type of attack over a network. You can also in some cases trace the path back to the attacker. A router is a hardware or software device that forwards data packets across a network to a destination network. The destination network could be multiple networks away. A router may contain read-only memory with power-on self-test code, flash memory containing the router's operating system, nonvolatile random-access memory (NVRAM) containing configuration information, volatile RAM containing the routing tables, and log information.

A router is located where two networks meet. A router connects to at least two networks. A router can connect any type of networks, as long as they use the same protocols. Routers are more intelligent than switches. They actually inspect the address portion of the packets on a network.

Note

The basic functions of a router are to:

  • Forward packets

  • Share routing information

  • Filter packets

  • Perform network address translation

  • Encrypt or decrypt packets when used with VPNs

Basically, a router checks the destination address on a packet, determines the best path for the packet to reach its destination, and passes the packet either to its destination network or across another network to the next router on the path. Router software chooses the best path and next location based on information about the state of the networks the router is connected to. Routers use headers and forwarding tables to make decisions about where to send packets. Routers use protocols, such as ICMP, to communicate the best route between hosts.

Routers operate in the first three levels of the OSI seven-layer protocol stack. The Open Systems Interconnection (OSI) reference model is a tool for understanding communications systems. As shown in Figure 11-2, the OSI reference model divides networking into seven layers. Each layer contains similar functions that provide services to the layer above it and receive services from the layer below it.

A routing table determines the final destination of the data packets sent through the router. Among other information, router tables contain:

  • An address prefix, which is the packet's final address

  • A next-hop address, which is the address of the next router the packet will be delivered to on its route

  • A value for choosing between several routes with similar prefixes

  • The route duration

  • The route type

Figure 11-2. The OSI reference model.

Routers are vital to the Internet and are the backbone of any network infrastructure. This makes routers preferred targets for those who want to break into a specific network. If an attacker can control the router, the attacker can transmit any kind of traffic to any network the router is connected to. The attacker can also discover vulnerabilities in the network and open the network to several types of attacks. An attacker can monitor and record logs on traffic into and out of routers to discover which routers handle the most traffic.

The attacker can interrupt communication by dropping or misrouting packets as they pass through the router. A denial of service (DoS) attack will occur if the attacker disables the router. An attacker can often disable neighboring routers and networks and stop communications among several networks. If an attacker can compromise a router, he or she can avoid firewalls and IDS.

Note

As discussed earlier in this chapter, routers can be vulnerable to several types of attacks, including DoS attacks, packet mistreating attacks, and router table poisoning.

Collecting Router Evidence

When you investigate a router, have the system online to determine what kind of traffic is going through the router. To analyze an attack, you must recover live data. Be extremely cautious in investigating routers because you can lose valuable evidence if you mishandle the router. For example, never restart or reboot a router as part of incident response. Routers can contain important evidence in volatile memory. You can lose this evidence if you disconnect the router from the network or if you shut down or reboot the router.

Record all the steps that you take while investigating a router. For example, record when you log onto the router and record the actual and router time of each step you take. You can show the current time by using the show clock detail command, as follows, in the router console:

(router name)#show clock detail

Access a router through the router console and not through the network. Configuration commands may change the state of the router. Therefore, use only show commands and not configuration commands.

For most router investigations, follow these steps:

  1. Link to the console port and document the system time by using the following command:

     (router name)#show clock detail

  2. Examine the logs to see who has gained access to the router:

     (router name)#show users

  3. Examine the router's uptime, which is the time since the previous bootup:

     (router name)#show version

  4. Save the running router configuration:

     (router name)#show running-config

  5. Save the startup router configuration:

     (router name)#show startup-config

  6. Examine the routing table to detect vulnerable and static routes that are modified by the router through Routing Information Protocol (RIP) spoofing:

     (router name)#show ip route

     This reveals the IP address to which the attack was directed and exactly how the attack was carried out.

  7. Verify the interface configuration:

     (router name)#show ip interface

  8. Inspect the ARP cache:

     (router name)#show ip arp

By following these steps, you can gather information about where users on the network have been and when. You can also find out who or what has been trying to get into the network.
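The procedure above asks you to record the actual time and the router time for every step. The following Python script is an added example, not part of the book or of Cisco IOS: it parses the first line of a (constructed) `show clock detail` output in the IOS format, computes the offset between the router clock and the investigator's clock, and writes each step into a notebook with both times and a SHA-256 hash of the captured output. The sample output, the investigator time, and the `record_step` notebook layout are assumptions for the example.

```python
"""Document each router-console step with investigator time, router time and a hash of the output."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# First line of Cisco IOS 'show clock detail', e.g. "*14:02:37.418 UTC Tue Mar 5 2019".
# A leading '*' means the router does not consider its clock authoritative; a leading '.'
# means it is authoritative but NTP is not currently synchronised; no prefix means authoritative.
CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<time>\d{2}:\d{2}:\d{2})\.(?P<ms>\d{3}) (?P<zone>\S+) "
    r"\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})$")

# Constructed sample output and a constructed investigator wall-clock reading (both UTC).
SAMPLE_SHOW_CLOCK = "*14:02:37.418 UTC Tue Mar 5 2019\nTime source is hardware calendar"
INVESTIGATOR_NOW = datetime(2019, 3, 5, 14, 0, 0, tzinfo=timezone.utc)

def parse_show_clock(output):
    """Return (router time as aware UTC datetime, or None if the zone is not UTC; authoritative; zone)."""
    first = output.strip().splitlines()[0].strip()
    m = CLOCK_RE.match(first)
    if not m:
        raise ValueError("unrecognised show clock output: %r" % first)
    stamp = "%s %s %s %s.%s" % (m["year"], m["mon"], m["day"], m["time"], m["ms"])
    naive = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
    router_utc = naive.replace(tzinfo=timezone.utc) if m["zone"] == "UTC" else None
    return router_utc, m["flag"] == "", m["zone"]

def clock_offset_seconds(show_clock_output, investigator_now):
    """Router clock minus investigator clock, in seconds; positive means the router runs ahead."""
    router_utc, _, zone = parse_show_clock(show_clock_output)
    if router_utc is None:
        raise ValueError("router clock is in zone %s; convert it to UTC before comparing" % zone)
    return (router_utc - investigator_now).total_seconds()

def record_step(notebook, step, command, output, investigator_now, offset_seconds):
    """Append one notebook entry. Router time is derived from the offset measured in step 1,
    so every later step carries both clocks without re-running 'show clock' on the router."""
    entry = {
        "step": step,
        "command": command,
        "investigator_time": investigator_now.isoformat(),
        "router_time": (investigator_now + timedelta(seconds=offset_seconds)).isoformat(),
        "output_sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
    }
    notebook.append(entry)
    return entry
```

A non-authoritative flag or a large offset is itself worth noting in the record, because it affects how router log timestamps line up with other evidence.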

Router Logs

Check logs to see who logged into a router during a specific time period. Other types of logging are also useful. Common router log files contain the following information:

  • System time

  • Total time for message delivery, or duration

  • Client IP address

  • Actual size of the data transferred to the client

  • Requested URLs

  • Server name

  • Server IP address

  • Server port

  • Request method (for example, get)

  • Client's uniform resource identifier (URI) query

  • Bytes sent by the server

  • Bytes received by the server

  • Client's protocol version

  • Host header name

  • HTTP status code

  • Cookie contents

Many routers and switches have a logging feature called NetFlow services. NetFlow logs provide information about network traffic and activities. NetFlow logs don't capture network content. Therefore, these logs allow you to monitor without the privacy issues associated with full packet capture and analysis. NetFlow logs from internal and bordering routers provide information such as the start and end times for data flow, source and destination IP addresses, port numbers, and the number of packets.

In an investigation, you can use NetFlow logs to show the source of an attack, the protocols used, the ports accessed, and the amount of data transferred. When you have identified the source of an attack, search the NetFlow logs for other compromised devices and computers on the network.
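The two NetFlow uses described above (finding the attack source, then searching for other compromised hosts) can be scripted. The following Python is an added example, not from the book or from any NetFlow tool: it reads a constructed, simplified CSV flow export (not real flow-tools output), ranks external sources by bytes sent into the network, lists the internal hosts and ports each source reached, and then pivots to other hosts that those machines contacted or that called back out to the source. The column layout and the internal address range are assumptions for the sample.

```python
"""Triage NetFlow-style records: rank external sources, list ports accessed, pivot to other hosts."""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample in a simplified flow-export layout (not real flow-tools output).
# Columns: start,end,srcaddr,dstaddr,proto,srcport,dstport,packets,bytes (proto 6 = TCP, 17 = UDP).
SAMPLE_FLOWS = """\
start,end,srcaddr,dstaddr,proto,srcport,dstport,packets,bytes
2021-03-01T09:00:01,2021-03-01T09:00:02,203.0.113.7,192.168.10.5,6,51000,22,4000,260000
2021-03-01T09:01:10,2021-03-01T09:01:11,203.0.113.7,192.168.10.9,6,51001,445,3500,210000
2021-03-01T09:02:00,2021-03-01T09:02:30,192.168.10.5,192.168.10.20,6,44000,445,900,72000
2021-03-01T09:03:00,2021-03-01T09:03:01,192.168.10.31,198.51.100.2,17,53000,53,2,200
2021-03-01T09:04:00,2021-03-01T09:04:10,192.168.10.9,203.0.113.7,6,40001,4444,600,48000
"""
INTERNAL = ip_network("192.168.10.0/24")  # assumed internal address range for the sample
def load_flows(text):
    """Parse the CSV export; numeric columns become ints so they can be summed and compared."""
    flows = list(csv.DictReader(io.StringIO(text)))
    for f in flows:
        for key in ("proto", "srcport", "dstport", "packets", "bytes"):
            f[key] = int(f[key])
    return flows

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def external_sources_by_bytes(flows):
    """External sources ranked by the bytes they sent into the network, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["srcaddr"]) and is_internal(f["dstaddr"]):
            totals[f["srcaddr"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def services_touched(flows, source):
    """Internal host -> set of (proto, dstport) that the source connected to."""
    touched = defaultdict(set)
    for f in flows:
        if f["srcaddr"] == source and is_internal(f["dstaddr"]):
            touched[f["dstaddr"]].add((f["proto"], f["dstport"]))
    return dict(touched)

def follow_pivots(flows, source):
    """Hosts the source reached, hosts calling back to it, and internal hosts those then talked to."""
    suspect = set(services_touched(flows, source))
    suspect |= {f["srcaddr"] for f in flows if f["dstaddr"] == source and is_internal(f["srcaddr"])}
    changed = True
    while changed:  # transitive closure over internal-to-internal flows from suspect hosts
        changed = False
        for f in flows:
            if f["srcaddr"] in suspect and is_internal(f["dstaddr"]) and f["dstaddr"] not in suspect:
                suspect.add(f["dstaddr"])
                changed = True
    return sorted(suspect, key=ip_address)
```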

A free set of utilities for collecting and analyzing NetFlow logs is called the flow-tools package. Download this free, open source package from http://www.splintered.net/sw/flow-tools/. Other tools available for processing NetFlow data include SiLK, at http://tools.netsa.cert.org/silk/, and the Orion NetFlow Traffic Analyzer, at http://www.solarwinds.com/products/orion/nta.

Tip

While router logs are useful, some evidence exists only inside data packets. To review the contents of packets, you can capture network traffic by using a sniffer, as discussed earlier in this chapter.

CHAPTER SUMMARY

Collecting network data is one of a forensic investigator's greatest challenges. Because of the amount of network data, it can be difficult or even impossible to record all the data moving through a network. As a system forensics analyst, you must be able to use a variety of tools to sort through large amounts of data to extract what is most useful. To investigate computer networks, learn all you can about network architecture, network devices and protocols, and various logs. Documenting in detail the steps you take in gathering and analyzing the evidence is essential.

KEY CONCEPTS AND TERMS

  • 802.11 standards

  • Bluetooth

  • Campus area network (CAN)

  • Global area network (GAN)

  • Intrusion detection system (IDS)

  • Local area network (LAN)

  • Log file

  • Metropolitan area network (MAN)

  • Network

  • Open Systems Interconnection (OSI) reference model

  • Peer-to-peer (P2P) network

  • Personal area network (PAN)

  • Router

  • Server-based network

  • Topology

  • Wide area network (WAN)

  • Wireless local area networks (WLANs)

CHAPTER 11 ASSESSMENT

  1. A ________ is a collection of computers and devices joined by connection media.

  2. Which of the following is a network that covers a small physical area, such as an office or a building?

    1. PAN

    2. LAN

    3. MAN

    4. WAN

  3. The Internet is an example of which of the following types of networks?

    1. PAN

    2. LAN

    3. MAN

    4. WAN

  4. In a P2P network, each user manages his or her own resources and configures who may access the user's computer resources and how. On a P2P network, each computer is configured individually.

    1. True

    2. False

  5. Which of the following is the most common protocol for regular Web pages?

    1. TCP/IP

    2. IP

    3. HTTP

    4. DHCP

    5. IPSec

  6. Software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents and attempting to stop detected possible incidents is known as _________.

  7. Which of the following is not an example of a network-related attack?

    1. Buffer overflow attack

    2. Firewall attack

    3. Cookie poisoning

    4. DDoS attacks

    5. Fraggle attack

  8. Log files provide good forensic information, but they can't be used in court.

    1. True

    2. False

  9. Which of the following are wireless technologies? (Select two.)

    1. TCP/IP

    2. Bluetooth

    3. DDoS attacks

    4. 802.11b

    5. Firewalls

  10. Port numbers are divided into three ranges. Which of the following is not one of the ranges?

    1. Well-known ports

    2. Open ports

    3. Registered ports

    4. Dynamic ports

  11. A ________ is a hardware or software device that forwards data packets across a network to a destination network.

  12. The ________ divides networking into seven layers that provide services to and receive services from the layers directly above and below.
