Huawei H12-721 HCNP-Security-CISN (Huawei Certified Network Professional - Constructing Infrastructure of Security Network) Exam Practice Test

Note: B-Land attack; C-Faggle attack: use UDP port 7 (ECHO) - respond to received content and port 19 (Chargen) will generate a character stream after receiving UDP message; D- special ICMP unreachable packet attack in packet attack

Note: Land attack: It is to set the source address and destination address of the TCP SYN packet to the IP address of a certain victim. This will cause the victim to send a SYN-ACK message to its own address, which in turn will send back an ACK message and create an empty connection, each of which will remain until timeout. Various victims react differently to Land attacks, many UNIX hosts will crash, and NT hosts will become extremely slow.

Note: 4 types of network attacks: First, traffic-type attacks: commonly used Flood mode, send a large number of seemingly legitimate TCP, UDP, ICMP packets to the target host, and even some attackers also use source address forgery technology to Bypassing the monitoring of the detection system, thereby draining bandwidth or server resources. The second is scanning snooping attacks: using ping (including ICMP and TCP) scans to identify surviving systems on the network to identify potential targets and identify target weaknesses. The third is a malformed packet attack: by sending a defective packet to the target system, the target system generates an error when processing such an IP packet, or causes a system crash, which affects the normal operation of the target system. The main methods are ping of Death and Teardrop. The fourth is special packet attack: using some legitimate packets to reconnaissance or data detection on the network. These packets are legal application types, but they are rarely used in normal networks.

Note: There are three main technologies for implementing load balancing: one is virtual service technology; the other is server health detection; the third is flow-based forwarding.

Note: IKE V1 Phase 1 mainly negotiates the following three tasks: First, negotiate the parameters used to establish IKE SA: encryption algorithm, integrity verification algorithm, identity authentication method and authentication word, DH group, IKE SA life cycle, etc. . These parameters are defined in the IKE security proposal. The second is to use the DH algorithm to exchange information related to the key (the material for generating various keys), and the peer devices can use each of the key information to generate a symmetric key for ISAKMP message encryption and verification. The third is to verify each other's identity and use a pre-shared key or digital certificate to verify identity.

Note: Compare T33

Note: DHCP snooping is a DHCP security feature that filters DHCP messages that do not contain information through MAC address restriction, DHCP snooping security binding, IP+MAC binding, and Option 82 features. DHCP DoS attack, DHCP server spoofing attack, ARP man-in-the-middle attack, and IP/MAC Snooping attack. DHCP snooping is enabled on all interfaces of the DHCP client. If the user-side interface is not configured with the Trusted mode, the interface is enabled with the Snooping feature. The default interface mode is Untrusted. This prevents the DHCP server from being attacked by the bogus. To prevent the attack from being attacked by the DHCP server, you can configure the DHCP snooping function on the device to configure the interface on the user side as Untrusted and the interface on the DHCP server as Trusted. All received from the Untrusted interface. DHCP relay packets are discarded. DHCP snooping is configured on the firewall. The DHCP snooping binding function is used to forward packets only if the received packets are the same as those in the binding table. Otherwise, the packets are discarded.

Answer: BC Note: ACK Flood defense principle: First, when the ACK packet rate exceeds the threshold, the session check is started: (If the cleaning device checks that the ACK packet does not hit the session, there are two processing modes, (strict mode - - The strict mode is recommended in the network where the route is deployed. If the cleaning device does not check the established session, the device discards the packet. The basic mode: When the bypass is deployed, the device is cleaned before the session is established. The session is not detected. In this case, the basic mode is recommended. That is, when the ACK packet rate exceeds the threshold for a period of time, the session check is started. The device first passes several ACK packets to establish a session. Check the session to determine whether to discard the packet. Second, if the cleaning device checks the ACK packet to hit the session, check the session creation reason). The second is that the load check is performed by the cleaning device to check the payload of the ACK packet. If the payloads are all consistent (if the payload content is all 1), the packet is discarded. The third is to check the reason for the session creation if the cleaning device checks that the ACK packet hits the session. The fourth is if the session is by SYN or SYN-

If the ACK packet is built, the packet is allowed to pass. If the session is created by another packet (for example, an ACK packet), the packet inspection result is checked. The packet with the correct sequence number is allowed to pass, and the incorrect packet is discarded. The payload check can be enabled only if "session check" is enabled, and the payload check is performed on the packets passed by the session check.

Note: DoS: The attacker sends a small amount of abnormal traffic of non-traffic traffic to the attacking target through the network, so that the attacked server resolves the packet when the system crashes or the system is busy. Achieve the inability to serve normal users. DDoS: is a distributed DoS.

Note: The preemption function of the VGMP management group is enabled by default. The delay time is 30s, the priority of the master is 65001, and the priority of the slave is 65000.

Note There are three types of load balancing algorithms supported by the USG firewall: one is the source address hash algorithm; the other is the simple polling algorithm; the third is the weighted round robin algorithm.

Note: When dual-system hot backup load sharing is configured, the upstream and downstream routers are configured with equal-cost routes, and no HRP OSPF cost is required. When the dual-system hot standby network is deployed, the standby firewall automatically adds a COST value when it routes routes to the outside (the default is 65500).

Note: To establish a pair of IPSec, IKE V1 needs to go through two phases: "main mode + fast mode" or "barbaric mode + fast mode". The former needs to exchange at least 9 messages, and the latter requires at least 6 messages. In IKE V2, an IKE SA and a pair of IPSecs can be completed by using a total of four messages in two exchanges. If the required IPSec SA is greater than 1 pair, the first pair of SAs only needs to add 1 additional exchange, that is, 2 messages can be completed. This is much easier than IKE V1. IKE V2 defines three types of exchanges: initial exchange, creation of SA exchange, and notification exchange.

Note: IKE DPD needs to be enabled on both the master device and the tunnel peer device. After the switch is enabled, the peer device can quickly detect the tunnel and negotiate with the standby device. If the interval parameter is specified, the DPD works in the polling mode. If there is no traffic in the tunnel during the DPD detection interval, the DPD packet is sent periodically. Second, if the on-demand parameter is specified, it means that the DPD works in the traffic trigger mode. Since the last traffic end time, if there is no traffic in the tunnel during the DPD detection interval, the DPD report will be sent only when there is traffic. And the DPD detection time is recalculated from zero. Otherwise there will be no DPD messages in the tunnel. Third, if no interval or on-demand parameters are specified, DPD works in traffic trigger mode by default.

Note: When dual-system hot backup load balancing is configured, the upstream and downstream routers are configured with equal-cost routes, and no HRP OSPF cost is required. When the dual-system hot standby network is deployed, the standby firewall automatically adds a COST value when it routes routes to the outside (the default is 65500).

Note: IKE messages use UDP port 500. When NAT traversal is not enabled, AH and ESP are directly carried over IP. The protocol numbers are 51 and 50 respectively. In the case of NAT traversal, the first phase--messages and destinations of the IKE exchange process use UDP 4500 for both the source port and the destination port. All IKE messages exchanged with the initiator use 4500 ports. If the initiator is inside the NAT, Then NAT changes the source port of the initiator to another port to communicate with other devices. After the first phase of IKE is completed, both parties to the communication know the existence of NAT, and then negotiate whether to use NAT traversal in the SA load of the second phase of IKE, by adding two new encapsulation modes: UDP-tunnel and transmission mode. . An ESP header is encapsulated directly after the UDP header. The source port number and destination port number in the UDP packet header are the same as the IKE protocol. Therefore, it is necessary to check whether the intermediate device blocks protocol numbers 51 and 50, and the packets of UDP 500 and UDP 4500 ports pass. Analysis - because display ike sees no messages, that is, the first phase of IKE is not completed. The correct answer should be AC

Note: Compared with T151 RD: indicates that this SA has been successfully established; ST: indicates that this end is the channel negotiation initiator; RL: indicates that this channel has been replaced by a new channel, will be deleted after a while; FD: indicates this A soft timeout has occurred on the channel. It is still in use. The hard timeout will delete the pass. TO: indicates that the SA has not received the keepalive message after the last keepalive timeout, if the next keepalive timeout occurs. If no keepalive packet is received, this SA will be deleted.