H12-721 Huawei Certified ICT Professional - Constructing Infrastructure of Security Network Questions and Answers

Note: TCP reverse source detection principle, when the device receives a SYN message, it will detect the existence of the source IP. The TCP reverse source detects the SYN-ACK sequence number that is sent incorrectly. If the source exists, it will send an RST message to request a three-way handshake. Because the reverse source detection mechanism is not affected by the successful establishment of the session table, it is recommended to use the reverse source detection technology to defend against SYN flood attacks. If you use TCP proxy attack defense, you must enable the state detection mechanism.

Note: The main mode requires a total of 6 messages in three steps to complete the first phase of negotiation, and finally establishes an IKE SA: these three steps are mode negotiation, Diffle-Hellman exchange and nonce exchange, and the identity of both parties. verification. Features of the main mode include identity protection and full utilization of ISAKMP negotiation capabilities. Among them, identity protection is particularly important when the other party wants to hide their identity. Before the messages 1, 2 are sent, the negotiation initiator and the responder must calculate and generate their own cookies, which are used to uniquely identify each individual negotiation exchange. The cookie uses the source/destination IP address, random number, date, and time to perform the MD5 operation. And put into the ISAKMP of Message 1 to identify a separate negotiated exchange. In the first exchange, the two parties need to exchange the cookie and the SA payload. The SA load carries the parameters of the IKE SA to be negotiated, including the IKE hash type, the encryption algorithm, the authentication algorithm, and the negotiation time of the IKE SA. Limits, etc. Before the second exchange after the first exchange, the communicating parties need to generate a DH value for generating a Diffle-Hellman shared key. The generation method is that each party generates a random number, and the random number is processed by the DH algorithm to obtain a DH value Xa (initiator ' s DH value) and Xb (responder ' s DH value), and then both sides calculate according to the DH algorithm. A temporary value of Ni and Nr is given. For the second exchange, the two parties exchange their respective key exchange payloads (Diffle-

Hellman exchange, including Xa and Xb) and temporary value payloads (nonce exchanges containing Ni and Nr). After the two parties exchange the temporary value loads Ni and Nr, the pre-shared key is pre-prepared, and then a pseudo-random function operation can generate a key SKEYID, which is the basis of all subsequent key generation. Then, by calculating the DH value calculated by itself, the DH value obtained by the exchange, and the SKEYID, a shared key SKEYID_d that only the two parties know is generated. This shared key is not transmitted, only the DH value and the temporary value are transmitted, so even if the third party gets these materials, the shared key cannot be calculated. After the second exchange is completed, the calculation materials required by both parties have been exchanged. At this time, both parties can calculate all the keys and use the key to provide security for subsequent IKE messages. These keys include DKEYID_a and DKEYID_e. DKEYID_a is used to provide security services such as integrity and data source authentication for IKE messages. DKEYID_e is used to encrypt IKE messages. The third exchange is the exchange of the identification load and the hash load. The identifier payload contains the identifier information, IP address or host name of the initiator; the hash payload contains the values ​​obtained by HASH operation of the three sets of keys generated in the previous process. These two payloads are encrypted by DKEYID_e. If the payloads of both parties are the same, the authentication is successful. The IKE first-stage master mode pre-shared key exchange is complete.

Note: Asynchronous mode: is the main mode of operation of BFD. In this mode, after the BFD session is established, the two systems periodically send BFD control messages to each other. If the packet sent from the peer is not received, the BFD session is considered to be in the Down query mode. It is the second mode of BFD. When a BFD session exists in a system, the BFD control packet is periodically sent. The overhead affects the normal operation of the system, and the query mode can be adopted.

Note: 4 types of network attacks: First, traffic-type attacks: commonly used Flood mode, send a large number of seemingly legitimate TCP, UDP, ICMP packets to the target host, and even some attackers also use source address forgery technology to Bypassing the monitoring of the detection system, thereby draining bandwidth or server resources. The second is scanning snooping attacks: using ping (including ICMP and TCP) scans to identify surviving systems on the network to identify potential targets and identify target weaknesses. The third is a malformed packet attack: by sending a defective packet to the target system, the target system generates an error when processing such an IP packet, or causes a system crash, which affects the normal operation of the target system. The main methods are ping of Death and Teardrop. The fourth is special packet attack: using some legitimate packets to reconnaissance or data detection on the network. These packets are legal application types, but they are rarely used in normal networks.

Note: The HRP backup channel configuration of the active and standby USGs must be the same. The HRP backup channel interfaces of the active and standby USGs must be directly connected. The switch cannot be connected in the middle. The HRP backup channel interface cannot be a Layer 2 switch interface or a Vlanif interface. The USG supports the use of an Eth-Trunk interface as an HRP backup channel, which improves reliability and increases the bandwidth of the backup channel. There are three ways to back up HRP in the textbook: real-time backup, fast backup, and batch backup. After consulting the data, there are four persuasive arguments: one is fast backup; the other is batch backup; the third is manual backup; the fourth is automatic backup--the default backup mode when HRP function is enabled. Therefore, the answer is ABC

Note: In ARP Flood attack prevention, the unit that restricts traffic is pps (package/second). From this point of view, there is no correct answer. This question appeared in the exam. From the results, it should limit the ARP traffic by 100 packets/second instead of 100 packets/minute. The correct answer should be A.

Note: Haiwei Secoway VPN is Huawei ' s VPN product, using the standard L2TP protocol, the destination port number uses UDP 1701; if using L2TP over IPSec technology, it uses UDP 500 and UDP4500 ports, if the port in the question If the number is not a mistake, the correct answer should be B, which is false.

Note: The management control information and service information of the inband management interface are sent on the same channel.

Note: Compared with T151 RD: indicates that this SA has been successfully established; ST: indicates that this end is the channel negotiation initiator; RL: indicates that this channel has been replaced by a new channel, will be deleted after a while; FD: indicates this A soft timeout has occurred on the channel. It is still in use. The hard timeout will delete the pass. TO: indicates that the SA has not received the keepalive message after the last keepalive timeout, if the next keepalive timeout occurs. If no keepalive packet is received, this SA will be deleted.

Note: Can be used as an in-band management interface. In-band management: The management control information of the network and the bearer service information of the user network are transmitted through the same logical channel. Out-of-band management: The management control information of the network and the bearer service information of the user network are transmitted on different logical channels.

Note There are three types of load balancing algorithms supported by the USG firewall: one is the source address hash algorithm; the other is the simple polling algorithm; the third is the weighted round robin algorithm.

Note: ACK Flood defense principle: First, when the ACK packet rate exceeds the threshold, start session check: (If the cleaning device checks that the ACK packet does not hit the session, there are 2 processing modes, (strict mode - - The strict mode is recommended in the network where the route is deployed. If the cleaning device does not check the established session, the device discards the packet. The basic mode: When the bypass is deployed, the device is cleaned before the session is established. The session is not detected. In this case, the basic mode is recommended. That is, when the ACK packet rate exceeds the threshold for a period of time, the session check is started. The device first passes several ACK packets to establish a session. Check the session to determine whether to discard the packet. Second, if the cleaning device checks the ACK packet to hit the session, check the session creation reason). The second is that the load check is performed by the cleaning device to check the payload of the ACK packet. If the payloads are all consistent (if the payload content is all 1), the packet is discarded. The third is to check the reason for the session creation if the cleaning device checks that the ACK packet hits the session. The fourth is if the session is by SYN or SYN-

If the ACK packet is built, the packet is allowed to pass. If the session is created by another packet (for example, an ACK packet), the packet inspection result is checked. The packet with the correct sequence number is allowed to pass, and the incorrect packet is discarded. The payload check can be enabled only if " session check " is enabled, and the payload check is performed on the packets passed by the session check.

Note: In L2TP over IPSec, packets are encapsulated with L2TP and then encrypted with IPSec. Authentication--L2TP is completed, encryption--IPSec is completed, and there is no direct relationship between authentication and encryption.

Note: The SIP protocol is a video conferencing protocol that works at the application layer.

Note: Virtual firewalls are a combination of VPN instances (Instances), instances of multiple instances, and configuration of multiple instances. The virtual firewall provides the following multiple instances: one is VPN multi-instance; the other is secure multi-instance; the third is to configure multiple instances; the fourth is NAT multi-instance; the fifth is routing multi-instance; the sixth is UTM multi-instance.

Note: B-Land attack; C-Faggle attack: use UDP port 7 (ECHO) - respond to received content and port 19 (Chargen) will generate a character stream after receiving UDP message; D- special ICMP unreachable packet attack in packet attack