
Hardware, Software, Systems & Networks

Exam Review Answers


If our exam were open book and six hours long, it would look something like this (without the
pointers). Our actual exam is two hours long and closed book, so the questions will be more focused
than these but cover the same topics. Also be prepared for exam questions that ask you to
integrate some of these smaller questions into a more comprehensive answer.

Learning Outcomes Questions


Learning outcome: Explain the role and operation of each of the software components essential to a
corporate networked information system (C2, PLO1)
Question: 1 (30 marks)

Learning outcome: Evaluate proposed improvements to [2] the configuration of a corporate networked
information system and [3] the associated administration policies and procedures (C4, PLO 2)
Questions: 2, 3 (35 marks)

Samples for Q1:


1. First, partition the disk. Second, create a filesystem on each partition. These two steps must be
done for every disk, regardless of the operating system being installed. Then, copy/install boot
files and device drivers. Finally, activate the bootloader.
2. /etc is for system configuration and startup scripts, /var/log is a standard location
3. /etc/passwd is the primary file that stores information about user accounts and can be read by
all users. /etc/shadow is used by the operating system and is restricted to privileged users. Both
have the user name, but /etc/passwd has a placeholder where /etc/shadow has the actual
encrypted password for the account.
4. A facility code is used to classify the type of program that is logging the message, and in practice
determines which file the message will be written to. The level reflects the severity of an event,
from emergency (system is unstable) up to info (normal operation messages that require no
action) and debug (only of interest to developers).
5. d---rwx---: the first character is the type (d = directory), followed by the owner, group and world
triples, each read-write-execute. r=4, w=2, x=1, added together up to 7. x on a directory allows
viewing the files inside.
6. Sticky bit on the directory ( t ) allows world write, but files can only be deleted by the owner.
/var/run also should have these permissions, because many startup scripts and processes like to
write their PID there. Dovecot also requires these permissions for mailbox folders.
7. It is impossible to send a unicast message without a source and destination IP address. A client
coming up on the network only knows its MAC address, so the DHCPDISCOVER message has to
be broadcast.
8. Commonly used DHCP options include the subnet mask, broadcast address, router addresses, and
the DNS servers the client should use.
9. Since most clients will by default send a REQUEST for the first OFFER they receive, a rogue server
may cause clients to ignore OFFERs from the enterprise DHCP servers. This can cause big problems
with subnet masks, default gateways, nameservers, and other (vendor-specific) options.
Solution: use a packet sniffer in promiscuous mode and filter on port 67 and/or 68. Then go and talk
to the person responsible and/or tune the firewall rules.

10. DNS maps human-friendly domain names to IP addresses, using a hierarchy of DNS servers
that each have their own “zone of authority”. A client will always send an initial DNS query using
the UDP protocol over port 53, and if it does not get a response within a certain time it will
retransmit the query using TCP.
11. (a) /etc/HOSTNAME only has the “proper” (canonical) hostname, which will also be in /etc/hosts
if we are not using DNS. (b) /etc/hosts has a list of IP addresses and aliases. (c) /etc/resolv.conf
identifies the nameservers that provide a DNS lookup service. (d) /var/hostlist is not a standard
configuration file.
12. A DNS CNAME record defines an “alias” or alternative name for a host, which means one IP
address can be associated with more than one name.
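The syslog facility and level from question 4 travel together in one number: the `<PRI>` prefix of every syslog message is facility * 8 + severity. The following is an added example, not part of the review sheet, that decodes that prefix and shows which files a syslog.conf-style routing table would send each message to. The routing table and the sample messages are constructed; the facility and severity code tables are the standard ones from RFC 5424.

```python
# Added example (not from the review sheet): decode the <PRI> prefix of a
# syslog message and work out which files a constructed syslog.conf-style
# routing table would write it to.  PRI = facility * 8 + severity, which is
# why a single number carries both values the answer to question 4 describes.
import re
from typing import Dict, List, Optional, Tuple

# Facility codes 0..23 and severity codes 0..7 as assigned in RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Lower number = more severe: emerg is 0, debug is 7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Optional[Tuple[str, str]]:
    """Return (facility, severity) names for a line starting with <PRI>,
    or None if the prefix is missing or out of range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:          # 191 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


# Constructed routing table in the spirit of syslog.conf: (facility or "*",
# least severe level accepted, destination file).  Like syslogd, a message is
# written to EVERY rule it matches, not just the first.
ROUTING = [
    ("authpriv", "debug", "/var/log/secure"),
    ("mail", "debug", "/var/log/maillog"),
    ("cron", "debug", "/var/log/cron"),
    ("*", "info", "/var/log/messages"),   # everything except debug chatter
]


def destinations(facility: str, severity: str, table=ROUTING) -> List[str]:
    """Files a message with this facility/severity would be written to."""
    sev = SEVERITIES.index(severity)
    out = []
    for fac, least, dest in table:
        if fac in ("*", facility) and sev <= SEVERITIES.index(least):
            out.append(dest)
    return out


def route_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Decode each line's PRI and list where it would land."""
    results = []
    for line in lines:
        decoded = parse_pri(line)
        if decoded is None:
            results.append({"line": line, "error": "no valid <PRI> prefix"})
            continue
        facility, severity = decoded
        results.append({
            "line": line,
            "facility": facility,
            "severity": severity,
            "files": destinations(facility, severity),
        })
    return results


# Constructed sample messages (the text after the PRI is made up).
SAMPLE = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for alice on /dev/pts/8",  # auth.crit
    "<86>Oct 11 22:14:16 host sshd[412]: Accepted publickey for bob",          # authpriv.info
    "<23>Oct 11 22:14:17 host postfix/smtpd[901]: connect from unknown",       # mail.debug
    "Oct 11 22:14:18 host kernel: no PRI on this one",
]

if __name__ == "__main__":
    for r in route_lines(SAMPLE):
        print(r)
```

Running the block shows the point of the answer: the `<86>` message (authpriv.info) lands in both /var/log/secure and /var/log/messages, while the `<23>` message (mail.debug) reaches only the mail log because the catch-all rule stops at info.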
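Questions 5 and 6 describe how an `ls -l` mode string is read and what the sticky bit changes. This added example, which is not from the review sheet, parses such a string into its octal value (cross-checked against Python's `stat.filemode`) and implements the deletion rule from question 6: in a sticky, world-writable directory a user can only remove files they own, while the directory owner and root can remove anything. The user, group and file owner names are constructed.

```python
# Added example (not from the review sheet): turn an ls -l mode string such
# as "d---rwx---" or "drwxrwxrwt" into its octal value, and apply the rule the
# answer to question 6 describes: in a sticky directory, write permission
# lets you create files but you may only delete files you own (the directory
# owner and root may also delete them).  User and group names are constructed.
import stat
from typing import Iterable

TYPE_BITS = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK,
             "c": stat.S_IFCHR, "b": stat.S_IFBLK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}


def symbolic_to_mode(text: str) -> int:
    """Parse a 10-character mode string (type + owner/group/world triples)
    into an st_mode integer.  r=4, w=2, x=1 per triple; s/S and t/T in the
    execute slot add the setuid, setgid and sticky bits."""
    if len(text) != 10 or text[0] not in TYPE_BITS:
        raise ValueError(f"bad mode string: {text!r}")
    mode = TYPE_BITS[text[0]]
    specials = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
    for i, (shift, special) in enumerate(zip((6, 3, 0), specials)):
        r, w, x = text[1 + 3 * i: 4 + 3 * i]
        if r not in "r-" or w not in "w-" or x not in "-xsStT":
            raise ValueError(f"bad permission triple {r + w + x!r} in {text!r}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":            # lower case: the execute bit is set
            bits |= 1
        if x in "sStT":           # any of these: the special bit is set
            mode |= special
        mode |= bits << shift
    return mode


def octal_string(mode: int) -> str:
    """Permission bits only, as chmod would accept them (e.g. '1777')."""
    return format(stat.S_IMODE(mode), "04o")


def filemode_roundtrip(text: str) -> str:
    """Cross-check: parse the string and let the stdlib print it back."""
    return stat.filemode(symbolic_to_mode(text))


def can_delete(dir_mode: int, dir_owner: str, dir_group: str,
               file_owner: str, user: str, groups: Iterable[str]) -> bool:
    """Can `user` unlink a file owned by `file_owner` from this directory?
    Needs write+search on the directory for the user's class, and if the
    sticky bit is set the user must own the file or the directory."""
    if user == "root":
        return True
    if user == dir_owner:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_group in set(groups):
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if dir_mode & need != need:
        return False
    if dir_mode & stat.S_ISVTX and user not in (file_owner, dir_owner):
        return False
    return True


if __name__ == "__main__":
    tmp = symbolic_to_mode("drwxrwxrwt")                     # /tmp style
    print(octal_string(tmp), filemode_roundtrip("drwxrwxrwt"))  # 1777 drwxrwxrwt
    # alice cannot delete bob's file in a sticky world-writable directory...
    print(can_delete(tmp, "root", "root", "bob", "alice", []))
    # ...but could if the sticky bit were absent.
    print(can_delete(symbolic_to_mode("drwxrwxrwx"), "root", "root", "bob", "alice", []))
```

The search (x) bit is required alongside write because unlinking a name means resolving it inside the directory first; that is why the answer's `d---rwx---` example leaves the group, not the owner, able to work with the directory's contents.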
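Questions 8 and 9 list the options a DHCP OFFER carries and suggest sniffing ports 67/68 to find a rogue server. The following added example, which is not part of the review sheet, is a minimal DHCP message parser plus the check such a sniffer would apply: decode each OFFER, pull out the server identifier (option 54) and the subnet mask, router and DNS options, and flag any OFFER from a server that is not on an allowlist. The packets are constructed with `build_dhcp()` so the example runs offline; the addresses and the allowlist are made up, and on a real network the bytes would come from a packet capture.

```python
# Added example (not from the review sheet): a minimal DHCP message parser
# and an audit that flags OFFERs whose server identifier (option 54) is not
# an authorised DHCP server, which is the check a sniffer on UDP 67/68 from
# the answer to question 9 would apply.  The packets below are constructed
# with build_dhcp() so the example runs offline; addresses and the
# authorised-server set are made up.
import ipaddress
import struct
from typing import Dict, List, Optional

MAGIC = b"\x63\x82\x53\x63"                  # DHCP option magic cookie
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # 236-byte fixed part of the message
DISCOVER, OFFER, REQUEST = 1, 2, 3          # option 53 message types used here
AUTHORISED_SERVERS = {"10.0.0.2"}           # constructed allowlist


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _ips(raw: bytes) -> List[str]:
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def build_dhcp(msg_type: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0",
               server_id: Optional[str] = None, subnet_mask: Optional[str] = None,
               router: Optional[str] = None, dns: Optional[List[str]] = None) -> bytes:
    """Assemble a DHCP message: fixed header, magic cookie, then options."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2     # BOOTREQUEST vs BOOTREPLY
    head = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, _ip("0.0.0.0"),
                       _ip(yiaddr), _ip("0.0.0.0"), _ip("0.0.0.0"),
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if subnet_mask:
        opts += bytes([1, 4]) + _ip(subnet_mask)
    if router:
        opts += bytes([3, 4]) + _ip(router)
    if dns:
        packed = b"".join(_ip(d) for d in dns)
        opts += bytes([6, len(packed)]) + packed
    if server_id:
        opts += bytes([54, 4]) + _ip(server_id)
    return head + MAGIC + opts + b"\xff"


def parse_dhcp(packet: bytes) -> Dict[str, object]:
    """Split a DHCP message into its fixed fields and an options dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message (length or magic cookie)")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yiaddr, _si, _gi,
     chaddr, _sname, _file) = struct.unpack(HEADER, packet[:236])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:              # pad option, single byte
            i += 1
            continue
        if code == 255:            # end option
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "client_mac": chaddr[:hlen].hex(":"),
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)), "options": options}


def audit_offer(packet: bytes, authorised=AUTHORISED_SERVERS) -> Optional[Dict[str, object]]:
    """Summarise an OFFER and flag it if the offering server is not authorised.
    Returns None for messages that are not OFFERs."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(53) != bytes([OFFER]):
        return None
    server = _ips(opts[54])[0] if 54 in opts else None
    return {
        "server": server,
        "rogue": server not in authorised,
        "client_mac": msg["client_mac"],
        "offered_ip": msg["yiaddr"],
        "subnet_mask": _ips(opts[1])[0] if 1 in opts else None,
        "router": _ips(opts[3])[0] if 3 in opts else None,
        "dns": _ips(opts[6]) if 6 in opts else [],
    }


# Constructed traffic: a DISCOVER, the legitimate OFFER, and an OFFER from an
# unknown server that names itself as the router and nameserver.
CLIENT = bytes.fromhex("0200a1b2c3d4")
DISCOVER_PKT = build_dhcp(DISCOVER, 0x1234, CLIENT)
GOOD_OFFER = build_dhcp(OFFER, 0x1234, CLIENT, "10.0.0.50", "10.0.0.2",
                        "255.255.255.0", "10.0.0.1", ["10.0.0.2"])
ROGUE_OFFER = build_dhcp(OFFER, 0x1234, CLIENT, "10.0.0.77", "10.0.0.99",
                         "255.255.255.0", "10.0.0.99", ["10.0.0.99"])

if __name__ == "__main__":
    for pkt in (DISCOVER_PKT, GOOD_OFFER, ROGUE_OFFER):
        print(audit_offer(pkt))
```

The audit keys on option 54 rather than on the IP header because a relay agent can forward OFFERs from another subnet; the server identifier is what the client will put in its REQUEST, so it is the value worth comparing against the list of enterprise servers.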

Samples for Q2:


13. > redirects output to a new file (overwriting an existing file), >> appends output to a file, and
| (pipe) sends output to another program, as in date +%A | figlet.
14. Redirect standard output (stdout) to the null device rather than the terminal, then redirect
standard error (2) to the same place as stdout (1). The effect is that nothing will be shown on the
screen when the script runs (bonus: often used in startup scripts).
15. System accounts like these are useful for processes that need access to privileged ports and
processes that create files (some do both). The process can start with root privileges to gain
access to a privileged port, then change its ownership to the system user. Files created by the
process will be owned by the system user, and access will be restricted like any other normal
user. Since there is no password, no one will be able to log in as the system user. If the process is
somehow hijacked or runs amok, it will not be running with root privileges.
16. In principle, yes, because a port is just a number to identify a service. In practice, no, because
standards define standard ports for some services. Well-known ports are 0 to 1023, and are also
known as restricted ports because they require root (administrator) permissions. Applications
will sometimes pick random ports from the dynamic ports range (49152 to 65535), so if we need
a non-standard port it should be an unassigned number in the registered ports range (1024 to
49151). Well-known and registered port assignments are listed in /etc/services.
17. A “man-in-the-middle application” listens on a port, and when it receives a message simply
changes the port number in the TCP header and sends it on to the destination.
18. SSH is more secure because it uses certificates (PKI) and encrypts all communications over the
network (like https://), while telnet sends everything, including passwords, in plain text. We
can use telnet securely for testing by using xinetd to accept connections only from the localhost
(loopback) address 127.0.0.1. We can also use it securely for remote access by using stunnel to
provide encryption.
19. Dovecot can use LDAP for username and password to access email; Squirrelmail can use LDAP to
show a corporate address book.
20. DocumentRoot, where the HTML files are served from; ScriptAlias, where CGI scripts are run
from; the index file, the file to be served when the URL only has the domain name. These are set
individually for each virtual server. The last one is the port, which is not changed for a virtual
server.
21. A webserver “virtualhost” means more than one name can be served by a single webserver
process. The virtual host is dependent on the CNAME: the CNAME binds the IP address to the
name and the webserver binds the URL to the service.

22. The submission port is intended to be used from client to initial server, using the SMTP
protocol on port 587. Transfer is intended to be server to server (relay), using the SMTP protocol
on port 25. This allows administrators to run two distinct services configured optimally for each
purpose rather than a single MTA service that has to make allowances for different types of use.
They are able to require encryption and SMTP authentication for port 587 sessions; port 25
sessions can prefer but cannot require encryption.
23. Packet filters allow or deny access to services based on per-packet network and transport layer
header information such as source and destination address or port, packet type, direction,
sequence, etc. (bonus: “stateful” firewalls have “circuit-level” rules pertaining to connections
rather than individual packets). Packet sniffers intercept traffic between the source and
destination and show the content. Packet filters are used to create firewalls, packet sniffers are
used to analyse traffic.
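Question 16 explains how the port number ranges decide whether a non-standard port is a sensible choice. The following is an added example, not part of the review sheet, that parses lines in /etc/services format and assesses a candidate port against those rules: well-known ports need root to bind, ports in the dynamic range may be grabbed by clients, and a registered port is only usable if nothing is already assigned to it. The excerpt is constructed, although the entries in it are real IANA assignments; the ephemeral-range helper reads the Linux sysctl if it exists and otherwise falls back to the IANA dynamic range from the answer.

```python
# Added example (not from the review sheet): parse /etc/services-style lines
# and classify a candidate port the way the answer to question 16 does:
# well-known (0-1023, needs root to bind), registered (1024-49151) or dynamic
# (49152-65535), and whether it already has an assignment.  The excerpt below
# is constructed, though the entries in it are real IANA assignments.
from pathlib import Path
from typing import Dict, Optional, Tuple

ServiceTable = Dict[Tuple[int, str], str]

SERVICES_SAMPLE = """\
# constructed excerpt in /etc/services format: name port/protocol [aliases]
ssh          22/tcp
smtp         25/tcp    mail
http         80/tcp    www
ldap        389/tcp
submission  587/tcp
imaps       993/tcp
mysql      3306/tcp
"""


def parse_services(text: str) -> ServiceTable:
    """Map (port, protocol) -> service name, ignoring comments and blanks."""
    table: ServiceTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/", 1)
        table[(int(port), proto)] = name
    return table


def port_range(port: int) -> str:
    """IANA range name for a port number."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def ephemeral_range(sysctl: str = "/proc/sys/net/ipv4/ip_local_port_range") -> Tuple[int, int]:
    """Range the local kernel hands out for client-side ports.  Linux's
    default (32768-60999) differs from the IANA dynamic range, so a
    'registered' port can still collide with ephemeral use on some hosts.
    Falls back to the IANA range when the sysctl cannot be read."""
    try:
        low, high = Path(sysctl).read_text().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return 49152, 65535


def assess_port(port: int, proto: str, services: ServiceTable,
                ephemeral: Optional[Tuple[int, int]] = None) -> Dict[str, object]:
    """Say whether `port` is a sensible choice for a new, non-standard service."""
    rng = port_range(port)
    low, high = ephemeral if ephemeral else ephemeral_range()
    assigned = services.get((port, proto))
    reasons = []
    if rng == "well-known":
        reasons.append("well-known range: root needed to bind and likely reserved")
    if rng == "dynamic" or low <= port <= high:
        reasons.append("ephemeral/dynamic range: clients may grab it at random")
    if assigned:
        reasons.append(f"already assigned to {assigned}")
    return {"port": port, "proto": proto, "range": rng, "requires_root": port <= 1023,
            "assigned_to": assigned, "usable": not reasons, "reasons": reasons}


if __name__ == "__main__":
    table = parse_services(SERVICES_SAMPLE)
    for candidate in (22, 3306, 8080, 60000):
        print(assess_port(candidate, "tcp", table))
```

Pass `ephemeral` explicitly when you want the IANA rule from the answer regardless of the host; leave it out to check against the kernel the service will actually run on.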

Samples for Q3:


24. All three allow or deny access to services using Access Control Lists (ACLs). All three can control
traffic based on IP address and port. Xinetd and tcpwrap can filter using domain names, but
iptables cannot. Iptables and xinetd can do port forwarding, tcpwrap cannot. Changes to the
tcpwrap and iptables rules take effect immediately, xinetd needs to be stopped and restarted.
Iptables can allow or deny packets based on the state of the connection (like ESTABLISHED,
RELATED), the other two cannot. Xinetd can control access using time intervals when the service
is available, the other two cannot.
25. Both encapsulate data packets in TLS-encrypted packets to protect data in transit. Both encrypt
packets at the source and decrypt them at the destination before passing them up the stack.
Stunnel is per-service using port forwarding; openvpn secures a layer 2 (tap) or layer 3 (tun)
connection.
26. ACL is Access Control List, a general description of packet filtering rules (like IPTables) or host
access rules (like TCPWrap and xinetd).
27. A security policy defines what information is to be protected and from whom. Security
mechanisms implement aspects of the security policy, and their effectiveness must be
monitored. Security policies apply to resources under control of the enterprise; acceptable use
policies apply to people and interfaces. Security procedures implement aspects of the
acceptable use policy, and compliance must be monitored. Implementing the acceptable use
policy is essentially a management issue; implementing the security policy is more of a technical
issue. Security policy implementation mechanisms must provide the information necessary for
enforcement of the acceptable use policy. Monitoring the effectiveness of mechanisms and
compliance with policies (accountability) requires keeping track of activity (audit trails).
28. FCAPS: Fault management (fixing breakdowns and correcting mistakes); Configuration
management (licensing, version control, network architecture); Accounting management
(charging for services, auditing use); Performance management (capacity planning, response
times); Security management (policy formulation, implementation, evaluation).
29. Firewall directly allows or denies access to services based on per packet network and transport
layer header information [1] such as address, service, and direction of the packet. The design
philosophy of a network-based IDS or host-based Logfile Tracker is very much like an anti-virus
system. It scans traffic and uses a database of known network attack signatures (traffic patterns)
to assign a severity level to groups of suspicious packets and records these in a log file with
extended information.
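Question 29 describes a logfile tracker that matches known signatures, assigns a severity to groups of suspicious events and records them with extended information. The following added example, which is not part of the review sheet, is a small scanner of that shape: each signature is a pattern with a threshold, hits are grouped by source address, and an alert record (severity, count, first and last seen, a sample line) is produced for each group that reaches its threshold. The log lines and signatures are constructed, and the addresses come from the TEST-NET documentation ranges.

```python
# Added example (not from the review sheet): a small signature-driven scanner
# in the spirit of the host-based logfile tracker described in question 29.
# Each signature is a pattern plus a threshold; matching lines are grouped by
# source address, given a severity, and reported with the extended context
# (count, first/last seen, a sample line) a tracker would log.  Log lines and
# signatures below are constructed; the addresses are TEST-NET ranges.
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (name, regex with a 'src' group, threshold, severity)
SIGNATURES = [
    ("ssh-password-bruteforce",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"),
     3, "high"),
    ("ssh-invalid-user",
     re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<src>\S+)"),
     1, "medium"),
]
META = {name: (threshold, severity) for name, _p, threshold, severity in SIGNATURES}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Group signature hits by (signature, source); emit an alert record when
    the hit count reaches the signature's threshold."""
    hits: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in lines:
        for name, pattern, _threshold, _severity in SIGNATURES:
            m = pattern.search(line)
            if m:
                hits[(name, m.group("src"))].append(line)
    alerts = []
    for (name, src), matched in hits.items():
        threshold, severity = META[name]
        if len(matched) < threshold:
            continue
        alerts.append({
            "signature": name,
            "severity": severity,
            "source": src,
            "count": len(matched),
            "first_seen": matched[0][:15],    # syslog timestamp prefix
            "last_seen": matched[-1][:15],
            "sample": matched[0],
        })
    return alerts


def render(alerts: List[Dict[str, object]]) -> str:
    """One JSON record per line, the form a tracker would append to its log."""
    return "".join(json.dumps(a, sort_keys=True) + "\n" for a in alerts)


# Constructed sshd log excerpt: repeated failures from one address, a single
# failure from another, and a successful login that matches nothing.
SAMPLE_LOG = """\
Oct 11 22:14:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 11 22:14:17 host sshd[1201]: Failed password for root from 203.0.113.7 port 51235 ssh2
Oct 11 22:14:18 host sshd[1203]: Invalid user admin from 203.0.113.7 port 51236
Oct 11 22:14:19 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Oct 11 22:14:21 host sshd[1205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 11 22:15:02 host sshd[1210]: Failed password for bob from 198.51.100.3 port 40021 ssh2
Oct 11 22:15:40 host sshd[1212]: Accepted publickey for bob from 198.51.100.3 port 40022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(render(scan(SAMPLE_LOG)), end="")
```

The threshold is what separates a single mistyped password from something worth a high-severity record; the grouped record carries the count and time span so whoever reads the tracker's log can judge the event without going back to the raw lines.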

30. Changing passwords locks out someone who guessed, increasing security. However, new
passwords are hard to remember so users tend to write them down or change in a predictable
pattern. This effect is even worse when administrators force users to choose strong passwords,
composed of a mix of uppercase, lowercase, numeric and special characters.
31. Root access means anything can be done, which magnifies the effect of mistakes. Some feel that
forcing us to type sudo is a way to consciously reinforce this, and we can be better sysadmins by
learning more about sudo configuration options if and when we get tired of it. Others feel that
having the root password is fine and we can learn from our (potentially disastrous) mistakes. An
easy way to remind users when they have a root shell is to change the colour of the prompt
using ASCII terminal escape codes.
32. [1] Look for what you recognise (in the logfiles, starting at the end). [2] Always keep a working
configuration as backup. [3] Do one thing at a time, and then test. [4] Do the simplest thing first.
33. Problems with services? Check ports, permissions, and paths; typos cause problems with
parsing scripts and configuration files.
34. Lots of services like to write their process ID to a file in /var/run, so the best thing to do is give it
permissions like /tmp [see question 6].
