Course 5 – IT Security: Defense Against the Digital Dark Arts

Week 4: Security Your Networks

Coursera Study Guide


In the fourth week of this course, we’ll learn about secure network architecture. It’s important to know how to implement security measures on a network environment, so we’ll show you some of the best practices to protect an organization’s network. We’ll learn about some of the risks of wireless networks and how to mitigate them. We’ll also cover ways to monitor network traffic and read packet captures. By the end of this module, you’ll understand how VPNs, proxies and reverse proxies work; why 802.1X is a super important for network protection; understand why WPA/WPA2 is better than WEP; and know how to use tcpdump to capture and analyze packets on a network. That’s a lot of information, but well worth it for an IT Support Specialist to understand!

Learning Objectives

  • Implement security measures on a network environment.
  • Understand the risks of wireless networks and how to mitigate them.
  • Understand how to monitor network traffic and read packet captures.


1. Why is normalizing log data important in a centralized logging setup?

  • It’s difficult to analyze abnormal logs.
  • Log normalizing detects potential attacks.
  • Uniformly formatted logs are easier to store and analyze. (CORRECT)
  • The data must be decrypted before sending it to the log server.

Nice work! Logs from various systems may be formatted differently. Normalizing logs is the practice of reformatting the logs into a common format, allowing for easier storage and lookups in a centralized logging system.

2. What type of attacks does a flood guard protect against? Check all that apply.

  • Malware infections
  • SYN floods (CORRECT)
  • DDoS attacks (CORRECT)
  • Man-in-the-middle attacks

You got it! A flood guard protects against attacks that overwhelm networking resources, like DoS attacks and SYN floods.

3. What does DHCP Snooping protect against?

  • DDoS attacks
  • Brute-force attacks
  • Data theft
  • Rogue DHCP server attacks (CORRECT)

Good job! DHCP snooping is designed to guard against rogue DHCP attacks. The switch can be configured to transmit DHCP responses only when they come from the DHCP server’s port.

4. What does Dynamic ARP Inspection protect against?

  • ARP poisoning attacks (CORRECT)
  • DDoS attacks
  • Malware infections
  • Rogue DHCP server attacks

That’s exactly right! Dynamic ARP inspection protects against ARP poisoning attacks by watching for ARP packets. If an ARP packet doesn’t match the table of MAC address and IP address mappings generated by DHCP snooping, the packet will be dropped as invalid or malicious.

5. What does IP Source Guard protect against?

  • IP spoofing attacks (CORRECT)
  • Brute-force attacks
  • DDoS attacks
  • Rogue DHCP server attacks

Right on! IP Source Guard prevents an attacker from spoofing an IP address on the network. It does this by matching assigned IP addresses to switch ports, and dropping unauthorized traffic.

6. What does EAP-TLS use for mutual authentication of both the server and the client?

  • One-time passwords
  • Digital certificates (CORRECT)
  • Usernames and passwords
  • Biometrics

Yep! The client and server both present digital certificates, which allows both sides to authenticate the other, providing mutual authentication.

7. Why is it recommended to use both network-based and host-based firewalls? Check all that apply.

  • For protection against DDoS attacks
  • For protection against man-in-the-middle attacks
  • For protection for mobile devices, like laptops (CORRECT)
  • For protection against compromised hosts on the same network (CORRECT)

Nice job! Using both network- and host-based firewalls provides protection from external and internal threats. This also protects hosts that move between trusted and untrusted networks, like mobile devices and laptops.


1. What are some of the weaknesses of the WEP scheme? Check all that apply.

  • Its use of the RC4 stream cipher (CORRECT)
  • Its small IV pool size (CORRECT)
  • Its use of ASCII characters for passphrases
  • Its poor key generation methods (CORRECT)

You nailed it! The RC4 stream cipher had a number of design flaws and weaknesses. WEP also used a small IV value, causing frequent IV reuse. Lastly, the way that the encryption keys were generated was insecure.

2. What symmetric encryption algorithm does WPA2 use?

  • DSA
  • RSA
  • DES

Great work! WPA2 uses CCMP. This utilizes AES in counter mode, which turns a block cipher into a stream cipher.

3. How can you reduce the likelihood of WPS brute-force attacks? Check all that apply.

  • Use a very long and complex passphrase.
  • Update firewall rules.
  • Disable WPS. (CORRECT)
  • Implement lockout periods for incorrect attempts. (CORRECT)

Exactly! Ideally, you should disable WPS entirely if you can. If you need to use it, then you should use a lockout period to block connection attempts after a number of incorrect ones.

4. Select the most secure WiFi security configuration from below:

  • WPA personal
  • WPA enterprise
  • WEP 128 bit
  • None
  • WPA2 personal
  • WPA2 enterprise (CORRECT)

Exactly right! WPA2 Enterprise would offer the highest level of security for a WiFi network. It offers the best encryption options for protecting data from eavesdropping third parties, and does not suffer from the manageability or authentication issues that WPA2 Personal has with a shared key mechanism. WPA2 Enterprise used with TLS certificates for authentication is one of the best solutions available.


1. What does tcpdump do? Select all that apply.

  • Generates packets
  • Captures packets  (CORRECT)
  • Analyzes packets and provides a textual analysis  (CORRECT)
  • Encrypts your packets

Correct! Tcpdump is a popular, lightweight command line tool for capturing packets and analyzing network traffic.

2. What does wireshark do differently from tcpdump? Check all that apply.

  • It can write packet captures to a file.
  • It has a graphical interface. (CORRECT)
  • It can capture packets and analyze them.
  • It understands more application-level protocols. (CORRECT)

Awesome job! tcpdump is a command line utility, while wireshark has a powerful graphical interface. While tcpdump understands some application-layer protocols, wireshark expands on this with a much larger complement of protocols understood.

3. What factors should you consider when designing an IDS installation? Check all that apply.

  • Traffic bandwidth (CORRECT)
  • Storage capacity (CORRECT)
  • OS types in use
  • Internet connection speed

Wohoo! It’s important to understand the amount of traffic the IDS would be analyzing. This ensures that the IDS system is capable of keeping up with the volume of traffic. Storage capacity is important to consider for logs and packet capture retention reasons.

4. What is the difference between an Intrusion Detection System and an Intrusion Prevention System?

  • An IDS can detect malware activity on a network, but an IPS can’t
  • An IDS can alert on detected attack traffic, but an IPS can actively block attack traffic. (CORRECT)
  • They are the same thing.
  • An IDS can actively block attack traffic, while an IPS can only alert on detected attack traffic.

That’s exactly right! An IDS only detects intrusions or attacks, while an IPS can make changes to firewall rules to actively drop or block detected attack traffic.

5. What factors would limit your ability to capture packets? Check all that apply.

  • Network interface not being in promiscuous or monitor mode (CORRECT)
  • Anti-malware software
  • Encryption
  • Access to the traffic in question (CORRECT)

You got it! If your NIC isn’t in monitor or promiscuous mode, it’ll only capture packets sent by and sent to your host. In order to capture traffic, you need to be able to access the packets. So, being connected to a switch wouldn’t allow you to capture other clients’ traffic.


1. What traffic would an implicit deny firewall rule block?

  • Everything not allowed (CORRECT)
  • Inbound traffic
  • Outbound traffic
  • Nothing unless blocked

You got it! Implicit deny means that everything is blocked, unless it’s explicitly allowed.

2. The process of converting log entry fields into a standard format is called _______.

  • Log auditing
  • Log analysis
  • Log encryption
  • Log normalization (CORRECT)

That’s correct! Normalizing logs is the process of ensuring that all log fields are in a standardized format for analysis and search purposes.

3. A ______ can protect your network from DoS attacks.

  • DHCP Snooping
  • IP Source Guard
  • Flood Guard (CORRECT)
  • Dynamic ARP Inspection

Yep! Flood guards provide protection from DoS attacks by blocking common flood attack traffic when it’s detected.

4. Using different VLANs for different network devices is an example of _______.

  • Network Separation (CORRECT)
  • Implicit Denial
  • Remote Access
  • Network Encryption

Exactly! Using VLANs to keep different types of devices on different networks is an example of network separation.

5. How do you protect against rogue DHCP server attacks?

  • DHCP Snooping (CORRECT)
  • Dynamic ARP Inspection
  • Flood Guard
  • IP Source Guard

Nice job! DHCP snooping prevents rogue DHCP server attacks. It does this by creating a mapping of IP addresses to switch ports and keeping track of authoritative DHCP servers.

6. What does Dynamic ARP Inspection protect against?

  • IP Spoofing attacks
  • DoS attacks
  • Rogue DHCP Server attacks
  • ARP Man-in-the-middle attacks (CORRECT)

Great work! Dynamic ARP Inspection will watch for forged gratuitous ARP packets that don’t correspond to the known mappings of IP addresses and MAC address, and drop the fake packets.

7. What kind of attack does IP Source Guard protect against?

  • DoS attacks
  • Rogue DHCP Server attacks
  • IP Spoofing attacks (CORRECT)
  • ARP Man-in-the-middle attacks

You nailed it! IP Source Guard protects against IP spoofing. It does this by dynamically generating ACLs for each switch port, only permitting traffic for the mapped IP address for that port.

8. A reverse proxy is different from a proxy because a reverse proxy provides ______.

  • Remote Access (CORRECT)
  • Authentication
  • DoS protection
  • Privacy

Correct! A reverse proxy can be used to allow remote access into a network.

9. What underlying symmetric encryption cipher does WEP use?

  • RSA
  • DES
  • AES

Awesome! WEP uses the RC4 stream cipher.

10. What key lengths does WEP encryption support? Check all that apply.

  • 40-bit
  • 64-bit (CORRECT)
  • 128-bit (CORRECT)
  • 256-bit

Nice! WEP supports 64-bit and 128-bit encryption keys.

11. What’s the recommended way to protect a WPA2 network? Check all that apply.

  • Hide the SSID
  • Use WEP64
  • Use a long, complex passphrase (CORRECT)
  • Use a unique SSID (CORRECT)

That’s exactly right! Because the SSID is used as a salt, it should be something unique to protect against rainbow table attacks. A long, complex password will protect against brute-force attacks.

12. If you’re connected to a switch and your NIC is in promiscuous mode, what traffic would you be able to capture? Check all that apply.

  • All traffic on the switch
  • Traffic to and from your machine (CORRECT)
  • Broadcast traffic (CORRECT)
  • No traffic

Great job! Since you’re connected to a switch, you’d only see packets that are sent to your switch port, meaning traffic to or from your machine or broadcast packets.

13. What could you use to sniff traffic on a switch?

  • Port Mirroring (CORRECT)
  • DHCP Snooping
  • Network hub
  • Promiscuous Mode

Yes! Port mirroring allows you to capture traffic on a switch port transparently, by sending a copy of traffic on the port to another port of your choosing.

14. What does tcpdump do?

  • Brute forces password databases
  • Performs packet capture and analysis (CORRECT)
  • Generates DDoS attack traffic
  • Handles packet injection

Right on! tcpdump captures and analyzes packets for you, interpreting the binary information contained in the packets and converting it into a human-readable format.

15. Compared to tcpdump, wireshark has a much wider range of supported _______.

  • Protocols (CORRECT)
  • Languages
  • Packet types
  • Packet sizes

Yep! Wireshark supports a very wide range of various networking protocols.

16. A Network Intrusion Detection System watches for potentially malicious traffic and _______ when it detects an attack.

  • Triggers alerts (CORRECT)
  • Shuts down
  • Disables network access
  • Blocks traffic

Correct! A NIDS only alerts when it detects a potential attack.

17. What does a Network Intrusion Prevention System do when it detects an attack?

  • It does nothing.
  • It blocks the traffic. (CORRECT)
  • It attacks back.
  • It triggers an alert.

Exactly! An NIPS would make adjustments to firewall rules on the fly, and drop any malicious traffic detected.