Term
| What is the IP Address for? |
|
Definition
| Same as registration plates |
|
|
Term
| What is safe to keep in raw data? |
|
Definition
|
|
Term
| What should you not do with packets? |
|
Definition
| Store or monitor the content |
|
|
Term
| Why would you want to store data? |
|
Definition
| Application-level analysis; identifying tunnelled traffic; intrusion detection; sharing with the research community |
|
|
Term
|
Definition
| DHCP in organisations is relatively static; for very short packets, the CRC can reduce the guesswork needed to reconstruct the packet |
|
|
Term
| What three ways to anonymise? |
|
Definition
|
|
Term
|
Definition
| Get rid of it (example 0.0.0.0) |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Increase the IP address, e.g. 10.0.0.1, 10.0.0.2, 10.0.0.3 |
|
|
Term
|
Definition
| Network and compare the anonymised trace with generated traffic; identify servers, e.g. proxy / web |
|
|
Term
| Who should see the information? |
|
Definition
| Depends on the contract with the user |
|
|
Term
| What's the problem with a default Windows Vista installation? |
|
Definition
| It allows file sharing for the 'local network' |
|
|
Term
| What's the problem with a default Windows XP installation? |
|
Definition
| Supports TCP options and doesn't respond to ICMP |
|
|
Term
|
Definition
| Traffic monitoring can be done only at the aggregation points; there is no choice of monitoring local subnets |
|
|
Term
| Virtual LANs are used for what? |
|
Definition
| Used to segregate hosts connecting to the same switch |
|
|
Term
| Firewalls are what for intrusive monitoring? |
|
Definition
|
|
Term
| Why do we want a firewall? |
|
Definition
| Network security cannot be ignored |
|
|
Term
| What principles does NAT destroy? |
|
Definition
| IP address uniqueness; remote endpoints cannot connect directly |
|
|
Term
| Why does NAT cause problems with monitoring? |
|
Definition
| Accounting traffic per IP address does not indicate individual performance |
|
|
Term
| How can the number of hosts behind a NAT be inferred? |
|
Definition
| TTL / system fingerprinting; IP ID field |
|
|
Term
| Why are proxies bad for network monitoring? |
|
Definition
| Any direct link between endpoints is severed |
|
|
Term
|
Definition
| Describes an application embedding its traffic into another application |
|
|
Term
| How is tunnelling detectable? |
|
Definition
| Application-level analysis |
|
|
Term
| What's VPN to network monitoring? |
|
Definition
|
|
Term
| What two ways are there to identify apps? |
|
Definition
| Signature and anomaly based |
|
|
Term
| Why is port-based application identification not an option? |
|
Definition
|
|
Term
| Why is privacy / anonymisation bad for researchers? |
|
Definition
| Increasingly difficult to gather information about network performance outside the controlled environment |
|
|
Term
| Why are network managers ok with the privacy? |
|
Definition
| Good balance between network security and its performance |
|
|
Term
| Why is it quite good for companies providing monitoring solutions? |
|
Definition
| It means that people need ready-made solutions and the expertise required to identify optimal solutions |
|
|