Network Defense

higherho Member Posts: 882
Hello All,

Had some discussions with a fellow manager and we were talking about interview questions for network defense type individuals (IDS / IPS, network border type of stuff). I stated that if an individual cannot describe to me some basic network attacks (SYN flood for example) then I would raise a red flag. To my understanding individuals into network security should really understand proxies, SSL, different types of network attacks, and how your defense works. Don't you agree? What would be some really good network defense type questions?

Respectfully,
H

Comments

  • markulous Member Posts: 2,394
    I'd make sure they have a good understanding of just the basics: group policy, AD, switches vs hubs, firewalls, full understanding of OSI model, basic system hardening, etc. If they can't understand how networking itself works, how can they understand how to protect it?
  • higherho Member Posts: 882
    I agree, my employer thinks my questions are too network focused and he wants more of a "Security guy" but wants network security (CERT, IRRT team type stuff). I'm just confused because everything we do is Network security centric (at least on this current role) so if the individual cannot explain to me those basic things properly then he should not be considered.
  • xnx Member Posts: 464
    Also not being able to explain the 3-way TCP handshake and TCP session teardown would be pretty bad.. lol
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • da_vato Member Posts: 445
    It sounds like you guys are after an individual that is total infrastructure security so he needs to understand actual network security, yes... Information security is really about risk management, disaster response, as well as fixing vulnerabilities. Infosec is way more conceptual than just "tell me about the OSI model and how do you protect each layer".

    I would ask him/her:
    What is Information security in your own words?
    What's your experience with making and enforcing policies?

    I would also ask about a scenario and see how they would respond.
  • MSP-IT Member Posts: 752
    I think da_vato is on the right track. I would say one of the best skills on the job is critical thinking, problem solving, and analysis. I'd look toward more of these softer skills on top of technical understanding.
  • dmoore44 Member Posts: 646
    If you're looking for someone to monitor IDS/IPS/SIEM consoles, then I would tell you that someone who has a decent understanding of network flow, as well as a good understanding of OSes is important. Striking the right balance between the sysadmin and netadmin roles is crucial - you want someone that understands how to trace network and can assess the impact on the target.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • philz1982 Member Posts: 978
    Ask them what Snort is....

    Seriously though,

    You could ask about ARP poisoning, you could ask about VLANs, you could ask about Port Security, you could ask about Private SSIDs, you could ask about NMAP (give them an NMAP result and ask them to tell you what it tells them), ask them about Wireshark (ask them to look through a few packets and tell you what they see).
  • higherho Member Posts: 882
    Thanks for the input. On a different topic, if you see someone putting on their resume that they know BGP. Asking them the three well known mandatory attributes is a fair question to ask? (SP level Networking Engineering position). I asked this question and the individual did not know it (had 10 years exp on his resume) and he came back on me asking if I knew it and had a little attitude about it. He also did this to me when I asked about ARP poisoning (which I told him the answer to both questions). I felt that this was a red flag both from an attitude perspective and technical. Thoughts?
  • networker050184 Mod Posts: 11,962
    Definitely a fair question. I wouldn't rule someone out for not knowing all three (Google is easy) as long as they know that there are different types (well known, transitive etc) and an example or two. Just like I'm not a big fan of questions like protocol timers. The attitude part would be an immediate red flag though.
    An expert is a man who has made all the mistakes which can be made.
  • lsud00d Member Posts: 1,571
    Sounds like someone I wouldn't want on my team! If they are getting an attitude in the interview (because they can't answer pretty straightforward questions?!) then don't waste any more time.
  • xnx Member Posts: 464
    higherho wrote: »
    Thanks for the input. On a different topic, if you see someone putting on their resume that they know BGP. Asking them the three well known mandatory attributes is a fair question to ask? (SP level Networking Engineering position). I asked this question and the individual did not know it (had 10 years exp on his resume) and he came back on me asking if I knew it and had a little attitude about it. He also did this to me when I asked about ARP poisoning (which I told him the answer to both questions). I felt that this was a red flag both from an attitude perspective and technical. Thoughts?
    I'd end the interview straight away, you're testing THEIR knowledge, not being tested on your own...
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently