Net Def Final
DMZ
The rule base should permit access to public servers in the ____________ and enable users to access the Internet.
B. they are not routable on the Internet
Which of the following is true about private IP addresses? A. they are assigned by the IANA B. they are not routable on the Internet C. they are targeted by attackers D. NAT was designed to conserve them
firewall appliance
hardware devices with firewall functionality
proxy server
software that forwards network packets and caches Web pages to speed up network performance
load-balancing software
software that prioritizes and schedules requests and then distributes them to servers in a server clusted based on each server's current load and processing power
False
Proxy servers take action based only on IP header information. True/False
False
Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny. True/False
screening
A __________ router determines whether to allow or deny packets based on their source and destination IP addresses.
Java
A _____________ applet is a small program sometimes used as embedded code in Web pages.
stack
A critical buffer component is the function __________ and buffer overflows are usually aimed at this component.
False
A dual-homed host has a single NIC with two MAC addresses. True/False
endpoints
Network gateways are _____________ of the VPN connection.
stateless packet filters
simple filters that determine whether to allow or block packets based on information in protocol headers
False
Firewalls can protect against employees copying confidential data from within the network. True/False
anycast addressing
a network addressing scheme that allows DNS services to be decentralized among a group of servers, regardless of their location
publicly
A DMZ is a subnet of ____________ accessible servers placed outside the internal network.
perimeter
A firewall can consist of all devices postioned on the network __________.
filter
A primary objective of a rule base is to _______________ communications based on complex rules.
True
A screened host has a router as part of the configuration. True/False
rule
ACLs filter packets by using a _____________ base to determine whether to allow a packet to pass.
True
Another name for a VPN connection is tunnel. True/False
True
Computers on the Internet are identified primarily by their IP address. True/False
cache
DNS _____________ poisoning streers unsuspecting victims to a server of the attacker's choice instead of the intended Web site.
False
Generally, connections to instant-messaging ports are harmless and should be allowed. True/False
True
Hardware VPNs create a gateway-to-gateway VPN. True/False
True
IPsec has become the standard set of protocols for VPN security. True/False
False
If you use Windows RRAS for your VPN, you will need a third-party RADIUS server if you want to use RADIUS for authentication. True/False
host
In a screened ____________ setup, a router is added between the host and the Internet to carry out IP packet filtering.
C. DDoS
In what type of attack are zombies usually put to use? A. buffer overrun B. virus C. DDoS D. spoofing
True
SQL injection attacks are isolated to custom applications, so administrators can prevent them. True/False
False
Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful. True/False
False
Software firewalls are usually more scalable than hardware firewalls. True/False
False
Standards and protocols used in VPNs are in their infancy and seldom used. True/False
False
Stateless packet filtering keeps a record of connections that a host computer has made with other computers. True/False
XOR
TLS splits the input data in half and recombines it using a(n) ___________ function.
handshake
The ACK flag is normally sent at the end of the three-way ___________ to indicate that a connection is established.
C. firewall appliance
The Cisco PIX line of products is best described as which of the following? A. software firewall B. PC with firewall installed C. firewall appliance D. VPN gateway
Exchange
The Internet Key ____________ protocol enables computers to make an SA.
False
The TCP normalization feature forwards abnormal packets to an administrator for further inspection. True/False
DNSSEC
The goal of ____________ is to provide authentication of DNS data and ensure integrity of DNS data.
NAPs
The internet tier system starts with a backbone network connected via _____________ to regional Internet service providers.
spoofing
The lack of authentication for computers on the Internet make IP _____________ possible, which is change in the IP addresses in the headers of malicious packets.
True
The objective of a phishing attack is to entice e-mail recipients to click a bogus link where personal information can be stolen. True/False
False
The term Internet and World Wide Web are different terms that mean the same thing. True/False
C. TCP 21 control, TCP 20 data
What are the to standard ports used by FTP along with their function? A. UDP 23 control, TCP 20 data B. UDP 20 data, TCP 21 control C. TCP 21 control, TCP 20 data D. TCP 23 data, TCP 21 control
C. anycast addressing
What feature of the 13 DNS root servers enables any group of servers to act as a root server? A. multicast addressing B. broadcast addressing C. anycast addressing D. unicast addressing
A. 30 rules
What is a suggested maximum size of a rule base? A. 30 rules B. 300 rules C. 10 rules D. 100 rules
B. updating a secondary DNS server
What is a zone transfer? A. the movement of e-mail from one domain to another B. updating a secondary DNS server C. backing up an SQL data file D. coping host file data to another system
B. DNS
What service uses UDP port 53? A. SMTP B. DNS C. ICMP D. TFTP
D. proxy server
What should a company concerned about protecting its data warehouses and employee privacy might consider installing on the network perimeter to prevent direct connections between the internal network and the Internet? A. router B. filtering C. ICMP monitor D. proxy server
D. reverse firewall
What should you consider installing if you want to inspect packets as they leave the network? A. security workstation B. RIP router C. filtering proxy D. reverse firewall
D. split-DNS architecture
What type of DNS configuration prevents internal zone information from being stored on an Internet-accessible server? A. read-only zone B. anti-phishing DNS C. caching DNS zone D. split-DNS architecture
A. primary
What type of DNS server is authoratative for a specific domain? A. primary B. secondary C. read-only D. initial
B. phishing
What type of attack displays false information masquerading as legitimate data? A. Java applet B. phishing C. buffer overflow D. SQL injection
D. SQL injection
What type of attack involves plaintext scripting that affects databases? A. phishing B. ActiveX control C. Java applet D. SQL injection
B. VPN quarantine
What was created to address the problem of remote clients not meeting an organization's VPN security standards? A. split tunneling B. VPN quarantine C. IPsec filters D. GRE isolation
C. IPsec driver
Which IPsec component is software that handles the taks of encrypting, authenticating, decrypting and checking packets? A. ISAKMP B. IKE C. IPsec driver D. Oakley protocol
C. SSL
Which VPN protocol leverages Web-based applications? A. PPTP B. L2TP C. SSL D. IPsec
B. L2TP
Which VPN protocol uses UDP port 1701 and does not provide confidentiality and authentication? A. IPsec B. L2TP C. PPTP D. SSL
C. IPsec
Which VPN protocol works at Layer 3 and can encrypt the entire TCP/IP packet? A. PPTP B. L2TP C. IPsec D. SSL
D. encapsulation
Which activity performed by VPNs encloses a packet within another packet? A. address translation B. encryption C. authentication D. encapsulation
C. NAT
Which element of a rule base conceals internal names and IP addresses from users outside the network? A. tracking B. filtering C. NAT D. QoS
B. a computer on the perimeter network that is highly protected
Which of the following best describes a bastion host? A. a host with two or more network interfaces B. a computer on the perimeter network that is highly protected C. a computer running a standard OS that also has a proxy software installed D. a computer running only embedded firmware
C. data patterns
Which of the following is NOT a criteria typically used by stateless packet filters to determine whether or not to block packets. A. IP address B. ports C. data patterns D. TCP flags
C. use the default standard Web page error messages
Which of the following is NOT a recommended security setting for Apache Web servers? A. harden the underlying OS B. create Web groups C. use the default standard Web page error messages D. disable HTTP traces
C. use standard naming conventions
Which of the following is NOT a step you should take to prevent attackers from exploiting SQL security holes? A. limit table access B. use stored procedures C. use standard naming conventions D. place the database server in a DMZ
B. employees can use instant-messaging only with external network users
Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization's security policy? A. only authenticated traffic can access the internal network B. employees can use instant-messaging only with external network users C. the public can access the company Web servers D. employees can have restricted internet access
D. authentication server
Which of the following is NOT an essential element of a VPN? A. VPN server B. tunnel C. VPN client D. authentication server
C. have more security vulnerabilities than software VPNs
Which of the following is NOT true about a hardware VPN? A. should be the first choice for fast-growing networks B. can handle more traffic than software VPNs C. have more security vulnerabilities than software VPNs D. create a gateway-to-gateway VPN
C. may require client configuration
Which of the following is a disadvantage of using a proxy server? A. shields internal host IP addresses B. slows Web page access C. may require client configuration D. can't filter based on packet content
C. NAP
Which of the following is a highly secure public facility in which backbones have interconnected data lines and routers that exchange routing and traffic data? A. ISP B. POP C. NAP D. NSF
A. Teredo tunneling
Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted? A. Teredo tunneling B. ICMPv6 encapsulation C. IPsec tunneling D. SMTP/S tunneling
B. not dependent on a conventional OS
Which of the following is an advantage of hardware firewalls? A. not scalable compared to software firewalls B. not dependent on a conventional OS C. less expensive than software firewalls D. easy to patch
D. adds a hashed message authentication code
Which of the following is an improvement of TLS over SSL? A. requires less processing power B. uses a single hashing algorithm for all the data C. uses only asymmetric encryption D. adds a hashed message authentication code
D. load-balancing software
Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power. A. server pooling software B. traffic distribution filter C. priority server farm D. load-balancing software
B. it was established in the mid-1960s
Which of the following is true about the Internet? A. it is the same as the World Wide Web B. it was established in the mid-1960s C. it was developed by a network of banks and businesses D. it was originally built on an extended star topology
C. 80,443
Which two ports should packet-filtering rules address when establishing rules for Web access? A. 143, 80 B. 25, 110 C. 80, 443 D. 423, 88
A. screened subnet DMZ
Which type of firewall configuration protects public servers by isolating them from the internal network? A. screened subnet DMZ B. dual-homed host C. screening router D. reverse firewall
B. proxy server
Which type of security device can speed up Web page retrieval and shield hosts on the internal network? A. caching firewall B. proxy server C. caching-only DNS server D. DMZ intermediary
B. port address translation
Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address? A. one-to-one NAT B. port address translation C. one-to-many NAT D. DMZ proxy translation
B. pharming
Which variation on phishing modifies the user's host file to redirect traffic? A. spear phishing B. pharming C. DNS phishing D. hijacking
False
Windows Basic Authentication requires that users enter a username and password and the password is transmitted using a hashing algorithm. True/False
harden
You can _________ a bastion host by removing unnecessary accounts and services.
split brain DNS architecture
a network architecture that uses a single DNS domain with a DNS server on the organization's DNZ for Internet services and a DNS server on the internal network for service to internal hosts
Botnets
_________ are networks of zombie computers that magnify the scope and intensity of an attack.
Routers
_____________ direct network traffic to its destionation on the Internet using tables and protocols.
dual-homed host
a computer configured with more than one network interface
IKE
a form of key exchange used to encrypt and decrypt data as it passes though a VPN tunnel
screened host
a host in which one interface is connected to an internal network and the other interface is connected to a router to an untrusted network
GRE
a nonproprietary tunneling protocol that can encapsulate a variety of Network layer protocols
cleanup rule
a packet-filtering rule that comes last in a rule base and covers any packets that have not been covered by preceding rules
many-to-one NAT
a process that uses the source and destination TCP and UDP port addresses to map traffic between internal and external hosts
SSL
a protocol developed by Netscape Communications Corporation as a way of enabling Web servers and browsers to exchange encrypted information
screening router
a router placed between an untrusted network and an internal network
IPsec
a set of standard procedures that the IETF developed for enabling secure communication on the Internet
Kerberos
an IETF standard for secure authentication of requests for resource access
ESP
an IPsec protocol that encrypts the header and data components of TCP/IP packets
rule base
the collection of rules that filter traffic at an interface of a firewall
socket
the end point of a computer-to-computer connection defined by an IP address and port address
one-to-one NAT
the process of mapping one internal IP address to one external IP address
