4.4 Compare and contrast remote access methods and security implications.
What four components are required for a computer to establish a remote Transmission Control Protocol/Internet Protocol (TCP/IP) connection? a) Common protocols b) Remote Access Service (RAS) c) A physical layer connection d) TCP/IP configuration e) Point-to-Point Tunneling Protocol (PPTP) f) Host and remote software
A, C, D, F. A computer requires four components to establish a remote connection. First, a physical-layer Wide Area Network (WAN) connection is needed. Second, the two systems must share common protocols from the data link layer and above. Third, if TCP/IP is being used to establish a remote session, then TCP/IP parameters must be configured on the systems. Fourth, host and remote software are needed. The remote client must have software that enables it to establish a remote session, and the server must have software that enables it to receive and grant remote sessions. Microsoft RAS supports both client and server remote access software; however, this is not a required component since other types of software can be used. PPTP is a tunneling protocol and is not a required component for establishing a remote session.
Which of the following technologies utilize Access Control Lists (ACLs) to limit access to network resources? (Choose all that apply.) a) NTFS b) LDAP c) WAP d) Kerberos
A, C. NTFS files and folders all have ACLs, which contain Access Control Entries (ACEs) that specify the users and groups that can access them and the specific permissions they have been granted. Wireless Access Points (WAPs) have ACLs that contain Media Access Control (MAC) addresses of the devices that are permitted to connect to the wireless network. Lightweight Directory Access Protocol (LDAP) and Kerberos are protocols that provide directory service communication and authentication, respectively. Neither one uses ACLs.
Which of the following types of traffic are carried by Telnet? (Choose all that apply.) a) Keystrokes b) Mouse movements c) Display information d) Application data
A, C. Telnet is a character-based remote-control protocol and application that is available on virtually all computing platforms. Because it is strictly character based, Telnet clients transmit only keystrokes and receive only character-based display information from the server.
Which of the following software releases is a fix designed to address one specific issue? a) A patch b) An update c) An upgrade d) A service pack
A. A patch is a relatively small update that is designed to address a specific issue, often a security exploit or vulnerability. Patches do not add features or new capabilities; they are fixes targeted at a specific area of the software. Updates, upgrades, and service packs are larger packages that might include new features and/or many different fixes.
A user attempting to connect to a WiFi hotspot in a coffee shop is taken to a web page that requires her to accept an End User License Agreement (EULA) before access to the network is granted. Which of the following is the term for such an arrangement? a) Captive portal b) Ransomware c) Port security d) Root guard
A. A web page that prompts users for payment, authentication, or acceptance of a EULA is a captive portal. Ransomware is a type of attack that extorts payment. Port security and root guards are methods for protecting access to switch ports.
Which of the following mitigation techniques helps organizations maintain compliance with standards such as HIPAA and FISMA? a) File integrity monitoring b) Role separation c) Deauthentication d) Tamper detection e) Router Advertisement guard
A. File integrity monitoring (FIM) is a process that typically consists of a comparison of files in their current state to a known baseline copy stored elsewhere. The comparison can be direct, or it could involve the calculation of checksums or other types of file hashes. The object of the comparison is to detect changes in documents, both in content and in sensitive areas, such as credentials, privileges, and security settings, which might indicate the presence of a potential or actual security breach. Role separation applies to the deployment of applications on servers. Deauthentication is a type of wireless network attack. Tamper detection is a term used to describe a physical security measure for hardware. Router Advertisement (RA) guard is a feature found on certain switches that prevents the misuse of RA messages to redirect traffic.
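The baseline comparison described in the answer above, as an added example that is not part of the original question set: a minimal FIM check in Go that records SHA-256 digests of a known-good file set, then reports files that were modified, added, or removed. The file contents and paths are constructed in memory so the example runs offline; a real agent would read them from disk and keep the baseline somewhere the monitored host cannot alter.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// FileState maps a path to its content. It is built in memory here (constructed
// sample data); a real FIM agent would read the files from disk.
type FileState map[string][]byte

// Baseline maps a path to the hex SHA-256 digest recorded at a known-good time.
type Baseline map[string]string

// Change is one deviation from the baseline.
type Change struct {
	Path string
	Kind string // "modified", "added", or "removed"
}

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// SnapshotBaseline hashes every file in the known-good state.
func SnapshotBaseline(files FileState) Baseline {
	b := make(Baseline, len(files))
	for path, content := range files {
		b[path] = digest(content)
	}
	return b
}

// Compare hashes the current state and returns every difference from the
// baseline, sorted by path so the report is deterministic.
func Compare(baseline Baseline, current FileState) []Change {
	var changes []Change
	for path, content := range current {
		want, known := baseline[path]
		switch {
		case !known:
			changes = append(changes, Change{Path: path, Kind: "added"})
		case want != digest(content):
			changes = append(changes, Change{Path: path, Kind: "modified"})
		}
	}
	for path := range baseline {
		if _, still := current[path]; !still {
			changes = append(changes, Change{Path: path, Kind: "removed"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

// sampleScenario is a constructed before/after pair: an account line was
// appended to /etc/passwd, a sudoers fragment disappeared, and an SSH
// authorized_keys file appeared. All values are illustrative only.
func sampleScenario() (Baseline, FileState) {
	good := FileState{
		"/etc/passwd":          []byte("root:x:0:0:root:/root:/bin/bash\n"),
		"/etc/sudoers.d/ops":   []byte("%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n"),
		"/etc/ssh/sshd_config": []byte("PermitRootLogin no\n"),
	}
	baseline := SnapshotBaseline(good)
	now := FileState{
		"/etc/passwd":                []byte("root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n"),
		"/etc/ssh/sshd_config":       []byte("PermitRootLogin no\n"),
		"/root/.ssh/authorized_keys": []byte("ssh-ed25519 EXAMPLEKEY constructed\n"),
	}
	return baseline, now
}

func main() {
	baseline, now := sampleScenario()
	for _, c := range Compare(baseline, now) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

Each finding is what an analyst would triage: a changed credential file, a vanished privilege setting, and a new key file in a sensitive location. The digests, not the files, are what get stored, which is why a baseline can sit on a separate system.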
Which of the following types of patches is most typically applied to a hardware device? a) Firmware updates b) Driver updates c) Feature changes d) Vulnerability patches
A. Firmware is a type of software permanently written to the memory built into a hardware device. A firmware patch overrides the read-only nature of this memory to update the software. Driver updates, feature updates, and vulnerability patches are typically applied to software products, such as applications and operating systems.
Which of the following elements must be identical in both the client and server computers to establish a remote Wide Area Network (WAN) connection? (Choose all that apply.) a) The WAN type b) The data link layer protocol c) The authentication method d) The operating system
A, B, C. Although the computers do not have to use hardware made by the same manufacturer, both must use the same basic type of WAN connection, such as a leased line, a modem and PSTN line, or an Internet connection. Both of the computers must also use the same data link layer protocol, such as PPP, to establish a remote network connection. Most remote network connections use some form of authentication mechanism, even if it is nothing more than the exchange of a username and cleartext password. To establish the remote network connection, both computers must be configured to use the same type of authentication, even if it is no authentication at all. As long as all of the other elements are in place, such as the physical layer connection and the protocols, there is no need for both of the computers involved in a remote network connection to be running the same operating system.
When Ralph digitally signs and encrypts a document with his private key, Alice can decrypt the document only by using Ralph's public key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all that apply.) a) Ralph cannot deny having created the document. b) No one has altered the document since Ralph sent it. c) No one but Ralph can have created the document. d) No one but Alice can decrypt and read the document.
A, B, C. Because only Ralph possesses the private key, only he could have signed and encrypted it. Although it is possible for someone other than Alice to have decrypted the document while it was in transit, using Ralph's public key, that individual could not have modified it and encrypted it again.
Which of the following types of traffic are carried by the Remote Desktop Protocol (RDP)? (Choose all that apply.) a) Keystrokes b) Mouse movements c) Display information d) Application data
A, B, C. RDP is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information.
Which of the following types of traffic are transmitted by Virtual Network Computing (VNC)? (Choose all that apply.) a) Keystrokes b) Mouse movements c) Display information d) Application data
A, B, C. VNC is a graphical desktop sharing system that uses a protocol called Remote Frame Buffer (RFB) to connect a client to a server and control it remotely. VNC does not transmit actual application data; it just transfers keystrokes, mouse movements, and graphic display information.
Which of the following Virtual Private Network (VPN) protocols does not provide encryption within the tunnel? a) PPTP b) IPSec c) L2TP d) SSL
C. Layer 2 Tunneling Protocol (L2TP) is used to create the tunnel forming a VPN connection, but it does not encrypt the traffic passing through the tunnel. To do this, it requires a separate protocol that provides encryption, such as Internet Protocol Security (IPSec). Point-to-Point Tunneling Protocol (PPTP) and Secure Sockets Layer (SSL) are both capable of encrypting tunneled traffic.
MAC filtering is an access control method used by which of the following types of hardware devices? a) Wireless Access Point b) RADIUS server c) Domain controller d) Smartcards
A. Wireless Access Points (WAPs) typically include the ability to maintain an Access Control List (ACL), which specifies the Media Access Control (MAC) addresses of devices that are permitted to connect to the wireless network. The technique is known as MAC address filtering. Remote Authentication Dial-In User Service (RADIUS) servers, domain controllers, and smartcards typically do not include MAC filtering capabilities.
Which of the following remote access protocols provides users with full graphical control over a Windows computer? (Choose all that apply.) a) SSH b) RDP c) VNC d) Telnet
B, C. Remote Desktop Protocol (RDP) is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information. Virtual Network Computing (VNC) is a similar desktop sharing system that is platform independent and open source. Secure Shell (SSH) and Telnet are character-based remote control solutions.
Which of the following types of Virtual Private Network (VPN) connection is the best solution for connecting a branch office to a corporate headquarters? a) Host-to-site b) Site-to-site c) Host-to-host d) Extranet
B. A site-to-site VPN enables one network to connect to another, enabling users on both networks to access resources on the other one. This is usually a more economical solution for branch office connections than a Wide Area Network (WAN) link. A host-to-site VPN is a remote access solution, enabling users to access the corporate network from home or while traveling. A host-to-host VPN enables two individual users to establish a protected connection to each other. An extranet VPN is designed to provide clients, vendors, and other outside partners with the ability to connect to a corporate network with limited access.
Which of the following statements best defines out-of-band management? a) Out-of-band management is a method for accessing network devices from a remote location. b) Out-of-band management is a method for accessing network devices using a direct cable connection. c) Out-of-band management is a method for accessing network devices using a connection to the system other than the production network to which the device is connected. d) Out-of-band management is a method for accessing network devices using any tool that operates over the production network to which the device is connected.
C. Out-of-band management refers to the use of an alternative communications channel to a network device. The channel can be a modem connection, a direct cable connection, a wireless or cellular connection, or a dedicated Ethernet connection.
How does Media Access Control (MAC) address filtering increase the security of a Wireless Local Area Network (WLAN)? a) By preventing access points from broadcasting their presence b) By allowing traffic sent to or from specific MAC addresses through the Internet firewall c) By substituting registered MAC addresses for unregistered ones in network packets d) By permitting only devices with specified MAC addresses to connect to an access point e) By isolating specific wireless clients from the rest of the network
D. MAC address filtering enables administrators to configure an access point to allow only devices with specific addresses to connect; all other traffic is rejected. Access points broadcast their presence using a Service Set Identifier (SSID), not a MAC address. MAC address filtering protects WLANs when implemented in an access point, not a firewall. MAC address filtering does not call for the modification of addresses in network packets. MAC filtering does not isolate clients from the network.
Ralph has come upon the term _virtual desktop_, and he is not exactly sure what it means. After performing some Internet searches, he finds multiple definitions. Which of the following is not one of the technologies that uses the term _virtual desktop_? a) A three-dimensional realization of a computer display created using a virtual reality hardware device b) A computer display with a virtual operating system desktop that is larger than can be displayed on a monitor c) A cloud-based Windows 10 deployment that enables users to access their desktops using any remote device d) A hardware device that projects a computer desktop on a screen, rather than displaying it on a monitor
D. The term _virtual desktop_ does not refer to a projection device that can display a computer desktop on a screen. A virtual desktop can be a realization of a computer monitor in a virtual reality environment; a virtualized desktop larger than the monitor, which users can scroll to view all parts of the display; or a cloud-based service provided by Microsoft Azure that provides users with access to their desktops using remote devices.
Which of the following terms refers to the process of uninstalling a recently released patch to resume using the previous version? a) Backslide b) Downgrade c) Reset d) Rollback
D. _Rollback_ is a term used in change management to describe the process of reversing a change that has been made, to restore the original configuration. In the case of patch management, a rollback is the process of uninstalling a recently installed software update. The terms _backslide_, _downgrade_, and _reset_ are not used to describe this procedure.
Alice is a consultant working in your office, who has been given the Service Set Identifier (SSID) and the passphrase for the company's main wireless network, but she is unable to connect with her laptop. Which of the following security measures might be preventing her from connecting? a) MAC filtering b) Disabling SSID broadcast c) Geofencing d) Using WPA2 e) Guest network isolation
A. Media Access Control (MAC) filtering takes the form of an Access Control List (ACL) on the wireless network's access points, listing the MAC addresses of all the devices that are to be permitted to access the network. If the MAC address of Alice's laptop is not included in the ACL, she will be unable to connect to the network. Alice has been given the SSID of the network, so she should be able to connect, even if the access points are not broadcasting the SSID. Geofencing is intended to prevent users outside the office from accessing the network, so this should not be the problem. Alice has been given the passphrase for the network, so she should be able to configure WiFi Protected Access 2 (WPA2) on her laptop. Alice is not using a separate guest network, so this is not preventing her from connecting.
Which of the following services is provided by the Remote Desktop Protocol (RDP)? a) Thin client computing b) Clientless virtual private networking c) Encrypted tunneling d) Unauthenticated file transfers
A. RDP is a component of Remote Desktop Services, a Windows mechanism that enables a client program to connect to a server and control it remotely. RDP does not carry actual application data; it just transfers keystrokes, mouse movements, and graphic display information. Because the client program does not participate in the application computing on the server, it is known as a thin client. RDP does not provide clientless virtual private networking, encrypted tunneling, or unauthenticated file transfers.
The Internet of Things (IoT) encompasses a huge number of device types ranging from personal electronics to household appliances to medical equipment to industrial machinery. Many of these devices deal with sensitive information, and many perform critically important tasks. The field of IoT security is still in its infancy; there is no all-encompassing standard defining IoT protection protocols. IoT devices have vastly different security requirements and also vastly different functional capabilities, making it difficult to create a blanket protection mechanism for all of them. Which of the following are potentially viable methods for securing all IoT devices against attack? (Choose all that apply.) a) Network segmentation b) Network Access Control (NAC) c) Security gateways d) Firewalls
B, C. Because many IoT devices are mobile or located in unprotected areas, a firewall is not a viable protection mechanism for all of them, nor is the practice of placing them on separate network segments. Network security mechanisms such as access control policies and centralized gateways providing authentication and authorization could conceivably be incorporated into a general IoT security standard.
Which of the following statements about in-band management and out-of-band management are true? (Choose all that apply.) a) Out-of-band management tools do not provide access to the remote system's BIOS or UEFI firmware. b) Out-of-band management tools enable you to reinstall the operating system on a remote computer. c) Telnet, Secure Shell (SSH), and Virtual Network Computing (VNC) are in-band management tools. d) To perform out-of-band management on a device, it must have an IP address.
B, C. Out-of-band management uses a dedicated channel to devices on the network. This means that the device to be managed does not require an IP address. The channel provides access to the BIOS or UEFI firmware and makes it possible to reinstall the operating system on a remote computer. Telnet, SSH, and VNC are not out-of-band management tools.
When Alice encrypts a document with Ralph's public key, Ralph can decrypt the document only by using his private key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all that apply.) a) Alice cannot deny having created the document. b) No one has opened the document since Alice sent it. c) No one but Alice can have created the document. d) No one but Ralph can decrypt and read the document.
B, D. Because anyone can obtain Ralph's public key, the document could have been created and encrypted by anyone. However, because only Ralph possesses the private key that can decrypt the document, he can be sure that no one else has opened it while it was in transit.
Which of the following statements about a switch's default VLAN are true? (Choose all that apply.) a) Administrators must create a default VLAN when configuring a new switch. b) The default VLAN on a switch cannot be deleted. c) The default VLAN on most switches is designated as VLAN 0. d) The default VLAN on a switch cannot be renamed.
B, D. The default Virtual Local Area Network (VLAN) on most switches has the ID VLAN 1, not VLAN 0, and it cannot be renamed or deleted. The default VLAN does not have to be created by the administrator; it is the one to which all ports are assigned in the default configuration.
On a wireless network, which of the following best describes an example of a captive portal? a) A switch port used to connect to other switches b) A web page with which a user must interact before being granted access to a wireless network c) A series of two doors through which people must pass before they can enter a secured space d) A web page stating that the user's computer has been locked and will only be unlocked after payment of a fee
B. A captive portal is a web page displayed to a user who is attempting to access a public wireless network. The user typically must supply credentials, provide payment, or accept a user agreement before access is granted. A captive portal does not refer to a switch port, a secured entryway to a room, or a type of extortionate computer attack.
Which of the following protocols is a root guard designed to affect? a) EAP b) STP c) LDAP d) ARP
B. A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric. Root guards do not affect the Extensible Authentication Protocol (EAP), the Lightweight Directory Access Protocol (LDAP), or the Address Resolution Protocol (ARP).
Which of the following is another term for a switching technique called port isolation? a) Frame relay b) Private VLAN c) Site-to-site VPN d) Screened subnet
B. Port isolation, also known as Private Virtual Local Area Network (VLAN), is a feature in some switches that enables administrators to restrict selected ports to a given uplink, essentially creating a separate, secondary VLAN that is isolated from the switch's default, primary VLAN. Screened subnets (also called perimeter networks or demilitarized zones [DMZs]), frame relay, and VPNs are not switching techniques.
Which of the following protocols is not used for remote control of computers? a) RDP b) TFTP c) SSH d) Telnet
B. Trivial File Transfer Protocol (TFTP) is typically used to download boot image files to computers performing a Preboot Execution Environment (PXE) startup. It is not used for remote control. Remote Desktop Protocol (RDP) is used by Remote Desktop Services in Windows to provide clients with graphical control over servers at remote locations. Secure Shell (SSH) and Telnet are both character-based tools that enable users to execute commands on remote computers.
Which of the following technologies enables Virtual Private Network (VPN) clients to connect directly to each other, as well as to the VPN server at the home site? a) VPN concentrator b) DMVPN c) SIP trunk d) MPLS e) Clientless VPN
B. A VPN typically enables remote clients to connect to a VPN router at a central site, much like the star topology of a Local Area Network (LAN), in which computers are all connected to a central switch. Dynamic Multipoint Virtual Private Network (DMVPN) is a technology that creates a mesh topology between the remote VPN sites, enabling the remote sites to connect directly to each other, rather than to the central VPN server. A VPN concentrator is a type of router that enables multiple client systems to access a network from remote locations. A Session Initiation Protocol (SIP) trunk provides a connection between the private and public domains of a unified communications network. Multiprotocol Label Switching (MPLS) is a data transfer mechanism that assigns labels to individual packets, and then routes the packets based on those labels. Clientless VPN creates an encrypted tunnel to a server using a browser, without the need to install additional client software.
Which of the following statements explains why web browsing over a client-to-site Virtual Private Network (VPN) connection is usually so much slower than browsing locally? a) The browser application is running on the VPN server. b) The browser is using the remote network's Internet connection. c) The VPN tunnel restricts the amount of bandwidth available. d) VPN encryption is processor intensive.
B. When users connect to a remote network using VPN, they become a participant on that network, which includes using the remote network's Internet connection. Therefore, when a user opens a browser, the application passes the user's requests through the VPN tunnel to the remote server, which uses the default gateway and Internet connection at the remote site to connect to the desired address. This is inherently slower than connecting the browser directly to the Internet from the client computer.
Which of the following functions cannot be implemented using digital signatures? a) Integrity b) Nonrepudiation c) Segmentation d) Authentication
C. Digital signatures can be used for the following functions: authentication, to confirm that data originated from a specific individual; nonrepudiation, to prevent the sender from denying the data's origin; and integrity, to confirm that the data has not been modified in transit. Segmentation is not a function of digital signatures.
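The three signature functions named in the answer above (authentication, nonrepudiation, and integrity), as an added example that is not part of the original question set: a Go program using the standard library's Ed25519 implementation. Ralph signs a document; verifying with his public key succeeds for the genuine document, fails when the document is altered (integrity), and fails for a signature produced by a different key pair (authentication). The names, the document text, and the second key pair are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one party's key pair. The private key never leaves the signer;
// verifiers only ever receive the public half.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair (constructed for this example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a signature over msg with the signer's private key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

// Verify reports whether sig was produced over exactly msg by the holder of the
// private key matching pub. A true result establishes all three properties at
// once: the data came from that key holder (authentication), it has not changed
// since signing (integrity), and because only that holder has the private key,
// the holder cannot plausibly deny signing it (nonrepudiation).
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed input; ed25519.Verify would panic on a bad key size
	}
	return ed25519.Verify(pub, msg, sig)
}

// Outcome records the result of the three checks.
type Outcome struct {
	Genuine  bool // Ralph's signature over the unmodified document
	Tampered bool // Ralph's signature checked against an altered document
	Impostor bool // another party's signature checked against Ralph's public key
}

// Demonstrate runs the three verification cases from the constructed scenario.
func Demonstrate() (Outcome, error) {
	ralph, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewSigner() // a second, unrelated key pair
	if err != nil {
		return Outcome{}, err
	}

	doc := []byte("Approve purchase order 1042 for 100 units") // constructed document
	sig := ralph.Sign(doc)
	altered := []byte("Approve purchase order 1042 for 900 units")

	return Outcome{
		Genuine:  Verify(ralph.Public, doc, sig),
		Tampered: Verify(ralph.Public, altered, sig),
		Impostor: Verify(ralph.Public, doc, other.Sign(doc)),
	}, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", out.Genuine, out.Tampered, out.Impostor)
}
```

Note what the signature does not do: the document itself is sent in the clear, so a signature alone provides no confidentiality, which is why none of the answer choices about segmentation or secrecy apply to it.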
Ralph is a network administrator for a firm that is allowing employees to telecommute for the first time, and he is responsible for designing a remote access solution that will enable users to access network resources, such as company email and databases, securely. All of the remote users have been issued smartcards and will be connecting using Virtual Private Network (VPN) connections on company-supplied laptop computers running Windows 10 and equipped with card readers. The users will be logging on to the company network using their standard Active Directory Domain Services accounts, so it is important for Ralph to design a solution that provides the maximum protection for their passwords, both inside and outside the office. Which of the following authentication protocols should Ralph configure the remote access servers and the laptop computers to use? a) Password Authentication Protocol (PAP) b) Challenge Handshake Authentication Protocol (CHAP) c) Extensible Authentication Protocol (EAP) d) Microsoft Challenge Handshake Authentication Protocol (MSCHAPv2)
C. EAP is the only authentication protocol included with Windows 10 that supports hardware-based authentication, so this is the only viable option. PAP transmits passwords in cleartext and is therefore not a viable option, nor is CHAP, because it must store passwords using reversible encryption. MSCHAPv2 provides sufficient password protection but does not support the hardware-based authentication needed for smartcard use.
Which of the following Virtual Private Network (VPN) protocols is generally considered to be obsolete? a) IPSec b) L2TP c) PPTP d) SSL/TLS
C. Point-to-Point Tunneling Protocol (PPTP) is considered to be obsolete for VPN use because of several serious security vulnerabilities that have been found in it. IPSec, Layer 2 Tunneling Protocol (L2TP), and Secure Sockets Layer/Transport Layer Security (SSL/TLS) are all still in use.
Which of the following describes the primary function of a Remote Desktop Gateway? a) Provides multiple users with Remote Desktop client access to one workstation b) Provides a single Remote Desktop client with simultaneous access to multiple workstations c) Enables remote users outside the network to access network workstations d) Enables remote users to access workstations without the need for a Remote Desktop client.
C. Remote Desktop Gateway is a Windows Server role that enables remote users outside the network to establish a Remote Desktop Protocol (RDP) connection without the need for a Virtual Private Network (VPN) connection. The gateway does not provide multiple Remote Desktop client access to one workstation, Remote Desktop client access to multiple workstations, or access to workstations without a Remote Desktop client.
Unlike individual users, who usually have their operating system patches downloaded and installed automatically, corporate IT departments typically evaluate new patches before deploying them. Which of the following is not a common step in this evaluation process? a) Testing b) Researching c) Rolling back d) Backing up
C. Rolling back, the process of uninstalling a patch to revert to the previous version of the software, is not part of the patch evaluation process. The evaluation process for new patches in a corporate environment usually consists of a research stage, in which you examine the need and purpose for the patch; a testing stage, in which you install the patch on a lab machine; and a backup of the production systems to which you will apply the patch.
Which of the following is not a protocol that is typically used to secure communication between web servers and web browsers? a) SSL b) TLS c) SSH d) DTLS
C. Secure Shell (SSH) is a character-based tool that enables users to execute commands on remote computers. It does not provide web server/browser security. Secure Sockets Layer (SSL) is a security protocol that provides encrypted communications between web browsers and servers. Transport Layer Security (TLS) is an updated security protocol that is designed to replace SSL. Datagram Transport Layer Security (DTLS) is a security protocol that provides the same basic functions as TLS, but for User Datagram Protocol (UDP) traffic.
Which of the following types of Virtual Private Network (VPN) connection is the best solution for allowing clients limited access to your corporate network? a) Host-to-site b) Site-to-site c) Host-to-host d) Extranet
D. An extranet VPN is designed to provide clients, vendors, and other outside partners with the ability to connect to your corporate network with limited access. A host-to-site VPN is a remote access solution, enabling users to access the corporate network from home or while traveling. A site-to-site VPN enables a branch office to connect to the home office using the Internet rather than a more expensive Wide Area Network (WAN) connection. A host-to-host VPN enables two individual users to establish a protected connection to each other.
Control plane policing (CPP or CoPP) is a feature on some routers and switches that limits the rate of traffic on the device's processor, to prevent Denial-of-Service (DoS) and reconnaissance attacks, using which of the following technologies? a) IPSec b) 802.1X c) RA Guard d) QoS e) VLAN hopping
D. Control plane policing uses Quality of Service (QoS) policies to block, allow, or impose rate limits on the traffic processed by the router or switch. Internet Protocol Security (IPSec) is a network layer security mechanism that encrypts or authenticates traffic. 802.1X is a network authentication mechanism. Router Advertisement (RA) Guard is a feature found on certain switches that prevents the misuse of RA messages to redirect traffic. Virtual Local Area Network (VLAN) hopping is a method for sending commands to switches to transfer a port from one VLAN to another.
Which of the following is the best description of geofencing? a) Something you have b) Something you know c) Something you do d) Somewhere you are
D. Geofencing is the generic term for a technology that limits access to a network or other resource based on the client's location. It is therefore best described as somewhere you are. A finger gesture would be considered something you do, a password is something you know, and a smartcard is something you have.