ITN 263 Final Part 2
Which of the following statements is TRUE of an Internet Protocol Security (IPSec) virtual private network (VPN) when compared to a Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPN?
It requires client software
Which of the following is a protocol that replaces the use of telnet and rlogin to log in to a shell on a remote host?
Secure Shell (SSH)
The IT department of a company has just rolled out a virtual private network (VPN) solution that offers greater flexibility, delegation of management, and added security over the previous implementation. What is this solution called?
Secure Sockets Layer (SSL) virtualization
What is a virtual private network (VPN) protocol that requires public key infrastructure (PKI) support to obtain and use a certificate?
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
A hardware virtual private network (VPN) is a standalone device, dedicated to managing VPN functions.
True
An intranet virtual private network (VPN) connects two or more internal networks.
True
Authentication Header (AH) provides integrity protection for packet headers and data, as well as user authentication.
True
Netcat cannot be used to create covert channels to control a target system remotely.
False
Physical damage is not related to denial of service.
False
Security education for users is desired, but not required, for maintaining a secure environment.
False
Software-based virtual private networks (VPNs) are typically more scalable than hardware VPNs.
False
You can fix a firewall's vulnerability to denial of service (DoS) flooding by upgrading the firewall or applying a patch.
False
Fragmentation is a supported function of Internet Protocol (IP) packets.
True
Internet Protocol Security (IPSec) has three major components: Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).
True
Internet Protocol Security (IPSec) supports both transport mode and tunnel mode.
True
One of the primary objectives of a change control board is to ensure that all changes are properly tested.
True
Onion routing limits a network's vulnerability to eavesdropping and traffic analysis.
True
The longer the time span between a malicious action and an authoritative response, the greater the likelihood the perpetrator will get away without consequence.
True
During which step of firewall incident response is the compromise resolved?
Eradication
The most common method of exploiting and/or bypassing a firewall is tunneling.
False
Alice is a network engineer who has been tasked with researching a virtual private network (VPN) tunneling protocol to be used by her company. It must be able to pass traffic through a network address translation (NAT) server and be compatible with a number of well-known proprietary and open source platforms. What solution does she select?
Internet Key Exchange v2 (IKEv2)
A written policy dictates which firewall features to enable or disable.
True
Hacker tunneling is the creation of a communication channel similar to the creation of a virtual private network (VPN).
True
Ambrose is testing his IT department's new firewall deployment. He is using a collection of applications that employ a brute-force technique to craft packets and other forms of input directed toward a target. What is this collection of tools called?
Fuzzing tools
With hosted services, an Internet service provider (ISP) or a software vendor leases applications to organizations.
True
Which of the following is a security state that reverts to a state of being unavailable or locked?
Fail-close
A small fire breaks out in the lunch room of a branch office and the fire alarms sound. The employees are directed to leave the building and assemble in the parking lot. What condition is required to enable them to cross restricted access areas that are normally locked?
Fail-open
A good policy is to implement the first generation or first release of a firewall product.
False
A virtual private network (VPN) server for remote access must be located in the demilitarized zone (DMZ).
False
Allow by default/deny by exception is always the preferred security stance.
False
An antivirus scanner needs to have its database of definitions updated at least once per week.
False
An intranet virtual private network (VPN) never traverses a wide area network (WAN) link.
False
Basic packet filtering uses a complex, dynamic rule set.
False
Client capabilities do not affect the performance of a remote virtual private network (VPN) connection.
False
Delay is the use of security to convince a potential attacker that the efforts to compromise a system are not worth it.
False
Depending on the situation, a fail-open state could be fail-secure or fail-close.
False
The Network Layer of the Open Systems Interconnection (OSI) Reference Model is the protocol layer that transfers data between adjacent network nodes.
False
The functionalities of software and hardware virtual private network (VPN) solutions are fundamentally different.
False
Whole hard drive encryption prevents anyone from accessing data on the drive.
False
Devaki is developing a backup and recovery strategy for the network and server system. She needs a way to address and quickly restore small events where a bit of data has accidentally been deleted, as well as to remedy situations where the entire facility is compromised. What is her plan?
Keep a local backup for quick retrieval to deal with small events and an encrypted remotely stored copy for major incidents.
A best practice is to perform verification scans of all deployed firewall settings to ensure their functionality.
True
A simulated firewall test uses an attack simulator to transmit attack packets to a firewall.
True
A software-based virtual private network (VPN) may be part of a server operating system, part of an appliance operating system, or a third-party add-on software solution.
True
A virtualized desktop is hosted on a remote central server instead of on the local hardware of the remote client.
True
Detection involves watching for attempts to breach security and being able to respond promptly.
True
Once a zero-day exploit is discovered, a hacker can utilize that vulnerability until it is patched.
True
Which of the following is a limitation of Internet Protocol Security (IPSec)?
It does not encrypt data on client computers.
Hacker tunneling can create a covert channel.
True
In a layered security strategy, each security mechanism addresses a single issue or a small set of issues within a specific context.
True
In either a host firewall or an appliance firewall, the logic and controlling mechanisms are software.
True
Microsoft DirectAccess enables administrators to execute control over remote clients such as through Group Policy.
True
Once a firewall policy is in place, the policy should be reviewed at least annually.
True
Whereas honeypots can be single systems or multiple networked systems, a honeynet is a network of honeypots.
True
Which of the following is the protocol used with HTTPS for encrypting communications to and from websites?
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
A best practice is to block any device connecting to a network that is not in compliance with the security policy.
True
A hacker tunneling set up using an inbound connection must "hijack" an existing open port or reconfigure the firewall to open another port for use by the tunnel.
True
A network security management best practice is to focus on the big-impact and big-result issues first.
True
A virtual private network (VPN) implementation best practice is to use strong authentication.
True
A virtualized Secure Sockets Layer (SSL) virtual private network (VPN) provides the ability to create custom authentication methods.
True
After installing a firewall, you should always install every available patch and update from the vendor.
True
An SSL/TLS-based virtual private network (VPN) enables remote access connectivity from almost any Internet-enabled location using a web browser.
True
Breaches are confirmed during the detection and analysis phase of incident response.
True
Delay involves slowing down an attack so that even successful breaches give defenders time to respond.
True
Even with a firewall protecting the internal network, a denial of service (DoS) flooding attack can still successfully disconnect or interfere with external communications.
True
Every update, change, or alteration to any aspect of a firewall should trigger another round of firewall testing.
True
How you apply Internet Protocol Security (IPSec) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) in a virtual private network (VPN) solution can affect VPN performance.
True
Online backups make an organization dependent on the online provider's security.
True
Prevention is the use of safeguards to thwart exploitation or compromise.
True
Pushing out a patch without proper testing can result in negative impacts that are just as bad as delaying patch approval.
True
RD RemoteApp is a Microsoft solution that runs on a Microsoft Remote Desktop Services (RDS) server but appears to end users as if it were actually running on their systems.
True
RD Web Access is a Microsoft Remote Desktop Services (RDS) server role that allows desktops and RD RemoteApp applications to launch from a web browser.
True
Remote Desktop Connection (RDC) is a built-in application that uses Remote Desktop Protocol (RDP).
True
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft.
True
The Secure Shell (SSH) protocol is a method for secure remote login and other secure network services over a public network.
True
The purpose of compartmentalization is to create small collectives of systems that support work tasks while minimizing risk.
True
A company uses an Internet Protocol Security (IPSec) virtual private network (VPN) solution. It allows remote users to connect to the main office and allows communication between the main office and branch offices securely over the Internet. The main office network uses network address translation (NAT) with an internal IP address range of 192.168.0.1 to 192.168.0.254. Which of the following ranges must remote offices and users NOT use on their internal networks?
192.168.0.x
Felicia is a network engineer deploying a virtual private network (VPN) solution. The VPN operates using Secure Shell (SSH). When asked by a new help desk tech about which layer of the OSI model it employs, how does Felicia answer?
7
While fragmentation of IP packets is supported when they encounter network segments that have a smaller maximum transmission unit (MTU), that feature can be manipulated by malicious parties in overlapping attacks. In calculating a defense for such an exploit, what is the only reliable defense?
A dynamic filtering system that performs virtual reassembly
In layered security strategy, the strengths and benefits of one countermeasure do not affect the other countermeasures.
False
Susan has discovered that the vice president of marketing has brought in her own personal tablet device and connected it to the company's secure wireless network. This violates the organization's IT security policies. Susan informs the chief information security office (CISO) of the situation. What level of control must the CISO exercise with this upper-level manager?
Accounting
Internet Protocol Security (IPSec) is designed to work well with network address translation (NAT).
False
Which of the following can perform authentication to provide integrity protection for the outermost IP header?
Authentication Header (AH)
Which of the following provides integrity protection for packet headers and data and can optionally provide replay protection and access protection?
Authentication Header (AH)
Which of the following is insurance against data loss?
Backups
Lauren is a network technician monitoring performance on the local area network (LAN). She becomes alarmed when the network utilization reaches 95 percent for a particular time of day. How does she know what the utilization is normally like?
Benchmarks
Microsoft RD Web Access connects remote clients to internal resources over a virtual private network (VPN) connection.
False
Bill is a network engineer. On Monday morning, he learns that the firewalls between network segments are not operating as expected. He checks the activity sheet for the on-call techs who worked the weekend and sees that one of them performed an unscheduled patch. Bill suspects the patch made modifications to the firewalls. Of the following choices, what is the BEST way to check this?
Bill compares screenshots of the optimal firewall configuration against the current settings.
A malicious person wants to use tunneling to get through a company's firewall using a vulnerability. Micah, a network security engineer, is aware of this threat and configures the firewall to combat it. What does he do?
Block all encryption
An exploit called "overlapping" can cause the full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams. An overrun attack can create excessively large datagrams and, with other types of fragmentation attacks, can result in:
Denial of Service
Hong is a network engineer. He is developing a firewall policy that addresses troubleshooting a firewall that has either failed or is under attack. In his plan, what should be included as a best practice?
Collect firewall documentation before an attack.
What is a type of assessment that judges how well an organization is accomplishing set goals or requirements?
Compliance auditing
Marta is a network technician intern at a mid-sized company. She is learning hardware virtual private network (VPN) best practices from one of the engineers. Which of the following does the engineer tell Marta is NOT a best practice?
Connecting a client computer to more than one network interface while connected to the office via VPN
In an incident response situation, which term is used to described the actual confirmation of a breach?
Detection and analysis
Wen, a network engineer for a mid-sized company, is rolling out a virtual private network (VPN) solution that is easy to set up, manage, and maintain and represents the majority of VPN platforms on the market. What type of VPN is Wen deploying?
Customer premise equipment (CPE)
In a tunneling attack, once the tunnel is open, what are the limitations?
Data can move in either direction.
Isabelle is a network engineer deploying an IT infrastructure in one of her company's new branch offices. Currently, she is designing a local subnetwork that contains and exposes the office's external services to a larger, untrusted network, specifically the Internet. What is this called?
Demilitarized zone (DMZ)
Juan is a technician designing a physical security strategy for his company's network. He wants to convince potential hackers that it would be too difficult and complex for them to mount a successful assault or that such an attack would be too easily detected. What central function is he addressing?
Deterrence
Bill's work-issued Windows laptop has been configured so he can remotely connect to his office from home without having to initiate a virtual private network (VPN) connection. What technology is he using?
DirectAccess
______ is commonly exploited by many hackers because most enterprise web traffic is _________.
Encryption; encrypted
A malicious person is using an existing virtual private network (VPN) tunnel to infiltrate a company's private local area network (LAN). What is this tunneling method doing?
Hijacking an existing port
Tonya is an accountant working from home. She connects to her office each day over a virtual private network (VPN). The IT department for her company has deployed a VPN appliance to assist employees such as Tonya in performing their tasks remotely. What solution does Tonya use to access her files on the company's accounting server?
Host-to-gateway
Hacker tunneling uses two techniques. The first is to install a server component on an internal system and then have an external client make a connection. What is the second?
Install a server component on an external system and then use an internal client to make the connection.
All of the following protect against fragmentation attacks, EXCEPT:
Internal code planting
Which Internet Protocol Security (IPSec) core component negotiates, creates, and manages security associations?
Internet Key Exchange (IKE)
Which layer of the OSI model is the Data Link Layer?
Layer 2
Which of the following is a malicious remote control tool?
NetBus
A malicious person is attempting to subvert a company's virtual private network (VPN). She is using a tool that creates TCP and UDP network connections that can link to or from any port. What is this tool?
Netcat
Virtual private networks (VPNs) and which standard have historically suffered from conflicts when used together?
Network Address Translation (NAT)
Ahmed is testing the security of his company's IT infrastructure. He is using an application that works as a network mapper, port scanner, and OS fingerprinting tool. Which of the following is he employing?
Nmap
A malicious person is performing a technique called anti-forensics on a target network to hide evidence of an intrusion and conceal implanted rootkits and other malware. What is one action that might be taken when this method is used?
Overwriting metadata
Aditya is a network engineer. He is deploying a special host that will attract hackers so he can capture and analyze the attacks. This specific method involves using an intrusion detection system (IDS) to detect attacks and then routing them to an environment where they can do no harm. What is this method called?
Padded cell
Mei is a new network technician for a mid-sized company. She is trying to determine what is causing a performance lag on the infrastructure's virtual private network (VPN). The lags typically occur between 8 a.m. and 9 a.m., and again between 1 p.m. and 2 p.m. What is the most likely cause?
Peak usage loads
A company hires security experts to play the role of hackers. The experts are asked to attempt to breach the infrastructure to determine how secure the company is from threats. The experts are also asked to recommend improvements. What is this activity called?
Penetration testing
Nimi has deployed a new virtual private network (VPN) solution in her company's IT infrastructure. She is testing the connection to the server from a client. Which tool is the best choice for her to use?
Ping
Jacob is a remote employee. He clicks the Start menu button in Windows and selects an application to run. Most of the time, he is unaware that he is really accessing the application on a server at his company's main office several miles away. What solution is he using?
RD RemoteApp
Remote Desktop Connection (RDC) is a built-in application that uses what proprietary protocol?
Remote Desktop Protocol (RDP)
Lin is a disgruntled IT technician who believes she is about to be discharged from her job. While she still has access to her company's network infrastructure, she decides to reset the main firewall to its factory settings so she will know the default administrative username and password. Which of the following is the method she is MOST likely to use?
She uses a straightened paper clip to press the pinhole-sized reset button in the back of the firewall for 30 seconds.
In deploying security for a network, which method is no longer seen as truly secure or sufficient for protecting logins?
Single-factor authentication
The configuration, location, software version, and underlying operating system of a virtual private network (VPN) are all factors that are most likely to affect:
Stability
Carl is a security engineer for his company. He is reviewing a checklist of measures to physically protect the network specifically and the office environment in general. What is he focused on?
Testing alarms
Susan is a network professional at a mid-sized company. Her supervisor has assigned her the task of designing a virtual private network (VPN) implementation. Susan has set up strong authentication and encryption in a test environment, and the VPN appliance is directly facing the Internet. When her work is evaluated, what does her supervisor immediately notice?
The VPN device is not protected by a firewall.
A best practice is to back up firewall configurations before applying new and tested updates.
True
Arturo is installing a hardware server in the network room of a branch office. He wants to label it in a way that will make it easy to differentiate this server from other server machines, yet not clearly identify it in case an unauthorized person gains physical access. How should he label it?
Using a code
What is a common security mistake made by both end users and experts?
Using the same password on multiple systems
Carl is a student in a computer networking class who is studying virtual private network (VPN) implementations. He is learning the basics about VPNs. Which of the following statements does he find is TRUE?
VPNs are both hardware and software solutions.
Tonya is a network engineer. She is developing a new security policy for her company's IT infrastructure. She understands that the heart of performing a risk assessment, which is a necessary part of policy development, is understanding assets, likelihoods, threats, and _________.
Vulnerabilities
Arturo is a new network technician. He wants to use Remote Desktop Protocol (RDP) to connect to a server from his computer. The server is on the other side of the building. His computer is running Windows 10. Will he be able to make the connection?
Yes, because the RDP protocol has clients that work on most common operating systems.
Alice is a network technician designing infrastructure security based on compartmentalization. Which of the following does she employ?
Zones of access that are separated from other parts of the network by routers, switches, and firewalls
Besides a firewall, numerous other elements are often implemented to protect a network, EXCEPT:
a public IP address proxy.
All of the following are firewall management best practices, EXCEPT:
establish a philosophy of default allow rather than default deny.
Arturo is troubleshooting a firewall that may have been hacked by a malicious outsider. He is under pressure and immediately tries a fix that, if it fails, will not be easy to back out of. Before he makes the attempt, his supervisor warns him of the danger. What does Arturo's supervisor say?
Avoid destructive or irreversible solutions until last.
Dhruv is a network engineer using a command-line interface on his computer. He types the command mstsc/v and then a server name. What is he doing?
Connecting to a Windows server running a virtual private network (VPN)
James is a network engineer. He has been assigned the responsibility of designing a virtual private network (VPN) solution that will allow customers, suppliers, and business partners access to network resources without exposing the secure private LAN. The parties accessing these resources must use digital certificates issues by a certification authority (CA). What form of VPN is he setting up?
Extranet
Lin is designing a virtual private network (VPN) implementation as a class project. The assignment includes a budget she has to follow. To save money, she decided to use a VPN without a firewall. What is the problem with her decision?
This approach will not work because VPNs cannot take the place of firewalls.
Your sales department likes to stream professional sports games across the computer network on Wednesday afternoons, causing VPN performance issues during that time. What is the most likely cause of the performance issues?
Traffic spike
Which of the following is a protocol that supports Advanced Encryption Standard (AES) with 128, 192, and 256 keys?
Transport Layer Security (TLS)
Extranets differ from intranets in that remote users outside of the enterprise are allowed access to resources inside the network.
True
Microsoft Remote Assistance allows support professionals to remotely control a user's system.
True
The higher the encryption level of a virtual private network (VPN) connection, the greater the impact on the memory and processor of the endpoint devices.
True
Which of the following is a core Internet Protocol Security (IPSec) protocol that provides encryption only, both encryption and integrity protection, or integrity protection only in all but the oldest IPSec implementations?
Encapsulating Security Payload (ESP)
Maria is a new network engineer for a company that was established more than 30 years ago. She is examining the IT infrastructure and discovers that the virtual private network (VPN) solution employs an older encryption protocol for backward compatibility. This protocol has largely been replaced, but it used to be popular in early VPN solutions. What is this protocol?
Layer 2 Tunneling Protocol (L2TP)
Which of the following is an advantage of Secure Sockets Layer/Transport Layer Security (SSL/TLS) virtual private networks (VPNs) versus Internet Protocol Security (IPSec) VPNs?
No NAT problems
Which of the following best describes a technology with the least inherent security risks and is less likely to reveal information a user did NOT intend to share?
Onion routing
Which of the following can cause a full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams?
Overlapping
A virtual private network (VPN) replaces a firewall.
False
In IPSec tunnel mode, only the data packet payload is encapsulated, while the packet header is left intact.
False
In a gateway-to-gateway virtual private network (VPN), the mobile user takes specific actions to connect to the VPN.
False
Internet Protocol Security (IPSec) is a standards-based protocol suite designed specifically for securing ____________ communications.
Internet Protocol (IP)
Various virtual private network (VPN) encryption technologies offer access to almost any network application or resource. Which one offers additional features, such as easy connectivity from non-company-managed desktops, little or no desktop software maintenance, and user-customized web portals upon login?
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Oscar is deploying a virtual private network (VPN) solution for his company. The VPN needs to connect to remote servers by their Internet Protocol (IP) addresses rather than using network address translation (NAT). What type of VPN is Oscar deploying?
Operating system (OS)
Chad is a network engineer. He is tasked with selecting a virtual private network (VPN) platform for his company. He chooses a solution that is inexpensive and runs on UNIX, although it is less scalable and less stable than other solutions. What has he chosen?
Operating system-based VPN
A customer premise equipment (CPE)-based virtual private network (VPN) is a VPN appliance.
True
The performance characteristics associated with an Internet Protocol Security (IPSec) virtual private network (VPN) can be very different from a Secure Sockets Layer (SSL) VPN implementation.
True
The stability of a virtual private network (VPN) connection can be affected by the number of firewalls and routers it must traverse.
True
Whereas a virtual private network (VPN) encrypts pieces of data, a firewall protects the internal network from outside threats.
True
A virtual private network (VPN) implementation best practice is to protect the VPN server behind a firewall.
True
Depending on the location of a virtual private network's (VPN's) endpoints, the topology may affect performance.
True
Layer 2 of the Open Systems Interconnection (OSI) Reference Model is the Data Link Layer.
True
Chris is a network engineer deploying a virtual private network (VPN) solution. He needs an implementation of Secure Sockets Layer/Transport Layer Security (SSL/TLS) that adds a layer of authentication to the access. What feature does he require?
Bidirectional authentication
Maria is the technician on call for her company's IT department. Over the weekend she discovers a breach in the primary firewall. She is restraining further escalation of the issue, an action that is referred to as:
Containment