Chapters 7, 8, 9: Network Security, Firewalls, and VPNs, Second Edition
What is anomaly-based detection?
A form of intrusion detection system/intrusion prevention system (IDS/IPS) based on a defined normal, often defined using rules similar to firewall rules.
Which of the following describes an access control list (ACL)?
A mechanism that defines traffic or an event to apply an authorization control of allow or deny against.
Which of the following describes fair queuing?
A technique of load balancing that operates by sending the next transaction to the firewall with the least current workload.
Which of the following describes a general purpose OS?
An operating system such as Windows or Linux that can support a wide variety of purposes and functions, but which, when used as a bastion host OS, must be hardened and locked down.
Which of the following refers to a system designed, built, and deployed specifically to serve as a frontline defense for a network?
Bastion host
Which of the following refers to a form of IDS/IPS detection based on a recording of real-world traffic as a baseline for normal?
Behavioral-based detection
Which of the following refers to a form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events? All traffic or events that match an item in the database are considered abnormal and potentially malicious.
Database-based detection
It's important to evaluate the purpose and content of your firewall policy. Which of the following is not an evaluation method?
Determine how to write a policy that is as short as possible to avoid confusion.
Which term describes an approach to security similar to defense in depth in that it supports multiple layers, but uses a different security mechanism at each or most of the layers?
Diversity of defense
HTTP Proxy is Linux software powered by VMware that creates SSH encrypted tunnels used in combination with TOR.
False
If you do not eliminate personal communications, business functions can continue unhindered.
False
Intruders can edit data written to a WORM device.
False
Signature-based detection describes a form of intrusion detection system/intrusion prevention system (IDS/IPS) based on a defined normal.
False
The Eradication phase of an incident response plan returns the situation to normal operation.
False
The term weakest link describes an organization's filtering configuration; it's the answer to the question, "What should be allowed and what should be blocked?"
False
You cannot replace a native or default software firewall product in a general-purpose operating system (OS) with a third-party option.
False
Which of the following refers to an event that does not trigger an alarm but should have, due to the traffic or event actually being abnormal and/or malicious?
False negative
Which of the following does not protect against fragmentation attacks?
Firewalking
Which of the following is not a security strategy?
Firewall policies
Which of the following uses a brute-force technique to craft packets and other forms of input directed toward the target?
Fuzzing tools
Which of the following are documents that can help you to review and assess your organization's status and state of security?
Incident response plan
Which one of the following is not a benefit of having a written firewall policy?
It defines how to use a reverse proxy to add an additional layer of protection and control between Internet-based users and internally hosted servers.
Which of the following can improve firewall performance?
Load balancing
Which of the following uses ICMP as a tunneling protocol?
Loki
Which command-line or graphical interface is used to control and configure a device?
Management interface
Which of the following is a malicious remote control tool?
NetBus
Which of the following creates TCP and UDP network connections to or from any port?
Netcat
Which of the following is a network mapper, port scanner, and OS fingerprinting tool that checks the state of ports, identifies targets, and probes services?
Nmap
Which of the following refers to a network access control or admission control (NAC) used on individual network access devices, such as firewalls, VPN gateways, and wireless routers, to offload authentication to a dedicated authentication server/service?
PNAC
Which of the following steps of an incident response plan returns the operation to normal?
Recovery
There are six steps for writing a security incident response plan. Which of the following is not a step?
Report
Which of the following is a centralized logging service that hosts a duplicate copy of log files?
Syslog
Which of the following is a technique for storing or copying log events to a centralized logging server?
Syslog
A firewall can perform only the operations for which it is programmed, and the specifics of and the order of the rules that result in less access rather than greater access are: List specific Deny rules first, then the Allow exceptions, and always keep the default-deny rule last.
True
A firewall's vulnerability to DoS flooding is a limitation or weakness that you can't fix, improve, or repair by either upgrading the firewall or applying a patch.
True
Each form of firewall filtering or traffic management is vulnerable in some way.
True
Encryption of the session that accesses a firewall's management interface is the most important and critical aspect of management interface configuration.
True
Fair queuing is a technique of load balancing that operates by sending the next transaction to the firewall with the least current workload.
True
Snort is an open-source, rule-based IDS that can detect firewall breaches.
True
The definition of a business task should consider whether or not the task is necessary. If the task is necessary, the organization's security solution should make the task possible.
True
When defining firewall rules, you should keep the rule set as simple as possible.
True
When it comes to firewall rules, in general, grant access only to traffic that is essential.
True
When security interferes with doing business and an organization believes that security can be turned off because it is inconvenient, it's only a matter of time before a catastrophic compromise occurs.
True
You should immediately terminate any communication found to take place without firewall filtering.
True
You should spend security funds somewhat evenly to secure the overall organization, rather than over-securing one area and neglecting another.
True
Which of the following refers to the deployment of a firewall as an all-encompassing primary gateway security solution?
UTM
Which of the following is not a commonsense element of troubleshooting firewalls?
Work with urgency
Which of the following describes security stance?
an organization's filtering configuration; it answers the question, "What should be allowed and what should be blocked?"
Which of the following does port forwarding support?
any service on any port
Which of the following is a dedicated hardware device that functions as a black-box sentry?
appliance firewall
Which of the following is not a protection against fragmentation attacks?
buffer overflows
Which of the following forces all traffic, communications, and activities through a single pathway or channel that can be used to control bandwidth consumption, filter content, provide authentication services, or enforce authorization?
chokepoint
Which of the following is an advantage of the build-it-yourself firewall?
cost
Which term describes a security stance that prevents all communications except those enabled by specific allow exceptions?
deny by default/allow by exception
A false negative is an event that triggers an alarm when the traffic or event is abnormal and/or malicious.
false
Authentication and authorization must be used together.
false
Denial of service (DoS) attacks cannot be detected by a firewall.
false
Deploy firewalls as quickly as possible.
false
Deploying a security product is preferable to addressing your environment's specific risks.
false
Port forwarding supports caching, encryption endpoint, and load balancing.
false
The firewall administrator should give physical access to firewall devices to senior managers and middle managers.
false
When troubleshooting firewalls, you should never attempt to repeat the problem because you could do more damage.
false
Which of the following is a written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic?
filter
In which type of system environment do you block all access to all resources, internal and external, by default, and then use the principle of least privilege by adding explicit and specific allow-exceptions only when necessary based on job descriptions?
filter-free
Which type of test is run in non-production subnets where you've configured a duplicate of the production environment?
laboratory test
When troubleshooting firewalls, which of the following is not something you should do after you attempt a fix?
make multiple fixes
Which of the following troubleshooting steps involves reviewing the entire troubleshooting response process?
performing a post-mortem review
Which of the following steps of an incident response plan selects and trains security incident response team (SIRT) members and allocates resources?
preparation
Which of the following refers to an operating system built exclusively to run on a bastion host device?
proprietary os
Which of the following provides faster access to static content for external users accessing internal Web servers?
reverse caching
Which of the following hands out tasks in a repeating non-priority sequence?
round robin
Which of the following is not a common reason for deploying a reverse proxy?
time savings
Adding caching to a firewall transforms it into a proxy server for whatever service you configure the caching to supplement.
true
Allowing every communication is a bad idea from a security standpoint as well as a productivity one.
true
Diversity of defense uses a different security mechanism at each or most of the layers.
true
Firewalking is a hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic.
true
If strong authentication is a priority, select an application gateway firewall or a dedicated application-specific proxy firewall.
true
Netcat is a hacker tool that creates network communication links using UDP or TCP ports that support the transmission of standard input and output.
true
Overlapping occurs when full or partial overwriting of datagram components creates new datagrams out of parts of previous datagrams.
true
PacketiX VPN and HotSpotShield are encrypted Web proxy services.
true
Rule-set ordering is critical to the successful operation of firewall security.
true
Security through obscurity can be both a good strategy and a bad one depending on the type of security.
true
Simulator tests are secure by design.
true
The Containment phase of an incident response plan restrains further escalation of the incident.
true
The Detection phase of an incident response plan confirms breaches.
true
Unified threat management (UTM) has the advantage of managing multiple security services from a single interface.
true
When troubleshooting firewalls, you should simplify the task by first disabling or disconnecting software and hardware not essential to the function of the firewall.
true
Wireshark can be used in the absence of a firewall, with a firewall set to allow all traffic, or even in the presence of a firewall to inventory all traffic on the network.
true
Wireshark is a free packet capture, protocol analyzer, and sniffer that can analyze packets and frames as they enter or leave a firewall.
true
You should consider placing rules related to more common traffic earlier in the set rather than later.
true
You should not automatically purchase the product your cost/benefit analysis says is the best option.
true