ICS 171 Quiz #2
Where would a NIDS sit on a network? (Select the best answer.)
Inline - A NIDS normally sits inline on the network. It could be before or after the firewall but more commonly is on the side closer to the Internet. Although it is possible to put a NIDS on the extranet or on a DMZ, it is far less common. Back to back is a phrase used when an organization implements two firewalls.
Access control lists enable or deny traffic and can be configured to help secure a router.
True
A firewall can use NAT and packet filters.
True - Firewalls can use packet filtering, NAT filtering, application-level gateways, and circuit-level gateways.
An IP proxy can be the victim of denial-of-service attacks
True - IP proxies can indeed be the victim of denial-of-service attacks and should be monitored periodically and updated regularly
NAT filtering matches incoming traffic to corresponding outbound IP connections by matching the IP address and port
True - NAT filtering matches incoming and outgoing traffic by way of IP addresses and port numbers.
NAT is sometimes also known as IP masquerading
True - NAT, which stands for network address translation, is sometimes also known as IP masquerading. NAT is the process of changing an IP address while it is in transit across a router.
Which of the following refers to the unauthorized access of information from a wireless device through a Bluetooth connection?
Bluesnarfing - Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection. Bluejacking is the sending of unsolicited messages to a Bluetooth-enabled phone. Radio-frequency identification (RFID) relates to identifying and tracking tags that are attached to objects. Near field communication (NFC) generally requires that communicating devices be within 4 cm of each other, which makes skimming of information difficult
A stateless packet filter is vulnerable to IP spoofing attacks.
True - Stateless packet filters are vulnerable to IP spoofing attacks. Firewalls running stateful packet inspection are not vulnerable because they keep track of the state of network connections.
By checking CVEs, you can keep informed of the latest attacks to web servers.
True - The list of Common Vulnerabilities and Exposures (CVE) should be reviewed often by network administrators so that they know the latest attacks to web, FTP, and other servers
What should you configure to improve wireless security?
Use MAC filtering - MAC filtering disallows connections from any wireless clients unless the wireless client's MAC address is on the MAC filtering list.
Which of the following ways can help secure a modem? (Select the two best answers.)
Use strong passwords. Use the callback feature.
If a server has inbound port 21 open, what service is it running?
File Transfer Protocol - Port 21 corresponds to the File Transfer Protocol (FTP). The Simple Mail Transfer Protocol (SMTP) uses port 25. The Hypertext Transfer Protocol (HTTP) uses port 80. Kerberos uses port 88.
A characteristic of reflection attacks is the lack of _______ traffic.
backscatter
Which of the following should be your primary line of defense in network security?
Firewall - Firewalls should be your primary line of defense in network security. Although intrusion detection/prevention systems are important, a firewall should be installed first. Proxy servers can also help to protect computers on the LAN and should be considered. Protocol analyzers investigate packets that are sent across the network
James has detected a network intrusion in his company. What should he check first?
Firewall logs - If there were a network intrusion, the first thing you should check are the firewall logs. DNS logs in the Event Viewer and the performance logs will most likely not show intrusions to the company. The best place to look first is the firewall logs
Your boss wants you to secure your web server's transactions. Which protocol and port number should you use to accomplish this?
HTTPS - port 443 HTTPS (Hypertext Transfer Protocol Secure) should be used; it corresponds to port 443. POP3 is used by e-mail servers. LDAP is used by domain controllers. RDP is used by remote desktop services to connect to other computers over a network connection.
A client computer uses the IP address 10.254.254.189. It has made a connection to a web server by opening the outbound port 1589. The server uses the IP address 65.19.28.154. You want to filter out any HTTP packets coming from the server. Which IP address and port should you specify to be filtered on the firewall?
65.19.28.154:80 You should filter the packets coming from the server's IP and its inbound port: 65.19.28.154:80. It would be difficult to filter port 1589 because this port is assigned dynamically to the outbound connection of the client computer; it will change every time a new session starts. The client computer should not use port 80 because it is not the computer acting as a web server. The web server will most likely not use port 1589. The connection from the client computer on outbound port 1589 is made to the web server on inbound port 80.
Your organization has seen a rising number of rogue wireless access points through its network. As a network administrator, what are some steps (give at least 3) could you take to reduce this trend?
Examples include:Physically control access to wiring hubs/servers or any wiring closets to prevent "add-ons"Port control on switches/routers (unused ports are administratively locked)Port control on systems (lock USB, or at least restrict it so installation of wireless devices/software would not be allowed)Firewall ACLs can be modified to allow only "specified" IPs to send traffic out (a outgoing "white list")Routinely screen logs for strange IPs attempting to go "out" of the firewall (should be failed/dropped attempts if the ACLs are correctly done)Routinely screen the spectrum to look for unauthorized wireless devices (spectrum analyzers, etc.)Lock down DHCP to prevent rogue devices from getting a legitimate IP from the DHCP serverWatch DHCP logs to look for strange devices attempting to request IPs from the network
A MAC flood is when a person accesses a single port of a switch that was not physically secured.
False - A MAC flood is when numerous packets are sent to a switch, each with a different source MAC address, in an attempt to use up all the memory on the switch and causing a change of state known as failopen mode
An IP proxy serves client requests by caching HTTP information.
False - IP proxies secure networks by keeping the machines behind them anonymous. Caching proxies serve client requests such as caching hypertext information among other types of information
Privilege escalation is used in computer programs to bypass normal authentication
False - Privilege escalation is the act of exploiting a bug or design flaw in an operating system or application to gain access to resources that normally would be protected from an application or user. Backdoors are used in computer programs to bypass normal authentication and other security mechanisms in place.
One way to defend against a double-tagging attack is to put unplugged ports on the switch into an unused VLAN.
False - Putting unplugged ports on the switch into an unused VLAN is one way of defending against switch spoofing. Ways to defend against double tagging include upgrading firmware and picking an unused VLAN as the default VLAN.
One example of PaaS is a Gmail email account
False- A Gmail email account would be an example of SaaS. An example of PaaS would be cloud-based application development, most likely in a virtualized fashion
A NIDS can inspect traffic and possibly remove, detain, or redirect malicious traffic
False- A NIDS attempts to detect malicious network activities by monitoring network traffic and alerts the administrator in the case that it finds any. A NIPS can inspect traffic and remove, detain, or redirect that traffic
Which of the following can detect malicious packets and discard them?
NIPS - NIPS, or a network intrusion prevention system, can detect and discard malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is port-based address translation, which translates both IPv4 addresses and port numbers.
Which of the following is not a denial-of-service attack?
Replay attack - The replay attack is a network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. It is not within the realm of denial-of-service attacks. All the other answers are types of denial-of-service attacks.
