itn 263 final
Hyon is a network consultant. She was hired by a client company to examine the effectiveness of its IT infrastructure. She discovers that the company's Internet-facing firewall is not capable of automatically handling and adjusting for random source ports when a session is being established to its web and gaming servers. How should she correct this?
Create a custom rule to manage random source ports
Which of the following is unlikely to support at-firewall authentication?
DMZ
Which elements do digital certificate contain that can be used to increase the reliability of authenticity and nonrepudiation?
Digital certificates use a public key and private key pair signed by a trusted third party.
The IT department of a company has just rolled out a virtual private network (VPN) solution that offers greater flexibility, delegation of management, and added security over the previous implementation. What is this solution called?
Secure Sockets Layer (SSL) virtualization
A remote access virtual private network (VPN) is also known as host-to-site VPN because it supports single-host VPN connections into a LAN site.
TRUE
A software-based virtual private network (VPN) may be part of a server operating system, part of an appliance operating system, or a third-party add-on software solution.
TRUE
What is a common security mistake made by both end users and experts?
Using the same password on multiple systems
Which of the following is insurance against data loss?
backups
A virtual private network (VPN) connection ensures quality of service.
false
It is uncommon to leverage a virtual private network (VPN) to send sensitive information when connected to an untrustworthy network.
false
Mazie is a network engineer designing a virtual private network (VPN) architecture. The architecture must have the ability to establish and maintain a secure link between the company's main office and a branch office over the Internet, effectively creating a single distributed LAN. What solution does she recommend be applied?
site to site
Analisa is a sales representative who travels extensively. At a trade show, Analisa uses her virtual private network (VPN) connection to simultaneously connect to the office LAN and her personal computer at home. What security risk does this pose?
split tunneling
After installing a firewall, you should always install every available patch and update from the vendor.
true
When monitoring a virtual private network (VPN), multiple concurrent employee connections may indicate a security issue.
true
When selecting a virtual private network (VPN) solution, a best practice is to consider only solutions with proven capabilities.
true
In a tunneling attack, once the tunnel is open, what are the limitations?
data can move in either direction
What is an intrusion detection system/intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity similar to how antivirus applications work?
database based detection
Which of the following is the most common vulnerability on any hardware device, including hardware-based virtual private networks (VPNs)?
default password
An exploit called "overlapping" can cause the full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams. An overrun attack can create excessively large datagrams and, with other types of fragmentation attacks, can result in:
denial of service
Juan is a technician designing a physical security strategy for his company's network. He wants to convince potential hackers that it would be too difficult and complex for them to mount a successful assault or that such an attack would be too easily detected. What central function is he addressing?
deterrence
Bill's work-issued Windows laptop has been configured so he can remotely connect to his office from home without having to initiate a virtual private network (VPN) connection. What technology is he using?
direct access
Hajar is a new network administrator. She is inventorying firewalls in her company. She finds one that has a management interface lacking something and makes a note to replace it immediately. What critical security measure is the management interface missing?
encryption
______ is commonly exploited by many hackers because most enterprise web traffic is _________.
encryption tunneled
James is a network engineer. He has been assigned the responsibility of designing a virtual private network (VPN) solution that will allow customers, suppliers, and business partners access to network resources without exposing the secure private LAN. The parties accessing these resources must use digital certificates issues by a certification authority (CA). What form of VPN is he setting up?
extranet
Which of the following is a security state that reverts to a state of being unavailable or locked?
fail close
A small fire breaks out in the lunch room of a branch office and the fire alarms sound. The employees are directed to leave the building and assemble in the parking lot. What condition is required to enable them to cross restricted access areas that are normally locked?
fail open
A good policy is to implement the first generation or first release of a firewall product.
false
A potential loophole is created when the wrong rule is positioned last in a firewall rule set.
false
A virtual private network (VPN) server for remote access must be located in the demilitarized zone (DMZ).
false
All private key cryptography is asymmetric, but some asymmetric algorithms are not private key algorithms.
false
Allow by default/deny by exception is always the preferred security stance.
false
Allow-by-default automatically prevents most malicious communications by default.
false
Internet Protocol Security (IPSec) is designed to work well with network address translation (NAT).
false
Microsoft RD Web Access connects remote clients to internal resources over a virtual private network (VPN) connection.
false
Multiple firewalls in a series is considered diversity of defense but not defense in depth.
false
Netcat cannot be used to create covert channels to control a target system remotely.
false
Only hardware virtual private networks (VPNs) are vulnerable to denial of service (DoS) attacks.
false
Open-source virtual private network (VPN) solutions are usually less flexible than commercial solutions.
false
Physical damage is not related to denial of service.
false
Resiliency is the ease with which an organization can quickly increase capacity and use or shrink capacity and use of a device, system, or network.
false
Security education for users is desired, but not required, for maintaining a secure environment.
false
Software-based virtual private networks (VPNs) are typically more scalable than hardware VPNs.
false
The Network Layer of the Open Systems Interconnection (OSI) Reference Model is the protocol layer that transfers data between adjacent network nodes.
false
The functionalities of software and hardware virtual private network (VPN) solutions are fundamentally different.
false
The less complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators.
false
The source address and the port address of inbound firewall rules are often set to Deny, unless the rule is to apply to specific systems or ports.
false
The weakest link security strategy gains protection by using abnormal configurations.
false
To avoid confusion, an organization should have a written security policy for a minimum number of security components.
false
Virtual private networks (VPNs) over the Internet can experience latency but not fragmentation.
false
Whereas privacy is the ability of a network or system user to remain unknown, anonymity is keeping information about a network or system user from disclosure.
false
Whole hard drive encryption prevents anyone from accessing data on the drive.
false
The most common method of exploiting and/or bypassing a firewall is tunneling.
falseE=
A malicious party has discovered the IP address of a host inside a network she wants to hack. She employs a form of port scanning, attempting to establish a connection with the host using multiple different ports. Which technique is she using?
firewalking
What is the basic service of a reverse proxy?
hides the identity of a web server accessed by a client over the internet
While there is no single way to troubleshoot a virtual private network (VPN) issue, what is the MOST appropriate first step?
identify the specific symptoms of the problem
All of the following protect against fragmentation attacks, EXCEPT:
internal code planting
Which Internet Protocol Security (IPSec) core component negotiates, creates, and manages security associations?
internet key exchange
Which of the following statements is TRUE of an Internet Protocol Security (IPSec) virtual private network (VPN) when compared to a Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPN?
it requires client software
Which layer of the OSI model is the Data Link Layer?
layer 2
Jahi is a security engineer for a U.S. Department of Defense contractor. He is implementing a more secure method for remote users to log into an internal system over a virtual private network (VPN). In addition to requiring a password, this method asks the user to enter a PIN texted to their mobile phone, and to use a fingerprint reader mounted to their company-issued laptop. Which method is Jahi deploying?
multifactor authentication
Which of the following can be described as putting each resource on a dedicated subnet behind a demilitarized zone (DMZ) and separating it from the internal local area network (LAN)?
n tier deployment
Which of the following is a malicious remote control tool?
netbus
A malicious person is attempting to subvert a company's virtual private network (VPN). She is using a tool that creates TCP and UDP network connections that can link to or from any port. What is this tool?
netcat
Virtual private networks (VPNs) and which standard have historically suffered from conflicts when used together?
network address translation
Ahmed is testing the security of his company's IT infrastructure. He is using an application that works as a network mapper, port scanner, and OS fingerprinting tool. Which of the following is he employing? Correct!
nmap
Which of the following is an advantage of Secure Sockets Layer/Transport Layer Security (SSL/TLS) virtual private networks (VPNs) versus Internet Protocol Security (IPSec) VPNs?
no nat problems
What is a mathematical operation that is easily performed but that is highly unlikely to reverse in a reasonable amount of time?
one way function
Which of the following best describes a technology with the least inherent security risks and is less likely to reveal information a user did NOT intend to share?
onion routing
Oscar is deploying a virtual private network (VPN) solution for his company. The VPN needs to connect to remote servers by their Internet Protocol (IP) addresses rather than using network address translation (NAT). What type of VPN is Oscar deploying?
operating system
Chad is a network engineer. He is tasked with selecting a virtual private network (VPN) platform for his company. He chooses a solution that is inexpensive and runs on UNIX, although it is less scalable and less stable than other solutions. What has he chosen?
operating system based vpn
Aditya is a network engineer. He is deploying a special host that will attract hackers so he can capture and analyze the attacks. This specific method involves using an intrusion detection system (IDS) to detect attacks and then routing them to an environment where they can do no harm. What is this method called?
padded cell
Mei is a new network technician for a mid-sized company. She is trying to determine what is causing a performance lag on the infrastructure's virtual private network (VPN). The lags typically occur between 8 a.m. and 9 a.m., and again between 1 p.m. and 2 p.m. What is the most likely cause?
peak usage loads
Which of the following is an authentication method that supports smart cards, biometrics, and credit cards, and is a fully scalable architecture?
802.1x
Wen, a network engineer for a mid-sized company, is rolling out a virtual private network (VPN) solution that is easy to set up, manage, and maintain and represents the majority of VPN platforms on the market. What type of VPN is Wen deploying?
CUSTOMER PREMISE EQUIPMENT CPE
Amy is a network engineering consultant. She is designing security for a small to medium-sized government contractor working on a project for the military. The government contractor's network is comprised of 30 workstations plus a wireless printer, and it needs remote authentication. Which of the following is a type of authentication solution she should deploy?
radius
A malicious person is using an existing virtual private network (VPN) tunnel to infiltrate a company's private local area network (LAN). What is this tunneling method doing?
Hijacking an existing port
Tomika is a network architect. A coworker is helping to design a more secure placement of the company's virtual private network (VPN) device. The coworker suggests that the device be placed between the Internet-facing firewall and the internal network. What is Tomika's opinion of this deployment strategy?
It is somewhat secure but does not address possible security issues involving untrustworthy VPN connections.
Armand is the IT director of his organization. He is working with accounting to determine a budget for upgrading the company's virtual private network (VPN) equipment. Several options are available, and he still needs more technical assistance to make a decision. Rather than going with award-winning VPN products he has found in industry magazines and websites, which of the following is the best choice to consult for assistance in collecting information and helping to narrow his choices?
reseller
Tiffany is a network engineer for her company. To enhance the performance of the network, she uses a method that assigns incoming transactions as they arrive in sequence to each of the infrastructure's three firewalls. Transaction 1 goes to firewall 1, transaction 2 goes to firewall 3, transaction 3 to firewall 2, and so on. Which technique is Tiffany using?
round robi
All firewalls, including those using static packet filtering, stateful inspection, and application proxy, have one thing in common. What is it?
rules
Which component of a virtual private network (VPN) policy describes the parameters for employee use of the VPN, including consequences for not following the policy?
scope/binding nature statement
Leandro is writing a firewall policy. He needs to define which type of firewall he needs for each portion of the infrastructure based on differing areas of risk and trust. What are these areas called?
security zones
Which of the following is described as an approach to network security in which each administrator is given sufficient privileges only within a limited scope of responsibility?
separation of duties
Maria is the technician on call for her company's IT department. Over the weekend she discovers a breach in the primary firewall. She is restraining further escalation of the issue, an action that is referred to as:
containment
An intranet virtual private network (VPN) never traverses a wide area network (WAN) link.
false
Ambrose is testing his IT department's new firewall deployment. He is using a collection of applications that employ a brute-force technique to craft packets and other forms of input directed toward a target. What is this collection of tools called?
fuzzing tools
Remote Desktop Connection (RDC) is a built-in application that uses what proprietary protocol?
remote desktop protocol
Isabella is a network administrator. She is researching virtual private network (VPN) options for company employees who work from home. The solution must provide encryption over public networks, including the Internet; not rely upon pathways the company owns; be reliable; and not be subject to eavesdropping. It must also be cost-effective. Which solution does she choose?
secured vpn
Landon is a network contractor. He has been hired to design security for the network of a small company. The company has a limited budget. Landon is asked to create a system that will protect the company's workstations and servers without undo expense. Landon decides to deploy one hardware firewall between the Internet and the local area network (LAN). What is this solution called?
single defense
The configuration, location, software version, and underlying operating system of a virtual private network (VPN) are all factors that are most likely to affect:
stability
A drawback of multiple-vendor environments is the amount of network staff training that is typically needed.
true
With edge routers as the virtual private network (VPN) termination point, the VPN link exists only over the public intermediary networks, not within the private LAN(s).
true
A company uses an Internet Protocol Security (IPSec) virtual private network (VPN) solution. It allows remote users to connect to the main office and allows communication between the main office and branch offices securely over the Internet. The main office network uses network address translation (NAT) with an internal IP address range of 192.168.0.1 to 192.168.0.254. Which of the following ranges must remote offices and users NOT use on their internal networks?
192.168.0.x
Felicia is a network engineer deploying a virtual private network (VPN) solution. The VPN operates using Secure Shell (SSH). When asked by a new help desk tech about which layer of the OSI model it employs, how does Felicia answer?
7
Which of the following is an encryption method that is very fast and is based on a single, shared key?
symmetric
Carl is a security engineer for his company. He is reviewing a checklist of measures to physically protect the network specifically and the office environment in general. What is he focused on?
testing alarms
Besides a firewall, numerous other elements are often implemented to protect a network, EXCEPT:
a public ip address proxy
Maria is a network engineer assigned to select a new virtual private network (VPN) solution for her company. She is weighing the benefits of commercial versus open-source VPNs. Which of the following is a benefit of open-source platforms?
access to internet based support
Which of the following provides integrity protection for packet headers and data and can optionally provide replay protection and access protection?
authentication header
Alejandro is a cybersecurity contractor. He was hired by a Fortune 500 company to redesign its network security system, which was originally implemented when the company was a much smaller organization. The company's current solution is to use multiple firewall platforms from different vendors to protect internal resources. Alejandro proposes an infrastructure security method that, in addition to firewalls, adds tools such as an intrusion detection system (IDS), antivirus, strong authentication, virtual private network (VPN) support, and granular access control. What is this solution called?
diversity of defense
Carl is a network technician who has been assigned to select a dedicated hardware device to act as the company's termination point for the secured virtual private network (VPN) tunnel. He chooses a device that allows the firewall to filter traffic that is exiting the VPN and moving into the local area network (LAN). It is the choice that is best suited for controlled access into the demilitarized zone (DMZ). What is the solution that he recommends? Correct!
edge router
An intrusion detection system (IDS) false positive occurs when the IDS fails to detect an attack.
false
Basic packet filtering uses a complex, dynamic rule set.
false
Delay is the use of security to convince a potential attacker that the efforts to compromise a system are not worth it.
false
Depending on the situation, a fail-open state could be fail-secure or fail-close.
false
Fair queuing is the distribution of the firewall filtering workload across multiple parallel firewalls.
false
Firewalking is a technique to learn the configuration of a firewall from the inside.
false
In IPSec tunnel mode, only the data packet payload is encapsulated, while the packet header is left intact.
false
In a gateway-to-gateway virtual private network (VPN), the mobile user takes specific actions to connect to the VPN.
false
Instability is not considered a potential threat associated with software virtual private networks (VPNs).
false
A best practice when troubleshooting a virtual private network (VPN) is to document processes and procedures.
true
Firewalls filter traffic using rules or filters.
true
Internet Protocol Security (IPSec) supports both transport mode and tunnel mode. Correct!
true
Tonya is a network engineer. She is developing a new security policy for her company's IT infrastructure. She understands that the heart of performing a risk assessment, which is a necessary part of policy development, is understanding assets, likelihoods, threats, and _________.
vulnerabilities
Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design?
traffic patterns
Your sales department likes to stream professional sports games across the computer network on Wednesday afternoons, causing VPN performance issues during that time. What is the most likely cause of the performance issues?
traffic spike
Which of the following is a virtual private network (VPN) encryption encapsulation method best suited for linking individual computers together, even though it does not encrypt the original IP header?
transport
Which of the following is a protocol that supports Advanced Encryption Standard (AES) with 128, 192, and 256 keys?
transport layer security
Once a zero-day exploit is discovered, a hacker can utilize that vulnerability until it is patched.
tre=ue
A VPN creates or simulates a network connection over an intermediary network. Correct!
true
A benefit of a commercial virtual private network (VPN) solution is access to vendor support.
true
A best practice for firewall rules is to keep the rule set as simple as possible.
true
A best practice is to back up firewall configurations before applying new and tested updates.
true
A best practice is to block any device connecting to a network that is not in compliance with the security policy.
true
A best practice is to define a complete firewall rule set for each prescribed firewall in a written firewall policy.
true
A best practice is to perform verification scans of all deployed firewall settings to ensure their functionality.
true
A buffer overflow is a condition in which a memory buffer exceeds its capacity and the extra content "overflows" into adjacent memory.
true
A change control mechanism tracks and monitors the changes to a system.
true
A customer premise equipment (CPE)-based virtual private network (VPN) is a VPN appliance.
true
A dedicated leased line is an alternative to a virtual private network (VPN) between two office locations.
true
A default-allow firewall stance assumes that most traffic is benign.
true
A default-deny firewall stance assumes that all traffic is potentially unauthorized.
true
A hacker tunneling set up using an inbound connection must "hijack" an existing open port or reconfigure the firewall to open another port for use by the tunnel.
true
A hardware virtual private network (VPN) is a standalone device, dedicated to managing VPN functions.
true
A remote access link enables access to network resources using a wide area network (WAN) link to connect to the geographically distant network.
true
A virtual private network (VPN) appliance can be positioned outside the corporate firewall so that all VPN traffic passes through firewall filters.
true
A virtual private network (VPN) can operate securely over the Internet and still provide high levels of security through encryption.
true
A virtual private network (VPN) implementation best practice is to protect the VPN server behind a firewall.
true
A virtual private network (VPN) implementation best practice is to use strong authentication.
true
A virtual private network (VPN) policy documents an organization's rules for using the VPN.
true
A virtual private network (VPN) policy helps to ensure that users understand the requirements for computing on a VPN.
true
A virtual private network (VPN) policy should be a part of an overall IT security policy framework to avoid duplicate or conflicting information.
true
A virtual private network (VPN) set up in a demilitarized zone (DMZ) has a firewall in front and behind it. Correct!
true
A virtualized Secure Sockets Layer (SSL) virtual private network (VPN) provides the ability to create custom authentication methods. Correct!
true
A virtualized desktop is hosted on a remote central server instead of on the local hardware of the remote client.
true
A written policy dictates which firewall features to enable or disable.
true
An SSL/TLS-based virtual private network (VPN) enables remote access connectivity from almost any Internet-enabled location using a web browser.
true
An access control list (ACL) focuses on controlling a specific user's or client's access to a protocol or port.
true
An intranet virtual private network (VPN) connects two or more internal networks.
true
An intrusion detection system (IDS) serves as a companion mechanism to a firewall.
true
An intrusion prevention system (IPS) does not replace an intrusion detection system (IDS). Correct!
true
Authentication Header (AH) provides integrity protection for packet headers and data, as well as user authentication.
true
Breaches are confirmed during the detection and analysis phase of incident response.
true
Delay involves slowing down an attack so that even successful breaches give defenders time to respond.
true
Depending on the firewall, a single rule can sometimes define outbound and inbound communication parameters.
true
Detection involves watching for attempts to breach security and being able to respond promptly. Correct!
true
Effective virtual private network (VPN) policies clearly define security restrictions imposed on VPNs.
true
Even with a firewall protecting the internal network, a denial of service (DoS) flooding attack can still successfully disconnect or interfere with external communications.
true
Every update, change, or alteration to any aspect of a firewall should trigger another round of firewall testing. Correct!
true
Extranets differ from intranets in that remote users outside of the enterprise are allowed access to resources inside the network.
true
Firewall filtering is an effective protection against fragmentation attacks.
true
Firewall logging helps to ensure that defined filters or rules are sufficient and functioning as expected.
true
Firewall rules are instructions that evaluate and take action on traffic traversing the network. Correct!
true
Firewalls should be considered a part of a security infrastructure, not the totality of security.
true
Cassie is an IT help desk representative. She just received a trouble ticket from a remote user stating they cannot connect to the company network over the virtual private network (VPN). Cassie begins troubleshooting the matter, checking on recent configuration changes to the VPN equipment, looking at the unit's logs for error messages, and so on. She has examined the VPN-related features and potential problems but still doesn't understand why the end user's connection failed. She has been assured that both the end user and the company have Internet connectivity. What is the most likely reason the user cannot connect?
A network engineer has inadvertently changed the IP address of the firewall's internal interface that connects to the VPN's outward-facing port.
Fragmentation is a supported function of Internet Protocol (IP) packets.
true
Hacker tunneling can create a covert channel.`
true
Hacker tunneling is the creation of a communication channel similar to the creation of a virtual private network (VPN).
true
How you apply Internet Protocol Security (IPSec) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) in a virtual private network (VPN) solution can affect VPN performance.
true
Fumiko is a network technician. She is configuring rules on one of her company's externally facing firewalls. Her network has a host address range of 192.168.42.140-190. She wants to allow all hosts access to a certain port except for hosts 188, 189, and 190. What rule or rules must she write?
A single rule allowing hosts 140-187 is all that is necessary; the default-deny rule takes care of blocking the remaining nonincluded hosts.
If a remote client needs to connect directly to a local area network (LAN), such as over a dial-up connection, a remote access server (RAS) is needed to host a modem to accept the connection.
true
In a bypass virtual private network (VPN), traffic to the VPN and from the VPN to the internal network is not firewalled.
true
In a layered security strategy, each security mechanism addresses a single issue or a small set of issues within a specific context.
true
In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public.
true
In either a host firewall or an appliance firewall, the logic and controlling mechanisms are software.
true
In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections.
true
Insecure default configuration is a vulnerability of a hardware virtual private network (VPN). Correct!
true
Internet Protocol Security (IPSec) has three major components: Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).
true
Layer 2 of the Open Systems Interconnection (OSI) Reference Model is the Data Link Layer.
true
Malware is a vulnerability of a software virtual private network (VPN).
true
Microsoft DirectAccess enables administrators to execute control over remote clients such as through Group Policy.
true
Onion routing limits a network's vulnerability to eavesdropping and traffic analysis.
true
Online backups make an organization dependent on the online provider's security.
true
Prevention is the use of safeguards to thwart exploitation or compromise.
true
Pushing out a patch without proper testing can result in negative impacts that are just as bad as delaying patch approval. Correct!
true
RD RemoteApp is a Microsoft solution that runs on a Microsoft Remote Desktop Services (RDS) server but appears to end users as if it were actually running on their systems.
true
RD Web Access is a Microsoft Remote Desktop Services (RDS) server role that allows desktops and RD RemoteApp applications to launch from a web browser.
true
Remote Desktop Connection (RDC) is a built-in application that uses Remote Desktop Protocol (RDP).
true
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft. Correct!
true
Reverse proxy is a firewall service that allows external users access to internally hosted web resources.
true
Security systems configured by the same security administrator can potentially have the same misconfiguration or design weakness.
true
Side attacks against the encrypted link of a virtual private network (VPN) are nearly eliminated, while data entering or leaving the VPN is at risk.
true
Split tunneling is a configuration setting that allows simultaneous access to both an untrusted network and a secured virtual private network (VPN) network connection.
true
Split tunneling potentially opens a door into the network that you cannot control.
true
The Secure Shell (SSH) protocol is a method for secure remote login and other secure network services over a public network.
true
The collection of disparate log information from systems on a network is called aggregation.
true
The higher the encryption level of a virtual private network (VPN) connection, the greater the impact on the memory and processor of the endpoint devices.
true
The longer the time span between a malicious action and an authoritative response, the greater the likelihood the perpetrator will get away without consequence.
true
The performance characteristics associated with an Internet Protocol Security (IPSec) virtual private network (VPN) can be very different from a Secure Sockets Layer (SSL) VPN implementation.
true
The purpose of compartmentalization is to create small collectives of systems that support work tasks while minimizing risk.
true
The source address and the port address of outbound firewall rules are often set as ANY, unless the rule is to apply to specific systems or ports.
true
The stability of a virtual private network (VPN) connection can be affected by the number of firewalls and routers it must traverse.
true
The universal Deny rule should be the last and final rule in a firewall rule set. Correct Answer
true
Under the universal participation security stance, every employee, consultant, vendor, customer, business partner, and outsider must be forced to work within the security policy's limitations.
true
When a firewall functions at wire speed, the firewall does not introduce any delay or latency in communications because it operates at the same speed as the network. Correct!
true
When the defense in depth security strategy is followed, a single component failure does not result in compromise or intrusion.
true
remote control is the ability to use a local computer system to remotely take control of another computer.
true
Carl is a networking student who is reading about methods of encryption and how they work with firewalls. Right now, he is studying a form of encryption that encrypts the entire original payload and header of a packet. However, because the header contains only information about endpoints, it is not useful for a firewall filtering malicious traffic. Which of the following is the encryption method being described?
tunnel mode
Bill is a network technician. He is currently configuring the infrastructure's Internet-facing firewalls. He knows that the Internet Control Message Protocol (ICMP) echo type often referred to as "ping" is used by malicious persons to probe networks. He wants to set up a rule that will deny ping attempts from outside the network. What does he deny?
type 8
Arturo is installing a hardware server in the network room of a branch office. He wants to label it in a way that will make it easy to differentiate this server from other server machines, yet not clearly identify it in case an unauthorized person gains physical access. How should he label it?
using a code
Joaquin is a senior network technician for a mid-sized company who has been assigned the task of improving security for the IT infrastructure. He has been given a limited budget and must increase security without redesigning the network or replacing all internetworking security devices. He focuses on an approach that will identify a single vulnerability. What does he recommend?
weakest link
Elissa is a network technician. She is configuring firewall rules for one of her company's branch offices, which supports online retail sales of the company's products. She is configuring rules to block traffic based on a traditional model but needs to allow a particular type of traffic. What should she allow?
All traffic from port 80 originating from the office's web server, which is in a protected subnet
Alphonse is a networking contractor who has been hired by a small to medium-sized company to configure its firewall. The firewall comes preconfigured with a common rule set that allows web, email, instant messaging, and file transfer traffic using default ports. The company wants to allow access to secure websites and common website protocols but block access to insecure Internet websites. Which of the following is the best solution?
Allow access to HTTPS, SQL, and Java, but deny access to HTTP
Diego is a network consultant. He is explaining the benefits of virtual private network (VPN) connections for remote clients to the owner of a company who wants to allow most staff to work remotely. He says that a VPN is both private and secure. What does he say is the rationale?
Authentication provides privacy and encryption provides security.
Arturo is troubleshooting a firewall that may have been hacked by a malicious outsider. He is under pressure and immediately tries a fix that, if it fails, will not be easy to back out of. Before he makes the attempt, his supervisor warns him of the danger. What does Arturo's supervisor say?
Avoid destructive or irreversible solutions until last.
Bill is a network engineer. On Monday morning, he learns that the firewalls between network segments are not operating as expected. He checks the activity sheet for the on-call techs who worked the weekend and sees that one of them performed an unscheduled patch. Bill suspects the patch made modifications to the firewalls. Of the following choices, what is the BEST way to check this?
Bill compares screenshots of the optimal firewall configuration against the current settings.What is a type of assessment that judges how well an organization is accomplishing set goals or requirements?
Marta is a network technician intern at a mid-sized company. She is learning hardware virtual private network (VPN) best practices from one of the engineers. Which of the following does the engineer tell Marta is NOT a best practice?
Connecting a client computer to more than one network interface while connected to the office via VPN
Dhruv is a network engineer using a command-line interface on his computer. He types the command mstsc/v and then a server name. What is he doing?
Connecting to a Windows server running a virtual private network (VPN)
Which of the following is a type of virtual private network (VPN) architecture that places a firewall in front of the VPN to protect it from Internet-based attacks as well as a firewall behind the VPN to protect the internal network?
DMZ architecture
Which of the following is a core Internet Protocol Security (IPSec) protocol that provides encryption only, both encryption and integrity protection, or integrity protection only in all but the oldest IPSec implementations?
ENCAPSULATING SECURITY PAYLOAD ESP
Montel is the newly hired IT administrator at a long-established company. In studying its IT infrastructure, he discovers that the main office is connected to four other branch offices in their large city, with each office being linked to the others by dedicated leased lines that allow for direct communications from one location to the next. This mesh network is used only by the company. Montel tells the company's CIO that he has discovered an issue with this design. Compared to a virtual private network (VPN), what main drawback does Montel report?
EXPENSE
An antivirus scanner needs to have its database of definitions updated at least once per week.
FALSE
Which of the following is a protocol that replaces the use of telnet and rlogin to log in to a shell on a remote host?
/ssh
Tonya is an accountant working from home. She connects to her office each day over a virtual private network (VPN). The IT department for her company has deployed a VPN appliance to assist employees such as Tonya in performing their tasks remotely. What solution does Tonya use to access her files on the company's accounting server?
HOST TO GATEWAY
In balancing competing concerns while deploying a personal virtual private network (VPN) solution, Yee values his privacy more than his anonymity. Which is he most concerned about?
Having information about his network exposed
Rachel is the cybersecurity engineer for a company that fulfills government contracts on Top Secret projects. She needs to find a way to send highly sensitive information by email in a way that won't arouse the suspicion of malicious parties. If she encrypts the emails, everyone will assume they contain confidential information. What is her solution?
Hide messages in the company's logo within the email.
Alice is a network engineer who has been tasked with researching a virtual private network (VPN) tunneling protocol to be used by her company. It must be able to pass traffic through a network address translation (NAT) server and be compatible with a number of well-known proprietary and open source platforms. What solution does she select?
Internet Key Exchange v2 (IKEv2)
Devaki is developing a backup and recovery strategy for the network and server system. She needs a way to address and quickly restore small events where a bit of data has accidentally been deleted, as well as to remedy situations where the entire facility is compromised. What is her plan?
Keep a local backup for quick retrieval to deal with small events and an encrypted remotely stored copy for major incidents.
Maria is a new network engineer for a company that was established more than 30 years ago. She is examining the IT infrastructure and discovers that the virtual private network (VPN) solution employs an older encryption protocol for backward compatibility. This protocol has largely been replaced, but it used to be popular in early VPN solutions. What is this protocol?
Layer 2 Tunneling Protocol (L2TP)
The combination of certain techniques allows for relevant information collected by this solution from multiple systems and processes to be aggregated and analyzed for use in decision making. What is the name of this solution?
/SIEM
Alphonse is a network engineer who is developing his IT infrastructure's virtual private network (VPN) deployment plan. He has decided to place the VPN device between the externally facing and internally facing firewalls in the demilitarized zone (DMZ). He is determining the rule sets with which to configure both firewalls. His VPN device is a Secure Sockets Layer (SSL) VPN and he wants to use default settings. Which port should he allow the firewalls to pass traffic through?
443
Which of the following virtual private network (VPN) policy requirements is valid?
Define the mechanisms that provide remote technical support for VPN telecommuters.
Which of the following statements is TRUE of encryption?
Every time an additional bit is added to a key length, it doubles the size of the possible keyspace.
Which of the following can a delay in firewall software patching cause?
Exploitation of the firewall
Which of the following is a limitation of Internet Protocol Security (IPSec)?
It does not encrypt data on client computers.
In symmetric cryptography, the same key must be used to encrypt and decrypt data.
TRUE
Miriam is the cybersecurity manager for her company's IT department. She is updating the computing and networking-related policies that apply company-wide. She learns that Wyatt, an engineer responsible for maintaining VPN access for remote employees, has written a VPN usage policy specifying parameters for use that is independent of what she is crafting. What is the most likely problem?
The two independent policies might describe conflicting requirements such as differing password lengths.
Lin is designing a virtual private network (VPN) implementation as a class project. The assignment includes a budget she has to follow. To save money, she decided to use a VPN without a firewall. What is the problem with her decision?
This approach will not work because VPNs cannot take the place of firewalls.
Alice is a network technician designing infrastructure security based on compartmentalization. Which of the following does she employ?
Zones of access that are separated from other parts of the network by routers, switches, and firewalls
Susan has discovered that the vice president of marketing has brought in her own personal tablet device and connected it to the company's secure wireless network. This violates the organization's IT security policies. Susan informs the chief information security office (CISO) of the situation. What level of control must the CISO exercise with this upper-level manager?
accounting
Teodora is the procurement manager for her company's IT department. She is researching firewalls that come with enhancements beyond basic traffic filtering. Which of the following is considered a firewall enhancement?
anti malware scanning
Opal is the chief technology officer for her company. She is working with the legal department to acquire virtual private network (VPN) service through a cloud provider. She wants the contract to address failover specifically. What is she most likely concerned about?
authentication
Hijacking an existing port
block all encryption
Which of the following virtual private network (VPN) solutions typically accepts a wider variety of client operating system types?
cloud based vpn
What is a type of assessment that judges how well an organization is accomplishing set goals or requirements?
compliance auditing
What is the first step in deploying a firewall?
construct a firewall policy
Which of the following is one of the most common and easily exploited vulnerabilities on any hardware network device?
default password
In an incident response situation, which term is used to described the actual confirmation of a breach?
detection and analysis
During which step of firewall incident response is the compromise resolved?
eradication
All of the following are firewall management best practices, EXCEPT:
establish a philosophy of default allow rather than default deny.
Hashing modifies the original data.
false
a filter pathway is designed to
make it hard to bybass a network filtering system and forece all traffic through one route
Nimi has deployed a new virtual private network (VPN) solution in her company's IT infrastructure. She is testing the connection to the server from a client. Which tool is the best choice for her to use?
ping
Which of the following is a firewall, proxy, and routing service that does NOT support caching, encryption endpoint, or load balancing? Note that this service can be found on almost any service or device that supports network address translation.
port forwarding
Which operating system (OS) for a bastion host runs on most appliance firewalls as well as many Internet service provider (ISP) connection devices?
proprietary OS
Otto is one of many employees working from home. Because his home is located in a rural area, the only form of connectivity available is dial-up. To connect to his office located in an urban community, what must the IT department set up?
remote access server ras
In deploying security for a network, which method is no longer seen as truly secure or sufficient for protecting logins?
single factor authentication
A host virtual private network (VPN) software product allows a single host access to VPN services, while a VPN appliance allows an entire network to access VPN services.
true
A host-to-host virtual private network (VPN) is a direct VPN connection between one host and another.
true
A network security management best practice is to focus on the big-impact and big-result issues first.
true
A simulated firewall test uses an attack simulator to transmit attack packets to a firewall.
true
A site-to-site virtual private network (VPN) is also known as a LAN-to-LAN VPN.
true
Virtual private network (VPN) patches address security issues and fix bugs.
true
users with the minimum level of access to resources needed to complete their assigned tasks follow the principle of least privilege.
true
Isabelle is a network engineer deploying an IT infrastructure in one of her company's new branch offices. Currently, she is designing a local subnetwork that contains and exposes the office's external services to a larger, untrusted network, specifically the Internet. What is this called?
/dmz
Jacob is a remote employee. He clicks the Start menu button in Windows and selects an application to run. Most of the time, he is unaware that he is really accessing the application on a server at his company's main office several miles away. What solution is he using?
/rd remote app
Which of the following is needed when determining what firewall traffic to allow and what to block?
A complete inventory of all needed or desired network communications
While fragmentation of IP packets is supported when they encounter network segments that have a smaller maximum transmission unit (MTU), that feature can be manipulated by malicious parties in overlapping attacks. In calculating a defense for such an exploit, what is the only reliable defense?
A dynamic filtering system that performs virtual reassembly
A hashing cryptographic function takes the input of any file or message and creates a fixed length output based on:
A hashing cryptographic function takes the input of any file or message and creates a fixed length output based on:
Internet Protocol Security (IPSec) is a standards-based protocol suite designed specifically for securing ____________ communications.
IP
Hacker tunneling uses two techniques. The first is to install a server component on an internal system and then have an external client make a connection. What is the second?
Install a server component on an external system and then use an internal client to make the connection.
Which of the following steps helps you verify that the internal network port of a virtual private network (VPN) device is available?
Open a command-line interface and use the ping command.
Asymmetric cryptography that uses key pairs is commonly known as:
PUBLIC KEY CRYPTOGRAPHY
Which of the following is the protocol used with HTTPS for encrypting communications to and from websites?
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
What is an example of security through obscurity?
Using a nonstandard operating system for workstations such as FreeBSD
Her supervisor has told her she must find a configuration method that assumes all network traffic is safe and, as malicious traffic is identified, it is added to a list of exceptions. Which of the following configuration methods does Torri select?
allow by default/deny be exception
Virtual private networks (VPNs) allow external entities to connect to and interact with a private network. What does identity verification require?
authentication
Which of the following establishes what a user can and cannot do relative to a virtual private network (VPN)?
authorization
A virtual private network (VPN) replaces a firewall.
false
Client capabilities do not affect the performance of a remote virtual private network (VPN) connection.
false
In an internally connected virtual private network (VPN), the Internet-facing VPN connection is front of a firewall.
false
In intrusion detection, anomaly-based detection looks for differences from normal traffic based on a recording of real-world traffic that establishes a baseline.
false
In layered security strategy, the strengths and benefits of one countermeasure do not affect the other countermeasures.
false
You can fix a firewall's vulnerability to denial of service (DoS) flooding by upgrading the firewall or applying a patch.
false
Which of the following can cause a full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams?
overlapping
A malicious person is performing a technique called anti-forensics on a target network to hide evidence of an intrusion and conceal implanted rootkits and other malware. What is one action that might be taken when this method is used?
overwriting metadata
A company hires security experts to play the role of hackers. The experts are asked to attempt to breach the infrastructure to determine how secure the company is from threats. The experts are also asked to recommend improvements. What is this activity called?
penetration testing
Depending on the location of a virtual private network's (VPN's) endpoints, the topology may affect performance.
true
Microsoft Remote Assistance allows support professionals to remotely control a user's system.
true
Once a firewall policy is in place, the policy should be reviewed at least annually.
true
One common firewall event that usually warrants an alert is a firewall reboot.
true
Whereas a virtual private network (VPN) encrypts pieces of data, a firewall protects the internal network from outside threats.
true
Whereas honeypots can be single systems or multiple networked systems, a honeynet is a network of honeypots.
true
With diversity of defense, most layers use a different security mechanism.
true
With hosted services, an Internet service provider (ISP) or a software vendor leases applications to organizations.
true
A company vice president (VP) finds that the network security restrictions imposed by the security manager are too confining. To counter them, the VP habitually uses weak passwords, shares accounts with his assistant, and installed unapproved software. What security principle is the VP violating?
universal participation
Reid is a network security trainer for a mid-sized company. He is demonstrating alternative methods of protecting a network using unconventional means. The IT department's "sandbox" network is used for testing and is not connected to the production network. Using the sandbox, Reid shows how to protect a network from external threats without using a firewall. What is Reid's approach?
Packet sniffer
Which of the following statements about ciphertext is TRUE? Correct!
Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns.
Shoshana is a network technician for a mid-sized organization. She is configuring firewall rules. She is in a firewall's graphical interface and sets a rule as TCP, 192.168.42.0/24, ANY, ANY, 443, Allow. In what order is this rule organizing protocols, source addresses, source and target ports, and actions?
Protocol, source address, source port, target address, target port, action
Sebastian is the HR department's trainer. He is developing various materials to teach the fundamentals of using a virtual private network (VPN) to a variety of audiences, from the president and vice presidents of the corporation to newly hired mid-level managers and entry-level employees. After implementing his training program some weeks ago, he began getting calls from the IT help desk stating that users are contacting them with troubleshooting issues for their VPN sessions. The help desk technicians do not know how to respond. What is the most likely problem?
Sebastian neglected to train IT personnel on troubleshooting remote connections.
Various virtual private network (VPN) encryption technologies offer access to almost any network application or resource. Which one offers additional features, such as easy connectivity from non-company-managed desktops, little or no desktop software maintenance, and user-customized web portals upon login?
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
What is a virtual private network (VPN) protocol that requires public key infrastructure (PKI) support to obtain and use a certificate?
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Lin is a disgruntled IT technician who believes she is about to be discharged from her job. While she still has access to her company's network infrastructure, she decides to reset the main firewall to its factory settings so she will know the default administrative username and password. Which of the following is the method she is MOST likely to use?
She uses a straightened paper clip to press the pinhole-sized reset button in the back of the firewall for 30 seconds.
Susan is a network professional at a mid-sized company. Her supervisor has assigned her the task of designing a virtual private network (VPN) implementation. Susan has set up strong authentication and encryption in a test environment, and the VPN appliance is directly facing the Internet. When her work is evaluated, what does her supervisor immediately notice?
The VPN device is not protected by a firewall.
Kasim is a network technician. He is tasked with deploying a virtual private network (VPN) in his company's IT infrastructure. He wants to place the VPN device where it is directly connected to both the Internet and the internal LAN. He believes that security will not be a concern because the VPN is already encrypted point-to-point. Which of the following statements is TRUE about this configuration?
The VPN device itself is still capable of being attacked.
Lenita is a network technician. She is setting up a rule set for a firewall in her company's demilitarized zone (DMZ). For email, she creates an allow-exception rule permitting Simple Mail Transfer Protocol (SMTP) traffic on port 25 to leave the internal network for the Internet. Her supervisor examines Lenita's work and points out a possible problem. What is it?
The allow-exception rule could create a loophole threatening internal communications on the same port.
Aileen is a help desk technician. She and her coworkers start getting a lot of calls from remote workers saying that their virtual private network (VPN) connection to the office abruptly dropped. Last month, Aileen helped deploy a new VPN solution that uses redundant VPN devices with their own power sources connecting to an Internet circuit. What is the most likely cause of the problem?
The company's single Internet circuit went down.
Susan is a mid-level executive at her corporation who works remotely. Today, she worked from a restaurant using her company-issued laptop and connected to the Internet using the restaurant's free Wi-Fi. Once she made a connection, she authenticated to her virtual private network (VPN) client that links to her office network over a private, secure tunnel. While working, she contacted Lelah, who works in IT. She casually mentioned where she is working. How did Lelah respond?
The data on the laptop may have been vulnerable in the time between when the laptop's wireless network interface connected to the Wi-Fi access point and when Susan enabled the VPN connection.
Jacob is a network technician who works for a publishing company. He is setting up a new hire's access permissions. The new hire, Latisha, is an editor. She needs access to books that have been accepted for publication but are in the review stage. Jacob gives her access to the network drive containing only books in review, but not access to administrative or human resources network drives. What principle is Jacob applying?
The principle of least privilege
Which of the following can perform authentication to provide integrity protection for the outermost IP header?
AUTHENTICATION HEADER
Which of the following statements is TRUE of connections between a corporate local area network (LAN) and a remote client, such as a remote worker?
The remote client can have either a dedicated or a nondedicated connection to the Internet.
Carl is a student in a computer networking class who is studying virtual private network (VPN) implementations. He is learning the basics about VPNs. Which of the following statements does he find is TRUE?
VPNs are both hardware and software solutions.
Consuela is a business analyst for her company. She is working from home and on a video conference with several other team members. Her video-conferencing client displays a message indicating that the quality of her connection is unstable. What is the most likely problem?
VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets.
Duncan runs a small writing and editing business. He employs two people in his small office/home office (SOHO). He also has general knowledge of networking, including how to configure a basic firewall to protect the network. His off-the-shelf firewall has rule sets built in with several main elements. Duncan is currently setting rules for TCP and UDP. What element is he working with?
BASE PROTOCOL
Arturo is a new network technician. He wants to use Remote Desktop Protocol (RDP) to connect to a server from his computer. The server is on the other side of the building. His computer is running Windows 10. Will he be able to make the connection?
Yes, because the RDP protocol has clients that work on most common operating systems.
Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is this entity called?
bastion host operating system
Lauren is a network technician monitoring performance on the local area network (LAN). She becomes alarmed when the network utilization reaches 95 percent for a particular time of day. How does she know what the utilization is normally like?
benchmarks
Chris is a network engineer deploying a virtual private network (VPN) solution. He needs an implementation of Secure Sockets Layer/Transport Layer Security (SSL/TLS) that adds a layer of authentication to the access. What feature does he require?
bidirectional authentication
Hong is a network engineer. He is developing a firewall policy that addresses troubleshooting a firewall that has either failed or is under attack. In his plan, what should be included as a best practice?
Collect firewall documentation before an attack.