ITN263
Alphonse is a network engineer who is developing his IT infrastructure's virtual private network (VPN) deployment plan. He has decided to place the VPN device between the externally facing and internally facing firewalls in the demilitarized zone (DMZ). He is determining the rule sets with which to configure both firewalls. His VPN device is a Secure Sockets Layer (SSL) VPN and he wants to use default settings. Which port should he allow the firewalls to pass traffic through?
443
Which of the following is an authentication method that supports smart cards, biometrics, and credit cards, and is a fully scalable architecture?
802.1x
Fumiko is a network technician. She is configuring rules on one of her company's externally facing firewalls. Her network has a host address range of 192.168.42.140-190. She wants to allow all hosts access to a certain port except for hosts 188, 189, and 190. What rule or rules must she write?
A single rule allowing hosts 140-187 is all that is necessary; the default-deny rule takes care of blocking the remaining nonincluded hosts.
What is important to note about a split tunnel configuration?
A split tunnel keeps local traffic on your network but routes IPsec traffic through the VPN tunnel.
In a split tunnel configuration, where is local traffic routed?
All local traffic is on your network.
Virtual private networks (VPNs) allow external entities to connect to and interact with a private network. What does identity verification require?
Authentication
Diego is a network consultant. He is explaining the benefits of virtual private network (VPN) connections for remote clients to the owner of a company who wants to allow most staff to work remotely. He says that a VPN is both private and secure. What does he say is the rationale?
Authentication provides privacy and encryption provides security.
Which of the following establishes what a user can and cannot do relative to a virtual private network (VPN)?
Authorization
Duncan runs a small writing and editing business. He employs two people in his small office/home office (SOHO). He also has general knowledge of networking, including how to configure a basic firewall to protect the network. His off-the-shelf firewall has rule sets built in with several main elements. Duncan is currently setting rules for TCP and UDP. What element is he working with?
Base protocol
Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is this entity called?
Bastion host operating system
Which of the following virtual private network (VPN) solutions typically accepts a wider variety of client operating system types?
Cloud-based VPN
Which of the following best describes hairpinning?
Communication between hosts on a local network using their external end points
What is the first step in deploying a firewall?
Construct a firewall policy.
What is an intrusion detection system/intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity similar to how antivirus applications work?
Database-based detection
How is time in the pfSense Lifetime box measured?
Days
Which of the following virtual private network (VPN) policy requirements is valid?
Define the mechanisms that provide remote technical support for VPN telecommuters.
Which of the following is unlikely to support at-firewall authentication?
Demilitarized zone (DMZ) firewall
Which elements do digital certificates contain that can be used to increase the reliability of authenticity and nonrepudiation?
Digital certificates use a public key and private key pair signed by a trusted third party.
Alejandro is a cybersecurity contractor. He was hired by a Fortune 500 company to redesign its network security system, which was originally implemented when the company was a much smaller organization. The company's current solution is to use multiple firewall platforms from different vendors to protect internal resources. Alejandro proposes an infrastructure security method that, in addition to firewalls, adds tools such as an intrusion detection system (IDS), antivirus, strong authentication, virtual private network (VPN) support, and granular access control. What is this solution called?
Diversity of defense
Hajar is a new network administrator. She is inventorying firewalls in her company. She finds one that has a management interface lacking something and makes a note to replace it immediately. What critical security measure is the management interface missing?
Encryption
A virtual private network (VPN) connection ensures quality of service.
False
Allow-by-default automatically prevents most malicious communications by default.
False
An intrusion detection system (IDS) false positive occurs when the IDS fails to detect an attack.
False
Fair queuing is the distribution of the firewall filtering workload across multiple parallel firewalls.
False
Hashing modifies the original data.
False
In an internally connected virtual private network (VPN), the Internet-facing VPN connection is in front of a firewall.
False
In intrusion detection, anomaly-based detection looks for differences from normal traffic based on a recording of real-world traffic that establishes a baseline.
False
In pfSense, packets that match user-created firewall rules are logged by default.
False
Instability is not considered a potential threat associated with software virtual private networks (VPNs).
False
It is uncommon to leverage a virtual private network (VPN) to send sensitive information when connected to an untrustworthy network.
False
Multiple firewalls in a series is considered diversity of defense but not defense in depth.
False
Only hardware virtual private networks (VPNs) are vulnerable to denial of service (DoS) attacks.
False
Open-source virtual private network (VPN) solutions are usually less flexible than commercial solutions.
False
Resiliency is the ease with which an organization can quickly increase capacity and use or shrink capacity and use of a device, system, or network.
False
The less complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators.
False
The weakest link security strategy gains protection by using abnormal configurations.
False
Virtual private networks (VPNs) over the Internet can experience latency but not fragmentation.
False
Whereas privacy is the ability of a network or system user to remain unknown, anonymity is keeping information about a network or system user from disclosure.
False
Rachel is the cybersecurity engineer for a company that fulfills government contracts on Top Secret projects. She needs to find a way to send highly sensitive information by email in a way that won't arouse the suspicion of malicious parties. If she encrypts the emails, everyone will assume they contain confidential information. What is her solution?
Hide messages in the company's logo within the email.
What is the basic service of a reverse proxy?
Hides the identity of a web server accessed by a client over the Internet
Which type of VPN logically separates connections without encryption?
Multiprotocol Label Switching VPN
Which of the following can be described as putting each resource on a dedicated subnet behind a demilitarized zone (DMZ) and separating it from the internal local area network (LAN)?
N-tier deployment
What is a mathematical operation that is easily performed but that is highly unlikely to reverse in a reasonable amount of time?
One-way function
Which of the following is not a type of VPN?
Pop-up VPN
Which of the following is a firewall, proxy, and routing service that does NOT support caching, encryption endpoint, or load balancing? Note that this service can be found on almost any service or device that supports network address translation.
Port forwarding
Which of the following statements about ciphertext is TRUE?
Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns.
Which operating system (OS) for a bastion host runs on most appliance firewalls as well as many Internet service provider (ISP) connection devices?
Proprietary OS
Otto is one of many employees working from home. Because his home is located in a rural area, the only form of connectivity available is dial-up. To connect to his office located in an urban community, what must the IT department set up?
Remote access server (RAS)
Tiffany is a network engineer for her company. To enhance the performance of the network, she uses a method that assigns incoming transactions as they arrive in sequence to each of the infrastructure's three firewalls. Transaction 1 goes to firewall 1, transaction 2 goes to firewall 3, transaction 3 to firewall 2, and so on. Which technique is Tiffany using?
Round-robin
Isabella is a network administrator. She is researching virtual private network (VPN) options for company employees who work from home. The solution must provide encryption over public networks, including the Internet; not rely upon pathways the company owns; be reliable; and not be subject to eavesdropping. It must also be cost-effective. Which solution does she choose?
Secured VPN
The combination of certain techniques allows for relevant information collected by this solution from multiple systems and processes to be aggregated and analyzed for use in decision making. What is the name of this solution?
Security information and event management (SIEM)
Which of the following is described as an approach to network security in which each administrator is given sufficient privileges only within a limited scope of responsibility?
Separation of duties
Landon is a network contractor. He has been hired to design security for the network of a small company. The company has a limited budget. Landon is asked to create a system that will protect the company's workstations and servers without undue expense. Landon decides to deploy one hardware firewall between the Internet and the local area network (LAN). What is this solution called?
Single defense
Mazie is a network engineer designing a virtual private network (VPN) architecture. The architecture must have the ability to establish and maintain a secure link between the company's main office and a branch office over the Internet, effectively creating a single distributed LAN. What solution does she recommend be applied?
Site-to-site
Analisa is a sales representative who travels extensively. At a trade show, Analisa uses her virtual private network (VPN) connection to simultaneously connect to the office LAN and her personal computer at home. What security risk does this pose?
Split tunneling
Why is the key length of 2048 bits used when it is not the most secure strength available?
Stronger encryption would require additional processing time.
Which of the following is an encryption method that is very fast and is based on a single, shared key?
Symmetric
What should you remember about creating a VPN connection in a Microsoft operating system?
TCP/IP settings default to route all traffic through the VPN.
Susan is a mid-level executive at her corporation who works remotely. Today, she worked from a restaurant using her company-issued laptop and connected to the Internet using the restaurant's free Wi-Fi. Once she made a connection, she authenticated to her virtual private network (VPN) client that links to her office network over a private, secure tunnel. While working, she contacted Lelah, who works in IT. She casually mentioned where she is working. How did Lelah respond?
The data on the laptop may have been vulnerable in the time between when the laptop's wireless network interface connected to the Wi-Fi access point and when Susan enabled the VPN connection.
Why is a Diffie-Hellman key important to the VPN configuration?
The key exchange method provides for entities to create a shared secret key over an insecure communications channel.
Jacob is a network technician who works for a publishing company. He is setting up a new hire's access permissions. The new hire, Latisha, is an editor. She needs access to books that have been accepted for publication but are in the review stage. Jacob gives her access to the network drive containing only books in review, but not access to administrative or human resources network drives. What principle is Jacob applying?
The principle of least privilege
Which of the following statements is TRUE of connections between a corporate local area network (LAN) and a remote client, such as a remote worker?
The remote client can have either a dedicated or a nondedicated connection to the Internet.
Which of the following is a requirement of connecting a VPN?
The same VPN protocol must be used.
Which VPN solution is more secure, IKEv2 or IPsec?
They are not comparable; IKEv2 operates in conjunction with IPsec to create secure VPN tunnels.
Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design?
Traffic patterns
Which of the following is a virtual private network (VPN) encryption encapsulation method best suited for linking individual computers together, even though it does not encrypt the original IP header?
Transport
Which type of network is best suited for connections where both end points are known?
Transport VPN
A VPN creates or simulates a network connection over an intermediary network.
True
A benefit of a commercial virtual private network (VPN) solution is access to vendor support.
True
A best practice for firewall rules is to keep the rule set as simple as possible.
True
A best practice when troubleshooting a virtual private network (VPN) is to document processes and procedures.
True
A buffer overflow is a condition in which a memory buffer exceeds its capacity and the extra content "overflows" into adjacent memory.
True
A change control mechanism tracks and monitors the changes to a system.
True
A dedicated leased line is an alternative to a virtual private network (VPN) between two office locations.
True
A default-allow firewall stance assumes that most traffic is benign.
True
A default-deny firewall stance assumes that all traffic is potentially unauthorized.
True
A drawback of multiple-vendor environments is the amount of network staff training that is typically needed.
True
A host virtual private network (VPN) software product allows a single host access to VPN services, while a VPN appliance allows an entire network to access VPN services.
True
A host-to-host virtual private network (VPN) is a direct VPN connection between one host and another.
True
A remote access link enables access to network resources using a wide area network (WAN) link to connect to the geographically distant network.
True
A remote access virtual private network (VPN) is also known as host-to-site VPN because it supports single-host VPN connections into a LAN site.
True
A site-to-site virtual private network (VPN) is also known as a LAN-to-LAN VPN.
True
A virtual private network (VPN) appliance can be positioned outside the corporate firewall so that all VPN traffic passes through firewall filters.
True
A virtual private network (VPN) can operate securely over the Internet and still provide high levels of security through encryption.
True
A virtual private network (VPN) policy helps to ensure that users understand the requirements for computing on a VPN.
True
A virtual private network (VPN) policy should be a part of an overall IT security policy framework to avoid duplicate or conflicting information.
True
A virtual private network (VPN) set up in a demilitarized zone (DMZ) has a firewall in front and behind it.
True
An access control list (ACL) focuses on controlling a specific user's or client's access to a protocol or port.
True
An intrusion detection system (IDS) serves as a companion mechanism to a firewall.
True
An intrusion prevention system (IPS) does not replace an intrusion detection system (IDS).
True
Depending on the firewall, a single rule can sometimes define outbound and inbound communication parameters.
True
Effective virtual private network (VPN) policies clearly define security restrictions imposed on VPNs.
True
Firewall logging helps to ensure that defined filters or rules are sufficient and functioning as expected.
True
Firewalls should be considered a part of a security infrastructure, not the totality of security.
True
If a remote client needs to connect directly to a local area network (LAN), such as over a dial-up connection, a remote access server (RAS) is needed to host a modem to accept the connection.
True
In a bypass virtual private network (VPN), traffic to the VPN and from the VPN to the internal network is not firewalled.
True
In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public.
True
In symmetric cryptography, the same key must be used to encrypt and decrypt data.
True
In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections.
True
Insecure default configuration is a vulnerability of a hardware virtual private network (VPN).
True
Malware is a vulnerability of a software virtual private network (VPN).
True
One common firewall event that usually warrants an alert is a firewall reboot.
True
Remote control is the ability to use a local computer system to remotely take control of another computer.
True
Reverse proxy is a firewall service that allows external users access to internally hosted web resources.
True
Security systems configured by the same security administrator can potentially have the same misconfiguration or design weakness.
True
Side attacks against the encrypted link of a virtual private network (VPN) are nearly eliminated, while data entering or leaving the VPN is at risk.
True
Split tunneling potentially opens a door into the network that you cannot control.
True
The source address and the port address of outbound firewall rules are often set as ANY, unless the rule is to apply to specific systems or ports.
True
The universal Deny rule should be the last and final rule in a firewall rule set.
True
Under the universal participation security stance, every employee, consultant, vendor, customer, business partner, and outsider must be forced to work within the security policy's limitations.
True
Users with the minimum level of access to resources needed to complete their assigned tasks follow the principle of least privilege.
True
Virtual private network (VPN) patches address security issues and fix bugs.
True
When monitoring a virtual private network (VPN), multiple concurrent employee connections may indicate a security issue.
True
When the defense in depth security strategy is followed, a single component failure does not result in compromise or intrusion.
True
With diversity of defense, most layers use a different security mechanism.
True
With edge routers as the virtual private network (VPN) termination point, the VPN link exists only over the public intermediary networks, not within the private LAN(s).
True
Bill is a network technician. He is currently configuring the infrastructure's Internet-facing firewalls. He knows that the Internet Control Message Protocol (ICMP) echo type often referred to as "ping" is used by malicious persons to probe networks. He wants to set up a rule that will deny ping attempts from outside the network. What does he deny?
Type 8
The TCP and UDP protocols differ, primarily, in which of the following ways?
UDP does not guarantee packet delivery; TCP does guarantee packet delivery.
A company vice president (VP) finds that the network security restrictions imposed by the security manager are too confining. To counter them, the VP habitually uses weak passwords, shares accounts with his assistant, and installs unapproved software. What security principle is the VP violating?
Universal participation
Which of the following is true of VPN tunnels?
VPN tunnels are vulnerable to inline attacks.
Consuela is a business analyst for her company. She is working from home and on a video conference with several other team members. Her video-conferencing client displays a message indicating that the quality of her connection is unstable. What is the most likely problem?
VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets.
Joaquin is a senior network technician for a mid-sized company who has been assigned the task of improving security for the IT infrastructure. He has been given a limited budget and must increase security without redesigning the network or replacing all internetworking security devices. He focuses on an approach that will identify a single vulnerability. What does he recommend?
Weakest link
When can you use the "Use my Internet connection" (VPN) link?
When connecting to the Internet on an established active connection to the Internet
The term "firewall" was originally conceived in the civil engineering industry, where it refers to:
a fire-proof barrier that prevents the spread of a fire.
Firewall rules ________ in a list are matched before firewall rules ________ in a list.
higher; lower
A filter pathway is designed to:
make it hard to bypass a network filtering system and force all traffic through one route.
The auto-generated Anti-Lockout Rule on pfSense's LAN interface serves to:
prevent a local user from getting locked out of the pfSense WebGUI.
The process of defining firewall rules can be compared to the process of defining most Access Control Lists (ACLs) because, in both cases, they are:
simple lists of rules that are evaluated in order.
A ________ firewall allows inbound traffic to an internal host, as long as that traffic is a response to a request made by that host.
stateful
A hashing cryptographic function takes the input of any file or message and creates a fixed length output based on:
the hashing algorithm being used.
Inbound traffic can be described as _________, while outbound traffic can be described as ___________.
traffic entering the local network; traffic leaving the local network