Network Security Final
What is a suggested maximum size of a rule base? 30 rules 300 rules 10 rules 100 rules
30 rules
Which two ports should packet-filtering rules address when establishing rules for Web access? 423, 88 143, 80 25, 110 80, 443
80, 443
Which of the following is NOT an ICMPv6 packet type that you should allow within your organization but never outside the organization? Time Exceeded Destination unreachable Packet Redirect Packet too big
Packet Redirect
________________ clauses exist in acceptable use policies so that companies can discipline employees whose computer activities interfere with productivity.
Penalty
Which of the following is a general practice for a rule base? -permit access to public servers in the DMZ -allow direct access from the Internet to computers behind the firewall -allow all access to the firewall -begin by blocking all traffic and end by allowing selective services
permit access to public servers in the DMZ
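The rule-base practices on the cards above (keep it short, permit Web access to the DMZ on 80 and 443, end with a cleanup rule) are easier to see as a first-match evaluator. The following is an added example written for this page, not the textbook's code; the addresses (192.168.0.0/16 as the internal LAN, 172.16.1.10 as the DMZ Web server) and the `ingress` interface names are assumptions. It also shows the weakness of a stateless filter that the later card on IP spoofing refers to: a rule that admits "replies" by trusting the ACK flag lets an attacker reach an internal host simply by setting ACK.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical addressing used for this example (not from the page):
#   192.168.0.0/16 = internal LAN, 172.16.1.10 = DMZ Web server
DMZ_WEB = "172.16.1.10/32"
INTERNAL = "192.168.0.0/16"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    ingress: str           # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False      # TCP ACK flag (a stateless filter uses it to guess "established")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    ingress: str           # "outside", "inside" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None     # None = any port
    ack: Optional[bool] = None      # None = flag not inspected
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.ingress in ("any", p.ingress)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


# A deliberately short rule base: first match wins, and anything that falls
# off the end hits the implicit "deny all" cleanup rule.
RULES = [
    Rule("deny", "outside", INTERNAL, ANY, "any",
         note="anti-spoofing: internal source address arriving from the Internet"),
    Rule("allow", "outside", ANY, DMZ_WEB, "tcp", dport=80, note="public Web server in the DMZ"),
    Rule("allow", "outside", ANY, DMZ_WEB, "tcp", dport=443, note="public Web server in the DMZ (TLS)"),
    Rule("allow", "inside", INTERNAL, ANY, "any", note="users may reach the Internet"),
    Rule("allow", "outside", ANY, INTERNAL, "tcp", ack=True,
         note="replies to outbound connections, judged only by the ACK flag"),
]


def evaluate(rules, packet):
    """Return (action, rule_number); rule_number is None when the implicit deny fired."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(packet):
            return rule.action, number
    return "deny", None
```

The last rule is what a stateless filter has to do to let return traffic in; a stateful filter would instead look the packet up in its connection table, which is why an RDP probe with ACK set is allowed here but would be dropped by a stateful device.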
Which type of NAT is typically used on devices in the DMZ? - port address translation - one-to-many NAT - many-to-one NAT - one-to-one NAT
one-to-one NAT
A(n) ____________________ audit should look for accounts assigned to employees who have left the company or user group.
operational
Where should network management systems generally be placed? in the DMZ out of band in the server farm on the perimeter
out of band
A firewall can consist of all devices positioned on the network _____________.
perimeter
Which of the following is NOT among the six factors needed to create a risk analysis? consequences threats probabilities personnel profiles
personnel profiles
Which variation on phishing modifies the user's host file to redirect traffic? pharming DNS phishing spear phishing hijacking
pharming
What type of attack displays false information masquerading as legitimate data? Java applet buffer overflow phishing SQL injection
phishing
Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address? port address translation one-to-many NAT DMZ proxy translation one-to-one NAT
port address translation
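The two NAT cards above (one-to-one NAT for DMZ servers, port address translation for many internal hosts behind one public address) are demonstrated below as an added example written for this page, not code from the textbook. The addresses (10.0.0.x internal hosts, 198.51.100.1 as the single public IP, 198.51.100.10 mapped to a DMZ host at 172.16.1.10) are assumptions; the translation tables are kept in plain dictionaries.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]   # (private_ip, private_port, remote_ip, remote_port)


@dataclass
class PortAddressTranslator:
    """Many-to-one NAT (PAT): every internal host appears as `public_ip`, and each
    outbound flow is told apart by the public source port the translator assigns."""
    public_ip: str
    next_port: int = 1024
    last_port: int = 65535
    outbound: Dict[Flow, int] = field(default_factory=dict)   # flow -> public port
    inbound: Dict[int, Flow] = field(default_factory=dict)    # public port -> flow

    def translate_out(self, private_ip, private_port, remote_ip, remote_port):
        """Rewrite an outbound packet's source; returns (public_ip, public_port)."""
        flow = (private_ip, private_port, remote_ip, remote_port)
        if flow not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            self.outbound[flow] = self.next_port
            self.inbound[self.next_port] = flow
            self.next_port += 1
        return self.public_ip, self.outbound[flow]

    def translate_in(self, public_port, remote_ip, remote_port):
        """Map a reply back to the private host, or None when no matching outbound
        flow exists: unsolicited inbound traffic has nowhere to go and is dropped."""
        flow = self.inbound.get(public_port)
        if flow is None or (flow[2], flow[3]) != (remote_ip, remote_port):
            return None
        return flow[0], flow[1]


class OneToOneNAT:
    """Static one-to-one NAT for DMZ servers: a fixed public address maps to a fixed
    private address in both directions, so the server can accept new inbound connections."""
    def __init__(self, mapping):
        self.pub_to_priv = dict(mapping)
        self.priv_to_pub = {priv: pub for pub, priv in mapping.items()}

    def translate_in(self, public_ip):
        return self.pub_to_priv.get(public_ip)

    def translate_out(self, private_ip):
        return self.priv_to_pub.get(private_ip)


def demo_fifty_hosts():
    """Fifty hosts (hypothetical 10.0.0.1-10.0.0.50) reach one Web server through one public IP."""
    pat = PortAddressTranslator(public_ip="198.51.100.1")
    seen = {}
    for n in range(1, 51):
        seen[f"10.0.0.{n}"] = pat.translate_out(f"10.0.0.{n}", 40000, "203.0.113.80", 443)
    return pat, seen
```

Note the asymmetry: PAT only ever creates table entries for outbound flows, so it conceals internal hosts but cannot serve inbound connections, whereas the one-to-one mapping is bidirectional, which is exactly what a public DMZ server needs.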
What type of DNS server is authoritative for a specific domain? secondary primary initial readonly
primary
Anomaly detection systems make use of _______________ that describe the services and resources each authorized user or group normally accesses on the network.
profiles
What might a company concerned about protecting its data warehouses and employee privacy consider installing on the network perimeter to prevent direct connections between the internal network and the Internet? ICMP monitor VPN server proxy server router
proxy server
A DMZ is a subnet of _____________ accessible servers placed outside the internal network.
publicly
Which of the following is a network's ability to detect attacks when they occur and to evaluate the extent of damage and compromise? recovery reliability resistance recognition
recognition
By providing _________________ through backup systems, you ensure information remains accessible if primary systems go offline.
redundancy
What is a step you can take to harden a bastion host? - configure several extra accounts with complex passwords - remove unnecessary services - enable additional services to serve as honeypots - open several ports to confuse attackers
remove unnecessary services
To manage the security information from the devices in a large network, you should establish a security incident _________________ team.
response
What should you consider installing if you want to inspect packets as they leave the network? RIP router filtering proxy security workstation reverse firewall
reverse firewall
The process called _____________ analysis determines the threats an organization faces.
risk
ACLs filter packets by using a __________ base to determine whether to allow a packet to pass.
rule
Which type of firewall configuration protects public servers by isolating them from the internal network? dual-homed host reverse firewall screened subnet DMZ screening router
screened subnet DMZ
Which of the following is defined as a relationship between two or more entities that describes how they will use the security services to communicate? pairing tunnel internet key exchange security association
security association
Which of the following is NOT a phase in the system development life cycle? security audit needs assessment system implementation performance monitoring
security audit
The process of testing a network defense system is referred to as which of the following? change management security auditing IDPS evaluation distributed data collection
security auditing
Each IDPS has _____________ that gather data passing through the gateway.
sensors
T/F: A weakness of a signature-based system is that it must keep state information on a possible attack.
True
T/F: An IDPS must have enough memory to maintain connection state information.
True
T/F: An operational audit looks for accounts that have weak or blank passwords.
True
T/F: Another name for a VPN connection is tunnel.
True
T/F: Change management should be used before making changes to firewall or IDPS rules that affect users.
True
T/F: Hardware VPNs create a gateway-to-gateway VPN.
True
T/F: IPsec has become the standard set of protocols for VPN security.
True
T/F: One of the events you should continually monitor is logins.
True
T/F: SQL injection attacks are isolated to custom applications, so administrators can prevent them.
False (injection affects any application that builds SQL from untrusted input, including commercial and open-source software, so it cannot be prevented by policing custom code alone)
T/F: The first phase of the system development life cycle is needs assessment.
True
Which of the following defines how employees should use the organization's computing resources? Acceptable Use Policy Email and Spam Policy Network and Internet Policy Computing and Resource Policy
Acceptable Use Policy
The _______________ Web Server is the most widely used Web server application.
Apache
At what layer of the OSI model do proxy servers generally operate? Network Application Session Transport
Application
____________ are networks of zombie computers that magnify the scope and intensity of an attack.
Botnets
_______________ management involves modifying equipment, systems, software, or procedures in a sequential, planned way.
Change
The Cisco PIX line of products is best described as which of the following? firewall appliance software firewall VPN gateway PC with firewall installed
firewall appliance
Search warrants and subpoenas were developed in response to the _____________ Amendment which protects U.S. residents against illegal search and seizure.
fourth
The ACK flag is normally sent at the end of the three-way ______________ to indicate that a connection is established.
handshake
In what type of attack are zombies usually put to use? virus buffer overrun spoofing DDoS
DDoS
The rule base should permit access to public servers in the _________ and enable users to access the Internet.
DMZ
What service uses UDP port 53? ICMP SMTP DNS TFTP
DNS
_______________________ is a name-resolution service that translates domain names to IP addresses.
DNS
The goal of _____________ is to provide authentication of DNS data and ensure integrity of DNS data.
DNSSEC
Which approach to stateful protocol analysis involves detection of the protocol in use, followed by activation of analyzers that can identify applications not using standard ports? -IP packet reassembly -Traffic rate monitoring -Protocol state tracking -Dynamic Application Layer protocol analysis
Dynamic Application Layer protocol analysis
While the AH ensures data integrity, confidentiality of data is provided by the __________ component of IPsec.
ESP
_________ procedures are a set of actions that are spelled out in the security policy and followed if the IDPS detects a true positive.
Escalation
What type of attack are stateless packet filters particularly vulnerable to? -attempts to connect to ports above 1023 -attempts to connect to ports below 1023 -IP spoofing attacks -attempts to connect to the firewall
IP spoofing attacks
Which VPN protocol works at Layer 3 and can encrypt the entire TCP/IP packet? L2TP PPTP SSL IPsec
IPsec
T/F: A dual-homed host has a single NIC with two MAC addresses.
False
T/F: An IDPS consists of a single device that you install between your firewall and the Internet.
False
T/F: Generally, connections to instant-messaging ports are harmless and should be allowed.
False
T/F: If you use Windows RRAS for your VPN, you will need a third-party RADIUS server if you want to use RADIUS for authentication.
False
T/F: Most IDPSs use random ports to transfer security data, thereby making it difficult for attackers to exploit.
False
T/F: Network protection is something you should implement initially and then only make changes if there is a serious security breach.
False
T/F: Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful.
False
T/F: Software firewalls are usually more scalable than hardware firewalls.
False
T/F: Standards and protocols used in VPNs are in their infancy and seldom used.
False
T/F: Stateless packet filtering keeps a record of connections that a host computer has made with other computers.
False
T/F: The TCP normalization feature forwards abnormal packets to an administrator for further inspection.
False
T/F: The first step in SNA is the survivability analysis.
False
T/F: The people that manage security for the organization should not be same people that conduct risk analysis.
False
T/F: The term Internet and World Wide Web are different terms that mean the same thing.
False
T/F: Windows Basic Authentication requires that users enter a username and password and the password is transmitted using a hashing algorithm.
False (Basic authentication Base64-encodes the username and password, which is trivially reversible, not a hash; it is only safe over TLS)
Which of the following is NOT a typical IDPS component? -Internet gateway -database server -command console -network sensors
Internet gateway
Which of the following is a disadvantage of putting the VPN on a firewall? -Internet and VPN traffic compete for resources -VPN and firewall use the same configuration tools -more configuration mistakes -centralized control of network access security
Internet and VPN traffic compete for resources
A _______________ applet is a small program sometimes used as embedded code in Web pages.
Java
Which VPN protocol uses UDP port 1701 and does not provide confidentiality and authentication? SSL IPsec L2TP PPTP
L2TP
Which of the following is a highly secure public facility in which backbones have interconnected data lines and routers that exchange routing and traffic data? POP NAP NSF ISP
NAP
Which element of a rule base conceals internal names and IP addresses from users outside the network? tracking NAT QoS filtering
NAT
____________________ risk is the amount of risk left over after countermeasures are implemented.
Residual
Which of the following is NOT a step in threat and risk assessment? Asset definition Resolution Threat assessment Recommendation
Resolution
___________ direct network traffic to its destination on the Internet using tables and protocols.
Routers
What type of attack involves plaintext scripting that affects databases? SQL injection ActiveX control Java applet phishing
SQL injection
Which VPN protocol leverages Web-based applications? L2TP PPTP SSL IPsec
SSL
Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted? Teredo tunneling SMTP/S tunneling IPsec tunneling ICMPv6 encapsulation
Teredo tunneling
What are the two standard ports used by FTP along with their function? TCP 21 control, TCP 20 data UDP 23 control, TCP 20 data UDP 20 data, TCP 21 control TCP 23 data, TCP 21 control
TCP 21 control, TCP 20 data
T/F: A hybrid IDPS combines aspects of NIDPS and HIDPS configurations.
True
T/F: A screened host has a router as part of the configuration.
True
What was created to address the problem of remote clients not meeting an organization's VPN security standards? split tunneling VPN quarantine IPsec filters GRE isolation
VPN quarantine
TLS splits the input data in half and recombines it using a(n) ___________ function.
XOR
Which of the following best describes a bastion host? -a computer running only embedded firmware -a computer on the perimeter network that is highly protected -a computer running a standard OS that also has proxy software installed -a host with two or more network interfaces
a computer on the perimeter network that is highly protected
How much space is typically needed to store IDPS data? at least a terabyte a gigabyte or more a few hundred Kilobytes a few hundred gigabytes
a gigabyte or more
Which of the following best describes a DMZ? -a subnet of publicly accessible servers placed outside the internal network -a proxy server farm used to protect the identity of internal servers -a private subnet that is inaccessible to both the Internet and the company network -a network of computers configured with robust firewall software
a subnet of publicly accessible servers placed outside the internal network
Which aspect of hardening a Windows Web server allows you to restrict access to the web server based on IP address? authentication access control NTFS permissions data confidentiality
access control
Which of the following is NOT a type of event that you would normally monitor? -access to shared folders -antivirus scanning -user account creation -email attachment handling
access to shared folders
Which of the following is an improvement of TLS over SSL? -uses a single hashing algorithm for all the data -requires less processing power -uses only asymmetric encryption -adds a hashed message authentication code
adds a hashed message authentication code
Which of the following is true about an NIDPS versus an HIDPS? -an HIDPS can detect intrusion attempts on the entire network -an NIDPS can compare audit log records -an HIDPS can detect attacks not caught by an NIDPS -an NIDPS can determine if a host attack was successful
an HIDPS can detect attacks not caught by an NIDPS
Which of the following best describes a Monte Carlo simulation? -an analytical method that simulates a real-life system for risk analysis -a procedural system that simulates a catastrophe -a formula that estimates the cost of countermeasures -a technique for simulating an attack on a system
an analytical method that simulates a reallife system for risk analysis
What feature of the 13 DNS root servers enables any group of servers to act as a root server? broadcast addressing anycast addressing multicast addressing unicast addressing
anycast addressing
A primary goal of proxy servers is to provide security at the _______________ layer.
application
SNA starts with the assumption that a system or network will be ________________.
attacked
The process of reviewing records of network computer activity is called which of the following? monitoring archiving auditing recording
auditing
Which of the following is NOT an essential element of a VPN? tunnel authentication server VPN server VPN client
authentication server
Which of the following is NOT a primary detection methodology? anomaly detection signature detection baseline detection stateful protocol analysis
baseline detection
What type of attack exploits a lack of bounds checking on the size of data stored in an array? SQL injection phishing ActiveX control buffer overflow
buffer overflow
DNS _____________ poisoning steers unsuspecting victims to a server of the attacker's choice instead of the intended Web site.
cache
Which of the following is true about using VPNs? -more expensive than leased lines -usually higher performance than leased lines -can use an existing broadband connection -not dependent on an ISP
can use an existing broadband connection
Which of the following is a typical drawback of a free firewall program? -oversimplified configuration -cannot monitor traffic in real time -more expensive than hardware firewalls -have centralized management
cannot monitor traffic in real time
Which type of change does NOT typically require the use of change management procedures? -new password systems or procedures -changes to ACLs -new VPN gateways -changing a manager's permissions to a file
changing a manager's permissions to a file
Which of the following is a type of VPN connection? server-to-client site-to-server client-to-site remote gateway
client-to-site
Which of the following is an IDPS security best practice? -communication between IDPS components should be encrypted -all sensors should be assigned IP addresses -to prevent false positives, only test the IDPS at initial configuration -log files for HIDPSs should be kept local
communication between IDPS components should be encrypted
Which of the following is NOT a criterion typically used by stateless packet filters to determine whether or not to block packets? TCP flags data patterns IP address ports
data patterns
One way to consolidate the data from several network and security devices is to transfer the information to a central _______________.
database
With ___________________ data collection, data from security devices goes to a management console on its own local network.
distributed
Which of the following is an advantage of a signature-based detection system? -each signature is assigned a number and name -the definition of what constitutes normal traffic changes -the IDPS must be trained for weeks -it is based on profiles the administrator creates
each signature is assigned a number and name
Which activity performed by VPNs encloses a packet within another packet? address translation authentication encapsulation encryption
encapsulation
Network gateways are ____________ of the VPN connection.
endpoints
What is a critical step you should take on the OS you choose for a bastion host? -make sure it is the latest OS version -ensure all security patches are installed -choose an obscure OS with which attackers are unfamiliar -customize the OS for bastion operation
ensure all security patches are installed
You should review the logs and alerts created by your security devices, a process called _________ monitoring.
event
The Internet Key ______________ protocol enables computers to make an SA.
exchange
T/F: An extranet is a backup network that you can use if the main network fails.
False
T/F: Once written, a security policy should not be altered so that you can maintain consistency.
False
Which of the following is considered a problem with a passive, signature-based system? profile updating custom rules signature training false positives
false positives
Which is best defined as the ability of a system to continue operations despite a failure? adaptation and evolution survivability analysis reliability audit fault tolerance
fault tolerance
Which of the following is NOT true about a hardware VPN? -have more security vulnerabilities than software VPNs -can handle more traffic than software VPNs -should be the first choice for fast-growing networks -create a gateway-to-gateway VPN
have more security vulnerabilities than software VPNs
Which method for detecting certain types of attacks uses an algorithm to detect suspicious traffic, is resource intensive, and requires extensive tuning and maintenance? -signature -anomaly -brute force -heuristic
heuristic
What is the term used for a computer placed on the network perimeter that is meant to attract attackers? honeypot virtual server bastion host proxy decoy
honeypot
In a screened ____________ setup, a router is added between the host and the Internet to carry out IP packet filtering.
host
Which of the following best describes ROI? -how long before an investment will pay for itself -the chance that a threat will result in lost money -the benefits of setting security priorities -the cost of mitigating a threat
how long before an investment will pay for itself
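The cards on Monte Carlo simulation, residual risk and ROI fit together in one calculation. The following is an added example written for this page (not textbook code): it estimates annualized loss expectancy by simulating many years in which a threat occurs with some probability and costs a loss drawn from a range, repeats the simulation with the lower probability a countermeasure achieves, and reports what is left (the residual risk) plus the payback period of the countermeasure. The probabilities, loss range and cost are constructed figures.

```python
import random


def simulate_ale(prob_per_year, loss_low, loss_high, years=10000, seed=1):
    """Monte Carlo estimate of annualized loss expectancy (ALE). Each simulated year the
    threat occurs with probability prob_per_year; when it does, the loss is drawn uniformly
    from [loss_low, loss_high]. The mean over all simulated years is the ALE."""
    rng = random.Random(seed)   # fixed seed keeps the estimate reproducible
    total = 0.0
    for _ in range(years):
        if rng.random() < prob_per_year:
            total += rng.uniform(loss_low, loss_high)
    return total / years


def payback_years(countermeasure_cost, annual_savings):
    """ROI in the sense used on the card: how long before the investment pays for itself."""
    if annual_savings <= 0:
        return float("inf")
    return countermeasure_cost / annual_savings


def assess(prob_before, prob_after, loss_low, loss_high, countermeasure_cost, seed=1):
    """Compare the risk before and after a countermeasure. The ALE that remains after the
    countermeasure is the residual risk; the reduction is what pays for the countermeasure."""
    ale_before = simulate_ale(prob_before, loss_low, loss_high, seed=seed)
    ale_after = simulate_ale(prob_after, loss_low, loss_high, seed=seed)
    savings = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "residual_risk": ale_after,
        "annual_savings": savings,
        "payback_years": payback_years(countermeasure_cost, savings),
    }
```

With a 30% annual probability of a 50,000 to 150,000 loss (constructed numbers), the simulated ALE is close to the analytical 0.3 × 100,000 = 30,000; a countermeasure that cuts the probability to 5% leaves about 5,000 of residual risk, and at a cost of 40,000 it pays for itself in roughly a year and a half.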
Which of the following is NOT a network defense function found in intrusion detection and prevention systems? -prevention -identification -response -detection
identification
What is considered the 'cleanup rule' on a Cisco router? implicit allow explicit allow all implicit deny all explicit prompt
implicit deny all
The portion of a security policy that describes who responds when there has been a security breach is called the ______________ response section.
incident
Which of the following is a sensor type that uses bandwidth throttling and alters malicious content? -passive only -online only -inline only -active only
inline only
Which of the following is considered an asset? disgruntled employee hacker unpatched Web server intellectual property
intellectual property
Why is a bastion host the system most likely to be attacked? -it has weak security -it contains company documents -it is available to external users -it contains the default administrator account
it is available to external users
Which of the following is true about a screening router? -it can stop attacks from spoofed addresses -it maintains a state table to determine connection information -it examines the data in the packet to make filtering decisions -it should be combined with a firewall for better security
it should be combined with a firewall for better security
Which of the following is true about SSL? -it operates at the Data Link layer -it uses sockets to communicate between client and server -it uses shared-key encryption only -it uses IPsec to provide authentication
it uses sockets to communicate between client and server
Which of the following is true about the Internet? -it was originally built on an extended star topology -it is the same as the World Wide Web -it was established in the mid-1960s -it was developed by a network of banks and businesses
it was established in the mid1960s
Which of the following is a benefit of using centralized data collection to manage sensor data? data stays on the local network less network traffic less administrative time must use a VPN to transport data
less administrative time
Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power? traffic distribution filter server pooling software priority server farm load-balancing software
loadbalancing software
An IDPS __________________ server is the central repository for sensor and agent data.
management
Which of the following is NOT typically an aspect of a security event management program? monitoring events managing change managing data from sensors managing IDPS firmware
managing IDPS firmware
Which of the following is a disadvantage of using a proxy server? - can't filter based on packet content - slows Web page access - shields internal host IP addresses - may require client configuration
may require client configuration
Which of the following is true about an HIDPS? -tracks misuse by external users -monitors OS and application logs -sniffs packets as they enter the network -centralized configurations affect host performance
monitors OS and application logs
The ________________ command reviews the current connections and reports which ports a server is listening to.
netstat
What should an outside auditing firm be asked to sign before conducting a security audit? search and seizure contract social engineering covenant subpoena nondisclosure agreement
nondisclosure agreement
Which of the following is NOT a factor a secure VPN design should address? authentication encryption nonrepudiation performance
nonrepudiation
Which of the following is an advantage of hardware firewalls? -not dependent on a conventional OS -not scalable compared to software firewalls -easy to patch -less expensive than software firewalls
not dependent on a conventional OS
Where is a host-based IDPS agent typically placed? -on a workstation or server -between two subnets -at Internet gateways -between remote users and internal network
on a workstation or server
Which of the following is true about a dualhomed host? - its main objective is to stop worms and viruses - serves as a single point of entry to the network - uses a single NIC to manage two network connections - it is used as a remote access server in some configurations
serves as a single point of entry to the network
In a _________ based detection system, the IDPS can begin working immediately after installation.
signature
You monitor and evaluate network traffic to gather evidence that indicates whether your IDPS _________________ are working well or need to be updated.
signatures
Which of the following is described as the combination of an IP address and a port number? portal datagram subnet socket
socket
What type of DNS configuration prevents internal zone information from being stored on an Internet-accessible server? anti-phishing DNS read-only zone split-DNS architecture caching DNS zone
split-DNS architecture
The lack of authentication for computers on the Internet makes IP _____________ possible, which is a change in the IP addresses in the headers of malicious packets.
spoofing
Which VPN topology is also known as a hub-and-spoke configuration? bus partial mesh star full mesh
star
What is an advantage of the anomaly detection method? -easy to understand and less difficult to configure than a signature-based system -after installation, the IDPS is trained for several days or weeks -system can detect attacks from inside the network by people with stolen accounts -makes use of signatures of well-known attacks
system can detect attacks from inside the network by people with stolen accounts
A network ____________ is a type of passive sensor that consists of a direct connection between a sensor and the physical network medium.
tap
Which best defines residual risk? -a vulnerability for which the risk has been reduced to zero -risk that occurs as a result of new vulnerabilities -the amount of risk remaining after countermeasures are implemented -the cost of implementing solutions to an assessed risk
the amount of risk remaining after countermeasures are implemented
What makes IP spoofing possible for computers on the Internet? the lack of authentication the 32-bit address space network address translation the DNS hierarchy
the lack of authentication
If you see a /16 in the header of a snort rule, what does it mean? -a maximum of 16 log entries should be kept -the size of the log file is 16 MB -the detected signature is 16 bits in length -the subnet mask is 255.255.0.0
the subnet mask is 255.255.0.0
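The `/16` on the card above is CIDR prefix notation in the Snort rule header, equivalent to a 255.255.0.0 mask. Below is an added example written for this page (not Snort's own code and not from the textbook): a small parser for the header of a Snort rule that resolves `$HOME_NET`-style variables, expands the prefix to a network object so the netmask can be read off, and decides whether a given packet's addresses and ports match. The variable bindings, the rule text and its `sid` are constructed for the example, and option parsing is simplified (a `;` inside a quoted `msg` is not handled).

```python
import re
from ipaddress import ip_address, ip_network

# Example variable bindings; in a real deployment these come from snort.conf (assumed here).
VARS = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "!192.168.0.0/16"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def parse_address(token):
    """Return (negated, network); network is None for 'any'. '/16' becomes a network
    whose netmask is 255.255.0.0."""
    token = VARS.get(token, token)
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        return negated, None
    return negated, ip_network(token, strict=False)


def parse_port(token):
    """'any', a single port '80', or a range '80:443', ':1023', '1024:'."""
    if token == "any":
        return 0, 65535
    if ":" in token:
        low, high = token.split(":", 1)
        return int(low or 0), int(high or 65535)
    return int(token), int(token)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    options = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', m.group("options")))
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": parse_address(m.group("src")),
        "sport": parse_port(m.group("sport")),
        "dst": parse_address(m.group("dst")),
        "dport": parse_port(m.group("dport")),
        "msg": options.get("msg", ""),
        "sid": int(options["sid"]) if "sid" in options else None,
    }


def address_matches(spec, ip):
    negated, network = spec
    inside = True if network is None else ip_address(ip) in network
    return inside != negated          # '!' inverts the test


def port_matches(spec, port):
    return spec[0] <= port <= spec[1]


def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Header match only; payload options such as content: are out of scope here."""
    return (rule["proto"] in ("ip", proto)
            and address_matches(rule["src"], src_ip) and port_matches(rule["sport"], src_port)
            and address_matches(rule["dst"], dst_ip) and port_matches(rule["dport"], dst_port))
```

Reading the netmask off the parsed network is the check that answers the card: `192.168.0.0/16` covers 65,536 addresses under mask 255.255.0.0, so a rule written against it fires for any host in that range and for none outside it.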
Which of the following is true about private IP addresses? -they are not routable on the Internet -NAT was designed to conserve them -they are assigned by the IANA -they are targeted by attackers
they are not routable on the Internet
What do you call a firewall that is connected to the Internet, the internal network, and the DMZ? three-pronged firewall multi-zone host three-way packet filter multi-homed proxy
three-pronged firewall
Groups known as ______________ teams are assembled to actively test a network.
tiger
Why might you want to allow extra time for setting up the database in an anomaly-based system? - the installation procedure is usually complex and time consuming - to add your own custom rule base - to allow a baseline of data to be compiled - it requires special hardware that must be custom built
to allow a baseline of data to be compiled
Which of the following is a security-related reason for monitoring and evaluating network traffic? -to create substantial data to analyze -to see how many files employees download form the Internet -to determine if your IDPS signatures are working well -to optimize your router and switch protocols
to determine if your IDPS signatures are working well
Which of the following shows how devices are connected and includes an IP allocation register? security policy hardware inventory topology map asset table
topology map
The period of time during which an IDPS monitors network traffic to observe what constitutes normal network behavior is referred to as which of the following? -baseline scanning -traffic normalizing -training period -profile monitoring
training period
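The cards on anomaly detection (profiles of what each user normally accesses, the training period that compiles the baseline, detecting a stolen account, and whitelists of known-harmless entities) describe one mechanism. The following is an added example written for this page, not the textbook's code: it builds per-user profiles from a constructed training-period log and then flags later events whose resource falls below a share threshold of that user's baseline. The users, resources and threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed training-period log: (user, resource) pairs observed while the IDPS
# learns what "normal" looks like. Names and resources are hypothetical.
TRAINING_EVENTS = (
    [("alice", "fileserver:/finance")] * 9 + [("alice", "fileserver:/hr")]
    + [("bob", "gitserver:/eng")] * 10
    + [("backup-svc", "fileserver:/finance"), ("backup-svc", "fileserver:/hr"),
       ("backup-svc", "gitserver:/eng")]
)


def build_profiles(events):
    """Profile = how often each user touched each resource during the training period."""
    profiles = defaultdict(Counter)
    for user, resource in events:
        profiles[user][resource] += 1
    return profiles


def score_event(profiles, user, resource, threshold=0.05, whitelist=frozenset()):
    """Return (anomalous, reason). An access is anomalous when the user has no profile or
    when the resource makes up less than `threshold` of that user's baseline activity.
    Whitelisted users are entities known to be harmless and are never flagged."""
    if user in whitelist:
        return False, "whitelisted"
    profile = profiles.get(user)
    if profile is None:
        return True, "no profile for user"
    share = profile[resource] / sum(profile.values())
    if share < threshold:
        return True, f"{resource} is {share:.0%} of {user}'s baseline"
    return False, "within profile"
```

The threshold is the tuning knob the cards hint at: raising it catches more misuse but also turns legitimate rare accesses (alice's occasional HR folder) into false positives, which is why the training period and the thresholds both need time to settle.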
Which of the following is a top-level digital certificate in the PKI chain? security-aware resolver DNSSEC resolver RRSIG record trust anchor
trust anchor
VPNs create a _____________ to transport information through public communications media.
tunnel
What are the two modes in which IPsec can be configured to run? header and payload client and server tunnel and transport transit and gateway
tunnel and transport
What is a zone transfer? -updating a secondary DNS server -backing up an SQL data file -copying host file data to another system
updating a secondary DNS server
Which of the following is NOT a recommended security setting for Apache Web servers? -harden the underlying OS -use the default standard Web page error messages -create Web groups -disable HTTP traces
use the default standard Web page error messages
Which IDPS customization option is a list of entities known to be harmless? whitelists thresholds alert settings blacklists
whitelists