Network, Security, Firewalls, and VPNs 3rd Edition Chapter 1 - 14

Which of the following describes a blacklist?

A type of filtering in which all activities or entities are permitted except those identified

Which term describes the calculation of the total loss potential across a year for a given asset and a specific threat?

Annualized loss expectancy (ALE)

In executing the processes of risk assessment and risk management, which statistic calculates the potential number of times the threat could be a realized attack in a year's time?

Annualized rate of occurrence

Which name is given to a probability prediction based on statistics and historical occurrences on the likelihood of how many times in the next year a threat is going to cause harm?

Annualized rate of occurrence (ARO)

Duncan runs a small writing and editing business. He employs two people in his small office/home office (SOHO). He also has general knowledge of networking, including how to configure a basic firewall to protect the network. His off-the-shelf firewall has rule sets built in with several main elements. Duncan is currently setting rules for TCP and UDP. What element is he working with?

Base protocol

Charles is an IT help desk technician. He gets a ticket from a branch office saying that they lost Internet connectivity. He investigates remotely over a backup maintenance link and determines that this was done by design; the office's firewall deliberately severed the connection. Which of the following does this functionality define?

Bastion host

Which term is used to describe a firewall that is implemented via software?

Bump-in-the-stack

Which name is given to a VPN created between a client and a server either within the same local network or across a WAN link or intermediary network to support secure client interaction with the services of a resource host?

Client-to-server VPN

Which of the following refers to a type of software product that is pre-compiled and whose source code is undisclosed?

Closed source

Which of the following terms describes hiding information from unauthorized third parties?

Cryptography

Devaki is an engineer who is designing network security for her company's infrastructure. She is incorporating protections for programming flaws, default settings, maximum values, processing capabilities, and memory capacities on devices, as well as malicious code and social engineering. What is this type of protection called?

Defense in depth

Alejandro is a cybersecurity contractor. He was hired by a Fortune 500 company to redesign its network security system, which was originally implemented when the company was a much smaller organization. The company's current solution is to use multiple firewall platforms from different vendors to protect internal resources. Alejandro proposes an infrastructure security method that, in addition to firewalls, adds tools such as an intrusion detection system (IDS), antivirus, strong authentication, virtual private network (VPN) support, and granular access control. What is this solution called?

Diversity of defense

Ingress and egress filtering can expand beyond protection against spoofing and include a variety of investigations on inbound and outbound traffic. Which of the following is not one of the ways ingress and egress filtering expand beyond protection against spoofing?

Dynamic packet filtering

Carl is a network technician who has been assigned to select a dedicated hardware device to act as the company's termination point for the secured virtual private network (VPN) tunnel. He chooses a device that allows the firewall to filter traffic that is exiting the VPN and moving into the local area network (LAN). It is the choice that is best suited for controlled access into the demilitarized zone (DMZ). What is the solution that he recommends?

Edge router

A host software firewall should never be installed on a server if a dedicated firewall appliance is deployed on the same network.

False

Fair queuing is the distribution of the firewall filtering workload across multiple parallel firewalls.

False

Firewalking is a technique to learn the configuration of a firewall from the inside.

False

In IPSec tunnel mode, only the data packet payload is encapsulated, while the packet header is left intact.

False

Isabelle is the cybersecurity engineer for a medium-sized company. She is setting up a firewall for examining inbound network traffic for a variety of characteristics. While remote users working from home should be allowed access to network resources, malicious traffic should be blocked. To differentiate between the two, Isabelle is looking at factors such as whether the inbound traffic is a response to a previous request inside the network; whether it includes blocked domain names, IP addresses, and protocols; and whether it conforms to known malicious patterns or is otherwise abnormal. What is she setting up the firewall to practice?

Filtering

A malicious party has discovered the IP address of a host inside a network she wants to hack. She employs a form of port scanning, attempting to establish a connection with the host using multiple different ports. Which technique is she using?

Firewalking

In balancing competing concerns while deploying a personal virtual private network (VPN) solution, Yee values his privacy more than his anonymity. Which is he most concerned about?

Having information about his network exposed.

Location-aware anti-theft software will periodically upload its location to a centralized site in the event that the mobile device is lost or stolen. What can defeat this?

If the thief reformats the mobile device's drive

Nicolau is a network engineer for a large online retailer. He is concerned about the security of his company's network connections to its customers, vendors, and partners. Although all of these sources are generally trusted, he knows they can be hacked by malicious parties and used to steal confidential company data. Which network-based solution should he choose to detect unauthorized user activity and attacks that is also capable of taking action to prevent a breach?

Intrusion detection system/intrusion prevention system (IDS/IPS)

Chad is a network engineer. He is tasked with selecting a virtual private network (VPN) platform for his company. He chooses a solution that is inexpensive and runs on UNIX, although it is less scalable and less stable than other solutions. What has he chosen?

Operating system-based VPN

Geraldine is a freelance network technician. She has been hired to design and build a small office/home office (SOHO) network. She is considering what firewall solution to select, keeping in mind that her client has a tight budget and the network is made up of no more than six nodes. Which of the following is the best solution?

Personal hardware firewall integrated in the wireless access point or modem

Amy is a network engineering consultant. She is designing security for a small to medium-sized government contractor working on a project for the military. The government contractor's network is comprised of 30 workstations plus a wireless printer, and it needs remote authentication. Which of the following is a type of authentication solution she should deploy?

RADIUS

Jacob is a remote employee. He clicks the Start menu button in Windows and selects an application to run. Most of the time, he is unaware that he is really accessing the application on a server at his company's main office several miles away. What solution is he using?

RD RemoteApp

Which of the following describes caching?

Retention of Internet content by a proxy server

Every morning when James logs into his computer and attempts to access Microsoft 365, he is asked to enter his password. After that, he is sent a text on his mobile phone with a six-digit code he must enter. In terms of multifactor authentication, his password is something he knows. What is the text message?

Something he has

Analisa is a sales representative who travels extensively. At a trade show, Analisa uses her virtual private network (VPN) connection to simultaneously connect to the office LAN and her personal computer at home. What security risk does this pose?

Split tunneling

Which name is given to a form of filtering that focuses on traffic content?

Stateful inspection filtering

Jacob is a network technician who works for a publishing company. He is setting up a new hire's access permissions. The new hire, Latisha, is an editor. She needs access to books that have been accepted for publication but are in the review stage. Jacob gives her access to the network drive containing only books in review, but not access to administrative or human resources network drives. What principle is Jacob applying?

The principle of least privilege

A best practice when troubleshooting a virtual private network (VPN) is to document processes and procedures.

True

A best practice when troubleshooting issues is to make one change at a time, and then test the change before making any other changes.

True

A guideline for firewall selection is to never skimp on throughput.

True

A remote access link enables access to network resources using a wide area network (WAN) link to connect to the geographically distant network.

True

A small office/home office (SOHO) virtual private network (VPN) hardware firewall provides remote access.

True

A virtual private network (VPN) can operate securely over the Internet and still provide high levels of security through encryption.

True

A virtual private network (VPN) set up in a demilitarized zone (DMZ) has a firewall in front and behind it.

True

An intrusion prevention system (IPS) does not replace an intrusion detection system (IDS).

True

IT infrastructure growth can be expected, unexpected, gradual, or abrupt.

True

If a server has a public IP address, it is a potential target for hacker attacks.

True

In a bypass virtual private network (VPN), traffic to the VPN and from the VPN to the internal network is not firewalled.

True

In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections.

True

Including photos of configuration screens in firewall procedures can speed up restoration after a network incident.

True

Internet Protocol Security (IPSec) has three major components: Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).

True

Layer 2 of the Open Systems Interconnection (OSI) Reference Model is the Data Link Layer.

True

Malware is a vulnerability of a software virtual private network (VPN).

True

Nahla is a network engineer charged with maintaining the routine operations of equipment in her company's server room. She is aware that fluctuations in electrical power flow can damage delicate circuitry. While configuring redundancy into a number of systems, which component does she choose that offers both redundancy and power conditioning?

Uninterruptible power supply (UPS)

A company vice president (VP) finds that the network security restrictions imposed by the security manager are too confining. To counter them, the VP habitually uses weak passwords, shares accounts with his assistant, and installs unapproved software. What security principle is the VP violating?

Universal participation

Dhruv is the lead network engineer for his three-year-old company. He is writing a proposal that recommends the network protocol to use in several branch offices. Based on the age of the networking equipment, what is his recommendation to the chief information officer (CIO)?

Upgrade to IPv6

Carl is a student in a computer networking class who is studying virtual private network (VPN) implementations. He is learning the basics about VPNs. Which of the following statements does he find is TRUE?

VPNs are both hardware and software solutions.

Arturo is a new network technician. He wants to use Remote Desktop Protocol (RDP) to connect to a server from his computer. The server is on the other side of the building. His computer is running Windows 10. Will he be able to make the connection?

Yes, because the RDP protocol has clients that work on most common operating systems.

Alice is a network technician designing infrastructure security based on compartmentalization. Which of the following does she employ?

Zones of access that are separated from other parts of the network by routers, switches, and firewalls

An exploit called "overlapping" can cause the full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams. An overrun attack can create excessively large datagrams and, with other types of fragmentation attacks, can result in:

denial of service

Which of the following describes an appliance firewall?

A hardened hardware firewall

Which of the following is a malicious software program distributed by a hacker to take control of a victim's computers?

Agent or bot

Which of the following refers to encoding and decoding information using related but different keys for each process?

Asymmetric cryptography

Which term describes programs used to control access to computer resources, enforce policies, audit usage, and provide billing information?

Authentication, authorization, and accounting (AAA) services

Which firewall product is designed for larger networks?

Commercial firewalls

Which term describes a VPN created between two individual hosts across a local or intermediary network?

Host-to-host VPN

What is Compression?

Removal of redundant or superfluous data or space to reduce the size of a data set

In deploying security for a network, which method is no longer seen as truly secure or sufficient for protecting logins?

Single-factor authentication

Carl is a security engineer for his company. He is reviewing a checklist of measures to physically protect the network specifically and the office environment in general. What is he focused on?

Testing alarms

A hashing cryptographic function takes the input of any file or message and creates a fixed length output based on:

The hashing algorithm being used.

Which of the following characteristics describes an edge router?

The last device owned and controlled by an organization before an ISP or telco connection

Lin is designing a virtual private network (VPN) implementation as a class project. The assignment includes a budget she has to follow. To save money, she decided to use a VPN without a firewall. What is the problem with her decision?

This approach will not work because VPNs cannot take the place of firewalls.

A best practice is to perform verification scans of all deployed firewall settings to ensure their functionality.

True

A best practice is to use strong authentication and nonrepudiation methods for all transactions over the Internet.

True

A virtual firewall can protect physical networks as well as virtual clients and servers.

True

A virtual private network (VPN) implementation best practice is to protect the VPN server behind a firewall.

True

In a risk assessment, the asset value (AV) includes both tangible and intangible costs.

True

How does Symmetric Cryptography work?

Uses a single shared key to encrypt/decrypt data.

Joaquin is a senior network technician for a mid-sized company who has been assigned the task of improving security for the IT infrastructure. He has been given a limited budget and must increase security without redesigning the network or replacing all internetworking security devices. He focuses on an approach that will identify a single vulnerability. What does he recommend?

Weakest link

Which of the following is not a consideration when placing firewalls on the network?

Where hackers are located

Asymmetric cryptography that uses key pairs is commonly known as:

public key cryptography.

A company uses an Internet Protocol Security (IPSec) virtual private network (VPN) solution. It allows remote users to connect to the main office and allows communication between the main office and branch offices securely over the Internet. The main office network uses network address translation (NAT) with an internal IP address range of 192.168.0.1 to 192.168.0.254. Which of the following ranges must remote offices and users NOT use on their internal networks?

192.168.0.x

Alphonse is a network engineer who is developing his IT infrastructure's virtual private network (VPN) deployment plan. He has decided to place the VPN device between the externally facing and internally facing firewalls in the demilitarized zone (DMZ). He is determining the rule sets with which to configure both firewalls. His VPN device is a Secure Sockets Layer (SSL) VPN and he wants to use default settings. Which port should he allow the firewalls to pass traffic through?

443

Felicia is a network engineer deploying a virtual private network (VPN) solution. The VPN operates using Secure Shell (SSH). When asked by a new help desk tech about which layer of the OSI model it employs, how does Felicia answer?

7

Which of the following describes optical carrier (OC)?

A network carrier line—often leased or dedicated—which uses fiber optic cables for high-speed connections

Cassie is an IT help desk representative. She just received a trouble ticket from a remote user stating they cannot connect to the company network over the virtual private network (VPN). Cassie begins troubleshooting the matter, checking on recent configuration changes to the VPN equipment, looking at the unit's logs for error messages, and so on. She has examined the VPN-related features and potential problems but still doesn't understand why the end user's connection failed. She has been assured that both the end user and the company have Internet connectivity. What is the most likely reason the user cannot connect?

A network engineer has inadvertently changed the IP address of the firewall's internal interface that connects to the VPN's outward-facing port.

Which of the following describes dynamic packet filtering?

A process that automatically creates temporary filters. In most cases, the filters allow inbound responses to previous outbound requests.

Which of the following characteristics relates to the term algorithm?

A set of rules and procedures—usually mathematical in nature—that can define how the encryption and decryption processes operate

In preserving the confidentiality of users on a corporate network, which party is responsible for setting up security policies to guarantee users' privacy?

Administrator

Elissa is a network technician. She is configuring firewall rules for one of her company's branch offices, which supports online retail sales of the company's products. She is configuring rules to block traffic based on a traditional model but needs to allow a particular type of traffic. What should she allow?

All traffic from port 80 originating from the office's web server, which is in a protected subnet

Alphonse is a networking contractor who has been hired by a small to medium-sized company to configure its firewall. The firewall comes preconfigured with a common rule set that allows web, email, instant messaging, and file transfer traffic using default ports. The company wants to allow access to secure websites and common website protocols but block access to insecure Internet websites. Which of the following is the best solution?

Allow access to HTTPS, SQL, and Java, but deny access to HTTP

Which of the following describes a dedicated leased line?

Allows communication between one site and another

Mario is the network security engineer for his company. He discovered that, periodically, a remote user working from home accesses certain resources on the network that are not part of her regular duties. Mario has questioned the user and her supervisor, and has accessed the user's workstation. Mario believes the user is not the source of these intrusions and strongly suspects a malicious source is responsible. What is the most likely explanation?

An external hacker has gained access to the user's authentication and is accessing confidential company resources.

When conducting an audit, the auditor should be which of the following?

An external person who is independent of the organization under audit

Although it is not recommended, a company chief information officer (CIO) wants to configure and use the ff02::1 group on his new IPv6 network to send traffic to every node in the infrastructure. What group must he enable?

Anycast

Which of the following refers to a type of firewall that filters on a specific application's content and session information?

Application firewall

Which term describes an object, computer, program, piece of data, or other logical or physical component you use in a business process to accomplish a business task?

Asset

Which term describes the cumulative value of an asset based on both tangible and intangible values?

Asset value (AV)

Diego is a network consultant. He is explaining the benefits of virtual private network (VPN) connections for remote clients to the owner of a company who wants to allow most staff to work remotely. He says that a VPN is both private and secure. What does he say is the rationale?

Authentication provides privacy and encryption provides security.

Which term describes when a system is usable for its intended purpose?

Availability

Arturo is troubleshooting a firewall that may have been hacked by a malicious outsider. He is under pressure and immediately tries a fix that, if it fails, will not be easy to back out of. Before he makes the attempt, his supervisor warns him of the danger. What does Arturo's supervisor say?

Avoid destructive or irreversible solutions until last.

Which of the following is the name given to unauthorized access to a system?

Backdoor

Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is this entity called?

Bastion host operating system

Chris is a network engineer deploying a virtual private network (VPN) solution. He needs an implementation of Secure Sockets Layer/Transport Layer Security (SSL/TLS) that adds a layer of authentication to the access. What feature does he require?

Bidirectional authentication

Bill is a network engineer. On Monday morning, he learns that the firewalls between network segments are not operating as expected. He checks the activity sheet for the on-call techs who worked the weekend and sees that one of them performed an unscheduled patch. Bill suspects the patch made modifications to the firewalls. Of the following choices, what is the BEST way to check this?

Bill compares screenshots of the optimal firewall configuration against the current settings.

A malicious person wants to use tunneling to get through a company's firewall using a vulnerability. Micah, a network security engineer, is aware of this threat and configures the firewall to combat it. What does he do?

Block all encryption

Which malicious software program is distributed by hackers to take control of victims' computers?

Bots

Which term describes a network device that forwards traffic between networks based on the MAC address of the Ethernet frame?

Bridge

Which of the following refers to a communication pathway, circuit, or frequency dedicated or reserved for a specific transmission?

Channel

Which term describes the seemingly random and unusable output from a cryptographic function applied to original data?

Ciphertext

Which of the following refers to a host on a network that supports user interaction with the network?

Client

Augustine is a network engineer for a mid-sized company. He needs to deploy a new firewall, which was expensive to purchase and is complex to configure. In preparation for installation and configuration, he attends training conducted by the firewall vendor. Which of the following types of firewalls is he most likely planning to install?

Commercial

Dhruv is a network engineer using a command-line interface on his computer. He types the command mstsc/v and then a server name. What is he doing?

Connecting to a Windows server running a virtual private network (VPN)

A social networking website has been gathering a great deal of personal information on its users for years. This presents the potential danger of exposure if the site is hacked. In addition, the data could be sold by the social networking platform without the users' knowledge or consent. What technology does the social media company most likely use to gather data, such as users' buying preferences?

Data mining

Which term describes the process of converting ciphertext back into plain text?

Decryption

Isabelle is a network engineer deploying an IT infrastructure in one of her company's new branch offices. Currently, she is designing a local subnetwork that contains and exposes the office's external services to a larger, untrusted network, specifically the Internet. What is this called?

Demilitarized zone (DMZ)

Brianna is an IT technician. She is studying a threat that holds the communication channel open when a TCP handshake does not conclude. What kind of attack does this involve?

Denial of service (DoS) attack

In an incident response situation, which term is used to describe the actual confirmation of a breach?

Detection and analysis

Which term is used to describe a public-key, cryptography-based mechanism for proving the source (and possibly integrity) of a dataset or message?

Digital Signature

Bill's work-issued Windows laptop has been configured so he can remotely connect to his office from home without having to initiate a virtual private network (VPN) connection. What technology is he using?

DirectAccess

Which firewall has a network interface located in a unique network segment that allows for true isolation of the segments and forces the firewall to filter all traffic moving from one segment to another?

Dual-homed firewall

During which step of firewall incident response is the compromise resolved?

Eradication

James is a network engineer. He has been assigned the responsibility of designing a virtual private network (VPN) solution that will allow customers, suppliers, and business partners access to network resources without exposing the secure private LAN. The parties accessing these resources must use digital certificates issued by a certification authority (CA). What form of VPN is he setting up?

Extranet

A small fire breaks out in the lunch room of a branch office and the fire alarms sound. The employees are directed to leave the building and assemble in the parking lot. What condition is required to enable them to cross restricted access areas that are normally locked?

Fail-open

A good policy is to implement the first generation or first release of a firewall product.

False

A potential loophole is created when the wrong rule is positioned last in a firewall rule set.

False

A software firewall can protect multiple hosts from malicious network activity.

False

A virtual private network (VPN) connection ensures quality of service.

False

A virtual private network (VPN) replaces a firewall.

False

A virtual private network (VPN) server for remote access must be located in the demilitarized zone (DMZ).

False

All firewalls provide network perimeter security.

False

All private key cryptography is asymmetric, but some asymmetric algorithms are not private key algorithms.

False

Allow by default/deny by exception is always the preferred security stance.

False

Allow-by-default automatically prevents most malicious communications by default.

False

An antivirus scanner needs to have its database of definitions updated at least once per week.

False

An intranet virtual private network (VPN) never traverses a wide area network (WAN) link.

False

An intrusion detection system (IDS) false positive occurs when the IDS fails to detect an attack.

False

Basic packet filtering uses a complex, dynamic rule set.

False

Bump-in-the-wire is a software firewall implementation.

False

Client capabilities do not affect the performance of a remote virtual private network (VPN) connection.

False

Delay is the use of security to convince a potential attacker that the efforts to compromise a system are not worth it.

False

Depending on the situation, a fail-open state could be fail-secure or fail-close.

False

Hashing does not verify the integrity of messages.

False

Hashing modifies the original data.

False

Hypertext Transfer Protocol Secure (HTTPS) does NOT encrypt private transactions made over the Internet.

False

In a gateway-to-gateway virtual private network (VPN), the mobile user takes specific actions to connect to the VPN.

False

In an internally connected virtual private network (VPN), the Internet-facing VPN connection is in front of a firewall.

False

In intrusion detection, anomaly-based detection looks for differences from normal traffic based on a recording of real-world traffic that establishes a baseline.

False

Instability is not considered a potential threat associated with software virtual private networks (VPNs).

False

Internet Protocol Security (IPSec) is designed to work well with network address translation (NAT).

False

It is uncommon to leverage a virtual private network (VPN) to send sensitive information when connected to an untrustworthy network.

False

Multiple firewalls in a series is considered diversity of defense but not defense in depth.

False

Software-based virtual private networks (VPNs) are typically more scalable than hardware VPNs.

False

Delmar is a consultant configuring a small firewall for a client who uses a small office/home office (SOHO) network. He is permitting the common protocols on the outbound connection, but he can only forward rather than block incoming protocols. If he forwards common protocols such as FTP, Telnet, and NetBIOS, how can this protect the network from anyone who may maliciously use these ports?

Forward to a nonexistent port where no device is listening

Ambrose is testing his IT department's new firewall deployment. He is using a collection of applications that employ a brute-force technique to craft packets and other forms of input directed toward a target. What is this collection of tools called?

Fuzzing tools

A malicious person is using an existing virtual private network (VPN) tunnel to infiltrate a company's private local area network (LAN). What is this tunneling method doing?

Hijacking an existing port

Which of the following refers to a software firewall installed on a client or server?

Host firewall

Which term describes a network, network link, or channel located between the endpoints of a VPN?

Intermediary network

Alice is a network engineer who has been tasked with researching a virtual private network (VPN) tunneling protocol to be used by her company. It must be able to pass traffic through a network address translation (NAT) server and be compatible with a number of well-known proprietary and open source platforms. What solution does she select?

Internet Key Exchange v2 (IKEv2)

Internet Protocol Security (IPSec) is a standards-based protocol suite designed specifically for securing ____________ communications.

Internet Protocol (IP)

Devaki is developing a backup and recovery strategy for the network and server system. She needs a way to address and quickly restore small events where a bit of data has accidentally been deleted, as well as to remedy situations where the entire facility is compromised. What is her plan?

Keep a local backup for quick retrieval to deal with small events and an encrypted remotely stored copy for major incidents.

Maria is a new network engineer for a company that was established more than 30 years ago. She is examining the IT infrastructure and discovers that the virtual private network (VPN) solution employs an older encryption protocol for backward compatibility. This protocol has largely been replaced, but it used to be popular in early VPN solutions. What is this protocol?

Layer 2 Tunneling Protocol (L2TP)

Jahi is a security engineer for a U.S. Department of Defense contractor. He is implementing a more secure method for remote users to log into an internal system over a virtual private network (VPN). In addition to requiring a password, this method asks the user to enter a PIN texted to their mobile phone, and to use a fingerprint reader mounted to their company-issued laptop. Which method is Jahi deploying?

Multifactor authentication

A malicious person is attempting to subvert a company's virtual private network (VPN). She is using a tool that creates TCP and UDP network connections that can link to or from any port. What is this tool?

Netcat

Chang is a network engineer. He is revising the company's firewall implementation procedure. He is reviewing the procedural element requiring placement of network firewalls at chokepoints and mapping out the network structure to pinpoint the location where firewalls are to be placed. Which of the following is he focusing on?

Network design

Ahmed is testing the security of his company's IT infrastructure. He is using an application that works as a network mapper, port scanner, and OS fingerprinting tool. Which of the following is he employing?

Nmap

A malicious person is performing a technique called anti-forensics on a target network to hide evidence of an intrusion and conceal implanted rootkits and other malware. What is one action that might be taken when this method is used?

Overwriting metadata

A firewall is a filtering device that watches for traffic that fails to comply with rules defined by the firewall administrator. What does the firewall inspect?

Packet Header

Aditya is a network engineer. He is deploying a special host that will attract hackers so he can capture and analyze the attacks. This specific method involves using an intrusion detection system (IDS) to detect attacks and then routing them to an environment where they can do no harm. What is this method called?

Padded cell

Mei is a new network technician for a mid-sized company. She is trying to determine what is causing a performance lag on the infrastructure's virtual private network (VPN). The lags typically occur between 8 a.m. and 9 a.m., and again between 1 p.m. and 2 p.m. What is the most likely cause?

Peak usage loads

A company hires security experts to play the role of hackers. The experts are asked to attempt to breach the infrastructure to determine how secure the company is from threats. The experts are also asked to recommend improvements. What is this activity called?

Penetration testing

Which name is given to an entrance or exit point to a controlled space?

Physical layer (Layer 1)

Israel is a network technician who has just deployed a new firewall. Before putting it in production, he wants to test the firewall's ability to filter traffic according to its rule set, without risking the internal network. What is the best solution?

Place the firewall in a virtual network environment and simulate traffic.

Which term refers to a type of business telephone network?

Private Branch Exchange (PBX)

Gino is an ethical hacker hired as a consultant to test the security of a mid-sized company's network. As part of his assignment, he has been given physical access to the system. He has built a dictionary of hashed passwords from the hard drive of the device. Which type of attack is he planning to launch?

Rainbow

Armand is the IT director of his organization. He is working with accounting to determine a budget for upgrading the company's virtual private network (VPN) equipment. Several options are available, and he still needs more technical assistance to make a decision. Rather than going with award-winning VPN products he has found in industry magazines and websites, which of the following is the best choice to consult for assistance in collecting information and helping to narrow his choices?

Reseller

All firewalls, including those using static packet filtering, stateful inspection, and application proxy, have one thing in common. What is it?

Rules

Landon is a network contractor. He has been hired to design security for the network of a small company. The company has a limited budget. Landon is asked to create a system that will protect the company's workstations and servers without undue expense. Landon decides to deploy one hardware firewall between the Internet and the local area network (LAN). What is this solution called?

Single defense

Demetrice is a network consultant. She has been hired to design security for a network that hosts 25 employees, many of whom need remote access. The client recently opened another small office in a neighboring community and wants to be able to routinely establish secure network connections between the two locations. The client often deals with customer bank information and requires a particularly secure solution. What is her response to these requirements?

Small office/home office (SOHO) virtual private network (VPN)

Which of the following refers to a host firewall installed on a client or server?

Software firewall

Which term describes the act of working from a home, remote, or mobile location while connecting into the employer's private network, often using a VPN?

Telecommuting

Kasim is a network technician. He is tasked with deploying a virtual private network (VPN) in his company's IT infrastructure. He wants to place the VPN device where it is directly connected to both the Internet and the internal LAN. He believes that security will not be a concern because the VPN is already encrypted point-to-point. Which of the following statements is TRUE about this configuration?

The VPN device itself is still capable of being attacked.

Aileen is a help desk technician. She and her coworkers start getting a lot of calls from remote workers saying that their virtual private network (VPN) connection to the office abruptly dropped. Last month, Aileen helped deploy a new VPN solution that uses redundant VPN devices with their own power sources connecting to an Internet circuit. What is the most likely cause of the problem?

The company's single internet circuit went down.

Which of the following describes authentication?

The process of confirming the identity of a user

Which of the following characteristics relates to access control?

The process or mechanism of granting or denying use of resources; typically applied to users or generic network traffic

Which of the following characteristics describes the application layer?

The top or seventh layer of the OSI model, which is responsible for enabling communications with host software, including the operating system

A hacker is attempting to access a company's router using false Internet Control Message Protocol (ICMP) type 5 redirect messages. What is the hacker's goal?

To spoof or manipulate routing data

Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design?

Traffic patterns

Which of the following refers to a form of encryption also known as point-to-point or host-to-host encryption?

Transport mode encryption

Which term describes encryption that protects only the original IP packet's payload?

Transport mode encryption

A Dynamic Host Configuration Protocol (DHCP) system automatically assigns IP addresses on a network.

True

A VPN creates or simulates a network connection over an intermediary network.

True

A bastion host firewall stands guard along the pathway of potential attack, positioned to take the brunt of any attack.

True

A benefit of a commercial virtual private network (VPN) solution is access to vendor support.

True

A best practice for firewall rules is to keep the rule set as simple as possible.

True

A best practice is to back up firewall configurations before applying new and tested updates.

True

A best practice is to block any device connecting to a network that is not in compliance with the security policy.

True

A best practice is to define a complete firewall rule set for each prescribed firewall in a written firewall policy.

True

A buffer overflow is a condition in which a memory buffer exceeds its capacity and the extra content "overflows" into adjacent memory.

True

A change control mechanism tracks and monitors the changes to a system.

True

A customer premise equipment (CPE)-based virtual private network (VPN) is a VPN appliance.

True

A dedicated leased line is an alternative to a virtual private network (VPN) between two office locations.

True

A default-allow firewall stance assumes that most traffic is benign.

True

A default-deny firewall stance assumes that all traffic is potentially unauthorized.

True

A drawback of multiple-vendor environments is the amount of network staff training that is typically needed.

True

A firewall allows you to restrict unauthorized access between the Internet and an internal network.

True

A firewall serves as a clear and distinct boundary between one network area and another.

True

A firewall with two interfaces is known as a dual-homed firewall.

True

A firewall's job is to impose all restrictions and boundaries defined in the security policy on all network traffic.

True

A hacker tunneling set up using an inbound connection must "hijack" an existing open port or reconfigure the firewall to open another port for use by the tunnel.

True

A hardware firewall is a dedicated hardware device specifically built and hardened to support the functions of firewall software.

True

A hardware virtual private network (VPN) is a standalone device, dedicated to managing VPN functions.

True

A host virtual private network (VPN) software product allows a single host access to VPN services, while a VPN appliance allows an entire network to access VPN services.

True

A host-to-host virtual private network (VPN) is a direct VPN connection between one host and another.

True

A network security management best practice is to focus on the big-impact and big-result issues first.

True

A next-generation firewall (NGFW) is a device that offers additional capabilities beyond traditional firewall functionality.

True

A remote access virtual private network (VPN) is also known as host-to-site VPN because it supports single-host VPN connections into a LAN site.

True

A simulated firewall test uses an attack simulator to transmit attack packets to a firewall.

True

A site-to-site virtual private network (VPN) is also known as a LAN-to-LAN VPN.

True

A small office/home office (SOHO) firewall may include intrusion detection.

True

A software-based virtual private network (VPN) may be part of a server operating system, part of an appliance operating system, or a third-party add-on software solution.

True

A virtual private network (VPN) appliance can be positioned outside the corporate firewall so that all VPN traffic passes through firewall filters.

True

A virtual private network (VPN) implementation best practice is to use strong authentication.

True

A virtual private network (VPN) policy documents an organization's rules for using the VPN.

True

A virtual private network (VPN) policy helps to ensure that users understand the requirements for computing on a VPN.

True

A virtual private network (VPN) policy should be a part of an overall IT security policy framework to avoid duplicate or conflicting information.

True

A virtualized Secure Sockets Layer (SSL) virtual private network (VPN) provides the ability to create custom authentication methods.

True

A virtualized desktop is hosted on a remote central server instead of on the local hardware of the remote client.

True

A web server between two firewalls is considered to be in a demilitarized zone (DMZ).

True

A written policy dictates which firewall features to enable or disable.

True

After installing a firewall, you should always install every available patch and update from the vendor.

True

All the rules on a firewall are exceptions.

True

An IPv6 address consists of 128 bits; an IPv4 address consists of 32 bits.

True

An SSL/TLS-based virtual private network (VPN) enables remote access connectivity from almost any Internet-enabled location using a web browser.

True

An access control list (ACL) focuses on controlling a specific user's or client's access to a protocol or port.

True

An active threat is one that takes some type of initiative to seek out a target to compromise.

True

An intranet virtual private network (VPN) connects two or more internal networks.

True

An intrusion detection system (IDS) serves as a companion mechanism to a firewall.

True

Authentication Header (AH) provides integrity protection for packet headers and data, as well as user authentication.

True

Authentication is the verification or proof of someone's or something's identity.

True

Basic packet filtering provided by routers can be used to protect subnets within a network.

True

Breaches are confirmed during the detection and analysis phase of incident response.

True

Content filtering can focus on domain name, URL, filename, file extension, or keywords in the content of a packet.

True

Delay involves slowing down an attack so that even successful breaches give defenders time to respond.

True

Depending on the firewall, a single rule can sometimes define outbound and inbound communication parameters.

True

Depending on the location of a virtual private network's (VPN's) endpoints, the topology may affect performance.

True

Detection involves watching for attempts to breach security and being able to respond promptly.

True

Effective virtual private network (VPN) policies clearly define security restrictions imposed on VPNs.

True

Extranets differ from intranets in that remote users outside of the enterprise are allowed access to resources inside the network.

True

Firewall filtering is an effective protection against fragmentation attacks.

True

Firewall implementation documentation should include every action taken from the moment the firewall arrives on site through the point of enabling the filtering of production traffic.

True

Firewall logging helps to ensure that defined filters or rules are sufficient and functioning as expected.

True

Firewalls can provide port-forwarding services.

True

Firewalls should be considered a part of a security infrastructure, not the totality of security.

True

How you apply Internet Protocol Security (IPSec) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) in a virtual private network (VPN) solution can affect VPN performance.

True

If a remote client needs to connect directly to a local area network (LAN), such as over a dial-up connection, a remote access server (RAS) is needed to host a modem to accept the connection.

True

In a layered security strategy, each security mechanism addresses a single issue or a small set of issues within a specific context.

True

In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public.

True

In symmetric cryptography, the same key must be used to encrypt and decrypt data.

True

Insecure default configuration is a vulnerability of a hardware virtual private network (VPN).

True

Internet Protocol Security (IPSec) supports both transport mode and tunnel mode.

True

Network router security is primarily about preventing unauthorized access.

True

Networked systems that are no longer used or monitored can become network entry points for hackers.

True

One common firewall event that usually warrants an alert is a firewall reboot.

True

Carl is a networking student who is reading about methods of encryption and how they work with firewalls. Right now, he is studying a form of encryption that encrypts the entire original payload and header of a packet. However, because the header contains only information about endpoints, it is not useful for a firewall filtering malicious traffic. Which of the following is the encryption method being described?

Tunnel mode

Which term describes encryption that protects the entire original IP packet's header and payload?

Tunnel mode encryption

Bill is a network technician. He is currently configuring the infrastructure's Internet-facing firewalls. He knows that the Internet Control Message Protocol (ICMP) echo type often referred to as "ping" is used by malicious persons to probe networks. He wants to set up a rule that will deny ping attempts from outside the network. What does he deny?

Type 8

Arturo is installing a hardware server in the network room of a branch office. He wants to label it in a way that will make it easy to differentiate this server from other server machines, yet not clearly identify it in case an unauthorized person gains physical access. How should he label it?

Using a code

Consuela is a business analyst for her company. She is working from home and on a video conference with several other team members. Her video-conferencing client displays a message indicating that the quality of her connection is unstable. What is the most likely problem?

VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets.

Besides a firewall, numerous other elements are often implemented to protect a network, EXCEPT:

a public IP address proxy.

All of the following are firewall management best practices, EXCEPT:

establish a philosophy of default allow rather than default deny.

All of the following protect against fragmentation attacks, EXCEPT:

internal code planting

A filter pathway is designed to:

make it hard to bypass a network filtering system and force all traffic through one route.

A firewall best practice is to document every action taken during troubleshooting.

True

A good practice is to trust no network traffic until it is proved to comply with security policy.

True

