Chapter 10 key
Under which of the following conditions is the FORWARD firewall chain used?
A Linux system is performing Network Address Translation (NAT).
A company has suffered a data breach. Investigators are able to establish exactly when the data breach occurred, but on checking the IDS logs, no evidence of the breach is present. What type of intrusion detection error condition is this?
A false negative.
What component does a network-based IDS use to scan traffic?
A sniffer or sensor.
The firewall bases its decisions on a set of rules called what?
ACL
Other than attempting to block access to sites based on content, what security options might be offered by Internet content filters?
Blocking access based on time of day or total usage
What type of firewall monitors packet sequence to prevent session jacking?
Circuit-level
What is shunning?
Configuring an IPS to set a temporary firewall rule to block the suspect IP address.
You are troubleshooting a connectivity problem with a network application server. Certain clients cannot connect to the service port. How could you rule out a network or remote client host firewall as the cause of the problem?
Connect to or scan the service port from the same segment with no host firewall running
What sort of maintenance must be performed on signature-based monitoring software?
Definition/signature updates
What is the default rule on a firewall?
Deny anything not permitted by the preceding rules.
A company had a 20% drop in productivity in the previous quarter. Management believes this is due to employees conducting personal business online at work. Management asks the network manager to provide a solution. Recommend a solution for management.
Deploy a content filter
What is the command iptables used for in Linux-based systems?
Edit rules enforced by Linux-based firewalls
A piece of software scans files and re-computes a hashsum for the local version. The software then verifies that the hashsum matches the correct value. Evaluate security tools and determine what software is performing this action.
File Integrity Monitoring (FIM)
What blocks traffic that does not conform to rules?
Firewall
A network manager needs to secure a critical client. The manager's primary goal is to prevent modification of the system. Which can the manager use to prevent modification of the system?
Host-Based Intrusion Prevention System (HIPS)
What parameters can a layer 3 firewall ruleset use?
IP source and destination address, protocol type, and port number.
What tool can an administrator use that provides passive detection by logging incidents and displays alerts at the management interface?
Network-Based Intrusion Detection System (NIDS)
A network manager installs a tool that throttles the bandwidth of attacking hosts and modifies suspect packets to render them harmless. Evaluate security technology tools and determine what tool the network manager is utilizing.
Network-Based Intrusion Prevention System (NIPS)
A network administrator deploys a firewall that analyzes the header and Hypertext Markup Language (HTML) code in Hypertext Transfer Protocol (HTTP) packets to match patterns in a threat database. Consider the types of firewalls and determine which firewall is on the network.
Next Generation Firewall (NGFW)
What OSI layer does an NGFW work at and why?
OSI layer 7 (Application) because the next generation firewall (NGFW) is configured with application-specific filters that can parse the contents of protocols such as HTTP, SMTP, or FTP.
Using iptables, in which chain would you create rules to block all outgoing traffic not meeting certain exceptions?
OUTPUT chain.
A network manager is configuring a firewall. Prepare guidelines for the network manager to follow. (Select two)
Only allow the minimum amount of traffic required. The most specific rules are placed at the top.
What deconstructs each packet, performs analysis, rebuilds and then forwards the packets rather than inspecting passing traffic?
Proxy server
What uses a database of attack patterns and known composites of malware to prevent malware attacks?
Signature-based detection
Why would you deploy a reverse proxy?
To publish a web application without directly exposing the servers on the internal network to the Internet.
A company has a need for increased security control. The company currently has two network technicians and a small budget for the project. Given this scenario, which is the BEST solution for the company?
Unified Threat Management (UTM)
What is the main purpose of UTM?
Unified Threat Management (UTM) consolidates multiple security functions in a single appliance with a single management console.
It is a good idea to block TCP and UDP ports in a firewall.
false
The more antivirus programs a system has, the greater the performance and functionality the system will have, and the lower the chance of the system getting malware.
false; more antivirus programs slow it down!
A reverse proxy is used with a published website to not directly expose the server to the Internet.
true
The basic function of a NIDS is to provide a PASSIVE response to any network threat.
true
The basic function of a NIPS is to provide ACTIVE detection of network traffic and threats.
true