Network Security, Firewalls, and VPNs Textbook (Third Edition) Answer Key
Which of the following is the only insurance against data loss?
Backup
Which security stance focuses on the use of firewalls as its primary means of controlling communications?
Chokepoint
Which of the following are the two main types of NAT?
Dynamic and static
Protocol converter is another name for what device?
Gateway
Which of the following is not a benefit of SSL/TLS over the use of IPSec VPNs?
Guaranteed uptime
Which of the following is not a biometric characteristic?
Height
Most exploits are based on the existence of which of the following?
Human beings
Which of the following is not a type of specialized firewall?
Hybrid
Which standard allows a firewall to hand off authentication to a dedicated service hosted on a different system?
IEEE 802.1x
Which of the following is one of the primary methods for deploying remote access VPNs?
IPSec
Which of the following is not part of a complete and comprehensive security approach?
Implement single-factor authentication
Which of the following techniques is not considered a part of network security assessment?
Incident response
Which of the following is the best, first tool to use when troubleshooting firewalls?
Information
Which of the following attacks is not stopped by a border firewall?
Inside client to internal host attack
Which of the following is an IPSec protocol that negotiates, creates, and manages security associations?
Internet key exchange
Which of the following is true of Remote Desktop Services?
It can host multiple, simultaneous sessions
Which of the following is true about the star topology?
It is more fault tolerant than a bus network
What is the most important characteristic of an effective security goal?
It is written down
Which of the following is a true statement regarding IPSec?
It provides secure node-on-network connectivity
CIOs can be held accountable for security breaches in government compliance. When CIOs complain about security, which of the following is their top complaint?
Lack of measures
Which of the following is not one of the three most common VPN deployment architectures?
Modified
Which term describes the deployment of multiple subnets in a series to separate private resources from public?
N-tier
Which of the following protocols does not support VPN use?
NAT-T
Which of the following is a benefit of a commercial VPN solution over open-source solutions?
Product support
Which of the following best describes network availability?
Protection against downtime while supporting authorized access to resources
When selecting a firewall solution, which of the following are security concerns to consider?
Refresh rate
Which of the following is not a network security management best practice?
Rely upon single or individual defenses
Which form of attack captures authentication packets to retransmit them later?
Replay
Which of the following is the most important feature of a bastion host OS?
Resistance to attacks and compromise attempts
How can you know if a firewall is functioning properly?
Review the test results
Which of the following should be complete prior to building a VPN policy?
Risk assessment
What is the primary security concern with wireless connections?
Signal range
Which of the following is an example of a biometric characteristic?
Signature
Which attack is based on the impersonation of a legitimate host?
Spoofing
What is another name for dynamic packet filtering?
Stateful inspection
Which of the following is not an installation method for pfSense?
Streamed across the network
Which device works at Layer 2 (Data Link Layer) and uses MAC addresses to differentiate traffic?
Switch
What form of cryptography encrypts the bulk of data transmitted between VPN endpoints?
Symmetric
Which of the following is a firewall rule that prevents internal users from accessing public FTP sites?
TCP 192.168.42.0/24 ANY ANY 21 Deny
Which of the following is a default-deny rule?
TCP ANY ANY 192.168.42.0/24 ANY Deny
Which of the following is not one of the overlapping types of risk in network and transaction security?
The server hardware can fail
Which of the following is most important to the effectiveness of an antivirus scanner?
Timeliness of the definitions database
What is the primary purpose of a post-mortem assessment review?
To learn from mistakes
What is the purpose of physical security in an organization?
To prevent unauthorized access to facilities and equipment
Which of the following VPN tools provides anonymous, encrypted tunneling systems?
Tor
Which of the following is not a part of IPv6 IPSec cryptography?
Translation services
Which of the following is not a component of a VPN policy?
Troubleshooting
What are the two modes supported by IPSec? (Multiple answers are correct)
Tunnel; Transport
Which organization originally managed the Onion Routing Project?
U.S. Naval Research Lab
Which of the following is a firewall management best practice?
Upon firewall installation, install available updates from the vendor
Which of the following is not a firewall management best practice?
Use vendor default configuration
Which of the following is a highly recommended method or technique for keeping firewall logs secure and uncorrupted?
Using WORM devices
Which of the following does not contribute to the erosion of the network perimeter?
VPN
Which of the following is a limitation of deploying a VPN?
Vulnerabilities exist at endpoints
Which command do you use to verify that an OpenVPN VPN is running?
ping
When deploying software firewalls, what is the maximum number that should be operational on a single system at one time?
1
Which of the following is not true of firewalls?
A firewall is a type of authentication system
What does a hacker exploit in a target system?
A vulnerability
Which of the following is not a step or phase in an incident response plan?
Acquisition
Which of the following is not a remote VPN option discussed in this chapter?
AdobeConnect
When constructing a rule set, where should you place the default-deny rule?
After any explicit Deny rules
Which of the following is not a type of emerging issue the EPIC would alert the public about?
Alexa personal helper
Which of the following is true of firewall rules?
All rules on a firewall are exceptions.
Which of the following best describes the principle of least privilege?
Allow the user access to only what is essential for the job responsibilities.
When considering multifactor authentication, which of the following is something you have?
An ID card
Which of the following best describes nonrepudiation?
An action cannot be denied as occurring
Which of the following is the best option for resolving firewall compromises?
Apply outstanding patches
What does Van Eck phreaking allow?
Attackers to eavesdrop on electronic devices from a device
Which of the following is used by IPSec and provides integrity for packet headers and data, as well as user authentication?
Authentication Header (AH)
Which of the following is the primary factor when composing firewall rules?
Bandwidth
Which of the following is not a function of the firewall?
Block one device from using too much bandwidth
Which VPN access control issue can be enforced through VPN authentication?
Blocking unauthorized VPN users
Which of the following is not a common mistake that should be included in user training?
Bricking corporate computers
Which form of attack submits excessive amounts of data to a target to cause arbitrary code execution?
Buffer overflow
Which of the following is a potential weakness of a firewall that cannot be fixed with the application of a patch?
Buffer overflow vulnerability
Which of the following network topologies requires the use of terminators?
Bus
What is the term for a VPN deployment in which traffic between the VPN and internal network is not firewalled?
Bypass deployment
Which of the following is a form of filtering that allows communication, regardless of whether a session was previously established?
Circuit proxy
Which type of hacker represents the greatest threat because they likely already have physical access to a target?
Consultant
Which method of communication is unseen, unfiltered, and based on time manipulations?
Covert channel
Which of the following specialized firewall types is designed to provide data leakage prevention?
Data protection
What is another term for a VPN?
Data-encrypted tunnel
Which of the following is not a major component of the SSH protocol?
Datagram protection protocol
Which of the following is not a benefit of virtualization's hypervisor?
Deep-content inspection
Which of the following is not a threat to software and hardware VPNs?
Denial of service
Which activity differentiates a triple homed firewall from a dual homed firewall?
Deployment of traffic from the Internet to a DMZ
When a firewall breach is detected, what is the first step that should be taken?
Disable the firewall
Which of the following is a method of filtering that automatically keeps track of sessions on a limited timeout basis to allow the responses to queries to reach internal systems?
Dynamic packet filtering
Which agency was created to alert the public to emergency issues with the national information infrastructure?
EPIC
Which form of VPN deployment requires additional authentication for accessing resources across the VPN?
Edge router
Which of the following should be done as part of router configuration?
Enable a warning banner for all attempting connections
Which of the following is the best way to treat private messages as confidential?
Encrypt the message so it stays private
Which of the following is not satisfied with a firewall policy?
Ensuring consistent filtering across the infrastructure
Which of the following is not a task completed with tunneling?
Ensuring encryption of traffic
Which of the following might a hacker launch if the other attempts are not successful?
Fall back attack
Pick two benefits of SSL/TLS over the use of IPSec VPNs (Multiple answers are correct)
Fewer firewall rules required; Granular access control
Which of the following is not a core security principle?
Flexibility
Which of the following is true of IPv4 versus IPv6?
IPv4 is plaintext transmission by default
Which of the following best describes nonrepudiation?
It prevents a user from being able to deny having performed an action
What is always the most important element within a firewall rule set?
Listing inbound exceptions before outbound exceptions
What is the term for the unique address identifying hardware assigned by the manufacturer under the guidance of the FCC?
MAC address
Which of the following networks provides the most redundancy?
Mesh
Which of the following tools is a method for encapsulating IPSec ESP packets into UDP packets for passing through routers or firewalls employing NAT?
NAT-T
Which of the following tools is primarily used for network vulnerability assessments?
Netcat
Which of the following is true of network security?
Network security includes elements preventing unwanted access and action
Part of troubleshooting is identifying open ports. Which of the following tools aids in scanning if ports are open or closed?
Nmap
Which of the following is an event found in a firewall log that is a symptom of a rogue host operating within the private network?
Packets from an unassigned internal address
Which of the following is not one of the best ways to consider security from a business perspective?
Permissions
Which of the following is not a VPN best practice?
Permit split tunneling
Which of the following firewall rule guidelines is most important?
Place universal allow rules for individual systems before universal deny rules for systems in that range
When designing the authentication for VPNs and VPN users, what should you use as the primary security guideline?
Principle of least privilege
Which security strategy is based on locking the environment down so users can perform their assigned tasks, but little else?
Principle of least privilege
Which of the following is not a network security management tool or technique?
Products that won awards
Which of the following is a type of passive hub?
Punch panel
What is the first stage or step in the hacking process?
Reconnaissance
Which of the following is not a type of attack against password use?
Recursive
Which of the following is not a benefit of virtualized SSL VPN environments?
Redundant hardware installation
Which of the following is Microsoft's free remote software for Windows Server and Windows 10?
Remote desktop services
Which regulation was created to protect investors by requiring publicly traded companies to validate controls securing financial data?
Sarbanes-Oxley
What are the two most important characteristics of VPN authentication?
Scalable and Interoperable
Which feature in tunnel-mode encryption is not supported in transport-mode encryption?
The header is encrypted
Which of the following products features the ability to awaken when sent a "magic packet"?
Wake-on-LAN
Which of the following is one of the most common and easily exploited vulnerabilities on any hardware network device?
Weak default password
Which of the following is not a threat common to software and hardware VPNs?
Weak user name
Which type of communication session can be improved using caching on a firewall?
Web
Which of the following is a downside of using a workgroup for business network activities?
Workgroups do not have a central authority that controls or restricts network activity.
For what type of threat are there no current defenses?
Zero-day
Which of the following is an example of redundancy?
An uninterrupted power supply
Which of the following is commonly referred to as access control?
Authorization
Which of the following is part of a defense in depth strategy?
Avoid single points of failure
Which of the following is the term for malicious code entering the network and making a sharp turn into the secure network?
Hairpinning
Which of the following best defines security through obscurity?
Hiding the network in order to secure it
Which of the following tools is not a troubleshooting tool for firewalls?
NAT
When considering deployment of an IDS or IPS, what is the biggest problem?
False negatives
Which of the following is a type of smart hub?
Firewall
When is the reverse proxy useful?
To offer external access to an internal web server
Which of the following best describes a dynamic password token?
A device that shows a random password
Which addressing class is 192.168.32.16?
Class C
Of the following VPNs, which prevents filtering of VPN traffic?
Corporate firewall
Which of the following is not true of a logical network?
It is possible for the physical network to be a star and logical network to be a ring.
Which of the following best defines ingress filtering?
Monitoring traffic on its way into the network
Which of the following are the two distinct areas that must be protected with firewalls?
Network and transaction security
Which attack uses non-technical means to achieve results?
Social engineering
Which of the following is not part of multifactor authentication?
Something you wear
Which of the following is not a content filtering method?
Source IP address
Which of the following is the primary difference between a VPN and a LAN connection?
Speed
Which of the following best describes the concept of risk?
The likelihood that a threat will take advantage of vulnerability on the network.
Which of the following best describes the concept of hardening?
The process of securing or locking down a host through their own devices
Which of the following statements is true regarding a reverse proxy?
The reverse proxy server can act as the endpoint for a TLS tunnel
What form of encryption allows a firewall to filter based on the original source and destination address? (Assume that the firewall is located along the path between session endpoints.)
Transport mode