Chapter 6 - 15
A network security management best practice is to focus on the big-impact and big-result issues first. True False
True
A remote access link enables access to network resources using a wide area network (WAN) link to connect to the geographically distant network. True False
True
A virtual private network (VPN) implementation best practice is to use strong authentication. True False
True
A best practice for firewall rules is to keep the rule set as simple as possible. True False
True
A default-allow firewall stance assumes that most traffic is benign. True False
True
Effective virtual private network (VPN) policies clearly define security restrictions imposed on VPNs. True False
True
One common firewall event that usually warrants an alert is a firewall reboot. True False
True
Which of the following is insurance against data loss? Backups Firewalls Honeypots Intrusion detection system (IDS)
Backups
Side attacks against the encrypted link of a virtual private network (VPN) are nearly eliminated, while data entering or leaving the VPN is at risk. True False
True
The collection of disparate log information from systems on a network is called aggregation. True False
True
The pfSense firewall requires the host to have at least two network interface controllers (NICs). T/F
True
The universal Deny rule should be the last and final rule in a firewall rule set. True False
True
In preserving the confidentiality of users on a corporate network, which party is responsible for setting up security policies to guarantee users' privacy? Administrator Hardware engineer Infrastructure designer The Vice President of Information Services
Administrator
What is a type of assessment that judges how well an organization is accomplishing set goals or requirements? Change management Compliance auditing Digital forensics assessment Requirements assessment
Compliance auditing
The most common method of exploiting and/or bypassing a firewall is tunneling. True False
False
The pfSense firewall is a border firewall. T/F
False
The weakest link security strategy gains protection by using abnormal configurations. True False
False
While there is no single way to troubleshoot a virtual private network (VPN) issue, what is the MOST appropriate first step? Call the vendor. Answer phone calls, emails, and texts from users asking when the problem will be fixed. Identify the specific symptoms of the problem. Try the most likely solution.
Identify the specific symptoms of the problem.
Which Internet Protocol Security (IPSec) core component negotiates, creates, and manages security associations? Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) Transport Layer Security (TLS)
Internet Key Exchange (IKE)
Which of the following is a malicious remote control tool? NetBus Netcat Tor Cryptcat
NetBus
Otto is one of many employees working from home. Because his home is located in a rural area, the only form of connectivity available is dial-up. To connect to his office located in an urban community, what must the IT department set up? Cable DSL Remote access server (RAS) Virtual private network (VPN) server
Remote access server (RAS)
A virtual private network (VPN) implementation best practice is to protect the VPN server behind a firewall. True False
True
Alphonse is a network engineer who is developing his IT infrastructure's virtual private network (VPN) deployment plan. He has decided to place the VPN device between the externally facing and internally facing firewalls in the demilitarized zone (DMZ). He is determining the rule sets with which to configure both firewalls. His VPN device is a Secure Sockets Layer (SSL) VPN and he wants to use default settings. Which port should he allow the firewalls to pass traffic through? 115 194 443 500
443
Which of the following is needed when determining what firewall traffic to allow and what to block? A complete inventory of all needed or desired network communications A complete inventory of all unneeded and unwanted network communications A list of available port numbers and protocols Which type of traffic to deny only inside the network and which type to deny to enter the network from the Internet
A complete inventory of all needed or desired network communications
Which of the following can affect the confidentiality of documents stored on a server? A distributed denial of service (DDoS) attack Information about the server being accessed A server breach A denial of service (DoS) attack
A server breach
What is an encryption standard that was designed to scale upward with longer keys? Advanced Encryption Standard (AES) Triple Data Encryption Standard (3DES) Data Encryption Standard (DES) IP Multimedia Subsystem (IMS)
Advanced Encryption Standard (AES)
Torri is a network technician. She needs to configure the edge firewalls for her company's IT infrastructure. Her supervisor has told her she must find a configuration method that assumes all network traffic is safe and, as malicious traffic is identified, it is added to a list of exceptions. Which of the following configuration methods does Torri select? Allow by default/deny by exception Allow by default/allow by exception Deny by default/allow by exception Deny by default/deny by exception
Allow by default/deny by exception
Teodora is the procurement manager for her company's IT department. She is researching firewalls that come with enhancements beyond basic traffic filtering. Which of the following is considered a firewall enhancement? Anti-malware scanning IP address scanning MAC address scanning Protocol scanning
Anti-malware scanning
Diego is a network consultant. He is explaining the benefits of virtual private network (VPN) connections for remote clients to the owner of a company who wants to allow most staff to work remotely. He says that a VPN is both private and secure. What does he say is the rationale? Authentication provides privacy and security. Encryption provides privacy and security. Authentication provides privacy and encryption provides security. Encryption provides privacy and authentication provides security.
Authentication provides privacy and encryption provides security.
Which of the following is a type of virtual private network (VPN) architecture that places a firewall in front of the VPN to protect it from Internet-based attacks as well as a firewall behind the VPN to protect the internal network? Bypass Internally connected Two-factor DMZ architecture
DMZ architecture
______ is commonly exploited by many hackers because most enterprise web traffic is _________. Authentication; authenticated Encryption; encrypted Fragmentation; fragmented Encryption; tunneled
Encryption; encrypted
A virtual private network (VPN) connection ensures quality of service. True False
False
A virtual private network (VPN) replaces a firewall. True False
False
A virtual private network (VPN) server for remote access must be located in the demilitarized zone (DMZ). True False
False
All firewalls provide network perimeter security.
False
Allow-by-default automatically prevents most malicious communications by default. True False
False
Firewalking is a technique to learn the configuration of a firewall from the inside. True False
False
Hashing modifies the original data. True False
False
Hypertext Transfer Protocol Secure (HTTPS) does NOT encrypt private transactions made over the Internet.
False
In IPSec tunnel mode, only the data packet payload is encapsulated, while the packet header is left intact. True False
False
Instability is not considered a potential threat associated with software virtual private networks (VPNs). True False
False
Open-source virtual private network (VPN) solutions are usually less flexible than commercial solutions. True False
False
A malicious party has discovered the IP address of a host inside a network she wants to hack. She employs a form of port scanning, attempting to establish a connection with the host using multiple different ports. Which technique is she using? Buffer overflow Firewalking Fragmentation attack Zero-day exploit
Firewalking
Which of the following is a limitation of Internet Protocol Security (IPSec)? It is not reliable for network encryption. It does not encrypt data on client computers. It cannot be used to encrypt data packets. It is not used for virtual private networks (VPNs).
It does not encrypt data on client computers.
Which layer of the OSI model is the Data Link Layer? Layer 1 Layer 2 Layer 3 Layer 4
Layer 2
Ahmed is testing the security of his company's IT infrastructure. He is using an application that works as a network mapper, port scanner, and OS fingerprinting tool. Which of the following is he employing? Fport Netstat Nmap Wireshark
Nmap
Which operating system (OS) for a bastion host runs on most appliance firewalls as well as many Internet service provider (ISP) connection devices? Access OS General-purpose OS Proprietary OS UNIX OS
Proprietary OS
Shoshana is a network technician for a mid-sized organization. She is configuring firewall rules. She is in a firewall's graphical interface and sets a rule as TCP, 192.168.42.0/24, ANY, ANY, 443, Allow. In what order is this rule organizing protocols, source addresses, source and target ports, and actions? Protocol, source address, source port, target address, target port, action Action, target port, target address, source port, source address, protocol Source port, source address, protocol, target port, target address, action Target port, source address, source port, target address, protocol, action
Protocol, source address, source port, target address, target port, action
Remote Desktop Connection (RDC) is a built-in application that uses what proprietary protocol? Internet Key Exchange v2 (IKEv2) Layer 2 Tunneling Protocol (L2TP) Point-to-Point Tunneling Protocol (PPTP) Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP)
Leandro is writing a firewall policy. He needs to define which type of firewall he needs for each portion of the infrastructure based on differing areas of risk and trust. What are these areas called? Active Directory domains Bridges Security zones Virtual LANs (VLANs)
Security zones
Which of the following is described as an approach to network security in which each administrator is given sufficient privileges only within a limited scope of responsibility? Defense in depth Fail-safe Separation of duties Simplicity
Separation of duties
Kasim is a network technician. He is tasked with deploying a virtual private network (VPN) in his company's IT infrastructure. He wants to place the VPN device where it is directly connected to both the Internet and the internal LAN. He believes that security will not be a concern because the VPN is already encrypted point-to-point. Which of the following statements is TRUE about this configuration? A VPN has a built-in firewall and is therefore protected from Internet threats. This configuration could leave the VPN device vulnerable to social engineering. The VPN device itself is still capable of being attacked. Without a firewall, an employee on the internal LAN could use the VPN to make an insecure connection to a remote host.
The VPN device itself is still capable of being attacked.
Which of the following statements is TRUE of connections between a corporate local area network (LAN) and a remote client, such as a remote worker? The corporate LAN connection is usually a temporary or nondedicated connection to the Internet. The remote client connection is usually a dedicated link to the Internet. The corporate LAN connection is always a circuit employing Multi-Protocol Label Switching (MPLS). The remote client can have either a dedicated or a nondedicated connection to the Internet.
The remote client can have either a dedicated or a nondedicated connection to the Internet.
802.1x authentication requires connecting systems to authenticate using public key infrastructure (PKI) machine certificates. True False
True
A virtualized Secure Sockets Layer (SSL) virtual private network (VPN) provides the ability to create custom authentication methods. True False
True
RD RemoteApp is a Microsoft solution that runs on a Microsoft Remote Desktop Services (RDS) server but appears to end users as if it were actually running on their systems. True False
True
Whereas honeypots can be single systems or multiple networked systems, a honeynet is a network of honeypots. True False
True
With a cloud-based firewall, the firewall functions are performed in the cloud. True False
True
With edge routers as the virtual private network (VPN) termination point, the VPN link exists only over the public intermediary networks, not within the private LAN(s). True False
True
Bill is a network technician. He is currently configuring the infrastructure's Internet-facing firewalls. He knows that the Internet Control Message Protocol (ICMP) echo type often referred to as "ping" is used by malicious persons to probe networks. He wants to set up a rule that will deny ping attempts from outside the network. What does he deny? Type 0 Type 3 Type 8 Type 11
Type 8
All of the following protect against fragmentation attacks, EXCEPT: internal code planting. firewall filtering. intrusion detection. sender fragmentation.
internal code planting.
Brianna is an IT technician. She is studying a threat that holds the communication channel open when a TCP handshake does not conclude. What kind of attack does this involve? Denial of service (DoS) attack Hackers accessing information on a server The interception of transaction data Unauthorized persons breaching a server's document tree
Denial of service (DOS) Attack
Carl is a network technician who has been assigned to select a dedicated hardware device to act as the company's termination point for the secured virtual private network (VPN) tunnel. He chooses a device that allows the firewall to filter traffic that is exiting the VPN and moving into the local area network (LAN). It is the choice that is best suited for controlled access into the demilitarized zone (DMZ). What is the solution that he recommends? Corporate firewall Edge router Software VPN VPN appliance
Edge router
Which of the following is the most common vulnerability on any hardware device, including hardware-based virtual private networks (VPNs)? Application conflict Operating system vulnerability Default password Weak default password
Default password
In the fail-safe security stance, when any aspect of security fails, the best result of that failure is to fail into a state that supports or maintains essential security protections. True False
True
One of the primary objectives of a change control board is to ensure that all changes are properly tested. True False
True
Onion routing limits a network's vulnerability to eavesdropping and traffic analysis. True False
True
The goal of the Electronic Privacy Information Center (EPIC) is to preserve consumer privacy in the state of California.
False
The less complex a solution, the more room there is for mistakes, bugs, flaws, or oversights by security administrators. True False
False
Which of the following is an authentication method that supports smart cards, biometrics, and credit cards, and is a fully scalable architecture? TACACS RADIUS Kerberos 802.1x
802.1x
A malicious person wants to use tunneling to get through a company's firewall using a vulnerability. Micah, a network security engineer, is aware of this threat and configures the firewall to combat it. What does he do? Allow all authentication Block all authentication Allow all encryption Block all encryption
Block all encryption
The functionalities of software and hardware virtual private network (VPN) solutions are fundamentally different. True False
False
Whole hard drive encryption prevents anyone from accessing data on the drive. True False
False
You can fix a firewall's vulnerability to denial of service (DoS) flooding by upgrading the firewall or applying a patch. True False
False
Which of the following is BEST described as processes and procedures intended to help ensure that employees will follow security policies? Access controls Compliance Governance Integrity
Governance
Which of the following is a protocol that allows web servers to complete secure transactions over the Internet? Demilitarized Zone (DMZ) Hypertext Markup Language (HTML) Hypertext Transfer Protocol Secure (HTTPS) Transmission Control Protocol/Internet Protocol (TCP/IP)
Hypertext Transfer Protocol Secure (HTTPS)
Juan is a network engineer. His manager has tasked him with gathering concrete metrics on network security and operations. Juan selects the most popular performance metrics methodology. What is it? Data analytics A bandwidth utilization tool Advanced Encryption Standard (AES) Information Technology Infrastructure Library (ITIL)
Information Technology Infrastructure Library (ITIL)
Tomika is a network architect. A coworker is helping to design a more secure placement of the company's virtual private network (VPN) device. The coworker suggests that the device be placed between the Internet-facing firewall and the internal network. What is Tomika's opinion of this deployment strategy? It is a highly secure deployment and the plan should be proposed to the chief technology officer (CTO). It is somewhat secure but does not address possible security issues involving untrustworthy VPN connections. Along with the firewall, an intrusion detection system/intrusion prevention system (IDS/IPS) solution should be placed between the firewall and the VPN device. Although the firewall adds more security, it will slow down traffic to the VPN device.
It is somewhat secure but does not address possible security issues involving untrustworthy VPN connections.
Which of the following statements is TRUE of an Internet Protocol Security (IPSec) virtual private network (VPN) when compared to a Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPN? It requires client software. It is typically less expensive. It offers more client flexibility. It requires fewer firewall rules.
It requires client software.
Jahi is a security engineer for a U.S. Department of Defense contractor. He is implementing a more secure method for remote users to log into an internal system over a virtual private network (VPN). In addition to requiring a password, this method asks the user to enter a PIN texted to their mobile phone, and to use a fingerprint reader mounted to their company-issued laptop. Which method is Jahi deploying? Multifactor authentication Proximity authentication Two-factor authentication Single-factor authentication
Multifactor authentication
What is a mathematical operation that is easily performed but that is highly unlikely to reverse in a reasonable amount of time? Dead-end function One-way function Digital key function Key exchange function
One-way function
A major online retailer was recently hacked, and the secure banking data and other personal information of tens of thousands of users were stolen. Who or what is the most likely culprit? Competitor Ethical hacker Organized crime group Script kiddie
Organized crime group
Werner is a security manager for a health insurance company. He is examining the organization's compliance with patient privacy. While investigating how staff handle verbal and email communications, he discovers that some staff members are lax about how well they protect details that, when combined, might be used to reveal sensitive details about some customers. What is the focus of his concern? Authentication Domain Name System (DNS) Integrity Personally identifiable information (PII)
Personally Identifiable Information (PII)
Armand is the IT director of his organization. He is working with accounting to determine a budget for upgrading the company's virtual private network (VPN) equipment. Several options are available, and he still needs more technical assistance to make a decision. Rather than going with award-winning VPN products he has found in industry magazines and websites, which of the following is the best choice to consult for assistance in collecting information and helping to narrow his choices? Purchasing manager Reseller Marketing manager Help desk staff
Reseller
Which of the following is an encryption method that is very fast and is based on a single, shared key? Asymmetric Ciphertext Hashing Symmetric
Symmetric
A hybrid firewall combines several different functions in a single appliance. True False
True
Firewalls filter traffic using rules or filters. True False
True
What is a common security mistake made by both end users and experts? Allowing new systems to go online before they are hardened and tested Failing to keep patches current Failing to change the default password on a hardware firewall Using the same password on multiple systems
Using the same password on multiple systems
Strong encryption supports: availability. confidentiality. governance. integrity.
confidentiality
Maria is the technician on call for her company's IT department. Over the weekend she discovers a breach in the primary firewall. She is restraining further escalation of the issue, an action that is referred to as: containment. detection. eradication. recovery.
containment.
Protecting computers, hard disks, databases, and other computer equipment from unauthorized Internet access can be categorized as what kind of security area? Application Security Hardware Security Network Security Transaction Security
Network Security
Which of the following is a virtual private network (VPN) encryption encapsulation method best suited for linking individual computers together, even though it does not encrypt the original IP header? Cryptography Ciphertext Transport Tunnel
Transport
A best practice is to block any device connecting to a network that is not in compliance with the security policy. True False
True
A site-to-site virtual private network (VPN) is also known as a LAN-to-LAN VPN. True False
True
A small office/home office (SOHO) firewall may include intrusion detection. T/F
True
A virtual private network (VPN) policy helps to ensure that users understand the requirements for computing on a VPN. True False
True
A virtual private network (VPN) policy should be a part of an overall IT security policy framework to avoid duplicate or conflicting information. True False
True
A virtual private network (VPN) set up in a demilitarized zone (DMZ) has a firewall in front and behind it. True or False
True
If a remote client needs to connect directly to a local area network (LAN), such as over a dial-up connection, a remote access server (RAS) is needed to host a modem to accept the connection. True False
True
In a layered security strategy, each security mechanism addresses a single issue or a small set of issues within a specific context. True False
True
When selecting a virtual private network (VPN) solution, a best practice is to consider only solutions with proven capabilities. True False
True
Carl is a network engineer for a mid-sized company. He has been assigned the task of positioning hardware firewalls in the IT infrastructure based on common pathways of communication. After analyzing the problem, on which aspect of the network does he base his design? Wireless access points Cellular network Remote access Traffic patterns
Traffic Patterns
Tonya is a network engineer. She is developing a new security policy for her company's IT infrastructure. She understands that the heart of performing a risk assessment, which is a necessary part of policy development, is understanding assets, likelihoods, threats, and _________. admission control. network access. restrictions. vulnerabilities.
vulnerabilities
With hosted services, an Internet service provider (ISP) or a software vendor leases applications to organizations. True False
True
Before an Internet user can access a demilitarized zone (DMZ), extranet, or private network resource, it first encounters an entity that is sturdy enough to withstand any sort of attack. What is this entity called? Bastion host operating system General operating system Hardware firewall Software firewall
Bastion host operating system
Which of the following can cause a full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams? Overlapping Overwriting Packet Fragmentation Transmission unit failure
Overlapping
Fumiko is a network technician. She is configuring rules on one of her company's externally facing firewalls. Her network has a host address range of 192.168.42.140-190. She wants to allow all hosts access to a certain port except for hosts 188, 189, and 190. What rule or rules must she write? A single rule allowing hosts 140-187 is all that is necessary; the default-deny rule takes care of blocking the remaining nonincluded hosts. Multiple rules are necessary for this configuration; one or more rules must define Deny exceptions for 188, 189, and 190, followed by the Allow rule for the 140-190 range. A Deny rule is needed for 188, 189, and 190, and then exception rules for the 140-187 range. The default Deny all rule needs to be placed first in the list, and then an exception rule for the 140-187 range.
A single rule allowing hosts 140-187 is all that is necessary; the default-deny rule takes care of blocking the remaining nonincluded hosts.
Elissa is a network technician. She is configuring firewall rules for one of her company's branch offices, which supports online retail sales of the company's products. She is configuring rules to block traffic based on a traditional model but needs to allow a particular type of traffic. What should she allow? All Internet Control Message Protocol (ICMP) traffic coming from the Internet Any traffic specifically directed to the firewall All traffic from port 80 originating from the office's web server, which is in a protected subnet Inbound Transmission Control Protocol (TCP) traffic on port 53 to external Domain Name System (DNS) zone transfer requests
All traffic from port 80 originating from the office's web server, which is in a protected subnet
Microsoft Remote Assistance allows support professionals to remotely control a user's system. True False
True
Chris is a network engineer deploying a virtual private network (VPN) solution. He needs an implementation of Secure Sockets Layer/Transport Layer Security (SSL/TLS) that adds a layer of authentication to the access. What feature does he require? Advanced Encryption Standard (AES) Bidirectional authentication Identity services One-way authentication
Bidirectional authentication
Jiang is a network technician. He is programming a web server to provide clients with dynamically produced web content in real time based on several attributes that the connecting user enters. This includes any forms the user may fill out. Martha is the cybersecurity chief. She says that the technology Jiang is using could expose sensitive customer data to hackers if it were ever accessed. What web server technology is Jiang using? Common Gateway Interface (CGI ) Hypertext Transfer Protocol Secure (HTTPS) Network News Transfer Protocol (NNTP) Kernel panics
Common Gateway Interface (CGI)
Tonya is redesigning her company's network infrastructure to accommodate rapid growth. Several departments are highly specialized. Tonya needs to allow Network News Transfer Protocol (NNTP) on some, but not all, subnets. Her budget is limited. Which of the following is the best solution? Install firewalls at the demilitarized zone (DMZ) to filter packets by protocol, port, and destination subnet, and then perform port forwarding. Install firewalls at each network segment with rules to filter specific traffic for each one as required. Configure existing routers to filter NNTP packets. Configure the native firewall on each workstation to filter traffic based on the requirements for the subnet they're on.
Configure existing routers to filter NNTP packets.
Hyon is a network consultant. She was hired by a client company to examine the effectiveness of its IT infrastructure. She discovers that the company's Internet-facing firewall is not capable of automatically handling and adjusting for random source ports when a session is being established to its web and gaming servers. How should she correct this? Allow all source ports above 1023 Create a custom rule to manage random source ports Deny all source ports above 1023 Enable port forwarding
Create a custom rule to manage random source ports
What is an intrusion detection system/intrusion prevention system (IDS/IPS) that uses patterns of known malicious activity similar to how antivirus applications work? Anomaly-based detection Baseline-based detection Behavioral-based detection Database-based detection
Database-based detection
Which of the following is one of the most common and easily exploited vulnerabilities on any hardware network device? Default password Application conflicts Malware Undistributed authentication credentials
Default password
Which of the following is unlikely to support at-firewall authentication? Demilitarized zone (DMZ) firewall Authentication server Web server Virtual private network (VPN) firewall
Demilitarized zone (DMZ) firewall
Which elements do digital certificate contain that can be used to increase the reliability of authenticity and nonrepudiation? Each digital certificate host stores only the trusted private keys of the certificate authority (CA). Digital certificates use a private key pair signed by a third party. Digital certificates use a public key pair signed by a trusted third party. Digital certificates use a public key and private key pair signed by a trusted third party.
Digital certificates use a public key and private key pair signed by a trusted third party.
Hashing does not verify the integrity of messages. T/F
False
It is uncommon to leverage a virtual private network (VPN) to send sensitive information when connected to an untrustworthy network. True False
False
Which of the following is closely associated with maintaining data integrity? Redundancy Encryption Hash Nonrepudiation
Hash
In balancing competing concerns while deploying a personal virtual private network (VPN) solution, Yee values his privacy more than his anonymity. Which is he most concerned about? Having information about his network exposed Passing his username and password Revealing his credit card number Unencrypted traffic
Having information about his network exposed
Rachel is the cybersecurity engineer for a company that fulfills government contracts on Top Secret projects. She needs to find a way to send highly sensitive information by email in a way that won't arouse the suspicion of malicious parties. If she encrypts the emails, everyone will assume they contain confidential information. What is her solution? Hide messages in the company's logo within the email. Hide messages in the email's header information. Hide messages in the font of the email's text. Hide messages in the time index of the email.
Hide messages in the company's logo within the email.
What is the basic service of a reverse proxy? Hides the identity of a client connecting to the Internet Hides the identity of a web server accessed by a client over the Internet Hides the identity of subnet hosts connecting to a database server Hides the identity of hackers trying to defraud online retailers
Hides The Identity of a web server accessed by a client over the Internet
Which of the following steps helps you verify that the internal network port of a virtual private network (VPN) device is available? Open a command-line interface and use the ping command. Open a command-line interface and use an ipconfig command. Use an Internet-based tool to issue a traceroute command. Physically visit the VPN device and visually inspect the connection to the internal port.
Open a command-line interface and use the ping command.
Which of the following statements about ciphertext is TRUE? Ciphertext requires multiple redundancies to encrypt data. Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns. Ciphertext removes redundancies and recognizable patterns. Decryption converts plaintext data into ciphertext.
Properly encrypted data produces ciphertext that does not contain redundancies or recognizable patterns.
Data analytics enables you to understand what is happening on a network. True False
True
Demetrice is a network consultant. She has been hired to design security for a network that hosts 25 employees, many of whom need remote access. The client recently opened another small office in a neighboring community and wants to be able to routinely establish secure network connections between the two locations. The client often deals with customer bank information and requires a particularly secure solution. What is her response to these requirements? Intrusion detection system/intrusion prevention system (IDS/IPS) with Remote Desktop Connection support Snort intrusion detection system (IDS) Small office/home office (SOHO) virtual private network (VPN) Web proxy with content filtering and network address translation (NAT) mapping
Small office/home office (SOHO) virtual private network (VPN)
Analisa is a sales representative who travels extensively. At a trade show, Analisa uses her virtual private network (VPN) connection to simultaneously connect to the office LAN and her personal computer at home. What security risk does this pose? Chain linking Dual vectors Forking Split tunneling
Split tunneling
Lenita is a network technician. She is setting up a rule set for a firewall in her company's demilitarized zone (DMZ). For email, she creates an allow-exception rule permitting Simple Mail Transfer Protocol (SMTP) traffic on port 25 to leave the internal network for the Internet. Her supervisor examines Lenita's work and points out a possible problem. What is it? Lenita used the wrong port: SMTP uses port 21. The allow-exception rule could create a loophole threatening internal communications on the same port. Lenita should have used a deny-exception rule just prior to the Allow rule. The allow-exception rule could create a bottleneck, slowing down traffic to and from the Internet.
The allow-exception rule could create a loophole threatening internal communications on the same port.
Firewall filtering is an effective protection against fragmentation attacks. True False
True
Firewall logging helps to ensure that defined filters or rules are sufficient and functioning as expected. True False
True
In a bypass virtual private network (VPN), traffic to the VPN and from the VPN to the internal network is not firewalled. True False
True
In an N-tier deployment, multiple subnets are deployed in series to separate private resources from public. True False
True
A best practice is to define a complete firewall rule set for each prescribed firewall in a written firewall policy. True False
True
A best practice is to use strong authentication and nonrepudiation methods for all transactions over the Internet. True or False
True
A dedicated leased line is an alternative to a virtual private network (VPN) between two office locations. True False
True
A remote access virtual private network (VPN) is also known as host-to-site VPN because it supports single-host VPN connections into a LAN site. True False
True
A virtual private network (VPN) appliance can be positioned outside the corporate firewall so that all VPN traffic passes through firewall filters. True False
True
A web server between two firewalls is considered to be in a demilitarized zone (DMZ). T/F
True
An access control list (ACL) focuses on controlling a specific user's or client's access to a protocol or port. True False
True
An intrusion prevention system (IPS) does not replace an intrusion detection system (IDS). True False
True
Under the universal participation security stance, every employee, consultant, vendor, customer, business partner, and outsider must be forced to work within the security policy's limitations. True False
True
Users with the minimum level of access to resources needed to complete their assigned tasks follow the principle of least privilege. True False
True
A company vice president (VP) finds that the network security restrictions imposed by the security manager are too confining. To counter them, the VP habitually uses weak passwords, shares accounts with his assistant, and installed unapproved software. What security principle is the VP violating? Defense in diversity Fail-open Simplicity Universal participation
Universal Participation
The network infrastructure supervisor is designing a firewall placement strategy that will protect the organization's Internet-facing web and email servers and the internal network. Which design will provide the best protection? Placing the firewall between the Internet and a single network hosting both the servers and the internal network, using port forwarding to direct traffic to the servers Placing the web and email servers, configured with the latest patches and anti-malware applications, on the Internet in front of the firewall, while placing the internal network behind the firewall Using an intrusion detection system/intrusion prevention system (IDS/IPS) with edge and web servers facing the Internet, and placing the firewall behind them but ahead of the internal network Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network
Using two firewalls to create a demilitarized zone (DMZ); one firewall is placed between the Internet and the servers, the other firewall is located behind the first firewall and the servers protecting the internal network
Which of the following provides integrity protection for packet headers and data and can optionally provide replay protection and access protection? Triple Data Encryption Standard (3DES) Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Key Exchange (IKE)
Authentication Header (AH)
Arturo is troubleshooting a firewall that may have been hacked by a malicious outsider. He is under pressure and immediately tries a fix that, if it fails, will not be easy to back out of. Before he makes the attempt, his supervisor warns him of the danger. What does Arturo's supervisor say? Avoid destructive or irreversible solutions until last. Make multiple fixes all at once. Repeat the failure at the start. Update the troubleshooting log first.
Avoid destructive or irreversible solutions until last.
Wen, a network engineer for a mid-sized company, is rolling out a virtual private network (VPN) solution that is easy to set up, manage, and maintain and represents the majority of VPN platforms on the market. What type of VPN is Wen deploying? Customer premise equipment (CPE) Do it yourself (DIY) Network Policy and Access Services (NPAS) Operating system (OS)─based
Customer premise equipment (CPE)
Which term describes a technology that performs deep-content inspection within a scope defined by a central management console? IP Multimedia Subsystem (IMS) Information Technology Infrastructure Library (ITIL) Governance, risk, and compliance (GRC) Data leakage prevention (DLP)
Data leakage prevention (DLP)
The Network Layer of the Open Systems Interconnection (OSI) Reference Model is the protocol layer that transfers data between adjacent network nodes. True False
False
Nimi has deployed a new virtual private network (VPN) solution in her company's IT infrastructure. She is testing the connection to the server from a client. Which tool is the best choice for her to use? IPConfig Ping Transmission Control Protocol (TCP) User Datagram Protocol (UDP)
Ping
Lin is a disgruntled IT technician who believes she is about to be discharged from her job. While she still has access to her company's network infrastructure, she decides to reset the main firewall to its factory settings so she will know the default administrative username and password. Which of the following is the method she is MOST likely to use? She pushes the firewall power button. She uses a straightened paper clip to press the pinhole-sized reset button in the back of the firewall for 30 seconds. She remotely logs into the firewall from her work computer and hacks the reset code. She turns the power off in the server room and then turns it back on, forcing the firewall to reset.
She uses a straightened paper clip to press the pinhole-sized reset button in the back of the firewall for 30 seconds.
Availability deals with keeping information, networks, and systems secure from unauthorized access. True False
False
The Sarbanes-Oxley (SOX) Act was created to protect shareholders by requiring publicly traded companies to validate controls securing financial data. True False
False
Hacker tunneling uses two techniques. The first is to install a server component on an internal system and then have an external client make a connection. What is the second? Install a server component on an external system and then use an internal client to make the connection. Install a server component on an internal system and then have an internal client make the connection. Install a client component on an internal system and then have an external system make the connection. Install a client component on an external system and then have another external system make the connection.
Install a server component on an external system and then use an internal client to make the connection.
Oscar is deploying a virtual private network (VPN) solution for his company. The VPN needs to connect to remote servers by their Internet Protocol (IP) addresses rather than using network address translation (NAT). What type of VPN is Oscar deploying? Customer premise equipment (CPE) Hardware VPN Operating system (OS) Internet Protocol Security (IPSec)
Operating system (OS)
Aditya is a network engineer. He is deploying a special host that will attract hackers so he can capture and analyze the attacks. This specific method involves using an intrusion detection system (IDS) to detect attacks and then routing them to an environment where they can do no harm. What is this method called? Compartmentalization Honeynet Anti-forensics Padded cell
Padded cell
Jacob is a remote employee. He clicks the Start menu button in Windows and selects an application to run. Most of the time, he is unaware that he is really accessing the application on a server at his company's main office several miles away. What solution is he using? Hosted services RD RemoteApp RD Web Access SSL NAT Transversal
RD RemoteApp
The IT department of a company has just rolled out a virtual private network (VPN) solution that offers greater flexibility, delegation of management, and added security over the previous implementation. What is this solution called? Desktop virtualization Operating system virtualization Small office/home office (SOHO) virtualization Secure Sockets Layer (SSL) virtualization
Secure Sockets Layer (SSL) virtualization
What is a virtual private network (VPN) protocol that requires public key infrastructure (PKI) support to obtain and use a certificate? Internet Key Exchange v2 (IKEv2) Layer 2 Tunneling Protocol (L2TP) Point-to-Point Tunneling Protocol (PPTP) Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Secure Sockets Layer/Transport Layer Security (SSL/TLS)
Which of the following is a protocol that supports Advanced Encryption Standard (AES) with 128, 192, and 256 keys? Authentication Header (AH) RSA Secure Sockets Layer (SSL) Transport Layer Security (TLS)
Transport Layer Security (TLS)
A best practice is to perform verification scans of all deployed firewall settings to ensure their functionality. True False
True
A hacker tunneling set up using an inbound connection must "hijack" an existing open port or reconfigure the firewall to open another port for use by the tunnel. True False
True
A written policy dictates which firewall features to enable or disable. True False
True
After installing a firewall, you should always install every available patch and update from the vendor. True False
True
An intranet virtual private network (VPN) connects two or more internal networks. True False
True
Authentication Header (AH) provides integrity protection for packet headers and data, as well as user authentication. True False
True
Breaches are confirmed during the detection and analysis phase of incident response. True False
True
Delay involves slowing down an attack so that even successful breaches give defenders time to respond. True False
True
Every update, change, or alteration to any aspect of a firewall should trigger another round of firewall testing. True False
True
Extranets differ from intranets in that remote users outside of the enterprise are allowed access to resources inside the network. True False
True
Fragmentation is a supported function of Internet Protocol (IP) packets. True False
True
Governance is generally used to demonstrate to management, customers, and auditors that your information security program is operating as outlined in your policies, procedures, and practices. True False
True
How you apply Internet Protocol Security (IPSec) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) in a virtual private network (VPN) solution can affect VPN performance. True False
True
Layer 2 of the Open Systems Interconnection (OSI) Reference Model is the Data Link Layer. True False
True
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student information. True False
True
The Payment Card Industry Data Security Standard (PCI DSS) ensures the confidentiality, integrity, and availability of cardholder data and transaction-processing functions. True False
True
The Safeguards Rule within the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop and comply with a comprehensive information security policy that includes safeguards for the handling of sensitive customer information. True False
True
Carl is a student in a computer networking class who is studying virtual private network (VPN) implementations. He is learning the basics about VPNs. Which of the following statements does he find is TRUE? VPNs are primarily hardware solutions. VPNs are primarily software solutions. VPNs are both hardware and software solutions. VPNs are network address translation (NAT) solutions.
VPNs are both hardware and software solutions.
Lauren is a network technician monitoring performance on the local area network (LAN). She becomes alarmed when the network utilization reaches 95 percent for a particular time of day. How does she know what the utilization is normally like? Benchmarks Whitelists KISS Standards
Benchmarks
Which of the following is NOT an example of a vanishing network perimeter? Coffee shop Demilitarized zone (DMZ) Hotel Wi-Fi café
Demilitarized zone (DMZ)
All of the following are firewall management best practices, EXCEPT: Have a written firewall policy. Establish a philosophy of default allow rather than default deny. Establish a no-exceptions policy. Review the written firewall policy regularly.
Establish a philosophy of default allow rather than default deny.
Microsoft RD Web Access connects remote clients to internal resources over a virtual private network (VPN) connection. True False
False
Security education for users is desired, but not required, for maintaining a secure environment. True False
False
Alice is a network technician designing infrastructure security based on compartmentalization. Which of the following does she employ? Zones of access shared with departments that typically do not commonly interact Zones of access that are separated from other parts of the network by routers, switches, and firewalls Zones of access that are separated from other parts of the network by intrusion detection and prevention as well as padded cells Zones of access that do not include virtual LANs (VLANs)
Zones of access that are separated from other parts of the network by routers, switches, and firewalls
All of the following are true about data leakage prevention (DLP), EXCEPT: it identifies, monitors, and protects data in use, data in motion, and data at rest. it performs deep-content inspection. it is usually deployed at multiple locations within an environment. it cannot scan social media accounts.
it cannot scan social media accounts.
A customer premise equipment (CPE)-based virtual private network (VPN) is a VPN appliance. True False
True
Depending on the location of a virtual private network's (VPN's) endpoints, the topology may affect performance. True False
True
Detection involves watching for attempts to breach security and being able to respond promptly. True False
True
Internet Protocol Security (IPSec) has three major components: Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). True False
True
Felicia is a network engineer deploying a virtual private network (VPN) solution. The VPN operates using Secure Shell (SSH). When asked by a new help desk tech about which layer of the OSI model it employs, how does Felicia answer? 2 3 5 7
7
________ is the concept that data is subject to the laws of a country in which it is stored, and is becoming a challenge for businesses as their operations move to the cloud. Governance, risk, and compliance The Internet of Things Data sovereignty Data leakage prevention
Data sovereignty
An exploit called "overlapping" can cause the full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams. An overrun attack can create excessively large datagrams and, with other types of fragmentation attacks, can result in: Denial of service. File server crashing. Packet overflow. Payload override.
Denial of service.
Which of the following is a security state that reverts to a state of being unavailable or locked? Fail-secure Fail-open Fail-close Fail-restrict
Fail-close
Delay is the use of security to convince a potential attacker that the efforts to compromise a system are not worth it. True False
False
Remote Desktop Connection (RDC) is a built-in application that uses Remote Desktop Protocol (RDP). True False
True
Some firewalls can be partitioned into multiple virtual firewalls, each with its own security policy, interfaces, and configuration. True False
True
The Secure Shell (SSH) protocol is a method for secure remote login and other secure network services over a public network. True False
True
The higher the encryption level of a virtual private network (VPN) connection, the greater the impact on the memory and processor of the endpoint devices. True False
True
The performance characteristics associated with an Internet Protocol Security (IPSec) virtual private network (VPN) can be very different from a Secure Sockets Layer (SSL) VPN implementation. True False
True