CISSP - Telecommunications & Network Security
Use the following scenario to answer Questions 23-25. Don is a security manager of a large medical institution. One of his groups develops proprietary software that provides distributed computing through a client/server model. He has found out that some of the systems that maintain the proprietary software have been experiencing half-open denial-of-service attacks. Some of the software is antiquated and still uses basic remote procedure calls, which has allowed for masquerading attacks to take place.
23. What type of client ports should Don make sure the institution's software is using when client-to-server communication needs to take place? A. Well known B. Registered C. Dynamic D. Free
24. Which of the following is a cost-effective countermeasure that Don's team should implement? A. Stateful firewall B. Network address translation C. SYN proxy D. IPv6
25. What should Don's team put into place to stop the masquerading attacks that have been taking place? A. Dynamic packet filter firewall B. ARP spoofing protection C. Disable unnecessary ICMP traffic at edge routers D. SRPC
23. C. Well-known ports are mapped to commonly used services (HTTP, FTP, etc.). Registered ports are 1,024-49,151, and vendors register specific ports to map to their proprietary software. Dynamic ports (private ports) are available for use by any application.
24. D. Basic RPC does not have authentication capabilities, which allows for masquerading attacks to take place. Secure RPC (SRPC) can be implemented, which requires authentication to take place before remote systems can communicate with each other. Authentication can take place using shared secrets, public keys, or Kerberos tickets.
25. B. A single-attachment station (SAS) is attached to only one ring (the primary) through a concentrator. If the primary goes down, it is not connected to the backup secondary ring. A dual-attachment station (DAS) has two ports and each port provides a connection for both the primary and the secondary rings.
Use the following scenario to answer Questions 26-28. Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a training medical facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP ECHO REQUEST packets to all the hosts on a specific subnet, which is aimed at one specific server.
26. Which of the following is most likely the issue that Grace's team experienced when their systems went offline? A. Three critical systems were connected to a dual-attached station. B. Three critical systems were connected to a single-attached station. C. The secondary FDDI ring was overwhelmed with traffic and dropped the three critical systems. D. The FDDI ring is shared in a metropolitan environment and only allows each company to have a certain number of systems connected to both rings.
27. Which of the following is the best type of fiber that should be implemented in this scenario? A. Single mode B. Multimode C. Optical carrier D. SONET
28. Which of the following is the best and most cost-effective countermeasure for Grace's team to put into place? A. Network address translation B. Disallowing unnecessary ICMP traffic coming from untrusted networks C. Application-based proxy firewall D. Screened subnet using two firewalls from two different vendors.
26. B. A single-attachment station (SAS) is attached to only one ring (the primary) through a concentrator. If the primary goes down, it is not connected to the backup secondary ring. A dual-attachment station (DAS) has two ports and each port provides a connection for both the primary and the secondary rings.
27. B. In single mode, a small glass core is used for high-speed data transmission over long distances. This scenario specifies campus building-to-building connections, which are usually short distances. In multimode, a large glass core is used and is able to carry more data than single-mode fibers, though they are best for shorter distances because of their higher attenuation levels.
28. B. The attack description is a Smurf attack. In this situation the attacker sends an ICMP Echo Request packet with a spoofed source address to a victim's network broadcast address. This means that each system on the victim's subnet receives an ICMP Echo Request packet. Each system then replies to that request with an ICMP Echo Response packet to the spoofed address provided in the packets, which is the victim's address. All of these response packets go to the victim system and overwhelm it because it is being bombarded with packets it does not necessarily know how to process. Filtering out unnecessary ICMP traffic is the cheapest solution.
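The Smurf traffic pattern described in the answer to Question 28, as an added example that is not part of the original question set: a small Python model of the edge-router filter (drop ICMP Echo Requests addressed to a directed-broadcast address) together with a detection check that flags hosts receiving an unusual volume of Echo Replies. The subnets, addresses and packet records are constructed for the example and are not from the scenario.

```python
import ipaddress
from collections import Counter

ECHO_REQUEST = 8   # ICMP type 8
ECHO_REPLY = 0     # ICMP type 0

# Internal subnets the edge router/firewall protects (constructed for this example).
PROTECTED_SUBNETS = [ipaddress.ip_network("192.168.10.0/24"),
                     ipaddress.ip_network("192.168.20.0/24")]

# Constructed ICMP packet summaries, not a real capture: (src, dst, icmp_type).
# One spoofed Echo Request hits the 192.168.10.0/24 directed-broadcast address, so
# every host on that subnet answers the apparent sender, which is really the
# victim server 192.168.20.5.
SAMPLE_PACKETS = [
    ("192.168.20.5", "192.168.10.255", ECHO_REQUEST),   # spoofed source = victim
    ("192.168.10.11", "192.168.20.5", ECHO_REPLY),
    ("192.168.10.12", "192.168.20.5", ECHO_REPLY),
    ("192.168.10.13", "192.168.20.5", ECHO_REPLY),
    ("192.168.10.14", "192.168.20.5", ECHO_REPLY),
    ("192.168.10.20", "192.168.10.30", ECHO_REQUEST),   # ordinary unicast ping
    ("192.168.10.30", "192.168.10.20", ECHO_REPLY),
]


def is_directed_broadcast(dst, subnets=PROTECTED_SUBNETS):
    """True when dst is the broadcast address of one of the protected subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def edge_filter_verdict(src, dst, icmp_type, subnets=PROTECTED_SUBNETS):
    """Edge policy: Echo Requests aimed at a directed-broadcast address are dropped,
    everything else is left alone (the cheap countermeasure from the answer key)."""
    if icmp_type == ECHO_REQUEST and is_directed_broadcast(dst, subnets):
        return "drop"
    return "allow"


def apply_edge_filter(packets, subnets=PROTECTED_SUBNETS):
    """Return only the packets the edge filter would forward."""
    return [p for p in packets if edge_filter_verdict(*p, subnets=subnets) == "allow"]


def find_amplified_victims(packets, threshold=3):
    """Hosts receiving at least `threshold` Echo Replies: candidate Smurf victims.
    Run this over the unfiltered capture to see who is being flooded."""
    replies = Counter(dst for _, dst, t in packets if t == ECHO_REPLY)
    return {host: n for host, n in replies.items() if n >= threshold}


if __name__ == "__main__":
    dropped = len(SAMPLE_PACKETS) - len(apply_edge_filter(SAMPLE_PACKETS))
    print("directed-broadcast Echo Requests dropped at the edge:", dropped)
    print("hosts being flooded with Echo Replies:", find_amplified_victims(SAMPLE_PACKETS))
```

The filter stops the amplification at its source (the broadcast address), while the reply counter is the detection side: a single internal server collecting Echo Replies from many hosts on one subnet is the signature worth alerting on.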
Use the following scenario to answer Questions 29-31. John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company's knowledge. Along with this issue his team has also found out that two DNS servers had no record replication restrictions put into place and the servers have been caching suspicious name resolution data.
29. Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic? A. SNMP v3 B. L2TP C. CHAP D. Dynamic packet filtering firewall
30. Which of the following unauthorized activities have most likely been taking place in this situation? A. Domain kiting B. Phishing C. Fraggle D. Zone transfer
31. Which of the following is the best countermeasure that John's team should implement to protect from improper caching issues? A. PKI B. DHCP snooping C. ARP protection D. DNSSEC
29. A. SNMP versions 1 and 2 send their community string values in cleartext, but with version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So the sniffers that are installed on the network cannot sniff SNMP traffic.
30. D. The primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers. Attackers can carry out zone transfers to gather very useful network information from victims' DNS servers. Unauthorized zone transfers can take place if the DNS servers are not properly configured to restrict this type of activity.
31. D. When a DNS server receives an improper (potentially malicious) name resolution response, it will cache it and provide it to all the hosts it serves unless DNSSEC is implemented. If DNSSEC were enabled on a DNS server, then the server would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that the response is from an authorized DNS server.
Use the following scenario to answer Questions 32-34. Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large with useless data. He also tells Sean that the team needs to be using less permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems.
32. Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers? A. TCP sequence hijacking is taking place. B. Source routing is not restricted. C. Fragment attacks are underway. D. Attacker is tunneling communication through PPP.
33. Which of the following best describes the firewall configuration issues Sean's team member is describing? A. Clean-up rule, stealth rule B. Stealth rule, silent rule C. Silent rule, negate rule D. Stealth rule, silent rule
34. Which of the following best describes why Sean's team wants to put in the mentioned countermeasure for the most commonly attacked systems? A. Prevent production system hijacking B. Reduce DoS attack effects C. Gather statistics during the process of an attack D. Increase forensic capabilities
32. B. Source routing means the packet decides how to get to its destination, not the routers in between the source and destination computer. Source routing moves a packet throughout a network on a predetermined path. To make sure none of this misrouting happens, many firewalls are configured to check for source routing information within the packet and deny it if it is present.
33. C. The following describes the different firewall rule types:
• Silent rule: Drops "noisy" traffic without logging it. This reduces log sizes by not responding to packets that are deemed unimportant.
• Stealth rule: Disallows access to firewall software from unauthorized systems.
• Cleanup rule: The last rule in the rule base, which drops and logs any traffic that does not meet the preceding rules.
• Negate rule: Used instead of the broad and permissive "any rules." Negate rules provide tighter permission rights by specifying what system can be accessed and how.
34. B. A tarpit is commonly a piece of software configured to emulate a vulnerable, running service. Once the attackers start to send packets to this "service," the connection to the victim system seems to be live and ongoing, but the response from the victim system is slow and the connection may time out. Most attacks and scanning activities take place through automated tools that require quick responses from their victim systems. If the victim systems do not reply or are very slow to reply, the automated tools may not be successful because the protocol connection times out. This can reduce the effects of a DoS attack.
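The four rule types listed for Question 33, as an added example that is not part of the original question set: a first-match rule-base evaluator in Python that places a silent rule, a stealth rule, negate rules and a cleanup rule in order, and runs sample traffic through both the permissive "any-any" rule base the team member complains about and the tightened one. Rule names, addresses, ports and the sample traffic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "drop"
    log: bool              # whether a match is written to the firewall log


def _matches(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def evaluate(rulebase, src, dst, dport):
    """First-match evaluation, top to bottom. Returns (rule name, action, logged)."""
    for rule in rulebase:
        if _matches(rule.src, src) and _matches(rule.dst, dst) and rule.dport in (None, dport):
            return rule.name, rule.action, rule.log
    raise ValueError("no rule matched: the rule base is missing a cleanup rule")


def count_logged(rulebase, packets):
    """How many of the packets would produce a log entry under this rule base."""
    return sum(evaluate(rulebase, *p)[2] for p in packets)


FIREWALL = "10.0.0.1/32"     # constructed management address of the firewall itself
ADMIN_NET = "10.0.9.0/24"    # constructed admin subnet allowed to manage it

COMMON_HEAD = [
    # Silent rules: drop NetBIOS chatter without logging it, so it never bloats the logs.
    Rule("silent-netbios", "any", "any", 137, "drop", log=False),
    Rule("silent-netbios", "any", "any", 138, "drop", log=False),
    # Stealth rules: only the admin subnet reaches the firewall software; all else is dropped.
    Rule("admin-to-firewall", ADMIN_NET, FIREWALL, 22, "allow", log=True),
    Rule("stealth", "any", FIREWALL, None, "drop", log=True),
]

# The permissive rule base: everything not handled above falls into a broad "any-any" allow.
PERMISSIVE_RULEBASE = COMMON_HEAD + [
    Rule("any-any", "any", "any", None, "allow", log=True),
]

# Tightened rule base: negate rules name exactly which systems may be reached and how,
# and the cleanup rule at the bottom drops and logs everything that falls through.
TIGHT_RULEBASE = COMMON_HEAD + [
    Rule("negate-web", "10.0.1.0/24", "10.0.2.10/32", 443, "allow", log=True),
    Rule("negate-db", "10.0.2.10/32", "10.0.2.20/32", 5432, "allow", log=True),
    Rule("cleanup", "any", "any", None, "drop", log=True),
]

# Constructed sample traffic, not from any real log: (src, dst, dport).
SAMPLE_TRAFFIC = [
    ("10.0.1.7", "10.0.2.10", 443),       # workstation to the internal web server
    ("203.0.113.9", "10.0.2.20", 5432),   # outside host straight to the database
    ("203.0.113.9", "10.0.0.1", 22),      # outside host probing the firewall itself
    ("10.0.9.4", "10.0.0.1", 22),         # administrator managing the firewall
    ("10.0.1.8", "10.0.1.255", 137),      # NetBIOS broadcast noise
]

if __name__ == "__main__":
    for rulebase, label in ((PERMISSIVE_RULEBASE, "permissive"), (TIGHT_RULEBASE, "tightened")):
        print(label)
        for pkt in SAMPLE_TRAFFIC:
            print("  ", pkt, "->", evaluate(rulebase, *pkt))
```

The two rule bases differ only in their tail: the outside host reaching the database matches "any-any" in the permissive base but falls through to the cleanup rule in the tightened one, while the NetBIOS broadcast is dropped unlogged by the silent rule in both, which is exactly the log-volume relief the scenario asks for.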
Use the following scenario to answer Questions 35-37. Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smart phones, and other mobile devices into the network, which may be infected and have running sniffers that the owners are not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will cause too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution.
35. What should Tom's team implement to provide source authentication and data encryption at the data link level? A. IEEE 802.1AR B. IEEE 802.1AE C. IEEE 802.1AF D. IEEE 802.1X
36. Which of the following solutions is best to meet the company's need to protect wireless traffic? A. EAP-TLS B. EAP-PEAP C. LEAP D. EAP-TTLS
37. Which of the following is the best solution to meet the company's need for broadband wireless connectivity? A. WiMAX B. IEEE 802.12 C. WPA2 D. IEEE 802.15
35. D. IEEE 802.1AR provides a unique ID for a device. IEEE 802.1AE provides data encryption, integrity, and origin authentication functionality. IEEE 802.1AF carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE 802.1X EAP-TLS framework. A recent version (802.1X-2010) has integrated IEEE 802.1AE and IEEE 802.1AR to support service identification and optional point-to-point encryption.
36. D. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. EAP-TTLS is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each wireless device be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates.
37. A. IEEE 802.16 is a MAN wireless standard that allows for wireless traffic to cover a wide geographical area. This technology is also referred to as broadband wireless access. The commercial name for 802.16 is WiMAX.
Use the following scenario to answer Questions 38-40. Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. Lance has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options.
38. Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling? A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device. B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device. C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device. D. IPv6 should be disabled on all systems.
39. Which of the following is the best countermeasure for the attack type addressed in the scenario? A. DNSSEC B. IPSec C. Split server configurations D. Disabling zone transfers
40. Which of the following technologies should Lance's team investigate for increased authentication efforts? A. Challenge handshake protocol B. Simple Authentication and Security Layer C. IEEE 802.2 AB D. EAP-SSL
38. A. Teredo encapsulates IPv6 packets within UDP datagrams with IPv4 addressing. IPv6-aware systems behind the NAT device can be used as Teredo tunnel end-points even if they do not have a dedicated public IPv4 address.
39. A. DNSSEC protects DNS servers from forged DNS information, which is commonly used to carry out DNS cache poisoning attacks. If DNSSEC is implemented, then all responses that the server receives will be verified through digital signatures. This helps to ensure that an attacker cannot provide a DNS server with incorrect information, which would point the victim to a malicious web site.
40. B. Simple Authentication and Security Layer is a protocol-independent authentication framework. This means that any protocol that knows how to interact with SASL can use its various authentication mechanisms without having to actually embed the authentication mechanisms within its code.
What does it mean if someone says they were a victim of a Bluejacking attack? A. An unsolicited message was sent. B. A cell phone was cloned. C. An IM channel introduced a worm. D. Traffic was analyzed.
A. Bluejacking occurs when someone sends an unsolicited message to a device that is Bluetooth-enabled. Bluejackers look for a receiving device (phone, PDA, tablet PC, laptop) and then send a message to it. Often, the Bluejacker is trying to send someone else their business card, which will be added to the victim's contact list in their address book.
An effective method to shield networks from unauthenticated DHCP clients is through the use of _______________ on network switches. A. DHCP snooping B. DHCP protection C. DHCP shielding D. DHCP caching
A. DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems, identified by their MAC addresses. Also, advance network switches now have the capability to direct clients toward legitimate DHCP servers to get IP addresses and to restrict rogue systems from becoming DHCP servers on the network.
Why are switched infrastructures safer environments than routed networks? A. It is more difficult to sniff traffic since the computers have virtual private connections. B. They are just as unsafe as nonswitched environments. C. The data link encryption does not permit wiretapping. D. Switches are more intelligent than bridges and implement security mechanisms.
A. Switched environments use switches to allow different network segments and/or systems to communicate. When this communication takes place, a virtual connection is set up between the communicating devices. Since it is a dedicated connection, broadcast and collision data are not available to other systems, as in an environment that uses purely bridges and routers.
Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3? A. Data link, session, application, transport, and network B. Data link, transport, application, session, and network C. Network, session, application, network, and transport D. Network, transport, application, session, and presentation
A. The OSI model is made up of seven layers: application (layer 7), presentation (layer 6), session (layer 5), transport (layer 4), network (layer 3), data link (layer 2), and physical (layer 1).
The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP. A. Session Initiation Protocol B. Real-time Transport Protocol C. SS7 D. VoIP
A. The Session Initiation Protocol (SIP) is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP. The protocol can be used for creating, modifying, and terminating two-party (unicast) or multiparty (multicast) sessions consisting of one or several media streams.
What takes place at the session layer? A. Dialog control B. Routing C. Packet sequencing D. Addressing
A. The session layer is responsible for controlling how applications communicate, not how computers communicate. Not all applications use protocols that work at the session layer, so this layer is not always used in networking functions. A session layer protocol will set up the connection to the other application logically and control the dialog going back and forth. Session layer protocols allow applications to keep track of the dialog.
Which of the following allows for the ability to pool resources, automate resource provisioning, and increase and decrease processing capacity quickly to meet the needs of dynamic computing workloads? A. Software as a Service B. Network convergence C. IEEE 802.1x D. RAID
B. Network convergence means the combining of server, storage, and network capabilities into a single framework. This helps to decrease the costs and complexity of running data centers and has accelerated the evolution of cloud computing. Converged infrastructures provide the ability to pool resources, automate resource provisioning, and increase and decrease processing capacity quickly to meet the needs of dynamic computing workloads.
Which best describes the IP protocol? A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction B. A connectionless protocol that deals with the addressing and routing of packets C. A connection-oriented protocol that deals with the addressing and routing of packets D. A connection-oriented protocol that deals with sequencing, error detection, and flow control
B. The IP protocol is connectionless and works at the network layer. It adds source and destination addresses to a packet as it goes through its data encapsulation process. IP can also make routing decisions based on the destination address.
Which of the following is not one of the stages of the DHCP lease process? i. Discover ii. Offer iii. Request iv. Acknowledgment A. All of them B. None of them C. i, ii D. ii, iii
B. The four-step DHCP lease process is:
• DHCPDISCOVER message: This message is used to request an IP address lease from a DHCP server.
• DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or numerous DHCP servers.
• DHCPREQUEST message: The client sends the initial DHCP server that responded to its request a DHCP Request message.
• DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client and is the process whereby the DHCP server assigns the IP address lease to the DHCP client.
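The four-step lease exchange above, together with the DHCP snooping countermeasure from the earlier question on unauthenticated DHCP clients, as one added example that is not part of the original question set: a Python model of a client, two DHCP servers (a legitimate one on a trusted switch port and a rogue one on an ordinary access port) and a switch that forwards server-side messages (OFFER, ACK, NAK) only from trusted ports. The addresses, MAC addresses, port numbers and transaction IDs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class DhcpMessage:
    kind: str                   # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK or DHCPNAK
    xid: int                    # transaction ID chosen by the client, echoed by the server
    client_mac: str
    yiaddr: str = "0.0.0.0"     # address being offered / requested / assigned
    server_id: str = "0.0.0.0"  # which server's offer the client is accepting
    lease_seconds: int = 0


class DhcpServer:
    def __init__(self, server_ip, pool, lease_seconds=3600):
        self.server_ip = server_ip
        self.pool = list(pool)       # free addresses
        self.leases = {}             # client MAC -> assigned address
        self.lease_seconds = lease_seconds

    def handle(self, msg):
        if msg.kind == "DHCPDISCOVER":
            ip = self.leases.get(msg.client_mac) or (self.pool[0] if self.pool else None)
            if ip is None:
                return None          # pool exhausted: stay silent
            return DhcpMessage("DHCPOFFER", msg.xid, msg.client_mac, ip,
                               self.server_ip, self.lease_seconds)
        if msg.kind == "DHCPREQUEST":
            if msg.server_id != self.server_ip:
                return None          # the client accepted another server's offer
            ip = msg.yiaddr
            if ip in self.pool:
                self.pool.remove(ip)
            elif self.leases.get(msg.client_mac) != ip:
                return DhcpMessage("DHCPNAK", msg.xid, msg.client_mac, server_id=self.server_ip)
            self.leases[msg.client_mac] = ip
            return DhcpMessage("DHCPACK", msg.xid, msg.client_mac, ip,
                               self.server_ip, self.lease_seconds)
        return None


class SnoopingSwitch:
    """DHCP snooping: server-side messages are forwarded only when they arrive on a trusted port."""
    SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.dropped = []            # (port, kind) of every blocked server message

    def forward(self, port, msg):
        if msg is None:
            return None
        if msg.kind in self.SERVER_MESSAGES and port not in self.trusted:
            self.dropped.append((port, msg.kind))
            return None
        return msg


def run_lease(client_mac, xid, servers, switch):
    """DISCOVER -> OFFER -> REQUEST -> ACK for one client.
    servers: list of (switch_port, DhcpServer). Returns (assigned_ip, server_ip, transcript)."""
    transcript = ["DHCPDISCOVER"]
    discover = DhcpMessage("DHCPDISCOVER", xid, client_mac)
    offers = [switch.forward(port, srv.handle(discover)) for port, srv in servers]
    offers = [o for o in offers if o is not None and o.xid == xid]
    if not offers:
        return None, None, transcript
    chosen = offers[0]               # the client takes the first offer it hears
    transcript.append("DHCPOFFER")
    request = DhcpMessage("DHCPREQUEST", xid, client_mac, chosen.yiaddr, chosen.server_id)
    transcript.append("DHCPREQUEST")
    for port, srv in servers:        # REQUEST is broadcast, so every server learns the decision
        reply = switch.forward(port, srv.handle(request))
        if reply is not None and reply.kind == "DHCPACK":
            transcript.append("DHCPACK")
            return reply.yiaddr, reply.server_id, transcript
    return None, None, transcript


def build_servers():
    """Constructed topology: legitimate server on port 1, rogue server on access port 7.
    The rogue is listed first so that it answers first, as it might win a real race."""
    legit = DhcpServer("10.0.5.1", ["10.0.5.100", "10.0.5.101"])
    rogue = DhcpServer("10.0.5.66", ["10.0.5.250"])
    return [(7, rogue), (1, legit)]


def lease_with_snooping():
    switch = SnoopingSwitch(trusted_ports={1})
    ip, server, transcript = run_lease("aa:bb:cc:00:00:01", 0x1234, build_servers(), switch)
    return ip, server, transcript, switch.dropped


def lease_without_snooping():
    switch = SnoopingSwitch(trusted_ports={1, 7})   # every port trusted: no protection
    ip, server, _ = run_lease("aa:bb:cc:00:00:02", 0x5678, build_servers(), switch)
    return ip, server
```

With snooping enabled the rogue server's DHCPOFFER never leaves port 7, so the client completes the four-step exchange with the legitimate server; with every port trusted, the rogue's offer arrives first and the client accepts its address, which is the rogue-server problem the earlier answer says snooping exists to stop.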
Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer? A. Open relay manipulation B. VLAN hopping attack C. Hypervisor denial-of-service attack D. Smurf attack
B. VLAN hopping attacks allow attackers to gain access to traffic in various VLAN segments. An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols, and can insert itself between other VLAN devices and gain access to the traffic going back and forth. Attackers can also insert tagging values to manipulate the control of traffic at this data link layer.
Systems that are built on the OSI framework are considered open systems. What does this mean? A. They do not have authentication mechanisms configured by default. B. They have interoperability issues. C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems. D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.
C. An open system is a system that has been developed based on standardized protocols and interfaces. Following these standards allows the systems to interoperate more effectively with other systems that follow the same standards.
Which of the following proxies cannot make access decisions based upon protocol commands? A. Application B. Packet filtering C. Circuit D. Stateful
C. Application and circuit are the only types of proxy-based firewall solutions listed here. The others do not use proxies. Circuit-based proxy firewalls make decisions based on header information, not the protocol's command structure. Application-based proxies are the only ones that understand this level of granularity about the individual protocols.
Which of the following protocols work in the following layers: application, data link, network, and transport? A. FTP, ARP, TCP, and UDP B. FTP, ICMP, IP, and UDP C. TFTP, ARP, IP, and UDP D. TFTP, RARP, IP, and ICMP
C. Different protocols have different functionalities. The OSI model is an attempt to describe conceptually where these different functionalities take place in a networking stack. The model attempts to draw boxes around reality to help people better understand the stack. Each layer has a specific functionality and has several different protocols that can live at that layer and carry out that specific functionality. These listed protocols work at these associated layers: TFTP (application), ARP (data link), IP (network), and UDP (transport).
Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes? A. Network convergence B. Security as a service C. Unified Threat Management D. Integrated convergence management
C. It has become very challenging to manage the long laundry list of security solutions almost every network needs to have in place. The list includes, but is not limited to, firewalls, antimalware, antispam, IDS/IPS, content filtering, data leak prevention, VPN capabilities, and continuous monitoring and reporting. Unified Threat Management (UTM) appliance products have been developed that provide all (or many) of these functionalities into a single network appliance. The goals of UTM are simplicity, streamlined installation and maintenance, centralized control, and the ability to understand a network's security from a holistic point of view.
How does TKIP provide more protection for WLAN environments? A. It uses the AES algorithm. B. It decreases the IV size and uses the AES algorithm. C. It adds more keying material. D. It uses MAC and IP filtering.
C. The TKIP protocol actually works with WEP by feeding it keying material, which is data to be used for generating random keystreams. TKIP increases the IV size, ensures it is random for each packet, and adds the sender's MAC address to the keying material.
What takes place at the data link layer? A. End-to-end connection B. Dialog control C. Framing D. Data syntax
C. The data link layer, in most cases, is the only layer that understands the environment in which the system is working, whether it be Ethernet, Token Ring, wireless, or a connection to a WAN link. This layer adds the necessary headers and trailers to the frame. Other systems on the same type of network using the same technology understand only the specific header and trailer format used in their data link technology.
Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component? A. Orthogonal frequency division B. Unified threat management modem C. Virtual firewall D. Internet Security Association and Key Management Protocol
C. Virtual firewalls can be bridge-mode products, which monitor individual traffic links between virtual machines, or they can be integrated within the hypervisor. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the one system.
Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec? A. Authentication header protocol provides data integrity, data origin authentication, and protection from replay attacks. B. Encapsulating security payloads protocol provides confidentiality, data origin authentication, and data integrity. C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.
D. Authentication header protocol provides data integrity, data origin authentication, and protection from replay attacks. Encapsulating security payloads protocol provides confidentiality, data origin authentication, and data integrity. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. Internet Key Exchange provides authenticated keying material for use with the Internet Security Association and Key Management Protocol.
Which of the following is not a characteristic of the Protected Extensible Authentication Protocol? A. Authentication protocol used in wireless networks and point-to-point connections B. Designed to provide authentication for 802.11 WLANs C. Designed to support 802.1X port access control and transport layer security D. Designed to support password-protected connections
D. PEAP (Protected Extensible Authentication Protocol) is a version of EAP and is an authentication protocol used in wireless networks and point-to-point connections. PEAP is designed to provide authentication for 802.11 WLANs, which support 802.1X port access control and TLS. It is a protocol that encapsulates EAP within a potentially encrypted and authenticated TLS tunnel.
Which of the following protocols is considered connection-oriented? A. IP B. ICMP C. UDP D. TCP
D. TCP is the only connection-oriented protocol listed. A connection-oriented protocol provides reliable connectivity and data transmission, while a connectionless protocol provides unreliable connections and does not promise or ensure data transmission.
Which of the following is not a characteristic of the IEEE 802.11a standard? A. It works in the 5GHz range. B. It uses the OFDM spread spectrum technology. C. It provides 52 Mbps in bandwidth. D. It covers a smaller distance than 802.11b.
D. The IEEE standard 802.11a uses the OFDM spread spectrum technology, works in the 5GHz frequency band, and provides bandwidth of up to 54 Mbps. The operating range is smaller because it works at a higher frequency.
Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers? A. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks. B. The access layer connects the customer's equipment to a service provider's core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network. C. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers. D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.
D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.
Wireless LAN technologies have gone through different versions over the years to address some of the inherent security issues within the original IEEE 802.11 standard. Which of the following provides the correct characteristics of Wi-Fi Protected Access 2 (WPA2)? A. IEEE 802.1X, WEP, MAC B. IEEE 802.1X, EAP, TKIP C. IEEE 802.1X, EAP, WEP D. IEEE 802.1X, EAP, CCMP
D. Wi-Fi Protected Access 2 requires IEEE 802.1X or preshared keys for access control, EAP or preshared keys for authentication, and AES in Counter-Mode/CBC-MAC Protocol (CCMP) for encryption.