Final
Which of the following is considered a problem with a passive, signature-based system? profile updating signature training custom rules false positives
false positives
Which of the following is true about the steps in setting up and using an IDPS? anomaly-based systems come with a database of attack signatures sensors placed on network segments will always capture every packet alerts are sent when a packet doesn't match a stored signature false positives do not compromise network security
false positives do not compromise network security
hardware or software configured to block unauthorized access to a network
firewall
hardware devices with firewall functionality
firewall appliance
an addition to a security policy that describes how firewalls should handle application traffic, such as Web or e-mail applications
firewall policy
Which of the following is a disadvantage of using a proxy server? shields internal host IP addresses slows Web page access may require client configuration can't filter based on packet content
may require client configuration
sets of characteristics that describe network services and resources a user or group normally accesses
profiles
The period of time during which an IDPS monitors network traffic to observe what constitutes normal network behavior is referred to as which of the following? training period baseline scanning profile monitoring traffic normalizing
training period
a genuine attack detected successfully by an IDPS
true positive
Which IDPS customization option is a list of entities known to be harmless? thresholds whitelists blacklists alert settings
whitelists
Which of the following is true about a screening router? it examines the data in the packet to make filtering decisions it can stop attacks from spoofed addresses it maintains a state table to determine connection information it should be combined with a firewall for better security
it should be combined with a firewall for better security
Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power? server pooling software traffic distribution filter priority server farm load-balancing software
load-balancing software
software that prioritizes and schedules requests and then distributes them to servers in a server cluster based on each server's current load and processing power
load-balancing software
a process that uses the source and destination TCP and UDP port addresses to map traffic between internal and external hosts
many-to-one NAT
Which of the following is true about an HIDPS? monitors OS and application logs sniffs packets as they enter the network tracks misuse by external users centralized configurations affect host performance
monitors OS and application logs
Which of the following is an advantage of hardware firewalls? not scalable compared to software firewalls not dependent on a conventional OS less expensive than software firewalls easy to patch
not dependent on a conventional OS
What is an advantage of the anomaly detection method? makes use of signatures of well-known attacks system can detect attacks from inside the network by people with stolen accounts easy to understand and less difficult to configure than a signature-based system after installation, the IDPS is trained for several days or weeks
system can detect attacks from inside the network by people with stolen accounts
Which of the following is true about private IP addresses? they are assigned by the IANA they are not routable on the Internet they are targeted by attackers NAT was designed to conserve them
they are not routable on the Internet
What do you call a firewall that is connected to the Internet, the internal network, and the DMZ? multi-homed proxy three-pronged firewall three-way packet filter multi-zone host
three-pronged firewall
a firewall with separate interfaces connected to an untrusted network, a semitrusted network, and a trusted network
three-pronged firewall
Why might you want to allow extra time for setting up the database in an anomaly-based system? the installation procedure is usually complex and time consuming to add your own custom rule base it requires special hardware that must be custom built to allow a baseline of data to be compiled
to allow a baseline of data to be compiled
Which of the following best describes a bastion host? a host with two or more network interfaces a computer on the perimeter network that is highly protected a computer running a standard OS that also has proxy software installed a computer running only embedded firmware
a computer on the perimeter network that is highly protected
the ability to track an attempted attack or intrusion back to its source
accountability
Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful. True False
False
Which of the following is a sensor type that uses bandwidth throttling and alters malicious content? passive only inline only active only online only
inline only
an NIDPS sensor positioned so that all traffic on the network segment is examined as it passes through
inline sensor
an attempt to gain unauthorized access to network resources
intrusion
Why is a bastion host the system most likely to be attacked? it has weak security it contains company documents it is available to external users it contains the default administrator account
it is available to external users
an IDPS component that monitors traffic on a network segment
sensor
a group of servers connected in a subnet that work together to receive requests
server farm
Which VPN protocol is a poor choice for high-performance networks with many hosts due to vulnerabilities in MS-CHAP? SSL L2TP IPsec PPTP
PPTP
What is a suggested maximum size of a rule base? 30 rules 300 rules 10 rules 100 rules
30 rules
Which two ports should packet-filtering rules address when establishing rules for Web access? 143, 80 25, 110 80, 443 423, 88
80, 443
Which of the following is true about a dual-homed host? serves as a single point of entry to the network its main objective is to stop worms and viruses uses a single NIC to manage two network connections it is used as a remote access server in some configurations
serves as a single point of entry to the network
At what layer of the OSI model do proxy servers generally operate? Application Session Transport Network
Application
Which of the following is described as the combination of an IP address and a port number? portal subnet datagram socket
socket
the end point of a computer-to-computer connection defined by an IP address and port address
socket
a file maintained by stateful packet filters that contains a record of all current connections
state table
If you see a /16 in the header of a Snort rule, what does it mean? a maximum of 16 log entries should be kept the size of the log file is 16 MB the subnet mask is 255.255.0.0 the detected signature is 16 bits in length
the subnet mask is 255.255.0.0
filters that are similar to stateless packet filters, except that they also determine whether to allow or block packets based on information about current connections
stateful packet filters
the process of maintaining a table of current connections so that abnormal traffic can be identified
stateful protocol analysis
In what type of attack are zombies usually put to use? buffer overrun virus DDoS spoofing
DDoS
What service uses UDP port 53? SMTP DNS ICMP TFTP
DNS
Which approach to stateful protocol analysis involves detection of the protocol in use, followed by activation of analyzers that can identify applications not using standard ports? Protocol state tracking IP packet reassembly Traffic rate monitoring Dynamic Application layer protocol analysis
Dynamic Application layer protocol analysis
simple filters that determine whether to allow or block packets based on information in protocol headers
stateless packet filters
A dual-homed host has a single NIC with two MAC addresses. True False
False
Firewalls can protect against employees copying confidential data to an external disk from within the network. True False
False
Generally, connections to instant-messaging ports are harmless and should be allowed. True False
False
Proxy servers take action based only on IP header information. True False
False
Software firewalls are usually more scalable than hardware firewalls. True False
False
Stateless packet filtering keeps a record of connections that a host computer has made with other computers. True False
False
The TCP normalization feature forwards abnormal packets to an administrator for further inspection. True False
False
What type of attack are stateless packet filters particularly vulnerable to? attempts to connect to ports above 1023 attempts to connect to the firewall IP spoofing attacks attempts to connect to ports below 1023
IP spoofing attacks
Which of the following is NOT a typical IDPS component? network sensors command console database server Internet gateway
Internet gateway
Which element of a rule base conceals internal names and IP addresses from users outside the network? tracking filtering NAT QoS
NAT
Which of the following is NOT an ICMPv6 packet type that you should allow within your organization but never outside the organization? Destination unreachable Packet too big Time Exceeded Packet Redirect
Packet Redirect
What type of ICMP packet can an attacker use to send traffic to a computer they control outside the protected network? Source Quench Echo Request Destination Unreachable Redirect
Redirect
Which method for detecting certain types of attacks uses an algorithm to detect suspicious traffic, is resource intensive, and requires extensive tuning and maintenance? brute force heuristic signature anomaly
heuristic
What is the term used for a computer placed on the network perimeter that is meant to attract attackers? bastion host honeypot proxy decoy virtual server
honeypot
Which type of IDPS can have the problem of getting disparate systems to work in a coordinated fashion? inline host-based hybrid network-based
hybrid
Which of the following is NOT a network defense function found in intrusion detection and prevention systems? prevention response identification detection
identification
What are the two standard ports used by FTP along with their function? UDP 23 control, TCP 20 data UDP 20 data, TCP 21 control TCP 21 control, TCP 20 data TCP 23 data, TCP 21 control
TCP 21 control, TCP 20 data
Which of the following is NOT a protocol/port pair that should be filtered when an attempt is made to make a connection from outside the company network? TCP,80 TCP,139 UDP,138 TCP,3389
TCP,80
Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted? Teredo tunneling ICMPv6 encapsulation IPsec tunneling SMTP/S tunneling
Teredo tunneling
What is considered the 'cleanup rule' on a Cisco router? explicit allow all implicit deny all explicit prompt implicit allow
implicit deny all
A screened host has a router as part of the configuration. True False
True
Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny. True False
True
Which of the following best describes a DMZ? a network of computers configured with robust firewall software a subnet of publicly accessible servers placed outside the internal network a private subnet that is inaccessible to both the Internet and the company network a proxy server farm used to protect the identity of internal servers
a subnet of publicly accessible servers placed outside the internal network
Which of the following is true about an NIDPS versus an HIDPS? an NIDPS can determine if a host attack was successful an HIDPS can detect attacks not caught by an NIDPS an HIDPS can detect intrusion attempts on the entire network an NIDPS can compare audit log records
an HIDPS can detect attacks not caught by an NIDPS
Which of the following is NOT a primary detection methodology? signature detection baseline detection anomaly detection stateful protocol analysis
baseline detection
Which of the following is a typical drawback of a free firewall program? cannot monitor traffic in real time oversimplified configuration have centralized management more expensive than hardware firewalls
cannot monitor traffic in real time
a packet-filtering rule that comes last in a rule base and covers any packets that have not been covered by preceding rules
cleanup rule
Which of the following is an IDPS security best practice? to prevent false positives, only test the IDPS at initial configuration communication between IDPS components should be encrypted all sensors should be assigned IP addresses log files for HIDPSs should be kept local
communication between IDPS components should be encrypted
Which of the following is NOT a criterion typically used by stateless packet filters to determine whether or not to block packets? IP address ports data patterns TCP flags
data patterns
a computer configured with more than one network interface
dual-homed host
Which of the following is an advantage of a signature-based detection system? the definition of what constitutes normal traffic changes it is based on profiles the administrator creates each signature is assigned a number and name the IDPS must be trained for weeks
each signature is assigned a number and name
Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization's security policy? only authenticated traffic can access the internal network employees can use instant-messaging only with external network users the public can access the company Web servers employees can have restricted Internet access
employees can use instant-messaging only with external network users
What is a critical step you should take on the OS you choose for a bastion host? ensure all security patches are installed make sure it is the latest OS version choose an obscure OS with which attackers are unfamiliar customize the OS for bastion operation
ensure all security patches are installed
increasing an intrusion response to a higher level
escalated
the entire length of an attack
event horizon
Where is a host-based IDPS agent typically placed? on a workstation or server at Internet gateways between remote users and internal network between two subnets
on a workstation or server
Which type of NAT is typically used on devices in the DMZ? one-to-one NAT port address translation one-to-many NAT many-to-one NAT
one-to-one NAT
the process of mapping one internal IP address to one external IP address
one-to-one NAT
Where should network management systems generally be placed? out of band in the DMZ on the perimeter in the server farm
out of band
Which of the following is NOT a method used by passive sensors to monitor traffic? spanning port network tap packet filter load balancer
packet filter
an NIDPS sensor that examines copies of traffic on the network
passive sensor
Which of the following is a general practice for a rule base? begin by blocking all traffic and end by allowing selective services permit access to public servers in the DMZ allow all access to the firewall allow direct access from the Internet to computers behind the firewall
permit access to public servers in the DMZ
Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address? one-to-one NAT port address translation one-to-many NAT DMZ proxy translation
port address translation
What might a company concerned about protecting its data warehouses and employee privacy consider installing on the network perimeter to prevent direct connections between the internal network and the Internet? router VPN server ICMP monitor proxy server
proxy server
Which network device works at the Application layer by reconstructing packets and forwarding them to Web servers? Layer 7 switch translating gateway proxy server ICMP redirector
proxy server
Which type of security device can speed up Web page retrieval and shield hosts on the internal network? caching firewall proxy server caching-only DNS server DMZ intermediary
proxy server
software that forwards network packets and caches Web pages to speed up network performance
proxy server
software that forwards packets to and from the network being protected and caches Web pages to speed up network performance
proxy server
What is a step you can take to harden a bastion host? enable additional services to serve as honeypots open several ports to confuse attackers configure several extra accounts with complex passwords remove unnecessary services
remove unnecessary services
What should you consider installing if you want to inspect packets as they leave the network? security workstation RIP router filtering proxy reverse firewall
reverse firewall
a device that filters outgoing connections
reverse firewall
the collection of rules that filter traffic at an interface of a firewall
rule base
a host in which one interface is connected to an internal network and the other interface is connected to a router to an untrusted network
screened host
Which type of firewall configuration protects public servers by isolating them from the internal network? screened subnet DMZ dual-homed host screening router reverse firewall
screened subnet DMZ
a router placed between an untrusted network and an internal network
screening router
