TestOut Domain 2 study guide


You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use?

Anomaly-based IDS Ex: An anomaly-based intrusion detection system (IDS) can recognize and respond to some unknown attacks. Signature recognition, also referred to as pattern matching or dictionary recognition, looks for patterns in network traffic and compares them to known attack patterns called signatures. Signature-based recognition cannot detect unknown attacks. This system can only detect attacks identified by published signature files. Antivirus software is a form of signature-based IDS. A network-based firewall filters packets for a network, while a host-based firewall filters packets for a host. Firewalls are typically configured using access control lists that identify specific traffic as allowed or denied.

Which IDS method defines a baseline of normal network traffic and then looks for anything that falls outside of that baseline?

Anomaly-Based Ex: Anomaly-based detection defines a baseline of normal network traffic and then looks for anything that falls outside of that baseline. Dictionary recognition is a detection method. However, this method does not define a baseline of normal network traffic and then look for anything that falls outside of that baseline. Pattern matching is a detection method. However, this method does not define a baseline of normal network traffic and then look for anything that falls outside of that baseline. Misuse detection is a detection method. However, this method does not define a baseline of normal network traffic and then look for anything that falls outside of that baseline.

What is the most common form of a host-based IDS? (Hint: it employs signature matching detection methods.)

Antivirus software Ex: Antivirus software that uses signature matching is the most commonly deployed form of a host-based IDS.

What do host-based intrusion detection systems often rely on to perform detection activities?

Auditing capabilities Ex: A host-based IDS often relies on the host system's auditing capabilities to perform detection activities. A host-based IDS uses the local system's logs to search for attacks or intrusion activities. Host-based IDSs do not analyze network traffic, use external sensors, or rely on remote monitoring tools.

What does an IDS that uses signature recognition employ to identify attacks?

Comparisons to known attack patterns Ex: Signature recognition (also referred to as pattern matching, dictionary recognition, or misuse detection) looks for patterns in network traffic and compares them to known attack patterns called signatures. Anomaly recognition (also referred to as behavioral, heuristic, or statistical recognition) monitors traffic to define a standard activity pattern as normal functionality. Clipping levels or thresholds are defined to identify deviations from that norm. When the threshold is reached, the system generates an alert or takes an action. Anomaly-based systems can recognize and respond to some unknown attacks (attacks that do not have a corresponding signature file).

What does the ip address dhcp command allow you to do?

Configure a switch to obtain an IP address from a DHCP server. Ex: You can use the ip address dhcp command to configure a switch or router to get its IP address from a DHCP server. You can configure the DHCP server to deliver the default gateway and DNS server addresses to a Cisco device as well. A manually configured default gateway address overrides any address received from the DHCP server.

You have a website that uses multiple servers for different types of transactions. For example, one server is responsible for static web content, while another is responsible for secure transactions. You would like to implement a device to speed up access to your web content. The device should be able to distribute requests between the various web servers using specialized hardware, not just software configurations. In addition, SSL sessions should use the hardware components in the device to cr

Content Switch Ex: Use a content switch to perform these functions. Switches use specialized hardware modules to perform common tasks. For example, you can have a switch with a special hardware module that's used for SSL connections. Using the hardware module in a specialized switch is faster than using the CPU or software in another device. A bandwidth shaper (also called a traffic shaper) is a device that's capable of modifying the flow of data through a network. This happens in response to network traffic conditions. A proxy server is a server that sits between a client and a destination device and can be configured to filter requests based on URL. However, a proxy server uses software and not hardware to perform these tasks. A circuit-level gateway uses the session information to make filtering decisions for allowed or denied traffic.

Which OSI model layer is a switch associated with?

Data Link Ex: Switches are associated with the Data Link layer of the OSI model. Switches examine the device address within a packet and forward messages directly to that device.

Your company purchased a new bridge that filters packets based on the destination computer's MAC address. Which layer of the OSI model is this device functioning at?

Data Link Ex: The bridge in this scenario is operating at the Data Link layer.

Which of the following BEST describes the concept of a VLAN?

Devices on the same network logically grouped as if they were on separate networks. Ex: A VLAN is created by identifying a subset of devices on the same network and logically identifying them as if they were on separate networks. Think of a VLAN as a subdivision of a LAN.

Which IDS traffic assessment indicates that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic? False positive False negative Positive Negative

False Positive

You have configured a network-based intrusion detection system (NIDS) to monitor network traffic. Which of the following describes harmless traffic that has been identified as a potential attack by the NIDS device?

False Positive

You are the administrator for your company's network. You want to prevent unauthorized access to your intranet from the internet. Which of the following should you implement?

Firewall Ex: A firewall allows you to filter unwanted traffic from the internet to your network. Packet Internet Groper is better known by its acronym, PING. It is a TCP/IP command. A proxy server caches web pages. ICS (internet connection sharing) allows you to connect a small network to the internet through a single connection.

Which of the following is the best device to deploy if you want to protect your private network from a public untrusted network? Gateway Firewall Hub Router

Firewall Ex: A firewall is the best device to deploy if you want to protect your private network from a public untrusted network. Firewalls are used to control traffic entering and leaving your trusted network environment. Firewalls can manage traffic based on source or destination IP address, port number, service protocol, application or service type, user account, and even traffic content. Routers offer some packet-based access control, but it is not as extensive as what a full-fledged firewall provides. Hubs and gateways are not sufficient for managing the interface between a trusted and an untrusted network.

You are the network administrator for a small organization. Recently, you contracted with an ISP to connect your organization's network to the internet. Since doing so, it has come to your attention that an intruder has invaded your network from the internet on three separate occasions. Which type of network hardware should you implement to prevent this from happening again?

Firewall Ex: A firewall's role is to provide a barrier between an organization's network and a public network, such as the internet. The firewall's job is to prevent unauthorized access to the organization's private network. To do this, the firewall examines incoming packets and determines whether they should be allowed to enter based on a set of rules defined by the network administrator. Routers offer some packet-based access control, but it is not as extensive as what a full-fledged firewall provides. Hubs are not sufficient for managing the interface between a trusted and an untrusted network. Switches use the MAC address in a frame for forwarding decisions.

Which of the following is a device that can send and receive data simultaneously?

Full-duplex Ex: A full-duplex device can send and receive data simultaneously. A honeypot is a security system used to decoy attackers. A managed device is a network device that can receive instructions and return responses to various components. An unmanaged switch is a simple plug-and-play device that needs no configuration to work.

As a security precaution, you've implemented IPsec to work between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement?

Host-Based IDS Ex: A host-based IDS is installed on a single host and monitors all traffic coming into the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it's received. A network-based IDS is a dedicated device installed on the network. It analyzes all traffic on the network. It cannot analyze encrypted traffic because the packet's contents are encrypted so that only the recipient can read them. A protocol analyzer examines packets on the network, but it cannot look at the contents of encrypted packets. A port scanner probes a device to identify open protocol ports. A VPN concentrator is a device used to establish remote access VPN connections.

Which of the following devices does not segment the network?

Hub

Which of the following devices can monitor a network and detect potential security attacks? IDS DNS server CSU/DSU Proxy

IDS Ex: An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A proxy server is a type of firewall that can filter based on upper-layer data. A CSU/DSU is a device that converts the signal received from the WAN provider into a signal that can be used by equipment at the customer's site. A DNS server provides IP address-to-hostname resolution.

Which of the following is true about an unmanaged switch?

It can connect to all devices in a small area. Ex: An unmanaged switch is faster and more economical than a managed switch and can connect all devices within a small area, like a home or small office. Managed switches allow VLAN creation for segmentation; unmanaged switches do not. Managed switches support link aggregation; unmanaged switches do not. Managed switches allow port configuration; unmanaged switches do not.

At which OSI model layer does a media converter operate?

Layer 1 Ex: A media converter operates at Layer 1 of the OSI model, which is the Physical layer. The media converter translates frames into bits and transmits them on the transmission medium. At Layer 2, the MAC address is added to make the data into a frame. At Layer 3, the IP address is added to the packet. At Layer 4, the port and socket number are assigned.

On your network, you have a VLAN for the sales staff and a VLAN for the production staff. Both need to be able to communicate over the network. Which of the following devices would work BEST for communication between VLANs?

Layer 3 Ex: A Layer 3 switch can route between VLANs. A load balancer is a network device that distributes incoming HTTP requests. It does not route between VLANs. A Layer 2 switch cannot route between VLANs. A repeater is a network device that boosts, or forwards, wireless signals from the router to cover a larger area.

At which OSI layer does a router operate to forward network messages?

Layer 3 (Network) Ex: A router uses the logical network address specified at the Network layer to forward messages to the appropriate LAN segment. A bridge, on the other hand, uses the MAC address and works at the Data Link layer.

Which of the following OSI layers does a router operate at?

Layer 3 (network)

As a network administrator, you have 10 VLANs on your network that need to communicate with each other. Which of the following network devices is the BEST choice for allowing communication between 10 VLANs?

Layer 3 switch Ex: A Layer 3 switch is the best network device to provide communication between 10 VLANs. Providing communication between VLANs is one of the most important functions of this type of switch. A repeater is a network device that boosts, or forwards, wireless signals from the router to cover a larger area. A load balancer is a network device that distributes incoming HTTP requests. A Layer 2 switch cannot perform inter-VLAN routing.

Which of the following describes a false positive when using an IPS device? The source address matching the destination address. Legitimate traffic being flagged as malicious. The source address identifying a non-existent host. Malicious traffic not being identified. Malicious traffic masquerading as legitimate traffic.

Legitimate traffic being flagged as malicious. Ex: On an intrusion prevention system (IPS), a positive match occurs when traffic matches the signature that identifies malicious traffic. A false positive occurs when legitimate traffic is identified as malicious traffic. This situation is undesirable, as it often results in legitimate traffic being rejected. Good IPS signature files result in low false positive rates. A false negative occurs when malicious traffic is not identified and is allowed to pass through. Spoofing is the technique of falsifying a packet's source address.

You have a server that has a 100BaseFX network interface card you need to connect to a switch. The switch only has 100BaseTX switch ports. Which device should you use?

Media Converter Ex: Use a media converter to convert from one media type to another within the same architecture. Use a bridge to connect two devices that use different network architectures. For example, you can use a bridge to connect a wired network to wireless clients. A hub or repeater connects devices using the same media type.

You are configuring a switch so that you can manage it using PuTTY from the same network segment. On the switch, you enter the following commands:

switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address 192.168.1.10 255.255.255.0

Will this configuration work?

No. The no shutdown command needs to be entered. Ex: By default, the Vlan1 interface is set to administratively down, preventing remote access. Use the following commands to configure the switch's IP address and allow remote management:

switch#config terminal
switch(config)#interface vlan 1
switch(config-if)#ip address 192.168.1.10 255.255.255.0
switch(config-if)#no shutdown

Because the switch is being accessed from the same network segment, the ip default-gateway command doesn't need to be used. The ip address dhcp command only allows the switch to obtain an IP address using DHCP.

Which IDS type can alert you to trespassers?

PIDS Ex: A PIDS (perimeter intrusion detection system) can alert you to physical trespassers. VMIDS, NIDS, and HIDS are IDS types. However, they cannot alert you to physical trespassers.

At which layer of the OSI model do hubs operate?

Physical Layer 1

Which of the following hardware devices regenerate a signal out of all connected ports without examining the frame or packet contents? (Select two.)

Repeater and Hub. Ex: A hub and a repeater send received signals out of all other ports. These devices do not examine the frame or packet contents. Switches and bridges use the MAC address in a frame for forwarding decisions. A router uses the IP address in a packet for forwarding decisions.

Which of the following hardware devices links multiple networks and directs traffic between networks?

Router Ex: A router is a device that links multiple networks and directs traffic between networks. Each network linked by routers has its own unique identifier called the network number or network address. A hub and a repeater send received signals out all other ports. These devices do not examine the frame or the packet contents. Bridges learn addresses by copying the MAC address of the source device and placing it into the MAC address table.

An eight-port switch receives a frame on port number 1. The frame is addressed to an unknown device. What will the switch do?

Send the frame out ports two through eight.

Which IDS method looks for patterns in network traffic and compares them to a database of known threats?

Signature-based Ex: Signature-based detection looks for patterns in network traffic and compares them to a database of known threats. Anomaly-based detection (also referred to as heuristic, behavioral-based, or statistical-based detection) does not compare traffic to a database of known threats.

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? Stateful inspection-based IDS Signature-based IDS Anomaly analysis-based IDS Heuristics-based IDS

Signature-based IDS Ex: A signature-based IDS, or pattern matching-based IDS, is a detection system that searches for intrusion or attack attempts by recognizing patterns that are listed in a database. A heuristics-based IDS is able to perform some level of intelligent statistical analysis of traffic to detect attacks. Anomaly analysis-based IDSs look for changes in the normal patterns of traffic. Stateful inspection-based IDSs search for attacks by inspecting packet contents and associating one packet with another. These searches look for attacks in overall data streams rather than individual packets.

Which of the following connectivity hardware is used to create a VLAN?

Specialized switches are used to create virtual LANs (VLANs). The switch must be capable of appending and reading VLAN IDs.

In which type of device is a MAC address table stored?

Switch Ex: A Layer 2 switch stores MAC addresses in a table, which the switch uses to know where to forward frames. A router is a Layer 3 device and stores ARP tables, not MAC address tables. A hub cannot learn or store MAC addresses. They are Layer 1 devices. A repeater is a Layer 1 device that boosts a signal by electrically amplifying it. A repeater does not store MAC address tables.

Which of the following devices is used to create a physical star topology?

Switch Ex: A physical star topology uses a switch or a hub. Routers connect multiple subnets together. A firewall is a router that filters packets or other network communications. Use a bridge to connect two devices that use different network architectures.

Which of the following is a communication device that connects other network devices through cables and receives and forwards data to a specified destination within a LAN?

Switch Ex: A switch is a communication device that connects other network devices through cables and receives and forwards data to a specified destination within a LAN. A router is a communication device that connects computer networks and receives and forwards data through the internet. A hub is a communication device that connects other devices on a network, but hubs broadcast all incoming data to all active ports. An access point is a network connector that provides wireless signals for other devices.

Which of the following can you use to create a virtual LAN?

Switch Ex: Use a switch to create virtual LANs (VLANs). You can assign the various switch ports to a specific VLAN and create logically distinct networks on the same physical network topology. Routers, gateways, and hubs are common network devices, but they do not support the creation of VLANs.

Which of the following describes the worst possible action by an IDS? The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. The system detected a valid attack and the appropriate alarms and notifications were generated. The system correctly deemed harmless traffic as inoffensive and let it pass. The system identified harmless traffic as offensive and generated an alarm.

The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. Ex: The worst possible action an IDS can perform is identifying harmful traffic as harmless and allowing it to pass without generating any alerts. This condition is known as a false negative. Positive traffic assessment means that the system detected a valid attack and the appropriate alarms and notifications were generated. Negative traffic assessment means that the system correctly deemed harmless traffic as inoffensive and let it pass. False positive traffic assessment means that the system identified harmless traffic as offensive and triggered an alarm.

A recent review of employee web activity shows an increase in traffic to social media sites. Which feature would you configure on your UTM appliance to block access to these sites?

URL Filter Ex: A URL filter blocks access to social media sites based on their URLs. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. Phishing and malware inspection reviews data that passes through the UTM (Unified Threat Management) but do not block site access.

Which of the following combines several layers of security services and network functions into one piece of hardware? Firewall Unified Threat Management (UTM) Intrusion detection system (IDS) Circuit-level gateway

UTM Ex: A Unified Threat Management (UTM) appliance combines several layers of security services and network functions into one piece of hardware. An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A circuit-level gateway makes decisions about which traffic to allow based on virtual circuits or sessions. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules.

You've just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis?

Update the signature files Ex: Signature recognition (also referred to as pattern matching, dictionary recognition, or misuse detection) looks for patterns in network traffic and compares them to known attack patterns called signatures. Signature-based recognition cannot detect unknown attacks. It can only detect attacks identified by published signature files. For this reason, it's important to update signature files on a regular basis. Anomaly recognition (also referred to as behavioral, heuristic, or statistical recognition) monitors traffic to define a standard activity pattern as normal functionality. Clipping levels or thresholds identify deviations from that norm. When the threshold is reached, the system generates an alert or takes an action.

You run a small network for your business that has a single router connected to the internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer. What should you use in this situation?

VLAN Ex: You should define virtual LANs (VLANs) on the switch. With a VLAN, a switch port is associated with a VLAN, and only devices connected to ports that are members of the same VLAN can communicate with each other. You can use routers to allow communication between VLANs if necessary. Use a virtual private network (VPN) to connect two hosts securely through an unsecure network (such as the internet). VPN tunneling protocols protect data as it travels through the unsecure network. Spanning Tree is a switch feature that allows redundant paths between switches. Port security is a method of requiring authentication before a network connection is allowed.

How do switches and bridges learn where devices are located on a network?

When a frame enters a port, the source MAC address is copied from the frame header. Ex: Bridges and switches learn addresses by copying the MAC address of the source device and placing it into the MAC address table. The port number that the frame entered is also recorded in the table and associated with the source MAC address. The switch or the bridge cannot record the destination MAC address because it does not know the port that is used to reach the destination device.

Which command would you use on a switch to enable management from a remote network?

ip default-gateway 192.168.10.185 Ex: To enable management from a remote network, configure the default gateway. To do so, use the following command in global configuration mode:

switch(config)#ip default-gateway IP_address
