IS3220 CHAPTER 7

Question 1

Mechanism defining traffic or an event to apply an authorization control of allow or deny against is called ___?
Often used interchangeably with the terms rule and filter in relation to firewalls.

Answer 1

ACCESS CONTROL LIST (ACL)

Question 2

A notification from a firewall that a specific event or packet was detected is called ___?
These notify administrators of events that may need real-time human response or attention.

Answer 2

ALERT

Question 3

A security stance that allows all communications except those prohibited by specific deny exceptions is called ___? AKA default allow.

Answer 3

ALLOW BY DEFAULT

Question 4

A form of Intrusion Detection System/Intrusion Prevention System (IDS/IPS) detection based on a defined normal, often defined using rules similar to firewall rules is called ___?
All traffic or events that fail to match defined normal are considered anomalies and potentially malicious.

Answer 4

ANOMALY-BASED DETECTION

Question 5

A form of IDS/IPS detection based on a recording of real-world traffic as a baseline for normal is called ___?
All traffic or events that fail to match the normal baselines are considered abnormal and potentially malicious.

Answer 5

BEHAVIORAL-BASED DETECTION

Question 6

____ by a proxy server is the retention of Internet content. Various internal clients may access this content and provide it to subsequent requesters without the need to retrieve the same content from the Internet repeatedly.

Answer 6

CACHING

Question 7

This mechanism is used to create a redundant copy of all log files in a single warehousing location is called ___?
A technique of storing or copying log events. One common example of this is syslog.

Answer 7

CENTRALIZED LOGGING SYSTEM

Question 8

A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events is called ___?
All traffic or events that match an item in the database is considered abnormal and potentially malicious. AKA signature, knowledge, and pattern-matching based detection.

Answer 8

DATABASE-BASED DETECTION

Question 9

A security stance that allows all communications except those prohibited by specific deny exceptions and is called ___?

Answer 9

DEFAULT ALLOW

Question 10

A security stance that prevents all communications except those enabled by specific allow exceptions is called ___?

Answer 10

DENY BY DEFAULT

Question 11

A technique of load balancing that operates by sending the next transaction to the firewall with the least current workload is called ___?

Answer 11

FAIR QUEUING

Question 12

An event that does not trigger an alarm but should have, due to the traffic or event actually being abnormal and/or malicious is called ___?
This is the unwanted non-detection of a malicious event.

Answer 12

FALSE NEGATIVE

Question 13

An event that triggers an alarm but should not have, due to the traffic or event actually being benign is called ___? This is the unwanted false alarm that wastes time and resources pursuing a non-malicious event.

Answer 13

FALSE POSITIVE

Question 14

A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic is called ___?
This expresses the intention to block or deny unwanted items of concern. AKA a rule or ACL.

Answer 14

FILTERS

Question 15

A hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic is called ___?

Answer 15

FIREWALKING

Question 16

A networking mechanism to hand off or pass off the task of authentication to a third-party dedicated authentication system is called ___?
AKA port authentication, portal authentication, or port-based network access (admission) control (PNAC).

Answer 16

IEEE 802.1x

Question 17

A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events is called ___?
All traffic or events that match an item in the database is considered abnormal and potentially malicious. AKA signature, database, and pattern-matching-based detection.

Answer 17

KNOWLEDGE BASED DETECTION

Question 18

A network traffic management technique to spread the workload or traffic levels across multiple devices to maintain availability is called ___?

Answer 18

LOAD BALANCING

Question 19

The command line or graphical interface used to control and configure a device is called ___?
Often accessible through a console (CON) port on the device or through a logical interface across the network.

Answer 19

MANAGEMENT INTERFACE

Question 20

Used on individual network access devices, such as firewalls, VPN gateways, and wireless routers, to offload authentication to a dedicated authentication server/service is called ___?
Only after valid authentication are communications with or across the network device allowed.

Answer 20

PORT-BASED NETWORK ACCESS (ADMISSION) CONTROL (PNAC)

Question 21

A form of load balancing which hands out tasks in a repeating non-priority sequence is called ___?

Answer 21

ROUND ROBIN

Question 22

The list of rules on a firewall (or router or switch) that determine what traffic is and is not allowed to cross the filtering device is called ___?
Most employ a first-match-apply-action process.

Answer 22

RULE SETS

Question 23

A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more action(s) to take when the item of concern appears in traffic is called ___? AKA a filter or ACL.

Answer 23

RULE(S)

Question 24

A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events is called ___?
All traffic or events that match an item in the database is considered abnormal and potentially malicious. AKA database, knowledge, and pattern-matching-based detection.

Answer 24

SIGNATURE-BASED DETECTION

Question 25

The deployment of firewall as an all-encompassing primary gateway security solution is called ___? The idea behind this is a single device can be designed to perform firewall filtering, IPS, antivirus scanning, anti-spam filtering, VPN end-point hosting, content filtering, load-balancing, detailed logging, and potentially other security services, performance enhancements, or extended capabilities.

Answer 25

UNIFIED THREAT MANAGEMENT (UTM)

Question 26

The maximum communication or transmission capability of a network segment is called ___? Often used to describe a network device's ability to perform tasks on traffic, while being able to maintain overall network transmission speeds without introducing delay, lag or latency.

Answer 26

WIRESPEED

Question 27

A form of storage device that can be written to once, but once written cannot be electronically altered is called ___?

Answer 27

WRITE-ONCE READ-MANY (WORM)

Question 28

1. Which of the following is a firewall rule that prevents internal users from accessing public FTP sites? 1. TCP ANY ANY ANY FTP Deny 2. TCP 192.168.42.0/24 ANY ANY 21 Deny 3. TCP 21 192.168.42.0/24 ANY ANY Deny 4. TCP ANY ANY 192.168.42.0/24 ANY Deny 5. TCP FTP ANY ANY Deny

Answer 28

TCP 192.168.42.0/24 ANY ANY 21 Deny

Question 29

2. Which of the following is a default deny rule? 1. TCP ANY ANY ANY ANY Deny 2. TCP 192.168.42.0/24 ANY ANY ANY Deny 3. TCP ANY 192.168.42.0/24 ANY ANY Deny 4. TCP ANY ANY 192.168.42.0/24 ANY Deny 5. DENY TCP ANY ANY ANY ANY

Answer 29

TCP ANY ANY ANY ANY Deny

Question 30

3. The default deny rule appears where in the rule set? 1. First 2. After any explicit allows 3. Anywhere 4. Last 5. After any explicit denies

Answer 30

Last

Question 31

4. What mechanism allows a firewall to hand off authentication to a dedicated service hosted on a different system? 1. IEEE 802.11 2. RFC 1918 3. IEEE 802.1x 4. RFC 1492 5. IEE 802.3

Answer 31

IEEE 802.1x

Question 32

5. When an organization first deploys a firewall and chooses to begin logging activity, what should you include in the log file? 1. Only malicious traffic 2. Only DoS traffic 3. Only dropped packets 4. Only allowed packets 5. All events

Answer 32

All events

Question 33

6. You can use firewall logging to perform all of the following activities EXCEPT: 1. Discover new methods or techniques of attack 2. Create a historical record of activity used for traffic and trend analysis 3. Track usage levels and times for load balancing 4. Stop intrusions 5. Create legally admissible evidence for use in prosecution

Answer 33

Stop intrusions

Question 34

7. All the following events appearing in a firewall log warrant investigation by an administrator EXCEPT: 1. Firewall host reboot 2. A connection attempt to the firewall host 3. Detection of an attack attempt 4. Inbound packets with spoofed internal source addresses 5. An internal user accessing a public Web site

Answer 34

An internal user accessing a public Web site

Question 35

8. Which of the following is a highly recommended method or technique for keeping firewall logs secure and uncorrupted? 1. Storing then in binary form 2. Using 15,000 RPM hard drives 3. Recording only important events 4. Centralized logging 5. Using timestamps

Answer 35

Centralized logging

Question 36

9. Which of the following is an event found in a firewall log file that is a symptom of a rogue host operating within the private network? 1. Packets from a known malicious address 2. Packets from an unassigned internal address 3. Packets to an unknown port on an internal host 4. Packet in a serial grouping that attempt to access a sequential sequence of ports 5. Packets in a very large grouping that are all exactly the same directed toward a single target

Answer 36

Packets from an unassigned internal address

Question 37

10. What is the biggest issue or problem with an IDS? 1. False positive 2. Failing to operate at wirespeed 3. False negative 4. Keeping the pattern database current 5. Using anomaly detection

Answer 37

False negative

Question 38

11. Which of the following is NOT a limitation or potential weakness of a firewall? 1. Firewalking 2. Software bugs or flaws 3. Using first match apply rule systems 4. Fragmentation attacks 5. Internal code connecting to an external service

Answer 38

Using first match apply rule systems

Question 39

12. When a firewall is able to process packets, filtering malicious code, and transmit authorized communications onward to their destination without introducing latency or lag, this is known as operating at ___.

Answer 39

wirespeed

Question 40

13. Which of the following is NOT related to improving or maintaining performing of a firewall? 1. Native antivirus scanning 2. Round-robin task assignment 3. Caching 4. Fair queuing session management 5. Load balancing

Answer 40

Native antivirus scanning

Question 41

14. What form of encryption allows a firewall to filter based on original source and destination address (assume the firewall is located along the path between session endpoints)? 1. Tunnel mode 2. VPN remote access encryption 3. Transport mode 4. VPN LAN to LAN encryption 5. Header encryption

Answer 41

Transport mode

Question 42

15. What type of communication session can be performance improved using caching on a firewall? 1. Instant messaging 2. Remote access 3. Email 4. Time synchronization 5. Web

Answer 42

Web

Question 43

16. Which of the following limitations or potential weaknesses of a firewall cannot be fixed or corrected wit the application of an update or patch? 1. Programming bug or flaw 2. Firewalking 3. Buffer overflow vulnerability 4. Fragmentation 5. Denial of service due to traffic from external sources

Answer 43

Denial of service due to traffic from external sources

Question 44

17. What is the primary factor used to distinguish a great firewall enhancement from a marketing gimmick used to drive up sales? 1. Does the enhanced firewall cost the same or less than separate products 2. Does the enhancement affect the operating speed of the firewall 3. Does the enhancement operate as good as or better than the original firewall 4. Does the enhancement require the purchase of a new firewall, or can it be added to existing products already deployed 5. Does the enhancement have a reoccurring license or subscription fee

Answer 44

Does the enhancement operate as good as or better than the original firewall

Question 45

18. What is the name of a single device that is based on a firewall but which has been expanded and improved to perform a wide variety of services, such as filtering, IPS, antivirus scanning, anti-spam filtering, VPN end-point hosting, content filtering, load-balancing, and detailed logging? 1. Load balanced filtering 2. Port based network access (admission) control 3. Unified threat management 4. Multi-factor authentication 5. IEEE 802.1x

Answer 45

Unified threat management

Question 46

19. The most important configuration element in related to a firewall's management interface is: 1. Access over wireless is prevented 2. Access through a network interface is enabled 3. Access is encrypted 4. Access through a CON port is allowed 5. Access to the device physically is controlled

Answer 46

Access is encrypted

Question 47

20. All the following avenues of accessing a firewall's management interface should be limited, restricted, or disabled EXCEPT: 1. Wireless 2. Telnet 3. Public facing NIC interface 4. Port 80 Web 5. Private network NIC interface

Answer 47

Private network NIC interface