IS3220 CHAPTER 7 Flashcards Preview


Flashcards in IS3220 CHAPTER 7 Deck (47):
1

A mechanism that defines the traffic or event against which an authorization control of allow or deny is applied is called ___?
Often used interchangeably with the terms rule and filter in relation to firewalls.

ACCESS CONTROL LIST (ACL)

2

A notification from a firewall that a specific event or packet was detected is called ___?
These notify administrators of events that may need real-time human response or attention.

ALERT

3

A security stance that allows all communications except those prohibited by specific deny exceptions is called ___? AKA default allow.

ALLOW BY DEFAULT

4

A form of Intrusion Detection System/Intrusion Prevention System (IDS/IPS) detection based on a defined normal, often defined using rules similar to firewall rules is called ___?
All traffic or events that fail to match defined normal are considered anomalies and potentially malicious.

ANOMALY-BASED DETECTION

5

A form of IDS/IPS detection based on a recording of real-world traffic as a baseline for normal is called ___?
All traffic or events that fail to match the normal baselines are considered abnormal and potentially malicious.

BEHAVIORAL-BASED DETECTION

6

____ by a proxy server is the retention of Internet content. Various internal clients may access this content, and the proxy can provide it to subsequent requesters without the need to retrieve the same content from the Internet repeatedly.

CACHING

7

A mechanism used to create a redundant copy of all log files in a single warehousing location is called ___?
A technique of storing or copying log events. One common example of this is syslog.

CENTRALIZED LOGGING SYSTEM

8

A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events is called ___?
All traffic or events that match an item in the database are considered abnormal and potentially malicious. AKA signature, knowledge, and pattern-matching based detection.

DATABASE-BASED DETECTION

9

A security stance that allows all communications except those prohibited by specific deny exceptions is called ___?

DEFAULT ALLOW

10

A security stance that prevents all communications except those enabled by specific allow exceptions is called ___?

DENY BY DEFAULT

11

A technique of load balancing that operates by sending the next transaction to the firewall with the least current workload is called ___?

FAIR QUEUING

12

An event that does not trigger an alarm but should have, due to the traffic or event actually being abnormal and/or malicious is called ___?
This is the unwanted non-detection of a malicious event.

FALSE NEGATIVE

13

An event that triggers an alarm but should not have, due to the traffic or event actually being benign is called ___? This is the unwanted false alarm that wastes time and resources pursuing a non-malicious event.

FALSE POSITIVE

14

A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic is called ___?
This expresses the intention to block or deny unwanted items of concern. AKA a rule or ACL.

FILTERS

15

A hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic is called ___?

FIREWALKING

16

A networking mechanism to hand off or pass off the task of authentication to a third-party dedicated authentication system is called ___?
AKA port authentication, portal authentication, or port-based network access (admission) control (PNAC).

IEEE 802.1x

17

A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events is called ___?
All traffic or events that match an item in the database are considered abnormal and potentially malicious. AKA signature, database, and pattern-matching-based detection.

KNOWLEDGE BASED DETECTION

18

A network traffic management technique to spread the workload or traffic levels across multiple devices to maintain availability is called ___?

LOAD BALANCING

19

The command line or graphical interface used to control and configure a device is called ___?
Often accessible through a console (CON) port on the device or through a logical interface across the network.

MANAGEMENT INTERFACE

20

A mechanism used on individual network access devices, such as firewalls, VPN gateways, and wireless routers, to offload authentication to a dedicated authentication server/service is called ___?
Only after valid authentication are communications with or across the network device allowed.

PORT-BASED NETWORK ACCESS (ADMISSION) CONTROL (PNAC)

21

A form of load balancing which hands out tasks in a repeating non-priority sequence is called ___?

ROUND ROBIN

22

The list of rules on a firewall (or router or switch) that determine what traffic is and is not allowed to cross the filtering device is called ___?
Most employ a first-match-apply-action process.

RULE SETS

23

A written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more action(s) to take when the item of concern appears in traffic is called ___? AKA a filter or ACL.

RULE(S)

24

A form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events is called ___?
All traffic or events that match an item in the database are considered abnormal and potentially malicious. AKA database, knowledge, and pattern-matching-based detection.

SIGNATURE-BASED DETECTION

25

The deployment of a firewall as an all-encompassing primary gateway security solution is called ___?
The idea behind this is that a single device can be designed to perform firewall filtering, IPS, antivirus scanning, anti-spam filtering, VPN end-point hosting, content filtering, load-balancing, detailed logging, and potentially other security services, performance enhancements, or extended capabilities.

UNIFIED THREAT MANAGEMENT (UTM)

26

The maximum communication or transmission capability of a network segment is called ___?
Often used to describe a network device's ability to perform tasks on traffic, while being able to maintain overall network transmission speeds without introducing delay, lag or latency.

WIRESPEED

27

A form of storage device that can be written to once, but once written cannot be electronically altered is called ___?

WRITE-ONCE READ-MANY (WORM)

28

1. Which of the following is a firewall rule that prevents internal users from accessing public FTP sites?

1. TCP ANY ANY ANY FTP Deny
2. TCP 192.168.42.0/24 ANY ANY 21 Deny
3. TCP 21 192.168.42.0/24 ANY ANY Deny
4. TCP ANY ANY 192.168.42.0/24 ANY Deny
5. TCP FTP ANY ANY Deny

TCP 192.168.42.0/24 ANY ANY 21 Deny

29

2. Which of the following is a default deny rule?

1. TCP ANY ANY ANY ANY Deny
2. TCP 192.168.42.0/24 ANY ANY ANY Deny
3. TCP ANY 192.168.42.0/24 ANY ANY Deny
4. TCP ANY ANY 192.168.42.0/24 ANY Deny
5. DENY TCP ANY ANY ANY ANY

TCP ANY ANY ANY ANY Deny

30

3. The default deny rule appears where in the rule set?

1. First
2. After any explicit allows
3. Anywhere
4. Last
5. After any explicit denies

Last

31

4. What mechanism allows a firewall to hand off authentication to a dedicated service hosted on a different system?

1. IEEE 802.11
2. RFC 1918
3. IEEE 802.1x
4. RFC 1492
5. IEEE 802.3

IEEE 802.1x

32

5. When an organization first deploys a firewall and chooses to begin logging activity, what should you include in the log file?

1. Only malicious traffic
2. Only DoS traffic
3. Only dropped packets
4. Only allowed packets
5. All events

All events

33

6. You can use firewall logging to perform all of the following activities EXCEPT:

1. Discover new methods or techniques of attack
2. Create a historical record of activity used for traffic and trend analysis
3. Track usage levels and times for load balancing
4. Stop intrusions
5. Create legally admissible evidence for use in prosecution

Stop intrusions

34

7. All the following events appearing in a firewall log warrant investigation by an administrator EXCEPT:

1. Firewall host reboot
2. A connection attempt to the firewall host
3. Detection of an attack attempt
4. Inbound packets with spoofed internal source addresses
5. An internal user accessing a public Web site

An internal user accessing a public Web site

35

8. Which of the following is a highly recommended method or technique for keeping firewall logs secure and uncorrupted?

1. Storing them in binary form
2. Using 15,000 RPM hard drives
3. Recording only important events
4. Centralized logging
5. Using timestamps

Centralized logging

36

9. Which of the following is an event found in a firewall log file that is a symptom of a rogue host operating within the private network?

1. Packets from a known malicious address
2. Packets from an unassigned internal address
3. Packets to an unknown port on an internal host
4. Packets in a serial grouping that attempt to access a sequence of ports
5. Packets in a very large grouping that are all exactly the same, directed toward a single target

Packets from an unassigned internal address

37

10. What is the biggest issue or problem with an IDS?

1. False positive
2. Failing to operate at wirespeed
3. False negative
4. Keeping the pattern database current
5. Using anomaly detection

False negative

38

11. Which of the following is NOT a limitation or potential weakness of a firewall?

1. Firewalking
2. Software bugs or flaws
3. Using first match apply rule systems
4. Fragmentation attacks
5. Internal code connecting to an external service

Using first match apply rule systems

39

12. When a firewall is able to process packets, filter malicious code, and transmit authorized communications onward to their destination without introducing latency or lag, this is known as operating at ___.

wirespeed

40

13. Which of the following is NOT related to improving or maintaining the performance of a firewall?

1. Native antivirus scanning
2. Round-robin task assignment
3. Caching
4. Fair queuing session management
5. Load balancing

Native antivirus scanning

41

14. What form of encryption allows a firewall to filter based on original source and destination address (assume the firewall is located along the path between session endpoints)?

1. Tunnel mode
2. VPN remote access encryption
3. Transport mode
4. VPN LAN to LAN encryption
5. Header encryption

Transport mode

42

15. What type of communication session can have its performance improved using caching on a firewall?

1. Instant messaging
2. Remote access
3. Email
4. Time synchronization
5. Web

Web

43

16. Which of the following limitations or potential weaknesses of a firewall cannot be fixed or corrected with the application of an update or patch?

1. Programming bug or flaw
2. Firewalking
3. Buffer overflow vulnerability
4. Fragmentation
5. Denial of service due to traffic from external sources

Denial of service due to traffic from external sources

44

17. What is the primary factor used to distinguish a great firewall enhancement from a marketing gimmick used to drive up sales?

1. Does the enhanced firewall cost the same or less than separate products
2. Does the enhancement affect the operating speed of the firewall
3. Does the enhancement operate as well as or better than the original firewall
4. Does the enhancement require the purchase of a new firewall, or can it be added to existing products already deployed
5. Does the enhancement have a recurring license or subscription fee

Does the enhancement operate as well as or better than the original firewall

45

18. What is the name of a single device that is based on a firewall but which has been expanded and improved to perform a wide variety of services, such as filtering, IPS, antivirus scanning, anti-spam filtering, VPN end-point hosting, content filtering, load-balancing, and detailed logging?

1. Load balanced filtering
2. Port based network access (admission) control
3. Unified threat management
4. Multi-factor authentication
5. IEEE 802.1x

Unified threat management

46

19. The most important configuration element related to a firewall's management interface is:

1. Access over wireless is prevented
2. Access through a network interface is enabled
3. Access is encrypted
4. Access through a CON port is allowed
5. Access to the device physically is controlled

Access is encrypted

47

20. All the following avenues of accessing a firewall's management interface should be limited, restricted, or disabled EXCEPT:

1. Wireless
2. Telnet
3. Public facing NIC interface
4. Port 80 Web
5. Private network NIC interface

Private network NIC interface