IS3220 CHAPTER 8 Flashcards Preview

IS3220 NETWORK SECURITY, FIREWALLS, & VPNS > IS3220 CHAPTER 8 > Flashcards

Flashcards in IS3220 CHAPTER 8 Deck (30):
1

A system designed, built, and deployed specifically to serve as a frontline defense for a network, withstanding the brunt of any attack attempt to provide protection for hosts behind it, is called ___?
It is a fortified computer device, possibly a host, firewall, or router, placed in the line of fire between privately owned and controlled networks and the public Internet.

BASTION HOST OS

2

This supports multiple layers of security and is similar to defense-in-depth. The difference is that each of the layers uses a different security mechanism. It is called ___? It comes from using a collection of diverse security solutions.

DIVERSITY OF DEFENSE

3

This type of OS includes Windows, Linux, Mac OS, UNIX, and others. These support a wide variety of purposes and functions, including serving as client or server host OSs. It is called ___?
When used as a bastion host OS, they must be hardened and locked down. Otherwise, an insecure host OS can render the security provided by a firewall worthless.

GENERAL PURPOSE OS

4

Another aspect of defense-in-depth is to deploy multiple subnets in series to separate private resources from public. This is known as ___?

N-TIER

5

This OS is built exclusively to run on a bastion host device. Most appliance firewalls employ this OS. It is called ___?
This includes commercial firewall devices as well as many ISP connection devices and wireless access points. These support the functions or services critical to security (or their other primary purposes) and little else.

PROPRIETARY OS

6

This allows static content to be cached and served by the proxy rather than requiring that each request for the same content be served by the Web server itself. It is called ___?

REVERSE CACHING

7

Network security managers must investigate the needs and threats to make informed decisions about what traffic to allow and what traffic to block in the individual organization. This is called ___?

SECURITY STANCE

8

For security to be effective, everyone must work within the limitations established by your organization's written policy. Security only works when you employ forced ___?

UNIVERSAL PARTICIPATION

9

This security stance is an ongoing process of locating the least secure element of an infrastructure and securing it. It is called ___?
The idea behind this process is that hackers are performing this task as they seek out vulnerabilities to compromise. Hackers discover and break this to gain access and entry into a secured environment.

WEAKEST LINK

10

These devices, both consumer and commercial grade, include some form of firewall to provide filtering services for wireless clients and physical cable connections. This is called ___? These could be labeled as routers and/or switches, especially when they include two to six extra wired connection ports.

WIRELESS ACCESS POINT

11

1. When crafting firewall rules, determining what to allow versus what to block is primarily dependent on what factor?

1. Traffic levels
2. Business tasks
3. Bandwidth
4. User preferences
5. Timing

Business tasks

12

2. The first step in determining what to allow and what to block in a firewall's rule set is ___?

1. Review vulnerability watch lists
2. Poll users for what services they want
3. Read blogs about best practices for firewall rules
4. Record traffic for 24 hours
5. Create an inventory of business communications

Create an inventory of business communications

13

3. What is the purpose of including rules that block ports, such as 31337?

1. Prevent users from accessing social networking sites
2. To prevent DNS zone transfers
3. To stop ICMP traffic
4. Block known remote access and remote control malware
5. Allow users to employ cloud backup solutions

Block known remote access and remote control malware

14

4. What security strategy is based on the concept of locking the environment down so users can perform their assigned tasks but little else?

1. Simplicity
2. Principle of least privilege
3. Diversity of defense
4. Choke point
5. Weakest link

Principle of least privilege

15

5. What security strategy reverts to a secure position in the event of a compromise?

1. Fail-safe
2. Universal participation
3. Defense-in-depth
4. Security through obscurity
5. N-tier deployment

Fail-safe

16

6. Which security stance most directly focuses on the use of firewalls or other filtering devices as its primary means of controlling communications?

1. Universal participation
2. Weakest link
3. Fail-safe
4. Choke point
5. Simplicity

Choke point

17

7. A firewall policy performs all of the following functions EXCEPT:

1. Assist in troubleshooting
2. Placing blame for intrusions
3. Guiding installation
4. Ensuring consistent filtering across the infrastructure
5. Detect changes in deployed settings

Placing blame for intrusions

18

8. Which of the following is NOT a viable option for an enterprise network that needs to control and filter network traffic?

1. Virtual firewall
2. Appliance firewall
3. Physical firewall
4. Host firewall
5. Software firewall

Physical firewall

19

9. A reverse proxy is useful in which of the following scenarios?

1. Grant outside users access to internal email servers
2. Support internal users accessing the public Internet
3. Allow private hosts to access external Web servers
4. Offer external entities access to an internal Web server
5. Cache file transfers for peer-to-peer exchange protocols

Offer external entities access to an internal Web server

20

10. All of the following are true statements in regard to port forwarding EXCEPT:

1. Is a variation of NAT
2. Limited to Web traffic only
3. Hides the identity of internal hosts
4. Allow the use of nonstandard ports for publicly accessed services
5. Internal servers do not see the identity of the real source of a communication

Limited to Web traffic only

21

11. Which of the following statements is true with respect to reverse proxy?

1. Reverse proxy cannot be used in conjunction with secured Web sites
2. Reverse proxy can be used with tunnel mode IPSec VPNs
3. Reverse proxy can only support SSL tunnels
4. Reverse proxy caches client requests and archives them for load balancing purposes
5. The reverse proxy server can act as the end-point for a TLS tunnel

The reverse proxy server can act as the end-point for a TLS tunnel

22

12. Which of the following is NOT a true statement in regard to port forwarding?

1. Port forwarding services can be found on almost any service or device that supports NAT
2. Port forwarding is an essential element in the Internet Connection Sharing (ICS) service of Windows
3. Port forwarding is used in reverse proxy, but only for Web traffic
4. Port forwarding supports caching, encryption endpoint, and load balancing
5. Port forwarding is a variation or enhancement of NAT

Port forwarding supports caching, encryption endpoint, and load balancing

23

13. Which of the following is NOT considered a viable option as a bastion host OS?

1. UNIX
2. Linux
3. Android
4. Mac OS
5. Windows 7

Android

24

14. You are selecting a new appliance firewall for deployment in the company network. You are concerned with OS flaws and exploits appearing not only on your hosts but also on the firewall. To minimize that risk, what bastion host OS should you choose?

1. Cisco IOS
2. Windows 7
3. UNIX
4. Mac OS
5. Linux

Cisco IOS

25

15. What is the most important aspect or feature of a bastion host OS?

1. Leveraging existing OS administrative knowledge
2. Ease of use
3. Remote administration
4. Resistance to attacks and compromise attempts
5. Support of a wide range of services

Resistance to attacks and compromise attempts

26

16. What is always the most important element within a firewall rule set?

1. Using specific addresses instead of ANY
2. List deny-exceptions after allow-exceptions
3. List inbound exceptions before outbound exceptions
4. Final rule of default-deny
5. Blocking every known malicious port

Final rule of default-deny

27

17. Which of the following examples of complete firewall rule sets is the most valid?

1. TCP ANY ANY ANY ANY Deny
   TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP 192.168.42.115 ANY ANY 80 Deny
2. TCP 192.168.42.115 ANY ANY 80 Deny
   TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP ANY ANY ANY ANY Deny
3. TCP 192.168.42.115 ANY ANY 80 Deny
   TCP 192.168.42.116 ANY ANY 80 Deny
   TCP 192.168.42.119 ANY ANY 80 Deny
4. TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP ANY ANY ANY 80 Deny
   TCP ANY ANY ANY ANY Deny
5. TCP ANY ANY ANY ANY Deny

TCP 192.168.42.115 ANY ANY 80 Deny
TCP 192.168.42.0/24 ANY ANY 80 Allow
TCP ANY ANY ANY ANY Deny

28

18. Which of the following guidelines is most important?

1. Include all specific denials for known malicious remote control tools after explicit allows
2. Include every possible address and port in a rule within the set to ensure an explicit callout exists for every type of communication
3. There should be more inbound rules than outbound rules
4. There should be more inbound rules than outbound rules
5. Place universal allows before universal denies

There should be more inbound rules than outbound rules

29

19. When considering the security response triggered by a firewall detecting unwanted traffic, what is the main factor in choosing between:
1) a response that protects confidentiality and integrity and
2) a response that protects availability

a response that protects confidentiality and integrity and

30

20. When security mechanisms and business communications are at odds, what is the best and most secure response?

1. Disable security to allow the business communication
2. Modify the security policy to protect the business communication
3. Disable both security and the offending business communication
4. Disable business communication to maintain security
5. Do nothing

Modify the security policy to protect the business communication