Network Security Flashcards

Question

What port does SCP use?

Answer 1

Secure Copy (SCP) uses port 22

Answer 2

Simple Mail Transfer Protocol (SMTP) uses port 25

Answer 3

Open ports

Answer 4

Disable them

Answer 5

Disabling unused ports is a part of basic port security.

Answer 6

A host-based firewall can help prevent intrusions on individual computers such as a server or desktop computer.

Answer 7

A firewall controls traffic between networks using rules within an ACL.

Answer 8

A web security gateway performs content filtering (including filtering for malicious attachments, malicious code, blocked URLs and more).

Answer 9

A load balancer can optimize and distribute data loads across multiple computers or multiple networks.

Answer 10

A proxy server includes the ability to filter and cache content from web pages.

Answer 11

An intrusion detection system (IDS) detects malicious activity after it has occurred.

Answer 12

A host-based intrusion detection system (HIDS) can detect attacks (including successful attacks resulting in compromises) on local systems such as workstations and servers.

Answer 13

A network-based intrusion detection system (NIDS) will detect attacks, but will not necessarily block them (unless it is an active NIDS).

Answer 14

Signature-based, network-based intrusion detection systems (NIDS) use signatures similar to antivirus software, which are downloaded regularly as updates.

Answer 15

An anomaly-based (also called heuristic or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes.

Answer 16

The primary purpose of an intrusion prevention system (IPS) is to stop attacks in progress.

Answer 17

A host-based intrusion prevention system (HIPS) provides active protection for an individual host, including its operating system.

Answer 18

A network-based intrusion prevention system (NIPS) attempts to detect and mitigate threats by taking action to block them.

Answer 19

Many intrusion prevention systems (IPSs) use content inspection techniques to monitor data streams in search of malicious code or behaviors.

Answer 20

Loop protection such as Spanning Tree Protocol (STP) protects against the switching loop problem described in the scenario.

Answer 21

A virtual local area network (VLAN) can group several different computers into a virtual network, or logically separate the computers in two different departments.

Answer 22

A deny any any or drop all statement is placed at the end of an ACL and enforces an implement deny strategy.

Answer 23

Firewalls use firewall rules (or rules within an ACL) to identify what traffic is allowed and what traffic is denied. A basic packet filtering firewall can filter traffic based on ports, protocols, and addresses.

Answer 24

An access control list (ACL) on a router can block access to the subnet from another subnet.

Answer 25

Access control lists within a firewall must include rules to open the appropriate ports.

Answer 26

A drop all or deny any any statement is placed at the end of an access control list (ACL) and enforces an implement deny strategy.

Answer 27

Most firewalls have an implicit deny statement (such as drop all or deny any any) at the end of an access control list (ACL) to block all traffic not previously allowed.

Answer 28

Firewall rules (including the implicit deny rule) provide technical implementation of security policies. The other choices are not technical controls.

Answer 29

Both 192.168.1.165 and 192.168.1.189 are on the same subnet since bits 25 and 26 are the same (10). If a calculator is needed on the exam (such as for a problem like this), it will be available.

Answer 30

A demilitarized zone (DMZ) can provide access to services (hosted on servers) from the Internet while providing a layer of protection for the internal network.

Answer 31

Network Address Translation (NAT) translates public IP addresses to private IP addresses, and private back to public and hides addresses on the internal network.

Answer 32

IPsec is one of many tunneling protocols the organization can use to create a VPN tunnel.

Answer 33

Encapsulating Security Payload (ESP) in tunnel mode encapsulates the entire IP packets and provides confidentiality, integrity, and authentication.

Answer 34

Network access control (NAC) inspects clients for specific health conditions and can redirect access to a remediation network for unhealthy clients.

Answer 35

Cloud computing is very useful for heavily utilized systems and networks, and cloud providers provide the services.

Answer 36

Applications such as web-based email provided over the Internet are Software as a Service (SaaS) cloud-based technologies.

Answer 37

Platform as a Service (PaaS) provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities.

Answer 38

Virtualization can reduce the footprint of a datacenter, eliminate wasted resources, and result in less physical equipment needing physical security.

Answer 39

Network Address Translation (NAT) translates public IP addresses to private, private IP addresses back to public, and hides addresses on the internal network.

Answer 40

B. Virtual machines all run in their own separate and isolated area on the system as if they were on a separate physical machine. This greatly increases security, as any issues arising in one virtual machine will not affect another virtual system. This also allows multiple operating systems to be installed on the same physical hardware, which saves money by avoiding the need to buy multiple hardware systems.

Answer 41

B. The NIPS system actively tries to mitigate an incoming intrusion rather than just detect it. A network intrusion detection system actively monitors for intrusions and will alert the administrator when one is detected. A network intrusion prevention system goes a step further and tries to actively prevent the intrusion as it is occurring.

Answer 42

A. The demilitarized zone (DMZ) is a network that typically contains Internet servers and services that are accessible from the outside world but should be isolated from your internal network. The DMZ ensures incoming connections for these services are routed to the DMZ and never reach the internal LAN.

Answer 43

A. Network address translation (NAT) allows internal hosts with nonroutable Internet addresses to access the Internet using an external address. NAT also hides the IP information of the internal network from the outside world.

Answer 44

D. A virtual LAN (VLAN) is used to segment a network into smaller logical units to aid in security and performance. The virtual LANs are logically isolated from each other to prevent network traffic and unauthorized access.

Answer 45

B. You could convert your legacy application to a secure, cloud-based web resource that allows clients to remotely access the application and its data from any Internet connection. The data can be easily shared, and multiple users can collaborate on projects.

Answer 46

D. A web security gateway device is specifically engineered to content-filter HTTP web traffic and prevent attacks on web clients via the HTTP protocol. A network firewall, web proxy, or antispam filter would not prevent security issues specifically for HTTP applications.

Answer 47

A. A content filtering server can analyze network traffic and block specific file types, such as MP3 music files, from being downloaded. The end users will receive an error when they try to access blocked files.

Answer 48

A. Web proxy servers are used primarily for their caching capability, which boosts web browsing performance by storing content retrieved from an external web serve

Answer 49

C. A protocol analyzer is best suited for examining and capturing network packets and frames between the two devices. You would be able to examine the network traffic to determine the details of the unauthorized connection and use firewall rules to block it.

Answer 50

A. SFTP is used to encrypt FTP sessions with SSH (Secure Shell). The other methods such as FTP, TFTP, or FTP over HTTP are not secure and communicate in clear text.

Answer 51

D. You should enable MAC address security on your switch ports to only allow the hardware addresses of the specific clients on the development network to access those ports.

Answer 52

C. The access rule should be set to deny the SNMP UDP port 161 for the specified IP address.

Answer 53

D. In the event that a documented vulnerability is found in a network device firmware or operating system, it should be updated or a patch applied to fix the bug to prevent the device from being compromised.

Answer 54

C. A smurf attack uses a spoof attack combined with a DDoS attack to exploit the use of IP broadcast addressing and ICMP. By spoofing the address of the web server in an IP broadcast, the attacker causes the replies from other systems on the network to the broadcast all to be sent back to the web server, causing a denial of service.

Answer 55

A. Implicit deny means that anything that is not explicitly defined in an access rule is denied. This denies all access by default until you apply access rules for only the specific services required.

Answer 56

B. A distributed denial-of-service (DDoS) attack comes from multiple, geographically distributed hosts, making it difficult for the network administrator to block it.

Answer 57

A. TCP port 21 (FTP) is not required on your e-mail server, and it should be disabled to prevent hackers from connecting to the e-mail server on this port.

Answer 58

D. To securely administer your router remotely with a web browser, you should make sure you are using an HTTPS connection that is encrypted via SSL. Other methods send their communications in clear text.

Answer 59

C. The default SNMP community string is “public.” This is a basic type of password used between all systems being monitored by SNMP. This should be changed to a more secure value.

Answer 60

A. When using an open wireless access point and browsing personal web sites such as your e-mail and banking sites, make sure you use secure, encrypted websites via SSL, or use a VPN connection. This ensures that your session with the web server is encrypted. Any hacker on the same open network can use a packet sniffer to view unencrypted communications.

Answer 61

D. WPA2 is currently the strongest level of encryption security available for a wireless network. WPA2 replaces the weaker WPA and adds Robust Security Network (RSN) support that includes added protection for ad hoc networks, key caching, preroaming authentication, and CCMP, which utilizes the AES cipher to replace TKIP

Answer 62

C. WPA-PSK uses a preshared key passphrase that requires all devices on the wireless network to use the same passphrase to access the network. WPA-Enterprise uses an authentication server to perform key management and exchange for all wireless clients.

Answer 63

A. Bluesnarfing is a hacking method in which an unauthorized user can connect to unprotected Bluetooth devices and access any data stored on the device. Link-level security authenticates the actual communications link before data transmission begins. Data encryption can also be performed when the link is authenticated

Answer 64

D. By disabling SSID broadcast, you assure your access points will not advertise the SSID they are using for wireless clients to connect. A user would require prior knowledge of the SSID before he could access the network.

Answer 65

A. The IV (initialization vector) attack uses the weakness in the 24-bit generated IV that is paired with the WEP encryption key. The IV can be discovered over time on busy networks that use repeat IV values, and used to decrypt the cipher stream without knowing the WEP key.

Answer 66

A. A list of authorized client MAC addresses must be configured on each access point for the network. If any client tries to communicate with the access point and its MAC address isn’t in the list, it will be denied access.

Answer 67

B. You can use a cable and an external antenna to extend the range of your closest access point to the office with the low signal. This is an easy and inexpensive solution rather than purchasing and installing a new access point.

Answer 68

D. Antenna and access point placement is important to make sure that it is not close to any other electrical wires or devices (especially those that broadcast on a similar frequency) where electrical interference can cause a loss of wireless signal.

Answer 69

C. An initial site survey should be performed before installation of a wireless network to ensure the environment will be conducive to wireless communications. The survey can also help determine the best placement and coverage for your wireless access points.

Answer 70

1. Signature-Based 2. Behavior/Anomaly-Based 3. Heuristic-Based 4. Rule-Based

Answer 71

It works by using a predefined db of known attacks that have appeared previously. Each type can be recognized by its unique chars, and signature. Pros- Powerful and efficient because it relys on the collective knowledge of security vendors. Cons - Must keep db continually updated. Unable to detect very new attacks whose signatures are not yet availble.

Answer 72

A baseline of normal behavior and then monitor network traffic based on these performance profiles to recognize behavioral anomalies that exceed the thresholds of the normal baseline. Pros - More effient as time goes on (more data collected) Easily and quickly adapt to the current environment and can detect new variants of attacks that a signature or rule-based might not.

Answer 73

B. Obtain a software as a service agreement with a cloud computing verndor

Answer 74

A. traffic is easily sniffed

Answer 75

B. Access control list

Answer 76

``` class A network - 10.0.0.0 - 10.255.255.255 class B network - 172.16.0.0 - 172.31.255.255 class C network - 192.168.0.0 - 192.168.255.255 ```

Answer 77

It is a device that is specifically engineered to content-filter HTTP web traffic and prevent attacks on web clients via the HTTP protocol. Used for safe web-browsing and block certain content downloading.

Answer 78

Servers(s) primarily used for caching capability, which boosts web browsing performance by storing content retrieved from tan external web server.

Answer 79

It is best suited for examining and capturing network packets and frames between the firewall and the email server.

Answer 80

1. TCP/IP 2. ICMP 3. HTTP/HTTPS 4. Telnet 5. SSH 6. FTP 7. TFTP 8. FTPS/SFTP 9. SCP 10. DNS 11. SNMP 12. IPsec 13. NetBIOS

Answer 81

``` TCP UDP HTTP FTP Packet sniffing and Spoofing because they don't use authentication functions. ```

Answer 82

They are used for the IP or address of a computer. IPv4 - IPv6 -

Answer 83

7. Application - Data 6. Presentation - Data 5. Session - Data 4. Transport - Segments 3. Network - packets 2. Data Link - frames 1. Physical - Bits

Answer 84

7th layer: It provides services needed by software applications to help users interact with the network. Protocols: HTTP,FTP, SMTP, DHCP, NFS, Telnet, SNMP, POP3, NNTP and IRC

Answer 85

6th layer: is responsible for data presentation, ensuring that the data sent from the application layer can be read by the corresponding application layer on the receiving end. It defines protocols that provide coding and data conversion function - transition, (de)compression, encryption and decryption. These are applied to the application level data to make it transparent to the layers around it. Protocols: SSL

Answer 86

5th layer: Required for inter-host communication. Establish, maintain and terminate communication sessions between the software application on different networks. Attaches header information to data packets and coordination data transfer for providing dialog control between devices and determine if data is to be sent as simplex, half-duplex or full-duplex messages. Protocols: PPTP

Answer 87

4th layer: Provides the services required for end-to-end connectivity and ensuring that data is delivered error-free and in the proper sequence. Provides process-level addressing, multiplexing and e-multiplexing, and segmentation, packaging and reassembly of data. Includes protocols for establishing , managing, and termination of connections for acknowledgement and retransmission of lost data, flow control, error checking and recovery. Protocols: TCP, UDP

Answer 88

3rd layer: Enable multiple individual networks to be combined into an internetwork.. Handles logical addressing. It provides path determination- routing messages using the best path available and is responsible for creating virtual circuits between network devices. Performs datagram and encapsulation, packet fragmentation and reassembly, and error handling and diagnostics. Protocol: IP

Answer 89

2nd Layer: Provides services for the various protocols at the network layer. Divided into 2 sub layers: logical link control (LLC) and media access control (MAC). LLC - takes the packets from the network layer and breaks them into frames using synchronization flow control and error checking functions. MAC - provides control for accessing the transmission medium at the physical layer. It converts the data into binary digits and prepares them for the physical layer.

Answer 90

1st layer: defines the networks hardware specs and physical topology. Defines the encoding and signaling functions required to transmit data across the transmission medium and physically transmits and receives data.

Answer 91

4. Application - mail, file transfer, login applications 3. Transport (Host-to-Host) TCP or UDP 2. Internet - package, route, transmit via IP 1. Network Access (Link) physical data delivery Uses TCP/IP protocols (TCP/IP Model)

Answer 92

A set of network protocols that specifies how computers communicate, and provides a set of conversions for interconnection networks and routing traffic. Fucntions independent of the underlying network tech. Includes and integrated addressing system (IP). Operates at OSI layers Application, Transport, Internet and Network Interface. 2 Main Transport Protocols: TCP - connection-oriented delivery UDP- connectionless delivery. No error checking

Answer 93

Is used to transmit control messages between systems. Used for diagnostics (ping)

Answer 94

Internet Layer

Answer 95

Control Message Protocol - used to send management messages between systems.

Answer 96

port 53 (TCP or UDP)

Answer 97

Name Service - 137 Datagram Service - 138 Session Service - 139

Answer 98

1. Name Service - TCP/UDP 137 usually UDP 2. Datagram Service used to send small msgs - UDP 138 3. Session Service allow 2 computers communicate lrg msgs via a connection with error detection and recovery - TCP 139

Answer 99

TCP Transmission Control Protocol | UDP User Datagram Protocol

Answer 100

Telnet allows a user to remotely connect to a host server and login. Telnet does not encrypt data.

Answer 101

User Datagram Protocol is a TCP/IP protocol. Simple and fast connectionless and best used when speed is required to broad cast data or multicast. Message is not guaranteed to arrive with no error checking.

Answer 102

UPD TCP can not broadcast or multicast since it enables communication between a specific sender and receiver. It is for unicast communication.

Answer 103

TCP - unicast | UDP - broadcast or multicast

Answer 104

TCP - establishes and manages a connection between the source and destination devices. It sequences messages, retransmits messages lost in transmit and implements data flow and congestion control.

Answer 105

Ephemeral ports are assigned only temporarily to client processes. Port numbers range from 1024 - 65535, and can be used by user-developed programs on most systems. The IP/port combination must be unique for data to be transported.

Answer 106

Provides a secure channel for data exchange on port 22. Provides encryption and authentication. It ensures that the entire flow of information between the machine and other devices (router/firewall) are encrypted.

Answer 107

SMTP on port 25 (Send email) POP3 on port 110 (retrieve email, can be used with SMTP) IMAP on port 143 (retrieve email)

Answer 108

It is used on LANs to enable software on individual computers to communicate.

Answer 109

1. BOOTP used via DHCP to determine its IP. Allows a file to be loaded into memory so a machine can be boot without a disk drive. UPD 67 2. TFTP is a basic file transfer for small data transfers, boot computers, x-terminals and diskless workstations. UPD 69 3. NTP used to synch clock times on computers. UPD 123 4. SNMP (Simple Network Mng Protocol) enables network devices to exchange mng information. UPD 161

Answer 110

Limited via a checksum with no recovery.

Answer 111

Port Scanner

Answer 112

To capture, analyze and transmit data packets | When performing traffic analysis to detect patterns

Answer 113

1. CNAC 2. TNC 3. NAP

Answer 114

A specific TCP packet is sent to a particular device on a network, usually a router. The packet has the flags turned on for the URG,PUSH and FIN. These flags being turned on looks like a Christmas Tree.

Answer 115

B, C,D Intrusion detection systems are designed to analyze data, identify attacks, and respond to the intrusion. Answer A is incorrect because preventing attacks is associated with an intrusion prevention system.

Answer 116

B IDSs are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of an attack.

Answer 117

D | A HIDS collects and analyzes data that originates on the local machine.

Answer 118

A A NIDS tries to locate packets not allowed on the network that the firewall missed and looks at the information exchanged between machines.

Answer 119

B Intrusion prevention differs from intrusion detection in that it actually prevents attacks in real-time instead of only detecting the occurrence.

Answer 120

D Network Load Balancers are servers configured in a cluster to provide scalability and high availability. Load Balancing distributes IP traffic to multiple copies of a TCP/IP service, such as a web server, each running on a host within the cluster.

Answer 121

B,C When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network.

Answer 122

D When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it does not cause a complete network outage; instead, it acts like a patch cable.

Answer 123

C A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both.

Answer 124

An application-level gateway understands services and protocols. All traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Because the filtering is application-specific, it adds over-head to the transmissions but is more secure than packet filtering.

Answer 125

1. Network-based intrusion-detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and might have gotten through the firewall. 2. Host-based intrusion-detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity

Answer 126

Proxy servers can be placed between the private network and the Internet for Internet connectivity or internally for web content caching. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

Answer 127

A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, soft- ware, or a combination of both. A firewall is the first line of defense for the network. The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving a network.

Answer 128

A A VPN concentrator is used to allow multiple users to access network resources using secure features that are built in to the device and are deployed where the requirement is for a single device to handle a very large number of VPN tunnels.

Answer 129

B A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session.

Answer 130

A A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data.

Answer 131

C circuit-level gateway operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one.

Answer 132

D With an application-level gateway, all traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP).

Answer 133

A,B,D Proxy servers are used for security, logging, and caching. When the proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages.

Answer 134

A,B An exposed server that provides public access to a critical service, such as a web or email server, may be configured to isolate it from an organization’s network and to report attack attempts to the network administrator. Such an isolated server is referred to as a bastion host, named for the isolated towers that were used to provide castles advanced notice of pending assault.

Answer 135

B When a proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache of previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced.

Answer 136

D A packet-filtering firewall filters packets based on IP addresses, ports, or protocols and is a simple, good first line of defense.

Answer 137

A Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information.

Answer 138

C Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis.

Answer 139

A Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes.

Answer 140

D Content filtering is integrated at the operating system level so that it can monitor events such as opening files via Windows Explorer. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information.

Answer 141

C Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” For example, to filter non-pornographic material, the terminology must be input and defined in the database.

Answer 142

A,B Protocol analyzers can do more than just look at packets. They prove useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if the network is running slowly, a protocol analyzer can tell you whether necessary protocols are running on the network.

Answer 143

B Content filtering will report only on violations identified in the specified applications listed for the filtering application. In other words, if the application will filter only Microsoft Office documents and a user chooses to use open Office, the content will not be filtered.

Answer 144

B Like most other solutions, firewalls have strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or nontrusted services and applications. However, they require proper configuration.

Answer 145

A,B A host intrusion detection system uses either misuse detection or anomaly detection. A HIDS monitors events for suspicious activity. This can be done by using either misuse detection or anomaly detection. In misuse detection, a database of signatures is used, and the information monitored is compared to the database. This is similar to the way antivirus software works

Answer 146

D Monitoring outbound connections is important in the case of malware that “phones home.” Without this type of protection, the environment is not properly protected.

Answer 147

A,B HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. NIDSs monitor the packet flow and try to locate packets that may have gotten through misconfigured firewalls and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.

Answer 148

D NIDSs try to locate packets not allowed on the network. HIDSs collect and analyze data that originate on the local machine or a computer hosting a service. NIDSs tend to be more distributed.

Answer 149

A, C | Port 110 is used for POP3 incoming mail and port 25 is used for SMTP mail.

Answer 150

A, B. | UDP ports 161 and 162 are used by SNMP

Answer 151

B. A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy.

Answer 152

D. The purpose of a virtual local-area network (VLAN) is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network.

Answer 153

A. NAT allows multiple computers to connect to the Internet using one IP address.

Answer 154

C. Subnetting splits one network into two or more, using routers to connect each subnet. Answer A is incorrect. NAT allows multiple computers to connect to the Internet using one IP address.

Answer 155

B. Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. An important security aspect of NAT is that it hides the internal network from the outside world.

Answer 156

D. Subnetting can be done for several reasons. If you have a Class C address and 1,000 clients, you will have to subnet the network or use a custom subnet mask to accommodate all the hosts. The most common reason networks are subnetted is to control network traffic by limiting broadcast domains, which limits broadcast storms.

Answer 157

C. There are specific reserved private IP addresses for use on an internal network. In a Class C network, valid nonroutable host IDs are from 192.168.0.1 to 192.168.255.254. Network addresses with the first byte between 192 and 223 are Class C and can have about 250 hosts. Answer A is incorrect because it is a Class A address. Valid host IDs are from 10.0.0.1 to 10.255.255.254. Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each.

Answer 158

``` A. Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA). In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, the client is automatically configured with an address from the169.254.0.1 through 169.254.255.254 range. ```

Answer 159

B. In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time the client issues a DHCP lease request, the client is automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range.

Answer 160

D. One of the most effective ways to protect the network from malicious hosts is to use network access control (NAC). NAC offers a method of enforcement that helps ensure that computers are properly configured. The premise behind NAC is to secure the environment by examining the user’s machine and, based on the results, grant access accordingly.

Answer 161

A, B, C. In a Class A network, valid nonroutable host IDs are from 10.0.0.1 to 10.255.255.254. In a Class B network, valid nonroutable host IDs are from 172.16.0.1 through 172.31.255.254. In a Class C network, valid nonroutable host IDs are from 192.168.0.1 to 192.168.255.254.

Answer 162

A, C, D. The basic components of NAC products are the Access requestor (AR), which is the device that requests access; the policy decision point (PDP), which is the system that assigns a policy based on the assessment; and the policy enforcement point (PEP), which is the device that enforces the policy.

Answer 163

B, C, D. | The policy enforcement point is the device that enforces the policy. This device may be a switch, firewall, or router.

Answer 164

B. The four ways NAC systems can be integrated into the network are inline, out-of-band, switch based, and host based. An out-of-band intervenes and performs an assessment as hosts come online, and then grants appropriate access.

Answer 165

A, C, D. In addition to providing the capability to enforce security policy, contain noncompliant users, and mitigate threats, NAC offers a number of business benefits. The business benefits include compliance, a better security posture, and operational cost management.

Answer 166

A, B. To protect your network, make sure the PBX is in a secure area, any default passwords have been changed, and only authorized maintenance is done. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

Answer 167

D. Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port. To protect your network, make sure the Private Branch Exchange (PBX) is in a secure area, any default passwords have been changed, and only authorized maintenance is done

Answer 168

A, B, C. Man-in-the-middle attacks are executed between the SIP phone and a SIP proxy, allowing the audio to be manipulated, causing dropped, rerouted, or playback calls. VoIP PBX servers are susceptible to the same type of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent.

Answer 169

C. Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data.

Answer 170

A. For years, PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy.

Answer 171

B. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. Answer

Answer 172

A, C. Implementing the following solutions can help mitigate the risks and vulnerabilities associated with VoIP: encryption, authentication, data validation, and nonrepudiation. VoIP is basically based on a TCP/IP network; therefore, technologies that are used to secure IP networks can be used for VoIP, too.

Answer 173

B, D Setting the callback features to have the modem call the user back at a preset number and using encryption and firewall solutions will help keep the environment safe from attacks.

Answer 174

A. | The loop guard feature makes additional checks in Layer 2 switched networks.

Answer 175

B. | A flood guard is a firewall feature to control network activity associated with denial of service attacks (DoS).

Answer 176

D. Port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.

Answer 177

C. With interconnected networks, the potential for damage greatly increases because one compromised system on one network can easily spread to other networks. Networks that are shared by partners, vendors, or departments should have clear separation boundaries.

Answer 178

D. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. VLANs are a logical separation of a physical network.

Answer 179

B. | Logging is the process of collecting data to be used for monitoring and auditing purposes

Answer 180

A. Logging procedures and evaluation are an important part of keeping your network safe. However, before you can configure logging, it is essential to identify what is typical behavior for your network

Answer 181

B. When choosing what to log, be sure you choose carefully. Logs take up disk space and use system resources. They also have to be read, and if you log too much, will bog down the system; it will take a long time to weed through the log files to determine what is important

Answer 182

C, D. Standards should be implemented for the types of events you want to log based on business, technical, and regulatory requirements, and the threats the organization faces.

Answer 183

A. | Not only do you need to read the logs, you may also have to know how to correlate events examining output

Answer 184

B, C. The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and provide notification of suspicious behavior.

Answer 185

C. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests destined for servers in the DMZ or to route requests to an authentication proxy. The second firewall is placed to allow outbound requests. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet.

Answer 186

A. A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the Open Systems Interconnection (OSI) model. Packet-filtering solutions are generally considered less secure firewalls because they still allow packets inside the network, regardless of communication patterns within the session

Answer 187

D. Proxy service firewalls are go-betweens for the network and the Internet. They can be used to hide the internal addresses from the outside world through NAT. This does not allow the computers on the network to directly access the Internet.

Answer 188

B. Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don’t allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. Because the firewall check traffic against a set of rules, setting, policies, and guidelines are incorrect.

Answer 189

C. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network.

Answer 190

``` D. A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer A is incorrect because a virtual private network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection ```

Answer 191

C, D. Because you want to monitor both types of traffic, the IDSs should be used together. Network-based intrusion detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and may have gotten through the firewall. Host-based intrusion detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. A firewall protects computers and networks from undesired access by the outside world

Answer 192

B. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content.

Answer 193

A. | Proxy servers are usually placed internally for web content caching.

Answer 194

B. Proxy servers can be placed between the private network and the Internet for Internet connectivity. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content.

Answer 195

D. In some proxy server designs, such as for a large organization, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

Answer 196

A. Internet content filtering works by analyzing data against a database contained in the software. Content filtering reports only on violations identified in the specified applications listed for the filtering application. In other words, if the application will only filter Microsoft Office documents and a user chooses to use Open Office, the content will not be filtered

Answer 197

A, C, D. Network Internet content filters can be hardware or software. Many network solutions combine both. Hardware appliances are usually connected to the same network segment as the users they will monitor. Other configurations include being deployed behind a firewall or in a DMZ, with public addresses behind a packet filtering router. These appliances use access control filtering software on the dedicated filtering appliance. The device monitors every packet of traffic that passes over a network.

Answer 198

C. In some proxy server designs, the proxy server is placed in parallel with IP routers. This design allows for network load balancing by forwarding of all HTTP and FTP traffic through the proxy server and all other IP traffic through the router.

Answer 199

A, D. Protocol analyzers can be placed inline or in between the devices from which you want to capture the traffic. If you are analyzing SAN traffic, the analyzer can be placed outside the direct link with the use of an optical splitter. The analyzer is placed to capture traffic between the host and the monitored device

Answer 200

C. A packet-filtering firewall is best suited for simple networks or used to protect a network that is used mainly for Internet access. The placement of a packet filtering firewall is between the Internet and the protected network. It filters all traffic entering or leaving the network.

Answer 201

B. When deploying multiple firewalls, you might experience network latency. If you do, check the placement of the firewalls and possibly reconsider the topology to be sure you get the most out of the firewalls

Answer 202

A. Proxy service firewalls allow organizations to offer services securely to Internet users. All servers hosting public services are placed in the demilitarized zone (DMZ) with the proxy firewall between the DMZ and the internal network

Answer 203

D. A stateful-inspection firewall is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested.

Answer 204

D. If attackers can compromise the virtual machines, they will likely have control of the entire machine. Most virtual machines run with very high privileges on the host because a virtual machine needs access to the host’s hardware so that it can map the physical hardware into virtualized hardware.

Answer 205

A. Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing.

Answer 206

B, C. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions. Virtual environments are used for cost-cutting measures, too. One well-equipped server can host several virtual servers. This reduces the need for power and equipment. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did.

Answer 207

B. The hypervisor controls how access to a computer’s processors and memory is shared. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that provides more than one operating system to run on a host computer at the same time.

Answer 208

A, D. Forensic analysts often use virtual environments to examine environments that may contain malware or as a method of viewing the environment the same way the criminal did.

Answer 209

B. Virtualized environments, if compromised, can provide access to not only the network, but also any virtualization infrastructure. This puts a lot of data at risk. Security policy should address virtual environments

Answer 210

A, C. Vulnerabilities also come into play in virtual environments. For example,a few years ago, VMware’s NAT service had a buffer-overflow vulnerability that allowed remote attackers to execute malicious code by exploiting the virtual machine itself.Virtual machine environments need to be patched just like host environments and are susceptible to the same issues as a host operating system. You should be cognizant of share files among guest and host operating systems

Answer 211

C. Security policy should address virtual environment vulnerabilities. Any technology software without a defined business need should not be allowed on systems. This applies to all systems, including virtual environments

Answer 212

C, D. Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Virtual environments can be used to improve security by allowing unstable applications to be used in an isolated environment and providing better disaster recovery solutions

Answer 213

C. With more emphasis being placed on going green and power becoming more expensive, virtualization offers cost benefits by decreasing the number of physical machines required within an environment; however, the security of the VMs must be considered. Segmenting virtual machines by the information they handle will keep highly sensitive data from being on the same physical hardware as virtual machines used for testing or lower security applications. The organization should have a policy in place that states that high-security virtual machines containing vital information never share the same hardware as virtual machines for testing.

Answer 214

A, B, C, D. | Virtual environments are available to run on just about everything from servers and routers to USB thumb drives.

Answer 215

D. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that provides more than one operating system to run on a host computer at the same time.

Answer 216

B. The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too

Answer 217

C. The security concerns of virtual environments begin with the guest operating system. If a virtual machine is compromised, an intruder can gain control of all the guest operating systems. In addition, because hardware is shared, most virtual machines run with very high privileges. This can allow an intruder who compromises a virtual machine to compromise the host machine, too

Answer 218

D. To secure a virtualized environment, machines should be segmented by the sensitivity of the information they contain. A policy should be in place that specifies that hardware is not shared for test environments and sensitive data.

Answer 219

C. Platform-as-a-Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, that is delivered over the Internet without downloads or installation.

Answer 220

A. Software-as-a-Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer B is incorrect because Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet.

Answer 221

B. Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department

Answer 222

B. Infrastructure-as-a-Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department.

Answer 223

A, B Both essentially serve the same purpose with TLS being the successor to SSL.

Answer 224

D. Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol often used to support the creation of virtual private networks (VPNs).

Answer 225

B. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

Answer 226

B. Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

Answer 227

``` A. Secure Shell (SSH) utilizes the asymmetric (public key) Rivest, Shamir,Adleman (RSA) cryptography method to provide both connection and authentication. ```

Answer 228

A, B, C. Data encryption with SSH is accomplished using one of the following algorithms: International Data Encryption Algorithm (IDEA), Blowfish, or Data Encryption Standard (DES).

Answer 229

A, D. Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a Telnet session. The SSH suite encapsulates three secure utilities: slogin, ssh, and scp.

Answer 230

C. IPsec provides authentication services, as well as encapsulation of data through support of the Internet Key Exchange (IKE) protocol

Answer 231

``` D. Authentication Header (AH) provides connectionless integrity and data origin authentication for IP packets ```

Answer 232

B. If IPsec is configured to do authentication header only (AH), you must permit protocol 51 traffic to pass through the stateful firewall or packet filter.

Answer 233

C. Encapsulating Security Payload (ESP) provides encryption and limited traffic flow confidentiality, or connectionless integrity, data origin authentication, and an anti-replay service. In an IP header, ESP can be identified as IP protocol number 50

Answer 234

B. If IPsec uses nested Authentication Header (AH) and Encapsulating Security Payload (ESP), IP can be configured to let only protocol 51 (AH) traffic pass through the stateful firewall or packet filter.

Answer 235

A. S/MIME utilizes the Rivest, Shamir, Adleman (RSA) asymmetric encryption scheme to encrypt electronic mail transmissions over public networks

Answer 236

C. An alternative to HTTPS is the Secure Hypertext Transport Protocol (SHTTP),which was developed to support connectivity for banking transactions and other secure web communications

Answer 237

D. S/MIME utilizes the Rivest, Shamir, Adleman (RSA) asymmetric encryption scheme to encrypt electronic mail transmissions and provides email privacy using encryption and authentication via digital signatures s.

Answer 238

B. PGP/MIME derives from the Pretty Good Privacy application and is an alternative to S/MIME. Basically, it encrypts and decrypts email messages using asymmetric encryptions schemes such as RSA.

Answer 239

D. Transport Layer Security (TLS) consist of two additional protocols: the TLS record protocol and the TLS handshake protocol. The handshake protocol allows the client and server to authenticate to one another and the record protocol provides connection security

Answer 240

A. Transport Layer Security (TLS) consist of two additional protocols: the TLS record protocol and the TLS handshake protocol. The handshake protocol allows the client and server to authenticate to one another and the record protocol provides connection security

Answer 241

C. | Hypertext Transfer Protocol Secure (HTTPS) traffic typically occurs over port 443.

Answer 242

``` D. Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a Telnet session ```

Answer 243

D. An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications

Answer 244

A. SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network

Answer 245

B. The Secure Copy Protocol (SCP) is a network protocol that supports file transfers. SCP is a combination of RCP and SSH. It uses the BSD RCP protocol tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication.

Answer 246

B. | Traceroute uses an ICMP echo request packet to find the path between two addresses.

Answer 247

D | A connection using the HTTP protocol over SSL (HTTPS) will be made using the RC4 cipher and will be made using port 443

Answer 248

C When a client attempts to make an 802.1x-compliant connection, the client attempts to contact a wireless access point (AP). The AP authenticates the client through a basic challenge-response method, and then provides connectivity to a wired network or serves as a bridge to a secondary wireless AP.

Answer 249

D An IPv6 address uses 128-bit IP addresses and includes eight groups of four hexadecimal characters. Double colons indicate no compression so the zeros must be shown

Answer 250

Mac Flooding ARP poisoning Spanning Tree attacks

Answer 251

Involves sending a switch lots of Ethernet frames with different source MAC addresses. The switch caches the MAC addresses against the port they arrive on. If too many are sent the cache is overloaded. This forces the switch to broadcast to all the ports, thus acting like a hub. This allows hackers to sniff out ALL the ports using dsniff or ettercap.

Answer 252

The attacker enters false MAC-IP address mapping into the switch's Address Resolution Protocol table. This false mapping sets up the attacker as the subnets default gateway and all traffic is sent to him. This allows them to receive and send data masquerading as an authorized user.

Answer 253

A form of DoS attacks that target the Spanning Tree Protocol (STP). The STP prevents looped broadcast traffic between switches. The attack mimics the root bridge and the traffic storms may crash the network.

Answer 254

1. configure port security - restrict the number of MAC address and configure authentication at the port level. disable unused ports - place unused ports in a vLAN that is not allowed to connect to the network. 2. keep the switch updated - firmware updates 3. mitigate spanning tree attacks - enable features to prevent attacks, such as Loop Guard, Root Guard and portfast. Use IEEE 802.iD protocol 4. Secure the management console - use ACL to restrict hoses.

Answer 255

Switches divide a network into different collision domains. | Routers divide networks into subnets.They connect switches to one another and to the internet.

Answer 256

Layer 3 - network layer. They provide complex signaling and packet translations and allow for some security filtering such the blocking of specific ports, broadcast traffic, and traffic without a correct network address.

Answer 257

Layer 2 - Data link Used to divide a network into separate segments (logically-VLAN or physically). Each port is a separate collision domain.

Answer 258

It checks the destination of the received traffic against the media access control or MAC address table residing in the switch. It then forwards the traffic to the specific port for that address.

Answer 259

A hub broadcasts the message to ALL ports while a switch uses the MAC address table to determine which port to send the message(P2P).

Answer 260

Physical - Use separate switches with it own routers that do not connect. Logical (VLAN) on switches using routers.

Answer 261

Spanning Tree Protocol (STP).

Answer 262

802.1D and the most common protocol that is based on this is STP

Answer 263

monitor active paths between source and destination networks and select the best routes for information in response to traffic loads and line speeds.

Answer 264

Open Shortest Path First (OSPF) Routing Information Protocol (RIP) Border Gateway Protocol (BGP)

Answer 265

SSH HTTPS SCP

Answer 266

By using ACL traffic is allow/disallowed based on IP and port number, source and destination.

Answer 267

10. 0.0.1 - 10.255.255.254 172. 16.0.1 - 172.31.255.254 192. 168.0.1 - 192.168.255.254

Answer 268

When 2 computers are on the same VLAN but are on different physical switches (different buildings). They can still talk to each other without having to be routed.

Answer 269

The request is sent out the switch to the trunking router to check the ACL. If it passes then it goes back to the switch to the destination port.

Answer 270

On border devices: | Firewalls and proxy servers

Answer 271

maps multiple private IPs to a single public IP using different ports

Answer 272

Uses a pool of public IPs and binds a private IP to one of the IPs in the public pool. The address translation is held until the connection ends. This is limited to the number of public IPs in the pool.

Answer 273

Also known as Destination NAT. It is when inbound traffic is requesting a resource by its public IP and port which is translated to the private IP. Ex a user requesting a web page requests the public IP for the web server and the NAT will translate it to the internal private IP for the web server.

Answer 274

1. maps a public IP on inbound traffic to an internal IP (Destination NAT) 2. maps multiple internal IP to a single public IP via port mapping (Source NAT) 3. maps internal IP addresses to a public address for internal requests made by internal users (Source NAT)