Security Architecture Domains 1 and 2 Flashcards

Question

What techniques can be used in small organisations to help with the problem of separation of duties?

Answer 1

Assign accounts on a per-role basis - An individual should have a separate account for each role used. Prevent those with multiple roles from reading and writing to the same storage area Auditing is vital - Consider implementing object-level auditing for individuals with multiple roles. Conduct more frequent evaluations

Answer 2

the Trusted Computing Base (TCB).

Answer 3

the most vulnerable components of the TCB

Answer 4

Port Locking and Network Access Control (switches) User management and resource control (Workstations and Servers) Network Filtering and Access Control (Routers) Business data access rules (Databases) Boundary protections (firewalls) Information Flow Control (Application servers)

Answer 5

Security Kernel

Answer 6

Authentication, auditing, and access control.

Answer 7

The security reference monitor

Answer 8

Compares an access request against a listing that describes the allowed actions

Answer 9

Authentication, Authorisation and Accounting

Answer 10

A single device as the security reference monitor. Authorisation and access control decisions are made from the centralised device

Answer 11

1. The ACS proxies client requests - limits communication 2. A gatekeeper mechanism - limits communication 3. Free roaming on the network with control over individual access requests.

Answer 12

Single point of failure Single point of compromise Capacity

Answer 13

TACACS, TACACS+, RADIUS, and EAP are just a few of the most common access

Answer 14

An older centralised access control system. Terminal Access Control ACS. On port 49

Answer 15

A critical shortcoming in TACACS is the lack of encryption. All communication from a TACACS client to the server is in cleartext. Using this protocol through an untrusted or public network exposes the session and endpoints to a potential compromise.

Answer 16

Protocol supporting centralised access control TACACS+ - This proprietary protocol by Cisco is based on TACACS. It is primarily used with TCP on port 49. This protocol overcomes the security weaknesses of its predecessor by providing encryption for the packet payload. Authentication, Authorization, and Accounting (AAA) capabilities are built into the protocol, whereas it is missing from TACACS.

Answer 17

The use of AAA capabilities is implementation specific. Therefore, a security architect must ensure that each TACACS+ implementation is consistent with the policy of the organization.

Answer 18

Protocol supporting centralised access control The Remote Authentication Dial In Service (RADIUS) also has AAA capabilities built into the protocol. RADIUS is a centralized access control protocol commonly used in the telecommunications industry as well as by Internet service providers. A network access server (NAS) acting as the gateway to a network passes client access requests to the RADIUS server.

Answer 19

Protocol supporting centralised access control The Extensible Authentication Protocol (EAP) is a protocol supporting multiple authentication methods. It operates above the data link layer and therefore does not rely on IP. Essentially a peer-to-peer protocol. The protocol relies on the lower layer to ensure packet ordering, but retransmissions are the responsibility of EAP. Its design as an authentication protocol prohibits its use for data transport, which would be inefficient.

Answer 20

Reduce attack surface Active monitoring Device backup Redundancy

Answer 21

decentralized access control mechanism. The

Answer 22

- Continuous synchronization considerations - The access control mechanism is only as current as the last synchronization. Excessive gaps in the time between synchronizations may allow inappropriate access to the system or objects. - Bandwidth usage - Synchronization events might consume a lot of bandwidth. Nodes joined through low-bandwidth connections may consume a disproportionate amount of bandwidth when synchronizing. - Physical and logical protection of each access control node - A compromise of one access control node could propagate a compromise to all. Successful attacks against the centralized database in one location could provide the attacker with the ability to attack any node participating in the architecture.

Answer 23

- Physical security - Management coordination - Remote maintenance (making it reachable to) - Exclusion from DMZ

Answer 24

Cooperative effort Mutual risk Utilize a DMZ Exclude access control integration

Answer 25

A framework to specify the attributes used to create a directory as well as the methods used to access its objects

Answer 26

Lightweight Directory Access Protocol (LDAP).

Answer 27

Active Directory

Answer 28

Supports hierarchical access to structured information.

Answer 29

Depends on the physical security of the device with the private key

Answer 30

Security Event Management (SEM) and Security Information Management (SIM).

Answer 31

1. Data aggregation 2. Correlation 3. Alerting 4. Dashboards 5. Compliance 6. Retention

Answer 32

The ability to use correlation techniques to integrate data from different sources.

Answer 33

A system user is the principal subject of interest within an access control mechanism.

Answer 34

every object

Answer 35

SQL commands are sent in clear text

Answer 36

Three-tier Web-based applications are a frequently used architecture to provide controlled access to organizational data.

Answer 37

1. A web browser can be used instead of proprietary applications 2. Provides a method of allowing multiple users to get access to the sites 3. Communication channels can be encrypted

Answer 38

1. Increased complexity 2. Vulnerability to cross site scripting 3. Middle tier security (a breach of the server could result in a breach of the data)

Answer 39

Orphaned groups Duplicated groups Separation of duty violations Failures in least privilege

Answer 40

Identity management

Answer 41

Users Rights and permissions

Answer 42

mutual exclusivity

Answer 43

the ability to specify mutual exclusivity.

Answer 44

groups could be used to mimic role-based access.

Answer 45

A detailed listing of the attributes and uses of each group as a role is required.

Answer 46

permissions associated with the roles

Answer 47

Refrain from assigning account permissions on objects. .

Answer 48

Yes, Issue users multiple accounts. This is necessary if varying levels of rights are needed. This does not mean a user must have an account for each role, but rather, the inclusion of a member in a "role" must not create a situation where an account can easily circumvent its intended use. In this regard, a solid identity management methodology increases in importance.

Answer 49

could act as intermediaries between subjects and objects.

Answer 50

monitor for inappropriate permissions and audit for misuse

Answer 51

Time Sequence Dependencies

Answer 52

The concept of TBAC is still an emerging topic. Presently, there are no accepted standards or definitions of what TBAC entails. However, this does not detract from the usefulness of implementing access control according to the attributes of a task in a workflow. Indeed, many organizations already implement types of access control in workflows. A number of document collaboration suites implement workflows and make use of TBAC enforcement attributes.

Answer 53

subnets or addresses that are accessible from a segment

Answer 54

Different segments should be physically separated until they are connected to the node applying the logical access controls. This prevents an insider from spoofing an address in an alternate subnet and bypassing access controls based on physical location.

Answer 55

When the segment has been compromised by a bot or a trojan

Answer 56

1. Device recognition - Each device type must be recognizable in some way by the access control mechanism. 2. Policy enforcement - Access control decisions are made according should not be allowed to connect and pass traffic in the network.

Answer 57

The rules regarding what the device is allowed to communicate with would be encoded into Layer 2 devices, Layer 3 devices, and monitoring devices.

Answer 58

As devices connect to the network, they are authenticated according to the certificate presented. A RADIUS server is used to support device authentication.

Answer 59

- Standards based - all connected devices can be authenticated - connection attempts can be logged

Answer 60

- not supported by all device types - each device still needs a certificate - certificates need to be managed - limited to authentication

Answer 61

- specialised - supported - policy alignment can be determined - automated

Answer 62

- cost - hype (imaginary functionality) - may not support all device types

Answer 63

* Join logical and physical - use the logical and physical attributes of nodes and networking equipment. * Layer controls - Use multiple techniques to achieve defence in depth. * Map and inventory the network * Conduct traffic pattern analysis - * Know where segments exist physically - * Implement rules on networking equipment * Monitor compliance

Answer 64

* Entity - A person or process claiming a particular identity. * Identity - A unique designator for a given subject. * Authentication factor - Proof of identity supplied by the entity. * Authenticator - The mechanism to compare the identity and factor against a database of authorised subjects. * Database - A listing of identities and associated authentication factors.

Answer 65

An individual who is yet to be authenticated is referred to as an entity rather than a subject. This distinction is necessary because a subject represents someone or something with logical rights and permissions in a system. An entity has no logical rights before authentication. An entity graduates to a subject when successfully validated.

Answer 66

1. It is known only to the entity 2. Reproduction of it is infeasible 3. It is computationally impractical to replicate

Answer 67

Badges Magnetic strips Proximity cards

Answer 68

Most cards are not capable of using encryption to prevent spoofing. Rogue readers with high output fields and strong sensitivity can be used to capture card identities as people pass by. This information can be passed to specially constructed devices that retransmit card information, allowing access to protected areas.

Answer 69

either physical or behavioural.

Answer 70

The way each person uses a keyboard represents a biometric referred to as typing dynamics or keystroke dynamics.

Answer 71

Accuracy Enrolment time Response time Security

Answer 72

Cost Acceptance Storage Changes

Answer 73

1. Users are still somewhat reluctant to participate in iris-based biometrics. It seems that people fear that the acquisition device could damage their eyes due to the use of infrared technology. 2. Eye movement, proximity, and angle of the acquisition device, as well as lighting, affect the quality of the minutiae collected. These variations can hinder the enrollment process.

Answer 74

User acceptance. Enrolment and authentication with a retina recognition device requires an individual to place the eye very close to the input device. Many users fear damage to their eye by the device or contracting an eye disease from a prior user. Eye glasses and contacts also interfere with the proper operation of a retina detection device. Due to cost and acceptance considerations, retina-based biometrics should only be used when a high level of security is essential.

Answer 75

Lighting, hairstyles, subject aging, cosmetics, accessories such as glasses or piercing, expressions, and facial hair can affect the accuracy of the detection process. Furthermore, some facial recognition techniques can be fooled with an image of the actual subject presented to the input device. Some facial recognition techniques also fail to distinguish between identical twins.

Answer 76

if something you are is reproducible or can be captured, then there is the risk of abuse. In such cases something you have, like a key that cannot be reproduced is superior.

Answer 77

A Biometric Template Logger (BTL) could also be used to capture minutiae attributes before they are sent over a network.

Answer 78

* Requirements - Have all requirements been addressed? * Operations - Are organizational needs met? * Functionality - Does it work as desired? * Weaknesses - Can it be circumvented?

Answer 79

laws, regulations, industry standards, and organisational policies.

Answer 80

Unique identifier Sources Requirement - Interpretation

Answer 81

* Operational - The access control must work as intended with the desired results. * Usable - A difficult-to-use access control mechanism will ultimately prove ineffective.

Answer 82

to ensure that the questions regarding requirements, operations, functionality, and weaknesses are not left unanswered.

Answer 83

Identify access control gaps Identify policy deficiencies Look for obvious ways to circumvent controls Identify countermeasures Use defence in depth to counteract weaknesses

Answer 84

Exercise controls Penetration testing Vulnerability assessment

Answer 85

- implemented correctly - operating as intended - producing the desired outcome

Answer 86

Determines if the controls are working as expected by running test cases

Answer 87

Determines if the controls can be circumvented

Answer 88

Identifies potential flaws in the system

Answer 89

Access control testing should ensure that the link between an entity and authentication factor is resistant to compromise and tampering.

Answer 90

Testing should determine if subject interactions with the system could result in the ability to increase rights or not.

Answer 91

have their permissions checked.

Answer 92

The correct option is A Permissions regulate the type of access a subject is given to an object. Common permissions include: read, write, delete, and execute.

Answer 93

The correct option is A Discretionary Access Control is the predominant access control technique in use today. Most commodity systems implement some form of DAC.

Answer 94

The correct option is B This is the basic functionality of Mandatory Access Control. The fundamental principles of MAC prevent a subject from reading up and writing down between classifications.

Answer 95

The correct option is B Among the options given, only DRM provides a means to control proprietary content

Answer 96

The correct option is D Disasters are unlikely; therefore, least privilege should not be designed with limitations.

Answer 97

The correct option is A Separation of duties is best implemented with roles composed of granular rights and permissions.

Answer 98

The correct option is C Accountability becomes more important when separation of duties is weak or unachievable. Auditing is paramount. Consider implementing object-level auditing for individuals with multiple roles. Identify key areas where abuse might occur, and implement multiple methods to monitor for violations.

Answer 99

The correct option is B Authentication, authorization, and accounting are important aspects of centralized access control.

Answer 100

The correct option is A A firewall with an integrated authentication mechanism is an example of a centralized access control device using the gatekeeper approach. This type of approach is primarily used to control access to resources and services at particular locations within the protected network.

Answer 101

The correct option is D Decentralized access control relies on shared databases.

Answer 102

The correct option is D Federated Access Control enables a business partner type of single sign-on.

Answer 103

The correct option is C RFC 4510 describes a simplified X.500 Directory Access Control protocol.

Answer 104

Polling by a centralised server is commonly used to query other servers to periodically collect events.

Answer 105

The correct option is A In DAC, non-system processes run in the memory space owned by the end user.

Answer 106

The correct option is B Vulnerabilities in the design or implementation could enable network penetration.

Answer 107

The correct option is C Views can be used as a type of access control for designated users or database requests.

Answer 108

The correct option is D The goal of a DMZ is to prevent or control information flow from outside to inside

Answer 109

The correct option is B Dual control requires explicit separation of duties and protocols.

Answer 110

The correct option is B The results of a test that is not documented or repeatable are questionable.

Answer 111

shifts conversations into predefined channels of frequency division multiplexers

Answer 112

Pulse Code Modulation (PCM)

Answer 113

Pulse Code Modulation PCM

Answer 114

First, the analog signal is sampled at predefined time intervals. Next, each sample, which can have an infinite number of heights, is quantized into a predefined value that is closest to the height of the signal. Then, the resulting height is encoded into a series of bits.

Answer 115

24 voice calls were sampled and encoded into 8 bits, and a framing bit was added to provide a pattern used for synchronisation. This was the well-known T1 frame, which comprises 193 bits (8 × 24 + 1) Because sampling occurs 8000 times per second, the data rate of the now ubiquitous T1 line became 193 bits/ frame × 8000 frames/second, or 1.544 mb per second

Answer 116

A T2 consists of four T1 lines multiplexed with additional framing that is used between telephone company offices operates at 6.312Mbps

Answer 117

28 T1 lines multiplexed operating at 44.736 Mbps

Answer 118

1. numerous data sources could be routed over common high-speed circuits. 2. each packet had its integrity checked via the use of a Cyclic Redundancy Check (CRC) 3. Packet switching could make use of alternate routes

Answer 119

Asynchronous could only provide a parity bit, which cannot detect multiple errors

Answer 120

The delay resulting from the need to retransmit packets because of CRC mismatches caused by spurious hits on circuits resulting primarily from machinery and weather conditions.

Answer 121

1. the end-to-end delay associated with packets carrying digitized voice, 2. jitter, 3. the method of voice digitization used, 4. the packet loss rate, and 5. security.

Answer 122

Jitter represents the variation in packet transit caused by queuing, contention, and the propagation of data through a network? Distorts sound

Answer 123

H.323 Recommendation, which defines a series of protocols to support audiovisual communications on packet networks.

Answer 124

the signaling required to establish and tear down communications, including voice and video calls flowing over a packet network

Answer 125

Signaling system protocol originally used for establishing and tearing down calls made over the world's series of public switched telephone networks. However, to make a call over a packet network such as the Internet, SS7 information must be conveyed. This occurs by transporting SS7 over the Internet Protocol (IP).

Answer 126

An endpoint in a LAN that participates in real-time, two-way communications with another H.323 terminal, gateway, or multipoint control unit (MCU). Under the H.323 standard, a terminal must support audio communication and can also support audio with video, audio with data, or a combination of all three.

Answer 127

The physical and logical connections from a packet-switched network to and from circuit-switched networks.

Answer 128

admission control, address translation, and bandwidth management.

Answer 129

three or more terminals and gateways to participate in a multipoint conference.

Answer 130

H.323 Zone.

Answer 131

telephony and VolP services to be delivered over a packet network.

Answer 132

SS7, a mnemonic for Signaling System No. 7,

Answer 133

By itself, the G3 standard does not directly deal with security. Although a modified Huffman coding is employed to reduce transmission time of each scanned line, anyone who has the knowledge to tap a transmission can more than likely decode the transmission.

Answer 134

as perimeter controls

Answer 135

a VolP call would require TCP data to convey the dialed number and other control information, while UDP would be used to transport digitized voice.

Answer 136

Local Area Signaling Service (LASS) codes. LASS codes are numbers entered on a telephone touchpad to access special features of the telephone system. Two well-known LASS codes are 67, which toggles Caller-ID blocking, and 69 for Call Return. By knowing how to use LASS codes, a hacker may be able to exploit the configuration of the callback feature of a security modem

Answer 137

Unified threat management (UTM) gateways

Answer 138

Web application firewalls

Answer 139

Router - uses table to look up forwarding address Firewall - tests, the packet if it fails it is discarded

Answer 140

Router examines headers - for routing information Firewall goes deeper, sometimes checking the contents for login attempts

Answer 141

Routers do not do proxy services Firewalls do

Answer 142

as Network Behavior Analysis (NBA) IDS

Answer 143

An inline sensor is deployed so that the network traffic it is monitoring must pass through it, much like the traffic flow associated with a firewall.

Answer 144

A passive sensor is deployed so that it monitors a copy of the actual network traffic; no traffic actually passes through the sensor. Passive sensors are typically deployed so that they can monitor key network locations, such as the divisions between networks, and key network segments, such as activity on a demilitarized zone

Answer 145

A port that can see all of the traffic going through the switch.

Answer 146

A network tap is a direct connection between a sensor and the physical network media itself, such as a fiber optic cable. The tap provides the sensor with a copy of all network traffic

Answer 147

An IDS load balancer is a device that aggregates and directs network traffic to monitoring systems, including IDS sensors.

Answer 148

sampling the traffic

Answer 149

Access point (AP) It needs to divide its time between providing access and monitoring traffic

Answer 150

intrusion detection capability.

Answer 151

are designed to be installed without an IP network address. Instead, they operate promiscuously, examining each packet flowing on the network and responding to predefined attacks by dropping packets, changing equipment settings, and generating a variety of alerts.

Answer 152

* Compliance through log management and compliance reporting * Threat management through real-time monitoring of user activity, data access, and application activity and incident management * A deployment that provides a mix of compliance and threat management capabilities

Answer 153

Storage. How much space will the events take? Events per second.

Answer 154

1. Bandwidth utilisation 2. HTTP Tunneling

Answer 155

"if the bandwidth directed to my web servers is greater than 40Mb/s for 10 minutes or more, trigger an alert."

Answer 156

If users are tunneling other protocols through HTTP they are likely attempting to evade controls, or it could be malware attempting to evade controls.

Answer 157

monitors for TCP port 80 or 443 traffic that is NOT HTTP protocol based.

Answer 158

Service Set identifier (SSID). The SSID is periodically broadcast by the access point

Answer 159

to turn off SSID broadcasting.

Answer 160

as peer-to-peer and infrastructure.

Answer 161

communicate directly with one another.

Answer 162

an access point. (Wireless router)

Answer 163

a two-port bridge, with one port representing the wireless interface while the second port is the wired interface.

Answer 164

flooding, filtering, and forwarding, as it builds a table of MAC addresses associated with each port.

Answer 165

One or more stations and an access point are referred to as a Basic Service Set BSS

Answer 166

Extended service set (ESS)

Answer 167

Extended Service Set Identifier (ESSID).

Answer 168

the wireless network.

Answer 169

only communicate with other devices using the same ESSID.

Answer 170

Wired Equivalent Privacy (WEP)

Answer 171

It was broken by several persons several years ago

Answer 172

two versions of Wi-Fi Protected Access (WPA and WPA2), and two new wireless-security-related standards from the IEEE referred to as the 802.11i and 802.1X.

Answer 173

Temporal Key Integrity Protocol (TKIP).

Answer 174

the Wi-Fi Alliance

Answer 175

1. a key mixing function, 2. a sequence counter that protects against replay attacks, and 3. a 64-bit message integrity check to eliminate the potential of a man-in-the-middle attack.

Answer 176

AES and CCMP 40

Answer 177

Personal mode and Enterprise mode.

Answer 178

1. Pre-shared key (PSK), and its use 2. encrypt traffic using a 256-bit key. That key can be entered as a passphrase of 8 to 63 printable ASCII characters or as a string of 64 hex digits.

Answer 179

implement the majority of the IEEE 802.11 standard, with WPA2 supporting the Advanced Encryption Standard (AES).

Answer 180

Advanced Encryption Standard

Answer 181

three block ciphers; AES-128, AES-192, and AES-256.

Answer 182

They are all 128Bit, the number refers to the key size

Answer 183

the fixed-length chunk of data that a block cipher processes at a time

Answer 184

While WPA and WPA2 represent a majority of the 802.11i standard, they are not fully compatible with it. While 802.1 li makes use of the AES block cipher,

Answer 185

The RC4 stream cipher. Another difference

Answer 186

authentication mechanism based on the use of the Extensible Authentication Protocol (EAP)

Answer 187

Cipher block chaining message authentication an encryption protocol based on AES

Answer 188

1. support for the 802.1X standard for authentication 2.The use of AES based counter mode with CCMP

Answer 189

port based authentication requiring devices to be authenticated prior to gaining access to a LAN

Answer 190

the supplicant

Answer 191

the authenticator opens the port to the supplicant's traffic, otherwise it is blocked.

Answer 192

is the use of a layer 3 VPN, an alternative security mechanism that can be valuable when users are traveling or their organisation does not fully support the 802.1X standard.

Answer 193

1. it can restrict who can access devices attached to specific switch ports, 2 It can enhance throughput by limiting broadcast traffic.

Answer 194

programs that operate as add-ons to Web browsers or at a corporate gateway, blocking unacceptable messages that might be pornographic or racist or otherwise harmful

Answer 195

Content filter

Answer 196

Content filtering

Answer 197

terminate outbound HTTPS sessions at the firewall.

Answer 198

This is accomplished by acting as a trusted man-in-the-middle. When a request is made of the firewall for an HTTPS protected resource, the firewall will establish a new connection to the destination server and retrieve its SSL certificate. The firewall then copies the information from the certificate and creates its own certificate using these details and provides that to the client. As long as the client trusts the root certificate of the firewall the process is completely transparent to the end user.

Answer 199

JavaScript and VBScript, Java applets, ActiveX controls, Flash animations, and even macros embedded within Microsoft Office documents such as Excel and Word documents.

Answer 200

Data loss prevention

Answer 201

Enterprise DLP solutions Channel DLP for specific channels like email DLP-lite - monitors only specific protocols

Answer 202

involve non IT stakeholders

Answer 203

the upper three layers of the OSI model (application, presentation, and session),

Answer 204

the intersection of the tremendous increase in smart device capabilities and the Bring Your Own Device (BYOD) phenomenon that has become prevalent in recent years

Answer 205

checks the Internet cookies in the user's machine.

Answer 206

to gratuitous link-sharing behaviors seen commonly on social networking sites.

Answer 207

The malicious content is hosted outside of the security infrastructure of the organisation.

Answer 208

SSL Secure Sockets Layer

Answer 209

Transport Layer Security (TLS) that is very similar to SSL Version 3.0; these standards are often referred to interchangeably in this

Answer 210

It is important to note that SSL does not support some TCP features, such as out-of-band data.

Answer 211

Netscape Communications Corporation in 1994.

Answer 212

1. After building a TCP connection, the SSL handshake is started by the client. 2. The client sends a number of specifications: which version of SSL/TLS it is running, what ciphersuites it wants to use, and what compression methods it wants to use. 3. The server checks what the highest SSL/TLS version is that is supported by them both, picks a ciphersuite from one of the client's options (if it supports one), and optionally picks a compression method. 4. After this the basic setup is done, the server sends its certificate. 5. Having verified the certificate and being certain this server really is who he claims to be (and not a man in the middle), a key is exchanged. This can be a public key, a PresharedSecret, or simply nothing, depending on the chosen ciphersuite. 6. Both the server and the client can now compute the key for the symmetric encryption. 7. The client tells the server that from now on, all communication will be encrypted, and sends an encrypted and authenticated message to the server.

Answer 213

close_notify

Answer 214

If an attacker tries to terminate the connection by finishing the TCP connection (injecting a FIN packet), both sides will know the connection was improperly terminated.

Answer 215

in the application layer, through passwords sent over an SSL-protected communications link between client and server

Answer 216

the client, the server is normally authenticated in the SSL layer

Answer 217

the fact that information passed over a secure connection becomes nonsecure when the server being accessed stores the received data on a hard drive.

Answer 218

voluntary and compulsory

Answer 219

The client

Answer 220

the communications carrier network provider

Answer 221

The client first initiates a connection to the communications carrier, which is an Internet service provider (ISP), when establishing an Internet VPN. Then, the VPN client application creates the tunnel to a VPN server over the connection.

Answer 222

- the Point-to-Point Tunneling Protocol (PPTP), - Layer 2 Tunneling Protocol (L2TP), - IP Security (IPSec), - a combination of L2TP and IP Sec referred to as L2TP/IPSec, and TCP Wrappers.

Answer 223

Point-to-Point Protocol (PPP)

Answer 224

PPTP stores data within PPP packets, then encapsulates the PPP packets within IP datagrams for transmission through an Internet-based VPN tunnel.

Answer 225

- the Password Authentication Protocol (PAP), - the Challenge-Handshake Authentication Protocol (CHAP), - and the Extensible Authentication Protocol EAP

Answer 226

its inclusion in just about every version of Windows. Thus, Windows servers also can function as PPTP-based VPN servers without having an organization bear any additional cost.

Answer 227

- Vulnerable to man in the middle attacks - Only supports single factor (password based) authentication - It has failed to embrace a single standard for authentication and encryption

Answer 228

Thus, two products that both fully comply with the PPTP specification can be totally incompatible with each other if they encrypt data differently.

Answer 229

by Layer 2 Tunneling Protocol and IPSec.

Answer 230

Layer 5 protocol and operates at the session layer of the OSI model using UDP Port 1701.

Answer 231

LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel, while the LNS is the server, which waits for new tunnels to be established. Once a tunnel is established, network traffic is bidirectional.

Answer 232

the tunnel is created from the LAC via the Internet to the LNS on a distant corporate network, and neither remote client has knowledge of the tunnel nor needs L2TP client software. Instead, each remote client creates a PPP connection to the LAC and is then tunneled to the LNS.

Answer 233

compulsory tunneling

Answer 234

occurs via PPP at the LAC or the LNS.

Answer 235

3 secures everything in the network

Answer 236

a client installation.

Answer 237

It is not only for web traffic, it covers all traffic

Answer 238

The operation of IPSec at Layer 3 makes this security protocol more flexible than SSL/TLS and higher-layer protocols.

Answer 239

1. Authentication Header (AH): Provides authentication for IP datagrams as well as protection against replay attacks. 2. Encapsulating Security Payload (ESP): Provides authentication, data integrity, and confidentiality of packets transmitted. 3. Internet Key Exchange (IKE): It is an IPSec protocol that is used to set up a Security Association (SA) by handling negotiation of the encryption and authentication keys to be used by IPSec.

Answer 240

using encryption without authentication is strongly discouraged because it is insecure.

Answer 241

uniquely identify a security association for that packet.

Answer 242

Authentication header

Answer 243

Transport mode

Answer 244

Tunnelling model

Answer 245

provides origin authentication, data integrity, and confidentiality of packets. ESP also supports encryption-only.

Answer 246

Unlike AH, ESP does not protect the IP packet header.

Answer 247

along with IPSec; the result is referred to as L2TP/IPSec,

Answer 248

no information about the content of the packet can be obtained from the encrypted packet.

Answer 249

the use of EAP

Answer 250

5 Session Layer

Answer 251

route packets between client-server applications via a proxy server.

Answer 252

loading a Web page that contains a malicious request.

Answer 253

accessing a Web-site.

Answer 254

when an attacker embeds a script in data pushed to the user as a result of a GET or POST request (first order) or when the script is retained in long-term storage before being activated (second order).

Answer 255

the insecure binding between DNS host names and network addresses.

Answer 256

both the victim and attacker have the same host name,

Answer 257

changes in principals or permissions

Answer 258

access controls are set in error and open a security hole for unintended access. For example, if access control rules are set to *.edu, any .edu site can access the users resources

Answer 259

Remote monitoring

Answer 260

Oversight Maintenance Visibility

Answer 261

The correct option is B The frequency range of a person's voice typically varies between 0 and 20 kHz, while a telephone channel has a passband of 3 kHz. The telephone company uses low-pass and high-pass filters to remove frequencies below 300 Hz and above 3300 Hz because the primary information of a voice conversation occurs in the passband. This allows more channels to be multiplexed onto a wideband circuit.

Answer 262

The correct option is B The data rate of PCM-encoded voice conversation is 64 kbps.

Answer 263

The correct option is D There can be up to 24 digitized voice channels on a T1 line.

Answer 264

The correct option is C Up to 24 T1 lines can be transported on a T'3 circuit.

Answer 265

The correct option is C Three advantages associated with the use of packet networks in comparison to the use of the public switched telephone network include a potential lower cost of use, a lower error rate as packet network nodes perform error checking and correction, and the ability of packet networks to automatically reroute data calls.

Answer 266

The correct option is A Five VolP architecture concerns include the end-to-end delay associated with packets carrying digiticed voice, jitter, the method of voice digitization used, the

Answer 267

The correct option is A Analog voice is encrypted by shifting portions of frequency to make the conversation unintelligible. In comparison, the encryption of digitized voice occurs by the modulo-2 addition of a random key to each digitized bit of the voice conversation.

Answer 268

The correct option is D Authentication is the process of verifying the other party in a conversation or transaction.

Answer 269

The correct option is A Integrity is a process that ensures data received has not been altered.

Answer 270

The correct option is D SIP defines the signalling required to establish and tear down communications to include voice and video calls flowing over a packet network.

Answer 271

The correct option is D The H.323 standard can be considered to represent an umbrella recommendation from the International Telecommunications Union (ITU) that covers a variety of standards for audio, video, and data communications across packet-based networks and, more specifically, IP-based networks such as the Internet and corporate Intranets.

Answer 272

The correct option is C The Real Time Protocol (RTP) defines a standardized packet format for delivering audio and video over the Internet, while the RTCP provides out-of-band control information for an RTP flow.

Answer 273

The correct option is A The H.323 standard defines the following components: Terminal, Gateway, Gatekeeper, MCU (Multipoint Control Unit), Multipoint Controller, Multipoint Processor, and H.323 Proxy.

Answer 274

The correct option is A A security modem represents a special type of modem that allows remote access to occur from trusted locations, may encrypt data, and may support caller ID to verify the calling telephone number.

Answer 275

The correct option is C The major difference between a router and firewall lies in three areas: the transfer of packets based on routing tables, the degree of packet inspection, and acting as an intermediate device by hiding the address of clients from users on the Internet, a technique referred to as acting as a proxy.

Answer 276

The correct option is B An IDS represents hardware or software that is specifically designed to detect unwanted attempts at accessing, manipulating, and even disabling networking hardware and computers connected to a network. In comparison, an IPS represents an active system that detects and responds to predefined events. Thus, the IPS represents technology built on an IDS system. This means that the ability of the IPS to prevent intrusions from occurring is highly dependent on the underlying IDS.

Answer 277

The correct option is A Wireless LANs can communicate is two different ways referred to as peer-to- peer and infrastructure.

Answer 278

The correct option is B The original security for wireless LANs, referred to as Wired Equivalent Privacy (WEP), permits the equivalent of wired network privacy and nothing more. WEP was broken by several persons many years ago. WPA represents a security protocol created by the Wi-Fi Alliance to secure wireless transmission and was created in response to the security weakness of WEP. This protocol implements a large portion of the IEEE wireless security standard referred to as 802.11i and WPA included the use of the Temporal Key Integrity Protocol (TKIP) to enhance data encryption.

Answer 279

The correct option is A The IEEE 802.1X standard provides port-based authentication, requiring a wireless device to be authenticated prior to its gaining access to a LAN and its resources. Under this standard, the client node is referred to as a supplicant while the authenticator is usually an access point or a wired Ethernet switch.