Net Def Final
Unlock all answers in this set
Unlock answersquestion
Firewalls can protect against employees copying confidential data from within the network. True/False
answer
False
question
Software firewalls are usually more scalable than hardware firewalls. True/False
answer
False
question
Stateless packet filtering keeps a record of connections that a host computer has made with other computers. True/False
answer
False
question
Generally, connections to instant-messaging ports are harmless and should be allowed. True/False
answer
False
question
Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful. True/False
answer
False
question
A dual-homed host has a single NIC with two MAC addresses. True/False
answer
False
question
A screened host has a router as part of the configuration. True/False
answer
True
question
Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny. True/False
answer
False
question
Proxy servers take action based only on IP header information. True/False
answer
False
question
The TCP normalization feature forwards abnormal packets to an administrator for further inspection. True/False
answer
False
question
Another name for a VPN connection is tunnel. True/False
answer
True
question
Hardware VPNs create a gateway-to-gateway VPN. True/False
answer
True
question
Standards and protocols used in VPNs are in their infancy and seldom used. True/False
answer
False
question
IPsec has become the standard set of protocols for VPN security. True/False
answer
True
question
If you use Windows RRAS for your VPN, you will need a third-party RADIUS server if you want to use RADIUS for authentication. True/False
answer
False
question
The term Internet and World Wide Web are different terms that mean the same thing. True/False
answer
False
question
Computers on the Internet are identified primarily by their IP address. True/False
answer
True
question
SQL injection attacks are isolated to custom applications, so administrators can prevent them. True/False
answer
True
question
The objective of a phishing attack is to entice e-mail recipients to click a bogus link where personal information can be stolen. True/False
answer
True
question
Windows Basic Authentication requires that users enter a username and password and the password is transmitted using a hashing algorithm. True/False
answer
False
question
The Cisco PIX line of products is best described as which of the following? A. software firewall B. PC with firewall installed C. firewall appliance D. VPN gateway
answer
C. firewall appliance
question
Which of the following is an advantage of hardware firewalls? A. not scalable compared to software firewalls B. not dependent on a conventional OS C. less expensive than software firewalls D. easy to patch
answer
B. not dependent on a conventional OS
question
Which of the following is NOT a criteria typically used by stateless packet filters to determine whether or not to block packets. A. IP address B. ports C. data patterns D. TCP flags
answer
C. data patterns
question
What should a company concerned about protecting its data warehouses and employee privacy might consider installing on the network perimeter to prevent direct connections between the internal network and the Internet? A. router B. filtering C. ICMP monitor D. proxy server
answer
D. proxy server
question
Which element of a rule base conceals internal names and IP addresses from users outside the network? A. tracking B. filtering C. NAT D. QoS
answer
C. NAT
question
Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization's security policy? A. only authenticated traffic can access the internal network B. employees can use instant-messaging only with external network users C. the public can access the company Web servers D. employees can have restricted internet access
answer
B. employees can use instant-messaging only with external network users
question
What is a suggested maximum size of a rule base? A. 30 rules B. 300 rules C. 10 rules D. 100 rules
answer
A. 30 rules
question
Which two ports should packet-filtering rules address when establishing rules for Web access? A. 143, 80 B. 25, 110 C. 80, 443 D. 423, 88
answer
C. 80,443
question
What service uses UDP port 53? A. SMTP B. DNS C. ICMP D. TFTP
answer
B. DNS
question
What are the to standard ports used by FTP along with their function? A. UDP 23 control, TCP 20 data B. UDP 20 data, TCP 21 control C. TCP 21 control, TCP 20 data D. TCP 23 data, TCP 21 control
answer
C. TCP 21 control, TCP 20 data
question
Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted? A. Teredo tunneling B. ICMPv6 encapsulation C. IPsec tunneling D. SMTP/S tunneling
answer
A. Teredo tunneling
question
Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power. A. server pooling software B. traffic distribution filter C. priority server farm D. load-balancing software
answer
D. load-balancing software
question
In what type of attack are zombies usually put to use? A. buffer overrun B. virus C. DDoS D. spoofing
answer
C. DDoS
question
What should you consider installing if you want to inspect packets as they leave the network? A. security workstation B. RIP router C. filtering proxy D. reverse firewall
answer
D. reverse firewall
question
Which type of firewall configuration protects public servers by isolating them from the internal network? A. screened subnet DMZ B. dual-homed host C. screening router D. reverse firewall
answer
A. screened subnet DMZ
question
Which type of security device can speed up Web page retrieval and shield hosts on the internal network? A. caching firewall B. proxy server C. caching-only DNS server D. DMZ intermediary
answer
B. proxy server
question
Which of the following is a disadvantage of using a proxy server? A. shields internal host IP addresses B. slows Web page access C. may require client configuration D. can't filter based on packet content
answer
C. may require client configuration
question
Which of the following best describes a bastion host? A. a host with two or more network interfaces B. a computer on the perimeter network that is highly protected C. a computer running a standard OS that also has a proxy software installed D. a computer running only embedded firmware
answer
B. a computer on the perimeter network that is highly protected
question
Which of the following is true about private IP addresses? A. they are assigned by the IANA B. they are not routable on the Internet C. they are targeted by attackers D. NAT was designed to conserve them
answer
B. they are not routable on the Internet
question
Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address? A. one-to-one NAT B. port address translation C. one-to-many NAT D. DMZ proxy translation
answer
B. port address translation
question
Which of the following is NOT an essential element of a VPN? A. VPN server B. tunnel C. VPN client D. authentication server
answer
D. authentication server
question
Which of the following is NOT true about a hardware VPN? A. should be the first choice for fast-growing networks B. can handle more traffic than software VPNs C. have more security vulnerabilities than software VPNs D. create a gateway-to-gateway VPN
answer
C. have more security vulnerabilities than software VPNs
question
Which activity performed by VPNs encloses a packet within another packet? A. address translation B. encryption C. authentication D. encapsulation
answer
D. encapsulation
question
Which VPN protocol leverages Web-based applications? A. PPTP B. L2TP C. SSL D. IPsec
answer
C. SSL
question
Which VPN protocol uses UDP port 1701 and does not provide confidentiality and authentication? A. IPsec B. L2TP C. PPTP D. SSL
answer
B. L2TP
question
Which VPN protocol works at Layer 3 and can encrypt the entire TCP/IP packet? A. PPTP B. L2TP C. IPsec D. SSL
answer
C. IPsec
question
Which IPsec component is software that handles the taks of encrypting, authenticating, decrypting and checking packets? A. ISAKMP B. IKE C. IPsec driver D. Oakley protocol
answer
C. IPsec driver
question
Which of the following is an improvement of TLS over SSL? A. requires less processing power B. uses a single hashing algorithm for all the data C. uses only asymmetric encryption D. adds a hashed message authentication code
answer
D. adds a hashed message authentication code
question
What was created to address the problem of remote clients not meeting an organization's VPN security standards? A. split tunneling B. VPN quarantine C. IPsec filters D. GRE isolation
answer
B. VPN quarantine
question
Which of the following is true about the Internet? A. it is the same as the World Wide Web B. it was established in the mid-1960s C. it was developed by a network of banks and businesses D. it was originally built on an extended star topology
answer
B. it was established in the mid-1960s
question
Which of the following is a highly secure public facility in which backbones have interconnected data lines and routers that exchange routing and traffic data? A. ISP B. POP C. NAP D. NSF
answer
C. NAP
question
What feature of the 13 DNS root servers enables any group of servers to act as a root server? A. multicast addressing B. broadcast addressing C. anycast addressing D. unicast addressing
answer
C. anycast addressing
question
What type of attack involves plaintext scripting that affects databases? A. phishing B. ActiveX control C. Java applet D. SQL injection
answer
D. SQL injection
question
What type of attack displays false information masquerading as legitimate data? A. Java applet B. phishing C. buffer overflow D. SQL injection
answer
B. phishing
question
Which of the following is NOT a step you should take to prevent attackers from exploiting SQL security holes? A. limit table access B. use stored procedures C. use standard naming conventions D. place the database server in a DMZ
answer
C. use standard naming conventions
question
Which variation on phishing modifies the user's host file to redirect traffic? A. spear phishing B. pharming C. DNS phishing D. hijacking
answer
B. pharming
question
What type of DNS server is authoratative for a specific domain? A. primary B. secondary C. read-only D. initial
answer
A. primary
question
What is a zone transfer? A. the movement of e-mail from one domain to another B. updating a secondary DNS server C. backing up an SQL data file D. coping host file data to another system
answer
B. updating a secondary DNS server
question
What type of DNS configuration prevents internal zone information from being stored on an Internet-accessible server? A. read-only zone B. anti-phishing DNS C. caching DNS zone D. split-DNS architecture
answer
D. split-DNS architecture
question
Which of the following is NOT a recommended security setting for Apache Web servers? A. harden the underlying OS B. create Web groups C. use the default standard Web page error messages D. disable HTTP traces
answer
C. use the default standard Web page error messages
question
A firewall can consist of all devices postioned on the network __________.
answer
perimeter
question
ACLs filter packets by using a _____________ base to determine whether to allow a packet to pass.
answer
rule
question
The ACK flag is normally sent at the end of the three-way ___________ to indicate that a connection is established.
answer
handshake
question
A primary objective of a rule base is to _______________ communications based on complex rules.
answer
filter
question
The rule base should permit access to public servers in the ____________ and enable users to access the Internet.
answer
DMZ
question
A __________ router determines whether to allow or deny packets based on their source and destination IP addresses.
answer
screening
question
In a screened ____________ setup, a router is added between the host and the Internet to carry out IP packet filtering.
answer
host
question
A DMZ is a subnet of ____________ accessible servers placed outside the internal network.
answer
publicly
question
You can _________ a bastion host by removing unnecessary accounts and services.
answer
harden
question
Network gateways are _____________ of the VPN connection.
answer
endpoints
question
The Internet Key ____________ protocol enables computers to make an SA.
answer
Exchange
question
TLS splits the input data in half and recombines it using a(n) ___________ function.
answer
XOR
question
The internet tier system starts with a backbone network connected via _____________ to regional Internet service providers.
answer
NAPs
question
_____________ direct network traffic to its destionation on the Internet using tables and protocols.
answer
Routers
question
The lack of authentication for computers on the Internet make IP _____________ possible, which is change in the IP addresses in the headers of malicious packets.
answer
spoofing
question
DNS _____________ poisoning streers unsuspecting victims to a server of the attacker's choice instead of the intended Web site.
answer
cache
question
_________ are networks of zombie computers that magnify the scope and intensity of an attack.
answer
Botnets
question
A critical buffer component is the function __________ and buffer overflows are usually aimed at this component.
answer
stack
question
A _____________ applet is a small program sometimes used as embedded code in Web pages.
answer
Java
question
The goal of ____________ is to provide authentication of DNS data and ensure integrity of DNS data.
answer
DNSSEC
question
software that forwards network packets and caches Web pages to speed up network performance
answer
proxy server
question
the end point of a computer-to-computer connection defined by an IP address and port address
answer
socket
question
a packet-filtering rule that comes last in a rule base and covers any packets that have not been covered by preceding rules
answer
cleanup rule
question
hardware devices with firewall functionality
answer
firewall appliance
question
simple filters that determine whether to allow or block packets based on information in protocol headers
answer
stateless packet filters
question
the collection of rules that filter traffic at an interface of a firewall
answer
rule base
question
a process that uses the source and destination TCP and UDP port addresses to map traffic between internal and external hosts
answer
many-to-one NAT
question
the process of mapping one internal IP address to one external IP address
answer
one-to-one NAT
question
a computer configured with more than one network interface
answer
dual-homed host
question
a host in which one interface is connected to an internal network and the other interface is connected to a router to an untrusted network
answer
screened host
question
software that prioritizes and schedules requests and then distributes them to servers in a server clusted based on each server's current load and processing power
answer
load-balancing software
question
a router placed between an untrusted network and an internal network
answer
screening router
question
a form of key exchange used to encrypt and decrypt data as it passes though a VPN tunnel
answer
IKE
question
an IETF standard for secure authentication of requests for resource access
answer
Kerberos
question
an IPsec protocol that encrypts the header and data components of TCP/IP packets
answer
ESP
question
a protocol developed by Netscape Communications Corporation as a way of enabling Web servers and browsers to exchange encrypted information
answer
SSL
question
a set of standard procedures that the IETF developed for enabling secure communication on the Internet
answer
IPsec
question
a nonproprietary tunneling protocol that can encapsulate a variety of Network layer protocols
answer
GRE
question
a network addressing scheme that allows DNS services to be decentralized among a group of servers, regardless of their location
answer
anycast addressing
question
a network architecture that uses a single DNS domain with a DNS server on the organization's DNZ for Internet services and a DNS server on the internal network for service to internal hosts
answer
split brain DNS architecture
