Computer Science
Q:
Which type of firewall configuration protects public servers by isolating them from the internal network?
a. screened subnet DMZ
b. dual-homed host
c. screening router
d. reverse firewall
Q:
What should you consider installing if you want to inspect packets as they leave the network?
a. security workstation
b. RIP router
c. filtering proxy
d. reverse firewall
Q:
In what type of attack are zombies usually put to use?
a. buffer overrun
b. virus
c. DDoS
d. spoofing
Q:
Where should network management systems generally be placed?
a. out of band
b. in the DMZ
c. on the perimeter
d. in the server farm
Q:
Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power?
a. server pooling software
b. traffic distribution filter
c. priority server farm
d. load-balancing software
Q:
What do you call a firewall that is connected to the Internet, the internal network, and the DMZ?
a. multi-homed proxy
b. three-pronged firewall
c. three-way packet filter
d. multi-zone host
Q:
Which of the following best describes a DMZ?
a. a network of computers configured with robust firewall software
b. a subnet of publicly accessible servers placed outside the internal network
c. a private subnet that is inaccessible to both the Internet and the company network
d. a proxy server farm used to protect the identity of internal servers
Q:
Which of the following is true about a dual-homed host?
a. serves as a single point of entry to the network
b. its main objective is to stop worms and viruses
c. uses a single NIC to manage two network connections
d. it is used as a remote access server in some configurations
Q:
Which of the following is true about a screening router?
a. it examines the data in the packet to make filtering decisions
b. it can stop attacks from spoofed addresses
c. it maintains a state table to determine connection information
d. it should be combined with a firewall for better security
Q:
The TCP normalization feature forwards abnormal packets to an administrator for further inspection.
Q:
Proxy servers take action based only on IP header information.
Q:
Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny.
Q:
A screened host has a router as part of the configuration.
Q:
A dual-homed host has a single NIC with two MAC addresses.
Q:
What is a cleanup rule? Provide an example.
Q:
Describe a firewall policy for application traffic.
Q:
What makes an effective rule base? List three points to consider.
Q:
Describe a packet-filtering scenario that works with the DMZ.
Q:
What is stateful packet filtering?
Q:
What are the most common features of IP protocol headers that stateless packet filters base their filtering decisions on?
Q:
Describe a hardware firewall and include one or more advantages and disadvantages.
Q:
Describe a software firewall and include one or more advantages and disadvantages.
Q:
Discuss what a firewall is and its role in a company's overall security scheme.
Q:
Match each term with its definition.
a. cleanup rule
b. firewall
c. firewall appliance
d. firewall policy
e. proxy server
f. rule base
g. socket
h. state table
i. stateful packet filters
j. stateless packet filters
1/ software that forwards network packets and caches Web pages to speed up network performance
2/ the end point of a computer-to-computer connection defined by an IP address and port address
3/ a packet-filtering rule that comes last in a rule base and covers any packets that have not been covered by preceding rules
4/ hardware devices with firewall functionality
5/ filters that are similar to stateless packet filters, except that they also determine whether to allow or block packets based on information about current connections
6/ hardware or software configured to block unauthorized access to a network
7/ simple filters that determine whether to allow or block packets based on information in protocol headers
8/ the collection of rules that filter traffic at an interface of a firewall
9/ an addition to a security policy that describes how firewalls should handle application traffic, such as Web or e-mail applications
10/ a file maintained by stateful packet filters that contains a record of all current connections
Q:
The rule base should permit access to public servers in the _________ and enable users to access the Internet.
Q:
A primary objective of a rule base is to ______________ communications based on complex rules.
Q:
The ACK flag is normally sent at the end of the three-way ______________ to indicate that a connection is established.
Q:
ACLs filter packets by using a __________ base to determine whether to allow a packet to pass.
Q:
A firewall can consist of all devices positioned on the network _____________.
Q:
Which of the following is NOT an ICMPv6 packet type that you should allow within your organization but never outside the organization?
a. Destination unreachable
b. Packet too big
c. Time Exceeded
d. Packet Redirect
Q:
Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted?
a. Teredo tunneling
b. ICMPv6 encapsulation
c. IPsec tunneling
d. SMTP/S tunneling
Q:
What type of ICMP packet can an attacker use to send traffic to a computer they control outside the protected network?
a. Source Quench
b. Echo Request
c. Destination Unreachable
d. Redirect
Q:
What are the two standard ports used by FTP along with their function?
a. UDP 23 control, TCP 20 data
b. UDP 20 data, TCP 21 control
c. TCP 21 control, TCP 20 data
d. TCP 23 data, TCP 21 control
Q:
What service uses UDP port 53?
a. SMTP
b. DNS
c. ICMP
d. TFTP
Q:
Which two ports should packet-filtering rules address when establishing rules for Web access?
a. 143, 80
b. 25, 110
c. 80, 443
d. 423, 88
Q:
Which of the following is a general practice for a rule base?
a. begin by blocking all traffic and end by allowing selective services
b. permit access to public servers in the DMZ
c. allow all access to the firewall
d. allow direct access from the Internet to computers behind the firewall
Q:
Which of the following is NOT a protocol/port pair that should be filtered when an attempt is made to make a connection from outside the company network?
a. TCP, 80
b. TCP, 139
c. UDP, 138
d. TCP, 3389
Q:
Which of the following is described as the combination of an IP address and a port number?
a. portal
b. subnet
c. datagram
d. socket
Q:
What is considered the "cleanup rule" on a Cisco router?
a. explicit allow all
b. implicit deny all
c. explicit prompt
d. implicit allow
Q:
What is a suggested maximum size of a rule base?
a. 30 rules
b. 300 rules
c. 10 rules
d. 100 rules
Q:
Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization's security policy?
a. only authenticated traffic can access the internal network
b. employees can use instant-messaging only with external network users
c. the public can access the company Web servers
d. employees can have restricted Internet access
Q:
Which element of a rule base conceals internal names and IP addresses from users outside the network?
a. tracking
b. filtering
c. NAT
d. QoS
Q:
At what layer of the OSI model do proxy servers generally operate?
a. Application
b. Session
c. Transport
d. Network
Q:
What might a company concerned about protecting its data warehouses and employee privacy consider installing on the network perimeter to prevent direct connections between the internal network and the Internet?
a. router
b. VPN server
c. ICMP monitor
d. proxy server
Q:
What type of attack are stateless packet filters particularly vulnerable to?
a. attempts to connect to ports above 1023
b. attempts to connect to the firewall
c. IP spoofing attacks
d. attempts to connect to ports below 1023
Q:
Which of the following is NOT a criterion typically used by stateless packet filters to determine whether or not to block packets?
a. IP address
b. ports
c. data patterns
d. TCP flags
Q:
Which of the following is an advantage of hardware firewalls?
a. not scalable compared to software firewalls
b. not dependent on a conventional OS
c. less expensive than software firewalls
d. easy to patch
Q:
Which of the following is a typical drawback of a free firewall program?
a. cannot monitor traffic in real time
b. oversimplified configuration
c. have centralized management
d. more expensive than hardware firewalls
Q:
The Cisco PIX line of products is best described as which of the following?
a. software firewall
b. PC with firewall installed
c. firewall appliance
d. VPN gateway
Q:
Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful.
Q:
Generally, connections to instant-messaging ports are harmless and should be allowed.
Q:
Stateless packet filtering keeps a record of connections that a host computer has made with other computers.
Q:
Software firewalls are usually more scalable than hardware firewalls.
Q:
Firewalls can protect against employees copying confidential data from within the network.
Q:
What is an inline sensor and how is it used to stop attacks?
Q:
What are the four common entry points to a network where sensors should be placed?
Q:
What are the four typical components of an IDPS?
Q:
List two approaches to stateful protocol analysis.
Q:
Define stateful protocol analysis. Include in your answer the concept of the event horizon.
Q:
Describe two advantages and two disadvantages of a signature-based system.
Q:
Describe two advantages and two disadvantages of an anomaly-based system.
Q:
Contrast anomaly detection with signature detection.
Q:
What are the three network defense functions performed by an IDPS?
Q:
Match each term with its definition.
a. accountability
b. escalated
c. event horizon
d. inline sensor
e. intrusion
f. passive sensor
g. profiles
h. sensor
i. stateful protocol analysis
j. true positive
1/ an attempt to gain unauthorized access to network resources
2/ the entire length of an attack
3/ a genuine attack detected successfully by an IDPS
4/ an NIDPS sensor positioned so that all traffic on the network segment is examined as it passes through
5/ an IDPS component that monitors traffic on a network segment
6/ increasing an intrusion response to a higher level
7/ sets of characteristics that describe network services and resources a user or group normally accesses
8/ the process of maintaining a table of current connections so that abnormal traffic can be identified
9/ the ability to track an attempted attack or intrusion back to its source
10/ an NIDPS sensor that examines copies of traffic on the network
Q:
__________________ procedures are a set of actions that are spelled out in the security policy and followed if the IDPS detects a true positive.
Q:
A network ____________ is a type of passive sensor that consists of a direct connection between a sensor and the physical network medium.
Q:
An IDPS __________________ server is the central repository for sensor and agent data.
Q:
In a _______________ based detection system, the IDPS can begin working immediately after installation.
Q:
Anomaly detection systems make use of _______________ that describe the services and resources each authorized user or group normally accesses on the network.
Q:
Which of the following is true about the steps in setting up and using an IDPS?
a. anomaly-based systems come with a database of attack signatures
b. sensors placed on network segments will always capture every packet
c. alerts are sent when a packet doesn't match a stored signature
d. false positives do not compromise network security
Q:
Why might you want to allow extra time for setting up the database in an anomaly-based system?
a. the installation procedure is usually complex and time consuming
b. to add your own custom rule base
c. it requires special hardware that must be custom built
d. to allow a baseline of data to be compiled
Q:
If you see a /16 in the header of a Snort rule, what does it mean?
a. a maximum of 16 log entries should be kept
b. the size of the log file is 16 MB
c. the subnet mask is 255.255.0.0
d. the detected signature is 16 bits in length
Q:
Which of the following is an IDPS security best practice?
a. to prevent false positives, only test the IDPS at initial configuration
b. communication between IDPS components should be encrypted
c. all sensors should be assigned IP addresses
d. log files for HIDPSs should be kept local
Q:
Which of the following is true about an NIDPS versus an HIDPS?
a. an NIDPS can determine if a host attack was successful
b. an HIDPS can detect attacks not caught by an NIDPS
c. an HIDPS can detect intrusion attempts on the entire network
d. an NIDPS can compare audit log records
Q:
Which of the following is true about an HIDPS?
a. monitors OS and application logs
b. sniffs packets as they enter the network
c. tracks misuse by external users
d. centralized configurations affect host performance
Q:
Which of the following is a sensor type that uses bandwidth throttling and alters malicious content?
a. passive only
b. inline only
c. active only
d. online only
Q:
Which of the following is NOT a method used by passive sensors to monitor traffic?
a. spanning port
b. network tap
c. packet filter
d. load balancer
Q:
Which type of IDPS can have the problem of getting disparate systems to work in a coordinated fashion?
a. inline
b. host-based
c. hybrid
d. network-based
Q:
Which of the following is considered a problem with a passive, signature-based system?
a. profile updating
b. signature training
c. custom rules
d. false positives
Q:
Which IDPS customization option is a list of entities known to be harmless?
a. thresholds
b. whitelists
c. blacklists
d. alert settings