Chapter 5 - Network Design Elements and Network Threats Flashcards

1
Q
Which of the following would you set up in a router?
A. DMZ
B. DOS
C. OSI
D. ARP
A

A. A DMZ, or demilitarized zone, can be set up on a router to create a sort of safe haven for servers. It is neither the LAN nor the Internet, but instead, a location in between the two.

2
Q
Which of the following is an example of a nonessential protocol?
A. DNS
B. ARP
C. DMZ
D. TFTP
A

D. The Trivial File Transfer Protocol (TFTP) is a simpler version of FTP that uses a small amount of memory. It is generally considered to be a nonessential protocol. The Domain Name System service (or DNS service) is required for Internet access and on Microsoft domains. The Address Resolution Protocol (ARP) is necessary in Ethernets that use TCP/IP. And a demilitarized zone (DMZ) is not a protocol but more of a network design element.

3
Q
A person attempts to access a server during a zone transfer to get access to a zone file. What type of server are they trying to manipulate?
A. Proxy server
B. DNS server
C. File server
D. Web server
A

B. DNS servers are the only types of servers listed that do zone transfers. The purpose of accessing the zone file is to find out what hosts are on the network.

4
Q
Which of the following is a private IP address?
A. 11.16.0.1
B. 127.0.0.1
C. 172.16.0.1
D. 208.0.0.1
A

C. 172.16.0.1 is the only address listed that is private. The private assigned ranges can be seen in Table 5-1 earlier in the chapter. 11.16.0.1 is a public IP address, as is 208.0.0.1. 127.0.0.1 is the loopback address.

5
Q
Which of these hides an entire network of IP addresses?
A. SPI
B. NAT
C. SSH
D. FTP
A

B. Network Address Translation (NAT) hides an entire network of IP addresses. SPI, or Stateful Packet Inspection, is the other type of firewall that today’s SOHO routers incorporate.

6
Q
Which one of the following can monitor and protect a DNS server?
A. Ping the DNS server.
B. Block port 53 on the firewall.
C. Purge PTR records daily.
D. Check DNS records regularly.
A

D. By checking a DNS server’s records regularly, a security admin can monitor and protect it. Blocking port 53 on a firewall might protect it (it also might make it inaccessible depending on the network configuration) but won’t enable you to monitor it. Pinging the server can simply tell you whether the server is alive. Purging pointer records (PTR) cannot help to secure or monitor the server.

7
Q
Which TCP port does LDAP use?
A. 389
B. 80
C. 443
D. 143
A

A. The Lightweight Directory Access Protocol (LDAP) uses port TCP 389. Port 80 is used by HTTP. Port 443 is used by HTTPS. Port 143 is used by IMAP.

8
Q
From the list of ports select two that are used for e-mail. (Select the two best answers.)
A. 110
B. 3389
C. 143
D. 389
A

A and C. POP3 uses port 110; IMAP uses port 143; 3389 is used by the remote desktop protocol; and 389 is used by LDAP.

9
Q
Which port number does the domain name system use?
A. 53
B. 80
C. 110
D. 88
A

A. The domain name system or DNS uses port 53. Port 80 is used by HTTP; port 110 is used by POP3; and port 88 is used by Kerberos.

10
Q
Which of the following statements best describes a static NAT?
A. Static NAT uses a one-to-one mapping.
B. Static NAT uses a many-to-many mapping.
C. Static NAT uses a one-to-many mapping.
D. Static NAT uses a many-to-one mapping.
A

A. Static network address translation normally uses a one-to-one mapping when dealing with IP addresses.

11
Q
John needs to install a web server that can offer SSL-based encryption. Which of the following ports is required for SSL transactions?
A. Port 80 inbound
B. Port 80 outbound
C. Port 443 inbound
D. Port 443 outbound
A

C. For clients to connect to the server via SSL, the server must have inbound port 443 open. The outbound ports on the server are of little consequence for this concept, and inbound port 80 is used by HTTP.

12
Q
If a person takes control of a session between a server and a client, it is known as what type of attack?
A. DDoS
B. Smurf
C. Session hijacking
D. Malicious software
A

C. Session hijacking (or TCP/IP hijacking) is when an unwanted mediator takes control of the session between a client and a server (for example, an FTP or HTTP session).

13
Q
Making data appear as if it is coming from somewhere other than its original source is known as what?
A. Hacking
B. Phishing
C. Cracking
D. Spoofing
A

D. Spoofing is when a malicious user makes data or e-mail appear to be coming from somewhere else.

14
Q
Which of the following enables a hacker to float a domain registration for a maximum of five days?
A. Kiting
B. DNS poisoning
C. Domain hijacking
D. Spoofing
A

A. Kiting is the practice of monopolizing domain names without paying for them. Newly registered domain names can be canceled with a full refund during an initial five-day window known as an AGP, or add grace period.

15
Q
What is the best definition for ARP?
A. Resolves IP addresses to DNS names
B. Resolves IP addresses to host names
C. Resolves IP addresses to MAC addresses
D. Resolves IP addresses to DNS addresses
A

C. The Address Resolution Protocol, or ARP, resolves IP addresses to MAC addresses. DNS resolves IP addresses to hostnames or domain names, and vice versa. RARP resolves MAC addresses to IP addresses.

16
Q
Which of the following should be placed between the LAN and the Internet?
A. DMZ
B. HIDS
C. Domain controller
D. Extranet
A

A. A demilitarized zone, or DMZ, can be placed between the LAN and the Internet; this is known as a back-to-back perimeter configuration. This allows external users on the Internet to access services but segments access to the internal network. In some cases, it will be part of a 3-leg firewall scheme. Host-based intrusion detection systems are placed on an individual computer, usually within the LAN. Domain controllers should be protected and are normally on the LAN as well. An extranet can include parts of the Internet and parts of one or more LANs; normally it connects two companies utilizing the power of the Internet.

17
Q
You have three e-mail servers. What is it called when one server forwards e-mail to another?
A. SMTP relay
B. Buffer overflows
C. POP3
D. Cookies
A

A. An SMTP relay is when one server forwards e-mail to other e-mail servers. Buffer overflows are attacks that can be perpetrated on web pages. POP3 is another type of e-mail protocol, and cookies are small text files stored on the client computer that remember information about that computer’s session with a website.

18
Q
You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario?
A. Switch
B. Hub
C. Router
D. Firewall
A

A. A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes.

19
Q
A coworker goes to a website but notices that the browser brings her to a different website and that the URL has changed. What type of attack is this?
A. DNS poisoning
B. Denial of service
C. Buffer overflow
D. ARP poisoning
A

A. DNS poisoning can occur at a DNS server and can affect all clients on the network. It can also occur at an individual computer. Another possibility is that spyware has compromised the browser. A denial of service is a single attack that attempts to stop a server from functioning. A buffer overflow is an attack that, for example, could be perpetrated on a web page. ARP poisoning is the poisoning of an ARP table, creating confusion when it comes to IP address-to-MAC address resolutions.

20
Q
Which of the following misuses the transmission control protocol handshake process?
A. Man-in-the-middle attack
B. SYN attack
C. WPA attack
D. Replay attack
A

B. A synchronize (SYN) attack misuses the TCP three-way handshake process. The idea behind this is to overload servers and deny access to users.

21
Q
For a remote tech to log in to a user’s computer in another state, what inbound port must be open on the user’s computer?
A. 21
B. 389
C. 3389
D. 8080
A

C. Port 3389 must be open on the inbound side of the user’s computer to enable a remote tech to log in remotely and take control of that computer. Port 21 is the port used by FTP, and 389 is used by LDAP. 8080 is another port used by web browsers that takes the place of port 80.

22
Q
A DDoS attack can be best defined as what?
A. Privilege escalation
B. Multiple computers attacking a single server
C. A computer placed between a sender and receiver to capture data
D. Overhearing parts of a conversation
A

B. When multiple computers attack a single server, it is known as a Distributed Denial of Service attack, or DDoS. Privilege escalation is when a person who is not normally authorized to a server manages to get administrative permissions to resources. If a computer is placed between a sender and receiver, it is known as a man-in-the-middle attack. Overhearing parts of a conversation is known as eavesdropping.

23
Q
When users in your company attempt to access a particular website, the attempts are redirected to a spoofed website. What are two possible reasons for this?
A. DoS
B. DNS poisoning
C. Modified hosts file
D. Domain name kiting
A

B and C. DNS poisoning and a DNS server’s modified hosts files are possible causes for why a person would be redirected to a spoofed website. DoS, or a Denial of Service, is when a computer attempts to attack a server to stop it from functioning. Domain name kiting is when a person renews and cancels domains within five-day periods.

24
Q
What kind of attack is it when the packets sent do not require a synchronization process and are not connection-oriented?
A. Man-in-the-middle
B. TCP/IP hijacking
C. UDP attack
D. ICMP flood
A

C. User Datagram Protocol (UDP) attacks, or UDP flood attacks, are DoS attacks that use a computer to send a large number of UDP packets to a remote host. The remote host will reply to each of these with an ICMP Destination Unreachable packet, which ultimately makes it inaccessible to clients.

25
Q
How many of the TCP/IP ports can be attacked?
A. 1,024 ports
B. 65,535
C. 256
D. 16,777,216
A

B. The best answer to this question is 65,535. The Internet Assigned Numbers Authority (IANA) list of ports starts at 0 and ends at 65,535. Although this equals 65,536 ports, it should be known that normally port 0 (zero) will forward packets to another port number that is dynamically assigned. So port 0 should not be affected by attacks, because it actually doesn’t act as a normal port.

26
Q
Which of the following attacks is a type of DoS attack that sends large amounts of UDP echoes to port 7 and 19?
A. Teardrop
B. IP spoofing
C. Fraggle
D. Replay
A

C. A Fraggle attack is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19. This is similar to the Smurf attack. Teardrop DoS attacks send many IP fragments with oversized payloads to a target.

27
Q
Don must configure his firewall to support TACACS. Which port(s) should he open on the firewall?
A. Port 53
B. Port 49
C. Port 161
D. Port 22
A

B. Port 49 is used by TACACS. Port 53 is used by DNS, Port 161 is used by SNMP, and Port 22 is used by SSH.

28
Q
Which of the following ports is used by Kerberos by default?
A. 21
B. 80
C. 88
D. 443
A

C. Port 88 is used by Kerberos by default. Port 21 is used by FTP. Port 80 is used by HTTP. Port 443 is used by HTTPS (TLS/SSL).

29
Q
Which of the following is the best option if you are trying to monitor network devices?
A. SNMP
B. TELNET
C. FTPS
D. IPsec
A

A. SNMP (Simple Network Management Protocol) is the best protocol to use to monitor network devices. TELNET is a deprecated protocol that is used to remotely administer network devices. FTPS provides for the secure transmission of files from one computer to another. IPsec is used to secure VPN connections and other IP connections.

30
Q
What is a secure way to remotely administer Linux systems?
A. SCP
B. SSH
C. SNMP
D. SFTP
A

B. SSH (Secure Shell) is used to remotely administer Unix/Linux systems and network devices. SCP (Secure Copy) is a way of transferring files securely between two hosts; it utilizes SSH. SNMP is used to remotely monitor network equipment. SFTP is used to securely transfer files from host to host; it also uses SSH.

31
Q
You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this?
A. Loop protection
B. DMZ
C. VLAN segregation
D. Port forwarding
A

A. Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch. A DMZ is a demilitarized zone that is used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) is a way of preventing ARP poisoning. Port forwarding refers to logical ports associated with protocols.

32
Q
You see a network address in the command line that is composed of a long string of letters and numbers. What protocol is being used?
A. IPv4
B. ICMP
C. IPv3
D. IPv6
A

D. IPv6 uses a long string of numbers and letters in the IP address. These addresses are 128-bit in length. IPv4 addresses are shorter (32-bit) and are numeric only. ICMP is the Internet Control Message Protocol, which is used by ping and other commands. IPv3 was a test version prior to IPv4 and was similar in IP addressing structure.

33
Q
Which of the following cloud computing services offers easy to configure operating systems?
A. SaaS
B. IaaS
C. PaaS
D. VM
A

C. Platform as a Service (PaaS) is a cloud computing service that offers many software solutions including easy-to-configure operating systems and on-demand computing. SaaS is Software as a Service, used to offer solutions such as webmail. IaaS is Infrastructure as a Service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.

34
Q
Your web server that conducts online transactions crashed, so you examine the HTTP logs and see that a search string was executed by a single user masquerading as a customer. The crash happened immediately afterward. What type of network attack occurred?
A. DDoS
B. DoS
C. MAC spoofing
D. MITM
A

B. A denial of service (DoS) attack probably occurred. The attacker most likely used code to cause an infinite loop or repeating search, which caused the server to crash. It couldn’t have been a DDoS (distributed denial of service) since there was only one attacker involved. MAC spoofing is when an attacker disguises the MAC address of their network adapter with another number. MITM stands for the man-in-the-middle attack, which wasn’t necessary since the attacker had direct access to the search fields on the web server.

35
Q
Which port number is used by SCP?
A. 22
B. 23
C. 25
D. 443
A

A. SCP (Secure Copy) uses SSH, which runs on port 22 by default. Port 23 is TELNET. Port 25 is SMTP. Port 443 is HTTPS (SSL/TLS).

36
Q
A malicious insider is accused of stealing confidential data from your organization. What is the best way to identify the insider’s computer?
A. IP address
B. MAC address
C. Computer name
D. NetBIOS name
A

B. The MAC address is the best way because it is unique and is the hardest to modify or spoof. IP addresses are often dynamically assigned on networks and are easily modified. Computer names (which are effectively NetBIOS names) can easily be changed as well.

37
Q
What is the best way to utilize FTP sessions securely?
A. FTPS
B. FTP passive
C. FTP active
D. TFTP
A

A. FTPS (FTP Secure) uses encryption in the form of SSL or TLS to secure file transfers. The other three options do not use encryption, making them less secure.