Chapter 6 - Network Perimeter Security Flashcards
Which tool would you use if you want to view the contents of a packet?
A. TDR
B. Port scanner
C. Protocol analyzer
D. Loopback adapter
C. A protocol analyzer has the capability to “drill” down through a packet and show the contents of that packet as they correspond to the OSI model.
The honeypot concept is enticing to administrators because
A. It enables them to observe attacks.
B. It traps an attacker in a network.
C. It bounces attacks back at the attacker.
D. It traps a person physically between two locked doors.
A. By creating a honeypot, the administrator can monitor attacks without sustaining damage to a server or other computer. Don’t confuse this with a honeynet (answer B), which is meant to attract and trap malicious attackers in an entire false network. Answer C is not something that an administrator would normally do, and answer D is defining a man trap.
James has detected an intrusion in his company. What should he check first?
A. DNS Logs
B. Firewall logs
C. The Event Viewer
D. Performance logs
B. If there were an intrusion, the first thing you should check is the firewall logs. DNS logs, the Event Viewer, and the performance logs will most likely not show intrusions into the company's network. The best place to look first is the firewall logs.
Which of the following devices should you employ to protect your network? (Select the best answer.)
A. Protocol analyzer
B. Firewall
C. DMZ
D. Proxy server
B. Install a firewall to protect the network. Protocol analyzers do not help to protect a network but are valuable as vulnerability assessment and monitoring tools. Although a DMZ and a proxy server could possibly help to protect a portion of the network to a certain extent, the best answer is firewall.
Which device’s log file will show access control lists and who was allowed access and who wasn’t?
A. Firewall
B. PDA
C. Performance monitor
D. IP proxy
A. A firewall contains one or more access control lists (ACLs) defining who is allowed to access the network. The firewall can also show attempts at access and whether they succeeded or failed. A personal digital assistant (PDA) might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer would be firewall.
Where are software firewalls usually located?
A. On routers
B. On servers
C. On clients
D. On every computer
C. Software-based firewalls, such as the Windows Firewall, are normally running on the client computers. Although a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers have firewalls.
Where is the optimal place to have a proxy server?
A. In between two private networks
B. In between a private and a public network
C. In between two public networks
D. On all of the servers
B. Proxy servers should normally be between the private and the public network. This way they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers.
A coworker has installed an SMTP server on the company firewall. What security principle does this violate?
A. Chain of custody
B. Use of a device as it was intended
C. Man trap
D. Use of multifunction network devices
B. SMTP servers should not be installed on a company firewall. This is not the intention of a firewall device. The SMTP server should most likely be installed within a DMZ.
You are working on a server and are busy implementing a network intrusion detection system on the network. You need to monitor the network traffic from the server. What mode should you configure the network adapter to work in?
A. Half-duplex mode
B. Full-duplex mode
C. Auto configuration mode
D. Promiscuous mode
D. To monitor the implementation of NIDS on the network, you should configure the network adapter to work in promiscuous mode; this forces the network adapter to pass all the traffic it receives to the processor, not just the frames that were addressed to that particular network adapter. The other three answers have to do with duplexing—whether the network adapter can send and receive simultaneously.
Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses?
A. HTTP proxy
B. Protocol analyzer
C. IP proxy
D. SMTP proxy
C. An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using Network Address Translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information. Protocol analyzers enable the capture and viewing of network data. SMTP proxies act as a go-between for e-mail.
If your ISP blocks objectionable material, what device would you guess has been implemented?
A. Proxy server
B. Firewall
C. Internet content filter
D. NIDS
C. An Internet content filter, usually implemented as content-control software, can block objectionable material before it ever gets to the user. This is common in schools, government, and many companies.
Of the following, which is a collection of servers that was set up to attract hackers?
A. DMZ
B. Honeypot
C. Honeynet
D. VLAN
C. A honeynet is a collection of servers set up to attract hackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone that is in between the LAN and the Internet. A VLAN is a virtual LAN.
Which of the following will detect malicious packets and discard them?
A. Proxy server
B. NIDS
C. NIPS
D. PAT
C. NIPS, or a network intrusion prevention system, detects and discards malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is port-based address translation.
Which of the following will an Internet filtering appliance analyze? (Select the three best answers.)
A. Content
B. Certificates
C. Certificate revocation lists
D. URLs
A, B, and D. Certificate revocation lists, however, will most likely not be analyzed. Remember that CRLs are published only periodically.
Which of the following devices would detect but not react to suspicious behavior on the network?
A. NIPS
B. Firewall
C. NIDS
D. HIDS
C. A NIDS will detect suspicious behavior but most likely not react to it. To prevent it and react to it you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network.