IS3220 CHAPTER 8 Flashcards
A system designed, built, and deployed specifically to serve as a frontline defense for a network, one that withstands the brunt of any attack attempt to provide protection for the hosts behind it, is called ___?
It is a fortified computer device, possibly a host, firewall, or router, placed in the line of fire between privately owned and controlled networks and the public Internet.
BASTION HOST OS
This supports multiple layers of security and is similar to defense-in-depth, except that each of the layers uses a different security mechanism. It is called ___? It comes from using a collection of diverse security solutions.
DIVERSITY OF DEFENSE
This type of OS includes Windows, Linux, Mac OS, UNIX, and others. These support a wide variety of purposes and functions, including serving as client or server host OSs, and this type is called ___?
When used as a Bastion Host OS they must be hardened and locked down. Otherwise, an insecure host OS can render the security provided by a firewall worthless.
GENERAL PURPOSE OS
Another aspect of defense-in-depth is to deploy multiple subnets in series to separate private resources from public. This is known as ___?
N-TIER
This OS is built exclusively to run on a bastion host device. Most appliance firewalls employ this OS, which is called ___?
This includes commercial firewall devices as well as many ISP connection devices and wireless access points. These support the functions or services critical to security (or their other primary purposes) and little else.
PROPRIETARY OS
This allows static content to be cached and served by the proxy rather than requiring that each request for the same content be served by the Web server itself. It is called ___?
REVERSE CACHING
Network security managers must investigate the needs and threats to make informed decisions about what traffic to allow and what traffic to block in the individual organization. This is called ___?
SECURITY STANCE
For security to be effective, everyone must work within the limitations established by your organization’s written policy. Security only works when you employ forced ___?
UNIVERSAL PARTICIPATION
This is a security stance consisting of an ongoing process of locating the least secure element of an infrastructure and securing it. It is called ___?
The idea behind this process is that hackers are performing this task as they seek out vulnerabilities to compromise. Hackers discover and break this to gain access and entry into a secured environment.
WEAKEST LINK
Both consumer and commercial grade versions of this device include some form of firewall to provide filtering services for wireless clients and physical cable connections. This is called ___? These could be labeled as routers and/or switches, especially when they include two to six extra wired connection ports.
WIRELESS ACCESS POINT
- When crafting firewall rules, determining what to allow versus what to block is primarily dependent on what factor?
- Traffic levels
- Business tasks
- Bandwidth
- User preferences
- Timing
Business tasks
- The first step in determining what to allow and what to block in a firewall’s rule set is ___?
- Review vulnerability watch lists
- Poll users for what services they want
- Read blogs about best practices for firewall rules
- Record traffic for 24 hours
- Create an inventory of business communications
Create an inventory of business communications
- What is the purpose of including rules that block ports, such as 31337?
- Prevent users from accessing social networking sites
- To prevent DNS zone transfers
- To stop ICMP traffic
- Block known remote access and remote control malware
- Allow users to employ cloud backup solutions
Block known remote access and remote control malware
- What security strategy is based on the concept of locking the environment down so users can perform their assigned tasks but little else?
- Simplicity
- Principle of least privilege
- Diversity of defense
- Choke point
- Weakest link
Principle of least privilege
- What security strategy reverts to a secure position in the event of a compromise?
- Fail-safe
- Universal participation
- Defense-in-depth
- Security through obscurity
- N-tier deployment
Fail-safe
- Which security stance most directly focuses on the use of firewalls or other filtering devices as its primary means of controlling communications?
- Universal participation
- Weakest link
- Fail-safe
- Choke point
- Simplicity
Choke point
- A firewall policy performs all of the following functions EXCEPT:
- Assist in troubleshooting
- Placing blame for intrusions
- Guiding installation
- Ensuring consistent filtering across the infrastructure
- Detect changes in deployed settings
Placing blame for intrusions
- Which of the following is NOT a viable option for an enterprise network that needs to control and filter network traffic?
- Virtual firewall
- Appliance firewall
- Physical firewall
- Host firewall
- Software firewall
Physical firewall
- A reverse proxy is useful in which of the following scenarios?
- Grant outside users access to internal email servers
- Support internal users accessing the public Internet
- Allow private hosts to access external Web servers
- Offer external entities access to an internal Web server
- Cache file transfers for peer-to-peer exchange protocols
Offer external entities access to an internal Web server
- All of the following are true statements with regard to port forwarding except:
- Is a variation of NAT
- Limited to Web traffic only
- Hides the identity of internal hosts
- Allow the use of nonstandard ports for publicly accessed services
- Internal servers do not see the identity of the real source of a communication
Limited to Web traffic only
- Which of the following statements is true with respect to reverse proxy?
- Reverse proxy cannot be used in conjunction with secured Web sites
- Reverse proxy can be used with tunnel mode IPSec VPNs
- Reverse proxy can only support SSL tunnels
- Reverse proxy caches client requests and archives them for load balancing purposes
- The reverse proxy server can act as the end-point for a TLS tunnel
The reverse proxy server can act as the end-point for a TLS tunnel
- Which of the following is NOT a true statement with regard to port forwarding?
- Port forwarding services can be found on almost any service or device that supports NAT
- Port forwarding is an essential element in the Internet Connection Sharing (ICS) service of Windows
- Port forwarding is used in reverse proxy, but only for Web traffic
- Port forwarding supports caching, encryption endpoint, and load balancing
- Port forwarding is a variation or enhancement of NAT
Port forwarding supports caching, encryption endpoint, and load balancing
- Which of the following is NOT considered a viable option as a bastion host OS?
- UNIX
- Linux
- Android
- Mac OS
- Windows 7
Android
- You are selecting a new appliance firewall for deployment in the company network. You are concerned with OS flaws and exploits appearing not only on your hosts but also on the firewall. To minimize that risk, what bastion host OS should you choose?
- Cisco IOS
- Windows 7
- UNIX
- Mac OS
- Linux
Cisco IOS
- What is the most important aspect or feature of a bastion host OS?
- Leveraging existing OS administrative knowledge
- Ease of use
- Remote administration
- Resistance to attacks and compromise attempts
- Support of a wide range of services
Resistance to attacks and compromise attempts
- What is always the most important element within a firewall rule set?
- Using specific addresses instead of ANY
- List deny-exceptions after allow-exceptions
- List inbound exceptions before outbound exceptions
- Final rule of default-deny
- Blocking every known malicious port
Final rule of default-deny
- Which of the following examples of complete firewall rule sets is the most valid?
1. TCP ANY ANY ANY ANY Deny
   TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP 192.168.42.115 ANY ANY 80 Deny
2. TCP 192.168.42.115 ANY ANY 80 Deny
   TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP ANY ANY ANY ANY Deny
3. TCP 192.168.42.115 ANY ANY 80 Deny
   TCP 192.168.42.116 ANY ANY 80 Deny
   TCP 192.168.42.119 ANY ANY 80 Deny
4. TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP ANY ANY ANY 80 Deny
   TCP ANY ANY ANY ANY Deny
5. TCP ANY ANY ANY ANY Deny
TCP 192.168.42.115 ANY ANY 80 Deny
TCP 192.168.42.0/24 ANY ANY 80 Allow
TCP ANY ANY ANY ANY Deny
- Which of the following guidelines is most important?
- Include all specific denials for known malicious remote control tools after explicit allows
- Include every possible address and port in a rule within the set to ensure an explicit callout exists for every type of communication
- There should be more inbound rules than outbound rules
- Place universal allows before universal denies
There should be more inbound rules than outbound rules
- When considering the security response triggered by a firewall detecting unwanted traffic, what is the main factor in choosing between:
1) a response that protects confidentiality and integrity and
2) a response that protects availability
a response that protects confidentiality and integrity and
- When security mechanisms and business communications are at odds, what is the best and most secure response?
- Disable security to allow the business communication
- Modify the security policy to protect the business communication
- Disable both security and the offending business communication
- Disable business communication to maintain security
- Do nothing
Modify the security policy to protect the business communication