IS3220 CHAPTER 8 Flashcards

1
Q

A system designed, built, and deployed specifically to serve as a frontline defense for a network, withstanding the brunt of any attack attempt to protect the hosts behind it, is called ___?
It is a fortified computer device, possibly a host, firewall, or router, placed in the line of fire between privately owned and controlled networks and the public Internet.

A

BASTION HOST OS

2
Q

This supports multiple layers of security and is similar to defense-in-depth. The difference is that each of the layers uses a different security mechanism. It is called ___? It comes from using a collection of diverse security solutions.

A

DIVERSITY OF DEFENSE

3
Q

This type of OS includes Windows, Linux, Mac OS, UNIX, and others. These support a wide variety of purposes and functions, including serving as client or server host OSs. It is called ___?
When used as a Bastion Host OS they must be hardened and locked down. Otherwise, an insecure host OS can render the security provided by a firewall worthless.

A

GENERAL PURPOSE OS

4
Q

Another aspect of defense-in-depth is to deploy multiple subnets in series to separate private resources from public. This is known as ___?

A

N-TIER

5
Q

This OS is built exclusively to run on a bastion host device. Most appliance firewalls employ this OS. It is called ___?
This includes commercial firewall devices as well as many ISP connection devices and wireless access points. These support the functions or services critical to security (or their other primary purposes) and little else.

A

PROPRIETARY OS

6
Q

This allows static content to be cached and served by the proxy rather than requiring that each request for the same content be served by the Web server itself. It is called ___?

A

REVERSE CACHING

7
Q

Network security managers must investigate the needs and threats to make informed decisions about what traffic to allow and what traffic to block in the individual organization. This is called ___?

A

SECURITY STANCE

8
Q

For security to be effective, everyone must work within the limitations established by your organization’s written policy. Security only works when you employ forced ___?

A

UNIVERSAL PARTICIPATION

9
Q

This security stance is an ongoing process of locating the least secure element of an infrastructure and securing it. It is called ___?
The idea behind this process is that hackers are performing this task as they seek out vulnerabilities to compromise. Hackers discover and break this to gain access and entry into a secured environment.

A

WEAKEST LINK

10
Q

These devices, both consumer and commercial grade, include some form of firewall to provide filtering services for wireless clients and physical cable connections. This is called ___? These could be labeled as routers and/or switches, especially when they include two to six extra wired connection ports.

A

WIRELESS ACCESS POINT

11
Q
When crafting firewall rules, determining what to allow versus what to block is primarily dependent on what factor?
  1. Traffic levels
  2. Business tasks
  3. Bandwidth
  4. User preferences
  5. Timing
A

Business tasks

12
Q
The first step in determining what to allow and what to block in a firewall’s rule set is ___?
  1. Review vulnerability watch lists
  2. Poll users for what services they want
  3. Read blogs about best practices for firewall rules
  4. Record traffic for 24 hours
  5. Create an inventory of business communications
A

Create an inventory of business communications

13
Q
What is the purpose of including rules that block ports, such as 31337?
  1. Prevent users from accessing social networking sites
  2. To prevent DNS zone transfers
  3. To stop ICMP traffic
  4. Block known remote access and remote control malware
  5. Allow users to employ cloud backup solutions
A

Block known remote access and remote control malware

14
Q
What security strategy is based on the concept of locking the environment down so users can perform their assigned tasks but little else?
  1. Simplicity
  2. Principle of least privilege
  3. Diversity of defense
  4. Choke point
  5. Weakest link
A

Principle of least privilege

15
Q
What security strategy reverts to a secure position in the event of a compromise?
  1. Fail-safe
  2. Universal participation
  3. Defense-in-depth
  4. Security through obscurity
  5. N-tier deployment
A

Fail-safe

16
Q
Which security stance most directly focuses on the use of firewalls or other filtering devices as its primary means of controlling communications?
  1. Universal participation
  2. Weakest link
  3. Fail-safe
  4. Choke point
  5. Simplicity
A

Choke point

17
Q
A firewall policy performs all of the following functions EXCEPT:
  1. Assist in troubleshooting
  2. Placing blame for intrusions
  3. Guiding installation
  4. Ensuring consistent filtering across the infrastructure
  5. Detect changes in deployed settings
A

Placing blame for intrusions

18
Q
Which of the following is NOT a viable option for an enterprise network that needs to control and filter network traffic?
  1. Virtual firewall
  2. Appliance firewall
  3. Physical firewall
  4. Host firewall
  5. Software firewall
A

Physical firewall

19
Q
A reverse proxy is useful in which of the following scenarios?
  1. Grant outside users access to internal email servers
  2. Support internal users accessing the public Internet
  3. Allow private hosts to access external Web servers
  4. Offer external entities access to an internal Web server
  5. Cache file transfers for peer-to-peer exchange protocols
A

Offer external entities access to an internal Web server

20
Q
All the following are true statements in regards to port forwarding except?
  1. Is a variation of NAT
  2. Limited to Web traffic only
  3. Hides the identity of internal hosts
  4. Allow the use of nonstandard ports for publicly accessed services
  5. Internal servers do not see the identity of the real source of a communication
A

Limited to Web traffic only

21
Q
Which of the following statements is true with respect to reverse proxy?
  1. Reverse proxy cannot be used in conjunction with secured Web sites
  2. Reverse proxy can be used with tunnel mode IPSec VPNs
  3. Reverse proxy can only support SSL tunnels
  4. Reverse proxy caches client requests and archives them for load balancing purposes
  5. The reverse proxy server can act as the end-point for a TLS tunnel
A

The reverse proxy server can act as the end-point for a TLS tunnel

22
Q
Which of the following is NOT a true statement in regards to port forwarding?
  1. Port forwarding services can be found on almost any service or device that supports NAT
  2. Port forwarding is an essential element in the Internet Connection Sharing (ICS) service of Windows
  3. Port forwarding is used in reverse proxy, but only for Web traffic
  4. Port forwarding supports caching, encryption endpoint, and load balancing
  5. Port forwarding is a variation or enhancement of NAT
A

Port forwarding supports caching, encryption endpoint, and load balancing

23
Q
Which of the following is NOT considered a viable option as a bastion host OS?
  1. UNIX
  2. Linux
  3. Android
  4. Mac OS
  5. Windows 7
A

Android

24
Q
You are selecting a new appliance firewall for deployment in the company network. You are concerned with OS flaws and exploits appearing not only on your hosts but also on the firewall. To minimize that risk, what bastion host OS should you choose?
  1. Cisco IOS
  2. Windows 7
  3. UNIX
  4. Mac OS
  5. Linux
A

Cisco IOS

25
Q
What is the most important aspect or feature of a bastion host OS?
  1. Leveraging existing OS administrative knowledge
  2. Ease of use
  3. Remote administration
  4. Resistance to attacks and compromise attempts
  5. Support of a wide range of services
A

Resistance to attacks and compromise attempts

26
Q
What is always the most important element within a firewall rule set?
  1. Using specific addresses instead of ANY
  2. List deny-exceptions after allow-exceptions
  3. List inbound exceptions before outbound exceptions
  4. Final rule of default-deny
  5. Blocking every known malicious port
A

Final rule of default-deny

27
Q
Which of the following examples of complete firewall rule sets is the most valid?
1. TCP ANY ANY ANY ANY Deny
   TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP 192.168.42.115 ANY ANY 80 Deny
2. TCP 192.168.42.115 ANY ANY 80 Deny
   TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP ANY ANY ANY ANY Deny
3. TCP 192.168.42.115 ANY ANY 80 Deny
   TCP 192.168.42.116 ANY ANY 80 Deny
   TCP 192.168.42.119 ANY ANY 80 Deny
4. TCP 192.168.42.0/24 ANY ANY 80 Allow
   TCP ANY ANY ANY 80 Deny
   TCP ANY ANY ANY ANY Deny
5. TCP ANY ANY ANY ANY Deny
A

TCP 192.168.42.115 ANY ANY 80 Deny
TCP 192.168.42.0/24 ANY ANY 80 Allow
TCP ANY ANY ANY ANY Deny

28
Q
Which of the following guidelines is most important?
  1. Include all specific denials for known malicious remote control tools after explicit allows
  2. Include every possible address and port in a rule within the set to ensure an explicit callout exists for every type of communication
  3. There should be more inbound rules than outbound rules
  4. There should be more inbound rules than outbound rules
  5. Place universal allows before universal denies
A

There should be more inbound rules than outbound rules

29
Q
When considering the security response triggered by a firewall detecting unwanted traffic, what is the main factor in choosing between:
    1) a response that protects confidentiality and integrity and
    2) a response that protects availability
A

a response that protects confidentiality and integrity and

30
Q
When security mechanisms and business communications are at odds, what is the best and most secure response?
  1. Disable security to allow the business communication
  2. Modify the security policy to protect the business communication
  3. Disable both security and the offending business communication
  4. Disable business communication to maintain security
  5. Do nothing
A

Modify the security policy to protect the business communication