Lesson 10: Implementing Network Security Appliances Flashcards
Compare and analyze the types of firewalls available to differentiate between them. Choose the answer with the most correct description.
A. Packet filtering firewalls operate at layer 5 of the OSI model, while circuit-level stateful inspection firewalls operate at layer 3.
B. An appliance firewall is also known as a stateful multilayer inspection or a deep packet inspection. An application aware firewall is a stand-alone hardware firewall that performs the function of a firewall only.
C. A packet filtering firewall maintains stateful information about a connection between two hosts and implements an appliance firewall as a software application running on a single host.
D. An application firewall can analyze the HTTP headers to identify code that matches a pattern, while an appliance firewall monitors all traffic passing into and out of a network segment.
D
Artificial intelligence (AI) and machine learning are especially important during which security information and event management (SIEM) task?
A. Packet capture
B. Analysis and report review
C. Data aggregation
D. Log collection
B
Which of the following solutions best addresses data availability concerns that may arise with the use of application-aware next-generation firewalls (NGFW) and unified threat management (UTM) solutions?
A. Signature-based detection system
B. Secure web gateway (SWG)
C. Network-based intrusion prevention system (IPS)
D. Active or passive test access point (TAP)
B
A security information and event management (SIEM) system collects data inputs from multiple sources. Which of the following is NOT one of the main types of log collection for SIEM?
A. Agent-based
B. Listener/collector
C. Sensor (sniffer)
D. Artificial intelligence (AI)
D
Evaluate the functions of a Network-Based Intrusion Detection System (NIDS) and conclude which statements are accurate. (Select all that apply.)
A. Training and tuning are fairly simple, and there is a low chance of false positives and false negatives.
B. A NIDS will identify and log hosts and application activity that the administrator can use to analyze and take further action.
C. Training and tuning are complex, and there is a high chance of false positive and negative rates.
D. A NIDS will identify attacks and block the traffic to stop the attack. The administrator will be able to review the reports for future prevention.
B,C
A NIDS can identify and log hosts and applications and detect attack signatures and other indicators of attack. An administrator can analyze logs to tune firewall rulesets, remove or block suspect hosts and processes, or deploy additional security controls to mitigate threats identified.
One of the main disadvantages of NIDS is that training and tuning are complex, which results in high false positive and false negative rates, especially during initial deployment.
Which of the following considerations is most important when employing a signature-based intrusion detection system?
A. The system may produce false positives and block legitimate activity.
B. The system must create a valid baseline signature of normal activity.
C. Signatures and rules must be kept up to date to protect against emerging threats.
D. Signatures and rules must be able to detect zero-day attacks.
C
Analyze each statement and determine which describes a fundamental improvement on traditional log management that security information and event management (SIEM) offers.
A. SIEM is completely automated; it requires no manual data preparation.
B. SIEM logs ensure non-repudiation, whereas other logs cannot link a specific user to an action.
C. SIEM can perform correlation, linking observables into meaningful indicators of risk or compromise.
D. SIEM addresses the issue of sheer volume of alerts, using machine learning to facilitate threat hunting.
C
A network administrator is shopping for a security product to use for fine-tuning existing firewall and appliance settings. Comparing product features, which type of product is most likely to satisfy the network administrator’s needs?
A. Network-based intrusion detection system (NIDS)
B. Unified threat management (UTM) product
C. Network-based intrusion prevention system (IPS)
D. Network behavior and anomaly detection (NBAD) product
A
Analyzing NIDS logs allows an administrator to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any identified threats.
Compare and contrast the characteristics of the various types of firewalls and select the correct explanation of a packet filtering firewall.
A. An administrator configures an Access Control List (ACL) to deny access to IP addresses
B. A firewall that maintains stateful information about the connection
C. A firewall that analyzes HTTP headers and the HTML code to identify code that matches a pattern
D. A stand-alone firewall implemented with routed interfaces or as a virtual wire transparent firewall
A
Analyze the following scenarios and determine which best simulates a content filter in action. (Select all that apply.)
A. A system breaks down a packet containing malicious content, erases the suspicious content, and then rebuilds the packet.
B. A high school student is using the school library to do research for an assignment and cannot access certain websites due to the subject matter.
C. A system administrator builds a set of rules based on information found in the source IP address to allow access to an intranet.
D. A system administrator blocks access to social media sites after the CEO complains that work performance has decreased due to excessive social media usage at work.
B,D
A system administrator wants to install a mechanism to conceal the internal IP addresses of hosts on a private network. What tool can the administrator use to accomplish this security function?
A. NAT gateway
B. Reverse proxy server
C. Virtual firewall
D. Access Control List (ACL)
A
A network administrator wants to use a proxy server to prevent external hosts from connecting directly with application servers. Which proxy server implementation will best fit this need?
A. Transparent proxy server
B. Non-transparent proxy server
C. Caching proxy server
D. Reverse proxy server
D
Which of the following are types of log collection for SIEM? (Select all that apply.)
A. Log aggregation
B. Firewall
C. Agent-based
D. Listener/Collector
C,D
A network administrator conducts a network assessment to determine where to implement a network intrusion detection system (NIDS). Which sensor deployment option is best suited if the admin is concerned about system overloads and resiliency in the event of power loss?
A. Passive test access point (TAP)
B. Active test access point (TAP)
C. Aggregation test access point (TAP)
D. Switched port analyzer (SPAN)/mirror port
A
With a passive TAP, the monitor port receives every frame—corrupt, malformed, or not—and load does not affect copying.