Module 1: Security Technology: Firewall and VPN

Question 1

This is the method by which systems determine whether and how to admit a user into a strusted area of the organization.

Answer 1

access control

Question 2

This is a security technique that regulates who or what can view or use resources in a computing environment.

Answer 2

access control

Question 3

This is a fundamental concept in security that minimizes risk to the business or organization.

Answer 3

access control

Question 4

It is the allowing, restricting, and denying access to resources.

Answer 4

access control

Question 5

What is the difference between authorization and access?

Answer 5

Access refers to the “means” while authorization refers to the “permission”.

Question 6

This is the person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.

Answer 6

owner

Question 7

A person who maintains the security of a system, perhaps by adding and removing access by user accounts.

aka. administrator

Answer 7

custodian

Question 8

A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.

Answer 8

end user

Question 9

They perform operations on objects or the assets.

Answer 9

subjects (users or procesess acting for users)

Question 10

The most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.

Answer 10

mandatory access control (MAC)

Question 11

They are a strictly-enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role (role-based access controls) or a specified set of tasks (tasks-based access controls)

Answer 11

nondiscretionary access control

Question 12

Least restrictive model; suubjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.

Answer 12

discretionary access control (DAC)

Question 13

This type of access control provide the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information/resources at their disposal.

Answer 13

discretionary access control

Question 14

This is a form of nondiscretionary access control in which users are assigned a matrix of authorizations for areas of access.

Answer 14

lattice-based access control (LBAC)

Question 15

Lattice-based access control specifies the level of access each subject has to each object, as implemented in ____ and ____.

Answer 15

Lattice-based access control specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capabilities table.

Question 16

____ controls are associated with the duties a user performs in an organization, such as a position or temporary assignment like project manager, while task-based controls are tied to a particular chore or responsibility, such as a department’s printer administrator.

Answer 16

role-based

Question 17

Some consider this access control as a method of providing more detailed control over the steps or stages associated with a role or project.

Answer 17

task-based access control

Question 18

What are the access control mechanisms

Answer 18

1. identification
2. authentication
3. authorization
4. accountability

Question 19

access control mechanism

A mechanism whereby unverified or unauthenticated entities who seek access to resource provide a label by which they are known to the system.

I am a user of the system

Answer 19

identification

Question 20

access control mechanism

It is the process of validating an unauthenticated entity’s purported identity.

I can prove I am a user of the system

Answer 20

authentication

Question 21

access control mechanism

There are three widely used authentication mechanisms, or authentication factors:

Answer 21

• something you know
• something you have
• something you are

Question 22

access control mechanism

This is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.

Here’s what I can do with the system

Answer 22

autherization

Question 23

An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.

Answer 23

access control matrix

Question 24

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computergenerated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.

Answer 24

asynchronous token

Question 25

An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.

Answer 25

dumb card

Question 26

A plain-language phrase, typically longer than a password, from which a virtual password is derived.

Answer 26

passphrase

Question 27

A secret word or combination of characters that only the user should know; it is used to authenticate the user.

Answer 27

password

Question 28

An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.

Answer 28

smart card

Question 29

In access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.

Answer 29

strong authentication

Question 30

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.

Answer 30

synchronous token

Question 31

The derivative of a passphrase

Answer 31

virtual password

Question 32

This is an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some differences between the various other standards.

Answer 32

The Common Criteria for Information Technology Security Evaluation, aka Common Criteria or just CC

Question 33

The system being evaluated

Answer 33

target of evaluation (ToE)

Question 34

User-generated specification for security requirements

Answer 34

protection profile (PP)

Question 35

Document describing the ToE’s security properties

Answer 35

security target (ST)

Question 36

Catalog of a product’s security functions

Answer 36

security functional requirements (SFRs)

Question 37

The rating or grading of a ToE after evaluation

Answer 37

evaluation assurance levels (EALs)

Question 38

How many levels does the evaluation assurance level typically have?

Answer 38

EAL1 - 7

Question 39

This is a “state machine reference model”—in other words, a
model of an automated system that is able to manipulate its state or status over time.

Answer 39

Bell-LaPadula (BLP) confidentiality model

Question 40

This is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations.

Answer 40

Biba integrity model

Question 41

Unauthorized or unintended methods of communications hidden inside a computer system.

Answer 41

covert channels

Question 42

Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.

Answer 42

reference monitor

Question 43

TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.

Answer 43

storage channels

Question 44

TCSEC-defined covert channels that communicate by managing the relative timing of events.

Answer 44

timing channels

Question 45

Under the Trusted Computer System Evaluation Criteria (TCSEC), this is the combination of all hardware, firmware, and software responsible for enforcing the security policy.

Answer 45

trusted computing base (TCB)

Question 46

This model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The model’s change control principles are:
x No changes by unauthorized subjects
x No unauthorized changes by authorized subjects
x The maintenance of internal and external consistency

Answer 46

Clark-Wilson integrity model

Question 47

This means that the system does what it is expected to do every time, without exception.

Answer 47

internal consistency

Question 48

This means that the data in the system is consistent with similar data in the outside world.

Answer 48

external consistency

Question 49

Data item with protected integrity.

Answer 49

Constrained data item (CDI)

Question 50

Data not controlled by Clark-Wilson; nonvalidated input or any output

Answer 50

Unconstrained data item

Question 51

Procedure that scans data and confirms its integrity

Answer 51

Integrity verification procedure (IVP)

Question 52

Procedure that only allows changes to a constrained data item

Answer 52

Transformation procedure (TP):

Question 53

This model has three parts: a set of objects, a set of subjects, and a set of rights.

Answer 53

Graham-Denning access control model

Question 54

This model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not allow.

Answer 54

Harrison-Ruzzo-Ullman (HRU) model

Question 55

This model is commonly known as a Chinese Wall, is designed to prevent a conflict of interest between two parties.

Answer 55

Brewer-Nash model

Question 56

Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.

Answer 56

address restrictions

Question 57

A firewall type that can react to network traffic and create or modify configuration rules to adapt.

Answer 57

dynamic packet-filtering firewall

Question 58

In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.

Answer 58

firewall

Question 59

A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.

Answer 59

packet-filtering firewall

Question 60

A tabular record of the state and context of each packet in a conversation between an internal and external user or system. This is used to expedite traffic filtering.

Answer 60

state table

Question 61

A firewall type that keeps track of each network
connection between internal and external systems using a state table and that expedites the filtering of those communications.

Answer 61

stateful packet inspection (SPI) firewall aka stateful inspection firewall

Question 62

A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.

Answer 62

static packet-filtering firewall

Question 63

The system of networks inside the organization that contains its information assets and is under the organization’s control.

Answer 63

trusted network

Question 64

The system of networks outside the organization over which the organization has no control. The Internet is an example of this.

Answer 64

untrusted network

Question 65

This is simply a computer containing two network cards.

Answer 65

firewall

Question 66

True or false?

The computer is initially configured to not allow any traffic to pass from one card to another.

Answer 66

True

Question 67

The firewall may be a:

Answer 67

• Separate computer system
• Software service running on an
  existing router or server
• Separate network containing a
  number of supporting devices.

Question 68

The firewall is categorized by:

Answer 68

• Their processing type
• Their evolutional generation
• The way they are implemented

Question 69

Firewalls by Processing Type

Answer 69

• Packet Filtering Firewalls
• Application Gateway Firewalls
• Circuit Gateways
• MAC Layer Firewalls
• Hybrids

Question 70

Traffic on network is broken down into ____.

Answer 70

packets (smaller message units)

Question 71

Each packet must hold at least two addresses: the ____ and that of the ____.

Answer 71

Each packet must hold at least two addresses: that of the sender and that of the recipient.

Question 72

True or false?

Packet filtering protects a local network from desired invasion depending upon the predefined rules

Answer 72

True

Question 73

Packet filtering controls (allows or drops) packet or data transfer based on the following standards:

Answer 73

• The address the packet is coming from.
• The address the packet is going to.
• The application protocols or rules set to transfer the data.

Question 74

A device capable of functioning both as a firewall and an application layer proxy server.

Answer 74

application layer proxy firewall aka application firewall

Question 75

An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher level of risk.

Answer 75

demilitarized zone (DMZ)

Question 76

A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers.

aka cache servers

Answer 76

proxy server

Question 77

A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.

Answer 77

reverse proxy

Question 78

This is a type of firewall that provides application-level control over network traffic.

Answer 78

application gateway firewall

Question 79

These can be used to deny access to the resources of private networks to distrusted users over the Internet.

Answer 79

application gateways

Question 80

This is a device placed between an external, untrusted network and an internal, trusted network.

Aka sacrificial host

Answer 80

bastion host

Question 81

This serves as the sole target for attack and should therefore be thoroughly secured.

Answer 81

bastion host

aka single bastion host

Question 82

A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.

Answer 82

extranet

Question 83

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.

Answer 83

network address translation (NAT)

Question 84

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.

Answer 84

port address translation (PAT)

Question 85

A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.

Answer 85

screened host architecture

Question 86

A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.

Answer 86

screened subnet architecture

Question 87

A firewall that provides User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connection security.

Answer 87

circuit-level gateways

Question 88

Works between an Open Systems Interconnection (OSI) network model’s transport and application layers such as the session layer.

Answer 88

circuit gateways

Question 89

Unlike application gateways, these monitor TCP data packet handshaking and session fulfillment of firewall rules and policies.

Answer 89

circuit gateways

Question 90

What does ISO mean?

Answer 90

international organization for standardization

Question 91

What does OSI mean?

Answer 91

open system interconnection

Question 92

The ____ of the ISO-OSI Data Link layer is concerned with ____ addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.

Answer 92

The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.

Question 93

This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question.

Answer 93

MAC layer firewalls

Question 94

This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.

Answer 94

MAC layer firewall

Question 95

This combines the elements of other types of firewalls that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways

Answer 95

hybrid firewalls

Question 96

These are static packet-filtering firewalls.

Answer 96

first generation firewalls

Question 97

These are simple networking devices that filter packets according to their headers as the packets travel to and from the ogranization’s network.

Answer 97

first generation firewall / static packet filtering firewall

Question 98

These are application-level firewalls or proxy servers

Answer 98

second generation firewalls

Question 99

These are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

Answer 99

second generation firewalls / application-level firewalls or proxy servers

Question 100

These are stateful inspection firewalls

Answer 100

third generation firewalls

Question 101

These monitors the state of active connections and uses the information to permit the network packets through the firewall.

Answer 101

third generation firewall / stateful inspection firewalls

Question 102

These are dynamic packet-filtering firewalls

Answer 102

fourth generation firewalls

Question 103

These firewalls allow only a particular packet with a particular source, destination, and port address to enter.

Answer 103

fourth generation firewalls / dynamic packet-filtering firewalls

Question 104

These are kernel proxy firewalls.

Answer 104

fifth generation firewalls

Question 105

These are integrated into an operating system’s core to provide multiple levels of session and packet evaluation

Answer 105

fifth generation firewalls / kernel proxy firewalls

Question 106

What are the 4 firewalls by structure?

Answer 106

• commercial appliances
• commercial systems
• small office - home office appliances
• residential (consumer) software

Question 107

These are standalone self-contained combination of computing hardware and software. These devices frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of being compromised.

Answer 107

commercial appliances

aka commercial grade firewall appliances

Question 108

These variant operating systems are tuned to meet the type of firewall activity built into the application software that provides the firewall functionality.

Answer 108

commercial appliances

Question 109

This consists of application software that is configured for the firewall application and run on a general-purpose computer.

Answer 109

commercial systems

aka commercial grade firewall systems

Question 110

These systems exploit the fact that firewalls are essentially applications software packages that use common general purpose network connections to move data from one network to another.

Answer 110

commercial systems

Question 111

One of the most effective methods improving computing security in the small office home office appliances setting is by means of this type of firewall by structure.

Answer 111

small office / home office firewall

aka soho or residential grade firewall

Question 112

Another method of protecting the user is to install a software directly on the user system. Many people have implemented this ____, some of which also provide antivirus or inclusion detection capabilities. But unfortunately, they may not be as fully protected as they think.

Answer 112

residential (consumer) software

Question 113

These are implementations of cryptographic technology. It is a private data network that uses the public telecommunications infrastructure to create a means for private communication via a tunneling protocol coupled with security procedures.

Answer 113

virtual private networks (VPNs)

Question 114

These are commonly used to securely extend an organization’s internal network connections to remote locations.

Answer 114

virtual private networks (VPNs)

Question 115

This is a combination of trusted and secure VPN implementations. Combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network.

Answer 115

hybrid VPN

Question 116

This is a VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks. They use that same security protocol like IPSec to encrypt traffic transmitted across unsecured public networks like the Internet.

Answer 116

secure VPN

Question 117

This also known as legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.

Answer 117

trusted VPN

Question 118

A private, secure network operated over a public and insecure network. This keeps the content of the network messages hidden from observers who may have access to public traffic.

Answer 118

VPN

Question 119

A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following:

Answer 119

• encapsulation of incoming and outgoing data
• encryption of incoming and outgoing data
• authentication

Question 120

What does IPSec stand for?

Answer 120

internet protocol security

Question 121

This is the dominant protocol used in VPNs. It uses either transport mode or tunnel mode. It can be used as a standalone protocol or coupled with the Layer Two Tunneling Protocol (L2TP)

Answer 121

IPSec

Question 122

In this mode, the data within the IP packet is encrypted, but the header information is not. This allows the users to establish a secure link directly with the remote host, encrypting only the data content of the packet.

Answer 122

transport mode

Question 123

This mode eliminates the need for special servers and tunneling software, and allows end users to transmit traffic from anywhere, which is especially useful for traveling or telecommuting employees.

Answer 123

transport mode

Question 124

Transport mode VPNs have 2 popular uses

Two end users can communicate directly, encrypting and decrypting their communications as needed. Each machine acts as the end-node VPN server and client.

Answer 124

end-to-end support of encrypted data

Question 125

Transport mode VPNs have 2 popular uses

This allows the teleworker’s system to work as if it were a part of the local area network. The VPN server in this example acts as an intermediate node, encrypting traffic from the secure intranet and transmitting it to the remote client, and decrypting traffic from the remote client and transmitting it to its final destination.

Answer 125

remote access worker or teleworker connects to an office network over the Internet by connecting to a VPN server on the perimeter

Question 126

Establishes two perimeter tunnel servers to encrypt all traffic that will traverse unsecured network.

Answer 126

tunnel mode

Question 127

Entire client package is encrypted and added as data portion of packet, from one tunneling server to another.

Answer 127

tunnel mode

Question 128

Primary benefit to this mode is that an intercepted packet reveals nothing about the true destination system.

Answer 128

tunnel mode

Question 129

This is an example of tunnel mode VPN

Answer 129

Microsoft’s Internet Security and Acceleration (ISA) server