Module 1: Security Technology: Firewall and VPN Flashcards

1
Q

This is the method by which systems determine whether and how to admit a user into a trusted area of the organization.

A

access control

2
Q

This is a security technique that regulates who or what can view or use resources in a computing environment.

A

access control

3
Q

This is a fundamental concept in security that minimizes risk to the business or organization.

A

access control

4
Q

It is the allowing, restricting, and denying of access to resources.

A

access control

5
Q

What is the difference between authorization and access?

A

Access refers to the “means” while authorization refers to the “permission”.

6
Q

This is the person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.

A

owner

7
Q

A person who maintains the security of a system, perhaps by adding and removing access by user accounts.

aka administrator

A

custodian

8
Q

A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.

A

end user

9
Q

They perform operations on objects or the assets.

A

subjects (users or processes acting for users)

10
Q

The most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level.

A

mandatory access control (MAC)

11
Q

They are a strictly enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role (role-based access controls) or a specified set of tasks (task-based access controls).

A

nondiscretionary access control

12
Q

Least restrictive model; subjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels.

A

discretionary access control (DAC)

13
Q

This type of access control provides the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information/resources at their disposal.

A

discretionary access control

14
Q

This is a form of nondiscretionary access control in which users are assigned a matrix of authorizations for areas of access.

A

lattice-based access control (LBAC)

15
Q

Lattice-based access control specifies the level of access each subject has to each object, as implemented in ____ and ____.

A

Lattice-based access control specifies the level of access each subject has to each object, as implemented in access control lists (ACLs) and capabilities tables.

16
Q

____ controls are associated with the duties a user performs in an organization, such as a position or temporary assignment like project manager, while task-based controls are tied to a particular chore or responsibility, such as a department’s printer administrator.

A

role-based

17
Q

Some consider this access control as a method of providing more detailed control over the steps or stages associated with a role or project.

A

task-based access control

18
Q

What are the access control mechanisms?

A
  1. identification
  2. authentication
  3. authorization
  4. accountability
19
Q

access control mechanism

A mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label by which they are known to the system.

I am a user of the system

A

identification

20
Q

access control mechanism

It is the process of validating an unauthenticated entity’s purported identity.

I can prove I am a user of the system

A

authentication

21
Q

access control mechanism

There are three widely used authentication mechanisms, or authentication factors:

A
  • something you know
  • something you have
  • something you are
22
Q

access control mechanism

This is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.

Here’s what I can do with the system

A

authorization

23
Q

An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.

A

access control matrix

24
Q

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.

A

asynchronous token

25
Q

An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.

A

dumb card

26
Q

A plain-language phrase, typically longer than a password, from which a virtual password is derived.

A

passphrase

27
Q

A secret word or combination of characters that only the user should know; it is used to authenticate the user.

A

password

28
Q

An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.

A

smart card

29
Q

In access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.

A

strong authentication

30
Q

An authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.

A

synchronous token

31
Q

The derivative of a passphrase

A

virtual password

32
Q

This is an international standard (ISO/IEC 15408) for computer security certification. It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some differences between the various other standards.

A

The Common Criteria for Information Technology Security Evaluation, aka Common Criteria or just CC

33
Q

The system being evaluated

A

target of evaluation (ToE)

34
Q

User-generated specification for security requirements

A

protection profile (PP)

35
Q

Document describing the ToE’s security properties

A

security target (ST)

36
Q

Catalog of a product’s security functions

A

security functional requirements (SFRs)

37
Q

The rating or grading of a ToE after evaluation

A

evaluation assurance levels (EALs)

38
Q

How many levels does the evaluation assurance level typically have?

A

EAL1 - 7

39
Q

This is a “state machine reference model”—in other words, a model of an automated system that is able to manipulate its state or status over time.

A

Bell-LaPadula (BLP) confidentiality model

40
Q

This is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations.

A

Biba integrity model

41
Q

Unauthorized or unintended methods of communications hidden inside a computer system.

A

covert channels

42
Q

Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.

A

reference monitor

43
Q

TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.

A

storage channels

44
Q

TCSEC-defined covert channels that communicate by managing the relative timing of events.

A

timing channels

45
Q

Under the Trusted Computer System Evaluation Criteria (TCSEC), this is the combination of all hardware, firmware, and software responsible for enforcing the security policy.

A

trusted computing base (TCB)

46
Q

This model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The model’s change control principles are:
  • No changes by unauthorized subjects
  • No unauthorized changes by authorized subjects
  • The maintenance of internal and external consistency

A

Clark-Wilson integrity model

47
Q

This means that the system does what it is expected to do every time, without exception.

A

internal consistency

48
Q

This means that the data in the system is consistent with similar data in the outside world.

A

external consistency

49
Q

Data item with protected integrity.

A

Constrained data item (CDI)

50
Q

Data not controlled by Clark-Wilson; nonvalidated input or any output

A

Unconstrained data item

51
Q

Procedure that scans data and confirms its integrity

A

Integrity verification procedure (IVP)

52
Q

Procedure that only allows changes to a constrained data item

A

Transformation procedure (TP)

53
Q

This model has three parts: a set of objects, a set of subjects, and a set of rights.

A

Graham-Denning access control model

54
Q

This model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not allow.

A

Harrison-Ruzzo-Ullman (HRU) model

55
Q

This model, commonly known as a Chinese Wall, is designed to prevent a conflict of interest between two parties.

A

Brewer-Nash model

56
Q

Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.

A

address restrictions

57
Q

A firewall type that can react to network traffic and create or modify configuration rules to adapt.

A

dynamic packet-filtering firewall

58
Q

In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.

A

firewall

59
Q

A networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.

A

packet-filtering firewall

60
Q

A tabular record of the state and context of each packet in a conversation between an internal and external user or system. This is used to expedite traffic filtering.

A

state table

61
Q

A firewall type that keeps track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications.

A

stateful packet inspection (SPI) firewall aka stateful inspection firewall

62
Q

A firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.

A

static packet-filtering firewall

63
Q

The system of networks inside the organization that contains its information assets and is under the organization’s control.

A

trusted network

64
Q

The system of networks outside the organization over which the organization has no control. The Internet is an example of this.

A

untrusted network

65
Q

This is simply a computer containing two network cards.

A

firewall

66
Q

True or false?

The computer is initially configured to not allow any traffic to pass from one card to another.

A

True

67
Q

The firewall may be a:

A
  • Separate computer system
  • Software service running on an existing router or server
  • Separate network containing a number of supporting devices.
68
Q

Firewalls are categorized by:

A
  • Their processing type
  • Their evolutional generation
  • The way they are implemented
69
Q

Firewalls by Processing Type

A
  • Packet Filtering Firewalls
  • Application Gateway Firewalls
  • Circuit Gateways
  • MAC Layer Firewalls
  • Hybrids
70
Q

Traffic on a network is broken down into ____.

A

packets (smaller message units)

71
Q

Each packet must hold at least two addresses: the ____ and that of the ____.

A

Each packet must hold at least two addresses: that of the sender and that of the recipient.

72
Q

True or false?

Packet filtering protects a local network from undesired invasion depending upon the predefined rules.

A

True

73
Q

Packet filtering controls (allows or drops) packet or data transfer based on the following standards:

A
  • The address the packet is coming from.
  • The address the packet is going to.
  • The application protocols or rules set to transfer the data.
74
Q

A device capable of functioning both as a firewall and an application layer proxy server.

A

application layer proxy firewall aka application firewall

75
Q

An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher level of risk.

A

demilitarized zone (DMZ)

76
Q

A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers.

aka cache servers

A

proxy server

77
Q

A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.

A

reverse proxy

78
Q

This is a type of firewall that provides application-level control over network traffic.

A

application gateway firewall

79
Q

These can be used to deny access to the resources of private networks to distrusted users over the Internet.

A

application gateways

80
Q

This is a device placed between an external, untrusted network and an internal, trusted network.

aka sacrificial host

A

bastion host

81
Q

This serves as the sole target for attack and should therefore be thoroughly secured.

A

bastion host

aka single bastion host

82
Q

A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.

A

extranet

83
Q

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-one basis; that is, one external valid address directly maps to one assigned internal address.

A

network address translation (NAT)

84
Q

A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.

A

port address translation (PAT)

85
Q

A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.

A

screened host architecture

86
Q

A firewall architectural model that consists of one or more internal bastion hosts located behind a packet filtering router on a dedicated network segment, with each host performing a role in protecting the trusted network.

A

screened subnet architecture

87
Q

A firewall that provides User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connection security.

A

circuit-level gateways

88
Q

Works between an Open Systems Interconnection (OSI) network model’s transport and application layers such as the session layer.

A

circuit gateways

89
Q

Unlike application gateways, these monitor TCP data packet handshaking and session fulfillment of firewall rules and policies.

A

circuit gateways

90
Q

What does ISO mean?

A

International Organization for Standardization

91
Q

What does OSI mean?

A

Open Systems Interconnection

92
Q

The ____ of the ISO-OSI Data Link layer is concerned with ____ addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.

A

The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured.

93
Q

This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question.

A

MAC layer firewalls

94
Q

This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.

A

MAC layer firewall

95
Q

This combines the elements of other types of firewalls; that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

A

hybrid firewalls

96
Q

These are static packet-filtering firewalls.

A

first generation firewalls

97
Q

These are simple networking devices that filter packets according to their headers as the packets travel to and from the organization’s network.

A

first generation firewall / static packet filtering firewall

98
Q

These are application-level firewalls or proxy servers

A

second generation firewalls

99
Q

These are dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.

A

second generation firewalls / application-level firewalls or proxy servers

100
Q

These are stateful inspection firewalls

A

third generation firewalls

101
Q

These monitor the state of active connections and use the information to permit the network packets through the firewall.

A

third generation firewall / stateful inspection firewalls

102
Q

These are dynamic packet-filtering firewalls

A

fourth generation firewalls

103
Q

These firewalls allow only a particular packet with a particular source, destination, and port address to enter.

A

fourth generation firewalls / dynamic packet-filtering firewalls

104
Q

These are kernel proxy firewalls.

A

fifth generation firewalls

105
Q

These are integrated into an operating system’s core to provide multiple levels of session and packet evaluation

A

fifth generation firewalls / kernel proxy firewalls

106
Q

What are the 4 firewalls by structure?

A
  • commercial appliances
  • commercial systems
  • small office - home office appliances
  • residential (consumer) software
107
Q

These are standalone, self-contained combinations of computing hardware and software. These devices frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of being compromised.

A

commercial appliances

aka commercial grade firewall appliances

108
Q

These variant operating systems are tuned to meet the type of firewall activity built into the application software that provides the firewall functionality.

A

commercial appliances

109
Q

This consists of application software that is configured for the firewall application and run on a general-purpose computer.

A

commercial systems

aka commercial grade firewall systems

110
Q

These systems exploit the fact that firewalls are essentially application software packages that use common general-purpose network connections to move data from one network to another.

A

commercial systems

111
Q

One of the most effective methods of improving computing security in the small office / home office appliances setting is by means of this type of firewall by structure.

A

small office / home office firewall

aka soho or residential grade firewall

112
Q

Another method of protecting the user is to install software directly on the user’s system. Many people have implemented this ____, some of which also provide antivirus or intrusion detection capabilities. But unfortunately, they may not be as fully protected as they think.

A

residential (consumer) software

113
Q

These are implementations of cryptographic technology. It is a private data network that uses the public telecommunications infrastructure to create a means for private communication via a tunneling protocol coupled with security procedures.

A

virtual private networks (VPNs)

114
Q

These are commonly used to securely extend an organization’s internal network connections to remote locations.

A

virtual private networks (VPNs)

115
Q

This is a combination of trusted and secure VPN implementations. Combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network.

A

hybrid VPN

116
Q

This is a VPN implementation that uses security protocols, such as IPSec, to encrypt traffic transmitted across unsecured public networks like the Internet.

A

secure VPN

117
Q

Also known as a legacy VPN, this is a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.

A

trusted VPN

118
Q

A private, secure network operated over a public and insecure network. This keeps the content of the network messages hidden from observers who may have access to public traffic.

A

VPN

119
Q

A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following:

A
  • encapsulation of incoming and outgoing data
  • encryption of incoming and outgoing data
  • authentication
120
Q

What does IPSec stand for?

A

internet protocol security

121
Q

This is the dominant protocol used in VPNs. It uses either transport mode or tunnel mode. It can be used as a standalone protocol or coupled with the Layer Two Tunneling Protocol (L2TP).

A

IPSec

122
Q

In this mode, the data within the IP packet is encrypted, but the header information is not. This allows the users to establish a secure link directly with the remote host, encrypting only the data content of the packet.

A

transport mode

123
Q

This mode eliminates the need for special servers and tunneling software, and allows end users to transmit traffic from anywhere, which is especially useful for traveling or telecommuting employees.

A

transport mode

124
Q

Transport mode VPNs have 2 popular uses

Two end users can communicate directly, encrypting and decrypting their communications as needed. Each machine acts as the end-node VPN server and client.

A

end-to-end support of encrypted data

125
Q

Transport mode VPNs have 2 popular uses

This allows the teleworker’s system to work as if it were a part of the local area network. The VPN server in this example acts as an intermediate node, encrypting traffic from the secure intranet and transmitting it to the remote client, and decrypting traffic from the remote client and transmitting it to its final destination.

A

remote access worker or teleworker connects to an office network over the Internet by connecting to a VPN server on the perimeter

126
Q

Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an unsecured network.

A

tunnel mode

127
Q

The entire client packet is encrypted and added as the data portion of a packet, from one tunneling server to another.

A

tunnel mode

128
Q

The primary benefit of this mode is that an intercepted packet reveals nothing about the true destination system.

A

tunnel mode

129
Q

This is an example of tunnel mode VPN

A

Microsoft’s Internet Security and Acceleration (ISA) server