Perimeter Defense Flashcards

1
Q

Which of these is true regarding router ACL creation?

a. All deny rules should precede all permit rules. 
b. All permit rules should precede all deny rules.
c. Rule ordering is irrelevant.
d. Rules are tested in order from top to bottom.
A

d. Rules are tested in order from top to bottom.

2
Q

Which of these best expresses the “Principle of Least Privilege”?

a. Deny/disable all but what is required to complete the mission.
b. Apply multiple layers—by type and within type—security controls.
c. Never rely upon “security through obscurity”. 
d. Ensure any security control is developed with open/public scrutiny.
A

a. Deny/disable all but what is required to complete the mission.

3
Q

The “Principle of Least Privilege” (POLP for short) is also directly related to two other expressions you heard your instructor mention (and common to the security community); what are they?

  1. ___________________
    Hint: it’s a personnel security issue
  2. ___________________
    Hint: what is the overall purpose for pursuing POLP whenever/wherever possible?
A

  1. Need-to-Know
  2. Reduce Target Surface

4
Q

What is this: You should have blocked (filtered) something bad but you did not.

a. True-positive
b. True-negative
c. False-positive
d. False-negative
A

d. False-negative

Mnemonic: the filter acted correctly = true; it should have (but didn’t) = false.

5
Q

What is the semantic meaning of the ACL TCP rule pro-word “established”?

a. Causes rule to check that the TCP Syn flag is set.
b. Causes the router to ignore packets until the 3-way handshake is completed.
c. Causes rule to check that the TCP Ack flag is set.
d. Causes router to verify that there is matching (socket-pair) traffic in opposite direction.

A

c. Causes rule to check that the TCP Ack flag is set.

6
Q

Generally, the structure of an individual ACL rule follows…

a. permit or deny followed by “socket-pair” formatted information.
b. no particular order or format whatsoever.
c. permit or deny followed by port information followed by IP address information.
d. a target protocol followed by a “bad” field/value whose existence (or not) in a packet will determine if it gets denied or permitted.
A

a. permit or deny followed by “socket-pair” formatted information.

7
Q

When an ACL involves both permit and deny rules, the general/typical approach is to…

a. list denies, then permits, then deny all
b. list permits, then denies, then deny all
c. list denies, then permits, then permit all
d. list permits, then denies, then permit all
A

a. list denies, then permits, then deny all

8
Q

Which ACL rule would permit traffic from a DNS client to the DNS server with IP address 1.2.3.4?

a. permit udp any gt 1023 host 1.2.3.4 eq 53
b. permit tcp host 1.2.3.4 any eq 53 any
c. permit udp host 1.2.3.4 eq 53 any gt 1023
d. permit dns any gt 1023 1.2.3.4 eq 53
A

a. permit udp any gt 1023 host 1.2.3.4 eq 53

9
Q

Two criteria were given regarding what should be filtered (blocked); which of these best expresses those two?

a. Known malicious traffic -AND- unencrypted traffic.
b. Non-protocol-compliant traffic -AND- suspicious traffic.
c. Known malicious traffic -AND- traffic for services that aren’t supported/offered.
d. Non-protocol-compliant traffic -AND- unauthenticated traffic.

A

c. Known malicious traffic -AND- traffic for services that aren’t supported/offered.

10
Q

Which of these represents the correct IP-spoof protection strategy for traffic arriving to and departing from Your Network (YN)? Assume “YN” below means Your Network’s IP space.

a. Deny arriving traffic if source IP = YN, only permit departing traffic if source IP = YN
b. Deny arriving traffic if source IP = YN, deny departing traffic if source IP = YN
c. Only permit arriving traffic if destination IP = YN, only permit departing traffic if source IP = YN
d. Only permit arriving traffic if source IP = YN, only permit departing traffic if source IP = YN
A

a. Deny arriving traffic if source IP = YN, only permit departing traffic if source IP = YN

11
Q

Assume you host a Web server with IP = 1.2.3.4 in your DMZ. Your inbound permit rule is: permit any gt 1023 host 1.2.3.4 eq 80. What “corresponding” outbound rule should you have to support traffic FROM this Web server to clients on the Internet?

a. permit any eq 80 any eq 80-1023 established
b. permit host 1.2.3.4 eq 80 any gt 1023 established
c. permit host 1.2.3.4 any any gt 1023 established
d. permit any gt 1023 client any eq 80 established
A

b. permit host 1.2.3.4 eq 80 any gt 1023 established

12
Q

What is TRUE regarding cyber “defense-in-depth”, as presented in lecture?

a. It is alive and well as the term of trade for a “layered” defense that entails multiple security control types.
b. Defense-in-depth (DID) has been disproven as an effective methodology with which to pursue cyber protection.
c. Though DoD continues to embrace the defense-in-depth concept, most non-DoD organizations have evolved to something more sophisticated.
d. Defense-in-depth is largely a joke, and you should nod along with everyone else should you ever attend a seminar where the speaker makes this joke.
A

a. It is alive and well as the term of trade for a “layered” defense that entails multiple security control types.

13
Q

Which statement best describes a DMZ?

a. A network intended only for internal, trusted users.
b. A highly protected network intended only for external users.
c. A publicly accessible service network that is “moderately” protected relative to the more internal employee “private” network(s). 
d. A network that has no perimeter protection at all, relying instead upon the hardening of the servers in the network/zone.
A

c. A publicly accessible service network that is “moderately” protected relative to the more internal employee “private” network(s).

14
Q

When a packet is delivered to a server, the destination port number in the packet…

a. tells the receiving computer which device driver to use.
b. serves as a reliable indicator of what application layer data is in the packet.
c. does not necessarily indicate what application layer data is actually in the packet.
d. indicates which layer 4 protocol is carried in the IP datagram.
A

c. does not necessarily indicate what application layer data is actually in the packet.

15
Q

Assume you want to deny any packet with Malicious item M in it. Assume you want to permit any packet with Legitimate item L in it. Assume that denial of malicious items takes precedence over the permitting of legitimate traffic. What is true of an ACL that has only these two ACL rules?

Permit L  
Deny M

a. This could result in false-negative (aka a “false accept” error)
b. This could result in a false-positive (aka a “false reject” error)
c. This could result in either a false-negative OR a false-positive depending on which item (L or M) occurs first in a packet.
d. This kind of overlap must be avoided when creating ACLs, or else the router/firewall may exhibit unknown results/behavior.
A

a. This could result in false-negative (aka a “false accept” error)

16
Q

Which DMZ type was created in the SomeCo.com (Packet Tracer) lab?

a. Private-network/NAT DMZ 
b. Dual-perimeter DMZ
c. Three-legged DMZ
d. Partial-perimeter DMZ
A

c. Three-legged DMZ

17
Q

Which statement best describes the difference between a proxy firewall and an inspecting firewall?

a. A proxy firewall is better able to filter payload for exploits/malware because it is actually implementing the server software for that specific payload/application type.
b. Only a proxy firewall is able to see payload information, thus it is capable of making more sophisticated filter decisions than an inspecting firewall.
c. An inspecting firewall is more likely to detect improperly formatted (malicious) payload for the particular service it is filtering for.
d. “Inspection” means that only header information can be considered in the filter decision, whereas “proxy” means that headers and payload can be considered in the filter decision.

A

a. A proxy firewall is better able to filter payload for exploits/malware because it is actually implementing the server software for that specific payload/application type.

18
Q

If your organization’s policy permits its users to “tunnel” their SSL-encrypted traffic through the organization’s perimeter firewall, then…

a. the firewall will be unable to filter based on IP addresses.
b. the organization is showing no trust in their employees.
c. the firewall will be unable to detect/block viruses carried in the payload.
d. both a and c.
A

c. the firewall will be unable to detect/block viruses carried in the payload.

19
Q

Which of these technologies is the least capable of making “sophisticated” filter decisions?

a. Stateless inspection
b. Transparent proxy 
c. Stateful non-inspecting
d. Stateless non-inspecting
A

d. Stateless non-inspecting

20
Q

If an organization’s network topology shows a VPN gateway behind their firewall, then it would appear that the security officials at this organization…

a. trust their remote users to control the content of their VPN traffic.
b. insist on being able to filter everything that passes through the firewall.
c. may still be able to filter on header information depending on the type of VPN being used.
d. both a and c
A

d. both a and c

21
Q

The primary advantage of static/stateless filtering is that…

a. it can dynamically open ports based upon payload analysis.
b. it is relatively inexpensive, yet can filter relatively quickly.
c. it can base permit/deny decisions of incoming traffic on outgoing traffic it has previously seen.
d. None of the above
A

b. it is relatively inexpensive, yet can filter relatively quickly.

22
Q

Which of these best describes split-tunneling?

a. Any given point-to-point circuit that can simultaneously carry both encrypted and unencrypted communications.
b. The condition when a single host is simultaneously connected to more than one secure tunnel.
c. A VPN option that allows selective encryption of network traffic on a byte-by-byte basis. 
d. A host may be connected to a secure tunnel but will concurrently be permitted to access network resources that are not co-located at the tunnel’s endpoint.
A

d. A host may be connected to a secure tunnel but will concurrently be permitted to access network resources that are not co-located at the tunnel’s endpoint.

23
Q

What is the fundamental security issue with wireless LANs (WLANs)?

a. Unlike a (wired) switched LAN, all WLAN clients may “see” all WLAN traffic.
b. Encryption and firewall technology doesn’t work on RF traffic.
c. Their WLAN’s RF footprint may exceed the physical boundary/perimeter of the organization.
d. Both a and c.
A

d. Both a and c.

24
Q

What is the general situation that would suggest that the “VLAN’ing” of already deployed, non-VLAN’ed, switches would likely be a preferred solution?

a. You realize the need to split a single switch into more than one collision domain.
b. It would be easier to logically “split” networks than to physically “split” them.
c. You decide that all single-hop traffic should get encrypted.
d. You want two or more separate networks to be “merged” into a single broadcast domain.
A

b. It would be easier to logically “split” networks than to physically “split” them.

25
Q

Which of these is the generally accepted best practice regarding the deployment of both VPN and firewall (filtering) technology for perimeter protection?

a. Deploy the two technologies in parallel.
b. Place the firewall behind the VPN gateway.
c. Place the VPN gateway behind the firewall. 
d. Co-locate the VPN and firewall technologies on the same device.
A

b. Place the firewall behind the VPN gateway.

26
Q

Which of these would be the most likely candidate to be deployed as a “bastion server”?

a. A file server that serves public/non-sensitive information on a read-only configured server.
b. The agency's Web server that hosts a lot of resources critical to the agency's business.
c. A server that is intended to be accessed solely by an organization's "internal" employees.
d. Any public facing server that is designated to be hosted in an organization's DMZ.
A

a. A file server that serves public/non-sensitive information on a read-only configured server.

27
Q

Which of these is the most likely deployment setup for a NIPS appliance (i.e., dedicated machine)?

a. As a non-transparent sniffer monitoring all traffic on the protected network.
b. As a "bump-in-the-stack" configuration on the network's default-gateway router.
c. Attached to a promiscuous port on the switch of the network it's intended to protect. 
d. As a "bump-in-the-wire" configuration on the network's "perimeter".
A

a. As a non-transparent sniffer monitoring all traffic on the protected network.

or

d. As a “bump-in-the-wire” configuration on the network’s “perimeter”.

28
Q

Which of these filter technologies is most likely to be deployed as the outer “blaster” in a dual-perimeter (“master-blaster”) defense situation? [Hint: which is fastest vice smartest]

a. Stateless non-inspecting
b. Stateless inspecting
c. Stateful non-inspecting
d. Stateful inspecting
A

a. Stateless non-inspecting