Review 6

Question 1

A firewall can use NAT and packet filters.

Answer 1

True—Firewalls can use packet filtering, NAT filtering, application level gateways, and circuit level gateways.

Question 2

NAT filtering accepts or rejects packets based on rules.

Answer 2

False—NAT filtering filters traffic according to ports such as TCP or UDP. A firewall that incorporates packet filtering inspects each packet passing through the firewall and accepts or rejects it based on rules.

Question 3

A stateless packet filter is vulnerable to IP spoofing attacks.

Answer 3

True—Stateless packet filters are vulnerable to IP spoofing attacks. Firewalls running stateful packet inspection are not vulnerable because they keep track of the state of network connections.

Question 4

Circuit level gateways work at the Session Layer of the OSI model.

Answer 4

True—Circuit level gateways do work at the Session Layer of the OSI model and apply security mechanisms whenever TCP or UDP connections are established.

Question 5

NAT filtering matches incoming traffic to corresponding outbound IP connections by matching the IP address and port.

Answer 5

True—NAT filtering matches incoming and outgoing traffic by way of IP addresses and port numbers.

Question 6

An IP proxy serves client requests by caching HTTP information.

Answer 6

False—IP proxies secure networks by keeping the machines behind it anonymous. Caching proxies serve client requests such as caching hypertext information among other types of information.

Question 7

An IP proxy can be the victim of denial-of-service attacks.

Answer 7

True—IP proxies can indeed be the victim of denial-of-service attacks and should be monitored periodically and updated regularly.

Question 8

A honeypot is a device that caches information for hackers.

Answer 8

False—Honeypots are usually single computers that are used to attract and trap potential attackers. Normally, you would not cache information for a hacker, but you would cache information for legitimate users by way of a caching proxy.

Question 9

Honeynets are one or more computers or servers used to counteract attempts at unauthorized access to a network.

Answer 9

True—A honeynet is one or more computers, servers, or an area of a network; these are used when a single honeypot is not sufficient to trap potential attackers.

Question 10

A NIDS can inspect traffic and possibly remove, detain, or redirect malicious traffic.

Answer 10

False—A NIDS attempts to detect malicious network activities by monitoring network traffic and alerts the administrator in the case that it finds any. A NIPS can inspect traffic and remove, detain, or redirect that traffic.

Question 11

Where would a NIDS sit on a network? (Select the best answer.) 
A. Inline 
B. On the extranet 
C. On the DMZ 
D. Back to back

Answer 11

A. A NIDS normally sits inline on the network. It could be before or after the firewall but more commonly is on the side closer to the Internet. Although it is possible to put a NIDS on the extranet or on a DMZ, it is far less common. Back to back is a phrase used when an organization implements to firewalls.

Question 12

What are Snort and Bro examples of? 
A. Firewalls 
B. Proxy servers 
C. IDS 
D. SPI

Answer 12

C. Snort and Bro are examples of IDS.

Question 13

Which of the following are examples of protocol analyzers? (Select the two best answers.) 
A. Wireshark 
B. HTTP proxy 
C. NAT filter 
D. Network Monitor

Answer 13

A and D. Wireshark and Network Monitor are examples of protocol analyzers. HTTP proxies cache information for client computers. NAT filtering is a type of filtering that firewalls can accomplish if configured.

Question 14

James has detected an intrusion in his company. What should he check first? 
A. DNS logs 
B. Firewall logs 
C. Event Viewer 
D. Performance logs

Answer 14

B. If there were an intrusion, the first thing you should check are the firewall logs. DNS logs in the event viewer and the performance logs will most likely not show intrusions to the company. The best place to look first is the firewall logs.

Question 15

Which of the following can detect malicious packets and discard them? 
A. Proxy server 
B. NIDS 
C. NIPS 
D. PAT

Answer 15

C. NIPS, or a network intrusion prevention system, can detect and discard
malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is a port-based address translation.

Question 16

Which of the following should be your primary line of defense? 
A. Proxy server 
B. NIPS 
C. Firewall 
D. Protocol analyzer

Answer 16

C. Firewalls should be your primary line of defense. Although intrusion detection/prevention systems are important, a firewall should be installed first. Proxy servers can also help to protect computers on the LAN and should be considered. Protocol analyzers investigate packets that are sent across the network.

Question 17

Which type of firewall filter can match incoming traffic to the corresponding outbound IP address connection by way of IP address and port? 
A. Packet filtering 
B. NAT filtering 
C. Application-level gateway 
D. Circuit-level gateway

Answer 17

B. NAT filtering matches incoming traffic to the corresponding outbound IP address connection. Packet filtering inspects each packet passing through the firewall and accepts or rejects it based on rules. Application-level gateways apply security mechanisms to specific applications. Circuit-level gateways apply security mechanisms whenever TCP or UDP connections are established.

Question 18

A client computer uses the IP address 10.254.254.189. It has made a connection to a web server by opening the outbound port 1589. The server uses the IP address 65.19.28.154. You want to filter out any HTTP packets coming from the server. Which IP address and port should you specify to be filtered on the firewall? 
A. 10.254.254.189:1589 
B. 10.254.254.189:80 
C. 65.19.28.154: 1589 
D. 65.19.28.154:80

Answer 18

D. You should filter the packets coming from the server’s IP and its inbound port: 65.19.28.154:80. It would be difficult to filter Port 1589 because this port is assigned dynamically to the outbound connection of the client computer; it will change every time a new session starts. The client computer should not use Port 80 because it is not the computer acting as a web server. The web server will most likely not use Port 1589. The connection from the client computer on outbound Port 1589 is made to the web server on inbound Port 80.

Question 19

Which of the following devices should you use to keep machines behind it anonymous? (Select the best answer.) 
A. Caching proxy 
B. IP proxy 
C. Circuit-level gateway 
D. Firewall

Answer 19

B. IP proxy secures a network by keeping the computers behind it anonymous. Caching proxies store HTTP or other information so that clients don’t have to actually contact a remote server. Circuit-level gateways apply security mechanisms when connections are established; they are a type of filtering. Firewalls protects the LAN, and although some firewall devices include an IP proxy, they won’t necessarily do so.

Question 20

Which of the following should be used to filter out activities such as instant messaging? 
A. IP proxy 
B. Application-level gateway 
C. Internet content filter 
D. Honeypot

Answer 20

C. Internet content filters are used to filter out activities such as instant messaging, email, and websites accessed. IP proxies are used to secure networks by keeping the computers behind it anonymous. Application-level gateways apply security mechanisms to specific applications. Honeypots are used to attract and trap potential attackers.