Secure Network Architecture and Securing Network Components

Question 1

Name the layers of the OSI model and their numbers from top to bottom.

Answer 1

Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), and Physical (1).

Question 2

Name three problems with cabling and the methods to counteract those issues.

Answer 2

Problems with cabling and their countermeasures include attenuation (use repeaters or don’t violate distance recommendations), using the wrong CAT cable (check the cable specifications against throughput requirements, and err on the side of caution), crosstalk (use shielded cables, place cables in separate conduits, or use cables of different twists per inch), cable breaks (avoid running cables in locations where movement occurs), interference (use cable shielding, use cables with higher twists per inch, or switch to fiber-optic cables), and eavesdropping (maintain physical security over all cable runs or switch to fiber-optic cables).

Question 3

What are the various technologies employed by wireless devices to maximize their use of the available radio frequencies?

Answer 3

Some of the frequency spectrum-use technologies are spread spectrum, Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM).

Question 4

Discuss methods used to secure 802.11 wireless networking.

Answer 4

Methods to secure 802.11 wireless networking include disabling the SSID broadcast; changing the SSID to something unique; enabling MAC filtering; considering the use of static IPs or using DHCP with reservations; turning on the highest form of encryption offered (such as WEP, WPA, or WPA2/802.11i); treating wireless as remote access and employing 802.1X, RADIUS, or TACACS; separating wireless access points from the LAN with firewalls; monitoring all wireless client activity with an IDS; and considering requiring wireless clients to connect with a VPN to gain LAN access.

Question 5

Name the LAN shared media access technologies and examples of their use, if known.

Answer 5

The LAN shared media access technologies are CSMA, CSMA/CA (used by 802.11 and AppleTalk), CSMA/CD (used by Ethernet), token passing (used by Token Ring and FDDI/CDDI), and polling (used by SDLC, HDLC, and some mainframe systems).

Question 6

What is layer 4 of the OSI model?

A. Presentation
B. Network
C. Data Link
D. Transport

Answer 6

D. The Transport layer is layer 4. The Presentation layer is layer 6, the Data Link layer is layer 2, and the Network layer is layer 3.

Question 7

What is encapsulation?

A. Changing the source and destination addresses of a packet
B. Adding a header and footer to data as it moves down the OSI stack
C. Verifying a person’s identity
D. Protecting evidence until it has been properly collected

Answer 7

B. Encapsulation is adding a header and footer to data as it moves down the OSI stack.

Question 8

Which OSI model layer manages communications in simplex, half-duplex, and full-duplex modes?

A. Application
B. Session
C. Transport
D. Physical

Answer 8

B. Layer 5, Session, manages simplex (one-direction), half-duplex (two-way, but only one direction can send data at a time), and full-duplex (two-way, in which data can be sent in both directions simultaneously) communications.

Question 9

Which of the following is the least resistant to EMI?

A. Thinnet
B. 10Base-T UTP
C. 10Base5
D. Coaxial cable

Answer 9

B. 10Base-T UTP is the least resistant to EMI because it is unshielded. Thinnet (10Base2) and thicknet (10Base5) are each a type of coaxial cable, which is shielded against EMI.

Question 10

Which of the following is not an example of network segmentation?

A. Intranet
B. DMZ
C. Extranet
D. VPN

Answer 10

D. A VPN is a secure tunnel used to establish connections across a potentially insecure intermediary network. Intranet, extranet, and DMZ are examples of network segmentation.

Question 11

Which of the following is not considered a non-IP protocol?

A. IPX
B. UDP
C. AppleTalk
D. NetBEUI

Answer 11

B. UDP is a transport layer protocol that operates as the payload of an IP packet. While it is not IP itself, it depends upon IP. IPX, AppleTalk, and NetBEUI are all alternatives to IP and thus are labeled as non-IP protocols.

Question 12

If you are the victim of a bluejacking attack, what was compromised?

A. Your car
B. Your switch
C. Your cell phone
D. Your web cookies

Answer 12

C. A bluejacking attack is a wireless attack on Bluetooth, and the most common device compromised in a bluejacking attack is a cell phone.

Question 13

Which networking technology is based on the IEEE 802.3 standard?

A. Ethernet
B. Token Ring
C. FDDI
D. HDLC

Answer 13

A. Ethernet is based on the IEEE 802.3 standard.

Question 14

What is a TCP wrapper?

A. An encapsulation protocol used by switches
B. An application that can serve as a basic firewall by restricting access based on user IDs or system IDs
C. A security protocol used to protect TCP/IP traffic over WAN links
D. A mechanism to tunnel TCP/IP through non-IP networks

Answer 14

B. A TCP wrapper is an application that can serve as a basic firewall by restricting access based on user IDs or system IDs.

Question 15

What is both a benefit and a potentially harmful implication of multilayer protocols?

A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing

Answer 15

B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols.

Question 16

By examining the source and destination addresses, the application usage, the source of origin, and the relationship between current packets with the previous packets of the same session,_______________ firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.

A. Static packet-filtering
B. Application-level gateway
C. Stateful inspection
D. Circuit-level gateway

Answer 16

C. Stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.

Question 17

________________ firewalls are known as third-generation firewalls.

A. Application-level gateway
B. Stateful inspection
C. Circuit-level gateway
D. Static packet-filtering

Answer 17

B. Stateful inspection firewalls are known as third-generation firewalls.

Question 18

Which of the following is not true regarding firewalls?

A. They are able to log traffic information.
B. They are able to block viruses.
C. They are able to issue alarms based on suspected attacks.
D. They are unable to prevent internal attacks.

Answer 18

B. Most firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms and even basic IDS functions. Firewalls are unable to block viruses or malicious code transmitted through otherwise authorized communication channels, prevent unauthorized but accidental or intended disclosure of information by users, prevent attacks by malicious users already behind the firewall, or protect data after it passed out of or into the private network.

Question 19

Which of the following is not a routing protocol?

A. OSPF
B. BGP
C. RPC
D. RIP

Answer 19

C. There are numerous dynamic routing protocols, including RIP, OSPF, and BGP, but RPC is not a routing protocol.

Question 20

A _________________ is an intelligent hub because it knows the addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist.

A. Repeater
B. Switch
C. Bridge
D. Router

Answer 20

B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port.

Question 21

Which of the following is not a technology specifically associated with 802.11 wireless networking?

A. WAP
B. WPA
C. WEP
D. 802.11i

Answer 21

A. Wireless Application Protocol (WAP) is a technology associated with cell phones accessing the Internet rather than 802.11 wireless networking.

Question 22

Which wireless frequency access method offers the greatest throughput with the least interference?

A. FHSS
B. DSSS
C. OFDM
D. OSPF

Answer 22

C. Orthogonal Frequency-Division Multiplexing (OFDM) offers high throughput with the least interference. OSPF is a routing protocol, not a wireless frequency access method.

Question 23

What security concept encourages administrators to install firewalls, malware scanners, and an IDS on every host?

A. Endpoint security
B. Network access control (NAC)
C. VLAN
D. RADIUS

Answer 23

A. Endpoint security is the security concept that encourages administrators to install firewalls, malware scanners, and an IDS on every host.

Question 24

What function does the RARP protocol perform?

A. It is a routing protocol.
B. It converts IP addresses into MAC addresses.
C. It resolves physical addresses into logical addresses.
D. It manages multiplex streaming.

Answer 24

C. Reverse Address Resolution Protocol (RARP) resolves physical addresses (MAC addresses) into logical addresses (IP addresses).

Question 25

What form of infrastructure mode wireless networking deployment supports large physical environments through the use of a single SSID but numerous access points?

A. Stand-alone
B. Wired extension
C. Enterprise extension
D. Bridge

Answer 25

C. Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.

Question 26

Which of the following attacks take advantage of dynamic system actions and the ability to manipulate the timing of those actions?

a. Active attacks
b. Passive attacks
c. Asynchronous attacks
d. Tunneling attacks

Answer 26

c. Asynchronous attacks take advantage of dynamic system activity to get access. User requests are placed into a queue and are satisfied by a set of predetermined criteria.

Question 27

Routers, which are network connectivity devices, use which of the following?

a. Sink tree and spanning tree
b. Finger table and routing table
c. Fault tree and decision tree
d. Decision table and truth table

Answer 27

a. A sink tree shows the set of optimal routes from all sources to a given destination, rooted at the destination. A sink tree does not contain any loops, so each packet is delivered within a finite and bounded number of hops.

Question 28

Enforcing effective data communications security requires other types of security such as physical security. Which of the following can easily compromise such an objective?

a. Smart cards with PINs
b. Nonreusable passwords
c. Network cabling
d. Last login messages

Answer 28

c. Data communications security requires physical security and password controls. The network cables that carry data are vulnerable to intruders.

Question 29

An effective way to run a World Wide Web (WWW) service is not by:

a. Disabling automatic directory listings
b. Placing the standalone WWW computer outside the firewall in the DMZ
c. Implementing encryption
d. Relying on third-party providers

Answer 29

d. Important security features of WWW include (i) disabling automatic directory listings for names and addresses, (ii) placing the standalone, stripped-down WWW computer outside the firewall in the demilitarized zone (DMZ), and (iii) providing encryption when sensitive or personal information is transmitted or stored.

Question 30

For Web services, which of the following uses binary tokens for authentication, digital signatures for integrity, and content-level encryption for confidentiality?

a. Web service interoperability (WS-I)
b. Web services security (WS-Security)
c. Web services description languages (WSDL)
d. Web-Oriented architecture (WOA)

Answer 30

b. The Web service is a software component or system designed to support an interoperable machine or application-oriented interaction over a network.

Question 31

Radio frequency identification technologies rely on which of the following to ensure security?

a. Defense-in-depth strategy
b. Defense-in-breadth strategy
c. Defense-in-time strategy
d. Defense-in-technology strategy

Answer 31

b. Radio frequency identification (RFID) technologies are used in supply chain systems which, in turn, use defense-in-breadth strategy for ensuring security. Defense-in-depth strategy considers layered defenses to make security stronger.

Question 32

Which of the following is not an example of race condition attacks?
a Symbolic links
b. Object-oriented
c. Deadlock
d. Core-file manipulation

Answer 32

c. Allowing exclusive access to a dedicated input/output device (e.g., printer, plotter, and disk) in response to a user request can lead to a deadlock situation in the absence of spooling. Deadlocks are not related to race condition attacks because the latter is called timing attacks.

Question 33

What do most effective security controls over remote maintenance ports include?

a. Legal contracts and dial-back systems
b. Dial-back systems and modem pools
c. Legal contracts and modem pools
d. Dial-back systems and disconnecting unneeded connections

Answer 33

c. Remote maintenance ports enable the vendor to fix operating problems.

Question 34

Which of the following statements is not true about Internet firewalls?

a. A firewall can enforce security policy.
b. A firewall can log Internet activity.
c. A firewall can limit an organization’s security exposure.
d. A firewall can protect against all computer viruses in PCs.

Answer 34

d. Firewalls (also known as secure gateways) cannot keep personal computer viruses out of a network. There are simply too many types of viruses and too many ways a virus can hide within data.

Question 35

Web content filtering software is related to which of the following?

a. Web bug
b. Blacklisting
c. RED
d. BLACK

Answer 35

b. Web content filtering software is a program that prevents access to undesirable websites, typically by comparing a requested website address to a list of known bad websites (i.e., blacklisting). Blacklisting is a hold placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.

Question 36

Which of the following identifies calls originating from nonexistent telephone extensions to detect voice-mail fraud?

a. Antihacker software
b. Call-accounting system
c. Antihacker hardware
d. Toll-fraud monitoring system

Answer 36

b. A call-accounting system can indicate calls originating from nonexistent “phantom” telephone extensions or trunks.

Question 37

Regarding instant messaging (IM), which of the following is an effective countermeasure to ensure that the enclave users cannot connect to public messaging systems?

a. Disable file-sharing feature
b. Restrict IM chat announcements
c. Block ports at the enclave firewall
d. Install antivirus software

Answer 37

c. Blocking ports at the enclave firewall ensures that enclave users cannot connect to public messaging systems.

Question 38

Synchronization of file updates in a local-area network environment cannot be accomplished by using which of the following?

a. File locks
b. Record locks
c. Semaphores
d. Security labels

Answer 38

d. Security labels deal with security and confidentiality of data, not with file updates.

Question 39

Which of the following is a byproduct of administering the security policy for firewalls?

a. Protocol filtering policy
b. Connectivity policy
c. Firewall implementation
d. Protocol filtering rules

Answer 39

c. The role of site security policy is important for firewall administration.

Question 40

Communications between computers can take several approaches. Which of the following approaches is most secure?

a. Public telephone network
b. Fiber optic cables
c. Direct wiring of lines between the computer and the user workstation
d. Microwave transmission or satellites

Answer 40

b. Due to their design, fiber optic cables are relatively safer and more secure than other types of computer links.

Question 41

Which of the following is risky for transmission integrity and confidentiality when a network commercial service provider is engaged to provide transmission services?

a. Commodity service
b. Cryptographic mechanisms
c. Dedicated service
d. Physical measures

Answer 41

a. An information system should protect the integrity and confidentiality of transmitted information whether using a network service provider.

Question 42

Network security and integrity do not depend on which of the following controls?

a. Logical access controls
b. Business application system controls
c. Hardware controls
d. Procedural controls

Answer 42

b. Application system controls include data editing and validation routines to ensure integrity of the business-oriented application systems such as payroll and accounts payable.

Question 43

Which of the following questions must be answered first when planning for secure telecommuting?

a. What data is confidential?
b. What systems and data do employees need to access?
c. What type of access is needed?
d. What is the sensitivity of systems and data?

Answer 43

c. Telecommuting is the use of telecommunications to create a virtual office away from the established (physical) office.

Question 44

The Internet uses which of the following?

a. Mesh topology
b. Star topology
c. Bus topology
d. Ring topology

Answer 44

a. The Internet uses the mesh topology with a high degree of fault tolerance.

Question 45

Which of the following network architectures is designed to provide data services using physical networks that are more reliable and offer greater bandwidth?

a. Integrated services digital network (ISDN)
b. Transmission control protocol/Internet Protocol (TCP/IP)
c. File transfer protocol (FTP)
d. The open system interconnection (OSI) protocol

Answer 45

a. Integrated services digital network (ISDN) was designed to provide both voice and a wide variety of data services, initially using the existing phone network.

Question 46

Which of the following is the most important aspect of a remote access?

a. User authentication
b. Media authentication
c. Device authentication
d. Server authentication

Answer 46

d. Server authentication is the most important for remote access methods where a user is manually establishing the remote access connections, such as typing a URL into a Web browser.

Question 47

Possible security threats inherent in a local-area network (LAN) environment include passive and active threats. Which of the following is a passive threat?

a. Denial of message service
b. Masquerading
c. Traffic analysis
d. Modification of message service

Answer 47

c. Passive threats do not alter any data in a system.

Question 48

In which of the following remote access methods is a pinholing scheme used to facilitate the network address translation (NAT) contact to occur with internal workstations?

a. Tunneling
b. Application portals
c. Remote desktop access
d. Direct application access

Answer 48

c. There are two major styles of remote desktop access: (i) direct between the telework client device (e.g., a consumer device such as a smartphone and PDA or PC used for performing telework) and the internal workstation, and (ii) indirect through a trusted intermediate system. However, direct access is often not possible because it is prevented by many firewalls.

Question 49

When constructing the communications infrastructure for moving data over a wide-area network, the major implementation choices involve decisions about all the following except which of the following?

a. Multiplexers
b. Network interface cards
c. Concentrators
d. Front-end processors

Answer 49

b. A network interface card (NIC) is used in implementing local-area networks (LANs), not wide-area networks (WANs).

Question 50

A website has been vandalized. Which of the following should be monitored closely?

a. Illegal logging
b. Illegal privilege usage
c. Illegal file access
d. Illegal Web server shutdown

Answer 50

c. Selecting the illegal file access addresses the vandalism issue because that is what the attacker can benefit from the most. Files have critical data useful to an attacker. The other three choices are incidental.

Question 51

The Voice over Internet Protocol (VoIP) technology can lead to which of the following?

a. Converged network
b. Ad hoc network
c. Content delivery network
d. Wireless sensor network

Answer 51

a. The Voice over Internet Protocol (VoIP) technology can lead to a converged network, where the latter combines two different networks such as data and voice networks, similar to the VoIP.

Question 52

Which of the following transmission media is unsuitable for handling intra-building data or voice communications?

a. Twisted pair
b. Coaxial cable
c. Optical fiber
d. Microwave transmission

Answer 52

d. Microwave transmission is a point-to-point transmission using radio frequency spectrum signals and is commonly used as a substitution for copper or fiber cable. Because of this, it is not suitable for handling intra-building communications and is more appropriate for long-distance transmission.

Question 53

From a corporation viewpoint, which of the following design objectives is most important for a local-area network?

a. Productivity
b. Availability
c. Throughput
d. Responsiveness

Answer 53

b. Availability is the ratio of the total time a functional unit is capable of being used during a given interval to the length of the interval. It is the time during which a functional unit can be used. What good are productivity, throughput, and response time if the system is shut down and not available? Therefore, system availability is the most important objective for a local-area network (LAN) or any other network.

Question 54

Which of the following wiring schemes makes future network changes easier to implement?

a. Post wiring
b. Wiring on demand
c. Buildings with high ceilings
d. Cable conduits

Answer 54

d. Because the cost of wiring an existing building goes up with the height of the ceiling and rises even higher after the tenants have moved in, making the right decisions as early as possible can significantly reduce future costs.

Question 55

Which of the following is a disadvantage of satellite communications versus a conventional communications method?

a. User-owned stations
b. Cost
c. Frequency bands
d. Broadcast ability

Answer 55

c. Frequency bands are of two types: low and high frequency. All the lower frequency bands have become increasingly crowded, and developing higher frequencies is difficult and expensive.

Question 56

Host-based firewalls can have a serious negative effect on system usability and user satisfaction with which of the following?

a. Deny-by-default rulesets for incoming traffic
b. Deny-by-default rulesets for outgoing traffic
c. Deny-by-default rulesets for servers
d. Deny-by-default rulesets for desktops

Answer 56

b. To prevent malware incidents, organizations should configure host-based firewalls with deny-by-default rulesets for incoming traffic.

Question 57

Which of the following is an example of an asynchronous attack?

a. Data diddling attack
b. Data leakage attack
c. TOC-TOU attack
d. Salami attack

Answer 57

c. In a time-of-check to time-of-use (TOC-TOU) attack, a print job under one user’s name is exchanged with a print job for another user.

Question 58

Security mechanisms implement security services. Which of the following security services is provided by a notarization security mechanism?

a. Confidentiality
b. Integrity
c. Authentication
d. Nonrepudiation

Answer 58

d. Nonrepudiation services prevent the parties to a communication from denying that they sent or received it, or disputing its contents.

Question 59

Legacy IEEE 802.11 wireless local-area networks (WLANs) operate in which of the following layers of the ISO/OSI reference model?

a. Physical and data layers
b. Data and network link layers
c. Transport and presentation layers
d. Application and session layers

Answer 59

a. Legacy IEEE 802.11 wireless LANs (WLANs) operate in the physical layer and the data link layer of the ISO/OSI reference model because they define the physical characteristics and access rules for the network.

Question 60

Which of the following security practices is supported by most remote control program (RCP) products when accessing a host workstation on a local-area network (LAN)?

a. Matching user ID and name with password
b. Controlling reboot options
c. Limiting access to local drives and directories
d. Controlling file transfer rights

Answer 60

a. Some remote control products provide minimal security support, whereas others provide varying degrees of support.

Question 61

When a nonremote user connection is established with a remote device using a virtual private network (VPN), the configuration settings generally prevent which of the following?

a. Split knowledge
b. Split domain name service
c. Split tunneling
d. Split gateway

Answer 61

c. Split tunneling is a method that routes organization-specific traffic through the secure sockets layer (SSL) VPN tunnel, but other traffic uses the remote user’s default gateway.