Topic 4: System and network security implementation Flashcards
What is the primary role of a firewall? Pick the most complete answer:
to enable users to gain access to the resources they need.
to permit all work related traffic.
to manage traffic flow through the firewall based on criteria determined by the organisation.
to block all non-work related traffic
to manage traffic flow through the firewall based on criteria determined by the organisation.
What security technology is a form of policy based examination that uses remediation zones?
DMZ.
network access control.
baselining.
firewalling
network access control. NAC is a policy-based examination: a host is checked against requirements (patch level, antivirus, configuration) as it connects and, if it fails, is placed in a remediation (quarantine) zone with access only to the resources needed to fix it until it complies.
The concept of a DMZ is borrowed from which area?
historical buildings.
banking and finance.
ancient warfare.
sports and development
ancient warfare.
What is the best technology for securing a network against attackers?
firewall.
policy.
IDS.
it depends on a number of factors and is difficult to answer
it depends on a number of factors and is difficult to answer
With respect to firewall rule base design considerations, is the following statement true or false?
All traffic should be blocked unless it is specifically required for a business function.
True
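The rule-base principle above, as an added example that is not part of the flashcard deck: a small Python first-match evaluator in which anything no rule explicitly allows is dropped, plus a check for rules that can never fire because an earlier, broader rule catches their traffic first. The networks, hosts and rules are constructed for illustration (RFC 5737 documentation ranges stand in for public addresses).

```python
# Added example, not part of the flashcard deck: a toy first-match firewall
# rule base with an implicit default deny, plus a check for shadowed rules.
# Networks, hosts and rules are constructed for illustration (RFC 5737
# documentation ranges stand in for public addresses).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port; None matches any port
    comment: str           # the business function that justifies the rule


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True if the flow (proto, src, dst, dport) falls inside the rule's match space."""
    if rule.proto not in ("any", proto):
        return False
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny: no rule matched"


def is_shadowed(later: Rule, earlier: Rule) -> bool:
    """True if every flow 'later' could match is already caught by 'earlier'."""
    return (
        earlier.proto in ("any", later.proto)
        and ip_network(later.src).subnet_of(ip_network(earlier.src))
        and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
        and earlier.dport in (None, later.dport)
    )


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(is_shadowed(r, e) for e in rules[:i])]


# Constructed rule base: LAN 10.0.0.0/8, DMZ 203.0.113.0/24, web server at .10.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "Internet to public web server"),
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "LAN users browsing HTTPS"),
    Rule("deny", "any", "203.0.113.0/24", "10.0.0.0/8", None, "DMZ may not initiate into LAN"),
    Rule("allow", "tcp", "203.0.113.10/32", "10.0.5.20/32", 5432, "web server to database"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 443))   # allowed by rule 0
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 22))    # implicit default deny
    print(evaluate(RULES, "tcp", "203.0.113.10", "10.0.5.20", 5432))     # denied by rule 2
    print("shadowed rule indices:", shadowed_rules(RULES))               # [3]
```

The last rule in the constructed set is meant to let the web server reach its database, but the broad DMZ-to-LAN deny placed ahead of it catches that traffic first, so the database connection fails with no hint in the rule base itself; a shadowing check like shadowed_rules finds that ordering mistake before the rules go live.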
Which of the following would you set up in a multifunction SOHO router?
A. DMZ
B. DOS
C. OSI
D. ARP
A. A DMZ, or demilitarized zone, can be set up on a SOHO router (in the firewall portion) to create a sort of safe haven for servers. It is neither the LAN nor the Internet, but instead, a location in between the two.
Which of the following is a private IPv4 address?
A. 11.16.0.1
B. 127.0.0.1
C. 172.16.0.1
D. 208.0.0.1
C. 172.16.0.1 is the only private address listed. The private (RFC 1918) ranges are 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 to 172.31.255.255) and 192.168.0.0/16; they can also be seen in Table 6-2 earlier in the chapter. 11.16.0.1 and 208.0.0.1 are public IPv4 addresses, and 127.0.0.1 is the IPv4 loopback address.
Which of these hides an entire network of IP addresses?
A. SPI
B. NAT
C. SSH
D. FTP
B. NAT (network address translation) hides an entire network of IP addresses. SPI, or Stateful Packet Inspection, is the other type of firewall that today’s SOHO routers incorporate. Secure Shell (SSH) is a protocol used to log in to remote systems securely over the network. The File Transfer Protocol (FTP) is used to copy files from one system to a remote system.
Which of the following statements best describes a static NAT?
A. Static NAT uses a one-to-one mapping.
B. Static NAT uses a many-to-many mapping.
C. Static NAT uses a one-to-many mapping.
D. Static NAT uses a many-to-one mapping.
A. Static network address translation maps one inside address to one outside address (a one-to-one mapping), so the inside host is reachable at a fixed public address. The many-to-one form, in which a whole network shares a single public address and flows are told apart by translated source port, is dynamic NAT with port address translation (PAT), the form most SOHO routers use.
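The two NAT forms from the last two questions, as an added example that is not part of the flashcard deck: a toy translation table in Python contrasting static NAT (one inside address permanently mapped to one public address, reachable from outside) with PAT (many inside hosts behind one public address, told apart by translated source port, with unsolicited inbound packets dropped because no session exists). The addresses are constructed: 10.0.0.0/24 is the LAN and 203.0.113.0/24 and 198.51.100.0/24 stand in for the public side.

```python
# Added example, not part of the flashcard deck: a toy NAT table contrasting
# static NAT (one inside address permanently mapped to one public address)
# with PAT / NAT overload (many inside hosts sharing one public address,
# told apart by translated source port). Addresses are constructed:
# 10.0.0.0/24 is the LAN, 203.0.113.0/24 and 198.51.100.0/24 the public side.
import itertools


class Nat:
    def __init__(self, public_ip, static_map=None):
        self.public_ip = public_ip                 # shared address used for PAT
        self.static = dict(static_map or {})       # inside ip -> outside ip (one-to-one)
        self.sessions = {}                         # (inside ip, inside port) -> public port
        self.reverse = {}                          # public port -> (inside ip, inside port)
        self._ports = itertools.count(40000)       # next free translated source port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN; returns the packet as seen on the Internet."""
        if src_ip in self.static:
            # static NAT: only the address changes, the source port is preserved
            return self.static[src_ip], src_port, dst_ip, dst_port
        key = (src_ip, src_port)
        if key not in self.sessions:               # first packet of a new flow
            port = next(self._ports)
            self.sessions[key] = port
            self.reverse[port] = key
        return self.public_ip, self.sessions[key], dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from the Internet; None means no mapping, so it is dropped."""
        for inside_ip, outside_ip in self.static.items():
            if dst_ip == outside_ip:               # statically mapped hosts are reachable unsolicited
                return src_ip, src_port, inside_ip, dst_port
        if dst_ip == self.public_ip and dst_port in self.reverse:
            inside_ip, inside_port = self.reverse[dst_port]
            return src_ip, src_port, inside_ip, inside_port
        return None                                # no session: the LAN stays invisible


if __name__ == "__main__":
    nat = Nat("203.0.113.1", static_map={"10.0.0.10": "203.0.113.10"})
    # two LAN hosts that happen to pick the same local source port
    print(nat.outbound("10.0.0.5", 51000, "198.51.100.20", 443))
    print(nat.outbound("10.0.0.6", 51000, "198.51.100.20", 443))
    # the reply to the second flow is routed back by its translated port
    print(nat.inbound("198.51.100.20", 443, "203.0.113.1", 40001))
    # an unsolicited probe at the shared address is dropped
    print(nat.inbound("198.51.100.9", 5555, "203.0.113.1", 22))
    # the statically mapped server is reachable from outside
    print(nat.inbound("198.51.100.9", 5555, "203.0.113.10", 443))
```

Real NAT devices key sessions on the full 5-tuple and age them out; this table keys only on the inside address and port, which is enough to show why PAT hides the network (a probe that does not match a session has nowhere to go) while a static mapping exposes its host.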
Which of the following should be placed between the LAN and the Internet?
A. DMZ
B. HIDS
C. Domain controller
D. Extranet
A. A demilitarized zone, or DMZ, can be placed between the LAN and the Internet; this is known as a back-to-back perimeter configuration. This allows external users on the Internet to access services but segments access to the internal network. In some cases, it will be part of a 3-leg firewall scheme. Host-based intrusion detection systems are placed on an individual computer, usually within the LAN. Domain controllers should be protected and are normally on the LAN as well. An extranet can include parts of the Internet and parts of one or more LANs; normally it connects two companies utilizing the power of the Internet.
You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario?
A. Switch
B. Hub
C. Router
D. Firewall
A. A switch reduces traffic on a segment because it learns which MAC address is attached to which port and forwards unicast frames only out the port where the destination was learned. A hub repeats every frame out of every port, so any user on the segment can see everyone else's traffic. Routers and firewalls operate between networks rather than within a single segment.
You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this?
A. Loop protection
B. DMZ
C. VLAN segregation
D. Port forwarding
A. Loop protection (Spanning Tree Protocol, or the loop-detection and BPDU-guard features built on it) should be enabled on the switch to block the broadcast storm that results when both ends of a cable are plugged into the same switch. A DMZ is a demilitarized zone used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) confines ARP poisoning to a single broadcast domain but does nothing about a loop. Port forwarding maps a port on the router's public address to a host and port inside the network and is unrelated to switching loops.
You see a network address in the command-line that is composed of a long string of letters and numbers. What protocol is being used?
A. IPv4
B. ICMP
C. IPv3
D. IPv6
D. IPv6 uses a long string of hexadecimal digits (numbers and letters) in the IP address. These addresses are 128 bits in length. IPv4 addresses are shorter (32-bit) and, in dotted-decimal notation, numeric only. ICMP is the Internet Control Message Protocol, which is used by ping and other commands. IPv3 was a test version prior to IPv4 and was similar in IP addressing structure.
Which of the following cloud computing services offers easy-to-configure operating systems?
A. SaaS
B. IaaS
C. PaaS
D. VM
C. Platform as a service (PaaS) is a cloud computing service that offers many software solutions, including easy-to-configure operating systems and on-demand computing. SaaS is software as a service, used to offer solutions such as webmail. IaaS is infrastructure as a service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.
Which of the following might be included in Microsoft Security Bulletins?
A. PHP
B. CGI
C. CVE
D. TLS
C. Common Vulnerabilities and Exposures (CVE) identifiers were referenced in Microsoft Security Bulletins (replaced by the Microsoft Security Update Guide in 2017) and are vendor-neutral, so the same identifiers appear in advisories for other web server products such as Apache. PHP is a server-side scripting language and CGI is an interface through which a web server runs external programs to generate pages; scripts written for either can introduce vulnerabilities if written carelessly. Transport Layer Security (TLS) is the protocol that secures sites served over HTTPS.
Which of the following devices would most likely have a DMZ interface?
A. Switch
B. VoIP phone
C. Proxy server
D. Firewall
D. The firewall is the device most likely to have a separate DMZ interface. Switches connect computers on the LAN. VoIP phones are used by individuals to make and answer phone calls on a Voice over IP connection. A proxy server acts as a go-between for the clients on the LAN and the web servers that they connect to, and caches web content for faster access.
Your network uses the subnet mask 255.255.255.224. Which of the following IPv4 addresses are able to communicate with each other? (Select the two best answers.)
A. 10.36.36.126
B. 10.36.36.158
C. 10.36.36.166
D. 10.36.36.184
E. 10.36.36.224
C and D. The hosts using 10.36.36.166 and 10.36.36.184 can communicate with each other because both fall in the same subnet: 255.255.255.224 is a /27 mask, so subnets start on 32-address boundaries (.0, .32, .64, .96, .128, .160, .192, .224), and both addresses sit in 10.36.36.160/27 (usable hosts .161 to .190; counting from zero this is subnet ID 5). 10.36.36.126 is in 10.36.36.96/27 and 10.36.36.158 is in 10.36.36.128/27, so by default neither can reach the other or the correct answers without a router between the subnets.
It is noteworthy that 10.36.36.224 is not even a usable host address: it is the first address of 10.36.36.224/27, the subnet (network) address itself. The general rule is that the first and last address of each subnet cannot be assigned to hosts, because they are reserved for the subnet ID and the broadcast address, respectively.
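The private-address question and the subnet question above, worked in code as an added example that is not part of the flashcard deck: Python's standard ipaddress module classifies an address as loopback, RFC 1918 private or public, and computes which /27 an address belongs to, whether two hosts share a subnet, and whether an address is the network or broadcast address rather than an assignable host. The addresses are the ones from the questions plus a few constructed extras.

```python
# Added example, not part of the flashcard deck: address classification and
# subnet membership with the standard library. The explicit RFC 1918 list is
# used instead of IPv4Address.is_private because is_private also covers
# loopback, link-local and the documentation ranges.
from ipaddress import ip_address, ip_interface, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Return "loopback", "private" (RFC 1918) or "public" for an IPv4 address."""
    a = ip_address(addr)
    if a.is_loopback:
        return "loopback"
    if any(a in net for net in RFC1918):
        return "private"
    return "public"


def subnet_of(addr: str, mask: str):
    """The network an address belongs to under a dotted-decimal mask, e.g. 10.36.36.160/27."""
    return ip_interface(f"{addr}/{mask}").network


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts can talk directly (no router) only if they are in the same subnet."""
    return subnet_of(a, mask) == subnet_of(b, mask)


def address_role(addr: str, mask: str) -> str:
    """"network" or "broadcast" for the reserved first/last address, otherwise "host"."""
    net = subnet_of(addr, mask)
    a = ip_address(addr)
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_range(addr: str, mask: str):
    """(first, last) assignable host address of the subnet containing addr."""
    hosts = list(subnet_of(addr, mask).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    for candidate in ("11.16.0.1", "127.0.0.1", "172.16.0.1", "208.0.0.1", "172.32.0.1"):
        print(candidate, classify(candidate))
    mask = "255.255.255.224"
    for candidate in ("10.36.36.126", "10.36.36.158", "10.36.36.166", "10.36.36.184", "10.36.36.224"):
        print(candidate, subnet_of(candidate, mask), address_role(candidate, mask))
    print(same_subnet("10.36.36.166", "10.36.36.184", mask))   # True
    print(usable_range("10.36.36.166", mask))                  # ('10.36.36.161', '10.36.36.190')
```

172.32.0.1 is included as a trap: it looks like the 172.16 range but lies just past 172.31.255.255, so it is public, which is why the check uses the /12 network object rather than a string prefix.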
You are implementing a testing environment for the development team. They use several virtual servers to test their applications. One of these applications requires that the servers communicate with each other. However, to keep this network safe and private, you do not want it to be routable to the firewall. What is the best method to accomplish this?
A. Use a virtual switch.
B. Remove the virtual network from the routing table.
C. Use a standalone switch.
D. Create a VLAN without any default gateway.
A. The virtual switch is the best option. This virtual device will connect the virtual servers together without being routable to the firewall (by default). Removing the virtual network from the routing table is another possibility; but if you have not created a virtual switch yet, it should not be necessary. A physical standalone switch won’t be able to connect the virtual servers together; a virtual switch (or individual virtual connections) is required. Creating a VLAN would also require a physical switch. In that scenario, you can have multiple virtual LANs each containing physical computers (not virtual computers), and each working off of the same physical switch. That answer would keep the VLAN from being routable to the firewall, but not virtual servers.
Your boss (the IT director) wants to move several internally developed software applications to an alternate environment, supported by a third party, in an effort to reduce the footprint of the server room. Which of the following is the IT director proposing?
A. PaaS
B. IaaS
C. SaaS
D. Community cloud
B. The IT director is most likely proposing that you use infrastructure as a service (IaaS). A cloud-based service, IaaS is often used to house servers (within virtual machines) that store developed applications. It differs from PaaS in that it is the servers, and already developed applications, that are being moved from the server room to the cloud. However, PaaS might also be required if the applications require further development. The most basic cloud-based service, software as a service (SaaS), is when users work with applications (often web-based) that are provided from the cloud. A community cloud is when multiple organizations share certain aspects of a public cloud.
A security analyst wants to ensure that all external traffic is able to access an organization’s front-end servers but also wants to protect access to internal resources. Which network design element is the best option for the security analyst?
A. VLAN
B. Virtualization
C. DMZ
D. Cloud computing
C. The demilitarized zone (DMZ) is the best option in this scenario. By creating a DMZ, and placing the front-end servers within it (on a separate branch of the firewall), you create a type of compartmentalization between the LAN (important internal resources) and the front-end servers. A VLAN is used to separate a LAN into multiple virtual units. Virtualization is a general term that usually refers to the virtualizing of operating systems. Cloud computing is another possible option in this scenario, because you could take the front-end servers and move them to the cloud. However, a certain level of control is lost when this is done, whereas with a DMZ, the security analyst still retains complete control.