Topic 4: System and network security implementation

Question 1

What is the primary role of a firewall? Pick the most complete answer:

to enable users to gain access to the resources they need.

to permit all work related traffic.

to manage traffic flow through the firewall based on criteria determined by the organisation.

to block all non-work related traffic

Answer 1

to manage traffic flow through the firewall based on criteria determined by the organisation.

Question 2

What security technology is a form of policy based examination that uses remediation zones?

DMZ.

network access control.

baselining.

firewalling

Answer 2

DMZ.

Question 3

The concept of a DMZ is borrowed from which area?

historical buildings.

banking and finance.

ancient warfare.

sports and development

Answer 3

ancient warfare.

Question 4

What is the best technology for securing a network against attackers?

firewall.

policy.

IDS.

it depends on a number of factors and is difficult to answer

Answer 4

it depends on a number of factors and is difficult to answer

Question 5

With respect to firewall rule base design considerations is the following statement True or false?

All traffic should be blocked unless it is specifically required for a business function.

Answer 5

True

Question 6

Which of the following would you set up in a multifunction SOHO router?

A. DMZ

B. DOS

C. OSI

D. ARP

Answer 6

A. A DMZ, or demilitarized zone, can be set up on a SOHO router (in the firewall portion) to create a sort of safe haven for servers. It is neither the LAN nor the Internet, but instead, a location in between the two.

Question 7

Which of the following is a private IPv4 address?

A. 11.16.0.1

B. 127.0.0.1

C. 172.16.0.1

D. 208.0.0.1

Answer 7

C. 172.16.0.1 is the only address listed that is private. The private assigned ranges can be seen in Table 6-2 earlier in the chapter. 11.16.0.1 is a public IPv4 address, as is 208.0.0.1. 127.0.0.1 is the IPv4 loopback address.

Question 8

Which of these hides an entire network of IP addresses?

A. SPI

B. NAT

C. SSH

D. FTP

Answer 8

B. NAT (network address translation) hides an entire network of IP addresses. SPI, or Stateful Packet Inspection, is the other type of firewall that today’s SOHO routers incorporate. Secure Shell (SSH) is a protocol used to log in to remote systems securely over the network. The File Transfer Protocol (FTP) is used to copy files from one system to a remote system.

Question 9

Which of the following statements best describes a static NAT?

A. Static NAT uses a one-to-one mapping.

B. Static NAT uses a many-to-many mapping.

C. Static NAT uses a one-to-many mapping.

D. Static NAT uses a many-to-one mapping.

Answer 9

A. Static network address translation normally uses a one-to-one mapping when dealing with IP addresses.

Question 10

Which of the following should be placed between the LAN and the Internet?

A. DMZ

B. HIDS

C. Domain controller

D. Extranet

Answer 10

A. A demilitarized zone, or DMZ, can be placed between the LAN and the Internet; this is known as a back-to-back perimeter configuration. This allows external users on the Internet to access services but segments access to the internal network. In some cases, it will be part of a 3-leg firewall scheme. Host-based intrusion detection systems are placed on an individual computer, usually within the LAN. Domain controllers should be protected and are normally on the LAN as well. An extranet can include parts of the Internet and parts of one or more LANs; normally it connects two companies utilizing the power of the Internet.

Question 11

You want to reduce network traffic on a particular network segment to limit the amount of user visibility. Which of the following is the best device to use in this scenario?

A. Switch

B. Hub

C. Router

D. Firewall

Answer 11

A. A switch can reduce network traffic on a particular network segment. It does this by keeping a table of information about computers on that segment. Instead of broadcasting information to all ports of the switch, the switch selectively chooses where the information goes.

Question 12

You receive complaints about network connectivity being disrupted. You suspect that a user connected both ends of a network cable to two different ports on a switch. What can be done to prevent this?

A. Loop protection

B. DMZ

C. VLAN segregation

D. Port forwarding

Answer 12

A. Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch. A DMZ is a demilitarized zone that is used to keep servers in a midway zone between the Internet and the LAN. VLAN segregation (or VLAN separation) is a way of preventing ARP poisoning. Port forwarding refers to logical ports associated with protocols.

Question 13

You see a network address in the command-line that is composed of a long string of letters and numbers. What protocol is being used?

A. IPv4

B. ICMP

C. IPv3

D. IPv6

Answer 13

D. IPv6 uses a long string of numbers and letters in the IP address. These addresses are 128-bit in length. IPv4 addresses are shorter (32-bit) and are numeric only. ICMP is the Internet Control Message Protocol, which is used by ping and other commands. IPv3 was a test version prior to IPv4 and was similar in IP addressing structure.

Question 14

Which of the following cloud computing services offers easy-to-configure operating systems?

A. SaaS

B. IaaS

C. PaaS

D. VM

Answer 14

C. Platform as a service (PaaS) is a cloud computing service that offers many software solutions, including easy-to-configure operating systems and on-demand computing. SaaS is software as a service, used to offer solutions such as webmail. IaaS is infrastructure as a service, used for networking and storage. VM stands for virtual machine, which is something that PaaS also offers.

Question 15

Which of the following might be included in Microsoft Security Bulletins?

A. PHP

B. CGI

C. CVE

D. TLS

Answer 15

C. Common Vulnerabilities and Exposures (CVE) can be included in Microsoft Security Bulletins and will be listed for other web server products such as Apache. PHP and CGI are pseudo-programming languages used within HTML for websites. Both can contain harmful scripts if used inappropriately. Transport Layer Security (TLS) is a protocol used by sites secured by HTTPS.

Question 16

Which of the following devices would most likely have a DMZ interface?

A. Switch

B. VoIP phone

C. Proxy server

D. Firewall

Answer 16

D. The firewall is the device most likely to have a separate DMZ interface. Switches connect computers on the LAN. VoIP phones are used by individuals to make and answer phone calls on a Voice over IP connection. A proxy server acts as a go-between for the clients on the LAN and the web servers that they connect to, and caches web content for faster access.

Question 17

Your network uses the subnet mask 255.255.255.224. Which of the following IPv4 addresses are able to communicate with each other? (Select the two best answers.)

A. 10.36.36.126

B. 10.36.36.158

C. 10.36.36.166

D. 10.36.36.184

E. 10.36.36.224

Answer 17

C and D. The hosts using the IP addresses 10.36.36.166 and 10.36.36.184 would be able to communicate with each other because they are on the same subnet (known as subnet ID 5). All of the other answer choices’ IP addresses are on different subnets, so they would not be able to communicate with each other (or with the IP addresses of the correct answers) by default.

It is noteworthy that the answer 10.36.36.224 is not even usable because it is the first IP of one of the subnets. Remember that the general rule is: you can’t use the first and last IP within each subnet. That is because they are reserved for the subnet ID and the broadcast addresses, respectively.

Question 18

You are implementing a testing environment for the development team. They use several virtual servers to test their applications. One of these applications requires that the servers communicate with each other. However, to keep this network safe and private, you do not want it to be routable to the firewall. What is the best method to accomplish this?

A. Use a virtual switch.

B. Remove the virtual network from the routing table.

C. Use a standalone switch.

D. Create a VLAN without any default gateway.

Answer 18

A. The virtual switch is the best option. This virtual device will connect the virtual servers together without being routable to the firewall (by default). Removing the virtual network from the routing table is another possibility; but if you have not created a virtual switch yet, it should not be necessary. A physical standalone switch won’t be able to connect the virtual servers together; a virtual switch (or individual virtual connections) is required. Creating a VLAN would also require a physical switch. In that scenario, you can have multiple virtual LANs each containing physical computers (not virtual computers), and each working off of the same physical switch. That answer would keep the VLAN from being routable to the firewall, but not virtual servers.

Question 19

Your boss (the IT director) wants to move several internally developed software applications to an alternate environment, supported by a third party, in an effort to reduce the footprint of the server room. Which of the following is the IT director proposing?

A. PaaS

B. IaaS

C. SaaS

D. Community cloud

Answer 19

B. The IT director is most likely proposing that you use infrastructure as a service (IaaS). A cloud-based service, IaaS is often used to house servers (within virtual machines) that store developed applications. It differs from PaaS in that it is the servers, and already developed applications, that are being moved from the server room to the cloud. However, PaaS might also be required if the applications require further development. The most basic cloud-based service, software as a service (SaaS), is when users work with applications (often web-based) that are provided from the cloud. A community cloud is when multiple organizations share certain aspects of a public cloud.

Question 20

A security analyst wants to ensure that all external traffic is able to access an organization’s front-end servers but also wants to protect access to internal resources. Which network design element is the best option for the security analyst?

A. VLAN

B. Virtualization

C. DMZ

D. Cloud computing

Answer 20

C. The demilitarized zone (DMZ) is the best option in this scenario. By creating a DMZ, and placing the front-end servers within it (on a separate branch of the firewall), you create a type of compartmentalization between the LAN (important internal resources) and the front-end servers. A VLAN is used to separate a LAN into multiple virtual units. Virtualization is a general term that usually refers to the virtualizing of operating systems. Cloud computing is another possible option in this scenario, because you could take the front-end servers and move them to the cloud. However, a certain level of control is lost when this is done, whereas with a DMZ, the security analyst still retains complete control.

Question 21

In your organization’s network you have VoIP phones and PCs connected to the same switch. Which of the following is the best way to logically separate these device types while still allowing traffic between them via an ACL?

A. Install a firewall and connect it to the switch.

B. Create and define two subnets, configure each device to use a dedicated IP address, and then connect the whole network to a router.

C. Install a firewall and connect it to a dedicated switch for each type of device.

D. Create two VLANs on the switch connected to a router.

Answer 21

D. The best option is to create two VLANs on the switch (one for the VoIP phones, and one for the PCs) and make sure that the switch is connected to the router. Configure access control lists (ACLs) as necessary on the router to allow or disallow connectivity and traffic between the two VLANs. Installing a firewall and configuring ACLs on that firewall is a possibility, but you would also have to use two separate dedicated switches if VLANs are not employed. This is a valid option, but requires additional equipment, whereas creating the two VLANs requires no additional equipment (as long as the switch has VLAN functionality). While subnetting is a possible option, it is more elaborate than required. The VLAN (in this case port-based) works very well in this scenario and is the best option.

Question 22

You ping a hostname on the network and receive a response including the address 2001:4560:0:2001::6A. What type of address is listed within the response?

A. MAC address

B. Loopback address

C. IPv6 address

D. IPv4 address

Answer 22

C. The address in the response is a truncated IPv6 address. You can tell it is an IPv6 address because of the hexadecimal numbering, the separation with colons, and the groups of four digits. You can tell it is truncated because of the single zero and the double colon. A MAC address is also hexadecimal and can use colons to separate the groups of numbers (though hyphens often are used), but the numbers are grouped in twos. An example is 00-1C-C0-A1-54-15. The loopback address is a testing address for the local computer. In IPv6 it is simply ::1, whereas in IPv4 it is 127.0.0.1. Finally, IPv4 addresses in general are 32-bit dotted-decimal numbers such as 192.168.1.100.

Question 23

Analyze the following network traffic logs depicting communications between Computer1 and Computer2 on opposite sides of a router. The information was captured by the computer with the IPv4 address 10.254.254.10.

Computer1 Computer2
[192.168.1.105]——[INSIDE 192.168.1.1 router OUTSIDE 10.254.254.1] —–[10.254.254.10] LOGS
7:58:36 SRC 10.254.254.1:3030, DST 10.254.254.10:80, SYN
7:58:38 SRC 10.254.254.10:80, DST 10.254.254.1:3030, SYN/ACK
7:58:40 SRC 10.254.254.1:3030, DST 10.254.254.10:80, ACK

Given the information, which of the following can you infer about the network communications?

A. The router implements NAT.

B. The router filters port 80 traffic.

C. 192.168.1.105 is a web server.

D. The web server listens on a nonstandard port.

Answer 23

A. The only one of the listed answers that you can infer from the log is that the router implements network address translation (NAT). You can tell this from the first line of the log, which shows the inside of the router using the 192.168.1.1 IP address and the outside using 10.254.254.1. NAT is occurring between the two at the router. This allows the IP 192.168.1.105 to communicate with 10.254.254.10 ultimately. However, the rest of the logs only show the first step of that communication between 10.254.254.10 and the router at 10.254.254.1.

What’s really happening here? The router is showing that port 3030 is being used on 10.254.254.1. That is the port used by an online game known as netPanzer as well as a mass-e-mailing backdoor worm. The client (10.254.254.10) is using port 80 to make a web-based connection to the game. You can see the three-way TCP handshake occurring with the SYN, SYN/ACK, and ACK packets. Ultimately, 10.254.254.10 is communicating with 192.168.1.105, but we only see the first stage of that communication to the router. As a security analyst you would most likely want to shut down the use of port 3030, so that employees can be more productive and you have less overall chance of a network breach.

As far as the incorrect answers, the router definitely is not filtering out port 80, as traffic is successfully being sent on that port. 192.168.1.105 is not a web server; it is most likely used for other purposes. Finally, even though port 80 is used by the client computer, there is likely no web server in this scenario.

Question 24

Your organization uses VoIP. Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic?

A. NAT

B. QoS

C. NAC

D. Subnetting

Answer 24

B. Quality of Service (QoS) should be configured on the router to prioritize traffic, promoting IP telephony traffic to be more available. You’ll get some detractors of QoS, especially for the SOHO side of networks, but if used on the right device and configured properly, it can make a difference. This might sound like more of a networking question, but it ties in directly to the CIA triad of security. Data confidentiality and integrity are important, but just as important is availability—the ability for users to access data when required. NAT is network address translation, which interprets internal and external IP networks to each other. NAC is network access control—for example, 802.1X. Subnetting is when a network is divided into multiple logical areas through IP addressing/planning and subnet mask configuring.

Question 25

You have been tasked with segmenting internal traffic between layer 2 devices on the LAN. Which of the following network design elements would most likely be used?

A. VLAN

B. DMZ

C. NAT

D. Routing

Answer 25

A. You would most likely use a virtual LAN (VLAN). This allows you to segment internal traffic within layer 2 of the OSI model, by using either a protocol-based scheme or a port-based scheme. The DMZ is used to create a safe haven for servers that are accessed by outside traffic. NAT is network address translation, which is a layer 3 option used on routers. Because we are dealing with a layer 2 scenario, routing in general is not necessary.

Question 26

Which tool would you use if you want to view the contents of a packet?

A. TDR

B. Port scanner

C. Protocol analyzer

D. Loopback adapter

Answer 26

C. A protocol analyzer has the capability to “drill” down through a packet and show the contents of that packet as they correspond to the OSI model. A TDR is a time-domain reflectometer, a tool used to locate faults in cabling. (I threw that one in for fun. It is a Network+ level concept, so you security people should know it!) A port scanner identifies open network ports on a computer or device; we’ll discuss that more in Chapters 12 and 13. A loopback adapter is a device that can test a switch port or network adapter (depending on how it is used).

Question 27

The honeypot concept is enticing to administrators because

A. It enables them to observe attacks.

B. It traps an attacker in a network.

C. It bounces attacks back at the attacker.

D. It traps a person physically between two locked doors.

Answer 27

A. By creating a honeypot, the administrator can monitor attacks without sustaining damage to a server or other computer. Don’t confuse this with a honeynet (answer B), which is meant to attract and trap malicious attackers in an entirely false network. Answer C is not something that an administrator would normally do, and answer D is defining a man trap.

Question 28

James has detected an intrusion in his company network. What should he check first?

A. DNS logs

B. Firewall logs

C. The Event Viewer

D. Performance logs

Answer 28

B. If there was an intrusion, James should check the firewall logs first. DNS logs in the Event Viewer and the performance logs will most likely not show intrusions to the company network. The best place to look first is the firewall logs.

Question 29

Which of the following devices should you employ to protect your network? (Select the best answer.)

A. Protocol analyzer

B. Firewall

C. DMZ

D. Proxy server

Answer 29

B. Install a firewall to protect the network. Protocol analyzers do not help to protect a network but are valuable as vulnerability assessment and monitoring tools. Although a DMZ and a proxy server could possibly help to protect a portion of the network to a certain extent, the best answer is firewall.

Question 30

Which device’s log file will show access control lists and who was allowed access and who wasn’t?

A. Firewall

B. Smartphone

C. Performance Monitor

D. IP proxy

Answer 30

A. A firewall contains one or more access control lists (ACLs) defining who is enabled to access the network. The firewall can also show attempts at access and whether they succeeded or failed. A smartphone might list who called or e-mailed, but as of the writing of this book does not use ACLs. Performance Monitor analyzes the performance of a computer, and an IP proxy deals with network address translation, hiding many private IP addresses behind one public address. Although the function of an IP proxy is often built into a firewall, the best answer would be firewall.

Question 31

Where are software firewalls usually located?

A. On routers

B. On servers

C. On clients

D. On every computer

Answer 31

C. Software-based firewalls, such as Windows Firewall, are normally running on the client computers. Although a software-based firewall could also be run on a server, it is not as common. Also, a SOHO router might have a built-in firewall, but not all routers have firewalls.

Question 32

Where is the optimal place to have a proxy server?

A. In between two private networks

B. In between a private network and a public network

C. In between two public networks

D. On all of the servers

Answer 32

B. Proxy servers should normally be between the private network and the public network. This way they can act as a go-between for all the computers located on the private network. This applies especially to IP proxy servers but might also include HTTP proxy servers.

Question 33

A coworker has installed an SMTP server on the company firewall. What security principle does this violate?

A. Chain of custody

B. Use of a device as it was intended

C. Man trap

D. Use of multifunction network devices

Answer 33

B. SMTP servers should not be installed on a company firewall. This is not the intention of a firewall device. The SMTP server should most likely be installed within a DMZ.

Question 34

You are working on a server and are busy implementing a network intrusion detection system on the network. You need to monitor the network traffic from the server. What mode should you configure the network adapter to work in?

A. Half-duplex mode

B. Full-duplex mode

C. Auto-configuration mode

D. Promiscuous mode

Answer 34

D. To monitor the implementation of NIDS on the network, you should configure the network adapter to work in promiscuous mode; this forces the network adapter to pass all the traffic it receives to the processor, not just the frames that were addressed to that particular network adapter. The other three answers have to do with duplexing—whether the network adapter can send and receive simultaneously.

Question 35

Which of the following displays a single public IP address to the Internet while hiding a group of internal private IP addresses?

A. HTTP proxy

B. Protocol analyzer

C. IP proxy

D. SMTP proxy

E. PAC

Answer 35

C. An IP proxy displays a single public IP address to the Internet while hiding a group of internal private IP addresses. It sends data back and forth between the IP addresses by using network address translation (NAT). This functionality is usually built into SOHO routers and is one of the main functions of those routers. HTTP proxies store commonly accessed Internet information. Protocol analyzers enable the capture and viewing of network data. SMTP proxies act as a go-between for e-mail. PAC stands for proxy auto-config, a file built into web browsers that allows the browser to automatically connect to a proxy server.

Question 36

If your ISP blocks objectionable material, what device would you guess has been implemented?

A. Proxy server

B. Firewall

C. Internet content filter

D. NIDS

Answer 36

C. An Internet content filter, usually implemented as content-control software, can block objectionable material before it ever gets to the user. This is common in schools, government agencies, and many companies.

Question 37

Of the following, which is a collection of servers that was set up to attract attackers?

A. DMZ

B. Honeypot

C. Honeynet

D. VLAN

Answer 37

C. A honeynet is a collection of servers set up to attract attackers. A honeypot is usually one computer or one server that has the same purpose. A DMZ is the demilitarized zone that is in between the LAN and the Internet. A VLAN is a virtual LAN.

Question 38

Which of the following will detect malicious packets and discard them?

A. Proxy server

B. NIDS

C. NIPS

D. PAT

Answer 38

C. A NIPS, or network intrusion prevention system, detects and discards malicious packets. A NIDS only detects them and alerts the administrator. A proxy server acts as a go-between for clients sending data to systems on the Internet. PAT is port-based address translation.

Question 39

Which of the following will an Internet filtering appliance analyze? (Select the three best answers.)

A. Content

B. Certificates

C. Certificate revocation lists

D. URLs

Answer 39

A, B, and D. Internet filtering appliances will analyze content, certificates, and URLs. However, certificate revocation lists will most likely not be analyzed. Remember that CRLs are published only periodically.

Question 40

Which of the following devices would detect but not react to suspicious behavior on the network? (Select the most accurate answer.)

A. NIPS

B. Firewall

C. NIDS

D. HIDS

E. UTM

Answer 40

C. A NIDS, or network intrusion detection system, will detect suspicious behavior but most likely will not react to it. To prevent it and react to it, you would want a NIPS. Firewalls block certain types of traffic but by default do not check for suspicious behavior. HIDS is the host-based version of an IDS; it checks only the local computer, not the network. A UTM is an all-inclusive security product that will probably include an IDS or IPS—but you don’t know which, so you can’t assume that a UTM will function in the same manner as a NIDS.

Question 41

One of the programmers in your organization complains that he can no longer transfer files to the FTP server. You check the network firewall and see that the proper FTP ports are open. What should you check next?

A. ACLs

B. NIDS

C. AV definitions

D. FTP permissions

Answer 41

A. Access control lists can stop specific network traffic (such as FTP transfers) even if the appropriate ports are open. A NIDS will detect traffic and report on it but not prevent it. Antivirus definitions have no bearing on this scenario. If the programmer was able to connect to the FTP server, the password should not be an issue. FTP permissions might be an issue, but since you are working in the firewall, you should check the ACL first; then later you can check on the FTP permissions, passwords, and so on.

Question 42

Which of the following is likely to be the last rule contained within the ACLs of a firewall?

A. Time of day restrictions

B. Explicit allow

C. IP allow any

D. Implicit deny

Answer 42

D. Implicit deny (block all) is often the last rule in a firewall; it is added automatically by the firewall, not by the user. Any rules that allow traffic will be before the implicit deny/block all on the list. Time of day restrictions will probably be stored elsewhere but otherwise would be before the implicit deny as well.

Question 43

Which of the following best describes an IPS?

A. A system that identifies attacks

B. A system that stops attacks in progress

C. A system that is designed to attract and trap attackers

D. A system that logs attacks for later analysis

Answer 43

B. An IPS (intrusion prevention system) is a system that prevents or stops attacks in progress. A system that only identifies attacks would be an IDS. A system designed to attract and trap attackers would be a honeypot. A system that logs attacks would also be an IDS or one of several other devices or servers.

Question 44

What is a device doing when it actively monitors data streams for malicious code?

A. Content inspection

B. URL filtering

C. Load balancing

D. NAT

Answer 44

A. A device that is actively monitoring data streams for malicious code is inspecting the content. URL filtering is the inspection of the URL only (for example, https://www.comptia.org). Load balancing is the act of dividing up workload between multiple computers; we’ll discuss that more in Chapter 16, “Redundancy and Disaster Recovery.” NAT is network address translation, which is often accomplished by a firewall or IP proxy.

Question 45

Allowing or denying traffic based on ports, protocols, addresses, or direction of data is an example of what?

A. Port security

B. Content inspection

C. Firewall rules

D. Honeynet

Answer 45

C. Firewall rules (ACLs) are generated to allow or deny traffic. They can be based on ports, protocols, IP addresses, or which way the data is headed. Port security deals more with switches and the restriction of MAC addresses that are allowed to access particular physical ports. Content inspection is the filtering of web content, checking for inappropriate or malicious material. A honeynet is a group of computers or other systems designed to attract and trap an attacker.

Question 46

Which of the following should a security administrator implement to limit web-based traffic that is based on the country of origin? (Select the three best answers.)

A. AV software

B. Proxy server

C. Spam filter

D. Load balancer

E. Firewall

F. URL filter

Answer 46

B, E, and F. The security administrator should implement a proxy server, a firewall, and/or a URL filter. These can all act as tools to reduce or limit the amount of traffic based on a specific country. AV software checks for, and quarantines, malware. Spam filters will reduce the amount of spam that an e-mail address or entire e-mail server receives. A load balancer spreads out the network load to various switches, routers, and servers. A NIDS is used to detect anomalies in network traffic.

Question 47

You have implemented a technology that enables you to review logs from computers located on the Internet. The information gathered is used to find out about new malware attacks. What have you implemented?

A. Honeynet

B. Protocol analyzer

C. Firewall

D. Proxy

Answer 47

A. A honeynet has been employed. This is a group of computers on the Internet, or on a DMZ (and sometimes on the LAN), that is used to trap attackers and analyze their attack methods, whether they are network attacks or malware attempts. A protocol analyzer captures packets on a specific computer in order to analyze them but doesn’t capture logs per se. A firewall is used to block network attacks but not malware. A proxy is used to cache websites and act as a filter for clients.

Question 48

Which of the following is a layer 7 device used to prevent specific types of HTML tags from passing through to the client computer?

A. Router

B. Firewall

C. Content filter

D. NIDS

Answer 48

C. A content filter is an application layer (layer 7) device that is used to prevent undesired HTML tags, URLs, certificates, and so on, from passing through to the client computers. A router is used to connect IP networks. A firewall blocks network attacks. A NIDS is used to detect anomalous traffic.

Question 49

Your boss has asked you to implement a solution that will monitor users and limit their access to external websites. Which of the following is the best solution?

A. NIDS

B. Proxy server

C. Block all traffic on port 80

D. Honeypot

Answer 49

B. You should implement a proxy server. This can limit access to specific websites, and monitor who goes to which websites. Also, it can often filter various HTML and website content. A NIDS is used to report potentially unwanted data traffic that is found on the network. Blocking all traffic on port 80 is something you would accomplish at a firewall, but that would stop all users from accessing any websites that use inbound port 80 (the great majority of them!). A honeypot is a group of computers used to lure attackers in and trap them for later analysis.

Question 50

Which of the following firewall rules only denies DNS zone transfers?

A. deny IP any any

B. deny TCP any any port 53

C. deny UDP any any port 53

D. deny all dns packets

Answer 50

B. The firewall rule listed that only denies DNS zone transfers is deny TCP any any port 53. As mentioned in Chapter 7, “Networking Protocols and Threats,” DNS uses port 53, and DNS zone transfers specifically use TCP. This rule will apply to any computer’s IP address initiating zone transfers on the inbound and outbound sides. If you configured the rule for UDP, other desired DNS functionality would be lost. Denying IP in general would have additional unwanted results. When creating a firewall rule (or ACL), you need to be very specific so that you do not filter out desired traffic.