Chapter 6 Quiz

10 September 2022
55 test answers

question
Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users.
answer
False
question
Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager.
answer
False
question
Authentication is the process of validating and verifying an unauthenticated entity's purported identity.
answer
True
question
Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels.
answer
False
question
Firewalls can be categorized by processing mode, development era, or structure.
answer
True
question
A firewall cannot be deployed as a separate network containing a number of supporting devices.
answer
False
question
Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall's database or violations of those rules.
answer
True
question
The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers.
answer
False
question
The application layer proxy firewall is capable of functioning both as a firewall and an application layer proxy server.
answer
True
question
Using an application firewall means the associated Web server must be exposed to a higher level of risk by placing it in the DMZ.
answer
False
question
The DMZ can be a dedicated port on the firewall device linking a single bastion host.
answer
True
question
The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network.
answer
False
question
Good policy and practice dictate that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules.
answer
True
question
Syntax errors in firewall policies are usually difficult to identify.
answer
False
question
When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.
answer
True
question
Good firewall rules include denying all data that is not verifiably authentic.
answer
True
question
Some firewalls can filter packets by protocol name.
answer
True
question
It is important that e-mail traffic reach your e-mail server and only your e-mail server.
answer
True
question
A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to external content from within a network.
answer
True
question
A content filter is essentially a set of scripts or programs that restricts user access to certain networking protocols and Internet locations.
answer
True
question
The RADIUS system decentralizes the responsibility for authenticating each user by validating the user's credentials on the NAS server.
answer
False
question
Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services.
answer
False
question
A VPN, used properly, allows use of the Internet as if it were a private network.
answer
True
question
Authentication is a mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system. _________________________
answer
False
question
The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device. _________________________
answer
True
question
One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels. _________________________
answer
False
question
In static filtering, configuration rules must be manually created, sequenced, and modified within the firewall. _________________________
answer
True
question
A routing table tracks the state and context of each packet in the conversation by recording which station sent what packet and when. _________________________
answer
False
question
The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table. _________________________
answer
True
question
The static packet filtering firewall can react to an emergent event and update or create rules to deal with that event. _________________________
answer
False
question
Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses to communicate with the Internet on a one-to-one basis. _________________________
answer
False
question
When a bastion host approach is used, the host contains two NICs, forcing all traffic to go through the device. _________________________
answer
False
question
Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. _________________________
answer
True
question
A(n) intranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public. _________________________
answer
False
question
When Web services are offered outside the firewall, SMTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. _________________________
answer
False
question
Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped. _________________________
answer
True
question
Best practices in firewall rule set configuration state that the firewall device never allows administrative access directly from the public network. _________________________
answer
True
question
Kerberos uses asymmetric key encryption to validate an individual user to various network resources. _________________________
answer
False
question
Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. _________________________
answer
True
question
The popular use for tunnel mode VPNs is the end-to-end transport of encrypted data. _________________________
answer
False
question
The restrictions most commonly implemented in packet-filtering firewalls are based on __________.
answer
All of the above
question
A __________ filtering firewall can react to an emergent event and update or create rules to deal with the event.
answer
dynamic
question
__________ inspection firewalls keep track of each network connection between internal and external systems.
answer
Stateful
question
The application layer proxy firewall is also known as a(n) __________.
answer
application firewall
question
The proxy server is often placed in an unsecured area of the network or is placed in the __________ zone.
answer
demilitarized
question
The __________ is an intermediate area between a trusted network and an untrusted network.
answer
DMZ
question
__________ firewalls are designed to operate at the media access control sublayer of the data link layer of the OSI network model.
answer
MAC layer
question
Because the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as the __________ host.
answer
sacrificial
question
The dominant architecture used to secure network access today is the __________ firewall.
answer
screened subnet
question
Known as the ping service, ICMP is a(n) __________ and should be ___________.
answer
common method for hacker reconnaissance, turned off to prevent snooping
question
In most common implementation models, the content filter has two components: __________.
answer
rating and filtering
question
Which of the following versions of TACACS is still in use?
answer
TACACS+
question
The service within Kerberos that generates and issues session keys is known as __________.
answer
KDC
question
Kerberos __________ provides tickets to clients who request services.
answer
TGS
question
The primary benefit of a VPN that uses _________ is that an intercepted packet reveals nothing about the true destination system.
answer
tunnel mode