Final Test

An IDPS consists of a single device that you install between your firewall and the Internet.

A weakness of a signature-based system is that it must keep state information on a possible attack.

No actual traffic passes through a passive sensor; it only monitors copies of the traffic. True False

An NIDPS can tell you whether an attack attempt on the host was successful.

A hybrid IDPS combines aspects of NIDPS and HIDPS configurations.

Which of the following is NOT a network defense function found in intrusion detection and prevention systems? a) prevention b) response c) identification d) detection

Which of the following is NOT a primary detection methodology? a. signature detection b. baseline detection c. anomaly detection d. stateful protocol analysis

The period of time during which an IDPS monitors network traffic to observe what constitutes normal network behavior is referred to as which of the following? a. training period b. baseline scanning c. profile monitoring d. traffic normalizing

What is an advantage of the anomaly detection method?

Which approach to stateful protocol analysis involves detection of the protocol in use, followed by activation of analyzers that can identify applications not using standard ports?

Which of the following is an advantage of a signature-based detection system?

Which method for detecting certain types of attacks uses an algorithm to detect suspicious traffic, is resource intensive, and requires extensive tuning and maintenance?

Which of the following is NOT a typical IDPS component?

Where is a host-based IDPS agent typically placed?

Which IDPS customization option is a list of entities known to be harmless?

Which of the following is considered a problem with a passive, signature-based system?

Which type of IDPS can have the problem of getting disparate systems to work in a coordinated fashion?

Which of the following is NOT a method used by passive sensors to monitor traffic?

Which of the following is a sensor type that uses bandwidth throttling and alters malicious content?

Which of the following is true about an HIDPS?

Which of the following is true about an NIDPS versus an HIDPS?

Which of the following is an IDPS security best practice?

If you see a /16 in the header of a snort rule, what does it mean?

Why might you want to allow extra time for setting up the database in an anomaly-based system?

Which of the following is true about the steps in setting up and using an IDPS?

Firewalls can protect against employees copying confidential data from within the network.

Software firewalls are usually more scalable than hardware firewalls.

Stateless packet filtering keeps a record of connections that a host computer has made with other computers.

Generally, connections to instant-messaging ports are harmless and should be allowed.

Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful.

The Cisco PIX line of products is best described as which of the following?

Which of the following is a typical drawback of a free firewall program?

Which of the following is an advantage of hardware firewalls?

Which of the following is NOT a criteria typically used by stateless packet filters to determine whether or not to block packets.

What type of attack are stateless packet filters particularly vulnerable to? a. attempts to connect to ports above 1023 b. attempts to connect to the firewall c. IP spoofing attacks d. attempts to connect to ports below 1023

What should a company concerned about protecting its data warehouses and employee privacy might consider installing on the network perimeter to prevent direct connections between the internal network and the Internet?

At what layer of the OSI model do proxy servers generally operate?

Which element of a rule base conceals internal names and IP addresses from users outside the network?

Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization's security policy? a. only authenticated traffic can access the internal network b. employees can use instant-messaging only with external network users c. the public can access the company Web servers d. employees can have restricted Internet access

What is a suggested maximum size of a rule base?

What is considered the 'cleanup rule' on a Cisco router?

Which of the following is described as the combination of an IP address and a port number?

Which of the following is a general practice for a rule base?

What service uses UDP port 53?

Which of the following is NOT an ICMPv6 packet type that you should allow within your organization but never outside the organization?

What type of DNS server is authoritative for a specific domain? a. initial b. read-only c. secondary d. primary

The first phase of the system development life cycle is needs assessment.

The people that manage security for the organization should not be same people that conduct risk analysis.

What type of attack involves plaintext scripting that affects databases?

A screened host has a router as part of the configuration.

Which of the following is NOT a method used by passive sensors to monitor traffic?

Firewalls can protect against employees copying confidential data from within the network.

What service uses UDP port 53?

What makes IP spoofing possible for computers on the Internet?

Which of the following is true about a screening router?

At what layer of the OSI model do proxy servers generally operate?

A dual-homed host has a single NIC with two MAC addresses.

A screened host has a router as part of the configuration.

Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny.

Proxy servers take action based only on IP header information.

The TCP normalization feature forwards abnormal packets to an administrator for further inspection.

Which of the following is true about a dual-homed host?

Which of the following best describes a DMZ?

What do you call a firewall that is connected to the Internet, the internal network, and the DMZ?

Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power.

In what type of attack are zombies usually put to use?

What should you consider installing if you want to inspect packets as they leave the network?

Which type of firewall configuration protects public servers by isolating them from the internal network?

Which type of security device can speed up Web page retrieval and shield hosts on the internal network?

Which network device works at the Application layer by reconstructing packets and forwarding them to Web servers?

Which of the following is a disadvantage of using a proxy server?

What is a critical step you should take on the OS you choose for a bastion host?

What is a step you can take to harden a bastion host?

What is the term used for a computer placed on the network perimeter that is meant to attract attackers?

Why is a bastion host the system most likely to be attacked?

Which of the following is true about private IP addresses?

Which type of NAT is typically used on devices in the DMZ?

Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address?