Net Def Final

Firewalls can protect against employees copying confidential data from within the network. True/False

Software firewalls are usually more scalable than hardware firewalls. True/False

Stateless packet filtering keeps a record of connections that a host computer has made with other computers. True/False

Generally, connections to instant-messaging ports are harmless and should be allowed. True/False

Since ICMP messages use authentication, man-in-the-middle attacks cannot be successful. True/False

A dual-homed host has a single NIC with two MAC addresses. True/False

A screened host has a router as part of the configuration. True/False

Reverse firewalls allow all incoming traffic except what the ACLs are configured to deny. True/False

Proxy servers take action based only on IP header information. True/False

The TCP normalization feature forwards abnormal packets to an administrator for further inspection. True/False

Another name for a VPN connection is tunnel. True/False

Hardware VPNs create a gateway-to-gateway VPN. True/False

Standards and protocols used in VPNs are in their infancy and seldom used. True/False

IPsec has become the standard set of protocols for VPN security. True/False

If you use Windows RRAS for your VPN, you will need a third-party RADIUS server if you want to use RADIUS for authentication. True/False

The term Internet and World Wide Web are different terms that mean the same thing. True/False

Computers on the Internet are identified primarily by their IP address. True/False

SQL injection attacks are isolated to custom applications, so administrators can prevent them. True/False

The objective of a phishing attack is to entice e-mail recipients to click a bogus link where personal information can be stolen. True/False

Windows Basic Authentication requires that users enter a username and password and the password is transmitted using a hashing algorithm. True/False

The Cisco PIX line of products is best described as which of the following? A. software firewall B. PC with firewall installed C. firewall appliance D. VPN gateway

Which of the following is an advantage of hardware firewalls? A. not scalable compared to software firewalls B. not dependent on a conventional OS C. less expensive than software firewalls D. easy to patch

Which of the following is NOT a criteria typically used by stateless packet filters to determine whether or not to block packets. A. IP address B. ports C. data patterns D. TCP flags

What should a company concerned about protecting its data warehouses and employee privacy might consider installing on the network perimeter to prevent direct connections between the internal network and the Internet? A. router B. filtering C. ICMP monitor D. proxy server

Which element of a rule base conceals internal names and IP addresses from users outside the network? A. tracking B. filtering C. NAT D. QoS

Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization's security policy? A. only authenticated traffic can access the internal network B. employees can use instant-messaging only with external network users C. the public can access the company Web servers D. employees can have restricted internet access

What is a suggested maximum size of a rule base? A. 30 rules B. 300 rules C. 10 rules D. 100 rules

Which two ports should packet-filtering rules address when establishing rules for Web access? A. 143, 80 B. 25, 110 C. 80, 443 D. 423, 88

What service uses UDP port 53? A. SMTP B. DNS C. ICMP D. TFTP

What are the to standard ports used by FTP along with their function? A. UDP 23 control, TCP 20 data B. UDP 20 data, TCP 21 control C. TCP 21 control, TCP 20 data D. TCP 23 data, TCP 21 control

Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted? A. Teredo tunneling B. ICMPv6 encapsulation C. IPsec tunneling D. SMTP/S tunneling

Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server's current load and processing power. A. server pooling software B. traffic distribution filter C. priority server farm D. load-balancing software

In what type of attack are zombies usually put to use? A. buffer overrun B. virus C. DDoS D. spoofing

What should you consider installing if you want to inspect packets as they leave the network? A. security workstation B. RIP router C. filtering proxy D. reverse firewall

Which type of firewall configuration protects public servers by isolating them from the internal network? A. screened subnet DMZ B. dual-homed host C. screening router D. reverse firewall

Which type of security device can speed up Web page retrieval and shield hosts on the internal network? A. caching firewall B. proxy server C. caching-only DNS server D. DMZ intermediary

Which of the following is a disadvantage of using a proxy server? A. shields internal host IP addresses B. slows Web page access C. may require client configuration D. can't filter based on packet content

Which of the following best describes a bastion host? A. a host with two or more network interfaces B. a computer on the perimeter network that is highly protected C. a computer running a standard OS that also has a proxy software installed D. a computer running only embedded firmware

Which of the following is true about private IP addresses? A. they are assigned by the IANA B. they are not routable on the Internet C. they are targeted by attackers D. NAT was designed to conserve them

Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address? A. one-to-one NAT B. port address translation C. one-to-many NAT D. DMZ proxy translation

Which of the following is NOT an essential element of a VPN? A. VPN server B. tunnel C. VPN client D. authentication server

Which of the following is NOT true about a hardware VPN? A. should be the first choice for fast-growing networks B. can handle more traffic than software VPNs C. have more security vulnerabilities than software VPNs D. create a gateway-to-gateway VPN

Which activity performed by VPNs encloses a packet within another packet? A. address translation B. encryption C. authentication D. encapsulation

Which VPN protocol leverages Web-based applications? A. PPTP B. L2TP C. SSL D. IPsec

Which VPN protocol uses UDP port 1701 and does not provide confidentiality and authentication? A. IPsec B. L2TP C. PPTP D. SSL

Which VPN protocol works at Layer 3 and can encrypt the entire TCP/IP packet? A. PPTP B. L2TP C. IPsec D. SSL

Which IPsec component is software that handles the taks of encrypting, authenticating, decrypting and checking packets? A. ISAKMP B. IKE C. IPsec driver D. Oakley protocol

Which of the following is an improvement of TLS over SSL? A. requires less processing power B. uses a single hashing algorithm for all the data C. uses only asymmetric encryption D. adds a hashed message authentication code

What was created to address the problem of remote clients not meeting an organization's VPN security standards? A. split tunneling B. VPN quarantine C. IPsec filters D. GRE isolation

Which of the following is true about the Internet? A. it is the same as the World Wide Web B. it was established in the mid-1960s C. it was developed by a network of banks and businesses D. it was originally built on an extended star topology

Which of the following is a highly secure public facility in which backbones have interconnected data lines and routers that exchange routing and traffic data? A. ISP B. POP C. NAP D. NSF

What feature of the 13 DNS root servers enables any group of servers to act as a root server? A. multicast addressing B. broadcast addressing C. anycast addressing D. unicast addressing

What type of attack involves plaintext scripting that affects databases? A. phishing B. ActiveX control C. Java applet D. SQL injection

What type of attack displays false information masquerading as legitimate data? A. Java applet B. phishing C. buffer overflow D. SQL injection

Which of the following is NOT a step you should take to prevent attackers from exploiting SQL security holes? A. limit table access B. use stored procedures C. use standard naming conventions D. place the database server in a DMZ

Which variation on phishing modifies the user's host file to redirect traffic? A. spear phishing B. pharming C. DNS phishing D. hijacking

What type of DNS server is authoratative for a specific domain? A. primary B. secondary C. read-only D. initial

What is a zone transfer? A. the movement of e-mail from one domain to another B. updating a secondary DNS server C. backing up an SQL data file D. coping host file data to another system

What type of DNS configuration prevents internal zone information from being stored on an Internet-accessible server? A. read-only zone B. anti-phishing DNS C. caching DNS zone D. split-DNS architecture

Which of the following is NOT a recommended security setting for Apache Web servers? A. harden the underlying OS B. create Web groups C. use the default standard Web page error messages D. disable HTTP traces

A firewall can consist of all devices postioned on the network __________.

ACLs filter packets by using a _____________ base to determine whether to allow a packet to pass.

The ACK flag is normally sent at the end of the three-way ___________ to indicate that a connection is established.

A primary objective of a rule base is to _______________ communications based on complex rules.

The rule base should permit access to public servers in the ____________ and enable users to access the Internet.

A __________ router determines whether to allow or deny packets based on their source and destination IP addresses.

In a screened ____________ setup, a router is added between the host and the Internet to carry out IP packet filtering.

A DMZ is a subnet of ____________ accessible servers placed outside the internal network.

You can _________ a bastion host by removing unnecessary accounts and services.

Network gateways are _____________ of the VPN connection.

The Internet Key ____________ protocol enables computers to make an SA.

TLS splits the input data in half and recombines it using a(n) ___________ function.

The internet tier system starts with a backbone network connected via _____________ to regional Internet service providers.

_____________ direct network traffic to its destionation on the Internet using tables and protocols.

The lack of authentication for computers on the Internet make IP _____________ possible, which is change in the IP addresses in the headers of malicious packets.

DNS _____________ poisoning streers unsuspecting victims to a server of the attacker's choice instead of the intended Web site.

_________ are networks of zombie computers that magnify the scope and intensity of an attack.

A critical buffer component is the function __________ and buffer overflows are usually aimed at this component.

A _____________ applet is a small program sometimes used as embedded code in Web pages.

The goal of ____________ is to provide authentication of DNS data and ensure integrity of DNS data.

software that forwards network packets and caches Web pages to speed up network performance

the end point of a computer-to-computer connection defined by an IP address and port address

a packet-filtering rule that comes last in a rule base and covers any packets that have not been covered by preceding rules

hardware devices with firewall functionality

simple filters that determine whether to allow or block packets based on information in protocol headers

the collection of rules that filter traffic at an interface of a firewall

a process that uses the source and destination TCP and UDP port addresses to map traffic between internal and external hosts

the process of mapping one internal IP address to one external IP address

a computer configured with more than one network interface

a host in which one interface is connected to an internal network and the other interface is connected to a router to an untrusted network

software that prioritizes and schedules requests and then distributes them to servers in a server clusted based on each server's current load and processing power

a router placed between an untrusted network and an internal network

a form of key exchange used to encrypt and decrypt data as it passes though a VPN tunnel

an IETF standard for secure authentication of requests for resource access

an IPsec protocol that encrypts the header and data components of TCP/IP packets

a protocol developed by Netscape Communications Corporation as a way of enabling Web servers and browsers to exchange encrypted information

a set of standard procedures that the IETF developed for enabling secure communication on the Internet

a nonproprietary tunneling protocol that can encapsulate a variety of Network layer protocols

a network addressing scheme that allows DNS services to be decentralized among a group of servers, regardless of their location

a network architecture that uses a single DNS domain with a DNS server on the organization's DNZ for Internet services and a DNS server on the internal network for service to internal hosts