34. A sender in a transmission control protocol (TCP) network plans to transmit message packets of sizes 1,024, 2,048, 4,096, and 8,192 bytes to a receiver. The receiver’s granted window size is 16,384 bytes and the timeout size is set at 8,192 bytes. What should be the sender’s congestion window size to avoid network bursts or congestion problems?

a. 2,048 bytes

b. 4,096 bytes

c. 8,192 bytes

d. 16,384 bytes

34. b. As long as the congestion window size remains at 4,096 bytes, which is less than the timeout size, no bursts take place, regardless of the receiver’s granted window size. Network bursts can occur at a transmission of 8,192 bytes or higher because 8,192 bytes is the timeout limit. To be safe, the optimum size of the sender’s congestion window must be set at less than the receiver’s granted window size or the timeout size, whichever is smaller.

35. Which of the following network architectures is designed to provide data services using physical networks that are more reliable and offer greater bandwidth?

a. Integrated services digital network (ISDN)

b. Transmission control protocol/Internet Protocol (TCP/IP)

c. File transfer protocol (FTP)

d. The open system interconnection (OSI) protocol

35. a. Integrated services digital network (ISDN) was designed to provide both voice and a wide variety of data services, initially using the existing phone network. Broadband ISDN was designed to provide a more sophisticated set of services using reliable high-speed networks, such as optical fiber physical networks of higher bandwidth. Both the TCP/IP and OSI protocol suites are designed to provide communications between heterogeneous systems. These two platforms support applications such as file transfer, e-mail, and virtual terminal protocols. Interoperability between TCP/IP and OSI cannot be accomplished without building special software, or gateways, to translate between the protocols. However, these architectures were designed to provide data services using physical networks that were not always reliable and offered limited bandwidth.

36. Which of the following is the most important aspect of a remote access?

a. User authentication

b. Media authentication

c. Device authentication

d. Server authentication

36. d. Server authentication is the most important for remote access methods where a user is manually establishing the remote access connection, such as by typing a URL into a Web browser. A server is a host computer whose primary function is to provide one or more services for other hosts over a network. Hence, the server, especially if it is a central server, provides a major entry point into the network. If the authentication method to the server is weak, it can negatively affect the performance and security of the entire network and can become a single point of failure, resulting in major security risks. In terms of sequence of actions, server authentication comes first, user authentication comes next or at the same time as the server, and media (e.g., disk) and device (e.g., phone, PDA, or PC) authentication comes last. Although the other choices are important in their own way, they are not as important as server authentication in terms of potential security risks at the server.

37. Possible security threats inherent in a local-area network (LAN) environment include passive and active threats. Which of the following is a passive threat?

a. Denial of message service

b. Masquerading

c. Traffic analysis

d. Modification of message service

37. c. Passive threats do not alter any data in a system. They simply read information for the purpose of gaining some knowledge. Because there is no alteration of data and consequently no audit trail exists, passive threats are difficult to detect. Traffic analysis is an example of a passive threat. If an attacker can read the packet header, then the source and destination of the message are known, even when the message body is encrypted. Through traffic analysis, the attacker learns the total volume of traffic in the network and the amount of traffic entering and leaving selected nodes. Although encryption can limit the reading of header information and messages, traffic padding is also needed to counteract traffic analysis. Traffic padding requires generating a continuous stream of random data or cipher text and padding the communication link so that the attacker finds it difficult to differentiate the useful data from the useless, padded data.

The other three choices are incorrect because they are examples of active threats. Active threats generate or alter data or control signals rather than simply reading the contents of those signals. A denial of message service results when an attacker destroys or delays most or all messages. Masquerading is an attempt to gain access to a computer system by posing as an authorized client or host: an attacker poses as an authentic host, switch, router, or similar device to communicate with a peer in order to acquire data or services. Modification of message service occurs when an attacker modifies, deletes, delays, or reorders existing real messages, or adds fake messages.

38. In which of the following remote access methods is a pinholing scheme used to facilitate the network address translation (NAT) contact to occur with internal workstations?

a. Tunneling

b. Application portals

c. Remote desktop access

d. Direct application access

38. c. There are two major styles of remote desktop access: (i) direct between the telework client device (e.g., a consumer device such as a smartphone, PDA, or PC used for performing telework) and the internal workstation, and (ii) indirect through a trusted intermediate system. However, direct access is often not possible because it is prevented by many firewalls. For example, if the internal workstation is behind a firewall performing network address translation (NAT), the telework client device cannot initiate contact with the internal workstation unless either the NAT enables such contact or the internal workstation initiates communications with the external telework client device (e.g., periodically checking with the client device to see if it wants to connect). A “pinholing” scheme can be used to facilitate the contact through the NAT by allocating particular ports to each internal workstation. The other three choices do not deal with NAT.

Tunneling, which uses an IPsec, SSL, or SSH tunnel with thick remote access client software, provides more control over the remote access environment. On the other hand, application portals, remote desktop access, and direct application access use thin remote access client software, providing less control over the remote access environment. Because the remote desktop access method is less secure, it should be used only in exceptional cases after a careful analysis of the security risk.

39. When constructing the communications infrastructure for moving data over a wide-area network, the major implementation choices involve decisions about all the following except which of the following?