
102. c. Unlike PPTP and L2TP, L2F is intended for use between network devices, such as an ISP’s network access server and an organization’s VPN gateway. Like L2TP, L2F can use authentication protocols such as RADIUS and TACACS+. However, L2F does not support encryption.

103. The wireless local-area network (WLAN) using the IEEE 802.11i standard for a robust security network (RSN) does not support the protection of which of the following?

a. Stations and access points

b. Access points and authentication servers

c. Extensible authentication protocol and transport layer security

d. Stations and authentication servers

103. b. The WLAN IEEE 802.11 standard and its related standards explicitly state that protection of the communications between the access points and the authentication server is not provided. Therefore, it is important to ensure that communications between each access point and its corresponding authentication servers are protected sufficiently through cryptography. In addition, the authentication servers should be secured through operating system configuration, firewall rules, and other security controls. A data confidentiality and integrity protocol, such as the counter mode with cipher block chaining message authentication code protocol (CCMP), protects communications between stations and access points. The extensible authentication protocol (EAP) with transport layer security (TLS) is considered the most secure EAP method because it enables strong mutual cryptographic authentication of both stations and authentication servers using public key certificates.

104. Storing and hosting data on which of the following instant messaging (IM) architectures increases the risk of information theft, unauthorized access, and data tampering?

1. Private hosting

2. Public hosting

3. Client-to-client

4. Public-switched network

a. 1 and 2

b. 1 and 4

c. 2 and 3

d. 3 and 4

104. c. There are four possible architectural designs for IM systems: private hosting, public hosting, client-to-client, and public-switched network. The difference between the four architectures is the location of the session data.

In the private hosting design (i.e., client-to-server), the data is located behind a firewall for internal users, which is safe and secure.

In the public hosting design, the data is placed on public servers out on the Internet, where it is vulnerable to attacks.

Two types of client-to-client (peer-to-peer) designs exist, pure and hybrid; both should be prohibited because they bypass the security and auditing policies within the enclave.

Because the data in a public-switched network is not stored on a server, store and forward is not a security issue. However, data in transit is vulnerable to man-in-the-middle (MitM) attacks between the source and destination. The Internet has private global switched networks that deliver IM communications without persistently storing data on servers. In other words, the public-switched network is secure in terms of data storage on its servers. It is the data stored on public servers and in client-to-client designs that increases the risk of information theft, unauthorized access, and data tampering. To protect IM data, IM systems should implement a client-to-server architecture (i.e., private hosting).

105. For instant messaging (IM) systems, a virtual (remote) meeting moderator should configure which of the following properly to prevent potential exploits?

a. Grant access based on need-to-know principle.

b. Implement role-based access controls.

c. Use application sharing capability.

d. Require a password to attend the meeting.

105. c. Some instant messaging (IM) systems enable two or more online users to communicate immediately over a network using shared applications (virtual meetings), presentations, white boards, and text messaging. Virtual meetings must have user access controls and virtual data classifications, and must be restricted to authorized users only. Virtual users are granted access based on the need-to-know principle established by the information owner, enforced by role-based access controls, and are required to supply a password to participate in the meeting. Application sharing allows the virtual meeting participants to simultaneously run the same application, with the same capability as remote control software. To limit this application sharing capability and to prevent potential exploits, the meeting moderator should configure the application sharing feature properly, identifying which users are permitted to use it.

106. The extensible authentication protocol (EAP) method with tunneled transport layer security (EAP-TTLS) used in a robust security network (RSN) such as wireless local-area network (WLAN) using the IEEE 802.11i standard does not prevent which of the following?

a. Eavesdropping attack

b. Man-in-the-middle attack

c. Replay attack

d. Dictionary attack

106. b. The root certificate may not be delivered securely to every client, so EAP-TTLS does not provide strong assurance against man-in-the-middle (MitM) attacks. Because passwords sent to the Web server are encrypted, EAP-TTLS protects against eavesdropping attacks. The TLS tunnel protects the inner applications from replay attacks and dictionary attacks.

107. Which of the following classes of attacks focus on breaking security protection features?

a. Passive

b. Active

c. Close-in

d. Insider

107. b. With an active attack, an intruder modifies the intercepted messages. Breaking security protection features is an example of an active attack. With a passive attack, an intruder intercepts messages to view the data; this includes traffic and packet analysis to disclose personal information such as credit card numbers and medical files. A close-in attack is one where an unauthorized individual is in close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Insider attacks can be malicious or nonmalicious. Using information in a fraudulent manner is an example of a malicious insider attack.

108. In a legacy wireless local-area network (WLAN) environment using the IEEE 802.11 standard, which of the following provides a defense-in-depth strategy?

1. Wi-Fi protected access 2 (WPA2)

2. Wired equivalent privacy (WEP)

3. IPsec VPNs and SSL VPNs

4. Dedicated wired network or a VLAN

a. 1 only

b. 1 and 2

c. 3 only

d. 3 and 4

108. d. Neither WPA2 nor WEP provides a defense-in-depth strategy because both are weak in security. An alternative to WPA2 and WEP for achieving confidentiality and integrity protection is to use virtual private network (VPN) technologies such as Internet Protocol security (IPsec) VPNs and secure sockets layer (SSL) VPNs. Because VPNs do not eliminate all risk from wireless networking, it is good practice to place the WLAN traffic on a dedicated wired network or a virtual local-area network (VLAN) as an alternative to VPN technologies. A VLAN can also protect against denial-of-service (DoS) attacks. Therefore, IPsec VPNs, SSL VPNs, a dedicated wired network, or a VLAN provides a defense-in-depth strategy.