148. Which of the following is the long-term solution as a core cryptographic algorithm for the wireless local-area network (WLAN) using the IEEE 802.11i standard to ensure a robust security network (RSN)?
a. Wired equivalent privacy (WEP)
b. Temporal key integrity protocol (TKIP)
c. Counter mode with cipher block chaining message authentication code protocol (CCMP)
d. Wi-Fi protected access 2 (WPA2)
148. c. The counter mode with cipher block chaining message authentication code protocol (CCMP) is considered the long-term solution for IEEE 802.11 WLANs because it requires hardware updates and replaces pre-RSN equipment. Of the four choices, only CCMP uses the advanced encryption standard (AES) as the core cryptographic algorithm. For legacy IEEE 802.11 equipment that does not provide CCMP, an IPsec VPN can be used as auxiliary security protection. WEP, the original data confidentiality and integrity protocol, has several security problems. Later, WPA2 was designed as the interim solution, an upgrade to existing WEP-enabled equipment that provides a higher level of security, primarily through the use of TKIP and a message integrity code (MIC). TKIP is intended as an interim solution along with WEP and WPA2; it can be implemented through software updates and does not require hardware replacement of access points and stations.
149. Which of the following provides stronger security in managing access point (AP) configuration in a legacy wireless local-area network (WLAN) environment?
a. Simple network management protocol (SNMP)
b. SNMP version 1
c. SNMP version 2
d. SNMP version 3
149. d. Simple network management protocol (SNMP) version 3 provides strong security feature enhancements to basic SNMP, including encryption and message authentication, and therefore should be used.
The earlier versions, SNMPv1 and SNMPv2, should not be used because they are fundamentally insecure: they support only trivial authentication based on default plaintext community strings. The default community string that SNMPv1 and SNMPv2 agents commonly use is the word “public”, assigned “read” or “read and write” privileges; leaving this string in place leaves devices vulnerable to attack. If an unauthorized user gained access with read/write privileges, that user could write data to the AP and compromise its original configuration. Organizations using SNMPv1 or SNMPv2 should change the community string as often as needed, bearing in mind that the string is transmitted in plaintext. For all versions of SNMP, privileges should be set to the least required (e.g., read only).
150. Which of the following cannot defend the enclave boundary?
a. Firewalls
b. Switches and routers
c. Virtual private networks
d. Software/hardware guards
150. b. Switches and routers defend the networks and their infrastructures, such as LANs, campus area networks (CANs), MANs, and WANs. The other three choices defend the enclave boundary, which defines a clear separation between the inside and outside of a network: the local computing environment (LAN) is inside the enclave, and connections to external networks and remote users (e.g., dial-up access, ISP connection, and dedicated line) are outside the enclave. Boundary protection is provided by software/hardware guards, firewalls, and other devices that control access into the local computing environment (LAN). Remote access protection is provided by a communications server, encryption, VPN, and other means.
A single enclave may span a number of geographically separate locations with connectivity via commercially purchased point-to-point communications (e.g., T-1, T-3, and ISDN) along with WAN connectivity such as the Internet. An enclave is a collection of information systems connected by one or more internal networks under the control of a single organization and security policy. These systems may be structured by physical proximity or by function, independent of location. An enclave boundary is a point at which an enclave’s internal network service layer connects to an external network’s service layer (i.e., to another enclave or to a wide-area network).
151. Which of the following virtual private network (VPN) architectures often replaces costly private wide-area network (WAN) circuits?
a. Gateway-to-gateway
b. Host-to-gateway
c. Contractor-to-company
d. Host-to-host
151. a. The gateway-to-gateway virtual private network (VPN) architecture often replaces more costly private wide-area network (WAN) circuits.
The host-to-gateway VPN architecture often replaces dial-up modem pools, is somewhat complex to implement and maintain for user and host management, and is most often used to provide secure remote access.
The contractor-to-company architecture is an exclusive connection between the VPN client and the VPN network device; all other connectivity is blocked after the establishment of the VPN session, so there is no chance of IP packets being forwarded between the Internet and the company’s private network.
The host-to-host VPN architecture is most often used when a small number of trusted users need to use or administer a remote system that requires the use of insecure protocols (e.g., a legacy system), that requires a secure remote access solution, and that can be updated to provide VPN services. System administrators performing remote management of a single server can use the host-to-host VPN architecture. The host-to-host VPN architecture is resource-intensive to implement and maintain for user and host management.
152. Which of the following provides stronger security in administering the network devices, such as routers or switches?
a. Simple network management protocol (SNMP)
b. SNMP version 1
c. SNMP version 2
d. SNMP version 3
152. d. Simple network management protocol (SNMP) version 3 provides security feature enhancements to basic SNMP, including encryption and message authentication. SNMP, SNMP version 1, and SNMP version 2 rely on default clear-text community strings (e.g., public and private) across the network without cryptographic protection. Therefore, SNMP, SNMP version 1, and SNMP version 2 should not be used to configure network devices over untrusted networks. The default community strings should be removed before real community strings are put into place. If both of these string types are present on the device at any time, an attacker could retrieve real community strings from the device using the default community strings. Hence, SNMP version 3 provides stronger security than the other three choices for administering the network devices such as routers or switches.
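The two SNMP answers above (149 and 152) boil down to three checks an auditor can run against a device configuration: any v1/v2c community string is plaintext authentication, default strings (“public”, “private”) must be gone before real ones are deployed, and privileges should be the least required. The following script is an added example, not part of the original text; it assumes IOS-style `snmp-server` statement syntax, and the configuration lines it audits are constructed for illustration.

```python
import re

# Constructed sample of IOS-style SNMP configuration lines; not taken from any
# real device. "<redacted>" stands in for credentials that would never be
# stored in an audit script.
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server community s3cr3t-ops RW 10
snmp-server group NETMGMT v3 priv
snmp-server user nms-poller NETMGMT v3 auth sha <redacted> priv aes 128 <redacted>
snmp-server group LEGACY v3 noauth
"""

# Community strings that SNMPv1/v2c agents commonly ship with.
DEFAULT_COMMUNITIES = {"public", "private"}

# Only the two statement shapes this audit reasons about are parsed.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: \S+)?$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)$")


def audit_snmp_config(config):
    """Return a list of (severity, message) findings for one device config."""
    findings = []
    default_seen = False
    real_seen = False
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, access = m.groups()
            # Any community string means SNMPv1/v2c: the string crosses the
            # network in plaintext and is the only authentication there is.
            findings.append(("medium",
                f"community '{community}' authenticates v1/v2c requests in "
                f"plaintext; move polling to SNMPv3 auth+priv"))
            if community.lower() in DEFAULT_COMMUNITIES:
                default_seen = True
                findings.append(("high",
                    f"default community string '{community}' is active"))
            else:
                real_seen = True
            if access == "RW":
                # Write access lets a reader rewrite the device configuration;
                # least privilege for monitoring is read-only.
                findings.append(("high",
                    f"community '{community}' grants write (RW) access; "
                    f"use RO unless writes are required"))
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level = m.groups()
            if level != "priv":
                # v3 without the priv level authenticates but does not encrypt.
                findings.append(("high" if level == "noauth" else "medium",
                    f"SNMPv3 group '{group}' uses '{level}'; only 'priv' "
                    f"encrypts the management traffic"))
    if default_seen and real_seen:
        # Leaving a default string beside a real one lets anyone who knows the
        # default read the real strings back out of the device.
        findings.append(("high",
            "default and real community strings coexist; remove the defaults "
            "before the real strings are deployed"))
    return findings


def count_by_severity(findings):
    """Tally findings by severity for a one-line summary per device."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{severity.upper():6}] {message}")
    print(count_by_severity(audit_snmp_config(SAMPLE_CONFIG)))
```

Run against the sample, the audit reports the default “public” string, the read/write community, the coexistence of default and real strings, and the v3 group that skips encryption; the `NETMGMT` group configured with `priv` produces no finding, which is the end state the two answers point to.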
153. Which of the following models is used for formally specifying and verifying protocols?
a. Protocol converter
b. Protocol tunneling
c. Petri net model
d. Seeding model
153. c. The Petri net model is used for formally specifying and verifying protocols. Petri nets are a graphical technique used to model the relevant aspects of system behavior and to assess and improve safety and operational requirements through analysis and redesign.
The other three choices do not deal with formally specifying and verifying protocols. A protocol converter is a device that changes one type of coded data to another type of coded data for computer processing. Protocol tunneling is a method to ensure confidentiality and integrity of data transmitted over the Internet. A seeding model is used to indicate software reliability in terms of error detection power of a set of test cases.
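To make the verification side of the answer concrete, the following is an added example, not part of the original text: a minimal Petri net engine that enumerates every reachable marking and checks a safety invariant and deadlock freedom. The protocol it models is hypothetical (two stations, A and B, that must hold a single channel token while sending); the place and transition names are the example's own.

```python
from collections import deque

# A Petri net here is: a marking (dict place -> token count) plus a list of
# transitions (name, inputs, outputs), where inputs/outputs map places to the
# number of tokens consumed/produced when the transition fires.


def enabled(marking, transition):
    """A transition is enabled when every input place holds enough tokens."""
    _, inputs, _ = transition
    return all(marking.get(place, 0) >= need for place, need in inputs.items())


def fire(marking, transition):
    """Return the marking produced by firing one enabled transition."""
    _, inputs, outputs = transition
    nxt = dict(marking)
    for place, need in inputs.items():
        nxt[place] -= need
    for place, made in outputs.items():
        nxt[place] = nxt.get(place, 0) + made
    return nxt


def freeze(marking):
    """Hashable, canonical form of a marking (empty places dropped)."""
    return tuple(sorted((p, n) for p, n in marking.items() if n))


def reachability(initial, transitions, limit=10_000):
    """Breadth-first enumeration of every marking reachable from `initial`.

    Returns (set of frozen markings, list of deadlocked markings). A deadlock
    is a reachable marking in which no transition is enabled. `limit` guards
    against an unbounded net producing an infinite state space.
    """
    start = freeze(initial)
    seen, queue, deadlocks = {start}, deque([start]), []
    while queue:
        frozen = queue.popleft()
        marking = dict(frozen)
        fired_any = False
        for t in transitions:
            if not enabled(marking, t):
                continue
            fired_any = True
            nxt = freeze(fire(marking, t))
            if nxt not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("state space exceeds limit; net may be unbounded")
                seen.add(nxt)
                queue.append(nxt)
        if not fired_any:
            deadlocks.append(frozen)
    return seen, deadlocks


def verify(initial, transitions, invariant):
    """Check a safety invariant on every reachable marking and report deadlocks."""
    states, deadlocks = reachability(initial, transitions)
    violations = [s for s in states if not invariant(dict(s))]
    return {"states": len(states), "deadlocks": deadlocks, "violations": violations}


# --- Hypothetical protocol: two stations share one channel -------------------
# Each station cycles idle -> waiting -> sending -> idle and must hold the
# single channel token while sending.

def station(name):
    return [
        (f"{name}_request", {f"{name}_idle": 1}, {f"{name}_waiting": 1}),
        (f"{name}_acquire", {f"{name}_waiting": 1, "channel_free": 1},
         {f"{name}_sending": 1}),
        (f"{name}_release", {f"{name}_sending": 1},
         {f"{name}_idle": 1, "channel_free": 1}),
    ]


INITIAL = {"A_idle": 1, "B_idle": 1, "channel_free": 1}
CORRECT_NET = station("A") + station("B")
# Faulty variant: station B never releases the channel (release transition dropped).
FAULTY_NET = station("A") + station("B")[:2]
# Misconfigured variant: two channel tokens, so both stations can send at once.
TWO_TOKENS = {"A_idle": 1, "B_idle": 1, "channel_free": 2}


def mutual_exclusion(m):
    """Safety property: at most one station is sending at any time."""
    return m.get("A_sending", 0) + m.get("B_sending", 0) <= 1


if __name__ == "__main__":
    print("correct:   ", verify(INITIAL, CORRECT_NET, mutual_exclusion))
    print("faulty:    ", verify(INITIAL, FAULTY_NET, mutual_exclusion))
    print("two tokens:", verify(TWO_TOKENS, CORRECT_NET, mutual_exclusion))
```

The correct net has eight reachable markings, satisfies mutual exclusion everywhere, and never deadlocks. Dropping B's release transition leaves the invariant intact but exposes a deadlock (A waiting, B sending, channel never freed), while starting with two channel tokens keeps the net live but reaches a marking where both stations send at once. This exhaustive walk of the reachability graph is the "analysis" the answer refers to; bounded nets make it terminate, which is why the engine caps the state count.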