170. Which of the following makes the transport layer security (TLS) proxy server architecture fully compatible with network address translation (NAT)?
a. HTTPS
b. PGP
c. GPG
d. SSH
170. a. The transport layer security (TLS) proxy server provides transport layer VPN services. The use of HTTPS makes the proxy server architecture fully compatible with NAT. HTTPS usage is permitted by firewall rulesets. The other three choices are incorrect because PGP, GPG, and SSH are application layer VPN protocols. Pretty good privacy (PGP) provides security for e-mail encryption, disk encryption, and digital signatures for home and office use. GNU privacy guard (GPG) is software for safe and encrypted e-mail communication and is a free software alternative to PGP.
171. Which one of the following items replaces the other three items?
a. telnet
b. SSH
c. rcp and rsh
d. FTP
171. b. A commonly used application layer protocol suite is secure shell (SSH), which contains secure replacements for several unencrypted application protocols, including telnet, rcp, rsh, and FTP. SSH tunnel-based VPNs are resource-intensive to set up and are most commonly used by small groups of IT administrators.
172. Which of the following cannot protect non-IP protocols?
a. IPsec
b. PPTP
c. L2TP
d. L2F
172. a. The Internet Protocol security (IPsec) can protect only IP-based communications and protocols, which is one of its weaknesses. The other three choices are incorrect because PPTP, L2TP, and L2F can protect non-IP protocols. Point-to-point tunneling protocol (PPTP) hides information in IP packets. Layer 2 tunneling protocol (L2TP) protects communications between an L2TP-enabled client and a server. Layer 2 forwarding (L2F) protocol protects communications between two network devices, such as an ISP network access server and VPN gateways.
173. Internet Protocol security (IPsec) protocols use which of the following modes?
a. Main mode and aggressive mode
b. Quick mode and informational mode
c. State mode and user mode
d. Transport mode and tunnel mode
173. d. The Internet Key Exchange (IKE) of the IPsec protocol consists of two phases: Phase 1 exchange includes main mode and aggressive mode. Phase 2 exchange includes quick mode and information exchange mode. If Authentication Header (AH) or Encapsulating Security Payload (ESP) is added to an IP packet following the existing IP header, it is referred to as transport mode. Tunnel mode requires inserting an additional IP header into the packet but offers increased inflexibility. State mode and user mode are not relevant here.
174. From a security configuration viewpoint, what is a managed or enterprise operational IT environment referred to as?
a. Inward-facing
b. Inward-dialing
c. Outward-facing
d. Outward-dialing
174. a. The managed environment is an inward-facing environment typically structured and centrally managed. When a system connects on the interior of a network behind a firewall, it is called inward facing. When a high-risk system or network directly connects to the Internet, it is called outward facing (e.g., public Web server, e-mail server, and DNS server). Inward dialing is incorrect because it refers to calling into a system and is not a meaningful term here. Outward dialing is incorrect because it refers to calling from a system and is not a meaningful term here.
175. What is a client/server application that requires nothing more than a browser and runs on only a user’s computer called?
a. Thick client
b. Thin client
c. Internet client
d. Web server
175. b. A thin client is a software application that requires nothing more than a browser and can be run only on the user’s computer (e.g., Microsoft Word). A thick client is a software application that requires programs other than just the browser on a user’s computer; that is, it requires code on both client and server computers (e.g., Microsoft Outlook).
The terms “thin” and “thick” refer to the amount of code that must be run on the client computer. Thin clients are generally more secure than thick clients in the way encryption keys are handled. The Internet client and Web server are incorrect because they are not needed for the thin client to work but are needed for the thick client to work.
176. Ethernet is a part of which of the following TCP/IP layers?
a. Application layer
b. Transport layer
c. Network layer
d. Data link layer
176. d. Ethernet is a part of the data link layer, along with address resolution protocol (ARP), network interface card (NIC), and media/medium access control (MAC). The data link layer handles communications on the physical network components.
The application layer is incorrect because it sends and receives data for particular applications. The transport layer is incorrect because it provides connection-oriented or connectionless services for transporting application layer services between networks. The network layer is incorrect because it routes packets across networks.
177. Most electronic commerce server applications use which of the following?
a. One-tier architecture
b. Two-tier architecture
c. Three-tier architecture
d. Four-tier architecture
177. c. Most electronic commerce applications use the three-tier architecture, representing three different classes of computers. The user tier consists of computers that have browsers that request and process Web pages. The server tier consists of computers that run Web servers and process application programs. The database tier consists of computers that run a database management system (DBMS) that processes structured query language (SQL) requests to retrieve and store data.
178. Which of the following network connectivity hardware and software devices do not perform similar functions?
a. Guards, firewalls, and routers
b. Connectors, concentrators, and sockets
c. Switches, hubs, and bridges
d. Bridges, routers, and brouters
178. b. Connectors, concentrators, and sockets do not perform similar functions. A connector is an electromechanical device on both ends of cables that permits them to be connected with and disconnected from other cables. A concentrator gathers several lines in one central location as in the fiber distributed data interface (FDDI). Sockets are endpoints created in a transmission control protocol (TCP) service by both the sender and the receiver.
The other three choices perform similar functions. The hardware/software guard system is composed of a server, workstations, malicious code detection, a firewall, and/or filtering routers, all configured to allow transfer of information among communities of users operating at different security levels. Bridges are similar to switches in that both route on frame addresses. Switches are similar to hubs in that they enable communications between hosts. Brouters are routers that can also bridge; they route one or more protocols and bridge all other network traffic.