d. Mapping multiple IP addresses
187. c. For events within a network, an analyst can map an Internet protocol (IP) address (i.e., a logical identifier at the IP layer) to the media access control/medium access control (MAC) address of a particular network interface card (NIC) (i.e., a physical identifier at the physical layer), thereby identifying a host of interest. Analyzing physical components alone or reviewing logical aspects alone is only a partial approach. Mapping multiple IP addresses does not by itself identify a host.
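The IP-to-MAC correlation described in this answer, as an added example that is not part of the original text: a constructed ARP-cache snapshot (in the style of Linux `arp -a` output, with made-up addresses and interface names) is parsed into a table, an event's IP is resolved to the NIC's MAC address, and the table is inverted to show that one NIC can hold several IP addresses, which is why a list of IPs alone does not pin down a host. The function names and the log lines are assumptions for this example.

```python
# Added example (not from the original text): correlate an event's IP address
# with a NIC's MAC address using an ARP-cache snapshot, as in question 187.
import re
from collections import defaultdict

# Constructed ARP-cache snapshot in the style of `arp -a` on Linux; the
# addresses and interface names are made up for this example.
ARP_SNAPSHOT = """\
? (192.168.10.5) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.10.7) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.10.9) at 00:aa:bb:cc:dd:ee [ether] on eth0
? (192.168.10.12) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(snapshot: str) -> dict:
    """Return {ip: mac} for every resolved entry; incomplete entries are skipped."""
    table = {}
    for line in snapshot.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def host_for_event(event_ip: str, arp_table: dict):
    """Map the logical identifier (IP) seen in an event to the physical one
    (MAC) of the NIC that answered for it. None if the cache had no entry."""
    return arp_table.get(event_ip)


def ips_by_mac(arp_table: dict) -> dict:
    """Invert the table: one NIC may carry several IPs (aliases, virtual
    hosts), so a set of IP addresses on its own does not identify a host."""
    inverted = defaultdict(list)
    for ip, mac in arp_table.items():
        inverted[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in inverted.items()}


if __name__ == "__main__":
    table = parse_arp(ARP_SNAPSHOT)
    print(host_for_event("192.168.10.5", table))   # 00:1a:2b:3c:4d:5e
    print(ips_by_mac(table))
```

The snapshot must be taken close to the time of the event: ARP caches age out and MAC addresses can be spoofed, so the mapping is evidence to corroborate with switch port tables or DHCP leases, not proof on its own.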
188. Regarding network data analysis, which of the following can tell a security analyst which application was most likely used or targeted?
a. IP number and port numbers
b. Network interface card
c. NIC and MAC address
d. IP and ARP
188. a. The combination of the Internet protocol (IP) number (IP layer field) and port numbers (transport layer fields) can tell an analyst which application was most likely used or targeted.
Network interface card (NIC) is incorrect because it is a physical device and a part of the data link layer; it cannot tell a security analyst which application was most likely used or targeted.
Media access control/medium access control (MAC) address is incorrect because it is a part of the data link layer and cannot tell a security analyst which application was most likely used or targeted.
Address resolution protocol (ARP) is incorrect because it is a part of the hardware layer (data link layer) and cannot tell a security analyst which application was most likely used or targeted.
189. For network traffic data sources, firewalls and routers do not typically record which of the following?
a. Date and time the packet was processed
b. Source IP address
c. Destination IP address
d. Packet contents
189. d. Firewalls and routers do not record the contents of packets. Instead, they are usually configured to log basic information for most or all denied connection attempts and connectionless packets; some log every packet. Information logged typically includes the date and time the packet was processed, the source and destination IP addresses, and the transport layer protocol (e.g., TCP, UDP, and ICMP) and basic protocol information (e.g., TCP or UDP port numbers and ICMP type and code).
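The two preceding answers (188 and 189) together describe what a firewall or router log carries and how the IP address plus port number points at an application. As an added example that is not part of the original text, the code below parses constructed log lines in a simplified, made-up syslog-like syntax carrying exactly the fields listed in answer 189 (date and time, action, transport protocol, source and destination IP, ports or ICMP type and code, and no payload), then infers the most likely application from the protocol and port using a small subset of the IANA well-known port assignments. The log format, record names and function names are assumptions for this example.

```python
# Added example (not from the original text): parse the fields that firewall
# and router logs typically carry (question 189) and use IP + port to infer
# the application most likely used or targeted (question 188).
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed log lines in a simplified, made-up syslog-like format. There is
# no payload field: these devices log header information, not packet contents.
FIREWALL_LOG = """\
2024-03-05 14:02:11 DENY TCP 203.0.113.45:51234 -> 192.0.2.10:22
2024-03-05 14:02:12 DENY UDP 203.0.113.45:40000 -> 192.0.2.10:53
2024-03-05 14:02:13 DENY ICMP 203.0.113.45 -> 192.0.2.10 type=8 code=0
2024-03-05 14:02:14 ALLOW TCP 198.51.100.7:44321 -> 192.0.2.10:443
2024-03-05 14:02:15 DENY TCP 203.0.113.45:51235 -> 192.0.2.10:22
"""

LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?"
    r"(?: type=(?P<icmp_type>\d+) code=(?P<icmp_code>\d+))?$"
)


@dataclass
class Record:
    date: str
    time: str
    action: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; returns None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Record(g["date"], g["time"], g["action"], g["proto"].lower(),
                  g["src_ip"], _to_int(g["src_port"]),
                  g["dst_ip"], _to_int(g["dst_port"]),
                  _to_int(g["icmp_type"]), _to_int(g["icmp_code"]))


# Small subset of IANA well-known port assignments, enough for the example.
WELL_KNOWN = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("tcp", 80): "http",
              ("tcp", 443): "https", ("udp", 53): "dns", ("tcp", 3389): "rdp"}


def likely_application(rec: Record) -> str:
    """The IP layer only says which hosts talked; the transport-layer port
    says which service. Check the destination port first (request direction),
    then the source port (reply direction)."""
    if rec.proto == "icmp":
        return "icmp type %s code %s" % (rec.icmp_type, rec.icmp_code)
    for port in (rec.dst_port, rec.src_port):
        app = WELL_KNOWN.get((rec.proto, port))
        if app:
            return app
    return "unknown"


def denied_by_application(log: str) -> Counter:
    """Count denied attempts per likely target application: the kind of
    summary an analyst builds from logs that carry no packet contents."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec.action == "DENY":
            counts[likely_application(rec)] += 1
    return counts


if __name__ == "__main__":
    print(denied_by_application(FIREWALL_LOG))
```

A port only indicates the most likely application; services can run on non-standard ports and attackers know the well-known ones, so this inference should be confirmed against application-level logs or captured traffic where those are available.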
190. Packet sniffers are commonly used to capture network traffic data for which of the following purposes?
1. Troubleshooting purposes
2. Investigative purposes
3. Marketing purposes
4. Strategic purposes
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
190. c. Packet sniffers are designed to monitor network traffic on wired or wireless networks and capture packets. Packet sniffers are commonly used to capture a particular type of traffic for troubleshooting (operational) or investigative (legal) purposes, which are technical purposes. For example, if IDS alerts indicate unusual network activity between two hosts, a packet sniffer could record all the packets between the hosts, potentially providing additional information for analysts. The marketing and strategic purposes are not relevant here because the question refers to the operational and legal purposes.
191. A network-based intrusion detection system (IDS) does not do or contain which of the following?
a. Perform packet sniffing
b. Analyze network traffic
c. Possess correction capabilities
d. Possess prevention capabilities
191. c. Network-based intrusion detection systems (IDSs) perform packet sniffing and analyze network traffic to identify suspicious activity, recording relevant information such as the type of attack (e.g., buffer overflow), the targeted vulnerability, the apparent success or failure of the attack, and pointers to more information on the attack. Some IDSs also have intrusion prevention capabilities, but not correction capabilities.
192. For network data analysis, remote access servers (RAS) do not do which of the following?
a. Connect external systems to internal systems
b. Connect internal systems to external systems
c. Record application-specific data
d. Provide packet-filtering functions
192. c. Because the remote access servers (RASs) have no understanding of the application’s functions, they usually do not record any application-specific data.
The other three choices are proper functions of RAS. The RASs are devices such as VPN gateways and modem servers that facilitate connections between networks. This often involves external systems connecting to internal systems through the RAS but could also include internal systems connecting to external or internal systems. Some RASs also provide packet-filtering functions; this typically involves logging similar to that for firewalls and routers.
193. Secure gateways block or filter access between two networks. Which of the following benefits resulting from the use of secure gateways is not true?
a. Secure gateways prevent the spread of computer viruses.
b. Secure gateways reduce risks from malicious hackers.
c. Secure gateways reduce internal system security overhead.
d. Secure gateways can centralize management services.
193. a. Questions frequently arise as to whether secure gateways (also known as firewalls) prevent the spread of viruses. In general, having a gateway scan transmitted files for viruses requires more system overhead than is practical, especially because the scanning would have to handle many different file formats. Secure gateways enable internal users to connect to external networks and at the same time prevent malicious hackers from compromising the internal systems. In addition to reducing the risks from malicious hackers, secure gateways have several other benefits. They can reduce internal system security overhead, because they enable an organization to concentrate security efforts on a limited number of machines. Another benefit is the centralization of services. A secure gateway can be used to provide a central management point for various services, such as advanced authentication, e-mail, or public dissemination of information. Having a central management point can reduce system overhead and improve service.
194. For network data analysis, managed switches collect which of the following statistical data?
a. Bandwidth usage
b. Payload size
c. Source and destination IP addresses
d. Ports for each packet
194. a. Some managed switches and other network devices offer basic network monitoring capabilities, such as collecting statistics on bandwidth usage.
The other three choices are functions of network monitoring software, which collects information such as the payload size and the source and destination IP addresses and ports for each packet. Network monitoring software is designed to observe network traffic and gather statistics on it. Packet sniffers, protocol analyzers, and intrusion detection system (IDS) software may also perform basic network monitoring functions.