195. Which of the following is not an example of alternative access points to an organization’s IT resources?
a. Internet gateway
b. Workstations
c. Modems
d. Wireless access points
195. a. An organization’s major access point is the Internet gateway. Attackers often enter networks from alternative access points to avoid detection by security controls monitoring major access points. A classic example of an alternative access point is a modem in a user’s workstation. If an attacker can dial into the workstation and gain access, then attacks can be launched from that workstation against other hosts. In such cases, little or no information about the network activity may be logged because the activity does not pass through firewalls, intrusion detection system (IDS)-monitored network segments, and other common data collection points. Organizations typically address this by limiting alternative access points, such as modems and wireless access points, and ensuring that each is monitored and restricted through firewalls, IDS sensors, or other controls.
196. When monitoring failures occur, redundant equipment should be used for which of the following?
a. IDS sensors
b. Network-based firewalls
c. Host-based firewalls
d. System logs
196. a. In most organizations, the cost of redundant monitoring makes it feasible only for the highest risk areas. In the case of dedicated monitoring systems, such as intrusion detection system (IDS) sensors, using redundant equipment (e.g., two sensors monitoring the same activity) can lessen the impact of monitoring failures. Another strategy is to perform multiple levels of monitoring, such as configuring network-based and host-based firewalls to log connections.
197. Which of the following is not a primary component or aspect of firewall systems?
a. Protocol filtering
b. Application gateways
c. Extended logging capability
d. Packet switching
197. d. Packet switching is not related to a firewall system. It is a message delivery technique in which small units of information (packets) are relayed through stations in a computer network along the best route currently available between the source and the destination. A packet-switching network handles information in small units, breaking long messages into multiple packets before routing. Although each packet may travel along a different path, and the packets composing a message may arrive at different times or out of sequence, the receiving computer reassembles the original message. Packet-switching networks are considered to be fast and efficient. To manage the tasks of routing traffic and assembling or disassembling packets, such networks require some “intelligence” from the computers and software that control delivery.
Protocol filtering is incorrect because it is one of the primary components or aspects of firewall systems. A firewall filters protocols and services that are either not necessary or that cannot be adequately secured from exploitation. Application gateways are incorrect because they are one of the primary components or aspects of firewall systems. A firewall requires inside or outside users to connect first to the firewall before connecting further, thereby filtering the protocol. Extended logging capability is incorrect because it is one of the primary components or aspects of firewall systems. A firewall can concentrate extended logging of network traffic on one system.
198. Which of the following is a major risk in network traffic involving services running on unexpected port numbers?
a. Capturing
b. Monitoring
c. Analyzing
d. Detecting
198. d. Applications such as intrusion detection systems and protocol analyzers often rely on port numbers to identify which service is in use for a given connection. Unfortunately, most services can be run on any port number. Traffic involving services running on unexpected port numbers may not be captured, monitored, or analyzed properly, causing unauthorized service usage (e.g., providing Web services on an atypical port) to go undetected. Another motivation is to slip traffic through perimeter devices that filter based on port numbers. Many Trojans create services on atypical ports for sending SPAM.
199. For sources of network traffic data, which of the following provides the starting point for examining suspicious activity?
a. Firewalls
b. IDS software
c. Proxy servers
d. Remote access servers
199. b. Organizations typically have many different sources of network traffic data. Intrusion detection system (IDS) data is often the starting point for examining suspicious activity. Unfortunately, IDS software produces false positives, so IDS alerts need to be validated. By itself, data from these sources (e.g., firewalls, routers, proxy servers, and remote access servers) is usually of little value. Examining data over time may indicate overall trends, such as an increase in blocked connection attempts. However, because these sources typically record little information about each event, the data provides little insight as to the nature of the events.
200. Intrusion detection system (IDS) software attempts to identify malicious network traffic at which of the following Transmission Control Protocol/Internet Protocol (TCP/IP) layers?
1. Application layer
2. Transport layer
3. Network layer
4. Data link layer
a. 1 only
b. 2 only
c. 3 only
d. 1, 2, 3, and 4
200. d. Not only does the intrusion detection system (IDS) software typically attempt to identify malicious network traffic at all TCP/IP layers, but it also logs many data fields (and sometimes raw packets) that can be useful in validating events and correlating them with other data sources.
201. Which of the following protocols are the most likely to be spoofed?
1. ICMP
2. UDP
3. TCP
4. Ethernet
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
201. c. Internet control message protocol (ICMP) and user datagram protocol (UDP) are connectionless protocols and thus the most likely to be spoofed. Transmission control protocol (TCP) and Ethernet are incorrect because they are connection-oriented protocols and thus the least likely to be spoofed. Many attacks use spoofed IP addresses. Spoofing is far more difficult to perform successfully for attacks that require connections to be established because the attacker needs insight into sequence numbers and connection status.
202. Which of the following applications are used on local-area networks (LANs) with user datagram protocol (UDP)?
1. X.25
2. SMDS
3. DHCP
4. SNMP
a. 1 only