a. Firewalls

b. Intrusion detection systems

c. Virus checkers

d. Operating system’s security features

244. d. Application software often contains numerous vulnerabilities. Many security systems (e.g., firewalls, intrusion detection systems, and virus checkers) attempt to protect these insecure applications by monitoring and filtering the application’s interactions with users. Ultimately, however, these barrier techniques are inadequate because users must be allowed to interface directly with the vulnerable applications software. The best defense is to install ever-stronger barriers around the applications software. The operating system is the best place for such a barrier.

245. Which of the following is an example of a boundary access control?

a. Gateway

b. Bridge

c. Modem

d. Firewall

245. d. Firewalls monitor network traffic that enters and leaves a network. A firewall controls broad access to all networks and resources that lie “inside” it. By limiting access to host systems and services, firewalls provide a necessary line of perimeter defense against attack; that is, they form a boundary control.

A gateway is incorrect because it is an interface between two networks. A bridge is incorrect because it is a device used to link two or more homogeneous local-area networks (LANs). A modem is incorrect because it is a device that converts analog signals to digital signals and vice versa. The devices mentioned in the three incorrect choices do not have the ability to perform as a boundary access control.

246. Which of the following is used for high-speed remote access with virtual private networks (VPNs)?

a. Calling cards with ISDN

b. Cable modems with ADSL

c. Modem pools with ADSL

d. Toll-free lines with ISDN

246. b. Modem pools, calling cards, and toll-free arrangements can be an expensive alternative to cable modems and asymmetric digital subscriber line (ADSL). An ISDN line is limited to 128 bits and is slow. Cable modems and ADSL technologies take advantage of the Internet and IPsec functioning at the network layer. These technologies provide high-speed remote access.

247. Which of the following is suitable for a low-risk computing environment?

a. Static packet filter firewall

b. Hybrid gateway firewall

c. Stateful inspection gateway firewall

d. Dynamic packet firewall

247. a. The static packet filter firewall offers minimum security provisions, which are suitable for a low-risk computing environment. The hybrid gateway firewall is appropriate for medium- to high-risk computing environments. Both stateful inspection and dynamic packet firewalls are appropriate for high-risk computing environments.

248. The Internet Protocol security (IPsec) is usually implemented in which of the following?

a. Bridge

b. Gateway

c. Firewall

d. Backbone

248. c. Usually, Internet Protocol security (IPsec) is implemented on a firewall for VPNs. IPsec in tunnel mode, not in transport mode, encrypts and encapsulates IP packets, so that outsiders cannot observe the true source and destination addresses. VPNs enable a trusted network to communicate with another network over untrusted networks such as the Internet. A policy is needed for the use of firewalls with VPNs. Any connection between firewalls over public networks should use encrypted VPNs to ensure the privacy and integrity of the data passing over the public network. Bridges, gateways, and backbones do not have the access control mechanisms that a firewall has.

249. Which of the following is an example of connectionless data communications?

a. X.25

b. TCP

c. Ethernet

d. WAN

249. c. Connectionless data communication does not require that a connection be established before data can be sent or exchanged. X.25, TCP, and WAN are examples of connection-oriented data communication, which requires that a connection first be established.

250. Which of the following protocols provides cellular/mobile wireless security?

a. WSP

b. WTP

c. WTLS

d. WDP

250. c. Wireless transport layer security (WTLS) is a communications protocol that enables cellular/mobile phones to send and receive encrypted information over the Internet, thus providing wireless security. Wireless session protocol (WSP), wireless transaction protocol (WTP), WTLS, and wireless datagram protocol (WDP) are part of wireless access protocol (WAP). WAP is an Internet protocol that defines the way in which cell phones and similar devices can access the Internet.

251. In border gateway protocol (BGP), prefix filters help to limit the damage to the routes in which of the following ways?

a. The egress filters of an autonomous system (AS) are matched with the ingress filters of BGP peers.

b. The ingress filters of BGP peers are matched with the ingress filters of an autonomous system (AS).

c. The ingress filters of an autonomous system (AS) are matched with the ingress filters of BGP peers.

d. The egress filters of BGP peers are matched with the egress filters of an autonomous system (AS).

251. a. Normally, border gateway protocol (BGP) peers should have prefix filters that match those of the autonomous system (AS). This means that the egress filters of an AS should be matched by the ingress filters of the BGP peers with which it communicates. This matching approach helps to reduce the risk from attackers who seek to inject false routes by pretending to send updates from the AS to its peers. Attackers can of course still send faulty routes, but filtering limits the damage these routes can do.

252. Which of the following border gateway protocol (BGP) attacks does not use the Time To Live (TTL) hack as a countermeasure?

a. Peer spoofing and TCP resets

b. Denial-of-service via resource exhaustion

c. Route flapping

d. Session hijacking

252. c. Because border gateway protocol (BGP) runs on transmission control protocol/Internet protocol (TCP/IP), any TCP/IP attack can be applied to BGP. Route flapping is a situation in which BGP sessions are repeatedly dropped and restarted, normally as a result of router problems. Examples of countermeasures for route flapping include graceful restart and the BGP route-flap damping method, not the TTL hack.

Route-flap damping is a method of reducing route flaps by implementing an algorithm that ignores the router sending flapping updates for a configurable period of time. Each time a flapping event occurs, peer routers add a penalty value to a total for the flapping router. As time passes, the penalty value decays gradually; if no further flaps are seen, it reaches a reuse threshold, at which time the peer resumes receiving routes from the previously flapping router.
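A small model of the damping cycle just described (a fixed penalty per flap, gradual decay while the peer is quiet, and a reuse threshold that restores the peer), added here as an illustration and not taken from the question bank. The half-life and the suppress/reuse thresholds are assumed values patterned on common router defaults, and the penalty is tracked per peer as the explanation states.

```python
import math
from dataclasses import dataclass

# Assumed parameters patterned on common router defaults; the text gives none.
PENALTY_PER_FLAP = 1000
SUPPRESS_LIMIT = 2000   # stop accepting routes once the penalty exceeds this
REUSE_LIMIT = 750       # resume once decay brings the penalty below this
HALF_LIFE_S = 15 * 60   # penalty halves after 15 quiet minutes


@dataclass
class DampingState:
    """Per-peer damping record: accumulated penalty and when it last changed."""
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False

    def decayed_penalty(self, now: float) -> float:
        # Exponential decay: penalty * 2^(-(elapsed / half_life)).
        elapsed = max(0.0, now - self.last_update)
        return self.penalty * math.pow(2.0, -elapsed / HALF_LIFE_S)

    def flap(self, now: float) -> None:
        # A withdraw/re-announce cycle adds a fixed penalty to the decayed total.
        self.penalty = self.decayed_penalty(now) + PENALTY_PER_FLAP
        self.last_update = now
        if self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True

    def accepts_routes(self, now: float) -> bool:
        # Hysteresis: suppression clears only when the penalty decays below REUSE_LIMIT,
        # so a peer must stay quiet for a while before its routes are taken again.
        if self.suppressed and self.decayed_penalty(now) < REUSE_LIMIT:
            self.suppressed = False
        return not self.suppressed


def simulate(flap_times, probe_time):
    """Apply flaps at the given seconds, then report (accepting?, penalty) at probe_time."""
    state = DampingState()
    for t in flap_times:
        state.flap(t)
    return state.accepts_routes(probe_time), round(state.decayed_penalty(probe_time))


if __name__ == "__main__":
    # Constructed scenario: three flaps within two minutes, then an hour of quiet.
    print(simulate([0, 60, 120], 120))         # suppressed, penalty just under 2900
    print(simulate([0, 60, 120], 120 + 3600))  # reuse threshold reached, accepting again
```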

The other three choices use the TTL hack. The Time To Live (TTL), or hop count, is an 8-bit field in each IP packet that prevents packets from circulating endlessly in the Internet. The generalized TTL security mechanism (RFC 3682), often referred to as the TTL hack, is a simple but effective defense that takes advantage of TTL processing. At each network node the TTL is decremented by one, and a packet whose TTL reaches zero before it arrives at its destination is discarded.
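The TTL check that makes this defense work, shown as an added example rather than text from the question bank: a peer that sends with TTL 255 and is a known number of hops away arrives with at least 255 minus that hop count, whereas a more distant sender cannot produce such a high TTL because every node on the path decrements it. The sample packets are constructed for the illustration.

```python
MAX_TTL = 255  # initial TTL a GTSM-protected peer is configured to send


def arriving_ttl(sent_ttl: int, hops: int) -> int:
    """TTL seen by the receiver after each intermediate node decrements it by one."""
    return max(0, sent_ttl - hops)


def gtsm_accepts(received_ttl: int, expected_hops: int) -> bool:
    # Accept only packets that could have come from a sender no farther away
    # than the real peer: such a sender delivers TTL >= 255 - expected_hops.
    return received_ttl >= MAX_TTL - expected_hops


def filter_session_packets(packets, expected_hops):
    """Return the labels of (label, ttl) records a GTSM-protected BGP speaker would process."""
    return [label for label, ttl in packets if gtsm_accepts(ttl, expected_hops)]


# Constructed sample: two senders start at 255, one uses a typical default of 64.
PACKETS = [
    ("directly connected peer", arriving_ttl(255, 0)),       # arrives with 255
    ("sender five hops away", arriving_ttl(255, 5)),         # arrives with 250
    ("sender one hop away, default TTL", arriving_ttl(64, 1)),  # arrives with 63
]

if __name__ == "__main__":
    # Directly connected peering: only the first packet passes.
    print(filter_session_packets(PACKETS, expected_hops=0))
    # Multihop peering five hops out: the distant sender is now within reach.
    print(filter_session_packets(PACKETS, expected_hops=5))
```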