In a peer spoofing attack, the goal is to insert false information into a BGP peer’s routing tables. A special case of peer spoofing, called a reset attack, involves inserting TCP RESET messages into an ongoing session between two BGP peers. Examples of countermeasures against peer spoofing and TCP resets include strong sequence number randomization and the TTL hack.
A denial-of-service attack via resource exhaustion exploits the fact that routers use a large amount of storage for path prefixes. These resources are exhausted if updates arrive too rapidly or if there are too many path prefixes to store because of malicious prefixes. Examples of countermeasures against denial-of-service via resource exhaustion include rate limit synchronization processing, increasing queue length, route filtering, and the TTL hack.
A session hijacking attack is designed to achieve more than simply bringing down a session between BGP peers. The objective is to change the routes used by the peer in order to facilitate eavesdropping, blackholing, or traffic analysis. Examples of countermeasures against session hijacking include strong sequence number randomization, IPsec authentication, and the TTL hack.
253. Which of the following is not one of the actions taken by a firewall on a packet?
a. Accept
b. Deny
c. Discard
d. Destroy
253. d. The firewall examines a packet’s source and destination addresses and ports, and determines what protocol is in use. From there, it starts at the top of the rule base and works down through the rules until it finds a rule that permits or denies the packet. It takes one of three actions: (i) the firewall passes the packet through as requested (accept), (ii) the firewall drops the packet without passing it through and returns an error message to the source (deny), or (iii) the firewall not only drops the packet but also does not return an error message to the source system (discard). Destroy is not one of the actions taken by a firewall.
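The top-down, first-match evaluation and the three actions in the answer, as an added example (not from the source or any firewall product). The rule base, the packets, and the addresses are constructed; the assumption that a deny sends an ICMP unreachable or TCP RST back to the source is a common implementation, not something the answer specifies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example (not from the source): a first-match firewall rule base
# with the three actions described in the answer.
ACCEPT = "accept"    # pass the packet through
DENY = "deny"        # drop it and send an error back to the source (assumed
                     # here to be an ICMP unreachable or TCP RST)
DISCARD = "discard"  # drop it silently, nothing returned to the source


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    proto: str                 # protocol name or "any"
    dport: Optional[int]       # None matches any port
    action: str

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], packet: Packet,
             default: str = DISCARD) -> Tuple[str, bool]:
    """Walk the rule base top-down; the first matching rule decides.

    Returns (action, error_sent_to_source). Only DENY notifies the source;
    ACCEPT passes silently and DISCARD drops silently. With no match the
    default (silent discard, the usual "deny all" last rule) applies.
    """
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.action == DENY
    return default, False


# Constructed rule base protecting one public host, 203.0.113.10.
RULE_BASE = [
    Rule("any", "203.0.113.10/32", "tcp", 443, ACCEPT),        # public HTTPS
    Rule("10.0.0.0/8", "203.0.113.10/32", "tcp", 22, ACCEPT),  # admin SSH from inside
    Rule("any", "203.0.113.10/32", "tcp", 22, DENY),           # other SSH: reject with an error
    Rule("any", "any", "any", None, DISCARD),                  # everything else: silent drop
]

if __name__ == "__main__":
    for pkt in [Packet("198.51.100.5", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.5", "203.0.113.10", "tcp", 22),
                Packet("198.51.100.5", "203.0.113.10", "udp", 53)]:
        print(pkt, "->", evaluate(RULE_BASE, pkt))
```

Rule order matters: swapping the second and third rules would reject internal SSH as well, because the first match wins and the walk stops there.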
254. Network address translation (NAT) protocol operates at what layer of the ISO/OSI reference model?
a. Presentation Layer 6
b. Network Layer 3
c. Transport Layer 4
d. Session Layer 5
254. b. The network address translation (NAT) protocol operates at Layer 3 (the network layer) of the ISO/OSI reference model.
255. All the following are countermeasures against software distribution attacks on software guards except:
a. Conducting third-party testing and evaluations
b. Complying with Common Criteria Guidelines
c. Reviewing audit logs
d. Implementing high-assurance configuration controls
255. c. Distribution attacks can occur anytime during the transfer of a guard’s software or hardware. The software or hardware could be modified during development or before production. The software is also susceptible to malicious modification during production or distribution.
Audit log review is a countermeasure against insider attacks on hardware/software guards, such as modification of data by insiders. Audit logs must be generated and diligently reviewed in a timely manner.
Countermeasures protecting the software guards include implementing strong software development processes, performing continuous risk management, conducting third-party testing and evaluation of software, following trusted product evaluation program and Common Criteria guidelines, high-assurance configuration control, cryptographic signatures over tested software products, use of tamper detection technologies during packaging, use of authorized couriers and approved carriers, and use of blind-buy techniques.
256. Which of the following is not used to accomplish network address translation (NAT)?
a. Static network address translation
b. Hiding network address translation
c. Dynamic network address translation
d. Port address translation
256. c. Network address translation (NAT) is accomplished in three schemes: (i) In static network address translation, each internal system on the private network has a corresponding external, routable IP address associated with it. (ii) With hiding network address translation, all systems behind a firewall share the same external, routable IP address. (iii) In a port address translation (PAT) scheme, the implementation is similar to hiding network address translation, with two primary differences. First, port address translation is not required to use the IP address of the external firewall interface for all network traffic. Second, with port address translation, it is possible to place resources behind a firewall system and still make them selectively accessible to external users.
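The three schemes in the answer as toy translation tables, added here as an example (not from the source or any firewall product). The classes, the port-allocation strategy, and the addresses are constructed for illustration; real NAT devices also track protocol, timeouts, and connection state, which this model omits.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example (not from the source): toy models of the three NAT
# schemes in the answer. Addresses come from documentation and private
# ranges chosen for this example.


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNAT:
    """Scheme (i): each internal host has its own routable external address."""

    def __init__(self, internal_to_external: Dict[str, str]):
        self.int_to_ext = internal_to_external
        self.ext_to_int = {e: i for i, e in internal_to_external.items()}

    def outbound(self, f: Flow) -> Optional[Flow]:
        ext = self.int_to_ext.get(f.src_ip)
        return None if ext is None else Flow(ext, f.src_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        internal = self.ext_to_int.get(f.dst_ip)
        return None if internal is None else Flow(f.src_ip, f.src_port, internal, f.dst_port)


class HidingNAT:
    """Scheme (ii): every internal host shares the firewall's one external address.

    Outbound flows get a unique external port; inbound packets are translated
    only if an outbound flow created the entry, so unsolicited inbound traffic
    has nowhere to go.
    """

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_table: Dict[Tuple[str, int], int] = {}   # (int_ip, int_port) -> ext_port
        self.in_table: Dict[int, Tuple[str, int]] = {}    # ext_port -> (int_ip, int_port)

    def outbound(self, f: Flow) -> Flow:
        key = (f.src_ip, f.src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Flow(self.external_ip, self.out_table[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        if f.dst_ip != self.external_ip or f.dst_port not in self.in_table:
            return None
        int_ip, int_port = self.in_table[f.dst_port]
        return Flow(f.src_ip, f.src_port, int_ip, int_port)


class PAT(HidingNAT):
    """Scheme (iii): like hiding NAT, but the external address need not be the
    firewall interface's own, and fixed (ext_ip, ext_port) -> (int_ip, int_port)
    forwards expose chosen internal resources to outside users."""

    def __init__(self, external_ip: str,
                 forwards: Dict[Tuple[str, int], Tuple[str, int]],
                 first_port: int = 40000):
        super().__init__(external_ip, first_port)
        self.forwards = forwards

    def inbound(self, f: Flow) -> Optional[Flow]:
        target = self.forwards.get((f.dst_ip, f.dst_port))
        if target is not None:
            return Flow(f.src_ip, f.src_port, target[0], target[1])
        return super().inbound(f)
```

The distinction the question tests is visible in `inbound`: static NAT reaches any internal host from outside, hiding NAT reaches none unless the host spoke first, and PAT reaches exactly the resources listed in its forwards table.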
257. Which of the following ensures that all Web network traffic dealing with a firewall system is secured from an administration viewpoint?
a. DES
b. SSL
c. HTTP
d. SSH
257. b. There should be a policy stating that all firewall management functions take place over secure links. For Web-based interfaces, the security should be implemented through secure sockets layer (SSL) encryption, along with a user ID and password. If neither internal encryption nor SSL is available, tunneling solutions such as Secure Shell (SSH) are usually appropriate. HTTP and DES are not appropriate here because they do not provide strong security.
258. All the following are applications of spanning tree concept except:
a. Multicast routing
b. Spanning port
c. Risk analysis
d. Bridges
258. b. A spanning port is a switch port that can see all network traffic going through the switch. The spanning port has nothing to do with the spanning tree, whereas the other three choices are applications of the spanning tree concept. The spanning tree has several applications, such as (i) multicast routing, which makes excellent use of bandwidth because each router knows which of its lines belong to the tree, (ii) conducting risk analysis, and (iii) building plug-and-play bridges.
259. Which of the following does not perform “prefix filtering” services?
a. Border gateway protocol
b. Sensors
c. Routers
d. Firewalls
259. b. Sensors (intrusion detection systems) are composed of monitors and scanners, and they do not perform prefix filtering services. Sensors identify and stop unauthorized use, misuse, and abuse of computer systems by both internal network users and external attackers in near real time. Sensors do not perform permit and deny actions as do the border gateway protocol (BGP), routers, and firewalls. Prefix filtering services are provided by BGP, routers, and firewalls in that they perform permit and deny actions. Prefix filtering is the most basic mechanism for protecting BGP routers from accidental or malicious disruption, thus limiting the damage to the routes. Filtering of both incoming prefixes (ingress filtering) and outgoing prefixes (egress filtering) is needed. Router filters are specified using syntax similar to that for firewalls. Two options exist. One option is to list ranges of IP prefixes that are to be denied and then permit all others. The other option is to specify a range of permitted prefixes, and the rest are denied. The option of listing a range of permitted prefixes provides greater security.
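The two filter options in the answer, applied to the same constructed set of announced prefixes, as an added example (not from the source or any router vendor's syntax). The function names, the announcement, and the deny and permit lists are assumptions made for this illustration.

```python
from ipaddress import ip_network
from typing import List

# Constructed example (not from the source): the two prefix-filter styles
# described in the answer, applied to a constructed set of announced prefixes.


def _inside(prefix: str, ranges: List[str]) -> bool:
    """True if `prefix` is equal to or more specific than any listed range."""
    p = ip_network(prefix)
    for r in map(ip_network, ranges):
        if r.version == p.version and p.subnet_of(r):
            return True
    return False


def filter_deny_then_permit(announced: List[str], denied: List[str]) -> List[str]:
    """Option 1: list prefix ranges to deny, permit everything else."""
    return [p for p in announced if not _inside(p, denied)]


def filter_permit_then_deny(announced: List[str], permitted: List[str]) -> List[str]:
    """Option 2: list prefix ranges to permit, deny everything else."""
    return [p for p in announced if _inside(p, permitted)]


# Constructed announcement from a peer that is expected to originate only
# 198.51.100.0/24 and 192.0.2.0/24.
ANNOUNCED = ["198.51.100.0/24", "10.20.0.0/16", "192.0.2.0/24", "203.0.113.0/25"]
DENY_LIST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8"]  # private/bogon space
PERMIT_LIST = ["198.51.100.0/24", "192.0.2.0/24"]  # what this peer is allowed to send


def compare() -> dict:
    """Apply both options to the same announcement so the difference is visible."""
    return {
        "deny_then_permit": filter_deny_then_permit(ANNOUNCED, DENY_LIST),
        "permit_then_deny": filter_permit_then_deny(ANNOUNCED, PERMIT_LIST),
    }


if __name__ == "__main__":
    for option, accepted in compare().items():
        print(option, accepted)
```

The same functions serve ingress filtering (run on what the peer announces to you) and egress filtering (run on what you are about to announce). The reason the answer rates the permit list as more secure shows up in the result: 203.0.113.0/25 is a prefix nobody anticipated, so it is not on the deny list and passes option 1, but it is not on the permit list either and so is dropped by option 2.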