1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 79
Выбрать главу

260. Local-area networks (LANs) operate at what layer of the ISO/OSI reference model?

a. Physical Layer 1

b. Data link Layer 2

c. Network Layer 3

d. Transport Layer 4

260. b. Layer 2 (data link) of the ISO/OSI reference model represents the layer at which network traffic delivery on local-area networks (LANs) occurs.

261. Which of the following are examples of major problems associated with network address translation (NAT)?

1. Cannot abide by the IP architecture model

2. Cannot locate the TCP source port correctly

3. Cannot work with the file transfer protocol

4. Cannot work with the H.323 Internet Telephony Protocol

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4

261. d. Major problems associated with network address translation (NAT) include (i) it violates the architectural model of IP, which states that every IP address must uniquely identify a single computer worldwide, (ii) it will not locate the TCP source port correctly, (iii) it violates the rules of protocol layering in that a lower-level layer should not make any assumptions about the next higher-level layer put into the payload field, and (iv) it needs to be patched every time a new application is introduced because it cannot work with file transfer protocol (FTP) or H.323 Internet Telephony Protocol. The FTP and H.323 protocols will fail because NAT does not know the IP addresses and cannot replace them.

262. Hardware/software guards provide which of the following functions and properties?

1. Data-filtering

2. Data-blocking

3. Data-sanitization

4. Data-regrading

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 1, 2, 3, and 4

262. d. Hardware/software guard technology can bridge across security boundaries by providing some of the interconnectivity required between systems operating at different security levels. Several types of guard exist. These protection approaches employ various data processing, data filtering, and data-blocking techniques in an attempt to provide data sanitization (e.g., downgrade) or separation between networks. Some approaches involve human review of the data flow and support data flow in one or both directions. Guards can be used to counteract attacks made on the enclave.

Information flowing from public to private networks is considered as a data upgrade. This type of transfer may not require a review cycle but should always require a verification of the integrity of the information originating from the public source system and network.

Information flowing from private to public networks is considered as data regrade and requires a careful review.

263. In a fully networked topology, if there are five nodes, how many direct paths does it result in?

a. 2

b. 3

c. 5

d. 10

263. d. The equation for the number of direct paths in a fully connected network is n (n–1)/2, where “n” is the number of nodes. Applying the equation results in 10 (i.e., 5(5–1)/2). The answer 2 is obtained by using the equation as (n–1)/2. The answer 3 is obtained by using the equation as (n+1)/2.

264. Which of the following networks is used to distribute music, games, movies, and news using client caching, server replication, client’s request redirection, and a proxy server?

a. Asynchronous transfer mode (ATM) network

b. Content delivery network (CDN)

c. Voice over Internet Protocol (VoIP) network

d. Integrated services digital network (ISDN)

264. b. Content delivery networks are used to deliver the contents of music, games, movies, and news from content owner’s website to end users quickly with the use of tools and techniques such as client caching, server replication, client’s request redirection, and a proxy content server to enhance the Web performance in terms of optimizing the disk space and preload time.

ATMs are good for voice traffic only. VoIP is the transmission of voice over packet-switched IP networks and it takes a wide variety of forms, including traditional telephone handsets, conferencing units, and mobile units. ISDN is an international communications standard for sending voice, video, and data over digital or standard telephone wires. The ISDN security must begin with the user (i.e., may be a person, an organizational entity, or a computer process).

265. Firewalls are the perfect complement to which of the following?

a. Bridges

b. Routers

c. Brouters

d. Gateways

265. b. Given that all routers support some type of access control functionality, routers are the perfect complement to firewalls. The generally accepted design philosophy is that boundary routers should protect firewall devices before the firewall devices ever have to protect themselves. This principle ensures that the boundary router can compensate for any operating system or platform-specific vulnerabilities that might be present on the firewall platform. Brouters combine the functionality of bridges and routers.

266. Which of the following is the best backup strategy for firewalls?

a. Incremental backup

b. Centralized backup

c. Day Zero backup

d. Differential backup

266. c. The conduct and maintenance of backups are key points to any firewall administration policy. It is critical that all firewalls are subject to a Day Zero backup (full backup), i.e., all firewalls should be backed up immediately prior to production release. As a general principle, all firewall backups should be full backups, and there is no need for incremental, centralized, or differential backups because the latter are less than full backups.

267. Which of the following needs to be protected for a failsafe performance?

a. Virus scanners

b. Firewalls

c. Blocking filters

d. Network ports

267. b. Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures. A failsafe is the automatic termination and protection of programs when a hardware or software failure is detected. Because firewalls provide a critical access control security service, multiple firewalls should be employed for failsafe performance. Depending on a person’s viewpoint, firewalls provide either the first line of defense or the last line of defense in accessing a network.

Virus scanners look for common viruses and macro viruses. Blocking filters can block Active-X and Java applets. Network ports provide access points to a network. These are not that important when compared to the firewall to have a failsafe performance.

~ 79 ~