
Chapter 7,8,9 Network security, Firewalls, and VPNs Second Edition

Study online at https://quizlet.com/_6iogcl


Q: Which of the following describes an access control list (ACL)?
A: A mechanism that defines traffic or an event to apply an authorization control of allow or deny against.

Q: Which of the following uses a brute-force technique to craft packets and other forms of input directed toward the target?
A: Fuzzing tools

Q: Allowing every communication is a bad idea from a security standpoint as well as a productivity one.
A: True

Q: Which of the following steps of an incident response plan selects and trains security incident response team (SIRT) members and allocates resources?
A: Preparation

Q: List 5 common elements included in a properly designed security system.

Q: Which of the following uses ICMP as a tunneling protocol?
A: Loki

Q: A false negative is an event that triggers an alarm when the traffic or event is abnormal and/or malicious.
A: False

Q: Which of the following is an advantage of the build-it-yourself firewall?
A: Cost

Q: Wireshark is a free packet capture, protocol analyzer, and sniffer that can analyze packets and frames as they enter or leave a firewall.
A: True

Q: If strong authentication is a priority, select an application gateway firewall or a dedicated application-specific proxy firewall.
A: True

Q: HTTP Proxy is Linux software powered by VMware that creates SSH encrypted tunnels used in combination with TOR.
A: False

Q: Which of the following refers to a form of IDS/IPS detection based on a recording of real-world traffic as a baseline for normal?
A: Behavioral-based detection

Q: Which of the following troubleshooting steps involves reviewing the entire troubleshooting response process?
A: Performing a post-mortem review

Q: Deploy firewalls as quickly as possible.
A: False

Q: Rule-set ordering is critical to the successful operation of firewall security.
A: True

Q: Simulator tests are secure by design.
A: True

Q: Which of the following hands out tasks in a repeating non-priority sequence?
A: Round robin

Q: Adding caching to a firewall transforms it into a proxy server for whatever service you configure the caching to supplement.
A: True

Q: Which of the following is not a common reason for deploying a reverse proxy?
A: Time savings

Q: You should not automatically purchase the product your cost/benefit analysis says is the best option.
A: True

Q: Each form of firewall filtering or traffic management is vulnerable in some way.
A: True

Q: Which term describes a security stance that prevents all communications except those enabled by specific allow exceptions?
A: Deny by default/allow by exception

Q: When troubleshooting firewalls, you should never attempt to repeat the problem because you could do more damage.
A: False

Q: Which of the following is similar to defense in depth and supports multiple layers of security?
A: Diversity of defense

Q: You cannot replace a native or default software firewall product in a general-purpose operating system (OS) with a third-party option.
A: False
Q: Which of the following is not a security strategy?
A: Firewall policies

Q: When it comes to firewall rules, in general, grant access only to traffic that is essential.
A: True
Q: Discuss four best practices for firewall management.

Q: Wireshark can be used in the absence of a firewall, with a firewall set to allow all traffic, or even in the presence of a firewall to inventory all traffic on the network.
A: True

Q: Which of the following is a centralized logging service that hosts a duplicate copy of log files?
A: Syslog

Q: Which of the following refers to a network access control or admission control (NAC) used on individual network access devices, such as firewalls, VPN gateways, and wireless routers, to offload authentication to a dedicated authentication server/service?
A: PNAC

Q: Encryption of the session that accesses a firewall's management interface is the most important and critical aspect of management interface configuration.
A: True

Q: Denial of service (DoS) attacks cannot be detected by a firewall.
A: False

Q: The Containment phase of an incident response plan restrains further escalation of the incident.
A: True

Q: In which type of system environment do you block all access to all resources, internal and external, by default, and then use the principle of least privilege by adding explicit and specific allow-exceptions only when necessary based on job descriptions?
A: Filter-free

Q: Which of the following does not protect against fragmentation attacks?
A: Firewalking

Q: If you do not eliminate personal communications, business functions can continue unhindered.
A: False

Q: When troubleshooting firewalls, which of the following is not something you should do after you attempt a fix?
A: Make multiple fixes

Q: There are six steps for writing a security incident response plan. Which of the following is not a step?
A: Report

Q: The firewall administrator should give physical access to firewall devices to senior managers and middle managers.
A: False

Q: The Eradication phase of an incident response plan returns the situation to normal operation.
A: False

Q: Diversity of defense uses a different security mechanism at each or most of the layers.
A: True

Q: When security interferes with doing business and an organization believes that security can be turned off because it is inconvenient, it's only a matter of time before a catastrophic compromise occurs.
A: True

Q: Which of the following does port forwarding support?
A: Any service on any port

Q: Netcat is a hacker tool that creates network communication links using UDP or TCP ports that support the transmission of standard input and output.
A: True

Q: When defining firewall rules, you should keep the rule set as simple as possible.
A: True

Q: Which of the following refers to the deployment of a firewall as an all-encompassing primary gateway security solution?
A: UTM

Q: Which of the following describes fair queuing?
A: A technique of load balancing that operates by sending the next transaction to the firewall with the least current workload.

Q: Fair queuing is a technique of load balancing that operates by sending the next transaction to the firewall with the least current workload.
A: True

Q: Which of the following can improve firewall performance?
A: Load balancing
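The two dispatch strategies named in the cards above (round robin and least-current-workload, which these cards call fair queuing) side by side, driven with the same stream of transactions so the difference in queued work is visible. This is an added example in Python, not the textbook's code or any load balancer product's; the firewall capacities, transaction costs and arrival times are made-up units chosen to show the effect.

```python
from itertools import cycle

# Constructed example, not the textbook's or any product's code: two ways
# of spreading transactions over a cluster of firewalls. Capacities, costs
# and arrival ticks are made-up units.

class Firewall:
    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity    # work units processed per tick
        self.pending = 0            # work units assigned but not yet processed
        self.handled = 0            # transactions assigned so far

    def assign(self, cost):
        wait = self.pending         # work already queued ahead of this transaction
        self.pending += cost
        self.handled += 1
        return wait

    def tick(self):
        self.pending = max(0, self.pending - self.capacity)

def round_robin(firewalls):
    """Hands out tasks in a repeating, non-priority sequence, ignoring
    how busy each firewall currently is."""
    ring = cycle(firewalls)
    return lambda: next(ring)

def least_workload(firewalls):
    """Sends the next transaction to the firewall with the least current
    workload (what these cards call fair queuing)."""
    return lambda: min(firewalls, key=lambda fw: fw.pending)

def simulate(strategy, capacities, transactions):
    """transactions: list of (arrival_tick, cost), sorted by arrival.
    Returns (total work units transactions had to wait behind,
             transactions handled per firewall)."""
    fws = [Firewall(f"fw{i}", c) for i, c in enumerate(capacities)]
    pick = strategy(fws)
    total_wait, tick = 0, 0
    for arrival, cost in transactions:
        while tick < arrival:           # advance the clock to the arrival
            for fw in fws:
                fw.tick()
            tick += 1
        total_wait += pick().assign(cost)
    return total_wait, [fw.handled for fw in fws]

# Constructed workload: one heavy transaction, then a stream of light ones.
WORKLOAD = [(0, 9), (0, 1), (0, 1), (1, 1), (1, 1), (1, 1), (2, 1), (2, 1), (2, 1)]
CAPACITIES = [2, 2, 2]

if __name__ == "__main__":
    print("round robin   :", simulate(round_robin, CAPACITIES, WORKLOAD))
    print("least workload:", simulate(least_workload, CAPACITIES, WORKLOAD))
```

Round robin keeps sending every third light transaction to the firewall still digesting the heavy one, so those transactions queue behind 13 units of work in total; the least-workload picker routes around the busy box and the total wait drops to 2. The price is that the balancer must know each firewall's current load, which round robin never has to track.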
Q: Deploying a security product is more preferable than addressing your environment's specific risks.
A: False

Q: Which of the following refers to an event that does not trigger an alarm but should have, due to the traffic or event actually being abnormal and/or malicious?
A: False negative

Q: Which command-line or graphical interface is used to control and configure a device?
A: Management interface

Q: Which of the following is a written expression of an item of concern (protocol, port, service, application, user, IP address) and one or more actions to take when the item of concern appears in traffic?
A: Filter

Q: Which of the following creates TCP and UDP network connections to or from any port?
A: Netcat

Q: What is the principle of least privilege?

Q: Authentication is the process of defining which resources can be accessed by an electronic entity and what level or type of access is granted.

Q: You should consider placing rules related to more common traffic earlier in the set rather than later.
A: True

Q: Which of the following is a malicious remote control tool?
A: NetBus

Q: When troubleshooting firewalls, you should simplify the task by first disabling or disconnecting software and hardware not essential to the function of the firewall.
A: True

Q: A firewall can perform only the operations for which it is programmed, and the specifics of and the order of the rules that result in less access rather than greater access are: list specific Deny rules first, then the Allow exceptions, and always keep the default-deny rule last.
A: True
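The ordering rules from the cards above (rule-set ordering is critical; deny by default with allow exceptions; specific Deny rules first, Allow exceptions next, default deny last; common traffic early in the set) in a minimal first-match packet filter. This is an added example in Python, not the textbook's code or any firewall product's; the rules, addresses and packets are constructed for illustration, and the engine matches only source, destination, protocol and destination port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example, not the textbook's or any vendor's code: a first-match
# filter that shows why rule order decides what a rule set allows.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    name: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules, p: Packet):
    """First matching rule wins. Returns (action, rules_examined).
    A packet matching nothing is denied (implicit default deny)."""
    for i, r in enumerate(rules, start=1):
        if r.matches(p):
            return r.action, i
    return "deny", len(rules)

# Specific deny first, allow exceptions next, explicit default deny last.
GOOD_ORDER = [
    Rule("deny",  src="203.0.113.0/24",                      name="block known-bad range"),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80,  name="web"),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443, name="web-tls"),
    Rule("allow", dst="192.0.2.20/32", proto="tcp", dport=25,  name="mail"),
    Rule("deny",                                             name="default deny"),
]

# Same five rules with the web allow placed ahead of the specific deny:
# the blocked range now reaches the web server, because the allow matches first.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]] + GOOD_ORDER[2:]

# If mail is the most common traffic, moving its allow rule ahead of the web
# rules cuts the rules examined per mail packet. Safe here only because the
# allow rules do not overlap, so no decision changes.
MAIL_FIRST = [GOOD_ORDER[0], GOOD_ORDER[3], GOOD_ORDER[1], GOOD_ORDER[2], GOOD_ORDER[4]]

def demo():
    attacker = Packet("203.0.113.7",  "192.0.2.10", "tcp", 80)
    client   = Packet("198.51.100.5", "192.0.2.10", "tcp", 80)
    mail     = Packet("198.51.100.5", "192.0.2.20", "tcp", 25)
    unlisted = Packet("198.51.100.5", "192.0.2.20", "tcp", 22)
    return {
        "attacker_good": evaluate(GOOD_ORDER, attacker)[0],   # deny
        "attacker_bad":  evaluate(BAD_ORDER, attacker)[0],    # allow: misordered set
        "client":        evaluate(GOOD_ORDER, client)[0],     # allow
        "unlisted":      evaluate(GOOD_ORDER, unlisted)[0],   # deny: default rule
        "mail_checks_default":   evaluate(GOOD_ORDER, mail)[1],  # 4 rules examined
        "mail_checks_reordered": evaluate(MAIL_FIRST, mail)[1],  # 2 rules examined
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

Swapping just the first two rules turns a deny for the blocked range into an allow without touching any rule's contents, which is the failure rule-set ordering reviews are meant to catch. Reordering for performance, as in MAIL_FIRST, is only safe when the rules being moved past each other cannot both match the same packet; check that overlap before reordering a production set.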
Q: What is anomaly-based detection?
A: A form of intrusion detection system/intrusion prevention system (IDS/IPS) based on a defined normal, often defined using rules similar to firewall rules.

Q: Which of the following is not a commonsense element of troubleshooting firewalls?
A: Work with urgency

Q: Which term describes an approach to security similar to defense in depth in that it supports multiple layers, but uses a different security mechanism at each or most of the layers?
A: Diversity of defense

Q: Which of the following is a technique for storing or copying log events to a centralized logging server?
A: Syslog
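What the two Syslog cards describe, in working form: parsing the BSD-style syslog (RFC 3164) lines a firewall forwards to a central log host, decoding the PRI field into facility and severity, and running one check that only the central copy of the logs makes possible. This is an added example in Python, not the textbook's code; the log lines are constructed for the example, and the "ACTION KEY=value ..." message layout mimics a netfilter-style firewall log but is not any product's exact format.

```python
import re
from collections import defaultdict

# Constructed example, not the textbook's code. The lines below are made up;
# PRI = facility * 8 + severity, so <6> is kern.info and <86> is authpriv.info.
SAMPLE_LOG = """\
<6>Mar  3 10:15:02 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
<4>Mar  3 10:15:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
<4>Mar  3 10:15:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
<4>Mar  3 10:15:04 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
<4>Mar  3 10:15:04 fw1 kernel: DENY IN=eth0 SRC=198.51.100.9 DST=192.0.2.20 PROTO=UDP DPT=161
<86>Mar  3 10:15:05 fw1 sshd: Accepted publickey for admin from 10.0.0.4 port 50211 ssh2
"""

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 10: "authpriv", 16: "local0"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Split one syslog line into facility/severity, header fields and the
    KEY=value pairs in the message. Returns None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"], "host": m["host"], "tag": m["tag"], "msg": m["msg"],
        "action": m["msg"].split(" ", 1)[0],
        "fields": dict(KV_RE.findall(m["msg"])),
    }

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def deny_alerts(records, min_ports=3):
    """Alert on any source denied on at least `min_ports` distinct destination
    ports within the records given: a pattern visible in the central copy of
    the logs, but invisible to a rule that judges one packet at a time."""
    ports = defaultdict(set)
    for r in records:
        f = r["fields"]
        if r["action"] == "DENY" and "SRC" in f and "DPT" in f:
            ports[f["SRC"]].add(int(f["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["facility"], r["severity"], r["host"], r["action"], r["fields"])
    print("alerts:", deny_alerts(recs))
```

The parser is deliberately strict: a line that does not fit the RFC 3164 shape, or carries an impossible PRI, is dropped rather than guessed at, because log injection through a crafted message is the obvious way to poison a central log host. The threshold in deny_alerts is a tuning knob, not a fixed value; three ports from one source in two seconds is a scan on this sample and would be noise on a busy edge.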
Q: Authentication and authorization must be used together.
A: False

Q: Which of the following steps of an incident response plan returns the operation to normal?
A: Recovery

Q: Which of the following is not a protection against fragmentation attacks?
A: Buffer overflows

Q: You should spend security funds somewhat evenly to secure the overall organization, rather than over-securing one area and neglecting another.
A: True

Q: Which type of test is run in non-production subnets where you've configured a duplicate of the production environment?
A: Laboratory test

Q: A firewall's vulnerability to DoS flooding is a limitation or weakness that you can't fix, improve, or repair by either upgrading the firewall or applying a patch.
A: True

Q: Which of the following forces all traffic, communications, and activities through a single pathway or channel that can be used to control bandwidth consumption, filter content, provide authentication services, or enforce authorization?
A: Chokepoint
Q: Firewalking is a hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic.
A: True

Q: Which of the following refers to a system designed, built, and deployed specifically to serve as a frontline defense for a network?
A: Bastion host

Q: Which of the following describes security stance?
A: An organization's filtering configuration; it answers the question, "What should be allowed and what should be blocked?"

Q: Overlapping occurs when full or partial overwriting of datagram components creates new datagrams out of parts of previous datagrams.
A: True
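The overlapping card above in code: reassembling the fragments of one datagram and reporting overlaps whose bytes disagree, which is how an overlap attack differs from an ordinary retransmission. This is an added example in Python, not the textbook's code; offsets are plain byte offsets for readability (real IP fragment offsets are in 8-byte units), and the fragments are constructed to show the technique.

```python
# Constructed example, not the textbook's code. Two reassembly policies are
# modelled because real stacks differ on which overlapping copy they keep,
# and that difference is what an overlap evasion relies on: the filter sees
# one datagram, the destination host builds another from the same fragments.

def reassemble(fragments, policy="first"):
    """fragments: iterable of (offset, payload). policy is "first" (keep the
    byte already received) or "last" (let the later fragment overwrite it).
    Returns (datagram, sorted offsets where overlapping bytes disagreed);
    raises ValueError if the fragments leave a hole."""
    buf, conflicts = {}, set()
    for offset, payload in fragments:
        for i, b in enumerate(payload):
            pos = offset + i
            if pos not in buf:
                buf[pos] = b
            elif buf[pos] != b:
                conflicts.add(pos)
                if policy == "last":
                    buf[pos] = b
    if not buf:
        return b"", []
    length = max(buf) + 1
    holes = [p for p in range(length) if p not in buf]
    if holes:
        raise ValueError(f"incomplete datagram, missing offsets {holes[:8]}")
    return bytes(buf[p] for p in range(length)), sorted(conflicts)

def overlap_evasion_suspected(fragments):
    """Filter/IDS check: an overlap whose bytes disagree is not a benign
    retransmission. Drop or alert on it, since the filter cannot know
    which copy the destination host will keep. A fragment set that never
    completes is treated the same way rather than forwarded."""
    try:
        _, conflicts = reassemble(fragments, "first")
    except ValueError:
        return True
    return bool(conflicts)

# Constructed fragments: an innocuous request, then a late fragment that
# rewrites the middle of it.
ATTACK = [(0, b"GET /ind"), (8, b"ex.html HTTP"), (4, b"/cmd.exe")]
# The same bytes resent (benign overlap): no conflicting bytes.
RETRANSMIT = [(0, b"abcd"), (2, b"cdef")]

if __name__ == "__main__":
    print("first-wins :", reassemble(ATTACK, "first"))
    print("last-wins  :", reassemble(ATTACK, "last"))
    print("suspected  :", overlap_evasion_suspected(ATTACK), overlap_evasion_suspected(RETRANSMIT))
```

A filter that inspects fragments individually, or reassembles with a policy different from the target host's, passes the request it reconstructed ("GET /index.html HTTP") while the host may execute the other one ("GET /cmd.exetml HTTP"). Rejecting any conflicting overlap removes the ambiguity without needing to know the host's policy, at the cost of dropping the rare corrupted retransmission.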
Q: Which of the following refers to a form of IDS/IPS detection based on a collection of samples, patterns, signatures, and so on stored in a database of known malicious traffic and events? All traffic or events that match an item in the database are considered abnormal and potentially malicious.
A: Database-based detection

Q: Which of the following are documents that can help you to review and assess your organization's status and state of security?
A: Incident response plan

Q: Which of the following is a network mapper, port scanner, and OS fingerprinting tool that checks the state of ports, identifies targets, and probes services?
A: Nmap

Q: It's important to evaluate the purpose and content of your firewall policy. Which of the following is not an evaluation method?
A: Determine how to write a policy that is as short as possible to avoid confusion.

Q: Signature-based detection describes a form of intrusion detection system/intrusion prevention system (IDS/IPS) based on a defined normal.
A: False
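The three detection forms defined in the cards above (database/signature-based, anomaly-based against a defined normal, and behavioral against a recorded baseline), plus the false negative and false positive definitions, run over constructed traffic. This is an added example in Python, not the textbook's code or any IDS product's; the signature "database", the recorded baseline and the events are made up for the example, and the single fixed-threshold rule stands in for a real anomaly rule set.

```python
import statistics
from urllib.parse import unquote

# Constructed example, not the textbook's code. Every verdict is scored
# against a label so the false-negative and false-positive definitions
# from the cards show up as concrete counts.

# "Database" of known-bad patterns (constructed; a real one holds thousands).
SIGNATURES = {b"/bin/sh": "shell-string", b"' OR 1=1": "sqli-probe"}

# A defined normal expressed as a fixed rule, in the style of a firewall rule.
RULE_MAX_CONNECTIONS = 200

def signature_detect(payload, normalize=False):
    """Database-based: flag payloads matching a stored pattern. With
    normalize=True the URL encoding is undone first, the way an IDS must
    canonicalize input before matching or encoded variants slip past."""
    if normalize:
        payload = unquote(payload.decode("latin-1")).encode("latin-1")
    return [name for pat, name in SIGNATURES.items() if pat in payload]

def anomaly_detect(connections):
    """Anomaly-based: compare against the defined normal."""
    return connections > RULE_MAX_CONNECTIONS

def learn_baseline(recording):
    """Behavioral: derive normal from a recording of real-world traffic."""
    return statistics.fmean(recording), (statistics.pstdev(recording) or 1.0)

def behavioral_detect(connections, model, k=3.0):
    """Behavioral: flag values more than k standard deviations from baseline."""
    mean, sd = model
    return abs(connections - mean) > k * sd

# Recorded per-minute connection counts from a quiet period (constructed).
RECORDING = [40, 45, 38, 50, 42, 47, 44, 41, 46, 43]

# Constructed events: (connections in the minute, sample payload, is_malicious).
EVENTS = [
    (44,  b"GET /index.html",              False),
    (46,  b"GET /cgi-bin/x?c=/bin/sh",     True),   # matches a stored pattern
    (180, b"GET /",                        True),   # flood: no signature, abnormal volume
    (240, b"PUT /backup/2024.tar",         False),  # legitimate backup burst
    (45,  b"GET /a?id=1%27%20OR%201%3D1",  True),   # URL-encoded SQLi probe
]

def classify(connections, payload, model, normalize=False):
    """Combined detector: any of the three forms raising an alarm counts."""
    return bool(signature_detect(payload, normalize)
                or anomaly_detect(connections)
                or behavioral_detect(connections, model))

def evaluate(events, model, normalize=False):
    """Score the combined detector. A false negative is a malicious event
    that raised no alarm; a false positive is a benign event that did."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for connections, payload, malicious in events:
        alarmed = classify(connections, payload, model, normalize)
        counts[("t" if alarmed == malicious else "f") + ("p" if alarmed else "n")] += 1
    return counts

MODEL = learn_baseline(RECORDING)

if __name__ == "__main__":
    print("raw matching       :", evaluate(EVENTS, MODEL))
    print("with normalization :", evaluate(EVENTS, MODEL, normalize=True))
```

On this sample the signature database catches the known string, the behavioral baseline catches the flood that has no signature (the fixed rule's threshold of 200 is too high to see it), and the backup burst is the false positive both volume detectors produce. The encoded SQL probe is the false negative: it carries a known pattern, but not in the bytes the database stores, and normal volume gives the other two forms nothing to see. Canonicalizing before matching turns it into a true positive, which is why the match step of a database-based detector is only as good as the normalization in front of it.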
Q: The Detection phase of an incident response plan confirms breaches.
A: True

Q: Which of the following provides faster access to static content for external users accessing internal Web servers?
A: Reverse caching

Q: The definition of a business task should consider whether or not the task is necessary. If the task is necessary, the organization's security solution should make the task possible.
A: True

Q: Snort is an open-source, rule-based IDS that can detect firewall breaches.
A: True

Q: Which of the following is a dedicated hardware device that functions as a black-box sentry?
A: Appliance firewall

Q: What are the four basic guidelines for defining firewall rules?

Q: Which of the following describes a general purpose OS?
A: An operating system such as Windows or Linux that can support a wide variety of purposes and functions, but which, when used as a bastion host OS, must be hardened and locked down.

Q: Security through obscurity can be both a good strategy and a bad one depending on the type of security.
A: True

Q: Log file analysis tools increase manpower, making it slow to analyze massive volumes of information collected by network firewalls.

Q: PacketiX VPN and HotSpotShield are encrypted Web proxy services.
A: True

Q: Which of the following refers to an operating system built exclusively to run on a bastion host device?
A: Proprietary OS

Q: Intruders can edit data written to a WORM device.
A: False
Q: The term weakest link describes an organization's filtering configuration; it's the answer to the question, "What should be allowed and what should be blocked?"
A: False

Q: When troubleshooting firewalls, you should not use free options, as they aren't likely to solve the problem and will waste your time.

Q: Port forwarding supports caching, encryption endpoint, and load balancing.
A: False

Q: Unified threat management (UTM) has the advantage of managing multiple security services from a single interface.
A: True

Q: Which one of the following is not a benefit of having a written firewall policy?
A: It defines how to use a reverse proxy to add an additional layer of protection and control between Internet-based users and internally hosted servers.

Q: Discuss the difference between defense in depth and diversity of defense.

Q: You should immediately terminate any communication found to take place without firewall filtering.
A: True

Q: Which of the following is given to a notification from a firewall that a specific event or packet was detected?
A: Alert

Q: Which name is given to a hacking technique used against static packet filtering firewalls to discover the rules or filters controlling inbound traffic?
A: Firewalking

Q: Which of the following is a double-blind encapsulation system that enables anonymous but not encrypted Internet communications?
A: TOR

Q: Which of the following describes write-once read-many (WORM)?
A: A storage device that can be written to once, but once written cannot be electronically altered.

Q: Which of the following is not a firewall type?
A: Universal

Q: The more expensive it is, the better the security solution.
A: False

Q: To allow clients to use a single public address to access a cluster of internal Web servers, you can deploy reverse proxy to support load balancing or load distribution across multiple internal resource hosts.
A: True

Q: Which of the following is disabled by default and requires an invitation?
A: RDP and Remote Assistance

Q: Software firewalls cannot be bastion hosts.
A: False

Q: A hacker uses a valid IP address of an internal host, and then from an external system, the hacker attempts to establish a communication session with the internal host over a multitude of different ports. This is called internal code planting.
A: False

Q: Which of the following is described as the maximum communication or transmission capability of a network segment?
A: Wirespeed

Q: Which of the following command-line tools will list the current open, listening, and connection sockets on a system as well as the service related to each socket?
A: Fport

Q: Which of the following is an operating system built exclusively to run on a bastion host device?
A: Proprietary OS

Q: On which of the following can you filter because of the lack of encryption and because filtering rules apply?
A: Transport mode header

Q: Which of the following steps of an incident response plan resolves the compromise?
A: Eradication

Q: The fewer rules you need to check before you grant an Allow, the less delay to the traffic stream.
A: True

Q: Your security strategy should never support encrypted communications across your network.
A: False
Q: Which of the following describes the principle that for an organization's security policy to be effective, everyone must be forced to work within it and follow its rules?
A: Universal participation

Q: Examples of users purposefully avoiding or violating security (that is, not actively supporting and participating in security) include all of the following except which one?
A: Setting strong passwords

Q: Cryptcat is a Linux distribution that includes hundreds of security and hacking tools, including Nessus and Metasploit. It can perform attacks against or through a firewall for testing purposes.
A: False

Q: When conducting an inventory, you don't need to include protocols in use or the port(s) in use. You just need to include the likely source and destination addresses.
A: False

Q: If the process of creating rules requires a significant number of special exceptions to modify or adjust ranges of addresses or ports, what should you do?
A: Consider re-configuring the network rather than using a too complex or too long rule set.

Q: Behavioral-based detection looks for differences from normal based on a recording of real-world traffic that establishes a baseline.
A: True