Exam Prep Questions

Question 1

Which of the following is not an asset in the small business network's Corporate Internet module? (Choose two.)

  • A. Management server

  • B. File server

  • C. Web server

  • D. Layer 3 switch

  • E. Router or firewall

A1:

Answers A and D are correct. The Corporate Internet module in the small business network edge contains the public-facing servers of this organization (Web, file, DNS, mail), a switch to segregate traffic, and a router or firewall to control traffic (incoming and outgoing). The management server (answer A) is in the campus (either here or at the headquarters, if this is a branch). There is no need for a Layer 3 switch in the small business network: There is not enough traffic to justify the cost (Layer 3 switches cost more because they offload traffic onto high-speed ASICs and so can do high-volume Layer 3 processing faster than a router).

Question 2

Why would there be no VPN termination on the router/firewall in a small business network's Corporate Internet module?

  • A. VPNs are passed through for termination on the management server.

  • B. VPNs are terminated on the Layer 3 switch in the Corporate Internet module (for processing speed).

  • C. VPNs are terminated at corporate headquarters; this network is a branch.

  • D. All of these are correct.

A2:

Answer C is correct. VPNs terminate at the headquarters if this site is a branch. If this network is the only network for an organization (a standalone), any VPNs that it might need should terminate on the router/firewall in the edge; they should never pass through into the campus (answer A). The small business network does not have a Layer 3 switch (answer B); if it did, the latter does not have the IPSec capability needed to terminate a VPN.

Question 3

Which of the following is not a threat to the small business network edge?

  • A. Packet sniffers

  • B. Password attacks

  • C. Denial of service (DoS)

  • D. Mail relays

  • E. Unauthorized access

  • F. Trust exploitation

A3:

Answer D is correct. Mail relays are mail servers that are often used by spammers to disguise the origin of their offensive emails. However, they have legitimate uses, too, including relaying mail to and from a primary mail server inside a protected network. Mail relays are not a security threat, per se. The threats against the small business network's edge include the following:

  • Packet sniffers

  • Network reconnaissance

  • IP spoofing

  • Trust exploitation

  • Unauthorized access

  • Password attacks

  • Port redirection

  • Application-layer attacks

  • Virus and trojan horse attacks

  • Denial of service (DoS)

Question 4

What is the name for filtering incoming traffic with source addresses from inside the network?

  • A. Unicast RPF filtering.

  • B. RFC 1918 filtering.

  • C. RFC 2922 filtering.

  • D. RFC 2827 filtering.

  • E. None of these is correct.

A4:

Answer D is correct. RFC 2827 describes filtering traffic that should originate on the other side of the router: incoming traffic heading toward the address block that contains the source address. There is no good reason for traffic with such a source address to arrive from outside the address block's network. Unicast RPF filtering (answer A) refers to checking whether traffic with a given source address should reasonably be arriving on this interface instead of another one. RFC 1918 (answer B) describes the private address blocks to be used to conserve address space in IPv4; although incoming traffic with those addresses should also be filtered, that is because those addresses should never come in from the publicly routable space. RFC 2922 (answer C) describes a MIB (for use with SNMP) to discover network topology.
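The distinction A4 draws (RFC 2827 against a site's own prefix, RFC 1918 against private space, Unicast RPF against the routing table) is easier to see as the decision an edge router makes per inbound packet. The following is an added example written for this page, not code from the book or from any Cisco device; the site prefix, routing table and packet sources are constructed sample values.

```python
"""Ingress source-address checks modelled on RFC 2827, RFC 1918 and strict Unicast RPF.

Added example (not from the book). Models what an edge router decides for a
packet arriving on its outside interface, using only the source address.
All prefixes and packets below are constructed sample values.
"""
import ipaddress
from typing import List, Tuple

# RFC 1918 private blocks: these must never arrive from the public Internet.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed routing table: (prefix, interface the router would use to reach it).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),      # default route to the ISP
    (ipaddress.ip_network("203.0.113.0/24"), "inside"),  # the site's own public block
]


def classify_inbound(src: str, site_block: str) -> str:
    """Return 'permit' or a 'drop:<reason>' string for a packet arriving from outside.

    RFC 2827: a packet from the Internet whose source lies inside our own
    prefix cannot be genuine, so it is dropped.  RFC 1918: private sources
    are not routable on the Internet and are dropped as well.
    """
    addr = ipaddress.ip_address(src)
    if addr in ipaddress.ip_network(site_block):
        return "drop:rfc2827-own-prefix"
    for block in RFC1918_BLOCKS:
        if addr in block:
            return "drop:rfc1918-private"
    return "permit"


def urpf_strict(src: str, arrival_iface: str, routes=ROUTES) -> str:
    """Strict Unicast RPF: permit only if the best route back to src uses arrival_iface.

    This is the answer's 'should this source reasonably arrive on this interface'
    check; it is driven by the routing table rather than by fixed address lists.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:  # longest-prefix match
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return "drop:urpf-no-route"
    return "permit" if best[1] == arrival_iface else "drop:urpf-wrong-interface"


def filter_inbound(packets: List[Tuple[str, str]], site_block: str) -> List[Tuple[str, str]]:
    """Apply classify_inbound to (src, dst) pairs; returns (src, verdict) pairs."""
    return [(src, classify_inbound(src, site_block)) for src, _dst in packets]


# Constructed sample traffic arriving on the outside interface; the site owns 203.0.113.0/24.
SITE_BLOCK = "203.0.113.0/24"
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),  # ordinary Internet source -> permit
    ("203.0.113.44", "203.0.113.10"),  # claims to be inside our own block -> RFC 2827 drop
    ("10.1.2.3", "203.0.113.10"),      # private source from outside -> RFC 1918 drop
    ("172.31.255.1", "203.0.113.10"),  # last address of 172.16/12 -> RFC 1918 drop
    ("172.32.0.1", "203.0.113.10"),    # just past 172.16/12 -> permit
]

if __name__ == "__main__":
    for src, verdict in filter_inbound(SAMPLE_PACKETS, SITE_BLOCK):
        print(f"{src:15} acl={verdict:25} urpf={urpf_strict(src, 'outside')}")
```

Running the block shows the two mechanisms agreeing on the spoofed 203.0.113.44 packet for different reasons: the RFC 2827 list rejects it because it matches the site's prefix, while uRPF rejects it because the route back to that source points at the inside interface, not the one the packet came in on.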

Question 5

Which of these techniques best mitigates the threat posed by packet sniffers?

  • A. NIDS

  • B. A switched network

  • C. Strong password policy

  • D. Restrictive trust model

A5:

Answer B is correct. A packet sniffer monitors all traffic on the wire by placing its host's NIC into promiscuous mode. A switched network typically connects only one host (at most, a few) per port, so the traffic that can be sniffed is extremely limited (compared to the traffic available on a network connected via hubs, where multiple hosts always share the same wire). NIDS (answer A) monitors the stream of packets passing by for characteristics associated with known attacks; sniffing is a passive activity and generates no packets to be examined until the result is downloaded. A strong password policy can make cracking the password recovered by a sniffer more difficult, but it does nothing to reduce the occurrence of sniffing. A restrictive trust model reduces the degree of trust that systems automatically extend to traffic from other systems; again, sniffing is a passive activity, not sending any traffic on its own (merely creating a file to be retrieved later).

Question 6

What techniques can be used to counter DoS attacks? (Choose two.)

  • A. UDP initialization controls

  • B. TCP setup controls

  • C. RFC 2827 and RFC 1918 filtering at ingress

  • D. HIDS on the public-facing servers

  • E. Rate limiting at your ISP

A6:

Answers B and E are correct. Many DoS attacks choke a limited resource such as TCP connection buffers by creating half-open sessions and leaving them waiting for the ACK to complete the three-step handshake. TCP setup control limits the number of half-open sessions allowed through the router. As a result, many of the DoS packets are dropped (unfortunately, so are some legitimate incoming sessions, but the router does not crash under the load, so those sessions might be able to connect on retries). Rate limiting of certain traffic types by your upstream (the ISP in the small business network) will throttle those types and leave bandwidth open for legitimate traffic. UDP traffic has no initialization sequence to use to crash the router, so, of course, that cannot be controlled (eliminating answer A). RFC 2827 and RFC 1918 filtering drop traffic from the outside that should not be entering, based on source IP address. Although those addresses can be used in a DoS attack, they are not a part of the DoS attack itself and might not even be present. That rules out answer C. HIDS on the public-facing servers (answer D) will protect the servers from packets matching a known attack signature, but a DoS attack on the server might simply consist of repeated valid packets, such as pings, which would not be dropped. A HIDS is better at protecting from malware or other attacks that seek to capitalize on vulnerabilities in the system (OS or application). It needs the system to stay in service to be effective. DoS is about disrupting that service.
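The half-open session control in A6, including the side effect the answer mentions (a legitimate SYN dropped during the flood, then accepted on retry once the embryonic sessions age out), can be modelled directly. This is an added example written for this page, not the book's material or any router vendor's implementation; the limit, timeout and connection trace are constructed values.

```python
"""Half-open (embryonic) TCP session limiter, modelling the 'TCP setup controls' of A6.

Added example (not from the book). A router tracks SYNs it has forwarded that
have not yet completed the handshake; once the count reaches a ceiling, new SYNs
are dropped until entries either complete or time out. The trace is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (kind, src, dst) where kind is "SYN" or "ACK"


@dataclass
class HalfOpenLimiter:
    max_half_open: int            # ceiling on embryonic sessions held by the router
    timeout: float                # seconds before an uncompleted session is discarded
    pending: Dict[Tuple[str, str], float] = field(default_factory=dict)
    dropped: int = 0
    completed: int = 0

    def _reap(self, now: float) -> int:
        """Discard half-open entries older than the timeout; return how many were reaped."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def handle(self, event: Event, now: float) -> str:
        """Decide what the router does with one SYN or final-ACK segment."""
        kind, src, dst = event
        self._reap(now)
        key = (src, dst)
        if kind == "SYN":
            if key in self.pending:
                return "retransmit"          # same client retrying; no new state
            if len(self.pending) >= self.max_half_open:
                self.dropped += 1
                return "drop"                # ceiling reached: protect the buffers
            self.pending[key] = now
            return "forward"
        if kind == "ACK":
            if key in self.pending:
                del self.pending[key]
                self.completed += 1
                return "established"         # handshake done; state released
            return "no-session"
        raise ValueError(f"unknown segment kind {kind!r}")


def run_trace(events: List[Tuple[float, Event]], max_half_open: int = 3,
              timeout: float = 5.0) -> Tuple[List[str], HalfOpenLimiter]:
    """Replay (time, event) pairs through a fresh limiter; return verdicts and final state."""
    lim = HalfOpenLimiter(max_half_open, timeout)
    verdicts = [lim.handle(ev, t) for t, ev in events]
    return verdicts, lim


# Constructed trace: three sources open sessions and never complete them, a legitimate
# client is refused while the ceiling is reached, then succeeds after the stale
# entries time out.  Addresses are sample values.
SERVER = "203.0.113.10"
SAMPLE_TRACE: List[Tuple[float, Event]] = [
    (0.0, ("SYN", "198.51.100.1", SERVER)),
    (0.1, ("SYN", "198.51.100.2", SERVER)),
    (0.2, ("SYN", "198.51.100.3", SERVER)),
    (0.3, ("SYN", "192.0.2.50", SERVER)),    # legitimate client, refused at the ceiling
    (0.4, ("SYN", "198.51.100.4", SERVER)),  # also refused
    (6.0, ("SYN", "192.0.2.50", SERVER)),    # retry after the 5 s timeout has reaped the rest
    (6.2, ("ACK", "192.0.2.50", SERVER)),    # handshake completes
]

if __name__ == "__main__":
    verdicts, lim = run_trace(SAMPLE_TRACE)
    for (t, (kind, src, _)), v in zip(SAMPLE_TRACE, verdicts):
        print(f"t={t:4.1f} {kind} {src:13} -> {v}")
    print(f"dropped={lim.dropped} completed={lim.completed} pending={len(lim.pending)}")
```

The constructed trace reproduces the answer's point: the router stays within its ceiling, two SYNs (one of them legitimate) are refused during the burst, and the legitimate client connects on its retry once the timeout has cleared the abandoned sessions.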

Question 7

Which of these is a design alternative for the small business network's edge?

  • A. Layer 3 switch to better handle traffic volume at speed.

  • B. VPN concentrator to offload tunnel termination for a branch.

  • C. NIDS on the switch distributing traffic to the servers.

  • D. VPN concentrator to offload tunnel termination for the standalone business.

  • E. None of these is correct.

A7:

Answer D is correct. Although the small network's Corporate Internet module starts with the option to use either a router with integrated firewall or a dedicated firewall for traffic control, either device might be incapable of handling many tunnel terminations. A small network that is a branch of a larger operation might have a site-to-site (LAN-to-LAN) tunnel back to headquarters, but that is only one tunnel, and there would be no need for a concentrator locally (eliminating answer B). However, if the small network is a standalone organization and needs to connect with several parties over tunnels, it might be worthwhile to set up a VPN concentrator to offload that encryption/decryption load from the router/firewall. There is no need for a Layer 3 switch in the small business network because the traffic volume most likely will not reach the level at which the optimized processing by ASICs is needed (eliminating answer A). A NIDS on the switch distributing traffic within the edge (answer C) will never see traffic until it comes out of the tunnel, so it cannot help with the tunnel operation.

Question 8

Which of these is not a threat to the small network Campus module? (Select two.)

  • A. Password attacks

  • B. Trust exploitation

  • C. Network reconnaissance

  • D. Port redirection

A8:

Answers A and C are correct. The threats to the small business network's Campus module include the following:

  • Packet sniffers

  • Trust exploitation

  • Unauthorized access

  • Port redirection

  • Application-layer attacks

  • Virus and trojan horse attacks

The threat to the edge (Corporate Internet module) includes all of these, plus password attacks (answer A), DoS, IP spoofing, and network reconnaissance (answer C). Be careful which module you are listing threats to.

Question 9

Which of the following mitigates port redirection on the corporate servers?

  • A. HIDS, to prevent malware installation.

  • B. Restrictive trust model, to prevent servers from trusting each other automatically.

  • C. Filtering malware packets at the firewall on ingress.

  • D. All of these are correct.

A9:

Answer A is correct. Port redirection occurs when a malicious software application redirects packets intended for port X to port Y on the same system. Because different ports are used for different applications, this can redirect certain packets from an innocuous protocol allowed through the firewall (TCP 80, for instance) to a port used for a purpose that you would not allow (TCP 21 for FTP, for instance). Port redirection is a means of getting packets past the firewall and then using them for subversive purposes. Because the packets arrive over a port that you are leaving open on purpose, filtering at the firewall will not stop them (answer C). The restrictive trust model will help if one server attempts to initiate a process on another server, but it will not help if the subversion occurs inside a given server (eliminating answer B). HIDS's entire function is to inspect packets for malicious content and then act as instructed if such content is found. HIDS can prevent the malware's installation, greatly reducing the opportunity for port redirection to take place.

Question 10

Which of these mitigates packet sniffing in the small business campus?

  • A. Restrictive trust model.

  • B. RFC 2827 and RFC 1918 filtering at ingress.

  • C. NIDS.

  • D. None of these is correct.

A10:

Answer D is correct. Packet sniffing is mitigated by use of a switched network to limit the scope of packets that can be sniffed, and HIDS, to detect the attempt to place a sniffer on a host. NIDS (answer C) inspects all traffic through a switch but typically is set to alarm without dropping; dropping is left to HIDS, which is configured more aggressively. Thus, HIDS mitigates packet sniffing while NIDS does not. Filtering at ingress according to RFC 2827 and RFC 1918 (answer B) drops mis-sourced packets but does nothing to mitigate sniffing. A restrictive trust model (answer A) affects a host accepting a connection from another host, but packet sniffing is entirely passive: It simply copies packets that appear on the wire destined for anyone.

Question 11

What is a design alternative in the Campus module of the small business network? (Choose two.)

  • A. Add a Layer 3 switch

  • B. Add a small router

  • C. Add a firewall

  • D. Add a NIDS on the Layer 2 switch

A11:

Answers B and C are correct. There is really one design alternative to the Campus module of the small business network: to add a Layer 3 device to filter traffic. This could be a Layer 3 switch (answer A), although that size device is overkill for a network of this size and traffic load. A much better choice would be a small router or small firewall, which could filter the traffic at Layer 3 much more inexpensively than a Layer 3 switch. Remember, the SAFE Blueprint is practical as well as technical. A NIDS (answer D), like the Layer 3 switch, is overkill for the traffic flow on this network.




CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
