Chapter 16. Answers to Practice Exam 2

1. B, C

2. A, D

3. A

4. A

5. D

6. B

7. B

8. D

9. B, D

10. A

11. B, D

12. A

13. D

14. C

15. C

16. F

17. C

18. C

19. F

20. A

21. A, D

22. D

23. A, C

24. B

25. D

26. B, C

27. D

28. A, C

29. B

30. B

31. C, D

32. D

33. D

34. C

35. A

36. B, C

37. B, C

38. B

39. B

40. C

41. A

42. B, D

43. A

44. A

45. A, E

46. B

47. D

48. C

49. A, C

50. C

51. B, C

52. C

53. A

54. C

55. A

56. A

57. E

58. A, C

59. B

60. A

Question 1

Answers B and C are correct. In global configuration mode, the command to disable CDP is no cdp run. In interface configuration mode, the command is no cdp enable. It might help to think of disabling CDP on the entire router or switch as a matter of not allowing the process to run, while interfaces typically use enable to add capabilities.

Question 2

Answers A and D are correct. IKE establishes the parameters of the secured connection: how the key will be derived (the Diffie-Hellman Group), the encryption algorithm (DES, 3DES, AES, and bit size), the integrity check method (MD5 or SHA-1), and how long the connection will last (the SA lifetime). There is not an "encryption window," in the sense parallel to a TCP window. Certificates are managed by the Certificate Authority (CA), a server somewhere on the network.

Question 3

Answer A is correct. A NIDS blade can be added to a Layer 3 switch; the blade is actually called the Cisco Secure Intrusion Detection System Module (IDSM). The VPN accelerator card (VAC) is an optional component for the PIX firewall.

Question 4

Answer A is correct. Unicast Reverse Path Forwarding (URPF) is the security precaution against IP spoofing that tests for reasonableness in the source IP address on a packet: Could a packet with this source address have reasonably arrived on this interface? If the router has a route to that address (even as a summarized block) via that interface, the packet is accepted. If not, it is dropped. A hacker might know that Company A and Company B exchange traffic. When attempting to insert traffic into Company A with a spoofed Company B source address, the hacker might insert the traffic over a link that is not used for that traffic; URPF would detect that and drop the traffic, preventing the attack. To use URPF, the router must use Cisco Express Forwarding (CEF) because the reverse-lookup function uses the Forwarding Information Base (FIB) created by CEF. If you want to see the traffic anyway, you must use an ACL in conjunction with URPF.

Question 5

Answer D is correct. You must give the policy a priority (13, in this case) and provide any parameters that deviate from the defaults. You can repeat the defaults, if you like, but they are assumed if you make no entries concerning those parameters. The default DH Group is Group 1 (768-bit key, rather than Group 2, 1024-bit key), and the default hash algorithm is SHA-1.

Question 6

Answer B is correct. The four parts of the security wheel are Secure, Monitor, Test, and Improve. Mitigation of threats is what you do in the Secure phase.

Question 7

Answer B is correct. Port redirection occurs when software directs traffic properly addressed to one port (such as port 80) to be processed by another port (such as 23) on a given host. The packet is not rewritten; it is simply sent to an alternate process (Telnet instead of Web, in this case). This is a means to slip malware into a system that must listen on certain ports (such as Web or mail servers, on ports 80 and 25/110, respectively). Traffic arrives on an acceptable port but is then diverted to a process whose port is nominally closed. It is akin to sneaking in a window when the door is locked.

Question 8

Answer D is correct. A stratum 0 source is the most fundamental time reference available, such as an atomic clock. It actually does not "listen" as a server listens for others to connect; it simply provides the true time (as closely as it can obtain it). Servers that take their time reference directly from a stratum 0 source are known as stratum 1 sources. Most publicly available time references are stratum 2, one step further removed. Many large network providers have stratum 1 servers, which they then connect to stratum 2 servers to provide their network's time reference, and then on to stratum 3 servers that are made publicly accessible.

Question 9

Answers B and D are correct. The VPN hardware client acts as the interface between a branch and its headend. It is capable of acting as a local DHCP server and providing NAT (including PAT) services. The scope configuration behind the client should avoid overlapping with the scope assigned to any other branch, if possible; if the organization's address space does not extend far enough, PAT can provide overload capabilities to economize on the public address space used by a given branch. The hardware VPN client does not include a stateful firewall, which makes sense if you assume that it is intended for IPSec tunnel termination. Nontunnel traffic, if received, should be silently discarded, and tunnel traffic is implicitly trusted. If split tunneling is allowed or a separate Internet connection is available to the branch, a firewall should protect that ingress. Finally, DNS and WINS servers are typically at the headend and are accessed from the branch for name resolution, as required.

Question 10

Answer A is correct. The Cisco Security Agent is a host intrusion-protection system, a somewhat advanced form of HIDS. As such, it should be placed on those hosts (primarily servers, but possibly including sensitive workstations) whose integrity cannot be compromised. Routers, switches, and firewalls can incorporate a NIDS, such as the Cisco Secure Intrusion Detection Sensor.

Question 11

Answers B and D are correct. The design alternatives for the medium network's Corporate Internet module include these:

  • Adding a stateful firewall to the perimeter (edge) router

  • Placing a NIDS appliance in front of the ingress firewall

  • Adding a content inspection device (or server) to filter URLs and content

  • Eliminating the router between this module's firewall and the Campus module

Note that the router nominated for elimination is inside the firewall, not outside it, as the perimeter router is. A firewall, router, or switch can have NIDS as part of its software package; HIDS is installed on servers and (possibly) workstations.

Question 12

Answer A is correct. One of the capabilities offered by the 3000-series VPN concentrators is the capability to allow tunnels to exchange data, thus enabling two branches (spokes) to connect to each other. It is an indirect connection via the concentrator, rather than enabling the two branches to directly connect. (Think about a direct connection: They would have a tunnel with each other as endpoints, and the concentrator would not be involved.) Tunnels terminating on a PIX or a router must go elsewhere, depending on the routing information established for that device. Split tunneling is not limited to tunnels whose headend is provided by a concentrator: The PIX and router can both support it. The key is that the client end requires the Cisco hardware or software VPN clients because (if enabled by policy from the headend) the client elects whether to encrypt the traffic (place it in the tunnel).

Question 13

Answer D is correct. Port redirection is the internal rerouting of apparently legitimate traffic (from one process based on an ingress port to another process based on a different port). A NIDS sees traffic that conforms in all apparent characteristics to traffic that is acceptable for that destination. AAA controls user account access and activities, but port redirection is a process emplaced (somehow) that is redirecting accepted traffic within the server. Because the traffic stays within the server, private VLANs are no help, either. HIDS can intercept the redirected activity and (even better) prevent the emplacement of a port redirector in the first place.

Question 14

Answer C is correct. Remember that unauthorized access includes access by devices as well as users. If a host on the network attempts to access the server, HIDS will detect and intercept that request (if it matches one of the attack definitions present). Access controls prevent unauthorized users from accessing a protected device. Trust exploitation occurs when authorized access is abused; the access, being legitimate, must be allowed to occur. Viruses and trojans are malicious software packages for which specific antivirus software has been developed. Packet sniffers are a passive activity, simply listening to and copying the information carried on the network wire attached to the NIC of its host.

Question 15

Answer C is correct. Remember that insiders have the advantage of starting an attack (even reconnaissance) from a trusted host and account within the network. If they spoof their source address, traffic could appear at a Layer 3 device destined for a network segment but with a source address from within that segment (perhaps attempting to exploit a trust relationship via the outer packaging of the malicious packet). Spoofing is a threat, regardless of where the packet really originated (inside or outside the edge). There is no reason for traffic originating from a particular interface's segment to enter the router or Layer 3 switch or firewall from any other interface. And if the traffic is from the same segment, ARP should enable it to go directly to the destination host, unless private VLANs are in use. Even in that case, the traffic should not enter from another direction. RFC 2827 filtering prevents such spoofed traffic from going any further. A switched architecture does not help in this case because this is a Layer 3 problem (IP addresses). IP protocol filtering is a generic term; various protocols might or might not be acceptable, but the problem lies not in the protocol, but in the false source address (not port or protocol number). AAA protects by means of user or host validation, and, in the case of the latter, a spoofed IP address could be the key that unlocks the door. Thus, AAA is not a help. ("If Fred has an account, I can be Fred long enough to get in, and then get what I want.")

Question 16

Answer F is correct. Both the router with a firewall and the firewall appliance offer full perimeter protection and tunnel termination for the remote user (whether one person or several in a small branch). The protection includes stateful filtering, basic Layer 7 filtering, mitigation of DoS (through TCP intercept, for instance), authentication of the remote site to the headend, and termination of the tunnel itself (encryption/decryption). A VPN client, either hardware or software, can provide the last two, but the rest of the feature list requires more extensive software than that included in a client.

Question 17

Answer C is correct. All of the SAFE Blueprints assume that there is already a security policy in place (and being enforced). Without that, you do not know what needs to be protected against what threats; remember, it is reasonable to choose to bear the risk of some threats when the cost of protecting against them exceeds the value of what is to be protected (such as not buying a $50 lock to protect a $20 tool set). The security policy also defines various usage policies that impact security design and the portion concerning incident response. In short, the security policy is the guiding document, while the secured network design lays out how to implement that guidance. As an analogy, would you develop a floor plan (how many bedrooms, baths, kitchen plan, and so on) before, at the same time as, or after drawing the blueprints for a house?

Question 18

Answer C is correct. The axioms of the SAFE SMR Blueprint (or SMR SAFE, for short) are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Applications are targets.

  • Networks are targets.

  • Secure management and reporting.

The other answers offered to this question are all reasonable statements, but they are not one of the axioms.

Question 19

Answer F is correct. The only difference between the two is in how they perform these functions: A firewall appliance typically performs many tasks in hardware (on preprogrammed ASICs) that a router does in software (in its general processing). That leads to a difference in speed, with hardware being faster. The key difference in which to choose for a remote user probably lies in how much traffic needs to be encrypted (tunneled to the headend) versus how much is ordinary Internet traffic, perhaps using other protocols. Encryption/decryption is computationally intensive, and the hardware offloading will make a difference in performance if that is a large portion of the traffic transiting the device. Routers can provide QoS and multiprotocol support.

Question 20

Answer A is correct. The small network campus is, by definition, not a large network. With relatively few hosts, there is simply not enough traffic to justify a Layer 3 switch. However, if more control over traffic is desired, especially over traffic to and from the management stations, it is a reasonable precaution to add a small router or firewall between them and the rest of the network to filter the traffic.

Question 21

Answers A and D are correct. A software client must be manually updated by a user with administrator rights. The update notice provides an address from which the administrator can download the update and then install it. The hardware client, however, is intended to be remotely manageable; therefore, its update process includes a TFTP push of the update, after which the client reboots to load the new software.

Question 22

Answer D is correct. Port redirection occurs when apparently legitimate traffic for a given port on a host is redirected on arrival to another port, which sends it to a different process. The traffic must be permitted because there is no superficial difference by which to reject it; even Layer 3 filtering will not catch this, and a switched architecture does not help because it will not cause any examination deeper than the IP header. Strong AAA will protect the host against unauthorized users, but this problem stems from a software package that has been surreptitiously installed. Because it is already operating on the host, AAA is not involved (no one, user or device, is attempting to access the host). Antivirus software protects against viruses and some trojans; however, those are software packages with a different set of characteristics than a port redirector, so antivirus software doesn't help (at least, not yet), either. Only a HIDS can prevent the port redirector from being installed, although locking down the OS and applications present will also help. (If the port redirector diverts some traffic from port 80 to port 23 and the Telnet daemon is not running, there is no process to receive and do something with the malicious traffic.)

Question 23

Answers A and C are correct. This is a case of careful reading (or careful typing, if you experience it as a simulation). The NAT ID for the nat (inside) command (in this case, either 1 or 3) must match the Global ID in the global (outside) command (in this case, 1 or 2). Because they must match, the correct commands are those with ID 1, or answers A and C.

Question 24

Answer B is correct. You are tasked to permit all IP traffic: Only answers B and C permit IP (not IPX or only TCP). However, the syntax of the access list in answer C is incorrect; the slash notation for network mask lengths is not allowed. Warning: Whether you read this in a prepared question or have to enter it in a simulation, remember that PIX network masks in an access list look like all other network masks, but router access lists use wildcard masks (which are inverted network masks: a /24 network mask is 255.255.255.0, but its wildcard mask is 0.0.0.255, where the ones (or "aces," if you prefer) are wildcards and the zeroes must match).
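The mask conversion in the warning above, as an added Python example that is not part of the exam text: it derives a router wildcard mask from a PIX-style network mask, applies wildcard matching semantics, and goes one step beyond the /24 case to show a non-contiguous wildcard that no prefix length can express. The ACL names acl_out and 101 and all addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ip_address(dotted))


def _to_dotted(value):
    """32-bit integer -> dotted-quad string (masked so bitwise NOT results stay in range)."""
    return str(ip_address(value & 0xFFFFFFFF))


def prefix_to_netmask(prefixlen):
    """/24 -> 255.255.255.0, the mask form a PIX access list expects."""
    return _to_dotted(((1 << prefixlen) - 1) << (32 - prefixlen))


def netmask_to_wildcard(netmask):
    """Invert a network mask for a router access list: 255.255.255.0 -> 0.0.0.255."""
    return _to_dotted(~_to_int(netmask))


def wildcard_match(addr, base, wildcard):
    """Router ACL semantics: 0 bits of the wildcard must match the base, 1 bits are 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def acl_lines(cidr):
    """Equivalent 'permit ip <net> any' lines in PIX (network mask) and router (wildcard mask) form.
    acl_out and 101 are constructed names, not values from the exam."""
    net = ip_network(cidr)
    pix = f"access-list acl_out permit ip {net.network_address} {net.netmask} any"
    ios = f"access-list 101 permit ip {net.network_address} {netmask_to_wildcard(str(net.netmask))} any"
    return pix, ios


def demo():
    """Worked cases: the /24 from the text and a non-contiguous wildcard (even third octets only)."""
    return {
        "netmask /24": prefix_to_netmask(24),
        "wildcard /24": netmask_to_wildcard(prefix_to_netmask(24)),
        "192.168.1.77 in 192.168.1.0 0.0.0.255": wildcard_match("192.168.1.77", "192.168.1.0", "0.0.0.255"),
        "192.168.2.77 in 192.168.1.0 0.0.0.255": wildcard_match("192.168.2.77", "192.168.1.0", "0.0.0.255"),
        # 0.0.254.255 leaves only bit 0 of the third octet as 'must match' (and it must be 0):
        "192.168.4.9 in 192.168.0.0 0.0.254.255": wildcard_match("192.168.4.9", "192.168.0.0", "0.0.254.255"),
        "192.168.5.9 in 192.168.0.0 0.0.254.255": wildcard_match("192.168.5.9", "192.168.0.0", "0.0.254.255"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
    for line in acl_lines("192.168.1.0/24"):
        print(line)
```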

Question 25

Answer D is correct. The design alternatives for the medium network Campus module include the following:

  • On a smaller network, roll all the switching into the core Layer 3 switch, eliminating the building switches

  • If the traffic level is not too high, eliminate the (expensive) Layer 3 switch and use a Layer 2 switch, with a router for network segmentation and filtering

  • If there is a large volume of traffic to be inspected, the NIDS appliance can be replaced by a NIDS module on the Layer 3 switch (which then has the backplane throughput rather than one port's throughput to process).

Question 26

Answers B and C are correct. A router's Diffie-Hellman Group identifiers can be DH Group 1 (768-bit) or DH Group 2 (1024-bit). A PIX can also use Group 1 or Group 2. The VPN-specific products from Cisco, however, have more options. The VPN concentrator and both VPN clients can support DH Group 5 (1536-bit), and the concentrator can also support Group 7 (for interoperation with the movianVPN Client, or others using elliptic curve cryptography). Group 3 is an earlier elliptic curve implementation, elliptic curve over GF[2^155] (GF is the Galois Field[2^n]). Cisco does not implement Group 3. DH Group 9 is not used. Larger groups will be coming with the advent of the Advanced Encryption Standard (AES), which uses larger keys (see RFC 3526 for the new groups and RFC 2409 for the existing groups).

Question 27

Answer D is correct. HIDS protects against unauthorized or inappropriate software running on its host. It does this by monitoring the various processes that are running (or attempting to run) and what they try to do. It thus protects against applications behaving badly: application-layer attacks. Trust exploitation occurs when the trust relationship between two devices is abused; this is mitigated by a restrictive trust model and private VLANs to limit trust-based attacks (force the traffic through Layer 3 filtering). IP spoofing depends on bogus source addresses (which can lead to trust exploitation), but HIDS monitors processes, not packet sources. Unauthorized access is an attempt by a user or a host to enter the Corporate Internet module (these questions are specific to a module, remember). When packet sniffers are in place, they simply monitor traffic and report home when required. Except when there is an attempt to place them on the particular host, a HIDS is unaware of them. At that point, of course, they are an application to be protected against.

Question 28

Answers A and C are correct. To encrypt packets, you have a choice of DES (56-bit) or 3DES (168-bit) as the encryption algorithm. To authenticate the packets, you have a choice of SHA-1 or MD5 as the hash algorithm. AH does authenticate more of the header than ESP, but using esp-sha-hmac or esp-md5-hmac authenticates most of the header, and this is sufficient in many cases. The DH Group is used during IKE to create the symmetric key to be used for the IPSec tunnel. IKE is a related but separate process from IPSec encryption and authentication.

Question 29

Answer B is correct. Man-in-the-middle attacks depend on the interposed party successfully pretending to be the other end of the conversation to each of the primary participants. If the traffic is encrypted, the interloper cannot know the content and thus cannot interfere creatively (by listening in or by changing information asymmetrically between the parties). Remember that the man-in-the-middle attack occurs in the part of the traffic path outside your control. Filtering eliminates packets only from being passed inside the network; it has no effect on what happens outside the local network.

Question 30

Answer B is correct. The software VPN client is limited in function to handling the remote end of a tunnel: It authenticates its end to the headend and encrypts and decrypts the remote user's traffic entering or exiting the tunnel. It cannot filter or otherwise limit the traffic.

Question 31

Answers C and D are correct. Internal threats are persons who have legitimate access to the network: They have an account, and they are generally trusted until they prove themselves undeserving (sometimes it takes lots of proof, unfortunately). Simply by being legitimate users, they can learn hostnames and IP addresses of significant resources. They thus possess two advantages that an external threat must develop: a trusted account and knowledge (to some degree) of the network. There is no evidence that moral scruples change in either direction based on access, so you cannot assume anything about their inhibitions either way. External threats are, in fact, more numerous than internal threats; even the largest organization is dwarfed in size by the number of potential threats who can access the Internet.

Question 32

Answer D is correct. SNMP communities can be read-only (ro) or read-write (rw). A read-only community allows devices to report to a management host on their condition, but the management host cannot modify their operation via SNMP (nor can anyone else). A read-write community, however, does enable the modification of the operating configuration via SNMP. Although such active management was the purpose of SNMP when it was designed, even in version 3 (the latest and most secure), it is not strongly protected. Cisco recommends using ro communities if you use SNMP. Of the other choices, rwx is the standard permission structure in Unix and Unix-like OSs, and there is no rwo in this computer-system context.

Question 33

Answer D is correct. Although the other three choices are reasonable (we do prefer network and security management to be OOB with regard to production traffic, though), they are not among the design objectives of the SMR SAFE Blueprint:

  • Security and attack mitigation based on policy

  • Security implementation through the infrastructure (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Question 34

Answer C is correct. The smallest concentrators, the 3005 and the 3015, can support up to 100 users; at the high end, the 3080 can support up to 10,000. The range of maximum LAN-to-LAN sessions is 100 to 1,000, and encryption throughput ranges from 4Mbps to 100Mbps.

Question 35

Answer A is correct. The axioms of the SAFE SMR Blueprint (or SMR SAFE, for short) are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Applications are targets.

  • Networks are targets.

  • Secure management and reporting.

The other answers offered to this question might be reasonable statements, but they are not among the axioms.

Question 36

Answers B and C are correct. Because a NIDS is monitoring traffic destined for multiple (possibly many) hosts, it is best configured to send an alarm that will alert management to the possible presence of a network threat. HIDS, on the other hand, is protecting only one host. That host likely has a limited set of mission-critical functions. The stakes are higher on the host, and the possibility of a false positive is lower due to the more limited range of allowed functions. Thus, the HIDS should be configured to alarm and drop offending traffic. Some recommend sending a TCP reset, although others argue that the existence of the reset might encourage a hacker or provide information regarding the protective stance on this device. In addition, if the attack is in the form of UDP, no reset is possible. Likewise, if the source address is spoofed, the reset adds to network traffic without actually contributing anything useful.

Question 37

Answers B and C are correct. When a WAN link is used to connect the branch to its headend, all management traffic can flow over the link because it is a private circuit. And because it is a private circuit, a VPN is not required. The Corporate Internet module does go away because the WAN module provides connectivity, and the public-facing servers (which require the protection of firewalling and private VLANs, and so on) and VPN termini are all at the headend. The only reason to have a Corporate Internet module would be to provide Internet access directly from the branch rather than via the WAN link and then the headend's access. If an IPSec tunnel is used, the tunnel terminus is inside the perimeter, so the perimeter router (which is outside the tunnel) must be managed via an alternate connection, such as SSH. All other management traffic can flow over the tunnel.

Question 38

Answer B is correct. A switched infrastructure limits how much traffic a packet sniffer can capture. It cannot help with unauthorized access: That must be controlled via AAA. Likewise, trust exploitation results from an abuse of an authorized connection; the switched architecture must allow that traffic through because it cannot inspect beyond the Layer 2 header. Network reconnaissance typically uses Layer 3 and above information to learn topology and assets; a switched architecture, operating at Layer 2, remains ignorant of information further inside packets. Viruses and trojans are a form of application-layer attack and thus also cannot be mitigated at Layer 2.

Question 39

Answer B is correct. Although the other three choices are reasonable principles to adopt, they are not among the design objectives of the SMR SAFE Blueprint:

  • Security and attack mitigation based on policy

  • Security implementation through the infrastructure (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Note that "Secure management and reporting" is both a design fundamental and an axiom.

Question 40

Answer C is correct. In the medium Corporate Internet module, DoS enters at the ingress router. TCP setup controls there limit the number of open and half-open connections allowed at any one time; unfortunately, you can do little to limit other DoS attacks. However, your upstream might be willing to apply Committed Access Rate (CAR) filtering outbound on your link. This is more likely if you can specifically describe the offending traffic (a ping flood or an overload of traffic attacking a particular port). A switched architecture will not result in any of the traffic being limited, nor will strong AAA do more than deny many attempts to access the device under attack. A NIDS is normally configured to alarm only because it monitors traffic destined for multiple hosts. Although the NIDS can be reconfigured to drop the traffic, it is likely that the NIDS itself will be overloaded by the DoS traffic. The best choice is to prevent the traffic from ever getting into the network.

Question 41

Answer A is correct. Private VLANs limit how much members of a VLAN exchange traffic without it being forced to Layer 3 for inspection and filtering. They thus offer protection from an exploitation of a trust relationship between two hosts. Viruses and trojans are malicious applications operating on one host (and probably spreading to other hosts); private VLANs offer no help in preventing those applications from running or sending forth their malicious traffic. Unauthorized access, too, is a local host problem that limiting the host-to-host conversation does not mitigate. Packet sniffers are limited by a switched network architecture to copying what is on a (limited) wire; the traffic for the host still has to traverse that wire and so will still be captured if a sniffer is present in the proper location. Network reconnaissance is a discovery process, learning topology, naming, and addressing data; a private VLAN has no more effect here than a switched architecture does (which is essentially no effect; the traffic must be filtered at Layer 3 and above).

Question 42

Answers B and D are correct. In the medium Campus module, the cost of failing to prevent unauthorized access can be extremely high because the information stored here (as opposed to that available to the public in the Corporate Internet module) includes the most valuable data the organization possesses. As a result, strong AAA must be used and the HIDS configuration should be extremely aggressive. Together, they can limit the danger from unauthorized people and unauthorized hosts accessing the data. A switched architecture simply optimizes bandwidth by limiting how many hosts share a given wire (and thus protects against packet sniffers). NIDS protects an entire network segment but must allow a larger variety of traffic to pass due to the variety of legitimate activities behind it. Protocol filtering can help against traffic-exploiting services that should not be operating (such as Telnet or FTP), but you might need to allow legitimate users to employ those protocols. Limit who can employ them via AAA, and that part of the problem should be resolved.

Question 43

Answer A is correct. This is one that you have to remember carefully. The default SA lifetimes are as follows:

  • IKE SA on the router: 86,400 seconds (1 day)

  • IPSec SA on the router: 3,600 seconds (1 hour)

  • IPSec SA on the PIX: 28,800 seconds (8 hours)

Question 44

Answer A is correct. The axioms of the SAFE SMR Blueprint (or SMR SAFE, for short) are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Applications are targets.

  • Networks are targets.

  • Secure management and reporting.

The other answers offered to this question might be reasonable statements, but they are not among the axioms.

Question 45

Answers A and E are correct. SLAs are contractual agreements between ISPs and their customers regarding how much traffic will be carried, with what qualitative measures (drops, latency, and so on), and the penalties for nonperformance by either side. They are not an asset as much as a mutual contractual obligation. Customer premises equipment (CPE) does not belong to the organization, but rather to the service provider, which also maintains its configuration. The organization thus must accept its configuration as a given. PDAs, cell phones, and IP phones, however, are all operable within the network and are likely to be within the organization's control, if not always ownership. They are thus much better answers to the question.

Question 46

Answer B is correct. Misconfigured network-management software might become a threat, but it is not normally considered a threat. Packet sniffers, keystroke loggers (also known as key loggers), and trojans are definite threats to discover network secrets and abuse network resources.

Question 47

Answer D is correct. Even when operating as a branch, a small network might have local servers, especially DHCP, mail, and file servers. Management servers, however, are almost always located at the headend, where greater expertise in their use (as well as centralized control) is normally available. There is no particular reason to require fixed IP addresses; in fact, most small networks use DHCP just like their bigger cousins.

Question 48

Answer C is correct. This is another example of careful reading/input. The syntax is crypto ipsec, not ipsec crypto. After that, you must be careful to denote an encryption algorithm (esp-des or esp-3des, but not esp-sha) and an authentication algorithm (esp-sha-hmac or esp-md5-hmac, or ah-sha-hmac or ah-md5-hmac). An access list number is not included in this command; the use of crypto ipsec map is followed by a map_name variable, not an access list number.

Question 49

Answers A and C are correct. Unicast Reverse Path Forwarding (URPF) is the security precaution against IP spoofing that tests for reasonableness in the source IP address on a packet: Could a packet with this source address have reasonably arrived on this interface? If the router has a route to that address (even as a summarized block) via the interface on which it arrived (the ingress port), the packet is accepted. If not, it is dropped. A hacker might know that Company A and Company B exchange traffic. When attempting to insert traffic into Company A with a spoofed Company B source address, the hacker might insert the traffic over a link that is not used for that traffic; URPF would detect that and drop the traffic, preventing the attack. To use URPF, the router must use Cisco Express Forwarding (CEF) because the reverse-lookup function uses the Forwarding Information Base (FIB) created by CEF. If you want to see the traffic anyway, you must use an ACL in conjunction with URPF.
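The reverse-path check described in the answers to Questions 4 and 49 (and the RFC 2827 spoofed-internal-source case from Question 15), modelled as an added Python example that is not part of the exam text. The FIB entries, interface names and addresses are constructed; loose mode is included alongside the strict check the answers describe to show the general form of the test, and the acl_permit hook models the ACL exception the answer mentions.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB, standing in for the table CEF builds from the routing table:
# (prefix, egress interface). Longest prefix wins, as in a real forwarding lookup.
FIB = [
    (ip_network("172.16.0.0/12"), "Serial0/1"),      # partner "Company B" summarized block
    (ip_network("172.16.8.0/24"), "Serial0/2"),      # one partner subnet reached over a second link
    (ip_network("10.1.0.0/16"), "FastEthernet0/0"),  # internal LAN
]
# Serial0/0 is the Internet-facing link; nothing in this FIB points out of it.


def fib_lookup(addr):
    """Longest-prefix match on the FIB; returns the egress interface, or None on a FIB miss."""
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf(src, ingress, mode="strict", acl_permit=None):
    """Unicast RPF check on a packet's SOURCE address.

    strict: accept only if the FIB's best path back to src exits via the ingress interface
            ("could this source reasonably have arrived here?").
    loose:  accept if the FIB has any route to src at all (tolerates asymmetric paths).
    acl_permit: optional callable; a packet that fails the check but matches it is forwarded
            anyway, modelling the ACL the answer says must be paired with uRPF to see such traffic.
    Returns "accept", "accept-acl" or "drop".
    """
    addr = ip_address(src)
    egress = fib_lookup(addr)
    if mode == "strict":
        passed = egress == ingress
    elif mode == "loose":
        passed = egress is not None
    else:
        raise ValueError(f"unknown uRPF mode: {mode}")
    if passed:
        return "accept"
    if acl_permit is not None and acl_permit(addr):
        return "accept-acl"
    return "drop"


def demo():
    """Constructed packets: (source address, ingress interface) -> (strict verdict, loose verdict)."""
    cases = [
        ("172.16.5.9", "Serial0/1"),    # legitimate partner traffic on the partner link
        ("172.16.5.9", "Serial0/0"),    # partner source address arriving on the Internet link
        ("172.16.8.20", "Serial0/1"),   # covered by the /12, but the /24 points at another link
        ("10.1.2.3", "Serial0/0"),      # internal source arriving from outside (RFC 2827 case)
        ("198.51.100.7", "Serial0/0"),  # no route back at all: FIB miss
    ]
    return {(s, i): (urpf(s, i), urpf(s, i, mode="loose")) for s, i in cases}


if __name__ == "__main__":
    for (src, iface), (strict, loose) in demo().items():
        print(f"{src:>14} in {iface:<16} strict={strict:<6} loose={loose}")
```

The 172.16.8.20 case shows why "even as a summarized block" matters only when no more specific route disagrees: the /24 wins the lookup, so strict mode drops a packet that the /12 alone would have accepted.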

Question 50

Answer C is correct. The remote-user network has a very limited architecture, and the protective devices might or might not include a stateful firewall. Network reconnaissance often consists of pinging an address block to find live hosts and then trying to Telnet to particular ports to see which are open (a former ISP had me open a Telnet session to its mail server on port 25 as a means of troubleshooting my outgoing mail; and, yes, my connection was fine; they had a configuration error). Filtering by protocol mitigates this kind of search for responsive hosts, especially because hosts often respond with exactly the information an attacker needs to proceed intelligently (such as the operating software and version number, and/or the host's fully qualified domain name). Scanning a network block with nmap (in a neighborhood with unsecured wireless home networks) can be enlightening in this regard. Encryption keeps snoopers from reading the traffic, but it does not prevent them from learning that a host is there, or even its IP address, which must be in clear text in the outer header for the packet to reach any destination.

Question 51

Answers B and C are correct. IPSec protects IP unicast traffic only. Information that must be kept private but travels as something else (multicast traffic, such as routing-protocol updates) must first be encapsulated, typically in GRE, and the GRE packets are then encrypted. When a medium network is a branch, local Internet traffic can be substantial (remember, there are many more hosts in a medium network than in a small one). Unless there is a need to strictly control Internet traffic, split tunneling makes sense, both for the reduced CPU load at ingress/egress and for the reduced overhead, because the IPSec tunnel-mode headers (a new 20-byte outer IP header plus the ESP header and trailer) are not added to traffic that is not bound for the headend. The other two answers are not specific to operating as a branch rather than a headend: whenever and wherever you use IPSec, you must consider the cost and the additional overhead.
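
The transform-set syntax from Question 48 and the GRE-over-IPSec branch design from Question 51, in one added configuration example that is not from the book. A GRE tunnel carries the headend's routing-protocol multicast, IPSec protects only the GRE packets, and Internet-bound traffic follows the default route in the clear (split tunneling). The peer address, pre-shared key, interface names, routing-protocol choice and all addresses are assumed placeholders (RFC 5737 ranges).

```cisco
! Added example, not from the book. Branch router of a medium network:
! GRE carries EIGRP multicast to the headend, IPsec protects only the GRE
! packets, and Internet traffic leaves in the clear (split tunneling).
! Peer, key, interface names and all addresses are assumed placeholders.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 192.0.2.1
!
! Transform set: one ESP cipher plus one ESP (or AH) authenticator.
! "esp-sha" on its own is not a transform; the authenticator is esp-sha-hmac.
crypto ipsec transform-set GRE-SET esp-3des esp-sha-hmac
!
! This ACL selects what IPsec protects. It matches only the GRE tunnel
! (IP protocol 47) between the two peers, so anything not routed into the
! tunnel, such as local Internet traffic, is never encrypted.
access-list 120 permit gre host 198.51.100.2 host 192.0.2.1
!
! The ACL is referenced here, from the crypto map entry, not from the
! transform-set command.
crypto map TO-HEADEND 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-SET
 match address 120
!
interface Tunnel0
 description GRE to headend; EIGRP hellos (multicast) ride inside it
 ip address 10.255.0.2 255.255.255.252
 ! GRE (24 bytes) plus the IPsec headers eat into the 1500-byte path MTU.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
!
interface Serial0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 crypto map TO-HEADEND
!
! Headend prefixes (10.0.0.0/8) are learned over the tunnel; the default
! route points at the ISP, so only headend traffic takes the tunnel.
router eigrp 100
 network 10.0.0.0
 no auto-summary
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The split is made by routing, not by the crypto ACL: only the prefixes learned through Tunnel0 are routed into GRE, and only GRE matches ACL 120. 3DES, SHA-1 and Diffie-Hellman group 2 reflect the book's era; on current platforms you would choose AES and a stronger group, and the same structure applies unchanged.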

Question 52

Answer C is correct. Despite many unpleasant and annoying experiences, spam is not considered a threat type. The four threat types are as follows:

  • Reconnaissance

  • Unauthorized access

  • Denial of service (DoS)

  • Data manipulation

Question 53

Answer A is correct. A modular approach to network security has two principal advantages: First, implementation can be done in stages, securing one module at a time. This means that, second, you can think separately about the security relationship between modules. Both of these ideas follow standard engineering practice: Optimize subsets and then worry about interactions. The OSI model takes the same approach. An update to the session layer need not interfere with the activity at any other layer, as long as the standard interaction requirements are followed.

Question 54

Answer C is correct. In the small network Corporate Internet module, the only servers are public-facing, and the public must be able to access them. Therefore, you must limit the traffic that arrives at them to only that which is safe (to the best of your ability). That requires filtering on ingress (whether a router or firewall serves as the ingress device). HIDS on the DMZ servers will protect them from application layer attacks but not from unauthorized access. The small network's Corporate Internet module is not big enough to justify the presence of a NIDS.

Question 55

Answer A is correct. Although HIDS on the servers would detect the reconnaissance, of the answers available here only protocol filtering at ingress mitigates the threat. Antivirus software might prevent a virus from running, but it cannot prevent a server from being discovered. There is no NIDS in the small network Corporate Internet module. Private VLANs protect one server from another abusing a trust relationship, but they cannot stop a simple Telnet to port 25 that reads the banner and learns the mail server's software and version. Only protocol filtering prevents the reconnaissance.
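
The ingress protocol filtering that Questions 50, 54 and 55 turn on, as an added configuration example that is not from the book: an extended ACL on the small-network Corporate Internet module's edge router that admits only the services the public-facing servers actually publish and drops (with logging) every other probe, including the ping sweep that starts most reconnaissance. Addresses are assumed (RFC 5737 documentation ranges): uplink 198.51.100.0/30, public servers in 203.0.113.0/24.

```cisco
! Added example, not from the book. Ingress protocol filtering for the
! small-network Corporate Internet module when a router is the edge device.
! Addresses are assumed: uplink 198.51.100.0/30, public servers 203.0.113.0/24.
ip access-list extended FROM-INTERNET
 remark Our own public block can never be a legitimate source from outside
 deny ip 203.0.113.0 0.0.0.255 any log
 remark Published services, and nothing else, on each DMZ server
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.11 eq www
 permit tcp any host 203.0.113.11 eq 443
 permit udp any host 203.0.113.12 eq domain
 remark Replies to TCP connections opened from inside (crude without state;
 remark the IOS Firewall or a PIX would track sessions instead)
 permit tcp any any established
 remark Path MTU discovery still needs this ICMP type; echo-request is not
 remark permitted, so a ping sweep of the block finds no live hosts
 permit icmp any any packet-too-big
 deny ip any any log
!
interface Serial0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-INTERNET in
```

The filter shrinks the reconnaissance surface to the ports you must publish; it does not hide them. Anyone allowed to reach port 25 still reads the mail server's banner, which is why the answer to Question 54 pairs the filter with HIDS on the servers. show access-lists FROM-INTERNET gives per-line hit counts, and the log entries from the final deny are what you would forward to syslog. Because the ACL is stateless, replies to UDP traffic (DNS queries from inside, for instance) are not handled here; in the SAFE design that job belongs to the stateful firewall or IOS Firewall at this point.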

Question 56

Answer A is correct. Private VLANs restrict the free passage of traffic at Layer 2 between hosts that administratively belong to the same VLAN. They thus keep malware on one compromised host from reaching a neighboring host that would otherwise accept the traffic simply because of its trusted source. Antivirus software is what protects against viruses and Trojans, strong access controls protect against unauthorized access, and a switched architecture (any switched architecture, not just private VLANs) limits packet sniffing, because a sniffer sees only the traffic switched to its own port.

Question 57

Answer E is correct. Port redirection occurs due to malware operating on a given host; only HIDS can protect against that. NIDS limits nothing on a given host, and strong AAA limits user access, but this problem occurs due to malware already present (by whatever means). Protocol filtering and a switched architecture protect the network in general from reconnaissance and sniffing, but they have no effect on the operations inside a given host. That is the domain of HIDS.

Question 58

Answers A and C are correct. The ingress device to the small network Corporate Internet module can be a router running a software firewall (the IOS Firewall feature set) or a stateful firewall appliance. There is no need for a NIDS in the small network's edge. Broadband devices are found in remote-user networks as well as in some small networks, but they are customer premises equipment (CPE) and are not included in the SAFE small network model. The choice between a router and a firewall comes down to which you need more: the extra capabilities of a router, such as QoS and multiprotocol support, or the faster encryption/decryption and more rigorous protective stance of the appliance.

Question 59

Answer B is correct. Password attacks attempt to open an existing account through repeated tries at presenting the appropriate credentials. This is the purview of AAA. A switched architecture simply segregates traffic for performance and, to a degree, relative privacy. Protocol filtering restricts reconnaissance. NIDS will see login traffic, but that is normal (at least, to a point); remember, the password attack must await a response before it judges success or failure and either moves on to the next attempt or proceeds from the login. HIDS can detect what happens after the login finally succeeds, but only AAA and OS policies (such as account lockout for X minutes after Y failed login attempts) mitigate the password attack itself.
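
The two controls the answer names, AAA and a lockout policy, applied to the router's own logins, as an added configuration example that is not from the book. The TACACS+ server address, shared key, local user name and management subnet are assumed placeholders.

```cisco
! Added example, not from the book. AAA plus a lockout policy for router
! logins. Server address, key, user name and management subnet are assumed.
aaa new-model
! Authenticate against TACACS+; fall back to the local database only if no
! server answers. Allow 3 tries per connection before it is dropped.
aaa authentication login default group tacacs+ local
aaa authentication attempts login 3
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! Local fallback account, locked after 5 consecutive failures
! (unlock with: clear aaa local user lockout username admin).
username admin secret LOCAL-SECRET-PLACEHOLDER
aaa local authentication attempts max-fail 5
!
! Lockout policy, "X minutes after Y failed attempts": 5 failures within
! 60 s put the router into quiet mode for 300 s, during which only hosts
! permitted by ACL 10 (the management subnet) may attempt to log in.
login block-for 300 attempts 5 within 60
login quiet-mode access-class 10
login delay 2
login on-failure log
login on-success log
access-list 10 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 transport input ssh
 exec-timeout 5 0
```

show login tells you whether quiet mode is active and how many attempts have been counted, and show login failures lists the failed attempts with their sources. Both the local-account lockout and quiet mode are deliberate self-imposed denial of service against the guesser and can equally lock out an administrator; the quiet-mode ACL and the console port are the intended escape hatches, so test both before relying on them.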

Question 60

Answer A is correct. Although the other three choices are reasonable principles to adopt, they are not among the design objectives of the SMR SAFE Blueprint:

  • Security and attack mitigation based on policy

  • Security implementation through the infrastructure (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines