Page 11-8
1. | Which of the following is an advantage that SSL has over IPSec?
2. | Which of the following is an advantage of using an SSL certificate issued by a public CA?
3. | Which port should you open on a firewall to allow HTTP traffic protected by SSL?
4. | Which port will you open on a firewall to allow POP3 traffic protected by SSL?
Answers
1. | c. SSL’s primary advantage over IPSec is that it does not require the client to be authenticated. This allows users on the Internet to access the Web server without providing personally identifiable information. |
2. | b. The primary advantage of using a certificate issued by a public CA is that browsers and other applications will trust the CA by default, without requiring the user to add the root CA to the application’s list of trusted CAs. |
3. | c. HTTP protected by SSL uses TCP port 443. |
4. | d. POP3 protected by SSL uses TCP port 995. |
Page 11-24
1. | Which of the following scenarios are appropriate for using client certificates? (Choose all that apply.)
2. | A user is having a problem authenticating with a client certificate. Which of the following is the best tool to troubleshoot this problem?
Answers
1. | b and d. Client certificates are ideal for authenticating users at partnering companies that manage their own CAs. You can use many-to-one mapping to allow access to users who have valid certificates, thereby delegating responsibility for managing user access to the partner company. Client certificates can also be used on an intranet when users have been issued user certificates. |
2. | d. Although you can capture and analyze client certificate authentication traffic by using Network Monitor, the best tool to use is the SSL Diagnostics Utility. |
Page 11-37
1. | When a certificate is installed on a domain controller, which of the following types of communications can be protected with SSL? (Choose all that apply.)
2. | After installing an SSL certificate on a computer running SQL Server, how can you protect database communications by using SSL? (Choose all that apply.)
Answers
1. | b and d. Only global catalog traffic and LDAP queries can be protected with SSL. However, Kerberos authentication is always encrypted, and file replication might be encrypted by means of different mechanisms, such as IPSec. |
2. | a, b, and e. If you want to require encryption for all incoming connections to the computer running SQL Server, select the Force Protocol Encryption check box on the computer running SQL Server. Otherwise, add the appropriate string to the ODBC or OLE DB connection strings. |
Page 11-39
1. | How should you protect the personal information and credit card numbers of consumers purchasing products from your Web site?
2. | You want to purchase SSL certificates created by a trusted public CA for your Web servers so that users will not be prompted about the certificate. How many SSL certificates do you need to purchase?
3. | How can you protect the communications between the Web servers and the database servers? (Choose all that apply.)
Answers
1. | d. You should use SSL to authenticate your Web servers to the consumer to prevent man-in-the-middle attacks and to encrypt the communications to prevent eavesdropping. SSL only provides protection for the information in transit, however. The private information can still be exposed if your Web servers, or any other servers that have access to the information, are compromised by an attacker. |
2. | a. You only need a single certificate for both Web servers because they are hosting a single Web site. The two servers will have an identical common name: www.adventure-works.com. As a result, you can install the same certificate on both servers. However, the CA you use to issue the certificates might require you to purchase a certificate for each physical Web server as part of the service agreement. |
3. | a, d, and e. You can use either IPSec or SSL to authenticate your database server and encrypt the communications between the Web servers and the database servers. Additionally, you can physically secure the network hardware connecting the computers to reduce the opportunity that attackers have for eavesdropping. You can choose to use one, two, or all three of these mechanisms. |
Page 11-41
1. | First, reproduce the error by using Internet Explorer on Computer1. What is the exact error message? |
2. | Examine the certificate. What is the cause of the problem? |
3. | How can you resolve the problem? (Choose all that apply.)
Answers
1. | A Security Alert message box appears when you attempt to access the page https://adventure-works.com. The message box shows a warning symbol and the message “The name on the security certificate is invalid or does not match the name of the site.” |
2. | The common name shown on the certificate is www.adventure-works.com. This is sufficient to allow users to access the site by using that name in the URL. However, if users leave off the www portion of the FQDN, they will receive the error message you saw because the URL does not exactly match the name on the certificate. |
3. | c and d. Only one SSL certificate can be associated with a given IP address/port number combination. Therefore, you cannot use separate SSL certificates with host headers. However, you can configure a Web site with host headers that redirects all non-SSL requests to http://www.adventure-works.com. Users will still receive a warning if they type https://adventure-works.com directly into the address bar, however. To avoid this potential problem, you can add a second IP address to the Web server and associate a second SSL certificate with that IP address. |