Exam Prep Questions

Question 1

Which of the following is not an asset in the medium business network's Corporate Internet module? (Choose two.)

  • A. Management server

  • B. File server

  • C. Web server

  • D. Layer 3 switch

  • E. Router

A1:

Answers A and D are correct. The Corporate Internet module in the medium business network edge contains the public-facing servers of this organization (Web, file, DNS, mail), switches to segregate traffic, two routers (one at ingress and the other at egress), a firewall to control traffic (incoming and outgoing), a VPN concentrator, and a NAS. The management server (answer A) is in the campus (either here or at the headquarters, if this is a branch). There is no need for a Layer 3 switch in the medium business network's edge: That switch is in the medium network's Campus module.

Question 2

Why would there be no VPN termination on the firewall in a medium business network's Corporate Internet module?

  • A. Device-management VPNs are passed through for termination on the management server.

  • B. VPNs are terminated on the Layer 3 switch in the Corporate Internet module (for processing speed).

  • C. VPNs are terminated at corporate headquarters; this network is a branch.

  • D. All VPNs are from users and are terminated on the VPN concentrator.

A2:

Answer D is correct. VPNs terminate on the firewall for site-to-site VPNs and for device-management VPNs (eliminating answer A). VPNs should never pass through into the campus, which is where the medium network has a Layer 3 switch (which, by the way, cannot terminate VPNs, eliminating answer B in two different ways). If this network is a branch of a larger organization, it will probably have a site-to-site VPN with its headquarters, and that VPN will terminate on the firewall (eliminating answer C). Only if no VPNs connect two sites and there are no device-management VPNs will there be no VPN termination on the firewall. In that case, the only VPNs remaining are those from users, which terminate on the VPN concentrator.

Question 3

Which of the following is not a threat to the medium business network edge?

  • A. Packet sniffers

  • B. Password attacks

  • C. Denial of service (DoS)

  • D. Mail relays

  • E. Unauthorized access

  • F. Trust exploitation

A3:

Answer D is correct. This is no different from the situation facing the small network edge: Mail relays are mail servers that are often used by spammers to disguise the origin of their offensive emails. However, mail relays can be legitimate devices to use, primarily for relaying mail to and from a primary mail server inside a protected network. Mail relays are thus not a security threat, per se. The threats against the medium business network's edge include the following:

  • Packet sniffers

  • Network reconnaissance

  • IP spoofing

  • Trust exploitation

  • Unauthorized access

  • Password attacks

  • Port redirection

  • Application-layer attacks

  • Virus and trojan horse attacks

  • Denial of service (DoS)

  • Man-in-the-middle attacks

  • Network topology discovery

Not all threats apply to all aspects of the medium network's edge; the last two listed, for instance, are threats to VPN services.

Question 4

Where would you apply RFC 2827 and RFC 1918 filtering in a medium network? (Choose two.)

  • A. On the Corporate Internet module's inside router

  • B. On the Corporate Internet module's firewall

  • C. On the Corporate Internet module's NAS

  • D. On the Corporate Internet module's edge router

  • E. On the Layer 3 switch in the Campus module

A4:

Answers D and E are correct. RFC 2827 describes filtering incoming traffic that should originate on the other side of the router: incoming traffic heading toward the address block that contains the source address. That applies inside the campus as well as to incoming traffic from the Internet or the WAN. RFC 1918 filtering denies traffic with private addresses from being sent to public address space, and it should be done on egress from the private network to public networks, such as the Internet or the WAN. Thus, you see the two kinds of filters on the edge ingress (the Corporate Internet module's edge router and the WAN module's router) and inside the campus, where unauthorized traffic must be kept out of certain sensitive network segments. The filtering should be done before the traffic reaches the firewall (eliminating answer B), the filtering cannot be done on the NAS (eliminating answer C), and such traffic should never get as far inside the edge as the Corporate Internet module's inside router (answer A). Remember, that router is segmenting the edge from the campus.

Question 5

Which of these techniques best protects the medium network against the threat posed by packet sniffers?

  • A. Ingress filtering

  • B. A switched network

  • C. Strong password policy

  • D. Restrictive trust model

A5:

Answer B is correct. A packet sniffer monitors all traffic on the wire that it can access by placing its host's NIC into promiscuous mode. A switched network typically connects only one host (at most, a few) per port, so the traffic that can be sniffed is extremely limited (compared to the traffic available on a network connected via hubs, where multiple hosts always share the same wire). Ingress filtering (answer A) denies ingress to packets whose source address is on the other side of the router and so should never enter the router on its current interface; it has nothing to do with packet sniffing. A strong password policy (answer C) might make cracking the password recovered by a sniffer more difficult, but it does nothing to reduce the occurrence of sniffing. A restrictive trust model (answer D) reduces the degree of trust with which systems treat any and all traffic from other systems, but sniffing monitors and potentially copies all or part of the existing traffic, however much or little it might be.

Question 6

If the worst attack is the one you cannot stop, which of the following attacks is most likely to fit that category?

  • A. Password attack

  • B. Internet worm

  • C. Trojan horse attack

  • D. Email virus

  • E. Trust exploitation

  • F. Denial of service (DoS)

  • G. IP spoofing

A6:

Answer F is correct. DoS attacks flood your incoming bandwidth or choke your systems with packets or processes that overload a limited resource (buffers or CPU cycles). The traffic is being generated outside your control: You cannot stop it. You might be able to reduce it through rate limiting on its arrival, but more effective mitigation requires the assistance of your upstream (ISP). Again, you can't stop it yourself. You can mitigate password attacks (answer A) with a strong password policy. You can filter an Internet worm (answer B) by port or source address, especially if it is spoofing (answer G) through RFC 2827 and RFC 1918 filtering on ingress. Trojans (answer C) and email viruses (answer D) can be mitigated through mail filtering and HIDS with an aggressive drop policy. You can mitigate trust exploitation attacks (answer E) through the use of a restrictive trust policy. In short, you can do something about every kind of attack except a DoS; for that, you require help from outside your organization.

Question 7

Which of these is a design alternative for the medium network's Corporate Internet module?

  • A. Eliminate the edge router.

  • B. Add NIDS to the edge router.

  • C. Add redundant connectivity to the DMZ (no single point of failure).

  • D. Add URL filtering.

  • E. All of these are correct.

A7:

Answer D is correct. Design alternatives for the medium Corporate Internet module include these:

  • Replace the edge router with a stateful firewall

  • Add a NIDS between the edge router and the firewall (not on the edge router)

  • Eliminate the inside (not the edge) router

  • Add URL filtering

As you can see from the list, answers A and B are close but not correct. The edge router, or firewall (its potential replacement), should be configured to filter traffic; adding a NIDS there would simply add load to a device that already experiences the largest load (after all, it's receiving all the incoming traffic and dropping or distributing it). The SMR Blueprint specifically states that it does not include redundancy or high availability; that is reserved for the Enterprise Blueprint (along with e-commerce), which eliminates answer C.

Question 8

Which of these is a threat to the medium network Campus module but not the small network Campus module? (Select two.)

  • A. Password attacks

  • B. Trust exploitation

  • C. IP spoofing

  • D. Packet sniffers

  • E. Unauthorized access

  • F. Port redirection

A8:

Answers A and C are correct. The threats in the medium network campus include these:

  • Application-layer attacks

  • IP spoofing attacks

  • Packet sniffers

  • Password attacks

  • Port redirection

  • Trust exploitation

  • Unauthorized access

  • Virus and trojan horse attacks

This list includes all the threats to the small network campus, plus IP spoofing and password attacks.

Question 9

Private VLANs should be used in which of the following locations in the medium network's Campus module?

  • A. On a segment with corporate servers.

  • B. On a segment with management servers.

  • C. On a segment with management workstations.

  • D. All of these are correct.

A9:

Answer D is correct. Private VLANs should be used whenever it is not advisable to allow hosts, even within the same VLAN, to communicate indiscriminately. Within the medium network's Campus module, that applies to the corporate servers, the management servers, workstations used for system management, and possibly within departmental VLANs to hosts that might contain temporary or working files of great sensitivity (such as high-value projects or financial data).

Question 10

What is the primary security function of the router in the medium network WAN module?

  • A. Peering with the Frame Relay/ATM service provider.

  • B. RFC 2827 and RFC 1918 filtering at ingress.

  • C. Tunnel termination.

  • D. None of these is correct.

A10:

Answer B is correct. Although the router in the medium network's WAN module does peer with its upstream within the service provider's network (and/or with another corporate router at the other end of the virtual circuits that it terminates), that is a routing function, not a security function (eliminating answer A). In most cases, the private circuit capability of a Frame Relay or ATM VC is sufficient protection; IPSec tunnels are used when sensitive traffic must traverse shared infrastructure (such as the Internet), but this is a private infrastructure. If extra precautions must be taken, IPSec (or other more generic) tunneling can be used, but it is not often required (eliminating answer C). The router always receives traffic from the Frame Relay/ATM service provider, and that traffic can include malicious traffic that has reached the provider's network with your destination address. Therefore, ingress filtering according to RFC 2827 and RFC 1918 is needed, although you will not likely have as many discards here as you would on a connection from the Internet.
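A model of the two filters that A4 and A10 place on the Corporate Internet module's edge router and on the WAN module's router, added here as an example and not taken from the book: RFC 2827 anti-spoofing on ingress (and its outbound form) and RFC 1918 private-address filtering, applied to constructed sample packets. The 203.0.113.0/24 "inside" block and all sample addresses are assumed placeholders (documentation ranges), not values from the page.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 private address space (fixed by the RFC).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the organization's own public block behind the edge/WAN router
# (203.0.113.0/24 is a documentation range, used as a placeholder).
INSIDE = [ip_network("203.0.113.0/24")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def classify(src, dst, direction, inside=INSIDE):
    """Permit/deny one packet on the edge or WAN router; returns (action, reason).
    direction: 'ingress' arrives from the provider side, 'egress' leaves toward it."""
    s, d = ip_address(src), ip_address(dst)
    if direction == "ingress":
        # RFC 2827: a source that belongs to our side of the router is spoofed.
        if in_any(s, inside):
            return "deny", "rfc2827-spoofed-source"
        # RFC 1918: private sources cannot legitimately arrive from the provider.
        if in_any(s, RFC1918):
            return "deny", "rfc1918-private-source"
    elif direction == "egress":
        # RFC 1918: never send private addresses into public address space.
        if in_any(s, RFC1918) or in_any(d, RFC1918):
            return "deny", "rfc1918-private-address"
        # RFC 2827 outbound: only our own block may leave as source (no spoofing others).
        if not in_any(s, inside):
            return "deny", "rfc2827-foreign-source"
    else:
        raise ValueError("direction must be 'ingress' or 'egress'")
    return "permit", "ok"

# Constructed sample packets: (src, dst, direction).
SAMPLE = [
    ("198.51.100.4", "203.0.113.10", "ingress"),  # legitimate Internet client
    ("203.0.113.7", "203.0.113.10", "ingress"),   # claims our own block: spoofed
    ("10.1.2.3", "203.0.113.10", "ingress"),      # private source from outside
    ("203.0.113.10", "198.51.100.4", "egress"),   # our server replying
    ("192.168.1.5", "198.51.100.4", "egress"),    # private address leaking out
    ("198.51.100.9", "198.51.100.4", "egress"),   # our host spoofing a foreign source
]

def audit(packets=SAMPLE, inside=INSIDE):
    """Apply the filter to each packet; returns [(src, action, reason), ...]."""
    return [(src, *classify(src, dst, d, inside)) for src, dst, d in packets]
```

On the WAN router the same rules apply; as A10 notes, the discard count is usually far lower there because the Frame Relay/ATM provider's network carries less bogus traffic than the Internet.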

Question 11

What is a design alternative in the Campus module of the medium business network? (Choose two.)

  • A. Eliminate the Layer 3 switch

  • B. Eliminate the Layer 2 switches

  • C. Eliminate the inside router

  • D. Add a NIDS on the Layer 2 switch at the management servers

  • E. Add a NIDS on the Layer 2 switch at the corporate servers

A11:

Answers A and B are correct. The design alternatives for the medium Campus module are related to traffic levels:

  • Eliminate the Layer 2 switches and perform all switching on the core Layer 3 switch

  • Replace the Layer 3 switch with a router and Layer 2 switch

  • Replace the separate NIDS appliance with a NIDS module on the Layer 3 switch

The relationship of the third alternative to traffic levels depends on how much speed you need in the NIDS processing (how much traffic it must inspect); it will be faster operating with the Layer 3 switch's backplane than on a single Ethernet (even Fast Ethernet) connection. There is no inside router to eliminate; that device is a part of the medium Corporate Internet module (eliminating answer C). All the servers have HIDS, and NIDS is provided at the Layer 3 switch that directs traffic to them. Therefore, an extra NIDS on a Layer 2 switch serving the corporate servers or the management servers (answers D and E) is not required.




CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines