A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
1. Your network currently does not use IPSec to protect internal communications. An attacker could perform what sort of attack on your network to capture valuable information, such as user names and passwords?
2. You have detected an unauthorized computer capturing all traffic between two servers on your network. You suspect that this computer has changed some or all of the transmissions that have been sent from both servers. What type of attack are you most likely experiencing?
Answers
1. ☑ Answer A is correct. Snooping, or sniffing, the network can be done using a software application designed for this purpose that can capture all packets transmitted on the network, not just those addressed to the network adapter being used to perform the attack. ☒ Answer B is incorrect because a spoofing attack is one in which an attacker assumes the identity of a trusted computer in order to trick other computers into giving it otherwise unauthorized access. Answer C is incorrect because a DoS attack is one in which a network or network service is targeted by a massive stream of traffic, preventing legitimate users from being able to make use of the network or network service. Answer D is incorrect because a MITM attack is one in which an attacker sits between two communicating hosts, intercepting traffic and modifying it before transmitting the traffic to the legitimate hosts. In this way, the man in the middle can change and control the conversation.
2. ☑ Answer D is correct. In this case, you are most likely experiencing a MITM attack. In this type of attack, the attacker sits between two parties who believe they are communicating with each other, when in fact their entire conversation is being captured and most likely modified by the attacker. ☒ Answer A is incorrect because snooping, or sniffing, the network can be done using a software application designed for this purpose that can capture all packets transmitted on the network, not just those addressed to the network adapter being used to perform the attack. Answer B is incorrect because a spoofing attack is one in which an attacker assumes the identity of a trusted computer in order to trick other computers into giving it otherwise unauthorized access. Answer C is incorrect because a DoS attack is one in which a network or network service is targeted by a massive stream of traffic, preventing legitimate users from being able to make use of the network or network service.
3. IPSec operates at what layer of the seven-layer Open Systems Interconnection (OSI) model?
4. Jon is interested in deploying IPSec on his network. What benefits can Jon expect to gain by doing so? (Choose all that apply.)
5. With regard to IPSec, what does the AH do for you?
6. What is added to a standard IP datagram when the AH is used?
7. Andrea is configuring a new IPSec policy for her network. What methods does she have to choose from for authentication? (Choose all that apply.)
8. During the process of starting an IPSec communication between two computers, how many SAs are created?
9. Chris wants to use IPSec to secure communications between her main office and a remote office over the Internet. What is this called?
10. You are interviewing a new candidate for the position of assistant network administrator. Bruno, the candidate, is in the process of answering the question "What does message integrity mean?" Which of the following answers should Bruno give you?
Answers
3. ☑ Answer B is correct. IPSec operates at layer 3 of the seven-layer model. Layer 3 is the network layer. ☒ Answer A is incorrect because layer 2 is the transport layer. Answer C is incorrect because layer 6 is the presentation layer. Answer D is incorrect because layer 7 is the application layer.
4. ☑ Answers A, B, and C are correct. IPSec can provide Jon with integrity (assurance that the message received is identical to the message that was sent), confidentiality (keeping your private information private), and authentication (establishing the identity of a sender or recipient). ☒ Answer D is incorrect because impersonation is a form of attack, such as the MITM attack. Using IPSec can prevent attacks such as this.
5. ☑ Answer A is correct. The AH is one of two protocols implemented in IPSec. AH ensures data integrity and authentication of the sender, thus preventing a replay type of attack. ☒ Answer B is incorrect because AH does not prevent capture of packets. Packets can be captured if someone is allowed to gain access to a wired or wireless segment of the network. The capture of packets does not automatically mean, however, that the data on the network is unsafe. It does, however, pose a great risk. Answers C and D are incorrect because AH does not provide confidentiality of data or data encryption. Those functions are provided by the ESP.
6. ☑ Answer B is correct. AH is just that: a small header that is inserted into an IP datagram after the IP header and before the TCP header that provides authentication, anti-replay, and integrity. In short, AH tells you that the packet is genuine and came from where it claims to have come from. ☒ Answers A, C, and D are incorrect because AH does not provide any form of encryption or confidentiality of the packet, nor does it provide delivery assurance of any kind.
7. ☑ Answers A, C, and D are correct. Andrea can use any or all of the following: certificate, shared secret, or Kerberos. Kerberos is the default selection. The use of a certificate requires that a functional CA be in place on your network. Shared secrets are the least preferred because they can lead to network compromise if learned by an attacker. ☒ Answer B is incorrect because SNMP is not used for configuring IPSec. SNMP is typically used for network configuration, such as routers and switches, among other items.
8. ☑ Answer C is correct. There are three total SAs created between two computers that wish to use IPSec to secure their communications. There is a Phase 1 SA and two Phase 2 SAs, one for inbound traffic and the other for outbound traffic. The Phase 1 SA involves the negotiation of the encryption algorithm and hashing algorithm to be used, followed by the actual authentication process. The Phase 2 SAs involve the negotiation of the IPSec protocol to be used (AH and/or ESP), the encryption algorithm to be used, and the hashing algorithm to be used. ☒ Answers A, B, and D are incorrect because there are always three SAs formed when two computers initiate an IPSec-secured communication.
9. ☑ Answer C is correct. When IPSec is used to secure a communication between two gateways, as in the case of one office connecting to another across the Internet, it is said to be operating in tunnel mode. ☒ Answer B is incorrect because transport mode occurs between clients on the same WAN or over a private (not the Internet) WAN link. Answers A and D are incorrect because there is no such thing as Internet mode or Transfer mode.
10. ☑ Answer A is correct. The term integrity refers to the assurance that the message received is identical to the message that was sent. ☒ Answer B is incorrect because the term authentication refers to the assurance that the identity of the sender or recipient is verified. Answer C is incorrect because the term confidentiality refers to keeping a message safe from prying eyes, thus ensuring the message is kept private. Answer D is incorrect because the assurance that a receiving user is authorized to receive the message is not a function of IPSec, but typically is the responsibility of the messaging and operating system.
11. You have recently configured and deployed an IPSec solution on your network between all computers in the Finance department. What can you use to verify that IPSec is in fact being used by these computers to secure their communications?
12. You have configured several different IPSec policies for your organization, one for each department within the organization. From where can a configured IPSec policy be selected for use on a computer? (Choose all correct answers.)
Answers
11. ☑ Answer B is correct. The IP Security Monitor (IPSec Monitor) can be used to monitor IPSec on your network and verify that computers are making the desired hard associations. ☒ Answer A is incorrect because the IP Security Policies in the Group Policy Editor is used to configure and create IPSec policies. Answer C is incorrect because the Certificates Snap-in is not used to monitor IPSec directly. Answer D is incorrect because the IP Security Policy Agent is used to load and refresh the applied IP Security policy, not to monitor IPSec.
12. ☑ Answers A and C are correct. The IP Security Policies folder within Group Policy can be used to configure and select IP Security policies. The TCP/IP Advanced Properties window can be used to select a preconfigured IP Security policy. ☒ Answer B is incorrect because the IP Security Monitor is not used to select an IPSec policy for use. Answer D is incorrect because the Certificates Snap-in is not used to select an IPSec policy for use.
13. Catherine is interested in deploying IPSec on her network to increase network security. She currently uses a NAT device to translate one public IP address for her 25 internal clients (Windows 2000 Professional and Windows 98) using DHCP. What concerns should Catherine have in this situation? (Choose all that apply.)
14. You are creating a new IPSec policy for your network. You have several highly sensitive servers that you do not want to allow any unsecured connections to. You have a mix of Windows 2000 Professional and Windows NT 4.0 client computers. You need all of your client computers to be able to connect securely to these servers. What do you need to do? (Choose all that apply.)
15. Hannah wants to customize the IPSec hash algorithm that is in use in her organization's IPSec policy. What are her choices? (Choose all that apply.)
Answers
13. ☑ Answers C and D are correct. IPSec cannot be used to create connections through NAT devices, thus Catherine will not be able to make IPSec secured connections outside of her network. This may or may not be a problem for her, but it is something that she should be aware of during the design and planning phase. IPSec is only supported for Windows 2000 and later operating systems, so her Windows 98 computers will not be able to communicate with any computers that require secure connections. She should consider upgrading these computers to Windows 2000 Professional. ☒ Answers A and B are incorrect because while IPSec is a good solution for any size network, Catherine still has the concerns related to the NAT device and the legacy Windows 98 clients on her network. IPSec has no bearing on DHCP, nor does DHCP have any bearing on IPSec. The only thing to bear in mind is that if you require secure connections on a server providing network services such as DHCP or DNS, then you must ensure that all clients are configured properly to establish connections to the server. If not, network communications will be impossible.
14. ☑ Answers A and D are correct. You will need to upgrade the Windows NT 4.0 computers to be able to use IPSec for those machines. Selecting the "Do not communicate with computers that do not support IPSec" option will prevent any unsecured communications from occurring. ☒ Answer B is incorrect because trusting a computer for delegation is not part of IPSec and cannot be done to a Windows NT 4.0 client at any rate. You might trust a computer for delegation if it were a file server and you wanted to allow people to be able to use EFS encryption on it. Answer C is incorrect because setting the archive bit to false affects how the NTBACKUP.EXE utility will handle that volume, and has no impact on IPSec in any way.
15. ☑ Answers A and D are correct. IPSec currently supports the SHA1 and MD5 hash algorithms. ☒ Answer B is incorrect because Wired Equivalent Privacy (WEP) is a security encryption measure used in 802.11 wireless networks (see Chapter 7 for more discussion on WLAN issues). Answer C is incorrect because AES is an emerging encryption standard that is favored by the US Government and is likely to see inclusion in a future 802.11 standard. AES uses the Rijndael symmetric encryption algorithm and is extremely secure.