65 Cards in this Set
Because it is so important, and is the “root” document of so much of what we (U.S. Federal) do in the IT Security space: What does FISMA stand for?
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) provides?

a. presents information pertaining to a specific platform, OS, and application.
b. presents information that is independent of any particular platform, OS, or application.
b. presents information that is independent of any particular platform, OS, or application.
Only one example of an application-layer security control was provided. What was it?
“Pretty Good Privacy” (PGP)
What does TLS stand for, and what other (named) security protocol is it a replacement for?
Transport Layer Security (TLS) secures HTTP traffic. Other Name: “Secure Sockets Layer” (SSL)
What “one drawback” of TLS was mentioned?
Only capable of supporting TCP communications
Which of these correctly indicates which layer(s) a data link layer security control protects?

a. It would provide confidentiality for all layers (TCP/IP layers 1-5)
b. It would provide confidentiality for all layers above layer 1 (TCP/IP layers 2-5)
c. It would provide confidentiality for all layers above layer 2 (TCP/IP layers 3-5)
d. It would provide confidentiality for all layers above layer 3 (TCP/IP layers 4-5)
c. It would provide confidentiality for all layers above layer 2 (TCP/IP layers 3-5)
For review purposes; notice the mention of MAC. Which of these represents a MAC?

a. PvtKey{hash(data-to-be-protected)}
b. hash(SymSecret, data-to-be-protected)
c. hash(PvtKey, data-to-be-protected)
d. SymSecret{hash(data-to-be-protected)}
b. hash(SymSecret, data-to-be-protected)
IPSec… ?

a. never can provide any kind of traffic analysis protection.
b. can only hide the IPs of the endpoints, but cannot obscure how much data is exchanged.
c. always provides complete protection against traffic analysis.
d. can obscure how much data is being exchanged, and obscure the IP of the endpoints.
d. can obscure how much data is being exchanged, and obscure the IP of the endpoints.
Notice the mention of “out-of-band” with respect to dealing with the problem of exchanging ________________ keys.

a. Symmetric
b. Asymmetric
c. This could apply to either Symmetric or Asymmetric
a. Symmetric
What does DES, 3DES, AES stand for?
DES: Digital Encryption Standard
3DES: Triple Digital Encryption Standard
AES: Advanced Encryption Standard
What does RC4, IDEA, HMAC stand for?
RC4: Rivest Cipher 4
IDEA: International Data Encryption Algorithm
HMAC: Hash Message Authentication Code
What does MD5, SHA, RSA, DSA, and ECDSA stand for?
MD5: Message Digest 5
SHA: Secure Hash Algorithm
RSA: Rivest Shamir and Adleman
DSA: Digital Signature Algorithm
ECDSA: Elliptic Curve Digital Signature Algorithm
Which of these is the least commonly used VPN architecture?

a. Gateway-to-Gateway
b. Host-to-Gateway
c. Host-to-Host
c. Host-to-Host
Which VPN architecture provides the most thorough protection in terms of topological coverage of the protective encryption?

a. Gateway-to-Gateway
b. Host-to-Gateway
c. Host-to-Host
c. Host-to-Host
What are the three primary components (protocols) that comprise IPsec?
1. AH- Authentication Header
2. ESP- Encapsulating Security Payload
3. IKE- Internet Key Exchange
Which statement is true?

a. AH cannot provide any confidentiality service.
b. ESP provides confidentiality, but cannot provide any integrity protection.
c. Some IPSec software no longer supports ESP because AH can do it all.
d. AH and ESP authentication capabilities are identical.
a. AH cannot provide any confidentiality service.
Which is true? (only one)

a. Both ESP and AH can be operated in both tunnel or transport mode.
b. ESP works solely in tunnel mode, AH works solely in transport mode.
c. ESP can run in either tunnel or transport mode, but AH only works in tunnel mode.
d. ESP can only run in tunnel mode, but AH can be operated in either mode.
a. Both ESP and AH can be operated in both tunnel or transport mode.
Technically- (vice practically-) speaking…

a. we could use transport mode for any of the three VPN architectures.
b. we could use tunnel mode for any of the three VPN architectures.
c. we must use tunnel mode for gateway-to-gateway, and we must use transport mode any time one endpoint is a host.
d. we must use transport mode for host-to-host, and we must use tunnel mode any time one endpoint is a gateway.
b. we could use tunnel mode for any of the three VPN architectures.
In AH mode, what, if anything, in an IP datagram is excluded from integrity protection?
Nothing
If you were inspecting an ESP-protected packet in Wireshark; which of these would allow you to identify if the packet was processed in transport or tunnel mode?

a. Look at the Next Header value of the ESP header, if value is 6, it is likely tunnel mode.
b. Look at the IP protocol value, if value is 4, it is likely tunnel mode.
c. Look at the Next Header value of the ESP header, if value is 4, it is likely tunnel mode.
d. Look at the IP protocol value, if value is 50, it is likely tunnel mode
b. Look at the IP protocol value, if value is 4, it is likely tunnel mode.
Which is true?

a. If you only need confidentiality, you could use AH mode.
b. If you only need integrity, you must use AH mode.
c. If you want both confidentiality and integrity, both AH & ESP modes must be used together.
d. If you want both confidentiality and integrity, you could use just ESP mode.
d. If you want both confidentiality and integrity, you could use just ESP mode.
Which mode combination of IPSec does this “stack” illustrate? (picture with layers 5,4,3 (encrypted), and layers 3 and 2 unencrypted). Question 20 on Q&A

a. AH in transport mode.
b. AH in tunnel mode.
c. ESP in transport mode.
d. ESP in tunnel mode.
d. ESP in tunnel mode.
Why is it that IPSec and NAT often do not “play well” together?
NAT modifies packets. IPSec looks for any modified IP packet and will discard it.
Which of these best expresses the role of the SPI in the above-mentioned relationship? SPI = Security Parameters Index (3.2.3)

a. The SPI is a number that is “hard-coded” to a specific cipher-suite
b. Used by each side in order to know which SA to use for traffic to the other side.
c. The SPI is an incrementing value employed for anti-replay protection.
d. The SPI is a hash taken over the socket-pair representing a given IPSec connection
b. Used by each side in order to know which SA to use for traffic to the other side.
What does IPSec (AH or ESP mode) employ for replay protection?

a. Nonces
b. Timestamps
c. Sequence Numbers
d. Randomized SPIs
c. Sequence Numbers
How does IPSec employ sequence numbers for replay protection?

a. Numbers are assigned by sender, recipient ensures all received numbers arrive in incrementing, sequential order.
b. Numbers are randomly generated by sender, recipient ensures no repeats are ever received.
c. Numbers are assigned by sender, recipient ensures all received numbers fall within the range of a sliding window.
d. Both sides of the IPSec SA synchronize the values used to ensure anti-replay protection.
c. Numbers are assigned by sender, recipient ensures all received numbers fall within the range of a sliding window.
What—exactly—is the sequence number for the AH example of Figure 3-4?
00 00 00 01
What—exactly—is the MAC for the AH transport mode example of Figure 3-4?

a. 01 04 00 00 cd b5 99 34 00 00 00 01 61 a6 6b fb ae 89 23 1b e4 52 42 ff
b. 61 a6 6b fb ae 89 23 1b e4 52 42 ff
c. 08 00 fb 5b 02 00 50 00 61 62
d. 01 04 00 00 cd b5 99 34
b. 61 a6 6b fb ae 89 23 1b e4 52 42 ff
“AH still provides one benefit that ESP does not: INTEGRITY protection for the OUTER MOST IP header.”
Integrity; Outer Most
Looking at Figure 3-7, you can see that ESP in Transport mode does not include the IP header in what it provides integrity protection for; as does AH (see Figs 3-1 and 3-2). Why then is ESP in Transport mode still incompatible with NAT?
The checksum will not be the same, changing the IP packet; therefore NAT will drop the packet
An Initialization Vector (IV) is included in the ESP payload. In short, what is the usage of this item?
Inclusion of the IV ensures that two identical packets will have different results after encryption.
Which is true regarding ESP’s use of padding?

a. It is always used.
b. It is only used if it is desired to obscure the true amount of data contained in each packet.
c. It is only used to ensure the data length matches a multiple of the underlying encryption cipher’s block size, or to ensure the overall ESP PDU falls on a 4-byte boundary.
d. Both b and c.
d. Both b and c.
If ESP is implemented to include integrity protection, where is the integrity-providing MAC carried?

a. In the ESP header.
b. In the ESP trailer.
c. In the ESP payload.
d. Coded into the SPI value.
a. In the ESP header.
Which of these is true?

a. AH Transport mode is most compatible with NAT operation.
b. AH Tunnel mode is most compatible with NAT operation.
c. ESP Transport mode is most compatible with NAT operation.
d. ESP Tunnel mode is most compatible with NAT operation.
d. ESP Tunnel mode is most compatible with NAT operation.
You see reference to “-SHA1-96” here, yet you may recall that SHA1 has a 160-bit hash output. What do you think is going on?

a. It’s a different SHA-1 (96-bit vs 160-bit).
b. They simply truncate the 160-bit SHA-1 result to 96 bits.
c. The reference to SHA-1 here is completely separate from the SHA-1 discussed in class.
b. They simply truncate the 160-bit SHA-1 result to 96 bits.
_______________ is the most commonly used IPSec mode.

a. AH Transport mode.
b. AH Tunnel mode.
c. ESP Transport mode.
d. ESP Tunnel mode.
d. ESP Tunnel mode.
What does IKE do first?

a. Authenticate the two endpoints.
b. Negotiate the protection suite that will be used to protect subsequent IKE traffic.
b. Negotiate the protection suite that will be used to protect subsequent IKE traffic.
What all is (or can be) negotiated during Phase One of IKE?
Encryption algorithm, hash algorithm, authentication method, information about a group over which to do Diffie-Hellman, cookies.
If you read the descriptions of the Digital Signature and Public Key Encryption based authentication methods; you may (from lecture discussion) notice an error in the way the second is explained. What is the error?
It should read “each peer encrypts with the peer’s public key…”
DH gets heavy usage in network crypto applications. Which of these best explains the use of DH as it pertains to VPNs?

a. A way for 2 remote devices to create a shared secret, without a secure channel to begin with.
b. Method employed during Phase I to establish the pre-shared secret for initial authentication.
c. DH is employed to slightly alter the IPSec SA key for each packet.
d. DH is the core technique employed to authenticate the endpoints prior to IPSec SA creation.
a. A way for 2 remote devices to create a shared secret, without a secure channel to begin with.
What encryption algorithm is being offered?
DES-CBC
What hash algorithm is being offered?
MD5
Is this endpoint suggesting pre-shared key or PKI-based authentication?
Pre-shared Key
What kind of DH technique is being offered?

a. The weakest Elliptic Curve
b. The strongest Elliptic Curve
c. The weakest exponentiation over prime modulus
d. The strongest exponentiation over prime modulus
d. The strongest exponentiation over prime modulus
What is true about the responder cookie in this 1st message of the 1st part of IKE Phase 1?

a. It’s zero
b. It’s completely random.
c. It defaults to whatever value was chosen by the initiator.
d. There is no responder cookie field in this message.
a. It’s zero
(T / F) The IPSec VPN endpoints identify each other during the second pair of main mode messages.
False
What is the Next Payload sequence in this IKE Main Mode 3rd message?

a. ISAKMP → Nonce → Key Exchange
b. Key Exchange → Nonce → Identity
c. ISAKMP → Nonce → Identity
d. ISAKMP → Key Exchange → Nonce
a. ISAKMP → Nonce → Key Exchange
In IKE Main Mode, during which pair of message exchanges do the two endpoints authenticate one another?

a. First
b. Second
c. Third
d. Fourth
c. Third
Which of these correctly summarizes the purpose of each pair of message exchanges of IKE Main Mode?

a. Agreement on algorithms to use – DH Session Key Construction – Authentication
b. Authentication – DH Session Key Construction – Agreement on algorithms to use
c. Agreement on algorithms to use – Authentication – DH Session Key Construction
d. DH Session Key Construction – Agreement on algorithms to use – Authentication
a. Agreement on algorithms to use – DH Session Key Construction – Authentication
In Figure 3-13, you see that the payload is encrypted. Given that we are still looking at IKE negotiation, vice an instance of an IPSec tunnel to protect actual user data transfer; what is the advantage/intent of encrypting this third IKE message exchange pair?
To ensure the authentication process cannot be replayed or misused by an attacker.
Which of these is true?

a. Main mode is faster, but Aggressive mode is more secure.
b. Main mode is more secure, but support for it is optional.
c. Aggressive mode is faster, but Main mode is more secure.
d. Aggressive mode more secure, but support for it is optional.
c. Aggressive mode is faster, but Main mode is more secure.
Which of these best states the purpose of IKE Phase 2?

a. Authenticate the two endpoints.
b. Establish an SA for the actual IPSec (data transfer) connection.
c. Establish a new session key for use in creating IPSec SA instances.
d. Validation of endpoint-provided public keys.
b. Establish an SA for the actual IPSec (data transfer) connection.
Which of these is true regarding IKE Phase 2?

a. All IPSec SA protocol decisions have been established during IKE Phase 1, so IKE Phase 2 only needs to send a chosen (session) key for each IPSec connection.
b. Phase 2’s only purpose is to assign a SPI for each IPSec SA instance.
c. Phase 1 negotiates keys & algorithms, Phase 2 handles authentication.
d. IPSec keys and algorithms are established for each IPSec SA in this phase.
d. IPSec keys and algorithms are established for each IPSec SA in this phase.
Which of these is correct?

a. A SAD points to an SA using a SPI.
b. The SPI contains all instances of SAs which hold SAD information.
c. A SPI points to an SA instance in the SAD.
d. A SAD contains all the information needed to define a single IPSec SA.
c. A SPI points to an SA instance in the SAD
Which of these best expresses the “bottom line” on PFS?

a. Attacker must resort to brute-force to compromise a session key.
b. Attacker compromise of one key, does not help in compromising other keys.
c. All keys, including session keys, are asymmetric-based.
d. Each IPSec SA creates a unique session key from all other IPSec SAs.
b. Attacker compromise of one key, does not help in compromising other keys.
What combination of information allows an IPSec VPN endpoint to look-up the correct SA?

a. Destination IP, SPI, and ESP-or-AH
b. Source IP, Destination IP, and SPI
c. SPI, ESP-or-AH, and Tunnel-or-Transport
d. SPI, SPD, SAD
a. Destination IP, SPI, and ESP-or-AH
Which of these best summarizes the difference between the SAD and the SPD?

a. SAD indicates what traffic to protect; SPD indicates how to protect it.
b. SAD is a list of what to protect; SPD is a list of algorithms that could be used.
c. SPD lists all participating IPs; SAD lists all participating ports.
d. SPD indicates what traffic to protect; SAD indicates how to protect it.
d. SPD indicates what traffic to protect; SAD indicates how to protect it.
In summary…

a. IKE phase 1 creates an IKE SA; IKE phase 2 creates an IPSec SA.
b. IKE phase 1 creates an IPSec SA; IKE phase 2 creates an IKE SA.
c. IKE phase 1 negotiates keys and algorithms; IKE phase 2 authenticates.
d. IKE phase 1 builds the SAD; IKE phase 2 builds the SPD.
a. IKE phase 1 creates an IKE SA; IKE phase 2 creates an IPSec SA
Recall that NAT changes source IP on outbound packets, and changes destination IP on inbound packets; which “breaks” the integrity checksum. Despite all the variations and options mentioned; what are the two basic solutions?

1. Perform the ______ process before the ______ process for outbound traffic; the reverse order would thus be done for arriving traffic (not mentioned in the reading but should be rather obvious).

2. Encapsulate the IPSec PDU inside of ______ (protocol)
1. NAT, IPsec
2. UDP
What does “bump in the stack” mean?
Third-party clients are typically shims, which means that they are implemented between the IP stack and the local network drivers. This technique is also known as a bump in the stack (BITS).
All other things being equal, which would represent a more secure IPSec implementation for the enterprise that supports remote user IPSec VPN tunnels?

a. Split-tunneling permitted
b. Split-tunneling not permitted
b. Split-tunneling not permitted
In a nutshell, this section addresses the defense-in-depth concept, including several specific “defenses” not directly related to IPSec. One of these (bottom of p. 4-11 and top of p. 4-12) mentions “. . . checking its host security control settings, and then deciding if it should be permitted to use the organization’s networks . . . .” This security control was recently (2012) implemented at NPS. What is the term used for this?
NAC (network access control) *Safe Connect
Which statement is true?

a. L2F is a Cisco proprietary protocol that can implement the host-to-host VPN architecture.
b. PPTP should not be used to protect communications because of its known weaknesses.
c. L2TP is limited to PPP-provided authentication methods.
d. Most data link layer VPN protocols use GRE to provide their encryption.
b. PPTP should not be used to protect communications because of its known weaknesses.
Which statement is false?

a. TLS is most commonly used to provide security for HTTP-based applications.
b. TLS authentication is typically one-way, authenticating the server to the client.
c. All major Web browsers include support for TLS.
d. Users wanting to utilize TLS security will likely need to install special client software.
d. Users wanting to utilize TLS security will likely need to install special client software.
Which statement is false?

a. A commonly used application layer VPN protocol is SSH.
b. SSH is better classified as a transport—vice application—layer VPN protocol.
c. Only shell-based commands can be passed through SSH tunnels.
d. In some cases, an app-layer VPN protocol may only protect a portion of the application data.
c. Only shell-based commands can be passed through SSH tunnels.