99 Cards in this Set

  • Front
  • Back
Two main purposes of a DNS server
convert easy-to-remember names into the harder-to-remember numbers that computers require to identify machines

enhance the response time for name resolution queries
How does a local DNS server resolve a query for a domain name that isn't listed locally?
local DNS server sends a query to a Root Server. Root Server returns the IP address for the TLD server for the correct TLD (.com, for example). The local DNS server then queries the TLD for the correct zone. The TLD server responds to the local DNS server with the IP address for the server that is authoritative
What are DNS Zones?
basic organizational units of the DNS. Zones contain records and are defined by how they acquire those records and how they respond to DNS requests. Zone records describe the characteristics of a zone.
What are the three types of DNS zone?
The master zone has the master copy of the zone’s records and provides authoritative answers to queries.

The slave zone is a copy of a master zone and is stored on a slave or secondary name server.

The forward zone directs all queries for a particular zone to other DNS servers.
How many DNS record types are available in Mac OS 10.6?
9
Define FQDN versus relative domain name
FQDN is the full location of the specific machine that has that name and is fully reversible to its specific IP address

relative domain name is typically only the name of the specific machine without any other domain information
What happens if a server does not have a DNS entry available during initial configuring?
It creates a default zone for itself in the DNS server and starts the service
What are the four steps necessary to configure a DNS server for an organization?
Register the domain
Create the zones
Populate the zones
Start the service
What are five major types of security attacks related to DNS
DNS cache poisoning
server mining
DNS service profiling
DoS
service piggybacking
How does caching increase the performance of a DNS server?
Caching increases the performance of a DNS server by storing local copies of DNS resolutions. This allows the server to respond to queries for which it is not authoritative without forwarding those queries through the DNS hierarchy.
How many root-level name servers are there?
13
How do zone records describe the characteristics of a zone?
Zone records describe the machines and services found in a zone
Of the three types of DNS zones, which type would not include zone records?
The forward zone does not have any zone records. All requests for resolutions relating to the specific zone are forwarded to another server for resolution
What is the character limit of the TXT record type?
The TXT record type is limited to 255 ASCII characters
At what level in the domain name hierarchy is .com in the domain ns.pretendco.com?
The domain .com is at the top level of the domain name hierarchy
How can you prevent the automatic configuration of the DNS service on a Mac OS X Server v10.6 system?
make sure you have a fully functioning and accurately configured DNS server with a record for the new server
How does the DNS service in Mac OS X Server v10.6 associate computer host names with IP addresses?
The DNS service in Mac OS X Server v10.6 associates computer host names with IP addresses through the configuration of machine records. During the configuration of the machine record, a host name and IP address are assigned to each machine
The primary function of DHCP
Primary is dynamic configuration of IP information on a host machine. However, DHCP can also be used to provide other host configuration information, such as the default information for connecting to an LDAP server.
4 steps to configure DHCP in Server Admin
1. Enable the DHCP service.
2. Create the subnet.
3. Enable the interface.
4. Start the DHCP service.
How to identify whether a computer has a DHCP or link local address?
look at IP address - link-local addresses are in the 169.254.x.x range
What is static mapping (DHCP)
the process of assigning a specific IP address to a specific host via the host’s MAC address
Where can one view the current client list of a DHCP server
Client pane of the DHCP service
Where can one see DHCP specific log files?
The log pane of the DHCP service
What is the acronym for determining whether a client has a DHCP lease in the DHCP log file?
DORA

Discover
Offer
Request
Acknowledge
Is DHCP secure?
No. Use only after you’ve evaluated all security considerations. If you must use DHCP, it is advisable not to provide DNS, LDAP, or WINS.
When configuring the LDAP option in DHCP, in what format do you present the URL?
The URL for the LDAP server must be in the ldap://host.pretendco.com format, where host.pretendco.com is the fully qualified domain name of the LDAP server.
How many subnets can a single DHCP server manage?
A given server can manage any number of subnets. Limitations are based on other resources of the server, such as available RAM, CPU power, and so on.
If a host machine is on an active network with other clients receiving DHCP addresses, why might this specific machine not get an IP address?
If other machines on a given network are able to secure DHCP addresses, it is likely that the server has run out of DHCP leases.
How can you determine whether a host has a routable IP address or a link-local address?
Because a link-local address must fall in the 169.254.x.x range, checking the current IP address of the client will provide the answer.
Before you can statically map an IP address to a specific client, what must you know about that client?
You must know the client’s MAC address
When viewing log entries for the DHCP service, how can you filter those entries to show you only the information regarding a specific host?
You can enter specific host information in the search field in the upper right corner of the Log pane to search for information related to a particular host.
What are the three types of NAT
static NAT, dynamic NAT, and port address translation (PAT)
What does port forwarding allow?
Port forwarding lets you reroute packets sent to specific ports on the NAT system to other hosts in the private network.
What does the Gateway Setup Assistant configure?
DHCP, DNS, Firewall, and NAT services and provides an option for configuring the VPN service
What needs to be running on a Mac OS X server machine for NAT to function?
NAT and Firewall services
What other function does NAT provide other than IP address sharing?
The NAT service provides a level of security between your private network and a public network. Traffic from the public network only reaches your private network in response to an internal request or through port forwarding.
When using the Gateway Setup Assistant, what IP range will it assign to the LAN?
The IP range assigned to the LAN will be in the 192.168.x.1/24 range
The Gateway Setup Assistant allows for the easy configuration of what services?
The assistant can configure the DHCP, NAT, DNS, Firewall, and VPN services
What rule is required to be in place in the Firewall for NAT to function?
NAT relies on the packet divert rule
When configuring Mac OS X Server to provide NAT, which Ethernet interface should be listed first in the Network Interfaces list in Network Preferences?
When configuring NAT on Mac OS X Server, the public Ethernet interface (the interface facing the Internet) must be listed before all other Ethernet interfaces.
How can unsolicited traffic from a public network reach computers on your private network?
Traffic from a public network can reach a machine on your private network if you configure port forwarding to allow it.
Mac OS X and Mac OS X Server contain what kind of firewall, and what is it based on?
Mac OS X and Mac OS X Server contain a built-in stateful packet firewall that keeps track of the state of network connections traveling across it. The packet firewall is based on the open source ipfw project.
Mac OS X Server runs what service to monitor bad login attempts?

What will ten incorrect logins do?
Mac OS X Server runs a service called emond that monitors bad login attempts. Ten consecutive incorrect login attempts cause emond to use the Adaptive Firewall to inject a rule into ipfw, blocking the offending host's access entirely for 15 minutes.
What does Mac OS X server use to make decisions about which packets to allow or deny?

Where can these be modified?
Rules

You can modify these rules using the Server Admin graphical user interface, or the ipfw command-line tool
Where does ipfw log its messages?
/var/log/ipfw.log
What does Mac OS X contain beyond the traditional stateful firewall?
Mac OS X contains the Application Firewall. Unlike a traditional stateful firewall, the Application Firewall grants or denies access to specific applications
When would one use tcpdump?
tcpdump is an excellent utility to use when you’re troubleshooting a service that is not connecting and a firewall is a suspected reason.
What does the Mac OS X firewall provide?
powerful protection for desktop and mobile Mac systems
Identify the stateful firewall that is built into Mac OS X and Mac OS X Server
The IP Firewall, ipfw, is the stateful firewall built into Mac OS X and Mac OS X Server.
When enabling the default set of firewall rules in Mac OS X Server, what traffic is allowed?
By default, all traffic is allowed out, and only Apple administrative ports and established traffic are allowed in.
In what primary way does the Mac OS X Application Firewall differ from a standard port-blocking firewall?
The Application Firewall identifies the application that is generating or receiving traffic when choosing which traffic to allow. Port-blocking firewalls use ports only, and do not identify which application is behind the traffic.
Why is tcpdump a good utility for troubleshooting the firewall configuration?
On the server side, tcpdump shows what traffic is going past the firewall and arriving at the application layer. On a client, it informs you if traffic is being generated and accepted on the remote end.
Which configuration file is used for the Application Firewall?
The /Library/Preferences/com.apple.alf.plist file.
Which standard OS X configuration command is used to remotely enable or disable firewall services?
The defaults write command is used to change parameters in the firewall plist that will enable or disable the firewall or turn Allow Signed Applications or Stealth Mode on and off.
Mac OS X and iPhone each have a built-in VPN client that can connect via what protocols?
Mac OS X servers via L2TP and PPTP protocols, or to any Cisco IPsec VPN server.
Mac OS X Server runs a service called what that provides what sort of VPN services?
Mac OS X Server runs a service called vpnd that provides VPN services using either L2TP or PPTP.
Mac OS X can provide on-demand VPN connections when accessing predefined remote domain resources.
Remember that.
How can the Mac OS X Server VPN service be remotely enabled and disabled?
utilizing serveradmin commands
When supporting Mac OS X v10.2 clients, which VPN protocol must be used?
The PPTP protocol must be used for Mac OS X v10.2 or earlier, Windows 95, and other non–L2TP-compatible systems.
True or false: Mac OS X’s VPN client allows on-demand VPN connections that activate when resources for a particular domain are requested.
True. A Mac OS X VPN client can be configured to initiate the VPN automatically when a particular domain resource is requested and the domain is specified in the VPN on-demand area
To which types of VPN services can Mac OS X and iPhone VPN clients connect?
Mac OS X v10.6 and iPhone VPN clients support connections to any L2TP-, PPTP-, or Cisco IPsec–compliant VPN server.
Can Mac OS X Server provide Cisco IPsec as a VPN service?
No, Cisco IPsec services are provided on OS X and iPhone VPN clients for connection to existing Cisco IPsec VPN servers, not to the OS X Server VPN service.
When enabling a VPN service on Mac OS X Server, must you configure the Mac OS X or the external firewall?
Yes. Administrators should ensure that the appropriate L2TP or PPTP ports are open and available to Mac OS X Server to enable the VPN service to operate properly.
What standard Mac OS X Server configuration command is used to enable or disable VPN services remotely?
The serveradmin command can be used to enable or disable the VPN service and check its status by issuing the following commands, respectively:
sudo serveradmin start vpn
sudo serveradmin stop vpn
What is the difference between symmetric and asymmetric keys
Symmetric - keys to decrypt are known by both sides, either can decrypt message

Asymmetric - keys are only known by one side. One will send its public key to the other to encrypt its data with, the private key will decrypt
What is a CA
Certificate Authority - can be used to issue certificates
Can digital signing be used to encrypt messages between email sender and recipient?
No. Digital signing confirms that a message has not been tampered with since the sender signed it and verifies the sender’s identity. It is not used to encrypt emails.
Which graphical application tool provided via Keychain Access allows administrators to create their own CA?
Certificate Assistant.
Which command-line tool can be used to generate and install a self-signed certificate on Mac OS X server for use in Server Admin?
certtool can create a self-signed certificate, which is automatically installed in Server Admin to provide for web, Mail, iChat, iCal, and other services.
Which command-line tool can be used to install a self-signed certificate to a user’s keychain on a client system?
security is the command-line tool used on Mac OS X to provide import, export, or verification of certificates
Do software developers use digital signatures with software updates and installation packages to ensure encryption of the conversation between a website and the end user?
No, software developers utilize digital signing of applications and updates to ensure that no tampering of the respective application or update has taken place.
Which iPhone SDK tools are most useful for the development of web applications for the iPhone OS?
Dashcode and iPhone Simulator
Which iPhone SDK tools are most useful for the development of native applications for the iPhone OS?
Xcode, Interface Builder, iPhone Simulator, and Instruments
How does one gain access to the iPhone SDK
must be a member of the iPhone Developer Program
What is needed to install a native application for testing on an iPhone
a development certificate in the keychain on your computer, a provisioning profile, and iPhone OS 2.0 or later installed on the device.
two options for deploying an application within your organization
You can use the App Store, or you can distribute the application yourself.
Two ways to deploy iPhone apps
predeploy applications using iPhone Configuration Utility

Or have users install on their own
The benefits of a web application as opposed to a native application
ease of deployment
use of existing knowledge
use of existing tools.
The benefits of deploying a native application as opposed to a web application
availability anytime and anywhere, as well as its potential to generate revenue from iTunes App Store distribution.
What is included in a provisioning profile?
one or more development certificates, devices, and an iPhone application ID (a unique identifier for the iPhone applications you or your organization develop under an iPhone Developer Program contract)
How to install provisioning profile?
drag the file to the user’s Library group within iTunes
Three things iPhone Configuration Utility can do
create, distribute, and manage iPhone configuration files.
What are the system requirements for installing the iPhone SDK?
You must install the iPhone SDK on an Intel-based Macintosh computer. The iPhone SDK is not supported on Power PC systems.
In addition to web applications, what else can you create with Dashcode?
Dashboard widgets
When using Dashcode, you would click Run to open iPhone Simulator and display your application. In Xcode, how do you open iPhone Simulator and display your application?
In Xcode, you click “Build and Debug” to open iPhone Simulator and display your application
If you are developing a native application for external distribution on the App Store for a company with more than 500 employees, which iPhone Developer program should you join, Standard or Enterprise?
You should join the Standard Program as you are developing applications for distribution on the App Store, not solely for internal distribution.
Before you can receive a development certificate from the Program Portal, what must Apple accept?
Before it can provide a development certificate, Apple must approve your CSR (certificate signing request).
If you need to be positive that your application would work without network access, which type of application should you develop?
You should develop a native iPhone application
How do you change the payload of a VPN configuration profile that has already been deployed?
To update any changes within any of the payloads that make up a profile, you must replace the entire profile.
The basic function of the Mobile Access service
to provide proxied access from the Internet to specific services hosted on origin servers on a private network
How is mobile access more secure than VPN?
MAS allows connections only to specific servers for specific services on the private intranet, whereas VPN generally allows access to the entire intranet.
The Mobile Access service provides proxied access to which services?
iCal, Address Book, mail, and web
MAS requires OD auth plus what to access a service?
That the user has whitelist authorization
MAS supports which two methods for using certificates with proxied services
First, a certificate can be obtained for each origin server and imported into MAS. Second, a single wild card certificate can be obtained and used on any server for any service.
MAS is based on what type of proxy service?
MAS is based on a reverse proxy
When would VPN be a better solution for intranet access by external clients?
VPN would be a better solution for remote access when the specific user requires access to services or resources that are not available via Mobile Access.
Why would you assign specific port numbers, such as www.pretendco.com:8000, to external web server host names?
When using a version of Mac OS X Server prior to v10.6.2, you would assign port numbers to external web server host names if you had more than one web server on the intranet. This solution circumvented the issues related to virtual hosts and SSL certificates. However, with the release of v10.6.2, Apple has implemented SNI, and this workaround often is no longer necessary.
By what mechanism does MAS confirm that a user is authorized to access the intranet for specific services?
MAS uses the whitelist to determine authorized users
Why is a self-signed certificate not recommended for use on MAS?
When using a self-signed certificate, users are prompted to accept a certificate from an untrusted site. Training users to accept such a certificate may condition them to accept certificates in other situations in which they should not do so for security reasons (for example, when the certificate failed validation for legitimate security reasons).