98 Cards in this Set

Which of the following is used on a wireless network to identify the network name?

- Subnet mask
- SSID
- IP address
- MAC address
Answer: SSID


Explanation:

Wireless devices use the SSID to identify the network name. All devices on a wireless network use the same SSID.

The MAC address is a unique physical device address. The IP address is a logical address that includes both the logical network and the logical device address. The subnet mask is used with the IP address to identify the network portion of the IP address.

Section 3.11
Which type of configuration would you use if you wanted to deploy 802.11g technology to communicate directly between two computers?

- Ad hoc
- Infrastructure
- WAP
- WEP
Answer: Ad hoc


Explanation:

Configure an ad hoc connection to connect one computer directly to another using a wireless connection.

An infrastructure configuration uses a Wireless Access Point (WAP) to create a network. Devices communicate with each other through the WAP. WEP is a security mechanism used for authentication.

Section 3.11
You have a large number of sales people who use wireless access to the network from your single access point. You are concerned, however, about the network being used by nonauthorized users with wireless LAN cards. Which of the following can you enable on the access point (AP) to increase security?

- Kerberos
- IPSec
- SSL
- WEP
Answer: WEP


Explanation:

WEP (Wired Equivalent Privacy) is used to add a layer of security to the transmission by encrypting the data. The other technologies listed are all useful for various other forms of encryption, but do not work between a wireless access point and network card.

Section 3.11
Which of the following provides security for wireless networks?

- 802.3u
- WPA
- 802.11a
- WAP
- CSMA/CD
Answer: WPA


Explanation:

Wi-Fi Protected Access (WPA) provides encryption and user authentication for wireless networks. Wired Equivalent Privacy (WEP) also provides security, but WPA is considered more secure than WEP.

Section 3.11
Which of the following features are supplied by WPA on a wireless network?

- Refusal of client connections based on MAC address
- Filtering of traffic based on packet characteristics
- Identification of the network
- Encryption
- Centralized access point for clients
Answer: Encryption


Explanation:

Wi-Fi Protected Access (WPA) provides encryption and user authentication for wireless networks.

MAC address filtering allows or rejects client connections based on the hardware address. The SSID is the network name or identifier. A wireless access point (called an AP or WAP) is the central connection point for wireless clients. A firewall allows or rejects packets based on packet characteristics (such as address, port, or protocol type).

Section 3.11
You are designing a wireless network for a client who has offices in a single building. Your client needs the network to support a data rate of at least 54 Mbps. In addition, the client already has a wireless telephone system installed that operates 2.4 GHz.

Which 802.11 standard will work best in this situation?

- 802.16
- 802.11a
- 802.11g
- 802.11b
- 802.15
Answer: 802.11a


Explanation:

802.11a is the best choice for this client. While both 802.11a and 802.11g operate at 54 Mbps, 802.11g operates in the 2.4 GHz to 2.4835 GHz range, which will cause interference with the client's wireless phone system. 802.11a, on the other hand, operates in the 5.725 GHz to 5.850 GHz frequency range, which won't interfere with the phone system.

802.11b also operates in the 2.4 GHz range, and only gives you 11 Mbps. 802.15 is for personal wireless area networks, which are ad hoc connections between devices at very close range. 802.16 is for metropolitan wireless area networks, which cover distances of several kilometers.

Section 3.11
Which of the following is true of Bluetooth devices? (Select two.)

- Specifications are defined by the IEEE 802.15 committee.
- Bluetooth uses a proprietary 128-bit encryption method.
- Bluetooth uses AES with a 128-bit key and a 48-bit initialization vector (IV) for encryption.
- Specifications are defined by the IEEE 802.16 committee.
- Bluetooth uses RC4 with a 40-bit key and 24-bit initialization vector (IV) for encryption.
Answer:
- Specifications are defined by the IEEE 802.15 committee.
- Bluetooth uses a proprietary 128-bit encryption method.


Explanation:

Bluetooth adheres to the IEEE 802.15 specifications for personal wireless area networks. Bluetooth creates ad hoc connections between devices, and uses a proprietary 128-bit encryption method.

802.16 is for metropolitan wireless area networks, which cover distances of several kilometers; WiMAX is the most common implementation. RC4 encryption is used with WPA, while AES is used with WPA2.

Section 3.11
WiMAX is an implementation of which IEEE committee?

- 802.1x
- 802.11a
- 802.11b
- 802.11g
- 802.11i
- 802.15
- 802.16
Answer: 802.16


Explanation:

WiMAX is an implementation of the 802.16 specifications for metropolitan wireless area networks.

802.1x is an authentication method. 802.11a/b/g are wireless local area networking standards. 802.11i is the security standard for wireless networks, with WPA2 being the implementation of the 802.11i standard. 802.15 is the specification for personal wireless area networks, with Bluetooth being the most common implementation.

Section 3.11
Which of the following are true about Wi-Fi Protected Access 2 (WPA2)? (Select two.)

- Uses RC4 for encryption and MIC for data integrity.
- Uses RC4 for encryption and CRC-32 for data integrity.
- Upgrading from a network using WEP typically requires installing new hardware.
- Upgrading from a network using WEP can usually be done through a firmware upgrade.
- Uses AES for encryption and CBC-MAC for data integrity.
Answer:
- Upgrading from a network using WEP typically requires installing new hardware.
- Uses AES for encryption and CBC-MAC for data integrity.


Explanation:

Wi-Fi Protected Access 2 (WPA2) uses Advanced Encryption Standard (AES) for encryption and Cipher Block Chaining Message Authentication Code (CBC-MAC) for data integrity. Because of the processor-intensive nature of AES, new hardware is typically required when upgrading from a wireless network that currently uses WEP.

Wired Equivalent Privacy (WEP) uses RC4 for encryption and CRC-32 for data integrity. Wi-Fi Protected Access (WPA) uses RC4 for encryption and MIC for data integrity and can typically be implemented through a firmware update when moving from WEP.

Section 3.11
What encryption method is used with Wi-Fi Protected Access (WPA)?

- AES with a 128-bit key and a 48-bit initialization vector (IV)
- DES with a 56-bit key and a 16-bit initialization vector (IV)
- 3DES with a 168-bit key and a 48-bit initialization vector (IV)
- RC4 with a 40-bit key and 24-bit initialization vector (IV)
- RC4 with a 128-bit key and a 48-bit initialization vector (IV)
Answer: RC4 with a 128-bit key and a 48-bit initialization vector (IV)


Explanation:

Wi-Fi Protected Access (WPA) uses RC4 with a 128-bit key and a 48-bit initialization vector (IV) for encryption. Both WEP and WPA use RC4, but WPA improves upon the 40-bit key (or 104-bit key) and 24-bit IV used with WEP.

Wi-Fi Protected Access 2 (WPA2) uses AES with a 128-bit key and a 48-bit initialization vector (IV) for encryption. DES and 3DES are not used for wireless encryption. 3DES is used for IPSec which can be added to wireless transmissions to improve security.

Section 3.11
You have a small home wireless network that uses WEP. The access point is configured as the DHCP server and a NAT router that connects to the Internet. You do not have a RADIUS server. Which authentication method should you choose?

- Open
- 802.1x
- Shared secret
- TKIP
Answer: Open


Explanation:

When using WEP without a RADIUS server, use open authentication. Shared secret authentication with WEP uses the WEP key as the shared secret. Because of the weakness of WEP, this exposes the WEP key to attack.

802.1x authentication requires a RADIUS server and a directory server. Temporal Key Integrity Protocol (TKIP) is the protocol used by Wi-Fi Protected Access (WPA) for dynamic key rotation.

Section 3.11
You have a business network where you are replacing the wired network with an 802.11g wireless network. You currently use Active Directory on the company network as your directory service. The new wireless network will have multiple wireless access points. What is the method that is used to uniquely identify each access point?

- BSSID
- MAC address
- SSID
- OFDM
Answer: BSSID


Explanation:

The Basic Service Set Identifier (BSSID) is a 48-bit value that identifies an access point (AP) in an infrastructure network. The BSSID allows devices to find a specific AP on a network with multiple access points, and is used by computers to keep track of APs when roaming on a network with multiple access points.

The Service Set Identifier (SSID), also called the network name, groups wireless devices together into the same logical network. The SSID must be shared between all devices on the same network. The MAC address is unique to a host, and is used by an access point to identify hosts. Orthogonal Frequency Division Multiplexing (OFDM) is a wireless transmission method.

Section 3.11
You have a business network where you are replacing the wired network with an 802.11g wireless network. You currently use Active Directory on the company network as your directory service. The new wireless network will have multiple wireless access points. You want to use WPA2 on the network. What should you do to configure the wireless network? (Select two.)

- Configure devices to run in infrastructure mode.
- Install a RADIUS server. Use 802.1x authentication.
- Use open authentication with MAC address filtering.
- Configure devices to run in ad hoc mode.
- Use shared secret authentication.
Answer:
- Configure devices to run in infrastructure mode.
- Install a RADIUS server. Use 802.1x authentication.


Explanation:

When using wireless access points, configure an infrastructure network. Because you have multiple access points and an existing directory service, you can centralize authentication by installing a RADIUS server and using 802.1x authentication.

Use ad hoc mode when you need to configure a wireless connection between two hosts. Use open authentication with WEP or when you do not want to control access to the wireless network. Use shared secret authentication with WPA or WPA2 when you can't use 802.1x.

Section 3.11
Which two of the following lists accurately describe TCP and UDP?

- TCP: connection-oriented, reliable, sequenced, high overhead
- TCP: connectionless, unreliable, unsequenced, low overhead
- UDP: connection-oriented, reliable, sequenced, high overhead
- UDP: connectionless, reliable, sequenced, low overhead
- UDP: connectionless, unreliable, unsequenced, low overhead
Answer:
- TCP: connection-oriented, reliable, sequenced, high overhead
- UDP: connectionless, unreliable, unsequenced, low overhead


Explanation:

TCP and UDP both operate at the Transport layer (called the Host-to-Host layer in the TCP/IP model), but they have different characteristics.

TCP characteristics include:

- Connection-oriented
- Reliable
- Sequenced
- High overhead

UDP characteristics include:

- Connectionless
- Unreliable
- Unsequenced
- Low overhead

Sections 3.1 and 3.4.
You are an application developer creating applications for a wide variety of customers. In which two of the following situations would you select a connectionless protocol?

- A company connects two networks through an unreliable phone system. They are concerned that the transmission media is not reliable, and want to overcome this limitation as much as possible.
- A gaming company wants to create a networked version of its latest game. Communication speed and reducing packet overhead are more important than error-free delivery.
- A bank needs to transfer funds between systems. After data has been successfully transmitted, it is deleted from the sending system.
- A company connects two networks through an expensive WAN link. The communication media is reliable, but very expensive. They want to minimize connection times.
- A medical company needs an application to transfer medical records and patient prescriptions. Data accuracy and integrity are vital.
Answer:
- A gaming company wants to create a networked version of its latest game. Communication speed and reducing packet overhead are more important than error-free delivery.
- A company connects two networks through an expensive WAN link. The communication media is reliable, but very expensive. They want to minimize connection times.


Explanation:

Connectionless protocols assume a reliable connection between devices. For this reason, there is minimal packet overhead. Devices send when they are ready and do not expect a response. In this question, select a connectionless protocol for the gaming company that wants to minimize packet overhead and improve communication speed. Also use a connectionless protocol for the company that wants to minimize WAN connection times. Because of the reliability of the link, you can assume accurate delivery.

Select a connection-oriented protocol for the other situations.

Section 3.1
You are designing a new Ethernet network for your office. Cables will be routed in the ceiling space near lights. You want the network to operate at 100 Mbps and 1 Gbps. Which cable type should you choose?

- Cat5e UTP
- Cat 5 STP, plenum-rated
- Multi-mode fiber optic
- 10Base5, plenum-rated
Answer: Cat 5 STP, plenum-rated

Explanation:

Because the cables will be in the ceiling area, you must choose a plenum-rated cable. This cable gives off fewer toxic fumes when burned. For 100 Mbps or 1 Gbps Ethernet, choose Cat5 or higher cables. Use Shielded Twisted Pair (STP) cables to reduce the effects of EMI from the lights.

Cat5e offers better protection from EMI than Cat5 cables, but you still need plenum-rated cables. Fiber optic cables offer the greatest protection from EMI, but the plenum rating would still be a requirement. 10Base5 cables are used for 10 Mbps Ethernet.

Section 3.2
Which of the following best describes the purpose of the dual rings used with an FDDI network? (Select two.)

- Fiber-optic cables must be specially terminated at each device. Ring wrapping is the method of connecting the fiber-optic cables.
- Data is sent on both the primary and the secondary ring to double the data transfer rate.
- If a break in the cable occurs, data is rerouted onto the secondary ring, isolating the break.
- Fiber-optic cables used in the primary and secondary rings are insulated to minimize electromagnetic interference.
- Multiple tokens are released on the primary ring to increase data transfer rates.
Answer:
- Data is sent on both the primary and the secondary ring to double the data transfer rate.
- If a break in the cable occurs, data is rerouted onto the secondary ring, isolating the break.


Explanation:

Dual rings in an FDDI network can be used to double the data transfer rate, with data being sent on both rings. In addition, if a break occurs in one ring, all data can be routed to the other ring to ensure network availability in the event of a cable break.

Section 3.2
You want to implement a fault tolerant network topology for some mission-critical applications that will run on your network. Which of the following would meet your needs?

- 4 Mbps Token Ring
- FDDI
- 100BaseT
- 10Base5
Answer: FDDI


Explanation:

FDDI uses dual rings in its topology. If a break occurs in a segment in one ring, the network will still be fully operational. If a break occurs in both rings, much of the network may still function as well.

Section 3.2
Both PPP and SLIP are used to connect to the Internet through a dial-up connection. Which offers error control and security?

- PPP
- SLIP
- Both PPP and SLIP
- Neither PPP nor SLIP
Answer: PPP


Explanation:

Point-to-Point Protocol (PPP) offers enhancements to SLIP such as error control and security. When given a choice for a dial-up protocol, choose PPP.

Section 3.9
Which of the following protocols or services is commonly used on cable Internet connections for user authentication?

- RRAS
- RDP
- PPP
- PPPoE
Answer: PPPoE


Explanation:

The Point-to-Point Protocol over Ethernet (PPPoE) is commonly used on cable Internet connections for user authentication. Like its dial-up counterpart, the Point-to-Point Protocol (PPP), PPPoE requires that users provide authentication information before a connection is granted.

The Routing and Remote Access Service (RRAS) is a software program used on Windows systems to provide remote connectivity capabilities to users. Although it could be used for authentication services on a cable Internet access system, it is not commonly used for this purpose. The Point-to-Point Protocol (PPP) is a user authentication system commonly deployed on dial-up remote access connections. Remote Desktop Protocol (RDP) is the protocol used by Windows Terminal Services based applications, including Remote Desktop.

Section 3.9
You are configuring a Linux workstation so that a user can dial in remotely to a Windows 2000 Server. The user will be accessing the corporate network via modem.

Which of the following dial-up protocols are you most likely to configure for the connection?

- PPP
- CHAP
- SLIP
- VPN
Answer: PPP


Explanation:

The Point-to-Point Protocol (PPP) provides dial-up access for remote systems and is widely supported, including by Windows 2000.

The Serial Line Interface Protocol (SLIP) is only supported by Windows 2000 as an outbound access protocol. It is not accepted for incoming connections. The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol, not a dial-up protocol used to establish a connection. A Virtual Private Network (VPN) is a secure link between two locations over a public network such as the Internet. It is not in and of itself a protocol used for establishing dial-up connections.

Section 3.9
You are configuring a dial-up connection to a remote access server. Which protocols would you choose to establish the connection and authenticate, providing the most secure connection possible? (Select two.)

- SLIP
- PAP
- PPPoE
- CHAP
- PPP
Answer:
- CHAP
- PPP


Explanation:

Choose PPP and CHAP for the connection.

Choose Point-to-Point Protocol (PPP) for the connection. PPP is preferred over Serial Line Interface Protocol (SLIP) because it can negotiate encryption protocols to use for the connection. Point-to-Point Protocol over Ethernet (PPPoE) is similar to PPP, but is used for a cable (not a dial-up) connection.

Choose Challenge Handshake Authentication Protocol (CHAP) for authentication. CHAP uses hashing to protect the passwords, and also allows re-authentication. Avoid using Password Authentication Protocol (PAP) because it transmits credentials in the clear (unencrypted).

Section 3.9
Which remote access authentication protocol allows for the use of smart cards for authentication?

- PAP
- SLIP
- PPP
- CHAP
- EAP
Answer: EAP


Explanation:

Extensible Authentication Protocol (EAP) is a set of interface standards that allows you to use various authentication methods including smartcards, biometrics, and digital certificates.

Password Authentication Protocol (PAP) transmits logon credentials in clear text. Challenge Handshake Authentication Protocol (CHAP) protects logon credentials using a hash and allows for periodic re-authentication. Point-to-Point Protocol (PPP) and Serial Line Interface Protocol (SLIP) are not remote access authentication protocols. They are used to establish the connection, but do not provide authentication.

Section 3.9
Which of the following protocols can be used to centralize remote access authentication? (Select two.)

- CHAP
- TACACS
- SESAME
- DIAMETER
- EAP
- Kerberos
Answer:
- TACACS
- DIAMETER

Explanation:

Centralized remote access authentication protocols include:

- Remote Authentication and Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)
- DIAMETER

Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) are authentication protocols used between the client and the server. Kerberos and Secure European System for Applications in a Multi-Vendor Environment (SESAME) are single sign-on protocols.

Section 3.9
Which of the following WAN technologies uses extensive error-checking and retransmission over telephone lines and is the best protocol to use when the line quality is poor?

- X.25
- ISDN
- ATM
- Frame Relay
Answer: X.25


Explanation:

X.25 was first used to transmit data over analog telephone lines. Because the lines were unreliable, extensive error-checking was built into the technology. However, this error-checking can be redundant and unnecessary if the transmission media is reliable.

Section 3.9
Which Internet connectivity method sends voice phone calls using the TCP/IP protocol over digital data lines?

- 802.11g
- PSTN
- Cable Internet
- VoIP
Answer: VoIP


Explanation:

VoIP sends voice phone calls using the TCP/IP protocol over digital data lines.

Cable Internet uses the extra bandwidth on cable television connections for Internet data. PSTN is the public telephone system that uses analog signaling. 802.11g is a wireless networking standard.

Section 3.9
You want to reduce collisions by creating separate collision domains and virtual LANs. Which of the following devices should you choose?

- Bridge
- Switch
- Router
- Active hub
Answer: Switch


Explanation:

Use a switch to create additional collision domains on a LAN. A switch filters an entire network and creates virtual LANs inside it, rather than dividing it into separate internetworks as a router does.

Section 3.5
Which of the following best describes the concept of a virtual LAN?

- Devices on different networks that can receive multicast packets
- Devices in separate networks (i.e. different network addresses) logically grouped as if they were in the same network
- Devices connected through the Internet that can communicate without using a network address
- Devices on the same network logically grouped as if they were on separate networks
- Devices connected by a transmission medium other than cable (i.e. microwave, radio transmissions)
Answer: Devices on the same network logically grouped as if they were on separate networks


Explanation:

A virtual LAN is created by identifying a subset of devices on the same network, and logically identifying them as if they were on separate networks. Think of VLANs as a subdivision of a LAN.

Section 3.5
Which of the following is an advantage of using switches to create virtual LANs?

- Traffic is routed between separate networks.
- Broadcast traffic travels to a subset of devices rather than to all devices on the network.
- Messages are forwarded to all devices on the network.
- Broadcast traffic is routed through the WAN.
Answer: Broadcast traffic travels to a subset of devices rather than to all devices on the network.


Explanation:

Creating VLANs with switches lets you define separate broadcast domains and distribute traffic more evenly. Broadcast traffic within the VLAN goes only to the members of the VLAN. While you could do this with routers by defining separate networks, switches are easier to administer and are cheaper than routers, and they provide tighter network security, as well as microsegmentation and network scalability.

Section 3.5
Which characteristic of a switch can improve bandwidth utilization and reduce the risk of sniffing attacks on the network?

- The switch creates a collision domain that includes all devices connected to the switch.
- The switch puts each port in its own collision domain.
- The switch creates a broadcast domain that includes all devices connected to the switch.
- The switch puts each port in its own broadcast domain.
Answer: The switch puts each port in its own collision domain.


Explanation:

A switch creates multiple collision domains, with each port being in its own collision domain. This improves bandwidth utilization because collisions are reduced or eliminated (when connecting one device per port). Sniffing attacks are reduced because messages are sent only to the port where the device is attached. When a hub is used, messages are sent to all devices, making packet sniffing as easy as connecting a sniffer to the hub port.

Switches have a single broadcast domain. Hubs have a single collision domain.

Section 3.5.
What characteristic of hubs poses a security threat?

- Hubs often include repeaters that amplify the signal strength.
- Hubs create multiple collision domains.
- Hubs transmit frames to all hosts on all ports.
- Hubs create multiple broadcast domains.
Answer: Hubs transmit frames to all hosts on all ports.


Explanation:

The biggest security threat that comes from hubs is that hubs transmit frames to all hosts on all ports. In normal operations, hosts will ignore any message not sent to that host. However, you can hook a sniffer up to a hub and receive all traffic on that network segment. To mitigate this risk, use switches instead of hubs.

Hubs have a single collision domain, which is caused by all devices being able to transmit at the same time.

Hubs have a single broadcast domain. While this leaves devices on a hub susceptible to broadcast traffic attacks, the most serious threat comes from sniffing attacks. Hubs have repeaters, but this does not pose a significant security threat.

Section 3.5
Which of the following describes how a router can be used to implement security on your network?

- Examine the packet payload to deny packets with malformed data.
- Use a lookup table to deny access to traffic from specific MAC addresses.
- Use an access control list to deny traffic sent from specific users.
- Use an access control list to deny traffic from specific IP addresses.
Answer: Use an access control list to deny traffic from specific IP addresses.

Explanation:

Routers operate at the Network layer of the OSI model and examine the IP addresses contained in the packet. You can use access lists on the router to deny traffic sent from or to specific IP addresses or networks. Routers can also reject packets from specific protocols and port numbers.

Switches examine the MAC address in frames. You can configure MAC address filtering on switches to deny frames sent from specific hosts. Denying access from users is performed by a proxy server that looks at data at the Application layer.

Section 3.5
Which of the following devices does not examine the MAC address in a frame before processing or forwarding the frame?

- Network interface card (NIC)
- Hub
- Switch
- Router
Answer: Hub


Explanation:

A hub does not examine the MAC address in a frame. A hub simply forwards all frames regardless of the MAC address.

Switches use the MAC address for forwarding decisions. A network interface card (NIC) reads the MAC address in a frame to know which frames to receive. A router does the same thing to identify packets that are addressed to the router. However, it uses the IP address to make packet forwarding decisions.

Section 3.5
After blocking a number of ports to secure your server, you are unable to send e-mail. To allow e-mail service, which of the following needs to be done?

- Open port 25 to allow SMTP service.
- Open port 110 to allow POP3 service.
- Open port 110 to allow SMTP service.
- Open port 80 to allow SNMP service.
- Open port 80 to allow SMTP service.
- Open port 25 to allow SNMP service.
Answer: Open port 25 to allow SMTP service.


Explanation:

The Simple Mail Transfer Protocol (SMTP) uses TCP port 25 and is responsible for sending email. If port 25 is blocked, users will not be able to send email, but they could still receive email using port 110 and the POP3 protocol.

SNMP is used to monitor network traffic. POP3 uses port 110 and is used to retrieve email from a mail server.

Section 3.7
You are the administrator for a secure network that uses firewall filtering. Several network users have requested to access Internet Usenet groups but are unable. What needs to be done to allow users to access the newsgroups?

- From the firewall server, select the option to allow UDP transfer through a secure port.
- Open port 119 to allow NNTP service.
- Open ports 1024-1032 to allow NNTP, FTP, and UDP service.
- Open port 161 to allow SNMP service.
- Open port 123 to allow NTP service.
Answer: Open port 119 to allow NNTP service.


Explanation:

The Network News Transfer Protocol (NNTP) is part of the TCP/IP protocol suite and is used to connect clients to Usenet groups on the Internet. NNTP uses port 119, and if this port is blocked, NNTP service will be unavailable.

The Network Time Protocol (NTP) uses port 123 and is used to update the real time clock on a computer. The Simple Network Management Protocol (SNMP) uses port 161 and is used for network monitoring.

Section 3.7
To increase security on your company's internal network, the administrator has disabled as many ports as possible. Now, however, though you can browse the Internet, you are unable to perform secure credit card transactions.

Which port needs to be enabled to allow secure transactions?

- 443
- 69
- 80
- 21
- 23
Answer: 443


Explanation:

To perform secure transactions, SSL on port 443 needs to be enabled.

Section 3.7
You want to maintain tight security on your internal network so you restrict access to the network through certain port numbers. If you want to allow users to continue to use DNS, which port should you enable?

- 443
- 53
- 42
- 21
- 80
Answer: 53


Explanation:

The DNS service uses port 53.

Section 3.7
You are reviewing the configuration of a firewall that serves as the single point of Internet access. You note that the following ports are open: 21, 22, 25, 53, 80, 110, and 443. Policy dictates that users are only allowed to perform the following actions on Internet hosts:

- Download files using FTP.
- Browse secure and insecure Websites.
- Send and receive e-mail.

Which ports, if any, are you most likely to close on the firewall?

- 21, 22, 110, 443
- 22, 53
- 21, 53, 443
- 22
- None.
Answer: 22


Explanation:

TCP/IP port 22 is used by the Secure Shell (SSH) protocol. SSH is used to establish secure sessions on remote hosts, and so does not fall into the list of permitted activities. Therefore, you should block TCP/IP port 22 on the firewall.

The File Transfer Protocol (FTP) uses TCP/IP port 21. TCP/IP port 25 is associated with the Simple Mail Transfer Protocol (SMTP). SMTP is used to send e-mail to remote hosts. The Domain Name Service (DNS) uses TCP/IP port 53. Although not specifically stated, you are unlikely to block TCP/IP port 53, as it would prevent users from accessing remote hosts by their TCP/IP hostname. TCP/IP port 80 is associated with the Hypertext Transfer Protocol (HTTP). HTTP is used to access and download Web pages from Web servers. TCP/IP port 110 is associated with the Post Office Protocol version 3 (POP3). POP3 is used to download e-mail from servers. TCP/IP port 443 is associated with the Secure Sockets Layer (SSL) protocol. SSL is used to access secure Web sites.

Section 3.7
Which of the following is a key characteristic of a kernel proxy firewall?

- Is a combination of a packet filter and a stateful inspection firewall.
- Examines data at the OSI Layer 7.
- Operates at the operating system ring 0.
- Opens and closes ports dynamically in response to a requested frame.
- Operates at the operating system ring 0.


Explanation:

A kernel proxy firewall, also called a generation five firewall, operates at the operating system ring 0. This gives it trusted status with the operating system. Most other firewalls operate at ring 3.

Generation four (dynamic packet filter) firewalls are a combination of packet filter and stateful inspection firewalls. They can open and close ports dynamically in response to a requested frame. A generation two application layer firewall examines traffic at the Application layer (Layer 7).

Section 3.7
Which of the following are true of a circuit proxy filter firewall? (Select two.)

- Verifies sequencing of session packets.
- Operates at the Network and Transport layers.
- Examines the entire message contents.
- Operates at the Session layer.
- Operates at the Application layer.
- Operates at ring 0 of the operating system.
- Verifies sequencing of session packets.
- Operates at the Session layer.


Explanation:

A circuit proxy filter (generation two) firewall operates at the Session layer. It verifies the sequencing of session packets, breaks the connections, and acts as a proxy between the server and the client.

An application layer firewall operates at the Application layer, examines the entire message, and can also act as a proxy to clients. A stateful inspection firewall operates at the Network and Transport layers. It filters on both IP addresses and port numbers. A kernel proxy filtering firewall operates at the operating system ring 0.

Section 3.7
Which of the following firewall types can be a proxy between servers and clients? (Select two.)

- Circuit proxy filtering firewall
- Application layer firewall
- Stateful inspection firewall
- Kernel proxy filtering firewall
- Dynamic packet filtering firewall
- Circuit proxy filtering firewall
- Application layer firewall


Explanation:

Both the circuit proxy filtering firewall and the application layer firewall can act as a proxy server between a server and a client.

The kernel proxy filtering firewall operates at the operating system ring 0. The stateful inspection firewall operates at the Network and Transport layers, and therefore cannot adequately examine messages in order to act as a proxy. The dynamic packet filtering firewall is a combination of a stateful inspection and a packet filtering firewall.

Section 3.7
Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks?

- Kernel proxy
- Multi-homed
- Circuit proxy
- Bastion or sacrificial host
- Bastion or sacrificial host


Explanation:

A bastion or sacrificial host is one that is unprotected by a firewall. The term bastion host can be used to describe any device fortified against attack (such as a firewall). A sacrificial host might be a device intentionally exposed to attack, such as a honey pot.

Circuit proxy and kernel proxy are types of firewall devices. Multi-homed describes a device with multiple network interface cards.

Section 3.7
When designing a firewall, what is the recommended approach for opening and closing ports?

- Close all ports; open only ports required by applications inside the DMZ.
- Open all ports; close ports that expose common network attacks.
- Close all ports.
- Close all ports; open ports 20, 21, 53, 80, and 443.
- Open all ports; close ports that show improper traffic or attacks in progress.
- Close all ports; open only ports required by applications inside the DMZ.


Explanation:

When designing a firewall, the recommended practice is to close all ports and then only open those ports that allow the traffic that you want to allow inside the DMZ or the private network. Ports 20, 21, 53, 80, and 443 are common ports that are opened, but the exact ports you will open depend on the services provided inside the DMZ.

Section 3.7
Which of the following authentication protocols transmits passwords in clear text, and is therefore considered too insecure for modern networks?

- CHAP
- PAP
- RADIUS
- EAP
- PAP

Explanation:

The Password Authentication Protocol (PAP) is considered insecure because it transmits password information in clear text. Anyone who 'sniffs' PAP traffic from a network can view the password information from a PAP packet with a simple traffic analyzer.

The Challenge Handshake Protocol (CHAP) uses a three-way handshake to authenticate users. During this handshake, a hashed value is used to authenticate the connection. The Extensible Authentication Protocol (EAP) is an enhanced authentication protocol that can use a variety of authentication methods including digital certificates and smartcards. The Remote Authentication Dial-In User Service (RADIUS) is an authentication system that allows the centralization of remote user account management.

Section 3.9
What is the primary function of the Internet Key Exchange (IKE) protocol used with IPSec?

- Encrypt packet contents.
- Provide authentication services.
- Provides both authentication and encryption.
- Ensures dynamic key rotation and selects initialization vectors (IVs).
- Create a security association between communicating partners.
- Create a security association between communicating partners.


Explanation:

The Internet Key Exchange (IKE) protocol is used with IPSec to create a security association between communicating partners. It controls the negotiation of encryption methods, identifies how keys are exchanged, and sets up other parameters that control communications.

Encapsulating Security Payload (ESP) provides both authentication and encryption, while Authentication Header (AH) provides authentication only.

Section 3.10
You are the network administrator for a small company that implements NAT to access the Internet. However, you recently acquired 5 servers that must be accessible from outside your network. Your ISP has provided you with 5 additional registered IP addresses to support these new servers, but you don’t want the public to access these servers directly. You want to place these servers behind your firewall on the inside network yet still allow them to be accessible to the public from the outside.

Which method of NAT translation should you implement for these 5 servers?

- Dynamic
- Restricted
- Overloading
- Static
- Static


Explanation:

Static translation consistently maps an unregistered IP address to the same registered IP address on a one-to-one basis. Static NAT is particularly useful when a device needs to be assigned the same address so it can be accessed from outside the network, such as web servers and other similar devices.

Dynamic translation would not work for these servers because it maps an unregistered host IP address to any available IP address configured in a pool of one or more registered IP addresses. Accessing a server assigned one of these addresses would be nearly impossible because the addresses are still shared by multiple hosts.

Section 3.8
You want to connect your small company network to the Internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connections to internal hosts. What type of Network Address Translation (NAT) should you implement?

- Restricted
- Shared
- Dynamic
- Static
- Dynamic


Explanation:

Use dynamic NAT to share public addresses with multiple private hosts. Dynamic NAT allows private hosts to access the Internet, but does not allow Internet hosts to initiate contact with private hosts.

Section 3.8
Routers operate at what level of the Open System Interconnect model?

- Network layer
- Layer 2
- Transport layer
- Layer 5
- Network layer


Explanation:

Routers operate at the Network layer of the OSI model (also known as Layer 3). The Network layer is where the primary network protocol resides. For TCP/IP networks, that is the IP protocol. At this layer, routers are able to manage traffic based on the contents of the IP packet header. The IP packet header contains the IP addresses of the source and destination.

Section 3.1
Which of the following is a privately controlled portion of a network that is accessible to some specific external entities?

- Internet
- Intranet
- Extranet
- MAN
- Extranet


Explanation:

An extranet is a privately controlled portion of a network that is accessible to some specific external entities. Often those external entities are business partners, suppliers, distributors, vendors, or possibly customers.

An intranet is a LAN that employs the technology of the Internet, namely TCP/IP, Web servers, and e-mail. The Internet is the global TCP/IP based network that supports most of the Web and e-mail communications occurring today. A MAN (metropolitan area network) is a LAN that is spread across several city blocks, across a business park, or across a campus.

Section 3.1
Which of the following is an example of a decentralized privilege management solution?

- Client/server environment
- Terminal services
- Workgroup
- RADIUS
- Workgroup


Explanation:

A workgroup is an example of a decentralized privilege management solution. In a workgroup, user accounts are defined on each individual system rather than on a centralized access control server. All of the other selections are centralized privilege management solutions.

Section 3.1
All of the 802.11x standards for wireless networking support which type of communication path sharing technology?

- CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
- Polling
- CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
- Token passing
- CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)


Explanation:

802.11x standards for wireless networking all support the CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) type of communication path sharing technology. CSMA/CA allows multiple baseband clients to share the same communication medium. CSMA/CA works as follows:

1. The system asks for permission to transmit.

2. A designated authority (such as a hub, router, or access point) grants access when the communication medium is free.

3. The system transmits data and waits for an ACK (acknowledgment).

4. If no ACK is received, the data is retransmitted.

Polling is a mechanism where one system is labeled as the primary system. The primary system polls each secondary system in turn to inquire whether they have data to transmit. Token passing is a mechanism that uses a digital pass card. Only the system holding the token is allowed to communicate. CSMA/CD is the technology used by Ethernet. CSMA/CD works as follows:

1. The system listens for traffic; if the line is clear, it begins transmitting.

2. During the transmission, the system listens for collisions.

3. If no collisions are detected, the communication succeeds. If collisions are detected, an interrupt jam signal is broadcast to stop all transmissions. Each system waits a random amount of time before starting over at step 1.

Section 3.11
Which of the following is a type of coaxial cable?

- UTP
- STP
- 10BaseT
- 10Base5
- 10Base5


Explanation:

10Base5 or ThickNet is a type of coaxial cable. Another type of coaxial cable not listed in this question is 10Base2 or ThinNet. Coax cable is often used as trunk lines between hubs, routers, or switches to provide a more robust connection over greater distance than a normal UTP cable.

10BaseT is a twisted pair cable. 10BaseT can also be called STP or UTP cable.

Section 3.2
What category (CAT) level of UTP cable is rated to support 100 Mbps of throughput at a maximum distance of 100 meters?

- CAT3
- CAT4
- CAT5
- CAT7
- CAT5


Explanation:

CAT5 cable is rated to support 100Mbps of throughput at a maximum distance of 100 meters.

CAT3 cable is rated to support 4Mbps of throughput at a maximum distance of 100 meters. CAT4 cable is rated to support 16Mbps of throughput at a maximum distance of 100 meters. CAT7 cable is rated to support 1Gbps of throughput at a maximum distance of 100 meters.

Section 3.2
The twisting of wire pairs within 10BaseT wiring is a countermeasure against?

- Termination
- Crosstalk
- Attenuation
- Eavesdropping
- Crosstalk


Explanation:

Twisting is a countermeasure against crosstalk. The greater the difference in twists per inch between two twisted cable sets, the less likely crosstalk will occur between them. Crosstalk is the problem of the signal from one set of communication wires being picked up by another set of wires.

Attenuation is loss of signal strength due to excessive length of cable. Eavesdropping is the act of capturing and examining traffic on a network cable. Termination is a requirement of coax cable, not twisted pair cable.

Section 3.2
What is the primary difference between STP and UTP?

- Number of twists per inch
- Throughput capability
- Number of wires within the cable
- Foil
- Foil


Explanation:

The primary difference between STP and UTP is the presence of a foil shield in an STP cable. Otherwise, STP and UTP cable are exactly the same. The shielding of STP makes it slightly less vulnerable to crosstalk and interference.

STP and UTP have the same number of wires within the cable: 8 (or 4 pairs). STP and UTP have the same number of twists per inch when comparing cables from the same category (i.e. CAT 5). STP and UTP cables from the same category also have the same throughput capability.

Section 3.2
Which type of cable is most resistant to tapping and eavesdropping?

- 10Base2
- ThickNet
- 10BaseT
- Fiber optic
- Fiber optic


Explanation:

Fiber optic cable is the most resistant to tapping and eavesdropping. Fiber optic cable transmits light pulses rather than electricity to communicate. Thus, it is not susceptible to most forms of interference or wire tapping technologies.

ThickNet (10Base5 coax), 10Base2 (ThinNet coax), and 10BaseT (STP and UTP) are very susceptible to tapping and eavesdropping.

Section 3.2
Telnet is inherently insecure because its communications are in plain text and easily intercepted. Which of the following is an acceptable alternative to Telnet?

- SLIP (Serial Line Interface Protocol)
- Remote Desktop
- SHTTP (Secure Hypertext Transfer Protocol)
- SSH (Secure Shell)
- SSH (Secure Shell)


Explanation:

SSH (Secure Shell) is a secure and acceptable alternative to Telnet. SSH allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication. SSH uses the IDEA algorithm for encryption by default, but is able to use Blowfish and DES.

Remote Desktop, while a remote control mechanism, is limited in use to a few versions of Windows and is not very secure.

Section 3.4
S/FTP (Secure FTP) uses which mechanism to provide security for authentication and data transfer?

- IPSec (Internet Protocol Security)
- Token devices
- Multi-factor authentication
- SSL (Secure Sockets Layer)
- SSL (Secure Sockets Layer)


Explanation:

S/FTP (Secure FTP) uses SSL (Secure Sockets Layer) to provide security for authentication and data transfer. S/FTP is an FTP replacement that brings reasonable security to an otherwise insecure file transfer mechanism. FTP by itself is insecure because FTP transmits logon credentials in the clear and does not encrypt transmitted files.


Section 3.4
What is the default encryption algorithm used by SSH (Secure Shell) to protect data traffic between a client and the controlled server?

- AES
- Blowfish
- IDEA
- DES
- IDEA


Explanation:

SSH uses the IDEA algorithm for encryption by default. SSH (Secure Shell) is a secure and acceptable alternative to Telnet. SSH allows for secure interactive control of remote systems. SSH uses RSA public key cryptography for both connection and authentication.

SSH can use Blowfish or DES, but these are not the default methods. SSH does not support AES (at least not SSH-2 which is covered on this exam).

Section 3.4
Which of the following is not true regarding SSL (Secure Sockets Layer)?

- SSL was developed by Netscape to secure Internet based client/server interactions
- SSL encrypts the entire communication session between a server and a client
- SSL authenticates the server to the client using a biometric based multi-factor authentication mechanism
- SSL can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail
- SSL authenticates the server to the client using a biometric based multi-factor authentication mechanism


Explanation:

SSL authenticates the server to the client using public key cryptography and digital certificates. It does not use biometrics nor does it employ a multi-factor authentication mechanism. SSL (Secure Sockets Layer) operates over TCP port 443. SSL was developed by Netscape to secure Internet based client/server interactions. SSL encrypts the entire communication session between a server and a client. SSL can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
The session keys employed by SSL (Secure Sockets Layer) are available in what bit lengths?

- 128 bit and 65 bit
- 256 bit and 192 bit
- 128 bit and 40 bit
- 256 bit and 128 bit
- 128 bit and 40 bit


Explanation:

Session keys employed by SSL (Secure Sockets Layer) are available in 128-bit and 40-bit lengths.

SSL operates over TCP port 443. SSL was developed by Netscape to secure Internet based client/server interactions. SSL authenticates the server to the client using public key cryptography and digital certificates. SSL encrypts the entire communication session between a server and a client. SSL can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
SSL (Secure Sockets Layer) operates at which layer of the OSI model?

- Presentation
- Transport
- Session
- Application
- Session


Explanation:

SSL (Secure Sockets Layer) operates at the Session layer of the OSI model.

SSL operates over TCP port 443. SSL was developed by Netscape to secure Internet based client/server interactions. SSL authenticates the server to the client using public key cryptography and digital certificates. SSL encrypts the entire communication session between a server and a client. SSL can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
Which of the following technologies is based upon SSL (Secure Sockets Layer)?

- L2TP (Layer 2 Tunneling Protocol)
- S/MIME (Secure Multipurpose Internet Mail Extensions)
- IPSec (Internet Protocol Security)
- TLS (Transport Layer Security)
- TLS (Transport Layer Security)


Explanation:

TLS is based on SSL, but they are not interoperable. TLS (Transport Layer Security) operates over TCP port 443 or port 80. TLS was developed by Netscape to secure Internet based client/server interactions. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
Which of the following is an improvement built into TLS (Transport Layer Security) that SSL (Secure Sockets Layer) does not have?

- Prevents eavesdropping and tampering
- Employs server to client authentication
- Based on X.509 certificates
- Secures Web traffic
- Prevents eavesdropping and tampering


Explanation:

Prevention of eavesdropping and tampering is an improvement built into TLS (Transport Layer Security) that SSL (Secure Sockets Layer) does not have. TLS is based on SSL, but they are not interoperable. TLS (Transport Layer Security) operates over TCP port 443 or port 80. TLS was developed by Netscape to secure Internet based client/server interactions. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
Which type of encryption is used by SSL (Secure Sockets Layer)?

- Asymmetric
- Public Key cryptography
- Symmetric
- Hashing algorithm
- Symmetric


Explanation:

SSL uses symmetric cryptography for encryption. Symmetric cryptography can also be called private key cryptography or secret key cryptography. Specifically, SSL employs RSA.

Section 3.4
Which of the following communications encryption mechanisms has a specific version for wireless communications?

- TLS (Transport Layer Security)
- SSL (Secure Sockets Layer)
- IPSec (Internet Protocol Security)
- HTTPS (Hypertext Transfer Protocol over Secure Socket Layer)
- TLS (Transport Layer Security)


Explanation:

TLS has a specific version for wireless communications known as WTLS or Wireless Transport Layer Security. TLS (Transport Layer Security) operates over TCP port 443 or port 80. TLS was developed by Netscape to secure Internet based client/server interactions. TLS is based on SSL, but they are not interoperable. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
When using SSL authentication, what does the client verify first when checking a server's identity?

- The current date and time must fall within the server's certificate validity period
- The certificate must be non-expiring and self-signed by the sysadmin
- Master secrets are verifiable from asymmetric keys
- All DNS resolution must point to the corporate intranet routers
- The current date and time must fall within the server's certificate validity period


Explanation:

An SSL client first checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.

SSL clients verify a server's identity with the following steps:

1. The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.

2. The client verifies that the issuing Certificate Authority (CA) is on its list of trusted CAs.

3. The client uses the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

4. To protect against Man in the Middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate.

Section 3.4
An SSL client has determined that the Certificate Authority (CA) issuing a server's certificate is on its list of trusted CAs. What is the next step in verifying the server's identity?

- The CA's public key must validate the CA's digital signature on the server certificate
- The domain on the server certificate must match the CA's domain name
- The master secret is generated from common key code
- The post-master secret must initiate subsequent communication
- The CA's public key must validate the CA's digital signature on the server certificate


Explanation:

Once an SSL client has identified a CA as trusted, it uses the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

SSL clients verify a server's identity with the following steps:

1. The client checks the server's certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.

2. The client verifies that the issuing Certificate Authority (CA) is on its list of trusted CAs.

3. The client uses the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

4. To protect against Man in the Middle attacks, the client compares the actual DNS name of the server to the DNS name on the certificate.

Section 3.4
Which of the following statements is not true?

- TLS (Transport Layer Security) provides security for Web traffic at the Transport layer.
- TLS (Transport Layer Security) operates over TCP port 443 or port 80.
- TLS (Transport Layer Security) has the capability to drop down into SSL 3.0 mode for backward compatibility.
- TLS (Transport Layer Security) is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.
- TLS (Transport Layer Security) provides security for Web traffic at the Transport layer.


Explanation:

TLS provides security for Web traffic above the Transport layer. TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. TLS has the capability to drop down into SSL 3.0 mode for backward compatibility. TLS operates over TCP port 443 or port 80. TLS is based on SSL, but they are not interoperable.

TLS was developed by Netscape to secure Internet based client/server interactions. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail.

Section 3.4
Which of the following is not a benefit of using a VLAN?

- Reduced likelihood of traffic interception
- Connect geographically separate systems into the same network
- Decreased broadcast traffic
- Increased collisions
- Increased collisions


Explanation:

VLANs do not increase collisions, they usually reduce collisions.

VLANs reduce the likelihood of traffic interception because the switch creating the VLANs transmits traffic only over the specific port hosting the intended recipient of a message. Thus, eavesdropping on any given segment will reveal only the traffic occurring on that specific segment rather than from the entire network. VLANs decrease broadcast traffic and allow the connection of geographically separate systems into the same network.

Section 3.5
Which of the following is a security mechanism that adds ACLs to individual ports?

- TCP wrapper
- IDS
- Ping scanner
- Fingerprinting
- TCP wrapper


Explanation:

A TCP wrapper is a security mechanism that adds ACLs to individual ports. TCP wrappers is a daemon (i.e., a network service) that intercepts connection requests. If the connection request is authorized, the request is passed on to the inetd daemon, which processes and supports the requested communication. TCP wrappers are mainly found on UNIX and Linux systems.

An IDS is a network monitoring tool that looks for unwanted or abnormal events either in live network traffic or in audit logs. A ping scanner is a network mapping tool that employs ICMP packets to test the connectivity of ports and IP addresses. Fingerprinting is the act of identifying an operating system or network service based upon its ICMP message quoting characteristics.

Section 3.7
Which of the following is the best device to deploy to protect your private network from a public untrusted network?

- Firewall
- Gateway
- Router
- Hub
- Firewall


Explanation:

A firewall is the best device to deploy to protect your private network from a public untrusted network. Firewalls are used to control traffic entering and leaving your trusted network environment. Firewalls can manage traffic based on source or destination IP address, port number, service protocol, application or service type, user account, and even traffic content.

Routers offer some packet-based access control, but not as extensive as that of a full-fledged firewall. Hubs and gateways are not sufficient for managing the interface between a trusted and an untrusted network.

Section 3.7
A multi-homed firewall offers what advantage?

- Protecting your trusted network even if the DMZ is compromised
- Providing adequate bandwidth even when attacked by a Denial of Service attack
- Providing an efficient system to distribute files to external users
- Supporting your company's e-commerce traffic
- Protecting your trusted network even if the DMZ is compromised


Explanation:

A multi-homed firewall offers the advantage of protecting your trusted network even if the DMZ is compromised. A multi-homed firewall is a firewall device or host system that has two or more network interfaces. One interface is connected to the untrusted network and another interface is connected to the trusted network. A DMZ can be added to a multi-homed firewall just by adding a third interface. The rules for accessing the DMZ are looser than those protecting the private network.

A Denial of Service attack does not allow a device to provide adequate bandwidth, that's the whole point of such an attack. A firewall does not offer support for e-commerce or file distribution as a native feature. Firewalls may allow such traffic to cross from the trusted to untrusted network if so configured.

Section 3.7
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted Internet?

- Padded Cell
- Extranet
- DMZ
- Intranet
- DMZ


Explanation:

A DMZ or demilitarized zone is a network placed between a private secured network and the untrusted Internet to grant external users access to internally controlled services. The DMZ serves as a buffer network.

An intranet is a private network that happens to employ Internet information services. An extranet is a division of a private network that is accessible to a limited number of users, such as business partners, suppliers, and certain customers. A padded cell is an intrusion detection countermeasure used to delay intruders sufficiently to record meaningful information about them for discovery and prosecution.

Section 3.7
Which of the following is likely to be located in a DMZ (demilitarized zone) or a buffer subnet?

- User workstations
- FTP server
- Backup server
- Domain controller
- FTP server


Explanation:

An FTP server is the most likely component from this list to be located in a DMZ (demilitarized zone) or a buffer subnet. A DMZ should only contain servers that are to be accessed by external visitors. Often it is assumed that any server placed in the DMZ will be compromised. Thus, no mission critical or sensitive systems are located in a DMZ.

A domain controller may appear in a DMZ when the DMZ is an entire isolated domain; however, this is not common. User workstations are never located in a DMZ. Backup servers, unless specifically deployed for just the DMZ, are never located in a DMZ.

Section 3.7
You have placed an FTP server in your DMZ behind your firewall. The FTP server will be used to distribute software updates and demonstration versions of your products. Users report that they are unable to access the FTP server.

What should you do to enable access?

- Install a VPN
- Define user accounts for all external visitors
- Move the FTP outside of the firewall
- Open ports 20 and 21 for outbound connections
- Open ports 20 and 21 for outbound connections


Explanation:

To allow FTP traffic into your DMZ, you must open the correct ports on the firewall. For FTP those ports are 20 and 21 for outbound connections.

Installing a VPN is not necessary to grant access to external users. Defining user accounts may be required in some situations, but this one requires anonymous access. Moving the FTP server outside the firewall is not a secure action.

Section 3.7
Your company’s network provides HTTP, HTTPS, and SSH access to remote employees. Which ports must be opened on the firewall to allow this traffic to pass?

- 8080, 4430, 21
- 8088, 440, 25
- 80, 443, 22
- 88, 4043, 23
- 80, 443, 22


Explanation:

Open the following ports for this network:

Port 80 for traditional HTTP Web
Port 443 for HTTPS
Port 22 for Secure Shell (SSH)


Section 3.7
Your network recently experienced a series of attacks aimed at the Telnet and FTP services. You have rewritten the security policy to abolish the unsecured services, and now you must secure the network using your firewall and routers. Which ports must be closed to prevent traffic directed to these two services?

- 21, 22
- 23, 21
- 22, 23
- 25, 23
- 23, 21


Explanation:

Close port 23 to prevent Telnet traffic and port 21 for FTP. Both protocols pass user credentials in cleartext and represent a serious vulnerability to your network. Packet sniffing can be used to obtain usernames and passwords, and this information may be used to launch more advanced attacks.

Consider replacing Telnet services with Secure Shell (SSH), and traditional FTP with Secure FTP (SFTP) running across SSH on port 22.

Section 3.7
Your network offers Email services utilizing the standard (unencrypted) SMTP, IMAP, and POP3 protocols. Which ports must be open on the firewall for proper operation?

- 23, 443, 112
- 23, 443, 80
- 25, 143, 110
- 21, 440, 112
- 25, 143, 110


Explanation:

The Simple Mail Transport (SMTP) protocol uses port 25 for server-to-server and client-to-server mail transfers. Email servers listen for client requests on port 143 using the Internet Message Access Protocol (IMAP), and on port 110 using the Post Office Protocol 3 (POP3). IMAP-based services allow the client to store and manipulate mail on the server. POP3 is used as a "store and forward" system, with the messages being deleted after the client downloads them, although some configurations allow messages to be stored on the server for a predetermined period of time.

Section 3.7
Which of the following is not one of the ranges of IP addresses defined in RFC 1918 that are commonly used behind a NAT server?

- 192.168.0.0 - 192.168.255.255
- 172.16.0.0 - 172.31.255.255
- 169.254.0.0 - 169.254.255.255
- 10.0.0.0 - 10.255.255.255
- 169.254.0.0 - 169.254.255.255


Explanation:

169.254.0.1 - 169.254.255.254 is the range of IP addresses assigned to Windows DHCP clients if a DHCP server does not assign the client an IP address. This range is known as the Automatic Private IP Addressing (APIPA) range.

The other three ranges listed in this question are defined as the private IP addresses from RFC 1918 which are commonly used behind a NAT server.

Section 3.8
Which of the following is not a benefit of NAT?

- Hiding the network infrastructure from external entities
- Preventing traffic initiations from outside the private network
- Using fewer public IP addresses
- Improving the throughput rate of traffic
- Improving the throughput rate of traffic


Explanation:

NAT does not provide improved throughput for traffic. A proxy server may provide improved performance when a resource previously accessed by other clients has been temporarily stored in its cache.

NAT provides the benefits of hiding your network infrastructure (i.e. IP address ranges and assignments) from external entities, allowing you to employ fewer public IP addresses for a larger number of internal clients who need Internet access, and preventing traffic that was not initiated by an internal client from entering the private network.

Section 3.8
RADIUS (Remote Authentication Dial-In User Service) is primarily used for what purpose?

- Pre-authenticating remote clients before access to the network is granted
- Controlling entry gate access using proximity sensors
- Managing access to a network over a VPN
- Managing RAID fault-tolerant drive configurations
- Pre-authenticating remote clients before access to the network is granted


Explanation:

RADIUS (Remote Authentication Dial-In User Service) is primarily used for pre-authenticating remote clients before access to the network is granted. RADIUS is based on RFC 2865. RADIUS maintains client profiles in a centralized database. RADIUS offloads the authentication burden for dial-in users from the normal authentication of local network clients. For environments with a large number of dial-in clients, RADIUS provides improved security, easier administration, improved logging, and less performance impact on LAN security systems.

Section 3.9
Which of the following remote access authentication technologies allows for the use of multi-factor authentication?

- SLIP (Serial Line Interface Protocol)
- L2F (Layer 2 Forwarding Protocol)
- PPTP (Point to Point Tunneling Protocol)
- RADIUS (Remote Authentication Dial-In User Service)
- TACACS+ (Terminal Access Controller Access Control System Plus)
- TACACS+ (Terminal Access Controller Access Control System Plus)

Explanation:

TACACS+ (Terminal Access Controller Access Control System Plus) allows for the use of multi-factor authentication. Multi-factor authentication for remote access clients is a significant security improvement. Without multi-factor authentication, remote access user accounts are subject to password cracking attacks and packet interception attacks. With multi-factor authentication, password cracking attacks alone are insufficient to compromise the authentication process.

RADIUS does not support multi-factor authentication, but it is a remote access authentication technology. SLIP, PPTP, and L2F are not remote access authentication technologies.

Section 3.9
Which remote access authentication protocol periodically and transparently re-authenticates during a logon session by default?

- PAP
- EAP
- Certificates
- CHAP
- CHAP


Explanation:

CHAP is the only remote access authentication protocol that periodically and transparently re-authenticates during a logon session by default.

PAP, EAP, and certificates do not re-authenticate mid-session.

Section 3.9
CHAP (Challenge Handshake Authentication Protocol) performs which of the following security functions?

- Periodically verifies the identity of a peer using a three-way handshake
- Links remote systems together
- Protects usernames
- Allows the use of biometric devices
- Periodically verifies the identity of a peer using a three-way handshake


Explanation:

CHAP periodically verifies the identity of a peer using a three-way handshake. CHAP ensures that the same client or system exists throughout a communication session by repeatedly and randomly re-testing the validated system. This test involves the security server sending a challenge message to the client. The client then performs a one-way hash function on the challenge and returns the result to the security server. The security server performs its own function on the challenge and compares its result with that received from the client. If they don't match, the session is terminated.

CHAP does provide protection for both passwords and usernames. However, stating that it only protects usernames is incomplete and therefore not the best answer. CHAP does not link remote systems together; a VPN protocol is needed for that purpose. CHAP does not function as a device driver or interoperability mechanism for biometric devices.

Section 3.9
A VPN (Virtual Private Network) is used primarily for what purpose?

- Support secured communications over an untrusted network
- Allow remote systems to save on long distance charges
- Allow the use of network-attached printers
- Support the distribution of public Web documents
- Support secured communications over an untrusted network


Explanation:

A VPN (Virtual Private Network) is used primarily to support secured communications over an untrusted network. A VPN can be used over a local area network, across a WAN connection, over the Internet, and even between a client and a server over a dial-up connection through the Internet. All of the other items listed in this question are benefits or capabilities that are secondary to this primary purpose.
Section 3.10
Which VPN protocol typically employs IPSec as its data encryption mechanism?

- PPTP (Point to Point Tunneling Protocol)
- L2F (Layer 2 Forwarding Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- PPP (Point to Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)


Explanation:

L2TP (Layer 2 Tunneling Protocol) is the VPN protocol that typically employs IPSec as its data encryption mechanism. L2TP is the recommended VPN protocol to use on dial-up VPN connections.

PPTP and PPP only support CHAP and PAP for data encryption. L2F offers no data encryption.

Section 3.10
PPTP (Point to Point Tunneling Protocol) is quickly becoming obsolete because of what VPN protocol?

- TACACS (Terminal Access Controller Access Control System)
- SLIP (Serial Line Interface Protocol)
- L2F (Layer 2 Forwarding Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)


Explanation:

PPTP (Point to Point Tunneling Protocol) is quickly becoming obsolete because of L2TP (Layer 2 Tunneling Protocol). L2TP was created by combining PPTP and L2F and adding in support for IPSec. The result is a very versatile, nearly universally interoperable VPN protocol that provides solid authentication and reliable data encryption.

Section 3.10
Which statement best describes IPSec when used in tunnel mode?

- IPSec in tunnel mode may not be used for WAN traffic
- The identities of the communicating parties are not protected
- Packets are routed using the original headers, only the payload is encrypted
- The entire data packet, including headers, is encapsulated
- The entire data packet, including headers, is encapsulated


Explanation:

When using IPSec in tunnel mode, the entire data packet, including original headers, is encapsulated. New encrypted packets are created with headers indicating only the endpoint addresses. Tunneling protects the identities of the communicating parties and original packet contents, and is frequently used to secure traffic traveling across insecure public channels such as the Internet. IPSec in tunnel mode is the most common configuration for gateway to gateway communications.

In transport mode, routing is done using the original headers; only the packet's payload is encrypted. Transport mode is primarily used in direct host-to-host communication outside of a dedicated IPSec gateway/firewall configuration.

Section 3.10
What is the primary use of tunneling?

- Deploying thin clients on a network
- Improving communication throughput
- Protecting passwords
- Supporting private traffic through a public communication medium
- Supporting private traffic through a public communication medium


Explanation:

Tunneling is used primarily to support private traffic through a public communication medium. The most widely known form of tunneling is VPN (Virtual Private Networking). A VPN establishes a secured communications tunnel through an insecure network connecting two systems.

Tunnels are not directly associated with password theft or protection. Tunnels provide secure communications, but they usually provide less than optimal throughput due to the additional overhead of encryption and of maintaining the communications link. Terminal services or similar products are used to support thin clients, dumb terminals, or remote sessions.

Section 3.10
In addition to Authentication Header (AH), IPSec is comprised of what other service?

- Advanced Encryption Standard (AES)
- Encryption File System (EFS)
- Encapsulating Security Payload (ESP)
- Extended Authentication Protocol (EAP)
- Encapsulating Security Payload (ESP)


Explanation:

IPSec is comprised of two services, one service is named Authentication Header (AH) and the other named Encapsulating Security Payload (ESP). AH is used primarily for authenticating the two communication partners of an IPSec link. ESP is used primarily to encrypt and secure the data transferred between IPSec partners. IPSec employs ISAKMP for encryption key management.
Section 3.10
Which of the following can be used to encrypt Web, e-mail, telnet, file transfer, and SNMP traffic?

- IPSec (Internet Protocol Security)
- EFS (Encryption File System)
- SSL (Secure Sockets Layer)
- SHTTP (Secure Hypertext Transfer Protocol)
- IPSec (Internet Protocol Security)


Explanation:

IPSec (Internet Protocol Security) can be used to encrypt any traffic supported by the IP protocol. This includes Web, e-mail, telnet, file transfer, and SNMP traffic as well as countless others. IPSec is fully capable of providing a secure means to communicate for any LAN- or Internet-based system using TCP/IP.

EFS is not a communication protocol, thus it cannot be used to encrypt traffic. Rather, it is a file encryption tool. SHTTP is used only for Web traffic. SSL is able to encrypt most Internet-based communication sessions, but it is not designed to protect all TCP/IP LAN traffic like IPSec.

Section 3.10
Which IPSec subprotocol provides data encryption?

- Authentication Header (AH)
- Advanced Encryption Standard (AES)
- Secure Sockets Layer (SSL)
- Encapsulating Security Payload (ESP)
- Encapsulating Security Payload (ESP)


Explanation:

The Encapsulating Security Payload (ESP) protocol provides data encryption for IPSec traffic.

The Authentication Header (AH) provides message integrity through authentication, verifying that data are received unaltered from the trusted destination. AH provides no privacy, however, and is often combined with ESP to achieve both integrity and confidentiality.

Section 3.10
Which data transmission rate is defined by the IEEE 802.11b wireless standard?

- 2 Mbps
- 10 Mbps
- 11 Mbps
- 56 Mbps
- 11 Mbps


Explanation:

The IEEE 802.11b standard defines wireless transmission rates up to 11 Mbps. Wireless network interface cards and wireless access points (also called wireless hubs or wireless routers) will automatically negotiate the best transmission speed up to 11 Mbps based on current network traffic load and the quality of the wireless connection between the client and access point. Wireless communications are affected by distance, dense physical obstructions, and other devices that produce electromagnetic interference.

The IEEE 802.11a standard defines wireless transmission rates up to 2 Mbps. The IEEE 802.11g standard defines wireless transmission rates up to 56 Mbps. The IEEE 802.3 standard defines Ethernet 10baseT cable based transmissions of 10 Mbps.
Section 3.11
Which IEEE standard defines the technologies used in wireless LAN networking?

- 802.3
- 802.8
- 802.11
- 802.5
- 802.11


Explanation:

IEEE 802.11 defines the technologies used in wireless LAN networking. The IEEE 802.11a standard defines wireless transmission rates up to 2 Mbps. The IEEE 802.11b standard defines wireless transmission rates up to 11 Mbps. The IEEE 802.11g standard defines wireless transmission rates up to 56 Mbps.

IEEE 802.5 defines the technologies used in Token Ring. IEEE 802.3 defines the technologies used in Ethernet. IEEE 802.8 defines the technologies used in FDDI.

Section 3.11
On a wireless network that is employing WEP (Wired Equivalent Privacy), which type of users are allowed to authenticate through the access points?

- Users with proper company IDs
- Only users with remote access privileges
- Users with the correct WEP key
- Users within the 80% strength radius
- Users with the correct WEP key


Explanation:

On a wireless network that is employing WEP (Wired Equivalent Privacy), only users with the correct WEP key are allowed to authenticate through the access points. That is the whole point of WEP: to prevent unauthorized users by requiring a wireless session key for access.

Section 3.11