Review Questions

advertisement
Chapter 9
Review Questions
1. The weakest type of encryption for sending a single document over a WLAN is
a. private key cryptography
b. WPA2
c. AES
d. public key cryptography
2. Each of the following are public key cryptography tools used for encrypting files
for transmission except
a. Pretty Good Privacy (PGP)
b. Secure Copy (SCP)
c. Cryptographic File System (CFS)
d. Wired Equivalent Privacy (WEP)
3. The counterpart to the commercial product Pretty Good Privacy (PGP) is a free
product that runs on Windows, UNIX, and Linux known as
a. GNU Privacy Guard (GPG)
b. File Encryption Security (FES)
c. Wireless Cryptographic Standard (WCS)
d. Lock Secure Technology Systems (LSTS)
4. Each of the following are security vulnerabilities of File Transfer Protocol (FTP)
except
a. FTP does not use encryption
b. Files are vulnerable to man-in-the-middle attacks
c. Attackers can view the contents of transmitted binary files
d. FTP only supports SSH
5. _____ is a facility for transmitting files securely yet does not perform
authentication or other means of security.
a. Secure Copy (SCP)
b. Telnet
c. SFTP
d. UPD
6. STP port forwarding can be used to provide secure access to other services that do
not normally encrypt data during transmission. True or False?
7. Sending HTTP over TLS/SSL is known as HTTPS (Secure Hypertext Transport
Protocol). True or False?
8. SNMPv1 uses usernames and passwords. True or False?
9. A virtual private network (VPN) takes advantage of using an unsecured public
network, such as a hotspot WLAN or the Internet, as if it were a secure private
network. True or False?
10. A remote-access or virtual private dial-up network (VPDN) is a site-to-site
connection used by remote users. . True or False?
11. _____ function in a similar way to SSH port forwarding that can be used to
provide secure access to other services that do not normally encrypt data during
transmission. Virtual private networks (VPNs)
12. _____ is the most widely deployed tunneling protocol. Point-to-Point Tunneling
Protocol (PPTP)
13. A variation of the point-to-point protocol (PPP) that is used by broadband Internet
providers (with DSL or cable modem connections) is _____. Point-to-Point
Protocol over Ethernet (PPPoE).
14. _____ is an industry standard and is not limited to working with TCP/IP-based
networks, but supports a wide array of protocols. Layer 2 Tunneling Protocol
(L2TP)
15. Unlike SSL, which is implemented as a part of the user application, _____ is
located in the operating system or the communication hardware. IPsec (IP
Security)
16. Explain why it may be preferable to have a tunneling protocol operate at a lower
layer of the OSI model.
Different security tools function at different layers of the Open System
Interconnection (OSI) model. The advantages of having security tools function at
the higher layers like the Application layer is that they can be specifically designed
to protect that application. However, protecting at higher layers may require
multiple security tools, even as many as one per each application. Secure Socket
Layers (SSL)/Transport Layer Security (TLS) operate at the Session layer. The
advantage of operating at this lower level is that more applications can be protected,
yet minor modifications may have to be made to the application. An improved
functionality can be achieved if the protection is even lower in the OSI layer. If the
protection is at the Network layer, it can protect a wide range of applications with
no modifications needed. Even applications that are ignorant of security, such as a
legacy MS-DOS application, can still be protected
17. List and explain the two encryption modes of IPSec.
IPsec supports two encryption modes, which are Transport and Tunnel. Transport
mode encrypts only the data portion (payload) of each packet yet leaves the header
unencrypted. The more secure Tunnel mode encrypts both the header and the data
portion. IPsec accomplishes transport and tunnel modes by adding new headers to
the IP packet. The entire original packet (header and payload) is then treated as the
data portion of the new packet. Because tunnel mode protects the entire packet, it is
generally used in a network gateway-to-gateway communication. Transport mode is
used when a device must see the source and destination addresses to route the
packet.
18. What is the difference between pass-through VPN and built-in VPN endpoints?
Endpoints that provide pass-through VPN capability require that a separate
VPN client application be installed on each device that connects to a VPN server.
This client application handles setting up the connection with the remote VPN
server and takes care of the special data handling required to send and receive
data through the VPN tunnel. The endpoint simply passes the special VPN
encapsulated and encrypted packets through to the client, which then will
decode the transmission. Hardware devices that have a built-in VPN endpoint
handle all the VPN tunnel setup, encapsulation, and encryption in the endpoint.
Wireless client devices are not required to run any special software and the
entire VPN process is transparent to them.
19. When would a software-based VPN be used instead of a hardware-based VPN?
Software-based VPNs offer the most flexibility in how the network traffic is
managed. Unlike hardware-based VPNs which generally tunnel all traffic they
handle, regardless of protocol, many software-based products allow traffic to be
tunneled based on either the IP address or the protocol that is being used.
Tunneling specific types of network traffic can be an advantage in settings in which
a mix of network traffic may be found, such as at a remote office that needs to
access the corporate database via VPN but does not require VPN for Web surfing.
Software-based VPNs are also more desirable for “road warriors” who do not want
to carry an additional hardware device with them while traveling. Software-based
VPNs are good options where performance requirements are modest, such as when
users are connecting over dial-up links.
20. What are Layer 4-7 devices?
Traditional routing based on connection-level information at Layers 2 and 3 often
cannot keep pace with the data volumes and demands of today's applications. A new
breed of devices, sometimes called Layer 4-7 devices, can provide intelligent traffic
and bandwidth management based on the content of a session and not just on
network connections. Layer 4-7 devices, which can make routing decisions based on
information unknown to Layer 2-3 switches and routers, can help deliver enhanced
capabilities required for application-aware IP networks. These include more
intelligent traffic management capabilities, local and global server load balancing,
content-aware routing and access control, and content-based bandwidth
management. Security will become inherent in these Layer 4-7 applications and
services.
Download