Chapter 9 Review Questions

1. The weakest type of encryption for sending a single document over a WLAN is
   a. private key cryptography
   b. WPA2
   c. AES
   d. public key cryptography

2. Each of the following is a public key cryptography tool used for encrypting files for transmission except
   a. Pretty Good Privacy (PGP)
   b. Secure Copy (SCP)
   c. Cryptographic File System (CFS)
   d. Wired Equivalent Privacy (WEP)

3. The counterpart to the commercial product Pretty Good Privacy (PGP) is a free product that runs on Windows, UNIX, and Linux known as
   a. GNU Privacy Guard (GPG)
   b. File Encryption Security (FES)
   c. Wireless Cryptographic Standard (WCS)
   d. Lock Secure Technology Systems (LSTS)

4. Each of the following is a security vulnerability of File Transfer Protocol (FTP) except
   a. FTP does not use encryption
   b. Files are vulnerable to man-in-the-middle attacks
   c. Attackers can view the contents of transmitted binary files
   d. FTP only supports SSH

5. _____ is a facility for transmitting files securely yet does not perform authentication or other means of security.
   a. Secure Copy (SCP)
   b. Telnet
   c. SFTP
   d. UDP

6. SSH port forwarding can be used to provide secure access to other services that do not normally encrypt data during transmission. True or False?

7. Sending HTTP over TLS/SSL is known as HTTPS (Secure Hypertext Transport Protocol). True or False?

8. SNMPv1 uses usernames and passwords. True or False?

9. A virtual private network (VPN) takes advantage of using an unsecured public network, such as a hotspot WLAN or the Internet, as if it were a secure private network. True or False?

10. A remote-access or virtual private dial-up network (VPDN) is a site-to-site connection used by remote users. True or False?

11. _____ function in a similar way to SSH port forwarding and can be used to provide secure access to other services that do not normally encrypt data during transmission.
    Answer: Virtual private networks (VPNs)

12. _____ is the most widely deployed tunneling protocol.
    Answer: Point-to-Point Tunneling Protocol (PPTP)

13. A variation of the Point-to-Point Protocol (PPP) that is used by broadband Internet providers (with DSL or cable modem connections) is _____.
    Answer: Point-to-Point Protocol over Ethernet (PPPoE)

14. _____ is an industry standard and is not limited to working with TCP/IP-based networks, but supports a wide array of protocols.
    Answer: Layer 2 Tunneling Protocol (L2TP)

15. Unlike SSL, which is implemented as a part of the user application, _____ is located in the operating system or the communication hardware.
    Answer: IPsec (IP Security)

16. Explain why it may be preferable to have a tunneling protocol operate at a lower layer of the OSI model.

    Different security tools function at different layers of the Open Systems Interconnection (OSI) model. The advantage of having security tools function at the higher layers, such as the Application layer, is that they can be specifically designed to protect that application. However, protecting at higher layers may require multiple security tools, even as many as one per application. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) operate at the Session layer. The advantage of operating at this lower level is that more applications can be protected, yet minor modifications may have to be made to the application. Functionality improves further if the protection sits at an even lower OSI layer. If the protection is at the Network layer, it can protect a wide range of applications with no modifications needed. Even applications that are ignorant of security, such as a legacy MS-DOS application, can still be protected.

17. List and explain the two encryption modes of IPsec.

    IPsec supports two encryption modes, which are Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet yet leaves the header unencrypted. The more secure Tunnel mode encrypts both the header and the data portion.

    IPsec accomplishes transport and tunnel modes by adding new headers to the IP packet. The entire original packet (header and payload) is then treated as the data portion of the new packet. Because tunnel mode protects the entire packet, it is generally used in network gateway-to-gateway communication. Transport mode is used when a device must see the source and destination addresses to route the packet.

18. What is the difference between pass-through VPN and built-in VPN endpoints?

    Endpoints that provide pass-through VPN capability require that a separate VPN client application be installed on each device that connects to a VPN server. This client application handles setting up the connection with the remote VPN server and takes care of the special data handling required to send and receive data through the VPN tunnel. The endpoint simply passes the special VPN encapsulated and encrypted packets through to the client, which then decodes the transmission. Hardware devices that have a built-in VPN endpoint handle all the VPN tunnel setup, encapsulation, and encryption in the endpoint. Wireless client devices are not required to run any special software, and the entire VPN process is transparent to them.

19. When would a software-based VPN be used instead of a hardware-based VPN?

    Software-based VPNs offer the most flexibility in how the network traffic is managed. Unlike hardware-based VPNs, which generally tunnel all traffic they handle regardless of protocol, many software-based products allow traffic to be tunneled based on either the IP address or the protocol that is being used. Tunneling specific types of network traffic can be an advantage in settings in which a mix of network traffic may be found, such as at a remote office that needs to access the corporate database via VPN but does not require VPN for Web surfing.

    Software-based VPNs are also more desirable for "road warriors" who do not want to carry an additional hardware device with them while traveling. Software-based VPNs are good options where performance requirements are modest, such as when users are connecting over dial-up links.

20. What are Layer 4-7 devices?

    Traditional routing based on connection-level information at Layers 2 and 3 often cannot keep pace with the data volumes and demands of today's applications. A new breed of devices, sometimes called Layer 4-7 devices, can provide intelligent traffic and bandwidth management based on the content of a session and not just on network connections. Layer 4-7 devices, which can make routing decisions based on information unknown to Layer 2-3 switches and routers, can help deliver the enhanced capabilities required for application-aware IP networks. These include more intelligent traffic management capabilities, local and global server load balancing, content-aware routing and access control, and content-based bandwidth management. Security will become inherent in these Layer 4-7 applications and services.
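Worked example for question 17 (added here; it is not code from the textbook): the script below builds a constructed IPv4 packet, encapsulates it in IPsec transport mode and in tunnel mode, and reports what an on-path router without the key can read, which is why tunnel mode suits gateway-to-gateway links while transport mode keeps the original addresses routable. Assumptions: the SHA-256 counter keystream is a labelled stand-in for ESP's real cipher (no integrity check is modelled), and the addresses and key are constructed sample values.

```python
import hashlib
import struct

ESP = 50  # IP protocol number carried in the outer header for ESP

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct one's-complement checksum."""
    def ip2b(a): return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, ip2b(src), ip2b(dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s = (~(s + (s >> 16))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", s) + hdr[12:]

def _keystream(key, spi, seq, n):
    # ASSUMPTION: a SHA-256 counter keystream stands in for ESP's real cipher (AES); it only
    # models "bytes after the SPI/sequence header are opaque to anyone without the key".
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + struct.pack("!III", spi, seq, i)).digest()
                    for i in range(blocks))[:n]

def esp_seal(key, spi, seq, plaintext):
    """ESP-like body: 8-byte SPI + sequence number in the clear, then the protected bytes."""
    ks = _keystream(key, spi, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(p ^ k for p, k in zip(plaintext, ks))

def esp_open(key, body):
    """Reverse of esp_seal, for the peer that holds the key."""
    spi, seq = struct.unpack("!II", body[:8])
    ks = _keystream(key, spi, seq, len(body) - 8)
    return bytes(c ^ k for c, k in zip(body[8:], ks))

def transport_mode(key, spi, seq, src, dst, payload):
    """Transport mode: the original IP header stays readable; only the payload is protected."""
    body = esp_seal(key, spi, seq, payload)
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet):
    """Tunnel mode: the whole original packet (header and payload) becomes the protected
    payload of a new packet whose header names the two gateways."""
    body = esp_seal(key, spi, seq, inner_packet)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def on_path_view(packet):
    """What a router without the key can read: outer source, destination and protocol."""
    proto, src, dst = struct.unpack("!B2x4s4s", packet[9:20])
    def dotted(b): return ".".join(str(x) for x in b)
    return dotted(src), dotted(dst), proto
```

Feeding the same inner packet through both functions shows the router seeing the host addresses in transport mode but only the gateway addresses in tunnel mode, matching the answer's point about where each mode is used.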