Chapter07

Security+ Guide to Network Security Fundamentals, 2e
Solutions 7-1
Chapter 7 Review Questions
1. The File Transfer Protocol (FTP) can be accessed by each of the following
except ___________________.
a. Web browser
b. FTP client
c. command line
d. LPTP server
2. Another name for anonymous FTP is __________________.
a. blind FTP
b. free user FTP
c. Freenet
d. Unannounced FTP
3. The most widely-deployed tunneling protocol is ____________.
a. L2TP
b. RADIUS
c. PPP
d. PPTP
4. Each of the following is a characteristic of the Layer 2 Tunneling Protocol
(L2TP) except ________________.
a. It merges the features of PPTP and Layer 2 Forwarding Protocol (L2F).
b. It requires a TCP/IP network.
c. It can be implemented on devices like routers.
d. It can support advanced encryption methods.
5. Each of the following is an authentication technology except _________.
a. IEEE 802.11b
b. RADIUS
c. TACACS+
d. IEEE 802.1x
6. The 802.1x protocol is based on the Extensible Authentication Protocol
(EAP), which is an extension of PPP. True or False?
7. One of the advantages of the RADIUS architecture is that it supports
authentication and authorization as well as auditing functions. True or false?
8. Similar to RADIUS, Terminal Access Controller Access Control System Plus
(TACACS+) is an industry standard protocol specification that forwards
username and password information to a centralized server. True or false?
9. Secure Shell (SSH) is a Windows-based command interface and protocol that
replaces three Windows utilities: wlogin, wcp, and wsh. True or false?
10. IP Security (IPSec) functions at Layer 1 of the OSI model. True or false?
11. One of the ways to reduce the risk of FTP vulnerabilities is to use _____.
secure FTP
12. IP Security (IPSec) confidentiality is performed by the _____ protocol.
Encapsulating Security Payload (ESP)
13. A(n) _____ takes advantage of using the public Internet as if it were a private
network. virtual private network (VPN)
14. A(n) _____ is a database that is stored on the network itself that contains all
the information about users and their privileges to network resources.
directory service
15. _____ is the security layer of the Wireless Application Protocol (WAP) and
provides privacy, data integrity, and authentication. Wireless Transport
Layer Security (WTLS)
16. Explain how the three elements of the IEEE 802.1x standard function.
A network supporting the 802.1x protocol consists of three elements.
The supplicant is the client device, such as a desktop computer or PDA,
that requires secure network access. The supplicant sends its request
to an authenticator, which serves as an intermediary device; an
authenticator can be a network switch or a wireless access point. The
authenticator forwards the request from the supplicant to the authentication
server. The authentication server accepts or rejects the supplicant's
request and sends that decision back to the authenticator, which in
turn grants or denies the supplicant access to the network. One of the
strengths of the 802.1x protocol is that the supplicant never communicates
directly with the authentication server. This minimizes the risk of attack
on the authentication server, which holds the login data for all users.
17. What are the advantages of IPSec functioning at a lower layer of the OSI
model?
Different security tools function at different layers of the Open Systems
Interconnection (OSI) model. Tools such as Secure/Multipurpose
Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)
operate at the Application layer, while Kerberos functions at the Session
layer. The advantage of having security tools function at the higher
layers, such as the Application layer, is that they can be designed
specifically to protect one application. The drawback is that protecting
at this layer may require multiple security tools, perhaps as many as one
per application. Secure Sockets Layer (SSL)/Transport Layer Security
(TLS) operate at the Session layer. The advantage of operating at this
level is that more applications can be protected, although minor
modifications may still have to be made to each application. Even broader
protection is achieved the lower in the OSI model the protection sits.
Protection at the Network layer covers a wide range of applications with
no modifications at all; even applications that know nothing about
security, such as a legacy MS-DOS application, are protected. This is the
layer at which IPSec functions.
18. What are the two IPSec encryption modes? Give an example that illustrates
why two modes are necessary.
IPSec supports two encryption modes: Transport and Tunnel. Transport
mode encrypts only the data portion (payload) of each packet and leaves
the original IP header in the clear. The more secure Tunnel mode encrypts
both the header and the data portion. IPSec accomplishes this by adding
new headers to the IP packet: the entire original packet (header and
payload) is treated as the data portion of the new packet. Because Tunnel
mode protects the entire original packet, it is generally used for
gateway-to-gateway communication. Transport mode is used when intermediate
devices must see the original source and destination addresses in order to
route the packet. For example, a packet sent from a client computer to the
local IPSec-enabled firewall would be sent in Transport mode so that it can
be routed across the local network. Once it reaches the firewall, the
firewall would remove the Transport mode protection and re-encapsulate the
packet in Tunnel mode before sending it onto the Internet. The receiving
firewall would then extract, decrypt, and authenticate the original packet
before routing it to the final destination computer.
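The two encapsulations described above, as an added illustration that is not part of the textbook solution. The 12-byte IP header and the HMAC-SHA256 keystream cipher are simplified stand-ins chosen so the example runs with only the Python standard library (real ESP uses a full IPv4 header, a block or AEAD cipher, and padding fields); the addresses, key and payload are constructed sample data. The layout, an outer IP header carrying protocol 50, then SPI, sequence number, encrypted inner data with its next-header byte and an integrity check value, follows ESP, and `on_the_wire()` reports what a passive observer between the endpoints learns in each mode.

```python
"""IPsec ESP transport vs tunnel mode (added example, not the textbook's).

Simplifications, labelled: the IP header is a 12-byte stand-in
(version, protocol, length, src, dst) and the cipher is a toy
HMAC-SHA256 keystream. The encapsulation layout follows ESP.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50      # protocol number placed in the outer IP header for ESP
IPIP_PROTO = 4      # ESP "next header" value meaning "an IPv4 packet follows"
HDR = struct.Struct("!BBHII")   # version, protocol, total length, src, dst
ICV_LEN = 16        # truncated HMAC tag, like ESP's fixed-size ICV


def ip4(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return HDR.pack(4, proto, HDR.size + len(payload), ip4(src), ip4(dst)) + payload


def parse_header(pkt: bytes) -> dict:
    _ver, proto, length, src, dst = HDR.unpack_from(pkt)
    return {"proto": proto, "len": length,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy CTR-style keystream bound to (SPI, sequence number). Stands in
    for the real ESP cipher so the example needs only the stdlib."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_wrap(key: bytes, spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP body: SPI || seq || enc(inner || next_header) || ICV over the rest."""
    pt = inner + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, spi, seq, len(pt))))
    body = struct.pack("!II", spi, seq) + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_unwrap(key: bytes, esp: bytes):
    """Verify the ICV first, then decrypt; returns (inner bytes, next header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack_from("!II", body)
    ct = body[8:]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, spi, seq, len(ct))))
    return pt[:-1], pt[-1]


def transport_mode(key: bytes, spi: int, seq: int, pkt: bytes) -> bytes:
    """Transport: keep the original header (addresses visible), protect
    only the payload; the original protocol number rides inside ESP."""
    h = parse_header(pkt)
    esp = esp_wrap(key, spi, seq, pkt[HDR.size:], h["proto"])
    return build_packet(h["src"], h["dst"], ESP_PROTO, esp)


def tunnel_mode(key: bytes, spi: int, seq: int, pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel: the whole original packet (header + payload) becomes the ESP
    payload and a new outer header names only the two gateways."""
    esp = esp_wrap(key, spi, seq, pkt, IPIP_PROTO)
    return build_packet(gw_src, gw_dst, ESP_PROTO, esp)


def on_the_wire(pkt: bytes):
    """What an observer on the path learns from the unencrypted outer header."""
    h = parse_header(pkt)
    return h["src"], h["dst"], h["proto"]


def unprotect(key: bytes, pkt: bytes) -> bytes:
    """Receiving side for either mode: strip ESP and rebuild the original packet."""
    h = parse_header(pkt)
    inner, nh = esp_unwrap(key, pkt[HDR.size:])
    if nh == IPIP_PROTO:                  # tunnel mode: inner is a full packet
        return inner
    return build_packet(h["src"], h["dst"], nh, inner)   # transport mode


def demo() -> dict:
    key = b"constructed-demo-key-not-for-use"          # sample key
    original = build_packet("10.0.0.7", "172.16.5.9", 6, b"GET /payroll HTTP/1.1")
    t = transport_mode(key, 0x100, 1, original)
    u = tunnel_mode(key, 0x200, 1, original, "203.0.113.1", "198.51.100.1")
    return {"transport_visible": on_the_wire(t),      # client and server exposed
            "tunnel_visible": on_the_wire(u),         # only the gateways exposed
            "transport_roundtrip": unprotect(key, t) == original,
            "tunnel_roundtrip": unprotect(key, u) == original}
```

Running `demo()` shows the trade-off from the answer directly: the transport-mode packet still names 10.0.0.7 and 172.16.5.9 in its outer header, which is what lets the local network route it, while the tunnel-mode packet exposes only the two gateway addresses. Any change to the ESP body fails the ICV check before decryption is attempted.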
19. Explain the process of how Internet data can be displayed on a cell phone.
With standard computers, Web browser software makes a request to a
World Wide Web server for a Web page. The server sends back only HTML
code; the Web browser is responsible for interpreting that code and
displaying the result on the screen. WAP follows this standard Internet
model with a few variations. A WAP cell phone runs a tiny browser program
called a microbrowser that uses Wireless Markup Language (WML) instead of
HTML. WML is designed to display text-based Web content on the small
screen of a cell phone. However, since the Internet standard is HTML, a
WAP Gateway (sometimes called a WAP Proxy) must translate between HTML
and WML. The WAP Gateway takes the Web page sent from the Web server as
HTML and converts it to WML before forwarding it on to the cell phone.
20. What is the wired equivalent privacy (WEP) and what is its weakness?
Wired equivalent privacy (WEP) is an optional configuration for WLANs
that encrypts packets during transmission to prevent attackers from
viewing their contents. WEP uses shared keys, meaning that the same key
for encryption and decryption must be installed on the AP as well as on
each wireless device. WEP can also be used for authentication. When a
wireless device attempts to connect to a WLAN, the AP sends the device
128 bytes of challenge text. The client encrypts the challenge text with
its WEP key and returns it to the AP, which compares it with its own
encryption of the same challenge text under its WEP key. If the two match,
the client holds the correct WEP key and is approved. The vulnerability in
WEP lies in how the initialization vector (IV) is implemented. WEP encrypts
with the RC4 stream cipher, seeded with a 24-bit IV prepended to the shared
key, and every packet should be given a unique IV so that no two packets
are ever encrypted with the same keystream. Yet because the IV is only 24
bits long, it can take only 16,777,216 (2^24) possible values. A WLAN
transmitting at 11 Mbps sends approximately 700 packets each second, so in
less than seven hours all 16 million IV values have been used and the IVs
must start repeating; if IVs are chosen at random rather than sequentially,
the birthday paradox makes a repeat likely after only a few thousand
packets. Because the IVs are transmitted in clear text, an attacker can
capture packets and see when an IV repeats. With two packets encrypted
under the same keystream, he or she is then able to crack the encryption.
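An added example (not the textbook's) showing why a repeated IV breaks WEP. The key, IV and the two frame payloads are constructed sample data, but the frame structure is real WEP: a 24-bit IV and key-id byte in the clear, RC4 seeded with IV || shared key, and a CRC-32 ICV appended to the plaintext before encryption. An attacker who knows the plaintext of one frame (ARP and DHCP traffic are highly predictable) XORs it out to recover that IV's keystream, then decrypts any other frame sent under the same IV without ever learning the key. The last two helpers compute the exhaustion time and the birthday bound quoted in the answer.

```python
"""WEP keystream reuse under a repeated IV (added example, not the textbook's).

Frame layout is real WEP: IV(3) || key-id(1) || RC4(IV||key) XOR (data || CRC-32).
Key, IV and payloads below are constructed sample data.
"""
import struct
import zlib
from math import log, sqrt

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 distinct IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV || key-id || RC4(IV||key) XOR (plaintext || CRC-32 ICV)."""
    assert len(iv) == 3
    ks = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Legitimate receiver: returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[4:]
    pt_icv = xor(body, rc4_keystream(iv + shared_key, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt, tag == icv(pt)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker with one frame whose plaintext is known learns the keystream
    RC4 produced for that frame's IV, without the key."""
    return xor(frame[4:], known_plaintext + icv(known_plaintext))


def decrypt_with_reused_iv(keystream: bytes, frame: bytes) -> bytes:
    """Any other frame sent under the same IV uses the same keystream, so
    it decrypts directly; only as many bytes as the keystream covers."""
    body = frame[4:]
    n = min(len(keystream), len(body))
    return xor(body[:n], keystream[:n])[:len(body) - 4]


def hours_to_exhaust(packets_per_second: float) -> float:
    """Sequential IVs: time until every 24-bit value has been used once."""
    return IV_SPACE / packets_per_second / 3600


def birthday_frames(prob: float = 0.5) -> int:
    """Random IVs: frames after which a repeat occurs with probability `prob`."""
    return int(sqrt(2 * IV_SPACE * log(1 / (1 - prob)))) + 1


def demo() -> bytes:
    key = bytes.fromhex("0123456789")                   # constructed 40-bit WEP key
    iv = b"\x13\x37\x42"                                # IV that gets reused
    known = b"ARP request: who has 192.168.1.1?"        # constructed, predictable frame
    secret = b"POST /login user=alice pw=hunter2"       # constructed secret frame
    f_known = wep_encrypt(key, iv, known)
    f_secret = wep_encrypt(key, iv, secret)
    ks = recover_keystream(f_known, known)              # attacker: no key needed
    return decrypt_with_reused_iv(ks, f_secret)
```

`demo()` returns the secret payload byte for byte, which is the attack the answer alludes to: once the attacker has a keystream for one IV, every later frame under that IV is readable, and the same keystream can be used to inject forged frames. `hours_to_exhaust(700)` reproduces the answer's "less than seven hours" for sequential IVs, and `birthday_frames()` shows that with randomly chosen IVs a collision is already even odds after roughly 4,800 frames.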