Network+ Guide to Networks, 6th Edition

ovenforksqueeSecurity

Nov 3, 2013 (3 years and 7 months ago)


Chapter 11 Solutions

Review Questions

1. You work for a retailer that sells household goods online. The company has decided to redesign its network for better security. Included in this redesign is the addition of a new firewall. Assuming the firewall is placed between the Internet connection and the Web server, which of the following should be included in the firewall's configuration so that customers can still reach the Web site?

a. Allow incoming UDP-based transmissions to port 23.
b. Allow incoming TCP-based transmissions to port 80.
c. Allow outgoing TCP-based transmissions to port 88.
d. Allow outgoing UDP-based transmissions to port 1024.

2. Which of the following is the most secure password?

a. 12345ABC
b. dolphins
c. !tlzOGS557x^^L
d. A1B2C333


3. You are alerted that suddenly 100% of the resources on your two core routers are being used and no legitimate traffic can travel into or out of your network. What kind of security attack are you most likely experiencing?

a. IP spoofing
b. Brute force attack
c. Flashing
d. Denial-of-service attack

4. What type of device guards against an attack in which a hacker modifies the IP source address in the packets he's issuing so that the transmission appears to belong to your network?

a. Packet-filtering firewall
b. Proxy server
c. NAT gateway
d. Router

5. Which of the following devices can improve performance for certain applications, in addition to enhancing network security?

a. Packet-filtering firewall
b. NAT gateway
c. Proxy server
d. Router

6. If a firewall does nothing more than filter packets, at what layer of the OSI model does it operate?

a. Transport
b. Network
c. Data Link
d. Session

7. Which of the following encryption methods provides the best security for data traveling over VPN connections?

a. PPTP
b. L2TP
c. IPSec
d. SLIP

8. Which of the following criteria could a router's ACL use for denying packets access to a private network?

a. Source IP address
b. Authentication header
c. RTT
d. Source MAC address

9. Which of the following NOS logon restrictions is most likely to stop a hacker who is attempting to discover someone's password through a brute force or dictionary attack?

a. Total time logged on
b. Time of day
c. Period of time after which a password expires
d. Number of unsuccessful logon attempts

10. Which of the following can automatically detect and deny network access to a host whose traffic patterns appear suspicious?

a. IPS
b. NAT gateway
c. Proxy server
d. Router


11. If you are entering your account number and password in a Web form to check your bank account balance online, which of the following encryption methods are you most likely using?

a. PGP
b. SSL
c. SSH
d. Kerberos

12. Which of the following encryption techniques is incorporated into IP version 6?

a. SSH
b. SSL
c. Kerberos
d. IPSec

13. Which of the following is one reason WEP is less secure than 802.11i?

a. WEP is only capable of 16-bit keys, whereas 802.11i can use keys up to 128 bits long.
b. WEP uses only one encryption method, whereas 802.11i combines two encryption methods for data in transit.
c. WEP uses the same key for authentication and encryption every time a client connects, whereas 802.11i assigns keys dynamically to each transmission.
d. WEP does not require clients to specify an SSID, whereas 802.11i requires clients to specify an SSID plus a user name and password for the network's access server.


14. Using a 20-bit key is how many times more secure than using an 18-bit key?

a. Two times
b. Three times
c. Four times
d. Eight times

15. How many keys are required for public key encryption?

a. One
b. Two
c. Four
d. None

16. You are designing an 802.11n wireless network for a local cafe. You want the wireless network to be available to the cafe's customers, but not to anyone with a wireless NIC who happens to be in the vicinity. Which of the following security measures require customers to enter a network key to gain access to your network via the access point?

a. SSL
b. IPSec
c. TLS
d. WPA2

17. Which of the following requires port-based authentication?

a. Kerberos
b. RADIUS
c. WEP
d. WPA

18. Which of the following plays a crucial role in the public key infrastructure?

a. IDS
b. Certificate authority
c. VPN concentrator
d. PGP

19. Which of the following techniques would prevent an FTP bounce attack?

a. Configuring your firewall to deny requests to ports 20 and 21
b. Performing a port scan of your network using NMAP
c. Configuring the FTP service to require a password.
d. Restricting the size of your FTP server’s memory allocation table


20. You have decided to add a honeypot to your network. Where on the network would you place it?

a. On your company’s Web server
b. In a decoy DMZ
c. Between the access server and RADIUS server
d. Attached to a workgroup switch

Hands-On Projects

Project 11-1

In this project students explore Web resources to find out about the latest security threats to the most common networking software and hardware. This project requires workstations that have access to the Internet and are running modern Web browsers.

Steps 1-6: Students read about recent security threats related to Microsoft products via the Microsoft TechNet advisory service and are encouraged to consider the potential repercussions of these vulnerabilities.

Steps 7-11: Students read about current security alerts released by CERT.



Project 11-2

In this project students experiment with eavesdropping on wireless connections using the protocol analyzer application, Wireshark. Each student’s workstation should be running the Windows 7 operating system, have a functional wireless NIC, a modern Web browser, Internet access, and have the Wireshark application installed. (However, Wireshark can also run on other operating systems, including Linux, and this project could be easily altered to work with other operating systems.)

In addition, each classroom should have an access point configured to broadcast its SSID and, at first, to not use WEP, WPA, WPA2, or any other encryption method.

Steps 1-9: Students make certain their wireless LAN connection is properly configured to associate with the classroom access point and not to use encryption. They then initiate a connection via the access point.

Steps 10-13: Students launch Wireshark and instruct the program to begin capturing packets. Note: If workstations contain more than one NIC, students must choose the correct wireless NIC from the drop-down list of interfaces in the Capture dialog box in Wireshark or no data will be captured.

Steps 14-18: Students open a browser and navigate to the text-based RFC for 802.1x (RADIUS).

Steps 19-22: In Wireshark, students stop the capture and view the data captured by Wireshark, noting that the RFC text they viewed in a browser window appears plainly as part of the HTTP stream they captured.



Project 11-3

This project picks up where Project 11-2 left off. For this project, students need a Windows 7 workstation that has the protocol analyzer program Wireshark installed. Also, for this project, the access point should be configured to broadcast its SSID and to use WPA2 encryption.

Steps 1-4: Students reconfigure their wireless connections so that they use WPA and the correct passphrase.

Step 5: After reassociating with the access point, students repeat Steps 10 through 22 from Project 11-2, setting Wireshark to capture traffic, and then generating traffic to analyze.

Step 6: Students review the (encrypted) data they obtained from the second capture and compare it to the data they viewed in Project 11-2.

Case Projects

Case Project 11-1

The credit union has a head start on some security measures, such as cameras and a security policy.

Potential security risks include:

- RRAS server (does it require sufficient credentials for authentication?)
- Firewall (is it configured properly?) and Internet access
- Web-based transactions (what are the security measures, such as strong encryption, for protecting data via the Internet?)
- Security policy (is it effective, current, thorough, and enforced?) Are secure passwords enforced (for example, the minimum length and complexity requirements)? Is there a team in place for dealing with security breaches?
- Users’ access to resources. Is it limited to only what the users need? Is the access restricted to certain times of day or duration based on the users’ needs?
- Trusted relationships between Linux database hosts and other servers. Are these relationships limited to only the necessary privileges?
- The T1 link between offices. Are the routers configured to limit what type of traffic can go in and out via the T1 connection?
- Windows Server 2008 R2 operating system. Is the NOS being consistently updated with security service packs or patches from Microsoft?
- Linux operating system: is it being consistently updated according to the vendor’s recommendation?


A checklist for their posture assessment should include (at least):

- List of who has permissions to which directories on what server(s)
- Justification for each group and individual permission
- Windows Server 2008 R2 operating system: e.g., are all the default passwords (such as the administrator account’s) changed?
- Linux operating system check
- Review of the corporate security policy to make sure it’s current and thorough and that all users understand its implications
- Description of what happens when security is breached, and assignment of a security response team
- Policies for logging into the remote access server (password restrictions, time of day restrictions, number of concurrent users, resource restrictions, etc.)
- Firewall policies (what filters are present for inbound and outbound traffic?)

Case Project 11-2

Some techniques that will help wireless security include WPA or WPA2, creating an access list for the access points (if they are also wireless routers), preventing the access points from broadcasting their SSIDs, etc. Security can be stricter for employee WLANs, since access is limited to internal users. Public WLANs, for example, are not conducive to access list limitations.


Case Project 11-3

An expansion of 10 users would probably be best serviced by a VPN solution, since the credit union already has an Internet connection established. With so few users, it probably doesn’t make sense to lease office space (depending on what area of the country they’re in, and the cost of office space). In either case, though, security must be implemented at the point where VPN or remote users connect to the headquarters’ network. With a remote office, it might be an ISDN line with a remote access server. For a VPN, a similar remote access server could be used on the other side of their Internet connection. In both cases a RADIUS server might be a good way of centrally authenticating all remote users. If placed at the headquarters, this RADIUS server could be used for the east side office as well as home workers. It would provide another layer of security (in addition to the firewall) for Internet access.