
Chapter 06 Security Technology Access Controls Firewalls and VPNs

TRUE/FALSE

1. Discretionary access control is an approach whereby the organization specifies use of resources
based on the assignment of data classification schemes to resources and clearance levels to users.

(A) True

(B) False

Answer : (B)

2. Lattice-based access control is a form of access control in which users are assigned a matrix of
authorizations for particular areas of access.

(A) True

(B) False

Answer : (A)

3. Task-based controls are associated with the assigned role a user performs in an organization,
such as a position or temporary assignment like project manager.

(A) True

(B) False

Answer : (B)

4. Authentication is the process of validating and verifying an unauthenticated entity's purported
identity.

(A) True

(B) False

Answer : (A)

5. Accountability is the matching of an authenticated entity to a list of information assets and
corresponding access levels.

(A) True

(B) False

Answer : (B)

6. Firewalls can be categorized by processing mode, development era, or structure.

(A) True

(B) False

Answer : (A)

7. A firewall cannot be deployed as a separate network containing a number of supporting devices.

(A) True

(B) False

Answer : (B)

8. Packet-filtering firewalls scan network data packets looking for compliance with the rules of the
firewall's database or violations of those rules.

(A) True

(B) False

Answer : (A)

9. The ability of a router to restrict traffic to a specific service is an advanced capability and not
considered a standard feature for most routers.

(A) True

(B) False

Answer : (B)

10. The application layer proxy firewall is capable of functioning both as a firewall and an
application layer proxy server.

(A) True

(B) False

Answer : (A)

11. Using an application firewall means the associated Web server must be exposed to a higher level
of risk by placing it in the DMZ.

(A) True

(B) False

Answer : (B)

12. All organizations with a router at the boundary between the organization's internal
networks and the external service provider will experience improved network performance
due to the complexity of the ACLs used to filter the packets.

(A) True

(B) False

Answer : (B)

13. The DMZ can be a dedicated port on the firewall device linking a single bastion host.

(A) True

(B) False

Answer : (A)

14. The screened subnet protects the DMZ systems and information from outside threats by
providing a network with intermediate security, which means the network is less secure than the
general-public networks but more secure than the internal network.

(A) True

(B) False

Answer : (B)

15. An extranet is a segment of the DMZ where no authentication and authorization controls are
put into place.

(A) True

(B) False

Answer : (B)

16. Good policy and practice dictates that each firewall device, whether a filtering router, bastion
host, or other firewall implementation, must have its own set of configuration rules.

(A) True

(B) False

Answer : (A)

17. Syntax errors in firewall policies are usually difficult to identify.

(A) True

(B) False

Answer : (B)

18. When Web services are offered outside the firewall, HTTP traffic should be blocked from
internal networks through the use of some form of proxy access or DMZ architecture.

(A) True

(B) False

Answer : (A)

19. Good firewall rules include denying all data that is not verifiably authentic.

(A) True

(B) False

Answer : (A)

20. Some firewalls can filter packets by protocol name.

(A) True

(B) False

Answer : (A)

21. It is important that e-mail traffic reach your e-mail server and only your e-mail server.

(A) True

(B) False

Answer : (A)

22. Though not used as much in Windows environments, terminal emulation is still useful to systems
administrators on Unix/Linux systems.

(A) True

(B) False

Answer : (A)

23. A content filter, also known as a reverse firewall, is a network device that allows administrators
to restrict access to external content from within a network.

(A) True

(B) False

Answer : (A)

24. A content filter is essentially a set of scripts or programs that restricts user access to certain
networking protocols and Internet locations.

(A) True

(B) False

Answer : (A)

25. Internet connections via dial-up lines are regaining popularity due to recent technological
developments.

(A) True

(B) False

Answer : (B)

26. The RADIUS system decentralizes the responsibility for authenticating each user by validating
the user's credentials on the NAS server.

(A) True

(B) False

Answer : (B)

27. Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request
additional services.

(A) True

(B) False

Answer : (B)

28. A VPN, used properly, allows use of the Internet as if it were a private network.

(A) True

(B) False

Answer : (A)

29. Most current operating systems require specialized software to connect to VPN servers, as
support for VPN services is no longer built into the clients.

(A) True

(B) False

Answer : (B)

30. Access control is achieved by means of a combination of policies, programs, and technologies.
_________________________

(A) True

(B) False

Answer : (A)

31. Authentication is a mechanism whereby unverified entities who seek access to a resource
provide a label by which they are known to the system. _________________________

(A) True

(B) False

Answer : (B)

32. The false reject rate describes the number of legitimate users who are denied access because of
a failure in the biometric device. _________________________

(A) True

(B) False

Answer : (A)

33. One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of
explicit channels. _________________________

(A) True

(B) False

Answer : (B)

34. In static filtering, configuration rules must be manually created, sequenced, and modified within
the firewall. _________________________

(A) True

(B) False

Answer : (A)

35. A routing table tracks the state and context of each packet in the conversation by recording
which station sent what packet and when. _________________________

(A) True

(B) False

Answer : (B)

36. The primary disadvantage of stateful packet inspection firewalls is the additional processing
required to manage and verify packets against the state table. _________________________

(A) True

(B) False

Answer : (A)

37. The static packet filtering firewall can react to an emergent event and update or create rules
to deal with that event. _________________________

(A) True

(B) False

Answer : (B)

38. Port Address Translation assigns non-routing local addresses to computer systems in the local
area network and uses ISP-assigned addresses to communicate with the Internet on a one-to-one
basis. _________________________

(A) True

(B) False

Answer : (B)

39. When a bastion host approach is used, the host contains two NICs, forcing all traffic to go
through the device. _________________________

(A) True

(B) False

Answer : (B)

40. A common DMZ arrangement is a subnet firewall that consists of two or more internal
bastion hosts behind a packet-filtering router, with each host protecting the trusted network.
_________________________

(A) True

(B) False

Answer : (A)

41. Firewalls operate by examining a data packet and performing a comparison with some
predetermined logical rules. _________________________

(A) True

(B) False

Answer : (A)

42. A(n) intranet is a segment of the DMZ where additional authentication and authorization
controls are put into place to provide services that are not available to the general public.
_________________________

(A) True

(B) False

Answer : (B)

43. When Web services are offered outside the firewall, SMTP traffic should be blocked from
internal networks through the use of some form of proxy access or DMZ architecture.
_________________________

(A) True

(B) False

Answer : (B)

44. Most firewalls use packet header information to determine whether a specific packet should be
allowed to pass through or should be dropped. _________________________

(A) True

(B) False

Answer : (A)

45. Best practices in firewall rule set configuration state that the firewall device never allows
administrative access directly from the public network. _________________________

(A) True

(B) False

Answer : (A)

46. Traceroute, formally known as an ICMP Echo request, is used by internal systems administrators
to ensure that clients and servers can communicate. _________________________

(A) True

(B) False

Answer : (B)

47. The presence of external requests for Telnet services can indicate a potential attack.
_________________________

(A) True

(B) False

Answer : (A)

48. In order to keep the Web server inside the internal network, direct all HTTP requests to the
internal filtering firewall and configure the internal filtering router/firewall to allow only that device
to access the internal Web server. _________________________

(A) True

(B) False

Answer : (B)

49. The filtering component of a content filter is like a set of firewall rules for Web sites, and is
common in residential content filters. _________________________

(A) True

(B) False

Answer : (B)

50. An attacker who suspects that an organization has dial-up lines can use a device called a(n) war
dialer to locate the connection points. _________________________

(A) True

(B) False

Answer : (A)

51. Kerberos uses asymmetric key encryption to validate an individual user to various network
resources. _________________________

(A) True

(B) False

Answer : (B)

52. SESAME, as described in RFC 4120, keeps a database containing the private keys of clients and
servers; in the case of a client, this key is simply the client's encrypted password.
_________________________

(A) True

(B) False

Answer : (B)

53. Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public
networks like the Internet. _________________________

(A) True

(B) False

Answer : (A)

54. The popular use for tunnel mode VPNs is the end-to-end transport of encrypted data.
_________________________

(A) True

(B) False

Answer : (B)

MULTIPLE CHOICE

55. __________ access control is a form of __________ access control in which users are assigned a
matrix of authorizations for particular areas of access.

(A) lattice-based, discretionary

(B) arbor-based, nondiscretionary

(C) arbor-based, discretionary

(D) lattice-based, nondiscretionary

Answer : (D)

56. Which of the following is not a major processing mode category for firewalls?

(A) Packet-filtering firewalls

(B) Application gateways

(C) Circuit gateways

(D) Router passthru

Answer : (D)

57. __________ firewalls examine every incoming packet header and can selectively filter packets
based on header information such as destination address, source address, packet type, and other key
information.

(A) Packet-filtering

(B) Application gateway

(C) Circuit gateway

(D) MAC layer

Answer : (A)

58. The restrictions most commonly implemented in packet-filtering firewalls are based on
__________.

(A) IP source and destination address

(B) Direction (inbound or outbound)

(C) TCP or UDP source and destination port requests

(D) All of the above

Answer : (D)

59. __________ filtering requires that the firewall's filtering rules for allowing and denying packets
are developed and installed with the firewall.

(A) Dynamic

(B) Static

(C) Stateful

(D) Stateless

Answer : (B)

60. A __________ filtering firewall can react to an emergent event and update or create rules to deal
with the event.

(A) dynamic

(B) static

(C) stateful

(D) stateless

Answer : (A)

61. __________ inspection firewalls keep track of each network connection between internal and
external systems.

(A) Static

(B) Dynamic

(C) Stateful

(D) Stateless

Answer : (C)

62. The application layer proxy firewall is also known as a(n) __________.

(A) application firewall

(B) client firewall

(C) proxy firewall

(D) All of the above

Answer : (A)

63. The proxy server is often placed in an unsecured area of the network or is placed in the
__________ zone.

(A) fully trusted

(B) hot

(C) demilitarized

(D) cold

Answer : (C)

64. The __________ is an intermediate area between a trusted network and an untrusted network.

(A) perimeter

(B) DMZ

(C) domain

(D) firewall

Answer : (B)

65. __________ firewalls are designed to operate at the media access control sublayer of the data link
layer of the OSI network model.

(A) MAC layer

(B) Circuit gateway

(C) Application gateway

(D) Packet-filtering

Answer : (A)

66. Because the bastion host stands as a sole defender on the network perimeter, it is commonly
referred to as the __________ host.

(A) trusted

(B) domain

(C) DMZ

(D) sacrificial

Answer : (D)

67. The dominant architecture used to secure network access today is the __________ firewall.

(A) static

(B) bastion

(C) unlimited

(D) screened subnet

Answer : (D)

68. Configuring firewall policies is viewed as much as a(n) __________ as it is a(n) __________.

(A) art, science

(B) philosophy, skill

(C) skill, science

(D) pain, necessity

Answer : (A)

69. Telnet protocol packets usually go to TCP port __________, whereas SMTP packets go to port
__________.

(A) 23, 52

(B) 80, 52

(C) 80, 25

(D) 23, 25

Answer : (D)

70. Known as the ping service, ICMP is a(n) __________ and should be ___________.

(A) essential feature, turned on to save money

(B) common method for hacker reconnaissance, turned off to prevent snooping

(C) infrequently used hacker tool, turned off to prevent snooping

(D) common method for hacker reconnaissance, turned on to save money

Answer : (B)

71. In most common implementation models, the content filter has two components: __________.

(A) encryption and decryption

(B) filtering and encoding

(C) rating and decryption

(D) rating and filtering

Answer : (D)

72. __________ and TACACS are systems that authenticate the credentials of users who are trying to
access an organization's network via a dial-up connection.

(A) RADIUS

(B) RADIAL

(C) TUNMAN

(D) IPSEC

Answer : (A)

73. Which of the following versions of TACACS is still in use?

(A) TACACS

(B) Extended TACACS

(C) TACACS+

(D) All of the above

Answer : (C)

74. The service within Kerberos that generates and issues session keys is known as __________.

(A) VPN

(B) KDC

(C) AS

(D) TGS

Answer : (B)

75. Kerberos __________ provides tickets to clients who request services.

(A) KDS

(B) TGS

(C) AS

(D) VPN

Answer : (B)

76. In SESAME, the user is first authenticated to an authentication server and receives a token. The
token is then presented to a privilege attribute server as proof of identity to gain a(n) __________.

(A) VPN

(B) ECMA

(C) ticket

(D) PAC

Answer : (D)

77. A(n) __________ is a private data network that makes use of the public telecommunication
infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

(A) SVPN

(B) VPN

(C) SESAME

(D) KERBES

Answer : (B)

78. In __________ mode, the data within an IP packet is encrypted, but the header information is not.

(A) tunnel

(B) transport

(C) public

(D) symmetric

Answer : (B)

79. The primary benefit of a VPN that uses _________ is that an intercepted packet reveals nothing
about the true destination system.

(A) intermediate mode

(B) tunnel mode

(C) reversion mode

(D) transport mode

Answer : (B)

SHORT ANSWER

80. A(n) ____________________ contains a computer chip that can verify and validate several pieces of
information instead of just a PIN.

Answer : smart card

81. The ____________________ describes the number of legitimate users who are denied access
because of a failure in the biometric device. This failure is known as a Type I error.

Answer : false reject rate

82. A(n) ____________________ is a combination of hardware and software that filters or prevents
specific information from moving between the outside world and the inside world.

Answer : firewall

83. A packet-____________________ firewall installed on a TCP/IP-based network typically functions at
the IP level and determines whether to drop a packet (deny) or forward it to the next network
connection (allow) based on the rules programmed into the firewall.

Answer : filtering

84. ____________________ is a firewall type that keeps track of each network connection between
internal and external systems using a table and that expedites the processing of those
communications.

Answer : Stateful packet inspection (SPI)
Answer : Stateful packet inspection
Answer : SPI
Answer : Stateful inspection firewall

85. The ____________________ packet-filtering firewall can react to an emergent event and update or
create rules to deal with that event.

Answer : dynamic

86. The application firewall is also known as a(n) ____________________ server.

Answer : proxy

87. ____________________ firewalls combine the elements of other types of firewalls, that is, the
elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

Answer : Hybrid

88. Because the bastion host stands as a sole defender on the network perimeter, it is commonly
referred to as the ____________________ host.

Answer : sacrificial

89. The architecture of a(n) ____________________ firewall provides a DMZ.

Answer : screened subnet

90. As organizations implement cloud-based IT solutions, bring your own device (BYOD) options for
employees, and other emerging network solutions, the network perimeter may be
____________________ for them.

Answer : dissolving
Answer : disappearing
Answer : vanishing

91. Terminal emulation, especially the unprotected ____________________ protocol, should be blocked
from any access to all internal servers from the public network.

Answer : telnet

92. The firewall device must never be accessible directly from the ____________________
network.

Answer : public
Answer : untrusted
Answer : unprotected

93. A(n) ____________________ filter is a software filter (technically not a firewall) that allows
administrators to restrict access to content from within a network.

Answer : content

94. Content filters are often called ____________________ firewalls.

Answer : reverse

95. A(n) ____________________ dialer is an automatic phone-dialing program that dials every number
in a configured range and checks to see if a person, answering machine, or modem picks up.

Answer : war

96. The Remote ____________________ Dial-In User Service system centralizes the management of user
authentication by placing the responsibility for authenticating each user in the central RADIUS
server.

Answer : Authentication

97. The ____________________ Access Controller Access Control System contains a centralized
database, and it validates the user's credentials at the TACACS server.

Answer : Terminal

98. The ____________________ authentication system is named after the three-headed dog of Greek
mythology that guards the gates to the underworld.

Answer : Kerberos

99. In Kerberos, a(n) ____________________ is an identification card for a particular client that verifies
to the server that the client is requesting services and that the client is a valid member of the
Kerberos system and therefore authorized to receive services.

Answer : ticket

100. Kerberos is based on the principle that the ____________________ knows the secret keys of all
clients and servers on the network.

Answer : Key Distribution Center (KDC)
Answer : Key Distribution Center
Answer : KDC

101. SESAME uses ____________________ key encryption to distribute secret keys.

Answer : public

102. A(n) ____________________ private network is a secure network connection between systems that
uses the data communication capability of an unsecured and public network.

Answer : virtual

103. A trusted VPN uses ____________________ circuits from a service provider who gives contractual
assurance that no one else is allowed to use these circuits and that they are properly maintained and
protected.

Answer : leased

104. A ____________________ mode VPN establishes two perimeter tunnel servers to encrypt all traffic
that will traverse an unsecured network. The entire client packet is encrypted and added as the data
portion of a packet addressed from one tunneling server to another.

Answer : tunnel

ESSAY

105. Briefly describe the best practice rules for firewall use.

Graders Info :

1. All traffic from the trusted network is allowed out.
2. The firewall device is never directly accessible from the public network for configuration or
management purposes.
3. Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but it should
all be routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
4. All Internet Control Message Protocol (ICMP) data should be denied.
5. Telnet (terminal emulation) access to all internal servers from the public networks should be
blocked.
6. When Web services are offered outside the firewall, HTTP traffic should be denied from reaching
your internal networks through the use of some form of proxy access or DMZ architecture.
7. All data that is not verifiably authentic should be denied.

106. List and describe the interacting services of the Kerberos system.

Graders Info :

Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues session keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services. In
Kerberos a ticket is an identification card for a particular client that verifies to the server that the
client is requesting services and that the client is a valid member of the Kerberos system and
therefore authorized to receive services. The ticket consists of the client's name and network
address, a ticket validation starting and ending time, and the session key, all encrypted in the
private key of the server from which the client is requesting services.

107. What must a VPN accomplish to offer a secure and reliable capability while relying on public
networks?

Graders Info :

- Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded
within the frames of a protocol that can be routed over the public network as well as be usable by
the server network environment.
- Encryption of incoming and outgoing data to keep the data contents private while in transit over the
public network but usable by the client and server computers and/or the local networks on both ends
of the VPN connection.
- Authentication of the remote computer and, perhaps, the remote user as well. Authentication and
the subsequent authorization of the user to perform specific actions are predicated on accurate and
reliable identification of the remote system and/or user.
