network security - questions and answers

Objective 5.1: Given a scenario, implement appropriate wireless security measures



Find the answers to these questions at the end of this chapter.
1. How does MAC address filtering increase the security of a wireless LAN?
2. Which encryption algorithm did the second version of the WPA protocol add to the standard?
3. What differentiates WPA2 from WPA2-Enterprise?
4. What are the three factors discussed in this chapter that weakened WEP?



1. By permitting only devices with specified MAC addresses to connect to an access point.
2. Advanced Encryption System (AES).
3. WPA2-Enterprise calls for the use of RADIUS, while WPA2 does not.
4. The use of 40-bit encryption keys, 24-bit initialization vectors, and static shared secrets.
























Objective 5.2: Explain the methods of network access security



Find the answers to these questions at the end of this chapter.
1. What protocol does PPP use to negotiate the communication parameters that the two connecting machines have in common?
2. Which protocol has replaced SSL as the dominant means of encrypting web client/server traffic at the application layer?
3. Which IPsec protocol inserts a header, providing mutual authentication and data integrity, but does not provide data encryption?
4. What protocol enables the computers on a home network to establish individual connections to remote services accessible through a broadband router?
5. SSH provides a secure alternative to what traditional remote access protocol?



1. Link Control Protocol.
2. Transport Layer Security (TLS).
3. IP Authentication Header.
4. PPPoE.
5. Telnet.














Objective 5.3: Explain methods of user authentication



 What authentication protocol do Windows networks use for AD DS authentication of internal clients?
 In a PKI system, which key is needed to decrypt data encrypted with a user’s public key?
 Which of the Windows remote access authentication protocols must you use to authenticate users with smart
cards?
 Which of the roles specified by the IEEE 802.1X standard is typically filled by a RADIUS server?



1. Kerberos.
2. Only the user’s private key can decrypt data encrypted with that user’s public key.
3. EAP.
4. The authentication server role.





Objective 5.4: Explain common threats, vulnerabilities, and mitigation techniques



What is the term used to describe a flood of useless packets deliberately directed at a particular computer?
What term describes an attack that consists of nothing more than a person calling users on the phone and tricking them into supplying sensitive information?
 Which of the attacks described in this objective uses a botnet to bombard a target with traffic?
 What tools are needed by an individual performing a war driving attack?



1. Denial of service (DoS) attack.
2. Social engineering.
3. A smurf attack.
4. A portable computer and a vehicle.





Objective 5.5: Given a scenario, install and configure a basic firewall



Find the answers to these questions at the end of this chapter.
1. Service dependent filtering blocks traffic using what element of the incoming packets?
2. What must you do to configure a firewall to admit FTP traffic using the default port settings to the internal network?
3. A firewall that scans transport layer header fields for evidence of SYN floods uses what type of scanning?
4. How does NAT protect a network from Internet intrusion?



1. Port numbers.
2. You must open TCP ports 20 and 21.
3. Stateful packet inspection.
4. NAT enables a network with private IP addresses to send messages to the Internet, but systems on the Internet cannot send messages directly to the systems on the protected network.





Objective 5.6: Categorize different types of network security appliances and methods


Which of the products discussed in this objective can identify a network’s security weaknesses by mounting attacks against the systems?
What feature does an IDS need to monitor all the traffic on a switched network?
Which type of IDS uses signatures that must be updated regularly?



1. Nessus.
2. Port mirroring.
3. Network-based IDS products are signature based.