Questions and Answers
Inspection firewalls keep track of each network connection between internal and external systems.
True (A)
A filtering firewall can react to an emergent event and update or create rules to deal with the event.
False (B)
What is the dominant architecture used to secure network access today?
Screened Subnet
What is the role of the Transformation Procedure (TP) in the Clark-Wilson Model?
Discretionary access control is an approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users.
Lattice-based access control is a form of access control in which users are assigned a matrix of authorizations for particular areas of access.
Task-based controls are associated with the assigned role a user performs in an organization, such as a position or temporary assignment like project manager.
Authentication is the process of validating and verifying an unauthenticated entity's purported identity.
Accountability is the matching of an authenticated entity to a list of information assets and corresponding access levels.
Firewalls fall into several major categories of processing modes: packet-filtering firewalls, application layer proxy firewalls, media access control layer firewalls, and hybrids.
The ability of a router to restrict traffic to a specific service is an advanced capability and not considered a standard feature for most routers.
The application layer proxy firewall is capable of functioning both as a firewall and an application layer proxy server.
Using an application layer firewall means the associated Web server must be exposed to a higher level of risk by placing it in the DMZ.
All organizations with a router at the boundary between the organization's internal networks and the external service provider will experience improved network performance due to the complexity of the ACLs used to filter the packets.
The DMZ can be a dedicated port on the firewall device linking a single bastion host.
The screened subnet protects the DMZ systems and information from outside threats by providing a network with intermediate security, which means the network is less secure than the general-public networks but more secure than the internal network.
An extranet is a segment of the DMZ where no authentication and authorization controls are put into place.
Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules.
Syntax errors in firewall policies are usually difficult to identify.
When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.
Good firewall rules include denying all data that is not verifiably authentic.
Firewalls can only filter packets by port number.
It is important that e-mail traffic reach your e-mail server and only your e-mail server.
Though not used as much in Windows environments, terminal emulation is still useful to systems administrators on Unix/Linux systems.
A content filter, also known as a reverse firewall, is a network device that allows administrators to restrict access to internal content from external users.
The proxy server is often placed in an unsecured area of the network or is placed in the demilitarized zone.
The perimeter is an intermediate area between a trusted network and an untrusted network.
Media Access Control Layer firewalls operate on the specific host computer's identity, as represented by its network interface card (NIC) address, and operate at the data link layer of the OSI model or the subnet layer of the TCP/IP model.
A routing table tracks the state and context of each packet in a conversation by recording which station sent which packet and when.
The primary disadvantage of stateful packet inspection firewalls is the additional processing required to manage and verify packets against the state table.
The static packet filtering firewall can react to an emergent event and update or create rules to deal with that event.
Port Address Translation assigns non-routing local addresses to computer systems in the local area network and uses ISP-assigned addresses on a one-to-one basis.
When a bastion host approach is used, the host contains two CPUs, forcing all traffic to go through the device.
A common DMZ arrangement is a subnet firewall that consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting the trusted network.
Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules.
An intranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
Most firewalls use packet header information to determine whether a specific packet should be allowed to pass through or should be dropped.
Best practices in firewall rule set configuration state that the firewall device never allows administrative access directly from the public network.
Traceroute, formally known as an ICMP Echo request, is used by internal systems administrators to ensure that clients and servers can communicate.
Most current operating systems require specialized software to connect to VPN servers, as support for VPN services is no longer built into the clients.
The false reject rate describes the number of legitimate users who are denied access because of a failure in the biometric device.
One of the biggest challenges in the use of the trusted computer base (TCB) is the existence of explicit channels.
In static filtering, configuration rules must be manually created, sequenced, and modified within the firewall.
A RADIUS system decentralizes the responsibility for authenticating each user by validating the user's credentials on the network access server.
Even if Kerberos servers are subjected to denial-of-service attacks, a client can still request additional services.
A VPN, used properly, allows communication across the Internet as if it were a private network.
An attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points.
Kerberos uses asymmetric key encryption to validate an individual user to various network resources.
RADIUS, as described in RFC 4120, keeps a database containing the private keys of clients and servers - in the case of a client, this key is simply the client's encrypted password.
Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet.
A popular use for tunnel mode VPNs is the end-to-end transport of encrypted data.
Access control in which users are assigned a matrix of authorizations for particular areas of access.
Which of the following is not a major processing mode category for firewalls?
Firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information.
The application layer proxy firewall is also known as a(n)
The proxy server is often placed in an unsecured area of the network or is placed in the ______ zone.
______ is an intermediate area between a trusted network and an untrusted network.
______ make filtering decisions based on the specific host computer's identity, as represented by its network interface card (NIC) address, and operate at the data link layer of the OSI model or the subnet layer of the TCP/IP model.
Because the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as a(n) ______ host.
The dominant architecture used to secure network access today is the ______ firewall.
Configuring firewall ______ is viewed as much an art as it is a science.
The architecture of a(n) ______ firewall protects a DMZ.
Both ______ and Next Generation Firewalls (NGFW) are hybrid firewalls categorized by their ability to perform the work of an SPI firewall, network IDPS, content filter, spam filter, and malware scanner and filter.
At the very least, ______ access to the organization's Domain Name System (DNS) server should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organization's entire network.
A firewall device must never be accessible directly from the ______ network.
A(n) ______ filter is a software filter (technically not a firewall) that allows administrators to restrict access to content from within a network.
Content filters are often called ______ firewalls.
A trusted ______ uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
A ______ mode VPN establishes two perimeter servers to encrypt all traffic that will traverse an unsecured network. The entire client packet is encrypted and added as the data portion of a packet addressed from one perimeter server to another.
Deperimeterization is the recognition that there is no clear information security boundary between an organization and the outside world, meaning that the organization must be prepared to protect its information both inside and outside its digital walls.
The Bell-LaPadula model is primarily concerned with:
The Biba Integrity Model focuses on:
The Graham-Denning Model defines how:
The Chinese Wall Model is designed to prevent:
In the Chinese Wall Model, access is restricted based on:
A key principle of the Chinese Wall Model is:
The Clark-Wilson Model is primarily concerned with:
In the Clark-Wilson Model, well-formed transactions are defined as:
What mechanism does the Clark-Wilson model use to enforce integrity?
Kerberos consists of three interacting services, all of which use a database library:
What must a VPN accomplish to offer a secure and reliable capability while relying on public networks?
Flashcards
Stateful Firewall
A firewall that monitors and tracks every network connection between internal and external systems.
Dynamic Filtering Firewall
This firewall can adjust its rules in response to security threats that emerge. It's flexible and adaptive.
Screened Subnet Firewall Architecture
A common network security setup where a firewall is used to protect a network by creating a separate, screened subnet.
Transformation Procedure (TP) in Clark-Wilson Model
Study Notes
Access Controls, Firewalls, and VPNs
- Stateful inspection firewalls track each network connection between internal and external systems.
- Dynamic firewalls react to emergent events by updating or creating rules.
- Screened subnet architecture is the dominant network access security architecture today.
- The Transformation Procedure (TP) in the Clark-Wilson model ensures data integrity.
- Discretionary access control allows the organization to specify the use of resources based on data classification.
- Lattice-based access control assigns authorization matrices to users for access areas.
- Task-based access control is related to a user's role within an organization.
- Authentication is the validation and verification of an entity's identity.
- Authentication factors include something the user knows, something the user has, and something the user is.
- Accountability matches an authenticated entity to a list of information assets and access levels.
- Firewalls use packet-filtering, application layer, media access control, and hybrid modes.
- Firewalls cannot be deployed as separate networks.
- Packet-filtering firewalls scan network data packets for compliance rules and violations.
- The ability of a router to restrict traffic to a specific service is an advanced capability that is not a standard feature.
- Application layer proxy firewalls can function as both firewalls and application layer proxy servers.
- Using an application layer firewall can expose the associated web server to a higher level of risk, hence the use of a DMZ.
- ACLs in routers may sometimes degrade network performance.
- The DMZ is a dedicated port connecting a single bastion host on the firewall device.
- The screened subnet provides intermediate security by protecting the DMZ from outside threats, placing it between the internal and general public networks.
- Extranets are a section of the DMZ with no authentication and authorization controls.
- Proper firewall configuration requires unique configuration rules for each device.
- Syntax errors in firewall policies can be hard to identify.
- HTTP traffic should be blocked from internal networks using proxy access or DMZ architecture when web services are offered outside the firewall.
- Firewall rules must ensure data authenticity.
- Firewalls limit traffic to designated ports.
- Firewall technologies are categorized by mode, configurations, and management.
- RADIUS systems decentralize user authentication on the network access server.
- Kerberos can still function even if servers are subjected to DoS attacks.
- VPNs enable communication across the internet as if it were a private network.
- War dialers are used to locate dial-up lines.
Description
Test your knowledge on access controls, firewalls, and VPNs. This quiz covers key concepts such as stateful inspection firewalls, dynamic firewalls, and various access control models. Prepare to delve into authentication methods and accountability measures in network security.