Chapter 4: Communication and Network Security (Domain 4) 349
- B. The Remote Authentication Dial-In User Service (RADIUS) protocol was originally designed to support dial-up modem connections but is still commonly used for VPN-based authentication. HTTPS is not an authentication protocol. ESP and AH are IPsec protocols that protect packets; they do not authenticate users to other systems.
- A. A ring connects all systems like points on a circle. A ring topology was used with
Token Ring networks, and a token was passed between systems around the ring to allow
each system to communicate. More modern networks may be described as a ring but are
only physically a ring and not logically using a ring topology.
- B. The firewall in the diagram has two protected zones behind it, making it a two-tier firewall design.
- D. Remote PCs that connect to a protected network need to comply with security settings
and standards that match those required for the internal network. The VPN concentrator
logically places remote users in the protected zone behind the firewall, but that means that
user workstations (and users) must be trusted in the same way that local workstations are.
- C. An intrusion prevention system (IPS) can scan traffic and stop both known and unknown
attacks. A web application firewall, or WAF, is also a suitable technology, but placing it at
location C would only protect from attacks via the organization’s VPN, which should only
be used by trusted users. A firewall typically won’t have the ability to identify and stop
cross-site scripting attacks, and IDS systems only monitor and don’t stop attacks.
- D. Distance-vector protocols use metrics including the direction (next hop) and distance in hops to remote networks to make decisions. A link-state routing protocol instead gives every router a map of the whole topology and computes the lowest-cost path to each remote network. Destination metric and link-distance protocols don’t exist.
- B. Disabling SSID broadcast can help prevent unauthorized personnel from attempting
to connect to the network. Since the SSID is still active, it can be discovered by using a
wireless sniffer. Encryption keys are not related to SSID broadcast, beacon frames are used
to broadcast the SSID, and it is possible to have multiple networks with the same SSID.
- B. A proxy is a form of gateway that provides clients with a filtering, caching, or other
service that protects their information from remote systems. A router connects networks,
while a firewall uses rules to limit traffic permitted through it. A gateway translates
between protocols.
- B. DNS poisoning occurs when an attacker changes the domain name to IP address
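The distance-vector versus link-state contrast from the routing answer above, worked through in code. This is an added example and not part of the answer key: the five-node topology, its link costs and the node names are constructed, the hop-count table exchange stands in for a RIP-style protocol, and the shortest-path computation stands in for an OSPF-style one. The same topology yields different routes under the two methods, which is the point the answer makes.

```python
"""Distance-vector (hop count) versus link-state (shortest path by link cost)
route selection on one constructed topology. Added example, not from the
answer key; topology, costs and node names are assumptions."""
import heapq

# Constructed topology: undirected links with an administrative cost
# (assumption: lower cost = faster link). A-B-D is fewer hops,
# A-C-E-D is far cheaper.
LINKS = {
    ("A", "B"): 10,
    ("B", "D"): 10,
    ("A", "C"): 1,
    ("C", "E"): 1,
    ("E", "D"): 1,
}


def build_adjacency(links):
    adj = {}
    for (u, v), cost in links.items():
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def distance_vector(adj):
    """Bellman-Ford run distributively, RIP-style: each router keeps
    dest -> (hops, next_hop) and learns only from its neighbours'
    advertised vectors, repeating until no table changes."""
    tables = {n: {n: (0, None)} for n in adj}
    changed = True
    while changed:
        changed = False
        for node in adj:
            for nbr in adj[node]:
                for dest, (hops, _) in list(tables[nbr].items()):
                    cand = hops + 1  # one hop farther when reached via nbr
                    cur = tables[node].get(dest)
                    if cur is None or cand < cur[0]:
                        tables[node][dest] = (cand, nbr)
                        changed = True
    return tables


def dv_path(tables, src, dst):
    """Follow next-hop pointers hop by hop, as forwarding would."""
    path = [src]
    while path[-1] != dst:
        path.append(tables[path[-1]][dst][1])
    return path


def link_state(adj, src):
    """Dijkstra/SPF, OSPF-style: the router holds the whole topology map
    and minimises summed link cost rather than hop count."""
    dist, prev, heap, done = {src: 0}, {}, [(0, src)], set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def ls_path(prev, src, dst):
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def compare_routes(src, dst):
    adj = build_adjacency(LINKS)
    tables = distance_vector(adj)
    dist, prev = link_state(adj, src)
    return {
        "distance_vector": dv_path(tables, src, dst),
        "link_state": ls_path(prev, src, dst),
        "link_state_cost": dist[dst],
    }


if __name__ == "__main__":
    print(compare_routes("A", "D"))
```

From A to D the hop-count router forwards via B (two hops, total cost 20) while the link-state router forwards via C and E (three hops, total cost 3); only the second has enough information to know the extra hop is cheaper.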
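For the SSID-broadcast answer above, an added example (not from the answer key) of what a wireless sniffer sees: it constructs the body of a beacon frame with SSID broadcast disabled, plus the probe request and probe response that a joining client triggers, then parses the 802.11 information elements of each. The network name, channel and frame bytes are constructed, not captured; the frame-body layout (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then tag/length/value elements) is the standard one.

```python
"""Why a "hidden" SSID is still recoverable with a wireless sniffer.
Added example, not from the answer key: the beacon, probe request and probe
response bodies below are constructed, and the SSID/channel are made up."""
import struct

SSID_IE, RATES_IE, DS_IE = 0, 1, 3          # information element tags
RATES = bytes([0x82, 0x84, 0x8B, 0x96])     # 1/2/5.5/11 Mbps basic rates


def ie(tag, data):
    """One tag/length/value information element."""
    return bytes([tag, len(data)]) + data


def beacon_body(ssid, channel, hidden):
    # Fixed fields (little-endian): timestamp(8) + beacon interval(2) + capability(2).
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    # "Disable SSID broadcast" only empties the SSID element; the beacon still goes out.
    ssid_field = b"" if hidden else ssid.encode()
    return fixed + ie(SSID_IE, ssid_field) + ie(RATES_IE, RATES) + ie(DS_IE, bytes([channel]))


def probe_request_body(ssid):
    # A client joining a hidden network must name it in a directed probe request.
    return ie(SSID_IE, ssid.encode()) + ie(RATES_IE, RATES)


def probe_response_body(ssid, channel):
    # The AP answers a directed probe with the real SSID, hidden or not.
    return beacon_body(ssid, channel, hidden=False)


def parse_ies(body, skip_fixed):
    """Walk the tag/length/value list and return {tag: value}."""
    off = 12 if skip_fixed else 0
    out = {}
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        out[tag] = body[off + 2:off + 2 + ln]
        off += 2 + ln
    return out


def ssid_from(body, skip_fixed):
    """Return the SSID string, or None when the element is empty or null-filled
    (the two ways access points encode a hidden SSID)."""
    raw = parse_ies(body, skip_fixed).get(SSID_IE, b"")
    if not raw or raw == b"\x00" * len(raw):
        return None
    return raw.decode(errors="replace")


def sniff_hidden_network(ssid="corp-wifi", channel=6):
    """What a passive sniffer recovers from each frame type of a hidden network."""
    return {
        "beacon": ssid_from(beacon_body(ssid, channel, hidden=True), skip_fixed=True),
        "probe_request": ssid_from(probe_request_body(ssid), skip_fixed=False),
        "probe_response": ssid_from(probe_response_body(ssid, channel), skip_fixed=True),
        "channel": parse_ies(beacon_body(ssid, channel, hidden=True), skip_fixed=True)[DS_IE][0],
    }


if __name__ == "__main__":
    print(sniff_hidden_network())
```

The beacon yields no name but still reveals an active network and its channel; the first client that associates hands the sniffer the SSID in its probe request, and the access point repeats it in the probe response. Hiding the SSID is therefore an obscurity measure, not access control.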
mappings of a system to redirect traffic to alternate systems. DNS spoofing occurs when
an attacker sends false replies to a requesting system, beating valid replies from the actual
DNS server. ARP spoofing provides a false hardware address in response to queries about
an IP, and Cain & Abel is a powerful Windows hacking tool, but a Cain attack is not a
specific type of attack.
- B. Screen scrapers copy the actual screen displayed and display it at a remote location.
RDP provides terminal sessions without doing screen scraping, remote node operation is
the same as dial-up access, and remote control is a means of controlling a remote system
(screen scraping is a specialized subset of remote control).
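The DNS spoofing race and the poisoned cache it leaves behind, as an added example for the DNS answer above (not code from the answer key). It builds DNS messages in wire format, then runs two stub resolvers against the same pair of replies: one that accepts any reply naming a pending question, and one that also requires the 16-bit transaction ID and the query's ephemeral source port to match. Host names, addresses and the attacker's guessed values are constructed.

```python
"""DNS spoofing race against a caching stub resolver, lax versus strict reply
matching. Added example, not from the answer key; names and addresses are made up."""
import random
import struct


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a label sequence, following one level of compression pointer."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def build_query(txid, name):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl=300):
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # pointer to qname
    return hdr + question + answer


def parse_response(msg):
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        _rname, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "qname": qname, "answers": answers}


class StubResolver:
    """strict=False: accept any reply whose question matches a pending name
    (what a spoofer exploits). strict=True: also require the transaction ID
    and the port the reply arrives on to match the query actually sent."""

    def __init__(self, strict):
        self.strict = strict
        self.cache = {}     # qname -> [ip, ...]
        self.pending = {}   # (txid, source_port) -> qname

    def send_query(self, name):
        txid = random.randrange(1 << 16)
        sport = random.randrange(1024, 1 << 16)
        self.pending[(txid, sport)] = name
        return txid, sport, build_query(txid, name)

    def receive(self, msg, dst_port):
        r = parse_response(msg)
        if self.strict:
            matched = [k for k, v in self.pending.items()
                       if k == (r["txid"], dst_port) and v == r["qname"]]
        else:
            matched = [k for k, v in self.pending.items() if v == r["qname"]]
        if not matched:
            return False                       # unsolicited or mismatched: dropped
        for k in matched:
            del self.pending[k]
        self.cache[r["qname"]] = r["answers"]  # first accepted reply wins the race
        return True


def simulate_spoof_race(strict, seed=7):
    """Forged reply arrives first with a wrong TXID aimed at port 53; genuine reply
    arrives second. Returns the address the resolver ends up caching."""
    random.seed(seed)
    resolver = StubResolver(strict)
    txid, sport, _wire = resolver.send_query("bank.example")
    wrong_txid = 0x1234 if txid != 0x1234 else 0x4321   # attacker's guess (constructed)
    forged = build_response(wrong_txid, "bank.example", "203.0.113.66")
    genuine = build_response(txid, "bank.example", "192.0.2.10")
    resolver.receive(forged, dst_port=53)
    resolver.receive(genuine, dst_port=sport)
    return resolver.cache["bank.example"][0]


if __name__ == "__main__":
    print("lax   :", simulate_spoof_race(strict=False))
    print("strict:", simulate_spoof_race(strict=True))
```

With lax matching the forged answer is cached and every later lookup of the name is redirected, which is the poisoned state the answer describes; the late genuine reply is discarded because the query is no longer pending. With strict matching the forgery fails unless the attacker also guesses the transaction ID and source port, which is why resolvers randomize both rather than relying on the 16-bit ID alone.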