OS Hardening SEC340 – Chapter 9 & 10

At what layer of the OSI model do proxy servers generally operate?
Select one:
a. Application
b. Transport
c. Network
d. Session

a. Application

The Cisco PIX line of products is best described as which of the following?
Select one:
a. PC with firewall installed
b. software firewall
c. firewall appliance
d. VPN gateway

c. firewall appliance

What are the two standard ports used by FTP along with their function?
Select one:
a. UDP 23 control, TCP 20 data
b. TCP 21 control, TCP 20 data
c. UDP 20 data, TCP 21 control
d. TCP 23 data, TCP 21 control

b. TCP 21 control, TCP 20 data

What is a suggested maximum size of a rule base?
Select one:
a. 10 rules
b. 30 rules
c. 300 rules
d. 100 rules

b. 30 rules

What is considered the ‘cleanup rule’ on a Cisco router?
Select one:
a. implicit deny all
b. implicit allow
c. explicit prompt
d. explicit allow all

a. implicit deny all

What service uses UDP port 53?
Select one:
a. DNS
b. SMTP
c. ICMP
d. TFTP

a. DNS

What might a company concerned about protecting its data warehouses and employee privacy consider installing on the network perimeter to prevent direct connections between the internal network and the Internet?
Select one:
a. VPN server
b. router
c. ICMP monitor
d. proxy server

d. proxy server

What type of attack are stateless packet filters particularly vulnerable to?
Select one:
a. attempts to connect to the firewall
b. attempts to connect to ports below 1023
c. IP spoofing attacks
d. attempts to connect to ports above 1023

c. IP spoofing attacks

What type of ICMP packet can an attacker use to send traffic to a computer they control outside the protected network?
Select one:
a. Destination Unreachable
b. Echo Request
c. Redirect
d. Source Quench

c. Redirect

Which element of a rule base conceals internal names and IP addresses from users outside the network?
Select one:
a. tracking
b. QoS
c. NAT
d. filtering

c. NAT

Which of the following is a general practice for a rule base?
Select one:
a. permit access to public servers in the DMZ
b. allow direct access from the Internet to computers behind the firewall
c. begin by blocking all traffic and end by allowing selective services
d. allow all access to the firewall

a. permit access to public servers in the DMZ

Which of the following is a method for supporting IPv6 on IPv4 networks until IPv6 is universally adopted?
Select one:
a. IPsec tunneling
b. SMTP/S tunneling
a. permit access to public servers in the DMZ
d. ICMPv6 encapsulation

a. permit access to public servers in the DMZ

Which of the following is a typical drawback of a free firewall program?
Select one:
a. oversimplified configuration
b. have centralized management
c. cannot monitor traffic in real time
d. more expensive than hardware firewalls

c. cannot monitor traffic in real time

Which of the following is an advantage of hardware firewalls?
Select one:
a. not scalable compared to software firewalls
b. not dependent on a conventional OS
c. easy to patch
d. less expensive than software firewalls

b. not dependent on a conventional OS

Which of the following is described as the combination of an IP address and a port number?
Select one:
a. socket
b. subnet
c. portal
d. datagram

a. socket

Which of the following is NOT a criterion typically used by stateless packet filters to determine whether or not to block packets?
Select one:
a. ports
b. TCP flags
c. data patterns
d. IP address

c. data patterns

Which of the following is NOT a protocol,port pair that should be filtered when an attempt is made to make a connection from outside the company network?
Select one:
a. TCP,139
b. TCP,80
c. TCP,3389
d. UDP,138

b. TCP,80

Which of the following is NOT among the common guidelines that should be reflected in the rule base to implement an organization’s security policy?
Select one:
a. employees can have restricted Internet access
b. employees can use instant-messaging only with external network users
c. the public can access the company Web servers
d. only authenticated traffic can access the internal network

b. employees can use instant-messaging only with external network users

Which of the following is NOT an ICMPv6 packet type that you should allow within your organization but never outside the organization?
Select one:
a. Packet too big
b. Packet Redirect
c. Time Exceeded
d. Destination unreachable

b. Packet Redirect

Which two ports should packet-filtering rules address when establishing rules for Web access?
Select one:
a. 143, 80
b. 80, 443
c. 25, 110
d. 423, 88

b. 80, 443

In what type of attack are zombies usually put to use?
Select one:
a. buffer overrun
b. spoofing
c. DDoS
d. virus

c. DDoS

What do you call a firewall that is connected to the Internet, the internal network, and the DMZ?
Select one:
a. multi-zone host
b. three-way packet filter
c. multi-homed proxy
d. three-pronged firewall

d. three-pronged firewall

What is a critical step you should take on the OS you choose for a bastion host?
Select one:
a. customize the OS for bastion operation
b. choose an obscure OS with which attackers are unfamiliar
c. ensure all security patches are installed
d. make sure it is the latest OS version

c. ensure all security patches are installed

What is a step you can take to harden a bastion host?
Select one:
a. open several ports to confuse attackers
b. enable additional services to serve as honeypots
c. remove unnecessary services
d. configure several extra accounts with complex passwords

c. remove unnecessary services

What is the term used for a computer placed on the network perimeter that is meant to attract attackers?
Select one:
a. virtual server
b. bastion host
c. honeypot
d. proxy decoy

c. honeypot

What should you consider installing if you want to inspect packets as they leave the network?
Select one:
a. security workstation
b. reverse firewall
c. filtering proxy router
d. RIP

b. reverse firewall

Where should network management systems generally be placed?
Select one:
a. out of band
b. in the server farm
c. in the DMZ
d. on the perimeter

a. out of band

Which network device works at the Application layer by reconstructing packets and forwarding them to Web servers?
Select one:
a. Layer 7 switch
b. proxy server
c. translating gateway
d. ICMP redirector

b. proxy server

Which of the following best describes a bastion host?
Select one:
a. a host with two or more network interfaces
b. a computer running a standard OS that also has proxy software installed
c. a computer on the perimeter network that is highly protected
d. a computer running only embedded firmware

c. a computer on the perimeter network that is highly protected

Which of the following best describes a DMZ?
Select one:
a. a private subnet that is inaccessible to both the Internet and the company network
b. a subnet of publicly accessible servers placed outside the internal network
c. a network of computers configured with robust firewall software
d. a proxy server farm used to protect the identity of internal servers

b. a subnet of publicly accessible servers placed outside the internal network

Which of the following is a disadvantage of using a proxy server?
Select one:
a. shields internal host IP addresses
b. can’t filter based on packet content
c. slows Web page access
d. may require client configuration

d. may require client configuration

Which of the following is best described as software that prioritizes and schedules requests and then distributes them to servers based on each server’s current load and processing power?
Select one:
a. load-balancing software
b. priority server farm
c. server pooling software
d. traffic distribution filter

a. load-balancing software

Which of the following is true about a dual-homed host?
Select one:
a. it is used as a remote access server in some configurations
b. uses a single NIC to manage two network connections
c. serves as a single point of entry to the network
d. its main objective is to stop worms and viruses

c. serves as a single point of entry to the network

Which of the following is true about a screening router?
Select one:
a. it can stop attacks from spoofed addresses
b. it examines the data in the packet to make filtering decisions
c. it should be combined with a firewall for better security
d. it maintains a state table to determine connection information

c. it should be combined with a firewall for better security

Which of the following is true about private IP addresses?
Select one:
a. they are assigned by the IANA
b. NAT was designed to conserve them
c. they are not routable on the Internet
d. they are targeted by attackers

c. they are not routable on the Internet

Which type of firewall configuration protects public servers by isolating them from the internal network?
Select one:
a. dual-homed host
b. screened subnet DMZ
c. reverse firewall
d. screening router

b. screened subnet DMZ

Which type of NAT is typically used on devices in the DMZ?
Select one:
a. one-to-one NAT
b. many-to-one NAT
c. port address translation
d. one-to-many NAT

a. one-to-one NAT

Which type of security device can speed up Web page retrieval and shield hosts on the internal network?
Select one:
a. caching-only DNS server
b. caching firewall
c. DMZ intermediary
d. proxy server

d. proxy server

Which type of translation should you use if you need 50 computers in the corporate network to be able to access the Internet using a single public IP address?
Select one:
a. one-to-many NAT
b. port address translation
c. one-to-one NAT
d. DMZ proxy translation

b. port address translation

Why is a bastion host the system most likely to be attacked?
Select one:
a. it is available to external users
b. it contains the default administrator account
c. it has weak security
d. it contains company documents

a. it is available to external users
