
Question 1

Which of the following types of traffic can easily be filtered with a stateful packet filter by enforcing the
context or state of the request?

• ICMP

• TCP

• UDP

• IP

Correct Answer is: TCP

Details:

The correct answer is: TCP

The question is explicit in asking *easily*. With TCP connection establishment there is a distinct state or
sequence that can be expected. Consult the references for further details.

ICMP, IP and UDP don't have any concept of a session; i.e. each packet or datagram is handled
individually, with no reference to the contents of the previous one. With no sessions, these protocols
usually cannot be filtered on the state of the session.

Some newer firewalls, however, simulate the concept of state for these protocols, and filter out
unexpected packets based upon normal usage. Although these are commonly treated like normal
stateful filters, they are more complex to program, and hence more prone to errors.

A stateful packet filter (stateful inspection) inspects each packet and only allows packets that match a
known connection state through. So, if a SYN/ACK packet is received and no prior SYN packet was sent, the
filter drops that packet and does not let it in. The correct sequence of steps is known, and if the sequence
or state is incorrect the packet is dropped.
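The handshake check described above, written out as an added example (this is not code from the study guide or its references): a minimal connection table that admits an inbound SYN/ACK only when the matching outbound SYN has already been seen, and drops anything that arrives out of state. The addresses, the `INTERNAL_NET` prefix and the packet list are constructed samples.

```python
# Added example (not from the study guide): a minimal stateful packet filter
# for TCP. It tracks the handshake state of each connection and drops packets
# whose flags do not fit the state the table expects, e.g. an inbound SYN/ACK
# with no prior outbound SYN. All packets below are constructed samples.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed: the "inside" of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN/ACK", "ACK", "FIN", "RST"


class StatefulTcpFilter:
    """Connection table keyed by the 4-tuple as seen from the inside host."""

    def __init__(self):
        self.table = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    @staticmethod
    def _key(p):
        # Normalise so both directions of one connection share a key.
        if p.src.startswith(INTERNAL_NET):
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def decide(self, p):
        key, direction = self._key(p)
        state = self.table.get(key)
        if p.flags == "SYN" and direction == "out" and state is None:
            self.table[key] = "SYN_SENT"             # inside host opened a connection
            return "ALLOW"
        if p.flags == "SYN/ACK" and direction == "in" and state == "SYN_SENT":
            self.table[key] = "SYN_RECEIVED"         # expected reply to our SYN
            return "ALLOW"
        if p.flags == "ACK" and state in ("SYN_RECEIVED", "ESTABLISHED"):
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        if p.flags in ("FIN", "RST") and state == "ESTABLISHED":
            del self.table[key]                      # connection torn down
            return "ALLOW"
        return "DROP"                                # out-of-state packet


def run_sample():
    """Feed constructed packets through the filter; returns the decisions."""
    f = StatefulTcpFilter()
    inside, outside = "10.0.0.5", "203.0.113.9"   # constructed addresses
    flows = [
        # Unsolicited SYN/ACK: no SYN was ever sent, so it is dropped.
        Packet(outside, 80, inside, 40000, "SYN/ACK"),
        # Legitimate handshake initiated from inside.
        Packet(inside, 40001, outside, 80, "SYN"),
        Packet(outside, 80, inside, 40001, "SYN/ACK"),
        Packet(inside, 40001, outside, 80, "ACK"),
        # Inbound SYN from the outside host: not a reply, so dropped.
        Packet(outside, 5555, inside, 22, "SYN"),
    ]
    return [f.decide(p) for p in flows]


if __name__ == "__main__":
    print(run_sample())
```

The table is what makes the filter stateful: the same SYN/ACK bytes are allowed or dropped purely on whether the table already holds a SYN_SENT entry for that 4-tuple. A real firewall also ages entries out and tracks sequence numbers, which is omitted here.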

The incorrect answers are:

ICMP. ICMP is basically stateless so you could not *easily* filter them based on the state or sequence.

UDP. UDP has no real state so you could only partially filter them based on the state or sequence. The
question was explicit in asking *easily*. While it is possible, UDP is not the best answer.

IP. IP would refer to the Internet Protocol and as such is stateless so you would not be able to filter it out
*easily*.

The following reference(s) was used to create this question:


CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 440(TCP Handshake States) and Page 467(Stateful Packet Inspection) or Kindle Location 12018 and
12747.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14568

http://www.nwo.net/ipf/ipf-howto.pdf

Question 2

ICMP and IGMP belong to which layer of the OSI model?

• Datagram Layer.

• Network Layer.

• Transport Layer.

• Data Link Layer.

Correct Answer is: Network Layer.

Details:

The correct answer is: Network Layer.

The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and
the Internet Group Management Protocol (IGMP).

From the OIG:

The Internet (network) layer defines how information the transport layer receives is sent over networks,
and how the network addresses, or references, other hosts. The network layer contains the Internet
Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management
Protocol (IGMP). Because it contains the IP module, the network layer is considered the heart of any
TCP/IP-based network. Within the network layer, the IP module performs most of the work. ICMP and
IGMP are IP-support protocols helping the IP handle special network messages such as error messages
and multicast messages (messages sent to two or more nodes). The network layer handles the delivery
of information from one computer to the other computers across networks. IP, ICMP, and IGMP all
operate at the Network Layer.

The following answers are incorrect:

Datagram Layer. Is incorrect as a distractor as there is no Datagram Layer.

Transport Layer. Is incorrect because it is used to deliver error-free data between applications and uses
the TCP and UDP protocols.

Data Link Layer. Is incorrect because this layer deals with addressing hardware.

The following reference(s) was used to create this question:

CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 433 or Kindle Location 11848

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12338

Question 3

The IP header contains a protocol field. If this field contains the value of 6, what type of data is
contained within the IP datagram?

• TCP.

• ICMP.

• UDP.

• IGMP.

Correct Answer is: TCP.

Details:

The correct answer is: TCP.

If the protocol field has a value of 6 then it would indicate it was TCP.

The protocol field of the IP packet dictates what protocol the IP packet is using.
TCP=6, ICMP=1, UDP=17, IGMP=2

The following answers are incorrect:

ICMP. Is incorrect because the value for an ICMP protocol would be 1.

UDP. Is incorrect because the value for a UDP protocol would be 17.

IGMP. Is incorrect because the value for an IGMP protocol would be 2.

The following reference(s) was used to create this question:

CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 442 or Kindle Location 12063

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12534

SANS http://www.sans.org/resources/tcpip.pdf?ref=3871

Question 4

The IP header contains a protocol field. If this field contains the value of 2, what type of data is
contained within the IP datagram?

• TCP

• ICMP

• UDP

• IGMP

Correct Answer is: IGMP

Details:

The correct answer is: IGMP.

If the protocol field has a value of 2 then it would indicate it was IGMP.

The protocol field of the IP packet dictates what protocol the IP packet is using.
TCP=6, ICMP=1, UDP=17, IGMP=2
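Questions 3 and 4 both turn on reading one byte of the IPv4 header. As an added example (not code from the study guide or its references), the block below builds a minimal IPv4 header, then parses it with `struct` and maps the protocol number at byte offset 9 to its name using the values the questions give (ICMP=1, IGMP=2, TCP=6, UDP=17). The header bytes and the 192.0.2.x addresses are constructed samples; the checksum is left at zero.

```python
# Added example (not from the study guide): parse the fixed 20-byte IPv4
# header with struct and read the 8-bit protocol field (offset 9). Values
# follow the IANA protocol numbers the question cites: 1 ICMP, 2 IGMP,
# 6 TCP, 17 UDP. The packet bytes are constructed samples.
import struct
import ipaddress

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Field layout of the IPv4 header without options (20 bytes, network order).
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4_header(protocol, src="192.0.2.1", dst="192.0.2.2", payload_len=0):
    """Build a minimal IPv4 header (no options); checksum left as zero."""
    version_ihl = (4 << 4) | 5              # IPv4, IHL = 5 words (20 bytes)
    total_length = 20 + payload_len
    return struct.pack(
        IPV4_FMT,
        version_ihl, 0, total_length, 0, 0,   # ver/ihl, tos, length, id, flags+frag
        64, protocol, 0,                      # ttl, protocol, checksum (0 here)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4_header(raw):
    """Return version, header length, TTL, protocol number/name and addresses."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, _total_length, _ident, _frag, ttl, protocol,
     _checksum, src, dst) = struct.unpack(IPV4_FMT, raw[:20])
    version = version_ihl >> 4
    ihl_bytes = (version_ihl & 0x0F) * 4
    if version != 4 or ihl_bytes < 20:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl_bytes,
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, f"unknown({protocol})"),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def protocol_name_of(raw):
    """Convenience wrapper: the name of the protocol carried in the datagram."""
    return parse_ipv4_header(raw)["protocol_name"]


if __name__ == "__main__":
    for number in (6, 2, 17, 1):
        print(number, protocol_name_of(build_ipv4_header(number)))
```

Note that the parser honours the IHL field only to reject malformed headers; a full implementation would use it to find where the payload (and therefore the TCP or UDP header) begins when options are present.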

The following answers are incorrect:

TCP. Is incorrect because the value for a TCP protocol would be 6.

UDP. Is incorrect because the value for a UDP protocol would be 17.

ICMP. Is incorrect because the value for an ICMP protocol would be 1.

The following reference(s) was used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 447 or Kindle Location 12206

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12350

SANS http://www.sans.org/resources/tcpip.pdf?ref=3871

Question 5

You are running a packet sniffer on a network and see a packet containing a long string of "0x90 0x90
0x90 0x90...." in the middle of it traveling to an x86-based machine as a target. This could be indicative
of what activity being attempted?

• Over-subscription of the traffic on a backbone.

• A source quench packet.

• A FIN scan.

• A buffer overflow attack.

Correct Answer is: A buffer overflow attack.

Details:

The correct answer is: A buffer overflow attack.


A series of the same byte value (here the hexadecimal code 0x90) repeated in a string is usually an indicator
of a buffer overflow attack.

The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer
overflow attacks use long strings of control characters and this is representative of that type of attack.

A buffer overflow takes place when too much data is accepted as input to a specific process. A buffer is
an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to
be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up
by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make
a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by
pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This
task could be to open a command shell with administrative privilege or execute malicious code.

Common threats to system availability, integrity, and confidentiality include hardware failure, misuse of
system privileges, buffer overflows and other memory attacks, denial of service, reverse engineering,
and system hacking.

Since many vulnerabilities result from insecure design and most threats are well known, it is the
responsibility of the security architect to ensure that their designs are addressing security requirements
appropriately while also ensuring that the system can continue to perform its intended function.

The following answers are incorrect:

Over-subscription of the traffic on a backbone. Is incorrect because if there was Over-subscription of the
traffic on a backbone, that would typically result in not being able to send or receive any packets, more
commonly known as Denial of Service or DoS.

A source quench packet. This is incorrect because a source quench packet is an ICMP message that
contains the internet header plus 64 bits of the original datagram.

A FIN scan. This is incorrect because a FIN scan is when a packet with the FIN flag set is sent to a specific
port and the results are then analyzed.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 370-372 or Kindle Location 10422

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 26381

Wikipedia http://en.wikipedia.org/wiki/Port_scanner
ICMP http://security.maruhn.com/iptables-tutorial/x1078.html

Wikipedia http://en.wikipedia.org/wiki/Buffer_overflow

Question 6

A packet containing a long string of NOPs followed by a command is usually indicative of what?

• A syn scan.

• A half-port scan.

• A buffer overflow attack.

• A packet destined for the network's broadcast address.

Correct Answer is: A buffer overflow attack.

Details:

The correct answer is: A buffer overflow attack.

A series of the same hexadecimal character embedded in the string is usually an indicator of a
buffer overflow attack. A NOP is an instruction which does nothing (No Operation; the hexadecimal
equivalent on x86 is 0x90).
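Questions 5 and 6 describe the sniffer observation behind a classic IDS signature: a long run of 0x90 bytes in a payload. The block below is an added example (not from the study guide or its references) of the detection side: it scans a payload for runs of a repeated byte and reports their offsets and lengths. The payloads are constructed samples, and the 32-byte threshold is an assumed tuning value; the detector only inspects bytes, it never executes anything.

```python
# Added example (not from the study guide): a detector that scans a packet
# payload for long runs of the same byte, such as the 0x90 (x86 NOP) sled
# the question describes. The payload bytes are constructed samples; the
# threshold of 32 repeated bytes is an assumed tuning value.
def longest_run(payload, value):
    """Length of the longest consecutive run of `value` in payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def find_sleds(payload, value=0x90, threshold=32):
    """Return (offset, length) for every run of `value` at least threshold long."""
    sleds, start = [], None
    for i, b in enumerate(payload):
        if b == value:
            if start is None:
                start = i                      # run begins
        elif start is not None:
            if i - start >= threshold:
                sleds.append((start, i - start))
            start = None                       # run ended
    if start is not None and len(payload) - start >= threshold:
        sleds.append((start, len(payload) - start))   # run reaches end of payload
    return sleds


def inspect(payload, value=0x90, threshold=32):
    """Alert dict in the style of an IDS finding; payload bytes are only read."""
    sleds = find_sleds(payload, value, threshold)
    return {
        "alert": bool(sleds),
        "sleds": sleds,
        "longest_run": longest_run(payload, value),
    }


# Constructed samples: a benign HTTP request and a payload with a 64-byte sled.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SUSPECT = b"A" * 12 + b"\x90" * 64 + b"B" * 8

if __name__ == "__main__":
    print(inspect(BENIGN))
    print(inspect(SUSPECT))
```

Real sensors pair this with context (destination service, whether the bytes sit in a field that should be text) because a run of one byte also occurs in legitimate binary data such as padding or zero-filled images; the threshold is what trades false positives against missed sleds.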

The following answers are incorrect:

A syn scan. This is incorrect because a SYN scan is when a SYN packet is sent to a specific port and the
results are then analyzed.

A half-port scan. This is incorrect because the port scanner generates a SYN packet. If the target port is
open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the
connection before the handshake is completed. Also known as a Half Open Port scan.

A packet destined for the network's broadcast address. This is incorrect because this type of packet
would not contain a long string of NOP characters.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 26381

AIOv3 Security Models and Architecture (page 321)

Wikipedia http://en.wikipedia.org/wiki/Port_scanner

ICMP http://security.maruhn.com/iptables-tutorial/x1078.html

Simple Buffer Overflow Tutorial http://www.milw0rm.com/papers/73

Question contributed by: Sarang Chalikwar

Question reviewed by: Clement Dupuis

Question comments submitted by:

The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer
overflow attacks use long strings of control characters and this is representative of that type of attack.

Question 7

In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class C network?

• The first bit of the IP address would be set to zero.

• The first bit of the IP address would be set to one and the second bit set to zero.

• The first two bits of the IP address would be set to one, and the third bit set to zero.

• The first three bits of the IP address would be set to one.

Correct Answer is: The first two bits of the IP address would be set to one, and the third bit set to zero.

Details:

The correct answer is: The first two bits of the IP address would be set to one, and the third bit set to
zero.

Each Class C network address has a 24-bit network prefix, with the three highest-order bits set to 1-1-0.

The following answers are incorrect:

The first bit of the IP address would be set to zero. Is incorrect because this would be a Class A network
address.

The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because
this would be a Class B network address.

The first three bits of the IP address would be set to one. Is incorrect because this is a distractor. Classes D
and E have the first three bits set to 1. For Class D the 4th bit is 0 and for Class E the 4th bit is 1.

Classless Internet Domain Routing (CIDR)

The high-order bits that identify each class are the leading bits of the first octet.

For Class A, the addresses are 0.0.0.0 - 127.255.255.255

The lowest Class A address is represented in binary as 00000000.00000000.00000000.00000000

For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255.

The lowest Class B address is represented in binary as 10000000.00000000.00000000.00000000

For Class C, the addresses are 192.0.0.0 - 223.255.255.255

The lowest Class C address is represented in binary as 11000000.00000000.00000000.00000000

For Class D, the addresses are 224.0.0.0 - 239.255.255.255 (Multicast)

The lowest Class D address is represented in binary as 11100000.00000000.00000000.00000000

For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (Reserved for future usage)

The lowest Class E address is represented in binary as 11110000.00000000.00000000.00000000

The following reference(s) were used to create this question:


SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 445 or Kindle Location 12130

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12582

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

AIOv3 Telecommunications and Networking Security (page 438)

Question 8

In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class A network?

• The first bit of the IP address would be set to zero

• The first bit of the IP address would be set to one and the second bit set to zero

• The first two bits of the IP address would be set to one, and the third bit set to zero

• The first three bits of the IP address would be set to one

Correct Answer is: The first bit of the IP address would be set to zero

Details:

The correct answer is: The first bit of the IP address would be set to zero.

Each Class A network address has an 8-bit network prefix, with the first bit of the IP address set to zero.
See the class ranges below for more details.

The following answers are incorrect:

The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because
this would be a Class B network address.

The first two bits of the IP address would be set to one, and the third bit set to zero. Is incorrect
because, this would be a Class C network address.

The first three bits of the IP address would be set to one. Is incorrect because this is a distractor.

Classes D and E have the first three bits set to 1. For Class D the 4th bit is 0 and for Class E the 4th bit
is 1.

See diagram below from the 3COM tutorial on everything you ever wanted to know about IP addressing:

Classless Internet Domain Routing (CIDR)

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet
Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous
addressing architecture of classful network design in the Internet. Their goal was to slow the growth of
routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.

For Class A, the addresses are 0.0.0.0 - 127.255.255.255.

For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255.

For Class C, the addresses are 192.0.0.0 - 223.255.255.255.

For Class D, the addresses are 224.0.0.0 - 239.255.255.255.

For Class E, the addresses are 240.0.0.0 - 255.255.255.255.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 445 or Kindle Location 12130

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12583 and 13186.

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

and

AIOv3 Telecommunications and Networking Security (page 438)

and

https://secure.wikimedia.org/wikipedia/en/wiki/Classless_Inter-Domain_Routing

Question 9

Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid
address to use on the Internet)?

• 10.0.42.5

• 11.0.42.5

• 12.0.42.5

• 13.0.42.5

Correct Answer is: 10.0.42.5

Details:

The correct answer is: 10.0.42.5

This is a valid Class A reserved address. For Class A, the reserved addresses are 10.0.0.0 -
10.255.255.255.

The following answers are incorrect:

11.0.42.5 Is incorrect because it is not a Class A reserved address.

12.0.42.5 Is incorrect because it is not a Class A reserved address.

13.0.42.5 Is incorrect because it is not a Class A reserved address.

The private IP address ranges are defined within RFC 1918:
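Questions 7, 8 and 9 all come down to the same two checks on an address: which classful block its leading bits put it in, and whether it sits in a private range. As an added example (not code from the study guide or its references), the block below implements both. It goes slightly beyond the question text in that it checks all three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), where the explanation above names only the 10.0.0.0 range; the sample addresses are constructed.

```python
# Added example (not from the study guide): classify an IPv4 address by the
# high-order bits of its first octet (classful rules from before CIDR) and
# check whether it falls in an RFC 1918 private range. RFC 1918 defines
# three blocks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; the question
# text mentions only the first.
import ipaddress

RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def first_octet(addr):
    """The first octet of a dotted-quad address as an integer 0..255."""
    return int(ipaddress.IPv4Address(addr)) >> 24


def address_class(addr):
    """Return 'A'..'E' from the leading bits of the first octet."""
    first = first_octet(addr)
    if first & 0b10000000 == 0:             # 0xxxxxxx  -> 0.0.0.0 .. 127.255.255.255
        return "A"
    if first & 0b11000000 == 0b10000000:    # 10xxxxxx  -> 128.0.0.0 .. 191.255.255.255
        return "B"
    if first & 0b11100000 == 0b11000000:    # 110xxxxx  -> 192.0.0.0 .. 223.255.255.255
        return "C"
    if first & 0b11110000 == 0b11100000:    # 1110xxxx  -> 224.0.0.0 .. 239.255.255.255
        return "D"
    return "E"                              # 1111xxxx  -> 240.0.0.0 .. 255.255.255.255


def is_rfc1918(addr):
    """True when the address lies inside any RFC 1918 private block."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def describe(addr):
    """Summary used, for instance, when screening a list of candidate addresses."""
    return {
        "address": addr,
        "first_octet_bits": format(first_octet(addr), "08b"),
        "class": address_class(addr),
        "private": is_rfc1918(addr),
    }


if __name__ == "__main__":
    # Constructed samples, including the four options from Question 9.
    for a in ("10.0.42.5", "11.0.42.5", "12.0.42.5", "13.0.42.5",
              "172.16.0.1", "192.168.1.1", "224.0.0.1", "240.0.0.1"):
        print(describe(a))
```

Note that the classful and private checks are independent: 11.0.42.5 is a Class A address just like 10.0.42.5, but only the latter is private, which is exactly the distinction Question 9 tests.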

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 526 or Kindle Location 14198

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12575

Question 10

Which of the following media is MOST resistant to tapping?

• microwave.

• twisted pair.

• coaxial cable.

• fiber optic.

Correct Answer is: fiber optic.

Details:

The correct answer is: fiber optic.

Fiber optic is the most resistant to tapping because fiber optic uses light to transmit the signal. While
there are some technologies that allow the line to be monitored passively, it is very difficult to tap into
without detection, so this technology would be the MOST resistant to tapping.

Tapping is when an unauthorized device is attached to a communications line. A fiber optic cable is a
physical medium that is capable of conducting modulated light transmission. Fiber optic cable carries
signals as light waves, thus creating higher transmission speeds and greater distances due to less
attenuation. This type of cabling is more difficult to tap than other cabling and is most resistant to
interference, especially EMI.

The following answers are incorrect:

microwave. Is incorrect because microwave transmissions can be intercepted if in the path of the
broadcast without detection.

twisted pair. Is incorrect because it is easy to tap into a twisted pair line.

coaxial cable. Is incorrect because it is easy to tap into a coaxial cable line.

The following reference(s) was used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 477 or Kindle Location 13041.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14488

Question 11

Organizations should consider which of the following first before allowing external access to their LANs
via the Internet?

• plan for implementing workstation locking mechanisms.

• plan for protecting the modem pool.

• plan for providing the user with his account usage information.

• plan for considering proper authentication options.

Correct Answer is: plan for considering proper authentication options.

Details:

The correct answer is: plan for considering proper authentication options.

Before a LAN is connected to the Internet, you need to determine which access control mechanisms are
to be used. This includes how you are going to authenticate individuals that may access your network
externally.

The following answers are incorrect:

plan for implementing workstation locking mechanisms. This is incorrect because locking the
workstations has no impact on the LAN or Internet access.

plan for protecting the modem pool. This is incorrect because protecting the modem pool has no impact
on the LAN or Internet access; it just protects the modems.

plan for providing the user with his account usage information. This is incorrect because the question
asks what should be done first. While important your primary concern should be focused on security.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

OIG CISSP CBK Access Control (page 98)


Question 12

Which one of the following is usually not a benefit resulting from the use of firewalls?

• reduces the risks of external threats from malicious hackers.

• prevents the spread of viruses.

• reduces the threat level on internal system.

• allows centralized management and control of services.

Correct Answer is: prevents the spread of viruses.

Details:

The correct answer is: prevents the spread of viruses.

This is not a benefit of a firewall. Most firewalls are limited when it comes to preventing the spread of
viruses.

This question is testing your knowledge of malware and firewalls. The keywords within the question
are "usually" and "virus". Once again, to come up with the correct answer you must stay within the
context of the question and really ask yourself which of the 4 choices is NOT usually done by a firewall.

Some of the latest appliances, such as Unified Threat Management (UTM) devices, do have the ability
to do virus scanning, but most first- and second-generation firewalls would not have such ability.
Remember, the question is not asking about all possible scenarios that could exist but only about which
of the 4 choices presented is the BEST.

For the exam you must know your general classes of Malware. There are generally four major classes of
malicious code that fall under the general definition of malware:

1. Virus: Parasitic code that requires human action or insertion, or which attaches itself to another
program to facilitate replication and distribution. Virus-infected containers can range from e-mail,
documents, and data file macros to boot sectors, partitions, and memory fobs. Viruses were the first
iteration of malware and were typically transferred by floppy disks (also known as sneakernet ) and
injected into memory when the disk was accessed or infected files were transferred from system to
system.

2. Worm: Self-propagating code that exploits system or application vulnerabilities to replicate. Once on
a system, it may execute embedded routines to alter, destroy, or monitor the system on which it is
running, then move on to the next system. A worm is effectively a virus that does not require human
interaction or other programs to infect systems.

3. Trojan Horse: Named after the Trojan horse of Greek mythology (and serving a very similar function),
a Trojan horse is a general term referring to programs that appear desirable, but actually contain
something harmful. A Trojan horse purports to do one thing that the user wants while secretly
performing other potentially malicious actions. For example, a user may download a game file, install it,
and begin playing the game. Unbeknownst to the user, the application may also install a virus, launch a
worm, or install a utility allowing an attacker to gain unauthorized access to the system remotely, all
without the user's knowledge.

4. Spyware: Prior to its use in malicious activity, spyware was typically a hidden application injected
through poor browser security by companies seeking to gain more information about a user's Internet
activity. Today, those methods are used to deploy other malware, collect private data, send advertising
or commercial messages to a system, or monitor system input, such as keystrokes or mouse clicks.

The following answers are incorrect:

reduces the risks of external threats from malicious hackers. This is incorrect because a firewall can
reduce the risks of external threats from malicious hackers.

reduces the threat level on internal system. This is incorrect because a firewall can reduce the threat
level on internal systems.

allows centralized management and control of services. This is incorrect because a firewall can allow
centralized management and control of services.

The following reference(s) was used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 465 or Kindle Location 12703.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14520

Question 13

Which of the following OSI layers provides routing and related services?

• Network Layer

• Presentation Layer

• Session Layer

• Physical Layer

Correct Answer is: Network Layer

Details:

The correct answer is: Network Layer.

The Network Layer performs network routing functions.

The following answers are incorrect:

Presentation Layer. Is incorrect because the Presentation Layer transforms the data to provide a
standard interface for the Application layer.

Session Layer. Is incorrect because the Session Layer controls the dialogues/connections (sessions)
between computers.

Physical Layer. Is incorrect because the Physical Layer defines all the electrical and physical specifications
for devices.

The following reference(s) was used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 433 or Kindle Location 11848

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 122242

Wikipedia http://en.wikipedia.org/wiki/OSI_Model

Question 14

Frame relay and X.25 networks are part of which of the following?

• Circuit-switched services

• Cell-switched services

• Packet-switched services

• Dedicated digital services

Correct Answer is: Packet-switched services

Details:

The correct answer is: Packet-switched services.

Frame relay and X.25 are both examples of packet-switching technologies. In packet-switched networks
there are no dedicated connections between endpoints, and data is divided into packets and
reassembled on the receiving end.

Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end
stations to dynamically share the network medium and the available bandwidth. The following two
techniques are used in packet-switching technology:

• Variable-length packets

• Statistical multiplexing

Variable-length packets are used for more efficient and flexible data transfers. These packets are
switched between the various segments in the network until the destination is reached.

Statistical multiplexing techniques control network access in a packet-switched network. The advantage
of this technique is that it accommodates more flexibility and more efficient use of bandwidth. Most of
today's popular LANs, such as Ethernet and Token Ring, are packet-switched networks.

Frame Relay often is described as a streamlined version of X.25, offering fewer of the robust capabilities,
such as windowing and retransmission of lost data, that are offered in X.25. This is because Frame Relay
typically operates over WAN facilities that offer more reliable connection services and a higher degree of
reliability than the facilities available during the late 1970s and early 1980s that served as the common
platforms for X.25 WANs. As mentioned earlier, Frame Relay is strictly a Layer 2 protocol suite, whereas
X.25 provides services at Layer 3 (the network layer) as well. This enables Frame Relay to offer higher
performance and greater transmission efficiency than X.25, and makes Frame Relay suitable for current
WAN applications, such as LAN interconnection.

The following answers are incorrect:


Circuit-switched services. Examples of circuit-switched services are Integrated Services Digital
Network (ISDN) and Point-to-Point Protocol (PPP). Frame Relay and X.25 do not use circuit switching
technology.

Cell-switched services. This is a distractor.

Dedicated digital services. A packet switched network is commonly via a digital method, but is not
dedicated. Examples of a Dedicated digital service might be a Permanent Virtual Circuit (PVC), which
does not use packet switching.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 535 or Kindle Location 14417.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15476

Question 15

In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?

• Transport

• Network

• Presentation

• Application

Correct Answer is: Transport

Details:

The correct answer is: Transport. The Layer 4 Transport layer supports the TCP and UDP protocols in the
OSI Reference Model. This layer creates an end-to-end transportation between peer hosts. The
transmission can be connectionless and unreliable, such as UDP, or connection-oriented and ensuring
error-free delivery, such as TCP.

The following answers are incorrect:

Network. The Network layer moves information between hosts that are not physically connected. It
deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not
reside at the Layer 3 Network Layer in the OSI Reference Model.

Presentation. The Presentation Layer is concerned with the formatting of data into a standard
presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI
Reference Model.

Application. The Application Layer is a service for applications and Operating Systems data transmission,
for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI
Reference Model.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 434 & 435 or Kindle Location 11905.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242

Question 16

FTP, TFTP, SNMP, and SMTP are provided at what level of the Open Systems Interconnect (OSI)
Reference Model?

• Application

• Network

• Presentation

• Transport

Correct Answer is: Application

Details:

The correct answer is: Application. The Layer 7 Application Layer of the Open Systems Interconnect (OSI)
Reference Model is a service for applications and Operating Systems data transmission, for example FTP,
TFTP, SNMP, and SMTP.

The following answers are incorrect:

Network. The Network layer moves information between hosts that are not physically connected. It
deals with routing of information. IP is a protocol that is used in Network Layer. FTP, TFTP, SNMP, and
SMTP do not reside at the Layer 3 Network Layer in the OSI Reference Model.

Presentation. The Presentation Layer is concerned with the formatting of data into a standard
presentation such as ASCII. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 6 Presentation Layer
in the OSI Reference Model.

Transport. The Transport Layer creates an end-to-end transportation between peer hosts. The
transmission can be connectionless and unreliable, such as UDP, or connection-oriented and ensuring
error-free delivery, such as TCP. FTP, TFTP, SNMP, and SMTP do not reside at the Layer 4 Transport
Layer in the OSI Reference Model.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 436 & 437 or Kindle Location 11937.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242

Question 17

Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP)?

• TCP is connection-oriented, UDP is not.

• UDP provides for Error Correction, TCP does not.

• UDP is useful for longer messages, rather than TCP.


• TCP does not guarantee delivery of data, while UDP does guarantee data delivery.

Correct Answer is: TCP is connection-oriented, UDP is not.

Details:

The correct answer is: TCP is connection-oriented, UDP is not

TCP is a reliable, connection-oriented transport that guarantees delivery of data.

Protocols are the rules that two entities must follow in order to exchange data. Internet protocols send
and receive data in packets, and this communication can be either connectionless or connection-oriented.

In a connection-oriented exchange the receiver acknowledges what it has received, so the sender knows
that the transfer succeeded. Transmission Control Protocol (TCP) is such a protocol.

User Datagram Protocol (UDP), on the other hand, is connectionless: no feedback is returned to the
sender, so it never learns whether the data arrived. Delivery is therefore not guaranteed, but because
UDP skips the three-way handshake and does not wait for acknowledgements, it is faster than TCP,
which must complete the handshake and rely on feedback for every segment it sends.

The following answers are incorrect:

UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while TCP
does.

UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its
connectionless nature.

TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.
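The difference described above, as an added example that is not part of the original question bank: a small Python script (standard library only) that runs both transports over the loopback interface. TCP completes the three-way handshake inside connect()/accept() and reports a closed port as a refused connection; UDP hands a datagram to a closed port without complaint, because nothing in the protocol tells the sender whether anything arrived. Ports are obtained by asking the OS for a free one, which is an assumption that holds on an otherwise idle machine.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only; nothing leaves the machine


def _free_port(kind):
    """Ask the OS for an unused port of the given socket type, then release it.
    Assumption: no other process grabs it before we reuse it (fine for a demo)."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def tcp_exchange(message):
    """Connection-oriented: the handshake completes in connect()/accept(), and the
    echoed reply is proof that the data reached the peer."""
    port = _free_port(socket.SOCK_STREAM)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((HOST, port))
        srv.listen(1)
        srv.settimeout(5)

        def serve():
            conn, _ = srv.accept()          # SYN, SYN/ACK, ACK already exchanged
            with conn:
                conn.sendall(conn.recv(1024).upper())

        t = threading.Thread(target=serve)
        t.start()
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(5)
            cli.connect((HOST, port))
            cli.sendall(message)
            reply = cli.recv(1024)
        t.join()
    return reply


def tcp_connect_closed_port():
    """TCP to a port nobody listens on: the host answers the SYN with RST and
    connect() fails, so the sender is told immediately."""
    port = _free_port(socket.SOCK_STREAM)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.settimeout(5)
        try:
            cli.connect((HOST, port))
            return "connected"
        except ConnectionRefusedError:
            return "refused"


def udp_send_closed_port(message):
    """Connectionless: sendto() to a port nobody listens on succeeds from the
    sender's point of view. The datagram is simply dropped; the ICMP port
    unreachable the host generates is not reported on an unconnected UDP socket."""
    port = _free_port(socket.SOCK_DGRAM)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        sent = cli.sendto(message, (HOST, port))
    return sent == len(message)


def udp_exchange(message):
    """UDP with a listener works, but only because the application echoes back;
    the transport itself never acknowledges anything."""
    port = _free_port(socket.SOCK_DGRAM)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((HOST, port))
        srv.settimeout(5)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
            cli.settimeout(5)
            cli.sendto(message, (HOST, port))
            data, addr = srv.recvfrom(1024)
            srv.sendto(data.upper(), addr)
            reply, _ = cli.recvfrom(1024)
    return reply


if __name__ == "__main__":
    print("tcp echo:", tcp_exchange(b"hello"))
    print("tcp to closed port:", tcp_connect_closed_port())
    print("udp to closed port accepted by sender:", udp_send_closed_port(b"hello"))
    print("udp echo:", udp_exchange(b"hello"))
```

The two "closed port" functions are the instructive pair: the same unreachable destination is an error for TCP and a silent loss for UDP, which is exactly why applications on UDP have to build their own acknowledgement and retry logic if they need reliability.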

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 439 or Kindle Location 11984.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242

Question 18
Which OSI/ISO layer is responsible for determining the best route for data to be transferred?

• Session layer

• Physical layer

• Network layer

• Transport layer

Correct Answer is: Network layer

Details:

The correct answer is: Network layer.

The main responsibility of the network layer is to insert information into the packet's header so that it
can be properly routed. The protocols at the network layer must determine the best path for the packet
to take.

The following answers are incorrect:

Session layer. The session layer is responsible for establishing a connection between two applications.

Physical layer. The physical layer is responsible for converting electronic impulses into bits and vice
versa.

Transport layer. The transport layer is responsible for data transmission and error detection.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 433 or Kindle Location 11848.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242
Question 19

Which of the following is true related to network sniffing?

• Sniffers allow an attacker to monitor data passing across a network.

• Sniffers alter the source address of a computer to disguise and exploit weak authentication
methods.

• Sniffers take over network connections.

• Sniffers send IP fragments to a system that overlap with each other.

Correct Answer is: Sniffers allow an attacker to monitor data passing across a network.

Details:

The correct answer is: Sniffers allow an attacker to monitor data passing across a network . Sniffers
exploit characteristics of several data-link technologies, including Token Ring and especially Ethernet.

The following answers are incorrect: Sniffers alter the source address of a computer to disguise and
exploit weak authentication methods. IP Spoofing is a network-based attack, which involves altering the
source address of a computer to disguise the attacker and exploit weak authentication methods.

Sniffers take over network connections. Session Hijacking tools allow an attacker to take over network
connections, kicking off the legitimate user or sharing a login.

Sniffers send IP fragments to a system that overlap with each other. Malformed Packet attacks are a
type of DoS attack that involves one or two packets that are formatted in an unexpected way. Many
vendor product implementations do not take into account all variations of user entries or packet types.
If software handles such errors poorly, the system may crash when it receives such packets. A classic
example of this type of attack involves sending IP fragments to a system that overlap with each other
(the fragment offset values are deliberately set so that the fragments cannot be reassembled cleanly).
Some unpatched Windows and Linux systems will crash when they encounter such packets.

The following reference(s) were used to create this question:


SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 614 or Kindle Location 16436.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15885

Question 20

Which of the following is electromagnetic interference (EMI) that is noise from the radiation generated
by the difference between the hot and ground wires?

• traverse-mode noise

• common-mode noise

• crossover-mode noise

• transversal-mode noise

Correct Answer is: common-mode noise

Details:

The correct answer is: Common-mode noise is electrical noise between the hot and ground wire and
between the neutral and ground wire.

Common-mode noise can disrupt the memory and logic of a processor. Noise between neutral and ground
creates problems because the theoretically zero voltage between neutral and ground is used by
microprocessors and digital logic control systems as the zero-voltage reference. A voltage on the ground
wire can corrupt the stored memory variables of today's fast microprocessors, and common-mode noise
can be incorrectly interpreted as data.

This noise can cause what appears to be "software glitches ", erratic performance of the equipment and
partial or complete memory loss. Poor grounding also contributes significantly to common mode noise
and this dynamic situation can change with building age, material corrosion, soil conditions and
construction.

The following reference(s) were used to create this question:


SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 401 or Kindle Location 11120

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14441

Question 21

Which of the following protocols that provide integrity and authentication for IPSec, can also provide
non-repudiation in IPSec?

• Authentication Header (AH)

• Encapsulating Security Payload (ESP)

• Secure Sockets Layer (SSL)

• Secure Shell (SSH-2)

Correct Answer is: Authentication Header (AH)

Details:

The correct answer is: Authentication Header (AH)

As per the original AH specification (RFC 1826), the Authentication Header (AH) protocol is a mechanism
for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation,
depending on which cryptographic algorithm is used and how keying is performed. For example, use of
an asymmetric digital signature algorithm, such as RSA, could provide non-repudiation; the usual keyed
hash (HMAC) shared by both peers cannot, because either peer could have produced it.

IPSec is a suite of protocols that was developed specifically to protect IP traffic. IPv4 does not have any
integrated security, so IPSec was developed to bolt onto IP and secure the data the protocol transmits.
Where PPTP and L2TP work at the data link layer, IPSec works at the network layer of the OSI model.
The main protocols that make up the IPSec suite and their basic functionality are as follows:

• Authentication Header (AH) provides data integrity, data origin authentication, and protection from
replay attacks.

• Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data
integrity.

• Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for
security association creation and key exchange.

• Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.

The following are incorrect answers:

ESP is a mechanism for providing integrity and confidentiality to IP datagrams. It may also provide
authentication, depending on which algorithm and algorithm mode are used. Non-repudiation and
protection from traffic analysis are not provided by ESP (RFC 1827).

SSL is a secure protocol used for transmitting private information over the Internet. It works by using a
public key to encrypt data that is transferred over the SSL connection. OIG 2007, page 976

SSH-2 is a secure, efficient, and portable version of SSH (Secure Shell) which is a secure replacement for
telnet.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 256 or Kindle Location 7457.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14868

Question 22

Identify the framework that meets the characteristics listed below:

1. Handles multiple connections at the same time,

2. Provides secure authentication and encryption,

3. Supports only IP networks,

4. Used to be focused mostly on LAN-to-LAN communication rather than dial-up protocol,

5. Works at the network layer and provides security on top of IP.

• Hybrid L2PP

• IPSec

• L2F

• L2TP

Correct Answer is: IPSec


Details:

The correct answer is: IPSEC

IPsec (IP Security) is a set of protocols developed by the IETF to support secure exchange of packets at
the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs).

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications
by authenticating and encrypting each IP packet of a communication session.

Internet Protocol security (IPSec) is a framework of open standards for helping to ensure private, secure
communications over Internet Protocol (IP) networks through the use of cryptographic security services.
IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay
protection. Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all
protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need
to configure separate security for each application that uses TCP/IP.

IPSec helps provide defense-in-depth against:

• Network-based attacks from untrusted computers, attacks that can result in the denial-of-
service of applications, services, or the network

• Data corruption

• Data theft

• User-credential theft

• Administrative control of servers, other computers, and the network.

IPsec supports two modes: Transport and Tunnel.

Transport mode protects only the data portion (payload) of each packet and leaves the original IP
header in place; with ESP the payload is encrypted, with AH it is only authenticated.

Tunnel mode protects the entire original packet, header and payload, and wraps it in a new IP header
addressed to the far IPsec gateway, which also hides the original addresses from an observer on the
path. With ESP the whole inner packet is encrypted. On the receiving side, an IPsec-compliant device
strips the outer header and decrypts or verifies each packet.

For IPsec to work, the sending and receiving devices must agree on a security association and on the
keys that protect it. This is accomplished through the Internet Security Association and Key Management
Protocol/Oakley (ISAKMP/Oakley) exchange, in which the peers authenticate each other, for example
with digital certificates, and derive the shared session keys.
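The two points made in Question 21 (AH authenticates and integrity-protects, but a shared HMAC key gives no non-repudiation) and in this question (transport versus tunnel mode) are shown together in the following added example, which is not code from the question bank or from any IPsec implementation. It builds AH-protected packets with HMAC-SHA-1-96 using only the Python standard library; AH is used rather than ESP so that no encryption library is required. The IPv4 header, gateway addresses, SPI and key are constructed values, and the IPv4 header checksum is left at zero because AH treats it as mutable anyway.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12                   # HMAC-SHA-1-96 (RFC 2404): 160-bit MAC truncated to 96 bits
AH_HDR_LEN = 12 + ICV_LEN      # next hdr, len, reserved, SPI, seq (12 bytes) + ICV

# Constructed sample packet and addresses; nothing here comes from a real capture.
INNER_IP_HDR = bytes.fromhex("4500002c00010000400600000a0000010a000002")  # 10.0.0.1 -> 10.0.0.2, TCP
PAYLOAD = b"TCP-segment-payload-24B!"
OUTER_SRC, OUTER_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # the two IPsec gateways
KEY = b"shared-sa-key-from-ike-negotiation"  # in reality derived by IKE, not a literal


def set_len_and_proto(ip_hdr, total_len, proto):
    """Return the header with Total Length and Protocol rewritten."""
    return ip_hdr[:2] + struct.pack("!H", total_len) + ip_hdr[4:9] + bytes([proto]) + ip_hdr[10:]


def zero_mutable(ip_hdr):
    """RFC 4302: TOS, flags/fragment offset, TTL and header checksum may change in
    transit, so they are treated as zero when the ICV is computed or verified."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_hdr_no_icv, rest):
    """ICV = HMAC-SHA-1 over immutable IP header fields + AH header (ICV zeroed) + all data after it."""
    authed = zero_mutable(ip_hdr) + ah_hdr_no_icv + b"\x00" * ICV_LEN + rest
    return hmac.new(key, authed, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, inner_ip_hdr, payload, mode, spi=0x1000, seq=1):
    """Build an AH-protected packet in transport or tunnel mode."""
    if mode == "transport":
        # AH sits between the original IP header and its payload; the header is reused.
        rest = payload
        next_hdr = inner_ip_hdr[9]                          # original protocol (6 = TCP)
        ip_hdr = set_len_and_proto(inner_ip_hdr, 20 + AH_HDR_LEN + len(rest), AH_PROTO)
    elif mode == "tunnel":
        # The whole original packet becomes the payload of a new outer IP header.
        rest = inner_ip_hdr + payload
        next_hdr = 4                                        # IP-in-IP
        outer = bytes.fromhex("4500000000010000400000000000000000000000")  # constructed outer header
        ip_hdr = set_len_and_proto(outer, 20 + AH_HDR_LEN + len(rest), AH_PROTO)
        ip_hdr = ip_hdr[:12] + OUTER_SRC + OUTER_DST
    else:
        raise ValueError(mode)
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_HDR_LEN // 4 - 2, 0, spi, seq)
    icv = ah_icv(key, ip_hdr, ah_no_icv, rest)
    return ip_hdr + ah_no_icv + icv + rest


def ah_verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah = packet[:20], packet[20:20 + AH_HDR_LEN]
    rest = packet[20 + AH_HDR_LEN:]
    if ip_hdr[9] != AH_PROTO:
        return False
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah[:12], rest), ah[12:])


def decrement_ttl(packet):
    """What every router on the path does; AH ignores this field, so the ICV still verifies."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def tamper_payload(packet):
    """Flip one bit in the last byte (protected data); the ICV must now fail."""
    p = bytearray(packet)
    p[-1] ^= 0x01
    return bytes(p)


def icv_from_either_peer(key, payload):
    """Both ends of the SA hold the same HMAC key, so the receiver can produce exactly
    the ICV the sender would have. AH with HMAC proves membership of the SA, not who
    sent the packet; non-repudiation needs a per-sender asymmetric signature instead."""
    return ah_verify(key, ah_protect(key, INNER_IP_HDR, payload, "transport"))
```

Running ah_protect in both modes and then ah_verify on the result, on the same packet after a TTL decrement, and on the packet after a payload change shows what AH does and does not cover: router-modified fields pass, any change to the protected bytes fails, and in tunnel mode even the inner header's TTL is protected because it is now payload. icv_from_either_peer is the Question 21 caveat in code: a valid ICV only proves that someone holding the SA key built the packet.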

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 255 or Kindle Location 7457.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14869

Question 23

What is the main problem of the renewal of a root CA certificate?

• It requires key recovery of all end user keys

• It requires the authentic distribution of the new root CA certificate to all PKI participants

• It requires the collection of the old root CA certificates from all the users

• It requires issuance of the new root CA certificate

Correct Answer is: It requires the authentic distribution of the new root CA certificate to all PKI
participants

Details:

The correct answer is: It requires the authentic distribution of the new root CA certificate to all PKI
participants.

The main task here is the authentic distribution of the new root CA certificate, as the new trust anchor,
to all the PKI participants (e.g. the users).

In some rollover scenarios there is no automatic way to do this; explicit assignment of trust by each
user is needed, which can be very costly.

Other methods use the old root CA certificate to establish trust in the new one automatically (see the
PKIX reference), but these solutions only work well while the current root CA certificate is still valid,
not in emergency cases such as compromise of the current root CA certificate.

Root CA certificate rollover is a specific and delicate problem and is therefore often ignored during PKI
deployment.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14148

Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA Zertifikatswechsel, conference Enterprise
Security 2002, March 26-27, 2002, Paderborn; RFC 2459 : Internet X.509 Public Key Infrastructure
Certificate and CRL Profile.

Question 24

What is the primary role of smartcards in a PKI?

• Transparent renewal of user keys

• Easy distribution of the certificates between the users

• Fast hardware encryption of the raw data

• Tamper resistant, mobile storage and application of private keys of the users

Correct Answer is: Tamper resistant, mobile storage and application of private keys of the users

Details:

The correct answer is: tamper resistant, mobile storage and application of private keys of the users.

Security

Tamper-resistant microprocessors are used to store and process private or sensitive information, such
as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the
information, the chips are designed so that the information is not accessible through external means
and can be accessed only by the embedded software, which should contain the appropriate security
measures.

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips
used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering,
because numerous attacks are possible, including:
• physical attack of various forms (microprobing, drills, files, solvents, etc.)

• freezing the device

• applying out-of-spec voltages or power surges

• applying unusual clock signals

• inducing software errors using radiation

• measuring the precise time and power requirements of certain operations (see power analysis)

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if
they detect penetration of their security encapsulation or out-of-specification environmental
parameters. A chip may even be rated for "cold zeroisation ", the ability to zeroise itself even after its
power supply has been crippled.

Nevertheless, the fact that an attacker may have the device in his possession for as long as he likes, and
perhaps obtain numerous other samples for testing and practice, means that it is practically impossible
to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most
important elements in protecting a system is overall system design. In particular, tamper-resistant
systems should "fail gracefully " by ensuring that compromise of one device does not compromise the
entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the
expected return from compromising a single device (plus, perhaps, a little more for kudos). Since the
most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out,
carefully designed systems may be invulnerable in practice.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 566 & 567 or Kindle Location 15169 & 15200.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 17186

Question 1

Which of the following access methods is used by Ethernet?

• CSU/DSU.

• CSMA/CD.

• TCP/IP.

• FIFO.
Correct Answer is: CSMA/CD.

Details:

The correct answer is: CSMA/CD.

Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD): a station listens before
it transmits, detects a collision while transmitting, and backs off for a random interval before retrying,
which minimizes the effect of collisions on the shared medium.

The following answers are incorrect:

CSU/DSU is incorrect because a Channel Service Unit/Digital Service Unit (CSU/DSU) is a digital interface
normally used to connect a router to a digital circuit.

TCP/IP is incorrect because Transmission Control Protocol/Internet Protocol (TCP/IP) is a network
protocol suite, not an access method.

FIFO is incorrect; it is a distractor. First In, First Out (FIFO) is typically a processing or queueing
methodology in which items are served in the order in which they arrive.

Ethernet is a frame based network technology.

The following reference(s) were used to create this question:

CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 489 or Kindle Location 13324

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15189

Wikipedia http://en.wikipedia.org/wiki/FIFO

Question 2

When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used, what is the
proper term to refer to a single unit of TCP data at the transport layer?

• TCP packet.

• TCP datagram.

• TCP frame.
• TCP segment.

Correct Answer is: TCP segment.

Details:

The correct answer is: TCP segment.

A TCP segment is the unit of TCP data transmitted at the Transport Layer. TCP is a segment-based
transport.

When a message is passed to the transport layer, TCP adds its header to the data; the resulting bundle
is a segment. If the message is being transmitted over TCP, it is referred to as a segment.

The following answers are incorrect:

TCP datagram. Incorrect because "TCP datagram" is only a distractor; "IP datagram" (or "UDP datagram")
would be the proper terminology. TCP is a segment-based transport.

TCP frame. Incorrect because "TCP frame" is only a distractor; "Ethernet frame" would be the proper
terminology. TCP is a segment-based transport.

TCP packet. Incorrect because "TCP packet" is only a distractor; "IP packet" is the Layer 3 term. TCP is a
segment-based transport.

The following reference(s) were used to create this question:

CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh Edition
Page 430 or Kindle Location 11791

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12384

Wikipedia http://en.wikipedia.org/wiki/Transport_layer

Wikipedia http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure

TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, 1994, ISBN 0-201-63346-9.

http://www.infocellar.com/networks/osi-model.htm

Question 4
What is the proper term for the Protocol Data Unit used at the Network Layer of the OSI model?

• IP segment.

• IP fragment.

• IP frame.

• IP Packet.

Correct Answer is: IP Packet.

Details:

The correct answer is: IP Packet.

PDUs are relevant in relation to layers of the OSI and DoD model as follows:

• The Layer 1 (Physical Layer) PDU is the bit

• The Layer 2 (Data Link Layer) PDU is the frame

• The Layer 3 (Network Layer) PDU is the packet

• The Layer 4 (Transport Layer) PDU is the segment for TCP or the datagram for UDP

• The Layer 5-6-7 (Application Layer) PDU is the data, which can be clear text, encrypted, or
compressed

Given a context pertaining to a specific OSI layer, PDU is sometimes used as a synonym for its
representation at that layer

See graphic below to see how the terms would be used in the DoD TCP model.

DIFFERENCE BETWEEN PACKETS AND DATAGRAM

As specified at: http://en.wikipedia.org/wiki/Packet_(information_technology)

In general, the term packet applies to any message formatted as a packet, while the term datagram is
generally reserved for packets of an "unreliable " service.

A "reliable " service is one that notifies the user if delivery fails, while an "unreliable " one does not
notify the user if delivery fails. For example, IP provides an unreliable service.
Together, TCP and IP provide a reliable service, whereas UDP and IP provide an unreliable one. All these
protocols use packets, but UDP packets are generally called datagrams.

If a network does not guarantee packet delivery, then it becomes the host's responsibility to provide
reliability by detecting and retransmitting lost packets. Subsequent experience on the ARPANET
indicated that the network itself could not reliably detect all packet delivery failures, and this pushed
responsibility for error detection onto the sending host in any case. This led to the development of the
end-to-end principle, which is one of the Internet's fundamental design assumptions.

The following answers are incorrect:

IP segment. Incorrect because "IP segment" is a distractor; the correct terminology is TCP segment. IP is
a datagram-based technology.

IP frame. Incorrect because "IP frame" is a distractor; the correct terminology is Ethernet frame. IP is a
datagram-based technology.

IP fragment. Incorrect because "IP fragment" is a distractor; a fragment is a piece of an IP packet that
was split to fit a smaller MTU, not the Network Layer PDU itself.
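The PDU names from the list above, and the TCP segment of Question 2, as an added example that is not part of the original question bank: a Python script (standard library only) that builds an Ethernet frame carrying an IPv4 packet carrying a TCP segment or a UDP datagram, then walks back up the stack naming the PDU found at each layer. The addresses, ports and payloads are constructed values, the IPv4 header checksum is computed for real, and the TCP/UDP checksums are left at zero because they need the pseudo-header and are not the point here.

```python
import struct


def ip_checksum(header):
    """RFC 1071 one's-complement checksum of an IPv4 header. Over a header whose
    checksum field already holds the correct value it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port, dst_port, seq, ack, flags, data):
    """Layer 4 PDU for TCP: 20-byte header (no options) plus data.
    Flags: 0x02 SYN, 0x10 ACK, 0x18 PSH+ACK."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4,         # data offset: 5 x 32-bit words
                      flags, 65535,   # flags, window
                      0, 0)           # checksum (not computed), urgent pointer
    return hdr + data


def udp_datagram(src_port, dst_port, data):
    """Layer 4 PDU for UDP: 8-byte header (checksum 0 = not computed) plus data."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def ip_packet(src, dst, proto, payload, ttl=64):
    """Layer 3 PDU: IPv4 header (proto 6 = TCP, 17 = UDP) plus the transport PDU."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ethernet_frame(dst_mac, src_mac, packet):
    """Layer 2 PDU: 14-byte Ethernet II header, EtherType 0x0800 (IPv4), then the packet."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", 0x0800) + packet


def decapsulate(frame):
    """Walk back up the stack, recording (PDU name, protocol, length) at each layer
    and returning the application data found at the top."""
    layers = [("frame", "Ethernet", len(frame))]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    layers.append(("packet", "IPv4", len(packet)))
    transport = packet[ihl:]
    proto = packet[9]
    if proto == 6:
        data_offset = (transport[12] >> 4) * 4
        layers.append(("segment", "TCP flags=0x%02x" % transport[13], len(transport)))
        data = transport[data_offset:]
    elif proto == 17:
        layers.append(("datagram", "UDP", len(transport)))
        data = transport[8:]
    else:
        raise ValueError("unsupported protocol %d" % proto)
    layers.append(("data", "application", len(data)))
    return layers, data


if __name__ == "__main__":
    seg = tcp_segment(40000, 80, 1, 0, 0x18, b"GET / HTTP/1.0\r\n\r\n")
    frame = ethernet_frame("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55",
                           ip_packet("10.0.0.1", "10.0.0.2", 6, seg))
    for name, proto, length in decapsulate(frame)[0]:
        print("%-8s %-18s %d bytes" % (name, proto, length))
```

The length column printed by the script makes the nesting visible: each PDU is its own header plus the whole PDU of the layer above, so the frame is 14 + 20 + 20 + data bytes for the TCP case and 14 + 20 + 8 + data bytes for UDP.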

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 430 or Kindle Location 11790

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 16113

Wikipedia http://en.wikipedia.org/wiki/Internet_Protocol

http://docwiki.cisco.com/wiki/Internetworking_Basics

Question 7
In the days before CIDR (Classless Inter-Domain Routing), networks were commonly organized by
classes. Which of the following would have been true of a Class B network?

• The first bit of the IP address would be set to zero.

• The first three bits of the IP address would be set to one.

• The first two bits of the IP address would be set to one, and the third bit set to zero.

• The first bit of the IP address would be set to one and the second bit set to zero.

Correct Answer is: The first bit of the IP address would be set to one and the second bit set to zero.

Details:

The correct answer is: The first bit of the IP address would be set to one and the second bit set to zero.

Each Class B network address has a 16-bit network prefix, with the two highest order bits set to 1-0.

The following answers are incorrect:

The first bit of the IP address would be set to zero. Is incorrect because, this would be a Class A network
address.

The first two bits of the IP address would be set to one, and the third bit set to zero. Is incorrect
because, this would be a Class C network address.

The first three bits of the IP address would be set to one. Is incorrect because this is a distractor. Classes D
and E both have the first three bits set to 1; for Class D the 4th bit is 0, and for Class E the 4th bit is 1.

Classful address ranges (before Classless Inter-Domain Routing, CIDR)

The high-order bits that determine the class are the leading bits of each binary address below.

For Class A, the addresses are 0.0.0.0 - 127.255.255.255

The lowest Class A address is represented in binary as 00000000.00000000.00000000.00000000

For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255.

The lowest Class B address is represented in binary as 10000000.00000000.00000000.00000000

For Class C, the addresses are 192.0.0.0 - 223.255.255.255


The lowest Class C address is represented in binary as 11000000.00000000.00000000.00000000

For Class D, the addresses are 224.0.0.0 - 239.255.255.255 (Multicast)

The lowest Class D address is represented in binary as 11100000.00000000.00000000.00000000

For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (Reserved for future usage)

The lowest Class E address is represented in binary as 11110000.00000000.00000000.00000000
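The high-order-bit test from the table above, as an added example that is not part of the original question bank: a Python function (standard library only) that classifies an IPv4 address by its leading bits exactly as a pre-CIDR router would, returns the default prefix length that class implied, and, for contrast, what the same address maps to once a CIDR prefix is supplied. The sample addresses are constructed.

```python
import ipaddress


def ipv4_class(address):
    """Return (class letter, default prefix length) from the high-order bits of
    the first octet. Classes D and E have no network/host split, so prefix is None."""
    first = int(ipaddress.IPv4Address(address)) >> 24   # first octet
    if first & 0b10000000 == 0:                          # 0xxxxxxx
        return "A", 8
    if first & 0b11000000 == 0b10000000:                 # 10xxxxxx
        return "B", 16
    if first & 0b11100000 == 0b11000000:                 # 110xxxxx
        return "C", 24
    if first & 0b11110000 == 0b11100000:                 # 1110xxxx: multicast
        return "D", None
    return "E", None                                     # 1111xxxx: reserved


def high_order_bits(address, count):
    """The leading bits the class decision is made on, e.g. '10' for a Class B address."""
    return format(int(ipaddress.IPv4Address(address)), "032b")[:count]


def classful_network(address):
    """The network an address belonged to before CIDR (None for Class D/E)."""
    cls, prefix = ipv4_class(address)
    if prefix is None:
        return None
    return str(ipaddress.IPv4Network((address, prefix), strict=False))


def cidr_network(address, prefix_len):
    """After CIDR the advertised prefix length, not the first bits, sets the network size."""
    return str(ipaddress.IPv4Network((address, prefix_len), strict=False))


if __name__ == "__main__":
    for a in ("10.1.2.3", "128.0.0.0", "172.16.5.9", "192.168.37.10", "224.0.0.1", "240.0.0.0"):
        print(a, high_order_bits(a, 4), ipv4_class(a), classful_network(a))
    print("172.16.5.9 with a /20 under CIDR:", cidr_network("172.16.5.9", 20))
```

Run against the boundary addresses of each range in the table (127.255.255.255, 128.0.0.0, 191.255.255.255, 192.0.0.0 and so on) the function changes class exactly where the table does, which is the point of the question: the class was encoded in the address itself, whereas with CIDR the prefix length travels with the route.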

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 445 or Kindle Location 12130

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 35791

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

AIOv3 Telecommunications and Networking Security (page 438)

Question 12

Which of the following attacks could capture network user passwords?

• Smurfing

• Data diddling

• Sniffing

• IP Spoofing

Correct Answer is: Sniffing

Details:

The correct answer is: sniffing


A network sniffer captures a copy of every packet that traverses the network segment the sniffer is
connected to.

Sniffers are typically devices that can collect information from a communication medium, such as a
network. These devices can range from specialized equipment to basic workstations with customized
software.

A sniffer can collect information about most, if not all, attributes of the communication. The most
common method of sniffing is to plug a sniffer into an existing network device like a hub or switch. A hub
(which is designed to relay all traffic passing through it to all of its ports) will automatically begin sending
all the traffic on that network segment to the sniffing device. On the other hand, a switch (which is
designed to limit what traffic gets sent to which port) will have to be specially configured to send all
traffic to the port where the sniffer is plugged in.

Another method for sniffing is to use a network tap, a device that literally splits a network transmission
into two identical streams, one going to the original network destination and the other going to the
sniffing device. Each of these methods has its advantages and disadvantages, including cost, feasibility,
and the desire to maintain the secrecy of the sniffing activity.

The packets captured by the sniffer are decoded and then displayed by the sniffer. Therefore, if the
username/password are contained in a packet or packets traversing the segment the sniffer is
connected to, it will capture and display that information (and any other information on that segment it
can see).

Of course, if the information is encrypted via a VPN, SSL, TLS, or similar technology, the information is
still captured and displayed, but it is in an unreadable format.

The following answers are incorrect:

• Data diddling involves changing data before or as it is entered into a computer, or after it is
extracted.

• Spoofing is forging an address and inserting it into a packet to disguise the origin of the
communication, or causing a system to respond to the wrong address.

• Smurfing refers to the smurf attack, in which an attacker sends ICMP echo requests with a spoofed
source address (the victim's) to a network's broadcast address, so that every host on that network
replies to the victim and causes a denial of service.
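What the sniffer "captures and displays" in the password case above, and the monitoring described in Question 19, as an added example that is not part of the original question bank: a Python script (standard library only) that takes three reassembled TCP streams as a protocol analyzer would present them, extracts credentials from the cleartext ones (an FTP login and an HTTP Basic Authorization header) and reports the TLS stream as captured but unreadable. The streams, addresses and credentials are constructed sample data, not a real capture.

```python
import base64
import re

# Constructed sample: three reassembled TCP streams as a protocol analyzer shows
# them after following each connection on the monitored segment.
CAPTURED_STREAMS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9:21",
     "data": b"220 ftp ready\r\nUSER alice\r\n331 Password required\r\n"
             b"PASS Tr0ub4dor\r\n230 Logged in\r\n"},
    {"src": "10.0.0.6", "dst": "10.0.0.9:80",
     "data": b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
             b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.9:443",
     # TLS application-data record: type 0x17, version 0x0303, length 16, then ciphertext
     "data": bytes.fromhex("1703030010" "9a4b2c7d1e0f8833a15c6e7b2d4a91ff")},
]

FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)


def extract_credentials(data):
    """Pull (protocol, user, password) tuples out of one cleartext stream."""
    found = []
    user, pw = FTP_USER.search(data), FTP_PASS.search(data)
    if user and pw:
        found.append(("ftp", user.group(1).decode(), pw.group(1).decode()))
    for m in HTTP_BASIC.finditer(data):
        try:
            u, _, p = base64.b64decode(m.group(1), validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            continue          # not valid Basic credentials; skip rather than guess
        found.append(("http-basic", u, p))
    return found


def is_tls_record(data):
    """TLS application-data record header: content type 0x17, version 0x0303 on the wire."""
    return len(data) >= 5 and data[0] == 0x17 and data[1:3] == b"\x03\x03"


def sniff(streams):
    """Return one (src, dst, readability, credentials) row per captured stream."""
    report = []
    for s in streams:
        if is_tls_record(s["data"]):
            report.append((s["src"], s["dst"], "encrypted", []))
        else:
            report.append((s["src"], s["dst"], "cleartext", extract_credentials(s["data"])))
    return report


if __name__ == "__main__":
    for src, dst, state, creds in sniff(CAPTURED_STREAMS):
        print(src, "->", dst, state, creds or "")
```

The third row is the caveat in the paragraph above in action: the TLS bytes are captured just like the others, but without the session keys there is nothing for the analyzer to decode, which is why cleartext protocols such as FTP, Telnet and HTTP Basic authentication are the ones a sniffer turns into passwords.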

The following reference(s) were used to create this question:


SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 614 or Kindle Location 16436.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 15859

Question contributed by: Sarang Chalikwar, Keith Palmgren

Email or CCCure Nickname of question author:

Question reviewed by: Nathalie Lambert

Question comment submitted by: Tim Hersey, Matthew Bowman

You should note that the term "sniffer " is a registered trademark of the company Network General.

A "network sniffer " is actually a slang term for what is properly known as a "protocol analyzer ". Most
people call them sniffers, but legally, only Network General can use that term.

Question 13

What is the 802.11 standard related to?

• The OSI/ISO model

• Packet-switching technology

• Wireless network communications

• Public Key Infrastructure (PKI)

Correct Answer is: Wireless network communications

Details:
The correct answer is: Wireless network communications

The 802.11 standard outlines how wireless clients and APs communicate, lays out the specifications of
their interfaces, dictates how signal transmission should take place, and describes how authentication,
association, and security should be implemented.

The following answers are incorrect:

Public Key Infrastructure (PKI) Public Key Infrastructure is a supporting infrastructure to manage public
keys. It is not part of the IEEE 802 Working Group standard.

Packet-switching technology A packet-switching technology is not included in the IEEE 802 Working
Group standard. It is a technology where-in messages are broken up into packets, which then travel
along different routes to the destination.

The OSI/ISO model The Open Systems Interconnection model is a seven-layer model defined as an
international standard describing network communications; it is not what 802.11 refers to.

802.11 refers to a family of specifications developed by the IEEE for Wireless LAN technology. 802.11
specifies an over-the-air interface between a wireless client and a base station or between two wireless
clients. The IEEE accepted the specification in 1997. There are several specifications in the 802.11 family:

• 802.11: applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band
using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).

• 802.11a: an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in
the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing (OFDM) encoding scheme
rather than FHSS or DSSS.

• 802.11b (also referred to as 802.11 High Rate or Wi-Fi): an extension to 802.11 that applies to
wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz
band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing
wireless functionality comparable to Ethernet.

• 802.11g: applies to wireless LANs and provides up to 54 Mbps in the 2.4 GHz band, using OFDM
like 802.11a.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 455 or Kindle Location 12426.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 13559

Question 14

Which of the following statements about the "Intranet" is NOT true?

• It is usually restricted to a community of users.

• It can work with Metropolitan area networks (MANs) or Wide area networks (WANs).

• It is an add-on or part of a local area network.

• It is unrestricted and publicly available.

Correct Answer is: It is unrestricted and publicly available.

Details:

The correct answer is: It is unrestricted and publicly available. The concept of an Intranet is to limit
access and restrict information to only the desired individuals, such as corporate employees. Public
information would be posted on an external website on the Internet for public consumption. Although
an Intranet is designed for sharing of information within an organization, consideration should be given
to how the information could be misused for an insider attack.

The following answers are incorrect:


It is an add-on or part of a local area network (LAN). An Intranet is commonly accessed via the LAN and
can be built using existing systems and infrastructure or added on as a new component.

It is usually restricted to a community of users. An Intranet's main purpose is to restrict information
access to a specific community of users.

It can work with Metropolitan area networks (MANs) or Wide area networks (WANs). Although
commonly assumed to be contained in a Local Area Network (LAN), an Intranet is not limited to local
networks only and can span MANs and WANs.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 463 or Kindle Location 12666.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12622

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Notice the use of the word "the" in front of Intranet. This is an intentional method of misleading one into
thinking of the Internet. Pay close attention to how the questions are worded, as one might assume the
meaning of the question.

Question 16
Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?

• Application

• Presentation

• Transport

• Data Link

Correct Answer is: Data Link

Details:

The correct answer is: Data Link. The Data Link layer of the OSI/ISO model provides the SLIP, CSLIP and PPP protocols.

RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a
standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised
of three main components:

1. A method for encapsulating multi-protocol datagrams.

2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.

3. A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer
protocols.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 431 or Kindle Location 11818.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242

Question 19

Which of the following is unlike the other three choices presented?

• El Gamal
• Buffer Overflow

• Teardrop

• Smurf

Correct Answer is: El Gamal

Details:

The correct answer is: El Gamal; El Gamal is a public-key cryptosystem while the others are types of DoS
attacks.

The following reference(s) was used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 706 or Kindle Location 18513.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 16852

Question 20

What is the role of IKE within the IPsec protocol?

• data signature

• enforcing quality of service

• data encryption

• peer authentication and key exchange

Correct Answer is: peer authentication and key exchange

Details:
The correct answer is: peer authentication and key exchange.

The following reference(s) was used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14868

RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan, IPsec: The New
Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

Question 21

In which phase of Internet Key Exchange (IKE) protocol is peer authentication performed?

• Pre Initialization Phase

• No peer authentication is performed

• Phase 1

• Phase 2

Correct Answer is: Phase 1

Details:

The correct answer is: Phase 1

The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in
conjunction with the IPSec standard. IKE enhances IPSec by providing additional features, flexibility, and
ease of configuration for the IPSec standard. IPSec can, however, be configured without IKE, for example
by manually configuring the gateways that communicate with each other.

A security association (SA) is a relationship between two or more entities that describes how the entities
will use security services to communicate securely.

In phase 1 of this process, IKE creates an authenticated, secure channel between the two IKE peers,
called the IKE security association. The Diffie-Hellman key agreement is always performed in this phase.
In phase 2 IKE negotiates the IPSec security associations and generates the required key material for
IPSec. The sender offers one or more transform sets that are used to specify an allowed combination of
transforms with their respective settings.

Benefits provided by IKE include:

• Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both
peers.

• Allows you to specify a lifetime for the IPSec security association.

• Allows encryption keys to change during IPSec sessions.

• Allows IPSec to provide anti-replay services.

• Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation.

• Allows dynamic authentication of peers.

The following reference(s) was used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14868

RFC 2409: The Internet Key Exchange (IKE);

DORASWAMY, Naganand & HARKINS, Dan, Ipsec: The New Security Standard for the Internet, Intranets,
and Virtual Private Networks, 1999, Prentice Hall PTR;

SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

Reference: http://www.ciscopress.com/articles/article.asp?p=25474

Question 22

In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session
between a client and a server?

• Peer-to-peer authentication

• Role based authentication scheme

• Server authentication (mandatory) and client authentication (optional)

• Only server authentication (optional)


Correct Answer is: Server authentication (mandatory) and client authentication (optional)

Details:

The correct answer is: server authentication (mandatory) and client authentication (optional)

The following reference(s) was used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 13910

RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley Professional;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

Question 23

In a hierarchical PKI the highest CA is regularly called the Root CA; it is also referred to by which one of the
following terms?

• Subordinate CA

• Big CA

• Master CA

• Top CA

Correct Answer is: Top CA

Details:

The correct answer is: Top CA

Also note that other terms are sometimes used: Certification Authority Anchor (CAA) might be used within
some government organizations, Top Level CA is another common term for the top-level CA, and Top
Level Anchor could also be used.

The following reference(s) was used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 9364

Arsenault, Turner, Internet X.509 Public Key Infrastructure: Roadmap, Chapter "Terminology ".

Question 24

What is the primary role of cross certification?

• Build an overall PKI hierarchy

• Creating trust between different PKIs

• set up direct trust to a second root CA

• Prevent the nullification of user certificates by CA certificate revocation

Correct Answer is: Creating trust between different PKIs

Details:

The correct answer is: Creating trust between different PKIs

More and more organizations are setting up their own internal PKIs. When these independent PKIs need
to interconnect to allow for secure communication to take place (either between departments or
different companies), there must be a way for the two root CAs to trust each other.

These two CAs do not have a CA above them they can both trust, so they must carry out cross
certification. A cross certification is the process undertaken by CAs to establish a trust relationship in
which they rely upon each other's digital certificates and public keys as if they had issued them
themselves.

When this is set up, a CA for one company can validate digital certificates from the other company and
vice versa.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14148

For more information and illustration on Cross certification: http://windowsitpro.com/security/ca-trust-relationships-windows-server-2003-pki

http://www.entrust.com/resources/pdf/cross_certification.pdf;

RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile; and

FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital
Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 254.

Question 25

Which of the following choices is a valid Public Key Cryptography Standard (PKCS) addressing RSA?

• PKCS#11

• PKCS#1

• PKCS-RSA

• PKCS #17799

Correct Answer is: PKCS#1

Details:

The correct answer is: PKCS #1: RSA Cryptography Standard

This document provides recommendations for the implementation of public-key cryptography based on
the RSA algorithm, covering the following aspects: cryptographic primitives; encryption schemes;
signature schemes with appendix; ASN.1 syntax for representing keys and for identifying the schemes.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 11310

RSA Laboratories at http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm

Question 26

What does the directive of the European Union on Electronic Signatures deal with?

• Authentication of web servers

• Encryption of classified data

• Encryption of secret data

• Non repudiation

Correct Answer is: Non repudiation

Details:

The correct answer is: non repudiation.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 9356

FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital
Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 589; Directive 1999/93/EC of 13
December 1999 on a Community framework for electronic signatures.

Question 27

Which of the following would best describe certificate path validation?

• Verification of the integrity of the concerned private key

• Verification of the revocation status of the concerned certificate


• Verification of the integrity of the associated root certificate

• Verification of the validity of all certificates of the certificate chain to the root certificate

Correct Answer is: Verification of the validity of all certificates of the certificate chain to the root
certificate

Details:

The correct answer is: Verification of the validity of all certificates of the certificate chain to the root
certificate

With the advent of public key cryptography (PKI), it is now possible to communicate securely with
untrusted parties over the Internet without prior arrangement. One of the necessities arising from such
communication is the ability to accurately verify someone's identity (i.e. whether the person you are
communicating with is indeed the person who he/she claims to be). In order to be able to perform
identity check for a given entity, there should be a fool-proof method of binding the entity's public key
to its unique domain name (DN).

An X.509 digital certificate issued by a well-known certificate authority (CA), like Verisign, Entrust, Thawte,
etc., provides a way of positively identifying the entity by placing trust on the CA to have performed the
necessary verifications. An X.509 certificate is a cryptographically sealed data object that contains the
entity's unique DN, public key, serial number, validity period, and possibly other extensions.

The Windows Operating System offers a Certificate Viewer utility which allows you to double-click on
any certificate and review its attributes in a human-readable format. For instance, the "General " tab in
the Certificate Viewer Window (see below) shows who the certificate was issued to as well as the
certificate's issuer, validation period and usage functions.

The Certification Path tab contains the hierarchy for the chain of certificates. It allows you to select the
certificate issuer or a subordinate certificate and then click on View Certificate to open the certificate in
the Certificate Viewer.

Each end-user certificate is signed by its issuer, a trusted CA, by taking a hash value (MD5 or SHA-1) of the
ASN.1 DER (Distinguished Encoding Rules) encoded object and then encrypting the resulting hash with
the issuer's private key (the CA's private key); the result is the digital signature. The encrypted data is stored in the
signatureValue attribute of the entity's public certificate.

Once the certificate is signed by the issuer, a party who wishes to communicate with this entity can then
take the entity's public certificate and find out who the issuer of the certificate is. Once the issuer of
the certificate (the CA) is identified, it is possible to decrypt the value of the signatureValue attribute
in the entity's certificate using the issuer's public key to retrieve the hash value. This hash value is then
compared with an independently calculated hash of the entity's certificate. If the two hash values
match, then the information contained within the certificate has not been altered and, therefore,
one must trust that the CA has done enough background checking to ensure that all details in the entity's
certificate are accurate.

The process of cryptographically checking the signatures of all certificates in the certificate chain is
called key chaining. An additional check that is essential to key chaining is verifying that the value of the
subjectKeyIdentifier extension in one certificate matches the corresponding value in the subsequent certificate.

Similarly, the process of comparing the subject field of the issuer certificate to the issuer field of the
subordinate certificate is called name chaining. In this process, these values must match for each pair of
adjacent certificates in the certification path in order to guarantee that the path represents an unbroken
chain of entities relating directly to one another and that it has no missing links.

Together, key chaining and name chaining are the steps that validate the certification path, ensuring the
validity of all certificates in the certificate chain up to the root certificate.
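As an added example (not from the study guide or any product), the checks above carried out over a constructed three-certificate chain: the signature of each certificate is verified with its issuer's public key, the authority key identifier is matched against the issuer's subject key identifier (key chaining), and the issuer name is matched against the issuer's subject (name chaining), stopping at a trusted root. Certificates are plain Python objects with a JSON encoding standing in for ASN.1 DER, the signatures use a deliberately tiny textbook RSA built from constructed primes so the script runs with the standard library alone, and every name, date and key value is constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date


def make_toy_keypair(p, q, e=65537):
    """Textbook RSA from two constructed primes: ((n, e), (n, d)). Far too small for real use."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def key_identifier(public_key):
    """Identifier derived from the public key, as the subjectKeyIdentifier extension usually is."""
    return hashlib.sha1(repr(public_key).encode()).hexdigest()[:16]


@dataclass
class Cert:
    subject: str
    issuer: str
    public_key: tuple        # (n, e) of the certificate holder
    subject_key_id: str      # subjectKeyIdentifier
    authority_key_id: str    # authorityKeyIdentifier: key id of the issuing CA's key
    not_before: date
    not_after: date
    signature: int = 0       # signatureValue, filled in by sign_cert()

    def tbs_bytes(self):
        """Canonical encoding of the to-be-signed fields (stand-in for ASN.1 DER)."""
        fields = {k: str(v) for k, v in vars(self).items() if k != "signature"}
        return json.dumps(fields, sort_keys=True).encode()


def digest_int(data, n):
    """Hash the encoded object and reduce it into the signer's modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_cert(cert, issuer_private_key):
    """The issuer 'encrypts' the hash of the TBS fields with its private key."""
    n, d = issuer_private_key
    cert.signature = pow(digest_int(cert.tbs_bytes(), n), d, n)
    return cert


def signature_valid(cert, issuer_public_key):
    """Recover the hash with the issuer's public key and compare it with a fresh hash."""
    n, e = issuer_public_key
    return pow(cert.signature, e, n) == digest_int(cert.tbs_bytes(), n)


def validate_path(chain, trust_anchors, on_date):
    """chain is ordered leaf first, root last; trust_anchors holds (subject, key id) pairs.
    Returns (ok, reason) and stops at the first failed link."""
    for i, cert in enumerate(chain):
        if not cert.not_before <= on_date <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        issuer = chain[i + 1] if i + 1 < len(chain) else cert   # the root signs itself
        if cert.issuer != issuer.subject:                         # name chaining
            return False, f"{cert.subject}: issuer name does not match {issuer.subject}"
        if cert.authority_key_id != issuer.subject_key_id:        # key chaining
            return False, f"{cert.subject}: authority key id does not match issuer key id"
        if not signature_valid(cert, issuer.public_key):          # cryptographic check
            return False, f"{cert.subject}: signature does not verify"
    root = chain[-1]
    if (root.subject, root.subject_key_id) not in trust_anchors:
        return False, f"{root.subject}: not a trusted root"
    return True, "path valid"


def make_cert(subject, issuer_cert, issuer_priv, public_key, validity):
    """Issue a certificate for public_key; issuer_cert=None means a self-signed root."""
    issuer_name = subject if issuer_cert is None else issuer_cert.subject
    aki = key_identifier(public_key) if issuer_cert is None else issuer_cert.subject_key_id
    cert = Cert(subject, issuer_name, public_key, key_identifier(public_key), aki, *validity)
    return sign_cert(cert, issuer_priv)


def demo_results(on_date=date(2025, 6, 1)):
    """Validate a constructed chain and four broken variants; returns {name: (ok, reason)}."""
    validity = (date(2024, 1, 1), date(2026, 12, 31))
    root_pub, root_priv = make_toy_keypair(1000000007, 998244353)
    sub_pub, sub_priv = make_toy_keypair(1000000009, 1000000021)
    leaf_pub, _ = make_toy_keypair(1000000033, 1000000087)
    rogue_pub, rogue_priv = make_toy_keypair(1000000093, 1000000097)
    root = make_cert("CN=Example Root CA", None, root_priv, root_pub, validity)
    sub = make_cert("CN=Example Issuing CA", root, root_priv, sub_pub, validity)
    leaf = make_cert("CN=www.example.com", sub, sub_priv, leaf_pub, validity)
    # Same name as the real issuing CA but a different key: name chaining passes, key chaining fails.
    rogue = make_cert("CN=Example Issuing CA", None, rogue_priv, rogue_pub, validity)
    # The leaf with one to-be-signed field altered after signing: the hashes no longer match.
    tampered = Cert(**{**vars(leaf), "subject": "CN=www.example.com.evil.test"})
    anchors = {(root.subject, root.subject_key_id)}
    return {
        "valid": validate_path([leaf, sub, root], anchors, on_date),
        "tampered_leaf": validate_path([tampered, sub, root], anchors, on_date),
        "wrong_issuer_key": validate_path([leaf, rogue, root], anchors, on_date),
        "untrusted_root": validate_path([leaf, sub, root], set(), on_date),
        "expired": validate_path([leaf, sub, root], anchors, date(2030, 1, 1)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo_results().items():
        print(f"{name:18s} {'PASS' if ok else 'FAIL'}: {reason}")
```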

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 244 or Kindle Location 7166.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14171

Question 28

Which is NOT a suitable method for distributing certificate revocation information?

• CA revocation mailing list

• OCSP (online certificate status protocol)

• Distribution point CRL

• Delta CRL

Correct Answer is: CA revocation mailing list

Details:
The correct answer is: CA revocation mailing list because it would not provide adequate information for
certificate revocation.

The following are incorrect answers because they are all suitable methods.

A Delta CRL is a CRL that only provides information about certificates whose statuses have changed since
the issuance of a specific, previously issued CRL.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation
status of an X.509 digital certificate.

A Distribution Point CRL (CRL Distribution Point) is a location from which the CRL can be retrieved; it is
specified in the CRL Distribution Point (CRL DP) X.509 version 3 certificate extension when the certificate is issued.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 246 or Kindle Location 7728.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14238

Question 29

What is the name of the transformation of a string of characters into a usually shorter fixed-length value
or key that represents the original string, such that the transformation cannot be reversed?

• DES

• One-way hash

• Transposition

• Substitution

Correct Answer is: One-way hash

Details:

The correct answer is: One-Way hash


A cryptographic hash function is a transformation that takes an input (or 'message') and returns a fixed-
size string, which is called the hash value (sometimes termed a message digest, a digital fingerprint, a
digest or a checksum).

The ideal hash function has three main properties - it is extremely easy to calculate a hash for any given
data, it is extremely difficult or almost impossible in a practical sense to calculate a text that has a given
hash, and it is extremely unlikely that two different messages, however close, will have the same hash.

Functions with these properties are used as hash functions for a variety of purposes, both within and
outside cryptography. Practical applications include message integrity checks, digital signatures,
authentication, and various information security applications. A hash can also act as a concise
representation of the message or document from which it was computed, and allows easy indexing of
duplicate or unique data files.

In various standards and applications, the two most commonly used hash functions are MD5 and SHA-1.
In 2005, security flaws were identified in both of these, namely that a possible mathematical weakness
might exist, indicating that a stronger hash function would be desirable. In 2007 the National Institute of
Standards and Technology announced a contest to design a hash function which will be given the name
SHA-3 and be the subject of a FIPS standard.

A hash function takes a string of any length as input and produces a fixed-length string which acts as a
kind of "signature" for the data provided. In this way, a person knowing the hash is unable to work out
the original message, but someone knowing the original message can prove the hash is created from
that message, and none other. A cryptographic hash function should behave as much as possible like a
random function while still being deterministic and efficiently computable.

A cryptographic hash function is considered "insecure" from a cryptographic point of view if either of
the following is computationally feasible:

• finding a (previously unseen) message that matches a given digest

• finding "collisions", wherein two different messages have the same message digest.

An attacker who can do either of these things might, for example, use them to substitute an authorized
message with an unauthorized one.

Ideally, it should not even be feasible to find two messages whose digests are substantially similar; nor
would one want an attacker to be able to learn anything useful about a message given only its digest. Of
course the attacker learns at least one piece of information, the digest itself, which for instance gives the
attacker the ability to recognise the same message should it occur again.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 199 or Kindle Location 6025.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 9998
Question 30

Which of the following reviews system and event logs to detect attacks on the host and determine if the
attack was successful?

• server-based IDS

• firewall-based IDS

• bastion-based IDS

• host-based IDS

Correct Answer is: host-based IDS

Details:

A host-based IDS can review the system and event logs in order to detect an attack on the host and to
determine if the attack was successful.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 719 or Kindle Location 18872.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 35791

Question 31

Attributes that characterize an attack are stored for reference using which of the following Intrusion
Detection System (IDS) types?

• inferent-based IDS

• signature-based IDS

• event-based IDS

• statistical anomaly-based IDS


Correct Answer is: signature-based IDS

Details:

In a signature-based IDS, signatures or attributes which characterize an attack are stored for reference.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 716 & 717 or Kindle Location 18812.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 16013

Question 32

Which of the following is a disadvantage of a statistical anomaly-based intrusion detection system?

• it may loosely detect a non-attack event that had caused a momentary anomaly in the system.

• It may falsely detect a non-attack event that had caused a momentary anomaly in the system.

• it may correctly detect a non-attack event that had caused a momentary anomaly in the
system.

• it may truly detect a non-attack event that had caused a momentary anomaly in the system.

Correct Answer is: It may falsely detect a non-attack event that had caused a momentary anomaly in the
system.

Details:

The correct answer is: It may falsely detect a non-attack event that had caused a momentary anomaly
in the system.

The primary drawback of a behavior-based IDS is that it often raises a high number of false alarms, also
called false alerts or false positives, on non-attack events that caused a momentary anomaly in the system.
A statistical anomaly based IDS is a behavioral-based system. Behavioral-based IDS products do not use
predefined signatures, but rather are put in a learning mode to build a profile of an environment's
normal activities. This profile is built by continually sampling the environment's activities. The longer the
IDS is put in a learning mode in most instances, the more accurate a profile it will build and the better
protection it will provide. After this profile is built, all future traffic and activities are compared to it. The
same type of sampling that was used to build the profile takes place, so the same type of data is being
compared. Anything that does not match the profile is seen as an attack, in response to which the IDS
sends an alert. With the use of complex statistical algorithms, the IDS looks for anomalies in the network
traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If
the score is higher than the established threshold of normal behavior, then the preconfigured action will
take place.

The benefit of using a statistical anomaly based IDS is that it can react to new attacks. It can detect 0 day
attacks, which means an attack is new to the world and no signature or fix has been developed yet.
These products are also capable of detecting the low and slow attacks, in which the attacker is trying to
stay under the radar by sending packets little by little over a long period of time. The IDS should be able
to detect these types of attacks because they are different enough from the contrasted profile. Now for
the bad news. Since the only thing that is normal about a network is that it is constantly changing,
developing the correct profile that will not provide an overwhelming number of false positives can be
difficult. Many IT staff members know all too well this dance of chasing down alerts that end up being
benign traffic or activity.

In fact, some environments end up turning off their IDS because of the amount of time these activities
take up. (Proper education on tuning and configuration will reduce the number of false positives.)

If an attacker detects there is an IDS on a network, she will then try to detect the type of IDS it is so she
can properly circumvent it. With a behavioral-based IDS, the attacker could attempt to integrate her
activities into the behavior pattern of the network traffic.

That way, her activities are seen as normal by the IDS and thus go undetected. It is a good idea to ensure
no attack activity is under way when the IDS is in learning mode. If this takes place, the IDS will never
alert you of this type of attack in the future because it sees this traffic as typical of the environment. If a
corporation decides to use a statistical anomaly based IDS, it must ensure that the staff members who
are implementing and maintaining it understand protocols and packet analysis. Because this type of an
IDS sends generic alerts, compared to other types of IDSs, it is up to the network engineer to figure out
what the actual issue is. For example, a signature-based IDS reports the type of attack that has been
identified, while a rule-based IDS identifies the actual rule the packet does not comply with. In a
statistical anomaly based IDS, all the product really understands is that something abnormal has happened, which
just means the event does not match the profile.

For your exam you should know the information below:

• Signature- or Pattern-Matching systems: examine the available information (logs or network
traffic) to determine if it matches a known attack.

• Protocol Anomaly-Based systems: examine network traffic to determine if what it sees conforms
to the defined standard for that protocol, for example, as it is defined in a Request for Comments (RFC).

• Statistical-Anomaly-Based systems: establish a baseline of normal traffic patterns over time and
detect any deviations from that baseline. Some also use heuristics to evaluate the intended behavior of
network traffic to determine if it is intended to be malicious or not. Most modern systems combine two or
more of these techniques together to provide a more accurate analysis before deciding whether they see
an attack or not.
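An added example, not from the study guide or any IDS product, of the statistical anomaly scoring described above: a learning-mode baseline (connections per minute, constructed) is reduced to a profile, each later observation gets an anomaly score, and scores above a threshold alert. Run with a clean baseline it shows the false positive on a benign backup burst; run with a baseline that already contained scan traffic it shows why attack activity during learning mode is never alerted on later. All labels and counts are constructed.

```python
from statistics import mean, pstdev

# Constructed baseline: connections per minute sampled while the IDS was in learning mode.
CLEAN_BASELINE = [20, 22, 24, 21, 23, 19, 25, 22, 20, 23, 21, 24, 22, 20, 23]
# The same learning window, but a scan was already under way for three of the minutes.
CONTAMINATED_BASELINE = CLEAN_BASELINE + [140, 135, 150]
# Constructed traffic observed after learning: (minute label, connections per minute).
OBSERVATIONS = [("08:00 normal", 22), ("08:01 backup job", 60),
                ("08:02 port scan", 140), ("08:03 normal", 19)]


def build_profile(samples):
    """Learning mode: reduce the sampled feature to a mean and a standard deviation."""
    sigma = pstdev(samples)
    return {"mean": mean(samples), "stdev": sigma if sigma > 0 else 1.0}


def anomaly_score(profile, value):
    """Degree of irregularity: how many standard deviations the value sits from the profile mean."""
    return abs(value - profile["mean"]) / profile["stdev"]


def detect(profile, observations, threshold=3.0):
    """Return the observations whose anomaly score exceeds the threshold, with their score."""
    alerts = []
    for label, value in observations:
        score = anomaly_score(profile, value)
        if score > threshold:
            alerts.append((label, round(score, 1)))
    return alerts


def alert_labels(baseline, threshold=3.0):
    """Labels that alert for a given learning-mode baseline (both true and false positives)."""
    return [label for label, _ in detect(build_profile(baseline), OBSERVATIONS, threshold)]


if __name__ == "__main__":
    for name, baseline in (("clean", CLEAN_BASELINE), ("contaminated", CONTAMINATED_BASELINE)):
        profile = build_profile(baseline)
        print(f"{name} profile: mean={profile['mean']:.1f} stdev={profile['stdev']:.1f}")
        for label, score in detect(profile, OBSERVATIONS):
            print(f"  ALERT {label} (score {score})")
```

With the clean baseline the backup job alerts alongside the scan (the false positive the question describes); with the contaminated baseline the spread of "normal" is so wide that neither alerts.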

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 717 or Kindle Location 18812.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 21779

Question 33

Which layer deals with Media Access Control (MAC) addresses?

• Physical layer

• Network layer

• Transport layer

• Data link layer

Correct Answer is: Data link layer

Details:

The correct answer is: Data link layer

Layer 2 (Data Link layer) transfers information to the other end of the physical link. It handles physical
addressing, network topology, error notification, delivery of frames and flow control.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 431 or Kindle Location 11818.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12240

Question 34

The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers are in which
of the following order (1 to 7) ?

• Physical Layer, Data Link Layer, Network Layer, Session Layer, Transport Layer, Presentation
Layer, Application Layer

• Physical Layer, Data Link Layer, Transport Layer, Session Layer, Presentation Layer, Network
Layer , Application Layer

• Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation
Layer, Application Layer

• Physical Layer, Network Layer, Data Link Layer, Transport Layer, Session Layer, Presentation
Layer, Application Layer

Correct Answer is: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer,
Presentation Layer, Application Layer

Details:

The correct answer is: Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer,
Presentation Layer, Application Layer

International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and
Characteristics:

Application Layer

Presentation Layer

Session Layer

Transport Layer

Network Layer

Data Link Layer

Physical Layer

Mnemonic: Please Do Not Throw Sausage Pizza Away (bottom to top layer)

or

All People Seem To Need Data Processing (top to bottom layer).

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 427 or Kindle Location 11743.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242

Question 35

The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers 6 is which of
the following?

• Network Layer

• Data Link Layer

• Presentation Layer

• Application Layer

Correct Answer is: Presentation Layer

Details:

The correct answer is: Presentation Layer


International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and
Characteristics:

Layers:

1. Physical Layer

2. Data Link Layer

3. Network Layer

4. Transport Layer

5. Session Layer

6. Presentation Layer

7. Application Layer

Here's a great mnemonic for the OSI model: "Please Do Not Throw Sausage Pizza Away".

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 427 or Kindle Location 11743.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 12242

Question 36

Communications and network security relates to transmission of which of the following?

• voice and multimedia

• data and multimedia

• voice, data and multimedia

• voice

Correct Answer is: voice, data and multimedia


Details:

The correct answer is: voice, data and multimedia

From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate:

The CISSP candidate should be familiar with communications and network security as it relates to voice,
data, multimedia, and facsimile transmissions in terms of local area, wide area, and remote access.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 545 or Kindle Location 14682.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

Question 38

The IP header contains a protocol field. If this field contains the value of 51, what type of data is
contained within the IP datagram?

• User datagram protocol (UDP)

• Authentication Header (AH)

• Transmission Control Protocol (TCP)

• Internet Control Message Protocol (ICMP)

Correct Answer is: Authentication Header (AH)

Details:

The correct answer is: Authentication Header (AH)


TCP has the value of 6

UDP has the value of 17

ICMP has the value of 1
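As an added example (not from the study guide or the question bank), a small Go program that parses the fixed IPv4 header, reads the protocol field at byte offset 9 and maps it to the names used in this question; the 20-byte sample header and the 192.0.2.x addresses are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// IPv4Header holds the fixed-header fields that a packet filter or IDS
// looks at before deciding how to treat the datagram.
type IPv4Header struct {
	Version  uint8
	IHL      uint8  // header length in 32-bit words (minimum 5)
	TotalLen uint16 // total datagram length in bytes
	Protocol uint8  // IANA protocol number of the encapsulated payload
	Src      net.IP
	Dst      net.IP
}

// protocolNames covers the values named in this question; the full list
// is the IANA protocol-numbers registry.
var protocolNames = map[uint8]string{
	1:  "ICMP",
	6:  "TCP",
	17: "UDP",
	51: "AH",
}

// ProtocolName returns the registry name for a protocol number, or a
// generic label when the value is not in the local table.
func ProtocolName(p uint8) string {
	if name, ok := protocolNames[p]; ok {
		return name
	}
	return fmt.Sprintf("protocol-%d", p)
}

// ParseIPv4Header decodes the fixed 20-byte header and validates the
// version and header-length fields so that a malformed packet is
// rejected rather than mis-classified.
func ParseIPv4Header(pkt []byte) (IPv4Header, error) {
	var h IPv4Header
	if len(pkt) < 20 {
		return h, errors.New("packet shorter than the 20-byte minimum IPv4 header")
	}
	h.Version = pkt[0] >> 4
	h.IHL = pkt[0] & 0x0F
	if h.Version != 4 {
		return h, fmt.Errorf("not IPv4: version field is %d", h.Version)
	}
	if h.IHL < 5 {
		return h, fmt.Errorf("invalid IHL %d: minimum is 5", h.IHL)
	}
	if int(h.IHL)*4 > len(pkt) {
		return h, errors.New("IHL claims more header bytes than were captured")
	}
	h.TotalLen = binary.BigEndian.Uint16(pkt[2:4])
	h.Protocol = pkt[9] // the protocol field sits at byte offset 9
	h.Src = net.IPv4(pkt[12], pkt[13], pkt[14], pkt[15])
	h.Dst = net.IPv4(pkt[16], pkt[17], pkt[18], pkt[19])
	return h, nil
}

// sampleAHPacket is a constructed 20-byte IPv4 header with no payload:
// protocol 51 (AH) from 192.0.2.1 to 192.0.2.2. The checksum is left as
// zero because this example does not verify it.
var sampleAHPacket = []byte{
	0x45, 0x00, 0x00, 0x14, // version 4, IHL 5, DSCP/ECN 0, total length 20
	0x00, 0x01, 0x00, 0x00, // identification 1, flags 0, fragment offset 0
	0x40, 0x33, 0x00, 0x00, // TTL 64, protocol 0x33 = 51, header checksum 0
	192, 0, 2, 1, // source 192.0.2.1
	192, 0, 2, 2, // destination 192.0.2.2
}

func main() {
	h, err := ParseIPv4Header(sampleAHPacket)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s -> %s protocol %d (%s)\n", h.Src, h.Dst, h.Protocol, ProtocolName(h.Protocol))
}
```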

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 442 or Kindle Location 12081.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) Kindle location 14892

www.iana.org/assignments/protocol-numbers

Question 39

At which layer does IPSEC operate?

• Data Link

• Session

• Network

• Transport

Correct Answer is: Network

Details:

The correct answer is: Network

The IPSec (IP Security) protocol allows setting up a secure channel for protected data exchange between
two devices. It offers strong encryption and authentication methods and operates at the Network layer.

The other answers are incorrect because:

Session: When two applications need to communicate, or transfer information, a connection session
may need to be set up between them.

Transport: IP Security does not work at the transport layer.

Data Link: IP Security does not work at the data link layer of the OSI model.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 255 & 256 or Kindle Location 7457.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14869

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Doug Rike for providing feedback to improve this question.

Here is a brief description of the OSI layers, taken from Shon Harris AIO Book:

The application layer, layer 7, works closest to the user and provides file transmissions, message
exchanges, terminal sessions, and much more. This layer does not include the actual applications but
includes the protocols that support the applications. Some examples of the protocols working at this
layer are the Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Line Printer
Daemon (LPD), File Transfer Protocol (FTP), Telnet, and Trivial File Transfer Protocol (TFTP).

The presentation layer, layer 6, receives information from the application layer protocols and puts it in a
format that all computers following the OSI model can understand. This layer provides a common means
of representing data in a structure that can be properly processed by the end system. This means that
when a user constructs a Word document and sends it out to several people, it does not matter whether
the receiving computer has different word processing programs; each of these computers will be able to
receive this file and understand and present it to its user as a document.

When two applications need to communicate, or transfer information, a connection session may need
to be set up between them. The session layer, layer 5, is responsible for establishing a connection
between the two applications, maintaining it during the transfer of data, and controlling the release of
this connection. A good analogy for the functionality within this layer is a telephone conversation. When
Kandy wants to call a friend, she uses the telephone. The telephone network circuitry and protocols set
up the connection over the telephone lines and maintain that communication path, and when Kandy
hangs up, it releases all the resources it was using to keep that connection open.

When two computers are going to communicate through a connection-oriented protocol, they will first
agree on how much information each computer will send at a time, how to verify the integrity of the
data once it is received, and how to determine whether a packet was lost along the way. The two
computers agree on these parameters through a handshaking process at the transport layer, layer 4. The
agreement on these issues before transferring data helps provide more reliable data transfer, error
detection, correction, recovery, and flow control, and it optimizes the network services needed to
perform these tasks. The transport layer provides end-to-end data transport services and establishes the
logical connection between two communicating computers.

The main responsibilities of the network layer, layer 3, are to insert information into the packet's header
so that it can be properly addressed and routed, and then to actually route the packets to their proper
destination. In a network, many routes can lead to one destination. The protocols at the network layer
must determine the best path for the packet to take.

As we continue down the protocol stack, we are getting closer to the actual network wire over which all
this data will travel. The outer format of the data packet changes slightly at each layer, and it comes to a
point where it needs to be translated into local area network (LAN) or wide area network (WAN)
technology binary format for proper line transmission. This happens at the data link layer.

The physical layer, layer 1, converts bits into voltage for transmission. Signals and voltage schemes have
different meanings for different LAN and WAN technologies.

Question 40

Why does a digital signature CONTAIN a message digest?

• To detect any alteration of the message

• To confirm the identity of the receiver

• To indicate the encryption algorithm

• To enable transmission in a digital format

Correct Answer is: To detect any alteration of the message

Details:

The correct answer is: To detect any alteration of the message


The message digest is calculated and included in a digital signature to prove that the message has not
been altered since the time it was created by the sender.

For your exam you should know the information below:

The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature,
the sender's private key is used to encrypt the message digest of the message. Encrypting the message
digest is the act of signing the message. The receiver uses the sender's matching public key to decrypt
the digital signature.

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be
used to authenticate the identity of the sender of a message or the signer of a document, and possibly
to ensure that the original content of the message or document that has been sent is unchanged. Digital
signatures cannot be forged by someone who does not possess the private key, and they can also be
automatically time-stamped. The ability to ensure that the original signed message arrived means that
the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that
the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate
contains the digital signature of the certificate-issuing authority so that anyone can verify that the
certificate is real and has not been modified since the day it was issued.

How Digital Signature Works

Assume you were going to send the draft of a contract to your lawyer in another town. You want to give
your lawyer the assurance that it was unchanged from what you sent and that it is really from you.

1. You copy-and-paste the contract (it's a short one!) into an e-mail note.

2. Using special software, you obtain a message hash (mathematical summary) of the contract.

3. You then use a private key that you have previously obtained from a public-private key authority
to encrypt the hash.

4. The encrypted hash becomes your digital signature of the message. (Note that it will be different
each time you send a message.)

At the other end, your lawyer receives the message.

1. To make sure it's intact and from you, your lawyer makes a hash of the received message.

2. Your lawyer then uses your public key to decrypt the message hash or summary.

3. If the hashes match, the received message is valid.

Below are some common reasons for applying a digital signature to communications:

Authentication

Although messages may often include information about the entity sending a message, that information
may not be accurate. Digital signatures can be used to authenticate the source of messages. The
importance of high assurance in the sender authenticity is especially obvious in a financial context. For
example, suppose a bank's branch office sends instructions to the central office requesting a change in
the balance of an account. If the central office is not convinced that such a message is truly sent from an
authorized source, acting on such a request could be a serious mistake.

Integrity

In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission. Although encryption hides the contents of a
message, it may be possible to change an encrypted message without understanding it. (Some
encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a
message is digitally signed, any change in the message after the signature has been applied would
invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature
to produce a new message with a valid signature, because this is still considered to be computationally
infeasible by most cryptographic hash functions (see collision resistance).

Non-repudiation

Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital
signatures. By this property, an entity that has signed some information cannot at a later time deny
having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a
valid signature.

Note that authentication, non-repudiation, and other properties rely on the secret key not having been
revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys
would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an
"online" check, e.g. checking a "Certificate Revocation List" or via the "Online Certificate Status
Protocol". This is analogous to a vendor who receives credit-cards first checking online with the credit-
card issuer to find if a given card has been reported lost or stolen.

Tip for the exam

Digital Signature does not provide confidentiality. It provides only authenticity and integrity. The
sender's private key is used to encrypt the message digest to calculate the digital signature.

Encryption provides only confidentiality. The receiver's public key or symmetric key is used for
encryption.

The following answers are incorrect:

• To indicate the encryption algorithm is incorrect, as the message digest is produced by a hashing
function and not an encryption algorithm.

• To confirm the identity of the receiver is also incorrect, as the digest does NOT confirm the identity of
the receiver.

• To enable transmission in a digital format is also incorrect, as this is not the reason why a digital
signature contains a message digest.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 236-237 or Kindle Location 6953.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 9530

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis


Question comments submitted by:

A digital signature is a hash value that has been encrypted with the sender's private key. The act of
signing means encrypting the message's hash value with a private key.

The hashing function ensures the integrity of the message, and the signing of the hash value provides
authentication and nonrepudiation. The act of signing just means that the value was encrypted with a
private key.

A message can be encrypted, which provides confidentiality.

A message can be hashed, which provides integrity.

A message can be digitally signed, which provides authentication, nonrepudiation, and integrity.

A message can be encrypted and digitally signed, which provides confidentiality, authentication,
nonrepudiation, and integrity.

Question 41

Electronic signatures can PREVENT messages from being:

• Repudiated

• Disclosed

• Forwarded

• Erased

Correct Answer is: Repudiated

Details:

The correct answer is: Repudiated

Electronic signatures provide a receipt of the transaction in order to ensure that the entities that
participated in the transaction cannot repudiate their commitments.

For your exam you should know the information below:

The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature,
the sender's private key is used to encrypt the message digest of the message. Encrypting the message
digest is the act of signing the message. The receiver uses the sender's matching public key to decrypt
the digital signature.

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be
used to authenticate the identity of the sender of a message or the signer of a document, and possibly
to ensure that the original content of the message or document that has been sent is unchanged. Digital
signatures cannot be forged by someone who does not possess the private key, and they can also be
automatically time-stamped. The ability to ensure that the original signed message arrived means that
the sender cannot easily repudiate it later.

A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that
the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate
contains the digital signature of the certificate-issuing authority so that anyone can verify that the
certificate is real and has not been modified since the day it was issued.

How Digital Signature Works

Assume you were going to send the draft of a contract to your lawyer in another town. You want to give
your lawyer the assurance that it was unchanged from what you sent and that it is really from you.

1. You copy-and-paste the contract (it's a short one!) into an e-mail note.

2. Using special software, you obtain a message hash (mathematical summary) of the contract.

3. You then use a private key that you have previously obtained from a public-private key authority
to encrypt the hash.

4. The encrypted hash becomes your digital signature of the message. (Note that it will be different
each time you send a message.)

At the other end, your lawyer receives the message.

1. To make sure it's intact and from you, your lawyer makes a hash of the received message.

2. Your lawyer then uses your public key to decrypt the message hash or summary.

3. If the hashes match, the received message is valid.


Below are some common reasons for applying a digital signature to communications:

Authentication

Although messages may often include information about the entity sending a message, that information
may not be accurate. Digital signatures can be used to authenticate the source of messages. The
importance of high assurance in the sender authenticity is especially obvious in a financial context. For
example, suppose a bank's branch office sends instructions to the central office requesting a change in
the balance of an account. If the central office is not convinced that such a message is truly sent from an
authorized source, acting on such a request could be a serious mistake.

Integrity

In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission. Although encryption hides the contents of a
message, it may be possible to change an encrypted message without understanding it. (Some
encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a
message is digitally signed, any change in the message after the signature has been applied would
invalidate the signature. Furthermore, there is no efficient way to modify a message and its signature
to produce a new message with a valid signature, because this is still considered to be computationally
infeasible by most cryptographic hash functions (see collision resistance).

Non-repudiation

Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital
signatures. By this property, an entity that has signed some information cannot at a later time deny
having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a
valid signature.

Note that authentication, non-repudiation, and other properties rely on the secret key not having been
revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys
would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an
"online" check, e.g. checking a "Certificate Revocation List" or via the "Online Certificate Status
Protocol". This is analogous to a vendor who receives credit-cards first checking online with the credit-
card issuer to find if a given card has been reported lost or stolen.

Tip for the exam

Digital Signature does not provide confidentiality. It provides only authenticity, integrity and
non-repudiation. The sender's private key is used to encrypt the message digest to calculate the digital
signature.

Encryption provides only confidentiality. The receiver's public key or symmetric key is used for
encryption.
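The sign-and-verify procedure described under "How Digital Signature Works" (in this question and the previous one), as an added Go example that is not from the study guide or the question bank: the digest is SHA-256, the private-key step is RSA PKCS#1 v1.5 signing from Go's standard library, and the contract text is constructed for the example. It also shows the two exam points above: a one-byte change to the message invalidates the signature, and the signed message itself stays readable, because signing provides no confidentiality.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates the sender's RSA key pair. In practice the
// private key comes from your own key store or a certificate authority
// enrolment; here it is generated on the spot for the example.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Digest is step 2 of the procedure: the message hash (SHA-256) that
// stands in for the full document.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign is steps 3 and 4: the digest is processed with the sender's
// private key (PKCS#1 v1.5 padding) and the result is the signature.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(msg))
}

// Verify is the receiver's side: recompute the digest of what arrived,
// apply the sender's public key to the signature and compare. Any change
// to the message or the signature makes this return false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(msg), sig) == nil
}

// SignedMessage bundles the message with its signature for transport.
// The message travels in the clear: signing gives integrity, authenticity
// and non-repudiation, not confidentiality.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// TamperCheck runs the whole round trip: sign a message, verify it as
// received, then verify again after a one-byte change in transit. It
// returns (validBeforeTamper, validAfterTamper), expected (true, false).
func TamperCheck(priv *rsa.PrivateKey, msg []byte) (bool, bool, error) {
	sig, err := Sign(priv, msg)
	if err != nil {
		return false, false, err
	}
	received := SignedMessage{Message: append([]byte(nil), msg...), Signature: sig}
	okBefore := Verify(&priv.PublicKey, received.Message, received.Signature)

	// Simulate alteration in transit: flip one bit of the contract text.
	altered := append([]byte(nil), received.Message...)
	altered[0] ^= 0x01
	okAfter := Verify(&priv.PublicKey, altered, received.Signature)
	return okBefore, okAfter, nil
}

func main() {
	priv, err := GenerateKeyPair(2048)
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	// Constructed sample document for the example.
	contract := []byte("Contract draft: Party A sells 100 units to Party B for 5,000 USD.")
	okBefore, okAfter, err := TamperCheck(priv, contract)
	if err != nil {
		fmt.Println("signing failed:", err)
		return
	}
	fmt.Printf("signature valid on received message: %v\n", okBefore)
	fmt.Printf("signature valid after one-byte change: %v\n", okAfter)
	fmt.Printf("message still readable by anyone on the path: %q\n", contract)
}
```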

The following answers are incorrect:

• Erased is incorrect, as electronic signatures do not prevent messages from being erased.

• Disclosed is incorrect, as electronic signatures do not prevent messages from being disclosed.

• Forwarded is incorrect, as electronic signatures do not prevent messages from being forwarded.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 240 or Kindle Location 7059.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 9530

Question 42

Which SERVICE usually runs on port 25?

• File Transfer Protocol (FTP)

• Telnet

• Domain Name Service (DNS)

• Simple Mail Transfer Protocol (SMTP)

Correct Answer is: Simple Mail Transfer Protocol (SMTP)


Details:

The correct answer is: Simple Mail Transfer Protocol (SMTP)

FTP - Port 21

Telnet - Port 23

SMTP - Port 25

DNS - Port 53

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 640 or Kindle Location 16991.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795

For the purpose of the exam you DO NOT need to know all of the 65,535 ports, but you must know the
ones that are very commonly used.

Question 43

Which of the following are WELL KNOWN PORTS assigned by the IANA?

• Ports 0 to 1023

• Ports 0 to 1024

• Ports 0 to 255

• Ports 0 to 127

Correct Answer is: Ports 0 to 1023

Details:
The correct answer is: Ports 0 to 1023

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports. The range for assigned "Well Known" ports managed by the IANA
(Internet Assigned Numbers Authority) is 0-1023.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 439 or Kindle Location 12006.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12602

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those
from 49152 through 65535.

Reference: http://www.iana.org/assignments/port-numbers

Question 44

Which of the following is the REGISTERED PORTS range as defined by IANA ?

• Ports 1024 to 32767

• Ports 1025 to 65535


• Ports 128 to 255

• Ports 1024 to 49151

Correct Answer is: Ports 1024 to 49151

Details:

The correct answer is: Ports 1024 to 49151

Ports 1024 to 49151 is the range of REGISTERED PORTS defined by IANA.

A registered port is a network port (a sub-address defined within the Internet Protocol, in the range 1 to
65535) assigned by the Internet Assigned Numbers Authority (IANA) (or by Internet Corporation for
Assigned Names and Numbers (ICANN) before March 21, 2001) for use with a certain protocol or
application.

Ports with numbers lower than those of the registered ports are called well known ports; ports with
numbers greater than those of the registered ports are called dynamic and/or private ports.

• Ports 0-1023 - well known ports

• Ports 1024-49151 - Registered port: vendors use for applications

• Ports >49151 - dynamic / private ports

The other answers are not correct

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 439 or Kindle Location 12006.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12602

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:


Question reviewed by: Clement Dupuis

Question comments submitted by:

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the
Dynamic and/or Private Ports.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

Reference: http://www.iana.org/assignments/port-numbers

Question 45

Packet Filtering Firewalls examines both the source and destination address of the:

• incoming and outgoing data packets.

• Incoming Data packets only.

• user data packet.

• outgoing data packets only.

Correct Answer is: incoming and outgoing data packets.

Details:

The correct answer is: incoming and outgoing data packets.

Packet filtering firewalls are devices that enforce administrative security policies by filtering incoming
traffic as well as outgoing traffic based on rules that can include the source and/or destination
addresses.

"Outgoing data packets" is incorrect. Firewalls filter incoming as well as outgoing traffic. This is
sometimes called Egress and Ingress filtering.

"Incoming data packets only" is incorrect. (see previous explanation)


"User data packet" is incorrect. A packet filtering firewall does not typically look into the data portion of
the packet.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14563

CBK, p. 464

AIO3, pp. 482 - 484

Question 46

Proxies work by transferring a copy of each accepted data packet from one network to another,
thereby masking the:

• data's origin.

• data's owner.

• data's details.

• data's payload.

Correct Answer is: data's origin.

Details:

The correct answer is: data's origin.

The application firewall (proxy) relays the traffic from a trusted host running a specific application to an
untrusted server. It will appear to the untrusted server as if the request originated from the proxy
server.

"Data's payload" is incorrect. Only the origin is changed.

"Data's details" is incorrect. Only the origin is changed.

"Data's owner" is incorrect. Only the origin is changed.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539

CBK, p. 467

AIO3, pp. 486 - 490

Question 47

A variation of the application layer firewall is called a:

• Session-Level Proxy.

• Circuit-Level Proxy.

• Current-Level Proxy.

• Cache-Level Proxy.

Correct Answer is: Circuit-Level Proxy.

Details:

The correct answer is: Circuit-Level Proxy.

A circuit-level proxy creates a conduit through which a trusted host can communicate with an untrusted
one. This type of proxy does not inspect any of the traffic that it forwards, which adds very little
overhead to the communication between the user and untrusted server. The lack of application
awareness also allows circuit-level proxies to forward any traffic to any TCP and UDP port. The
disadvantage is that traffic will not be analyzed for malicious content.

SOCKS is one of the better known circuit-level proxies.

FIREWALL GENERATIONS

Packet Filtering Firewall - First Generation

• Screening Router

• Operates at Network and Transport level

• Examines Source and Destination IP Address

• Can deny based on ACLs

• Can specify Port

Application Level Firewall - Second Generation

• Proxy Server

• Copies each packet from one network to the other

• Masks the origin of the data

• Operates at layer 7 (Application Layer)

• Reduces network performance since it has to analyze each packet and decide what to do with it.

• Also Called Application Layer Gateway

Stateful Inspection Firewalls – Third Generation

• Packets Analyzed at all OSI layers

• Queued at the network level

• Faster than Application level Gateway

Dynamic Packet Filtering Firewalls – Fourth Generation

• Allows modification of security rules

• Mostly used for UDP

• Remembers all of the UDP packets that have crossed the network's perimeter, and it decides whether
to enable packets to pass through the firewall.

Kernel Proxy – Fifth Generation

• Runs in NT Kernel

• Uses dynamic and custom TCP/IP-based stacks to inspect the network packets and to enforce security
policies.

The following are incorrect answers:

"Current level firewall" is incorrect. This is an almost-right-sounding distractor to confuse the unwary.

"Cache level firewall" is incorrect. This too is a distractor.

"Session level firewall" is incorrect. This too is a distractor.


The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14857

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (Kindle Locations
14588-14591). CRC Press. Kindle Edition.

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Charles R. for providing feedback to improve this question.

Multiple inconsistent uses of terms is unfortunately a given in the security industry.

For the exam, be sure you understand the types of firewalls and the differences between them. This will
allow you to work through any confusing uses of terms to choose the best answer.

Since the official CBK and AIO seem to have agreed on "proxy" as opposed to "application layer firewall,"
I would suggest this as the normative usage.

Question 48

A demilitarized zone is:

• a part of a network perfectly safe from hackers

• a militarized network segment

• a firewall

• the network segment between the Internet and a private network

Correct Answer is: the network segment between the Internet and a private network

Details:

The correct answer is: the network segment between the Internet and a private network

The DMZ is a buffer between the protected and unprotected network.

"A part of a network perfectly safe from hackers" is incorrect. There is no such thing.

"A militarized network segment" is incorrect. While the term DMZ originated in the Korean War, it has
nothing to do with the military.

"A firewall" is incorrect. Firewalls can play an important part in building a DMZ but a DMZ is much more
than a firewall.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339

CBK, p. 850

AIO, p. 483

Question 49

Which of the following elements of telecommunications is NOT used in assuring confidentiality?

• Passwords

• Network security protocols

• Network authentication services

• Data encryption services

Correct Answer is: Passwords


Details:

The correct answer is: Passwords

Passwords are one of the multiple ways to authenticate an identity (prove who you claim to be), which
allows confidentiality controls to be enforced so that the identity can only access the information for
which it is authorized. It is the authentication that assists in assuring confidentiality, not the passwords
themselves.

"Network security protocols" is incorrect. Network security protocols are quite useful in assuring
confidentiality in network communications.

"Network authentication services" is incorrect. Confidentiality is concerned with allowing only
authorized users to access information. An important part of determining authorization is authenticating
an identity and this service is supplied by network authentication services.

"Data encryption services" is incorrect. Data encryption services are quite useful in protecting the
confidentiality of information.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16488

Official ISC2 Guide to the CISSP CBK, pp. 407 - 520

AIO 3rd Edition, pp. 415 - 580

Question 50

Knowledge-based Intrusion Detection Systems (IDS) are more common than:

• Network-based IDS

• Application-Based IDS

• Behavior-based IDS

• Host-based IDS

Correct Answer is: Behavior-based IDS


Details:

The correct answer is: Behavior-based IDS

Knowledge-based IDS are more common than behavior-based ID systems.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 63.

Application-Based IDS - "a subset of HIDS that analyze what's going on in an application using the
transaction log files of the application." Source: Official ISC2 CISSP CBK Review Seminar Student Manual
Version 7.0 p. 87

Host-Based IDS - "an implementation of IDS capabilities at the host level. Its most significant difference
from NIDS is intrusion detection analysis, and related processes are limited to the boundaries of the
host." Source: Official ISC2 Guide to the CISSP CBK - p. 197

Network-Based IDS - "a network device, or dedicated system attached to the network, that monitors
traffic traversing the network segment for which it is integrated." Source: Official ISC2 Guide to the CISSP
CBK - p. 196

CISSP For Dummies, a book that we recommend for a quick overview of the 10 domains, has nice and
concise coverage of the subject:

Intrusion detection is defined as real-time monitoring and analysis of network activity and data for
potential vulnerabilities and attacks in progress. One major limitation of current intrusion detection
system (IDS) technologies is the requirement to filter false alarms lest the operator (system or security
administrator) be overwhelmed with data. IDSes are classified in many different ways, including active
and passive, network-based and host-based, and knowledge-based and behavior-based:

Active and passive IDS

An active IDS (now more commonly known as an intrusion prevention system — IPS) is a system that's
configured to automatically block suspected attacks in progress without any intervention required by an
operator. IPS has the advantage of providing real-time corrective action in response to an attack but has
many disadvantages as well. An IPS must be placed in-line along a network boundary; thus, the IPS itself
is susceptible to attack. Also, if false alarms and legitimate traffic haven't been properly identified and
filtered, authorized users and applications may be improperly denied access. Finally, the IPS itself may
be used to effect a Denial of Service (DoS) attack by intentionally flooding the system with alarms that
cause it to block connections until no connections or bandwidth are available.

A passive IDS is a system that's configured only to monitor and analyze network traffic activity and alert
an operator to potential vulnerabilities and attacks. It isn't capable of performing any protective or
corrective functions on its own. The major advantages of passive IDSes are that these systems can be
easily and rapidly deployed and are not normally susceptible to attack themselves.

Network-based and host-based IDS

A network-based IDS usually consists of a network appliance (or sensor) with a Network Interface Card
(NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a
network segment or boundary and monitors all traffic on that segment.

A host-based IDS requires small programs (or agents) to be installed on individual systems to be
monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A
host-based IDS can only monitor the individual host systems on which the agents are installed; it doesn't
monitor the entire network.

Knowledge-based and behavior-based IDS

A knowledge-based (or signature-based) IDS references a database of previous attack profiles and
known system vulnerabilities to identify active intrusion attempts. Knowledge-based IDS is currently
more common than behavior-based IDS.

Advantages of knowledge-based systems include the following:

• It has lower false alarm rates than behavior-based IDS.

• Alarms are more standardized and more easily understood than behavior-based IDS.

Disadvantages of knowledge-based systems include these:

• Signature database must be continually updated and maintained.

• New, unique, or original attacks may not be detected or may be improperly classified.

A behavior-based (or statistical anomaly–based) IDS references a baseline or learned pattern of normal
system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an
alarm to be triggered.

Advantages of behavior-based systems include that they

• Dynamically adapt to new, unique, or original attacks.

• Are less dependent on identifying specific operating system vulnerabilities.

Disadvantages of behavior-based systems include

• Higher false alarm rates than knowledge-based IDSes.

• Usage patterns that may change often and may not be static enough to implement an effective
behavior-based IDS.
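To make the trade-off above concrete, here is an added example (not from the book or the question author) that runs a tiny knowledge-based detector and a tiny behavior-based detector over the same constructed request log. The signature list, the per-host request-volume baseline and all log lines are assumptions built for illustration.

```python
import re
from statistics import mean, pstdev

# ---- Knowledge-based (signature) detection ----------------------------------
# Stand-in for the signature database the text describes: each entry is a
# known attack profile written as a pattern over one request log line.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*(OR|AND)\s*'", re.IGNORECASE),
}


def knowledge_based(lines):
    """Return (line_number, signature_name) for each line matching a known
    profile. An attack with no signature yet produces nothing here."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((n, name))
    return hits


# ---- Behavior-based (statistical anomaly) detection -------------------------
def requests_per_host(lines):
    """Count requests per source host (first field of each constructed line)."""
    counts = {}
    for line in lines:
        host = line.split()[0]
        counts[host] = counts.get(host, 0) + 1
    return counts


def learn_baseline(training_lines):
    """Learn 'normal': mean and standard deviation of the requests one host
    makes in a window. No attack knowledge is involved at all."""
    counts = list(requests_per_host(training_lines).values())
    return mean(counts), pstdev(counts)


def behavior_based(lines, baseline, k=3.0):
    """Flag hosts whose request volume is more than k standard deviations
    above the learned baseline."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = requests_per_host(lines)
    return sorted(host for host, c in counts.items() if c > threshold)


# ---- Constructed sample data (not real traffic) -----------------------------
# Training window: six hosts each making a handful of ordinary requests.
TRAINING_LOG = [
    f"10.0.0.{h} GET /index.html 200"
    for h, n in [(1, 3), (2, 4), (3, 4), (4, 5), (5, 3), (6, 5)]
    for _ in range(n)
]

# Monitoring window, built to show each property the text lists.
MONITOR_LOG = (
    # ordinary browsing: neither detector should fire
    ["10.0.0.5 GET /index.html 200",
     "10.0.0.5 GET /about.html 200",
     "10.0.0.5 GET /contact 200"]
    # two low-volume requests matching known profiles: a signature hit,
    # invisible to the volume-based anomaly detector
    + ["10.0.0.9 GET /cgi-bin/../../etc/passwd 404",
       "10.0.0.9 GET /item?id=1' OR '1'='1 500"]
    # a burst of unfamiliar requests matching no signature: the
    # "new, unique, or original" case only the behavior-based side catches
    + [f"10.0.0.44 GET /page{i} 404" for i in range(12)]
    # a busy but legitimate crawler: the behavior-based false alarm
    + ["10.0.0.12 GET /index.html 200"] * 9
)


def compare(training_lines=TRAINING_LOG, monitor_lines=MONITOR_LOG):
    """Run both detectors over the same window and return their verdicts."""
    return {
        "knowledge_based": knowledge_based(monitor_lines),
        "behavior_based": behavior_based(monitor_lines,
                                         learn_baseline(training_lines)),
    }


if __name__ == "__main__":
    for kind, verdict in compare().items():
        print(f"{kind}: {verdict}")
```

The signature side reports lines 4 and 5 with standardized names but misses the burst from 10.0.0.44; the anomaly side flags 10.0.0.44 and also the harmless crawler 10.0.0.12, while saying nothing about the two low-volume matches.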

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21710

Question 51

A common way to create fault tolerance with leased lines is to group several T1s together with an
inverse multiplexer placed:

• at one end of the connection.

• at both ends of the connection.

• somewhere between both end points.

• in the middle of the connection.

Correct Answer is: at both ends of the connection.

Details:

The correct answer is: at both ends of the connection.

A common way to create fault tolerance with leased lines is to group several T1s together with an
inverse multiplexer placed at both ends of the connection.

In fact it would be a multiplexer at one end and a demultiplexer at the other end, or vice versa: an
inverse multiplexer at both ends.

In electronics, a multiplexer (or mux) is a device that selects one of several analog or digital input signals
and forwards the selected input into a single line. A multiplexer of 2^n inputs has n select lines, which are
used to select which input line to send to the output. Multiplexers are mainly used to increase the
amount of data that can be sent over the network within a certain amount of time and bandwidth. A
multiplexer is also called a data selector.

An electronic multiplexer makes it possible for several signals to share one device or resource, for
example one A/D converter or one communication line, instead of having one device per input signal.

On the other hand, a demultiplexer (or demux) is a device taking a single input signal and selecting one
of many data-output-lines, which is connected to the single input. A multiplexer is often used with a
complementary demultiplexer on the receiving end.

An electronic multiplexer can be considered as a multiple-input, single-output switch, and a
demultiplexer as a single-input, multiple-output switch.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14373

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 72.

and

https://secure.wikimedia.org/wikipedia/en/wiki/Multiplexer

Question 52

Frame relay uses a public switched network to provide:

• Wide Area Network (WAN) connectivity.

• World Area Network (WAN) connectivity.

• Metropolitan Area Network (MAN) connectivity.

• Local Area Network (LAN) connectivity.

Correct Answer is: Wide Area Network (WAN) connectivity.

Details:

The correct answer is: Wide Area Network (WAN) connectivity.

Frame relay uses a public switched network to provide Wide Area Network (WAN) connectivity.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15476

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 73.

Question 53

Which of the following is a drawback of fiber optic cables?


• It is affected by electromagnetic interference (EMI).

• The limited distance at high speeds.

• It can easily be tapped.

• The expertise needed to install it.

Correct Answer is: The expertise needed to install it.

Details:

The correct answer is: The expertise needed to install it.

Fiber optic is immune to the effects of electromagnetic interference, is very hard to tap and has a much
longer effective usable length than any other cable type. The primary drawbacks of this cable type are its
cost of installation and the high level of expertise needed to have it properly terminated.

Optical fiber cable: data travels as light.

• Single mode: small glass core; used for high-speed data transmission over long distances. They
are less susceptible to attenuation than multimode fibers.

• Multimode: large glass cores; able to carry more data than single-core fibers, though they are
best for shorter distances because of their higher attenuation levels.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11745

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 72).

Question 54

What type of attack involves IP spoofing, ICMP ECHO and a bounce site?

• Smurf attack

• IP spoofing attack

• SYN attack

• Teardrop attack

Correct Answer is: Smurf attack

Details:

The correct answer is: Smurf attack

A smurf attack occurs when an attacker sends a spoofed (IP spoofing) PING (ICMP ECHO) packet to the
broadcast address of a large network (the bounce site). Because the modified packet carries the address
of the target system as its source, all devices on the bounce site's local network respond with an ICMP
REPLY to the target system, which is then saturated with those replies. An IP spoofing attack is used to
convince a system that it is communicating with a known entity, which gives an intruder access. It
involves replacing the source address of a packet with a trusted source's address. A teardrop attack
consists of modifying the length and fragmentation offset fields in sequential IP packets so that the
target system becomes confused and crashes after it receives contradictory instructions on how the
fragments are offset. A SYN attack is when an attacker floods a system with connection requests but
does not respond when the target system replies to those requests.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16117

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 76).

Question 55

Which layer defines how packets are routed between end systems?

• Session layer

• Network layer

• Data link layer

• Transport layer

Correct Answer is: Network layer

Details:

The correct answer is: Network layer

The network layer (layer 3) defines how packets are routed and relayed between end systems on the
same network or on interconnected networks. Message routing, error detection and control of node
traffic are managed at this level.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 82).

Question 56

Which OSI/ISO layers are TCP and UDP implemented at?

• Transport layer

• Presentation layer

• Session layer

• Application layer

Correct Answer is: Transport layer

Details:

The correct answer is: Transport layer

TCP and UDP are implemented at the transport layer (layer 4).

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 82).

Question 57

Which OSI/ISO layer is the Media Access Control (MAC) sublayer part of?

• Physical layer

• Transport layer

• Data link layer

• Network layer

Correct Answer is: Data link layer

Details:

The correct answer is: Data link layer

The data link layer contains the Logical Link Control sublayer and the Media Access Control (MAC)
sublayer.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 83).

Question 58

Which layer of the DoD TCP/IP Model ensures error-free delivery and packet sequencing?

• Network access layer

• Internet layer

• Application layer

• Host-to-host

Correct Answer is: Host-to-host

Details:

The correct answer is: Host-to-Host

This layer of the DoD Model is also sometimes called Transport in some books but the proper name is
Host-to-Host as per the RFC document.

The host-to-host layer provides for reliable end-to-end communications, ensures the data's error-free
delivery, handles the data's packet sequencing, and maintains the data's integrity.

It is comparable to the transport layer of the OSI model.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534

http://en.wikipedia.org/wiki/Internet_protocol_suite

and

http://technet.microsoft.com/en-us/library/cc786900%28v=ws.10%29.aspx

and

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).

Question 59

Which layer of the DoD TCP/IP model controls the communication flow between hosts?

• Application layer

• Internet layer

• Host-to-host transport layer

• Network access layer

Correct Answer is: Host-to-host transport layer

Details:

The correct answer is: Host-to-host transport layer

The host-to-host layer (equivalent to the OSI transport layer) provides end-to-end data delivery service
and flow control to the application layer.

The four layers in the DoD model, from top to bottom, are:

The Application Layer contains protocols that implement user-level functions, such as mail delivery, file
transfer and remote login.

The Host-to-Host Layer handles connection rendezvous, flow control, retransmission of lost data, and
other generic data flow management between hosts. The mutually exclusive TCP and UDP protocols are
this layer's most important members.

The Internet Layer is responsible for delivering data across a series of different physical networks that
interconnect a source and destination machine. Routing protocols are most closely associated with this
layer, as is the IP Protocol, the Internet's fundamental protocol.

The Network Access Layer is responsible for delivering data over the particular hardware media in use.
Different protocols are selected from this layer, depending on the type of physical network.

The OSI model organizes communication services into seven groups called layers. The layers are as
follows:

• Layer 7, The Application Layer: The application layer serves as a window for users and
application processes to access network services. It handles issues such as network transparency,
resource allocation, etc. This layer is not an application in itself, although some applications may
perform application layer functions.

• Layer 6, The Presentation Layer: The presentation layer serves as the data translator for a
network. It is usually a part of an operating system and converts incoming and outgoing data from one
presentation format to another. This layer is also known as syntax layer.

• Layer 5, The Session Layer: The session layer establishes a communication session between
processes running on different communication entities in a network and can support a message-mode
data transfer. It deals with session and connection coordination.

• Layer 4, The Transport Layer: The transport layer ensures that messages are delivered in the
order in which they are sent and that there is no loss or duplication. It ensures complete data transfer.
This layer provides an additional connection below the Session layer and assists with managing some
data flow control between hosts. Data is divided into packets on the sending node, and the receiving
node's Transport layer reassembles the message from packets. This layer is also responsible for error
checking to guarantee error-free data delivery, and requests a retransmission if necessary. It is also
responsible for sending acknowledgments of successful transmissions back to the sending host. A
number of protocols run at the Transport layer, including TCP, UDP, Sequenced Packet Exchange (SPX),
and NWLink.

• Layer 3, The Network Layer: The network layer controls the operation of the subnet. It
determines the physical path that data takes on the basis of network conditions, priority of service, and
other factors. The network layer is responsible for routing and forwarding data packets.

• Layer 2, The Data-Link Layer: The data-link layer is responsible for error free transfer of data
frames. This layer provides synchronization for the physical layer. ARP and RARP would be found at this
layer.

• Layer 1, The Physical Layer: The physical layer is responsible for packaging and transmitting data
on the physical media. This layer conveys the bit stream through a network at the electrical and
mechanical level.

See a great flash animation on the subject at:

https://www.youtube.com/watch?v=-6Uoku-M6oY

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 85).

Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7:
Telecommunications and Network Security (page 344).

Question 60

Which of the following protocols is NOT implemented at the Internet layer of the TCP/IP protocol
model?

• Internet protocol (IP)

• Internet Group Management Protocol (IGMP)

• Internet control message protocol (ICMP)

• User datagram protocol (UDP)

Correct Answer is: User datagram protocol (UDP)

Details:

The correct answer is: User datagram protocol (UDP)

The User Datagram Protocol (UDP) is implemented at the host-to-host transport layer, not at the
internet layer.

Protocol at what layer?

Ensure you are familiar with both the OSI model and the DoD TCP/IP model. You need to know how to
contrast the two side by side and which names are used in each. Below you have a graphic showing the
two, how the layers map between them, and some of the most common protocols found at each layer:

Graphic from http://technet.microsoft.com/en-us/library/cc958821.aspx

The following are incorrect answers:

All of the other protocols sit at the Internet Layer of the TCP/IP model.

NOTE:

Some references call the Transport layer of the DoD model the Host-to-Host layer.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534

CISM Review Manual 2015

Microsoft Technet at http://technet.microsoft.com/en-us/library/cc958821.aspx

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Robie Lutsey for providing input to improve this question.

Thanks to Neil Schworm for providing feedback to improve this question.

TIP from: prasath suthandiram

Except for the IMAP protocol, about 98% of the protocols starting with the letter "I" are located at layer
3.

Question 61

How many bits compose an IPv6 address?

• 32 bits

• 128 bits

• 96 bits

• 64 bits

Correct Answer is: 128 bits


Details:

The correct answer is: 128 bits

The actual IP address (IPv4) is composed of 32 bits. An IPv6 address is composed of 128 bits.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12589

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).

Question 62

What protocol is used on the Local Area Network (LAN) to obtain an IP address from its known MAC
address?

• Data link layer

• Address resolution protocol (ARP)

• Network address translation (NAT)

• Reverse address resolution protocol (RARP)

Correct Answer is: Reverse address resolution protocol (RARP)

Details:

The correct answer is: Reverse address resolution protocol (RARP)

The reverse address resolution protocol (RARP) sends out a packet including a MAC address and a
request to be informed of the IP address that should be assigned to that MAC.

Diskless workstations do not have a full operating system but have just enough code to know how to
boot up and broadcast for an IP address, and they may have a pointer to the server that holds the
operating system. The diskless workstation knows its hardware address, so it broadcasts this
information so that a listening server can assign it the correct IP address.

As with ARP, Reverse Address Resolution Protocol (RARP) frames go to all systems on the subnet, but
only the RARP server responds. Once the RARP server receives this request, it looks in its table to see
which IP address matches the broadcast hardware address. The server then sends a message that
contains its IP address back to the requesting computer. The system now has an IP address and can
function on the network.
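The request/lookup/reply exchange just described, as an added example that is not part of the original question or its references: it packs a RARP request the way RFC 903 lays it out on top of the ARP header, has a server answer only for hardware addresses in its table, and decodes the reply. The MAC-to-IP table and all addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# ARP/RARP wire format for Ethernet + IPv4 (RFC 826 / RFC 903): 28 bytes.
# hardware type, protocol type, hw addr len, proto addr len, opcode,
# sender hw addr, sender proto addr, target hw addr, target proto addr.
PKT_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_RARP_REQUEST, OP_RARP_REPLY = 3, 4
ZERO_IP = bytes(4)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_rarp_request(client_mac: str) -> bytes:
    """What the diskless station broadcasts: both hardware fields carry its
    own MAC, and both protocol fields are zero because it has no IP yet."""
    mac = mac_bytes(client_mac)
    return struct.pack(PKT_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                       OP_RARP_REQUEST, mac, ZERO_IP, mac, ZERO_IP)


def parse(pkt: bytes) -> dict:
    """Decode a packet into its fields, rejecting unsupported address types."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(PKT_FMT, pkt)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP-family packet")
    return {"op": op, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class RarpServer:
    """The one host on the subnet that answers: a MAC -> IP table lookup."""

    def __init__(self, server_mac: str, server_ip: str, table: dict):
        self.mac = mac_bytes(server_mac)
        self.ip = IPv4Address(server_ip).packed
        # constructed table of hardware addresses the server is allowed to serve
        self.table = {k.lower(): v for k, v in table.items()}

    def handle(self, pkt: bytes):
        """Return a RARP reply for a known hardware address, else None:
        an unknown MAC simply gets no answer, as the text describes."""
        req = parse(pkt)
        if req["op"] != OP_RARP_REQUEST:
            return None
        assigned = self.table.get(req["tha"])
        if assigned is None:
            return None
        return struct.pack(PKT_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                           OP_RARP_REPLY, self.mac, self.ip,
                           mac_bytes(req["tha"]), IPv4Address(assigned).packed)


def boot_sequence(client_mac: str, server: RarpServer):
    """Full exchange: client broadcasts, server looks up, client reads its
    assigned address out of the reply's target protocol field."""
    reply = server.handle(build_rarp_request(client_mac))
    if reply is None:
        return None
    fields = parse(reply)
    return fields["tpa"] if fields["op"] == OP_RARP_REPLY else None


# Constructed sample addresses (documentation ranges, not real hosts).
SERVER = RarpServer("00:00:5e:00:53:01", "192.0.2.1",
                    {"00:00:5e:00:53:20": "192.0.2.20"})

if __name__ == "__main__":
    print(boot_sequence("00:00:5e:00:53:20", SERVER))  # 192.0.2.20
    print(boot_sequence("00:00:5e:00:53:99", SERVER))  # None: not in table
```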

The Bootstrap Protocol (BOOTP) was created after RARP to enhance the functionality that RARP
provides for diskless workstations. The diskless workstation can receive its IP address, the name server
address for future name resolutions, and the default gateway address from the BOOTP server. BOOTP
usually provides more functionality to diskless workstations than does RARP.

The evolution of this protocol has unfolded as follows: RARP evolved into BOOTP, which evolved into
DHCP.

The following are incorrect answers:

NAT is a tool that is used for masking true IP addresses by employing internal addresses.

ARP does the opposite of RARP: it finds the MAC address that maps to an existing IP address.

Data Link layer: The Data Link layer is not a protocol; it is represented at layer 2 of the OSI model. In the
TCP/IP model, the Data Link and Physical layers are combined into the Network Access layer, which is
sometimes called the Link layer or the Network Interface layer.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15149

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 453). CRC Press.
Kindle Edition.

and

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Telecommunications and Network
Security, Page 584-585 and also 598. For Kindle users see Kindle Locations 12348-12357. McGraw-Hill.

and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 87).

Question 63

Which of the following is NOT a VPN communications protocol standard?

• Layer 2 tunnelling protocol (L2TP)

• IP Security

• Challenge Handshake Authentication Protocol (CHAP)

• Point-to-point tunnelling protocol (PPTP)

Correct Answer is: Challenge Handshake Authentication Protocol (CHAP)

Details:

The correct answer is: Challenge Handshake Authentication Protocol (CHAP)

CHAP is an authentication mechanism for point-to-point protocol connections that encrypts the user's
password. It is a protocol that uses a three-way handshake. The server sends the client a challenge,
which includes a random value (a nonce) to thwart replay attacks. The client responds with an MD5 hash
of the nonce and the password. The authentication is successful if the client's response is the one that
the server expected.
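The three-way handshake above, as an added example (not from the question or its references) with both sides in one script: the response is the RFC 1994 MD5 over identifier, secret and challenge, and the server consumes each challenge on use so a response copied from an earlier exchange cannot be reused. The shared secret is a constructed value.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice provisioned out of band on both peers.
SHARED_SECRET = b"example-shared-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier || secret || challenge.
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and verifies responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.next_id = 0
        self.outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        """Step 1: send an identifier and a fresh random challenge (the nonce)."""
        ident = self.next_id & 0xFF
        self.next_id += 1
        nonce = secrets.token_bytes(16)
        self.outstanding[ident] = nonce
        return ident, nonce

    def verify(self, ident: int, response: bytes) -> bool:
        """Step 3: recompute the expected hash for this identifier. Each
        challenge is consumed when checked, so a response captured from an
        earlier exchange has no matching challenge left to verify against."""
        nonce = self.outstanding.pop(ident, None)
        if nonce is None:
            return False
        expected = chap_response(ident, self.secret, nonce)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Peer side: proves knowledge of the secret without transmitting it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, ident: int, nonce: bytes) -> bytes:
        """Step 2: answer the challenge with the hash of nonce and secret."""
        return chap_response(ident, self.secret, nonce)


def run_handshake(server: ChapServer, client: ChapClient) -> bool:
    """Full three-way exchange; True only when the client's secret matches."""
    ident, nonce = server.challenge()
    return server.verify(ident, client.respond(ident, nonce))


def replayed_response_is_rejected(server: ChapServer, client: ChapClient) -> bool:
    """Why the nonce matters: a response from one genuine exchange, presented
    again against the next challenge, must fail verification."""
    ident, nonce = server.challenge()
    captured = client.respond(ident, nonce)
    if not server.verify(ident, captured):
        return False  # the genuine exchange itself should have succeeded
    later_ident, _ = server.challenge()
    return not server.verify(later_ident, captured)


if __name__ == "__main__":
    print(run_handshake(ChapServer(SHARED_SECRET), ChapClient(SHARED_SECRET)))
    print(run_handshake(ChapServer(SHARED_SECRET), ChapClient(b"wrong-secret")))
    print(replayed_response_is_rejected(ChapServer(SHARED_SECRET),
                                        ChapClient(SHARED_SECRET)))
```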

The VPN communication protocol standards listed above are PPTP, L2TP and IPSec.

PPTP and L2TP operate at the data link layer (layer 2) of the OSI model and enable only a single point-to-
point connection per session.

The following are incorrect answers:

PPTP uses native PPP authentication and encryption services. Point-to-Point Tunneling Protocol (PPTP)
is a VPN protocol that runs over other protocols. PPTP relies on generic routing encapsulation (GRE) to
build the tunnel between the endpoints. After the user authenticates, typically with Microsoft Challenge
Handshake Authentication Protocol version 2 (MSCHAPv2), a Point-to-Point Protocol (PPP) session
creates a tunnel using GRE.

L2TP is a combination of PPTP and the earlier Layer 2 Forwarding protocol (L2F). Layer 2 Tunneling
Protocol (L2TP) is a hybrid of Cisco’s Layer 2 Forwarding (L2F) and Microsoft’s PPTP. It allows callers over
a serial line using PPP to connect over the Internet to a remote network. A dial-up user connects to his
ISP’s L2TP access concentrator (LAC) with a PPP connection. The LAC encapsulates the PPP packets into
L2TP and forwards it to the remote network’s layer 2 network server (LNS). At this point, the LNS
authenticates the dial-up user. If authentication is successful, the dial-up user will have access to the
remote network.

IPSec operates at the network layer (layer 3) and enables multiple simultaneous tunnels. IP Security
(IPSec) is a suite of protocols for communicating securely with IP by providing mechanisms for
authenticating and encryption. Implementation of IPSec is mandatory in IPv6, and many organizations
are using it over IPv4. Further, IPSec can be implemented in two modes, one that is appropriate for end-
to-end protection and one that safeguards traffic between networks.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14941

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 7067-7071). Auerbach Publications. Kindle Edition.

and

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 6987-6990). Auerbach Publications. Kindle Edition.

Question 64

Which of the following is a device that is used to regenerate or replicate the received signals?

• Router

• Repeater

• Brouter

• Bridge

Correct Answer is: Repeater


Details:

The correct answer is: Repeater

Repeaters offer the simplest form of connectivity. They regenerate received electrical signals at their
original strength between cable segments. Bridges are devices used to connect similar or dissimilar LANs
together to form an extended LAN. Routers provide packet routing between network segments. Brouters
are devices that combine router and bridge functionality.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14376

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7:
Telecommunications and Network Security (page 397).

Question 65

Which of the following networking devices allows the connection of two or more homogeneous LANs in
a simple way where they forward the traffic based on the MAC address?

• Gateways

• Bridges

• Firewalls

• Routers

Correct Answer is: Bridges

Details:

The correct answer is: Bridges

Bridges are simple, protocol-dependent networking devices that are used to connect two or more
homogeneous LANs to form an extended LAN.

A bridge does not change the contents of the frame being transmitted but acts as a relay.

A gateway is designed to reduce the problems of interfacing any combination of local networks that
employ different level protocols or local and long-haul networks.

A router connects two networks or network segments and may use IP to route messages.

Firewalls are methods of protecting a network against security threats from other systems or networks
by centralizing and controlling access to the protected network segment.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14385

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7:
Telecommunications and Network Security (page 397).

Question 66

Which of the following can prevent hijacking of a web session?

• RSA

• SET

• SSL

• PPP

Correct Answer is: SSL

Details:

The correct answer is: SSL

The Secure Socket Layer (SSL) protocol is used between a web server and client and provides encryption
of the entire session, thus preventing session hijacking. RSA is an asymmetric encryption algorithm that
can be used in setting up an SSL session. SET is the Secure Electronic Transaction protocol that was
introduced by Visa and Mastercard to allow for more credit card transaction possibilities. PPP is a
point-to-point protocol.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16314

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 89).

Question 67

Which type of attack involves impersonating a user or a system?

• Smurfing attack

• Sniffing attack

• Spamming attack

• Spoofing attack

Correct Answer is: Spoofing attack

Details:

The correct answer is: Spoofing attack

A spoofing attack is when an attempt is made to gain access to a computer system by posing as an
authorized user or system. Spamming refers to sending out or posting junk advertising and unsolicited
mail. A smurf attack is a type of denial-of-service attack using PING and a spoofed address. Sniffing refers
to observing packets passing on a network.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16314

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 77).

Question 68

Which of the following IEEE standards defines the token ring media access method?

• 802.2

• 802.5

• 802.11

• 802.3

Correct Answer is: 802.5

Details:

The correct answer is: 802.5

The IEEE 802.5 standard defines the token ring media access method. 802.3 refers to Ethernet's
CSMA/CD, 802.11 refers to wireless communications and 802.2 refers to the logical link control.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15229

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 109).

Question 69

Which xDSL flavour, appropriate for home or small offices, delivers more bandwidth downstream than
upstream?

• SDSL

• ADSL

• HDSL

• VDSL

Correct Answer is: ADSL

Details:

The correct answer is: ADSL

Asymmetric digital subscriber line (ADSL) is designed to provide more bandwidth downstream (1 to 8
Mbps) than upstream (16 to 800Kb).

DSL (Digital Subscriber Line) is a modem technology for broadband data access over ordinary copper
telephone lines (POTS) from homes and businesses. xDSL refers collectively to all types of DSL, such as
ADSL (and G.Lite), HDSL, SDSL, IDSL and VDSL etc. They are sometimes referred to as last-mile (or first
mile) technologies because they are used only for connections from a telephone switching station to a
home or office, not between switching stations.

xDSL is similar to ISDN in as much as both operate over existing copper telephone lines (POTS) using
sophisticated modulation schemes and both require short runs to a central telephone office.

Graphic below from: http://computer.howstuffworks.com/vdsl3.htm

The following are incorrect answers:

Single-line Digital Subscriber Line (SDSL) delivers 2.3 Mbps of bandwidth each way.

High-rate Digital Subscriber Line (HDSL) delivers 1.544 Mbps of bandwidth each way.

Very-high data-rate Digital Subscriber Line (VDSL) can deliver up to 52 Mbps downstream over a single
copper twisted pair over a relatively short distance (1000 to 4500 feet). It could have been another
choice but it is not the best choice. The key to VDSL is that the telephone companies are replacing
many of their main feeds with fiber-optic cable. In fact, many phone companies are planning Fiber to the
Curb (FTTC), which means that they will replace all existing copper lines right up to the point where your
phone line branches off at your house. At the least, most companies expect to implement Fiber to the
Neighborhood (FTTN). Instead of installing fiber-optic cable along each street, FTTN has fiber going to
the main junction box for a particular neighborhood.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15435
http://computer.howstuffworks.com/vdsl3.htm

http://www.javvin.com/protocolxDSL.html

http://computer.howstuffworks.com/vdsl2.htm

Question 70

Which of the following services is provided by Secure RPC?

• Accountability

• Integrity

• Authentication

• Availability

Correct Answer is: Authentication

Details:

The correct answer is: Authentication

Secure RPC provides authentication services. Secure RPC (Remote Procedure Call) protects remote
procedures with an authentication mechanism. The Diffie-Hellman authentication mechanism
authenticates both the host and the user who is making a request for a service. The authentication
mechanism uses Data Encryption Standard (DES) encryption. Applications that use Secure RPC include
NFS and the naming services, NIS and NIS+.

WHAT IS RPC?

Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program
located in another computer in a network without having to understand network details. (A procedure
call is also sometimes known as a function call or a subroutine call.) RPC uses the client/server model.
The requesting program is a client and the service-providing program is the server. Like a regular or local
procedure call, an RPC is a synchronous operation requiring the requesting program to be suspended
until the results of the remote procedure are returned. However, the use of lightweight processes or
threads that share the same address space allows multiple RPCs to be performed concurrently.

When program statements that use RPC are compiled into an executable program, a stub is included in
the compiled code that acts as the representative of the remote procedure code. When the program is
run and the procedure call is issued, the stub receives the request and forwards it to a client runtime
program in the local computer. The client runtime program has the knowledge of how to address the
remote computer and server application and sends the message across the network that requests the
remote procedure. Similarly, the server includes a runtime program and stub that interface with the
remote procedure itself. Results are returned the same way.

There are several RPC models and implementations. A popular model and implementation is the Open
Software Foundation's Distributed Computing Environment (DCE). The Institute of Electrical and
Electronics Engineers defines RPC in its ISO Remote Procedure Call Specification, ISO/IEC CD 11578
N6561, ISO/IEC, November 1991.

RPC spans the Transport layer and the Application layer in the Open Systems Interconnection (OSI)
model of network communication. RPC makes it easier to develop an application that includes multiple
programs distributed in a network.

All of the other answers are not features of S/RPC.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12786

(2015-03-20). Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) (p. 475). CRC Press.
Kindle

and

http://docs.sun.com/app/docs/doc/816-4883/6mb2joane?a=view

and

http://docs.oracle.com/cd/E23823_01/html/816-4557/auth-2.html

Question 71

Which of the following is NOT a common function of a firewall?

• Protect against viruses

• Limit security exposures

• Log Internet activity

• Enforce organization's security policy

Correct Answer is: Protect against viruses

Details:

The correct answer is: Protect against viruses

Firewalls enforce a corporate security policy and limit an organization's security exposures by filtering
traffic passing between the Internet and the corporate network. They do log Internet activity, but they do
not usually protect against viruses.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14520

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 89).

CISA Review Manual 2014 Page number 344

CISM Review Manual 2014

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Josh Tilles for sending feedback to improve this question.


NOTE FROM CLEMENT:

Most firewall types will support virus detection through the usage of an additional module or a
third-party plugin. However, out of the box, even today, only a few enterprise or larger size models have
full antivirus capability.

Question 72

Which of the following is the simplest type of firewall?

• Packet filtering firewall

• Application gateway

• Dual-homed host firewall

• Stateful packet filtering firewall

Correct Answer is: Packet filtering firewall

Details:

The correct answer is: Packet filtering firewall

A static packet filtering firewall is the simplest and least expensive type of firewall, offering minimum
security provisions to a low-risk computing environment.

A static packet filter firewall examines both the source and destination addresses of the incoming data
packet and applies ACLs to them. These firewalls operate at either the Network or Transport layer. They are
known as the First generation of firewalls.

Older firewalls that were only packet filters were essentially routing devices that provided access control
functionality for host addresses and communication sessions. These devices, also known as stateless
inspection firewalls, do not keep track of the state of each flow of traffic that passes through the firewall;
this means, for example, that they cannot associate multiple requests within a single session to each
other. Packet filtering is at the core of most modern firewalls, but there are few firewalls sold today that
only do stateless packet filtering. Unlike more advanced filters, packet filters are not concerned about
the content of packets. Their access control functionality is governed by a set of directives referred to as
a ruleset. Packet filtering capabilities are built into most operating systems and devices capable of
routing; the most common example of a pure packet filtering device is a network router that employs
access control lists.

There are many types of Firewall:

Application Level Firewalls – Often called a Proxy Server. It works by transferring a copy of each
accepted data packet from one network to another. They are known as the Second generation of
firewalls.

An application-proxy gateway is a feature of advanced firewalls that combines lower-layer access
control with upper-layer functionality. These firewalls contain a proxy agent that acts as an intermediary
between two hosts that wish to communicate with each other, and never allows a direct connection
between them. Each successful connection attempt actually results in the creation of two separate
connections—one between the client and the proxy server, and another between the proxy server and
the true destination. The proxy is meant to be transparent to the two hosts—from their perspectives
there is a direct connection. Because external hosts only communicate with the proxy agent, internal IP
addresses are not visible to the outside world. The proxy agent interfaces directly with the firewall
ruleset to determine whether a given instance of network traffic should be allowed to transit the
firewall.

Stateful Inspection Firewall - Packets are captured by the inspection engine operating at the network
layer and then analyzed at all layers. They are known as the Third generation of firewalls.

Stateful inspection improves on the functions of packet filters by tracking the state of connections and
blocking packets that deviate from the expected state. This is accomplished by incorporating greater
awareness of the transport layer. As with packet filtering, stateful inspection intercepts packets at the
network layer and inspects them to see if they are permitted by an existing firewall rule, but unlike
packet filtering, stateful inspection keeps track of each connection in a state table. While the details of
state table entries vary by firewall product, they typically include source IP address, destination IP
address, port numbers, and connection state information.
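As an added illustration of the state table just described (example code written for this page, not from any firewall product or from the NIST publication cited below), the following Python models a first-generation stateless filter beside a stateful one and runs both over the same constructed packet sequence; the internal network prefix, addresses and flags are constructed.

```python
"""Constructed model of a stateful inspection firewall beside a stateless one.

The state table is keyed on the connection 4-tuple (source IP, source port,
destination IP, destination port) and records the TCP connection state, the
fields the text above says such entries typically contain.
"""
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed: hosts with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def P(src, sport, dst, dport, *flags):
    """Small constructor for readable constructed traffic."""
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_internal(ip):
    return ip.startswith(INTERNAL_NET)


class StatelessFilter:
    """First-generation packet filter: every packet is judged on its own.
    Outbound traffic is allowed; inbound traffic is allowed when the ACK bit
    is set, the old approximation of 'this is a reply to our connection'."""

    def decide(self, pkt):
        if is_internal(pkt.src):
            return "ALLOW"
        return "ALLOW" if "ACK" in pkt.flags else "DROP"


class StatefulFilter:
    """Stateful inspection: the same policy, but an inbound packet must match
    an entry that an earlier outbound SYN created, and its flags must fit the
    state the entry is in.  Entries are keyed on the initiator's tuple."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> connection state

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # initiator direction
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # responder direction
        entry = fwd if fwd in self.table else rev if rev in self.table else None

        if entry is None:
            # Only a bare SYN from inside may create a new table entry.
            if pkt.flags == {"SYN"} and is_internal(pkt.src):
                self.table[fwd] = "SYN_SENT"
                return "ALLOW"
            return "DROP"   # unsolicited, e.g. a SYN/ACK with no prior SYN

        state, from_initiator = self.table[entry], entry == fwd
        if state == "SYN_SENT" and not from_initiator and pkt.flags == {"SYN", "ACK"}:
            self.table[entry] = "SYN_RECEIVED"        # handshake step 2
        elif state == "SYN_RECEIVED" and from_initiator and pkt.flags == {"ACK"}:
            self.table[entry] = "ESTABLISHED"         # handshake step 3
        elif state == "ESTABLISHED" and "ACK" in pkt.flags:
            if "FIN" in pkt.flags:
                del self.table[entry]                 # connection closing
        else:
            return "DROP"   # flags do not fit the expected sequence
        return "ALLOW"


def run(fw, packets):
    """Apply a filter to a packet sequence and return the decisions in order."""
    return [fw.decide(p) for p in packets]


# Constructed traffic: a legitimate outbound HTTPS handshake, then a forged
# SYN/ACK from an outside host that never received a SYN from us.
CLIENT, SERVER, OUTSIDER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
HANDSHAKE = [
    P(CLIENT, 40001, SERVER, 443, "SYN"),
    P(SERVER, 443, CLIENT, 40001, "SYN", "ACK"),
    P(CLIENT, 40001, SERVER, 443, "ACK"),
]
FORGED_SYNACK = P(OUTSIDER, 443, CLIENT, 40002, "SYN", "ACK")

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), HANDSHAKE + [FORGED_SYNACK]))
    print("stateful: ", run(StatefulFilter(), HANDSHAKE + [FORGED_SYNACK]))
```

The stateless filter passes the forged SYN/ACK because the ACK bit alone satisfies its rule; the stateful filter drops it because no table entry exists for that connection.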

Web Application Firewalls - The HTTP protocol used in web servers has been exploited by attackers in
many ways, such as to place malicious software on the computer of someone browsing the web, or to
fool a person into revealing private information that they might not have otherwise. Many of these
exploits can be detected by specialized application firewalls called web application firewalls that reside
in front of the web server.

Web application firewalls are a relatively new technology, as compared to other firewall technologies,
and the type of threats that they mitigate are still changing frequently. Because they are put in front of
web servers to prevent attacks on the server, they are often considered to be very different than
traditional firewalls.

Host-Based Firewalls and Personal Firewalls - Host-based firewalls for servers and personal firewalls for
desktop and laptop personal computers (PC) provide an additional layer of security against network-
based attacks. These firewalls are software-based, residing on the hosts they are protecting—each
monitors and controls the incoming and outgoing network traffic for a single host. They can provide
more granular protection than network firewalls to meet the needs of specific hosts.
Host-based firewalls are available as part of server operating systems such as Linux, Windows, Solaris,
BSD, and Mac OS X Server, and they can also be installed as third-party add-ons. Configuring a host-
based firewall to allow only necessary traffic to the server provides protection against malicious activity
from all hosts, including those on the same subnet or on other internal subnets not separated by a
network firewall. Limiting outgoing traffic from a server may also be helpful in preventing certain
malware that infects a host from spreading to other hosts. Host-based firewalls usually perform
logging, and can often be configured to perform address-based and application-based access controls.

Dynamic Packet Filtering – Makes informed decisions on the ACLs to apply. They are known as the
Fourth generation of firewalls.

Kernel Proxy - Very specialized architecture that provides modular kernel-based, multi-layer evaluation
and runs in the NT executive space. They are known as the Fifth generation of firewalls.

The following were incorrect answers:

All of the other types of firewalls listed are more complex than the Packet Filtering Firewall.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14563

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Telecommunications and Network
Security, Page 630.

and

NIST Guidelines on Firewalls and Firewall Policy, Special Publication 800-41 Revision 1

Question 73

Which of the following is an example of a passive attack?

• Shoulder surfing

• Brute-force password cracking

• Smurfing

• Denying services to legitimate users

Correct Answer is: Shoulder surfing

Details:

The correct answer is: Shoulder surfing

Shoulder surfing is a form of a passive attack involving stealing passwords, personal identification
numbers or other confidential information by looking over someone's shoulder. All other forms of attack
are active attacks, where a threat makes a modification to the system in an attempt to take advantage of
a vulnerability.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13589

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3:
Security Management Practices (page 63).

Question 74

Which of the following offers security to wireless communications?

• S-WAP

• WDP

• WSP

• WTLS

Correct Answer is: WTLS

Details:

The correct answer is: WTLS

Wireless Transport Layer Security (WTLS) is a communication protocol that allows wireless devices to
send and receive encrypted information over the Internet. S-WAP is not defined. WSP (Wireless Session
Protocol) and WDP (Wireless Datagram Protocol) are part of Wireless Access Protocol (WAP).

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).

Question 75

Which of the following is an example of an active attack?

• Eavesdropping

• Scanning

• Wiretapping

• Traffic analysis

Correct Answer is: Scanning

Details:

The correct answer is: Scanning

Scanning is definitely a very active attack. The attacker makes use of a scanner to perform the
attack; the scanner sends a very large quantity of packets to the target in order to elicit responses
that allow the attacker to find information about the operating system, vulnerabilities, misconfigurations
and more. The packets being sent are sometimes attempting to identify whether a known vulnerability exists on
the remote hosts.

A passive attack is usually done in the footprinting phase of an attack. While doing your passive
reconnaissance you never send a single packet to the destination target. You gather information from
public databases such as the DNS servers, public information through search engines, financial
information from finance web sites, and technical information from mailing list archives or job postings, for
example.

An attack can be active or passive.

An "active attack" attempts to alter system resources or affect their operation.

A "passive attack" attempts to learn or make use of information from the system but does not affect
system resources. (E.g., see: wiretapping.)

The following are all incorrect answers because they are all passive attacks:

Traffic Analysis - Traffic analysis is the process of intercepting and examining messages in order to deduce information
from patterns in communication. It can be performed even when the messages are encrypted and
cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and
stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of
military intelligence or counter-intelligence, and is a concern in computer security.

Eavesdropping - Eavesdropping is another security risk posed to networks. Because of the way some
networks are built, anything that gets sent out is broadcast to everyone. Under normal circumstances,
only the computer that the data was meant for will process that information. However, hackers can set
up programs on their computers called "sniffers" that capture all data being broadcast over the network.
By carefully examining the data, hackers can often reconstruct real data that was never meant for them.
Some of the most damaging things that get sniffed include passwords and credit card information.

In the cryptographic context, eavesdropping and sniffing data as it passes over a network are considered
passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts
of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place
to try to prevent them rather than to detect and stop them. Altering messages, modifying system files,
and masquerading as another individual are acts that are considered active attacks because the attacker
is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to
gain information prior to carrying out an active attack.

Wiretapping - Wiretapping refers to listening in on electronic communications on telephones,
computers, and other devices. Many governments use it as a law enforcement tool, and it is also used in
fields like corporate espionage to gain access to privileged information. Depending on where in the
world one is, wiretapping may be tightly controlled with laws that are designed to protect privacy rights,
or it may be a widely accepted practice with little or no protections for citizens. Several advocacy
organizations have been established to help civilians understand these laws in their areas, and to fight
illegal wiretapping.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12691

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 6th Edition, Cryptography, Page 865

and

http://en.wikipedia.org/wiki/Attack_%28computing%29

and

http://www.wisegeek.com/what-is-wiretapping.htm

and

https://pangea.stanford.edu/computing/resources/network/security/risks.php

and

http://en.wikipedia.org/wiki/Traffic_analysis

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Neil Schworm for providing a new reference for this question.

Thanks to FATHI for providing feedback to improve this question.

NOTE FROM FATHI:

I think there are two types of scanning which the question assumes.

(1) "Active" scanning: Active scanners send transmissions to the network's nodes, examining the
responses they receive to evaluate whether a specific node represents a weak point within the network.
A network administrator can also use an active scanner to simulate an attack on the network,
uncovering weaknesses a potential hacker would spot, or examine a node following an attack to
determine how a hacker breached security.

(2) "Passive" scanning: Passive scanners identify the active operating systems, applications and
ports throughout a network, monitoring activity to determine the network's vulnerabilities.

However, while passive scanners can provide information about weaknesses, they can't take action to
resolve security problems.

Question 76

A Wide Area Network (WAN) is basically everything outside of:

• a Campus Area Network (CAN).

• a Local Area Network (LAN).

• the Internet.

• a Metropolitan Area Network (MAN).

Correct Answer is: a Local Area Network (LAN).

Details:

The correct answer is: a Local Area Network (LAN).

A WAN is basically everything outside of a LAN.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 31234

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.

Question 77

Like an intranet, an extranet is a private network that uses which of the following?

• Internet packets.

• Internet patents.

• Internet ports.

• Internet protocols.

Correct Answer is: Internet protocols.


Details:

The correct answer is: Internet protocols.

Like an intranet, an extranet is a private network that uses Internet protocols. An extranet normally
connects two companies utilizing the power of the Internet protocols. For example, sister companies,
partner companies, or clients of your organization can gain access to some of your data at your
discretion.

For your exam you should know the information below:

Extranet

An extranet differs from a DMZ (demilitarized network zone) in the following way: An extranet is made
available to authenticated connections that have been granted an access account to the resources in the
extranet. Conversely, a DMZ will host publicly available resources that must support unauthenticated
connections from just about any source, such as DNS servers and email servers.

Due to the need for companies to share large quantities of information, often in an automated fashion,
typically one company will grant the other controlled access to an isolated segment of its network to
exchange information through the use of an extranet.

Granting an external organization access to a network comes with significant risk. Both companies have
to be certain that the controls, both technical and nontechnical (e.g., operational and policy), effectively
minimize the risk of unauthorized access to information. Where access must be granted to external
organizations, additional controls such as deterministic routing can be applied upstream by service
providers. This sort of safeguard is relatively simple to employ and has significant advantages because
the ability for malicious entities to target an extranet for compromise leading to internal network
penetration is abbreviated. Companies that access extranets often treat the information within these
networks and their servers as “trusted:” confidential and possessing integrity (uncorrupted and valid).
However, these companies do not have control of each other’s security profile. Who knows what kind of
trouble a user can get into if he or she accesses supposedly trusted information through an extranet
from an organization whose network has been compromised? To mitigate this potential risk, security
architects and practitioners need to demand that certain security controls are in place before granting
access to an extranet.

Image Source - http://www.slideshare.net/WelingkarDLP/intranet-extranet-8799417

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.

Question 78

Which of the following Common Data Network Services is used to share data files and subdirectories on
file servers?

• File services.

• Print services.

• Mail services.

• Client/Server services.

Correct Answer is: File services.

Details:

The correct answer is: File services.

File services share data files and subdirectories on file servers.

The following reference(s) were used to create this question:
Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.

Question 79

Which of the following Common Data Network Services is used to send and receive email internally or
externally through an email gateway device?

• Client/Server services.

• Mail services.

• Print services.

• File services.

Correct Answer is: Mail services.

Details:

The correct answer is: Mail services.

Mail services send and receive email internally or externally through an email gateway device.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 99.

Question 80

Asynchronous Communication transfers data by sending:

• bits of data sequentially
• bits of data in sync with a heartbeat or clock

• bits of data simultaneously

• bits of data sequentially in irregular patterns

Correct Answer is: bits of data sequentially in irregular patterns

Details:

The correct answer is: bits of data sequentially in irregular patterns

Asynchronous Communication transfers data by sending bits of data in irregular patterns.

Communications are either synchronous or asynchronous:

Synchronous communications rely on a timing or clocking mechanism based on either an independent
clock or a time stamp embedded in the data stream. Synchronous communications are typically able to
support very high rates of data transfer.

Asynchronous communications rely on a stop and start delimiter bit to manage the transmission of data.
Because of the use of delimiter bits and the stop and start nature of its transmission, asynchronous
communication is best suited for smaller amounts of data. Public switched telephone network (PSTN)
modems are good examples of asynchronous communication devices.

In asynchronous transmission each character is transmitted separately, that is, one character at a time.
The character is preceded by a start bit, which tells the receiving end where the character coding begins,
and is followed by a stop bit, which tells the receiver where the character coding ends. There will be
intervals of idle time on the channel, shown as gaps. Thus there can be gaps between two adjacent
characters in the asynchronous communication scheme. In this scheme, the bits within the character
frame (including start, parity and stop bits) are sent at the baud rate.

The START BIT and STOP BIT, including gaps, allow the receiving and sending computers to synchronise
the data transmission. Asynchronous communication is used when slow speed peripherals communicate
with the computer. The main disadvantage of asynchronous communication is slow speed transmission.
Asynchronous communication, however, does not require the complex and costly hardware equipment
that is required for synchronous transmission.

Asynchronous communication is transmission of data without the use of an external clock signal. Any
timing required to recover data from the communication symbols is encoded within the symbols. The
most significant aspect of asynchronous communications is variable bit rate, or that the transmitter and
receiver clock generators do not have to be exactly synchronized.

The asynchronous communication technique is a physical layer transmission technique which is most
widely used for personal computers providing connectivity to printers, modems, fax machines, etc.

An asynchronous link communicates data as a series of characters of fixed size and format. Each
character is preceded by a start bit and followed by 1-2 stop bits.

Parity is often added to provide some limited protection against errors occurring on the link.

Most Wide Area Networks use synchronous links and a more sophisticated link protocol.
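As an added example (written for this page, not from the cited references), the following Python frames characters with a start bit, even parity and one or two stop bits, separates them with irregular idle gaps, and shows what the parity bit can and cannot catch; the bit stream and the "line noise" are constructed.

```python
"""Constructed model of asynchronous (start/stop) character framing.

Each character goes out LSB first, preceded by a start bit (0) and followed
by a parity bit and one or two stop bits (1).  The line idles at 1 (mark)
between characters, so idle gaps of any length may separate characters and a
1 -> 0 transition tells the receiver where a character begins.
"""

MARK = 1   # idle line level; also the level of the stop bits


def parity_bit(data_bits, even=True):
    """Bit that makes the count of ones in data + parity even (or odd)."""
    bit = sum(data_bits) % 2      # 1 when the data holds an odd number of ones
    return bit if even else bit ^ 1


def frame_char(byte, stop_bits=1, even=True):
    """Start bit, 8 data bits LSB first, parity bit, then 1 or 2 stop bits."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("one 8-bit character expected")
    if stop_bits not in (1, 2):
        raise ValueError("asynchronous links use 1 or 2 stop bits")
    data = [(byte >> i) & 1 for i in range(8)]
    return [0] + data + [parity_bit(data, even)] + [MARK] * stop_bits


def send(text, gaps=None, stop_bits=1, even=True):
    """Serialize text into a bit stream.  gaps[i] idle bits follow character
    i; differing gaps are what make the transmission pattern irregular."""
    gaps = gaps or [0] * len(text)
    stream = [MARK] * 3                  # line idle before the first character
    for ch, gap in zip(text, gaps):
        stream += frame_char(ord(ch), stop_bits, even) + [MARK] * gap
    return stream


def receive(stream, stop_bits=1, even=True):
    """Recover characters from a bit stream.

    Returns (text, bad) where bad lists the index of each character whose
    parity or stop bits were wrong (a parity or framing error).
    """
    frame_len = 1 + 8 + 1 + stop_bits
    chars, bad, i = [], [], 0
    while i < len(stream):
        if stream[i] == MARK:            # idle time: keep waiting
            i += 1
            continue
        frame = stream[i:i + frame_len]  # start bit found, read one frame
        if len(frame) < frame_len:       # stream ended mid-character
            bad.append(len(chars))
            break
        data = frame[1:9]
        byte = sum(bit << k for k, bit in enumerate(data))
        parity_ok = frame[9] == parity_bit(data, even)
        stop_ok = all(b == MARK for b in frame[10:])
        if not (parity_ok and stop_ok):
            bad.append(len(chars))
        chars.append(chr(byte))
        i += frame_len
    return "".join(chars), bad


def corrupt(stream, positions):
    """Copy of the stream with the bits at the given positions flipped
    (constructed line noise)."""
    out = list(stream)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    print(receive(send("OK", gaps=[2, 5])))        # irregular gaps decode fine
    print(receive(corrupt(send("A"), [4])))        # one flipped data bit: parity catches it
    print(receive(corrupt(send("A"), [4, 5])))     # two flipped bits: parity is fooled
```

The last call shows why the text calls parity "limited protection": an even number of flipped bits in one character leaves the parity bit correct, so the receiver accepts a wrong character.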

The following reference(s) were used to create this question:

Stewart, James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information
Systems Security Professional Official Study Guide (Kindle Locations 13277-13283). Wiley. Kindle Edition.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

http://en.wikipedia.org/wiki/Asynchronous_communication

http://www.erg.abdn.ac.uk/users/gorry/course/phy-pages/async.html

http://www.ligaturesoft.com/data_communications/async-data-transmission.html

Question 81

Which communication method is characterized by very high speed transmission rates that are governed
by electronic clock timing signals?

• Synchronous Communication.

• Automatic Communication.

• Full duplex Communication.

• Asynchronous Communication.

Correct Answer is: Synchronous Communication.

Details:

The correct answer is: Synchronous Communication.

This question falls under the heading of Carrier networks or WAN connection technologies, of which
there are many protocols, but before you can discuss any specific protocol the concept of synchronous and
asynchronous communication must be understood. Let's start with a medium like a wire, fiber or radio
waves to transport data:

Synchronous communications rely on a timing or clocking mechanism based on either an independent


clock or a time stamp embedded in the data stream. Synchronous communications are typically able to
support very high rates of data transfer.
Incorrect answers and why they are incorrect:

Asynchronous communications rely on a stop and start delimiter bit to manage the transmission of data.
Because of the use of delimiter bits and the stop and start nature of its transmission, asynchronous
communication is best suited for smaller amounts of data. Public switched telephone network (PSTN)
modems are good examples of asynchronous communication devices.

Automatic Communication - spoof answer; not a form of communication with timing signals.

Full duplex Communication - In a full duplex system, both parties can communicate with each other
simultaneously. An example of a full-duplex device is a telephone; the parties at both ends of a call can
speak and be heard by the other party simultaneously. The earphone reproduces the speech of the
remote party as the microphone transmits the speech of the local party, because there is a two-way
communication channel between them, or more strictly speaking, because there are two
communication paths/channels between them. https://en.wikipedia.org/wiki/Duplex_%28telecommunications%29
Full duplex describes a type of communication system that may or may not use timing signals.

The following reference(s) were used to create this question:

The New Official ISC2 Guide to the CISSP CBK Seventh Edition

Synchronous Communication - 7th Edition Study book kindle location 13276 or page 487

Asynchronous Communication - 7th Edition Study book kindle location 13276 or page 487

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

Question contributed by: Sarang Chalikwar

Email or CCCure Nickname of question author: updated by Tom Keck

Question reviewed by: Clement Dupuis


Question comments submitted by:

For further study:

Some connection technologies in the 7th Edition Study Guide are Wan-14408, DTE-14420, DCE-14420,
PPP-14471, SLIP- , X.25-14419, Frame Relay-14442, ATM-14443, SMDS-14443

Question 82

Which of the following Common Data Network Services is used to print documents to a shared printer
or a print queue/spooler?

• Domain Name Service.

• Client/Server services.

• Print services.

• Mail services.

Correct Answer is: Print services.

Details:

The correct answer is: Print services.

Print services are used to print documents to a shared printer or a print queue/spooler.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 100.

Question 83

Communication products and services that ensure network components (devices, protocols, access
methods) work together is referred to as:

• WAN Architecture.

• Multiprotocol Architecture.

• Network Architecture.

• Netware Architecture.

Correct Answer is: Network Architecture.

Details:

The correct answer is: Network Architecture.

A Network Architecture refers to the communications products and services, which ensure that the
various components of a network (such as devices, protocols, and access methods) work together.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15266

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 101.

Question 84

In this type of attack, the intruder re-routes data traffic from a network device to a personal machine.
This diversion allows an attacker to gain access to critical resources and user credentials, such as
passwords, and to gain unauthorized access to critical systems of an organization. Pick the best choice
below.

• Network Address Supernetting

• Network Address Sniffing


• Network Address Hijacking

• Network Address Translation

Correct Answer is: Network Address Hijacking

Details:

The correct answer is: Network Address Hijacking

Network address hijacking allows an attacker to reroute data traffic from a network device to a personal
computer.

Also referred to as session hijacking, network address hijacking enables an attacker to capture and
analyze the data addressed to a target system. This allows an attacker to gain access to critical resources
and user credentials, such as passwords, and to gain unauthorized access to critical systems of an
organization.

Session hijacking involves assuming control of an existing connection after the user has successfully
created an authenticated session. Session hijacking is the act of unauthorized insertion of packets into a
data stream. It is normally based on sequence number attacks, where sequence numbers are either
guessed or intercepted.

The following are incorrect answers:

Network address translation (NAT) is a methodology of modifying network address information in
Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device
for the purpose of remapping one IP address space into another. See RFC 1918 for more details.

Network Address Supernetting - There is no such thing as Network Address Supernetting. However, a
supernetwork, or supernet, is an Internet Protocol (IP) network that is formed from the combination of
two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix. The
new routing prefix for the combined network aggregates the prefixes of the constituent networks.

Network Address Sniffing - This is another bogus choice that sounds good but does not even exist.
However, sniffing is a common attack used to capture cleartext passwords and other information sent
unencrypted over the network. Sniffing is accomplished using a sniffer, also called a protocol analyzer. A
network sniffer monitors data flowing over computer network links. It can be a self-contained software
program or a hardware device with the appropriate software or firmware programming. Also sometimes
called "network probes" or "snoops," sniffers examine network traffic, making a copy of the data but
without redirecting or altering it.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16314

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press )
(Kindle Locations 8641-8642). Auerbach Publications. Kindle Edition.

http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm

http://wiki.answers.com/Q/What_is_network_address_hijacking

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 239.

Question 85

What protocol in the list below is used as an email message transfer agent (MTA)?

• S/MIME

• S-RPC

• SMTP

• SNMP

Correct Answer is: SMTP

Details:

The correct answer is: SMTP

SMTP (Simple Mail Transfer Protocol) works as a message transfer agent.

A mail server (also known as a mail transfer agent or MTA, a mail transport agent, a mail router or an
Internet mailer) is an application that receives incoming e-mail from local users (people within the same
domain) and remote senders and forwards outgoing e-mail for delivery.

A computer dedicated to running such applications is also called a mail server. Microsoft Exchange,
qmail, Exim and sendmail are among the more common mail server programs.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795

HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 821.

http://searchsoa.techtarget.com/definition/mail-server

Question 86

What is the main characteristic of a bastion host?

• It is a hardened computer implementation

• It is a firewall.

• It does packet filtering.

• It is located on the internal network.

Correct Answer is: It is a hardened computer implementation

Details:

The correct answer is: It is a hardened computer implementation

A bastion host is a special purpose computer on a network specifically designed and configured to
withstand attack. The computer hosts a single application, for example a proxy server, and all other
services are removed or limited to reduce the threat to the computer. It is hardened in this manner
primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and
usually involves access from untrusted networks or computers.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339

http://en.wikipedia.org/wiki/Bastion_host

Question 87

Which of the following protocols' primary function is to send messages between network devices
regarding the health of the network?

• Internet Protocol (IP).

• Reverse Address Resolution Protocol (RARP).

• Internet Control Message protocol (ICMP).

• Address Resolution Protocol (ARP).

Correct Answer is: Internet Control Message protocol (ICMP).

Details:

The correct answer is: Internet Control Message protocol (ICMP).

Its primary function is to send messages between network devices regarding the health of the network.
ARP matches an IP address to an Ethernet address. RARP matches an Ethernet address to an IP
address. ICMP runs on top of IP.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 87.

Question 88

Which of the following is the protocol that provides for the collection of network information by polling
the devices on the network from a management station?

• File Transfer Protocol (FTP).

• Simple Network Management Protocol (SNMP).

• Simple Mail Transfer Protocol (SMTP).

• Trivial File Transfer Protocol (TFTP).

Correct Answer is: Simple Network Management Protocol (SNMP).

Details:

The correct answer is: Simple Network Management Protocol (SNMP).

Simple Network Management Protocol (SNMP) is the protocol that provides for the collection of
network information by polling the devices on the network from a management station. FTP is the
protocol that is used to facilitate file transfer between two machines. SMTP is a protocol for sending e-
mail messages between servers. TFTP is a UDP-based file transfer program.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14973

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 88.

Question 89

Which of the following best describes the Secure Electronic Transaction (SET) protocol?

• Originated by VISA and MasterCard as an Internet credit card protocol using Message
Authentication Code.

• Originated by VISA and American Express as an Internet credit card protocol using SSL.

• Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures.

• Originated by VISA and MasterCard as an Internet credit card protocol using the transport
layer.

Correct Answer is: Originated by VISA and MasterCard as an Internet credit card protocol using digital
signatures.

Details:

The correct answer is: Originated by VISA and MasterCard as an Internet credit card protocol using
digital signatures

Secure Electronic Transaction (SET). Originated by VISA and MasterCard as an Internet credit card
protocol using digital signatures. SET operates at the application layer which distinguishes it from SSL.
SSL operates at the Transport layer.

Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the
Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a
user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a
combination of digital certificates and digital signatures among the purchaser, a merchant, and the
purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure
Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa System's Secure
Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure
(PKI).

Here's how SET works:

Assume that a customer has a SET-enabled browser such as Mozilla or Microsoft's Internet Explorer and
that the transaction provider (bank, store, etc.) has a SET-enabled server.

1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind
of bank.

2. The customer receives a digital certificate. This electronic file functions as a credit card for
online purchases or other transactions. It includes a public key with an expiration date. It has been
through a digital switch to the bank to ensure its validity.

3. Third-party merchants also receive certificates from the bank. These certificates include the
merchant's public key and the bank's public key.

4. The customer places an order over a Web page, by phone, or some other means.

5. The customer's browser receives and confirms from the merchant's certificate that the
merchant is valid.

6. The browser sends the order information, encrypted with the merchant's public key; the payment
information, encrypted with the bank's public key (so it can't be read by the merchant); and
information that ensures the payment can only be used with this particular order.

7. The merchant verifies the customer by checking the digital signature on the customer's
certificate. This may be done by referring the certificate to the bank or to a third-party verifier.

8. The merchant sends the order message along to the bank. This includes the bank's public key,
the customer's payment information (which the merchant can't decode), and the merchant's certificate.

9. The bank verifies the merchant and the message. The bank uses the digital signature on the
certificate with the message and verifies the payment part of the message.

10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 31008

Mc Graw Hill, Shon Harris, CISSP All In One (AIO) Book, Sixth Edition, Pages 856-858

and

What is Secure Electronic Transactions (SET) by SearchFinancialSecurity

and

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Pages 89, 170.

Question 90

Which of the following protocols is designed to send individual messages securely?

• Secure Electronic Transaction (SET).

• Secure HTTP (S-HTTP).

• Kerberos

• Secure Sockets Layer (SSL).

Correct Answer is: Secure HTTP (S-HTTP).

Details:

The correct answer is: Secure HTTP (S-HTTP).

An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual
messages securely. SSL is designed to establish a secure connection between two computers. SET was
originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. Kerberos
is an authentication system.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 30666

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, 2001, John Wiley & Sons, Page 89.

Question 91

Buffer overflow and boundary condition errors are subsets of which of the following?

• Input validation errors.

• Exceptional condition handling errors.

• Race condition errors.

• Access validation errors.

Correct Answer is: Input validation errors.

Details:

The correct answer is: Input validation errors.

In an input validation error, the input received by a system is not properly checked, resulting in a
vulnerability that can be exploited by sending a certain input sequence. There are two important types
of input validation errors: buffer overflows (input received is longer than expected input length) and
boundary condition error (where an input received causes the system to exceed an assumed boundary).
A race condition occurs when there is a delay between the time when a system checks to see if an
operation is allowed by the security model and the time when the system actually performs the
operation. In an access validation error, the system is vulnerable because the access control mechanism
is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an
exceptional condition that has arisen.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 25712

DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March
2002 (page 105). Available at http://www.cccure.org.

Question 92

Which SSL version offers client-side authentication?

• SSL v2

• SSL v4

• SSL v3

• SSL v1

Correct Answer is: SSL v3

Details:

The correct answer is: SSL v3

Secure Sockets Layer (SSL) is the technology used in most Web-based applications.

SSL version 2.0 supports strong authentication of the web server, but the authentication of the client
side only comes with version 3.0. SSL v4 is not a defined standard.

SSL 2.0 was the first publicly released version of SSL, in 1995. This version of SSL contained a number of
security issues which led to the introduction of SSL 3.0. Because of the issues present in SSL 2.0, the
protocol is unsafe to use and should be completely disabled.

SSL 3.0 was released in 1996 with a complete redesign of the protocol but was never approved by the
IETF due to security issues.

Due to the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSL 3.0 is also
unsafe to use and should be disabled, so that a network attacker cannot recover the plaintext of secure
connections. Furthermore, Elliptic Curve Cryptography cannot be used with SSL 3.0.

While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS
implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the
interest of a smooth user experience. Even if a client and server both support a version of TLS the
SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the downgrade
dance in other reporting). The POODLE attack leverages the fact that when a secure connection attempt
fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection
failure can then force the use of SSL 3.0 and attempt the new attack.

SSL 3.0 should be disabled as explained later on. If, on the other hand, support for legacy browsers is
required, it is highly recommended to support TLS_FALLBACK_SCSV. This mechanism prevents protocol
downgrade attacks on the TLS protocol and thus prevents attackers from inducing browsers to use SSL
3.0.

THE ONE THING YOU SHOULD TAKE AWAY FROM THIS: SSL 3.0 is a historical protocol; attacks forcing
web servers to fall back to older, insecure protocols have taken place over the past few years. In
short: do not use it!

IMPORTANT NOTE ABOUT SSL V3 FROM RFC 6101:

Although the SSL 3.0 protocol is a widely implemented protocol, a pioneer in secure communications
protocols, and the basis for Transport Layer Security (TLS), it was never formally published or approved
by the IETF, except in several expired Internet Drafts.

This allowed no easy referencing to the protocol. We believe a stable reference to the original document
should exist and for that reason, this document describes what is known as the last published version of
the SSL 3.0 protocol, that is, the November 18, 1996, version of the protocol.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14004

http://tools.ietf.org/html/rfc6101

http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

Question 93

In order to ensure the privacy and integrity of the data, connections between firewalls over public
networks should use:

• Encryption

• Digital certificates

• An encrypted Virtual Private Network

• Screened subnets

Correct Answer is: An encrypted Virtual Private Network

Details:

The correct answer is: An encrypted Virtual Private network (VPN)

Virtual Private Networks allow a trusted network to communicate with another trusted network over
untrusted networks such as the Internet.

Screened Subnet: A screened subnet is essentially the same as the screened host architecture, but adds
an extra stratum of security by creating a network in which the bastion host resides (often called a
perimeter network) which is separated from the internal network. A screened subnet is deployed by
adding a perimeter network in order to separate the internal network from the external one. This assures
that if there is a successful attack on the bastion host, the attacker is restricted to the perimeter network
by the screening router that is connected between the internal and perimeter networks.

Digital Certificates: Digital certificates will be used in the initial steps of establishing a VPN, but they
would not provide the encryption and integrity by themselves.

Encryption: Even though this seems like a choice that would include the other choices, encryption by
itself does not provide integrity mechanisms. So encryption would satisfy only half of the requirements
of the question.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14864

TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume
1), 2000, CRC Press, Chapter 3, Secured Connections to External Networks (page 65).

Question contributed by:

Email or CCCure Nickname of question author:

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Patrick C. Whitehorn for providing feedback to improve this question.

Thanks to Richard Sieber for sending the note about the fact that VPN does not always imply
Confidentiality

Thanks to Daniel Schatz for providing input to further improve this question

For more info on Firewall Architecture see: http://www.rxn.com/services/faq/internet/ISPTG-6.html

NOTE:

It is very important to realize that a VPN was the best choice in this case only because both Encryption
and Integrity had to be in place. Encryption by itself does not provide Integrity. However, that being
said, you could have a VPN link such as IPSEC that will only provide for Integrity using AH. So the word
VPN DOES NOT always imply confidentiality. Little nuances like this must be understood for the purpose
of the exam.

Question 94

Which layer of the TCP/IP protocol stack corresponds to the ISO/OSI Network layer (layer 3)?

• Session layer

• Network access layer


• Host-to-host layer

• Internet layer

Correct Answer is: Internet layer

Details:

The correct answer is: Internet layer

The Internet layer in the TCP/IP protocol stack corresponds to the network layer (layer 3) in the OSI/ISO
model. The host-to-host layer corresponds to the transport layer (layer 4) in the OSI/ISO model. The
Network access layer corresponds to the data link and physical layers (layers 2 and 1) in the OSI/ISO
model. The session layer is not defined in the TCP/IP protocol stack.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12285

WALLHOFF, John, CBK#2 Telecommunications and Network Security (CISSP Study Guide), April 2002
(page 1). Available at http://www.cccure.org.

Question 95

Of the given protocols which one is most closely associated with Best Effort packet delivery?

• IP

• TCP

• HTTP

• RSVP

Correct Answer is: IP

Details:

The correct answer is: IP

This question is asking if you can choose from the given answers the one that has been labeled Best
Effort. So what does Best Effort mean?

The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-
switched internetwork. IP provides an unreliable service (i.e., best effort delivery). This means that the
network makes no guarantees about the packet. When datagrams are sent from device A to device B,
device A just sends each one and then moves on to the next. IP doesn't keep track of the ones it sent. It
does not provide reliability or service quality capabilities such as error protection for the data it sends
(though it does on the IP header), flow control or retransmission of lost datagrams.

Since the TCP/IP & OSI models are suites of protocols the term Best Effort may be assumed to be the
default for packet routing.

Incorrect answers and why they are incorrect:

TCP - can provide reliable delivery of data. Reliable delivery includes error checking and recovery from
error or loss of data and so is not considered Best Effort.

HTTP - HyperText Transport Protocol, used to establish connections to a web server, and thus one of the
higher-level protocols that use TCP to ensure delivery of all bytes between the client and the server. It
was not a good choice according to the question presented and so is not considered Best Effort.

RSVP - a request for a response from the invited person or people. It is an initialism derived from the
French phrase Répondez s'il vous plaît, meaning "Please respond". Maybe this is really Best Effort, but it
is not the intended answer as it does not have anything to do with packet delivery.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 438 or Kindle Location 11980 Section titled: TCP/IP Protocol Suite Overview

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534

CISA review manual 2014 Page number 258

CISM Review Manual 2014

http://en.wikipedia.org/wiki/Best_effort_delivery

http://en.wikipedia.org/wiki/Internet_Protocol

Question contributed by:

Email or CCCure Nickname of question author: updated by Tom Keck

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Zaw Oo for pointing out an error with this question.

Thanks to Doug Rike and Arthor Press for providing feedback to improve this question.

Special thanks to Rafis Garipov for sending feedback indicating that Best Effort was not properly
described within the explanations. Here is the description provided by Rafis:

Best effort is class of service and this is not dependent on the transport layer UDP or TCP. Transport for
voice is UDP protocol which uses TCP and we can change IP Precedence of IP datagram independent of
transport layer protocol.

For further study:

Here is another definition from the TCP/IP guide at:

http://www.tcpipguide.com/free/t_IPOverviewandKeyOperationalCharacteristics.htm

http://www.techexams.net/forums/network/9131-tcp-vs-ip-question.html

IP carries TCP. I know the term TCP/IP is confusing. Try not to compare them that way. They are on
two different levels of the networking model. TCP/IP does not refer to two protocols (tcp and ip). TCP/IP
represents a "suite" of protocols (arp, ip, tcp, udp, icmp etc.)

Here's an example of how tcp and ip work together: Say I am in the middle of a telnet session, and I type
"a." Say "a" is one byte. "a" gets encapsulated by the transport layer. In this case, it's TCP since telnet
is designed to use this protocol (tcp) to communicate. Once the transport layer encapsulates it, it
becomes a segment. Just to re-state, it is so far at 21 bytes (20 byte tcp header plus 1 byte data).

The tcp header includes source and destination port number, options etc. The transport layer passes
down the "segment" to the network layer. The network layer receives the segment. It knows it has to
use IP to reach the other computer. How? It checks its local routing table and does not see an entry for
the dest IP. It encapsulates it with its own header. The header includes the source and dest IP address
etc. and any options. Once the network layer adds its own header, it becomes a datagram. The network
layer passes the ip datagram off to the physical layer, which "frames" the packet. This basically makes
it a complete "packet" at this point. It gets sent as electrical signals across the media (cat5 etc.). Note: If
your computer realizes that the computer is not on your network, it will send it to the gateway. The
gateway will re-frame the packet and send it to the next hop. So TCP is sometimes used (depending
upon the application you're using). And IP is pretty much always used nowadays. TCP basically is used
when you need to guarantee delivery. It tracks each byte of data. If each byte isn't received within a
certain period of time, TCP will re-send it. Your best bet is to run a sniffer while you watch traffic cross
the wire.
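Added example (not from the study guide or the quoted forum post): the encapsulation walkthrough above carried out in code for a one-byte telnet payload, giving the 21-byte TCP segment and 41-byte IP datagram, and a check of the Question 95 point that IP's checksum covers only its header while TCP's covers the data too. Addresses and ports are constructed test values, and Ethernet framing is left out.

```python
"""Build a TCP segment and IPv4 datagram by hand and test what each checksum protects."""
import struct

PROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit ones'-complement sum, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, flags=0x18):
    """20-byte TCP header (no options) + payload; flags default to PSH|ACK."""
    offset_flags = (5 << 12) | flags        # data offset = 5 32-bit words
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, 65535, 0, 0)
    # TCP's checksum covers a pseudo-header, its own header AND the data.
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, PROTO_TCP,
                         len(header) + len(payload))
    csum = ones_complement_sum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def ip_datagram(src_ip, dst_ip, payload, ttl=64, ident=0x1234):
    """IPv4 header (no options) in front of the segment. The checksum covers the
    20 header bytes only: IP is best effort and does not protect the data."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, PROTO_TCP, 0, src_ip, dst_ip)
    csum = ones_complement_sum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def ip_header_ok(datagram: bytes) -> bool:
    """A header whose checksum is intact sums to zero."""
    ihl = (datagram[0] & 0x0F) * 4
    return ones_complement_sum(datagram[:ihl]) == 0


def tcp_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Recompute the TCP checksum over pseudo-header + segment."""
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, PROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment) == 0


def flip_bit(buf: bytes, offset: int) -> bytes:
    """Simulate a one-bit transmission error at the given byte offset."""
    out = bytearray(buf)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    a, b = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])   # constructed hosts
    seg = tcp_segment(a, b, 40000, 23, seq=1, ack=1, payload=b"a")
    dgram = ip_datagram(a, b, seg)
    print(len(seg), "byte segment,", len(dgram), "byte datagram")
    damaged = flip_bit(dgram, 40)                           # the 'a' itself
    print("payload corrupted -> IP header still valid:", ip_header_ok(damaged),
          "| TCP detects it:", not tcp_ok(a, b, damaged[20:]))
    print("TTL corrupted -> IP header valid:", ip_header_ok(flip_bit(dgram, 8)))
```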

Question 96

Which layer of the OSI/ISO model handles physical addressing, network topology, line discipline, error
notification, orderly delivery of frames, and optional flow control?

• Session

• Physical

• Network

• Data link

Correct Answer is: Data link

Details:

The correct answer is: Data link


The Data Link layer provides data transport across a physical link. It handles physical addressing,
network topology, line discipline, error notification, orderly delivery of frames, and optional flow
control.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.

Question 97

Which of the following services relies on UDP?

• FTP

• DNS

• SMTP

• Telnet

Correct Answer is: DNS

Details:

The correct answer is: DNS

DNS relies on connectionless UDP whereas services like FTP, Telnet and SMTP rely on TCP.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12714

ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.

Question 98

How many bits of a MAC address uniquely identify a vendor, as provided by the IEEE?

• 16 bits

• 24 bits

• 6 bits

• 12 bits

Correct Answer is: 24 bits

Details:

The correct answer is: 24 bits

The MAC address is 48 bits long, 24 of which identify the vendor, as provided by the IEEE. The other 24
bits are provided by the vendor.

A media access control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are used for numerous network
technologies and most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are
used in the media access control protocol sublayer of the OSI reference model.

MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are
stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If
assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered
identification number and may be referred to as the burned-in address. It may also be known as an
Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a
programmed address, where the host device issues commands to the NIC to use an arbitrary address.
An example is many SOHO routers, where the ISP grants access to only one MAC address (the address of the
device that was connected before the router was inserted), so the router must use that MAC address on
its Internet-facing NIC. Therefore the router administrator configures a MAC address to override the
burned-in one.

A network node may have multiple NICs and each must have one unique MAC address per NIC.

[Diagram from Wikipedia showing the MAC address format, a 3-octet OUI assigned by the IEEE followed by 3
octets assigned by the vendor, not reproduced here.]

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12283

http://en.wikipedia.org/wiki/MAC_address

Question 99

Which of the following characteristics does not apply to RIP?

• Exterior Gateway Protocol

• Maximum of 15 hops

• Not the most efficient routing protocol

• Distance vector routing

Correct Answer is: Exterior Gateway Protocol

Details:

The correct answer is: Exterior Gateway Protocol

RIP is a distance vector routing protocol and an Interior (not Exterior) Gateway Protocol: it exchanges
routes within one autonomous system, whereas BGP is the exterior gateway protocol used between them.
RIPv1 offers no authentication (RIPv2 adds a plaintext or MD5 password on updates). It is not the most
efficient protocol, since every router sends its full routing table to its neighbours every 30 seconds
whether or not anything changed. The metric is hop count: the lowest hop count route is always best, a
usable path can be at most 15 hops long, and a metric of 16 means unreachable.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12302
ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.

Question 100

Which of the following is not a common weakness of packet filtering firewalls?

• No support for advanced user authentication schemes.

• Limited logging functionality.

• Vulnerability to IP spoofing.

• Vulnerability to denial-of-service and related attacks.

Correct Answer is: Vulnerability to denial-of-service and related attacks.

Details:

The correct answer is: Vulnerability to denial-of-service and related attacks.

An important point about packet filtering firewalls is that their speed and flexibility, as well as their
capacity to block some denial-of-service and related attacks (for example by dropping traffic from known
bad sources or obviously malformed packets at line rate), make them ideal for placement at the outermost
boundary with an untrusted network.

The other choices represent weaknesses of packet filtering firewalls. A stateless filter decides on
header fields only, so it cannot detect a forged source address (IP spoofing) unless an explicit
anti-spoofing rule ties address ranges to the interface they may arrive on; it can log only those same
header fields; and it has no notion of a user, so it cannot enforce user-level authentication.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14564

WACK, John et al., NIST Special publication 800-41, Guidelines on Firewalls and Firewall Policy, January
2002 (page 7).

and

Shon Harris All In One Book Version 6 Page 630-632 "Packet Filtering Firewalls"
Question 101

What is the primary difference between FTP and TFTP?

• Authentication

• Ability to automate

• TFTP is used to transfer configuration files to and from network equipment.

• Speed of negotiation

Correct Answer is: Authentication

Details:

The correct answer is: Authentication

TFTP (Trivial File Transfer Protocol) is sometimes used to transfer configuration files to and from
equipment such as routers and switches, but the primary difference between FTP and TFTP is that TFTP has
no authentication at all: a read or write request carries only a filename and a transfer mode. Speed and
the ability to automate are not the distinguishing factors.

Both of these protocols (FTP and TFTP) can be used for transferring files across the Internet. The
differences between the two protocols are explained below:

• FTP is a complete, session-oriented, general purpose file transfer protocol. TFTP is used as a
bare-bones special purpose file transfer protocol.

• FTP can be used interactively over a persistent control session. TFTP has no session concept:
each exchange transfers a single file in one direction.

• FTP depends on TCP, is connection oriented, and provides reliable control. TFTP depends on
UDP, requires less overhead, and provides virtually no control.

• FTP provides user authentication. TFTP does not.

• FTP uses well-known TCP port numbers: 20 for data and 21 for connection dialog. TFTP uses
UDP port number 69 for its file transfer activity.

• The Windows NT FTP server service does not support TFTP because TFTP does not support
authentication.

• Windows 95 and TCP/IP-32 for Windows for Workgroups do not include a TFTP client program.
The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12852

http://support.microsoft.com/kb/102737

Question 102

In a SSL session between a client and a server, who is responsible for generating the master secret that
will be used as a seed to generate the symmetric keys that will be used during the session?

• Both client and server

• The merchant's Certificate Server

• The web server

• The client's browser

Correct Answer is: The client's browser

Details:

The correct answer is: The client's browser

Once the merchant server has been authenticated by the browser client, the browser generates the
pre-master secret (in the RSA key exchange, 48 random bytes that only the client and the server will
know), encrypts it with the merchant's public key and sends it to the server. Both sides then derive the
master secret from the pre-master secret and the random values exchanged in the Hello messages, and the
master secret in turn seeds the symmetric session keys. Because the secret originates at the client and
is mixed with fresh random values from both parties, every session gets its own keys; the server cannot
reuse keys from a previous session with another client. For the purpose of the exam, the client's browser
is the party credited with generating the secret.

See below the SSL session step by step from the Microsoft website at:
https://support.microsoft.com/en-us/kb/257591

The steps involved in the SSL handshake are as follows (note that the following steps assume the use of
the cipher suites listed in Cipher Suites with RSA Key Exchange: Triple DES, RC4, RC2, DES):

1. The client sends the server the client's SSL version number, cipher settings, session-specific data,
and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific
data, and other information that the client needs to communicate with the server over SSL. The server
also sends its own certificate, and if the client is requesting a server resource that requires client
authentication, the server requests the client's certificate.

3. The client uses the information sent by the server to authenticate the server (see Server
Authentication for details). If the server cannot be authenticated, the user is warned of the problem and
informed that an encrypted and authenticated connection cannot be established. If the server can be
successfully authenticated, the client proceeds to step 4.

4. Using all data generated in the handshake thus far, the client (with the cooperation of the
server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it
with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the
encrypted pre-master secret to the server.

5. If the server has requested client authentication (an optional step in the handshake), the client
also signs another piece of data that is unique to this handshake and known by both the client and
server. In this case, the client sends both the signed data and the client's own certificate to the server
along with the encrypted pre-master secret.

6. If the server has requested client authentication, the server attempts to authenticate the client
(see Client Authentication for details). If the client cannot be authenticated, the session ends. If the
client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret,
and then performs a series of steps (which the client also performs, starting from the same pre-master
secret) to generate the master secret.

7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify
its integrity (that is, to detect any changes in the data between the time it was sent and the time it is
received over the SSL connection).

8. The client sends a message to the server informing it that future messages from the client will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
client portion of the handshake is finished.

9. The server sends a message to the client informing it that future messages from the server will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
server portion of the handshake is finished.

10. The SSL handshake is now complete and the session begins. The client and the server use the
session keys to encrypt and decrypt the data they send to each other and to validate its integrity.

11. This is the normal operation condition of the secure channel. At any time, due to internal or
external stimulus (either automation or user intervention), either side may renegotiate the connection,
in which case, the process repeats itself.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286

ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 112).

Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, page 569.
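The derivation described in steps 4 to 7 above (and again in Question 113, which repeats this question), as an added example that is not part of the page or of the Microsoft article it quotes. It assumes TLS 1.0 (RFC 2246) with RSA key exchange; SSL 3.0 used a different MD5/SHA-1 construction, but the mechanics are identical: the client creates the pre-master secret, both peers derive the same master secret from it plus the two Hello randoms, and the session keys are expanded from that master secret. The RSA encryption of the pre-master secret is left out; the server simply receives the same bytes.

```python
import hmac
import os

# Added example, not from the page. TLS 1.0 key derivation (RFC 2246 sections
# 5 and 6.3) for the RSA key-exchange handshake; SSL 3.0 differs in the PRF only.


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: HMAC(secret, A(i) + seed) chained until `length` bytes exist."""
    out = b""
    a = seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def client_pre_master_secret(client_version=b"\x03\x01"):
    """Step 4: the client creates the 48-byte pre-master secret (2 version bytes + 46 random)."""
    return client_version + os.urandom(46)


def master_secret(pre_master, client_random, server_random):
    """Step 6: both sides derive the 48-byte master secret from the same three inputs."""
    return prf_tls10(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    """Step 7: MAC keys, encryption keys and IVs are sliced from this block.
    Note the randoms are concatenated in the opposite order to master_secret()."""
    return prf_tls10(master, b"key expansion", server_random + client_random, length)


def simulate_handshake(client_random, server_random, pre_master=None):
    """Run the derivation as both peers would; returns (client_master, server_master)."""
    if pre_master is None:
        pre_master = client_pre_master_secret()        # only the client ever invents this value
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)
    return client_master, server_master


if __name__ == "__main__":
    cr, sr = os.urandom(32), os.urandom(32)            # ClientHello.random, ServerHello.random
    c, s = simulate_handshake(cr, sr)
    print("master secrets match:", c == s, "length:", len(c))
    # Same pre-master, fresh server random: a different master secret, so keys
    # from one session can never be reused in another.
    c2, _ = simulate_handshake(cr, os.urandom(32), pre_master=None)
    print("differs with a new server random:", c != c2)
    print("first 16 bytes of key block:", key_block(c, cr, sr, 104)[:16].hex())
```

The client_version bytes inside the pre-master secret are what lets an RSA server detect a version rollback: if they do not match the version the client offered in its ClientHello, the handshake must be aborted.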

Question 103

During the initial stage of configuration of your firewall, which of the following rules appearing in an
Internet firewall policy is inappropriate?

• The firewall shall be configured to deny all services not expressly permitted.

• Appropriate firewall documentation and a copy of the rulebase shall be maintained on offline
storage at all times.

• The firewall should be tested online first to validate proper configuration.

• The firewall software shall run on a dedicated computer.

Correct Answer is: The firewall should be tested online first to validate proper configuration.

Details:

The correct answer is: The firewall should be tested online first to validate proper configuration.

As it is very clearly stated in NIST SP 800-41 Rev. 1:

New firewalls should be tested and evaluated before deployment to ensure that they are working
properly. Testing should be completed on a test network without connectivity to the production
network. This test network should attempt to replicate the production network as faithfully as possible,
including the network topology and network traffic that would travel through the firewall. Aspects of the
solution to evaluate include the following:

Connectivity

Users can establish and maintain connections through the firewall.

Ruleset

Traffic that is specifically allowed by the security policy is permitted. All traffic that is not allowed by the
security policy is blocked. Verification of the ruleset should include both reviewing it manually and
testing whether the rules work as expected.

Application Compatibility

Host-based or personal firewall solutions do not break or interfere with the use of existing software
applications. This includes network communications between application components. Network firewall
solutions do not interfere with applications that have components that interact through the firewall
(e.g., client and server software).

Management

Administrators can configure and manage the solution effectively and securely.

Logging

Logging and data management function in accordance with the organization’s policies and strategies.

Performance

Solutions provide adequate performance during normal and peak usage. In many cases, the best way to
test performance under the load of a prototype implementation is to use simulated traffic generators on
a live test network to mimic the actual characteristics of expected traffic as closely as possible.
Simulating the loads caused by DoS attacks can also be helpful in assessing firewall performance. Testing
should incorporate a variety of applications that will traverse the firewall, especially those that are most
likely to be affected by network throughput or latency issues.

Security of the Implementation

The firewall implementation itself may contain vulnerabilities and weaknesses that attackers could
exploit. Organizations with high security needs may want to perform vulnerability assessments against
firewall components.

Component Interoperability

Components of the firewall solution must function together properly. This is of greatest concern when a
variety of components from different vendors are used.

Policy Synchronization

If there are multiple firewalls running synchronized policies or groups of rules, test that the
synchronization works in various scenarios (such as if one or more nodes are offline).

Additional Features

Additional features that will be used by the firewall—such as VPN and antimalware capabilities—should
be tested to ensure they are working properly.

If a firewall needs to be brought down for reconfiguration, Internet services should be disabled or a
secondary firewall should be made operational; internal systems should not be connected to the
Internet without a firewall.

After being reconfigured and tested, the firewall must be brought back into an operational and reliable
state.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539

GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A
Technical Guide, Draft Version, May 25, 2000 (pages 76-78).

and

NIST SP 800-41-Rev1, Guidelines on Firewalls and Firewall Policy

Exam Tip:

This is another negative question. So far I have received about half a dozen messages telling me this
question is wrong. It is fine; just ensure that you understand what they are looking for. In this case
they are looking for the one choice that would be wrong. You never test a firewall online; you always do
your testing offline.

Question 104

Fiber optic cable cores consist of:

• PVC

• Teflon

• Kevlar

• Glass fibers

Correct Answer is: Glass fibers

Details:

The correct answer is: Glass fibers

Fiber optic cables are built from an outer insulating jacket made of Teflon or PVC, Kevlar fibers that
strengthen the cable and prevent breakage, plastic coatings that cushion the fiber center, and the
center (core) itself, which is made of glass or plastic fibers.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11747

ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 3: Telecommunications and Network
Security (page 31).

Question 105

Which SSL version offers client-side authentication?

• SSL v2

• SSL v3

• SSL v4

• SSL v1

Correct Answer is: SSL v3

Details:

The correct answer is: SSL v3

Secure Sockets Layer (SSL), today superseded by Transport Layer Security (TLS), is the technology used to
protect most Web-based applications.

SSL version 2.0 supports strong authentication of the web server, but authentication of the client side
only comes with version 3.0. SSL v4 was never defined; the protocol continued as TLS 1.0 (RFC 2246).

SSL 2.0, released in 1995, was the first publicly released version of SSL. It contained a number of
security issues which led to the introduction of SSL 3.0. Because of those issues, SSL 2.0 is unsafe to
use and should be completely disabled.

SSL 3.0 was released in 1996 as a complete redesign of the protocol, but it was never approved by the
IETF as a standard (see the note from RFC 6101 below).

Due to the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, SSL 3.0 is also
unsafe to use and should be disabled; otherwise a network attacker can recover the plaintext of secure
connections. Furthermore, Elliptic Curve Cryptography cannot be used with SSL 3.0.

While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, many SSL/TLS
implementations remained backwards compatible with SSL 3.0 to interoperate with legacy systems in the
interest of a smooth user experience. Even if a client and server both support a version of TLS, the
SSL/TLS protocol suite allows for protocol version negotiation (referred to as the downgrade dance in
other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails,
many browsers retry with older protocols such as SSL 3.0. An attacker who can trigger a connection
failure can then force the use of SSL 3.0 and mount the attack.

SSL 3.0 should be disabled. If support for legacy browsers is required, it is highly recommended to
support TLS_FALLBACK_SCSV (RFC 7507). This mechanism prevents protocol downgrade attacks on the TLS
protocol and thus prevents attackers from inducing browsers to use SSL 3.0. Note that it only protects
clients that implement it; a client that genuinely speaks nothing newer than SSL 3.0 is not helped, which
is why disabling SSL 3.0 on the server remains the real fix.

THE ONE THING YOU SHOULD TAKE AWAY FROM THIS: this is a historical concept. Attacks forcing web
clients and servers to fall back to older, insecure protocol versions have taken place over the past few
years. In short: do not use it!

IMPORTANT NOTE ABOUT SSL V3 FROM RFC 6101:

Although the SSL 3.0 protocol is a widely implemented protocol, a pioneer in secure communications
protocols, and the basis for Transport Layer Security (TLS), it was never formally published or approved
by the IETF, except in several expired Internet Drafts.

This allowed no easy referencing to the protocol. We believe a stable reference to the original document
should exist and for that reason, this document describes what is known as the last published version of
the SSL 3.0 protocol, that is, the November 18, 1996, version of the protocol.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14004

http://tools.ietf.org/html/rfc6101

http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
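The TLS_FALLBACK_SCSV rule described above, as an added example that is not part of the page or of the articles it cites. It models the server side of RFC 7507 against constructed ClientHello records: a client that is retrying at a lower version than it supports appends the signalling cipher suite 0x5600, and a server that supports something newer than the offered version answers with the inappropriate_fallback alert. The ClientHello builder is minimal (no extensions) and the cipher suite 0x002F is only a sample.

```python
import os
import struct

# Added example, not from the page. Server-side TLS_FALLBACK_SCSV check (RFC 7507)
# over constructed ClientHello messages; the builder emits no extensions.

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value, RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86     # fatal alert the server must send
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
AES128_SHA = 0x002F                   # TLS_RSA_WITH_AES_128_CBC_SHA, used here as a sample suite


def build_client_hello(client_version, cipher_suites, fallback=False):
    """Build a TLS record carrying a ClientHello. A client retrying at a lower
    version than it supports appends TLS_FALLBACK_SCSV to its suite list."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!H", client_version)          # highest version the client offers
    body += os.urandom(32)                            # ClientHello.random
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake  # record type handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a handshake record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                      # skip random
    pos += 1 + body[pos]                              # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return client_version, suites


def server_decision(record, server_max_version):
    """RFC 7507 section 3: if the SCSV is present and the client offers a lower
    version than the server's highest, refuse with inappropriate_fallback."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(client_version, server_max_version))


if __name__ == "__main__":
    server_max = TLS12
    # 1. normal first attempt: TLS 1.2 offered, no SCSV -> negotiate TLS 1.2
    print(server_decision(build_client_hello(TLS12, [AES128_SHA]), server_max))
    # 2. the "downgrade dance": after an attacker-induced failure the browser
    #    retries at SSL 3.0 and marks the retry with the SCSV -> refused
    print(server_decision(build_client_hello(SSL3, [AES128_SHA], fallback=True), server_max))
    # 3. a client that genuinely speaks only SSL 3.0 sends no SCSV and is still
    #    accepted: the SCSV does not replace disabling SSL 3.0 on the server
    print(server_decision(build_client_hello(SSL3, [AES128_SHA]), server_max))
```

Case 3 is the practical caveat: the SCSV stops the forced downgrade of a modern browser, but only removing SSL 3.0 from the server configuration closes POODLE for every client.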

Question 106

In order to ensure the privacy and integrity of the data, connections between firewalls over public
networks should use:

• An encrypted Virtual Private Network

• Encryption

• Digital certificates

• Screened subnets

Correct Answer is: An encrypted Virtual Private Network

Details:

The correct answer is: An encrypted Virtual Private network (VPN)

Virtual Private Networks allow a trusted network to communicate with another trusted network over
untrusted networks such as the Internet.

Screened Subnet: A screened subnet is essentially the same as the screened host architecture, but adds
an extra layer of security by creating a network in which the bastion host resides (often called a
perimeter network, or DMZ) that is separated from the internal network. A screened subnet is deployed
by adding a perimeter network in order to separate the internal network from the external one. This
ensures that if there is a successful attack on the bastion host, the attacker is restricted to the
perimeter network by the screening router that sits between the internal and perimeter networks. It is
a segmentation architecture and says nothing about protecting data in transit over a public network.

Digital Certificates: Digital certificates are used in the initial steps of establishing a VPN (to
authenticate the peers and bootstrap the key exchange), but they would not provide the encryption and
integrity by themselves.

Encryption: Even though this seems like a choice that would include the other choices, encryption by
itself does not provide an integrity mechanism: ciphertext can be modified in transit without the
receiver noticing unless a MAC or an authenticated-encryption mode is also used. So encryption would
satisfy only half of the requirements of the question.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14864

TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume
1), 2000, CRC Press, Chapter 3, Secured Connections to External Networks (page 65).

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Patrick C. Whitehorn for providing feedback to improve this question.

Thanks to Richard Sieber for sending the note about the fact that VPN does not always imply
Confidentiality

Thanks to Daniel Schatz for providing input to further improve this question

For more info on Firewall Architecture see: http://www.rxn.com/services/faq/internet/ISPTG-6.html

NOTE:

It is very important to realize that a VPN was the best choice in this case only because both Encryption
and Integrity had to be in place. Encryption by itself does not provide Integrity. However, that being
said, you could have a VPN link such as IPsec that only provides Integrity, using AH (or ESP with the NULL
cipher). So the word VPN DOES NOT always imply confidentiality. Little nuances like this must be
understood for the purpose of the exam.
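Why "encryption by itself does not provide integrity", as an added example that is not part of the page. The "cipher" below is a toy keystream generator (HMAC-SHA256 run in counter mode) standing in for any unauthenticated stream or CTR mode; it is not a real cipher and exists only to show the malleability that a bare encryption-only link has and that a VPN with an integrity service (IPsec ESP with authentication, or AH) does not. The message and keys are constructed.

```python
import hashlib
import hmac

# Added example, not from the page. Toy keystream "cipher" used only to show
# that XOR-style encryption without a MAC lets an attacker edit the plaintext
# blindly, and that encrypt-then-MAC catches the edit.


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stands in for AES-CTR, do not use as a cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt          # XOR with the same keystream undoes the XOR


def flip_field(ciphertext, offset, old, new):
    """Attacker step: without the key, change the bytes at `offset` from `old` to `new`.
    XORing (old ^ new) into the ciphertext XORs the same mask into the plaintext."""
    mask = bytes(o ^ n for o, n in zip(old, new))
    ct = bytearray(ciphertext)
    for i, m in enumerate(mask):
        ct[offset + i] ^= m
    return bytes(ct)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag in constant time before decrypting anything."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, nonce, ct)


if __name__ == "__main__":
    enc_key, mac_key, nonce = b"E" * 32, b"M" * 32, b"nonce-01"        # constructed keys
    message = b"TRANSFER 0100 TO ACCT 42"                              # constructed message

    # Encryption only: the amount is at offset 9 and the attacker rewrites it unnoticed.
    ct = encrypt(enc_key, nonce, message)
    tampered = flip_field(ct, 9, b"0100", b"9900")
    print("encryption only ->", decrypt(enc_key, nonce, tampered))     # TRANSFER 9900 TO ACCT 42

    # Encryption plus a MAC: the same edit is rejected before decryption.
    ct2, tag = seal(enc_key, mac_key, nonce, message)
    try:
        open_sealed(enc_key, mac_key, nonce, flip_field(ct2, 9, b"0100", b"9900"), tag)
    except ValueError as err:
        print("with MAC ->", err)
```

The attacker in the first half never learns the key or the plaintext; knowing the message layout is enough. That is exactly the gap AH, or ESP with its integrity option, closes for a VPN.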

Question 107
Which of the following protocols does not operate at the data link layer (layer 2)?

• L2F

• ICMP

• PPP

• RARP

Correct Answer is: ICMP

Details:

The correct answer is: ICMP

ICMP is the only one of the listed protocols that operates at the network layer (layer 3); its messages
are carried inside IP datagrams (IP protocol number 1). L2F, PPP and RARP operate at layer 2 according to
the official guide.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339

WALLHOFF, John, CBK#2 Telecommunications and Network Security (CISSP Study Guide), April 2002
(page 1). Available at http://www.cccure.org.

Question reviewed by: Clement Dupuis

Question comments submitted by:

Thanks to Roger Fraumann for doing research about where things fit within the OSI model.

TIP FROM CLEMENT:


The subject of where a protocol fits within the OSI model is a very controversial one. Sometimes you
will find references that contradict each other. One book says Layer 2, the other book says Layer 3, for
example. Sometimes there is even contradiction within the same book, go figure :-)

The answers selected within the quiz are as per the Official Study Guide from ISC2 (referred to as the
OIG).

Roger Fraumann was kind enough to do lots of research on this topic; see a summary of his findings below:

=============

RARP (Layer 2)

Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton: on page 782, within the
ISO oriented discussion of layers, Layer 2: Data-Link Layer refers to PPP and ARP, at the tail end of the
discussion of Layer 2 saying "Given a layer 3 IP Address of a device, ARP determines the device's layer 2
MAC address." and is silent on RARP, which does the reverse.

The CISSP and CAP Prep Guide, Platinum Edition, 2007, Ronald L. Krutz and Russell Dean Vines: on page
102, examples of Data Link Layer protocols are: ARP, SLIP, PPP. However, on page 104, within the TCP/IP
oriented discussion of layers, it refers to examples in the TCP/IP Internet Layer as: IP, ARP, RARP, ICMP.
(For the purposes of the CISSP exam, it may be safer to assume RARP is considered a Layer 2 protocol.)

ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris: on page 498, Data Link Layer protocols
are listed to include: ARP, RARP, PPP and SLIP. On page 534, Shon explains ARP as: "When the data link
layer receives a frame, the network layer has already attached the destination IP address to it, but the
data link layer cannot understand the IP address and this invokes ARP for help..." By the act of the
network layer invoking ARP, it is viewed as a Network (Layer 2) protocol. Page 236 discusses RARP.

=============

PPP (Layer 2)

Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton: on page 782, within the
ISO oriented discussion of layers, Layer 2: Data Link Layer refers to PPP and ARP.

The CISSP and CAP Prep Guide, Platinum Edition, 2007, Ronald L. Krutz and Russell Dean Vines: on page
102, examples of Data Link Layer protocols are: ARP, SLIP, PPP.

ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris: on page 498, Data Link Layer protocols
are listed to include: ARP, RARP, PPP and SLIP.

=============

L2F (Layer 2)

Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton: on page 809, refers to L2F
as "...Cisco's Layer 2 Forwarding (L2F)..."

ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris: on page 622, A Summary of Tunneling
Protocols includes "Layer 2 Forwarding (L2F)"...

=============

ICMP (Layer 3)

Official (ISC)2 Guide to the CISSP CBK Second Edition, 2010, Harold F. Tipton: on page 809, the
Transport Layer "... relies on the correct addressing (routing) of information happening on layer 3...".
ICMP is mentioned specifically on page 809, but specific reference to where it is in the stack is
un-stated.

The CISSP and CAP Prep Guide, Platinum Edition, 2007, Ronald L. Krutz and Russell Dean Vines: on page
101, examples of Network Layer protocols are: IP, OSPF, ICMP, RIP.

ALL IN ONE CISSP Exam Guide, Fifth Edition, 2010, Shon Harris: on page 497, Network Layer protocols are
listed to include: IP, ICMP, IGMP, RIP, OSPF, IPX.

Question 108

The Logical Link Control sub-layer is a part of which of the following?

• The ISO/OSI Data Link layer

• Change management control

• The Transport layer of the TCP/IP stack model

• The Reference monitor

Correct Answer is: The ISO/OSI Data Link layer

Details:

The correct answer is: The ISO/OSI Data Link layer

The OSI/ISO Data Link layer is made up of two sub-layers; (1) the Media Access Control layer refers
downward to lower layer hardware functions and (2) the Logical Link Control refers upward to higher
layer software functions. Other choices are distracters.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.

Question 109

How many bits of a MAC address uniquely identify a vendor, as provided by the IEEE?

• 24 bits

• 16 bits
• 6 bits

• 12 bits

Correct Answer is: 24 bits

Details:

The correct answer is: 24 bits

The MAC address is 48 bits long. The first 24 bits are the Organizationally Unique Identifier (OUI)
assigned to the vendor by the IEEE; the remaining 24 bits are assigned by the vendor to each interface it
builds. (The IEEE now also issues smaller 28-bit and 36-bit blocks, MA-M and MA-S, which leave the vendor
only 20 or 12 bits, but the classic 24-bit OUI is the answer the exam expects.)

A media access control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are used for numerous network
technologies and most IEEE 802 network technologies, including Ethernet. Logically, MAC addresses are
used in the media access control protocol sublayer of the OSI reference model.

MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are
stored in its hardware, such as the card's read-only memory or some other firmware mechanism. If
assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered
identification number and may be referred to as the burned-in address. It may also be known as an
Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a
programmed address, where the host device issues commands to the NIC to use an arbitrary address.
An example is many SOHO routers, where the ISP grants access to only one MAC address (the address of the
device that was connected before the router was inserted), so the router must use that MAC address on
its Internet-facing NIC. Therefore the router administrator configures a MAC address to override the
burned-in one.

A network node may have multiple NICs and each must have one unique MAC address per NIC.

[Diagram from Wikipedia showing the MAC address format, a 3-octet OUI assigned by the IEEE followed by 3
octets assigned by the vendor, not reproduced here.]

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12283

http://en.wikipedia.org/wiki/MAC_address
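The OUI / vendor split and the "programmed address" idea from this question (and from Question 98, which it repeats), as an added example that is not part of the page or of the Wikipedia article. It parses the common textual MAC formats, separates the 24 IEEE-assigned bits from the 24 vendor-assigned bits, and reads the two flag bits of the first octet: the U/L bit, which is set by convention on locally administered (programmed, overridden or randomized) addresses, and the I/G bit, which marks multicast addresses. The sample addresses are constructed, not looked up from any vendor registry.

```python
import re

# Added example, not from the page. MAC address parsing with the IEEE/vendor
# split and the two administration flag bits of the first octet.

LOCALLY_ADMINISTERED = 0x02   # U/L bit of the first octet: 1 = not a burned-in IEEE-assigned address
MULTICAST = 0x01              # I/G bit of the first octet: 1 = group (multicast/broadcast) address


def parse_mac(text):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def _hex(octets, sep):
    return sep.join(f"{b:02X}" for b in octets)


def describe_mac(text):
    """Split a MAC into the IEEE-assigned OUI, the vendor-assigned part and its flag bits."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": _hex(mac[:3], "-"),                      # 24 bits assigned by the IEEE
        "nic_specific": _hex(mac[3:], "-"),             # 24 bits assigned by the vendor
        "locally_administered": bool(first & LOCALLY_ADMINISTERED),
        "multicast": bool(first & MULTICAST),
    }


def locally_administered_variant(text):
    """Return the address an administrator would program when overriding the burned-in
    one, following the convention of setting the U/L bit in the first octet."""
    mac = bytearray(parse_mac(text))
    mac[0] |= LOCALLY_ADMINISTERED
    return _hex(mac, ":").lower()


def looks_burned_in(text):
    """Quick check used when reviewing DHCP or switch logs: an address with the U/L bit
    clear claims to be a vendor-assigned one; with it set, something programmed it."""
    return not describe_mac(text)["locally_administered"]


if __name__ == "__main__":
    for sample in ("00:1A:2B:3C:4D:5E", "02-1a-2b-3c-4d-5e", "0100.5e00.0001"):   # constructed samples
        print(sample, describe_mac(sample))
    print("override:", locally_administered_variant("00:1A:2B:3C:4D:5E"))
```

Caveat for the "programmed address" check: modern phones and laptops randomize their Wi-Fi MAC and set the U/L bit as well, so a locally administered address on a network log indicates a non-burned-in address, not necessarily a deliberate spoof.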

Question 110
Which of the following characteristics does not apply to RIP?

• Distance vector routing

• Maximum of 15 hops

• Not the most efficient routing protocol

• Exterior Gateway Protocol

Correct Answer is: Exterior Gateway Protocol

Details:

The correct answer is: Exterior Gateway Protocol

RIP is a distance vector routing protocol and an Interior (not Exterior) Gateway Protocol: it exchanges
routes within one autonomous system, whereas BGP is the exterior gateway protocol used between them.
RIPv1 offers no authentication (RIPv2 adds a plaintext or MD5 password on updates). It is not the most
efficient protocol, since every router sends its full routing table to its neighbours every 30 seconds
whether or not anything changed. The metric is hop count: the lowest hop count route is always best, a
usable path can be at most 15 hops long, and a metric of 16 means unreachable.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12302

ROTHKE, Ben, CISSP CBK Review presentation on domain 2, August 1999. Available at
http://www.cccure.org.
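The distance vector behaviour and the 15-hop limit from this question (and from Question 99, which it repeats), as an added example that is not part of the page. It simulates RIP's periodic full-table exchange between directly connected routers, with hop count as the metric and 16 standing for unreachable, over a constructed chain topology long enough to show that a destination 15 hops away is reachable while one 16 hops away is not, even though every link on the path is up. Timers, split horizon and triggered updates are left out; routers exchange tables in synchronous rounds instead of every 30 seconds.

```python
# Added example, not from the page. Minimal synchronous RIP-style distance
# vector simulation; metric = hop count, 16 = unreachable.

INFINITY = 16   # RIP's "infinity": usable routes have metrics 1..15


def build_chain(n):
    """Constructed topology: routers R0..R(n-1) in a line, each link one hop."""
    return {f"R{i}": [f"R{j}" for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def rip_converge(links, max_rounds=100):
    """Bellman-Ford as RIP does it: every round, each router hands its full table
    to each neighbour, and the neighbour keeps any route that is cheaper than what
    it already has. Stops when a full round changes nothing.

    links:   {router: [directly connected routers]}
    returns: ({router: {destination: (metric, next_hop)}}, rounds_used)
    """
    tables = {r: {r: (0, None)} for r in links}           # every router knows itself at cost 0
    for r, neighbours in links.items():
        for nb in neighbours:
            tables[r][nb] = (1, nb)                         # directly connected: 1 hop
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        advertised = {r: dict(tables[r]) for r in links}    # snapshot = this round's updates
        changed = False
        for r, neighbours in links.items():
            for nb in neighbours:
                for dest, (metric, _) in advertised[nb].items():
                    candidate = min(metric + 1, INFINITY)   # metrics saturate at 16
                    current = tables[r].get(dest, (INFINITY, None))[0]
                    if candidate < current:                 # lowest hop count always wins
                        tables[r][dest] = (candidate, nb)
                        changed = True
        if not changed:
            break
    return tables, rounds


def route(tables, src, dst):
    """Return (metric, next_hop), or None when the destination is unreachable (metric 16)."""
    metric, next_hop = tables[src].get(dst, (INFINITY, None))
    return None if metric >= INFINITY else (metric, next_hop)


if __name__ == "__main__":
    tables, rounds = rip_converge(build_chain(17))           # R0 .. R16
    print("converged after", rounds, "exchange rounds")
    print("R0 -> R15:", route(tables, "R0", "R15"))         # (15, 'R1'): the longest usable path
    print("R0 -> R16:", route(tables, "R0", "R16"))         # None: 16 hops = unreachable
    print("R5 -> R3 :", route(tables, "R5", "R3"))          # (2, 'R4')
```

The same saturation at 16 is what bounds the classic count-to-infinity problem after a link failure: without it, two neighbours could keep advertising a dead route to each other with ever-growing metrics.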

Question 111

Which of the following is not a common weakness of packet filtering firewalls?

• Vulnerability to IP spoofing.

• Vulnerability to denial-of-service and related attacks.

• No support for advanced user authentication schemes.


• Limited logging functionality.

Correct Answer is: Vulnerability to denial-of-service and related attacks.

Details:

The correct answer is: Vulnerability to denial-of-service and related attacks.

An important point about packet filtering firewalls is that their speed and flexibility, as well as their
capacity to block some denial-of-service and related attacks (for example by dropping traffic from known
bad sources or obviously malformed packets at line rate), make them ideal for placement at the outermost
boundary with an untrusted network.

The other choices represent weaknesses of packet filtering firewalls. A stateless filter decides on
header fields only, so it cannot detect a forged source address (IP spoofing) unless an explicit
anti-spoofing rule ties address ranges to the interface they may arrive on; it can log only those same
header fields; and it has no notion of a user, so it cannot enforce user-level authentication.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14564

WACK, John et al., NIST Special publication 800-41, Guidelines on Firewalls and Firewall Policy, January
2002 (page 7).

and

Shon Harris All In One Book Version 6 Page 630-632 "Packet Filtering Firewalls"
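The IP spoofing and limited logging weaknesses from this question (and from Question 100, which it repeats), as an added example that is not part of the page or of NIST SP 800-41. It is a small stateless packet filter: rules match on interface and header fields only, first match wins, default deny. A naive rulebase that trusts any packet with an internal source address lets a forged packet arriving on the outside interface through; the hardened rulebase adds the ingress anti-spoofing rules a practitioner would put first. The addresses (10.0.0.0/8 as the internal range, 10.0.0.80 as a web server), the interface names "ext" and "int" and the packets are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the page. Stateless packet filter with a naive and a
# hardened rulebase; addresses, interfaces and packets are constructed.


@dataclass
class Packet:
    in_iface: str     # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    in_iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.in_iface in ("any", p.in_iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet, log: list) -> str:
    """First matching rule wins, default deny. The log can only ever record header
    fields: a packet filter has no user, session or payload to write down."""
    for rule in rules:
        if rule.matches(p):
            log.append(f"{rule.action} iface={p.in_iface} {p.src}->{p.dst}:{p.dport}/{p.proto}")
            return rule.action
    log.append(f"deny(default) iface={p.in_iface} {p.src}->{p.dst}:{p.dport}/{p.proto}")
    return "deny"


INTERNAL = "10.0.0.0/8"          # constructed internal range
WEB_SERVER = "10.0.0.80/32"      # constructed public web server

# Weak rulebase: trusts any packet whose source address claims to be internal.
naive_rules = [
    Rule("allow", src=INTERNAL),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
]

# Hardened rulebase: ingress anti-spoofing first (an internal or loopback source can
# never legitimately arrive on the outside interface), then the same grants.
hardened_rules = [
    Rule("deny", in_iface="ext", src=INTERNAL),
    Rule("deny", in_iface="ext", src="127.0.0.0/8"),
    Rule("allow", in_iface="int", src=INTERNAL),
    Rule("allow", in_iface="ext", dst=WEB_SERVER, proto="tcp", dport=80),
]


if __name__ == "__main__":
    log = []
    spoofed = Packet("ext", "10.0.0.5", "10.0.0.10", "tcp", 445)   # outsider forging an inside source
    print("naive   :", filter_packet(naive_rules, spoofed, log))    # allow
    print("hardened:", filter_packet(hardened_rules, spoofed, log)) # deny
    print("\n".join(log))
```

Even the hardened filter still cannot tell a spoofed packet from outside whose forged source is some other external address, and its log lines above are all it can ever tell you about who sent what; both gaps are why the exam treats spoofing, logging and user authentication as inherent weaknesses of this firewall type.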

Question 112

What is the primary difference between FTP and TFTP?

• Speed of negotiation

• TFTP is used to transfer configuration files to and from network equipment.

• Ability to automate

• Authentication
Correct Answer is: Authentication

Details:

The correct answer is: Authentication

TFTP (Trivial File Transfer Protocol) is sometimes used to transfer configuration files to and from
equipment such as routers and switches, but the primary difference between FTP and TFTP is that TFTP has
no authentication at all: a read or write request carries only a filename and a transfer mode. Speed and
the ability to automate are not the distinguishing factors.

Both of these protocols (FTP and TFTP) can be used for transferring files across the Internet. The
differences between the two protocols are explained below:

• FTP is a complete, session-oriented, general purpose file transfer protocol. TFTP is used as a
bare-bones special purpose file transfer protocol.

• FTP can be used interactively over a persistent control session. TFTP has no session concept:
each exchange transfers a single file in one direction.

• FTP depends on TCP, is connection oriented, and provides reliable control. TFTP depends on
UDP, requires less overhead, and provides virtually no control.

• FTP provides user authentication. TFTP does not.

• FTP uses well-known TCP port numbers: 20 for data and 21 for connection dialog. TFTP uses
UDP port number 69 for its file transfer activity.

• The Windows NT FTP server service does not support TFTP because TFTP does not support
authentication.

• Windows 95 and TCP/IP-32 for Windows for Workgroups do not include a TFTP client program.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12852

http://support.microsoft.com/kb/102737
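The TFTP wire format behind "TFTP does not provide user authentication", for this question and for Question 101, which it repeats; an added example that is not part of the page or of the Microsoft article. It builds and parses the five TFTP packet types (RFC 1350): a read or write request is just an opcode, a filename and a mode, with no field in which credentials could even be carried, so the only access control a TFTP server can apply is to the filename itself. The sample file and the path check in serve_read() are constructed for the example; the path check is a server policy, not part of the protocol.

```python
import struct

# Added example, not from the page. TFTP (RFC 1350) packet builder/parser and a
# minimal server-side read, showing that requests carry no credentials.

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512            # a DATA block shorter than this ends the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL. Nothing else, no identity, no password."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\x00"


def parse(packet):
    """Decode any TFTP packet into a dict keyed by its fields."""
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = packet[2:].split(b"\x00")
        if len(fields) < 3:                                  # filename, mode, trailing empty
            raise ValueError("malformed request")
        return {"opcode": opcode, "filename": fields[0].decode(), "mode": fields[1].decode().lower()}
    if opcode == DATA:
        block = struct.unpack("!H", packet[2:4])[0]
        payload = packet[4:]
        return {"opcode": DATA, "block": block, "data": payload, "last": len(payload) < BLOCK_SIZE}
    if opcode == ACK:
        return {"opcode": ACK, "block": struct.unpack("!H", packet[2:4])[0]}
    if opcode == ERROR:
        code = struct.unpack("!H", packet[2:4])[0]
        return {"opcode": ERROR, "code": code, "message": packet[4:].split(b"\x00")[0].decode()}
    raise ValueError(f"unknown opcode {opcode}")


def serve_read(files, request):
    """Server side of an RRQ: return the DATA packets (or one ERROR) it would send.
    With no authentication available, the filename is the only thing to police."""
    req = parse(request)
    if req["opcode"] != RRQ:
        return [build_error(4, "Illegal TFTP operation")]
    name = req["filename"]
    if "/" in name or "\\" in name or name.startswith("."):   # constructed anti-traversal policy
        return [build_error(2, "Access violation")]
    if name not in files:
        return [build_error(1, "File not found")]
    data = files[name]
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    if len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")                                     # a short final block signals end of file
    return [build_data(i + 1, chunk) for i, chunk in enumerate(blocks)]


if __name__ == "__main__":
    files = {"router.cfg": b"hostname edge\n" * 100}          # constructed 1400-byte config
    rrq = build_request(RRQ, "router.cfg")
    print("request fields:", parse(rrq))                      # filename and mode only
    for pkt in serve_read(files, rrq):
        d = parse(pkt)
        print(f"DATA block {d['block']} ({len(d['data'])} bytes) last={d['last']}")
    print(parse(serve_read(files, build_request(RRQ, "../etc/passwd"))[0]))
```

Anyone who can reach UDP/69 and guess the filename can fetch the configuration; that is why TFTP belongs on an isolated management network and why FTP's user/password exchange, however weak, counts as the "primary difference" here.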

Question 113

In a SSL session between a client and a server, who is responsible for generating the master secret that
will be used as a seed to generate the symmetric keys that will be used during the session?
• The merchant's Certificate Server

• The web server

• The client's browser

• Both client and server

Correct Answer is: The client's browser

Details:

The correct answer is: The client's browser

Once the merchant server has been authenticated by the browser client, the browser generates a
master secret that is to be shared only between the server and client. This secret serves as a seed to
generate the session (private) keys. The master secret is then encrypted with the merchant's public key
and sent to the server. The fact that the master secret is generated by the client's browser provides the
client assurance that the server is not reusing keys that would have been used in a previous session with
another client.

See below the SSL session, step by step, from the Microsoft website at: https://support.microsoft.com/en-us/kb/257591

The steps involved in the SSL handshake are as follows (note that the following steps assume the use of
the cipher suites listed in Cipher Suites with RSA Key Exchange: Triple DES, RC4, RC2, DES):

1. The client sends the server the client's SSL version number, cipher settings, session-specific data,
and other information that the server needs to communicate with the client using SSL.

2. The server sends the client the server's SSL version number, cipher settings, session-specific
data, and other information that the client needs to communicate with the server over SSL. The server
also sends its own certificate, and if the client is requesting a server resource that requires client
authentication, the server requests the client's certificate.

3. The client uses the information sent by the server to authenticate the server (see Server
Authentication for details). If the server cannot be authenticated, the user is warned of the problem and
informed that an encrypted and authenticated connection cannot be established. If the server can be
successfully authenticated, the client proceeds to step 4.

4. Using all data generated in the handshake thus far, the client (with the cooperation of the
server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it
with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the
encrypted pre-master secret to the server.

5. If the server has requested client authentication (an optional step in the handshake), the client
also signs another piece of data that is unique to this handshake and known by both the client and
server. In this case, the client sends both the signed data and the client's own certificate to the server
along with the encrypted pre-master secret.

6. If the server has requested client authentication, the server attempts to authenticate the client
(see Client Authentication for details). If the client cannot be authenticated, the session ends. If the
client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret,
and then performs a series of steps (which the client also performs, starting from the same pre-master
secret) to generate the master secret.

7. Both the client and the server use the master secret to generate the session keys, which are
symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify
its integrity (that is, to detect any changes in the data between the time it was sent and the time it is
received over the SSL connection).

8. The client sends a message to the server informing it that future messages from the client will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
client portion of the handshake is finished.

9. The server sends a message to the client informing it that future messages from the server will
be encrypted with the session key. It then sends a separate (encrypted) message indicating that the
server portion of the handshake is finished.

10. The SSL handshake is now complete and the session begins. The client and the server use the
session keys to encrypt and decrypt the data they send to each other and to validate its integrity.

11. This is the normal operation condition of the secure channel. At any time, due to internal or
external stimulus (either automation or user intervention), either side may renegotiate the connection,
in which case, the process repeats itself.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286

ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 112).

Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, page 569.

Question 114

Which of the following is less likely to be used today in creating a Virtual Private Network?

• L2F

• IPSec

• PPTP

• L2TP

Correct Answer is: L2F

Details:

The correct answer is: L2F

L2F is a protocol that supports the creation of secure virtual private dial-up networks over the Internet.

Cisco developed its own VPN protocol called Layer 2 Forwarding (L2F), which is a mutual authentication
tunneling mechanism. However, L2F does not offer encryption. L2F was not widely deployed and was
soon replaced by L2TP.

As their names suggest, both operate at layer 2. Both can encapsulate any LAN protocol.

Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F. L2TP
creates a point-to-point tunnel between communication endpoints. It lacks a built-in encryption scheme
and typically relies on IPSec as its security mechanism. L2TP also supports TACACS+ and RADIUS.

At one point L2F was merged with PPTP to produce L2TP to be used on networks and not only on dial up
links.

IPSec is now considered the best VPN solution for IP environments.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 3991
Stewart , James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information
Systems Security Professional Official Study Guide (Kindle Locations 14057-14062). Wiley. Kindle Edition.

Thanks to Kimberly Bucholz for sending feedback to improve this question.

Question 115

Which of the following rules appearing in an Internet firewall policy is inappropriate?

• Source routing shall be disabled on all firewalls and external routers.

• In case of a firewall failure, it should fail to a configuration that denies all services (Fail Closed),
and require a firewall administrator to re-enable services after a firewall has failed in such a way.

• Firewalls shall not accept traffic on its external interfaces that appear to be coming from
internal network addresses.

• Firewalls shall be configured to passively allow all outbound and inbound services.

Correct Answer is: Firewalls shall be configured to passively allow all outbound and inbound services.

Details:

The correct answer is: Firewalls shall be configured to passively allow all outbound and inbound services.

Unless approved by the Network Services manager, all inbound services shall be intercepted and
processed by the firewall. Allowing unrestricted services inbound and outbound is certainly NOT
recommended and is very dangerous.

Pay close attention to the keyword: all

All of the other choices presented are recommended practices for a firewall policy.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539

GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A
Technical Guide, Draft Version, May 25, 2000 (page 78).

Question 116

During the initial stage of configuration of your firewall, which of the following rules appearing in an
Internet firewall policy is inappropriate?

• Appropriate firewall documentation and a copy of the rulebase shall be maintained on offline
storage at all times.

• The firewall software shall run on a dedicated computer.

• The firewall shall be configured to deny all services not expressly permitted.

• The firewall should be tested online first to validate proper configuration.

Correct Answer is: The firewall should be tested online first to validate proper configuration.

Details:

The correct answer is: The firewall should be tested online first to validate proper configuration.

As is very clearly stated in NIST SP 800-41 Rev. 1:

New firewalls should be tested and evaluated before deployment to ensure that they are working
properly. Testing should be completed on a test network without connectivity to the production
network. This test network should attempt to replicate the production network as faithfully as possible,
including the network topology and network traffic that would travel through the firewall. Aspects of the
solution to evaluate include the following:

Connectivity

Users can establish and maintain connections through the firewall.

Ruleset

Traffic that is specifically allowed by the security policy is permitted. All traffic that is not allowed by the
security policy is blocked. Verification of the ruleset should include both reviewing it manually and
testing whether the rules work as expected.

Application Compatibility

Host-based or personal firewall solutions do not break or interfere with the use of existing software
applications. This includes network communications between application components. Network firewall
solutions do not interfere with applications that have components that interact through the firewall
(e.g., client and server software).

Management

Administrators can configure and manage the solution effectively and securely.

Logging

Logging and data management function in accordance with the organization’s policies and strategies.

Performance

Solutions provide adequate performance during normal and peak usage. In many cases, the best way to
test performance under the load of a prototype implementation is to use simulated traffic generators on
a live test network to mimic the actual characteristics of expected traffic as closely as possible.
Simulating the loads caused by DoS attacks can also be helpful in assessing firewall performance. Testing
should incorporate a variety of applications that will traverse the firewall, especially those that are most
likely to be affected by network throughput or latency issues.

Security of the Implementation

The firewall implementation itself may contain vulnerabilities and weaknesses that attackers could
exploit. Organizations with high security needs may want to perform vulnerability assessments against
firewall components.

Component Interoperability

Components of the firewall solution must function together properly. This is of greatest concern when a
variety of components from different vendors are used.

Policy Synchronization

If there are multiple firewalls running synchronized policies or groups of rules, test that the
synchronization works in various scenarios (such as if one or more nodes are offline).

Additional Features

Additional features that will be used by the firewall—such as VPN and antimalware capabilities—should
be tested to ensure they are working properly.

If a firewall needs to be brought down for reconfiguration, Internet services should be disabled or a
secondary firewall should be made operational; internal systems should not be connected to the
Internet without a firewall.

After being reconfigured and tested, the firewall must be brought back into an operational and reliable
state.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14539

GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx, Internet Security Policy: A
Technical Guide, Draft Version, May 25, 2000 (pages 76-78).

and

NIST SP 800-41-Rev1, Guidelines on Firewalls and Firewall Policy

Exam Tip:

This is another negative question. So far I have received about half a dozen messages telling me this
question is wrong. It is fine, just ensure that you do understand what they are looking for. In this case
they are looking at the one choice that would be wrong. You never test a firewall online, you always do
your testing offline.

Question 117

Which of the following is not a security goal for remote access?

• Reliable authentication of users and systems

• Automated login for remote users

• Easy to manage access control to systems and network resources

• Protection of confidential data

Correct Answer is: Automated login for remote users

Details:

An automated login function for remote users would imply a weak authentication, thus certainly not a
security goal.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14959

TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume
2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).

Last modified 07/02/2007, Ron Hehemann

Question 118

Which of the following should be used as a replacement for Telnet for secure remote login over an
insecure network?

• SSH V2

• Rlogin

• S-Telnet

• SSL

Correct Answer is: SSH V2

Details:

The correct answer is: SSH V2

SSH Version 2 is a protocol for secure remote login and other secure network services over an insecure
network.

It consists of three major components:

• A transport layer protocol (providing server authentication, confidentiality, and integrity),

• A user authentication protocol (authenticating the client-side user to the server), and

• A connection protocol (multiplexing the encrypted tunnel into several logical channels).

It should be used instead of Telnet, FTP, rlogin, rexec and rsh.


The users must prove their identities to the remote machine using some authentication method.

Public-key authentication is based on the use of digital signatures. Each user creates a public/private key
pair for authentication purposes. The server knows the user's public key, and only the user has the
private key.

The filenames of private keys that are used in authentication are set in $HOME/.ssh2/identification.
When the user tries to authenticate, the server checks $HOME/.ssh2/authorization for filenames of
matching public keys and sends a challenge to the user end.

The user is authenticated by signing the challenge with the private key.

If public keys are not used, then you can also use passwords. SSH V2 will prompt the user for a password.
Since all communication is encrypted, the password will not be available to eavesdroppers.

NOTE:

This is only true for SSH version 2 or higher; there are known vulnerabilities in version 1, and programs
capable of MITM attacks against SSH version 1 exist. Version 1 should no longer be used.

The following are incorrect answers:

S-Telnet. This is mostly sending Telnet data over an SSL tunnel. It can be done but it is rarely done and
not the best answer.

SSL. The SSL protocol is used mostly to secure web traffic and not for remote login sessions. It is not the
best replacement for Telnet.

Rlogin. This protocol is deprecated and should no longer be used. It offers no security.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15271

SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

https://support.ssh.com/manuals/server-zos-admin/55/ssh2.html

Question 119

Which of the following is NOT a defined ISO basic task related to network management?

• Fault management

• Communications management

• Security management

• Accounting resources

Correct Answer is: Communications management

Details:

ISO has defined five basic tasks related to network management:

Fault management: Detects the devices that present some kind of fault.

Configuration management: Allows users to know, define and change remotely the configuration of any
device.

Accounting resources: Holds the records of the resource usage in the WAN.

Performance management: Monitors usage levels and sets alarms when a threshold has been
surpassed.

Security management: Detects suspicious traffic or users and generates alarms accordingly.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review
manual, Chapter 3: Technical Infrastructure and Operational Practices (page 137).

Last modified 02 July 2007, Ron Hehemann

Special Thanks to Tim Watkins for providing further explanations to this question.

SUPPLEMENTAL INFO PROVIDED BY TIM WATKINS:

Link - http://www.2000trainers.com/ccda-study-guide/iso-network-management/

ISO Network Management Processes, posted by Dan DiNicolo on May 15, 2007 @ 5:17 pm in CCDA Study Guide:

The International Organization for Standardization has developed a framework for the management of
networks in their Structure of Management Information (SMI) standard. The framework divides network
management processes into 5 main functional areas – Fault, Configuration, Accounting, Performance,
and Security management.

Commonly referred to by the acronym FCAPS, each area relates to a high-level IT management process.

Fault Management

Fault management is concerned with detecting network faults, logging this information, contacting the
appropriate person, and ultimately fixing a problem. A common fault management technique is to
implement an SNMP-based network management system - such as HP OpenView or Sun Solstice (formerly
Net Manager) - to collect information about network devices. In turn, the management station can be
configured to make a network administrator aware of problems (by email, paging, or on-screen messages),
allowing appropriate action to be taken. SNMP and its functions will be looked at in more detail shortly.

Configuration Management

Configuration management is concerned with monitoring system configuration information, and any changes
that take place. This area is especially important, since many network issues arise as a direct result of
changes made to configuration files, updated software versions, or changes to system hardware. A proper
configuration management strategy involves tracking all changes made to network hardware and software.
Examples include altering the running configuration of a device, updating the IOS version of a router or
switch, or adding a new modular interface card. While it is possible to track these changes manually, a
more common approach is to gather this information using configuration management software, such as
CiscoWorks 2000. CiscoWorks 2000 will be looked at in more detail later in the chapter.

Accounting Management

Accounting management is concerned with tracking network utilization information, such that individual
users, departments, or business units can be appropriately billed or charged for accounting purposes.
While this may not be applicable to all companies, in many larger organizations the IT department is
considered a cost center that accrues revenues according to resource utilization by individual
departments or business units.

Performance Management

Performance management is focused on ensuring that network performance remains at acceptable levels.
This area is concerned with gathering regular network performance data such as network response times,
packet loss rates, link utilization, and so forth. This information is usually gathered through the
implementation of an SNMP management system, either actively monitored, or configured to alert
administrators when performance moves above or below predefined thresholds. Actively monitoring
current network performance is an important step in identifying problems before they occur, as part of
a proactive network management strategy.

Security Management

Security management is not only concerned with ensuring that a network environment is secure, but also
that gathered security-related information is analyzed regularly. Security management functions include
managing network authentication, authorization, and auditing, such that both internal and external users
only have access to appropriate network resources. Other common tasks include the configuration and
management of network firewalls, intrusion detection systems, and security policies such as access lists.

Written by Dan DiNicolo

Question 120

Which of the following statements pertaining to Secure Sockets Layer (SSL) is false?

• The SSL protocol's primary use is to authenticate the client to the server using public key
cryptography and digital certificates.

• Web pages using the SSL protocol start with HTTPS

• SSL can be used with applications such as Telnet, FTP and email protocols.

• The SSL protocol was developed by Netscape to secure Internet client-server transactions.

Correct Answer is: The SSL protocol's primary use is to authenticate the client to the server using public
key cryptography and digital certificates.

Details:

The correct answer is: The SSL protocol's primary use is to authenticate the client to the server using
public key cryptography and digital certificates.

All of these statements pertaining to SSL are true except the one claiming that its primary use is to
authenticate the client to the server using public key cryptography and digital certificates. It is the
opposite: its primary use is to authenticate the server to the client.

The following reference(s) were used to create this question:


SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 501 or Kindle Location 13545.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15288

Thanks to Doug Rike for providing feedback to improve this question.

Question 121

Why is infrared generally considered to be more secure to eavesdropping than multidirectional radio
transmissions?

• Because infrared eavesdropping requires more sophisticated equipment.

• Because infrared operates at extra-low frequencies (ELF).

• Because infrared operates only over short distances.

• Because infrared requires direct line-of-sight paths.

Correct Answer is: Because infrared requires direct line-of-sight paths.

Details:

Infrared is generally considered to be more secure to eavesdropping than multidirectional radio
transmissions because infrared requires direct line-of-sight paths.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).

Question 122

Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols are the driving force of
IPSec. AH provides all of the following services except:

• Authentication

• Confidentiality

• Integrity

• Replay resistance and non-repudiations

Correct Answer is: Confidentiality

Details:

The correct answer is: Confidentiality

AH provides integrity, authentication, and non-repudiation. AH does not provide encryption, which
means that NO confidentiality is in place if only AH is being used. You must make use of the
Encapsulating Security Payload if you wish to get confidentiality.

IPSec uses two basic security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH is the authenticating protocol; ESP is the authenticating and encrypting protocol that uses
cryptographic mechanisms to provide source authentication, confidentiality and message integrity.

The IPSec mode and the protocols to be used are all negotiated through a Security Association (SA).
Security Associations can be combined into bundles to provide authentication, confidentiality and
layered communication.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14867

TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume
2, 2001, CRC Press, NY, page 164.

also see:

Shon Harris, CISSP All In One Exam Guide, 5th Edition, Page 758

Question 123

In IPSec, if the communication is to be gateway-to-gateway or host-to-gateway:

• Both tunnel and transport mode can be used

• Tunnel mode of operation is required

• Encapsulating Security Payload (ESP) authentication must be used

• Only transport mode can be used

Correct Answer is: Tunnel mode of operation is required

Details:

Transport mode is established when the endpoint is a host. If the gateway in a gateway-to-host
communication were to use transport mode, it would act as a host system, which is acceptable for
protocols directed at that gateway itself. Otherwise, tunnel mode is required for gateway services. This
is the most common mode of operation and is required for gateway-to-gateway and host-to-gateway
communications.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14867

TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume
2, 2001, CRC Press, NY, page 167.

Question 124

Which of the following ports does NOT normally need to be open for a mail server to operate?

• Port 143

• Port 110

• Port 119

• Port 25

Correct Answer is: Port 119

Details:

The correct answer is: Port 119

Port 119 is normally used for the Network News Transfer Protocol (NNTP); it has nothing to do with mail traffic.

It is thus not needed for a mail server, which would normally listen on ports 25 (SMTP), 110 (POP3) and
143 (IMAP). A few other ports may be needed as well if you run secure versions of the services above.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding
Firewalls.

Question 125

Which of the following is an extension to Network Address Translation (NAT) that permits multiple
devices providing services on a Local Area Network (LAN) to be mapped to a single public Internet
Protocol (IP) address?

• IP Distribution

• IP subnetting

• Port Address Translation

• IP Spoofing

Correct Answer is: Port Address Translation


Details:

The correct answer is: Port Address Translation

Port Address Translation (PAT) is an extension to network address translation (NAT) that permits
multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of
PAT is to conserve IP addresses or to publish multiple hosts offering services to the Internet while having
only a single IP address assigned on the external side of your gateway.

Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP
address to the home network's router. When Computer X logs on the Internet, the router assigns the
client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a
unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local
IP address with a different port number. Although both computers are sharing the same public IP
address and accessing the Internet at the same time, the router knows exactly which computer to send
specific packets to because each computer has a unique internal address.

Port Address Translation is also called porting, port overloading, port-level multiplexed NAT and single
address NAT.

Shon Harris has the following example in her book:

The company owns and uses only one public IP address for all systems that need to communicate
outside the internal network. How in the world could all computers use the exact same IP address?
Good question. Here’s an example: The NAT device has an IP address of 127.50.41.3. When computer A
needs to communicate with a system on the Internet, the NAT device documents this computer’s
private address and source port number (10.10.44.3; port 43,887). The NAT device changes the IP
address in the computer’s packet header to 127.50.41.3, with the source port 40,000. When computer B
also needs to communicate with a system on the Internet, the NAT device documents the private
address and source port number (10.10.44.15; port 23,398) and changes the header information to
127.50.41.3 with source port 40,001. So when a system responds to computer A, the packet first goes to
the NAT device, which looks up the port number 40,000 and sees that it maps to computer A’s real
information. So the NAT device changes the header information to address 10.10.44.3 and port 43,887
and sends it to computer A for processing. A company can save a lot more money by using PAT, because
the company needs to buy only a few public IP addresses, which are used by all systems in the network.
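
The translation table that this scenario describes, written here as an added Python example (it is not code from Shon Harris's book or from the page): the public address, private addresses and port numbers are the sample values quoted above, kept as printed, and the class and function names are my own.

```python
"""PAT (port overloading) translation table, as an added example.

Replays the scenario quoted above: one public address, two internal hosts,
and a per-flow public source port handed out from 40000 upwards. All
addresses and ports are the constructed sample values from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class PatGateway:
    public_ip: str
    first_port: int = 40000
    last_port: int = 65535
    # outbound lookup: (private ip, private port) -> public port
    _by_private: Dict[Endpoint, int] = field(default_factory=dict)
    # inbound lookup: public port -> (private ip, private port)
    _by_public: Dict[int, Endpoint] = field(default_factory=dict)

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite a packet's source address/port for the Internet side.

        Re-uses the existing mapping if this flow already has one, otherwise
        allocates the lowest free public port. Raises when the pool is empty:
        port exhaustion is the practical limit of "one IP for everyone".
        """
        if src in self._by_private:
            return (self.public_ip, self._by_private[src])
        for port in range(self.first_port, self.last_port + 1):
            if port not in self._by_public:
                self._by_private[src] = port
                self._by_public[port] = src
                return (self.public_ip, port)
        raise RuntimeError("PAT port pool exhausted")

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply arriving at the public address back to the real host.

        Returns None when the public port has no entry: unsolicited inbound
        traffic has no internal destination, which is why PAT also hides the
        internal hosts from the Internet.
        """
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self._by_public.get(port)

    def table(self) -> Dict[int, Endpoint]:
        """Snapshot of the current public-port -> private-endpoint table."""
        return dict(self._by_public)


def harris_example() -> dict:
    """Walk through the quoted scenario and return every translation made."""
    gw = PatGateway("127.50.41.3")  # public address as printed in the quote
    a_out = gw.translate_outbound(("10.10.44.3", 43887))    # computer A
    b_out = gw.translate_outbound(("10.10.44.15", 23398))   # computer B
    a_again = gw.translate_outbound(("10.10.44.3", 43887))  # same flow, same port
    reply_to_a = gw.translate_inbound(("127.50.41.3", 40000))
    stray = gw.translate_inbound(("127.50.41.3", 40002))    # nobody asked for this
    return {
        "a_out": a_out,
        "b_out": b_out,
        "a_again": a_again,
        "reply_to_a": reply_to_a,
        "stray": stray,
        "table": gw.table(),
    }


if __name__ == "__main__":
    for name, value in harris_example().items():
        print(f"{name}: {value}")
```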

As mentioned on Wikipedia:

NAT is also known as Port Address Translation: it is a feature of a network device that translates TCP or
UDP communications made between hosts on a private network and hosts on a public network. It allows a
single public IP address to be used by many hosts on a private network, which is usually a local area
network (LAN).

NAT effectively hides all TCP/IP-level information about internal hosts from the Internet.

The following were all incorrect answers:

IP Spoofing - In computer networking, the term IP address spoofing or IP spoofing refers to the creation
of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of
concealing the identity of the sender or impersonating another computing system.

Subnetting - Subnetting is a network design strategy that segregates a larger network into smaller
components. While connected through the larger network, each subnetwork or subnet functions with a
unique IP address. All systems that are assigned to a particular subnet will share values that are common
for both the subnet and for the network as a whole.

A different approach to network construction can be thought of as subnetting in reverse. Known as
CIDR, or Classless Inter-Domain Routing, this approach also creates a series of subnetworks. Rather than
dividing an existing network into small components, CIDR takes smaller components and connects them
into a larger network. This can often be the case when a business is acquired by a larger corporation.
Instead of doing away with the network developed and used by the newly acquired business, the
corporation chooses to continue operating that network as a subsidiary or an added component of the
corporation’s network. In effect, the system of the purchased entity becomes a subnet of the parent
company's network.

IP Distribution - This is a generic term which could mean distribution of content over an IP network or
distribution of IP addresses within a company. Sometimes people use the term to refer to Internet Protocol
address management (IPAM), which is a means of planning, tracking, and managing the Internet Protocol
address space used in a network. Most commonly, tools such as DNS and DHCP are used in conjunction
as integral functions of the IP address management function, and true IPAM glues these point services
together so that each is aware of changes in the other (for instance DNS knowing of the IP address taken
by a client via DHCP, and updating itself accordingly). Additional functionality, such as controlling
reservations in DHCP as well as other data aggregation and reporting capability, is also common. IPAM
tools are increasingly important as new IPv6 networks are deployed with larger address pools, different
subnetting techniques, and more complex 128-bit hexadecimal numbers which are not as easily human-
readable as IPv4 addresses.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14554

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding
Firewalls.

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Telecommunications and Network Security, Page 350.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 12765-12774).
Telecommunications and Network Security, Page 604-606

http://searchnetworking.techtarget.com/definition/Port-Address-Translation-PAT

http://en.wikipedia.org/wiki/IP_address_spoofing

http://www.wisegeek.com/what-is-subnetting.htm

http://en.wikipedia.org/wiki/IP_address_management

Question 126

Which of the following is the primary reason why a user would install a dial-up modem connection
allowing remote access on his desktop when the company offers a faster, more secure Internet
connection through the organization's network using VPNs?

• To access web sites that are blocked by the organization's proxy server.

• To circumvent the organization's security policy and mechanisms.

• To check their personal e-mail.

• To set up public services using the organization's resources.

Correct Answer is: To circumvent the organization's security policy and mechanisms.

Details:

The correct answer is: To circumvent the organization's security policy and mechanisms.

All the choices above represent examples of circumventing the organization's security policy, which is
the primary reason why a user would be using a dial-up Internet connection to connect remotely when a
secure connection is available through the organization's network.

This is a tricky question where the highest-level choice, the one that includes all of the other choices, is
the BEST answer.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14952

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 1: Understanding
Firewalls.

Question 127

Before the advent of classless addressing, the address 128.192.168.16 would have been considered part
of:

• a class A network.

• a class D network.

• a class B network.

• a class C network.

Correct Answer is: a class B network.

Details:

Before the advent of classless addressing, one could tell the size of a network by the first few bits of an
IP address. If the first bit was set to zero (the first byte being from 0 to 127), the address was a class A
network. Values from 128 to 191 were used for class B networks whereas values between 192 and 223
were used for class C networks. Class D, with values from 224 to 239 (the first three bits set to one and
the fourth to zero), was reserved for IP multicast.
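The classification rule described above can be checked mechanically. The following Python function is an added example, not part of the question bank or of its references; it decides the class from the leading bits of the first octet exactly as the explanation states, and, going one step further than the text, also recognises the reserved class E range (240 to 255, first four bits set to one) and derives the default mask that each unicast class implied before CIDR.

```python
import ipaddress
from typing import Optional

def classful_class(addr: str) -> str:
    """Return the pre-CIDR address class (A to E) of a dotted-quad IPv4 address.

    The decision uses only the leading bits of the first octet:
      0xxxxxxx ->   0-127  class A
      10xxxxxx -> 128-191  class B
      110xxxxx -> 192-223  class C
      1110xxxx -> 224-239  class D (IP multicast)
      1111xxxx -> 240-255  class E (reserved; added here, not in the question text)
    """
    ip = ipaddress.IPv4Address(addr)      # raises ValueError on a malformed address
    first_octet = int(ip) >> 24
    if first_octet & 0b10000000 == 0:
        return "A"
    if first_octet & 0b11000000 == 0b10000000:
        return "B"
    if first_octet & 0b11100000 == 0b11000000:
        return "C"
    if first_octet & 0b11110000 == 0b11100000:
        return "D"
    return "E"

# Default prefix length each unicast class implied before classless addressing.
_DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}

def classful_network(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Network the address belonged to under classful rules, or None for
    class D/E, which carried no host/network split."""
    prefix = _DEFAULT_PREFIX.get(classful_class(addr))
    if prefix is None:
        return None
    # strict=False lets ip_network zero out the host bits for us.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

if __name__ == "__main__":
    # Constructed sample addresses, one per class, plus the one from the question.
    for sample in ["128.192.168.16", "10.1.2.3", "192.168.1.1", "224.0.0.5", "240.1.1.1"]:
        print(f"{sample:>15}  class {classful_class(sample)}  network {classful_network(sample)}")
```

For the address in the question, `128.192.168.16`, the first octet is 128 (binary 10000000), so the function returns class B and the implied network is 128.192.0.0/16. Note that a modern host or router ignores these classes entirely; the only place the rule still matters is in reading old configurations and in recognising the 224.0.0.0/4 multicast block, which firewall rules often handle separately.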

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12288

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a
Security Viewpoint.

Question 128
What is an IP routing table?

• A list of station and network addresses with corresponding gateway IP address.

• A list of IP addresses and corresponding MAC addresses.

• A list of host names and corresponding IP addresses.

• A list of current network interfaces on which IP routing is enabled.

Correct Answer is: A list of station and network addresses with corresponding gateway IP address.

Details:

The correct answer is: A list of station and network addresses with corresponding gateway IP address.

A routing table is used when a destination IP address is not located on the current LAN segment. It
consists of a list of station and network addresses, each with a corresponding gateway IP address further
along the path, to which routing equipment should send packets that match that station or network address.

The following are incorrect answers:

A list of IP addresses and corresponding MAC addresses is an ARP table.

A DNS is used to match host names and corresponding IP addresses.

A list of current network interfaces on which IP routing is enabled is a distracter.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12288

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 3: TCP/IP from a
Security Viewpoint.
Thanks to Raj Khedkar for sending feedback to improve this question.

Question 129

Which of the following protocols SHOULD be allowed through a firewall to support easier
communication and usage by users?

• RIP

• IGRP

• DNS

• OSPF

Correct Answer is: DNS

Details:

The correct answer is: DNS

DNS is a service that must be allowed through an organization's firewall because without it, network
users won't be able to find anything unless they remember IP addresses for any sites they wish to
connect to. The Domain Name Service (DNS) is a method of resolving hostnames to IP addresses so
names can be used instead of IP addresses within networked environments.

DNSSEC should be considered today as a more secure replacement for DNS. If you make use of DNS
you must ensure it is properly configured to allow only queries (UDP 53) and not zone transfer (TCP 53).
Otherwise, abuse could be attempted against your DNS.

The following answers are incorrect:

RIP, IGRP and OSPF are interior IP routing protocols normally used to keep routing tables updated and
consistent inside an organization's network. Changes to an organization's routing tables should neither
be advertised to, nor come from, outside of the organization's network. Those protocols should not
normally be allowed through the organization's firewall to an external network like the Internet.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12714

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services
from a Security Viewpoint.

CISSP All In One Exam Guide Page number 590

CISA Review Manual 2014

Question 130

What is the greatest danger from DHCP?

• Having multiple clients on the same LAN having the same IP address.

• Having the organization's mail server unreachable.

• An intruder on the network impersonating a DHCP server and thereby misconfiguring the DHCP
clients.

• Having the wrong router used as the default gateway.

Correct Answer is: An intruder on the network impersonating a DHCP server and thereby misconfiguring
the DHCP clients.

Details:

The greatest danger from BootP or DHCP (Dynamic Host Configuration Protocol) is from an intruder on
the network impersonating a DHCP server and thereby misconfiguring the DHCP clients. Other choices
are possible consequences of DHCP impersonation.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12644

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 4: Sockets and Services
from a Security Viewpoint.
Thanks to Doug Rike for providing feedback to improve this question.

Question 131

Which of the following can be defined as an Internet protocol by which a client workstation can
dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server
has received and is holding for the client?

• IMAP

• MIME

• PEM

• SMTP

Correct Answer is: IMAP

Details:

The correct answer is: IMAP

RFC 2828 (Internet Security Glossary) defines the Internet Message Access Protocol (IMAP4) as an
Internet protocol by which a client workstation can dynamically access a mailbox on a server host to
manipulate and retrieve mail messages that the server has received and is holding for the client.

IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security
services.

MIME is the Multipurpose Internet Mail Extensions. MIME extends the format of Internet mail to allow
non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII
information in message headers.

Simple Mail Transfer Protocol (SMTP) is a TCP-based, application-layer, Internet Standard protocol for
moving electronic mail messages from one computer to another.

Privacy Enhanced Mail (PEM) is an Internet protocol to provide data confidentiality, data integrity, and
data origin authentication for electronic mail.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795

SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

Question 132

Which of the following is defined as an Internet, IPsec, key-establishment protocol, partly based on
OAKLEY, that is intended for putting in place authenticated keying material for use with ISAKMP and for
other security associations?

• Simple Key-management for Internet Protocols (SKIP)

• Internet Key exchange (IKE)

• Key Exchange Algorithm (KEA)

• Security Association Authentication Protocol (SAAP)

Correct Answer is: Internet Key exchange (IKE)

Details:

The correct answer is: Internet Key exchange

RFC 2828 (Internet Security Glossary) defines IKE as an Internet, IPsec, key-establishment protocol
(partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with
ISAKMP and for other security associations, such as in AH and ESP.

The following are incorrect answers:

SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are used to
encrypt data in IP packets.

The Key Exchange Algorithm (KEA) is defined as a key agreement algorithm that is similar to the Diffie-
Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly classified at the
secret level by the NSA.

Security Association Authentication Protocol (SAAP) is a distracter.


The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14868

SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

Question 133

Which of the following NAT firewall translation modes is required to make internal hosts available for
connection from external hosts?

• Network redundancy translation

• Static translation

• Load balancing translation

• Dynamic translation

Correct Answer is: Static translation

Details:

With static translation (also called port forwarding), a specific internal network resource (usually a
server) has a fixed translation that never changes. Static NAT is required to make internal hosts available
for connection from external hosts. In dynamic translation (also called Automatic, Hide Mode, or IP
Masquerade), a large group of internal clients share a single or small group of internal IP addresses for
the purpose of hiding their identities or expanding the internal network address space. Load Balancing
Translation is used to translate a single IP address and port to a pool of identically configured servers so
that a single public address can be served by a number of servers. In Network Redundancy Translation,
multiple Internet connections are attached to a single NAT firewall that it chooses and uses based on
load and availability.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14554

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 7: Network Address
Translation.

Question 134

Which of the following is the primary security feature of a proxy server?

• Content filtering

• Virus Detection

• Route blocking

• URL blocking

Correct Answer is: Content filtering

Details:

The correct answer is: Content Filtering

In many organizations, the HTTP proxy is used as a means to implement content filtering, for instance,
by logging or blocking traffic that has been defined as, or is assumed to be nonbusiness related for some
reason.

Although filtering on a proxy server or firewall as part of a layered defense can be quite effective to
prevent, for instance, virus infections (though it should never be the only protection against viruses), it
will be only moderately effective in preventing access to unauthorized services (such as certain remote-
access services or file sharing), as well as preventing the download of unwanted content.

HTTP Tunneling

HTTP tunneling is technically a misuse of the protocol on the part of the designer of such tunneling
applications. It has become a popular feature with the rise of the first streaming video and audio
applications and has been implemented into many applications that have a market need to bypass user
policy restrictions.

Usually, HTTP tunneling is applied by encapsulating outgoing traffic from an application in an HTTP
request and incoming traffic in a response. This is usually not done to circumvent security, but rather, to
be compatible with existing firewall rules and allow an application to function through a firewall without
the need to apply special rules, or additional configurations.

The following are incorrect choices:

Virus Detection: A proxy is not best at detecting malware and viruses within content. An antivirus
product would be used for that purpose.

URL blocking: This would be a subset of proxying. Based on the content, some URLs may be blocked by
the proxy, but it is not doing filtering based on URL addresses only. This is not the BEST answer.

Route blocking: This is a function that would be done by an Intrusion Detection or Intrusion Prevention
system and not the proxy. This could be done by filtering devices such as firewalls and routers as well.
Again, not the best choice.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14554

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 6195-6201). Auerbach Publications. Kindle Edition.

Question 135

Which of the following is an advantage of proxies?

• Proxies provide a single point of access, control, and logging.

• Proxies do not protect the base operating system.

• Proxies create a single point of failure.

• Proxies must exist for each service.

Correct Answer is: Proxies provide a single point of access, control, and logging.

Details:

By ensuring that all content flows through a single point, proxies provide a checkpoint for network data,
which is an advantage; the other choices describe liabilities rather than advantages.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14577

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 8: Application-Level
Proxies.

Question 136

In the context of network enumeration by an outside attacker and possible Distributed Denial of Service
(DDoS) attacks, which of the following firewall rules is not appropriate to protect an organization's
internal network?

• Allow echo reply outbound

• Drop echo request inbound

• Allow echo reply inbound

• Allow echo request outbound

Correct Answer is: Allow echo reply outbound

Details:

The correct answer is: Allow echo reply outbound

Echo replies outbound should be dropped, not allowed. There is no reason for any Internet user to
send an ICMP ECHO Request to your internal hosts from the Internet. If they wish to find out if a service is
available, they can use a browser to connect to your web server or simply send an email if they wish to
test your mail service.

Echo replies outbound could be used as part of the SMURF amplification attack, where someone will
send ICMP echo requests to gateways' broadcast addresses in order to amplify the request by the number
of hosts sitting behind the gateway.

By allowing inbound echo requests and outbound echo replies, it also makes it easier for attackers to learn
about the internal network by performing a simple ping sweep. ICMP can also be used to find
out which host has been up and running the longest, which would indicate which patches are missing on
the host if a critical patch required a reboot.

ICMP can also be used for DDoS attacks, so you should strictly limit what type of ICMP traffic would be
allowed to flow through your firewall.

On top of all this, tools such as LOKI could be used as a client-server application to transfer files back and
forth between the Internet and some of your internal hosts. LOKI is a client/server program
published in the online publication Phrack. This program is a working proof-of-concept to demonstrate
that data can be transmitted somewhat secretly across a network by hiding it in traffic that normally
does not contain payloads. The example code can tunnel the equivalent of a Unix RCMD/RSH session in
either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a
Unix system after root access has been compromised. Presence of LOKI on a system is evidence that the
system has been compromised in the past.

The outbound echo request and inbound echo reply allow internal users to verify connectivity with
external hosts.

The following answers are incorrect:

Allow echo request outbound: The outbound echo request and inbound echo reply allow internal users
to verify connectivity with external hosts.

Drop echo request inbound: There is no need for anyone on the Internet to attempt pinging your
internal hosts.

Allow echo reply inbound: The outbound echo request and inbound echo reply allow internal users to
verify connectivity with external hosts.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 20704

http://www.phrack.org/issues.html?issue=49&id=6

STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 10: The Perfect
Firewall.

Thanks to Jeff Hurst for providing feedback on how to improve this question.

Question 137

Another name for a VPN is a:

• tunnel

• one-time password

• pipeline

• bypass

Correct Answer is: tunnel

Details:

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14863

TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at http://www.cccure.org.

Question 138

What is a packet sniffer?

• It captures network traffic for later analysis.

• It scans network segments for cabling faults.

• It monitors network traffic for illegal packets.

• It tracks network connections to off-site locations.

Correct Answer is: It captures network traffic for later analysis.

Details:

The correct answer is: It captures network traffic for later analysis.

TCP/IP (as well as most protocols) is subject to passive attacks via monitoring or sniffing.

Network monitoring is the act of monitoring traffic patterns to obtain information about a network.
Packet sniffing is the act of capturing packets from the network in hopes of extracting useful information
from the packet contents.

Effective packet sniffers can extract usernames, passwords, email addresses, encryption keys, credit card
numbers, IP addresses, system names, and so on.

The following are incorrect answers:

All of the other answers are incorrect

The following reference(s) were used to create this question:

Stewart , James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information
Systems Security Professional Official Study Guide, 7th Edition, (Kindle Locations 12311-12316). Wiley.
Kindle Edition.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15885

TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Available at http://www.cccure.org.

Question 139

This OSI layer has a service that negotiates transfer syntax and translates data to and from the transfer
syntax for users, which may represent data using different syntaxes. At which of the following layers
would you find such service?

• Presentation

• Application

• Session

• Transport

Correct Answer is: Presentation

Details:
The correct answer is: Presentation

It is responsible for taking information from the "Application layer protocols" and putting it in a form
suitable for the application to process.

The presentation-layer implementation of the OSI protocol suite consists of a presentation protocol and
a presentation service. The presentation protocol allows presentation-service users (PS-users) to
communicate with the presentation service.

A PS-user is an entity that requests the services of the presentation layer. Such requests are made at
Presentation-Service Access Points (PSAPs). PS-users are uniquely identified by using PSAP addresses.

Presentation service negotiates transfer syntax and translates data to and from the transfer syntax for
PS-users, which represent data using different syntaxes. The presentation service is used by two PS-
users to agree upon the transfer syntax that will be used. When a transfer syntax is agreed upon,
presentation-service entities must translate the data from the PS-user to the correct transfer syntax.

The OSI presentation-layer service is defined in the ISO 8822 standard and in the ITU-T X.216
recommendation. The OSI presentation protocol is defined in the ISO 8823 standard and in the ITU-T
X.226 recommendation. A connectionless version of the presentation protocol is specified in the ISO
9576 standard.

To remember the OSI layers you can use the following Mnemonics:

The first one is from the bottom (Physical Layer - Layer 1) up (Application - Layer 7):

Please Do Not Throw Sausage Pizza Away

There is another mnemonic from the top down:

All People Seem To Need Data Processing

Both map to:

1. Physical - 2. Data link - 3. Network - 4. Transport - 5. Session - 6. Presentation - 7. Application

The following answers are incorrect:

Transport: Responsible for providing end-to-end data transport services and establishing the logical
connection between COMPUTERS, for example TCP and UDP.

Session: Responsible for maintaining the connection between two APPLICATIONS during the data transfer,
for example NFS and the RPC protocol.

Application: Works closest to the application; it does not itself contain applications but rather the
protocols that support the applications. For example, HTTP works at this layer, but the applications it
supports are IE, Mozilla, Opera, Chrome, and so on.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

http://www.cisco.com/cpress/cc/td/cpress/fund/ith2nd/it2432.htm

and

http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29

Question 140

At which layer of ISO/OSI does the fiber optics work?

• Data link layer

• Physical layer

• Network layer

• Transport layer

Correct Answer is: Physical layer

Details:

The correct answer is: Physical layer

The Physical layer is responsible for the transmission of the data through the physical medium. This
includes such things as cables. Fiber optics is a cabling mechanism which works at the Physical layer of the OSI
model.

All of the other answers are incorrect.


The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

Shon Harris all in one - Chapter 7 (Cabling)

Question 141

You wish to make use of "port knocking" technologies. How can you BEST explain this?

• This is where all the ports are open on the server and the connecting client scans the open port
to which he wants to connect to see if it's open and running.

• Port knocking is where the port sequence is encrypted with 3DES and only the server has the
other key to decrypt the port sequence.

• Port knocking is where the user calls the server operator to have him start the service he wants
to connect to.

• Port knocking is where the client will attempt to connect to a predefined set of ports to identify
him as an authorized client.

Correct Answer is: Port knocking is where the client will attempt to connect to a predefined set of ports
to identify him as an authorized client.

Details:

The correct answer is: Port knocking is where the client will attempt to connect to a predefined set of
ports to identify him as an authorized client. The port knocking sequence is used to identify the client as
a legitimate user.

The other answers are incorrect

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

http://www.portknocking.org/

Question 142

Tim is a network administrator of Acme Inc. He is responsible for configuring the network devices. John,
the new security manager, reviews the configuration of the firewall configured by Tim and identifies an
issue. This specific firewall is configured in failover mode with another firewall. A sniffer on a PC
connected to the same switch as the firewalls can decipher the credentials used by Tim while
configuring the firewalls. Which of the following should be used by Tim to ensure that no one can
eavesdrop on the communication?

• RSH

• SFTP

• SSH

• SCP

Correct Answer is: SSH

Details:

The correct answer is: SSH

The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the
data, it prevents sniffing attacks using a protocol analyzer also called a sniffer.

With more and more computers installed in networked environments, it often becomes necessary to
access hosts from a remote location. This normally means that a user sends login and password strings
for authentication purposes. As long as these strings are transmitted as plain text, they could be
intercepted and misused to gain access to that user account without the authorized user even knowing
about it.

Apart from the fact that this would open all the user's files to an attacker, the illegal account could be
used to obtain administrator or root access or to penetrate other systems. In the past, remote
connections were established with telnet, which offers no guards against eavesdropping in the form of
encryption or other security mechanisms. There are other unprotected communication channels, like
the traditional FTP protocol and some remote copying programs.

The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login
name and a password) and all the other data exchanged between the hosts. With SSH, the data flow
could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain
text unless the encryption key is known. So SSH enables secure communications over insecure networks
such as the Internet.

The following answers are incorrect:

SCP and SFTP

The SCP protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port
22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to
provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a
combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs
authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It
hinders the ability for packet sniffers to extract usable information from the data packets.

The SCP protocol has been superseded by the more comprehensive SFTP protocol, which is also based
on SSH.

RSH

RSH allows a user to execute commands on a remote system without having to log in to the system.
For example, RSH can be used to remotely examine the status of a number of access servers without
connecting to each communication server, executing the command, and then disconnecting from the
communication server.

As described in the rlogin article, the rsh protocol is not secure for network use, because it sends
unencrypted information over the network, among other things. Some implementations also
authenticate by sending unencrypted passwords over the network. rsh has largely been replaced by the
very similar SSH (secure shell) program on untrusted networks like the internet.

As an example of RSH use, the following executes the command mkdir testdir as user remoteuser on
the computer remotecomputer:

rsh -l remoteuser remotecomputer "mkdir testdir"

After the command has finished RSH terminates. If no command is specified then rsh will log in on the
remote system using rlogin.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15271

http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02.html

and

http://en.wikipedia.org/wiki/Remote_Shell

and

http://en.wikipedia.org/wiki/Secure_copy

Question 143

As described within your security policy, the CSO has implemented an e-mail package solution that
ensures integrity of messages sent using the SMIME standard. Which of the options below BEST
describes how it implements the environment to fulfill the policy's requirement?

• Implementing MIME solutions and providing a footer within each message sent, referencing to
policy constraints related to e-mail usage.

• Implementing RSA standard for messages envelope and instructing users to sign all messages
using their public key from their PKI digital certificate.

• Implementing RSA standard for messages envelope and instructing users to sign all messages
using their private key from their PKI digital certificate.

• Implementing PGP and allowing for recipient to receive the private key used to sign e-mail
message.

Correct Answer is: Implementing RSA standard for messages envelope and instructing users to sign all
messages using their private key from their PKI digital certificate.

Details:

The correct answer is: Implementing RSA standard for messages envelope and instructing users to sign
all messages using their private key from his/her PKI digital certificate.

The RSA e-mail standard here refers to the SMIME envelope. By using their private key to sign messages, users
ensure message integrity for recipients, who use the sender's public key to decrypt the hash and compare it
with the message content.

Exam candidates should be aware of e-mail solutions and technologies that address confidentiality,
integrity and non-repudiation.

The following answers are incorrect:

Implementing PGP and allowing for recipient to receive the private key used to sign e-mail message.

Implementing RSA standard for messages envelope and instructing users to sign all messages using their
public key from the PKI digital certificate.

Implementing MIME solutions and providing a footer within each message sent, referencing to policy
constraints related to e-mail usage.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12795

CISA Review Manual 2010 - Chapter 5 - 5.4.5-Encryption - Digital Envelope

Question 144

Attackers use a technique called ______ to exploit the trust between systems by pretending to be
someone else's IP address, or MAC address, or another trusted system. They can use this technique to
send a malformed packet containing a bug to the target system in order to mask the real source of the
attack.

• Exploiting

• Spoofing

• Choeping

• Smurfing

Correct Answer is: Spoofing

Details:
The correct answer is: Spoofing

The following answers are incorrect:

Smurfing

Choeping

Exploiting

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16246

Ethical hacking countermeasures v7

Question 145

What would you call the process that takes advantage of the security provided by a transmission
protocol by carrying one protocol over another?

• Piggy Backing

• Concealing

• Tunneling

• Steganography

Correct Answer is: Tunneling

Details:
The correct answer is: Tunneling

Computer networks use a tunneling protocol when one network protocol (the delivery protocol)
encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over
an incompatible delivery-network, or provide a secure path through an untrusted network.

Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The delivery
protocol usually (but not always) operates at a higher level in the model than does the payload protocol,
or at the same level.

To understand a particular protocol stack, network engineers must understand both the payload and
delivery protocol sets.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol
running over IP (IP Protocol Number 47), often serves to carry IP packets, with RFC 1918 private
addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery
and payload protocols are compatible, but the payload addresses are incompatible with those of the
delivery network.

Secure Shell tunneling

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection.
Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted
channel. For example, Windows machines can share files using the Server Message Block (SMB)
protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely
through the Internet, someone snooping on the connection could see transferred files. To mount the
Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote
fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption,
the encrypted SSH channel through which it travels offers security.

Tunneling to circumvent firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would
normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the
firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around
the intended firewall policy.

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the
HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular
server:port, and relays data between that server:port and the client connection. Because this creates a
security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The
proxy allows access only to a whitelist of specific authorized servers.
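The CONNECT restriction described above, as an added Python example (it is not from the question bank or any of its referenced sources): a proxy-side check that parses the CONNECT request line and relays only to an explicit allowlist of host:port pairs, rejecting malformed requests and unlisted targets. The hostnames and ports in ALLOWED_TARGETS are constructed.

```python
"""Allowlist check for the HTTP CONNECT method, as a CONNECT-capable proxy would apply it."""
import re

# Constructed allowlist: the only (hostname, port) pairs this proxy may relay to.
ALLOWED_TARGETS = {
    ("mail.example.com", 443),
    ("api.example.com", 443),
}

# CONNECT <host>:<port> HTTP/1.0|1.1 -- the authority form required by the CONNECT method.
_REQUEST_LINE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(request_line: str):
    """Return (host, port) from a CONNECT request line, or None if it is malformed."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").lower(), port


def decide_connect(request_line: str, allowed=ALLOWED_TARGETS):
    """Return (allowed, reason). Anything not explicitly allowlisted is refused."""
    target = parse_connect(request_line)
    if target is None:
        return False, "malformed CONNECT request"
    host, port = target
    if (host, port) not in allowed:
        return False, f"{host}:{port} not in allowlist"
    return True, f"relay to {host}:{port}"


if __name__ == "__main__":
    for line in ("CONNECT mail.example.com:443 HTTP/1.1",
                 "CONNECT mail.example.com:22 HTTP/1.1",
                 "GET / HTTP/1.1"):
        print(line, "->", decide_connect(line))
```

The check is deliberately default-deny: an attacker who can reach the proxy should not be able to turn it into a generic TCP relay to arbitrary server:port pairs, which is exactly the hole the text describes.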

The following answers are incorrect:

Piggy Backing
In security, piggybacking refers to when a person tags along with another person who is authorized to
gain entry into a restricted area, or pass a certain. The act may be legal or illegal, authorized or
unauthorized, depending on the circumstances. However, the term more often has the connotation of
being an illegal or unauthorized act.

To describe the act of an unauthorized person who follows someone to a restricted area without the
consent of the authorized person, the term tailgating is also used. "Tailgating" implies without consent
(similar to a car tailgating another vehicle on the freeway), while "piggybacking" usually implies consent
of the authorized person.

Piggybacking came to the public's attention particularly in 1999, when a series of weaknesses were
exposed in airport security. While a study showed that the majority of undercover agents attempting to
pass through checkpoints, bring banned items on planes, or board planes without tickets were
successful, piggybacking was revealed as one of the methods that was used in order to enter off-limits
areas.

Steganography

Steganography is the art and science of writing hidden messages in such a way that no one, apart from
the sender and intended recipient, suspects the existence of the message, a form of security through
obscurity. The word steganography is of Greek origin and means "concealed writing" from the Greek
words steganos (στεγανός) meaning "covered or protected", and graphein (γράφειν) meaning "to
write". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a
treatise on cryptography and steganography disguised as a book on magic. Generally, messages will
appear to be something else: images, articles, shopping lists, or some other covertext and, classically,
the hidden message may be in invisible ink between the visible lines of a private letter.

The advantage of steganography, over cryptography alone, is that messages do not attract attention to
themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion,
and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas
cryptography protects the contents of a message, steganography can be said to protect both messages
and communicating parties.

Steganography includes the concealment of information within computer files. In digital steganography,
electronic communications may include steganographic coding inside of a transport layer, such as a
document file, image file, program or protocol. Media files are ideal for steganographic transmission
because of their large size. As a simple example, a sender might start with an innocuous image file and
adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that
someone not specifically looking for it is unlikely to notice it.

Concealing

Concealment (also called abscondence or hiding) is obscuring something from view or rendering it
inconspicuous, the opposite of exposure. A military term is CCD: camouflage (object looks like its
surroundings), concealment (object cannot be seen), and deception (object looks like something else); in
a broad sense, all three are forms of concealment.

The objective of hiding is often to keep the presence of an object or person secret, but in other cases not
the presence is a secret, but only the location.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12892

Ethical Hacking Countermeasures v6.1

Ethical Hacking Countermeasures v7.0

Introduction to Ethical hacking

http://en.wikipedia.org/wiki/Tunneling_protocol

http://en.wikipedia.org/wiki/Steganography

http://en.wikipedia.org/wiki/Piggybacking_%28security%29

Question 146

The Loki attack exploits a covert channel using which network protocol?

• SMTP

• ICMP

• PPP

• TCP

Correct Answer is: ICMP

Details:

The correct answer is: ICMP.


The Loki attack uses the ICMP protocol for communications between two systems, but ICMP was
designed to be used only for sending status and error messages about the network. Because the Loki
attack is using ICMP in an unintended manner, this constitutes a covert channel attack.

The following answers are incorrect:

TCP, PPP, and SMTP are all incorrect.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339

Shon Harris, AIO, 5th Edition, Chapter 12: Operations Security, p. 1107

Question 147

Data which is properly secured and can be described with terms like "genuine" or "not corrupted from
the original" refers to data that has a high level of what?

• Availability

• Authorization

• Non-Repudiation

• Authenticity

Correct Answer is: Authenticity

Details:

The correct answer is: Authenticity

Authenticity refers to the characteristic of a communication, document or any data that ensures the
quality of being genuine or not corrupted from the original.

The following answers are incorrect:


Authorization is wrong because this refers to a user's ability to access data based upon a set of
credentials.

Availability is wrong because this refers to whether the systems that deliver data are accessible when
and where required by users.

Non-Repudiation is wrong because this is where a user cannot deny their actions on data they
processed. A classic example is a legal document you signed, either manually with a pen or digitally with
a signing certificate. If it is signed then you cannot claim you did not send the document or perform the
transaction.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14816

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, Volume 1, Module 1, Page.
11.

Question 148

Suppose you were on a network and needed to make outbound connections using SSH, but TCP port 22
is being blocked. How can you get your traffic out of that network without it being filtered by the
firewalling device, which otherwise lets only TCP port 80 flow through the filtering device?

• IP Source Routing

• HTTP Tunneling

• HTTPS as a Transport Protocol

• Bulk Network Encryption

Correct Answer is: HTTP Tunneling

Details:
The correct answer is: HTTP Tunneling

A firewall device can drop or permit network traffic based on ports, content, destination, source IP
Address, basically any characteristic can be used to control the flow of information through the firewall
device.

When a single port like TCP/80 (And/or 443 for SSL) is permitted it is possible to use 3rd party
applications to tunnel traffic over permitted ports through the firewalling devices.

In this case, an HTTP tunnel tool would capture our SSH traffic and change the destination port to
TCP/80. The other end must be listening on TCP/80 for this to work; the SSH data is unwrapped at
the destination and passed to the intended application. In this case it would be the SSH
daemon, and you'd have your SSH connection end to end.

HTTP Tunnel creates a bidirectional virtual data connection tunneled in HTTP Requests.

The following answers are incorrect:

IP Source Routing: This is incorrect. Most modern firewalling devices don't allow IP Source Routing and
wouldn't get your traffic out of a single router anyhow.

HTTPS as a Transport Protocol: This is incorrect

Bulk Network Encryption: Encryption is part of this answer's solution but only part. SSH uses encryption
to keep your network session secret but also stops content filtering devices from "seeing" your SSH
session inside the HTTP tunnel you're using.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12893

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 122

Wiki HTTP Tunneling Article

Wiki Web Filtering Article

Question 149

What was the major security risk with SNMPv1 with regards to attackers using a network sniffer on
your network?

• SNMPv1 only supports clear text community strings

• An attacker could capture the Default Community Strings

• CAM Table overflows

• MIB Database Overflows

Correct Answer is: SNMPv1 only supports clear text community strings

Details:

The correct answer is: SNMPv1 only supports clear text authentication through community strings

SNMPv1 only supports clear text authentication using a community string as a password. When sniffer
software became common this became a real security threat because attackers or malicious users could
capture SNMP community strings as they traversed the network.

Unfortunately SNMPv1 is still widely used in many networking devices and operating systems. Switches,
routers, Windows, Unix, Linux, firewalls, IDSes all support SNMP and can be vulnerable to community
string sniffing.

Mitigation: In a switched environment sniffing is less of a risk, but switches can be tricked into acting like
hubs with ARP floods and CAM table overflow attacks. It is recommended to upgrade to SNMPv3 where
possible. V3 is not compatible with V1 in message formats and protocol operations.

In a non-switched (hubbed) network, sniffers had free rein to capture ALL network traffic because it
was a single broadcast domain where all hosts "see" all traffic. Network cards placed into promiscuous
mode could capture all network traffic and dissect it for passwords, usernames, SNMP community
strings and so on.

Most modern devices support SNMPv3, so upgrade where possible or disable SNMP altogether.

The following answers are incorrect:

CAM Table overflows: This is not the correct answer because CAM table overflows are a vulnerability of
a network switch, not SNMP.

MIB Database Overflows: This is incorrect because MIB databases aren't the target for overflow attacks.

Default Community Strings: This was not the intended answer because while default community strings
are a serious risk if unchanged by the network administrator the threat doesn't stem from network
sniffers but from attackers who use default community strings to attack devices or systems running
SNMPv1.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14976

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 146

Wikipedia SNMP Article

Question 150
Which network management protocol suite uses community strings as authentication mechanisms?

• SAMP - Simple Administration Management Protocol

• SNMP - Simple Network Management Protocol

• SMTP - Simple Management Transfer Protocol

• NETMP - Network Management Protocol

Correct Answer is: SNMP - Simple Network Management Protocol

Details:

The correct answer is: SNMP - Simple Network Management Protocol

SNMP - Simple Network Management Protocol is a service that allows administrators to centrally
manage and monitor network hosts. SNMP runs on networking devices and computers. (Computers,
servers, UPS devices, switches, routers, printers etc.)

The SNMP MIB - Or SNMP Management Information Base is a data structure where values are read from
and written to by either the host or by the administrator.

You can read values from the MIB manually or they can be sent automatically from the device if a
threshold is met. (Example: A CPU utilization is greater than 50%, would send an alert to the
administrator.) These alert messages are called traps.

The administrator can also set values if he has the write community string.

If he only has the read community string he may only read values but not write them to the MIB. Values
are written to the MIB and the host reads them to make changes to the system.

Mitigation: SNMPv1 had weak authentication and passed credentials in clear text which can be sniffed
and used to gain access to devices. SNMPv2 and v3 added features and security but V3 is not
compatible with V1 devices.
The default community strings are public for read access and private for write access. These must be
immediately changed when new devices are deployed hosting SNMP because they are the first
community strings an attacker uses to gain access.

The following answers are incorrect:

NETMP - Network Management Protocol: This is not the correct answer. There is no known protocol
called NETMP.

SMTP - Simple Management Transfer Protocol: This is incorrect because SMTP is used for transferring
mail and messages between users and hosts. SMTP is the Simple Mail Transfer Protocol.

SAMP - Simple Administration Management Protocol: There is no known protocol named Simple Admin
Management Protocol.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14981

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 158.

SNMP on Wikipedia

Question 151

What is the name of the database structure that resides on SNMP Managed devices and is responsible
for the organization of information gathered from the device for later retrieval?

• SIB: System Information Base

• SMTP: Simple Machine Testing Protocol


• MIB - Management Information Base

• MIB: Management Implementation Base

Correct Answer is: MIB - Management Information Base

Details:

The correct answer is: MIB - Management Information Base

SNMP managed devices gather system information and store it in a hierarchical database structure
called the MIB - Management Information Base.

The MIB uses OID (Object ID) numbers to identify each value written by the system. These
values could include CPU utilization, network performance, system temperature or any other value the
hardware can produce that the system writes as a MIB value.

There are two ways messages can be retrieved from SNMP Managed devices:

1. SNMP Traps: These are sent automatically by the SNMP devices when a threshold is reached like
when a CPU runs at 100% for more than a few minutes. (Thus requiring human interaction)

2. SNMP Management Queries: These usually originate from the network administrator's SNMP
management station when he runs a report on his SNMP devices to see how they're doing.

The risks associated with SNMP originated with the earliest implementations but became a real
problem after the advent of network sniffers, when credentials could be captured from the network.

SNMPv1 and v2 sent authentication messages in clear text across the network, which were easily picked
up by packet loggers (sniffers). Security staff and hackers can use these captured credentials to log into
managed devices to gather information or disrupt the device's operation.

SNMP devices read configuration data from the MIB, so if dangerous settings are written to the devices
by an attacker the device could be damaged or disabled, interrupting network communications or
creating dangerous conditions.

Mitigation: It is recommended that SNMPv3 be deployed to all devices which can support it. Most
modern devices support SNMPv3 and it is a more secure option because it provides important security
features:

• Confidentiality - Encryption of packets to prevent snooping by an unauthorized source.

• Integrity - Message integrity to ensure that a packet has not been tampered with in transit
including an optional packet replay protection mechanism.

• Authentication - to verify that the message is from a valid source.

The following answers are all incorrect:

MOB: Management Observation Base

SIB: System Information Base

SMTP: Simple Machine Testing Protocol

All of the choices above are made up and do not exist in real life.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14981

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 146

ASN 1 on Wiki

OID - Object ID

MIB

Question 152
An attack that uses the processing power of distributed computers each assisting a little in the attack is
called what?

• Rainbow Attack

• IDS Evasion Attack

• Distributed Attack

• Centralized Attack

Correct Answer is: Distributed Attack

Details:

The correct answer is: Distributed Attack

Cracking passwords takes time and a lot of CPU horsepower. If the attacker could spread the processing
load across multiple systems, it would be a lot faster. This is where DNA - Distributed Network Attacks
become relevant.

L0phtcrack (pronounced like "loft") can pass about 10,000 passwords in 4-6 hours depending on the
processor speed. Passing some of the processing load to distributed computers can decrease the time it
takes to crack the passwords. (See also ophcrack.)

There are legitimate uses for distributed computing in science and technology research where people
agree to install software which responds to requests from the DNA Manager computer.

Basically, the client computer accepts the incoming processing request, executes it and returns the
results to the DNA Manager computer. In this attack the same technology is used to quicken the speed
of password cracking.

Mitigation: At best, after 3-5 attempts an account locks out and either a set period of time must pass
before the user may try again OR the account will remain locked until a security administrator can
investigate the reason for the failed logon attempts. (Most secure solution)

IDS - Intrusion Detection Systems can detect floods of passwords and take actions to stop them, like
automatically adding a firewall rule to block the source IP address. Requiring complex passwords,
training users, and keeping your systems patched and updated can also help mitigate password attacks.

Home computer users can help mitigate this threat by using a home-based firewall, host-based firewalls,
antivirus software and turning their computers off when not in use.

Updated antivirus software would likely block the malware that makes your computer take part in the
operation. Also, NOT installing software from untrusted sources can help block the install of this
malware.

Internet service providers could do more to mitigate these threats but it is not in their financial interest
to do so. Only laws to enforce this activity would make this happen.
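The lockout rule from the mitigation above, as an added Python example (not from the question bank or its references): a policy object that refuses further attempts after a configurable number of consecutive failures, either for a fixed period or until an administrator clears the lock. Usernames, timestamps and thresholds are constructed.

```python
"""Failed-logon lockout policy: timed lockout, or lockout held until an administrator clears it."""


class LockoutPolicy:
    def __init__(self, max_attempts=5, lockout_seconds=900, require_admin_unlock=False):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.require_admin_unlock = require_admin_unlock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> unlock time; float("inf") means an admin must clear it

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Timed lockout has expired: clear it and reset the counter.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Return "ok", "denied" or "locked". A locked account is refused even with the right password."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_attempts:
            self.locked_until[user] = (float("inf") if self.require_admin_unlock
                                       else now + self.lockout_seconds)
            return "locked"
        return "denied"

    def admin_unlock(self, user):
        """Administrator clears the lock after investigating the failed attempts."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def demo_timed():
    """Five failures in a row, then the correct password during and after a 900 s lockout."""
    p = LockoutPolicy(max_attempts=5, lockout_seconds=900)
    out = [p.attempt("alice", False, t) for t in range(5)]   # t = 0..4 seconds (constructed)
    out.append(p.attempt("alice", True, 10))                   # still locked
    out.append(p.attempt("alice", True, 905))                  # lockout expired
    return out


def demo_admin_unlock():
    """Three failures lock the account until an administrator unlocks it."""
    p = LockoutPolicy(max_attempts=3, require_admin_unlock=True)
    out = [p.attempt("bob", False, t) for t in range(3)]
    out.append(p.attempt("bob", True, 10**6))                  # time alone never unlocks it
    p.admin_unlock("bob")
    out.append(p.attempt("bob", True, 10**6 + 1))
    return out


if __name__ == "__main__":
    print(demo_timed())
    print(demo_admin_unlock())
```

Note that the correct password is refused while the lock is held: if a lockout were lifted by a successful logon, a distributed guesser that eventually hit the right password would never notice the lock.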

The following answers are incorrect:

Centralized Attack: This is not correct because it is the opposite of Distributed.

Rainbow Attack: This is not correct because rainbow tables are not mentioned in the question.

IDS Evasion Attack: This is an incorrect answer because it does not involve evading IDSes.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16193

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 174

ophcrack (Rainbow table password cracker)

Question 153
Of the following choices, which type of traffic is NOT at risk if it is sniffed?

• Telnet traffic

• FTP - File Transport Protocol

• POP Mail

• SSH - Secure Shell

Correct Answer is: SSH - Secure Shell

Details:

The correct answer is: SSH

SSH - Secure Shell traffic can be sniffed off the network, but since it is encrypted it is NOT a problem if it
is captured. The attacker cannot make sense of the data.

SSH traffic is encrypted between the SSH server and client and is generally therefore not subject to
effective sniffing. The traffic can be captured and viewed but it's obviously scrambled and unusable.

It should be noted that since the advent of switching devices it has become slightly more difficult to sniff
network traffic, because there is a virtual link set up between host and switch, so not all hosts see ALL
network traffic like in the days of hubs.

Computers talk directly to switches, which then aggregate traffic to pass to other switches or routers, so
network traffic isn't "seen" by all hosts as with hubs.

Mitigation: Always use secure protocols where possible so that even if traffic is captured it is not useful
to the attacker. Also, using full-duplex switches ensures that most traffic is segregated between
computer and switch and not broadcast to all hosts.

The following answers are incorrect:


FTP - File Transfer Protocol: FTP is clear text so the password and user name goes across the network
much like Telnet so it IS subject to sniffing.

Telnet Traffic: Telnet traffic is clear text and can easily be sniffed off the wire.

POP Mail: Pop mail is unencrypted so it IS subject to sniffing.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15859

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 7, Page 351

Question contributed by: Gregory F. Miller

Question 154

Of the following answers, which is BEST described by the act of transmitting specially crafted probe
packets to a host then sniffing the packets sent in response to your probes?

• Passive Sniffing

• Active Sniffing

• Direct Sniffing

• Packet Capturing

Correct Answer is: Active Sniffing

Details:

The correct answer is: Active Sniffing


When an attacker just wants to sit there quietly and capture packets without being noticed he would be
using passive sniffing. On the contrary he can send crafted packets with a purpose of eliciting a certain
response from a remote host.

Certain responses can be elicited by the attacker. This means he can stimulate a remote host to emit
packets by sending packets himself then capture the results.

Such elicited traffic can reveal more information than plain packets passing on the network.

Mitigation:

- Use network switches to better segregate traffic.

- Use encrypted network protocols like 443/SSL, SSH - Secure Shell and avoid clear text protocols like
FTP, Telnet and POP mail.

- Use an antivirus system with updated signatures

- HBSS - Host-Based security Systems with updated signatures

- Host-based firewalls and IDS systems

- Only installing Operating systems and software from known and trusted sources

The following answers are incorrect:

Passive Sniffing: Passive sniffing involves simply running a promiscuous mode wireless card (Sniffer) and
gathering packets for later analysis. This is the opposite of active sniffing.

Direct Sniffing: This is not correct.

Packet Capturing: This is not the right answer but capturing packets is usually referred to as 'sniffing'.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15859

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 7, Page 353.

Question 155

Which of the following terms BEST describes network protocols which are subject to being sniffed off a
network and examined by an attacker?

• SSH - Secure Shell

• Clear Text Protocols

• HTTPS Traffic

• VPN Traffic

Correct Answer is: Clear Text Protocols

Details:

The correct answer is: Clear Text Protocols

There are secure protocols for network use like SSH - Secure Shell and HTTPS/443/SSL traffic but there
are also protocols like the following which send traffic in clear/plain text which is easily captured and
read by attackers:

HTTP - Hypertext Transfer Protocol, used by web browsers to view websites.

SMTP - Simple Mail Transfer Protocol used to retrieve mail from a mail server.

NNTP - Network News Protocol, an old-school way to read postings by other people.

POP - Post Office Protocol. An unsecure way to check email on a mail server.

FTP - File Transfer Protocol. Uses telnet as a control channel to retrieve files.

Telnet - A plain text terminal emulator for executing shell commands on a remote server.

When a sniffer is run on a network, traffic can be 'seen' by the sniffing host because it accepts all packets
arriving at its interface. Ordinarily network hosts only process packets whose destination is their own IP
address. Sniffers process ALL packets and can capture the traffic for later examination.

The following answers are incorrect:

SSH - Secure Shell: SSH traffic is encrypted and thus NOT subject to being sniffed. Incorrect.

HTTPS Traffic: This is incorrect, HTTPS is encrypted web traffic.

VPN Traffic: VPNs are encrypted and thus NOT subject to sniffer attack in most cases.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15859

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 7, Page

VPN

Question 156

If a host receives an ARP response from an IP Address that is already in the receiver's ARP Cache then
that cache entry is updated with the sender's specified hardware address. What security problem could
this lead to?

• Nothing, this is a normal ARP Cache update

• DHCP Server Resource Depletion

• MITM - Man In the Middle Attack

• ARP Poisoning

Correct Answer is: ARP Poisoning

Details:

The correct answer is: ARP Poisoning

When a host receives an ARP response from a host that is already in its cache, it updates its ARP cache
to reflect the change even if the hardware address is different. Such responses are called gratuitous
ARP replies: you get a reply but never asked for it in the first place.

This means that it is easy for an attacker to control the victim PC's ARP cache and make it think it is
talking to an otherwise trusted host when it is actually talking to the attacker's machine.

This means that the attacker's computer could intercept traffic from the victim PC, keep a copy, then
forward it on to the intended destination, leaving the victim unaware.

Mitigation: Static ARP entries can be effective on some operating systems, but not all.

Static ARP Entry:

arp -s 10.5.1.1 AA:BB:CC:DD:EE:FF

This would assign 10.5.1.1 to always use the hardware address AA:BB:CC:DD:EE:FF and disregard any
incoming attempts to modify that entry.
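As an added example (not part of the question bank and not any operating system's real ARP code), the following Python models a host-side ARP cache monitor: it accepts updates the way the text describes, raises an alert whenever an unsolicited reply changes an existing entry or creates one out of nowhere, and refuses to overwrite entries pinned the way `arp -s` does. The gateway address 10.5.1.1 and the MAC AA:BB:CC:DD:EE:FF come from the text; the second MAC and the 10.5.1.7 host are constructed.

```python
"""Host-side ARP cache monitor: flags gratuitous replies and MAC changes, honours static entries."""


class ArpCacheMonitor:
    def __init__(self):
        self.cache = {}       # ip -> mac, the dynamic ARP cache as the OS keeps it
        self.static = {}      # ip -> mac pinned with `arp -s`; never overwritten by replies
        self.pending = set()  # ips this host has sent an ARP request for and not yet resolved
        self.alerts = []

    def add_static(self, ip, mac):
        mac = mac.lower()
        self.static[ip] = mac
        self.cache[ip] = mac

    def request(self, ip):
        """Record that we asked 'who has ip?'; the next reply for it is solicited."""
        self.pending.add(ip)

    def reply(self, ip, mac):
        """Process an ARP reply claiming that ip is at mac."""
        mac = mac.lower()
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append(f"{ip}: reply from {mac} conflicts with static entry "
                                   f"{self.static[ip]} (ignored)")
            return                      # static entries are never updated by replies
        solicited = ip in self.pending
        self.pending.discard(ip)
        old = self.cache.get(ip)
        if old is not None and old != mac:
            kind = "solicited" if solicited else "gratuitous"
            self.alerts.append(f"{ip}: MAC changed {old} -> {mac} ({kind} reply)")
        elif old is None and not solicited:
            self.alerts.append(f"{ip}: unsolicited reply from {mac} created a new entry")
        self.cache[ip] = mac            # the OS accepts the update; the monitor only alerts


def run_dynamic_sample():
    """Constructed sequence: a legitimate answer, then a poisoning-style gratuitous reply."""
    m = ArpCacheMonitor()
    m.request("10.5.1.1")
    m.reply("10.5.1.1", "AA:BB:CC:DD:EE:FF")   # answer to our own request: normal
    m.reply("10.5.1.1", "de:ad:be:ef:00:01")   # unsolicited reply with a different MAC
    m.reply("10.5.1.7", "00:11:22:33:44:55")   # unsolicited reply for an address never asked about
    return m


def run_static_sample():
    """Same gratuitous reply against an entry pinned like `arp -s 10.5.1.1 AA:BB:CC:DD:EE:FF`."""
    m = ArpCacheMonitor()
    m.add_static("10.5.1.1", "AA:BB:CC:DD:EE:FF")
    m.reply("10.5.1.1", "de:ad:be:ef:00:01")
    return m


if __name__ == "__main__":
    for alert in run_dynamic_sample().alerts + run_static_sample().alerts:
        print(alert)
```

The dynamic run shows why the question's scenario matters: the cache really does end up pointing 10.5.1.1 at the second MAC, and the only defence on a host without static entries is to notice the change. The static run shows the `arp -s` entry holding its value.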

The following answers are incorrect:

Nothing, this is a normal ARP Cache update: This is incorrect. While this may appear to be normal ARP
activity it leads directly to the conditions where ARP poisoning can occur.

MITM - Man In the Middle Attack: This is a man in the middle attack, but more specifically it is a
condition vulnerable to ARP Poisoning. MITM encompasses a large variety of situations. ARP Poisoning
was a better response. ARP Poisoning is a form of MITM attack.

DHCP Server Resource Depletion: This is not correct. When an attacker sends a flood of DHCPDISCOVER
messages it can deplete the pool of IP addresses on the DHCP server, but that is not what is happening
here.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15319

1994 TCP/IP Illustrated Volume 1, W. Richard Stevens. Page 63.

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 8 Page 365.

ARP Spoofing

Question 157

What is the term generally used to describe a computer that tries to set up communications with another
computer, only to drop the conversation when the other side responds to the initial request with a
SYN-ACK packet, so that the three-way handshake is never completed by the computer initiating the request?

• SYN Flood

• FIN Attack

• ICMP Flood Attack

• Distributed Denial of Service

Correct Answer is: SYN Flood

Details:

The correct answer is: SYN Flood

A SYN Flood is a type of DoS attack.


For your exam you should know the information below:

TCP Handshake

TCP must set up a virtual connection between two hosts before any data are sent. This means the two
hosts must agree on certain parameters, data flow, windowing, error detection, and options. These
issues are negotiated during the handshaking phase.

Image Source - http://www.georgecoding.com/index.php/tcpdump-and-3-way-handshake/

The host that initiates communication sends a synchronous (SYN) packet to the receiver. The receiver
acknowledges this request by sending a SYN/ACK packet. This packet translates into, “I have received
your request and am ready to communicate with you.” The sending host acknowledges this with an
acknowledgment (ACK) packet, which translates into, “I received your acknowledgment. Let’s start
transmitting our data.” This completes the handshaking phase, after which a virtual connection is set up,
and actual data can now be passed. The connection that has been set up at this point is considered full
duplex, which means transmission in both directions is possible using the same transmission line.

If an attacker sends a target system SYN packets with a spoofed address, then the victim system replies
to the spoofed address with SYN/ACK packets. Each time the victim system receives one of these SYN
packets it sets aside resources to manage the new connection. If the attacker floods the victim system
with SYN packets, eventually the victim system allocates all of its available TCP connection resources
and can no longer process new requests. This is a type of DoS that is referred to as a SYN flood. To
thwart this type of attack you can use SYN proxies, which limit the number of open and abandoned
network connections. The SYN proxy is a piece of software that resides between the sender and receiver
and only sends on TCP traffic to the receiving system if the TCP handshake process completes
successfully.
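The handshake tracking that a SYN proxy or stateful filter performs, as an added example that is not part of the study guide: the packet trace, the addresses and the backlog limit are constructed for illustration.

```python
"""Added example, not from the study guide: a minimal stateful tracker for the
TCP three-way handshake, the logic a SYN proxy or stateful filter applies.
It replays constructed packet events, keeps per-connection state, reports
which connections completed the handshake (the only ones a SYN proxy would
forward), drops out-of-sequence packets, and counts half-open connections
held against each server so a SYN flood shows up as backlog exhaustion."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port" of the sender (a spoofed source looks like any other)
    dst: str    # "ip:port" of the receiver
    flags: str  # "SYN", "SYN/ACK" or "ACK"


class HandshakeTracker:
    """Tracks (client, server) pairs through SYN_SENT -> SYN_RECEIVED -> ESTABLISHED."""

    def __init__(self, backlog=4):
        self.backlog = backlog  # assumed per-server half-open capacity
        self.state = {}         # (client, server) -> state name
        self.dropped = []       # packets that do not fit the expected sequence

    def observe(self, pkt):
        if pkt.flags == "SYN":
            # A client starts a connection; the server now has to hold state for it.
            self.state[(pkt.src, pkt.dst)] = "SYN_SENT"
        elif pkt.flags == "SYN/ACK":
            # The server answers, so the pair is (client=dst, server=src).
            key = (pkt.dst, pkt.src)
            if self.state.get(key) != "SYN_SENT":
                self.dropped.append(pkt)  # SYN/ACK with no prior SYN: out of sequence
                return
            self.state[key] = "SYN_RECEIVED"  # half-open from the server's point of view
        elif pkt.flags == "ACK":
            key = (pkt.src, pkt.dst)
            if self.state.get(key) != "SYN_RECEIVED":
                self.dropped.append(pkt)  # ACK for a connection that is not half-open
                return
            self.state[key] = "ESTABLISHED"

    def established(self):
        return sorted(k for k, s in self.state.items() if s == "ESTABLISHED")

    def half_open_per_server(self):
        return dict(Counter(server for (_, server), s in self.state.items()
                            if s == "SYN_RECEIVED"))

    def flooded_servers(self):
        """Servers whose half-open connections have reached the backlog limit."""
        return sorted(srv for srv, n in self.half_open_per_server().items()
                      if n >= self.backlog)


# Constructed trace (RFC 5737 documentation addresses): one legitimate client
# completes the handshake, four spoofed sources send SYNs that are never
# acknowledged, and one stray SYN/ACK arrives for a client that never sent a SYN.
SERVER = "192.0.2.10:80"
SAMPLE_TRACE = [
    Packet("203.0.113.5:40001", SERVER, "SYN"),
    Packet(SERVER, "203.0.113.5:40001", "SYN/ACK"),
    Packet("203.0.113.5:40001", SERVER, "ACK"),
    Packet(SERVER, "203.0.113.99:1234", "SYN/ACK"),  # no SYN preceded this
] + [p for i in range(4) for p in (
    Packet(f"198.51.100.{i}:5000", SERVER, "SYN"),
    Packet(SERVER, f"198.51.100.{i}:5000", "SYN/ACK"),
)]


def analyze(trace, backlog=4):
    """Replay a trace and summarise what a stateful device would conclude."""
    tracker = HandshakeTracker(backlog)
    for pkt in trace:
        tracker.observe(pkt)
    return {
        "established": tracker.established(),
        "half_open": tracker.half_open_per_server(),
        "flooded": tracker.flooded_servers(),
        "dropped": len(tracker.dropped),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```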

The following answers are incorrect:


• Distributed Denial of Service: This is incorrect, but it would be correct on a larger scale of DOS
attacks. DDOS attacks or Distributed DOS attacks are essentially the same thing as a DOS attack, only with
many computers attacking one or more targets.

• ICMP Flood Attack: This is not correct because ICMP messages aren't used to set up
communications between two computers. ICMP Flood attacks can exhaust ICMP protocol stacks but aren't
generally called a DOS attack.

• FIN Attack: Not a valid attack.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16218

CISSP All In one Exam Guide 6th Edition Page Number 539

CISA review manual 2014 Page number 323

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 435

Question 158

Which of the following best describes the type of DOS attack that floods traffic to a high-speed internet
backbone router with the source address of the target thus eliciting massive responses to the intended
target?

• Reflective DDoS Attack

• ICMP Flood attack

• Bounceback DDoS Attack

• Direct DDoS Attack

Correct Answer is: Reflective DDoS Attack

Details:

The correct answer is: Reflective DDoS Attack

Here is a simple step-by-step explanation of a RDDoS Attack:

- Attacker sends a flood of packets to an internet backbone router with spoofed source addresses.

- The source address is whoever the attacker is targeting.

- The internet backbone router receives the packets, sees the source address and dutifully sends its
responses back to the supposed source.

- Unsolicited responses return to the victim, who is quickly overwhelmed by the high-speed internet
routers.

- These attacks are difficult to investigate because the packets are forged; following them back to a
source and blocking them is possible, but it's not easy.

Mitigation:

- Have restrictive router configurations to resist floods or at least throttle them.

- Prevent fraudulently addressed network traffic from being permitted out of the network

- Internet service providers have a responsibility to help mitigate these attacks since they often originate
at private internet service provider enclaves. (They resist helping because it would cost them money to
man a response section despite being better for the community at large.)

The following answers are incorrect:

Direct DDoS Attack: This isn't correct because in this attack the attacker floods the target directly.

Bounceback DDoS Attack: This isn't a correct answer.

ICMP Flood attack: This isn't the intended answer because Reflective DDoS attacks may be carried out
with ICMP packets but aren't limited to such.

The following reference(s) were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16193

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 449.

Question 159

If I were to call my ex-wife and hang up when she answered the phone over and over to a degree that
she could not legitimately use her phone anymore: What attack in the computer networking world
would this be called?

• A Botnet Attack

• A Distributed Denial of Service

• Reflective DDoS Attack

• Denial of Service

Correct Answer is: Denial of Service

Details:

The correct answer is: Denial of Service

When a service is abused to a degree that it becomes useless to the owner it is a common denial of
service.

In this case calling my ex-wife and hanging up might also be considered stalking but in computer
networking it is a denial of service or DOS Attack.

If, for example a web server is listening on TCP/80 and a malicious attacker floods the TCP Service with
connection attempts in the form of TCP SYN Packets, this can render the web server unable to process
normal connection requests from web browsing users.

Mitigation:

- Disable unused and insecure services

- Update kernels to the latest releases and keep system patches up to date

- Prevent fraudulently addressed network traffic from being permitted out of the network

- Ensure all systems use an updated antivirus system

- Harden network infrastructure components and protocols

- Use an antivirus system with updated signatures

- HBSS - Host-Based Security Systems with updated signatures

- Host-based firewalls and IDS systems

The following answers are incorrect:

A Distributed Denial of Service: This is incorrect. If I and a bunch of my friends called my ex-wife and she
was unable to use her phone because of it, THIS answer would be correct. This is different from the
intended answer.

Reflective DDoS Attack: This is not the correct answer. It might have been correct if I had called a bunch
of people with a spoofed caller ID number and told them to call me back at that number. A Reflective
DDOS Attack floods traffic to a high-speed internet backbone router with the source address of the
target, thus eliciting massive responses to the intended target and taking it offline.

A Botnet Attack: This is not correct. A botnet attack would otherwise be called a Distributed DOS attack.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16852

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 449

Question contributed by: Gregory F. Miller

Question reviewed by: Clement Dupuis


TIP FROM CLEMENT !!!!

The question refers to a SYN FLOOD attack where you send a very large number of SYN packets, then
you receive a large number of SYN-ACK as responses, and you never complete the connection with a
final acknowledgement.

The remote server would have all possible connections in what is called WAIT STATE and nobody else
can connect to that server because all possible connections are consumed.

Question 160

Which of the following answers best describes a system set up with a deliberately low security posture
to attract attackers away from more critical servers?

• HBSS - Host Based Security System

• LSS - Low Security System

• Monkeypot

• Honeypot

Correct Answer is: Honeypot

Details:

The correct answer is: Honeypot

When attackers get into networks they root around looking for unsecured systems. Once they find one
they may spend time there, giving forensic investigators more and more evidence, like logfile entries,
which can be used in legal proceedings against the interlopers.

Clever network administrators may even seed the honeypot with interesting-looking files to keep the
attackers distracted and on that system.

Mitigation:

- Disable unused and insecure services

- Update kernels to the latest releases and keep system patches up to date

- Prevent fraudulently addressed network traffic from being permitted out of the network

- Ensure all systems use an updated antivirus system

- Harden network infrastructure components and protocols

- Use an antivirus system with updated signatures

- HBSS - Host-Based Security Systems with updated signatures

- Host-based firewalls and IDS systems

- Only install operating systems and software from known and trusted sources

The following answers are incorrect:

Monkeypot: This isn't the correct answer but it is by far the funniest.

LSS - Low Security System: This seems like a good answer but it is not correct although it does describe a
Honeypot.

HBSS - Host Based Security System: This isn't right but HBSSes are a common component in network and
system security.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21900

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 456.

Question 161

What sort of Denial of Service attack involves sending a flood of ICMP Echo Request packets with
spoofed source IP addresses to a broadcast address on a gateway, causing storms of traffic back
to the source IP address of those packets?

• PING of Death

• ARP Cache Timeouts

• Smurf Attack

• Trinoo DDoS Attack

Correct Answer is: Smurf Attack

Details:

The correct answer is: Smurf Attack

A Smurf attack is also a type of DOS attack; it involves sending a flood of ICMP packets with a spoofed
source IP address to broadcast addresses, causing a storm of traffic when systems respond.

You can disable ICMP on systems but that makes network troubleshooting more difficult and doesn't
eliminate other types of DOS attacks like SYN Floods. It could be a wise contribution to a defense in
depth strategy.

Mitigation:

- Disable unused and insecure services

- Update kernels to the latest releases and keep system patches up to date

- Prevent fraudulently addressed network traffic from being permitted out of the network

- Ensure all systems use an updated antivirus system

- Harden network infrastructure components and protocols

- Use an antivirus system with updated signatures

- HBSS - Host-Based Security Systems with updated signatures

- Host-based firewalls and IDS systems

The following answers are incorrect:

Trinoo DDoS Attack: Trinoo or Trin00 attacks are similar to Smurf attacks but don't ordinarily involve
ICMP packets.

ARP Cache Timeouts: This is incorrect. ARP Cache timeouts are an important part of ARP - Address
Resolution Protocol cache maintenance. Systems usually flush the ARP Cache entry after between 2-20
minutes, but later versions of Microsoft Windows lowered the timeout to a random timeout between 15-
45 seconds.

PING of Death: This is incorrect because a PING of Death attack involves (historically) sending an
oversized PING (Packet INternet Groper) packet to an unpatched (and very old) operating system,
causing it to possibly crash or hang.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12672

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 10 Page 441.

Question 162

Which of the following answers is the term used to describe an attack where IP Fragments are sent with
overlapping offset in the subsequent fragments?

• Trinoo DDoS Attack

• Smurf attack

• Teardrop Attack

• PING of Death

Correct Answer is: Teardrop Attack

Details:

The correct answer is: Teardrop Attack

While modern computers aren't vulnerable to this sort of attack, it is valuable to understand the methods
attackers use to craft packets in ways that target systems aren't prepared to handle, creating a situation
where the system may become unstable.

When the value of the IP fragment offset is inconsistent or overlaps with other IP Frags the system (At
the time back in the 90s) didn't know how to reassemble the packets and caused issues with unpatched
systems.

Good firewalls can block these and Intrusion Detection - IDSes can notify when they're seen but these
items are really just Band-Aids on already vulnerable systems on internal networks. If vendors were
forced to really secure their systems we wouldn't need firewalls and IDSes to make up for their lack of
security.

Mitigation:

- Disable unused and insecure services

- Update kernels to the latest releases and keep system patches up to date

- Prevent fraudulently addressed network traffic from being permitted out of the network

- Ensure all systems use an updated antivirus system

- Harden network infrastructure components and protocols

- Use an antivirus system with updated signatures

- HBSS - Host-Based Security Systems with updated signatures

- Host-based firewalls and IDS systems

The following answers are incorrect:

Smurf attack: Smurf is a type of DOS attack also but involves sending a flood of ICMP packets with
spoofed source IP Address sent to broadcast addresses causing a storm of traffic when systems respond.

PING of Death: This is incorrect because a PING of Death attack involves (Historically) sending an
oversized PING (Packet INternet Groper) packet to an unpatched (and very old) operating system
causing it to possibly crash or hang.

Trinoo DDoS Attack: Trinoo or Trin00 attacks are similar to Smurf attacks but don't ordinarily involve
ICMP packets.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16013

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 3, Page 436.

Question contributed by: Gregory F. Miller

Question 163

What is the very first condition or action in a DOS Attack, not including the actual attack?

• System Antivirus doesn't detect the threat

• A computer being vulnerable to attack to begin with

• End user infecting their system

• Attacker sending a stream of malicious packets

Correct Answer is: A computer being vulnerable to attack to begin with

Details:

The correct answer is: A computer being vulnerable to attack to begin with.

There is a philosophy in reasoning that revolves around going to the source of incidents or situations. It's
called the "Five Whys", and in this case it's not the actual DOS attack, nor the computer getting infected;
it's that the computer was vulnerable to begin with.

- Why was the system attacked? Because it was vulnerable.

- Why was it vulnerable? Because the software code was buggy or dangerously written.

- Why was it Buggy? The programmer made mistakes.

- Why did the programmer make mistakes? He was inexperienced or careless

- Why was he careless or inexperienced? He didn't care about his work enough or is a new programmer.

- Why doesn't he care about his work? He doesn't have a good work ethic or hasn't been programming
long. (Actually two Whys)

- Why doesn't he have a good work ethic?

You can see this could go on a lot longer than five whys, and at some point we would reach the core of
the problem, which would likely be human error.

Realistically the software code was written probably as well as the coder or company could create at the
time. In the end the root cause really goes back to human fallibility, which is what computer attackers
really take advantage of: Human Error.

It is this sort of reasoning and thought that can help us understand problems, predict attacks and
plan accordingly.

Mitigation:

- Disable unused and insecure services

- Update kernels to the latest releases and keep system patches up to date

- Prevent fraudulently addressed network traffic from being permitted out of the network

- Ensure all systems use an updated antivirus system

- Harden network infrastructure components and protocols

- Use an antivirus system with updated signatures

- HBSS - Host-Based Security Systems with updated signatures

- Host-based firewalls and IDS systems

- Only install operating systems and software from known and trusted sources

- Don't follow ANY links sent in emails, even from known sources

The following answers are incorrect:

Attacker sending a stream of malicious packets: This is almost right but it isn't the first part of the attack.
The system must be vulnerable to attack to begin with.

End user infecting their system: This is almost right but since the system must be vulnerable to begin
with it isn't the correct answer.

System Antivirus doesn't detect the threat: This isn't right. Antivirus is good to have but it can't detect
ALL vulnerabilities on a system and if the malware has reached the computer it may be too late.

The following reference(s) were used to create this question:

SYBEX CISSP (ISC)2 Certified Information Systems Security Professional OFFICIAL study guide, Seventh
Edition Page 540 or Kindle Location 14538.

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16852

Question 164

At which OSI layer does SSL reside?

• Application

• Session

• Transport

• Network

Correct Answer is: Transport

Details:

The correct answer is: Transport

The following answers are incorrect:

Application - SSL resides in the transport layer.

Session - While SSL does straddle both the session and transport layers, for exam purposes, choose
transport.

Network - SSL resides in the transport layer.

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15288

All In One CISSP Exam guide by Shon Harris, Chapter 7, pg 493

Question contributed by: Michael B. Morell


Email or CCCure Nickname of question author: LordInfidel

Thanks to Doug Rike for providing feedback to improve this question.

Quote from Shon Harris

"Different references can place specific protocols at different layers. For example, many references
place the Secure Sockets Layer (SSL) protocol in the session layer, while other references place it in the
transport layer. It is not that one is right or wrong. The OSI model tries to draw boxes around reality, but
some protocols straddle the different layers. SSL is made up of two protocols--one that works in the
lower portion of the session layer and the other works in the transport layer. For purposes of the CISSP
exam, SSL resides in the transport layer."

Note from Mike: As one who has spent a lot of time inside packet captures looking at SSL traffic, when I
first encountered this question I got it wrong, opting for session layer.

I've included the reference from Shon's book so that others understand that for the purpose of the
exam, SSL resides in the transport layer. In the off chance however, the exam allows you to choose 2
answers, choose both transport and session.

Question 165

Which of the following protocols might help defend against session hijacks?

• ARP - Address Resolution Protocol

• TCP/IP Protocol Suite

• DHCP - Dual Host Configuration Protocol

• IPSec - IP Security

Correct Answer is: IPSec - IP Security


Details:

The correct answer is: IPSec

IPSec is an end-to-end security protocol suite for securing IP (Internet Protocol) communications
between hosts on the internet. It is a host-to-host virtual private network protocol.

IPSec is a protocol suite developed by the IETF for securing IP communications by authenticating and
encrypting each IP packet of a communication session.

IPSec Benefits:

- Replay protection.

- Network-level peer authentication.

- Data origin authentication.

- Data integrity.

- Data confidentiality.

It operates at the Internet layer (like IP itself) and can either encrypt only the data (payload) or the
entire packet, which is then encapsulated into a new IP packet for transport and de-encapsulated at the
receiving end.

The point of all this is that once the data leaves the terminal it is nearly impossible to be sniffed off the
wire in a usable format. Even if it is sniffed off the wire it will be useless to the attacker apart from some
unencrypted header information that is necessary to even move the data around the network.

You can't encrypt MAC and IP address or TCP header info as it's necessary to be available to
intermediary devices to reach the destination. (switches, routers or even other hosts)

Modes of IPSec:

- Transport Mode: Authenticates two connected computers. Has an option to encrypt data transfer.
Compatible with NAT.

- Tunnel Mode: Encapsulates packets being transferred. Has an option to encrypt data transfer. Not
compatible with NAT.

Mitigation:

- Use end to end encryption so that even if the session is hijacked the data is useless to the attacker.

- Use IPSec, a set of protocols developed by the IETF - Internet Engineering Task Force to harden
packets at the IP layer.

- Enforce switch port security with 802.1X (Certificate Security) so that rogue devices aren't permitted to
talk on the LAN.

- Minimize remote access into the network.

- Develop a comprehensive security plan to avoid the circumstances where attackers can gain access to
the local network to attack internal hosts.

The following answers are incorrect:

ARP - Address Resolution Protocol: This isn't the right answer. ARP is a totally unauthenticated protocol
that operates at layer 2 of the OSI model. Essentially it lets hosts figure out how to talk on a switched
network by sharing unique MAC addresses. ARP doesn't enhance security at all; in fact, since it's not
authenticated, any host can come online claiming whatever MAC address it wants. So when hosts come
up looking for their file or email server at the IP address 10.5.1.10, a rogue client can say "Yes, that's me,
send me your traffic" with an ARP Reply message that looks something like "10.5.1.10 is at
DE:EA:BE:EF:CA:FE" (or whatever MAC he wants to use), and he now receives whatever traffic you would
ordinarily send to that server (plus credentials). An appropriate mitigation to ARP insecurity is using
802.1X certificate security.

TCP/IP: This isn't correct; it's the TCP/IP protocol suite's vulnerabilities which open systems up to certain
kinds of session hijack attack. The suite is 63 separate protocols, each of which has its own
vulnerabilities.

DHCP: This isn't right. DHCP servers only hand out IP addresses to DHCP hosts and don't really add
much security. In fact, you might say it presents a security risk because it can be manipulated into giving
out all its IP address leases to a rogue client pretending to be a bunch of hosts. Also, DHCP traffic gives
away much information about hosts on the network which can be sniffed, like MAC addresses, hostnames,
IP addresses, default routers and whatever other information is configured by the DHCP server (which
can be a lot, actually).

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 11, Page
496.

Question 166

Of the following answers which would NOT help defend against Session Hijack Attacks?

• Using Telnet based applications

• ArpWatch

• IPSec

• OpenSSH

Correct Answer is: Using Telnet based applications

Details:

The correct answer is: Using Telnet based applications

Telnet is a deprecated application that sends data in clear text unless you're using network encryption
protocols like IPSec.

Don't forget that telnet, apart from being an unencrypted shell for a remote system, can also be used to
host applications on a remote server, so it's not only the telnet shell program but telnet-supported
programs to be cautious with.

Without a network encryption protocol telnet (And FTP because it uses telnet as a control channel)
sends traffic in clear text over the network which is very easy to sniff off the wire.

If you want to carry out a practical exercise run snort on your wireless card and dump the sniffed
packets to a file. On another system FTP or Telnet into a computer and log on.

Then go to the packet capture file and grep for your username or password (grep MyPassword) and it
will pop right up.

The other answers are all ways to secure against session hijacking attacks.

Mitigation:

- Use end to end encryption so that even if the session is hijacked the data is useless to the attacker.

- Use IPSec, a set of protocols developed by the IETF - Internet Engineering Task Force to harden
packets at the IP layer.

- Enforce switch port security with 802.1X (Certificate Security) so that rogue devices aren't permitted to
talk on the LAN.

- Minimize remote access into the network.

- Develop a comprehensive security plan to avoid the circumstances where attackers can gain access to
the local network to attack internal hosts.

The following answers are incorrect:

OpenSSH: SSH replaced telnet years ago so this is the wrong answer.

IPSec: IPSec is a great way to secure your network so this isn't the right answer.

ArpWatch: This is a good tool to run to monitor for people carrying out ARP-level mischief.
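The kind of check ArpWatch performs, applied to the rogue "10.5.1.10 is at ..." reply described under Question 165, as an added example that is neither the study guide's nor arpwatch's own code: the reply lines are constructed, in Wireshark's simplified "IP is at MAC" form rather than arpwatch's log format.

```python
"""Added example, not from the study guide: an arpwatch-style monitor for ARP
reply spoofing. It parses constructed reply lines in the simplified
"IP is at MAC" form, learns the first MAC seen for each IP, reports every later
reply that claims a different MAC for that IP (the flip-flop a rogue reply
produces), and lists any single MAC that ends up claiming several IPs."""
import re
from collections import defaultdict

# Matches "10.5.1.10 is at de:ea:be:ef:ca:fe" in any letter case; ARP requests
# ("WHO HAS ... TELL ...") and unrelated lines do not match.
ARP_REPLY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for anything else."""
    m = ARP_REPLY.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()


def watch(lines):
    """Replay reply lines; return the learned IP->MAC table and a list of alerts."""
    table = {}   # ip -> first MAC learned for it (treated as the trusted binding)
    alerts = []
    for line in lines:
        parsed = parse_reply(line)
        if parsed is None:
            continue
        ip, mac = parsed
        if ip not in table:
            table[ip] = mac
        elif table[ip] != mac:
            # Another station answered for an IP we already know. The table keeps
            # the original binding; the alert carries the competing claim.
            alerts.append({"ip": ip, "known": table[ip], "claimed": mac})
    return table, alerts


def suspect_macs(alerts):
    """MACs that were claimed for more than one IP across the alerts."""
    claims = defaultdict(set)
    for alert in alerts:
        claims[alert["claimed"]].add(alert["ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


# Constructed capture using the addresses from the question text: a rogue host
# first claims the file server's IP, then a second IP on the same subnet.
SAMPLE_LINES = [
    "10.5.1.1 IS AT 22:33:44:55:66:77",
    "10.5.1.10 is at 00:11:22:33:44:55",
    "ARP WHO HAS 10.5.1.10 TELL 11:22:33:44:55:66",
    "10.5.1.10 is at DE:EA:BE:EF:CA:FE",
    "10.5.1.1 is at de:ea:be:ef:ca:fe",
]

if __name__ == "__main__":
    learned, found = watch(SAMPLE_LINES)
    for alert in found:
        print(f"ALERT {alert['ip']}: known {alert['known']}, now claimed by {alert['claimed']}")
    print("suspect MACs:", suspect_macs(found))
```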

The following reference(s) were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16311

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 11, Page
495.

Further Reading:

OpenSSH

IPSec

ArpWatch

Question 167

Of the following answers where is the best location on a physical corporate network for a publicly
accessible high-traffic web server to be positioned?

• CEN - Corporate External Network outside the DMZ

• IIN - Isolated Internal Network

• CIN - Corporate Internal Network

• DMZ - Area between outer packet filtering router but before the internal firewall

Correct Answer is: DMZ - Area between outer packet filtering router but before the internal firewall

Details:

The correct answer is: DMZ - Area between outer packet filtering router but before the internal firewall.

Any server exposed to the open internet is subject to attack, and if an attack is successful it can lead to
the server becoming a launch pad for further attacks.

For this reason it is important to position publicly accessible servers on untrusted areas of your network,
like the area between the external router/filtering device and the firewall protecting your internal
network.

Mitigation:

Ensure you are using a strong, well-configured filtering routing device at your border. Such devices can
filter bad packets and detect and filter attacks, permitting only legitimate traffic to your DMZ servers.

Typically administrators use strong firewalls to protect internal networks and routing/filtering devices
to filter unnecessary traffic into the DMZ.

Further, it is common to use a server for only a single service, like web or email, because each comes
with its own set of vulnerabilities. If one service on a server is compromised it can lead to the other
services on that server being compromised, OR the network on which the server resides (separation of
services).

The following answers are incorrect:

- CIN - Corporate Internal Network: This is not correct. You wouldn't want to place a busy server hosting
public services on your internal network.

- CEN - Corporate External Network outside the DMZ: This isn't correct either. It is important to filter
inappropriate traffic hitting your public services.

- IIN - Isolated Internal Network: In this case no internet users could access the server so it would be
pointless to even have the server so this isn't correct.

** These acronyms are not known to be commonly used terms and were created to be potential
alternate answers to DMZ.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 12, Page
528.

Question 168

Imagine you are looking at a packet capture of traffic from a client requesting access to the SSH daemon
on a server. You find the initial SYN packets from the client have seemingly random target ports and
finally TCP/22 at which point the client is granted access to the SSH Daemon by the firewall. What are
you seeing?

• Port Knocking

• Dynamic Firewall Rules

• Browser Cookies

• SYN Cookies

Correct Answer is: Port Knocking

Details:

The correct answer is: Port Knocking

When TCP conversations occur between two hosts on a network, the traffic is directed between TCP
ports on the two hosts. Generally SSH servers listen on 22/TCP so that clients know which port should be
listening on the server.

Servers can use the process called port knocking, where the service listens only to clients who
successfully send a series of packets to a required series of ports in the proper sequence. After the
proper sequence is seen, the firewall rules are dynamically modified to permit that host's source IP
address to access the desired service. There is a variant of this involving a single encrypted TCP packet.
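The knock-sequence logic described above, as an added example that is not from the study guide or from any port-knocking daemon: the knock ports, the timers and the client addresses are assumptions chosen for illustration.

```python
"""Added example, not from the study guide: a server-side port-knock state
machine. It replays constructed connection attempts (source IP, destination
port, time in seconds), opens TCP/22 for a source only after the exact knock
sequence arrives in order and in time, and keeps that dynamic rule for a
limited window. The knock ports and timers are assumptions, not a standard."""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed sequence; any closed ports would do
PROTECTED_PORT = 22
KNOCK_TIMEOUT = 5.0   # seconds allowed between consecutive knocks
OPEN_WINDOW = 30.0    # seconds the dynamic allow rule lives after a full sequence


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT, window=OPEN_WINDOW):
        self.sequence = sequence
        self.timeout = timeout
        self.window = window
        self.progress = {}  # src -> (index of next expected knock, time of last knock)
        self.allowed = {}   # src -> expiry time of its dynamically added firewall rule

    def handle_syn(self, src, port, now):
        """Firewall decision for one SYN: 'allow' or 'drop'."""
        if port == PROTECTED_PORT:
            expiry = self.allowed.get(src)
            if expiry is not None and now <= expiry:
                return "allow"
            self.allowed.pop(src, None)  # an expired rule is removed
            return "drop"

        # Any other port is a potential knock. Knocks are never answered, so a
        # scanner sees exactly what it would see on a closed port.
        idx, last = self.progress.get(src, (0, now))
        if now - last > self.timeout:
            idx = 0  # too slow: the partial sequence is forgotten
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1  # wrong port, but it may be the start of a fresh attempt
        else:
            idx = 0  # wrong port resets the attempt
        if idx == len(self.sequence):
            self.allowed[src] = now + self.window
            self.progress.pop(src, None)
        else:
            self.progress[src] = (idx, now)
        return "drop"


# Constructed events in time order (RFC 5737 addresses): a legitimate client
# knocks in order, a scanner hits 22 directly and then knocks out of order, a
# slow client lets the knock timeout expire, and the legitimate client returns
# after its 30-second window has closed.
SAMPLE_EVENTS = [
    ("203.0.113.7", 7000, 0.0), ("198.51.100.9", 22, 0.5),
    ("203.0.113.7", 8000, 1.0), ("198.51.100.9", 9000, 1.5),
    ("203.0.113.7", 9000, 2.0), ("198.51.100.9", 8000, 2.5),
    ("203.0.113.7", 22, 3.0), ("198.51.100.9", 7000, 3.5),
    ("198.51.100.9", 22, 4.5),
    ("203.0.113.8", 7000, 10.0), ("203.0.113.8", 8000, 20.0),
    ("203.0.113.8", 9000, 21.0), ("203.0.113.8", 22, 22.0),
    ("203.0.113.7", 22, 40.0),
]


def replay(events, daemon=None):
    """Run events through the daemon; return the decision for every SYN to port 22."""
    daemon = daemon or KnockDaemon()
    decisions = []
    for src, port, now in events:
        decision = daemon.handle_syn(src, port, now)
        if port == PROTECTED_PORT:
            decisions.append((src, now, decision))
    return decisions


if __name__ == "__main__":
    for src, now, decision in replay(SAMPLE_EVENTS):
        print(f"t={now:>5}  {src:<14} -> {decision}")
```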

The following answers are incorrect:

- SYN Cookies: This isn't correct but it is used to resist SYN flood attacks.

- Browser Cookies: This is not correct. Browser cookies are usually used to track

- Dynamic Firewall Rules: This isn't correct but these rules are a part of the port knocking process.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 12, Page
500.

Reference:

Port Knocking on Wikipedia

Question 169

Of the following answers which is a way to quickly discover weaknesses on servers?

• Vulnerability Scanners

• SSL - Secure Sockets Layer

• SSH - Secure Shell

• Nmap - Network Mapper

Correct Answer is: Vulnerability Scanners


Details:

The correct answer is: Vulnerability Scanners

Tools like Nikto, Nessus, Retina, ISS, or queso can quickly scan thousands of servers looking for
vulnerabilities. Obscurity was never really security but when every reachable IP Address on the internet
can be scanned for vulnerabilities in minutes even obscure websites got attacked.

Vulnerability scanners can be programmed to scan a range of IP Addresses looking for vulnerable
systems and can launch automated attacks giving even the most novice of "hackers" access to
vulnerable systems.

Mitigation:

- Practice good patch management and apply software patches to all your systems

- Firewall your servers and limit only one service per server to limit damage should the server become
compromised.

The following answers are incorrect:

- Nmap - Network Mapper: This isn't correct. Nmap isn't usually a vulnerability scanner, but it can
quickly determine which servers have TCP/80 open.

- SSH - Secure Shell: This is incorrect. SSH is a secure shell replacement for telnet that uses PKI - Public
Key Infrastructure to secure sessions.

- SSL - Secure Sockets Layer: This also isn't correct. SSL is a means to protect web traffic data in transit.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16083

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 12, Page 536

Nikto Site

Question 170

Which of the following protocols would BEST mitigate threats of sniffing attacks on web application
traffic?

• SSL or TLS

• SSH - Secure Shell

• ARP Cache Security

• 802.1X

Correct Answer is: SSL or TLS

Details:

The correct answer is: SSL or TLS

Without some sort of encryption, web application data is vulnerable to sniffing and interception by
attackers on the network while it traverses the network. If we observe sniffer traffic on an unencrypted
network we can clearly see the contents of user interaction with the web server and its applications.

SSL - Secure Sockets Layer or TLS - Transport Layer Security

There are similarities between these two protocols, and TLS 3.1 supersedes SSL 2.0, but they are not
interoperable. Today both protocols are commonly used on many web servers. In either case SSL/TLS
encrypts network traffic as it traverses the wire and protects it from sniffing attacks.

The following answers are incorrect:

802.1X: This wouldn't secure data in transit but it would help prevent unauthorized devices from
connecting to your network and sniffing data. Also Known As "Dot 1 X" or "The Extensible
Authentication Protocol (EAP)" it provides infrastructure protection by requiring certificates to connect.

ARP Cache Security: This wouldn't mitigate the threat of network sniffing of web app data.

SSH - Secure Shell: Incorrect. SSH is a TELNET replacement that encrypts traffic to mitigate the threat
of network sniffers on SSH connections.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page
569.

Question 171

Why is it so easy to spoof MAC addresses on wireless AND regular copper LAN networks?

• Because they're not copyrighted

• You can't encrypt MAC Addresses

• Because MAC Addresses are sent in the clear

• Because Layer 2 MAC addresses are unauthenticated

Correct Answer is:

Because Layer 2 MAC addresses are unauthenticated

Details:

The correct answer is: Because Layer 2 MAC addresses are unauthenticated

MAC addresses used in Layer 2 communications are completely unauthenticated, so any host on the
network can respond to ARP queries claiming whichever MAC address it likes.

Recall that computers on a local subnet only really use layer 2 addresses to communicate. They acquire
the MAC address of the intended host by issuing an ARP Request which would look something like this in
wireshark:

ARP WHO HAS 10.5.1.1 TELL 11:22:33:44:55:66

Assuming all was normal the host with that MAC address would respond with:

10.5.1.1 IS AT 22:33:44:55:66:77

At that point the two hosts could talk using MAC addresses. IP Addresses are used but only to resolve
the MAC addresses they use.

Also, remember that MAC addresses are only relevant on local subnets and are not evident past the first
layer 3 device, which replaces the source MAC address with its own as the packet makes its way through
the layer 3 device.

Mitigation: It is important to use 802.1x Certificate Security on both wireless and wired networks.
802.1X or simply Dot1X is where we assign certificates to each device and they cannot use the network if
they do not have a valid and trusted certificate.

The following answers are incorrect:

Because MAC Addresses are sent in the clear: Technically this is usually true unless the packet were
enclosed in a VPN packet and encrypted. Otherwise MAC addresses are clearly observable to sniffers.
This is incorrect though because this is only a basic part of the real problem that Layer 2
communications are usually

You can't encrypt MAC Addresses: This is true but not the real reason it's easy to spoof MAC Addresses.
If you encrypted the header portions of packets where MAC Addresses reside, other devices on the network
wouldn't know where to send the packet, so you can't encrypt headers. You could use a VPN to encrypt
and enclose a packet in a VPN packet.

Because they're not copyrighted: MAC Addresses aren't copyrighted but they are unique to vendors
because the first half of a MAC address identifies the vendor. The second half is supposed to be unique.
They are sometimes pirated by foreign manufacturers so you could possibly see MAC conflicts.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13772

Stevens, Richard W. 1994. TCP/IP Illustrated, Volume 1: The Protocols. Pg 58.

Question 172

Which of the following authentication protocols encrypts only the password in the access-request packet,
from the client to the server, versus the whole body of the packet?

• XTACACS

• TACACS+

• RADIUS

• TACACS

Correct Answer is: RADIUS

Details:

The correct answer is: RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of
remote and other network connections. Once intended for use on dial-up connections, it has moved far
beyond that and has many modern features. It is used on both wired and wireless networks.

The RADIUS protocol is an IETF standard, and it has been implemented by most of the major operating
system manufacturers. A RADIUS server can be managed centrally, and the servers that allow access to a
network can verify with a RADIUS server whether an incoming caller is authorized. In a large network
with many connections, this allows a single server to perform all authentications.

The communication is encrypted using a fixed key between the RADIUS Client and the RADIUS Server.
However, the information is NOT encrypted between the Supplicant and the RADIUS Client.

PACKET ENCRYPTION

RADIUS

RADIUS encrypts only the password in the access-request packet, from the client to the server. The
remainder of the packet is unencrypted. Other information, such as username, authorized services, and
accounting, can be captured by a third party.

TACACS+

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the
header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful
to have the body of the packets unencrypted. However, during normal operation, the body of the packet
is fully encrypted for more secure communications.

The following answers are incorrect:

TACACS

Terminal Access Controller Access-Control System (TACACS) is a client-server-oriented environment, and
it operates in a manner similar to how RADIUS operates.

XTACACS

Extended TACACS (XTACACS) replaced the original and combined authentication and authorization with
logging to enable auditing.

TACACS+

The most current method or level of TACACS is TACACS+, and this replaces the previous two
incarnations. TACACS+ allows credentials to be accepted from multiple methods, including Kerberos.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14959

Dulaney, Emmett (2011-06-03). CompTIA Security+ Study Guide: Exam SY0-301 (p. 186-187). John Wiley
and Sons. Kindle Edition.

Question 173

Which of the following protocols directly supported within the browser makes using an open wireless
network safer for web browser traffic?

• SSL

• DHCP

• HTTPS

• SSH

Correct Answer is:

SSL

Details:

The correct answer is: SSL

NOTE: Another correct answer and safer choice could have been TLS considering the many issues SSL
has suffered over the past couple years. However, TLS was NOT on the list and SSL is the best choice out
of the 4 choices presented.

Even on an untrusted wireless network, or any network, the very last line of defense for secure web browser
connections is SSL/TLS. If you have nothing else, such as a VPN connection or password-protected and
encrypted wireless, the web browser with an SSL/TLS-secured connection can be your best protection
against sniffing.

Technically TLS superseded SSL but the terms are used interchangeably despite being different.

NOTE FROM CLEMENT ABOUT THE NEVER ENDING SSL/TLS DEBATE

The old debate about the exact location of SSL and TLS within the OSI and DoD model has been ongoing
for years. Even the standard does not state exactly where SSL and TLS sits within the models. It is vague
and mostly applies to the DoD model.

The protocol standard (RFC 6101) says:

"The primary goal of the SSL protocol is to provide privacy and reliability between two communicating
applications. The protocol is composed of two layers. At the lowest level, layered on top of some reliable
transport protocol (e.g., TCP [RFC 793]), is the SSL record protocol.

The SSL record protocol is used for encapsulation of various higher level protocols. One such
encapsulated protocol, the SSL handshake protocol, allows the server and client to authenticate each
other and to negotiate an encryption algorithm and cryptographic keys before the application protocol
transmits or receives its first byte of data. One advantage of SSL is that it is application protocol
independent. A higher level protocol can layer on top of the SSL protocol transparently "

As you can see from the latest RFC above for Version 3 of SSL, it sits on top of a reliable transport
protocol. TCP is at the transport layer, so if you make use of the OSI Model SSL would be at the Session
Layer, the layer on top of Transport. However, if you make use of the DoD Model then it would be at the
application layer. See the graphic below showing where it would sit within the layers.

UNIFORM RESOURCE IDENTIFIER

The HTTPS uniform resource identifier (URI) scheme has identical syntax to the standard HTTP scheme,
aside from its scheme token. However, HTTPS signals the browser to use an added encryption layer of
SSL/TLS to protect the traffic. SSL/TLS is especially suited for HTTP, since it can provide some protection
even if only one side of the communication is authenticated. This is the case with HTTP transactions over
the Internet, where typically only the server is authenticated (by the client examining the server's
certificate).

In information technology, a Uniform Resource Identifier (URI) is a string of characters used to identify a
resource. Such identification enables interaction with representations of the resource over a network,
typically the World Wide Web, using specific protocols. Schemes specifying a concrete syntax and
associated protocols define each URI. The most common form of URI is the Uniform Resource Locator
(URL), frequently referred to informally as a web address. More rarely seen in usage is the Uniform
Resource Name (URN), which was designed to complement URLs by providing a mechanism for the
identification of resources in particular namespaces.

A URL is simply a URI that happens to point to a resource over a network.

However, in non-technical contexts and in software for the World Wide Web, the term URL remains
widely used. Additionally, the term web address (which has no formal definition) often occurs in non-
technical publications as a synonym for a URI that uses the http or https scheme. Such assumptions can
lead to confusion, for example in the case of XML namespaces, which have a visual similarity to
resolvable URIs.

While most URI schemes were originally designed to be used with a particular protocol, and often have
the same name (such as the http scheme, which is generally used for interacting with web resources
using HTTP), they should not be referred to as protocols. Some URI schemes are not associated with any
specific protocol (e.g. file) and many others do not use the name of a protocol as their prefix (e.g. news).

To make a long story short, the best answer is SSL: by using https:// you tell or signal the browser to
make use of SSL/TLS. As explained above, the best choice today would most likely be TLS, which has
superseded SSL. However, TLS was not one of the 4 choices. As mentioned in the paragraph above,
URI schemes such as HTTP or HTTPS should NOT be referred to as protocols.

The following answers are incorrect:

DHCP: Sorry, incorrect. It is a Layer 7 protocol, so you got that part right, but DHCP makes networks less
secure because it can give attackers information about the network or even hand them an IP address
configuration. DHCP can also be subject to resource starvation by attackers flooding it with DHCP
requests.

HTTPS: Technically HTTPS isn't a protocol itself, rather it's a way of layering HTTP on top of SSL/TLS
adding security to standard HTTP communications. HTTPS (HTTP over SSL or HTTP Secure) is the use of
Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sublayer under regular HTTP application
layering. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the
Web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks. HTTPS
was developed by Netscape.

SSH: This isn't the right answer. Using SSH - Secure Shell to connect to a server is more secure than
telnet but it isn't normally a web protocol. Yes, you could tunnel your web traffic through SSH but it is
not directly supported inside the browser.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15288

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page
737.

Question 174
Which wireless encryption method uses the same key for encryption as it does for authentication of all
wireless clients?

• WEP

• WIFPA

• WEP Enterprise 2

• WEP2

Correct Answer is: WEP

Details:

The correct answer is: WEP

Cited as a major weakness of WEP, using the same key for encryption as it does for client authentication
doomed WEP from the start.

Some of the other WEP weaknesses are:

- The IV is a 24-bit field, too small to be effective. It is also sent in the clear text portion of a message.

- Identical key streams are produced with the reuse of the same IV for data protection because the IV is
short and key streams are repeated after a short period of time.

- Lack of centralized key management and encryption key distribution.

- WEP is based on a password, prone to password cracking attacks.

- Uses RC4 which is a stream cipher and designed to be a one-time cipher not intended for multiple
message use. One-time ciphers are never supposed to be reused.

Overall the problems of WEP stem from it being developed out of view of the general public and
cryptologists who would have pointed out these weaknesses prior to release.

Mitigation: Use WPA2 or one of its variants. Or avoid wireless altogether.

The following answers are incorrect:

WEP 2 Enterprise: This isn't a real encryption method. Sorry.

WPA2: WPA2 does not use the same key for encryption that it uses for authentication.

WEP2: Sorry, there is no such thing as WEP2 as of this writing.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13551

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 13, Page
692.

Question 175

Which type of Firewall typically operates at the session layer of the OSI model?

• Bastion Host Firewall

• A host-based firewall

• Packet Filtering Firewall

• Circuit-Level Gateway Firewall

Correct Answer is: Circuit-Level Gateway Firewall

Details:

The correct answer is: Circuit-Level Gateway Firewall

Circuit-Level gateway firewalls operate at the session layer of the OSI model or the TCP layer of the DoD
TCP/IP Model.
They monitor TCP handshake traffic between hosts to determine whether a request session is
legitimate.

Packets passed to the remote computer through this type of gateway appear to have originated from
the gateway firewall and not the internal host.

The following answers are incorrect:

Packet Filtering Firewall: This is not correct because this sort of firewall simply filters out obviously
unwanted traffic either because it's from a known dangerous source, contains inappropriate packets or
other unwanted traffic.

Bastion Host Firewall: This isn't right because a bastion host is not a firewall but a server hosted in the
DMZ and hardened from attack. It hosts limited services to mitigate the threat of attack from
compromised software.

A host-based firewall: This isn't correct because it doesn't operate at the session layer of the OSI Model.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12253

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 16, Page
761.

Question 176

Which of the following answers BEST describes a type of firewall that can filter packets at the top layer
of the OSI Model?

• An ARP layer Firewall

• Bastion Host Firewall

• Application-Level Firewall

• Packet Filtering Firewall

Correct Answer is:

Application-Level Firewall

Details:

The correct answer is: Application-Level Firewall

An Application Firewall can control network traffic on any OSI Layer up to and including the Application
Layer.

Also known as a third-generation firewall, an application layer firewall can detect and understand
anomalies or patterns of attack in certain applications and protocols such as FTP, DNS or web browsing
traffic.

It can also detect whether an unwanted protocol is being tunneled through another application or
whether a protocol is being abused in a dangerous manner. Using a protocol in a way it was not meant
to be used is referred to as a Covert Channel.

The following answers are incorrect:

Packet Filtering Firewall: This is not correct because this sort of firewall simply filters out obviously
unwanted traffic either because it's from a known dangerous source, contains inappropriate packets or
other unwanted traffic.

Bastion Host Firewall: This isn't right because a bastion host is not a firewall but a server hosted in the
DMZ and hardened from attack. It hosts limited services to mitigate the threat of attack from
compromised software.

An ARP layer Firewall: This isn't correct because ARP operates at Layer 2 of the OSI and not the
Application Layer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12253

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 16, Page
762.

Question 177

What attack becomes possible when your firewall or hosts do not reassemble incoming traffic prior to
being processed and examined for threats?

• Mod_rewrite attacks

• IDS Buffer Overflow attacks

• Router Offset attack

• Fragmentation Attacks

Correct Answer is: Fragmentation Attacks

Details:

The correct answer is: Fragmentation Attacks

When packets arrive they should be reassembled and examined for threats by the firewall prior to
being forwarded to a host. If they are not, an attack could be slipped through the firewall, because it is
possible to spread an attack across multiple packets so that the threat is not seen until the packets are
reassembled and examined in their unfragmented form.

Mitigation: It is important to configure your IPS (Intrusion Prevention System), routers, IDS (Intrusion
Detection System) or firewall so that they reassemble packets back into their original form and THEN
examine them for threats.

A common attack is the packet fragmentation attack where the actual attack code is intentionally
fragmented at the source and the packets travel separately to the target and if successful they might
sneak past the IDS/Router/IPS/Firewall device that is supposed to check the traffic.

The following answers are incorrect:

Mod_rewrite attacks: Sorry, this isn't correct. mod_rewrite is a component of an Apache web server to
detect and stop some attacks.

IDS Buffer Overflow attacks: This isn't the correct answer. Buffer overflows aren't unique to IDS devices.

Router Offset attack: This isn't a valid answer. Such an attack is not currently known.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16101

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 16, Page
793.

Question 178

Which type of attack involves the altering of a system's Address Resolution Protocol (ARP) table so that it
contains incorrect IP to MAC address mappings?

• Cache Poisoning

• ARP Poisoning

• Reverse ARP table poisoning

• Reverse ARP

Correct Answer is: ARP Poisoning

Details:

The correct answer is: ARP Poisoning

ARP table poisoning, also referred to as ARP cache poisoning, or simply ARP Poisoning, is the process of
altering a system's ARP table so that it contains incorrect IP to MAC address mappings. This allows
requests/packets to be sent to a different device instead of the one they are actually intended for.

It is an excellent way to fool systems into thinking that a certain device has a certain address so that
information can be sent to and captured on an attacker's computer. It is a form of MITM (Man In The
Middle) attack.
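The unauthenticated ARP exchange from Question 171 and the poisoning described here have the same passive symptom: an IP whose announced MAC changes, or one MAC answering for several IPs. The following Python is an added example written for this edit, not code from the question bank or its references; the ARP replies, addresses and MACs are constructed sample data in the same "IP IS AT MAC" notation the explanation uses.

```python
"""Passive ARP-table consistency check (added example; not from the question bank)."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Same "IP IS AT MAC" notation the explanation uses for an ARP reply.
ARP_REPLY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) IS AT (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample: four replies seen on one subnet. The third one re-announces
# the gateway's IP with the MAC of the 10.5.1.20 host, which is what a poisoned
# table looks like from a sniffer's point of view.
SAMPLE_REPLIES = [
    "10.5.1.1 IS AT 22:33:44:55:66:77",
    "10.5.1.20 IS AT aa:bb:cc:dd:ee:01",
    "10.5.1.1 IS AT aa:bb:cc:dd:ee:01",
    "10.5.1.21 IS AT aa:bb:cc:dd:ee:02",
]


@dataclass(frozen=True)
class MappingChange:
    ip: str
    old_mac: str
    new_mac: str


def parse_reply(line: str):
    """Split one reply into (ip, mac); raises ValueError on anything else."""
    m = ARP_REPLY.match(line.strip())
    if m is None:
        raise ValueError(f"not an ARP reply: {line!r}")
    return m.group("ip"), m.group("mac").lower()


def audit_arp_replies(lines):
    """Replay replies into a table (ip -> mac) and record every change of an
    already-known mapping. Because nothing authenticates the reply, a change is
    the only signal a passive observer has; it is a symptom, not proof."""
    table = {}
    changes = []
    for line in lines:
        ip, mac = parse_reply(line)
        if ip in table and table[ip] != mac:
            changes.append(MappingChange(ip, table[ip], mac))
        table[ip] = mac
    return table, changes


def macs_claiming_multiple_ips(table):
    """Second symptom: one MAC answering for several IPs, typically its own
    address plus the gateway's. Legitimate proxy-ARP setups also do this, so
    treat the result as a lead to verify against the switch's port table."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table, changes = audit_arp_replies(SAMPLE_REPLIES)
    for c in changes:
        print(f"ALERT {c.ip}: {c.old_mac} -> {c.new_mac}")
    print(macs_claiming_multiple_ips(table))
```

A replaced NIC or a DHCP lease moving between hosts also changes a mapping, so on a real network the alert is a trigger to check the switch's MAC table or the 802.1X session, not a verdict on its own.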

The following answers are incorrect:

"Reverse ARP" is the process of determining what an IP address is from a known MAC address

"Cache Poisoning" This is not the best answer. It is too generic, it could be DNS Cache Poisoning or
other types.

"Reverse ARP table poisoning" There is no attack that goes by that name.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15150

TestPrep Certified Information Systems Security Professional (CISSP) Skillsoft Course

Question 179

What is the three way handshake sequence used to initiate TCP connections?

• ACK, SYN/ACK, SYN

• SYN, SYN, ACK/ACK

• SYN, SYN/ACK, ACK

• ACK, SYN/ACK, ACK

Correct Answer is: SYN, SYN/ACK, ACK

Details:

The correct answer is: SYN, SYN/ACK, ACK

The TCP three way handshake:

1. First, the client sends a SYN segment. This is a request to the server to synchronize the sequence
numbers. It specifies its initial sequence number (ISN), which is incremented by 1, and that is sent to the
server. To initialize a connection, the client and server must synchronize each other’s sequence
numbers.

2. Second, the server sends an ACK and a SYN in order to acknowledge the request of the client for
synchronization. At the same time, the server is also sending its request to the client for synchronization
of its sequence numbers. There is one major difference in this transmission from the first one. The
server transmits an acknowledgement number to the client. The acknowledgement is just proof to the
client that the ACK is specific to the SYN the client initiated. The process of acknowledging the client’s
request allows the server to increment the client’s sequence number by one and uses it as its
acknowledgement number.

3. Third, the client sends an ACK in order to acknowledge the request from the server for
synchronization. The client uses the same algorithm the server implemented in providing an
acknowledgement number. The client’s acknowledgment of the server’s request for synchronization
completes the process of establishing a reliable connection.
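The three steps above carry concrete sequence and acknowledgement numbers, and a circuit-level gateway (Question 175) or stateful filter admits each segment only if it is the expected next step. The Python below is an added example written for this edit, not code from the question bank or its references; the hosts and initial sequence numbers are constructed values, and the tracker is a simplified model that tracks only SYN/ACK flags, not the full TCP state machine.

```python
"""TCP three-way handshake with sequence numbers, plus a handshake tracker
(added example; not from the question bank)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK"}
    seq: int
    ack: Optional[int] = None


def three_way_handshake(client, server, client_isn, server_isn):
    """Build the three segments. A SYN occupies one sequence number, so each
    side acknowledges the peer's ISN + 1, exactly as steps 2 and 3 describe."""
    syn = Segment(client, server, frozenset({"SYN"}), seq=client_isn)
    syn_ack = Segment(server, client, frozenset({"SYN", "ACK"}),
                      seq=server_isn, ack=client_isn + 1)
    ack = Segment(client, server, frozenset({"ACK"}),
                  seq=client_isn + 1, ack=server_isn + 1)
    return [syn, syn_ack, ack]


class HandshakeTracker:
    """Keeps per-flow state like a stateful filter or circuit-level gateway and
    admits a segment only when it is the legitimate next step for its flow.
    Flows are keyed by (client, server); values are ("SYN_SENT", c_isn),
    ("SYN_RCVD", c_isn, s_isn) or ("ESTABLISHED",)."""

    def __init__(self):
        self.flows = {}

    def inspect(self, seg: Segment) -> bool:
        syn, ack = "SYN" in seg.flags, "ACK" in seg.flags
        if syn and not ack:                      # step 1: new client -> server flow
            self.flows[(seg.src, seg.dst)] = ("SYN_SENT", seg.seq)
            return True
        if syn and ack:                          # step 2: must answer a pending SYN
            st = self.flows.get((seg.dst, seg.src))
            if st and st[0] == "SYN_SENT" and seg.ack == st[1] + 1:
                self.flows[(seg.dst, seg.src)] = ("SYN_RCVD", st[1], seg.seq)
                return True
            return False                         # unsolicited SYN/ACK: dropped
        if ack:                                  # step 3, or traffic on an open flow
            key = (seg.src, seg.dst)
            st = self.flows.get(key)
            if st and st[0] == "SYN_RCVD":
                if seg.seq == st[1] + 1 and seg.ack == st[2] + 1:
                    self.flows[key] = ("ESTABLISHED",)
                    return True
                return False
            reverse = self.flows.get((seg.dst, seg.src))
            return st == ("ESTABLISHED",) or reverse == ("ESTABLISHED",)
        return False                             # neither flag: not part of setup


if __name__ == "__main__":
    tracker = HandshakeTracker()
    for seg in three_way_handshake("10.0.0.5", "10.0.0.80", 1000, 5000):
        print(sorted(seg.flags), "seq", seg.seq, "ack", seg.ack, "->", tracker.inspect(seg))
```

The point of the tracker is the rejection path: a SYN/ACK with no preceding SYN, or a bare ACK on a flow that never completed the handshake, is dropped, which is the behaviour the stateful-filter and circuit-level-gateway questions rely on.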

The following answers are incorrect:

All of the other choices were incorrect answers

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12404

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 5560-5573). Auerbach Publications. Kindle Edition.

Question 180

Which of the following answers would most closely be related to passive network mapping?

• Packet Sniffers

• Pinging a host

• Network scanners

• Calling the victim on the phone and asking for her IP Address

Correct Answer is: Packet Sniffers

Details:

The correct answer is: Packet Sniffers

There are two basic ways of conducting network mapping: Passive and Active.

- Passive is where we just listen and form a picture of the target network based upon packets we
receive.

- Active network mapping is where we send packets to the target hoping for a response that we can
analyze.

Many firewall operators and router admins disable ICMP on their border devices to mitigate floods or
such network mapping.

If they're blocking ICMP you can do a multitude of other types of scans which do not rely on ICMP like
half-open TCP scans where you just send the TCP packet with the SYN flag set as part of the start of a
normal TCP conversation initiation. This is a good choice because most packet loggers do not log half-
open TCP conversations so you can scan without being logged. (Optimal)

You can also do UDP scans to see if UDP ports are open. nmap and other network scanners have a huge
variety of scans from which to choose.

The following answers are incorrect:

- Network scanners: This is considered active network mapping or active reconnaissance.

- Actively pinging a host: This is considered active reconnaissance.

- Calling the victim on the phone and asking for her IP Address: This would probably work but it isn't very
passive.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12504

2011. EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 17, Page
878.

Question 181

Match up the following Protocols with the proper port numbers in order from left to right:

SSH, Kerberos, NetBIOS, LDAP, HTTPS, Secure LDAP

• 22, 88, 137, 389, 443, 636

• 22, 88, 137, 389, 442, 636

• 22, 88, 136, 389, 443, 636

• 22, 88, 137, 388, 443, 636

Correct Answer is:

22, 88, 137, 389, 443, 636

Details:

The correct answer is: 22, 88, 137, 389, 443, 636

SSH - 22

Kerberos - 88

NetBIOS - 137

LDAP - 389

HTTPS - 443

Secure LDAP - 636

Servers which offer services do so on standard ports for UDP and TCP traffic. They 'listen' for traffic on
the wire and respond if it is addressed to them. (Compared to a sniffer that gladly accepts all packets for
examination)

Once the server accepts the traffic it processes it to do whatever the service is intended to do and
possibly returns information back to the requester.

The following answers are incorrect:

- 22, 88, 136, 389, 443, 636: Sorry, NetBIOS doesn't run on 136 but it does run on UDP/137, 138 and
139.

- 22, 88, 137, 388, 443, 636: 388 is Incorrect. LDAP doesn't run on that port.

- 22, 88, 137, 389, 442, 636: 442 isn't the standard port for HTTPS traffic.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12809

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 182

You are using an open source packet analyzer called Wireshark and are sifting through the various
conversations to see if anything appears to be out of order.

You are observing a UDP conversation between a host and a router. It was a file transfer between the
two on port 69. What protocol was used here to conduct the file transfer?

• TFTP

• SCP

• FTP

• SFTP

Correct Answer is: TFTP

Details:

The correct answer is: TFTP

Discussion: TFTP is a curious protocol that doesn't use authentication and is often used to transfer
configuration files between an administrator's computer and a switch or router.

The admin's computer would have the TFTP server software installed on it and he would SSH into the
router and run a command that instructs the router to get its configuration from a TFTP server like this:

#copy tftp running-config

The router would request the IP or name of the host from where to get the config and the name of the
config file. It would then be copied down into the running-config (RAM) on the router.

This is how wireshark could have seen the file transfer.

It is advisable that you use a more secure means to transfer router configuration files because of their
sensitive nature. SCP or Secure Copy can be used on most mainstream routing and switching devices.

The following answers are incorrect:

- SFTP: This isn't correct because SFTP uses TCP and is on port 22.

- FTP: This is not the right answer because FTP uses TCP and ordinarily uses ports 20/21.

- SCP: Good guess but SCP doesn't use UDP or port 69, and even if you did 'see' a file transfer between
SCP hosts you wouldn't see the contents of the packets because they're encrypted. Sorry.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12852

2013. Official Security+ Curriculum. Copyright CCCure.org.

TFTP

Question 183

Which of the following answers BEST describes why the WEP encryption process was so flawed?

• The IV uses 3DES encryption key

• Weak MD4 Algorithm

• Rotating IVs

• A short, static IV that is sent in cleartext

Correct Answer is: A short, static IV that is sent in cleartext

Details:

The correct answer is: A short, static IV that is sent in cleartext.

WEP or Wired Equivalent Privacy was introduced in 1999 to meet or exceed security of a wired network
however it was quickly demonstrated that it was easy to break.

The main problem with WEP is its IV or Initialization Vector and how it is only 24 bits long and
transmitted in plain text.

The 24-Bit IV plus a 40-Bit key forms the RC4 key for a total of 64-bit WEP key length. Unfortunately, the
reuse of the IV in a relatively small number of packets (50% probability in 5,000 packets) led to the
failure.
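The "50% probability in 5,000 packets" figure is the birthday bound on a 24-bit IV space, and the "identical key streams" bullet of Question 174 (and the short-IV point of Question 185) is what a repeat costs: two frames encrypted under the same IV and key share a keystream. The Python below is an added example written for this edit, not code from the question bank or its references; it computes the exact repeat probability and the packet count at which it reaches a target, and the keystream bytes in the last function are a constructed stand-in for RC4 output.

```python
"""Why a 24-bit IV is too small: birthday-bound repeat probability and the
keystream-reuse consequence (added example; not from the question bank)."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS           # 16,777,216 possible IVs


def iv_collision_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `packets` independently random IVs
    repeat (the birthday problem), computed exactly in log space."""
    if packets > iv_space:
        return 1.0
    log_no_repeat = 0.0
    for i in range(packets):
        log_no_repeat += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_no_repeat)


def packets_for_probability(p: float, iv_space: int = IV_SPACE) -> int:
    """Smallest packet count at which the repeat probability reaches p.
    Starts from the closed-form estimate n ~ sqrt(2 N ln(1/(1-p))) and then
    adjusts with the exact function."""
    n = max(1, math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p)))))
    while n > 1 and iv_collision_probability(n - 1, iv_space) >= p:
        n -= 1
    while iv_collision_probability(n, iv_space) < p:
        n += 1
    return n


def keystream_xor_leak(keystream: bytes, plaintext_a: bytes, plaintext_b: bytes) -> bytes:
    """Two frames encrypted under the same (IV, key) share a keystream, so
    XOR-ing the two ciphertexts cancels it and leaves plaintext_a XOR
    plaintext_b: the cipher no longer hides the relationship between frames.
    `keystream` is a constructed stand-in for RC4 output."""
    ct_a = bytes(k ^ p for k, p in zip(keystream, plaintext_a))
    ct_b = bytes(k ^ p for k, p in zip(keystream, plaintext_b))
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


if __name__ == "__main__":
    for n in (1000, 4000, 5000, 10000):
        print(f"{n:6d} packets: P(IV repeat) = {iv_collision_probability(n):.3f}")
    print("50% reached at", packets_for_probability(0.5), "packets")
```

Run as-is, the 50% mark lands at roughly 4,800 random IVs; a busy access point sends that many frames in seconds, and drivers that chose IVs sequentially or reset them on reboot repeat even sooner than the random model predicts.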

The following answers are incorrect:

- Weak MD4 Algorithm: This isn't the right answer. MD4 is a hashing algorithm, not an encryption
protocol.

- Rotating IVs: This isn't correct. Initialization Vectors in WEP are static and reused AND sent in cleartext
so they're easy to sniff and use in an attack.

- The IV uses 3DES encryption key: Sorry, 3DES isn't involved in the IV in the WEP protocol.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13552

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question contributed by: Gregory F. Miller

Question 184

Which of the following answers BEST describes functionality of the CHAP protocol?

• Periodically re-authenticates the user to protect against man-in-the-middle attacks.

• Uses PKI

• Transmits user's passwords in clear text

• Used to prevent remote logon

Correct Answer is: Periodically re-authenticates the user to protect against man-in-the-middle attacks.

Details:

The correct answer is: Periodically re-authenticates the user to protect against man-in-the-middle
attacks.

CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity
of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake.
This happens at the time of establishing the initial link, and may happen again at any time afterwards.
The verification is based on a shared secret (such as the client user's password).

1. After the completion of the link establishment phase, the authenticator sends a "challenge"
message to the peer.

2. The peer responds with a value calculated using a one-way hash function on the challenge and
the secret combined.

3. The authenticator checks the response against its own calculation of the expected hash value. If
the values match, the authenticator acknowledges the authentication; otherwise it should terminate the
connection.

4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1
through 3.
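Steps 1 through 4 as a runnable exchange, showing that only an identifier and a hash cross the wire and that a response captured from one challenge is useless against the next. This Python is an added example written for this edit, not code from the question bank or its references. It follows the RFC 1994 response construction, MD5 over Identifier, secret and Challenge Value; MD5 is used because that is what the RFC specifies, not as a recommendation. Peer names and secrets are constructed values.

```python
"""CHAP challenge/response exchange per the four steps above
(added example; not from the question bank)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    identifier: int   # one-octet Identifier, fresh for every challenge
    value: bytes      # random Challenge Value


def chap_response(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


class Authenticator:
    """The PPP server side. It knows each peer's shared secret and keeps one
    outstanding challenge per peer; the secret itself never goes on the wire."""

    def __init__(self, secrets: dict, rng=os.urandom):
        self._secrets = secrets        # peer name -> shared secret (constructed here)
        self._rng = rng
        self._next_id = 0
        self._outstanding = {}

    def challenge(self, name: str) -> Challenge:
        """Step 1 (and step 4 on every repeat): issue a new random challenge."""
        self._next_id = (self._next_id + 1) % 256
        ch = Challenge(self._next_id, self._rng(16))
        self._outstanding[name] = ch
        return ch

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the hash and compare in constant time. The
        challenge is consumed whether or not the check succeeds, so a replayed
        response cannot be retried against it."""
        ch = self._outstanding.pop(name, None)
        secret = self._secrets.get(name)
        if ch is None or secret is None or ch.identifier != identifier:
            return False
        expected = chap_response(identifier, secret, ch.value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The remote client. Step 2: hash challenge and secret, send only the hash."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def respond(self, ch: Challenge):
        return self.name, ch.identifier, chap_response(ch.identifier, self._secret, ch.value)


def run_session(auth: Authenticator, peer: Peer, rounds: int) -> list:
    """Initial authentication followed by (rounds - 1) periodic re-challenges;
    returns the verdict of each round."""
    results = []
    for _ in range(rounds):
        ch = auth.challenge(peer.name)
        results.append(auth.verify(*peer.respond(ch)))
    return results


if __name__ == "__main__":
    auth = Authenticator({"alice": b"correct horse battery staple"})
    print(run_session(auth, Peer("alice", b"correct horse battery staple"), 3))
```

Contrast with PAP (the first incorrect answer): there the secret itself is the credential on the wire, so one capture is enough; with CHAP the capture is a hash bound to a challenge that the authenticator has already discarded.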

The following answers are incorrect:

- Transmits user's passwords in clear text: Sorry, incorrect answer. This describes PAP - the Password
Authentication Protocol. CHAP uses a challenge mechanism and only hash values are sent over the
network. The password is not sent in clear text.

- Uses PKI: This isn't correct. CHAP doesn't use PKI cryptography.

- Used to prevent remote logon: This isn't right either. CHAP isn't used to prevent remote logon, rather
to control it.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14942

The CCCure Holistic Security+ Computer Based Tutorial, you can subscribe at: http://www.cccure.tv

and

http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol

Question contributed by: Gregory F. Miller

Question 185
Which one of the following answers was the reason why WEP - Wired Equivalent Privacy failed to be an
effective wireless security protocol?

• Larger IVs

• Per-Frame Sequence Counter

• Dynamic Keys

• Static Keys and Short IVs

Correct Answer is: Static Keys and Short IVs

Details:

The Correct answer is: Static Keys and Short IVs

Static keys and short IVs are two problems with WEP which limited its useful lifespan and level of
security.

Also, WEP keys are only 40 or 104 bits long, too short to be effective. WPA uses TKIP - Temporal Key
Integrity Protocol, a "wrapper" around the existing WEP encryption that uses a 128-bit key, so it is
inherently more secure.

The following answers are incorrect:

- Dynamic Keys: This is incorrect because WPA uses dynamic keys, not WEP.

- Larger IVs: Sorry, incorrect. Larger IVs are a quality of WPA.

- Per-Frame Sequence Counter: This is a quality of WPA, sorry.

The following reference(s) was/were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13552

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 186

Which one of these answers is NOT a feature of WPA2?

• Static Keys

• Full IEEE 802.11i standard

• Personal and Enterprise Version

• Uses AES Encryption

Correct Answer is: Static Keys

Details:

The correct answer is: Static Keys

Discussion: WPA2 implements the IEEE 802.11i standard, uses AES encryption and currently comes in two
versions:

WPA2 Personal: AKA PSK Pre-shared key (Password)

WPA2 Enterprise: Requires a RADIUS Authentication Server and supports multiple accounts for each
user

Static keys were an unfortunate feature of WEP and were partly to blame for its relatively short lifespan
and quick replacement by WPA.

The following answers are incorrect:


- Uses AES Encryption: Sorry, this is a feature of WPA2.

- Personal and Enterprise Version: Sorry, this is a feature of WPA2.

- Full IEEE 802.11i standard: Sorry, this is a feature of WPA2.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13552

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 187

A spoofing attack at layer 2 of the OSI model is also known as what?

• MAC Spoofing

• DNS Spoofing

• IP Address Spoofing

• Web Spoofing

Correct Answer is: MAC Spoofing

Details:

The correct answer is: MAC Spoofing

Layer 2 attacks are usually easy because communications at this layer are not authenticated. Any host
can come online and claim whatever MAC address it wishes.

Tools such as ettercap can create these conditions. In the attack known as MITM - Man in the Middle,
ettercap leverages known weaknesses in the ARP protocol.

A legitimate Layer 2 conversation establishment looks like this:

ARP WHO HAS 10.5.1.1 TELL 11:22:33:44:55:66

Assuming all was normal the host with that MAC address would respond with:

10.5.1.1 IS AT 22:33:44:55:66:77

At that point the two hosts could talk using MAC addresses. IP Addresses are used but only to resolve
the MAC addresses they use.

It is possible for a rogue system to respond to ANY request for an IP Address with its own MAC Address,
fooling the requester into believing it is the legitimate host and intercepting the traffic bound for the
legitimate host.

Mitigation:

- Switch port security can help limit (but not stop) unauthorized network devices from connecting to your
physical LAN and attacking devices.

- 802.1X Certificate Security uses certificates to identify all network hosts, others are disregarded and
thus not trusted.

- VMPS - VLAN Membership Policy Server (Deprecated in favor of 802.1X) is a centralized database of
known MAC Addresses which are allowed to talk on the network. Since MAC addresses can be spoofed (faked), this
protocol has fallen into disuse.
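The ARP exchange and the spoofing condition described above, seen from the defender's side: an added example (not from the study guide) of a passive ARP monitor in the spirit of arpwatch, which replays traffic written in the page's WHO HAS / IS AT notation and flags replies nobody asked for and IP-to-MAC bindings that change. The traffic sample, including the rogue MAC de:ad:be:ef:00:01, is constructed.

```python
import re

# Added example (not from the study guide): passive detection of ARP spoofing.
# Two symptoms are visible on the wire without any active probing:
#   1. a reply for an IP that no host recently asked about (unsolicited), and
#   2. an IP whose claimed MAC changes from what the network already learned.

REQUEST = re.compile(r"ARP WHO HAS (\S+) TELL (\S+)")
REPLY = re.compile(r"(\S+) IS AT (\S+)")

# Constructed sample: a normal exchange for 10.5.1.1 and 10.5.1.20, followed by a
# rogue host announcing itself as 10.5.1.1 without having been asked.
SAMPLE_ARP = """\
ARP WHO HAS 10.5.1.1 TELL 11:22:33:44:55:66
10.5.1.1 IS AT 22:33:44:55:66:77
ARP WHO HAS 10.5.1.20 TELL 11:22:33:44:55:66
10.5.1.20 IS AT 33:44:55:66:77:88
10.5.1.1 IS AT de:ad:be:ef:00:01
10.5.1.1 IS AT de:ad:be:ef:00:01
"""


def parse_arp(text):
    """Yield ('request', ip, requester_mac) or ('reply', ip, claimed_mac) per line."""
    for line in text.splitlines():
        if m := REQUEST.match(line):
            yield "request", m.group(1), m.group(2)
        elif m := REPLY.match(line):
            yield "reply", m.group(1), m.group(2)


def monitor_arp(text):
    """Replay ARP traffic; return (ip -> mac table, list of alert strings)."""
    pending = set()   # IPs asked about and not yet answered
    table = {}        # IP -> MAC as the network currently believes it
    alerts = []
    for kind, ip, mac in parse_arp(text):
        if kind == "request":
            pending.add(ip)
            continue
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"unsolicited reply: {ip} IS AT {mac}")
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"binding changed: {ip} moved from {previous} to {mac}")
        table[ip] = mac
    return table, alerts
```

Switch port security and 802.1X, listed above, prevent the rogue host from joining; a monitor like this is the detective control for the case where it already has.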

The following answers are incorrect:

- DNS Spoofing: Sorry, DNS usually resides on layer 7 of the OSI model.

- IP Address Spoofing: Sorry, IP Address spoofing resides at layer 3, the network layer.

- Web Spoofing: Web spoofing is when an entire website is copied to a rogue server and a phishing email
is sent to the user requesting that he update his account information by logging in. This isn't layer 2
spoofing, sorry.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16246

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 188

What attack would you be seeing if the offset bits in an IP Header overlapped with the value of
previously sent packets?

• Teardrop Attack

• LAND Attack

• Null Scan

• XMas Tree Scan

Correct Answer is: Teardrop Attack

Details:

The correct answer is: Teardrop Attack

Teardrop attacks involve sending IP fragments which have overlapping fragment offsets, so that when
the victim's computer tries to reassemble the fragments into the intended datagram the target crashes.
It doesn't know how to handle the improperly-numbered fragments.

This hasn't been a problem since Windows 95 and Windows NT but it is good for academic purposes to
understand the attack and how attackers think and devise new exploits for causing problems.

Mitigation:

- Install only software from trusted sources and don't let kids or other inexperienced people use your
computer with an administrative account; only an unprivileged user account.

- Actively check to be sure your operating system patches are being updated

- Use system and network firewalls and an IDS if you know how to run one

- Harden your computer by installing a host-based firewall and maybe HIDS - Host-Based IDS.
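The defect Teardrop exploited was an IP stack that trusted fragment offsets during reassembly. As an added example (not from the study guide), a reassembly routine that validates the fragment set first, rejecting overlaps, gaps and incomplete sets, with offsets in the 8-byte units of the IP Fragment Offset field; the fragment samples are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the study guide): fragment reassembly that refuses
# overlapping fragments instead of trusting them. Offsets are in 8-byte units,
# as in the IP header; non-final fragments must therefore be multiples of 8 bytes.


@dataclass(frozen=True)
class Fragment:
    offset: int    # Fragment Offset field (8-byte units)
    data: bytes    # fragment payload
    more: bool     # More Fragments flag

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + len(self.data)


def find_overlap(frags: List[Fragment]) -> Optional[tuple]:
    """Return the first pair of fragments whose byte ranges overlap, else None."""
    ordered = sorted(frags, key=lambda f: f.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start < a.end:        # the Teardrop condition
            return a, b
    return None


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram payload, or return None if the set is malformed.

    Rejected: overlapping fragments, a hole between fragments, and a set
    whose last fragment still has More Fragments set.
    """
    if not frags or find_overlap(frags) is not None:
        return None
    ordered = sorted(frags, key=lambda f: f.start)
    payload = bytearray()
    for f in ordered:
        if f.start != len(payload):    # a hole: data is missing before this fragment
            return None
        payload += f.data
    if ordered[-1].more:               # the final fragment never arrived
        return None
    return bytes(payload)


# Constructed samples: a well-formed pair and a Teardrop-style overlapping pair
# (the second fragment claims to start at byte 16, inside the first one's 24 bytes).
GOOD = [Fragment(0, b"A" * 24, True), Fragment(3, b"B" * 16, False)]
TEARDROP = [Fragment(0, b"A" * 24, True), Fragment(2, b"B" * 16, False)]
```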

The following answers are incorrect:

- XMas Tree Scan: Sorry, XMas tree scans have little to do with TCP SYN packets having the same
destination IP as source IP Address.

- Null Scan: A null scan is a port scan attempt with TCP packets that have no session flags set. By RFC these are
illegal but that doesn't stop criminal hackers from doing them.

- LAND Attack: Sorry, not correct. A LAND attack is simply a series of packets sent to the target where
the source and destination IP Addresses are the same as the victim.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16103

The CCCure Holistic CompTIA Security+ Tutorial and CBT

and

https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understanding-teardrop-attacks.html

Question 189

What sort of attack is described by the following: An attacker has a list of broadcast addresses which it
stores into an array, the attacker sends a spoofed ICMP ECHO request to each of those addresses in
series and starts again. The spoofed IP address used by the attacker as the source of the packets is the
target/victim IP address.

• Replay Attack

• Fraggle Attack

• Smurf Attack

• LAND Attack

Correct Answer is: Smurf Attack

Details:

The correct answer is: Smurf Attack

The Smurf Attack is a denial-of-service attack in which large numbers of Internet Control Message
Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer
network using an IP Broadcast address.

Most devices on a network will, in their default settings, respond to this by sending a reply to the source
IP address. If the number of machines on the network that receive and respond to these packets is very
large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the
point where it becomes impossible to work on.

The name Smurf comes from the file "smurf.c", the source code of the attack program, which was
released in 1997 by TFreak.

The author describes the attack as:

The `smurf' attack is quite simple. It has a list of broadcast addresses which it stores into an array, and
sends a spoofed icmp echo request to each of those addresses in series and starts again. The result is a
devistating attack upon the spoofed ip with, depending on the amount of broadcast addresses used,
many, many computers responding to the echo request.

Mitigation:

- Best method for mitigating this threat is to control access to the physical network infrastructure. If the
attacker can't send the attack, this attack will obviously not work.

- Currently the preferred method for controlling access to the network is by using 802.1X - Certificate
security.

- Also, modern operating systems don't usually permit a PING to a broadcast address and just return an
error message if you try.

The following answers are incorrect:

- Fraggle Attack: Close but not quite right. A Fraggle attack uses UDP rather than the ICMP that Smurf
Attack uses.

- LAND Attack: Sorry, not correct. A LAND attack is simply a series of packets sent to the target where
the source and destination IP Addresses are the same as the victim.

- Replay Attack: This isn't an attack that takes advantage of a system vulnerability so it isn't the correct
answer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16116

The CCCure Holistic CompTIA Security+ Tutorial and CBT

and

http://en.wikipedia.org/wiki/Smurf_attack

and

http://searchsecurity.techtarget.com/answer/What-is-a-land-attack

and

http://www.phreak.org/archives/exploits/denial/smurf.c

Question 190

Under normal circumstances, what are the only two parts of a packet which change between the sending
host and the receiving host while in transit?

• TTL and Packet Expiration Counter value

• Routing Protocol and TTL

• MAC Address and Physical Media

• TTL and MAC

Correct Answer is: TTL and MAC

Details:

The correct answer is: TTL and MAC Address

Ordinarily, only two values change in a packet when it is in transit:

1. TTL - Time to Live. It's that part of the IP Header that prevents packets from wandering around the
internet forever looking for the destination. When a packet crosses a layer 3 routing device its TTL field
(Byte Offset 8) is decremented by one and once that value reaches 0 a "TTL Expired in Transit" ICMP
error message is sent back to the originator alerting it that the packet could not find its destination.

2. MAC - Media Access Control Address: MAC Addresses are local only to the network you are on. The
moment it hits the first router or switch the Source and Destination MAC Addresses change to the next
hop in the path. This happens at each device it crosses. (See more about Ethernet.)

Exceptions: Under typical conditions this is the case but if you are behind a proxy or firewall device that
is configured to re-write these values, they will be changed.

That is to say, many firewall and proxy devices are configured specifically to hide internal values to
reduce the leak of operational details of the internal network to the outside world. (Or to mitigate
probes using TTL or other packet values.)

These devices can rewrite any value, including resetting TTL values, but MAC Addresses must change
as devices pass packets off to one another in the routing and switching process between host and
destination.

The following answers are incorrect:

- TTL and Packet Expiration Counter: Sorry, TTL and Packet Expiration Counter are the same thing. While
there is no official term "Packet Expiration Counter", a TTL is, in a sense, just that. It's the number of
hops the packet can take across routing devices (L3) before it expires in transit.

- MAC Address and Physical Media: MAC address is right so, good work there but while the Media
changes between host and destination, media isn't part of the packet. Sorry. Read the question a few
times and let it sink in before answering.

- Routing Protocol and TTL: Almost. TTL is right but the routing protocol isn't technically part of the
packet so this is not correct or the BEST choice.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)
The CCCure Holistic Security+ Tutorial and CBT

and

https://en.wikipedia.org/wiki/Ethernet

Question 191

You are watching an active stream of your firewall logs and notice suspicious traffic from an IP Address
outside your country which is probing your network.

You, being a curious type try to PING the remote IP Address but receive no response, which is curious to
you. How can a remote host send traffic but not be PING-able?

• Its interface is down

• Its firewall is misconfigured

• It is configured to ignore ICMP Packets

• A host in the path is blocking ICMP

Correct Answer is: It is configured to ignore ICMP Packets

Details:

The correct answer is: It is configured to ignore ICMP Packets

Firewalls offer a huge number of ways of securing a system from network probing or attack by
controlling how it responds to network traffic. One possibility is silently dropping ICMP packets.
Ordinarily, devices should (By RFC) respond to ICMP packets but in today's security environment it is
prudent to silently drop unsolicited internet traffic.

In this case, a system can send packets but not respond to ANY traffic by blocking ALL incoming traffic,
including ICMP, TCP, UDP or any other protocol.

Bottom line: Hosts can send TCP or UDP traffic regardless of whether they are configured to send or
receive ICMP, which to a casual and inexperienced observer might make it look like the host isn't there.

Consider trying a UDP or TCP probe to elicit a response, otherwise, it may be impossible to get a
response from the remote host if it is not configured to respond.

Mitigation:

- On a FreeBSD system with ipf (IP Filter) firewall one simple rule can block ALL network traffic without
responding to ANY probes:

#block in quick on xl0 all

- xl0 is the network interface ID and this string would make your system disappear on the network.

The following answers are incorrect:

- A host in the path is blocking ICMP: This is a good answer but not quite correct. It could be that your
external firewall is blocking ICMP but that lies outside the scope of this question. If the choice had
been that a gateway on the path is dropping ICMP then it could have been the right choice.

- Its interface is down: This can't be correct because you're receiving packets from it. However, don't
forget that it is possible to receive traffic which has a source IP Address that is invalid or points to
another host.

- Its firewall is misconfigured: This could be true but a firewall misconfiguration wouldn't likely result in
ICMP being blocked.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12339

The CCCure CompTIA Security+ 301 Online Tutorial and CBT


and

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Question 192

Which of the following is NOT a best practice when hardening systems or bastion hosts?

• Limit Services

• Change default passwords

• Apply Patches

• Deploy a NIDS

Correct Answer is: Deploy a NIDS

Details:

The correct answer is: Deploying a NIDS

While deploying a NIDS - Network Intrusion Detection System is a good idea, it isn't targeted at
hardening a single system but rather an entire network, so this is the correct answer: it is not a
standard way of hardening a host.

The other steps are critical in securing systems and networks against attack. Consider the mitigation
steps to harden your systems.

Effective bastion hosts are configured very differently from typical hosts. Each bastion host fulfills a
specific role; all unnecessary services, protocols, programs, and network ports are disabled or removed.

A bastion host is hardened to limit potential methods of attack. The specific steps to harden a particular
bastion host depend upon the intended role of that host as well as the operating system and software
that it will be running.

Access Control Lists (ACLs) will be modified on the file system and other system objects; all unnecessary
TCP and UDP ports will be disabled; all non-critical services and daemons will be removed; as many
utilities and system configuration tools as is practical will also be removed. All appropriate service packs,
hot fixes, and patches should be installed. Logging of all security-related events needs to be enabled and
steps need to be taken to ensure the integrity of the logs so that a successful intruder is unable to erase
evidence of their visit. Any local user account and password databases should be encrypted.

There are also such things as HIDS - Host Based IDS or HBSS - Host-Based Security Systems which can
identify and protect hosts from network attack but that wasn't an option in the question.

Mitigation: There are a lot of things you can do to mitigate threats:

- Harden all networked devices by removing unnecessary services, fully patching and scanning them
periodically for vulnerabilities.

- Severely limit traffic into your private network or isolate it altogether.

- Deploy an IDS - Intrusion Detection System to identify dangerous behavior on your network.

The following answers are incorrect:

- Applying Patches: This is not a right answer because patching your systems with updates from the
vendor is vital to protecting your systems. It is part of hardening the host.

- Limiting Services: As with the other options, this is important to protecting your systems. Limiting
services to only those critical to your operations can greatly mitigate threats from attack.

- Change default passwords: This is a great way to secure a host, default password are well known and a
serious threat. So this is not the correct answer.

The following reference(s) was/were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21715

The CCCure CompTIA Security+ 301 Online Tutorial and CBT

Wikipedia Host Based Security System (HBSS)

https://www.sans.org/security-resources/idfaq/bastion.php

Question 193

Of the following choices, which one is a type of firewall that actively maintains awareness of the status of
conversations between internal and external hosts?

• Stateless

• Stateful Firewall

• Non-Passive Firewall

• Active State Firewall

Correct Answer is: Stateful Firewall

Details:

The correct answer is: Stateful Firewall

Also called a Stateful Inspection Firewall, this type of modern firewall maintains an active
table of the state of conversations between hosts on your internal network and the outside.

Previously, firewalls didn't maintain this awareness and were called stateless. In this case, the firewall
was only able to block protocols, source or destination IP Addresses or TCP/UDP Port destinations. (Plus
some other variables)

This proved to be inadequate when someone figured out that you could send traffic with the SYN/ACK
bits set in an attempt to fool the firewall into thinking the traffic originated from inside the protected
network. This permitted attackers to communicate with internal hosts and bypass firewall security.

Now, stateful inspection firewalls maintain a so-called dynamic state table that maintains visibility of the
origination of the traffic. The benefit is that systems outside your network cannot simply send in
traffic with the TCP state bits set to make it appear as if the traffic originated from inside your own
network, thereby bypassing the firewall.

Here's a sample of a stateful firewall table:

bsdfirewall1#fwtable

---- FW-1 CONNECTIONS TABLE ---

Src_IP Src_Prt Dst_IP Dst_Prt IP_prot Kbuf Type Flags Timeout

192.168.7.131 10003 207.229.143.8 25 6 0 16385 02ffff00 2845/3600

192.168.7.131 10002 207.229.143.8 24 6 0 16385 02ffff00 2845/3600

192.168.7.131 10001 207.229.143.8 23 6 0 16385 02ffff00 2845/3600

If an external attacker were to try to send traffic to an internal host it would be blocked by the firewall
because no state table entry exists permitting the traffic back in. A stateful inspection firewall will
consult the state table first to see if the incoming packet is part of an established session. If there is no
entry in the state table then it will consult the rulebase to see if there is a rule allowing the traffic. If
there is no state table entry and there is no rule that matches, the packet will be dropped or rejected.
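The lookup order just described, state table first and rulebase second, as an added example that is not part of the study guide. It loads the 5-tuples from the sample FW-1 connections table above; the packet model, the internal prefix 192.168.7. and the three-rule rulebase are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

# Added example (not from the study guide): a stateful filter's decision path.
# 1. established session in the state table -> accept
# 2. mid-stream segment (ACK set) with no state -> drop, whatever the rules say
# 3. genuinely new connection -> rulebase; an accept creates a state entry

Conn = Tuple[str, int, str, int, int]   # (src_ip, src_port, dst_ip, dst_port, ip_proto)

# The sample connections table from the page; only the first five columns matter here.
FWTABLE = """\
192.168.7.131 10003 207.229.143.8 25 6 0 16385 02ffff00 2845/3600
192.168.7.131 10002 207.229.143.8 24 6 0 16385 02ffff00 2845/3600
192.168.7.131 10001 207.229.143.8 23 6 0 16385 02ffff00 2845/3600
"""

INTERNAL_PREFIX = "192.168.7."           # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = 6                        # 6 = TCP
    flags: FrozenSet[str] = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}


def parse_fwtable(text: str) -> Set[Conn]:
    """Keep the 5-tuple of each row; Kbuf, Type, Flags and Timeout are bookkeeping."""
    state = set()
    for line in text.splitlines():
        src, sport, dst, dport, proto = line.split()[:5]
        state.add((src, int(sport), dst, int(dport), int(proto)))
    return state


# Constructed rulebase: (direction, destination port or None for any, action).
RULEBASE = [
    ("in", 80, "accept"),      # new inbound web connections are allowed
    ("in", None, "drop"),      # every other new inbound connection is dropped
    ("out", None, "accept"),   # internal hosts may open anything outbound
]


def filter_packet(pkt: Packet, state: Set[Conn], rules=RULEBASE) -> str:
    forward: Conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    reverse: Conn = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    # 1. Part of an established session? Either direction of a tracked 5-tuple passes.
    if forward in state or reverse in state:
        return "accept (state)"

    # 2. ACK set but nothing tracked: this is the forged SYN/ACK described above.
    if "ACK" in pkt.flags:
        return "drop (no matching state)"

    # 3. A new connection: first matching rule wins; an accept records the session.
    direction = "out" if pkt.src_ip.startswith(INTERNAL_PREFIX) else "in"
    for rule_dir, rule_port, action in rules:
        if rule_dir == direction and (rule_port is None or rule_port == pkt.dst_port):
            if action == "accept":
                state.add(forward)
            return f"{action} (rule)"
    return "drop (default)"
```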

The following answers are incorrect:

- Stateless: This is the opposite of the right answer so it is the wrong answer. Sorry. A stateless firewall
doesn't maintain awareness of the status of conversations between hosts in and outside your network.

- Active State Firewall: Sorry, this isn't a correct answer. This is not a valid term related to stateful or
stateless firewalls.

- Non-Passive Firewall: This isn't correct. There is no known firewall called this.

The following reference(s) was/were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14568

The CCCure CompTIA Security+ 301 Online Tutorial and CBT

and

http://en.wikipedia.org/wiki/Stateful_firewall

Question 194

Which of the following sequence represents the DoD - Department of Defense TCP/IP Reference Model?

• AITN - Application, Internet, Transport, Network Interface

• ATIL - Application, Transport, Internet, Link

• APIN - Application, Presentation, Internet, Network Interface

• TINA - Transport, Internet, Network Interface, Application

Correct Answer is: ATIL - Application, Transport, Internet, Link

Details:

The correct answer is: ATIL - Application, Transport, Internet, Link

The DoD TCP/IP Model follows a similar order to the OSI model but is more concise.

Mnemonic: ATIL is a great way to remember the layers from top down

The following answers are incorrect:

TINA - Transport, Internet, Network Interface, Application: Sorry, this is the improper sequence.

APIN: Application, Presentation, Internet, Network Interface

AITN Application, Internet, Transport, Network Interface: Sorry, incorrect: I and T were transposed.
Should be ATIN.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12534

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 195

How many hosts are possible on a subnet with a mask of 255.255.255.192?

• 62

• 128

• 32

• 64

Correct Answer is: 62

Details:

The correct answer is: 62

Subnetting is a vital part of being a good IT Security administrator. If you cannot easily make sense of
what you are seeing with IP Addresses, subnet masks and network IDs, you will have difficulty being
effective in the cyber battlefield.

However, if you take enough time to become good at it, it will become second nature. Also, try to
identify the best way for YOU to do so, because there are many methods and people learn and
understand differently.

In the case of this question, we see a subnet mask of 255.255.255.192, which gives us 64 addresses, but
don't forget to subtract the two reserved addresses, one for the Network ID and one for the Broadcast address. This yields
only 62 usable host addresses.

The most simple way to quickly figure this is:

1. Take the number of hosts you must accommodate and round up to the next possible net block.

Example: If you have 48 hosts, you must round up to a net block of 64 addresses with a subnet mask of
255.255.255.192.

11111111.11111111.11111111.11000000 (the 1 bits are the Network ID, the 0 bits the host ID).

2. To figure your network IDs subtract your mask number from 256. This will give you your net blocks to
work with:

- 256 - 192 = 64 (Minus 2 for network ID and broadcast addresses)

- This gives us the network blocks to subnet with.

3. Your network blocks would be as such:

0, 64, 128, 192.

So, in your router you would configure these as your routable networks and from there the switches
would "see" hosts by MAC and IP Addresses and send traffic to the switchports to the intended hosts.
This creates the path to the hosts on the subnet.
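The three steps above carried out in code, as an added example that is not part of the study guide: plain integer math on the dotted-decimal values so the borrowed bits stay visible, plus the network ID, broadcast and usable range for a given address. The address 10.5.1.77 used in the checks is constructed.

```python
# Added example (not from the study guide): subnet arithmetic with integer math.


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Count the 1 bits of a mask, rejecting masks whose 1s are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def usable_hosts(mask: str) -> int:
    """Block size minus the two reserved addresses (network ID and broadcast)."""
    size = 1 << (32 - prefix_length(mask))
    return max(size - 2, 0)            # /31 and /32 have nothing left to subtract


def subnet_info(address: str, mask: str) -> dict:
    """Network ID, broadcast and usable range of the block containing `address`."""
    a, m = ip_to_int(address), ip_to_int(mask)
    network = a & m                    # host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)   # host bits set
    return {
        "prefix": prefix_length(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable": usable_hosts(mask),
    }


def network_blocks(mask: str) -> list:
    """Step 2's shortcut: 256 minus the first non-255 mask octet is the block size,
    and the blocks start at every multiple of it within that octet (step 3)."""
    octets = [int(o) for o in mask.split(".")]
    partial = next((o for o in octets if o != 255), 0)
    block = 256 - partial
    return list(range(0, 256, block))


def mask_for_hosts(hosts: int) -> str:
    """Step 1: round the host count up to the next block that holds it, as a mask."""
    size = 4                           # a /30 is the smallest block with usable hosts
    while size - 2 < hosts:
        size <<= 1
    host_bits = size.bit_length() - 1  # size is a power of two
    return int_to_ip((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
```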

The following answers are incorrect:

- 64 hosts: Almost correct but you forgot to subtract 2 addresses for net ID and broadcast.

- 128 hosts: Sorry, incorrect answer. This mask would be 255.255.255.128. Also, you appear to have
forgotten to subtract the two addresses you can't use, Subnet ID and broadcast addresses.

- 32 hosts: Also not correct. This subnet mask would be 255.255.255.224, AND you forgot to subtract 2
for the network ID and broadcast.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 196

Which field in a TCP header is used to reassemble a file back into proper order to be presented to the
receiver?

• TCP Urgent Pointer

• TCP Sequence Number

• TCP Flags

• IP Sequence Number

Correct Answer is: TCP Sequence Number

Details:

The correct answer is: TCP Sequence Number

TCP Sequence Numbers (Byte Offset 4-7) are, in part, used to reassemble packets back into original
order for presentation to the recipient.

Each TCP segment received has a sequence number in the TCP Header. It's a 32-bit number and during TCP
session establishment, each station selects an ISN - Initial Sequence Number (randomly generated at
best) as its first sequence number.

Sequence numbers also advise the recipient of missing packets so they may be re-requested from the
sender. If packets are lost due to network congestion or transmission problems the TCP window
(the number of packets which can be sent without an ACK of reception) will be smaller and more ACKs
must be sent to see if packets are getting to the destination.

The following answers are incorrect:

- IP Sequence Number: Sorry, there's no such thing as an IP Sequence Number.

- TCP Flags: This one really isn't correct. TCP Flags are used to indicate the state a TCP connection is
desired to be in and control TCP state.

- TCP Urgent Pointer: Sorry, not correct. TCP header offset 18-19 (URG Pointer field) isn't used to
reassemble data.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15951

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 197

Which of the following signaling methods is most closely associated with 802.11 wireless networks?

• Half Duplex

• Wireless Duplex

• Full Duplex

• Mega Duplex

Correct Answer is: Half Duplex

Details:

The correct answer is: Half Duplex

802.11 wireless networks are, by nature, half-duplex. Wired networks can be full-duplex if they make
use of two pairs of the Ethernet cabling. Each pair is a separate channel for transmitting or receiving.

Full duplex networks are much more efficient at moving data because no collisions exist on a truly
full duplex network and the CSMA/CD functionality is disabled.

The following answers are incorrect:

- Full Duplex: This isn't correct because 802.11 networks are, by nature, half-duplex.

- Mega Duplex: This isn't a real computer term but it probably should be.

- Wireless Duplex: This isn't the answer. It looks like a valid answer though if you were not familiar with
this material.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12429

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 198

Which answer BEST describes the process you are doing if you:
- Apply hotfixes, service packs and patches

- Use effective password management practices

- Enable logging on your systems

- Disable non-essential services

• Implementing Security Controls

• Network Hardening

• Application Hardening

• OS Hardening

Correct Answer is: OS Hardening

Details:

The correct answer is: OS Hardening

When we 'harden' an operating system, this is a process of making the system more resilient to attack.

By default, computers are very insecure and are largely configured just to be functional without much
regard to security. Logging is minimal, updates may be turned off by default and many services are
running even if unused.

Hardening is the process of applying patches and service packs, disabling unnecessary services, locking
down or removing applications, and other steps that make the computer a harder target to attack.

The following answers are incorrect:

- Application Hardening: Application hardening is a sub-component of OS - Operating System hardening,
so it is NOT the best answer.

- Network Hardening: Sorry, this is incorrect: Network hardening only applies to network devices like
switches, routers and firewalls.

- Implementing Security Control: This is an important step to security but only a minor component.
Sorry.

The following reference(s) was used to create this question:

2014. Official Security+ Curriculum. Copyright CCCure.org.

The Official ISC2 Guide to the CISSP CBK Fourth Edition - CISSP 2015 CBK

Question 199

Which answer BEST describes a software suite that examines and identifies weaknesses in security of
your network devices and computers?

• Vulnerability Scanners

• IDS - Intrusion Detection System

• Antivirus Scanners

• IPS - Intrusion Prevention System

Correct Answer is: Vulnerability Scanners

Details:

The correct answer is: Vulnerability Scanners

Vulnerability Scanners can be used to scan your computers and networks for a set of known
vulnerabilities which should be addressed so that your security posture may be improved.

Essentially, you configure the scan software with a set of admin or root credentials for the systems you
are to scan. The scanner logs onto the systems with those credentials so that it may have full admin
privileges on the systems and therefore access to all system files and components for examination.

Results can usually be presented in varying degrees of complexity from technician level up to managerial
level with graphics and executive summaries about the results of the scan.

Notable vulnerability scanners are:

- Nessus for Mac OS X, OpenBSD, FreeBSD, Solaris and other Unix variants and Windows.

- GFI LANguard for Windows computers.

- Retina Vulnerability Management and Assessment

- Core Impact

- X-Scan (Freeware)

- SARA - Security Auditor's Research assistant

- SAINT - Security Administrator's Integrated Network Tool

We take the results of these scans and address the vulnerabilities by patching the computers, removing
vulnerable services we don't need and locking down systems to be more attack resistant.

The following answers are incorrect:

- Antivirus Scanner: Antivirus scanners generally don't identify weaknesses in your networks and
computers although they can point out malicious behavior or files on computers. In this case, it isn't the
right answer.

- IDS - Intrusion Detection System: IDS devices merely look at network traffic to see if a pattern of
network traffic matches a set of known signatures or behavior. If a match is found the IDS can trigger an
alarm for the admin to check out. In this question, the IDS doesn't identify weaknesses.

- IPS - Intrusion Prevention System: IPS systems go a step further than IDSes and can proactively stop
attacks but don't identify weaknesses in systems like a vulnerability scanner. Therefore this isn't correct
either. Sorry.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16083

2013. Official Security+ Curriculum. Copyright CCCure.org.

Question 200

Which of the following authentication methods would avoid conditions where a replay attack would be
successful by making use of an authenticator?

• CHAP - Challenge Handshake Authentication Protocol

• PAP - Password Authentication Protocol

• Kerberos

• Biometric Authentication

Correct Answer is: Kerberos

Details:

The correct answer is: Kerberos

To protect against replay attacks, the Kerberos authentication protocol uses an authenticator.

The authenticator is a small structure, encrypted under the session key shared between the client and the party it is talking to, that the client sends alongside a ticket: to the KDC (in Windows, the domain controller, DC) when requesting service tickets, and to the resource server in the AP-REQ when accessing a service. It carries the client's name, an optional sub-session key and checksum and, most important, the client's timestamp (ctime, plus a microsecond field, cusec). Only a holder of the session key can produce a valid authenticator, so an attacker cannot forge a fresh one; the timestamp is what stops them from reusing a captured one.

When the Kerberos logic on the DC or the resource server validates the message, it checks the authenticator's timestamp against the local clock and against a replay cache of authenticators accepted recently. If an authenticator with the same client, timestamp and microsecond value has already been accepted, the packet is rejected as a replay (KRB_AP_ERR_REPEAT) and user authentication fails.

If the timestamp is not within five minutes of the server's clock, the packet is also rejected (KRB_AP_ERR_SKEW). These five minutes are the maximum tolerated clock skew. In Windows the default is five minutes, set by the "Maximum tolerance for computer clock synchronization" setting in the Default Domain Policy; it can be changed, but widening it also widens the window the replay cache has to cover.
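The two server-side checks just described, the clock-skew window and the replay cache, modelled in Python. This is an added example, not code from the study guide or from any Kerberos implementation; the field names, the in-memory cache and the principal names are assumptions for the demo, though the cache key (client, server, ctime, cusec) mirrors what MIT krb5 and Windows use.

```python
"""Server-side authenticator validation: skew window plus replay cache.

Added example, not Kerberos library code.  Models the checks a service
performs on the authenticator carried in an AP-REQ: reject timestamps
outside the five-minute skew window (KRB_AP_ERR_SKEW) and reject an
authenticator already accepted within that window (KRB_AP_ERR_REPEAT).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # Windows/MIT default


@dataclass(frozen=True)
class Authenticator:
    client: str        # client principal, e.g. "alice@EXAMPLE.COM" (assumed)
    server: str        # service principal the ticket was issued for
    ctime: datetime    # client's timestamp, one-second resolution
    cusec: int         # microseconds; keeps two requests in one second distinct


@dataclass
class ReplayCache:
    """Authenticators seen recently.  Entries older than the skew window are
    dropped because the clock check already rejects anything that old."""
    seen: dict = field(default_factory=dict)

    def check_and_add(self, a: Authenticator, now: datetime) -> bool:
        key = (a.client, a.server, a.ctime, a.cusec)
        for stale in [k for k, t in self.seen.items() if now - t > MAX_SKEW]:
            del self.seen[stale]
        if key in self.seen:
            return False           # identical authenticator already accepted
        self.seen[key] = now
        return True


def validate_authenticator(a: Authenticator, now: datetime, cache: ReplayCache) -> str:
    """Return 'ok' or the Kerberos error name the server would send."""
    if abs(now - a.ctime) > MAX_SKEW:
        return "KRB_AP_ERR_SKEW"    # clock skew too great; never cached
    if not cache.check_and_add(a, now):
        return "KRB_AP_ERR_REPEAT"  # request is a replay
    return "ok"


def demo():
    """Fresh request, the same bytes replayed 10 s later, then a 6-minute-old capture."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    first = Authenticator("alice@EXAMPLE.COM",
                          "host/web01.example.com@EXAMPLE.COM", now, 123456)
    results = [validate_authenticator(first, now, cache)]
    # attacker resends the captured AP-REQ: inside the skew window, but cached
    results.append(validate_authenticator(first, now + timedelta(seconds=10), cache))
    # an authenticator captured six minutes ago: fails the clock check
    stale = Authenticator(first.client, first.server, now - timedelta(minutes=6), 1)
    results.append(validate_authenticator(stale, now, cache))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the skew check runs first: an authenticator outside the window is never added to the cache, which keeps the cache bounded to five minutes of traffic per service, and is why a replay sent after the window closes still fails.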

The following answers are incorrect:

- Biometric Authentication: A biometric system compares a captured sample with a stored template; it has no authenticator or timestamp of its own, so a captured sample or template can be replayed unless the system adds liveness detection or a challenge. It is not the protocol the question describes.

- CHAP - Challenge Handshake Authentication Protocol: CHAP does resist replay, but by a different mechanism: the server issues a variable challenge value with an incrementing identifier, and the peer answers with a hash of its secret and that challenge, so an old response is useless. It does not make use of an authenticator, and it authenticates a peer to a single system rather than to services across a realm.

- PAP - Password Authentication Protocol: PAP sends the username and password in the clear in every request, so anything captured can simply be resent. It has no replay protection at all.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 11333

2013. Official Security+ Curriculum.

Question 201
Which of the following technologies helps mitigate the exhaustion of IPv4 addresses AND allows
companies to have one external IP address while using an RFC 1918 non-routable internal IP addressing
scheme? Such a technique changes the source address so traffic going outbound to the Internet can find
its way back into the internal network.

• Static NAT - Static Network AddressTranslation

• PAT - Port Address Translation

• VLAN - Virtual Local Area Network

• Overloaded NAT - Overloaded Network Address Translation

Correct Answer is: Overloaded NAT - Overloaded Network Address Translation

Details:

The correct answer is: Overloaded NAT - Overloaded Network Address Translation

NAT translates internal IP addresses into a publicly routable IP address so that many internal
users can share that public address while keeping their internal addressing scheme.

Network Address Translation (NAT) was designed for IP address conservation. It enables private
networks that use non-globally-routable addresses to connect to the Internet. NAT runs on a router or
firewall that connects two networks and rewrites the private (not globally unique) addresses of the
internal network into globally routable addresses before packets are forwarded.

As part of this capability, NAT can be configured to present only one address for the entire network to
the outside world. This hides the internal addressing, and outside hosts cannot address internal
machines directly, which is a useful side effect, although NAT is not a substitute for a firewall policy.
NAT therefore offers both address conservation and some topology hiding, and is found at the edge of
enterprise, branch and home networks alike.

RFC 1918 addresses are the private, non-globally-routable ranges:

- 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)

- 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)

- 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)

Packets arrive from the internal hosts at the NAT device with these private source addresses. The
source IP address (and, with overloading, the source port) is replaced by the NAT device's public IP
address so that replies come back to the NAT device. The NAT device maintains a translation table
recording which internal host and port each outbound flow belongs to, so replies can be rewritten and
delivered to the right internal host. Inbound packets that match no table entry have nowhere to go and
are dropped.
There are security benefits because the NAT device makes requests on behalf of the internal clients,
so their real addresses are never exposed to possibly malicious web servers.

Network traffic can also be normalized to avoid information leakage from internal hosts, for example by
rewriting the IP TTL, which could otherwise divulge the operating system type.

Some NAT devices also zero unused or reserved header fields to frustrate covert channels, where bits
are placed in ordinarily unused IP or TCP header fields (reserved bits, the IP identification field, the
TCP urgent pointer when URG is not set) to smuggle data or signal out of the network.
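The translation table described above, modelled in Python. This is an added example, not code from the study guide or from any router; the addresses, ports and the simplified packet tuple are assumptions for the demo (real devices also track protocol and connection state).

```python
"""Overloaded NAT (PAT): one public address shared by many internal hosts.

Added example, not vendor code.  Each new outbound flow is given its own
public source port; the table maps it back for replies, and inbound packets
that match no entry are dropped.  Addresses below are documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OverloadedNat:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}   # public port -> that same 4-tuple

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source to the public address; allocate a port for new flows."""
        if not any(ip_address(p.src_ip) in net for net in RFC1918):
            raise ValueError(f"{p.src_ip} is not an RFC 1918 address")
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        port = self.out.get(key)
        if port is None:
            port = self.next_port          # a real device picks from a pool
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return Packet(self.public_ip, port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet):
        """Rewrite a reply back to the internal host, or return None to drop it.
        No entry means nobody inside asked for it: unsolicited traffic dies here."""
        key = self.back.get(p.dst_port)
        if key is None:
            return None
        src_ip, src_port, dst_ip, dst_port = key
        if (p.src_ip, p.src_port) != (dst_ip, dst_port):
            return None   # reply must come from the host the flow was opened to
        return Packet(p.src_ip, p.src_port, src_ip, src_port)


def demo():
    """Two internal hosts using the same source port, one reply, one unsolicited probe."""
    nat = OverloadedNat("203.0.113.10")
    a = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    b = nat.outbound(Packet("192.168.1.21", 51000, "198.51.100.5", 443))
    reply_a = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", a.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.9", 12345, "203.0.113.10", 2222))
    return a, b, reply_a, unsolicited


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The two internal hosts both chose source port 51000; the public port is what keeps their flows apart, which is exactly the "one external address, many internal hosts" property the question asks about.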

NOTE:

There is a lot of argument about what is NAT and what is PAT; vendors use the terms differently, and
there is no single answer.

On one of the Cisco forums I have seen the following information:

Dynamic NAT with overload - Changes the SOURCE address so traffic going to the Internet can find its
way BACK.

Port address translation - Changes the DESTINATION address so traffic from the Internet to an internal
server can get to it.

See the Cisco FAQ on NAT for Cisco's own definitions.

The following answers are incorrect:

- Static NAT - Static Network Address Translation: Static NAT is a one-to-one mapping between a private
and a public address and NOT the one-to-many sharing specified in the question.

- PAT - Port Address Translation: PAT is a real technique, and on many platforms it is simply another
name for overloaded NAT (the translation table is keyed by port). In this question's terminology,
though, the answer that matches "changes the source address so outbound traffic can find its way back"
is overloaded NAT.

- VLAN - Virtual Local Area Network: VLANs segment a switched network logically; they play no role in
mitigating IPv4 address exhaustion.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14552

2013. Official Security+ Curriculum. Copyright CCCure.org.


Question 202

You have been asked by your senior executive staff to deploy a web server on your network but you are
worried about it being attacked and compromised. Where would you most likely want to deploy the
server so as to avoid exposing your internal network to the threat of a compromised server?

• DMZ

• Extranet

• Secure VLAN

• Unused Network Area

Correct Answer is: DMZ

Details:

The correct answer is: DMZ

DMZ stands for Demilitarized Zone, a term borrowed from the military buffer strip between two hostile
sides. It is sometimes confused with the demarcation point (demarc), the physical cutoff where the
ISP's technical responsibility ends and the organization's IT staff take over, but that is a different
concept. A DMZ is a network segment outside your trusted corporate network but inside your network
filtering devices, such as a screening router or firewall.

The external filtering router or firewall blocks obviously inappropriate traffic (anything other than the
published services) and may normalize what it does pass to make it safer for the DMZ hosts. You can
even block whole countries by netblock if they have no reason to visit your web server.

This heavily reduces attacks into your DMZ and further into your internal network, but it is no perfect
solution: attackers pivot from hostile countries through a compromised host in your own country, and a
vulnerable web application is exploitable from anywhere you allow port 443.

In the DMZ you place the web server or other servers you must expose. The firewall that protects your
internal network is heavily locked down: it permits only the specific internal-to-DMZ connections
needed to administer the external router and the web server, and it does not allow DMZ hosts to initiate
connections into the internal network, so a compromised web server cannot be used as a stepping stone
inward.
The following answers are incorrect:

- Secure VLAN: A "secure VLAN" is not a term for a place to host Internet-accessible servers. A VLAN can
carry the DMZ segment, but the segment is a DMZ because of the firewall policy around it, not because of
the VLAN tag.

- Unused Network Area: An unused address range is not a security boundary; nothing filters traffic
between it and the rest of the network.

- Extranet: An extranet is a controlled network shared with business partners or customers. It may itself
be hosted in a DMZ, but the screened segment for a public web server is referred to as a DMZ.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14341

2013. Official Security+ Curriculum.

Question 204

Among the following answers, which is BEST described by:

- Data is encrypted and encapsulated into another packet for transmission across an untrusted medium.

- Permits networks to be geographically separate but appear as though they were on the same local
network.

• VPN - Virtual Private Network

• VPN - Virtual Public Network

• PPTP - Point-to-Point-Protocol

• L2TP - Layer 2 Transport Protocol


Correct Answer is: VPN - Virtual Private Network

Details:

The correct answer is: VPN - Virtual Private Network

VPN - Virtual Private Networks are common in the enterprise because they allow separated networks to
function as if they were co-located.

A network packet is encrypted and then encapsulated into another packet (for example IPsec ESP in
tunnel mode) for transport across an untrusted network. The outer packet carries only the gateway
addresses, so an observer on the path sees neither the inner addresses nor the payload.

The following answers are incorrect:

- VPN - Virtual Public Network: This is incorrect because it's 'Private' not 'Public'. It wouldn't be very
secure if it were a 'Public' network.

- PPTP: The option mislabels it; PPTP is the Point-to-Point Tunneling Protocol (PPP is the Point-to-Point
Protocol). It is a VPN tunneling method, but it is no longer considered secure: its MS-CHAPv2
authentication and RC4-based MPPE encryption are cryptographically weak and can be broken offline.

- L2TP - Layer 2 Transport Protocol: Sorry, this isn't a valid answer because while L2TP is a tunnel
protocol developed jointly by Cisco and Microsoft the acronym stands for Layer 2 Tunneling Protocol.
Read the questions carefully.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14863

2013. Official Security+ Curriculum.

Question 205
Which of the following answers is a technology in newer Microsoft Windows computers that can encrypt
an entire drive volume?

• TrueCrypt

• NTFS - New Technology File System

• BitLocker

• EFS - Encrypting File System

Correct Answer is: BitLocker

Details:

The correct answer is: BitLocker

BitLocker is a feature of modern Windows editions that encrypts whole volumes: the operating system
drive, fixed data drives and (as BitLocker To Go) removable drives. It does not depend on the individual
user account to decrypt files; it is either on or off for the volume, for all users.

BitLocker can use the TPM - Trusted Platform Module to protect the key for the operating system drive:
the volume master key is sealed to the TPM and is released only if the measured boot components have
not been tampered with. The bulk encryption itself is done in software (or by a self-encrypting drive)
with AES, not by the TPM.

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise
editions of Windows Vista and Windows 7, with the Pro and Enterprise editions of Windows 8 and later,
and with the server platforms from Windows Server 2008 onward. It is designed to protect data by
providing encryption for entire volumes. On Vista and 7 it defaults to AES in CBC mode with a 128-bit or
256-bit key, combined with the "Elephant" diffuser, an addition specific to disk encryption that AES-CBC
alone does not provide; CBC is not chained across the whole disk, only within each individual sector.
Windows 8 dropped the diffuser, and Windows 10 version 1511 and later default to XTS-AES, a mode
designed for sector-level encryption.

The following answers are incorrect:

- EFS - Encrypting File System: EFS encrypts individual files and folders under keys tied to a user
account, while BitLocker encrypts entire volumes.
- NTFS - New Technology File System: NTFS is the file system; it supports file-level encryption through
EFS but is not a drive encryption technology.

- TrueCrypt: TrueCrypt could in fact encrypt a Windows system drive with pre-boot authentication, so
that is not the reason it is wrong. It is incorrect because it is not a Microsoft technology (and its
development was abandoned in 2014, with VeraCrypt as the maintained successor).

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 10251

http://en.wikipedia.org/wiki/Bitlocker

Question 206

Which transport layer encryption consists of two layers - the Record Protocol and the TLS Handshake
Protocol and encrypts communications between the client and server?

• WTLS - Wireless TCP Layer Security

• SSL - Secure Sockets Layer

• TLS - TCP Layer Security

• TLS - Transport Layer Security

Correct Answer is: TLS - Transport Layer Security

Details:

The correct answer is: TLS - Transport Layer Security

SSL was developed by Netscape in the mid-1990s; TLS 1.0 followed in January 1999 in RFC 2246 and was
developed to secure communications between client web browsers and web servers.
TLS was based on SSL 3.0 and superseded it. For years many web servers still accepted SSL despite the
known vulnerabilities; SSL 3.0 was formally deprecated by RFC 7568 in 2015 after the POODLE attack,
and TLS 1.0 and 1.1 were deprecated by RFC 8996 in 2021.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols designed to provide communication security over the Internet. They use X.509 certificates,
and hence asymmetric cryptography, to authenticate the server (and optionally the client) and to agree a
symmetric session key. That session key then encrypts the data flowing between the parties. This
provides confidentiality, and message authentication codes (or an AEAD cipher) provide integrity and,
as a by-product, message authentication. An important property in this context is forward secrecy,
obtained with an ephemeral Diffie-Hellman key exchange, so the short-term session key cannot later be
derived from the server's long-term private key.
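The two layers the question names, seen in bytes: a TLS record (Record Protocol) whose fragment is a Handshake Protocol message. This is an added example, not code from the study guide or from any TLS library. The ClientHello is constructed here, not a real capture, and only the fields needed to show the layering are decoded; cipher suite values are the IANA numbers.

```python
"""TLS Record Protocol wrapping a Handshake Protocol message.

Added example, not library code.  Builds a minimal ClientHello (constructed
bytes), then parses the 5-byte record header and the 4-byte handshake header
it carries, so the two layers are visible.  No crypto is performed.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}


def build_client_hello(cipher_suites, client_random=bytes(32)):
    """Handshake body: version, random, session id, cipher suites, compression, extensions."""
    body = b"\x03\x03" + client_random                    # legacy version: TLS 1.2
    body += b"\x00"                                        # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    body += b"\x00\x00"                                    # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # record header: content type 22 (handshake), version 3.1, fragment length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_record(data):
    """Record layer: type(1) version(2) length(2), then the fragment."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")        # length says more than we have
    out = {"content_type": CONTENT_TYPES.get(ctype, ctype),
           "record_version": (major, minor), "length": length}
    if ctype == 22:
        out["handshake"] = parse_handshake(fragment)
    return out


def parse_handshake(fragment):
    """Handshake layer: msg_type(1) length(3), then the message body."""
    htype = fragment[0]
    hlen = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake message")
    out = {"type": HANDSHAKE_TYPES.get(htype, htype), "length": hlen}
    if htype == 1:                                         # ClientHello
        out["client_version"] = (body[0], body[1])
        sid_len = body[34]                                 # after 2-byte version + 32-byte random
        pos = 35 + sid_len
        suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        out["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                for i in range(pos, pos + suites_len, 2)]
    return out


def demo():
    # 0xC02F = ECDHE-RSA-AES128-GCM-SHA256, 0x1301 = TLS_AES_128_GCM_SHA256
    return parse_record(build_client_hello([0xC02F, 0x1301]))


if __name__ == "__main__":
    print(demo())
```

The record header says "handshake, 49 bytes"; only inside that fragment does the handshake header say "ClientHello, 45 bytes". Everything after the handshake completes travels in records of type 23 (application_data) encrypted under the negotiated keys, so the record layer is the only layer an on-path observer sees at that point.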

The following answers are incorrect:

TLS - TCP Layer Security: The acronym does not contain TCP, so this is incorrect. If you missed the TCP
portion, use it as a reminder to read the options very carefully.

SSL - Secure Sockets Layer: This is almost correct, since SSL 3.0 is also built from a record layer and a
handshake protocol, but the question names the TLS Handshake Protocol, and SSL is the deprecated
predecessor of TLS.

WTLS - Wireless TCP Layer Security: WTLS is real, but it is Wireless Transport Layer Security, the
WAP-era adaptation of TLS for mobile devices, and the option expands it wrongly with TCP; either way it
is not the answer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15286
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 28). Wiley. Kindle Edition.

Question 207

Which answer BEST describes a technology that offers us the ability to segment network traffic and
allow segregation of network users and resources from each other logically using features on enterprise
switch?

• VLANs

• STP

• WLANS

• WANS

Correct Answer is: VLANs

Details:

The correct answer is: VLANs

VLANs, or Virtual LANs, were introduced to contain broadcast traffic on switched networks. Earlier, with
hubs, every host shared a single collision domain and a single broadcast domain, so every computer
'saw' all other traffic; that cost performance and became a security risk once network sniffers were
common. Switches fixed the collision domain problem (each port is its own collision domain), but a flat
switched network is still one broadcast domain.

VLANs let the administrator assign physical switch ports (or 802.1Q-tagged frames on a trunk) to a
specific VLAN, which splits the switch into separate broadcast domains. That reduces broadcast traffic,
improves performance and provides some level of isolation for sensitive traffic, since hosts in
different VLANs can only reach each other through a router or layer 3 switch where an ACL can be
applied.

Typically the switch administrator assigns computers to a VLAN by department: finance, personnel,
marketing and so on. This is not a strong security boundary on its own (misconfigured trunks and VLAN
hopping attacks exist), but it can limit access to sensitive VLANs.

The following answers are incorrect:

- WANS: Wide Area Networks connect sites; they do not offer port-level segmentation on a switch.

- WLANS: Wireless LANs do not by themselves segregate network traffic, so this isn't a correct answer.

- STP: Spanning Tree Protocol (IEEE 802.1D and its successors) lets switches compute a single loop-free
path through a switched network by blocking redundant links. STP runs on VLAN-capable switches, but it
does not segment traffic, so it isn't the right answer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15301

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 97). Wiley. Kindle Edition.

Question 208

Which of the following answers is BEST described as a SAN standard for connecting data storage
facilities to communicate over IP networks?

• iSCSI

• SCSI-SAN

• iSAN

• vSAN

Correct Answer is: iSCSI

Details:

The correct answer is: iSCSI

iSCSI carries SCSI commands over TCP/IP networks and is used to provide block storage over intranets.
iSCSI data can be transmitted over the Internet, WANs or LANs.
Unlike Fibre Channel, which requires a dedicated fabric and cabling, iSCSI connects to your existing
Ethernet/IP network and uses IP addresses as the interconnect mechanism. Because it rides on ordinary
IP, keep it on its own VLAN or network and enable CHAP authentication between initiator and target; an
unauthenticated iSCSI target reachable from a user network exposes raw disks.

The following answers are incorrect:

- iSAN - Internet SAN: This isn't a standard term for network storage.

- SCSI-SAN: Also not a recognised term in the network storage field.

- vSAN: Not right. VMware vSAN pools the local disks of cluster hosts into shared storage, and a Cisco
VSAN partitions a Fibre Channel fabric into virtual fabrics; neither is the IP transport standard the
question asks about.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13154

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 102). Wiley. Kindle Edition.

Question 209

Which answer is BEST described as a transport protocol similar to iSCSI that can operate at up to 10
Gbps and rides on top of Ethernet but is not routable?

• FCOE

• iSCSI

• iSAN

• SCSI-SAN
Correct Answer is: FCOE

Details:

The correct answer is: FCOE

Fibre Channel over Ethernet - FCoE encapsulates Fibre Channel frames directly in Ethernet frames. Like
iSCSI it shares the Ethernet wire with other traffic, but it has no IP layer and so is not itself routable.

iSCSI by comparison operates higher in the stack: SCSI commands inside TCP inside IP, so it crosses
routers like any other TCP traffic.

FCoE runs above Ethernet alongside regular IP traffic (it needs lossless "Data Center Bridging"
Ethernet, typically 10 Gbps), but because it has no IP header it will not work across routed IP networks
the way iSCSI does.

Memorization Aid:

iSCSI = routable

FCOE = not routable

The following answers are incorrect:

- iSCSI: iSCSI is an IP-based storage networking standard for linking data storage facilities; essentially,
it is SCSI drives attached over IP instead of cables. It is incorrect here because iSCSI is routable and
rides on TCP.

- iSAN - Internet SAN: This isn't a real term for network storage, sorry.

- SCSI-SAN: This is also not a known term in the network storage subject.
The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13102

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 102). Wiley. Kindle Edition.

Question 210

A ______ is a mechanism for providing secure, reliable transport over the Internet.

• RAS

• TCP

• VPN

• DIAMETER

Correct Answer is: VPN

Details:

The correct answer is: VPN

A Virtual Private Network or VPN is used to provide remote users with a secure method to access
remote network resources while on untrusted networks.

The VPN can be found in workplaces and homes, where they allow employees to safely log into
company networks. Telecommuters and those who travel often find a VPN a more convenient way to
stay connected to the corporate intranet.

The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely
on private leased lines. VPN technologies implement restricted-access networks that utilize the same
cabling and routers as a public network, and they do so without sacrificing features or basic security.
The following answers are incorrect:

- DIAMETER: DIAMETER is an AAA - Authentication, Authorization and Accounting protocol for
controlling access to network resources; it does not provide the transport. It evolved from and replaces
the much less capable RADIUS protocol that preceded it. The name is a play on words: a diameter is
twice the radius. Diameter is not directly backwards compatible with RADIUS but provides an upgrade
path from it.

Diameter Applications extend the base protocol by adding new commands and/or attributes, such as
those for use of the Extensible Authentication Protocol (EAP). See the reference below for a full list of
features that DIAMETER provides but not RADIUS.

- TCP: This isn't the right answer because TCP might provide reliable transport, but by itself it does not
provide it in a secure manner.

- RAS: RAS - Remote Access Service is used to enable management of remote access connections
through phone modems so this isn't the right answer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14863

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 3). Wiley. Kindle Edition.

http://compnetworking.about.com/od/vpn/a/vpn_tutorial.htm

http://en.wikipedia.org/wiki/Diameter_%28protocol%29

Question 211
Of the following answers, which would you want to have inside the DMZ?

• Printers or fax machines

• Regular user computers

• Web servers or DNS Servers

• Sensitive Corporate Computers

Correct Answer is: Web servers or DNS Servers

Details:

The correct answer is: Web servers or DNS Servers

The DMZ (Demilitarized Zone) takes its name from the military buffer zone between two sides; it is
sometimes confused with the demarcation point, where the Internet service provider's responsibility
ends and yours begins, but that is a different thing. Either way, the DMZ is the area outside your trusted
network where you place your web servers, mail relays, external DNS or application front ends.

The DMZ ordinarily sits behind a first-level firewall or packet-filtering router that blocks unwanted
traffic but permits access to those published servers.

Another firewall on the trusted side of the DMZ strictly filters traffic entering the trusted internal LAN,
and in particular does not let DMZ hosts initiate connections inward, thereby protecting internal
network hosts if a DMZ server is compromised.
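The two-firewall DMZ design from Questions 202 and 211 as a rule table with default deny, evaluated in Python. This is an added example, not code from the study guide or from any firewall product; the zone names, ports and rule layout are assumptions, chosen to show why a compromised DMZ web server cannot open connections into the internal LAN.

```python
"""Three-zone DMZ policy (internet / dmz / internal), first match wins, default deny.

Added example, not firewall vendor code.  The outer rules are what the
Internet-facing filter enforces; the inner rules are what the firewall on the
trusted side of the DMZ enforces.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset    # allowed destination ports; empty means any port
    action: str         # "allow" or "deny"


ANY = frozenset()

POLICY = [
    # outer firewall: the Internet reaches only the published DMZ services
    Rule("internet", "dmz", frozenset({80, 443, 53}), "allow"),
    Rule("internet", "internal", ANY, "deny"),
    # inner firewall: the DMZ never initiates inward; admins manage DMZ hosts
    # from inside over SSH/HTTPS only
    Rule("dmz", "internal", ANY, "deny"),
    Rule("internal", "dmz", frozenset({22, 443}), "allow"),
    Rule("internal", "internet", ANY, "allow"),
]


def decide(policy, src_zone, dst_zone, dst_port):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for r in policy:
        if r.src == src_zone and r.dst == dst_zone and (not r.ports or dst_port in r.ports):
            return r.action
    return "deny"


def demo():
    """Typical flows, including what an attacker on the web server would try."""
    return {
        "internet->dmz:443 (web)": decide(POLICY, "internet", "dmz", 443),
        "internet->dmz:3389 (rdp)": decide(POLICY, "internet", "dmz", 3389),
        "dmz->internal:445 (pivot)": decide(POLICY, "dmz", "internal", 445),
        "dmz->dmz:443 (no rule)": decide(POLICY, "dmz", "dmz", 443),
        "internal->dmz:22 (admin)": decide(POLICY, "internal", "dmz", 22),
        "internet->internal:443": decide(POLICY, "internet", "internal", 443),
    }


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{action:5}  {flow}")
```

The order matters: the allow rules are narrow (specific ports), the deny rules are broad, and anything not written down, such as DMZ-to-DMZ traffic, falls through to the default deny. A single-firewall design that put the web server on the same rule base as the LAN would need the same "dmz -> internal deny" rule to get the same protection; the second firewall makes it a physical boundary rather than a line that a rule edit can remove.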

The following answers are incorrect:

- Sensitive Corporate Computers: Wrong because a DMZ is a semi-trusted area of your network, exposed
to the Internet, and no place for sensitive systems.

- Regular user computers: Wrong because user workstations belong on the internal trusted LAN, not in
the DMZ.

- Printers or fax machines: These have no need to be reachable from the Internet and do not go in the
DMZ.


The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14339

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 42). Wiley. Kindle Edition.

Question 212

You have deployed VOIP phones in your corporate network and you want to protect these
communications against sniffing by encrypting the traffic. You also want to provide message
authentication and integrity as well as defending against VOIP Spam and replay attacks.

Which protocol would support your needs?

• RTP

• SIP

• SRTP

• AES

Correct Answer is: SRTP

Details:

The correct answer is: SRTP

SRTP - Secure Real-time Transport Protocol (RFC 3711) encrypts the RTP payload to defeat sniffing, adds
an authentication tag for message authentication and integrity, and rejects replayed packets using a
sliding window over the RTP sequence number.

SRTP uses AES - Advanced Encryption Standard in counter mode as the default cipher, with HMAC-SHA1
for authentication. SRTP does not negotiate its own keys; they come from the signaling path (SDES in
SIP/SDP, or DTLS-SRTP), so the signaling must itself be protected with TLS or the media keys leak.


The following answers are incorrect:

AES - Advanced Encryption Standard: SRTP uses AES as its default cipher, but AES is a block cipher, not
a protocol for securing VoIP media, so it doesn't answer the question.

RTP - Real-time Transport Protocol: RTP is a plaintext protocol over UDP, designed to get packets from
point to point as quickly as possible for voice; it has no encryption or authentication.

SIP - Session Initiation Protocol: SIP was designed by the IETF to set up, modify and tear down calls by
establishing a session between two endpoints. It can itself be carried over TLS, but that protects only
the signaling, not the media stream.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13319

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 45-46). Wiley. Kindle Edition.

Ric Messier (2014). GSEC - GIAC Security Essentials Certification Exam Guide. (p. 487-488.) McGraw Hill.

Question 213

Which method of securing DNS involves the combination of PKI and DNS?

• PKI DNS

• DNSSEC

• SECDNS

• SDNS

Correct Answer is: DNSSEC


Details:

The correct answer is: DNSSEC

DNSSEC is short for DNS Security Extensions. It adds a level of security to DNS by digitally signing zone
data, using public key cryptography, so that resolvers can verify that a response is authentic and
unmodified.

Originally no security considerations were given to DNS; it was designed to be a distributed and
scalable system, and whichever response arrived first was trusted.

In a signed zone every resource record set is signed (RRSIG records), and the zone's public key
(DNSKEY) is in turn vouched for by a DS record in the parent zone, up to the root trust anchor. By
checking that chain of signatures, a validating resolver can be assured the results are authentic.
DNSSEC also gives authenticated denial of existence (NSEC/NSEC3) for names that do not exist.

DNSSEC does not provide confidentiality (responses are still in the clear), nor resistance to DoS/DDoS
attacks; the larger signed responses can in fact make DNS a better amplifier for reflection attacks.

The following answers are incorrect:

SDNS: SDNS isn't a valid answer because it isn't the right acronym.

SECDNS: This isn't the right answer because SECDNS isn't a manner of securing DNS queries. It does not
exist and it is only a distractor.

PKI DNS: This could have been another name for DNSSEC, because public key cryptography is used in
DNSSEC, but even though it sounds good that is not the name used, so this is not a right answer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16280
Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 63). Wiley. Kindle Edition.

Official Site for DNS SEC

Question 214

What is the IPv6 equivalent of ARP?

• ARPv6

• ICMPv6

• NDP

• RDP

Correct Answer is: NDP

Details:

The correct answer is: NDP - Neighbor Discovery Protocol

With IPv4, ARP - the Address Resolution Protocol - found which MAC address an IP address was using
by simply broadcasting "ARP who has 10.0.1.1? Tell 10.0.1.20". The owning station replied "10.0.1.1 is at
AA:BB:CC:DD:EE:FF". From then on both stations could exchange frames using MAC addresses.

In IPv6 that role is taken by the Neighbor Discovery Protocol (NDP, RFC 4861). It is carried in ICMPv6
rather than being a separate link-layer protocol, and it covers more than ARP did: link-layer address
resolution, auto-configuration of nodes on a link, router discovery, and how nodes find and communicate
with one another.

NDP uses a mix of ICMPv6 messages and multicast addresses (the solicited-node multicast group
instead of a broadcast) to discover other nodes, detect duplicate addresses, find available routers and
DNS servers, and a few other functions.

NDP defines five ICMPv6 message types:
1. Type 133: Router Solicitation, to locate routers on the link

2. Type 134: Router Advertisement, for routers to advertise their presence and prefixes

3. Type 135: Neighbor Solicitation, used by nodes to resolve each other's link-layer addresses (and for
duplicate address detection)

4. Type 136: Neighbor Advertisement, the response to a Neighbor Solicitation

5. Type 137: Redirect, for routers to inform hosts of a better first hop

Like ARP, NDP has no authentication, so the same spoofing attacks apply (rogue Router Advertisements,
forged Neighbor Advertisements); the mitigations are RA Guard and ND inspection on switches, or SEND
(RFC 3971).

NOTE: The Official Study Book 7th Edition is thin on IPv6 and NDP. This is a topic you will need to
supplement by using other resources, such as the links below.

The following answers are incorrect:

- RDP: RDP, the Remote Desktop Protocol, is a Microsoft proprietary protocol that provides a graphical
session on a remote computer. It has nothing to do with IPv6 link-layer address resolution.

- ARPv6: There is no ARPv6. As explained above, ARP's function was replaced by NDP in IPv6.

- ICMPv6: ICMPv6 plays a role in NDP, since NDP messages are ICMPv6 messages, but ICMPv6 is the
carrier protocol (it also handles errors, echo and multicast listener discovery); NDP is the ARP
equivalent. See the Cisco reference below for more detail.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 49). Wiley. Kindle Edition.

Cisco Technical Description of NDP and IPv6 message

Wikipedia Article on NDP

Question 215

How many bits is the address space reserved for the source IP address within an IPv6 header?
• 128

• 256

• 64

• 32

Correct Answer is: 128

Details:

The correct answer is: 128 Bits

Discussion: An IPv6 address is 128 bits long, so the address space holds:

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses

An IPv6 address is 128 bits, so the source address field takes up that much space in the header (as does
the destination address). The key is to distinguish between the size of an IPv6 address and the fact that
the source and destination addresses are fields inside the packet header.

When IPv4 was designed in the late 1970s nobody expected to need more than its 4.3 billion (2^32)
addresses, but the free pool was exhausted years ago. With 2^128 addresses it is not likely that we will
run out again any time soon.

We have got by with IPv4 by using NAT - Network Address Translation, where private IP addresses are
hidden behind a single or a few externally routable IP addresses.

Unfortunately, early on, organizations were given huge blocks of address space, such as class A networks
with 2^24 or 16,777,216 addresses, even when only a small handful were used within the company. The
127.0.0.0/8 loopback range reserves just as many.

IPv6 addresses are written as 8 groups of 4 hexadecimal digits separated by colons, for example:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Leading zeros in a group may be dropped and one run of all-zero groups may be replaced by "::", so the
same address is usually written 2001:db8:85a3::8a2e:370:7334.
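The 40-byte fixed header from this question, with its two 128-bit address fields, and the NDP message types from Question 214, parsed from bytes in Python. This is an added example, not code from the study guide; the packet is constructed here (a Neighbor Solicitation from fe80::1 for fe80::2, sent to the solicited-node multicast address), not captured from a real link, and the ICMPv6 checksum is left at zero rather than computed.

```python
"""Parse the fixed IPv6 header and classify an ICMPv6/NDP payload.

Added example, not library code.  Header layout per RFC 8200: version(4)
traffic class(8) flow label(20) | payload length(16) next header(8) hop
limit(8) | source(128) | destination(128) = 40 bytes.  NDP types per RFC 4861.
"""
import struct
from ipaddress import IPv6Address

NEXT_HEADER = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 44: "Fragment", 50: "ESP", 58: "ICMPv6"}
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}


def build_ipv6(src, dst, next_header, payload, hop_limit=255, traffic_class=0, flow_label=0):
    """Assemble the 40-byte fixed header in front of a payload."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_neighbor_solicitation(target):
    """ICMPv6 type 135: type, code, checksum (0 here, not computed), reserved, target."""
    return struct.pack("!BBHI", 135, 0, 0, 0) + IPv6Address(target).packed


def parse_ipv6(data):
    if len(data) < 40:
        raise ValueError("short packet: fixed IPv6 header is 40 bytes")
    first_word, payload_len, nh, hop = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    out = {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": NEXT_HEADER.get(nh, nh),
        "hop_limit": hop,
        "src": str(IPv6Address(data[8:24])),    # 128-bit source address
        "dst": str(IPv6Address(data[24:40])),   # 128-bit destination address
    }
    payload = data[40:40 + payload_len]
    if nh == 58 and payload:
        icmp_type = payload[0]
        out["icmpv6_type"] = icmp_type
        out["ndp"] = NDP_TYPES.get(icmp_type)   # None for non-NDP ICMPv6 (echo, errors)
        if icmp_type in (135, 136) and len(payload) >= 24:
            out["target"] = str(IPv6Address(payload[8:24]))
    return out


def demo():
    """fe80::1 resolves fe80::2 via the solicited-node group ff02::1:ff00:2.
    NDP requires hop limit 255 so that off-link packets can be rejected."""
    pkt = build_ipv6("fe80::1", "ff02::1:ff00:2", 58,
                     build_neighbor_solicitation("fe80::2"))
    return parse_ipv6(pkt)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The parser prints the addresses in the compressed notation described above, and the hop-limit field is worth a look in the output: receivers of NDP messages check that it is exactly 255, which proves the packet has not crossed a router, one of the few built-in defences NDP has against off-link spoofing.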

What is an IPv6 Header?


An Internet Protocol version 6 (IPv6) packet comprises two main parts: the header and the payload. The
first 40 bytes/octets (40 x 8 = 320 bits) of an IPv6 packet form the fixed header (see Figure 1), which
contains the following fields:

Source address (128 bits) The 128-bit source address field contains the IPv6 address of the originating
node, the sender of the packet.

Destination address (128 bits) The 128-bit destination address field contains the IPv6 address of the
intended recipient of the packet.

Version (4 bits) The 4-bit version field contains the number 6. It is the same size as the IPv4 version
field, which contains the number 4. In practice the field is of limited use, because IPv4 and IPv6 packets
are distinguished not by this value but by the protocol type in the layer 2 envelope (for example
EtherType 0x86DD for IPv6 versus 0x0800 for IPv4).

Packet priority/Traffic class (8 bits) The 8-bit Priority field in the IPv6 header can assume different values
to enable the source node to differentiate between the packets generated by it by associating different
delivery priorities to them. This field is subsequently used by the originating node and the routers to
identify the data packets that belong to the same traffic class and distinguish between packets with
different priorities.

Flow Label/QoS management (20 bits) The 20-bit flow label field in the IPv6 header can be used by a
source to label a set of packets belonging to the same flow. A flow is uniquely identified by the
combination of the source address and a non-zero flow label. Multiple active flows may exist from a
source to a destination, alongside traffic that is not associated with any flow (flow label = 0).

The IPv6 routers must handle the packets belonging to the same flow in a similar fashion. The
information on handling of IPv6 data packets belonging to a given flow may be specified within the data
packets themselves or it may be conveyed by a control protocol such as the RSVP (Resource reSerVation
Protocol).

When routers receive the first packet of a new flow, they can process the information carried by the
IPv6 header, Routing header, and Hop-by-Hop extension headers, and store the result (e.g. determining
the retransmission of specific IPv6 data packets) in a cache memory and use the result to route all other
packets belonging to the same flow (having the same source address and the same Flow Label), by using
the data stored in the cache memory.

Payload length in bytes (16 bits) The 16-bit payload length field contains the length of the data field in
octets following the IPv6 packet header. The 16-bit Payload Length field puts an upper limit of 64
kilobytes on the packet payload. In case a larger packet payload is required, a Jumbo Payload
extension header is provided in the IPv6 protocol. A Jumbo payload (Jumbogram) is indicated by the
value zero in the Payload Length field. Jumbograms are frequently used in supercomputer
communication using the IPv6 protocol to transmit heavy data payloads.

Next Header (8 bits) The 8-bit Next Header field identifies the type of header immediately following the
IPv6 header and located at the beginning of the data field (payload) of the IPv6 packet. This field usually
specifies the transport layer protocol used by a packet's payload. The two most common kinds of Next
Headers are TCP (6) and UDP (17), but many other headers are also possible. The format adopted for
this field is the one proposed for IPv4 by RFC 1700. In the case of the IPv6 protocol, the Next Header field
is similar to the IPv4 Protocol field.

Time To Live (TTL)/Hop Limit (8 bits) The 8-bit Hop Limit field is decremented by one, by each node
(typically a router) that forwards a packet. If the Hop Limit field is decremented to zero, the packet is
discarded. The main function of this field is to identify and to discard packets that are stuck in an
indefinite loop due to any routing information errors. The 8-bit field also puts an upper limit on the
maximum number of links between two IPv6 nodes. In this way, an IPv6 data packet is allowed a
maximum of 255 hops before it is eventually discarded. An IPv6 data packet can pass through a maximum
of 254 routers before being discarded.

In the case of the IPv6 protocol, the fields for handling fragmentation do not form part of the basic
header. They are put into a separate extension header. Moreover, fragmentation is handled exclusively
by the sending host; routers are not employed in the fragmentation process.

For further details, please see RFC 2460 - Internet Protocol, Version 6 (IPv6) Specification.
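The fixed 40-octet header described above, as an added example that is not from the page or its references: a parser and builder for the IPv6 base header, a router-style Hop Limit decrement that discards at zero, and the flow key (source address plus non-zero Flow Label) used for per-flow handling. The addresses and field values in the usage section are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPV6_HEADER_LEN = 40        # fixed header: 40 octets = 320 bits
NEXT_HEADER_HOP_BY_HOP = 0  # Hop-by-Hop Options header, which carries the Jumbo Payload option
NEXT_HEADER_TCP = 6
NEXT_HEADER_UDP = 17


@dataclass
class IPv6Header:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address

    @property
    def is_jumbogram(self) -> bool:
        # Payload Length 0 with a Hop-by-Hop header following signals a Jumbo Payload
        return self.payload_length == 0 and self.next_header == NEXT_HEADER_HOP_BY_HOP

    def flow_key(self) -> Optional[Tuple[ipaddress.IPv6Address, int]]:
        # A flow is identified by the source address plus a non-zero Flow Label;
        # label 0 means the packet belongs to no flow
        if self.flow_label == 0:
            return None
        return (self.src, self.flow_label)


def parse_ipv6_header(packet: bytes) -> IPv6Header:
    """Decode the 40-octet base header; reject anything that is not version 6."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the 40-octet IPv6 header")
    # First 32-bit word: 4-bit version | 8-bit traffic class | 20-bit flow label,
    # then 16-bit payload length, 8-bit next header, 8-bit hop limit
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, expected 6")
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & 0xFFFFF
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return IPv6Header(version, traffic_class, flow_label, payload_length,
                      next_header, hop_limit, src, dst)


def build_ipv6_header(src: str, dst: str, payload_length: int, next_header: int,
                      hop_limit: int, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Encode a base header from its fields (the inverse of parse_ipv6_header)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def forward(packet: bytes) -> Optional[bytes]:
    """Router behaviour for Hop Limit: decrement by one, discard when it reaches zero."""
    hdr = parse_ipv6_header(packet)
    if hdr.hop_limit <= 1:
        return None  # decrementing would reach zero, so the packet is discarded
    # Hop Limit is the single octet at offset 7 of the header
    return packet[:7] + bytes([hdr.hop_limit - 1]) + packet[8:]


if __name__ == "__main__":
    # Constructed sample: documentation-prefix addresses, a 20-octet TCP payload
    pkt = build_ipv6_header("2001:db8::1", "2001:db8::2", 20, NEXT_HEADER_TCP, 64,
                            flow_label=0xABCDE)
    hdr = parse_ipv6_header(pkt)
    print(hdr)
    print("flow key:", hdr.flow_key())
    print("hop limit after one router:", parse_ipv6_header(forward(pkt)).hop_limit)
```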

The following answers are incorrect:

- 32: This answer would be right if the question were about IPv4, but it isn't, so the answer is wrong. 32
bits yields 4,294,967,296 unique IP addresses, and considering that the RFC for it was released in 1981,
IPv4 has proven to have a remarkable lifespan. After more than 30 years and the huge growth of the
internet, it's no wonder its lifespan is coming to an end.

- 64: This is only half the size of the IPv6 address space, so this isn't correct. 64 bits would yield a
huge number of addresses, which probably would have been enough, but the designers wanted to be
sure to never run out of addresses on planet earth, hence the 128-bit address space in IPv6.

- 256: This isn't correct because 256 is twice the size of an IPv6 address, far more addresses than are
necessary at this or any other point in time.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12591

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 53). Wiley. Kindle Edition.

Question 216

Which of the following answers presents the MOST significant threat to network based IDS or IPS
systems?

• Complex IDS/IPS Signature Syntax

• Encrypted Traffic

• Digitally Signed Network Packets

• Segregated VLANs

Correct Answer is: Encrypted Traffic

Details:

The correct answer is: Encrypted traffic

Discussion: Encrypted network packets present the biggest threat to an effective IDS/IPS plan because
the traffic cannot easily (or quickly) be decoded and examined.

Encrypted packets can't be examined by the IDS to determine whether there is a threat in them, so in
most cases the traffic is just forwarded along with the potential threat.

There is an industry in which a company provides examination services for your network traffic, acting
like a proxy server for all of it.

You simply send them copies of your certificates so they can decode the traffic. This is common in the
financial industry where violating federal law or being sued by federal investigators for insider trading
can lead to business collapse.

The external company examines all the network traffic coming and going from your network for
potential liabilities.

The following answers are incorrect:

- Complex IDS/IPS Signature syntax: IDS/IPS signatures can be complex but this isn't the MOST significant
threat to the functionality of an IDS/IPS system.

- Digitally Signed Network Packets: This is an incorrect answer because it isn't a threat to IDS/IPS
systems looking for dangerous network traffic. Foremost because we don't commonly digitally sign each
network packet we send.

- Segregated VLANs: This is not the correct answer, but VLANs can present barriers to IDS/IPS systems
spotting dangerous traffic. There is an easy solution for VLANs and IDS/IPS systems: simply place an
IDS/IPS sensor on that VLAN and set it up to send its traffic to the IDS/IPS management system.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 16016

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (Pg. 138) Wiley. Kindle Edition.

Question 217
Which answer describes an application proxy that monitors and inspects all HTTP/HTTPS requests to
assess web application vulnerabilities?

• Web IDS

• Web Scarab

• HTTP Interceptor

• Web Caching Engine

Correct Answer is: HTTP Interceptor

Details:

The correct answer is: HTTP Interceptor

Threats come from all directions these days including traffic to and from your servers and clients using
HTTP and HTTPS protocols.

HTTP Interceptors analyze applications which communicate using HTTP and HTTPS protocols for web
applications like browsers and other web-based apps.

Some examples of HTTP Interceptors are Burp Suite, Web Scarab and Paros Proxy.

The following answers are incorrect:

- Web caching engine: Web caching engines don't always monitor HTTP messages for threatening
signatures. Caching engines usually just maintain current copies of web sites for users on a LAN to speed
up fetching of web sites. They also reduce internet traffic.

- Web IDS: This isn't a commonly used term, so this is incorrect, but an IDS can monitor HTTP
communications for threatening traffic. It can't usually watch HTTPS traffic because it is encrypted.

- Web Scarab: This is a framework for analyzing applications which use HTTP, so it is itself an HTTP
Interceptor and therefore isn't the correct answer.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 181). Wiley. Kindle Edition.

Question 218

Which of the following statements correctly describes the difference between a packet filtering firewall
and a stateful inspection firewall?

• Packet filtering firewall and Stateful firewall both maintain session of client.

• Packet filtering firewall does not maintain client session whereas Stateful firewall maintains client
session.

• Packet filtering firewall is a second generation firewall whereas Stateful is a first generation of
firewall.

• Packet filtering firewall and Stateful firewall do not maintain any session of client.

Correct Answer is: Packet filtering firewall does not maintain client session whereas Stateful firewall
maintains client session.

Details:

The correct answer is: Packet filtering firewall does not maintain client session whereas stateful firewall
maintains client session.

Packet Filtering Firewall

• Also known as a first generation firewall

• Does not maintain client session

• The advantages of this type of firewall are simplicity and generally stable performance, since the
filtering rules are applied at the network layer.

• Its simplicity is also a disadvantage, because it is vulnerable to attack from improperly configured
filters and to attacks tunneled over permitted services.

• Some of the more common attacks on packet filtering are IP spoofing, source routing
specification and miniature fragment attacks.

Stateful Inspection Firewall

• A stateful inspection firewall keeps track of the destination IP address of each packet that leaves
the organization's internal network.

• Session tracking is done by mapping the source IP address of an incoming packet against the list of
destination IP addresses that is maintained and updated.

• This approach prevents any attack initiated and originated by an outsider.

• A disadvantage is that a stateful inspection firewall can be relatively complex to administer
compared to other firewalls.
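The two bullet lists above, as an added example that is not from the page or its references: a minimal first-generation packet filter beside a stateful inspection firewall that records the external destinations each internal host contacts and admits inbound packets only as replies to them. The hosts and addresses in the usage section are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Decision = Tuple[str, str, str, str]  # (direction, src, dst, verdict)


class PacketFilter:
    """First-generation firewall: each packet is judged by static rules alone, with no session memory."""

    def __init__(self, permitted_external_sources: List[str]) -> None:
        self.permitted = set(permitted_external_sources)
        self.log: List[Decision] = []

    def inbound(self, src: str, dst: str) -> bool:
        verdict = "accept" if src in self.permitted else "drop"
        self.log.append(("in", src, dst, verdict))
        return verdict == "accept"


class StatefulInspectionFirewall:
    """Tracks, per internal host, which external destinations it has contacted;
    an inbound packet is admitted only if its source is on that host's list."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Set[str]] = defaultdict(set)
        self.log: List[Decision] = []

    def outbound(self, src: str, dst: str) -> bool:
        # Leaving packet: remember (internal host -> external destination)
        self.sessions[src].add(dst)
        self.log.append(("out", src, dst, "accept"))
        return True

    def inbound(self, src: str, dst: str) -> bool:
        # Incoming packet: map its source against the destinations that dst contacted
        verdict = "accept" if src in self.sessions.get(dst, set()) else "drop"
        self.log.append(("in", src, dst, verdict))
        return verdict == "accept"

    def close(self, internal: str, external: str) -> None:
        # Session ended: later packets from that external host are no longer replies
        self.sessions[internal].discard(external)

    def dropped_inbound(self) -> List[Tuple[str, str]]:
        # Unsolicited inbound attempts, the entries an analyst would review
        return [(s, d) for direction, s, d, v in self.log if direction == "in" and v == "drop"]


if __name__ == "__main__":
    fw = StatefulInspectionFirewall()
    fw.outbound("10.0.0.5", "203.0.113.9")             # internal host opens a session
    print(fw.inbound("203.0.113.9", "10.0.0.5"))        # reply: accepted
    print(fw.inbound("198.51.100.7", "10.0.0.5"))       # unsolicited: dropped
    print(fw.dropped_inbound())
```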

For your exam you should know the information below:

Firewall

Firewalls are used to restrict access to one network from another network. Most companies use
firewalls to restrict access to their networks from the Internet. They may also use firewalls to restrict
one internal network segment from accessing another internal segment. For example, if the security
administrator wants to make sure employees cannot access the research and development network, he
would place a firewall between this network and all other networks and configure the firewall to allow
only the type of traffic he deems acceptable. A firewall device supports and enforces the company’s
network security policy. An organizational security policy provides high-level directives on acceptable
and unacceptable actions as they pertain to protecting critical assets. The firewall has a more defined
and granular security policy that dictates what services are allowed to be accessed, what IP addresses
and ranges are to be restricted, and what ports can be accessed.

The firewall is described as a “choke point” in the network because all communication should flow
through it, and this is where traffic is inspected and restricted. A firewall may be a server running a
firewall software product or a specialized hardware appliance. It monitors packets coming into and out
of the network it is protecting. It can discard packets, repackage them, or redirect them, depending
upon the firewall configuration. Packets are filtered based on their source and destination addresses,
and ports by service, packet type, protocol type, header information, sequence bits, and much more.

Many times, companies set up firewalls to construct a demilitarized zone (DMZ), which is a network
segment located between the protected and unprotected networks. The DMZ provides a buffer zone
between the dangerous Internet and the goodies within the internal network that the company is trying
to protect. As shown in Figure 6-46, two firewalls are usually installed to form the DMZ. The DMZ usually
contains web, mail, and DNS servers, which must be hardened systems because they would be the first
in line for attacks. Many DMZs also have an IDS sensor that listens for malicious and suspicious behavior.

Many different types of firewalls are available, because each environment may have unique
requirements and security goals. Firewalls have gone through an evolution of their own and have grown
in sophistication and functionality. The following sections describe the various types of firewalls.

Image Source - http://en.wikipedia.org/wiki/Firewall_%28computing%29

The following were incorrect answers:

All other choices presented were incorrect answers because they did not give the proper definition.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14563

CISA review manual 2014 Page number 345 and 346

CISSP All In One Exam Guide Page Number 629

Question 219

Which of the following is the unique identifier within an IPSec packet that enables the sending host to
reference the security parameter to apply?

• SA (Security Association)

• SPI (Security Parameter Index)

• AH (Authentication Header)

• ESP (Encapsulating Security Payload)

Correct Answer is: SPI (Security Parameter Index)

Details:

The correct answer is: SPI (Security Parameter Index)

The Security Parameter Index (SPI) is the unique identifier that enables the sending host to reference
the security parameter to apply in order to decrypt the packet.

For your exam you should know the information below about the IPSec protocol:

The IP network layer packet security protocol establishes VPNs via transport and tunnel mode
encryption methods.

For the transport method, the data portion of each packet is encrypted. Encryption within IPSec is
referred to as the Encapsulating Security Payload (ESP); it is ESP that provides confidentiality over the
process.

In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an
additional Authentication Header (AH) is applied.

In establishing IPSec sessions in either mode, Security Associations (SAs) are established. SAs define
which security parameters should be applied between communicating parties, such as encryption
algorithms, key initialization vectors, life span of keys, etc., within either the ESP or AH header
respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the
sending host. The SPI is a unique identifier that enables the sending host to reference the security
parameter to apply, as specified, on the receiving host.

IPSec can be made more secure by using asymmetric encryption through the use of Internet Security
Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows automated key
management, use of public keys, negotiation, establishment, modification and deletion of SAs and
attributes. For authentication, the sender uses digital certificates. The connection is made secure by
supporting the generation, authentication and distribution of the SAs and the cryptographic keys.

The following were incorrect answers:

• SA – A Security Association (SA) defines which security parameters should be applied between
communicating parties, such as encryption algorithms, key initialization vectors, life span of keys, etc.

• ESP – Encapsulating Security Payload (ESP) is used to support authentication of the sender and
encryption of data.

• AH – The Authentication Header allows authentication of the sender of data.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14868

CISA review manual 2014 Page number 353

Question 220

Which of the following statements CORRECTLY describes the difference between IPSec and SSH
protocols?

• IPSec works at the transport layer and SSH works at the network layer of an OSI Model

• IPSec works at the network layer and SSH works at the transport layer of an OSI Model

• IPSec works at the network layer where as SSH works at the application layer of an OSI Model

• IPSec works at the transport layer and SSH works at the application layer of an OSI Model

Correct Answer is: IPSec works at the network layer where as SSH works at the application layer of an
OSI Model

Details:
The correct answer is: IPSec works at the network layer where as SSH works at the application layer of
an OSI Model

This question is testing your knowledge not only of the OSI layer at which IPSec and SSH operate but, to
a large degree, of the differences between them. There are many secure protocols: SKIP, swIPe, S-RPC
and SSL/TLS, as well as IPSec and SSH. Both IPSec and SSH encrypt sensitive data before transmitting it
on internal networks.

An overview of SSH and IPSec protocol:

• SSH - A client-server program that opens a secure, encrypted command-line shell session from
the Internet for remote logon. It uses port 22 by default. The Secure Shell (SSH) protocol makes its
connections via TCP and allows data to be sent and received (in motion) securely between two
networked systems, using Diffie-Hellman key exchange and integrity checking with message
authentication codes (MACs); it is used to remotely administer Unix/Linux systems and network devices.

SSH uses strong cryptography to protect data, including passwords, binary files and administrative
commands, transmitted between systems on a network. SSH is typically implemented between two
parties by validating each other's credentials via digital certificates. SSH is implemented at the
application layer.

• IPSec - The IP network layer packet security protocol transmits the actual packets of information
from one IP address to another, as described in the Shon Harris Blog below.

Here is a tutorial on IPSec from the Shon Harris Blog:

The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure channel
for protected data exchange between two devices. The devices that share this secure channel can be
two servers, two routers, a workstation and a server, or two gateways between different networks.
IPSec is a widely accepted standard for providing network layer protection. It can be more flexible and
less expensive than end-to-end and link encryption methods.

IPSec has strong encryption and authentication methods, and although it can be used to enable
tunneled communication between two computers, it is usually employed to establish virtual private
networks (VPNs) among networks across the Internet.

IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to use.
Rather, it is an open, modular framework that provides a lot of flexibility for companies when they
choose to use this type of technology. IPSec uses two basic security protocols: Authentication Header
(AH) and Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is an
authenticating and encrypting protocol that uses cryptographic mechanisms to provide source
authentication, confidentiality, and message integrity.

IPSec can work in one of two modes: transport mode, in which the payload of the message is protected,
and tunnel mode, in which the payload and the routing and header information are protected. ESP in
transport mode encrypts the actual message information so it cannot be sniffed and uncovered by an
unauthorized entity. Tunnel mode provides a higher level of protection by also protecting the header
and trailer data an attacker may find useful. Figure 8-26 shows the high-level view of the steps of setting
up an IPSec connection.

Each device will have at least one security association (SA) for each VPN it uses. The SA, which is critical
to the IPSec architecture, is a record of the configurations the device needs to support an IPSec
connection. When two devices complete their handshaking process, which means they have agreed
upon a long list of parameters they will use to communicate, these data must be recorded and stored
somewhere, which is in the SA.

The SA can contain the authentication and encryption keys, the agreed-upon algorithms, the key
lifetime, and the source IP address. When a device receives a packet via the IPSec protocol, it is the SA
that tells the device what to do with the packet. So if device B receives a packet from device C via IPSec,
device B will look to the corresponding SA to tell it how to decrypt the packet, how to properly
authenticate the source of the packet, which key to use, and how to reply to the message if necessary.

SAs are directional, so a device will have one SA for outbound traffic and a different SA for inbound
traffic for each individual communication channel. If a device is connecting to three devices, it will have
at least six SAs, one for each inbound and outbound connection per remote device. So how can a device
keep all of these SAs organized and ensure that the right SA is invoked for the right connection? With
the mighty security parameter index (SPI), that's how. Each device has an SPI that keeps track of the
different SAs and tells the device which one is appropriate to invoke for the different packets it receives.
The SPI value is in the header of an IPSec packet, and the device reads this value to tell it which SA to
consult.

IPSec can authenticate the sending devices of the packet by using MAC (covered in the earlier section,
"The One-Way Hash"). The ESP protocol can provide authentication, integrity, and confidentiality if the
devices are configured for this type of functionality.

So if a company just needs to make sure it knows the source of the sender and must be assured of the
integrity of the packets, it would choose to use AH. If the company would like to use these services and
also have confidentiality, it would use the ESP protocol because it provides encryption functionality. In
most cases, the reason ESP is employed is because the company must set up a secure VPN connection.

It may seem odd to have two different protocols that provide overlapping functionality. AH provides
authentication and integrity, and ESP can provide those two functions and confidentiality. Why even
bother with AH then? In most cases, the reason has to do with whether the environment is using
network address translation (NAT). IPSec will generate an integrity check value (ICV), which is really the
same thing as a MAC value, over a portion of the packet. Remember that the sender and receiver
generate their own values. In IPSec, it is called an ICV value. The receiver compares her ICV value with
the one sent by the sender. If the values match, the receiver can be assured the packet has not been
modified during transmission. If the values are different, the packet has been altered and the receiver
discards the packet.

The AH protocol calculates this ICV over the data payload, transport, and network headers. If the packet
then goes through a NAT device, the NAT device changes the IP address of the packet. That is its job.
This means a portion of the data (network header) that was included to calculate the ICV value has now
changed, and the receiver will generate an ICV value that is different from the one sent with the packet,
which means the packet will be discarded automatically.

The ESP protocol follows similar steps, except it does not include the network header portion when
calculating its ICV value. When the NAT device changes the IP address, it will not affect the receiver's ICV
value because it does not include the network header when calculating the ICV.

Because IPSec is a framework, it does not dictate which hashing and encryption algorithms are to be
used or how keys are to be exchanged between devices. Key management can be handled manually or
automated by a key management protocol. The de facto standard for IPSec is to use Internet Key
Exchange (IKE), which is a combination of the ISAKMP and OAKLEY protocols. The Internet Security
Association and Key Management Protocol (ISAKMP) is a key exchange architecture that is independent
of the type of keying mechanisms used. Basically, ISAKMP provides the framework of what can be
negotiated to set up an IPSec connection (algorithms, protocols, modes, keys). The OAKLEY protocol is
the one that carries out the negotiation process. You can think of ISAKMP as providing the playing field
(the infrastructure) and OAKLEY as the guy running up and down the playing field (carrying out the steps
of the negotiation).

IPSec is very complex with all of its components and possible configurations. This complexity is what
provides for a great degree of flexibility, because a company has many different configuration choices to
achieve just the right level of protection. If this is all new to you and still confusing, please review one or
more of the following references to help fill in the gray areas.

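The SPI-selected SA lookup from Question 219 and the AH-versus-ESP behaviour behind NAT described above, as an added example that is not from the page or its references: a simplified receiver-side SA database keyed by SPI, with the ICV computed as a truncated HMAC over the IP addresses plus payload for AH and over the ESP header plus payload for ESP. Encryption, sequence numbers and real packet encoding are left out, and all keys and addresses are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ICV_LEN = 12  # truncated integrity check value, as used by HMAC-based IPsec integrity algorithms


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int          # 32-bit Security Parameter Index carried in the AH/ESP header
    protocol: str     # "AH" or "ESP"
    peer: str         # address the SA was negotiated with
    auth_key: bytes   # agreed-upon integrity key (algorithm choice, lifetime etc. omitted)


class SADatabase:
    """Receiver side: the SPI (plus protocol) found in the packet selects the SA to consult."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.protocol)] = sa

    def lookup(self, spi: int, protocol: str) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, protocol))


def _icv(key: bytes, covered: bytes) -> bytes:
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def _covered_bytes(protocol: str, src: str, dst: str, spi: int, payload: bytes) -> bytes:
    # AH: the ICV covers the immutable IP header fields (here: the addresses) plus the payload.
    # ESP: the ICV covers only the ESP header (SPI) and the payload, never the IP header.
    header = struct.pack("!I", spi)
    if protocol == "AH":
        return src.encode() + dst.encode() + header + payload
    return header + payload


def protect(sa: SecurityAssociation, src: str, dst: str, payload: bytes) -> dict:
    """Sender: build a simplified protected packet carrying the SPI and the ICV."""
    covered = _covered_bytes(sa.protocol, src, dst, sa.spi, payload)
    return {"src": src, "dst": dst, "proto": sa.protocol, "spi": sa.spi,
            "payload": payload, "icv": _icv(sa.auth_key, covered)}


def verify(sadb: SADatabase, pkt: dict) -> bool:
    """Receiver: find the SA by SPI, recompute the ICV, accept only on a match."""
    sa = sadb.lookup(pkt["spi"], pkt["proto"])
    if sa is None:
        return False  # unknown SPI: no SA to consult, so the packet is discarded
    covered = _covered_bytes(pkt["proto"], pkt["src"], pkt["dst"], pkt["spi"], pkt["payload"])
    return hmac.compare_digest(_icv(sa.auth_key, covered), pkt["icv"])


def nat_rewrite_source(pkt: dict, public_src: str) -> dict:
    """A NAT device on the path replacing the source address, which is its job."""
    return {**pkt, "src": public_src}


if __name__ == "__main__":
    sadb = SADatabase()
    ah_sa = SecurityAssociation(0x1001, "AH", "10.0.0.5", b"constructed-ah-key")
    esp_sa = SecurityAssociation(0x2002, "ESP", "10.0.0.5", b"constructed-esp-key")
    sadb.add(ah_sa)
    sadb.add(esp_sa)
    payload = b"constructed payload"
    ah_pkt = protect(ah_sa, "10.0.0.5", "203.0.113.9", payload)
    esp_pkt = protect(esp_sa, "10.0.0.5", "203.0.113.9", payload)
    print("AH  direct:", verify(sadb, ah_pkt),
          " via NAT:", verify(sadb, nat_rewrite_source(ah_pkt, "198.51.100.1")))
    print("ESP direct:", verify(sadb, esp_pkt),
          " via NAT:", verify(sadb, nat_rewrite_source(esp_pkt, "198.51.100.1")))
```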
The following reference(s) was/were used to create this question:

7th Study Guide Chapter 5 Section: Protecting Data with Transport Encryption, kindle 5412, page 173

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14868

CISA review manual 2014 Page number 352 and 353

Question 221

Which of the following protocol is developed jointly by VISA and Master Card to secure payment
transactions among all parties involved in credit card transactions on behalf of cardholders and
merchants?

• S/HTTP

• SET

• S/MIME

• SSH

Correct Answer is: SET

Details:

The correct answer is: SET

Secure Electronic Transaction (SET) is a protocol developed jointly by VISA and Master Card to secure
payment transactions among all parties involved in credit card transactions on behalf of cardholders and
merchants. As an open system specification, SET is an application-oriented protocol that uses a trusted
third party's encryption and digital-signature process, via the PKI infrastructure of trusted third party
institutions, to address confidentiality of information, integrity of data, cardholder authentication,
merchant authentication and interoperability.

The following were incorrect answers:

• S/MIME - Secure Multipurpose Internet Mail Extension (S/MIME) is a standard secure email
protocol that authenticates the identity of the sender and receiver, verifies message integrity, and
ensures the privacy of message contents, including attachments.

• SSH – A client-server program that opens a secure, encrypted command-line shell session from
the Internet for remote logon. Similar to a VPN, SSH uses strong cryptography to protect data, including
passwords, binary files and administrative commands, transmitted between systems on a network. SSH
is typically implemented between two parties by validating each other's credentials via digital
certificates. SSH is useful in securing Telnet and FTP services, and is implemented at the application
layer, as opposed to operating at the network layer (IPSec implementation).

• Secure Hypertext Transfer Protocol (S/HTTP) - As an application layer protocol, S/HTTP transmits
individual messages or pages securely between a web client and server by establishing an SSL-type
connection. Using the https:// designation in the URL, instead of the standard http://, directs the
message to a secure port number rather than the default web port address. This protocol utilizes SSL
secure features but does so as a message-oriented rather than a session-oriented protocol.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 31008

CISA review manual 2014 Page number 352 and 353

Question 222

A Private Branch Exchange (PBX) environment involves many security risks, including people both
internal and external to an organization. Which of the following risks are NOT associated with a PBX?

1. Theft of service

2. Disclosure of information

3. Data Modifications

4. Denial of service

5. Traffic Analysis

• They are ALL risks associated with PBX

• 1-4

• 4 and 5

• 3 and 4

Correct Answer is: They are ALL risks associated with PBX

Details:

The correct answer is: They are all risks associated with PBX

The NOT is a keyword used in the question. You need to find out the risks which are NOT associated with
PBX. All the risk listed within the options are associated with PBX.

The threats to a PBX telephone system are many, depending on the goals of the attackers, and
include:

• Theft of service - Toll fraud, probably the most common motive for attackers.

• Disclosure of Information - Data disclosed without authorization, either by deliberate action or
by accident. Examples include eavesdropping on conversations and unauthorized access to routing and
address data.

• Data Modification - Data altered in some meaningful way by recording, deleting or modifying it.
For example, an intruder may change billing information or modify system tables to gain additional
services.

• Unauthorized access – Actions that permit an unauthorized user to gain access to system
resources or privileges.

• Denial of service - Actions that prevent the system from functioning in accordance with its
intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a
degraded state; operations that depend on timeliness may be delayed.

• Traffic Analysis – A form of passive attack in which an intruder observes information about calls
and makes inferences, e.g. from the source and destination number or the frequency and length of
messages. For example, an intruder observes a high volume of calls between a company's legal
department and the patent office, and concludes that a patent is being filed.

The following were incorrect answers:

All the risks presented in the options are associated with PBX, so the other options are not valid.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14693

CISA review manual 2014 Page number 356

Question 223

Which of the following is a sophisticated computer based switch that can be thought of as essentially a
small in-house phone company for the organization?

• Virtual Local Area Network

• Voice over IP

• Private Branch Exchange

• Dial-up connection

Correct Answer is: Private Branch Exchange

Details:

The correct answer is: Private Branch Exchange

A Private Branch Exchange (PBX) is a sophisticated computer based switch that can be thought of as
essentially a small in-house phone company for the organization that operates it. Protection of the PBX
is thus a high priority. Failure to secure the PBX can result in exposing the organization to toll fraud, theft
of proprietary or confidential information, loss of revenue or legal entanglements.

A PBX environment involves many security risks, presented by people both internal and external to an
organization. The threats to a PBX telephone system are many, depending on the goals of the
attackers, and include:

• Theft of service - Toll fraud, probably the most common motive for attackers.

• Disclosure of Information - Data disclosed without authorization, either by deliberate action or
by accident. Examples include eavesdropping on conversations and unauthorized access to routing and
address data.

• Data Modification - Data altered in some meaningful way by recording, deleting or modifying it.
For example, an intruder may change billing information or modify system tables to gain additional
services.

• Unauthorized access – Actions that permit an unauthorized user to gain access to system
resources or privileges.

• Denial of service - Actions that prevent the system from functioning in accordance with its
intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a
degraded state; operations that depend on timeliness may be delayed.

• Traffic Analysis – A form of passive attack in which an intruder observes information about calls
and makes inferences, e.g. from the source and destination number or the frequency and length of
messages. For example, an intruder observes a high volume of calls between a company's legal
department and the patent office, and concludes that a patent is being filed.

The following were incorrect answers:

• Virtual Local Area Network - A virtual local area network (VLAN) is a logical group of
workstations, servers and network devices that appear to be on the same LAN despite their geographical
distribution. A VLAN allows a network of computers and users to communicate in a simulated
environment as if they existed in a single LAN and were sharing a single broadcast and multicast domain.
VLANs are implemented to achieve scalability, security and ease of network management, and can
quickly adapt to changes in network requirements and the relocation of workstations and server nodes.

• Voice over IP - VoIP is a technology where voice traffic is carried on top of existing data
infrastructure. Sounds are digitized into IP packets and transferred through the network layer before
being decoded back into the original voice.

• Dial-up connection - Dial-up refers to an Internet connection that is established using a modem.
The modem connects the computer to standard phone lines, which serve as the data transfer medium.
When a user initiates a dial-up connection, the modem dials a phone number of an Internet Service
Provider (ISP) that is designated to receive dial-up calls. The ISP then establishes the connection, which
usually takes about ten seconds and is accompanied by several beeping and buzzing sounds.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14693
CISA review manual 2014 Page number 356

Question 224

Which of the following PBX features allows a PBX to be configured so that incoming calls are distributed
to the next available agent or placed on hold until one becomes available?

• Automatic Call distribution

• Voice mail

• Tenanting

• Call forwarding

Correct Answer is: Automatic Call distribution

Details:

The correct answer is: Automatic Call distribution

Automatic Call distribution allows a PBX to be configured so that incoming calls are distributed to the
next available agent or placed on hold until one becomes available.

For your exam you should know the PBX features listed below, with a description of each feature and the
risk it introduces:

• Automatic Call distribution - Allows a PBX to be configured so that incoming calls are distributed to
the next available agent or placed on hold until one becomes available. Risk: tapping and control of
traffic.

• Call forwarding - Allows specifying an alternate number to which calls will be forwarded based on
certain conditions. Risk: user tracking.

• Account codes - Used to track calls made by certain people or for certain projects for appropriate
billing; for dial-in system access (a user dials in from outside and gains access to the normal features of
the PBX); and for changing the user's class of service so a user can access a different set of features
(i.e. the override feature). Risk: fraud, user tracking, non-authorized features.

• Access codes - Key for access to specific features for users with simple instruments, i.e. traditional
analog phones. Risk: non-authorized features.

• Silent monitoring - Silently monitors other calls. Risk: eavesdropping.

• Conferencing - Allows for conversation among several users. Risk: eavesdropping, by adding
unwanted/unknown parties to a conference.

• Override (intrude) - Provides the possibility to break into a busy line to inform another user of an
important message. Risk: eavesdropping.

• Auto-answer - Allows an instrument to automatically go off-hook when called; usually gives an audible
or visible warning, which can easily be turned off. Risk: gaining information not normally available, for
various purposes.

• Tenanting - Limits system user access to only those users who belong to the same tenant group;
useful when one company leases out part of its building to other companies and tenants share an
attendant, trunk lines, etc. Risk: illegal usage, fraud, eavesdropping.

• Voice mail - Stores messages centrally and, by using a password, allows for retrieval from inside or
outside lines. Risk: disclosure or destruction of all messages of a user when that user's password is
known or discovered by an intruder; disabling of the voice mail system and even the entire switch by
lengthy messages or embedded codes; illegal access to external lines.

• Privacy release - Supports shared extensions among several devices, ensuring that only one device at
a time can use an extension. Privacy release disables this protection by allowing devices to connect to an
extension already in use. Risk: eavesdropping.

• Nonbusy extension - Allows calls to an in-use extension to be added to a conference when that
extension is on a conference and already off-hook. Risk: eavesdropping on a conference in progress.

• Diagnostics - Allows for bypassing normal call restriction procedures. This kind of diagnostic is
sometimes available from any connected device. It is a separate feature, in addition to the normal
maintenance terminal or attendant diagnostics. Risk: fraud and illegal usage.

• Camp-on or call waiting - When activated, sends a visual or audible warning to an off-hook instrument
that is receiving another call. Another option of this feature is to conference with the camped-on or
call-waiting party. Risk: making the called individual a party to a conference without knowing it.

• Dedicated connections - Connections made through the PBX without using the normal dialing
sequences. They can be used to create hot-lines between devices, i.e. one rings when the other goes
off-hook. They are also used for data connections between devices and the central processing facility.
Risk: eavesdropping on a line.

The following were incorrect answers:

• Call forwarding - Allows specifying an alternate number to which calls will be forwarded based on
certain conditions.

• Tenanting - Limits system user access to only those users who belong to the same tenant group;
useful when one company leases out part of its building to other companies and tenants share an
attendant, trunk lines, etc.

• Voice Mail - Stores messages centrally and, by using a password, allows for retrieval from
inside or outside lines.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14693

CISA review manual 2014 Page number 358

Question 225

Which of the following is an environmental issue caused by electric storms or noisy electric equipment
and may also cause computer systems to hang or crash?

• Brownout

• Blackout

• Sag

• Electromagnetic Interference

Correct Answer is: Electromagnetic Interference

Details:

The correct answer is: Electromagnetic Interference

Electromagnetic interference (EMI) is caused by electrical storms or noisy electrical equipment. The
interference may cause computer systems to hang or crash, as well as damage similar to that caused by
sags, spikes and surges.

Because unshielded twisted-pair (UTP) cable does not have the shielding of shielded twisted-pair cable,
UTP is susceptible to interference from external electrical sources, which could reduce the integrity of
the signal. Also, to intercept transmitted data, an intruder can install a tap on the cable or monitor the
radiation from the wire. Thus, UTP may not be a good choice when transmitting very sensitive data or
when installed in an environment with much electromagnetic interference (EMI) or radio frequency
interference (RFI). Despite its drawbacks, UTP is the most common cable type. UTP is inexpensive, can
be easily bent during installation, and, in most cases, the risk from the above drawbacks is not enough to
justify more expensive cables.

For your exam you should know the following information about power failures:

• Total Failure (Blackout) – A complete loss of electric power, which may span from a single
building to an entire geographical area and is often caused by weather conditions or the inability of an
electric utility company to meet user demand.

• Severely reduced voltage (brownout) – The failure of an electric utility company to supply power
within an acceptable range. Such a failure places a strain on electronic equipment and may limit its
operational life or even cause permanent damage.

• Sags, spikes and surges – Temporary and rapid decreases (sags) or increases (spikes and surges) in
voltage levels. These anomalies can cause loss of data, data corruption, network transmission errors or
physical damage to hardware devices.

• Electromagnetic interference (EMI) – Interference caused by electrical storms or noisy electrical
equipment. The interference may cause computer systems to hang or crash, as well as damage similar to
that caused by sags, spikes and surges.

The following were incorrect answers:

• Sag – A temporary, rapid decrease in voltage.

• Total Failure (Blackout) – A complete loss of electric power, which may span from a single
building to an entire geographical area and is often caused by weather conditions or the inability of an
electric utility company to meet user demand.

• Severely reduced voltage (brownout) – The failure of an electric utility company to supply power
within an acceptable range. Such a failure places a strain on electronic equipment and may limit its
operational life or even cause permanent damage.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 1441

CISA review manual 2014 Page number 372

and

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press)
(Kindle Locations 6507-6512). Auerbach Publications. Kindle Edition.

Question 226

Which of the following computer networks is a WAN limited to one city?

• PAN

• LAN

• SAN

• MAN

Correct Answer is: MAN

Details:

The correct answer is: MAN

MAN - A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by local municipal
corporations; the larger the city, the bigger the MAN, and the smaller the metro city, the smaller the
MAN.

For your exam you should know below information about computer networks:

Local Area Network (LAN)

A local area network (LAN) is a computer network that interconnects computers within a limited area
such as a home, school, computer laboratory, or office building using network media.

Wide Area Network

A wide area network (WAN) is a network that covers a broad area (i.e., any telecommunications network
that links across metropolitan, regional, national or international boundaries) using leased
telecommunication lines.


Metropolitan Area Network

A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by local municipal
corporations; the larger the city, the bigger the MAN, and the smaller the metro city, the smaller the
MAN.


Personal Area Network

A personal area network (PAN) is a computer network used for data transmission among devices such as
computers, telephones and personal digital assistants. PANs can be used for communication among the
personal devices themselves (intrapersonal communication), or for connecting to a higher level network
and the Internet (an uplink).


Storage Area Network

A storage area network (SAN) is a dedicated network that provides access to consolidated, block-level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and
optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to the
operating system. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network (LAN) by other devices.


The following were incorrect answers:

• PAN - A personal area network (PAN) is a computer network used for data transmission among
devices such as computers, telephones and personal digital assistants. PANs can be used for
communication among the personal devices themselves (intrapersonal communication), or for
connecting to a higher level network and the Internet (an uplink).

• LAN - A local area network (LAN) is a computer network that interconnects computers within a
limited area such as a home, school, computer laboratory, or office building using network media.

• SAN - A storage area network (SAN) is a dedicated network that provides access to consolidated,
block-level data storage. SANs are primarily used to make storage devices, such as disk arrays, tape
libraries, and optical jukeboxes, accessible to servers so that the devices appear like locally attached
devices to the operating system. A SAN typically has its own network of storage devices that are
generally not accessible through the local area network (LAN) by other devices.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 30779

CISA review manual 2014 Page number 258

Question 227

Which of the following types of computer network is a variation of a LAN and is dedicated to connecting
storage devices to servers and other computing devices?

• MAN

• SAN

• PAN

• LAN

Correct Answer is: SAN

Details:

The correct answer is: SAN

A storage area network (SAN) is a dedicated network that provides access to consolidated, block-level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and
optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to the
operating system. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network (LAN) by other devices.

For your exam you should know below information about computer networks:

Local Area Network (LAN)

A local area network (LAN) is a computer network that interconnects computers within a limited area
such as a home, school, computer laboratory, or office building using network media.


Wide Area Network

A wide area network (WAN) is a network that covers a broad area (i.e., any telecommunications network
that links across metropolitan, regional, national or international boundaries) using leased
telecommunication lines.

Metropolitan Area Network

A metropolitan area network (MAN) is a computer network in which two or more computers,
communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by local municipal
corporations; the larger the city, the bigger the MAN, and the smaller the metro city, the smaller the
MAN.


Personal Area Network

A personal area network (PAN) is a computer network used for data transmission among devices such as
computers, telephones and personal digital assistants. PANs can be used for communication among the
personal devices themselves (intrapersonal communication), or for connecting to a higher level network
and the Internet (an uplink).


Storage Area Network

A storage area network (SAN) is a dedicated network that provides access to consolidated, block-level
data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and
optical jukeboxes, accessible to servers so that the devices appear like locally attached devices to the
operating system. A SAN typically has its own network of storage devices that are generally not
accessible through the local area network (LAN) by other devices.


The following were incorrect answers:

• PAN - A personal area network (PAN) is a computer network used for data transmission among
devices such as computers, telephones and personal digital assistants. PANs can be used for
communication among the personal devices themselves (intrapersonal communication), or for
connecting to a higher level network and the Internet (an uplink).

• LAN - A local area network (LAN) is a computer network that interconnects computers within a
limited area such as a home, school, computer laboratory, or office building using network media.

• MAN - A metropolitan area network (MAN) is a computer network in which two or more
computers, communicating devices or networks that are geographically separated but located in the same
metropolitan city are connected to each other. Metropolitan limits are determined by local municipal
corporations; the larger the city, the bigger the MAN, and the smaller the metro city, the smaller the
MAN.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 21387

CISA review manual 2014 Page number 258

Question 228

Which of the following types of network service is used by a network computer to obtain an IP address
and other parameters, such as the default gateway and subnet mask?

• Network Management

• DHCP

• DNS

• Directory Service

Correct Answer is: DHCP

Details:

The correct answer is: DHCP

Dynamic Host Configuration Protocol (DHCP) - The Dynamic Host Configuration Protocol (DHCP) is a
standardized networking protocol used on Internet Protocol (IP) networks for dynamically distributing
network configuration parameters, such as IP addresses for interfaces and services. With DHCP,
computers request IP addresses and networking parameters automatically from a DHCP server, reducing
the need for a network administrator or a user to configure these settings manually.

For your exam you should know below information about network services:

In computer networking, a network service is an application running at the network application layer
and above, that provides data storage, manipulation, presentation, communication or other capability
which is often implemented using a client-server or peer-to-peer architecture based on application layer
network protocols.

Each service is usually provided by a server component running on one or more computers (often a
dedicated server computer offering multiple services) and accessed via a network by client components
running on other devices. However, the client and server components can both be run on the same
machine.

Clients and servers will often have a user interface, and sometimes other hardware associated with
them.

Different types of network services are as follows:

• Network File System - Network File System (NFS) is a distributed file system protocol originally
developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a
network much like local storage is accessed.

• Remote Access Service - Remote Access Services (RAS) refers to any combination of hardware
and software that enables remote access to tools or information that typically reside on a network of IT
devices.

• Directory Services - A directory service is the software system that stores, organizes and
provides access to information in a directory. In software engineering, a directory is a map between
names and values. It allows the lookup of values given a name, similar to a dictionary. As a word in a
dictionary may have multiple definitions, in a directory, a name may be associated with multiple,
different pieces of information. Likewise, as a word may have different parts of speech and different
definitions, a name in a directory may have many different types of data.

• Network Management - In computer networks, network management refers to the activities,
methods, procedures, and tools that pertain to the operation, administration, maintenance, and
provisioning of networked systems. Network management is essential to command and control
practices and is generally carried out from a network operations center.

• Dynamic Host Configuration Protocol (DHCP) - The Dynamic Host Configuration Protocol (DHCP)
is a standardized networking protocol used on Internet Protocol (IP) networks for dynamically
distributing network configuration parameters, such as IP addresses for interfaces and services. With
DHCP, computers request IP addresses and networking parameters automatically from a DHCP server,
reducing the need for a network administrator or a user to configure these settings manually.

• Email service - Provides the ability, through a terminal or PC connected to a communication
network, to send an unstructured message to another individual or group of people.

• Print Services - Provide the ability, typically through a print server on a network, to manage and
execute print request services from other devices on the network

• Domain Name System (DNS) - Translates the names of network nodes into network IP addresses.

The following were incorrect answers:

• Directory Service - A directory service is the software system that stores, organizes and provides
access to information in a directory. In software engineering, a directory is a map between names and
values. It allows the lookup of values given a name, similar to a dictionary. As a word in a dictionary may
have multiple definitions, in a directory, a name may be associated with multiple, different pieces of
information. Likewise, as a word may have different parts of speech and different definitions, a name in
a directory may have many different types of data.

• Domain Name System (DNS) - Translates the names of network nodes into network IP addresses.

• Network Management - In computer networks, network management refers to the activities,
methods, procedures, and tools that pertain to the operation, administration, maintenance, and
provisioning of networked systems. Network management is essential to command and control
practices and is generally carried out from a network operations center.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12461

CISA review manual 2014 Page number 258

Question 229

Which of the following layers of the OSI model provides a standard interface for applications to
communicate with devices on a network?

• Application layer

• Presentation layer

• Session layer

• Transport layer

Correct Answer is: Application layer

Details:

The correct answer is: Application layer

The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:

• Resource sharing and device redirection

• Remote file access

• Remote printer access

• Inter-process communication

• Network management

• Directory services

• Electronic messaging (such as mail)

• Network virtual terminals

For your exam you should know below information about OSI model:

The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers.
The model is a product of the Open Systems Interconnection project at the International Organization
for Standardization (ISO), maintained under the identification ISO/IEC 7498-1.

The model groups communication functions into seven logical layers. A layer serves the layer above it
and is served by the layer below it. For example, a layer that provides error-free communications across
a network provides the path needed by applications above it, while it calls the next lower layer to send
and receive packets that make up the contents of that path. Two instances at the same layer are
connected by a horizontal connection in that layer.


PHYSICAL LAYER

The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers. It provides:

Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:

• What signal state represents a binary 1

• How the receiving station knows when a "bit-time" starts

• How the receiving station delimits a frame

DATA LINK LAYER

The data link layer provides error-free transfer of data frames from one node to another over the
physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do
this, the data link layer provides:

• Link establishment and termination: establishes and terminates the logical link between two
nodes.

• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are
available.

• Frame sequencing: transmits/receives frames sequentially.

• Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers
from errors that occur in the physical layer by retransmitting non-acknowledged frames and handling
duplicate frame receipt.

• Frame delimiting: creates and recognizes frame boundaries.

• Frame error checking: checks received frames for integrity.

• Media access management: determines when the node "has the right" to use the physical
medium.

NETWORK LAYER

The network layer controls the operation of the subnet, deciding which physical path the data should
take based on network conditions, priority of service, and other factors. It provides:

• Routing: routes frames among networks.

• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending
station to "throttle back" its frame transmission when the router's buffer fills up.

• Frame fragmentation: if it determines that a downstream router's maximum transmission unit
(MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at
the destination station.

• Logical-physical address mapping: translates logical addresses, or names, into physical
addresses.

• Subnet usage accounting: has accounting functions to keep track of frames forwarded by
subnet intermediate systems, to produce billing information.

Communications Subnet

The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.

This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).

In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.

TRANSPORT LAYER

The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.

The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.

The transport layer provides:

• Message segmentation: accepts a message from the (session) layer above it, splits the
message into smaller units (if not already small enough), and passes the smaller units down to the
network layer. The transport layer at the destination station reassembles the message.

• Message acknowledgment: provides reliable end-to-end message delivery with
acknowledgments.

• Message traffic control: tells the transmitting station to "back-off" when no message buffers
are available.

• Session multiplexing: multiplexes several message streams, or sessions onto one logical link
and keeps track of which messages belong to which sessions (see session layer).

Typically, the transport layer can accept relatively large messages, but there are strict message size
limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the
messages into smaller units, or frames, prepending a header to each frame.

The transport layer header information must then include control information, such as message start
and message end flags, to enable the transport layer on the other end to recognize message boundaries.
In addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the
right order before handing the received message up to the layer above.

End-to-end layers

Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above
it) on the source station carries on a conversation with similar software on the destination station by
using message headers and control messages.

SESSION LAYER

The session layer allows session establishment between processes running on different stations. It
provides:

• Session establishment, maintenance and termination: allows two application processes on
different machines to establish, use and terminate a connection, called a session.

• Session support: performs the functions that allow these processes to communicate over the
network, performing security, name recognition, logging, and so on.

PRESENTATION LAYER

The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into
a common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.

The presentation layer provides:

• Character code translation: for example, ASCII to EBCDIC.

• Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.

• Data compression: reduces the number of bits that need to be transmitted on the network.

• Data encryption: encrypts data for security purposes. For example, password encryption.

APPLICATION LAYER

The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:

• Resource sharing and device redirection

• Remote file access

• Remote printer access

• Inter-process communication

• Network management

• Directory services

• Electronic messaging (such as mail)

• Network virtual terminals

The following were incorrect answers:

• Presentation layer - The presentation layer formats the data to be presented to the application
layer. It can be viewed as the translator for the network. This layer may translate data from a format
used by the application layer into a common format at the sending station, then translate the common
format to a format known to the application layer at the receiving station.

• Session layer - The session layer allows session establishment between processes running on
different stations.

• Transport layer - The transport layer ensures that messages are delivered error-free, in
sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern
with the transfer of data between them and their peers.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

CISA review manual 2014 Page number 260

Question 230

Which of the following layers of the OSI model ensures that messages are delivered error-free, in
sequence, and with no losses or duplications?

• Transport layer

• Session layer

• Presentation layer

• Application layer

Correct Answer is: Transport layer

Details:

The correct answer is: Transport layer

The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.

The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.

The transport layer provides:

• Message segmentation: accepts a message from the (session) layer above it, splits the message
into smaller units (if not already small enough), and passes the smaller units down to the network layer.
The transport layer at the destination station reassembles the message.

• Message acknowledgment: provides reliable end-to-end message delivery with
acknowledgments.

• Message traffic control: tells the transmitting station to "back-off" when no message buffers are
available.

• Session multiplexing: multiplexes several message streams, or sessions onto one logical link and
keeps track of which messages belong to which sessions (see session layer).

For your exam you should know the following information about the OSI model:

The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers.
The model is a product of the Open Systems Interconnection project at the International Organization
for Standardization (ISO), maintained by the identification ISO/IEC 7498-1.

The model groups communication functions into seven logical layers. A layer serves the layer above it
and is served by the layer below it. For example, a layer that provides error-free communications across
a network provides the path needed by applications above it, while it calls the next lower layer to send
and receive packets that make up the contents of that path. Two instances at one layer are connected
by a horizontal connection at that layer.

Image source: http://www.petri.co.il/images/osi_model.JPG

PHYSICAL LAYER

The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers. It provides:

Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:

• What signal state represents a binary 1

• How the receiving station knows when a "bit-time" starts

• How the receiving station delimits a frame

DATA LINK LAYER

The data link layer provides error-free transfer of data frames from one node to another over the
physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do
this, the data link layer provides:

• Link establishment and termination: establishes and terminates the logical link between two
nodes.

• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are
available.

• Frame sequencing: transmits/receives frames sequentially.

• Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers
from errors that occur in the physical layer by retransmitting non-acknowledged frames and handling
duplicate frame receipt.

• Frame delimiting: creates and recognizes frame boundaries.

• Frame error checking: checks received frames for integrity.

• Media access management: determines when the node "has the right" to use the physical
medium.

NETWORK LAYER

The network layer controls the operation of the subnet, deciding which physical path the data should
take based on network conditions, priority of service, and other factors. It provides:

• Routing: routes frames among networks.

• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending
station to "throttle back" its frame transmission when the router's buffer fills up.

• Frame fragmentation: if it determines that a downstream router's maximum transmission unit
(MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at
the destination station.

• Logical-physical address mapping: translates logical addresses, or names, into physical
addresses.

• Subnet usage accounting: has accounting functions to keep track of frames forwarded by
subnet intermediate systems, to produce billing information.

Communications Subnet

The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.

This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).

In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.

TRANSPORT LAYER

The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.

The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.

The transport layer provides:

• Message segmentation: accepts a message from the (session) layer above it, splits the
message into smaller units (if not already small enough), and passes the smaller units down to the
network layer. The transport layer at the destination station reassembles the message.

• Message acknowledgment: provides reliable end-to-end message delivery with
acknowledgments.

• Message traffic control: tells the transmitting station to "back-off" when no message buffers
are available.

• Session multiplexing: multiplexes several message streams, or sessions onto one logical link
and keeps track of which messages belong to which sessions (see session layer).

Typically, the transport layer can accept relatively large messages, but there are strict message size
limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the
messages into smaller units, or frames, prepending a header to each frame.

The transport layer header information must then include control information, such as message start
and message end flags, to enable the transport layer on the other end to recognize message boundaries.
In addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the
right order before handing the received message up to the layer above.

End-to-end layers

Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above
it) on the source station carries on a conversation with similar software on the destination station by
using message headers and control messages.

SESSION LAYER

The session layer allows session establishment between processes running on different stations. It
provides:

• Session establishment, maintenance and termination: allows two application processes on
different machines to establish, use and terminate a connection, called a session.

• Session support: performs the functions that allow these processes to communicate over the
network, performing security, name recognition, logging, and so on.

PRESENTATION LAYER

The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into
a common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.

The presentation layer provides:

• Character code translation: for example, ASCII to EBCDIC.

• Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.

• Data compression: reduces the number of bits that need to be transmitted on the network.

• Data encryption: encrypt data for security purposes. For example, password encryption.

APPLICATION LAYER

The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:

• Resource sharing and device redirection

• Remote file access

• Remote printer access

• Inter-process communication

• Network management

• Directory services

• Electronic messaging (such as mail)

• Network virtual terminals

The following were incorrect answers:

• Application Layer - The application layer serves as the window for users and application
processes to access network services.

• Presentation layer - The presentation layer formats the data to be presented to the application
layer. It can be viewed as the translator for the network. This layer may translate data from a format
used by the application layer into a common format at the sending station, then translate the common
format to a format known to the application layer at the receiving station.

• Session layer - The session layer allows session establishment between processes running on
different stations.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

CISA review manual 2014 Page number 260

Question 231

Which of the following layers of the OSI model transmits and receives the bit stream as electrical, optical
or radio signals over an appropriate medium or carrier?

• Data Link Layer

• Physical Layer

• Transport Layer

• Network Layer

Correct Answer is: Physical Layer

Details:

The correct answer is: Physical layer

The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers.

For your exam you should know the following information about the OSI model:

The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and
standardizes the internal functions of a communication system by partitioning it into abstraction layers.
The model is a product of the Open Systems Interconnection project at the International Organization
for Standardization (ISO), maintained by the identification ISO/IEC 7498-1.

The model groups communication functions into seven logical layers. A layer serves the layer above it
and is served by the layer below it. For example, a layer that provides error-free communications across
a network provides the path needed by applications above it, while it calls the next lower layer to send
and receive packets that make up the contents of that path. Two instances at one layer are connected
by a horizontal connection at that layer.

Image source: http://www.petri.co.il/images/osi_model.JPG

PHYSICAL LAYER

The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception
of the unstructured raw bit stream over a physical medium. It describes the electrical/optical,
mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher
layers. It provides:

Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better
accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It
determines:

• What signal state represents a binary 1

• How the receiving station knows when a "bit-time" starts

• How the receiving station delimits a frame

DATA LINK LAYER

The data link layer provides error-free transfer of data frames from one node to another over the
physical layer, allowing layers above it to assume virtually error-free transmission over the link. To do
this, the data link layer provides:

• Link establishment and termination: establishes and terminates the logical link between two
nodes.

• Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are
available.

• Frame sequencing: transmits/receives frames sequentially.

• Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers
from errors that occur in the physical layer by retransmitting non-acknowledged frames and handling
duplicate frame receipt.

• Frame delimiting: creates and recognizes frame boundaries.

• Frame error checking: checks received frames for integrity.

• Media access management: determines when the node "has the right" to use the physical
medium.

NETWORK LAYER

The network layer controls the operation of the subnet, deciding which physical path the data should
take based on network conditions, priority of service, and other factors. It provides:

• Routing: routes frames among networks.

• Subnet traffic control: routers (network layer intermediate systems) can instruct a sending
station to "throttle back" its frame transmission when the router's buffer fills up.

• Frame fragmentation: if it determines that a downstream router's maximum transmission unit
(MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at
the destination station.

• Logical-physical address mapping: translates logical addresses, or names, into physical
addresses.

• Subnet usage accounting: has accounting functions to keep track of frames forwarded by
subnet intermediate systems, to produce billing information.

Communications Subnet

The network layer software must build headers so that the network layer software residing in the subnet
intermediate systems can recognize them and use them to route data to the destination address.

This layer relieves the upper layers of the need to know anything about the data transmission and
intermediate switching technologies used to connect systems. It establishes, maintains and terminates
connections across the intervening communications facility (one or several intermediate systems in the
communication subnet).

In the network layer and the layers below, peer protocols exist between a node and its immediate
neighbor, but the neighbor may be a node through which data is routed, not the destination station. The
source and destination stations may be separated by many intermediate systems.

TRANSPORT LAYER

The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or
duplications. It relieves the higher layer protocols from any concern with the transfer of data between
them and their peers.

The size and complexity of a transport protocol depends on the type of service it can get from the
network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is
required. If the network layer is unreliable and/or only supports datagrams, the transport protocol
should include extensive error detection and recovery.

The transport layer provides:

• Message segmentation: accepts a message from the (session) layer above it, splits the
message into smaller units (if not already small enough), and passes the smaller units down to the
network layer. The transport layer at the destination station reassembles the message.

• Message acknowledgment: provides reliable end-to-end message delivery with
acknowledgments.

• Message traffic control: tells the transmitting station to "back-off" when no message buffers
are available.

• Session multiplexing: multiplexes several message streams, or sessions onto one logical link
and keeps track of which messages belong to which sessions (see session layer).

Typically, the transport layer can accept relatively large messages, but there are strict message size
limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the
messages into smaller units, or frames, prepending a header to each frame.

The transport layer header information must then include control information, such as message start
and message end flags, to enable the transport layer on the other end to recognize message boundaries.
In addition, if the lower layers do not maintain sequence, the transport header must contain sequence
information to enable the transport layer on the receiving end to get the pieces back together in the
right order before handing the received message up to the layer above.
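The segmentation and reassembly described in the transport layer passages above (in the answers to Questions 230 and 231) can be shown with a small Python model. This block is an added illustration, not code from the study guide or the question bank; the header layout (2-byte sequence number, 1-byte flags, 2-byte payload length), the function names and the sample message are this example's own assumptions. The receiver restores order, drops duplicate frames, and rejects frames whose length field does not match what they carry.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed header layout for this example (not a standard transport header):
# 2-byte sequence number, 1-byte flags, 2-byte payload length, big-endian.
HEADER = struct.Struct("!HBH")
FLAG_START = 0x01  # message start flag
FLAG_END = 0x02    # message end flag


def segment(message: bytes, max_payload: int) -> List[bytes]:
    """Split a message into frames, prepending a header with sequence and flags."""
    if max_payload <= 0:
        raise ValueError("max_payload must be positive")
    chunks = [message[i:i + max_payload] for i in range(0, len(message), max_payload)]
    if not chunks:
        chunks = [b""]  # an empty message still needs one START|END frame
    frames = []
    for seq, chunk in enumerate(chunks):
        flags = (FLAG_START if seq == 0 else 0) | (FLAG_END if seq == len(chunks) - 1 else 0)
        frames.append(HEADER.pack(seq, flags, len(chunk)) + chunk)
    return frames


class Reassembler:
    """Receiving transport layer: restores order, drops duplicates, rejects bad frames."""

    def __init__(self) -> None:
        self.pieces: Dict[int, bytes] = {}
        self.last_seq: Optional[int] = None
        self.duplicates = 0
        self.rejected = 0

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Feed one frame; return the whole message once every piece is present."""
        if len(frame) < HEADER.size:
            self.rejected += 1
            return None
        seq, flags, length = HEADER.unpack_from(frame)
        payload = frame[HEADER.size:]
        # The length field must match the bytes actually carried, and only sequence 0
        # may carry the start flag: anything else is corrupt and is dropped, not trusted.
        if len(payload) != length or (seq == 0) != bool(flags & FLAG_START):
            self.rejected += 1
            return None
        if seq in self.pieces:  # the lower layers delivered the same frame twice
            self.duplicates += 1
            return None
        if flags & FLAG_END:
            self.last_seq = seq
            # Pieces stored beyond the announced end cannot belong to this message.
            stale = [s for s in self.pieces if s > seq]
            for s in stale:
                del self.pieces[s]
            self.rejected += len(stale)
        if self.last_seq is not None and seq > self.last_seq:
            self.rejected += 1
            return None
        self.pieces[seq] = payload
        if self.last_seq is not None and len(self.pieces) == self.last_seq + 1:
            message = b"".join(self.pieces[i] for i in range(self.last_seq + 1))
            self.pieces.clear()
            self.last_seq = None
            return message
        return None


def reassemble(frames: Iterable[bytes]) -> Tuple[Optional[bytes], int, int]:
    """Feed frames in network delivery order; return (message, duplicates, rejected)."""
    rx = Reassembler()
    message = None
    for frame in frames:
        result = rx.accept(frame)
        if result is not None:
            message = result
    return message, rx.duplicates, rx.rejected


if __name__ == "__main__":
    original = b"Transport layer: error-free, in sequence, no losses or duplications"
    frames = segment(original, 16)
    # Constructed delivery pattern: out of order, with frame 1 delivered twice.
    arrived = [frames[2], frames[0], frames[1], frames[3], frames[1], frames[4]]
    print(reassemble(arrived))
```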

End-to-end layers

Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport
layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned
with the details of the underlying communications facility. Transport layer software (and software above
it) on the source station carries on a conversation with similar software on the destination station by
using message headers and control messages.

SESSION LAYER

The session layer allows session establishment between processes running on different stations. It
provides:

• Session establishment, maintenance and termination: allows two application processes on
different machines to establish, use and terminate a connection, called a session.

• Session support: performs the functions that allow these processes to communicate over the
network, performing security, name recognition, logging, and so on.

PRESENTATION LAYER

The presentation layer formats the data to be presented to the application layer. It can be viewed as the
translator for the network. This layer may translate data from a format used by the application layer into
a common format at the sending station, then translate the common format to a format known to the
application layer at the receiving station.

The presentation layer provides:

• Character code translation: for example, ASCII to EBCDIC.

• Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.

• Data compression: reduces the number of bits that need to be transmitted on the network.

• Data encryption: encrypt data for security purposes. For example, password encryption.

APPLICATION LAYER

The application layer serves as the window for users and application processes to access network
services. This layer contains a variety of commonly needed functions:

• Resource sharing and device redirection

• Remote file access

• Remote printer access

• Inter-process communication

• Network management

• Directory services

• Electronic messaging (such as mail)

• Network virtual terminals

The following were incorrect answers:

• Transport layer - The transport layer ensures that messages are delivered error-free, in
sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern
with the transfer of data between them and their peers.

• Network layer - The network layer controls the operation of the subnet, deciding which physical
path the data should take based on network conditions, priority of service, and other factors.

• Data link layer - The data link layer provides error-free transfer of data frames from one node to
another over the physical layer, allowing layers above it to assume virtually error-free transmission over
the link.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12242

CISA review manual 2014 Page number 260

Question 232

In which of the following media access technologies are devices not allowed to send data over the
network until the device/station is in possession of a token?

• CSMA/CD

• Token ring

• CSMA/CA

• CSMA

Correct Answer is: Token ring

Details:

The correct answer is: Token ring

Token Ring Media Access Technology is a protocol which resides at the data link layer (DLL) of the OSI
model.

It uses a special three-byte frame called a token that travels around the ring.

Token-possession grants the possessor permission to transmit on the medium. Token ring frames travel
completely around the loop also called ring.

For the CISA exam you should know the following information about media access technologies:

Carrier Sense Multiple Access (CSMA)

Carrier sense multiple access (CSMA) is a probabilistic media access control (MAC) protocol in which a
node verifies the absence of other traffic before transmitting on a shared transmission medium, such as
an electrical bus, or a band of the electromagnetic spectrum.

Carrier sense means that a transmitter uses feedback from a receiver to determine whether another
transmission is in progress before initiating a transmission. That is, it tries to detect the presence of a
carrier wave from another station before attempting to transmit. If a carrier is sensed, the station waits
for the transmission in progress to finish before initiating its own transmission. In other words, CSMA is
based on the principle "sense before transmit" or "listen before talk".

Multiple access means that multiple stations send and receive on the medium. Transmissions by one
node are generally received by all other stations connected to the medium.

CSMA with Collision Detection (CSMA/CD)

Carrier Sense Multiple Access With Collision Detection (CSMA/CD) is a media access control method
used most notably in local area networking using early Ethernet technology. It uses a carrier sensing
scheme in which a transmitting data station detects other signals while transmitting a frame, and stops
transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying
to resend the frame.

CSMA/CD is a modification of pure carrier sense multiple access (CSMA). CSMA/CD is used to improve
CSMA performance by terminating transmission as soon as a collision is detected, thus shortening the
time required before a retry can be attempted.

Carrier sense multiple access with collision avoidance (CSMA/CA)

Carrier sense multiple access with collision avoidance (CSMA/CA), in computer networking, is a network
multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by
transmitting only when the channel is sensed to be "idle". When they do transmit, nodes transmit
their packet data in its entirety.

It is particularly important for wireless networks, where the collision detection of the alternative
CSMA/CD is unreliable due to the hidden node problem.

CSMA/CA is a protocol that operates in the Data Link Layer (Layer 2) of the OSI model.

Token Ring

Token ring local area network (LAN) technology is a protocol which resides at the data link layer (DLL) of
the OSI model. It uses a special three-byte frame called a token that travels around the ring. Token
possession grants the possessor permission to transmit on the medium. Token ring frames travel
completely around the loop.

Initially used only in IBM computers, it was eventually standardized with protocol IEEE 802.5.

The data transmission process goes as follows:

• Empty information frames are continuously circulated on the ring.

• When a computer has a message to send, it seizes the token. The computer will then be able to
send the frame.

• The frame is then examined by each successive workstation. The workstation that identifies
itself to be the destination for the message copies it from the frame and changes the token back to 0.

• When the frame gets back to the originator, it sees that the token has been changed to 0 and
that the message has been copied and received. It removes the message from the frame.

• The frame continues to circulate as an "empty" frame, ready to be taken by a workstation when
it has a message to send.

The token scheme can also be used with bus topology LANs.

Fiber Distributed Data Interface (FDDI)

Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards
Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission
speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also
provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data
traveling clockwise and is used for regular data transmission. The second ring transmits data in a
counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary
ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. Each node
on the FDDI network has relays that are connected to both rings, so if a break in the ring occurs, the two
rings can be joined.

The following were incorrect answers:

• CSMA - Carrier sense multiple access (CSMA) is a probabilistic media access control (MAC)
protocol in which a node verifies the absence of other traffic before transmitting on a shared
transmission medium, such as an electrical bus, or a band of the electromagnetic spectrum.

• CSMA/CD - Carrier sense means that a transmitter uses feedback from a receiver to determine
whether another transmission is in progress before initiating a transmission. That is, it tries to detect the
presence of a carrier wave from another station before attempting to transmit. If a carrier is sensed, the
station waits for the transmission in progress to finish before initiating its own transmission. In other
words, CSMA is based on the principle "sense before transmit" or "listen before talk".

• CSMA/CA - Carrier sense multiple access with collision avoidance (CSMA/CA), in computer
networking, is a network multiple access method in which carrier sensing is used, but nodes attempt to
avoid collisions by transmitting only when the channel is sensed to be "idle". When they do transmit,
nodes transmit their packet data in its entirety.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15214

CISA review manual 2014 Page number 262

Question 233

In which of the following media access technologies can a device not put data on the network wire
without possession of a token, and which provides fault tolerance by offering a second counter-rotating ring?

• CSMA/CD

• Token ring

• FDDI

• CSMA/CA

Correct Answer is: FDDI

Details:

The correct answer is: FDDI

Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards
Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission
speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also
provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data
traveling clockwise and is used for regular data transmission. The second ring transmits data in a
counterclockwise fashion and is invoked only if the primary ring goes down.

For the CISA exam you should know the following information about media access technologies:

Carrier Sense Multiple Access (CSMA)

Carrier sense multiple access (CSMA) is a probabilistic media access control (MAC) protocol in which a
node verifies the absence of other traffic before transmitting on a shared transmission medium, such as
an electrical bus, or a band of the electromagnetic spectrum.

Carrier sense means that a transmitter uses feedback from a receiver to determine whether another
transmission is in progress before initiating a transmission. That is, it tries to detect the presence of a
carrier wave from another station before attempting to transmit. If a carrier is sensed, the station waits
for the transmission in progress to finish before initiating its own transmission. In other words, CSMA is
based on the principle "sense before transmit" or "listen before talk".

Multiple access means that multiple stations send and receive on the medium. Transmissions by one
node are generally received by all other stations connected to the medium.

CSMA with Collision Detection (CSMA/CD)

Carrier Sense Multiple Access With Collision Detection (CSMA/CD) is a media access control method
used most notably in local area networking using early Ethernet technology. It uses a carrier sensing
scheme in which a transmitting data station detects other signals while transmitting a frame, and stops
transmitting that frame, transmits a jam signal, and then waits for a random time interval before trying
to resend the frame.

CSMA/CD is a modification of pure carrier sense multiple access (CSMA). CSMA/CD is used to improve
CSMA performance by terminating transmission as soon as a collision is detected, thus shortening the
time required before a retry can be attempted.

Image From http://www.hill2dot0.com/wiki/images/thumb/c/ce/G0167_CSMACD.jpg/200px-G0167_CSMACD.jpg

Carrier sense multiple access with collision avoidance (CSMA/CA)

Carrier sense multiple access with collision avoidance (CSMA/CA), in computer networking, is a network
multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by
transmitting only when the channel is sensed to be "idle". When they do transmit, nodes transmit
their packet data in its entirety.

It is particularly important for wireless networks, where the collision detection of the alternative
CSMA/CD is unreliable due to the hidden node problem.

CSMA/CA is a protocol that operates in the Data Link Layer (Layer 2) of the OSI model.

Image From http://www.hill2dot0.com/wiki/images/thumb/f/f4/G0169_CSMACA.jpg/100px-G0169_CSMACA.jpg

Token Ring

Token ring local area network (LAN) technology is a protocol which resides at the data link layer (DLL) of
the OSI model. It uses a special three-byte frame called a token that travels around the ring. Token
possession grants the possessor permission to transmit on the medium. Token ring frames travel
completely around the loop.

Initially used only in IBM computers, it was eventually standardized with protocol IEEE 802.5.

The data transmission process goes as follows:

• Empty information frames are continuously circulated on the ring.

• When a computer has a message to send, it seizes the token. The computer will then be able to
send the frame.

• The frame is then examined by each successive workstation. The workstation that identifies
itself to be the destination for the message copies it from the frame and changes the token back to 0.

• When the frame gets back to the originator, it sees that the token has been changed to 0 and
that the message has been copied and received. It removes the message from the frame.

• The frame continues to circulate as an "empty" frame, ready to be taken by a workstation when
it has a message to send.

The token scheme can also be used with bus topology LANs.
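The five steps above, as an added simulation that is not code from the study guide or from any token ring implementation: one frame circulates around a ring of stations, a station with data seizes the free token, the destination copies the message and resets the token to 0, and the originator removes the message when its frame comes back. Station names, the frame fields and the message text are constructed for illustration.

```python
"""Added example, not from the study guide: a small simulation of the token
ring transmission steps.  Station names, frame fields and messages are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    """The circulating frame.  token == 1 marks a frame carrying a message that
    has not yet been copied by its destination; token == 0 marks a free token
    or a frame whose message has already been received."""
    token: int = 0
    src: Optional[str] = None
    dst: Optional[str] = None
    payload: Optional[str] = None

    def is_empty(self):
        return self.payload is None


@dataclass
class Station:
    name: str
    outbox: list = field(default_factory=list)   # (destination, message) pairs to send
    inbox: list = field(default_factory=list)    # (source, message) pairs received

    def handle(self, frame, log):
        """Examine the frame as it passes this station and return what is sent on."""
        if not frame.is_empty():
            if frame.src == self.name and frame.token == 0:
                # Step 4: our frame came back with the token reset to 0, so the
                # message was copied; remove it and pass on an empty frame.
                log.append(f"{self.name}: message to {frame.dst} acknowledged, frame emptied")
                return Frame()
            if frame.dst == self.name and frame.token == 1:
                # Step 3: we are the destination; copy the message and reset the token.
                self.inbox.append((frame.src, frame.payload))
                frame.token = 0
                log.append(f"{self.name}: copied message from {frame.src}")
            # Any other station just forwards a busy frame; it cannot seize it,
            # which is why a token ring never has collisions.
            return frame
        if self.outbox:
            # Step 2: an empty frame arrives and we have data, so seize the token.
            dst, payload = self.outbox.pop(0)
            log.append(f"{self.name}: seized the token, sending to {dst}")
            return Frame(token=1, src=self.name, dst=dst, payload=payload)
        # Steps 1 and 5: nothing to send; the empty frame keeps circulating.
        return frame


def run_ring(stations, hops):
    """Pass one frame around the ring for the given number of station visits and
    return the event log.  Delivered messages end up in each station's inbox."""
    frame = Frame()
    log = []
    for hop in range(hops):
        frame = stations[hop % len(stations)].handle(frame, log)
    return log


if __name__ == "__main__":
    ring = [Station("A", outbox=[("C", "hello")]), Station("B", outbox=[("D", "world")]),
            Station("C"), Station("D")]
    for line in run_ring(ring, 12):
        print(line)
```

With two stations wanting to send at once, B finds the frame busy on its first turn and must wait until A's message has made the full trip and the token is free again, which is the ordering property the text attributes to token possession.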

Image From http://static.ddmcdn.com/gif/ethernet4.gif

Fiber Distributed Data Interface (FDDI)

Fiber Distributed Data Interface (FDDI) technology, developed by the American National Standards
Institute (ANSI), is a high-speed, token-passing, media access technology. FDDI has a data transmission
speed of up to 100 Mbps and is usually used as a backbone network using fiber-optic cabling. FDDI also
provides fault tolerance by offering a second counter-rotating fiber ring. The primary ring has data
traveling clockwise and is used for regular data transmission. The second ring transmits data in a
counterclockwise fashion and is invoked only if the primary ring goes down. Sensors watch the primary
ring and, if it goes down, invoke a ring wrap so the data will be diverted to the second ring. Each node
on the FDDI network has relays that are connected to both rings, so if a break in the ring occurs, the two
rings can be joined.

Image From http://www.mcmcse.com/glossary/images/fddi.jpg

The following were incorrect answers:

• CSMA/CD - Carrier sense means that a transmitter uses feedback from a receiver to determine
whether another transmission is in progress before initiating a transmission. That is, it tries to detect the
presence of a carrier wave from another station before attempting to transmit. If a carrier is sensed, the
station waits for the transmission in progress to finish before initiating its own transmission. In other
words, CSMA is based on the principle "sense before transmit" or "listen before talk".

• CSMA/CA - Carrier sense multiple access with collision avoidance (CSMA/CA) in computer
networking, is a network multiple access method in which carrier sensing is used, but nodes attempt to
avoid collisions by transmitting only when the channel is sensed to be "idle". When they do transmit,
nodes transmit their packet data in its entirety.

• Token Ring - Token ring local area network (LAN) technology is a protocol which resides at the
data link layer (DLL) of the OSI model. It uses a special three-byte frame called a token that travels
around the ring. Token possession grants the possessor permission to transmit on the medium. Token
ring frames travel completely around the loop.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15237

CISA review manual 2014 Page number 262

Question 234

Identify the network topology from the diagram presented below:

• Bus

• Mesh

• Ring

• Star

Correct Answer is: Star


Details:

The correct answer is: Star

The big question is: What does Network Topology mean?

Network topology refers to the physical or logical layout of a network. It defines the way different nodes
are placed and interconnected with each other. Alternately, network topology may describe how the
data is transferred between these nodes.

There are two types of network topologies: physical and logical.

Physical topology emphasizes the physical layout of the connected devices and nodes, while the logical
topology focuses on the pattern of data transfer between network nodes.

For your exam you should know the information below related to LAN topologies:

LAN Topologies

Network topology is the physical arrangement of the various elements (links, nodes, etc.) of a computer
network.

Essentially, it is the topological structure of a network, and may be depicted physically or logically.
Physical topology refers to the placement of the network's various components, including device
location and cable installation, while logical topology shows how data flows within a network, regardless
of its physical design.

Distances between nodes, physical interconnections, transmission rates, and/or signal types may differ
between two networks, yet their topologies may be identical.

Bus

In local area networks where bus topology is used, each node is connected to a single cable. Each
computer or server is connected to the single bus cable. A signal from the source travels in both
directions to all machines connected on the bus cable until it finds the intended recipient. If the machine
address does not match the intended address for the data, the machine ignores the data. Alternatively,
if the data matches the machine address, the data is accepted. Since the bus topology consists of only
one wire, it is rather inexpensive to implement when compared to other topologies. However, the low
cost of implementing the technology is offset by the high cost of managing the network. Additionally,
since only one cable is utilized, it can be the single point of failure. The network cable must be terminated
at both ends: without termination, data transfer stops, and if the cable breaks, the entire network
will be down.

Graphic from: http://www.technologyuk.net/telecommunications/networks/images/bus_topology.gif

Linear bus

The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has exactly two endpoints (this is the 'bus', which is also commonly referred
to as the backbone, or trunk). All data that is transmitted between nodes in the network is transmitted
over this common transmission medium and is able to be received by all nodes in the network
simultaneously.

Distributed bus

The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has more than two endpoints that are created by adding branches to the
main section of the transmission medium. The physical distributed bus topology functions in exactly the
same fashion as the physical linear bus topology (i.e., all nodes share a common transmission medium).

Star

In local area networks with a star topology, each network host is connected to a central point with a
point-to-point connection. In a star topology every node (computer workstation or any other peripheral)
is connected to a central node called a hub or switch.

The switch is the server and the peripherals are the clients. The network does not necessarily have to
resemble a star to be classified as a star network, but all of the nodes on the network must be
connected to one central device.

All traffic that traverses the network passes through the central point. The central point acts as a signal
repeater.

The star topology is considered the easiest topology to design and implement. An advantage of the star
topology is the simplicity of adding additional nodes. The primary disadvantage of the star topology is
that the central point represents a single point of failure.

Image from: http://fcit.usf.edu/network/chap5/pics/star.gif

Ring

A network topology that is set up in a circular fashion in which data travels around the ring in one
direction and each device on the ring acts as a repeater to keep the signal strong as it travels. Each
device incorporates a receiver for the incoming signal and a transmitter to send the data on to the next
device in the ring.

The network is dependent on the ability of the signal to travel around the ring. When a device sends
data, it must travel through each device on the ring until it reaches its destination. Every node is a
critical link. If one node goes down the whole link would be affected.

Image from: https://forrester-infosystems.wikispaces.com/

Mesh

The value of a fully meshed network is proportional to the exponent of the number of subscribers,
assuming that communicating groups of any two endpoints, up to and including all the endpoints, is
approximated by Reed's Law.

A mesh network provides for high availability and redundancy. However, the cost of such a network can
be very high if dozens of devices are in the mesh.

Image from: http://www.technologyuk.net/telecommunications/networks/images/mesh_topology.gif

Fully connected mesh topology

A fully connected network is a communication network in which each of the nodes is connected to each
other. In graph theory it is known as a complete graph. A fully connected network doesn't need to use
switching or broadcasting. However, its major disadvantage is that the number of connections grows
quadratically with the number of nodes, so it is extremely impractical for large networks. A two-node
network is technically a fully connected network.

Partially connected mesh topology

The type of network topology in which some of the nodes of the network are connected to more than
one other node in the network with a point-to-point link. This makes it possible to take advantage of
some of the redundancy that is provided by a physical fully connected mesh topology without the
expense and complexity required for a connection between every node in the network.

The following answers are incorrect:

The other options presented are not valid.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15082

http://www.bayt.com/en/specialties/q/29596/what-are-network-topologies/

CISA review manual 2014, Page number 262

Question 235

Identify the network topology from the diagram presented below:

• Bus

• Star

• Ring

• Mesh

Correct Answer is: Mesh

Details:

The correct answer is: Mesh

For your exam you should know the information below related to LAN topologies:

LAN Topologies

Network topology is the physical arrangement of the various elements (links, nodes, etc.) of a computer
network.

Essentially, it is the topological structure of a network, and may be depicted physically or logically.
Physical topology refers to the placement of the network's various components, including device
location and cable installation, while logical topology shows how data flows within a network, regardless
of its physical design.

Distances between nodes, physical interconnections, transmission rates, and/or signal types may differ
between two networks, yet their topologies may be identical.

Bus

In local area networks where bus topology is used, each node is connected to a single cable. Each
computer or server is connected to the single bus cable. A signal from the source travels in both
directions to all machines connected on the bus cable until it finds the intended recipient. If the machine
address does not match the intended address for the data, the machine ignores the data. Alternatively,
if the data matches the machine address, the data is accepted. Since the bus topology consists of only
one wire, it is rather inexpensive to implement when compared to other topologies. However, the low
cost of implementing the technology is offset by the high cost of managing the network. Additionally,
since only one cable is utilized, it can be the single point of failure. The network cable must be terminated
at both ends: without termination, data transfer stops, and if the cable breaks, the entire network
will be down.

Graphic from: http://www.technologyuk.net/telecommunications/networks/images/bus_topology.gif

Linear bus

The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has exactly two endpoints (this is the 'bus', which is also commonly referred
to as the backbone, or trunk). All data that is transmitted between nodes in the network is transmitted
over this common transmission medium and is able to be received by all nodes in the network
simultaneously.

Distributed bus

The type of network topology in which all of the nodes of the network are connected to a common
transmission medium which has more than two endpoints that are created by adding branches to the
main section of the transmission medium. The physical distributed bus topology functions in exactly the
same fashion as the physical linear bus topology (i.e., all nodes share a common transmission medium).

Star

In local area networks with a star topology, each network host is connected to a central point with a
point-to-point connection. In a star topology every node (computer workstation or any other peripheral)
is connected to a central node called a hub or switch.

The switch is the server and the peripherals are the clients. The network does not necessarily have to
resemble a star to be classified as a star network, but all of the nodes on the network must be
connected to one central device.

All traffic that traverses the network passes through the central point. The central point acts as a signal
repeater.

The star topology is considered the easiest topology to design and implement. An advantage of the star
topology is the simplicity of adding additional nodes. The primary disadvantage of the star topology is
that the central point represents a single point of failure.

Image from: http://fcit.usf.edu/network/chap5/pics/star.gif

Ring

A network topology that is set up in a circular fashion in which data travels around the ring in one
direction and each device on the ring acts as a repeater to keep the signal strong as it travels. Each
device incorporates a receiver for the incoming signal and a transmitter to send the data on to the next
device in the ring.

The network is dependent on the ability of the signal to travel around the ring. When a device sends
data, it must travel through each device on the ring until it reaches its destination. Every node is a
critical link. If one node goes down the whole link would be affected.

Image from: https://forrester-infosystems.wikispaces.com/

Mesh

The value of a fully meshed network is proportional to the exponent of the number of subscribers,
assuming that communicating groups of any two endpoints, up to and including all the endpoints, is
approximated by Reed's Law.

A mesh network provides for high availability and redundancy. However, the cost of such a network can
be very high if dozens of devices are in the mesh.

Image from: http://www.technologyuk.net/telecommunications/networks/images/mesh_topology.gif

Fully connected mesh topology

A fully connected network is a communication network in which each of the nodes is connected to each
other. In graph theory it is known as a complete graph. A fully connected network doesn't need to use
switching or broadcasting. However, its major disadvantage is that the number of connections grows
quadratically with the number of nodes, so it is extremely impractical for large networks. A two-node
network is technically a fully connected network.

Partially connected mesh topology

The type of network topology in which some of the nodes of the network are connected to more than
one other node in the network with a point-to-point link. This makes it possible to take advantage of
some of the redundancy that is provided by a physical fully connected mesh topology without the
expense and complexity required for a connection between every node in the network.

The following answers are incorrect:

The other options presented are not valid.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15082

CISA review manual 2014, Page number 262

Question 236

Which of the following devices in the Frame Relay WAN technology is a service provider device that does
the actual data transmission and switching in the frame relay cloud?

• DLE

• DME

• DCE

• DTE

Correct Answer is: DCE

Details:

The correct answer is: DCE


Data Circuit Terminal Equipment (DCE) is a service provider device that does the actual data
transmission and switching in the frame relay cloud.

For your exam you should know below information about WAN Technologies:

Point-to-point protocol

PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial
interface, typically a personal computer connected by phone line to a server. For example, your Internet
service provider may provide you with a PPP connection so that the provider's server can respond to
your requests, pass them on to the Internet, and forward your requested Internet responses back to
you. PPP uses the Internet protocol (IP) (and is designed to handle others). It is sometimes considered a
member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference
model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP
packets and forwards them to the server where they can actually be put on the Internet.

PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber
optic lines or satellite transmission. It uses a variation of High-Level Data Link Control (HDLC) for packet
encapsulation.

PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it
can handle synchronous as well as asynchronous communication. PPP can share a line with other users
and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.

X.25

• X.25 is an ITU-T standard protocol suite for packet switched wide area network (WAN)
communication.

• X.25 is a packet switching technology which uses carrier switches to provide connectivity for many
different networks.

• Subscribers are charged based on the amount of bandwidth they use. Data is divided into 128-byte
units and encapsulated in High Level Data Link Control (HDLC).

• X.25 works at the network and data link layers of the OSI model.


Frame Relay

• Works on packet switching

• Operates at the data link layer of the OSI model

• Companies that pay more to ensure that a higher level of bandwidth will always be available
pay for a committed information rate, or CIR

Two main types of equipment are used in Frame Relay:

1. Data Terminal Equipment (DTE) - Usually a customer-owned device that provides connectivity
between the company's own network and the frame relay network.

2. Data Circuit Terminal Equipment (DCE) - Service provider device that does the actual data
transmission and switching in the frame relay cloud.

The frame relay cloud is the collection of DCE that provides switching and data
communication functionality. Frame relay is an any-to-any service.

Integrated Service Digital Network

• Enables data, voice and other types of traffic to travel in a digital manner over a medium previously
used only for analog voice transmission.

• The same copper telephone wire is used.

• Provides a digital point-to-point circuit switching medium.


Asynchronous Transfer Mode (ATM)

• Uses the cell switching method

• High speed network technology used for LAN, MAN and WAN

• Like frame relay, it is a connection-oriented technology which creates and uses fixed channels

• Data is segmented into fixed-size cells of 53 bytes

• Some companies have replaced their FDDI back-end with ATM

Multiprotocol Label Switching (MPLS)

Multiprotocol Label Switching (MPLS) is a standards-approved technology for speeding up network
traffic flow and making it easier to manage. MPLS involves setting up a specific path for a given sequence
of packets, identified by a label put in each packet, thus saving the time needed for a router to look up
the address to the next node to forward the packet to. MPLS is called multiprotocol because it works
with the Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and frame relay network
protocols. With reference to the standard model for a network (the Open Systems Interconnection, or
OSI model), MPLS allows most packets to be forwarded at the Layer 2 (switching) level rather than at the
Layer 3 (routing) level. In addition to moving traffic faster overall, MPLS makes it easy to manage a
network for quality of service (QoS). For these reasons, the technique is expected to be readily adopted
as networks begin to carry more and different mixtures of traffic.

The following answers are incorrect:

• DTE - Data Terminal Equipment (DTE) is usually a customer-owned device that provides
connectivity between the company's own network and the frame relay network.

• DME – Not a valid frame relay device

• DLE – Not a valid frame relay device

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15486

CISA review manual 2014 page number 266

Question 237

An IS auditor or Information System Security Professional should know information about different
network transmission media. Which of the following transmission media is used for short distance
transmission?

• Satellite Radio Link

• HF Radio Link

• Fiber Optics

• Copper cable

Correct Answer is: Copper cable

Details:

The correct answer is: Copper Cable

Copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports
voice and data.

The keyword within the question is "media".


Network media is the actual path over which an electrical signal travels as it moves from one component
to another. The common types of network media include twisted-pair cable, coaxial cable, fiber-optic
cable, and wireless.

For your exam you should know below information about transmission media:

Copper Cable

Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports
voice and data.

Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in
the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an
electrical conductor.

Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power
generation, power transmission, power distribution, telecommunications, electronics circuitry, and
countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts.
Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all
copper mined is used to manufacture electrical wire and cable conductors.

A satellite radio link uses a transponder to send information and is easy to intercept.

The following answers are incorrect:

• Fiber optics - Fiber-optic cables are used for long distances, are hard to splice, are not vulnerable to
crosstalk and are difficult to tap. They support voice, data, image and video.

• HF Radio Link - Invalid choice

• Satellite Radio Link - A satellite radio link uses a transponder to send information and is easy to tap.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 15402

CISA review manual 2014 page number 265

https://www.google.com/search?q=what+is+network+media&ie=utf-8&oe=utf-8

Question 238

Which of the following transmission media uses a transponder to send information?

• Copper cable

• Coaxial cable

• Satellite Radio Link

• Fiber Optics

Correct Answer is: Satellite Radio Link

Details:

The correct answer is: Satellite Radio Link

A satellite radio link uses a transponder to send information and is easy to intercept.

For your exam you should know below information about transmission media:

Copper Cable

Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports
voice and data.

Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in
the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an
electrical conductor.

Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power
generation, power transmission, power distribution, telecommunications, electronics circuitry, and
countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts.
Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all
copper mined is used to manufacture electrical wire and cable conductors.

Coaxial cable

Coaxial cable, or coax (pronounced 'ko.aks), is a type of cable that has an inner conductor surrounded by
a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an
insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield
sharing a geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver
Heaviside, who patented the design in 1880. Coaxial cable differs from other shielded cable used for
carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are
controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as
a radio frequency transmission line.

Coaxial cable is expensive and does not support many LANs. It supports data and video.

Fiber optics

An optical fiber cable is a cable containing one or more optical fibers that are used to carry light. The
optical fiber elements are typically individually coated with plastic layers and contained in a protective
tube suitable for the environment where the cable will be deployed. Different types of cable are used
for different applications, for example long distance telecommunication, or providing a high-speed data
connection between different parts of a building.

Fiber optics are used for long distances, are hard to splice, are not vulnerable to crosstalk and are difficult
to tap. They support voice, data, image and video.

Microwave radio system

Microwave transmission refers to the technology of transmitting information or energy by the use of
radio waves whose wavelengths are conveniently measured in small numbers of centimetre; these are
called microwaves.

Microwaves are widely used for point-to-point communications because their small wavelength allows
conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the
receiving antenna. This allows nearby microwave equipment to use the same frequencies without
interfering with each other, as lower frequency radio waves do. Another advantage is that the high
frequency of microwaves gives the microwave band a very large information-carrying capacity; the
microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A
disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or
mountains as lower frequency radio waves can.

Microwave radio transmission is commonly used in point-to-point communication systems on the
surface of the Earth, in satellite communications, and in deep space radio communications. Other parts
of the microwave radio band are used for radars, radio navigation systems, sensor systems, and radio
astronomy.

Microwave radio systems carry voice and data signals and are cheap and easy to tap.

Satellite Radio Link

Satellite radio is a radio service broadcast from satellites primarily to cars, with the signal broadcast
nationwide, across a much wider geographical area than terrestrial radio stations. It is available by
subscription, mostly commercial free, and offers subscribers more stations and a wider variety of
programming options than terrestrial radio.

A satellite radio link uses a transponder to send information and is easy to intercept.

Radio System

Radio systems are used for short distances, are cheap and are easy to intercept.

Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free
space.

Information, such as sound, is carried by systematically changing (modulating) some property of the
radiated waves, such as their amplitude, frequency, phase, or pulse width. When radio waves strike an
electrical conductor, the oscillating fields induce an alternating current in the conductor. The
information in the waves can be extracted and transformed back into its original form.

The following answers are incorrect:

• Copper Cable - Copper cable is very simple to install and easy to tap. It is used mostly for short
distances and supports voice and data.

• Fiber optics - Fiber-optic cables are used for long distances, are hard to splice, are not vulnerable to
crosstalk and are difficult to tap. They support voice, data, image and video.

• Coaxial cable - Coaxial cable is expensive and does not support many LANs. It supports data
and video.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press)

CISA review manual 2014 page number 265

Question 239

Which of the following transmission media is LEAST vulnerable to cross talk?

• Fiber Optics

• Copper cable

• Satellite Radio Link

• Coaxial cable

Correct Answer is: Fiber Optics

Details:

The correct answer is: Fiber Optics

Fiber-optic cables are used for long distances, are hard to splice, are not vulnerable to crosstalk and are
difficult to tap. They support voice, data, image and video.

For your exam you should know below information about transmission media:

Copper Cable

Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports
voice and data.

Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in
the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an
electrical conductor.

Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power
generation, power transmission, power distribution, telecommunications, electronics circuitry, and
countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts.
Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all
copper mined is used to manufacture electrical wire and cable conductors.

Coaxial cable

Coaxial cable, or coax (pronounced 'ko.aks), is a type of cable that has an inner conductor surrounded by
a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an
insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield
sharing a geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver
Heaviside, who patented the design in 1880. Coaxial cable differs from other shielded cable used for
carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are
controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as
a radio frequency transmission line.

Coaxial cable is expensive and does not support many LANs. It supports data and video.

Fiber optics

An optical fiber cable is a cable containing one or more optical fibers that are used to carry light. The
optical fiber elements are typically individually coated with plastic layers and contained in a protective
tube suitable for the environment where the cable will be deployed. Different types of cable are used
for different applications, for example long distance telecommunication, or providing a high-speed data
connection between different parts of a building.

Fiber optics are used for long distances, are hard to splice, are not vulnerable to crosstalk and are
difficult to tap. They support voice, data, image and video.

Microwave radio system

Microwave transmission refers to the technology of transmitting information or energy by the use of
radio waves whose wavelengths are conveniently measured in small numbers of centimetre; these are
called microwaves.

Microwaves are widely used for point-to-point communications because their small wavelength allows
conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the
receiving antenna. This allows nearby microwave equipment to use the same frequencies without
interfering with each other, as lower frequency radio waves do. Another advantage is that the high
frequency of microwaves gives the microwave band a very large information-carrying capacity; the
microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A
disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or
mountains as lower frequency radio waves can.

Microwave radio transmission is commonly used in point-to-point communication systems on the


surface of the Earth, in satellite communications, and in deep space radio communications. Other parts
of the microwave radio band are used for radars, radio navigation systems, sensor systems, and radio
astronomy.

Microwave radio systems are carriers for voice and data signals; they are cheap and easy to intercept.

Satellite Radio Link

Satellite radio is a radio service broadcast from satellites primarily to cars, with the signal broadcast
nationwide, across a much wider geographical area than terrestrial radio stations. It is available by
subscription, mostly commercial free, and offers subscribers more stations and a wider variety of
programming options than terrestrial radio.

A satellite radio link uses a transponder to send information and is easy to intercept.

Radio System

Radio systems are used for short distances; they are cheap and easy to tap.

Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free
space.

Information, such as sound, is carried by systematically changing (modulating) some property of the
radiated waves, such as their amplitude, frequency, phase, or pulse width. When radio waves strike an
electrical conductor, the oscillating fields induce an alternating current in the conductor. The
information in the waves can be extracted and transformed back into its original form.

The following answers are incorrect:

• Copper Cable - Copper cable is very simple to install and easy to tap. It is used mostly for short
distances and supports voice and data.

• Satellite Radio Link - A satellite radio link uses a transponder to send information and is easy to tap.

• Coaxial cable - Coaxial cable is expensive and does not support many LANs. It supports data
and video.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14488

CISA review manual 2014 page number 265

Question 240

Which of the following is the INCORRECT Layer to Protocol mapping used in the DOD TCP/IP model?

• Network Access layer - Ethernet

• Internet layer – IP

• Transport layer – ICMP

• Application layer – Telnet

Correct Answer is: Transport layer – ICMP

Details:

The correct answer is: Transport layer – ICMP

The keyword INCORRECT is used within the question. You need to find out the incorrect Layer to
Protocol mapping.

The ICMP protocol works at Internet layer of the DoD TCP/IP model, not at the Transport Layer.

For your exam you should know the following information about the TCP/IP model:

Layer 4. Application Layer

The Application layer is the topmost layer of the four-layer TCP/IP model. It sits on top of the
Transport layer and defines the TCP/IP application protocols and how host programs interface with
Transport layer services to use the network.

The Application layer includes all the higher-level protocols, such as DNS (Domain Name System), HTTP
(Hypertext Transfer Protocol), Telnet, SSH, FTP (File Transfer Protocol), TFTP (Trivial File Transfer
Protocol), SNMP (Simple Network Management Protocol), SMTP (Simple Mail Transfer Protocol), DHCP
(Dynamic Host Configuration Protocol), X Windows, RDP (Remote Desktop Protocol) etc.

Layer 3. Transport Layer

The Transport layer is the third layer of the four-layer TCP/IP model. It sits between the Application
layer and the Internet layer. The purpose of the Transport layer is to permit devices on the source and
destination hosts to carry on a conversation; it defines the level of service and the status of the
connection used when transporting data.

The main protocols included at Transport layer are TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol).

Layer 2. Internet Layer

The Internet layer is the second layer of the four-layer TCP/IP model. It sits between the Network
Access layer and the Transport layer. The Internet layer packs data into packets known as IP datagrams,
which contain source and destination address (logical address or IP address) information that is used to
forward the datagrams between hosts and across networks. The Internet layer is also responsible for
routing IP datagrams.

A packet-switched network depends on a connectionless internetwork layer; in TCP/IP this is the
Internet layer. Its job is to allow hosts to insert packets into any network and have them delivered
independently to the destination. At the destination, packets may arrive in a different order than they
were sent. It is the job of the higher layers to put them back in order before delivering them to the
proper network applications operating at the Application layer.

The main protocols included at the Internet layer are IP (Internet Protocol), ICMP (Internet Control
Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and
IGMP (Internet Group Management Protocol).

Layer 1. Network Access Layer

The Network Access layer is the first layer of the four-layer TCP/IP model. It defines the details of how
data is physically sent through the network, including how bits are electrically or optically signaled by
hardware devices that interface directly with a network medium, such as coaxial cable, optical fiber, or
twisted-pair copper wire.

The protocols included in the Network Access layer are Ethernet, Token Ring, FDDI, X.25, Frame Relay etc.

The most popular LAN architecture among those listed above is Ethernet. When Ethernet operates on a
shared medium it uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision
Detection) to access the medium. An access method determines how a host will place data on the
medium.

In the CSMA/CD access method, every host has equal access to the medium and can place data on the
wire when the wire is free of network traffic. When a host wants to place data on the wire, it first checks
whether another host is already using the medium. If there is traffic on the medium, the host waits; if
there is no traffic, it places its data on the medium. But if two systems place data on the medium at the
same instant, the transmissions collide with each other, destroying the data. Data destroyed during
transmission must be retransmitted: after a collision, each host waits for a small interval of time and
then retransmits.
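The CSMA/CD procedure just described (sense the wire, transmit when it is idle, back off and retry after a collision), as a small slotted simulation added here; it is not code from the question source. The host names, frame length in slots and seed are constructed; the 16-attempt limit and the doubling backoff window follow the truncated binary exponential backoff used by IEEE 802.3 Ethernet.

```python
"""Slotted simulation of CSMA/CD on one shared Ethernet segment (constructed example)."""
import random
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    pending: int          # frames still waiting to be sent
    ready_at: int = 0     # earliest slot at which this host may try again (its backoff)
    attempts: int = 0     # collisions suffered by the frame at the head of its queue
    sent: int = 0


class SharedSegment:
    """One collision domain: every host senses every transmission, so hosts that
    start in the same slot detect the collision and all back off."""

    MAX_ATTEMPTS = 16     # IEEE 802.3 gives up on a frame after 16 attempts
    MAX_EXPONENT = 10     # the backoff window stops growing at 2**10 slots

    def __init__(self, hosts, frame_slots=4, seed=0):
        self.hosts = hosts
        self.frame_slots = frame_slots   # constructed: slots the medium stays busy per frame
        self.rng = random.Random(seed)   # seeded so a run is reproducible
        self.collisions = 0
        self.dropped = 0
        self.events = []                 # (slot, "sent" | "collision", host names)

    def run(self, max_slots=100_000):
        slot = 0
        while any(h.pending for h in self.hosts) and slot < max_slots:
            # Carrier sense: a host transmits only if it has a frame and its backoff has expired.
            ready = [h for h in self.hosts if h.pending and h.ready_at <= slot]
            if not ready:
                slot += 1
                continue
            if len(ready) == 1:
                # The medium is free and only one host wants it: the frame goes out intact.
                h = ready[0]
                h.pending -= 1
                h.sent += 1
                h.attempts = 0
                self.events.append((slot, "sent", (h.name,)))
                # Other hosts sense the carrier and wait until this frame has finished.
                slot += self.frame_slots
                continue
            # Collision detection: several hosts started transmitting in the same slot.
            self.collisions += 1
            self.events.append((slot, "collision", tuple(h.name for h in ready)))
            for h in ready:
                h.attempts += 1
                if h.attempts > self.MAX_ATTEMPTS:
                    h.pending -= 1           # give up on this frame
                    h.attempts = 0
                    self.dropped += 1
                    continue
                # Truncated binary exponential backoff: wait a random number of slots
                # drawn from 0 .. 2**k - 1, where k grows with each collision.
                k = min(h.attempts, self.MAX_EXPONENT)
                h.ready_at = slot + 1 + self.rng.randint(0, 2 ** k - 1)
            slot += 1
        return slot


def simulate(n_hosts=3, frames_each=2, seed=7):
    """Run a small segment; return (frames delivered, collisions, frames dropped, events)."""
    hosts = [Host(name=f"host{i}", pending=frames_each) for i in range(n_hosts)]
    seg = SharedSegment(hosts, seed=seed)
    seg.run()
    return sum(h.sent for h in hosts), seg.collisions, seg.dropped, seg.events


if __name__ == "__main__":
    delivered, collisions, dropped, events = simulate()
    for slot, kind, names in events:
        print(f"slot {slot:4d}: {kind:9s} {', '.join(names)}")
    print(f"delivered={delivered} collisions={collisions} dropped={dropped}")
```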

Protocol Data Unit (PDU) :


The following answers are incorrect:

The other options correctly describe the Layer to Protocol mapping of the DoD TCP/IP model protocols.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12241

CISA review manual 2014 page number 272

Question 241

Which of the following is the protocol data unit (PDU) of application layer in TCP/IP model?

• Packet

• Frame

• Segment

• Data

Correct Answer is: Data

Details:

The correct answer is: Data

Application layer's PDU is data.

For your exam you should know the information about the TCP/IP model given under Question 240
above (not repeated here).

Protocol Data Unit (PDU) :

The following answers are incorrect:

• Segment – Transport layer PDU

• Packet – Network interface layer PDU

• Frame/bit – LAN or WAN interface layer PDU


The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249

CISA review manual 2014 page number 272

Question 242

Which of the following is protocol data unit (PDU) of transport layer in TCP/IP model?

• Frame

• Data

• Packet

• Segment

Correct Answer is: Segment

Details:

The correct answer is: Segment

For your exam you should know the information about the TCP/IP model given under Question 240
above (not repeated here).

Protocol Data Unit (PDU) :

The following answers are incorrect:

• Data – Application layer PDU

• Packet – Network interface layer PDU

• Frame/bit – LAN or WAN interface layer PDU

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249

CISA review manual 2014 page number 272

Question 243

Which of the following is protocol data unit (PDU) of network layer in OSI model?

• Data

• Frame

• Segment

• Packet

Correct Answer is: Packet

Details:

The correct answer is: Packet

For your exam you should know the information about the TCP/IP model given under Question 240
above (not repeated here).

Protocol Data Unit (PDU) within the OSI model - Notice the names are different:

The following answers are incorrect:

• Data – Application layer PDU

• Segment – Transport layer PDU

• Frame/bit – Internet layer PDU

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249

CISA review manual 2014 page number 272


Question 244

Which of the following is the INCORRECT "layer - protocol data unit (PDU)" mapping within the DOD
TCP model?

• Transport layer – Segment

• Internet layer – Frame

• Network Access Layer – bits

• Application layer – Data

Correct Answer is: Internet layer – Frame

Details:

The correct answer is: Internet Layer – Frame

The word INCORRECT is the keyword used in the question. You need to find out the incorrect layer-PDU
mapping from the given options.

The correct mapping is Internet layer – Packet.

The Network Access layer creates frames.

For your exam you should know the information about the TCP/IP model given under Question 240
above (not repeated here).

Protocol Data Unit (PDU) :

The following answers are incorrect:

The other options correctly describe the layer-PDU mapping in the TCP/IP model.

The following reference(s) was/were used to create this question:


Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 12249

CISA review manual 2014 page number 272

Question 245

Which of the following answers is a threat to data in transit?

• HTTPS, SSL or TLS

• S/MIME

• Social Engineering

• Sniffing

Correct Answer is: Sniffing

Details:

The correct answer is: Sniffing

When we need to send data from one location to another, the networks over which the data travels
are not always trusted. Data can be subjected to sniffing or eavesdropping, where attackers capture
data in transit.

It is possible to do so using various commonly available tools such as network sniffers, packet loggers,
Ethernet taps and many other technologies.

Data in transit, if sensitive, must be secured using encryption technologies that protect the data no
matter which type of network it crosses.

TLS and SSL, for instance, use asymmetric cryptography to encrypt the data so that even if it is sniffed
from a network it is useless to the attacker unless they can obtain a copy of the encryption key used to
secure the SSL/TLS session.

The following answers are incorrect:

- S/MIME: This answer is incorrect because S/MIME is a secure method of encrypting electronic mail for
transit over untrusted networks. It relies on PKI (Public Key Infrastructure) for key management and
protects data in transit.

- Social Engineering: This is the wrong answer because data in transit is not generally affected by social
engineering. Once data is passing over a network, social engineering does not make it any easier to
obtain. Social engineering is when a human is tricked by another human into divulging information or
making it accessible to the attacker.

- HTTPS, SSL or TLS: This isn't the correct answer because those technologies secure data in transit using
encryption. HTTPS isn't a secure protocol in itself; rather, it is the use of HTTP in combination with
TLS/SSL.

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14827

Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide
Authorized Courseware: Exam CAS-001 (p. 205-206). Wiley. Kindle Edition.

Question 246

Which of the following terms related to network performance refers to the delay that a packet may
experience on its way from the source to the destination?

• Jitter

• Bandwidth

• Latency

• Throughput

Correct Answer is: Latency

Details:

The correct answer is: Latency

Latency is the delay between the sender transmitting information and the receiver decoding it; it is
mainly a function of the signal's travel time and the processing time at any nodes the information
traverses.

In a network, latency, a synonym for delay, is an expression of how much time it takes for a packet of
data to get from one designated point to another. In some usages (for example, AT&T), latency is
measured by sending a packet that is returned to the sender, and the round-trip time is considered the
latency.

The latency assumption seems to be that data should be transmitted instantly between one point and
another (that is, with no delay at all). The contributors to network latency include:

• Propagation: This is simply the time it takes for a packet to travel between one place and
another at the speed of light.

• Transmission: The medium itself (whether optical fiber, wireless, or some other) introduces
some delay. The size of the packet introduces delay in a round trip since a larger packet will take longer
to receive and return than a short one.

• Router and other processing: Each gateway node takes time to examine and possibly change the
header in a packet (for example, changing the hop count in the time-to-live field).

• Other computer and storage delays: Within networks at each end of the journey, a packet may
be subject to storage and hard disk access delays at intermediate devices such as switches and bridges.
(In backbone statistics, however, this kind of latency is probably not considered.)

For your exam you should know below information about Network performance:

Network performance refers to the measurement of the service quality of a telecommunications product
as seen by the customer.

The following list gives examples of network performance measures for a circuit-switched network and
one type of packet-switched network (ATM):

Circuit-switched networks: In circuit-switched networks, network performance is synonymous with the
grade of service. The number of rejected calls is a measure of how well the network is performing under
heavy traffic loads. Other types of performance measures can include noise, echo and so on.

ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate,
quality of service (QoS), data throughput, connect time, stability, technology, modulation technique and
modem enhancements.

There are many different ways to measure the performance of a network, as each network is different in
nature and design. Performance can also be modelled instead of measured; one example of this is using
state transition diagrams to model queuing performance in a circuit-switched network. These diagrams
allow the network planner to analyze how the network will perform in each state, ensuring that the
network will be optimally designed.

The following measures are often considered important:

• Bandwidth - Bandwidth, commonly measured in bits/second, is the maximum rate at which information can be transferred

• Throughput - Throughput is the actual rate that information is transferred

• Latency - Latency is the delay between the sender transmitting the information and the receiver decoding it; this is mainly a function of the signal's travel time and the processing time at any nodes the information traverses

• Jitter - Jitter is the variation in the time of arrival at the receiver of the information

• Error Rate - Error rate is the number of corrupted bits expressed as a percentage or fraction of the total sent

The following answers are incorrect:

• Bandwidth - Bandwidth, commonly measured in bits/second, is the maximum rate at which information can be transferred

• Throughput - Throughput is the actual rate that information is transferred

• Jitter - Jitter is the variation in the time of arrival at the receiver of the information

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 14445

CISA review manual 2014 page number 275


Question 247

Which of the following terms related to network performance refers to the variation in the time of arrival
of packets at the receiver of the information?

• Bandwidth

• Latency

• Throughput

• Jitter

Correct Answer is: Jitter

Details:

The correct answer is: Jitter

Simply said, the variation in packet inter-arrival time at the destination is called jitter. Jitter is a
specific issue that normally exists in packet-switched networks, and for ordinary data traffic this
phenomenon usually does not cause any communication problems, because TCP/IP is responsible for
dealing with the impact of jitter on the communication.

On the other hand, in a VoIP network environment, or more generally in any larger environment today
where we use IP phones on our network, jitter can be a bigger problem. When someone is sending VoIP
traffic at a regular interval (let's say one frame every 10 ms), those packets can get stuck somewhere
inside the packet network and fail to arrive at the destination station at the expected regular pace.
That is what the jitter phenomenon is all about, so we can say that the difference between the tempo at
which packets are expected and the tempo at which they are actually received is jitter.

Image from: http://howdoesinternetwork.com/wp-content/uploads/2013/05/jitter.gif

In the image above, you can notice that the interval at which packets are sent is not the same as the
interval at which they arrive on the receiver side. One of the packets encounters some delay on its way
and is received a little later than expected. This is where jitter buffers enter the story: they hold
received packets briefly and release them at a steady pace, so that modest delay variation is smoothed
out before playback. VoIP packets in networks have very variable inter-arrival intervals because they are
usually smaller than normal data packets and are therefore more numerous, with a bigger chance of
picking up some delay along the way.
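As an added illustration of the jitter explanation above (example code, not part of the original question bank or its references), the following Python block takes a constructed set of send and receive timestamps for packets sent every 10 ms, computes the per-packet variation in transit time and the smoothed interarrival jitter estimator that RTP receivers report (RFC 3550 section 6.4.1), and then shows how many packets a fixed-depth jitter buffer of a given size would still play out late. The timestamps, the nominal 10 ms interval and the buffer depths are assumptions chosen for the example.

```python
# Constructed sample: five VoIP-style packets sent every 10 ms (timestamps in ms).
# The third packet is held up for an extra 3 ms somewhere in the network.
SEND_MS = [0, 10, 20, 30, 40]
RECV_MS = [50, 60, 73, 80, 90]


def transit_times(send_ms, recv_ms):
    """One-way transit time per packet (receive timestamp minus send timestamp)."""
    return [r - s for s, r in zip(send_ms, recv_ms)]


def interarrival_deviation(send_ms, recv_ms):
    """Per-packet jitter D(i-1, i) as defined in RFC 3550 section 6.4.1:
    the change in transit time between consecutive packets.
    A value of 0 means the packet kept the sender's pace."""
    t = transit_times(send_ms, recv_ms)
    return [t[i] - t[i - 1] for i in range(1, len(t))]


def rfc3550_jitter(send_ms, recv_ms):
    """Smoothed interarrival jitter J = J + (|D| - J) / 16, the running
    estimator that RTP receivers carry in RTCP receiver reports."""
    j = 0.0
    for d in interarrival_deviation(send_ms, recv_ms):
        j += (abs(d) - j) / 16
    return j


def late_packets(send_ms, recv_ms, buffer_ms):
    """Count packets that miss their playout deadline when a jitter buffer
    delays playout by buffer_ms beyond the fastest observed transit time.
    Assumes a fixed-depth buffer; adaptive buffers are not modelled."""
    t = transit_times(send_ms, recv_ms)
    deadline = min(t) + buffer_ms
    return sum(1 for x in t if x > deadline)


if __name__ == "__main__":
    print("transit (ms):", transit_times(SEND_MS, RECV_MS))
    print("D(i-1,i):    ", interarrival_deviation(SEND_MS, RECV_MS))
    print("RFC 3550 J:   %.4f ms" % rfc3550_jitter(SEND_MS, RECV_MS))
    for depth in (2, 5):
        print(f"{depth} ms buffer -> late packets: {late_packets(SEND_MS, RECV_MS, depth)}")
```

With the constructed timestamps the transit times are 50, 50, 53, 50 and 50 ms, so only the delayed packet produces a non-zero deviation; a 2 ms buffer still drops it as late, while a 5 ms buffer absorbs it, which is the trade-off between added playout delay and smoothness that the jitter buffer discussion above describes.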

For your exam you should know the following information about network performance:

Network performance refers to measurement of service quality of a telecommunications product as seen by the customer.

The following list gives examples of network performance measures for a circuit-switched network and
one type of packet-switched network (ATM):

Circuit-switched networks: In circuit switched networks, network performance is synonymous with the
grade of service. The number of rejected calls is a measure of how well the network is performing under
heavy traffic loads. Other types of performance measures can include noise, echo and so on.

ATM: In an Asynchronous Transfer Mode (ATM) network, performance can be measured by line rate,
quality of service (QoS), data throughput, connect time, stability, technology, modulation technique and
modem enhancements.

There are many different ways to measure the performance of a network, as each network is different in
nature and design. Performance can also be modelled instead of measured; one example of this is using
state transition diagrams to model queuing performance in a circuit-switched network. These diagrams
allow the network planner to analyze how the network will perform in each state, ensuring that the
network will be optimally designed.

The following measures are often considered important:

• Bandwidth - Bandwidth, commonly measured in bits/second, is the maximum rate at which information can be transferred

• Throughput - Throughput is the actual rate that information is transferred

• Latency - Latency is the delay between the sender transmitting the information and the receiver decoding it; this is mainly a function of the signal's travel time and the processing time at any nodes the information traverses

• Jitter - Jitter is the variation in the time of arrival at the receiver of the information

• Error Rate - Error rate is the number of corrupted bits expressed as a percentage or fraction of the total sent

The following answers are incorrect:

• Bandwidth - Bandwidth, commonly measured in bits/second, is the maximum rate at which information can be transferred

• Throughput - Throughput is the actual rate that information is transferred

• Latency - Latency is the delay between the sender transmitting the information and the receiver decoding it; this is mainly a function of the signal's travel time and the processing time at any nodes the information traverses

The following reference(s) was/were used to create this question:

Official (ISC)2 Guide to the CISSP CBK, Fourth Edition ((ISC)2 Press) kindle location 13366

CISA review manual 2014 page number 275

and

http://howdoesinternetwork.com/2013/jitter

Question 248

A forensic investigation in a cloud computing environment involves at least which two entities?

• The Cloud Service Provider and Cloud Customer

• Legal Advisor and External Assistance

• Incident Handler and Cloud Customer

• The investigator and Cloud Service Provider representative

Correct Answer is: The Cloud Service Provider and Cloud Customer

Details:

The correct answer is: The Cloud Service Provider and Cloud Customer

Discussion: Cloud Computing forensic investigations are unique and somewhat different from traditional
network investigations due to the unique nature of Cloud Computing.

The two parties that are always involved in a Cloud Computing forensic investigation are at least the CSP
(Cloud Service Provider) and the Cloud Customer.

Apart from these two, other roles in the Cloud Enterprise would be Investigators, IT Professionals,
Incident Handlers and Legal Advisors.

The following answers are incorrect:

- The investigator and Cloud Service Provider representative: These aren't two primary parties in a Cloud
Computing forensic investigation so this isn't the right answer.

- Incident Handler and Cloud Customer: These two aren't generally involved in a forensic investigation so
this also isn't the correct answer.

- Legal Advisor and External Assistance: The CSP and Cloud Customer are the two who would be involved
in a Cloud forensic investigation so this answer isn't correct.

The following reference(s) was used to create this question:

Official (ISC)2 Guide to the CCFP CBK ((ISC)2 Press) (p. 262). CRC Press. Kindle Edition.

Question 249

Which answer describes an IPv4 conversation between host A at 10.5.1.10 and Host B at 10.5.1.20?

• Unicast address

• Broadcast address

• Desiccant address

• Multicast address

Correct Answer is: Unicast address


Details:

The correct answer is: Unicast

Discussion: Computers talking to each other are considered unicast traffic because it's one to another.
There are other types explained in the incorrect answer section but they're all manners we use to talk to
one or multiple computers.

The following answers are incorrect:

- Multicast address: This isn't correct because multicast addresses use the range 224.0.0.0 to 239.255.255.255.
Multicast addresses are used to send traffic to multiple computers in one stream of data, a bit like a
television program.

- Broadcast address: This isn't a right answer because broadcast addresses have all ones in the host
portion, which for a typical /24 network means a 255 in the rightmost octet. Broadcast addresses are used
when we want to send traffic to all computers on a network. Try this: open a command shell and ping your
local subnet's broadcast address, then check your ARP cache (arp -a) and view all the hosts which are now
in your ARP cache. Not all hosts reply to ping packets sent to the broadcast address, but you should see a
few hosts in there.

- Desiccant address: Technically, this is a hygroscopic substance used as a drying agent, but that's not
really related to IPv4 networking, so this isn't the right answer. (Don't forget to never eat those
desiccant packets that come in things we buy.)
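To make the unicast / multicast / broadcast distinction above concrete, here is an added Python example (not part of the original question or its reference) that classifies an IPv4 destination address relative to the sender's own subnet using the standard-library ipaddress module. It goes slightly beyond the explanation above in one respect: a directed broadcast address is whatever address has all ones in the host bits for the sender's mask, so it only ends in 255 when the mask is /24 or shorter, and the example shows a /25 case as well. The subnet 10.5.1.0/24 for host A and the sample destinations are assumptions constructed for the example.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_ipv4(address, network):
    """Classify an IPv4 destination address relative to the sender's subnet.

    Returns one of: 'limited broadcast', 'multicast', 'directed broadcast',
    'network address', 'unicast'. The network argument is the sender's own
    subnet in CIDR form (constructed for this example, e.g. '10.5.1.0/24').
    """
    addr = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network(network, strict=True)

    if addr == LIMITED_BROADCAST:
        return "limited broadcast"          # every host on the local link
    if addr.is_multicast:                   # 224.0.0.0/4, i.e. 224.x.x.x to 239.x.x.x
        return "multicast"
    if addr in net and net.prefixlen < 31:  # /31 and /32 have no broadcast address
        if addr == net.broadcast_address:   # host bits all ones for this mask
            return "directed broadcast"
        if addr == net.network_address:     # host bits all zeros
            return "network address"
    return "unicast"                        # one sender to one receiver


def describe_conversation(src, dst, network):
    """Summarise a src -> dst exchange in one line, as the question does."""
    return f"{src} -> {dst}: {classify_ipv4(dst, network)}"


if __name__ == "__main__":
    # Constructed examples; 10.5.1.0/24 is assumed as host A's subnet.
    for dst in ("10.5.1.20", "10.5.1.255", "239.1.1.1", "255.255.255.255"):
        print(describe_conversation("10.5.1.10", dst, "10.5.1.0/24"))
    # With a /25 mask the directed broadcast address does not end in 255:
    print(describe_conversation("10.5.1.10", "10.5.1.127", "10.5.1.0/25"))
```

The question's pair (10.5.1.10 to 10.5.1.20) comes out as unicast because the destination is neither a multicast group nor the all-ones host address of the subnet; changing only the mask to /25 makes 10.5.1.127 the directed broadcast address instead.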

The following reference(s) was used to create this question:

Lammle, Todd. CCNA Routing and Switching Study Guide: Exams 100-101, 200-101, and 200-120 (p. 328,
491). Wiley. Hardback Edition.

Question 250

Which of the following protocols is the odd man out?

• ICMP

• ARP

• NNTP

• IGMP

Correct Answer is: NNTP

Details:

The correct answer is: NNTP

The Network News Transfer Protocol (NNTP) is an application protocol used for transporting Usenet
news articles (netnews) between news servers and for reading and posting articles by end user client
applications.

NNTP is associated with port number 119. The other three options, ICMP, IGMP and ARP, are not
associated with any port number and belong to layers 2 and 3.

The following answers are incorrect:

IGMP: The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts
and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral
part of IP multicast.

ICMP: The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol
suite. It is used by network devices, like routers, to send error messages and operational information
indicating, for example, that a requested service is not available or that a host or router could not be
reached.

ARP: The Address Resolution Protocol (ARP) is a protocol used by the Internet Protocol (IP) [RFC826],
specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.
The protocol operates below the network layer as a part of the interface between the OSI network and
OSI link layers.
