| Front | Back | ||
| Which of the following is an advantage of WPA over WEP?
|
WPA improves upon WEP by using dynamic keys for encryption and a stronger method of encryption. Both WPA and WEP are for wireless network security, so the biggest advantage of WPA over WEP is improved security.
Chapter 8 | ||
| You need to secure your wireless network. Which security protocols could you implement? (Select two)
|
WEP, WPA and WPA2 are all security protocols for wireless networks. Each security protocol protects the wireless data through the use of association keys and encryption protocols.
Chapter 8
| ||
| Which of the following measures will make your wireless network invisible to the casual attacker performing war driving?
|
Wireless access points are transceivers which transmit and receive information on a wireless network. Each access point has a service set ID (SSID) which identifies the wireless network. By default, access points broadcast the SSID to announce their presence and make it easy for clients to find and connect to the wireless network. Turn off the SSID broadcast to keep a wireless 802.11x network from being automatically discovered. When SSID broadcasting is turned off, users must know the SSID to connect to the wireless network. This helps to prevent casual attackers from connecting to the network, but any serious hacker with the right tools can still connect to the wireless network.
Chapter 8 | ||
| Which of the following are typically used for encrypting data? (Select two)
|
TKIP and AES are used for encrypting data. TKIP is used with WPA wireless standards, while AES is used with WPA2 and other encryption applications.
ElGamal and Diffie-Hellman are asymmetric encryption methods. They are both used for key exchange and digital signatures. MD-5 is a hashing algorithm.
Chapter 8 | ||
| On a wireless network that is employing WEP, which type of users are allowed to authenticate through the access points?
|
On a wireless network that is employing WEP (Wired Equivalent Privacy), only users with the correct WEP key are allowed to authenticate through the WAP (Wireless Application Protocol) access points. That is the whole point of WEP: to prevent unauthorized users by employing a wireless session key for access.
Chapter 8 | ||
| You have a small wireless network that uses multiple access points. The network uses WPA and broadcasts the SSID. WPA2 is not supported by the wireless access points. You want to connect a laptop computer to the wireless network. Which of the following parameters will you need to configure on the laptop? (Select two)
|
To connect to the wireless network using WPA, you will need to use a preshared key and TKIP encryption. When using a preshared key with WPA, it is known as WPA-PSK or WPA Personal.
AES encryption is used by WPA2. The channel is automatically detected by the client. The Basic Service Set Identifier (BSSID) is a 48-bit value that identifies an AP in an infrastructure network or a STA in an ad hoc network. The client automatically reads this and uses it to keep track of APs when roaming between cells.
Chapter 8 | ||
| You need to place a wireless access point in your two-story building. While trying to avoid interference, which of the following is the best location for the access point?
|
In general, place access points higher up to avoid interference problems caused by going through building foundations. Do not place the access point next to sources of interference such as other wireless transmitting devices (cordless phones or microwaves) or other sources of interference (motors or generators).
Chapter 8 | ||
| What is the least secure place to locate the access point when creating a wireless cell?
|
The least secure location for a wireless cell access point is against a perimeter wall, so placement near a window would be the worst option of those listed.
Chapter 8 | ||
| Which of the following recommendations should you follow when placing access points to provide wireless access for users within your company building?
|
When placing wireless access points:
Chapter 8 | ||
| You need to configure a wireless network. You want to use WPA Enterprise. Which of the following components will be part of your design? (Select two)
|
Answer: TKIP encryption, 802.1x. To configure WPA Enterprise, you will need a RADIUS server to support 802.1x authentication. WPA uses TKIP for encryption. WPA-PSK, also called WPA Personal, uses preshared keys for authentication. WPA2 supports AES encryption.
Chapter 8 | ||
| You need to add security for your wireless network. You would like to use the most secure method. Which method should you implement?
|
Wi-Fi Protected Access 2 (WPA2) is currently the most secure wireless security specification. WPA2 includes specifications for both encryption and authentication.
WPA was an earlier implementation of security specified by the 802.11i committee. WEP was the original security method for wireless networks. WPA is more secure than WEP, but less secure than WPA2.
Kerberos is an authentication method, not a wireless security method.
Chapter 8
| ||
| You have physically added a wireless access point to your network and installed a wireless networking card in two laptops running Windows XP. Neither laptop can find the network and you have come to the conclusion that you must manually configure the wireless access point (AP). Which of the following values uniquely identifies the network AP?
|
The SSID (service set identifier) identifies the wireless network. All PCs and access points in a LAN share the same SSID.
Chapter 8 | ||
| RADIUS is primarily used for what purpose?
|
RADIUS (Remote Authentication Dial-In User Service) is primarily used for pre-authenticating remote clients before access to the network is granted. RADIUS is based on RFC 2865. RADIUS maintains client profiles in a centralized database. RADIUS offloads the authentication burden for dial-in users from the normal authentication of local network clients.
| ||
| Which of the following is a characteristic of TACACS+?
|
TACACS+:
Chapter 9_3.7 | ||
| Which of the following protocols can be used to centralize remote access authentication?
|
Centralized remote access authentication protocols include:
Chapter 9 | ||
| You have a network with 3 remote access servers, a RADIUS server used for authentication and authorization, and a second RADIUS server used for accounting. Where should you configure remote access policies?
|
Remote access policies are used for authorization for remote access clients. For larger deployments with multiple remote access servers, you can centralize the administration of remote access policies by using an AAA server (authentication, authorization, and accounting). Configure remote access policies on the AAA server that is used for authorization.
Chapter 9 | ||
| Which ports does LDAP use by default? (Select two)
|
LDAP (Lightweight Directory Access Protocol) uses ports 389 and 636 by default.
Port 636 is used for LDAP over SSL. This is the secure form or mode of LDAP. Unsecured LDAP uses port 389.
Port 69 is used by TFTP. Port 110 is used by POP3. Port 161 is used by SNMP.
Chapter 9 | ||
| A user has just authenticated using Kerberos. What object is issued to the user immediately following logon?
|
Kerberos works as follows:
Chapter 9 | ||
| Which of the following are used when implementing Kerberos for authentication and authorization? (Select two)
|
Kerberos grants tickets (also called a security token) to authenticated users and to authorized resources. A ticket granting server (TGS) grants tickets that are valid for specific resources on specific servers. Kerberos requires that all servers within the process have synchronized clocks to validate tickets, so a centralized time server or other method for time synchronization is required.
Chapter 9 | ||
| Your LDAP directory services solution uses simple authentication. What should you always do when using simple authentication?
|
Protect LDAP simple authentication by using SSL to protect authentication traffic. LDAP simple authentication uses clear text for username and password exchange. While you can protect authentication using SASL, this requires changing the authentication mode of LDAP from simple to SASL. When using SASL, you can use a wide range of solutions such as TLS, Kerberos, IPSec, or certificates.
Chapter 9 | ||
| Which of the following are requirements to deploy Kerberos on a network? (Select two)
|
Kerberos requires that there be a centralized database of users and passwords and time synchronization. The user database is usually maintained on the KDC itself or on a separate pre-authentication server system. Time synchronization is required to stamp a consistent expiration date within the Ticket Granting Ticket (TGT).
Chapter 9 | ||
| When using Kerberos authentication, which of the following terms is used to describe the token that verifies the identity of the user to the target system?
|
The tokens used in Kerberos authentication are known as tickets. These tickets perform a number of functions, including notifying the network service of the user who has been granted access, and authenticating the identity of the person when they attempt to use the network service.
Chapter 9 | ||
| You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose?
|
Choose SASL (Simple Authentication & Security Layer) authentication mode to use Kerberos with LDAP. SASL is extensible and lets you use a wide variety of protection methods. LDAP authentication modes include Anonymous, Simple, and SASL. EAP is an extensible authentication protocol for remote access, not LDAP.
Chapter 9 | ||
| You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port would this use?
|
To use SSL for LDAP authentication, use port 636.
Port 80 is used for HTTP, while port 443 is used for HTTPS (HTTP with SSL). Simple LDAP authentication uses port 389.
Chapter 9 | ||
| Which of the following protocols uses port 88?
|
Kerberos uses port 88. TACACS uses port 49. LDAP uses TCP and UDP port 389. Secure LDAP uses SSL/TLS over port 636. L2TP uses port 1701. PPTP uses port 1723.
Chapter 9 | ||
| Which of the following protocols uses ports 389 and 636?
|
LDAP uses TCP and UDP port 389. Secure LDAP uses SSL/TLS over port 636.
Chapter 9 | ||
| In what form of access control environment is access controlled by rules rather than by identity?
|
A MAC environment controls access based on rules rather than by identity. DAC environments use identity to control access. ACLs are a specific example of an identity-based access control mechanism used in DAC environments. Most client-server environments use ACLs and thus use DAC solutions.
Chapter 9_1.1 | ||
| You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?
|
This is an example of a discretionary access control list (DACL) which uses the Discretionary Access Control (DAC) model. With DAC, individuals use their own discretion (decisions or preferences) for assigning permissions and allowing or denying access.
Chapter 9_1.1 | ||
| Which access control model manages rights and permissions based on job descriptions and responsibilities?
|
Role Based Access Control (RBAC) is the access control model that manages rights and permissions based on job descriptions. RBAC focuses on job descriptions or work tasks, instead of employing user accounts to define access. RBAC is best suited for environments that have a high rate of employee turnover. By defining access based on roles rather than individuals, it simplifies administration when granting a new person access to common activities.
Chapter 9_1.1 | ||
| Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?
|
DAC (Discretionary Access Control) uses identities to control resource access. Users can make their own decisions about the access to grant to other users. RBAC (job descriptions), MAC (classifications), and TBAC (work tasks) enforce security based on rules.
Chapter 9_1.1 | ||
| What does the MAC method use to control access?
|
Mandatory Access Control (MAC) is based on sensitivity labels (a.k.a. classifications or clearance levels). A sensitivity label is a descriptive tag that indicates how important, valuable, volatile, or classified a resource is. Common sensitivity labels in a military computing environment are Top Secret, Secret, Classified, and Sensitive but Unclassified. Common sensitivity labels in a private sector computing environment include Proprietary, Confidential, Private, and Public.
Chapter 9_1.1 | ||
| Which type of access control focuses on assigning privileges based on security clearance and data sensitivity?
|
MAC (Mandatory Access Control) uses classifications to assign privileges based on security clearances and data sensitivity. RBAC (Role-based Access Control) is a form of access control that assigns privileges based on job descriptions. New users are simply assigned a job label. TBAC (Task-based Access Control) defines individual work tasks to assign privileges. In DAC (Discretionary Access Control), an administrator or owner defines user and resource access.
Chapter 9_1.1 | ||
| Which of the following defines an object as used in access control?
|
Objects are the data, applications, systems, networks and physical space. Subjects are the users, applications, or processes that need access to objects. The access control system includes the policies, procedures, and technologies that are implemented to control a subject's access to an object.
Chapter 9_1.1 | ||
| Which of the following principles is implemented in a mandatory access control model to determine access to an object using classification levels?
|
Need to know is used with mandatory access control environments to implement granular control over access to segmented classified data. Separation of duties is the security principle that states no single user is granted sufficient privileges to compromise the security of an entire environment. Clearance is the subject classification label that grants a user access to a specific security domain in a MAC environment. Ownership is the access right in a DAC environment where a user has complete control over an object, usually because they created it.
Chapter 9_1.1 | ||
| The router access control list uses information in a packet such as the destination IP address and port number to make allow or deny forwarding decisions. This is an example of which kind of access control model?
|
Rule-based access control (RBAC) uses characteristics of objects or subjects, along with rules, to restrict access. Access control entries identify a set of characteristics that will be examined for a match. If all characteristics match, access is either allowed or denied based on the rule. An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet (such as IP address or port number).
Chapter 9_1.1 | ||
| You have implemented an access control method that allows only users who are managers to access specific data. Which type of access control model is used?
|
Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security access level. Users are made members of a role, and receive the permissions assigned to the role. Mandatory Access Control (MAC) uses labels for both subjects (users who need access) and objects (resources with controlled access). When a subject's clearance lines up with an object's classification, and when the user has a need to know (referred to as a category), the user is granted access. Discretionary Access Control (DAC) assigns access directly to subjects based on the discretion (or decision) of the owner. Objects have a discretionary access control list (DACL) with entries for each subject. Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object.
Chapter 9_1.1 | ||
| For users who are members of the Sales team, you want to force their computers to use a specific desktop background and remove access to administrative tools from the Start menu. Which solution should you use?
|
Use Group Policy to control the desktop for groups of users or computers. For example, you can prevent access to specific desktop or Start Menu features. Account policies are specific Group Policy settings that control user passwords. Account restrictions are settings applied in the user account that restrict logon hours or computers. Use file screens to control the types of files that can be saved within a folder.
Chapter 9_1.4 | ||
| You have multiple users who are computer administrators. You want each administrator to be able to shut down systems and install drivers. What should you do? (Select two)
|
Answer: D & E
Create a security group for the users and grant the group the necessary user rights. On a Microsoft system, a user right is a privilege or action that can be taken on the system, such as logging on, shutting down the system, backing up the system, or modifying the system date and time. Permissions apply to objects (files, folders, printers, etc.), while user rights apply to the entire system (computer). A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups: distribution and security groups. Only security groups can be used for controlling access to objects. As manager roles change, add or remove user accounts from the group.
Chapter 9_1.4 | ||
| You want to give all managers the ability to view and edit a certain file. To do so, you need to edit the discretionary access control list (DACL) associated with the file. You want to be able to easily add and remove managers as their job positions change. What is the best way to accomplish this?
|
Answer: B
Create a security group for the users and add the group to the DACL. A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups: distribution and security groups. Only security groups can be used for controlling access to objects. As manager roles change, add or remove user accounts from the group. Assigning permissions to a group grants those same permissions to all members of the group. Adding individual user accounts instead of groups to the ACL would require more work as you add or remove managers.
Chapter 9_1.4 | ||
| What security mechanism uses a unique list for each object embedded directly in the object itself that defines which subjects have access to certain objects and the level or type of access allowed?
|
A user ACL (Access Control List) is a security mechanism that defines which subjects have access to certain objects and the level or type of access allowed. This security mechanism is unique for each object and is embedded directly in the object itself.
Chapter 9_1.4 | ||
| You have two folders that contain documents used by various departments:
No other permission has been given to either group. User Mark Tillman needs to have the Read permission to the Design folder and the Write permission to the Products folder. You want to use groups as much as possible. What should you do?
|
Answer: C
Make Mark a member of the Sales group to give him the Write permission to the Products folder. Add Mark's user account to the ACL for the Design folder and grant the Read permission. Adding Mark as a member of the Development group would give him too much permission (Write) to the Design folder. Adding Mark to the ACL for both folders would not use groups where possible.
Chapter 9_1.4 | ||
| Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make this user account a member of the Managers group which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
|
Answer: A
On a Microsoft system, the access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs on again and a new access token is created. Use NTFS and share permissions, not Group Policy, to control access to files. In addition, Group Policy is periodically refreshed, with new settings being applied on a regular basis.
Chapter 9_1.4 | ||
| Which of the following terms describes the component that is generated following authentication and which is used to gain access to resources following logon?
|
When a security principal logs on, an access token is generated. The access token is used for controlling access to resources.
Chapter 9_1.4 | ||
| Which of the following protocols can be used to centralize remote access authentication?
|
Centralized remote access authentication protocols include: Remote Authentication & Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS).
Chapter 9_3.7
| ||
| You have a network with 3 remote access servers, a RADIUS server used for authentication and authorization, and a second RADIUS server used for accounting. Where should you configure remote access policies?
|
Remote access policies are used for authorization for remote access clients. For larger deployments with multiple remote access servers, you can centralize the administration of remote access policies by using an AAA server (authentication, authorization, and accounting server). Configure remote access policies on the AAA server that is used for authorization.
Chapter 9_3.7 | ||
| Which of the following authentication methods uses tickets to provide single sign-on?
|
Kerberos grants tickets (also called a security token) to authenticated users and to authorized resources. Kerberos uses the following components:
Chapter 9_3.7 | ||
| Which of the following are differences between RADIUS and TACACS+?
|
Answer: C
TACACS+ provides three protocols, one each for authentication, authorization and accounting. This allows each service to be provided by a different server. In addition:
Chapter 9_3.7 | ||
| Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access?
|
Both RADIUS and TACACS+ are protocols used for centralized authentication, authorization, and accounting used with remote access. Remote access clients send authentication credentials to remote access servers. Remote access servers are configured as clients to the RADIUS or TACACS+ server and forward the authentication credentials to the servers. The servers maintain a database of users and policies that control access for multiple remote access servers.
Chapter 9_3.7 | ||
| Which of the following are characteristics of TACACS+? (Select two)
|
TACACS+ was originally developed by Cisco for centralized remote access administration. TACACS+:
Chapter 9_3.7 | ||
| You have decided to implement a remote access solution that uses multiple remote access servers. You want to implement RADIUS to centralize remote access authentication and authorization. Which of the following would be a required part of your configuration?
|
When configuring a RADIUS solution, configure a single server as a RADIUS server. Then configure all remote access servers as RADIUS clients. Certificate-based authentication can be used with a RADIUS solution, but is not a requirement.
| ||