Braindumps for "SC0-502" Exam

Security Certified Program (SCP)

Question 1.
You finish the work you were doing in the morning, and head out to the monthly meeting. During this meeting, the Vice President of Strategic Partner Relations informs the group of some news, "we have decided that we need to implement a new web site that is for our strategic partners only. This site will be used for various purposes, but will primarily be used as a means of information exchange."

"So, is this going to be a private site?" asks Orange.

"Absolutely. We will not want any public users on this website. It's just for the people we identify in our Strategic Partner Program. I need those of you in security to be sure that this site is secure."

"We can take care of that. How many people do you think will be accessing the site?" asks Orange.

"Not too many, perhaps around fifty."

"So, is it correct to assume that you know each of these fifty people?"

"Yes, that is correct."

"OK, well this should not be too hard. We'll get working on this right away."
The meeting ends, and you and Orange chat more about the web site issue.

"Well, we know that only around fifty people are going to access the site, and we know who these fifty are. This should not cause too many problems," Orange says.

"I agree. Do you think it will be all right to spend any money outside of the site itself?" you ask.

"Since we are dealing with so few people, that shouldn't be a problem. However, we cannot go overboard. Go ahead and write up a plan for this and get it back to me in a day or two."

Based on your knowledge of ITCertKeys, choose the best solution to the web site security issue.

A. You decide to use existing security technology of digital certificates and SSL to secure the site.  
    You first install a new IIS server that will be the host of the web site. You then connect to the 
    ITCertKeys CA for the executive building and request a new certificate for the web site.
    You then configure the web site to Require a Secure Channel (SSL) and install the certificate.  
    Once you install the new certificate, you connect from the new server to the CA in each office  
    where one or more of the fifty people that require access works. At that CA, you install the CA's 
    certificate, so that the new server will trust the certificates that each CA issues.
    Next, you return to the configuration of the new web site. To make the site more secure, you  
     require client certificates, and enable mappings for each user account. You call each user and  
     ensure that they have a certificate from their own CA, which the new server now trusts. You 
     walk them through the process of connecting to the site, and verify that secure access to them 
     has been granted.
B. You decide to use digital certificates on smart cards to secure the web site. You will first install  
    a new IIS web server to host the site. You then connect to the CA_SERVER and request a new 
    certificate for the server. The server certificate will be used for authentication, and you have the 
    certificate issued and stored on a portable USB drive.
    You then configure a machine to function as the enrollment machine for smart cards. You are  
    going to manage the smart cards yourself. At the machine that you are going to use for the  
    smart cards, you first configure the system with an enrollment agent certificate from the 
    CA_SERVER, and then you install the driver for the smart card reader.
    Once the driver is installed, you make certificate requests for each of the fifty users. You start  
    with the first user, by logging in to the CA and selecting the option to Request A Certificate For  
    A Smart Card On Behalf Of Another User Using The Smart Card Enrollment Station radio  
    button. You then select the Smartcard User template, and enter the user's name. When  
    prompted, you put a blank smart card in the reader and press the Enroll button, followed by 
    entering the default PIN.
    Once you have created all fifty smart cards, you continue with the configuration of the web site.  
    You configure the site to Require Secure Channel (SSL) and configure the site's certificate  
    from the USB drive. You then configure the site to require the user to have certificates as well, 
    enabling mapping for the specific users of this site.
    You then test access to the site from a remote machine using the smart card and PIN to be 
    authenticated to the site. Once the test is complete, you write a short how to file and send it 
    along with the smart card, smart card reader, and driver to each of the fifty users. You follow 
    up with each user upon receipt to walk them through the configuration.
C. You decide that you will use digital certificates to secure the web site. You will first install a 
    new private CA that the remote users can connect to and request their certificates. This CA 
    will be protected with a very strong password. Each user will be given a user account to 
    access the CA, also protected with a strong password.
    Next, you install the new private web server. You then connect to the new CA and make a 
    request for a certificate for the web site. Once you receive the certificate, you configure the 
    web site to use the certificate to Require a Secure Channel (SSL). You then select the option 
    to require client certificates, and you enable mapping for each user account.
    Finally, you will call each person and instruct them on the process of connecting to the CA and 
    requesting their certificate, which you will instruct them to store on their local machine. Once  
    they have their certificate, you have them test access to the site, and when successful you 
    move on to the next person.
D. You decide to use strong authentication via biometrics, specifically fingerprint scanning to 
     secure the web site. You will first install a new IIS web server to host the site. You then 
     configure fifty user accounts for the remote users, and assign those accounts very strong 
     passwords.
     You then ship one biometric mouse and software to each remote client. You call each user 
     and walk them through the process of configuration of their equipment. First, you tell them to 
     create a matching user account with the same user name and very strong password as you 
     used on the IIS server. You then have them install the software, which you instruct them to 
     configure so that the biometric will be linked to the user account.
    Once the software is installed, you instruct them to connect the mouse to their system and load 
     the appropriate driver. With the driver installed, you tell them how to load the program and 
     enroll their fingerprint. Once they have their fingerprint enrolled, and it is matched to their user 
     account, you let them know that their side of the configuration is complete, and that you will  
     call them shortly to finish the process.
     You return to the configuration of the IIS server. In the Security properties of the website, you  
     select the Advanced authentication tab. On the Advanced tab, you check the box for mapping 
     user accounts to external biometric devices, and you check the box to allow the remote 
     machine to control the mapping. You finish the configuration by configuring the site to use 
     128-bit RSA to encrypt the data between the client and the server.
     With the server configuration done, you call the client back and have them log in using their 
     biometric mouse. Once logged in, you instruct them to connect to the website and verify the 
     secure site is running.
E. You decide that you will use freely available PGP certificates to secure access to the website.  
     You will first install a new IIS web server to host the site. You then configure one user 
     account, with a strong password. You map this account as the only account that has access to 
     the website.
     You then log on locally, as this user account, to the server and create a public/private key pair.  
     From that account you then send an outgoing email to all fifty users with the account's private 
     key. You finish the configuration of the website by making changes in the Security properties     
     of the website.
     In the Security properties, you select the Advanced tab. On the Advanced tab, you check the 
     box to map this account to a local digital certificate, and you select the new certificate you just  
     created.
     Next, you contact each remote user and instruct them to open the email from you. You have  
     them store the key they receive in their personal certificate store. To verify the install is  
     correct, you walk them through the process of viewing their certificates in the MMC. Once 
     verified, you have the user connect to the website, and enter the location of their certificate 
     when asked for authentication credentials.

Answer: B

Question 2.
You got the router configured just as you wish, and it is time to get the team together for a meeting. You have the advantage of knowing several of these people for quite some time through your contracting, but this will be your first full meeting with them.

The next day, you sit down with the CEO, HR Director, and other management people in ITCertKeys. You wish for the meeting to be as short as possible, so in this initial meeting, you open with a short summary and project what you feel is a serious problem with the company.

"Thanks for coming. I will try to keep this as brief as possible. As you all know, Purple was let go under difficult circumstances, and for the last week I have been working non-stop to get the network and security under control here. Very good progress has been made, but we are missing a fundamental component. There is no security policy here at ITCertKeys." To this, you see some heads nod in agreement, others have no reaction whatsoever, and a few people let out disappointed sighs.

"I agree that we need a security policy," adds the HR Director, "as long as it doesn't become too restrictive."

"Policies are only used to document the posture of the organization, and to provide some guidance in the direction of the network and, in this case, the security of the network," you add. "Without a written policy, how is any employee supposed to know what is acceptable, what is not acceptable, and so on?"

"Our employees have common sense, we do not want the company to become overly regulated," says a middle manager who you have not spoken with before.

"Common sense is great; the more the employees have, the easier it is to implement the policies. But, there is no guarantee for the human element. A simple review of what just took place with Purple is a quick reminder of this." With that comment, the middle manager relaxed a bit, and hesitantly agreed.

"So, what I would like to do is to lead the development of the policy here, and work with each of you to get it implemented. In the next few days, I will be requesting a bit of your time, so we can talk one on one about your needs and issues surrounding the policy."

The next week, you meet with the management team, and you have a list of questions for them, designed to help you in drafting the security policy. You have decided to break up the creation of the policy into pieces, spending shorter blocks of time on the policy. This allows the management to be able to keep most of their days open for running the company.

During the meeting, you focus solely on the Acceptable Use statement for the users of the network. You ask the following questions to the group, and the consensus answer (after taking your suggestions into account) is listed after each question. 

1. Are users allowed to share user accounts? No.
2. Are users allowed to install software without approval? No. Approval must come through you, or the current Chief Security Officer (CSO).
3. Are users allowed to copy software for archive or other purpose? No, archives can only be made by the network administration staff.
4. Are users allowed to read and/or copy files that they do not own, but have access to? Yes.
5. Are users allowed to make copies of any operating system files (such as the Windows directory or the SAM file)? No.
6. Are users allowed to modify files they do not own, but for which they have write abilities? Yes, if they have write abilities, they are allowed to modify the file.

Using the provided information from the meeting, you draft the Acceptable Use Statement. The statement reads as follows:

This Acceptable Use Statement document covers ITCertKeys networks, computers, and computing resources. Network, computer, and computing resources are defined as physical personal computers, server systems, routers, switches, and network cabling. Also included in the definition are software (media) elements such as floppy disks, CD-ROMs (including writeable and re-writeable), DVD-ROMs, and tape backup systems. A user is defined as the individual account with authorization to access ITCertKeys resources. All users of the ITCertKeys network are expected to conduct themselves in a respectful and legal manner.

* The ITCertKeys general computing systems are unclassified systems. As such, top-level secret information is not to be processed or stored on any general unclassified computer system.

* Individual users are responsible for the proper storage of their personal data on their workstations. For assistance on proper storage, users are instructed to contact the Security staff of ITCertKeys.

* In the event that a user has identified a security breach, weakness, or system misuse in an ITCertKeys system, they are required to contact the on-duty Security staff immediately. Users are to use a completed ITCertKeys-TPS Report for their notice to the Security staff. Initial contact with the Security staff about the incident might be conducted via email or telephone.

* Individual users are not granted access to systems and resources they have not been given explicit authority to access. In the event access to a resource is required, and access has not been granted, the user is to make a request to the on-duty Security staff.

* Individual users shall not make unauthorized copies of copyrighted software, except as permitted by law or by the owner of the copyright.

* Individual users are not permitted to make copies of system configuration files for their own, unauthorized personal use or to provide to other people or users for unauthorized uses.

* Individual users are not permitted to share, loan, or otherwise allow access to an ITCertKeys resource via the user's assigned account.

* Individual users are not permitted to engage in any online or offline activity with the intent to harass other users; degrade the performance of any ITCertKeys system or resource; impede the ability of an authorized user to access an authorized resource; or attempt to gain access to an unauthorized resource.

* Electronic mail resources are for authorized use only. Messages that might be deemed fraudulent, harassing, or obscene shall not be sent from, to, or stored on ITCertKeys systems.

* Individual users are not permitted to download, install, or run any unauthorized programs or utilities, including those which reveal weaknesses in the security of a system. This includes, but is not limited to network sniffing tools and password cracking utilities.

Users who are found to be in violation of this policy will be reported to the on-duty Security staff and the ITCertKeys CEO. The CEO will determine if the violation will result in the loss of ITCertKeys network privileges. In the event the violation warrants, the CEO may press civil or criminal charges against the user.

I have read and understand the ITCertKeys Acceptable Use Statement, and agree to abide by it.

With this information, and your knowledge of ITCertKeys, choose the answer that will provide the best solution for implementing the Acceptable Use statement policy needs of ITCertKeys:

A. Once the meeting ends, you make the changes that were discussed during the meeting. They 
    are not too extensive, but you make them and present the document to the team again on  
    Friday. Now that you have made the changes, the policy is accepted, and the discussion 
    moves towards getting every employee to sign and agree to the policy.
    "Well, it's Friday afternoon. Everyone needs their paychecks today," comments the HR
    director.
    "Good point, let's just print out 100 of these, and tell everyone to sign them in order to get their
    check," agrees one of the managers.
    After some discussion, it is agreed that this will be the fastest way to get all the employees to  
    sign the policy document. The meeting wraps up around 2:00, and the printing and stapling of  
    the policy documents ends around 4:00.
    Over the next hour, the HR director, with the help of the manager, hands out checks, making all  
     the employees sign the document in order to get their check. You think to yourself that the  
     efficiency of a small operation like this is nice to see in action. You go to get your check, sign  
     your document, and are actually able to end your day at 5:00pm on a Friday.
B. You present the draft statement to the team at the next meeting. There is some discussion as  
     to the wording in the clause regarding the internal TPS Report. Some in the group feel the  
     TPS Report will be too tedious to use, others think with a distributed memo about the Report, 
     everything will be fine. After further discussion all agree on the wording of the policy.
    The employees meet with the HR director over the next week, and are all presented with a  
     copy of the policy and discuss how it is to be implemented. There is some resistance, some 
     of the employees are not happy about having a new procedure to follow.
     While walking back to your office, you see the CEO, and motion that you have a quick 
     question, "How does the new policy seem to be going with HR?" you ask.
     "So far so good, there are a few folks not that happy, but I think we'll be fine."
     "I've got to get over there tomorrow to sign mine, when are you meeting with HR?"
     "Me? I've got too much going on right now. I have to oversee everything; whatever happens 
     and goes on here has to go through me anyway. I don't have time to bother with that myself, I 
     just wanted to be sure we had something legally binding to protect us and to assist the 
     employees."
     "Fair enough. Listen, I need to talk with you soon about our firewall situation," you reply.
     "OK, stop by anytime. You know my door is always open."
     You walk away, and are pretty happy with how things are going here. You know you have 
     more work to do, but so far your suggestions are being taken well and appreciated. 
C. You present the draft statement to the team at the next meeting. There is some discussion as 
     to the wording in the clause regarding the internal TPS Report. Some in the group feel the  
    TPS Report will be too tedious to use, others think with a distributed memo about the Report,  
    everything will be fine. After further discussion all agree on the wording of the policy.
    The team finishes the discussion, and the meeting ends with approval of the document. Once 
     the document is approved, you move the discussion towards getting everyone in the company  
    aware of and agreeing to it.
    "I suggest that we tie it into our paychecks, and have the document go through HR."
    "We could do that, I guess. I can present the document to all the employees over the rest of 
     the month," the HR Director responds.
     Following that, the CEO brings up that there is going to be a company dinner next month, and 
     that at the dinner the CEO will declare the policy in place, and that "As all of us become 
     comfortable with this, we all should appreciate this step forward for our company."
     The next day, you post the policy on the company intranet site, so everyone has an electronic 
      copy to go with their copy from the HR meeting. Once that is done, you move on to your next 
     project.
D. You present the current draft to the team at the next meeting. There is some discussion now 
     on the language of the different clauses, and it seems that no one can agree on the points. 
     What you thought was close to being done, now seems to be at risk of never getting done.
     As the meeting escalates, and opinions start to get louder, the CEO interrupts the group,  
     "Enough. We are a small group, we have enough in common, we know what we need out of 
     this. We will bring in three contractors who specialize in policy writing. We'll give them our 
     thoughts, they will work with our tireless Security Guru, and get this thing done." 
     You are not all that thrilled about three consultants coming down on your territory, but realize 
     the frustration of the CEO. You agree, "That's fine by me. I'll meet with them, and we will draft 
     the document."
     There is other business on the agenda for the meeting, but it is not related to you, so you 
     excuse yourself and go back to your office.
     After working with the three consultants for a month, you have the document, approved by 
     ITCertKeys. You organize a company wide meeting, where the consultants describe the  
     policy and what it is for to all the employees. The employees are told where they can find the 
     policy to review for themselves, and after a question and answer session everyone gets back 
     to their work.
E. After the review of the policy it is decided that some of the bullet points in the document need 
     to be changed. You make the requested changes, and the team reviews the document once 
     more.
     "It all looks good to me now," says a manager in the meeting.
     "OK, how should we present this to the employees?" you ask.
     "I could take a copy to each employee and discuss it with them," offers the HR director.
     "No, that would be too time-consuming. That's not a good use of your time," responds the  
     CEO. "We need to get this done, obviously. What is our most cost-effective way of doing 
     this?"
     "Well, I could post the policy on our intranet site, and we could have the employees go and 
     download it themselves. During lunch, perhaps?" you suggest.
     "That sounds good, let's take that approach," the CEO answers.
     Later that day, you create a quick intranet site, called ITCertKeys policy and documents.
     You draft a quick email, which will be sent to all the employees in the company:
     "Dear _____,
     At ITCertKeys we have just finished work on a security policy that will clearly define the use of 
     the computers and other issues. This document will answer the questions that many of you 
     have had recently on what you are allowed to do with the computer and when online.
     At your earliest convenience, please connect to the new site I have linked here, to download 
     and read the new policy. Thanks and have a great day.
     - ITCertKeys Security Staff."
     You verify the site is working, send the email out to all the employees, and go home for the 
     day.

Answer: C

Question 3.
Things have been running smoothly now at ITCertKeys for the last several weeks.

There have been no major attacks, and it seems that the systems in place are performing just as expected. You are putting together some paperwork when you get a call from Orange to meet in the conference room. When you get there, Orange is wrapping up a meeting with the senior Vice President of Sales, whom you say hello to on your way in. "I was just talking with our senior VP here, and we've run into a new issue to discuss," Orange tells you.

"Well, I'll let you two sort this out. Orange, do let me know when it's all ready to go." With that the VP leaves.
You sit down across from Orange, who starts, "That was an interesting meeting. It seems that even though I have always said no to the request, we are being pressured to implement a wireless network."

"Here?" you ask, "In the executive building?"

"Yes, right here. The sales team wishes to have the ability to be mobile. Instead of running a full scale roll out I have trimmed the request down to running a test implementation on the second floor. The test run on that floor will be used to determine the type of wireless rollout for the rest of the building, and eventually the rest of the campus. So, here is what we need to do. I need you to create the roll out plan, and bring that plan to me. I'll review with you and implement as required."

"As always, what is my budget restriction?" you ask.

"In this case, security is the top priority. If we are going to run wireless, it has to be as secure as possible, use whatever you need. That being said, your plan has to use existing technologies, we are not going to fund the development of a new protocol or proprietary encryption system right now."

You begin your work on this problem by pulling out your own wireless networking gear. You have a laptop that uses an ORiNOCO card, and you have a full directional antenna that you can hold or mount on a small tripod. You take your gear to the lobby of the second floor, and you load up NetStumbler quickly to run a quick check that there are no access points in your area.

The immediate area is clear of any signal, so you take your gear and walk the entire second floor, waiting to see if there is any signal, and you find none. With your quick walk through complete, you take your gear back to your office and start working on your plan.

Using your knowledge of the ITCertKeys network, select the best solution to the wireless networking rollout problem:

A. You have figured out that since the network is a test roll out, you have some flexibility in its  
     configuration. After your walk through test, you begin by configuring the wireless nodes in the  
     network to run in Ad Hoc mode, creating an Independent Basic Service Set (IBSS).
     You will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure  
     every node to no longer broadcast any beacon packets. You will configure all the nodes to not  
     use the default channel, and instead move them all to channel six.
     You will configure every node to use MAC address filtering, to avoid unauthorized nodes from 
     attempting to gain access to the network. Finally, you will configure each node to use WEP in  
     the strong 128-bit mode, along with a complex 16-character pass phrase.
    Once the network is up and running, you take your gear (which is not an authorized client of  
    the network) and every few days will walk the office again, checking for access.
B. You have figured out that since the network is a test roll out, you have some flexibility in its 
     configuration. After your walk through test, you begin by configuring the wireless nodes in the 
     network to run in Ad Hoc mode, creating an Extended Basic Service Set (EBSS).
    You will use a complex SSID of 5cN@4M3! on all wireless nodes. You will next configure every  
    node to no longer broadcast any beacon packets. You will configure all the nodes to not use  
    the default channel, and instead move them all to channel six.
    You will configure every node to use MAC address filtering, to avoid unauthorized nodes from  
    attempting to gain access to the network. Finally, you will configure each node to use WEP in 
    the strong 128-bit mode, along with a complex 16-character pass phrase for generating four 
    keys. You will manually input the WEP Keys into each node. You will divide the test nodes into  
    quarters, and configure each quarter to startup on the network using a different default WEP  
    key.
    Once the network is up and running, you take your gear (which is not an authorized client of 
    the network) and every few days will walk the office again, checking for access. 
C. You determine that for the test network, you will run the network in infrastructure mode, using 
    a SSID of FLOOR2. During the test, you will create one single Basic Service Set (BSS),  
     running through one access point. All test nodes will be configured to participate in the BSS, 
     using the SSID of FLOOR2, and the access point will be configured with MAC address filtering 
     of the test nodes.
     You will configure the access point to use EAP, specifically EAP-TLS. You will configure a  
     Microsoft RADIUS Server as the authentication server. You will configure the RADIUS server  
     with a digital certificate. Using EAP-TLS, both the server and the client will be required to 
     authenticate using their digital certificates before full network access will be granted. Clients  
     will have supplicant software configured where required.
     You will next make a physical map of the office, using the tool Ekahau. Working with this tool,  
     you will map out and track the positioning of each wireless device once the network is active.
     When the network is up and running, you take your gear (which is not an authorized client of 
     the network) and every few days will walk the office again, checking for access.
    You will continue the test by running checks from the parking lot, ensuring that you cannot gain  
     access.
D. You determine that for the test network, you will run in infrastructure mode, using a SSID of  
     FLOOR2. During the test, you will create one single Independent Basic Service Set (IBSS), 
     running through one access point. All test nodes will be configured to participate in the IBSS,  
     using the SSID of FLOOR2.
     You will configure the access point to use WPA, with an algorithm of TKIP. You will configure  
     WPA to utilize the full 128-bit key option, with the pre-shared WPA key option. The client  
     computers will need supplicants, so you will configure the Funk Software Odyssey Client on  
     the clients, matching the key settings and TKIP settings. You will disable the access point from  
     broadcasting its SSID, and you will configure MAC address filtering.
     Once the network is up and running, you take your gear (which is not an authorized client of  
     the network) and every few days will walk the office again, checking for access.
E. You figure out that you will run the test network in infrastructure mode, using a SSID of 
     ITCertKeys. You will create one single Basic Service Set (BSS), all running through one 
     access point. All test nodes will be configured to participate in the BSS, using the SSID of  
     ITCertKeys, and the access point will be configured with MAC address filtering of the test 
     nodes.
     You will configure the access point to utilize a combination of 802.1x and WPA. The WPA 
     settings will be fully secured with TKIP, and 128-bit keys, which change on a per session  
     basis. The 802.1x settings will be to use Lightweight EAP (LEAP). The clients will be  
     configured to use LEAP, with a fallback to TKIP at 128-bits.
     When the network is up and running, you take your gear (which is not an authorized client of  
     the network) and every few days will walk the office again, checking for access.
    You will continue the test by running checks from the parking lot, ensuring that you cannot gain 
     access.

Answer: C

Question 4.
You go back through your notes to the day that you recommended that the company get a firewall in place. Purple had been convinced that the ISP protected the network, and that a firewall was too much technology on top of the router. Now that you have been given this responsibility, and since you have configured the router already, you wish to get the firewall in place as quickly as possible. You meet quickly with the CEO and mention that the network currently has no firewall, a serious problem. You inform the CEO that this must be fixed immediately, and that you have several firewall options. For this one instance, the CEO tells you to build the best solution; the decision is not going to be based on direct cost.

Based on your knowledge of and the information you have from ITCertKeys, select the best solution to the organization's firewall problem:

A. You decide to take advantage of the features of Microsoft's ISA Server and Checkpoint's NG. 
    You implement two firewalls, each with two network cards. From one Ethernet interface of the 
    router, you connect to a Checkpoint firewall, and from the other Ethernet interface on the 
    router, you connect to a Microsoft ISA firewall.
    The Checkpoint firewall is connected via one NIC to the router, and the other NIC is connected 
    to the Web and FTP Server. The Microsoft ISA Server is connected via one NIC to the router 
    and the other NIC is connected to the LAN switch.
    You perform the following steps and configurations to setup the firewalls:
    1. First, you configure the IP Address on both network cards of both firewalls.
    2. Second, you select the Floodgate-1, SMART Clients, and Policy Server as the only 
    components to install and complete the installation of Checkpoint.
   3. Third, you configure the Checkpoint firewall so only Web and FTP traffic are allowed 
    inbound.
   4. Fourth, you select the Cache Mode option during the install of ISA Server and complete the 
    installation of Microsoft ISA Server.
    5. Fifth, you allow all outbound traffic through the ISA Server.
    6. Sixth, you allow only inbound traffic through the ISA Server that is in response to
    outbound requests.
B. After analysis, you decide to implement a firewall using Checkpoint's NG. You begin by 
     installing a new machine, with a fresh hard drive, and the loading of NG. The new firewall will  
    have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall  
    NICs. You connect one firewall NIC to the Web and FTP server and one firewall NIC to the 
    LAN switch.
    You perform the following steps and configurations to setup the firewall:
    1. First, you configure the IP Addresses on all four network cards of the Checkpoint firewall.
    2. Second, you select only the VPN-1 & Firewall-1 components to install and complete the 
     installation of Checkpoint.
    3. Third, you configure the only new inbound network traffic to be destined for the WWW and 
    FTP services on the Web and FTP server
    4. Fourth, you block all other incoming traffic.
    5. Fifth, you create anti-spoofing rules to block inbound traffic that might be spoofed.
    6. Sixth, you configure all traffic to be allowed in the outbound direction
C. After you analyze the network, you have decided that you are going to implement a firewall 
    using Microsoft ISA Server. The new firewall will have four NICs. You connect the two Ethernet 
    interfaces on the routers to two of the firewall NICs. You connect one NIC to the Web and FTP 
    server and one NIC to the LAN switch.
   You perform the following steps and configurations to setup the firewall:
    1. First, you format a new hard drive and install a new copy of Windows 2000 Server.
    2. Second, you configure the correct IP Addresses on the four network cards.
    3. Third, you install ISA Server into Firewall only mode, and complete the installation.
    4. Fourth, you configure all inbound traffic to require the SYN flag to be set, all other inbound  
     network traffic is denied
     5. Fifth, you configure the network card towards the Web and FTP server will only allow ports  
     80, 20, and 21.
     6. Sixth, you configure all outbound traffic to be allowed.
D. After you run an analysis on the network and the ITCertKeys needs, you decide to implement 
     a firewall using Checkpoint NG. The firewall will have three NICs. One NIC is connected to the 
     router, one NIC is connected to the Web and FTP server and one NIC is connected to the LAN 
     switch.
    You perform the following steps and configurations to setup the firewall:
    1. First, you install a new version of Checkpoint NG, selecting the VPN-1 and Firewall-1 
     components, and complete the installation.
    2. Second, you configure the inbound rules to allow only SYN packets that are destined for 
    ports 80, 20, and 21 on the Web and FTP server.
    3. Third, you disallow all inbound traffic for the internal network, unless it is in response to an 
    outbound request.
    4. Fourth, you configure anti-spoofing rules on the inbound interface and log those connections  
    to a log server.
E. After you analyze the company, you decide to implement a firewall using Microsoft ISA Server. 
    You create a DMZ with the Web and FTP server on the network segment between the router 
     and the new firewall. The firewall will have two NICs, one connected to the router, and one 
     connected to the LAN switch.
    You perform the following steps and configurations to setup the firewall:
    1. First, you install a new version of ISA Server, installed in Firewall mode.
    2. Second, you configure the inbound network card to disallow all network traffic that did not  
    originate from inside the network or from the Web and FTP Server.
    3. Third, you configure anti-spoofing rules to prevent spoofing attacks.
    4. Fourth, you configure all outbound traffic to be allowed.
    5. Fifth, you configure inbound traffic with the SYN flag on to be allowed, and to be logged to a 
    SYSLOG server inside the network.

Answer: D

Question 5.
The network has been receiving quite a lot of inbound traffic, and although you have been given instructions to keep the network open, you want to know what is going on. You have decided to implement an Intrusion Detection System. You bring this up at the next meeting.

"After looking at our current network security, and the network traffic we are dealing with, I recommend that we implement an Intrusion Detection System," you begin.

"We don't have any more budget for security equipment, it will have to wait until next year." This is the reply from the CEO that you were anticipating.
"I realize that the budget is tight, but this is an important part of setting up security." You continue, "If I cannot properly identify all the network traffic, and have a system in place to respond to it, we might not know about an incident until after our information is found for sale on the open market." As expected, your last comment got the group thinking.

"What about false alarms?" asks the VP of sales, "I hear those things are always going off, and just end up wasting everyone's time."
"That's a fair concern, but it is my concern. When we implement the system, I will fine tune it and adjust it until the alarms it generates are appropriate, and are generated when there is legitimately something to be concerned about. We are concerned with traffic that would indicate an attack; only then will the system send me an alert."

For a few minutes there was talk back and forth in the room, and then the CEO responds again to your inquiry, "I agree that this type of thing could be helpful. But, we simply don't have any more budget for it. Since it is a good idea, go ahead and find a way to implement this, but don't spend any money on it."

With this information, and your knowledge of ITCertKeys, choose the answer that will provide the best solution for the IDS needs of ITCertKeys:

A. You install Snort on a dedicated machine just outside the router. The machine is designed to 
    send alerts to you when appropriate. You implement the following rule set:
    Alert udp any any -> 10.10.0.0/16 (msg: "O/S Fingerprint Detected"; flags: S12;)
    Alert udp any any -> 10.10.0.0/16 (msg: "Syn/Fin Scan Detected"; flags: SF;)
    Alert udp any any -> 10.10.0.0/16 (msg: "Null Scan Detected"; flags: 0;)
    Log tcp any any -> 10.10.0.0/16 any
    You then install Snort on the web and ftp server, also with this system designed to send you  
    alerts when appropriate. You implement the built-in scan.rules rule set on the server.
B. You configure a new dedicated machine just outside the router and install Snort on that 
     machine. The machine logs all intrusions locally, and you will connect to the machine remotely 
     once each morning to pull the log files to your local machine for analysis.
     You run snort with the following command: Snort -dev -l \snort\log -c snort.conf and using the 
     following rule base:
     Alert tcp any any <> any 80
     Alert tcp any any <> 10.10.0.0/16 any (content: "Password"; msg: "password transfer Possible";)
     Log tcp any any <- 10.10.0.0/16 23
     Log tcp any any <> 10.10.0.0/16 1:1024
C. You install your IDS on a dedicated machine just inside the router. The machine is designed to 
     send alerts to you when appropriate. You begin the install by performing a new install of  
    Windows on a clean hard drive.
    You install ISS Internet Scanner and ISS System Scanner on the new system. System 
    Scanner is configured to do full backdoor testing, full baseline testing, and full password 
    testing. Internet Scanner is configured with a custom policy you made to scan for all  
    vulnerabilities. You configure both scanners to generate automatic weekly reports and to send  
    you alerts when an incident of note takes place on the network.
D. You install two computers to run your IDS. One will be a dedicated machine that is on the 
     outside of the router, and the second will be on the inside of the router. You configure the  
     machine on the outside of the router to run Snort, and you combine the default rules of several  
     of the built-in rule sets. You combine the ddos.rules, dos.rules, exploit.rules, icmp.rules, and  
     scan.rules.
    On the system that is inside the router, running Snort, you also combine several of the built-in  
    rule sets. You combine the scan.rules, web-cgi.rules, ftp.rules, web-misc.rules, and
    web-iis.rules.
    You configure the alerts on the two systems to send you email messages when events are  
    identified. After you implement the two systems, you run some external scans and tests using 
    vulnerability checkers and exploit testing software. You modify your rules based on your tests.
E. You install Snort on a dedicated machine just inside the router. The machine is designed to 
    send alerts to you when appropriate. You do have some concern that the system will have too  
    many rules to operate efficiently. To address this, you decide to pull the critical rules out of the 
    built-in rule sets, and create one simple rule set that is short and will cover all of the serious 
    incidents that the network might experience.
    alert udp any 19 <> $HOME_NET 7 (msg: "DOS UDP Bomb"; classtype:attempted-dos; sid:271;rev:1;)
    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "DOS Teardrop attack"; id:242;fragbits:M;classtype:attempted-dos;sid:270;rev:1;)
    alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "DDOS TFN Probe"; id:678;itype:8;content: "1234";classtype:attempted-recon;sid:221;rev:1;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP PING NMAP"; dsize:0;itype:8;classtype:attempted-recon;sid:469;rev:1;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN XMAS";flags:SRAFPU;classtype:attempted-recon;625;rev:1;)
    alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg: "SCAN synscan microsoft";id:39426;flags:SF;classtype:attempted-recon;sid:663;rev:1;)

Answer: D

Question 6.
By now, you are feeling confident that the security of the ITCertKeys network is getting under control. You are aware that there are still several critical areas that you must deal with, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection; now you are concerned with some of the hosts in the network.

Since the organization is not very large, you are the only person working in the IT end of the company. It will be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the ITCertKeys network:

Server0001, 10.10.20.101, Windows 2000 Server
Server0010, 10.10.20.102, Windows 2000 Server
Server0011, 10.10.20.103, Windows 2000 Server
Server0100, 10.10.20.104, Linux (Red Hat 8.0)

User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional

The addressing that you recommended months ago is in place, and it follows a distinct logical pattern; you are hoping that no new systems are hidden in the network somewhere.

In the company, you have been granted domain administrator rights, and no other user is authorized to have administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one Windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems.

The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of ITCertKeys, select the best solution for hardening the ITCertKeys operating systems:

A. The first thing you do is to run a Nessus scan against all the servers in the room, noting the 
     findings of the scans. You then begin on the servers by running some tests on the Linux 
     server. First, you run Tripwire on the entire system to ensure that there are no rogue Root  
    accounts, and the test is positive. Second, you ensure that there are no unauthorized objects 
    available through the network, and third you lock the system down with Bastille.
    You then work on the Windows servers. You run a check to ensure there are no unauthorized 
    administrator accounts, and there are not. You create a custom security template and  
    implement the template on each server using the Security Configuration and Analysis Snap-In,  
    and you ensure that each system is updated with the latest patches.
    Finally, you analyze the user's desktops. You go one by one through the network checking for 
    added user accounts, and you find some. You remove these unauthorized accounts and check 
    for software and applications. Again, you find some applications that are not allowed and you  
    remove them. You check the systems for hardware changes, and address the issues that you  
    find.
B. You start the job by running some analysis on the Windows servers. You do this using the  
    Security Configuration and Analysis Snap-In, and you ensure that each system is updated with  
    the latest patches. You find several user accounts that have been given local administrator  
    access, and you remove these accounts. You next use the Secedit tool to implement local  
    encryption on the shared hard drive to secure the local files for the network users.
    You then work on the Linux server. To your surprise there are no unauthorized root accounts,  
    nor any unauthorized shares. You ensure that the permissions are correct on the shared  
    objects, and run Bastille to lock down the server.
    You then work on the client machines. Before you physically sit at each machine, you run a  
    Nessus scan from your office. Bringing the results with you, you go to each machine and  
    address any issues as identified in the Nessus scan, remove any unauthorized applications
C. You begin by running a Nessus scan from your office laptop on the systems in the network,  
    first the servers, then the user's workstations. After the scans are complete, you store the  
    reports on your laptop, and you take your laptop to the server room.
    In the server room, you begin on the Windows servers. You implement a custom security  
    template on each server using the Security Configuration and Analysis Snap-In, remove any 
    unauthorized accounts, ensure that each system is updated with the latest patches, and 
    ensure that the permissions on each shared object are as per policy.
    You then work on the Linux server, by addressing each point identified in the Nessus scan. 
    You then lock the system with Bastille, ensure that each system is updated with the latest 
    patches, and run a quick Tripwire scan to create a baseline for the system. You take your  
    laptop with you as you go throughout the network to each user workstation, ensure that each  
    system is updated with the latest patches, and you take care of each issue you found on the  
    machines. There are a few systems that you find with unauthorized applications and you 
    remove those applications.
D. The first thing you decide to do is plug your laptop into the server room, and run a full Nessus  
    scan on the entire network, specifically looking for every backdoor vulnerability that the 
    application can check. This takes some time to compile, but you eventually end up with a list of 
     issues to address on each machine.
    You move on to the Linux server, and run a fast Tripwire check on the system to look for any  
    additional vulnerabilities. Once that check is done, you install SSH so that all access by every  
    user will be encrypted to the server, and you run Bastille to lock down the system.
    At the Windows systems, you address any issues found during the Nessus scan, you ensure  
    that each system is updated with the latest patches, and you ensure that the systems are all  
    functioning as fully secure and functional file servers to the network by implementing the  
    HISECWEB.INF template in the Security Configuration and Analysis Snap-In.
    Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan 
    report. You remove a few pieces of unauthorized hardware and many unauthorized  
    applications.
E. You begin by running a Nessus scan on each computer in the network, using the \hotfix switch  
    to create a full report. The report identifies every vulnerability on each system and lists the 
    specific changes you must make to each system to fix any found vulnerabilities.
    You take the report to the server room and start with the Linux server. On the server, you run  
    through the steps as outlined in the Nessus report, and end by locking the system using 
    Bastille.
    Then, you move to the Windows systems, again following the steps of the Nessus report, and 
    ending by using the Security Configuration and Analysis Snap-In to implement the Gold 
    Standard template on every server.
    Finally, you proceed to each user workstation. At each user machine, you follow each step for 
    each system, based on your report. Once you have addressed all the vulnerabilities in the 
    systems, you run a quick Secedit scan on each system to ensure that they are all locked down 
    and that proper encryption is configured.

Answer: C

Question 7.
Now that you have ITCertKeys somewhat under control, you are getting ready to go home for the night. You have made good progress on the network recently, and things seem to be going smoothly. On your way out, you stop by the CEO's office and say good night. You are told that you will be meeting in the morning, so try to get in a few minutes early.

The next morning, you get to the office 20 minutes earlier than normal, and the CEO stops by your office, "Thanks for coming in a bit early. No problem really, I just wanted to discuss with you a current need we have with the network." 

"OK, go right ahead." You know the network pretty well by now, and are ready for whatever is thrown your way.

"We are hiring 5 new salespeople, and they will all be working from home or on the road. I want to be sure that the network stays safe, and that they can get access no matter where they are."

"Not a problem," you reply. "I'll get the plan for this done right away."

"Thanks a lot, if you have any questions for me, just let me know."
You are relieved that there was not a major problem and do some background work for integrating the new remote users. After talking with the CEO more, you find out that the users will be working from their home nearly all the time, with very little access from on the road locations.
The remote users are all using Windows 2000 Professional, and will be part of the domain. The CEO has purchased all the remote users brand new Compaq laptops, just like the one used in the CEO's office, and which the CEO takes home each night; complete with DVD/CD-burner drives, built-in WNICs, 17" LCD widescreen displays, oversized hard drives, a gig of memory, and fast processing. 'I wish I was on the road to get one of those,' you think.

You start planning and decide that you will implement a new VPN Server next to the Web and FTP Server. You are going to assign the remote users IP Addresses: 10.10.60.100~10.10.60.105, and will configure the systems to run Windows 2000 Professional.

Based on this information, and your knowledge of the ITCertKeys network up to this point, choose the best solution for the secure remote user needs:

A. You begin with configuring the VPN server, which is running Windows 2000 Server.
    You create five new accounts on that system, granting each of them the Allow Virtual Private 
    Connections right in Active Directory Users and Computers. You then configure the range of IP  
    Addresses to provide to the clients as: 10.10.60.100 through 10.10.60.105. Next, you configure  
    five IPSec Tunnel endpoints on the server, each to use L2TP as the protocol.
   Then, you configure the clients. On each system, you configure a shortcut on the desktop to 
    use to connect to the VPN. The shortcut is configured to create an L2TP IPSec tunnel to the  
    VPN server. The connection itself is configured to exchange keys with the user's ISP to create 
    a tunnel between the user's ISP endpoint and the ITCertKeys VPN Server.
B. To start the project, you first work on the laptops you have been given. On each laptop, you  
    configure the system to make a single Internet connection to the user's ISP. Next, you 
    configure a shortcut on the desktop for the VPN connection. You design the connection to use  
    L2TP, with port filtering on outbound UDP 500 and UDP 1701. When a user double-clicks the  
    desktop icon you have it configured to make an automatic tunnel to the VPN server.
    On the VPN server, you configure the system to use L2TP with port filtering on inbound UDP 
    500 and UDP 1701. You create a static pool of assigned IP Address reservations for the five 
    remote clients. You configure automatic redirection on the VPN server in the routing and  
    remote access MMC, so once the client has connected to the VPN server, he or she will  
    automatically be redirected to the inside network, with all resources available in his or her  
    Network Neighborhood.
C. You decide to start the configuration on the VPN clients. You create a shortcut on the desktop 
    to connect to the VPN Server. Your design is such that the user will simply double-click the  
    shortcut and the client will make the VPN connection to the server, using PPTP. You do not 
    configure any filters on the VPN client systems.
    On the VPN Server, you first configure routing and remote access for the new accounts and 
    allow them to have Dial-In access. You then configure a static IP Address pool for the five 
    remote users. Next, you configure the remote access policy to grant remote access, and you  
    implement the following PPTP filtering:
    - Inbound Protocol 47 (GRE) allowed
    - Inbound TCP source port 0, destination port 1723 allowed
    - Inbound TCP source port 520, destination port 520 allowed
    - Outbound Protocol 47 (GRE) allowed
    - Outbound TCP source port 1723, destination port 0 allowed
    - Outbound TCP source port 520, destination port 520 allowed
D. You configure the VPN clients first, by installing the VPN High Encryption Service Pack. With 
     this installed, you configure the clients to use RSA, with 1024-bit keys. You configure a  
    shortcut on the desktop that automatically uses the private/public key pair to communicate with  
    the VPN Server, regardless of where the user is locally connected.
    On the VPN Server, you also install the VPN High Encryption Service Pack, and configure 
    1024-bit RSA encryption. You create five new user accounts, and grant them all remote access 
     rights, using Active Directory Sites and Services. You configure the VPN service to send the  
    server's public key to the remote users upon the request to configure the tunnel. Once the 
    request is made, the VPN server will build the tunnel, from the server side, to the client.
E. You choose to configure the VPN server first, by installing the VPN High Encryption Service 
     Pack and the HISECVPN.INF built-in security template through the Security Configuration and 
     Analysis Snap-In. Once the Service pack and template are installed, you configure five user 
     accounts and a static pool of IP Addresses for each account.
    You then configure the PPTP service on the VPN server, without using inbound or outbound 
    filters - due to the protection of the Service Pack. You grant each user the right to dial into the 
    server remotely, and move on to the laptops.
    On each laptop, you install the VPN High Encryption Service Pack, to bring the security level of 
    the laptops up to the same level as the VPN server. You then configure a shortcut on each 
    desktop that controls the direct transport VPN connection from the client to the server.

Answer: C



Braindumps for "640-692" Exam

CCT Routing & Switching

 Question 1.
Which router port can be used for dial-in access to the router CLI for management purposes and does not usually pass normal network traffic?

A. AUX
B. Gigabit Ethernet
C. Fast Ethernet
D. Channelized serial

Answer: A

Explanation:

Question 2.
Which two pieces of information does the show ip interface brief command display? (Choose two)

A. Encapsulation type
B. Interface status
C. Layer 2 address
D. Layer 3 address
E. Keep alive

Answer: B, D

Explanation:

Question 3.
The pins on an RJ-45 plug are numbered from 1 through 8. With the metal contacts of the plug facing toward you, pin 1 is the leftmost pin.

Which two sets are looped on an RJ-45 T1 loopback plug? (Choose two)

A. Pins 1 and 4
B. Pins 1 and 7
C. Pins 2 and 5
D. Pins 2 and 8
E. Pins 1 and 5
F. Pins 2 and 7

Answer: A, C

Explanation:

Question 4.
What are two ways to open Microsoft Notepad on a Windows-based computer? (Choose two)

A. Start > Run, enter Notepad and click OK
B. Start > Control Panel > Notepad
C. Start > All Programs > Notepad
D. Start > All Programs > Accessories > Notepad
E. Start > All Programs > Microsoft Office > Notepad

Answer: A, D

Explanation:

Question 5.
Which three of the following statements are true? (Choose three.)

A. Each IP address has two parts: a network ID and a host ID
B. An IP subnet equals a broadcast domain.
C. An IPv4 address contains 36 bits
D. 172.16.1.18 is a Class A address
E. A subnet address is created by borrowing bits from the original host ID

Answer: A, B, E

Explanation:

Question 6.
Which of the following is a DTE device?

A. router
B. CSU/DSU
C. cable modem
D. DSL modem

Answer: A

Explanation:

Question 7.
Which two of the following statements are true about a switch? (Choose two)

A. It is a repeater.
B. It is a data link layer device.
C. It will forward the frame out all ports when it receives a broadcast from a host.
D. It reads the destination MAC address to forward traffic out the appropriate port.
E. It acts as an amplifier.

Answer: B, D

Explanation:

Question 8.
Which of the following best describes the cable that is used to connect a laptop to an Ethernet port on a Cisco router?

A. Crossover
B. Straight-through
C. Fiber
D. Rollover

Answer: A

Explanation:

Question 9.
Refer to the exhibit.
 

Which type of cable is used on the ATM card?

A. Fiber-optic BNC
B. Coaxial
C. Serial
D. Crossover

Answer: B

Explanation:

Question 10.
What are two features that are associated with single-mode fiber-optic cable? (Choose two.)

A. a single strand of glass fiber
B. carries higher bandwidth than multimode fiber
C. cost is less than multimode fiber
D. operates over less distance than multimode fiber

Answer: A, B

Explanation:


Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.