Answers to Review Questions

1. Some examples of laws and directives influencing network security include the following:

■ The U.S. Gramm-Leach-Bliley Act of 1999 (GLBA): Provides limited privacy protections against the sale of private financial information.

■ The U.S. Health Insurance Portability and Accountability Act (HIPAA): Aims to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.

■ European Union Data Protection Directive 95/46/EC: Aims to protect people's privacy rights when their personal data is processed.

■ The U.S. Sarbanes-Oxley Act of 2002 (SOX): Aims to establish new or enhanced auditing and financial standards for all United States public company boards, management, and public accounting firms.

■ Payment Card Industry (PCI) Data Security Standard (DSS): Aims to ensure safe handling of sensitive payment information, such as storage and transfer of credit card information.

■ The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA): Establishes rules for the management of personal information by organizations involved in commercial activities.

2. A virus is a program that triggers a damaging outcome. A worm is a virus that can self-duplicate.

3. Reconnaissance is usually the prelude to a more focused attack against a particular target. For example, it can be used to determine which targets are active, which network services are running, and so forth.

4. A DoS attack attempts to compromise the availability of a network, host, or application. Two methods of causing a DoS attack are by sending malformed data and by sending a large quantity of data.

5. DHCP snooping filters DHCP packets; it prevents a rogue DHCP server from handing out IP addresses on a network by blocking all replies to a DHCP request from an interface (port) unless that port is allowed to reply. DHCP snooping also builds and maintains a DHCP-snooping binding table, which includes MAC address and IP address information for DHCP clients on untrusted interfaces. DAI intercepts all ARP requests and replies on untrusted interfaces and uses the DHCP-snooping binding table information to verify that ARP packets have valid IP-to-MAC address bindings.
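The two mechanisms in answer 5, modelled as a small simulation (an added example, not code from the book or from any Cisco product): server replies are dropped on untrusted ports, DHCP ACKs on the trusted port populate a binding table, and DAI forwards ARP from untrusted ports only when sender MAC, IP and port all match a binding. Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SnoopingSwitch:
    """Toy model of DHCP snooping plus DAI on a single VLAN (constructed example)."""
    trusted_ports: set = field(default_factory=set)
    client_ports: dict = field(default_factory=dict)   # client MAC -> port it was seen on
    bindings: dict = field(default_factory=dict)       # client MAC -> (IP, port) from DHCP ACKs
    dropped: list = field(default_factory=list)        # log of filtered packets

    def dhcp_packet(self, port: str, kind: str, client_mac: str, yiaddr: str = None) -> bool:
        """Return True if the packet is forwarded. Client messages are always forwarded;
        server replies (OFFER/ACK/NAK) are dropped unless they arrive on a trusted port."""
        if kind in ("DISCOVER", "REQUEST"):
            self.client_ports[client_mac] = port
            return True
        if port not in self.trusted_ports:
            self.dropped.append(f"DHCP {kind} on untrusted {port}: rogue server reply")
            return False
        if kind == "ACK":
            # Snooping binding table entry: the lease just granted to this client
            self.bindings[client_mac] = (yiaddr, self.client_ports.get(client_mac))
        return True

    def arp_packet(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: ARP on untrusted ports is forwarded only if sender MAC/IP match a binding
        learned on that same port; trusted ports bypass inspection."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return True
        self.dropped.append(f"ARP on {port}: {sender_mac}->{sender_ip} has no valid binding")
        return False

def demo() -> SnoopingSwitch:
    """Replay a constructed DHCP exchange and three ARP packets through the switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})          # Gi0/1 faces the real DHCP server
    client = "aa:bb:cc:00:00:01"
    sw.dhcp_packet("Gi0/5", "DISCOVER", client)
    sw.dhcp_packet("Gi0/1", "OFFER", client, "10.0.0.10")
    sw.dhcp_packet("Gi0/5", "REQUEST", client)
    sw.dhcp_packet("Gi0/1", "ACK", client, "10.0.0.10")    # binding learned here
    sw.dhcp_packet("Gi0/7", "OFFER", client, "10.0.0.99")  # reply from an untrusted port: dropped
    sw.arp_packet("Gi0/5", client, "10.0.0.10")            # matches binding: forwarded
    sw.arp_packet("Gi0/5", client, "10.0.0.1")             # client claiming the gateway IP: dropped
    sw.arp_packet("Gi0/7", client, "10.0.0.10")            # right MAC/IP, wrong port: dropped
    return sw
```

The `dropped` list is what a real switch would surface as DHCP-snooping and DAI violation counters or syslog messages.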

6. Answer:

■ Integrity violation: An attacker changes sensitive data

■ Confidentiality breach: Can be very difficult to detect

■ Availability threat: The result of a network's incapability to handle an enormous quantity of data

7. Risk assessment defines threats, their probability, and their severity. A network security policy enumerates risks relevant to the network and determines how to manage those risks. A network security design implements the security policy.

8. The risk index is calculated by dividing the product of the probability and severity factors by the control factor, resulting in this formula:

Risk index = (probability factor * severity factor) / (control factor)

For this example:

9. A general document describes the overall risk management policy, identifies the corporation's assets, identifies where protection must be applied, and documents how risk management responsibility is distributed throughout the enterprise. Other documents might include a general Network Access Control policy, an Acceptable Use of Network policy, a Security Management policy, and an Incident Handling policy.

10. A process consisting of the following four steps helps maintain the security policy:

■ Step 1: Secure

■ Step 2: Monitor

■ Step 3: Test

■ Step 4: Improve

11. Answer:

■ Trust and identity management: To protect critical assets by allowing access based on privilege level

■ Threat defense: To minimize and mitigate outbreaks

■ Secure connectivity: To ensure privacy and confidentiality of communications

12. The Cisco Self-Defending Network contains three characteristic phases: integrated security, collaborative security systems, and adaptive threat defense.

13. Trust defines the relationship in which two or more network entities are allowed to communicate. The identity is the who of a trust relationship. The identity of a network entity is verified by credentials.

14. Answer:

■ Identification: A subject presents its identity

■ Authentication: A subject proves its identity

■ Domains of trust: Parts of the network with similar security policy

■ Trust: The basis of security policy decisions

■ Password: Something the subject knows

■ Token: A physical device or software application

15. Authentication is traditionally based on one of the following three proofs:

■ Something the subject knows

■ Something the subject has

■ Something the subject is

16. Authentication is used to establish the subject's identity. Authorization is used to limit the subject's access to a network.

17. NAC allows network access only to wired or wireless endpoint devices that are compliant with the network security policies, and can restrict the access of noncompliant devices.

Two NAC options are available: the NAC framework or the NAC appliance. If an endpoint device is noncompliant, the Cisco NAC appliance repairs any vulnerability before permitting the device to access the network.

18. The supplicant is an 802.1X end device or user who is trying to connect to a port. The authenticator is an Ethernet device to which a supplicant is trying to connect.

19. The principle of least privilege is based on the practice by which each subject is given only the minimal rights that are necessary to perform his or her tasks.

20. This risk is managed by not keeping encryption keys on the laptop and by having the ability to revoke credentials.

21. Answer:

■ Endpoint protection: Cisco Security Agent

■ Infection containment: ASA, PIX, FWSM, Cisco IOS Firewall

■ Inline intrusion and anomaly detection: IPS sensor, IDS module, Cisco IOS IPS, Cisco Traffic Anomaly Detector, Cisco Traffic Anomaly Guard

■ Application security and Anti-X defense: Content Security and Control Security Services module

23. Cryptography provides confidentiality through encryption.

24. True

25. Data encrypted with a public key can be decrypted only with the corresponding private key. Data encrypted with a private key can be decrypted only with the corresponding public key.

26. Digital signatures and secure fingerprints are examples of cryptographic mechanisms that ensure data integrity. Secure fingerprints attach a cryptographically strong checksum to data. This checksum is generated and verified using a secret key that only authorized subjects know.

Digital signing of data uses a cryptography method that attaches a digital signature to sensitive data. This signature is generated using a unique signature generation key that is known only to the signer, not to anyone else. Other parties use the signer's signature verification key to verify the signature.
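The secure-fingerprint mechanism from answer 26, as an added example (not from the book): a keyed checksum built with HMAC-SHA256, verified in constant time, contrasted with a plain hash that a modifier can simply recompute. The key and message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values: a key shared only by the authorized parties, and a message.
KEY = b"shared-secret-known-only-to-authorized-subjects"
MESSAGE = b"amount=100&dest=ACC-42"

def unkeyed_checksum(data: bytes) -> str:
    """Plain hash: catches accidental corruption, but anyone who alters the data
    can recompute it, so it proves nothing about deliberate modification."""
    return hashlib.sha256(data).hexdigest()

def secure_fingerprint(data: bytes, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256): only a holder of the secret key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_fingerprint(data: bytes, key: bytes, tag: str) -> bool:
    """Recompute and compare in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(secure_fingerprint(data, key), tag)

def integrity_demo() -> dict:
    tag = secure_fingerprint(MESSAGE, KEY)
    modified = MESSAGE.replace(b"100", b"900")
    # With an unkeyed checksum the receiver can only recompute the hash of whatever
    # arrived; a modified message shipped with its own recomputed hash passes.
    shipped_checksum = unkeyed_checksum(modified)
    return {
        "original_verifies": verify_fingerprint(MESSAGE, KEY, tag),
        "unkeyed_checksum_passes_modified": unkeyed_checksum(modified) == shipped_checksum,
        # The old tag no longer matches the modified data ...
        "keyed_rejects_modified": not verify_fingerprint(modified, KEY, tag),
        # ... and a tag computed without the real key does not verify either.
        "keyed_rejects_wrong_key": not verify_fingerprint(
            modified, KEY, secure_fingerprint(modified, b"not-the-real-key")),
    }
```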

27. Answer:

■ Cisco Security Manager: Configures firewall, VPN, and IPS policies

■ Cisco Security MARS: Appliance-based solution that models packet flows through the network

■ Cisco SDM: Web-based device-management tool for Cisco routers

■ Cisco ASDM: Security management and monitoring for ASA and PIX

■ Cisco IDM: Web-based application for IPS sensors

■ CiscoWorks Management Center for Cisco Security Agents: Assembles network devices into groups to which security policies are attached

■ Cisco Secure ACS: Centralized control for role-based access to all Cisco devices and security management applications

28. The Cisco IOS IPS is an inline, deep packet inspection-based feature that enables Cisco IOS software to effectively mitigate a wide range of network attacks. The Cisco IOS IPS enables the network to defend itself with the intelligence to accurately identify, classify, and stop or block malicious or damaging traffic in real time by loading a set of attack signatures on the router.

29. The Cisco Catalyst 6500 Series Firewall Services Module (FWSM) is a high-speed, integrated firewall module for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers.


This appendix contains job aids and supplementary information that cover the following topics:

■ IPv4 Addresses and Subnetting Job Aid

■ Decimal-to-Binary Conversion Chart

■ IPv4 Addressing Review

■ IPv4 Access Lists
