Reading CISSP Practice in full

ISDN is a telecommunications industry standard for upgrading local loops to digital service. It enables the existing copper local loops to be used for digital service. However, it requires users to buy new equipment for their end of the line, which converts their data to the ISDN format. It also requires that the telephone company’s equipment, such as the central office switches, be upgraded. The local loop uses low-capacity analog copper wires.

67. What is a physical security control that uses a network configuration mechanism to minimize theft or damage to computer equipment?

a. Web server

b. Terminal server

c. Server farm

d. Redundant server

67. c. In a server farm, all servers are kept in a single, secure location, and the chances of theft or damage to computer equipment are lower. Only those individuals who require physical access should be given a key. The redundant server concept is used in contingency planning and disaster recovery; a redundant server is kept away from the server farm.

68. Which of the following performs application content filtering?

a. Sensors

b. Gateway

c. Proxy

d. Hardware/software guard

68. c. A software proxy agent performs application content filtering to remove or quarantine viruses that may be contained in e-mail attachments, to block specific MIME types, or to filter other active content (e.g., Java, JavaScript, and ActiveX Controls). The proxy accepts certain types of traffic entering or leaving a network, processes it, and forwards it.

The other three choices are not related to application content filtering. Sensors are composed of network monitors and network scanners, where the former performs intrusion detection, and the latter performs vulnerability scanning. A gateway is an interface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures. A hardware/software guard enables users to exchange data between private and public networks, which is normally prohibited because of information confidentiality.

69. Which of the following functions is similar to a host firewall?

a. Authentication header

b. TCP wrappers

c. Encapsulating security payload

d. Security parameters index

69. b. Transmission control protocol (TCP) wrappers are a freely available application that functions similarly to a firewall. They can be used to restrict access and can be configured so that only specified user IDs or nodes can execute specified server processes. An authentication header is one of IPsec’s two security headers: (i) the authentication header and (ii) the encapsulating security payload. The authentication header provides source authentication and integrity to the IP datagram, and the payload provides confidentiality. A security parameter index consists of cryptographic keys and algorithms, and the authentication header contains the index.

70. A major risk involving the use of packet-switching networking is that:

a. It is possible that some packets can arrive at their destinations out of sequence.

b. It is not possible to vary the routing of packets depending on network conditions.

c. Terminals attached to a public data network may not have enough intelligence.

d. Terminals attached to a public data network may not have enough storage capacity.

70. a. Most packet-switching networks can vary the routing of packets depending on network conditions. Because of this, some packets can arrive at their destinations out of sequence, while most packets arrive in normal sequence because they are reassembled at the receiver end. Some packets may not reach their destinations at all, which is a potential security risk: a smart attacker can change the packet sequence numbers in the middle of the stream, divert the packet to his own site for later attack, and then change the sequence numbers back to the original condition, or fail to do so correctly and thus break the sequence. Worse yet, a malicious attacker can insert fake sequence numbers so that the packet does not reach its destination point. Here, the attacker’s goal is to steal valuable information from these packets for his own benefit.

Terminals attached directly to a public data network must have enough intelligence and storage capacity to break large messages into packets and to reassemble them into proper sequence. A packet assembly and disassembly (PAD) facility can help accommodate intelligence and storage problems.

71. One of the goals of penetration testing security controls is to determine:
