Читаем CISSP Practice полностью

258. All the following are applications of spanning tree concept except:

a. Multicast routing

b. Spanning port

c. Risk analysis

d. Bridges

258. b. A spanning port is a switch port that can see all network traffic going through the switch. The spanning port has nothing to do with the spanning tree whereas the other three choices are applications of the spanning tree concept. The spanning tree has several applications such as (i) multicast routing which makes excellent use of bandwidth where each router knows which of its lines belong to the tree, (ii) conducting risk analysis, and (iii) building plug-and-play bridges.

259. Which of the following does not perform “prefix filtering” services?

a. Border gateway protocol

b. Sensors

c. Routers

d. Firewalls

259. b. Sensors (intrusion detection systems) are composed of monitors and scanners, and they do not perform prefix filtering services. Sensors identify and stop unauthorized use, misuse, and abuse of computer systems by both internal network users and external attackers in near real time. Sensors do not perform permit and deny actions as do the border gateway protocol (BGP), routers, and firewalls. Prefix filtering services are provided by BGP, routers, and firewalls in that they perform permit and deny actions. Prefix filtering is the most basic mechanism for protecting BGP routers from accidental or malicious disruption, thus limiting the damage to the routes. Filtering of both incoming prefixes (ingress filtering) and outgoing prefixes (egress filtering) is needed. Router filters are specified using syntax similar to that for firewalls. Two options exist. One option is to list ranges of IP prefixes that are to be denied and then permit all others. The other option is to specify a range of permitted prefixes, and the rest are denied. The option of listing a range of permitted prefixes provides greater security.

260. Local-area networks (LANs) operate at what layer of the ISO/OSI reference model?

a. Physical Layer 1

b. Data link Layer 2

c. Network Layer 3

d. Transport Layer 4

260. b. Layer 2 (data link) of the ISO/OSI reference model represents the layer at which network traffic delivery on local-area networks (LANs) occurs.

261. Which of the following are examples of major problems associated with network address translation (NAT)?

1. Cannot abide by the IP architecture model

2. Cannot locate the TCP source port correctly

3. Cannot work with the file transfer protocol

4. Cannot work with the H.323 Internet Telephony Protocol

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4

261. d. Major problems associated with network address translation (NAT) include (i) it violates the architectural model of IP, which states that every IP address must uniquely identify a single computer worldwide, (ii) it will not locate the TCP source port correctly, (iii) it violates the rules of protocol layering in that a lower-level layer should not make any assumptions about the next higher-level layer put into the payload field, and (iv) it needs to be patched every time a new application is introduced because it cannot work with file transfer protocol (FTP) or H.323 Internet Telephony Protocol. The FTP and H.323 protocols will fail because NAT does not know the IP addresses and cannot replace them.

262. Hardware/software guards provide which of the following functions and properties?

1. Data-filtering

2. Data-blocking

3. Data-sanitization

4. Data-regrading

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 1, 2, 3, and 4

262. d. Hardware/software guard technology can bridge across security boundaries by providing some of the interconnectivity required between systems operating at different security levels. Several types of guard exist. These protection approaches employ various data processing, data filtering, and data-blocking techniques in an attempt to provide data sanitization (e.g., downgrade) or separation between networks. Some approaches involve human review of the data flow and support data flow in one or both directions. Guards can be used to counteract attacks made on the enclave.

Information flowing from public to private networks is considered as a data upgrade. This type of transfer may not require a review cycle but should always require a verification of the integrity of the information originating from the public source system and network.

Information flowing from private to public networks is considered as data regrade and requires a careful review.