Читаем CISSP Practice полностью

4. c. Usually, IPsec is implemented on a firewall for VPNs. IPsec encrypts and encapsulates IP packets, so outsiders cannot observe the true source and destinations. VPNs enable a trusted network to communicate with another network over untrusted networks such as the Internet. A policy is needed for use of firewalls with VPNs. Any connection between firewalls over public networks should use encrypted VPNs to ensure the privacy and integrity of the data passing over the public network. Bridges, gateways, and backbones do not have the access control mechanism as the firewall.

5. Which of the following permits IPsec to use external authentication services such as Kerberos and RADIUS?

a. EAP

b. PPP

c. CHAP

d. PAP

5. a. The Internet Key Exchange (IKE) Version 2 of IPsec supports the extensible authentication protocol (EAP), which permits IPsec to use external authentication services such as Kerberos and RADIUS. The point-to-point protocol (PPP) standard specifies that password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) may be negotiated as authentication methods, but other methods can be added to the negotiation and used as well.

6. A VPN creates a secure, private network over the Internet through all the following except:

a. Authentication

b. Encryption

c. Packet tunneling

d. Firewalls

6. a. VPNs enable an organization to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination to create a secure link between peers over a public network. The secure link is built through encryption, firewalls, and packet tunneling. Authentication is done outside the network.

7. From a security viewpoint, which of the following should be the goal for a VPN?

a. Make only one exit point from a company’s network to the Internet.

b. Make only one entry point to a company’s network from the Internet.

c. Make only one destination point from a company’s network to the Internet.

d. Make only one transmission point from the Internet to a company’s network.

7. b. The goal for a VPN should be to make it the only entry point to an organization’s network from the Internet. This requires blocking all the organization’s systems or making them inaccessible from the Internet unless outside users connect to the organization’s network via its VPN.

Sources and References

“Border Gateway Protocol Security (NIST SP 800-54),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2007.

“Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (NIST SP800-97),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, February 2007.

“Guide to Enterprise Telework and Remote Access Security (NIST SP800-46 Revision 1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2009.

“Guidelines on Firewalls and Firewall Policy (NIST SP800-41 Revision 1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, September 2009.

“Guide to General Server Security (NIST SP800-123),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, July 2008.

“Guide to IPsec VPNs (NIST SP800-77),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, January 2005.

“Guide to Securing Legacy IEEE 802.11 Wireless Networks (NIST SP800-48R1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, July 2008.

“Guidelines on Securing Public Web Servers (NIST SP800-44 Version 2),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, September 2007.

“Guide to Secure Web Services (NIST SP800-95),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August 2007.

“Guide to SSL VPNs, (NIST SP800-113 Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August 2007.

“Guidelines for Securing Radio Frequency Identification (RFID) Systems (NIST SP800-98),” National Institute of Standards and Technology (NIST), The U.S. Department of Commerce, Gaithersburg, Maryland, April 2007.

“Guidelines on Cell Phone and PDA Security (NIST SP800-124),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, October 2008.