195. a. An organization’s major access point is the Internet gateway. Attackers often enter networks from alternative access points to avoid detection by security controls monitoring major access points. A classic example of an alternative access point is a modem in a user’s workstation. If an attacker can dial into the workstation and gain access, then attacks can be launched from that workstation against other hosts. In such cases, little or no information about the network activity may be logged because the activity does not pass through firewalls, intrusion detection system (IDS)-monitored network segments, and other common data collection points. Organizations typically address this by limiting alternative access points, such as modems and wireless access points, and ensuring that each is monitored and restricted through firewalls, IDS sensors, or other controls.
196. When monitoring failures occur, redundant equipment should be used for which of the following?
a. IDS sensors
b. Network-based firewalls
c. Host-based firewalls
d. System logs
196. a. In most organizations, the cost of redundant monitoring makes it feasible only for the highest risk areas. In the case of dedicated monitoring systems, such as intrusion detection system (IDS) sensors, using redundant equipment (e.g., two sensors monitoring the same activity) can lessen the impact of monitoring failures. Another strategy is to perform multiple levels of monitoring, such as configuring network-based and host-based firewalls to log connections.
197. Which of the following is not a primary component or aspect of firewall systems?
a. Protocol filtering
b. Application gateways
c. Extended logging capability
d. Packet switching
197. d. Packet switching is not related to a firewall system. It is a message delivery technique in which small units of information (packets) are relayed through stations in a computer network along the best route currently available between the source and the destination. A packet-switching network handles information in small units, breaking long messages into multiple packets before routing. Although each packet may travel along a different path, and the packets composing a message may arrive at different times or out of sequence, the receiving computer reassembles the original message. Packet-switching networks are considered to be fast and efficient. To manage the tasks of routing traffic and assembling or disassembling packets, such networks require some “intelligence” from the computers and software that control delivery.
Protocol filtering is incorrect because it is one of the primary components or aspects of firewall systems. A firewall filters protocols and services that are either not necessary or that cannot be adequately secured from exploitation. Application gateways are incorrect because they are one of the primary components or aspects of firewall systems. A firewall requires inside or outside users to connect first to the firewall before connecting further, thereby filtering the protocol. Extending logging capability is incorrect because it is one of the primary components or aspects of firewall systems. A firewall can concentrate extended logging of network traffic on one system.
198. Which of the following is a major risk in network traffic involving services running on unexpected port numbers?
a. Capturing
b. Monitoring
c. Analyzing
d. Detecting
198. d. Applications such as intrusion detection systems and protocol analyzers often rely on port numbers to identify which service is in use for a given connection. Unfortunately, most services can be run on any port number. Traffic involving services running on unexpected port numbers may not be captured, monitored, or analyzed properly, causing unauthorized services usage (e.g., providing Web services on an atypical port) to be undetected. Another motivation is to slip traffic through perimeter devices that filter based on port numbers. Many Trojans create services on atypical ports for sending SPAM.
199. For sources of network traffic data, which of the following provides the starting point for examining suspicious activity?
a. Firewalls
b. IDS software
c. Proxy servers
d. Remote access servers
