199. b. Organizations typically have many different sources of network traffic data. Intrusion detection system (IDS) data is often the starting point for examining suspicious activity. Unfortunately, IDS software produces false positives, so IDS alerts need to be validated. By itself, data from the other sources (e.g., firewalls, routers, proxy servers, and remote access servers) is usually of little value. Examining that data over time may indicate overall trends, such as an increase in blocked connection attempts. However, because these sources typically record little information about each event, the data provides little insight into the nature of the events.

200. Intrusion detection system (IDS) software attempts to identify malicious network traffic at which of the following Transmission Control Protocol/Internet Protocol (TCP/IP) layers?

1. Application layer

2. Transport layer

3. Network layer

4. Data link layer

a. 1 only

b. 2 only

c. 3 only

d. 1, 2, 3, and 4

200. d. Not only does the intrusion detection system (IDS) software typically attempt to identify malicious network traffic at all TCP/IP layers, but it also logs many data fields (and sometimes raw packets) that can be useful in validating events and correlating them with other data sources.

201. Which of the following protocols are the most likely to be spoofed?

1. ICMP

2. UDP

3. TCP

4. Ethernet

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

201. c. Internet control message protocol (ICMP) and user datagram protocol (UDP) are connectionless protocols and thus the most likely to be spoofed. Transmission control protocol (TCP) and Ethernet are incorrect because they are connection-oriented protocols and thus the least likely to be spoofed. Many attacks use spoofed IP addresses. Spoofing is far more difficult to perform successfully for attacks that require connections to be established, because the attacker needs insight into sequence numbers and connection status.

202. Which of the following applications are used on local-area networks (LANs) with user datagram protocol (UDP)?

1. X.25

2. SMDS

3. DHCP

4. SNMP

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

202. d. User datagram protocol (UDP) is used for applications that are willing to take responsibility for ensuring reliable delivery of data, such as DNS, and applications that are intended for use only on LANs, such as Dynamic Host Configuration Protocol (DHCP) and Simple Network Management Protocol (SNMP). Like TCP, each UDP packet contains a source port and a destination port. X.25 and SMDS are incorrect because they are protocols used in a wide-area network (WAN).

X.25 is an international standard that defines the interface between a computing device and a packet-switched data network. Switched multi-megabit data service (SMDS) provides an effective vehicle for connecting LANs in a metropolitan or larger area.

203. Spoofing in a local-area network (LAN) occurs with which of the following?

1. Internet Protocol (IP) addresses

2. Media access control (MAC) addresses

3. Network address translation (NAT)

4. Dynamic host configuration protocol (DHCP) servers

a. 1 or 2

b. 2 or 3

c. 1 or 4

d. 3 or 4

203. a. Dynamic host configuration protocol (DHCP) servers typically are configured to log each Internet Protocol (IP) address assignment and the associated media access control (MAC) address, along with a timestamp. This information can be helpful to analysts in identifying which host performed activity using a particular IP address. However, information security analysts should be mindful of the possibility that attackers on an organization’s internal networks have falsified (spoofed) their IP addresses or MAC addresses. This is possible in light of manufacturers accidentally creating network interface cards (NICs) with duplicate MAC addresses. Network address translation (NAT) modifies the IP addresses in a packet, which directly violates the packet integrity assurance provided by IPsec. Spoofing MACs on a LAN can also occur by a malicious user trying to bypass authentication or by a malicious program modifying the device MAC.
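As an added illustration of the DHCP-log correlation this answer describes (example code written for this page, not part of the original text): it parses constructed DHCP assignment log lines, resolves which MAC held an IP address at a given time, and flags IP addresses that the log shows bound to more than one MAC, which is the trace that internal spoofing or a duplicate-MAC NIC would leave. The log line format, timestamps, addresses and MACs are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample DHCP server log (hypothetical line format, not a real vendor's):
#   <timestamp> DHCPACK <assigned IP> <client MAC>
SAMPLE_LOG = """\
2024-03-01 08:00:01 DHCPACK 10.0.0.12 aa:bb:cc:00:00:01
2024-03-01 08:05:10 DHCPACK 10.0.0.13 aa:bb:cc:00:00:02
2024-03-01 09:30:00 DHCPACK 10.0.0.12 aa:bb:cc:00:00:01
2024-03-01 10:00:00 DHCPACK 10.0.0.12 AA:BB:CC:00:00:09
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DHCPACK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_leases(text):
    """Return a time-sorted list of (timestamp, ip, mac) tuples from the log text."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected format are skipped, not guessed at
            ts = datetime.strptime(m["ts"], TS_FMT)
            leases.append((ts, m["ip"], m["mac"].lower()))  # normalise MAC case
    return sorted(leases)


def mac_for_ip_at(leases, ip, when):
    """MAC that most recently received `ip` at or before `when` (same timestamp format), or None."""
    t = datetime.strptime(when, TS_FMT)
    holder = None
    for ts, lease_ip, mac in leases:
        if lease_ip == ip and ts <= t:
            holder = mac  # leases are sorted by time, so the last match wins
    return holder


def find_ip_mac_conflicts(leases):
    """Map each IP that was bound to more than one MAC in the log window to that set of MACs.

    A MAC change can be an ordinary lease reassignment, but it is also what an internal
    host spoofing its MAC, or two NICs shipped with a duplicate MAC, would leave in the
    log, so each hit should be checked against the lease times before it is trusted.
    """
    seen = {}
    for _, ip, mac in leases:
        seen.setdefault(ip, set()).add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}
```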

204. For network data analysis, which of the following is difficult when trying to identify and validate the identity of a suspicious host involving Internet Protocol (IP) address spoofing?

a. Contact the IP address owner.
