CISSP Practice полностью

A local-area network refers to a network that interconnects systems located in a small geographic area, such as a building or a complex of buildings (campus). Traffic padding operates a network up to its full capacity thereby curtailing the resource sharing potential of the LAN.

Security label is a designation assigned to a system resource, such as a file, which cannot be changed except in emergency situations. Security labels protect the confidentiality of data. Similarly, data splitting increases the confidentiality of data where the file is broken up into two or more separate files so that an intruder cannot make any sense out of them. The separate files are then transferred independently via different routes and/or at different times.

299. The Internet Protocol version 6 (IPv6) is not related to which of the following?

a. Session-less protocols

b. Datagram-based protocols

c. Session initiation protocol (SIP)

d. Simple Internet Protocol Plus (SIPP)

299. c. Session initiation protocol (SIP) is a text-based protocol, like simple mail transfer protocol (SMTP) and hypertext transfer protocol (HTTP), for initiating interactive communication sessions between users. Such sessions include voice, video, data, instant messaging, chat, interactive games, and virtual reality. SIP is the protocol used to set up conferencing, telephony, multimedia, and other types of communication sessions on the Internet. SIP has nothing to do with and is not related to the Internet Protocol version 6 (IPv6).

Both the IPv4 and IPv6 are session-less and datagram-based protocols. The IPv6 security features include encryption, user authentication, end-to-end secure transmission, privacy, and automatic network configuration (automatically assigning IP addresses to hosts). IPv6 also handles real-time and delay-sensitive traffic. IPv6 runs on high-speed networks, those using asynchronous transfer mode (ATM) and wireless networks. Simple Internet Protocol Plus (SIPP) is used in IPv6.

300. Which of the following border gateway protocol (BGP) attacks does not use message digest 5 (MD5) authentication signature option as a countermeasure?

a. Peer spoofing

b. Link cutting attack

c. Malicious route injection

d. Unallocated route injection

300. b. An inherent vulnerability in routing protocols is their potential for manipulation by cutting links in the network. By removing links, either through denial-of-service or physical attacks, an attacker can divert traffic to allow for eavesdropping, blackholing, or traffic analysis. Because routing protocols are designed to find paths around broken links, these attacks are hard to defend against. Examples of countermeasures against link cutting attacks include using encryption, intrusion detection systems, and redundant backup paths, not an MD5 authentication signature option.

The other three choices use a message digest 5 (MD5) authentication signature option. The MD5 hash algorithm can be used to protect BGP sessions by creating a keyed hash for TCP message authentication. Because MD5 is a cryptographic algorithm using a 128-bit cryptographic hash (checksum), rather than a simple checksum such as CRC-32 bit, it is computationally difficult to determine the MD5 key from the hash value.

In a peer spoofing attack, the goal is to insert false information into a BGP peer’s routing tables. Examples of countermeasures against peer spoofing include using strong sequence number randomization and an MD5 authentication signature option.

In a malicious route injection attack, a malicious party could begin sending out updates with incorrect routing information. Examples of countermeasures against malicious route injection include using route filtering and an MD5 authentication signature option.

In an unallocated route injection attack, which is a variation of malicious route injection attack, routes are transmitted to unallocated prefixes. These prefixes contain a set of IP addresses that have not been assigned yet, so no traffic should be routed to them. Examples of countermeasures against unallocated route injection include dropping unallocated prefixes and using route filtering and an MD5 authentication signature option.

301. Domain name system (DNS) is a part of which of the following TCP/IP layers?

a. Applications layer

b. Transport layer

c. Network layer

d. Data link layer

301. a. DNS is a function of the application layer, along with HTTP, SMTP, FTP, and SNMP. This layer sends and receives data for particular applications.