308. c. The Internet is an example of external network. Local-area network (LAN), campus-area network (CAN), wide-area network (WAN), intranet, and extranet are examples of internal networks. The virtual private network (VPN) can be either an internal network or external network. The VPN is considered an internal network only if the end user organization establishes the VPN connection between organization-controlled endpoints and does not depend on any external network to protect the confidentiality and integrity of information transmitted across the network. In other words, the VPN is considered an internal network only when it is adequately equipped with appropriate security controls by the end user organization, and no external organization exercises control over the VPN.
309. Which of the following permits Internet Protocol security (IPsec) to use external authentication services such as Kerberos and RADIUS?
a. EAP
b. PPP
c. CHAP
d. PAP
309. a. The Internet Key Exchange (IKE) Version 2 of IPsec supports the extensible authentication protocol (EAP), which permits IPsec to use external authentication services such as Kerberos and RADIUS.
The point-to-point protocol (PPP) standard specifies that password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) may be negotiated as authentication methods, but other methods can be added to the negotiation and used as well.
310. Which of the following supports the secure sockets layer (SSL) to perform client-to-server authentication process?
a. Application layer security protocol
b. Session layer security protocol
c. Transport layer security protocol
d. Presentation layer security protocol
310. c. Transport layer security (TLS) protocol supports the SSL to perform client-to-server authentication process. The TLS protocol enables client/server application to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol provides communication privacy and data integrity over the Internet.
311. Challenge handshake authentication protocol (CHAP) requires which of the following for remote users?
a. Initial authentication
b. Pre-authentication
c. Post-authentication
d. Re-authentication
311. d. CHAP supports re-authentication to make sure the users are still who they were at the beginning of the session. The other authentication methods mentioned would not achieve this goal.
312. A major problem with Serial Line Internet Protocol (SLIP) is which of the following?
a. The protocol does not contain address information.
b. The protocol is used on point-to-point connections.
c. The protocol is used to attach non-IP devices to an IP network.
d. The protocol does not provide error detection or correction mechanism.
312. d. SLIP is a protocol for sending IP packets over a serial line connection. Because SLIP is used over slow lines (56kb), this makes error detection or correction at that layer more expensive. Errors can be detected at a higher layer. The addresses are implicitly defined, which is not a major problem. Point-to-point connections make it less vulnerable to eavesdropping, which is strength. SLIP is a mechanism for attaching non-IP devices to an IP network, which is an advantage.
313. A serious and strong attack on a network is just initiated. The best approach against this type of attack is to:
a. Prevent and detect
b. Detect and recover
c. Prevent and correct
d. Prevent and intervene
313. d. On any attack, preventing network attacks from occurring is the first priority. For serious and strong attacks, prevention should be combined with intervening techniques to minimize or eliminate negative consequences of attacks that may occur. Intervening actions start right after full prevention and right before full detection, correction, and recovery actions by installing decoy systems (e.g., honeypot), vigilant network administrators, and alerts/triggers from central network monitoring centers. In other words, intervening actions face the attacker head on right after the initial signs and symptoms of attack detection but do not wait until the full detection to take place as in a normal case of detection, thus halting the attacker to proceed further. These intervening actions stop the attack right at the beginning by diverting or stalling the attacker.
