Reading CISSP Practice in full

A single enclave may span a number of geographically separate locations with connectivity via commercially purchased point-to-point communications (e.g., T-1, T-3, and ISDN) along with WAN connectivity such as the Internet. An enclave is a collection of information systems connected by one or more internal networks under the control of a single organization and security policy. These systems may be structured by physical proximity or by function, independent of location. An enclave boundary is a point at which an enclave’s internal network service layer connects to an external network’s service layer (i.e., to another enclave or to a wide-area network).

151. Which of the following virtual private network (VPN) architectures often replaces costly private wide-area network (WAN) circuits?

a. Gateway-to-gateway

b. Host-to-gateway

c. Contractor-to-company

d. Host-to-host

151. a. The gateway-to-gateway virtual private network (VPN) architecture often replaces more costly private wide-area network (WAN) circuits.

The host-to-gateway VPN architecture often replaces dial-up modem pools, is somewhat complex to implement and maintain for user and host management, and is most often used to provide secure remote access.

The contractor-to-company architecture is an exclusive connection between the VPN client and the VPN network device; all other connectivity is blocked after the establishment of the VPN session, so there is no chance of IP packets being forwarded between the Internet and the company’s private network.

The host-to-host VPN architecture is most often used when a small number of trusted users need to use or administer a remote system that requires the use of insecure protocols (e.g., a legacy system), that requires a secure remote access solution, and that can be updated to provide VPN services. System administrators performing remote management of a single server can use the host-to-host VPN architecture. The host-to-host VPN architecture is resource-intensive to implement and maintain for user and host management.

152. Which of the following provides stronger security in administering the network devices, such as routers or switches?

a. Simple network management protocol (SNMP)

b. SNMP version 1

c. SNMP version 2

d. SNMP version 3

152. d. Simple network management protocol (SNMP) version 3 provides security feature enhancements to basic SNMP, including encryption and message authentication. SNMP, SNMP version 1, and SNMP version 2 rely on default clear-text community strings (e.g., public and private) across the network without cryptographic protection. Therefore, SNMP, SNMP version 1, and SNMP version 2 should not be used to configure network devices over untrusted networks. The default community strings should be removed before real community strings are put into place. If both of these string types are present on the device at any time, an attacker could retrieve real community strings from the device using the default community strings. Hence, SNMP version 3 provides stronger security than the other three choices for administering the network devices such as routers or switches.

153. Which of the following models is used for formally specifying and verifying protocols?

a. Protocol converter

b. Protocol tunneling

c. Petri net model

d. Seeding model

153. c. The Petri net model is used for formally specifying and verifying protocols. Petri nets are a graphical technique used to model relevant aspects of the system behavior and to assess and improve safety and operational requirements through analysis and redesign.

The other three choices do not deal with formally specifying and verifying protocols. A protocol converter is a device that changes one type of coded data to another type of coded data for computer processing. Protocol tunneling is a method to ensure confidentiality and integrity of data transmitted over the Internet. A seeding model is used to indicate software reliability in terms of error detection power of a set of test cases.

154. The penetration testing of security controls does not focus on which of the following?

a. Technical controls

b. Physical controls

c. Management controls

d. Procedural controls
