165. c.
There are known incompatibilities between IPsec and NAT because NAT modifies the IP addresses in the packet, which directly violates the packet integrity assurance provided by IPsec. In tunnel mode, ESP can provide encryption and integrity protection for an encapsulated IP packet and authentication of the ESP header. Therefore, ESP tunnel mode can be compatible with NAT. However, protocols with embedded addresses (e.g., FTP, IRC, and SIP) can present additional complications. The AH tunnel mode and the AH transport mode are incorrect because AH is not compatible with NAT implementations. This is because AH includes source and destination IP addresses in its integrity protection calculations. The ESP transport mode is incorrect because it is not compatible with NAT. In transport mode, ESP can provide encryption and integrity protection for the payload of an IP packet and integrity protection for the ESP header.
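To make the AH versus ESP point concrete, here is an added example (not from the study text) that models the integrity check value (ICV) of each protocol in a simplified way: AH's ICV covers the source and destination addresses plus the payload, while ESP's ICV covers only the ESP payload, as in tunnel mode where the outer IP header is outside the check. A NAT device that rewrites the source address is then applied after protection, and the receiver's verification shows which packet still passes; the third case also shows that computing the ICV after translation (NAT first, then IPsec) verifies. Key, addresses and payload are constructed; the inner transport checksum problem that affects ESP transport mode is not modelled.

```python
import hmac
import hashlib
import socket

# Constructed demo key; a real SA key comes from IKE, never a literal like this.
KEY = b"constructed-demo-integrity-key"

def _icv(data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 over the covered bytes (simplified model)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def ah_protect(src: str, dst: str, payload: bytes) -> dict:
    """AH: the ICV covers the (immutable) IP addresses as well as the payload."""
    covered = socket.inet_aton(src) + socket.inet_aton(dst) + payload
    return {"src": src, "dst": dst, "payload": payload, "icv": _icv(covered)}

def esp_protect(src: str, dst: str, payload: bytes) -> dict:
    """ESP (tunnel mode): the ICV covers the ESP payload, not the outer IP header."""
    return {"src": src, "dst": dst, "payload": payload, "icv": _icv(payload)}

def ah_verify(pkt: dict) -> bool:
    covered = socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"]) + pkt["payload"]
    return hmac.compare_digest(pkt["icv"], _icv(covered))

def esp_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], _icv(pkt["payload"]))

def nat_rewrite_source(pkt: dict, public_src: str) -> dict:
    """A NAT device rewriting the source address; payload and ICV are left untouched."""
    return {**pkt, "src": public_src}

def demo() -> dict:
    """Returns which combinations still verify at the receiver (addresses are constructed)."""
    private, peer, public = "10.0.0.5", "203.0.113.10", "198.51.100.1"
    payload = b"application data"
    # IPsec applied first, then NAT in the path (the incompatible ordering)
    ah_then_nat = nat_rewrite_source(ah_protect(private, peer, payload), public)
    esp_then_nat = nat_rewrite_source(esp_protect(private, peer, payload), public)
    # NAT performed before IPsec, e.g. a gateway that translates and then protects
    nat_then_ah = ah_protect(public, peer, payload)
    return {
        "ah_after_nat": ah_verify(ah_then_nat),      # False: covered addresses changed
        "esp_after_nat": esp_verify(esp_then_nat),   # True: outer header not covered
        "nat_then_ah": ah_verify(nat_then_ah),       # True: ICV computed on final addresses
    }
```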
166. Which of the following is not a recommended solution to make network address translation (NAT) compatible with Internet Protocol security (IPsec)?
a. Perform NAT after applying IPsec.
b. Use UDP encapsulation of ESP packets.
c. Configure cable and DSL routers properly at small offices.
d. Configure cable and DSL routers properly at home offices.
166. a.
Because network address translation (NAT) hides the network-addressing schema present behind a firewall environment and converts the limited number of Internet IP addresses into a large number of legal addresses, NAT should be performed before applying IPsec, not after. For example, the gateway can perform NAT first and then IPsec for outbound packets. The other three choices are incorrect because they are recommended solutions.
167. Which of the following is a viable option for providing confidentiality and integrity for dial-up communications?
a. L2TP only
b. L2TP with IPsec
c. PPTP only
d. L2F only
167. b.
Layer 2 tunneling protocol (L2TP) with Internet Protocol security (IPsec) is a viable option for providing confidentiality and integrity for dial-up communications, particularly for organizations that contract virtual private network (VPN) services to an Internet service provider (ISP). L2TP and IPsec together provide stronger security, and IPsec makes up for the L2TP weaknesses. Point-to-point tunneling protocol (PPTP) hides information in IP packets. Layer 2 forwarding (L2F) protocol protects communications between two network devices, such as an ISP network access server and VPN gateways. IPsec supersedes PPTP, whereas L2TP supersedes L2F.
168. Virtual private network (VPN) protocols are used in environments requiring high physical security in which of the following TCP/IP layers?
a. Application layer
b. Transport layer
c. Network layer
d. Data link layer
168. d.
Data link layer virtual private network (VPN) protocols are used in high security environments to secure particular physical links, such as a dedicated circuit between two buildings, when there is concern for unauthorized physical access to the link’s components. However, network performance should be considered.
169. Which of the following items are not synergistic in nature?
a. Single sign-on system and Kerberos authentication technique
b. Telecommuting and software piracy policies
c. Firewalls and intrusion detection systems
d. Architectural security design and layered protections
169. b.
A synergistic control is a complementary control where two or more individual controls are combined to provide an additive or multiplicative (magnifying) effect. The other three choices are examples of synergistic controls. Telecommuting and software piracy policies are not synergistic; they are an example of contradictory controls, where a company policy encouraging telecommuting on one hand and another policy restricting employees from carrying software home from work conflict with each other. Besides enabling work from home, these policies target the software piracy issue so that there is no legal problem for the company.