Note that these software policies vary widely in practice: (i) some companies allow the employee to carry software home and some do not, (ii) some companies allow the employee to use only the licensed software, either by preloading it on the work/home PC or by downloading it to the work/home PC from a central computer, and (iii) some companies permit the employee to buy the approved and licensed software and get reimbursed, or the company may buy the software and give it to the employee. Regardless, an implicit and potential risk is that a noncompliant telecommuting employee or a family member could load unlicensed, unauthorized, and personal software on the work/home PC without the knowledge of the company. This action could infect the work/home PC with computer viruses and worms, thus risking the work-related data, programs, and systems.
170. Which of the following makes the transport layer security (TLS) proxy server architecture fully compatible with network address translation (NAT)?
a. HTTPS
b. PGP
c. GPG
d. SSH
170. a.
The transport layer security (TLS) proxy server provides transport layer VPN services. The use of HTTPS makes the proxy server architecture fully compatible with NAT. HTTPS usage is permitted by firewall rulesets. The other three choices are incorrect because PGP, GPG, and SSH are application layer VPN protocols. Pretty good privacy (PGP) provides security for e-mail encryption, disk encryption, and digital signatures for home and office use. GNU privacy guard (GPG) is the software for safe and encrypted e-mail communication, which is a free software alternative to PGP.
171. Which one of the following items replaces the other three items?
a. telnet
b. SSH
c. rcp and rsh
d. FTP
171. b.
A commonly used application layer protocol suite is secure shell (SSH), which contains secure replacements for several unencrypted application protocols, including telnet, rcp, rsh, and FTP. SSH tunnel-based VPNs are resource-intensive to set up and are most commonly used by small groups of IT administrators.
172. Which of the following cannot protect non-IP protocols?
a. IPsec
b. PPTP
c. L2TP
d. L2F
172. a.
The Internet Protocol security (IPsec) can protect only IP-based communications and protocols, which is one of its weaknesses. The other three choices are incorrect because PPTP, L2TP, and L2F can protect non-IP protocols. Point-to-point tunneling protocol (PPTP) hides information in IP packets. Layer 2 tunneling protocol (L2TP) protects communications between an L2TP-enabled client and a server. Layer 2 forwarding (L2F) protocol protects communications between two network devices, such as an ISP network access server and VPN gateways.
173. Internet Protocol security (IPsec) protocols use which of the following modes?
a. Main mode and aggressive mode
b. Quick mode and informational mode
c. State mode and user mode
d. Transport mode and tunnel mode
173. d.
The Internet Key Exchange (IKE) of the IPsec protocol consists of two phases: Phase 1 exchange includes main mode and aggressive mode. Phase 2 exchange includes quick mode and information exchange mode. If Authentication Header (AH) or Encapsulating Security Payload (ESP) is added to an IP packet following the existing IP header, it is referred to as transport mode. Tunnel mode requires inserting an additional IP header into the packet but offers increased flexibility. State mode and user mode are not relevant here.
174. From a security configuration viewpoint, what is a managed or enterprise operational IT environment referred to as?
a. Inward-facing
b. Inward-dialing
c. Outward-facing
d. Outward-dialing
174. a.
The managed environment is an inward-facing environment typically structured and centrally managed. When a system connects on the interior of a network behind a firewall, it is called inward facing. When a high-risk system or network directly connects to the Internet, it is called outward facing (e.g., public Web server, e-mail server, and DNS server). Inward dialing is incorrect because it refers to calling into a system and is not a meaningful term here. Outward dialing is incorrect because it refers to calling from a system and is not a meaningful term here.
175. What is a client/server application that requires nothing more than a browser and runs on only a user’s computer called?
a. Thick client
b. Thin client