CISSP Practice: full text

The other three choices are used to commit click fraud, which is a major problem for Internet service providers (ISPs) and other websites. Click fraud is perpetrated by a combination of individuals, specialized computer programs, bot networks (botnets), and third parties who are hired for a fee to click and are paid on a per-click basis. (That is, the more clicks they make, the more money they make.) In all these situations, fraudulent clicks are made on an online advertisement with no intention of learning more about a product or purchasing it. The advertiser pays the website owners based on the number of clicks made on its advertisement. Unethical website owners commit click fraud to make easy money. Specialized computer programs are written to do the automatic clicking.

113. The purpose of the packet filter is not based on which of the following?

a. IP addresses

b. Protocols

c. Port numbers

d. Applications

113. d. The purpose of the packet filter is to specify how each type of incoming and outgoing traffic should be handled—whether the traffic should be permitted or denied (usually based on IP addresses, protocols, and port numbers), and how permitted traffic should be protected. The type of application does not matter for the packet filter.

114. As the packet filtering rules become more complex, they can lead to which of the following?

a. Authentication errors

b. Cryptographic errors

c. Configuration errors

d. Performance errors

114. c. One caveat in the packet filter is that the more complex the packet filtering rules become, the more likely it is that a configuration error may occur, which could permit traffic to traverse networks without sufficient controls.
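The points made in answers 113 and 114, as an added example that is not part of the original book: a first-match packet filter that decides only on source address, protocol, and destination port, plus a check for rules shadowed by an earlier rule with the opposite action, which is the kind of configuration error that creeps in as rule sets grow. The `Rule` class, the function names, and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network in CIDR form
    proto: str    # "tcp", "udp" or "any"
    ports: range  # destination ports (end exclusive)

    def matches(self, src_ip, proto, port):
        # Only address, protocol and port are examined; the application is not.
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and self.proto in ("any", proto)
                and port in self.ports)

    def covers(self, other):
        """True when every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and self.proto in ("any", other.proto)
                and other.ports.start >= self.ports.start
                and other.ports.stop <= self.ports.stop)

def decide(rules, src_ip, proto, port):
    """First matching rule wins; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.action
    return "deny"

def shadowed(rules):
    """Index pairs (earlier, later) where the later rule can never take effect
    because an earlier rule with a different action covers all of its traffic."""
    return [(i, j) for j, later in enumerate(rules) for i in range(j)
            if rules[i].covers(later) and rules[i].action != later.action]

# Constructed rule set: rule 1 was meant to block telnet from the lab subnet,
# but the broader permit above it matches first.
RULES = [
    Rule("permit", "10.0.0.0/8", "tcp", range(1, 1024)),
    Rule("deny", "10.9.0.0/16", "tcp", range(23, 24)),
    Rule("permit", "0.0.0.0/0", "udp", range(53, 54)),
]

if __name__ == "__main__":
    print(decide(RULES, "10.9.4.7", "tcp", 23))  # traffic the deny rule was meant to stop
    print(shadowed(RULES))
```

Moving the narrower deny rule above the broad permit removes the shadowing; running a check like `shadowed` after each rule change catches the error before it reaches the filter.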

115. The Internet Protocol security (IPsec) implementation typically supports which of the following authentication methods?

1. Preshared keys

2. Digital signatures

3. Kerberos

4. TACACS and RADIUS

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

115. d. The endpoints of an IPsec connection use the same authentication method to validate each other. IPsec implementations typically support preshared keys and digital signatures, and in some implementations external authentication services, such as Kerberos. Some IPsec implementations also support the use of legacy asymmetric authentication servers such as terminal access controller access control system (TACACS) and remote authentication dial-in user service (RADIUS).

116. Which of the following does not require redundancy and fail-over capabilities to provide a robust Internet Protocol security (IPsec) solution?

a. IPsec client software in a managed environment

b. IPsec gateways

c. Authentication servers

d. Directory servers

116. a. Redundancy and fail-over capabilities should be considered not only for the core IPsec components, but also for supporting systems. IPsec client software may be broken by a new operating system update. This issue can be handled rather easily in a managed environment, but it can pose a major problem in a nonmanaged environment. Therefore, the IPsec client software does not require redundancy and fail-over capabilities.

IPsec gateways are incorrect because two IPsec gateways can be configured so that when one gateway fails, users automatically fail over to the other gateway. Authentication servers and directory servers are incorrect because they also need redundancy due to their support role.

117. All the following can be disallowed at the voice gateway in Voice over Internet Protocol (VoIP) except:

a. Application level gateway

b. H.323 gateway protocol

c. Session initiation protocol (SIP)

d. Media gateway control protocol (MGCP)

117. a. The application level gateway, or firewall control proxy, is designed for VoIP traffic: it denies packets that are not part of a properly originated call or tracks the state of connections, and it should be allowed to function. Protocols such as H.323, SIP, and MGCP, which are connections from the data network, should be disallowed at the voice gateway of the VoIP that interfaces with the public-switched telephone network (PSTN) because they are not secure.
