a) Suppose that someone suggests the following way to confirm that the two of you are both in possession of the same secret key. You create a random bit string the length of the key, XOR it with the key, and send the result over the channel. Your partner XORs the incoming block with the key (which should be the same as your key) and sends it back. You check, and if what you receive is your original random string, you have verified that your partner has the same secret key, yet neither of you has ever transmitted the key. Is there a flaw in this scheme? Explain.
b) True or False: Suppose I generate a RSA public and private key pair, and I publish the public key. Then that's all I need to be able to send you a securely encrypted email.
A) True
B) False
c) Consider the following hashing algorithm. A binary block of length M is divided into subblocks of length 128 bits, and the last block is padded with zeros to a length of 128. The hash consists of the XOR of the resulting 128-bit vectors. Is this hashing algorithm appropriate for cryptography? Explain.
d) You have an issue in your company with users claiming they did not receive e-mail messages, while other users claim they were sent. What PKI component will help you to prove the dates and times of messages sent on the network?
A) Non-Repudiation
B) Encryption
C) Encapsulation
D) Integrity
E) Confidentiality
PROBLEM 2 - Network Design Considerations and Network Device Security (20 points)
(5 pts each)
a) Which of the following are not methods for minimizing a threat to a Web server? Indicate the two best answers from the following list, and explain your choice:
A) Disable all non-Web services.
B) Ensure telnet is running.
C) Disable nonessential services.
D) Enable logging.
b) You are setting up a switched network and want to group users by department. Which technology would you implement? Explain.
A) DMZ
B) VPN
C) VLAN
D) NAT
c) If you notice that the number of existing half-open sessions is beginning to rise, what could this indicate? (Select all that apply)
A) Answers
B) Man in the Middle attack
C) Serial Scan
D) IP Spoofing
E) Port Scan
F) DoS attack
d) Consider using DHCP. What are the major security concerns? Indicate the two best answers from the following list, and explain your choice:
A) The network is vulnerable to man-in-the-middle attacks.
B) Anyone hooking up to the network can automatically receive a network address.
C) Clients might be redirected to an incorrect DNS address.
D) There are no security concerns with using DHCP
PROBLEM 3 - Firewalls (20 points)
(5 pts each)
a) What governs the type of traffic that is and is not allowed through a firewall? Explain.
A) TCP/IP headers
B) Gateway
C) Rule base
D) Access control list
E) Network protocol in use
b) Firewalls can be implemented in different ways. Consider a dedicated firewall device. What is its major advantage when the target is throughput and security? Explain.
A) The management console is easily installed.
B) The device contains proprietary operating systems.
C) The connection to the device is monitored by security personnel.
D) A thorough packet inspection capability.
E) The hackers know most router-based firewall code.
c) Choose the best answer from the following options about the description of a firewall:
A) Firewalls statefully inspect reply packets to determine whether they matchthe expected state of a connection in the state table.
B) Firewalls statically inspect packets in both directions and filter on layer 3and layer 4 information.
C) A firewall is any device that blocks access to a protected network.
D) A firewall is a system or a group of systems that enforce an access control policy between two networks.
E) None of the above
d) For a stateful packet-inspection firewall, which information is stored in the connection flow table?
A) TCP control header and trailer information associated with a particular session
B) Inside private IP address and the translated inside global IP address
C) Outbound and inbound access rules (ACL entries)
D) Source and destination IP addresses, and port numbers and sequencing information associated with a particular session
E) TCP SYN packets and the associated return ACK packets
PROBLEM 4 - Virtual Private Network Security (20 points)
(5 pts each)
a) Select the term that refers to the data recipient's ability to ensure that the data was not altered in any fashion as the data was sent across the VPN:
A) Encryption
B) Integrity
C) Authentication
D) Tunneling
b) Explain how two VPN gateways can protect against the insertion or replay of packets, even if they do not employ encryption.
c) What is the relationship between a VPN and an extranet? Explain.
A) Some extranets are VPNs; some VPNs are extranets
B) Some extranets are VPNs; all VPNs are extranets
C) VPNs and extranets are the same type of network
D) VPNs are unrelated to extranets
d) Which one is the best approach to VPNs? Explain.
A) VPN-specific gateway device
B) Router-based
C) Firewall-based
D) Software only
E) All of the above
PROBLEM 5 - Wireless Network Security (20 points)
(5 pts each)
a) What is the protocol developed for the wireless network communications? Explain.
A) Wireless Encryption Protocol (WEP)
B) Wireless Application Protocol (WAP)
C) Wired Equivalent Privacy (WEP)
D) Wireless Session Protocol (WSP)
b) Consider 802.11 shared key authentication. Which of the following statements is false? Explain.
A) If a device with the key is lost then the security for the entire WLAN is compromised.
B) 802.1X requires shared key authentication.
C) Real users and attackers with a shared WEP key have the same rights.
D) Users cannot determine whether the access point is an imposter.
c) The term used for certified 802.11b products is ___________ .
A. WAP
B. Wi-Fi
C. WEP
D. WPA
d) Which of the following is not a reason why WEP may be considered vulnerable? Explain. (Select all that apply.)
A) Shared WEP keys among all clients
B) 20-bit initialization vector
C) An RC4 engine not properly initialized
D) 48-bit WEP keys