This layer receives its requests from the Application layer:
Control layer
This layer is also known as the Infrastructure layer:
Physical layer
This layer communicates with the Control layer through what is called the northbound interface:
Application layer
This layer provides the Physical layer with configuration and instructions:
Control layer
On this layer, individual networking devices use southbound APIs to communicate with the control
plane:
Physical layer
"Explanation:
For this scenario, you should configure the Wireless Network Mode option as follows:
Change the Wireless Network Mode setting to G-Only.
Change the Wireless Network Name (SSID) setting to Research.
Change the Wireless Channel setting to 5.
Change the Wireless SSID Broadcast setting to Disable.
For the Wireless Network Mode, the scenario specifically stated that you ONLY want to support 802.11g wireless
devices on the network. Because the scenario also stated that you must use a non-overlapping channel, you must choose from channels 1, 5, 9, or 13 for an 802.11g network. Because channels 1 and 9 are already in use and channel 13 is not an option on the router, you must use channel 5. Note that 80211b wireless networks have four non-overlapping channels: 1, 6, 11, and 14.
Finally, the scenario stated that the network name should not be advertised, which means that the Wireless SSID Broadcast option should be set to Disable.
For testing purposes, you should understand how to configure a wireless router. This includes setting the network mode, the SSID name, and the channel used. You should also understand how to enable/disable SSID broadcast and how to configure MAC filtering.
Linksys has an online emulator that will allow you to view the different configurable screens for the various models. The link to the online emulator is given in the References section. When you
access this site, you first select the model number you want to emulate. Then you will need to select the firmware version. The emulator will allow you to view all of the configurable screens for a Linksys wireless router. We suggest that you spend time familiarizing yourself with wireless configuration settings using this free tool.
"
"Answer:
IPSec can work in either tunnel mode or transport mode.
IPSec uses Encapsulation Security Payload
(ESP) and Authentication Header (AH) as security protocols for encapsulation.
The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions.
Explanation:
Internet Protocol Security (IPSec) can operate in either tunnel mode or transport mode. In transport mode, only the message part of a packet (the payload) is encrypted by Encapsulating Security Payload (ESP). In IPSec tunnel mode, the entire packet including the packet header and the routing
information is encrypted. IPSec tunnel mode provides a higher level of security than transport mode. Either of the two modes can be used to secure either gateway-to-gateway or host-to-gateway communication. If used in gateway-to-host communication, the gateway must act as the host.
IPSec uses ESP and Authentication Header (AH) as security protocols. AH provides the authentication mechanism, and ESP provides encryption, confidentiality, and message integrity.
IPSec sets up a secure
channel that uses a strong encryption and authentication method between two network devices, such as routers, VPN concentrators, and firewalls.
IPSec can provide security between any two network devices running IPSec, but its chief implementation is in securing virtual private network (VPN) communications. IPSec provides security by protecting against traffic analysis and replay attacks. IPSec is primarily implemented for data communication between applications that transfer data in plain text. IPSec secures the network device against attacks through encryption and encapsulation.
The IPSec does not use the L2TP protocol to encrypt messages. L2TP is used for secure communication in VPN networks and is a hybrid of L2F and PPTP.
IPSec ensures integrity and confidentiality of IP transmissions, but cannot ensure availability of the information.
"
"Answer:
802.1x
Explanation:
You should deploy 802.1x to allow remote
employees to connect to internal resources via a RADIUS server. Implementing 802.1x would allow a company to reduce the exposure of sensitive systems to unmanaged devices on internal networks. 802.1x can also be used on wired networks to segment traffic intended for the wireless access point. For example, if a company has several conference rooms with wired network jacks that are used by both employees needing access to internal resources and guests needing access to the Internet only, you
should implement 802.1x and VLANs. 802.1x is an good solution if you need to make sure that only devices authorized to access the network would be permitted to log in and utilize resources.
Flood guards are devices that protect against Denial of Service (DoS) attacks.
Unified threat management devices are devices that integrate a traditional firewall with network firewalling, intrusion prevention, antivirus (AV), anti-spam, VPN, content filtering, load balancing, data leak prevention and on-appliance reporting.
A virtual LAN (VLAN) is a virtual subnetwork that is configured using a switch. This allows administrators to isolate network clients on their own subnetwork.
Any remote employees that are allowed to access local resources should be given specialized security training. This training should include guidelines on the types of network that they can use. For example, remote users should NEVER access a corporate VPN or other resources over an unsecure wireless
network. Accessing a VPN over open wireless can result in major security issues.
"
"Answer:
MAC filtering
Explanation:
To increase the security of this wireless network, you should configure Media Access Control (MAC) filtering. With this filtering, the MAC address of each network interface card (NIC) that attempts to connect to the network is checked. Only MAC addresses that are specifically allowed connection are granted connection.
When configuring MAC filtering, you should set up an access control list (ACL). Some access points also allow you to configure MAC filtering for those addresses that should be denied access. But always keep in mind that the MAC addresses will need to be entered manually. MAC filtering is easily vulnerable to spoofing because MAC address information is sent unencrypted. An attacker then discovers the address and impersonates an approved device. If a user is able to connect to a wireless network using one mobile device but not another, the most likely cause is that MAC filtering is enabled. MAC filtering can be used to both allow access and deny access. The following examples are both types of entries on a router: PERMIT 0A:1:FA:B1:03:37 and DENY 01:33:7F:AB:10:AB.
A service-set identifier (SSID) broadcast actually decreases security in a wireless network. If the SSID is broadcast, any wireless NICs in the proximity can locate the network. If you disable SSID broadcast, you increase the security of your network, and users will have to type the SSID to connect. However, it does not prevent invalid devices from connecting to the network.
War driving is a technique used to discover wireless networks. Once intruders locate your wireless network, they attempt to hack into your system.
Rogue access points are wireless access points that have been connected to your network without authorization. This decreases the security of your network. A site scan can be used to
determine if you have rogue access points. For example, if your company is located in a building with three wireless networks, you have a rogue access point if a quarterly scan showed the following results:
CorpPrivate - Connected Channel 1 - 70dbm
CorpPublic - Connected Channel 5 - 80dbm
CorpResearch - Connected Channel 3 - 75dbm
CorpDev - Connected Channel 6 - 95dbm
Radio frequency interference (RFI) can cause wireless network problems. It can come from cordless phones,
microwaves, and other equipment. For example, if your wireless network is frequently dropping connections, you could have a cordless phone interfering with the wireless access point.
"
"Answer:
An NIDS analyzes encrypted information.
Explanation:
The primary disadvantage of an NIDS is its inability to analyze encrypted information. For example, the packets that traverse through a Virtual Private Network (VPN) tunnel cannot be analyzed by the
NIDS. An NIDS would most likely be used to detect, but not react to, behavior on the network.
An NIDS can monitor either a complete network or some portions of a segregated network. It remains passive while acquiring the network data. For example, an intrusion detection system (IDS) can monitor real-time traffic on the internal network or a de-militarized zone (DMZ). In a DMZ, public servers, such as e-mail, DNS, and FTP servers, are hosted by an organization to segregate these public servers from the internal network. An NIDS monitors real-time traffic over the network, captures the packets, and analyzes them either through a signature database or against the normal traffic pattern behavior to ensure that there are no intrusion attempts or malicious threats. NIDS finds extensive commercial implementation in most organizations. An NIDS can help identify smurf attacks.
NIDS does not monitor specific workstations. A host-based IDS (HIDS) monitors individual workstations
on a network. An intrusion detection agent should be installed on each individual workstation of a network segment to monitor any security breach attempt on a host.
"
"
Answer:
Periodically complete a site survey.
Explanation:
You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. Site surveys generally produce information on the types of systems in use, the protocols in use,
and other critical information. You need to ensure that hackers cannot use site surveys to obtain this information. To protect against unauthorized site surveys, you should change the default Service Set Identifier (SSID) and disable SSID broadcasts. Immediately upon discovering a wireless access point using a site survey, you should physically locate the device and disconnect it. Site surveys are also used to analyze antenna placement.
To ensure that no unauthorized wireless access points are established, you should not change the two wireless networks to WPA2. This would increase the security for the two networks and prevent hackers from accessing the networks. However, it would not prevent an attacker from setting up a new wireless access point.
You should not disable SSID broadcasts for the two wireless networks to ensure that no unauthorized wireless access points are established. The reason you would disable SSID broadcasts is to protect a wireless network from hackers and to prevent unauthorized site surveys. Disabling the SSID broadcast on an existing network CANNOT prevent the establishment of new wireless access points.
When adding a new access point, you should ensure that you correctly configure the new access point, especially if other wireless access points are already in use in the area. If a new access point has intermittent problems with users connecting successfully and then being disconnected, the new access point could be interfering with an old access point. You would need to reconfigure the new access point.
There are three main types of site surveys:
Passive - a site survey application passively listens to wireless traffic to detect access points and measure signal strength and noise level. However, the wireless adapter being used for a survey is not associated with any WLANs. For system design purposes, one or more temporary access points are deployed to identify and quantify access point locations.
Active - the
wireless adapter is associated with one or several access points to measure round-trip time, throughput rates, packet loss, and retransmissions. Active surveys are used to troubleshoot wireless networks or to verify performance post-deployment.
Predictive - a model of the RF environment, including location and RF characteristics of barriers like walls or large objects, is created using simulation tools. Therefore, temporary access points or signal sources can be used to gather information on
propagation in the environment. The value of a predictive survey as a design tool versus a passive survey done with only a few access points is that modeled interference can be taken into account in the design."
"
Answer:
Permit all inbound TCP connections.
Explanation:
The Permit all inbound TCP connections filter will most likely result in a security breach. This rule is one you will not see in most firewall configurations. By simply
allowing all inbound TCP connections, you are not limiting remote hosts to certain protocols. Security breaches will occur because of this misconfiguration. You should only allow those protocols that are needed by remote hosts, and drop all others.
In most cases, permitting all traffic to and from local hosts is a common firewall rule. If you configure firewall rules regarding local host traffic, you should use extreme caution. It is hard to predict the type of traffic originating with your local hosts. If you decide to drop certain types of traffic, users may complain about being unable to reach remote hosts.
Limiting certain types of traffic, such as SSH and SMTP traffic, to certain computers is a common firewall configuration. By using this type of rule, you can protect the other computers on your network from security breaches using those protocols or ports.
Other common firewall packet filters include dropping inbound packets with the Source Routing option set, dropping router information exchange protocols, and dropping inbound packets with an internal source IP address. For the most part, filters blocking outbound packets with a specific external destination IP address are not used.
Any time rules are implemented on a network, you are using rules-based management. With these rules, you specifically allow or deny traffic based on IP address, MAC address, protocol used, or some other factor"
"
Answer:
Software as a Service
Explanation:
You should use Software as a Service (SaaS) to deploy the suite of applications. This will ensure on-demand, online access to the suite without the need for local installation. Another example of this type of cloud computing deployment is when a company needs to give employees access to a database but cannot invest in any more servers. WebMail is an example of this cloud computing type.
Virtualization hosts one or more operating systems (OSs) within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware and allows multiple OSs to work simultaneously on the same hardware. Virtualization would not be the best choice here because it would limit the number of users who could access the application suite. In addition, the performance of the virtual machine would decline as more users simultaneously access the application suite.
Platform as a Service (PaaS) is not the best choice here. PaaS is a platform that provides not only a deployment platform but also a value added solution stack and an application development platform. It provides customers with an operating system that is easy to configure. It is on-demand computing for customers.
Infrastructure as a Service (IaaS) is not the best choice in this situation. IaaS is a platform that provides computer and server infrastructure typically provided as a virtualization environment. The platform would provide the ability for consumers to scale their infrastructure up or down by demand and pay for the resources consumed. This cloud computing model provides the greatest flexibility but requires a greater setup and maintenance overhead than the other cloud computing models.
Cloud computing has three main models: SaaS, PaaS, and IaaS. The security control that is lost when using cloud computing is physical control of the data. The main difference between virtualization and cloud computing is location and ownership of the physical components. When virtualization is used, a company uses their own devices to set up a virtual machine. When cloud computing is used, a company pays for access to another company's devices.
Other cloud technologies that you need to be familiar with include the following:
Private cloud - a cloud infrastructure operated solely for a single organization that can be managed internally or by a third party, and hosted internally or externally
Public cloud - when the cloud is
rendered over a network that is open for public use
Community cloud - shares infrastructure between several organizations from a specific community that can managed internally or by a third party, and hosted internally or externally
Hybrid cloud - two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models
"