Pass the ISC ISC 2 Credentials SSCP Questions and answers with CertsForce

ARP interrogates the network by sending out a broadcast seeking a network node that has a specific IP address, and asks it to reply with its hardware address. A broadcast message is sent to everyone whether or not the message was requested. A traditional unicast is a "one-to-one" or "narrowcast" message. A multicast is a "one-to-many" message that is traditionally only sent to those machine that requested the information. Semicast is an imposter answer.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.

Any opening of an internal network to the Internet is susceptible of creating a new vulnerability.

Of the given rules, the one that permits all inbound tcp connections is the less likely to be used since it amounts to almost having no firewall at all, tcp being widely used on the Internet.

Reference(s) used for this question:

ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 409).

The data link layer contains the Logical Link Control sublayer and the Media Access Control (MAC) sublayer.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 83).

A SOCKS based server operates at the Session layer of the OSI model.

SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. SOCKS is an abbreviation for "SOCKetS". As of Version 5 of SOCK, both UDP and TCP is supported.

One of the best known circuit-level proxies is SOCKS proxy server. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of a SOCKS Server, without requiring direct “IP-reachability”

The protocol was originally developed by David Koblas, a system administrator of MIPS Computer Systems. After MIPS was taken over by Silicon Graphics in 1992, Koblas presented a paper on SOCKS at that year's Usenix Security Symposium and SOCKS became publicly available. The protocol was extended to version 4 by Ying-Da Lee of NEC.

SOCKS includes two components, the SOCKS server and the SOCKS client.

The SOCKS protocol performs four functions:

Making connection requests

Setting up proxy circuits

Relaying application data

Performing user authentication (optional)

Source:

KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 96).

and

http://en.wikipedia.org/wiki/SOCKS

and

http://www.faqs.org/rfcs/rfc1928.html

and

The ISC2 OIG on page 619

Ethernet is frame based network technology.

See below a few definitions from RFC 1122:

SEGMENT

A segment is the unit of end-to-end transmission in the TCP protocol. A segment consists of a TCP header followed by application data. A segment is transmitted by encapsulation inside an IP datagram.

PACKET

A packet is the unit of data passed across the interface between the internet layer and the link layer. It includes an IP header and data. A packet may be a complete IP datagram or a fragment of an IP datagram.

FRAME

A frame is the unit of transmission in a link layer protocol, and consists of a link-layer header followed by a packet.

The following answers are incorrect:

Ethernet segment. Is incorrect because Ethernet segment is a distractor, TCP segment would be the correct terminology. Ethernet is a frame based network technology,

Ethernet datagram. Is incorrect because Ethernet datagram is a distractor, IP datagram would be the correct terminology. Ethernet is a frame based network technology

Ethernet packet. Is incorrect because Ethernet packet is a distractor, a Packet is a group of information so would not be a "single unit". Ethernet is a frame based network technology.

Look at the diagrams below that were extracted from my Security+ Computer Based Tutorial.

TCP/IP Data Structures

IMPORTANT NOTE:

The names used on the diagram above are from RFC 1122 which describe the DOD Model.

Vendors and Books may use slightly different names or even number of layers.

TCP/IP Data Structure

The following Reference(s) were used for this question:

Wikipedia http://en.wikipedia.org/wiki/Ethernet

Remotre Procedure Call (RPC) is the only of the above choices to operate at the session layer (layer 5).

All of the other answers were wrong.

LPD operates at layer 7

SPX operates at layer 4

IGMP operates at layer 3.

Firewall rules can be used to enable access for traffic to specific ports or services. "Service numbers" is rather stilted English but you may encounter these types of wordings on the actual exam -- don't let them confuse you.

"Only unauthorized application port or service numbers" is incorrect. Unauthorized ports/services would be blocked in a properly installed firewall rather than permitting access.

"Only authorized application port or ex-service numbers" is incorrect. "Ex-service" numbers is a nonsense term meant to distract you.

"Only authorized application port or service integers." While service numbers are in fact integers, the more usual (and therefore better) answer is either service or "service number."

References

CBK, p. 464

AIO3, pp. 482 – 484

A server cluster is a group of independent servers, which are managed as a single system, that provides higher availability, easier manageability, and greater scalability.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 67.

IEEE 802.3 specifies the standard for Ethernet and uses CSMA/CD, not token-passing.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 104).

A network topology defines the manner in which the network devices are organized to facilitate communications. Common LAN technologies are:

bus

ring

star

meshed

LAN transmission methods refer to the way packets are sent on the network and are:

unicast

multicast

broadcast

LAN transmission protocols are the rules for communicating between computers on a LAN. Common LAN transmission protocols are:

CSMA/CD

polling

token-passing

LAN media access methods control the use of a network (physical and data link layers). They can be:

Ethernet

ARCnet

Token ring

FDDI

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 105).

One the most secure implementations of firewall architectures is the screened-subnet firewall. It employs two packet-filtering routers and a bastion host. Like a screened host firewall, this firewall supports both packet-filtering and proxy services.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 93).

This the best of the four answers as a defense that depends on multiple layers is superior to one where all protection is embedded in a single layer (e.g., a firewall). Defense in depth would include all categories of controls.

The Following answers are incorrect:

"Concept of a pass through device that only allows certain traffic in and out" is incorrect. This is one definition of a firewall which can be a component of a defense in depth strategy in combination with other measures.

"Concept of preventative controls" is incorrect. This is a component of a defense in depth strategy but the core concept is that there must be multiple layers of defenses.

"Concept of defensive controls" is incorrect. This is a component of a defense in depth strategy but the core concept is that there must be multiple layers of defenses.

References:

http://en.wikipedia.org/wiki/Defense_in_depth_(computing)

http://www.nsa.gov/snac/support/defenseindepth.pdf

Bridges are simple, protocol-dependent networking devices that are used to connect two or more homogeneous LANs to form an extended LAN.

A bridge does not change the contents of the frame being transmitted but acts as a relay.

A gateway is designed to reduce the problems of interfacing any combination of local networks that employ different level protocols or local and long-haul networks.

A router connects two networks or network segments and may use IP to route messages.

Firewalls are methods of protecting a network against security threats from other systems or networks by centralizing and controlling access to the protected network segment.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 7: Telecommunications and Network Security (page 397).

Ports 1024 to 49151 has been defined as REGISTERED PORTS by IANA.

A registered port is a network port (a sub-address defined within the Internet Protocol, in the range 1–65535) assigned by the Internet Assigned Numbers Authority (IANA) (or by Internet Corporation for Assigned Names and Numbers (ICANN) before March 21, 2001) for use with a certain protocol or application.

Ports with numbers lower than those of the registered ports are called well known ports; ports with numbers greater than those of the registered ports are called dynamic and/or private ports.

Ports 0-1023 - well known ports

Ports 1024-49151 - Registered port: vendors use for applications

Ports >49151 - dynamic / private ports

The other answers are not correct

Reference(s) used for this question:

http://en.wikipedia.org/wiki/Registered_port

If the protocol field has a value of 1 then it would indicate it was ICMP.

The following answers are incorrect:

TCP. Is incorrect because the value for a TCP protocol would be 6.

UDP. Is incorrect because the value for an UDP protocol would be 17.

IGMP. Is incorrect because the value for an IGMP protocol would be 2.

Token Ring was designed to be a more fault-tolerant topology than Ethernet, and can be a very resilient topology when properly implemented.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 72.

This is a valid Class A reserved address. For Class A, the reserved addresses are 10.0.0.0 - 10.255.255.255.

The following answers are incorrect:

11.0.42.5 Is incorrect because it is not a Class A reserved address.

12.0.42.5 Is incorrect because it is not a Class A reserved address.

13.0.42.5 Is incorrect because it is not a Class A reserved address.

The private IP address ranges are defined within RFC 1918:

RFC 1918 private ip address range

References:

3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

AIOv3 Telecommunications and Networking Security (page 438)

Infrared is generally considered to be more secure to eavesdropping than multidirectional radio transmissions because infrared requires direct line-of-sight paths.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 173).

RFC 2828 (Internet Security Glossary) defines OAKLEY as a key establishment protocol (proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP.

ISAKMP is an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.

SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

ISAKMP provides a framework for authentication and key exchange but does not define them. ISAKMP is designed to be key exchange independant; that is, it is designed to support many different key exchanges.

Oakley and SKEME each define a method to establish an authenticated key exchange. This includes payloads construction, the information payloads carry, the order in which they are processed and how they are used.

Oakley describes a series of key exchanges-- called modes and details the services provided by each (e.g. perfect forward secrecy for keys, identity protection, and authentication).

SKEME describes a versatile key exchange technique which provides anonymity, repudiability, and quick key refreshment.

RFC 2049 describes the IKE protocol using part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI.

While Oakley defines "modes", ISAKMP defines "phases". The relationship between the two is very straightforward and IKE presents different exchanges as modes which operate in one of two phases.

Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA). "Main Mode" and "Aggressive Mode" each accomplish a phase 1 exchange. "Main Mode" and "Aggressive Mode" MUST ONLY be used in phase 1.

Phase 2 is where Security Associations are negotiated on behalf of services such as IPsec or any other service which needs key material and/or parameter negotiation. "Quick Mode" accomplishes a phase 2 exchange. "Quick Mode" MUST ONLY be used in phase 2.

References:

CISSP: Certified Information Systems Security Professional Study Guide By James Michael Stewart, Ed Tittel, Mike Chappl, page 397

RFC 2049 at: http://www.ietf.org/rfc/rfc2409

SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

The All-in-one CISSP Exam Guide, 3rd Edition, by Shon Harris, page 674

The CISSP and CAP Prep Guide, Platinum Edition, by Krutz and Vines

A certification authority (CA) is a third party entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate. An issuing authority could be considered a correct answer, but not the best answer, since it is too generic.

Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.