Saturday 21 April 2018

Hubs, switches and routers all work at Layer 1 of the OSI seven-layer model.

36. (p. 330) Hubs, switches and routers all work at Layer 1 of the OSI seven-layer model.
FALSE

37. (p. 343) When you combine a switch and a router into one device, you have more than just a switch and a router.
TRUE

38. (p. 351) CompTIA defines the following as logical network topologies: client/server, peer-to-peer, VPN, and VLAN.
TRUE

39. (p. 332) In a peer-to-peer network, any system acts as a server or client, but no one system can be both.
FALSE

40. (p. 334) Before secure methods were created for making remote connections over the Internet, the biggest drawback to private remote connections was the cost to connect.
TRUE

41. (p. 333) Microsoft Exchange is an example of a dedicated e-mail client.
FALSE

42. (p. 337) Every recent operating system's VPN client fully supports L2TP/IPSec VPNs.
TRUE

43. (p. 337) L2TP natively includes authentication and encryption.
FALSE

44. (p. 339) The preset IP address in a managed switch is assigned to a single port.
FALSE

45. (p. 344) In DNS load balancing, all Web servers share the same IP address.
FALSE

46. (p. 338) The default VLAN that every port on a new switch is preset to is VLAN0.
TRUE

47. (p. 341) InterVLAN routing is the process of routing between two VLANs.
TRUE

48. (p. 341) VLAN Trunk Protocol (VTP) is used on large networks with many VLANS to manually update switches.
FALSE

49. (p. 337) SSL VPNs require special client software to work.
FALSE

50. (p. 339) On Layer 2 switches, ports do not have IP addresses.
TRUE

Fill in the Blank Questions

51. (p. 331) The earliest networks use a(n) _______________ logical network topology model.
client/server

52. (p. 330) A hub works at Layer _______________ of the OSI seven-layer model.
one (1)

53. (p. 342) A(n) _______________ works at multiple layers of the OSI seven-layer model.
multilayer switch

54. (p. 330) Ethernet networks employ a hybrid star-bus topology, for example, with a(n) __________ star and a(n) _________ bus.
physical; logical

55. (p. 331) _______________ systems on a client/server network never functioned as servers.
client

56. (p. 332) In a client/server network, each server has its _______________, which it uses to authenticate users.
database of user names and passwords

57. (p. 333) Outlook is a(n) _______________ mail client, and as such cannot be a mail server.
dedicated

58. (p. 334) An encrypted tunnel must have _______________ where the data is encrypted and decrypted.
endpoints

59. (p. 333) _______________ is a popular file-sharing protocol, although people think of it as being only an application.
BitTorrent

60. (p. 334) A computer connecting remotely to a LAN via a VPN must be on the same network, meaning that it must have the same _______________ as all the other hosts on the LAN.
network ID

61. (p. 335) A virtual NIC on the client side of a PPTP VPN will send a(n) _______________ in order to obtain an IP address on the private network at the opposite endpoint.
DHCP query

62. (p. 337) An L2TP VPN often uses _______________ for all its security needs.
IPSec

63. (p. 337) Most LANs of any size today operate as a(n) _______________.
VLAN

64. (p. 338) A(n) _______________, configured into two VLANs, is the simplest form of VLAN.
single switch

65. (p. 339) Cisco's proprietary form of trunking is called _______________.
Inter-Switch Link (ISL)

66. (p. 339) A(n) _______________ is any switch that you can access and configure.
managed switch

67. (p. 339) Out of the box, a managed switch has a preset _______________.
IP address

68. (p. 340) VLANs based on ports are commonly known as _______________ VLANs.
static

69. (p. 341) Each VLAN in a switch is its own _______________.
broadcast domain

70. (p. 343) _______________ is CompTIA's term for advanced networking devices.
specialized network devices

71. (p. 343) When multiple servers are made to look like a single server, they are collectively called a(n) _______________.
server cluster

72. (p. 343) When requests to a group of identical servers are distributed evenly so that no one server carries too much of the burden of the traffic, this is called _______________.
load balancing

73. (p. 345) A(n) _______________ works at least at Layer 7, reading incoming HTTP and HTTPS requests, and performing many functions, including load balancing.
content switch

74. (p. 346) _______________ is synonymous with traffic shaping.
bandwidth shaping

75. (p. 345) _______________ involves policies to prioritize traffic based on certain rules controlling the bandwidth used by certain devices or applications.
Quality of Service (QoS)

76. (p. 346) A(n) _______________ is an application that inspects incoming packets for the purpose of finding and blocking active intrusions.
intrusion detection system (IDS)

77. (p. 347) Port mirroring is like having a fully configurable _______________.
promiscuous port

78. (p. 339) While you can configure many switches via a serial port, most switches have a built-in _______________, accessed via an IP address.
Web server

79. (p. 339) Your network includes a mix of switches from Cisco and other major switch manufacturers. In order to perform trunking across all these switches, they must all support the _______________ trunk standard.
802.1Q

80. (p. 349) _______________ is an advanced switch feature that requires network devices to authenticate themselves.
port authentication

81. (p. 336) In a(n)_______________, a single computer logs into a remote network and becomes, for all intents, a member of that network.
client-to-site connection

82. (p. 337) A site-to-site VPN connection uses a(n) __________.
VPN concentrator

83. (p. 338) When you buy a new VLAN-capable switch and plug it in, every port on that switch is preset to __________.
VLAN0

84. (p. 347) An IPS on a network is called a(n) __________.
network intrusion prevention system (NIPS)

85. (p. 341) __________ is a proprietary Cisco protocol that automates updating multiple VLAN switches.
VLAN Trunk Protocol (VTP)

Essay Questions

86. (p. 331) Explain the classic client/server model, and why it worked so well. 
A server in a client/server model is dedicated to providing services over the network, while not allowing normal users to sit at the server keyboard and run ordinary user apps. These servers worked so well because all they did was run serving software, which included the security database for user authentication and authorization.

87. (p. 330) Define logical network topology, per the CompTIA view. 
A logical network topology is the way in which the many systems on a network are organized to send data to each other.

88. (p. 337) Compare a unicast to a broadcast. 
A unicast is a message sent to a single destination, while a broadcast is a message sent to all hosts in the broadcast domain, which would include all computers connected to a single switch (without VLANs).

89. (p. 331-332) Compare the overall security of the classic client/server and peer-to-peer models. 
The classic client/server model had strong security, while the classic peer-to-peer model had much lower security.

90. (p. 333) Briefly describe the status of client/server and peer-to-peer today. 
Today, every modern operating system has moved away from the classic client/server or peer-to-peer models, and they all have the capability to act as a server or a client, but unlike the classic peer-to-peer model, modern networks have robust security, provided through the use of user accounts and permissions, and more.

91. (p. 331) Describe what a client could see on a network in a traditional client/server environment. 
A client in a traditional client-server environment could only see the server (or servers), not any other clients.

92. (p. 335) In designing PPTP, where did Microsoft intend that the two endpoints of a VPN should be? 
In their design of PPTP, Microsoft intended that one end of a VPN should be on a client computer, and the other endpoint should be a special remote access server program, Routing and Remote Access Service (RRAS), running on a server.

93. (p. 343) Provide a simple statement that is true of most of today's networking boxes/devices regarding the OSI seven-layer model. 
Most of today's networking boxes work at more than one layer of the OSI seven-layer model.

94. (p. 342) What does the term multilayer switch describe? 
This term describes a network device that is more than a router that simply works at Layer 3 of the OSI model, and more than a switch, working at Layer 2. This single device works at multiple layers.

95. (p. 343) Compare the terms switchport and router port.
A multilayer switch needs some option or feature for configuring ports to work at Layer 2 or Layer 3. Cisco uses the terms switchport and router port to differentiate between the two types of port. You can configure any port on a multilayer switch to act as a switchport or a router port, depending on your needs.

96. (p. 335-336) You are sitting at a client computer connected via a PPTP VPN over the Internet to your employer's private LAN. When you open a browser on your desktop and browse the Internet, describe in simple terms the path the packets will travel from your computer to the Internet. 
The packets from my computer will first travel across the Internet via the VPN connection to the private LAN, and then they are sent out the default gateway of the LAN to the Internet, on to whatever site I browse to.

97. (p. 335-336) Compare PPTP and L2TP. 
While Point-to-Point Tunneling Protocol (PPTP) was designed mainly as a tunneling protocol between a single client and a private LAN, achieved mainly with software, Layer 2 Tunneling Protocol (L2TP) supports many types of connections and has the endpoint exist on a VPN-capable router (a VPN concentrator), working at Layer 2, rather than having an endpoint be a server program. While PPTP has authentication and encryption, L2TP has no authentication or encryption built in, and relies on other protocols, such as IPSec, for security.

98. (p. 336) Describe how a single client might connect via L2TP to a private LAN. 
Cisco, who designed the L2TP protocol, provides free client software to allow individual computers to connect via L2TP to a private LAN.

99. (p. 336) Describe how two LANs can connect via L2TP. 
Two LANs can connect via L2TP if each has a Cisco VPN concentrator.

100. (p. 337) What is meant by a pure IPSec tunnel?
Presently, L2TP tunnels using IPSec for security are common, but a pure IPSec tunnel would be one that uses only IPSec in tunnel mode for both the tunnel creation and security.

101. (p. 337) Explain in general terms what it means to create a VLAN. 
Creating a VLAN means to take a single physical broadcast domain and to chop it up into multiple virtual broadcast domains.

102. (p. 338) How are VLANs typically named? 
VLANs are typically named "VLAN" plus a number, for example: VLAN1 or VLAN300.

103. (p. 338) If the computers in a VLAN are defined by their MAC address, what happens if someone moves the cable for that computer, plugging it into a different port on the switch? 
Nothing will change because the computer will still have the same MAC address, which is what is being used to determine its VLAN membership.

104. (p. 338) Define trunking. 
Trunking is the process of moving VLAN data between two or more switches in such a way that it allows a single VLAN to span two or more switches.

105. (p. 342) Determine and explain the layer or layers of the OSI model at which a switch operates if it provides switching and routing between VLANs. 
As a switch, this device operates at Layer 2, but as a router, it operates at Layer 3 of the OSI model.

106. (p. 343) Define load balancing.
Load balancing is making many servers appear to be one, and also making sure that requests to these servers are distributed evenly to avoid overloading a single server.

107. (p. 344) Describe a shortcoming of using DNS for load balancing of Web servers. 
A shortcoming of using DNS for load balancing is that it relies on multiple Web servers, each with its own IP address. Then, because Web clients save recently resolved addresses, the next time a client wants to access the same (Web) server, it will check its cache, skipping the DNS and the round robin.

108. (p. 344-345) Describe some of the tasks that a Layer 7 content switch will perform that makes it a very powerful load-balancing tool. 
A Layer 7 content switch will act as both a NAT router and port forwarder, which are just the beginning of the power of this device. Some content switches work with Web servers, reading the incoming HTTP and HTTPS requests and doing many advanced actions, such as handling SSL certificates and cookies, rather than having the Web server handle these tasks.

109. (p. 347) Describe port mirroring as performed on a switch. 
A switch that can perform port mirroring allows an administrator to mirror, or copy, all the traffic from some or all ports to a single port. Then an administrator can inspect all the packets going to or from the selected computers.

110. (p. 347) Compare the functions of an intrusion detection system (IDS) and an intrusion prevention system (IPS), including their normal relationship. 
You can use an IDS and an IPS together for better protection. While an IDS detects intrusions from several sources, an IPS adds the ability to react to an attack.

111. (p. 347) Define and compare a network-based IDS (NIDS) with a host-based IDS (HIDS). 
A NIDS includes several intrusion sensors located around the network—often on one or both sides of a gateway router. The sensors report to a central application that interprets the data to detect unusual activity. A HIDS is software that runs on individual systems, monitoring events, such as system or registry changes. A well-protected network will employ both a NIDS and a HIDS.

112. (p. 342) Provide a simple definition of a switch. 
A switch is any device that forwards traffic based on packet contents.

113. (p. 348) Provide three reasons for using a proxy server. 
One reason for using a proxy server is to keep a Web server from knowing where the client computer is located. Another reason is for better performance, resulting from caching on the proxy server. The third reason is security, because some proxy servers inspect the contents, looking for inappropriate contents, viruses/malware, and so on.

114. (p. 345 and 348) Compare a content switch with a proxy server. 
A content switch takes the load off Web servers, by performing many of the functions required of a Web server responding to HTTP and HTTPS requests. For instance, a content switch may handle SSL certificates and cookies for the Web servers, passing cookies to Web clients, and ensuring that when the Web client returns, its requests are directed to the same Web server. While a content switch benefits Web servers, a proxy server benefits Web clients, effectively hiding the individual host addresses from the Internet, and caching Web pages to speed up subsequent browsing requests.

115. (p. 348-349) Explain what a proxy server does. 
It is best to explain this using a specific type of proxy server—an HTTP proxy server. A proxy server redirects all client requests for HTTP or HTTPS. The proxy server forwards Web client requests to Web servers, and forwards the returning packets to the requesting client. Therefore, the client is never directly communicating with Web servers on the Internet.

116. (p. 337) Describe SSL VPNs, and compare the two most common types. 
SSL VPNs work by using Secure Sockets Layer (SSL), and work at the Transport layer. They do not require any special client software; rather, they connect using any Web browser. The traffic is secured using SSL. The two most common types are SSL portal and SSL tunnel VPNs.
SSL portal VPNs: A client accesses the VPN and is presented with a secure Web page. The user is able to access anything on that page, such as e-mail, data, links, and so on.
SSL tunnel VPNs: The client browser runs an active control, such as Java or Flash, which enables much greater access to VPN-connected networks and creates a more typical client-to-site connection than SSL portal VPNs. The user must have sufficient permissions to run active browser controls.

117. (p. 341) Describe VLAN Trunk Protocol (VTP). 
VTP is a proprietary Cisco protocol that automates updating multiple VLAN switches. In larger networks with many VLANS, it would require a LOT of manual updates, so VTP is used to make the process easier and more efficient. VTP puts switches into one of three states: server, client, or transparent. When updating configuration of the Server switch, VTP updates all other switches in the Client state within a few minutes. Transparent switches do not update; they keep their manual configurations.

118. (p. 337) Describe site-to-site VPNs. 
Site-to-site VPNs are used to connect two LANs separated by a WAN or the cloud, such as a branch office to a main office. They use a device called a VPN concentrator to achieve this. They are much slower, but cheaper, than a dedicated leased line between LANS.

119. (p. 336) Describe Layer 2 Forwarding (L2F). 
Cisco made hardware that supported PPP traffic using a proprietary protocol called Layer 2 Forwarding (L2F). L2F did not come with encryption capabilities, so it was combined with PPTP and replaced by L2TP a very long time ago.

120. (p. 346) Differentiate between HIDS and NIDS.
Many network technicians refer to an IDS system by either its location on the network—thus NIDS or HIDS—or by what the IDS system does in each location. The network-based IDS scans the entire network using signature files, thus it is a network IDS. A host-based IDS watches for suspicious behavior on individual hosts.
