ISC SSCP practice test

Systems Security Certified Practitioner Exam

Last exam update: May 15, 2024
Page 1 out of 72. Viewing questions 1-15 out of 1076

Question 1

Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?

  • A. Web Applications
  • B. Intrusion Detection Systems
  • C. Firewalls
  • D. DNS Servers
Answer:

A


Explanation:
XSS or Cross-Site Scripting is a threat to web applications where malicious code is placed on a
website that attacks the user using their existing authenticated session.
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected
into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an
attacker uses a web application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and
occur anywhere a web application uses input from a user in the output it generates without
validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser
has no way to know that the script should not be trusted, and will execute the script. Because it
thinks the script came from a trusted source, the malicious script can access any cookies, session
tokens, or other sensitive information retained by your browser and used with that site. These scripts
can even rewrite the content of the HTML page.
Mitigation:
Configure your IPS - Intrusion Prevention System to detect and suppress this traffic.
Input Validation on the web application to normalize inputted data.
Set web apps to bind session cookies to the IP Address of the legitimate user and only permit that IP
Address to use that cookie.
See the XSS (Cross Site Scripting) Prevention Cheat Sheet
See the Abridged XSS Prevention Cheat Sheet
See the DOM based XSS Prevention Cheat Sheet
See the OWASP Development Guide article on Phishing.
See the OWASP Development Guide article on Data Validation.
The following answers are incorrect:
Intrusion Detection Systems: Sorry. IDS systems aren't usually the target of XSS attacks, but a
properly-configured IDS/IPS can detect and report on malicious strings and suppress the TCP
connection in an attempt to mitigate the threat.
Firewalls: Sorry. Firewalls aren't usually the target of XSS attacks.
DNS Servers: Same as above, DNS Servers aren't usually targeted in XSS attacks but they play a key
role in the domain name resolution in the XSS attack process.
The following references were used to create this question:
CCCure Holistic Security+ CBT and Curriculum
and
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
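As an added example (not from the original page or the OWASP cheat sheets it cites), the Python below shows the flaw described above, a user-supplied value written into HTML output without encoding, next to the output-encoded form, plus a small allow-list validator; the input string, the field names and the username rules are constructed for the demonstration.

```python
import html
import re

# Constructed sample of user-supplied input containing markup that must never be
# interpreted by the browser when it is reflected back into the page.
UNTRUSTED_INPUT = "<script>alert(1)</script>"


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: the user's input is written straight into the HTML
    body, so any tags it contains become part of the page the browser runs."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Hardened pattern: the input is HTML-encoded for the body and (with
    quote=True) for a quoted attribute value before it reaches the output."""
    encoded = html.escape(query, quote=True)
    return (f"<p>Results for: {encoded}</p>"
            f'<input type="text" name="q" value="{encoded}">')


_TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def reflects_raw_markup(rendered: str, user_input: str) -> bool:
    """Simple check for the flaw: does any tag taken from the user's input
    survive unencoded in the rendered page?"""
    user_tags = set(_TAG_RE.findall(user_input))
    return any(tag in rendered for tag in user_tags)


# Allow-list validation for a field whose legal values are known in advance
# (hypothetical username field; the rules are constructed for the demonstration).
_USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> bool:
    """Rejects anything outside the allow-listed character set and length."""
    return _USERNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    unsafe = render_unsafe(UNTRUSTED_INPUT)
    safe = render_safe(UNTRUSTED_INPUT)
    print("unsafe output reflects markup:", reflects_raw_markup(unsafe, UNTRUSTED_INPUT))
    print("safe output reflects markup:  ", reflects_raw_markup(safe, UNTRUSTED_INPUT))
```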


Question 2

What is malware that can spread itself over open network connections?

  • A. Worm
  • B. Rootkit
  • C. Adware
  • D. Logic Bomb
Answer:

A


Explanation:
Computer worms are also known as Network Mobile Code, or a virus-like bit of code that can
replicate itself over a network, infecting adjacent computers.
A computer worm is a standalone malware computer program that replicates itself in order to spread
to other computers. Often, it uses a computer network to spread itself, relying on security failures on
the target computer to access it. Unlike a computer virus, it does not need to attach itself to an
existing program. Worms almost always cause at least some harm to the network, even if only by
consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted
computer.
A notable example is the SQL Slammer computer worm that spread globally in ten minutes on
January 25, 2003. I myself came to work that day as a software tester and found all my SQL servers
infected and actively trying to infect other computers on the test network.
A patch had been released a year prior by Microsoft, and if systems were not patched and were exposed to
a 376-byte UDP packet from an infected host, the system would become compromised.
Ordinarily, infected computers are not to be trusted and must be rebuilt from scratch but the
vulnerability could be mitigated by replacing a single vulnerable dll called sqlsort.dll.
Replacing that with the patched version completely disabled the worm which really illustrates to us
the importance of actively patching our systems against such network mobile code.
The following answers are incorrect:
- Rootkit: Sorry, this isn't correct because a rootkit isn't ordinarily classified as network mobile code
like a worm is. This isn't to say that a rootkit couldn't be included in a worm, just that a rootkit isn't
usually classified like a worm. A rootkit is a stealthy type of software, typically malicious, designed to
hide the existence of certain processes or programs from normal methods of detection and enable
continued privileged access to a computer. The term rootkit is a concatenation of "root" (the
traditional name of the privileged account on Unix operating systems) and the word "kit" (which
refers to the software components that implement the tool). The term "rootkit" has negative
connotations through its association with malware.
- Adware: Incorrect answer. Sorry but adware isn't usually classified as a worm. Adware, or
advertising-supported software, is any software package which automatically renders
advertisements in order to generate revenue for its author. The advertisements may be in the user
interface of the software or on a screen presented to the user during the installation process. The
functions may be designed to analyze which Internet sites the user visits and to present advertising
pertinent to the types of goods or services featured there. The term is sometimes used to refer to
software that displays unwanted advertisements.
- Logic Bomb: Logic bombs like adware or rootkits could be spread by worms if they exploit the right
service and gain root or admin access on a computer.
The following references were used to create this question:
The CCCure
CompTIA Holistic Security+ Tutorial and CBT
and
http://en.wikipedia.org/wiki/Rootkit
and
http://en.wikipedia.org/wiki/Computer_worm
and
http://en.wikipedia.org/wiki/Adware


Question 3

Java is not:

  • A. Object-oriented.
  • B. Distributed.
  • C. Architecture Specific.
  • D. Multithreaded.
Answer:

C


Explanation:
Java was developed so that the same program could be executed on multiple hardware and
operating system platforms; it is not architecture specific.
The following answers are incorrect:
Object-oriented. Is not correct because Java is object-oriented; it uses the object-oriented
programming methodology.
Distributed. Is incorrect because Java was developed to be distributed, i.e. to run on multiple
computer systems over a network.
Multithreaded. Is incorrect because Java is multithreaded; that is, it supports concurrent calls to
subroutines, as is the case with object-oriented programming.
A virus is a program that can replicate itself on a system but not necessarily spread itself by network
connections.


Question 4

What best describes a scenario when an employee has been shaving off pennies from multiple
accounts and depositing the funds into his own bank account?

  • A. Data fiddling
  • B. Data diddling
  • C. Salami techniques
  • D. Trojan horses
Answer:

C


Explanation:
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page
644.


Question 5

Crackers today are MOST often motivated by their desire to:

  • A. Help the community in securing their networks.
  • B. Seeing how far their skills will take them.
  • C. Getting recognition for their actions.
  • D. Gaining Money or Financial Gains.
Answer:

D


Explanation:
A few years ago the best choice for this question would have been seeing how far their skills can take
them. Today this has changed greatly; most crimes committed are financially motivated.
Profit is the most widespread motive behind all cybercrimes and, indeed, most crimes: everyone
wants to make money. Hacking for money or for free services includes a smorgasbord of crimes such
as embezzlement, corporate espionage and being a hacker for hire. Scams are easier to undertake
but the likelihood of success is much lower. Money-seekers come from any lifestyle, but those with
persuasive skills make better con artists in the same way as those who are exceptionally tech-savvy
make better hackers for hire.
"White hats" are the security specialists (as opposed to Black Hats) interested in helping the
community secure their networks. They will test systems and networks with the owner's
authorization.
A Black Hat is someone who uses his skills for offensive purposes. They do not seek authorization
before they attempt to compromise the security mechanisms in place.
"Grey Hats" are people who sometimes work as a White Hat and other times as a Black Hat; they
have not made up their mind yet as to which side they prefer.
The following are incorrect answers:
All the other choices could be possible reasons but the best one today is really for financial gains.
References used for this question:
http://library.thinkquest.org/04oct/00460/crimeMotives.html
and
http://www.informit.com/articles/article.aspx?p=1160835
and
http://www.aic.gov.au/documents/1/B/A/%7B1BA0F612-613A-494D-B6C5-06938FE8BB53%7Dhtcb006.pdf


Question 6

What do the ILOVEYOU and Melissa virus attacks have in common?

  • A. They are both denial-of-service (DOS) attacks.
  • B. They have nothing in common.
  • C. They are both masquerading attacks.
  • D. They are both social engineering attacks.
Answer:

C


Explanation:
While a masquerading attack can be considered a type of social engineering, the Melissa and
ILOVEYOU viruses are examples of masquerading attacks, even if they may cause some kind of denial of
service due to the web server being flooded with messages. In this case, the receiver confidently
opens a message coming from a trusted individual, only to find that the message was sent using the
trusted party's identity.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
Chapter 10: Law, Investigation, and Ethics (page 650).


Question 7

Which of the following computer crime is MORE often associated with INSIDERS?

  • A. IP spoofing
  • B. Password sniffing
  • C. Data diddling
  • D. Denial of service (DOS)
Answer:

C


Explanation:
Data diddling refers to the alteration of existing data, most often before it is entered into an
application. This type of crime is extremely common and can be prevented by using appropriate
access controls and proper segregation of duties. It is more likely to be perpetrated by insiders, who
have access to data before it is processed.
The other answers are incorrect because:
IP spoofing is not correct as the question asks about the crime associated with insiders. Spoofing
is generally accomplished from the outside.
Password sniffing is also not the BEST answer as it requires a lot of technical knowledge in
understanding the encryption and decryption process.
Denial of service (DOS) is also incorrect as most denial of service attacks occur over the Internet.
Reference: Shon Harris, AIO v3, Chapter 10: Law, Investigation & Ethics, pages 758-760.


Question 8

The high availability of multiple all-inclusive, easy-to-use hacking tools that do NOT require much
technical knowledge has brought a growth in the number of which type of attackers?

  • A. Black hats
  • B. White hats
  • C. Script kiddies
  • D. Phreakers
Answer:

C


Explanation:
Script kiddies are low to moderately skilled hackers who use available scripts and tools to easily
launch attacks against victims.
The other answers are incorrect because:
Black hats is incorrect as they are malicious, skilled hackers.
White hats is incorrect as they are security professionals.
Phreakers is incorrect as they are telephone/PBX (private branch exchange) hackers.
Reference: Shon Harris, AIO v3, Chapter 12: Operations Security, page 830.


Question 9

Which virus category has the capability of changing its own code, making it harder to detect by anti-
virus software?

  • A. Stealth viruses
  • B. Polymorphic viruses
  • C. Trojan horses
  • D. Logic bombs
Answer:

B


Explanation:
A polymorphic virus has the capability of changing its own code, enabling it to have many different
variants, making it harder to detect by anti-virus software. The particularity of a stealth virus is that it
tries to hide its presence after infecting a system. A Trojan horse is a set of unauthorized instructions
that are added to or replace a legitimate program. A logic bomb is a set of instructions that is
initiated when a specific event occurs.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
chapter 11: Application and System Development (page 786).


Question 10

Virus scanning and content inspection of SMIME encrypted e-mail without doing any further
processing is:

  • A. Not possible
  • B. Only possible with key recovery scheme of all user keys
  • C. It is possible only if X509 Version 3 certificates are used
  • D. It is possible only by "brute force" decryption
Answer:

A


Explanation:
Content security measures presume that the content is available in cleartext on the central mail
server.
Encrypted e-mails have to be decrypted before they can be filtered (e.g. to detect viruses), so you need
the decryption key on the central "crypto mail server".
There are several ways to do such key management, e.g. by message or key recovery methods.
However, that would certainly require further processing in order to achieve such a goal.


Question 11

Which of the following virus types changes some of its characteristics as it spreads?

  • A. Boot Sector
  • B. Parasitic
  • C. Stealth
  • D. Polymorphic
Answer:

D


Explanation:
A Polymorphic virus produces varied but operational copies of itself in hopes of evading anti-virus
software.
The following answers are incorrect:
boot sector. Is incorrect because it is not the best answer. A boot sector virus attacks the boot sector
of a drive. It describes the type of attack of the virus and not the characteristics of its composition.
parasitic. Is incorrect because it is not the best answer. A parasitic virus attaches itself to other files
but does not change its characteristics.
stealth. Is incorrect because it is not the best answer. A stealth virus attempts to hide changes of the
affected files but not itself.


Question 12

In computing, what is the name of a non-self-replicating type of malware program containing
malicious code that appears to have some useful purpose but also contains code that has a malicious
or harmful purpose embedded in it and which, when executed, carries out actions that are unknown to the
person installing it, typically causing loss or theft of data, and possible system harm?

  • A. virus
  • B. worm
  • C. Trojan horse.
  • D. trapdoor
Answer:

C


Explanation:
A Trojan horse is any code that appears to have some useful purpose but also contains code that has
a malicious or harmful purpose embedded in it. A Trojan often also includes a trapdoor as a means to
gain access to a computer system, bypassing security controls.
Wikipedia defines it as:
A Trojan horse, or Trojan, in computing is a non-self-replicating type of malware program containing
malicious code that, when executed, carries out actions determined by the nature of the Trojan,
typically causing loss or theft of data, and possible system harm. The term is derived from the story
of the wooden horse used to trick defenders of Troy into taking concealed warriors into their city in
ancient Greece, because computer Trojans often employ a form of social engineering, presenting
themselves as routine, useful, or interesting in order to persuade victims to install them on their
computers.
The following answers are incorrect:
virus. Is incorrect because a virus is a malicious program and does not appear to be harmless; its
sole purpose is malicious intent, often doing damage to a system. A computer virus is a type of
malware that, when executed, replicates by inserting copies of itself (possibly modified) into other
computer programs, data files, or the boot sector of the hard drive; when this replication succeeds,
the affected areas are then said to be "infected".
worm. Is incorrect because a worm is similar to a virus but does not require user intervention to
execute. Rather than doing damage to the system, worms tend to self-propagate and devour the
resources of a system. A computer worm is a standalone malware computer program that replicates
itself in order to spread to other computers. Often, it uses a computer network to spread itself,
relying on security failures on the target computer to access it. Unlike a computer virus, it does not
need to attach itself to an existing program. Worms almost always cause at least some harm to the
network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify
files on a targeted computer.
trapdoor. Is incorrect because a trapdoor is a means to bypass security by hiding an entry point into a
system. Trojan horses often have a trapdoor embedded in them.
References:
http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29
and
http://en.wikipedia.org/wiki/Computer_virus
and
http://en.wikipedia.org/wiki/Computer_worm
and
http://en.wikipedia.org/wiki/Backdoor_%28computing%29


Question 13

Which of the following services is a distributed database that translates host names to IP addresses
and IP addresses to host names?

  • A. DNS
  • B. FTP
  • C. SSH
  • D. SMTP
Answer:

A


Explanation:
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services,
or any resource connected to the Internet or a private network. It associates information from
domain names with each of the assigned entities. Most prominently, it translates easily memorized
domain names to the numerical IP addresses needed for locating computer services and devices
worldwide. The Domain Name System is an essential component of the functionality of the Internet.
For your exam you should know the following general Internet terminology:
Network access point - Internet service providers access the Internet using a network access point. A Network
Access Point (NAP) was a public network exchange facility where Internet service providers (ISPs)
connected with one another in peering arrangements. The NAPs were a key component in the
transition from the 1990s NSFNET era (when many networks were government sponsored and
commercial traffic was prohibited) to the commercial Internet providers of today. They were often
points of considerable Internet congestion.
Internet Service Provider (ISP) - An Internet service provider (ISP) is an organization that provides
services for accessing, using, or participating in the Internet. Internet service providers may be
organized in various forms, such as commercial, community-owned, non-profit, or otherwise
privately owned. Internet services typically provided by ISPs include Internet access, Internet transit,
domain name registration, web hosting, co-location.
Telnet or Remote Terminal Control Protocol - A terminal emulation program for TCP/IP networks
such as the Internet. The Telnet program runs on your computer and connects your PC to a server on
the network. You can then enter commands through the Telnet program and they will be executed as
if you were entering them directly on the server console. This enables you to control the server and
communicate with other servers on the network. To start a Telnet session, you must log in to a server
by entering a valid username and password. Telnet is a common way to remotely control Web
servers.
Internet Link- Internet link is a connection between Internet users and the Internet service
provider.
Secure Shell or Secure Socket Shell (SSH) - Secure Shell (SSH), sometimes known as Secure Socket
Shell, is a UNIX-based command interface and protocol for securely getting access to a remote
computer. It is widely used by network administrators to control Web and other kinds of servers
remotely. SSH is actually a suite of three utilities - slogin, ssh, and scp - that are secure versions of the
earlier UNIX utilities, rlogin, rsh, and rcp. SSH commands are encrypted and secure in several ways.
Both ends of the client/server connection are authenticated using a digital certificate, and passwords
are protected by being encrypted.
Domain Name System (DNS) - The Domain Name System (DNS) is a hierarchical distributed naming
system for computers, services, or any resource connected to the Internet or a private network. It
associates information from domain names with each of the assigned entities. Most prominently, it
translates easily memorized domain names to the numerical IP addresses needed for locating
computer services and devices worldwide. The Domain Name System is an essential component of
the functionality of the Internet.
File Transfer Protocol (FTP) - The File Transfer Protocol or FTP is a client/server application that is
used to move files from one system to another. The client connects to the FTP server, authenticates
and is given access that the server is configured to permit. FTP servers can also be configured to
allow anonymous access by logging in with an email address but no password. Once connected, the
client may move around between directories with commands available
Simple Mail Transport Protocol (SMTP) - SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol
used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at
the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user
save messages in a server mailbox and download them periodically from the server. In other words,
users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for
receiving e-mail. On Unix-based systems, sendmail is the most widely used SMTP server for e-mail.
A commercial package, Sendmail, includes a POP3 server. Microsoft Exchange includes an SMTP
server and can also be set up to include POP3 support.
The following answers are incorrect:
SMTP - a TCP/IP protocol used in sending and receiving e-mail, as described above.
FTP - a client/server application used to move files from one system to another, as described above.
SSH - a command interface and protocol for securely getting access to a remote computer, as described above.
The following reference was used to create this question:
CISA Review Manual 2014, pages 273 and 274


Question 14

While using IPsec, the ESP and AH protocols both provide integrity services. However, when using
AH, some special attention needs to be paid if one of the peers uses NAT for address translation
service. Which of the items below would affect the use of AH and its Integrity Check Value (ICV)
the most?

  • A. Key session exchange
  • B. Packet Header Source or Destination address
  • C. VPN cryptographic key size
  • D. Cryptographic algorithm used
Answer:

B


Explanation:
It may seem odd to have two different protocols that provide overlapping functionality.
AH provides authentication and integrity, and ESP can provide those two functions and
confidentiality.
Why even bother with AH then?
In most cases, the reason has to do with whether the environment is using network address
translation (NAT). IPSec will generate an integrity check value (ICV), which is really the same thing as
a MAC value, over a portion of the packet. Remember that the sender and receiver generate their
own values. In IPSec, it is called an ICV value. The receiver compares her ICV value with the one sent
by the sender. If the values match, the receiver can be assured the packet has not been modified
during transmission. If the values are different, the packet has been altered and the receiver discards
the packet.
The AH protocol calculates this ICV over the data payload, transport, and network headers. If the
packet then goes through a NAT device, the NAT device changes the IP address of the packet. That is
its job. This means a portion of the data (network header) that was included to calculate the ICV
value has now changed, and the receiver will generate an ICV value that is different from the one
sent with the packet, which means the packet will be discarded automatically.
The ESP protocol follows similar steps, except it does not include the network header portion when
calculating its ICV value. When the NAT device changes the IP address, it will not affect the receiver's
ICV value because it does not include the network header when calculating the ICV.
Here is a tutorial on IPSEC from the Shon Harris Blog:
The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure
channel for protected data exchange between two devices. The devices that share this secure
channel can be two servers, two routers, a workstation and a server, or two gateways between
different networks. IPSec is a widely accepted standard for providing network layer protection. It can
be more flexible and less expensive than end-to end and link encryption methods.
IPSec has strong encryption and authentication methods, and although it can be used to enable
tunneled communication between two computers, it is usually employed to establish virtual private
networks (VPNs) among networks across the Internet.
IPSec is not a strict protocol that dictates the type of algorithm, keys, and authentication method to
use. Rather, it is an open, modular framework that provides a lot of flexibility for companies when
they choose to use this type of technology. IPSec uses two basic security protocols: Authentication
Header (AH) and Encapsulating Security Payload (ESP). AH is the authenticating protocol, and ESP is
an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source
authentication, confidentiality, and message integrity.
IPSec can work in one of two modes: transport mode, in which the payload of the message is
protected, and tunnel mode, in which the payload and the routing and header information are
protected. ESP in transport mode encrypts the actual message information so it cannot be sniffed
and uncovered by an unauthorized entity. Tunnel mode provides a higher level of protection by also
protecting the header and trailer data an attacker may find useful. Figure 8-26 shows the high-level
view of the steps of setting up an IPSec connection.
Each device will have at least one security association (SA) for each VPN it uses. The SA, which is
critical to the IPSec architecture, is a record of the configurations the device needs to support an
IPSec connection. When two devices complete their handshaking process, which means they have
agreed upon a long list of parameters they will use to communicate, these data must be recorded
and stored somewhere, which is in the SA.
The SA can contain the authentication and encryption keys, the agreed-upon algorithms, the key
lifetime, and the source IP address. When a device receives a packet via the IPSec protocol, it is the
SA that tells the device what to do with the packet. So if device B receives a packet from device C via
IPSec, device B will look to the corresponding SA to tell it how to decrypt the packet, how to properly
authenticate the source of the packet, which key to use, and how to reply to the message if
necessary.
SAs are directional, so a device will have one SA for outbound traffic and a different SA for inbound
traffic for each individual communication channel. If a device is connecting to three devices, it will
have at least six SAs, one for each inbound and outbound connection per remote device. So how can
a device keep all of these SAs organized and ensure that the right SA is invoked for the right
connection? With the mighty security parameter index (SPI), that's how. Each device has an SPI that
keeps track of the different SAs and tells the device which one is appropriate to invoke for the
different packets it receives. The SPI value is in the header of an IPSec packet, and the device reads
this value to tell it which SA to consult.
IPSec can authenticate the sending devices of the packet by using MAC (covered in the earlier
section, The One-Way Hash). The ESP protocol can provide authentication, integrity, and
confidentiality if the devices are configured for this type of functionality.
So if a company just needs to make sure it knows the source of the sender and must be assured of
the integrity of the packets, it would choose to use AH. If the company would like to use these
services and also have confidentiality, it would use the ESP protocol because it provides encryption
functionality. In most cases, the reason ESP is employed is because the company must set up a
secure VPN connection.
Because IPSec is a framework, it does not dictate which hashing and encryption algorithms are to be
used or how keys are to be exchanged between devices. Key management can be handled manually
or automated by a key management protocol. The de facto standard for IPSec is to use Internet Key
Exchange (IKE), which is a combination of the ISAKMP and OAKLEY protocols. The Internet Security
Association and Key Management Protocol (ISAKMP) is a key exchange architecture that is
independent of the type of keying mechanisms used. Basically, ISAKMP provides the framework of
what can be negotiated to set up an IPSec connection (algorithms, protocols, modes, keys). The
OAKLEY protocol is the one that carries out the negotiation process. You can think of ISAKMP as
providing the playing field (the infrastructure) and OAKLEY as the guy running up and down the
playing field (carrying out the steps of the negotiation).
IPSec is very complex with all of its components and possible configurations. This complexity is what
provides for a great degree of flexibility, because a company has many different configuration choices
to achieve just the right level of protection. If this is all new to you and still confusing, please review
one or more of the following references to help fill in the gray areas.
The following answers are incorrect:
The other options are distractors.
The following references were used to create this question:
Shon Harris, CISSP All-in-One Exam Guide, fifth edition, page 759
and
https://neodean.wordpress.com/tag/security-protocol/
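As an added example (not from the original page or from Shon Harris's text), the Python below models the ICV argument above: a sender computes an HMAC-based ICV the AH way (over network header, transport header and payload) and the ESP way (network header excluded), a NAT rewrites the source address, and the receiver recomputes and compares. The key, addresses and headers are constructed; the ESP model omits the ESP header and trailer that real ESP also covers.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace
from typing import Callable

# Constructed shared key for the security association (SA) between the two peers.
SA_KEY = b"constructed-demo-sa-key"


@dataclass(frozen=True)
class Packet:
    src: str          # IPv4 source address in the network header
    dst: str          # IPv4 destination address in the network header
    transport: bytes  # transport header (a constructed UDP header here)
    payload: bytes    # data payload


def ip_header_bytes(pkt: Packet) -> bytes:
    """The network-header fields that AH covers. Real AH zeroes mutable fields
    (TTL, checksum) before hashing; this model keeps only version/IHL, type of
    service, total length and the two addresses, which are all immutable."""
    total_len = 20 + len(pkt.transport) + len(pkt.payload)
    return (struct.pack("!BBH", 0x45, 0, total_len)
            + socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst))


def ah_icv(pkt: Packet, key: bytes = SA_KEY) -> bytes:
    """AH: the ICV is a MAC over network header + transport header + payload."""
    data = ip_header_bytes(pkt) + pkt.transport + pkt.payload
    return hmac.new(key, data, hashlib.sha256).digest()


def esp_icv(pkt: Packet, key: bytes = SA_KEY) -> bytes:
    """ESP: the ICV leaves the network header out (real ESP covers the ESP
    header and trailer too; that detail is omitted in this model)."""
    return hmac.new(key, pkt.transport + pkt.payload, hashlib.sha256).digest()


def nat_translate(pkt: Packet, public_src: str) -> Packet:
    """What a source NAT does to a packet: rewrite the IP source address."""
    return replace(pkt, src=public_src)


def receiver_accepts(pkt: Packet, received_icv: bytes,
                     icv_fn: Callable[[Packet], bytes]) -> bool:
    """The receiver computes its own ICV over what arrived and compares it
    with the ICV the sender attached; a mismatch means the packet is dropped."""
    return hmac.compare_digest(icv_fn(pkt), received_icv)


def simulate(protocol: str, nat: bool = True, tamper: bool = False) -> bool:
    """Sends one constructed packet, optionally through a NAT and/or with its
    payload modified in transit, and returns whether the peer accepts it."""
    icv_fn = ah_icv if protocol == "AH" else esp_icv
    original = Packet(src="10.0.0.5", dst="203.0.113.9",
                      transport=struct.pack("!HHHH", 4500, 4500, 27, 0),
                      payload=b"constructed payload")
    sent_icv = icv_fn(original)            # computed by the sender
    on_the_wire = original
    if nat:                                # NAT rewrites the network header
        on_the_wire = nat_translate(on_the_wire, "198.51.100.1")
    if tamper:                             # in-transit modification
        on_the_wire = replace(on_the_wire, payload=b"altered payload")
    return receiver_accepts(on_the_wire, sent_icv, icv_fn)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(f"{proto} direct: {simulate(proto, nat=False)}  "
              f"through NAT: {simulate(proto)}  "
              f"tampered: {simulate(proto, tamper=True)}")
```

AH fails only because the NAT changed bytes the ICV covers; both protocols still reject a packet whose payload was altered in transit.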


Question 15

At which layer of the ISO/OSI model do fiber optics work?

  • A. Network layer
  • B. Transport layer
  • C. Data link layer
  • D. Physical layer
Answer:

D


Explanation:
The Physical layer is responsible for the transmission of data through the physical medium. This
includes such things as cables. Fiber optics is a cabling mechanism which works at the Physical layer
of the OSI model.
All of the other answers are incorrect.
The following reference was used to create this question:
Shon Harris, All-in-One, Chapter 7 (Cabling)
