CHAPTER SUMMARY
Network security implementation relies on a thorough understanding of your organization, its goals, its risks, and the technologies employed within your IT infrastructure. Before you can properly deploy network security, you must first design it. Most network security designs include layers of defense, as well as sufficient capacity for growth.
Network security includes an evaluation of the protocols and methods your organization uses. If the current design is insufficient, replace it with a design that addresses productivity and security. You need to assess the addressing schemes in use—whether public or private, static or dynamic—in light of how each improves or detracts from security.
Other important components of network security design and deployment include controlling communication pathways; hardening systems; and selecting proper equipment, authentication, authorization, accounting, communication encryption, types of hosts, redundancy, and node security specifics.
This chapter also introduced the concept of risk assessment and management to aid in determining the proper number of firewalls and other security measures. While the terms are important, it is essential to understand how to convert risk into a quantifiable number and address it in a way that properly protects and defends the network.
KEY CONCEPTS AND TERMS
Annualized loss expectancy (ALE)
Annualized rate of occurrence (ARO)
Authentication, authorization, and accounting (AAA)
Dictionary password cracking
Identity and access management (IAM)
Internet Assigned Numbers Authority (IANA)
Network News Transfer Protocol (NNTP)
Redundant array of inexpensive disks (RAID)
Regional Internet Registry (RIR)
Router anti-spoofing
Simple Mail Transfer Protocol (SMTP)
Tangible
Uninterruptable power supply (UPS)
CHAPTER 4 ASSESSMENT
- Which of the following should be done as part of router configuration?
- Copy and paste the configuration to all routers and firewalls
- Enable a warning banner for all attempted connections
- Require SNMP v 2 or earlier for consistency
- Drop all encrypted packets within the network perimeter
- Which of the following is not a type of attack against password use?
- Brute-force
- Dictionary
- Hybrid
- Recursive
- Which of the following is part of a defense-in-depth strategy?
- Avoid single points of failure
- Avoid having multiple redundancies
- Avoid removing the default account
- Avoid using devices from different manufacturers
- Which addressing class is 192.168.32.16?
- Class A
- Class B
- Class C
- Class D
- Which of the following is an example of redundancy?
- A firewall at each physical perimeter
- Using multifactor authentication
- Encrypting communication outside the network
- An uninterruptable power supply
- Which of the following best defines security through obscurity?
- Changing the names taped to all physical devices
- Changing the logical names of all devices
- Hiding the network in order to secure it
- Expanding the network to hide individual devices
- When considering multifactor authentication, which of the following is something you have?
- An iris scan
- An ID card
- A spoken phrase
- A password
- Which of the following is commonly referred to as access control?
- Accounting
- Auditing
- Authentication
- Authorization
- Which of the following is true of IPv4 versus IPv6?
- IPv4 is more expensive to implement that IPv6.
- IPv4 is more time-consuming when building packets.
- IPv4 is used less and therefore less is known about it.
- IPv4 is plaintext transmission by default.
- Which of the following best describes a dynamic password token?
- A device that shows a random password
- Radio-frequency identification (RFID) chip
- Identification (ID) badge
- Smart card