EXAM QUESTIONS AND ANSWERS
Question: You have been hired by a law firm to create a demilitarized zone (DMZ) on their network. Which
network device should you use to create this type of network?
A. a bridge
B. a firewall
C. a hub
D. a router
Correct Answer: a firewall
Explanation:
An administrator can install a firewall on a network to create a demilitarized zone (DMZ). A DMZ
separates a public network from a private network. A DMZ can be implemented with one firewall that is
connected to the DMZ segment, the private network, and the Internet. A DMZ can also be implemented
with two firewalls. In this configuration, one firewall is connected to a private network and a DMZ
segment, and the other firewall is connected to the Internet and the DMZ segment.
To implement a firewall, you should first develop and implement a firewall policy. When configuring a
firewall policy, the default setting should deny all traffic not explicitly allowed. Firewalls implement
stateful inspection by inspecting every packet and allowing or denying the packet based on the firewall
policy.
A bridge is a device that separates a network into distinct collision domains to control network traffic. A
network divided by a bridge is considered to be a single network. A hub is a central connection device
used on Ethernet networks. A router is a device that is designed to transmit data between networks on a
TCP/IP internetwork. Bridges, hubs and routers are not used to create DMZs.

Question: Which type of firewall is also referred to as an appliance firewall?
A. application
B. embedded
C. hardware
D. software
Correct Answer: hardware
Explanation:
A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are often designed as
stand-alone black box solutions that can be plugged in to a network and operated with minimal
configuration and maintenance.
An application firewall is typically integrated into another type of firewall to filter traffic that is traveling
at the Application layer of the Open Systems Interconnection (OSI) model. An embedded firewall is
typically implemented as a component of a hardware device, such as a switch or a router. A software
firewall is a program that runs within an operating system, such as Linux, Unix, or Windows 2000.
Firewalls can be used to create demilitarized zones (DMZs). A DMZ is a network segment placed
between an internal network and a public network, such as the Internet. DMZs allow remote access to
services while segmenting access to the internal network. Typically, either one or two firewalls are used
to create a DMZ. A DMZ with a firewall on each end is typically more secure than a single-firewall DMZ.
However, a DMZ implemented with one firewall connected to a public network, a private network and a
DMZ segment is cheaper to implement than a DMZ implemented with two firewalls. If you have trouble
communicating with a server that is located on a DMZ from the Internet and the internal network, the
server probably has an incorrect default gateway address.

Question: Which network device acts as an Internet gateway, firewall, and Internet caching server for a private
network?
A. proxy server
B. VPN
C. IDS
D. IPS
Correct Answer: proxy server
Explanation:
A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network.
Hosts on the private network contact the proxy server with an Internet Web site request. The proxy
server checks its cache to see if a locally stored copy of the site is available. If not, the proxy server
communicates with its Internet connection to retrieve the Web site. The proxy server is virtually invisible
to the client and the Internet connection. A proxy server can be configured to allow only outgoing
Hypertext Transfer Protocol (HTTP) traffic by configuring which users have permissions to access the
Internet via the proxy server.
A virtual private network (VPN) is a private network that users can connect to over a public network.
Often a VPN is implemented with a firewall to allow remote employees to connect to local resources. A
VPN concentrator is the device that creates the VPN.
An intrusion detection system (IDS) is a network device that detects network intrusion and either logs
the intrusion or contacts the appropriate personnel.
An intrusion prevention system (IPS) is a network device that detects network intrusion attempts and
prevents the network intrusion. An IPS provides more security than an IDS because it actually provides
prevention, not just detection.
An Internet gateway can also be referred to as a Web security gateway. Its purpose is to defend against
advanced Web attacks at the gateway.
Firewalls, IDSs, IPSs, and proxies are often classified as application-aware devices because many of them
can be configured to allow or deny traffic based on the application requesting access.

Question: Which type of firewall is most detrimental to network performance?
A. stateful firewall
B. circuit-level proxy firewall
C. packet-filtering firewall
D. application-level proxy firewall
Correct Answer: application-level proxy firewall
Explanation:
An application-level proxy firewall is most detrimental to network performance because it requires more
processing per packet.
The packet-filtering firewall provides high performance. Stateful and circuit-level proxy firewalls, while
slower than packet-filtering firewalls, offer better performance than application-level firewalls.
Kernel proxy firewalls offer better performance than application-level firewalls. This type of firewall is
built into the operating system kernel.
An application-level firewall creates a virtual circuit between the firewall clients. Each protocol has its
own dedicated portion of the firewall that is concerned only with how to properly filter that protocol's
data. Unlike a circuit-level firewall, an application-level firewall does not examine the IP address and
port of the data packet. Often these types of firewalls are implemented as a proxy server.
A proxy-based firewall provides greater network isolation than a stateful firewall. A stateful firewall
provides greater throughput and performance than a proxy-based firewall. In addition, a stateful firewall
provides some dynamic rule configuration with the use of the state table.

Question: Which device is the BEST solution to protect all traffic on an HTTP/HTTPS server?
A. network-based IDS
B. host-based IDS
C. network firewall
D. Web application firewall
Correct Answer: Web application firewall
Explanation:
The BEST solution to protect all traffic on an HTTP/HTTPS server is a Web application firewall. A Web
application firewall can be implemented in hardware or software to protect a Web server from a cross-
site scripting attack. A Web application firewall (WAF) provides security at the Application layer (Layer 7)
of the OSI model.
None of the other solutions provides the same level of security as the Web application firewall.