〇：3-tier architecture

The 3-tier architecture clearly distinguishes the three layers: the client has the user interface responsible for input and displaying results, and the server has the functional process logic responsible for data processing and data storage for accessing the database. The user interface role is generally handled by the front-end web server with which the user interacts. It can handle both static and cached dynamic content. The functional process logic is where requests are reformatted and processed. It is typically a dynamic content processing and generation level application server. Data storage is where sensitive data is held. It is the back-end database and holds both the data and the database management system software used to manage and provide access to the data.

×：2-tier architecture

Two-tier, or client/server, is incorrect because it describes an architecture in which a server serves one or more clients that request those services.

×：Screened Subnets

A screen-subnet architecture is for one firewall to protect one server (basically a one-tier architecture). The external, public-side firewall monitors requests from untrusted networks like the Internet. If one layer, the only firewall, is compromised, an attacker can access sensitive data residing on the server with relative ease.

×：Public and Private DNS Zones

Separating DNS servers into public and private servers provides protection, but this is not the actual architecture.

Application firewalls target Layer 7 of the OSI. The main advantage of an application firewall is its ability to understand specific applications and protocols. Packets are not decrypted until Layer 6, so Layer 7 can see the entire packet. Other firewalls can only inspect the packet, not the payload. It can detect if an unwanted application or service is trying to bypass the firewall by using a protocol on an allowed port, or if the protocol is being used in a malicious manner.

The data link layer or Layer 2 of the OSI model adds a header and trailer to the packet to prepare the packet in binary format in local area network or wide area network technology for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is logical link control (LLC), which is defined in the IEEE 802.2 specification. It communicates with the network layer above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies interfaces with the protocol requirements of the physical layer.

There are many different types of distributed denial of service (DDoS) attacks; there is no IPSec flood; UDP flood, SYN flood, and MAC flood are all distributed denial of service (DDoS) attacks.

Point-to-Point Tunneling Protocol (PPTP) is a way to implement a virtual private network (VPN). It is Microsoft’s proprietary VPN protocol that operates at the data link layer of the OSI model; PPTP can only provide a single connection and can operate over a PPP connection.

UDP (User Datagram Protocol) floods are often used in distributed denial of service (DDOS) attacks because they are connectionless and yet allow for easy generation of UDP messages from various scripting and compilation languages. UDP is a datagram protocol.

〇：OSI reference model

The OSI reference model is a seven-layer classification of network communication. The concepts of application communication and session are separated, which would be clearly communicated based on the OSI reference model. Therefore, the correct answer is “OSI reference model.

×：TCP/IP model

The TCP/IP model is a layer design that is closer to the concept of a system than the OSI reference model; in the TCP/IP model, the application layer, presentation layer, and session layer of the OSI reference model are represented by a single application layer.

×：Data link model

There is no such model.

×：Biba model

Biba model is one of the security models that indicates that data cannot be changed without permission.

Onion routing is characterized by multiple layers of encryption because encryption is applied each time it passes through a router. However, there is no security feature at the final router because all encryption is decrypted at the final point of the router and becomes plaintext.

IEEE 802.11 is one of the wireless LAN standards established by IEEE.

〇：DNS Hijacking

The DNS plays a great role in the transmission of traffic on the Internet; it directs traffic to the appropriate IP address corresponding to a given domain name DNS queries can be classified as either recursive or iterative. In a recursive query, the DNS server forwards the query to another server, which returns the appropriate response to the inquirer. In an iterative query, the DNS server responds with the address of another DNS server that may be able to answer the question and then proceeds to further ask for a new DNS server. Attackers use recursive queries to pollute the caches of DNS servers.

The attacker sends a recursive query to the victim’s DNS server asking for the IP address of the domain; the DNS server forwards the query to another DNS server. Before the other DNS server responds, the attacker inserts his IP address. The victim server receives the IP address and stores it in its cache for a specific period of time. The next time the system queries the server for resolution, the server directs the user to the attacker’s IP address.

×：Manipulating the hosts file

Manipulating the hosts file is wrong because it does not use recursive queries to pollute the DNS server cache. The client queries the hosts file before issuing a request to the first DNS server. Some viruses add the antivirus vendor’s invalid IP address to the hosts file to prevent the virus definition file from being downloaded and to prevent detection.

×：Social engineering

Social engineering is wrong because it does not require querying DNS servers. Social engineering refers to manipulation by an individual for the purpose of gaining unauthorized access or information.

×：Domain Litigation

Domain litigation is wrong because it does not involve poisoning the DNS server cache. Domain names are at trademark risk, including temporary unavailability or permanent loss of established domain names.

A well-known port is a port number from 0 to 1023 that is reserved for standard services. There are three port number combinations. Well-known port numbers (0-1023) are port numbers officially registered with IANA. Registered port numbers (1024-49151) are port numbers that are officially registered with IANA. A dynamic/private port number (49152-65535) is a port number that is not officially registered with IANA.

Computer worms are standalone malware computer programs that replicate themselves and spread to other computers. They typically operate at OSI reference layers 5-7.

〇：The use of IM can be stopped by simply blocking certain ports on the network firewall.

Instant messaging (IM) allows people to communicate with each other via real-time and personal chat room types. These technologies will have the ability to transfer files. Users install an IM client and are assigned a unique identifier; they provide this unique identifier to anyone they wish to communicate with via IM. ineffective.

Another way to answer the question is to say that the question itself confirms our understanding of security, and then we can lay down the assumption that “should not be included in the presentation” means that we should not say anything that will later be held liable. There will be far more events that indicate that there is a possibility than events that say there is no possibility at all.

×：Sensitive data and files can be transferred from system to system via IM.

This is incorrect because in addition to text messages, instant messaging allows files to be transferred from system to system. These files could contain sensitive information, putting the company at business or legal risk. And sharing files via IM will use that much network bandwidth and impact network performance.

×：Users can be subjected to attacks posing as legitimate senders from malware containing information.

Incorrect because it is true. Due to lack of strong authentication, accounts can be falsified because there is to accept information from malicious users of the legitimate sender, not the receiver. There will also be numerous buffer overflows and malformed packet attacks that have been successful with different IM clients.

×：A security policy is needed specifying IM usage limits.

This is incorrect because his presentation should include the need for a security policy specifying IM usage restrictions. This is only one of several best practices to protect the environment from IM-related security breaches. Other best practices include upgrading IM software to a more secure version that configures the firewall to block IM traffic, implementing a corporate IM server so that only internal employees communicate within the organization’s network, and implementing an integrated Includes implementing an antivirus/firewall product.

〇：Security

Voice over Internet Protocol (VoIP) refers to a transmission technology that delivers voice communications over an IP network; IP telephony uses technology that is similar to TCP/IP and therefore similar in its vulnerabilities. Voice systems are vulnerable to application manipulation and unauthorized administrative access. It is also vulnerable to denial of service attacks against gateway and network resources. Eavesdropping is also a concern since data traffic is transmitted in clear text unless encrypted.

The term security is a difficult answer to choose from because it has a very broad meaning. However, information security scriptures such as CISSP are persistent in saying that VoIP has vulnerabilities. Although this answer is a bit over the top in practical terms, it was made to educate the public, because depending on the creator’s intentions, this issue may arise.

×：Cost

Wrong, because cost is an advantage of VoIP; with VoIP’s, a company becomes a dedicated alternative to a separate network dedicated to data transmission and voice transmission. For telephony features such as conference calling, call forwarding, and automatic redialing are freed up in VoIP, which is open source, while companies that use traditional communications charge for VoIP.

×：Convergence

Wrong because convergence is the advantage of VoIP. Convergence means the integration of traditional IP networks with traditional analog telephone networks.

×：Flexibility

Wrong, because flexibility is an advantage of VoIP. The technology is very simple, easy and supports multiple calls over a single Internet broadband connection.

〇：Make the mail relay server available to everyone.

This is a question of choosing the “ineffective” one. An open mail relay server is not an effective countermeasure against spam. In fact, spammers often use spammers to distribute spam, because the attackers can hide their identities. An open mail relay server is an SMTP server configured to allow inbound SMTP connections from anyone on the Internet, and many relays are properly configured to prevent attackers from distributing spam and pornography. Thus, the correct answer is “have an email relay server available to everyone.” will be.

×：Build a properly configured mail relay server.

A properly configured mail relay server can also suppress spam mail.

×：Perform filtering at the e-mail gateway.

Filtering emails that are considered spam mail at the gateway will help to prevent spam mail.

×：Filtering at the client.

Filtering spam mail at the client, i.e., in a mailing application such as Outlook, is considered to be a countermeasure against spam mail.

〇：IP Session Restriction via Media Gateway

The VoIP Media Gateway translates Internet Protocol (VoIP) voice over time division multiplexing (TDM) voice to and from. As a security measure, the number of calls through the Media Gateway should be limited. The Media Gateway is vulnerable to denial-of-service attacks, hijacking, and other types of attacks.

×：Identification of Rogue Devices  

Incorrect, as rogue devices on both IP telephony and data networks need to be identified.

×：Implementation of Authentication

Incorrect because authentication is recommended for both data and voice networks.

×：Encryption of packets containing sensitive information

Incorrect because sensitive data can be transmitted over either voice or data networks and must be encrypted in both cases. Eavesdropping is a very real threat for VoIP networks.

〇：Content Delivery Network (CDN)

Content delivery networks (CDNs) are designed to optimize the delivery of content to clients based on their global topology. In such a design, multiple web servers hosted at many points of existence on the Internet are globally synchronized and contain the same content, and the client is usually directed to the nearest source via DNS record manipulation based on geolocation algorithms for can be directed to.

×：Distributed Name Service (DNS)

Wrong, as there is no protocol called Distributed Name Service; DNS refers to the Domain Name Service protocol.

×：Distributed Web Service (DWS)

Distributed Web Services is also wrong because it is an incorrect answer. The concept of a distributed Web services discovery architecture is not a formal protocol, although it has been discussed by the IEEE and others.

×：Content Domain Distribution (CDD)

The term Content Domain Distribution (CDD) does not appear in CISSP’s CBK terminology.

〇：DNSSEC

DNSSEC is a set of extensions to the DNS that provide DNS clients (resolvers) with authentication of the origin of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. It is an Internet Engineering Task Force (IETF) specification for securing services.

×：Resource Record

DNS servers contain records that map hostnames to IP addresses, called resource records. The answer is incorrect. When a user’s computer needs to resolve a hostname to an IP address, it looks in its network configuration to find its DNS server. The computer then sends a request containing the hostname to the DNS server for resolution; the DNS server looks at its resource records, finds a record with this particular hostname, retrieves the address, and responds to the computer with the corresponding IP address.

×：Zone Transfer

Primary and secondary DNS servers synchronize their information via zone transfers. The answer is incorrect. After changes are made to the primary DNS server, these changes must be replicated to the secondary DNS server. It is important to configure the DNS servers so that zone transfers can take place between specific servers.

×：Resource Transfer

Equivalent to transferring DNS resource records, but the answer is incorrect.

〇：How routers are centrally managed and control packets based on the controller’s instructions 

Software-defined networks (SDN) are intended to facilitate centralized management of routing decisions and to separate the router’s logical functions of passing data between the routing decision and the interface and making its mechanical functions.SDN architecture is a scalable, a programmable, and is intended to be a standard method of providing router control logic. Therefore, the correct answer is “a way for routers to be centrally managed and control packets based on the controller’s instructions.

×：Mapping between MAC and IP addresses.

ARP table.

×：Updating the routing table in a dynamic way.

Explanation of dynamic routing.

×：A method in which routers communicate with each other to update the routing table when an event occurs.

This is an explanation of routing control in case of communication failure.