Objective 5.1
Configure Network Protocol Security
Objective 5.1 Answers
1.
Correct Answers: D
A. Incorrect: EFS is designed to protect data only while it is stored on a computer. When a computer using EFS transmits the data over the network, the operating system decrypts it before transmitting.
B. Incorrect: The network has computers running operating systems that do not support IPSec, such as Windows 98. In addition, configuring all the computers to use the Secure Server (Require Security) policy would encrypt all network traffic, not just the traffic passing over the WAN links.
C. Incorrect: Configuring the routers to use transport mode would protect only the packets generated by the routers themselves, but not the packets generated by the local computers using the routers to access the WAN.
D. Correct: IPSec tunnel mode is intended to protect WAN traffic. Because only the routers have to support IPSec, all the workstations receive the benefits of the IPSec protection, regardless of whether they themselves support it.
2.
Correct Answers: B
A. Incorrect: Packet filtering enables IPSec to apply its protection to specific types of traffic; it does nothing to prevent attackers from replaying packets.
B. Correct: An IPSec computer transmitting protected data assigns a sequence number value to each packet in a particular transaction. If the destination system receives a packet with an incorrect sequence number, it discards the packet immediately.
C. Incorrect: HMACs are used to protect IPSec traffic from being modified while en route to its destination. A destination computer performs the same HMAC calculations as the sender, and compares the results to those in the packet. If the two results do not match, the packet is discarded.
D. Incorrect: Windows Server 2003 IPSec uses the Diffie-Hellman algorithm to calculate encryption keys; this algorithm does not perform an anti-replay function.
3.
Correct Answers: C
A. Incorrect: Assigning an IPSec policy to the Default Domain Policy GPO will cause all the computers in the domain to use that policy, including the servers, which you want to use a different policy.
B. Incorrect: Although you can assign an IPSec policy to individual computers, this is certainly not the easiest method for deploying IPSec, especially when Active Directory is available.