Checkpoint Exam: Firewalls, Cryptography, and Cloud Security Answers

Explanation: Any traffic that does not match one of the statements in an ACL has the implicit deny applied to it, which means the traffic is dropped.

Explanation: Common ACEs to assist with antispoofing include blocking packets that have a source address in the 127.0.0.0/8 range, any private address, or any multicast addresses. Furthermore, the administrator should not allow any outbound packets with a source address other than a valid address that is used in the internal networks of the organization.

Explanation: The established argument allows TCP return traffic from established connections to be sent on an outgoing interface to a network.

Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255 will match all four network prefixes. All four prefixes have the same 22 high order bits. These 22 high order bits are matched by the network prefix and wildcard mask of 192.168.16.0 0.0.3.255.

Explanation: The access list LIMITED_ACCESS will block ICMPv6 packets from the ISP. Both port 80, HTTP traffic, and port 443, HTTPS traffic, are explicitly permitted by the ACL. The neighbor advertisements from the ISP router are implicitly permitted by the implicit permit icmp any any nd-na statement at the end of all IPv6 ACLs.

Explanation: Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table. Stateful filtering is a firewall architecture that is classified at the network layer. It also analyzes traffic at OSI Layers 4 and 5.​ Stateful firewalls cannot prevent application layer attacks because they do not examine the actual contents of an HTTP connection.

Explanation: Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public network is dynamically permitted.

Explanation: A stateless firewall uses a simple policy table look-up that filters traffic based on specific criteria. These firewalls are usually part of a router firewall. They permit or deny traffic based on Layer 3 and Layer 4 information.

Explanation: Limitations of stateful firewalls include the following:
Stateful firewalls cannot prevent application layer attacks.
Protocols such as UDP and ICMP are not stateful and do not generate information needed for a state table.
An entire range of ports must sometimes be opened in order to support specific applications that open multiple ports.
Stateful firewalls lack user authentication.

Explanation: Traffic originating from the private network is inspected as it travels toward the public or DMZ network. This traffic is permitted with little or no restriction. Inspected traffic returning from the DMZ or public network to the private network is permitted.

Explanation: The inspect CCP action is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allowing return traffic that is part of the same flow to pass through the firewall. The drop action is similar to the deny parameter in an ACL. This action drops whatever traffic fits the defined policy. The pass action is similar to a permit ACL statement–traffic is allowed to pass through because it met the criteria of the defined policy statement.

Explanation: There are two configuration models for Cisco IOS Firewalls, IOS Classic Firewalls and zone-based policy firewalls (ZPF). Both configuration models can be enabled concurrently on a router but they cannot be combined on a single interface. One benefit of using ZPF is that ZPF is not dependent on ACLs.

Explanation: There are several benefits of a ZPF:
– It is not dependent on ACLs.
– The router security posture is to block unless explicitly allowed.
– Policies are easy to read and troubleshoot with C3PL.
– One policy affects any given traffic, instead of needing multiple ACLs and inspection actions.

​In addition, an interface cannot be simultaneously configured as a security zone member and for IP inspection.​

Explanation: After configuring the firewall policy, apply the policy to traffic that would flow between a pair of zones. Use the zone-pair security command in global configuration mode.

Explanation: Zone-based policy firewalls typically have the private (internal or trusted) zone, the public (external or untrusted) zone, and the default self zone, which does not require any interfaces. The private or internal zone is commonly used for internal LANs. The public zone would include the interfaces that connect to an external (outside the business) interface.

Explanation: The Security Guidance for Critical Areas of Focus in Cloud Computing v4 document developed by the Cloud Security Alliance (CSA) covers 14 domains of cloud security. Some of these domains are:

• Infrastructure Security – describes cloud-specific aspects of infrastructure security and the foundation for operating securely in the cloud.
• Data Security and Encryption – describes those controls related to securing the data itself, of which encryption is one of the most important.
• Application Security – provides guidance on how to securely build and deploy applications in cloud computing environments, specifically for PaaS and IaaS.
• Management Plane and Business Continuity – describes the need to secure the cloud computing management plane and business continuity and disaster recovery procedures.

Explanation: Microsegmentation (also referred to as hypersegregation) leverages virtual network topologies to run smaller and more isolated networks without incurring additional hardware costs. Microsegmentation techniques allow for more granular control of security for traffic and workflows within the cloud.

Explanation: Advanced Encryption Standard (AES) is a symmetric encryption algorithm. MD5 is a hashing algorithm while RSA and ECC are asymmetric encryption algorithms.

Explanation: In the staging phase developers test the application in a staging environment to verify that software runs under the required security settings.

Explanation: VM Sprawl occurs when an organization has more VMs on the network than it can effectively control and manage.

Explanation: Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS) appliances to identify risks normally hidden by SSL.

Explanation: Digital certificates are used to prove the authenticity and integrity of PKI certificates, but a PKI Certificate Authority is a trusted third-party entity that issues PKI certificates. PKI certificates are public information and are used to provide authenticity, confidentiality, integrity, and nonrepudiation services that can scale to large requirements.

Explanation: Place the options in the following order:

Explanation: Two common methods of cracking hashes are dictionary and brute force. Given time, the brute force method will always crack a password.

Explanation: The Public Key Infrastructure (PKI) is a third party-system referred to as a certificate authority or CA. The PKI is the framework used to securely exchange information between parties. Common PKI applications are as follows:

SSL/TLS certificate-based peer authentication
Secure network traffic using IPsec VPNs
HTTPS Web traffic
Control access to the network using 802.1x authentication
Secure email using the S/MIME protocol
Secure instant messaging
Approve and authorize applications with Code Signing
Protect user data with the Encryption File System (EFS)
Implement two-factor authentication with smart cards
Securing USB storage devices