[Computer exam papers] CISSP Certification Exam (Communication Security and Network Security) Mock Exam 1 with Answers and Explanations.doc

Uploaded by: 花仙子   Document ID: 493393   Uploaded: 2018-11-30   Format: DOC   Pages: 36   Size: 272.50KB

CISSP Certification Exam (Communication Security and Network Security) Mock Exam 1

1. Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
(A) LCL and MAC; IEEE 802.2 and 802.3
(B) LCL and MAC; IEEE 802.1 and 802.3
(C) Network and MAC; IEEE 802.1 and 802.3
(D) LLC and MAC; IEEE 802.2 and 802.3

2. Which of the following is not an effective countermeasure against spam?
(A) Open mail relay servers
(B) Properly configured mail relay servers
(C) Filtering on an e-mail gateway
(D) Filtering on the client

3. Robert is responsible for implementing a common architecture used when customers need to access confidential information through Internet connections. Which of the following best describes this type of architecture?
(A) Two-tiered model
(B) Screened subnet
(C) Three-tiered model
(D) Public and private DNS zones

4. Two commonly used networking protocols are TCP and UDP. Which of the following correctly describes the two?
(A) TCP provides best-effort delivery, and UDP sets up a virtual connection with the destination.
(B) TCP provides more services and is more reliable in data transmission, whereas UDP takes less resources and overhead to transmit data.
(C) TCP provides more services and is more reliable, but UDP provides more security services.
(D) TCP is reliable, and UDP deals with flow control and ACKs.

5. Which of the following indicates to a packet where to go and how to communicate with the right service or protocol on the destination computer?
(A) Socket
(B) IP address
(C) Port
(D) Frame

6. Several different tunneling protocols can be used in dial-up situations. Which of the following would be best to use as a VPN tunneling solution?
(A) L2P
(B) PPTP
(C) IPSec
(D) L2TP

7. Which of the following correctly describes Bluejacking?
(A) Bluejacking is a harmful, malicious attack.
(B) It is the process of taking over another portable device via a Bluetooth-enabled device.
(C) It is commonly used to send contact information.
(D) The term was coined by the use of a Bluetooth device and the act of hijacking another device.

8. DNS is a popular target for attackers due to its strategic role on the Internet. What type of attack uses recursive queries to poison the cache of a DNS server?
(A) DNS spoofing
(B) Manipulation of the hosts file
(C) Social engineering
(D) Domain litigation

9. IP telephony networks require the same security measures as those implemented on an IP data network. Which of the following is unique to IP telephony?
(A) Limiting IP sessions going through media gateways
(B) Identification of rogue devices
(C) Implementation of authentication
(D) Encryption of packets containing sensitive information

10. Cross-site scripting (XSS) is an application security vulnerability usually found in Web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information?
(A) Persistent XSS vulnerability
(B) Nonpersistent XSS vulnerability
(C) Second-order vulnerability
(D) DOM-based vulnerability

11. Angela wants to group together computers by department to make it easier for them to share network resources. Which of the following will allow her to group computers logically?
(A) VLAN
(B) Open network architecture
(C) Intranet
(D) VAN

12. Which of the following incorrectly describes how routing commonly takes place on the Internet?
(A) EGP is used in the areas "between" each AS.
(B) Regions of nodes that share characteristics and behaviors are called ASs.
(C) CAs are specific nodes that are responsible for routing to nodes outside of their region.
(D) Each AS uses IGP to perform routing functionality.

13. Both de facto and proprietary interior protocols are in use today. Which of the following is a proprietary interior protocol that chooses the best path between the source and destination?
(A) IGRP
(B) RIP
(C) BGP
(D) OSPF

14. Which of the following categories of routing protocols builds a topology database of the network?
(A) Dynamic
(B) Distance-vector
(C) Link-state
(D) Static

15. Which of the following does not describe IP telephony security?
(A) VoIP networks should be protected with the same security controls used on a data network.
(B) Softphones are more secure than IP phones.
(C) As endpoints, IP phones can become the target of attacks.
(D) The current Internet architecture over which voice is transmitted is less secure than physical phone lines.

16. When an organization splits naming zones, the names of its hosts that are only accessible from an intranet are hidden from the Internet. Which of the following best describes why this is done?
(A) To prevent attackers from accessing servers
(B) To prevent the manipulation of the hosts file
(C) To avoid providing attackers with valuable information that can be used to prepare an attack
(D) To avoid providing attackers with information needed for cybersquatting

17. Which of the following best describes why e-mail spoofing is easily executed?
(A) SMTP lacks an adequate authentication mechanism.
(B) Administrators often forget to configure an SMTP server to prevent inbound SMTP connections for domains it doesn't serve.
(C) Keyword filtering is technically obsolete.
(D) Blacklists are undependable.

18. Which of the following is not a benefit of VoIP?
(A) Cost
(B) Convergence
(C) Flexibility
(D) Security

19. Today, satellites are used to provide wireless connectivity between different locations. What two prerequisites are needed for two different locations to communicate via satellite links?
(A) They must be connected via a phone line and have access to a modem.
(B) They must be within the satellite's line of sight and footprint.
(C) They must have broadband and a satellite in low Earth orbit.
(D) They must have a transponder and be within the satellite's footprint.

20. Brad is a security manager at Thingamabobs Inc. He is preparing a presentation for his company's executives on the risks of using instant messaging (IM) and his reasons for wanting to prohibit its use on the company network. Which of the following should not be included in his presentation?
(A) Sensitive data and files can be transferred from system to system over IM.
(B) Users can receive information, including malware, from an attacker posing as a legitimate sender.
(C) IM use can be stopped by simply blocking specific ports on the network firewalls.
(D) A security policy is needed specifying IM usage restrictions.

21. There are several different types of authentication technologies. Which type is being shown in the graphic that follows? (The graphic is not reproduced in this copy.)
(A) 802.1x
(B) Extensible Authentication Protocol
(C) Frequency hopping spread spectrum
(D) Orthogonal frequency-division multiplexing

22. What type of security encryption component is missing from the table that follows? (The table is not reproduced in this copy.)
(A) Service Set ID
(B) Temporal Key Integrity Protocol
(C) Ad hoc WLAN
(D) Open system authentication

23. What type of technology is represented in the graphic that follows? (The graphic is not reproduced in this copy.)
(A) Asynchronous Transfer Mode
(B) Synchronous Optical Networks
(C) Frequency-division multiplexing
(D) Multiplexing

24. What type of telecommunication technology is illustrated in the graphic that follows? (The graphic is not reproduced in this copy.)
(A) Digital Subscriber Line
(B) Integrated Services Digital Network
(C) BRI ISDN
(D) Cable modem

25. Which type of WAN tunneling protocol is missing from the table that follows? (The table is not reproduced in this copy.)
(A) IPSec
(B) FDDI
(C) L2TP
(D) CSMA/CD

26. IPv6 has many new and different characteristics and functionality compared to IPv4. Which of the following is an incorrect functionality or characteristic of IPv6?
i. IPv6 allows for nonscoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example.
ii. IPv6 has IPSec integrated into the protocol stack, which provides application-based secure transmission and authentication.
iii. IPv6 has more flexibility and routing capabilities compared to IPv4 and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions.
iv. The protocol offers autoconfiguration, which makes administration much easier compared to IPv4, and it does not require network address translation (NAT) to extend its address space.
(A) i, iii
(B) i, ii
(C) ii, iii
(D) ii, iv

27. Hanna is a new security manager for a computer consulting company. She has found out that the company has lost intellectual property in the past because malicious employees installed rogue devices on the network, which were used to capture sensitive traffic. Hanna needs to implement a solution that ensures only authorized devices are allowed access to the company network. Which of the following IEEE standards was developed for this type of protection?
(A) IEEE 802.1AR
(B) IEEE 802.1AE
(C) IEEE 802.1AF
(D) IEEE 802.1XR

28. There are common cloud computing service models. ______ usually requires companies to deploy their own operating systems, applications, and software onto the provided infrastructure. ______ is the software environment that runs on top of the infrastructure. In the ______ model the provider commonly gives the customers network-based access to a single copy of an application.
(A) Platform as a Service, Infrastructure as a Service, Software as a Service
(B) Platform as a Service, Platform as Software, Application as a Service
(C) Infrastructure as a Service, Application as a Service, Software as a Service
(D) Infrastructure as a Service, Platform as Software, Software as a Service

29. ______ is a set of extensions to DNS that provides to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types.
(A) Resource records
(B) Zone transfer
(C) DNSSEC
(D) Resource transfer

30. Which of the following best describes the difference between a virtual firewall that works in bridge mode versus one that is embedded into a hypervisor?
(A) Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a host system.
(B) Bridge-mode virtual firewall allows the firewall to monitor individual network links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system.
(C) Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system.
(D) Bridge-mode virtual firewall allows the firewall to monitor individual guest systems, and hypervisor integration allows the firewall to monitor all activities taking place within a network system.

CISSP Certification Exam (Communication Security and Network Security) Mock Exam 1: Answers and Explanations

1. Correct answer: D
Explanation: D is correct. The data link layer (Layer 2) of the OSI model is responsible for adding headers and trailers to packets, preparing them to be converted into the binary format suitable for transmission over LAN and WAN lines. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) sublayer, defined in the IEEE 802.2 specification, which communicates with the network layer above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which describes the network interface according to the requirements of the physical layer protocol; the specification of this sublayer therefore depends on the physical layer technology. The IEEE MAC format for Ethernet is 802.3, for Token Ring 802.5, for wireless LAN 802.11, and so on. So when you see a reference to an IEEE standard such as 802.11 or 802.16, it refers to a protocol that works at the MAC sublayer of the data link layer in the protocol stack.
A is incorrect because LCL is a distractor. The acronym for the data link sublayer is LLC, which stands for Logical Link Control. By providing multiplexing and flow control mechanisms, the LLC allows network protocols to coexist in a multipoint network and be transmitted over the same network medium.
B is incorrect because LCL is a distractor. The sublayers of the data link layer are the Logical Link Control sublayer and the Media Access Control sublayer. In addition, LLC is defined in the IEEE 802.2 specification, not in IEEE 802.1. The IEEE 802.1 specification concerns the protocol layers above the MAC and LLC sublayers; it addresses LAN/MAN architecture, network management, interconnection between LANs and WANs, and link security.
C is incorrect because Network is not a sublayer of the data link layer. The sublayers of the data link layer are the Logical Link Control sublayer and the Media Access Control sublayer. LLC sits between the network layer (the layer immediately above the data link layer) and the MAC sublayer. Also, LLC is defined in IEEE 802.2, not in IEEE 802.1. As explained above, the IEEE 802.1 standard addresses LAN/MAN architecture, network management, LAN-WAN interconnection, and link security. The four active working groups of IEEE 802.1 are Internetworking, Security, Audio/Video Bridging, and Data Center Bridging.
Knowledge area: Communication Security and Network Security

2. Correct answer: A
Explanation: A is correct. Open mail relay servers are not an effective countermeasure against spam. In fact, spammers frequently use them to send spam because they allow attackers to hide their identity. An open mail relay is an SMTP server configured to accept inbound SMTP requests from anyone and to send SMTP requests to anyone on the Internet. This is how the Internet originally worked, but today many relays have been properly configured to prevent attackers from using them to send spam or pornographic mail.
B is incorrect because a properly configured mail relay server only allows mail to be sent from or received for known users. A closed mail relay prevents the spread of spam in this way. To be a closed relay, an SMTP server should be set up to accept and forward mail from local IP addresses to local mailboxes, from local IP addresses to non-local mailboxes, from known and trusted IP addresses to local mailboxes, and from authenticated and authorized users. Open servers are considered the result of a lack of system administration.
C is incorrect because using a spam filter at the e-mail gateway is the most common countermeasure against spam. Doing so helps protect network and server capacity, reduces the risk of legitimate e-mail being discarded, and saves users' time. A large number of commercial spam filters based on various algorithms are available. The filtering software takes received mail as input and then either forwards it unchanged to the recipient, redirects the message elsewhere, or discards it.
D is incorrect because filtering at the client is a countermeasure against spam. In fact, filtering can take place at the gateway (the most common approach), on the e-mail server, or on the client. Likewise, there are many filtering methods. Keyword-based filtering was once very popular but is now obsolete, because it easily produces false positives and spammers can easily bypass it. The filters used today are more sophisticated, such as those based on statistical analysis or on analysis of e-mail traffic patterns.
Knowledge area: Communication Security and Network Security
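The four closed-relay rules listed under option B of question 2 amount to an access-control decision taken for every RCPT TO command. The Python below is an added example, not part of the exam or its answer key: it encodes those four rules as a policy function, places an always-accept open-relay policy beside it for contrast, and counts how many constructed transactions each policy would relay for an unauthenticated stranger to a non-local mailbox, which is the spammer's use case. The domains, networks and addresses are constructed sample values; in a real deployment the server additionally accepts inbound Internet delivery for its own domains, which the page's third rule covers only for known, trusted peers.

```python
import ipaddress

# Constructed sample environment (not from the exam page): the domains this
# server hosts, the LAN its own users sit on, and one trusted partner MX.
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED_PEERS = [ipaddress.ip_network("198.51.100.10/32")]


def _in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in networks)


def is_local_mailbox(rcpt):
    """A recipient is local when its domain part is one we host."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def closed_relay_decision(client_ip, rcpt, authenticated=False):
    """Apply the four closed-relay rules to one RCPT TO command.

    Returns (accept, reason). Anything not matched by a rule is refused,
    which is exactly what an open relay fails to do.
    """
    ip = ipaddress.ip_address(client_ip)
    local_src = _in_any(ip, LOCAL_NETWORKS)
    trusted_src = _in_any(ip, TRUSTED_PEERS)
    local_dst = is_local_mailbox(rcpt)

    if authenticated:
        return True, "authenticated and authorized user"
    if local_src and local_dst:
        return True, "local IP to local mailbox"
    if local_src and not local_dst:
        return True, "local IP to non-local mailbox (outbound)"
    if trusted_src and local_dst:
        return True, "known, trusted IP to local mailbox"
    return False, "relay denied: untrusted client, non-local recipient, no auth"


def open_relay_decision(client_ip, rcpt, authenticated=False):
    """An open relay: accepts from anyone, to anyone. Shown only for contrast."""
    return True, "open relay accepts everything"


# Constructed SMTP transactions: (client IP, recipient, authenticated?)
SAMPLE_TRANSACTIONS = [
    ("192.0.2.15", "alice@example.com", False),    # own user, own mailbox
    ("192.0.2.15", "bob@other.org", False),        # own user sending out
    ("198.51.100.10", "alice@example.com", False), # trusted peer delivering in
    ("203.0.113.7", "bob@other.org", False),       # stranger relaying out: spam path
    ("203.0.113.7", "bob@other.org", True),        # roaming user who authenticated
]


def relay_abuse_count(decide=closed_relay_decision):
    """Number of sample transactions the policy would relay for an
    unauthenticated stranger to a non-local mailbox (the spammer's case)."""
    abused = 0
    for client_ip, rcpt, auth in SAMPLE_TRANSACTIONS:
        accept, _ = decide(client_ip, rcpt, auth)
        stranger = not _in_any(ipaddress.ip_address(client_ip),
                               LOCAL_NETWORKS + TRUSTED_PEERS)
        if accept and stranger and not auth and not is_local_mailbox(rcpt):
            abused += 1
    return abused


if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        print(tx, closed_relay_decision(*tx))
    print("closed relay abuse count:", relay_abuse_count())
    print("open relay abuse count:", relay_abuse_count(open_relay_decision))
```

The only transaction the closed policy refuses is the fourth one, a stranger asking the server to carry mail to someone else's domain; the same transaction is accepted by the open-relay policy, which is the configuration the explanation describes as the result of absent administration.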

3. Correct answer: C
Explanation: C is correct. Many current e-commerce architectures use a three-tier approach. The three-tier architecture is a client/server architecture in which the user interface, functional process logic, and data storage typically run on separate platforms as independently developed and maintained components. The modularity of the three-tier architecture allows any of the three tiers to be upgraded or modified as needed without affecting the other two. In e-commerce, the presentation tier is the front-end Web server that interacts with the user; it can serve both static content and cached dynamic content. The business logic tier is where requests are formatted and processed; it is usually an application server at the dynamic content processing and generation level. The data store is where sensitive data is kept; it is a back-end database that contains both the data and the database management system software that manages and provides access to that data. These separate tiers can be connected by middleware and can run on their own physical servers.
A is incorrect because the two-tier model, or client/server, describes an architecture in which a server provides services to one or more requesting clients. Many current business applications and Internet protocols use this client/server model. The architecture uses two systems: a client and a server. The client is one tier and the server is another, hence the name two-tier architecture. Each instance of the client software connects to one or more servers. The client sends a request for information to the server, which processes the request and returns data to the client. For requests coming from the Internet, a three-tier architecture is a better way to protect sensitive information: it has one more tier than the two-tier model, and an attacker must get through that tier to reach sensitive data on the back-end server.
B is incorrect because a screened host architecture means that the server is protected by a firewall, which is essentially a one-tier architecture. An external, public-facing firewall screens requests from untrusted networks such as the Internet. If that tier (the single firewall) is compromised, an attacker can fairly easily reach sensitive data on the server.
D is incorrect because although splitting DNS servers into public and private ones provides some protection, it is not a true architecture that achieves the goal posed in the question. An organization should split its DNS (public and private), meaning the DNS server in the DMZ handles external resolution requests while the internal DNS server handles only internal requests. This helps ensure that the internal DNS has a layer of protection and is not exposed to Internet connections.
Knowledge area: Communication Security and Network Security

4. Correct answer: B
Explanation: B is correct. The two main protocols working at the transport layer of the TCP/IP stack are TCP and UDP. TCP is a reliable, connection-oriented protocol, meaning it ensures packets are delivered to the destination computer. If a packet is lost in transit, TCP is able to identify the problem and resend the lost or damaged packet. TCP is called connection-oriented because the two systems that want to communicate perform a handshake before user data is actually sent. Once the handshake completes successfully, a virtual connection is established between the two systems. UDP is considered a connectionless protocol because it does not go through these steps. Instead, UDP sends messages without contacting the destination computer, and it does not know whether packets were received correctly or dropped. TCP provides a full-duplex, reliable communication mechanism; if packets are lost or corrupted, they are resent. However, TCP requires much more overhead than UDP. If a programmer knows that data lost in transit will not harm the application, they may choose UDP because it is faster and requires fewer resources.
A is incorrect because the description is reversed. UDP is a connectionless protocol that neither sends nor receives acknowledgments when datagrams are received. UDP does not ensure that data reaches its destination; it provides best-effort service. TCP is a connection-oriented protocol; it handshakes with the destination computer, establishes a virtual connection, and guarantees that data reaches its destination.
C is incorrect because UDP does not provide security services. TCP is more reliable and provides more services than UDP. Unlike UDP, TCP ensures packets reach their destination and sends an acknowledgment when packets are received, which makes it a reliable protocol. It supports flow control and congestion control, error detection, and error correction.
D is incorrect because the description given for UDP actually describes TCP. UDP does not return acknowledgments and does not ensure packets reach the destination; it is an unreliable protocol. Furthermore, the destination computer does not report flow-control information back to the source over UDP.
Knowledge area: Communication Security and Network Security

5. Correct answer: A
Explanation: A is correct. UDP and TCP are the transport protocols that applications use to get data across the network. Both protocols use ports to communicate with the OSI layers above them and to keep track of the various sessions taking place at the same time. These ports are also the mechanism that identifies how other computers access services. When a TCP or UDP message is formed, the source and destination ports are included in the header along with the source and destination IP addresses. Together these form a socket: from the destination address the packet knows where to go, and from the port number it knows how to communicate with the right service or protocol on the other computer. The IP address is the doorway to the computer, and the port is the door to the actual protocol or service. To communicate properly, the packet needs to know about both doors.
B is incorrect because an IP address does not tell a packet how to communicate with a service or protocol. The purpose of an IP address is to identify and address a host or network interface. Every node on the network has a unique IP address. This information, together with the source and destination ports, makes up a socket. The IP address tells the packet where to go, while the port indicates how to communicate with the right service or protocol.
C is incorrect because a port only tells the packet how to communicate with the right service or protocol; it does not tell the packet where to go. The IP address provides that information. A port is a communication endpoint used by IP protocols such as TCP and UDP. Ports are identified by a number and are associated with an IP address and with the protocol used for the communication.
D is incorrect because a frame is the term for a datagram after the data link layer has added a header and trailer
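The handshake-versus-fire-and-forget contrast in the explanation for question 4, and the socket as IP address plus port in question 5, can both be observed on the loopback interface. The Python below is an added example, not part of the exam or its answer key. It assumes a working 127.0.0.1 and allocates its own ephemeral ports: a TCP connect to a listening port completes the handshake and yields a (local address, remote address) pair, a TCP connect to a port with no listener is refused, and a UDP datagram to that same closed port is handed off without error because nothing was ever contacted.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: the loopback interface is available


def start_tcp_listener():
    """Bind a TCP listener on an ephemeral loopback port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Pick a loopback port that currently has no listener (constructed for the demo)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((LOOPBACK, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def tcp_connect(port, timeout=1.0):
    """Attempt the TCP three-way handshake. True if it completes, False if refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        try:
            c.connect((LOOPBACK, port))
            return True
        except (ConnectionRefusedError, socket.timeout):
            return False


def connected_socket_tuple(port):
    """After a successful handshake, return ((src_ip, src_port), (dst_ip, dst_port)).
    The addresses say where the packets go; the ports say which service they reach."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.connect((LOOPBACK, port))
        return c.getsockname(), c.getpeername()


def udp_send(port, payload=b"hello"):
    """Send one datagram. sendto() returns the byte count whether or not anything
    is listening: UDP never contacts the destination first."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        return u.sendto(payload, (LOOPBACK, port))


if __name__ == "__main__":
    srv, open_port = start_tcp_listener()
    print("TCP to listener:", tcp_connect(open_port))
    print("socket tuple:", connected_socket_tuple(open_port))
    srv.close()
    closed_port = reserve_closed_port()
    print("TCP to closed port:", tcp_connect(closed_port))
    print("UDP bytes handed off to closed port:", udp_send(closed_port))
```

The contrast is the point: TCP learns immediately that no service is behind the closed port (the handshake fails), while UDP reports success for the same destination because delivery is never confirmed, which is the "does not know whether packets were received or dropped" behaviour the explanation describes.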

Copyright 2008-2019 麦多课文库 (www.mydoc123.com). All rights reserved.