61. Some of the features of the Kerberos authentication system:
- Uses a client-server based architecture.
- The Kerberos server, referred to as the KDC (Key Distribution Center), implements
the Authentication Service (AS), which issues ticket-granting tickets, and the
Ticket Granting Service (TGS), which issues service tickets.
- The term "application server" generally refers to Kerberized
programs that clients communicate with using Kerberos tickets for
authentication purposes. For example, the Kerberos telnet daemon (telnetd) is
an application server.
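The three exchanges behind the AS, TGS and application server roles listed above, as an added example that is not part of the original notes or of any Kerberos implementation. It uses a toy cipher (a SHA-256 keystream plus an HMAC tag, assumed here only so that wrong keys are detectable) in place of the real Kerberos encryption types, derives long-term keys with PBKDF2 instead of the real string-to-key function, and omits pre-authentication; the principal names, realm and passwords are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time


# Toy cipher for illustration only: SHA-256 keystream XORed over the plaintext plus
# an HMAC tag so a wrong key is detected. Real Kerberos uses AES-based encryption
# types; what matters here is which key encrypts which message.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> dict:
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> dict:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str, realm: str, principal: str) -> bytes:
    # Stand-in (assumption) for Kerberos' string-to-key function; realm+principal is the salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)


class KDC:
    """Key Distribution Center: runs both the AS and the TGS and holds every principal's key."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.keys = {p: long_term_key(pw, realm, p) for p, pw in passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)  # TGS key; never leaves the KDC

    def authentication_service(self, client: str):
        """AS exchange: issue a TGT. The reply is readable only with the client's key."""
        session_key = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "session_key": session_key.hex(),
                                            "expires": time.time() + 600})
        as_rep = encrypt(self.keys[client], {"session_key": session_key.hex(), "service": "krbtgt"})
        return as_rep, tgt

    def ticket_granting_service(self, tgt: dict, authenticator: dict, service: str):
        """TGS exchange: validate TGT and authenticator, then issue a service ticket."""
        body = decrypt(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(body["session_key"])
        auth = decrypt(session_key, authenticator)  # only the real client knows session_key
        if auth["client"] != body["client"] or body["expires"] < time.time():
            raise PermissionError("TGT invalid or authenticator mismatch")
        service_key = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": body["client"], "session_key": service_key.hex()})
        tgs_rep = encrypt(session_key, {"session_key": service_key.hex(), "service": service})
        return tgs_rep, ticket


def application_server(service_key: bytes, ticket: dict, authenticator: dict) -> str:
    """Kerberized service (e.g. telnetd): checks the ticket with its own key (from its keytab)
    and the authenticator with the session key inside the ticket; returns the client name."""
    body = decrypt(service_key, ticket)
    auth = decrypt(bytes.fromhex(body["session_key"]), authenticator)
    if auth["client"] != body["client"]:
        raise PermissionError("authenticator does not match ticket")
    return body["client"]


def kerberos_login(kdc: KDC, client: str, password: str, service: str) -> str:
    """Full client flow: AS-REQ/REP, TGS-REQ/REP, AP-REQ. The password never leaves the client."""
    key = long_term_key(password, kdc.realm, client)
    as_rep, tgt = kdc.authentication_service(client)
    session_key = bytes.fromhex(decrypt(key, as_rep)["session_key"])  # wrong password -> ValueError
    authenticator = encrypt(session_key, {"client": client, "ts": time.time()})
    tgs_rep, ticket = kdc.ticket_granting_service(tgt, authenticator, service)
    service_key = bytes.fromhex(decrypt(session_key, tgs_rep)["session_key"])
    ap_authenticator = encrypt(service_key, {"client": client, "ts": time.time()})
    return application_server(kdc.keys[service], ticket, ap_authenticator)
```

Note that the AS reply is encrypted under a key derived from the user's password, so anyone who can request it can guess passwords offline against it; real Kerberos mitigates this with pre-authentication, which this toy omits.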
62. Biometric authentication depends on a physical characteristic of a
human being (something you are); it is not something that can be remembered, like a
password. Biometric authentication is usually very secure, though it is not widely
used due to cost constraints.
63. The standard IEEE 802.1X defines port-based network access control: a device is
authenticated before its switch port or wireless association is admitted to the
network. It is used on both wired and wireless LANs and is not itself a wireless
standard. Various wireless LAN protocols are given below:
- IEEE 802.11 – supports data rates of 1 and 2 Mbps in the 2.4 GHz band
- IEEE 802.11a – supports data rates up to 54 Mbps in the 5 GHz band
- IEEE 802.11b – supports data rates up to 11 Mbps in the 2.4 GHz band
- IEEE 802.3 describes the CSMA/CD Ethernet standard.
- IEEE 802.5 describes Token Ring networks.
- IEEE 802.4 is a standard for Token Bus networks.
Note that the IEEE 802.11 family (often written loosely as 802.11x) is the standard
that pertains to wireless LANs; do not confuse it with 802.1X.
64. IPSec uses the Authentication Header (AH) and Encapsulating Security Payload
(ESP) protocols for transporting packets securely over the Internet. AH provides
integrity and origin authentication; ESP additionally provides confidentiality. Note
that PPTP and L2TP are tunneling protocols, whereas IPSec provides strong
65. File Transfer Protocol (FTP) transfers files in unencrypted form. Even the
authentication occurs in clear text for FTP and Telnet. An attacker who can sniff
the traffic can capture the user name and password and use them to gain access to
the FTP server.
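What "authentication in clear text" means for someone on the wire, as an added example not taken from the original notes: a few lines of constructed FTP control-channel traffic (the host name, user and password are made up) and a parser that pulls the credentials straight out of it, which is all a sniffer needs to do.

```python
import re

# Constructed FTP control-channel transcript, as a sniffer on the path would see it.
# "C>" lines come from the client, "S>" lines from the server.
CAPTURE = """\
S> 220 ftp.example.test FTP server ready.
C> USER alice
S> 331 Password required for alice.
C> PASS s3cret-pw
S> 230 User alice logged in.
C> RETR payroll.xls
S> 150 Opening BINARY mode data connection.
C> QUIT
"""


def extract_ftp_credentials(capture: str):
    """Return (user, password) pairs recovered from cleartext FTP control traffic.

    FTP sends USER and PASS as separate commands, so the parser pairs a PASS with the
    most recent USER. A failed login followed by a retry produces a second pair."""
    creds, pending_user = [], None
    for line in capture.splitlines():
        m = re.match(r"C> (\S+)(?: (.*))?$", line)   # client commands only
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            creds.append((pending_user, arg))
            pending_user = None
    return creds


def transferred_files(capture: str):
    """File names requested with RETR/STOR, also visible in the clear."""
    return re.findall(r"^C> (?:RETR|STOR) (.+)$", capture, flags=re.MULTILINE)
```

The fix is not a stronger password but a transport that encrypts the control channel: SFTP (over SSH) or FTPS (FTP over TLS), and SSH in place of Telnet.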
66. NetStumbler can be used to discover wireless networks during wardriving. The
software tool provides several details of a wireless network, such as its SSID. PPTP
is a tunneling protocol. WAP is a protocol, not a software tool. ActiveX is
a software component technology used with Microsoft programming languages such as
Visual Basic and Visual C++.
67. Non-repudiation prevents either the sender or the receiver of a message from
denying having sent or received it. It is typically provided by digital signatures.
68. A secure web page using SSL (Secure Sockets Layer) starts with https instead
of the usual http. SSL uses asymmetric (public-key) cryptography to authenticate the
server and establish a session key, and a symmetric cipher for the data itself; the
"40-bit" or "128-bit" cipher strength refers to that symmetric key. SSL has since
been superseded by TLS.
69. The host-to-host configuration provides the highest security for the data, since
it is protected end to end. However, a gateway-to-gateway VPN is transparent to the
end users.
70. Any software is inherently prone to vulnerabilities. Therefore, software
manufacturers provide updates or patches to the software from time to time.
These updates usually take care of known vulnerabilities, so it is
important to apply them.
Additional functionality is also one of the reasons for applying software
updates. However, it is often not the compelling reason to apply the
71. Packet filters work at the Network Layer of the OSI model.
- An Application Layer proxy works at the Application Layer of the OSI model.
- Network Address Translation (NAT) is primarily used to hide an internal
network from an external network, such as the Internet. A NAT device
translates internal IP addresses to external IP addresses and
vice versa. This ensures that external users do not see the
internal IP addresses, and hence cannot address the internal hosts directly.
- A firewall implemented with stateful inspection technology (like the Check Point
firewall) tracks the state of each connection at the network and transport layers
and can inspect data from the higher layers as well.
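The difference between a stateless packet filter, a stateful firewall and NAT, as an added example that is not from the original notes or from any vendor's product. Each packet is a constructed 5-tuple (addresses from the RFC 5737 documentation ranges and 10.0.0.0/8); the rule format, the connection table and the port-mapping scheme are assumptions made for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet, rules) -> bool:
    """Layer 3/4 packet filter: each packet is judged on its own header against
    (allow, sport, dport) rules, None being a wildcard; first match wins, default deny."""
    for allow, sport, dport in rules:
        if (sport is None or sport == pkt.sport) and (dport is None or dport == pkt.dport):
            return allow
    return False


class StatefulFirewall:
    """Remembers connections opened from the inside and admits only their replies."""

    def __init__(self):
        self.table = set()

    def outbound(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:  # new connection initiated from inside
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


class NAT:
    """Port address translation: (internal ip, port) <-> (public ip, port)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.mappings = {}        # public port -> (internal ip, internal port)
        self.next_port = 40000    # assumed start of the translation port pool

    def translate_out(self, pkt: Packet) -> Packet:
        inside = (pkt.src, pkt.sport)
        for pport, mapped in self.mappings.items():
            if mapped == inside:
                break
        else:
            pport, self.next_port = self.next_port, self.next_port + 1
            self.mappings[pport] = inside
        return replace(pkt, src=self.public_ip, sport=pport)   # outside sees only the public IP

    def translate_in(self, pkt: Packet):
        mapped = self.mappings.get(pkt.dport)
        if mapped is None:
            return None   # unsolicited packet: no mapping, so no internal host is reachable
        return replace(pkt, dst=mapped[0], dport=mapped[1])


def demo() -> dict:
    inside = Packet("10.0.0.7", 51000, "198.51.100.20", 80, syn=True)          # web request
    reply = Packet("198.51.100.20", 80, "10.0.0.7", 51000, syn=True, ack=True)  # legitimate reply
    probe = Packet("192.0.2.99", 80, "10.0.0.7", 51000, syn=True)              # attacker sets sport 80

    # A stateless filter that must let web replies in has to trust the source port.
    inbound_rules = [(True, 80, None)]

    fw = StatefulFirewall()
    fw.outbound(inside)

    nat = NAT("203.0.113.5")
    outside_view = nat.translate_out(inside)
    nat_reply = Packet("198.51.100.20", 80, "203.0.113.5", outside_view.sport, syn=True, ack=True)
    unsolicited = Packet("192.0.2.99", 4444, "203.0.113.5", 22, syn=True)

    return {
        "stateless_reply": stateless_filter(reply, inbound_rules),   # True
        "stateless_probe": stateless_filter(probe, inbound_rules),   # True: the weakness
        "stateful_reply": fw.inbound(reply),                         # True
        "stateful_probe": fw.inbound(probe),                         # False: no matching state
        "outside_sees": outside_view.src,                            # "203.0.113.5"
        "nat_reply_dst": nat.translate_in(nat_reply).dst,            # "10.0.0.7"
        "nat_unsolicited": nat.translate_in(unsolicited),            # None
    }
```

The point the page makes about layers shows up in the code: the stateless filter and NAT look only at addresses and ports, while the stateful firewall additionally keeps a table of which side opened each connection, which is what lets it refuse the forged "reply" that the stateless rule has to admit.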
72. The employees of a company typically use an Intranet within the company. The
customers and vendors of the company use an Extranet. An Extranet is basically an
extension of the Intranet over the public Internet. A typical use is when a company has
multiple vendors and does order processing and inventory control on-line.
Note that, on the other hand, the Internet is accessible to everybody, i.e. the general
The benefit of implementing Intranets and Extranets is security and
customization. Intranets and Extranets are relatively safe because the general
public cannot access these networks. Intranets and Extranets are usually
connected securely by means of a Virtual Private Network (VPN).
73. IDS stands for Intrusion Detection System. There are primarily two types
of IDS: network based (NIDS) and host based (HIDS). If the
IDS monitors network-wide communication, it is a network based IDS; if
it monitors security on a per-host basis (logs, files, processes), it is a host based IDS.
74. The first thing to be done when an intrusion is detected is to contain the
damage. For example, if the intrusion is in the form of an unauthorized user,
ensure that the user cannot access any network resource.
75. ISAKMP (short for Internet Security Association and Key Management Protocol)
defines the payloads and exchanges for negotiating security associations and for
exchanging key generation and authentication data. IKE, the key exchange used by
IPSec, is built on the ISAKMP framework.
76. A cryptographic hash function is a "one-way" operation. It is
practically impossible to deduce the input data that produced the output
By contrast, an encrypted message can be decrypted using the matching key. Similarly,
a digital certificate is issued by a CA and is signed rather than encrypted; anyone can
verify the signature and read the contents of the
77. The disadvantages of using symmetric encryption over asymmetric encryption
are given below:
- Inability to support non-repudiation: since both the sender and receiver
use the same key, it is not possible to tell which of them produced a message, should a
- Impractical for web commerce: imagine thousands of customers buying goods
and services over the Internet. If symmetric encryption is used,
one unique secret key needs to be shared with each customer. It is therefore,
- Another major difficulty is the distribution of the secret key. With
symmetric encryption, the key needs to be transmitted to the other
party for decryption, which may pose a security risk.
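The non-repudiation point of items 67 and 77, and the hash-then-sign use of the one-way function from item 76, as an added example not taken from the original notes: with a shared symmetric key (HMAC) the receiver can produce a valid tag for a message the sender never wrote, so the tag proves nothing about who wrote it; with a signature only the private-key holder can. The RSA here is textbook (no padding, toy key size, a home-grown Miller-Rabin test), written for the example only and not fit for real use; the message contents and key sizes are assumptions.

```python
import hashlib
import hmac
import secrets


def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; adequate for a toy key, not a substitute for a crypto library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # fixed length, odd
        if _probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024):
    """Textbook RSA key pair: returns ((n, e), (n, d)). Toy size, no padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(msg: bytes) -> int:
    # Hash-then-sign: the one-way hash fixes the message before the private key touches it.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(private, msg: bytes) -> int:
    n, d = private
    return pow(_digest_int(msg), d, n)


def verify(public, msg: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_int(msg)


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)


def demo() -> dict:
    shared = secrets.token_bytes(32)           # symmetric key known to both Alice and Bob
    order = b"transfer 100 to bob"             # constructed message from Alice
    forged = b"transfer 1000 to bob"           # message Bob would like Alice to have sent

    tag = mac(shared, order)
    bobs_tag = mac(shared, forged)             # Bob holds the same key, so this tag is valid

    pub, priv = rsa_keygen(1024)
    sig = sign(priv, order)
    return {
        "mac_ok": mac_verify(shared, order, tag),               # True
        "mac_forgery_ok": mac_verify(shared, forged, bobs_tag),  # True: no non-repudiation
        "sig_ok": verify(pub, order, sig),                      # True
        "sig_on_forgery": verify(pub, forged, sig),             # False: Bob has no d
    }
```

A third party shown the HMAC tag learns nothing about authorship, since either key holder could have made it; shown the signature, it can attribute the message to the private-key holder, which is what non-repudiation requires.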
78. Whether required or not, several services are installed by default.
Disabling the services that are not required will ensure better security for the
79. A rootkit is a collection of tools that enable administrator-level access to
a computer while hiding their own presence. Typically, an attacker installs a rootkit
on a computer after first obtaining user-level access, either by exploiting a known
vulnerability or cracking a password. Once the rootkit is installed, it allows the
attacker to gain and retain root access to the computer and, possibly, reach other
machines on the network. A rootkit may consist of spyware and other programs that
monitor traffic, keystrokes, etc., using a "backdoor" into the system.
80. Computer based access controls prescribe not only who or what process may
have access to a given resource, but also the type of access that is permitted.
These controls may be implemented in the computer system or in external devices.
Different types of access control are:
- Mandatory access control
- Discretionary access control
- Rule based access control
- Role based access control
Mandatory Access Control (MAC) secures information by assigning sensitivity
labels to objects (resources) and comparing them with the clearance level at which a
subject (user) is operating. MAC ensures that users only have access to
data whose security label is matched or dominated by their clearance. In general, MAC
mechanisms are more restrictive, and therefore more secure, than DAC.
MAC is usually appropriate for extremely secure systems, including multilevel
secure military applications or mission critical data applications.
Discretionary Access Control (DAC) is a
means of restricting access to information based on the identity of users and/or
membership in certain groups. Access decisions are typically based on the
authorizations granted to a user based on the credentials presented at the
time of authentication (user name, password, hardware/software token, etc.). In
most typical DAC models, the owner of the information or resource is able to
change its permissions at his or her discretion. DAC has the drawback that
administrators cannot centrally manage the permissions on
files/information stored on the server.
Role Based Access Control (RBAC): In Role-Based Access Control (RBAC), access
decisions are based on an individual's roles and responsibilities within the
organization. For instance, in a corporation, the different roles of users may
include chief executive, manager, executive, and clerk. These
roles require different levels of access in order to perform their
functions, and the types of web transactions and their allowed context also vary
greatly depending on the security policy. In Role Based Access Control, the
administrator defines the roles and their permissions. Therefore, this type of
access control is sometimes considered a subset of MAC.
Rule Based Access Control (sometimes abbreviated RuBAC to distinguish it from Role
Based Access Control): access to a resource in Rule Based
Access Control is based on a set of rules. ACLs (Access Control Lists) are used for
this type of access control. In Rule Based Access Control, the administrator
sets the rules. Therefore, this type of access control is sometimes considered
a subset of MAC.
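The four models above as decision functions, an added example that is not from the original notes. It shows where the decision comes from in each case: a label comparison (MAC), a per-object ACL that only the owner may change (DAC), a user-to-role-to-permission lookup (role based), and an ordered rule list (rule based). The levels, user names, roles, permissions and networks are constructed for the example.

```python
import ipaddress

# --- Mandatory access control: object labels compared with subject clearances ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_read_allowed(clearance: str, label: str) -> bool:
    """Read permitted only when the subject's clearance matches or dominates the label ("no read up")."""
    return LEVELS[clearance] >= LEVELS[label]


# --- Discretionary access control: the owner decides, via a per-object ACL ---
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor: str, user: str, *perms: str) -> None:
        if actor != self.owner:                     # discretion belongs to the owner alone
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).update(perms)

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


# --- Role based access control: permissions attach to roles, users to roles ---
ROLE_PERMS = {
    "clerk": {"create_order"},
    "manager": {"create_order", "approve_order"},
    "executive": {"approve_order", "view_financials"},
}
USER_ROLES = {"dana": {"clerk"}, "mei": {"manager"}, "raj": {"executive", "manager"}}


def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


# --- Rule based access control: an ordered ACL, first matching rule wins ---
RULES = [
    ("allow", "10.0.0.0/8", 22),     # ssh only from the internal network
    ("deny", "0.0.0.0/0", 22),
    ("allow", "0.0.0.0/0", 443),
    ("deny", "0.0.0.0/0", None),     # default deny
]


def rule_allowed(src_ip: str, dport: int) -> bool:
    addr = ipaddress.ip_address(src_ip)
    for action, network, port in RULES:
        if addr in ipaddress.ip_network(network) and port in (None, dport):
            return action == "allow"
    return False
```

The shape of each function is the practical difference between the models: in MAC and the rule list nothing a user does can widen access, which is why the page groups rule based and role based control with MAC, whereas in DAC a single owner's `grant` call changes the policy with no central review.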