1050 お客様のコメント
質問 1:
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network.
Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Blue, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Blue begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Blue, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
Blue responds, "I suggest trust. Not with MassiveCorp, but in our own systems. We must build trusted networks. We must migrate our network from one that is well-defended to one that is well-defended and one that allows us to trust all the network traffic."
The meeting continues for some time, with Blue leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Blue informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Blue has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}
A. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
B. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
C. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
D. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
E. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it's own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
正解:A
質問 2:
You go back through your notes to the day that you recommended that the company get a firewall in place. Red had been convinced that the ISP protected the network, and that a firewall was too much technology on top of the router. Now that you have been given this responsibility, and since you have configured the router already, you wish to get the firewall in place as quickly as possible.
You meet quickly with the CEO and mention that the network currently has no firewall, a serious problem. You inform the CEO that this must be fixed immediately, and that you have several firewall options. For this one instance, the CEO tells you to build the best solution; the decision is not going to be based on direct cost.
Based on your knowledge of and the information you have from MegaCorp, select the best solution to the organization firewall problem:}
A. After analysis, you decide to implement a firewall using Checkpoint NG. You begin by installing a new machine, with a fresh hard drive, and the loading of NG. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one firewall NIC to the Web and FTP server and one firewall NIC to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you configure the IP Addresses on all four network cards of the Checkpoint firewall.
2.Second, you select only the VPN-1 & Firewall-1 components to install and complete the
installation of Checkpoint.
3.Third, you configure the only new inbound network traffic to be destined for the WWW and FTP
services on the Web and FTP server
4.Fourth, you block all other incoming traffic.
5.Fifth, you create anti-spoofing rules to block inbound traffic that might be spoofed.
6.Sixth, you configure all traffic to be allowed in the outbound direction
B. After you analyze the network, you have decided that you are going to implement a firewall using Microsoft ISA Server. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one NIC to the Web and FTP server and one NIC to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you format a new hard drive and install a new copy of Windows 2000 Server.
2.Second, you configure the correct IP Addresses on the four network cards.
3.Third, you install ISA Server into Firewall only mode, and complete the installation.
4.Fourth, you configure all inbound traffic to require the SYN flag to be set, all other inbound
network traffic is denied
5.Fifth, you configure the network card towards the Web and FTP server will only allow ports 80,
20, and 21.
6.Sixth, you configure all outbound traffic to be allowed.
C. After you analyze the company, you decide to implement a firewall using Microsoft ISA Server. You create a DMZ with the Web and FTP server on the network segment between the router and the new firewall. The firewall will have two NICs, one connected to the router, and one connected to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you install a new version of ISA Server, installed in Firewall mode.
2.Second, you configure the inbound network card to disallow all network traffic that did not
originate from inside the network or from the Web and FTP Server.
3.Third, you configure anti-spoofing rules to prevent spoofing attacks.
4.Fourth, you configure all outbound traffic to be allowed.
5.Fifth, you configure inbound traffic with the SYN flag on to be allowed, and to be logged to a
SYSLOG server inside the network.
D. After you run an analysis on the network and the MegaCorp needs, you decide to implement a firewall using Checkpoint NG. The firewall will have three NICs. One NIC is connected to the router, one NIC is connected to the Web and FTP server and one NIC is connected to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you install a new version of Checkpoint NG, selecting the VPN-1 and Firewall-1 components, and complete the installation. 2.Second, you configure the inbound rules to allow only SYN packets that are destined for ports 80, 20, and 21 on the Web and FTP server. 3.Third, you disallow all inbound traffic for the internal network, unless it is in response to an outbound request. 4.Fourth, you configure anti-spoofing rules on the inbound interface and log those connections to a log server.
E. You decide to take advantage of the features of Microsoft ISA Server and Checkpoint NG. You implement two firewalls, each with two network cards. From one Ethernet interface of the router, you connect to a Checkpoint firewall, and from the other Ethernet interface on the router, you connect to a Microsoft ISA firewall.
The Checkpoint firewall is connected via one NIC to the router, and the other NIC is connected to
the Web and FTP Server. The Microsoft ISA Server is connected via one NIC to the router and the
other NIC is connected to the LAN switch.
You perform the following steps and configurations to setup the firewalls:
1.First, you configure the IP Address on both network cards of both firewalls.
2.Second, you select the Floodgate-1, SMART Clients, and Policy Server as the only components
to install and complete the installation of Checkpoint.
3.Third, you configure the Checkpoint firewall so only Web and FTP traffic are allowed inbound.
4.Fourth, you select the Cache Mode option during the install of ISA Server and complete the
installation of Microsoft ISA Server.
5.Fifth, you allow all outbound traffic through the ISA Server.
6.Sixth, you allow only inbound traffic through the ISA Server that is in response to outbound
requests.
正解:D
質問 3:
By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must deal with, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network.
Since the organization is not very large, you are the only person working in the IT end of the company. It will be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network: Server0001, 10.10.20.101, Windows 2000 Server
Server0010, 10.10.20.102, Windows 2000 Server
Server0011, 10.10.20.103, Windows 2000 Server
Server0100, 10.10.20.104, Linux (Red Hat 8.0)
User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional
The addressing that you recommended months ago is in place, and it follows a distinct logical pattern, you are hoping that no new systems are hidden in the network somewhere.
In the company, you have been granted domain administrator rights, and no other user is authorized to have administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems.
The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}
A. You start the job by running some analysis on the Windows servers. You do this using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and you remove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users.
You then work on the Linux server. To your surprise there are no unauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server.
You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine and address any issues as identified in the Nessus scan, remove any unauthorized applications
B. You being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room.
In the server room, you begin on the Windows servers. You implement a custom security template on each server using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy.
You then work on the Linux server, by addressing each point identified in the Nessus scan. You then lock the system with Bastille, ensure that each system is updated with the latest patches, and run a quick Tripwire scan to create a baseline for the system.
You take your laptop with you as you go throughout the network to each user workstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you remove those applications.
C. The first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objects available through the network, and third you lock the system down with Bastille.
You then work on the Windows servers. You run a check to ensure there are no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches.
Finally, you analyze the user's desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them. You check the systems for hardware changes, and address the issues that you find.
D. You begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities.
You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille.
Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the Gold Standard template on every server.
Finally, you proceed to each user workstation. At each user machine, you follow each step for each system, based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.
E. The first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that the application can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine.
You move on to the Linux server, and run a fast Tripwire check on the system to look for any additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system.
At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are all functioning as fully secure and functional file servers to the network by implementing the HISECWEB.INF template in the Security Configuration and Analysis Snap-In.
Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.
正解:B
質問 4:
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network:
Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Orange, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Orange begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Orange, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
This is news to most people, Yellow, the Vice President of Research asks, "We have the best in firewalls, we have the best in you and your systems, what are you suggesting?"
The meeting continues for some time, with Orange leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Orange informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Orange has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}
A. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
B. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
C. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:A.
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
D. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
E. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
正解:D
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network.
Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Blue, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Blue begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Blue, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
Blue responds, "I suggest trust. Not with MassiveCorp, but in our own systems. We must build trusted networks. We must migrate our network from one that is well-defended to one that is well-defended and one that allows us to trust all the network traffic."
The meeting continues for some time, with Blue leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Blue informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Blue has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}
A. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
B. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
C. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
D. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
E. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it's own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
正解:A
質問 2:
You go back through your notes to the day that you recommended that the company get a firewall in place. Red had been convinced that the ISP protected the network, and that a firewall was too much technology on top of the router. Now that you have been given this responsibility, and since you have configured the router already, you wish to get the firewall in place as quickly as possible.
You meet quickly with the CEO and mention that the network currently has no firewall, a serious problem. You inform the CEO that this must be fixed immediately, and that you have several firewall options. For this one instance, the CEO tells you to build the best solution; the decision is not going to be based on direct cost.
Based on your knowledge of and the information you have from MegaCorp, select the best solution to the organization firewall problem:}
A. After analysis, you decide to implement a firewall using Checkpoint NG. You begin by installing a new machine, with a fresh hard drive, and the loading of NG. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one firewall NIC to the Web and FTP server and one firewall NIC to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you configure the IP Addresses on all four network cards of the Checkpoint firewall.
2.Second, you select only the VPN-1 & Firewall-1 components to install and complete the
installation of Checkpoint.
3.Third, you configure the only new inbound network traffic to be destined for the WWW and FTP
services on the Web and FTP server
4.Fourth, you block all other incoming traffic.
5.Fifth, you create anti-spoofing rules to block inbound traffic that might be spoofed.
6.Sixth, you configure all traffic to be allowed in the outbound direction
B. After you analyze the network, you have decided that you are going to implement a firewall using Microsoft ISA Server. The new firewall will have four NICs. You connect the two Ethernet interfaces on the routers to two of the firewall NICs. You connect one NIC to the Web and FTP server and one NIC to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you format a new hard drive and install a new copy of Windows 2000 Server.
2.Second, you configure the correct IP Addresses on the four network cards.
3.Third, you install ISA Server into Firewall only mode, and complete the installation.
4.Fourth, you configure all inbound traffic to require the SYN flag to be set, all other inbound
network traffic is denied
5.Fifth, you configure the network card towards the Web and FTP server will only allow ports 80,
20, and 21.
6.Sixth, you configure all outbound traffic to be allowed.
C. After you analyze the company, you decide to implement a firewall using Microsoft ISA Server. You create a DMZ with the Web and FTP server on the network segment between the router and the new firewall. The firewall will have two NICs, one connected to the router, and one connected to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you install a new version of ISA Server, installed in Firewall mode.
2.Second, you configure the inbound network card to disallow all network traffic that did not
originate from inside the network or from the Web and FTP Server.
3.Third, you configure anti-spoofing rules to prevent spoofing attacks.
4.Fourth, you configure all outbound traffic to be allowed.
5.Fifth, you configure inbound traffic with the SYN flag on to be allowed, and to be logged to a
SYSLOG server inside the network.
D. After you run an analysis on the network and the MegaCorp needs, you decide to implement a firewall using Checkpoint NG. The firewall will have three NICs. One NIC is connected to the router, one NIC is connected to the Web and FTP server and one NIC is connected to the LAN switch.
You perform the following steps and configurations to setup the firewall:
1.First, you install a new version of Checkpoint NG, selecting the VPN-1 and Firewall-1 components, and complete the installation. 2.Second, you configure the inbound rules to allow only SYN packets that are destined for ports 80, 20, and 21 on the Web and FTP server. 3.Third, you disallow all inbound traffic for the internal network, unless it is in response to an outbound request. 4.Fourth, you configure anti-spoofing rules on the inbound interface and log those connections to a log server.
E. You decide to take advantage of the features of Microsoft ISA Server and Checkpoint NG. You implement two firewalls, each with two network cards. From one Ethernet interface of the router, you connect to a Checkpoint firewall, and from the other Ethernet interface on the router, you connect to a Microsoft ISA firewall.
The Checkpoint firewall is connected via one NIC to the router, and the other NIC is connected to
the Web and FTP Server. The Microsoft ISA Server is connected via one NIC to the router and the
other NIC is connected to the LAN switch.
You perform the following steps and configurations to setup the firewalls:
1.First, you configure the IP Address on both network cards of both firewalls.
2.Second, you select the Floodgate-1, SMART Clients, and Policy Server as the only components
to install and complete the installation of Checkpoint.
3.Third, you configure the Checkpoint firewall so only Web and FTP traffic are allowed inbound.
4.Fourth, you select the Cache Mode option during the install of ISA Server and complete the
installation of Microsoft ISA Server.
5.Fifth, you allow all outbound traffic through the ISA Server.
6.Sixth, you allow only inbound traffic through the ISA Server that is in response to outbound
requests.
正解:D
質問 3:
By now, you are feeling confident that the security of the MegaCorp network is getting under control. You are aware that there are still several critical areas that you must deal with, and today you are addressing one of those areas. You have been able to take care of the router, firewall, security policy, and intrusion detection, now you are concerned with some of the hosts in the network.
Since the organization is not very large, you are the only person working in the IT end of the company. It will be up to you to directly work on the systems throughout the network. You make a quick chart of the systems you know should be in the MegaCorp network: Server0001, 10.10.20.101, Windows 2000 Server
Server0010, 10.10.20.102, Windows 2000 Server
Server0011, 10.10.20.103, Windows 2000 Server
Server0100, 10.10.20.104, Linux (Red Hat 8.0)
User systems, 10.10.100.100~10.10.100.200, Windows 2000 Professional
The addressing that you recommended months ago is in place, and it follows a distinct logical pattern, you are hoping that no new systems are hidden in the network somewhere.
In the company, you have been granted domain administrator rights, and no other user is authorized to have administrator, root, supervisor, or otherwise privileged level of access. All the Windows systems are to belong to one windows domain called SCNA.edu. Users are no longer allowed to install unauthorized applications, and are all to use the file servers for storage. Although they have the ability to do so, users are not supposed to store any work data on their local systems.
The servers are located in a server cabinet that is inside your office, so you decide to start working there. Using your knowledge of MegaCorp select the best solution for hardening the MegaCorp operating systems:}
A. You start the job by running some analysis on the Windows servers. You do this using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches. You find several user accounts that have been given local administrator access, and you remove these accounts. You next use the Secedit tool to implement local encryption on the shared hard drive to secure the local files for the network users.
You then work on the Linux server. To your surprise there are no unauthorized root accounts, nor any unauthorized shares. You ensure that the permissions are correct on the shared objects, and run Bastille to lock down the server.
You then work on the client machines. Before you physically sit at each machine, you run a Nessus scan from your office. Bringing the results with you, you go to each machine and address any issues as identified in the Nessus scan, remove any unauthorized applications
B. You being by running a Nessus scan from your office laptop on the systems in the network, first the servers, then the user workstations. After the scans are complete, you store the reports on your laptop, and you take your laptop to the server room.
In the server room, you begin on the Windows servers. You implement a custom security template on each server using the Security Configuration and Analysis Snap-In, remove any unauthorized accounts, ensure that each system is updated with the latest patches, and ensure that the permissions on each shared object are as per policy.
You then work on the Linux server, by addressing each point identified in the Nessus scan. You then lock the system with Bastille, ensure that each system is updated with the latest patches, and run a quick Tripwire scan to create a baseline for the system.
You take your laptop with you as you go throughout the network to each user workstation, ensure that each system is updated with the latest patches, and you take care of each issue you found on the machines. There are a few systems that you find with unauthorized applications and you remove those applications.
C. The first thing you do is to run a Nessus scan against all the servers in the room, noting the findings of the scans. You then begin on the servers by running some tests on the Linux server. First, you run Tripwire on the entire system to ensure that there are no rogue Root accounts, and the test is positive. Second, you ensure that there are no unauthorized objects available through the network, and third you lock the system down with Bastille.
You then work on the Windows servers. You run a check to ensure there are no unauthorized administrator accounts, and there are not. You create a custom security template and implement the template on each server using the Security Configuration and Analysis Snap-In, and you ensure that each system is updated with the latest patches.
Finally, you analyze the user's desktops. You go one by one through the network checking for added user accounts, and you find some. You remove these unauthorized accounts and check for software and applications. Again, you find some applications that are not allowed and you remove them. You check the systems for hardware changes, and address the issues that you find.
D. You begin by running a Nessus scan on each computer in the network, using the \hotfix switch to create a full report. The report identifies every vulnerability on each system and lists the specific changes you must make to each system to fix any found vulnerabilities.
You take the report to the server room and start with the Linux server. On the server, you run through the steps as outlined in the Nessus report, and end by locking the system using Bastille.
Then, you move to the Windows systems, again following the steps of the Nessus report, and ending by using the Security Configuration and Analysis Snap-In to implement the Gold Standard template on every server.
Finally, you proceed to each user workstation. At each user machine, you follow each step for each system, based on your report. Once you have addressed all the vulnerabilities in the systems, you run a quick Secedit scan on each system to ensure that they are all locked down and that proper encryption is configured.
E. The first thing you decide to do is plug your laptop into the server room, and run a full Nessus scan on the entire network, specifically looking for every backdoor vulnerability that the application can check. This takes some time to compile, but you eventually end up with a list of issues to address on each machine.
You move on to the Linux server, and run a fast Tripwire check on the system to look for any additional vulnerabilities. Once that check is done, you install SSH so that all access by every user will be encrypted to the server, and you run Bastille to lock down the system.
At the Windows systems, you address any issues found during the Nessus scan, you ensure that each system is updated with the latest patches, and you ensure that the systems are all functioning as fully secure and functional file servers to the network by implementing the HISECWEB.INF template in the Security Configuration and Analysis Snap-In.
Finally, you work on each desktop machine by removing any vulnerabilities listed in the scan report. You remove a few pieces of unauthorized hardware and many unauthorized applications.
正解:B
質問 4:
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network:
Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Orange, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Orange begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Orange, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
This is news to most people, Yellow, the Vice President of Research asks, "We have the best in firewalls, we have the best in you and your systems, what are you suggesting?"
The meeting continues for some time, with Orange leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Orange informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Orange has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}
A. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
B. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
C. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:A.
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
D. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
E. You design the plan for two weeks, and then you present it to Orange. Your plan follows these
critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
正解:D
Ooki -
SC0-502試験問題と解説があるので、実際どのような問題が出るのかも分かりやすい。きっちりとまとまっていてわかりやすかったです。