817 お客様のコメント
質問 1:
For three years you have worked with MegaCorp doing occasional network and security consulting. MegaCorp is a small business that provides real estate listings and data to realtors in several of the surrounding states. The company is open for business Monday through Friday from 9 am to 6 pm, closed all evenings and weekends. Your work there has largely consisted of advice and planning, and you have been frequently disappointed by the lack of execution and follow through from the full time staff.
On Tuesday, you received a call from MegaCorp's HR director, "Hello, I'd like to inform you that Purple (the full time senior network administrator) is no longer with us, and we would like to know if you are interested in working with us full time."
You currently have no other main clients, so you reply, "Sure, when do you need me to get going?"
"Today," comes the fast and direct response. Too fast, you think. "
What is the urgency, why can this wait until tomorrow?"
"Red was let go, and he was not happy about it. We are worried that he might have done something to our network on the way out."
"OK, let me get some things ready, and Il be over there shortly."
You knew this would be messy when you came in, but you did have some advantage in that you already knew the network. You had recommended many changes in the past, none of which would be implemented by Purple. While pulling together your laptop and other tools, you grab your notes which have an overview of the network:
MegaCorp network notes: Single Internet access point, T1, connected to MegaCorp Cisco router. Router has E1 to a private web and ftp server and E0 to the LAN switch. LAN switch has four servers, four printers, and 100 client machines. All the machines are running Windows 2000. Currently, they are having their primary web site and email hosted by an ISP in Illinois.
When you get to MegaCorp, the HR Director and the CEO, both of whom you already know, greet you. The CEO informs you that Purple was let go due to difficult personality conflicts, among other reasons, and the termination was not cordial. You are to sign the proper employment papers, and get right on the job. You are given the rest of the day to get setup and running, but the company is quite concerned about the security of their network. Rightly so, you think, if these guys had implemented even half of my recommendations this would sure be easier.You get your equipment setup in your new oversized office space, and get started. For the time you are working here, your IP Address is 10.10.50.23 with a mask of \16.
One of your first tasks is to examine the router configuration. You console into the router, issue a show running-config command, and get the following output:
MegaOne#show running-config
Building configuration
Current configuration:
!
version 12.1
service udp-small-servers
service tcp-small-servers
! hostname MegaOne ! enable secret 5 $1$7BSK3$H394yewhJ45JAFEWU73747. enable password clever ! no ip name-server no ip domain-lookup ip routing ! interface Ethernet0 no shutdown ip address 2.3.57.50 255.255.255.0 no ip directed-broadcast ! interface Ethernet1 no shutdown ip 10.10.40.101 255.255.0.0 no ip directed-broadcast ! interface Serial0 no shutdown ip 1.20.30.23 255.255.255.0 no ip directed-broadcast clockrate 1024000 bandwidth 1024 encapsulation hdlc ! ip route 0.0.0.0 0.0.0.0 1.20.30.45
!
line console 0
exec-timeout 0 0
transport input all
line vty 0 4
password remote
login
!
end
After analysis of the network, you recommend that the router have a new configuration. Your goal is to make the router become part of your layered defense, and to be a system configured to help secure the network.
You talk to the CEO to get an idea of what the goals of the router should be in the new configuration. All your conversations are to go through the CEO; this is whom you also are to report to.
"OK, I suggest that the employees be strictly restricted to only the services that they must access on the Internet." You begin.
"I can understand that, but we have always had an open policy. I like the employees to feel comfortable, and not feel like we are watching over them all the time. Please leave the connection open so they can get to whatever they need to get to. We can always reevaluate this in an ongoing basis."
"OK, if you insist, but for the record I am opposed to that policy."
"Noted," responds the CEO, somewhat bluntly.
"All right, let see, the private web and ftp server have to be accessed by the Internet, restricted to the accounts on the server. We will continue to use the Illinois ISP to host our main web site and to host our email. What else, is there anything else that needs to be accessed from the Internet?"
"No, I think that's it. We have a pretty simple network, we do everything in house."
"All right, we need to get a plan in place as well right away for a security policy. Can we set something up for tomorrow?" you ask.
"Let me see, Il get back to you later." With that the CEO leaves and you get to work.
Based on the information you have from MegaCorp; knowing that the router must be an integral part of the security of the organization, select the best solution to the organization's router problem:}
A. You backup the current router config to a temp location on your laptop. Friday night, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#no cdp run MegaOne(config)#no ip source-route MegaOne(config)#no ip finger MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#
B. With the office closed, you decide to build the new router configuration on Saturday. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#no cdp run MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any MegaOne(config)#no ip source-route MegaOne(config)#no ip finger MegaOne(config)#interface serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#
C. You backup the current router config to a temp location on your laptop. Sunday night, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Ethernet 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config)#interface Ethernet 1 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config-if)#^Z MegaOne#
D. You backup the current router config to a temp location on your laptop. Early Monday morning, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#
E. As soon as the office closes Friday, you get to work on the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Ethernet 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config)#interface Ethernet 1 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#^Z MegaOne#
正解:A
質問 2:
Blue thanks you for your plan and design and took it into consideration. You are then informed that Orange has gone ahead and made a new plan, which will incorporate some of your suggestions, but is going to build the network a bit differently. In Testbed and in each remote office there will be a single self-sufficient CA hierarchy, one that is designed to directly integrate with the existing network. Orange mentions that the hierarchy is only to go two-levels deep, you are not to make an extensive hierarchy in any location. This means a distinct CA hierarchy in six locations, inclusive of the Testbed headquarters.
Using this information, choose the solution that will provide for the proper rollout of the Certificate Authorities in the network.}
A. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA 4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Configure users for the CAs 6.Configure each Root CA to trust each other Root CA via cross certification 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
B. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as a Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as the Registration Authority 6.Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
C. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA 4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Once the Subordinate CA is active, take the Root CA offline 6.Configure users for the CAs 7.Configure each Root CA to trust each other Root CA via cross certification 8.Test the CA hierarchy 9.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
D. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Enterprise Registration Authority, as a subordinate to the Enterprise Root CA 6.Once the Subordinate CA is active, take the Enterprise Root CA offline 7.Test the CA hierarchy7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
E. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Registration Authority, as a subordinate to the Enterprise Root CA 6.Test the CA hierarchy 7.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
正解:E
質問 3:
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network.
Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Blue, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Blue begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Blue, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
Blue responds, "I suggest trust. Not with MassiveCorp, but in our own systems. We must build trusted networks. We must migrate our network from one that is well-defended to one that is well-defended and one that allows us to trust all the network traffic."
The meeting continues for some time, with Blue leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Blue informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Blue has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}
A. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
B. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
C. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
D. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
E. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it's own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
正解:A
質問 4:
For the past month, the employees in the executive building have been getting adjusted to their new authentication systems. There was a large spike in help desk calls the first week, which has gone down daily, and now there are fewer login related calls than there was when the office used passwords alone.
During your weekly meeting with Orange, the authentication subject is discussed, "So far, the system is working well. Our call volume has dropped, and it seems that most people are getting used to the tokens. There is one issue, however."
"Really, what that?" you ask.
"It seems that the senior executives are not that keen on carrying the new tokens around with them. They are asking for a way to authenticate without carrying anything, but still have it be secure."
"All right, do we have a budget?"
"Yes, however there are not that many senior executives, so the cost isn't the primary issue; although we do want to keep the costs" down as much as possible."
"So, what limitations do I have?"
"Well you need to be sure it's easy to use, is unintrusive, won't require too much training, won't be all that expensive, and" provides for strong authentication." Orange tells you.
Based on this information, choose the best solution to the authentication problem for the senior executives on the fourth floor.}
A. You talk to several of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in voice authentication. They like the fact that they may be able to simply speak to the computer and be authenticated.
Since they like this technology, you decide this is what you will implement. You configure each machine with the Anovea software for voice authentication, and configure a microphone at each workstation. You then walk the executive through the process of enrollment, and have each person test his or her system.
With the software installed, the microphone installed, and with the voice authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
B. You talk to several of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in fingerprint authentication. They like the fact that they may be able to simply touch something by the computer and be authenticated.
You begin the configuration by installing a BioLink USB mouse, driver, and authentication software. You walk each person through the process of enrollment, and how to best use the scanner, and have each person test his or her system.
With the software installed, the mouse and driver installed, and with the fingerprint authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
C. You talk to three of the senior executives on the fourth floor and determine that they disliked the tokens therefore you will install a new authentication system. The people you talked to didn say they would have problems with smart cards, so you decide tonew authentication system. The people you talked to didn say they would have problems with smart cards, so you decide to implement a smart card solution.
You configure each machine with a smart card reader and driver. You then create a local account for each user, and make that account use smart cards. You then assign a smart card to the account and load the user credentials on the card. You then walk the executive through the process of using the smart card, and have each person test his or her system.
With the software installed, the reader installed, and with the smart card authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
D. You talk to some of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in retinal authentication. They like the fact that they may be able to simply look at the computer and be authenticated.
Since they like this technology, you decide this is what you will implement. You configure each machine with the Panasonic Authenticam and authentication software. You then walk the executive through the process of enrollment, and have each person test his or her system.
With the software installed, the retinal scanner installed, and with the retinal authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
E. You talk to two of the senior executives on the fourth floor and determine that these people are interested in a biometric solution, and that they have an interest in retinal authentication. They like the fact that they may be able to simply look at the computer and be authenticated.
Since they like this technology, you decide this is what you will implement. You configure each machine with the Panasonic Authenticam and authentication software. You then walk the executive through the process of enrollment, and have each person test his or her system.
With the software installed, the retinal scanner installed, and with the retinal authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
正解:B
For three years you have worked with MegaCorp doing occasional network and security consulting. MegaCorp is a small business that provides real estate listings and data to realtors in several of the surrounding states. The company is open for business Monday through Friday from 9 am to 6 pm, closed all evenings and weekends. Your work there has largely consisted of advice and planning, and you have been frequently disappointed by the lack of execution and follow through from the full time staff.
On Tuesday, you received a call from MegaCorp's HR director, "Hello, I'd like to inform you that Purple (the full time senior network administrator) is no longer with us, and we would like to know if you are interested in working with us full time."
You currently have no other main clients, so you reply, "Sure, when do you need me to get going?"
"Today," comes the fast and direct response. Too fast, you think. "
What is the urgency, why can this wait until tomorrow?"
"Red was let go, and he was not happy about it. We are worried that he might have done something to our network on the way out."
"OK, let me get some things ready, and Il be over there shortly."
You knew this would be messy when you came in, but you did have some advantage in that you already knew the network. You had recommended many changes in the past, none of which would be implemented by Purple. While pulling together your laptop and other tools, you grab your notes which have an overview of the network:
MegaCorp network notes: Single Internet access point, T1, connected to MegaCorp Cisco router. Router has E1 to a private web and ftp server and E0 to the LAN switch. LAN switch has four servers, four printers, and 100 client machines. All the machines are running Windows 2000. Currently, they are having their primary web site and email hosted by an ISP in Illinois.
When you get to MegaCorp, the HR Director and the CEO, both of whom you already know, greet you. The CEO informs you that Purple was let go due to difficult personality conflicts, among other reasons, and the termination was not cordial. You are to sign the proper employment papers, and get right on the job. You are given the rest of the day to get setup and running, but the company is quite concerned about the security of their network. Rightly so, you think, if these guys had implemented even half of my recommendations this would sure be easier.You get your equipment setup in your new oversized office space, and get started. For the time you are working here, your IP Address is 10.10.50.23 with a mask of \16.
One of your first tasks is to examine the router configuration. You console into the router, issue a show running-config command, and get the following output:
MegaOne#show running-config
Building configuration
Current configuration:
!
version 12.1
service udp-small-servers
service tcp-small-servers
! hostname MegaOne ! enable secret 5 $1$7BSK3$H394yewhJ45JAFEWU73747. enable password clever ! no ip name-server no ip domain-lookup ip routing ! interface Ethernet0 no shutdown ip address 2.3.57.50 255.255.255.0 no ip directed-broadcast ! interface Ethernet1 no shutdown ip 10.10.40.101 255.255.0.0 no ip directed-broadcast ! interface Serial0 no shutdown ip 1.20.30.23 255.255.255.0 no ip directed-broadcast clockrate 1024000 bandwidth 1024 encapsulation hdlc ! ip route 0.0.0.0 0.0.0.0 1.20.30.45
!
line console 0
exec-timeout 0 0
transport input all
line vty 0 4
password remote
login
!
end
After analysis of the network, you recommend that the router have a new configuration. Your goal is to make the router become part of your layered defense, and to be a system configured to help secure the network.
You talk to the CEO to get an idea of what the goals of the router should be in the new configuration. All your conversations are to go through the CEO; this is whom you also are to report to.
"OK, I suggest that the employees be strictly restricted to only the services that they must access on the Internet." You begin.
"I can understand that, but we have always had an open policy. I like the employees to feel comfortable, and not feel like we are watching over them all the time. Please leave the connection open so they can get to whatever they need to get to. We can always reevaluate this in an ongoing basis."
"OK, if you insist, but for the record I am opposed to that policy."
"Noted," responds the CEO, somewhat bluntly.
"All right, let see, the private web and ftp server have to be accessed by the Internet, restricted to the accounts on the server. We will continue to use the Illinois ISP to host our main web site and to host our email. What else, is there anything else that needs to be accessed from the Internet?"
"No, I think that's it. We have a pretty simple network, we do everything in house."
"All right, we need to get a plan in place as well right away for a security policy. Can we set something up for tomorrow?" you ask.
"Let me see, Il get back to you later." With that the CEO leaves and you get to work.
Based on the information you have from MegaCorp; knowing that the router must be an integral part of the security of the organization, select the best solution to the organization's router problem:}
A. You backup the current router config to a temp location on your laptop. Friday night, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#no cdp run MegaOne(config)#no ip source-route MegaOne(config)#no ip finger MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#
B. With the office closed, you decide to build the new router configuration on Saturday. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#no cdp run MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 any MegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 any MegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 any MegaOne(config)#access-list 175 deny ip 192.168.0.0 0.0.255.255 any MegaOne(config)#no ip source-route MegaOne(config)#no ip finger MegaOne(config)#interface serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#
C. You backup the current router config to a temp location on your laptop. Sunday night, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Ethernet 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config)#interface Ethernet 1 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config-if)#^Z MegaOne#
D. You backup the current router config to a temp location on your laptop. Early Monday morning, you come in to build the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Serial 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#no cdp enable MegaOne(config-if)#no ip directed broadcast MegaOne(config-if)#no ip unreachables MegaOne(config-if)#^Z MegaOne#
E. As soon as the office closes Friday, you get to work on the new router configuration. Using your knowledge of the network, and your conversation with the CEO, you build and implement the following router configuration: MegaOne#configure terminal MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20 MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21 MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 established MegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255 MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255 MegaOne(config)#interface Ethernet 0 MegaOne(config-if)#ip access-group 175 in MegaOne(config)#interface Ethernet 1 MegaOne(config-if)#ip access-group 175 in MegaOne(config-if)#^Z MegaOne#
正解:A
質問 2:
Blue thanks you for your plan and design and took it into consideration. You are then informed that Orange has gone ahead and made a new plan, which will incorporate some of your suggestions, but is going to build the network a bit differently. In Testbed and in each remote office there will be a single self-sufficient CA hierarchy, one that is designed to directly integrate with the existing network. Orange mentions that the hierarchy is only to go two-levels deep, you are not to make an extensive hierarchy in any location. This means a distinct CA hierarchy in six locations, inclusive of the Testbed headquarters.
Using this information, choose the solution that will provide for the proper rollout of the Certificate Authorities in the network.}
A. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA 4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Configure users for the CAs 6.Configure each Root CA to trust each other Root CA via cross certification 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
B. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as a Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Stand-Alone Subordinate Enrollment Authority to function as the Registration Authority 6.Once the Stand-Alone Subordinate is installed, take the Enterprise Root CA offline 7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
C. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure CATool on the Root CA 4.Configure CATool on the Registration Authority, as a subordinate to the Root CA 5.Once the Subordinate CA is active, take the Root CA offline 6.Configure users for the CAs 7.Configure each Root CA to trust each other Root CA via cross certification 8.Test the CA hierarchy 9.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
D. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Enterprise Registration Authority, as a subordinate to the Enterprise Root CA 6.Once the Subordinate CA is active, take the Enterprise Root CA offline 7.Test the CA hierarchy7.Test the CA hierarchy 8.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
E. In each location, you recommend the following steps: 1.Harden a system to function as the Root CA 2.Harden a system to function as the Registration Authority 3.Configure a Windows Enterprise Root CA 4.Configure each Enterprise Root CA to trust each other Enterprise Root CA via cross certification 5.Configure a Windows Registration Authority, as a subordinate to the Enterprise Root CA 6.Test the CA hierarchy 7.Have the local administrative staff inform and train each user how to connect to the Registration Authority through their browser and request a certificate
正解:E
質問 3:
GlobalCorp is a company that makes state of the art aircraft for commercial and government use. Recently GlobalCorp has been working on the next generation of low orbit space vehicles, again for both commercial and governmental markets.
GlobalCorp has corporate headquarters in Testbed, Nevada, USA. Testbed is a small town, with a population of less than 50,000 people. GlobalCorp is the largest company in town, where most families have at least one family member working there.
The corporate office in Testbed has 4,000 total employees, on a 40-acre campus environment. The largest buildings are the manufacturing plants, which are right next to the Research and Development labs. The manufacturing plants employee approximately 1,000 people and the R&D labs employ 500 people. There is one executive building, where approximately 500 people work. The rest of the employees work in Marketing, Accounting, Press and Investor Relations, and so on. The entire complex has a vast underground complex of tunnels that connect each building.
All critical functions are run from the Testbed office, with remote offices around the world. The remote offices are involved in marketing and sales of GlobalCorp products. These offices also perform maintenance on the GlobalCorp aircraft and will occasionally perform R&D and on-site manufacturing.
There are 5 remote offices, located in: New York, California, Japan, India, and England. Each of the remote offices has a dedicated T3 line to the GlobalCorp HQ, and all network traffic is routed through the Testbed office the remote offices do not have direct Internet connections.
You had been working for two years in the New York office, and have been interviewing for the lead security architect position in Testbed. The lead security architect reports directly to the Chief Security Officer (CSO), who calls you to let you know that you got the job. You are to report to Testbed in one month, just in time for the annual meeting, and in the meantime you review the overview of the GlobalCorp network.
Your first day in GlobalCorp Testbed, you get your office setup, move your things in place, and about the time you turn on your laptop, there is a knock on your door. It is Blue, the Chief Security Officer, who informs you that there is a meeting that you need to attend in a half an hour.
With your laptop in hand, you come to the meeting, and are introduced to everyone. Blue begins the meeting with a discussion on the current state of security in GlobalCorp.
"For several years now, we have constantly been spending more and more money on our network defense, and I feel confident that we are currently well defended." Blue, puts a picture on the wall projecting the image of the network, and then continues, "We have firewalls at each critical point, we have separate Internet access for our public systems, and all traffic is routed through our controlled access points. So, with all this, you might be wondering why I have concern."
At this point a few people seem to nod in agreement. For years, GlobalCorp has been at the forefront of perimeter defense and security. Most in the meeting are not aware that there is much else that could be done.
Blue continues, "Some of you know this, for the rest it is new news: MassiveCorp is moving their offices to the town right next to us here. Now, as you all know, MassiveCorp has been trying to build their orbital systems up to our standards for years and have never been able to do so. So, from a security point of view, I am concerned."
Blue responds, "I suggest trust. Not with MassiveCorp, but in our own systems. We must build trusted networks. We must migrate our network from one that is well-defended to one that is well-defended and one that allows us to trust all the network traffic."
The meeting continues for some time, with Blue leading the discussion on a whole new set of technologies currently not used in the network. After some time, it is agreed upon that GlobalCorp will migrate to a trusted networking environment.
The following week, Blue informs you that you will be working directly together on the development of the planning and design of the trusted network. The network is going to run a full PKI, with all clients and servers in the network using digital certificates. You are grateful that in the past two years, Blue has had all the systems changed to be running only Windows 2000, both server and professional systems, running Active Directory. You think the consistent platform will make the PKI roll out easier.
The entire GlobalCorp network is running Active Directory, with the domain structure as in the following list:
Testbed.globalcorp.org
Newyork.globalcorp.org
California.globalcorp.org
Japan.globalcorp.org
India.globalcorp.org
England.globalcorp.org
Although you will be working in the Testbed office, the plan you develop will need to include the entire GlobalCorp organization. Based on this information, select the solution that describes the best plan for the new trusted network of GlobalCorp:}
A. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
B. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system, outside of the executive office, to be a full hierarchy, with the Root CA for the
hierarchy located in the executive building. Every remote office will have a subordinate CA, and
every other building on the campus in Testbed will have a subordinate CA.
4.In the executive building, you design the system to be a mesh CA structure, with one CA per
floor of the building.
5.Design the hierarchy with each remote office and building having it own enrollment CA.
6.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
7.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
8.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
9.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
10.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
11.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
C. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
D. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certificate Policy (CP) document to define what users will be allowed to do with their
certificates, and a Certification Practice Statement (CPS) document to define the technology used
to ensure the users are able to use their certificates as per the CPS.
2.Draft a Certificate Practices Framework (CPF) document based on RFC 2527, including every
primary component.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
3.Design the system to be a full mesh, with the Root CA located in the executive building.
4.Design the mesh with each remote office and building having it own Root CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA mesh in the executive office, and get all users acclimated to the system.
7.Implement the CA mesh in each other campus building in Testbed, and get all users acclimated
to the system.
8.One at a time, implement the CA mesh in each remote office; again getting all users acclimated
to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
E. You design the plan for two weeks, and then you present it to Blue. Your plan follows these critical steps:
1.Draft a Certification Practice Statement (CPS) to define what users will be allowed to do with
their certificates, and a Certificate Policy (CP) to define the technology used to ensure the users
are able to use their certificates as per the CPS.
2.Draft a CPF based on your own guidelines, including physical and technology controls.
3.Design the system to be a full hierarchy, with the Root CA located in the executive building.
Every remote office will have a subordinate CA, and every other building on the campus in
Testbed will have a subordinate CA.
4.Design the hierarchy with each remote office and building having it's own enrollment CA.
5.Build a small test pilot program, to test the hierarchy, and integration with the existing network.
6.Implement the CA hierarchy in the executive office, and get all users acclimated to the system.
7.Implement the CA hierarchy in each other campus building in Testbed, and get all users
acclimated to the system.
8.One at a time, implement the CA hierarchy in each remote office; again getting all users
acclimated to the system.
9.Test the team in each location on proper use and understanding of the overall PKI and their
portion of the trusted network.
10.Evaluate the rollout, test, and modify as needed to improve the overall security of the
GlobalCorp trusted network.
正解:A
質問 4:
For the past month, the employees in the executive building have been getting adjusted to their new authentication systems. There was a large spike in help desk calls the first week, which has gone down daily, and now there are fewer login related calls than there was when the office used passwords alone.
During your weekly meeting with Orange, the authentication subject is discussed, "So far, the system is working well. Our call volume has dropped, and it seems that most people are getting used to the tokens. There is one issue, however."
"Really, what that?" you ask.
"It seems that the senior executives are not that keen on carrying the new tokens around with them. They are asking for a way to authenticate without carrying anything, but still have it be secure."
"All right, do we have a budget?"
"Yes, however there are not that many senior executives, so the cost isn't the primary issue; although we do want to keep the costs" down as much as possible."
"So, what limitations do I have?"
"Well you need to be sure it's easy to use, is unintrusive, won't require too much training, won't be all that expensive, and" provides for strong authentication." Orange tells you.
Based on this information, choose the best solution to the authentication problem for the senior executives on the fourth floor.}
A. You talk to several of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in voice authentication. They like the fact that they may be able to simply speak to the computer and be authenticated.
Since they like this technology, you decide this is what you will implement. You configure each machine with the Anovea software for voice authentication, and configure a microphone at each workstation. You then walk the executive through the process of enrollment, and have each person test his or her system.
With the software installed, the microphone installed, and with the voice authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
B. You talk to several of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in fingerprint authentication. They like the fact that they may be able to simply touch something by the computer and be authenticated.
You begin the configuration by installing a BioLink USB mouse, driver, and authentication software. You walk each person through the process of enrollment, and how to best use the scanner, and have each person test his or her system.
With the software installed, the mouse and driver installed, and with the fingerprint authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
C. You talk to three of the senior executives on the fourth floor and determine that they disliked the tokens therefore you will install a new authentication system. The people you talked to didn say they would have problems with smart cards, so you decide tonew authentication system. The people you talked to didn say they would have problems with smart cards, so you decide to implement a smart card solution.
You configure each machine with a smart card reader and driver. You then create a local account for each user, and make that account use smart cards. You then assign a smart card to the account and load the user credentials on the card. You then walk the executive through the process of using the smart card, and have each person test his or her system.
With the software installed, the reader installed, and with the smart card authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
D. You talk to some of the senior executives on the fourth floor and determine that many of these people are interested in a biometric solution, and that many of them have an interest in retinal authentication. They like the fact that they may be able to simply look at the computer and be authenticated.
Since they like this technology, you decide this is what you will implement. You configure each machine with the Panasonic Authenticam and authentication software. You then walk the executive through the process of enrollment, and have each person test his or her system.
With the software installed, the retinal scanner installed, and with the retinal authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
E. You talk to two of the senior executives on the fourth floor and determine that these people are interested in a biometric solution, and that they have an interest in retinal authentication. They like the fact that they may be able to simply look at the computer and be authenticated.
Since they like this technology, you decide this is what you will implement. You configure each machine with the Panasonic Authenticam and authentication software. You then walk the executive through the process of enrollment, and have each person test his or her system.
With the software installed, the retinal scanner installed, and with the retinal authentication testing and functional, you uninstall the token software and retrieve their tokens. You verify that everything works, and you move on to the next person system.
正解:B
矢部** -
本日、試験を受験し、無事で合格できました。実質4日での合格です。
ありがとうございました!