
Information Sec Unit 4 & 5 Answers


Unit – IV

2 Marks

1. Provide a brief definition of network access control.


Ans: - Network access control is the act of keeping unauthorized users and devices out
of a private network.
2. What is an EAP?
Ans: - The Extensible Authentication Protocol (EAP) is an architectural framework that
provides extensibility for authentication methods for commonly used protected
network access technologies, such as IEEE 802.1X-based wireless access, IEEE 802.1X-
based wired access,
3. List and briefly define four EAP authentication methods.

Ans: -
• EAP-TLS (Extensible Authentication Protocol Transport Layer Security)
• EAP-TTLS (EAP Tunneled TLS)
• EAP-GPSK (EAP Generalized Pre-Shared Key)
• EAP-IKEv2.

4. What is DHCP? How useful is it to help achieve security of IP addresses?


Ans: - The DHCP server stores the configuration information in a database that includes:
Valid TCP/IP configuration parameters for all clients on the network. Valid IP addresses,
maintained in a pool for assignment to clients, as well as excluded addresses.
5. Why is EAPOL an essential element of IEEE 802.1X?
Ans: - Extensible Authentication Protocol over LAN (EAPOL) is a network port
authentication protocol used in IEEE 802.1x or port-based network access control which is
developed to give a generic network sign-on to access network resources.
6. What are the essential characteristics of cloud computing?

Ans: - Cloud computing is composed of 5 essential characteristics, viz:


1. On-demand Self Service
2. Broad Network Access
3. Resource Pooling
4. Rapid Elasticity
5. Measured Service
7. List and briefly define the deployment models of cloud computing.
Ans: -

8. What is the cloud computing reference architecture?


Ans: - The IBM cloud computing reference architecture (CCRA) (figure below) introduces
the fundamental components of a cloud environment. The structure of this architecture is
modular. It defines the fundamental architectural components which underpin and provide
guidelines for creating a cloud environment.

9. Describe some of the main cloud-specific security threats


Ans: -
• Misconfiguration. Misconfigurations of cloud security settings are a
leading cause of cloud data breaches. ...
• Unauthorized Access. ...
• Insecure Interfaces/APIs. ...
• Hijacking of Accounts. ...
• Lack of Visibility. ...
• External Sharing of Data. ...
• Malicious Insiders. ...
• Cyberattacks.

10. Define SAAS in cloud.


Ans: - Software as a service (SaaS) is a software distribution model in which a cloud
provider hosts applications and makes them available to end users over the internet. In
this model, an independent software vendor (ISV) may contract a third-party cloud provider to
host the application.
Long answers

1. Explain the operation and role of the IEEE 802.1X Port-Based Network
Access Control mechanism.
Ans: -
• 802.1X protocol—An IEEE standard for port-based network access
control (PNAC) on wired and wireless access points. 802.1X defines
authentication controls for any user or device trying to access a LAN or
WLAN.
• NAC—A proven networking concept that identifies users and devices by
controlling access to the network. NAC controls access to enterprise
resources using authorization and policy enforcement.

There are many ways to deploy a NAC, but the essentials are:

• Pre-admission control—Blocks unauthenticated messages.


• Device and user detection—Identifies users and devices with pre-defined
credentials or machine IDs.
• Authentication and authorization—Verifies and provides access.
• Onboarding—Provisions a device with security, management, or host-
checking software.
• Profiling—Scans endpoint devices.

The 802.1X NAC operation sequence is as follows:

1. Initiation—The authenticator (typically a switch) or supplicant (client device)
sends a session initiation request. A supplicant sends an EAP-response message
to the authenticator, which encapsulates the message and forwards it to the
authentication server.

2. Authentication—Messages pass between the authentication server and the
supplicant via the authenticator to validate several pieces of information.

3. Authorization—If the credentials are valid, the authentication server notifies
the authenticator to give the supplicant access to the port.

4. Accounting—RADIUS accounting keeps session records including user and
device details, session types, and service details.

5. Termination—Sessions are terminated by disconnecting the endpoint device,
or by using management software.
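The sequence above can be followed in a small model of an authenticator port. This is an added illustration, not part of the original answer: the class and function names and the credential store are made up, and the EAP exchange is collapsed into a single call to a stand-in authentication server.

```python
from dataclasses import dataclass, field

EAPOL_ETHERTYPE = 0x888E   # EtherType carried by EAPOL frames
IPV4_ETHERTYPE = 0x0800    # ordinary data traffic

# Constructed credential store standing in for the authentication server.
AUTH_SERVER_DB = {"alice": "correct-horse", "printer-07": "s3cret"}


def auth_server_check(identity, secret):
    """Stand-in for the authentication server's accept/reject decision."""
    return AUTH_SERVER_DB.get(identity) == secret


@dataclass
class AuthenticatorPort:
    """One switch port acting as the 802.1X authenticator (hypothetical model)."""
    authorized: bool = False
    identity: str = None
    accounting: list = field(default_factory=list)

    def admit(self, ethertype):
        """Pre-admission control: an unauthorized port passes only EAPOL."""
        return self.authorized or ethertype == EAPOL_ETHERTYPE

    def authenticate(self, identity, secret):
        """Steps 1-4: relay credentials, open the port on accept, record it."""
        ok = auth_server_check(identity, secret)
        self.authorized = ok
        self.identity = identity if ok else None
        self.accounting.append(("start" if ok else "reject", identity))
        return ok

    def terminate(self):
        """Step 5: the endpoint disconnects and the port closes again."""
        if self.authorized:
            self.accounting.append(("stop", self.identity))
        self.authorized, self.identity = False, None


def demo():
    port = AuthenticatorPort()
    trace = [port.admit(IPV4_ETHERTYPE)]        # data before auth: dropped
    trace.append(port.admit(EAPOL_ETHERTYPE))   # EAPOL before auth: passed
    trace.append(port.authenticate("alice", "wrong"))
    trace.append(port.admit(IPV4_ETHERTYPE))    # still dropped after a reject
    trace.append(port.authenticate("alice", "correct-horse"))
    trace.append(port.admit(IPV4_ETHERTYPE))    # forwarded once authorized
    port.terminate()
    trace.append(port.admit(IPV4_ETHERTYPE))    # dropped again after logoff
    return trace, port.accounting


if __name__ == "__main__":
    print(demo())
```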

2. Explain the Cloud Computing Elements


Ans: - Physical building, electricity, telecommunications facilities, network cables,
networking hardware, storage devices, computers (even more layers there, including
processors, memory, and local storage)…

… operating systems including device drivers, lower-level systems software, hypervisors,
higher-level systems software/low-level distributed systems software, cloud control
plane software, application platform software, managed servers (such as databases and
open source applications)… used to build user-visible components such as compute
instances, functions-as-a-service, container orchestration, object storage, block storage,
load balancers, DNS…

3. Describe term Security as a Service (SecaaS)


Ans: - Security as a service (SECaaS) is an outsourced service
wherein an outside company handles and manages your
security. At its most basic, the simplest example of security as
a service is using an anti-virus software over the Internet.

There are a lot of advantages to using a security as a service offering. These
include:

1. You work with the latest and most updated security tools
available. For anti-virus tools to be effective and useful, they need to
work with the latest virus definitions, allowing them to stomp out threats,
even the newest ones. With security as a service, you’re always using tools
that are updated with the latest threats and options. This means no more
worrying that your users are not updating their anti-virus software and
keeping other software up to date to ensure the latest security patches are
in use. The same case goes for updating and maintaining spam filters.
2. You get the best security people working for you. IT security
experts are at your beck and call, and they may have more experience and
a better skillset than anybody on your IT team.
3. Faster provisioning. The beauty of as-a-service offerings is that you
can give your users access to these tools instantly. SECaaS offerings are
provided on demand, so you can scale up or down as the need arises, and
you can do so with speed and agility.
4. You get to focus on what's more important for your
organization. Using a web interface or having access to a management
dashboard can make it easier for your own IT team to administer and
control security processes within the organization.
5. Makes in-house management simpler. If you have protected data, it
is not enough to just keep it secure. You should know when a user
accesses this data when he or she does not have any legitimate business
reason to access it.
6. Save on costs. You do not have to buy hardware or pay for software
licenses. Instead, you can replace the upfront capital with variable
operating expense, usually at a discounted rate compared to the upfront
costs.

4. Explain the cloud computing reference architecture?


Ans: - The CCRA is intended to be used as a blueprint for architecting cloud
implementations, driven by functional and non-functional requirements of the
respective cloud implementation.
The CCRA defines the basic building blocks—architectural elements and their
relationships—which make up the cloud.

5. Explain the unique security issues related to cloud computing.


Ans: - Security Issues in Cloud Computing:
There is no doubt that cloud computing provides various advantages,
but there are also some security issues in cloud computing. Some of
these security issues are as follows.
1. Data Loss –
Data loss is one of the issues faced in cloud computing. This
is also known as data leakage. As we know, our sensitive
data is in the hands of somebody else, and we don't have full
control over our database. So if the security of the cloud service is
broken by hackers, then it may be possible that hackers will get
access to our sensitive data or personal files.

2. Interference of Hackers and Insecure APIs –
As we know, if we are talking about the cloud and its services, it
means we are talking about the Internet. Also, we know that the
easiest way to communicate with the cloud is using an API. So it is
important to protect the interfaces and APIs which are used by
an external user. But also in cloud computing, a few services are
available in the public domain. These are the vulnerable part of cloud
computing because it may be possible that these services are
accessed by some third parties. So it may be possible that with
the help of these services hackers can easily hack or harm our
data.

3. User Account Hijacking –
Account hijacking is the most serious security issue in cloud
computing. If somehow the account of a user or an organization
is hijacked by a hacker, then the hacker has full authority to
perform unauthorized activities.

4. Changing Service Provider –
Vendor lock-in is also an important security issue in cloud
computing. Many organizations will face different problems
while shifting from one vendor to another. For example, if an
organization wants to shift from AWS Cloud to Google
Cloud Services, then they face various problems like shifting of
all data; also, both cloud services have different techniques and
functions, so they also face problems regarding that. Also, it
may be possible that the charges of AWS are different from
Google Cloud, etc.

5. Lack of Skill –
While working, shifting to another service provider, needing an extra
feature, how to use a feature, etc. are the main problems caused
in an IT company that doesn't have skilled employees. So it
requires a skilled person to work with cloud computing.

6. Denial of Service (DoS) attack –


This type of attack occurs when the system receives too much
traffic. Mostly DoS attacks occur in large organizations such as
the banking sector, government sector, etc. When a DoS attack
occurs data is lost. So in order to recover data, it requires a
great amount of money as well as time to handle it.

6. Explain an overview of cloud computing concepts.


Ans: - Cloud computing is the delivery of different services through the Internet,
including data storage, servers, databases, networking, and software. Cloud-based
storage makes it possible to save files to a remote database and retrieve them on demand.
7. Explain an overview of the Extensible Authentication Protocol
Ans: - Extensible Authentication Protocol (EAP) is a point-to-point (P2P)
wireless and local area network (LAN) data communication framework
providing a variety of authentication mechanisms.

EAP is used to authenticate simple dialup and LAN connections. Its major
scope is wireless network communication such as access points used to
authenticate client-wireless/LAN network systems.

8. List some commonly used cloud-based data services. Explore and compare
these services based on their use of encryption, flexibility, efficiency, speed,
and ease of use.
Ans: - What are different cloud services?
There are 4 main types of cloud computing: private clouds, public clouds, hybrid
clouds, and multiclouds. There are also 3 main types of cloud computing
services: Infrastructure-as-a-Service (IaaS), Platforms-as-a-Service (PaaS), and
Software-as-a-Service (SaaS).

9. Discuss the principal elements of a network access control system.


Ans: -

10. Discuss the principal network access enforcement methods


Ans: -
UNIT – V
2 Marks

1. What is the typical relationship among the untrusted network, the firewall,
and the trusted network?
Ans: - TCP packets usually involve the creation of a connection
from one host computer to another.
A single transaction would not usually involve TCP and UDP
ports.
2. What is the relationship between a TCP and UDP packet? Will any specific
transaction usually involve both types of packets?
Ans: - UDP packets are designed to be connectionless. TCP packets usually involve the
creation of a connection from one host computer to another. A single transaction would
not usually involve TCP and UDP ports.
3. How is an application layer firewall different from a packet-filtering firewall?
Why is an application layer firewall sometimes called a proxy server?
Ans: - An application layer firewall is frequently installed on a dedicated server separate
from the filtering router, but commonly used with a filtering router. It is also referred to as a
proxy server because this firewall can be configured to run special software that acts
as a proxy for a service request.
4. How is static filtering different from dynamic filtering of packets? Which is
perceived to offer improved security?
Ans: - Static filtering is where the filtering rules that tell the firewall which packets are
allowed and which are denied are developed and installed. Dynamic filtering is where
the firewall reacts to an emergent event and updates or creates rules to deal with the event.
5. What is stateful inspection? How is state information maintained during a
network connection or transaction?
Ans: - Stateful inspection keeps track of each network connection between internal and external
systems using a state table. A state table tracks the context and state of each packet in the
conversation by recording which station sent the packet and when it was sent.
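A small state table makes the difference between static filtering (question 4) and stateful inspection concrete. This is an added example, not part of the original answers: the packet fields, the 10.x trusted range, the port-443 rule and the 30-second idle timeout are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0  # seconds a flow may stay silent; assumed value


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(ip):
    return ip.startswith("10.")  # assumed trusted address range


def static_filter(pkt):
    """Fixed rules: outbound to port 443 allowed, inbound from port 443 allowed."""
    if is_internal(pkt.src):
        return pkt.dport == 443
    return pkt.sport == 443  # cannot tell a reply from an unsolicited packet


class StatefulFirewall:
    def __init__(self):
        # flow key -> (station that opened the flow, time last seen)
        self.table = {}

    def inspect(self, pkt, now):
        # Drop entries that have been idle for longer than the timeout.
        self.table = {k: v for k, v in self.table.items()
                      if now - v[1] <= IDLE_TIMEOUT}
        if is_internal(pkt.src):
            if pkt.dport != 443:
                return False
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.table[key] = (pkt.src, now)  # record who sent it and when
            return True
        # Inbound: accept only the mirror image of a recorded outbound flow.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.table.get(key)
        if entry is None:
            return False
        self.table[key] = (entry[0], now)
        return True


def demo():
    # Constructed sample traffic (documentation address ranges).
    out = Packet("10.0.0.5", 51000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 51000)
    fw = StatefulFirewall()
    return {
        "outbound": fw.inspect(out, 0.0),
        "reply": fw.inspect(reply, 1.0),
        "unsolicited_stateful": fw.inspect(unsolicited, 2.0),
        "unsolicited_static": static_filter(unsolicited),
        "reply_after_timeout": fw.inspect(reply, 100.0),
    }
```

The static rule set accepts the unsolicited packet because its source port matches, while the state table rejects it for lack of a matching outbound entry and also rejects a late reply once the entry has expired.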

6. What is a circuit gateway, and how does it differ from the other forms of
firewalls?
Ans: - A circuit gateway is a type of firewall that operates at the transport layer. It is
different from regular firewalls in that it does not look at traffic flow between networks.
7. What special function does a cache server perform? Why is this useful for
larger organizations?
Ans: - These types of servers can store the most recently accessed Web pages in their
internal cache memory, and thus can provide content for heavily accessed pages without
the level of traffic required when pages are not cached.
8. Describe how the various types of firewalls interact with the network traffic
at various levels of the OSI model.
Ans: - Packet filtering firewalls include static filtering, dynamic filtering, and stateful
inspection filtering; these all work at the transport layer of the network. Packet filtering
interacts with network traffic to confirm or deny it based on a rule set for a packet going up
against a set of rules that is determined. Static filtering is up against a rule set for each
packet, dynamic filtering filters packets depending on network traffic and usage limits, and
stateful inspection examines packets and verifies where they are coming and going to
determine via logs.
9. What is a hybrid firewall?
Ans: - Hybrid firewalls consist of multiple firewalls, each providing a specified set of
functions. For instance, you can use one firewall to execute packet filtering while another
firewall acts as a proxy.
10. List the five generations of firewall technology. Which generations are still in
common use?

Ans: - The five generations of firewall technology are static packet filtering,
application level firewall, inspection firewall, dynamic packet filtering firewall
and kernel proxy. Almost all of them are in common use depending on the
needs of a network.
Long Answers

1. How does a commercial-grade firewall appliance differ from a commercial-grade
firewall system? Why is this difference significant?
Ans: - A firewall appliance may feature as a general computer and is a standalone
combination of computing hardware and software, while a commercial-grade firewall system
is the actual software application that runs on a general-purpose computer.
2. Explain the basic technology that makes residential/SOHO firewall
appliances effective in protecting a local network. Why is this usually
adequate for protection?
Ans: - Residential/SOHO firewall appliances are commonly known as broadband routers or
modems and are used in many homes and offices around the world. They act as a stateful
firewall and control traffic from the internet world that is transferred between the host
computer and the internet service provider.
3. What key features point up the superiority of residential/SOHO firewall
appliances over personal computer-based firewall software?
Ans: - Residential/SOHO firewall appliances are superior to personal computer based
firewalls because they are the first line of defense to external threat. They have the capability
to restrict specific MAC addresses.
4. How do screened host architectures for firewalls differ from screened subnet
firewall architectures? Which of these offers more security for the
information assets that remain on the trusted network?
Ans: - Screened subnet firewalls are considered more secure than screened host
architectures. They provide a DMZ while a screened host architecture provides a kind of
dedicated firewall.
5. What is a sacrificial host? What is a bastion host?
Ans: - Both of them function similarly. Both are in the front line to an untrusted network.
A bastion host has a separate dedicated firewall while a sacrificial host is defending the
network on its own.
6. What are the three questions that must be addressed when selecting a
firewall for a specific organization?
Ans: - The three questions are: 1. Is it cost effective? 2. What is included in the base price
and what is not included? and 3. Will it be able to meet growing organization security
requirements?
7. What is a content filter? Where is it placed in the network to gain the best
result for the organization?
Ans: - A content filter gives the administrator the power to restrict access to the content on a
network. It is based inside the trusted network.
8. What is a VPN? Why is it becoming more widely used?
Ans: - A VPN is a virtual private network, which is widely used for network security on the
internet with encryption and IPsec techniques.
9. Identify the various approaches to control remote and dial up access by
authenticating and authorizing users

Ans: - 5 Common Authentication Types

• Password-based authentication. Passwords are the most common methods of
authentication. ...
• Multi-factor authentication. ...
• Certificate-based authentication. ...
• Biometric authentication. ...
• Token-based authentication.

10. Identify Virtual private networks and discuss the technology that enables
them.
Ans: - A virtual private network, or VPN, is an encrypted connection over the Internet from a
device to a network. The encrypted connection helps ensure that sensitive data is safely
transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows
the user to conduct work remotely. VPN technology is widely used in corporate
environments.

The two most used technologies for this are IPSec VPNs and SSL VPNs. IPSec VPNs use
the IPSec protocol to create the VPN tunnel. IPSec VPNs operate at the network layer of the
OSI model. When a client connects through an IPSec VPN, he or she has virtually full
access to the network.
