Free Access to ISACA.CISA.v2024-03-31.q980 with Valid Practice Test (Page 72)

Question 351

To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:

A.the source routing field is enabled.
B.it has a broadcast address in the destination field.
C.a reset flag (RST) is turned on for the TCP connection.
D.dynamic routing is used instead of static routing.

Question 352

Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?

A.The alternate facility will be available until the original information processing facility is restored.
B.User management is involved in the identification of critical systems and their associated critical recovery times.
C.Copies of the plan are kept at the homes of key decision-making personnel.
D.Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.

Question 353

During what process should router access control lists be reviewed?

A.Environmental review
B.Network security review
C.Business continuity review
D.Data integrity review

Question 354

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

A.Residual risk from the findings of previous audits
B.Audit cycle defined in the audit plan
C.Recommendation from executive management
D.Complexity of management's action plans

Question 355

There are many firewall implementations provided by firewall manufacturers. Which of the following
implementation utilize two packet filtering routers and a bastion host? This approach creates the most
secure firewall system since it supports network and application level security while defining a separate
DMZ.

A.Dual Homed firewall
B.Screened subnet firewall
C.Screened host firewall
D.Anomaly based firewall

Correct Answer: B

Section: Protection of Information Assets
Explanation/Reference:
In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host
firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving
greater throughput and flexibility, although at some cost to simplicity. As each component system of the
screened subnet firewall needs to implement only a specific task, each system is less complex to
configure.
A screened subnet firewall is often used to establish a demilitarized zone (DMZ).
Below are few examples of Firewall implementations:
Screened host Firewall
Utilizing a packet filtering router and a bastion host, this approach implements a basic network layer
security and application server security.
An intruder in this configuration has to penetrate two separate systems before the security of the private
network can be compromised
This firewall system is configured with the bastion host connected to the private network with a packet
filtering router between internet and the bastion host
Dual-homed Firewall
A firewall system that has two or more network interface, each of which is connected to a different network
In a firewall configuration, a dual homed firewall system usually acts to block or filter some or all of the
traffic trying to pass between the network
A dual-homed firewall system is more restrictive form of screened-host firewall system
Demilitarize Zone (DMZ) or screened-subnet firewall
Utilizing two packet filtering routers and a bastion host
This approach creates the most secure firewall system since it supports network and application level
security while defining a separate DMZ network
Typically, DMZs are configured to limit access from the internet and organization's private network.
The following were incorrect answers:
The other types of firewall mentioned in the option do not utilize two packet filtering routers and a bastion
host.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 346

Question 351

Question 352

Question 353

Question 354

Question 355

Download PDF File