security question

Vaithiya Sundaram
Ranch Hand

Joined: Apr 22, 2004
Posts: 98
What type of firewall will you use to validate the application protocol of a network communication?
a. SSL
b. Packet Filters
c. Stateful packet Filters
d. Proxy

Can you give me the answer and an explanation?


Vaithiyanathan Sundaram
SCJP, SCBCD, SCEA part1
Vaithiya Sundaram
Ranch Hand

Joined: Apr 22, 2004
Posts: 98
Some more questions:

2. Which of the following is not an optional step in establishing an SSL handshake?

a. Server side certificate validation by the client
b. client side certificate validation by the server
c. Generation of session keys for encryption and decryption
d. Selection of a suitable Cipher suite for encryption by the server and the client

3. Which of the following is true about SSL

a. SSL can be configured only on port 80
b. SSL can be configured only on port 443
c. SSL can be configured to work on any port above 1024
d. None of the above

4. Which of the following are true about load balancing methods?

a. DNS round robin method maps multiple IPs to a single host name
b. Hardware load balancing maps multiple IPs to a single host name
c. Hardware load balancing can potentially involve a single point of failure
d. DNS round robin is easier to set up than hardware load balancing.
e. DNS load balancing supports server affinity
f. Hardware load balancing supports server affinity

5. Which of the following are true about SSL?

a. SSL facilitates secure communication
b. SSL is a high level protocol and sits on top of HTTP
c. SSL is a low level protocol and sits below HTTP
d. SSL works only with HTTP
James Du
Ranch Hand

Joined: Mar 23, 2001
Posts: 186
My answer is 4

A proxy-type firewall works at the application layer. It understands the specific application layer protocol.

Both packet filtering and stateful inspection firewalls work at the IP layer.

Never heard of the SSL firewall.


James Du
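The distinction drawn in the post above, as an added example that is not part of the original thread: a packet filter decides from the destination port alone, while an application-layer proxy admits a connection only if its payload parses as the expected protocol. The `Connection` model, the port and method policy, and all sample payloads are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Connection:            # constructed model of one inbound TCP connection
    dst_port: int
    payload: bytes           # first bytes sent by the client

ALLOWED_PORTS = {80}                          # assumed policy
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # assumed policy
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[^ \r\n]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[^\r\n]*$")

def packet_filter(conn):
    """Decide from header fields only; the payload is never inspected."""
    return conn.dst_port in ALLOWED_PORTS

def http_proxy(conn):
    """Decide only after the payload parses as an HTTP/1.x request."""
    if conn.dst_port not in ALLOWED_PORTS:
        return False, "port not allowed"
    head, sep, _ = conn.payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no complete HTTP header block"
    request_line, *headers = head.split(b"\r\n")
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "not an HTTP request line"
    if m.group(1) not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not all(HEADER_LINE.match(h) for h in headers):
        return False, "malformed header"
    return True, "ok"

# Constructed sample traffic, all aimed at the allowed port except the last.
SAMPLES = {
    "http_get": Connection(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "ssh_banner_on_80": Connection(80, b"SSH-2.0-constructed_client\r\n"),
    "trace_method": Connection(80, b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "telnet_port": Connection(23, b"\xff\xfb\x01"),
}

def compare():
    """Return {name: (packet_filter_allows, proxy_allows, proxy_reason)}."""
    return {n: (packet_filter(c), *http_proxy(c)) for n, c in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in compare().items():
        print(name, verdict)
```

The two middle samples are the interesting ones: the packet filter passes them because the port matches, and only the proxy rejects them.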
Dan Drillich
Ranch Hand

Joined: Jul 09, 2001
Posts: 1180
Good Day,

#3 - I would say d which is 'None of the above' because SSL can be configured on any port; by convention it's configured on port 443.

As my book, HTTP Essentials by Stephen Thomas, says on page #158:

Although the URI scheme allows explicit specification of a TCP port, HTTP over SSL has a default port of 443. This approach does highlight a limitation with SSL. Each application that has the option of using SSL needs two separate default TCP ports: one for standard, non-secure operation (e.g., HTTP's port 80) and a separate port for secure communications (such as HTTP's port 443).


#5 a and c

The book says on page #157:

As a separate protocol, SSL is available to all applications that use TCP for transport. .....
Notice that in the standard case HTTP communicates directly with TCP while, when SSL is involved, HTTP communicates only with SSL, and SSL, in turn, communicates with TCP.


#4 a,b,d,f

The book says:

The simplest way to distribute HTTP requests to multiple servers is to use the Domain Name System (DNS). The DNS protocol translates the host name part of a URL into an IP address. To send requests to different Web servers, the DNS server simply needs to respond with different IP addresses.
.....
The earliest load balancing implementations used a single round-robin algorithm to route the requests. With a round robin, the first request is sent to host A; the next request is sent to host B, and so on. The process continues through all the Web servers and then starts over again at server A.


http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci1005407,00.html says:

A hardware load-balancing device (HLD), also known as a layer 4-7 router, is a physical unit that directs computers to individual servers in a network, based on factors such as server processor utilization, the number of connections to a server, or the overall server performance. The redirection process is one form of load balancing.
The use of an HLD minimizes the probability that any particular server will be overwhelmed and optimizes the bandwidth available to each computer or terminal. In addition, the use of an HLD can minimize network downtime, facilitate traffic prioritization, provide end-to-end application monitoring, provide user authentication, and help protect against malicious activity such as denial-of-service (DoS) attacks.


http://publib.boulder.ibm.com/infocenter/ws40help/index.jsp?topic=/com.ibm.websphere.v4.doc/wasa_content/07010603.html says:

Server affinity refers to the characteristics of each load distribution facility that take these constraints into account. The load distribution facility recognizes that multiple servers can be acceptable targets for a request. However, it also recognizes that each request can be directed to a particular server where it is handled better or faster.


Regards,
Dan


William Butler Yeats: All life is a preparation for something that probably will never happen. Unless you make it happen.
Dan Drillich
Ranch Hand

Joined: Jul 09, 2001
Posts: 1180
About #2

The non-optional steps in establishing an SSL handshake should probably be a, c and d. The optional is therefore b. - client side certificate validation by the server.

-- Dan
Vaithiya Sundaram
Ranch Hand

Joined: Apr 22, 2004
Posts: 98
Thanks Dan Drillich.
My assumptions match yours.
But the answers given in mock exam:
#3. c
#4. a,c,d,f
Dan Drillich
Ranch Hand

Joined: Jul 09, 2001
Posts: 1180
Vaithiya,

#3. c doesn't make much sense.

#4. a,c,d,f while we said a,b,d,f

It seems to me that b and c are correct -

b. Hardware load balancing maps multiple IPs to a single host name
c. Hardware load balancing can potentially involve a single point of failure


where the single point of failure is the load balancer.

It's just that if we choose c, then we are inconsistent with the a choice.

-- Dan
[ February 28, 2005: Message edited by: Dan Drillich ]
 