ΤΕΧΝΟΛΟΓΙΚΟ ΠΑΝΕΠΙΣΤΗΜΙΟ ΚΥΠΡΟΥ ΥΠΗΡΕΣΙΑ ΣΥΣΤΗΜΑΤΩΝ ΠΛΗΡΟΦΟΡΙΚΗΣ ΚΑΙ ΤΕΧΝΟΛΟΓΙΑΣ ΓΡΑΠΤΗ ΕΞΕΤΑΣΗ ΓΙΑ ΤΗ

ΤΕΧΝΟΛΟΓΙΚΟ ΠΑΝΕΠΙΣΤΗΜΙΟ ΚΥΠΡΟΥ ΥΠΗΡΕΣΙΑ ΣΥΣΤΗΜΑΤΩΝ ΠΛΗΡΟΦΟΡΙΚΗΣ ΚΑΙ ΤΕΧΝΟΛΟΓΙΑΣ ΓΡΑΠΤΗ ΕΞΕΤΑΣΗ ΓΙΑ ΤΗ ΘΕΣΗ ΛΕΙΤΟΥΡΓΟΥ ΠΑΝΕΠΙΣΤΗΜΙΟΥ (ΘΕΜΑΤΑ ΠΛΗΡΟΦΟΡΙΚΗΣ) Ημερομηνία Εξέτασης: Τετάρτη, 15 Ιουλίου 2009 Εξεταστικό Κέντρο: Ξενοδοχείο AJAX, Λεμεσός (αίθουσα: Αγαμέμνων) Διάρκεια: Τρείς (3) ώρες Ωρα: 16:00-19:00 ΓΕΝΙΚΑ: Θα πρέπει να απαντήσετε σε όλες τις ερωτήσεις στο Βιβλιάριο Απαντήσεων. Η βαθμολογία για κάθε ερώτηση ή υπό-ερώτηση φαίνεται στην παρένθεση. Το γραπτό αποτελείται από είκοσι οκτώ (28) σελίδες. Ελέγξετε τον αριθμό τους και σε περίπτωση που λείπουν σελίδες, παρακαλώ, ενημερώσετε τον υπεύθυνο των εξετάσεων. Το ΜΕΡΟΣ Α πρέπει να απαντηθεί από όλους τους υποψήφιους. Το ΜΕΡΟΣ Β αποτελείται από δύο ενότητες Β-1 Και Β-2. Να απαντηθεί μόνο η μια εκ των δύο. Το ΜΕΡΟΣ Γ πρέπει να απαντηθεί από όλους τους υποψήφιους.

B_1-ΜΕΡΟΣ Α: (Σύνολο 50 μονάδες correct answers with RED COLOR ) Multiple Choice Questions (ONE point EACH Question) QUESTION 1: Which of the following statements is TRUE regarding the security protocols capable of providing protection at the network layer of the OSI model? A. You are aware that the security protocol Internet Protocol Security (IPSec) is capable of providing protection at the network layer of the OSI model B. You are aware that the security protocol Point-to-Point Tunneling Protoco (PPTP) protocol is capable of providing protection at the network layer of the OSI model C. You are aware that the security protocol Kerberos protocol is capable of providing protection at the network layer of the OSI model D. You are aware that the security protocol Layer 2 Forwarding (L2F) protocol is capable of providing protection at the network layer of the OSI model QUESTION 2: You work as a network technician at cut.ac.cy. The newly appointed cut.ac.cy trainee wants to know which security protocol is used to secure web site communication to any visitor. What would your reply be? A. The security protocol IPSec (Internet Protocol Security) is used to secure web site communication B. The security protocol SSL (Secure Sockets Layer) is used to secure web site communication C. The security protocol Wired Equivalent Privacy (WEP) is used to secure web site communication D. The security protocol Kerberos is used to secure web site communication QUESTION 3: Which of the following statements is TRUE regarding the protocol which could be used by a Virtual Private Network (VPN)? A. The Virtual Private Network (VPN) makes use of the Point-to-Point Protocol (PPP) protocol B. The Virtual Private Network (VPN) makes use of the Kerberos protocol C. The Virtual Private Network (VPN) makes use of the Inetnet Protocol Security (IPSec) protocol D. The Virtual Private Network (VPN) makes use of the Point-to- Point Tunneling Protocol (PPTP) protocol QUESTION 4: You work as a network technician at cut.ac.cy. The newly appointed cut.ac.cy trainee wants to know which authentication protocol requires you to use the Network Time Protocols (NTP) server to synchronize the workstations date and time with the server. What would your reply be? Page 2 of 2

A. You should inform the trainee that the Kerberos protocol would require the use of the Network Time Protocol (NTP) B. You should inform the trainee that the Remote Authentication Dial-In User Service (RADIUS) would require the use of the Network Time Protocol (NTP) C. You should inform the trainee that the Internet Protocol Security (IPSec) would require the use of the Network Time Protocol (NTP) D. You should inform the trainee that the Protected Extensible Authentication Protocol (PEAP) would require the use of the Network Time Protocol (NTP) QUESTION 5: Which of the following statements is TRUE regarding the security protocol which should be used for encrypting transmissions and preventing access to the network? A. You should make use of the Protected Extensible Authentication Protocol (PEAP) B. You should make use of the Wired Equivalent Privacy (WEP) C. You should make use of the Password Authentication Protocol (PAP) D. You should make use of the Layer 2 Tunneling Protocol (L2TP) QUESTION 6: You work as a network administrator at CTX.com The CTX.com network has a single Linux server. You need to enable file shares for Windows clients on the Linux server. What network service or daemon must you enable? A. BIND B. SMB C. DHCP D. LDAP QUESTION 7: In Mac OS X Server 10.3, shared files and folder permissions can be set to default to A. CIFS (Common Internet File System) permissions B. NTFS (New Technology File System) permissions C. MAC OS 9 permissions D. Standard UNIX permissions QUESTION 8: Which of the following statements is TRUE regarding a UNIX computer being able to access exported file systems from other UNIX computers by selecting the File system or service? A. You should remember that the UNIX system uses Kerberos for this purpose B. You should remember that the UNIX system uses Network File System (NFS) for this purpose C. You should remember that the UNIX system uses Trivial File Transfer Protocol (TFRP) for this purpose Page 3 of 3

D. You should remember that the UNIX system uses Internetwork Packet Exchange / Sequence Packet Exchange (IPX/SPX) for this purpose QUESTION 9: Which of the following statements is TRUE regarding the port which should be allowed through the firewall to connect to web sites when you implement a packet filter on the network for Internet connections? A. To access the Web sites you should allow port 23 B. To access the Web sites you should allow port 80 C. To access the Web sites you should allow port 25 D. To access the Web sites you should allow port 443 QUESTION 10: You work as a network technician at cut.ac.cy. The newly appointed cut.ac.cy trainee wants to know to which security protocols the authentication server, tickets and session keys are associated with. What would your reply be? A.The authentication server, tickets and session keys are associated with Wired Equivalent Privacy (WEP) B. The authentication server, tickets and session keys are associated with Internet Protocol Security (IPSec) C. The authentication server, tickets and session keys are associated with Kerberos D. The authentication server, tickets and session keys are associated with Microsoft Challenge Handshake Authentication Protocol version2 (MS-CHAPv2) QUESTION 11: In a Windows Server 2003 AD (Active Directory) network, which server stores information about resource objects? A. Domain master B. Domain tree C. Domain controller D. Domain configuration QUESTION 12: Which of the following functions does RADIUS (Remote Authentication Dial-In User Service) provide for remote access? A. Verification B. Encryption C. Addressing D. Tunneling Page 4 of 4

QUESTION 13: You work as a network administrator at cut.ac.cy. You need to reduce the bandwidth used between cut.ac.cy and the Internet. Which of the following could be implemented to accomplish this? A. WINS (Windows Internet Name Service) server B. Proxy server C. DHCP (Dynamic Host Configuration Protocol) server D. HTTP (Hypertext Transfer Protocol) server QUESTION 14: Which of the following statements is TRUE regarding the service/device required for caching web pages for future retrieval? A. The network Switch can be used for caching web pages B. The network File server can be used for caching web pages C. The network Wireless Access Point (WAP) can be used for caching web pages D. The Network Address Translation (NAT) service can be used for caching web pages QUESTION 15: You work as a network administrator at cut.ac.cy. The IT department is experimenting with a new DHCP server. Which of the following actions would ensure that the DHCP server does not impact on clients from other departments? A. Create a new subnet for the IT department B. Add a hub for the IT department C. Enable IPX / SPX on the DHCP server D. Ensure NetBEUI is not installed on the DHCP server QUESTION 16: A new Cisco Unity voice mail system is being tested. The calls are being forwarded to voice mail from the Automated Attendant console, but the callers are receiving the wrong greeting. What could be the problem? A. The call routing rules are not working properly B. The mailbox under test is full C. The Unity ports for sending and receiving voice mails are not configured properly D. The Microsoft Exchange server has rejected the call due to a corrupted database QUESTION 17: You work as a network administrator at LEX.com. The LEX.com network uses an IP proxy that provides Network Address Translation (NAT). You have implemented IPSec for all Internet bound traffic; however, Internet access is now no longer possible. What is the cause of this problem? Page 5 of 5

A. Network Address Translation (NAT) does not work with IPSec B. The IP proxy is blocking egress and ingress traffic on port 80 C. The IP proxy is blocking egress and ingress traffic on port 1293 D. The IP proxy is blocking egress and ingress traffic on port 8080 QUESTION 18: Which of the following DO NOT represent fault-tolerant strategies? A. Link redundancy B. UPS (Uninterrupted Power Supply) C. Fail over D. X.25 QUESTION 19: You work as a network technician at cut.ac.cy. The newly appointed trainee wants to know how much hard disk drives would be required when you are in the process of implementing Redundant Array of Independent Disks (RAID0). What would your reply be? A. You should inform the trainee that RAID0 configurations would require 5 hard disks. B. You should inform the trainee that RAID0 configurations would require 2 hard disks. C. You should inform the trainee that RAID0 configurations would require 1 hard disk. D. You should inform the trainee that RAID0 configurations would require 3 hard disks. QUESTION 20: Which one of the following provides a fault-tolerant storage system containing five disks and a single controller that will function if a single disk fails? A. A striped set array without parity B. A RAID-0 (Redundant Array of Independent Disks) array C. A striped set array with parity D. A duplexed RAID-1 (Redundant Array of Independent Disks) QUESTION 21: Which of the following utilities will identify the number of hops from a client to a destination host on a routed network? A. nbtstat B. nslookup/dig C. netstat D. tracert/traceroute Page 6 of 6

QUESTION 22: Which of the following provides basic secure for Wireless networks? A. SSL B. WEP C. IPSec D. L2TP QUESTION 23: Which LED on a NIC should you check FIRST to identify the problem when a workstation suddenly fails to connect to the network? A. Link B. Activity C. Collision D. Power QUESTION 24: Which of the following access methods does Gigabit Ethernet make use of? A. ATM B. CSMA/CD C. Frame Relay D. Token passing QUESTION 25: You work as a network technician at cut.ac.cy. You are troubleshooting a connectivity problem to the www.cut.ac.cy web site. You receive a time out when you ping the web site by name. You verify the TCP/IP configuration on the local computer. You successfully ping to the default gateway and the web server by IP address. Which is the probable cause of this problem? A. The DNS server is down B. The DHCP is down C. The LAN is down D. The router is down Page 7 of 7

QUESTION 26: You have a network that is connected to the Internet for only maintenance purposes. You place a firewall between your network and the Internet. You configure the firewall to permit only UDP traffic. Which network file transfer protocol will be able to pass through the firewall? A. NNTP B. IRTF C. SNMP D. TFTP QUESTION 27: After you loaded print services on a server, the service does not appear to have started and is causing problems. Where would you look to investigate further in an effort to troubleshoot the situation? A. Registry B. Network settings C. Log file D. DNS QUESTION 28: You have just built a small home network that is connected to the Internet via a modem. However, you did find that you cannot connect to Host X from your workstation. A visual examination of your network card, your switch, your router and your modem reveals that lights are lit except the light in interface A of the switch. Your network is shown in the following exhibit: What component is the most likely cause of this problem? Page 8 of 8

A. The switch B. The router C. The modem D. The patch cable QUESTION 29: What standard signaling protocols is used within H.323 for call signaling and call setup? A. RTP B. Q.Sig C. H.225 D. H.245 QUESTION 30: You need to troubleshoot DNS name resolution problems on your network. Which tool should be used to do this? A. Netstat B. Nbtstat C. Nslookup D. ARP QUESTION 31: Which one is NOT supported by most web browsers? A. HTTP B. Telnet C. FTP D. NNTP QUESTION 32: In an encryption method, where a private key and a public key are used? A. SSL B. SET C. PGP D. S/MIME QUESTION 33: Which is used for secure online transactions? A. SSL B. VPN C. SET D. X-500 Page 9 of 9

QUESTION 34: Which of the following devices uses Wireless Application Protocol (WAP)? A. Cordless phone B. Remote control C. Keyless entry card D. Personal Digital Assistant (PDA) QUESTION 35: What is the default subnet mask for the IP address 204.1.4.70? A. 255.0.0.0 B. 255.255.0.0 C. 255.255.192 D. 255.255.255.0 E. 255.255.255.252 QUESTION 36: What type of server is used to provide search capabilities for a web site? A. DNS B. Transaction C. Index D. Search E. Finder QUESTION 37: You work as the network administrator at cut.ac.cy. The cut.ac.cy network consists of a single Active Directory domain named cut.ac.cy. All servers on the cut.ac.cy network run Windows Server 2003. You have just completed the installation of the Remote Administration tools on a cut.ac.cy server named Limassol- SR66. You have configured the Remote Administration tools with default settings. When you enter https://limassol-sr 66/admin in Internet Explorer, you are presented with the following error message: "HTTP Error 404 - File or directory not found." Page 10 of 10

You open IIS Manager, which displays the configuration shown in the exhibit below: Which of the following is the action that you should execute to make sure you are able to utilize Internet Explorer to administer Limassol-SR66? A. Type http://limassol-sr 66:8099 in Internet Explorer. B. Type http://limassol-sr 66 in Internet Explorer. C. Install the Remote Desktop Connection subcomponent of the World Wide Web services. D. Type https:// Limassol-SR 66:8098 in Internet Explorer. E. Type https://limassol-sr 66 in Internet Explorer. QUESTION 38: Which of the following statements regarding private IP address is TRUE? A. A private IP address is required to access resources on the Internet. B. Public organizations are not allowed to use private IP addresses. C. Private IP addresses must be obtained from the American Registry for Internet Numbers (ARIN). D. Private IP addresses allow more that one private IP network to have the same IP address. Page 11 of 11

QUESTION 39: Exhibit: You are a network administrator for your company. A Windows Server 2003 computer named Server1 functions as a mail server. Server1 has a single disk that is configured as a basic disk. You add a second disk. In Disk Management, you right-click the unallocated file system and you discover that the New Partition menu command is unavailable, as shown in the exhibit. You need to create a new partition. What should you do? A. Replace the disk that you added, and then select the New Partition menu command. B. Ask the appropriate administrator to assign you Administrator rights on Server1, and then select the New Partition menu command. C. Right-click the disk, select Initialize, and then select the New Partition menu command. D. Restart the server, and then select the New Partition menu command. QUESTION 40: Which of the following provides are used in Virtual Private Networks (VPNs)? A. SSL B. WEP C. IPSec D. L2TP Page 12 of 12

QUESTION 41: You work as the network administrator at cut.ac.cy. The cut.ac.cy network consists of a single Active Directory domain named cut.ac.cy. Cut.ac.cy requires you to support eight users stationed at one of University s remote offices, who work on Windows XP Professional client computers. This remote office has a firewall configured. You must ensure that you can support these users with the Remote Assistance feature of Windows XP via an open port or ports on the firewall. What port or ports have to be open? A. UDP port 88 and TCP port 88. B. UDP port 69. C. TCP port 3389. D. TCP port 3268 QUESTION 42: Which of the following uses encrypted username and passwords? A. PAP B. CHAP C. RADIUS D. MS-CHAP QUESTION 43: You are the network administrator at cut.ac.cy. The cut.ac.cy network consists of two subnets; one contains all workstations and the other contains all servers. Users complain that they cannot access the servers in the remote subnet. You cannot ping any of the workstations by either host name or IP address but you can ping the other servers. What is the probable cause of this problem? A. The DNS server is down. B. The DHCP server is down. C. The router is down. D. The gateway is down. QUESTION 44: Which of the following protocols is used to transmit e-mail between an e-mail client and an e-mail server? A. Hypertext Transfer Protocol (HTTP) B. Post Office Protocol, version 3 (POP3) C. Simple Mail Transfer Protocol (SMTP) D. Internet Control Message Protocol (ICMP) Page 13 of 13

QUESTION 45: Which of the following CANNOT be used for remote connections? A. Telnet B. SSH C. PPP D. IMAP4 QUESTION 46: Exhibit: You are a desktop support technician for your company. Your company runs Windows XP computers on the corporate network. A remote user, Katsikoyiannis reported that he is not able to open the Outlook Web Access website to check his mail account. He reports that whenever he tries to connect to the website he gets a certificate error, as shown in the exhibit. Which of the following options would you choose to resolve the problem of Katsikoyianni? A. Ask Katsikoyianni to add the URL of the Outlook Web Access website to the Trusted sites zone in Internet Explorer. B. Ask Katsikoyianni to add the URL of the Outlook Web Access website to the Local intranet zone in Internet Explorer. C. Ask Katsikoyianni to install the certificate in the Trusted Root Certification Authority after logging into the system using administrative credentials. D. Ask Katsikoyianni to export the Web Server certificate and then save the file to sytemroot%\system32. E. None of the above Page 14 of 14

QUESTION 47: Exhibit: You are a desktop support technician for cut.ac.cy. The company runs Windows XP computers on the corporate network. A user, Yianni, wanted to give a demo of the client application to his subordinate, Costa using Remote Assistance. Yianni's computer was already configured for remote assistance. When Costas tried to establish a Remote Assistance session on Yianni's computer, he received a connection error. To resolve the problem, Costas called you. You tested the connectivity to Yianni's computers using Ping command and received a response. Which of the following options should be performed on Yianni s computer so that a shared desktop connection from Costa's computer can be established? The services console for Yianni's computer is shown in the exhibit. A. Start the Terminal Services service. B. Start the Terminal Services service and set its startup type to Manual. C. Start the Terminal Services User Mode Port Redirector service and set its startup type to Automatic D. Start the Terminal Services Configuration service and set its startup type to Automatic. E. None of the above Page 15 of 15

QUESTION 48: Exhibit: You are a desktop support technician for cut.ac.cy. An employee Rony, who works for the accounts department called you up and informed you that that he is not able to open the MS Word document sent to him by another employee Sam, who was not present that day. Because that document was an important report that needs to be submitted urgently, he asked for your help to open the document. When you went to Rony's computer and tried to open the report the error, as shown in the exhibit appeared. You know that Rony is using Windows XP and MS Office 2003. Which of the following options would resolve the problem with minimum administrative effort? A. Install the Office Compatibility Pack on Rony's computer B. Modify the extension of the word document from.docx to.doc. C. Modify the file association for the.docx file extension. D. Install MS Office 2007 on Ron's computer. E. None of the above QUESTION 49: You work as the network administrator at cut.ac.cy. The cut.ac.cy network consists of a single Active Directory domain named cut.ac.cy. All servers on the cut.ac.cy network run Windows Server 2003. All client computers run Windows XP Professional. Cut.ac.cy contains four departments, named IT, Sales, Marketing and Finance. These departments are crucial to the School of Economics at cut.ac.cy. All the client computers are divided in the Sales, Marketing and Finance departments. You are designing the organizational unit (OU) structure for cut.ac.cy. Page 16 of 16

You have also created extra OUs as shown in the exhibit. The user and computer accounts are placed in the OU appropriate to the department. You need the Help Desk employees to reset passwords for all user accounts in the domain and to manage all user accounts except those in the IT OU. You need to do this with the least amount of administrative effort. What should you do? A. Delegate authority of the domain to the Help Desk group and allow them to reset passwords and manage user objects. Block Group Policy Inheritance at the IT OU. B. Delegate authority of the Sales, IT, Research and Marketing OUs to the Help Desk and allow them to reset passwords and to manage the user objects. C. Delegate authority of the domain to the Help Desk group and allow them to reset passwords. Delegate authority of the Sales, Marketing, Finance, Admin and Help Desk OUs to manage the user objects. D. Delegate authority of the domain to the Help Desk group and allow them to reset passwords and allow them to manage user objects. Block Permission inheritance at the IT OU. QUESTION 50: What is the acronym of FSMO? A. Flexible Single Master Operation role A. Family Services of Metro Orlando B. Field Service Marching Order C. Forefront Security Management role D. Facility of Security Management operations Page 17 of 17

ΜΕΡΟΣ B -1: (Σύνολο 40 μονάδες) Ερώτηση 1: (Σχεδιάγραμμα 1: Δίκτυο 1) α) Με βάση το σχεδιάγραμμα 1, αντιστοιχίστε τις διευθύνσεις δικτύου (IP addresses) στις θύρες των δρομολογητών (router) στον πιο κάτω πίνακα: Router A Router B Router C Router D Loopback: Loopback: Loopback: Loopback: Port A1: Port Β1: Port C1: Port D1: Port A2: Port Β2: Port C2: Port D2: Port A3: Port Β3: Port C3: Port D3: (Μονάδες 8) β) Ποια είναι η μάσκα δικτύου (subnet mask) σε δεκαδική σημειογραφία τελείας (dotted decimal notation) της θύρας Α2 (port A2) στον δρομολογητή Α (router A). (Μονάδες 2) Page 18 of 18

γ) Στο σχεδιάγραμμα 1, εάν ο υπολογιστής υπηρεσίας Α (host A), θέλει να επικοινωνήσει με τον host D, ποιά διαδρομή θα ακολουθήσει η συνδιάλεξη τους και γιατί; (Θεωρήστε ότι όλες οι θύρες των δρομολογητών είναι ενεργοποιημένες, έχουν τις εργοστασιακές ρυθμίσεις, δεν έχουν ρυθμιστεί οι παράμετροι που μπορούν να επηρεάσουν την διαδρομή και οι συνδέσεις λειτουργούν χωρίς προβλήματα στο 20% της χωρητικότητας τους). (Μονάδες 5) Απάντηση 1 (α) Router A Router B Router C Router D Loopback: 192.168.0.1 Loopback: 192.168.0.2 Loopback: 192.168.0.3 Loopback: 192.168.0.4 Port A1: 10.60.25.0 Port Β1: 10.50.25.0 Port C1: 100.150.125.0 Port D1: 99.99.99.0 Port A2: 200.200.50.1 Port Β2: 200.100.50.1 Port C2: 200.100.50.2 Port D2: 200.200.50.2 Port A3: 172.16.0.1 Port Β3: 172.16.0.2 Port C3: 172.20.0.1 Port D3: 172.20.0.2 (β) Η μάσκα δικτύου δηλώνεται από το /30, το οποίο δεκαδική σημειογραφία τελείας είναι 255.255.255.252 (γ) Η συνδιάλεξη τους θα ακολουθήσει την διαδρομή από router A-router B-router C- router D. Οι συνδέσεις σε αυτή την διαδρομή είναι σε ταχύτητες 1Gbps σε σχέση με τα 10 Mbps μεταξύ router A-router D. Ο αλγόριθμος του OSPF αποφασίζει την καλύτερη διαδρομή υπολογίζοντας το κόστος της με γνώμονα τα χαρακτηριστικά των διεπαφών που χρησιμοποιούνται για δρομολόγηση, όπως την αξιοπιστία των συνδέσεων της διαδρομής, την χωρητικότητα (bandwidth) των επιμέρους συνδέσεων, την διεκπεραιωτική ικανότητα (throughput) των συνδέσεων, κλπ. Η διαδρομή με το χαμηλότερο κόστος επιλέγετε ως η καλύτερη. Συνήθως οι κατασκευαστές δρομολογητών υπολογίζουν το κόστος της διαδρομής με μοναδικό κριτήριο την χωρητικότητα των γραμμών. Για παράδειγμα, η Cisco υπολογίζει το κόστος μιας διαδρομής αθροίζοντας τα κόστη των επιμέρους συνδέσεων με τον εξής τύπο: Κόστος γραμμής=10 8 /(χωρητικότητα) Για το σχεδιάγραμμα 1: η διαδρομή router A-Router D, έχει κόστος 10 8 /10.000.000=10 η διαδρομή router A-router B-router C- router D, έχει κόστος (10 8 /1.000.000.000)+(10 8 /1.000.000.000)+ (10 8 /1.000.000.000)=0,1+0,1+0,1=0,3 Αφού το 0,3 είναι χαμηλότερο από το 10, το OSPF θα επιλέξει την διαδρομή router A-router B- router C- router D. Page 19 of 19

Ερώτηση 2: Ο πιο κάτω πίνακας δείχνει πιθανές επιθέσεις ή άλλες κακόβουλες ενέργειες που είναι εκτεθειμένη η δικτυακή τηλεφωνία (IP Telephony/ VoIP). Αντιστοιχίστε την κάθε επίθεση με τον τρόπο αντιμετώπισης της. 1. Free Calls or Toll Fraud A. SIP Encryption, Media Encryption 2. Impersonation B. User authentication, Secure Caller ID 3. Learning Private Information (calling patters, PIN codes) C. User authentication 4. Steal codes D. Firewalls, IDS, etc 5. DoS (Denial of Services) E. SIP Encryption, Media Encryption Απάντηση 2 1C 2Β 3E or 3A 4A or 4E 5D (Μονάδες 5) Ερώτηση 3: Το Πανεπιστήμιο θέλει να εγκαταστήσει ασύρματο δίκτυο εξωτερικού χώρου για να καλύψει τις ανάγκες του προσωπικού (Ακαδημαϊκό και Διοικητικό) καθώς και των φοιτητών του. Δικτυακή τηλεφωνία (VoIP) πρέπει επίσης να υποστηρίζεται. Όλα τα σημεία πρόσβασης (Access Points=ΑΡ) θα είναι συνδεδεμένα στο ενσύρματο δίκτυο με καλώδιο τύπου CAT 6 σε μεταγωγείς (switches) με δυνατότητες μετάδοσης ηλεκτρικής ισχύς από τις θύρες δεδομένων. Το ενσύρματο δίκτυο είναι χωρισμένο σε VLANs (Virtual Local Area Network) για τους φοιτητές, υπαλλήλους και τηλεφωνία. Τα επιλεγμένα ΑΡ υποστηρίζουν τις εκδόσεις όλων των πρότυπων πρωτοκόλλων ασφαλείας που σχετίζονται με ασύρματα δίκτυα ή χρησιμοποιούνται από αυτά. Αποκλειστικά πρωτόκολλα (proprietary protocols) του συγκεκριμένου κατασκευαστή δεν θα χρησιμοποιηθούν. Δεν περιέχουν τείχος προστασίας (firewall) και στο δίκτυο αυτό δεν θα εφαρμοστούν οποιεσδήποτε τρίτες μορφές ασφαλείας. Τα ΑΡ έχουν τα ακόλουθα χαρακτηριστικά και αρχικές εργοστασιακές ρυθμίσεις: Page 20 of 20

Χαρακτηριστικό: Μεταδότες εκπομπής (RF Radio) Χαρακτηριστικό: Ηλεκτρικά χαρακτηριστικά Χαρακτηριστικό: Ηλεκτρική Ισχύς Χαρακτηριστικό: Θύρα παραμετροποίησης RS-232 Εργοστασιακή Ρύθμιση: Ονομασία SSID Εργοστασιακή Ρύθμιση: Ανακοίνωση (Broadcast) SSID Εργοστασιακή Ρύθμιση: Αλγόριθμος Κρυπτογράφησης Δεδομένων Εργοστασιακή Ρύθμιση: Έλεγχος αυθεντικότητας χρήστη Εργοστασιακή Ρύθμιση: RF Πρωτόκολλο μετάδοσης Εργοστασιακή Ρύθμιση: Πρωτόκολλο διαχείρισης/παρακολούθησης Εργοστασιακή Ρύθμιση: Διαχείριση Διπλός για υποστήριξη όλων των RF standards όπως καθορίζονται από τα RFC Υποδοχή για βύσμα 110/220V Μέσω θύρας RJ-45 Δεν δέχεται μπαταρίες. 13W Υπάρχει wifisystem Ενεργό WEP Ανοικτό σε όλους 802.11b SNMPv1 Επιλογή μοντέλου για αυτόνομη διαχείριση ή διαχείριση από κέντρο ελέγχου (controller). Επιτρέπεται η ασύρματη παραμετροποίηση Σε ποιες αρχικές εργοστασιακές ρυθμίσεις πρέπει να γίνουν αλλαγές, είτε στην παραμετροποίηση είτε στο πρωτόκολλο που χρησιμοποιείτε και ποια άλλα πρωτόκολλα πρέπει να χρησιμοποιηθούν για να επιτευχθούν οι πιο κάτω στόχοι (ονομάστε όλα τα πρωτόκολλα που πρέπει να χρησιμοποιηθούν όπως αναφέρονται στα RFC (request for comments) ή IEEE standards (πχ. 802.3): α) Διαχωρισμός μεταξύ: φοιτητών, προσωπικού και τηλεφωνίας. (2 μονάδες) β) Οι φοιτητές πρέπει να βρίσκουν το SSID (service set identifier) αυτόματα, ενώ στο προσωπικό και χρήστες της τηλεφωνίας είναι ήδη προ-ρυθμισμένο από τον διαχειριστή της τηλεφωνίας. (2 μονάδες) γ) Η τηλεφωνία πρέπει να έχει εξασφαλισμένη χωρητικότητα σε κάθε τηλεφωνική συνδιάλεξη. (2 μονάδες) δ) Όλοι οι χρήστες (προσωπικό, φοιτητές και χρήστες τηλεφωνίας) που συνδέονται στο ασύρματο δίκτυο, πρέπει να χρησιμοποιούν ισχυρή μέθοδο ελέγχου αυθεντικότητας (user authentication) πριν τους επιτραπεί πρόσβαση σε αυτό. (2 μονάδες) ε) Η διαχείριση και παραμετροποίηση των σημείων πρόσβασης (Access Points) πρέπει να γίνεται με την πιο ασφαλισμένη μέθοδο χωρίς να υπάρχουν κωδικοί πρόσβασης διαχείρισης στο AP. (2 μονάδες) Page 21 of 21

Απάντηση 3 (α) Τα ΑΡ πρέπει να υποστηρίζουν πολλαπλά SSIDs και trunking ώστε το κάθε SSID να βάζει τους φοιτητές σε άλλο δίκτυο από τους υπαλλήλους. Θα δημιουργηθούν τρία SSIDs, ένα για κάθε γκρουπ. Το κάθε SSID θα ανήκει σε ξεχωριστό VLAN. Η σύνδεση των ΑΡ στο ενσύρματο δίκτυο θα χρησιμοποιεί trunking encapsulation 802.1q ώστε να μεταφέρονται τα ασύρματα VLAN/SSID στα ενσύρματα VLAN. (β). Το SSID των φοιτητών θα γίνεται broadcast από το ΑΡ, ενώ τα SSID των υπαλλήλων και της φωνής δεν θα γίνονται broadcast. (γ). Χρήση Quality of Services στο trunk σύνδεσης των ΑΡ με το ενσύρματο δίκτυο με πρωτόκολλο 802.1e. (δ). Πρέπει να αντικατασταθεί η αρχική ρύθμιση που είναι ανοικτή η πρόσβαση σε όλους με ΙΕΕΕ 802.1X (το οποίο χρησιμοποιήτε από τους WPA2 ή EAP αλγόριθμους το οποίο επιπρόσθετα θα περνά μέσα από κρυπτογραφημένο IPSEC ή SSL tunnel. (ε). Πρέπει να απενεργοποιηθεί η θύρα διαχείρισης (κονσόλα RS232) και να επιλεγεί το μοντέλο για κεντρική διαχείριση μέσω controller. Επίσης η παραμετροποίηση μέσω ασύρματου δικτύου πρέπει να απενεργοποιηθεί. Οι κωδικοί διαχείρισης θα κρατούνται πάνω στο controller το οποίο θα είναι εγκατεστημένο σε server room με ελεγχόμενη πρόσβαση και το controller θα διαχειρίζεται τα ΑΡ από το ενσύρματο δίκτυο με την χρήση SSH command line η SSL GUI. Ερώτηση 4: (Σχεδιάγραμμα 2) Page 22 of 22