Module 11 Test

What causes most firewall failures?

Misconfiguration

What IEEE standard includes an encryption key generation and management scheme known as TKIP? a. 802.11i b. 802.11h c. 802.11X d.802.11j

a. 802.11i

Active Directory and 389 Directory Server are both compatible with which directory access protocol? a. LDAP b. RADIUS c. Kerberos d. AD DS

a. LDAP

What statement correctly describes a stateless firewall? a. Manages each incoming packet as stand-alone w/o regard to active connection b. Inspects each incoming packet to tell if it belongs to active connection c. Blocks designated types of traffic based on app data contained in packets d. Filters packets based on source and destination IP addresses.

a. Manages each incoming packet as stand-alone w/o regard to active connection

The Group Policy utility can be opened by typing what name into a Run box? a. secpol.msc b. gpedit.msc c. grouppol.msc d. grppol.msc

b. gpedit.msc

Descendant of Spanning Tree Protocol defined by IEEE 802.1W standard & detects/corrects for link failure in milliseconds a. Transparent Interconnection of Lots of Links (TRILL) b. Shortest Path Bridging (SPB) c. Rapid Spanning Tree Protocol (RSTP) d. Multiple Spanning Tree Protocol (MSTP)

c. Rapid Spanning Tree Protocol (RSTP)

When using Kerberos, what is the purpose of a ticket? a. Name for a Kerberos client or user b. Key used by client to gain access to services that are protected by network c. Temporary credentials client uses to provide valid ID to other servers d. Event generated when auditing resource & unauthorized access is attempted

c. Temporary credentials client uses to prove valid ID to other servers

The Wired Equivalent Privacy standard had what significant disadvantage? a. It did not allow the use of a password for access to the network b. It provided no encryption for traffic sent over the air c. Used a shared encryption key for all clients & key might never change d. Only encrypted initial connection authentication but not subsequent traffic

c. Used a shared encryption key for all clients & key might never change

What kind of firewall can block designed types of traffic based on application data contained within packets? a. stateful firewall b. stateless firewall c. content-filtering firewall d. Packet-filter firewall

c. content-filtering firewall

Who is responsible for the security of hardware on which a public cloud runs? a. The cloud customer b. It depends c. Both the cloud customer and the cloud provider d. The cloud provider

d. The cloud provider

What is NOT a variable that an network access control list can filter traffic with? a. The Network layer protocol used for the packet b. The Transport layer protocol used for the packet c. The source or destination TCP/UDP port number in the packet d. The operating system used by the source or destination device

d. The operating system used by the source or destination device

What kinds of issues might indicate a misconfigured ACL?

Blocking needed services, ports, or addresses

What are the two primary features that give proxy servers an advantage over NAT?

Content filtering and file caching

A stateless firewall inspects each incoming packet to determine whether it belongs to a currently active connection. True or False?

False

What characteristic of ARP makes it particularly vulnerable to being used in a DoS attack?

It doesn't perform any authentication

What is the purpose of an ACL when configuring CoPP?

It identifies relevent traffic for the CoPP policies

By default Active Directory is configured to use Kerberos Protocol but be configured to use LDAP or combination of both. True or False?

True

PEAP standard creates encrypted TLS tunnel between supplicant & server before proceeding w/ usual EAP progress. True or False?

True

Proxy servers & ACLs on network devices are examples of non-security devices with security features, while firewalls and IDS/IPD systems are the network's specialized security devices. True or False?

True

The storm-control command is a type of flood guard that is available on most major network switch vender platforms. True or False?

True

The supplicant is an EAP entity responsible for requesting authentication, such as a smartphone or laptop. True or False

True

Most popular AAA service what open-source service runs in Application layer & can use UDP or TCP in the Transport layer? a. Google Authenticator b. RADIUS c. TACAC+ d. Kerberos

b. RADIUS

Which encryption standard was originally utilized with WPA's TKIP? a. Advanced Encryption Standard (AES) b. Rivest Cipher 4 (RC4) c. Blowfish d. Data Encryption Standard (DES)

b. Rivest Cipher (RC4)

Which of the following ACL commands would permit web-browsing traffic from any IP address to any IP address? a. access-list acl_2 deny tcp any any b. access-list acl_2 permit https any any c. access-list acl_2 tcp host 2.2.2.2 host 3.3.3.3 eq www d. access-list acl_2 permit icmp any any

b. access-list acl_2 permit https any any

On a Linux system, which command allows you to modify settings used by the built-in packet filtering firewall? a. ipf b. modfire c. iptables d. netwall

c. iptables

Of the three methods of access control (RBAC, DAC, and MAC), RBAC is the least secure of the options. True or False?

False

The Spanning Tree Protocol operates at the Network layer of the OSI model. True or False?

False

What kind of ticket is held by Kerberos's TGS?

TGT (Ticket-granting ticket)

Which principle ensures auditing processes are managed by someone other than the employees whose activities are being audited? a. Separation of duties b. Principle of least privilege c. Shared responsibility model d. Defense in depth

a. Separation of duties

What information in a transmitted message might an IDS use to identify network threats? a. Signature b. FIM c. Port mirroring d. ACL

a. Signature

Which of the following is an example of proxy server software? a. Squid b. BIND c. Snort d. Apache

a. Squid

Configuration a Juniper switch you restrict number of MAC addresses allowed in address table. What command do you use? a. set max-mac b. set total-macs c. mac-address limit d. mac-limit

d. mac-limit

Any traffic that is not explicitly permitted in the ACL is _________, which is called the __________.

denied, implicit deny rule

Which protocol designed to replace STP operates at layer 3 of the OSI model? a. Rapid Spanning Tree Protocol (RSTP) b. Transparent Interconnection of Lots of Links (TRILL) c. Shortest Path Bridging (SPB) d. Multiple Spanning Tree Protocol (MSTP)

c. Shortest Path Bridging (SPB)

Which policy ensures messages are discarded when they don't match a specific firewall rule? a. Implicit allow b. Explicit deny c. Explicit allow d. Implicit deny

d. Implicit deny

Which legacy authentication protocol requires mutual authentication? a. Password Authentication Protocol (PAP) b. Challenge Handshake Authentication Protocol (CHAP) c. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) d. Microsoft Challenge Handshake Authentication Protocol V2 (MS-CHAPv2)

d. Microsoft Challenge Handshake Authentication Protocol V2 (MS-CHAPv2)

Using host-based intrusion detection what feat. might alert system of changes made to files that shouldn't change a. file integrity monitoring (FIM) b. file change management (FCM) c. file access auditing (FAA) d. file checksum watching (FCW)

a. file integrity monitoring (FIM)

In ACL statements, using the "any" keyword is equivalent to using a wildcard mask of what value? a. 0.0.0.0 b. 255.255.255.255 c. 255.255.0.0 d. 0.0.255.255

b. 255.255.255.255

To prevent ports that serve network hosts from being considered best paths, what should be enabled to block BPDUs a. BPDU filter b. BPDU guard c. root guard d. BPDU drop

b. BPDU guard

Which device would allow an attacker to make network clients use an illegitimate default gateway? a. RA guard b. DHCP server c. Proxy server d. Network-based firewall

b. DHCP server

Which adaptation of EAP utilizes EAP-MSCHAPv2 inside of an encrypted TLS tunnel? a. EAP-TLS b. Protected EAP (PEAP) c. EAP-FAST d. LEAP

b. Protected EAP (PEAP)

What aspect of AAA is responsible for determining what a user can and cannot do with network resources? a. authentication b. authorization c. accounting d. accessibility

b. authorization

Enforcing a virtual security perimeter perimeter using a client's geographic location is known by what term? a. geohashing b. geofencing c. geolocating d. geolocking

b. geofencing

When utilizing Kerberos, an access granting ticket is the same as a key. True or False?

False

Why do network administrators create domain groups to manage user security privileges?

To assign appropriate permissions for each group and to prevent access to network resources that are not needed

Why would you need separate RA guard policies for network hosts and routers attached to a switch?

To ensure that RA messages are coming from a trusted router

When using Spanning Tree Protocol, what is the first step in selecting paths through a network? a. STP must first select the root bridge, or master bridge b. STP examines the possible paths between all other bridges c. STP disables links that are not part of a shortest path d. STP begins to block BPDUs on non-designated ports

a. STP must first select the root bridge, or master bridge

Which term describes config of a port to copy all traffic passing through switch to device at other end of port? a. port supertrunking b. port mirroring c. port shadowing d. port lurking

b. port mirroring

Which of the following is not one of the AAA services provided by RADIUS and TACACS+? a. Authentication b. Authorization c. Administration d. Accounting

c. Administration

Which of the following criteria can a packet-filtering firewall not use to determine whether to accept or deny traffic? a. Destination IP address b. SYN flags c. Application data d. ICMP message

c. Application data

At what layer of the OSI model do proxy servers operate? a. Layer 3 b. Layer 2 c. Layer 7 d. Layer 4

c. Layer 7

In regards to the use of local authentication, what statement is accurate? a. Local authentication provides the most security b. Local authentication is scalable for large networks. c. Local authentication is network and server failure tolerant d. Local authentication does not allow for strong enough passwords.

c. Local authentication is network and server failure tolerant

What scenario might be ideal for the use of root guard in configuring a switch? a. Block BPDUs on an access port serving network hosts b. Disable STP on a port connected to a partnered company's switch c. Prevent switches beyond certain port becoming root bridge but still use STP d. Prevent a rogue switch or computer from hijacking the network's STP paths

c. Prevent switches beyond certain port becoming root bridge but still use STP

What's the essential difference between an IPS and an IDS?

An IDS provides an alert about a potential incident while an IPS blocks the attempted intrusion

What is a SIEM (Security Information and Event Management) system utilized for? a. It's an advanced intrusion protection system with a GUI-frontend b. It's a system used to evaluate data from security devices & generate alerts c. Intellectual protection software that prevents data links & generate alerts d. It's a system that monitors security device hardware availabiliy

b. It's an system used to evaluate data from security devices & generate alerts