Network+ Chapter 10: Security in Network Design
What feature on Windows Server allows for agentless authentication? A. AD (Active Directory) B. ACL (access control list) C. IDS (intrusion detection system) D. Network-based firewall
- A. Active Directory - Not all networks require agents. Active Directory allows for agentless authentication, in which the user is authenticated to a domain.
What kind of firewall blocks traffic based on application data contained within the packets? A. Host-based firewall B. Content-filtering firewall C. Packet-filtering firewall D. Stateless firewall
- B. Content-filtering firewall - Content-filtering firewalls can block designated types of traffic based on application data contained within packets.
Which command on an Arista switch would require an SNMP notification when too many devices try to connect to a port? A. mac-limit B. switchport port-security C. storm-control D. shutdown
- B. switchport port-security - This is essentially a MAC filtering function that also protects against MAC flooding, which makes it a type of flood guard. Acceptable MAC addresses are stored in a MAC address table, which can be configured manually or dynamically, from its default of 1 up to a maximum number of devices as determined by the administrator. Once the MAC address table is full, a security violation occurs if another device attempts to connect to the port.
Which of the following is not one of the three AAA services provided by RADIUS and TACACS+? A. Authentication B. Authorization C. Access Control D. Accounting
- C. Access Control
At what layer of the OSI model do proxy servers operate? A. Layer 3 B. Layer 4 C. Layer 7 D. Layer 4
- C. Layer 7 - Proxy servers manage security at the Application layer of the OSI model. (Layer 7)
What are the two primary features that give proxy servers an advantage over NAT?
- Content filtering, which is possible because proxy servers function at the Application layer rather than at the lower Network layer. - Proxy servers can also improve performance for users accessing resources external to their network by caching files.
What software might be installed on a device in order to authenticate it to the network? A. Operating System B. Security policy C. NAC (network access control) D. Agent
- D. Agent - On some networks, software called an Agent must be installed on the device before the device can be authenticated.
Which NGFW feature allows a network admin to restrict traffic generated by a specific game? A. Content filter B. User awareness C. Context awareness D. Application awareness
- D. Application awareness - Application-aware firewalls monitor and limit the traffic of specific applications, identified by attributes such as the application's vendor and digital signature. This includes built-in Application Control features.
Any traffic that is not explicitly permitted in the ACL is ____, which is called the ____.
- Dropped - Implicit deny
EAPoL is primarily used with what kind of transmission?
- EAPoL (EAP over LAN), adapted to work on both wired and wireless LANs in the 802.1x standard.
What's the essential difference between an IPS and an IDS?
- IPS (intrusion prevention system) stands in-line between the attackers and the targeted network or host, and can prevent traffic from reaching that network or host. - IDS (intrusion detection system) is a stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall. It monitors network traffic, generating alerts about suspicious activity.
Only one ____ exists on a network using STP.
- Root bridge - or master bridge
What kind of ticket is held by Kerberos's TGS?
- TGT (ticket-granting ticket), which will expire within a specified amount of time (by default, this limit is 0 hours)
What causes most firewall failures?
- The most common cause of firewall failure is firewall misconfiguration.
Why is a BPDU filter needed at the demark?
- To protect the integrity of STP paths and the information transmitted by these BPDUs
Why do network administrators create domain groups to manage user security privileges?
- To simplify the process of granting rights to users
What kinds of issues might indicate a misconfigured ACL?
- When troubleshooting a problematic connection between two hosts, or between some applications or ports on two hosts, consider that the problem might be a misconfigured ACL
Active Directory and 389 Directory Server are both compatible with which directory access protocol? A. LDAP B. RADIUS C. Kerberos D. AES
- A. LDAP - In order for clients to authenticate to network resources, some sort of directory server on the network must maintain a database of account information, such as usernames, passwords, and any other authentication credentials. Often this is accomplished in AD (Active Directory) or something more Linux-focused like OpenLDAP or 389 Directory Server. Both are compatible with LDAP (Lightweight Directory Access Protocol).
Which of the following features is common to both an NGFW and traditional firewalls? A. Application Control B. IDS and/or IPS C. User awareness D. User authentication
- D. User authentication
Which of the following ACL commands would permit web-browsing traffic from any IP address to any IP address? A. access-list acl_2 deny tcp any any B. access-list acl_2 permit http any any C. access-list acl_2 deny tcp host 2.2.2.2 host 3.3.3.3 eq www D. access-list acl_2 permit icmp any any
- D. access-list acl_2 permit icmp any any - This command permits ICMP traffic from any IP address or network to any IP address or network.