Chapter 5: Devices and Infrastructure 5.1-5.8
5.5 Virtual Private Networks In addition to Authentication Header (AH), IPsec is comprised of what other service? A) Advanced Encryption Standard (AES) B) Extended Authentication Protocol (EAP) C) Encapsulating Security Payload (ESP) D)Encryption File System (EFS)
C) Encapsulating Security Payload (ESP) D)Encryption File
5.4 Network Address Translation How many concurrent connections does NAT support? A) 300 B) 90 C) 5,000 D) Unlimited
C) 5,000
5.7 Network Access Control Which of the following NAC agent types would be used for IoT devices? A) Zero-trust B) Dissolvable C) Agentless D) Permanent
C) Agentless
5.6 Web Threat Protection As the security analyst for your organization, you have noticed an increase in emails that attempt to trick users into revealing confidential information. Which web threat solution should you implement to protect against these threats? A) Proxies B) Data loss prevention C) Anti-phishing software D) Encryption
C) Anti-phishing software
5.1 Security Appliances Which of the following devices can apply quality of service and traffic-shaping rules based on what created the network traffic? A) All-in-one security appliances B) Proxy server C) Application-aware devices D) Network access control
C) Application-aware devices
5.2 Demilitarized Zones Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks? A) Multi-homed B) Kernel proxy C) Bastion or sacrificial host D) Circuit proxy
C) Bastion or sacrificial host
5.3 Firewalls When designing a firewall, what is the recommended approach for opening and closing ports? A) Close all ports. B) Close all ports; open ports 20, 21, 53, 80, and 443. C) Close all ports; open only ports required by applications inside the DMZ. D) Open all ports; close ports that expose common network attacks. E) Open all ports; close ports that show improper traffic or attacks in progress.
C) Close all ports; open only ports required by applications inside the DMZ.
5.7 Network Access Control Which of the following NAC agent types creates a temporary connection? A) Zero-trust B) Agentless C) Dissolvable D) Permanent
C) Dissolvable
5.1 Security Appliances Which of the following is a privately controlled portion of a network that is accessible to some specific external entities? A) Internet B) MAN C) Extranet D) Intranet
C) Extranet
5.6 Web Threat Protection Which of the following are functions of gateway email spam filters? (Select two.) A) Blocks phishing attempts, which try to access confidential information B) Helps enforce an organization's internet usage policy C) Filters messages containing specific content D) Blocks email from specific senders E) Blocks users from visiting websites with malicious content
C) Filters messages containing specific content D) Blocks email from specific senders
5.4 Network Address Translation Which device is NAT typically implemented on? A) RADIUS server B) ISP router C) Gateway router D) AD server
C) Gateway router
5.3 Firewalls Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the BEST type of firewall for her to use? A) Stateful B) Tunneling C) Hardware D) Software
C) Hardware
5.7 Network Access Control What is Cisco's Network Access Control (NAC) solution called? A) Network Access Protection B) Talos C) Identity Services Engine (ISE) D) Network Address Translation (NAT)
C) Identity Services Engine (ISE)
5.5 Virtual Private Networks Which VPN protocol typically employs IPsec as its data encryption mechanism? A) PPTP B) L2F C) L2TP D) PPP
C) L2TP
5.4 Network Address Translation At which layer of the OSI model do NAT routers operate? A) Layer 5 (Session layer) B) Layer 1 (Physical layer) C) Layer 3 (Network layer) D) Layer 7 (Application layer)
C) Layer 3 (Network layer)
5.5 Virtual Private Networks A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which key steps should you take when implementing this configuration? (Select two.) A) Configure the VPN connection to use MS-CHAPv2 B) Configure the browser to send HTTPS requests through the VPN connection C) Configure the VPN connection to use IPsec D) Configure the VPN connection to use PPTP E) Configure the browser to send HTTPS requests directly to the Wi-Fi network without going through the VPN connection
2) Configure the browser to send HTTPS requests through the VPN connection 3) Configure the VPN connection to use IPsec
5.8.3 Network Threats You are the security analyst for your organization and have discovered evidence that someone is attempting to brute-force the root password on the web server. Which classification of attack type is this? A) Active B) Inside C) External D) Passive
A) Active
5.6 Web Threat Protection You are investigating the use of website and URL content filtering to prevent users from visiting certain websites. Which benefits are the result of implementing this technology in your organization? (Choose two.) A) An increase in bandwidth availability B) Prevention of phishing attempts C) Prevention of emails containing threats D) Enforcement of the organization's internet usage policy E) Identification and disposal of infected content
A) An increase in bandwidth availability D) Enforcement of the organization's internet usage policy
5.1 Security Appliances Where should an organization's web server be placed? A) DMZ B) Intranet C) Honeynet D) Extranet
A) DMZ
5.2 Demilitarized Zones Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet? A) DMZ B) Intranet C) Extranet D)Padded cell
A) DMZ
5.8.3 Network Threats Which area of focus helps to identify weak network architecture or design? A) Documentation B) Inherent vulnerabilities C) Entry points D) Network baseline
A) Documentation
5.4 Network Address Translation Which NAT implementation assigns two IP addresses to the public NAT interface, allowing traffic to flow in both directions? A) Dynamic and static B) Dynamic C) PAT D) Static
A) Dynamic and static
5.7 Network Access Control Which of the following BEST describes zero-trust security? A) Only devices that pass both authentication and authorization are trusted. B) Only devices that pass authentication are trusted. C) Only devices that pass authorization are trusted. D) All devices are trusted.
A) Only devices that pass both authentication and authorization are trusted.
5.4 Network Address Translation Which of the following does a NAT router use to identify where a host is connected on the switch? A) PAT B) Static NAT C) IPv4 D) Dynamic NAT
A) PAT
5.2 Demilitarized Zones What needs to be configured on a firewall to allow traffic directed to the public resource in the DMZ? A) Packet filters B) Subnet C) FTP D) VPN
A) Packet filters
5.1 Security Appliances You are implementing security at a local high school that is concerned with students accessing inappropriate material on the internet from the library's computers. The students use the computers to search the internet for research paper content. The school budget is limited. Which content filtering option would you choose? A) Restrict content based on content categories. B) Block specific DNS domain names. C) Block all content except for content you have identified as permissible. D) Allow all content except for the content you have identified as restricted.
A) Restrict content based on content categories.
5.1 Security Appliances A proxy server can be configured to do which of the following? A) Restrict users on the inside of a network from getting out to the internet. B) Allow all content except for the content you have identified as restricted. C) Block all content except for the content you have identified as permissible. D) Act as a unified threat security device or web security gateway.
A) Restrict users on the inside of a network from getting out to the internet.
5.3 Firewalls Which of the following are characteristics of a packet-filtering firewall? (Select two.) A) Stateless B) Filters IP address and port C) Filters based on URL D) Stateful E) Filters based on sessions
A) Stateless B) Filters IP address and port
5.4 Network Address Translation You have a small network at home that is connected to the internet. On your home network, you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network. You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website. What should you use to allow access? A) Static NAT B) DNS CNAME record C) Multicast D) DNS A record E) Dynamic NAT
A) Static NAT
5.1 Security Appliances A honeypot is used for which purpose? A) To delay intruders in order to gather auditing data B) To disable an intruder's system C) To entrap intruders D) To prevent sensitive data from being accessed
A) To delay intruders in order to gather auditing data
5.2 Demilitarized Zones You have a company network that is connected to the internet. You want all users to have internet access, but you need to protect your private network and users. You also need to make a web server publicly available to internet users. Which solution should you use? A) Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ. B) Use a single firewall. Put the web server and the private network behind the firewall. C) Use a single firewall. Put the web server in front of the firewall and the private network behind the firewall. D) Use firewalls to create a DMZ. Place the web server and the private network inside the DMZ.
A) Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ.
5.8.3 Network Threats Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems. Which of the following is the MOST important aspect of maintaining network security against this type of attack? A) User education and training B) Identifying a network baseline C) Documenting all network assets in your organization D) Identifying inherent vulnerabilities E) Network segmentation
A) User education and training
5.8.3 Network Threats Which of the following is commonly created to segment a network into different zones? A) VLANs B) VPNs C) DNS D) DMZ
A) VLANs
5.2 Demilitarized Zones Which of the following is the BEST solution to allow access to private resources from the internet? A) VPN B) Subnet C) FTP D) Packet filters
A) VPN
5.6 Web Threat Protection As the security analyst for your organization, you have noticed an increase in user computers being infected with malware. Which two solutions should you implement and configure to remedy this problem? (Select two.) A) Virus scanner B) Data loss prevention C) Spam filters D) Proxies E) Encryption
A) Virus scanner C) Spam filters
5.2 Demilitarized Zones How many network interfaces does a dual-homed gateway typically have? A) 2 B) 3 C) 1 D) 4
B) 3
5.7 Network Access Control Which of the steps in the Network Access Control (NAC) implementation process occurs once the policies have been defined? A) Plan B) Apply C) Review D) Test
B) Apply
5.7 Network Access Control Which of the following defines all the prerequisites a device must meet in order to access a network? A) Zero-trust security B) Authentication C) Identity Services Engine (ISE) D) Authorization
B) Authentication
5.7 Network Access Control Which of the following applies the appropriate policies in order to provide a device with the access it's defined to receive? A) Authentication B) Authorization C) Zero-trust security D) Identity Services Engine
B) Authorization
5.8.3 Network Threats An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of which kind of attack? A) Replay B) DDoS C) Spamming D) Backdoor
B) DDoS
5.3 Firewalls You have just installed a packet-filtering firewall on your network. Which options are you able to set on your firewall? (Select all that apply.) A) Acknowledgement number B) Destination address of a packet C) Digital signature D) Sequence number E) Port number F) Checksum G) Source address of a packet
B) Destination address of a packet E) Port number G) Source address of a packet
5.3 Firewalls Which of the following best describes a stateful inspection? A) Designed to sit between a host and a web server and communicate with the server on behalf of the host. B) Determines the legitimacy of traffic based on the state of the connection from which the traffic originated. C) Allows all internal traffic to share a single public IP address when connecting to an outside entity. D) Offers secure connectivity between many entities and uses encryption to provide an effective defense against sniffing.
B) Determines the legitimacy of traffic based on the state of the connection from which the traffic originated.
5.4 Network Address Translation You want to connect your small company network to the internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connection to internal hosts. Which type of Network Address Translation (NAT) should you implement? A) Shared B) Dynamic C) Restricted D) Static
B) Dynamic
5.5 Virtual Private Networks Which IPSec subprotocol provides data encryption? A) SSL B) ESP C) AES D) AH
B) ESP
5.8.3 Network Threats Which area of focus do public-facing servers, workstations, Wi-Fi networks, and personal devices fall under? A) Inherent vulnerabilities B) Entry points C) Network segmentation D) Network baseline
B) Entry points
5.1 Security Appliances Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks. You are concerned that these computers could pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless antivirus software and the latest operating system patches are installed. Which solution should you use? A) VLAN B) NAC C) NIDS D) DMZ
B) NAC
5.5 Virtual Private Networks Which of the following VPN protocols is no longer considered secure? A) TLS B) PPTP C) SSL D) IPsec
B) PPTP
5.8.3 Network Threats Which classification of attack type does packet sniffing fall under? A) Active B) Passive C) Inside D) External
B) Passive
5.5 Virtual Private Networks Which VPN tunnel style routes only certain types of traffic? A) Host-to-host B) Split C) Full D) Site-to-site
B) Split
5.4 Network Address Translation You are the network administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers, but you don't want the public to access these servers directly. You want to place these servers behind your firewall on the inside network, yet still allow them to be accessible to the public from the outside. Which method of NAT translation should you implement for these servers? A) Dynamic B) Static C) Restricted D) Overloading
B) Static
5.6 Web Threat Protection Which of the following types of proxies can be used for web filtering? A) Content filter B) Transparent C) VPN D) Reverse
B) Transparent
5.8.3 Network Threats Your network devices are categorized into the following zone types: - No-trust zone - Low-trust zone - Medium-trust zone - High-trust zone Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed. Which of the following is the secure architecture concept that is being used on this network? A) Network firewalling B) Trust-zone networking C) Network segmentation D) Virtual local area networking
C) Network segmentation
5.2 Demilitarized Zones Which of the following is the MOST likely to happen if the firewall managing traffic into the DMZ fails? A) The LAN is compromised, but the DMZ stays protected. B) Nothing will happen - all devices will stay protected. C) Only the servers in the DMZ are compromised, but the LAN will stay protected. D) All devices in the DMZ and LAN will be compromised.
C) Only the servers in the DMZ are compromised, but the LAN will stay protected.
5.7 Network Access Control Which of the following NAC agent types is the most convenient agent type? A) Zero-trust B) Dissolvable C) Permanent D) Agentless
C) Permanent
5.2 Demilitarized Zones You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.) A) Put the database server inside the DMZ. B) Put the web server on the private network. C) Put the database server on the private network. D) Put the web server inside the DMZ.
C) Put the database server on the private network. D) Put the web server inside the DMZ.
5.3 Firewalls Which of the following are features of an application-level gateway? (Select two.) A) Verifies that packets are properly sequenced B) Allows only valid packets within approved sessions C) Reassembles entire messages D) Stops each packet at the firewall for inspection E) Uses access control lists
C) Reassembles entire messages D) Stops each packet at the firewall for inspection
5.4 Network Address Translation Which problem does NAT help address? A) The shortage of IPv6 addresses B) IPSec not working properly C) The shortage of IPv4 addresses D) Registering IP addresses with an ISP
C) The shortage of IPv4 addresses
5.6 Web Threat Protection You are configuring web threat protection on the network and have identified a website that contains malicious content. Which of the following should you configure? A) Virus scanner B) Content filtering C) Web threat filtering D) Anti-phishing software
C) Web threat filtering
5.6 Web Threat Protection You are configuring web threat protection on the network and want to prevent users from visiting www.videosite.org. Which of the following needs to be configured? A) Anti-phishing software B) Virus scanner C) Website filtering D) Content filtering
C) Website filtering
5.2 Demilitarized Zones In which of the following situations would you most likely implement a demilitarized zone (DMZ)? A) You want to detect and respond to attacks in real time. B) You want to encrypt data sent between two hosts using the internet. C) You want to protect a public web server from attack. D) You want internet users to see a single IP address when accessing your company network.
C) You want to protect a public web server from attack.
5.6 Web Threat Protection Which of the following types of proxies would you use to remain anonymous when surfing the internet? A) Content filter B) Reverse C) VPN D) Forward
D) Forward
5.1 Security Appliances You want to create a collection of computers on your network that appear to have valuable data but actually store fake data that could entice a potential intruder. Once the intruder connects, you want to be able to observe and gather information about the attacker's methods. Which feature should you implement? A) Extranet B) NIPS C) NIDS D) Honeynet
D) Honeynet
5.3 Firewalls You connect your computer to a wireless network available at the local library. You find that you can access all of the websites you want on the internet except for two. What might be causing the problem? A) Port triggering is redirecting traffic to the wrong IP address. B) The router has not been configured to perform port forwarding. C) A firewall is blocking ports 80 and 443. D) A proxy server is blocking access to the websites.
D) A proxy server is blocking access to the websites.
5.1 Security Appliances Which of the following BEST describes a honeyfile? A) A file that has been digitally signed. B) A file used to authenticate. C) A default file in the /etc/security directory. D) A single file setup to entice and trap attackers.
D) A single file setup to entice and trap attackers.
5.1 Security Appliances You are the office manager of a small financial credit business. Your company handles personal financial information for clients seeking small loans over the internet. You are aware of your obligation to secure clients records, but the budget is an issue for your company. Which item would provide the BEST security for this situation? A) Network access control system B) Firewall on your gateway server to the internet C) Proxy server with access controls D) All-in-one security appliance
D) All-in-one security appliance
5.3 Firewalls Which of the following describes how access control lists can be used to improve network security? A) An access control list looks for patterns of traffic between multiple packets and takes action to stop detected attacks. B) An access control list filters traffic based on the frame header, such as source or destination MAC address. C) An access control list identifies traffic that must use authentication or encryption. D) An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number.
D) An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number.
5.3 Firewalls You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use? A) VPN concentrator B) Packet-filtering firewall C) Application-level gateway D) Circuit-level gateway
D) Circuit-level gateway
5.4 Network Address Translation A network device is given an IP address of 172.16.0.55. Which type of network is this device on? A) Class A private network B) IPv6 private network C) Class C private network D) Class B private network
D) Class B private network
5.6 Web Threat Protection Travis is sending a highly confidential email to Craig that contains sensitive data. Which of the following should Travis implement to ensure that only Craig is able to read the email? A) Virus scanner B) Spam filter C) Anti-phishing software D) Encryption
D) Encryption
5.3 Firewalls You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling. You want to protect the laptop from internet-based attacks. Which solution should you use? A) VPN concentrator B) Proxy server C) Network-based firewall D) Host-based firewall
D) Host-based firewall
5.8.3 Network Threats In which of the following zones would a web server most likely be placed? A) Medium-trust zone B) No-trust zone C) High-trust zone D) Low-trust zone
D) Low-trust zone
5.7 Network Access Control You are configuring the security settings for your network. You have decided to configure a policy that requires any computer connecting to the network to run at least Windows 10 version 2004. Which of the following have you configured? A) NAP B) ISE C) NAT D) NAC
D) NAC
5.7 Network Access Control You are part of a committee that is meeting to define how Network Access Control (NAC) should be implemented in the organization. Which step in the NAC process is this? A) Apply B) Review C) Define D) Plan
D) Plan
5.2 Demilitarized Zones Which of the following is another name for a firewall that performs router functions? A) Screened-host gateway B) Screened subnet C) Dual-homed gateway D) Screening router
D) Screening router
5.5 Virtual Private Networks Which VPN implementation uses routers on the edge of each site? A) Remote access VPN B) Always-on VPN C) Host-to-host VPN D) Site-to-site VPN
D) Site-to-site VPN
5.6 Web Threat Protection You are configuring web threat protection on the network and want to block emails coming from a specific sender. Which of the following should be configured? A) Anti-phishing software B) Virus scanner C) Encryption D) Spam filter
D) Spam filter
5.5 Virtual Private Networks A VPN is primarily used for which of the following purposes? A) Allow remote systems to save on long-distance charges B) Allow the use of network-attached printers C) Support the distribution of public web documents D) Support secured communications over an untrusted network
D) Support secured communications over an untrusted network
5.5 Virtual Private Networks Which statement BEST describes IPsec when used in tunnel mode? A) The identities of the communicating parties are not protected B) Packets are routed using the original headers, and only the payload is encrypted C) IPsec in tunnel mode may not be used for WAN traffic D) The entire data packet, including headers, is encapsulated
D) The entire data packet, including headers, is encapsulated
5.5 Virtual Private Networks A group of salesmen would like to remotely access your private network through the internet while they are traveling. You want to control access to the private network through a single server. Which solution should you implement? A) IPS B) IDS C) DMZ D) VPN concentrator
D) VPN concentrator