CompTIA Server + SK0-004 Chap 7
Which of the following provides a mechanism to access and query directory services systems? A. TACACS B. LDAP C. TACACS+ D. RADIUS
B. Lightweight Directory Access Protocol (LDAP) is a protocol that provides a mechanism to access and query directory services systems.
What type of encryption does PPTP use? A. AES B. IPsec C. MPPE D. Triple DES
C. In VPN operations, tunneling protocols wrap around (encapsulate) the original packet. PPTP then encrypts the result using Microsoft Point-to-Point Encryption (MPPE).
Which of the following IPsec components provides authentication and integrity only? A. SPI B. SA C. ESP D. AH
D. Authentication Header (AH) provides authentication and integrity, but not confidentiality.
In which of the following devices are records kept using a table that tracks every communications channel? A. Stateful firewall B. Packet filtering firewall C. Application-level proxy D. Host-based firewall
A. In stateful inspection (or stateful packet filtering), records are kept using a state table that tracks every communications channel.
Which of the following cannot be accomplished using port security? A. Set the minimum number of MAC addresses that can be seen on a port. B. Take a specific action when a port violation occurs. C. Define exactly which MAC addresses are allowed on the port. D. Set the maximum number of MAC addresses that can be seen on a port.
A. It is not possible to specify a minimum number of MAC addresses allowed on a port.
Which of the following is used to generate each session key in IPsec? A. IKE B. SA C. ESP D. AH
A. One of the challenges with IPsec is how to generate an encryption key for the session (each session key is unique). Internet Key Exchange (IKE) is the key exchange method that is most commonly used by IPsec. IKE with IPsec provides authentication and key exchange.
Which of the following is true of the requirements to use SSL on a website? A. The web server must have a certificate. B. The client must have a certificate. C. The web server and the client must have a certificate. D. Neither the web server nor the client must have a certificate.
A. SSL is related to a PKI in that a certificate is required on the server end and optionally can be used on the client end of an SSL communication.
Which of the following is a type of table that tracks IPsec security associations? A. SPI B. SA C. ESP D. AH
A. The Security Parameter Index (SPI) is a type of table that tracks the different SAs used and ensures that a device uses the appropriate SA to communicate with another device. Each device has its own SPI.
Which of the following devices can also provide web caching services? A. Proxy firewall B. Packet filtering firewall C. Stateful firewall D. Host-based firewall
A. The proxy firewall can also offer web caching: if the same request is made again, it can be served from the cache, which increases the efficiency of data delivery.
Which of the following packets will be allowed according to the iptables rule that follows? iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP A. A packet from 192.168.1.6/24 B. A packet from 192.168.0.6/24 C. A packet from 192.168.0.1/24 D. A packet from 192.168.0.240/24
A. This rule set blocks all incoming traffic sourced from the 192.168.0.0/24 network, which is from 192.168.0.1-192.168.0.255.
You have two devices that are connected to the same switch with IP addresses in the same network. After placing the two devices in separate VLANs, they can no longer ping one another. At what layer of the OSI model are the VLANs providing separation? A. Network B. Data link C. Session D. Transport
B. Devices in different VLANs usually have IP addresses in different IP subnets. However, even if they have IP addresses in the same subnet, communication cannot occur without routing—if they reside in different VLANs—because VLANs separate devices at Layer 2, or the Data Link layer, of the OSI model.
Which standard describes centralized port-based access control? A. 802.11i B. 802.1x C. 802.12 D. 802.10
B. The IEEE 802.1x security standard describes a method of centralizing the authentication, authorization, and accounting of users who connect either locally or remotely to the network. It is sometimes called port-based access control because in an 802.1x architecture, the user's port to the network is not opened until the process is complete.
In which operating system is iptables used? A. Windows B. Sun Solaris C. Linux D. Novell
C. On Linux-based systems, a common host-based firewall is iptables, replacing a previous package called ipchains. It has the ability to accept or drop packets.
Which is the only security zone in which PII should be located? A. DMZ B. Extranet C. Intranet D. Public cloud
C. Personally identifiable information (PII)—information that can be used to identify an employee or customer and perhaps steal their identity—should only be located in secure zones and never in the DMZ, the extranet, or a public cloud.
Using which of the following protocols can expose your switches to a switch spoofing attack? A. SSL B. VTP C. DTP D. STP
C. Switch ports can be set to use a protocol called Dynamic Trunking Protocol (DTP) to negotiate the formation of a trunk link. If an access port is left configured to use DTP, it is possible for a hacker to set their interface to spoof a switch and use DTP to create a trunk link. If this occurs, the hacker can capture traffic from all VLANs. To prevent this, disable DTP on all switch ports.
Which of the following can read the individual commands of the protocols that are being served? A. Stateful firewall B. Packet filtering firewall C. Application-level proxy D. Host-based firewall
C. The proxy function can occur at either the application level or the circuit level. Application-level proxy functions read the individual commands of the protocols that are being served. This type of server is advanced and must know the rules and capabilities of the protocol used.
When discussing 802.1x, which of the following roles is played by the RADIUS server? A. Supplicant B. Authenticator C. Authentication server D. Imperative
C. The role of the authentication server can be performed by a Remote Authentication Dial-in User Service (RADIUS) or a Terminal Access Controller Access Control System+ (TACACS+) server. Both of these server types centralize the authentication process on behalf of the multiple authenticators.
Which of the following is not an example of an authenticator in an 802.1x architecture? A. 802.1x capable switch B. Access point C. RADIUS server D. VPN server
C. The role of the authenticator can be performed by a wide variety of network access devices, including remote access servers (both dial-up and VPN), switches, and wireless access points. The role of the authentication server can be performed by a RADIUS or TACACS+ server.
Which statement is false with respect to router ACLs? A. The order of the rules is important. B. An implied deny all rule is located at the end of all ACLs. C. It is possible to log all traffic that meets any of the rules. D. All rules in the list are considered before the traffic is allowed.
D. If traffic matches a rule, the action specified by the rule will be applied, and no other rules will be read.
Which of the following would Joe use to encrypt a message that only Sally could decrypt? A. Joe's private key B. Sally's private key C. Joe's public key D. Sally's public key
D. To provide encryption, the data is encrypted with the receiver's public key, which results in ciphertext that only the receiver's private key can decrypt.