SY0-401:1 TS Quiz Network Security

"Which tool is an intrusion detection system (IDS)? A Snort B Nessus C Tripwire D Ethereal "

"Answer: Snort Explanation: Snort is an intrusion detection system (IDS). Nessus is a vulnerability assessment tool. Tripwire is a file integrity checker. Ethereal is a network protocol analyzer"

"You must deploy the appropriate hardware to satisfy the needs of an organization. The organization has a DMZ that must be fully protected from the Internet. The internal network must have an additional layer of security from the DMZ. The internal network contains two subnets (Subnet A and Subnet B) and two VLANs (named Research and Development). You need to deploy a total of four hardware devices. Drag the appropriate device to one of the four locations on the network exhibit. All four locations require a device."

"Explanation: You should deploy two firewalls, one router, and one switch in the network, as shown below: To protect the DMZ, you need to place a firewall between the DMZ and Internet. To protect the internal network, you need to place a firewall between the DMZ and internal network. The router needs to be placed so that it manages the two subnets and is connected to the switch. The switch must be deployed so that it connects to the two VLANs and the router. "

"Your network is configured as shown in the following exhibit: You need to configure the firewall to meet the following requirements: The Research computer should only be allowed to connect to the file server using SCP. The Sales computer should only be allowed to connect to the Web server using HTTPS. No other connections from the server network to the DMZ should be allowed. Move the firewall rules in the list from the left column to the right column, and place them in the correct order, starting with the first item at the top. All firewall rules may or may not be used. "

"Explanation: You should implement the following firewall rules: Source: 192.168.0.2 - Destination: 172.16.0.2 - Port: 22 - TCP - Allow Source: 192.168.0.3 - Destination: 172.16.0.3 - Port: 443 - TCP - Allow Source: 192.168.0.0/16 - Destination: 172.16.0.0/12 - Port: Any - TCP/UDP - Deny The Research computer at 192.168.0.2 can only connect to the file server if they are using the secure copy protocol (SCP). Because SCP operates over a secure shell (SSH) connection, it utilizes the same port as SSH, which is TCP port 22. Therefore, you should configure an Allow rule for the Research source with a destination of 172.16.0.2 over TCP port 22. TCP port 22 also handles secure file transfer protocol (SFTP) traffic and secure logins. UDP port 69 handles trivial file transfer protocol (TFTP). The Sales computer at 192.168.0.3 should only be allowed to connect to the Web server using HTTPS, which operates over TCP port 443. Therefore, you should configure an Allow rule for the source 192.168.0.3 and destination 172.16.0.3 on TCP port 443. No other connections from the server network to the DMZ should be allowed. Therefore, you should configure a Deny rule from the server network, which is 192.168.0.0/16, to the DMZ network at 172.16.0.0/12. TCP and UDP traffic should be denied on all (""any"") ports. TCP port 21 handles file transfer protocol (FTP) traffic. TCP port 80 handles hypertext transfer protocol (HTTP) traffic. Allowing traffic on these ports will not meet the scenario requirements. The first two rules can be configured in any order as long as both of them appear before the third rule. The Deny rule should be configured last to ensure that any of the allowed connections are not denied by the Deny rule. "

"Which network entity acts as the interface between a local area network and the Internet using one IP address? VPN NAT router router firewall"

" Answer: NAT router Explanation: Network Address Translation (NAT) router acts as the interface between a local area network and the Internet using one IP address. A VPN is a private network that is implemented over a public network, such as the Internet. A router divides a network into smaller subnetworks. Each host on the subnetwork is given its own IP address to use to communicate. A firewall is a device that protects a network from unauthorized access by allowing only certain traffic to pass through it. While a firewall can also be a router, it is referred to as a firewall when it functions to create a DMZ."

"Several users report that they are having trouble connecting to the organization's Web site that uses HTTPS. When you research this issue, you discover that the Web client and Web server are not establishing a TCP/IP connection. During which phase of SSL communication is the problem occurring? A handshake B key exchange C authentication D encrypted connection establishment"

" Answer: handshake Explanation: The problem is occurring during the handshake phase of Secure Sockets Layer (SSL) communication. First, a TCP/IP connection is established between a Web server and a Web client. Next, the key exchange occurs. Rivest, Shamir, Adleman (RSA) is used for the SSL/TLS key exchange. After the key exchange, the Web client uses a Web server's key information to authenticate the Web server. Finally, the Web client and the Web server establish an encrypted connection and exchange data on an SSL-encrypted connection."

"Management of your company wants to allow the departments to share files using some form of File Transfer Protocol (FTP). You need to explain the different FTP deployments. By default, which FTP solution provides the LEAST amount of security? A FTP B FTPS C SFTP D TFTP "

" Answer: TFTP Explanation: The Trivial File Transfer Protocol (TFTP) provides the least amount of security. TFTP provides no authentication or encryption mechanism. TFTP uses port 69, by default. File Transfer Protocol (FTP) is considered more secure than TFTP because it can provide authentication and encryption mechanisms. FTP uses ports 20 and 21, by default. File Transfer Protocol Secure (FTPS) is a more secure version of FTP. FTPS uses the same commands as FTP. FTPS uses Secure Sockets Layer (SSL) for security. FTPS uses ports 989 and 990, by default. Secure File Transfer Protocol (SFTP) is the most secure version of FTP. This version is actually Secure Shell (SSH) with FTP capabilities. FTPS is more widely known than SFTP, but SFTP is more secure. SFTP uses port 22, by default."

"You have been hired as a company's network administrator. The company's network currently uses statically configured IPv4 addresses. You have been given a list of addresses that are used on the network that include the addresses listed in the options. However, you are sure that some of these addresses are NOT IPv4 addresses. Which addresses are not valid? 192.1.0.1 169.254.0.10 fe80::200:f8ff:fe21:67cf 00-0C-F1-56-98-AD "

" Answer: fe80::200:f8ff:fe21:67cf 00-0C-F1-56-98-AD Explanation: The fe80::200:f8ff:fe21:67cf address is an IPv6 address. The 00-0C-F1-56-98-AD address is a MAC address, which is hard-coded into the network interface card (NIC) by the manufacturer. The 169.254.0.10 and 192.1.0.1 addresses are both valid IPv4 addresses."

"You need to ensure that wireless clients can only communicate with the wireless access point and not with other wireless clients. What should you implement? PEAP LEAP SSID isolation mode "

" Answer: isolation mode Explanation: You should implement isolation mode. This mode ensures that wireless clients can only communicate with the wireless access point and not with other wireless clients. This is also referred to as client isolation mode. Protected Extensible Authentication Protocol (PEAP) is a secure password-based authentication protocol created to simplify secure authentication. Lightweight Extensible Authentication Protocol (LEAP) is an authentication protocol used exclusively by Cisco. Cisco is slowly transitioning from using its proprietary LEAP protocol to using PEAP because LEAP is not as secure as PEAP. A Service Set Identifier (SSID) is a wireless network's name."

"What is the purpose of content inspection? A to distribute the workload across multiple devices B to search for malicious code or behavior C to filter and forward Web content anonymously D to identify and block unwanted messages "

" Answer: to search for malicious code or behavior Explanation: The purpose of content inspection is to search for malicious code or suspicious behavior. The purpose of load balancing is to distribute the workload across multiple devices. Often DNS servers are load balanced to ensure that DNS clients can obtain DNS information as needed. Other services are load balanced as well. Load balancers optimize and distribute data workloads across multiple computers or networks. The purpose of an Internet or Web proxy is to filter and forward Web content anonymously. The purpose of a spam filter is to identify and block unwanted messages. Spam filters should be configured to prevent employees from receiving unsolicited e-mail messages. Another type of hardware that is similar to a spam filter is an all-in-one security appliance. This device filters all types of malicious, wasteful, or otherwise unwanted traffic. Many all-in-one security appliances include a component that performs content inspection and malware inspection. These appliances usually also include a URL filter feature that allows administrators to block and allow certain Web sites. For example, the URL filter in an all-in-one security appliance could be configured to restrict access to peer-to-peer file sharing Web sites. "

" You must configure the routers on your network to ensure that appropriate communication is allowed between the subnetworks. Your configuration must allow multiple protocols to communicate across the routers. Match the protocol from the left with the default port it uses on the right. Move the correct items from the left column to the column on the right to match the protocol with the correct default port. Missing Image"

" Explanation: The protocols given use these default ports: Port 21 - FTP Port 110 - POP3 Port 143 - IMAP Port 443 - HTTPS Port 3389 - RDP FTP also uses port 20, but it was not listed in this scenario."

"You are configuring a wireless access point in the network shown in the following exhibit: The access point must use the most secure encryption method with RADIUS. You need to configure the Security section of the access point. Match the options on the left with the settings given on the right. Not all options will be used. Missing Image"

" Explanation: The wireless access point settings should be matched in the following manner: Security Mode - WPA2 Enterprise Encryption - AES RADIUS Server - 192.168.0.4 RADIUS Port - 1812 WPA2-Enterprise is the strongest security mode. The AES encryption standard is stronger than the TKIP encryption protocol. AES is a symmetric-key standard, formerly called Rijndael, based on CCMP encryption. TKIP is the default standard used with the WPA security mode. The AAA server is the Remote Authentication Dial In User Service (RADIUS) server, so you should use its IP address and port for the RADIUS server configuration. You should not use any MAC addresses in the security configuration. MAC addresses are used to configure MAC filtering. "

"A user complains that he is unable to communicate with a remote virtual private network (VPN) using L2TP. You discover that the port this protocol uses is blocked on the routers in your network. You need to open this port to ensure proper communication. Which port number should you open? A 22 B 88 C 1701 D 1723 "

"Answer: 1701 Explanation: You should open port number 1701 because this is the UDP port used by Layer 2 Tunneling Protocol (L2TP). Port number 22 is reserved for Secure Shell (SSH) remote login. Port number 88 is assigned to the Kerberos protocol. Point-to-Point Tunneling Protocol (PPTP) uses UDP and TCP ports number 1723. There are a total of 65,535 ports in the TCP/IP protocol that are vulnerable to attacks. You should know the following commonly used ports and protocols. FTP - ports 20 and 21 SSH, SCP, and SFTP - port 22 Telnet - port 23 SMTP - port 25 TACACS - port 49 DNS server - port 53 DHCP - ports 67 and 68 TFTP - port 69 HTTP - port 80 Kerberos - port 88 POP3 - port 110 NetBIOS - ports 137-139 IMAP4 - port 143 SNMP - port 161 LDAP - port 389 SSL, FTPS, and HTTPS - port 443 SMB - port 445 LDAP with SSL - port 636 Microsoft SQL Server - port 1433 Point-to-Point Tunneling Protocol (PPTP) - port 1723 RDP protocol and Terminal Services - port 3389"

"A server is located on a DMZ segment. The server only provides FTP service, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which port should be opened on the Internet side of the DMZ firewall? A 20 B 80 C 110 D 443 "

"Answer: 20 Explanation: FTP uses ports 20 and 21 by default, so port 20 should be opened on the Internet side of the demilitarized zone (DMZ) firewall to enable the server to provide FTP services. The firewall will then allow FTP traffic through, but no other port traffic will be allowed to enter the DMZ. Only necessary ports should be opened on the Internet side of a DMZ firewall in order to limit hackers' abilities to access the internal network. Port 80 is used by Hypertext Transfer Protocol (HTTP) to transfer Web pages. Port 110 is used by the Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). "

"Which statement is NOT a characteristic of a network-based intrusion detection system (NIDS)? A An NIDS monitors real-time traffic. B An NIDS analyzes encrypted information. C An NIDS analyzes network packets for intrusion. D An NIDS does not monitor individual workstations in a network. "

"Answer: An NIDS analyzes encrypted information. Explanation: The primary disadvantage of an NIDS is its inability to analyze encrypted information. For example, the packets that traverse through a Virtual Private Network (VPN) tunnel cannot be analyzed by the NIDS. An NIDS would most likely be used to detect, but not react to, behavior on the network. An NIDS can monitor either a complete network or some portions of a segregated network. It remains passive while acquiring the network data. For example, an intrusion detection system (IDS) can monitor real-time traffic on the internal network or a de-militarized zone (DMZ). In a DMZ, public servers, such as e-mail, DNS, and FTP servers, are hosted by an organization to segregate these public servers from the internal network. An NIDS monitors real-time traffic over the network, captures the packets, and analyzes them either through a signature database or against the normal traffic pattern behavior to ensure that there are no intrusion attempts or malicious threats. NIDS finds extensive commercial implementation in most organizations. An NIDS can help identify smurf attacks. NIDS does not monitor specific workstations. A host-based IDS (HIDS) monitors individual workstations on a network. An intrusion detection agent should be installed on each individual workstation of a network segment to monitor any security breach attempt on a host. "

" A small business owner wants to be able to sell products over the Internet. A security professional suggests the owner should use SSL. Which statement is NOT true of this protocol? A SSL is used to protect Internet transactions. B SSL version 2 provides client-side authentication. C SSL operates at the Network layer of the OSI model. D SSL with TLS supports both server and client authentication. E SSL has two possible session key lengths: 40 bit and 128 bit. "

"Answer: SSL operates at the Network layer of the OSI model. Explanation: The secure sockets layer (SSL) protocol does not operate at the Network layer (Layer 3) of the Open Systems Interconnection (OSI) model. It operates at the Transport layer (Layer 4). It works in conjunction with the Hypertext Transfer Protocol (HTTP) that operates at the Session layer to provide secure HTTP connections. SSL is used to protect Internet transactions. It was developed by Netscape. When SSL is used, the browser address will have the https:// prefix, instead of the http:// prefix. SSL version 2 provides client-side authentication. SSL with TLS supports both server and client authentication. SSL uses public key or symmetric encryption, and provides data encryption and sever authentication. To enable SSL to operate, the server and the client browser must have SSL enabled. SSL has two possible session key lengths: 40 bit and 128 bit. The main advantage of SSL is that SSL supports additional application layer protocols, such as FTP and NNTP. HTTP does not. SSL establishes a secure communication connection between two TCP-based computers. Transport layer security (TLS) is a security protocol that combines SSL and other security protocols. A common implementation of SSL is wireless transport layer security (WTLS) for wireless networks. WTLS transmission is required to traverse both wired and wireless networks. Therefore, the packets that are decrypted at the gateway are required to be re-encrypted with SSL for use over wired networks. This is a security loophole referred to as the Wap Gap security issue. If SSL is being used to encrypt messages that are transmitted over the network, a major concern of the security professional is the networks that the message will travel that the company does not control. Worldwide Internet security achieved a milestone with the signing of certificates associated with SSL. "

"You are deploying a virtual private network (VPN) for remote users. You want to meet the following goals: The VPN gateway should require the use of Internet Protocol Security (IPSec). All remote users must use IPSec to connect to the VPN gateway. No internal hosts should use IPSec. Which IPSec mode should you use? A host-to-host B host-to-gateway C gateway-to-gateway D This configuration is not possible."

"Answer: host-to-gateway Explanation: You should deploy host-to-gateway IPSec mode. In this configuration, the VPN gateway requires the use of IPSec for all remote clients. The remote clients use IPSec to connect to the VPN gateway. IPSec is not used for any communication between the VPN gateway and the internal hosts on behalf of the remote clients. Only the traffic over the Internet uses IPSec. In host-to-host IPSec mode, each host must deploy IPSec. This mode would require that any internal hosts that communicate with the VPN clients would need to deploy IPSec. In gateway-to-gateway IPSec mode, the gateways at each end of the connection provide IPSec functionality. The individual hosts do not. For this reason, the VPN is transparent to the users. This deployment best works when a branch office or partner company needs access to your network. "

"Match the wireless antenna types on the left with the descriptions given on the right. "

"Explanation: The antennas and their descriptions should be matched in the following manner: Omni - a multi-directional antenna that radiates radio wave power uniformly in all directions in one plane with a radiation pattern shaped like a doughnut Yagi - a directional antenna with high gain and narrow radiation pattern Sector - a directional antenna with a circle measured in degrees of arc radiation pattern Dipole - the earliest, simplest, and most widely used antenna with a radiation pattern shaped like a doughnut"

"You are aware that any system in the demilitarized zone (DMZ) can be compromised because the DMZ is accessible from the Internet. What should you do to mitigate this risk? A Implement both DMZ firewalls as bastion hosts. B Implement every computer on the DMZ as a bastion host. C Implement the DMZ firewall that connects to the Internet as a bastion host. D Implement the DMZ firewall that connects to the private network as a bastion host"

" Answer: Implement every computer on the DMZ as a bastion host. Explanation: You should implement every computer on the demilitarized zone (DMZ) as a bastion host because any system on the DMZ can be compromised. A bastion host is, in essence, a system that is hardened to resist attacks. A bastion host is not attached to any firewall software. However, every firewall should be hardened like a bastion host. "

"What is a disadvantage of a hardware firewall compared to a software firewall? A It has a fixed number of available interfaces. B It has lower performance capability than a software firewall. C It is easier to make configuration errors than in a software firewall. D It provides decreased security as compared to a software firewall. "

" Answer: It has a fixed number of available interfaces. Explanation: A hardware firewall is purchased with a fixed number of interfaces available. With a software firewall, adding interfaces is as easy as adding and configuring another network interface card (NIC). A hardware firewall outperforms a software firewall. It is easier to make configuration errors in a software firewall, not a hardware firewall. Most hardware firewalls are advertised as ""turn-key"" solutions, meaning software installation and configuration issues are minimal. Hardware firewalls generally provide increased security over software firewalls."

"Your network contains four segments. Which network devices can you use to connect two or more of the LAN segments together? (Choose three.) A Hub B Router C Switch D Bridge E Repeater F Multiplexer "

" Answer: Router Switch Bridge Explanation: Bridges, switches, and routers can be used to connect multiple LAN segments. Bridges and switches operate at the Data Link layer of the OSI model (Layer 2), using the Media Access Control (MAC) address to send packets to their destination. Routers operate at the Network layer (Layer 3) by using IP addresses to route packets to their destination along the most efficient path. Hubs act as a central connection point for network devices on one network segment. They work at the Physical layer (Layer 1). Repeaters are used to extend the length of network beyond the cable's maximum segment distance. They take a received frame's signal and regenerate it to all other ports on the repeater. They also work at the Physical layer. An inverse multiplexer is used to connect several T1 lines together for fault tolerance purposes. The multiplexer is placed at both ends of the connection. "

"You need to ensure that a single document transmitted from your Web server is encrypted. You need to implement this solution as simply as possible. What should you do? A Use ActiveX. B Use JavaScript. C Use HTTPS. D Use S-HTTP. "

" Answer: Use S-HTTP. Explanation: You should use Secure HTTP (S-HTTP) to encrypt a single document from your Web server. This will allow the two computers to negotiate an encryption connection if this document needs to be transmitted. You should not use ActiveX. ActiveX customizes controls, icons, and other Web-enabled systems to increase their usability. ActiveX components and controls are downloaded to the client. JavaScript is a programming language that allows access to resources on the system running the JavaScript. JavaScript scripts can be downloaded from a Web site and executed. HTTP Secure (HTTPS) is used to encrypt an entire channel using private key encryption. It is used to encrypt all information between two computers. "

"What is a Web security gateway? A a device the filters all types of unwanted traffic B a device that blocks unwanted messages C a device that tunnels private communication over the Internet D a device that filters Web content "

"Answer: a device that filters Web content Explanation: A Web security gateway is a device that filters Web content. An all-in-one security appliance is a device that filters all types of unwanted traffic. A spam filter is a device that blocks unwanted messages. A VPN concentrator is a device that tunnels private communication over the Internet. "

" You must design the network for your company's new location. Which two considerations are important? (Choose two.) A number of hosts to support B number of domains to support C number of subnetworks needed D number of servers to support E number of Internet interfaces available "

"Answer: number of hosts to support number of subnetworks needed Explanation: When designing a network, you need to know the number of hosts to support and the number of subnetworks needed. These two considerations determine the subnetting scheme that your network requires. The number of domains to support, the number of servers to support, and the number of Internet interfaces available do not affect the network design. "

"Which term is synonymous with protocol analyzing? A packet sniffing B vulnerability testing C port scanning D password cracking "

"Answer: packet sniffing Explanation: Packet sniffing is synonymous with protocol analyzing. Both terms refer to the process of monitoring data transmitted on the network. They can also be called network analyzers. Packet sniffing can occur by installing the software on a network device. However, it can also occur by installing a rogue wireless access point, router, or switch on the network. If any hidden network devices are found, it is most likely the source of a packet sniffing attack. Vulnerability testing is the process of testing a computer or network for known vulnerabilities to discover security holes. Often security administrators perform vulnerability tests to discover security issues. They then use the reports from the tests to implement new security policies to protect against the issues found. Port scanning is the process of scanning TCP/IP ports to discover which network services are being used. Password cracking is the process of testing the strength of passwords. It is also referred to as password checking. "

"You must configure the routers on your network to ensure that appropriate communication is allowed between the subnetworks. Your configuration must allow multiple protocols to communicate across the routers. Match the protocol from the left with the default port it uses on the right. Move the correct items from the left column to the column on the right to match the protocol with the correct default port. Missing Image"

"Explanation: The protocols given use these default ports: Port 20 - FTP Port 23 - Telnet Port 25 - SMTP Port 53 - DNS Port 80 - HTTP FTP also uses port 21, but it was not listed in this scenario."

"A Web server is located on a DMZ segment. The Web server only serves HTTP pages, and there are no other computers on the DMZ segment. You need to configure the DMZ to ensure that communication can occur. Which port should be opened on the Internet side of the DMZ firewall? A 20 B 80 C 110 D 443 "

" Answer: 80 Explanation: Only port 80 should be opened on the Internet side of the demilitarized zone (DMZ) firewall. The firewall will allow only HTTP traffic to enter the DMZ; all other port traffic will be prevented from entering the DMZ. Port 20 is used by File Transfer Protocol (FTP) to send data. Port 110 is used by Post Office Protocol (POP), and port 443 is used by Secure Sockets Layer (SSL). The Web server on the DMZ only serves Web pages, so only HTTP services should be activated on the Web server. All other services on the Web server should be deactivated, which will strengthen security on the Web server. "

"You have discovered that hackers are gaining access to your WEP wireless network. After researching, you discover that the hackers are using war driving. You need to protect against this type of attack. What should you do? (Choose all that apply.) Change the default Service Set Identifier (SSID). Disable SSID broadcast. Configure the network to use authenticated access only. Configure the WEP protocol to use a 128-bit key. "

" Answer: Change the default Service Set Identifier (SSID). Disable SSID broadcast. Configure the network to use authenticated access only. Configure the WEP protocol to use a 128-bit key. Explanation: You should complete all of the following steps to protect against war-driving attacks: Change the default SSID - This prevents hackers from being able to use the wireless network based on the access point's default settings. Disable SSID broadcast - This prevents the SSID from being broadcast. Although there are other ways to discover the SSID, disabling the broadcast will cut down on attacks. Configure the network to use authenticated access only - This ensures that no unauthenticated connections can occur. Configure the WEP protocol to use a 128-bit key - WEP using 128-bit key is better than the default WEP. However, it is even BETTER to implement some forms of WPA. Some other suggested steps include the following: Implement Wi-Fi Protected Access (WPA) or WPA2 instead of WEP - WPA is stronger than WEP. WPA2 is stronger than both WPA and WEP. Reduce the access point signal strength or power level controls - This allows you to reduce the area that is covered by the access point. War driving is a method of discovering 802.11 wireless networks by driving around with a laptop and looking for open wireless networks. NetStumbler is a common war-driving tool. "

"You have been hired to access the security needs for an organization that uses several Web technologies. During the assessment, you discover that the organization uses HTTPS, S-HTTP, ActiveX, and JavaScript. You need to rank these technologies based on the level of security they provide. Which of the technologies listed provides the highest level of security? A HTTPS B S-HTTP C ActiveX D JavaScript "

" Answer: HTTPS Explanation: Of the options given, HTTPS provides the highest level of security. The HTTP Secure (HTTPS) protocol provides a secure connection between two computers. The connection is protected, and all traffic between the two computers is encrypted. HTTPS uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It uses private key encryption to encrypt the entire channel. HTTPS uses port 443 by default. Secure HTTP (S-HTTP) is different from HTTPS. S-HTTP allows computers to negotiate an encryption connection and is not as secure as HTTPS. It uses document encryption to protect the HTTP document's contents only. ActiveX is very vulnerable to attacks because users can configure their computer to automatically access an ActiveX component or control. JavaScript scripts can be downloaded from a Web site and executed, causing damage to systems. "

"Which system detects network intrusion attempts and controls access to the network for the intruders? A firewall B IDS C IPS D VPN "

" Answer: IPS Explanation: An intrusion prevention system (IPS) detects network intrusion attempts and controls access to the network for the intruders. An IPS is an improvement over an intrusion detection system (IDS) because an IPS actually prevents intrusion. A firewall is a device that is configured to allow or prevent certain communication based on preconfigured filters. A firewall can protect a computer or network from unwanted intrusion using these filters. However, any communication not specifically defined in the filters is either allowed or denied. Firewalls are not used to detect and prevent network intrusion. An IDS only detects the intrusion and logs the intrusion or notifies the appropriate personnel. A virtual private network (VPN) is a private network that users can connect to over a public network. "

"Your organization is trying to increase network security. After a recent security planning meeting, management decides to implement a protocol that digitally signs packet headers and encrypts and encapsulates packets. Which protocol should you implement? AES CA DES IPsec "

" Answer: IPsec Explanation: You should implement Internet Protocol security (IPsec). This protocol digitally signs Internet Protocol (IP) packet headers and encrypts and encapsulates packets. IPsec provides both authentication and encryption, and is regarded as one of the strongest security standards. When the Authentication Header (AH) protocol is used, IPSec digitally signs packet headers, and when the Encapsulating Security Protocol (ESP) is used, IPsec encrypts packets. AH is protocol ID 51, and ESP is protocol ID 50. When tunnel mode is used, packets are encapsulated within other packets; when transport mode is used, packets are not encapsulated. Two routers that require secure communications should use IPSec in tunnel mode to encrypt packets. Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are private key encryption standards that can be used to protect the confidentiality of file contents. A Certification Authority (CA) creates and manages digital certificates, which contain digital signatures and identification information for the owners of the digital signatures. "

"Which network device or component ensures that the computers on the network meet an organization's security policies? A NAT B IPsec C DMZ D NAC "

" Answer: NAC Explanation: Network Access Control (NAC) ensures that the computer on the network meet an organization's security policies. NAC user policies can be enforced based on the location of the network user, group membership, or some other criteria. Media access control (MAC) filtering is a form of NAC. Network Address Translation (NAT) is an IEEE standard that provides a transparent firewall solution between an internal network and outside networks. Using NAT, multiple internal computers can share a single Internet interface and IP address. Internet Protocol Security (IPsec) is a protocol that secures IP communication over a private or public network. IPSec allows a security administrator to implement a site-to-site VPN tunnel between a main office and a remote branch office. A demilitarized zone (DMZ) is a section of a network that is isolated from the rest of the network with firewalls. Servers in a DMZ are more secure than those on the regular network. When connecting to a NAC, the user should be prompted for credentials. If the user is not prompted for credentials, the user's computer is missing the authentication agent."

"You have two wireless networks in your building. The wireless networks do not overlap. Both of them use Wi-Fi Protected Access (WPA). You want to ensure that no unauthorized wireless access points are established. What should you do? A Change the two wireless networks to WPA2. B Change the two wireless networks to WEP. C Periodically complete a site survey. D Disable SSID broadcasts for the two wireless networks. "

" Answer: Periodically complete a site survey. Explanation: You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information. You need to ensure that hackers cannot use site surveys to obtain this information. To protect against unauthorized site surveys, you should change the default Service Set Identifier (SSID) and disable SSID broadcasts. Immediately upon discovering a wireless access point using a site survey, you should physically locate the device and disconnect it. Site surveys are also used to analyze antenna placement. To ensure that no unauthorized wireless access points are established, you should not change the two wireless networks to WPA2. This would increase the security for the two networks and prevent hackers from accessing the networks. However, it would not prevent an attacker from setting up a new wireless access point. You should not disable SSID broadcasts for the two wireless networks to ensure that no unauthorized wireless access points are established. The reason you would disable SSID broadcasts is to protect a wireless network from hackers and to prevent unauthorized site surveys. Disabling the SSID broadcast on an existing network CANNOT prevent the establishment of new wireless access points. When adding a new access point, you should ensure that you correctly configure the new access point, especially if other wireless access points are already in use in the area. If a new access point has intermittent problems with users connecting successfully and then being disconnected, the new access point could be interfering with an old access point. You would need to reconfigure the new access point. There are three main types of site surveys: Passive - a site survey application passively listens to wireless traffic to detect access points and measure signal strength and noise level. However, the wireless adapter being used for a survey is not associated with any WLANs. For system design purposes, one or more temporary access points are deployed to identify and quantify access point locations. Active - the wireless adapter is associated with one or several access points to measure round-trip time, throughput rates, packet loss, and retransmissions. Active surveys are used to troubleshoot wireless networks or to verify performance post-deployment. Predictive - a model of the RF environment, including location and RF characteristics of barriers like walls or large objects, is created using simulation tools. Therefore, temporary access points or signal sources can be used to gather information on propagation in the environment. The value of a predictive survey as a design tool versus a passive survey done with only a few access points is that modeled interference can be taken into account in the design."

"Management has requested that you ensure all firewalls are securely configured against attacks. You examine one of your company's packet-filtering firewalls. You have configured the following rules on the firewall: Permit all traffic to and from local hosts. Permit all inbound TCP connections. Permit all SSH traffic to linux1.kaplanit.com. Permit all SMTP traffic to smtp.kaplanit.com. Which rule will most likely result in a security breach? Permit all traffic to and from local hosts. Permit all inbound TCP connections. Permit all SSH traffic to linux1.kaplanit.com. Permit all SMTP traffic to smtp.kaplanit.com. "

" Answer: Permit all inbound TCP connections. Explanation: The Permit all inbound TCP connections filter will most likely result in a security breach. This rule is one you will not see in most firewall configurations. By simply allowing all inbound TCP connections, you are not limiting remote hosts to certain protocols. Security breaches will occur because of this misconfiguration. You should only allow those protocols that are needed by remote hosts, and drop all others. In most cases, permitting all traffic to and from local hosts is a common firewall rule. If you configure firewall rules regarding local host traffic, you should use extreme caution. It is hard to predict the type of traffic originating with your local hosts. If you decide to drop certain types of traffic, users may complain about being unable to reach remote hosts. Limiting certain types of traffic, such as SSH and SMTP traffic, to certain computers is a common firewall configuration. By using this type of rule, you can protect the other computers on your network from security breaches using those protocols or ports. Other common firewall packet filters include dropping inbound packets with the Source Routing option set, dropping router information exchange protocols, and dropping inbound packets with an internal source IP address. For the most part, filters blocking outbound packets with a specific external destination IP address are not used. Any time rules are implemented on a network, you are using rules-based management. With these rules, you specifically allow or deny traffic based on IP address, MAC address, protocol used, or some other factor"

"Your company has a UNIX computer. Several users have requested remote access to this server. You need to implement a solution that transmits encrypted authentication information over a secure communications channel and transmits data securely during terminal connections with UNIX computers. Which technology should you use? A FTP B HTTP C SSH D Telnet "

" Answer: SSH Explanation: You should use Secure Shell (SSH). It transmits both authentication information and data securely during terminal connections with UNIX computers. SSH operates over port 22 by default. File Transfer Protocol (FTP) and Telnet transfer authentication information in clear text. Hypertext Transfer Protocol (HTTP) transfers data in clear text, and HTTP does not require authentication information. FTP uses ports 20 and 21 by default. Telnet uses port 23 by default. HTTP uses port 80 by default."

"You company needs to be able to provide employees as to a suite of applications. However, you do not want the employees to install a local copy of the applications. Which method should you use to deploy the suite of applications? virtualization Platform as a Service Software as a Service Infrastructure as a Service "

" Answer: Software as a Service Explanation: You should use Software as a Service (SaaS) to deploy the suite of applications. This will ensure on-demand, online access to the suite without the need for local installation. Another example of this type of cloud computing deployment is when a company needs to give employees access to a database but cannot invest in any more servers. WebMail is an example of this cloud computing type. Virtualization hosts one or more operating systems (OSs) within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware and allows multiple OSs to work simultaneously on the same hardware. Virtualization would not be the best choice here because it would limit the number of users who could access the application suite. In addition, the performance of the virtual machine would decline as more users simultaneously access the application suite. Platform as a Service (PaaS) is not the best choice here. PaaS is a platform that provides not only a deployment platform but also a value added solution stack and an application development platform. It provides customers with an operating system that is easy to configure. It is on-demand computing for customers. Infrastructure as a Service (IaaS) is not the best choice in this situation. IaaS is a platform that provides computer and server infrastructure typically provided as a virtualization environment. The platform would provide the ability for consumers to scale their infrastructure up or down by demand and pay for the resources consumed. This cloud computing model provides the greatest flexibility but requires a greater setup and maintenance overhead than the other cloud computing models. Cloud computing has three main models: SaaS, PaaS, and IaaS. The security control that is lost when using cloud computing is physical control of the data. The main difference between virtualization and cloud computing is location and ownership of the physical components. When virtualization is used, a company uses their own devices to set up a virtual machine. When cloud computing is used, a company pays for access to another company's devices. Other cloud technologies that you need to be familiar with include the following: Private cloud - a cloud infrastructure operated solely for a single organization that can be managed internally or by a third party, and hosted internally or externally Public cloud - when the cloud is rendered over a network that is open for public use Community cloud - shares infrastructure between several organizations from a specific community that can managed internally or by a third party, and hosted internally or externally Hybrid cloud - two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models "

"Often the sales people for your company need to connect some wireless devices together without having an access point available. You need to set up their laptops to ensure that this communication is possible. Which communications mode should you use? ad hoc infrastructure transport tunnel "

" Answer: ad hoc Explanation: You should use ad hoc, which is an 802.11b communications mode that enables wireless devices to communicate directly. The 802.11b wireless networking technology is sometimes referred to as WiFi. In infrastructure mode, 802.11b devices must communicate through wireless access points. Transport and tunnel modes are provided by Internet Protocol Security (IPSec) to transmit Internet Protocol (IP) packets securely. "

"Which type of monitoring is most likely to produce a false alert? misuse-detection-based anomaly-based behavior-based signature-based "

" Answer: anomaly-based Explanation: Anomaly-based monitoring is most likely to produce a false alert. With anomaly-based monitoring, alerts occur where there are any deviations from normal behavior. Deviations from normal behavior will normally occur but are not always indications of a possible attack. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process. Misuse-detection-based monitoring is the same as signature-based monitoring. Signature-based monitoring is more likely to give you a false sense of security rather than a false alert. Signature-based monitoring relies upon a database that contains the identities of possible attacks. This database is known as the signature database. Signature-based monitoring watches for intrusions that match a known identity or signature. Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Behavior-based monitoring is not likely to produce a false alert because you defined non-acceptable behavior. It is more susceptible to giving you a false sense of security. It is only as strong as the behaviors you have defined. If you do not properly define inappropriate behaviors, then attacks can occur. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. "

"Which type of firewall is most detrimental to network performance? A. stateful firewall B. circuit-level proxy firewall C. packet-filtering firewall D. application-level proxy firewall "

" Answer: application-level proxy firewall Explanation: An application-level proxy firewall is most detrimental to network performance because it requires more processing per packet. The packet-filtering firewall provides high performance. Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls. Kernel proxy firewalls offer better performance than application-level firewalls. This type of firewall is a firewall that is built into the operating system kernel. An application-level firewall creates a virtual circuit between the firewall clients. Each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol's data. Unlike a circuit-level firewall, an application-level firewall does not examine the IP address and port of the data packet. Often these types of firewalls are implemented as a proxy server. A proxy-based firewall provides greater network isolation than a stateful firewall. A stateful firewall provides greater throughput and performance than a proxy-based firewall. In addition, a stateful firewall provides some dynamic rule configuration with the use of the state table."

"You are responsible for managing your company's virtualization environment. Which feature should NOT be allowed on a virtualization host? A implementing IPsec B browsing the Internet C implementing a firewall D monitoring the event logs"

" Answer: browsing the Internet Explanation: You should not allow browsing the Internet on a virtualization host. This can present a possible security breach through the introduction of spyware or malware. Anything that affects a virtualization host also affects all virtual computers on the host. Virtual servers have the same information security requirements as physical servers. You should implement IPsec, implement a firewall, and monitor the event logs of a virtualization host. IPsec helps by encrypting data as it transmits across the network. Firewalls prevent unauthorized access to a physical or virtual computer. Event logs help administrators to detect when security breaches have occurred or are being attempted. "

"Which job is NOT provided by a network protocol analyzer? A. provide network activity statistics B identify the sources and destinations of communications C detect active viruses or malware on the network D identify the types of traffic on the network "

" Answer: detect active viruses or malware on the network Explanation: A network protocol analyzer, also known as a packet sniffer, does not detect active viruses or malware on the network. Most network protocol analyzers provide the following functions: Provide network activity statistics. Identify the sources and destinations of communications. Identify the types of traffic on the network. Detect unusual level of traffic. Detect specific pattern characteristics. A network protocol analyzer can determine if passwords are being transmitted over the network in clear text. It can also be used to read the contents of any File Transfer Protocol (FTP) packet, including an FTP GET request. WireShark is a commercial network protocol analyzer. A protocol analyzer can be used by a security administrator to identify a problem between two systems that are not communicating properly, although there are other tools that may be used first. "

"Which firewall architecture has two network interfaces? A bastion host B screened host C screened subnet D dual-homed firewall "

" Answer: dual-homed firewall Explanation: A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the Internet. The other interface connects to the private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs. A bastion host is a computer that resides on a network that is locked down to provide maximum security. These types of hosts reside on the front line in a company's network security systems. The security configuration for this entity is important because it is exposed to un-trusted entities. Any server that resides in a demilitarized zone (DMZ) should be configured as a bastion host. A bastion host has firewall software installed, but can also provide other services. A screened host is a firewall that resides between the router that connects a network to the Internet and the private network. The router acts as a screening device, and the firewall is the screen host. Screened subnet is another term for a demilitarized zone (DMZ). Two firewalls are used in this configuration: one firewall resides between the public network and DMZ, and the other resides between the DMZ and private network."

"Which type of firewall only examines the packet header information? A stateful firewall B kernel proxy firewall C packet-filtering firewall D application-level proxy firewall "

" Answer: packet-filtering firewall Explanation: A packet-filtering firewall only looks at a data packet to obtain the source and destination addresses and the protocol and port used. This information is then compared to the configured packet-filtering rules to decide if the packet will be dropped or forwarded to its destination. A packet-filtering firewall only examines the packet header information. Packet-filtering firewalls are based on access control lists (ACLs). They are application independent and operate at the Network layer of the OSI model. They cannot keep track of the state of the connection. A stateful firewall usually examines all layers of the packet to compile all the information for the state table. A kernel proxy firewall examines every layer of the packet, including the data payload. An application-level proxy firewall examines the entire packet. "

"Which type of monitoring requires that updates be regularly obtained to ensure effectiveness? network-based anomaly-based behavior-based signature-based "

" Answer: signature-based Explanation: Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. Network-based monitoring is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception. Anomaly-based monitoring detects activities that are unusual. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous activities. Sometimes the baseline is established through a manual process. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly. "

"You are responsible for managing security for a network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the network. Match each description with the protocol that it BEST fits. Missing Image"

" Explanation: The protocols should be matched with the descriptions in the following manner: IPSec - A tunneling protocol that provides secure authentication and data encryption SNMP - A network management protocol that allows communication between network devices and the management console SFTP - A file transferring protocol that uses SSH for security FTPS - A file transferring protocol that uses SSL for security"

"Your company management has recently purchased a RADIUS server. This RADIUS server will be used by remote employees to connect to internal resources. You need to ensure that multiple client computers, including Windows Vista and Windows 7, are able to connect to the RADIUS server in a secure manner. What should you deploy? A flood guard B 802.1x C unified threat management D VLAN "

"Answer: 802.1x Explanation: You should deploy 802.1x to allow remote employees to connect to internal resources via a RADIUS server. Implementing 802.1x would allow a company to reduce the exposure of sensitive systems to unmanaged devices on internal networks. 802.1x can also be used on wired networks to segment traffic intended for the wireless access point. For example, if a company has several conference rooms with wired network jacks that are used by both employees needing access to internal resources and guests needing access to the Internet only, you should implement 802.1x and VLANs. 802.1x is an good solution if you need to make sure that only devices authorized to access the network would be permitted to log in and utilize resources. Flood guards are devices that protect against Denial of Service (DoS) attacks. Unified threat management devices are devices that integrate a traditional firewall with network firewalling, intrusion prevention, antivirus (AV), anti-spam, VPN, content filtering, load balancing, data leak prevention and on-appliance reporting. A virtual LAN (VLAN) is a virtual subnetwork that is configured using a switch. This allows administrators to isolate network clients on their own subnetwork. Any remote employees that are allowed to access local resources should be given specialized security training. This training should include guidelines on the types of network that they can use. For example, remote users should NEVER access a corporate VPN or other resources over an unsecure wireless network. Accessing a VPN over open wireless can result in major security issues. "

"Your organization purchases a set of offices adjacent to your current office. You need to broaden the area to which a wireless access point (AP) can transmit. What should you do? A Maximize the power level setting. B Relocate the AP. C Adjust the power level setting slightly higher. D Change the channel used by the AP. "

"Answer: Adjust the power level setting slightly higher. Explanation: You should adjust the power level setting for the AP to a slightly higher setting. After changing the power level setting, you should reboot the AP. The only way to gain more coverage for an AP is to increase the power level. You should not maximize the power level setting. This might create an area that is larger than you intended. You should not relocate the AP. While this will alter the area covered by the AP, it will not actually make the area any larger and may actually prevent coverage in areas that were covered in the previous location. You should not change the channel used by the AP. This is what you should do if you find that two wireless APs are interfering with each other because they use the same channel."

"Your company has decided to deploy a new wireless network at a branch office. This branch office is located in a busy commercial district. Management has asked you to fully assess the external vulnerabilities of the wireless network before it is deployed. Which three conditions should you assess? (Choose three.) A Number of users B Antenna selection C Antenna placement D Access point power E Speed of connection F Captive portals "

"Answer: Antenna selection Antenna placement Access point power Explanation: Antenna selection (such as the use of directional versus omnidirectional antennas) plays an important role in protecting a wireless network. Using a directional antenna can limit the area that is covered by the antenna. Antenna placement will also have an effect on the vulnerabilities of a wireless system. Antennas should be placed as far away from exterior walls as possible. Otherwise, the signal will go outside the building. This allows anyone outside the building to attach to your network. That is why RADIUS and other technologies are required for wireless networks. The power of the access points should be adjusted to a level that is just strong enough for the operation of the network, but not so strong that signals escape to the outside of the building. You should reduce power levels for better security to ensure that the signal does not extend beyond its needed range. The number of users and the speed of the connection will not cause external vulnerabilities to a wireless system. The number of user addresses is, however, a cause of external vulnerabilities. Captive portals are a type of wireless access point that only permits Internet access to authenticated users. While an organization may want to deploy this solution, it is not necessary to assess this as an external vulnerability. You should ensure that any wireless network that you deploy is properly protected from unauthorized users. Usually this just involves deploying the network using the WPA or WPA2 protocol. If you use WEP, unauthorized users can easily gain access to your network. You should also be careful as to which internal resources are connected to the wireless network without deploying the appropriate security hardware, such as a firewall."

"You need to configure your company's remote access server to authenticate remote users using smart cards. Which protocol should you deploy? A EAP B WEP C WPA D WPA2 "

"Answer: EAP Explanation: You should use the Extensible Authentication Protocol (EAP). By using an EAP authentication protocol, such as EAP-Transport Level Security (EAP-TLS), for authentication, the remote access server can authenticate remote users with smart cards. The other authentication protocols listed do not support authentication using smart cards. WPA2 is stronger than WPA and WEP. WEP uses a 40-bit or 104-bit encryption key that must be manually entered on wireless access points and devices and does not change automatically. WPA uses Temporal Key Integrity Protocol (TKIP) and employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet. WPA2 introduces Counter-Mode/CBC-Mac Protocol (CCMP), a new AES-based encryption mode with strong security. "

"Management has recently expressed concern over port security. You have been asked to ensure that all network ports are as secure as possible. Which of the following methods of port security should you implement? (Choose all that apply.) A Ensure that wiring closets are locked. B Ensure that TCP and UDP ports are managed properly. C Ensure that port knocking is not implemented. D Ensure that the MAC address of connected devices are monitored."

"Answer: Ensure that wiring closets are locked. Ensure that TCP and UDP ports are managed properly. Ensure that the MAC address of connected devices are monitored. Explanation: Port security is implemented on switches to ensure unauthorized devices cannot connect to the network through that port. Valid methods of port security include the following: Ensure wiring closets are locked - This ensures that rogue devices cannot be plugged into your network. Ensure that TCP and UDP ports are managed properly - This ensures that hackers cannot access your network via open TCP or UDP ports. Ensure that the MAC address of connected devices are monitored - This ensures that devices that connect to the network are identified. Media access control (MAC) addresses are used to uniquely identify network devices, including computers. Port knocking does provide some level of port security. The option regarding port knocking is incorrect because it states that you should NOT implement port knocking."

"You have been hired as a security consultant by a new small business. The business owner wants to implement a secure Web site. You suggest that the Web pages be secured using SSL. Which protocol should be used? A HTTPS B L2TP C PPTP D SPX "

"Answer: HTTPS Explanation: Hypertext Transfer Protocol Secure (HTTPS) should be used because it securely transmits Web pages over Secure Sockets Layer (SSL). HTTPS operates over port 443 by default. Sequenced Packet Exchange (SPX) is the connection-oriented transport protocol provided on Internetwork Packet Exchange (IPX)/SPX networks. Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) create secure tunnels through the public Internet. PPTP operates over port 1723 by default. L2TP operates over port 1701 by default. "

"You work for a company that installs networks for small businesses. During a recent deployment, you configure a network to use the Internet Protocol Security (IPSec) protocol. The business owner asks you to explain why this protocol is being used. Which three are valid reasons for using this protocol? (Choose three.) A IPSec can work in either tunnel mode or transport mode. B IPSec uses Encapsulation Security Payload (ESP) and Authentication Header (AH) as security protocols for encapsulation. C The IPSec framework uses L2TP as the encryption protocol. D The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions. E IPSec ensures availability of information as a part of the CIA triad. "

"Answer: IPSec can work in either tunnel mode or transport mode. IPSec uses Encapsulation Security Payload (ESP) and Authentication Header (AH) as security protocols for encapsulation. The IPSec framework is used in a virtual private network (VPN) implementation to secure transmissions. Explanation: Internet Protocol Security (IPSec) can operate in either tunnel mode or transport mode. In transport mode, only the message part of a packet (the payload) is encrypted by Encapsulating Security Payload (ESP). In IPSec tunnel mode, the entire packet including the packet header and the routing information is encrypted. IPSec tunnel mode provides a higher level of security than transport mode. Either of the two modes can be used to secure either gateway-to-gateway or host-to-gateway communication. If used in gateway-to-host communication, the gateway must act as the host. IPSec uses ESP and Authentication Header (AH) as security protocols. AH provides the authentication mechanism, and ESP provides encryption, confidentiality, and message integrity. IPSec sets up a secure channel that uses a strong encryption and authentication method between two network devices, such as routers, VPN concentrators, and firewalls. IPSec can provide security between any two network devices running IPSec, but its chief implementation is in securing virtual private network (VPN) communications. IPSec provides security by protecting against traffic analysis and replay attacks. IPSec is primarily implemented for data communication between applications that transfer data in plain text. IPSec secures the network device against attacks through encryption and encapsulation. The IPSec does not use the L2TP protocol to encrypt messages. L2TP is used for secure communication in VPN networks and is a hybrid of L2F and PPTP. IPSec ensures integrity and confidentiality of IP transmissions, but cannot ensure availability of the information. "

"Your company currently uses IPv4 addresses on its network. You need to convince your organization to start using IPv6 addresses. Which two reasons for changing should you give management? (Choose two.) A It has 4 billion available addresses B It has 340 undecillion available addresses C It uses 32-bit addresses D It uses 128-bit addresses "

"Answer: It has 340 undecillion available addresses It uses 128-bit addresses Explanation: IPv6 uses 128-bit IP addresses and allows for the use of 340 undecillion addresses. An IPv6 address uses a mixture of numbers and alphanumeric characters. IPv4 uses 32-bit addresses and allows for the use of 4 billion addresses. Internet Protocol (IP) is one of the protocols included in the Transmission Control Protocol/Internet Protocol (TCP/IP). "

"You are implementing a new VPN for your organization. You need to use an encrypted tunneling protocol that protects transmitted traffic and supports the transmission of multiple protocols. Which protocol should you use? A HTTP B HTTPS C FTP D L2TP over IPSec "

"Answer: L2TP over IPSec Explanation: You should use Layer 2 Tunneling Protocol (L2TP) over IPSec. When you implement L2TP over IPSec, it encrypts transmitted traffic on virtual private network (VPN) connections. L2TP supports multiple protocols, such as Transmission Control Protocol (TCP), Internet Protocol (IP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA). L2TP is based on two older tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). Hypertext Transfer Protocol (HTTP) transmits information in clear text. Hypertext Transfer Protocol Secure (HTTPS) uses Secure Sockets Layer (SSL) to encrypt HTTP traffic. HTTPS only supports the encryption of HTTP traffic. File Transfer Protocol (FTP) transmits data in clear text. HTTP uses port 80, and HTTPS uses port 443."

"During maintenance, you often discover invalid devices connected to your wireless network. You need to ensure that only valid corporate devices can connect to the network. What should you configure to increase the security of this wireless network? A SSID broadcast B war driving C rogue access points D MAC filtering "

"Answer: MAC filtering Explanation: To increase the security of this wireless network, you should configure Media Access Control (MAC) filtering. With this filtering, the MAC address of each network interface card (NIC) that attempts to connect to the network is checked. Only MAC addresses that are specifically allowed connection are granted connection. When configuring MAC filtering, you should set up an access control list (ACL). Some access points also allow you to configure MAC filtering for those addresses that should be denied access. But always keep in mind that the MAC addresses will need to be entered manually. MAC filtering is easily vulnerable to spoofing because MAC address information is sent unencrypted. An attacker then discovers the address and impersonates an approved device. If a user is able to connect to a wireless network using one mobile device but not another, the most likely cause is that MAC filtering is enabled. MAC filtering can be used to both allow access and deny access. The following examples are both types of entries on a router: PERMIT 0A:1:FA:B1:03:37 and DENY 01:33:7F:AB:10:AB. A service-set identifier (SSID) broadcast actually decreases security in a wireless network. If the SSID is broadcast, any wireless NICs in the proximity can locate the network. If you disable SSID broadcast, you increase the security of your network, and users will have to type the SSID to connect. However, it does not prevent invalid devices from connecting to the network. War driving is a technique used to discover wireless networks. Once intruders locate your wireless network, they attempt to hack into your system. Rogue access points are wireless access points that have been connected to your network without authorization. This decreases the security of your network. A site scan can be used to determine if you have rogue access points. For example, if your company is located in a building with three wireless networks, you have a rogue access point if a quarterly scan showed the following results: CorpPrivate - Connected Channel 1 - 70dbm CorpPublic - Connected Channel 5 - 80dbm CorpResearch - Connected Channel 3 - 75dbm CorpDev - Connected Channel 6 - 95dbm Radio frequency interference (RFI) can cause wireless network problems. It can come from cordless phones, microwaves, and other equipment. For example, if your wireless network is frequently dropping connections, you could have a cordless phone interfering with the wireless access point. "

" At which layer of the OSI model do routers operate? A Session B Network C Physical D Data-link E Transport "

"Answer: Network Explanation: Routers operate at the Network layer (Layer 3) of the OSI networking model. They use source and destination addresses, which are located at the Network layer, to route packets. Switches use MAC addresses, which are located at the Data Link layer, to forward frames. The Data Link layer is Layer 2. The Session layer (Layer 5) starts, maintains, and stops sessions between applications on different network devices. The Physical layer (Layer 1) provides the functions to establish and maintain the physical link between network devices. Repeaters work at the Physical layer. The Transport layer (Layer 4) of the OSI model segments and reassembles data into a data stream and provides reliable and unreliable end-to-end data transmission. Bridges work at the Data Link layer (Layer 2)."

"Your company has decided to deploy a data storage network solution. You have been asked to research the available options and report the results, including deployment cost, performance, and security issues. Which of the following solutions should NOT be included as part of your research? A iSCSI B Fibre Channel C RAID D FCoE "

"Answer: RAID Explanation: RAID is a data storage solution that combines multiple physical drives into a single unit. The drives in the RAID configuration all reside in the same physical computer. iSCSI, Fibre Channel, and Fibre Channel over Ethernet (FCoE) are all data storage network solutions that allow you to link data storage locations. "

"You manage the security for a small corporate network that includes a hub and firewall. You want to provide protection against traffic sniffing. What should you do? Replace the hub with a switch. Replace the hub with a repeater. Implement filters on the hub. Implement access control lists (ACLs) on the hub. "

"Answer: Replace the hub with a switch. Explanation: You should replace the hub with a switch. This will provide some protection against traffic sniffing. In a network that uses hubs, packets are visible to every node on the network. When switches are used, the packets are forwarded only to the host for which the packet is intended because a switch does not forward packets out all of its ports. This prevents the ability of users on the same network from viewing each other's traffic, thereby providing some level of protection against traffic sniffing. Traffic sniffing captures data packets not intended for the sniffer. A network-based intrusion detection system (IDS) can be used to capture packets on a switch. You should not replace the hub with a repeater. A repeater receives a signal and repeats it, thereby ensuring the signal degradation does not occur. A repeater cannot protect against traffic sniffing by itself. You cannot implement filters or ACLs on a hub. Implementing filters and ACLs on switches or routers provides a means whereby traffic is allowed or prevented, and then forwarded to the appropriate node. Applying filters to routers can protect against Internet Protocol (IP) spoofing attacks. "

"One department in your company needs to be able to easily transfer files over a secure connection. All of the files are stored on a UNIX server. You have been asked to suggest a solution. Which protocol should you suggest? FTP SCP SSH Telnet "

"Answer: SCP Explanation: You should suggest that the department use Secure Copy (SCP). This protocol is used on UNIX networks to transfer files over a secure connection and operates at OSI layer 7. SCP uses SSH and operates over port 22 by default. File Transfer Protocol (FTP) is used to transfer files in clear text, which is not secure. FTP also transfers authentication information in clear text. FTP operates over ports 20 and 21 by default. Secure Shell (SSH) enables users to establish secure terminal connections with Unix computers, but does not allow the transfer of files. It requires SCP to transfer files. SSH operates over port 22 by default. Telnet enables users to establish nonsecure clear text terminal connections with UNIX computers. Telnet also transmits authentication information in clear text. Telnet operates over port 23 by default. To enhance network security, you should disable all unnecessary services and protocols on all server and client computers on a network because they pose a risk. "

"Recently, your company's network has been attacked from outside the organization. The attackers then changed the configuration of several network devices. Management has asked you to monitor network devices on a regular basis. Which protocol should you deploy? A SMTP B SNMP C DHCP D DNS "

"Answer: SNMP Explanation: You should deploy Simple Network Management Protocol (SNMP) to monitor network devices and the devices' parameters. It uses port 161 to communicate. SNMP allows an administrator to set device traps. Simple Mail Transfer Protocol (SMTP) is used for e-mail over port 25 by default. Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses over ports 67 and 68 by default. Domain Name System (DNS) is used to manage IP address to host name mappings. If a power failure or attack occurs, administrators should have a plan for restoring the servers. In most cases, you should bring your DNS or BIND server up first to ensure that Internet communication is restored and that the other servers can connect to the Internet. "

"Your company implements an Ethernet network. During a recent analysis, you discover that network throughput capacity has been wasted as a result of the lack of loop protection. What should you deploy to prevent this problem? A STP B TTL C flood guards D network separation "

"Answer: STP Explanation: You should deploy spanning tree protocol (STP). The primary loop protection on an Ethernet network is STP. The problem with looping is the waste of network throughput capacity. STP can help mitigate the risk of Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches. Time To Live (TTL) is the primary loop protection on an IP network. Flood guards are devices that protect against Denial of Service (DoS) attacks. Network separation is a technique that is used to prevent network bridging. Network bridging can cause performance issues in the network. You can employ network separation by using routers or firewalls to implement IP subnets. Often routers or switches are the main network devices on an Ethernet network. Switches are considered more secure than routers. Secure router configuration is a must when routers are deployed. A secure router configuration is one where malicious or unauthorized route changes are prevented. To do this, complete the following steps: Configure the router's administrator password to something unique and secret. Configure the router to ignore all Internet Control Message Protocol (ICMP) type 5 redirect messages. Implement a secure routing protocol that requires authentication and data encryption to exchange route data. Configure the router with the IP addresses of other trusted routers with which routing data can be exchanged. "

"You need to implement security countermeasures to protect from attacks being implemented against your PBX system via remote maintenance. Which policies provide protection against remote maintenance PBX attacks? (Choose all that apply.) A Turn off the remote maintenance features when not needed. B Use strong authentication on the remote maintenance ports. C Keep PBX terminals in a locked, restricted area. D Replace or disable embedded logins and passwords. "

"Answer: Turn off the remote maintenance features when not needed. Use strong authentication on the remote maintenance ports. Keep PBX terminals in a locked, restricted area. Replace or disable embedded logins and passwords. Explanation: You should implement all of the given policies to provide protection against remote maintenance PBX attacks. You should turn off the remote maintenance features when not needed and implement a policy whereby local interaction is required for remote administration. You should use strong authentication on the remote maintenance ports. This will ensure that authentication traffic cannot be compromised. You should keep PBX terminals in a locked, restricted area. While this is more of a physical security issue, it can also affect remote maintenance attacks. If the physical security of a PBX system is compromised, the attacker can then reconfigure the PBX system to allow remote maintenance. You should replace or disable embedded logins and passwords. These are usually configured by the manufacturer to allow back door access to the system. "

"While performing routine network monitoring for your company, you notice a lot of IPSec traffic. When you report your findings to management, management wants you to explain the high amount of IPSec traffic. What is a common implementation of this protocol that you should mention? A EDI B VPN C SET D SSL "

"Answer: VPN Explanation: Internet Protocol Security (IPSec) is a security standard commonly implemented to create virtual private networks (VPNs). IPSec allows packets to be securely exchanged over the Internet Protocol (IP) at the Network layer (Layer 3) rather than at the Application layer (Layer 7) of the Open Systems Interconnection (OSI) model. The Internet Engineering Task Force (IETF) developed the standard, but Cisco has contributed to its emergence. Cisco routers have support for IPSec built into the product. IPSec supports two encryption modes: transport and tunnel. Transport mode encrypts only the data portion of each packet, but not the header information. Tunnel mode encrypts both the header and the data. For IPSec to work, the sending and receiving devices must share a public key. Exchange Data Interchange (EDI) is a protocol used to exchange business data in a standard format. Secure Electronic Transfer (SET) is used to provide security for credit card transactions. Secure Sockets Layer (SSL) is a security protocol that uses both encryption and authentication to protect data sent in network communications. VPNs are sometimes commonly referred to as tunnels. A VPN essentially consists of a VPN server, authentication, and encryption. The VPN software encrypts the session information, as well as most message information, including File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) messages. The Data link layer information remains unaltered (Layer 2). The most effective attack against an IPSec-based VPN is a man in the middle attack."

"Which device is the BEST solution to protect all traffic on an HTTP/HTTPS server? A. network-based IDS B. host-based IDS C. network firewall D. Web application firewall"

"Answer: Web application firewall Explanation: The BEST solution to protect all traffic on an HTTP/HTTPS server is a Web application firewall. A Web application firewall can be implemented in hardware or software to protect a Web server from a cross-site scripting attack. A Web application firewall (WAF) provides security at the Application layer (Layer 7) of the OSI model. None of the other solutions provides the same level of security as the Web application firewall. The network firewall would be able to provide some protection, but it provides more services than you really need. In addition, because the network firewall protects the entire network, its performance could be degraded. An intrusion detection system (IDS) does not really secure any devices. By definition, an IDS detects intrusions and sends out alerts when the intrusions occur. Remember that security professionals should always keep a defense-in-depth or layered security approach in mind. Physical security is often considered the first layer of security and includes any mechanisms that protect the physical security of your facility. However, physical security is not enough to completely protect your assets. Once physical security is covered, then perimeter security and internal network security should be assessed. The last three aspects are host security, application security, and data security. Encompassing all of these layers is the personnel you use. Personnel can affect any layer of defense. Training personnel is key to ensuring that security is not compromised. "

"You need to implement an independent network within your private LAN. Only users in the Research and Development department should be able to access the independent network. The solution must be hardware based. Which type of network should you deploy? A a VPN B a VLAN C a DMZ D an extranet "

"Answer: a VLAN Explanation: You should deploy a virtual local area network (VLAN). This type of network can be used to ensure that internal access to other parts of the network is controlled and restricted. A VLAN is usually created using a switch. VLAN segregation protects each individual segment by isolating the segments. VLAN segregation is best used to prevent ARP poisoning attacks across a network. VLANs provide a layer of protection against sniffers, and can decrease broadcast traffic. Creating a VLAN is much simpler than using firewalls or implementing a virtual private network (VPN). A VLAN is a good solution if you need to separate two departments into separate networks. VLAN management is implemented at the switch to configure the VLANs and the nodes that are allowed to participate in a particular VLAN. You can configure a switch to allow only traffic from computers based upon their physical (MAC) address. A VPN is a private network that is implemented over a public network, such as the Internet. A demilitarized zone (DMZ) or screened subnet is a subnet on a LAN that is screened from the private network using firewalls and contains the publicly accessed servers, such as a Web server. An extranet is a secure network connection through the Internet that is designed for business-to-business communications. "

"What is an embedded firewall? a firewall that is integrated into a router a firewall that is installed on a server operating system a black box device a component that is added to a hardware firewall "

"Answer: a firewall that is integrated into a router Explanation: An embedded firewall is integrated into a router. A software firewall is installed on a server operating system, such as Windows XP or Linux. A hardware firewall is a black box device, which is designed to be deployed on a network with a minimum of configuration and installation effort. An application firewall is an example of a component added to a hardware firewall. An application firewall is designed to filter traffic at the Application layer of the Open Systems Interconnection (OSI) model. "

"Which device is designed to provide the most efficient transmission of traffic that is NOT specifically denied between networks? a hub a router a firewall a repeater "

"Answer: a router Explanation: A router is a device that is designed to transmit all data that is not specifically denied between networks, and to do so in the most efficient manner possible. A router enables connectivity between two or more networks and can connect multiple network segments into one network. A firewall is a mechanism that is designed to deny transmission of data that is not specifically allowed. For example, a firewall can be configured to ensure that messages on a TCP/IP subnet stay local to the subnet. Additionally, a firewall can be used to restrict access to a private network from the Internet. A hub and a repeater are central network connection devices that are designed to transmit data between computers on the same subnet. Hubs and repeaters are not used to transmit data between subnets. "

"Recently, an IT administrator contacted you regarding a file server. Currently, all users are granted access to all of the files on this server. You have been asked to change the configuration and designate which users can access the files. What should you use to do this? A. a firewall B. a NAT server C an ACL D a proxy server "

"Answer: an ACL Explanation: An access control list (ACL) is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. The DAC model uses ACL to identify the users who have permissions to a resource. If a user is unable to access remote resources and you have ensured that the firewall is not blocking the user's communication, it could be that the ACL for the resource needs to be checked to ensure that user has the appropriate permission. An ACL is also configured at the remote access server to grant or deny remote access. A firewall allows and denies network access through communications ports. A NAT server presents public Internet Protocol (IP) addresses to the Internet on behalf of computers on a private network. A proxy server can be used to enable hosts to access Internet resources. A proxy server can increase the performance of a network by caching Web pages, which can reduce the amount of time required for clients to access Web pages. A proxy server is often used to cache and filter content. "

"You are creating an IDS solution for your company's network. You define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted. Which type of IDS are you using? A misuse-detection-based B anomaly-based C behavior-based D signature-based"

"Answer: behavior-based Explanation: A behavior-based IDS looks for behavior that is not allowed and acts accordingly. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. A misuse-detection-based IDS is the same as signature-based monitoring. A signature-based IDS requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. An anomaly-based IDS detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous behavior. Sometimes the baseline is established through a manual process. Another type of IDS that you need to understand is a heuristic IDS. This type of monitoring uses artificial intelligence (AI) to detect intrusions. "

"Which term is most commonly used to describe equipment that creates a demilitarized zone (DMZ)? router firewall active hub passive hub "

"Answer: firewall Explanation: A firewall is used to create a demilitarized zone (DMZ). A DMZ is a zone located between a company's internal network and the Internet that usually contains publically accessible servers. The DMZ implementation provides an extra security precaution to protect the resources on the company's internal network. Usually two firewalls are used to create a DMZ; one firewall resides between the public network and the DMZ, and another firewall resides between the DMZ and the private network. A router is used to create individual subnetworks on an Ethernet network. Routers operate at the Network layer of the OSI model (layer 3). While a firewall can also be a router, it is referred to as a firewall when it functions to create a DMZ. An active hub is used to connect devices in a star topology. An active hub has circuitry that allows signal regeneration. A passive hub connects devices in a star topology, but it does not provide any signal regeneration. A firewall is classified as a rule-based access control device. Rules are configured on the firewall to allow or deny packets passage from one network to another. The configuration of the rules is one of the biggest concerns for a firewall, because the rules can be very complex. Misconfiguration can easily lead to security breaches. Applying detailed instructions to manage the flow of network traffic at the edge of the network is implemented using firewall rules. These rules can allow or prevent traffic based on port, protocol, MAC address, or direction. A default rule found in a firewall's access control list (ACL) is Deny all. Filters are created according to the company's security policy. To provide maximum file security, firewalls should not run the Network Information System (NIS) file system. Compilers should be deleted from firewalls. "

"Which type of firewall is also referred to as an appliance firewall? A. application B. embedded C. hardware D. software "

"Answer: hardware Explanation: A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are often designed as stand-alone black box solutions that can be plugged in to a network and operated with minimal configuration and maintenance. An application firewall is typically integrated into another type of firewall to filter traffic that is traveling at the Application layer of the Open Systems Interconnection (OSI) model. An embedded firewall is typically implemented as a component of a hardware device, such as a switch or a router. A software firewall is a program that runs within an operating system, such as Linux, Unix, or Windows 2000. Firewalls can be used to create demilitarized zones (DMZs). A DMZ is a network segment placed between an internal network and a public network, such as the Internet. DMZs allow remote access to services while segmenting access to the internal network. Typically, either one or two firewalls are used to create a DMZ. A DMZ with a firewall on each end is typically more secure than a single-firewall DMZ. However, a DMZ implemented with one firewall connected to a public network, a private network and a DMZ segment is cheaper to implement than a DMZ implemented with two firewalls. If you have trouble communicating with a server that is located on a DMZ from the Internet and the internal network, the server probably has an incorrect default gateway address. "

"You have been hired by a small company to ensure that their internal network is protected against attacks. You must implement a secure network. As part of this implementation, what should be the default permission position? A explicit allow B implicit allow C explicit deny D implicit deny "

"Answer: implicit deny Explanation: The default permission position in a secure network should be implicit deny. This will ensure that if a user or group does not have an explicit allow permission configured, the access will default to an implicit deny. An implicit deny should be the last rule contained on any firewall because most firewalls do not default to this setting. This firewall rule is often defined with a Drop All statement. On Windows servers, the access control list (ACL) defaults to an implicit deny. None of the other permissions should be the default position in a secure network. An explicit allow is an allowed permission that is configured explicitly for that resource. An implicit allow is an allowed permission that is implied for that resource based on another explicit or implicit permission. An explicit deny is a denied permission that is configured explicitly for that resource. "

"What is the primary advantage of using a network-based intrusion detection system (NIDS)? A no counterattack on the intruder B ability to analyze encrypted information C low maintenance D high throughput of the individual workstations on the network "

"Answer: low maintenance Explanation: The primary advantage of an NIDS is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Configuration usually occurs at a single system, rather than on multiple systems. By contrast, host-based intrusion detection systems (HIDSs) are difficult to configure and monitor because the intrusion detection agent should be installed on each individual workstation of a given network segment. HIDSs are configured to use the operating system audit logs and system logs, while NIDSs actually examine the network packets. Individual hosts do not need real-time monitoring because intrusion is monitored on the network segment on which the NIDS is placed, and not on individual workstations. An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a Virtual Private network Tunnel (VPN) cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS. The high throughput of the workstations in a network does not depend on the NIDS installed in the network. Factors such as the processor speed, memory, and bandwidth allocated affect the throughput of workstations. The performance of an NIDS can be affected in a switched network environment because the NIDS will not be able to properly analyze all the traffic that occurs on the network on which it does not reside. An HIDS is not adversely affected by a switched network because it is primarily concerned with monitoring traffic on individual computers. "

"Which network device acts as an Internet gateway, firewall, and Internet caching server for a private network? A. proxy server B. VPN C. IDS D. IPS "

"Answer: proxy server Explanation: A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network. Hosts on the private network contact the proxy server with an Internet Web site request. The proxy server checks its cache to see if a locally stored copy of the site is available. If not, the proxy server communicates with its Internet connection to retrieve the Web site. The proxy server is virtually invisible to the client and the Internet connection. A proxy server can be configured to allow only outgoing Hypertext Transfer Protocol (HTTP) traffic by configuring which users have permissions to access the Internet via the proxy server. A virtual private network (VPN) is a private network that users can connect to over a public network. Often a VPN is implemented with a firewall to allow remote employees to connect to local resources. A VPN concentrator is the device that creates the VPN. An intrusion detection system (IDS) is a network device that detects network intrusion and either logs the intrusion or contacts the appropriate personnel. An intrusion prevention system (IPS) is a network device that detects network intrusion attempts and prevents the network intrusion. An IPS provides more security than an IDS because it actually provides prevention, not just detection. An Internet gateway can also be referred to as a Web security gateway. Its purpose is to defend against advanced Web attacks at the gateway. Firewalls, IDSs, IPSs, and proxies are often classified as application-aware devices because many of them can be configured to allow or deny traffic based on the application requesting access. "

"Your manager has asked you to improve network security by confining sensitive internal data traffic to computers on a specific subnet using access control lists (ACLs). Where should the ACLs be deployed? A firewalls B hubs C modems D routers "

"Answer: routers Explanation: The ACLs should be deployed on the routers. The ACLs will improve network security by confining sensitive data traffic to computers on a specific subnet. By implementing ACLs and rules, you can ensure that a secure router configuration is implemented, which will protect the routers and the subnets they manage. Firewalls are typically deployed on the public network interfaces. They typically are not involved in any internal traffic. Therefore, deployment ACLs on firewalls would not confine sensitive internal data traffic to computers on a specific subnet. A firewall is classified as a rule-based access control device. Rules are configured on the firewall to allow or deny packet passage from one network to another. Hubs are typically deployed to connect hosts in a network. Active hubs provide signal regeneration, while passive hubs do not. Hubs do not provide the ability to configure ACLs. Modems are typically deployed to provide phone line connections. Modems cannot control internal data traffic. However, they can provide security on the phone line connection. Another valid answer to the question that was not given is a switch. Switches are typically deployed to create virtual local area networks (VLANs). The switch isolates the VLAN from the rest of the network to provide better security for the VLAN. "

"Which type of intrusion detection system (IDS) watches for intrusions that match a known identity? A network-based IDS B anomaly-based IDS C behavior-based IDS D signature-based IDS "

"Answer: signature-based IDS Explanation: A signature-based IDS watches for intrusions that match a known identity or signature. All attack signatures are contained in a signature database. The signature database must be updated for a signature-based IDS to remain effective. A network-based IDS is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception. An anomaly-based IDS detects activities that are unusual. With this type of IDS, there is an initial learning period before anomalies can be detected. Once the baselines are established, an anomaly-based IDS can detect anomalous activities. Sometimes the baseline is established through a manual process. A behavior-based IDS detects behavior that is not allowed and acts accordingly. An IDS allows a security administrator to identify malicious activity after it has occurred. An intrusion prevention system (IPS) allows a security administrator to prevent malicious activity when it is attempted. "

"You have been hired by a law firm to create a demilitarized zone (DMZ) on their network. Which network device should you use to create this type of network? A. a bridge B. a firewall C. a hub d. a route"

"Answer: a firewall Explanation: An administrator can install a firewall on a network to create a demilitarized zone (DMZ). A DMZ separates a public network from a private network. A DMZ can be implemented with one firewall that is connected to the DMZ segment, the private network, and the Internet. A DMZ can also be implemented with two firewalls. In this configuration, one firewall is connected to a private network and a DMZ segment, and the other firewall is connected to the Internet and the DMZ segment. To implement a firewall, you should first develop and implement a firewall policy. When configuring a firewall policy, the default setting should deny all traffic not explicitly allowed. Firewalls implement stateful inspection by inspecting every packet and allowing or denying the packet based on the firewall policy. A bridge is a device that separates a network into distinct collision domains to control network traffic. A network divided by a bridge is considered to be a single network. A hub is a central connection device used on Ethernet networks. A router is a device that is designed to transmit data between networks on a TCP/IP internetwork. Bridges, hubs and routers are not used to create DMZs."

"Your organization deploys two wireless networks in close proximity. The configuration of the two wireless networks is as follows: SSID: Students - 802.11b using channel 1 SSID: Guest - 802.11g using channel 9 You have been asked to deploy a new wireless network for the Research department. This wireless network should only support 802.11g wireless devices and must use a different channel than the other wireless networks. The network should be named Research and should not be advertised. When you open the wireless router's interface, the Basic Wireless Settings screen is configured as follows:"

"Explanation: For this scenario, you should configure the Wireless Network Mode option as follows: Change the Wireless Network Mode setting to G-Only. Change the Wireless Network Name (SSID) setting to Research. Change the Wireless Channel setting to 5. Change the Wireless SSID Broadcast setting to Disable. For the Wireless Network Mode, the scenario specifically stated that you ONLY want to support 802.11g wireless devices on the network. Because the scenario also stated that you must use a non-overlapping channel, you must choose from channels 1, 5, 9, or 13 for an 802.11g network. Because channels 1 and 9 are already in use and channel 13 is not an option on the router, you must use channel 5. Note that 80211b wireless networks have four non-overlapping channels: 1, 6, 11, and 14. Finally, the scenario stated that the network name should not be advertised, which means that the Wireless SSID Broadcast option should be set to Disable. For testing purposes, you should understand how to configure a wireless router. This includes setting the network mode, the SSID name, and the channel used. You should also understand how to enable/disable SSID broadcast and how to configure MAC filtering. Linksys has an online emulator that will allow you to view the different configurable screens for the various models. The link to the online emulator is given in the References section. When you access this site, you first select the model number you want to emulate. Then you will need to select the firmware version. The emulator will allow you to view all of the configurable screens for a Linksys wireless router. We suggest that you spend time familiarizing yourself with wireless configuration settings using this free tool. "

"You are trying to decide which type of intrusion detection system (IDS) you should deploy to improve network security. Match the IDS description from the left with their appropriate IDS type on the right. Missing Image"

"Explanation: The IDS types should be matched with the descriptions in the following manner: Behavior-based - An IDS that uses a learned activity baseline to identify intrusion attempts Signature-based - An IDS that maintains an attack profile database to identify intrusion attempts Host-based - An IDS that only monitors a single particular device for intrusion attempts Network-based - An IDS that monitors an entire network segment for intrusion attempts Many IDS solutions actually employ multiple types to provide the greatest protection. Keep in mind that an IDS only detects intrusion attempts and employs the configured alerts to ensure that the intrusion attempts is recorded and reported. An intrusion prevention system (IPS) detects the intrusions and carries out steps to prevent the attack from being successful. "

"Match the descriptions on the left with the cloud deployments on the right. Missing Image"

"Explanation: The cloud deployments should be matched with the descriptions in the following manner: Platform as a Service (PaaS) - Allows organizations to deploy Web servers, databases, and development tools in a cloud Software as a Service (SaaS) - Allows organizations to run applications in a cloud Infrastructure as a Service (IaaS) - Allows organizations to deploy virtual machines, servers, and storage in a cloud "

"Match the descriptions on the left with the network technologies on the right that it BEST matches. Missing image"

"Explanation: The network technologies should be matched with the descriptions in the following way: DMZ - A network that is isolated from other networks using a firewall VLAN - A network that is isolated from other networks using a switch NAT - A transparent firewall solution between networks that allows multiple internal computers to share a single Internet interface and IP address NAC - A network server that ensures that all network devices comply with an organization's security policy "

"You are responsible for managing the security for a network that supports multiple protocols. You need to understand the purpose of each of the protocols that are implemented on the network. Match each description with the protocol that it BEST fits. Missing Image"

"Explanation: The protocols should be matched with the descriptions in the following manner: SSH - A protocol that uses a secure channel to connect a server and a client SSL - A protocol that secures messages between the Application and Transport layer SCP - A protocol that allows files to be copied over a secure connection ICMP - A protocol used to test and report on path information between network devices"