Chapter 8: Securing the Network Infrastructure
B. URL filtering A, C, and D are incorrect. A DMZ does not control access to web sites; it is a network hosting services to external users, and it exists between a private and public network. If a DNS server receives a specific DNS query that it cannot answer and DNS forwarding is configured, it will direct the query to DNS servers that can resolve the specific request. This will not prevent students from visiting malware web sites. 802.1x-compliant switches do not perform detailed packet analysis; they simply authenticate devices against an authentication server before granting network access.
A high school principal insists on preventing student access to known malware web sites. How can this be done? A. DMZ B. URL filtering C. DNS forwarding D. 802.1x-compliant switch
B. Loop protection A, C, and D are incorrect. Web application firewalls have nothing to do with switches; they monitor HTTP conversations to prevent inappropriate activity. SYN floods are not a result of improperly wired switches; they are specific to TCP. Router ACLs do not correct problems stemming from incorrectly linked switches.
A junior IT employee links three network switches together such that each switch connects to the two others. As a result, the network is flooded with useless traffic. What can prevent this situation? A. Web application firewall B. Loop protection C. SYN flood guard D. Router ACL
A. ACL B, C, and D are incorrect. A subnet cannot restrict network traffic. Routers can be used to divide larger networks into smaller subnets. The question specifically states configuring a router, and proxy servers should have routing disabled. Proxy servers do have the ability to limit network access from certain hosts, though. NAT routers do not restrict network traffic from certain hosts; instead, they use a single external IP address to allow many internal computers access to an external network.
A router must be configured to allow traffic only from certain hosts. How can this be accomplished? A. ACL B. Subnet C. Proxy server D. NAT
A. The student computer could link coffee shop patrons to the university network. B, C, and D are incorrect. Being connected to two networks simultaneously will not override a network's default gateway settings. There is no problem with encrypted data finding its way onto either network; only authorized parties can decrypt the transmissions.
A university student has a wired network connection to a restrictive university network. At the same time, the student is connected to a Wi-Fi hotspot for a nearby coffee shop that allows unrestricted Internet access. What potential problem exists in this case? A. The student computer could link coffee shop patrons to the university network. B. The student computer could override the university default gateway setting. C. Encrypted university transmissions could find their way onto the Wi-Fi network. D. Encrypted coffee shop transmissions could find their way onto the university network.
A. ACL B, C, and D are incorrect. Network access control (NAC) checks connecting stations (VPN, switch, Wi-Fi, and so on) to ensure they meet configured policies, such as having a firewall and antivirus solution running. 802.1x is a security standard that requires devices connecting to a network to be authenticated before allowing full network communication. Virtual local area networks (VLANs) create communication boundaries between network devices without the use of multiple routers.
Acme Inc. has hired you to implement security solutions as recommended by the findings of a network security audit. Currently, all users have Read access to project files on the main file server. Your configuration must ensure that only members of the Project Managers group have access to project files. What should you implement? A. ACL B. NAC C. 802.1x D. VLAN
C. 802.1x A, B, and D are incorrect. Access control lists (ACLs) are used to determine what actions a user can issue against a network resource such as a shared folder. Network access control (NAC) checks connecting stations (VPN, switch, Wi-Fi, and so on) to ensure they meet configured policies, such as having a firewall and antivirus solution running. Virtual local area networks (VLANs) create communication boundaries between network devices without the use of multiple routers.
Acme Inc. has hired you to implement security solutions as recommended by the findings of a network security audit. Currently, any station plugged into a switch can communicate on the network without any type of authentication. Acme Inc. would like to limit network communications by connecting stations until they have been authenticated. What should you implement? A. ACL B. NAC C. 802.1x D. VLAN
B. NAC A, C, and D are incorrect. Access control lists (ACLs) are used to determine what actions a user can issue against a network resource such as a shared folder. 802.1x is a security standard that requires devices connecting to a network to be authenticated before allowing full network communication. Virtual local area networks (VLANs) create communication boundaries between network devices without the use of multiple routers.
Acme Inc. has hired you to implement security solutions as recommended by the findings of a network security audit. Stations connecting to the network must have a host-based firewall enabled and must have an up-to-date antivirus solution installed. What should you implement? A. ACL B. NAC C. 802.1x D. VLAN
D. VLAN A, B, and C are incorrect. Access control lists (ACLs) are used to determine what actions a user can issue against a network resource such as a shared folder. Network access control (NAC) checks connecting stations (VPN, switch, Wi-Fi, and so on) to ensure they meet configured policies, such as having a firewall and antivirus solution running. 802.1x is a security standard that requires devices connecting to a network to be authenticated before allowing full network communication.
Acme Inc. has hired you to implement security solutions as recommended by the findings of a network security audit. Stations used by Accounting staff should not be able to communicate with other stations on the network. What should you implement? A. ACL B. NAC C. 802.1x D. VLAN
D. SYN flood protection A, B, and C are incorrect. Packet-filtering firewalls can allow or deny packets based on IP addresses, ports, protocol IDs, and so on, but they cannot prevent SYN floods. Proxy servers do not check for half-open TCP handshakes; they retrieve external content for internal clients. Antivirus software scans for malware, not DoS attacks.
An attacker sends thousands of TCP SYN packets with unreachable source IP addresses to a server. After consuming server resources with this traffic, legitimate traffic can no longer reach the server. What can prevent this type of attack? A. Packet-filtering firewall B. Proxy server C. Antivirus software D. SYN flood protection
C. LAN users can connect to external web servers. External users can use RDP to connect to LAN computers. A, B, and D are incorrect. FTP uses TCP ports 20 and 21. SMTP uses TCP port 25. IPSec uses UDP port 500 in addition to specific protocol IDs, which would have to be allowed through the firewall.
Based on the following LAN firewall rule set, choose the best description: Allow inbound TCP 3389 Allow outbound TCP 80 Allow outbound TCP 443 A. LAN users can connect to external FTP sites. External users can use RDP to connect to LAN computers. B. LAN users can connect to external SMTP servers. External users can use LDAP to connect to LAN computers. C. LAN users can connect to external web servers. External users can use RDP to connect to LAN computers. D. LAN users can connect to external proxy servers. External users can use IPSec to connect to LAN computers.
A. Virtualized networks C. Physically D. Air gap B is incorrect. Port mirroring sends all the data sent and received on a network switch to one switch port and is often used for network traffic monitoring.
How can different networks be segmented from one another? (Choose three.) A. Virtualized networks B. Port mirror C. Physically D. Air gap
B. A host-based firewall A, C, and D are incorrect. A network firewall can control communication, but it controls communication to the network, not a specific system. In this case, an IDS and IPS are not used, as the goal is to control communication, not monitor it.
Jeff, a senior security officer for Company XYZ, is responsible for ensuring systems meet certain security requirements. Jeff needs to ensure the security of the accounting systems by making sure that any systems running the accounting software have specific ports closed down. Which of the following should Jeff use? A. A host-based IDS B. A host-based firewall C. A network firewall D. A host-based IPS
A. Signature-based IDS B, C, and D are incorrect. Signature-based IDSes are less likely to have false positives because they identify suspicious traffic based on the signatures programmed into the product.
John has implemented an intrusion detection system that has identified suspicious traffic without the use of signatures. While responding to the event, John notices that the IDS has falsely identified the traffic as being suspicious. Which of the following devices does John need to configure to prevent additional false alarms? A. Signature-based IDS B. Anomaly-based IDS C. Anomaly-based IPS D. Host-based IDS
C. Sylvia must first log on to the domain. A, B, and D are incorrect. The question refers to a network, not a single device on a network.
Sylvia's workstation has been moved to a new cubicle. On Monday morning, Sylvia reports that even though the network card is plugged into the network jack, there is no link light on the network card. What is the problem? A. The workstation has an APIPA address. Issue the ipconfig / renew command. B. The default gateway has not been set. C. Sylvia must first log on to the domain. D. Since the MAC address has changed, switch port security has disabled the port.
D. HIPS A, B, and C are incorrect. A host-based intrusion detection system (HIDS) will identify suspicious activity against a specific system, but will not take corrective action to prevent the attack. NIDS and NIPS are network-based intrusion detection and prevention systems and are not designed to prevent attacks against a specific system.
The Information System Security Officer (ISSO) for the organization is concerned that attacks against the web server will be successful if the hacker has an unlimited number of attempts. Which of the following is designed to stop attacks on a specific server? A. HIDS B. NIDS C. NIPS D. HIPS
D. Screened-host A, B, and C are incorrect. Packet-filtering and application-layer firewalls are types of firewalls and not topologies. A dual-homed firewall is a system that has two network cards installed and firewall software installed on the system.
What firewall topology typically involves having a router placed between the firewall and the Internet? A. Packet-filtering B. Application-layer C. Dual-homed D. Screened-host
C. NAT A, B, and D are incorrect. IPSec provides a means of encrypting and digitally signing network packets and has nothing to do with translating IP addresses. DHCP and a NIDS do not use a single IP address on behalf of internal computers. DHCP provides a valid TCP/IP configuration for network nodes. A NIDS analyzes network traffic to identify and report network attacks and can run in-band with the network or out-of-band.
What technology uses a single external IP address to represent many computers on an internal network? A. IPSec B. DHCP C. NAT D. NIDS
A. Sensors B, C, and D are incorrect. Data leakage prevention (DLP) is used to prevent sensitive corporate information from leaving the organization. A Distributed Denial of Service (DDoS) mitigator is a device used to resist the effect of a DDoS and prevent the targeted system from being overwhelmed. A flood guard is a type of DDoS mitigator.
What type of device is used to monitor the physical environment in which the network is housed? A. Sensors B. DLP C. DDoS mitigator D. A flood guard
B. Proxy A, C, and D are incorrect. Network address translation (NAT) is used to hide the systems on the private network behind the NAT device by sharing a single public address. Network access control (NAC) is a feature of networking that allows you to control which systems can connect to the wired or wireless network. VLANs are a feature of a switch that allow you to create communication boundaries on the switch.
What type of system is typically used to monitor and control which web sites a user visits and can block content based on information in the content being accessed? A. NAT B. Proxy C. NAC D. VLAN
A. IPS B, C, and D are incorrect. Like an IPS, an intrusion detection system (IDS) monitors network or system activity for irregular activity, but it does not attempt to stop this activity. IP Security (IPSec) provides data confidentiality and integrity to network transmissions and does not detect or prevent intrusions. A DMZ does not detect or prevent attacks; it is a network segment hosting services (and ideally an IPS) that are accessible to an untrusted network.
What will detect a network or host intrusion and take action to prevent the intrusion from succeeding? A. IPS B. IDS C. IPSec D. DMZ
C. NAC A, B, and D are incorrect. Network address translation (NAT) is used to hide the systems on the private network behind the NAT device by sharing a single public address. A proxy server can be used to send requests to the Internet on behalf of the user, while the administrator monitors and filters requests at the proxy server. VLANs are a feature of a switch that allow you to create communication boundaries on the switch.
When a system is connected to a network, the system is checked to ensure that it has recent patches and virus definitions before allowing the system to communicate on the network. What service could be used to do this? A. NAT B. Proxy C. NAC D. VLAN
C. VPN concentrator A, B, and D are incorrect. Forward proxy servers do not encrypt or decrypt network traffic; they retrieve content based on client requests. IPSec is not a network device; it is a software method of encrypting and digitally signing packets. Trusted Platform Module (TPM) is a chip storing keys or passphrases used to encrypt and decrypt disk contents, not network traffic.
Which network device encrypts and decrypts network traffic over an unsafe network to allow access to private LANs? A. Proxy server B. IPSec C. VPN concentrator D. TPM
C. Engine A, B, and D are incorrect. A sensor is responsible for capturing the traffic and sending the traffic to the analysis engine. Notification may be the result of the engine identifying suspicious traffic. The signature database is a database of known attacks and is used to identify suspicious traffic.
Which network-based IDS component is responsible for analyzing the traffic against the signatures? A. Sensor B. Notification C. Engine D. Signature database
B. Bridge D. Aggregation switch A and C are incorrect. A correlation engine is an application that detects questionable and actionable activities on a network using analytics and algorithms. A load balancer is used to distribute network traffic over multiple servers or network connections to increase application or service performance.
Which of the following are network connectivity devices? (Choose two.) A. Correlation engine B. Bridge C. Load balancer D. Aggregation switch
A. The NAT client is unaware of address translation. C. Internet hosts are unaware of address translation. B and D are incorrect. NAT is transparent to clients and Internet hosts.
Which of the following are true regarding NAT? (Choose two.) A. The NAT client is unaware of address translation. B. The NAT client is aware of address translation. C. Internet hosts are unaware of address translation. D. NAT provides a layer.
D. Can filter traffic based on the context of the conversation A, B, and C are incorrect. Although a stateful packet inspection firewall can filter traffic based on source/destination IP address and source/destination port number (packet filtering firewalls can do that as well), what makes it unique is understanding the context of the conversation. An application-layer firewall can filter traffic based on the application data (also known as the payload).
Which of the following identifies the benefit of a stateful packet inspection firewall? A. Can filter traffic based on the source and destination IP address B. Can filter traffic based on the source and destination port number C. Can filter traffic based on the application data D. Can filter traffic based on the context of the conversation
D. Set a password on the device. A, B, and C are incorrect. They do not represent the first thing you should do with a new device.
Which of the following represents the first thing you should do after purchasing a wireless router? A. Disable DHCP. B. Configure proxy rules. C. Configure VLANs. D. Set a password on the device.
C. Block network traffic unless specifically permitted. A, B, and D are incorrect. Specifically allowing network traffic is an example of an explicit allowance. Specifically blocking outbound traffic is an example of an explicit deny. Allowing traffic to pass unless specifically forbidden is an implicit allowance.
Which of the following scenarios best describes an implicit deny? A. Allow network access if it is 802.1x authenticated. B. Block outbound network traffic destined for TCP port 25. C. Block network traffic unless specifically permitted. D. Allow network traffic unless specifically forbidden.
B. Sniffer D. NIDS A and C are incorrect. Port scanners identify running services on network hosts. Port scanners do not analyze all network traffic; they are directed to scan one or more hosts. A DMZ does not analyze network traffic, although sniffers and NIDSs are important to use in a DMZ. A DMZ is a network containing hosts that are accessible to external users. Firewalls limit access from the DMZ to internal resources.
Which technologies enable analysis of network traffic? (Choose two.) A. Port scanner B. Sniffer C. DMZ D. NIDS
C. Protocol analyzer A, B, and D are incorrect. The question refers to capturing and viewing traffic, not scanning the network for vulnerable hosts. Port scanning identifies services running on a host, but it does not capture network traffic. NAT connects internal computers to an external network using a single IP address.
Which tool would enable you to capture and view network traffic? A. Vulnerability scanner B. Port scanner C. Protocol analyzer D. NAT
B. Application-layer A, C, and D are incorrect. A packet-filtering router filters traffic based on the source/destination IP address and the source/destination port number. A stateful packet inspection firewall can filter traffic based on the IP address and port information, but also understands if a packet is received out of context. A screened-host firewall is a topology and not a type of firewall.
Which type of firewall has the capabilities to inspect the payload of a packet to determine if the content is allowed to pass through the firewall? A. Packet-filtering B. Application-layer C. Stateful packet inspection D. Screened-host
C. Proxy server A, B, and D are incorrect. Dynamic Host Configuration Protocol (DHCP) provides to clients a valid IP address, subnet mask, default gateway, Domain Name System (DNS) server, and so on; there is no mechanism for authentication. Network Address Translation (NAT) uses a single public IP address to represent all internal computers. Like DHCP, NAT does not authenticate connections. Switches isolate network conversations between hosts and track which computers are plugged into which switch port using the machine's MAC address on both layer 2 and layer 3 switches.
You are a guest at a hotel offering free Wi-Fi Internet access to guests. You connect to the wireless network at full signal strength and obtain a valid TCP/IP configuration. When you try to access Internet web sites, a web page displays instead asking for a code before allowing access to the Internet. What type of network component is involved in providing this functionality? A. DHCP server B. NAT C. Proxy server D. Switch
D. Check your junk mail; anti-spam software sometimes incorrectly identifies legitimate mail as spam. A, B, and C are incorrect. Although mail servers can hold e-mail until a user cleans out her mailbox, this is not as likely as the message having been flagged by anti-spam software. DLP would not be triggered by routine documentation. Encryption, such as PGP, is very unlikely to fail and would provide an error message to the user if it did.
You are a sales executive for a real estate firm. One of your clients calls you wondering why you have not e-mailed her critical documentation regarding a sale. You check your mail program to verify the message was sent two days ago. You also verify the message was not sent back to you as undeliverable. You tell your client that you did in fact send the message. What should you next tell your client? A. Clean your mailbox; there is no room for new incoming mail. B. DLP prevented the e-mail from being sent. C. Encryption of the e-mail failed and the message wasn't sent. D. Check your junk mail; anti-spam software sometimes incorrectly identifies legitimate mail as spam.
C. Change the admin password. A, B, and D are incorrect. MAC address filtering controls which wireless devices can connect to a wireless network, but it would not prevent admin access to a wireless router using a default admin password. Disabling SSID broadcasting prevents wireless clients from seeing the wireless network name when they are within range, but it does not prevent admin access to an unsecured wireless router. Encrypting wireless network traffic with WPA might secure wireless traffic, but it does not secure the wireless router itself.
You are an IT network consultant. You install a new wireless network for a hotel. What must you do to prevent wireless network users from gaining administrative access to wireless routers? A. Apply MAC filtering. B. Disable SSID broadcasting. C. Change the admin password. D. Enable WPA.
A. The IP address might be that of a NAT router or a proxy server. C. IP addresses can be traced to a regional ISP. B and D are incorrect. IP addresses can be spoofed easily with freely available software. Packets with spoofed source IP addresses will reach their destination, but responses will not reach the originator; instead, they will go to the spoofed IP address. Most networks around the planet have a NAT router (or multiple layers of NAT routers) to allow internal clients using a nonunique IP address access to the Internet. The NAT router modifies the source IP address in outbound packets to be that of its public interface, and it tracks this change so that any responses to the sent packet can be delivered to the internal client.
You are an IT specialist with a law enforcement agency. You have tracked illegal Internet activity down to an IP address. Detectives would like to link a person to the IP address in order to secure an arrest warrant. Which of the following are true regarding this situation? (Choose two.) A. The IP address might be that of a NAT router or a proxy server. B. The IP address could not have been spoofed; otherwise, it would not have reached its destination. C. IP addresses can be traced to a regional ISP. D. IP addresses are unique for every individual device connecting to the Internet.
D. DMZ A, B, and C are incorrect. A LAN would allow customer access to internal computers and is therefore incorrect. Ports 24 and 1 on a switch generally have no special DMZ meaning any more than any other port does, although some network devices do have special designated DMZ ports.
You are configuring a wireless router at a car repair shop so that waiting customers can connect to the Internet. You want to ensure that wireless clients can connect to the Internet but cannot connect to internal computers owned by the car repair shop. Where should you plug in the wireless router? A. LAN B. Port 24 on the switch C. Port 1 on the switch D. DMZ
iptables
You are configuring inbound firewall rules on a Linux host. Which command-line tool would you use?
netsh
You are configuring inbound firewall rules on a Windows host. Which command-line tool would you use?
C. ESP A, B, and D are incorrect. AH can provide authentication and data integrity, IKE is the key exchange protocol, and PPTP is not an IPSec protocol.
You are looking to use IPSec to provide encryption, authentication, and data integrity services. Which IPSec protocol would you use? A. AH B. IKE C. ESP D. PPTP
D. Create a voice VLAN. Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) are protocols used by Voice over IP (VoIP). It is a common security practice to create a separate VLAN for the VoIP traffic on the network in order to partition that traffic from other network traffic. A, B, and C are incorrect. They are not common practices to deal with VoIP traffic.
You are monitoring network traffic on the LAN and notice a large number of packets that use the SIP and RTP protocols. Which of the following would you use to segment that traffic on the LAN? A. Create a DMZ. B. Configure NAT. C. Implement an NIPS. D. Create a voice VLAN.
C. TFTP is an insecure protocol. A, B, and D are incorrect. Telnet was not implied in the question. Secure Shell (SSH) uses TCP port 22.
You are reviewing router configurations to ensure they comply with corporate security policies. You notice the routers are configured to load their configurations using TFTP and also that TCP port 22 is enabled. What security problem exists with these routers? A. Telnet should be disabled. B. Telnet should have a password configured. C. TFTP is an insecure protocol. D. Telnet should limit concurrent logins to 1.
D. deny tcp any any port 53 A, B, and C are incorrect. Choice A is a rule that would block all TCP/IP traffic, while choice B would block DNS queries from clients. Choice C would block SMTP traffic.
You are the firewall administrator for Company XYZ and need to ensure that DNS zone transfers are blocked at the firewall. Which of the following rules would you use? A. deny ip any any B. deny udp any any port 53 C. deny tcp any any port 25 D. deny tcp any any port 53
A. DLP B, C, and D are incorrect. NAC would be used to check the health of a system before it is allowed to connect to the network. NAT would be used to hide the internal address scheme of the network. A VPN would be used to encrypt communication across an untrusted network.
You are the security administrator for your company and you would like to prevent employees from e-mailing sensitive data to their personal e-mail accounts. How would you do this? A. DLP B. NAC C. VPN D. NAT
D. Use VLANs on the switch A, B, and C are incorrect. Choice A is close to the correct answer because getting separate switches for the accounting systems will work, but unfortunately, you are spending money when the goal can be accomplished with VLANs. The same point can be made about the router choice (B)—although it will work, it comes with the expense of purchasing more hardware. This question has nothing to do with proxy servers (C).
You have a small network with all servers and workstations connected to a single switch. Your manager would like to ensure that no system outside the systems in the accounting department can communicate with the accounting server. What would you do? A. Get another switch and connect the accounting systems to that switch. B. Get a router and create two networks. C. Get a proxy server to control communication. D. Use VLANs on the switch.
A. VLAN B, C, and D are incorrect. A DMZ does not isolate departmental traffic; it is a network between a private LAN and an unsafe external network such as the Internet. Network services such as e-mail or web servers that must be reachable from the external network reside in the DMZ. Network services on the private LAN are kept unreachable from the external network. NAT devices are not designed to separate busy networks; they are designed to allow many internal computers access to an external network using only one IP address. VPNs allow external connectivity to a private LAN over an untrusted network such as the Internet via an encrypted data stream, but they are not used to separate networks to increase throughput.
You have been asked to somehow separate Engineering departmental network traffic from Accounting departmental traffic because of a decrease in network throughput. What should you use? A. VLAN B. DMZ C. NAT D. VPN
B. Heuristic A, C, and D are incorrect. Anomaly-based analysis is when a baseline of normal activity is determined, and anything outside that normal activity is considered suspicious. Passive is not an analysis method. Signature-based analysis uses a database of known suspicious activity to identify suspicious traffic.
You have intrusion detection software that can monitor the activity and identify suspicious activity based on past experience. What type of analysis is being performed? A. Anomaly B. Heuristic C. Passive D. Signature
C. SSL/TLS accelerator A, B, and D are incorrect. SDN (software-defined networking) is a method of networking that allows network administrators to control network behavior programmatically or through a simple interface and is used often with cloud computing. An SSL decryptor is a device that decrypts packets encrypted with SSL to allow network devices to read the contents of the packets. A bigger hard drive would not speed up the server's encryption speed.
You have noticed that a server has slowed down considerably since encryption was enabled for its outbound traffic. Which of the following is the best solution to speed up the server? A. SDN B. SSL decryptor C. SSL/TLS accelerator D. A bigger hard drive
C. Web security gateway A, B, and D are incorrect. NAT does not support content filtering or virus protection; it merely analyzes and modifies packet headers. A host-based intrusion prevention system (HIPS) detects and stops attacks on a computer system and does not monitor the content of LAN network traffic. Packet-filtering firewalls look only at packet headers to allow or deny traffic; they do not analyze packet payloads.
You must purchase a network device that supports content filtering and virus defense for your LAN. What should you choose? A. NAT router B. HIPS C. Web security gateway D. Packet-filtering firewall
C. 802.1x-compliant switch A, B, and D are incorrect. A VPN device allows remote access to a LAN, not local access. Routers do not authenticate devices. LAN access is needed before connecting to a proxy server.
You need a method of authenticating Windows workstations before allowing local LAN access. What should you use? A. VPN concentrator B. Router C. 802.1x-compliant switch D. Proxy server
D. Honeypot A, B, and C are incorrect. The question states a single computer was configured, not an entire network. A logging server would never be left intentionally unpatched. An exploit takes advantage of a vulnerability. An intentional vulnerability has been created, but not an exploit.
You suspect malicious activity on your DMZ. In an effort to identify the offender, you have intentionally configured an unpatched server to attract further attention. What term describes what you have configured? A. Honeynet B. Logging server C. Exploit D. Honeypot
B. Encrypted packet headers could prevent outbound traffic from leaving the internal network. A, C, and D are incorrect. Packet-filtering firewalls do not examine the payload of each packet, and assuming only the payload is encrypted, the traffic will not be affected. Packet-filtering firewalls do not examine packet payload, only the headers. The question discusses encrypting internal traffic; there is no mention of allowing inbound encrypted traffic.
Your IT security director asks you to configure packet encryption for your internal network. She expresses concerns about how existing packet-filtering firewall rules might affect this encrypted traffic. How would you respond to her concerns? A. Encrypted packets will not be affected by existing packet-filtering firewall rules. B. Encrypted packet headers could prevent outbound traffic from leaving the internal network. C. Encrypted packet payloads will prevent outbound traffic from leaving the internal network. D. Inbound encrypted traffic will be blocked by the firewall.
A. False positive B, C, and D are incorrect. Explicit false and implicit false are not terms commonly used in IT security. False negatives mean no problem is stated as existing when in fact one does exist. The question states the exact opposite.
Your NIDS incorrectly reports legitimate network traffic as being suspicious. What is this known as? A. False positive B. Explicit false C. False negative D. Implicit false
B. Media gateway A, C, and D are incorrect. A hardware security module (HSM) stores and handles PKI key pairs. An ad hoc network enables devices to communicate without any preexisting infrastructure to support it. A site-to-site VPN connection would not work, because the data needs to be converted for the Ethernet network.
Your boss approaches you about attaching the PBX system to the Ethernet network. Which device would allow this? A. Hardware security module B. Media gateway C. An ad hoc network D. A site-to-site VPN connection
A. Web application firewall B, C, and D are incorrect. Protocol analyzers can capture network traffic and generate reports, but they do not block any type of traffic. Packet-filtering firewalls do not perform deep packet inspection—that is, they examine only packet headers and not packet payloads, which is where HTTP content exists. Layered security, also known as defense in depth, uses network firewalls, IDSs, host-based firewalls, and so on, to provide multiple layers of security.
Your boss asks that specific HTTP traffic be monitored and blocked. What should you use? A. Web application firewall B. Protocol analyzer C. Packet-filtering firewall D. Layered security/defense in depth
B. NAC A, C, and D are incorrect. A NIDS analyzes network packets looking for abnormal activity; it does not check whether connecting devices meet compliance requirements. VLANs do not verify client compliance; they segment larger broadcast domains into smaller ones to maximize network throughput. A HIDS seeks problems by analyzing data received by a host as well as its logs and local activity.
Your corporate network access policy states that all connecting devices require a host-based firewall, an antivirus scanner, and the latest operating system updates. You would like to prevent noncompliant devices from connecting to your network. What solution should you consider? A. NIDS B. NAC C. VLAN D. HIDS
A. Anomaly B, C, and D are incorrect. Heuristic analysis is when the IDS identifies suspicious events based on past experience. Passive is not an analysis method. Signature-based analysis uses a database of known suspicious activity to identify suspicious traffic.
Your intrusion detection software uses a baseline, and any activity outside that baseline is considered suspicious traffic. What type of analysis is being performed? A. Anomaly B. Heuristic C. Passive D. Signature
B. Segment into different zones. A, C, and D are incorrect. NAC would be used to check the health of a system before it is allowed to connect to the network. NAT would be used to hide the internal address scheme of the network, and DLP policies would be used to ensure that employees are not leaking sensitive data.
Your manager approaches you and is concerned that customers who visit and connect to the wireless guest SSID will be able to access corporate data and assets. What security solution would you recommend? A. Implement network access control. B. Segment into different zones. C. Install network address translation. D. Use data loss prevention policies.
C. Update the firmware. A, B, and D are incorrect. They will not necessarily help against vulnerabilities that the firmware is exposing the device to.
Your manager is concerned about the vulnerabilities that may exist with a specific switch that was purchased for the office network. What can you do to ensure that you are protected from known vulnerabilities? A. Enable the firewall. B. Configure logon hours. C. Update the firmware. D. Configure VLANs.
B. Site-to-site VPN A, C, and D are incorrect. Full tunnel is when the client cannot access network resources while the VPN client software is running. Split tunnel is when the client can access the Internet through the LAN but also access corporate resources through the VPN. Remote access VPN is the opposite of site-to-site VPN and would require each client to have VPN software to create their own encrypted tunnel to the destination.
Your manager would like to implement a VPN solution that encrypts all communication that travels across the Internet between the two office locations with minimal configuration on each client. What would you recommend? A. Full tunnel B. Site-to-site VPN C. Remote access VPN D. Split tunnel
