Networking + 11
You work as a network administrator in an organization. The company has three locations. A user is unable to access a shared folder located on a desktop in another location. You try to ping the IP address of the desktop, but it fails. You are unable to ping any IP address from that subnet. What is the next step you should perform on your router? Verify the LAN interface status Check the MAC address table Check the IP routing table Verify the WAN interface status Check the ARP cache
Check the IP routing table
You are the network administrator of Virve Mobile Services. You as a network administrator must create user groups associated with the roles of a user as specified to you by the user's supervisor and assign privileges and permissions to each user group. Each user is assigned to a user group that matches a requirement for their job. Which of the following will you use in this scenario? SoD DAC RBAC SIEM
RBAC
Which security device relies on a TAP or port mirroring? a. NIDS b. HIPS c. FIM d. HIDS
a. NIDS An NIDS (network-based intrusion detection system) sits off to the side of network traffic and is sent duplicates of packets traversing the network from a switch configured with port mirroring or from a TAP device. An HIDS (host-based intrusion detection system) runs on a single computer to detect attacks to that one host. An HIDS solution might also include FIM (file integrity monitoring), which alerts the system of any changes made to files that shouldn't change, such as operating system files. Like HIDS, an HIPS (host-based intrusion prevention system) protects a specific host and doesn't need access to all network traffic.
Which authentication protocol is optimized for wireless clients? a. RADIUS b. Active Directory c. Kerberos d. TACACS+
a. RADIUS
Which access control technique is responsible for detection of an intruder who succeeds in accessing a network? a. Authentication b. Accounting c. Separation of duties d. Geofencing
b. Accounting
Robert has been working as a network analyst for IVB Solutions. The IT department has approached him to troubleshoot an error where they can successfully ping a host but are unable to connect with the same host using Telnet. Analyze what might be the problem in this scenario. This error is due to the implicit deny rule. The DAI configuration might be the cause. A misconfigured ACL could be the reason for this error. The error might be due to more tests which the router is scanning.
A misconfigured ACL could be the reason for this error. (access control list)
Which of the following is used to validate a client initially? (kerberos) AS KDC TGS SSO
AS (authentication service) Kerberos server runs two services: [ AS (authentication service)—Initially validates a client. In the carnival analogy, this would be the box office at the entrance gate. TGS (ticket-granting service)—Issues tickets to an authenticated client for access to services on the network. This would be the ticket booth inside the fairgrounds, where you show your wristband to get more tickets. ] KDC (Key Distribution Center)—The server that issues keys to clients during initial authentication SSO(single sign on)
Which of the following technologies act as an intermediary between the external and internal networks, screening all incoming and outgoing traffic? Firewall IDS Proxy server IPS
Proxy server
You as a network administrator plan on using an NIDS (network-based intrusion detection system) to protect your network. You plan on doing this by capturing all the traffic that will traverse your network. Which of the following will you use in such a scenario? TAP HIPS FIM SPAN
TAP
Neon Printers has set up a full network of laptops for the purpose of running multiple printing projects simultaneously. It has contracted Theo Solutions to provide network security solutions while protecting its network from certain traffic. Analyze which of the following is best applicable in this scenario. Using an HIDS Using a proxy server Using a host-based firewall Using a network-based firewall
Using a network-based firewall
Which authorization method will allow Nancy, a custodian, to access the company's email application but not its accounting system? a. Auditing b. Local authentication c. RBAC d. DAC
c. RBAC
Who is responsible for the security of hardware on which a public cloud runs? a. Both the cloud customer and the cloud provider b. It depends c. The cloud provider d. The cloud customer
c. The cloud provider
Which ACL rule will prevent pings from a host at 192.168.2.100? a. access-list acl_2 permit icmp any host 192.168.2.100 b. access-list acl_2 deny icmp any host 192.168.2.100 c. access-list acl_2 deny icmp host 192.168.2.100 any d. access-list acl_2 deny tcp host 192.168.2.100 host 192.168.2.1
c. access-list acl_2 deny icmp host 192.168.2.100 any
Which of the following commands is used to pair the class map to the policy map in CoPP (control plane policing)? class raguard ip dhcp snooping access-list
class
Which of the following is not one of the AAA services provided by RADIUS and TACACS+? a. Accounting b. Authorization c. Authentication d. Administration
d. Administration
Which firewall type can protect a home network from adult content not suitable for the family's children? a. Stateless firewall b. Host-based firewall c. Packet-filtering firewall d. Application layer firewall
d. Application layer firewall
Active Directory and 389 Directory Server are both compatible with which directory access protocol? a. RADIUS b. Kerberos c. AD DS d. LDAP
d. LDAP
Which device can be used to increase network performance by caching websites? a. Security group b. Firewall c. IDS d. Proxy server
d. Proxy server
What does a client present to a network server to access a resource on that server? (Kerberos) a. Ticket-Granting Ticket b. Key c. Principal d. Ticket
d. Ticket A ticket is a temporary set of credentials a client presents to network servers to prove its identity has been validated. A key belongs to the client or server and is used to initially validate their respective identities to each other during the authentication process to create a session. A principal is a Kerberos client or user. A TGT (Ticket-Granting Ticket) will expire within a specified amount of time and is used to request tickets in order to gain access to network services.
You have a complex network environment and have issues related to the routing of network traffic between hosts. Which of the following command will you use to troubleshoot this issue and verify how the packets are routed? ping traceroute show arp netstat -a route print
traceroute Traceroute is a very useful command to troubleshoot routing issues and verify the path between two connections. The traceroute command will give you the IP address of every host that the packets traverse across. The ping command is used to test the connectivity of a remote device and is not used to trace the route of packets. Show arp is an incorrect command. The route print command is used to display the routing table and not the route to a remote device. Netstat -a is used to verify open TCP and UDP ports.
Which of the following versions of SNMP are considered unsecure? [Choose all that apply] SNMPv1 SNMPv3 SNMPv2c SNMPv4
SNMPv1 SNMPv2c
You are working as a network engineer for Maywire Cables. The network administrator informs you to install a firewall that will manage each packet as a fresh connection irrespective of any connections that might be active at that moment. Which of the following will you choose? Host-based firewall Stateful firewall Stateless firewall Packet-filtering firewall
Stateless firewall
You have two users who work on the same floor and belong to the same department. The organization has strict rules implemented for printer access. One of the users is unable to access the printer but has access to the Internet. What should you check on your switch? LAN interface status VLAN assignment MAC address table Access lists
VLAN assignment If a user can access everything but the resources, it means that the user has a working network, but his system could be placed in the wrong VLAN on the switch. You will need to first verify the VLAN assignment of the port to which the user's computer is connected. since the user can access the Internet, the MAC address table and LAN interface status are not relevant to this issue. Access lists are filtering rules applied on routers and are not switch related.
Which of the following criteria can a packet-filtering firewall not use to determine whether to accept or deny traffic? a. Application data b. Destination IP address c. ICMP message d. SYN flags
a. Application data
Which policy ensures messages are discarded when they don't match a specific firewall rule? a. Implicit deny b. Implicit allow c. Explicit allow d. Explicit deny
a. Implicit deny
At what layer of the OSI model do proxy servers operate? a. Layer 7 b. Layer 3 c. Layer 2 d. Layer 4
a. Layer 7
Which principle ensures auditing processes are managed by someone other than the employees whose activities are being audited? a. Separation of duties b. Defense in depth c. Shared responsibility model d. Principle of least privilege
a. Separation of duties
What information in a transmitted message might an IDS use to identify network threats? a. Port mirroring b. Signature c. FIM d. ACL
b. Signature
Which two features on a switch or router are integrated into CoPP? Choose two. a. DHCP b. ICMP c. ACLs d. QoS
c. ACLs d. QoS
Which device would allow an attacker to make network clients use an illegitimate default gateway? a. Proxy server b. Network-based firewall c. DHCP server d. RA guard
c. DHCP server
You have empty ports on your switches, that is, no connected hosts. Which of the following are best practices to ensure that the empty ports are secure? Keep the ports up and running in default VLAN (VLAN 1) Move the ports from the default VLAN to a new, unused VLAN and then disable them Leave the ports in VLAN1 but disable them Keep the ports up and running but move it to a new VLAN that is not used for production
Move the ports from the default VLAN to a new, unused VLAN and then disable them
Which of the following is a form of authentication in which a client signs on one time to access multiple systems or resources? AS KDC TGS SSO
SSO
You are a network manager who wants to distribute sensitive privileges and responsibilities to different persons so that no single person can singlehandedly compromise the security of data and resources. Which authorization method will you apply in this scenario? RBAC DAC SoD MAC
SoD
Which of the following defenses addresses a weakness of IPv6? a. CoPP b. DHCP snooping c. RA guard d. DAI
c. RA guard
Which of the following ACL commands would permit web-browsing traffic from any IP address to any IP address? a. access-list acl_2 deny tcp host 2.2.2.2 host 3.3.3.3 eq www b. access-list acl_2 deny tcp any any c. access-list acl_2 permit icmp any any d. access-list acl_2 permit https any any
d. access-list acl_2 permit https any any
You have implemented your network with new managed switches. A user is experiencing periodical interruptions on the network. While pinging the main server, you notice that there is periodical packet loss. What could cause this problem? Broadcast storm Asymmetric routing Routing loop Problem with Internet access Collisions
Broadcast storm
You work in an organization as a network administrator. One of your new clients owns a hotel and has asked you to provide a single Internet connection for every room, but also ensure that the users are not visible to each other. Which technology on the switch will you use to meet the requirements stated in the scenario? Create a separate VLAN for every room Create one VLAN and connect all rooms to that VLAN Use Promiscuous ports Create Private VLANs
Create Private VLANs
You need to create an access list on your router to filter specific IP addresses and ports. You created entries with permit statements and deny statements. But you forget to add one specific deny statement to filter traffic from host A. How will this traffic be treated? Host A traffic will be permitted because, at the end of every access list, there is an implicit permit statement Host A traffic will be permitted because, at the end of every access list, there is an explicit permit statement Host A traffic will not be processed by this access list at all, so if nothing else is denying it, it will be permitted Host A traffic will be denied because, at the end of every access list, there is an implicit deny statement
Host A traffic will be denied because, at the end of every access list, there is an implicit deny statement
You have configured a new DHCP server and connected it to the network. There is connectivity to the server, but the clients in the network are unable to obtain IP addresses from the server. Which of the following enabled feature on the switch can cause this issue? Port-security DHCP Snooping Dynamic ARP Inspection IPv6 RA Guard
DHCP Snooping
You have configured a new web server in your network, which will be used only from the local network. You published the website on TCP port 8443 but are unable to access the website on that port from a client device. You are able to ping the server IP address and also have access to the server using a Remote Desktop Connection. What could be the cause of this issue? There is no static route pointing to the server on the router Microsoft Edge browser is configured incorrectly on the client device Server is placed in the wrong VLAN NAT is not configured correctly Windows firewall is enabled, and port 8443 is not allowing traffic
Windows firewall is enabled, and port 8443 is not allowing traffic If you are experiencing issues with applications running on a specific port and everything else related to that server is working, it is usually caused by a firewall running on that server. The server is placed locally and only accessible from the LAN network.The configuration of Microsoft Edge is not relevant to be able to access the web server on this specific port. The router does not need to be configured with a static route to point to the web server as it is internally hosted.