Security+ Chapter 3 Practice


10. You need to divide a single Class B IP address range into several ranges. What would you do? A. Subnet the Class B IP address range. B. Create a virtual LAN. C. Create a DMZ. D. Implement STP.

A. You can divide any classful IP address range by subnetting it. This breaks up a larger range of IP addresses into smaller network segments or blocks of IP addresses. A virtual local area network (VLAN) divides groups of computers logically, but doesn't use IP ranges. A demilitarized zone (DMZ) is a buffered zone between a protected network and a public network. Spanning Tree Protocol (STP) prevents looping problems caused by incorrect cabling.
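As an added worked example (not part of the original study set), the following Python uses the standard-library ipaddress module to carry out the subnetting described in the answer: it borrows host bits from a Class B block to produce the smallest power of two of equal subnets that covers the number of segments needed, documents each resulting subnet, and locates the subnet a given host falls in. The 172.16.0.0/16 range, the six-segment requirement and the sample host address are constructed for illustration.

```python
from __future__ import annotations

import ipaddress

# Constructed example: 172.16.0.0/16 is a private Class B block (RFC 1918),
# used here only to illustrate the subnetting arithmetic.
CLASS_B = "172.16.0.0/16"


def prefix_for_subnets(network: str, needed: int) -> int:
    """Prefix length that yields at least `needed` equal subnets of `network`.

    Subnetting borrows host bits: borrowing b bits gives 2**b subnets, so the
    smallest b with 2**b >= needed is ceil(log2(needed)).
    """
    if needed < 1:
        raise ValueError("needed must be >= 1")
    net = ipaddress.ip_network(network, strict=True)
    borrowed = (needed - 1).bit_length()  # ceil(log2(needed)); 0 when needed == 1
    new_prefix = net.prefixlen + borrowed
    # /31 and /32 have no broadcast/usable-host split, so refuse to go that far.
    if new_prefix > net.max_prefixlen - 2:
        raise ValueError(f"{network} cannot be split into {needed} usable subnets")
    return new_prefix


def subnet_range(network: str, needed: int) -> list[ipaddress.IPv4Network]:
    """Divide `network` into 2**b equal subnets, the smallest power of two >= needed."""
    net = ipaddress.ip_network(network, strict=True)
    return list(net.subnets(new_prefix=prefix_for_subnets(network, needed)))


def describe(subnet: ipaddress.IPv4Network) -> dict[str, object]:
    """Document one subnet the way an administrator would record it."""
    return {
        "network": str(subnet),
        "mask": str(subnet.netmask),
        "first_host": str(subnet.network_address + 1),
        "last_host": str(subnet.broadcast_address - 1),
        "broadcast": str(subnet.broadcast_address),
        "usable_hosts": subnet.num_addresses - 2,
    }


def find_subnet(subnets: list[ipaddress.IPv4Network], host: str) -> ipaddress.IPv4Network | None:
    """Return the subnet that contains `host`, or None if it lies outside all of them."""
    addr = ipaddress.ip_address(host)
    for subnet in subnets:
        if addr in subnet:
            return subnet
    return None


if __name__ == "__main__":
    subnets = subnet_range(CLASS_B, 6)  # six segments needed -> /19 gives eight
    for s in subnets:
        print(describe(s))
    print(find_subnet(subnets, "172.16.200.10"))
```

Because subnets come in powers of two, asking for six segments yields eight /19 networks; the spare two are simply reserved for growth, which is the usual outcome of a subnetting design.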

9. Lisa wants to manage and monitor the switches and routers in her network. Which of the following protocols would she use? A. Telnet B. SSH C. SNMP D. DNS

C. Simple Network Management Protocol version 3 (SNMPv3) monitors and manages network devices. She can use Telnet to connect to the devices, but not monitor them. Secure Shell (SSH) is a more secure alternative than Telnet, but it cannot monitor the devices either. Domain Name System (DNS) provides name resolution services.

8. You need to enable the use of NetBIOS through a firewall. Which ports should you open? A. 137 through 139 B. 20 and 21 C. 80 and 443 D. 22 and 3389

A. Network Basic Input/Output System (NetBIOS) uses ports 137 through 139. File Transfer Protocol (FTP) uses ports 20 and 21. Hypertext Transfer Protocol (HTTP) uses port 80 and HTTP Secure (HTTPS) uses port 443. You can connect to remote systems with Secure Shell (SSH) using port 22, and Remote Desktop Protocol (RDP) using port 3389.

2. What is the default port for SSH? A. 22 B. 23 C. 25 D. 80

A. Secure Shell (SSH) uses Transmission Control Protocol (TCP) port 22 by default, and it is commonly used with other protocols, such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP). Telnet uses port 23. SMTP uses port 25. HTTP uses port 80.

5. Your organization is planning to establish a secure link between one of your mail servers and a business partner's mail server. The connection will use the Internet. What protocol is the BEST choice? A. TLS B. SMTP C. HTTP D. SSH

A. Transport Layer Security (TLS) is a good choice to create a secure connection between two systems over the Internet. Although the mail servers will likely exchange mail using Simple Mail Transfer Protocol (SMTP), SMTP by itself will not create a secure link. Similarly, Hypertext Transfer Protocol (HTTP) doesn't create a secure link. Although Secure Shell (SSH) creates a secure connection, it isn't used with SMTP.

17. Your organization wants to combine some of the security controls used on the network. What could your organization implement to meet this goal? A. SSO B. UTM C. VPN D. VLAN

B. A unified threat management (UTM) device combines multiple security controls into a single device. Single sign-on allows users to sign on once and access multiple resources without signing on again. Users can access a private network over a public network via a virtual private network (VPN). You can configure a virtual local area network (VLAN) on a switch to group computers together logically.

12. Your organization is increasing security and wants to prevent attackers from mapping out the IP addresses used on your internal network. Which of the following choices is the BEST option? A. Implement subnetting. B. Implement secure zone transfers. C. Block outgoing traffic on UDP port 53. D. Add a WAF.

B. Implementing secure zone transfers on internal Domain Name System (DNS) servers, that is, restricting zone transfers to authorized secondary servers, prevents attackers from downloading zone data and using it to map out IP addresses and devices. Subnetting divides classful IP address ranges into smaller subnets, but it doesn't prevent attacks. DNS name resolution queries use UDP port 53, so blocking outgoing traffic on UDP port 53 would prevent internal users from resolving names on the Internet. A web application firewall (WAF) protects a web server.

19. Network administrators connect to a legacy server using Telnet. They want to secure these transmissions using encryption at a lower layer of the OSI model. What could they use? A. IPv4 B. IPv6 C. SSH D. SFTP

B. IPsec is part of the IPv6 protocol suite (support for it was originally mandatory in the IPv6 specification), so IPv6 is the best choice here, and it operates at Layer 3 of the Open Systems Interconnection (OSI) reference model, below the Telnet session. IPv4 can also use IPsec, but only as an optional extension added after the fact rather than as a native part of the protocol. Although you can use Secure Shell (SSH) instead of Telnet, both operate at Layer 7 of the OSI model. Secure File Transfer Protocol (SFTP) encrypts files in transit over SSH, but it doesn't encrypt Telnet traffic.

1. What protocol does IPv6 use for hardware address resolution? A. ARP B. NDP C. RDP D. SNMP

B. IPv6 uses the Neighbor Discovery Protocol (NDP) to resolve IPv6 addresses to media access control (MAC) addresses (also called hardware addresses). IPv4 uses the Address Resolution Protocol (ARP) to resolve IPv4 addresses to MAC addresses. Remote Desktop Protocol (RDP) is used to connect to remote systems over TCP port 3389. Administrators use Simple Network Management Protocol (SNMP) to monitor and manage network devices.

7. You need to prevent the use of TFTP through your firewall. Which port would you block? A. TCP 69 B. UDP 69 C. TCP 21 D. UDP 21

B. You should block UDP port 69 to block Trivial File Transfer Protocol (TFTP). TFTP does not use TCP. File Transfer Protocol (FTP) uses TCP port 21.

16. Your organization wants to prevent users from accessing file sharing web sites. Which of the following choices will meet this need? A. Content inspection B. Malware inspection C. URL filter D. Web application firewall

C. A URL filter blocks access to specific web sites based on their URLs. Proxy servers and unified threat management (UTM) devices include URL filters. UTM devices include content inspection to identify and filter out different types of files and traffic, and malware inspection to identify and block malware. A web application firewall (WAF) protects a web server from incoming attacks.

18. Your organization hosts a web server and wants to increase its security. You need to separate all web-facing traffic from internal network traffic. Which of the following provides the BEST solution? A. VLAN B. Firewall C. DMZ D. WAF

C. A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server's web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created on switches in the internal network. A firewall does provide protection for the web server, but doesn't necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic.

20. Which of the following operates on the HIGHEST layer of the OSI model, and is the most effective at blocking application attacks? A. IDS B. Router C. WAF D. Stateless firewall

C. A web application firewall (WAF) operates on multiple layers up to Layer 7 of the OSI reference model and blocks attacks against a web server. An intrusion detection system (IDS) also operates on multiple layers up to Layer 7 of the OSI model; however, it is more effective at detecting attacks than blocking them. A router operates on Layer 3 of the OSI model and it can perform packet filtering. A stateless firewall only performs packet filtering and isn't effective against Application layer attacks.

14. Your organization frequently has guests visiting in various conference rooms throughout the building. These guests need access to the Internet via wall jacks, but should not be able to access internal network resources. Employees need access to both the internal network and the Internet. What would BEST meet this need? A. PAT and NAT B. DMZ and VPN C. VLANs and 802.1x D. Routers and Layer 3 switches

C. 802.1X provides port-based network access control: the switch port authenticates the client (typically against a RADIUS server) before it passes the client's traffic. Clients that cannot authenticate (the guests in this scenario) can be placed in a guest virtual local area network (VLAN) that grants them Internet access, but not access to the internal network. None of the other solutions provides port security or adequate network separation. Port Address Translation (PAT) and Network Address Translation (NAT) each translate private IP addresses to public IP addresses. A demilitarized zone (DMZ) provides a buffer zone between a public network and a private network for public-facing servers. A virtual private network (VPN) provides access to a private network via a public network. Routers work on Layer 3, and Layer 3 switches mimic some of the functionality of routers.

11. You need to reboot your DNS server. Of the following choices, which type of server are you MOST likely to reboot? A. Unix server B. Apache server C. BIND server D. Web server

C. Berkeley Internet Name Domain (BIND) is a type of Domain Name System (DNS) software commonly used on the Internet and in some internal networks, so a BIND server is a DNS server. BIND runs on Unix servers, but not all Unix servers are BIND servers. Apache is a type of web server software that runs on Unix and Linux systems.

4. You need to send several large files containing proprietary data to a business partner. Which of the following is the BEST choice for this task? A. FTP B. SNMP C. SFTP D. SSH

C. Secure File Transfer Protocol (SFTP) is the best choice: it transfers large files and protects them with Secure Shell (SSH) encryption on TCP port 22. Note that SFTP is a separate file transfer protocol carried over SSH, not FTP tunneled through SSH. File Transfer Protocol (FTP) sends data and credentials in cleartext and is not suitable for proprietary data. Simple Network Management Protocol (SNMP) is used to manage network devices. SSH alone provides an encrypted channel for other protocols, but it is not itself a file transfer protocol; SFTP is the SSH-based protocol for that purpose.

3. You are configuring a host-based firewall so that it will allow SFTP connections. Which of the following is required? A. Allow UDP 21 B. Allow TCP 21 C. Allow TCP 22 D. Allow UDP 22

C. You should create a rule to allow traffic using Transmission Control Protocol (TCP) port 22. Secure File Transfer Protocol (SFTP) uses Secure Shell (SSH) on TCP port 22. FTP uses TCP port 21. SSH does not use UDP.

6. You recently learned that a network router has TCP ports 22 and 80 open, but the organization's security policy mandates that these should not be accessible. What should you do? A. Disable the FTP and HTTP services on the router. B. Disable the DNS and HTTPS services on the router. C. Disable the SSH and HTTP services on the router. D. Disable the Telnet and Kerberos services on the router.

C. You should disable the Secure Shell (SSH) and Hypertext Transfer Protocol (HTTP) services because they use TCP ports 22 and 80 by default. File Transfer Protocol (FTP) uses ports 20 and 21. Domain Name System (DNS) uses port 53. Telnet uses port 23. Kerberos uses port 88.

15. Your network currently has a dedicated firewall protecting access to a web server. It is currently configured with the following two rules in the ACL along with an implicit allow rule at the end:

PERMIT TCP ANY ANY 443
PERMIT TCP ANY ANY 80

You have detected DNS requests and zone transfer requests coming through the firewall and you need to block them. Which of the following would meet this goal? (Select TWO. Each answer is a full solution.) A. Add the following rule to the firewall: DENY TCP ALL ALL 53. B. Add the following rule to the firewall: DENY UDP ALL ALL 53. C. Add the following rule to the firewall: DENY TCP ALL ALL 25. D. Add the following rule to the firewall: DENY IP ALL ALL 53. E. Change the implicit allow rule to implicit deny.

D, E. The easiest way is to change the implicit allow rule to implicit deny, and that is preferred because it also protects the server from any other unwanted traffic, not just DNS. You can also deny all IP traffic to port 53 with DENY IP ALL ALL 53. DNS queries normally use UDP port 53 and zone transfers use TCP port 53 (standard DNS also falls back to TCP 53 for responses too large for UDP), so both UDP 53 and TCP 53 need to be blocked; a rule that denies only TCP 53 still passes UDP queries, and one that denies only UDP 53 still passes zone transfers. DENY IP ALL ALL 53 covers both in a single rule. Denying TCP port 25 would block SMTP, which is unrelated to DNS.
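As an added example (not part of the original study set), the following Python simulates first-match ACL evaluation for the two rules in the question so that each answer option can be tested against sample traffic. The Rule and Packet classes, the parse_rule function and the sample traffic (using RFC 5737 documentation addresses) are constructed for illustration; the only syntax taken from the page is the PERMIT/DENY rule form itself, and this is not any vendor's firewall implementation.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "PERMIT" or "DENY"
    proto: str            # "TCP", "UDP", or "IP" (IP matches any transport)
    src: str              # "ANY"/"ALL" wildcard or a specific address
    dst: str
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_rule(text: str) -> Rule:
    """Parse the ACL syntax used in the question, e.g. 'DENY IP ALL ALL 53'."""
    parts = text.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"bad rule: {text!r}")
    action, proto, src, dst = (p.upper() for p in parts[:4])
    if action not in ("PERMIT", "DENY") or proto not in ("TCP", "UDP", "IP"):
        raise ValueError(f"bad rule: {text!r}")
    dport = int(parts[4]) if len(parts) == 5 else None
    return Rule(action, proto, src, dst, dport)


def _wild(field: str, value: str) -> bool:
    """ANY/ALL match everything; otherwise the field must equal the packet's value."""
    return field in ("ANY", "ALL") or field == value


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field is a wildcard or equals the packet's field."""
    if rule.proto != "IP" and rule.proto != pkt.proto:
        return False
    if not _wild(rule.src, pkt.src) or not _wild(rule.dst, pkt.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: list[Rule], pkt: Packet, implicit: str) -> str:
    """First-match evaluation; `implicit` is the action when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return implicit


# The two rules from the question, in the order given.
BASE_ACL = [parse_rule("PERMIT TCP ANY ANY 443"), parse_rule("PERMIT TCP ANY ANY 80")]

# Constructed sample traffic toward the web server (RFC 5737 documentation addresses).
TRAFFIC = {
    "https": Packet("TCP", "203.0.113.7", "198.51.100.10", 443),
    "http": Packet("TCP", "203.0.113.7", "198.51.100.10", 80),
    "dns_query": Packet("UDP", "203.0.113.7", "198.51.100.10", 53),
    "zone_transfer": Packet("TCP", "203.0.113.7", "198.51.100.10", 53),
}


def outcomes(extra_rules: list[str], implicit: str) -> dict[str, str]:
    """Evaluate the sample traffic against BASE_ACL plus `extra_rules` (appended)."""
    acl = BASE_ACL + [parse_rule(r) for r in extra_rules]
    return {name: evaluate(acl, pkt, implicit) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    print("as found :", outcomes([], "PERMIT"))
    print("option A :", outcomes(["DENY TCP ALL ALL 53"], "PERMIT"))
    print("option B :", outcomes(["DENY UDP ALL ALL 53"], "PERMIT"))
    print("option D :", outcomes(["DENY IP ALL ALL 53"], "PERMIT"))
    print("option E :", outcomes([], "DENY"))
```

Running it shows that option A alone still passes the UDP query and option B alone still passes the TCP zone transfer, while DENY IP ALL ALL 53 and the implicit-deny default each block both and leave the HTTP and HTTPS traffic the permit rules intend.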

13. A network technician incorrectly wired switch connections in your organization's network. It effectively disabled the switch as though it was a victim of a denial-of-service attack. What should be done to prevent this in the future? A. Install an IDS. B. Only use Layer 2 switches. C. Install SNMP on the switches. D. Implement STP or RSTP.

D. Spanning Tree Protocol (STP) or Rapid STP (RSTP) will prevent switching loop problems. It's rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch. An intrusion detection system (IDS) will not prevent a switching loop. Layer 2 switches are susceptible to this problem. Administrators use Simple Network Management Protocol (SNMP) to manage and monitor devices, but it doesn't prevent switching loops.
