Security+ - Network Security
How does an NAT (Network Address Translation) server help protect your network?
By masking the IP addresses of internal computers from the network - This helps prevent potential attackers from discovering valid internal IP addresses. When internal computers access resources on the Internet, they use the NAT sever's public IP address instead of their own address.
The following ports are open on your perimeter network firewall: 22 23 443 992 Which port represents the biggest security risk from an antiquated protocol?
Port 23 being open represents a potential risk from an antiquated protocol. Port 23 is used by unsecure telnet. Telnet allows connections and command line access to remote computers. Telnet and File Transfer Protocol (FTP) are among protocols that are considered antiquated and can create security risks because they send user names and passwords as clear, unencrypted text.
You are configuring a host firewall. You need to prevent files from being uploaded or downloaded in a clear text transmission. Which ports should you block?
UDP and TCP Port 20 - File Transfer Protocol (FTP) TCP Port 21 - File Transfer Protocol (FTP) UDP Port 69 - Trivial File Transfer Protocol (TFTP)
A port indicates that a computer is listening on port 80. What does this mean?
When a port scan reveals that a computer is listening on port 80, it means that the computer is running Web server software, such as Internet Information Server (IIS) or Apache Web Server. Port 80 is the default port for Hypertext Transfer Protocol (HTTP). Another commonly used HTTP port is port 8080.
Which wireless protocol uses the pre-shared key to encrypt data?
Wired Equivalent Privacy (WEP) uses the pre-shared key (PSK) to encrypt data. This is a vulnerability of WEP because the PSK is used for both authentication and encryption. An attacker who discovers the PSK can use it to decrypt data.
Which protocol can you use to ensure that a server accepts Telnet traffic only from a designated computer?
You can use IPSec to ensure that a server accept Telnet traffic only from a designated computer, such as a management workstation. A management workstation is a computer that has management utilities installed and is used to remotely manage other computers. Management workstations are typically configured with strong security policies. IPSec can be used to provide server isolation by creating filters that limit the traffic accepted based on IP address and port. IPSec requires computer authentication used pre-shared keys, certificates, or Kerberos. IPSec can also provide encryption using Encapsulating Security Payload (ESP).
You are deploying a corporate telephony solution. The network includes several branch offices in remote geographic locations. You need to provide VoIP support among all office locations. You need to design a network infrastructure to support communications. You need to minimize the impact on network security. You need to minimize the costs related to deploying the solution. What should you do?
You need to configure a demilitarized zone (DMZ), also referred to as a perimeter network. A DMZ uses one or more firewalls to isolate the internal network from the Internet. Voice over IP (VoIP) transmissions can be passed through the firewall(s) and carried over the Internet among the offices.
You are installing wireless access points on a company network that is separated from the Internet by a firewall. Which two steps can you take to mitigate the risk of eavesdropping by outsiders?
You should adjust the antenna placement. A wireless access point listens for and broadcasts radio waves. An eavesdropped can use a wireless sniffer to capture and view the waves. You should adjust the antenna placement of each wireless access point and use directional antennae to prevent the radio waves from going outside the company's walls.
Which ports do you need to allow on an Internet-facing firewall that uses NAT-T to support an L2TP/IPSec VPN connection?
You should allow Internet Protocol (IP) Protocol ID 50, User Datagram Protocol (UDP) port 500, and UDP port 4500 in the Internet-facing firewall to support a Layer 2 Transport Protocol/IP Security (L2TP/IPSec) VPN server using Network Address Translation Traversal (NAT-T). When IPSec is use in conjunction with L2TP, the L2TP packet is encapsulated by IPSec as it passes through the firewall. Therefore, you only need to allow the ports and protocol IDs necessary to support IPSec communication. Encapsulating Security Protocol (ESP), the protocol that carries IPSec data, uses protocol ID 50. Internet Key Excahnge (IKE) traffic is carried on UDP port 500. UDP port 4500 is required for NAT-T.
Client computers on a network use POP3 over SSL to receive e-mail. The e-mail service uses standard port assignments. Which port on the Internet face of the firewall should allow inbound packets?
You should allow inbound packets on Transmission Control Protocol (TCP) port 995. Port 995 is the port typically used by Post Office Protocol 3 (POP3) over Secure Sockets Layer (SSL). POP3 is used to receive incoming mail. Therefore, the Internet facing firewall must be configured to allow inbound packets on port 995. Protocols used for sending and receiving email operate over TCP.
An e-mail server supports IMAP connections. You need to ensure that all IMAP traffic is encrypted. What should you do?
You should allow traffic on Transmission Control Protocol (TCP) port 993. Port 993 is the port assigned to Internet Messaging Application Protocol (IMAP) over Secure Sockets Layer (SSL), which is the protocol used to transmit encrypted IMAP traffic. All email protocols operate over TCP. You should also block traffic on TCP port 143. This is the port used for unencrypted IMAP traffic.
Your network connects to the Internet through a single firewall. The internal network is configured as a single subnet. You need to deploy a public Web server to provide product information to your customers. What should you do?
You should configure a demilitarized zone (DMZ) and deploy the Web server on the DMZ. A DMZ, or perimeter network, is a network located between your internal network and the Internet. Computers accessible from the Internet, such as Web servers and file servers, are typically deployed on the DMZ. This gives remote clients access to the servers, but blocks direct access to the internal network. You can create a perimeter network by deploying two firewalls with the perimeter network between the firewalls or by adding a network adapter to a single firewall and configuring the perimeter network from that network adapter.
A company is concerned about protection against zero-day attacks that are initiated by a malicious script on a website that is visited by employees. What kind of security option will mitigate the risk of such an attack?
A web security gateway can perform URL filtering, content inspection, and malware inspection of web traffic. When content inspection is enabled on the device, the response of web requests will be examined to determine if there is malicious content, such as cookies, scripts, or embedded objects. If a heuristic examination method is used, the code will be examined for constructs or behaviors that might indicate malicious code, regardless of whether such code has been used in an attack. This helps protect against zero-day attacks. However, it increases processing requirements for the inspection and might lead to increased latency. False positive are also more likely because heuristics might flag a script that is not malicious.
A company has an IPv6 network with three sites. Which IP address can be routed only between cooperating sites?
An address with the prefix fc00::/7 is a Unique Local Address (ULA), which can be used to communicate with hosts on any cooperating site.
A company with a UTM wants to ensure that documents with the words "confidential" or "revenue" inside them are not sent outside the company through email or copied to a cloud service. Which UTM feature should the company configure?
Data loss prevention (DLP) allows a company to configure a set of policies that govern which files can be distributed outside the network. Filters can be configured to prevent files that contain certain words from being sent outside the network. You will want to ensure that the Unified Threat Management (UTM) appliance supports Secure Sockets Layer (SSL) to enable it to examine encrypted traffic streams.
Which wireless authentication protocol performs only client authentication?
Extensible Authentication Protocol Message Digest 5 (EAP-MD5) performs only client authentication. When a wireless network is configured to authenticate clients using EAP-MD5, the Remote Authentication Dial-In User Service (RADIUS) server uses challenge/response to authenticate a user. The username and password are the credentials used for authentication. The RADIUS server is not authenticated by the clients.
Which wireless authentication method requires certificates on both the client and the RADIUS server?
Extensible Authentication Protocol Transport Layer Security (EAP-TLS) provides mutual authentication between the Remote Authentication Dial-In User Service (RADIUS) server (known as the authenticator) and the client computer (known as the supplicant). Certificates are used to authenticate both the authenticator and the supplicant.
You are concerned about security on an older Wi-Fi network segment. The segment is configured to use WPA for access security. You need to justify migration of WPA2. What is a primary security enhancement in WPA2 compared to WPA?
Support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was introduced with WPA2. This is a stronger authentication protocol than the Temporal Key Integrity Protocol (TKIP) support with WPA. Support for TKIP is still offered as a means of backward compatibility, but recent innovations in hacking tools for breaking the encryption make it less popular.
A company has 1 Gbps Ethernet network. The company wants to implement a SAN without investing in additional network infrastructure. Which protocol can they use?
The company can use Internet Small Computer System Interface (iSCSI). An iSCSI Storage Area Network (SAN) can be implemented on an existing Ethernet infrastructure, including one that operates at 1 Gbps.
A company with a UTM wants to allow employees in the Marketing department to be able to access Facebook, but prevent them from clicking link. What should the company do?
The company should implement the application control feature of the Unified Threat Management (UTM) device. A UTM device provides various levels of traffic inspection that allows administrators a great deal of flexibility in protecting the network against threats. The application control capability allows you to define rules that determine not only which web applications users are allowed to access, but even which features of those applications are available. A UTM also allows administrators to perform traffic shaping, which throttles the bandwidth for certain applications and define policies that restrict usage based on the time of day.
A port scan indicates that a computer is listening on port 137. Which service is the computer running?
The computer is running Windows Internet Naming Service (WINS). WINS provides NetBIOS name resolution for computers locating in different subnets. A WINS server listens for name resolution and registration requests on port 137. Replication between WINS servers occurs over port 42.
In what kind of situation would it be most appropriate to use a hybrid cloud?
The only situation that specifically calls for a hybrid cloud solution is when an organization hosts its own applications and data, but occasionally needs additional overflow storage. A hybrid cloud combines resources from two types of clouds, such as a private and public cloud. In this case, the organizations could host its own applications and data in a private cloud and use a public cloud storage solution for overflow storage. This type of temporary use of additional resources is known as cloud-bursting.
You are selecting a security appliance to install between an internal network and the Internet. You need to prevent users from accessing gaming sites from their work computers. Which security appliance feature allows you to meet this requirement?
The security appliance needs to support URL filtering to meet the requirements. URL filtering utilizes an online database to allow or block access to websites in specific categories. It also allows companies to whitelist and blacklist certain sites.
Written security policy states that file servers in the legal department can only be accessed by client computers in the legal department and that transmitted data must be encrypted. You configure IPSec to implement this policy. Which security principle does this BEST illustrate?
This illustrates rule-based management. Rule-based management entails translating a written security policy into rules that can be implemented by software. In this case, you are using IPSec rules to implement the policy.
A solution vendor bills customers for access to a three-tier application based on usage. The application is deployed in the vendor's data center as sets of clustered virtual machines. Which type of network design element is exemplified?
This is an example of Infrastructure as a service (IaaS). IaaS is a type of cloud computing in which all tiers of a solution are virtualized and access is sold to customers. One advantage to IaaS is that the solution can be scalable and made highly available as need requires.
A hosting company has set up an infrastructure that provides storage and applications that are targeted specifically at non-profit fundraising organizations. Only these types of organizations will be allowed to subscribe, and each organization's data will be kept separate. Subscribers will be charged an annual fee for access. What is this an example of?
This is an example of a community cloud. A community cloud is a cloud-based infrastructure that is shared by several organizations which operate within the same community or vertical market. In this case, the community is non-profit fundraisers, but it could be any community with shared concerns. The infrastructures is hosted by a third party with community members as subscribers.
A subscription to a productivity application allows users in a company to create and share documents. The service is not hosted on a dedicated server. What is this an example of?
This is an example of a public cloud offering of software as a service (SaaS). Software as a service is an application that is hosted on a server. If a user or company subscribes to a hosted service that is utilized by many different companies, it is an example of public cloud.
When would you implement NAC (Network Access Control)?
To ensure that clients are compliant before allowing network access and to provide automatic remediation for unsecure computers - NAC sets the requirements for allowing computers access to network resources, such as minimum operating system levels, service packs, hotfixes, up-to-date virus definitions, and so forth.
You are configuring a server to be used as an FTPS server. You plan to use well-known port assignments. Only connections encrypted with TLS should be permitted. The host firewall is configured for implicit deny. You define the following firewall rules: Allow UDP port 989 Allow TCP port 989 Which additional firewall rules should you define?
You should configure port 900 as the control port and port 989 as the data port. File Transfer Protocol over SSL (FTPS) is a secure version of FTP that operates over Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It has two modes: implicit mode and explicit mode. With implicit mode, all connections are secure. Implicit mode requires port 990 as the control port. If any port other than port 990 is used as the control port, the client will be able to request encryption. This mode is known as explicit mode. However, clients that do not request encryption will send and receive data in clear text. The default port for sending data over FTPS is port 989. FTPS operates over both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
You are configuring the firewall between the Internet and your perimeter network. There are two servers on the perimeter network. Both servers hots a Web application that uses TLS. Which port should you configure to allow incoming and outgoing traffic?
You should configure the firewall to allow incoming and outgoing traffic on Transmission Control Protocol (TCP) port 443. Transport Layer Security (TLS) is a protocol that sends encrypted data use Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). HTTPS uses TCP port 443 to transmit data.
What should you do to ensure that messages between an SNMP management station and SNMP agents are encrypted?
You should create IPSec filters for port 161 and 162. Simple Network Management Protocol (SNMP) sends most traffic on User Datagram Protocol (UDP) port 161 and traps on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port 162. A trap is an unsolicited message from an agent to a management station. To encrypt SNMP data, you need to create an IPSec rule that applies to the management stations and the agents.
A company recently reorganized. Several employees will be working from home. They will need access to resources on the company's network, including servers and data. You need to configure a secure solution. What should you do?
You should deploy a remote access server at the company network. This lets you set up a secure connection, such as a virtual private network (VPN) connection for the remote users. This will enable them to log onto the network and access resources as if they were local clients.
A set of switches is used to implement a VLAN. Where should you enable loop protection?
You should enable loop protection on all ports of each switch. Loop protection causes a port to be temporarily disabled if it receives the loop protocol packet it sends out to check whether a loop exists. A loop can occur when a device that does not support the spanning tree protocol is attached to a switch port and begins to drop spanning tree packets. Loops can be introduced accidentally or maliciously if the physical security of the switch is not protected.
A router has five virtual terminals. You need to ensure that all router management traffic is encrypted. You run the commands necessary to generate a certificate. Which additional commands should you run?
You should execute the following commands: line vty 0 4 transport input ssh The virtual terminal lines on a Cisco router are numbered starting at 0. If a router has 5 virtual terminals, you will need to specify lines 0 through 4. After you obtain a configuration prompt for the specified lines, you need to enter the transport input ssh command to change the management protocol from unencrypted telnet to encrypted Secure Shell (SSH).
A company uses a Layer 2 switch to segment a network. Each department is assigned to a separate network segment. The conference room contains a wireless AP. You need to ensure that when a user connect a laptop computer to the wireless AP in the conference room, the user can access only resources in their own VLAN. What should you use?
You should use 802.1x. Using 802.1x allows you to configure a virtual local area network (VLAN) assignment according to membership in a Lightweight Directory Access Protocol (LDAP) or Active Directory group. This provides a very flexible way to manage VLAN assignments, particularly when devices roam to multiple access points. Creating VLANs allow you to segment a network. A VLAN acts as both a broadcast domain and a collision domain. Computers assigned to a VLAN can only be seen by other computers that are assigned to the same VLAN, unless routing is configured between the VLANs.
You install a Web application on three identical servers. You need to mitigate the risk that users will be unable to access the Web application if one of the servers fails. It should also mitigate the risk of malware infection. What should you use?
You should use a Unified Threat Management (UTM) appliance. A UTM appliance provides many mitigation features within a single device, including load balancing, anti-malware, and anti-spam.
You have server that hosts several different XML Web services that access a relational database using SQL. You need to install a device that can mitigate the risk of the database server being attacked through data sent in a request. What should you use?
You should use a Web application firewall (WAF). A Web application firewall uses a process called deep packet inspection to examine each request and response. A WAF is useful for preventing attacks that are based on user input, such as a SQL injection attack against a database server. A signature-based Web application firewall uses predefined signatures of malicious activity to determine whether to allow or block a request or response. An anomaly-based Web application firewall blocks requests or responses that deviate from normal usage patterns.
You suspect that an attacker is sending damaged packets into your network as a way to compromise your firewall. You need to collect as much information about network traffic as possible. What should you use?
You should use a protocol analyzer. A protocol analyzer captures network traffic and allows for detailed traffic analysis. In this situation, you can have the protocol analyzer identify damage packets. Damage packets are incorrectly formatted. By looking at the specific details of the packet content, you can often get some insight in to the type of attack being launched and take appropriate mitigating actions.
A number of users in your company telecommute. All users have a high-speed Internet connection. You need to allow secure remote access to the company network from users' home computers. All data sent between users' home computers and the company network must be encrypted. What should you install?
You should use a virtual private network (VPN) concentrator. A VPN concentrator is a hardware device that can provide secure connections for remote users. A VPN connection is a tunnel through a nonsecure network, such as the Internet. Data sent across a VPN is encapsulated in a VPN protocol, such as Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), or Secure Socket Tunneling Protocol (SSTP). Most VPN implementations also encrypt packets.