48 Cards in this Set


QUESTION 1

Which of the following should be deployed to prevent the transmission of malicious traffic between virtual machines hosted on a singular physical device on a network?

A. HIPS on each virtual machine
B. NIPS on the network
C. NIDS on the network
D. HIDS on each virtual machine

Answer: A

Explanation:

A host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

QUESTION 2

Which of the following components of an all-in-one security appliance would MOST likely be configured in order to restrict access to peer-to-peer file sharing websites?

A. Spam filter
B. URL filter
C. Content inspection
D. Malware inspection

Answer: B

Explanation:

The question asks how to prevent access to peer-to-peer file sharing websites. You access a website by browsing to a URL using a Web browser or peer-to-peer file sharing client software. A URL filter is used to block URLs (websites) to prevent users accessing the website.

Incorrect Answers:

A: A spam filter is used for email. All inbound (and sometimes outbound) email is passed through the spam filter to detect spam emails. The spam emails are then discarded or tagged as potential spam according to the spam filter configuration. Spam filters do not prevent users accessing peer-to-peer file sharing websites.

C: Content inspection is the process of inspecting the content of a web page as it is downloaded. The content can then be blocked if it doesn't comply with the company's web policy. Content-control software determines what content will be available or, perhaps more often, what content will be blocked. Content inspection does not prevent users accessing peer-to-peer file sharing websites (although it could block the content of the sites as it is downloaded).

D: Malware inspection is the process of scanning a computer system for malware. Malware inspection does not prevent users accessing peer-to-peer file sharing websites.

QUESTION 3

Pete, the system administrator, wants to restrict access to advertisements, games, and gambling web sites. Which of the following devices would BEST achieve this goal?

A. Firewall
B. Switch
C. URL content filter
D. Spam filter

Answer: C

Explanation:

URL filtering, also known as web filtering, is the act of blocking access to a site based on all or part of the URL used to request access. URL filtering can focus on all or part of a fully qualified domain name (FQDN), specific path names, specific filenames, specific file extensions, or entire specific URLs. Many URL-filtering tools can obtain updated master URL block lists from vendors as well as allow administrators to add or remove URLs from a custom list.

QUESTION 4

The administrator receives a call from an employee named Joe. Joe says the Internet is down and he is receiving a blank page when typing to connect to a popular sports website. The administrator asks Joe to try visiting a popular search engine site, which Joe reports as successful. Joe then says that he can get to the sports site on his phone. Which of the following might the administrator need to configure?

A. The access rules on the IDS
B. The pop up blocker in the employee's browser
C. The sensitivity level of the spam filter
D. The default block page on the URL filter

Answer: D

Explanation:

A URL filter is used to block access to a site based on all or part of a URL. There are a number of URL-filtering tools that can acquire updated master URL bloc

QUESTION 5

Layer 7 devices used to prevent specific types of HTML tags are called:

A. Firewalls
B. Content filters
C. Routers
D. NIDS

Answer: B

Explanation:

A content filter is a type of software designed to restrict or control the content a reader is authorised to access, particularly when used to limit material delivered over the Internet via the Web, e-mail, or other means. Because the user interacts directly with the content filter, it operates at Layer 7 (the application layer) of the OSI model.

QUESTION 6

Pete, an employee, attempts to visit a popular social networking site but is blocked. Instead, a page is displayed notifying him that this site cannot be visited. Which of the following is MOST likely blocking Pete's access to this site?

A. Internet content filter
B. Firewall
C. Proxy server
D. Protocol analyzer

Answer: A

Explanation:

Web filtering software is designed to restrict or control the content a reader is authorized to access, especially when utilized to restrict material delivered over the Internet via the Web, email, or other means.

QUESTION 7

A review of the company's network traffic shows that most of the malware infections are caused by users visiting gambling and gaming websites. The security manager wants to implement a solution that will block these websites, scan all web traffic for signs of malware, and block the malware before it enters the company network. Which of the following is suited for this purpose?

A. ACL
B. IDS
C. UTM
D. Firewall

Answer: C

Explanation:

An all-in-one appliance, also known as Unified Threat Management (UTM) and Next Generation Firewall (NGFW), is one that provides a good foundation for security. A variety is available; those that you should be familiar with for the exam fall under the categories of providing URL filtering, content inspection, or malware inspection.

Malware inspection is the use of a malware scanner to detect unwanted software content in network traffic. If malware is detected, it can be blocked or logged and/or trigger an alert.

QUESTION 8

Which of the following is BEST at blocking attacks and providing security at layer 7 of the OSI model?

A. WAF
B. NIDS
C. Routers
D. Switches

Answer: A

Explanation:

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

As the protocols used to access a web server (typically HTTP and HTTPS) run in layer 7 of the OSI model, a web application firewall (WAF) is the correct answer.

QUESTION 9

Which of the following should the security administrator implement to limit web traffic based on country of origin? (Select THREE).

A. Spam filter
B. Load balancer
C. Antivirus
D. Proxies
E. Firewall
F. NIDS
G. URL filtering

Answer: DEG

Explanation:

A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers.

Firewalls manage traffic using a rule or a set of rules. A URL is a reference to a resource that specifies the location of the resource. A URL filter is used to block access to a site based on all or part of a URL.

QUESTION 10

A security engineer is reviewing log data and sees the output below:

POST: /payload.php HTTP/1.1
HOST: localhost
Accept: */*
Referrer: http://localhost/
*******
HTTP/1.1 403 Forbidden
Connection: close
Log: Access denied with 403.
Pattern matches form bypass

Which of the following technologies was MOST likely being used to generate this log?

A. Host-based Intrusion Detection System
B. Web application firewall
C. Network-based Intrusion Detection System
D. Stateful Inspection Firewall
E. URL Content Filter

Answer: B

Explanation:

A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It's intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.

QUESTION 11

An administrator would like to review the effectiveness of existing security in the enterprise. Which of the following would be the BEST place to start?

A. Review past security incidents and their resolution
B. Rewrite the existing security policy
C. Implement an intrusion prevention system
D. Install honey pot systems

Answer: C

Explanation:

The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

QUESTION 12

A company has proprietary mission critical devices connected to their network which are configured remotely by both employees and approved customers. The administrator wants to monitor device security without changing their baseline configuration. Which of the following should be implemented to secure the devices without risking availability?

A. Host-based firewall
B. IDS
C. IPS
D. Honeypot

Answer: B

Explanation:

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.

IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.

QUESTION 15

Which of the following firewall rules only denies DNS zone transfers?

A. deny udp any any port 53
B. deny ip any any
C. deny tcp any any port 53
D. deny all dns packets

Answer: C

Explanation:

DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers.

QUESTION 16

A security administrator suspects that an increase in the amount of TFTP traffic on the network is due to unauthorized file transfers, and wants to configure a firewall to block all TFTP traffic. Which of the following would accomplish this task?

A. Deny TCP port 68
B. Deny TCP port 69
C. Deny UDP port 68
D. Deny UDP port 69

Answer: D

Explanation:

Trivial File Transfer Protocol (TFTP) is a simple file-exchange protocol that doesn't require authentication. It operates on UDP port 69.

QUESTION 17

Sara, a security technician, has received notice that a vendor coming in for a presentation will require access to a server outside of the network. Currently, users are only able to access remote sites through a VPN connection. How could Sara BEST accommodate the vendor?

A. Allow incoming IPSec traffic into the vendor's IP address.
B. Set up a VPN account for the vendor, allowing access to the remote site.
C. Turn off the firewall while the vendor is in the office, allowing access to the remote site.
D. Write a firewall rule to allow the vendor to have access to the remote site.

Answer: D

Explanation:

Firewall rules are used to define what traffic is able to pass between the firewall and the internal network. Firewall rules block the connection, allow the connection, or allow the connection only if it is secured. Firewall rules can be applied to inbound traffic or outbound traffic and any type of network.

QUESTION 18

A technician is deploying virtual machines for multiple customers on a single physical host to reduce power consumption in a data center. Which of the following should be recommended to isolate the VMs from one another?

A. Implement a virtual firewall
B. Install HIPS on each VM
C. Virtual switches with VLANs
D. Develop a patch management guide

Answer: C

Explanation:

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments.

QUESTION 19

A router has a single Ethernet connection to a switch. In the router configuration, the Ethernet interface has three sub-interfaces, each configured with ACLs applied to them and 802.1q trunks. Which of the following is MOST likely the reason for the sub-interfaces?

A. The network uses the subnet of 255.255.255.128.
B. The switch has several VLANs configured on it.
C. The sub-interfaces are configured for VoIP traffic.
D. The sub-interfaces each implement quality of service.

Answer: B

Explanation:

A subinterface is a division of one physical interface into multiple logical interfaces. Routers commonly employ subinterfaces for a variety of purposes, the most common of which is routing traffic between VLANs. Also, IEEE 802.1Q is the networking standard that supports virtual LANs (VLANs) on an Ethernet network.

QUESTION 20

Joe, a technician at the local power plant, notices that several turbines had ramped up in cycles during the week. Further investigation by the system engineering team determined that a timed .exe file had been uploaded to the system control console during a visit by international contractors. Which of the following actions should Joe recommend?

A. Create a VLAN for the SCADA
B. Enable PKI for the MainFrame
C. Implement patch management
D. Implement stronger WPA2 Wireless

Answer: A

Explanation:

VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments. This can be accomplished by not defining a route between different VLANs or by specifying a deny filter between certain VLANs (or certain members of a VLAN). Any network segment that doesn't need to communicate with another in order to accomplish a work task/function shouldn't be able to do so.

QUESTION 21

The security administrator needs to manage traffic on a layer 3 device to support FTP from a new remote site. Which of the following would need to be implemented?

A. Implicit deny
B. VLAN management
C. Port security
D. Access control lists

Answer: D

Explanation:

In the OSI model, IP addressing and IP routing are performed at layer 3 (the network layer). In this question we need to configure routing. When configuring routing, you specify which IP range (in this case, the IP subnet of the remote site) is allowed to route traffic through the router to the FTP server.

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

QUESTION 22

Matt, the network engineer, has been tasked with separating network traffic between virtual machines on a single hypervisor. Which of the following would he implement to BEST address this requirement? (Select TWO).

A. Virtual switch
B. NAT
C. System partitioning
D. Access-list
E. Disable spanning tree
F. VLAN

Answer: AF

Explanation:

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. A virtual switch is a software application that allows communication between virtual machines. A combination of the two would best satisfy the question.

QUESTION 23

A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application's task. Which of the following is the security administrator practicing in this example?

A. Explicit deny
B. Port security
C. Access control lists
D. Implicit deny

Answer: C

Explanation:

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

QUESTION 24

An administrator needs to connect a router in one building to a router in another using Ethernet. Each router is connected to a managed switch and the switches are connected to each other via a fiber line. Which of the following should be configured to prevent unauthorized devices from connecting to the network?

A. Configure each port on the switches to use the same VLAN other than the default one
B. Enable VTP on both switches and set to the same domain
C. Configure only one of the routers to run DHCP services
D. Implement port security on the switches

Answer: D

Explanation:

Port security in IT can mean several things:

The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port.

The management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn't actively using them.

Port knocking is a security system in which all ports on a system appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.

QUESTION 25

At an organization, unauthorized users have been accessing network resources via unused network wall jacks. Which of the following would be used to stop unauthorized access?

A. Configure an access list.
B. Configure spanning tree protocol.
C. Configure port security.
D. Configure loop protection.

Answer: C

Explanation:

Port security in IT can mean several things. It can mean the physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port. This can be accomplished by locking down the wiring closet and server vaults and then disconnecting the workstation run from the patch panel (or punch-down block) that leads to a room's wall jack. Any unneeded or unused wall jacks can (and should) be physically disabled in this manner. Another option is to use a smart patch panel that can monitor the MAC address of any device connected to each and every wall port across a building and detect not just when a new device is connected to an empty port, but also when a valid device is disconnected or replaced by an invalid device.

QUESTION 26

On Monday, all company employees report being unable to connect to the corporate wireless network, which uses 802.1x with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages. Which of the following is the MOST likely cause for this issue?

A. Too many incorrect authentication attempts have caused users to be temporarily disabled.
B. The DNS server is overwhelmed with connections and is unable to respond to queries.
C. The company IDS detected a wireless attack and disabled the wireless network.
D. The Remote Authentication Dial-In User Service server certificate has expired.

Answer: D

Explanation:

The question states that the network uses 802.1x with PEAP. The 802.1x authentication server is typically an EAP-compliant Remote Authentication Dial-In User Service (RADIUS) server. A RADIUS server will be configured with a digital certificate. When a digital certificate is created, an expiration period is configured by the Certificate Authority (CA). The expiration period is commonly one or two years. The question states that no configuration changes have been made, so it's likely that the certificate has expired.

QUESTION 27

A company determines a need for additional protection from rogue devices plugging into physical ports around the building. Which of the following provides the highest degree of protection from unauthorized wired network access?

A. Intrusion Prevention Systems
B. MAC filtering
C. Flood guards
D. 802.1x

Answer: D

Explanation:

IEEE 802.1x is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism to wireless devices connecting to a LAN or WLAN.

QUESTION 28

While configuring a new access layer switch, the administrator, Joe, was advised that he needed to make sure that only devices authorized to access the network would be permitted to login and utilize resources. Which of the following should the administrator implement to ensure this happens?

A. Log Analysis
B. VLAN Management
C. Network separation
D. 802.1x

Answer: D

Explanation:

802.1x is a port-based authentication mechanism. It's based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it's often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco Systems' Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).

QUESTION 29

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.

PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443

Which of the following rules would accomplish this task? (Select TWO).

A. Change the firewall default settings so that it implements an implicit deny
B. Apply the current ACL to all interfaces of the firewall
C. Remove the current ACL
D. Add the following ACL at the top of the current ACL: DENY TCP ANY ANY 53
E. Add the following ACL at the bottom of the current ACL: DENY ICMP ANY ANY 53
F. Add the following ACL at the bottom of the current ACL: DENY IP ANY ANY 53

Answer: AF

Explanation:

Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.

DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

QUESTION 30

Users are unable to connect to the web server at IP 192.168.0.20. Which of the following can be inferred of a firewall that is configured ONLY with the following ACL?

PERMIT TCP ANY HOST 192.168.0.10 EQ 80
PERMIT TCP ANY HOST 192.168.0.10 EQ 443

A. It implements stateful packet filtering.
B. It implements bottom-up processing.
C. It failed closed.
D. It implements an implicit deny.

Answer: D

Explanation:

Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.

QUESTION 31

The Human Resources department has a parent shared folder set up on the server. There are two groups that have access, one called managers and one called staff. There are many sub folders under the parent shared folder, one is called payroll. The parent folder access control list propagates to all subfolders and all subfolders inherit the parent permission. Which of the following is the quickest way to prevent the staff group from gaining access to the payroll folder?

A. Remove the staff group from the payroll folder
B. Implicit deny on the payroll folder for the staff group
C. Implicit deny on the payroll folder for the managers group
D. Remove inheritance from the payroll folder

Answer: B

Explanation:

Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default.

QUESTION 32

A company has several conference rooms with wired network jacks that are used by both employees and guests. Employees need access to internal resources and guests only need access to the Internet. Which of the following combinations is BEST to meet the requirements?

A. NAT and DMZ
B. VPN and IPSec
C. Switches and a firewall
D. 802.1x and VLANs

Answer: D

Explanation:

802.1x is a port-based authentication mechanism. It's based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it's often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco Systems' Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are part of VLAN 1. But as the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and be distinct from other VLAN port designations. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

QUESTION 33

Matt, the IT Manager, wants to create a new network available to virtual servers on the same hypervisor, and does not want this network to be routable to the firewall. How could this BEST be accomplished?

A. Create a VLAN without a default gateway.
B. Remove the network from the routing table.
C. Create a virtual switch.
D. Commission a stand-alone switch.

Answer: C

Explanation:

A Hyper-V Virtual Switch implements policy enforcement for security, isolation, and service levels.

QUESTION 34

A Chief Information Security Officer (CISO) is tasked with outsourcing the analysis of security logs. These will need to still be reviewed on a regular basis to ensure the security of the company has not been breached. Which of the following cloud service options would support this requirement?

A. SaaS
B. MaaS
C. IaaS
D. PaaS

Answer: B

Explanation:

Monitoring-as-a-service (MaaS) is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud.

QUESTION 35

Joe, a security administrator, believes that a network breach has occurred in the datacenter as a result of a misconfigured router access list, allowing outside access to an SSH server. Which of the following should Joe search for in the log files?

A. Failed authentication attempts
B. Network ping sweeps
C. Host port scans
D. Connections to port 22

Answer: D

Explanation:

Log analysis is the art and science of reviewing audit trails, log files, or other forms of computer-generated records for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern.

SSH uses TCP port 22. All protocols encrypted by SSH also use TCP port 22, such as SFTP, SHTTP, SCP, SExec, and slogin.

QUESTION 36

An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to combine the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal?

A. Unified Threat Management
B. Virtual Private Network
C. Single sign on
D. Role-based management

Answer: A

Explanation:

When you combine a firewall with other abilities (intrusion prevention, antivirus, content filtering, etc.), what used to be called an all-in-one appliance is now known as a unified threat management (UTM) system. The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with, and, typically, reduced complexity.

QUESTION 37

An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to integrate the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal?

A. Unified Threat Management
B. Virtual Private Network
C. Single sign on
D. Role-based management

Answer: A

Explanation:

Unified Threat Management (UTM) is, basically, the combination of a firewall with other abilities. These abilities include intrusion prevention, antivirus, content filtering, etc. Advantages of combining everything into one:

You only have one product to learn.

You only have to deal with a single vendor.

It provides reduced complexity.

QUESTION 38

A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network?

A. VLAN
B. Subnet
C. VPN
D. DMZ

Answer: D

Explanation:

A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.

QUESTION 39

Which of the following devices would MOST likely have a DMZ interface?

A. Firewall

B. Switch

C. Load balancer

D. Proxy

Answer: A

Explanation:

The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall: a firewall with separate interfaces for the Internet, the DMZ and the internal LAN, so that traffic between any two of those zones has to cross the firewall's rule set.


QUESTION 40

A security analyst needs to ensure all external traffic is able to access the company's front-end servers but protect all access to internal resources. Which of the following network design elements would MOST likely be recommended?

A. DMZ

B. Cloud computing

C. VLAN

D. Virtualization

Answer: A

Explanation:

A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.


QUESTION 41

Which of the following network architecture concepts is used to securely isolate at the boundary between networks?

A. VLAN

B. Subnetting

C. DMZ

D. NAT

Answer: C

Explanation:

A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.


QUESTION 42

When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator's request?

A. DMZ

B. Cloud services

C. Virtualization

D. Sandboxing

Answer: A

Explanation:

A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

QUESTION 43

Which of the following BEST describes a demilitarized zone?

A. A buffer zone between protected and unprotected networks.

B. A network where all servers exist and are monitored.

C. A sterile, isolated network segment with access lists.

D. A private network that is protected by a firewall and a VLAN.

Answer: A

Explanation:

A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

QUESTION 44

Which of the following would allow the organization to divide a Class C IP address range into several ranges?

A. DMZ

B. Virtual LANs

C. NAT

D. Subnetting

Answer: D

Explanation:

Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections. It works by borrowing bits from the host portion of the address to lengthen the subnet mask; a Class C range (/24) split with a /26 mask, for example, yields four subnets of 62 usable hosts, each its own broadcast domain.


QUESTION 45

Which of the following IP addresses would be hosts on the same subnet given the subnet mask 255.255.255.224? (Select TWO).

A. 10.4.4.125

B. 10.4.4.158

C. 10.4.4.165

D. 10.4.4.189

E. 10.4.4.199

Answer: CD

Explanation:

A mask of 255.255.255.224 is a /27, which splits the last octet into blocks of 32 (0-31, 32-63, 64-95, 96-127, 128-159, 160-191, 192-223, 224-255) with a maximum of 30 hosts in each. 10.4.4.165 and 10.4.4.189 both fall in the 10.4.4.160/27 block, whose usable host addresses run from 10.4.4.161 to 10.4.4.190, so options C and D are hosts on the same subnet. The other options are not: .125 is in the 96-127 block, .158 in 128-159 and .199 in 192-223.

http://www.subnetonline.com/pages/subnet-calculators/ip-subnet-calculator.php


QUESTION 46

Which of the following would the security engineer set as the subnet mask for the servers below to utilize host addresses on separate broadcast domains?

Server 1: 192.168.100.6

Server 2: 192.168.100.9

Server 3: 192.169.100.20

A. /24

B. /27

C. /28

D. /29

E. /30

Answer: D

Explanation:

A /29 mask (255.255.255.248) splits the last octet into blocks of 8 with 6 usable hosts each. Server 1 (.6) falls in the .0-.7 block, Server 2 (.9) in .8-.15 and Server 3 (.20) in .16-.23, so all three servers use host addresses on different broadcast domains. With /24, /27 (blocks of 32) or /28 (blocks of 16), Servers 1 and 2 both land in the .0 block and share a broadcast domain. A /30 would also separate them but leaves only two usable addresses per subnet; /29 is the largest subnet size that still keeps the three apart.


QUESTION 47

Which of the following is BEST used to break a group of IP addresses into smaller network segments or blocks?

A. NAT

B. Virtualization

C. NAC

D. Subnetting

Answer: D

Explanation:

Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections.
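The subnet arithmetic behind Questions 44 to 47 can be checked rather than done by hand. The following is an added example, not part of the original question bank; it uses Python's standard ipaddress module, and the only inputs are the addresses and masks printed in Questions 45 and 46 above (including 192.169.100.20 exactly as the page gives it).

```python
import ipaddress

# Constructed inputs, copied from Question 45 and Question 46 above.
Q45_MASK = "255.255.255.224"
Q45_CANDIDATES = ["10.4.4.125", "10.4.4.158", "10.4.4.165", "10.4.4.189", "10.4.4.199"]
Q46_SERVERS = ["192.168.100.6", "192.168.100.9", "192.169.100.20"]
Q46_CHOICES = [24, 27, 28, 29, 30]


def subnet_of(addr, mask):
    """Return the network that host `addr` belongs to under `mask`.

    `mask` may be a prefix length (27) or a dotted mask ("255.255.255.224").
    strict=False makes ipaddress zero the host bits instead of raising because
    `addr` is a host address rather than a network address.
    """
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def usable_host_range(addr, mask):
    """First usable host, last usable host and host count of the subnet holding `addr`."""
    hosts = list(subnet_of(addr, mask).hosts())  # excludes network and broadcast
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def group_by_subnet(addrs, mask):
    """Map each subnet (as a string such as '10.4.4.160/27') to the addresses inside it."""
    groups = {}
    for addr in addrs:
        groups.setdefault(str(subnet_of(addr, mask)), []).append(addr)
    return groups


def sharing_a_subnet(addrs, mask):
    """Addresses that share a subnet with at least one other address in `addrs`."""
    return [addr
            for members in group_by_subnet(addrs, mask).values() if len(members) > 1
            for addr in members]


def shortest_separating_prefix(addrs, choices):
    """Shortest prefix (largest subnets) at which every address lands in its own
    subnet, or None if no candidate prefix separates them all."""
    for prefix in sorted(choices):
        if len({subnet_of(addr, prefix) for addr in addrs}) == len(addrs):
            return prefix
    return None


if __name__ == "__main__":
    print(usable_host_range("10.4.4.165", Q45_MASK))            # ('10.4.4.161', '10.4.4.190', 30)
    print(sharing_a_subnet(Q45_CANDIDATES, Q45_MASK))            # ['10.4.4.165', '10.4.4.189']
    print(shortest_separating_prefix(Q46_SERVERS, Q46_CHOICES))  # 29
```

The shortest_separating_prefix check is what makes /29 the answer to Question 46: it is the first (largest) candidate at which the set of subnets has as many members as there are servers. Dropping 29 and 30 from the candidate list returns None, which is the quick way to confirm that /24, /27 and /28 all leave two servers in one broadcast domain.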

QUESTION 48

A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless BYOD users and 2 web servers without wireless access. Which of the following should the company configure to protect the servers from the user devices? (Select TWO).

A. Deny incoming connections to the outside router interface.

B. Change the default HTTP port

C. Implement EAP-TLS to establish mutual authentication

D. Disable the physical switch ports

E. Create a server VLAN

F. Create an ACL to access the server

Answer: EF

Explanation:

We can protect the servers from the user devices by separating them into separate VLANs (virtual local area networks). The network device in the question is a router/switch. We can use the router to allow access from devices in one VLAN to the servers in the other VLAN, and configure an ACL (Access Control List) on the router to determine who is able to access the servers.

In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN. This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch.
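The VLAN only stops the BYOD devices and the servers from sharing a broadcast domain; it is the ACL at the routing point that decides which traffic may cross. The following added example (not part of the question bank) models how a router evaluates such an ACL. The addressing, the VLAN numbers (10 for BYOD, 20 for servers) and the server addresses are assumptions for the example; the question gives none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology for Question 48. The addresses and VLAN numbers are
# assumptions; the question gives none. BYOD users sit in VLAN 10, the two web
# servers in VLAN 20, and the router/switch routes between the two VLANs.
BYOD_VLAN = ipaddress.ip_network("10.0.10.0/24")
SERVER_VLAN = ipaddress.ip_network("10.0.20.0/24")
WEB_SERVERS = ["10.0.20.11", "10.0.20.12"]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None      # None matches any destination port


def matches(rule, src, dst, proto, dport):
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation, as router ACLs do it. A packet that matches no
    rule hits the implicit deny at the end of every list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def web_only_acl():
    """ACL applied inbound on the router's VLAN 10 (BYOD) interface: users may
    reach the web servers on 80 and 443 and nothing else in the server VLAN;
    traffic to anywhere outside the server VLAN (the Internet) is left alone."""
    acl = [Rule("permit", BYOD_VLAN, ipaddress.ip_network(f"{srv}/32"), "tcp", port)
           for srv in WEB_SERVERS for port in (80, 443)]
    acl.append(Rule("deny", BYOD_VLAN, SERVER_VLAN, "any"))
    acl.append(Rule("permit", BYOD_VLAN, ANY, "any"))
    return acl


def misordered_acl():
    """The same rules with the broad deny moved to the top: evaluation stops at
    the first match, so the web permits below it are never reached."""
    acl = web_only_acl()
    deny = acl.pop(-2)
    return [deny] + acl


if __name__ == "__main__":
    acl = web_only_acl()
    print(evaluate(acl, "10.0.10.5", "10.0.20.11", "tcp", 443))   # permit
    print(evaluate(acl, "10.0.10.5", "10.0.20.11", "tcp", 22))    # deny
    print(evaluate(acl, "10.0.10.5", "203.0.113.9", "tcp", 443))  # permit
    print(evaluate(misordered_acl(), "10.0.10.5", "10.0.20.11", "tcp", 443))  # deny
```

Two points the model makes visible: the implicit deny means an ACL with no matching rule blocks the traffic, so the final permit-any is needed for the BYOD users to keep reaching the Internet; and rule order matters, which is why misordered_acl() breaks web access even though it contains exactly the same rules.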





QUESTION 49

A network engineer is setting up a network for a company. There is a BYOD policy for the employees so that they can connect their laptops and mobile devices. Which of the following technologies should be employed to separate the administrative network from the network in which all of the employees' devices are connected?

A. VPN

B. VLAN

C. WPA2

D. MAC filtering

Answer: B

Explanation:

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function. That routing point is also where an ACL can restrict which BYOD traffic, if any, is allowed to reach the administrative network.

QUESTION 50

Pete, a network administrator, is capturing packets on the network and notices that a large amount of the traffic on the LAN is SIP and RTP protocols. Which of the following should he do to segment that traffic from the other traffic?

A. Connect the WAP to a different switch.

B. Create a voice VLAN.

C. Create a DMZ.

D. Set the switch ports to 802.1q mode.

Answer: B

Explanation:

It is a common and recommended practice to separate voice and data traffic by using VLANs. Separating voice and data traffic using VLANs provides a solid security boundary, preventing data applications from reaching the voice traffic. It also gives you a simpler method to deploy QoS, prioritizing the voice traffic over the data. Note that a VLAN is a layer-2 boundary: where the voice and data VLANs are routed together, an ACL at the routing point is still needed to keep data hosts away from the voice subnet.
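The tagging mentioned in Question 48 (a trunk carrying several VLANs) and the voice VLAN of Question 50 both rest on the 802.1Q tag inserted after the source MAC address. The following added example, not part of the question bank, builds and parses such frames so the fields are visible: the TPID 0x8100 marks a tagged frame, and the 16-bit TCI holds a 3-bit priority (PCP), a 1-bit drop-eligible flag and the 12-bit VLAN id. The MAC addresses and the VLAN ids 100 (voice) and 200 (data) are assumptions for the example.

```python
import struct

# Constructed frames; MAC addresses and VLAN ids are assumptions for the example.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VOICE_VID, DATA_VID = 100, 200          # assumed voice and data VLAN ids
PHONE_MAC = bytes.fromhex("0a1b2c000001")
PC_MAC = bytes.fromhex("0a1b2c000002")
GATEWAY_MAC = bytes.fromhex("0a1b2c0000ff")


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet II frame, with an 802.1Q tag inserted after the source MAC when vid is given."""
    frame = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)   # PCP:3 DEI:1 VID:12
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tag, ethertype, payload). tag is None for an untagged
    frame, otherwise a dict with the PCP, DEI and VID fields of the tag."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tag = 14, None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return dst, src, tag, ethertype, frame[offset:]


def classify_on_trunk(frame, voice_vid=VOICE_VID, data_vid=DATA_VID):
    """What a trunk port that carries only the voice and data VLANs does with a frame."""
    _, _, tag, _, _ = parse_frame(frame)
    if tag is None:
        return "native"      # untagged frames fall into the trunk's native VLAN
    if tag["vid"] == voice_vid:
        return "voice"
    if tag["vid"] == data_vid:
        return "data"
    return "drop"            # VLAN not allowed on this trunk


if __name__ == "__main__":
    # PCP 5 is the class-of-service value conventionally used to mark voice for QoS.
    rtp = build_frame(GATEWAY_MAC, PHONE_MAC, ETHERTYPE_IPV4, b"rtp payload", vid=VOICE_VID, pcp=5)
    http = build_frame(GATEWAY_MAC, PC_MAC, ETHERTYPE_IPV4, b"http payload", vid=DATA_VID)
    print(parse_frame(rtp)[2])                                 # {'pcp': 5, 'dei': 0, 'vid': 100}
    print(classify_on_trunk(rtp), classify_on_trunk(http))     # voice data
```

The "native" branch is the part worth remembering: a frame that arrives on a trunk without a tag is placed in the native VLAN, so a voice VLAN that is also the native VLAN of a trunk can receive untagged data traffic. Tagging the voice VLAN and keeping the native VLAN unused avoids that.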