14) Supporting and Troubleshooting Secure Networks Flashcards
An administrator can ping a server by IP address but cannot ping the server by its name. What are some areas the administrator should check to find out why the name isn’t resolving to the IP address? (Select all that apply.)
A. Check the local cache
B. Check that the DHCP server is online
C. Check the HOSTS file
D. Query DNS
A. Check the local cache
C. Check the HOSTS file
D. Query DNS
The administrator should check the local cache. On Windows, ipconfig /displaydns shows the resolver cache (including negative entries left by earlier failed lookups) and ipconfig /flushdns clears it, so a stale or wrong cached record can be ruled out before looking further.
The administrator should check the HOSTS file, a static list of hostname-to-IP-address mappings on the local system. It is consulted before DNS, so a stale or malicious entry overrides the correct DNS record. It should normally contain nothing beyond the loopback entries; any other mapping is either the cause of the problem or evidence of tampering.
The administrator should query DNS directly, for example with nslookup or Resolve-DnsName. A host uses the name servers defined in its IP configuration to resolve queries, so the check is whether those servers return the expected record at all.
An offline DHCP server would cause the host to fail to obtain or renew its IP configuration. Here the host already has a working address, since it can ping the server by IP.
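The three checks above, as an added example that is not part of the original flashcards: a small Python script that parses a HOSTS file, flags any active mapping other than the loopback entries, and walks the cache, HOSTS, DNS order to show where a name actually resolves from and whether HOSTS is overriding DNS. The HOSTS text, the cache contents and the DNS answers are constructed stand-ins, and the names and addresses (corp.example, 10.0.0.x) are assumptions so that it runs offline.

```python
import ipaddress

# Constructed sample HOSTS file (not taken from any real system). The two
# loopback lines are the normal content; the last line is the kind of entry
# that silently hijacks resolution for one name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
::1 localhost
10.0.0.99 fileserver.corp.example   # added by a "helpful" script
"""

LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return [(ip, [names...])] for every active (non-comment) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        entries.append((str(ip), [n.lower() for n in parts[1:]]))
    return entries


def suspicious_hosts_entries(entries):
    """Active entries that are not loopback mappings. Each one overrides DNS
    for the names it lists, which is why the card says there should be none."""
    flagged = []
    for ip, names in entries:
        if ipaddress.ip_address(ip).is_loopback and set(names) <= LOOPBACK_NAMES:
            continue
        flagged.append((ip, names))
    return flagged


def resolve(name, cache, hosts_entries, dns_lookup):
    """Mimic the order the card describes: cache, then HOSTS, then DNS.
    Returns (ip, source) or (None, 'unresolved')."""
    name = name.lower().rstrip(".")
    if name in cache:
        return cache[name], "cache"
    for ip, names in hosts_entries:
        if name in names:
            return ip, "hosts"
    ip = dns_lookup(name)
    if ip:
        return ip, "dns"
    return None, "unresolved"


# Constructed stand-in for the configured name servers (no network access).
FAKE_DNS = {"fileserver.corp.example": "10.0.0.5", "app01.corp.example": "10.0.0.20"}


def fake_dns_lookup(name):
    return FAKE_DNS.get(name)


def diagnose(name, cache=None, hosts_text=SAMPLE_HOSTS, dns_lookup=fake_dns_lookup):
    """Where does this name resolve from, and does that disagree with DNS?"""
    entries = parse_hosts(hosts_text)
    ip, source = resolve(name, cache or {}, entries, dns_lookup)
    dns_ip = dns_lookup(name.lower().rstrip("."))
    return {
        "ip": ip,
        "source": source,
        "dns_ip": dns_ip,
        "overridden": source != "dns" and dns_ip is not None and ip != dns_ip,
        "suspicious_hosts": suspicious_hosts_entries(entries),
    }


if __name__ == "__main__":
    # The rogue HOSTS entry wins over the correct DNS record for fileserver.
    print(diagnose("fileserver.corp.example"))
    # A stale cache entry wins over both HOSTS and DNS for app01.
    print(diagnose("app01.corp.example", cache={"app01.corp.example": "10.0.0.99"}))
```

Running it against a real machine means replacing SAMPLE_HOSTS with the contents of %SystemRoot%\System32\drivers\etc\hosts and fake_dns_lookup with a real query; the decision logic stays the same.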
A Windows user is trying to remote desktop into an application server. Although the user can ping the FQDN, they are unable to establish a connection. What is most likely the cause?
A. The application server is down
B. Firewall blocking TCP port 3389
C. The application server is on a different VLAN
D. DNS misconfiguration
B. Firewall blocking TCP port 3389
The most likely cause is that a firewall (on the network path or on the server itself) is blocking TCP port 3389, the port used for Remote Desktop Protocol (RDP) traffic.
The application server is not down, because it answered pings sent to its fully qualified domain name (FQDN). Note that an ICMP reply only proves the host is up at the network layer; the Remote Desktop service could still be stopped. A TCP connection attempt to port 3389 tells the two apart: a refused connection means the host is up but nothing is listening, while a timeout points to a firewall silently dropping the traffic.
Even if the application server were on a different VLAN, that would not be the issue, because the ping reached it, showing that traffic is routed between the VLANs.
If the Domain Name System (DNS) were misconfigured, the user would not have been able to ping the application server by its FQDN in the first place.
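The distinction above (host up but port refused, versus port filtered by a firewall) as an added example, not code from the original flashcards: a Python probe that classifies a TCP port by how the connection attempt fails, plus a self-contained demonstration against a throwaway listener on the loopback interface so it can run without touching a real application server. The interpretation strings are this example's own wording of the card's reasoning.

```python
import socket

RDP_PORT = 3389


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port the way a firewall troubleshooter needs to:
    'open'                 handshake completed: a service is listening
    'closed'               host answered with RST: host is up, nothing listens
    'filtered'             no answer before the timeout: something in the path
                           is dropping the SYN (a firewall is the usual suspect)
    'unreachable:<errno>'  local error (no route, name did not resolve, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:  # alias of TimeoutError on current Pythons
        return "filtered"
    except OSError as exc:
        return f"unreachable:{exc.errno}"


def interpret(result):
    """Map a probe result onto the card's candidate causes."""
    if result == "open":
        return "port 3389 reachable; look above the transport layer (credentials, NLA, RDP settings)"
    if result == "closed":
        return "host is up but the Remote Desktop service is not listening"
    if result == "filtered":
        return "firewall blocking TCP port 3389 (the card's answer)"
    return "host not reachable at all; revisit ping/DNS/routing first"


def check_rdp(host):
    return interpret(probe_tcp(host, RDP_PORT))


def demo_local():
    """Constructed, offline demonstration: open a listener on a free loopback
    port, probe it ('open'), close it, probe the same port again ('closed').
    A 'filtered' result cannot be reproduced locally because the loopback
    interface never silently drops a SYN."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)               # kernel completes the handshake for us
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local())  # ('open', 'closed')
    # Against a real server you would run: print(check_rdp("app01.corp.example"))
```

On Windows the equivalent one-liner is Test-NetConnection -ComputerName <server> -Port 3389; what matters is the same three-way distinction, not the tool.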
An administrator is configuring a new network from the ground up. Which servers would the administrator configure as bastion hosts? (Select all that apply.)
A. Proxy servers
B. Active directory servers
C. Web servers
D. File servers
A. Proxy servers
C. Web servers
Bastion hosts sit in the perimeter network (screened subnet) where they accept traffic from untrusted networks, so they are hardened and are not fully trusted by the internal network. Proxy servers are bastion hosts because they take internal requests and transmit them to the Internet on behalf of the internal host, so only the proxy is exposed.
The administrator will also configure servers that provide public access services, such as web servers, in the perimeter network. These are bastion hosts as well.
Active directory servers are not bastion servers. Administrators would protect these servers on the internal network behind firewalls.
File servers are not bastion servers. Administrators would protect these servers on the internal network behind firewalls.
An administrator has plugged in a new security camera, but when accessing the camera’s web management interface, the administrator encounters a self-signed certificate error. What should the administrator do?
A. Add an exception for the certificate
B. Have the service owner update the certificate
C. Synchronize the time between the client and server
D. Replace the default certificate
D. Replace the default certificate
On a self-signed certificate, the holder is both the issuer and the subject of the certificate, so no trusted CA vouches for it and the browser cannot tell a genuine appliance from one an attacker has interposed. The administrator should replace the default certificate with one issued by a CA the enterprise trusts, for example the organization's internal PKI.
The administrator should not add an exception for the certificate unless it is a special circumstance, and only after confirming out of band (for example by comparing the certificate fingerprint with the one shown on the device's console or documentation) that threat actors have not tampered with the appliance.
Having the service owner update the certificate is the response when the certificate presented is the wrong type or incorrectly formatted; a self-signed certificate error does not indicate that.
If the time between the server and client is not synchronized, a valid certificate can appear not yet valid or expired, but the browser would then report a validity-date error, not an untrusted self-signed issuer.
An organization purchased a new router with built-in firewall features. The administrator configured the new appliance and it worked as expected. However, after 90 days the firewall stopped working. What is the most likely cause?
A. The license trial period ended
B. There weren’t enough ports on the device
C. There weren’t enough routes allowed in the routing table
D. The routing protocols stopped working
A. The license trial period ended
The most likely cause is that the firewall feature shipped with a 90-day trial license and the trial has expired. The administrator should verify the licenses or activation keys installed on the appliance and check its logs for a license or feature-expiry message.
Licensing or feature activation can also limit the number of usable ports on a device, but a port shortage would have shown up during configuration, not after 90 days of working operation.
Licensing can likewise cap the number of routes allowed in the routing table, but that would affect forwarding rather than the firewall feature stopping.
Routing protocols would not stop working on their own; they would stop only if the administrator blocked them with an access control list.
An administrator received an alert regarding suspicious activity on the network. The system is logging the activity and the administrator must determine how to handle the situation. What kind of system most likely sent the alert?
A. IDS
B. IPS
C. Firewall
D. NAC
A. IDS
This system is most likely an intrusion detection system (IDS), which performs real-time analysis of either network traffic or system and application logs. It raises an alert and can log activity when it detects suspicious activity.
An intrusion prevention system (IPS) raises an alert and logs suspicious activity, but, unlike an IDS, it can also provide an active response to any network threats that it matches.
A firewall is software or a hardware device that protects a system or network by blocking unwanted network traffic.
Network Access Control (NAC) is a system for authenticating endpoints at the point they connect to the network and can ensure that clients are running an authorized OS and have up-to-date patches and security scanner configurations.
An organization is using Dynamic Host Configuration Protocol (DHCP) to centrally manage IP addressing. All clients on the network are receiving IP address autoconfiguration except the clients on a new subnet. What is the most likely reason?
A. The administrator reconfigured the DHCP server
B. The DHCP server is offline
C. There are no IP addresses available
D. The router doesn’t support BOOTP forwarding
D. The router doesn’t support BOOTP forwarding
DHCP discovery is broadcast, and routers do not forward broadcasts between subnets. For clients on a subnet with no local DHCP server, the router (or another host on that subnet) must act as a DHCP relay agent and forward the request to the server as unicast; this is the BOOTP/DHCP forwarding feature (an "IP helper" address on many routers). The router on the new subnet does not support or is not configured for it, so DHCP traffic never reaches the server.
If the administrator had reconfigured the DHCP server, clients on every subnet would gradually pick up the new configuration as their leases renewed; here only clients on one subnet are not receiving IP configurations.
If the DHCP server were offline, users would continue to work for a period and then start to lose connectivity as their leases expired and could not be renewed, again on every subnet, not just one.
IP Address Management (IPAM) software tracks address usage across DHCP scopes. If the server had run out of addresses, new clients on the existing subnets would also fail to obtain a lease, whereas here only the new subnet is affected.
Which service maps ports and documents the mappings for new webserver connections and then substitutes the private IP address for a public IP address before sending the request to the public Internet? (Select all that apply.)
A. Static NAT
B. Dynamic NAT
C. PAT
D. NAPT
C. PAT
D. NAPT
PAT (port address translation) and NAPT (network address port translation) are two names for the same service. It allocates each outbound connection its own port mapping in a state table, substitutes the single public IP address (and the allocated port) for the private source address and port, and forwards the packet to the public Internet. Replies are matched against the state table and de-translated; inbound packets with no matching state are dropped.
This is why many private hosts can share one public address, and why unsolicited connections from the Internet cannot reach them without an explicit port forward.
In a basic static NAT (network address translation) configuration, a simple 1:1 mapping connects the private network address and the public address.
In dynamic NAT, the NAT device exposes a pool of public IP addresses and builds a table of the public to private address mappings that it releases when the sessions end.
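The PAT/NAPT state table described above, and the contrast with a static 1:1 NAT, as an added Python example that is not part of the original flashcards. The addresses (203.0.113.x, 198.51.100.x, 192.168.1.x) are documentation ranges chosen for the example; the class names and port-allocation scheme are this example's own assumptions, not any vendor's implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Port Address Translation (NAPT): many private hosts share one public IP.
    Each outbound flow is given its own public source port; the state table
    maps (public_port, remote endpoint) back to the private endpoint."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self._next = first_port
        self._last = last_port
        # (public_port, dst_ip, dst_port) -> (private_ip, private_port)
        self.table = {}
        # private Flow -> public_port, so retransmits reuse their mapping
        self._by_private = {}

    def outbound(self, flow):
        pport = self._by_private.get(flow)
        if pport is None:
            pport = self._allocate()
            self._by_private[flow] = pport
            self.table[(pport, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, pport, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Packet arriving from the Internet addressed to our public IP.
        Returns the de-translated flow, or None when no state exists
        (unsolicited traffic is dropped)."""
        if flow.dst_ip != self.public_ip:
            return None
        priv = self.table.get((flow.dst_port, flow.src_ip, flow.src_port))
        if priv is None:
            return None
        return Flow(flow.src_ip, flow.src_port, priv[0], priv[1])

    def _allocate(self):
        if self._next > self._last:
            raise RuntimeError("PAT port pool exhausted")
        port = self._next
        self._next += 1
        return port


class StaticNat:
    """Basic 1:1 NAT. Inbound packets for a mapped public address are always
    forwarded, so the inside host is reachable from the Internet, which is what
    you want for a published server and not for an ordinary workstation."""

    def __init__(self, pairs):  # {private_ip: public_ip}
        self.out = dict(pairs)
        self.inn = {pub: priv for priv, pub in pairs.items()}

    def outbound(self, flow):
        return Flow(self.out[flow.src_ip], flow.src_port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        priv = self.inn.get(flow.dst_ip)
        if priv is None:
            return None
        return Flow(flow.src_ip, flow.src_port, priv, flow.dst_port)


if __name__ == "__main__":
    gw = PatGateway("203.0.113.10")
    # Two inside hosts happen to pick the same ephemeral port; PAT keeps them apart.
    a = gw.outbound(Flow("192.168.1.10", 50000, "198.51.100.80", 443))
    b = gw.outbound(Flow("192.168.1.11", 50000, "198.51.100.80", 443))
    print(a, b, sep="\n")
    print(gw.inbound(Flow("198.51.100.80", 443, "203.0.113.10", a.src_port)))
    print(gw.inbound(Flow("198.51.100.80", 443, "203.0.113.10", 4444)))  # None: dropped
```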
An administrator is configuring a firewall at the Session layer of the OSI model. What kind of firewall is the administrator implementing?
A. Router firewall
B. Stateful inspection firewall
C. Appliance firewall
D. Packet filtering firewall
B. Stateful inspection firewall
A stateful inspection firewall operates at Layer 5 (Session) of the OSI model. It keeps a state table of the connections it has seen and checks each incoming packet to confirm whether it belongs to an existing connection, so a reply is admitted only if the matching outbound request was observed.
A router firewall operates at Layer 3, with the functionality built into the router firmware. Most home Internet routers/modems have this type of firewall functionality.
An appliance firewall is a stand-alone hardware device placed inline to monitor all traffic passing into and out of a network segment. It can be deployed in a layer 2/virtual wire "transparent" mode, which is how the exam objective characterizes it.
A packet-filtering firewall works at Layer 3 of the OSI model, inspecting the headers of IP packets. It is stateless, meaning it does not preserve information about the connection between two hosts, so it cannot tell a genuine reply from a forged packet that merely carries the expected ports and flags.
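The stateless versus stateful difference above, as an added Python example that is not from the original flashcards. It models a stateless packet filter that must allow "reply" packets from source port 80 to high ports, and a stateful firewall that only admits inbound packets matching a session created by an outbound SYN. The packets, the 10.0.0.0/24 inside network and the flag sets are constructed for the example, and the firewall classes are this example's own simplification (TCP only, no timeouts).

```python
from collections import namedtuple

# flags is a set of TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")

INTERNAL_PREFIX = "10.0.0."  # constructed: the inside network is 10.0.0.0/24


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Layer 3/4 packet filter with no memory of past packets. To let web
    replies back in it must allow inbound packets with *source* port 80/443
    and the ACK flag to any high port. An attacker satisfies that rule simply
    by sending from port 80, which is exactly how an ACK scan maps hosts
    behind a stateless filter."""
    if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
        return "allow"  # all outbound traffic
    if not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip):
        if pkt.src_port in (80, 443) and pkt.dst_port >= 1024 and "ACK" in pkt.flags:
            return "allow"  # looks like a reply to a web request
    return "deny"


class StatefulFirewall:
    """Session-layer inspection: inbound packets are admitted only when they
    match a session that an outbound SYN created."""

    def __init__(self):
        self.sessions = set()  # (int_ip, int_port, ext_ip, ext_port)

    def filter(self, pkt):
        outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
        inbound = not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip)
        if outbound:
            if pkt.flags == {"SYN"}:
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.sessions:
                if "FIN" in pkt.flags or "RST" in pkt.flags:
                    self.sessions.discard(key)  # connection teardown
                return "allow"
        return "deny"


def run_scenario():
    """Constructed traffic: one genuine web session and one ACK scan aimed at
    an inside host's RDP port from a forged source port of 80."""
    fw = StatefulFirewall()
    client_syn = Packet("10.0.0.7", 51000, "203.0.113.5", 80, {"SYN"})
    server_synack = Packet("203.0.113.5", 80, "10.0.0.7", 51000, {"SYN", "ACK"})
    ack_scan = Packet("198.51.100.9", 80, "10.0.0.7", 3389, {"ACK"})

    fw.filter(client_syn)  # the outbound SYN creates the session entry
    return {
        "legit_reply": {"stateless": stateless_filter(server_synack),
                        "stateful": fw.filter(server_synack)},
        "ack_scan": {"stateless": stateless_filter(ack_scan),
                     "stateful": fw.filter(ack_scan)},
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The legitimate reply passes both filters; the forged packet passes the stateless filter but is dropped by the stateful one because no session matches it.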
A user is attempting to access a government network, but the network will not allow the user’s device to connect until the user updates the operating system. What kind of defense mechanism is this?
A. Defense in depth
B. Honeypot
C. Separation of duties
D. Network access control
D. Network access control
Network Access Control (NAC) is a system for authenticating endpoints at the point they connect to the network and can ensure that clients are running an authorized OS and have up-to-date patches and security scanner configurations.
Defense in depth refers to placing security controls throughout the network, so that the network authenticates, authorizes, and audits all access attempts.
A honeypot is a computer system set up to attract attackers, intending to analyze attack strategies and tools and to divert attention from actual computer systems.
Separation of duties is a means of establishing checks and balances against the possibility that insider threats can compromise critical systems or procedures.