2.1 Install & configure network components, hardware- and software-based, to support org. security Flashcards
An admin deployed an intrusion detection system (IDS) behind the firewall of the demilitarized zone. A recent audit reveals that although the IDS generated the correct event, the penetration tester retrieved the alert notification. Without changing the physical architecture, how will the admin prevent easy detection of future alerts by intruders?
Set up an out-of-band link on a separate VLAN.
An out-of-band management link is more secure than an in-band one. It can use dedicated cabling, or share the existing cabling and physical switches while carrying management traffic (including IDS alerts) on a separate VLAN.
An in-band link is less secure, because the management channel shares the network being monitored. An adversary with a foothold on that network can observe the alert traffic and may also be able to block it.
Rulesets are a configuration setting of the intrusion detection system (IDS). Content filtering, such as blocking URLs or applying keyword-based blacklists and whitelists, is an example of a ruleset.
Deploying a security information and event management (SIEM) system changes the physical architecture and is not required.
A company wants to extend the corporate network to their employees over the Internet, anywhere in the United States. Requirements include a small budget and a minimum change to infrastructure. Access is transparent to the user. Which of the following should the company consider? (Select two)
A remote access topology
TLS VPN
A remote access virtual private network (VPN) has VPN client agents connect to a VPN-enabled router or concentrator at the company's main network. This is ideal for telecommuters.
A TLS (Transport Layer Security) VPN needs only a server listening on TCP port 443 (so no firewall changes are required) and, optionally, a set of client certificates to authenticate the device (transparent to users after a simple initial setup).
An IPsec VPN is usually deployed together with a tunneling or key-exchange protocol such as L2TP (Layer 2 Tunneling Protocol) or IKEv2 (Internet Key Exchange version 2). It is generally harder to implement than a TLS VPN, because it needs additional ports and protocols (UDP 500 and 4500 for IKE and NAT traversal, plus ESP) to pass through firewalls, and it requires more client-side setup.
A site-to-site VPN connects two or more local networks, each site running a VPN gateway. The gateway does all the work.
A Windows firewall rule allows all programs, all protocols, and all ports within the 192.168.0.0/24 subnet to connect to the network. Which of the following best describes this Windows Firewall with Advanced Security rule?
Access Control List
An access control list (ACL) contains rules that define a type of data packet and the action to take when such a packet enters or leaves a network or system. The general actions are deny or permit (accept).
Transport Layer Security (TLS) is the successor to SSL. TLS can also be used to build virtual private networks, but it is not a firewall rule type.
Data loss prevention (DLP) inspects content, such as an e-mail, and takes an action based on policy (for example, blocking an e-mail that contains proprietary information).
Secure Sockets Layer (SSL) is a network protocol that establishes an encrypted link between a web server and a browser. Users commonly interact with their bank's web portal over an SSL/TLS connection.
A Windows 7 laptop computer has Microsoft’s BitLocker enabled. Upon boot, the Windows operating system brings up the log in screen, ready for user credentials. Which of the following best describes how the system has BitLocker set up?
A TPM chip is on the motherboard.
A TPM (Trusted Platform Module) is a hardware security module (a cryptographic chip on the motherboard) that BitLocker uses to bind an encrypted drive to a specific system: the TPM unseals the volume key only if the measured boot components are unchanged. Moving the encrypted drive to another computer therefore requires the recovery password.
BitLocker generates a recovery password (a 48-digit numeric key) as part of its encryption process. It must be kept somewhere other than the encrypted drive itself, such as escrowed in Active Directory, saved to a separate drive, or printed.
BitLocker can be transparent to the user when a TPM is used: the drive is unlocked during boot without any prompt, so users may not even realize the drive is encrypted.
BitLocker on Windows 8 and later (including Windows 10) can encrypt only the used space on a drive; Windows 7 BitLocker supports only full-volume encryption.
A company's data loss prevention (DLP) system is set up to block the transfer of proprietary company information to all but which of the following?
OneDrive
An on-premises DLP solution cannot by itself block transfers to cloud storage services such as OneDrive; a separate cloud-based DLP service is required. It works either through a proxy that mediates access to the cloud service, or through the cloud service provider's API to perform scanning and policy enforcement.
A DLP can be used to block the writing of information to a CD or DVD based on configured policies and installed agents at the endpoint.
A DLP can block the transferring of content to USB in the same way as writing to CD or DVD.
A DLP can block the sending of proprietary information over e-mail by, for example, blocking a message whose attachments (documents or pictures) contain flagged content.
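As an added example (not from the original flashcards), the Python below sketches how a DLP policy engine ties content classification to channel coverage: it tags content that carries a confidentiality marker or a Luhn-valid payment card number, enforces on the channels an on-premises DLP can see (e-mail, USB, optical media), and reports cloud storage as uncovered until a cloud DLP integration is enabled. The channel names, the `CONFIDENTIAL`/`PROPRIETARY` markers, the `cloud_dlp` flag and the sample messages are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Set

# Constructed policy model. The on-premises DLP has enforcement points for
# e-mail, USB and optical media; cloud storage (OneDrive, etc.) is reachable
# only through a cloud DLP proxy/API integration, modelled by the cloud_dlp flag.
ON_PREM_CHANNELS = {"email", "usb", "optical"}
CLOUD_CHANNELS = {"cloud"}

# Hypothetical classification markers and a 13-16 digit card-number pattern
# (digits optionally separated by spaces or dashes).
TAG_RE = re.compile(r"\b(?:CONFIDENTIAL|PROPRIETARY|INTERNAL ONLY)\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum; keeps random digit runs from being flagged as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the set of policy labels that apply to a piece of content."""
    labels = set()
    if TAG_RE.search(text):
        labels.add("proprietary")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("payment-card")
    return labels


@dataclass(frozen=True)
class Verdict:
    action: str        # "allow", "block" or "uncovered"
    reason: str


def enforce(text: str, channel: str, cloud_dlp: bool = False) -> Verdict:
    """Decide what happens to content leaving via the given channel."""
    covered = ON_PREM_CHANNELS | (CLOUD_CHANNELS if cloud_dlp else set())
    if channel not in covered:
        # The on-premises DLP never sees this transfer, so it cannot block it.
        return Verdict("uncovered", f"no DLP enforcement point for channel {channel!r}")
    labels = classify(text)
    if labels:
        return Verdict("block", "matched " + ", ".join(sorted(labels)))
    return Verdict("allow", "no sensitive content found")


if __name__ == "__main__":
    # Constructed messages for the demonstration.
    memo = "Q3 roadmap (PROPRIETARY) attached."
    for channel in ("email", "usb", "cloud"):
        print(channel, enforce(memo, channel))
    print("cloud with cloud DLP:", enforce(memo, "cloud", cloud_dlp=True))
```

The Luhn check matters in practice: a plain digit regex flags order numbers and phone numbers, and a DLP that blocks too much gets switched off. The `uncovered` verdict is the point of the card above: the engine can only act where it has an enforcement point.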
A network with two working switches has several client computers connected for work and Internet access. After two new switches and more client computers are added, the new computers, as well as some of the old ones, cannot access the network. What is the most likely cause, and what is the solution? (Select two)
A loop in the network
STP
A switching loop causes network connections to drop: frames circulate endlessly between the switches, MAC address tables flap between ports, and broadcast frames multiply into a broadcast storm that saturates the links and the switch CPUs.
STP (Spanning Tree Protocol) lets the switches (bridges) elect a root bridge and organize themselves into a loop-free tree, blocking redundant links so that loops cannot form.
Port security is a switch feature that limits the number of MAC addresses allowed on a physical port; once the limit is reached, new stations are blocked. It does not address loops.
A flood guard is a firewall or switch feature that limits abusive traffic floods (such as half-open TCP connections or MAC-table flooding). It is not applicable to switching loops.
A hacker plans to eavesdrop on a network from a remote location. Multiple rods make up the tool of choice. The tool will point to the target to gather traffic. Which of the following devices will the hacker most likely use?
Yagi
The Yagi, or Yagi-Uda array, consists of a boom with several parallel rod elements (a driven element, a reflector and directors). It is a directional antenna, which is why it suits pointing at a target from a distance.
A parabolic, or dish, antenna is a familiar sight; these dishes are usually pointed at satellites in space.
A grid antenna is a parabolic antenna built as an open mesh rather than a solid dish, which reduces the wind load that can push a solid dish out of alignment.
Rubber duck or dipole antennas are the plastic-coated rods used on wireless access points (WAPs). WAPs without visible antennas use internal omnidirectional vertical rod-type antennas, which send and receive in all directions.
A remote office has both a file server and a web server. A network appliance is in front of these servers, to manage network traffic. A security administrator configures the access control list (ACL) to specify rules for specific subnet ranges. Which of the following best describes this device?
A layer 3 device
A layer 3 device operates at the network layer of the OSI model. Routers, for example, forward traffic based on IP addresses. The network appliance at the remote office, which filters by subnet range, is a layer 3 firewall.
A layer 2 device mostly describes a basic Ethernet switch. These are also called a LAN (local area network) switch, data switch, or workgroup switch. It operates at layer 2 or data link layer of the OSI model.
A VPN (Virtual Private Network) concentrator is a device that incorporates advanced encryption and authentication methods, to handle many VPN tunnels.
A proxy server mediates the communications between a client and another server. It can filter communications and provide caching services to improve performance.
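The two ACL cards above (the Windows firewall rule and the layer 3 appliance) describe rules that match packets by subnet, protocol and port and then permit or deny. The Python below is an added example, not part of the original page, that parses a small Cisco-like ACL into rules, evaluates packets against it with first-match semantics and an implicit final deny, and flags rules shadowed by earlier ones. The ACL syntax is a simplified one of my own, and the 10.10.0.x server addresses and 192.168.0.0/24 client subnet are made up for the remote-office scenario.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example using a simplified, Cisco-like ACL syntax:
#   <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D" or a CIDR prefix.
EXAMPLE_ACL = """
! web server reachable from anywhere on 443/80
permit tcp any host 10.10.0.20 eq 443
permit tcp any host 10.10.0.20 eq 80
! file server (SMB) only from the trusted client subnet
permit tcp 192.168.0.0/24 host 10.10.0.10 eq 445
deny ip any any
"""


@dataclass(frozen=True)
class AclRule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" (any), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]               # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1


def parse_acl(text: str) -> List[AclRule]:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):      # blank line or comment
            continue
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(AclRule(action, proto, src, dst, dport))
    return rules


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[AclRule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. If nothing matches, apply the implicit deny
    that routers and firewalls place at the end of every ACL (index None)."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def shadowed(acl: List[AclRule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match. Ordering mistakes show up here."""
    out = []
    for i, r in enumerate(acl):
        for e in acl[:i]:
            if ((e.proto == "ip" or e.proto == r.proto)
                    and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and (e.dport is None or e.dport == r.dport)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    for pkt in (Packet("tcp", "203.0.113.5", "10.10.0.20", 443),
                Packet("tcp", "203.0.113.5", "10.10.0.10", 445),
                Packet("tcp", "192.168.0.7", "10.10.0.10", 445)):
        print(pkt, "->", evaluate(acl, pkt))
```

Note that the Windows firewall rule in the earlier card (all programs, protocols and ports from 192.168.0.0/24) is just `permit ip 192.168.0.0/24 any` in this notation; the `shadowed` check is what catches the classic mistake of placing such a broad rule above more specific deny rules.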
Management hired 20 new people and the network team set up the network connections in the office to accommodate them. There are three unmanaged ("dummy") client switches, with roughly 40 computers connected to the network. The client computers obtain IP (Internet Protocol) addresses via DHCP (Dynamic Host Configuration Protocol). The local DHCP server and file server are connected to the switches. When trying to access the servers or the Internet from the client computers, there is no network connectivity. Some clients have a DHCP-assigned IP address. What may be the cause?
A loop in the network
A switching loop causes network connections to drop: frames circulate endlessly between the switches, MAC address tables flap between ports, and broadcast frames multiply into a broadcast storm that saturates the links and the switch CPUs.
MAC (Media Access Control) filtering drops frames from specific MAC addresses. However, unmanaged ("dummy") client switches were deployed, which normally means no such configuration has been made.
Port security is an advanced feature of managed switches. "Dummy" switches are basic switches that let traffic flow freely.
DHCP is working properly, since some clients did receive addresses. The others have not received one yet because the switching loop is disrupting their traffic.
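To make the loop explanation in this card and the earlier one concrete, the following Python is an added example (not from the original page): it checks a switch topology for a loop with union-find, then runs a simplified spanning tree computation, root election by lowest bridge ID and lowest-cost path to the root with ties broken by the neighbour's bridge ID, to show which redundant links STP would put into the blocking state. The four-switch topology, bridge IDs and link costs are constructed; real STP also exchanges BPDUs and handles port roles and timers, which this omits.

```python
import heapq
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]                 # (priority, MAC); lowest value wins
Link = Tuple[str, str, int]                # (switch A, switch B, path cost)

# Constructed topology: the two original switches plus two new ones, cabled
# with redundant links. All bridges use the default priority 32768, so the
# lowest MAC address decides the root. Costs follow the classic STP table
# (4 = 1 Gbps, 19 = 100 Mbps).
BRIDGE_IDS: Dict[str, BridgeId] = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
    "SW4": (32768, "00:00:00:00:00:04"),
}
LINKS: List[Link] = [
    ("SW1", "SW2", 4), ("SW2", "SW3", 4), ("SW3", "SW4", 4),
    ("SW4", "SW1", 4), ("SW1", "SW3", 19),
]


def has_loop(switches, links) -> bool:
    """Union-find cycle check: True if the cabling contains a switching loop."""
    parent = {s: s for s in switches}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in links:
        ra, rb = find(a), find(b)
        if ra == rb:
            return True
        parent[ra] = rb
    return False


def elect_root(bridge_ids: Dict[str, BridgeId]) -> str:
    """Root bridge = lowest (priority, MAC) tuple."""
    return min(bridge_ids, key=bridge_ids.get)


def spanning_tree(bridge_ids, links):
    """Simplified STP: each switch keeps the lowest-cost path to the root
    (ties broken by the advertising neighbour's bridge ID) and every other
    link is put into the blocking state. Returns (root, forwarding, blocked)."""
    root = elect_root(bridge_ids)
    adj = {s: [] for s in bridge_ids}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    # best[switch] = (root path cost, sender bridge ID, upstream switch)
    best = {root: (0, bridge_ids[root], None)}
    heap = [(0, bridge_ids[root], root)]
    while heap:
        cost, _, s = heapq.heappop(heap)
        if cost > best[s][0]:
            continue                                # stale entry
        for n, c in adj[s]:
            cand = (cost + c, bridge_ids[s])
            if n not in best or cand < best[n][:2]:
                best[n] = (cand[0], cand[1], s)
                heapq.heappush(heap, (cand[0], cand[1], n))
    forwarding = {frozenset((s, up)) for s, (_, _, up) in best.items() if up}
    blocked = [(a, b) for a, b, _ in links if frozenset((a, b)) not in forwarding]
    return root, forwarding, blocked


if __name__ == "__main__":
    print("loop without STP:", has_loop(BRIDGE_IDS, LINKS))
    root, fwd, blocked = spanning_tree(BRIDGE_IDS, LINKS)
    print("root bridge:", root)
    print("blocked links:", blocked)
```

With five links between four switches there are two redundant paths, and the computation blocks exactly two links, leaving a tree. The same check is why unmanaged switches are a problem: they have no STP, so the loop introduced by the extra cabling is never blocked.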
Management wants to secure company laptops with BitLocker, in case they get stolen, or the hard drives removed. However, the user should not have to type in a password to decrypt the hard drive. What is an alternative, rather than inputting a password, to use a system with BitLocker enabled?
Use a hardware security module
A TPM (Trusted Platform Module) is a hardware security module (a cryptographic chip on the motherboard) that BitLocker uses to bind an encrypted drive to a specific system: the TPM unseals the volume key only if the measured boot components are unchanged, so no user password is needed. Moving the encrypted drive to another computer therefore requires the recovery password.
BitLocker To Go can encrypt USB drives, but a laptop cannot boot from a BitLocker-encrypted USB drive, and requiring telecommuters to carry a USB key to start their laptop is not practical either.
BitLocker generates a recovery password (a 48-digit numeric key) as part of its encryption process. It must be kept somewhere other than the encrypted drive itself, such as escrowed in Active Directory, saved to a separate drive, or printed.
SSO (Single Sign On) is applicable with other services or applications after the initial log in. BitLocker does not use single sign on.
An office has deployed new client switches. A network administrator disables Telnet and allows SSH (Secure Shell) for secure management. A security administrator suggests disabling HTTP (Hypertext Transfer Protocol) as well. What other best practice restricts unauthorized devices from connecting?
Enable port security
Port security prevents unauthorized client devices from attaching through wall ports to switch or router ports. The switch records a configurable maximum number of MAC addresses per port, and once that maximum is reached frames from any new address are dropped (or the port is shut down, depending on the violation mode).
SNMP (Simple Network Management Protocol) sends traps with status information to network monitoring tools. Changing the default community string (for example "public") prevents unauthorized tools from gathering data using well-known default names, but it does not stop devices from connecting.
HTTPS can be enabled on the network switch for secure web management. This is an alternative to managing switches via SSH.
Installing the latest firmware updates can provide new features, fix bugs, and patch any security vulnerabilities. Reviewing vendor security bulletins can help forewarn of possible exploits.
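The port security behaviour described above, as an added Python example that is not part of the original flashcards: a port learns up to a configured number of MAC addresses, and an unknown address beyond that limit is handled according to a Cisco-style violation mode (protect, restrict or shutdown). MAC notation is normalized first so a station cannot evade the limit by rewriting its address in another format. The port names and the frame sequence are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:...' or Cisco 'aabb.ccdd.eeff' and
    return the canonical lower-case colon form, so the same station cannot
    slip past the limit by changing the notation."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SecurePort:
    """One access port with port security enabled (Cisco-style semantics)."""
    name: str
    max_macs: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    learned: Set[str] = field(default_factory=set)   # sticky-learned addresses
    violations: int = 0
    err_disabled: bool = False

    def ingress(self, src_mac: str) -> bool:
        """Process one inbound frame; True = forwarded, False = dropped."""
        mac = normalize_mac(src_mac)
        if self.err_disabled:
            return False                  # port stays down until an admin re-enables it
        if mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(mac)         # learn the first N stations seen
            return True
        # Limit reached and an unknown station is talking: a violation.
        if self.violation == "protect":
            return False                  # silently drop, nothing logged
        self.violations += 1              # restrict: drop, count and log
        if self.violation == "shutdown":
            self.err_disabled = True      # take the whole port down
        return False


def replay(port: SecurePort, frames: List[str]) -> List[bool]:
    """Feed a sequence of source MACs through the port and record the outcome."""
    return [port.ingress(m) for m in frames]


if __name__ == "__main__":
    # Constructed frame sequence: two legitimate stations, then a rogue device
    # (or a MAC-flooding tool) presenting a new address on the same wall port.
    frames = ["00:11:22:33:44:55", "0011.2233.4455", "AA-BB-CC-DD-EE-01",
              "aa:bb:cc:dd:ee:02", "00:11:22:33:44:55"]
    p = SecurePort("Gi1/0/5", max_macs=2, violation="shutdown")
    print(replay(p, frames), "err-disabled:", p.err_disabled)
```

The shutdown mode is the one that actually stops a rogue device, but it also takes the legitimate stations on that port offline until someone clears the err-disabled state, which is why it should be paired with logging and a documented recovery procedure.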
Two virtual hosts run on a stack and each host runs a virtual machine (VM). Both VMs use shared storage, and an admin must provide stateful fault tolerance. The enterprise services running on these VMs must work on both virtual hosts, and continue working if one of the virtual hosts goes offline. What cluster setup provides the functionality the organization requires?
An active/active configuration consisting of n nodes.
An active/active cluster provides Enterprise services to clients from both virtual servers. All services will transparently transfer to the other server if one virtual host goes offline.
An active/passive cluster provides Enterprise services to clients from only one virtual server. The other server comes online only when the currently active server goes offline.
Session affinity (also called source IP affinity or sticky sessions) is a load-balancing setting that keeps a client's requests on the same server based on its source IP address; it is a layer 4 approach to handling user sessions.
A round robin setting is used in load balancing scenarios. New client sessions are established with the next server in the group. Round robin and affinity provide stateless fault tolerance.
An organization has a network access control (NAC) system that assesses the health of workstations and laptops connected to the corporate network. A network admin must add mobile devices to the list of platforms. How will an admin provide health assessments for these new devices?
Perform an agentless health assessment.
An agentless health or posture assessment supports a wide range of devices, such as smartphones and tablets, but less detailed information about the client is available.
A non-persistent or dissolvable agent is loaded into memory and never installed on the system. This option still requires an agent that may not be compatible with mobile devices.
Enforcing the existing policies applies only to workstations and laptops. New policies must be created for mobile devices.
A quarantine network is a restricted network to which non-compliant devices are redirected after they have been assessed. A policy for mobile devices must be in place before proper remediation can take place.
An Internet service provider (ISP) enters an old neighborhood to make plans to provide high-speed Internet. The neighborhood does not have cable service. Mobile homes in the area have antennas visibly seen above their rooftops. What type of antennas do these residents most likely use?
Yagi
The Yagi, or Yagi-Uda array, consists of a boom with several parallel rod elements (a driven element, a reflector and directors). It is a directional antenna, which suits rooftop links aimed at a distant wireless provider's tower.
A parabolic, or dish, antenna is a familiar sight; these dishes are usually pointed at satellites in space.
A grid antenna is a parabolic antenna built as an open mesh rather than a solid dish, which reduces the wind load that can push a solid dish out of alignment.
Rubber duck or dipole antennas are the plastic-coated rods used on wireless access points (WAPs). WAPs without visible antennas use internal omnidirectional vertical rod-type antennas, which send and receive in all directions.
The only wireless access point (WAP) in the office is an 802.11ac device advertised as having faster data rates and better performance, even at the edge of coverage, than the older WAP. The device is mounted on the ceiling in the middle of the office, yet its coverage is limited to about 100 feet. What may be causing the shorter range?
A reduced power setting.
Most WAPs and Wi-Fi routers have a transmit (Tx) power setting. Lowering it reduces the output power and therefore the range of the wireless signal.
Multiple WAPs do not conflict merely by being present; interference becomes likely when two of them operate on the same band and channel.
There is no shortage of channels for an office this size. Most offices still run wireless-N devices in both the 2.4 GHz and 5 GHz bands, and because 802.11ac operates in the 5 GHz band, this WAP has many non-overlapping channels available.
Placing the WAP high up, such as on the ceiling, maximizes range and reduces interference rather than shortening the range.
A network administrator logs on to a computer and notices, in the Windows network settings of the guest operating system, two Ethernet adapters connected to one another. What type of network is on this computer?
Bridge
A bridge connects two network segments together. An example includes a bridged connection between the wireless and Ethernet adapters of a laptop.
An ad hoc network is created when wireless network adapters are configured to connect to one another in a peer-to-peer WLAN (Wireless LAN) topology.
STP (Spanning Tree Protocol) prevents loops in a topology with multiple switches (bridges); it is not a type of network connection.
A tunnel describes a mode of IPsec (Internet Protocol Security). Tunnel mode encrypts the entire original IP packet, including its header, before it is routed across the public Internet, and the gateway at the far end decrypts it.