Certmaster Supporting and Troubleshooting Secure Networks Flashcards
An organization is using Dynamic Host Configuration Protocol (DHCP) to centrally manage IP addressing. All clients on the network are receiving IP address autoconfiguration except the clients on a new subnet set up with a new router at a branch office. What is the most likely reason?
A. The administrator reconfigured the DHCP server
B. The DHCP server is offline
C. There are no IP addresses available
D. The router doesn’t support BOOTP forwarding
D
The router on that subnet doesn’t support BOOTP forwarding so DHCP traffic cannot get through to the clients.
If the administrator reconfigured the DHCP server, all the clients would gradually get reconfigured, but in this case, only clients on one subnet are not receiving IP configurations.
If the DHCP server is offline, users will continue to connect to the network for a period and then start to lose connection as they try to renew a lease, but in this case, only clients on one subnet cannot connect.
IP Address Management (IPAM) software suites track address usage across DHCP, but if the server were out of addresses, all clients would lose connection as they tried to renew their leases.
Which service maps ports and documents the mappings for new web server connections, then substitutes the private IP address for a public IP address before sending the request to the public Internet? (Select all that apply.)
A. Static NAT
B. Dynamic NAT
C. PAT
D. NAPT
C, D
PAT (port address translation), also known as NAPT, allocates each connection a port mapping in its state table, then substitutes the private IP for the public IP and forwards the request to the public Internet.
Network Address Port Translation (NAPT), also known as PAT, allocates each connection a port mapping in its state table, then substitutes the private IP for the public IP and forwards the request to the public Internet.
In a basic static NAT (network address translation) configuration, a simple 1:1 mapping connects the private network address and the public address.
In dynamic NAT, the NAT device exposes a pool of public IP addresses and builds a table of the public to private address mappings that it releases when the sessions end.
An administrator is configuring a new network from the ground up. Which servers would the administrator configure as bastion hosts? (Select all that apply.)
A. Proxy servers
B. Active Directory servers
C. Web servers
D. File servers
A, C
Bastion servers are hosts in the perimeter and are not fully trusted. Proxy servers are bastion servers because they take internal requests and transmit them to the Internet to protect the internal host.
The administrator will configure servers that provide public access services, such as web servers, in a perimeter network. These are bastion servers.
Active Directory servers are not bastion servers. Administrators would protect these servers on the internal network behind firewalls.
File servers are not bastion servers. Administrators would protect these servers on the internal network behind firewalls.
A user is attempting to access a government network, but the network will not allow the user’s device to connect until the user updates the operating system. What kind of defense mechanism is this?
A. Defense in depth
B. Honeypot
C. Separation of duties
D. Network access control
D
Network Access Control (NAC) is a system for authenticating endpoints at the point they connect to the network and can ensure that clients are running an authorized OS and have up-to-date patches and security scanner configurations.
Defense in depth refers to placing security controls throughout the network, so that the network authenticates, authorizes, and audits all access attempts.
A honeypot is a computer system set up to attract attackers, intending to analyze attack strategies and tools and to divert attention from actual computer systems.
Separation of duties is a means of establishing checks and balances against the possibility that insider threats can compromise critical systems or procedures.
An administrator has plugged in a new security camera, but when accessing the camera’s web management interface, the administrator encounters a self-signed certificate error. What should the administrator do?
A. Add an exception for the certificate
B. Have the service owner update the certificate
C. Synchronize the time between the client and server
D. Replace the default certificate
D
On a self-signed certificate, the holder is both the issuer and the subject of the certificate. The administrator should replace the default certificate with one trusted by the enterprise.
The administrator should not add an exception for the certificate unless it is a special circumstance and the administrator is sure that threat actors have not tampered with the appliance.
The service owner should obtain a correctly formatted certificate if the owner is using the wrong type of certificate.
If the time synchronization does not match between the server and client, this can cause certificate errors, but it would not specify that the error was with a self-signed certificate.