CH11 Network Design Flashcards

1
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could potentially contain some vulnerabilities that could weaken the security posture of the network. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

a. Scan the laptops for vulnerabilities and patch them
b. Increase the encryption level of VPN used by the laptops
c. Implement a jumpbox system
d. Request 2FA (two-factor authentication) on the laptops

A

c. Implement a jumpbox system

A jumpbox is a system on a network used to access and manage devices in a separate security zone. Forcing the supplier's laptops to go through it segments them from the rest of the network and minimizes the risk. A jumpbox is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them; because every session passes through it, access can be logged and restricted to the specific hosts and ports the supplier actually needs.

While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose, since Victor cannot enforce those configurations on a supplier-provided laptop.

2
Q

An analyst is reviewing the configuration of a triple-homed firewall that connects to the internet, a private network, and one other network. Which of the following would best describe the third network connected to this firewall?

a. DMZ
b. Subnet
c. NIDS
d. GPO

A

a. DMZ

A triple-homed firewall connects to three networks: internal (private), external (internet/public), and the demilitarized zone (DMZ). The DMZ hosts systems that must be reachable from external hosts, such as public web or mail servers. Placing them on their own firewall interface means a compromise of an internet-facing host does not give the attacker a direct path into the internal network, because DMZ-to-internal traffic is filtered by a separate, tightly scoped rule set.
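The following zone policy is an added example, not part of the flashcards or of any Dion Training material, written to show the two designs in cards 1 and 2 as firewall rules: a triple-homed firewall whose internet interface can only reach the DMZ, a single DMZ-to-internal pinhole, and a supplier segment whose only way in is SSH to a jump host. The address plan (192.0.2.0/24 for the DMZ, 10.10.0.0/16 internal, 10.200.0.0/24 for the supplier VLAN), the jump host and database addresses, and the ports are constructed for illustration.

```python
"""Zone policy for a triple-homed firewall plus a supplier jump host
(added example, not from the flashcards). Address plan, hosts and ports are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List

# Constructed address plan (assumption). Specific zones first; anything else is "internet".
ZONES = [
    ("dmz", ip_network("192.0.2.0/24")),        # firewall interface 2
    ("internal", ip_network("10.10.0.0/16")),   # firewall interface 3
    ("supplier", ip_network("10.200.0.0/24")),  # VLAN the supplier laptops land on
]
JUMP_HOST = ip_address("10.10.0.10")   # hardened, logged SSH bastion inside "internal"
DB_HOST = ip_address("10.10.5.20")     # the one backend the DMZ web tier may talk to


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                               # "allow" or "deny"
    dst_ports: FrozenSet[int] = frozenset()   # empty: any port
    dst_hosts: FrozenSet = frozenset()        # empty: any host in dst_zone

    def matches(self, sz, dz, dst_ip, dst_port) -> bool:
        return (self.src_zone == sz and self.dst_zone == dz
                and (not self.dst_ports or dst_port in self.dst_ports)
                and (not self.dst_hosts or dst_ip in self.dst_hosts))


# First match wins; anything unmatched falls through to the implicit deny.
POLICY: List[Rule] = [
    # Triple-homed firewall: the only thing the internet may reach is the DMZ web tier.
    Rule("internet", "dmz", "allow", frozenset({80, 443})),
    # DMZ hosts get one pinhole to one internal backend, nothing else.
    Rule("dmz", "internal", "allow", frozenset({5432}), frozenset({DB_HOST})),
    # Supplier laptops may SSH to the jump host only; everything else internal is denied,
    # so a vulnerable laptop cannot scan or pivot into the rest of the network.
    Rule("supplier", "internal", "allow", frozenset({22}), frozenset({JUMP_HOST})),
    Rule("supplier", "internal", "deny"),
    Rule("supplier", "dmz", "deny"),
    # Internal users reach the DMZ and the internet but never the supplier segment.
    Rule("internal", "dmz", "allow"),
    Rule("internal", "internet", "allow"),
    Rule("internal", "supplier", "deny"),
]


def evaluate(src: str, dst: str, dst_port: int) -> str:
    """Return "allow" or "deny" for a flow crossing the firewall."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow"   # same-zone traffic does not transit the firewall
    dst_ip = ip_address(dst)
    for rule in POLICY:
        if rule.matches(sz, dz, dst_ip, dst_port):
            return rule.action
    return "deny"        # implicit deny


def segmentation_report() -> dict:
    """Flows a practitioner would verify after deploying the design (constructed)."""
    flows = {
        "internet->dmz https": ("203.0.113.5", "192.0.2.10", 443),
        "internet->internal db": ("203.0.113.5", "10.10.5.20", 5432),
        "dmz->internal db": ("192.0.2.10", "10.10.5.20", 5432),
        "dmz->internal ssh": ("192.0.2.10", "10.10.5.20", 22),
        "supplier->jumphost ssh": ("10.200.0.7", "10.10.0.10", 22),
        "supplier->db direct": ("10.200.0.7", "10.10.5.20", 5432),
        "supplier->dmz web": ("10.200.0.7", "192.0.2.10", 443),
        "internal->supplier smb": ("10.10.5.20", "10.200.0.7", 445),
    }
    return {name: evaluate(*flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in segmentation_report().items():
        print(f"{name:26} {verdict}")
```

The report is the check worth running on the real firewall as well: the supplier laptop reaching the jump host on 22 must be the only "allow" from that segment, and the internet-to-internal and DMZ-to-internal-on-other-ports flows must stay denied even though the DMZ has a legitimate database pinhole.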

3
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should be able to obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same Ethernet port in the conference room, they should be able to access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

a. Create an ACL to allow access
b. Configure a SIEM
c. MAC filtering
d. Implement NAC

A

d. Implement NAC

Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.

4
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

a. MAC filtering
b. Create an ACL to allow access
c. Configure a SIEM
d. Implement NAC

A

d. Implement NAC

OBJ-3.3: Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes how to secure access to network nodes whenever a device initially attempts to access the network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do. In this scenario, implementing NAC can identify which machines are known and trusted Dion Training assets and provide them with access to the secure internal network. NAC can also identify unknown machines (assumed to be those of CompTIA employees) and give them direct internet access only, by placing them on a guest network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by itself control which set of network resources can be reached from a single Ethernet port, and a MAC address is trivially spoofed. A security information and event management (SIEM) system provides real-time analysis of security alerts generated by applications and network hardware; it observes, it does not admit or deny. An access control list could define which ports, protocols, or IP addresses may be used from the Ethernet port, but it cannot distinguish a Dion Training employee's laptop from a CompTIA employee's laptop the way a NAC implementation can.
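The decision logic below is an added example, not part of the flashcards or of any Dion Training material, illustrating the NAC behaviour described in cards 3 and 4: a trusted, compliant asset lands on the internal VLAN, a trusted but non-compliant asset is quarantined for remediation, and an unknown device (the CompTIA visitor) gets a guest VLAN with an internet-only ACL. It also shows why MAC filtering alone is the wrong answer: the same spoofed MAC is admitted by the allow-list but still lands on the guest VLAN under NAC. The certificate subject, MAC addresses, VLAN numbers and posture attributes are constructed for illustration.

```python
"""NAC decision logic for a shared conference-room port (added example, not
from the flashcards). Models 802.1X/EAP-TLS authentication with a MAB fallback,
a posture check, and the resulting VLAN/ACL assignment. Identities, MACs and
VLAN numbers are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed inventory (assumption): corporate assets are recognised by the
# machine certificate their supplicant presents, not by MAC address alone.
CORP_CERT_SUBJECTS = {"CN=dt-laptop-0142.corp.diontraining.example"}
KNOWN_CORP_MACS = {"00:1a:2b:3c:4d:5e"}   # all a MAC-filter-only design can go on

VLAN_INTERNAL, VLAN_REMEDIATION, VLAN_GUEST = 10, 99, 200


@dataclass(frozen=True)
class Endpoint:
    mac: str
    cert_subject: Optional[str] = None   # None: no EAP-TLS credential offered
    cert_valid: bool = False             # chain and revocation check passed
    av_current: bool = False             # posture attributes reported by the agent
    disk_encrypted: bool = False


@dataclass(frozen=True)
class Decision:
    vlan: int
    acl: str
    reason: str


def posture_ok(ep: Endpoint) -> bool:
    """Pre-admission health check; extend with patch level, EDR state, and so on."""
    return ep.av_current and ep.disk_encrypted


def nac_decide(ep: Endpoint) -> Decision:
    """Pre-admission: who is this and is it compliant? Post-admission: VLAN + ACL."""
    if ep.cert_subject in CORP_CERT_SUBJECTS and ep.cert_valid:
        if posture_ok(ep):
            return Decision(VLAN_INTERNAL, "permit-internal", "trusted asset, compliant")
        # Known asset that failed posture: quarantine where only patch/AV servers are reachable.
        return Decision(VLAN_REMEDIATION, "remediation-only", "trusted asset, posture failed")
    # No usable corporate credential: MAB fallback. The claimed MAC earns nothing beyond
    # guest placement, so a visitor (or a spoofed corporate MAC) gets internet only.
    return Decision(VLAN_GUEST, "internet-only", "unknown device")


def mac_filter_decide(ep: Endpoint) -> Decision:
    """Contrast: MAC allow-listing alone admits anything that presents a listed MAC."""
    if ep.mac.lower() in KNOWN_CORP_MACS:
        return Decision(VLAN_INTERNAL, "permit-internal", "MAC on allow-list")
    return Decision(VLAN_GUEST, "internet-only", "MAC not on allow-list")


def internet_only_acl_permits(dst: str) -> bool:
    """Post-admission ACL on the guest VLAN: public addresses only, so the visitor can
    reach their VPN concentrator but not RFC 1918 space or anything else internal."""
    return ip_address(dst).is_global


def demo() -> dict:
    """Scenarios from the card, plus a spoofed-MAC case that MAC filtering gets wrong."""
    dion = Endpoint("00:1a:2b:3c:4d:5e", "CN=dt-laptop-0142.corp.diontraining.example",
                    cert_valid=True, av_current=True, disk_encrypted=True)
    stale = Endpoint("00:1a:2b:3c:4d:5e", "CN=dt-laptop-0142.corp.diontraining.example",
                     cert_valid=True, av_current=False, disk_encrypted=True)
    visitor = Endpoint("aa:bb:cc:dd:ee:ff")    # CompTIA laptop, no corporate certificate
    spoofed = Endpoint("00:1a:2b:3c:4d:5e")    # visitor cloning a corporate MAC
    return {
        "dion_compliant": nac_decide(dion),
        "dion_stale_av": nac_decide(stale),
        "visitor": nac_decide(visitor),
        "spoofed_mac_nac": nac_decide(spoofed),
        "spoofed_mac_macfilter": mac_filter_decide(spoofed),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:22} VLAN {d.vlan:>3}  acl={d.acl:17} {d.reason}")
```

The identity decision is deliberately made on the certificate, not the MAC: the MAC is what the switch sees on the wire and anyone can set it, whereas the private key behind an EAP-TLS certificate stays on the managed laptop. The guest ACL is the post-admission half of the card: a VPN to CompTIA works because the concentrator has a public address, while every RFC 1918 destination is dropped.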

5
Q

A supplier needs to connect several laptops to an organization’s network as part of their service agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity analyst for the organization, is concerned that these laptops could contain some vulnerabilities that could weaken the network’s security posture. What can Victor do to mitigate the risk to other devices on the network without having direct administrative access to the supplier’s laptops?

a. Scan the laptops for vulnerabilities and patch them
b. Increase the encryption level of VPN used by the laptops
c. Implement a jumpbox system
d. Require 2FA (two-factor authentication) on the laptop

A

c. Implement a jumpbox system

OBJ-3.3: A jumpbox is a system on a network used to access and manage devices in a separate security zone. This would create network segmentation between the supplier’s laptops and the rest of the network to minimize the risk. A jump-box system is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. While the other options listed are all good security practices, they do not fully mitigate the risk that insecure systems pose since Victor cannot enforce these configurations on a supplier-provided laptop. Instead, he must find a method of segmenting the laptops from the rest of the network, either physically, logically, using an air gap, or using a jumpbox.
