Chapter 10

Question 1

Proxy servers and ACLs on network devices are examples of non-security devices with security features, while firewalls and IDS/IPS systems are the network’s specialized security devices.

T/F

Answer 1

T

Question 2

A stateless firewall inspects each incoming packet to determine whether it belongs to a currently active connection.

T/F

Answer 2

F

Question 3

The Spanning Tree Protocol operates at the Network layer of the OSI model.

T/F

Answer 3

F

Question 4

The storm-control command is a type of flood guard that is available on most major network switch vendor platforms.

T/F

Answer 4

T

Question 5

User access to network resources falls into one of these two categories: 1) the privilege or right to execute, install, and uninstall software, and 2) permission to read, modify, create, or delete data files and folders.

T/F

Answer 5

T

Question 6

Of the three methods of access control (RBAC, DAC, and MAC), RBAC is the least secure of the options.

T/F

Answer 6

F

Question 7

By default, Active Directory is configured to use the Kerberos protocol, but can be configured to use LDAP or a combination of LDAP and Kerberos.

T/F

Answer 7

T

Question 8

When utilizing Kerberos, an access granting ticket is the same as a key.

T/F

Answer 8

F

Question 9

The supplicant is an EAP entity responsible for requesting authentication, such as a smartphone or laptop.

T/F

Answer 9

T

Question 10

The PEAP standard creates an encrypted TLS tunnel between the supplicant and the server before proceeding with the usual EAP process.

T/F

Answer 10

T

Question 11

Which of the following is an example of proxy server software?

Squid

BIND

Snort

Apache

Answer 11

Squid

Question 12

What is NOT a variable that an network access control list can filter traffic with?

The Network layer protocol used for the packet.

The Transport layer protocol used for the packet.

The source or destination TCP/UDP port number in the packet.

The operating system used by the source or destination device.

Answer 12

The operating system used by the source or destination device.

Question 13

In ACL statements, using the “any” keyword is equivalent to using a wildcard mask of what value?

0.0.0.0

255.255.255.255

255.255.0.0

0.0.255.255

Answer 13

255.255.255.255

Question 14

What kind of firewall can block designated types of traffic based on application data contained within packets?

stateful firewall

stateless firewall

content-filtering firewall

packet-filtering firewall

Answer 14

content-filtering firewall

Question 15

On a Linux system, which command allows you to modify settings used by the built-in packet filtering firewall?

ipf

modfire

iptables

netwall

Answer 15

iptables

Question 16

What is a SIEM (Security Information and Event Management) system utilized for?

It is an advanced intrusion protection system with a GUI-frontend.

It is a system used to evaluate data from security devices and generate alerts.

It is an intellectual property protection software that prevents data links, and generates alerts.

It is a system that monitors security device hardware availability.

Answer 16

It is a system used to evaluate data from security devices and generate alerts.

Question 17

When using Spanning Tree Protocol, what is the first step in selecting paths through a network?

STP must first select the root bridge, or master bridge.

STP examines the possible paths between all other bridges.

STP disables links that are not part of a shortest path.

STP begins to block BPDUs on non-designated ports.

Answer 17

STP must first select the root bridge, or master bridge.

Question 18

In order to prevent ports that are serving network hosts from being considered as best paths, what should be enabled to block BPDUs?

BPDU filter

BPDU guard

root guard

BPDU drop

Answer 18

BPDU guard

Question 19

Which protocol designed to replace STP operates at Layer 3 of the OSI model?

Rapid Spanning Tree Protocol (RSTP)

Transparent Interconnection of Lots of Links (TRILL)

Shortest Path Bridging (SPB)

Multiple Spanning Tree Protocol (MSTP)

Answer 19

Shortest Path Bridging (SPB)

Question 20

You have been tasked with the configuration of a Juniper switch, and have been told to restrict the number of MAC addresses allowed in the MAC address table. What command should you use?

set max-mac

set total-macs

mac-address limit

mac-limit

Answer 20

mac-limit

Question 21

Enforcing a virtual security perimeter using a client’s geographic location is known by what term?

geohashing

geofencing

geolocating

geolocking

Answer 21

geofencing

Question 22

When using Kerberos, what is the purpose of a ticket?

It is the name for a Kerberos client or user.

It is a key used by the client to gain access to services that are protected by the key on the network.

It is a temporary set of credentials that a client uses to prove to other servers that its identity has been validated.

It is the event that is generated when auditing a resource and unauthorized access is attempted.

Answer 22

It is a temporary set of credentials that a client uses to prove to other servers that its identity has been validated.

Question 23

Which legacy authentication protocol requires mutual authentication?

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Microsoft Challenge Handshake Authentication Protocol, version 2 (MS-CHAPv2)

Answer 23

Microsoft Challenge Handshake Authentication Protocol, version 2 (MS-CHAPv2)

Question 24

By far the most popular AAA service, what open-source service runs in the Application layer and can use UDP or TCP in the Transport layer?

Google Authenticator

RADIUS

TACACS+

Kerberos

Answer 24

RADIUS

Question 25

Which adaptation of EAP utilizes EAP-MSCHAPv2 inside of an encrypted TLS tunnel?

EAP-TLS

Protected EAP (PEAP)

EAP-FAST

LEAP

Answer 25

Protected EAP (PEAP)

Question 26

What IEEE standard includes an encryption key generation and management scheme known as TKIP?

802.11i

802.11h

802.1X

802.11j

Answer 26

802.11i

Question 27

What descendant of the Spanning Tree Protocol is defined by the IEEE 802.1W standard, and can detect as well as correct for link failures in milliseconds?

Transparent Interconnection of Lots of Links (TRILL)

Shortest Path Bridging (SPB)

Rapid Spanning Tree Protocol (RSTP)

Multiple Spanning Tree Protocol (MSTP)

Answer 27

Rapid Spanning Tree Protocol (RSTP)

Question 28

You have been asked by your superior to configure all Cisco network switches to allow only acceptable MAC addresses through switch access ports. How is this accomplished?

Use the switchport port-security command to enable MAC filtering.

Use the mac-limit command to prevent more than one MAC from being accepted.

Use the allowed-mac command to filter by MAC address.

Use the secure port mac-address command to limit the port to learned addresses only.

Answer 28

Use the switchport port-security command to enable MAC filtering.

Question 29

What aspect of AAA is responsible for determining what a user can and cannot do with network resources?

authentication

authorization

accounting

accessibility

Answer 29

authorization

Question 30

What statement regarding role-based access control is accurate?

RBAC allows a network administrator to base privileges and permissions around a detailed description of a user’s roles or jobs.

RBAC allows users to decide for themselves who has access to that user’s resources.

RBAC organizes resources into hierarchical classifications, such as “confidential” or “top secret”.

RBAC is the most restrictive method of access control.

Answer 30

RBAC allows a network administrator to base privileges and permissions around a detailed description of a user’s roles or jobs.

Question 31

Which encryption standard was originally utilized with WPA’s TKIP?

Advanced Encryption Standard (AES)

Rivest Cipher 4 (RC4)

Blowfish

Data Encryption Standard (DES)

Answer 31

Rivest Cipher 4 (RC4)

Question 32

The Wired Equivalent Privacy standard had what significant disadvantage?

It did not allow the use of a password for access to the network.

It provided no encryption for traffic sent over the air.

It used a shared encryption key for all clients, and the key might never change.

It only encrypted the initial connection authentication, but did not encrypt subsequent traffic.

Answer 32

It used a shared encryption key for all clients, and the key might never change.

Question 33

In Open System Authentication, how does authentication occur?

The client sends a pre-shared key along with the access point’s SSID.

The client requests an encrypted tunnel, after which, the client’s MAC serves as the authentication.

The access point forces the client to authenticate via a captive portal, after which all communication is encrypted.

The client “authenticates” using only the SSID name. In other words, no real authentication occurs.

Answer 33

The client “authenticates” using only the SSID name. In other words, no real authentication occurs.

Question 34

The Group Policy utility can be opened by typing what name into a Run box?

secpol.msc

gpedit.msc

grouppol.msc

grppol.msc

Answer 34

gpedit.msc

Question 35

When using Spanning Tree Protocol, which port on non-root bridges can forward traffic toward the root bridge?

Only one root port, which is the bridge’s port that is closest to the root bridge, can forward.

Only one root port, which is the bridge’s port that is furthest from the root bridge, can forward.

All ports can forward frames to the root bridge, provided they are not in a down state.

All ports will forward frames to the root bridge, unless a BPDU is received back on that same port.

Answer 35

Only one root port, which is the bridge’s port that is closest to the root bridge, can forward.

Question 36

Which of the following terms is used to describe the configuration of a port to copy all traffic passing through the switch to the device at the other end of the port?

port supertrunking

port mirroring

port shadowing

port lurking

Answer 36

port mirroring

Question 37

In regards to the use of local authentication, what statement is accurate?

Local authentication provides the most security.

Local authentication is scalable for large networks.

Local authentication is network and server failure tolerant.

Local authentication does not allow for strong enough passwords.

Answer 37

Local authentication is network and server failure tolerant.

Question 38

What scenario might be ideal for the use of root guard in configuring a switch?

You wish to block BPDUs on an access port serving network hosts.

You wish to disable STP on a port connected to a partnered company’s switch.

You wish to prevent switches beyond a certain port from becoming the root bridge, but still wish to use STP.

You wish to prevent a rogue switch or computer from hijacking the network’s STP paths.

Answer 38

You wish to prevent switches beyond a certain port from becoming the root bridge, but still wish to use STP.

Question 39

When using a host-based intrusion detection system, what additional feature might be available to alert the system of any changes made to files that shouldn’t change?

file integrity monitoring (FIM)

file change management (FCM)

file access auditing (FAA)

file checksum watching (FCW)

Answer 39

file integrity monitoring (FIM)

Question 40

What statement correctly describes a stateless firewall?

A stateless firewall manages each incoming packet as a stand-alone entity, without regard to currently active connections.

A stateless firewall inspects each incoming packet to determine whether it belongs to a currently active connection.

A stateless firewall blocks designated types of traffic based on application data contained within packets.

A stateless firewall filters packets based on source and destination IP addresses.

Answer 40

A stateless firewall manages each incoming packet as a stand-alone entity, without regard to currently active connections.