Chapter 13 - Authentication and Access Control Flashcards

1
Q

The following are the tunneling protocols covered in this chapter:

Virtual Private Network (VPN)
Secure Sockets Layer (SSL)
Secure Sockets Layer Virtual Private Network (SSL VPN)
Datagram Transport Layer Security (DTLS)
Layer 2 Tunneling Protocol (L2TP)
Point-to-Point Tunneling Protocol (PPTP)
Generic Routing Encapsulation (GRE)
Internet Protocol Security (IPSec)
Internet Security Association and Key Management Protocol (ISAKMP)

A

VPN topologies:

Client-to-Site (Remote-Access) VPNs
Host-to-Host VPNs
Site-to-Site VPNs

2
Q

Datagram Transport Layer Security (DTLS) provides security for datagram-based applications by allowing them to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. It is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees.

A

L2TP is actually a combination of Microsoft’s Point-to-Point Tunneling Protocol (PPTP) and Cisco’s Layer 2 Forwarding (L2F) technologies. A nice L2TP feature is that, because it works way down there at the Data Link layer (Layer 2) of the OSI model, it can support tons of protocols beyond just TCP/IP—a couple of biggies being Internetwork Packet Exchange (IPX) and AppleTalk.

3
Q

PPTP acts by combining an unsecured Point-to-Point Protocol (PPP) session with a secured session using the Generic Routing Encapsulation (GRE) protocol.

A

Because PPTP uses two different protocols, it actually opens up two different network sessions: so be warned, PPTP can give you some grief when passing through a router. This is a big reason you won’t find it around much nowadays. Another

4
Q

In fact, as you’d probably expect from a first-generation security protocol, it’s now really vulnerable to spoofing attacks, which is why it’s pretty much been replaced by L2TP and IPSec. (PPTP)

A

PPTP is a VPN protocol that uses TCP port 1723 for its control connection and allows encryption to be done at the Application (data) level. It is important to remember for the CompTIA Network+ exam that PPTP is a protocol that allows secure access to a VPN.

5
Q

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate many protocols inside IP tunnels. Some examples would be routing protocols such as EIGRP and OSPF and the routed protocol IPv6. Figure 13.5 shows GRE.

A

IP Security (IPSec) was designed by the IETF for providing authentication and encryption over the Internet. It works at the Network layer of the OSI model (Layer 3) and secures all applications that operate in the layers above it.

6
Q

The two major protocols you’ll find working in IPSec are Authentication Header (AH) and Encapsulating Security Payload (ESP) .

A

AH serves up authentication services only—no encryption—but ESP provides both authentication and encryption abilities.

7
Q

The AH protocol within IPSec isn't compatible with networks running Network Address Translation (NAT): AH's integrity check covers the IP header, including the source and destination addresses, so when a NAT device rewrites an address the check fails at the receiver.

A

IPSec works in two modes: transport mode and tunnel mode. Transport mode protects the payload of an IP packet between two hosts end to end, leaving the original IP header in place; tunnel mode encapsulates the entire original packet inside a new IP packet, which is how site-to-site VPNs between gateways are built.
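The point behind cards 6 and 7, shown as an added example that is not part of the Network+ text: AH's integrity check covers the IP header, so a NAT rewrite of the source address breaks it, while a plain router hop (TTL decrement, a mutable field) does not, and ESP's check never covers the outer header at all. The addresses, key and payload are constructed, and the ICV is a truncated HMAC-SHA256 standing in for whatever authenticator a real SA negotiates (RFC 4302/4303).

```python
"""Added example: why IPsec AH fails behind NAT while ESP survives it.

AH computes its Integrity Check Value over the IP header as well as the
payload (mutable fields such as TTL and checksum are zeroed first), so a NAT
gateway that rewrites the source address invalidates it.  ESP's ICV covers
only the ESP header, payload and trailer, never the outer IP header.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-integrity-key"  # assumption: the SA's integrity key
AH, ESP = 51, 50                           # IP protocol numbers


def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero for simplicity."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(hdr: bytes) -> bytes:
    """AH treats fields a router may legitimately change as zero before
    hashing: TOS/DSCP, flags+fragment offset, TTL and header checksum.
    Source and destination addresses are NOT on that list."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data: bytes) -> bytes:
    """Stand-in authenticator: HMAC-SHA256 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH authenticates the immutable IP header fields plus everything after."""
    return icv(zero_mutable_fields(ip_hdr) + payload)


def esp_icv(esp_packet: bytes) -> bytes:
    """ESP authenticates only its own header, payload and trailer."""
    return icv(esp_packet)


def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT gateway does on the way out: new source address, TTL-1."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)


def router_hop(ip_hdr: bytes) -> bytes:
    """A plain router only decrements TTL, which AH treats as mutable."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)


def demo() -> dict:
    """Sign once at the sender, verify after each kind of middlebox."""
    payload = b"constructed TCP segment"
    esp_packet = struct.pack("!II", 0x1001, 7) + payload   # SPI, sequence, data
    orig = ipv4_header("10.1.1.5", "203.0.113.10", 64, AH, 20 + 24 + len(payload))
    ah_tag, esp_tag = ah_icv(orig, payload), esp_icv(esp_packet)

    after_router = router_hop(orig)
    after_nat = nat_rewrite(orig, "198.51.100.1")
    return {
        "ah_after_plain_router": hmac.compare_digest(ah_icv(after_router, payload), ah_tag),
        "ah_after_nat": hmac.compare_digest(ah_icv(after_nat, payload), ah_tag),
        # the ESP packet inside the rewritten IP header is untouched by NAT
        "esp_after_nat": hmac.compare_digest(esp_icv(esp_packet), esp_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'verifies' if ok else 'FAILS'}")
```

The same property is why ESP, combined with UDP encapsulation (NAT traversal), is what real-world remote-access IPSec deployments use; AH is essentially confined to networks with no address translation on the path.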

8
Q

Until 1998, only software with 40-bit strength or less could be exported, but today, the bar has been raised to 64-bit strength. And by the way, exporting any software with a key length greater than 64 bits is subject to review by the Export Administration Regulations (EAR) required by the U.S. Department of Commerce’s Bureau of Industry and Security.

A

Point-to-Point Protocol over Ethernet (PPPoE) is an extension of PPP. Its purpose is to encapsulate PPP frames within Ethernet frames.

9
Q

Out-of-band management refers to any method of managing the server that does not use the production network. An example of this technology is Integrated Lights-Out, or iLO, a technology embedded into HP servers that allows for out-of-band management of the server.

A

HP iLO functions out of the box without additional software installation, regardless of the server's state of operation, giving you complete access to the server from any location via a web browser or the iLO Mobile App.

10
Q

Sometimes people don’t use their real email addresses. If you really want to know where a user is located on the Internet, use third-party software to verify IP addresses and Internet domain names.

A

The default administrative account on Windows servers is (surprise) Administrator, and on Unix it's root.

11
Q

An X.509 certificate contains the following fields:

Version
Serial Number
Algorithm ID
Issuer
Validity
Subject
Subject Public Key Info
    Public Key Algorithm
    Subject Public Key
Issuer Unique Identifier (optional)
Subject Unique Identifier (optional)

A

Digital certificate classes:

Class 1: For individuals and intended for email. These certificates get saved by web browsers.
Class 2: For organizations that must provide proof of identity.
Class 3: For servers and software signing, in which independent verification and identity and authority checking is done by the issuing CA.

12
Q

Nonpersistent or dissolvable NAC agents may help to make what possible?

A. BYOD initiative
B. Edge control
C. Unified voice services
D. Host-based IDS

A
A. A nonpersistent (dissolvable) agent is one that is used to assess the device only during the one-time check-in at login. It can be used to support the assessment of endpoints not owned by the organization and as such can help to make a Bring Your Own Device (BYOD) policy possible.
13
Q

What is the main difference between a private network and a public network?

A. In a private network, everyone has access; in a public network, only authorized users have access.
B. There is no difference; in both a private and public network, only authorized users have access.
C. In a private network, only authorized users have access; in a public network, everyone that is connected has access.
D. In a private network, everyone has access; in a public network, only the first 100 people have access.

A
C. On a private network, only authorized users have access to the data, whereas in a public network, everyone connected has access to the data.
14
Q

You have a remote user who can connect to the Internet but not to the office via their VPN client. After determining the problem, which should be your next step?

A. Have the client reboot their host.
B. Make sure the user has the correct VPN address and password.
C. Have the client reinstall their VPN software.
D. Reboot the router at the corporate office.

A
B. After determining that the user has Internet access, your next step would be to verify the VPN address and password.
15
Q

Which IP address should you deny into your internetwork?

A. 126.10.10.0/8
B. 168.0.0.0/8
C. 128.0.0.0/8
D. 127.0.0.0/8

A
D. To have good security on your network, deny inbound packets whose source address belongs to one of your own internal prefixes (a sign of spoofing), any loopback address (127.0.0.0/8), any reserved private address (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and any address in the IP multicast range (224.0.0.0/4). Options A, B and C are ordinary public address space and should be permitted.
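The ingress filter the answer describes, as an added example that is not part of the Network+ text, applied to constructed packet records from an Internet-facing interface. The internal prefix 203.0.113.0/24 is an assumption standing in for your own public block; link-local 169.254.0.0/16 and 0.0.0.0/8 are included here as common extensions beyond the four ranges the answer lists.

```python
"""Added example: drop inbound packets whose SOURCE address can never
legitimately originate outside the network (bogon / anti-spoofing filter)."""
import ipaddress
from typing import List, Optional, Tuple

# assumption: the organisation's own public prefix(es); a packet arriving
# from the Internet claiming one of these as its source is spoofed
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

DENY_SOURCES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    # extensions beyond the card's list, commonly added in practice
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("this-network", ipaddress.ip_network("0.0.0.0/8")),
]


def deny_reason(src: str) -> Optional[str]:
    """Return why an inbound packet with this source must be dropped, or None."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in INTERNAL_PREFIXES):
        return "spoofed-internal"
    for reason, net in DENY_SOURCES:
        if addr in net:
            return reason
    return None


def filter_ingress(records: List[str]) -> List[Tuple[str, str]]:
    """records: constructed 'src=A.B.C.D dst=... proto=...' lines seen on the
    edge interface.  Returns (src, verdict) for each record."""
    verdicts = []
    for rec in records:
        fields = dict(kv.split("=", 1) for kv in rec.split())
        reason = deny_reason(fields["src"])
        verdicts.append((fields["src"], f"deny:{reason}" if reason else "permit"))
    return verdicts


SAMPLE = [  # constructed records, not a real capture
    "src=203.0.113.7 dst=203.0.113.20 proto=tcp",   # our own prefix, from outside
    "src=127.0.0.1 dst=203.0.113.20 proto=tcp",
    "src=192.168.1.10 dst=203.0.113.20 proto=udp",
    "src=224.0.0.5 dst=203.0.113.20 proto=ospf",
    "src=128.0.0.1 dst=203.0.113.20 proto=tcp",      # public, permitted
    "src=126.10.10.1 dst=203.0.113.20 proto=tcp",    # public, permitted
]

if __name__ == "__main__":
    for src, verdict in filter_ingress(SAMPLE):
        print(f"{src:16} {verdict}")
```

The same list, written as deny entries at the top of the edge ACL, is what the exam question is really asking about; the code makes the classification explicit and shows that the distractor options (126.x and 128.x) pass.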
16
Q

Which of the following is a tunneling protocol?

A. Layer 2 Tunneling Protocol (L2TP)
B. Internet Protocol Security (IPSec)
C. Secure Sockets Layer (SSL)
D. All of the above

A
D. Tunneling is encapsulating one protocol within another protocol to complete a secure transmission. Options A, B, and C are all tunneling protocols you should be aware of, as well as Secure Sockets Layer Virtual Private Network (SSL VPN) and Point-to-Point Tunneling Protocol (PPTP).
17
Q

Which tunneling protocol is based on RSA public-key encryption?

A. SSL
B. L2TP
C. IPSec
D. SSL VPN

A
A. SSL is based on RSA public-key encryption and is used to provide secure Session layer connections over the Internet between a web browser and a web server.
18
Q

What is the minimum number of characters you should use when creating a secure password?

A. 6
B. 7
C. 8
D. 15

A
C. The minimum length should be 8 characters, and the exam text gives 15 characters as the maximum. A strong password is a combination of alphanumeric and special characters that is easy for you to remember but difficult for someone else to guess. (Treat 8 as a floor rather than 15 as a ceiling: current guidance such as NIST SP 800-63B tells verifiers to accept passphrases of at least 64 characters.)
19
Q

In which layer of the OSI model does IPSec operate?

A. Physical
B. Network
C. Transport
D. Application

A
B. IPSec works at the Network layer of the OSI model (Layer 3) and secures all applications that operate above it (Layer 4 and above). Additionally, because it was designed by the IETF and designed to work with IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the Internet.
20
Q

Which protocol works in both the transport mode and tunneling mode?

A. SSL
B. L2TP
C. PPTP
D. IPSec

A
D. IPSec works in both transport mode and tunnel mode. In transport mode, a secure IP connection between two hosts is created. Data is protected by authentication or encryption (or both). Tunnel mode is used between network endpoints to protect all data going through the tunnel.
21
Q

Companies that want to ensure that their data is secure during transit should use which of the following?

A. Firewalls
B. Encryption
C. Data accounting
D. Routing table

A
B. Companies that want to ensure that their data is secure during transit should encrypt their data before transmission. Encryption is the process that encodes and decodes data.
22
Q

Which network utilities do not have the ability to encrypt passwords? (Select two.)

A. FTP
B. SSH
C. Telnet
D. SCP

A
A, C. Some older network utilities such as FTP and Telnet don't have the ability to encrypt passwords.
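What that answer means on the wire, as an added example that is not part of the Network+ text: detection logic that walks packet records (flow tuple plus decoded TCP payload) and reports FTP logins, whose USER/PASS commands cross tcp/21 in the clear, and any Telnet session on tcp/23, where the typed password is readable by anyone on the path. SSH and SCP traffic on tcp/22 produces no finding because its payload is encrypted. The records below are constructed, not a real capture.

```python
"""Added example: flag cleartext credentials from FTP and Telnet in packet records."""
from typing import Dict, List, Tuple

Record = Tuple[str, str, int, bytes]   # (src, dst, dst_port, tcp_payload)


def detect_cleartext_creds(records: List[Record]) -> List[str]:
    """Return one finding per exposed FTP login and per Telnet session."""
    findings: List[str] = []
    pending_user: Dict[Tuple[str, str], str] = {}   # USER seen, PASS not yet, per flow
    telnet_seen = set()
    for src, dst, dport, payload in records:
        flow = (src, dst)
        if dport == 21:
            # FTP control channel: commands are CRLF-terminated ASCII lines
            for line in payload.decode("ascii", "replace").splitlines():
                cmd, _, arg = line.strip().partition(" ")
                if cmd.upper() == "USER":
                    pending_user[flow] = arg
                elif cmd.upper() == "PASS":
                    user = pending_user.pop(flow, "<unknown>")
                    # report length only; the alert itself should not leak the secret
                    findings.append(
                        f"FTP credential exposed {src}->{dst} user={user} "
                        f"pass=<redacted, {len(arg)} chars>")
        elif dport == 23 and flow not in telnet_seen:
            # Telnet has no encryption at all; one finding per session is enough
            telnet_seen.add(flow)
            findings.append(
                f"Telnet session {src}->{dst}: login will cross the wire in cleartext")
    return findings


SAMPLE: List[Record] = [   # constructed records
    ("10.0.0.5", "10.0.0.9", 21, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.9", 21, b"PASS hunter2\r\n"),
    ("10.0.0.6", "10.0.0.9", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),   # encrypted after banner
    ("10.0.0.7", "10.0.0.10", 23, b"\xff\xfd\x18\xff\xfd\x20"),  # telnet option negotiation
    ("10.0.0.7", "10.0.0.10", 23, b"r"),                          # one keystroke per segment
    ("10.0.0.8", "10.0.0.9", 21, b"PASS anonymous@\r\n"),        # USER missed by the capture
]

if __name__ == "__main__":
    for f in detect_cleartext_creds(SAMPLE):
        print(f)
```

The same logic runs equally well over a Zeek or tcpdump text export; the practical outcome of a hit is usually a ticket to move that server to SFTP/SCP or SSH, since the protocols themselves cannot be fixed.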
23
Q

To encode or read an encrypted message, what tool is necessary?

A. Routing table
B. Internet access
C. Encryption key
D. Email address

A
C. To encode a message and decode an encrypted message, you need the proper encryption key or keys. The encryption key is the table or formula that defines which character in the data translates to which encoded character.
24
Q

Which of the following is not an enhancement provided by TLS version 1.2?

A. Improvements in the operation of the MD5/SHA-1 hashing function

B. Enhanced support for the Advanced Encryption Standard (AES)

C. Expansion of the use of TLS to VPNs

D. More flexibility in the choice of hashing and encryption algorithm

A
C. TLS was already available for use with VPNs in earlier versions; the other three options are enhancements introduced by the version asked about.
25
Q

Which of the following is not a type of public-key encryption?

A. Diffie-Hellman algorithm
B. RSA Data Security
C. Pretty Good Privacy (PGP)
D. DES

A
D. The Data Encryption Standard (DES) is not a type of public-key encryption.
26
Q

Which of the following VPN protocols runs over TCP port 1723, allows encryption to be done at the data level, and allows secure access?

A. RAS
B. RADIUS
C. PPPoE
D. PPTP

A
D. PPTP is a VPN protocol that was created by Microsoft; it uses TCP port 1723 for the control connection and authentication, and Generic Routing Encapsulation (GRE) to carry the tunneled PPP frames, inside which the data-level encryption (MPPE) is applied.
27
Q

At which stage of PPPoE are the MAC addresses of the endpoints exchanged?

A. Session
B. Discovery
C. Transport
D. Final

A
B. PPPoE has only two stages: discovery and session. In the discovery stage, the MAC addresses of the endpoints are exchanged and a session ID is assigned so that the PPP session can then be established.
28
Q

When utilizing multifactor authentication, which of the following is an example of verifying something you are?

A. Smart card
B. Password
C. Fingerprint
D. Certificate

A
C. A fingerprint is an example of something you are. Other examples are retina scans and facial recognition.
29
Q

Which of the following authentication methods allows for domain authentication on both wired and wireless networks?

A. RADIUS
B. CHAP
C. PKI
D. RDP

A
A. RADIUS servers provide authentication, authorization, and accounting (AAA) services from one central point; the only encryption RADIUS itself applies is the hiding of the User-Password attribute with the shared secret. RADIUS (typically behind 802.1X) can be used for allowing or denying both wired and wireless access at the domain level.
30
Q

Which user-client-server authentication software system combines user authentication and authorization into one central database and maintains user profiles?

A. RADIUS
B. TACACS+
C. Kerberos
D. PKI

A
A. RADIUS combines user authentication and authorization into one centralized database and maintains user profiles.
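The exchange behind cards 29 and 30, as an added example that is not part of the Network+ text: an Access-Request packet built and parsed, with the one piece of "encryption" RADIUS itself provides. Per RFC 2865 section 5.2 the User-Password attribute is hidden by XORing 16-byte blocks with MD5(shared_secret || previous_block), seeded with the Request Authenticator; every other attribute travels in plaintext. The shared secret, authenticator, NAS address and credentials are constructed for the demonstration.

```python
"""Added example: RADIUS Access-Request construction and User-Password hiding (RFC 2865)."""
import hashlib
import struct
from typing import Dict

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(S + c_{i-1}),
    with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block            # chaining: the next keystream depends on this ciphertext
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type (1) + Length (1, includes the two header bytes) + Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, authenticator: bytes,
                         username: str, password: str, nas_ip: bytes) -> bytes:
    """Code (1) + Identifier (1) + Length (2) + Authenticator (16) + attributes."""
    attrs = (_attr(USER_NAME, username.encode()) +
             _attr(USER_PASSWORD, hide_password(secret, authenticator, password.encode())) +
             _attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV attribute list; rejects length fields that would loop or overrun."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def demo() -> Dict[str, bytes]:
    """NAS builds the request; the server recovers the password with the right
    secret and gets garbage with the wrong one."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))        # constructed; real ones are random per request
    pkt = build_access_request(secret, 42, authenticator, "alice", "hunter2", b"\x0a\x00\x00\x05")
    attrs = parse_attributes(pkt)
    req_auth = pkt[4:20]
    return {
        "user_name": attrs[USER_NAME],
        "hidden": attrs[USER_PASSWORD],
        "revealed": reveal_password(secret, req_auth, attrs[USER_PASSWORD]),
        "wrong_secret": reveal_password(b"guess", req_auth, attrs[USER_PASSWORD]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Note what this does and does not protect: the username and NAS address are readable by anyone capturing the packet, and the password hiding is only as strong as the shared secret. A user who knows their own password and captures their own request can brute-force the secret offline, which is why RADIUS across untrusted networks is carried inside IPsec or RadSec (RADIUS over TLS, RFC 6614).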
31
Q

Which of the following is not a Network Access Control method?

A. CHAP
B. 802.1X
C. EAP
D. ICA

A
D. Independent Computing Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients. ICA is a remote-access method, not a Network Access Control method.