Lesson 6: Securing and Troubleshooting Networks in the Cloud Flashcards

1
Q

An administrator is practicing security hardening. Which of the following software-based solutions will the administrator take to reduce the vulnerability of the network? (Select all that apply.)

A.Run systemd start sshd and systemd enable sshd on a machine used for remote administration.

B.Use the Nmap tool to scan the network.

C.Install all firmware upgrades.
D.Remove web proxies.

A

A.Run systemd start sshd and systemd enable sshd on a machine used for remote administration.

B.Use the Nmap tool to scan the network.

The administrator will run systemd start sshd and systemd enable sshd on a machine used for remote administration to secure remote administration tasks with the secure shell tunneling protocol.

The administrator will run the Nmap (Network Mapper) tool to scan the network for open ports on systems and evaluate the results against the function of the systems to ensure that no unnecessary ports are accepting traffic.

2
Q

A security administrator wants to enhance security by creating a flexible and scalable policy that separates infrastructure at the workload level. Which of the following solutions is best applicable to the administrator?

A.Tiers
B.Virtual local area networks
C.Virtual extensible LAN
D.Microsegmentation

A

D.Microsegmentation

Microsegmentation applies dividing a network into sections at the workload level, separating workloads—and the infrastructure supporting them—from other workloads.

3
Q

An organization initially manually assigned random static IP addresses within the organization’s range to network devices. Now that the organization is growing, an administrator is installing a Dynamic Host Configuration Protocol (DHCP) server to automatically assign IP addresses to client devices but needs to free up a contiguous address range in order to provide the DHCP server with a block of available IP addresses to assign. The organization’s file servers are currently using IP addresses in the range the administrator wants to use for DHCP, so the administrator assigns new IP addresses outside of that range to the file servers. Shortly after, the helpdesk begins receiving calls from employees who are unable to access the file servers. What must the administrator do to correct this issue?

A.The administrator must wait for the DNS records to update with the new IP addresses.

B.The administrator must update the DNS records with the new IP addresses.

C.The administrator must confirm that the employee workstations can reach the proxy.

D.The administrator must ensure that the NAT (Network Address Translation) device is online.

A

B.The administrator must update the DNS records with the new IP addresses.

The administrator must update the DNS records with the new IP addresses for the file servers. Servers and other network nodes and services use static DNS records created by administrators.

4
Q

A cloud administrator is extending the use of virtual local area networks in their Azure cloud environment. Which solution should the administrator use?

A.NVGRE
B.STT
C.VXLAN
D.NVGRE, VXLAN, and STT can all be used together

A

A.NVGRE

Microsoft primarily relies on network virtualization using generic routing encapsulation (NVGRE) to extend VLANs.

5
Q

An administrator is troubleshooting a cloud client that is unable to communicate with other devices on the same subnet. The administrator opens a command prompt on the client, enters ipconfig, and sees that the client’s IPv4 address is 169.254.0.0 and the subnet mask is 255.255.0.0. Why isn’t the client communicating?

A.There are not enough VLANs available for the client to connect.

B.The client has no default gateway.

C.The network is too congested for the client to communicate.

D.The client did not receive an IP address assignment.

A

D.The client did not receive an IP address assignment.

An IP address of 169.254.0.0 is an APIPA (Automatic Private IP Addressing) configuration indicating that the client did not receive a valid IP address configuration either manually or through DHCP (Dynamic Host Configuration Protocol).

6
Q

A cloud administrator is troubleshooting the lack of connectivity between Virtual Private Clouds (VPCs). Which of the following steps should the administrator perform? (Select all that apply.)

A.Ensure HTTP header information is compatible
B.Check for high packet retransmissions
C.Update security group memberships
D.Update name resolution

A

C.Update security group memberships

D.Update name resolution

Updating security group memberships is a troubleshooting step when there is no connectivity between Virtual Private Clouds (VPCs). In a single VPC, instances can only communicate with each other.

Updating name resolution is one of the troubleshooting steps when there is no connectivity between VPCs. Cloud administrators can configure a network connection between two VPCs to enable direct communication between VPC members.

7
Q

To detect unwanted or dangerous network traffic, an administrator is collecting and analyzing data from the network through the web application firewalls, the intrusion prevention systems, and the protocol analyzers. Network traffic has to travel through all of these devices, and all of these layers of monitoring are taking a toll on system resources and slowing down network traffic. What can the administrator implement to mitigate this issue?

A.NPB
B.NAC
C.DLP
D.WAF

A

A.NPB

The administrator can implement an NPB (Network Packet Broker) to gather the network traffic and filter it to the appropriate monitoring tool. Using just the NPB to monitor the traffic alleviates the strain on the network.

8
Q

An organization hired a new administrator to upgrade the VPN (Virtual Private Network) that employees use for off-site connections to the organization’s network. The VPN is currently using PPTP (Point-to-Point Tunneling Protocol) to encapsulate the data packets and provide encryption. What tunneling protocol will the administrator implement for the upgraded VPN?

A.HTTPS
B.GRE
C.L2TP/IPsec
D.SSH

A

C.L2TP/IPsec

The administrator will implement L2TP/IPsec (Layer 2 Tunneling Protocol/Internet Protocol Security) for the upgraded VPN. This provides a secure connection that is easy to configure.

9
Q

An administrator is using the ping command to test connectivity between the on-premises network and the cloud network. The response from the ping command is “Fail: DESTINATION HOST UNREACHABLE”. What does this response indicate?

A.The on-premises computer was not able to send the ping request because the connection is down.

B.The on-premises computer was able to send the ping request but never received an answer.

C.The on-premises computer has a problem.

D.The cloud computer has a problem

A

A.The on-premises computer was not able to send the ping request because the connection is down.

A ping response of “Fail: DESTINATION HOST UNREACHABLE” indicates that the on-premises computer was not able to send the ping request since the connection is down.

10
Q

An administrator only allows specific physical devices to connect to the organization’s Virtual Private Cloud (VPC). What command can the administrator use to monitor device connections to the VPC by physical address?

A.ipconfig /all
B.nslookup
C.arp
D.curl

A

C.arp

The arp (Address Resolution Protocol) command is the correct command that will show the administrator the MAC addresses of all devices on the network mapped to the corresponding IP address.

11
Q

A user logs in to the cloud platform but cannot see the team’s virtual instance. What troubleshooting steps can a cloud administrator perform? (Select all that apply.)

A.Check security group inheritance.
B.Check access control list (ACL).
C.Check security group misconfiguration.
D.Check micro-segmentation settings.

A

A.Check security group inheritance.

C.Check security group misconfiguration.

Check the security group inheritance to ensure all applicable resources within folders and sub-folders apply to all resources that the user is approved to see.

Check the security group configuration because in some cases the user is not added to the appropriate group, or the security group is not linked to a resource.

12
Q

A network administrator reviews protocols in their company’s cloud environment to search for insecure protocols that should be removed. Which of the following protocols should not be used by themselves? (Select all that apply.)

A.Hypertext Transfer Protocol
B.Secure Shell
C.File Transfer Protocol
D.Generic Routing Encapsulation

A

A.Hypertext Transfer Protocol

C.File Transfer Protocol

D.Generic Routing Encapsulation

The Hypertext Transfer Protocol (HTTP) is primarily used to transport web files between servers and client computers. This application layer protocol is not encrypted, and anyone who intercepts the transfer can view the contents.

File Transfer Protocol (FTP) does not encrypt data for either confidentiality or integrity.

Generic Routing Encapsulation (GRE) protocol is a tunneling protocol that does not use encryption unless combined with IPsec and should be avoided for any secure communications.

13
Q

A network administrator is troubleshooting issues with a Virtual Private Cloud (VPC) connection. Which of the following are troubleshooting steps the administrator should test? (Select all that apply.)

A.Ensure that HTTP header information is compatible

B.Update name resolution
C.Confirm security group membership
D.Check packet retransmissions

A

B.Update name resolution

C.Confirm security group membership

Update name resolution is one of the steps that the administrator should take for troubleshooting Virtual Private Clouds (VPCs).

Confirm security group membership is also one step that helps troubleshoot incorrect firewall and micro-segmentation configurations and peering issues.

14
Q

A company sets up a hybrid cloud environment to take advantage of cloud virtual instances to increase resources during peak hours for a set of load-balanced web servers. The on-premises load balancers need secure and accessible communication with the web servers in the cloud. How can a cloud administrator set up the network to stretch from on-premises to the cloud?

A.Implement DNS over TLS (DoT).

B.Implement a microsegmentation on the cloud platform.

C.Implement a multi-tier service chain.

D.Implement a VXLAN across both environments.

A

D.Implement a VXLAN across both environments.

Virtual extensible LAN (VXLAN) provides greater scalability than VLAN. For example, VXLAN stretches a network deployment between the existing on-premises network and a newly created cloud network using a bi-directional tunnel. This requires virtual machines (VMs) on both environments to be members of the same VLAN.

15
Q

An organization has several VMs in their public cloud configured as web servers. However, when the administrator attempts to access the secure website, the browser times out. What must the administrator configure to correct this error and allow customers to access the website?

A.The administrator must configure an inbound rule in the ACL (Access Control List) to allow traffic on port 443.

B.The administrator must configure an inbound rule in the ACL to allow traffic on port 80.

C.The administrator must configure peering between the web servers.

D.The administrator must configure a load balancer between the web servers.

A

A.The administrator must configure an inbound rule in the ACL (Access Control List) to allow traffic on port 443.

Secure web traffic uses port 443 to communicate. The administrator must configure an inbound rule in the ACL to allow traffic on port 443, or else the VMs’ security group will block that traffic by default.

16
Q

An organization recently acquired a new company. The organization has an on-premises network extended to the Azure cloud, and the newly acquired company is using an Amazon Web Service (AWS) cloud deployment. What can the network administrator implement to allow the organization’s network to communicate with the new company’s network?

A.VLAN Stretching
B.NVGRE
C.STT
D.GENEVE

A

D.GENEVE

The administrator would use GENEVE (Generic Network Virtualization Encapsulation), a standard for defining data formats, to extend the organization’s VLAN to the Azure and Amazon Web Service (AWS), or multi-cloud deployments.

17
Q

Which of the following statements are false concerning network flow diagrams? (Select all that apply.)

A.Network flow diagrams are the same as data flow diagrams.

B.Network flow diagrams do not assist with security.

C.Network flow diagrams can assist in troubleshooting.

D.Network flow diagrams identify all nodes.

A

A.Network flow diagrams are the same as data flow diagrams.

B.Network flow diagrams do not assist with security.

Data flow diagrams are similar to network flow diagrams and in some cases are duplicates of them, but not always.

IT security professionals use network flow diagrams to maintain security policies and compliance by allowing these experts to understand and track the flow of sensitive information through the network.

18
Q

A server administrator is troubleshooting connectivity between two servers with the ping command but receives a message “REQUEST TIMED OUT.” What is most likely going on?

A.Problem on the source device
B.Problem on the destination device
C.Connection is down
D.Connection is working fine

A

B.Problem on the destination device

The REQUEST TIMED OUT message often indicates a problem with the destination device. The ping command tests connectivity between two nodes. It operates at the network layer of Transmission Control Protocol (TCP)/Internet Protocol (IP), meaning that it does not rely on programs at the application layer to be configured correctly.

19
Q

A user is unable to reach a cloud resource by name, but general Internet access is available. What would be an immediate cause of this issue?

A.Misconfigured DNS record
B.Misconfigured proxy server
C.Misconfigured NAT settings
D.Misconfigured VPC peering

A

A.Misconfigured DNS record

Domain Name System (DNS) records resolve names to Internet Protocol (IP) addresses when communicating with servers and services on the network. Misconfiguring these records can prevent access to cloud services when using their names.
