Lesson 9: Implementing Secure Network Designs Flashcards

1
Q

Which statement best describes the difference between session affinity and session persistence?

A. With persistence, once a client device establishes a connection, it remains with the node that first accepted its request, while an application-layer load balancer uses session affinity to keep a client connected by setting up a cookie.

B. Session affinity makes node scheduling decisions based on health checks and processes incoming requests based on each node’s load. Session persistence makes scheduling decisions on a first in, first out (FIFO) basis.

C. With session affinity, when a client establishes a session, it remains with the node that first accepted its request, while an application-layer load balancer uses persistence to keep a client connected by setting up a cookie.

D. Session persistence makes scheduling decisions based on traffic priority and bandwidth considerations, while session affinity makes scheduling decisions based on which node is available next.

A

C

2
Q

During the planning/scoping phase of the kill chain, an attacker decides that a Distributed Denial of Service (DDoS) attack would be the best way to disrupt the target website and remain anonymous. Evaluate the following explanations to determine the reason the attacker chose a DDoS attack.

A. A DDoS attack can launch via covert channels

B. DDoS attacks utilize botnets

C. A DDoS attack creates a backdoor to a website

D. DDoS attacks use impersonation

A

B

3
Q

There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone.

A. DMZ

B. Screened host

C. Wireless

D. Guest

A

B

4
Q

Given knowledge of load balancing and clustering techniques, which configuration provides both fault tolerance and consistent performance for applications like streaming audio and video services?

A. Active/Passive clustering

B. Active/Active clustering

C. First in, First out (FIFO) clustering

D. Fault tolerant clustering

A

A

5
Q

Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness.

A. The network architecture is flat.

B. Services rely on the availability of several different systems.

C. The network relies on a single hardware server.

D. Not all hosts on the network can talk to one another.

A

D

6
Q

A hotel guest opens their computer and connects to the Wi-Fi, which does not prompt the guest for a username and password. Upon opening an internet browser, a splash page appears that requests the guest’s room number and last name for authentication. Which type of authentication is the hotel utilizing?

A. Protected

B. Extensive

C. Group

D. Open

A

D

7
Q

A company is reviewing the options for installing a new wireless network. They have requested recommendations for utilizing WEP, WPA, or WPA2. Differentiate between Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). Determine which of the following statements accurately distinguishes between the options. (Select all that apply.)

A. WEP and WPA use RC4 with a Temporal Key Integrity Protocol (TKIP), while WPA2 uses a 24-bit Initialization Vector (IV). WPA2 combines the 24-bit IV with an Advanced Encryption Standard (AES) to add security.

B. WEP is the strongest encryption scheme, followed by WPA2, then WPA. WEP is difficult to crack when protected by a strong password, or if deploying enterprise authentication. WPA2 is more vulnerable to decryption due to replay attack possibilities.

C. WPA and WEP use RC4, while WEP uses a 24-bit Initialization Vector (IV). WPA uses a Temporal Key Integrity Protocol (TKIP), and WPA2 uses an Advanced Encryption Standard (AES) for encryption.

D. WPA2 is the strongest encryption scheme, followed by WPA, then WEP. WPA2 is difficult to crack if protected by a strong password, or if deploying enterprise authentication. WEP is more vulnerable to decryption due to replay attack possibilities.

A

C,D

8
Q

An attacker tricks a host within a subnet into routing through an attacker’s machine, rather than the legitimate default gateway, allowing the attacker to eavesdrop on communications and perform a Man-in-the-Middle (MitM) attack. Compare the types of routing vulnerabilities and conclude what the attacker is exploiting in this scenario.

A. Route injection

B. Denial of service

C. ARP poisoning

D. Source routing

A

C

9
Q

A team is building a wireless network, and the company has requested the team to use a Wired Equivalent Privacy (WEP) encryption scheme. The team has developed a recommendation to utilize a different encryption scheme based on the problems with WEP. Analyze the features of WEP to determine what problems to highlight in the recommendation.

A. WEP only allows the use of a 128-bit encryption key and is not secure. The Initialization Vector (IV) is too large to provide adequate security.

B. WEP allows for a 256-bit key but is still not secure. The Initialization Vector (IV) is not sufficiently large, thus is not always generated using a sufficiently random algorithm.

C. WEP has the option to use either a 64-bit or a 128-bit key, which is not secure enough for the company. Packets use a checksum to verify integrity that is too difficult to compute.

D. WEP only allows the use of a 64-bit key, which is not secure enough for the company. The Initialization Vector (IV) is often not generated using a sufficiently random algorithm.

A

B

WEP version 1 has both 64-bit and 128-bit keys, while WEP version 2 has 128-bit and 256-bit keys but is still not secure. The main problem with WEP is the 24-bit Initialization Vector (IV). The IV is supposed to change the keystream for each packet, but this does not always happen. One of the problems is that the IV is not sufficiently large, meaning the system will reuse the IV within the same keystream under load.

10
Q

Identify the attack that can be launched by running software such as Dsniff or Ettercap from a computer attached to the same switch as the target.

A. ARP poisoning attack

B. MAC spoofing

C. MAC flooding

D. Man-in-the-Middle (MitM)

A

A

11
Q

Given that layer 2 does not recognize Time to Live, evaluate the potential problems to determine which of the following options prevents this issue.

A. ICMP

B. L2TP

C. NTP

D. STP

A

D

STP (Spanning Tree Protocol) is a switching protocol that prevents network loops by dynamically disabling links as needed. Since layer 2 protocols have no concept of Time To Live, layer 2 broadcast traffic could continue to loop through a network with multiple paths indefinitely.

12
Q

Where should an administrator place an internet-facing host on the network?

A. DMZ

B. Bastion host

C. Extranet

D. Private network

A

A

13
Q

Compare the characteristics of a rogue Access Point (AP) in wireless networks to determine which statements correctly summarize their attributes. (Select all that apply.)

A. An evil twin is a rogue AP, and an attacker can use a Denial of Service (DoS) to disconnect users from the legitimate AP and connect to the evil twin.

B. Sometimes referred to as an evil twin, a rogue AP masquerading as a legitimate AP may have a similar name to a legitimate AP.

C. An attacker can set up a rogue AP with something as simple as a smartphone with tethering capabilities.

D. A Denial of Service (DoS) will bypass authentication security (enabled on the AP), so it is important to regularly scan for rogue APs on the network.

A

A,B,C

14
Q

Consider the types of zones within a network’s topology and locate the zone that is considered semi-trusted and requires hosts to authenticate to join.

A. Private network

B. Extranet

C. Internet

D. Anonymous

A

B

15
Q

Which statement regarding attacks on media access control (MAC) addresses accurately pairs the method of protection and what type of attack it guards against? (Select all that apply.)

A. MAC filtering guards against MAC snooping.

B. Dynamic Host Configuration Protocol (DHCP) snooping guards against MAC spoofing.

C. MAC filtering guards against MAC spoofing.

D. Dynamic address resolution protocol inspection (DAI) guards against MAC flooding.

A

B,D

16
Q

An Internet Service Provider’s (ISP) customer network is under a Distributed Denial of Service (DDoS) attack. The ISP decides to use a blackhole as a remedy. How does the ISP justify their decision?

A. A blackhole drops packets for the affected IP address(es) and is in a separate area of the network that does not reach any other part of the network.

B. A blackhole makes the attack less damaging to the ISP’s other customers and continues to send legitimate traffic to the correct destination.

C. A blackhole routes traffic destined to the affected IP address to a different network. Here, the ISP can analyze and identify the source of the attack, to devise rules to filter it.

D. A blackhole is preferred, as it evaluates each packet in a multi-gigabit stream against an Access Control List (ACL) without overwhelming the processing resources.

A

A

A blackhole drops packets for the affected IP address(es). A blackhole is an area of the network that cannot reach any other part of the network, which protects the unaffected portion.

17
Q

Evaluate the typical weaknesses found in network architecture and determine which statement best aligns with a perimeter security weakness.

A. A company has a single network channel.

B. A company has many different systems to operate one service.

C. A company has a habit of implementing quick fixes.

D. A company has a flat network architecture.

A

D

18
Q

Analyze the available detection techniques and determine which are useful in identifying a rogue system through software management. (Select all that apply.)

A. Visual inspection of ports and switches will prevent rogue devices from accessing the network.

B. Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume.

C. Intrusion detection and NAC are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.

D. Wireless monitoring can reveal whether there are unauthorized access points.

A

C,D

19
Q

A network manager suspects that a wireless network is undergoing a deauthentication attack. Applying knowledge of wireless network attacks, which scenario best supports the network manager’s suspicion?

A. A network has sudden interference, which is causing connectivity issues for the network. The users disconnect from the network, and upon reauthenticating, they log on to an evil twin Access Point (AP).

B. An attacker creates an Access Point (AP) using a similar name as a legitimate AP, in an attempt to have users authenticate through the rogue AP in order to gain authentication information.

C. A rogue Access Point (AP) captures user logon attempts. The attacker uses this information to authenticate to the system and obtain critical data.

D. A group of systems suddenly disconnects from the network. When the users reconnect, they actually connect to an evil twin Access Point (AP), which gives an attacker information about authentication.

A

D