Obj 4.X Flashcards

1
Q

Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network?

VPN
UTM
DMZ
NAC

A

The correct answer is NAC (Network Access Control). NAC is a security solution that restricts access to the network unless a device meets certain criteria. This can include factors such as device health, user authentication, or whether it’s a known and trusted device. In this scenario, NAC would prevent unauthorized devices from accessing the corporate network simply by plugging into the wall jack.

The other choices are incorrect because they don’t directly address the problem. A VPN (Virtual Private Network) is used for secure remote access to a network, not for controlling access to a wired connection on-site. A UTM (Unified Threat Management) device is a comprehensive security solution that includes firewalls, anti-virus, and more, but it doesn’t specifically prevent a device from plugging into a network port. A DMZ (Demilitarized Zone) is a portion of the network that is exposed to untrusted users, often used for web servers, but it doesn’t stop unauthorized users from accessing the internal network.

2
Q

The administrator would like to use the strongest encryption level possible using PSK without utilizing an additional authentication server. What encryption type should be implemented?

WPA2 Enterprise
WEP
WPA personal
MAC filtering

A

The correct answer is WPA Personal. WPA Personal, also known as WPA2-PSK (Pre-Shared Key), provides a strong level of encryption without the need for an additional authentication server. It uses AES (Advanced Encryption Standard) encryption, which is much stronger than older protocols like WEP.

The other choices are incorrect because they either require additional authentication methods or provide weaker security. WPA2 Enterprise uses a more secure authentication method involving a RADIUS server, which the question specifically says the administrator does not want to use. WEP is outdated and offers very weak encryption, making it insecure for modern networks. MAC filtering is not an encryption method; it simply restricts access based on device MAC addresses, but it can easily be bypassed and does not provide data encryption.

3
Q

A technician has finished configuring AAA on a new network device. However, the technician cannot log into the device with LDAP credentials but can with a local user account. What is the MOST likely reason for the problem?

IDS is blocking RADIUS
Shared secret key is mismatched
Username is misspelled in the device configuration file
Group policy has not propagated to the device

A

The most likely reason for the problem is that the shared secret key is mismatched. When configuring AAA (Authentication, Authorization, and Accounting) using LDAP or any RADIUS server, both the server and the network device must have the same shared secret key for authentication to work. If this key does not match, the device will reject the LDAP credentials.

The other options are less likely. IDS blocking RADIUS would typically affect all RADIUS authentication attempts, not just LDAP. If the username were misspelled in the device configuration file, that could cause issues, but it would usually be evident when attempting to log in, as the device would indicate an invalid username. Lastly, group policy not propagating to the device could affect access, but it typically wouldn’t prevent a successful login if the LDAP credentials are correct and properly configured.

4
Q

Which of the following must be added to a VLAN’s gateway to improve the security of the VLAN?

Spanning tree protocol
Access control list
Split horizon
Hold down timer

A

The correct answer is Access Control List (ACL). An ACL is used to define rules that control the traffic allowed to enter or leave the VLAN through the gateway. By implementing an ACL, you can restrict which devices or types of traffic are permitted to communicate with the VLAN, thereby enhancing security.

The other options are incorrect because they serve different purposes. Spanning Tree Protocol (STP) is used to prevent network loops in a switched environment but doesn’t directly improve security at the VLAN gateway. Split horizon is a routing technique used to prevent routing loops in distance-vector routing protocols, but it doesn’t affect VLAN security. A hold down timer is used in routing protocols to prevent premature route updates, but it doesn’t improve VLAN security.

5
Q

You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their laptop to that same switch port. Which of the following security features would BEST accomplish this goal?

802.1x
NAC
ACL
Port security

A

The correct answer is Port security. Port security is a feature that allows a network administrator to restrict a switch port to a specific MAC address (Layer 2 address). Once a MAC address is learned or manually assigned to the port, the switch will prevent other devices with different MAC addresses from connecting to that port. This helps prevent an insider from unplugging a device and connecting their own unauthorized laptop.

The other options are incorrect because they serve different purposes. 802.1x is a network access control protocol used for authenticating devices, but it doesn’t specifically prevent MAC address spoofing or switching devices at the port level. NAC (Network Access Control) ensures that devices meet security policies before accessing the network but is more comprehensive and doesn’t focus solely on Layer 2 MAC address restrictions. An ACL (Access Control List) controls network traffic by defining rules for allowing or denying packets based on various criteria, but it doesn’t specifically address port-level device changes.

6
Q

A home user reports to a network technician that the Internet is slow when they attempt to use their smartphone or laptop with their Wi-Fi network. The network administrator logs into the admin area of the user’s access point and discovers that multiple unknown devices are connected to it. What is MOST likely the cause of this issue?

The user is connected to a botnet
An evil twin has been implemented
The user is experiencing ARP poisoning
A successful WPS attack has occurred

A

The correct answer is A successful WPS attack has occurred. Wi-Fi Protected Setup (WPS) is a method for easily connecting devices to a wireless network, but it has known security vulnerabilities. Attackers can exploit WPS to gain unauthorized access to a Wi-Fi network, allowing multiple unknown devices to connect and potentially slow down the user’s internet by consuming bandwidth.

The other options are incorrect because they do not directly explain the presence of multiple unknown devices. A botnet would involve the user’s devices being compromised and used for malicious activity, but it wouldn’t necessarily result in unknown devices connecting to the Wi-Fi. An evil twin attack involves creating a fake access point to trick users into connecting, not adding unknown devices to a legitimate access point. ARP poisoning can lead to network redirection or data interception but wouldn’t cause unknown devices to connect to the Wi-Fi.

7
Q

You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal?

VLAN
MAC filtering
VPN
WPA2

A

The correct answer is VLAN (Virtual Local Area Network). Implementing VLANs allows you to segment the corporate network into separate logical networks. By creating one VLAN for corporate-owned devices (the administrative network) and another for employee-owned devices (the untrusted network), you can enhance security and manage traffic more effectively. This separation ensures that the untrusted devices do not have access to sensitive corporate resources.

The other options are incorrect for the following reasons. MAC filtering can restrict devices based on their MAC addresses, but it is not as effective or scalable as VLANs for network segmentation. VPN (Virtual Private Network) is used for secure remote access to the corporate network but does not inherently separate devices within the network. WPA2 (Wi-Fi Protected Access 2) is a security protocol for wireless networks, but it does not provide network segmentation; it primarily secures the wireless connection itself.

8
Q

Which of the following technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on? (SELECT TWO)

NAC
Port security
GPS location
Geo-IP

A

The correct selections are NAC (Network Access Control) and GPS location. NAC solutions can enforce policies that restrict access to the network based on the physical location of the user, ensuring that only devices within the specified building or premises can authenticate and gain access. This can include checks on whether devices are connected to the correct network or if they meet certain compliance criteria.

GPS location can also be utilized to verify the physical location of users attempting to log in. By using GPS data, the system can determine if a user is within an acceptable geographic boundary before granting network access.

The other options are incorrect for the following reasons. Port security primarily focuses on controlling access to a network switch port by restricting the MAC addresses that can connect, rather than determining the physical location of users. Geo-IP can be used to approximate a user’s location based on their IP address, but it is not as precise as GPS for confirming that a user is in the same building, as IP addresses can sometimes be associated with a broader geographic area. Therefore, NAC and GPS location are the best choices for ensuring users are physically in the same building as the network they are attempting to access.

9
Q

What is a common technique used by malicious individuals to perform an on-path attack on a wireless network?

An evil twin
Session hijacking
ARP spoofing
Amplified DNS attacks

A

The correct answer is an evil twin. An evil twin attack involves setting up a rogue access point that mimics a legitimate wireless network. Users may unknowingly connect to this malicious access point, allowing the attacker to intercept communications, capture sensitive data, and potentially launch further attacks on the victims.

The other options are incorrect for the following reasons. Session hijacking typically refers to taking over an active session after it has been established, often through methods like cookie theft, rather than targeting the initial connection. ARP spoofing is a technique used primarily in wired networks, where an attacker sends falsified ARP messages over a local area network to associate their MAC address with the IP address of another device, but it is not specifically a wireless attack method. Amplified DNS attacks involve using DNS servers to amplify traffic directed at a target, usually as part of a DDoS attack, and are not related to on-path attacks in a wireless context. Therefore, an evil twin is the correct answer for a common technique used to perform an on-path attack on a wireless network.

10
Q

Dion Training allows its visiting business partners from CompTIA to use an available Ethernet port in their conference room to establish a VPN connection back to the CompTIA internal network. The CompTIA employees should obtain internet access from the Ethernet port in the conference room, but nowhere else in the building. Additionally, if any of the Dion Training employees use the same Ethernet port in the conference room, they should access Dion Training’s secure internal network. Which of the following technologies would allow you to configure this port and support both requirements?

MAC filtering
Configure a SIEM
Create an ACL to allow access
Implement NAC

A

The correct answer is Implement NAC (Network Access Control).

Network Access Control (NAC) allows you to manage and enforce policies for devices connecting to a network. By implementing NAC, you can ensure that visiting business partners from CompTIA can establish a VPN connection and access the internet only through the designated Ethernet port in the conference room. At the same time, NAC can restrict access for Dion Training employees using the same port, allowing them to connect to the internal secure network.

For the exam, remember that NAC is essential for dynamic access control, providing different network access based on the user’s identity and device status. This technology is particularly useful in environments with multiple user types needing varied access levels.

11
Q

Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?

Kerberos
CHAP
TACACS+
RADIUS

A

The correct answer is TACACS+. TACACS+ was developed by Cisco to provide centralized authentication, authorization, and accounting (AAA) services for network devices. It offers a flexible and secure method to control user access and track their activities.

The other options are incorrect. Kerberos is a widely used protocol for network authentication that operates on a ticket-granting system, but it’s not specific to Cisco. CHAP is used for authentication over Point-to-Point Protocol (PPP) connections but doesn’t provide full AAA services. RADIUS provides AAA services as well, but it is not Cisco-developed and differs from TACACS+ in terms of encryption and protocol structure.

12
Q

Your company has several small branch offices around the country, but you work as a network administrator at the centralized headquarters building. You need the capability of being able to remotely access any of the remote site’s routers to configure them without having to fly to each location in person. Your company’s CIO is worried that allowing remote access could allow an attacker to gain administrative access to the company’s network devices. Which of the following is the MOST secure way to prevent this from occurring while still allowing you to access the devices remotely?

Install an out-of-band modem
Create an out-of-band management network
Configure the remote router’s ACLs to only permit Telnet traffic
Configure the remote router’s ACLs to only permit HTTP traffic

A

The correct answer is to create an out-of-band management network. An out-of-band management network separates management traffic from regular network traffic, allowing you to securely access network devices remotely without exposing the management interfaces to potential attackers on the main network.

The other options are less secure. Installing an out-of-band modem can allow remote access, but it doesn’t provide the same level of security and monitoring as a dedicated out-of-band management network. Configuring ACLs to only permit Telnet traffic is insecure because Telnet sends data in plaintext, making it vulnerable to interception. Similarly, permitting HTTP traffic is insecure because it doesn’t encrypt data, leaving it open to potential attacks.

13
Q

An outside organization has completed a penetration test for a company. One of the report items states that an attacker may have the ability to read TLS traffic from the webserver due to a software bug. What is the MOST likely mitigation for this reported item?

Ensure patches are deployed
Configure the firewall to block traffic on port 443
Install an IDS on the network
Implement a VPN for employees

A

The most likely mitigation for the reported item is to ensure patches are deployed. Software bugs that affect the security of TLS traffic can often be resolved through updates and patches provided by the software vendor. By applying these patches, the organization can fix the vulnerabilities that may allow an attacker to read encrypted traffic.

Configuring the firewall to block traffic on port 443 would not be a viable solution, as this would block all secure web traffic, impacting legitimate users. Installing an Intrusion Detection System (IDS) could help in monitoring for suspicious activity but would not directly address the software bug. Implementing a VPN might enhance security for remote users, but it wouldn’t fix the vulnerability in the web server’s TLS implementation.

14
Q

A user’s smartphone is displaying text in other languages in their web browser when accessing the company’s main website. Which of the following is the MOST likely cause of the issue?

Deauthentication attack
On-path attack
Denial-of-service attack
Reflective DNS attacks

A

The most likely cause of the issue is an on-path attack. In this scenario, the user’s smartphone is displaying text in other languages, which suggests that an attacker may be intercepting or modifying the communication between the smartphone and the company’s website. This type of attack allows an attacker to manipulate the content being sent to the user, potentially redirecting them to a malicious version of the site or altering the data received.

A deauthentication attack typically disconnects users from a network, while a denial-of-service attack aims to make a service unavailable. Reflective DNS attacks generally involve redirecting traffic to a malicious server using DNS manipulation, but they do not specifically cause the display of different languages in web content. Therefore, the on-path attack is the most relevant explanation for the observed behavior.

15
Q

A disgruntled employee executes an on-path attack on the company’s network. Layer 2 traffic destined for the gateway is now being redirected to the employee’s computer. What type of attack is this an example of?

IP spoofing
Evil twin
Reflective DNS
ARP spoofing

A

The attack described is an example of ARP spoofing. In this scenario, the disgruntled employee is intercepting Layer 2 traffic by sending falsified Address Resolution Protocol (ARP) messages onto the network. This allows the attacker to associate their MAC address with the IP address of the gateway, effectively redirecting traffic that should go to the gateway to their own computer instead.

IP spoofing involves forging the source IP address of packets but does not specifically address Layer 2 traffic. An evil twin attack typically involves setting up a rogue Wi-Fi access point to trick users into connecting to it. Reflective DNS attacks manipulate DNS responses but are not related to ARP or Layer 2 traffic redirection. Therefore, ARP spoofing is the most accurate answer in this context.

16
Q

Dion Training wants to implement a technology that will automatically test any wireless device that connects to their network before allowing the device full access to the corporate network and its resources. Which of the following should be implemented?

NAC
VPN
DMZ
PSK

A

The correct technology to implement for automatically testing any wireless device that connects to the network before granting full access is Network Access Control (NAC). NAC solutions provide a mechanism to enforce security policies on devices as they connect to the network. This includes verifying the device’s security posture, such as checking for up-to-date antivirus software or ensuring that certain security patches are installed. Based on the assessment, NAC can either grant access, limit access, or deny access to the corporate network and its resources.

A Virtual Private Network (VPN) provides a secure connection over the internet but does not test devices for compliance before granting access. A Demilitarized Zone (DMZ) is a network segment used to host public-facing services, isolating them from the internal network but is not related to device testing or access control. A Pre-Shared Key (PSK) is a method of authentication for securing wireless networks, but it does not perform any device checks before access is granted. Thus, NAC is the best choice for this scenario.

17
Q

You opened your web browser and attempted to visit DionTraining.com, but you appear to have been redirected to a malicious website instead. What type of attack is being conducted?

DNS poisoning
VLAN hopping
ARP spoofing
Rogue DHCP

A

The type of attack being conducted in this scenario is DNS poisoning. DNS poisoning involves corrupting the DNS cache of a resolver or server, causing it to return an incorrect IP address for a domain name. When you try to visit DionTraining.com, the poisoned DNS entry leads you to a malicious website instead. This can happen if an attacker successfully alters the DNS records, either on a local machine or within the DNS server itself.

VLAN hopping is an attack where a malicious user accesses traffic from a different VLAN, which doesn’t directly relate to being redirected to a malicious website. ARP spoofing is a technique used to intercept network traffic on a local network by associating the attacker’s MAC address with the IP address of a legitimate device, but it doesn’t specifically target DNS resolution. Rogue DHCP involves an unauthorized DHCP server assigning IP addresses to devices on the network, potentially leading to similar connectivity issues but does not specifically redirect users to a malicious site. Therefore, DNS poisoning is the most fitting explanation for this scenario.

18
Q

Dion Training is concerned with the threat of an attacker modifying the MAC address to IP bindings within the local area network. Which of the following could be enabled on the company’s network to prevent this from occurring?

Private VLAN
DHCP snooping
Router Advertisement Guard
Dynamic ARP Inspection

A

Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings.

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). Port mirroring, ARP inspection, and VLANs do not add any redundancy to the network. DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure. When DHCP servers are allocating IP addresses to the LAN clients, DHCP snooping can be configured on LAN switches to prevent malicious or malformed DHCP traffic or rogue DHCP servers. The IPv6 Router Advertisement Guard feature allows the network administrator to block or reject unwanted or rogue router advertisement messages that arrive at the network device.

19
Q

A network administrator, Tamera, follows the best practices to implement firewalls, patch management, and security policies on her network. Which of the following should be performed to verify that the security controls are in place?

Single point of failure testing
Disaster recovery testing
AAA authentication testing
Penetration testing

A

The action Tamera should perform to verify that the security controls are in place is penetration testing. Penetration testing involves simulating attacks on the network to identify vulnerabilities and assess the effectiveness of security measures such as firewalls, patch management, and security policies. This testing helps confirm that the implemented controls can withstand real-world attacks.

Single point of failure testing examines the network’s resilience to component failures but does not assess security controls. Disaster recovery testing evaluates the organization’s ability to recover from disruptions, while AAA (Authentication, Authorization, and Accounting) authentication testing specifically checks the effectiveness of access controls, not the overall security posture. Therefore, penetration testing is the most comprehensive method to verify the effectiveness of security controls.

20
Q

Barbara has connected her personal wireless router to a network jack inside her office. The router cannot get a DHCP address even though her corporate laptop can get a DHCP address when connected to the same jack. Barbara checked the router’s configuration to ensure it is set up to obtain a DHCP address. Which of the following is the MOST likely reason that the router is not getting a DHCP address?

The wireless router’s MAC address is blocklisted by the network
Only allow-listed MAC addresses can connect to the network
DHCP snooping is enabled on the network
DHCP requests that originate from access points are blocked

A

An allow list of MAC addresses is a security measure implemented by the administrator to grant network access only to specific, known devices.

It prevents a person with malicious intentions from connecting to the corporate network. Since the router has a different MAC address than the corporate laptop, it is blocked from connecting to the wired network and never receives a DHCP address. Allow-listed MAC addresses can be enforced automatically using different forms of port security on a network switch.

21
Q

Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, verifying that the workstation’s anti-malware solution is up-to-date and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?

Zero-day
Session hijacking
Impersonation
MAC spoofing

A

The correct answer is Zero-day. A zero-day attack exploits a vulnerability that is unknown to the software vendor or the user. In this scenario, since Ted has confirmed that the workstation’s anti-malware solution is up-to-date and the firewall is properly configured, it suggests that traditional security measures may not have detected the malicious activity. A zero-day vulnerability could have been exploited, allowing an attacker to transfer sensitive files without triggering alarms in the existing security measures.

The other options are less likely in this context. Session hijacking involves taking over an active session but does not directly account for the transfer of files unless there was a specific session established for that purpose. Impersonation typically refers to an attacker pretending to be someone else to gain unauthorized access, which does not directly explain the unauthorized file transfer to an external IP address. MAC spoofing involves altering a device’s MAC address to bypass network access controls, but it wouldn’t directly facilitate the exfiltration of files without additional vulnerabilities. Therefore, a zero-day attack is the most plausible explanation for the exfiltration in this scenario.

22
Q

Which of the following open-source remote access tools allows users to connect to their desktop remotely, see what is on their screen, and control it with their mouse and keyboard?

VNC
SSH
Telnet
RDP

A

The correct answer is VNC. VNC (Virtual Network Computing) is an open-source remote access tool that allows users to connect to their desktop remotely, view the screen, and control it using their mouse and keyboard. It enables graphical desktop sharing, making it easy to manage a remote computer as if the user were sitting right in front of it.

The other options are not primarily designed for graphical remote desktop access. SSH (Secure Shell) is a protocol used for secure command-line access to a remote machine but does not provide a graphical interface. Telnet is also a command-line protocol that lacks encryption and is not secure for remote access. RDP (Remote Desktop Protocol) is a Microsoft proprietary protocol that allows remote access to Windows desktops, but it is not open-source like VNC. Therefore, VNC is the most suitable answer for an open-source solution for remote desktop access.

23
Q

Your mother says there is something wrong with her computer, but unfortunately, she doesn’t know how to fix it. She asks if you can remotely connect to her computer and see if you can fix it. Which of the following technologies would BEST allow you to remotely access her computer and interact with her Windows 10 laptop?

RDP
VPN
SSH
Telnet

A

The correct answer is RDP (Remote Desktop Protocol). RDP is specifically designed for remote desktop access on Windows systems, allowing you to connect to your mother’s Windows 10 laptop, view her screen, and interact with her system as if you were physically there. It provides a graphical user interface, making it user-friendly for troubleshooting.

VPN (Virtual Private Network) is useful for securely connecting to a remote network but does not allow you to control a computer directly. SSH (Secure Shell) is primarily used for secure command-line access to a system, typically on Unix-like systems, and would not provide a graphical interface for Windows. Telnet is an older protocol that offers command-line access but lacks security features and is not suitable for remote desktop tasks. Therefore, RDP is the best option for remotely accessing and interacting with her Windows laptop.

24
Q

A new network administrator is hired to replace a consultant who ran the network for several months and whose contract was just canceled. After a month of working on the network, the new network administrator realized some network issues and configuration changes in the server settings. The log files on the servers do not contain any error messages related to the issues or changes. What could be the problem?

A TACACS+ or RADIUS misconfiguration is causing logs to be erased
The server was the victim of a brute force password attack
The last ACL on the firewall is set to DENY ANY ANY
A backdoor has been installed to grant someone access to the network

A

The correct answer is a backdoor has been installed to grant someone access to the network. In this scenario, the lack of error messages in the log files, combined with unexplained network issues and configuration changes, strongly suggests that unauthorized access has occurred. A backdoor allows attackers to bypass standard security measures, making it difficult for the administrator to detect their presence or actions through logs.

The other options are less likely to be the cause. A TACACS+ or RADIUS misconfiguration might affect authentication but wouldn’t typically lead to unexplained configuration changes without logs being generated. While a brute force password attack could compromise a system, it usually produces some form of logging activity, particularly if successful logins are attempted. Lastly, while a DENY ANY ANY rule in an ACL could prevent traffic, it wouldn’t directly cause configuration changes on servers, which implies an unauthorized party is altering the settings. Thus, the most plausible explanation is that a backdoor has been installed, allowing unseen access and manipulation.

25
Q

You are trying to connect to a router using SSH to check its configuration. Your attempts to connect to the device over SSH keep failing. You ask another technician to verify that SSH is properly configured, enabled on the router, and allows access from all subnets. She attempts to connect to the router over SSH from her workstation and confirms all the settings are correct. Which of the following steps might you have missed in setting up your SSH client, preventing you from connecting to the router?

Change default credentials
Generate a new SSH key
Perform file hashing
Update firmware

A

The correct answer is generate a new SSH key. In order to connect to a router via SSH, your SSH client must use a key for authentication if public key authentication is configured on the router. If you haven’t generated an SSH key on your client device, the router will reject the connection attempt. Even if the technician can connect from her workstation, your client may lack the necessary authentication key.

The other options are less likely to be the issue in this scenario. Changing default credentials pertains more to the router’s configuration than the SSH client itself. If SSH is properly configured, as confirmed by the other technician, then default credentials should not prevent your connection. Performing file hashing is unrelated to SSH connections; it typically pertains to data integrity verification, not authentication. Lastly, updating firmware is generally not necessary for a successful SSH connection unless the router’s SSH implementation has a known bug, which is unlikely if the other technician can connect successfully. Therefore, generating a new SSH key is likely the step you missed.

26
Q

A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the back-end authentication system supports EAP and TTLS. What should the network administrator implement?

WPA2 with a pre-shared key
802.1x using PAP
PKI with user authentication
MAC address filtering with IP filtering

A

802.1x using PAP

The network administrator can utilize 802.1x using EAP-TTLS with PAP for authentication since the back-end system supports it. Password Authentication Protocol (PAP) is a password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users. MAC address filtering does not filter based on IP addresses; instead, it filters based on the hardware address of a network interface card, known as a MAC address. WPA2 is a secure method of wireless encryption that relies on the use of a pre-shared key or the 802.1x protocol. The question states, though, that the system only supports WPA; therefore, WPA2 cannot be used. PKI with user authentication would be extremely secure, but it is only used with EAP-TLS, not EAP-TTLS. EAP-TTLS only works with credential-based authentication, such as a username and password. Therefore, 802.1x using PAP is the best answer.

27
Q

A company is installing several APs for a new wireless system that requires users to authenticate to the domain. The network technician would like to authenticate to a central point. What solution would be BEST to achieve this?

Network controller
RADIUS
LACP
Proxy server

A

The correct answer is RADIUS. RADIUS (Remote Authentication Dial-In User Service) is a centralized authentication protocol commonly used for authenticating users in a wireless network. It allows users to authenticate against a central server, which is ideal for a setup where multiple access points (APs) need to authenticate users to the same domain.

The other options are not suitable for this specific requirement. A network controller can manage APs and network policies but may not provide authentication functionality by itself. LACP (Link Aggregation Control Protocol) is used for combining multiple network connections for increased bandwidth and redundancy, not for user authentication. A proxy server can facilitate requests to external resources but is not primarily designed for authenticating users on a network. Therefore, using RADIUS would be the best solution for central user authentication in this scenario.

28
Q

An attacker is using double tagging to conduct a network exploit against your enterprise network. Which of the following types of attacks is being conducted?

ARP spoofing
Rogue DHCP
DNS poisoning
VLAN hopping

A

The correct answer is VLAN hopping. Double tagging is a technique used in VLAN hopping attacks, where an attacker sends frames with two VLAN tags. The first tag is processed by the first switch, allowing the frame to enter the intended VLAN. When the frame reaches the second switch, it removes the first tag, exposing the second tag, which can be used to gain unauthorized access to other VLANs.

The other options are not relevant to double tagging. ARP spoofing involves sending falsified ARP messages over a local area network, allowing the attacker to link their MAC address with the IP address of a legitimate computer or server. Rogue DHCP refers to an unauthorized DHCP server on the network that can assign incorrect IP addresses or configurations to devices, leading to man-in-the-middle attacks or network outages. DNS poisoning involves corrupting the DNS cache to redirect traffic to malicious sites. Thus, VLAN hopping is the attack type associated with double tagging.

29
Q

Eduardo, a network technician, needs to protect IP-based servers in the network DMZ from an intruder trying to discover them. What should the network technician do to protect the DMZ from ping sweeps?

Block all ICMP traffic to and from the DMZ
Disable UDP on the servers in the DMZ
Disable TCP/IP on the servers in the DMZ
Block inbound echo replies to the DMZ

A

The correct answer is Block all ICMP traffic to and from the DMZ. By blocking ICMP (Internet Control Message Protocol) traffic, Eduardo can prevent ping sweeps, which are used by attackers to discover active devices on a network. ICMP is the protocol used by the ping command, and blocking it will stop ping requests and echo replies, making it harder for intruders to identify live hosts in the DMZ.

The other options are less effective. Disabling UDP on the servers in the DMZ would not directly address ping sweeps, as ping sweeps rely on ICMP, not UDP. Disabling TCP/IP on the servers in the DMZ would render the servers unable to communicate on the network altogether, which is not a practical solution. Finally, blocking inbound echo replies to the DMZ would only stop responses to pings but not the initial ping requests, so this approach is insufficient for protecting against ping sweeps. Therefore, blocking all ICMP traffic provides the most comprehensive protection.

30
Q

Which of the following security features should be enabled to configure a quality of service filter to manage the traffic flow of a Cisco router or switch and protect it against a denial-of-service attack?

Dynamic ARP inspection
Control plane policing
Router Advertisement Guard
DHCP snooping

A

The correct answer is Control plane policing. This security feature allows a Cisco router or switch to manage the traffic flow and protect against denial-of-service (DoS) attacks by limiting the amount of traffic that can reach the control plane of the device. By configuring control plane policing, you can specify the rate of incoming traffic to control the resource utilization on the router or switch, ensuring that critical control plane functions remain available even during traffic surges or attacks.

The other options are not directly related to managing traffic flow in the same way. Dynamic ARP inspection is designed to prevent ARP spoofing attacks by ensuring that only valid ARP requests and responses are relayed. Router Advertisement Guard helps protect against rogue router advertisements in a network. DHCP snooping prevents unauthorized DHCP servers from providing IP addresses to clients but does not manage traffic flow for the control plane. Thus, for configuring a quality of service filter to manage traffic flow and enhance security, control plane policing is the most relevant choice.

31
Q

Which of the following technologies is not commonly used by a captive portal to perform user redirection?

HTTP redirect
DNS redirect
DHCP redirect
ICMP redirect

A

The correct answer is DHCP redirect. Captive portals typically utilize HTTP redirect and DNS redirect to manage user access to the network. An HTTP redirect is used to send users to a specific webpage, often for authentication or agreement to terms of service. DNS redirect involves altering DNS responses to direct users to the captive portal when they try to access any webpage.

In contrast, DHCP redirect is not a commonly used method for user redirection in captive portals. DHCP is responsible for assigning IP addresses to devices on a network, and while it may be involved in the initial setup of network access, it does not facilitate the redirection of users to a web page or portal for authentication purposes. ICMP redirect, which is used to inform hosts about more efficient routing paths, is also unrelated to captive portal functionality.

32
Q

A technician needs to add new features to an existing router on the network. Which of the following should be performed to add the new features?

Migrating to IPv6
Firmware update
Clone the router
Vulnerability patching

A

The correct answer is firmware update. A firmware update is necessary to add new features or functionalities to an existing router. Firmware is the low-level software that controls the hardware, and manufacturers regularly release updates to improve performance, fix bugs, and introduce new capabilities. By updating the router’s firmware, the technician can ensure that the device has the latest features and security enhancements.

Migrating to IPv6 may provide new networking capabilities, but it does not directly add features to the existing router’s firmware. Cloning the router would create a duplicate configuration but would not enhance or add new functionalities. Vulnerability patching is essential for security purposes but does not typically introduce new features; it focuses on fixing security issues in the existing firmware.

33
Q

A new piece of malware attempts to exfiltrate user data by hiding the traffic and sending it as TLS-encrypted outbound traffic over random ports. What technology would be able to detect and block this type of traffic?

Stateful packet inspection
Application-aware firewall
Intrusion detection system
Stateless packet inspection

A

The correct answer is application-aware firewall. An application-aware firewall, also known as a next-generation firewall (NGFW), can inspect and analyze the data within the packets, including those that are TLS-encrypted. This capability allows it to identify and block malicious traffic based on application-level signatures and behavior, even if the traffic is obfuscated or sent over random ports.

Stateful packet inspection focuses on monitoring the state of active connections and can track connections based on their state, but it may not analyze the actual content within the encrypted traffic. An intrusion detection system (IDS) can alert on suspicious activity but may not actively block traffic, and stateless packet inspection processes packets individually without considering their context in a session, making it less effective against such sophisticated threats.

34
Q

A network technician is tasked with designing a firewall to improve security for an existing FTP server on the company network. The FTP server must be accessible from the Internet. The security team is concerned that the FTP server could be compromised and used to attack the domain controller hosted within the company’s internal network. What is the BEST way to mitigate this risk?

Upgrade the FTP server to an SFTP server since it is more secure
Configure the firewall to utilize an implicit deny statement
Add a deny rule to the firewall’s ACL that blocks port 21 outbound
Migrate the FTP server from the internal network to a screened subnet

A

The best way to mitigate the risk is to migrate the FTP server from the internal network to a screened subnet. This approach effectively isolates the FTP server from the internal network, minimizing the potential impact of a compromise. By placing the FTP server in a demilitarized zone (DMZ), you create an additional layer of security, ensuring that even if the FTP server is attacked, the intruder does not have direct access to the more sensitive internal resources, like the domain controller.

Upgrading to an SFTP server is beneficial for securing data in transit but does not address the risk of the FTP server being used as a launch point for attacks on the internal network. Configuring the firewall with an implicit deny statement is a good practice, but it does not specifically isolate the FTP server from the internal network. Adding a deny rule for outbound traffic on port 21 does not fully mitigate the risk since it does not prevent attacks from affecting the internal network; it merely limits certain outbound traffic. Thus, moving the FTP server to a screened subnet provides the best overall security posture.

35
Q

An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. Which of the following protocols should they choose?

PAP
TACACS+
Kerberos
RADIUS

A

The Kerberos protocol is designed to send data over insecure networks while using strong encryption to protect the information. RADIUS, TACACS+, and PAP are all protocols that contain known vulnerabilities that would require additional encryption to secure them during the authentication process.

36
Q

Which of the following would NOT be useful in defending against a zero-day threat?

Threat intelligence
Segmentation
Patching
Allow listing

A

Patching would not be useful in defending against a zero-day threat. A zero-day threat refers to a vulnerability that is exploited by attackers before the vendor has had the opportunity to issue a patch or update to fix the vulnerability. Since patching is contingent upon the availability of a fix, it cannot be used as a defense mechanism until after a zero-day vulnerability has been discovered and a patch has been released.

Threat intelligence can help organizations identify emerging threats and vulnerabilities, which is crucial for understanding potential zero-day attacks. Segmentation can limit the impact of an exploit by isolating affected systems and restricting lateral movement within the network. Allow listing allows only approved applications to run, thereby reducing the risk of unknown or malicious software executing on systems. Therefore, while patching is important for long-term security, it does not provide immediate protection against zero-day threats.

37
Q

Rick is upset that he was passed over for a promotion. He decides to take revenge on his nemesis, Mary, who got the job instead of him. Rick sets up an on-path attack against Mary’s computer by redirecting any layer 2 traffic destined for the gateway to his computer first. Rick is careful only to affect the traffic associated with Mary’s computer and not the entire network. Which type of on-path attack is Rick conducting against Mary?

ARP poisoning
MAC spoofing
Evil twin
IP spoofing

A

Rick is conducting an ARP poisoning attack against Mary. In an ARP poisoning attack, the attacker sends forged ARP (Address Resolution Protocol) messages onto the network to associate their MAC address with the IP address of another device, such as the gateway. This causes traffic that should be directed to the legitimate gateway to be sent to the attacker’s device instead. By carefully targeting only Mary’s computer, Rick is able to intercept her traffic without affecting the entire network, which is characteristic of ARP poisoning.

MAC spoofing involves changing the MAC address of a network interface to impersonate another device on the network but does not specifically involve redirecting traffic. An evil twin attack refers to setting up a rogue access point that mimics a legitimate one, tricking users into connecting to it. IP spoofing involves sending packets from a false (or “spoofed”) source address, which does not apply in this scenario as Rick is targeting layer 2 traffic. Thus, ARP poisoning is the correct identification of the attack Rick is conducting.

38
Q

After an employee connected one of the switchports on a SOHO router to the wall jack in their office, other employees in the building started receiving “duplicate IP address” errors and experiencing intermittent network connectivity. You check the configuration on one of the affected clients and see it has been assigned an IP address of 192.168.1.54. Which of the following could be enabled on the company’s network to prevent this from occurring?

Split horizon
ARP inspection
Router Advertisement guard
DHCP snooping

A

To prevent the “duplicate IP address” errors and intermittent network connectivity issues caused by the scenario described, enabling DHCP snooping on the company’s network would be the most effective solution. DHCP snooping is a security feature that helps prevent rogue DHCP servers from assigning IP addresses to clients on the network. By only allowing DHCP responses from trusted sources (such as the authorized DHCP server), DHCP snooping helps ensure that clients receive valid IP addresses and prevents unauthorized devices from causing IP address conflicts.

Split horizon is a technique used in routing protocols to prevent routing loops, but it does not directly relate to IP address assignment issues. ARP inspection is designed to prevent ARP spoofing attacks but does not address the issue of duplicate IP assignments directly. Router Advertisement Guard is used in IPv6 networks to secure router advertisements but is not applicable in this case, which deals with IPv4 DHCP assignments. Thus, DHCP snooping is the most suitable choice to mitigate the problem.