Securing the Network Infrastructure Flashcards
Your manager has asked you to configure performance alert notifications for abnormal app performance conditions. What must you establish first?
IP addressing schema
Baseline
Network diagrams
Baseline
A performance baseline is established over time by measuring normal application performance. Comparing the baseline to current performance conditions can identify performance problems, which could be indicative of malicious activity, such as excessive CPU utilization resulting from Bitcoin-mining malware or other malicious apps.
A security audit of your call center has revealed that callers’ credit card numbers are shown on call center employees’ screens while they are working with customer queries. What should be configured to conceal customer credit card numbers?
Encryption
Data tokenization
Data masking
Data masking
Data masking is used to hide, or "mask," some or all of a sensitive value, such as hiding all but the last few digits of a credit card number. This enables call center workers to verify customer details without being exposed to the customer's entire credit card number.
Your organization stores sensitive medical data in the cloud. You must ensure that the data is not replicated outside of national boundaries for legal reasons. Which term best encompasses this scenario?
API strategy
Zero trust
Data sovereignty
Data sovereignty
Data sovereignty refers to managing sensitive data that is subject to the laws present at the storage location
Users in your company use a VPN to connect to the corporate network. In terms of network placement, where should the VPN appliance be placed?
Default VLAN
Intranet
Screened subnet
Screened subnet
A screened subnet is a network that resides between a public network such as the Internet and an internal secured network. Publicly accessible services such as corporate VPN endpoints should be placed in a screened subnet. Firewall rules are still used to control traffic into and out of the screened subnet.
You need to secure network traffic between clients and servers for multiple line-of-business apps running on your organization's private Microsoft Active Directory (AD) network. Which solution meets this requirement while minimizing the amount of technician effort?
SSL/TLS
L2TP
IPSec
IPSec
IPSec requires the least amount of administrative effort because it can be configured centrally for Active Directory using Group Policy, and it protects network traffic at the IP layer without requiring individual applications to be configured, unlike SSL/TLS.
You are running virtual machines in the public cloud. For security reasons, you do not want each virtual machine to have a publicly accessible IP address. What should you configure to enable remote management of the virtual machines? Each answer is independent of the other. (Choose two.)
Jump box
VPN
Forward proxy server
HSM
Jump box
VPN
A jump box is a host with connectivity both to a public network such as the Internet and to an internal network. After authenticating to the jump box, an administrator can initiate remote management sessions from it to internal devices and hosts. Using a VPN to connect to the private network would also enable remote management of devices and hosts.
You need to limit which devices can be active when plugged into a network switch port. What should you configure?
Broadcast storm prevention
MAC filtering
Bridging loop prevention
MAC filtering
Network interface cards are uniquely identified by a 48-bit Media Access Control (MAC) address, usually written in hexadecimal. Network switch ports can be configured to allow only specific MAC addresses to connect to a switch port and be present on the network.
Your network intrusion detection system (NIDS) is configured to receive automatic updates for known malicious attacks. Which type of intrusion detection is used in this case?
Anomaly-based
Heuristic-based
Signature-based
Signature-based
Updated signature databases of known malware and attack patterns are compared against current activity to determine whether a suspicious incident is taking place. Both network intrusion prevention system (IPS) and network intrusion detection system (IDS) sensors can be used to collect and monitor network activity. The primary difference is that an IPS can take response and recovery steps to block suspicious activity, while an IDS is focused on reporting and alerting.
Your firewall is configured to examine each individual packet without regard for network sessions. Which type of firewall is being used?
Stateful
Web application firewall
Stateless
Stateless
To determine whether network traffic should be allowed or blocked, stateless firewalls examine each packet and treat each independently from the others with no regard for the relationship of packets in a network session
Virtual machines in your public cloud are configured with private IP addresses. Each virtual machine requires access only to the Internet. Which of the following options is the best choice?
Web application firewall
NAT gateway
Unified threat management gateway
NAT gateway
Network address translation (NAT) gateways enable hosts with only private IP addresses to access Internet resources through the NAT gateway public IP address; this removes the need for all hosts to have public IP addresses
You run a small business and need an inexpensive, yet effective, network firewall solution. Which type of firewall should you consider? (Choose the best answer.)
Unified threat management
Proprietary
Open source
Open source
Open source software such as firewall software is normally inexpensive (often free), compared to proprietary software solutions
You need a fast, secure, and reliable multihomed network perimeter solution that is designed to prevent specific types of network traffic from entering your corporate network. Which solution should you deploy?
Software firewall
Virtual firewall
Hardware firewall
Hardware firewall
Because hardware firewall appliances run firmware designed specifically for security purposes, they are generally considered faster and more reliable than most software firewalls, which run within multipurpose operating systems.
Due to changes in your network infrastructure, you have been tasked with modifying firewalls to allow and block network traffic. Which aspect of the firewalls will you be configuring?
Port taps
Quality of service
Access control lists
Access control lists
Firewall access control lists (ACLs) are collections of rules that contain transmission detail conditions such as source IP address, destination URL, port numbers, or protocol types that should be allowed or blocked
To which of the following does SSL/TLS directly apply? (Choose two.)
Data at rest
Data in process
Data in motion
Data in transit
Data in motion
Data in transit
Data in motion and data in transit are the same thing: data being transmitted over a network. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are network security protocols that can encrypt network communications. SSL has been deprecated in favor of using newer versions of TLS such as version 1.3. SSL and TLS require a PKI certificate to secure connections, such as requiring a PKI certificate on a web server to allow HTTPS communication
Currently in your organization, on-premises user app access is limited based on each user's security clearance and the type of mobile device they are using. You would like to extend this configuration to the cloud. Which security service should be enabled?
Unified threat management
Cloud access security broker
DDoS mitigation
Cloud access security broker
A cloud access security broker (CASB) provides services to centrally manage IT security policies including encryption, data loss prevention, authentication, and authorization across on-premises and cloud environments. CASB solutions can greatly enhance an organization’s ability to comply with data privacy regulations
Which type of cryptographic operation serves as a one-way function resulting in a unique value?
Hashing
Encryption
Data masking
Hashing
Hashing feeds data through a one-way cryptographic hashing algorithm such as SHA-256, which results in a unique value representative of the original data. This is used for storing standard Unix and Linux password hashes in the /etc/shadow file and to track changes to files or network transmissions.
To attract and monitor malicious user activity, you need to deploy a single server with fake data that appears vulnerable. What should you configure?
Honeynet
Honeypot
Honeyfile
Honeypot
A honeypot is a decoy system configured to appear as a legitimate host that may contain legitimate sensitive data. The host is intentionally configured in this way to track malicious user activity. The resultant telemetry can provide insights into the security posture of the organization and indicate what must be done to harden the environment.
Which term is used to describe network traffic within a data center?
East-west traffic
North-south traffic
Honeynet traffic
East-west traffic
East-west traffic refers to network transmissions occurring within the boundaries of a network environment, such as between physical and virtual devices and hosts within a single data center
VPN users complain that accessing Internet web sites when connected to the corporate VPN is very slow. Which VPN option should you configure to allow Internet access through the user’s Internet connection when the corporate VPN is active?
Always On VPN
Split tunnel
Full tunnel
Split tunnel
Split tunneling can be configured for the VPN so that connections to corporate resources traverse the VPN tunnel while Internet-bound traffic goes directly through the user's own Internet connection.
You need to connect branch office networks securely over the Internet. Which type of VPN should you deploy?
Always On VPN
Split tunnel
Site-to-site
Site-to-site
A site-to-site VPN can link networks, such as the networks at remote branch offices, together over the Internet. A VPN device must reside on each network. When the VPN tunnel is active, traffic between branch offices is encrypted as it traverses the tunnel. Client endpoint devices in each branch office do not need a VPN client configuration, as they would with a client-to-site VPN connection.
You need to enable secure remote access to internal company HTTPS web applications as well as SSH connections to internal Linux hosts for users authenticating over the Internet. What should you enable?
Always On VPN
Split tunnel
HTML5 VPN portal
HTML5 VPN portal
An HTML5 VPN portal enables users to make secured connections to private network resources over the Internet using only an HTML5 web browser. This is normally an option that must be enabled within a unified threat management (UTM) or next-generation firewall. HTML5 VPN portals are also called "clientless VPNs," since a separate VPN client is not required.
You are configuring firewall ACLs. You need to allow DNS client queries to reach DNS servers hosted on different internal networks. Which details should exist in the rule to allow the DNS query traffic?
TCP 53
TCP 80
UDP 53
UDP 53
Client DNS queries occur over UDP port 53
Which statement best embodies the purpose of Network Access Control (NAC) solutions?
DDoS mitigation
Data loss prevention
Control device network access
Control device network access
Network Access Control (NAC) solutions can control device network access by ensuring that connecting users and devices meet a variety of conditions before being granted network access, such as specific authentication method used, device type, up-to-date software patches, and so on. Some NAC solutions require an agent to be installed on connecting devices, whereas others are agentless
Your network infrastructure team has recommended dedicated VLANs with dedicated management interfaces for servers and network equipment. Which term best embodies this configuration?
Data loss prevention
Out-of-band management
Bridge looping
Out-of-band management
Out-of-band management refers to using an alternative connection (not the standard network communication medium) to manage network devices and hosts. This provides a layer of security and reliability due to network isolation
Which of the following is a cryptographic hashing algorithm?
3DES
AES
SHA
SHA
The Secure Hash Algorithm family (for example, SHA-256) consists of one-way cryptographic hashing algorithms that result in a unique value representative of the original data. This is used for storing standard Unix and Linux password hashes in the /etc/shadow file and to track changes to files or network transmissions.
You need to analyze all network traffic within a network switch. What must be configured?
DHCP snooping
BPDU guard
Port mirroring
Port mirroring
Capturing network traffic can be configured within a network switch using port mirroring (also called port spanning, or SPAN), which copies all switch port network traffic to a designated monitoring port. A technician plugged into the monitoring port can then run network-capture software such as Wireshark to analyze all switch network traffic.
Which of the following is used by file integrity monitoring?
Encryption
Hashing
Data loss protection
Hashing
Hashing feeds data through a one-way cryptographic hashing algorithm such as SHA-256, which results in a unique value representative of the original data. This is used for storing standard Unix and Linux password hashes in the /etc/shadow file and to track changes to files or network transmissions. File integrity monitoring can use hashing to detect changes to any type of file, including database, office productivity, and operating system files.