Security Infrastructure Flashcards

Question

You are modifying an ACL to enhance security. Which of the following actions should you take to ensure proper logging and auditing? A) Disable logging to improve performance. B) Log only permit actions. C) Log all deny actions. D) Use only generic rules to reduce log size.

Answer 1

Answer: C) Log all deny actions. Explanation: A) Incorrect: Disabling logging removes visibility into potential security incidents. B) Incorrect: Logging only permit actions does not provide insight into blocked traffic. C) Correct: Logging all deny actions helps identify and investigate potential threats. D) Incorrect: Generic rules can lead to unintended matches and reduce security.

Answer 2

Answer: D) All of the above Explanation: A) Correct: The type of traffic (protocol) is a key component. B) Correct: The source of traffic (IP address or subnet) is a key component. C) Correct: The destination of traffic (IP address or subnet) is a key component. D) Correct: All of the above are key components of an ACL rule.

Answer 3

Answer: B) To identify and investigate potential security threats. Explanation: A) Incorrect: Logging does not directly improve performance. B) Correct: Logging deny actions helps identify and investigate potential threats. C) Incorrect: Logging does not reduce the size of the ACL. D) Incorrect: Logging does not permit blocked traffic; it only records the action.

Answer 4

Answer: B) Software-Based Firewall Explanation: A) Incorrect: Hardware-based firewalls protect entire networks, not individual devices. B) Correct: Software-based firewalls run on individual devices and provide per-device security. C) Incorrect: WAFs focus on web application traffic, not general workstation traffic. D) Incorrect: Kernel proxy firewalls inspect packets at every layer but are not typically used for individual workstations.

Answer 5

Answer: B) Web-Based Interface

Answer 6

Answer: B) Quality of Service (QoS)

Answer 7

Answer: B) To block all unmatched traffic.

Answer 8

Correct Answer: A ✅ A) IDS logs and alerts, while IPS logs, alerts, and takes action An IDS (Intrusion Detection System) is passive, meaning it only logs or alerts about suspicious activity but does not take direct action. An IPS (Intrusion Prevention System) is active, meaning it logs, alerts, and also takes action (e.g., blocking traffic) to stop threats. Incorrect Answers: ❌ B) IDS takes action against threats, while IPS only monitors and logs them Incorrect because IDS does not take action, while IPS does. ❌ C) IPS operates only on host-based systems, while IDS is network-based Incorrect because both IDS and IPS can be implemented as network-based (NIDS) or host-based (HIDS). ❌ D) IDS and IPS are both preventive technologies that actively block attacks Incorrect because IDS does not block attacks—it only alerts. Only IPS actively blocks threats.

Answer 9

Correct Answer: B ✅ B) On a SPAN (mirror) port of the main switch A SPAN (Switched Port Analyzer) port, also called a mirror port, is commonly used to monitor all network traffic and send a copy to the NIDS for inspection. Incorrect Answers: ❌ A) Inside the firewall, directly monitoring internal traffic Incorrect because NIDS is typically deployed at the network perimeter to monitor incoming/outgoing traffic before reaching internal systems. ❌ C) Installed on each endpoint device individually Incorrect because that describes Host-based IDS (HIDS), not Network-based IDS (NIDS). ❌ D) On a separate network outside of the organization's main network Incorrect because an IDS needs direct access to the main network’s traffic to detect potential threats.

Answer 10

Correct Answer: C ✅ C) Anomaly-based IDS Anomaly-based IDS works by establishing a baseline of normal behavior and detecting deviations, making it effective at identifying zero-day attacks (unknown threats). Incorrect Answers: ❌ A) Signature-based IDS Incorrect because it only detects known threats based on predefined signatures. Zero-day attacks don’t have signatures yet. ❌ B) Stateful-matching IDS Incorrect because it detects threats by tracking the state of network traffic but still relies on predefined rules. ❌ D) Pattern-matching IDS Incorrect because pattern-matching relies on predefined patterns and cannot detect unknown attacks.

Answer 11

Correct Answer: C ✅ C) Wireless IDS (WIDS) WIDS (Wireless Intrusion Detection System) is designed to monitor Wi-Fi traffic, detect unauthorized devices, and identify potential threats to the wireless network. Incorrect Answers: ❌ A) Host-based IDS (HIDS) Incorrect because HIDS monitors specific devices, not wireless networks. ❌ B) Network-based IDS (NIDS) Incorrect because NIDS monitors wired network traffic, not Wi-Fi traffic. ❌ D) Intrusion Prevention System (IPS) Incorrect because IPS is a preventive system, whereas WIDS is specifically for monitoring wireless networks.

Answer 12

Correct Answer: B ✅ B) Correct. Stateful-matching IDS tracks the state of network connections (i.e., keeps track of the connection's status over time) and analyzes patterns of traffic over multiple packets. This allows it to detect more complex, multi-step attacks, like those that involve a series of interactions, such as a buffer overflow attack or a TCP handshake attack. By tracking the entire session, it can identify malicious behavior that spans multiple packets. Incorrect Answers: ❌ A) It requires less processing power and memory Incorrect because stateful-matching requires more resources to track the state of network connections. ❌ C) It is more effective at detecting zero-day attacks Incorrect because anomaly-based IDS is better suited for zero-day detection, not stateful-matching. ❌ D) It only analyzes single packets for specific patterns Incorrect because pattern-matching IDS works this way, whereas stateful-matching looks at sequences of packets. ## Footnote Buffer Overflow Attack Imagine a buffer as a storage space in a computer's memory where data is temporarily held while it's being processed. Every buffer has a specific size—like a cup that can only hold a certain amount of water. What happens in a buffer overflow attack? An attacker sends more data into the buffer than it can handle. This is like trying to pour more water into a cup than it can hold, causing the water to spill over the sides. Why is this a problem? When the excess data "spills" over, it can overwrite important information in the computer’s memory. This could allow the attacker to: Crash the system by corrupting the program. Take control of the system by inserting malicious code into the memory, which then gets executed. Example: Imagine you're entering a password into a website. If the website doesn't properly check the length of the password, an attacker could send a longer password that overflows the memory and could make the system run malicious code. TCP Handshake Attack The TCP handshake is like a way for two devices (like your computer and a server) to introduce themselves and establish a connection before they start communicating. What is the TCP handshake? Step 1: Your computer (client) says, "Hello, I want to connect to you" (this is the SYN request). Step 2: The server responds, "Sure, I’m ready to connect with you" (this is the SYN-ACK reply). Step 3: Your computer says, "Great, let’s start" (this is the ACK reply to finalize the handshake). What happens in a TCP handshake attack? An attacker can interrupt or fake this process, which causes problems: Denial of Service (DoS): The attacker sends many "SYN" requests but doesn't complete the handshake. The server keeps waiting for the final ACK, wasting its resources and making it unavailable to legitimate users. SYN Flood Attack: The attacker floods the server with many incomplete handshake requests. The server’s resources get used up, and it can't process real requests from legitimate users.

Answer 13

Correct Answer: A ✅ A) Directly behind the firewall, inspecting all incoming and outgoing traffic An IPS should be placed directly behind the firewall so that it can inspect traffic that has passed through initial filtering but still might contain threats. Incorrect Answers: ❌ B) On a separate VLAN, monitoring only internal traffic Incorrect because IPS needs to scan traffic entering and leaving the network, not just internal traffic. ❌ C) At the user endpoint level, on each device Incorrect because IPS is typically deployed at the network level, not individual endpoints. HIDS would be used on endpoints. ❌ D) Outside the firewall, monitoring traffic before it reaches the network Incorrect because an IPS outside the firewall would be overwhelmed with malicious traffic, making it inefficient.

Answer 14

Answer: B) Jump Server Explanation: A) Proxy Server: While proxy servers provide security features such as filtering and caching, they are not specifically designed for secure administrative access to servers in different security zones. B) Jump Server: This is the correct option. Jump servers provide a secure gateway for system administrators to access devices in different security zones. It minimizes risk by isolating the sensitive systems and logging all access attempts. C) Load Balancer: Load balancers distribute traffic across multiple servers for high availability but do not control administrative access or provide enhanced security for sensitive server access. D) Network Sensor: Network sensors monitor traffic for suspicious activity, but they are not intended for securing administrative access to critical systems.

Answer 15

Answer: A) Application Delivery Controller (ADC) Explanation: A) Application Delivery Controller (ADC): ADCs are the best choice for distributing traffic across multiple servers while offering additional functionality such as SSL termination, HTTP compression, and content caching. This enhances both performance and security. B) Proxy Server: While proxy servers provide traffic management and caching, they are not as optimized for load balancing and advanced traffic management as ADCs. C) Network Sensor: Network sensors are used to monitor network traffic for suspicious activity, but they don’t manage traffic distribution or load balancing. D) Jump Server: Jump servers secure administrative access to critical systems but do not provide traffic distribution capabilities. SSL Termination: What it is: SSL Termination is when the ADC (Application Delivery Controller) handles the secure SSL/TLS encryption and decryption for you. How it works: Normally, when someone visits a website using HTTPS, the data is encrypted between the user’s browser and the server. With SSL termination, the ADC handles that encryption and decryption process. The ADC decrypts the secure data, passes it to the web server unencrypted, and then encrypts the response back to the user. Why it’s used: It offloads the SSL decryption from the web server, freeing it up to focus on delivering content faster. It also centralizes SSL management (making it easier to renew and manage SSL certificates).

Answer 16

Answer: B) Proxy Server Explanation: A) Application Delivery Controller (ADC): While ADCs manage traffic distribution and enhance performance, they are not designed specifically to hide the server's IP address or filter malicious traffic in the context of DDoS attacks. B) Proxy Server: This is the correct choice. A proxy server can hide the real server's IP address and filter traffic, blocking suspicious or malicious requests, which is crucial during a DDoS attack. C) Jump Server: Jump servers are used for secure administrative access, not for mitigating DDoS attacks or filtering malicious traffic. D) Network Sensor: Network sensors monitor traffic for suspicious activity but do not perform the actual filtering or traffic management to mitigate a DDoS attack.

Answer 17

Answer: A) Application Delivery Controller (ADC) Explanation: A) Application Delivery Controller (ADC): ADCs are designed to optimize web server performance by offloading tasks like SSL termination, content caching, and HTTP compression. This would reduce server load and improve response times. B) Network Sensor: Network sensors are used for traffic monitoring and security but do not directly optimize web server performance or reduce load from frequently requested content. C) Load Balancer: Load balancers distribute traffic across multiple servers, but they do not handle caching or content compression like ADCs. D) Proxy Server: While proxy servers help with caching, they are not as specialized in web server optimization and performance as ADCs.

Answer 18

Answer: A) Proxy Server Explanation: A) Proxy Server: Proxy servers can be configured to route traffic in a way that restricts or controls traffic from specific geographical regions, making it the ideal choice for enforcing this policy. B) Jump Server: Jump servers are used for secure administrative access but do not provide geographical filtering for network traffic. C) Application Delivery Controller (ADC): While ADCs provide traffic management and performance optimization, they do not specifically handle geographical access control. D) Network Sensor: Network sensors monitor traffic for suspicious activity but do not control or filter access based on geographical location.

Answer 19

Correct Answer: B. Use 802.1X authentication in conjunction with port security. Explanation: A: Disabling port security would leave the network vulnerable to unauthorized access. B: 802.1X authentication adds an extra layer of security by requiring devices to authenticate before accessing the network, reducing the risk of MAC spoofing. C: Increasing the number of allowed MAC addresses per port would weaken port security. D: Disabling the CAM table would prevent the switch from functioning properly.

Answer 20

Correct Answer: B. To dynamically authorize the first connected device’s MAC address. Explanation: A: Sticky MACs do not allow unlimited MAC addresses; they restrict access to authorized devices. B: Sticky MACs automatically authorize the first connected device’s MAC address, simplifying setup. C: Sticky MACs do not disable port security; they enhance it. D: Flooding traffic is unrelated to sticky MACs.

Answer 21

Correct Answer: B. By preventing collisions and operating in full-duplex mode. Explanation: A: Switches operate at Layer 2, not Layer 3. B: Switches prevent collisions and use full-duplex mode, allowing simultaneous data transmission and reception. C: Broadcasting all traffic is a characteristic of hubs, not switches. D: Switches do not use static routing tables; they use MAC address tables.

Answer 22

Correct Answer: B. It forwards the frame to all ports except the source port. Explanation: A: The switch does not drop the frame; it floods it. B: This is called flooding, and it ensures the frame reaches its destination. C: Switches do not use default gateways for unknown MAC addresses. D: Blocking the frame would prevent communication.

Answer 23

Correct Answer: A. It can be overwhelmed by MAC flooding attacks. Explanation: A: MAC flooding attacks overwhelm the CAM table, causing the switch to fail open and flood traffic. B: The CAM table can store thousands of MAC addresses, not just 10. C: The CAM table is not encrypted; it is a memory table. D: The CAM table supports VLANs.

Answer 24

Correct Answer: B. Implement port security to limit the number of MAC addresses per port. Explanation: A: Disabling the CAM table would prevent the switch from functioning. B: Port security limits the number of MAC addresses per port, preventing MAC flooding. C: Static routing tables are unrelated to CAM table protection. D: The CAM table cannot be encrypted.

Answer 25

Correct Answer: B. Authenticator Explanation: A: The supplicant is the device trying to connect. B: The authenticator (switch or AP) forwards credentials to the authentication server. C: The authentication server validates the credentials. D: RADIUS is a type of authentication server.

Answer 26

Correct Answer: C. RADIUS combines authentication and authorization, while TACACS+ separates them. Explanation: A: TACACS+ is Cisco proprietary, not RADIUS. B: RADIUS uses UDP, while TACACS+ uses TCP. C: TACACS+ separates authentication, authorization, and accounting (AAA), while RADIUS combines them. D: TACACS+ is slower due to TCP overhead.

Answer 27

Correct Answer: B. EAP-TLS Explanation: A: EAP-MD5 uses passwords, not certificates. B: EAP-TLS requires certificates on both the client and server for mutual authentication. C: EAP-TTLS requires a certificate only on the server. D: EAP-FAST uses protected access credentials (PAC), not certificates. ## Footnote 802.1X is like a gatekeeper that controls access to the network. It says, "Only authenticated devices can pass through." EAP is the method used by 802.1X to authenticate those devices. For example, 802.1X might use EAP to check if the device has the correct password, certificate, or other credentials before letting it onto the network.

Answer 28

Correct Answer: A. EAP-FAST is faster and does not require certificates. Explanation: A: EAP-FAST uses pre-shared keys (PSK) instead of certificates, making it simpler and faster to deploy. B: EAP-TLS provides stronger encryption due to its use of certificates. C: EAP-LEAP is Cisco proprietary, not EAP-FAST. D: EAP-FAST does not use certificates on both the client and server. ## Footnote EAP-FAST is faster mainly because it uses symmetric key cryptography instead of relying on public key infrastructure (PKI) like EAP-TLS.

Answer 29

Correct Answer: B. EAP-TTLS Explanation: EAP-TTLS requires a server certificate but allows clients to use passwords for authentication, making it more flexible than EAP-TLS.

Answer 30

Correct Answer: B. It is vulnerable to dictionary attacks. Explanation: EAP-LEAP uses weak encryption for passwords, making it susceptible to dictionary attacks. ## Footnote EAP-LEAP (Lightweight Extensible Authentication Protocol) is a wireless authentication method created by Cisco. It was designed to improve security over basic WEP encryption, but it has serious weaknesses.

Answer 31

Correct Answer: B. TACACS+ Explanation: TACACS+ uses TCP and separates authentication, authorization, and accounting, providing more granular control.

Answer 32

Correct Answer: C. Implement 802.1X authentication. Explanation: 802.1X authentication ensures that only authorized devices can connect, reducing the risk of MAC spoofing. ## Footnote Where 802.1X is Used: Switches → Used for wired network access control. Wireless Access Points (WAPs) → Used for Wi-Fi authentication (e.g., WPA2-Enterprise). How It Works on a Switch: A device (supplicant) connects to a switch port. The switch (authenticator) blocks access until authentication is complete. The switch forwards authentication requests to a RADIUS server. If credentials are valid, network access is granted. Otherwise, the device is denied or placed in a guest VLAN.

Answer 33

Correct Answer: C. It uses Layer 3 routing to forward the traffic. Explanation: A switch operates primarily at Layer 2 (Data Link Layer), but when devices are in different VLANs, Layer 3 (Network Layer) routing is required to route traffic between them. This routing is done by either a Layer 3 switch or an external router. Here's how it works: Devices in different VLANs are separated at Layer 2, meaning they cannot communicate directly with each other. A Layer 3 switch or router is used to perform inter-VLAN routing (also called routing between VLANs) by forwarding traffic based on IP addresses.

Answer 34

Correct Answer: D. Port security → 802.1X → EAP Explanation: Port security restricts access at the port level, 802.1X enforces authentication, and EAP provides the authentication framework. ## Footnote port security is a feature on network switches that controls how many devices (based on MAC addresses) are allowed to connect to a particular port.

Answer 35

Correct Answer: B. Site-to-Site VPN Explanation: A: Client-to-Site VPN is for individual users, not entire networks. B: Site-to-Site VPN connects two or more networks securely over the internet. C: Clientless VPN is for accessing resources via a web browser, not connecting networks. D: Split Tunnel VPN is a configuration, not a VPN type.

Answer 36

Correct Answer: B. Client-to-Site VPN Explanation: A: Site-to-Site VPN connects networks, not individual users. B: Client-to-Site VPN is designed for individual users to securely access a private network. C: Clientless VPN is for web-based access, not full network access. D: Full Tunnel VPN is a configuration, not a VPN type.

Answer 37

Correct Answer: C. Clientless VPN Explanation: A: Site-to-Site VPN connects networks, not individual users. B: Client-to-Site VPN requires software installation. C: Clientless VPN allows secure access via a web browser without additional software. D: Split Tunnel VPN is a configuration, not a VPN type.

Answer 38

Correct Answer: A. Full Tunnel VPN Explanation: A: Full Tunnel VPN routes all traffic through the VPN, providing higher security on untrusted networks. B: Split Tunnel VPN is less secure as it routes only some traffic through the VPN. C: Clientless VPN is for web-based access, not full network access. D: Site-to-Site VPN connects networks, not individual users.

Answer 39

Correct Answer: B. To encrypt data and establish secure communication. Explanation: A: The TCP 3-way handshake establishes the basic connection. B: The TLS handshake secures the connection by agreeing on encryption keys and methods. C: Authentication is part of the process but not the primary purpose. D: Fragmentation is unrelated to the TLS handshake.

Answer 40

Correct Answer: B. DTLS Explanation: A: IPSec is used for VPNs, not specifically for video conferencing. B: DTLS is a UDP-based version of TLS, ideal for real-time applications like video conferencing. C: AH provides integrity and authentication but does not encrypt data. D: ESP provides encryption but is not UDP-based.

Answer 41

Correct Answer: A. Transport Mode Explanation: A: Transport Mode encrypts only the payload, leaving the original IP header visible( Which contain the source and destination IP addresses). B: Tunnel Mode encrypts the entire packet, including the header. C: Full Tunnel Mode is a VPN configuration, not an IPSec mode. D: Split Tunnel Mode is a VPN configuration, not an IPSec mode.

Answer 42

Correct Answer: B. Increase the MTU size using jumbo frames. Explanation: A: Transport Mode is not suitable for site-to-site VPNs. B: Jumbo frames (up to 9000 bytes) can reduce fragmentation in site-to-site VPNs. C: Clientless VPN is not relevant to fragmentation issues. D: Split Tunnel VPN does not address fragmentation.

Answer 43

Correct Answer: B. AH Explanation: A: ESP provides encryption, integrity, and authentication. B: AH ensures data integrity and authentication but does not encrypt data. C: IKE is used for key exchange, not data integrity. D: DTLS is a UDP-based encryption protocol. ## Footnote Packet Structure (ESP in Tunnel Mode): | New IP Header | ESP Header | Encrypted (Original IP Header + Data) | ESP Trailer | ESP Auth (Optional) | Packet Structure (AH in Tunnel Mode): | New IP Header | AH | Original IP Header | Data | How AH Works: Data Integrity: It uses cryptographic hash functions (e.g., SHA-1, SHA-2) to ensure that the data has not been altered in transit. Authentication: It verifies the sender’s identity using a shared secret or public-key cryptography. No Encryption: It does not modify or hide the content of the data, unlike other IPSec components that provide encryption.

Answer 44

Correct Answer: A. To establish a secure channel for data transfer. Explanation: A: SAs define the encryption algorithms, authentication methods, and keys for secure communication. B: Fragmentation is unrelated to SAs. C: Authentication is part of the SA but not its primary purpose. D: Encrypting the payload is a function of ESP, not SAs.

Answer 45

Correct Answer: B. To establish a secure channel for further negotiations. Explanation: IKE Phase 1 authenticates devices and sets up a secure channel for IKE Phase 2 negotiations.

Answer 46

Correct Answer: C. ACK Explanation: The ACK (Acknowledgment) step confirms the connection is ready for data transfer.

Answer 47

Correct Answer: B. By using sequence numbers to check packet order. Explanation: IPSec uses sequence numbers to ensure packets are not replayed by attackers.

Answer 48

Correct Answer: A. A new IP header. Explanation: Tunnel Mode encapsulates the entire original packet (header + payload) and adds a new IP header.

Answer 49

Correct Answer: C. Local Area Networks (LANs). Explanation: Jumbo frames are used in LANs to improve performance but are not suitable for WANs or VPNs over the internet.

Answer 50

Correct Answer: B. They cannot be used for non-web-based applications. Explanation: Clientless VPNs are limited to web-based access and cannot be used for non-web-based applications.

Answer 51

Correct Answer: C. IPSec Explanation: IPSec operates at the network layer and secures all types of traffic, while TLS operates at the application layer.

Answer 52

Correct Answer: B. Comprehensive security (encryption, integrity, and authentication). Explanation: ESP provides encryption, while AH provides integrity and authentication. Using both ensures comprehensive security.

Answer 53

Correct Answer: B. To efficiently route traffic between remote sites, data centers, and cloud environments. Explanation: A: SD-WAN does not replace firewalls; it focuses on traffic routing. B: SD-WAN optimizes traffic routing for distributed networks. C: Cellular networks are one of the transport services SD-WAN can use, but not its primary purpose. D: Encryption is a feature of VPNs, not the primary purpose of SD-WAN.

Answer 54

Correct Answer: C. Centralized control and cost-effectiveness. Explanation: A: SD-WAN reduces hardware dependency by using software-based control. B: SD-WAN increases agility and flexibility, not reduces it. C: SD-WAN provides centralized control and can use cost-effective internet connections. D: SD-WAN integrates well with cloud services.

Answer 55

Correct Answer: C. Secure Access Service Edge; to combine networking and security in a cloud-based service. Explanation: A: SASE combines networking and security, not just replacing VPNs. B: SD-WAN focuses on traffic routing, not SASE. C: SASE integrates networking (e.g., SD-WAN) and security (e.g., firewalls, Zero Trust) in a cloud-based service. D: SDN manages local networks, not SASE.

Answer 56

Correct Answer: D. Multiprotocol Label Switching (MPLS). Explanation: A: Firewalls are a key component of SASE. B: VPNs are included in SASE for secure connections. C: CASBs are used for cloud security in SASE. D: MPLS is a transport service used by SD-WAN, not a component of SASE. ## Footnote Imagine an employee tries to upload confidential company files to their personal Google Drive. A CASB can detect this and block the action or encrypt the data before it leaves.

Answer 57

MPLS (Multiprotocol Label Switching). Explanation: A: Broadband is cost-effective but less secure and predictable than MPLS. B: LTE is great for backup but not ideal as the primary connection. C: MPLS provides fast, predictable, and secure connections, ideal for enterprises. D: Public Wi-Fi is insecure and unsuitable for enterprise use.

Answer 58

Correct Answer: B. It allows for real-time monitoring and policy enforcement across the entire network. Explanation: A: SD-WAN reduces hardware dependency, not increases it. B: Centralized control provides real-time monitoring and policy enforcement. C: SD-WAN integrates well with cloud services. D: SD-WAN reduces costs, not increases them.

Answer 59

Correct Answer: B. SD-WAN enables dynamic and efficient routing for cloud services. Explanation: A: SD-WAN integrates well with cloud services. B: SD-WAN optimizes traffic routing for cloud-based applications. C: Traditional WANs struggle with cloud integration. D: SD-WAN is superior to traditional WANs for cloud integration.

Answer 60

Correct Answer: C. SASE. Explanation: A: MPLS is for connecting networks, not individual users. B: SD-WAN optimizes traffic but does not provide comprehensive security for remote access. C: SASE combines networking and security, ideal for secure remote access. D: Broadband is a type of connection, not a solution for secure access.

Answer 61

Correct Answer: B. It inspects traffic for security threats before allowing access to company resources. Explanation: A: Encryption is handled by VPNs, not firewalls. B: Firewalls in SASE inspect traffic for threats before granting access. C: Traffic prioritization is a function of SD-WAN, not firewalls. D: Cellular networks are a transport service, not a function of firewalls.

Answer 62

Correct Answer: B. By reducing latency and simplifying network management. Explanation: A: MPLS is a transport service, not related to encryption. B: SD-WAN optimizes traffic routing, reducing latency and simplifying management. C: SD-WAN enhances access to cloud services, not limits it. D: SD-WAN reduces hardware dependency, not increases it.

Answer 63

Correct Answer: C. MPLS. Explanation: MPLS provides fast, predictable, and secure connections, ideal for enterprises.

Answer 64

Monitor performance and set policies. Explanation: The centralized dashboard allows real-time monitoring, policy setting, and troubleshooting.

Answer 65

Correct Answer: A. SD-WAN focuses on WAN optimization, while SDN focuses on LAN/data center management. Explanation: SD-WAN optimizes wide area networks, while SDN manages local area networks or data centers.

Answer 66

Correct Answer: B. Through a common set of policy and management platforms. Explanation: SASE delivers policies through centralized, cloud-based management platforms.

Answer 67

Correct Answer: D. All of the above. Explanation: AWS VPC, Azure Virtual WAN, and Google Cloud Interconnect all align with SASE principles.

Answer 68

Correct Answer: B. To ensure users are authenticated before granting access. Explanation: Zero Trust ensures that users are authenticated and authorized before accessing resources.

Answer 69

Correct Answer: B. To secure cloud applications and enforce security policies. Explanation: CASBs secure cloud applications and enforce security policies in SASE.

Answer 70

Correct Answer: B. Traffic is inspected for security threats before accessing company resources. Explanation: The firewall inspects traffic for threats before granting access to company resources.

Answer 71

Correct Answer: C. It optimizes traffic routing for IaaS, PaaS, and SaaS. Explanation: SD-WAN optimizes traffic routing, making it essential for cloud migration.

Answer 72

Correct Answer: B. When they want to combine networking and security in a cloud-based service. Explanation: SASE combines networking and security, making it a suitable replacement for SD-WAN in some scenarios.

Answer 73

Correct Answer: B. To filter traffic efficiently and enhance security. Explanation: A: Cost reduction is not the primary reason for placing routers at the edge. B: Routers placed at the network’s edge (also called edge routers or border routers) serve as the first line of defense between an internal network and external networks (such as the internet). C: Routers do not directly increase wireless speed. D: Flexibility for mobile devices is more related to access points, not routers. ## Footnote a typical enterprise network, traffic flow is usually: 1. Internet → Router → Firewall → Internal Network

Answer 74

Correct Answer: B. To isolate devices with similar security requirements. Explanation: A: Security zones do not directly increase data flow speed. B: Security zones isolate devices based on security needs, reducing risk. C: Security zones complement firewalls but do not replace them. D: Wireless access is unrelated to security zones.

Answer 75

Correct Answer: B. Screened Subnet. Explanation: A: Security zones isolate devices but are not the modern term for DMZ. B: "Screened Subnet" is the modern term for DMZ. C: Firewalls are security devices, not a term for DMZ. D: Access points provide wireless connectivity, unrelated to DMZ.

Answer 76

Correct Answer: B. To minimize points where unauthorized access can occur. Explanation: A: Reducing the attack surface does not directly increase data flow speed. B: Minimizing the attack surface reduces vulnerabilities and unauthorized access points. C: Reducing the attack surface complements firewalls but does not replace them. D: Wireless access is unrelated to the attack surface.

Answer 77

Correct Answer: B. Ethernet. Explanation: A: Wi-Fi provides flexibility but may suffer from interference. B: Ethernet offers stability and speed but restricts mobility. C: LTE is wireless and flexible but not as stable as Ethernet. D: Microwave links are wireless and used for long-distance communication.

Answer 78

Correct Answer: C. Intrusion Prevention System (IPS). Explanation: A: IDS is a passive device. B: Network TAP is a passive monitoring device. C: IPS is an active inline device that can block or modify traffic. D: SPAN port is used for passive monitoring.

Answer 79

Correct Answer: B. Prioritizes security over connectivity. Explanation: A: Fail-open maintains connectivity, not fail-closed. B: Fail-closed blocks all traffic during a failure, prioritizing security. C: Failure modes do not affect network speed. D: Failure modes are unrelated to hardware costs.

Answer 80

Correct Answer: B. A point in the network where data flow is slowed due to overload. Explanation: A: Bottlenecks slow down the network, not increase speed. B: A bottleneck occurs when a device or link cannot handle the data flow. C: Bottlenecks are not a type of wireless connection. D: Bottlenecks are unrelated to security features.

Answer 81

Correct Answer: A. They require a clear line of sight. Explanation: A: Microwave links require a clear line of sight, which can be challenging. B: Microwave links are cost-effective compared to fiber-optic lines. C: Microwave links can transmit large amounts of data. D: Microwave links are not necessarily slower than Ethernet.

Answer 82

Correct Answer: C. In-Line Mode. Explanation: A: TAP Mode is passive and cannot block or modify traffic. B: Monitor Mode is passive and relies on the switch. C: In-Line Mode allows active inspection and control of traffic. D: SPAN Port is used for passive monitoring.

Answer 83

Correct Answer: C. Strategically throughout the building to reduce interference. Explanation: Access points should be placed to ensure coverage and reduce interference, not just in specific areas.

Answer 84

Correct Answer: B. To host public-facing services and protect internal networks. Explanation: Screened subnets act as buffer zones for public-facing services, protecting internal networks.

Answer 85

Correct Answer: A. Regularly assess and patch vulnerabilities. Explanation: Regularly assessing and patching vulnerabilities reduces the attack surface.

Answer 86

Correct Answer: D. Microwave Links. Explanation: Microwave links are ideal for remote areas where fiber-optic infrastructure is unavailable.

Answer 87

Correct Answer: B. Network TAP. Explanation: Network TAPs passively monitor traffic without disrupting it.

Answer 88

Correct Answer: B. When security is more important than maintaining connectivity. Explanation: Fail-closed prioritizes security over connectivity, making it suitable for critical network segments.

Answer 89

Correct Answer: B. Upgrade network hardware (e.g., switches, routers). Explanation: A. Helps with Wi-Fi coverage but does not directly resolve bottlenecks in the wired network. B. A network bottleneck occurs when network hardware (such as routers, switches, or cables) cannot handle the amount of traffic passing through it. Upgrading to higher-capacity hardware (e.g., gigabit/10G switches, enterprise-grade routers) can increase bandwidth, reduce latency, and improve overall network performance. Common Hardware Upgrades to Fix Bottlenecks: Upgrading to higher-capacity switches (e.g., from 100 Mbps to 1 Gbps or 10 Gbps). Replacing outdated routers with models that support higher throughput and better traffic management. Using high-performance network interface cards (NICs) on servers and workstations. Upgrading network cabling (e.g., from Cat5e to Cat6 or fiber optic cables).

Answer 90

Correct Answer: B. In a remote area with no fiber-optic infrastructure. Explanation: Microwave links are ideal for remote areas where fiber-optic infrastructure is unavailable.

Answer 91

Correct Answer: B. Traffic continues to flow, but without security inspection. Explanation: Fail-open mode allows traffic to pass during a failure, maintaining connectivity but reducing security.

Answer 92

Correct Answer: B. To reduce potential risks and safeguard assets. Explanation: A: Controls are not primarily about increasing data flow speed. B: Controls are protective measures to reduce risks and safeguard assets. C: Controls complement firewalls but do not replace them. D: Wireless access is unrelated to the primary purpose of controls.

Answer 93

Correct Answer: B. Least Privilege. Explanation: A: Defense in Depth involves multiple layers of security. B: Least Privilege ensures users and systems have only necessary access rights. C: Risk-based Approach prioritizes controls based on potential risks. D: Open Design Principle ensures transparency and accountability.

Answer 94

Correct Answer: B. It ensures robust protection even if one control fails. Explanation: A: Defense in Depth may increase costs due to multiple layers of security. B: Defense in Depth provides robust protection by using multiple layers of security. C: Defense in Depth is not about increasing data flow speed. D: Defense in Depth complements firewalls but does not replace them.

Answer 95

Correct Answer: B. Focusing on the biggest risks first. Explanation: A: Applying updates randomly is not a risk-based approach. B: A risk-based approach prioritizes controls based on the biggest risks. C: Increasing access points is unrelated to a risk-based approach. D: Replacing firewalls with IDS is not a risk-based approach.

Answer 96

Correct Answer: B. To adapt to the evolving threat landscape. Explanation: A: Lifecycle management is not about increasing data flow speed. B: Lifecycle management ensures controls are regularly reviewed, updated, and retired to adapt to evolving threats. C: Lifecycle management complements firewalls but does not replace them. D: Wireless access is unrelated to lifecycle management.

Answer 97

Correct Answer: B. To ensure transparency and accountability through rigorous testing. Explanation: A: Open Design Principle is not about increasing data flow speed. B: The Open Design Principle ensures transparency and accountability through rigorous testing and scrutiny of controls. C: Open Design Principle complements firewalls but does not replace them. D: Wireless access is unrelated to the Open Design Principle. ## Footnote The Open Design Principle states that the security of a system should not rely on secrecy of its design or implementation but instead on strong, well-tested mechanisms. 🔹 Key Goals: Encourages transparency, allowing security experts to analyze and improve the system. Ensures accountability through peer review and rigorous testing. Reduces reliance on security through obscurity, making the system more resilient to attacks. 🔹 Example: Open-source encryption protocols (e.g., AES, TLS) are publicly reviewed for vulnerabilities rather than relying on secrecy.

Answer 98

Correct Answer: B. Assess Current State. Explanation: A: Setting clear objectives comes after assessing the current state. B: The first step is to assess the current state of the infrastructure, vulnerabilities, and controls. C: Gap analysis is conducted after assessing the current state. D: Benchmarking is done after setting clear objectives.

Answer 99

Correct Answer: B. To compare processes and security metrics with industry best practices. Explanation: A: Benchmarking is not about increasing data flow speed. B: Benchmarking compares your organization's processes and security metrics with industry best practices. C: Benchmarking complements firewalls but does not replace them. D: Wireless access is unrelated to benchmarking.

Answer 100

Correct Answer: C. Compliance & Legal Teams. Explanation: A: Executives approve budgets and align security with business goals. B: IT & Security Teams implement and maintain controls. C: Compliance & Legal Teams ensure security measures follow regulations (e.g., GDPR, HIPAA). D: Employees & End Users follow security policies.

Answer 101

Correct Answer: B. Conduct regular risk assessments. Explanation: A: Applying updates randomly is not a best practice. B: Selecting the right security controls requires understanding risks to the organization. Regular risk assessments help identify vulnerabilities, threats, and the impact of security breaches, allowing for effective control selection. C: Increasing access points is unrelated to best practices for selecting controls. D: Replacing firewalls with IDS is not a best practice.

Answer 102

Correct Answer: B. Intrusion Prevention System (IPS). Explanation: A: IDS monitors traffic but does not act on it. B: IPS monitors and acts on network traffic (e.g., blocking malicious traffic). C: Network TAP passively monitors traffic. D: SPAN Port passively mirrors traffic.

Answer 103

Correct Answer: B. Patch the critical vulnerability immediately. Explanation: A: Applying updates equally is not a risk-based approach. B: Patching the critical vulnerability first is a risk-based approach. C: Increasing access points is unrelated to vulnerability patching. D: Replacing firewalls with IDS is not a risk-based approach.

Answer 104

Correct Answer: B. Time to patch critical vulnerabilities. Explanation: A: Number of access points is unrelated to patch management. B: Time to patch critical vulnerabilities is a key metric for patch management efficiency. C: Number of firewalls is unrelated to patch management. D: Speed of data flow is unrelated to patch management. ## Footnote Time to patch critical vulnerabilities (also called Mean Time to Patch - MTTP) is a key metric in patch management benchmarking. It measures how quickly an organization applies patches to fix critical security flaws after they are released. 🔹 Why It Matters: Minimizes exposure to exploits. Reduces attack surfaces by closing security gaps. Ensures compliance with industry standards (e.g., NIST, CIS). Improves incident response by quickly addressing vulnerabilities. 🔹 Example: If a critical vulnerability is disclosed in Windows Server, an organization with strong patch management would test and deploy the patch within hours or days, rather than weeks.

Answer 105

Correct Answer: B. IT & Security Teams. Explanation: A: Executives approve budgets and align security with business goals. B: IT & Security Teams implement and maintain security controls. C: Compliance & Legal Teams ensure security measures follow regulations. D: Employees & End Users follow security policies.

Answer 106

Correct Answer: C. Retire. Explanation: A: Review is an ongoing step but not the final one. B: Update is part of the process but not the final step. C: Retire is the final step when controls are no longer needed or effective. D: Implement is an early step in the lifecycle.

Answer 107

Correct Answer: B. Through rigorous testing and scrutiny of controls. Explanation: A: Open Design Principle is not about increasing data flow speed. B: Rigorous testing and scrutiny ensure transparency and accountability. C: Open Design Principle complements firewalls but does not replace them. D: Wireless access is unrelated to the Open Design Principle.

Answer 108

Correct Answer: B. To identify discrepancies between current and desired security postures. Explanation: A: Gap analysis is not about increasing data flow speed. B: Gap analysis identifies discrepancies between current and desired security postures. C: Gap analysis complements firewalls but does not replace them. D: Wireless access is unrelated to gap analysis.

Answer 109

Correct Answer: B. To evaluate the balance between desired security level and required resources. Explanation: A: Cost-benefit analysis is not about increasing data flow speed. B: Cost-benefit analysis evaluates the balance between security and resources. C: Cost-benefit analysis complements firewalls but does not replace them. D: Wireless access is unrelated to cost-benefit analysis. ## Footnote A cost-benefit analysis helps organizations evaluate security controls by balancing the cost of implementing the control with its benefit in reducing risk. The goal is to ensure that the security control provides value without being overly expensive or resource-intensive. 🔹 Key Purpose: Assess costs (e.g., time, money, resources) of a security control. Evaluate benefits (e.g., risk reduction, compliance, and operational efficiency). Ensure cost-effective solutions that meet security requirements. 🔹 Example: Implementing multi-factor authentication (MFA) may have an upfront cost (e.g., software, training), but the benefits in terms of preventing unauthorized access could far outweigh the cost, especially for high-risk assets.

Security Infrastructure Flashcards

- Given a scenario, you must be able to apply security principles to secure enterprise architecture - Given a scenario, you must be able to modify enterprise capabilities to enhance security