Comptia Security Plus Mock Test Q40

The security administrator needs to manage traffic on a layer 3 device to support FTP from a new remote site. Which of the following would need to be implemented?

A. Implicit deny
B. VLAN management
C. Port security
D. Access control lists

Correct Answer: D
Section: Network Security

Explanation:
In the OSI model, IP addressing and IP routing are performed at layer 3 (the network layer). In this question we need to configure routing. When configuring routing, you specify which IP range (in this case, the IP subnet of the remote site) is allowed to route traffic through the router to the FTP server.
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

Incorrect Answers:
A: Implicit deny is used in access control lists in applications, firewalls or routers. The idea is that everything is implicitly denied except what is allowed. For example, in a firewall ACL,
you create ACL entries to allow traffic at the top of the list. If traffic coming in doesn’t match the conditions in a allow ACL entry, then the traffic is implicitly denied. However, in this
question, we need to configure an allow entry in an ACL to allow the remote site to connect to the FTP server. Therefore, implicit deny is not the correct answer.

B: VLAN management is the process of managing VLANs in network switches. Switches (and therefore VLANs) work in Layer 2 of the OSI model.

C: Port security works at level 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port.

References:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
http://en.wikipedia.org/wiki/Virtual_LAN
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 157