Comptia Security Plus Mock Test Q67

A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless BYOD users and 2 web servers without wireless access. Which of the following should the company configure to protect the servers from the user devices? (Select TWO).

A.
Deny incoming connections to the outside router interface.
B. Change the default HTTP port
C. Implement EAP-TLS to establish mutual authentication
D. Disable the physical switch ports
E. Create a server VLAN
F. Create an ACL to access the server

Correct Answer: E,F
Section: Network Security

Explanation:
We can protect the servers from the user devices by separating them into separate VLANs (virtual local area networks).
The network device in the question is a router/switch. We can use the router to allow access from devices in one VLAN to the servers in the other VLAN. We can configure an ACL (Access Control List) on the router to determine who is able to access the server.
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN.
This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs.
Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch. The network described in this question is a DMZ, not a VLAN.

Incorrect Answers:

A: The servers are web servers. It’s therefore safe to assume the websites hosted by the web servers should be accessible externally. Denying incoming connections to the outside
router interface would prevent external access to the websites. Furthermore, it would not protect the servers from the user devices.

B: The servers are web servers. It’s therefore safe to assume the websites hosted by the web servers should be accessible externally. If you change the default HTTP port, only people
who know what the new port is would be able to access the websites. A member of the public looking to browse the company website would not be able to (without knowing the new
port number). Furthermore, this would not protect the servers from the user devices.

C: Implementing EAP-TLS to establish mutual authentication would ensure that connections to the wireless router are secure. It wouldn’t protect the servers from the user devices
though.

D: The servers need to connect to the physical switch ports. Therefore disabling the ports would take the servers offline.

References:
http://en.wikipedia.org/wiki/Virtual_LAN