A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a DMZ which is expected to accommodate at most 14 physical hosts. Which of the following subnets would BEST meet the requirements?
A. 192.168.0.16 255.25.255.248 B. 192.168.0.16/28 C. 192.168.1.50 255.255.25.240 D. 192.168.2.32/27
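To work the subnet-sizing question above, here is an added checker (not part of the original question set) that computes the usable host count for each candidate subnet, rejects masks that are not valid and addresses that are not true network addresses, and picks the smallest subnet that still fits the required host count. It uses only the standard-library `ipaddress` module; the candidate list is constructed from the four options on the page, typos included, so the invalid ones are reported rather than guessed at.

```python
import ipaddress
from typing import Optional


def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 host addresses: 2^(32 - prefix) minus network and broadcast.
    /31 and /32 have no conventional host range, so they return 0 here."""
    if prefix_len >= 31:
        return 0
    return 2 ** (32 - prefix_len) - 2


def evaluate(address: str, mask_or_prefix: str, required_hosts: int) -> dict:
    """Validate a candidate subnet and report whether it fits required_hosts.

    mask_or_prefix may be a prefix length ("28") or a dotted mask
    ("255.255.255.240"). strict=True makes ipaddress reject an address
    that has host bits set, i.e. one that is not a network address.
    """
    try:
        net = ipaddress.ip_network(f"{address}/{mask_or_prefix}", strict=True)
    except ValueError as exc:  # covers NetmaskValueError and AddressValueError
        return {"valid": False, "reason": str(exc), "usable": None, "fits": False}
    usable = usable_hosts(net.prefixlen)
    return {
        "valid": True,
        "network": str(net),
        "usable": usable,
        "fits": usable >= required_hosts,
    }


def best_fit(candidates: dict, required_hosts: int) -> Optional[str]:
    """Return the label of the valid candidate that fits with the fewest
    wasted addresses (smallest usable count >= required), or None."""
    best_label, best_usable = None, None
    for label, (addr, mask) in candidates.items():
        result = evaluate(addr, mask, required_hosts)
        if result["fits"] and (best_usable is None or result["usable"] < best_usable):
            best_label, best_usable = label, result["usable"]
    return best_label


# Constructed from the four answer options as printed on the page.
CANDIDATES = {
    "A": ("192.168.0.16", "255.25.255.248"),   # malformed mask as printed
    "B": ("192.168.0.16", "28"),
    "C": ("192.168.1.50", "255.255.255.240"),  # .50 is not a /28 network address
    "D": ("192.168.2.32", "27"),
}

if __name__ == "__main__":
    for label, (addr, mask) in CANDIDATES.items():
        print(label, evaluate(addr, mask, 14))
    print("best fit:", best_fit(CANDIDATES, 14))
```

The `strict=True` check is the part practitioners most often skip: a mask can be well-formed and still be paired with an address that sits inside a block rather than at its start, which is exactly what a firewall interface definition should refuse.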
Joe, a website administrator, believes he owns the intellectual property for a company invention and has been replacing image files on the company's public-facing website in the DMZ. Joe is using steganography to hide stolen data. Which of the following controls can be implemented to mitigate this type of insider threat?
A. Digital signatures B. File integrity monitoring C. Access controls D. Change management E. Stateful inspection firewall
A security technician is concerned there is not enough security staff available to monitor the web servers and database server located in the DMZ around the clock. Which of the following technologies, when deployed, would provide the BEST round-the-clock automated protection?
A. HIPS & SIEM B. NIPS & HIDS C. HIDS & SIEM D. NIPS & HIPS
Given the following set of firewall rules:
From the inside to outside allow source any destination any port any
From inside to dmz allow source any destination any port tcp-80
From inside to dmz allow source any destination any port tcp-443
Which of the following would prevent FTP traffic from reaching a server in the DMZ from the inside network?
A. Implicit deny B. Policy routing C. Port forwarding D. Forwarding proxy
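The rule set above only has allow entries, so whatever happens to traffic that matches none of them depends on the firewall's default action. The following is an added first-match rule evaluator (not part of the original question set, and not any vendor's rule syntax) that models the three rules and an implicit deny at the end of the list; the zone and port names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str      # "inside", "dmz", "outside"
    dst_zone: str
    proto: str         # "tcp", "udp" or "any"
    port: Optional[int]  # None means "port any"
    action: str        # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
        return (
            self.src_zone == src_zone
            and self.dst_zone == dst_zone
            and self.proto in ("any", proto)
            and self.port in (None, port)
        )


# The three rules from the page, in the order they are evaluated.
RULES: List[Rule] = [
    Rule("inside", "outside", "any", None, "allow"),
    Rule("inside", "dmz", "tcp", 80, "allow"),
    Rule("inside", "dmz", "tcp", 443, "allow"),
]


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation. Returns (action, reason).

    If no rule matches, the packet falls off the end of the list and is
    dropped by the implicit deny that firewalls apply to unmatched traffic.
    """
    for index, rule in enumerate(rules, start=1):
        if rule.matches(src_zone, dst_zone, proto, port):
            return rule.action, f"rule {index}"
    return "deny", "implicit deny"


def unmatched_flows(rules: List[Rule], flows: List[Tuple[str, str, str, int]]):
    """Report which of the given flows are only stopped by the implicit deny.
    Useful for confirming that a restriction actually rests on a written rule
    rather than on the default behaviour."""
    return [flow for flow in flows if evaluate(rules, *flow)[1] == "implicit deny"]


if __name__ == "__main__":
    # Constructed test flows: FTP control (21) and FTP data (20) to the DMZ,
    # HTTPS to the DMZ, and FTP to the Internet.
    for flow in [("inside", "dmz", "tcp", 21), ("inside", "dmz", "tcp", 20),
                 ("inside", "dmz", "tcp", 443), ("inside", "outside", "tcp", 21)]:
        print(flow, "->", evaluate(RULES, *flow))
```

Note that inside-to-outside FTP is allowed by rule 1 (any/any/any), while inside-to-DMZ FTP is blocked only because nothing matches it. A defender who wants that block to be auditable would add an explicit deny-and-log rule ahead of the implicit deny rather than rely on the default.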
The network manager has obtained a public IP address for use with a new system to be available via the Internet. This system will be placed in the DMZ and will communicate with a database server on the LAN. Which of the following should be used to allow for proper communication between Internet users and the internal systems?
Which of the following are examples of network segmentation? (Select TWO).
A. IDS B. IaaS C. DMZ D. Subnet E. IPS
Correct Answer: C,D Section: Application, Data and Host Security
C: A demilitarized zone (DMZ) is a part of the network that is separated or segmented from the rest of the network by means of firewalls and acts as a buffer between the untrusted public Internet and the trusted local area network (LAN).
D: IP subnets can be used to separate or segment networks while allowing communication between the network segments via routers.
A: An intrusion detection system (IDS) is an automated system that detects intrusions or security policy violations on networks or host systems. It does not feature or offer network
B: The Infrastructure as a Service (IaaS) model is a cloud computing business model that uses virtualization, with the clients paying for the resources they use.
E: An intrusion prevention system (IPS) is an automated system that attempts to prevent intrusions or security policy violations on networks or host systems. It does not feature or offer
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 21, 26, 27-28
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 65, 110-111
Pete, a network administrator, is implementing IPv6 in the DMZ. Which of the following protocols must he allow through the firewall to ensure the web servers can be reached via IPv6 from an IPv6-enabled Internet host?
A. TCP port 443 and IP protocol 46 B. TCP port 80 and TCP port 443 C. TCP port 80 and ICMP D. TCP port 443 and SNMP
Correct Answer: B Section: Network Security
HTTP and HTTPS, which use TCP port 80 and TCP port 443 respectively, are necessary for communicating with web servers. They should therefore be allowed through the firewall.
A: IP protocol 46 was designed to reserve resources across a network for an integrated services Internet.
C: Internet Control Message Protocol (ICMP) is a network health and link-testing protocol that is commonly used by tools such as ping, traceroute, and pathping.
D: SNMP can be used to interact with various network devices to obtain status information, performance data, statistics, and configuration details.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 42, 46, 47, 52
When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator's request?
A. DMZ B. Cloud services C. Virtualization D. Sandboxing
Correct Answer: A Section: Network Security
A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.
B: A private cloud is a cloud service within a corporate network and isolated from the Internet. The private cloud is for internal use only.
C: Virtualization offers several benefits, such as being able to launch individual instances of servers or services as needed, real-time scalability, and the ability to run the exact OS version required for a certain application.
D: Sandboxing is a means of quarantine or isolation. It is implemented to restrict new or otherwise suspicious software from being able to cause harm to production systems. It can be used against applications or entire OSs.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 37, 38, 39, 250