CompTIA Security Plus Mock Test Q870

A system administrator is using a packet sniffer to troubleshoot remote authentication. The administrator detects a device trying to communicate to TCP port 49. Which of the following authentication methods is MOST likely being attempted?

A. RADIUS
B. TACACS+
C. Kerberos
D. LDAP

Correct Answer: B
Section: Access Control and Identity Management

Explanation:
TACACS and TACACS+ make use of TCP port 49 by default.

Incorrect Answers:
A: RADIUS makes use of UDP only.
C, D: Kerberos and LDAP do not make use of TCP port 49.

References:
http://en.wikipedia.org/wiki/TACACS
http://en.wikipedia.org/wiki/RADIUS
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

CompTIA Security Plus Mock Test Q658

Which device monitors network traffic in a passive manner?

A. Sniffer
B. IDS
C. Firewall
D. Web browser

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
A sniffer is another name for a protocol analyzer. A protocol analyzer performs its function in a passive manner. In other words, computers on the network do not know that their data packets have been captured.
A protocol analyzer is a hardware device or, more commonly, a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing.
Well-known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Incorrect Answers:
B: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDSs come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. An IDS does not passively monitor network traffic.
C: A firewall is used to block or allow network traffic according to rules specifying source address, destination address, protocol or port number. It does not passively monitor network traffic.
D: A Web browser is used to view web sites. It does not monitor network traffic.

References:
http://www.techopedia.com/definition/4113/sniffer
http://en.wikipedia.org/wiki/Intrusion_detection_system

CompTIA Security Plus Mock Test Q574

Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues?

A. URL filter
B. Spam filter
C. Packet sniffer
D. Switch

Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
Every data packet transmitted across a network has a protocol header. To view a protocol header, you need to capture and view the contents of the packet with a packet sniffer.
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Incorrect Answers:
A: A URL filter is used to block URLs (websites) to prevent users accessing the website. It is not used to view protocol headers.
B: A spam filter is used for email. All inbound (and sometimes outbound) email is passed through the spam filter to detect spam emails. The spam emails are then discarded or tagged as potential spam according to the spam filter configuration. A spam filter is not used to view protocol headers.
D: A switch is a network device. Most computers on the network will be plugged into a switch. Switches maintain a MAC Table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as a hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for. A switch is not used to view protocol headers.

References:
http://www.techopedia.com/definition/4113/sniffer

CompTIA Security Plus Mock Test Q573

Which of the following network devices is used to analyze traffic between various network interfaces?

A. Proxies
B. Firewalls
C. Content inspection
D. Sniffers

Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Incorrect Answers:
A: Web proxies tend to be used for caching web page content and/or restricting access to websites to aid compliance with company Internet usage policies. They are not used to analyze traffic between various network interfaces.
B: A firewall is designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All data packets entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria; typically a combination of port and IP address. A firewall is not used to analyze traffic between various network interfaces.
C: Content inspection is the process of examining typically web content as it is downloaded to a client computer. The content of a web page is examined but the data packets themselves are not captured and examined as is the case with a packet sniffer. Therefore this answer is incorrect.

References:
http://www.techopedia.com/definition/4113/sniffer

CompTIA Security Plus Mock Test Q572

Which statement is TRUE about the operation of a packet sniffer?

A. It can only have one interface on a management network.
B. They are required for firewall operation and stateful inspection.
C. The Ethernet card must be placed in promiscuous mode.
D. It must be placed on a single virtual LAN interface.

Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Incorrect Answers:
A: A packet sniffer can have more than one interface on a management network.
B: A packet sniffer is not required for firewall operation and stateful inspection. Firewalls and packet sniffers are two different devices.
D: A virtual LAN interface is not required for packet sniffing.

References:
http://www.techopedia.com/definition/4113/sniffer