A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless BYOD users and 2 web servers without wireless access. Which of the following should the company configure to protect the servers from the user devices? (Select TWO).
A. Deny incoming connections to the outside router interface. B. Change the default HTTP port C. Implement EAP-TLS to establish mutual authentication D. Disable the physical switch ports E. Create a server VLAN F. Create an ACL to access the server
Correct Answer: E,F Section: Network Security
Separating the user devices and the servers into different VLANs (virtual local area networks) protects the servers from the user devices at layer 2: hosts in one VLAN cannot reach hosts in another without passing through a router.
The device in the question is a combined router/switch, so it can route between the user VLAN and the server VLAN. An ACL (Access Control List) on the routed interface then determines which devices, and which protocols, may reach the servers.
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN.
This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark frames through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs.
Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch. In this scenario the server VLAN plays the role a DMZ would play in a larger design: a segment for the publicly reachable web servers that is separated from the internal user devices.
A: The servers are web servers, so it is safe to assume the websites they host should be accessible externally. Denying incoming connections on the outside router interface would prevent external access to the websites. Furthermore, it would not protect the servers from the user devices, which sit on the inside of the router.
B: For the same reason, changing the default HTTP port would break public access: only people who know the new port number would be able to reach the websites. It also does nothing to protect the servers from the user devices, which could simply scan for the new port.
C: Implementing EAP-TLS for mutual authentication secures the wireless association between the BYOD devices and the router. It does not restrict what an authenticated device can reach afterwards, so it would not protect the servers from the user devices.
D: The servers need their physical switch ports. Disabling those ports would take the servers offline.
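Added example (not from the original page or from either cited book): a Cisco IOS-style configuration for an all-in-one router/switch that implements answers E and F together. VLAN numbers, interface names, addresses and the ACL name are assumptions; how the BYOD SSID is mapped to VLAN 10 on the wireless side is vendor-specific and not shown.

```cisco
! Added example, not from the page. Cisco IOS-style syntax; VLAN IDs,
! interface names, addresses and ACL name are assumptions.
vlan 10
 name BYOD-USERS
vlan 20
 name SERVERS
!
! The two wired web servers (assumed on Gi0/1-2) live in the server VLAN.
! The BYOD wireless SSID is mapped to VLAN 10 on the wireless side (vendor-specific).
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 20
!
! One routed interface (SVI) per VLAN; the device routes between them.
ip routing
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group BYOD-TO-SERVERS in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
! ACL applied inbound on the user VLAN (answer F): BYOD devices may reach
! the two web servers (assumed 192.168.20.10 and .11) on HTTP/HTTPS only.
! Anything else aimed at the server VLAN is dropped and logged; traffic to
! the Internet is left alone.
ip access-list extended BYOD-TO-SERVERS
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq www
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 443
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.11 eq www
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.11 eq 443
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip  192.168.10.0 0.0.0.255 any
```

Verify with `show access-lists BYOD-TO-SERVERS` (hit counters climb on the deny line when a BYOD device probes SSH or RDP on a server) and `show ip interface vlan 10` to confirm the ACL is bound inbound. The ACL ends with a permit rather than relying on the implicit deny so that Internet access for the users keeps working; the explicit deny for the server subnet is what enforces the separation.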
While configuring a new access layer switch, the administrator, Joe, was advised that he needed to make sure that only devices authorized to access the network would be permitted to login and utilize resources. Which of the following should the administrator implement to ensure this happens?
A. Log Analysis B. VLAN Management C. Network separation D. 802.1x
Correct Answer: D Section: Network Security
802.1X is a port-based network access control standard. It uses the Extensible Authentication Protocol (EAP) to authenticate a device (the supplicant) to the switch or access point (the authenticator) before the port forwards any traffic other than EAP, and it applies to both wired and wireless networks. On wireless LANs it became prominent as the enterprise mode of WPA/WPA2, replacing the weak shared-key model of Wired Equivalent Privacy (WEP). Today it is typically one component of a larger authentication and connection-management system, with the authenticator relaying credentials to an AAA back end such as Remote Authentication Dial-In User Service (RADIUS), Diameter or Cisco Systems' Terminal Access Controller Access-Control System Plus (TACACS+), and often as the enforcement point for Network Access Control (NAC).
A: Log analysis is the art and science of reviewing audit trails, log files, or other forms of computer-generated records for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern. It is a detective control applied after the fact; it does not stop a device from connecting.
B: VLAN management is the use of VLANs to control traffic for security or performance reasons. It segments devices that are already on the network; it does not decide whether a device may join.
C: Bridging between networks can be a desired feature of network design. Network bridging is self-configuring, is inexpensive, maintains collision-domain isolation, is transparent to Layer 3+ protocols, and avoids the 5-4-3 rule's Layer 1 limitations. However, network bridging isn't always desirable. It doesn't limit or divide broadcast domains, doesn't scale well, can cause latency, and can result in loops. To eliminate these problems, you can implement network separation or segmentation. There are two means to accomplish this. First, if communication is necessary between network segments, you can implement IP subnets and use routers. Second, you can create physically separate networks that don't need to communicate. This can also be accomplished later using firewalls instead of routers to implement secured filtering and traffic management. Like VLANs, separation controls where traffic can flow, not which devices are allowed to plug in.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 23, 25, 26
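Added example, not from the original page or the cited book: a Cisco IOS-style 802.1X deployment on an access-layer switch that authenticates every device against a RADIUS server before its port carries traffic. The RADIUS server address, shared secret, VLAN ID, interface range and the local fallback account are assumptions.

```cisco
! Added example, not from the page. Cisco IOS-style syntax (IOS 15.x
! "radius server" form); addresses, secret, VLAN and ports are assumptions.
aaa new-model
!
! Keep a local login so enabling AAA cannot lock the administrator out
! of the switch itself (assumed account name and secret).
username admin privilege 15 secret ChangeMeBeforeUse
aaa authentication login default local
!
! RADIUS server that holds the device/user database (assumed address).
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
! 802.1X requests are sent to RADIUS; authorization allows the server to
! push a VLAN or ACL back to the port for an authenticated device.
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Global enable; without this the per-interface commands do nothing.
dot1x system-auth-control
!
! User-facing access ports only. The port blocks everything except EAPOL
! until the supplicant authenticates, then re-checks on the interval the
! RADIUS server returns. Never apply this to uplinks or trunk ports.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode single-host
 authentication periodic
 authentication timer reauthenticate server
```

`show authentication sessions` lists each port with its authenticated identity and state, and `show dot1x all` confirms the global and per-port settings. A device with no supplicant simply stays in the unauthorized state and gets no network access, which is exactly the requirement in the question.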
An administrator needs to connect a router in one building to a router in another using Ethernet. Each router is connected to a managed switch and the switches are connected to each other via a fiber line. Which of the following should be configured to prevent unauthorized devices from connecting to the network?
A. Configure each port on the switches to use the same VLAN other than the default one B. Enable VTP on both switches and set to the same domain C. Configure only one of the routers to run DHCP services D. Implement port security on the switches
Correct Answer: D Section: Network Security
Port security in IT can mean several things:
The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port.
The management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a port, then that port is open. All other ports (of TCP or UDP) are closed if a service isn't actively using them.
Port knocking is a security system in which all ports on a system appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.
In the context of this question, port security is the managed-switch feature of that name: each access port is limited to a small number of permitted MAC addresses (configured statically, learned dynamically, or learned once and saved as "sticky" addresses), and a frame from any other source address is treated as a violation that is dropped, logged, or causes the port to shut down. Because MAC addresses can be spoofed, it raises the bar rather than authenticating the device; 802.1X is the stronger control where it is supported.
A: A basic switch not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting the devices to another, distinct switch of their own. Configuration of the first custom VLAN port group usually involves removing ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, in addition to the default VLAN. Moving every port to the same non-default VLAN changes nothing about which devices may connect.
B: VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLANs) across the whole local area network. VTP achieves this by carrying VLAN information to all the switches in a VTP domain. It keeps the VLAN databases of the two switches consistent; it does not authenticate or restrict connected devices.
C: The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services. Running DHCP on only one router avoids conflicting leases, but an unauthorized device can simply configure a static address.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 24
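Added example, not from the original page or the cited book: Cisco IOS-style port security on one of the two managed switches in the question. The port the router plugs into is pinned to the router's MAC address, the remaining user-facing ports learn and keep the first address they see, and the fiber link between the switches is deliberately left without port security. Interface numbers, the VLAN and the router MAC address are assumptions.

```cisco
! Added example, not from the page. Cisco IOS-style syntax; interface
! numbers, VLAN and the router MAC (0011.2233.4455) are assumptions.
!
! Port that the local router connects to: exactly one permitted MAC,
! configured statically, and the port shuts down on any other source.
interface GigabitEthernet0/1
 description Router, building A
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Remaining access ports: learn the first MAC seen, save it to the running
! config ("sticky"), and drop-and-log frames from any other address.
interface range GigabitEthernet0/2 - 23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Fiber inter-switch link: a trunk that legitimately carries many MACs,
! so no port security here. Protect it with physical security instead.
interface GigabitEthernet0/24
 description Fiber trunk to building B switch
 switchport mode trunk
!
! Let a port shut down by a violation recover by itself after 5 minutes,
! so a single mistake does not need an administrator visit.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

`show port-security interface GigabitEthernet0/1` reports the permitted address, the violation count and whether the port is err-disabled; `show port-security address` lists every secured MAC. Remember to `copy running-config startup-config` after sticky addresses are learned, or they are lost at reboot.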
A router has a single Ethernet connection to a switch. In the router configuration, the Ethernet interface has three sub-interfaces, each configured with ACLs applied to them and 802.1q trunks. Which of the following is MOST likely the reason for the sub-interfaces?
A. The network uses the subnet of 255.255.255.128. B. The switch has several VLANs configured on it. C. The sub-interfaces are configured for VoIP traffic. D. The sub-interfaces each implement quality of service.
Correct Answer: B Section: Network Security
A subinterface is a division of one physical interface into multiple logical interfaces. Routers commonly employ subinterfaces for a variety of purposes, the most common of which is routing traffic between VLANs (often called "router on a stick"). IEEE 802.1Q is the networking standard that supports virtual LANs (VLANs) on an Ethernet network: each frame on the trunk carries a VLAN tag, and each subinterface is bound to one tag value. A single link configured as an 802.1Q trunk with one subinterface per tag therefore indicates that the switch has several VLANs and the router is routing, and with the ACLs also filtering, between them.
A, C, D: A subnet mask of 255.255.255.128 describes how a single address block is divided; it does not require 802.1Q tagging or multiple subinterfaces. VoIP traffic and quality of service can be carried on or applied to a subinterface, but neither is the reason the subinterfaces and 802.1Q trunks exist.
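Added example, not from the original page: the switch-side and router-side configuration that produces exactly the situation described in the question, in Cisco IOS-style syntax. Interface names, VLAN IDs, addresses and the ACL name are assumptions. It extends the question slightly by including a voice VLAN, to show that VoIP rides in a VLAN like any other and is not what the subinterfaces are for.

```cisco
! Added example, not from the page. Cisco IOS-style syntax; interface
! names, VLAN IDs, addresses and ACL name are assumptions.
!
! ---- Switch side: the one link to the router is an 802.1Q trunk ----
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name VOICE
interface GigabitEthernet0/24
 description Trunk to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
! ("switchport trunk encapsulation dot1q" exists only on platforms that
!  also support ISL; on dot1q-only switches omit that line.)
!
! ---- Router side: one physical interface, one subinterface per VLAN tag ----
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
! The number after "dot1Q" must match the VLAN ID the switch tags with.
interface GigabitEthernet0/0.10
 description USERS
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface GigabitEthernet0/0.20
 description SERVERS
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description VOICE
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
! The ACL mentioned in the question: users reach the server VLAN on
! HTTPS only; everything else between those two VLANs is denied.
ip access-list extended USERS-IN
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip  any any
```

On the router, `show vlans` lists each subinterface with its 802.1Q tag; on the switch, `show interfaces trunk` confirms which VLANs are allowed and active on Gi0/24. A mismatch between a tag and a VLAN ID shows up as a subinterface that is up/up but never receives traffic.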
Which of the following is a best practice when securing a switch from physical access?
A. Disable unnecessary accounts B. Print baseline configuration C. Enable access lists D. Disable unused ports
Correct Answer: D Section: Network Security
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access.
All ports not in use should be disabled. Otherwise, they present an open door for an attacker with physical access: anyone who can reach the switch or a patched wall jack can plug in a device and join the network.
A: Disabling unnecessary accounts would only block those specific accounts from logging in to the switch; it does nothing about a device plugged into a free port.
B: A security baseline is a standardized minimal level of security that all systems in an organization must comply with. Printing it would not secure the switch from physical access.
C: The purpose of an access list, in the physical-security sense, is to identify specifically who can enter a facility. A network access list (ACL) on the switch filters traffic once a device is already connected; neither prevents an unauthorized device from being plugged into an unused port.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 60
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 207
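Added example, not from the original page or the cited books: how the "disable unused ports" practice is usually applied on a Cisco IOS-style switch. Besides shutting the ports down, they are moved to an unused "parking" VLAN and stripped of trunk negotiation and CDP, so that a port someone later re-enables by mistake still lands in a dead VLAN. The port range and VLAN number are assumptions.

```cisco
! Added example, not from the page. Cisco IOS-style syntax; the port
! range and VLAN 999 are assumptions.
!
! A VLAN that has no routed interface and no other members, itself shut
! down, so a port left in it goes nowhere even if it is brought up.
vlan 999
 name PARKING
 shutdown
!
! Every port with nothing plugged in (assumed Gi0/10-24).
interface range GigabitEthernet0/10 - 24
 description UNUSED - do not enable without a change ticket
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown
!
! VLAN 1 is the default for every port and carries control traffic such
! as CDP and VTP; do not leave a management address on it.
interface Vlan1
 no ip address
 shutdown
```

`show interfaces status` shows the parked ports as "disabled" in VLAN 999, which makes a port that someone quietly re-enabled stand out during a routine review; compare the output against the baseline configuration rather than trusting memory.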