CompTIA Security Certification
Question No: 21 – (Topic 1)
A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless BYOD users and 2 web servers without wireless access. Which of the following should the company configure to protect the servers from the user devices? (Select TWO).
A. Deny incoming connections to the outside router interface.
B. Change the default HTTP port
C. Implement EAP-TLS to establish mutual authentication
D. Disable the physical switch ports
E. Create a server VLAN
F. Create an ACL to access the server
Answer: E,F
Explanation:
We can protect the servers from the user devices by placing the servers and the user devices in separate VLANs (virtual local area networks).
The network device in the question is a router/switch. We can use the router to allow access from devices in one VLAN to the servers in the other VLAN. We can configure an ACL (Access Control List) on the router to determine who is able to access the server.
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN.
This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs.
Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch. The network described in this question is a DMZ, not a VLAN.
Question No: 22 – (Topic 1)
A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network.
Which of the following should the administrator implement?
WPA2 over EAP-TTLS
WPA2 with WPS
WEP over EAP-PEAP
Answer: D
Explanation:
D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn’t considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/WPA2 standard are EAP-TLS, EAP-PSK, EAP-MD5, as well as LEAP and PEAP.
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
Question No: 23 – (Topic 1)
A UNIX administrator would like to use native commands to provide a secure way of connecting to other devices remotely and to securely transfer files. Which of the following protocols could be utilized? (Select TWO).
Answer: D,E
Explanation:
SSH is used to establish a command-line, text-only interface connection with a server, router, switch, or similar device over any distance.
Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP). SCP is commonly used on Linux and Unix platforms.
Question No: 24 – (Topic 1)
A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened on the firewall in order for this VPN to function properly? (Select TWO).
Answer: C,D
Explanation:
A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47.
Question No: 25 – (Topic 1)
The network security engineer just deployed an IDS on the network, but the Chief Technical Officer (CTO) has concerns that the device is only able to detect known anomalies. Which of the following types of IDS has been deployed?
Signature Based IDS
Behavior Based IDS
Anomaly Based IDS
Answer: A
Explanation:
A signature-based IDS monitors packets on the network and compares them against a database of signatures or attributes from known malicious threats.
Question No: 26 – (Topic 1)
A security analyst has been tasked with securing a guest wireless network. They recommend the company use an authentication server but are told the funds are not available to set this up.
Which of the following BEST allows the analyst to restrict user access to approved devices?
Power level adjustment
Disable SSID broadcasting
A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.
Question No: 27 – (Topic 1)
Which of the following means of wireless authentication is easily vulnerable to spoofing?
WPA – LEAP
WPA – PEAP
Answer: A
Explanation:
Each network interface on your computer or any other networked device has a unique MAC address. These MAC addresses are assigned in the factory, but you can easily change, or “spoof,” MAC addresses in software.
Networks can use MAC address filtering, only allowing devices with specific MAC addresses to connect to a network. This isn’t a great security tool because people can spoof their MAC addresses.
Question No: 28 – (Topic 1)
Ann, a security administrator, has concerns regarding her company’s wireless network. The network is open and available for visiting prospective clients in the conference room, but she notices that many more devices are connecting to the network than should be.
Which of the following would BEST alleviate Ann’s concerns with minimum disturbance of current functionality for clients?
A. Enable MAC filtering on the wireless access point.
B. Configure WPA2 encryption on the wireless access point.
C. Lower the antenna’s broadcasting power.
D. Disable SSID broadcasting.
Answer: C
Explanation:
Some access points include power level controls that allow you to reduce the amount of output provided if the signal is traveling too far.
Question No: 29 – (Topic 1)
Which of the following ports is used for SSH, by default?
Answer: D
Explanation:
Secure Shell (SSH) is a cryptographic network protocol for securing data communication. It establishes a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. SSH uses port 22.
Question No: 30 – (Topic 1)
Which of the following would the security engineer set as the subnet mask for the servers below to utilize host addresses on separate broadcast domains?
Server 1: 192.168.100.6
Server 2: 192.168.100.9
Server 3: 126.96.36.199
A. /24 B. /27 C. /28
Answer: D
Explanation:
Using this option will result in all three servers using host addresses on different broadcast domains.