A company has several conference rooms with wired network jacks that are used by both employees and guests. Employees need access to internal resources and guests only need access to the Internet. Which of the following combinations is BEST to meet the requirements?
A. NAT and DMZ
B. VPN and IPSec
C. Switches and a firewall
D. 802.1x and VLANs
Correct Answer: D
802.1x is a port-based authentication mechanism. It's based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it's often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco System's Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).
A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are part of VLAN 1. But as the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and be distinct from other VLAN port designations. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.
Incorrect Answers:
A: NAT converts the IP addresses of internal systems found in the header of network packets into public IP addresses. A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access.
B: A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted. Internet Protocol Security (IPSec) is both a stand-alone VPN protocol and a module that can be used with L2TP.
C: A switch is a networking device used to connect other devices together and potentially implement traffic management on their communications. Firewalls manage traffic using filters.
The Human Resources department has a parent shared folder setup on the server. There are two groups that have access, one called managers and one called staff. There are many sub folders under the parent shared folder, one is called payroll. The parent folder access control list propagates all subfolders and all subfolders inherit the parent permission. Which of the following is the quickest way to prevent the staff group from gaining access to the payroll folder?
A. Remove the staff group from the payroll folder
B. Implicit deny on the payroll folder for the staff group
C. Implicit deny on the payroll folder for the managers group
D. Remove inheritance from the payroll folder
Correct Answer: B
Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default.
Incorrect Answers:
A: This will not work because the question states: "The parent folder access control list propagates all subfolders and all subfolders inherit the parent permission."
C: This will deny access for the managers group.
D: Removing inheritance from the payroll folder will also affect the manages group.
Users are unable to connect to the web server at IP 192.168.0.20. Which of the following can be inferred of a firewall that is configured ONLY with the following ACL?
PERMIT TCP ANY HOST 192.168.0.10 EQ 80 PERMIT TCP ANY HOST 192.168.0.10 EQ 443
A. It implements stateful packet filtering.
B. It implements bottom-up processing.
C. It failed closed.
D. It implements an implicit deny.
Correct Answer: D
Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.
Incorrect Answers:
A: Stateful packet filtering automatically creates a response rule for the replay on the fly. But that rule exists only as long as the conversation is taking place.
B: Bottom-up processing is a type of information processing based on incoming data from the environment to form a perception.
C: This option is a reaction to a failure, which has nothing to do with ACL's
A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80 PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Select TWO).
A. Change the firewall default settings so that it implements an implicit deny
B. Apply the current ACL to all interfaces of the firewall
C. Remove the current ACL
D. Add the following ACL at the top of the current ACL DENY TCP ANY ANY 53
E. Add the following ACL at the bottom of the current ACL DENY ICMP ANY ANY 53
F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53
Correct Answer: AF
Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.
DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.
Incorrect Answers:
B: Applying the current ACL to all interfaces of the firewall, and adding a deny clause will also prevent internal users from performing the actions included in the deny clause.
C: Removing the current ACL will block web traffic coming in.
D: An implicit deny clause is implied at the end of each ACL.
E: ICMP is a network health and link-testing protocol, and is not related to the question.
While configuring a new access layer switch, the administrator, Joe, was advised that he needed to make sure that only devices authorized to access the network would be permitted to login and utilize resources. Which of the following should the administrator implement to ensure this happens?
A. Log Analysis
B. VLAN Management
C. Network separation
D. 802.1x
Correct Answer: D
802.1x is a port-based authentication mechanism. It's based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it's often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco System's Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).
Incorrect Answers:
A: Log analysis is the art and science of reviewing audit trails, log fi les, or other forms of computer-generated records for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern.
B: VLAN management is the use of VLANs to control traffic for security or performance reasons.
C: Bridging between networks can be a desired feature of network design. Network bridging is self-configuring, is inexpensive, maintains collision-domain isolation, is transparent to Layer 3+ protocols, and avoids the 5-4-3 rule's Layer 1 limitations. However, network bridging isn't always desirable. It doesn't limit or divide broadcast domains, doesn't scale well, can cause latency, and can result in loops. In order to eliminate these problems, you can implement network separation or segmentation. There are two means to accomplish this. First, if communication is necessary between network segments, you can implement IP subnets and use routers. Second, you can create physically separate networks that don't need to communicate. This can also be accomplished later using firewalls instead of routers to implement secured filtering and traffic management.
A company determines a need for additional protection from rogue devices plugging into physical ports around the building.
Which of the following provides the highest degree of protection from unauthorized wired network access?
A. Intrusion Prevention Systems
B. MAC filtering
C. Flood guards
D. 802.1x
Correct Answer: D
IEEE 802.1x is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism to wireless devices connecting to a LAN or WLAN.
Incorrect Answers:
A: Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. Plugging a device into the network would not be considered malicious activity so the IPS would not prevent it.
B: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
C: Flood guards are used to prevent network flooding attacks such as DoS, SYN floods, ping floods etc. They are not used to prevent devices connecting to a network.
On Monday, all company employees report being unable to connect to the corporate wireless network, which uses 802.1x with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages.
Which of the following is the MOST likely cause for this issue?
A. Too many incorrect authentication attempts have caused users to be temporarily disabled.
B. The DNS server is overwhelmed with connections and is unable to respond to queries.
C. The company IDS detected a wireless attack and disabled the wireless network.
D. The Remote Authentication Dial-In User Service server certificate has expired.
Correct Answer: D
The question states that the network uses 802.1x with PEAP. The 802.1x authentication server is typically an EAP-compliant Remote Access Dial-In User Service (RADIUS). A RADIUS server will be configured with a digital certificate. When
a digital certificate is created, an expiration period is configured by the Certificate Authority (CA). The expiration period is commonly one or two years.
The question states that no configuration changes have been made so it's likely that the certificate has expired.
Incorrect Answers:
A: The question asks for the most likely cause of the issue. It's very unlikely that all the users have forgotten their passwords on the same day to cause too many incorrect authentication attempts and caused users to be temporarily disabled.
B: The question asks for the most likely cause of the issue. A DNS server can usually handle thousands of DNS requests. Even if a DNS server was overwhelmed, the users would still be able to connect to the wireless network.
C: The question asks for the most likely cause of the issue. The company IDS detected a wireless attack and disabled the wireless network is very unlikely.
At an organization, unauthorized users have been accessing network resources via unused network wall jacks. Which of the following would be used to stop unauthorized access?
A. Configure an access list.
B. Configure spanning tree protocol.
C. Configure port security.
D. Configure loop protection.
Correct Answer: C
Port security in IT can mean several things. It can mean the physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port. This can be accomplished by locking down the wiring closet and server vaults and then disconnecting the workstation run from the patch panel (or punch-down block) that leads to a room's wall jack. Any unneeded or unused wall jacks can (and should) be physically disabled in this manner. Another option is to use a smart patch panel that can monitor the MAC address of any device connected to each and every wall port across a building and detect not just when a new device is connected to an empty port, but also when a valid device is disconnected or replaced by an invalid device.
Incorrect Answers:
A: In the realm of physical security, access controls are mechanisms designed to manage and control entrance into a location such as a building, a parking lot, a room, or even a specific box or server rack.
B: Spanning Tree Protocol (STP) erects transmission blockades to prevent loops from being created.
D: A loop in networking terms is a transmission pathway that repeats itself.
An administrator needs to connect a router in one building to a router in another using Ethernet. Each router is connected to a managed switch and the switches are connected to each other via a fiber line. Which of the following should be configured to prevent unauthorized devices from connecting to the network?
A. Configure each port on the switches to use the same VLAN other than the default one
B. Enable VTP on both switches and set to the same domain
C. Configure only one of the routers to run DHCP services
D. Implement port security on the switches
Correct Answer: D
Port security in IT can mean several things:
The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port. The management of TCP and User Datagram Protocol
(UDP) ports. If a service is active and assigned to a port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn't actively using them. Port knocking is a security system in which all ports on a system
appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.
Incorrect Answers:
A: A basic switch not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting the devices to another, distinct switch of their own. Configuration of the first custom VLAN port group usually involves removing ports from the default VLAN, such that the first custom group of VLAN ports is actually the second VLAN on the device, in addition to the default VLAN
B: VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that broadcasts the definition of Virtual Local Area Networks (VLAN) on the whole local area network. VTP achieves this by carrying VLAN information to all the switches in a VTP domain.
C: The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services.
References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p 24.
A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application's task. Which of the following is the security administrator practicing in this example?
A. Explicit deny
B. Port security
C. Access control lists
D. Implicit deny
Correct Answer: C
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.
Incorrect Answers:
A: An explicit deny would block the application until it is added to the ACL.
B: Port security in IT can mean several things:
The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port. The management of TCP and User Datagram Protocol
(UDP) ports. If a service is active and assigned to a port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn't actively using them. Port knocking is a security system in which all ports on a system
appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.
C: Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only CompTIA exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your JK0-022 exam preparations and CompTIA certification application, do not hesitate to visit our Vcedump.com to find your solutions here.