Domain 4 - Communication & Network Security Flashcards

1
Q

Gary wants to distribute a large file and prefers a peer-to-peer
CDN. Which of the following is the most common example of
this type of technology?
A. CloudFlare
B. BitTorrent
C. Amazon CloudFront
D. Akamai Edge

A

B. BitTorrent

B. BitTorrent is an example of a peer-to-peer (P2P) content
delivery network. It is commonly used for legitimate purposes to
distribute large files like Linux ISOs and other freely distributed
software packages and files in addition to its less legitimate uses.
CloudFlare, CloudFront, and Akamai’s Edge are all hosted
CDNs.

2
Q

During a security assessment of a wireless network, Jim
discovers that LEAP is in use on a network using WPA. What
recommendation should Jim make?
A. Continue to use LEAP. It provides better security than TKIP for WPA networks.
B. Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported.
C. Continue to use LEAP to avoid authentication issues, but move to WPA2.
D. Use an alternate protocol like PEAP or EAP-TLS, and implement Wired Equivalent Privacy to avoid wireless security issues.

A

B. Use an alternate protocol like PEAP or EAP-TLS and implement WPA2 if supported.

B. LEAP, the Lightweight Extensible Authentication Protocol, is
a Cisco proprietary protocol designed to handle problems with
TKIP. Unfortunately, LEAP has significant security issues as
well and should not be used. Any modern hardware should
support WPA2 and technologies like PEAP or EAP-TLS. Using
WEP, the predecessor to WPA and WPA2, would be a major step
back in security for any network.

3
Q

Ben has connected his laptop to his tablet PC using an 802.11ac
connection. What wireless network mode has he used to connect
these devices?
A. Infrastructure mode
B. Wired extension mode
C. Ad hoc mode
D. Standalone mode

A

C. Ad hoc mode

C. Ben is using ad hoc mode, which directly connects two
clients. It can be easy to confuse this with standalone mode,
which connects clients using a wireless access point but not to
wired resources like a central network. Infrastructure mode
connects endpoints to a central network, not directly to each
other. Finally, wired extension mode uses a wireless access point
to link wireless clients to a wired network.

4
Q

Selah’s and Nick’s PCs simultaneously send traffic by
transmitting at the same time. What network term describes the
range of systems on a network that could be affected by this
same issue?
A. The subnet
B. The supernet
C. A collision domain
D. A broadcast domain

A

C. A collision domain

C. A collision domain is the set of systems that could cause a
collision if they transmitted at the same time. Systems outside a
collision domain cannot cause a collision if they send at the
same time. This is important, as the number of systems in a
collision domain increases the likelihood of network congestion
due to an increase in collisions. A broadcast domain is the set of
systems that can receive a broadcast from each other. A subnet
is a logical division of a network, while a supernet is made up of
two or more networks.

5
Q

Sarah is manually reviewing a packet capture of TCP traffic and
finds that a system is setting the RST flag in the TCP packets it
sends repeatedly during a short period of time. What does this
flag mean in the TCP packet header?
A. RST flags mean “Rest.” The server needs traffic to briefly
pause.
B. RST flags mean “Relay-set.” The packets will be forwarded
to the address set in the packet.
C. RST flags mean “Resume Standard.” Communications will
resume in their normal format.
D. RST means “Reset.” The TCP session will be disconnected.

A

D. RST means “Reset.” The TCP session will be disconnected.

D. The RST flag is used to reset or disconnect a session. It can
be resumed by restarting the connection via a new three-way
handshake.

6
Q

Gary is deploying a wireless network and wants to deploy the
fastest possible wireless technology. Which one of the following
wireless networking standards should he use?
A. 802.11a
B. 802.11g
C. 802.11n
D. 802.11ac

A

D. 802.11ac

D. He should choose 802.11ac, which supports theoretical
speeds up to 3.4 Gbps. 802.11n supports up to 600 Mbps, while
802.11g and 802.11a are only capable of 54 Mbps.

7
Q

Michele wants to replace FTP traffic with a secure replacement.
What secure protocol should she select instead?
A. TFTP
B. HFTPS
C. SecFTP
D. SFTP

A

D. SFTP

D. Both FTP/S and SFTP are commonly used as replacements
for insecure FTP services. SFTP offers the advantage of using SSH
for transfers, making it easy to use existing firewall rules. TFTP
is trivial FTP, an insecure quick transfer method often used to
transfer files for network devices, among other uses. HFTPS and
SecFTP were made up for this question.

8
Q

Jake has been told that there is a layer 3 problem with his
network. Which of the following is associated with layer 3 in the
OSI model?
A. IP addresses
B. TCP and UDP protocols
C. MAC addresses
D. Sending and receiving bits via hardware

A

A. IP addresses

A. The Network layer, or layer 3, uses IP addresses for logical
addressing. TCP and UDP protocols are used at the Transport
layer, which is layer 4. Hardware addresses are used at layer 2,
the Data Link layer, and sending and receiving bits via hardware
is done at the Physical layer (layer 1).

9
Q

Frank is responsible for ensuring that his organization has
reliable, supported network hardware. Which of the following is
not a common concern for network administrators as they work
to ensure their network continues to be operational?
A. If the devices have vendor support
B. If the devices are under warranty
C. If major devices support redundant power supplies
D. If all devices support redundant power supplies

A

D. If all devices support redundant power supplies

D. Most networks include many edge devices like wireless
access points and edge switches. These devices often have a
single power supply to balance cost against reliability and will
simply be replaced if they fail. More critical devices like routers
and core switches are typically equipped with redundant power
supplies to ensure that larger segments of the network do not
fail if a component fails. Of course, making sure devices are
supported so they get updates and that they are under warranty
are both common practices for supportable networks.

10
Q

Brian is selecting an authentication protocol for a PPP
connection. He would like to select an option that encrypts both
usernames and passwords and protects against replay using a
challenge/response dialog. He would also like to reauthenticate
remote systems periodically. Which protocol should he use?
A. PAP
B. CHAP
C. EAP
D. LEAP

A

B. CHAP

B. The Challenge-Handshake Authentication Protocol, or
CHAP, is used by PPP servers to authenticate remote clients. It
encrypts both the username and password and performs
periodic reauthentication while connected using techniques to
prevent replay attacks. LEAP provides reauthentication but was
designed for WEP, while PAP sends passwords unencrypted.
EAP is extensible and was used for PPP connections, but it
doesn’t directly address the listed items.

11
Q

Which one of the following protocols is commonly used to
provide back-end authentication services for a VPN?
A. HTTPS
B. RADIUS
C. ESP
D. AH

A

B. RADIUS

B. The Remote Access Dial In User Service (RADIUS) protocol
was originally designed to support dial-up modem connections
but is still commonly used for VPN-based authentication.
HTTPS is not an authentication protocol. ESP and AH are IPsec
protocols but do not provide authentication services for other
systems.

12
Q

Isaac wants to ensure that his VoIP session initialization is
secure. What protocol should he ensure is enabled and
required?
A. SVOIP
B. PBSX
C. SIPS
D. SRTP

A

C. SIPS

C. SIPS, the secure version of the Session Initialization Protocol
for VoIP, adds TLS encryption to keep the session initialization
process secure. SVOIP and PBSX are not real protocols, but
SRTP is the secure version of RTP, the Real-time Transport
Protocol.

13
Q

Internet
|A|
Firewall -|B|- Web Server
Router -|C|- VPN Concentrator
||
Switch
||
Workstations

What type of firewall design is shown in the diagram?
A. A single-tier firewall
B. A two-tier firewall
C. A three-tier firewall
D. A four-tier firewall

A

B. A two-tier firewall

B. The firewall in the diagram has two protected zones behind
it, making it a two-tier firewall design.

14
Q

Internet
|A|
Firewall -|B|- Web Server
Router -|C|- VPN Concentrator
Switch
Workstations

If the VPN grants remote users the same access to network and
system resources as local workstations have, what security issue
should Chris raise?
A. VPN users will not be able to access the web server.
B. There is no additional security issue; the VPN
concentrator’s logical network location matches the logical
network location of the workstations.
C. Web server traffic is not subjected to stateful inspection.
D. VPN users should only connect from managed PCs.

A

D. VPN users should only connect from managed PCs.

D. Remote PCs that connect to a protected network need to
comply with security settings and standards that match those
required for the internal network. The VPN concentrator
logically places remote users in the protected zone behind the
firewall, but that means user workstations (and users) must be
trusted in the same way that local workstations are.

15
Q

Internet
|A|
Firewall -|B|- Web Server
Router -|C|- VPN Concentrator
Switch
Workstations

If Chris wants to stop cross-site scripting attacks against the web
server, what is the best device for this purpose, and where
should he put it?
A. A firewall, location A
B. An IDS, location A
C. An IPS, location B
D. A WAF, location C

A

C. An IPS, location B

C. An intrusion protection system can scan traffic and stop both
known and unknown attacks. A web application firewall, or
WAF, is also a suitable technology, but placing it at location C
would only protect from attacks via the organization’s VPN,
which should only be used by trusted users. A firewall typically
won’t have the ability to identify and stop cross-site scripting
attacks, and IDS systems only monitor and don’t stop attacks.

16
Q

Susan is deploying a routing protocol that maintains a list of
destination networks with metrics that include the distance in
hops to them and the direction traffic should be sent to them.
What type of protocol is she using?
A. A link-state protocol
B. A link-distance protocol
C. A destination metric protocol
D. A distance-vector protocol

A

D. A distance-vector protocol

D. Distance-vector protocols use metrics including the direction
and distance in hops to remote networks to make decisions. A
link-state routing protocol considers the shortest distance to a
remote network. Destination metric and link-distance protocols
don’t exist.

17
Q

Ben has configured his network to not broadcast an SSID. Why
might Ben disable SSID broadcast, and how could his SSID be
discovered?
A. Disabling SSID broadcast prevents attackers from discovering the encryption key. The SSID can be recovered from decrypted packets.
B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer.
C. Disabling SSID broadcast prevents issues with beacon frames. The SSID can be recovered by reconstructing the BSSID.
D. Disabling SSID broadcast helps avoid SSID conflicts. The SSID can be discovered by attempting to connect to the network.

A

B. Disabling SSID broadcast hides networks from unauthorized personnel. The SSID can be discovered using a wireless sniffer.

B. Disabling SSID broadcast can help prevent unauthorized
personnel from attempting to connect to the network. Since the
SSID is still active, it can be discovered by using a wireless
sniffer. Encryption keys are not related to SSID broadcast,
beacon frames are used to broadcast the SSID, and it is possible
to have multiple networks with the same SSID.

18
Q

What network tool can be used to protect the identity of clients
while providing Internet access by accepting client requests,
altering the source addresses of the requests, mapping requests
to clients, and sending the modified requests out to their
destination?
A. A switch
B. A proxy
C. A router
D. A firewall

A

B. A proxy

B. A proxy is a form of gateway that provides clients with a
filtering, caching, or other service that protects their information
from remote systems. A router connects networks, while a
firewall uses rules to limit traffic permitted through it. A switch
is used to connect systems and does not provide these
capabilities.

19
Q

Susan wants to secure her communications traffic via multiple
internet service providers as it is sent to her company’s second
location. What technology should she use to protect the traffic
for an always on, always connected link between the sites?
A. FCoE
B. SDWAN
C. A point-to-point IPsec VPN
D. Zigbee

A

C. A point-to-point IPsec VPN

C. A point-to-point IPsec VPN can provide a secure, encrypted
channel that is established on an ongoing basis between the two
sites, ensuring that Susan’s traffic is not exposed along the path
that it travels. FCoE is Fibre Channel over Ethernet, a storage
protocol. SD-WAN is a software-defined wide area network, and
Zigbee is a low-power wireless protocol. None of these addresses
Susan’s needs.

20
Q

Melissa wants to combine multiple physical networks in her
organization in a way that is transparent to users but allows the
resources to be allocated as needed for networked services.
What type of network should she deploy?
A. iSCSI
B. A virtual network
C. SDWAN
D. A CDN

A

B. A virtual network

B. A virtual network can be used to combine existing networks
or to divide a network into multiple segments. Melissa can use a
virtual network to combine existing networks and then use
software-defined networking capabilities to allocate and manage
network resources. iSCSI is a converged storage protocol. An
SD-WAN is a software-defined wide area network, and this
question does not specify LAN or WAN technologies. A CDN is a
content distribution network and helps with load and denial-of-service attacks.

21
Q

Which email security solution provides two major usage modes:
(1) signed messages that provide integrity, sender
authentication, and nonrepudiation; and (2) an enveloped
message mode that provides integrity, sender authentication,
and confidentiality?
A. S/MIME
B. MOSS
C. PEM
D. DKIM

A

A. S/MIME

A. S/MIME supports both signed messages and a secure
envelope method. While the functionality of S/MIME can be
replicated with other tools, the secure envelope is an S/MIME-specific concept. MOSS, or MIME Object Security Services, and
PEM can also both provide authentication, confidentiality,
integrity, and nonrepudiation, while DKIM, or Domain Keys
Identified Mail, is a domain validation tool.

21
Q

During a security assessment, Jim discovers that the
organization he is working with uses a multilayer protocol to
handle SCADA systems and recently connected the SCADA
network to the rest of the organization’s production network.
What concern should he raise about serial data transfers carried
via TCP/IP?
A. SCADA devices that are now connected to the network can now be attacked over the network.
B. Serial data over TCP/IP cannot be encrypted.
C. Serial data cannot be carried in TCP packets.
D. TCP/IP’s throughput can allow for easy denial-of-service attacks against serial devices.

A

A. SCADA devices that are now connected to the network can now be attacked over the network.

A. Multilayer protocols like DNP3 allow SCADA and other
systems to use TCP/IP-based networks to communicate. Many
SCADA devices were never designed to be exposed to a network,
and adding them to a potentially insecure network can create
significant risks. TLS or other encryption can be used on TCP
packets, meaning that even serial data can be protected. Serial
data can be carried via TCP packets because TCP packets don’t
care about their content; it is simply another payload. Finally,
TCP/IP does not have a specific throughput as designed, so
issues with throughput are device-level issues.

21
Q

Alicia’s company has implemented multifactor authentication
using SMS messages to provide a numeric code. What is the
primary security concern that Alicia may want to express about
this design?
A. SMS messages are not encrypted.
B. SMS messages can be spoofed by senders.
C. SMS messages may be received by more than one phone.
D. SMS messages may be stored on the receiving phone.

A

A. SMS messages are not encrypted.

A. SMS messages are not encrypted, meaning that they could be
sniffed and captured. While using two factors is more secure
than a single factor, SMS is one of the less secure ways to
implement two-factor authentication because of this. SMS
messages can be spoofed, can be received by more than one
phone, and are typically stored on the recipient’s phone. The
primary threat here, however, is the unencrypted message itself.

21
Q

The Address Resolution Protocol (ARP) and the Reverse
Address Resolution Protocol (RARP) operate at what layer of the
OSI model?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4

A

B. Layer 2

B. ARP and RARP operate at the Data Link layer, the second
layer of the OSI model. Both protocols deal with physical
hardware addresses, which are used above the Physical layer
(layer 1) and below the Network layer (layer 3), thus falling at
the Data Link layer.

21
Q

Which of the following is a converged protocol that allows
storage mounts over TCP, and which is frequently used as a
lower-cost alternative to Fibre Channel?
A. MPLS
B. SDN
C. VoIP
D. iSCSI

A

D. iSCSI

D. iSCSI is a converged protocol that allows location-independent file services over traditional network technologies.
It costs less than traditional Fibre Channel. VoIP is Voice over
IP, SDN is software-defined networking, and MPLS is
Multiprotocol Label Switching, a technology that uses path
labels instead of network addresses.

21
Q

What speed and frequency range are used by 802.11n?
A. 5 GHz only
B. 900 MHz and 2.4 GHz
C. 2.4 GHz and 5 GHz
D. 2.4 GHz only

A

C. 2.4 GHz and 5 GHz

C. 802.11n can operate on both the 2.4 and 5 GHz frequency
ranges. The 900 MHz range has frequently been used for phones
and non-WiFi wireless networks as well as other amateur radio
uses. Knowing that multiple ranges are available and that they
may behave differently based on how many access points are in
use and whether other devices that may cause interference on
that band are in the area can be important for wireless network
deployments.

21
Q

Which of the following drawbacks is a concern when multilayer
protocols are allowed?
A. A range of protocols may be used at higher layers.
B. Covert channels are allowed.
C. Filters cannot be bypassed.
D. Encryption can’t be incorporated at multiple layers.

A

B. Covert channels are allowed.

B. Multilayer protocols create three primary concerns for
security practitioners: they can conceal covert channels (and
thus covert channels are allowed), filters can be bypassed by
traffic concealed in layered protocols, and the logical boundaries
put in place by network segments can be bypassed under some
circumstances. Multilayer protocols allow encryption at various
layers and support a range of protocols at higher layers.

21
Q

Ben provides networking and security services for a small chain
of coffee shops. The coffee shop chain wants to provide secure,
free wireless for customers. Which of the following is the best
option available to Ben to allow customers to connect securely to
his wireless network without needing a user account if Ben does
not need to worry about protocol support issues?
A. Use WPA2 in PSK mode.
B. Use WPA3 in SAE mode.
C. Use WPA2 in Enterprise mode.
D. Use a captive portal.

A

B. Use WPA3 in SAE mode.

B. WPA3’s new SAE (simultaneous authentication of equals)
mode improves on WPA2’s PSK mode by allowing for secure
authentication between clients and the wireless network without
enterprise user accounts. If Ben needed to worry about support
for WPA3, which may not be available to all systems that may
want to connect, he might have to choose WPA2. A captive
portal is often used with open guest networks, and Enterprise
mode requires user accounts.

21
Q

Chris is building an Ethernet network and knows that he needs
to span a distance of more than 150 meters with his 1000BaseT
network. What network technology should he use to help with
this?
A. Install a repeater, a switch, or a concentrator before 100 meters.
B. Use Category 7 cable, which has better shielding for higher speeds.
C. Install a gateway to handle the distance.
D. Use STP cable to handle the longer distance at high speeds.

A

A. Install a repeater, a switch, or a concentrator before 100 meters.

A. A repeater, switch, or concentrator will amplify the signal,
ensuring that the 100-meter distance limitation of 1000BaseT is
not an issue. A gateway would be useful if network protocols
were changing, while Cat7 cable is appropriate for a 10 Gbps
network at much shorter distances. STP cable is limited to 155
Mbps and 100 meters, which would leave Chris with network
problems.

21
Q

Which of the following is not an example of a converged protocol?
A. MIME
B. FCoE
C. iSCSI
D. VoIP

A

A. MIME

A. Fibre Channel over Ethernet (FCoE), Internet Small
Computer Systems Interface (iSCSI), and Voice over Internet
Protocol (VoIP) are all examples of converged protocols that
combine specialized protocols with standard protocols like
TCP/IP. MIME, Multipurpose Internet Mail Extensions, is not a
converged protocol.

21
Q

Joanna wants to deploy 4G LTE as an out-of-band management
solution for devices at remote sites. Which of the following
security capabilities is not commonly available from 4G service
providers?
A. Encryption capabilities
B. Device-based authentication
C. Dedicated towers and antennas for secure service subscribers
D. SIM-based authentication

A

C. Dedicated towers and antennas for secure service subscribers

C. While security features vary from provider to provider,
encryption, device-based authentication (for example, using
certificates), and SIM-based authentication are all common
options for 4G connectivity solutions. Joanna should work with
her provider to determine what capabilities are available and
assess whether they meet her needs.

21
Q

Sue modifies her MAC address to one that is allowed on a
network that uses MAC filtering to provide security. What is the
technique Sue used, and what nonsecurity issue could her
actions cause?
A. Broadcast domain exploit, address conflict
B. Spoofing, token loss
C. Spoofing, address conflict
D. Sham EUI creation, token loss

A

C. Spoofing, address conflict

C. The process of using a fake MAC (Media Access Control)
address is called spoofing, and spoofing a MAC address already
in use on the network can lead to an address collision,
preventing traffic from reaching one or both systems. Tokens are
used in token ring networks, which are outdated, and EUI refers
to an Extended Unique Identifier, another term for MAC
address, but token loss is still not the issue. Broadcast domains
refer to the set of machines a host can send traffic to via a
broadcast message.

21
Q

The company that Kathleen works for has moved to remote
work for most employees and wants to ensure that the
multimedia collaboration platform that they use for voice, video,
and text-based collaboration is secure. Which of the following
security options will provide the best user experience while
providing appropriate security for communications?
A. Require software-based VPN to the corporate network for all use of the collaboration platform.
B. Require the use of SIPS and SRTP for all communications.
C. Use TLS for all traffic for the collaboration platform.
D. Deploy secure VPN endpoints to each remote location and use a point-to-point VPN for communications.

A

C. Use TLS for all traffic for the collaboration platform.

C. Most modern applications support TLS throughout their
communications, allowing clients to securely connect to the
service and to encrypt communications. VPN, either in software
or hardware form, will be more complex and unwieldy.
Software-based VPN would be more flexible, and hardware-based VPN would be more expensive and more complex. SIPS
and SRTP are appropriate for a VoIP environment, but are not
generally a complete solution for a modern multimedia
collaboration platform like Microsoft Teams, Zoom, or WebEx.

21
Q

Selah wants to provide port-based authentication on her
network to ensure that clients must authenticate before using
the network. What technology is an appropriate solution for this
requirement?
A. 802.11a
B. 802.3
C. 802.15.1
D. 802.1x

A

D. 802.1x

D. 802.1x provides port-based authentication and can be used
with technologies like EAP, the Extensible Authentication
Protocol. 802.11a is a wireless standard, 802.3 is the standard
for Ethernet, and 802.15.1 was the original Bluetooth IEEE
standard.

21
Q

Chris uses a cellular hot spot to provide internet access when he
is traveling. If he leaves the hot spot connected to his PC while
his PC is on his organization’s corporate network, what security
issue might he cause?
A. Traffic may not be routed properly, exposing sensitive data.
B. His system may act as a bridge from the internet to the local network.
C. His system may be a portal for a reflected DDoS attack.
D. Security administrators may not be able to determine his IP
address if a security issue occurs.

A

B. His system may act as a bridge from the internet to the local network.

B. When a workstation or other device is connected
simultaneously to both a secure network and a nonsecure
network like the internet, it may act as a bridge, bypassing the
security protections located at the edge of a corporate network.
It is unlikely that traffic will be routed improperly leading to the
exposure of sensitive data, as traffic headed to internal systems
and networks is unlikely to be routed to the external network.
Reflected DDoS attacks are used to hide identities rather than to
connect through to an internal network, and security
administrators of managed systems should be able to determine
both the local and wireless IP addresses his system uses.

21
Q

Internet -|TCP 80|- Computer B
||
Firewall
Router
Switch — Computer C
|TCP80|
Computer A

What protocol is the messaging traffic most likely to use based
on the diagram?
A. SLACK
B. HTTP
C. SMTP
D. HTTPS

A

B. HTTP

B. The use of TCP port 80 indicates that the messaging service
is using the HTTP protocol. Slack is a messaging service that
runs over HTTPS, which uses port 443. SMTP is an email
protocol that uses port 25.

21
Q

Internet -|TCP 80|- Computer B
||
Firewall
Router
Switch — Computer C
|TCP80|
Computer A

How could Selah’s company best address a desire for secure
messaging for users of internal systems A and C?
A. Use a third-party messaging service.
B. Implement and use a locally hosted service.
C. Use HTTPS.
D. Discontinue use of messaging and instead use email, which
is more secure.

A

B. Implement and use a locally hosted service.

B. If a business need requires messaging, using a local
messaging server is the best option. This prevents traffic from
traveling to a third-party server and can offer additional benefits
such as logging, archiving, and control of security options like
the use of encryption.

21
Q

Casey has been asked to determine if Zigbee network traffic can
be secured in transit. What security mechanism does Zigbee use
to protect data traffic?
A. 3DES encryption
B. AES encryption
C. ROT13 encryption
D. Blowfish encryption

A

B. AES encryption

B. Zigbee uses AES to protect network traffic, providing
integrity and confidentiality controls. It does not use 3DES, and
ROT13 is a simple rotational cipher you might find in a cereal
box or secret decoder ring.

21
Q

What security control does MAC cloning attempt to bypass for
wired networks?
A. Port security
B. VLAN hopping
C. 802.1q trunking
D. Etherkiller prevention

A

A. Port security

A. Port security prevents unrecognized or unpermitted systems
from connecting to a network port based on their MAC address.
Cloning a permitted or legitimate MAC address attempts to
bypass this. VLAN hopping and 802.1q trunking attacks attempt
to access other subnets by encapsulating packets so they will be
unwrapped and directed to the other subnet. Etherkiller
prevention is not a security setting or control.

21
Q

Melissa uses the ping utility to check whether a remote system is
up as part of a penetration testing exercise. If she does not want
to see her own ping packets, what protocol should she filter out
from her packet sniffer’s logs?
A. UDP
B. TCP
C. IP
D. ICMP

A

D. ICMP

D. Ping uses ICMP, the Internet Control Message Protocol, to
determine whether a system responds and how many hops there
are between the originating system and the remote system.
Melissa simply needs to filter out ICMP to not see her pings.

21
Q

In her role as an information security professional, Susan has
been asked to identify areas where her organization’s wireless
network may be accessible even though it isn’t intended to be.
What should Susan do to determine where her organization’s
wireless network is accessible?
A. A site survey
B. Warwalking
C. Wardriving
D. A design map

A

A. A site survey

A. Wardriving and warwalking are both processes used to locate
wireless networks, but are not typically as detailed and thorough
as a site survey, and design map is a made-up term.

21
Q

Internet -|TCP 80|- Computer B
||
Firewall
Router
Switch — Computer C
|TCP80|
Computer A

What security concern does sending internal communications
from A to B raise?
A. The firewall does not protect system B.
B. System C can see the broadcast traffic from system A to B.
C. It is traveling via an unencrypted protocol.
D. Messaging does not provide nonrepudiation.

A

C. It is traveling via an unencrypted protocol.

C. HTTP traffic is typically sent via TCP 80. Unencrypted HTTP
traffic can be easily captured at any point between A and B,
meaning that the messaging solution chosen does not provide
confidentiality for the organization’s corporate communications.

21
Q

What features can IPsec provide for secure communication?
A. Encryption, access control, nonrepudiation and message authentication
B. Protocol convergence, content distribution, microsegmentation, and network virtualization
C. Encryption, authorization, nonrepudiation, and message integrity checking
D. Micro-segmentation, network virtualization, encryption, and message authentication

A

A. Encryption, access control, nonrepudiation and message authentication

A. IPsec, or Internet Protocol Security, can provide encryption,
access control, nonrepudiation, and message authentication
using public key cryptography. It does not provide
authorization, protocol convergence, content distribution, or the
other items listed.

21
Q

SMTP, HTTP, and SNMP all occur at what layer of the OSI
model?
A. Layer 4
B. Layer 5
C. Layer 6
D. Layer 7

A

D. Layer 7

D. Application-specific protocols are handled at layer 7, the
Application layer of the OSI model.

21
Q

Ben has deployed a 1000BaseT gigabit network and needs to run
a cable across a large building. If Ben is running his link directly
from a switch to another switch in that building, what is the
maximum distance Ben can cover according to the 1000BaseT
specification?
A. 2 kilometers
B. 500 meters
C. 185 meters
D. 100 meters

A

D. 100 meters

D. 1000BaseT is capable of a 100-meter run according to its
specifications. For longer distances and exterior runs, a fiber-optic
cable is typically used in modern networks.

21
Q

Chris wants to use a low-power, personal area network wireless
protocol for a device he is designing. Which of the following
wireless protocols is best suited to creating small, low-power
devices that can connect to each other at relatively short
distances across buildings or rooms?
A. WiFi
B. Zigbee
C. NFC
D. Infrared

A

B. Zigbee

B. Zigbee is designed for this type of low-power, Internet of
Things network, and would be the best option for Chris. Some
versions of Bluetooth are designed to operate in low-power
mode as well, but Bluetooth isn’t in this list of answers. WiFi
requires more power, NFC is very short range and would not
work across a building or room, and infrared requires line of
sight and is rarely used for that reason.

21
Q

Cameron is worried about distributed denial-of-service attacks
against his company’s primary web application. Which of the
following options will provide the most resilience against large-scale DDoS attacks?
A. A CDN
B. Increasing the number of servers in the web application server cluster
C. Contract for DDoS mitigation services via the company’s ISP
D. Increasing the amount of bandwidth available from one or more ISPs

A

A. A CDN

A. A content delivery network, or CDN, run by a major provider
can handle large-scale DDoS attacks more easily than any of the
other solutions. Using DDoS mitigation techniques via an ISP is
the next most useful capability, followed by both increases in
bandwidth and increases in the number of servers in the web
application cluster.

21
Q

Wayne wants to deploy a secure voice communication network.
Which of the following techniques should he consider? (Select
all that apply.)
A. Use a dedicated VLAN for VoIP phones and devices.
B. Require the use of SIPS and SRTP.
C. Require the use of VPN for all remote VoIP devices.
D. Implement a VoIP IPS.

A

A. Use a dedicated VLAN for VoIP phones and devices.
B. Require the use of SIPS and SRTP.

A, B. Wayne should consider the use of a dedicated VLAN for
VoIP devices to help separate them from other networked
devices, and he should also require the use of SIPS and SRTP,
both secure protocols that will keep his VoIP traffic encrypted.
Requiring the use of VPN for all remote VoIP devices is not
necessary if SIPS and SRTP are in use, and a specific IPS for
VoIP is not a typical deployment in most organizations.

21
Q

Which OSI layer includes electrical specifications, protocols, and
interface standards?
A. The Transport layer
B. The Device layer
C. The Physical layer
D. The Data Link layer

A

C. The Physical layer

C. The Physical layer includes electrical specifications,
protocols, and standards that allow control of throughput,
handling line noise, and a variety of other electrical interface
and signaling requirements. The OSI model doesn’t have a Device
layer. The Transport layer connects the Network and Session
layers, and the Data Link layer packages packets from the
network layer for transmission and receipt by devices operating
on the Physical layer.

21
Q

Which of the following options includes standards or protocols
that exist in layer 6 of the OSI model?
A. NFS, SQL, and RPC
B. TCP, UDP, and TLS
C. JPEG, ASCII, and MIDI
D. HTTP, FTP, and SMTP

A

C. JPEG, ASCII, and MIDI

C. Layer 6, the Presentation layer, transforms data from the
Application layer into formats that other systems can
understand by formatting and standardizing the data. That
means that standards like JPEG, ASCII, and MIDI are used at
the Presentation layer for data. TCP, UDP, and TLS are used at
the Transport layer; NFS, SQL, and RPC operate at the Session
layer; and HTTP, FTP, and SMTP are Application layer
protocols.

21
Q

Kathleen has two primary locations in a town and wants the two
environments to appear like the same local network. Each
location has a router, switches, and wireless access points
deployed to them. What technology would best work to allow
her to have the two facilities appear to be on the same network
segment?
A. SDWAN
B. VXLAN
C. VMWAN
D. iSCSI

A

B. VXLAN

B. VXLAN is an encapsulation protocol that carries VLANs
across routable networks, making two different network
locations appear to be on the same segment despite distance and
network differences. SD-WAN is a software-defined wide area
network, a way to manage and control wide area network
connections. iSCSI is a storage protocol over IP, and VMWAN
was made up for this question.

22
Q

There are four common VPN protocols. Which group listed
contains all of the common VPN protocols?
A. PPTP, LTP, L2TP, IPsec
B. PPP, L2TP, IPsec, VNC
C. PPTP, L2F, L2TP, IPsec
D. PPTP, L2TP, IPsec, SPAP

A

C. PPTP, L2F, L2TP, IPsec

C. PPTP, L2F, L2TP, and IPsec are the most common VPN
protocols. TLS is also used for an increasingly large percentage
of VPN connections and may appear at some point in the CISSP
exam. PPP is a dial-up protocol, LTP is not a protocol, and SPAP
is the Shiva Password Authentication Protocol sometimes used
with PPTP.

22
Q

Chris has been asked to choose between implementing PEAP
and LEAP for wireless authentication. What should he choose,
and why?
A. LEAP, because it fixes problems with TKIP, resulting in stronger security
B. PEAP, because it implements CCMP for security
C. LEAP, because it implements EAP-TLS for end-to-end session encryption
D. PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session

A

D. PEAP, because it can provide a TLS tunnel that encapsulates EAP methods, protecting the entire session

D. PEAP provides encryption for EAP methods and can provide
authentication. It does not implement CCMP, which was
included in the WPA2 standard. LEAP is dangerously insecure
and should not be used due to attack tools that have been
available since the early 2000s.

22
Q

Ben is designing a WiFi network and has been asked to choose
the most secure option for the network. Which wireless security
standard should he choose?
A. WPA2
B. WPA
C. WEP
D. WPA3

A

D. WPA3

D. WPA3, the replacement for WPA2, adds security features
including a new mode called simultaneous authentication of
equals that replaces the pre-shared key mode from WPA2 with a
more secure option. Overall, it provides security improvements,
but may not be immediately implemented due to time for
hardware and software to fully support it. WPA2 has been the
most commonly deployed wireless security standard having
replaced WPA and WEP.

22
Q

Ben is troubleshooting a network and discovers that the NAT
router he is connected to has the 192.168.x.x subnet as its
internal network and that its external IP is 192.168.1.40. What
problem is he encountering?
A. 192.168.x.x is a nonroutable network and will not be carried to the internet.
B. 192.168.1.40 is not a valid address because it is reserved by RFC 1918.
C. Double NATing is not possible using the same IP range.
D. The upstream system is unable to de-encapsulate his packets, and he needs to use PAT instead.

A

C. Double NATing is not possible using the same IP range.

C. Double NATing isn’t possible with the same IP range; the
same IP addresses cannot appear inside and outside a NAT
router. RFC 1918 addresses are reserved, but only so they are
not used and routable on the internet, and changing to PAT
would not fix the issue.

22
Q

Segmentation, sequencing, and error checking all occur at what
layer of the OSI model that is associated with SSL, TLS, and
UDP?
A. The Transport layer
B. The Network layer
C. The Session layer
D. The Presentation layer

A

A. The Transport layer

A. The Transport layer provides logical connections between
devices, including end-to-end transport services to ensure that
data is delivered. Transport layer protocols include TCP, UDP,
SSL, and TLS.

22
Q

What technical difference separates wireless communication via
WiFi and LiFi?
A. LiFi is not susceptible to electromagnetic interference.
B. LiFi cannot be used to deliver broadband speeds.
C. WiFi is not susceptible to electromagnetic interference.
D. WiFi cannot be used to deliver broadband speeds.

A

A. LiFi is not susceptible to electromagnetic interference.

A. LiFi uses visible and infrared light to transmit data at high
speeds. While LiFi deployments are not occurring broadly yet,
they have met with initial successes in some real-world
applications. LiFi and WiFi can deliver broadband speeds, and
WiFi, unlike LiFi, is susceptible to EM interference.

22
Q

What is the default subnet mask for a Class B network?
A. 255.0.0.0
B. 255.255.0.0
C. 255.254.0.0
D. 255.255.255.0

A

B. 255.255.0.0

B. A Class B network holds 2^16 systems, and its default
network mask is 255.255.0.0.

22
Q

The Windows ipconfig command displays the following
information:
BC-5F-F4-7B-4B-7D
What term describes this, and what information can usually be
gathered from it?
A. The IP address, the network location of the system
B. The MAC address, the network interface card’s manufacturer
C. The MAC address, the media type in use
D. The IPv6 client ID, the network interface card’s manufacturer

A

B. The MAC address, the network interface card’s manufacturer

B. Machine Access Control (MAC) addresses are the hardware
address the machine uses for layer 2 communications. The MAC
addresses include an organizationally unique identifier (OUI),
which identifies the manufacturer. MAC addresses can be
changed, so this is not a guarantee of accuracy, but under
normal circumstances you can tell what manufacturer made the
device by using the MAC address.

22
Q

Jim’s organization uses a traditional PBX for voice
communication. What is the most common security issue that
its internal communications are likely to face, and what should
he recommend to prevent it?
A. Eavesdropping, encryption
B. Man-in-the-middle attacks, end-to-end encryption
C. Eavesdropping, physical security
D. Wardialing, deploy an IPS

A

C. Eavesdropping, physical security

C. Traditional private branch exchange (PBX) systems are
vulnerable to eavesdropping because voice communications are
carried directly over copper wires. Since standard telephones
don’t provide encryption (and you’re unlikely to add encrypted
phones unless you’re the NSA), physically securing access to the
lines and central connection points is the best strategy available.

22
Q

Selah’s organization has deployed VoIP phones on the same
switches that the desktop PCs are on. What security issue could
this create, and what solution would help?
A. VLAN hopping; use physically separate switches.
B. VLAN hopping; use encryption.
C. Caller ID spoofing; MAC filtering.
D. Denial-of-service attacks; use a firewall between networks.

A

A. VLAN hopping; use physically separate switches.

A. VLAN hopping between the voice and computer VLANs can
be accomplished when devices share the same switch
infrastructure. Using physically separate switches can prevent
this attack. Encryption won’t help with VLAN hopping because it
relies on header data that the switch needs to read (and this is
unencrypted), while Caller ID spoofing is an inherent problem
with VoIP systems. A denial of service is always a possibility, but
it isn’t specifically a VoIP issue and a firewall may not stop the
problem if it’s on a port that must be allowed through.

22
Q

Susan wants to use a set of nonroutable IP addresses for the
location’s internal network addresses. Using your knowledge of
secure network design principles and IP networking, which of
the following IP ranges are usable for that purpose? (Select all
that apply.)
A. 172.16.0.0/12
B. 192.168.0.0/16
C. 128.192.0.0/24
D. 10.0.0.0/8

A

A. 172.16.0.0/12
B. 192.168.0.0/16
D. 10.0.0.0/8

A, B, D. RFC 1918 defines three address ranges as private
(nonroutable) IP address ranges: 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16. Any of these would work, but many
organizations use the 192.168.0.0/16 range for smaller sites or
opt to carve out sections of the 10.0.0.0/8 range for multiple
remote sites.

23
Q

With her wireless network set up, Susan moves on to ensuring
that her network will remain operational even if disruptions
occur. What is the simplest way she can ensure that her network
devices, including her router, access points, and network
switches, stay on if a brownout or other temporary power issue
occurs?
A. Purchase and install a generator with an automatic start.
B. Deploy dual power supplies for all network devices.
C. Install UPS systems to cover all network devices that must
remain online.
D. Contract with multiple different power companies for
redundant power.

A

C. Install UPS systems to cover all network devices that must
remain online.

C. A UPS system, or uninterruptible power supply, is designed
to provide backup power during brief power disruptions ranging
from power sags and brownouts to temporary power failures.
For a longer outage, Susan will still want a generator or even a
secondary power feed from another power grid or provider if
possible, but for this specific scenario, a UPS will meet her
needs. Dual power supplies help when the concern is losing
power from one power supply and would be a great idea for her
most critical network devices, but it is rare to have dual power
supplies for edge devices like access points or edge switches.

24
Q

Susan knows that she will need to implement a WiFi network for
her customers and wants to gather information about the
customers, such as their email address, without having to
provide them with a wireless network password or key. What
type of solution would provide this combination of features?
A. NAC
B. A captive portal
C. Pre-shared keys
D. WPA3’s SAE mode

A

B. A captive portal

B. A captive portal is a popular solution that you may be
familiar with from hotels and coffee shops. They combine the
ability to gather data from customers with an open network, so
customer data will not be encrypted. This avoids the need to
distribute network passwords but means that customers must
ensure their own traffic is encrypted if they are worried about
security.

25
Q

Susan wants to provide 10 gigabit network connections to
devices in the facility where the new branch will operate. What
connectivity options does she have for structured wiring that can
meet those speeds? (Select all that apply.)
A. Cat5e
B. Fiber
C. Cat6
D. Coaxial cable

A

B. Fiber
C. Cat6

B, C. Fiber-optic cable and Cat6 cable can both run at 10 gigabit
speeds. Cat5e and coaxial cable are not rated to those speeds.

26
Q

Data streams occur at what three layers of the OSI model?
A. Application, Presentation, and Session
B. Presentation, Session, and Transport
C. Physical, Data Link, and Network
D. Data Link, Network, and Transport

A

A. Application, Presentation, and Session

A. Data streams are associated with the Application,
Presentation, and Session layers. Once they reach the Transport
layer, they become segments (TCP) or datagrams (UDP). From
there, they are converted to packets at the Network layer, frames
at the Data Link layer, and bits at the Physical layer.

27
Q

Lucca wants to protect endpoints that are in production use but
that are no longer supported and cannot be patched from
network attacks. What should he do to best protect these
devices?
A. Install a firewall on the device.
B. Disable all services and open ports on the devices.
C. Place a hardware network security device in front of the devices.
D. Unplug the devices from the network because they cannot
be properly secured.

A

C. Place a hardware network security device in front of the devices.

C. If the devices still need to be in production but cannot be
patched, Lucca’s best option is to use a separate security device
to protect them. It may be tempting to simply install a firewall
on the device or to disable all the services it exposes to the
network, but some devices may not have firewall software
available, and even if they do, the underlying operating system
may have vulnerabilities in its implementation of its network
stack or other software that even a firewall could not protect.
Unplugging devices that are needed for protection does not
resolve the need to keep them online.

28
Q

Selah’s networking team has been asked to identify a technology
that will allow them to dynamically change the organization’s
network by treating the network like code. What type of
architecture should she recommend?
A. A network that follows the 5-4-3 rule
B. A converged network
C. A software-defined network
D. A hypervisor-based network

A

C. A software-defined network

C. Software-defined networking provides a network
architecture that can be defined and configured as code or
software. This will allow Selah’s team to quickly change the
network based on organizational requirements. The 5-4-3 rule is
an old design rule for networks that relied on repeaters or hubs.
A converged network carries multiple types of traffic like voice,
video, and data. A hypervisor-based network may be software
defined, but it could also use traditional network devices
running as virtual machines.

29
Q

During a review of her organization’s network, Angela
discovered that it was suffering from broadcast storms and that
contractors, guests, and organizational administrative staff were
on the same network segment. What design change should
Angela recommend?
A. Require encryption for all users.
B. Install a firewall at the network border.
C. Enable spanning tree loop detection.
D. Segment the network based on functional requirements.

A

D. Segment the network based on functional requirements.

D. Network segmentation can reduce issues with performance
as well as diminish the chance of broadcast storms by limiting
the number of systems in a segment. This decreases broadcast
traffic visible to each system and can reduce congestion.
Segmentation can also help provide security by separating
functional groups that don’t need to be able to access each
other’s systems. Installing a firewall at the border would only
help with inbound and outbound traffic, not cross-network
traffic. Spanning tree loop prevention helps prevent loops in
Ethernet networks (for example, when you plug a switch into a
switch via two ports on each), but it won’t solve broadcast
storms that aren’t caused by a loop or security issues.
Encryption might help prevent some problems between
functional groups, but it won’t stop them from scanning other
systems, and it definitely won’t stop a broadcast storm!

30
Q

During a troubleshooting process, the support technician that
Alyssa is talking to states that the problem is a layer 3 problem.
Which of the following possible issues is not a layer 3 problem?
A. A TTL mismatch
B. An MTU mismatch
C. An incorrect ACL
D. A broken network cable

A

D. A broken network cable

D. A broken network cable is a layer 1 problem. If you encounter
a problem like this and aren’t sure, look for the answer that has
a different situation or set of assumptions. Here you have three
questions that occur at the network (layer 3), all of which have
software or protocol implications. A broken network cable is a
completely different type of issue and should stand out. Be
careful, though! The exam is likely to give you two potentially
valid answers to choose from, so work to get rid of the two least
likely answers and spend your time on the remaining options.

30
Q

Jason knows that protocols using the OSI model rely on
encapsulation as data moves from layer to layer. What is added
at each layer as data flows up the OSI layers?
A. Information is added to the header.
B. Information is added to the main body of the data.
C. The data is encrypted with a new secret key.
D. A security envelope that provides perfect forward secrecy

A

A. Information is added to the header.

A. Encapsulation adds to the header (and sometimes to the
footer) of the data provided by the previous layer. The main
body of the data is not modified, and encryption may happen
but does not always happen.

31
Q

ICMP, RIP, and network address translation all occur at what
layer of the OSI model?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4

A

C. Layer 3

C. ICMP, RIP, and network address translation all occur at layer
3, the Network layer.

32
Q

Ben is an information security professional at an organization
that is replacing its physical servers with cloud-hosted virtual
machines. As the organization builds its virtual environment, it
is moving toward a hybrid cloud operational model with some
systems and services remaining in its local data center and
others hosted in the cloud. The following diagram shows the
local data center and cloud VPC’s network IP ranges, which you
should consider as you answer the questions.
Datacenter Network: 10.0.0.0/24 | VPC Network: 10.0.0.0/24

Ben wants to ensure that the instance-to-instance (system-to-system) traffic in his cloud-hosted infrastructure as a service
environment is secure. What can he do to fully ensure that the
virtualized network traffic is not being captured and analyzed?
A. Prevent the installation of a packet sniffer on all hosts.
B. Disable promiscuous mode for all virtual network
interfaces.
C. Disallow the use of any virtual taps.
D. Encrypt all traffic between hosts.

A

D. Encrypt all traffic between hosts.

D. In an infrastructure as a service (IaaS) environment, the
company that provides the cloud environment has final control of all
the virtual machines and networks. Thus, to protect data, the
best option is to encrypt the data. Unfortunately, Ben cannot
fully ensure that traffic in his environment is not being captured
and must rely on the cloud hosting provider for that assurance.
While preventing the installation of packet sniffers and taps and
ensuring that promiscuous mode cannot be enabled are useful
habits in an environment that you control, this will not provide
the same control in a cloud environment.

33
Q

Ben is an information security professional at an organization
that is replacing its physical servers with cloud-hosted virtual
machines. As the organization builds its virtual environment, it
is moving toward a hybrid cloud operational model with some
systems and services remaining in its local data center and
others hosted in the cloud. The following diagram shows the
local data center and cloud VPC’s network IP ranges, which you
should consider as you answer the questions.
Datacenter Network: 10.0.0.0/24 | VPC Network: 10.0.0.0/24

What issue is most likely to occur due to the subnets configured
for the data center and VPC?
A. IP address conflicts
B. Routing loops
C. MAC address conflicts
D. All of the above

A

A. IP address conflicts

A. Using the same IP range for an on-site and cloud-hosted data
center can be helpful when designing a flat network, but
addresses must be carefully managed and allocated even in a
space as big as the 10.0.0.0/24 range. If addresses are not
properly managed, conflicts may arise that could disrupt
production services. MAC address conflicts should not arise
unless addresses are manually changed or virtual machines are
replicated without changing their MAC addresses. There is
nothing in the problem to suggest routing issues.

34
Q

Ben is an information security professional at an organization
that is replacing its physical servers with cloud-hosted virtual
machines. As the organization builds its virtual environment, it
is moving toward a hybrid cloud operational model with some
systems and services remaining in its local data center and
others hosted in the cloud. The following diagram shows the
local data center and cloud VPC’s network IP ranges, which you
should consider as you answer the questions.
Datacenter Network: 10.0.0.0/24 | VPC Network: 10.0.0.0/24

Ben wants to use multiple internet service providers (ISPs) to
connect to his cloud VPC to ensure reliable access and
bandwidth. What technology can he use to manage and optimize
those connections?
A. FCoE
B. VXLAN
C. SDWAN
D. LiFi

A

C. SDWAN

C. A software-defined wide area network, or SD-WAN, is
commonly used to manage multiple ISPs and other connectivity
options to ensure speed, reliability, and bandwidth design goals
are all met. Ben can use SD-WAN capabilities to accomplish his
goals to make his hybrid cloud environment successful. Fibre
Channel over Ethernet (FCoE) is a storage protocol; VXLAN is
used for extensible virtual LANs, not WANs; and LiFi uses
visible and infrared light to transfer data.

35
Q

WPA2’s Counter Mode Cipher Block Chaining Message
Authentication Mode Protocol (CCMP) is based on which
common encryption scheme?
A. DES
B. 3DES
C. AES
D. TLS

A

C. AES

C. WPA2’s CCMP encryption scheme is based on AES. As of the
writing of this book, there have not been any practical real-world
attacks against WPA2. DES has been successfully broken, and
neither 3DES nor TLS is used for WPA2.

36
Q

When a host on an Ethernet network detects a collision and transmits a jam signal, what happens next?
A. The host that transmitted the jam signal is allowed to retransmit while all other hosts pause until that transmission is received successfully.
B. All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again.
C. All hosts stop transmitting, and each host waits a period of time based on how recently it successfully transmitted.
D. Hosts wait for the token to be passed and then resume transmitting data as they pass the token.

A

B. All hosts stop transmitting, and each host waits a random period of time before attempting to transmit again.

B. Ethernet networks use Carrier-Sense Multiple Access with
Collision Detection (CSMA/CD) technology. When a collision is
detected and a jam signal is sent, hosts wait a random period of
time before attempting retransmission.

37
Q

Mark is concerned about the physical security of his network
cables. What type of network connection would be the hardest to
tap without specialized equipment?
A. WiFi
B. Bluetooth
C. Cat5/Cat6 twisted pair
D. Fiber optic

A

D. Fiber optic

D. Fiber-optic cable is the most difficult of the listed types of
network to capture data from without specialized equipment.
Given access to a fiber-optic cable and specialized equipment to
tap it, or with access to the endpoints of a fiber-optic cable and
an optical tap, access can still be obtained. In either case,
disruption may be observed when the cable is cut, spliced, or
disconnected, and many attackers will not have access, skills, or
the tools needed to do so. WiFi and Bluetooth traffic can be
captured using standard wireless cards and tools, and data
carried by twisted-pair Ethernet cables is easily captured using
commodity tools.

38
Q

Rich wants to connect his network to a building a half-mile away
from his current location. There are trees and terrain features
along the way, but a road passes between the trees to the other
location. What type of transmission media is best suited to this
type of deployment?
A. Ethernet cable with repeaters every 200 to 300 yards
B. A WiFi directional antenna
C. Fiber-optic cable
D. A LiFi system

A

C. Fiber-optic cable

C. Buried fiber-optic cable is best suited to long distances,
particularly when there are trees or other obstacles blocking line
of sight that may interfere with WiFi or LiFi deployments.
Ethernet’s distance limitations mean that repeaters would need
to be powered, and there is no description of other structures or
power along the path.

39
Q

What challenge is most common for endpoint security system
deployments?
A. Compromises
B. The volume of data
C. Monitoring encrypted traffic on the network
D. Handling non-TCP protocols

A

B. The volume of data

B. Endpoint security solutions face challenges due to the sheer
volume of data that they can create. When each workstation is
generating data about events, this can be a massive amount of
data. Endpoint security solutions should reduce the number of
compromises when properly implemented, and they can also
help by monitoring traffic after it is decrypted on the local host.
Finally, non-TCP protocols are relatively uncommon on modern
networks, making this a relatively rare concern for endpoint
security system implementations.

40
Q

What type of address is 127.0.0.1?
A. A public IP address
B. An RFC 1918 address
C. An APIPA address
D. A loopback address

A

D. A loopback address

D. The IP address 127.0.0.1 is a loopback address and will
resolve to the local machine. Public addresses are non–RFC
1918, nonreserved addresses. RFC 1918 addresses are reserved
and include ranges like 10.x.x.x. An APIPA address is a self-assigned address used when a DHCP server cannot be found.

41
Q

Susan is writing a best practices statement for her organizational users who need to use Bluetooth. She knows that there are many potential security issues with Bluetooth and wants to provide the best advice she can. Which of the following sets of guidance should Susan include?
A. Use Bluetooth’s built-in strong encryption, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
C. Use Bluetooth’s built-in strong encryption, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.
D. Use Bluetooth only for those activities that are not confidential, use extended (eight digits or longer) Bluetooth PINs, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

A

B. Use Bluetooth only for those activities that are not confidential, change the default PIN on your device, turn off discovery mode, and turn off Bluetooth when it’s not in active use.

B. Since Bluetooth doesn’t provide strong encryption, it should
only be used for activities that are not confidential. Bluetooth
PINs are four-digit codes that often default to 0000. Turning it
off and ensuring that your devices are not in discovery mode can
help prevent Bluetooth attacks.

42
Q

What type of networking device is most commonly used to
assign endpoint systems to VLANs?
A. Firewall
B. Router
C. Switch
D. Hub

A

C. Switch

C. The assignment of endpoint systems to VLANs is normally
performed by a network switch.

43
Q

Steve has been tasked with implementing a network storage
protocol over an IP network. What storage-centric converged
protocol is he likely to use in his implementation?
A. MPLS
B. FCoE
C. SDN
D. VoIP

A

B. FCoE

B. Fibre Channel over Ethernet allows Fibre Channel
communications over Ethernet networks, allowing existing high-speed networks to be used to carry storage traffic. This avoids
the cost of a custom cable plant for a Fibre Channel
implementation. MPLS, or Multiprotocol Label Switching, is
used for high-performance networking; VoIP is Voice over IP;
and SDN is software-defined networking.

44
Q

Michelle is told that the organization that she is joining uses an SD-WAN controller architecture to manage their WAN connections. What can she assume about how the network is managed and controlled? (Select all that apply.)
A. The network uses predefined rules to optimize performance.
B. The network conducts continuous monitoring to support better performance.
C. The network uses self-learning techniques to respond to changes in the network.
D. All connections are managed by the organization’s primary internet service provider.

A

A. The network uses predefined rules to optimize performance.
B. The network conducts continuous monitoring to support better performance.
C. The network uses self-learning techniques to respond to changes in the network.

A, B, C. SD-WAN implementations typically perform all of these
functions, combining active data collection via monitoring and
response via self-learning and machine intelligence techniques,
and then applying predefined rules to take action to make the
network perform as desired. SD-WAN does not imply or require
that all connections are managed by the organization’s primary
internet service provider. In fact, SD-WANs are often used to
handle multiple ISPs to allow for failover and redundancy.

45
Q

Which of the following shows the layers of the OSI model in correct order, from layer 1 to layer 7? Place the layers of the OSI model shown here in the appropriate order, from layer 1 to layer 7.
A. Layer 1 = Data Link; Layer 2 = Physical; Layer 3 = Network;
Layer 4 = Transport; Layer 5 = Session; Layer 6 =
Presentation; Layer 7 = Applications
B. Layer 1 = Physical; Layer 2 = Data Link; Layer 3 = Network;
Layer 4 = Transport; Layer 5 = Session; Layer 6 =
Presentation; Layer 7 = Applications
C. Layer 1 = Physical; Layer 2 = Data Link; Layer 3 = Network;
Layer 4 = Transport; Layer 5 = Session; Layer 6 =
Applications; Layer 7 = Presentation
D. Layer 1 = Physical; Layer 2 = Data Link; Layer 3 = Network;
Layer 4 = Session; Layer 5 = Transport; Layer 6 =
Presentation; Layer 7 = Applications

A

B. Layer 1 = Physical; Layer 2 = Data Link; Layer 3 = Network;
Layer 4 = Transport; Layer 5 = Session; Layer 6 =
Presentation; Layer 7 = Applications

B. The OSI layers in order from layer 1 to layer 7 are as follows:
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application

46
Q

Valerie enables port security on the switches on her network.
What type of attack is she most likely trying to prevent?
A. IP spoofing
B. MAC aggregation
C. CAM table flooding
D. VLAN hopping

A

C. CAM table flooding

C. Valerie is most likely trying to prevent CAM table flooding by
preventing large numbers of MAC addresses from being used on
a single port. If CAM table flooding is successful, switches will
not know where to send traffic and resort to sending all traffic to
every port, potentially exposing traffic to attackers. IP spoofing
and VLAN hopping are not prevented by port security, which
focuses on hardware (MAC) addresses. MAC aggregation was
made up for this question.

47
Q

Alaina wants to ensure that systems are compliant with her
network security settings before they are allowed on the network
and wants to ensure that she can test and validate system
settings as possible. What type of NAC system should she
deploy?
A. A pre-admit, clientless NAC system
B. A postadmission, client-based NAC system
C. A pre-admit, client-based NAC system
D. A postadmission, clientless NAC system

A

C. A pre-admit, client-based NAC system

C. A pre-admit, client-based NAC system will test systems
before they are allowed on the network using a client that can
determine more about a system than a clientless model can.
Postadmission tests after clients are already on the network, and
clientless versions are useful when installing clients isn’t
possible for systems.

48
Q

Derek wants to deploy redundant core routers. What model of high availability clustering will provide him with the greatest throughput?
A. Active/active
B. Line interactive
C. Active/passive
D. Nearline

A

A. Active/active

A. An active/active pair can use the full throughput capability of
both devices, but normal deployment models will design to the
maximum throughput of a single device to avoid disruption in
the event that one of the pair fails. Active/passive designs can
only handle the throughput of a single device and allow the
secondary device to remain ready to operate but not passing
traffic until it is needed. Line interactive is a term often used to
describe UPS systems that filter power instead of passing it
through, and near-line is a term used to describe backups that
are not online but can be retrieved relatively quickly.

49
Q

Angela needs to choose between the following protocols for
secure authentication and doesn’t want to create unneeded
technical complexity. Which authentication protocol should she
choose and why?
A. EAP, because it provides strong encryption by default
B. LEAP, because it provides frequent reauthentication and changing of WEP keys
C. PEAP, because it provides encryption and doesn’t suffer from the same vulnerabilities that LEAP does
D. EAP-TLS

A

C. PEAP, because it provides encryption and doesn’t suffer from the same vulnerabilities that LEAP does

C. Of the three answers, PEAP is the best solution. It
encapsulates EAP in a TLS tunnel, providing strong encryption.
LEAP is a Cisco proprietary protocol that was originally
designed to help deal with problems in WEP. LEAP’s protections
have been defeated, making it a poor choice. EAP-TLS is secure
but requires client certificates, making it difficult to deploy and
manage.

50
Q

What is a frequent concern for systems that require high-performing internet connectivity when satellite internet is the
only available option?
A. Security
B. Compatibility with protocols like LiFi
C. Compatibility with protocols like Zigbee
D. Latency

A

D. Latency

D. Most existing satellite internet systems have relatively high
latency. Newer low Earth orbit satellites like Starlink appear to
provide better latency than higher orbits, but latency and
susceptibility to interference from weather are both common
concerns for satellite-based systems.

51
Q

What layer of an SDN implementation uses programs to
communicate needs for resources via APIs?
A. The data plane
B. The control plane
C. The application plane
D. The monitoring plane

A

C. The application plane

C. The application plane of a software-defined network (SDN) is
where applications run that use application programming
interfaces (APIs) to communicate with the SDN about needed
resources. The control plane receives instructions and sends
them to the network. The last common plane is the devices
themselves.

52
Q

Which of the following is not a drawback of multilayer
protocols?
A. They can allow filters and rules to be bypassed.
B. They can operate at higher OSI levels.
C. They can allow covert channels.
D. They can allow network segment boundaries to be
bypassed.

A

B. They can operate at higher OSI levels.

B. Common drawbacks of multilayer protocols are that they can
bypass filters, allow or create covert channels, and allow
network segment boundaries to be bypassed. The ability to
operate at higher OSI layer levels is normally considered a
benefit.

53
Q

What is the maximum speed that Category 5e cable is rated for?
A. 5 Mbps
B. 10 Mbps
C. 100 Mbps
D. 1000 Mbps

A

D. 1000 Mbps

D. Category 5e cable is rated for speeds up to 1000 Mbps. If you
need a faster network connection, you can consider Cat6 or
higher copper cables or move to fiber where speeds can be much
higher.

53
Q

Place the following layers of the TCP/IP model in order, starting
with the Application layer and moving down the stack.
1. Application layer
2. Network Access layer
3. Internet layer
4. Transport layer

A. 1, 2, 3, 4
B. 1, 4, 2, 3
C. 1, 4, 3, 2
D. 4, 1, 3, 2

A

C. 1, 4, 3, 2

C. In order, the layers are: Application layer, Transport layer,
Internet layer, and Network Access layer.

54
Q

What are two primary advantages that 5G networks have over
4G networks? (Select all that apply.)
A. Anti-jamming features
B. Enhanced subscriber identity protection
C. Mutual authentication capabilities
D. Multifactor authentication

A

B. Enhanced subscriber identity protection
C. Mutual authentication capabilities

B, C. 5G technology includes both a new mutual authentication
capability and additional protections for subscriber identities. It
does not have specific anti-jamming security features and does
not specifically use multifactor authentication.

55
Q

What function does VXLAN perform in a data center environment?
A. It removes limitations due to maximum distance for Ethernet cables.
B. It allows multiple subnets to exist in the same IP space with hosts using the same IP addresses.
C. It tunnels layer 2 connections over a layer 3 network, stretching them across the underlying layer 3 network.
D. All of the above

A

C. It tunnels layer 2 connections over a layer 3 network, stretching them across the underlying layer 3 network.

C. VXLAN tunnels layer 2 connections over a layer 3 network,
in essence extending a LAN over distances or networks that it
might not otherwise function over. It does not remove the
distance limitations of Ethernet cables, nor does it allow
multiple subnets to use the same IP space—that requires NAT or
other technologies that remap addresses to avoid conflicts.

56
Q

Chris is setting up a hotel network and needs to ensure that
systems in each room or suite can connect to each other, but
systems in other suites or rooms cannot. At the same time, he
needs to ensure that all systems in the hotel can reach the
internet. What solution should he recommend as the most
effective business solution?
A. Per-room VPNs
B. VLANs
C. Port security
D. Firewalls

A

B. VLANs

B. VLANs can be used to logically separate groups of network
ports while still providing access to an uplink. Per-room VPNs
would create significant overhead for support as well as create
additional expenses. Port security is used to limit what systems
can connect to ports, but it doesn’t provide network security
between systems. Finally, while firewalls might work, they
would add expense and complexity without adding any benefits
over a VLAN solution.

57
Q

During a forensic investigation, Charles is able to determine the
Media Access Control (MAC) address of a system that was
connected to a compromised network. Charles knows that MAC
addresses are tied back to a manufacturer or vendor and are part
of the fingerprint of the system. To which OSI layer does a MAC
address belong?
A. The Application layer
B. The Session layer
C. The Physical layer
D. The Data Link layer

A

D. The Data Link layer

D. MAC addresses and their organizationally unique identifiers
are used at the Data Link layer to identify systems on a network.
The Application and Session layers don’t care about physical
addresses, while the Physical layer involves electrical
connectivity and handling physical interfaces rather than
addressing.

58
Q

Mikayla is reviewing her organization’s VoIP environment configuration and finds a diagram that shows the following design. What concern should she express?
VoIP Phone —–SIP Connection—> VoIP PBX
—SRTP Connection—>

A. The voice connection is unencrypted and could be listened to.
B. There are no security issues in this diagram.
C. The session initialization connection is unencrypted and could be viewed.
D. Both the session initialization and voice data connection are unencrypted and could be captured and analyzed.

A

C. The session initialization connection is unencrypted and could be viewed.

C. This diagram shows the use of SIP instead of SIPS, meaning
that the session initialization protocol is not encrypted.
Fortunately, the voice data is encrypted because it is carried
over secure real-time transport protocol, or SRTP. Mikayla
should look into using SIPS in addition to SRTP.