Securing the Network Infrastructure Flashcards
Your manager has asked you to configure performance alert notifications for abnormal app performance conditions. What must you establish first?
IP addressing schema
Baseline
Network diagrams
Baseline
A performance baseline is established over time during normal application performance. Comparing the baseline to current performance conditions can identify performance problems, which could be indicative of malicious activity such as excessive CPU utilization resulting from Bitcoin mining malware or other malicious apps.
A security audit of your call center has revealed that callers’ credit card numbers are shown on call center employees’ screens while they are working with customer queries. What should be configured to conceal customer credit card numbers?
Encryption
Data tokenization
Data masking
Data masking
Data masking is used to hide, or “mask,” some or all parts of sensitive data, such as hiding all but the last few digits of a credit card account number. This enables call center workers to verify customer details without exposing the customer’s entire credit card number.
Your organization stores sensitive medical data in the cloud. You must ensure that the data is not replicated outside of national boundaries for legal reasons. Which term best encompasses this scenario?
API strategy
Zero trust
Data sovereignty
Data sovereignty
Data sovereignty refers to managing sensitive data that is subject to the laws present at the storage location.
Users in your company use a VPN to connect to the corporate network. In terms of network placement, where should the VPN appliance be placed?
Default VLAN
Intranet
Screened subnet
Screened subnet
A screened subnet is a network that resides between a public network such as the Internet and an internal secured network. Publicly accessible services such as corporate VPN endpoints should be placed in a screened subnet. Firewall rules are still used to control traffic into and out of the screened subnet.
You need to secure network traffic between clients and servers for multiple line of business apps running on your organization’s private Microsoft Active Directory (AD) network. Which solution meets this requirement while minimizing the amount of technician effort?
SSL/TLS
L2TP
IPSec
IPSec
IPSec requires the least amount of administrative effort, because it can be configured centrally for Active Directory using Group Policy, and it can protect network traffic without having to configure individual applications specifically, unlike SSL/TLS.
You are running virtual machines in the public cloud. For security reasons, you do not want each virtual machine to have a publicly accessible IP address. What should you configure to enable remote management of the virtual machines? Each answer is independent of the other. (Choose two).
Jump box
VPN
Forward proxy server
HSM
Jump box
VPN
A jump box is a host with connectivity to both a public network such as the Internet and an internal network. After authenticating to the jump box, an administrator can initiate remote management sessions from it to internal devices and hosts. Using a VPN to connect to a private network would also enable remote management of devices and hosts.
You need to limit which devices can be active when plugged into a network switch port. What should you configure?
Broadcast storm prevention
MAC filtering
Bridging loop prevention
MAC filtering
Network interface cards are uniquely identified with a 48-bit Media Access Control (MAC) address, normally written in hexadecimal. Network switch ports can be configured to allow only specific MAC addresses to be connected to a switch port and present on the network.
Your network intrusion detection system (NIDS) is configured to receive automatic updates for known malicious attacks. Which type of intrusion detection is used in this case?
Anomaly-based
Heuristic-based
Signature-based
Signature-based
Updated signature databases of known malware and attack patterns can be compared against current activity to determine if a suspicious incident is taking place. Both network intrusion prevention system (IPS) and network intrusion detection system (IDS) sensors can be used to collect and monitor network activity. The primary difference is that an IPS can take response and recovery steps to block suspicious activity, while an IDS is more focused on reporting and alerting.
Your firewall is configured to examine each individual packet without regard for network sessions. Which type of firewall is being used?
Stateful
Web application firewall
Stateless
Stateless
To determine whether network traffic should be allowed or blocked, stateless firewalls examine each packet and treat each independently from the others, with no regard for the relationship of packets in a network session.
Virtual machines in your public cloud are configured with private IP addresses. Each virtual machine requires access only to the Internet. Which of the following options is the best choice?
Web application firewall
NAT gateway
Unified threat management gateway
NAT gateway
Network address translation (NAT) gateways enable hosts with only private IP addresses to access Internet resources through the NAT gateway’s public IP address; this removes the need for all hosts to have public IP addresses.
You run a small business and need an inexpensive, yet effective, network firewall solution. Which type of firewall should you consider? (Choose the best answer.)
Unified threat management
Proprietary
Open source
Open source
Open source software, such as firewall software, is normally inexpensive (often free) compared to proprietary software solutions.
You need a fast, secure, and reliable multihomed network perimeter solution that is designed to prevent specific types of network traffic from entering your corporate network. Which solution should you deploy?
Software firewall
Virtual firewall
Hardware firewall
Hardware firewall
Because hardware firewall appliances use firmware that is designed for security purposes, they are generally considered more reliable and faster than most software firewalls, which run within multipurpose operating systems.
Due to changes in your network infrastructure, you have been tasked with modifying firewalls to allow and block network traffic. Which aspect of the firewalls will you be configuring?
Port taps
Quality of service
Access control lists
Access control lists
Firewall access control lists (ACLs) are collections of rules that contain transmission detail conditions, such as source IP address, destination URL, port numbers, or protocol types, that should be allowed or blocked.
To which of the following does SSL/TLS directly apply? (Choose two.)
Data at rest
Data in process
Data in motion
Data in transit
Data in motion
Data in transit
Data in motion and data in transit are the same thing: data being transmitted over a network. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are network security protocols that can encrypt network communications. SSL has been deprecated in favor of using newer versions of TLS such as version 1.3. SSL and TLS require a PKI certificate to secure connections, such as requiring a PKI certificate on a web server to allow HTTPS communication.
Currently in your organization, on-premises user app access is limited based on their security clearance and the type of mobile device they are using. You would like to extend this configuration to the cloud. Which security service should be enabled?
Unified threat management
Cloud access security broker
DDoS mitigation
Cloud access security broker
A cloud access security broker (CASB) provides services to centrally manage IT security policies, including encryption, data loss prevention, authentication, and authorization, across on-premises and cloud environments. CASB solutions can greatly enhance an organization’s ability to comply with data privacy regulations.