CompTIA Security+ Domain 1 Practice

You have a small network at home that is connected to the Internet. On your home network you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network. You want to configure the server as a Web server and allow Internet hosts to contact the server to browse a personal Web site. What should you use to allow access?
Static NAT
You are the network administrator for a small company that implements NAT to access the Internet. However, you recently acquired 5 servers that must be accessible from outside your network. Your ISP has provided you with 5 additional registered IP addresses to support these new servers but you don’t want the public to access these servers directly. You want to place these servers behind your firewall on the inside network yet still allow them to be accessible to the public from the outside.
Which method of NAT translation should you implement for these 5 servers?
Static
You want to connect your small company network to the Internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connection to internal hosts. What type of Network Address Translation (NAT) should you implement?
Dynamic
Which of the following is not one of the ranges of IP addresses defined in RFC 1918 that are commonly used behind a NAT server?
169.254.0.0 – 169.254.255.255
Which of the following is a privately controlled portion of a network that is accessible to some specific external entities?
Extranet
Members of the Sales team use laptops to connect to the company network. While traveling, they connect their laptops to the Internet through airport and hotel networks.
You are concerned that these computers will pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless antivirus software and the latest operating system patches have been
installed. Which solution should you use?
NAC
You manage a network with a single switch. All hosts connect to the network through the switch. You want to increase the security of devices that are part of the accounting department. You want to make sure that broadcast traffic sent by an accounting computer is only received by other accounting computers, and you want to implement ACLs to control traffic sent to accounting computers through the network.
What should you do?
Use a router to configure a subnet for the accounting computers
When designing a firewall, what is the recommended approach for opening and closing ports?
Close all ports; open only ports required by applications inside the DMZ.
Which of the following networking devices or services prevents the use of IPSec in most cases?
NAT
In which of the following situations would you most likely implement a demilitarized zone (DMZ)?
You want to protect a public Web server from attack.
Which of the following best describes the purpose of using subnets?
Subnets divide an IP network address into multiple network addresses.
Which of the following is not a reason to use subnets on a network?
Combine different media type on to the same subnet.
You want to set up a service to allow multiple users to dial in to the office server from modems on their home computers. What service should you implement?
RAS
You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office and access files on that server that you need.
Remote access
The presence of unapproved modems on desktop systems gives rise to the LAN being vulnerable
to which of the following?
War dialing
Which of the following phone attacks adds unauthorized charges to a telephone bill?
Cramming
Which of the following cloud computing solutions will deliver software applications to a client either over the Internet or on a local area network?
SaaS
Which of the following best describes the Platform as a Service (PaaS) cloud computing service model?
PaaS delivers everything a developer needs to build an application onto the cloud
infrastructure.
Which of the following is not true regarding cloud computing?
Cloud computing requires enduser knowledge of the physical location and
configuration of the system that delivers the services.
Which of the following are true concerning the Virtual Desktop Infrastructure (VDI)? (Select two.)
In the event of a widespread malware infection, the administrator can quickly reimage all user desktops on a few central servers.

User desktop environments are centrally hosted on servers instead of on individual
desktop systems.

You are purchasing a hard disk over the Internet from an online retailer. What does your browser use to ensure that others cannot see your credit card number on the Internet?
SSL
IPSec is implemented through two separate protocols. What are these protocols called?
AH and ESP
Which of the following network layer protocols provides authentication and encryption services for IP based network traffic?
IPSec
Which of the following protocols can be used to securely manage a network device from a remote connection?
SSH
Which of the following protocols are often added to other protocols to provide secure
transmission of data? (Select two.)
TLS and SSL
What is the primary function of the IKE protocol used with IPSec?
Create a security association between communicating partners
FTPS uses which mechanism to provide security for authentication and data transfer?
SSL
Which of the following protocols can TLS use for key exchange? (Select two.)
DiffieHellman and RSA
SFTP uses which mechanism to provide security for authentication and data transfer?
SSH
Which of the following is a secure alternative to FTP that uses SSL for encryption?
FTPS
Which of the following is the best countermeasure against man-in-the-middle attacks?
IPSec
Which protocol uses traps to send notifications from network devices?
SNMP
You have been using SNMP on your network for monitoring and management. You are
concerned about the security of this configuration.
Implement version 3 of SNMP.
Which of the following are improvements to SNMP that are included within SNMP version 3? (Select two.)
Authentication for agents and managers
Encryption of SNMP messages
Which of the following tools allow for remote management of servers? (Select two.)
SSH
Telnet
Which network service would you use to get the IP address from the FQDN hostname?
DNS
You want to implement a protocol on your network that allows computers to find the IP address of a host from a logical name. Which protocol should you implement?
DNS
Which protocol does HTTPS use to offer greater security in Web transactions?
SSL
Which TCP/IP protocol is a secure form of HTTP that uses SSL as a sublayer for security?
HTTPS
Which protocol is used for securely browsing a Web site?
HTTPS
As network administrator you are asked to recommend a secure method of transferring data between hosts on a network. Which of the following protocols would you recommend? (Select two.)
SFTP
SCP
Which of the following protocols allows hosts to exchange messages to indicate problems with packet delivery?
ICMP
Which of the following IPv6 addresses is equivalent to the IPv4 loopback address of 127.0.0.1?
::1
Which of the following describes an IPv6 address? (Select two.)
Eight hexadecimal quartets
128bit address
Which of the following correctly describe the most common format for expressing IPv6 addresses? (Select two.)
32 numbers, grouped using colons
Hexadecimal numbers
Which of the following are valid IPv6 addresses? Select all that apply.
141:0:0:0:15:0:0:1
6384:1319:7700:7631:446A:5511:8940:2552
Which of the following is a valid IPv6 address?
FEC0::AB:9007
You are configuring a network firewall to allow SMTP outbound email traffic, and POP3 inbound email traffic. Which of the following TCP/IP ports should you open on the firewall? (Select two.)
25
110
Which port number is used by SNMP?
161
You want to close all ports associated with NetBIOS on your network firewalls to prevent attacks directed against NetBIOS. Which ports should you close?
135, 137139
Which of the following protocols uses port 443?
HTTPS
Which of the following ports does FTP use to establish sessions and manage traffic?
20, 21
To transfer files to your company’s internal network from home, you use FTP. The administrator has recently implemented a firewall at the network perimeter and disabled as many ports as
possible. Now you can no longer make the FTP connection. You suspect the firewall is causing the issue.
Which ports need to remain open so you can still transfer the files? (Select two.)
21
20
Using the Netstat command, you notice that a remote system has made a connection to your Windows Server 2008 system using TCP/IP port 21. Which of the following actions is the remote system most likely to be performing?
Downloading a file
To access your company’s internal network from home, you have used Telnet. Security policy now prohibits the use of unsecure protocols such as Telnet. The administrator has recently implemented a firewall at the network perimeter and disabled many ports.
Which port needs to be closed to prevent Telnet access from home?
23
You administer a Web server on your network. The computer has multiple IP addresses. They are 192.168.23.8 to 192.168.23.17. The name of the computer is www.westsim.com. You configured the Web site as follows:

• IP address: 192.168.23.8
• HTTP Port: 1030
• SSL Port: 443

Users complain that they can’t connect to the Web site when they type www.westsim.com. What is the most likely source of the problem?

The HTTP port should be changed to 80.
To increase security on your company’s internal network, the administrator has disabled as many ports as possible. Now, however, though you can browse the Internet, you are unable to perform secure credit card transactions.
Which port needs to be enabled to allow secure transactions?
443
Which of the following network services or protocols uses TCP/IP port 22?
SSH
Drag each IP port number on the left to its associated service on the right. Be aware that some
port numbers may be used more than once.
SNMP
161 TCP and UDP

SSH
22 TCP and UDP

TFTP
69 UDP

SCP
22 TCP and UDP

Telnet
23 TCP

HTTPS
443 TCP and UDP

HTTP
80 TCP

FTP
20 TCP

SMTP
25 TCP

POP3
110 TCP

Which of the following specifications identify security that can be added to wireless networks? (Select two.)
802.11i
802.1x
Which of the following wireless security methods uses a common shared key configured on the wireless access point and all wireless clients?
WEP, WPA Personal, and WPA2 Personal
What is the least secure place to locate an access point with an omnidirectional antenna when creating a wireless cell?
Near a window
What purposes does a wireless site survey serve? (Choose two.)
To identify existing or potential sources of interference.
To identify the coverage area and preferred placement of access points.
Which of the following offers the weakest form of encryption for an 802.11 wireless network?
WEP
Which of the following wireless network protection methods prevents the broadcasting of the wireless network name?
SSID broadcast
Which of the following measures will make your wireless network invisible to the casual attacker performing war driving?
Disable SSID broadcast
What encryption method is used by WPA for wireless networks?
TKIP
Which of the following provides security for wireless networks?
WPA
Which of the following features are supplied by WPA2 on a wireless network?
Encryption
You need to secure your wireless network. Which security protocol would be the best choice?
WPA2
On a wireless network that is employing WEP, which type of users are allowed to authenticate through the access points?
Users with the correct WEP key
Which remote access authentication protocol allows for the use of smart cards for
authentication?
EAP
Which of the following do switches and wireless access points use to control access through the
device?
MAC filtering
You have physically added a wireless access point to your network and installed a wireless networking card in two laptops running Windows. Neither laptop can find the network and you have come to the conclusion that you must manually configure the wireless access point (AP). Which of the following values uniquely identifies the network AP?
SSID
You have a small wireless network that uses multiple access points. The network uses WPA and broadcasts the SSID. WPA2 is not supported by the wireless access points.
You want to connect a laptop computer to the wireless network. Which of the following
parameters will you need to configure on the laptop? (Select two.)
TKIP encryption
Preshared key
You need to configure a wireless network. You want to use WPA2 Enterprise. Which of the following components will be part of your design? (Select two.)
AES encryption
802.1x
Which of the following locations will contribute the greatest amount of interference for a wireless access point? (Select two.)
Near backup generators
Near cordless phones
You need to place a wireless access point in your twostory building. While trying avoid
interference, which of the following is the best location for the access point?
In the top floor
Which of the following recommendations should you follow when placing access points to provide wireless access for users within your company building?
Place access points above where most clients are.
You want to implement 802.1x authentication on your wireless network. Which of the following will be required?
RADIUS
You want to implement 802.1x authentication on your wireless network. Where would you
configure passwords that are used for authentication?
On a RADIUS server
You are the wireless network administrator for your organization. As the size of the organization has grown, you’ve decide to upgrade your wireless network to use 802.1x authentication instead of preshared keys.
You’ve decided to use LEAP to authenticate wireless clients. To do this, you configured a Cisco RADIUS server and installed the necessary Cisco client software on each RADIUS client. Which of the following is true concerning this implementation?
The system is vulnerable because LEAP is susceptible to dictionary attacks.
You are the wireless network administrator for your organization. As the size of the organization has grown, you’ve decide to upgrade your wireless network to use 802.1x authentication instead of preshared keys.
To do this, you need to configure a RADIUS server and RADIUS clients. You want the server and the clients to mutually authenticate with each other. What should you do? (Select two. Each response is a part of the complete solution.)
Configure all wireless access points with client certificates.
Configure the RADIUS server with a server certificate.
Which EAP implementation is most secure?
EAPTLS
Match each description on the left with the appropriate cloud technology on the right.
Public cloud
Provides cloud services to just about anyone.

Private cloud
Provides cloud services to a single organization.

Community cloud
Allows cloud services to be shared by several organizations.

Hybrid cloud
Integrates one cloud service with other cloud services.

You’ve decided to use a subnet mask of 255.255.192.0 on the 172.17.0.0 network to create four separate subnets. Which network IDs will be assigned to these subnets in this configuration? (Select two.)
172.17.128.0
172.17.0.0
Your organization uses a Web server to host an ecommerce site. Because this Web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that will analyze the contents of each packet going to or from the Web server. The security control must be able to identify malicious payloads and block them. What should you do?
Implement an applicationaware IPS in front of the Web server.
Drag the Web threat protection method on the left to the correct definition on the right.
Prevents visiting malicious Web sites
Web threat filtering

Prevents outsided attempts to access confidential information
Antiphishing software

Identifies and disposes of infected content
Virus blockers

Prevents unwanted email from reaching your network
Gateway email spam blockers

Prevents visiting restricted Web sites
URL content filtering

Match the applicationaware network device on the right with the appropriate description on the left. Each description may be used once, more than once, or not at all.
Applicationaware proxy
Improves application performance

Applicationaware firewall
Enforces security rules based on the application that is generating network traffic, instead of
the traditional port and protocol

Applicationaware IDS
Analyzes network packets to detect malicious payloads targeted at applicationlayer services

You are investigating the use of Web site and URL content filtering to prevent users from visiting certain Web sites.
Which benefits are the result of implementing this technology in your organization? (Choose two.)
Enforcement of the organization’s Internet usage policy
An increase in bandwidth availability
You’ve just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You’ve backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a user name of admin and a password of admin. You have used the MD5 hashing algorithm to protect the password. What should you do to increase the security of this device? (Select two.)
Change the default administrative user name and password.
Use an SSH client to access the router configuration.
You’ve just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a cubicle near your office. You’ve backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using an SSH client with a user name of admin01 and a
password of [email protected] You have used the MD5 hashing algorithm to protect the password.

What should you do to increase the security of this device?

Move the router to a secure server room.
You’ve just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router
configuration interface from a notebook computer that is connected to the router’s console port. You’ve configured the device with a user name of admin01 and a password of [email protected] You have used the MD5 hashing algorithm to protect the password.
What should you do to increase the security of this device?
Use SCP to back up the router configuration to a remote location.
You can use a variety of methods to manage the configuration of a network router. Match the management option on the right with its corresponding description on the left. (Each option can be used more than once.)
SSL
Uses publickey cryptography

HTTP
Transfers data in clear text

SSH
Uses publickey cryptography

Telnet
Transfers data in clear text

Console port
Cannot be sniffed

Match the Active Directory component on the left with the appropriate description on the right. Each component may be used once, more than once, or not at all.
Holds a copy of the Active Directory database
Domain Controller

Manages access for a workstation
Computer Object

Manages access for an employee
User Object

Can be created to logically organize network resources
Organizational Unit

Cannot be moved, renamed, or deleted
Generic Container

Defines a collection of network resources that share a common directory database
Domain

The owner of a hotel has contracted with you to implement a wireless network to provide Internet access for guests.
The owner has asked that you implement security controls such that only paying guests are allowed to use the wireless network. She wants guests to be presented with a login page when they initially connect to the wireless network. After entering a code provided by the concierge at
checkin, guests should then be allowed full access to the Internet. If a user does not provide the correct code, they should not be allowed to access the Internet. What should you do?
Implement a captive portal.
You need to implement a wireless network link between two buildings on a college campus. A wired network has already been implemented within each building. The buildings are 100 meters apart. What type of wireless antennae should you use on each side of the link? (Select two.)
Parabolic
Highgain
A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization’s order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using WiFi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public WiFi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook
to use a VPN when accessing the home network over an open wireless connection.
Which key steps should you take when implementing this configuration? (Select two.)
Configure the browser to send HTTPS requests through the VPN connection.

Configure the VPN connection to use IPsec.