CompTIA Network+ Question C-35

A firewall ACL is configured as follows:
10. Deny Any Trust to Any DMZ eq to TCP port 22
11. Allow 10.200.0.0/16 to Any DMZ eq to Any
12. Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443
13. Deny Any Trust to Any DMZ eq to Any

A technician notices that users in the 10.200.0.0/16 network are unable to SSH into servers in the DMZ.

The company wants 10.200.0.0/16 to be able to use any protocol, but restrict the rest of the 10.0.0.0/8 subnet to web browsing only. Reordering the ACL in which of the following manners would meet the company’s objectives?

A. 11, 10, 12, 13
B. 12, 10, 11, 13
C. 13, 10, 12, 11
D. 13, 12, 11, 10

Correct Answer: A

Explanation:
ACLs are processed top down in routers, switches and firewalls: the first rule that matches a packet is applied and processing stops. In the original order, rule 10 (deny TCP port 22 from any Trust source) is evaluated before rule 11, so SSH from 10.200.0.0/16 is denied before the allow rule is ever reached. Order A (11, 10, 12, 13) fixes this:
11. Allow 10.200.0.0/16 to Any DMZ eq to Any (the more specific subnet gets any protocol first)
10. Deny Any Trust to Any DMZ eq to TCP port 22 (SSH from everyone else is denied)
12. Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443 (the rest of 10.0.0.0/8 gets web browsing only)
13. Deny Any Trust to Any DMZ eq to Any (everything else is denied)
Note that rule 13 would already deny SSH from the rest of 10.0.0.0/8, so rule 10 is redundant in this order. The general principle is to place the most specific allow rules first and the broad deny rules last.
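
An added example (not part of the question bank) that models first-match ACL evaluation in Python and checks each of the four orderings against sample traffic. The rule representation and the sample packets are constructed for this example; the "Trust" and "DMZ" zones are implicit because every rule in the question goes from Trust to DMZ.

```python
"""Added example: first-match ACL evaluator for CompTIA question C-35.
Rule syntax and the sample packets are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network   # source prefix; ANY = 0.0.0.0/0
    proto: Optional[str]         # "tcp", "udp", or None for any protocol
    dports: Optional[frozenset]  # destination ports; None = any port

    def matches(self, src_ip, proto, dport):
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


# The four rules from the question, keyed by their line numbers.
RULES = {
    10: Rule(10, "deny", ANY, "tcp", frozenset({22})),
    11: Rule(11, "allow", ipaddress.ip_network("10.200.0.0/16"), None, None),
    12: Rule(12, "allow", ipaddress.ip_network("10.0.0.0/8"), "tcp",
             frozenset({80, 443})),
    13: Rule(13, "deny", ANY, None, None),
}


def evaluate(order, src_ip, proto, dport):
    """Top-down, first-match evaluation: returns (action, rule number).
    Falls back to an implicit deny if nothing matches (rule 13 makes that
    unreachable in every ordering from the question)."""
    for num in order:
        rule = RULES[num]
        if rule.matches(src_ip, proto, dport):
            return rule.action, num
    return "deny", None


# Constructed sample traffic, one packet per policy requirement.
TRAFFIC = [
    ("10.200.1.5", "tcp", 22),    # 10.200/16 SSH: must be allowed
    ("10.200.1.5", "udp", 161),   # 10.200/16 SNMP: any protocol is allowed
    ("10.50.1.5", "tcp", 443),    # rest of 10/8 HTTPS: must be allowed
    ("10.50.1.5", "tcp", 22),     # rest of 10/8 SSH: must be denied
    ("10.50.1.5", "tcp", 3389),   # rest of 10/8 RDP: must be denied
]
EXPECTED = ["allow", "allow", "allow", "deny", "deny"]


def meets_objective(order):
    """True if the ordering gives the required verdict for every sample."""
    return [evaluate(order, *pkt)[0] for pkt in TRAFFIC] == EXPECTED


if __name__ == "__main__":
    orderings = {"original": [10, 11, 12, 13], "A": [11, 10, 12, 13],
                 "B": [12, 10, 11, 13], "C": [13, 10, 12, 11],
                 "D": [13, 12, 11, 10]}
    for name, order in orderings.items():
        verdicts = [evaluate(order, *pkt) for pkt in TRAFFIC]
        print(f"{name:8} {order} -> {verdicts} ok={meets_objective(order)}")
```

Running it shows the original order denying the 10.200.1.5 SSH packet at rule 10, which is exactly the symptom in the question, and only ordering A returning the required verdict for all five packets.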

CompTIA Network+ Question C-32

A network technician configures a firewall’s ACL to allow outgoing traffic for several popular services such as email and web browsing. However, after the firewall’s deployment, users are still unable to retrieve their emails. Which of the following would BEST resolve this issue?

A. Allow the firewall to accept inbound traffic to ports 25, 67, 179, and 3389
B. Allow the firewall to accept inbound traffic to ports 80, 110, 143, and 443
C. Set the firewall to operate in transparent mode
D. Allow the firewall to accept inbound traffic to ports 21, 53, 69, and 123

Correct Answer: B

CompTIA Network+ Question C-30

A network administrator configures an email server to use secure protocols. When the upgrade is completed, which of the following ports on the firewall should be configured to allow for connectivity? (Choose three.)

A. TCP 25
B. TCP 110
C. TCP 143
D. TCP 389
E. TCP 587
F. TCP 993
G. TCP 995

Correct Answer: EFG

CompTIA Network+ Question C-29

A network technician needs to separate a web server listening on port 80 from the internal LAN and secure the server from the public Internet. The web server should be accessible to the public Internet over port 80 but not the private LAN. Currently, the network is segmented with a network-based firewall using the following IP addressing scheme on each interface:

Which of the following zones should the technician use to place the web server, and which of the following firewall rules should the technician configure?

A. Place the web server in the public zone with an inbound rule from eth0 interface to accept traffic over port 80 designated to the web server
B. Place the web server in the DMZ with an inbound rule from eth0 interface to eth1 to accept traffic over port 80 designated to the web server
C. Place the web server in the private zone with an inbound rule from eth2 interface to eth1 to accept traffic over port 80 designated to the web server
D. Place the web server in the DMZ with an inbound rule from eth1 interface to eth0 to accept traffic over port 80 designated to the web server

Correct Answer: B

CompTIA Network+ Question C-10

A network administrator received the following email from a user:
From: user@company.com
To: abuse@company.com
Subject: Free smart phone
Dear user,
please click the following link to get your free smart phone http://www.freesmartphone.it:8080/survey.php

Which of the following should the administrator do to prevent all employees from accessing the link in the above email, while still allowing Internet access to the freesmartphone.it domain?

A. Add http://www.freesmartphone.it:8080/survey.php to the browser group policy block list.
B. Add DENY TCP http://www.freesmartphone.it ANY EQ 8080 to the firewall ACL
C. Add DENY IP ANY ANY EQ 8080 to the intrusion detection system filter
D. Add http://www.freesmartphone.it:8080/survey.php to the load balancer

Correct Answer: A

CompTIA Network+ Question B-100

A technician is setting up a computer lab. Computers on the same subnet need to communicate with each other using peer to peer communication. Which of the following would the technician MOST likely configure?

A. Hardware firewall
B. Proxy server
C. Software firewall
D. GRE tunneling

Correct Answer: C

Explanation:
A host-based firewall is a computer running firewall software that can protect the computer itself. A software firewall would be the most cost effective in a lab scenario.

CompTIA Network+ Question B-95

A technician needs to install software onto company laptops to protect local running services, from external threats. Which of the following should the technician install and configure on the laptops if the threat is network based?

A. A cloud-based antivirus system with a heuristic and signature based engine
B. A network based firewall which blocks all inbound communication
C. A host-based firewall which allows all outbound communication
D. A HIDS to inspect both inbound and outbound network communication

Correct Answer: C

Explanation:
A host-based firewall is a computer running firewall software that can protect the computer itself. For example, it can prevent incoming connections to the computer and allow outbound communication only.

CompTIA Network+ Question B-89

A network technician is considering opening ports on the firewall for an upcoming VoIP PBX implementation. Which of the following protocols is the technician MOST likely to consider? (Choose three.)

A. SIP
B. NTP
C. H.323
D. SMB
E. ICMP
F. RTP
G. IPSec
H. RDP

Correct Answer: ACF

CompTIA Network+ Question B-86

A network technician is performing a tracert command to troubleshoot a website-related issue. The following output is received for each hop in the tracert:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
The technician would like to see the results of the tracert command. Which of the following will allow the technician to perform tracert on external sites but not allow outsiders to discover information from inside the network?

A. Enable split horizon to allow internal tracert commands to pass through the firewall
B. Enable IGMP messages out and block IGMP messages into the network
C. Configure the firewall to allow echo reply in and echo request out of the network
D. Install a backdoor to access the router to allow tracert messages to pass through

Correct Answer: C

Explanation:
The Windows tracert command sends ICMP echo requests with an increasing TTL. Each intermediate router answers with an ICMP Time Exceeded message and the final destination answers with an ICMP echo reply; three asterisks on every hop means none of those replies is getting back (or the requests are not getting out). Of the options given, allowing echo requests out and echo replies in (C) is the one that addresses this without exposing the inside of the network, because inbound echo requests and outbound echo replies remain blocked. In practice the firewall must also admit the inbound ICMP Time Exceeded messages, or only the final destination will ever appear in the output; a stateful firewall that tracks outbound ICMP does this automatically. Linux and macOS traceroute send UDP probes by default, which need the matching ICMP Time Exceeded and Port Unreachable replies allowed back in.

CompTIA Network+ Question B-85

A network technician has just installed a TFTP server on the administrative segment of the network to store router and switch configurations. After a transfer attempt to the server is made, the process errors out. Which of the following is a cause of the error?

A. Only FTP can be used to copy configurations from switches
B. Anonymous users were not used to log into the TFTP server
C. An incorrect password was used and the account is now locked
D. Port 69 is blocked on a router between the network segments

Correct Answer: D

Explanation:
The question states that the TFTP server is installed on the “administrative segment of the network”. This implies that the network has multiple segments (subnets) and that the TFTP server is on a different segment from the routers and switches sending their configurations.
For a host on one subnet to reach a host on another, a router must route the traffic between them. Routers commonly carry ACLs or firewall features, so they can be configured to permit specific traffic between the subnets and block everything else.
TFTP uses UDP port 69 and has no authentication at all, which rules out B and C, and router and switch configurations can be copied with TFTP, FTP, SCP and other methods, which rules out A. The most likely cause of the failed transfer is that UDP port 69 is blocked on the router between the segments. One caveat when opening it: TFTP only uses port 69 for the initial request. The server answers from a new ephemeral UDP port, so a stateless ACL that permits only traffic to port 69 (plus replies sourced from port 69) will pass the request and then drop the data, and a stateful firewall or a TFTP-aware inspection rule is needed for the transfer to complete.
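
An added example (not part of the question bank) that runs a minimal TFTP read request against a tiny server on localhost, both sides written for this example, to show the port behaviour that trips up port-69-only firewall rules: the server sends its first DATA block from a fresh ephemeral port, as RFC 1350 specifies, and the client must send its ACK there. The server listens on an unprivileged port instead of 69 so that it runs without root, and the file contents are constructed.

```python
"""Added example: a one-block TFTP read on localhost, showing that the
server answers from a new ephemeral UDP port (its transfer ID).
Server, client and file contents are all constructed for this example."""
import socket
import struct
import threading

RRQ, DATA, ACK = 1, 3, 4          # TFTP opcodes used here (RFC 1350)
FILE_CONTENT = (b"hostname R1\ninterface Gi0/0\n"
                b" ip address 10.0.0.1 255.255.255.0\n")


def tftp_server(listen_sock):
    """Serve a single RRQ: reply with DATA block 1 from a *new* socket."""
    req, client = listen_sock.recvfrom(516)
    opcode = struct.unpack("!H", req[:2])[0]
    if opcode != RRQ:
        return                       # only read requests are handled here
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind(("127.0.0.1", 0))      # kernel picks the ephemeral TID
    xfer.sendto(struct.pack("!HH", DATA, 1) + FILE_CONTENT, client)
    xfer.recvfrom(4)                 # wait for the client's ACK of block 1
    xfer.close()


def tftp_read(filename="r1.cfg"):
    """Run the exchange; return (listening port, DATA source port, payload)."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    server_port = listen.getsockname()[1]
    worker = threading.Thread(target=tftp_server, args=(listen,))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    rrq = struct.pack("!H", RRQ) + filename.encode() + b"\0octet\0"
    client.sendto(rrq, ("127.0.0.1", server_port))   # request goes to "port 69"
    data, src = client.recvfrom(516)                 # DATA arrives from the new TID
    block = struct.unpack("!H", data[2:4])[0]
    client.sendto(struct.pack("!HH", ACK, block), src)   # ACK must go to that TID
    worker.join()
    listen.close()
    client.close()
    return server_port, src[1], data[4:]


def stateless_return_rule_passes(server_port, data_src_port):
    """Models a return rule 'permit udp host SERVER eq 69 any': it matches
    only replies sourced from the listening port, which DATA never is."""
    return data_src_port == server_port


if __name__ == "__main__":
    listening, data_src, payload = tftp_read()
    print(f"RRQ sent to port {listening}; DATA came from port {data_src}")
    print("port-69-only return rule passes DATA:",
          stateless_return_rule_passes(listening, data_src))
```

The printed ports differ on every run, and the port-69-only return rule never matches the DATA packet; this is why the fix in the explanation needs either a stateful firewall that tracks the outbound request or TFTP inspection on the router, not just "permit udp any any eq 69".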