CompTIA Security+ Question K-37

A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network?

A. VLAN
B. Subnet
C. VPN
D. DMZ

Answer: D

Explanation:
A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term “demilitarized zone”, an area between nation states in which military operation is not permitted.

CompTIA Security+ Question G-85

Peter, a network administrator, is implementing IPv6 in the DMZ. Which of the following protocols must he allow through the firewall to ensure the web servers can be reached via IPv6 from an IPv6 enabled Internet host?

A. TCP port 443 and IP protocol 46
B. TCP port 80 and TCP port 443
C. TCP port 80 and ICMP
D. TCP port 443 and SNMP

Answer: B

Explanation:
* HTTP and HTTPS, which uses TCP port 80 and TCP port 443 respectively, is necessary for Communicating with Web servers. It should therefore be allowed through the firewall.

CompTIA Network+ Question C-56

A technician is installing a surveillance system for a home network. The technician is unsure which ports need to be opened to allow remote access to the system. Which of the following should the technician perform?

A. Disable the network based firewall
B. Implicit deny all traffic on network
C. Configure a VLAN on Layer 2 switch
D. Add the system to the DMZ

Correct Answer: D

Explanation:
By putting the system in the DMZ (demilitarized zone) we increase the security, as the system should be opened for remote access.
A DMZ is a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ often contains servers that should be accessible from the public Internet.

CompTIA Network+ Question C-35

A firewall ACL is configured as follows:
10. Deny Any Trust to Any DMZ eq to TCP port 22
11. Allow 10.200.0.0/16 to Any DMZ eq to Any
12. Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443
13. Deny Any Trust to Any DMZ eq to Any

A technician notices that users in the 10.200.0.0/16 network are unable to SSH into servers in the DMZ.

The company wants 10.200.0.0/16 to be able to use any protocol, but restrict the rest of the 10.0.0.0/8 subnet to web browsing only. Reordering the ACL in which of the following manners would meet the company’s objectives?

A. 11, 10, 12, 13
B. 12, 10, 11, 13
C. 13, 10, 12, 11
D. 13, 12, 11, 10

Correct Answer: A

Explanation:
ACL are processed in TOP DOWN process in routers or switches. This means that when a condition in the ACL is met, all processing is stopped. We start by allowing any protocol on the 10.200.0.0/16 subnet:11. Allow 10.200.0.0/16 to Any DMZ eq to Any
We then deny any traffic on TCP port 22:10. Deny Any Trust to Any DMZ eq to TCP port 22
We allow browsing (port 80 and 443) on the 10.0.0.0/8 subnet:Allow 10.0.0.0/8 to Any DMZ eq to TCP ports 80, 443 Finally we deny all other traffic:13. Deny Any Trust to Any DMZ eq to Any

CompTIA Network+ Question C-29

A network technician needs to separate a web server listening on port 80 from the internal LAN and secure the server from the public Internet. The web server should be accessible to the public Internet over port 80 but not the private LAN. Currently, the network is segmented with a network-based firewall using the following IP addressing scheme on each interface:

Which of the following ones should the technician use to place the web server and which of the following firewall rules should the technician configure?

A. Place the web server in the public zone with an inbound rule from eth0 interface to accept traffic over port 80 designated to the web server
B. Place the web server in the DMZ with an inbound rule from eth0 interface to eth1 to accept traffic over port 80 designated to the web server
C. Place the web server in the private zone with an inbound rule from eth2 interface to eth1 to accept traffic over port 80 designated to the web server
D. Place the web server in the DMZ with an inbound rule from eth1 interface to eth0 to accept traffic over port 80 designated to the web server

Correct Answer: B

CompTIA Network+ Question A-11

A technician just completed a new external website and setup access rules in the firewall. After some testing, only users outside the internal network can reach the site. The website responds to a ping from the internal network and resolves the proper public address. Which of the following could the technician do to fix this issue while causing internal users to route to the website using an internal address?

A. Configure NAT on the firewall
B. Implement a split horizon DNS
C. Place the server in the DMZ
D. Adjust the proper internal ACL

Correct Answer: B

Explanation:
Split horizon DNS (also known as Split Brain DNS) is a mechanism for DNS servers to supply different DNS query results depending on the source of the request. This can be done by hardware-based separation but is most commonly done in software.
In this question, we want external users to be able to access the website by using a public IP address. To do this, we would have an external facing DNS server hosting a DNS zone for the website domain. For the internal users, we would have an internal facing DNS server hosting a DNS zone for the website domain. The external DNS zone will resolve the website URL to an external public IP address. The internal DNS server will resolve the website URL to an internal private IP address.