CompTIA Security+ Question J-54

A security technician at a small business is worried about the Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches.
Which of the following will BEST mitigate the risk if implemented on the switches?

A. Spanning tree
B. Flood guards
C. Access control lists
D. Syn flood

Answer: A

Explanation:
Spanning Tree is designed to eliminate network ‘loops’ from incorrect cabling between switches. Imagine two switches named switch 1 and switch 2 with two network cables connecting the switches. This would cause a network loop. A network loop between two switches can cause a ‘broadcast storm’ where a broadcast packet is sent out of all ports on switch 1 which includes two links to switch 2. The broadcast packet is then sent out of all ports on switch 2 which includes links back to switch 1. The broadcast packet will be sent out of all ports on switch 1 again which includes two links to switch 2 and so on thus flooding the network with broadcast traffic. The Spanning-Tree Protocol (STP) was created to overcome the problems of transparent bridging in redundant networks. The purpose of STP is to avoid and eliminate loops in the network by negotiating a loop-free path through a root bridge. This is done by determining where there are loops in the network and blocking links that are redundant. Spanning-Tree Protocol executes an algorithm called the Spanning-Tree Algorithm (STA). In order to find redundant links, STA will choose a reference point called a Root Bridge, and then determines all the available paths to that reference point. If it finds a redundant path, it chooses for the best path to forward and for all other redundant paths to block. This effectively severs the redundant links within the network. All switches participating in STP gather information on other switches in the network through an exchange of data messages. These messages are referred to as Bridge Protocol Data Units (BPDUs). The exchange of BPDUs in a switched environment will result in the election of a root switch for the stable spanning-tree network topology, election of designated switch for every switched segment, and the removal of loops in the switched network by placing redundant switch ports in a backup state.

CompTIA Security+ Question J-12

The Chief Information Security Officer (CISO) has mandated that all IT systems with credit card data be segregated from the main corporate network to prevent unauthorized access and that access to the IT systems should be logged. Which of the following would BEST meet the CISO’s requirements?

A. Sniffers
B. NIDS
C. Firewalls
D. Web proxies
E. Layer 2 switches

Answer: C

Explanation:
The basic purpose of a firewall is to isolate one network from another.

CompTIA Security+ Question D-6

Which of the following would be MOST appropriate to secure an existing SCADA system by preventing connections from unauthorized networks?

A. Implement a HIDS to protect the SCADA system
B. Implement a Layer 2 switch to access the SCADA system
C. Implement a firewall to protect the SCADA system
D. Implement a NIDS to protect the SCADA system

Answer: C

Explanation:
Firewalls manage traffic using filters, which is just a rule or set of rules. A recommended guideline for firewall rules is, “deny by default; allow by exception”. This means that if a network connection is not specifically allowed, it will be denied.

CompTIA Network+ Question C-79

The network install is failing redundancy testing at the MDF. The traffic being transported is a mixture of multicast and unicast signals. Which of the following would BEST handle the rerouting caused by the disruption of service?

A. Layer 3 switch
B. Proxy server
C. Layer 2 switch
D. Smart hub

Correct Answer: A

Explanation:
The question states that the traffic being transported is a mixture of multicast and unicast signals. There are three basic types of network transmissions: broadcasts, which are packets transmitted to every node on the network; unicasts, which are packets transmitted to just one node; and multicasts, which are packets transmitted to a group of nodes. Multicast is a layer 3 feature of IPv4 & IPv6. Therefore, we would need a layer 3 switch (or a router) to reroute the traffic. Unlike layer 2 switches that can only read the contents of the data-link layer protocol header in the packets they process, layer 3 switches can read the (IP) addresses in the network layer protocol header as well.

CompTIA Network+ Question C-56

A technician is installing a surveillance system for a home network. The technician is unsure which ports need to be opened to allow remote access to the system. Which of the following should the technician perform?

A. Disable the network based firewall
B. Implicit deny all traffic on network
C. Configure a VLAN on Layer 2 switch
D. Add the system to the DMZ

Correct Answer: D

Explanation:
By putting the system in the DMZ (demilitarized zone) we increase the security, as the system should be opened for remote access.
A DMZ is a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ often contains servers that should be accessible from the public Internet.

CompTIA Network+ Question A-69

A technician needs to limit the amount of broadcast traffic on a network and allow different segments to communicate with each other. Which of the following options would satisfy these requirements?

A. Add a router and enable OSPF.
B. Add a layer 3 switch and create a VLAN.
C. Add a bridge between two switches.
D. Add a firewall and implement proper ACL.

Correct Answer: B

Explanation:
We can limit the amount of broadcast traffic on a switched network by dividing the computers into logical network segments called VLANs.
A virtual local area network (VLAN) is a logical group of computers that appear to be on the same LAN even if they are on separate IP subnets. These logical subnets are configured in the network switches. Each VLAN is a broadcast domain meaning that only computers within the same VLAN will receive broadcast traffic.
To allow different segments (VLAN) to communicate with each other, a router is required to establish a connection between the systems. We can use a network router to route between the VLANs or we can use a ‘Layer 3’ switch. Unlike layer 2 switches that can only read the contents of the data-link layer protocol header in the packets they process, layer 3 switches can read the (IP) addresses in the network layer protocol header as well.