05 Securing Enterprise Networks
Mini Quiz Answers

Question 1: An organization hosts its public web server in a segment that sits between the Internet and the internal LAN, with firewalls controlling traffic between all three zones to prevent direct access from the Internet to internal resources. What is this architectural segment called?

  • A. Air gap. An air gap involves physically isolating a network from all other networks, which is not the scenario described since the web server needs to communicate with both the Internet and internal LAN through firewalls.
  • B. DMZ. A DMZ (Demilitarized Zone or Screened Subnet) is a buffer zone between the untrusted Internet and the trusted internal LAN, hosting public-facing services with firewall rules controlling traffic between all three zones to prevent direct Internet access to internal resources.
  • C. Management VLAN. A Management VLAN is a dedicated network segment for managing devices like switches and routers, not for hosting public web servers accessible from the Internet.
  • D. Internal zone. The internal zone is the trusted corporate network where sensitive resources reside, and placing a public web server directly there would violate security principles by exposing internal resources to direct Internet access.

Question 2: A network administrator discovers that if the primary core switch fails, the entire data center loses connectivity because there is no alternate path or redundant device to assume the gateway role. What concept best describes this situation?

  • A. Complex dependency. Complex dependency refers to hidden inter-service reliance where one system's failure affects others, whereas this question describes a single device failure causing total outage without mention of service interdependencies.
  • B. Single point of failure. A single point of failure exists when one device or link failure brings down the entire service, exactly as described when the primary core switch fails with no redundancy or alternate path.
  • C. Overdependence on perimeter devices. Overdependence on perimeter devices refers to the "hard shell, soft center" security posture where internal segmentation is lacking, not the lack of redundancy for a specific network device.
  • D. Availability gap. Availability gap is not a standard network architecture term for this scenario, which specifically describes a resilience failure due to lack of redundancy.

Question 3: An attacker plugs a rogue laptop into an unused switch port in an empty conference room and immediately gains access to the internal network. Which control would have prevented this unauthorized access?

  • A. 802.1X. 802.1X provides port-based network access control and would also have refused an unauthenticated laptop, but it needs a supplicant on every endpoint and a RADIUS back end, and it is the control for ports that are in use. For a port that has no legitimate user at all, administratively shutting it down is the most direct control and the one this question targets.
  • B. Disabling unused ports administratively. Shutting down switch ports that are not in use (and, on managed switches, parking them in an unused VLAN) means a device plugged in from an empty conference room gets no link at all, which blocks the attack described before any higher-layer control has to act.
  • C. VLAN hopping. VLAN hopping is an attack technique that exploits switch configurations to access unauthorized VLANs, not a security control to prevent unauthorized access.
  • D. MAC flooding. MAC flooding is an attack that overwhelms a switch's CAM table to force it into hub mode, not a defensive control to prevent rogue device connections.

Question 4: A nuclear power plant's industrial control system network has no physical connection to the Internet or corporate network, requiring technicians to manually transfer patches via USB drives. What security architecture is this?

  • A. Zero trust. Zero trust is a security model requiring strict verification for every user and device regardless of location, but it still involves network connectivity, whereas the scenario describes complete physical isolation.
  • B. Air gap. An air gap is a security architecture where a network is physically isolated from all other networks including the Internet, requiring manual data transfer methods like USB drives, matching the nuclear power plant ICS scenario exactly.
  • C. DMZ. A DMZ is a perimeter network segment connected to both internal and external networks, which contradicts the requirement for no physical connection to the Internet or corporate network.
  • D. Out-of-band management. Out-of-band management uses a dedicated network for device administration separate from production traffic, but it doesn't imply total isolation from all external networks or the manual patch transfer described.

Question 5: Which security appliance combines firewall, VPN, IDS/IPS, antivirus, and content filtering into a single device, offering convenience for small businesses but potentially creating a performance bottleneck and single point of failure?

  • A. UTM. A Unified Threat Management (UTM) appliance combines firewall, VPN, IDS/IPS, antivirus, and content filtering into a single device designed for convenience, particularly for small businesses, though it creates a potential performance bottleneck and single point of failure.
  • B. NGFW. An NGFW provides advanced features like application control and threat intelligence, but it is typically enterprise-focused and doesn't necessarily combine antivirus and content filtering into a single convenience appliance for SMBs with the same all-in-one approach as described.
  • C. WAF. A Web Application Firewall (WAF) is specifically designed to protect web applications from Layer 7 attacks like SQL injection, not to provide comprehensive network security functions like antivirus and content filtering for general traffic.
  • D. Load balancer. A load balancer distributes traffic across multiple servers for availability and performance but does not provide security functions like antivirus, content filtering, or IDS/IPS.

Question 6: Which device is specifically designed to inspect traffic for indicators of common web application attacks like SQLi and XSS?

  • A. NIPS. A Network Intrusion Prevention System inspects traffic across many protocols for known attack signatures and anomalies, and may carry some web-attack signatures, but it does not parse and normalize HTTP requests the way a WAF does, so detecting SQLi and XSS is not its primary design.
  • B. WAF. A Web Application Firewall (WAF) is specifically designed to inspect HTTP/S traffic at Layer 7 for web application attacks including SQL injection (SQLi) and Cross-Site Scripting (XSS), typically placed in front of web servers.
  • C. Stateful firewall. A stateful firewall tracks connection states and filters traffic based on session information but operates primarily at Layers 3 and 4, lacking the Layer 7 application-specific inspection needed for SQLi/XSS detection.
  • D. Reverse proxy server. A reverse proxy forwards client requests to backend servers and can terminate TLS or hide server details, but the proxy function itself performs no attack inspection. Many WAFs are deployed as reverse proxies, which is why the two are easy to confuse; the inspection for SQLi and XSS is the WAF's job.

Question 7: Which load balancing algorithm distributes incoming requests sequentially to each server in the pool in turn, regardless of current load or response time?

  • A. Least connections. Least connections sends traffic to the server with the fewest active connections, considering current load rather than distributing sequentially regardless of load.
  • B. Heartbeat. Heartbeat is a mechanism used to check the health or availability of nodes in a cluster, not a load balancing algorithm for distributing incoming requests.
  • C. Weighted distribution. Weighted distribution assigns traffic based on server capacity or priority weights, not simple sequential rotation.
  • D. Round-robin. Round-robin distributes incoming requests sequentially to each server in the pool in turn, without considering current load, response time, or connection count.
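The three algorithms in this question, plus the health-check point from option B, as an added example that is not part of the original quiz. The backends, weights, connection counts and health states are constructed inputs; a real balancer would obtain them from its connection tracker and heartbeat checks.

```python
"""Three load-balancing selection strategies, shown side by side.

Constructed example: backends are plain strings and the active-connection
counts and health states are supplied by the caller, as a real balancer's
health checker (heartbeat) and connection tracker would.
"""
from typing import Dict, Iterable, List, Optional, Set


class RoundRobin:
    """Hand each request to the next backend in turn, ignoring load."""

    def __init__(self, backends: Iterable[str]):
        self.backends = list(backends)
        self._next = 0

    def pick(self, healthy: Optional[Set[str]] = None) -> str:
        # The health check is a separate mechanism: it only removes
        # candidates, it does not change the rotation order.
        healthy = set(self.backends) if healthy is None else healthy
        for _ in range(len(self.backends)):
            candidate = self.backends[self._next % len(self.backends)]
            self._next += 1
            if candidate in healthy:
                return candidate
        raise RuntimeError("no healthy backend available")


class SmoothWeightedRoundRobin:
    """Weighted rotation (the 'smooth' variant nginx uses): a backend with
    weight 3 gets three of every four requests, spread out rather than bunched."""

    def __init__(self, weights: Dict[str, int]):
        self.weights = dict(weights)
        self.current = {name: 0 for name in weights}
        self.total = sum(weights.values())

    def pick(self) -> str:
        for name, weight in self.weights.items():
            self.current[name] += weight
        best = max(self.current, key=self.current.get)   # first max wins ties
        self.current[best] -= self.total
        return best


class LeastConnections:
    """Send the request wherever the fewest connections are currently open."""

    def __init__(self, backends: Iterable[str]):
        self.backends = list(backends)

    def pick(self, active: Dict[str, int]) -> str:
        # Ties resolve to the first backend in pool order.
        return min(self.backends, key=lambda name: active.get(name, 0))


def distribute(balancer, n: int, **kwargs) -> List[str]:
    """Ask a balancer for n consecutive decisions."""
    return [balancer.pick(**kwargs) for _ in range(n)]


if __name__ == "__main__":
    pool = ["web1", "web2", "web3"]
    print("round-robin:        ", distribute(RoundRobin(pool), 6))
    print("rr, web2 unhealthy: ", distribute(RoundRobin(pool), 4, healthy={"web1", "web3"}))
    print("weighted 3:1:       ", distribute(SmoothWeightedRoundRobin({"web1": 3, "web2": 1}), 4))
    print("least connections:  ", LeastConnections(pool).pick({"web1": 12, "web2": 3, "web3": 7}))
```

Round-robin keeps rotating even when one backend is saturated, which is why it is paired with health checks at minimum; least connections reacts to load but needs accurate connection tracking, and weighted distribution encodes capacity differences that round-robin ignores.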

Question 8: A company needs to encrypt traffic between their headquarters and a branch office over the public Internet, using a protocol suite that includes Authentication Header (AH) for integrity and Encapsulating Security Payload (ESP) for confidentiality, with IKE handling key negotiation. What would be the best technology for them to use?

  • A. TLS VPN. A TLS VPN (often called an SSL VPN) tunnels traffic inside TLS over TCP, typically on port 443, and is mainly used for remote-access clients; it does not use AH, ESP, or IKE.
  • B. IPsec site-to-site VPN. IPsec is a protocol suite using Authentication Header (AH) for integrity, Encapsulating Security Payload (ESP) for confidentiality, and Internet Key Exchange (IKE) for key negotiation, designed for gateway-to-gateway encryption over public networks.
  • C. SSH tunnel. SSH tunnel provides encrypted tunnels for specific applications or port forwarding but does not use AH/ESP or IKE and is not typically used for site-to-site network connectivity between locations.
  • D. GRE tunnel. GRE (Generic Routing Encapsulation) encapsulates packets so they can be routed between sites but provides no encryption, integrity protection, or key negotiation; that is why GRE is commonly run inside an IPsec tunnel rather than on its own.

Question 9: An organization wants to deploy a server that acts as an intermediary for outbound web traffic from its internal network. The server will hide the origin IP addresses of internal clients, cache frequently accessed web content to improve performance, and enforce web filtering policies to restrict access to specific URLs and categories. Which type of device best meets these needs?

  • A. Reverse proxy. A reverse proxy sits in front of web servers to protect them from clients, handling inbound requests, whereas the scenario describes outbound traffic from internal clients to the Internet.
  • B. Transparent proxy. "Transparent" describes how traffic reaches the proxy (intercepted in the path, with no client configuration), not what the proxy does; a transparent proxy can be a forward proxy, but the role the scenario describes, an outbound intermediary that hides client addresses, caches, and filters, is what "forward proxy" names.
  • C. Forward proxy. A forward proxy sits between internal clients and the Internet, handling outbound requests to hide internal IP addresses, cache content, and enforce web filtering policies exactly as described.
  • D. SSL/TLS proxy. An SSL/TLS proxy specifically handles encrypted traffic inspection by acting as a man-in-the-middle, but it doesn't encompass the full range of caching and URL filtering for general outbound web traffic described.

Question 10: A ransomware attack encrypts critical servers in a data center after a single employee workstation is compromised. The attack spread rapidly across a flat network, allowing the ransomware to propagate through SMB shares and unpatched vulnerabilities. Which network design principle could have limited the scope of the ransomware outbreak?

  • A. Air-gapping critical systems. Air-gapping isolates specific critical systems completely, but the question describes limiting the spread within a network, not isolating specific systems from the network entirely.
  • B. Implementing internal segmentation. Internal segmentation (or micro-segmentation) divides the network into smaller zones with controlled traffic between them, preventing lateral movement of ransomware from the compromised workstation to other network segments.
  • C. Disabling RDP and SMBv1 on all devices. While disabling these protocols can prevent specific propagation vectors, it does not address the fundamental architectural issue of the flat network that allowed rapid spread across all systems.
  • D. Using stateful firewalls instead of stateless. While stateful firewalls offer better session tracking, simply replacing firewall types without implementing internal network segmentation would not prevent lateral movement within the same broadcast domain or flat network.

Question 11: A network administrator configures centralized authentication for wireless access points and VPN concentrators, using a protocol that operates over UDP ports 1812/1813 and supports Extensible Authentication Protocol (EAP) for 802.1X deployments. Which protocol is being used?

  • A. TACACS+. TACACS+ uses TCP port 49, separates authentication, authorization, and accounting, and encrypts the entire packet body; it is the usual choice for device administration rather than for wireless or VPN user access, and it does not match the UDP ports 1812/1813 in the question.
  • B. RADIUS. RADIUS (Remote Authentication Dial-In User Service) operates over UDP ports 1812 (authentication) and 1813 (accounting) and supports EAP for 802.1X deployments, matching the description exactly.
  • C. LDAP. LDAP (Lightweight Directory Access Protocol) queries directory services over TCP (or UDP) port 389, or 636 for LDAPS, and often sits behind a RADIUS server as the user store, but it does not use UDP 1812/1813 and does not itself carry EAP for 802.1X.
  • D. Kerberos. Kerberos is a ticket-based authentication protocol using TCP/UDP port 88; it does not provide the RADIUS-style AAA exchange on UDP 1812/1813 that network access devices use.
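What the RADIUS exchange on UDP 1812 actually looks like on the wire, as an added example that is not part of the original quiz: an Access-Request is built the way an access point or VPN concentrator would build it (RFC 2865 framing, User-Password hidden with the shared secret), and the server's Access-Accept is verified through its Response Authenticator. The shared secret, NAS address and credentials are constructed test values, and no packets are sent.

```python
"""Minimal RADIUS Access-Request/Access-Accept encoder and verifier (RFC 2865).

Constructed example: the shared secret, NAS address and credentials used by
the caller are invented test values; packets are only built and parsed.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Dict, Optional, Tuple

RADIUS_AUTH_PORT = 1812   # authentication: Access-Request/Accept/Reject
RADIUS_ACCT_PORT = 1813   # accounting: same framing, different codes

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator.
    This is obfuscation keyed by the shared secret, not a modern cipher."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, nas_ip: str, nas_port: int,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request as a NAS (access point, VPN concentrator) would send it."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), request_auth) + attrs


def parse(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, HEADER.size
    while pos < length:
        attr_type, attr_len = struct.unpack_from("!BB", packet, pos)
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, auth, attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply; Response Authenticator = MD5(header || RequestAuth || attrs || secret)."""
    _, identifier, request_auth, _ = parse(request)
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply came from a holder of the shared secret and
    answers this request; skipping it lets anyone on the path forge an Access-Accept."""
    code, identifier, response_auth, _ = parse(response)
    attrs = response[HEADER.size:]
    head = struct.pack("!BBH", code, identifier, len(response))
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

Two things worth noticing: the password hiding and the response authenticator both rest on MD5 and a static shared secret, which is why RADIUS traffic is normally confined to a management network or tunneled (IPsec, or RADIUS over TLS), and why EAP methods carry their own cryptography inside the RADIUS exchange rather than relying on it.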

Question 12: A firewall examines only the source and destination IP addresses, port numbers, and protocols in packet headers. What type of firewall is this?

  • A. Stateful firewall. A stateful firewall tracks the state of active connections and maintains a state table to determine if packets belong to established sessions, going beyond simple header examination.
  • B. Application-layer firewall. An application-layer firewall inspects Layer 7 content and payload, not just IP addresses and ports in headers.
  • C. Next-generation firewall. An NGFW includes deep packet inspection, application awareness, and threat intelligence, far exceeding the simple header examination described.
  • D. Stateless packet filter firewall. A stateless firewall (or packet filter) examines only source/destination IP addresses, ports, and protocols in headers without tracking connection state or maintaining session tables.
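The difference between options A and D made concrete, as an added example that is not part of the original quiz: the same packets are run through a stateless header filter and through a stateful firewall with a state table. The addresses are drawn from the RFC 5737 documentation ranges and the rule set is a constructed, deliberately classic one (allow outbound HTTPS, allow "replies" from port 443 back to high ports), so the hole a stateless filter leaves is visible.

```python
"""Stateless packet filter versus stateful firewall, judged on the same packets.

Constructed example: RFC 5737 documentation addresses and a deliberately
classic rule set, so the difference between the two designs is visible.
"""
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def _inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt: Packet) -> bool:
    """Decision from header fields only; every packet is judged on its own."""
    if pkt.proto != "tcp":
        return False
    # Rule 1: internal clients may open HTTPS to the outside.
    if _inside(pkt.src) and not _inside(pkt.dst) and pkt.dport == 443:
        return True
    # Rule 2: let the web server's replies back in. A stateless filter cannot
    # know which replies were solicited, so it guesses by port numbers:
    # anything from port 443 to an ephemeral port. That guess is the hole.
    if not _inside(pkt.src) and _inside(pkt.dst) and pkt.sport == 443 and pkt.dport >= 1024:
        return True
    return False


class StatefulFirewall:
    """Same policy intent, but inbound traffic is admitted only when it belongs
    to a session that an internal host opened and that is in the state table."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        outbound_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # New outbound HTTPS session (bare SYN): record it, then allow it.
        if _inside(pkt.src) and not _inside(pkt.dst) and pkt.dport == 443 and pkt.syn and not pkt.ack:
            self.table.add(outbound_key)
            return True
        # Later packets in either direction of a known session. Real firewalls
        # also expire entries on FIN/RST and by idle timeout.
        return outbound_key in self.table or reverse_key in self.table


if __name__ == "__main__":
    client_syn = Packet("10.0.0.5", "198.51.100.10", 51515, 443, syn=True)
    server_reply = Packet("198.51.100.10", "10.0.0.5", 443, 51515, syn=True, ack=True)
    # Attacker sources from port 443 to slip past rule 2 and reach RDP inside.
    spoofed_probe = Packet("203.0.113.9", "10.0.0.5", 443, 3389, syn=True)

    print("stateless:", [stateless_filter(p) for p in (client_syn, server_reply, spoofed_probe)])
    fw = StatefulFirewall()
    print("stateful: ", [fw.filter(p) for p in (client_syn, server_reply, spoofed_probe)])
```

The stateless filter passes the attacker's probe because its headers match rule 2; the stateful firewall drops it because no internal host opened that session. The stateful design still has limits worth knowing: an attacker who can guess an existing session's full 4-tuple can inject into it unless the firewall also tracks TCP sequence numbers, and state tables can be exhausted, which is why real products add timeouts and connection limits.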

Question 13: A device is placed inline with network traffic to automatically block, drop, or modify malicious packets in real-time before they reach their destination. What is the best description of this device?

  • A. IPS. An IPS (Intrusion Prevention System) is placed inline to automatically block, drop, or modify malicious packets in real-time before they reach their destination, matching the description exactly.
  • B. IDS. An IDS (Intrusion Detection System) is passive, monitoring traffic and alerting but not blocking, whereas the question describes active blocking/modification of packets.
  • C. SPAN port. A SPAN port mirrors traffic to a monitoring device but is passive and cannot block or modify traffic inline.
  • D. IKE. IKE (Internet Key Exchange) is a protocol for setting up security associations in IPsec VPNs, not an inline security appliance for blocking malicious packets.

Question 14: An organization's flat network segment currently hosts a mailbox server, a client network, and a mail transfer server, all of which need enhanced security. Which redesign option BEST segregates the network according to the OSI model and secure architecture principles to mitigate vulnerabilities?

  • A. Segregate with VLANs and control inter-VLAN traffic with ACLs. Placing the client network, the mailbox server, and the mail transfer server in separate VLANs splits them into distinct Layer 2 broadcast domains, and ACLs at the Layer 3 boundary between those VLANs restrict traffic to the few flows actually required (for example, clients to the mailbox server on the mail-access ports, and the transfer server to the mailbox server for delivery). This applies secure architecture principles across the OSI layers, limits lateral movement, and confines each system's vulnerability exposure to its own segment.
  • B. Monitor the mail server with a WAF at the application layer. While monitoring with a WAF provides application-layer protection, it does not address the underlying network architecture or segregation between the client network and mail servers.
  • C. Strengthen router ACLs and enable IPsec for data-in-transit. Strengthening ACLs and enabling encryption protects data in transit but does not provide the fundamental network segmentation needed to separate the different systems onto distinct network segments.
  • D. Create a DMZ for the mail transfer server and separate others with port security. While creating a DMZ is good for the mail transfer server, using port security (MAC-based) to separate the mailbox server and client network is not scalable or appropriate for segmenting entire network segments compared to VLANs.
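A way to check a design like the one in Question 14 before approving it, and at the same time to see the ransomware "blast radius" argument from Question 10, as an added example that is not part of the original quiz. The hosts, VLAN names and ACL entries are constructed; the computation walks the policy to find every host a compromised workstation could reach by hopping over SMB (port 445), first on a flat network and then with VLANs and an ACL in place.

```python
"""Blast radius of one compromised host under a flat design and a segmented one.

Constructed example: host names, VLAN names and ACL entries are invented.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Each host and the VLAN it lives in.
HOSTS: Dict[str, str] = {
    "ws-01": "clients", "ws-02": "clients", "ws-03": "clients",
    "mailbox-01": "mailbox",
    "mta-01": "mta",
    "files-01": "servers",
}

# Inter-VLAN ACL as (src_vlan, dst_vlan, dport). Everything else is denied.
SEGMENTED_ACL: Set[Tuple[str, str, int]] = {
    ("clients", "mailbox", 993),   # IMAPS from clients to the mailbox server
    ("clients", "mailbox", 443),   # webmail
    ("mta", "mailbox", 25),        # delivery from the transfer server
    ("clients", "servers", 445),   # SMB to the file server only
}


def allowed(src: str, dst: str, port: int, acl: Set[Tuple[str, str, int]], flat: bool) -> bool:
    """Flat network: every host reaches every other host on every port.
    Segmented: hosts in the same VLAN still reach each other (there is no
    Layer 3 boundary to filter at); across VLANs the ACL must permit the flow."""
    if flat:
        return True
    src_vlan, dst_vlan = HOSTS[src], HOSTS[dst]
    if src_vlan == dst_vlan:
        return True
    return (src_vlan, dst_vlan, port) in acl


def blast_radius(start: str, port: int, acl: Set[Tuple[str, str, int]], flat: bool) -> List[str]:
    """Hosts reachable from `start` by repeated hops over `port`: the way a
    worm using SMB (445) spreads, since each newly infected host scans again."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for host in HOSTS:
            if host not in seen and allowed(current, host, port, acl, flat):
                seen.add(host)
                queue.append(host)
    return sorted(seen - {start})


if __name__ == "__main__":
    print("flat, SMB from ws-01:     ", blast_radius("ws-01", 445, SEGMENTED_ACL, flat=True))
    print("segmented, SMB from ws-01:", blast_radius("ws-01", 445, SEGMENTED_ACL, flat=False))
    print("segmented, SMB from mta-01:", blast_radius("mta-01", 445, SEGMENTED_ACL, flat=False))
```

On the flat network the workstation reaches every server, mail servers included. With segmentation the mailbox and transfer servers are out of reach over SMB, but the other workstations in the same VLAN and the file server the ACL deliberately permits are still exposed; closing those paths is the job of host firewalls, private VLANs, or micro-segmentation, and of the protocol hardening in option C of Question 10, which complements segmentation rather than replacing it.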

Question 15: A security administrator is configuring a new network that requires a device to bridge traffic between wireless clients and wired network resources. The device must handle encryption for wireless communications, authenticate users via 802.1X, and provide access control to internal VLANs. What type of device is being described?

  • A. WireGuard. WireGuard is a VPN protocol for encrypted tunnels, not a device that bridges wireless clients to a wired network with 802.1X authentication.
  • B. Wireless access point. A Wireless Access Point (WAP) bridges wireless clients to wired networks, handles encryption (WPA2/WPA3), supports 802.1X authentication, and provides VLAN access control for wireless clients.
  • C. Wireless controller. A wireless controller centralizes management of multiple access points but is not the direct bridge device between wireless and wired networks described in the question.
  • D. Firewall with wireless interface. A firewall with a wireless interface simply embeds an access point in an edge device; the bridging, wireless encryption, and 802.1X authentication described are the access point's function, and the firewall role is incidental to the question.

Question 16: A company wants to deploy a firewall that can inspect and control traffic based on application type (e.g., blocking social media or video streaming) and protect against advanced threats by integrating intrusion prevention and threat intelligence feeds. Which type of firewall best meets these requirements?

  • A. Layer 3 firewall. A Layer 3 firewall operates at the network layer filtering by IP address and routing, without application-layer inspection capabilities.
  • B. Layer 4 firewall. A Layer 4 firewall filters on TCP/UDP ports (and, if stateful, on connection state) but cannot identify applications such as social media or video streaming, which run over the same ports 80 and 443 as any other web traffic.
  • C. Layer 7 firewall. A Layer 7 (Application-layer) firewall inspects the actual application payload to identify and control specific application types like social media or streaming, and can integrate IPS and threat intelligence.
  • D. Stateful inspection firewall. Stateful inspection tracks connection states at Layer 4 but does not inherently provide the deep application-layer inspection and application-type control described.

Question 17: A network architect needs to select a firewall solution that combines firewall capabilities with integrated intrusion prevention, application control, and threat intelligence feeds. They want a single device that can inspect traffic at both the network layer and application layer for granular control. Which appliance fits this description?

  • A. UTM. A UTM combines multiple security functions but is generally targeted at small and medium-sized businesses (SMBs) and may not provide the same level of integrated threat intelligence and application control as an NGFW, and the question specifically describes NGFW characteristics.
  • B. NIDS. A Network Intrusion Detection System monitors for threats but does not provide firewall capabilities or the integrated application control described.
  • C. NGFW. A Next-Generation Firewall combines traditional firewall capabilities with integrated IPS, application control (Layer 7 inspection), and threat intelligence feeds, inspecting traffic at both network and application layers. It is typically aimed at large enterprises.
  • D. SPI. SPI (Stateful Packet Inspection) refers to traditional stateful firewalls tracking connection states but lacking the application awareness and integrated threat intelligence of an NGFW.

Question 18: An organization is establishing remote access for its employees and contractors. The IT department wants to ensure that only authorized users can connect to the internal network, that all traffic is encrypted, and that session activities are logged for audit purposes. Which remote access method BEST fits the organization's needs?

  • A. VPN using username and password authentication. A VPN encrypts the traffic, but a password alone is a weaker proof of identity than a cryptographic key, and the question asks for the method that best fits the requirements, not one that merely provides encryption.
  • B. RDP with default settings. RDP left at its defaults relies on password authentication, may negotiate less secure legacy security settings, and is a frequent brute-force and exploitation target when exposed; it does not satisfy the strong authentication and audit requirements described.
  • C. SSH using public-key authentication. SSH provides encrypted remote access with session logging, and public-key authentication offers strong cryptographic verification of user identity without transmitting passwords, fitting all requirements for secure remote access.
  • D. Telnet with a shared password. Telnet transmits data in cleartext without encryption and shared passwords provide no accountability, making it completely unsuitable for the security requirements.

Question 19: A security team is deploying intrusion prevention systems (IPS) to protect critical servers and detect and block malicious traffic in real-time. Where should the IPS be placed to effectively monitor and control traffic to these servers without introducing significant latency?

  • A. In front of the public web servers in the DMZ. An IPS at the DMZ edge inspects traffic arriving from the Internet for the web servers, but the question is about critical servers; that placement sees neither internal-to-server traffic nor lateral movement toward them.
  • B. Behind the firewall on the internal network. A position somewhere on the internal network behind the firewall does not guarantee that traffic bound for the critical servers actually passes through the device, and without inline placement the IPS cannot block in real time.
  • C. Inline between the servers and the network switch. Placing the IPS inline between the servers and their network connection allows real-time blocking of malicious traffic directed at the servers with minimal latency, as traffic must pass through the IPS.
  • D. Passively monitoring the server network interface cards. Passive monitoring does not allow the IPS to block traffic in real-time, which is a key requirement for an IPS as opposed to an IDS.

Question 20: A multinational corporation is reviewing its long-term cybersecurity infrastructure strategy. The security team has raised concerns about ensuring the ongoing availability of security patches, spare hardware components, and maintenance contracts for their critical network devices, including firewalls, intrusion prevention systems, and VPN gateways. They are seeking a strategy to mitigate risks related to supply chain continuity. Which approach best addresses these concerns?

  • A. Implement a strict change control process to limit unauthorized access to security devices. Change control manages configuration changes but does not address supply chain risks or vendor dependency for patches and hardware availability.
  • B. Deploy redundant power supplies and failover mechanisms for all network devices. Redundancy improves availability against hardware failures but does not mitigate risks related to vendor supply chains or patch availability.
  • C. Select a diverse set of vendors for different security functions to prevent dependency on any single source. Vendor diversity mitigates supply chain continuity risks by ensuring that the unavailability of one vendor's patches, spare parts, or maintenance contracts does not compromise the entire security infrastructure.
  • D. Conduct monthly penetration testing to identify vulnerabilities in the existing security infrastructure. Penetration testing identifies vulnerabilities but does not address the supply chain and vendor dependency risks described.