Port authentication
EXPLANATION
Use port authentication to prevent unauthorized access through switch ports. Port authentication is provided by the IEEE 802.1X protocol and allows only authenticated devices or users to connect to the LAN through the switch. The switch acts as the authenticator and relays the credentials to an authentication server (typically RADIUS); authentication can use usernames and passwords, smart cards, certificates, or other methods carried over EAP.
- When a device first connects, the port is in an unauthorized state. An unauthorized port passes only 802.1X authentication traffic (EAPOL frames); every other frame is dropped.
- After the authentication server accepts the device or the user, the switch places the port in an authorized state, and access to other LAN devices is allowed. When the supplicant logs off or the link goes down, the port returns to the unauthorized state.
If you use VLANs, you can assign each port to a VLAN. If the ports in the lobby were assigned to one VLAN, you could control what those ports can reach through the switch, but you could not vary that access based on who is using the port. With a VLAN alone, both visitors and employees would have the same access through those ports.
Spanning tree is a protocol that lets switches keep redundant links between one another while blocking all but one active path between any two switches, which prevents switching loops; it does not authenticate anything. Port mirroring copies the traffic from one or more switch ports to a port you designate as the mirror (monitor) port, typically for an IDS or a packet capture. Bonding (link aggregation) lets multiple switch ports be used at the same time as one logical link to a specific destination.
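The two port states above, as an added simulation (not code from the study guide or from any switch vendor): a newly connected port is unauthorized and passes only EAPOL frames (EtherType 0x888E), a success result from the authenticator opens it, and an EAPOL-Logoff closes it again. The user store, the frame contents and the way the identity is carried are assumptions made for the example.

```python
"""802.1X port access control as a simulation.

Added example, not code from the study guide or from any switch vendor.
It models the two port states: a newly connected port is unauthorized and
passes only EAPOL frames (EtherType 0x888E, the frames that carry 802.1X
authentication); once the authenticator gets a success result the port is
authorized and ordinary traffic is forwarded; an EAPOL-Logoff returns it to
unauthorized.  The user store and the identity transport are assumptions.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
EAPOL_START, EAPOL_LOGOFF = 1, 2                 # EAPOL packet types (0 = EAP-Packet)

# Constructed stand-in for the RADIUS user database.
ALLOWED_IDENTITIES = {"alice@corp.example"}


def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (bytes 12-13)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


class SwitchPort:
    """One access port with 802.1X port-control set to 'auto'."""

    def __init__(self, name, authenticator):
        self.name = name
        self.authenticator = authenticator   # callable: identity -> bool
        self.authorized = False              # every port starts unauthorized

    def receive(self, frame: bytes) -> str:
        """Decide what happens to an ingress frame; returns a short verdict."""
        if ethertype(frame) == ETHERTYPE_EAPOL:
            return self._handle_eapol(frame)
        # Anything that is not 802.1X traffic needs an authorized port.
        return "forward" if self.authorized else "drop"

    def _handle_eapol(self, frame: bytes) -> str:
        # EAPOL header after the 14-byte Ethernet header: version, type, length
        ptype = frame[15]
        if ptype == EAPOL_LOGOFF:
            self.authorized = False          # supplicant left: close the port
            return "logoff"
        if ptype == EAPOL_START:
            # Assumption for the example: the identity rides in the EAPOL-Start
            # body.  A real exchange carries it in the EAP Response/Identity
            # that follows, and the switch relays the EAP conversation to RADIUS.
            identity = frame[18:].decode(errors="replace")
            self.authorized = self.authenticator(identity)
            return "authorized" if self.authorized else "auth-failed"
        return "eapol"                       # EAP-Packet in flight: relay only


def ether_frame(dst, src, etype, payload=b""):
    return dst + src + struct.pack("!H", etype) + payload


def eapol_frame(src, ptype, body=b""):
    header = bytes([1, ptype]) + struct.pack("!H", len(body))   # EAPOL version 1
    return ether_frame(PAE_GROUP_ADDR, src, ETHERTYPE_EAPOL, header + body)


def simulate():
    """Walk one port through unauthorized -> authorized -> logoff."""
    port = SwitchPort("Gi1/0/1", lambda ident: ident in ALLOWED_IDENTITIES)
    host = bytes.fromhex("001122334455")                      # constructed MAC
    ipv4 = ether_frame(bytes.fromhex("ffffffffffff"), host, ETHERTYPE_IPV4,
                       b"\x45" + b"\x00" * 19)
    return [
        port.receive(ipv4),                                              # drop
        port.receive(eapol_frame(host, EAPOL_START, b"mallory")),        # auth-failed
        port.receive(ipv4),                                              # drop
        port.receive(eapol_frame(host, EAPOL_START, b"alice@corp.example")),  # authorized
        port.receive(ipv4),                                              # forward
        port.receive(eapol_frame(host, EAPOL_LOGOFF)),                   # logoff
        port.receive(ipv4),                                              # drop
    ]


if __name__ == "__main__":
    print(simulate())
```

The point to take from the run is the first and last verdicts: the IPv4 frame is dropped both before authentication and after the logoff, so a visitor who plugs into a lobby port gets no further than the EAP exchange unless the authentication server says yes.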
REFERENCES
LabSim for Network Pro, Section 13.5.
A password, a biometric scan, and a token device
EXPLANATION
A password, a biometric scan, and a token device together are the strongest form of multi-factor authentication listed here, because they draw on all three factor types. Multi-factor authentication is any combination of two or more authentication credentials, of the same or of different types. The three common authentication factor types are something you know (such as a password), something you have (such as a smart card or a token device), and something you are (such as a biometric quality like a fingerprint).
The other three options are weaker forms of multi-factor authentication. A password and a biometric scan is a multi-factor authentication system, and because the two credentials are of different types it is also an example of two-factor authentication. Two-factor authentication is a combination of exactly two different authentication factor types. Two passwords is counted as multi-factor authentication here, but since it uses two credentials of the same type it is not a true two-factor method: whatever captures one password (phishing, a keylogger, a stolen password database) usually captures the other as well.
REFERENCES
LabSim for Network Pro, Section 13.5.
Token device, keystroke analysis, cognitive question
EXPLANATION
Three-factor authentication uses three items for authentication, one each from each of the authentication types:
- Type I (something you know, such as a password, PIN, passphrase, or cognitive question)
- Type II (something you have, such as a smart card, token device, or photo ID)
- Type III (something you are, such as fingerprints, retina scans, voice recognition, or keyboard dynamics)
Of the examples listed, a token device (Type II), keystroke analysis (Type III, a behavioural biometric also called keyboard dynamics), and a cognitive question (Type I) is the only combination that uses one credential from each of the three types. The other options combine multiple authentication credentials, but not credentials of three different types, so they are multi-factor but not three-factor.
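How a Type I credential and a Type II credential are actually checked together, as an added example that is not part of the study guide and serves both the two-factor discussion above and the factor-type lists: a password check (something you know) combined with a time-based one-time code from a token (something you have, RFC 6238 TOTP, which is what most hardware and app tokens generate). This goes beyond the quiz text in showing the token algorithm itself. The user record, the clock value and the password are constructed; the token secret is the RFC 6238 test key.

```python
"""Two-factor login: something you know plus something you have.

Added example, not part of the study guide.  It combines a password check
(Type I) with a time-based one-time code from a token (Type II, RFC 6238
TOTP).  The user record, the clock value and the password are constructed
for the example; the token secret is the RFC 6238 test key.
"""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (the 'something you know')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew."""
    return any(hmac.compare_digest(totp(key, unix_time + 30 * k), code)
               for k in range(-window, window + 1))


# Constructed user record.  A real system stores a per-user random token
# secret and a per-user random salt; both are fixed here for reproducibility.
USER = {
    "name": "alice",
    "salt": b"constructed-salt",
    "pw_hash": hash_password("correct horse battery staple", b"constructed-salt"),
    "totp_key": b"12345678901234567890",   # RFC 6238 test secret
}


def login(password: str, code: str, unix_time: int) -> dict:
    """Report each factor separately; access requires both factor types."""
    knows = verify_password(password, USER["salt"], USER["pw_hash"])
    has = verify_totp(USER["totp_key"], code, unix_time)
    return {"know": knows, "have": has, "granted": knows and has}


if __name__ == "__main__":
    now = 59                                    # fixed clock: reproducible run
    code = totp(USER["totp_key"], now)          # what the token displays
    print(login("correct horse battery staple", code, now))
    print(login("correct horse battery staple", "000000", now))   # one factor only
```

The result dictionary makes the factor-type point concrete: a correct password with a wrong code, or a correct code with a wrong password, each satisfies one type and is refused. A second password would add a second entry under "know" without adding a second type.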
REFERENCES
LabSim for Network Pro, Section 13.5.
You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via group policy. The aims of this policy are to do the following:
- Prevent using the same password within 12 password changes.
- Ensure that users cannot change the password more than once a day.
- Prevent weak passwords or simple passwords, such as 123456 or password, from being used.
Select the options that you will need to fulfill all of these goals.
a. Enforce password history
b. Minimum password length
c. Passwords must meet complexity requirements
d. Minimum password age
e. Maximum password length
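The three goals correspond to Enforce password history (set to 12), Minimum password age (set to 1 day) and Password must meet complexity requirements; Minimum password length is a separate setting that none of the three goals asks for, and Maximum password length is not a Group Policy setting at all. The checker below, an added example and not the study guide's code, applies the three rules the way a domain controller does when those settings are in force, so the reader can see each goal reject the change it is meant to block. The Windows complexity rule counts a fifth character class for non-Latin letters; the example uses four. The hash, salt and account name are constructed.

```python
"""Enforce the three password rules from the question, as an added example.

This is not the study guide's code.  It applies: password history of 12,
minimum password age of 1 day, and the Windows complexity rule (at least six
characters, at least three of the four character classes used here, and no
occurrence of an account name of three or more characters).  The hash, salt
and account names are constructed for the example.
"""
import hashlib
import re
from datetime import datetime, timedelta

HISTORY_LENGTH = 12                   # Enforce password history: 12 passwords remembered
MIN_PASSWORD_AGE = timedelta(days=1)  # Minimum password age: 1 day


def meets_complexity(password: str, username: str) -> bool:
    """Password must meet complexity requirements (four-class simplification)."""
    if len(password) < 6:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


class Account:
    def __init__(self, username: str):
        self.username = username
        self.history = []          # hashes of previous passwords, oldest first
        self.last_change = None

    def _hash(self, password: str) -> str:
        # Constructed: a fixed salt keeps the demo deterministic; a directory
        # stores each history entry as the NT hash or with its own salt.
        return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()

    def change(self, new_password: str, now: datetime):
        """Return None if the change is accepted, else the rule that rejected it."""
        if self.last_change is not None and now - self.last_change < MIN_PASSWORD_AGE:
            return "minimum password age"
        if not meets_complexity(new_password, self.username):
            return "complexity requirements"
        if self._hash(new_password) in self.history[-HISTORY_LENGTH:]:
            return "password history"
        self.history.append(self._hash(new_password))
        self.last_change = now
        return None


def demo():
    """One user attempting the changes the policy is meant to block."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("jsmith")
    return [
        acct.change("Winter-2024!", t0),                          # None: accepted
        acct.change("Spring-2024!", t0 + timedelta(hours=2)),     # minimum password age
        acct.change("password", t0 + timedelta(days=1)),          # complexity requirements
        acct.change("123456", t0 + timedelta(days=1)),            # complexity requirements
        acct.change("jsmith#2024Ab", t0 + timedelta(days=1)),     # complexity (contains account name)
        acct.change("Winter-2024!", t0 + timedelta(days=1)),      # password history
        acct.change("Spring-2024!", t0 + timedelta(days=1)),      # None: accepted
    ]


def demo_rollover():
    """After 12 other passwords the original has aged out of the history window."""
    acct = Account("jsmith")
    t = datetime(2024, 1, 1)
    acct.change("Winter-2024!", t)
    for i in range(HISTORY_LENGTH):
        t += timedelta(days=1)
        if acct.change(f"Rotate-{i:02d}!x", t) is not None:
            raise RuntimeError("rotation password unexpectedly rejected")
    t += timedelta(days=1)
    return acct.change("Winter-2024!", t)    # None: it is now the 13th most recent


if __name__ == "__main__":
    print(demo())
    print(demo_rollover())
```

demo_rollover shows why minimum password age matters: without it, a user could cycle through 12 throwaway passwords in a minute and land back on the original, which is exactly what the one-day minimum age prevents.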
How does a DirectAccess client determine whether it is on the internal network or external network?
If the client can resolve enterpriseregistration.domain.com then it is external
If latency to the network location server is above 40 milliseconds then it is external
If the client can resolve enterpriseregistration.domain.com then it is internal
If the client can connect to the network location server then it is internal
If the client can connect to the network location server then it is external
VPN concentrator
With a remote access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.
A demilitarized zone (DMZ), also called a screened subnet, is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet). A RADIUS server is used to centralize authentication, authorization, and accounting for multiple remote access servers. However, clients still connect to the individual remote access servers, not to the RADIUS server itself.
An intrusion detection system (IDS) is a special network device that can detect attacks and suspicious activity. A passive IDS monitors, logs, and detects security breaches, but it does not take action to stop or prevent an attack. An active IDS (also called an intrusion prevention system or IPS) performs the functions of an IDS but can also react, for example by dropping traffic or resetting connections, when security breaches occur.