CompTIA SY0-401 Exam Practice Questions (P. 5)
Question #41
Matt, the network engineer, has been tasked with separating network traffic between virtual machines on a single hypervisor. Which of the following would he implement to BEST address this requirement? (Choose two.)
- A. Virtual switch
- B. NAT
- C. System partitioning
- D. Access-list
- E. Disable spanning tree
- F. VLAN
Correct Answer: A, F
A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. A virtual switch is a software application that allows communication between virtual machines. A combination of the two would best satisfy the question.
Question #42
A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the applications task. Which of the following is the security administrator practicing in this example?
- A. Explicit deny
- B. Port security
- C. Access control lists
- D. Implicit deny
Correct Answer: C
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.
Question #43
An administrator needs to connect a router in one building to a router in another using Ethernet. Each router is connected to a managed switch and the switches are connected to each other via a fiber line. Which of the following should be configured to prevent unauthorized devices from connecting to the network?
- A. Configure each port on the switches to use the same VLAN other than the default one
- B. Enable VTP on both switches and set to the same domain
- C. Configure only one of the routers to run DHCP services
- D. Implement port security on the switches
Correct Answer: D
Port security in IT can mean several things:
- The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port.
- The management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn't actively using them.
- Port knocking is a security system in which all ports on a system appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.
Question #44
At an organization, unauthorized users have been accessing network resources via unused network wall jacks. Which of the following would be used to stop unauthorized access?
- A. Configure an access list.
- B. Configure spanning tree protocol.
- C. Configure port security.
- D. Configure loop protection.
Correct Answer: C
Port security in IT can mean several things. It can mean the physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port. This can be accomplished by locking down the wiring closet and server vaults and then disconnecting the workstation run from the patch panel (or punch-down block) that leads to a room's wall jack. Any unneeded or unused wall jacks can (and should) be physically disabled in this manner. Another option is to use a smart patch panel that can monitor the MAC address of any device connected to each and every wall port across a building and detect not just when a new device is connected to an empty port, but also when a valid device is disconnected or replaced by an invalid device.
Question #45
On Monday, all company employees report being unable to connect to the corporate wireless network, which uses 802.1x with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages.
Which of the following is the MOST likely cause for this issue?
- A. Too many incorrect authentication attempts have caused users to be temporarily disabled.
- B. The DNS server is overwhelmed with connections and is unable to respond to queries.
- C. The company IDS detected a wireless attack and disabled the wireless network.
- D. The Remote Authentication Dial-In User Service server certificate has expired.
Correct Answer: D
The question states that the network uses 802.1x with PEAP. The 802.1x authentication server is typically an EAP-compliant Remote Authentication Dial-In User Service (RADIUS) server. A RADIUS server will be configured with a digital certificate. When a digital certificate is created, an expiration period is configured by the Certificate Authority (CA). The expiration period is commonly one or two years.
The question states that no configuration changes have been made, so it's likely that the certificate has expired.
Question #46
A company determines a need for additional protection from rogue devices plugging into physical ports around the building.
Which of the following provides the highest degree of protection from unauthorized wired network access?
- A. Intrusion Prevention Systems
- B. MAC filtering
- C. Flood guards
- D. 802.1x
Correct Answer: D
IEEE 802.1x is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism to wireless devices connecting to a LAN or WLAN.
Question #47
While configuring a new access layer switch, the administrator, Joe, was advised that he needed to make sure that only devices authorized to access the network would be permitted to login and utilize resources. Which of the following should the administrator implement to ensure this happens?
- A. Log Analysis
- B. VLAN Management
- C. Network separation
- D. 802.1x
Correct Answer: D
802.1x is a port-based authentication mechanism. It's based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it's often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco Systems Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).
Question #48
A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.
PERMIT TCP ANY ANY 80
PERMIT TCP ANY ANY 443
Which of the following rules would accomplish this task? (Choose two.)
- A. Change the firewall default settings so that it implements an implicit deny
- B. Apply the current ACL to all interfaces of the firewall
- C. Remove the current ACL
- D. Add the following ACL at the top of the current ACL: DENY TCP ANY ANY 53
- E. Add the following ACL at the bottom of the current ACL: DENY ICMP ANY ANY 53
- F. Add the following ACL at the bottom of the current ACL: DENY IP ANY ANY 53
Correct Answer: A, F
Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.
DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.
Question #49
Users are unable to connect to the web server at IP 192.168.0.20. Which of the following can be inferred of a firewall that is configured ONLY with the following ACL?
PERMIT TCP ANY HOST 192.168.0.10 EQ 80
PERMIT TCP ANY HOST 192.168.0.10 EQ 443
- A. It implements stateful packet filtering.
- B. It implements bottom-up processing.
- C. It failed closed.
- D. It implements an implicit deny.
Correct Answer: D
Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. Implicit deny is the default response when an explicit allow or deny isn't present.
Question #50
The Human Resources department has a parent shared folder set up on the server. There are two groups that have access, one called managers and one called staff. There are many subfolders under the parent shared folder; one is called payroll. The parent folder access control list propagates to all subfolders, and all subfolders inherit the parent permission. Which of the following is the quickest way to prevent the staff group from gaining access to the payroll folder?
- A. Remove the staff group from the payroll folder
- B. Implicit deny on the payroll folder for the staff group
- C. Implicit deny on the payroll folder for the managers group
- D. Remove inheritance from the payroll folder
Correct Answer: B
Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default.