The answers and explanations for a section quiz on network security, specifically focusing on DMZs and firewalls. It includes 10 questions with correct answers, explanations, and references to related facts.
Date: 3/1/2022 1:44:37 pm • Time spent: 02: Score: 90% Passing Score: 80%

Question 1: Correct
Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks?
  - Multi-homed
  - Circuit proxy
  - Bastion or sacrificial host
  - Kernel proxy
EXPLANATION
A bastion or sacrificial host is one that is unprotected by a firewall. The term bastion host is used to describe any device fortified against attack (such as a firewall). A sacrificial host might be a device intentionally exposed to attack, such as a honeypot. Circuit proxy and kernel proxy are types of firewall devices. Multi-homed describes a device with multiple network interface cards.
REFERENCES
5.2.4 DMZ Facts
q_dmz_bastion_secp7.question.fex

Question 3: Correct
Which of the following is the MOST likely to happen if the firewall managing traffic into the DMZ fails?
  - The LAN is compromised, but the DMZ stays protected.
  - Nothing will happen - all devices will stay protected.
  - All devices in the DMZ and LAN will be compromised.
  - Only the servers in the DMZ are compromised, but the LAN will stay protected.
EXPLANATION
If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise. The LAN is protected by default. None of the other options are correct in this scenario.
REFERENCES
3.1.1 Physical Security
3.1.2 Physical Security Facts
3.1.3 Implement Physical Security
3.2.4 Physical Network Protection Facts
5.2.4 DMZ Facts
q_dmz_dmz_02_secp7.question.fex

Question 4: Incorrect
You have a company network that is connected to the internet. You want all users to have internet access, but you need to protect your private network and users. You also need to make a web server publicly available to internet users. Which solution should you use?
  - Use a single firewall. Put the web server in front of the firewall and the private network behind the firewall.
  - Use firewalls to create a DMZ. Place the web server inside the DMZ and the private network behind the DMZ.
  - Use a single firewall. Put the web server and the private network behind the firewall.
  - Use firewalls to create a DMZ. Place the web server and the private network inside the DMZ.
EXPLANATION
A demilitarized zone (DMZ), also called a screened subnet, is a buffer network (or subnet) that sits between the private network and an untrusted network such as the internet. A common configuration uses two firewalls, one connected to the public network and one connected to the private network. Publicly accessible resources (servers) are placed inside the screened subnet. Examples of publicly accessible resources include web, FTP, or email servers. Private resources that are not accessible from the internet are placed behind the DMZ (behind the inner firewall). Placing the web server inside the private network would mean opening ports in the firewall leading to the private network, which could expose other devices to attack. Placing the web server outside of the firewall would leave it unprotected.
REFERENCES
5.2.4 DMZ Facts
q_dmz_firewall_secp7.question.fex

Question 6: Correct
What needs to be configured on a firewall to allow traffic directed to the public resource in the DMZ?
  - VPN
  - Subnet
  - Packet filters
  - FTP
EXPLANATION
Packet filters on the firewall allow traffic directed to the public resources inside the DMZ. Packet filters also prevent unauthorized traffic from reaching the private network. A subnet is used to segment a network. A VPN provides a secure outside connection to an internal network's resources. A VPN does not need to be configured on the firewall to allow traffic to the public resource in the DMZ. FTP is a protocol used to transfer files. This does not need to be configured on the firewall to allow traffic to the public resource in the DMZ.
REFERENCES
3.1.1 Physical Security
3.1.2 Physical Security Facts
3.1.3 Implement Physical Security
3.2.4 Physical Network Protection Facts
5.2.4 DMZ Facts
q_dmz_packets_secp7.question.fex

Question 7: Correct
You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information. How should you place devices on the network to best protect the servers? (Select two.)
  - Put the web server on the private network.
  - Put the web server inside the DMZ.
  - Put the database server inside the DMZ.
  - Put the database server on the private network.
EXPLANATION
Publicly accessible resources (servers) are placed inside the DMZ. Examples of publicly accessible resources include web, FTP, or email servers. Devices that should not be accessible to public users are placed on the private network. If you have a public server that communicates with another server, such as a database server, and that server should not have direct contact with public hosts, place the server on the private network and allow only traffic from the public server to cross the inner firewall.
REFERENCES
5.2.4 DMZ Facts
q_dmz_private_secp7.question.fex

Question 9: Correct
Which of the following is another name for a firewall that performs router functions?
  - Dual-homed gateway
  - Screening router
  - Screened-host gateway
  - Screened subnet
EXPLANATION
A firewall performing router functions is considered a screening router. A screening router is the router that is most external to your network and closest to the internet. It uses access control lists (ACLs) to filter packets as a form of security. A dual-homed gateway is a firewall device that typically has three network interfaces: one connected to the internet, one connected to the public subnet, and one connected to the private network. A screened-host gateway resides within the DMZ, requiring users to authenticate in order to access resources within the DMZ or the intranet. A screened subnet uses two firewalls. The external firewall is connected to the internet and allows access to public resources. The internal firewall connects the screened subnet to the private network.
REFERENCES
5.2.4 DMZ Facts
q_dmz_screen_secp7.question.fex

Question 10: Correct
Which of the following is the BEST solution to allow access to private resources from the internet?
  - Packet filters
  - Subnet
  - VPN
  - FTP
EXPLANATION
A VPN provides a secure outside connection to an internal network's resources. A VPN server can be placed inside the DMZ. Internet users can be required to authenticate to the VPN server and then allowed communications from the VPN server to the private network. Only communications coming through the VPN server are allowed through the inner firewall. Packet filters on the firewall allow traffic directed to a public resource inside the DMZ. Packet filters also prevent unauthorized traffic from reaching the private network. Packet filters won't allow access to private resources from the internet. A subnet is used to segment a network. File Transfer Protocol (FTP) is a protocol used to transfer files. This does not allow access to private resources from the internet.
REFERENCES
5.2.4 DMZ Facts
q_dmz_vpn_secp7.question.fex
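The following Python model is an added example and is not part of the quiz or of the course material it references. It encodes the two-firewall screened subnet described in Questions 4, 6, 7 and 10 as first-match packet-filter rule sets with a default deny (outer firewall between the internet and the DMZ, inner firewall between the DMZ and the private network) and evaluates sample flows against them: internet clients may reach only the published web and VPN ports, the web server alone may cross the inner firewall to its database, and only the VPN server may reach the private network at large. All addresses, host names, ports and rule sets are constructed for illustration, and the `outer_failed` switch models Question 3 under the stated assumption that a failed outer firewall passes everything.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    dport: Optional[int]  # destination port, or None for any port
    action: str           # "allow" or "deny"


# Constructed addressing (documentation ranges, not a real deployment).
DMZ_NET = ip_network("192.0.2.0/24")      # the screened subnet
PRIVATE_NET = ip_network("10.10.0.0/16")  # the private LAN
WEB = "192.0.2.10"                        # public web server, inside the DMZ
VPN = "192.0.2.20"                        # VPN server, inside the DMZ
DB = "10.10.5.20"                         # database server, on the private network
FILESERVER = "10.10.5.30"                 # an internal-only host
CLIENT = "203.0.113.5"                    # an internet host
ANY = "0.0.0.0/0"

# Outer firewall (internet <-> DMZ): packet filters admit only the published services.
OUTER_RULES = [
    Rule(ANY, f"{WEB}/32", 443, "allow"),   # HTTPS to the public web server
    Rule(ANY, f"{VPN}/32", 1194, "allow"),  # VPN clients authenticate here
]
# Inner firewall (DMZ <-> private): only the public server may reach its back end,
# and only the VPN server may reach the private network at large.
INNER_RULES = [
    Rule(f"{WEB}/32", f"{DB}/32", 5432, "allow"),
    Rule(f"{VPN}/32", str(PRIVATE_NET), None, "allow"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow: Flow) -> bool:
    """First matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action == "allow"
    return False


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in PRIVATE_NET:
        return "private"
    if addr in DMZ_NET:
        return "dmz"
    return "internet"


ZONE_ORDER = {"internet": 0, "dmz": 1, "private": 2}


def firewalls_on_path(flow: Flow):
    """Firewalls a flow must cross between its source and destination zones, outermost first."""
    lo, hi = sorted((ZONE_ORDER[zone_of(flow.src)], ZONE_ORDER[zone_of(flow.dst)]))
    path = []
    if lo <= 0 < hi:
        path.append(("outer", OUTER_RULES))
    if lo <= 1 < hi:
        path.append(("inner", INNER_RULES))
    return path


def is_permitted(flow: Flow, outer_failed: bool = False) -> bool:
    """Permitted only if every firewall on the path allows the flow.
    outer_failed=True assumes the failed outer firewall passes all traffic (fail-open)."""
    for name, rules in firewalls_on_path(flow):
        if name == "outer" and outer_failed:
            continue
        if not evaluate(rules, flow):
            return False
    return True


# Constructed sample flows, one per question the model illustrates.
SAMPLE_FLOWS = {
    "client->web:443": Flow(CLIENT, WEB, 443),          # published service
    "client->web:22": Flow(CLIENT, WEB, 22),            # unpublished port on the DMZ host
    "client->db:5432": Flow(CLIENT, DB, 5432),          # internet host reaching the private LAN
    "web->db:5432": Flow(WEB, DB, 5432),                # public server to its back end
    "web->fileserver:445": Flow(WEB, FILESERVER, 445),  # public server to an unrelated internal host
    "vpn->fileserver:445": Flow(VPN, FILESERVER, 445),  # authenticated VPN traffic to the LAN
}


def policy_report(outer_failed: bool = False) -> dict:
    return {name: is_permitted(f, outer_failed) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for failed in (False, True):
        print(f"outer firewall {'FAILED' if failed else 'healthy'}:")
        for name, allowed in policy_report(failed).items():
            print(f"  {name:22} {'allow' if allowed else 'deny'}")
```

The model is stateless, so reply traffic and connection tracking are out of scope; the point is that the inner rule set is written in terms of the one DMZ host that legitimately needs each private resource, which is why a failed outer firewall exposes every DMZ port but still leaves the private network unreachable from the internet.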