Free CompTIA N10-008 Practice Exam with Questions & Answers | Set: 6

TACACS+ is used to authenticate users and authorize access to network resources. This protocol provides greater network security by encrypting the authentication credentials and reducing the risk of unauthorized access. According to the CompTIA Network+ Study Manual, “TACACS+ is an authentication protocol used to centralize authentication and authorization for network devices. It is a more secure alternative to Telnet for handling logins and for granting privileges to users.”

It does this by using a two-level hierarchy of switches, where the spine switches connect to the leaf switches, which in turn connect to the end hosts. This reduces the number of hops a packet must take from one host to another, thus reducing latency. According to the CompTIA Network+ N10-008 Exam Guide, the Spine and Leaf topology is a modern architecture that is used to reduce latency in large networks.

• BGP stands for Border Gateway Protocol, and it is the standard protocol for exchanging routing information between different autonomous systems (AS) on the internet12. An AS is a network or a group of networks under a single administrative control, such as an ISP or a large enterprise12.
• BGP is an Exterior Gateway Protocol (EGP), which means it is used to communicate with routers outside the local network or AS12. BGP allows each AS to advertise its own routes and policies to other ASes, and to learn the best routes to reach any destination on the internet12.
• BGP is generally used by major ISPs for handling large-scale internet traffic because it is highly scalable, flexible, and reliable12. BGP can handle millions of routes and thousands of ASes, and it can support various routing policies and preferences12. BGP also has mechanisms to detect and avoid routing loops, and to recover from network failures12.
• The other options are not suitable for handling large-scale internet traffic across different ASes. RIP (Routing Information Protocol) and EIGRP (Enhanced Interior Gateway Routing Protocol) are both Distance Vector protocols, which means they use the number of hops as the metric to find the best route34. They are also Interior Gateway Protocols (IGP), which means they are used to communicate with routers within the same network or AS34. RIP and EIGRP are not scalable or flexible enough to handle the complexity and diversity of the internet34. OSPF (Open Shortest Path First) is a Link State protocol, which means it uses the speed and cost of the links as the metric to find the best route5. It is also an IGP, which means it is used to communicate with routers within the same network or AS5. OSPF is more scalable and flexible than RIP and EIGRP, but it still has limitations in handling large-scale internet traffic across different ASes5. References:
• 1: CompTIA Network+ N10-008 Certification Study Guide, Chapter 3: Routing, Section 3.4: BGP6
• 2: Professor Messer’s CompTIA N10-008 Network+ Course Notes, Page 18: BGP7
• 3: CompTIA Network+ N10-008 Certification Study Guide, Chapter 3: Routing, Section 3.2: RIP and EIGRP6
• 4: Professor Messer’s CompTIA N10-008 Network+ Course Notes, Page 16: RIP and EIGRP7
• 5: CompTIA Network+ N10-008 Certification Study Guide, Chapter 3: Routing, Section 3.3: OSPF6
• 6: CompTIA Network+ N10-008 Certification Study Guide2
• 7: Professor Messer’s CompTIA Network+ N10-008 Training Course5

FHRP stands for First Hop Redundancy Protocol, and it is a group of protocols that allow routers to work together to provide backup or failover for the default gateway in a network. FHRP can prevent network failure at the gateway by protecting data traffic from a failed router and ensuring that there is always an active router to forward packets. Some examples of FHRP protocols are HSRP, VRRP, and GLBP12.

References: 1: CompTIA Network+ N10-008 Cert Guide - Chapter 13: Routing Protocols32: First Hop Redundancy Protocols (FHRP) Explained4

Port mirroring is a feature that allows a network switch to copy the traffic from one or more ports to another port for monitoring purposes. Port mirroring can be used to analyze the network traffic from a specific source, destination, or protocol without affecting the normal operation of the network. Port mirroring can also help to detect and troubleshoot network problems, such as performance issues, security breaches, or policy violations.

The other options are not correct because they do not meet the requirements of the question. They are:

• Turn on port security. Port security is a feature that restricts the number and type of devices that can connect to a switch port. Port security can help to prevent unauthorized access, MAC address spoofing, or MAC flooding attacks. However, port security does not allow the network security engineer to view the traffic from the user’s PC to the switch.
• Implement dynamic ARP inspection. Dynamic ARP inspection (DAI) is a feature that validates the ARP packets on a network and prevents ARP spoofing attacks. DAI can help to protect the network from man-in-the-middle, denial-of-service, or data interception attacks. However, DAI does not allow the network security engineer to view the traffic from the user’s PC to the switch.
• Configure 802.1Q. 802.1Q is a standard that defines how to create and manage virtual LANs (VLANs) on a network. VLANs can help to segment the network into logical groups based on function, security, or performance. However, 802.1Q does not allow the network security engineer to view the traffic from the user’s PC to the switch.

References1: Port Mirroring - an overview | ScienceDirect Topics2: Network+ (Plus) Certification | CompTIA IT Certifications3: Port Security - an overview | ScienceDirect Topics4: Dynamic ARP Inspection - an overview | ScienceDirect Topics5: 802.1Q - an overview | ScienceDirect Topics

A toner is a tool that generates an audible signal that can be traced by a probe. A network technician can use a toner to identify the appropriate patch panel port by connecting the toner to one end of the patch cord and using the probe to scan the patch panel until the signal is detected. A toner is the easiest way to identify the patch panel port when the patch panel is not labeled, as it does not require a laptop, a cable tester, or a visual fault locator. A toner can also be used to locate breaks or shorts in a cable, or to verify continuity.

References:

• Using a Toner and Probe - CompTIA Network+ Certification (N10-008): The Total Course Video
• CompTIA Network+ Certification Exam Objectives, page 141

Port mirroring is a feature that allows a switch to copy the traffic from one or more ports to another port for monitoring or analysis purposes. Port mirroring can help a network administrator to troubleshoot network problems, detect security threats, or optimize network performance. Port mirroring can be configured on most switches using the command-line interface (CLI) or a graphical user interface (GUI).

References:

• CompTIA Network+ N10-008 Certification Exam Objectives, page 51
• CompTIA Network+ N10-008 Cert Guide, Chapter 11: Switching Technologies
• Port Mirroring - CompTIA Network+ Certification (N10-008): The Total Course [Video]1
• CompTIA Network+ N10-005: 2.1 – Port Mirroring - Professor Messer IT Certification Training Courses2
• CompTIA Network+ N10-005: 1.4 – Port Mirroring3

Port 53 is used for DNS, which is a service that translates domain names into IP addresses. Port 995 is used for POP3S, which is a protocol for receiving email messages securely. POP3S supports large file transfers and encryption. Therefore, these two ports should be opened for the mail server and the DNS server project

An on-path attack is a type of attack where an attacker intercepts and modifies the traffic between two devices on the same network. One common example of an on-path attack is ARP poisoning, where an attacker sends fake ARP replies to trick the devices into sending their traffic to the attacker instead of the intended destination. This allows the attacker to eavesdrop, alter, or redirect the traffic.

To mitigate this threat, one of the best practices is to use dynamic ARP inspection (DAI), which is a security feature that validates ARP packets on a network. DAI checks the MAC address and IP address bindings in the ARP packets against a trusted database, such as the DHCP snooping table or a static ARP access list. If the ARP packet contains an invalid or spoofed binding, DAI drops the packet and prevents the ARP poisoning attack.

The other options are not as effective as DAI for mitigating on-path attacks. Role-based access is a method of controlling access to resources based on the roles and permissions of the users, but it does not prevent an attacker from spoofing the MAC address or IP address of a legitimate user. Control plane policing is a feature that protects the control plane of a router or switch from excessive or malicious traffic, but it does not verify the MAC address or IP address bindings in the data plane. MAC filtering is a feature that allows or denies access to a network based on the MAC address of the device, but it does not prevent an attacker from spoofing the MAC address of an allowed device.

References:

https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/on-path-attacks/

https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/cpp.html

The authentication method that this setup describes is SSO (Single Sign-On). SSO is a technique that allows a user to log in once to a main web application and then access multiple other applications or services without having to re-enter credentials. SSO simplifies the user experience and reduces the number of passwords to remember and manage. References: CompTIA Network+ N10-008 Certification Study Guide, page 371; The Official CompTIA Network+ Student Guide (Exam N10-008), page 14-5.

Change management is the process of reviewing previous upgrades to a system. It is a systematic approach to managing changes to an organization's IT systems and infrastructure. Change management involves the assessment of potential risks associated with a change, as well as the identification of any necessary resources required to implement the change. References: Network+ Certification Study Guide, Chapter 8: Network Troubleshooting

A screened subnet is a network topology that uses two firewalls to isolate a segment of the network from both the internal LAN and the internet. The screened subnet, also known as a demilitarized zone (DMZ), hosts the internet-facing servers that need to be accessible from outside the network, such as web servers, mail servers, or DNS servers. The first firewall, also known as the external firewall, filters the traffic between the internet and the DMZ, allowing only the necessary ports and protocols to pass through. The second firewall, also known as the internal firewall, filters the traffic between the DMZ and the internal LAN, allowing only authorized and secure connections to access the internal resources. This way, the screened subnet provides a layer of protection for both the internet-facing hosts and the internal LAN from potential attacks12.

The other options are not defense strategies that help meet the design requirement of partitioning off the internet-facing hosts from the internal LAN and internal server IP ranges. Deploying a honeypot is a deception technique that lures attackers to a fake system or network that mimics the real one, in order to monitor their activities and collect information about their methods and motives. However, a honeypot does not isolate or protect the internet-facing hosts from the rest of the network3. Utilizing network access control is a security method that enforces policies on who or what can access the network resources, based on factors such as identity, role, device type, location, or time. However, network access control does not create a separate segment for the internet-facing hosts from the internal LAN. Enforcing a Zero Trust model is a security paradigm that assumes no trust for any entity inside or outside the network, and requires continuous verification and validation of every request and transaction. However, a Zero Trust model does not necessarily imply a specific network topology or architecture for separating the internet-facing hosts from the internal LAN.

According to troubleshooting methodology, after determining the most likely probable cause of an issue, the next step is to establish a plan of action to resolve the issue and identify potential effects. This step involves defining the steps needed to implement a solution, considering the possible consequences of each step, and obtaining approval from relevant stakeholders if necessary. References: https://partners.comptia.org/docs/default-source/resources/comptia-network-n10-008-exam-objectives-(2-0), https://www.comptia.org/blog/the-comptia-guide-to-it-troubleshooting

A content delivery network (CDN) is a distributed network of servers that delivers web content to users based on their geographic location. By replicating content across multiple servers in various locations, a CDN can optimize speed and reduce latency in high-density user locations.

Next-generation firewalls can provide content filtering and threat protection, and can manage multiple IPSec site-to-site connections. References: CompTIA Network+ Certification Study Guide, Chapter 5: Network Security.