Security Certified Program SC0-502 Test
SC0-502
QUESTION 1Now that you have Certkiller somewhat under control, you are getting ready to gohome for the night. You have made good progress on the network recently, andthings seem to be going smoothly. On your way out, you stop by the CEO's officeand say good night. You are told that you will be meeting in the morning, so try toget in a few minutes early.The next morning, you get to the office 20 minutes earlier than normal, and theCEO stops by your office, "Thanks for coming in a bit early. No problem really, Ijust wanted to discuss with you a current need we have with the network.""OK, go right ahead." You know the network pretty well by now, and are ready forwhatever is thrown your way."We are hiring 5 new salespeople, and they will all be working from home or on theroad. I want to be sure that the network stays safe, and that they can get access nomatter where they are.""Not a problem," you reply. "I'll get the plan for this done right away.""Thanks a lot, if you have an y questions for me, just let me know."You are relieved that there was not a major problem and do some background workfor integrating the new remote users. After talking with the CEO more, you find outthat the users will be working from there home nearly all the time, with very littleaccess from on the road locations.The remote users are all using Windows 2000 Professional, and will be part of thedomain. The CEO has purchased all the remote users brand new Compaq laptops,just like the one used in the CEO's office, and which the CEO takes home eachnight; complete with DVDCD-burner drives,built-in WNICs, 17"LCD widescreendisplays, oversized hard drives, a gig of memory, and fast processing. 'I wish I wason the road to get one of those,' you think.You start planning and decide that you will implement a new VPN Server next tothe Web and FTP Server. You are going to assign the remote users IP Addresses:10.10.60.100~10.10.60.105, and will configure the systems to run Windows 2000Pr ofessional.Based on this information, and your knowledge of the Certkiller network up to thispoint, choose the best solution for the secure remote user needs:}
A. You begin with configuring the VPN server, which is running Windows 2000 Server.You create five new accounts on that system, granting each of them the Allow VirtualPrivate Connections right in Active Directory Users and Computers. You then configurethe range of IP Addresses to provide to the clients as: 10.10.60.100 through 10.10.60.105.Next, you configure five IPSec Tunnel endpoints on the server, each to use L2TP as theprotocol.Then, you configure the clients. On each system, you configure a shortcut on the desktopto use to connect to the VPN. The shortcut is configured to create an L2TP IPSec tunnelto the VPN server. The connection itself is configured to exchange keys with the user'sISP to create a tunnel between the user's ISP endpoint and the Certkiller VPN Server.B. To start the project, you first work on the laptops you have been given. On eachlaptop, you configure the system to make a single Internet connection to the user's ISP. SC0-502
Next, you configure a shortcut on the desktop for the VPN connection. You design theconnection to use L2TP, with port filtering on outbound UDP 500 and UDP 1701. Whena user double-clicks the desktop icon you have it configured to make an automatic tunnelto the VPN server.On the VPN server, you configure the system to use L2TP with port filtering on inboundUDP 500 and UDP 1701. You create a static pool of assigned IP Address reservations forthe five remote clients. You configure automatic redirection on the VPN server in therouting and remote access MMC, so once the client has connected to the VPN server, heor she will automatically be redirected to the inside network, with all resources availablein his or her Network Neighborhood.C. You configure the VPN clients first, by installing the VPN High Encryption ServicePack. With this installed, you configure the clients to use RSA, with 1024-bit keys. Youconfigure a shortcut on the desktop that automatically uses the privatepub lic key pair tocommunicate with the VPN Server, regardless of where the user is locally connected.On the VPN Server, you also install the VPN High Encryption Service Pack, andconfigure 1024-bit RSA encryption. You create five new user accounts, and grant themall remote access rights, using Active Directory Sites and Services. You configure theVPN service to send the server's public key to the remote users upon the request toconfigure the tunnel. Once the request is made, the VPN server will build the tunnel,from the server side, to the client.D. You decide to start the configuration on the VPN clients. You create a shortcut on thedesktop to connect to the VPN Server. Your design is such that the user will simplydouble-click the shortcut and the client will make the VPN connection to the server,using PPTP. You do not configure any filters on the VPN client systems.On the VPN Server, you first configure routing and remote access for the new accountsand allow them to have Dial- In access. You then configure a static IP Address pool forthe five remote users. Next, you configure the remote access policy to grant remoteaccess, and you implement the following PPTP filtering:Inbound Protocol 47 (GRE) allowedInbound TCP source port 0, destination port 1723 allowedInbound TCP source port 520, destination port 520 allowedOutbound Protocol 47 (GRE) allowedOutbound TCP source port 1723, destination port 0 allowedOutbound TCP source port 520, destination port 520 allowedE. You choose to configure the VPN server first, by installing the VPN High EncryptionService Pack and the HISECVPN.INF built-in security template through the SecurityConfiguration and Analysis Snap-In. Once the Service pack and template are installed,you configure five user accounts and a static pool of IP Addresses for each account.You then configure the PPTP service on the VPN server, without using inbound oroutbound filters - due to the protection of the Service Pack. You grant each user t he rightto dial into the server remotely, and move on to the laptops.On each laptop, you install the VPN High Encryption Service Pack, to bring the securitylevel of the laptops up to the same level as the VPN server. You then configure a shortcuton each desktop that controls the direct transport VPN connection from the client to theserver. SC0-502
Answer: D
QUESTION 2For three years you have worked with Certkiller doing occasional network andsecurity consulting. Certkiller is a small business that provides real estate listingsand data to realtors in several of the surrounding states. The company is open forbusiness Monday through Friday from 9 am to 6 pm, closed all evenings andweekends. Your work there has largely consisted of advice and planning, and youhave been frequently disappointed by the lack of execution and follow through fromthe full time staff.On Tuesday, you received a call from Certkiller 's HR director, "Hello, I'd like toinform you that Red (the full time senior network administrator) is no longer withus, and we would like to know if you are interested in working with us full time."You currently have no other main clients, so you reply, "Sure, when do you need meto get going?""Today," comes the fast and direct response. Too fast, you think."What is the urgency, why can't this wait until tomorrow?""Red was let go, and he was not happy about it. We are worried that he might havedone something to our network on the way out.""OK, let me get some things ready, and I'll be over there shortly."You knew this would be messy when you came in, but you did have some advantagein that you already knew the network. You had recommended many changes in thepast, none of which would be implemented by Red. While pulling together yourlaptop and other tools, you grab your notes which have an overview of the network:Certkiller network notes: Single Internet access point, T1, connected to CertkillerCisco router. Router has E1 to a private web and ftp server and E0 to the LANswitch. LAN switch has four servers, four printers, and 100 client machines. All themachines are running Windows 2000. Currently, they are having their primary website and email hosted by an ISP in Illinois.When you get to Certkiller , the HR Director and the CEO, both of whom youalready know, greet you. The CEO informs you that Red was let go due to difficultpersonality conflicts, among other reasons, and the termination was not cordial.You are to sign the proper employment papers, and get right on the job. You aregiven the rest of the day to get setup and running, but the company is quiteconcerned about the security of their network. Rightly so, you think, 'If these guyshad implemented even half of my recommendations this would sure be easier.' Youget your equipment setup in your new oversized office space, and get started. Forthe time you are working here, your IP Address is 10.10.50.23 with a mask of 16.One of your first tasks is to examine the router's configuration. You console into therouter, issue a show running-config command, and get the following output:MegaOne#show running-configBuilding configuration...Current configuration:!version 12.1 SC0-502
service udp-small-serversservice tcp-small-servers!hostname MegaOne!enable secret 5 $1$7BSK3$H394yewhJ45JAFEWU73747.enable password clever!no ip name-serverno ip domain-lookupip routing!interface Ethernet0no shutdownip address 2.3.57.50 255.255.255.0no ip directed-broadcast!interface Ethernet1no shutdownip 10.10.40.101 255.255.0.0no ip directed-broadcast!interface Serial0no shutdownip 1.20.30.23 255.255.255.0no ip directed-broadcastclockrate 1024000bandwidth 1024encapsulation hdlc!ip route 0.0.0.0 0.0.0.0 1.20.30.45!line console 0exec-timeout 0 0transport input allline vty 0 4password remotelogin!endAfter analysis of the network, you recommend that the router have a newconfiguration. Your goal is to make the router become part of your layered defense,and to be a system configured to help secure the network.You talk to the CEO to get an idea of what the goals of the router should be in thenew configuration.All your conversations are to go through the CEO;this is whomyou als o are to report to. SC0-502
"OK, I suggest that the employees be strictly restricted to only the services that theymust access on the Internet." You begin."I can understand that, but we have always had an open policy. I like the employeesto feel comfortable, and not feel like we are watching over them all the time. Pleaseleave the connection open so they can get to whatever they need to get to. We canalways reevaluate this in an ongoing basis.""OK, if you insist, but for the record I am opposed to that policy.""Noted," responds the CEO, somewhat bluntly."All right, let's see, the private web and ftp server have to be accessed by theInternet, restricted to the accounts on the server. We will continue to use the IllinoisISP to host our main web site and to host our email. What else, is there anythingelse that needs to be accessed from the Internet?""No, I think that's it. We have a pretty simple network, we do everything in house.""All right, we need to get a plan in place as well right away for a secu rity policy.Can we set something up for tomorrow?" you ask."Let me see, I'll get back to you later." With that the CEO leaves and you get towork.Based on the information you have from Certkiller;knowing that router must bean integral part of the security of the organization, select the best solution to theorganization's router problem:}
A. You backup the current router config to a temp location on your laptop. Friday night,you come in to build the new router configuration. Using your knowledge of the network,and your conversation with the CEO, you build and implement the following routerconfiguration:MegaOne#configure terminalMegaOne(config)#no cdp runMegaOne(config)#no ip source-routeMegaOne(config)#no ip fingerMegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 80MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 20MegaOne(config)#access-list 175 permit tcp any 2.3.57.60 0.0.0.0 eq 21MegaOne(config)#access-list 175 permit tcp any 10.10.0.0 0.0.255.255 establishedMegaOne(config)#access-list 175 deny ip 0.0.0.0 255.255.255.255 anyMegaOne(config)#access-list 175 deny ip 10.0.0.0 0.255.255.255 anyMegaOne(config)#access-list 175 deny ip 127.0.0.0 0.255.255.255 anyMegaOne(config)#access-list 175 deny ip 172.16.0.0 0.0.255.255 anyMegaOne(config)#access-list 175 deny ip 192.168. 0.0 0.0.255.255 anyMegaOne(config)#access-list 175 permit ip any 10.10.0.0 0.0.255.255MegaOne(config)#access-list 175 permit udp any 10.10.0.0 0.0.255.255MegaOne(config)#access-list 175 permit icmp any 10.10.0.0 0.0.255.255MegaOne(config)#interface serial 0MegaOne(config-if)#ip access-group 175 inMegaOne(config-if)#no ip directed broadcastMegaOne(config-if)#no ip unreachablesMegaOne(config-if)#Z
Original Resource :
Visit SC0-502 Link : SC0-502 Download PDF Link : SC0-502
access point vs router
Niciun comentariu:
Trimiteți un comentariu