SY0-401 Latest Exam (Sep 2017)

[Free] 2017(Sep) EnsurePass Passguide CompTIA SY0-401 Dumps with VCE and PDF 11-20

September 20, 2017

CompTIA Security Certification

Question No: 11 – (Topic 1)

Which of the following network design elements allows for many internal devices to share one public IP address?

  A. DNAT

  B. PAT

  C. DNS

  D. DMZ

Answer: B

Explanation: Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.

Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.

Question No: 12 – (Topic 1)

A security administrator wishes to increase the security of the wireless network. Which of the following BEST addresses this concern?

  A. Change the encryption from TKIP-based to CCMP-based.

  B. Set all nearby access points to operate on the same channel.

  C. Configure the access point to use WEP instead of WPA2.

  D. Enable all access points to broadcast their SSIDs.

Answer: A

Explanation: CCMP makes use of 128-bit AES encryption with a 48-bit initialization vector. This initialization vector makes cracking a bit more difficult.

Question No: 13 – (Topic 1)

Jane, the security administrator, sets up a new AP but realizes too many outsiders are able to connect to that AP and gain unauthorized access. Which of the following would be the BEST way to mitigate this issue and still provide coverage where needed? (Select TWO).

  A. Disable the wired ports

  B. Use channels 1, 4 and 7 only

  C. Enable MAC filtering

  D. Disable SSID broadcast

  E. Switch from 802.11a to 802.11b

Answer: C,D

Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it remains discoverable with a wireless packet sniffer. Thus, SSID broadcast should be disabled if the network isn't for public use.

A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.

Question No: 14 – (Topic 1)

Which of the following is a best practice when securing a switch from physical access?

  A. Disable unnecessary accounts

  B. Print baseline configuration

  C. Enable access lists

  D. Disable unused ports

Answer: D

Explanation: Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access.

All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.

Question No: 15 – (Topic 1)

Which of the following devices would MOST likely have a DMZ interface?

  A. Firewall

  B. Switch

  C. Load balancer

  D. Proxy

Answer: A

Explanation: The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

Question No: 16 – (Topic 1)

A network technician is on the phone with the system administration team. Power to the server room was lost and servers need to be restarted. The DNS services must be the first to be restarted. Several machines are powered off. Assuming each server only provides one service, which of the following should be powered on FIRST to establish DNS services?

  A. Bind server

  B. Apache server

  C. Exchange server

  D. RADIUS server

Answer: A

Explanation: BIND (Berkeley Internet Name Domain) is the most widely used Domain Name System (DNS) software on the Internet. It includes the DNS server component named (a contraction of "name daemon"). This is the only option that directly involves DNS.

Question No: 17 – (Topic 1)

Which of the following protocols is used by IPv6 for MAC address resolution?

  A. NDP

  B. ARP

  C. DNS

  D. NCP

Answer: A

Explanation: The Neighbor Discovery Protocol (NDP) is a protocol in the Internet protocol suite used with Internet Protocol Version 6 (IPv6).

Question No: 18 – (Topic 1)

A computer is put into a restricted VLAN until the computer's virus definitions are up-to-date. Which of the following BEST describes this system type?

  A. NAT

  B. NIPS

  C. NAC

  D. DMZ

Answer: C

Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

Question No: 19 – (Topic 1)

A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application’s task. Which of the following is the security administrator practicing in this example?

  A. Explicit deny

  B. Port security

  C. Access control lists

  D. Implicit deny

Answer: C

Explanation: Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

Question No: 20 HOTSPOT – (Topic 1)

The security administrator has installed a new firewall which implements an implicit DENY policy by default. Click on the firewall and configure it to allow ONLY the following communication.

1. The Accounting workstation can ONLY access the web server on the public network over the default HTTPS port. The accounting workstation should not access other networks.

2. The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port.

3. The Admin workstation should ONLY be able to access the servers on the secure network over the default TFTP port.

Instructions: The firewall will process the rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be entered per rule. Type ANY for all ports. The original firewall configuration can be reset at any time by pressing the reset button. Once you have met the simulation requirements, click save and then Done to submit.


Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default.

Rule #1 allows the Accounting workstation to ONLY access the web server on the public network over the default HTTPS port, which is TCP port 443.

Rule #2 allows the HR workstation to ONLY communicate with the Financial server over the default SCP port, which is TCP Port 22.

Rule #3 & Rule #4 allow the Admin workstation to ONLY access the Financial and Purchasing servers located on the secure network over the default TFTP port, which is Port 69.

Stewart, James Michael, CompTIA Security Review Guide, Sybex, Indianapolis, 2014, pp. 26, 44
