IKM - International Knowledge Measurement Network Engineering and Security Questions and Answers

Question 1

A network security engineer is hardening a perimeter firewall. The policy requires that only explicitly allowed traffic can enter the network. After adding rules to permit necessary services like HTTPS (port 443), which of the following rules is MOST critical to place at the very end of the inbound Access Control List (ACL)?

Accepted Answer

deny ip any any

Answer

The principle of 'deny by default' or 'least privilege' is a cornerstone of network security. After explicitly permitting required traffic, a 'deny ip any any' rule at the end of the ACL ensures that any traffic not specifically allowed is blocked. This prevents unintended access and serves as a critical safeguard.

Question 2

In the OSPF routing protocol, what is the primary purpose of electing a Designated Router (DR) on a multi-access network segment like Ethernet?

Accepted Answer

To reduce the number of adjacencies and routing updates exchanged.

Answer

On multi-access networks (like Ethernet), many routers can be connected. Without a DR, every router would need to form a full adjacency with every other router, leading to a high volume of redundant Link State Advertisements (LSAs). The DR acts as a central point for updates; all other routers form an adjacency with the DR, which then distributes the updates, significantly reducing protocol traffic and processing overhead.

Question 3

A company wants to provide remote employees with access to a specific internal web-based application. The goal is to offer a solution that does not require installing a dedicated VPN client and can be easily accessed through a standard web browser. Which of the following VPN technologies is best suited for this requirement?

Accepted Answer

SSL/TLS VPN

Answer

SSL/TLS VPNs are designed to provide secure remote access to specific applications, particularly web-based ones, directly through a web browser. This 'clientless' approach is ideal for scenarios where installing dedicated software on each remote device is undesirable or impractical. IPsec VPNs, in contrast, operate at the network layer and typically require a dedicated software client to provide full network access.

Question 4

A junior network administrator connects two switches using two separate Ethernet cables, intending to provide redundancy. Shortly after, users report that the network is extremely slow and unusable. The activity lights on the switches are blinking constantly and rapidly. What is the MOST likely cause of this issue?

Accepted Answer

A broadcast storm caused by a Layer 2 loop.

Answer

Connecting two switches with multiple links without a loop prevention mechanism like Spanning Tree Protocol (STP) creates a Layer 2 loop. Broadcast frames sent by a host will be forwarded by the switches in an endless circle, amplifying with each pass. This creates a broadcast storm that consumes all available bandwidth and switch CPU resources, bringing the network to a halt.

Question 5

Which statement accurately describes the fundamental difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?

Accepted Answer

An IDS is deployed out-of-band to monitor and alert, while an IPS is deployed inline to actively block threats.

Answer

The core distinction lies in their operational mode and response capability. An IDS is a passive system that monitors network traffic (often via a network tap or SPAN port) and sends alerts when it detects suspicious activity. An IPS is an active, inline device that inspects traffic as it passes through and can take immediate action to block or drop malicious packets, thereby preventing an attack.

IKM - International Knowledge Measurement Practice Test

IKM - International Knowledge Measurement Practice Test

IKM - International Knowledge Measurement Network Engineering and Security Questions and Answers