Sec + CH.3 Pre-Assessment


Prem Jadhwani
7 questions
1.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Lisa uses a Linux system to regularly connect to a remote server named
gcga with a secure ssh connection. However, the ssh account has a complex
password, and she wants to avoid using it without sacrificing security.
Which of the following commands would she use as a FIRST step when
creating a passwordless login with the remote system?
A. ssh-copy-id -i ~/.ssh/id_rsa.pub lisa@gcga
B. chmod 644 ~/.ssh/id_rsa
C. ssh-keygen -t rsa
D. ssh root@gcga
Answer explanation
C is correct. The first step would be to enter ssh-keygen -t rsa at the
terminal. This creates an RSA-based key pair (a private key and a public
key). The public key’s location and name is ~/.ssh/id_rsa.pub, and the
private key’s location and name is ~/.ssh/id_rsa. The second step is to
copy the public key to the remote server using the command ssh-copy-id -i
~/.ssh/id_rsa.pub lisa@gcga. The private key should always stay private,
but the chmod 644 command makes it readable by everyone, so it shouldn’t
be used. The ssh command connects to the remote server using Secure Shell
(SSH). If the key pair is in place, it would use the key pair for
authentication and not require the complex password. The ssh-keygen
command is a utility within the OpenSSH suite of tools. See Chapter 3.
2.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Your organization plans to deploy a server in the screened subnet that
will perform the following functions:
Identify mail servers
Provide data integrity
Prevent poisoning attacks
Respond to requests for A and AAAA records
Which of the following will BEST meet these requirements?
A. DNS
B. DNSSEC
C. TLS
D. ESP
Answer explanation
B is correct. Domain Name System Security Extensions (DNSSEC) add
security to DNS systems and can prevent DNS poisoning attacks by adding
data integrity to DNS records. The functions in the list indicate that the
server in the screened subnet (sometimes called a demilitarized zone or
DMZ) is a DNS server, but for the DNS server to provide data integrity and
prevent DNS poisoning, it needs DNSSEC. DNSSEC uses a Resource
Record Signature (RRSIG), commonly referred to as a digital signature, to
provide data integrity and authentication for DNS replies. RRSIG can use
Transport Layer Security (TLS) to create the signature, but TLS by itself
doesn’t provide the required protection. Internet Protocol security (IPsec)
uses Encapsulating Security Payload (ESP) to encrypt data. See Chapter 3.
3.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
Your organization has added a hot site as shown in the graphic. All firewalls should enforce the following requirements:
1) Use only secure protocols for remote management
2) Block cleartext web traffic
Users in the hot site are unable to access websites on the Internet. The
following graphic shows the current rules configured in Firewall 3. You’re
asked to verify the rules are configured correctly. Which rule, if any,
should be changed in Firewall 3?
A. HTTPS Outbound
B. HTTP Outbound
C. DNS
D. Telnet
E. SSH
Answer explanation
C is correct. The Domain Name System (DNS) rule should be changed
because the source IP address is incorrect. It should be 10.0.3.0/24 instead
of 10.0.1.0/24. All other rules are configured correctly. See Chapter 3.
4.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Bart incorrectly wired a switch in your organization’s network. It
effectively disabled the switch as though it was a victim of a denial-of-
service attack. Which of the following should be done to prevent this
situation in the future?
A. Install an IDS.
B. Only use Layer 2 switches.
C. Install SNMPv3 on the switches.
D. Implement STP or RSTP.
Answer explanation
D is correct. Spanning Tree Protocol (STP) and Rapid STP (RSTP) both
prevent switching loop problems. It’s rare for a wiring error to take down a
switch. However, if two ports on a switch are connected to each other, it
creates a switching loop and effectively disables the switch. An intrusion
detection system (IDS) will not prevent a switching loop. Layer 2 switches
are susceptible to this problem. Administrators use Simple Network
Management Protocol version 3 (SNMPv3) to manage and monitor devices,
but it doesn’t prevent switching loops. See Chapter 3.
5.
MULTIPLE SELECT QUESTION
45 sec • 1 pt
Maggie is a sales representative for a software company. While in a
coffee shop, she uses her laptop to connect to the public Wi-Fi, check her
work emails, and upload details of a recent sale. Which of the following
would she use to prevent other devices on the public network from
accessing her laptop? (Choose the BEST two choices.)
A. TPM
B. HSM
C. Firewall
D. DLP
E. VPN
Answer explanation
C and E are correct. A firewall and a virtual private network (VPN)
would prevent other devices from accessing her laptop. A host-based
firewall provides primary protection. The VPN encrypts all of her Internet-
based traffic going over the public Wi-Fi. A Trusted Platform Module
(TPM) provides full drive encryption and would protect the data if someone
accessed the laptop, but it doesn’t prevent access. A hardware security
module (HSM) is a removable device that can generate and store RSA keys
used with servers. A data loss prevention (DLP) device helps prevent
unauthorized data from leaving a network, but it doesn’t prevent access. See
Chapter 3.
6.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Your organization wants to combine some of the security controls used
to control incoming and outgoing network traffic. At a minimum, the
solution should include stateless inspection, malware inspection, and a
content filter. Which of the following BEST meets this goal?
A. VLAN
B. NAT
C. UTM
D. DNSSEC
E. WAF
Answer explanation
C is correct. A unified threat management (UTM) device is an advanced
firewall and combines multiple security controls into a single device such as
stateless inspection, malware inspection, and a content filter. None of the
other answers include these components. You can configure a virtual local
area network (VLAN) on a switch to provide network segmentation.
Network Address Translation (NAT) translates public IP addresses to
private IP addresses and private addresses back to public IP addresses.
Domain Name System Security Extensions (DNSSEC) is a suite of
extensions for DNS that provides validation for DNS responses. A web
application firewall (WAF) protects a web server from Internet-based
attacks. See Chapter 3.
7.
MULTIPLE CHOICE QUESTION
30 sec • 1 pt
Administrators are deploying a new Linux server in the screened subnet.
After it is installed, they want to manage it from their desktop computers
located within the organization’s private network. Which of the following
would be the BEST choice to meet this need?
A. Forward proxy server
B. Reverse proxy server
C. Web application firewall
D. Jump server
Answer explanation
D is correct. A jump server is a server placed between different security
zones, such as an internal network and a screened subnet (sometimes called
a demilitarized zone or DMZ) and is used to manage devices in the other
security zone. In this scenario, administrators could connect to the jump
server with Secure Shell (SSH) and then connect to the Linux server using
SSH forwarding on the jump server. A forward proxy server (often called a
proxy server) is used by internal clients to access Internet resources, not
resources in the screened subnet. Reverse proxy servers accept traffic from
the Internet, not the internal network, and forward the traffic to one or more
internal web servers. A web application firewall (WAF) protects a web
server from Internet-based attacks but isn’t used to control traffic between
an internal network and the screened subnet. See Chapter 3.