This company has AOS-CX switches. The exhibit shows one access layer switch, Switch-2, as an example, but the campus actually has more switches. Switch-1 is a core switch that acts as the default router for end-user devices. What is a correct way to configure the switches to protect against exploits from untrusted end-user devices?
Correct Answer: B
The scenario involves AOS-CX switches in a two-tier topology with Switch-1 as the core switch (default router) on VLAN 100 and Switch-2 as an access layer switch with VLANs 15 and 25, where end-user devices connect. The goal is to protect against exploits from untrusted end-user devices, such as DHCP spoofing or ARP poisoning attacks, which are common threats in access layer networks.

DHCP Snooping: This feature protects against rogue DHCP servers by filtering DHCP messages. It should be enabled on the access layer switch (Switch-2) where end-user devices connect, specifically on the VLANs where these devices reside (VLANs 15 and 25). DHCP snooping builds a binding table of legitimate IP-to-MAC mappings, which can be used by other features like ARP inspection.

ARP Inspection: This feature prevents ARP poisoning attacks by validating ARP packets against the DHCP snooping binding table. It should also be enabled on the access layer switch (Switch-2) on VLANs 15 and 25, where untrusted devices are connected.

Option B, "On Switch-2, enable DHCP snooping globally and on VLANs 15 and 25. Later, enable ARP inspection on the same VLANs," is correct. DHCP snooping must be enabled first to build the binding table, and then ARP inspection can use this table to validate ARP packets. This configuration should be applied on Switch-2, the access layer switch, because that's where untrusted end-user devices connect.

Option A, "On Switch-1, enable ARP inspection on VLAN 100 and DHCP snooping on VLANs 15 and 25," is incorrect. Switch-1 is the core switch and does not directly connect to end-user devices on VLANs 15 and 25. DHCP snooping and ARP inspection should be enabled on the access layer switch (Switch-2) where the devices reside. Additionally, enabling ARP inspection on VLAN 100 (where the DHCP server is) is unnecessary since the DHCP server is a trusted device.

Option C, "On Switch-2, enable BPDU filtering on all edge ports in order to prevent eavesdropping attacks by untrusted devices," is incorrect. BPDU filtering is used to prevent spanning tree protocol (STP) attacks by blocking BPDUs on edge ports, but it does not protect against eavesdropping or other exploits like DHCP spoofing or ARP poisoning, which are more relevant in this context.

Option D, "On Switch-1, enable DHCP snooping on VLAN 100 and ARP inspection on VLANs 15 and 25," is incorrect for the same reason as Option A. Switch-1 is not the appropriate place to enable these features since it's not directly connected to the untrusted devices on VLANs 15 and 25.

The HPE Aruba Networking AOS-CX 10.12 Security Guide states: "DHCP snooping should be enabled on access layer switches where untrusted end-user devices connect. It must be enabled globally and on the specific VLANs where the devices reside (e.g., dhcp-snooping vlan 15,25). This feature builds a binding table of IP-to-MAC mappings, which can be used by Dynamic ARP Inspection (DAI) to prevent ARP poisoning attacks. DAI should also be enabled on the same VLANs (e.g., ip arp inspection vlan 15,25) after DHCP snooping is configured, ensuring that ARP packets are validated against the DHCP snooping binding table." (Page 145, DHCP Snooping and ARP Inspection Section) Additionally, the guide notes: "Dynamic ARP Inspection (DAI) and DHCP snooping are typically configured on access layer switches to protect against exploits from untrusted devices, such as DHCP spoofing and ARP poisoning. These features should be applied to the VLANs where end-user devices connect, not on core switches unless those VLANs are directly connected to untrusted devices." (Page 146, Best Practices Section)

References: HPE Aruba Networking AOS-CX 10.12 Security Guide, DHCP Snooping and ARP Inspection Section, Page 145. HPE Aruba Networking AOS-CX 10.12 Security Guide, Best Practices Section, Page 146.
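The dependency the explanation stresses (DHCP snooping first, then ARP inspection on the same VLANs of the access switch) is easiest to see by modelling the two features. The following is an added example, not code from the page or from HPE Aruba Networking: a small Python model of an access switch like Switch-2, with a trusted uplink towards Switch-1 and untrusted edge ports. Port names, MAC addresses, IP addresses and the DHCP/ARP messages are all constructed sample data, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    trusted: bool = False  # only the uplink towards Switch-1 (and the DHCP server) is trusted


@dataclass
class AccessSwitch:
    """Hypothetical model of Switch-2: DHCP snooping feeds a binding table, DAI checks ARP against it."""
    snooping_vlans: set = field(default_factory=set)
    dai_vlans: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, client port name)
    pending: dict = field(default_factory=dict)   # (vlan, client mac) -> client port name
    log: list = field(default_factory=list)

    def handle_dhcp(self, port, vlan, op, mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message with client MAC `mac` seen on `port`."""
        if vlan not in self.snooping_vlans:
            return "forward"
        if op in ("DISCOVER", "REQUEST"):
            # client messages: remember which edge port the client sits on
            self.pending[(vlan, mac)] = port.name
            return "forward"
        # OFFER / ACK are server messages; a server behind an untrusted port is a rogue server
        if not port.trusted:
            self.log.append(f"drop rogue DHCP {op} on {port.name} vlan {vlan}")
            return "drop"
        if op == "ACK":
            client_port = self.pending.pop((vlan, mac), None)
            if client_port is not None:
                self.bindings[(vlan, ip)] = (mac, client_port)  # the lease becomes a binding
        return "forward"

    def handle_arp(self, port, vlan, smac, sip):
        """Return 'forward' or 'drop' for an ARP packet claiming sender `sip`/`smac` on `port`."""
        if vlan not in self.dai_vlans or port.trusted:
            return "forward"
        if self.bindings.get((vlan, sip)) == (smac, port.name):
            return "forward"
        self.log.append(f"drop ARP {sip}/{smac} on {port.name} vlan {vlan}: no matching binding")
        return "drop"


def run_scenario():
    """Constructed traffic on Switch-2: an honest host, a rogue DHCP offer, an ARP claim that does not match."""
    sw = AccessSwitch(snooping_vlans={15, 25}, dai_vlans={15, 25})
    uplink = Port("1/1/48", trusted=True)
    host_a, host_b, host_c = Port("1/1/1"), Port("1/1/2"), Port("1/1/3")
    mac_a, mac_b, mac_c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
    r = {}
    # legitimate lease: host A asks, the real server answers through the trusted uplink
    sw.handle_dhcp(host_a, 15, "DISCOVER", mac_a)
    sw.handle_dhcp(uplink, 15, "ACK", mac_a, "10.1.15.10")
    # a DHCP server message arriving on an untrusted edge port is filtered
    r["rogue_offer"] = sw.handle_dhcp(host_b, 15, "OFFER", mac_a, "10.1.15.99")
    # ARP from host A matches its binding (same IP, MAC and port)
    r["valid_arp"] = sw.handle_arp(host_a, 15, mac_a, "10.1.15.10")
    # a different port/MAC claiming host A's IP does not match the binding
    r["spoofed_arp"] = sw.handle_arp(host_b, 15, mac_b, "10.1.15.10")
    # the gateway's ARP arrives on the trusted uplink and is not inspected
    r["gateway_arp"] = sw.handle_arp(uplink, 15, "cc:cc:cc:cc:cc:01", "10.1.15.1")
    # VLAN 25: DAI is on but no lease was ever seen, so even an honest host is dropped
    r["no_binding_arp"] = sw.handle_arp(host_c, 25, mac_c, "10.1.25.10")
    return r, sw.log


if __name__ == "__main__":
    results, log = run_scenario()
    for name, verdict in results.items():
        print(f"{name:16} {verdict}")
    print("\n".join(log))
```

The last case is the practical reason for the ordering in Option B: with ARP inspection active on a VLAN whose binding table is empty, every ARP packet from an untrusted port is dropped, including honest hosts. The same applies to hosts with static addresses, which never obtain a lease; on a real switch those need a static binding (or a trusted port) before DAI is turned on for their VLAN.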
Question 22
A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-CX switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. The company is contemplating the use of ClearPass's TCP fingerprinting capabilities. What is a consideration for using those capabilities?
Correct Answer: B
ClearPass Policy Manager (CPPM) uses various methods to classify endpoints, and one of them is TCP fingerprinting, which involves analyzing TCP/IP packets to identify the type of device or operating system sending them. To utilize TCP fingerprinting capabilities, network traffic needs to be accessible to the CPPM. This can be done by mirroring traffic to CPPM's span port from a device that can see the traffic, like a core routing switch. This approach allows CPPM to observe the TCP characteristics of devices as they communicate over the network, enabling it to make more accurate decisions for device classification.
Question 23
What is a benefit of Opportunistic Wireless Encryption (OWE)?
Correct Answer: C
Opportunistic Wireless Encryption (OWE) is a WPA3 feature designed for open wireless networks, where no password or authentication is required to connect. OWE enhances security by providing encryption for devices that support it, without requiring a pre-shared key (PSK) or 802.1X authentication.

Option C, "It allows anyone to connect, but provides better protection against eavesdropping than a traditional open network," is correct. In a traditional open network (no encryption), all traffic is sent in plaintext, making it vulnerable to eavesdropping. OWE allows anyone to connect (as it's an open network), but it negotiates unique encryption keys for each client using a Diffie-Hellman key exchange. This ensures that client traffic is encrypted with AES (e.g., using AES-GCMP), protecting it from eavesdropping. OWE in transition mode also supports non-OWE devices, which connect without encryption, but OWE-capable devices benefit from the added security.

Option A, "It allows both WPA2-capable and WPA3-capable clients to authenticate to the same WPA-Personal WLAN," is incorrect. OWE is for open networks, not WPA-Personal (which uses a PSK). WPA2/WPA3 transition mode (not OWE) allows both WPA2 and WPA3 clients to connect to the same WPA-Personal WLAN.

Option B, "It offers more control over who can connect to the wireless network when compared with WPA2-Personal," is incorrect. OWE is an open network protocol, meaning it offers less control over who can connect compared to WPA2-Personal, which requires a PSK for access.

Option D, "It provides protection for wireless clients against both honeypot APs and man-in-the-middle (MITM) attacks," is incorrect. OWE provides encryption to prevent eavesdropping, but it does not protect against honeypot APs (rogue APs broadcasting the same SSID) or MITM attacks, as it lacks authentication mechanisms to verify the AP's identity. Protection against such attacks requires 802.1X authentication (e.g., WPA3-Enterprise) or other security measures.

The HPE Aruba Networking AOS-8 8.11 User Guide states: "Opportunistic Wireless Encryption (OWE) is a WPA3 feature for open networks that allows anyone to connect without a password, but provides better protection against eavesdropping than a traditional open network. OWE uses a Diffie-Hellman key exchange to negotiate unique encryption keys for each client, ensuring that traffic is encrypted with AES-GCMP and protected from unauthorized interception." (Page 290, OWE Overview Section) Additionally, the HPE Aruba Networking Wireless Security Guide notes: "OWE enhances security for open WLANs by providing encryption without requiring authentication. It allows any device to connect, but OWE-capable devices benefit from encrypted traffic, offering better protection against eavesdropping compared to a traditional open network where all traffic is sent in plaintext." (Page 35, OWE Benefits Section)

References: HPE Aruba Networking AOS-8 8.11 User Guide, OWE Overview Section, Page 290. HPE Aruba Networking Wireless Security Guide, OWE Benefits Section, Page 35.
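To make the "unique encryption keys for each client" claim concrete, here is an added example in Python; it is not code from the page or from HPE Aruba Networking, and it is not an implementation of OWE itself. It walks through the shape of an OWE association: each side contributes an ephemeral Diffie-Hellman public value in the association frames, and the pairwise master key (PMK) is derived from the shared secret with HKDF, salted with the client MAC, the AP MAC and the group id as RFC 8110 specifies. The Diffie-Hellman group below is a constructed toy group chosen so the code runs with the standard library only; real OWE uses elliptic-curve Diffie-Hellman (group 19, NIST P-256, by default). MAC addresses are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group, for illustration only. Real OWE uses ECDH
# (group 19, NIST P-256); the key-agreement step is the only thing this stands in for.
P = 2**127 - 1
G = 5


def ephemeral_keypair():
    """Fresh key for this association; the private part never leaves the device."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def owe_pmk(shared_secret, client_mac, ap_mac, group_id=19):
    """PMK derivation in the structure of RFC 8110: salt = client MAC | AP MAC | group id."""
    z = shared_secret.to_bytes(16, "big")  # 16 bytes because the toy group is 127 bits wide
    prk = hkdf_extract(client_mac + ap_mac + group_id.to_bytes(2, "big"), z)
    return hkdf_expand(prk, b"OWE Key Generation", 32)


def associate(client_mac, ap_mac):
    """One OWE association. Returns what a passive sniffer sees, plus each side's PMK."""
    c_priv, c_pub = ephemeral_keypair()   # public value travels in the Association Request
    a_priv, a_pub = ephemeral_keypair()   # public value travels in the Association Response
    over_the_air = {"client": client_mac, "ap": ap_mac, "client_pub": c_pub, "ap_pub": a_pub}
    # each side combines its own private value with the other side's public value
    client_pmk = owe_pmk(pow(a_pub, c_priv, P), client_mac, ap_mac)
    ap_pmk = owe_pmk(pow(c_pub, a_priv, P), client_mac, ap_mac)
    return over_the_air, client_pmk, ap_pmk


def demo():
    """Two constructed clients associating to the same open OWE BSSID."""
    ap = bytes.fromhex("001122334455")  # constructed BSSID
    _, c1, a1 = associate(bytes.fromhex("aabbccddee01"), ap)
    _, c2, a2 = associate(bytes.fromhex("aabbccddee02"), ap)
    return {
        "client1_and_ap_agree": c1 == a1,
        "client2_and_ap_agree": c2 == a2,
        "clients_get_different_keys": c1 != c2,
        "pmk_bits": len(c1) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

Only the public values and the MAC addresses appear in `over_the_air`, which is why a passive listener on a traditional open network sees plaintext while a listener on an OWE network does not. Nothing in the exchange authenticates the AP, however: the derivation succeeds identically with any responder that answers to the BSSID, which is the reason Option D is wrong and why AP identity requires 802.1X (WPA3-Enterprise) rather than OWE.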
Question 24
Refer to the exhibit, which shows the current network topology. You are deploying a new wireless solution with an Aruba Mobility Master (MM), Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and implements WPA3-Enterprise security. What is a guideline for setting up the VLAN for wireless devices connected to the WLAN?
Correct Answer: B
When setting up VLANs for a wireless solution with an Aruba Mobility Master (MM), Aruba Mobility Controllers (MCs), and campus APs (CAPs), it is recommended to use wireless user roles to assign devices to different VLANs. This allows for greater flexibility and control over network resources and policies applied to different user groups. Wireless user roles can dynamically assign devices to the appropriate VLAN based on a variety of criteria such as user identity, device type, location, and the resources they need to access. This approach aligns with the ArubaOS features that leverage user roles for network access control, as detailed in Aruba's configuration and administration guides.
Question 25
What is a correct description of a stage in the Lockheed Martin kill chain?
Correct Answer: A
The Lockheed Martin Cyber Kill Chain is a framework that describes the stages of a cyber attack, from initial reconnaissance to achieving the attacker's objective. It is often referenced in HPE Aruba Networking security documentation to help organizations understand and mitigate threats.

Option A, "In the delivery stage, the hacker delivers malware to targeted users, often with spear phishing methods," is correct. The delivery stage in the Lockheed Martin kill chain involves the attacker transmitting the weaponized payload (e.g., malware) to the target. Spear phishing, where the attacker sends a targeted email with a malicious attachment or link, is a common delivery method. This stage follows reconnaissance (gathering information) and weaponization (creating the malware).

Option B, "In the installation phase, hackers seek to install vulnerabilities in operating systems across the network," is incorrect. The installation phase involves the attacker installing the malware on the target system to establish persistence (e.g., by creating a backdoor). It does not involve "installing vulnerabilities"; vulnerabilities are pre-existing weaknesses that the attacker exploits in the exploitation phase.

Option C, "In the weaponization stage, malware installed in the targeted network seeks to attack intrusion prevention systems (IPS)," is incorrect. The weaponization stage occurs before delivery and involves the attacker creating a deliverable payload (e.g., combining malware with an exploit). The malware is not yet installed in the target network during this stage, and attacking an IPS is not the purpose of weaponization.

Option D, "In the exploitation phase, hackers conduct social engineering attacks to exploit weak algorithms and crack user accounts," is incorrect. The exploitation phase involves the attacker exploiting a vulnerability (e.g., a software flaw) to execute the malware on the target system. Social engineering (e.g., phishing) is typically part of the delivery stage, not exploitation, and "exploiting weak algorithms" is not a standard description of this phase.

The HPE Aruba Networking Security Guide states: "The Lockheed Martin Cyber Kill Chain describes the stages of a cyber attack. In the delivery stage, the attacker delivers the weaponized payload to the target, often using methods like spear phishing emails with malicious attachments or links. This stage follows reconnaissance (gathering information about the target) and weaponization (creating the malware payload)." (Page 18, Cyber Kill Chain Overview Section) Additionally, the HPE Aruba Networking AOS-8 8.11 User Guide notes: "Understanding the Lockheed Martin kill chain helps in threat mitigation. The delivery stage involves the attacker sending malware to the target, commonly through spear phishing, where a targeted email tricks the user into downloading the malware or clicking a malicious link." (Page 420, Threat Mitigation Section)

References: HPE Aruba Networking Security Guide, Cyber Kill Chain Overview Section, Page 18. HPE Aruba Networking AOS-8 8.11 User Guide, Threat Mitigation Section, Page 420.