What is one way that Control Plane Security (CPsec) enhances security for the network?
Correct Answer: D
Control Plane Security (CPsec) enhances security in the network by protecting management traffic between APs and Mobility Controllers (MCs) from eavesdropping. CPsec ensures that all control and management traffic that transits the network is encrypted, thus preventing potential attackers from gaining access to sensitive management data. It helps in securing the network's control plane, which is crucial for maintaining the integrity and privacy of the network operations.
References: Aruba Networks' CPsec documentation.
Question 52
What is a reason to set up a packet capture on an HPE Aruba Networking Mobility Controller (MC)?
Correct Answer: A
Packet captures on an HPE Aruba Networking Mobility Controller (MC) are a powerful troubleshooting and analysis tool, allowing administrators to capture and analyze network traffic at various levels (e.g., control plane or data plane). The MC supports packet captures for both wired and wireless traffic, which can be filtered based on criteria such as IP address, MAC address, or port.
Option A, "The security team believes that a wireless endpoint connected to the MC is launching an attack and wants to examine the traffic more closely," is correct. Packet captures are commonly used in security investigations to analyze the traffic of a specific endpoint suspected of malicious activity. For example, if a wireless client is suspected of launching an attack (e.g., a DoS attack or data exfiltration), a packet capture on the MC can capture the client's traffic (filtered by MAC or IP address) for detailed analysis, helping the security team identify the nature of the attack.
Option B, "The company wants to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to profile devices and needs to receive HTTP User-Agent strings from the MC," is incorrect. While CPPM can use HTTP User-Agent strings for device profiling, this is typically achieved by mirroring HTTP traffic to CPPM (e.g., using a datapath mirror on the MC), not by setting up a packet capture. Packet captures are for manual analysis, not for feeding data to CPPM.
Option C, "You want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control Web traffic based on the destination URL," is incorrect. The AOS firewall on the MC can control traffic based on applications or services (e.g., using deep packet inspection, DPI), but it does not support URL-based filtering directly. URL filtering typically requires an external solution (e.g., a web proxy or firewall). Packet captures are not used to enable URL-based control by the firewall.
Option D, "You want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control the traffic based on application," is incorrect. The AOS firewall can already perform application-based control using DPI (if enabled), without requiring a packet capture. Packet captures are for manual analysis, not for enabling firewall functionality.
The HPE Aruba Networking AOS-8 8.11 User Guide states: "Packet captures on the Mobility Controller are useful for troubleshooting and security investigations. For example, if the security team suspects that a wireless endpoint is launching an attack, you can set up a packet capture on the MC's data plane to capture the endpoint's traffic. Use the command packet-capture datapath <filter> (e.g., filter by the client's MAC address) to capture the traffic, which can then be analyzed to identify malicious activity." (Page 515, Packet Capture Section)
Additionally, the HPE Aruba Networking Security Guide notes: "Packet captures are a critical tool for security teams to investigate potential attacks. By capturing traffic from a specific wireless client suspected of malicious behavior, administrators can analyze the packets to determine the nature of the attack, such as a DoS attack or unauthorized data exfiltration." (Page 65, Security Troubleshooting Section)
References: HPE Aruba Networking AOS-8 8.11 User Guide, Packet Capture Section, Page 515. HPE Aruba Networking Security Guide, Security Troubleshooting Section, Page 65.
Question 53
You have a network with AOS-CX switches for which HPE Aruba Networking ClearPass Policy Manager (CPPM) acts as the TACACS+ server. When an admin authenticates, CPPM sends a response with: Aruba-Priv-Admin-User = 1 TACACS+ privilege level = 15 What happens to the user?
Correct Answer: C
HPE Aruba Networking AOS-CX switches support TACACS+ for administrative authentication, where ClearPass Policy Manager (CPPM) can act as the TACACS+ server. When an admin authenticates, CPPM sends a TACACS+ response that includes attributes such as the TACACS+ privilege level and vendor-specific attributes (VSAs) like Aruba-Priv-Admin-User. In this scenario, CPPM sends:
TACACS+ privilege level = 15: In TACACS+, privilege level 15 is the highest level and typically grants full administrative access (equivalent to a superuser or administrator role).
Aruba-Priv-Admin-User = 1: This Aruba-specific VSA indicates that the user should be granted the highest level of administrative access on the switch.
On AOS-CX switches, the privilege level 15 maps to the administrator role, which provides full read-write access to all switch functions. The Aruba-Priv-Admin-User = 1 attribute reinforces this by explicitly assigning the admin role, ensuring the user has unrestricted access.
Option A, "The user receives auditors access," is incorrect because auditors typically have read-only access, which corresponds to a lower privilege level (e.g., 1 or 3) on AOS-CX switches.
Option B, "The user receives no access," is incorrect because the authentication was successful, and CPPM sent a response granting access with privilege level 15.
Option D, "The user receives operators access," is incorrect because operators typically have a lower privilege level (e.g., 5 or 7), which provides limited access compared to an administrator.
The HPE Aruba Networking AOS-CX 10.12 Security Guide states: "When using TACACS+ for administrative authentication, the switch interprets the privilege level returned by the TACACS+ server. A privilege level of 15 maps to the administrator role, granting full read-write access to all switch functions. The Aruba-Priv-Admin-User VSA, when set to 1, explicitly assigns the admin role, ensuring the user has unrestricted access." (Page 189, TACACS+ Authentication Section)
Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes: "ClearPass can send the Aruba-Priv-Admin-User VSA in a TACACS+ response to specify the administrative role on Aruba devices. A value of 1 indicates the admin role, which provides full administrative privileges." (Page 312, TACACS+ Enforcement Section)
References: HPE Aruba Networking AOS-CX 10.12 Security Guide, TACACS+ Authentication Section, Page 189. HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, TACACS+ Enforcement Section, Page 312.
Question 54
What purpose does an initialization vector (IV) serve for encryption?
Correct Answer: B
The primary purpose of an Initialization Vector (IV) in encryption is to ensure that the same plaintext encrypted with the same encryption key will produce different ciphertext each time it is encrypted. This variability is crucial for securing repetitive data patterns and preventing certain types of cryptographic attacks, such as replay or pattern analysis attacks. The IV adds randomness to the encryption process, making it more secure by ensuring that encrypted messages are unique, even if the plaintext and key remain unchanged. This prevents attackers from deducing patterns or inferring any useful information from repeated ciphertext.
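The following Go program is an added illustration of the point above and is not part of the original question set or any vendor documentation. It uses the standard-library AES-CBC implementation with a constructed key and two constructed 32-byte messages to show the three behaviours the explanation describes: a fixed IV makes a repeated message produce identical ciphertext, a fixed IV also exposes when two different messages share a leading block, and a fresh random IV per message makes the ciphertext differ even though key and plaintext are unchanged. The helper names (encryptCBC, freshIV, FixedIVRepeats, FreshIVDiffers, FixedIVLeaksPrefix) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptCBC encrypts a block-aligned plaintext with AES-CBC under key and iv.
// The IV is passed in explicitly so the effect of reusing it can be observed.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plaintext)
	return ct, nil
}

// freshIV draws an unpredictable IV from the OS CSPRNG; one per message.
func freshIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// fixedIV models the mistake of hard-coding the IV (all zero here).
var fixedIV = make([]byte, aes.BlockSize)

// FixedIVRepeats reports whether encrypting msg twice under the same key with
// the same fixed IV yields identical ciphertext. It does, so an observer can
// tell that the same message was sent again without knowing the key.
func FixedIVRepeats(key, msg []byte) (bool, error) {
	a, err := encryptCBC(key, fixedIV, msg)
	if err != nil {
		return false, err
	}
	b, err := encryptCBC(key, fixedIV, msg)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

// FreshIVDiffers reports whether two encryptions of msg under the same key
// with independently drawn IVs produce different ciphertext.
func FreshIVDiffers(key, msg []byte) (bool, error) {
	iv1, err := freshIV()
	if err != nil {
		return false, err
	}
	iv2, err := freshIV()
	if err != nil {
		return false, err
	}
	a, err := encryptCBC(key, iv1, msg)
	if err != nil {
		return false, err
	}
	b, err := encryptCBC(key, iv2, msg)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(a, b), nil
}

// FixedIVLeaksPrefix reports whether two different messages that share their
// first block produce the same first ciphertext block under a fixed IV. In CBC
// the first block is E(key, P1 XOR IV), so a constant IV lets a shared prefix
// show through in the ciphertext.
func FixedIVLeaksPrefix(key, m1, m2 []byte) (bool, error) {
	a, err := encryptCBC(key, fixedIV, m1)
	if err != nil {
		return false, err
	}
	b, err := encryptCBC(key, fixedIV, m2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize]), nil
}

func main() {
	// Constructed demo key and messages (32 bytes each, block-aligned); not real material.
	key := []byte("0123456789abcdef")
	msg := []byte("client-hello-repeated-payload-32")
	msg2 := []byte("client-hello-rep-different-tail!")

	same, _ := FixedIVRepeats(key, msg)
	diff, _ := FreshIVDiffers(key, msg)
	leak, _ := FixedIVLeaksPrefix(key, msg, msg2)
	fmt.Println("fixed IV, same message twice, identical ciphertext:", same)
	fmt.Println("fresh IV per message, ciphertext differs:", diff)
	fmt.Println("fixed IV, shared first block visible in ciphertext:", leak)
}
```

The first and third results are what the IV is there to prevent; only the fresh-IV case gives the "different ciphertext each time" property the answer describes, which is why protocols transmit a new IV alongside every message rather than agreeing on one once.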
Question 55
Refer to the exhibit. A client is connected to an ArubaOS Mobility Controller. The exhibit shows all four firewall rules that apply to this client. What correctly describes how the controller treats HTTPS packets to these two IP addresses, both of which are on the other side of the firewall: 10.1.10.10 and 203.0.13.5?
Correct Answer: B
Referring to the exhibit, the ArubaOS Mobility Controller treats HTTPS packets based on the firewall rules applied to the client. The rule that allows svc-https service for destination IP range 10.1.0.0 255.255.0.0 would permit an HTTPS packet to 10.1.10.10 since this IP address falls within the specified range. There are no rules shown that would allow traffic to the IP address 203.0.13.5; hence, the packet to this address would be dropped. References: ArubaOS firewall configuration guides detailing how firewall rules are interpreted and applied to traffic. Network security textbooks explaining firewall rule processing and packet filtering based on source and destination IP addresses.
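To make the first-match and implicit-deny reasoning above concrete, here is an added Go example; it is not the exhibit's rule set and not ArubaOS code. The rule list in DemoRules is constructed for the demo (the exhibit's four rules are not reproduced on this page) and contains the one rule the explanation relies on, svc-https to 10.1.0.0 255.255.0.0, written with the same address-and-mask notation. Evaluate walks the rules in order, returns the first hit, and falls through to the implicit deny that ends a role's ACL when nothing matches.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the verdict a rule returns.
type Action string

const (
	Permit Action = "permit"
	Deny   Action = "deny"
)

// Rule is one line of a user-role ACL. A nil Dst matches any destination and
// Service "any" matches any service.
type Rule struct {
	Dst     *net.IPNet
	Service string
	Action  Action
}

// ipv4Net builds a network from the "address mask" notation the exhibit uses.
func ipv4Net(addr string, m1, m2, m3, m4 byte) *net.IPNet {
	return &net.IPNet{IP: net.ParseIP(addr).To4(), Mask: net.IPv4Mask(m1, m2, m3, m4)}
}

// DemoRules is a constructed rule set for this example. Only the svc-https
// rule for 10.1.0.0 255.255.0.0 is taken from the answer explanation.
func DemoRules() []Rule {
	return []Rule{
		{Dst: nil, Service: "svc-dns", Action: Permit},
		{Dst: ipv4Net("10.1.0.0", 255, 255, 0, 0), Service: "svc-https", Action: Permit},
		{Dst: ipv4Net("10.1.0.0", 255, 255, 0, 0), Service: "svc-http", Action: Permit},
	}
}

// Evaluate applies first-match semantics: the first rule whose service and
// destination both match decides. No match falls through to the implicit
// deny at the end of the role's ACL; index -1 marks that case.
func Evaluate(rules []Rule, dst net.IP, service string) (Action, int) {
	for i, r := range rules {
		if r.Service != "any" && r.Service != service {
			continue
		}
		if r.Dst != nil && !r.Dst.Contains(dst) {
			continue
		}
		return r.Action, i
	}
	return Deny, -1
}

func main() {
	rules := DemoRules()
	for _, d := range []string{"10.1.10.10", "203.0.13.5"} {
		action, idx := Evaluate(rules, net.ParseIP(d), "svc-https")
		if idx < 0 {
			fmt.Printf("HTTPS to %s: %s (implicit deny, no rule matched)\n", d, action)
		} else {
			fmt.Printf("HTTPS to %s: %s by rule %d\n", d, action, idx+1)
		}
	}
}
```

Running it reports the permit for 10.1.10.10 from the svc-https rule and the implicit deny for 203.0.13.5, which is the same outcome the explanation reaches by reading the exhibit. When auditing a real role, the index returned is the useful part: it tells you which rule actually fired, which is what to check when a more specific rule is shadowed by an earlier broader one.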