CompTIA Exam Questions

Which of the following should the company configure to protect the servers from the user devices?

A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless
BYOD users and 2 web servers without wireless access. Which of the following should the company
configure to protect the servers from the user devices? (Select TWO).

A.
Deny incoming connections to the outside router interface.

B.
Change the default HTTP port

C.
Implement EAP-TLS to establish mutual authentication

D.
Disable the physical switch ports

E.
Create a server VLAN

F.
Create an ACL to access the server

Explanation:
We can protect the servers from the user devices by placing the servers and the BYOD devices in
separate VLANs (virtual local area networks).
Traffic between two VLANs has to pass through a layer-3 device. The device in the question is a combined
router/switch, so it can route between the user VLAN and the server VLAN, and an ACL (Access Control List)
applied to that routed path decides which hosts, protocols and ports are allowed to reach the servers (for
example, TCP 80 and 443 from the user VLAN and nothing else). Both answers are needed together: without the
VLAN split, user-to-server traffic stays inside one broadcast domain and is switched without ever reaching
the router, so an ACL on the router would never see it.
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast
domains, which are mutually isolated so that packets can only pass between them via one or more
routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN.
This is usually achieved on switch or router devices. Simpler devices only support partitioning on a
per-port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each
VLAN. More sophisticated devices tag frames (IEEE 802.1Q) so that a single interconnect (trunk) may be
used to transport traffic for multiple VLANs.
Grouping hosts with a common set of requirements regardless of their physical location by VLAN can
greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN),
but it allows for end stations to be grouped together more easily even if they are not on the same
network switch. The server VLAN in this question, with an ACL that admits only web traffic into it, behaves
like a small DMZ: the servers remain reachable for the service they are meant to offer, while the BYOD
devices no longer share a broadcast domain with them.
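The following model, added here as an illustration and not part of the original explanation, shows why answers E and F go together. It simulates the all-in-one router/switch: traffic between hosts in the same VLAN is switched and never consulted against the ACL, while traffic between VLANs is routed and checked against an ordered, first-match ACL with an implicit deny. The VLAN numbers, IP addresses, host names and ACL rules are constructed for the example; the question itself gives none of them, and real device syntax (IOS, OpenWrt, etc.) differs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


# Constructed sample topology (the question gives no addresses or VLAN IDs).
@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    ip: str


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Flow:
    src: Host
    dst: Host
    proto: str
    dport: Optional[int]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's address, protocol and port scope."""
    if ip_address(flow.src.ip) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst.ip) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def acl_decision(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation; an unmatched flow hits the implicit deny at the end."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def forward(acl: List[Rule], flow: Flow) -> str:
    """What the all-in-one router/switch does with the first packet of a flow.

    Same-VLAN traffic is switched at layer 2 and never reaches the routed
    interface the ACL is applied to, so the ACL cannot block it. Only
    inter-VLAN traffic is routed and therefore filtered. (Return traffic and
    stateful matching are out of scope for this model.)
    """
    if flow.src.vlan == flow.dst.vlan:
        return "permit (switched in-VLAN, ACL not consulted)"
    return acl_decision(acl, flow)


# Constructed ACL applied inbound on the user-VLAN interface: users may reach the
# web servers on HTTP/HTTPS only, nothing else toward the server network, and the
# user VLAN may still reach the Internet.
SERVER_ACL = [
    Rule("permit", "192.168.10.0/24", "192.168.20.0/24", "tcp", 80),
    Rule("permit", "192.168.10.0/24", "192.168.20.0/24", "tcp", 443),
    Rule("deny",   "192.168.10.0/24", "192.168.20.0/24", "any", None),
    Rule("permit", "192.168.10.0/24", "0.0.0.0/0",       "any", None),
]

# Before: one flat VLAN. The ACL exists, but laptop-to-server traffic never crosses the router.
laptop_flat = Host("byod-laptop", 1, "192.168.10.5")
web_flat = Host("web1", 1, "192.168.10.20")

# After: server VLAN created (answer E) and the ACL sits on the inter-VLAN path (answer F).
laptop = Host("byod-laptop", 10, "192.168.10.5")
web = Host("web1", 20, "192.168.20.20")
internet = Host("example-site", 0, "203.0.113.10")  # any off-box destination


def scenario_flat_ssh() -> str:
    return forward(SERVER_ACL, Flow(laptop_flat, web_flat, "tcp", 22))


def scenario_segmented_ssh() -> str:
    return forward(SERVER_ACL, Flow(laptop, web, "tcp", 22))


def scenario_segmented_https() -> str:
    return forward(SERVER_ACL, Flow(laptop, web, "tcp", 443))


def scenario_segmented_internet() -> str:
    return forward(SERVER_ACL, Flow(laptop, internet, "tcp", 443))


if __name__ == "__main__":
    for label, fn in [("flat VLAN, SSH to web1", scenario_flat_ssh),
                      ("server VLAN, SSH to web1", scenario_segmented_ssh),
                      ("server VLAN, HTTPS to web1", scenario_segmented_https),
                      ("server VLAN, HTTPS to Internet", scenario_segmented_internet)]:
        print(f"{label}: {fn()}")
```

Running it shows the flat network letting SSH from the BYOD laptop reach the web server despite the ACL, while the segmented network drops the same SSH attempt, permits HTTPS to the server, and leaves Internet access for the users untouched. Rule order matters: moving the final "permit to anywhere" rule above the server deny would reopen the servers, which is the classic mistake when an ACL is edited in place.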
Incorrect Answers:
A: The servers are web servers. It's therefore safe to assume the websites hosted by the web servers
should be accessible externally. Denying incoming connections to the outside router interface would
prevent external access to the websites. Furthermore, it would not protect the servers from the user
devices, whose traffic arrives on the inside of the router.
B: The servers are web servers. It’s therefore safe to assume the websites hosted by the web servers
should be accessible externally. If you change the default HTTP port, only people who know what the new
port is would be able to access the websites. A member of the public looking to browse the company
website would not be able to (without knowing the new port number). Furthermore, this would not
protect the servers from the user devices.
C: Implementing EAP-TLS to establish mutual authentication would have the BYOD devices and the wireless
network authenticate each other with certificates and would protect the wireless link. An authenticated
device still ends up on the same layer-2 segment as the servers, though, so it wouldn't protect the
servers from the user devices.
D: The servers need to connect to the physical switch ports. Therefore disabling the ports would take the
servers offline.

http://en.wikipedia.org/wiki/Virtual_LAN