CompTIA Network+ Practice Test (N10-009)

Implementing and configuring DNSSEC on servers targets the root cause of malicious traffic redirection by authenticating the origins of the data, ensuring that the data integrity is maintained. This specific alignment with protecting against unauthorized changes and redirection aids in counteracting the effects of malicious web traffic redirection techniques. Other options, while beneficial for overall security, do not specifically authenticate the source of web traffic data, which is crucial in mitigating this type of attack.

RADIUS primarily functions as a protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. Authentication verifies who the user is, Authorization determines what a user can and cannot access, and Accounting keeps track of the consumption of network resources by the user. The other options, while plausible-sounding, are incorrect because they do not describe the main functionalities provided by RADIUS.

Enterprise authentication involves a centralized server, such as a RADIUS or LDAP server, to manage user credentials and permissions. The server verifies each user who attempts to access the network, ensuring secure and centralized user management. This contrasts with Pre-shared Key (PSK) authentication, where a single shared key is used for all users, not involving individual verification by a server.

Direct Connect services primarily provide a dedicated network connection that bypasses the internet. This is advantageous because it offers more consistent network performance compared to internet-based connections. The approach reduces latency, increases bandwidth, and offers a more reliable security profile by not exposing data to the public internet. While increased speed and better bandwidth management are benefits, they are secondary to the main purpose of consistent and reliable network performance over a private connection.

The correct answer specifies a specific range of IP addresses from 169.254.0.1 to 169.254.255.254, which are designated for automatic assignment by the host in the event that DHCP server communication is unsuccessful. This range is within the 169.254.0.0/16 subnet, reserved specifically for this purpose by networking standards to prevent IP conflicts with addresses assigned elsewhere.

Automatic Private IP Addressing (APIPA) allows a computer to assign itself an IP address in the absence of a DHCP server. This functionality, defined in RFC 3927 as link-local addressing, uses a designated range of addresses from 169.254.0.1 through 169.254.255.254. The computer randomly chooses an IP address within this range, allowing for basic communication with other devices on the same local network. This is intended as a temporary solution until a DHCP server can be reached. The 192.168.x.x range is a private IP address space defined by RFC 1918, commonly used in local networks. The 127.0.0.0/8 range (e.g., 127.0.0.1) is reserved for loopback addresses, which are used for network software testing on the local machine. The final option is a subnet mask, not an IP address range; it is used with an IP address to define the network and host portions of the address.

WPA3-Enterprise offers the highest security by providing strong encryption and centrally managed user authentication. This method leverages a RADIUS server to authenticate each connecting device independently, which is ideal for a corporate environment. WPA3 includes updated security measures, such as Simultaneous Authentication of Equals (SAE) and stronger encryption, to protect against vulnerabilities found in WPA2, making it the most robust choice.

An Internet gateway enables networked devices to connect to the Internet by providing a routing path from the local network to the Internet. This function is fundamental in network design to facilitate external communication and access to Internet services. The answer specifying data transfer between a private network and the Internet correctly captures this role. Other options, while related to networking tasks, do not accurately describe the primary function of an Internet gateway.

The most likely cause of the signal degradation during peak usage hours is congestion/contention, which leads to increased packet loss and delays as multiple devices attempt to use the same network resources simultaneously. Interference, while a common cause of signal issues, typically relates to wireless signals and environmental factors, not tied directly to network usage patterns. Insufficient wireless coverage usually presents as a consistently poor signal, not one that worsens specifically during high traffic periods. Incorrect cable type would not typically result in a degradation that varies with time; issues would be constant.

TACACS+ provides granular control over individual commands, allowing network administrators to grant specific rights to users, making it distinct from other protocols that may only authenticate user access levels without such detailed control. This feature is particularly beneficial in environments that require precise user permissions or restrictions.

A honeynet is intended to simulate a set of network resources to engage attackers, giving them an array of potential targets that are actually isolated and monitored environments. This allows security teams to analyze attack methods and behaviors without risk to real network assets. Honeypots are individual systems meant to attract attackers, but a honeynet consists of multiple honeypots and additional network devices, making the deception more complex and enabling the collection of broader information about malicious activities.

The most effective method for diagnosing and correcting a suspected TX/RX transposition in fiber-optic links is to use a light source or visual fault locator. By sending a visible signal through the fiber, the technician can observe whether the light appears at the expected receiver side. A lack of light at the intended receiver, or light showing on the opposite fiber, indicates that the transmit and receive fibers are crossed. Adjusting adapter settings does not correct physical misconnections, replacing the cable type is unnecessary, and reviewing system logs is unlikely to pinpoint this specific physical-layer error.

Installing an additional PoE switch or a switch with a higher power budget is the best solution because the existing switch cannot supply the 200 watts required by all ten cameras. The resulting power shortfall causes certain cameras to shut down intermittently. Lowering camera settings or prioritizing some cameras only sidesteps the underlying capacity problem, and replacing the cameras with non-PoE models would require separate power cabling without fixing the current PoE deficit.

When selecting mounting points for wireless access points, the first priority is to guarantee a clean RF line-of-sight so that every part of the floor plan receives a usable signal. This means locating each AP where its antennas are not blocked by thick walls, metal shelving, or other large physical obstacles that absorb or reflect 2.4- and 5-GHz radio waves. After candidate spots free of major obstructions are chosen, the installer can fine-tune spacing and channels to control overlap and can add extra APs in high-density areas to handle client load. Without clear paths for the signal, however, neither channel planning nor additional capacity will overcome poor coverage.

Using key-based authentication instead of passwords is a best practice for securing remote administration sessions because it provides stronger security than password-based authentication. This method relies on cryptographic keys, which are significantly more resistant to brute-force attacks than passwords. While the other options are valid security measures, they are not the BEST method for securing the session's authentication process. Disabling unused services on the server reduces the overall attack surface but does not directly secure the authentication of the management session. Configuring a network firewall to restrict incoming traffic is a critical network-level control that limits who can attempt to connect, but it does not enhance the security of the authentication process itself. Similarly, disabling root logins is an important hardening step to prevent direct attacks on the most privileged account, but it does not strengthen the authentication method used by other administrative accounts.

The broadcast address for any IPv4 subnet is obtained by setting all host bits to 1. For a standard Class C network, the default subnet mask is 255.255.255.0, so the host portion is the final octet. Setting those eight bits to 1 changes 192.168.15.0 to 192.168.15.255, which is the directed broadcast address for that subnet. The incorrect answers either identify the network address, the first usable host address, or the broadcast for a different subnet size.

The 'show route' command is specifically designed to display the routing table on a router. This command provides detailed information about all routes known to the router, including destination networks, next-hop addresses, and metrics, which is useful for troubleshooting routing issues. The other options, while useful for other diagnostic scenarios, do not provide the routing table information that the administrator needs in this situation.

By implementing port mirroring to mirror the traffic to and from the database server to an analysis tool, the administrator can conduct a comprehensive examination of the traffic. This enables the identification of specific packet types, sources, or unusual activity without interrupting server operation. Setting a QoS policy might help in managing traffic but does not provide the detailed insight needed for diagnosis. Reviewing firewall logs could miss detailed traffic content, and optimizing database queries is unrelated until the specific traffic cause is identified.

A Canonical Name (CNAME) record is used to redirect domain aliasing or subdomains to the primary domain. For instance, if you want 'info.example.com' to point to 'www.example.com', a CNAME record would be the right choice. It's important to choose CNAME when the goal is to link a subdomain to the primary domain without providing a direct IP address mapping, which an A record would do.

A cable tester is designed to test the connectivity and signal integrity of network cables. It can diagnose a variety of issues such as breaks or shorts in the cable, ensuring that the physical transmission media is capable of carrying the network signal properly. A toner is typically used to locate a specific cable within a bundle and does not test for signal integrity. A Wi-Fi analyzer and a visual fault locator are not suitable for testing Ethernet cables as they are used for wireless signal analysis and detecting breaks in fiber optic cables, respectively.