Exam CAS-004
Question 90

SIMULATION -

You are a security analyst tasked with interpreting an Nmap scan output from the company's privileged network.

The company's hardening guidelines indicate the following:

✑ There should be one primary server or service per device.

✑ Only default ports should be used.

✑ Non-secure protocols should be disabled.

INSTRUCTIONS -

Using the Nmap output, identify the devices on the network and their roles, and any open ports that should be closed.

For each device found by Nmap, add a device entry to the Devices Discovered list, with the following information:

✑ The IP address of the device

✑ The primary server or service of the device (Note that each IP should be associated with one service/port only)

✑ The protocol(s) that should be disabled based on the hardening guidelines (Note that multiple ports may need to be closed to comply with the hardening guidelines)

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Correct Answer:

Based on the company's hardening guidelines, here is the analysis and the recommendation for each device identified in the Nmap scan output. Each device should have only one primary service, and non-secure protocols should be disabled. The primary service of each device is identified from the commonly used port number for each service type; every other open port is then disabled so that only one primary service remains active per device and no non-secure or unused protocol stays exposed:

1. **Device IP:** 10.1.45.65
   - **Primary Service:** SFTP (port 22)
   - **Ports to be Disabled:** 8080 (HTTP web interface)
   - **Rationale:** Port 22 is typically used for SFTP, and port 8080 should be disabled as it does not follow secure protocols.
2. **Device IP:** 10.1.45.66
   - **Primary Service:** Email Server (port 25 for SMTP)
   - **Ports to be Disabled:** 415 and 443 (SSL/HTTP)
   - **Rationale:** Port 25 is commonly used for SMTP (Email server), while ports 415 and 443 should be disabled to avoid unnecessary services running.
3. **Device IP:** 10.1.45.67
   - **Primary Service:** Web Server (port 443 for HTTPS)
   - **Ports to be Disabled:** 21 (FTP) and 80 (HTTP)
   - **Rationale:** Port 443 is commonly used for secure HTTPS, while ports 21 and 80 are non-secure and should be disabled.
4. **Device IP:** 10.1.45.68
   - **Primary Service:** UTM Appliance (Unified Threat Management), typically running an SSL/FTP proxy, with non-secure protocols disabled.
   - **Ports to be Disabled:** 21 (FTP)
   - **Rationale:** Port 21 is a non-secure protocol and should be disabled. The SSL VPN proxy running on the other ports should be kept, as it is likely necessary for the appliance to function.

These recommendations ensure compliance with the company's hardening guidelines by restricting each device to one primary service and disabling any non-secure or unnecessary protocols and ports.
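As an added example (not part of the exam item or its answer key), the following Python script parses Nmap normal-format output and applies the three hardening guidelines mechanically: one primary service per host, default ports only, non-secure protocols disabled. The scan text is constructed to mirror the four hosts above; the port lists and the tie-break order that selects the primary service are assumptions, and only ports in the `open` state are flagged, which is why a closed port such as 20/tcp on 10.1.45.67 never appears in the findings.

```python
import re
# Constructed Nmap normal-format output for the page's four hosts (assumed; stands in for the scan image).
NMAP_OUTPUT = """\
Nmap scan report for 10.1.45.65
22/tcp   open   ssh
8080/tcp open   http-proxy
Nmap scan report for 10.1.45.66
25/tcp   open   smtp
415/tcp  open   unknown
443/tcp  open   https
Nmap scan report for 10.1.45.67
20/tcp   closed ftp-data
21/tcp   open   ftp
80/tcp   open   http
443/tcp  open   https
Nmap scan report for 10.1.45.68
21/tcp   open   ftp
443/tcp  open   ssl/http-proxy
"""
# Guidelines as data (assumed lists); the first SECURE_DEFAULTS port found on a
# host is taken as its primary service (assumed tie-break rule).
NON_SECURE = {21: "FTP", 23: "Telnet", 80: "HTTP", 8080: "HTTP alt port"}
SECURE_DEFAULTS = [22, 25, 587, 443, 465, 993, 995]
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)")

def parse_open_ports(text):  # -> {host: {port: service}}, open ports only
    hosts, host = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
            hosts[host] = {}
        elif host and (m := PORT_RE.match(line)) and m.group(2) == "open":
            hosts[host][int(m.group(1))] = m.group(3)  # closed/filtered dropped
    return hosts

def reason(port, svc):  # why a non-primary open port breaks the guidelines
    if port in NON_SECURE:
        return "non-secure protocol: " + NON_SECURE[port]
    if port not in SECURE_DEFAULTS:
        return "non-default port: " + svc
    return "second service on device: " + svc

def audit(text):  # -> {host: (primary port or None, {port: reason to close})}
    findings = {}
    for host, ports in parse_open_ports(text).items():
        primary = next((p for p in SECURE_DEFAULTS if p in ports), None)
        close = {p: reason(p, s) for p, s in ports.items() if p != primary}
        findings[host] = (primary, close)
    return findings
```

Running `audit(NMAP_OUTPUT)` reproduces the answer key's table: 8080 on .65, 415 and 443 on .66, 21 and 80 on .67, and 21 on .68 are flagged, each with the guideline it violates.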

Discussion
IT_PAYS

IS THE ANSWER PROVIDED CORRECT?
10.1.45.65 SFTP Server: Disable 8080
10.1.45.66 Email Server: Disable 415 and 443
10.1.45.67 Web Server: Disable 21, 80
10.1.45.68 UTM Appliance: Disable 21

ripper69

Yes, one issue is that modern Exchange servers (Mail) use port 443 (secure default port) for incoming connections and disabling this might cause issues...

ElDirec

Here are the devices discovered and their details based on the Nmap scan reports:

1. **Device IP:** 10.1.45.65 - SFTP Server
   - **Primary Service:** SSH on port 22
   - **Protocol(s) to be disabled:** HTTP on port 80 (non-secure protocol)
2. **Device IP:** 10.1.45.66 - Email Server
   - **Primary Service:** SSL/SMTP on port 587
   - **Protocol(s) to be disabled:** Port 415 (if it's not necessary for the email server's function, it should be closed to enhance security)
3. **Device IP:** 10.1.45.67 - Web Server
   - **Primary Service:** SSL/HTTP on port 443
   - **Protocol(s) to be disabled:** FTP on port 21 and HTTP on port 80 (both are non-secure protocols)
4. **Device IP:** 10.1.45.68 - UTM Appliance
   - **Primary Service:** SSL/FTP-proxy on port 443
   - **Protocol(s) to be disabled:** SSL/FTP-proxy on port 21 (if it's not necessary for the UTM's function, it should be closed to enhance security)

Delab202

10.1.45.65 SFTP Server: Disable 8080
10.1.45.66 Email Server: Disable 415 and 443
10.1.45.67 Web Server: Disable 21, 80
10.1.45.68 UTM Appliance: Disable 21
Answer is correct.

imather

Why precisely is 68 UTM? I'm guessing it's due to the SSL-VPN http proxy service and IPCop 2 firewall OS and it doesn't match any of the other provided options?

imather

Looking closer, device type is firewall, so UTM makes more sense.

ThatGuyOverThere

That and a UTM would probably proxy traffic to SSL decrypt and analyze everything.

aaronhardisonn

How do we know what the primary ports are :/

weaponxcel

Can someone explain why we close port 443 on 10.1.45.66?

ThatGuyOverThere

Because the instructions say each server will only use one port/service. Indicators suggest it is a mail server so you would leave open 587 for secure smtp rather than 443.

Waltsthe

I'd know this one.

b49eb27

For those asking why we don't disable those that are already closed: if you look at the .67 device, there are four protocols listed as closed that are not in the disabled protocols list. So I have decided not to list those that are already closed as ones that should also be disabled.

userguy890

Why don't we disable the ports listed as closed? Nmap's own docs say they could open up. I had originally selected the closed ports to be disabled too, but everyone answered otherwise. It seems this is another CompTIA trick: "Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time."

Anarckii

10.1.45.65 - port 8080
10.1.45.66 - port 443, 415
10.1.45.67 - port 21, 80
10.1.45.68 - port 21

wizwiz

Why not disable the closed ports as well? Per Nmap: "A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next." Should we not disable all the protocols for closed ports as well? So ports 20, 22, 2001, 2047, 2196 and 6001 as well?

Anarckii

No because even though the state is closed ping attacks and other traffic will just be rejected since the service is unavailable.

tester27

those other ports you've mentioned are not in the selection, so this implies that it is not necessary.

peteymcspeedy

Are all of them separate devices? Or does everything go under 10.1.45.66? I don't understand why 10.1.45.65 is under .66 in the solution pictured.

ThatGuyOverThere

There are four servers with their own output listed from nmap telling you what ports are showing open (or some closed) for each server.