70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Practice Tests

Demo Question 4.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. EliteCertify.com network is made up of an intranet and a perimeter network that is separated by a firewall configuration. A second firewall connects the perimeter network to the Internet. The perimeter network consists of Windows Server 2003 computers. The perimeter network's servers have SNMP installed and are used to host an application managed by SNMP. The application provides information to customers on the merchandise sold by EliteCertify.com. The EliteCertify.com intranet contains Windows XP Professional computers running the SNMP management software. The internet firewall only allows outbound SNMP traffic from the intranet to the perimeter network. The read-write SNMP community name is AppCommRW and the read-only SNMP community name is Public. You have received instruction from the CIO to secure SNMP traffic as is moves from the intranet to the perimeter network. You must ensure that application integrity and network security are not compromised, and at the same time ensure that customer access to the application is not affected. You have also been instructed to use existing hardware or software. You cannot purchase new hardware or software. You must ensure that SNMP traffic on the perimeter network cannot be intercepted by outside individuals. What should you do to achieve your goal in these circumstances?

A. Configure the read-only SNMP community name to AppCommRO. Configure the SNMP service on each application server to: * Transmit only application-specific SNMP information to the management client computers. * Accept only SNMP packets from the IP addresses of the management client computers. * Send authentication traps for both community names.
B. Create an IPSec filter for the default SNMP ports in the local security policy on the management client computers and application server. Create and assign a new IPSec policy that requires security by using the IPSec filter in the local security policy on both the management client computers and application servers. Configure the internal firewall to permit outbound IPSec traffic from the intranet.
C. Modify the community rights for the Public community to Notify. Modify the community rights for the AppCommRW community to Read-Create. Configure the SNMP service on each application server to log on by using a domain user account and not the local system account. Configure the SNMP service to send authentication traps for the AppCommRW community name. Configure the internal firewall to permit inbound SNMP traffic from the perimeter network.
D. Create an organization unit (OU) named SNMPComputers OU and add the management client computers and the application servers to the SNMPComputers OU. Assign the Secure Server (Require Security) IPSec policy to the SNMPComputers OU. Configure the internal firewall to permit outbound IPSec traffic from the intranet.


Display Answer

Answer: B

Explanation: You can use the IPSec console to manage IPSec policies and to add and remove filters applied to the IPSec policies. IPSec filtering is used to permit or block certain types of IP traffic. With IPSec filtering, you can secure workstations from outside security hazards. Simple Network Management Protocol (SNMP) is an application layer Transmission Control Protocol/Internet Protocol (TCP/IP) protocol and query language used to transmit information about the status of network components to a central network management console. Components embedded in network hardware and software products, called SNMP agents, are responsible for collecting data about the activities of the products they service, storing the data in a management information base (MIB. , and transmitting that data to the console at regular intervals using SNMP messages. Keeping the above mentioned in mind, then it is clear that this option will provide the necessary means for ensuring that all SNMP management traffic for the application is secure and cannot be used to compromise network security. Incorrect answers: A. This option will not ensure that that all SNMP management traffic for the application is secure and cannot be used to compromise network security. You should be making use of an IPSec filter and IPSec policies instead. C. This option will not ensure SNMP management will be secure. Furthermore, configuring the firewall to allow inbound SNMP traffic from the perimeter network should not be. D. There is no need to create new organizational units. Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 728-730 http://support.microsoft.com/default.aspx?scid=kb;en-us;324261&Product=winsvr2003