Premium Practice Questions
Question 1 of 10
The risk committee at a payment services provider is debating standards for Defense in Depth Strategy as part of risk appetite review. The central issue is that while the organization has implemented robust perimeter firewalls and encrypted VPNs for remote access, recent internal audit findings suggest that lateral movement within the internal network remains a significant risk. The Chief Information Security Officer (CISO) proposes a strategy that integrates controls across multiple layers of the TCP/IP stack to ensure that a breach at the network access layer does not automatically compromise the application layer. Which of the following audit procedures would most effectively evaluate the effectiveness of the organization’s Defense in Depth strategy regarding internal network segmentation?
Correct: Reviewing VLAN and internal firewall configurations directly addresses the risk of lateral movement by verifying that, even if one segment (such as the web tier) is compromised, the attacker cannot easily reach more sensitive segments (such as the database tier). VLAN separation operates at the link layer and the internal firewall rules at the internet and transport layers, so together they provide the layered coverage that Defense in Depth requires. The review should confirm that the inter-tier rule base is default-deny, that each permitted flow is restricted to specific source subnets, destination ports and protocols, and that the rules are actually enforced by testing connectivity from a host in one tier to the next.
Incorrect: Updating external firewall firmware is a maintenance task for a perimeter control and does not address lateral movement once the perimeter is breached. Security awareness training is an administrative control that helps prevent initial entry but provides no technical, network-level barrier to an intruder who is already inside. Failover testing relates to availability and disaster recovery rather than to the structural security layers designed to impede an intruder's progress through the network.
Takeaway: A robust Defense in Depth strategy requires overlapping technical controls at different layers so that no single failure compromises the entire system.
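The inter-tier review described above can be partly automated. The following Python is an added example and not part of this quiz page: it evaluates a constructed internal firewall rule base (first match wins, implicit deny), probes one representative host per tier pair on a handful of commonly abused ports, and reports every reachable flow that the intended policy does not list. The tier subnets, the rules, the probe ports and the policy set are all assumptions made for the example.

```python
"""Added example (not part of this quiz page): probe an internal firewall rule
set for lateral-movement paths between tiers. The tier subnets, the rules and
the intended flow policy are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # (low, high) inclusive destination port range
    action: str     # "allow" or "deny"


# Constructed three-tier layout plus a jump host subnet (assumption).
TIERS = {
    "web":  ipaddress.ip_network("10.1.0.0/24"),
    "app":  ipaddress.ip_network("10.2.0.0/24"),
    "db":   ipaddress.ip_network("10.3.0.0/24"),
    "jump": ipaddress.ip_network("10.9.0.0/28"),
}

# Constructed rule base, evaluated top-down, first match wins, implicit deny.
# The last rule is the kind of "temporary" broad allow that audits keep finding.
RULES = [
    Rule("10.1.0.0/24", "10.2.0.0/24", "tcp", (8443, 8443), "allow"),
    Rule("10.2.0.0/24", "10.3.0.0/24", "tcp", (5432, 5432), "allow"),
    Rule("10.9.0.0/28", "10.0.0.0/8",  "tcp", (22, 22),     "allow"),
    Rule("10.0.0.0/8",  "10.3.0.0/24", "any", (0, 65535),   "allow"),
]

# Constructed statement of intent: (src_tier, dst_tier, proto, dst_port) flows that should work.
ALLOWED_FLOWS = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
    ("jump", "web", "tcp", 22),
    ("jump", "app", "tcp", 22),
    ("jump", "db", "tcp", 22),
}


def first_match(rules, src_ip, dst_ip, proto, port):
    """Return the action of the first rule matching the flow, 'deny' if none does."""
    src_ip, dst_ip = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for r in rules:
        if (src_ip in ipaddress.ip_network(r.src)
                and dst_ip in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return "deny"


def audit_segmentation(rules, tiers, allowed_flows,
                       probe_ports=(22, 445, 3389, 5432, 8443)):
    """Take one representative host per tier and, for every ordered tier pair,
    check a set of commonly abused ports over TCP and UDP. Every flow the rule
    base permits that the policy does not list is a finding; the list is sorted
    so the report is stable."""
    findings = []
    for s_name, s_net in tiers.items():
        for d_name, d_net in tiers.items():
            if s_name == d_name:
                continue
            src_ip, dst_ip = s_net[1], d_net[1]    # first usable host in each tier
            for proto in ("tcp", "udp"):
                for port in probe_ports:
                    permitted = first_match(rules, src_ip, dst_ip, proto, port) == "allow"
                    if permitted and (s_name, d_name, proto, port) not in allowed_flows:
                        findings.append((s_name, d_name, proto, port))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit_segmentation(RULES, TIERS, ALLOWED_FLOWS):
        print("unexpected path: %s -> %s %s/%d" % f)
```

With the broad fourth rule in place the audit reports 28 unexpected paths into the database tier from every other tier; with only the first three rules it reports none. The probe approach deliberately tests what the rule base permits rather than reading rule text, which is also how the auditor should confirm enforcement on the live network.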
Question 2 of 10
Which consideration is most important when selecting an approach to Private VLANs? An internal auditor is evaluating the network security architecture of a multi-tenant data center where the organization has implemented Private VLANs (PVLANs) to provide Layer 2 isolation between different client servers while sharing a single IP subnet. During the review of the switch configurations, the auditor must determine if the current implementation effectively mitigates the risk of unauthorized lateral movement between hosts within the same broadcast domain.
Correct: Private VLANs associate a primary VLAN with one or more secondary VLANs of type isolated or community. The primary VLAN carries traffic from the promiscuous port (normally the gateway, firewall or a shared service) downstream to every secondary port, while each secondary VLAN carries traffic upstream and defines the isolation rule: isolated ports can reach only promiscuous ports, and community ports can additionally reach other ports in the same community. Correct primary-to-secondary mapping is therefore the most critical factor, because it decides whether tenant hosts can communicate with each other at all, which is the core objective of the control. When reviewing the switch configuration the auditor should also confirm that the promiscuous port is the only path between tenants and that the gateway does not forward traffic back between isolated hosts: a host that addresses a peer's IP using the gateway's MAC address has its packet routed straight back into the same subnet unless the Layer 3 interface carries an ACL that denies intra-subnet forwarding.
Incorrect: Configuring DHCP relay agents on every isolated port is unnecessary and technically incorrect, as PVLANs operate within a single subnet and the relay agent sits at the Layer 3 boundary (the SVI). Restricting community ports from reaching the promiscuous port would break connectivity, since the promiscuous port is normally the gateway to the rest of the network. Classful addressing is an obsolete practice that adds nothing to the security or functionality of Layer 2 PVLAN segmentation.
Takeaway: The effectiveness of Private VLANs as a security control depends on accurate primary-to-secondary VLAN mappings to enforce host isolation within a shared subnet.
Question 3 of 10
How should BGP Route Reflectors and Confederation be correctly understood for NET Achievement Measurement 2E (AM2E)? An internal auditor is reviewing the network architecture of a global financial institution that has recently transitioned from a full-mesh iBGP topology to a hybrid model using Route Reflectors and Confederations to manage its growing Autonomous System (AS). During the risk assessment, the auditor identifies that several clusters have been established without redundant Route Reflectors. Which of the following best describes the primary control risk associated with this architectural choice and the fundamental difference between these two scaling mechanisms?
Correct: In a Route Reflector (RR) design, if a cluster has a single RR and it fails, every client in that cluster loses its iBGP routes and is isolated. RRs remove the iBGP full-mesh requirement by selectively relaxing the iBGP split-horizon rule, which otherwise forbids a router from re-advertising a route learned from one iBGP peer to another; loops are prevented by the ORIGINATOR_ID and CLUSTER_LIST attributes (RFC 4456). Confederations (RFC 5065) scale the network by dividing a large AS into smaller sub-ASs between which eBGP-like rules apply, so full-mesh iBGP is needed only within each sub-AS. An auditor should expect at least two RRs per cluster, with every client peering with both.
Incorrect: The suggestion that Confederations rely on MED for loop prevention is incorrect; they use the AS_CONFED_SEQUENCE and AS_CONFED_SET segments of AS_PATH. The claim that Route Reflectors require physical connectivity to their clients is a misconception: BGP peers over a TCP session (port 179) that can traverse intermediate routers, so RR placement is a logical design choice. Finally, Route Reflectors do not masquerade AS numbers; a Confederation does appear as a single AS to the outside world, but hiding internal topology is not the primary concern these scaling mechanisms address.
Takeaway: Route Reflectors and Confederations are essential BGP scaling tools that must be implemented with redundancy to avoid single points of failure, the former by relaxing the iBGP split-horizon rule and the latter by partitioning the AS.
Question 4 of 10
Senior management at a fintech lender requests your input on Wireless Intrusion Detection and Prevention as part of onboarding. Their briefing note explains that during a recent quarterly security audit, several unauthorized access points were discovered broadcasting a duplicate corporate SSID to perform ‘Evil Twin’ attacks. To enhance the organization’s defensive posture, the internal audit team is reviewing the technical controls used by the Wireless Intrusion Prevention System (WIPS) to mitigate these threats. Which mechanism is most effective for a WIPS to actively prevent client devices from maintaining a connection with a detected rogue access point?
Correct: The standard active containment mechanism in a WIPS is the 802.11 deauthentication frame, a Layer 2 management frame that tells the client and the access point to tear down their association. By sending these frames repeatedly, spoofed from the rogue AP's BSSID toward the client and from the client's MAC toward the rogue AP, the WIPS prevents the client from holding a usable session through the rogue device. Two caveats matter for the audit. Where clients and the rogue AP negotiate Protected Management Frames (802.11w), unprotected deauthentication frames are ignored and containment is ineffective, so detection, physical location of the rogue and wired-side port blocking must be relied on instead. Containment should also be scoped to rogues that impersonate the corporate SSID or are attached to the corporate wired network, since deliberately disrupting third-party wireless networks has attracted regulatory enforcement in some jurisdictions.
Incorrect: Updating DHCP exclusion lists is ineffective because a rogue access point may use static addressing or run its own DHCP service, bypassing the corporate server entirely. DNS sinkholing is an application-layer control that only takes effect once the client is connected and using the corporate resolvers; it does not prevent the wireless association. Increasing signal strength to cause interference is not a standard security practice, is unreliable, and would degrade performance for legitimate users on the network.
Takeaway: Wireless Intrusion Prevention Systems primarily use Layer 2 deauthentication frames to disrupt and contain unauthorized connections to rogue access points, with 802.11w limiting how far that containment reaches.
Question 5 of 10
Which preventive measure is most critical when handling RF Interference and Mitigation? During an operational audit of a logistics firm’s wireless network, an internal auditor notes that handheld scanners frequently lose connection in the warehouse. The auditor is evaluating the controls intended to maintain signal integrity in an environment with significant metal shelving and competing electronic devices.
Correct: A physical site survey is the fundamental preventive control: it maps environmental obstacles such as metal shelving and identifies sources of electromagnetic interference before access points are placed. The resulting channel plan uses non-overlapping channels (1, 6 and 11 in the 2.4 GHz band) so that neighbouring access points do not suffer adjacent-channel interference, and reuses each channel only between access points far enough apart to keep co-channel interference low. This systematic approach optimizes signal-to-noise ratio and cell overlap before deployment, and a post-deployment validation survey confirms that the handheld scanners roam cleanly between cells. Where the scanners support it, the 5 GHz band offers many more non-overlapping channels and is less crowded with consumer and industrial devices.
Question 6 of 10
Following an on-site examination at a fintech lender, regulators raised concerns about Network Access Control (NAC) in the context of conflicts of interest. Their preliminary finding is that the current implementation of DHCP and DNS services allows unauthorized devices to bypass security posture assessments. Specifically, the internal audit team discovered that contractors were able to manually configure static IP addresses within the server subnet to circumvent the NAC’s DHCP-based enforcement mechanism during a 90-day project window. To address this risk and ensure robust access control at the network layer, which of the following controls would be most effective for the internal auditor to recommend?
Correct: Implementing DHCP Snooping with IP Source Guard is the most effective control. DHCP Snooping builds a binding table of legitimate leases (IP address, MAC address, VLAN and switch port) from the DHCP traffic it observes on untrusted ports, and IP Source Guard then drops any packet arriving on a port whose source address (or source address and MAC) is not in that table. A contractor who sets a static address in the server subnet sends traffic that matches no binding, so it is dropped at the access port before it can bypass the NAC. The auditor should confirm that only uplinks and the DHCP server's port are marked trusted, that IP Source Guard is enabled on all access ports in scope, and that legitimately static hosts such as servers and printers have explicit static bindings rather than being accommodated by leaving the feature off.
Incorrect: Increasing DNS zone transfer frequency affects the consistency of name resolution records across servers but provides no mechanism to block unauthorized network access or validate IP assignments. DHCP Option 82 adds circuit and remote ID information that is useful for identifying the physical point of attachment, but it does not prevent a user from configuring a static IP to bypass a DHCP-based NAC. IPv6 specifies support for IPsec in its architecture, but IPsec is not mandatory to use, and simply moving to Global Unicast addresses does not enforce NAC or prevent static address spoofing without additional configuration and infrastructure.
Takeaway: Effective Network Access Control requires DHCP snooping and source validation so that only authorized IP-to-MAC-to-port bindings can transmit traffic.
Question 7 of 10
The supervisory authority has issued an inquiry to an investment firm concerning Application-Specific Network Problems in the context of complaints handling. The letter states that several high-net-worth clients reported an inability to execute trades during the first 10 minutes of the trading day over a three-day period. Internal audit’s review of the system logs reveals that while the network bandwidth was only at 40% capacity, the application server logged thousands of incomplete TCP connection attempts. Which of the following observations by the internal auditor identifies the most probable technical root cause related to the TCP/IP protocol suite?
Correct: During the TCP three-way handshake (SYN, SYN-ACK, ACK) the server keeps a queue of half-open connections that have received a SYN but not yet the final ACK. A sudden burst of connection requests, such as every client reconnecting at the opening bell, can exhaust that SYN backlog; the kernel then drops further SYNs (or, on Linux with SYN cookies enabled, answers them statelessly), clients retransmit, and the server records thousands of incomplete attempts even though link bandwidth is only 40% utilized. A related failure is the accept queue: if the handshake completes but the application does not call accept() quickly enough, completed connections are discarded and clients see sessions that opened and then stalled. On Linux the auditor can corroborate this from `ss -ltn` (the Send-Q column shows each listener's backlog size and Recv-Q its current occupancy) and from the "SYNs to LISTEN sockets dropped" and "times the listen queue of a socket overflowed" counters in `netstat -s`, and should check the source diversity of the SYNs to distinguish legitimate load from a SYN flood, which produces the same symptom.
Incorrect: Low DNS TTL settings would increase the frequency of DNS queries but would not produce incomplete TCP connection attempts on the application server. Classful addressing is a legacy allocation method and would not cause intermittent connection failures on a network that is already functioning. DHCP lease problems would leave a client without an address, so no packets would reach the server at all, rather than producing half-completed handshakes in the server's logs.
Takeaway: Internal auditors should recognize that application availability can be lost at the transport layer through TCP backlog exhaustion even when network-layer bandwidth appears sufficient.
Question 8 of 10
The compliance framework at a credit union is being updated to address Security Breach Investigations as part of outsourcing. A challenge arises because the third-party service provider manages the DHCP and DNS infrastructure, limiting the internal audit team’s direct access to real-time logs. During a recent audit of a suspected data exfiltration event, the internal auditor notes that several internal IP addresses were associated with suspicious outbound TCP connections to an external host. To verify if a full session was established rather than just a scanning attempt, the auditor must evaluate the evidence of the transport layer interaction. Which of the following pieces of evidence would most reliably confirm that a successful bidirectional communication channel was established between the internal host and the external entity?
Correct: A TCP connection exists only once the three-way handshake (SYN, SYN-ACK, ACK) completes. Evidence that the internal host sent the final ACK after receiving the external server's SYN-ACK therefore proves that a stateful, bidirectional channel was established, which is the precondition for any data exfiltration over that connection. In practice the auditor rarely sees the individual packets; the equivalent evidence is a flow record or firewall session log in which both the SYN and ACK flags are recorded for the flow, bytes are counted in both directions, and the session is later closed with FIN or RST rather than timed out in the SYN state. Because the provider controls the DHCP and DNS logs, the auditor should request the firewall or NetFlow session records for the suspect hosts and time window, and use the DHCP lease log to map each internal IP to a specific device for that window.
Incorrect: DNS queries only show that a host attempted to resolve a name to an address, not that a connection was made. DHCP lease logs only confirm that a device was on the network and assigned an address; they say nothing about specific traffic sessions. ICMP Destination Unreachable messages indicate that a connection attempt failed or was blocked by a security appliance, which suggests the attempt was unsuccessful.
Takeaway: Verifying the completion of the TCP three-way handshake is the standard way to confirm that a reliable network session was established during a security breach investigation.
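Questions 7 and 8 both turn on reading the handshake state of a flow: half-open attempts on an overloaded server in one case, a confirmed bidirectional channel in the other. The following Python is an added example, not part of this quiz page, that runs packet records through a minimal handshake state machine and classifies each flow as syn-sent, syn-received (half-open), established or refused. The packet records are constructed for illustration in the shape a pcap-to-CSV export might give; the hosts, ports and timestamps are assumptions.

```python
"""Added example (not part of this quiz page): classify TCP flows from packet
records so an investigator can tell a completed three-way handshake from a
half-open attempt, a refused connection or a bare SYN with no reply.
All packet records below are constructed for illustration, in the shape a
pcap-to-CSV export might give: (time, src_ip, src_port, dst_ip, dst_port, flags)."""
from collections import defaultdict

PACKETS = [
    # Flow A: full handshake then data; the bidirectional channel Question 8 asks about
    (1.000, "10.20.5.17", 51000, "203.0.113.9", 443, "S"),
    (1.050, "203.0.113.9", 443, "10.20.5.17", 51000, "SA"),
    (1.051, "10.20.5.17", 51000, "203.0.113.9", 443, "A"),
    (1.100, "10.20.5.17", 51000, "203.0.113.9", 443, "PA"),
    # Flow B: SYN-ACK sent but the final ACK never arrives (half-open on the server side)
    (2.000, "10.20.5.18", 51001, "203.0.113.9", 443, "S"),
    (2.040, "203.0.113.9", 443, "10.20.5.18", 51001, "SA"),
    # Flow C: SYN retransmitted with no answer (dropped, backlog full, or a scan)
    (3.000, "10.20.5.19", 51002, "203.0.113.9", 443, "S"),
    (4.000, "10.20.5.19", 51002, "203.0.113.9", 443, "S"),
    # Flow D: port closed or filtered, server answers with RST
    (5.000, "10.20.5.20", 51003, "203.0.113.9", 8443, "S"),
    (5.010, "203.0.113.9", 8443, "10.20.5.20", 51003, "RA"),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one bucket."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def classify_flows(packets):
    """Run each flow's packets, in time order, through a minimal handshake
    state machine. Returns {flow_key: state} where state is one of
      'syn-sent'      client SYN seen, nothing back (dropped or scanned)
      'syn-received'  server answered SYN-ACK, client ACK missing (half-open)
      'established'   client's final ACK seen (bidirectional channel exists)
      'refused'       server replied RST before the handshake completed
      'no-handshake'  packets seen but no SYN (mid-stream capture)
    """
    flows = defaultdict(list)
    for pkt in sorted(packets):
        flows[flow_key(pkt[1], pkt[2], pkt[3], pkt[4])].append(pkt)

    result = {}
    for key, pkts in flows.items():
        state, client = None, None
        for _, src, sport, dst, dport, flags in pkts:
            if "R" in flags and state in ("syn-sent", "syn-received"):
                state = "refused"
                break
            if state is None and "S" in flags and "A" not in flags:
                state, client = "syn-sent", (src, sport)          # SYN
            elif state == "syn-sent" and "S" in flags and "A" in flags and (dst, dport) == client:
                state = "syn-received"                             # SYN-ACK back to the client
            elif state == "syn-received" and "A" in flags and "S" not in flags and (src, sport) == client:
                state = "established"                              # final ACK from the client
        result[key] = state or "no-handshake"
    return result


def summarize(packets):
    """Count flows per state. Many 'syn-sent' or 'syn-received' flows against one
    server port, with few 'established', is the signature of SYN backlog exhaustion
    (or of a SYN flood, which looks the same at this layer)."""
    counts = defaultdict(int)
    for state in classify_flows(packets).values():
        counts[state] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, state in classify_flows(PACKETS).items():
        print(key, "->", state)
    print(summarize(PACKETS))
```

Only Flow A qualifies as evidence of an established session; Flow B is the half-open state an overloaded or SYN-flooded server accumulates, and Flow C is what a client sees when its SYNs are dropped. The same classification can be driven from flow records by treating the recorded flag bits as a single packet per direction.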
Question 9 of 10
A client relationship manager at a payment services provider seeks guidance on Scalable Network Designs as part of client suitability. They explain that the organization is initiating a 24-month expansion plan to integrate several hundred new merchant locations into their existing infrastructure. The current network utilizes a flat addressing structure that has led to significant routing table bloat and difficulty in managing address exhaustion. To ensure the new architecture supports this rapid growth while maintaining efficient routing and minimizing address wastage, which strategy should the internal auditor identify as the most effective control for IP address management?
Correct: Variable Length Subnet Masking (VLSM) is a critical component of scalable network design because it allocates subnets of different sizes according to the actual needs of each segment, so a two-address point-to-point link and a five-hundred-host hub no longer consume the same block. When the blocks are assigned hierarchically, with each region drawing its sites' subnets from one contiguous parent block, the regional router can advertise a single summary route instead of every site subnet. That aggregation keeps routing tables small, reduces router load and improves stability, because a flapping link at one merchant site changes nothing outside its region.
Incorrect: Classful addressing is obsolete, wastes address space and lacks the flexibility modern scalable networks require. Static NAT for every internal endpoint is administratively unworkable and does nothing for internal address management or routing efficiency. Fixed Length Subnet Masking (FLSM) is inefficient where segment sizes vary, because it forces the same subnet size on large and small locations alike and so produces either address exhaustion or heavy wastage.
Takeaway: Scalable network designs rely on VLSM and hierarchical addressing to use address space efficiently and keep routing efficient through route summarization.
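To make the VLSM and summarization argument concrete, the following Python is an added example, not part of this quiz page: it carves a constructed set of merchant sites out of one regional block, largest site first so every subnet lands on its natural boundary, derives the single summary route the regional router can advertise, and compares the address consumption with a fixed-length plan. The supernet 10.40.0.0/16 and the per-site host counts are assumptions.

```python
"""Added example (not part of this quiz page): carve merchant-site subnets out of
a regional block with VLSM, largest first, and compute the single summary route
the regional router can advertise. The supernet and host counts are assumptions."""
import ipaddress
import math

# Constructed demand per site: number of usable host addresses required.
SITES = {
    "regional-hub": 500,
    "store-001": 60,
    "store-002": 60,
    "store-003": 25,
    "kiosk-001": 6,
    "kiosk-002": 6,
    "p2p-link-001": 2,
}


def prefix_for_hosts(hosts):
    """Smallest prefix length whose block offers `hosts` usable addresses.
    Network and broadcast are reserved (+2); a /31 serves a point-to-point
    link (RFC 3021) and a /32 a single loopback."""
    if hosts <= 2:
        return 31 if hosts == 2 else 32
    return 32 - math.ceil(math.log2(hosts + 2))


def allocate_vlsm(supernet, sites):
    """Assign each site the smallest fitting block, largest first, so every
    block starts on its natural boundary and no gaps are left.
    Returns (allocations {name: IPv4Network}, addresses left in the supernet)."""
    net = ipaddress.ip_network(supernet)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    allocations = {}
    for name, hosts in sorted(sites.items(), key=lambda kv: (-kv[1], kv[0])):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        cursor = (cursor + size - 1) // size * size     # align up (no-op when largest-first)
        if cursor + size > end:
            raise ValueError(f"{supernet} exhausted while allocating {name}")
        allocations[name] = ipaddress.ip_network((cursor, plen))
        cursor += size
    return allocations, end - cursor


def summary_route(networks):
    """Shortest single prefix covering all `networks`: the one route the
    regional router advertises upstream in place of every site subnet."""
    nets = [ipaddress.ip_network(str(n)) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    plen = 32
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    return ipaddress.ip_network(((lo >> (32 - plen)) << (32 - plen), plen))


def flsm_footprint(sites):
    """Addresses consumed if every site received the block sized for the
    largest one (fixed-length subnetting), for comparison with VLSM."""
    block = 1 << (32 - prefix_for_hosts(max(sites.values())))
    return block * len(sites)


if __name__ == "__main__":
    alloc, left = allocate_vlsm("10.40.0.0/16", SITES)
    for name, net in alloc.items():
        usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
        print(f"{name:14s} {net}  ({usable} usable)")
    print("summary route:", summary_route(alloc.values()))
    print("VLSM uses", 65536 - left, "addresses; FLSM would use", flsm_footprint(SITES))
```

For the constructed sites the seven subnets consume 690 addresses and summarize to 10.40.0.0/22, one route instead of seven, whereas giving every site the hub's /23 would consume 3584. The largest-first ordering is what makes the allocation contiguous; allocating small sites first would scatter the blocks and the summary would cover unrelated space.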
Question 10 of 10
The information security manager at a credit union is tasked with addressing 802.1X Authentication during control testing. After reviewing a regulator information request, the key concern is that several branch offices recently reported unauthorized devices successfully connecting to the wired network despite the implementation of port-based access control. An internal audit review of the RADIUS server logs from the last quarter indicates that while authentication is required, the fallback mechanisms and certificate validation processes may not be aligned with the organization’s risk appetite. Which of the following findings would represent the most significant control weakness regarding the 802.1X implementation?
Correct: A fail-open configuration lets a port grant access when 802.1X cannot complete. Switches implement several variants: a critical VLAN (inaccessible authentication bypass) used when no RADIUS server is reachable, an auth-fail or restricted VLAN for supplicants whose credentials are rejected, and a guest VLAN for hosts that never answer EAP. Each exists for business continuity, but if the VLAN is not constrained by ACLs or a firewall it gives unauthorized devices a path to internal resources and lateral movement, and an attacker who simply does not respond to EAP, or who can disrupt the RADIUS path, obtains the same access. From an audit perspective this defeats the primary objective of 802.1X, which is that only authenticated and authorized devices gain network access. The auditor should establish which fallback VLANs are configured at the branches, what those VLANs can reach, whether ports placed in the critical VLAN re-authenticate once the RADIUS server returns, and whether the RADIUS logs show the reported connections coinciding with periods of server unreachability or authentication failure.
Incorrect: Using EAP-TLS is a robust security measure and represents a control strength rather than a weakness. A short re-authentication timer is a performance and availability concern that increases RADIUS load but does not by itself allow unauthorized access. Integrating physical and logical security logs is a mature monitoring practice, but its absence is a secondary reporting gap rather than a failure of the 802.1X authentication control itself.
Takeaway: Internal auditors must evaluate the security of fallback configurations in 802.1X environments to ensure that availability measures do not inadvertently create unauthorized access paths.