HPE6-A78 Aruba Certified Network Security Associate Exam Practice Test

Page: 1 / 14
Total 168 questions

Want more questions? Get Premium Access.
()

Question 1

What is one method for HPE Aruba Networking ClearPass Policy Manager (CPPM) to use DHCP to classify an endpoint?

AIt can determine information such as the endpoint OS from the order of options listed in Option 55 of a DHCP Discover packet.

BIt can respond to a client's DHCP Discover with different DHCP Offers and then analyze the responses to identify the client OS.

CIt can snoop DHCP traffic to register the clients' IP addresses. It then knows where to direct its HTTP requests to actively probe for information about the client.

DIt can alter the DHCP Offer to insert itself as a proxy gateway. It will then be inline in the traffic flow and can apply traffic analytics to classify clients.

Answer : A

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to classify endpoints, and one of its passive profiling methods involves analyzing DHCP traffic. DHCP fingerprinting is a technique where ClearPass examines the DHCP packets sent by a client, particularly the DHCP Discover packet, to identify the device's operating system or type based on specific attributes.

Option A, 'It can determine information such as the endpoint OS from the order of options listed in Option 55 of a DHCP Discover packet,' is correct. DHCP Option 55 (Parameter Request List) is a field in the DHCP Discover packet where the client specifies the list of DHCP options it requests from the server. The order and combination of these options are often unique to specific operating systems or device types (e.g., Windows, Linux, macOS, or IoT devices). ClearPass maintains a database of DHCP fingerprints and matches the Option 55 data against this database to classify the endpoint.

Option B, 'It can respond to a client's DHCP Discover with different DHCP Offers and then analyze the responses,' is incorrect because ClearPass does not act as a DHCP server or send DHCP Offers. It passively snoops DHCP traffic rather than actively responding to DHCP requests.

Option C, 'It can snoop DHCP traffic to register the clients' IP addresses,' is partially correct in that ClearPass does snoop DHCP traffic, but the purpose is not just to register IP addresses for HTTP probing. While ClearPass can use IP addresses for active probing (e.g., HTTP or SNMP), the question specifically asks about using DHCP to classify, which is done via fingerprinting, not IP registration.

Option D, 'It can alter the DHCP Offer to insert itself as a proxy gateway,' is incorrect because ClearPass does not modify DHCP packets or act as a proxy gateway. This is not a function of ClearPass in the context of DHCP-based profiling.

The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states:

'ClearPass can profile devices using DHCP fingerprinting, a passive profiling method. When a device sends a DHCP Discover packet, ClearPass examines the packet's attributes, including the order of options in DHCP Option 55 (Parameter Request List). The combination and order of these options are often unique to specific operating systems or device types. ClearPass matches these attributes against its DHCP fingerprint database to classify the device (e.g., identifying a device as a Windows 10 laptop or an Android phone).' (Page 247, DHCP Fingerprinting Section)

Additionally, the ClearPass Device Insight Data Sheet notes:

'DHCP fingerprinting allows ClearPass to passively collect device information without interfering with network traffic. By analyzing DHCP Option 55, ClearPass can accurately determine the device's operating system and type, enabling precise policy enforcement.' (Page 3)

HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, DHCP Fingerprinting Section, Page 247.

ClearPass Device Insight Data Sheet, Page 3.

===========

Question 2

What is a guideline for managing local certificates on AOS-CX switches?

AUnderstand that the switch must use the same certificate for all usages, such as its HTTPS server and RadSec client.

BCreate a self-signed certificate online on the switch because AOS-CX switches do not support CA-signed certificates.

CBefore installing the local certificate, create a trust anchor (TA) profile with the root CA certificate for the certificate that you will install.

DInstall an Online Certificate Status Protocol (OCSP) certificate to simplify the process of enrolling and re-enrolling for certificates.

Answer : C

AOS-CX switches use certificates for various purposes, such as securing HTTPS access to the switch's web interface, authenticating the switch as a RadSec client, or securing other communications. Managing local certificates on AOS-CX switches involves ensuring that the switch trusts the certificate authority (CA) that issued the certificate, which is critical for proper operation.

Option C, 'Before installing the local certificate, create a trust anchor (TA) profile with the root CA certificate for the certificate that you will install,' is correct. A trust anchor (TA) profile on AOS-CX switches contains the root CA certificate (or intermediate CA certificate) that issued the local certificate. This TA profile allows the switch to validate the certificate chain when the local certificate is installed. For example, if you install a CA-signed certificate for the HTTPS server, the switch needs the root CA certificate in a TA profile to trust the certificate. This is a standard guideline for certificate management on AOS-CX switches to ensure secure and proper operation.

Option A, 'Understand that the switch must use the same certificate for all usages, such as its HTTPS server and RadSec client,' is incorrect. AOS-CX switches support using different certificates for different purposes. For example, you can have one certificate for the HTTPS server and another for RadSec client authentication, as long as each certificate is associated with the appropriate service and trusted by the switch.

Option B, 'Create a self-signed certificate online on the switch because AOS-CX switches do not support CA-signed certificates,' is incorrect. AOS-CX switches fully support CA-signed certificates, and using CA-signed certificates is recommended for production environments to ensure trust and security. Self-signed certificates can be used for testing but are not a guideline for general certificate management.

Option D, 'Install an Online Certificate Status Protocol (OCSP) certificate to simplify the process of enrolling and re-enrolling for certificates,' is incorrect. OCSP is a protocol used to check the revocation status of certificates, not to simplify certificate enrollment. AOS-CX switches support OCSP for certificate validation, but installing an 'OCSP certificate' is not a concept in certificate management, and it's not a guideline for managing local certificates.

The HPE Aruba Networking AOS-CX 10.12 Security Guide states:

'Before installing a CA-signed local certificate on the switch, you must create a trust anchor (TA) profile that includes the root CA certificate (or intermediate CA certificate) that issued the local certificate. This ensures that the switch can validate the certificate chain. For example, to install a CA-signed certificate for the HTTPS server, use the command crypto pki ta-profile to create the TA profile, and then import the root CA certificate into the profile using crypto pki import ta-profile . Then, install the local certificate using crypto pki import local-certificate <certificate-name> and associate it with the HTTPS server.' (Page 201, Certificate Management Section)

Additionally, the guide notes:

'AOS-CX switches support both self-signed and CA-signed certificates. For production environments, it is recommended to use CA-signed certificates and ensure that the appropriate trust anchor profiles are configured to validate the certificate chain.' (Page 202, Best Practices Section)

HPE Aruba Networking AOS-CX 10.12 Security Guide, Certificate Management Section, Page 201.

HPE Aruba Networking AOS-CX 10.12 Security Guide, Best Practices Section, Page 202.

===========

Question 3

Which attack is an example or social engineering?

AAn email Is used to impersonate a Dank and trick users into entering their bank login information on a fake website page.

BA hacker eavesdrops on insecure communications, such as Remote Desktop Program (RDP). and discovers login credentials.

CA user visits a website and downloads a file that contains a worm, which sell-replicates throughout the network.

DAn attack exploits an operating system vulnerability and locks out users until they pay the ransom.

Answer : A

An example of a social engineering attack is described in option A, where an email is used to impersonate a bank and deceive users into entering their bank login information on a counterfeit website. Social engineering attacks exploit human psychology rather than technical hacking techniques to gain access to systems, data, or personal information. These attacks often involve tricking people into breaking normal security procedures. The other options describe different types of technical attacks that do not primarily rely on manipulating individuals through deceptive personal interactions.

Question 4

What is one difference between EAP-Tunneled Layer Security (EAP-TLS) and Protected EAP (PEAP)?

AEAP-TLS begins with the establishment of a TLS tunnel, but PEAP does not use a TLS tunnel as part of its process.

BEAP-TLS requires the supplicant to authenticate with a certificate, but PEAP allows the supplicant to use a username and password.

CEAP-TLS creates a TLS tunnel for transmitting user credentials, while PEAP authenticates the server and supplicant during a TLS handshake.

DEAP-TLS creates a TLS tunnel for transmitting user credentials securely, while PEAP protects user credentials with TKIP encryption.

Answer : B

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) and PEAP (Protected EAP) are two EAP methods used for 802.1X authentication in wireless networks, such as those configured with WPA3-Enterprise on HPE Aruba Networking solutions. Both methods are commonly used with ClearPass Policy Manager (CPPM) for secure authentication.

EAP-TLS:

Requires both the supplicant (client) and the server (e.g., CPPM) to present a valid certificate during authentication.

Establishes a TLS tunnel to secure the authentication process, but the primary authentication mechanism is the mutual certificate exchange. The client's certificate is used to authenticate the client, and the server's certificate authenticates the server.

PEAP:

Requires only the server to present a certificate to authenticate itself to the client.

Establishes a TLS tunnel to secure the authentication process, within which the client authenticates using a secondary method, typically a username and password (e.g., via MS-CHAPv2 or EAP-GTC).

Option A, 'EAP-TLS begins with the establishment of a TLS tunnel, but PEAP does not use a TLS tunnel as part of its process,' is incorrect. Both EAP-TLS and PEAP establish a TLS tunnel. In EAP-TLS, the TLS tunnel is used for the mutual certificate exchange, while in PEAP, the TLS tunnel protects the inner authentication (e.g., username/password).

Option B, 'EAP-TLS requires the supplicant to authenticate with a certificate, but PEAP allows the supplicant to use a username and password,' is correct. This is a key difference: EAP-TLS mandates certificate-based authentication for the client, while PEAP allows the client to authenticate with a username and password inside the TLS tunnel, making PEAP more flexible for environments where client certificates are not deployed.

Option C, 'EAP-TLS creates a TLS tunnel for transmitting user credentials, while PEAP authenticates the server and supplicant during a TLS handshake,' is incorrect. Both methods use a TLS tunnel, and both authenticate the server during the TLS handshake (using the server's certificate). In EAP-TLS, the client's certificate is also part of the TLS handshake, while in PEAP, the client's credentials (username/password) are sent inside the tunnel after the handshake.

Option D, 'EAP-TLS creates a TLS tunnel for transmitting user credentials securely, while PEAP protects user credentials with TKIP encryption,' is incorrect. PEAP does not use TKIP (Temporal Key Integrity Protocol) for protecting credentials; TKIP is a legacy encryption method used in WPA/WPA2 for wireless data encryption, not for EAP authentication. PEAP uses the TLS tunnel to protect the inner authentication credentials.

The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states:

'EAP-TLS requires both the supplicant and the server to present a valid certificate for mutual authentication. The supplicant authenticates using its certificate, and the process is secured within a TLS tunnel. In contrast, PEAP requires only the server to present a certificate to establish a TLS tunnel, within which the supplicant can authenticate using a username and password (e.g., via MS-CHAPv2 or EAP-GTC). This makes PEAP more suitable for environments where client certificates are not deployed.' (Page 292, EAP Methods Section)

Additionally, the HPE Aruba Networking Wireless Security Guide notes:

'A key difference between EAP-TLS and PEAP is the client authentication method. EAP-TLS mandates that the client authenticate with a certificate, requiring certificate deployment on all clients. PEAP allows the client to authenticate with a username and password inside a TLS tunnel, making it easier to deploy in environments without client certificates.' (Page 40, 802.1X Authentication Methods Section)

HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, EAP Methods Section, Page 292.

HPE Aruba Networking Wireless Security Guide, 802.1X Authentication Methods Section, Page 40.

Question 5

What is one of the policies that a company should define for digital forensics?

Awhich data should be routinely logged, where logs should be forwarded, and which logs should be archived

Bwhat are the first steps that a company can take to implement micro-segmentation in their environment

Cto which resources should various users be allowed access, based on their identity and the identity of their clients

Dwhich type of EAP method is most secure for authenticating wired and wireless users with 802.1

Answer : A

In the context of digital forensics, policy A is the most relevant. It defines which data should be logged, where logs should be forwarded for analysis or storage, and which logs should be archived for future forensic analysis or audit purposes. This ensures that evidence is preserved in a way that supports forensic activities.

Question 6

A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-Switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other ClearPass solutions.

The ClearPass admins tell you that they want to use HTTP User-Agent strings to help classify endpoints.

What should you do as a part of configuring the ArubaOS-Switches to support this requirement?

ACreate a device fingerprinting policy that includes HTTP, and apply the policy to edge ports.

BCreate remote mirrors that collect traffic on edge ports, and mirror it to CPPM's IP address.

CConfigure CPPM as the sFlow collector, and make sure that sFlow is enabled on edge ports.

DConnect the switches to CPPM's span ports, and set up mirroring of HTTP traffic on the switches.

Answer : C

ArubaOS-Switches can use sFlow technology to sample network traffic and send the samples to a collector, such as ClearPass Policy Manager (CPPM), for analysis. sFlow can be configured to capture various types of traffic, including HTTP, which typically contains User-Agent strings that can be used for device fingerprinting and classification.

To support the requirement for using HTTP User-Agent strings to classify endpoints, the switches would need to be configured to send sFlow samples containing HTTP traffic to CPPM. CPPM would then analyze these samples and use the User-Agent strings to classify the devices.

Therefore, the correct action to configure ArubaOS-Switches would involve:

Configuring CPPM as the sFlow collector on the switches.

Enabling sFlow on the edge ports that connect to endpoints.

This approach allows the network traffic to be analyzed by CPPM without requiring any additional mirroring or redirection of traffic, which would be resource-intensive and potentially disruptive to network performance.

Question 7

You have been instructed to look in an AOS Security Dashboard's client list. Your goal is to find clients that belong to the company and have connected to devices that might belong to hackers.

Which client fits this description?

AMAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Suspected Rogue

BMAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor

CMAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Interfering

DMAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Suspected Rogue

Answer : A

The AOS Security Dashboard in an AOS-8 solution (Mobility Controllers or Mobility Master) provides a client list through its Wireless Intrusion Prevention (WIP) system, showing the classification of clients and the APs they are connected to. The goal is to identify clients that belong to the company (Authorized clients) and have connected to devices that might belong to hackers (rogue or suspected rogue APs).

Client Classification:

Authorized: A client that has successfully authenticated to an authorized AP and is part of the company's network (e.g., an employee device).

Interfering: A client that is not authenticated to the company's network and is considered external or potentially malicious.

AP Classification:

Authorized: An AP that is part of the company's network and managed by the MC.

Suspected Rogue: An AP that is not authorized and is suspected of being malicious, often because it exhibits suspicious behavior (e.g., a BSSID close to an authorized AP, indicating potential spoofing).

Neighbor: An AP that is not part of the company's network but is not connected to the wired network (e.g., a nearby AP from another organization).

Interfering: An AP that is not part of the company's network and may be causing interference, but is not necessarily malicious.

The requirement is to find a client that is Authorized (belongs to the company) and connected to a Suspected Rogue AP (might belong to hackers).

Option A: MAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Suspected Rogue

This client is classified as 'Authorized,' meaning it belongs to the company, and it is connected to a 'Suspected Rogue' AP, which might belong to hackers. This matches the requirement perfectly.

Option B: MAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor

This client is 'Interfering' (not a company client) and connected to a 'Neighbor' AP, which is not considered a hacker's device (it's just a nearby AP).

Option C: MAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Interfering

This client is 'Interfering' (not a company client) and connected to an 'Interfering' AP, which is not necessarily a hacker's device (it may just be causing interference).

Option D: MAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Suspected Rogue

This client is 'Interfering' (not a company client), although it is connected to a 'Suspected Rogue' AP. It does not meet the requirement of being a company client.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'The Security Dashboard's client list in ArubaOS shows the classification of each client and the AP it is connected to. An 'Authorized' client is one that has successfully authenticated to an authorized AP and is part of the company's network. A 'Suspected Rogue' AP is an unauthorized AP that exhibits suspicious behavior, such as a BSSID close to an authorized AP, indicating potential spoofing by a hacker. To identify security risks, look for authorized clients connected to suspected rogue APs, as this may indicate a company device has connected to a malicious AP.' (Page 415, Security Dashboard Section)

Additionally, the HPE Aruba Networking Security Guide notes:

'WIP classifies clients as 'Authorized' if they have authenticated to an authorized AP managed by the controller. A 'Suspected Rogue' AP is a potential threat, as it may be attempting to mimic a legitimate AP to lure clients. Identifying authorized clients connected to suspected rogue APs is critical for detecting potential attacks, such as man-in-the-middle attempts by hackers.' (Page 78, WIP Classifications Section)

HPE Aruba Networking AOS-8 8.11 User Guide, Security Dashboard Section, Page 415.

HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78.

===========