HP Aruba Certified Network Security Associate HPE6-A78 Exam Practice Test

Page: 1 / 14
Total 168 questions

Want more questions? Get Premium Access.
()

Question 1

Your AOS solution has detected a rogue AP with Wireless Intrusion Prevention (WIP). Which information about the detected radio can best help you to locate the rogue device?

AThe detecting devices

BThe match method

CThe confidence level

DThe match type

Answer : A

In an HPE Aruba Networking AOS-8 solution, the Wireless Intrusion Prevention (WIP) system is used to detect and classify rogue Access Points (APs). When a rogue AP is detected, the AOS system provides various pieces of information about the detected radio, such as the SSID, BSSID, match method, match type, confidence level, and the devices that detected the rogue AP. The goal is to locate the physical rogue device, which requires identifying its approximate location in the network environment.

Option A, 'The detecting devices,' is correct. The 'detecting devices' refer to the authorized APs or radios that detected the rogue AP's signal. This information is critical for locating the rogue device because it provides the physical locations of the detecting APs. By knowing which APs detected the rogue AP and their signal strength (RSSI) readings, you can triangulate the approximate location of the rogue AP. For example, if AP-1 in Building A and AP-2 in Building B both detect the rogue AP, and AP-1 reports a stronger signal, the rogue AP is likely closer to AP-1 in Building A.

Option B, 'The match method,' is incorrect. The match method (e.g., 'Plus one,' 'Eth-Wired-Mac-Table') indicates how the rogue AP was classified (e.g., based on a BSSID close to a known MAC or its presence on the wired network). While this helps understand why the AP was classified as rogue, it does not directly help locate the physical device.

Option C, 'The confidence level,' is incorrect. The confidence level indicates the likelihood that the AP is correctly classified as rogue (e.g., 90% confidence). This is useful for assessing the reliability of the classification but does not provide location information.

Option D, 'The match type,' is incorrect. The match type (e.g., 'Rogue,' 'Suspected Rogue') specifies the category of the classification. Like the match method, it helps understand the classification but does not aid in physically locating the device.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'When a rogue AP is detected by the Wireless Intrusion Prevention (WIP) system, the 'detecting devices' information lists the authorized APs or radios that detected the rogue AP's signal. This is the most useful information for locating the rogue device, as it provides the physical locations of the detecting APs. By analyzing the signal strength (RSSI) reported by each detecting device, you can triangulate the approximate location of the rogue AP. For example, if AP-1 and AP-2 detect the rogue AP, and AP-1 reports a higher RSSI, the rogue AP is likely closer to AP-1.' (Page 416, Rogue AP Detection Section)

Additionally, the HPE Aruba Networking Security Guide notes:

'To locate a rogue AP, use the 'detecting devices' information in the AOS Detected Radios page. This lists the APs that detected the rogue AP, along with signal strength data, enabling triangulation to pinpoint the rogue device's location.' (Page 80, Locating Rogue APs Section)

HPE Aruba Networking AOS-8 8.11 User Guide, Rogue AP Detection Section, Page 416.

HPE Aruba Networking Security Guide, Locating Rogue APs Section, Page 80.

===========

Question 2

How can ARP be used to launch attacks?

AHackers can use ARP to change their NIC's MAC address so they can impersonate legiti-mate users.

BHackers can exploit the fact that the port used for ARP must remain open and thereby gain remote access to another user's device.

CA hacker can use ARP to claim ownership of a CA-signed certificate that actually belongs to another device.

DA hacker can send gratuitous ARP messages with the default gateway IP to cause devices to redirect traffic to the hacker's MAC address.

Answer : D

ARP (Address Resolution Protocol) can indeed be exploited to conduct various types of attacks, most notably ARP spoofing/poisoning. Gratuitous ARP is a special kind of ARP message which is used by an IP node to announce or update its IP to MAC mapping to the entire network. A hacker can abuse this by sending out gratuitous ARP messages pretending to associate the IP address of the router (default gateway) with their own MAC address. This results in traffic that was supposed to go to the router being sent to the attacker instead, thus potentially enabling the attacker to intercept, modify, or block traffic.

Question 3

What is one way that WPA3-Enterprise enhances security when compared to WPA2-Enterprise?

AWPA3-Enterprise implements the more secure simultaneous authentication of equals (SAE), while WPA2-Enterprise uses 802.1X.

BWPA3-Enterprise provides built-in mechanisms that can deploy user certificates to authorized end-user devices.

CWPA3-Enterprise uses Diffie-Hellman in order to authenticate clients, while WPA2-Enterprise uses 802.1X authentication.

DWPA3-Enterprise can operate in CNSA mode, which mandates that the 802.11 association uses secure algorithms.

Answer : D

WPA3-Enterprise enhances network security over WPA2-Enterprise through several improvements, one of which is the ability to operate in CNSA (Commercial National Security Algorithm) mode. This mode mandates the use of secure cryptographic algorithms during the 802.11 association process, ensuring that all communications are highly secure. The CNSA suite provides stronger encryption standards designed to protect sensitive government, military, and industrial communications. Unlike WPA2, WPA3's CNSA mode uses stronger cryptographic primitives, such as AES-256 in Galois/Counter Mode (GCM) for encryption and SHA-384 for hashing, which are not standard in WPA2-Enterprise.

Question 4

You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and WPA3-Enterprise for the security option.

You have decided to assign the WLAN to VLAN 301, a new VLAN. A pair of core routing switches will act as the default router for wireless user traffic.

Which links need to carry VLAN 301?

Aonly links in the campus LAN to ensure seamless roaming

Bonly links between MC ports and the core routing switches

Conly links on the path between APs and the core routing switches

Donly links on the path between APs and the MC

Answer : B

In a wireless network deployment with Aruba Mobility Master (MM), Mobility Controllers (MCs), and Campus APs (CAPs), where a WLAN is configured to use Tunnel mode for forwarding, the user traffic is tunneled from the APs to the MCs. VLAN 301, which is assigned to the WLAN, must be present on the links from the MCs to the core routing switches because these switches act as the default router for the wireless user traffic. It is not necessary for the VLAN to be present on all campus LAN links or AP links, only between the MCs and the core routing switches where the routing for VLAN 301 will occur.

Question 5

What is a reason to set up a packet capture on an HPE Aruba Networking Mobility Controller (MC)?

AThe security team believes that a wireless endpoint connected to the MC is launching an attack and wants to examine the traffic more closely.

BThe company wants to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to profile devices and needs to receive HTTP User-Agent strings from the MC.

CYou want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control Web traffic based on the destination URL.

DYou want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control the traffic based on application.

Answer : A

Packet captures on an HPE Aruba Networking Mobility Controller (MC) are a powerful troubleshooting and analysis tool, allowing administrators to capture and analyze network traffic at various levels (e.g., control plane or data plane). The MC supports packet captures for both wired and wireless traffic, which can be filtered based on criteria such as IP address, MAC address, or port.

Option A, 'The security team believes that a wireless endpoint connected to the MC is launching an attack and wants to examine the traffic more closely,' is correct. Packet captures are commonly used in security investigations to analyze the traffic of a specific endpoint suspected of malicious activity. For example, if a wireless client is suspected of launching an attack (e.g., a DoS attack or data exfiltration), a packet capture on the MC can capture the client's traffic (filtered by MAC or IP address) for detailed analysis, helping the security team identify the nature of the attack.

Option B, 'The company wants to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to profile devices and needs to receive HTTP User-Agent strings from the MC,' is incorrect. While CPPM can use HTTP User-Agent strings for device profiling, this is typically achieved by mirroring HTTP traffic to CPPM (e.g., using a datapath mirror on the MC), not by setting up a packet capture. Packet captures are for manual analysis, not for feeding data to CPPM.

Option C, 'You want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control Web traffic based on the destination URL,' is incorrect. The AOS firewall on the MC can control traffic based on applications or services (e.g., using deep packet inspection, DPI), but it does not support URL-based filtering directly. URL filtering typically requires an external solution (e.g., a web proxy or firewall). Packet captures are not used to enable URL-based control by the firewall.

Option D, 'You want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control the traffic based on application,' is incorrect. The AOS firewall can already perform application-based control using DPI (if enabled), without requiring a packet capture. Packet captures are for manual analysis, not for enabling firewall functionality.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'Packet captures on the Mobility Controller are useful for troubleshooting and security investigations. For example, if the security team suspects that a wireless endpoint is launching an attack, you can set up a packet capture on the MC's data plane to capture the endpoint's traffic. Use the command packet-capture datapath <filter> (e.g., filter by the client's MAC address) to capture the traffic, which can then be analyzed to identify malicious activity.' (Page 515, Packet Capture Section)

Additionally, the HPE Aruba Networking Security Guide notes:

'Packet captures are a critical tool for security teams to investigate potential attacks. By capturing traffic from a specific wireless client suspected of malicious behavior, administrators can analyze the packets to determine the nature of the attack, such as a DoS attack or unauthorized data exfiltration.' (Page 65, Security Troubleshooting Section)

HPE Aruba Networking AOS-8 8.11 User Guide, Packet Capture Section, Page 515.

HPE Aruba Networking Security Guide, Security Troubleshooting Section, Page 65.

===========

Question 6

What is one method for HPE Aruba Networking ClearPass Policy Manager (CPPM) to use DHCP to classify an endpoint?

AIt can determine information such as the endpoint OS from the order of options listed in Option 55 of a DHCP Discover packet.

BIt can respond to a client's DHCP Discover with different DHCP Offers and then analyze the responses to identify the client OS.

CIt can snoop DHCP traffic to register the clients' IP addresses. It then knows where to direct its HTTP requests to actively probe for information about the client.

DIt can alter the DHCP Offer to insert itself as a proxy gateway. It will then be inline in the traffic flow and can apply traffic analytics to classify clients.

Answer : A

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to classify endpoints, and one of its passive profiling methods involves analyzing DHCP traffic. DHCP fingerprinting is a technique where ClearPass examines the DHCP packets sent by a client, particularly the DHCP Discover packet, to identify the device's operating system or type based on specific attributes.

Option A, 'It can determine information such as the endpoint OS from the order of options listed in Option 55 of a DHCP Discover packet,' is correct. DHCP Option 55 (Parameter Request List) is a field in the DHCP Discover packet where the client specifies the list of DHCP options it requests from the server. The order and combination of these options are often unique to specific operating systems or device types (e.g., Windows, Linux, macOS, or IoT devices). ClearPass maintains a database of DHCP fingerprints and matches the Option 55 data against this database to classify the endpoint.

Option B, 'It can respond to a client's DHCP Discover with different DHCP Offers and then analyze the responses,' is incorrect because ClearPass does not act as a DHCP server or send DHCP Offers. It passively snoops DHCP traffic rather than actively responding to DHCP requests.

Option C, 'It can snoop DHCP traffic to register the clients' IP addresses,' is partially correct in that ClearPass does snoop DHCP traffic, but the purpose is not just to register IP addresses for HTTP probing. While ClearPass can use IP addresses for active probing (e.g., HTTP or SNMP), the question specifically asks about using DHCP to classify, which is done via fingerprinting, not IP registration.

Option D, 'It can alter the DHCP Offer to insert itself as a proxy gateway,' is incorrect because ClearPass does not modify DHCP packets or act as a proxy gateway. This is not a function of ClearPass in the context of DHCP-based profiling.

The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states:

'ClearPass can profile devices using DHCP fingerprinting, a passive profiling method. When a device sends a DHCP Discover packet, ClearPass examines the packet's attributes, including the order of options in DHCP Option 55 (Parameter Request List). The combination and order of these options are often unique to specific operating systems or device types. ClearPass matches these attributes against its DHCP fingerprint database to classify the device (e.g., identifying a device as a Windows 10 laptop or an Android phone).' (Page 247, DHCP Fingerprinting Section)

Additionally, the ClearPass Device Insight Data Sheet notes:

'DHCP fingerprinting allows ClearPass to passively collect device information without interfering with network traffic. By analyzing DHCP Option 55, ClearPass can accurately determine the device's operating system and type, enabling precise policy enforcement.' (Page 3)

HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, DHCP Fingerprinting Section, Page 247.

ClearPass Device Insight Data Sheet, Page 3.

===========

Question 7

A company has HPE Aruba Networking Mobility Controllers (MCs), campus APs, and AOS-CX switches. The company plans to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other HPE Aruba Networking ClearPass solutions.

The HPE Aruba Networking ClearPass admins tell you that they want to use HTTP User-Agent strings to help profile the endpoints.

What should you do as a part of setting up Mobility Controllers (MCs) to support this requirement?

ACreate datapath mirrors that use the CPPM's IP address as the destination.

BCreate an IF-MAP profile, which specifies credentials for an API admin account on CPPM.

CCreate control path mirrors to mirror HTTP traffic from clients to CPPM.

DCreate a firewall whitelist rule that permits HTTP and CPPM's IP address.

Answer : A

HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to classify endpoints, and one of its profiling methods involves analyzing HTTP User-Agent strings to identify device types (e.g., iPhone, Windows laptop). HTTP User-Agent strings are sent in HTTP headers when a client accesses a website. For CPPM to profile devices using HTTP User-Agent strings, it must receive the HTTP traffic from the clients. In this scenario, the company is using Mobility Controllers (MCs), campus APs, and AOS-CX switches, and CPPM is the only ClearPass solution in use.

HTTP User-Agent Profiling: CPPM can passively profile devices by analyzing HTTP traffic, but it needs to receive this traffic. In an AOS-8 architecture, the MC can mirror client traffic to CPPM for profiling. Since HTTP traffic is part of the data plane (user traffic), the MC must mirror the data plane traffic (not control plane traffic) to CPPM.

Option A, 'Create datapath mirrors that use the CPPM's IP address as the destination,' is correct. The MC can be configured to mirror client HTTP traffic to CPPM using a datapath mirror (also known as a GRE mirror). This involves setting up a mirror session on the MC that sends a copy of the client's HTTP traffic to CPPM's IP address. CPPM then analyzes the HTTP User-Agent strings in this traffic to profile the endpoints. For example, the command mirror session 1 destination ip <CPPM-IP> source ip any protocol http can be used to mirror HTTP traffic to CPPM.

Option B, 'Create an IF-MAP profile, which specifies credentials for an API admin account on CPPM,' is incorrect. IF-MAP (Interface for Metadata Access Points) is a protocol used for sharing profiling data between ClearPass and other systems (e.g., Aruba Introspect), but it is not used for sending HTTP traffic to CPPM for profiling. Additionally, IF-MAP is not relevant when only CPPM is in use.

Option C, 'Create control path mirrors to mirror HTTP traffic from clients to CPPM,' is incorrect. Control path (control plane) traffic includes management traffic between the MC and APs (e.g., AP registration, heartbeats), not client HTTP traffic. HTTP traffic is part of the data plane, so a datapath mirror is required, not a control path mirror.

Option D, 'Create a firewall whitelist rule that permits HTTP and CPPM's IP address,' is incorrect. A firewall whitelist rule on the MC might be needed to allow traffic to CPPM, but this is not the primary step for enabling HTTP User-Agent profiling. The key requirement is to mirror the HTTP traffic to CPPM, which is done via a datapath mirror, not a firewall rule.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

'To enable ClearPass Policy Manager (CPPM) to profile devices using HTTP User-Agent strings, the Mobility Controller (MC) must mirror client HTTP traffic to CPPM. This is done by creating a datapath mirror session that sends a copy of the client's HTTP traffic to CPPM's IP address. For example, use the command mirror session 1 destination ip <CPPM-IP> source ip any protocol http to mirror HTTP traffic to CPPM. CPPM then analyzes the HTTP User-Agent strings to classify endpoints by type (e.g., iPhone, Windows laptop).' (Page 350, Device Profiling with CPPM Section)

Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes:

'HTTP User-Agent profiling requires ClearPass to receive HTTP traffic from clients. In an Aruba Mobility Controller environment, configure a datapath mirror to send HTTP traffic to ClearPass's IP address. ClearPass will parse the HTTP User-Agent strings to identify device types and operating systems, enabling accurate profiling.' (Page 249, HTTP User-Agent Profiling Section)

HPE Aruba Networking AOS-8 8.11 User Guide, Device Profiling with CPPM Section, Page 350.

HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, HTTP User-Agent Profiling Section, Page 249.

===========