Exam Prep Questions

Question 1

The goal of the SAFE Blueprint is to do which of the following?

  • A. Maximize security, despite any inconvenience to the users.

  • B. Establish a layer of security to satisfy management's need to meet government regulations.

  • C. Apply the best security according to the balance between security and ease of use that management has chosen.

  • D. Employ the latest technologies everywhere possible in the network.

  • E. All of these are correct.

A1:

Answer C is correct. The SAFE Blueprint is a design to implement the best security on a given network, but it also acknowledges that no one can have it all. Compromises will be made and design alternatives will be chosen, depending on whether greater ease of use or more security is desired. In other words, it seeks the best security according to the balance an organization chooses between security and ease of use. Part of the challenge of security implementations is to keep things usable, lest the users defeat your implementation by working around it; that rules out answer A. Answer B implies an external driver for security without management necessarily buying in; although that is certainly possible, it is not the goal of the SAFE Blueprint. Answer D leaves no room for compromise or design choices in the balancing act (choices that might reflect a balance slanted toward ease of use). Because answers A, B, and D are incorrect, answer E cannot be correct.

Question 2

When is it appropriate to determine the balance point between security and ease of use?

  • A. Before beginning the SAFE implementation.

  • B. During the planning process, when technologies to implement are being chosen.

  • C. During the planning process, when the specific hardware and software choices are being budgeted.

  • D. During the physical installation, when devices are actually placed, with a bit of trial-and-error updating.

  • E. None of these is correct.

A2:

Answer A is correct. The SAFE Blueprint assumes that management has already chosen how secure it wants the network to be and how easy to use it must be: This is described in the security policy. The technologies chosen (answer B) and the hardware and software choices (answer C) depend on where the balance point is. Although there might be an iterative effect (especially if you can't implement anything effective with the budget you've been given), the balance point chosen must influence the choice of technologies and supporting devices, not the other way around. In the middle of the project is not the time to be deciding what the goal will be; answer D is just that kind of choice.

Question 3

Which of the following is not an information asset? (Choose two.)

  • A. A DHCP server

  • B. The system administrator responsible for the database implementation

  • C. The support contract for the workstations

  • D. The CEO's PDA

A3:

Answers B and C are correct. All the hardware connected to the network, all the software on that hardware, and all the data used by the applications and users are information assets. Some people might argue that the system will eventually experience greater errors without a competent administrator, but the people using and operating the system are not a part of the SAFE Blueprint, and that is what this exam is about. Likewise, the support contract might help you implement SAFE (through technical assistance and provision of software patches), but it does not hold or transport information that belongs to the company.

Question 4

End-user devices can be found in which part of the network? (Choose two.)

  • A. Campus module

  • B. Edge

  • C. Access layer

  • D. Distribution layer

  • E. Core layer

A4:

Answers A and C are correct. End-user devices form a part of the Access layer, while the Distribution layer connects portions of the Access layer, sometimes directly and sometimes via the Core layer. Most of the Access layer resides within the campus. The Distribution and Core layers transport information between end users and the user-support devices, such as servers and printers. The tricky part of the question is answer B: Although end users who are remote connect into the campus via the edge (through the PSTN or the Internet, for instance), those users and their devices are not a part of the edge. Remember that the edge is the part of your network that connects it to the outside world: to the PSTN and the Internet, to receive connections from remote users, among others.

Question 5

IP phones are which kind of device?

  • A. PSTN

  • B. Network

  • C. User support

  • D. End user

A5:

Answer D is correct: IP phones are one of many types of end-user devices. It might help to remember that their primary users are people instead of other devices. Network devices (answer B) provide and control data transport, while user-support devices (answer C) provide centralized resources for many users, including network and other user-support devices, which might access them independently and simultaneously. Although the PSTN has migrated from an analog to a digital network, IP phones can connect to it for part of their function while connecting to other resources (such as private conferencing) for others. Merely connecting to the PSTN is not enough to make an IP phone a PSTN device (answer A). Therefore, answers A, B, and C are incorrect.

Question 6

Which of the following is not a user-support device?

  • A. VPN concentrator

  • B. AAA server

  • C. Web server

  • D. SNMP server

A6:

Answer A is correct: A VPN concentrator is a networking device because when you reach the point of having multiple VPN connections, a router cannot manage all the connections. Therefore, the VPN concentrator is needed to handle the data flow for incoming traffic. The AAA server (answer B), the Web server (answer C), and the SNMP server (answer D) all support many users as they do what they need to do: they support actors without ever becoming stars; another way to describe it is that they provide support services to end users. The network and the users could operate without them.

Question 7

Within the campus, which devices need more protection?

  • A. IP telephony equipment.

  • B. End-user devices.

  • C. User-support devices.

  • D. These devices need equal levels of protection.

A7:

Answer C is correct. The user-support devices connect to many user devices, so one infected or corrupted server could infect many hosts. An end-user device (answer B) can connect to a handful of servers, but it has a much smaller potential for direct infection of other devices. IP telephony equipment offers another vector for incoming problems, but the equipment is composed of IP phones (end-user devices) and the call manager servers (user-support devices), and the same reasoning applies. One call manager can infect many phones, but a single phone has few direct connections; this rules out answer A. Answer D is incorrect because the disruptive potential of devices connected to many users (the user-support devices) far exceeds that of the end-user devices, so unequal degrees of protection are advisable.

Question 8

Configuration of networking devices has a kind of priority. Which of these is not among those priorities?

  • A. Self-protection

  • B. Antivirus protection

  • C. Protection of other networking devices

  • D. End-user and user-support device protection

A8:

Answer B is correct. Just because something is a reasonable security precaution, and is even discussed in the SAFE Blueprint, does not mean that it is relevant to a particular question. In this case, although antivirus protection is necessary on all end-user devices and many user-support devices (there are not many antivirus programs for printers, for instance), it is not a priority in configuring a network device. Network device-configuration priorities under the SAFE Blueprint are

  1. Protect themselves

  2. Protect each other

  3. Protect the rest of the network devices (end user and user support)

Question 9

Why should internal-only assets be easier to protect than external-facing assets? (Choose two.)

  • A. External-facing assets have at least one interface not under your control.

  • B. Internal-only assets use different software packages (different IOS versions, for instance), and those packages offer more options.

  • C. Internal-only assets are your property, while external-facing assets are customer premises equipment (CPE), owned by the party at the other end of the wire.

  • D. Internal-only assets can be accessed only from inside your network.

A9:

Answers A and D are correct. All connections to an internal-only device originate on other equipment that you control; there is no access to them from outside your network. Access from outside defines external-facing devices and means that someone else controls the other end of that connection. Because you control all access (including physical access) instead of some access, internal-only devices are subject only to those threats that you permit, not those permitted by someone else as well. External-facing devices are still your assets rather than CPE, which rules out answer C. Answer B might or might not be true (and there are arguments both for and against it); however, which software package is operating on a device is not necessarily the characteristic that determines its protectability.

Question 10

When there is a conflict between the standard network design model (Access, Distribution, and Core layers) and the SAFE Blueprint, which should win out?

  • A. SAFE because security must always have priority over ease of use.

  • B. The standard model because security cannot be allowed to disrupt network traffic flow.

  • C. It depends on where the balance point between security and ease of use has been applied.

  • D. Neither. The standard network design model and the SAFE Blueprint answer two different questions.

A10:

Answer D is correct. The SAFE Blueprint does not replace the standard Access, Distribution, Core model. In fact, the standard model should be used to optimize traffic flow, that is, the flow of the traffic you choose to permit. Every organization must choose its own balancing point between security and ease of use; that eliminates both answers A and B. However, it makes answer C attractive. Unfortunately, even though answer C is an accurate statement in its own right, it does not answer the question that was asked, which refers to a contest between the two design models that does not exist. In fact, rather than being competing design models, the two are actually complementary, answering two different questions about how to plan and configure a network.




CSI Exam Cram 2 (Exam 642-541)
CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
EAN: 2147483647
Year: 2002
Pages: 177
Authors: Annlee Hines