Exam CISSP topic 1 question 371 discussion

Although not explicitly mentioned in the question, printers would have to be connected through a switch regardless of VLAN/port security config on that switch. The question states that printers do not support IEEE 802.1x. This means that we have to disable 802.1x for the printers. Now, port security will just ensure that no one could unplug the printer and connect an unauthorized device/workstation. It does this by remembering the MAC address of the printer that was connected to that particular port. The way I would do it instead is via VLAN+ACL+port security. This VLAN will hopefully have all printers that do not support 802.1x

Agree with A.

Implementing A ...you can use sticky mac.. Implementing B .. you can separate all print traffic ok. Goal is to implement NAC... choice A is more in line with this.

vlan do seprate printer from other devices. then how can you use the printer to print ? other device must connect with it. so chose A .

NAC is a form of port control to allow only authorised devices to connect. Short of this the next best closest is Port Security to control based on Layer 2. VLAN does not control who can connect to the port that belongs to printer vlan, its function is just to put them into smaller boradcast domain. I believe this is the answer its asking for.

Port security allows printer to get connected, all other options are with 802.1x and that printer does not support.

D: Implement a (VLAN) for the printers 1. Port security (option A) on the switch ports for the printers can provide some level of control over who can access the printers. However, it may not fully address the issue of printers not supporting IEEE 802.1x. 2. Doing nothing (option B) and considering IEEE 802.1x irrelevant to printers is not recommended. NAC using IEEE 802.1x is an important security measure to control access to the network. Ignoring the issue could leave the printers vulnerable and compromise the overall security of the network. 3. Installing an IEEE 802.1x bridge for the printers (option C) could potentially allow the printers to connect to the network through the NAC system. However, this solution may require additional hardware and configuration, making it more complex and costly compared to implementing a VLAN. Using a VLAN provides a simpler and more straightforward approach to segregating printer traffic.

D. Implement a virtual local area network (VLAN) for the printers. Creating a separate VLAN for the printers is a practical solution in this scenario. It allows you to isolate the printers from the main network while still providing connectivity to them. This way, the printers won't be subject to IEEE 802.1x authentication, and they can function without issues. It also enhances network security by segmenting the printers from other devices, reducing the attack surface.

We want to implement compensating control for NAC, port security does not help if printer is compromised but VLANs can segment the network and limit access to the rest of the network if printer is compromised.

It’s obviously D

A. Implement port security on the switch ports for the printers.

From the CISSP Official Study Guide - "IEEE 802.1 X defines the use of encapsulated EAP to support a wide range of authentication options for LAN connections. The IEEE 802. IX standard is formally named "Port-Based Network Access Control," where port refers to any network link, not just physical RJ-45 jacks. This technology ensures that clients can't communicate with a resource until proper authentication has taken place. It's based on Extensible Authentication Protocol (EAP) from PPP." No IEEE 802. IX no port-based network access control.

A is the best answer. Separate VLAN for a printer is also a solution, it requires further configuration efforts to achieve the expected security and is an expensive option. A is the cost-effective and simplistic solution. Port Security helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. The port security feature offers the following benefits: You can limit the number of MAC addresses on a given port. Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecured packets) are restricted. You can enable port security on a per-port basis. Port security implements two traffic filtering methods, dynamic locking and static locking. These methods can be used concurrently. Static locking.

Vote D, if the printer not support IEEE 802.1x, B and C wont work. Port security not help for the the printer connection if not support IEEE 802.1x, but separate VLAN can help

port security will ensure identification by restricting printers mc address

Answer is 'A'. port security can give access to printer based on MAC Address - and this is a solution. Answer D do not help. basically today every host is in VLAN :) putting Printer in different vlan change nothing regarding security.

The Answer is "D". VLANs NOT port security, allows administrators to apply security policies to respective zones or segments. This is what needs to happen to these printers since they can NOT follow the NAC 802.1x.