Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

HP Exam HPE6-A84 Topic 1 Question 26 Discussion

Actual exam question for HP's HPE6-A84 exam
Question #: 26
Topic #: 1
[All HPE6-A84 Questions]

Refer to the scenario.

A customer has an AOS10 architecture that is managed by Aruba Central. Aruba infrastructure devices authenticate clients to an Aruba ClearPass cluster.

In Aruba Central, you are examining network traffic flows on a wireless IoT device that is categorized as ''Raspberry Pi'' clients. You see SSH traffic. You then check several more wireless IoT clients and see that they are sending SSH also.

You want a relatively easy way to communicate the information that an IoT client has used SSH to Aruba CPPM.

What is one prerequisite?

Show Suggested Answer Hide Answer
Suggested Answer: B

This is because SNMPv3 is a secure version of SNMP that provides authentication, encryption, and access control for network management. SNMPv3-only is a configuration option on AOS-CX switches that disables SNMPv1 and SNMPv2c, which are insecure versions of SNMP that use plain text community strings for authentication. By setting the snmp-server settings to ''snmpv3-only'', the switch will only respond to SNMPv3 requests and reject any SNMPv1 or SNMPv2c requests, thus remedying the vulnerability and meeting the customer's requirements.

A) Enabling control plane policing to automatically drop SNMP GET requests. This is not a valid recommendation because control plane policing is a feature that protects the switch from denial-of-service (DoS) attacks by limiting the rate of traffic sent to the CPU. Control plane policing does not disable SNMPv1 or SNMPv2c, but rather applies a rate limit to all SNMP requests, regardless of the version. Moreover, control plane policing might also drop legitimate SNMP requests if they exceed the rate limit, which could affect the network management.

C) Adding an SNMP community with a long random name. This is not a valid recommendation because an SNMP community is a shared secret that acts as a password for accessing network devices using SNMPv1 or SNMPv2c. Adding an SNMP community with a long random name does not disable SNMPv1 or SNMPv2c, but rather creates another community string that can be used for authentication. Moreover, adding an SNMP community with a long random name does not improve the security of SNMPv1 or SNMPv2c, as the community string is still transmitted in plain text and can be intercepted by an attacker.

D) Enabling SNMPv3, which implicitly disables SNMPv1/v2. This is not a valid recommendation because enabling SNMPv3 does not implicitly disable SNMPv1 or SNMPv2c on AOS-CX switches. Enabling SNMPv3 only adds support for the secure version of SNMP, but does not remove support for the insecure versions. Therefore, enabling SNMPv3 alone does not remedy the vulnerability or meet the customer's requirements.


by Desmond at Aug 28, 2024, 12:33 AM

Limited Time Offer

25%

Off

Get Premium HPE6-A84 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Janella
1 months ago
I'm going with option C. It's the only one that doesn't involve me having to wrestle with certificates or create some kind of secret agent API. Just give me that data collector token and let's move on!
upvoted 0 times
...
Lottie
1 months ago
Option D seems like a good fit, but I'm still trying to figure out what an 'API application' is. Is that like a mobile app for APIs? Asking for a friend.
upvoted 0 times
Carlota
2 days ago
You use the API application to generate a token that allows you to access the REST API.
upvoted 0 times
...
Alonso
11 days ago
It's not a mobile app, it's a way to interact with APIs programmatically.
upvoted 0 times
...
...
Julianna
1 months ago
Hold up, are we sure we even need to report this SSH activity to CPPM? Maybe those IoT devices are just doing some top-secret penguin-related business. Just saying.
upvoted 0 times
Anthony
25 days ago
A: Let's go ahead and enable event processing on subscribers in the ClearPass cluster.
upvoted 0 times
...
Makeda
26 days ago
B: I agree, it's better to be proactive about potential security risks.
upvoted 0 times
...
Amber
30 days ago
A: We should report the SSH activity to CPPM just to be safe.
upvoted 0 times
...
...
Emeline
2 months ago
I bet option B is the one they're looking for. Messing with CPPM's CA trust list sounds like a real pain, but it's probably the most secure approach.
upvoted 0 times
...
Anglea
2 months ago
Option C looks like the easiest way to get the job done. Gotta love those Aruba Central platform integration settings!
upvoted 0 times
Leontine
7 days ago
Rolande: No problem, glad I could help!
upvoted 0 times
...
Annamaria
10 days ago
User 3: I think I'll go with option C too. Thanks for the tip!
upvoted 0 times
...
Rolande
23 days ago
User 2: I agree, setting up a data collector token seems like the most straightforward solution.
upvoted 0 times
...
Chauncey
1 months ago
User 1: Option C is definitely the way to go. Aruba Central makes it so convenient.
upvoted 0 times
...
...
Lajuana
2 months ago
I'm not sure, but I think creating an API application and token within the REST API settings could also be a valid prerequisite.
upvoted 0 times
...
Cecilia
2 months ago
I agree with Virgie. It makes sense to have event processing enabled for communicating IoT client SSH usage to Aruba CPPM.
upvoted 0 times
...
Virgie
2 months ago
I think the prerequisite is to enable event processing on subscribers in the ClearPass cluster.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77