Secure Network Design

Correct Answer: Implement a VLAN

Implementing a VLAN is the best solution for this purpose because it helps to segment the network and limit unauthorized access effectively. VLANs also provide the ability to enforce security policies, reducing the chance of data leakage by separating sensitive data into different segments. Using a hub, on the other hand, is not a suitable option because hubs do not provide any security features and they broadcast all data to every device on the network, leading to higher chances of data leakage. Disabling port security is also not recommendable as it leaves the network vulnerable to unauthorized devices. And using WEP encryption is not a desirable option in this case as well because it's an outdated and weak security protocol that is easy to crack. Thus, to ensure a secure enterprise network, implementing a VLAN is the most effective solution.

Correct Answer: Implement encryption for sensitive data

The most prioritized step when designing a secure network for a small financial services company that must follow strict data protection regulations would be to 'Implement encryption for sensitive data'. This is because encryption is one of the most effective ways to achieve data security. When data are in an encryption state, they cannot be easily intercepted or accessed by unauthorized individuals. Financial data, in particular, is extremely sensitive and could have severe consequences if compromised, so encryption is essential. 'Allow remote access for all employees' is not a good security practice, as it increases the attack surface and risks unauthorized access. 'Use a single-sign on system without 2FA' is also not good practice — 2-factor authentication adds an important additional layer of security, making it more difficult for unauthorized users to gain access. Finally, 'Disable network security logging' is actually counterproductive and would degrade network security rather than enhance it, as logs are important for detecting and investigating potential security incidents.

Correct Answer: Place an intrusion prevention system (IPS) between the DMZ and internal network

The best security measure to improve a network architecture that includes a web server hosted in the DMZ is to 'Place an intrusion prevention system (IPS) between the DMZ and the internal network'. An IPS can prevent any unauthorized access or attacks from the DMZ to the internal network, allowing to block any harmful traffic while permitting secure and legitimate trafficThe other options are not the best measures for improving security. 'Disabling firewall rules' would provide less protection, not more, as it would open up the network to all types of unregulated external access. 'Enabling port forwarding on the router' doesn't necessarily increase security, as it could potentially expose the network to attacks by redirecting traffic to specific internal network services. ‘Remove multi-factor authentication (MFA)’ option is wrong, MFA is actually a good security practice that increases protection by requiring multiple methods of identification. Removal of MFA will reduce the security level.