How To Secure Routers And Switches Information Technology Essay

You have been approached by your manager give a talk on the Network security standard ISO 17799. Write a short precise detailing the purpose of this document and the main components within parts 1 and 2 of the document. (http://www.17799central.com/iso17799.htm)

Write a brief analysis detailing the possible threats and consequences for a company that does not have an adequate Security Policy.

Write a summary of how an Edge router can be configured into a firewall; include detail of how it can be used to filter traffic. Describe the operation of CBAC

Detail the encryption techniques that are used in VPN systems and explain how/when they are used.

Describe how you can secure/harden routers and switches

Router hardening, password requirements, ssh, parser views, etc

Port security, vlan hopping, anti-snooping, private vlans

Multi-choice Review Questions

1.

In which type of attack does the potential intruder attempt to discover and map out systems, services, and vulnerabilities?

stake out

reconnaissance

tapping

sniffing

2.

Which type of attack prevents a user from accessing the targeted file server?

Reconnaissance attack

Denial of service attack

Prevention of entry attack

Disruption of structure attack

3.

Which type of action does the “ping sweep” pose to an organization?

eavesdropping

reconnaissance

denial of service

unauthorized access

4.

An employee of ABC Company receives an e-mail from a co-worker with an attachment. The employee opens the attachment and receives a call from the network administrator a few minutes later, stating that the employee’s machine has been attacked and is sending SMTP messages. Which category of attack is this? B)

denial of service

trojan horse

port scanning

password attack

social engineering

5.

What is a major characteristic of a Worm? D)

malicious software that copies itself into other executable programs

tricks users into running the infected software

a set of computer instructions that lies dormant until triggered by a specific event

exploits vulnerabilities with the intent of propagating itself across a network

6.

A large investment firm has been attacked by a worm. In which order should the network support team perform the steps to mitigate the attack? A)

A. inoculation

B. treatment

C. containment

D. quarantine

C,A,D,B

A,B,C,D

A,C,B,D

D,A,C,B

C,B,A,D

7.

At XYZ Company, the policy for network use requires that employees log in to a Windows domain controller when they power on their work computers. Although XYZ does not implement all possible security measures, outgoing traffic is filtered using a firewall. Which security model is the company using? D)

open access

closed access

hybrid access

Restrictive access

8.

Which three of these are common causes of persistent vulnerabilities in networks? (Choose three.)

new exploits in existing software

misconfigured hardware or software

poor network design

changes in the TCP/IP protocol

changes in the core routers on the Internet

end-user carelessness

9.

A new network administrator is assigned the task of conducting a risk assessment of the company’s network. The administrator immediately conducts a vulnerability assessment. Which important task should the administrator have completed first?

threat identification

security level application

patch and update deployment

asset identification

perimeter security upgrade

10.

A company deployed a web server on the company DMZ to provide external web services. While reviewing firewall log files, the administrator discovered that a connection was made to the internal e-mail server from the web server in DMZ. After reviewing the e-mail server logs, the administrator discovered that an unauthorized account was created. What type of attack was successfully carried out?

phishing

port redirection

trust exploitation

man-in-the-middle

11.

Users are unable to access a company server. The system logs show that the server is operating slowly because it is receiving a high level of fake requests for service. Which type of attack is occurring?

reconnaissance

access

DoS

worms, viruses, and Trojan horses

12.

Which two are examples of Distributed Denial of Service attacks? (Choose two.) B) & D)

SYN Flood

Stacheldraht

Ping of Death

Smurf

WinNuke

Targa.c

13.

Which two of these are examples of DDoS network attacks? (Choose two.) A) & B)

smurf attack

Tribal Flood Network (TFN)

teardrop.c

man-in-the-middle attack

port redirection

social engineering

14.

Which two are technological weaknesses that can lead to a breach in an organization’s security? (Choose two.) C) & D)

software compatibility weakness

DHCP security weakness

TCP/IP protocol weakness

operating system weakness

LDAP weakness

15.

What is the effect of applying this command to a Cisco router? E)

router(config)# no service finger

UNIX commands are disabled on the router.

All TCP/IP services are disabled.

PING usage is disabled.

Users logged into the router remotely will not be able to see if other users are logged into the router

16.

A partial router configuration is shown in the graphic. The network administrator adds the following command at the router prompt.

router(config)# security passwords min-length 10

Which of the following is correct? A)

The current password will continue to be used as a valid password until changed.

No password is required.

The current password is invalid and will not allow a login.

A password that is at least ten characters long must immediately be implemented for a successful login.

17.

The Security Wheel promotes a continuous process to retest and reapply updated security measures. What is the core or “hub” component of the Security Wheel? D)

testing policy

monitor

improve

security policy

18.

After providing for all operational requirements of the network, the network support team has determined that the servers should be hardened against security threats so that the network can operate at full potential. At which stage of the network life cycle does server hardening occur? E)

planning

design

implementation

operation

optimization

19.

A network administrator installs a new stateful firewall. Which type of security solution is this?

secure connectivity

threat defense

policy enforcement

trust and identity

authentication

20.

XYZ Company recently adopted software for installation on critical servers that will detect malicious attacks as they occur. In addition, the software will stop the execution of the attacks and send an alarm to the network administrator. Which technology does this software utilize?

host-based intrusion detection

host-based intrusion protection

host-based intrusion prevention

host-based intrusion notification

21.

A security team is charged with hardening network devices. What must be accomplished first before deciding how to configure security on any device?

Audit all relevant network devices.

Document all router configurations.

Create or update security policies.

Complete a vulnerability assessment.

22.

Which two objectives must a security policy accomplish? (Choose two.)

provide a checklist for the installation of secure servers

describe how the firewall must be configured

document the resources to be protected

identify the security objectives of the organization

identify the specific tasks involved in hardening a router

23.

Which router command will result in the router only accepting passwords of 16 characters or more?

service password-encryption

enable secret min-length 16

security passwords min-length 16

security passwords max-length 16

24.

Which command will encrypt all passwords in the router configuration file? D)

enable secret

password encrypt all

enable password-encryption

service password-encryption

no clear-text password

25.

MD5 can be used for authenticating routing protocol updates for which three protocols? (Choose three.) B), D) & E)

RIPv1

RIPv2

IGRP

EIGRP

BGP

26.

Which configuration will allow an administrator to access the console port using a password of password? B)

router(config)# line aux 0

router(config-line)# login

router(config-line)# password password

router(config)# line console 0

router(config-line)# login

router(config-line)# password password

router(config)# line console 0

router(config-line)# password password

router(config)# line console 0

router(config-line)# access

router(config-line)# password password

router(config)# line vty 0

router(config-line)# password password

router(config)# line vty 0

router(config-line)# access

router(config-line)# password password

27.

Which command sets the inactivity timer, for a particular line or group of lines, to four minutes and fifteen seconds? E

router(config)# line-timeout 4 15

router(config-line)# line-timeout 4 15

router(config-line)# exec-timeout 255

router(config-line)# timeout 255

router(config-line)# exec-timeout 4 15

router(config-line)# line-timeout 255

28.

Which encryption type uses the MD5 hash algorithm?

Type 0

Type 1

Type 5

Type 7

29.

Which privilege level has the most access to the Cisco IOS?

level 0

level 1

level 7

level 15

level 16

level 20

30.

Which algorithm implements stateful connection control through the PIX Security Appliance?

Network Address Translation Algorithm

Access Control Security Algorithm

Adaptive Security Algorithm

Spanning Tree Protocol Algorithm

31.

The Cisco Security Device Manager (SDM) allows administrators to securely configure supported routers by using which security protocol in Microsoft Internet Explorer? B)

IPSec

SSL

SSH

L2TP

PPTP

32.

A network administrator has received a Cisco PIX Security Appliance from another division within the company. The existing configuration has IP addresses that will cause problems on the network. What command sequence will successfully clear all the existing IP addresses and configure a new IP address on ethernet0? B)

pix1(config)# clear ip all

pix1(config)# interface ethernet0

pix1(config-if)# ip address 192.168.1.2

pix1(config)# clear ip

pix1(config)# interface ethernet0

pix1(config-if)# ip address 192.168.1.2 255.255.255.0

pix1(config)# no ip address

pix1(config)# interface ethernet0

pix1(config-if)# ip address 192.168.1.2 255.255.255.0

pix1(config)# clear ip

pix1(config)# interface ethernet0

pix1(config-if)# ip address 192.168.1.2 0.0.0.255

33.

A network team is configuring a Cisco PIX Security Appliance for NAT so that local addresses are translated. The team is creating a global address pool using a subnet of network 192.168.5.0 with a 27-bit mask. What is the proper syntax to set up this global address pool? B)

pix1(config)# global (inside) 1 192.168.5.33-192.168.5.62

pix1(config)# global (outside) 1 192.168.5.33-192.168.5.62

pix1(config)# global (inside) 1 192.168.5.65-192.168.5.95

pix1(config)# global (outside) 1 192.168.5.65-192.168.5.95

pix1(config)# global (inside) 1 192.168.5.64-192.168.5.127

pix1(config)# global (outside) 1 192.168.5.65-192.168.5.127

34.

A network administrator has configured an access control list on the Cisco PIX Security Appliance that allows inside hosts to ping outside hosts for troubleshooting. Which debug command can be used to troubleshoot if pings between hosts are not successful?

debug icmp inside outside

debug ping

debug icmp trace

debug trace icmp

35.

Which protocol provides time synchronization?

STP

TSP

NTP

SMTP

L2TP

36.

Which command would configure a PIX Security Appliance to send syslog messages from its inside interface to a syslog server with the IP address of 10.0.0.3? D

pixfirewall(config)# syslog inside 10.0.0.3

pixfirewall(config)# logging inside 10.0.0.3

pixfirewall(config)# syslog host inside 10.0.0.3

pixfirewall(config)# logging host inside 10.0.0.3

37.

The configuration in the graphic has been entered into a PIX Security Appliance with three interfaces. The interfaces are inside, outside, and DMZ. What source address range will the traffic from inside devices use when they access devices in the DMZ?

10.0.0.1 to 10.0.0.254

172.16.0.20 to 172.16.0.254

172.16.0.1 to 172.16.0.254

192.168.0.20 to 192.168.0.254

10.0.0.1 to 10.255.255.254

38.

What source IP address will the traffic from devices in the 10.0.2.0 network have when they leave the trusted network? C)

192.168.0.8 always

192.168.0.9 always

192.168.0.8 if ports are available, or 192.168.0.9 if 192.168.0.8’s ports are exhausted

192.168.0.9 if ports are available, or 192.168.0.8 if 192.168.0.9’s ports are exhausted

39.

The commands in the graphic have been entered into a PIX Security Appliance. Which two statements are accurate descriptions of what will happen to outgoing traffic when it leaves the trusted network? (Choose two.) B) & C)

The source IP address will be from a pool of addresses in the 192.168.0.3 to 192.168.0.254 range.

The source port will be a random port above port 1023.

The source IP address will be 192.168.0.2 for all outgoing traffic.

The source port will be port 1024.

The source IP address will be in the range 10.0.0.1 to 10.0.255.254.

40.

Interface Ethernet3 on a PIX Security Appliance has been configured with three subinterfaces to pass tagged traffic from three different VLANs. What protocol will be used to tag the VLAN traffic?

ISL

802.1x

VTP

802.1q

41.

Which two commands will configure a static default route on the PIX Security Appliance in the network shown in the graphic? (Choose two.)

route inside outside 0.0.0.0 0.0.0.0 172.16.0.2 1

route outside 0.0.0.0 0.0.0.0 172.16.0.2 1

ip route inside outside 0 0 192.168.0.2 1

route outside 0 0 172.16.0.2 1

ip route inside outside 0 0 172.16.0.2 1

route outside 0 0 192.168.0.2 1

42.

How are transactions between a RADIUS client and a RADIUS server authenticated?

by using a shared secret which is never sent over the network

by hashing the secret using MD5 and then sending it over the network

by hashing the secret using MD4 and then sending it over the network

by using a clear-text password and then sending it over the network

43.

RADIUS uses which transport layer protocol? C)

IP

TCP

UDP

ICMP

DLC

44.

Which authentication method is susceptible to playback attacks? C)

passwords using S/KEY

passwords using token card

passwords requiring periodic change

passwords using one-time password technology

45.

Which authentication method sends passwords over the network in clear text yet protects against eavesdropping and password cracking attacks? C)

authentication with FTP

authentication with Telnet

authentication with S/KEY

authentication in POP3 e-mail

46.

After a security audit, network managers realized that the authentication method used by their telecommuting employees needed to be improved. They set up a server and installed client software on the employee laptops of their remote users. They also provided a device for each remote user that generated a password every time they needed to make a remote network connection. Which authentication technology does this process describe? B)

authentication with S/KEY

authentication with token card

authentication with encrypted password

authentication with compressed password

47.

What function does a digital certificate offer to information security? C)

authorization

accounting

nonrepudiation

intrusion prevention

48.

Bookline Inc., an online bookstore, recently installed a web server running Microsoft Windows 2003 Server. Where should the company obtain a digital signature for the web server in order to assure customers that they are connecting to Bookline’s server and not an impersonating web server?

a digital signature generated by the CA in Microsoft’s corporate headquarters

a digital signature generated by the CA from a trusted third party

a digital signature generated by the CA from a government agency

a digital signature generated by any CA that establishes a secure connection

49.

A large law firm wishes to secure dialup access to its corporate network for employees working at home. Since much of the data to be transmitted is highly confidential, the firm requires a high level of encryption and also prefers that each component of AAA be provided separately. Which security protocol best meets these requirements?

TACACS

XTACACS

TACACS+

RADIUS

50.

What are three reasons TACACS+ is preferred over RADIUS for authentication services? (Choose three.)

RADIUS has limited name space for attributes.

RADIUS is not an industry supported standard.

TACACS+ encrypts the entire TACACS+ packet.

TACACS+ authentication is included with more recent Windows Server versions.

TACACS+ separates authentication and authorization.

RADIUS uses TCP as a transport protocol creating additional overhead

51.

A static username/password authentication method is susceptible to which three types of attacks? (Choose three.)

playback

theft

teardrop

syn flood

eavesdropping

52.

Company security policy requires the use of a centralized AAA server for network access authentication. Which two protocols are supported by the AAA server? (Choose two.) C) & D)

IPSec

SSL

RADIUS

TACACS+

SSH

53.

Which three are functions of AAA? (Choose three.) A), C) & E)

accounting

availability

authentication

architecture

authorization

accessibility

54.

A network administrator wishes to use port-level authentication technology to determine network access and assign IP addresses from different DHCP pools to authenticated and unauthenticated users. What standardized framework supports this objective? A)

IEEE 802.1x

IEEE 802.11af

IEEE 802.1q

IEEE 802.1p

55.

What will be the result of executing the command in the graphic? C)

The default login method will use TACACS+ only.

TACACS+ accounting will be enabled at login.

The enable password will be used if a TACACS+ server is not available.

The default TACACS+ user shell will be enabled.

56.

Which AAA service reduces IT operating costs by providing detailed reporting and monitoring of network user behavior, and also by keeping a record of every access connection and device configuration change across the network?

authentication

accreditation

accounting

authorization

57.

What tool should you use to add a single user account to the Cisco Secure ACS for Windows user database?

database replication

Unknown User Policy

RDBMS Synchronization

Cisco Secure ACS HTML interface

58.

Refer to the exhibit. Which two services can the network access server use to direct requests from the remote user to the Cisco Secure ACS authentication service? (Choose two.)

CSAuth

CSUtil

RADIUS

RDBMS

TACACS+

59.

RTA(config)# tacacs-server key [email protected]?

RTA(config)# tacacs-server host 10.1.2.4

RTA(config)# tacacs-server host 10.1.2.5

What will be the effect of these commands on router RTA? C)

The TACACS+ server is now authenticating for the hosts 10.1.2.4 and 10.1.2.5.

The TACACS+ server key has been exported to the hosts 10.1.2.4 and 10.1.2.5.

The TACACS+ servers 10.1.2.4 and 10.1.2.5 and the router have been set to share the same authentication key.

The TACACS+ servers are 10.1.2.4 and 10.1.2.5 and the configuration adds router RTA as a third TACACS+ server.

60.

RTA(config)# aaa new-model

RTA(config)# aaa authentication login default group tacacs+ enable

After entering the configuration shown, the administrator loses the connection to the router before having the chance to create a new TACACS+ account. What is the easiest way for the administrator to regain administrative access to router RTA? C)

Connect to the router, and use the default TACACS+ username and password.

Erase NVRAM, and redo the configuration from scratch.

Connect to the router, and supply the enable password.

Perform a password recovery procedure on the router

61.

Which command associates the group MYGROUP with the AAA server using the TACACS+ protocol? D)

Pixfirewall(config)# aaa-server MYGROUP tacacs+ protocol

Pixfirewall(config)# aaa-server protocol tacacs+ MYGROUP

Pixfirewall(config)# aaa-server tacacs+ protocol MYGROUP

Pixfirewall(config)# aaa-server MYGROUP protocol tacacs+

62.

Which configuration command defines the association of initiating HTTP protocol traffic with an authentication proxy name MYPROXY? C)

Router(config)# ip auth-proxy MYPROXY http

Router(config)# auth-proxy MYPROXY ip http

Router(config)# ip auth-proxy name MYPROXY http

Router(config)# auth-proxy name MYPROXY ip http

63.

With the following configuration command, how long does the PIX Security Appliance try to access the AAA server 10.0.1.10 before choosing the next AAA server if there is no response from 10.0.1.10?

aaa-server MYTACACS (inside) host 10.0.1.10 secretkey

12 seconds

15 seconds

20 seconds

30 seconds

64.

Which command will enable AAA services on a router? B

Router(config)# aaa enable

Router(config)# aaa new-model

Router(config)# aaa set enable

Router(config)# aaa new-model enable

65.

What is the default timeout in minutes for the inactivity-timer parameter of the ip auth-proxy command?

15

30

45

60

90

66.

The network administrator configured the aaa authorization command below on the PIX Security Appliance. What is the effect of this command?

pix(config)# aaa authorization include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 auth1

FTP traffic from outside is subject to authorization by the AAA server.

SSH traffic from outside is subject to authorization by the AAA server.

HTTP traffic from outside is subject to authorization by the AAA server.

SMTP traffic from outside is subject to authorization by the AAA server.

67.

Which type of authentication is being used when authentication is required via the PIX Security Appliance before direct traffic flow is allowed between users and the company web server? C)

access authentication

console access authentication

cut-through proxy authentication

tunnel access authentication

68.

What will be the effect in the router after these configuration commands are entered? B)

Router(config)# ip auth-proxy name aprule http

Router(config)# interface ethernet0

Router(config-if)# ip auth-proxy aprule

An authentication proxy rule called aprule is created making all authentication proxy services available only through the ethernet0 interface.

An authentication proxy rule called aprule has been created for the HTTP protocol and is associated with the ethernet0 interface.

An authentication proxy rule called aprule has been created for all protocols except the HTTP protocol and is associated with the ethernet0 interface.

An authentication proxy rule called aprule has been created for the HTTP server running internally to the router and is associated with anyone attempting to access the web server from the ethernet0 interface.

69.

When Cisco IOS Firewall authentication proxy is enabled, a user sends HTTP traffic which will trigger the authentication proxy. What is the first action taken by the proxy? C)

The user will be asked to supply a valid username and password.

The TACACS+ server will be contacted to see if the user is a valid user.

The authentication proxy will check to see if the user has already been authenticated.

If the authentication proxy has no user account for the user, it will check to see if a default guest user has been defined.

70.

A TACACS+ server is configured to provide authentication, authorization, and accounting. The IP address of the server is 192.168.50.1, and the AAA authentication encryption key is S3crtK3y. Which command sequence will configure a Cisco router to communicate with the TACACS+ server? D)

Router(config)# aaa new-model

Router(config)# aaa authentication default group tacacs+

Router(config)# aaa authorization auth-proxy default group tacacs+

Router(config)# aaa tacacs-server host 192.168.50.1

Router(config)# aaa tacacs-server key S3crtK3y

Router(config)# aaa enable

Router(config)# aaa authentication default group tacacs+

Router(config)# aaa authorization auth-proxy default group tacacs+

Router(config)# tacacs-server host 192.168.50.1

Router(config)# tacacs-server key S3crtK3y

Router(config)# aaa enable

Router(config)# aaa authentication login default group tacacs+

Router(config)# aaa authorization auth-proxy default group tacacs+

Router(config)# aaa tacacs-server host 192.168.50.1

Router(config)# aaa tacacs-server key S3crtK3y

Router(config)# aaa new-model

Router(config)# aaa authentication login default group tacacs+

Router(config)# aaa authorization auth-proxy default group tacacs+

Router(config)# tacacs-server host 192.168.50.1

Router(config)# tacacs-server key S3crtK3y

71.

The lead network administrator notices that unknown users have made router configuration changes. These changes are adversely affecting the network. Which command can be entered on the router to help identify future configuration changes and who made these changes?

aaa accounting

show uauth

aaa accounting console

aaa accounting match

72.

Refer to the exhibit. Since ABC, Inc. is strengthening security, a PIX Security Appliance firewall must be configured with AAA services. Accounting should be provided for all FTP and HTTP traffic from any host to the WWW server at 192.168.2.10.

Which command sequence would successfully process the desired traffic to the NY_ACS accounting server? A

pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp

pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http

pixfirewall(config)# aaa accounting match 110 outside NY_ACS

pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp

pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http

pixfirewall(config)# aaa accounting access-list 110 outside 10.0.0.2

pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq ftp

pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq http

pixfirewall(config)# aaa accounting match 110 outside NY_ACS

pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp

pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http

pixfirewall(config)# aaa accounting match 110 outside 10.0.0.2

73.

Which command displays the current authenticated users, the host IP to which they are bound, and any cached IP and port authorization information on a Cisco PIX Security Appliance configured for AAA? B)

pixfirewall(config)# show aaa all

pixfirewall(config)# show uauth

pixfirewall(config)# show aaa statistics

pixfirewall(config)# show aaa-server

74.

A user has initiated an HTTP session through a firewall and has been authenticated by an authentication proxy. They have not generated any traffic in a while and the idle timer has expired for that user. What will the user have to do to allow them to go through the firewall again? D)

The user can manually restart the idle timer.

The user can simply TFTP their user profile to the proxy.

The user must wait two minutes before initiating another session.

The user can re-authenticate and initiate another HTTP session through the firewall.

75.

A network team has been tasked to develop a Cisco Secure ACS solution for port-based authentication. The network operation center for all three regions is located at Region 1. What is the best solution to ensure availability to a Cisco Secure ACS for port-based authentication? B)

Install a centralized primary and secondary authentication server at Region 1, which Region 2 and 3 will use for authentication.

Install a primary authentication server at each region and use one of the authentication servers from another region for redundancy.

Install a primary authentication server at Region 1 for Region 2 and 3 to authenticate, and install a secondary authentication server at Region 2 and 3 for redundancy.

Install a primary authentication server at each region and a secondary authentication server at Region 1 for the network operation center clients only.

76.

Port-based authentication is implemented as shown in the graphic. What protocol will be required for the client-to-switch connection and the switch-to-Cisco Secure ACS communications?

ISL; RADIUS

802.1x; RADIUS

802.1q; TACACS+

L2TP; TACACS

77.

A network administrator wants to configure a Catalyst switch to use a RADIUS server at 172.16.23.31 or a backup RADIUS server at 172.16.23.32 if the first server is unavailable. The administrator wants to use the default RADIUS UDP port and a shared key of Rad4Me. Which configuration will accomplish this goal? B

Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.31

Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.32

Switch(config)# radius-server host 172.16.23.31 auth-port 1812 key Rad4Me

Switch(config)# radius-server host 172.16.23.32 auth-port 1812 key Rad4Me

Switch(config)# radius-server host 172.16.23.31 172.16.23.32 key Rad4Me auth-port 1812

Switch(config)# radius-server host 172.16.23.31 key Rad4Me auth-port 1812

Switch(config)# radius-server host 172.16.23.32 key Rad4Me auth-port 1812

78.

Which command will turn off CBAC alert messages to the console? A

router(config)# ip inspect alert-off

router(config)# no ip inspect alert

router(config)# no ip inspect alert-off

router(config)# ip inspect alert log-only

79.

The timeout value in the ip inspect name command is configured in which units?

seconds

milliseconds

microseconds

minutes

80.

What does CBAC look for when inspecting TCP sequence numbers? B)

CBAC uses the sequence numbers to defragment the full packet.

CBAC checks that the sequence numbers are within an expected range.

CBAC rejects packets that arrive at an unusually high sequence rate.

CBAC matches the source sequence numbers to the destination sequence numbers

81.

Which statement is correct concerning CBAC inspection rules? A)

Alert, audit-trail, and timeout are configurable per protocol and override corresponding global settings.

Alert, audit-trail, and timeout are only globally configurable.

Alert, audit-trail, and timeout are not configurable globally.

Alert, audit-trail, and timeout are configurable only for TCP.

82.

Which statement is true concerning CBAC and fragmentation inspection rules? C)

An inspection rule instructing the router to fragment packets should always be utilized.

A fragmentation rule forces fragments to be buffered until the corresponding initial fragment is received.

A fragmentation rule forces non-initial fragments to be discarded unless the initial fragment was allowed to pass.

A fragmentation rule should not be used on exterior gateways.

83.

A network administrator needs to configure the router to redirect incoming HTTP requests to a web server at port 8020. Which command should be used? B)

Router(config)# ip port-map http eq 8020

Router(config)# ip port-map http port 8020

Router(config)# ip port-map port 8020 http

Router(config)# ip port-map port 8020 eq http

84.

The IT department has decided to offer web and FTP services using TCP port 8000. The web server IP address is 192.168.3.4 and the FTP server IP address is 192.168.5.6. What commands are required to configure the perimeter router to redirect the web and FTP traffic? C)

Router(config)# access-list 10 permit 192.168.5.6

Router(config)# access-list 20 permit 192.168.3.4

Router(config)# ip port-map http port 8000 list 10

Router(config)# ip port-map ftp port 8000 list 20

Router(config)# access-list 10 permit 192.168.3.4

Router(config)# access-list 20 permit 192.168.5.6

Router(config)# ip port-map ftp port 8000 list 10

Router(config)# ip port-map http port 8000 list 20

Router(config)# access-list 10 permit 192.168.3.4

Router(config)# access-list 20 permit 192.168.5.6

Router(config)# ip port-map http port 8000 list 10

Router(config)# ip port-map ftp port 8000 list 20

Router(config)# access-list 10 permit 192.168.3.4

Router(config)# access-list 20 permit 192.168.5.6

Router(config)# ip port-map http list 10 port 8000

Router(config)# ip port-map ftp list 20 port 8000

85.

The graphic shows a client opening a Telnet session to a remote host. Which ACL entry will be created by CBAC to allow traffic to return to complete a successful Telnet connection?

access-list 110 permit udp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447

access-list 110 permit tcp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447

access-list 110 permit tcp host 192.168.2.50 eq 23 host 10.0.0.5 eq 2447

access-list 110 permit tcp host 10.0.0.5 eq 2447 host 192.168.2.50 eq 23

86.

CBAC is configured on the router shown in the graphic, the statement shown in the graphic is included in access control list 101, and the access control list is applied to interface s0/0 as shown. Single-channel TCP inspection is not included in the CBAC inspection rule. What will happen if the workstation tries to send a Telnet packet to the Internet?

The packet will be forwarded by the router as soon as it matches the ACL statement.

The packet will be dropped by the router when no match is found in CBAC.

The packet will be forwarded by the router, but return Telnet traffic will not be allowed.

The packet will be forwarded after CBAC inspection determines that Telnet is an allowed protocol

87.

Which filtering technology maintains complete connection information for each TCP or UDP connection and logs the information in a session flow table? B)

packet filtering

stateful filtering

ACL directional filtering

URL filtering

88.

Which filtering technology is often effective but can be circumvented using packet fragmentation? A)

packet filtering

stateful filtering

URL filtering

ACL directional filtering

89.

What is the result of the command shown below? C)

Router(config)# ip inspect name tester icmp alert on audit-trail on timeout 30

inspects ICMP traffic and sends any alert and audit messages to the log file on tester

inspects IP traffic and sends an ICMP alert and audit message to tester if an outgoing IP packet is not acknowledged within 30 seconds

inspects ICMP traffic and maintains state information on common types of ICMP traffic

inspects ICMP traffic and maintains state information according to the tester rule set

90.

Refer to the graphic. If the complete configuration CBAC on CorpFW is correctly entered, which two statements describe the outcome of the completed configuration? (Choose two.) C) & E)

CBAC will delete all half-open connections necessary to accommodate new connections after 300 users have accessed the servers within the last six minutes.

CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the FTP servers within the last six minutes.

CBAC will delete all half-open connections necessary to accommodate new connections after more than 300 users have half-open attempts to reach the corporate web server within the last minute.

CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the network within the last minute.

CBAC will stop deleting half-open connections after fewer than 150 users have accessed the network within the last minute.

91.

Which two configurations will protect the FTP server in the DMZ from DoS attacks? (Choose two.) BD

CorpFW(config)# max-incomplete host 142.22.2.10

CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0

CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0

CorpFW(config)# ip inspect name Protect ftp timeout 3600

CorpFW(config)# interface FastEthernet 0/0

CorpFW(config-if)# max incomplete host 142.22.2.10

CorpFW(config)# ip inspect max-incomplete high 400

CorpFW(config)# ip inspect max-incomplete low 200

CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0

CorpFW(config)# ip inspect udp max-incomplete host 60 block-time 0

92.

The administrator has two goals. First, the administrator plans to use CBAC to block encapsulated Java applets from IP address 172.16.16.1. Then, the administrator plans to use CBAC to block DoS attacks such as the ping-of-death from external network. Which goals are accomlished when the three commands below are entered?

router(config)# ip access-list 1 deny 172.16.16.1 0.0.0.0

router(config)# ip inspect name FWALL http java-list 1 timeout 120

router(config)# ip inspect name FWALL icmp timeout 50

The first goal is not accomplished because CBAC cannot block encapsulated Java applets. The second goal is accomplished.

The first goal is not accomplished because a subnet mask, not a wild card mask, must be used. The second goal is accomplished.

The first goal is accomplished. The second goal is not accomplished because CBAC provides limited stateful inspection for ICMP.

Both goals are accomplished.

93.

What is the effect after these two commands are configured on a router? A)

router(config)# ip inspect max-incomplete high 300

router(config)# ip inspect max-incomplete low 100

When the combination of half-open TCP and UDP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.

When the number of half-open sessions per minute reaches 300, CBAC begins deleting them. When the number falls to 100 per minute, CBAC stops deleting them.

When the number of half-open sessions reaches 100, CBAC begins deleting them. When the number of cleared sessions equals 300, CBAC stops deleting them.

When the number of half-open TCP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.

94.

What is indicated if two endpoints in a connection receive reset packets from CBAC? B)

A session has ended by CBAC’s proxy fin method.

A DoS attack has been halted by CBAC’s threshold method.

Sequence checking has occured using CBAC’s state table method.

Spoofing has been prevented using CBAC’s session checking method.

95.

What happens when the following commands are executed? D)

router(config)# no ip inspect udp idle-time 45

router(config)# ip inspect dns-timeout 10

The router will not manage any inactive UDP connections.

The only UDP connections that the router will manage are DNS connections.

The router proxies DNS requests and manages them for 10 seconds.

The router will manage UDP connections for 30 seconds and DNS connections for 10

96.

Which three statements describe the use of ACLs on a Cisco PIX Security Appliance? (Choose three.) B), D) & F)

ACLs are used to restrict outbound traffic flowing from a lower to a higher security level interface.

ACLs are used to restrict outbound traffic flowing from a higher to a lower security level interface.

If no ACL is attached to an interface, inbound traffic is permitted by default unless explicitly denied.

If no ACL is attached to an interface, outbound traffic is permitted by default unless explicitly denied.

Cisco PIX Security Appliance ACLs use a wildcard mask like Cisco IOS ACLs.

Cisco PIX Security Appliance ACLs use a regular subnet mask unlike Cisco IOS ACLs.

97.

DES is classified in which cryptographic category?

hybrid

symmetric

asymmetric

hash algorithm

98.

Which two are IPSec security protocols? (Choose two.)

SHA-1

MD5

ESP

AH

GRE

L2TP

99.

A company has implemented an IPSec installation in which the original IP packet is encrypted. The encrypted packet is encapsulated in another IP packet. The new outside IP address in the encapsulating IP packet is used to route the packet through the Internet. What IPSec mode is this?

AH tunnel mode

AH transport mode

ESP tunnel mode

ESP transport mode

100.

A company is using IPSec between two routers. Both routers are communicating with each other using both AH and ESP protocols. How many IPSec SAs will be needed in total for both routers?

2

4

6

8

101

What happens to the outbound traffic that does not match any permit statement in an IPSec crypto ACL? D)

It is dropped.

It is logged and dropped.

It is encrypted by the default encryption algorithm.

It is sent in clear text.

102.

Which three statements are true of WebVPN? (Choose three.) B), C) & F)

It uses purpose-built client software for network access.

It uses a standard web browser for network access.

It uses SSL encryption.

It uses AES encryption.

It provides access to all applications through their native interface.

It provides access to limited applications through a browser portal

103.

Which RSA method is used to provide non-repudiation? B)

RSA proof

RSA signature

RSA encryption

RSA authentication

104.

Which feature of IPSec AH provides protection against packet replay attacks? B)

The AH header includes an initialization vector.

The AH header includes a 64-bit sequence number.

The AH header includes a 32-bit SPI value.

The AH header includes authentication data.

105.

Which parts of an IP datagram are encrypted by the ESP protocol of the IPSec framework to provide data confidentiality? B)

the entire IP datagram

the payload

the IP header

the upper layer IP headers

106.

A network security analyst has been asked to recommend a VPN solution that will allow secure remote access to the internal company network. This solution must meet two objectives:

(a) All communication data should be secured through encryption.

(b) VPN setup should be in a central location for easy maintenance.

The network security analyst recommends IPSec with ESP on tunnel mode. Which objectives are met by this recommendation?

both objective (a) and objective (b)

neither objective (a) nor objective (b)

objective (b) only

objective (a) only

107.

Which are two common examples of LAN-to-LAN VPNs? (Choose two.)

intranet VPNs used to connect mobile users

intranet VPNs used to connect remote users

intranet VPNs used to connect remote offices

extranet VPNs used to connect business partners

extranet VPNs used to connect telecommuters

108.

Which three two-way authentication methods does IKE provide? (Choose three.)

authentication using SHA signatures

authentication using RSA Signatures

authentication using Cisco Secure ACS

authentication using security associations

authentication using RSA encrypted nonces

authentication using a pre-shared secret

109.

In setting up a Cisco IPSec VPN on a Cisco IOS router, what must be done to select interesting traffic to be encrypted? C)

Configure an IPSec security association.

Configure an ISAKMP security association.

Configure an access control list.

Configure an IKE map list.

110.

A Remote Access VPN can be terminated on which two head-end devices? (Choose two.) A & C)

router

switch

Cisco PIX Security Appliance

ISP network access server

111.

Which algorithm uses a 160-bit secret key to produce a 160-bit hash to provide integrity of data through cryptography? C)

AES

HMAC-MD5

HMAC-SHA-1

3DES

112.

Which common digital signature algorithm is used primarily by government agencies?

DSA

MD5

RSA

AES

113.

Which statement describes one of the functions of an IKE tunnel in an IPSec installation?

Encrypts all data traffic.

Provides backup encryption if IPSec fails.

Provides backend security to the connecting private networks.

Negotiates IPSec security associations.

114.

Which statement is true about the security association lifetime?

Before a key expires, IKE negotiates another one to allow for smooth transition from key to key.

Before a key expires, DES negotiates another one to allow for smooth transition from key to key.

Before a key expires, RC4 negotiates another one to allow for smooth transition from key to key.

Before a key expires, CA negotiates another one to allow for smooth transition from key to key.

115.

Which tunneling protocol provides data encryption as well as authentication?

L2F

L2TP

IPSec

GRE

116.

Which is a one-way algorithm that converts a variable length message into a fixed length string?

Layer 2 tunnel

symmetric encryption

asymmetric encryption

hash

117.

How many crypto maps can be applied to each interface?

one in each direction

one for each protocol for each direction

one for each SA

one only

118.

The first four steps in IKE peer authentication using pre-shared secrets are shown in the graphic. What is the fifth step? D)

Peer B locally hashes the random value and the pre-shared secret and matches it against the received authenticated hash.

Peer A and peer B are ready to begin communications.

Peer A sends the authenticated hash back to peer B.

Peer B randomly chooses a different random string and sends it to peer A.

119.

If IKE is not used with an IPSec implementation and it is disabled on all IPSec peers, which four limitations apply? (Choose four.) B), D),E)&F)

Only the AH protocol can be used.

During IPSec sessions between the peers, the encryption keys will never change.

All security associations will be automatically created and may time out during extended IPSec sessions.

Certificate authority (CA) support cannot be used.

The IPSec security associations of the peers will never time out for a given IPSec session.

Anti-replay services will not be available between the peers

120.

The administrator is entering this IKE policy configuration. What three options could be entered after “authentication” in the last line? (Choose three.) A), B) & D)

Router(config)# crypto isakmp policy 4

Router(config-isakmp)# encryption 3des

Router(config-isakmp)# hash md5

Router(config-isakmp)# authentication _______

pre-share

rsa-sig

aes-encr

rsa-encr

aes-sig

sha-sig

121.

Global lifetime values for IPSec SAs can be defined in the Cisco IOS. What could override an IPSec SA global lifetime setting?

the command crypto lifetime override

the command crypto lifetime default

the use of a lifetime value within a crypto map

the global value cannot be overridden

122.

In the network shown, which command will configure an IKE tunnel between RouterA and RouterB with a pre-shared key of Cisco1234? C)

RouterA(config)# crypto ike key cisco1234 address 172.30.2.2

RouterA(config-isakmp)# ike key cisco1234 address 172.30.2.2

RouterA(config)# crypto iaskmp key cisco1234 address 172.30.2.2

RouterA(config-isakmp)# crypto key cisco1234 address 172.30.2.2

123.

Which command produced the output shown in the graphic? B)

Router# show crypto isakmp sa

Router# show crypto isakmp policy

Router# show crypto map

Router# show crypto ipsec sa

124.

While implementing new security policies, a network administrator applies the configuration shown in the graphic. Which command must be used if the new configuration is to be used immediately for all security associations? A)

Router#clear crypto sa

Router#clear crypto sa counters

Router#clear crypto sa map all

Router#clear crypto sa peer all

125.

A new IPSec transform set is configured on a router using the commands shown. Which mode will be associated with this transform set? B)

transport

transform

tunnel

peer

126.

A network administrator wishes to create a transform set that will provide the best throughput with encryption on a Cisco PIX Security Appliance. Which transform should be included in the transform set?

esp-aes

esp-des

esp-3des

esp-aes192

127.

The network administrator has configured this crypto access control list. The administrator has applied the proper crypto map and IPSec configurations to the outbound interface of a Cisco IOS router and its peer. What is the purpose of the ACL configuration?

Router(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

encrypt all traffic from the 10.0.1.0 network destined to the 10.0.2.0 network

encrypt all traffic from the 10.0.2.0 network destined to the 10.0.1.0 network

encrypt all TCP traffic from the 10.0.2.0 network destined to the 10.0.1.0 network

encrypt all TCP traffic from the 10.0.1.0 network destined to the 10.0.2.0 network

128.

What configuration will create a crypto map named MYMAP on Router A to encrypt traffic from Site 1 to Site 2 that matches crypto ACL 110 with two peers for redundancy?

RouterA(config)# crypto map MYMAP ipsec-isakmp

RouterA(config-crypto-map)# match address 110

RouterA(config-crypto-map)# set peer 172.30.2.2

RouterA(config-crypto-map)# set peer 172.30.3.2

RouterA(config)# crypto map MYMAP ipsec-isakmp

RouterA(config-crypto-map)# match address 110

RouterA(config-crypto-map)# set peer 10.0.2.3

RouterA(config)# crypto map MYMAP 110 ipsec-isakmp

RouterA(config-crypto-map)# match address 110

RouterA(config-crypto-map)# set peer 10.0.2.3

RouterA(config)# crypto map MYMAP 110 ipsec-isakmp

RouterA(config-crypto-map)# match address 110

RouterA(config-crypto-map)# set peer 172.30.2.2

RouterA(config-crypto-map)# set peer 172.30.3.2

129.

What command produced the output shown in the graphic? D)

show crypto engine

show crypto ipsec sa

show crypto ipsec client ezvpn

show crypto map

130.

A newly configured VPN between home office and a remote office is not working. What command can be used on the routers to view current and detailed information regarding any security associations? B)

Router# show crypto map

Router# show crypto ipsec sa

Router# show crypto ipsec transform-set

Router# show crypto isakmp policy

131

Which Cisco IOS command generated the output shown in the graphic? B)

debug crypto ipsec

debug crypto isakmp

debug crypto socket

debug ip peer

show crypto isakmp policy

132.

Under which two conditions would this command be entered when configuring a router for IPSec? (Choose two.) A) & D)

Router(config)# crypto isakmp identity address

Only one interface will be used by the peer for ISAKMP negotiations.

More than one interface will be used by the peer for ISAKMP negotiations.

The interface’s IP address is unknown.

The interface’s IP address is known.

The network administrator wishes to change the identity used by the default method

133.

Multiple IKE policies can be created on each of two peer routers, each with a different combination of parameter values as seen in the table. Which parameters must match in each policy to complete IKE phase one? A)

All five parameters must match to complete IKE phase one.

Any four parameters must match to complete IKE phase one.

All but the ISAKMP security association lifetime must match to complete IKE phase one.

All but the Diffie-Hellman group identifier must match to complete IKE phase one.