How To Secure Routers And Switches Information Technology Essay
You have been approached by your manager give a talk on the Network security standard ISO 17799. Write a short precise detailing the purpose of this document and the main components within parts 1 and 2 of the document. (http://www.17799central.com/iso17799.htm)
Write a brief analysis detailing the possible threats and consequences for a company that does not have an adequate Security Policy.
Write a summary of how an Edge router can be configured into a firewall; include detail of how it can be used to filter traffic. Describe the operation of CBAC
Detail the encryption techniques that are used in VPN systems and explain how/when they are used.
Describe how you can secure/harden routers and switches
Router hardening, password requirements, ssh, parser views, etc
Port security, vlan hopping, anti-snooping, private vlans
Multi-choice Review Questions
1.
In which type of attack does the potential intruder attempt to discover and map out systems, services, and vulnerabilities?
stake out
reconnaissance
tapping
sniffing
2.
Which type of attack prevents a user from accessing the targeted file server?
Reconnaissance attack
Denial of service attack
Prevention of entry attack
Disruption of structure attack
3.
Which type of action does the “ping sweep” pose to an organization?
eavesdropping
reconnaissance
denial of service
unauthorized access
4.
An employee of ABC Company receives an e-mail from a co-worker with an attachment. The employee opens the attachment and receives a call from the network administrator a few minutes later, stating that the employee’s machine has been attacked and is sending SMTP messages. Which category of attack is this? B)
denial of service
trojan horse
port scanning
password attack
social engineering
5.
What is a major characteristic of a Worm? D)
malicious software that copies itself into other executable programs
tricks users into running the infected software
a set of computer instructions that lies dormant until triggered by a specific event
exploits vulnerabilities with the intent of propagating itself across a network
6.
A large investment firm has been attacked by a worm. In which order should the network support team perform the steps to mitigate the attack? A)
A. inoculation
B. treatment
C. containment
D. quarantine
C,A,D,B
A,B,C,D
A,C,B,D
D,A,C,B
C,B,A,D
7.
At XYZ Company, the policy for network use requires that employees log in to a Windows domain controller when they power on their work computers. Although XYZ does not implement all possible security measures, outgoing traffic is filtered using a firewall. Which security model is the company using? D)
open access
closed access
hybrid access
Restrictive access
8.
Which three of these are common causes of persistent vulnerabilities in networks? (Choose three.)
new exploits in existing software
misconfigured hardware or software
poor network design
changes in the TCP/IP protocol
changes in the core routers on the Internet
end-user carelessness
9.
A new network administrator is assigned the task of conducting a risk assessment of the company’s network. The administrator immediately conducts a vulnerability assessment. Which important task should the administrator have completed first?
threat identification
security level application
patch and update deployment
asset identification
perimeter security upgrade
10.
A company deployed a web server on the company DMZ to provide external web services. While reviewing firewall log files, the administrator discovered that a connection was made to the internal e-mail server from the web server in DMZ. After reviewing the e-mail server logs, the administrator discovered that an unauthorized account was created. What type of attack was successfully carried out?
phishing
port redirection
trust exploitation
man-in-the-middle
11.
Users are unable to access a company server. The system logs show that the server is operating slowly because it is receiving a high level of fake requests for service. Which type of attack is occurring?
reconnaissance
access
DoS
worms, viruses, and Trojan horses
12.
Which two are examples of Distributed Denial of Service attacks? (Choose two.) B) & D)
SYN Flood
Stacheldraht
Ping of Death
Smurf
WinNuke
Targa.c
13.
Which two of these are examples of DDoS network attacks? (Choose two.) A) & B)
smurf attack
Tribal Flood Network (TFN)
teardrop.c
man-in-the-middle attack
port redirection
social engineering
14.
Which two are technological weaknesses that can lead to a breach in an organization’s security? (Choose two.) C) & D)
software compatibility weakness
DHCP security weakness
TCP/IP protocol weakness
operating system weakness
LDAP weakness
15.
What is the effect of applying this command to a Cisco router? E)
router(config)# no service finger
UNIX commands are disabled on the router.
All TCP/IP services are disabled.
PING usage is disabled.
Users logged into the router remotely will not be able to see if other users are logged into the router
16.
A partial router configuration is shown in the graphic. The network administrator adds the following command at the router prompt.
router(config)# security passwords min-length 10
Which of the following is correct? A)
The current password will continue to be used as a valid password until changed.
No password is required.
The current password is invalid and will not allow a login.
A password that is at least ten characters long must immediately be implemented for a successful login.
17.
The Security Wheel promotes a continuous process to retest and reapply updated security measures. What is the core or “hub†component of the Security Wheel? D)
testing policy
monitor
improve
security policy
18.
After providing for all operational requirements of the network, the network support team has determined that the servers should be hardened against security threats so that the network can operate at full potential. At which stage of the network life cycle does server hardening occur? E)
planning
design
implementation
operation
optimization
19.
A network administrator installs a new stateful firewall. Which type of security solution is this?
secure connectivity
threat defense
policy enforcement
trust and identity
authentication
20.
XYZ Company recently adopted software for installation on critical servers that will detect malicious attacks as they occur. In addition, the software will stop the execution of the attacks and send an alarm to the network administrator. Which technology does this software utilize?
host-based intrusion detection
host-based intrusion protection
host-based intrusion prevention
host-based intrusion notification
21.
A security team is charged with hardening network devices. What must be accomplished first before deciding how to configure security on any device?
Audit all relevant network devices.
Document all router configurations.
Create or update security policies.
Complete a vulnerability assessment.
22.
Which two objectives must a security policy accomplish? (Choose two.)
provide a checklist for the installation of secure servers
describe how the firewall must be configured
document the resources to be protected
identify the security objectives of the organization
identify the specific tasks involved in hardening a router
23.
Which router command will result in the router only accepting passwords of 16 characters or more?
service password-encryption
enable secret min-length 16
security passwords min-length 16
security passwords max-length 16
24.
Which command will encrypt all passwords in the router configuration file? D)
enable secret
password encrypt all
enable password-encryption
service password-encryption
no clear-text password
25.
MD5 can be used for authenticating routing protocol updates for which three protocols? (Choose three.) B), D) & E)
RIPv1
RIPv2
IGRP
EIGRP
BGP
26.
Which configuration will allow an administrator to access the console port using a password of password? B)
router(config)# line aux 0
router(config-line)# login
router(config-line)# password password
router(config)# line console 0
router(config-line)# login
router(config-line)# password password
router(config)# line console 0
router(config-line)# password password
router(config)# line console 0
router(config-line)# access
router(config-line)# password password
router(config)# line vty 0
router(config-line)# password password
router(config)# line vty 0
router(config-line)# access
router(config-line)# password password
27.
Which command sets the inactivity timer, for a particular line or group of lines, to four minutes and fifteen seconds? E
router(config)# line-timeout 4 15
router(config-line)# line-timeout 4 15
router(config-line)# exec-timeout 255
router(config-line)# timeout 255
router(config-line)# exec-timeout 4 15
router(config-line)# line-timeout 255
28.
Which encryption type uses the MD5 hash algorithm?
Type 0
Type 1
Type 5
Type 7
29.
Which privilege level has the most access to the Cisco IOS?
level 0
level 1
level 7
level 15
level 16
level 20
30.
Which algorithm implements stateful connection control through the PIX Security Appliance?
Network Address Translation Algorithm
Access Control Security Algorithm
Adaptive Security Algorithm
Spanning Tree Protocol Algorithm
31.
The Cisco Security Device Manager (SDM) allows administrators to securely configure supported routers by using which security protocol in Microsoft Internet Explorer? B)
IPSec
SSL
SSH
L2TP
PPTP
32.
A network administrator has received a Cisco PIX Security Appliance from another division within the company. The existing configuration has IP addresses that will cause problems on the network. What command sequence will successfully clear all the existing IP addresses and configure a new IP address on ethernet0? B)
pix1(config)# clear ip all
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2
pix1(config)# clear ip
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 255.255.255.0
pix1(config)# no ip address
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 255.255.255.0
pix1(config)# clear ip
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 0.0.0.255
33.
A network team is configuring a Cisco PIX Security Appliance for NAT so that local addresses are translated. The team is creating a global address pool using a subnet of network 192.168.5.0 with a 27-bit mask. What is the proper syntax to set up this global address pool? B)
pix1(config)# global (inside) 1 192.168.5.33-192.168.5.62
pix1(config)# global (outside) 1 192.168.5.33-192.168.5.62
pix1(config)# global (inside) 1 192.168.5.65-192.168.5.95
pix1(config)# global (outside) 1 192.168.5.65-192.168.5.95
pix1(config)# global (inside) 1 192.168.5.64-192.168.5.127
pix1(config)# global (outside) 1 192.168.5.65-192.168.5.127
34.
A network administrator has configured an access control list on the Cisco PIX Security Appliance that allows inside hosts to ping outside hosts for troubleshooting. Which debug command can be used to troubleshoot if pings between hosts are not successful?
debug icmp inside outside
debug ping
debug icmp trace
debug trace icmp
35.
Which protocol provides time synchronization?
STP
TSP
NTP
SMTP
L2TP
36.
Which command would configure a PIX Security Appliance to send syslog messages from its inside interface to a syslog server with the IP address of 10.0.0.3? D
pixfirewall(config)# syslog inside 10.0.0.3
pixfirewall(config)# logging inside 10.0.0.3
pixfirewall(config)# syslog host inside 10.0.0.3
pixfirewall(config)# logging host inside 10.0.0.3
37.
The configuration in the graphic has been entered into a PIX Security Appliance with three interfaces. The interfaces are inside, outside, and DMZ. What source address range will the traffic from inside devices use when they access devices in the DMZ?
10.0.0.1 to 10.0.0.254
172.16.0.20 to 172.16.0.254
172.16.0.1 to 172.16.0.254
192.168.0.20 to 192.168.0.254
10.0.0.1 to 10.255.255.254
38.
What source IP address will the traffic from devices in the 10.0.2.0 network have when they leave the trusted network? C)
192.168.0.8 always
192.168.0.9 always
192.168.0.8 if ports are available, or 192.168.0.9 if 192.168.0.8’s ports are exhausted
192.168.0.9 if ports are available, or 192.168.0.8 if 192.168.0.9’s ports are exhausted
39.
The commands in the graphic have been entered into a PIX Security Appliance. Which two statements are accurate descriptions of what will happen to outgoing traffic when it leaves the trusted network? (Choose two.) B) & C)
The source IP address will be from a pool of addresses in the 192.168.0.3 to 192.168.0.254 range.
The source port will be a random port above port 1023.
The source IP address will be 192.168.0.2 for all outgoing traffic.
The source port will be port 1024.
The source IP address will be in the range 10.0.0.1 to 10.0.255.254.
40.
Interface Ethernet3 on a PIX Security Appliance has been configured with three subinterfaces to pass tagged traffic from three different VLANs. What protocol will be used to tag the VLAN traffic?
ISL
802.1x
VTP
802.1q
41.
Which two commands will configure a static default route on the PIX Security Appliance in the network shown in the graphic? (Choose two.)
route inside outside 0.0.0.0 0.0.0.0 172.16.0.2 1
route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
ip route inside outside 0 0 192.168.0.2 1
route outside 0 0 172.16.0.2 1
ip route inside outside 0 0 172.16.0.2 1
route outside 0 0 192.168.0.2 1
42.
How are transactions between a RADIUS client and a RADIUS server authenticated?
by using a shared secret which is never sent over the network
by hashing the secret using MD5 and then sending it over the network
by hashing the secret using MD4 and then sending it over the network
by using a clear-text password and then sending it over the network
43.
RADIUS uses which transport layer protocol? C)
IP
TCP
UDP
ICMP
DLC
44.
Which authentication method is susceptible to playback attacks? C)
passwords using S/KEY
passwords using token card
passwords requiring periodic change
passwords using one-time password technology
45.
Which authentication method sends passwords over the network in clear text yet protects against eavesdropping and password cracking attacks? C)
authentication with FTP
authentication with Telnet
authentication with S/KEY
authentication in POP3 e-mail
46.
After a security audit, network managers realized that the authentication method used by their telecommuting employees needed to be improved. They set up a server and installed client software on the employee laptops of their remote users. They also provided a device for each remote user that generated a password every time they needed to make a remote network connection. Which authentication technology does this process describe? B)
authentication with S/KEY
authentication with token card
authentication with encrypted password
authentication with compressed password
47.
What function does a digital certificate offer to information security? C)
authorization
accounting
nonrepudiation
intrusion prevention
48.
Bookline Inc., an online bookstore, recently installed a web server running Microsoft Windows 2003 Server. Where should the company obtain a digital signature for the web server in order to assure customers that they are connecting to Bookline’s server and not an impersonating web server?
a digital signature generated by the CA in Microsoft’s corporate headquarters
a digital signature generated by the CA from a trusted third party
a digital signature generated by the CA from a government agency
a digital signature generated by any CA that establishes a secure connection
49.
A large law firm wishes to secure dialup access to its corporate network for employees working at home. Since much of the data to be transmitted is highly confidential, the firm requires a high level of encryption and also prefers that each component of AAA be provided separately. Which security protocol best meets these requirements?
TACACS
XTACACS
TACACS+
RADIUS
50.
What are three reasons TACACS+ is preferred over RADIUS for authentication services? (Choose three.)
RADIUS has limited name space for attributes.
RADIUS is not an industry supported standard.
TACACS+ encrypts the entire TACACS+ packet.
TACACS+ authentication is included with more recent Windows Server versions.
TACACS+ separates authentication and authorization.
RADIUS uses TCP as a transport protocol creating additional overhead
51.
A static username/password authentication method is susceptible to which three types of attacks? (Choose three.)
playback
theft
teardrop
syn flood
eavesdropping
52.
Company security policy requires the use of a centralized AAA server for network access authentication. Which two protocols are supported by the AAA server? (Choose two.) C) & D)
IPSec
SSL
RADIUS
TACACS+
SSH
53.
Which three are functions of AAA? (Choose three.) A), C) & E)
accounting
availability
authentication
architecture
authorization
accessibility
54.
A network administrator wishes to use port-level authentication technology to determine network access and assign IP addresses from different DHCP pools to authenticated and unauthenticated users. What standardized framework supports this objective? A)
IEEE 802.1x
IEEE 802.11af
IEEE 802.1q
IEEE 802.1p
55.
What will be the result of executing the command in the graphic? C)
The default login method will use TACACS+ only.
TACACS+ accounting will be enabled at login.
The enable password will be used if a TACACS+ server is not available.
The default TACACS+ user shell will be enabled.
56.
Which AAA service reduces IT operating costs by providing detailed reporting and monitoring of network user behavior, and also by keeping a record of every access connection and device configuration change across the network?
authentication
accreditation
accounting
authorization
57.
What tool should you use to add a single user account to the Cisco Secure ACS for Windows user database?
database replication
Unknown User Policy
RDBMS Synchronization
Cisco Secure ACS HTML interface
58.
Refer to the exhibit. Which two services can the network access server use to direct requests from the remote user to the Cisco Secure ACS authentication service? (Choose two.)
CSAuth
CSUtil
RADIUS
RDBMS
TACACS+
59.
RTA(config)# tacacs-server key [email protected]?
RTA(config)# tacacs-server host 10.1.2.4
RTA(config)# tacacs-server host 10.1.2.5
What will be the effect of these commands on router RTA? C)
The TACACS+ server is now authenticating for the hosts 10.1.2.4 and 10.1.2.5.
The TACACS+ server key has been exported to the hosts 10.1.2.4 and 10.1.2.5.
The TACACS+ servers 10.1.2.4 and 10.1.2.5 and the router have been set to share the same authentication key.
The TACACS+ servers are 10.1.2.4 and 10.1.2.5 and the configuration adds router RTA as a third TACACS+ server.
60.
RTA(config)# aaa new-model
RTA(config)# aaa authentication login default group tacacs+ enable
After entering the configuration shown, the administrator loses the connection to the router before having the chance to create a new TACACS+ account. What is the easiest way for the administrator to regain administrative access to router RTA? C)
Connect to the router, and use the default TACACS+ username and password.
Erase NVRAM, and redo the configuration from scratch.
Connect to the router, and supply the enable password.
Perform a password recovery procedure on the router
61.
Which command associates the group MYGROUP with the AAA server using the TACACS+ protocol? D)
Pixfirewall(config)# aaa-server MYGROUP tacacs+ protocol
Pixfirewall(config)# aaa-server protocol tacacs+ MYGROUP
Pixfirewall(config)# aaa-server tacacs+ protocol MYGROUP
Pixfirewall(config)# aaa-server MYGROUP protocol tacacs+
62.
Which configuration command defines the association of initiating HTTP protocol traffic with an authentication proxy name MYPROXY? C)
Router(config)# ip auth-proxy MYPROXY http
Router(config)# auth-proxy MYPROXY ip http
Router(config)# ip auth-proxy name MYPROXY http
Router(config)# auth-proxy name MYPROXY ip http
63.
With the following configuration command, how long does the PIX Security Appliance try to access the AAA server 10.0.1.10 before choosing the next AAA server if there is no response from 10.0.1.10?
aaa-server MYTACACS (inside) host 10.0.1.10 secretkey
12 seconds
15 seconds
20 seconds
30 seconds
64.
Which command will enable AAA services on a router? B
Router(config)# aaa enable
Router(config)# aaa new-model
Router(config)# aaa set enable
Router(config)# aaa new-model enable
65.
What is the default timeout in minutes for the inactivity-timer parameter of the ip auth-proxy command?
15
30
45
60
90
66.
The network administrator configured the aaa authorization command below on the PIX Security Appliance. What is the effect of this command?
pix(config)# aaa authorization include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 auth1
FTP traffic from outside is subject to authorization by the AAA server.
SSH traffic from outside is subject to authorization by the AAA server.
HTTP traffic from outside is subject to authorization by the AAA server.
SMTP traffic from outside is subject to authorization by the AAA server.
67.
Which type of authentication is being used when authentication is required via the PIX Security Appliance before direct traffic flow is allowed between users and the company web server? C)
access authentication
console access authentication
cut-through proxy authentication
tunnel access authentication
68.
What will be the effect in the router after these configuration commands are entered? B)
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
An authentication proxy rule called aprule is created making all authentication proxy services available only through the ethernet0 interface.
An authentication proxy rule called aprule has been created for the HTTP protocol and is associated with the ethernet0 interface.
An authentication proxy rule called aprule has been created for all protocols except the HTTP protocol and is associated with the ethernet0 interface.
An authentication proxy rule called aprule has been created for the HTTP server running internally to the router and is associated with anyone attempting to access the web server from the ethernet0 interface.
69.
When Cisco IOS Firewall authentication proxy is enabled, a user sends HTTP traffic which will trigger the authentication proxy. What is the first action taken by the proxy? C)
The user will be asked to supply a valid username and password.
The TACACS+ server will be contacted to see if the user is a valid user.
The authentication proxy will check to see if the user has already been authenticated.
If the authentication proxy has no user account for the user, it will check to see if a default guest user has been defined.
70.
A TACACS+ server is configured to provide authentication, authorization, and accounting. The IP address of the server is 192.168.50.1, and the AAA authentication encryption key is S3crtK3y. Which command sequence will configure a Cisco router to communicate with the TACACS+ server? D)
Router(config)# aaa new-model
Router(config)# aaa authentication default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# aaa tacacs-server host 192.168.50.1
Router(config)# aaa tacacs-server key S3crtK3y
Router(config)# aaa enable
Router(config)# aaa authentication default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host 192.168.50.1
Router(config)# tacacs-server key S3crtK3y
Router(config)# aaa enable
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# aaa tacacs-server host 192.168.50.1
Router(config)# aaa tacacs-server key S3crtK3y
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host 192.168.50.1
Router(config)# tacacs-server key S3crtK3y
71.
The lead network administrator notices that unknown users have made router configuration changes. These changes are adversely affecting the network. Which command can be entered on the router to help identify future configuration changes and who made these changes?
aaa accounting
show uauth
aaa accounting console
aaa accounting match
72.
Refer to the exhibit. Since ABC, Inc. is strengthening security, a PIX Security Appliance firewall must be configured with AAA services. Accounting should be provided for all FTP and HTTP traffic from any host to the WWW server at 192.168.2.10.
Which command sequence would successfully process the desired traffic to the NY_ACS accounting server? A
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
pixfirewall(config)# aaa accounting match 110 outside NY_ACS
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
pixfirewall(config)# aaa accounting access-list 110 outside 10.0.0.2
pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq http
pixfirewall(config)# aaa accounting match 110 outside NY_ACS
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
pixfirewall(config)# aaa accounting match 110 outside 10.0.0.2
73.
Which command displays the current authenticated users, the host IP to which they are bound, and any cached IP and port authorization information on a Cisco PIX Security Appliance configured for AAA? B)
pixfirewall(config)# show aaa all
pixfirewall(config)# show uauth
pixfirewall(config)# show aaa statistics
pixfirewall(config)# show aaa-server
74.
A user has initiated an HTTP session through a firewall and has been authenticated by an authentication proxy. They have not generated any traffic in a while and the idle timer has expired for that user. What will the user have to do to allow them to go through the firewall again? D)
The user can manually restart the idle timer.
The user can simply TFTP their user profile to the proxy.
The user must wait two minutes before initiating another session.
The user can re-authenticate and initiate another HTTP session through the firewall.
75.
A network team has been tasked to develop a Cisco Secure ACS solution for port-based authentication. The network operation center for all three regions is located at Region 1. What is the best solution to ensure availability to a Cisco Secure ACS for port-based authentication? B)
Install a centralized primary and secondary authentication server at Region 1, which Region 2 and 3 will use for authentication.
Install a primary authentication server at each region and use one of the authentication servers from another region for redundancy.
Install a primary authentication server at Region 1 for Region 2 and 3 to authenticate, and install a secondary authentication server at Region 2 and 3 for redundancy.
Install a primary authentication server at each region and a secondary authentication server at Region 1 for the network operation center clients only.
76.
Port-based authentication is implemented as shown in the graphic. What protocol will be required for the client-to-switch connection and the switch-to-Cisco Secure ACS communications?
ISL; RADIUS
802.1x; RADIUS
802.1q; TACACS+
L2TP; TACACS
77.
A network administrator wants to configure a Catalyst switch to use a RADIUS server at 172.16.23.31 or a backup RADIUS server at 172.16.23.32 if the first server is unavailable. The administrator wants to use the default RADIUS UDP port and a shared key of Rad4Me. Which configuration will accomplish this goal? B
Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.31
Switch(config)# radius-server auth-port 1812 key Rad4Me host 172.16.23.32
Switch(config)# radius-server host 172.16.23.31 auth-port 1812 key Rad4Me
Switch(config)# radius-server host 172.16.23.32 auth-port 1812 key Rad4Me
Switch(config)# radius-server host 172.16.23.31 172.16.23.32 key Rad4Me auth-port 1812
Switch(config)# radius-server host 172.16.23.31 key Rad4Me auth-port 1812
Switch(config)# radius-server host 172.16.23.32 key Rad4Me auth-port 1812
78.
Which command will turn off CBAC alert messages to the console? A
router(config)# ip inspect alert-off
router(config)# no ip inspect alert
router(config)# no ip inspect alert-off
router(config)# ip inspect alert log-only
79.
The timeout value in the ip inspect name command is configured in which units?
seconds
milliseconds
microseconds
minutes
80.
What does CBAC look for when inspecting TCP sequence numbers? B)
CBAC uses the sequence numbers to defragment the full packet.
CBAC checks that the sequence numbers are within an expected range.
CBAC rejects packets that arrive at an unusually high sequence rate.
CBAC matches the source sequence numbers to the destination sequence numbers
81.
Which statement is correct concerning CBAC inspection rules? A)
Alert, audit-trail, and timeout are configurable per protocol and override corresponding global settings.
Alert, audit-trail, and timeout are only globally configurable.
Alert, audit-trail, and timeout are not configurable globally.
Alert, audit-trail, and timeout are configurable only for TCP.
82.
Which statement is true concerning CBAC and fragmentation inspection rules? C)
An inspection rule instructing the router to fragment packets should always be utilized.
A fragmentation rule forces fragments to be buffered until the corresponding initial fragment is received.
A fragmentation rule forces non-initial fragments to be discarded unless the initial fragment was allowed to pass.
A fragmentation rule should not be used on exterior gateways.
83.
A network administrator needs to configure the router to redirect incoming HTTP requests to a web server at port 8020. Which command should be used? B)
Router(config)# ip port-map http eq 8020
Router(config)# ip port-map http port 8020
Router(config)# ip port-map port 8020 http
Router(config)# ip port-map port 8020 eq http
84.
The IT department has decided to offer web and FTP services using TCP port 8000. The web server IP address is 192.168.3.4 and the FTP server IP address is 192.168.5.6. What commands are required to configure the perimeter router to redirect the web and FTP traffic? C)
Router(config)# access-list 10 permit 192.168.5.6
Router(config)# access-list 20 permit 192.168.3.4
Router(config)# ip port-map http port 8000 list 10
Router(config)# ip port-map ftp port 8000 list 20
Router(config)# access-list 10 permit 192.168.3.4
Router(config)# access-list 20 permit 192.168.5.6
Router(config)# ip port-map ftp port 8000 list 10
Router(config)# ip port-map http port 8000 list 20
Router(config)# access-list 10 permit 192.168.3.4
Router(config)# access-list 20 permit 192.168.5.6
Router(config)# ip port-map http port 8000 list 10
Router(config)# ip port-map ftp port 8000 list 20
Router(config)# access-list 10 permit 192.168.3.4
Router(config)# access-list 20 permit 192.168.5.6
Router(config)# ip port-map http list 10 port 8000
Router(config)# ip port-map ftp list 20 port 8000
85.
The graphic shows a client opening a Telnet session to a remote host. Which ACL entry will be created by CBAC to allow traffic to return to complete a successful Telnet connection?
access-list 110 permit udp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447
access-list 110 permit tcp host 10.0.0.5 eq 23 host 192.168.2.50 eq 2447
access-list 110 permit tcp host 192.168.2.50 eq 23 host 10.0.0.5 eq 2447
access-list 110 permit tcp host 10.0.0.5 eq 2447 host 192.168.2.50 eq 23
86.
CBAC is configured on the router shown in the graphic, the statement shown in the graphic is included in access control list 101, and the access control list is applied to interface s0/0 as shown. Single-channel TCP inspection is not included in the CBAC inspection rule. What will happen if the workstation tries to send a Telnet packet to the Internet?
The packet will be forwarded by the router as soon as it matches the ACL statement.
The packet will be dropped by the router when no match is found in CBAC.
The packet will be forwarded by the router, but return Telnet traffic will not be allowed.
The packet will be forwarded after CBAC inspection determines that Telnet is an allowed protocol
87.
Which filtering technology maintains complete connection information for each TCP or UDP connection and logs the information in a session flow table? B)
packet filtering
stateful filtering
ACL directional filtering
URL filtering
88.
Which filtering technology is often effective but can be circumvented using packet fragmentation? A)
packet filtering
stateful filtering
URL filtering
ACL directional filtering
89.
What is the result of the command shown below? C)
Router(config)# ip inspect name tester icmp alert on audit-trail on timeout 30
inspects ICMP traffic and sends any alert and audit messages to the log file on tester
inspects IP traffic and sends an ICMP alert and audit message to tester if an outgoing IP packet is not acknowledged within 30 seconds
inspects ICMP traffic and maintains state information on common types of ICMP traffic
inspects ICMP traffic and maintains state information according to the tester rule set
90.
Refer to the graphic. If the complete configuration CBAC on CorpFW is correctly entered, which two statements describe the outcome of the completed configuration? (Choose two.) C) & E)
CBAC will delete all half-open connections necessary to accommodate new connections after 300 users have accessed the servers within the last six minutes.
CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the FTP servers within the last six minutes.
CBAC will delete all half-open connections necessary to accommodate new connections after more than 300 users have half-open attempts to reach the corporate web server within the last minute.
CBAC will delete all half-open connections necessary to accommodate new connections after 150 users have accessed the network within the last minute.
CBAC will stop deleting half-open connections after fewer than 150 users have accessed the network within the last minute.
91.
Which two configurations will protect the FTP server in the DMZ from DoS attacks? (Choose two.) BD
CorpFW(config)# max-incomplete host 142.22.2.10
CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
CorpFW(config)# ip inspect name Protect ftp timeout 3600
CorpFW(config)# interface FastEthernet 0/0
CorpFW(config-if)# max incomplete host 142.22.2.10
CorpFW(config)# ip inspect max-incomplete high 400
CorpFW(config)# ip inspect max-incomplete low 200
CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time 0
CorpFW(config)# ip inspect udp max-incomplete host 60 block-time 0
92.
The administrator has two goals. First, the administrator plans to use CBAC to block encapsulated Java applets from IP address 172.16.16.1. Then, the administrator plans to use CBAC to block DoS attacks such as the ping-of-death from external network. Which goals are accomlished when the three commands below are entered?
router(config)# ip access-list 1 deny 172.16.16.1 0.0.0.0
router(config)# ip inspect name FWALL http java-list 1 timeout 120
router(config)# ip inspect name FWALL icmp timeout 50
The first goal is not accomplished because CBAC cannot block encapsulated Java applets. The second goal is accomplished.
The first goal is not accomplished because a subnet mask, not a wild card mask, must be used. The second goal is accomplished.
The first goal is accomplished. The second goal is not accomplished because CBAC provides limited stateful inspection for ICMP.
Both goals are accomplished.
93.
What is the effect after these two commands are configured on a router? A)
router(config)# ip inspect max-incomplete high 300
router(config)# ip inspect max-incomplete low 100
When the combination of half-open TCP and UDP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.
When the number of half-open sessions per minute reaches 300, CBAC begins deleting them. When the number falls to 100 per minute, CBAC stops deleting them.
When the number of half-open sessions reaches 100, CBAC begins deleting them. When the number of cleared sessions equals 300, CBAC stops deleting them.
When the number of half-open TCP sessions reaches 300, CBAC begins deleting them. When the number falls to 100, CBAC stops deleting them.
94.
What is indicated if two endpoints in a connection receive reset packets from CBAC? B)
A session has ended by CBAC’s proxy fin method.
A DoS attack has been halted by CBAC’s threshold method.
Sequence checking has occured using CBAC’s state table method.
Spoofing has been prevented using CBAC’s session checking method.
95.
What happens when the following commands are executed? D)
router(config)# no ip inspect udp idle-time 45
router(config)# ip inspect dns-timeout 10
The router will not manage any inactive UDP connections.
The only UDP connections that the router will manage are DNS connections.
The router proxies DNS requests and manages them for 10 seconds.
The router will manage UDP connections for 30 seconds and DNS connections for 10
96.
Which three statements describe the use of ACLs on a Cisco PIX Security Appliance? (Choose three.) B), D) & F)
ACLs are used to restrict outbound traffic flowing from a lower to a higher security level interface.
ACLs are used to restrict outbound traffic flowing from a higher to a lower security level interface.
If no ACL is attached to an interface, inbound traffic is permitted by default unless explicitly denied.
If no ACL is attached to an interface, outbound traffic is permitted by default unless explicitly denied.
Cisco PIX Security Appliance ACLs use a wildcard mask like Cisco IOS ACLs.
Cisco PIX Security Appliance ACLs use a regular subnet mask unlike Cisco IOS ACLs.
97.
DES is classified in which cryptographic category?
hybrid
symmetric
asymmetric
hash algorithm
98.
Which two are IPSec security protocols? (Choose two.)
SHA-1
MD5
ESP
AH
GRE
L2TP
99.
A company has implemented an IPSec installation in which the original IP packet is encrypted. The encrypted packet is encapsulated in another IP packet. The new outside IP address in the encapsulating IP packet is used to route the packet through the Internet. What IPSec mode is this?
AH tunnel mode
AH transport mode
ESP tunnel mode
ESP transport mode
100.
A company is using IPSec between two routers. Both routers are communicating with each other using both AH and ESP protocols. How many IPSec SAs will be needed in total for both routers?
2
4
6
8
101
What happens to the outbound traffic that does not match any permit statement in an IPSec crypto ACL? D)
It is dropped.
It is logged and dropped.
It is encrypted by the default encryption algorithm.
It is sent in clear text.
102.
Which three statements are true of WebVPN? (Choose three.) B), C) & F)
It uses purpose-built client software for network access.
It uses a standard web browser for network access.
It uses SSL encryption.
It uses AES encryption.
It provides access to all applications through their native interface.
It provides access to limited applications through a browser portal
103.
Which RSA method is used to provide non-repudiation? B)
RSA proof
RSA signature
RSA encryption
RSA authentication
104.
Which feature of IPSec AH provides protection against packet replay attacks? B)
The AH header includes an initialization vector.
The AH header includes a 64-bit sequence number.
The AH header includes a 32-bit SPI value.
The AH header includes authentication data.
105.
Which parts of an IP datagram are encrypted by the ESP protocol of the IPSec framework to provide data confidentiality? B)
the entire IP datagram
the payload
the IP header
the upper layer IP headers
106.
A network security analyst has been asked to recommend a VPN solution that will allow secure remote access to the internal company network. This solution must meet two objectives:
(a) All communication data should be secured through encryption.
(b) VPN setup should be in a central location for easy maintenance.
The network security analyst recommends IPSec with ESP on tunnel mode. Which objectives are met by this recommendation?
both objective (a) and objective (b)
neither objective (a) nor objective (b)
objective (b) only
objective (a) only
107.
Which are two common examples of LAN-to-LAN VPNs? (Choose two.)
intranet VPNs used to connect mobile users
intranet VPNs used to connect remote users
intranet VPNs used to connect remote offices
extranet VPNs used to connect business partners
extranet VPNs used to connect telecommuters
108.
Which three two-way authentication methods does IKE provide? (Choose three.)
authentication using SHA signatures
authentication using RSA Signatures
authentication using Cisco Secure ACS
authentication using security associations
authentication using RSA encrypted nonces
authentication using a pre-shared secret
109.
In setting up a Cisco IPSec VPN on a Cisco IOS router, what must be done to select interesting traffic to be encrypted? C)
Configure an IPSec security association.
Configure an ISAKMP security association.
Configure an access control list.
Configure an IKE map list.
110.
A Remote Access VPN can be terminated on which two head-end devices? (Choose two.) A & C)
router
switch
Cisco PIX Security Appliance
ISP network access server
111.
Which algorithm uses a 160-bit secret key to produce a 160-bit hash to provide integrity of data through cryptography? C)
AES
HMAC-MD5
HMAC-SHA-1
3DES
112.
Which common digital signature algorithm is used primarily by government agencies?
DSA
MD5
RSA
AES
113.
Which statement describes one of the functions of an IKE tunnel in an IPSec installation?
Encrypts all data traffic.
Provides backup encryption if IPSec fails.
Provides backend security to the connecting private networks.
Negotiates IPSec security associations.
114.
Which statement is true about the security association lifetime?
Before a key expires, IKE negotiates another one to allow for smooth transition from key to key.
Before a key expires, DES negotiates another one to allow for smooth transition from key to key.
Before a key expires, RC4 negotiates another one to allow for smooth transition from key to key.
Before a key expires, CA negotiates another one to allow for smooth transition from key to key.
115.
Which tunneling protocol provides data encryption as well as authentication?
L2F
L2TP
IPSec
GRE
116.
Which is a one-way algorithm that converts a variable length message into a fixed length string?
Layer 2 tunnel
symmetric encryption
asymmetric encryption
hash
117.
How many crypto maps can be applied to each interface?
one in each direction
one for each protocol for each direction
one for each SA
one only
118.
The first four steps in IKE peer authentication using pre-shared secrets are shown in the graphic. What is the fifth step? D)
Peer B locally hashes the random value and the pre-shared secret and matches it against the received authenticated hash.
Peer A and peer B are ready to begin communications.
Peer A sends the authenticated hash back to peer B.
Peer B randomly chooses a different random string and sends it to peer A.
119.
If IKE is not used with an IPSec implementation and it is disabled on all IPSec peers, which four limitations apply? (Choose four.) B), D),E)&F)
Only the AH protocol can be used.
During IPSec sessions between the peers, the encryption keys will never change.
All security associations will be automatically created and may time out during extended IPSec sessions.
Certificate authority (CA) support cannot be used.
The IPSec security associations of the peers will never time out for a given IPSec session.
Anti-replay services will not be available between the peers
120.
The administrator is entering this IKE policy configuration. What three options could be entered after “authentication” in the last line? (Choose three.) A), B) & D)
Router(config)# crypto isakmp policy 4
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# hash md5
Router(config-isakmp)# authentication _______
pre-share
rsa-sig
aes-encr
rsa-encr
aes-sig
sha-sig
121.
Global lifetime values for IPSec SAs can be defined in the Cisco IOS. What could override an IPSec SA global lifetime setting?
the command crypto lifetime override
the command crypto lifetime default
the use of a lifetime value within a crypto map
the global value cannot be overridden
122.
In the network shown, which command will configure an IKE tunnel between RouterA and RouterB with a pre-shared key of Cisco1234? C)
RouterA(config)# crypto ike key cisco1234 address 172.30.2.2
RouterA(config-isakmp)# ike key cisco1234 address 172.30.2.2
RouterA(config)# crypto iaskmp key cisco1234 address 172.30.2.2
RouterA(config-isakmp)# crypto key cisco1234 address 172.30.2.2
123.
Which command produced the output shown in the graphic? B)
Router# show crypto isakmp sa
Router# show crypto isakmp policy
Router# show crypto map
Router# show crypto ipsec sa
124.
While implementing new security policies, a network administrator applies the configuration shown in the graphic. Which command must be used if the new configuration is to be used immediately for all security associations? A)
Router#clear crypto sa
Router#clear crypto sa counters
Router#clear crypto sa map all
Router#clear crypto sa peer all
125.
A new IPSec transform set is configured on a router using the commands shown. Which mode will be associated with this transform set? B)
transport
transform
tunnel
peer
126.
A network administrator wishes to create a transform set that will provide the best throughput with encryption on a Cisco PIX Security Appliance. Which transform should be included in the transform set?
esp-aes
esp-des
esp-3des
esp-aes192
127.
The network administrator has configured this crypto access control list. The administrator has applied the proper crypto map and IPSec configurations to the outbound interface of a Cisco IOS router and its peer. What is the purpose of the ACL configuration?
Router(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
encrypt all traffic from the 10.0.1.0 network destined to the 10.0.2.0 network
encrypt all traffic from the 10.0.2.0 network destined to the 10.0.1.0 network
encrypt all TCP traffic from the 10.0.2.0 network destined to the 10.0.1.0 network
encrypt all TCP traffic from the 10.0.1.0 network destined to the 10.0.2.0 network
128.
What configuration will create a crypto map named MYMAP on Router A to encrypt traffic from Site 1 to Site 2 that matches crypto ACL 110 with two peers for redundancy?
RouterA(config)# crypto map MYMAP ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config)# crypto map MYMAP ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 10.0.2.3
RouterA(config)# crypto map MYMAP 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 10.0.2.3
RouterA(config)# crypto map MYMAP 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
129.
What command produced the output shown in the graphic? D)
show crypto engine
show crypto ipsec sa
show crypto ipsec client ezvpn
show crypto map
130.
A newly configured VPN between home office and a remote office is not working. What command can be used on the routers to view current and detailed information regarding any security associations? B)
Router# show crypto map
Router# show crypto ipsec sa
Router# show crypto ipsec transform-set
Router# show crypto isakmp policy
131
Which Cisco IOS command generated the output shown in the graphic? B)
debug crypto ipsec
debug crypto isakmp
debug crypto socket
debug ip peer
show crypto isakmp policy
132.
Under which two conditions would this command be entered when configuring a router for IPSec? (Choose two.) A) & D)
Router(config)# crypto isakmp identity address
Only one interface will be used by the peer for ISAKMP negotiations.
More than one interface will be used by the peer for ISAKMP negotiations.
The interface’s IP address is unknown.
The interface’s IP address is known.
The network administrator wishes to change the identity used by the default method
133.
Multiple IKE policies can be created on each of two peer routers, each with a different combination of parameter values as seen in the table. Which parameters must match in each policy to complete IKE phase one? A)
All five parameters must match to complete IKE phase one.
Any four parameters must match to complete IKE phase one.
All but the ISAKMP security association lifetime must match to complete IKE phase one.
All but the Diffie-Hellman group identifier must match to complete IKE phase one.
Order Now