Networking and security

Which statement describes phone freaking?

A hacker mimics a tone using a whistle to make free long-distance calls on an analog telephone network.

What is involved in an IP address spoofing attack?

A legitimate network IP address is hijacked by a rogue node.

Users report to the helpdesk that icons usually seen on the menu bar are randomly appearing on their computer screens. What could be a reason that computers are displaying these random graphics?

A virus has infected the computers.

What is a significant characteristic of virus malware?

A virus is triggered by an event on the host system.

Which two statements are characteristics of a virus? (Choose two.)

A virus typically requires end-user activation. A virus can be dormant and then activate at a specific time or date.

When implementing an inbound Internet traffic ACL, what should be included to prevent the spoofing of internal networks?

ACEs to prevent traffic from private address spaces

Which security solution provides continuous visibility and control before, during, and after an attack to defeat malware across the extended network of an organization?

AMP

Which statement is true about a characteristic of the PVLAN Edge feature on a Cisco switch?

All data traffic that passes between protected ports must be forwarded through a Layer�3 device.

What is the result in the self zone if a router is the source or destination of traffic?

All traffic is permitted

What three configuration steps must be performed to implement SSH access to a router? (Choose three.)

An ip domain name A user account A unique hostname

If AAA is already enabled, which three CLI steps are required to configure a router with a specific view (Choose three.)

Assign a secret password to the view. Assign commands to the view. Create a view using the�parser view�view-name�command.

What is a recommended best practice when dealing with the native VLAN?

Assign it to an unused VLAN.

What is an effect if AAA authorization on a device is not configured?

Authenticated users are granted full access rights.

Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?

CDP

What tool is available through the Cisco IOS CLI to initiate security audits and to make recommended configuration changes with or without administrator input?

Cisco AutoSecure

Which task is necessary to encrypt the transfer of data between the ACS server and the AAA-enabled router?

Configure the key exactly the same way on the server and the router.

The Cisco Network Foundation Protection framework has three functional areas. The ________ �plane of a router is responsible for routing packets correctly.

Data

Which packet type is user-generated and forwarded by a router?

Data plane packet

What is the meaning of the principle of minimum trust when used to design network security?

Devices in networks should not access and use one another unnecessarily and unconditionally.

What is the best way to prevent a VLAN hopping attack?

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

The�_____________ �action in a Cisco IOS Zone-Based Policy Firewall is similar to a deny statement in an ACL.

Drop

Which ICMP message type should be stopped inbound?

Echo

What is the first required task when configuring server-based AAA authentication?

Enable AAA globally.

What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow?

Enable port security.

What are two characteristics of ACLs? (Choose two.)

Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses.

Antivirus software can prevent viruses from entering the network.

False

A network administrator was testing an IPS device by releasing multiple packets into the network. The administrator examined the log and noticed that a group of alarms were generated by the IPS that identified normal user traffic. Which term describes this group of alarms?

False positive

Which three are SAN transport technologies? (Choose three.)

Fiber Channel FCIP ISCSI

Which protocol creates a virtual point-to-point connection to tunnel unencrypted traffic between Cisco routers from a variety of protocols?

GRE

Which two options provide secure remote access to a router? (Choose two.)

HTTPS SSH

Which are the five security associations to configure in ISAKMP policy configuration mode?

Hash, Authentication, Group, Lifetime, Encryption

During which part of establishing an IPsec VPN tunnel between two sites would NAT-T detection occur?

IKE Phase 1

Where is the firewall policy applied when using Classic Firewall?

Interfaces

Which statement accurately characterizes the evolution of network security?

Internal threats can cause even greater damage than external threats.

Which statement describes a stateful firewall?

It can determine if the connection is in the initiation, data transfer, or termination phase.

What is an IPS signature?

It is a set of rules used to detect typical intrusive activity.

Why is the�username�name�algorithm-type scrypt secret�password�command preferred over the�username�name�secret�password�command?

It uses the SCRYPT algorithm for encrypting passwords.

Which statement describes a characteristic of authorization in an AAA solution?

It works similarly to privilege levels and role-based CLI.

At which layer of the OSI model does Spanning Tree Protocol operate?

Layer 2

What is the biggest issue with local implementation of AAA?

Local implementation does not scale well.

What is the default configuration of the PVLAN Edge feature on a Cisco switch?

No ports are defined as protected.

Consider the access list command applied outbound on a router serial interface.� access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo reply What is the effect of applying this access list command?

No traffic will be allowed outbound on the serial interface.

What is the service framework that is needed to support large-scale public key-based technologies?

PKI

Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

Physical security operating system security router hardening

A network administrator is configuring the action type for a specific IPS signature that identifies an attack that contains a specific series of TCP packets. Once detected, the action to be taken is to terminate the current packet and future packets associated with the TCP flow. Which command should be used?

R1(config-sigdef-sig)#�event-action�deny-connection-inline

Which command releases the dynamic resources associated with the Cisco IOS IPS on a Cisco router?

Router# clear ip ips configuration

Which command helps verify the Cisco IOS IPS configuration?

Router# show ip ips configuration

Which of the following can be used to falsify routing information, cause DoS attacks, or cause traffic to be redirected?

Routing Protocol Spoofing

Which OSPF authentication should be used wherever possible, because MD5 authentication is considered vulnerable to attacks?

SHA

Which element of an SNMP implementation can be configured to respond to requests as well as to forward notifications?

SNMP agent

With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.)

SPIT vishing

Which Cisco network security tool is a cloud-based service that provides alerts to network professionals about current network attacks?

Security Intelligence Operations

Which Cisco feature sends copies of frames entering one port to a different port on the same switch in order to perform traffic analysis?

Span

The inspect action in a Cisco IOS Zone-Based Policy Firewall configures Cisco IOS�______________ packet inspection.

Stateful

What is a difference between symmetric and asymmetric encryption algorithms?

Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.

What is a characteristic of TACACS+?

TACACS+ provides authorization of router commands on a per-user or per-group basis.

Which statement identifies an important difference between TACACS+ and RADIUS?

The TACACS+ protocol allows for separation of authentication from authorization.

What is the result if an administrator configures the aaa authorization command prior to creating a user with full access rights?

The administrator is immediately locked out of the system.

Under which circumstance is it safe to connect to an open wireless network?

The connection is followed by a VPN connection to a trusted network.

Which three options describe the phases of worm mitigation? (Choose three.)

The containment phase requires the use of incoming and outgoing ACLs on routers and firewalls. The inoculation phase patches uninfected systems with the appropriate vendor patch for the vulnerability. The treatment phase disinfects actively infected systems.

Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices?

These devices�are more varied in type and are portable.

Refer to the exhibit. A network administrator is configuring an IOS IPS. Which statement describes the IPS signatures that are enabled?

These signatures detect attacks within a single packet.

Which statement is a characteristic of a packet filtering firewall?

They are susceptible to IP spoofing.?

Which two are characteristics of DoS attacks? (Choose two.)

They attempt to compromise the availability of a network, host, or application. Examples include smurf attacks and ping of death attacks.

What are two purposes of launching a reconnaissance attack on a network? (Choose two.)

To scan for accessibility To gather information about the network and devices

Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

Which type of security threat can be described as software that attaches to another program to execute a specific unwanted function?

Virus

What type of malware has the primary objective of spreading across the network?

Worm

If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it?

a private key

What is the primary means for mitigating virus and Trojan horse attacks?

antivirus software

How does a DoS attack take advantage of the stateful condition of target systems?

by continuously sending packets of unexpected size or unexpected data

What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)

certificate authority digital certificates

Which security measure is typically found both inside and outside a data center facility?

continuous video surveillance

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports?

control

The following message was encrypted using a Caesar cipher with a key of 2: fghgpf vjg ecuvng What is the plaintext message??

defend the castle

Which two tasks are associated with router hardening? (Choose two.)

disabling unused ports and interfaces securing administrative access

What IOS privilege levels are available to assign for custom user-level privileges?

levels 2 through 14

A network administrator needs to protect a router against brute force login attempts. What is the correct�login-block-for�command syntax to disable login for 3 minutes if more than 3 failed attempts are made within a 2 minute period?

login block-for 180 attempts 3 within 120

Which type of attack does the use of HMACs protect against?

man-in-the-middle

What functional area of the Cisco Network Foundation Protection framework uses protocols such as Telnet and SSH to manage network devices?

management plane

A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required?

nonrepudiation of the transaction

Where would the following ACE be placed? permit icmp any any nd-na

on an IPv6-enabled router interface that connects to another router

A network administrator is configuring the triggering mechanism for the network-based IPS by defining a pattern of web surfing activities. The signature is applied across the corporate campus regardless of the type of web browser used. What type of triggering mechanism is being implemented?

policy-based

When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined network policies, what feature is being used?

posture assessment

Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)

private IP addresses any IP address that starts with the number 127

What is one advantage of using a next-generation firewall rather than a stateful firewall?

proactive rather than reactive protection from Internet threats

When role-based CLI is used, which�view is the only view that has the ability to add or remove commands from existing views?

root

What is considered a valid method of securing the control plane in the Cisco NFP framework?

routing protocol authentication

What is a benefit of having users or remote employees use a VPN to connect to the existing network rather than growing the network infrastructure?

scalability

What would be the primary reason an attacker would launch a MAC address overflow attack?

so that the attacker can see frames that are destined for other hosts

A network administrator configures the alert generation of an IPS device in such a way that when multiple attack packets that match the same signature are detected, a single alert for the first packet is generated and the remaining duplicate alarms are counted, but not sent, for a specific time period. When the specified time period is reached, an alert is sent that indicates the number of alarms that occurred during the time interval. What kind of alert generation pattern is configured?

summary alerts

Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)

switchport mode trunk switchport port-security mac-address sticky switchport port-security mac-address mac-address

Which command is used to configure the PVLAN Edge feature?

switchport protected

What is hyperjacking?

taking over a virtual machine hypervisor as part of a data center attack

What is the goal of the Cisco NAC framework and the Cisco NAC appliance?

to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

What is the purpose of the DH algorithm?

to generate a shared secret between two hosts that have not communicated before

What is the reason for HMAC to use an additional secret key as input to the hash function?

to provide authentication

What are two reasons for securing the data plane in the Cisco NFP framework? (Choose two.)

to provide bandwidth control to protect against DoS attacks

What is a main purpose of launching an access attack on network systems?

to retrieve data

Which two methods are used to mitigate VLAN attacks? (Choose two.)

using a dummy VLAN for the native VLAN disabling DTP autonegotiation on all trunk ports