sec150 Chapter 7 ALL

preprocessors

IPS pattern matching is almost impossible because of the different protocols and their intricacies. For example, matching a file pattern in SMTP traffic is not performed the same way as matching it when flowing through HTTP with compression enabled. For that reason, the Cisco NGIPS offers a variety of --- that normalize traffic so that it can be matched against the defined Snort rules.

a private key

If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it? DH a private key a digital certificate a different public key

Making an online purchase

In what situation would an asymmetric algorithm most likely be used?

A TAXII server.

Which of the following can be deployed to generate, transport, and consume threat intelligence info?

They are relatively slow because they are based on difficult computational algorithms

Which statement describes asymmetric encryption algorithms?

Generator Prime modulus

Which two non-secret numbers are initially agreed upon when the Diffie-Hellman algorithm is used? (Choose two.)

Asymmetric

Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?

Auto NAT

You are tasked to configure NAT and translate the source address of an object regardless of the destination address. Which of the following NAT configuration features would you deploy to accomplish this task?

Balanced Security and Connectivity

You are tasked to deploy an intrusion policy designed to balance overall network performance with network infrastructure security. Which of the following base policies would you deploy in situations where you want to apply intrusion prevention?

Multiple context mode.

You were hired to deploy a Cisco ASA to provide separation of management and policies on a shared appliance. Which operational mode is best for this scenario?

The ____ MPF command configures security or QoS policies.

policy-map

IPS pattern matching is almost impossible because of the different protocols and their intricacies. For example, matching a file pattern in SMTP email traffic is not performed the same way as matching it when flowing through HTTP with compression enabled. For that reason, the Cisco NGIPS offers a variety of ___________ that normalize traffic so that it can be matched against the defined Snort rules.

preprocessors

nonrepudiation of the transaction

A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? authenticity of digitally signed data integrity of digitally signed data nonrepudiation of the transaction confidentiality of the public key

Implement CBC mode.

A network administrator is forced to use DES on aging equipment. What is one thing the administrator should do in this situation? Use ECC instead of parity. Increase the key length. Implement CBC mode. Increase the number of bits used for encryption.

When you add a Cisco FTD or Firepower device to FMC, what information is required?

A registration key

Symmetric

A shared secret is a key used in a _________ encryption algorithm.

Cisco ASA provides the Modular Policy Framework (MPF) to provide application security or perform Quality of Service (QoS) functions. The MPF offers a consistent and flexible way to configure the Cisco ASA application inspection and other features in a manner similar to that used for the Cisco IOS Software Modular QoS CLI. Which of the following are commands associated with the MPF?

ALL

In Cisco ASA deployments, an access control list (ACL) is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL is referred to as an access control entry (ACE). These ACEs classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?

ALL

Variables are used in multiple locations in Cisco Firepower NGIPS. IPS rules use preconfigured variables representing networks and ports. Which of the following are system default variables that are preconfigured in Cisco Firepower devices?

ALL

Which of the following are requirements for failover configurations?

ALL

The digital signatures

An online retailer needs a service to support the nonrepudiation of the transaction. Which component is used for this service?

Match the feature with the following description: Cisco Firepower NGIPS offers deep inspection and control of application-specific information for better efficacy.

Application visibility

Integrity

Authentication, _________________, and confidentiality are the three objectives of secure communications.

- class-map - policy-map - service-policy

Cisco ASA provides the Modular Policy Framework (MPF) to provide application security or perform Quality of Service (QoS) functions. The MPF offers a consistent and flexible way to configure the Cisco ASA application inspection and other features in a manner similar to that used for the Cisco IOS Software Modular QoS CLI. Which of the following are commands associated with the MPF? ALL of these

Which of the following Cisco firewalls is designed for very large enterprises and service providers?

Cisco Firepower 9300 appliances

Zone-based firewalls cannot be implemented in an SD-WAN solution.

Cisco IOS Zone-Based Firewall (ZBFW) can be deployed to provide firewall services in small and medium-sized organizations. Which of the following is NOT true about zone-based firewalls?

- Layer 2 protocol info such as EtherTypes - Layer 3 header info such as source and destination IP addresses. - Layer 4 header info such as source and destination TCP or UDP ports.

In Cisco ASA deployments, an ACL is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL is referred to as an access control entry (ACE). These ACEs classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following? All of these

A network administrator connects to a Cisco router with SSH

In which situation is an asymmetric key algorithm used?

It authenticates a website and establishes a secure connection to exchange confidential data

What is the purpose of a digital certificate?

To ensure that the source of the communications is confirmed

What is the purpose of a nonrepudiation service in secure communications?

Integrity of source .EXE files

What is the purpose of code signing?

to generate a shared secret between two hosts that have not communicated before

What is the purpose of the DH algorithm? to provide nonrepudiation support to support email data confidentiality to encrypt data traffic after a VPN is established to generate a shared secret between two hosts that have not communicated before

to provide authentication

What is the reason for HMAC to use an additional secret key as input to the hash function? to provide encryption to provide authentication to provide integrity verification to prevent DoS attack

PKI

What is the service framework that is needed to support large-scale public key-based technologies? HMAC PKI RSA

Shared secret

What type of encryption algorithm uses the same key to encrypt and decrypt data?

Cisco Firepower 9300 appliances.

Which of the following Cisco firewalls is designed for very large enterprises and service providers?

- The 2 participant devices must be configured in the same firewall mode (e.g. routed or transparent). - The 2 participant devices must be running the same software version. - You can configure different Cisco FTD devices in groups (or domain) in the Cisco FMC. Devices configured for failover must be in the same domain or group on the Cisco FMC.

Which of the following are requirements for failover configurations? ALL of these

After the master boots, it creates a logical interface and assigns an IP address to that interface to communicate to the other units in the cluster.

Which of the following is NOT a step in the Cisco FTD cluster unit transition?

The default security intelligence update frequency is 2 hours. In some scenarios, you may want to reduce this for more agile blacklisting.

Which of the following is a best practice for security intelligence updates?

- Both network analysis and intrusion policies are invoked by a parent access control policy, but at different times. - As the system analyzes traffic, the network analysis (decoding and preprocessing) phase occurs before and separately from the intrusion prevention (additional preprocessing and intrusion rules) phase. - The Cisco FTD has several similarly named network analysis and intrusion policies (e.g. Balance Security and Connectivity).

Which of the following is true about Cisco Firepower Intrusion Policies? ALL of these

Threat Grid.

Which of the following sandboxing technologies provides a dynamic analysis that includes an external kernel monitor, dynamic disk analysis that illuminates any modifications to the physical disk (such as the master boot record), monitoring user interaction, video capture and playback, process information, artifacts, and network traffic?

- Inline sets and passive interfaces are only supported on physical interfaces and EtherChannels. - Inline sets cannot use redundant interfaces or VLANs. - Inline sets and passive interfaces are supported in intra-chassis and inter-chassis clustering.

Which of the following statements are true about the inline interface sets and passive interfaces in Cisco FTD deployments? ALL of these

Layer 3 firewalls support EtherType ACLs.

Which of the following statements is NOT true about firewalls deployed in Layer 3 (routed) mode?

Standard ACLs provide a way to group similar items together to reduce the number of ACEs.

Which of the following statements is NOT true about standard ACLs?

integrity

Which requirement of secure communications is ensured by the implementation of MD5 or SHA hash generating algorithms? confidentiality authentication integrity nonrepudiation

SEAL is a stream cipher

Which statement describes the Software-Optimized Encryption Algorithm (SEAL)?

A class 0 certificate is for testing purposes. A class 4 certificate is for online business transactions between companies.

Which two statements correctly describe certificate classes used in the PKI? (Choose two.) A class 0 certificate is for testing purposes. A class 0 certificate is more trusted than a class 1 certificate. The lower the class number, the more trusted the certificate. A class 5 certificate is for users with a focus on verification of email. A class 4 certificate is for online business transactions between companies.

man-in-the-middle

Which type of attack does the use of HMACs protect against? DoS DDoS brute force man-in-the-middle

One of the keys can be made public

Why is asymmetric algorithm key management simpler than symmetric algorithm key management?

3DES is more trusted because it has been proven secure for a longer period than AES

Why is the 3DES algorithm often preferred over the AES algorithm?

# access-list MY-LIST extended permit tcp 192.168.88.0 255.255.255.128 host 10.2.2.2 eq 25

You were asked to configure a Cisco ASA to permit SMTP traffic from hosts in 192.168.88.0/25 to an email server (10.2.2.2). Which of the following access control entries (ACEs) in an ACL will accomplish this task?

Cisco IOS Zone-Based Firewall (ZBFW) can be deployed to provide firewall services in small- and medium-sized organizations. Which of the following is not true about zone-based firewalls?

Zone-based firewalls cannot be implemented in an SD-WAN solution.

In ZBFW deployments, an interface can be assigned to _____ security zone(s).

one

A Cisco ASA device also can be implemented as a traditional Layer _____ firewall.

Layer 2 or 3

Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack

How do modern cryptographers defend against brute-force attacks?

56 bits

How many bits does the Data Encryption Standard (DES) use for data encryption?

In a multimode transparent firewall (MMTF), Cisco ASA acts in a similar fashion to how it performs in single mode, with two major exceptions

B. Packets are handled in different contexts. C. An interface cannot be shared between multiple contexts in this mode.

At which OSI Layer are ACE EtherTypes packets found?

Layer 3

3DES

Refer to the exhibit. Which encryption algorithm is described in the exhibit?

On an ISR G2, _____ is a Peripheral Component Interconnect Express (PCIe) internal interface, and on a UCS E-Series, _____ is a switched interface connected to the backplane Multi Gigabit Fabric (MGF).

Slot0, Slot1

A registration key

When you add a Cisco FTD or Firepower device to FMC, what info is required?

SHA-2

The SHA-224, SHA-256, SHA-384, and SHA-512 hash functions are known collectively as ________________ algorithms.

defend the castle

The following message was encrypted using a Caesar cipher with a key of 2: fghgpf vjg ecuvng What is the plaintext message? defend the region invade the castle defend the castle invade the region

Match the feature with the following description: Cisco Firepower NGIPS provides protection against known and new threats.

Threat containment and remediation

AES

Which algorithm can ensure data confidentiality?

DH

Which encryption algorithm is an asymmetric algorithm?

IPsec protocol suite

Which encryption protocol provides network layer confidentiality?

Confidentiality

Which objective of secure communications is achieved by encrypting data?

$FILE_DATA_PORTS $HOME_NET $HTTP_SERVERS

Variables are used in multiple locations in Cisco Firepower NGIPS. IPS rules use preconfigured variables representing networks and ports. Which of the following are system default variables that are preconfigured in Cisco Firepower devices? ALL of these

certificate authority digital certificates

What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.) intrusion prevention system certificate authority digital certificates pre-shared key generation symmetric encryption algorithms

3DES AES

What are two symmetric encryption algorithms? (Choose two.) 3DES MD5 AES HMAC SHA

Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.

What is a difference between symmetric and asymmetric encryption algorithms? Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms. Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages. Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data. Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.

Breaking encrypted codes

What is the focus of cryptanalysis?

To secure the exchange of keys used to encrypt data

What is the most common use of the Diffie-Hellman algorithm in communications security?

The ____ MPF command classifies the traffic to be inspected.

class-map

