CET FINAL
What is the default privilege level of user accounts created on Cisco routers?
1*
What is a requirement to use the Secure Copy Protocol feature?
A command must be issued to enable the SCP server side functionality.*
A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
A dynamic ACL entry is added to the external interface in the inbound direction.*
What is a characteristic of the Cisco IOS Resilient Configuration feature?
A snapshot of the router running configuration can be taken and securely archived in persistent storage.*
What is the significant characteristic of worm malware?
A worm can execute independently of the host system.*
When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?
ACEs to prevent traffic from private address spaces*
Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?
All traffic that is permitted by the ACL is subject to inspection by the IPS.*
Which two statements describe access attacks? (Choose two.)
Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code.* Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.*
What is the first step in the risk management process specified by the ISO/IEC?
Conduct a risk assessment.*
If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)
Create a view using the parser view view-name command.* Assign a secret password to the view.* Assign commands to the view.*
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
Creating a user account that needs access to most but not all commands can be a tedious process.* Commands set on a higher privilege level are not available for lower privilege users.* There is no access control to specific interfaces on a router.*
Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as "A"?
DMZ*
Consider the following access list.
access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any
Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.)
Devices on the 192.168.10.0/24 network are not allowed to ping other devices on the 192.168.11.0/24 network.* A Telnet or SSH session is allowed from any device on the 192.168.10.0/24 network into the router with this access list assigned.*
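To see why those two answers hold, the following added example (not part of the original exam page and not Cisco code) evaluates the three-ACE access list from the question with the first-match rule, wildcard-mask address matching and the implicit deny that ends every IOS ACL. It models only the fields the question needs (protocol, source and destination address, ICMP type, destination port); the sample packets are constructed for illustration.

```python
"""Evaluate access-list 100 from the question against sample packets.

Added example, not part of the original exam page or any Cisco code. It
models first-match evaluation of a Cisco IPv4 extended ACL, including
wildcard-mask matching and the implicit deny at the end of every ACL.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# ICMP type keywords as used in IOS ACL syntax (only the two needed here)
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Ace:
    """One access control entry, e.g. deny icmp 192.168.10.0 0.0.0.255 any echo."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    icmp_type: Optional[str] = None   # ICMP type keyword, None = any type
    dst_port: Optional[int] = None    # TCP/UDP destination port, None = any


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None
    dst_port: Optional[int] = None


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def match_addr(spec: str, addr: str) -> bool:
    """Match an address against an ACE address specification."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _addr(parts[1]) == _addr(addr)
    base, wildcard = _addr(parts[0]), _addr(parts[1])
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wildcard & 0xFFFFFFFF
    return (_addr(addr) & care) == (base & care)


def match_ace(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
        return False
    if ace.icmp_type is not None and ICMP_TYPES[ace.icmp_type] != pkt.icmp_type:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if match_ace(ace, pkt):
            return ace.action
    return "deny"          # implicit "deny ip any any" at the end of every ACL


# access-list 100 from the question, in configured order
ACL_100 = [
    Ace("permit", "ip", "host 192.168.10.1", "any"),
    Ace("deny", "icmp", "192.168.10.0 0.0.0.255", "any", icmp_type="echo"),
    Ace("permit", "ip", "any", "any"),
]

# Constructed sample packets arriving inbound on the 192.168.10.254 interface
SAMPLES = {
    "ping .10.20 -> .11.5":       Packet("192.168.10.20", "192.168.11.5", "icmp", icmp_type=8),
    "ping .10.1 -> .11.5":        Packet("192.168.10.1", "192.168.11.5", "icmp", icmp_type=8),
    "echo-reply .10.20 -> .11.5": Packet("192.168.10.20", "192.168.11.5", "icmp", icmp_type=0),
    "ssh .10.20 -> router":       Packet("192.168.10.20", "192.168.10.254", "tcp", dst_port=22),
    "telnet .10.20 -> router":    Packet("192.168.10.20", "192.168.10.254", "tcp", dst_port=23),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28s} -> {evaluate(ACL_100, pkt)}")
```

Two details worth noticing in the output: host 192.168.10.1 can still ping anything because ACE 1 matches it before the ICMP deny is reached (first match wins), and echo replies from the /24 are permitted because ACE 2 only names type 8, so hosts on 192.168.10.0/24 can still be pinged from elsewhere. Telnet and SSH to the router fall through to ACE 3. An ACL with no matching entry denies the packet.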
An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)
Enable inbound vty SSH sessions.* Configure the IP domain name on the router.* Generate the SSH keys.*
When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?
Establish policies between zones.*
Which two statements characterize DoS attacks? (Choose two.)
Examples include smurf attacks and ping of death attacks.* They attempt to compromise the availability of a network, host, or application*
Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)
If neither interface is a zone member, then the action is to pass traffic.* If both interfaces are members of the same zone, all traffic will be passed.*
Which solution supports AAA for both RADIUS and TACACS+ servers?
Implement Cisco Secure Access Control System (ACS) only.*
Which statement accurately characterizes the evolution of threats to network security?
Internal threats can cause even greater damage than external threats.*
When a method list for AAA authentication is being configured, what is the effect of the keyword local?
It accepts a locally configured username, regardless of case*
Why is authentication with AAA preferred over a local database method?
It provides a fallback authentication method if the administrator forgets the username or password.*
Refer to the exhibit. Which statement about the JR-Admin account is true?
JR-Admin can issue ping and reload commands*
Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?
Locate the router in a secure locked room that is accessible only to authorized personnel.*
What is a characteristic of a Trojan horse as it relates to network security?
Malware is contained in a seemingly legitimate executable program.*
What is a characteristic of AAA accounting?
Possible triggers for the aaa accounting exec default command include start-stop and stop-only.*
A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode?
Quiet mode behavior can be overridden for specific networks by using an ACL.*
Which set of commands are required to create a username of admin, hash the password using MD5, and force the router to access the internal username database when a user attempts to access the console?
R1(config)# username admin secret Admin01pa55
R1(config)# line con 0
R1(config-line)# login local*
What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?
RADIUS*
What is a characteristic of TACACS+?
TACACS+ provides authorization of router commands on a per-user or per-group basis.*
Which server-based authentication protocol would be best for an organization that wants to apply authorization policies on a per-group basis?
TACACS+*
Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)
Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.* SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.*
What is a characteristic of the MIB?
The OIDs are organized in a hierarchical structure.*
What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
The generated keys can be used by SSH.*
Why would a network administrator include a local username configuration, when the AAA-enabled router is also configured to authenticate using several ACS servers?
The local username database will provide a backup for authentication in the event the ACS servers become unreachable.*
Refer to the exhibit. Router R1 has been configured as shown, with the resulting log message. On the basis of the information that is presented, which two statements describe the result of AAA authentication operation? (Choose two.)
The locked-out user stays locked out until the clear aaa local user lockout username Admin command is issued.* The locked-out user failed authentication.*
Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
The packet is dropped.*
Refer to the exhibit. Which statement describes the configuration of the ports for Server1?
The ports configured for Server1 on the router must be identical to those configured on the RADIUS server.*
What is the result of entering the aaa accounting network command on a router?
The router collects and reports usage data related to network-related service requests.*
A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?
The two models cannot be implemented on a single interface.*
Refer to the exhibit. Which statement describes the function of the ACEs?
These ACEs allow for IPv6 neighbor discovery traffic.*
Which statement describes a typical security policy for a DMZ firewall configuration?
Traffic that originates from the DMZ interface is selectively permitted to the outside interface.*
What worm mitigation phase involves actively disinfecting infected systems?
Treatment*
A user complains about being locked out of a device after too many unsuccessful AAA login attempts. What could be used by the network administrator to provide a secure authentication access method without locking a user out of a device?
Use the login delay command for authentication attempts.*
A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled?
Use the show aaa local user lockout command.*
Which characteristic is an important aspect of authorization in an AAA-enabled network device?
User access is restricted to certain services.*
Which two characteristics apply to role-based CLI access superviews? (Choose two.)
Users logged in to a superview can access all commands specified within the associated CLI views.* A specific superview cannot have commands added to it directly.*
What difference exists when using Windows Server as an AAA server, rather than Cisco Secure ACS?
Windows Server uses its own Active Directory (AD) controller for authentication and authorization.*
What is a ping sweep?
a network scanning technique that indicates the live hosts in a range of IP addresses*
What are the three major components of a worm attack? (Choose three.)
a payload* an enabling vulnerability* a propagation mechanism*
Which component of AAA allows an administrator to track individuals who access network resources and any changes that are made to those resources?
accounting*
In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?
application layer protocol session information*
A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.)
area 0 authentication message-digest* ip ospf message-digest-key 1 md5 1A2b3C*
What causes a buffer overflow?
attempting to write more data to a memory location than that location can hold*
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
authorization*
What is one benefit of using a stateful firewall instead of a proxy server?
better performance*
What method can be used to mitigate ping sweeps?
blocking ICMP echo and echo-replies at the network edge*
How is a smurf attack conducted?
by sending a large number of ICMP requests to directed broadcast addresses from a spoofed source address on the same network*
Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.)
content of a security banner* enable secret password* enable password*
What functional area of the Cisco Network Foundation Protection framework is responsible for device-generated packets required for network operation, such as ARP message exchanges and routing advertisements?
control plane*
Which three actions are produced by adding Cisco IOS login enhancements to the router login process? (Choose three.)
create syslog messages* slow down an active attack* disable logins from specified hosts*
Which debug command is used to focus on the status of a TCP connection when using TACACS+ for authentication?
debug tacacs events*
What is the role of an IPS?
detecting and blocking of attacks in real time*
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
echo reply*
True or False? The single-connection keyword prevents the configuration of multiple TACACS+ servers on an AAA-enabled router.
false*
What commonly motivates cybercriminals to attack networks as compared to hacktivists or state-sponsored hackers?
financial gain*
What role does the Security Intelligence Operations (SIO) play in the Cisco SecureX architecture?
identifying and stopping malicious traffic*
When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)
inspect* drop*
What is the primary method for mitigating malware?
installing antivirus software on all hosts*
What are the three components of information security ensured by cryptography? (Choose three.)
integrity* availability* confidentiality*
Which two network security solutions can be used to mitigate DoS attacks? (Choose two.)
intrusion protection systems* antispoofing technologies*
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
ipv6 traffic-filter ENG_ACL in*
Which authentication method stores usernames and passwords in the router and is ideal for small networks?
local AAA*
What command must be issued to enable login enhancements on a Cisco router?
login block-for*
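The login-enhancement questions above (quiet mode, the quiet-mode ACL override, login delay and the syslog messages) all describe one state machine. The following added example (not part of the original exam page and not IOS code) simulates it for a router configured with login block-for 120 attempts 3 within 60, login quiet-mode access-class PERMIT-ADMIN and login delay 2. The source addresses, timestamps and ACL contents are constructed; the syslog text only approximates the real %SEC_LOGIN messages, and the login delay is modelled as a global "not yet accepted" result rather than the router actually holding the prompt.

```python
"""Simulation of Cisco IOS login enhancements (block-for, quiet mode, delay).

Added example, not IOS code. Mirrors the behaviour of:
  login block-for 120 attempts 3 within 60
  login quiet-mode access-class PERMIT-ADMIN   (assumed standard ACL name)
  login delay 2
Syslog strings approximate the %SEC_LOGIN messages IOS generates.
"""
from collections import deque
from typing import Deque, Iterable, List, Optional
import ipaddress


class LoginGuard:
    def __init__(self, block_for: int = 120, attempts: int = 3, within: int = 60,
                 delay: int = 1, quiet_mode_acl: Iterable[str] = ()) -> None:
        self.block_for = block_for          # seconds of quiet mode
        self.attempts = attempts            # failures that trigger quiet mode
        self.within = within                # watch window in seconds
        self.delay = delay                  # seconds between successive attempts
        # Standard ACL applied with "login quiet-mode access-class": permitted sources
        self.acl = [ipaddress.ip_network(n) for n in quiet_mode_acl]
        self.failures: Deque[float] = deque()   # timestamps of recent failures
        self.quiet_until: Optional[float] = None
        self.next_allowed: float = 0.0
        self.syslog: List[str] = []

    def in_quiet_mode(self, now: float) -> bool:
        """Report (and expire) quiet mode, logging when the block period ends."""
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None
            self.syslog.append("%SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, "
                               "because block period timed out")
        return self.quiet_until is not None

    def _exempt(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.acl)

    def attempt(self, now: float, src: str, user: str, password_ok: bool) -> str:
        """Process one login attempt; returns success/failed/blocked/wait."""
        # In quiet mode the router presents no prompt at all, except to hosts
        # permitted by the quiet-mode ACL.
        if self.in_quiet_mode(now) and not self._exempt(src):
            return "blocked"
        # "login delay" enforces a minimum gap between attempts (simplified: global).
        if now < self.next_allowed:
            return "wait"
        self.next_allowed = now + self.delay
        if password_ok:
            self.syslog.append(f"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
                               f"[user: {user}] [Source: {src}]")
            return "success"
        self.syslog.append(f"%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
                           f"[user: {user}] [Source: {src}]")
        self.failures.append(now)
        # Only failures inside the "within" window count toward the threshold.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.syslog.append(f"%SEC_LOGIN-1-QUIET_MODE_ON: Quiet Mode is ON "
                               f"for {self.block_for} secs [Source: {src}]")
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(block_for=120, attempts=3, within=60, delay=2,
                       quiet_mode_acl=["10.1.1.0/24"])   # constructed admin subnet
    for t, src, ok in [(0, "203.0.113.9", False), (3, "203.0.113.9", False),
                       (6, "203.0.113.9", False), (10, "203.0.113.9", True),
                       (11, "10.1.1.7", True), (130, "203.0.113.9", True)]:
        print(f"t={t:>3} {src:13s} -> {guard.attempt(t, src, 'admin', ok)}")
    print("\n".join(guard.syslog))
```

The run shows the point of the two exam answers: three failures at t=0, 3 and 6 put the router into quiet mode until t=126, so even a correct password from 203.0.113.9 at t=10 is refused, while the administrator on the ACL-permitted 10.1.1.0/24 subnet still gets in. Without the quiet-mode ACL the administrator would be locked out with everyone else for the whole block period.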
An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?
man in the middle*
What is one limitation of a stateful firewall?
not as effective with UDP- or ICMP-based traffic*
What is the function of the pass action on a Cisco IOS Zone-Based Policy Firewall?
forwarding traffic from one zone to another*
Fill in the blank. The ____ action in a Cisco IOS Zone-Based Policy Firewall is similar to a permit statement in an ACL.
pass*
Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.)
password encryption* utilization of transport layer protocols*
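"Password encryption" is a shared feature in name only; the two protocols hide very different amounts of the packet. The following added example (not part of the original exam page, not Cisco or vendor code) implements the actual mechanisms: the RADIUS User-Password hiding from RFC 2865 section 5.2, which covers only that one attribute, and the TACACS+ body obfuscation from RFC 8907 section 4.5, which covers the whole packet body. The shared secrets, request authenticator, session ID and body bytes are constructed for the demonstration.

```python
"""RADIUS User-Password hiding vs. TACACS+ body obfuscation.

Added example, not part of the original page. Implements RFC 2865 §5.2
(RADIUS) and RFC 8907 §4.5 (TACACS+). Both are MD5-based XOR streams keyed
by the shared secret; neither is authenticated encryption.
"""
import hashlib
import os
import struct


def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Return the User-Password attribute value (multiple of 16 bytes).

    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
    b_n = MD5(secret + c_{n-1}),              c_n = p_n XOR b_n.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (as the RADIUS server does it).

    Trailing NUL padding is stripped, so a password ending in NUL bytes
    would not survive the round trip; RFC 2865 has the same limitation.
    """
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def tacacs_plus_obfuscate(key: bytes, session_id: int, version: int,
                          seq_no: int, body: bytes) -> bytes:
    """XOR the TACACS+ body with the MD5 pseudo-pad; the same call decrypts.

    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1})
    pseudo_pad = MD5_1 | MD5_2 | ... truncated to len(body)
    """
    seed = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


if __name__ == "__main__":
    secret = b"s3cr3t-shared-key"             # constructed shared secret
    authenticator = os.urandom(16)             # Request Authenticator in Access-Request
    hidden = radius_hide_password(secret, authenticator, b"Admin01pa55")
    print("RADIUS User-Password:", hidden.hex())
    print("recovered:", radius_reveal_password(secret, authenticator, hidden))

    # Constructed TACACS+ authentication START body: action, priv_lvl, type,
    # service, user_len, port_len, rem_addr_len, data_len, "admin", "tty0"
    body = bytes([1, 15, 1, 1, 5, 4, 0, 0]) + b"admin" + b"tty0"
    obf = tacacs_plus_obfuscate(secret, 0x1A2B3C4D, 0xC0, 1, body)
    print("TACACS+ body on the wire:", obf.hex())
    print("decrypted:", tacacs_plus_obfuscate(secret, 0x1A2B3C4D, 0xC0, 1, obf))
```

The practical consequence is the one the course makes elsewhere: a sniffer on the path sees RADIUS usernames, NAS identifiers and every other attribute in cleartext, but sees nothing of a TACACS+ body beyond the 12-byte header. Both schemes stand or fall on the secrecy and strength of the shared secret, since MD5 of a guessable secret can be brute-forced offline from one captured exchange.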
If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap*
What is the Control Plane Policing (CoPP) feature designed to accomplish?
prevent unnecessary traffic from overwhelming the route processor*
A disgruntled employee is using Wireshark to discover administrative Telnet usernames and passwords. What type of network attack does this describe?
reconnaissance*
Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)
router hardening* operating system security* physical security*
Which type of packet is unable to be filtered by an outbound ACL?
router-generated packet*
What are the three core components of the Cisco Secure Data Center solution? (Choose three.)
secure segmentation* visibility* threat defense*
Which two options can be configured by Cisco AutoSecure? (Choose two.)
security banner* enable secret password*
Which command will verify a Zone-Based Policy Firewall configuration?
show running-config*
Which three functions are provided by the syslog logging service? (Choose three.)
specifying where captured information is stored* gathering logging information* distinguishing between information to be captured and information to be ignored*
Fill in the blank. A ________ firewall monitors the state of connections as network traffic flows into and out of the organization.
stateful*
Which security tool monitors network traffic as it flows into and out of the organization and determines whether packets belong to an existing connection or are from an unauthorized source?
stateful firewall*
Which three types of views are available when configuring the role-based CLI access feature? (Choose three.)
superview* root view* CLI view*
Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT?
superview, containing SHOWVIEW and VERIFYVIEW views*
What device is considered a supplicant during the 802.1X authentication process?
the client that is requesting authentication*
When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?
the switch that the client is connected to*
What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?
to configure OSPF MD5 authentication globally on the router*
What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)
to prevent data traffic from being redirected and then discarded* to prevent redirection of data traffic to an insecure link*
What is an objective of a state-sponsored attack?
to gain advantage over adversaries*
What is the purpose in configuring an IOS IPS crypto key when enabling IOS IPS on a Cisco router?
to verify the digital signature for the master signature file*
A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?
traffic that is going from the private network to the DMZ*
Which condition describes the potential threat created by Instant On in a data center?
when a VM that may have outdated security policies is brought online after a long period of inactivity.*
