Chapter 5 - Network Security and Monitoring (Quiz + Exam) aline

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

b) It uses message integrity to ensure that packets have not been altered in transit. d) It uses authentication to determine if messages are from a valid source. e) It uses encryption to scramble the content of packets to prevent unauthorized access. SNMPv3 provides security by providing confidentiality of the messages, authentication, and encryption, and it uses a hierarchical MIB structure. SNMPv2c provides expanded error codes to identify different types of error conditions.

A company is designing a network monitoring system and is considering SNMPv3. What are three characteristics of SNMPv3? (Choose three.)

b) It adds a new user to the SNMP group. c) It uses the MD5 authentication of the SNMP messages. The command snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 creates a new user and configures authentication with MD5. The command does not use a secret encrypted password on the server. The command snmp-server community string access-list-number-or-name restricts SNMP access to defined SNMP managers.

A network administrator has issued the snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 command. What are two features of this command? (Choose two.)

a) message source validation c) message encryption SNMPv3 provides message integrity to ensure that a packet was not tampered with and authentication to determine if the message is from a valid source. SNMPv3 also supports message encryption. SNMPv1 and SNMPv2 do not support message encryption, but do support community strings. SNMPv2c supports bulk retrieval operation. All SNMP versions support the SNMP trap mechanism.

A network administrator is analyzing the features supported by the multiple versions of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.)

a) If an interface comes up, a trap is sent to the server. The snmp-server enable traps command enables SNMP to send trap messages to the NMS at 10.10.50.25. This notification-types argument can be used to specify what specific type of trap is sent. If this argument is not used, then all trap types are sent. If the notification-types argument is used, then repeated use of this command is required if another subset of trap types is desired.

A network administrator issues two commands on a router: R1(config)# snmp-server host 10.10.50.25 version 2c campus R1(config)# snmp-server enable traps What can be concluded after the commands are entered?

d) replying to GET request and SET request messages that are sent by an NMS

Match SNMP operation to the corresponding description. get-response

snooping DHCP snooping is used to mitigate DHCP spoofing attacks by configuring a switch to stop DHCP server messages on ports that should not be receiving them.

DHCP ________________ is a mitigation technique to prevent rogue DHCP servers from providing false IP configuration parameters.

d) Define an ACL and reference it by using the snmp-server community command. The snmp-server community string access-list-number-or-name command restricts SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL. The snmp-server host host-id [version {1 | 2c | 3 [auth | noauth | priv]}] community-string command specifies the recipient of the SNMP trap operations. The snmp-server community string {ro | rw} command configures the community string and access level. The snmp-server enable traps notification-types command enables traps on an SNMP agent.

How can SNMP access be restricted to a specific SNMP manager?

c) retrieving multiple rows in a table in a single transmission

Match SNMP operation to the corresponding description. get-bulk-request

a) sequentially searching tables to retrieve a value from a variable

Match SNMP operation to the corresponding description. get-next-request

f) storing a value in a specific variable

Match SNMP operation to the corresponding description. set-request

a) The SNMP agent is not configured for write access. Because the SNMP manager is able to access the SNMP agent, the problem is not related to the ACL configuration. The SNMP agent configuration should have an access level configured of rw to support the SNMP manager set requests. The SNMP manager cannot change configuration variables on the SNMP agent R1 with only ro access. The IP address of the SNMP manager does not have to be 172.16.1.1 to make changes to the SNMP agent. The SNMP agent does not have to have traps disabled.

Refer to the exhibit. A SNMP manager has IP address 172.16.1.120. The SNMP manager is unable to change configuration variables on the R1 SNMP agent. What could be the problem?

a) All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1. The show monitor session command is used to verify how SPAN is configured (what ports are involved in the traffic mirroring).

Refer to the exhibit. Based on the output generated by the show monitor session 1 command, how will SPAN operate on the switch?

d) 7 The DHCP snooping configuration includes building the DHCP Snooping Binding Database and assigning necessary trusted ports on switches. A trusted port points to the legitimate DHCP servers. In this network design, because the DHCP server is attached to AS3, seven switch ports should be assigned as trusted ports, one on AS3 toward the DHCP server, one on DS1 toward AS3, one on DS2 toward AS3, and two connections on both AS1 and AS2 (toward DS1 and DS2), for a total of seven.

Refer to the exhibit. PC1 and PC2 should be able to obtain IP address assignments from the DHCP server. How many ports among switches should be assigned as trusted ports as part of the DHCP snooping configuration?

d) There is a problem with the ACL configuration. The permit statement with the incorrect IP address is the reason why the administrator is not able to access router R1. The correct statement should be permit 192.168.1.3. The snmp-server location and snmp-server enable traps commands are optional commands and have no relation to the access restriction to router R1. The rw keyword does not need to be included in this case because the administrator just wants to obtain information, not change any configuration.

Refer to the exhibit. Router R1 was configured by a network administrator to use SNMP version 2. The following commands were issued: R1(config)# snmp-server community batonaug ro SNMP_ACL R1(config)# snmp-server contact Wayne World R1(config)# snmp-server host 192.168.1.3 version 2c batonaug R1(config)# ip access-list standard SNMP_ACL R1(config-std-nacl)# permit 192.168.10.3 Why is the administrator not able to get any information from R1?

d) An ACL was configured to restrict SNMP access to an SNMP manager. The output is produced in response to the show snmp community command. It displays the community string and any ACLs that may be configured. The show snmp command without any keyword does not display information relating to the SNMP community string or, if applicable, the associated ACL. Because the show snmp community command does not display the contact or location information, whether they are configured or not cannot be concluded.

Refer to the exhibit. What can be concluded from the produced output?

d) Sw_A(config)# monitor session 5 source interface gi0/1 Sw_A(config)# monitor session 5 destination interface fa0/7 The local SPAN configuration requires two statements to identify the source and destination ports for the mirrored traffic. The statements must use the same session number. In this example, the source port is the port connected to the server (Gi0/1) and the destination port is the port attached to the packet analyzer (Fa0/7).

Refer to the exhibit. Which command or set of commands will configure SW_A to copy all traffic for the server to the packet analyzer?

b) G0/23 When DHCP snooping is configured, the interface that connects to the DHCP server is configured as a trusted port. Trusted ports can source DHCP requests and acknowledgments. All ports not specifically configured as trusted are considered untrusted by the switch and can only source DHCP requests.

Refer to the exhibit. Which interface on switch S1 should be configured as a DHCP snooping trusted port to help mitigate DHCP spoofing attacks?

a) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1. The Switched Port Analyzer (SPAN) feature on Cisco switches is a type of port mirroring that sends copies of the frame entering a source port (or VLAN) out another port on the same switch. Typically a packet sniffer or IPS device is attached to the destination port .

Refer to the exhibit. Which statement is true about the local SPAN configuration on switch SW1? a) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1. b) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1, but only if port Fa3/1 is configured in VLAN 10. c) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1, but only if port Fa3/1 is configured as trunk. d) The SPAN session transmits to a device on port Fa3/21 only a copy of unicast traffic that is monitored on port Fa3/1. All multicast and BPDU frames will be excluded from the monitoring process.

True In 802.1X terminology the client workstation is known as the supplicant.

True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.

c) unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network A GET request is a message that is used by the NMS to query the device for data. A SET request is a message that is used by the NMS to change configuration variables in the agent device. An NMS periodically polls the SNMP agents residing on managed devices, by querying the device for data by using the GET request.

What are SNMP trap messages?

a) the switch that the client is connected to The devices involved in the 802.1X authentication process are as follows: The supplicant, which is the client that is requesting network access The authenticator, which is the switch that the client is connecting and that is actually controlling physical network access The authentication server, which performs the actual authentication

When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?

b) Enable trunking manually. c) Disable DTP. d) Set the native VLAN to an unused VLAN. Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.

What are three techniques for mitigating VLAN attacks? (Choose three.)

d) SNMP read-only community strings can be used to get information from an SNMP-enabled device. e) SNMP read-write community strings can be used to set information on an SNMP-enabled device. There are two types of SNMP community strings, read-only and read-write. The read-only community string allows the manager to get information from the agent and the read-write allows the manager to get or set information in the agent.

What are two characteristics of SNMP community strings? (Choose two.)

b) untrusted port d) trusted DHCP port DHCP snooping recognizes two types of ports on Cisco switches: Trusted DHCP ports - switch ports connecting to upstream DHCP servers Untrusted ports - switch ports connecting to hosts that should not be providing DHCP server messages

What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)

c) the client that is requesting authentication The devices involved in the 802.1X authentication process are as follows: The supplicant, which is the client that is requesting network access The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access The authentication server, which performs the actual authentication

What device is considered a supplicant during the 802.1X authentication process?

a) User accounts must be configured locally on each device, which is an unscalable authentication solution. The local database method of securing device access utilizes usernames and passwords that are configured locally on the router. This allows administrators to keep track of who logged in to the device and when. The passwords can also be encrypted in the configuration. However, the account information must be configured on each device where that account should have access, making this solution very difficult to scale.

What is a drawback of the local database method of securing device access that can be solved by using AAA with centralized servers?

c) software that is installed on devices managed by SNMP A management station is used by an administrator for monitoring. An MIB is a database of monitoring information. The Simple Network Management Protocol is the communications protocol that is used between the management station and the management agents. Management agents run the software that enables administrators to gather network performance data.

What is an SNMP management agent?

b) The switch will forward all received frames to all other ports. As a result of a CAM table attack, a switch can run out of memory resources to store MAC addresses. When this happens, no new MAC addresses can be added to the CAM table and the switch will forward all received frames to all other ports. This would allow an attacker to capture all traffic that is flooded by the switch.

What is the behavior of a switch as a result of a successful CAM table attack?

d) to store data about a device The Management Information Base (MIB) resides on a networking device and stores operational data about the device. The SNMP manager can collect information from SNMP agents. The SNMP agent provides access to the information.

What is the function of the MIB element as part of a network management system?

c) Enable port security

What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow?

a) DHCP starvation DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?

a) RADIUS Encapsulation of EAP data between the authenticator and the authentication server is performed using RADIUS.

What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?

a) accounting c) authorization d) authentication The authentication, authorization, and accounting (AAA) framework provides services to help secure access to network devices.

What three services are provided by the AAA framework? (Choose three.)

a) SNMPv2c Both SNMPv1 and SNMPv2c use a community-based form of security, and community strings are plaintext passwords. Plaintext passwords are not considered a strong security mechanism. Version 1 is a legacy solution and not often encountered in networks today.

Which SNMP version uses weak community string-based access control and supports bulk retrieval?

b) configuring the community string and access level When SNMPv2 is being configured, the configuration of the community string and access level is required. The other configuration steps, such as system contact, access to NMS hosts, specifying trap recipients, and enabling traps are all optional.

Which SNMPv2 configuration step is required?

b) global configuration mode All required and optional steps in configuring SNMP are completed using global configuration mode.

Which mode is used to configure SNMP?

b) 802.1x 802.1x is an IEEE standard that defines port-based access control. By authenticating each client that attempts to connect to the LAN, 802.1x provides protection from unauthorized clients.

Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports?

b) SNMP SNMP can be used to collect and store information such as device CPU utilization. Syslog is used to access and store system messages. Cisco developed NetFlow for the purpose of gathering statistics on packets that are flowing through Cisco routers and multilayer switches. NTP is used to allow network devices to synchronize time settings.

Which protocol or service can be configured to send unsolicited messages to alert the network administrator about a network event such as an extremely high CPU utilization on a router?

b) CDP CDP is a Cisco proprietary protocol that gathers information from other connected Cisco devices, and is enabled by default on Cisco devices. LLDP is an open standard protocol which provides the same service. It can be enabled on a Cisco router. HTTP and FTP are Application Layer protocols that do not collect information about network devices.

Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?

d) A set request is used by the NMS to change configuration variables in the agent device. An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data.

Which statement describes SNMP operation?

a) The RSPAN VLAN must be the same on both the source and destination switch. Remote SPAN (RSPAN) allows source and destination ports to be in different switches. RSPAN uses two sessions. One session is used as the source and one session is used to copy or receive the traffic from a VLAN. The traffic for each RSPAN session is carried over trunk links in a user-specified RSPAN VLAN that is dedicated (for that RSPAN session) in all participating switches.

Which statement describes the RSPAN VLAN?

b) It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device. To analyze network traffic passing through a switch, switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected. SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server.

Which statement describes the function of the SPAN tool used in a Cisco switch?

c) SPAN can be configured to send a copy of traffic to a destination port on the same switch. d) SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch. f) RSPAN can be used to forward traffic to reach an IPS that is analyzing traffic for malicious behavior. The Switched Port Analyzer (SPAN) feature on Cisco switches is a type of port mirroring that sends copies of the frame entering a source port (or VLAN), out another port on the same switch. Typically the destination port is attached with a packet sniffer or IPS device. Remote SPAN (RSPAN) allows source and destination ports to be in different switches.

Which three statements describe SPAN and RSPAN? (Choose three.)

d) TACACS+ e) RADIUS Server-based AAA authentication uses an external TACACS or RADIUS authentication server to maintain a username and password database. When a client establishes a connection with an AAA enabled device, the device authenticates the client by querying the authentication servers.

Which two protocols are used to provide server-based AAA authentication? (Choose two.)


Kaugnay na mga set ng pag-aaral

NUR101 EXAM 3: Assessment Objectives (Units 4 & 5, SL 5)

View Set

Excel GO! - Complete Study Guide 1-3, 5-6

View Set