Modules 16 - 17: Building and Securing a Small Network Exam
Which statement is true about Cisco IOS ping indicators?
'U' may indicate that a router along the path did not contain a route to the destination address and that the ping was unsuccessful. The most common indicators of a ping issued from the Cisco IOS are "!", ".", and "U". The "!" indicates that the ping completed successfully, verifying connectivity at Layer 3. The "." may indicate that a connectivity problem, routing problem, or device security issue exists along the path and that an ICMP destination unreachable message was not provided. The "U" indicates that a router along the path may not have had a route to the destination address, and that it responded with an ICMP unreachable message.
Refer to the exhibit. An administrator is testing connectivity to a remote device with the IP address 10.1.1.1. What does the output of this command indicate?
A router along the path did not have a route to the destination. In the output of the ping command, an exclamation mark (!) indicates a response was successfully received, a period (.) indicates that the connection timed out while waiting for a reply, and the letter "U" indicates that a router along the path did not have a route to the destination and sent an ICMP destination unreachable message back to the source.
Identify the steps needed to configure a switch for SSH
Create a local user Generate RSA KEYS Configure a domain name Use the login local command Use the transport input SSH command
Which network service automatically assigns IP addresses to devices on the network?
DHCP Dynamic Host Configuration Protocol (DHCP) can be used to allow end devices to automatically configure IP information, such as their IP address, subnet mask, DNS server, and default gateway. The DNS service is used to provide domain name resolution, mapping hostnames to IP addresses. Telnet is a method for remotely accessing a CLI session of a switch or router. Traceroute is a command used to determine the path a packet takes as it traverses the network.
What is considered the most effective way to mitigate a worm attack?
Download security updates from the operating system vendor and patch all vulnerable systems. Because worms take advantage of vulnerabilities in the system itself, the most effective way to mitigate worm attacks is to download security updates from the operating system vendor and patch all vulnerable systems.
By following a structured troubleshooting approach, a network administrator identified a network issue after a conversation with the user. What is the next step that the administrator should take?
Establish a theory of probable causes. A structured network troubleshooting approach should include these steps in sequence: 1.Identify the problem. 2.Establish a theory of probable causes. 3.Test the theory to determine cause. 4.Establish a plan of action to resolve the issue. 5.Verify full system functionality and implement preventive measures. 6.Document findings, actions, and outcomes.
When configuring SSH on a router to implement secure network management, a network engineer has issued the login local and transport input ssh line vty commands. What three additional configuration actions have to be performed to complete the SSH configuration? (Choose three.)
Generate the asymmetric RSA keys. Configure the correct IP domain name. Create a valid local username and password database. SSH is automatically enabled after the RSA keys are generated. Setting user privilege levels and configuring role-based CLI access are good security practices but are not a requirement of implementing SSH.
Which method is used to send a ping message specifying the source address for the ping?
Issue the ping command without specifying a destination IP address. By issuing the ping command without a destination IP address in privileged EXEC mode, the Cisco IOS enters extended ping mode. This allows the user to implement extended commands which include source IP address.
A network technician issues the C:\> tracert -6 www.cisco.com command on a Windows PC. What is the purpose of the -6 command option?
It forces the trace to use IPv6.
An administrator decides to use "12345678!" as the password on a newly installed router. Which statement applies to the password choice?
It is weak because it uses a series of numbers or letters.
A user is redesigning a network for a small company and wants to ensure security at a reasonable price. The user deploys a new application-aware firewall with intrusion detection capabilities on the ISP connection. The user installs a second firewall to separate the company network from the public network. Additionally, the user installs an IPS on the internal network of the company. What approach is the user implementing?
LAYERED Using different defenses at various points of the network creates a layered approach.
A user reports a lack of network connectivity. The technician takes control of the user machine and attempts to ping other computers on the network and these pings fail. The technician pings the default gateway and that also fails. What can be determined for sure by the results of these tests?
Nothing can be determined for sure at this point.. In networks today, a failed ping could mean that the other devices on the network are blocking pings. Further investigation such as checking network connectivity from other devices on the same network is warranted.
packet filtering
Prevents or allows access based on IP or MAC addresses of the source and destination
Stateful packet inspection
Prevents or allows access based on whether the traffic is in response to requests from internal hosts
application filtering
Prevents or allows access by specific application types based on port numbers used in the request
URL filtering
Prevents or allows access to websites based on specific URLs or keywords.
A technician is to document the current configurations of all network devices in a college, including those in off-site buildings. Which protocol would be best to use to securely access the network devices?
SSH Explanation: Telnet sends passwords and other information in clear text, while SSH encrypts its data. FTP and HTTP do not provide remote device access for configuration purposes.
A ping fails when performed from router R1 to directly connected router R2. The network administrator then proceeds to issue the show cdp neighbors command. Why would the network administrator issue this command if the ping failed between the two routers?
The network administrator wants to verify Layer 2 connectivity. The show cdp neighbors command can be used to prove that Layer 1 and Layer 2 connectivity exists between two Cisco devices. For example, if two devices have duplicate IP addresses, a ping between the devices will fail, but the output of show cdp neighbors will be successful. The show cdp neighbors detail could be used to verify the IP address of the directly connected device in case the same IP address is assigned to the two routers.
Which statement describes the ping and tracert commands?
Tracert shows each hop, while ping shows a destination reply only. The ping utility tests end-to-end connectivity between the two hosts. However, if the message does not reach the destination, there is no way to determine where the problem is located. On the other hand, the traceroute utility (tracert in Windows) traces the route a message takes from its source to the destination. Traceroute displays each hop along the way and the time it takes for the message to get to that network and back.
What is the difference between a virus and a worm?
Worms self-replicate but viruses do not. Viruses requiring the help of a host and worms acting independently. Worms are able to self-replicate and exploit vulnerabilities on computer networks without user participation.
technological weakness
a network engineer is examining the operating system of a network device for vulnerabilities
On which two interfaces or ports can security be improved by configuring executive timeouts? (Choose two.)
console ports vty ports Executive timeouts allow the Cisco device to automatically disconnect users after they have been idle for the specified time. Console, vty, and aux ports can be configured with executive timeouts.
A student wants to save a router configuration to NVRAM. What is the best command to use to accomplish the task?
copy running-config startup-config
What is an accurate description of redundancy?
designing a network to use multiple paths between switches to ensure there is no single point of failure Explanation: Redundancy attempts to remove any single point of failure in a network by using multiple physically cabled paths between switches in the network.
What is the role of an IPS?
detecting and blocking of attacks in real time An intrusion prevention system (IPS) provides real-time detection and blocking of attacks.
When applied to a router, which command would help mitigate brute-force password attacks against the router?
login block-for 60 attempts 5 within 60 The login block-for command sets a limit on the maximum number of failed login attempts allowed within a defined period of time. If this limit is exceeded, no further logins are allowed for the specified period of time. This helps to mitigate brute-force password cracking since it will significantly increase the amount of time required to crack a password. The exec-timeout command specifies how long the session can be idle before the user is disconnected. The service password-encryption command encrypts the passwords in the running configuration. The banner motd command displays a message to users who are logging in to the device.
What feature of SSH makes it more secure than Telnet for a device management connection?
login information and data encryption Secure Shell (SSH) is a protocol that provides a secure management connection to a remote device. SSH provides security by providing encryption for both authentication (username and password) and the transmitted data. Telnet is a protocol that uses unsecure plaintext transmission. SSH is assigned to TCP port 22 by default. Although this port can be changed in the SSH server configuration, the port is not dynamically changed. SSH does not use IPsec.
Which example of malicious code would be classified as a Trojan horse?
malware that was written to look like a video game A Trojan horse is malicious code that has been written specifically to look like a legitimate program. This is in contrast to a virus, which simply attaches itself to an actual legitimate program. Viruses require manual intervention from a user to spread from one system to another, while a worm is able to spread automatically between systems by exploiting vulnerabilities on those devices.
Users are complaining that they are unable to browse certain websites on the Internet. An administrator can successfully ping a web server via its IP address, but cannot browse to the domain name of the website. Which troubleshooting tool would be most useful in determining where the problem is?
nslookup The nslookup command can be used to look up information about a particular DNS name in the DNS server. The information includes the IP address of the DNS server being used as well as the IP address associated with the specified DNS name. This command can help verify the DNS that is used and if the domain name to IP address resolution works.
Which command can an administrator execute to determine what interface a router will use to reach remote networks?
show ip route The show ip route command is used to display the IP routing table of the router. The IP routing table will show a list of known local and remote networks and the interfaces that the router will use to reach those networks.
Which firewall feature is used to ensure that packets coming into a network are legitimate responses to requests initiated from internal hosts?
stateful packet inspection Stateful packet inspection on a firewall checks that incoming packets are actually legitimate responses to requests originating from hosts inside the network. Packet filtering can be used to permit or deny access to resources based on IP or MAC address. Application filtering can permit or deny access based on port number. URL filtering is used to permit or deny access based on URL or on keywords.
Which command can an administrator issue on a Cisco router to send debug messages to the vty lines?
terminal monitor Debug messages, like other IOS log messages, are sent to the console line by default. Sending these messages to the terminal lines requires the terminal monitor command.
Which command should be used on a Cisco router or switch to allow log messages to be displayed on remotely connected sessions using Telnet or SSH?
terminal monitor Explanation: The terminal monitor command is very important to use when log messages appear. Log messages appear by default when a user is directly consoled into a Cisco device, but require the terminal monitor command to be entered when a user is accessing a network device remotely.
security policy weakness
the network administrator did not fully consider the implications of unauthorized users accessing the network
What is the purpose of a small company using a protocol analyzer utility to capture network traffic on the network segments where the company is considering a network upgrade?
to document and analyze network traffic requirements on each network segment An important prerequisite for considering network growth is to understand the type and amount of traffic that is crossing the network as well as the current traffic flow. By using a protocol analyzer in each network segment, the network administrator can document and analyze the network traffic pattern for each segment, which becomes the base in determining the needs and means of the network growth.
Why would a network administrator use the tracert utility?
to identify where a packet was lost or delayed on a network The tracert utility is used to identify the path a packet takes from source to destination. Tracert is commonly used when packets are dropped or not reaching a specific destination.
**AUTHENTIC** What is the purpose of the network security authentication function?
to require users to prove who they are Authentication, authorization, and accounting are network services collectively known as AAA. Authentication requires users to prove who they are. Authorization determines which resources the user can access. Accounting keeps track of the actions of the user.
Which command has to be configured on the router to complete the SSH configuration?
transport input ssh The missing command to complete the SSH configuration is transport input ssh in line vty 0 4 mode. The commands service password-encryption and enable secret class do configure secure features on the router, but are not required to configure SSH. The command ip domain-name cisco.com is not required because the command ip domain-name span.com has been used.
A network administrator is upgrading a small business network to give high priority to real-time applications traffic. What two types of network services is the network administrator trying to accommodate? (Choose two.)
voice video Streaming media, such as video, and voice traffic, are both examples of real-time traffic. Real-time traffic needs higher priority through the network than other types of traffic because it is very sensitive to network delay and latency.
configuration weakness
when implementing an access list on a router, a network engineer did not filter a type of malicious traffic
