netauth4

Role-based Root view has level ____ privileges but can configure or modify views.

15

Application gateway firewalls (proxy firewall) filter information at what layers?

Layer 3, 4, 5, 7

What are two characteristics of a stateful firewall? (Choose two.) uses static packet filtering techniques uses connection information maintained in a state table analyzes traffic at Layers 3, 4 and 5 of the OSI model uses complex ACLs which can be difficult to configure prevents Layer 7 attacks

uses connection information maintained in a state table analyzes traffic at Layers 3, 4 and 5 of the OSI model

Add views to a superview using the ______ command

view view-name

Role-based CLI creates different ____ of router configurations for different users

views

To enter root view, use the __________ command and the _________ password.

1. Enable root view 2. Enable Secret

Use the ______command to assign a privilege level to a specific user or use the _____ command to assign a privilege level to a specific EXEC mode password.

1. username 2. enable secret

A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255 . Which two IP addresses will match this ACL statement? (Choose two.) 172.16.0.255 172.16.15.36 172.16.16.12 172.16.31.24 172.16.65.21

172.16.0.255 172.16.15.36

Which two UDP port numbers may be used for server-based AAA RADIUS authentication? (Choose two.) 1812 1645 1813 1646 49

1812 1645

Packet filtering (stateless) firewalls provide Layer 3 and sometimes Layer ___ filtering.

4

To assign a command to a privilege level, use the command _____.

privilege exec level level [command]

What is a requirement to use the Secure Copy Protocol feature? At least one user with privilege level 1 has to be configured for local authentication. A command must be issued to enable the SCP server side functionality. A transfer can only originate from SCP clients that are routers. The Telnet protocol has to be configured on the SCP server side.

A command must be issued to enable the SCP server side functionality.

When implementing components into an enterprise network, what is the purpose of a firewall? A firewall is a system that inspects network traffic and makes forwarding decisions based solely on Layer 2 Ethernet MAC addresses. A firewall is a system that is designed to secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices. A firewall is a system that stores vast quantities of sensitive and business-critical information. A firewall is a system that enforces an access control policy between internal corporate networks and external networks.

A firewall is a system that enforces an access control policy between internal corporate networks and external networks.

What are two possible limitations of using a firewall in a network? (Choose two.) It provides accessibility of applications and sensitive resources to external untrusted users. It increases security management complexity by requiring off-loading network access control to the device. A misconfigured firewall can create a single point of failure. Network performance can slow down. It cannot sanitize protocol flows.

A misconfigured firewall can create a single point of failure. Network performance can slow down.

What are two differences between stateful and stateless firewalls? (Choose two.) A stateless firewall is able to filter sessions that use dynamic port negotiations while a stateful firewall cannot. A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection. A stateless firewall will provide more logging information than a stateful firewall. A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets. A stateless firewall provides more stringent control over security than a stateful firewall.

A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection. A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.

What is the result in the self zone if a router is the source or destination of traffic? No traffic is permitted. All traffic is permitted. Only traffic that originates in the router is permitted. Only traffic that is destined for the router is permitted.

All traffic is permitted.

Which three statements describe ACL processing of packets? (Choose three.) An implicit deny any rejects any packet that does not match any ACE. A packet can either be rejected or forwarded as directed by the ACE that is matched. A packet that has been denied by one ACE can be permitted by a subsequent ACE. A packet that does not match the conditions of any ACE will be forwarded by default. Each statement is checked only until a match is detected or until the end of the ACE list. Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made.

An implicit deny any rejects any packet that does not match any ACE. A packet can either be rejected or forwarded as directed by the ACE that is matched. Each statement is checked only until a match is detected or until the end of the ACE list.

What is the biggest issue with local implementation of AAA? Local implementation supports only TACACS+ servers. Local implementation cannot provide secure authentication. Local implementation does not scale well. Local implementation supports only RADIUS servers.

Local implementation does not scale well.

T/F Views cant contain the same commands and there is command hierarchy

False. Views can contain the same commands and there is no command hierarchy

Which two characteristics are shared by both standard and extended ACLs? (Choose two.) Both kinds of ACLs can filter based on protocol type. Both can permit or deny specific services by port number. Both include an implicit deny as a final statement. Both filter packets for a specific destination host IP address. Both can be created by using either a descriptive name or number.

Both include an implicit deny as a final statement. Both can be created by using either a descriptive name or number.

What are three characteristics of superviews in the Cisco role-based CLI access feature? (Choose three.) A user uses the command enable view superview-name to enter a superview. A user uses a superview to configure commands inside associated CLI views. Commands cannot be configured for a superview. Level 15 privilege access is used to configure a new superview. Deleting a superview does not delete the associated CLI views. A single CLI view can be shared within multiple superviews.

Commands cannot be configured for a superview. Deleting a superview does not delete the associated CLI views. A single CLI view can be shared within multiple superviews.

Which task is necessary to encrypt the transfer of data between the ACS server and the AAA-enabled router? Configure the key exactly the same way on the server and the router. Specify the single-connection keyword. Create a VPN tunnel between the server and the router. Use identical reserved ports on the server and the router.

Configure the key exactly the same way on the server and the router.

What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI? Define traffic classes. Assign router interfaces to zones. Define firewall policies. Assign policy maps to zone pairs. Create zones.

Create zones.

Networks that require public access to services will often include a ______ that the public can access, while strictly blocking access to the inside network.

DMZ

What are two characteristics of ACLs? (Choose two.) Extended ACLs can filter on destination TCP and UDP ports. Standard ACLs can filter on source TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses. Standard ACLs can filter on source and destination IP addresses. Standard ACLs can filter on source and destination TCP and UDP ports.

Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses.

T/F AAA authorization can be used to limit the access of users but not groups of users to only the network resources that they need to access

False. AAA authorization can be used to limit the access of users or groups of users to only the network resources that they need to access

T/F Local AAA authentication should be configured for bigger networks. Server-based AAA should be used for smaller networks

False. Local AAA authentication should be configured for smaller networks. Server-based AAA should be used for larger networks Local AAA authentication should be configured for smaller networks. Server-based AAA should be used for larger networks

T/F The lower the privilege level the more router access the user has

False. The higher level the more privlege.

Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.) If neither interface is a zone member, then the action is to pass traffic. If one interface is a zone member, but the other is not, all traffic will be passed. If both interfaces belong to the same zone-pair and a policy exists, all traffic will be passed. If both interfaces are members of the same zone, all traffic will be passed. If one interface is a zone member and a zone-pair exists, all traffic will be passed.

If neither interface is a zone member, then the action is to pass traffic. If both interfaces are members of the same zone, all traffic will be passed.

What are two characteristics of the Cisco IOS Resilient Configuration feature? (Choose two.) It maintains a mirror image of the configuration file in RAM. It sends a backup copy of the IOS image to a TFTP server. It saves a secure copy of the primary image and device configuration that cannot be removed by a user. It minimizes the downtime of a device that has had the image and configuration deleted. It is a universal feature that can be activated on all Cisco devices.

It saves a secure copy of the primary image and device configuration that cannot be removed by a user. It minimizes the downtime of a device that has had the image and configuration deleted.

A ________ _______ approach uses firewalls and other security measures to provide security at different functional layers of the network

Layered Security

What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication? The login local command requires the administrator to manually configure the usernames and passwords, but local AAA authentication does not. Local AAA authentication allows more than one user account to be configured, but login local does not. Local AAA authentication provides a way to configure backup methods of authentication, but login local does not. The login local command uses local usernames and passwords stored on the router, but local AAA authentication does not.

Local AAA authentication provides a way to configure backup methods of authentication, but login local does not.

What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.) Removal of the ACEs is the only step required. Modify the number of the ACL so that it doesn't match the ACL associated with the interface. Copy the ACL into a text editor, add no before each ACE, then copy the ACL back into the router. Remove the inbound/outbound reference to the ACL from the interface. Use the no access-list command to remove the entire ACL. Use the no keyword and the sequence number of every ACE within the named ACL to be removed.

Remove the inbound/outbound reference to the ACL from the interface. Use the no access-list command to remove the entire ACL.

A student is learning role-based CLI access and CLI view configurations. The student opens Packet Tracer and adds a router. Which command should be used first for creating a CLI view named TECH-View? Router# enable view Router(config)# aaa new-model Router# enable view TECH-view Router(config)# parser view TECH-view

Router(config)# aaa new-model

T/F There are four basic steps to configuring AAA server-based authentication: (1) globally enabled AAA on the device; (2) specify the AAA server IP address and protocol; (3) specify the matching encryption key that will be used by the network device and AAA server; and (4) specify the AAA server or servers in the method lists

T

Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.) ZPF must be enabled in the router configuration before enabling an IOS Classic Firewall. The IOS Classic Firewall and ZPF cannot be combined on a single interface. IOS Classic Firewalls and ZPF models can be enabled on a router concurrently. Both IOS Classic Firewall and ZPF models require ACLs to define traffic filtering policies. IOS Classic Firewalls must be enabled in the router configuration before enabling ZPF.

The IOS Classic Firewall and ZPF cannot be combined on a single interface. IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.

Which statement describes Cisco IOS Zone-Based Policy Firewall operation? The pass action works in only one direction. Router management interfaces must be manually assigned to the self zone. A router interface can belong to multiple zones. Service policies are applied in interface configuration mode.

The pass action works in only one direction.

What two statements describe characteristics of IPv6 access control lists? (Choose two.) They permit ICMPv6 router advertisements by default. They can be named or numbered. They include two implicit permit statements by default. They are applied to an interface with the ip access-group command . They use prefix lengths to indicate how much of an address to match.

They include two implicit permit statements by default. They use prefix lengths to indicate how much of an address to match.

When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone? Traffic between interfaces in the same zone is selectively forwarded based on Layer 3 information. Traffic between interfaces in the same zone is not subject to any policy and passes freely. Traffic between interfaces in the same zone is blocked. Traffic between interfaces in the same zone is selectively forwarded based on the default policy restrictions.

Traffic between interfaces in the same zone is not subject to any policy and passes freely.

How does a firewall handle traffic when it is originating from the public network and traveling to the private network? Traffic that is originating from the public network is not inspected when traveling to the private network. Traffic that is originating from the public network is usually blocked when traveling to the private network. Traffic that is originating from the public network is usually permitted with little or no restrictions when traveling to the private network. Traffic that is originating from the public network is selectively permitted when traveling to the private network.

Traffic that is originating from the public network is usually blocked when traveling to the private network.

Which statement describes a typical security policy for a DMZ firewall configuration? Traffic that originates from the DMZ interface is selectively permitted to the outside interface. Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface. Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface. Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface. Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with few or no restrictions.

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

T/F A superview allows a network administrator to combine multiple views together.

True

T/F AAA accounting records user actions including when the user accessed the network ordevice, the length of time for the session, and the resources or functions that wereaccessed by the user.

True

T/F AAA authentication provides a means by which users can be authenticated against a centralized database of users

True

T/F Because privilege levels has limitations we should use the Cisco role-based CLI access feature.

True

T/F IOS software supports two infrastructure access methods: privilege level and role-based CLI.

True

T/F Next-generation firewalls provide additional services beyond application gateways, such as integrated intrusion prevention, application awareness, and techniques to address evolving security threats.

True

By default there is User EXEC mode and Privileged EXEC mode what are there privilege levels?

User EXEC 1 Privileged EXEC 15

____ use the concept of zones to provide additional flexibility.

ZPFs (Zone based policy firewalls)

The type of accounting is configured with the aaa accounting command. The type of accounting is configured with the ___________ command.

aaa accounting

The type of authorization is configured with the _______ command.

aaa authorization

To create a view, AAA must be enabled using the ________ command.

aaa new-model

Which two pieces of information are required when creating a standard access control list? (Choose two.) access list number between 1 and 99 source address and wildcard mask destination address and wildcard mask subnet mask and wildcard mask access list number between 100 and 199

access list number between 1 and 99 source address and wildcard mask

Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients? stateful firewall stateless firewall packet filtering firewall application gateway firewall

application gateway firewall

A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.) area 0 authentication message-digest ip ospf message-digest-key 1 md5 1A2b3C username OSPF password 1A2b3C enable password 1A2b3C area 1 authentication message-digest

area 0 authentication message-digest ip ospf message-digest-key 1 md5 1A2b3C

Which AAA component can be established using token cards? accessibility accounting auditing authentication authorization

authentication

Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this? accessibility accounting auditing authentication authorization

authorization

What is one benefit of using a stateful firewall instead of a proxy server? ability to perform user authentication better performance ability to perform packet filtering prevention of Layer 7 attacks

better performance

Assign commands to the view using the ___________ command.

commands parser-mode

Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.) IP addresses of interfaces content of a security banner enable secret password services to disable enable password interfaces to enable

content of a security banner enable secret password enable password

Which syslog message type is accessible only to an administrator and only via the Cisco CLI? errors alerts debugging emergency

debugging

A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.) permit tcp any host 2001:db8:48:1c::50 eq 80 deny tcp host 2001:db8:48:1c::50 any eq 80 deny tcp any host 2001:db8:48:1c::50 eq 80 permit ipv6 any any deny ipv6 any any ip access-group WebFilter in ipv6 traffic-filter WebFilter in

deny tcp any host 2001:db8:48:1c::50 eq 80 permit ipv6 any any ipv6 traffic-filter WebFilter in

Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices? determine the zones design the physical infrastructure establish policies between zones identify subsets within zones and merge traffic requirements

design the physical infrastructure

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface? echo request echo reply time-stamp request time-stamp reply router advertisement

echo reply

A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.) TCP port 40 encryption for all communication single process for authentication and authorization UDP port 1645 encryption for only the password of a user separate processes for authentication and authorization

encryption for all communication separate processes for authentication and authorization

What are two characteristics of the RADIUS protocol? (Choose two.) encryption of the entire body of the packet encryption of the password only the use of UDP ports for authentication and accounting the separation of the authentication and authorization processes the use of TCP port 49

encryption of the password only the use of UDP ports for authentication and accounting

Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.) most host all any some gt

host any

Which privilege level is predefined for the privileged EXEC mode? level 0 level 1 level 15 level 16

level 15

What IOS privilege levels are available to assign for custom user-level privileges? levels 1 through 15 levels 0, 1, and 15 levels 2 through 14 levels 0 and 1

levels 2 through 14

What is the primary function of the aaa authorization command? permit AAA server access to AAA client services limit authenticated user access to AAA client services permit authenticated user access to AAA client services limit AAA server access to AAA client services

limit authenticated user access to AAA client services

Which authentication method stores usernames and passwords in the router and is ideal for small networks? server-based AAA over TACACS+ local AAA over RADIUS server-based AAA local AAA over TACACS+ local AAA server-based AAA over RADIUS

local AAA

A network administrator is analyzing the features supported by the multiple versions of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.) message encryption community-based security SNMP trap mechanism message source validation bulk retrieval of MIB information

message encryption message source validation

What is one limitation of a stateful firewall? weak user authentication cannot filter unnecessary traffic not as effective with UDP- or ICMP-based traffic poor log information

not as effective with UDP- or ICMP-based traffic

Some firewall designs are as simple as designating an _______network and _______network which are determined by two interfaces on a firewall.

outside and inside

Create a view using the ____________ global config mode command

parser view view-name

When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.) pass shape reroute queue inspect drop

pass inspect drop

If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice? permit ip any any permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap permit tcp 172.16.0.0 0.0.3.255 any established permit udp any any range 10000 20000 deny udp any host 172.16.1.5 eq snmptrap deny tcp any any eq telnet

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap (most specific ACE is placed highest)

Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.) private IP addresses any IP address that starts with the number 127 any IP address that starts with the number 1 NAT translated IP addresses public IP addresses

private IP addresses any IP address that starts with the number 127

An administrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account? privilege exec level 15 privilege exec level 0 privilege exec level 1 privilege exec level 2

privilege exec level 2

A stateful inspection firewall allows or blocks traffic based on state, port, and ______.

protocol

When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device? remark description established eq

remark

Which command will move the show access-lists command to privilege level 14? router(config)# privilege level 14 command show access-lists router(config)# privilege exec level 14 show access-lists router(config)# set privilege level 14 show access-lists router(config)# show access-lists privilege level 14

router(config)# privilege exec level 14 show access-lists

Assign the view a password using the _______ command.

secret password

When using Cisco IOS zone-based policy firewall, where is the inspection policy applied? to a global service policy to a zone to an interface to a zone pair

to a zone pair

In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns ? to allow forwarding of ICMPv6 packets to allow automatic address configuration to allow IPv6 to MAC address resolution to allow forwarding of IPv6 multicast packets

to allow IPv6 to MAC address resolution

A student is learning about role-based views and role-based view configurations. The student enters the Router(config)# parser view TECH-view command. What is the purpose of this command? to create a CLI view named TECH-view to enter the superview named TECH-view to check the current setup of the CLI view named TECH-view to enter the CLI view named TECH-view

to create a CLI view named TECH-view