Network Security Final


What are the two primary benefits of using NTP along with a syslog server? (Choose two)

- Correlation of syslog messages from multiple different devices
- Accurate accounting of when a syslog message occurred

When is traffic allowed to be routed and forwarded on an ASA if the source of the traffic is from a device located off of a low-security interface and if the destination device is located off of a high-security interface?

- If there is an access list that is permitting this traffic.
- This traffic is allowed if the initial traffic was inspected and this traffic is the return traffic.

Which of the following features does the Cisco ASA provide?

- Layer 2 transparent firewall implementation
- Simple packet filtering using standard or extended access lists
- Support for SSL remote-access VPN connections

Which of the following is an accurate description of the word outbound as it relates to an ASA? (Choose all that apply)

- Traffic from a device that is located on a low-security interface
- Traffic that is exiting any interface

Number the elements of the Secure Network Lifecycle in the proper order.

1. Initiation
2. Acquisition and development
3. Implementation
4. Operations and maintenance
5. Disposition
(Mnemonic: I asked dad if old men dance.)

Define the order in which you would create the following components when implementing a zone-based policy firewall.

1. class maps
2. policy maps
3. service policies
(Mnemonic: can people save)

Classify each of the following algorithms as A. Symmetric or B. Asymmetric: 3DES, RSA, Diffie-Hellman, AES, IDEA, Elliptical Curve

A - 3DES
B - RSA
B - Diffie-Hellman
A - AES
A - IDEA
B - Elliptical Curve

Consider the following ACL:

R1(config)#ip access-list extended Packet_Filter
R1(config-ext-nacl)#deny tcp 171.16.1.0 0.0.0.255 host 1.2.3.4 eq 23
R1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any
R1(config-ext-nacl)#permit tcp host 172.16.1.50 host 1.2.3.4
R1(config-ext-nacl)#int fa 0/1
R1(config-if)#ip access-group Packet_Filter in

Which of the following is true about packets entering Fa0/1?

A host at 172.16.2.50 cannot connect to a server at 1.2.3.4 using telnet

On a router, what must be configured before attempting to create parser views?

AAA

What are two ways to implement role-based access control related to the management plane?

AAA Services
Views

Which of the following are most likely to be used for authentication of a network administrator accessing the CLI of a Cisco router?

ACS
TACACS+

What VPN algorithms provide confidentiality?

AES
3DES

Which of the following tools could be used to configure or manage an ASA? (Choose all that apply)

ASDM
CSM
CLI

Which method of IPS uses a baseline of normal network behavior and looks for deviations from that baseline?

Anomaly-based IPS

Which SSL solution assigns a virtual IP address to the remote user to use for traffic sent over the SSL VPN to the server?

AnyConnect SSL VPN client

Which of the following benefits of the ASA might a basic stateful firewall not contain?

Application aware inspection of traffic

In a network with multiple branch offices and a central data center, what would be the best place to deploy a router-based IOS IPS solution?

At the Remote Branch Offices

Match each IPS/IDS MicroEngine type to its description.
Atomic
Service
String
A. Examines App-Layer Content
B. Flexible pattern matching over groups of packets.
C. Can only match on one packet at a time.

Atomic - C
Service - A
String - B

The microengine that can only match one packet at a time.

Atomic MicroEngine

On the router, what should be created and applied to a vty line to enforce a specific set of methods for identifying who a user is?

Authentication method list

Which of the following is most effective in preventing an STP attack?

BPDU guard

Which type of attack causes a switch to act like a hub, flooding all incoming frames to all of its interfaces?

CAM Overflow Attack

What tool enables you to centrally manage various models of security appliances and devices?

Cisco Security Manager (CSM)

Which three items are the primary network security objectives for a company?

Confidentiality
Integrity
Availability

Which of the following is not part of configuration of the AnyConnect SSL VPN when using ASDM?

Configuring bookmarks

If you add authentication to your routing protocol so that only trusted authorized routers share information, which plane in the NFP are you securing?

Control Plane

Which of the following algorithms uses asymmetrical keys to establish a symmetric key in IPSec phase 1?

DH

Which of the following are benefits of VPNs?

Data Integrity
Confidentiality

On a router implementing ZFW, if interface number 1 is in zone A and interface number 2 is in zone B and there are no policy or serviced commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces?

Denied

Select the options necessary in order for an IOS-based IPS signature to be compiled, but inactive.

Disabled
Unretired

How does an SSL client send the desired shared secret to the server?

Encrypts it with the server's public key

A Full AnyConnect SSL VPN Client requires Java to be configured on the client.

False

A clientless SSL VPN requires small applets to be installed on the clients.

False

SSL-based VPNs use symmetric algorithms for authentication and key exchange.

False

True/False: ACLs can be used to filter management traffic that is not passing through the router.

False

Match the IPS/IDS terms to their descriptions.
1. False Positive
2. True Negative
3. True Positive
4. False Negative
A. Non-malicious traffic on the network. Signature fired.
B. Non-malicious traffic on the network. No signature fired.
C. Malicious traffic on the network. Signature fired.
D. Malicious traffic on the network. No signature fired.

False Negative - Non-malicious traffic on the network. No signature fired.
True Negative - Malicious traffic on the network. No signature fired.
True Positive - Malicious traffic on the network. Signature fired.
False Positive - Non-malicious traffic on the network. Signature fired.

Which of the following might require NAT exemption to be configured in order to allow traffic to the VPN client?

Full Tunnel AnyConnect SSL VPN

Also known as Promiscuous Mode

IDS

Does not prevent malicious traffic from entering the network

IDS

No added latency

IDS

Unable to normalize traffic

IDS

Which of the following enable you to protect the data plane?

IOS Zone-Based Firewall
IPS
Access lists
Port security

Which devices can provide VPN termination for both remote-access and site-to-site VPNs?

IOS router
ASA

Adds network latency as packets are inspected.

IPS

Also known as Inline Mode.

IPS

Capable of normalizing traffic

IPS

Prevents malicious packets from entering the network.

IPS

Which device can analyze network traffic in real time, generate alerts, and even prevent the first malicious packet from entering the network?

IPS

Which Cisco tool provides protection against spam and enforces email encryption?

IronPort Security Appliances

When installing an IOS-based IPS, what is the purpose of the realm-cisco.pub file?

It is used to validate the signature that Cisco has placed on the signature package.

At what layer is the transparent firewall implemented?

Layer 2

The maximum length of time a business function can be discontinued without causing irreparable harm to the business

Maximum Tolerable Downtime (MTD)

Which of the following would not be part of the IKE Phase 1 process?

Negotiating the transform set to use

When used in an access policy, which component could identify multiple servers?

Object Groups

Where does the ASA keep the copy of the AnyConnect client that may be deployed down to the client?

On flash

Which firewall methodology requires the administrator to know and configure all the specific ports, IPs, and protocols required for the firewall?

Packet filtering

On a router using ZFW, what is the default policy between an administratively created zone and the self zone?

Permit

Which of the following elements, which are part of the Modular Policy Framework, is used to identify the actions that will be taken on traffic?

Policy maps

Which method of IPS requires custom signatures to be created by the administrator?

Policy-based IPS

What is the most effective mechanism for preventing CAM table overflow attacks?

Port security

TACACS+ or RADIUS: Combines many authentication and authorization functions

RADIUS

TACACS+ or RADIUS: Only encrypts the password. All other data passed in clear text.

RADIUS

TACACS+ or RADIUS: Uses UDP as the layer 4 protocol

RADIUS

Which of the following is used to encrypt data being sent over a VPN using asymmetric encryption?

Receiver's Public Key

The maximum tolerable period in which data might be lost from an IT service due to a major incident

Recovery Point Objective (RPO)

The duration of time that a service level within a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity

Recovery Time Objective (RTO)

Consider an ASA with three interfaces and the associated security levels:
inside 100
outside 0
DMZ 50
With this configuration, which traffic, by default, would be allowed to be routed through the firewall?

Reply traffic from the outside to the inside.

Which IOS-based IPS signature option results in the signature not being compiled and using less memory as a result?

Retired

This mechanism is used to simplify the management of IPS/IDS actions and reduce the amount of noise generated in the form of unnecessary alerts.

Risk Rating

Which hashing algorithm has larger digests and is therefore more secure and less likely to have problems with collisions?

SHA

Which cloud-based service could you use as an early-warning system for a threat that might be coming your way via the Internet?

SIO

Which protocol would you use to secure router management session traffic?

SSH

Which SSL solution is most appropriate for a remote user who is at a borrowed computer and needs access to a single server at the central office?

SSL clientless VPN

When implementing ZFW on a router, which zone is implied by default and does not need to be manually created?

Self

The microengine that examines App-Layer Content

Service MicroEngine

Which element of the ASA Modular Policy Framework is used to activate policy?

Service policy

Which protocols, if abused, could impair an IPv6 network, but not IPv4?

Solicited node multicast addresses
NDP (Neighbor Discovery Protocol)

On a router using ZFW, why is it that the return traffic from previously inspected sessions is allowed back to the user in spite of not having a zone pair explicitly configured that matches on return traffic?

Stateful entries (from the initial flow) are matched which dynamically allows return traffic.

Which firewall methodology remembers outgoing traffic and allows responses to that traffic?

Stateful packet filtering

Which of the following is considered to be one of the most important firewall technologies in use today?

Stateful packet filtering

The microengine that provides flexible pattern matching over groups of packets.

String MicroEngine

TACACS+ or RADIUS: All packets are encrypted between the ACS server and the router

TACACS+

TACACS+ or RADIUS: Separates AAA elements into distinct elements

TACACS+

TACACS+ or RADIUS: Supports granular command-by-command authorization

TACACS+

TACACS+ or RADIUS: Uses TCP as the layer 4 protocol

TACACS+

TACACS+ or RADIUS: Uses TCP port 49

TACACS+

What is a configuration difference between ACLs on the ASA and ACLs on a router IOS?

The ASA uses standard masks in ACL entries.

Which of the following statements most accurately describes how packets are encrypted in IPSec ESP when in tunnel mode?

The entire packet is encrypted and encapsulated in a new IP header.

What does "level 5" indicate in the following command?
Router(config)# enable secret level 5 0 NewPa5s123&

The password is for accessing privilege level 5.

Which of the following statements are true regarding PVLAN Edge (protected) ports?

Traffic is not forwarded between protected ports on the same switch.
Traffic between protected ports on the same switch must be forwarded through a layer 3 device.

The authentication process for SSL-based VPNs uses hashing technologies.

True

With the appropriate IOS software, routers can deploy a full AnyConnect SSL client VPN.

True

Which of the following would be needed in order to avoid users receiving an Untrusted Connection error when connecting to a Clientless SSL VPN?

Use a digital certificate signed by a certificate authority that the client's browser trusts

List the syslog severity levels in their proper order.

a. Emergencies
b. Alerts
c. Critical
d. Errors
e. Warnings
f. Notifications
g. Informational
h. Debugging
(Mnemonic: Do I Notice When Evenings Come Around Early)

Which of the following entries, when applied correctly, allows HTTPS source from a client at 172.16.1.5 on port 1025 and destined to a server at 10.2.3.4?

access-list 102 permit tcp 172.16.1.0 0.0.0.7 host 10.2.3.4 eq 443

When configuring AAA authentication on a router, what should be specified in the default method list in order to ensure that you can still log in when the AAA server is down?

enable local

What is required to allow CCP to communicate securely with the router?

ip http secure-server
ip http authentication local

What actions can be applied to a traffic class in the policy map of a zone-based policy firewall?

pass
inspect
drop

Which commands result in a secure bootset, also known as resilient configuration?

secure boot-config
secure boot-image

What show command can be used to determine if a firewall is running in transparent mode?

show firewall
