sec150 Chapter 7 ALL
preprocessors
IPS pattern matching is almost impossible because of the different protocols and their intricacies. For example, matching a file pattern in SMTP traffic is not performed the same way as matching it when flowing through HTTP with compression enabled. For that reason, the Cisco NGIPS offers a variety of _____ that normalize traffic so that it can be matched against the defined Snort rules.
a private key
If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it? - DH - a private key - a digital certificate - a different public key
Making an online purchase
In what situation would an asymmetric algorithm most likely be used?
A TAXII server.
Which of the following can be deployed to generate, transport, and consume threat intelligence info?
They are relatively slow because they are based on difficult computational algorithms
Which statement describes asymmetric encryption algorithms?
- Generator - Prime modulus
Which two non-secret numbers are initially agreed upon when the Diffie-Hellman algorithm is used? (Choose two.)
Asymmetric
Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?
Auto NAT
You are tasked to configure NAT and translate the source address of an object regardless of the destination address. Which of the following NAT configuration features would you deploy to accomplish this task?
Balanced Security and Connectivity
You are tasked to deploy an intrusion policy designed to balance overall network performance with network infrastructure security. Which of the following base policies would you deploy in situations where you want to apply intrusion prevention?
Multiple context mode.
You were hired to deploy a Cisco ASA to provide separation of management and policies on a shared appliance. Which operational mode is best for this scenario?
The ____ MPF command configures security or QoS policies.
policy-map
IPS pattern matching is almost impossible because of the different protocols and their intricacies. For example, matching a file pattern in SMTP email traffic is not performed the same way as matching it when flowing through HTTP with compression enabled. For that reason, the Cisco NGIPS offers a variety of ___________ that normalize traffic so that it can be matched against the defined Snort rules.
preprocessors
nonrepudiation of the transaction
A customer purchases an item from an e-commerce site. The e-commerce site must maintain proof that the data exchange took place between the site and the customer. Which feature of digital signatures is required? - authenticity of digitally signed data - integrity of digitally signed data - nonrepudiation of the transaction - confidentiality of the public key
Implement CBC mode.
A network administrator is forced to use DES on aging equipment. What is one thing the administrator should do in this situation? Use ECC instead of parity. Increase the key length. Implement CBC mode. Increase the number of bits used for encryption.
When you add a Cisco FTD or Firepower device to FMC, what information is required?
A registration key
Symmetric
A shared secret is a key used in a _________ encryption algorithm.
Cisco ASA provides the Modular Policy Framework (MPF) to provide application security or perform Quality of Service (QoS) functions. The MPF offers a consistent and flexible way to configure the Cisco ASA application inspection and other features in a manner similar to that used for the Cisco IOS Software Modular QoS CLI. Which of the following are commands associated with the MPF?
ALL
In Cisco ASA deployments, an access control list (ACL) is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL is referred to as an access control entry (ACE). These ACEs classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?
ALL
Variables are used in multiple locations in Cisco Firepower NGIPS. IPS rules use preconfigured variables representing networks and ports. Which of the following are system default variables that are preconfigured in Cisco Firepower devices?
ALL
Which of the following are requirements for failover configurations?
ALL
The digital signatures
An online retailer needs a service to support the nonrepudiation of the transaction. Which component is used for this service?
Match the feature with the following description: Cisco Firepower NGIPS offers deep inspection and control of application-specific information for better efficacy.
Application visibility
Integrity
Authentication, _________________, and confidentiality are the three objectives of secure communications.
- class-map - policy-map - service-policy
Cisco ASA provides the Modular Policy Framework (MPF) to provide application security or perform Quality of Service (QoS) functions. The MPF offers a consistent and flexible way to configure the Cisco ASA application inspection and other features in a manner similar to that used for the Cisco IOS Software Modular QoS CLI. Which of the following are commands associated with the MPF? ALL of these
Which of the following Cisco firewalls is designed for very large enterprises and service providers?
Cisco Firepower 9300 appliances
Zone-based firewalls cannot be implemented in an SD-WAN solution.
Cisco IOS Zone-Based Firewall (ZBFW) can be deployed to provide firewall services in small and medium-sized organizations. Which of the following is NOT true about zone-based firewalls?
- Layer 2 protocol info such as EtherTypes. - Layer 3 header info such as source and destination IP addresses. - Layer 4 header info such as source and destination TCP or UDP ports.
In Cisco ASA deployments, an ACL is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL is referred to as an access control entry (ACE). These ACEs classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following? All of these
A network administrator connects to a Cisco router with SSH
In which situation is an asymmetric key algorithm used?
It authenticates a website and establishes a secure connection to exchange confidential data
What is the purpose of a digital certificate?
To ensure that the source of the communications is confirmed
What is the purpose of a nonrepudiation service in secure communications?
Integrity of source .EXE files
What is the purpose of code signing?
to generate a shared secret between two hosts that have not communicated before
What is the purpose of the DH algorithm? - to provide nonrepudiation support - to support email data confidentiality - to encrypt data traffic after a VPN is established - to generate a shared secret between two hosts that have not communicated before
to provide authentication
What is the reason for HMAC to use an additional secret key as input to the hash function? - to provide encryption - to provide authentication - to provide integrity verification - to prevent DoS attack
PKI
What is the service framework that is needed to support large-scale public key-based technologies? - HMAC - PKI - RSA
Shared secret
What type of encryption algorithm uses the same key to encrypt and decrypt data?
Cisco Firepower 9300 appliances.
Which of the following Cisco firewalls is designed for very large enterprises and service providers?
- The 2 participant devices must be configured in the same firewall mode (e.g., routed or transparent). - The 2 participant devices must be running the same software version. - You can configure different Cisco FTD devices in groups (or domain) in the Cisco FMC. Devices configured for failover must be in the same domain or group on the Cisco FMC.
Which of the following are requirements for failover configurations? ALL of these
After the master boots, it creates a logical interface and assigns an IP address to that interface to communicate to the other units in the cluster.
Which of the following is NOT a step in the Cisco FTD cluster unit transition?
The default security intelligence update frequency is 2 hours. In some scenarios, you may want to reduce this for more agile blacklisting.
Which of the following is a best practice for security intelligence updates?
- Both network analysis and intrusion policies are invoked by a parent access control policy, but at different times. - As the system analyzes traffic, the network analysis (decoding and preprocessing) phase occurs before and separately from the intrusion prevention (additional preprocessing and intrusion rules) phase. - The Cisco FTD has several similarly named network analysis and intrusion policies (e.g., Balanced Security and Connectivity).
Which of the following is true about Cisco Firepower Intrusion Policies? ALL of these
Threat Grid.
Which of the following sandboxing technologies provides a dynamic analysis that includes an external kernel monitor, dynamic disk analysis that illuminates any modifications to the physical disk (such as the master boot record), monitoring user interaction, video capture and playback, process information, artifacts, and network traffic?
- Inline sets and passive interfaces are only supported on physical interfaces and EtherChannels. - Inline sets cannot use redundant interfaces or VLANs. - Inline sets and passive interfaces are supported in intra-chassis and inter-chassis clustering.
Which of the following statements are true about the inline interface sets and passive interfaces in Cisco FTD deployments? ALL of these
Layer 3 firewalls support EtherType ACLs.
Which of the following statements is NOT true about firewalls deployed in Layer 3 (routed) mode?
Standard ACLs provide a way to group similar items together to reduce the number of ACEs.
Which of the following statements is NOT true about standard ACLs?
integrity
Which requirement of secure communications is ensured by the implementation of MD5 or SHA hash generating algorithms? - confidentiality - authentication - integrity - nonrepudiation
SEAL is a stream cipher
Which statement describes the Software-Optimized Encryption Algorithm (SEAL)?
A class 0 certificate is for testing purposes. A class 4 certificate is for online business transactions between companies.
Which two statements correctly describe certificate classes used in the PKI? (Choose two.) A class 0 certificate is for testing purposes. A class 0 certificate is more trusted than a class 1 certificate. The lower the class number, the more trusted the certificate. A class 5 certificate is for users with a focus on verification of email. A class 4 certificate is for online business transactions between companies.
man-in-the-middle
Which type of attack does the use of HMACs protect against? - DoS - DDoS - brute force - man-in-the-middle
One of the keys can be made public
Why is asymmetric algorithm key management simpler than symmetric algorithm key management?
3DES is more trusted because it has been proven secure for a longer period than AES
Why is the 3DES algorithm often preferred over the AES algorithm?
# access-list MY-LIST extended permit tcp 192.168.88.0 255.255.255.128 host 10.2.2.2 eq 25
You were asked to configure a Cisco ASA to permit SMTP traffic from hosts in 192.168.88.0/25 to an email server (10.2.2.2). Which of the following access control entries (ACEs) in an ACL will accomplish this task?
Cisco IOS Zone-Based Firewall (ZBFW) can be deployed to provide firewall services in small- and medium-sized organizations. Which of the following is not true about zone-based firewalls?
Zone-based firewalls cannot be implemented in an SD-WAN solution.
In ZBFW deployments, an interface can be assigned to _____ security zone(s).
one
A Cisco ASA device also can be implemented as a traditional Layer _____ firewall.
Layer 2 or 3
Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack
How do modern cryptographers defend against brute-force attacks?
56 bits
How many bits does the Data Encryption Standard (DES) use for data encryption?
In a multimode transparent firewall (MMTF), Cisco ASA acts in a similar fashion to how it performs in single mode, with two major exceptions
B. Packets are handled in different contexts. C. An interface cannot be shared between multiple contexts in this mode.
At which OSI Layer are ACE EtherTypes packets found?
Layer 3
3DES
Refer to the exhibit. Which encryption algorithm is described in the exhibit?
On an ISR G2, _____ is a Peripheral Component Interconnect Express (PCIe) internal interface, and on a UCS E-Series, _____ is a switched interface connected to the backplane Multi Gigabit Fabric (MGF).
Slot0, Slot1
A registration key
When you add a Cisco FTD or Firepower device to FMC, what info is required?
SHA-2
The SHA-224, SHA-256, SHA-384, and SHA-512 hash functions are known collectively as ________________ algorithms.
defend the castle
The following message was encrypted using a Caesar cipher with a key of 2: fghgpf vjg ecuvng. What is the plaintext message? - defend the region - invade the castle - defend the castle - invade the region
Match the feature with the following description: Cisco Firepower NGIPS provides protection against known and new threats.
Threat containment and remediation
AES
Which algorithm can ensure data confidentiality?
DH
Which encryption algorithm is an asymmetric algorithm?
IPsec protocol suite
Which encryption protocol provides network layer confidentiality?
Confidentiality
Which objective of secure communications is achieved by encrypting data?
- $FILE_DATA_PORTS - $HOME_NET - $HTTP_SERVERS
Variables are used in multiple locations in Cisco Firepower NGIPS. IPS rules use preconfigured variables representing networks and ports. Which of the following are system default variables that are preconfigured in Cisco Firepower devices? ALL of these
- certificate authority - digital certificates
What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.) - intrusion prevention system - certificate authority - digital certificates - pre-shared key generation - symmetric encryption algorithms
- 3DES - AES
What are two symmetric encryption algorithms? (Choose two.) - 3DES - MD5 - AES - HMAC - SHA
Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.
What is a difference between symmetric and asymmetric encryption algorithms? - Symmetric algorithms are typically hundreds to thousands of times slower than asymmetric algorithms. - Symmetric encryption algorithms are used to authenticate secure communications. Asymmetric encryption algorithms are used to repudiate messages. - Symmetric encryption algorithms are used to encrypt data. Asymmetric encryption algorithms are used to decrypt data. - Symmetric encryption algorithms use pre-shared keys. Asymmetric encryption algorithms use different keys to encrypt and decrypt data.
Breaking encrypted codes
What is the focus of cryptanalysis?
To secure the exchange of keys used to encrypt data
What is the most common use of the Diffie-Hellman algorithm in communications security?
The ____ MPF command classifies the traffic to be inspected.
class-map