Network Auth test 2 :(


What are two characteristics of an IPS operating in promiscuous mode? (Choose two.) It can stop malicious traffic from reaching the intended target for all types of attacks. It sits directly in the path of the traffic flow. It requires the assistance of another network device to respond to an attack. It does not impact the flow of packets in forwarded traffic. It sends alerts and drops any malicious packets.

It requires the assistance of another network device to respond to an attack. It does not impact the flow of packets in forwarded traffic.

What is a minimum system requirement to activate Snort IPS functionality on a Cisco router? at least 4 GB RAM; at least 4 GB flash; ISR 2900 or higher; K9 license

K9 license

At which layer of the OSI model does Spanning Tree Protocol operate? Layer 1; Layer 2; Layer 3; Layer 4

Layer 2

What is the result of a DHCP starvation attack? Legitimate clients are unable to lease IP addresses. Clients receive IP address assignments from a rogue DHCP server. The attacker provides incorrect DNS and default gateway information to clients. The IP addresses assigned to legitimate clients are hijacked.

Legitimate clients are unable to lease IP addresses.

Which algorithm can ensure data integrity? RSA; AES; MD5; PKI

MD5

What technology has a function of using trusted third-party protocols to issue credentials that are accepted as an authoritative identity? digital signatures; hashing algorithms; PKI certificates; symmetric keys

PKI certificates

Two devices that are connected to the same switch need to be totally isolated from one another. Which Cisco switch security feature will provide this isolation? PVLAN Edge; DTP; SPAN; BPDU guard

PVLAN Edge

____ ignores the packet. Pass; Drop; Reject; Sdrop

Pass

What is an example of the one-time pad cipher? RC4; rail fence; Caesar; Vigenère

RC4

____ blocks and logs the packet and sends a TCP reset or ICMP port unreachable message. Pass; Drop; Reject; Sdrop

Reject

Which protocol should be used to mitigate the vulnerability of using Telnet to remotely manage network devices? SNMP; TFTP; SSH; SCP

SSH

_____ blocks but does not log the packet. Pass; Drop; Reject; Sdrop

Sdrop

Which tool can perform real-time traffic and port analysis, and can also detect port scans, fingerprinting and buffer overflow attacks? SIEM; Nmap; Snort; Netflow

Snort

Which Snort IPS feature enables a router to download rule sets directly from cisco.com or snort.org? Snort rule set pull; Signature allowed listing; Snort rule set push; Snort rule set updates

Snort rule set pull

What are two properties of a cryptographic hash function? (Choose two.) Complex inputs will produce complex hashes. Hash functions can be duplicated for authentication purposes. The hash function is one way and irreversible. The input for a particular hash algorithm has to have a fixed size. The output is a fixed length.

The hash function is one way and irreversible. The output is a fixed length.

What is the behavior of a switch as a result of a successful CAM table attack? The switch will drop all received frames. The switch interfaces will transition to the error-disabled state. The switch will forward all received frames to all other ports. The switch will shut down.

The switch will forward all received frames to all other ports.

Two users must authenticate each other using digital certificates and a CA. Which option describes the CA authentication procedure? The users must obtain the certificate of the CA and then their own certificate. The CA is always required, even after user verification is complete. CA certificates are retrieved out-of-band using the PSTN, and the authentication is done in-band over a network. After user verification is complete, the CA is no longer required, even if one of the involved certificates expires.

The users must obtain the certificate of the CA and then their own certificate.

Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices? These devices are not managed by the corporate IT department. These devices pose no risk to security as they are not directly connected to the corporate network. These devices connect to the corporate network through public wireless networks. These devices are more varied in type and are portable.

These devices are more varied in type and are portable.

Which statement describes asymmetric encryption algorithms? They have key lengths ranging from 80 to 256 bits. They include DES, 3DES, and AES. They are also called shared-secret key algorithms. They are relatively slow because they are based on difficult computational algorithms.

They are relatively slow because they are based on difficult computational algorithms.

What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? VLAN hopping; DHCP spoofing; ARP poisoning; ARP spoofing

VLAN hopping

What is a network tap? a Cisco technology that provides statistics on packets flowing through a router or multilayer switch; a technology used to provide real-time reporting and long-term analysis of security events; a feature supported on Cisco switches that enables the switch to copy frames and forward them to an analysis device; a passive device that forwards all traffic and physical layer errors to an analysis device

a passive device that forwards all traffic and physical layer errors to an analysis device

Which two items are used in asymmetric encryption? (Choose two.) a token; a TPM; a private key; a DES key; a public key

a private key; a public key

What is PulledPork? an open source network IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks; a centralized management tool to push the rule sets based on preconfigured policy, to Cisco routers; a virtual service container that runs on the Cisco ISR router operating system; a rule management application that can be used to automatically download Snort rule updates

a rule management application that can be used to automatically download Snort rule updates

Which command is used as part of the 802.1X configuration to designate the authentication method that will be used? dot1x system-auth-control; aaa authentication dot1x; aaa new-model; dot1x pae authenticator

aaa authentication dot1x

What is contained in an OVA file? a current compilation of known threats and prevention mechanisms; an installable version of a virtual machine; a list of atomic and composite signatures; a set of rules for an IDS or IPS to detect intrusion activity

an installable version of a virtual machine

Which term describes the role of a Cisco switch in the 802.1X port-based access control? agent; supplicant; authenticator; authentication server

authenticator

What is provided by the fail open and close functionality of Snort IPS? provides the ability to automatically disable problematic signatures that routinely cause false positives and pass traffic; blocks the traffic flow or bypasses IPS checking in the event of an IPS engine failure; keeps Snort current with the latest threat protection and term-based subscriptions; keeps track of the health of the Snort engine that is running in the service container

blocks the traffic flow or bypasses IPS checking in the event of an IPS engine failure

What are two characteristics of both IPS and IDS sensors? (Choose two.) neither introduce latency or jitter; both use signatures to detect patterns; both are deployed inline in the data stream; both can stop trigger packets; both can detect atomic patterns

both use signatures to detect patterns; both can detect atomic patterns

How can DHCP spoofing attacks be mitigated? by disabling DTP negotiations on nontrunking ports; by implementing port security; by the application of the ip verify source command to untrusted ports; by implementing DHCP snooping on trusted ports

by implementing DHCP snooping on trusted ports

As data is being stored on a local hard disk, which method would secure the data from unauthorized access? a duplicate hard drive copy; deletion of sensitive files; two factor authentication; data encryption

data encryption

The following message was encrypted using a Caesar cipher with a key of 2: "fghgpf vjg ecuvng". What is the plaintext message? invade the castle; defend the castle; defend the region; invade the region

defend the castle

What are two actions that an IPS can perform whenever a signature detects the activity for which it is configured? (Choose two.) disable the link; reconverge the network; drop or prevent the activity; allow the activity; restart the infected device

drop or prevent the activity; allow the activity

In an 802.1x deployment, which device is a supplicant? RADIUS server; access point; switch; end-user station

end-user station

A network administrator is trying to download a valid file from an internal server. However, the process triggers an alert on an NMS tool. What condition describes this alert? false negative; false positive; true negative; true positive

false positive

In a hierarchical CA topology, where can a subordinate CA obtain a certificate for itself? from the root CA or another subordinate CA at a higher level; from the root CA or another subordinate CA at the same level; from the root CA or from self-generation; from the root CA only; from the root CA or another subordinate CA anywhere in the tree

from the root CA or another subordinate CA at a higher level

Which three security services are provided by digital signatures? (Choose three.) provides nonrepudiation using HMAC functions; guarantees data has not changed in transit; provides data encryption; authenticates the source; provides confidentiality of digitally signed data; authenticates the destination

guarantees data has not changed in transit; provides data encryption; authenticates the source

Which IPS signature trigger category uses a decoy server to divert attacks away from production devices? honey pot-based detection; policy-based detection; pattern-based detection; anomaly-based detection

honey pot-based detection

What are two examples of traditional host-based security measures? (Choose two.) host-based IPS; NAS; 802.1X; antimalware software; host-based NAC

host-based IPS; antimalware software

Which requirement of secure communications is ensured by the implementation of MD5 or SHA hash generating algorithms? nonrepudiation; authentication; integrity; confidentiality

integrity

What is a characteristic of the Community Rule Set type of Snort term-based subscriptions? it has 60-day delayed access to updated signatures; it uses Cisco Talos to provide coverage in advance of exploits; it is fully supported by Cisco; it is available for free

it is available for free

What is a characteristic of the connectivity policy setting when configuring Snort threat protection? it attempts to balance network security with network performance; it prioritizes security over connectivity; it provides the lowest level of protection; it enables the highest number of signatures to be verified

it provides the lowest level of protection

In which method used in cryptanalysis does the attacker know a portion of the plaintext and the corresponding ciphertext? meet-in-the-middle; brute-force; chosen-plaintext; ciphertext

meet-in-the-middle

What situation will generate a true negative IPS alarm type? normal traffic that generates a false alarm; a verified security incident that is detected; a known attack that is not detected; normal traffic that is correctly being ignored and forwarded

normal traffic that is correctly being ignored and forwarded

A company is developing a security policy for secure communication. In the exchange of critical messages between a headquarters office and a branch office, a hash value should only be recalculated with a predetermined code, thus ensuring the validity of data source. Which aspect of secure communications is addressed? data integrity; non-repudiation; data confidentiality; origin authentication

origin authentication

What type of data does the DLP feature of Cisco Email Security Appliance scan in order to prevent customer data from being leaked outside of the company? inbound messages; outbound messages; messages stored on a client device; messages stored on the email server

outbound messages

What is another name for confidentiality of information? consistency; trustworthiness; accuracy; privacy

privacy

Alice and Bob are using a digital signature to sign a document. What key should Alice use to sign the document so that Bob can make sure that the document came from Alice? private key from Bob; private key from Alice; public key from Bob; username and password from Alice

private key from Alice

Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.) community ports belonging to other communities; promiscuous ports; isolated ports within the same community; PVLAN edge protected ports; community ports belonging to the same community

promiscuous ports; community ports belonging to the same community

An 802.1X client must authenticate before being allowed to pass data traffic onto the network. During the authentication process, between which two devices is the EAP data encapsulated into EAPOL frames? (Choose two.) data nonrepudiation server; authentication server (TACACS); supplicant (client); authenticator (switch); ASA Firewall

supplicant (client); authenticator (switch)

What device is considered a supplicant during the 802.1X authentication process? the router that is serving as the default gateway; the authentication server that is performing client authentication; the client that is requesting authentication; the switch that is controlling network access

the client that is requesting authentication

What is the keyspace of an encryption algorithm? the set of all possible values used to generate a key; the set of procedures used to calculate asymmetric keys; the set of hash functions used to generate a key; the mathematical equation that is used to create a key

the set of all possible values used to generate a key

What information must an IPS track in order to detect attacks matching a composite signature? the total number of packets in the attack; the state of packets related to the attack; the attacking period used by the attacker; the network bandwidth consumed by all packets

the state of packets related to the attack

A network administrator is configuring DAI on a switch with the command ip arp inspection validate dst-mac. What is the purpose of this configuration command? to check the destination MAC address in the Ethernet header against the MAC address table. to check the destination MAC address in the Ethernet header against the user-configured ARP ACLs. to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. to check the destination MAC address in the Ethernet header against the source MAC address in the ARP body.

to check the destination MAC address in the Ethernet header against the target MAC address in the ARP body.

What is the goal of the Cisco NAC framework and the Cisco NAC appliance? to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network. to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources. to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices. to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms.

to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

What is the purpose for using digital signatures for code signing? to establish an encrypted connection to exchange confidential data with a vendor website; to verify the integrity of executable files downloaded from a vendor website; to authenticate the identity of the system with a vendor website; to generate a virtual ID

to verify the integrity of executable files downloaded from a vendor website

A company implements 802.1X security on the corporate network. A PC is attached to the network but has not authenticated yet. Which 802.1X state is associated with this PC? err-disabled; disabled; unauthorized; forwarding

unauthorized

What are two symmetric encryption algorithms? (Choose two.) 3DES; MD5; AES; HMAC; SHA

3DES; AES

Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports? RADIUS; TACACS+; 802.1x; SSH

802.1x

What is involved in an IP address spoofing attack? A rogue node replies to an ARP request with its own MAC address indicated for the target IP address. Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. A legitimate network IP address is hijacked by a rogue node.

A legitimate network IP address is hijacked by a rogue node

What popular encryption algorithm requires that both the sender and receiver know a pre-shared key? PKI; MD5; AES; HMAC

AES

A network administrator uses the spanning-tree loopguard default global configuration command to enable Loop Guard on switches. What components in a LAN are protected with Loop Guard? All Root Guard enabled ports. All PortFast enabled ports. All point-to-point links between switches. All BPDU Guard enabled ports.

All point-to-point links between switches.

____ is an IPS service enabled on first generation ISRs that is no longer supported. Cisco Firepower Next-Generation IPS; Cisco Snort IPS; External Snort IPS Server; Cisco IOS IPS

Cisco IOS IPS

____ is a dedicated inline threat prevention appliance. Cisco Firepower Next-Generation IPS; Cisco Snort IPS; External Snort IPS Server; Cisco IOS IPS

Cisco Firepower Next-Generation IPS

____ is an IPS service enabled on a second generation ISR. Cisco Firepower Next-Generation IPS; Cisco Snort IPS; External Snort IPS Server; Cisco IOS IPS

Cisco Snort IPS

_____ is when you test the strength of security by breaking secret codes. Cryptology; Cryptography; Cryptanalyst; Cryptanalysis

Cryptanalysis

_____ is an individual who tries to crack secret codes. Cryptology; Cryptography; Cryptanalyst; Cryptanalysis

Cryptanalyst

______ is the development and use of codes. Cryptology; Cryptography; Cryptanalyst; Cryptanalysis

Cryptography

_____ is the science of making and breaking secret codes. Cryptology; Cryptography; Cryptanalyst; Cryptanalysis

Cryptology

____ blocks and logs the packet. Pass; Drop; Reject; Sdrop

Drop

Which procedure is recommended to mitigate the chances of ARP spoofing? Enable DHCP snooping on selected VLANs. Enable IP Source Guard on trusted ports. Enable DAI on the management VLAN. Enable port security globally.

Enable DHCP snooping on selected VLANs.

____ is an IPS solution that requires a promiscuous port and an external Snort IDS/IPS. Cisco Firepower Next-Generation IPS; Cisco Snort IPS; External Snort IPS Server; Cisco IOS IPS

External Snort IPS Server

What is an advantage of HIPS that is not provided by IDS? HIPS provides quick analysis of events through detailed logging. HIPS deploys sensors at network entry points and protects critical network segments. HIPS monitors network processes and protects critical files. HIPS protects critical system resources and monitors operating system processes.

HIPS protects critical system resources and monitors operating system processes.

An IT enterprise is recommending the use of PKI applications to securely exchange information between the employees. In which two cases might an organization use PKI applications to securely exchange information between users? (Choose two.) HTTPS web service; 802.1x authentication; local NTP server; FTP transfers; file and directory access permission

HTTPS web service; 802.1x authentication

What technology supports asymmetric key encryption used in IPsec VPNs? 3DES; IKE; SEAL; AES

IKE

Which Cisco solution helps prevent MAC and IP address spoofing attacks? Port Security; DHCP Snooping; IP Source Guard; Dynamic ARP Inspection

IP Source Guard

What two internal LAN elements need to be secured? (Choose two.) edge routers; IP phones; fiber connections; switches; cloud-based hosts

IP phones; switches

What is the purpose of a digital certificate? It guarantees that a website has not been hacked. It provides proof that data has a traditional signature attached. It ensures that the person who is gaining access to a network device is authorized. It authenticates a website and establishes a secure connection to exchange confidential data.

It authenticates a website and establishes a secure connection to exchange confidential data.

What is an advantage of using an IPS? It is installed outside of the data traffic flow. It does not impact network traffic if there is a sensor overload. It can stop trigger packets. It has no impact on network latency.

It can stop trigger packets.

Which statement describes the function of the SPAN tool used in a Cisco switch? It is a secure channel for a switch to send logging to a syslog server. It provides interconnection between VLANs over multiple switches. It supports the SNMP trap operation on a switch. It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.

What is a characteristic of an IDS? It can affect network performance by introducing latency and jitter. It often requires assistance from other network devices to respond to an attack. It is installed inline with the network traffic flow. It can be configured to drop trigger packets that are associated with a connection.

It often requires assistance from other network devices to respond to an attack.

