sec150 - chapter 4


A. EAPoL B. EAP C. RADIUS D. ALL OF THESE

802.1x uses which of the following protocols?

stateful

A _________ firewall monitors the state of connections as network traffic flows into and out of the organization.

traffic that is going from the private network to the DMZ*

A company is deploying a new network design in which the border router has three interfaces. Interface Serial0/0/0 connects to the ISP, GigabitEthernet0/0 connects to the DMZ, and GigabitEthernet0/1 connects to the internal private network. Which type of traffic would receive the least amount of inspection (have the most freedom of travel)?

The two models cannot be implemented on a single interface.*

A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?

A dynamic ACL entry is added to the external interface in the inbound direction.*

A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?

a. Layer 2 protocol info such as EtherTypes
b. Layer 3 header info such as source and destination IP address
c. Layer 4 header info such as source and destination TCP or UDP ports
d. ALL OF THESE OPTIONS ARE CORRECT.

Access control lists classify packets by inspecting Layer 2 through Layer 7 headers for a number of parameters, including which of the following?

What is the result in the self zone if a router is the source or destination of traffic?

All traffic is permitted.

Implicit Deny; Need to know

An authorization policy should always implement which of the following concepts? (Select all that apply)

Devices on the 192.168.10.0/24 network can successfully ping devices on the 192.168.11.0 network. A Telnet or SSH session is allowed from any device on the 192.168.10.0 into the router with this access list assigned.*

Consider the following access list.

access-list 100 permit ip host 192.168.10.1 any
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo
access-list 100 permit ip any any

Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned? (Choose two.)

What are two characteristics of ACLs? (Choose two.)

Extended ACLs can filter on destination TCP and UDP ports. Extended ACLs can filter on source and destination IP addresses.

permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap*

If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?

application layer protocol session information*

In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?

Which statement describes a stateful firewall?

It can determine if the connection is in the initiation, data transfer, or termination phase.

802.1x

Network access devices (such as network switches and wireless access points) can use an IEEE protocol that, when enabled, will allow traffic on the port only after the device has been authenticated and authorized. Which of the following is an IEEE standard that is used to implement port-based access control?

Consider the access list command applied outbound on a router serial interface.

access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply

What is the effect of applying this access list command?

No traffic will be allowed outbound on the serial interface.

UDP port 1813

RADIUS accounting runs over what protocol and port?

The packet is dropped.*

Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?

DMZ*

Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as "A"?

These ACEs allow for IPv6 neighbor discovery traffic.*

Refer to the exhibit. Which statement describes the function of the ACEs?

Cisco Common Classification Policy Language (C3PL)

The ----- is a structured replacement for feature-specific configuration commands. This concept allows you to create traffic policies based on events, conditions, and actions.

Consider the configured access list.

R1# show access-lists
Extended IP access list 100
    deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
    deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
    permit ip any any (15 matches)

What are two characteristics of this access list? (Choose two.)

The access list has been applied to an interface. Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.

pass

The __________ action in a Cisco IOS Zone-Based Policy Firewall is similar to a permit statement in an ACL.

Which statement is a characteristic of a packet filtering firewall?

They are susceptible to IP spoofing.

echo reply*

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

better performance*

What is one benefit of using a stateful firewall instead of a proxy server?

not as effective with UDP- or ICMP-based traffic*

What is one limitation of a stateful firewall?

forwarding traffic from one zone to another

What is the function of the pass action on a Cisco IOS Zone-Based Policy Firewall?

Establish policies between zones.*

When a Cisco IOS Zone-Based Policy Firewall is being configured via CLI, which step must be taken after zones have been created?

drop*; inspect*

When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)

ACEs to prevent traffic from private address spaces*

When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?

ipv6 traffic-filter ENG_ACL in*

Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?

show running-config*

Which command will verify a Zone-Based Policy Firewall configuration?

a. Primary Administration Node (PAN)
b. Secondary Administration Node (SAN)
c. Policy Service Node (PSN)
d. ALL OF THESE

Which of the following are Cisco ISE distributed node types?

A. START
B. REPLY
C. CONTINUE
D. ALL OF THESE are CORRECT
E. none of these options are correct.

Which of the following are TACACS+ exchange packets used during the authentication process?

a. Active Directory group membership and AD user-based attributes
b. Time and Date
c. Location of the user
d. Access method (MAB, 802.1x, wired, wireless, and so on)
e. none of these
f. ALL OF THESE OPTIONS ARE CORRECT.

Which of the following are examples of some of the more popular policy attributes supported by Cisco ISE?

A. SAML
B. OpenID Connect
C. Microsoft Account
D. ALL OF THESE

Which of the following are technologies used in SSO implementations?

aaa new-model

Which of the following commands enables AAA services on a Cisco router?

An authorization model

Which of the following defines how access rights and permissions are granted? Examples of that model include object capability, security labels, and ACLs.

Authentication by knowledge

Which of the following describes the type of authentication where the user provides a secret that is only known by him or her?

BeyondCorp

Which of the following is a security model created by Google that is similar to the zero-trust concept?

One-time passcode (OTP)

Which of the following is a set of characteristics that can be used to prove a subject's identity one time and one time only?

Supplicant

Which of the following is an entity that seeks to be authenticated by an authenticator (switch, WAP, and so on)? This entity could use software such as the Cisco AnyConnect Secure Mobility Client.

SAML

Which of the following is an open standard for exchanging authentication and authorization data between identity providers, and is used in many single sign-on (SSO) implementations?

Ethical hackers use the same methods but strive to do no harm.

Which of the following is one primary difference between a malicious hacker and an ethical hacker?

To authorize only a single MAC address per port

Which of the following is the default behavior of an 802.1x-enabled port?

Accounting

Which of the following is the process of auditing and monitoring what a user does once a specific resource is accessed?

a. SSO implementations use delegation to call external APIs to authenticate and authorize users.
b. Delegation is used to make sure that applications and services do not store password and user info on-premises.

Which of the following is true about delegation in SSO implementations? (Select all that apply)

pxGrid

Which of the following provides a cross-platform integration capability between security monitoring applications, threat detection systems, asset management platforms, network policy systems, and practically any other IT operations platforms?

A. Discretionary access controls (DACs) are defined by the owner of the object.
B. DACs are used in commercial OS.
C. The object owner builds an ACL that allows or denies access to the object based on the user's unique identity.
D. ALL OF THESE

Which of the following statements are true about discretionary access controls (DACs)?

a. RADIUS uses UDP, and TACACS+ uses TCP.
b. In RADIUS, authentication and authorization are performed with the same exchange. Accounting is done with a separate exchange.
c. In TACACS+, authentication, authorization, and accounting are performed with separate exchanges.
d. RADIUS provides limited support for command authorization. TACACS+ provides granular command authorization.
e. ALL OF THESE

Which of the following statements are true?

RADIUS CoA is a feature that allows a RADIUS server to adjust the authentication and authorization state of an active client session.

Which of the following statements is true about CoA?

stateful firewall*

Which security tool monitors network traffic as it flows into and out of the organization and determines whether packets belong to an existing connection or are from an unauthorized source?

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.*

Which statement describes a typical security policy for a DMZ firewall configuration?

If neither interface is a zone member, then the action is to pass traffic.*
If both interfaces are members of the same zone, all traffic will be passed.*

Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)

router-generated packet*

Which type of packet is unable to be filtered by an outbound ACL?

Principle of Least Privilege and separation of duties

You were hired to configure AAA service in an organization and are asked to make sure that users in the engineering department do not have access to resources that are only meant for the finance department. What authorization principle addresses this scenario?

ACCESS-CHALLENGE messages are sent if additional info is needed. The RADIUS server needs to send an additional challenge to the access server before authenticating the user. The ACCESS-CHALLENGE will be followed by a new ACCESS-REQUEST message.

You were hired to configure RADIUS authentication in a VPN implementation. You start RADIUS debugs in the VPN device and notice ACCESS-CHALLENGE messages. What do those messages mean?

The _______ action in a Cisco IOS Zone-Based Policy Firewall is similar to a deny statement in an ACL.

drop

Which ICMP message type should be stopped inbound?

echo

What is one benefit of using a next-generation firewall rather than a stateful firewall?

integrated use of an intrusion prevention system (IPS)

Where is the firewall policy applied when using Classic Firewall?

interfaces

Where would the following ACE be placed?

permit icmp any any nd-na

on an IPv6-enabled router interface that connects to another router

Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)

private IP addresses; any IP address that starts with the number 127

What is one advantage of using a next-generation firewall rather than a stateful firewall?

proactive rather than reactive protection from Internet threats

The inspect action in a Cisco IOS Zone-Based Policy Firewall configures Cisco IOS _____ packet inspection.

stateful
