Chapter 5 - Network Security and Monitoring (Quiz + Exam)
b) It uses message integrity to ensure that packets have not been altered in transit. d) It uses authentication to determine if messages are from a valid source. e) It uses encryption to scramble the content of packets to prevent unauthorized access. SNMPv3 provides message integrity, authentication, and encryption (confidentiality), and it uses a hierarchical MIB structure. UDP port 514 is syslog, not SNMP (SNMP uses UDP 161 for requests and UDP 162 for traps). Expanded error codes were introduced by SNMPv2c.
A company is designing a network monitoring system and is considering SNMPv3. What are three characteristics of SNMPv3? (Choose three.) a) It uses UDP port 514 to send event notifications to message collectors. b) It uses message integrity to ensure that packets have not been altered in transit. c) It uses expanded error codes to identify different types of error conditions. d) It uses authentication to determine if messages are from a valid source. e) It uses encryption to scramble the content of packets to prevent unauthorized access. f) It uses a flat structure of MIB to improve the speed of access to the information.
b) It adds a new user to the SNMP group. c) It uses the MD5 authentication of the SNMP messages. The command snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 creates a new user, places it in the SNMP group admin, and configures MD5 authentication of SNMP messages. The command does not configure a secret encrypted password on the server, and it does not restrict which managers may reach the agent; that is done by the snmp-server community string access-list-number-or-name command. MD5 authentication and DES privacy are the weakest choices IOS accepts for SNMPv3; in production use SHA authentication and AES privacy (auth sha ... priv aes 128 ...).
A network administrator has issued the snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 command. What are two features of this command? (Choose two.) a) It forces the network manager to log into the agent to retrieve the SNMP messages. b) It adds a new user to the SNMP group. c) It uses the MD5 authentication of the SNMP messages. d) It allows a network administrator to configure a secret encrypted password on the SNMP server. e) It restricts SNMP access to defined SNMP managers.
a) message source validation c) message encryption SNMPv3 provides message integrity to ensure that a packet was not tampered with and authentication to determine if the message is from a valid source. SNMPv3 also supports message encryption. SNMPv1 and SNMPv2c do not support message encryption or source authentication beyond the community string, which is sent in plaintext. SNMPv2c supports the bulk retrieval operation. All SNMP versions support the SNMP trap mechanism.
A network administrator is analyzing the features supported by the multiple versions of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.) a) message source validation b) community-based security c) message encryption d) SNMP trap mechanism e) bulk retrieval of MIB information
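The two SNMPv3 questions above (the snmp-server user ... v3 auth md5 command, and what v3 adds over v1/v2c) both come down to the User-based Security Model of RFC 3414. The following is an added example that is not part of the quiz or of Cisco IOS: it derives the authentication key from the password, localizes it to one agent's engine ID (so the same password yields a different key on every device), and computes and verifies the 12-byte msgAuthenticationParameters (HMAC-MD5-96). The engine ID 00...02 and password "maplesyrup" are the RFC 3414 Appendix A test values; the second engine ID and the message bytes are constructed stand-ins, not real BER-encoded SNMP.

```python
"""SNMPv3 USM: password -> key, key localization, HMAC-96 authentication.

Added illustration of the mechanisms behind 'snmp-server user ... v3 auth md5';
it follows RFC 3414, not Cisco IOS code. The sample message below is constructed.
"""
import hashlib
import hmac

ONE_MIB = 1_048_576  # RFC 3414 A.2: the password stream is extended to 1 MiB


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated to exactly 1,048,576 octets."""
    pw = password.encode()
    reps, rem = divmod(ONE_MIB, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, zeroed_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: msgAuthenticationParameters is the first 12
    octets of the HMAC over the whole message with that field set to zeros."""
    return hmac.new(kul, zeroed_msg, hash_name).digest()[:12]


def seal(kul: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bytes:
    """Write the 12-byte authentication parameters into msg at offset."""
    zeroed = msg[:offset] + bytes(12) + msg[offset + 12:]
    return zeroed[:offset] + auth_params(kul, zeroed, hash_name) + zeroed[offset + 12:]


def verify(kul: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bool:
    """Receiver side: recompute over the zeroed message, compare in constant time."""
    zeroed = msg[:offset] + bytes(12) + msg[offset + 12:]
    return hmac.compare_digest(auth_params(kul, zeroed, hash_name), msg[offset:offset + 12])


def demo() -> dict:
    engine_a = bytes.fromhex("000000000000000000000002")    # RFC 3414 A.3 sample engine ID
    engine_b = bytes.fromhex("80001f8880e9bd0fd3c6f14a5f")  # constructed second agent
    ku = password_to_key("maplesyrup")                       # RFC 3414 A.3 sample password
    kul_a = localize_key(ku, engine_a)
    kul_b = localize_key(ku, engine_b)
    # Constructed stand-in for an SNMPv3 message: 16 header bytes, the 12-byte
    # authentication parameter field at offset 16, then the scoped PDU.
    msg = b"\x30\x81\x00\x03\x02\x01\x03" + bytes(9) + bytes(12) + b"scopedPDU:get sysName.0"
    sealed = seal(kul_a, msg, 16)
    tampered = sealed[:-1] + b"!"            # one byte of the PDU altered in transit
    return {
        "ku_hex": ku.hex(),
        "kul_a_hex": kul_a.hex(),
        "same_password_different_engines": kul_a != kul_b,
        "verify_ok": verify(kul_a, sealed, 16),
        "tamper_detected": not verify(kul_a, tampered, 16),
        "wrong_engine_key_rejected": not verify(kul_b, sealed, 16),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth noticing: a captured localized key is useless against any other agent because the engine ID is mixed into it, which is why the same v3 user must be created on each device; and the integrity check happens before the scoped PDU is looked at, so a modified packet is discarded rather than acted on.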
a) If an interface comes up, a trap is sent to the server. The snmp-server enable traps command enables SNMP to send trap messages to the NMS at 10.10.50.25. The optional notification-types argument specifies which type of trap is sent. If this argument is not used, all trap types are sent, which includes linkUp and linkDown. If the notification-types argument is used, the command must be repeated for each additional subset of trap types that is desired.
A network administrator issues two commands on a router: R1(config)# snmp-server host 10.10.50.25 version 2c campus R1(config)# snmp-server enable traps What can be concluded after the commands are entered? a) If an interface comes up, a trap is sent to the server. b) The snmp-server enable traps command needs to be used repeatedly if a particular subset of trap types is desired. c) No traps are sent, because the notification-types argument was not specified yet. d) Traps are sent with the source IP address as 10.10.50.25.
snooping DHCP snooping is used to mitigate DHCP spoofing attacks by configuring a switch to stop DHCP server messages on ports that should not be receiving them.
DHCP ________________ is a mitigation technique to prevent rogue DHCP servers from providing false IP configuration parameters.
d) Define an ACL and reference it by using the snmp-server community command. The snmp-server community string access-list-number-or-name command restricts SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL. The snmp-server host host-id [version {1 | 2c | 3 [auth | noauth | priv]}] community-string command specifies the recipient of the SNMP trap operations. The snmp-server community string {ro | rw} command configures the community string and access level. The snmp-server enable traps notification-types command enables traps on an SNMP agent.
How can SNMP access be restricted to a specific SNMP manager? a) Use the snmp-server community command to configure the community string with no access level. b) Specify the IP address of the SNMP manager by using the snmp-server host command. c) Use the snmp-server traps command to enable traps on an SNMP manager. d) Define an ACL and reference it by using the snmp-server community command.
c) retrieving multiple rows in a table in a single transmission
Match SNMP operation to the corresponding description. get-bulk-request a) sequentially searching tables to retrieve a value from a variable b) retrieving a value from a specific variable c) retrieving multiple rows in a table in a single transmission d) replying to GET request and SET request messages that are sent by an NMS f) storing a value in a specific variable
a) sequentially searching tables to retrieve a value from a variable
Match SNMP operation to the corresponding description. get-next-request a) sequentially searching tables to retrieve a value from a variable b) retrieving a value from a specific variable c) retrieving multiple rows in a table in a single transmission d) replying to GET request and SET request messages that are sent by an NMS f) storing a value in a specific variable
d) replying to GET request and SET request messages that are sent by an NMS
Match SNMP operation to the corresponding description. get-response a) sequentially searching tables to retrieve a value from a variable b) retrieving a value from a specific variable c) retrieving multiple rows in a table in a single transmission d) replying to GET request and SET request messages that are sent by an NMS f) storing a value in a specific variable
f) storing a value in a specific variable
Match SNMP operation to the corresponding description. set-request a) sequentially searching tables to retrieve a value from a variable b) retrieving a value from a specific variable c) retrieving multiple rows in a table in a single transmission d) replying to GET request and SET request messages that are sent by an NMS f) storing a value in a specific variable
a) The SNMP agent is not configured for write access. Because the SNMP manager is able to access the SNMP agent, the problem is not related to the ACL configuration. The SNMP agent configuration should have an access level configured of rw to support the SNMP manager set requests. The SNMP manager cannot change configuration variables on the SNMP agent R1 with only ro access. The IP address of the SNMP manager does not have to be 172.16.1.1 to make changes to the SNMP agent. The SNMP agent does not have to have traps disabled.
Refer to the exhibit. A SNMP manager has IP address 172.16.1.120. The SNMP manager is unable to change configuration variables on the R1 SNMP agent. What could be the problem? a) The SNMP agent is not configured for write access. b) The IP address of the SNMP manager must be 172.16.1.1. c) The SNMP agent should have traps disabled. d) The ACL of ACL_SNMP has not been implemented on an interface yet.
a) All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1. The show monitor session command is used to verify how SPAN is configured (what ports are involved in the traffic mirroring).
Refer to the exhibit. Based on the output generated by the show monitor session 1 command, how will SPAN operate on the switch? a) All traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1. b) All traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1. c) Native VLAN traffic transmitted from VLAN 10 or received on VLAN 20 is forwarded to FastEthernet 0/1. d) Native VLAN traffic received on VLAN 10 or transmitted from VLAN 20 is forwarded to FastEthernet 0/1.
d) 7 The DHCP snooping configuration includes building the DHCP Snooping Binding Database and assigning necessary trusted ports on switches. A trusted port points to the legitimate DHCP servers. In this network design, because the DHCP server is attached to AS3, seven switch ports should be assigned as trusted ports, one on AS3 toward the DHCP server, one on DS1 toward AS3, one on DS2 toward AS3, and two connections on both AS1 and AS2 (toward DS1 and DS2), for a total of seven.
Refer to the exhibit. PC1 and PC2 should be able to obtain IP address assignments from the DHCP server. How many ports among switches should be assigned as trusted ports as part of the DHCP snooping configuration? a) 1 b) 3 c) 5 d) 7
d) There is a problem with the ACL configuration. The permit statement with the incorrect IP address is the reason why the administrator is not able to access router R1. The correct statement should be permit 192.168.1.3. The snmp-server location and snmp-server enable traps commands are optional commands and have no relation to the access restriction to router R1. The rw keyword does not need to be included in this case because the administrator just wants to obtain information, not change any configuration.
Refer to the exhibit. Router R1 was configured by a network administrator to use SNMP version 2. The following commands were issued: R1(config)# snmp-server community batonaug ro SNMP_ACL R1(config)# snmp-server contact Wayne World R1(config)# snmp-server host 192.168.1.3 version 2c batonaug R1(config)# ip access-list standard SNMP_ACL R1(config-std-nacl)# permit 192.168.10.3 Why is the administrator not able to get any information from R1? a) The snmp-server enable traps command is missing. b) The snmp-server location command is missing. c) The snmp-server community command needs to include the rw keyword. d) There is a problem with the ACL configuration.
d) An ACL was configured to restrict SNMP access to an SNMP manager. The output is produced in response to the show snmp community command. It displays the community string and any ACLs that may be configured. The show snmp command without any keyword does not display information relating to the SNMP community string or, if applicable, the associated ACL. Because the show snmp community command does not display the contact or location information, whether they are configured or not cannot be concluded.
Refer to the exhibit. What can be concluded from the produced output? a) This is the output of the show snmp command without any parameters. b) The location of the device was not configured with the snmp-server location command. c) The system contact was not configured with the snmp-server contact command. d) An ACL was configured to restrict SNMP access to an SNMP manager.
d) Sw_A(config)# monitor session 5 source interface gi0/1 Sw_A(config)# monitor session 5 destination interface fa0/7 The local SPAN configuration requires two statements to identify the source and destination ports for the mirrored traffic. The statements must use the same session number. In this example, the source port is the port connected to the server (Gi0/1) and the destination port is the port attached to the packet analyzer (Fa0/7).
Refer to the exhibit. Which command or set of commands will configure SW_A to copy all traffic for the server to the packet analyzer? a) Sw_A(config)# monitor session 1 source interface fa0/7 b) Sw_A(config)# monitor session 5 source interface gi0/1 Sw_A(config)# monitor session 6 destination interface fa0/7 c) Sw_A(config)# monitor session 1 destination interface fa0/7 d) Sw_A(config)# monitor session 5 source interface gi0/1 Sw_A(config)# monitor session 5 destination interface fa0/7 e) Sw_A(config)# monitor session 1 destination interface gi0/1 Sw_A(config)# monitor session 1 source interface fa0/1
b) G0/23 When DHCP snooping is configured, the interface that connects toward the DHCP server is configured as a trusted port. Trusted ports can source DHCP server messages (OFFER, ACK, NAK) as well as client messages. All ports not specifically configured as trusted are considered untrusted by the switch and can only source client messages (DISCOVER, REQUEST); any server message arriving on an untrusted port is dropped.
Refer to the exhibit. Which interface on switch S1 should be configured as a DHCP snooping trusted port to help mitigate DHCP spoofing attacks? a) G0/1 b) G0/23 c) G0/24 d) G0/22
a) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1. The Switched Port Analyzer (SPAN) feature on Cisco switches is a type of port mirroring that sends copies of the frames entering (and, by default, leaving) a source port or VLAN out another port on the same switch. Typically a packet sniffer or IPS device is attached to the destination port. No VLAN membership or trunk configuration is required on the source port, and multicast and BPDU frames are not excluded.
Refer to the exhibit. Which statement is true about the local SPAN configuration on switch SW1? a) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1. b) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1, but only if port Fa3/1 is configured in VLAN 10. c) The SPAN session transmits to a device on port Fa3/21 a copy of all traffic that is monitored on port Fa3/1, but only if port Fa3/1 is configured as trunk. d) The SPAN session transmits to a device on port Fa3/21 only a copy of unicast traffic that is monitored on port Fa3/1. All multicast and BPDU frames will be excluded from the monitoring process.
True In 802.1X terminology the client workstation is known as the supplicant.
True or False? In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.
c) unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network A GET request is a message that is used by the NMS to query the device for data. A SET request is a message that is used by the NMS to change configuration variables in the agent device. An NMS periodically polls the SNMP agents residing on managed devices, by querying the device for data by using the GET request.
What are SNMP trap messages? a) messages that are sent periodically by the NMS to the SNMP agents that reside on managed devices to query the device for data b) messages that are used by the NMS to query the device for data c) unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network d) messages that are used by the NMS to change configuration variables in the agent device
b) Enable trunking manually. c) Disable DTP. d) Set the native VLAN to an unused VLAN. VLAN hopping attacks are mitigated by disabling Dynamic Trunking Protocol (DTP) with switchport nonegotiate, manually configuring ports as trunks (switchport mode trunk) or access ports (switchport mode access) so that an attacker cannot negotiate a trunk, and setting the native VLAN of trunk links to a VLAN that is not in use so that double-tagged frames have nowhere to go.
What are three techniques for mitigating VLAN attacks? (Choose three.) a) Enable BPDU guard. b) Enable trunking manually. c) Disable DTP. d) Set the native VLAN to an unused VLAN. e) Use private VLANs. f) Enable Source Guard.
d) SNMP read-only community strings can be used to get information from an SNMP-enabled device. e) SNMP read-write community strings can be used to set information on an SNMP-enabled device. There are two types of SNMP community strings, read-only and read-write. The read-only community string allows the manager to get information from the agent, and the read-write string allows the manager to get or set information in the agent. Option a is wrong because SNMPv3 replaces community strings with user-based authentication; only SNMPv1 and SNMPv2c send community strings in plaintext.
What are two characteristics of SNMP community strings? (Choose two.) a) A vulnerability of SNMPv1, SNMPv2, and SNMPv3 is that they send the community strings in plaintext. b) Commonly known community strings should be used when configuring secure SNMP. c) If the manager sends one of the correct read-only community strings, it can get information and set information in an agent. d) SNMP read-only community strings can be used to get information from an SNMP-enabled device. e) SNMP read-write community strings can be used to set information on an SNMP-enabled device.
b) untrusted port d) trusted DHCP port DHCP snooping recognizes two types of ports on Cisco switches: Trusted DHCP ports - switch ports connecting to upstream DHCP servers Untrusted ports - switch ports connecting to hosts that should not be providing DHCP server messages
What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.) a) unknown port b) untrusted port c) unauthorized port d) trusted DHCP port e) authorized DHCP port f) established DHCP port
c) the client that is requesting authentication The devices involved in the 802.1X authentication process are as follows: The supplicant, which is the client that is requesting network access The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access The authentication server, which performs the actual authentication
What device is considered a supplicant during the 802.1X authentication process? a) the router that is serving as the default gateway b) the switch that is controlling network access c) the client that is requesting authentication d) the authentication server that is performing client authentication
a) the switch that the client is connected to The devices involved in the 802.1X authentication process are as follows: The supplicant, which is the client that is requesting network access The authenticator, which is the switch that the client is connecting to and that is actually controlling physical network access The authentication server, which performs the actual authentication
When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client? a) the switch that the client is connected to b) the router that is serving as the default gateway c) the authentication server d) the supplicant
a) User accounts must be configured locally on each device, which is an unscalable authentication solution. The local database method of securing device access utilizes usernames and passwords that are configured locally on the router. This allows administrators to keep track of who logged in to the device and when. The passwords can also be encrypted in the configuration. However, the account information must be configured on each device where that account should have access, making this solution very difficult to scale.
What is a drawback of the local database method of securing device access that can be solved by using AAA with centralized servers? a) User accounts must be configured locally on each device, which is an unscalable authentication solution. b) It is very susceptible to brute-force attacks because there is no username. c) The passwords can only be stored in plain text in the running configuration. d) There is no ability to provide accountability.
c) software that is installed on devices managed by SNMP A management station is used by an administrator for monitoring. An MIB is a database of monitoring information. The Simple Network Management Protocol is the communications protocol that is used between the management station and the management agents. Management agents run the software that enables administrators to gather network performance data.
What is an SNMP management agent? a) a computer loaded with management software and used by an administrator to monitor a network b) a database that a device keeps about network performance c) software that is installed on devices managed by SNMP d) a communication protocol that is used by SNMP
b) The switch will forward all received frames to all other ports. As a result of a CAM table attack, a switch can run out of memory resources to store MAC addresses. When this happens, no new MAC addresses can be added to the CAM table and the switch will forward all received frames to all other ports. This would allow an attacker to capture all traffic that is flooded by the switch.
What is the behavior of a switch as a result of a successful CAM table attack? a) The switch interfaces will transition to the error-disabled state. b) The switch will forward all received frames to all other ports. c) The switch will shut down. d) The switch will drop all received frames.
d) to store data about a device The Management Information Base (MIB) resides on a networking device and stores operational data about the device. The SNMP manager can collect information from SNMP agents. The SNMP agent provides access to the information.
What is the function of the MIB element as part of a network management system? a) to send and retrieve network management information b) to change configurations on SNMP agents c) to collect data from SNMP agents d) to store data about a device
c) Enable port security A "switch buffer overflow" here is a CAM table overflow (MAC flooding) attack. Port security limits the number of MAC addresses a switch port may learn (switchport port-security maximum) and shuts down or restricts the port when that limit is exceeded, so an attacker cannot fill the CAM table with bogus source addresses. Disabling DTP or STP and moving unused ports to an unused VLAN address other attacks, not MAC flooding.
What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow? a) Disable DTP b) Disable STP c) Enable port security d) Place unused ports in an unused VLAN
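The CAM table overflow question and the port-security answer above describe a mechanism that is easy to see in a small simulation. This is an added example, not part of the quiz and not Cisco code: a switch with a deliberately tiny CAM table first runs without port security and then with a maximum of one MAC address per port (violation mode shutdown). The ports and MAC addresses are constructed.

```python
"""CAM table overflow (MAC flooding) versus port security, as a small
simulation. Added example; it models switch behaviour, it is not IOS code.
MAC addresses and port names below are constructed."""


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                                  # MAC -> port
        self.capacity = cam_capacity                   # CAM table size
        self.max_macs = max_macs_per_port              # switchport port-security maximum N
        self.secure = {p: set() for p in self.ports}   # MACs seen per port
        self.err_disabled = set()                      # ports shut by a violation

    def receive(self, in_port, src, dst):
        """Return the list of ports a frame is sent out of."""
        if in_port in self.err_disabled:
            return []
        # Port security: a new source MAC beyond the limit is a violation.
        if self.max_macs is not None and src not in self.secure[in_port]:
            if len(self.secure[in_port]) >= self.max_macs:
                self.err_disabled.add(in_port)         # violation mode shutdown
                return []
            self.secure[in_port].add(src)
        # Learn the source address if there is room in the CAM table.
        if src not in self.cam and len(self.cam) < self.capacity:
            self.cam[src] = in_port
        # Known unicast goes to one port; unknown unicast is flooded.
        out = self.cam.get(dst)
        if out is None:
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def mac_flood(sw, port, count):
    """Attacker on port sends frames from count distinct bogus source MACs.
    Returns the number of CAM entries afterwards."""
    for n in range(count):
        sw.receive(port, f"02:00:00:00:{n >> 8:02x}:{n & 0xff:02x}", "ff:ff:ff:ff:ff:ff")
    return len(sw.cam)


def scenario(port_security):
    """Host A on Fa0/1, host B on Fa0/2, attacker on Fa0/3, CAM of 8 entries."""
    ports = ["Fa0/1", "Fa0/2", "Fa0/3"]
    sw = Switch(ports, cam_capacity=8, max_macs_per_port=1 if port_security else None)
    a, b = "00:aa:00:00:00:01", "00:bb:00:00:00:02"
    sw.receive("Fa0/1", a, "ff:ff:ff:ff:ff:ff")      # host A is learned before the attack
    cam_after_attack = mac_flood(sw, "Fa0/3", 100)   # attacker floods bogus MACs
    sw.receive("Fa0/2", b, a)                        # B sends; can B still be learned?
    return {
        "cam_entries": cam_after_attack,
        "attacker_port_err_disabled": "Fa0/3" in sw.err_disabled,
        "a_to_b_egress": sw.receive("Fa0/1", a, b),  # who sees A's traffic to B
    }


if __name__ == "__main__":
    print("no port security:", scenario(False))
    print("port security max 1:", scenario(True))
```

Without port security the CAM table is full after the flood, B cannot be learned, and A's unicast to B is flooded out every port including the attacker's. With a per-port limit the attacker's second bogus MAC shuts the port, the CAM table stays mostly empty, and A's traffic reaches B only.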
a) DHCP starvation DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages with spoofed client hardware addresses in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts. DHCP snooping rate limiting on untrusted ports (ip dhcp snooping limit rate) is the usual mitigation.
What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease? a) DHCP starvation b) DHCP spoofing c) IP address spoofing d) CAM table attack
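The DHCP snooping items on this page (trusted versus untrusted ports, rogue servers, and the starvation attack above) all describe decisions a switch makes per DHCP frame. The following is an added example, not part of the quiz and not Cisco code: it builds minimal DHCP packets, then models a snooping switch that drops server messages on untrusted ports, checks that the DHCP chaddr matches the frame's source MAC, rate-limits client messages per untrusted port (putting the port into err-disabled, as IOS does when the limit is exceeded), and fills a binding table from ACKs seen on the trusted port. All port names, MAC addresses and packets are constructed.

```python
"""DHCP snooping decision logic, as a small simulation (added example, not IOS code).

Models what a switch does with a DHCP frame: server messages are accepted only
from trusted ports, client messages from untrusted ports are rate-limited
(DHCP starvation) and must carry a chaddr matching the frame's source MAC, and
ACKs seen on trusted ports populate the binding table.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP header, 236 bytes


def build_dhcp(op, msg_type, chaddr, yiaddr=bytes(4), xid=0x1234):
    """Constructed DHCP packet: BOOTP header, magic cookie, option 53, end."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, bytes(4), yiaddr, bytes(4), bytes(4),
                      chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": ".".join(map(str, f[8])),
            "chaddr": f[11][:f[2]], "msg_type": opts[53][0] if 53 in opts else None}


class DhcpSnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=3):
        self.trusted = set(trusted_ports)    # ip dhcp snooping trust
        self.rate_limit = rate_limit         # ip dhcp snooping limit rate (per interval)
        self.bindings = {}                   # client MAC -> (leased IP, client port)
        self.pending = {}                    # client MAC -> port that sent the request
        self.seen = {}                       # untrusted port -> client messages counted
        self.err_disabled = set()

    def process(self, port, src_mac, pkt):
        """Return 'forward', 'drop' or 'err-disable' for a DHCP frame on port."""
        if port in self.err_disabled:
            return "drop"
        d = parse_dhcp(pkt)
        if port in self.trusted:
            # Server replies are legitimate here; ACKs build the binding table.
            if d["op"] == BOOTREPLY and d["msg_type"] == ACK and d["chaddr"] in self.pending:
                self.bindings[d["chaddr"]] = (d["yiaddr"], self.pending.pop(d["chaddr"]))
            return "forward"
        # Untrusted port: rogue server messages are dropped outright.
        if d["op"] == BOOTREPLY or d["msg_type"] in SERVER_MESSAGES:
            return "drop"
        # MAC address verification: chaddr must match the frame's source MAC.
        if d["chaddr"] != src_mac:
            return "drop"
        # Rate limit client messages to blunt DHCP starvation.
        self.seen[port] = self.seen.get(port, 0) + 1
        if self.seen[port] > self.rate_limit:
            self.err_disabled.add(port)
            return "err-disable"
        self.pending[d["chaddr"]] = port
        return "forward"


def demo():
    sw = DhcpSnoopingSwitch(trusted_ports={"Gi0/24"}, rate_limit=3)
    pc1, rogue, srv = b"\xaa\xbb\xcc\x00\x00\x01", b"\xde\xad\xbe\xef\x00\x02", b"\x00\x11\x22\x33\x44\x55"
    r = {}
    r["pc1_discover"] = sw.process("Fa0/1", pc1, build_dhcp(BOOTREQUEST, DISCOVER, pc1))
    r["rogue_offer"] = sw.process("Fa0/7", rogue, build_dhcp(BOOTREPLY, OFFER, pc1, b"\xc0\xa8\x01\x64"))
    r["real_ack"] = sw.process("Gi0/24", srv, build_dhcp(BOOTREPLY, ACK, pc1, b"\xc0\xa8\x0a\x32"))
    r["binding"] = sw.bindings.get(pc1)
    r["spoofed_chaddr"] = sw.process("Fa0/7", rogue, build_dhcp(BOOTREQUEST, DISCOVER, pc1))
    # Starvation: a burst of DISCOVERs with distinct MACs from one untrusted port.
    r["starvation"] = []
    for n in range(5):
        mac = b"\x02\x00\x00\x00\x00" + bytes([n])
        r["starvation"].append(sw.process("Fa0/7", mac, build_dhcp(BOOTREQUEST, DISCOVER, mac)))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The binding table entry (MAC, leased IP, ingress port) is what later features such as Dynamic ARP Inspection and IP Source Guard check against, which is why the trusted port must be the one facing the real server: an ACK from anywhere else never creates a binding.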
a) RADIUS Encapsulation of EAP data between the authenticator and the authentication server is performed using RADIUS (RFC 3579): the authenticator carries the EAP packets inside EAP-Message attributes of RADIUS Access-Request messages, protected by a Message-Authenticator attribute. Between the supplicant and the authenticator the EAP frames travel in EAPOL, not RADIUS.
What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication? a) RADIUS b) SSH c) TACACS+ d) MD5
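The encapsulation asked about above has a concrete wire format. The following is an added example, not from the quiz and not vendor code: it builds an EAP-Response/Identity as the supplicant would send it, wraps it in a RADIUS Access-Request the way an 802.1X authenticator does (EAP-Message attributes plus a Message-Authenticator computed as HMAC-MD5 over the packet with that attribute zeroed, per RFC 3579), and shows the server-side check. The identity, shared secret and packet identifiers are constructed.

```python
"""EAP carried inside RADIUS between an 802.1X authenticator and the
authentication server (RFC 3579). Added example, not vendor code; the
identity, shared secret and packet identifier are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
HEADER_LEN = 20          # code, id, length, 16-byte Request Authenticator
MAX_ATTR_VALUE = 253     # the attribute length field is one octet


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: the supplicant's first answer to the authenticator."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def attribute(attr_type, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(ident, authenticator, username, eap_packet, secret):
    """Authenticator -> server: the EAP packet is split into EAP-Message
    attributes, and Message-Authenticator is HMAC-MD5(secret, packet with
    that attribute's value set to 16 zero octets)."""
    attrs = attribute(USER_NAME, username)
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += attribute(EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
    attrs += attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac       # Message-Authenticator is the last attribute


def _attributes(pkt):
    """Yield (offset, type, value) for each attribute after the header."""
    i = HEADER_LEN
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        yield i, t, pkt[i + 2:i + length]
        i += length


def verify_access_request(pkt, secret):
    """Server side: an Access-Request carrying EAP-Message without a valid
    Message-Authenticator is silently discarded (RFC 3579 section 3.2)."""
    for offset, t, value in _attributes(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:offset + 2] + bytes(16) + pkt[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def extract_eap(pkt):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for _, t, v in _attributes(pkt) if t == EAP_MESSAGE)


def demo():
    secret = b"constructed-shared-secret"
    eap = eap_response_identity(1, b"alice@example.org")
    req = build_access_request(7, os.urandom(16), b"alice@example.org", eap, secret)
    tampered = req.replace(b"alice", b"mallo")   # same length, so lengths stay valid
    return {
        "valid": verify_access_request(req, secret),
        "tampered_rejected": not verify_access_request(tampered, secret),
        "wrong_secret_rejected": not verify_access_request(req, b"other"),
        "eap_roundtrip": extract_eap(req) == eap,
        "eap_id_and_identity": (eap[1], eap[5:]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The shared secret is what makes the RADIUS leg trustworthy: without Message-Authenticator an attacker on the path between switch and server could alter the EAP payload, since the Request Authenticator alone does not cover Access-Request attributes.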
a) accounting c) authorization d) authentication The authentication, authorization, and accounting (AAA) framework provides services to help secure access to network devices.
What three services are provided by the AAA framework? (Choose three.) a) accounting b) automation c) authorization d) authentication e) autobalancing f) autoconfiguration
a) SNMPv2c Both SNMPv1 and SNMPv2c use a community-based form of security, and community strings are plaintext passwords. Plaintext passwords are not considered a strong security mechanism. SNMPv2c adds the GetBulk operation, which SNMPv1 lacks. Version 1 is a legacy solution and not often encountered in networks today.
Which SNMP version uses weak community string-based access control and supports bulk retrieval? a) SNMPv2c b) SNMPv2Classic c) SNMPv1 d) SNMPv3
b) configuring the community string and access level When SNMPv2c is being configured, the configuration of the community string and access level is required. The other configuration steps, such as system contact, restricting access to NMS hosts with an ACL, specifying trap recipients, and enabling traps, are all optional.
Which SNMPv2 configuration step is required? a) documenting the location of the system contact b) configuring the community string and access level c) restricting SNMP access to NMS hosts d) enabling traps on an SNMP agent
b) global configuration mode All required and optional steps in configuring SNMP are completed using global configuration mode.
Which mode is used to configure SNMP? a) privileged mode b) global configuration mode c) interface configuration mode d) router configuration mode
b) 802.1x 802.1x is an IEEE standard that defines port-based access control. By authenticating each client that attempts to connect to the LAN, 802.1x provides protection from unauthorized clients.
Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports? a) TACACS+ b) 802.1x c) RADIUS d) SSH
b) SNMP SNMP can be used to collect and store information such as device CPU utilization. Syslog is used to access and store system messages. Cisco developed NetFlow for the purpose of gathering statistics on packets that are flowing through Cisco routers and multilayer switches. NTP is used to allow network devices to synchronize time settings.
Which protocol or service can be configured to send unsolicited messages to alert the network administrator about a network event such as an extremely high CPU utilization on a router? a) NetFlow b) SNMP c) syslog d) NTP
b) CDP CDP is a Cisco proprietary protocol that advertises and gathers device details (platform, IOS version, IP addresses, native VLAN) from directly connected Cisco devices, and it is enabled by default on Cisco devices. LLDP is an open standard protocol that provides the same service, but it is disabled by default on Cisco IOS and must be enabled with lldp run. HTTP and FTP are application layer protocols that do not collect information about network devices.
Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack? a) HTTP b) CDP c) FTP d) LLDP
d) A set request is used by the NMS to change configuration variables in the agent device. An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data.
Which statement describes SNMP operation? a) A get request is used by the SNMP agent to query the device for data. b) An NMS periodically polls the SNMP agents that are residing on managed devices by using traps to query the devices for data. c) An SNMP agent that resides on a managed device collects information about the device and stores that information remotely in the MIB that is located on the NMS. d) A set request is used by the NMS to change configuration variables in the agent device.
a) The RSPAN VLAN must be the same on both the source and destination switch. Remote SPAN (RSPAN) allows source and destination ports to be on different switches. RSPAN uses two sessions: one on the source switch copies traffic from the source port or VLAN into the RSPAN VLAN, and one on the destination switch copies it out of the RSPAN VLAN to the destination port. The mirrored traffic is carried over trunk links in a user-specified RSPAN VLAN that is dedicated to that RSPAN session on every participating switch; it is not a management or user data VLAN and need not match the native VLAN.
Which statement describes the RSPAN VLAN? a) The RSPAN VLAN must be the same on both the source and destination switch. b) The RSPAN VLAN can be used for remote management of network switches. c) The RSPAN VLAN can be used to carry secure traffic between switches. d) The RSPAN VLAN must be the same as the native VLAN.
b) It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device. To analyze network traffic passing through a switch, switched port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected. SPAN is not required for syslog or SNMP. SPAN is used to mirror traffic, while syslog and SNMP are configured to send data directly to the appropriate server.
Which statement describes the function of the SPAN tool used in a Cisco switch? a) It provides interconnection between VLANs over multiple switches. b) It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device. c) It is a secure channel for a switch to send logging to a syslog server. d) It supports the SNMP trap operation on a switch.
c) SPAN can be configured to send a copy of traffic to a destination port on the same switch. d) SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch. f) RSPAN can be used to forward traffic to reach an IPS that is analyzing traffic for malicious behavior. The Switched Port Analyzer (SPAN) feature on Cisco switches is a type of port mirroring that sends copies of the frame entering a source port (or VLAN), out another port on the same switch. Typically the destination port is attached with a packet sniffer or IPS device. Remote SPAN (RSPAN) allows source and destination ports to be in different switches.
Which three statements describe SPAN and RSPAN? (Choose three.) a) SPAN can send a copy of traffic to a port on another switch. b) RSPAN is required for syslog and SNMP implementation. c) SPAN can be configured to send a copy of traffic to a destination port on the same switch. d) SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch. e) RSPAN is required to copy traffic on a source VLAN to a destination port on the same switch. f) RSPAN can be used to forward traffic to reach an IPS that is analyzing traffic for malicious behavior.
d) TACACS+ e) RADIUS Server-based AAA authentication uses an external TACACS+ or RADIUS authentication server to maintain the username and password database. When a client establishes a connection with an AAA-enabled device, the device authenticates the client by querying the authentication server. 802.1x is the port-based access control framework that relies on such a server, SSH is the remote access protocol being protected, and SNMP is a management protocol.
Which two protocols are used to provide server-based AAA authentication? (Choose two.) a) 802.1x b) SNMP c) SSH d) TACACS+ e) RADIUS