Chapter 11 Network+
What characteristic of ARP makes it particularly vulnerable to being used in a DoS attack?
ARP performs no authentication.
Which of the following is not one of the AAA services provided by RADIUS and TACACS+? Authentication Authorization Administration Accounting
Administration. Administration is not part of AAA. RADIUS (Remote Authentication Dial-In User Service) treats authentication and authorization as a single process, meaning that the same type of packet is used for both functions, while accounting is a separate process. TACACS+ (Terminal Access Controller Access Control System Plus) offers network administrators the option of separating the authentication, authorization, and auditing capabilities.
What is the purpose of an ACL when configuring CoPP?
An ACL identifies which traffic is relevant to CoPP policies. CoPP (Control Plane Policing) protects the control plane of Cisco IOS Software-based routers and switches against many attacks, including reconnaissance and denial-of-service (DoS) attacks.
What's the essential difference between an IPS and an IDS?
An IDS can only detect and log suspicious activity. An IPS can react when alerted to such activity.
Which of the following criteria can a packet-filtering firewall not use to determine whether to accept or deny traffic? Destination IP address SYN flags Application data ICMP message
Application data. Application layer firewalls can block designated types of traffic based on application data contained within packets. However, packet-filtering firewalls are limited to information contained in layer 3 and 4 headers, such as IP addresses, TCP flags (such as the SYN flag), and protocols used (such as ICMP).
What kinds of issues might indicate a misconfigured ACL?
Connectivity and performance issues between two hosts in which some applications or ports can make the connection while others can't could indicate an ACL misconfiguration.
What are the two primary features that give proxy servers an advantage over NAT?
Content filtering and file caching
Which device would allow an attacker to make network clients use an illegitimate default gateway? RA guard DHCP server Proxy server Network-based firewall
DHCP server. A rogue DHCP server running on a client device could be used to implement an on-path attack by configuring the attacker's IP address as the victim computers' default gateway. The RA guard feature on switches filters RA messages so these messages can only come from specific interfaces on the switch. A proxy server, or proxy, acts as an intermediary between external and internal networks, screening all incoming and outgoing traffic. A network-based firewall protects an entire private network instead of an individual host.
What causes most firewall failures?
Firewall misconfiguration
Which policy ensures messages are discarded when they don't match a specific firewall rule? Implicit allow Explicit deny Explicit allow Implicit deny
Implicit deny. As with ACLs, firewalls maintain an implicit deny policy for any messages that don't match a specific rule. Other rules enforce explicit deny or allow policies for specific traffic. A firewall should never be configured with an implicit allow rule, which would allow all traffic not explicitly blocked.
At what layer of the OSI model do proxy servers operate? Layer 3 Layer 2 Layer 7 Layer 4
Layer 7
Which principle ensures auditing processes are managed by someone other than the employees whose activities are being audited? Separation of duties Principle of least privilege Shared responsibility model Defense in depth
Separation of duties. In the context of AAA's accounting and auditing components, SoD (separation of duties) requires that no one is responsible for monitoring and reporting on themselves, which would create a conflict of interest for that person. The principle of least privilege means employees and contractors are only given enough access and privileges to do their jobs. Cloud security works according to the shared responsibility model, meaning that the cloud provider is partially responsible for your cloud's security and you're responsible for the rest of it. Defense in depth requires that security be implemented in many, seemingly redundant layers that permeate the network and protect resources from every angle.
What information in a transmitted message might an IDS use to identify network threats? Signature FIM Port mirroring ACL
Signature. An IDS looks for identifiable patterns, or signatures, of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic on the organization's network. An HIDS solution might also include FIM (file integrity monitoring), which alerts the system to any changes made to files that shouldn't change, such as operating system files. A NIDS might use port mirroring, where one port on a switch is configured to send a copy of all the switch's traffic to the device connected to that port, to monitor traffic carried by that switch. A router can use ACLs (access control lists) to decline to forward certain packets depending on their content.
What kind of ticket is held by Kerberos's TGS?
TGT (ticket-granting ticket)
Who is responsible for the security of hardware on which a public cloud runs? The cloud customer It depends Both the cloud customer and the cloud provider The cloud provider
The cloud provider. Cloud security works according to the shared responsibility model, meaning the cloud provider is partially responsible for security and customers are responsible for the rest of it. However, when using a public cloud, the cloud provider is always responsible for the security of the underlying hardware.
Why would you need separate RA guard policies for network hosts and routers attached to a switch?
The hosts policy blocks all RA messages for interfaces with that policy applied, while the ROUTERS policy would only need to filter RA messages to ensure they're coming from a trusted router. A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.
Why do network administrators create domain groups to manage user security privileges?
To simplify the process of granting rights to users
Which of the following ACL commands would permit web-browsing traffic from any IP address to any IP address? access-list acl_2 deny tcp any any access-list acl_2 permit https any any access-list acl_2 deny tcp host 2.2.2.2 host 3.3.3.3 eq www access-list acl_2 permit icmp any any
access-list acl_2 permit https any any. Web-browsing traffic is identified by the protocols HTTP and HTTPS (not TCP or ICMP), and it is permitted by the command access-list acl_2 permit https any any. Specifying addresses limits the approved source or destination hosts.
Any traffic that is not explicitly permitted in the ACL is _____, which is called the _____.
denied; implicit deny rule
Active Directory and 389 Directory Server are both compatible with which directory access protocol? LDAP RADIUS Kerberos AD DS
LDAP. AD (Active Directory) and 389 Directory Server are built to be compliant with LDAP (Lightweight Directory Access Protocol), which is a standard protocol for accessing an authentication directory. An alternative to Active Directory is the cross-platform RADIUS (Remote Authentication Dial-In User Service). Kerberos is a cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information after a client logs on to a system. AD DS (Active Directory Domain Services) is a component of Active Directory.