Chapter 2: Securing Network Devices
Quiet mode behavior can be overridden for specific networks by using an ACL.
A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode? Quiet mode behavior will only prevent specific user accounts from attempting to authenticate. Quiet mode behavior can be disabled by an administrator by using SSH to connect. Quiet mode behavior can be overridden for specific networks by using an ACL. Quiet mode behavior can be enabled via an ip access-group command on a physical interface.
ip ospf message-digest-key 1 md5 1A2b3C area 0 authentication message-digest
A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.) ip ospf message-digest-key 1 md5 1A2b3C area 1 authentication message-digest username OSPF password 1A2b3C enable password 1A2b3C area 0 authentication message-digest
Configure the IP domain name on the router. Generate the SSH keys. Enable inbound vty SSH sessions.
An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.) Configure the IP domain name on the router. Enable inbound vty Telnet sessions. Generate the SSH keys. Configure DNS on the router. Enable inbound vty SSH sessions. Generate two-way pre-shared keys.
superview, containing SHOWVIEW and VERIFYVIEW views
Based on the output of the show running-config command, which type of view is SUPPORT? Router# show running-config <output omitted> Parser view SUPPORT superview secret 5 !deruyoe7r984739jjou9whiyr8 view SHOWVIEW view VERIFYVIEW secret view, with a level 5 encrypted password root view, with a level 5 encrypted secret password superview, containing SHOWVIEW and VERIFYVIEW views CLI view, containing SHOWVIEW and VERIFYVIEW commands
Assign a secret password to the view. Assign commands to the view. Create a view using the parser view view-name command.
If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.) Assign a secret password to the view. Assign commands to the view. Assign users who can use the view. Associate the view with the root view. Create a superview using the parser view view-name command. Create a view using the parser view view-name command.
AutoSecure Steps:
The auto secure command is entered. The wizard gathers information about the outside interfaces. AutoSecure secures the management place by disabling unnecessary services. AutoSecure prompts for a security banner. AutoSecure prompts for passwords and enables password and login features. Interfaces are secured. The forwarding plane is secured.
1) AAA must be enabled. 2) the view must be created. 3) a secret password must be assigned to the view. 4) commands must be assigned to the view. 5) view configuration mode must be exited.
What are the five steps involved to create a view on a Cisco router?
to prevent data traffic from being redirected and then discarded to prevent redirection of data traffic to an insecure link
What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.) to ensure more efficient routing to ensure faster network convergence to provide data security through encryption to prevent data traffic from being redirected and then discarded to prevent redirection of data traffic to an insecure link
login block-for 60 attempts 5 within 60 Cisco IOS login enhancements can increase the security for virtual login connections to a router. Although login delay is a login enhancement command, all login enhancements are disabled until the login block-for command is configured.
What command must be issued to enable login enhancements on a Cisco router? login block-for banner motd login delay privilege exec level
A snapshot of the router running configuration can be taken and securely archived in persistent storage.
What is a characteristic of the Cisco IOS Resilient Configuration feature? It maintains a secure working copy of the bootstrap startup program. The secure boot-image command works properly when the system is configured to run an image from a TFTP server. Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered. A snapshot of the router running configuration can be taken and securely archived in persistent storage.
A command must be issued to enable the SCP server side functionality.
What is a requirement to use the Secure Copy Protocol feature? The Telnet protocol has to be configured on the SCP server side. A transfer can only originate from SCP clients that are routers. At least one user with privilege level 1 has to be configured for local authentication. A command must be issued to enable the SCP server side functionality.
prevent unnecessary traffic from overwhelming the route processor
What is the Control Plane Policing (CoPP) feature designed to accomplish? manage services provided by the control plane prevent unnecessary traffic from overwhelming the route processor disable control plane services to reduce overall traffic direct all excess traffic away from the route processor
1 There are 16 privilege levels that can be configured as part of the username command, ranging from 0 to 15. By default, if no level is specified, the account will have privilege level 1,
What is the default privilege level of user accounts created on Cisco routers? 0 1 15 16
to configure OSPF MD5 authentication globally on the router
What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router? to encrypt OSPF routing updates to enable OSPF MD5 authentication on a per-interface basis to configure OSPF MD5 authentication globally on the router to facilitate the establishment of neighbor adjacencies
The generated keys can be used by SSH.
What occurs after RSA keys are generated on a Cisco router to prepare for secure device management? All vty ports are automatically configured for SSH to provide secure management. The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command. The keys must be zeroized to reset Secure Shell before configuring other parameters. The generated keys can be used by SSH.
Locate the router in a secure locked room that is accessible only to authorized personnel.
Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode? Keep a secure copy of the router Cisco IOS image and router configuration file as a backup. Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed. Configure secure administrative control to ensure that only authorized personnel can access the router. Locate the router in a secure locked room that is accessible only to authorized personnel. Provision the router with the maximum amount of memory possible.
R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login local
Which set of commands are required to create a username of admin, hash the password using MD5, and force the router to access the internal username database when a user attempts to access the console? R1(config)# username admin password Admin01pa55 R1(config)# line con 0 R1(config-line)# login local R1(config)# username admin password Admin01pa55 R1(config)# line con 0 R1(config-line)# login R1(config)# username admin Admin01pa55 encr md5 R1(config)# line con 0 R1(config-line)# login local R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login local R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login
JR-Admin can issue ping and reload commands.
Which statement about the JR-Admin account is true? R1(config)# privilege exec level 4 ping R1(config)# privilege exec level 8 reload R1(config)# privilege exec level 12 show R1(config)# username JR-Admin privilege 10 secret cisco10 JR-Admin can issue show, ping, and reload commands. JR-Admin can issue ping and reload commands. JR-Admin can issue only ping commands. JR-Admin can issue debug and reload commands. JR-Admin cannot issue any command because the privilege level does not match one of those defined.
slow down an active attack create syslog messages disable logins from specified hosts
Which three actions are produced by adding Cisco IOS login enhancements to the router login process? (Choose three.) permit only secure console access slow down an active attack create syslog messages create password authentication automatically provide AAA authentication disable logins from specified hosts
physical security operating system security router hardening
Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.) physical security flash security operating system security remote access security router hardening zone isolation
gathering logging information specifying where captured information is stored distinguishing between information to be captured and information to be ignored
Which three functions are provided by the syslog logging service? (Choose three.) authenticating and encrypting data sent over the network gathering logging information specifying where captured information is stored setting the size of the logging buffer distinguishing between information to be captured and information to be ignored retaining messages on the router when a router is rebooted
content of a security banner enable secret password enable password
Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.) content of a security banner interfaces to enable enable secret password enable password IP addresses of interfaces services to disable
There is no access control to specific interfaces on a router. Commands set on a higher privilege level are not available for lower privilege users. Creating a user account that needs access to most but not all commands can be a tedious process.
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.) There is no access control to specific interfaces on a router. The root user must be assigned to each privilege level that is defined. Commands set on a higher privilege level are not available for lower privilege users. Views are required to define the CLI commands that each user can access. Creating a user account that needs access to most but not all commands can be a tedious process. It is required that all 16 privilege levels be defined, whether they are used or not.
root view superview CLI view
Which three types of views are available when configuring the role-based CLI access feature? (Choose three.) superuser view root view superview CLI view admin view config view
Users logged in to a superview can access all commands specified within the associated CLI views. A specific superview cannot have commands added to it directly.
Which two characteristics apply to role-based CLI access superviews? (Choose two.) CLI views have passwords, but superviews do not have passwords. Users logged in to a superview can access all commands specified within the associated CLI views. A single superview can be shared among multiple CLI views. A specific superview cannot have commands added to it directly. Deleting a superview deletes all associated CLI views.
security banner enable secret password
Which two options can be configured by Cisco AutoSecure? (Choose two.) enable secret password SNMP syslog security banner interface IP address
Secure Copy Protocol (SCP)
relies on SSH and requires that AAA authentication and authorization be configured so that the router can determine whether the user has the correct privilege level. For local authentication, at least one user with privilege level 15 has to be configured. Transfers can originate from any _________________________ client whether that client is another router, switch, or workstation. The ip _________________ server enable command has to be issued to enable the server side functionality.
