CNA252 / Chapter 5 / Network Security and Monitoring
SNMP client devices
Where would one find SNMP agents and MIBs?
A) The RSPAN VLAN must be the same on both the source and destination switch.
*Which statement describes the RSPAN VLAN?* A) The RSPAN VLAN must be the same on both the source and destination switch. B) The RSPAN VLAN must be the same as the native VLAN. C) The RSPAN VLAN can be used to carry secure traffic between switches. D) The RSPAN VLAN can be used for remote management of network switches.
B) It uses message integrity to ensure that packets have not been altered in transit. D) It uses authentication to determine if messages are from a valid source. E) It uses encryption to scramble the content of packets to prevent unauthorized access.
*A company is designing a network monitoring system and is considering SNMPv3. What are three characteristics of SNMPv3? (Choose three.)* A) It uses UDP port 514 to send event notifications to message collectors. B) It uses message integrity to ensure that packets have not been altered in transit. C) It uses expanded error codes to identify different types of error conditions. D) It uses authentication to determine if messages are from a valid source. E) It uses encryption to scramble the content of packets to prevent unauthorized access. F) It uses a flat structure of MIB to improve the speed of access to the information.
A) It adds a new user to the SNMP group. B) It uses the MD5 authentication of the SNMP messages.
*A network administrator has issued the snmp-server user admin1 admin v3 encrypted auth md5 abc789 priv des 256 key99 command. What are two features of this command? (Choose two.)* A) It adds a new user to the SNMP group. B) It uses the MD5 authentication of the SNMP messages. C) It restricts SNMP access to defined SNMP managers. D) It allows a network administrator to configure a secret encrypted password on the SNMP server. E) It forces the network manager to log into the agent to retrieve the SNMP messages.
B) message encryption D) message source validation SNMPv3 provides message integrity to ensure that a packet was not tampered with and authentication to determine if the message is from a valid source. SNMPv3 also supports message encryption. SNMPv1 and SNMPv2 do not support message encryption, but do support community strings. SNMPv2c supports bulk retrieval operation. All SNMP versions support the SNMP trap mechanism.
*A network administrator is analyzing the features supported by the multiple versions of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.)* A) SNMP trap mechanism B) message encryption C) bulk retrieval of MIB information D) message source validation E) community-based security
C) If an interface comes up, a trap is sent to the server. The snmp-server enable traps command enables SNMP to send trap messages to the NMS at 10.10.50.25. The notification-types argument can be used to specify which specific type of trap is sent. If this argument is not used, then all trap types are sent. If the notification-types argument is used, then repeated use of this command is required if another subset of trap types is desired.
*A network administrator issues two commands on a router:* *R1(config)# snmp-server host 10.10.50.25 version 2c campus* *R1(config)# snmp-server enable traps* *What can be concluded after the commands are entered?* A) The snmp-server enable traps command needs to be used repeatedly if a particular subset of trap types is desired. B) Traps are sent with the source IP address as 10.10.50.25. C) If an interface comes up, a trap is sent to the server. D) No traps are sent, because the notification-types argument was not specified yet.
snooping
*DHCP ____ is a mitigation technique to prevent rogue DHCP servers from providing false IP configuration parameters.*
D) Define an ACL and reference it by using the *snmp-server community* command.
*How can SNMP access be restricted to a specific SNMP manager?* A) Use the *snmp-server community* command to configure the community string with no access level. B) Specify the IP address of the SNMP manager by using the *snmp-server host* command. C) Use the *snmp-server traps* command to enable traps on an SNMP manager. D) Define an ACL and reference it by using the *snmp-server community* command.
A) get-bulk-request 3) retrieving multiple rows in a table in a single transmission B) get-next-request 5) sequentially searching tables to retrieve a value from a variable C) set-request 4) storing a value in a specific variable D) get-response 2) replying to GET request and SET request messages that are sent by an NMS
*Match each SNMP operation to the corresponding description. (Not all options are used.)* A) get-bulk-request B) get-next-request C) set-request D) get-response 1) retrieving a value from a specific variable 2) replying to GET request and SET request messages that are sent by an NMS 3) retrieving multiple rows in a table in a single transmission 4) storing a value in a specific variable 5) sequentially searching tables to retrieve a value from a variable
True
*True or False?* *In the 802.1X standard, the client attempting to access the network is referred to as the supplicant.*
D) unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network
*What are SNMP trap messages?* A) messages that are used by the NMS to change configuration variables in the agent device B) messages that are used by the NMS to query the device for data C) messages that are sent periodically by the NMS to the SNMP agents that reside on managed devices to query the device for data D) unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network
A) Disable DTP. C) Enable trunking manually. F) Set the native VLAN to an unused VLAN. Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use.
*What are three techniques for mitigating VLAN attacks? (Choose three.)* A) Disable DTP. B) Use private VLANs. C) Enable trunking manually. D) Enable BPDU guard. E) Enable Source Guard. F) Set the native VLAN to an unused VLAN.
C) It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device.
*Which statement describes the function of the SPAN tool used in a Cisco switch?* A) It provides interconnection between VLANs over multiple switches. B) It is a secure channel for a switch to send logging to a syslog server. C) It copies the traffic from one switch port and sends it to another switch port that is connected to a monitoring device. D) It supports the SNMP trap operation on a switch.
D) SNMP read-only community strings can be used to get information from an SNMP-enabled device. E) SNMP read-write community strings can be used to set information on an SNMP-enabled device.
*What are two characteristics of SNMP community strings? (Choose two.)* A) A vulnerability of SNMPv1, SNMPv2, and SNMPv3 is that they send the community strings in plaintext. B) Commonly known community strings should be used when configuring secure SNMP. C) If the manager sends one of the correct read-only community strings, it can get information and set information in an agent. D) SNMP read-only community strings can be used to get information from an SNMP-enabled device. E) SNMP read-write community strings can be used to set information on an SNMP-enabled device.
B) untrusted port D) trusted DHCP port
*What are two types of switch ports that are used on Cisco switches as part of the defense against DHCP spoofing attacks? (Choose two.)* A) unknown port B) untrusted port C) unauthorized port D) trusted DHCP port E) authorized DHCP port F) established DHCP port
B) the client that is requesting authentication
*What device is considered a supplicant during the 802.1X authentication process?* A) the authentication server that is performing client authentication B) the client that is requesting authentication C) the switch that is controlling network access D) the router that is serving as the default gateway
B) User accounts must be configured locally on each device, which is an unscalable authentication solution.
*What is a drawback of the local database method of securing device access that can be solved by using AAA with centralized servers?* A) The passwords can only be stored in plain text in the running configuration. B) User accounts must be configured locally on each device, which is an unscalable authentication solution. C) There is no ability to provide accountability. D) It is very susceptible to brute-force attacks because there is no username.
C) software that is installed on devices managed by SNMP
*What is an SNMP management agent?* A) a computer loaded with management software and used by an administrator to monitor a network B) a database that a device keeps about network performance C) software that is installed on devices managed by SNMP D) a communication protocol that is used by SNMP
D) The switch will forward all received frames to all other ports.
*What is the behavior of a switch as a result of a successful CAM table attack?* A) The switch interfaces will transition to the error-disabled state. B) The switch will shut down. C) The switch will drop all received frames. D) The switch will forward all received frames to all other ports.
C) to store data about a device
*What is the function of the MIB element as part of a network management system?* A) to send and retrieve network management information B) to change configurations on SNMP agents C) to store data about a device D) to collect data from SNMP agents
C) Enable port security.
*What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow?* A) Disable DTP. B) Disable STP. C) Enable port security. D) Place unused ports in an unused VLAN.
A) DHCP starvation
*What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?* A) DHCP starvation B) CAM table attack C) IP address spoofing D) DHCP spoofing
C) RADIUS
*What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?* A) MD5 B) TACACS+ C) RADIUS D) SSH
A) accounting C) authorization D) authentication
*What three services are provided by the AAA framework? (Choose three.)* A) accounting B) automation C) authorization D) authentication E) autobalancing F) autoconfiguration
D) the switch that the client is connected to
*When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client?* A) the supplicant B) the router that is serving as the default gateway C) the authentication server D) the switch that the client is connected to
B) SNMPv2c
*Which SNMP version uses weak community string-based access control and supports bulk retrieval?* A) SNMPv2Classic B) SNMPv2c C) SNMPv3 D) SNMPv1
B) configuring the community string and access level
*Which SNMPv2 configuration step is required?* A) documenting the location of the system contact B) configuring the community string and access level C) restricting SNMP access to NMS hosts D) enabling traps on an SNMP agent
B) global configuration mode
*Which mode is used to configure SNMP?* A) privileged mode B) global configuration mode C) interface configuration mode D) router configuration mode
D) 802.1x
*Which protocol defines port-based authentication to restrict unauthorized hosts from connecting to the LAN through publicly accessible switch ports?* A) TACACS+ B) RADIUS C) SSH D) 802.1x
C) SNMP
*Which protocol or service can be configured to send unsolicited messages to alert the network administrator about a network event such as an extremely high CPU utilization on a router?* A) syslog B) NTP C) SNMP D) NetFlow
B) CDP
*Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?* A) HTTP B) CDP C) FTP D) LLDP
B) A set request is used by the NMS to change configuration variables in the agent device.
*Which statement describes SNMP operation?* A) A get request is used by the SNMP agent to query the device for data. B) A set request is used by the NMS to change configuration variables in the agent device. C) An SNMP agent that resides on a managed device collects information about the device and stores that information remotely in the MIB that is located on the NMS. D) An NMS periodically polls the SNMP agents that are residing on managed devices by using traps to query the devices for data.
C) SPAN can be configured to send a copy of traffic to a destination port on the same switch. D) SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch. F) RSPAN can be used to forward traffic to reach an IPS that is analyzing traffic for malicious behavior.
*Which three statements describe SPAN and RSPAN? (Choose three.)* A) SPAN can send a copy of traffic to a port on another switch. B) RSPAN is required for syslog and SNMP implementation. C) SPAN can be configured to send a copy of traffic to a destination port on the same switch. D) SPAN can copy traffic on a source port or source VLAN to a destination port on the same switch. E) RSPAN is required to copy traffic on a source VLAN to a destination port on the same switch. F) RSPAN can be used to forward traffic to reach an IPS that is analyzing traffic for malicious behavior.
B) RADIUS E) TACACS+
*Which two protocols are used to provide server-based AAA authentication? (Choose two.)* A) 802.1x B) RADIUS C) SSH D) SNMP E) TACACS+
set
A ____ request is used by the NMS to change configuration variables in the agent device.
set
A ____ request is used by the NMS to initiate actions within a device.
get
A ____ request is used by the NMS to query the device for data.
CDP CDP
A proprietary Layer 2 link discovery protocol, ____ can automatically discover other ____-enabled devices and help auto-configure their connection.
Network Management System (NMS)
A way to think of an SNMP manager is that it is part of a ____ ____ ____.
802.1Q
An IEEE standard for trunking that is briefly mentioned in the chapter.
DHCP spoofing attack
An attacker configures a fake DHCP server on the network to issue IP addresses to clients.
DHCP starvation attack
An attacker floods the DHCP server with bogus DHCP requests and eventually leases all of the available IP addresses in the DHCP server pool.
DoS (Denial of Service) attack
Any attack that is used to overload specific devices and network services with illegitimate traffic, thereby preventing legitimate traffic from reaching those resources.
security violation
If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a ____ ____.
fail-open mode
In this mode, the switch broadcasts all frames to all machines on the network.
SNMP
It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.
- Disable DTP (auto trunking) negotiations on non-trunking ports and explicitly force the access ports by using the switchport mode access interface configuration command.
- Disable DTP (auto trunking) negotiations on trunking and non-trunking ports using the switchport nonegotiate interface configuration command.
- Manually enable the trunk link on a trunking port.
- Set the native VLAN to be something other than VLAN 1.
- Disable unused ports and assign them to an unused VLAN.
List some ways to prevent basic VLAN attacks. Now.
False
When an 802.1X port is in the unauthorized state, the port allows all traffic except for 802.1X protocol packets.
SNMP agent software module.
Network devices that must be managed, such as switches, routers, servers, firewalls, and workstations, are equipped with a(n) ____ ____ ____ ____.
agent software module
Network devices that must be managed, such as switches, routers, servers, firewalls, and workstations, are equipped with an SNMP ____ ____ ____.
Application Layer
On which layer of the OSI model would you find SNMP?
MAC Address Flooding Attack (MAC address table overflow attack or CAM table overflow attack)
One of the most basic and common LAN switch attacks.
Dynamic ARP Inspection (DAI)
Prevents ARP spoofing and ARP poisoning attacks.
DHCP Snooping
Prevents DHCP starvation and DHCP spoofing attacks.
IP Source Guard (IPSG)
Prevents MAC and IP address spoofing attacks.
Port Security
Prevents many types of attacks including CAM table overflow attacks and DHCP starvation attacks.
get-response
Replies to a get-request, get-next-request, and set-request sent by an NMS.
get-bulk-request
Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. Only works with SNMPv2 or later.
get-request
SNMP Operations: Retrieves a value from a specific variable.
get-next-request
SNMP Operations: Retrieves a value from a variable within a table; the SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
UDP Port 162
SNMP agents send any SNMP traps to the SNMP manager on which port?
It is stored by the agent locally in the MIB.
SNMP agents that reside on managed devices collect and store information about the device and its operation. Where is this information stored?
set-request
Stores a value in a specific variable.
agent MIB
The SNMP ____ and ____ reside on SNMP client devices.
client devices
The SNMP agent and MIB reside on SNMP ____ ____.
D) get
The SNMP manager can collect information from an SNMP agent with this action. Choose the best answer. A) set B) grab C) take D) get E) traps F) action G) find
UDP Port 161
The SNMP manager polls the agents and queries the MIB for SNMP agents on which port?
SNMP manager, SNMP agents (managed nodes), Management Information Base (MIB)
The SNMP system is made up of which three elements?
IEEE 802.1X
The ____ ____ standard defines a port-based access control and authentication protocol.
CDP Reconnaissance Attack, Telnet Attacks, MAC Address Table Flooding Attack, VLAN Attacks, DHCP Attacks
The chapter starts by listing several Layer 2 attacks, identify them. Also, you should probably know what they are.
enable port security
The simplest and most effective method to prevent MAC table flooding attacks.
Switch (Authenticator)
This 802.1X role controls physical access to the network based on the authentication status of the client.
Authentication server
This 802.1X role performs the actual authentication of the client.
Local AAA Authentication
This AAA method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database.
C) set
This action can change configurations on an agent. Choose the best answer. A) mod B) grab C) set D) get E) traps F) action G) take
Local AAA Authentication
This common method of implementing AAA services is sometimes called self-contained authentication.
E) traps
This is how SNMP agents can forward information directly to a network manager. Choose the best answer. A) mod B) grab C) set D) get E) traps F) action G) take
DHCP Spoofing Attack
This type of attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.
True
True or False 802.1X port-based authentication adds security to the access layer.
True
True or False Always use TACACS+ to communicate between a router and AAA servers because all TACACS+ protocol exchanges are encrypted.
True
True or False By default, all switch ports are untrusted.
False CDP broadcasts are unencrypted.
True or False CDP information is sent out CDP-enabled ports in periodic, encrypted broadcasts.
True
True or False Only ports connecting to upstream DHCP servers should be trusted.
False SMTP is on port 25 and it is TCP. Fun fact: Auto-correct tried to change SMTP to SMUT.
True or False SNMP resides on UDP port 25.
False
True or False Security Best Practice: Always use Telnet instead of SSH for remote access.
False
True or False Security Best Practice: RADIUS is considered to be the most secure authentication protocol.
True
True or False The SNMP agent is responsible for providing access to the local MIB.
False
True or False When an 802.1X port is in the unauthorized state, the port allows all traffic except for 802.1X protocol packets.
False RADIUS encrypts the user *password* only. Don't be fooled by big blocks of text.
True or False While both protocols can be used to communicate between a router and AAA servers, TACACS+ is considered the more secure protocol. This is because all TACACS+ protocol exchanges are encrypted, while RADIUS only encrypts the user's username. RADIUS does not encrypt passwords, accounting information, or any other information carried in the RADIUS message.
True It seems weird but that's taken directly out of the chapter.
True or False With 802.1X, the RADIUS security system with EAP extensions is the only supported authentication server.
Client (Supplicant), Switch (Authenticator), Authentication server
What are the three roles in 802.1X?
get and set
What are the two primary SNMP manager requests?
Brute Force Password Attack, Telnet DoS Attack
What are the two types of Telnet attacks listed in the chapter?
MIBs
What stores data about the device and operational statistics and is meant to be available to authenticated remote users?
Trusted DHCP ports, Untrusted ports
Which type(s) of ports are recognized by DHCP snooping?
Server-based AAA Authentication
With this AAA method, the router accesses a central AAA server. The AAA server contains the usernames and passwords for all users and serves as a central authentication system for all infrastructure devices.
IEEE 802.1X
____ ____ restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports.
SNMP
____ is an application layer protocol that provides a message format for communication between managers and agents.
TACACS+ RADIUS
____ or ____ protocols are used to communicate between the router and AAA security servers.