Network Auth and Security Chapter 1-22

What command will prevent all unencrypted passwords from displaying in plain text in a configuration file? (config)# service password-encryption (config)# enable secret Secret_Password (config)# enable password-secret (config)# password secret (config)# secret-encrypt all 0 15

(config)# service password-encryption

A network administrator establishes a connection to a switch via SSH. What characteristic uniquely describes the SSH connection? Direct access to the switch through the use of a terminal emulation program. Remote access to a switch where data is encrypted during the session. Out-of-band access to a switch through the use of a terminal with password authentication. Remote access to the switch through the use of a telephone dialup connection. On-site access to a switch through the use of a directly connected PC and a console cable.

Remote access to a switch where data is encrypted during the session.

Which type of firewall generally has a low impact on network performance? Stateful firewall. Stateless firewall. Application gateway firewall. Next generation firewall.

Stateless firewall.

Which network security tool can detect open TCP and UDP ports on most versions of Microsoft Windows? Nmap L0phtcrack SuperScan Zenmap

SuperScan

Which technology allows syslog messages to be filtered to different devices based on event importance? Syslog service timestamps. Syslog severity levels. Syslog service identifiers. Syslog facilities.

Syslog severity levels.

What threat intelligence group provides blogs and podcasts to help network security professionals remain effective and up-to-date? Mitre FireEye CybOX Talos

Talos

Which statement describes the use of certificate classes in the PKI? Email security is provided by the vendor, not by a certificate. The lower the class number, the more trusted the certificate. A vendor must issue only one class of certificates when acting as a CA. A class 5 certificate is more trustworthy than a class 4 certificate.

A class 5 certificate is more trustworthy than a class 4 certificate.

Which statement describes a zone when implementing ZPF on a Cisco router? A zone establishes a security border of a network. Only one zone can be attached to a single interface. A zone is used to implement traffic filtering for either TCP or UDP. It does not require a remote connection to a Cisco device.

A zone establishes a security border of a network.

Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack? Telnet CDP LLDP SSH

CDP

Which open source network monitoring technology performs real-time traffic analysis and generates alerts when threats are detected on IP networks? RSPAN SPAN Snort IPS IOS IPS CSPAN

CSPAN

Which device supports the use of SPAN to enable monitoring of malicious activity? Cisco Security Agent. Cisco IronPort. Cisco Catalyst switch. Cisco NAC.

Cisco Catalyst switch.

Which device is a dedicated inline threat prevention appliance that is effective against both known and unknown threats? Cisco IOS IPS. Cisco ASA. Cisco FirePOWER NGIPS. Cisco Snort IPS.

Cisco FirePOWER NGIPS.

Which intrusion prevention service was available on first-generation ISR routers and is no longer supported by Cisco? Cisco IOS IPS Cisco Firepower Next-Generation External Snort IPS Server Cisco Snort IPS

Cisco IOS IPS

What is the source for IPS rule updates when using a Cisco intrusion prevention service? Cisco Talos. SIEM. Security Onion. Cisco.com

Cisco Talos.

Which range of custom privilege levels can be configured on Cisco routers? 2 through 14 0 through 15 1 through 15 1 through 16

2 through 14

When SNMPv1 or SNMPv2 is being used, which feature provides secure access to MIB objects? Community strings. Message integrity. Packet encryption. Source validation. Destination validation.

Community strings.

Which Cisco platform supports Cisco Snort IPS? 800 series ISR. 3900 series ISR. 4000 series ISR. 2900 series ISR.

4000 series ISR.

Which service is added to the Cisco ASA 5500 by the ASA 5500-X? threat control and containment services ASA virtualization FirePOWER service high availability with failover

FirePOWER service

A company is planning to use a DMZ for their servers and is concerned about securing the network infrastructure. Which device should the network security team use for the edge router? Firewall. VPN gateway. Cisco Nexus Switch. An intrusion prevention device (IPS).

Firewall.

Which protocol or service is used to automatically synchronize the software clocks on Cisco routers? NTP DNS SNMP STP

NTP

At what point in the enterprise network are packets arriving from the internet examined prior to entering the network? Network Edge. WAN Edge. Core Router. On a third-party server one hop off-site

Network Edge.

What is one difference between using Telnet or SSH to connect to a network device for management purposes? Telnet sends data in plain text, whereas SSH encrypts the data. If you are consoled in to the router locally, there is no difference. Telnet uses UDP and SSH uses HTTPS. Telnet does not provide authentication whereas SSH provides authentication.

Telnet sends data in plain text, whereas SSH encrypts the data.

In ZPF design, what is described as the self zone? The outward facing interface on the edge router. A predefined cluster of servers with configured interfaces. The router itself, including all interfaces with assigned IP addresses. A predefined cluster of routers with configured interfaces.

The router itself, including all interfaces with assigned IP addresses.

When using 802.1X authentication, what device controls physical access to the network, based on the authentication status of the client? The switch to which the client is connected. The supplicant. The router that is serving as the default gateway. The authentication server.

The switch to which the client is connected.

What method is used to apply an IPv6 ACL to a router interface? The use of the ipv6 traffic-filter command. The use of the access-class command. The use of the ipv6 access-list command. The use of the ip access-group command.

The use of the ipv6 traffic-filter command.

An administrator assigned a level of router access to the user ADMIN using the commands below. (Choose three.) Router(config)# privilege exec level 14 show ip route Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10 Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10 The user can issue the show version command. The user can issue the ip route command. The user can only execute the subcommands under the show ip route command. The user can issue all commands because this privilege level can execute all Cisco IOS commands. The user can execute all subcommands under the show ip interfaces command.

The user cannot issue any commands. The user can issue the show version command. The user can execute all subcommands under the show ip interfaces command.

Refer to the exhibit. Which statement describes the function of the ACEs? These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns. These ACEs allow for IPv6 neighbor discovery traffic. These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur. These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.

These ACEs allow for IPv6 neighbor discovery traffic.

In what way are zombies used in security attacks? They probe a group of machines for open ports to learn which services are running. They are maliciously formed code segments used to replace legitimate applications. They are infected machines that carry out a DDoS attack. They target specific individuals to gain corporate information. They target specific individuals to gain personal information.

They are infected machines that carry out a DDoS attack.

Which statement is a characteristic of a packet filtering firewall? They are susceptible to IP spoofing. They filter fragmented packets. They have a high impact on network performance. They examine each packet in the context of the state of a connection.

They are susceptible to IP spoofing.

When would the authentication port-control command be used during an 802.1X implementation? When a client has sent an EAPOL-logoff message. When the authentication server is located in the cloud. When an organization needs to control the port authorization state on a switch.

When an organization needs to control the port authorization state on a switch.

What is the function of the Diffie-Hellman algorithm within the IPsec framework? provides authentication allows peers to exchange shared keys guarantees message integrity provides strong data encryption

allows peers to exchange shared keys

A port has been configured for the 802.1X protocol and the client has successfully authenticated. Which 802.1X state is associated with this PC? up enabled authorized forwarding

authorized

What method can be used to mitigate ping sweeps? Blocking ICMP echo and echo-replies at the network edge. Installing antivirus software on hosts. Deploying antisniffer software on hosts. It uses the enable password for authentication. Blocking ICMP echo and echo-replies in the middle of the network.

blocking ICMP echo and echo-replies at the network edge

Which resource is affected due to weak security settings for a device owned by the company, but housed in another location? Removable media. Hard copy. Social networking. SSD Drive. Cloud Storage Device.

cloud storage device

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports? control broadcast user management

control

As data is being stored on a local hard disk, which method would secure the data from unauthorized access? data encryption deletion of sensitive files two factor authentication a duplicate hard drive copy

data encryption

A new person has joined the security operations team for a manufacturing plant. What is a common scope of responsibility for this person? managing redundancy operations for all systems data security on host devices physical and logical security of all business personnel day-to-day maintenance of network security

day-to-day maintenance of network security

Websites are rated based on the latest website reputation intelligence. Which endpoint security measure prevents endpoints from connecting to websites that have a bad rating? spam filtering DLP denylisting host-based IPS antimalware software

denylisting

Which type of cryptographic key would be used when connecting to a secure website? symmetric keys digital signatures DES key hash keys

digital signatures

How does ZPF handle traffic between an interface that is a zone member and another interface that does not belong to any zone? pass drop allow inspect

drop

Which operator is used in an ACL statement to match packets of a specific application? eq gt lt established implicit deny match

eq

What type of ACL offers greater flexibility and control over network access? named standard numbered standard flexible extended detracted

extended

Which type of alert is generated when an IPS incorrectly identifies normal network user traffic as attack traffic? true positive false positive true negative false negative prognosis negative

false positive

Which two router commands can a user issue when granted privilege level 0? (Choose two.) disable enable ping show help configure

help

Which host-based security measure is used to restrict incoming and outgoing connections? host-based firewall guest-based firewall antivirus/antimalware software host-based IPS rootkit

host-based firewall

Which section of a security policy is used to specify that only authorized individuals should have access to enterprise data? Statement of Authority. Acceptable use policy. Identification and authentication policy. Statement of Scope. Internet access policy.

identification and authentication policy

What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.) identification of Layer 3 protocol support on hosts validation of IT system configuration password auditing TCP and UDP port scanning password recovery

identification of Layer 3 protocol support on hosts TCP and UDP port scanning

Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit? authentication secure key exchange integrity confidentiality

integrity

What three items are components of the CIA triad? (Choose three.) NSA, DHS and FBI. Confidentiality. Availability. Integrity. Scalability. Intervention. Access.

integrity availability confidentiality

What type of network security test would be used by network administrators for detection and reporting of changes to network systems? penetration testing network scanning integrity checking vulnerability scanning

integrity checking

What do most cryptographic system attacks seek to target? user information the cryptographic algorithm key management the actual data packet

key management

What are three actions that can be performed by Snort in IDS mode? (Choose three.) reject drop log sdrop alert pass

log alert pass

A network engineer wants to synchronize the time of a router with an NTP server at the IPv4 address 209.165.200.225. The exit interface of the router is configured with an IPv4 address of 192.168.212.11. Which global configuration command should be used to configure the NTP server as the time source for this router? ntp server 209.165.200.225 ntp server 209.165.200.0 ntp server 192.168.212.11 ntp server s0/0/0

ntp server 209.165.200.225

What are three network enhancements achieved by implementing the Cisco IOS software role-based CLI access feature? (Choose three.) security scalability fault tolerance cost reduction operational efficiency availability

operational efficiency security availability

Which type of attack allows an attacker to use a brute force approach? password cracking denial of service social engineering packet sniffing

password cracking

Which security service is provided by 802.1x? port-based network access control protection against emerging threats for Cisco products malware analysis and protection across the full attack continuum malware analysis of files

port-based network access control

Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames? LLDP CDP proxy ARP reverse ARP

proxy ARP

What information does the SIEM network security management tool provide to network administrators? detection of open TCP and UDP ports real time reporting and analysis of security events assessment of system security configurations a map of network systems and services

real time reporting and analysis of security events

Which type of VPN may require the Cisco VPN Client software? remote access VPN site-to-site VPN MPLS VPN SSL VPN

remote access VPN

Which command will move the show interface command to privilege level 10? router(config)# privilege exec level 10 show interface router(config)# privilege level 10 show interface router(config)# show interface level 10 router(config-if)# privilege exec level 10 show interface

router(config)# privilege exec level 10 show interface

Which security implementation will provide control plane protection for a network device? There is no ability to secure the control plane. Routing Protocol Authentication. Encryption for remote access connection. NTP for consistent timestamps on logging messages. AAA for authenticating management access. AAA provides free road-side assistance.

routing protocol authentication

What function is provided by the Tripwire network security tool? password recovery IDS signature development logging of security events security policy compliance

security policy compliance

What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity? event file signature trigger definition

signature

What is hyperjacking? taking over a virtual machine hypervisor as part of a data center attack overclocking the mesh network which connects the data center servers adding outdated security software to a virtual machine to gain access to a data center server using processors from multiple computers to increase data processing power

taking over a virtual machine hypervisor as part of a data center attack

What is cryptology? the science of making and breaking secret codes the science of creating transposition and substitution ciphers the science of guaranteeing that a message is not a forgery and comes from the authentic source the science of cracking the code without access to the shared secret key

the science of making and breaking secret codes

What is a purpose of a digital certificate? to support large-scale distribution and identification of public encryption keys to authenticate and verify that a user who is sending a message is who they claim to be to query for the revocation status of an X.509 certificate to assure the authenticity and integrity of software code

to authenticate and verify that a user who is sending a message is who they claim to be

Why would a rootkit be used by a hacker? to do reconnaissance to try to guess a password to gain access to a device without being detected to reverse engineer binary files to root an Android device

to gain access to a device without being detected

What is the primary function of SANS? To maintain the Internet Storm Center. To maintain the Weather Channel. To foster cooperation and coordination in information sharing, incident prevention and rapid reaction. To provide vendor neutral education products and career services. To maintain the list of common vulnerabilities.

to maintain the Internet Storm Center

What is the reason for HMAC to use an additional secret key as input to the hash function? to provide integrity verification to provide encryption to provide authentication to prevent DoS attacks

to provide authentication

Refer to the exhibit. Which type of cipher method is depicted? stream cipher substitution cipher transposition cipher Caesar cipher

transposition cipher

What wild card mask will match networks 172.16.0.0 through 172.19.0.0? 0.252.255.255 0.0.3.255 0.3.255.255 0.0.255.255 0.0.0.255

0.3.255.255

What is the default privilege level of user accounts created on Cisco routers? 16 0 1 15

1

Which CA class of digital certificates would be used by individuals to perform email verification? 1 0 2 3

1

What is the most trustworthy security level that can be configured on an ASA device interface? 100 255 50 0

100

What are two benefits of implementing a firewall in a network? (Choose two.) A firewall will inspect network traffic and forward traffic based solely on the Layer 2 Ethernet MAC address. A firewall will sanitize protocol flow. A firewall will prevent unauthorized traffic from being tunneled or hidden as legitimate traffic through an enterprise network. A firewall will reduce security management complexity. A firewall will provide accessibility of applications and sensitive resources to external untrusted users.

A firewall will sanitize protocol flow. A firewall will reduce security management complexity.

In the video that describes the anatomy of an attack, a threat actor was able to gain access through a network device, download data, and destroy it. Which flaw allowed the threat actor to do this? Lack of a strong password policy. Open ports on the firewall. Improper physical security. A flat network with no subnets or VLANs. A round network with a lot of VLANs.

A flat network with no subnets or VLANs.

Which statement describes SNMP operation? An SNMP agent that resides on a managed device collects information about the device and stores that information remotely in the MIB that is located on the NMS. A get request is used by the SNMP agent to query the device for data. A set request is used by the NMS to change configuration variables in the agent device. An NMS periodically polls the SNMP agents that are residing on managed devices by using traps to query the devices for data.

A set request is used by the NMS to change configuration variables in the agent device.

What is a characteristic of the Cisco IOS Resilient Configuration feature? It maintains a secure working copy of the bootstrap startup program. Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered. A snapshot of the router running configuration can be taken and securely archived in persistent storage. The secure boot-image command works properly when the system is configured to run an image from a TFTP server.

A snapshot of the router running configuration can be taken and securely archived in persistent storage.

What is an example of a local exploit? A threat actor performs a brute force attack on an enterprise edge router to gain illegal access. A buffer overflow attack is launched against an online shopping website and causes a server crash. Port scanning is used to determine if the Telnet service is running. The threat actor is within a 5 kilometer radius of the target. A threat actor tries to gain the user password of a remote host by using a keyboard capture installed by a Trojan.

A threat actor tries to gain the user password of a remote host by using a keyboard capture installed by a Trojan.

What three configuration steps must be performed to implement SSH access to a router? (Choose three.) A user account. A unique hostname. An IP domain name. A password on the console line. An encrypted password. An enable mode password. Standard ACLs can filter on source and destination TCP and UDP ports.

A user account. A unique hostname. An IP domain name.

A network administrator is issuing the login block-for 180 attempts 2 within 30 command on a router. Which threat is the network administrator trying to prevent? A device that is trying to inspect the traffic on a link. An unidentified individual who is trying to access the network equipment room. A worm that is attempting to propagate the network. A user who is trying to guess a password to access the router or a brute force attack.

A user who is trying to guess a password to access the router or a brute force attack.

When implementing a ZPF, which statement describes a zone? A zone is a group of hardened computers known as bastion hosts. A zone is a group of one or more devices that provide backup and disaster recovery mechanisms. A zone is a group of administrative devices that protect against rogue access point installations. A zone is a group of one or more interfaces that have similar functions or features.

A zone is a group of one or more interfaces that have similar functions or features.

Which statement describes a factor to be considered when configuring a zone-based policy firewall? The router always filters the traffic between interfaces in the same zone. A zone must be configured with the zone security global command before it can be used in the zone-member security command. The classic firewall ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones. No certificates are used by default. The type must be specified. An interface can belong to multiple zones.

A zone must be configured with the zone security global command before it can be used in the zone-member security command.

Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform? Authentication. Authorization. Accounting. Auditing

Authorization.

What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users? SNMP AAA IPsec RADIUS

AAA

Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality? ESP DH AH IP protocol 50

AH

What three protocols must be permitted through the company firewall for establishment of IPsec site-to-site VPNs? (Choose three.) AH HTTPS ESP ISAKMP NTP SSH

AH ESP ISAKMP

What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs? ASA ACLs use forward and drop ACEs, whereas IOS ACLs use permit and deny ACEs. ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask. Multiple ASA ACLs can be applied on an interface in the ingress direction, whereas only one IOS ACL can be applied. ASA ACLs are always named, whereas IOS ACLs are always numbered. ASA ACLs do not have an implicit deny any at the end, whereas IOS ACLs do.

ASA ACLs use the subnet mask in defining a network, whereas IOS ACLs use the wildcard mask.

Which term describes the ability of a web server to keep a log of the users who access the server, as well as the length of time they use it? Authentication. Assigning permissions. Accounting. Authorization.

Accounting

Which statement describes a feature of AAA in an ASA device? Authorization is enabled by default. Accounting can be used alone. Both authorization and accounting require a user to be authenticated first. If authorization is disabled, all authenticated users will have a very limited access to the commands.

Accounting can be used alone.

Why is it important to protect endpoints? Endpoints are the starting point for VLAN attacks. Endpoints are susceptible to STP manipulation attacks that can disrupt the rest of the LAN. After an endpoint is breached, an attacker can gain access to other devices. A breached endpoint gives a threat actor access to system configuration that can modify security policy.

After an endpoint is breached, an attacker can gain access to other devices.

What is the primary means for mitigating virus and Trojan horse attacks? Antivirus Software. Encryption. Blocking ICMP echo and echo replies. Antisniffer Software.

Antivirus Software.

Which scenario would cause an ACL misconfiguration and deny all traffic? Apply a standard ACL using the ip access-group out command. Apply a named ACL to a VTY line. Apply a standard ACL in the inbound direction. Apply an ACL that has all deny ACE statements.

Apply an ACL that has all deny ACE statements.

With the evolution of borderless networks, which vegetable is now used to describe a defense-in-depth approach? Security Onion. Cabbage. Artichoke. Carrots. Mushrooms.

Artichoke

What does the TACACS+ protocol provide in a AAA deployment? Authorization on a per-user or per-group basis. AAA connectivity via UDP. Password encryption without encrypting the packet. Compatibility with previous TACACS protocols.

Authorization on a per-user or per-group basis.

How does BYOD change the way in which businesses implement networks? BYOD users are responsible for their own network security, thus reducing the need for organizational security policies. BYOD devices are more expensive than devices purchased by the organizations. BYOD devices changed nothing. BYOD devices provide flexibility in where and how users can access network resources. BYOD users are better at securing their devices than the IT Department.

BYOD provides flexibility in where and how users can access network resources.

Which statement is true about ASA CLI and IOS CLI commands? Only the ASA CLI requires the use of Ctrl-C to interrupt show commands. The ASA CLI does not recognize the write erase command, but the IOS CLI does. The show ip interface brief command is valid for both CLIs. Both CLIs recognize the Tab key to complete a partial command.

Both CLIs recognize the Tab key to complete a partial command.

Which two statements describe access attacks? (Choose two.) Port redirection attacks use a network adapter card in promiscuous mode to capture all network packets that are being sent across a LAN. To detect listening services, port scanning attacks scan a range of TCP or UDP port numbers on a host. Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code. Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers. Trust exploitation attacks often involve the use of a laptop to act as a rogue access point to capture and copy all network traffic in a public location, such as a wireless hotspot.

Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code. Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.

Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration? An administrator can assign interfaces to zones, regardless of whether the zone has been configured. By default, traffic is allowed to flow among interfaces that are members of the same zone. By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member. An administrator can assign an interface to multiple security zones.

By default, traffic is allowed to flow among interfaces that are members of the same zone.

A security intern is reviewing the corporate network topology diagrams before participating in a security review. Which network topology would commonly have a large number of wired desktop computers? CAN LAN SOHO Cloud Virtualization

CAN

Refer to the exhibit. An IT security manager is planning security updates on this particular network. Which type of network is displayed in the exhibit and is being considered for updates? WAN. CAN. SOHO. VPN. Data Center.

CAN.

When password recovery on a router is being performed and the settings in NVRAM have been bypassed, which step should be taken next? Reload the Router. Reset the Router. Copy the contents of the RAM to the NVRAM. Copy the contents of the NVRAM to the RAM.

Copy the contents of the NVRAM to the RAM.

Which functionality does the TACACS single-connection keyword provide to AAA services? Allows the use of differing keys between the TACACS+ server and the AAA client. Maintains a single UDP connection for the life of the session. Encrypts the data transfer between the TACACS+ server and the AAA client. Enhances the performance of the TCP connection

Enhances the performance of the TCP connection

In what step of zone-based policy firewall configuration is traffic identified for policy application? Creating policy maps. Defining zones. Configuring class maps. Assigning policy maps to zones.

Configuring class maps.

Which security measure is typically found both inside and outside a data center facility? Continuous video surveillance Security Traps Biometric access Exit sensors Gate

Continuous video surveillance

Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.) Creating a user account that needs access to most but all commands can be a tedious process. It is required that all 16 privlege levels be defined whether they are used of not. Views are required to define the CLI commands that each user can access. The root user must be assigned to each privlege that is defined. There is no access control to specific interfaces on a router. Commands set on higher level privleges are not available to lower privlege users.

Creating a user account that needs access to most but not all commands can be a tedious process. Commands set on higher level privileges are not available to lower privilege users. There is no access control to specific interfaces on a router.

What additional security measure must be enabled along with IP Source Guard to protect against address spoofing? port security BPDU Guard DHCP snooping root guard

DHCP snooping

What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease? DHCP spoofing. DHCP starvation. CAM table attack. IP address spoofing.

DHCP starvation.

Which type of network commonly makes use of redundant air conditioning and a security trap? Data center. CAN. WAN. Cloud. SOHO.

Data center.

What are two objectives of ensuring data integrity? (Choose two.) Access to the data is authenticated. Data is unaltered during transit. Data is available all the time. Data is encrypted while in transit and when stored on disks. Data is not changed by unauthorized entities.

Data is unaltered during transit. Data is not changed by unauthorized entities.

When considering network security, what is the most valuable asset of an organization? Personnel. Customers. Data. Financial Resources. You must be 21 years or older to answer this question

Data.

Designing a ZPF requires several steps. Which step involves defining boundaries where traffic is subjected to policy restrictions as it crosses to another region of the network? Design the physical infrastructure. Identify subsets within zones and merge traffic requirements. Establish policies between zones. Determine the zones.

Determine the zones.

In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services? MITM DoS Address Spoofing Session Hijacking Hyperjacking

DoS

When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.) Forward. Copy. Log. Drop. Inspect.

Drop. Inspect.

Which ICMP message type should be stopped inbound? Echo-reply. Echo. Source quench. Echo-tango. Unreachable.

Echo

What is the first required task when configuring server-based AAA authentication? Configure the IP address of the server. Specify the type of server providing the authentication. Enable AAA globally. Configure the type of AAA authentication.

Enable AAA globally.

What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow? Disable STP. Enable port security. Disable DTP. Place unused ports in an unused VLAN.

Enable port security.

Which network monitoring technology passively monitors network traffic to detect attacks? IDS TAP RSPAN IPS

IDS

What is one benefit of using a next-generation firewall rather than a stateful firewall? Support of logging. Integrated use of an intrusion prevention system (IPS). Support of TCP-based packet filtering. Reactive protection against Internet threats.

Integrated use of an intrusion prevention system (IPS).

Which statement describes a feature of site-to-site VPNs? The VPN connection is not statically defined. Individual hosts can enable and disable the VPN connection. Internal hosts send normal, unencapsulated packets. VPN client software is installed on each host.

Internal hosts send normal, unencapsulated packets.

Which statement accurately characterizes the evolution of threats to network security? Threats have become less sophisticated while technical knowledge needed by an attacker has grown. Internet architects planned for network security from the beginning. Internal threats can cause even greater damage than external threats. Early internet users often engaged in activities that would harm others.

Internal threats can cause even greater damage than external threats.

What command or action will verify that a VPN tunnel has been established? Issue a show ip interface command. Issue a show crypto map command. Issue a show crypto isakmp sa command. Send interesting traffic from the VPN router interface.

Issue a show crypto isakmp sa command.

What must be done before any role-based CLI views can be created? Costumes must be purchased. Configure user names and passwords. Issue the aaa new-model command. Create a secret password for the root user. Assign Multiple privilege levels.

Issue the aaa new-model command.

When a method list for AAA authentication is being configured, what is the effect of the keyword local? It uses the enable password for authentication. It defaults to the vty line password for authentication. It accepts a locally configured username, regardless of case. The login succeeds, even if all methods return an error.

It accepts a locally configured username, regardless of case.

What is the purpose of using a banner message on a Cisco network device? It will stop attackers dead in their tracks. It can provide more security by slowing down attacks. It can protect an organization from a legal perspective. It can be used to create a quiet period where remote connections are refused.

It can protect an organization from a legal perspective.

What is a feature of an IPS? It has no impact on latency. It is deployed in offline mode. It is primarily focused on identifying possible incidents. It can stop malicious packets.

It can stop malicious packets.

What is a characteristic of an IPS operating in inline-mode? It does not affect the flow of packets in forwarded traffic. It can stop malicious traffic from reaching the intended target. It requires the assistance of another network device to respond to an attack. It can only send alerts and does not drop any packets. An interface can belong to multiple zones.

It can stop malicious traffic from reaching the intended target.

What is a host-based intrusion detection system (HIDS)? It combines the functionalities of antimalware applications with firewall protection. It is an agentless system that scans files on a host for potential malware. It detects and stops potential direct attacks but does not scan for malware. It identifies potential attacks and sends alerts but does not stop the traffic.

It combines the functionalities of antimalware applications with firewall protection.

Which statement describes a feature of a zone-based policy firewall? It does not depend on ACLs. All traffic through a given interface is subject to the same inspection. It uses a flat, non-hierarchical data structure making it easier to configure and troubleshoot. The router security posture is to allow traffic unless explicitly blocked.

It does not depend on ACLs.

What is a feature of the TACACS+ protocol? It combines authentication and authorization as one process. It encrypts the entire body of the packet for more secure communications. It utilizes UDP to provide more efficient packet transfer. It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

It encrypts the entire body of the packet for more secure communications.

A switch has the following command issued as part of an 802.1X deployment. address ipv4 10.1.1.50 auth-port 1812 acct-port 1813 What is the purpose of this command? It identifies the address of the RADIUS server and ports on the server used for RADIUS traffic. It identifies the address of the switch to which the client connects and the ports used for the EAPOL messages. It identifies the address of the RADIUS server and the ports used for EAPOL messages. It identifies the address of the default gateway and the ports used for traffic destined for remote networks.

It identifies the address of the RADIUS server and ports on the server used for RADIUS traffic.

What is a zero-day attack? It is an attack that results in no hosts able to connect to a network. It is a computer attack that exploits unreported software vulnerabilities. It is an attack that has no impact on the network because the software vendor has mitigated the vulnerability. It is a computer attack that occurs on the first day of the month.

It is a computer attack that exploits unreported software vulnerabilities.

What is an IPS signature? It is the timestamp that is applied to logged security events and alarms. It is the authorization that is required to implement a security policy. It is a security script that is used to detect unknown threats. It is a set of rules used to detect typical intrusive activity.

It is a set of rules used to detect typical intrusive activity.

What is a characteristic of the Snort subscriber rule set term-based subscription? It provides 30-day delayed access to updated signatures. It is available for a fee. It does not provide access to Cisco support. It focuses on reactive responses to security threats.

It is available for a fee.

Which statement describes the term attack surface? It is the total sum of vulnerabilities in a system that is accessible to an attacker. It is the total number of attacks toward an organization within a day. It is the group of hosts that experiences the same attack. It is the interface where the attacks originate. The interface on the gateway router upon which the attack enters.

It is the total sum of vulnerabilities in a system that is accessible to an attacker

Which statement describes the behavior of a switch when the MAC address table is full? It treats frames as unknown unicast and floods all incoming frames to all ports on the switch. It treats frames as unknown unicast and floods all incoming frames to all ports within the collision domain. It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN. It treats frames as unknown unicast and floods all incoming frames to all ports across multiple switches.

It treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN.

What security tool allows a threat actor to hack into a wireless network and detect security vulnerabilities? SuperScan. KisMac. Click fuzzers. Nmap. OpenVAS. Wireshark.

KisMac

Which three layers of the OSI model include information that is commonly inspected by a stateful firewall? (Choose three.) Layer 1. Layer 3. Layer 4. Layer 2. Layer 1. Layer 5.

Layer 3. Layer 4. Layer 5.

Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode? Provision the router with the maximum amount of RAM possible. Keep a secure copy of the router Cisco IOS image and router configuration file as a backup. Ensure that users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination. Locate the router in a secure locked room that is accessible only to authorized personnel.

Locate the router in a secure locked room that is accessible only to authorized personnel.

Which type of access is secured on a Cisco router or switch with the enable secret command? Enable at least two ports for remote access. Console Line. Disable discovery protocols for all user-facing ports. Block local access. Log and account for all access.

Log and account for all access.

A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation? VLAN hopping. DHCP spoofing. MAC address table overflow. Port hopping. VLAN double-tagging.

MAC address table overflow

Which technology is used to secure, monitor, and manage mobile devices? PC Anywhere. Rootkit. ASA Firewall. VPN. MDM.

MDM.

What functional area of the Cisco Network Foundation Protection framework uses protocols such as Telnet and SSH to manage network devices? Management plane. Control plane. Data plane. Forwarding plane.

Management plane

Which network technology uses a passive splitting device that forwards all traffic, including Layer 1 errors, to an analysis device? IDS Network tap SNMP NetFlow

Network tap

Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.) Physical Security. Zone Isolation. Router Hardening. Operating System Security. Flash Security. Remote Access Security.

Operating System Security. Physical Security. Router Hardening.

Which type of firewall is commonly part of a router firewall and allows or blocks traffic based on Layer 3 or 4 information? Packet filtering firewall. Next generation firewall. Stateful firewall. Proxy firewall.

Packet filtering firewall.

Which type of firewall is supported by most routers and is the easiest to implement? Next generation firewall. Packet filtering firewall. Stateful firewall. Application gateway firewall.

Packet filtering firewall.

Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.) Pass, inspect, and drop options can only be applied between two zones. Interfaces can be assigned to a zone before the zone is created. Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone. An interface can be assigned to multiple security zones. If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

Pass, inspect, and drop options can only be applied between two zones. If traffic is to flow between all interfaces in a router, each interface must be a member of a zone. To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

Which IPS signature trigger category uses the simplest triggering mechanism and searches for a specific and pre-defined atomic or composite pattern? Pattern-Based Detection. Honey Pot-Based Detection. Policy-Based Detection. Anomaly-Based Detection.

Pattern-Based Detection.

What are two characteristics of an application gateway firewall? (Choose two.) Provides an integrated intrusion prevention and detection feature. Cisco Unified Communications (voice and video) security. Uses a simple policy table look-up to filter traffic based on Layer 3 and Layer 4 information. Performs most filtering and firewall control in software. Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model. Uses connection information maintained in a state table and analyzes traffic at OSI Layers 3, 4, and 5.

Performs most filtering and firewall control in software. Analyzes traffic at Layers 3, 4, 5 and 7 of the OSI model.

What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source? Vishing Trojan Backdooring Phreaking Cat Phishing Phishing

Phishing

Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials? Spinning Pivoting Traffic Substitution Protocol-level misinterpretation Duck and cover

Pivoting

What is a characteristic of AAA accounting? Accounting can only be enabled for network connections. Possible triggers for the aaa accounting exec default command include start-stop and stop-only. Users are not required to be authenticated before AAA accounting logs their activities on the network. Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.

Possible triggers for the aaa accounting exec default command include start-stop and stop-only.

Which type of access is secured on a Cisco router or switch with the enable secret command? AUX port. Console Line. Virtual Terminal. PuTTY. Privileged EXEC.

Privileged EXEC.

Refer to the exhibit. A network administrator wants to create a standard ACL to prevent Network 1 traffic from being transmitted to the Research and Development network. On which router interface and in which direction should the standard ACL be applied? R1 Gi0/0 outbound R2 S0/0/0 inbound R1 S0/0/0 outbound R2 Gi0/0 outbound. R2 Gi0/0 inbound R1 Gi0/0 inbound

R2 Gi0/0 outbound.

Which statement describes a difference between RADIUS and TACACS+? RADIUS encrypts only the password whereas TACACS+ encrypts all communication. RADIUS uses TCP whereas TACACS+ uses UDP. RADIUS separates authentication and authorization whereas TACACS+ combines them as one process. RADIUS is supported by the Cisco Secure ACS software whereas TACACS+ is not. Neither RADIUS nor TACACS+ is supported by the Cisco Secure ACS software.

RADIUS encrypts only the password whereas TACACS+ encrypts all communication.

Which device is used as the authentication server in an 802.1X implementation? Wireless router. RADIUS server. Ethernet switch. Access point.

RADIUS server.

Which risk management plan involves discontinuing an activity that creates a risk? Risk Mitigation Risk Avoidance Risk Reduction Risk Sharing Risk Retention

Risk Avoidance

A network administrator wants to create a new view so that a user only has access to certain configuration commands. In role-based CLI, which view should the administrator use to create the new view? CLI view. Admin view. Root view. Superview. Superuser.

Root view.

Network analysts are able to access network device log files and to monitor network behavior. SPAN syslog NAC SNMD

SPAN

What name is given to an amateur hacker? Scriptie Red Hat Blue Team Script Kiddie Kid Script

Script Kiddie

Which rule action will cause Snort IPS to block a packet without logging it? Drop. Alert. Sdrop. Reject.

Sdrop

It is recommended that in addition to using FileVault to encrypt the drive: Selecting Create a password. Set the EFI chip password. All removable drives are encrypted. Create a passphrase for FileVault.

Set the EFI chip password.

A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent? Social Engineering DDoS SAAS Anonymous key logging SPAM

Social Engineering

Refer to the exhibit. A network administrator is configuring an IPv6 ACL to allow hosts on the 2001:DB8:CAFE:10::/64 network to access remote web servers, except for PC1. However, a user on PC1 can successfully access the web server PC2. Why is this possible? The IPv6 ACL Deny_WEB is applied in the incorrect direction on router R1. The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked. The IPv6 ACL Deny_WEB is applied to the wrong interface of router R1. The IPv6 ACL Deny_WEB is spelled incorrectly when applied to the interface.

The IPv6 ACL Deny_WEB is permitting all web traffic before the specific host is blocked.

If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge? The Layer 2 address with the lowest hexadecimal value. The lowest IP address. The highest BID. The MAC address with the highest hexadecimal value.

The Layer 2 address with the lowest hexadecimal value.

Which statement correctly describes the configuration of a Snort VPG interface? The VPG1 interface must be configured with a public IP address. The VPG1 interface must use a routable static IP address. The VPG0 interface must have a routable address with access to the internet. The VPG1 interface must receive an address from DHCP.

The VPG0 interface must have a routable address with access to the internet.

What does level 5 in the following enable secret global configuration mode command indicate? Router(config)# enable secret level 5 csc5io. The enable secret password is hashed using SHA. The enable secret password grants access to privileged EXEC level 5. The enable secret password can only be enabled by individuals for EXEC level 5. The enable secret password is hashed using MD5.

The enable secret password grants access to privileged EXEC level 5.

Which statement accurately describes Cisco IOS zone-based policy firewall operation? A router interface can belong to multiple zones. Router management interfaces must be manually assigned to the self zone. Service policies are applied in interface configuration mode. The pass action works in only one direction.

The pass action works in only one direction.

What is the purpose of issuing the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router? To enable OSPF MD5 authentication on a per-interface basis. To facilitate the establishment of neighbor adjacencies. To configure OSPF MD5 authentication globally on the router. To encrypt OSPF routing updates.

To configure OSPF MD5 authentication globally on the router.

A network administrator enters the command R1# enable view adminview. What is the purpose of this command? To create a CLI view named adminview. To enter the root view. To enter a superview named adminview. To enter a CLI view named adminview.

To enter a CLI view named adminview.

What is the purpose of the network security accounting function? To keep track of the actions of a user. To provide challenge and response questions. To require users to prove who they are. To determine which resources a user can access.

To keep track of the actions of a user.

What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.) To ensure faster network convergence. To provide data security through encryption. To prevent data traffic from being redirected and then discarded. To ensure more efficient routing. To prevent redirection of data traffic to an insecure link.

To prevent redirection of data traffic to an insecure link. To prevent data traffic from being redirected and then discarded.

What are three functions provided by the syslog service? (Choose three.) To specify the destinations of captured messages. To periodically poll agents for data. To gather logging information for monitoring and troubleshooting. Enable DTP on all trunk ports. To select the type of logging information that is captured.

To specify the destinations of captured messages. To gather logging information for monitoring and troubleshooting. To select the type of logging information that is captured.

Which network monitoring capability is provided by using SPAN? Statistics on packets flowing through Cisco routers and multilayer switches can be captured. Real-time reporting and long-term analysis of security events are enabled. Traffic exiting and entering a switch is copied to a network monitoring device. A predefined cluster of routers with configured interfaces.

Traffic exiting and entering a switch is copied to a network monitoring device.

Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation? TSA WSA AVC ASA ESA

WSA

How does a firewall handle traffic that is originating from the DMZ network and traveling to a private network? Traffic is usually not filtered using firewall rules when it is originating from the DMZ network and traveling to a private network. Traffic is usually allowed when it is originating from the DMZ network and traveling to a private network. Traffic is usually blocked when it is originating from the DMZ network and traveling to a private network. Traffic is allowed when it is originating from the private network, but the response traffic from the DMZ network will be blocked.

Traffic is usually blocked when it is originating from the DMZ network and traveling to a private network.

When configuring a class map for a zone-based policy firewall, how is the match criteria applied when using the match-all parameter? Traffic must match all of the criteria solely defined by ACLs. Traffic must match at least one of the match criteria statements. Traffic must match all of the match criteria specified in the statement. Traffic must match the first criteria in the statement.

Traffic must match all of the match criteria specified in the statement.

Which type of traffic is usually blocked when implementing a demilitarized zone? Traffic that is returning from the public network and traveling to the DMZ network. Traffic originating from the private network and traveling to the DMZ network. Traffic originating from the DMZ network and traveling to the private network. Traffic that is returning from the DMZ network and traveling to the private network.

Traffic originating from the DMZ network and traveling to the private network.

In applying an ACL to a router interface, which traffic is designated as outbound? Traffic that is coming from the source IP address into the router. Traffic that is going from the destination IP address into the router. Traffic that is leaving the router and going toward the destination host. The IP addresses of IPsec peers. Traffic for which the router can find no routing table entry.

Traffic that is leaving the router and going toward the destination host.

Which statement describes a typical security policy for a DMZ firewall configuration? Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with little or no restrictions. Traffic that originates from the DMZ interface is selectively permitted to the outside interface. Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface. Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface. Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.

Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

What worm mitigation phase involves actively disinfecting infected systems? Inoculation. Containment. Treatment. Quarantine. De-worming.

Treatment

Which two protocols are stateless and do not generate connection information needed to build a state table? (Choose two.) UDP HTTP TCP FTP ICMP

UDP ICMP

What are SNMP trap messages? Unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network. Messages that are used by the NMS to change configuration variables in the agent device. Messages that are used by the NMS to query the device for data. Messages that are sent periodically by the NMS to the SNMP agents that reside on managed devices to query the device for data.

Unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network

What is a good password recommendation for a Cisco router? Use the service password-encryption command to protect a password used to log into a remote device across the network. Use a minimum of 7 characters. Leave it blank, no one would guess that and the brute force attacks don't try that. Use one or more spaces within a multiword passphrase. Zeroize all passwords used (like they showed in the video).

Use one or more spaces within a multiword passphrase.

What is the quickest way to remove a single ACE from a named ACL? Use the no access-list command to remove the entire ACL, then recreate it without the ACE. Copy the ACL into a text editor, remove the ACE, then copy the ACL back into the router. Use the no keyword and the sequence number of the ACE to be removed. Create a new ACL with a different number and apply the new ACL to the router interface.

Use the no keyword and the sequence number of the ACE to be removed.

A user complains about not being able to gain access to a network device configured with AAA. How would the network administrator determine if login access for the user account is disabled? Use the show aaa local user lockout command. Use the show aaa user command. Use the show running-configuration command. Use the show aaa sessions command.

Use the show aaa local user lockout command.

Which security technology is commonly used by a teleworker when accessing resources on the main corporate office network? IPS VPN SecureX Biometric

VPN

What are two basic configuration requirements for each operational interface on an ASA 5506-X device? (Choose two.) a name an encryption key an ACL assignment a security level a VLAN assignment

a name a security level

What is the only type of port that an isolated port can forward traffic to on a private VLAN? another isolated port any access port in the same PVLAN a promiscuous port a community port

a promiscuous port

When dynamic NAT on an ASA is being configured, what two parameters must be specified by network objects? (Choose two.) the inside NAT interface the interface security level the outside NAT interface a range of private addresses that will be translated the pool of public global addresses

a range of private addresses that will be translated the pool of public global addresses

Which command is used to enable AAA as part of the 802.1X configuration process on a Cisco device? dot1x pae authenticator aaa new-model dot1x system-auth-control aaa authentication dot1x

aaa new-model

Which two characteristics describe a worm? (Choose two.) executes when software is run on a computer infects computers by attaching software code travels to new computers without any intervention or knowledge of the user hides in a dormant state until needed by an attacker is self-replicating despite being hermaphroditic, it needs a partner to reproduce

travels to new computers without any intervention or knowledge of the user is self-replicating

Which classification indicates that an alert is verified as an actual security incident? true positive false positive true negative false negative prognosis negative

true positive

What is an appropriate use for class 5 digital certificates? used for online business transactions between companies used for private organizations or government security used by organizations for which proof of identity is required used for testing in situations in which no checks have been performed

used for private organizations or government security

Which security function is provided by encryption algorithms? confidentiality key management authorization integrity

confidentiality

Each day, a security analyst spends time examining logs and events from different systems and applications to quickly detect security threats. What function of the Security Information Event Management (SIEM) technology does this action represent? aggregation correlation retention forensic analysis

correlation

Which option lists the four steps to configure the Modular Policy Framework on an ASA?
- 1) Configure extended ACLs to identify specific granular traffic. This step may be optional. 2) Configure the class map to define interesting traffic. 3) Configure a policy map to apply actions to the identified traffic. 4) Configure a service policy to identify which interface should be activated for the service.
- 1) Configure a policy map to apply actions to the identified traffic. 2) Configure a service policy to identify which interface should be activated for the service. 3) Configure extended ACLs to identify specific granular traffic. This step may be optional. 4) Configure the class map to define interesting traffic.
- 1) Configure extended ACLs to identify specific granular traffic. This step may be optional. 2) Configure the class map to define interesting traffic. 3) Configure a service policy to identify which interface should be activated for the service. 4) Configure a policy map to apply actions to the identified traffic.
- 1) Configure a service policy to identify which interface should be activated for the service. 2) Configure extended ACLs to identify specific granular traffic. This step may be optional. 3) Configure the class map to define interesting traffic. 4) Configure a policy map to apply actions to the identified traffic.

- 1) Configure extended ACLs to identify specific granular traffic. This step may be optional. 2) Configure the class map to define interesting traffic. 3) Configure a policy map to apply actions to the identified traffic. 4) Configure a service policy to identify which interface should be activated for the service.

Refer to the exhibit. The ISAKMP policy for the IKE Phase 1 tunnel was configured, but the tunnel does not yet exist. Which action should be taken next before IKE Phase 1 negotiations can begin? Configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel. Configure an ACL to define interesting traffic. Configure the IPsec tunnel lifetime. Bind the transform set with the rest of the IPsec policy in a crypto map.

Configure an ACL to define interesting traffic.

A network analyst is configuring a crypto map and has just bound the ACL and the transform set to the map, and set the IPsec tunnel lifetime. What other step completes the configuration of the crypto map? Define the interesting traffic. Configure the DH group. Apply the map to an interface. Configure the SA policy.

Configure the DH group.

Refer to the exhibit. Given the partial output of the show version command on a router, if a network engineer wants to begin to configure an IPsec VPN, what would be the next step to take? Accept the EULA and activate the security technology package. Configure an ACL to define interesting traffic. Configure the ISAKMP policy for IKE phase 1. Configure a crypto map for the IPsec policy.

Configure the ISAKMP policy for IKE phase 1.

What is a feature of asymmetrical encryption? Different keys are used to encrypt and decrypt data. It requires fewer computations than symmetric encryption requires. Key lengths are short. It encrypts bulk data quickly.

Different keys are used to encrypt and decrypt data.

In which way does the use of HTTPS increase the security monitoring challenges within enterprise networks? HTTPS traffic does not require authentication. HTTPS traffic enables end-to-end encryption. HTTPS traffic is much faster than HTTP traffic. HTTPS traffic can carry a much larger data payload than HTTP can carry.

HTTPS traffic enables end-to-end encryption.

Which are the five security associations to configure in ISAKMP policy configuration mode? Hash, Accounting, Group, Lifetime, ESP Hash, Authorization, Group, Lifetime, Encryption Hash, Authentication, Group, Lifetime, Encryption Hash, Authentication, GRE, Lifetime, ESP

Hash, Authentication, Group, Lifetime, Encryption

Which network security tool allows an administrator to test and detect weak passwords? Metasploit L0phtcrack Tripwire Nessus

L0phtcrack

When security is a concern, which OSI Layer is considered to be the weakest link in a network system? Layer 2 Layer 3 Layer 4 Layer 7 Layer 6

Layer 2

A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal? Network security testing is most effective when deploying new security proposals. Network security testing is simple because it requires just one test to evaluate the new proposal. Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs. Network security testing is specifically designed to evaluate administrative tasks involving server and workstation access.

Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.

Which two statements describe the 8 Gigabit Ethernet ports in the backplane of a Cisco ASA 5506-X device? (Choose two.) They are all routed ports. Three of them are routed ports and 5 of them are switch ports. Port 1 is a routed port and the rest are switch ports. They all can be configured as routed ports or switch ports. These ports all require IP addresses.

They are all routed ports. These ports all require IP addresses.

Which two statements are true about ASA standard ACLs? (Choose two.) They identify only the destination IP address. They are the most common type of ACL. They are applied to interfaces to control traffic. They specify both the source and destination MAC address. They are typically only used for OSPF routes.

They identify only the destination IP address. They are typically only used for OSPF routes.

Which two types of VPNs are examples of enterprise-managed remote access VPNs? (Choose two.) IPsec VPN GRE over IPsec VPN IPsec Virtual Tunnel Interface VPN clientless SSL VPN client-based IPsec VPN

clientless SSL VPN client-based IPsec VPN

A web server administrator is configuring access settings to require users to authenticate first before accessing certain web pages. Which requirement of information security is addressed through the configuration? confidentiality scalability integrity availability

confidentiality

Which objective of secure communications is achieved by encrypting data? integrity confidentiality availability authentication

confidentiality

Which type of attack does the use of HMACs protect against? man-in-the-middle DoS DDoS brute force

man-in-the-middle

Which command is used on an ASA to enable password encryption and encrypt all user passwords? service password-encryption key config-key password-encryption [ new-pass [ old-pass ]] enable password password password encryption aes

password encryption aes

Which type of NAT would be used on an ASA where 10.0.1.0/24 inside addresses are to be translated only if traffic from these addresses is destined for the 198.133.219.0/24 network? policy NAT dynamic NAT static NAT dynamic PAT

policy NAT

A network technician is attempting to resolve problems with the NAT configuration on an ASA. The technician generates a ping from an inside host to an outside host. Which command verifies that addresses are being translated on the ASA? show ip address show xlate show running-config show ip nat translation

show xlate

What is a type of VPN that is generally transparent to the end user? site-to-site remote access public private

site-to-site

What are the two types of VPN connections? (Choose two.) site-to-site leased line remote access Frame Relay PPPoE

site-to-site remote access

A network administrator has deployed object groups in order to make ACLs easier to implement and understand. Which two objects would be part of a service object group? (Choose two.) top-level protocol subnet ICMP type hostname IP address

top-level protocol ICMP type

Which characteristic of security key management is responsible for making certain that weak cryptographic keys are not used? exchange generation verification revocation and destruction

verification

Which security test is appropriate for detecting system weaknesses such as misconfiguration, default passwords, and potential DoS targets? penetration testing vulnerability scanning integrity checkers network scanning

vulnerability scanning

Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN? AES MD5 IPsec ESP

IPsec

What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1? interesting traffic transform sets ISAKMP SA policy DH groups

ISAKMP SA policy

What is a characteristic of ASA security levels? An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level. Each operational interface must have a name and be assigned a security level from 0 to 200. Inbound traffic is identified as the traffic moving from an interface with a higher security level to an interface with a lower security level. The lower the security level on an interface, the more trusted the interface.

An ACL needs to be configured to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level.

What can be used as a VPN gateway when setting up a site-to-site VPN? Cisco Unified Communications Manager Cisco Catalyst switch Cisco AnyConnect Cisco router

Cisco router

What action can a network administrator take to help mitigate the threat of VLAN hopping attacks? Disable automatic trunking negotiation. Configure all switch ports to be members of VLAN 1. Enable PortFast on all switch ports. Disable VTP.

Disable automatic trunking negotiation.

A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command? It checks the source MAC address in the Ethernet header against the user-configured ARP ACLs. It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body. It checks the source MAC address in the Ethernet header against the MAC address table.

It checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.

Why would HMAC be used to help secure the data as it travels across various links? It is an asymmetric encryption algorithm used when the two communicating parties have not previously shared a secret key. It is a hashing algorithm used to guarantee that the message is not a forgery and actually comes from the authentic source. It is a hashing algorithm used to encrypt the message and guarantee that no one intercepted the message and altered it. It is a popular symmetric encryption algorithm used when each communicating party needs to know the pre-shared key.

It is a hashing algorithm used to guarantee that the message is not a forgery and actually comes from the authentic source.

Which statement describes the Cisco ASAv product? It is a Cisco ASA feature added on a Cisco router. It is a cloud-based Cisco ASA firewall product. It is a Cisco FirePOWER service that can be added on a Cisco router. It is a virtual machine version of Cisco ASA product.

It is a virtual machine version of Cisco ASA product.

A network administrator is planning a VPN tunnel. Why would the engineer select main mode for IKE Phase 1? It requires less configuration. It is the industry standard. It is quicker. It is more secure.

It is more secure.

Refer to the exhibit. How will traffic that does not match access list 101 be treated by the router? It will be sent unencrypted. It will be sent encrypted. It will be blocked. It will be discarded.

It will be sent unencrypted.

Which two algorithms use a hashing function to ensure message integrity? (Choose two.) 3DES MD5 AES SEAL SHA

MD5 SHA

What network scanning tool has advanced features that allow it to use decoy hosts to mask the source of the scan? Nessus Nmap Tripwire Metasploit

Nmap

What protocol is used to query the revocation status of an X.509 certificate? SSL EAP OCSP LDAP

OCSP

Which statement describes the default network access control on an ASA firewall device? Inbound traffic from the DMZ network to the inside network is allowed. Inbound traffic from the outside network to the DMZ network is allowed. Returning traffic from the outside network to the inside network is allowed. Outbound traffic from the inside network to the outside network is allowed without inspection.

Returning traffic from the outside network to the inside network is allowed.

Which protocol uses X.509 certificates to support mail protection performed by mail agents? IPsec SSL S/MIME EAP-TLS

S/MIME

Which statement describes the Software-Optimized Encryption Algorithm (SEAL)? SEAL is a stream cipher. It is an example of an asymmetric algorithm. It uses a 112-bit encryption key. It requires more CPU resources than software-based AES does.

SEAL is a stream cipher.

What determines which switch becomes the STP root bridge for a given VLAN? The highest priority. The highest MAC address. The lowest bridge ID. The lowest IP address.

The lowest bridge ID

What is the purpose of IKE? firewall port management security appliance configuration VPN key management key transmission

VPN key management

Which statement describes a VPN? VPNs use open source virtualization software to create the tunnel through the Internet. VPNs use dedicated physical connections to transfer data between remote users. VPNs use virtual connections to create a private network through a public network. VPNs use logical connections to create public networks through the Internet.

VPNs use virtual connections to create a private network through a public network.

What type of ACL is designed for use in the configuration of an ASA to support filtering for clientless SSL VPNs? Standard Webtype EtherType Extended

Webtype

What role does an RA play in PKI? a root CA a super CA a subordinate CA a backup root CA

a subordinate CA

What is the focus of cryptanalysis? developing secret codes breaking encrypted codes implementing encrypted codes hiding secret codes

breaking encrypted codes

A network security specialist is tasked to implement a security measure that monitors the status of critical files in the data center and sends an immediate alert if any file is modified. Which aspect of secure communications is addressed by this security measure? data integrity data confidentiality origin authentication nonrepudiation

data integrity

What is the first step in establishing an IPsec VPN? negotiation of ISAKMP policies detection of interesting traffic creation of a secure tunnel to negotiate a security association policy creation of an IPsec tunnel between two IPsec peers

detection of interesting traffic

What two features must match between ASA devices to implement a failover configuration? (Choose two.) device model software configuration source IP address amount of RAM next-hop destination

device model amount of RAM

What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.) digital certificates pre-shared key generation intrusion prevention system certificate authority symmetric encryption algorithms

digital certificates certificate authority

Which technology is used to provide assurance of the authenticity and integrity of software code? public key infrastructures block ciphers certificate authorities digital signatures

digital signatures

Which advanced ASA Firewall feature provides granular access control based on an association of IP addresses to Windows Active Directory login information? ASA virtualization high availability with failover threat control and containment services identity firewall

identity firewall

What are the two biggest differences among various ASA firewall models? (Choose two.) in the VPN functionality in the operating system version support in the maximum traffic throughput supported in the configuration method using either CLI or ASDM in the number and types of interfaces

in the maximum traffic throughput supported in the number and types of interfaces

Which data security component is provided by hashing algorithms? authentication integrity confidentiality key exchange

integrity

What is the purpose of code signing? integrity of source .EXE files data encryption source identity secrecy reliable transfer of data

integrity of source .EXE files

Which two types of objects can be configured on an ASA device? (Choose two.) protocol ICMP-type security network user service

network service

Which object or object group is required to implement NAT on an ASA 5506-X device? network object protocol object group service object network object group

network object

What is one of the drawbacks to using transparent mode operation on an ASA device? no support for IP addressing no support for QoS no support for management no support for using an ASA as a Layer 2 switch

no support for QoS

What type of security test uses simulated attacks to determine possible consequences of a real threat? penetration testing vulnerability scanning network scanning integrity checking

penetration testing

What is an example of the transposition cipher? Caesar RC4 Vigenère rail fence

rail fence

Which feature is specific to the Security Plus upgrade license of an ASA and provides increased availability? routed mode transparent mode redundant ISP connections stateful packet inspection

redundant ISP connections

What is defined by an ISAKMP policy? the security associations that IPsec peers are willing to use the IP addresses of IPsec peers access lists that identify interesting traffic the preshared keys that will be exchanged between IPsec peers

the security associations that IPsec peers are willing to use

What is the purpose of a nonrepudiation service in secure communications? to provide the highest encryption level possible to ensure that the source of the communications is confirmed to confirm the identity of the recipient of the communications to ensure that encrypted secure communications cannot be decoded

to ensure that the source of the communications is confirmed

What is the purpose of the DH algorithm? to support email data confidentiality to encrypt data traffic after a VPN is established to generate a shared secret between two hosts that have not communicated before to provide nonrepudiation support

to generate a shared secret between two hosts that have not communicated before

