Network Auth & Security Chapter 6


At which layer of the OSI model does Spanning Tree Protocol operate? Question options: Layer 1; Layer 2; Layer 3; Layer 4

Layer 2

What is the default configuration of the PVLAN Edge feature on a Cisco switch? Question options: All active ports are defined as protected. All ports are defined as protected. No ports are defined as protected. EtherChannel groups are defined as protected ports.

No ports are defined as protected.

Which security solution provides continuous visibility and control before, during, and after an attack to defeat malware across the extended network of an organization? Question options: AMP; ESA; WSA; NAC

AMP

Which statement is true about a characteristic of the PVLAN Edge feature on a Cisco switch? Question options: All data traffic that passes between protected ports must be forwarded through a Layer 2 device. All data traffic that passes between protected ports must be forwarded through a Layer 3 device. Only broadcast traffic is forwarded between protected ports. Only unicast traffic is forwarded between protected ports.

All data traffic that passes between protected ports must be forwarded through a Layer 3 device.

What is involved in an IP address spoofing attack? Question options: A legitimate network IP address is hijacked by a rogue node. A rogue node replies to an ARP request with its own MAC address indicated for the target IP address. A rogue DHCP server provides false IP configuration parameters to legitimate DHCP clients. Bogus DHCPDISCOVER messages are sent to consume all the available IP addresses on a DHCP server. Michael Carbonaro makes the system admin think that there is a legitimate IP address on the machine in question.

A legitimate network IP address is hijacked by a rogue node.

Under which circumstance is it safe to connect to an open wireless network? Question options: The connection utilizes the 802.11n standard. The device has been updated with the latest virus protection software. The connection is followed by a VPN connection to a trusted network. The user does not plan on accessing the corporate network when attached to the open wireless network.

The connection is followed by a VPN connection to a trusted network.

Why are traditional network security perimeters not suitable for the latest consumer-based network endpoint devices? Question options: These devices are not managed by the corporate IT department. These devices are more varied in type and are portable. These devices connect to the corporate network through public wireless networks. These devices pose no risk to security as they are not directly connected to the corporate network.

These devices are more varied in type and are portable.

Which two measures are recommended to mitigate VLAN hopping attacks? (Choose two.) Question options: Use a dedicated native VLAN for all trunk ports. Place all unused ports in a separate guest VLAN. Disable trunk negotiation on all ports connecting to workstations. Enable DTP on all trunk ports. Ensure that the native VLAN is used for management traffic.

Use a dedicated native VLAN for all trunk ports. Disable trunk negotiation on all ports connecting to workstations.

What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports? Question options: control; management; broadcast; user

control

When the Cisco NAC appliance evaluates an incoming connection from a remote device against the defined network policies, what feature is being used? Question options: authentication and authorization; posture assessment; quarantining of noncompliant systems; remediation of noncompliant systems

posture assessment

What is a recommended best practice when dealing with the native VLAN? Question options: Turn off DTP. Use port security. Assign it to an unused VLAN. Assign the same VLAN number as the management VLAN.

Assign it to an unused VLAN.

What is the best way to prevent a VLAN hopping attack? Question options: Disable STP on all nontrunk ports. Use ISL encapsulation on all trunk links. Use VLAN 1 as the native VLAN on trunk ports. Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

Disable trunk negotiation for trunk ports and statically set nontrunk ports as access ports.

What mitigation plan is best for thwarting a DoS attack that is creating a switch buffer overflow? Question options: Disable DTP. Disable STP. Enable port security. Place unused ports in an unused VLAN.

Enable port security.

Which three are SAN transport technologies? (Choose three.) Question options: Fibre Channel; SATA; iSCSI; IP PBX; FCIP; IDE

Fibre Channel; iSCSI; FCIP

With IP voice systems on data networks, which two types of attacks target VoIP specifically? (Choose two.) Question options: CoWPAtty; Kismet; SPIT; virus; vishing

SPIT; vishing

What would be the primary reason an attacker would launch a MAC address overflow attack? Question options: so that the switch stops forwarding traffic; so that legitimate hosts cannot obtain a MAC address; so that the attacker can see frames that are destined for other hosts; so that the attacker can execute arbitrary code on the switch

so that the attacker can see frames that are destined for other hosts

Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.) Question options: switchport mode access; switchport mode trunk; switchport port-security; switchport port-security maximum 2; switchport port-security mac-address sticky; switchport port-security mac-address mac-address

switchport mode access; switchport port-security; switchport port-security mac-address sticky

Which command is used to configure the PVLAN Edge feature? Question options: switchport block; switchport nonnegotiate; switchport protected; switchport port-security violation protect

switchport protected

What is the goal of the Cisco NAC framework and the Cisco NAC appliance? Question options: to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network; to monitor data from the company to the ISP in order to build a real-time database of current spam threats from both internal and external sources; to provide anti-malware scanning at the network perimeter for both authenticated and non-authenticated devices; to provide protection against a wide variety of web-based threats, including adware, phishing attacks, Trojan horses, and worms

to ensure that only hosts that are authenticated and have had their security posture examined and approved are permitted onto the network

Which two methods are used to mitigate VLAN attacks? (Choose two.) Question options: enabling port security on all trunk ports; using a dummy VLAN for the native VLAN; implementing BPDU guard on all access ports; disabling DTP autonegotiation on all trunk ports; using ISL instead of 802.1q encapsulation on all trunk interfaces

using a dummy VLAN for the native VLAN; disabling DTP autonegotiation on all trunk ports

