IINS 640-554 Part 1
Cisco IINS 640-554 Part 1
Question | Answer |
---|---|
What layer is ALG | 3,4,5,7 |
IPsec VPNs use what two protocols (primarily) | Authentication Header (AH) and Encapsulating Security Payload (ESP) |
What port numbers used by FTP | 20 and 21 |
What IOS command prevents recovery mode | no service password-recovery |
Which algorithms are symmetric key algorithms | Advanced Encryption Standard (AES), Data Encryption Standard (DES), Triple DES (3DES), Blowfish, IDEA, RC4, RC5, and RC6 |
What are the three actions that can be applied to a traffic class using the Cisco IOS zone-based firewall | Pass, Inspect, and Drop |
What term describes an attack pattern that can be identified by an Intrusion Prevention System (IPS) by examining a single packet? | Atomic Pattern |
Which aspect of network security ensures that access to important data is uninterrupted? | Availability |
What type of network attack attempts to discover running applications on network hosts? | port scan |
What command takes a snapshot of the running configuration and securely archives it in permanent storage? | The secure boot-config command |
What command is enabled by default in newer IOS versions and prevents the forwarding of subnet-based broadcast packets? | The no ip directed-broadcast command |
Which encryption algorithm was officially approved by the U.S. Government in 2002? | Advanced Encryption Standard (AES) |
What is a benefit of SNMP version 3 over previous versions? | SNMPv3 supports message encryption |
What is an Intrusion Prevention System (IPS) method of securing the network by examining traffic and comparing it to a database of recognized attack patterns? | What is an Intrusion Prevention System (IPS) method of securing the network by examining traffic and comparing it to a database of recognized attack patterns? |
What command enables Cisco IOS image resilience? | The secure boot-image command |
Which command can be used to verify that the Cisco IOS image and configuration files have been properly backed up and secured? | show secure bootset |
Which command can be used to verify that the Cisco IOS image and configuration files have been properly backed up and secured? | access-class |
Which term describes a logical broadcast domain that can span multiple physical LAN segments? | VLAN |
Which switch command configures an interface as a permanent access port? | switchport mode access |
What protocol and port number does TACACS+ use? | TCP port 49 |
What are the two keys used in asymmetric encryption, and describe their purpose. | Public key to encrypt data, and Private key to decrypt data |
What are the three major SNMP management components? | Manager, Agent, and Management Information Base (MIB) |
What is the minimum recommended length for cryptographic keys? | 1024 |
What is the length of an MD5 hash value? | 128 bit |
What command is used to create a zone for use in the Cisco IOS Zone-based firewall? | The global configuration zone security zone-name command |
What protocol is used by VPN peers when establishing the symmetric key? | Diffie-Hellman |
What command applies a created IOS firewall zone to a particular interface? | The interface-level zone-member security zone-name command |
What are the US govt levels of classification | TS, unclassified, confidential |
3 parts of SDN (Self Defending Network) | Integrated, Collaborative, Adaptive |
Examples of offsite DR | hot, warm, and cold |
What sets the minimum password to 8 on a router? | security passwords min-length 8 |
When using the security audit wizard what two things does admin provide? | inside, outside interfaces & vulnerabilities to fix. |
5 definitions of confidentiality attacks | packet sniffing, wiretapping, emanation capturing, dumpster diving, social engineering |
Describe passive attacks | Scanners, protocol analyzers - anything not sending data |
Describe active attacks | Hackers sending data via DDOS, ping sweep, login, brute force |
Describe close-in attacks | Close physical proximity to devices (console, ethernet, etc) |
Describe insider attacks | Legitimate user taking their network credentials and attacking the network infrastructure |
Describe distribution attacks | These are backdoor attacks made by software and hardware designers |
What does md5 look like | username admin secret 5 <key> |
Describe Separation of Duties (SoD) types | Two-man - auditing and approving changes of each other. Dual Control - multiple people required to complete a task. |
Primary purpose of a firewall | to enforce access control policies between networks |
Define an untrusted path | Has a lower security level than another interface |
The mode that permits one to change config | Config / Enable Mode |
Has a higher security level than another interface | Is therefore Trusted |
Adaptive Security Algorithm does what | Maintains security perimeters between networks |
Mode that enables one to update an image or perform password recovery | rommon |
Mode accessed by entering the enable password, and uses # prompt | Privileged Mode |
Mode that is obtained by accessing the device and uses > prompt | Unprivileged mode / User mode |
Define the tag dmz | An interface name that has no automatically assigned security level |
Interface name that is typically assigned to e0 or fa0 and automatically assigned security level of 0 | outside interface |
Interface name automatically assigned a security level of 100, typically e1/fa1/g1 | inside interface |
A request initiated by an interface with a security level of 90 to an int with a sec level of 40 is allowed or denied | allowed |
A request initiated by an interface with a security level of 50 to an interface with a security level of 60. | deny |
nameif command | names the interface |
security-level command | sets a security level for an int |
nat-control | enables NAT |
nat command | sets which local addresses may use NAT and from which interfaces |
global command | sets which global addresses will be used for NAT and on which interfaces |
static command | Sets a specific local to global address translation for a dev |
route command | sets a specific static IP route |
how is a udp request handled as a connection object in a CSA | A single response is permitted within a specific timeframe |
What will happen based on the following NAT statements? nat-control; global (outside) 1 150.12.16.4 netmask 255.255.255.0; global (dmz) 2 147.16.5.14-147.16.5.20 netmask 255.255.255.0; nat (inside) 1 10.0.0.0 255.255.255.0 | The LAN computers can access the Internet, but not the devices on the dmz. |
What is the most correct method to config a server to use same inside and outside address | nat (inside) 0 200.100.50.10 255.255.255.0 |
What is the global address for this device after the following command is configured? static (inside, outside) 200.100.50.10 199.47.41.10 netmask 255.255.255.0 | 200.100.50.10 |
Which of the below best describes what will happen if the following statement is entered on a Cisco security appliance? route inside 188.31.10.0 255.255.0.0 188.31.10.55 1 | Traffic to the 188.31.10.0/24 subnet will be sent to the fa1 interface and addressed to 188.31.10.55. |
Cut-thru proxy authentication is what? | Authenticating users prior to permitting their packets to be sent to any other dev's on the internal networks |
What is an advantage of using ACS and AAA over other authentication servers? | It is the only server that can download ACLs on a per-user or per-group basis |
What is the primary purpose of ACLs on an ASA | To override the default security appliance security level policies on any interface |
What is a turbo ACL | compiled and stored ACL in machine language code to make it faster to use, must be over 19 lines in length |
deep level inspection is what | The firewall looks at the application level command to be issued inside the packet payload and decides whether or not to permit the packet |