Midterm
CIT 484
| Question | Answer |
|---|---|
| What is confidentiality? | Only authorized entities can see data |
| What is integrity? | Only authorized entities can modify data |
| What is availability? | Authorized entities must be able to access the network; the failure of a network equates to loss of revenue |
| Which security term refers to a person, property, or data of value to a company? | Asset |
| Which asset characteristic refers to risk that results from a threat and lack of a countermeasure? | Vulnerability |
| Which three items are the primary network security objectives for a company? | confidentiality, integrity, availability |
| Which data classification label is usually not found in a government organization? | classified but not important |
| Which of the following represents a physical control? | electronic lock |
| What is the primary motivation for most attacks against networks today? | financial |
| Which type of an attack involves lying about the source address of a frame or packet? | spoofing attacks |
| Which two approaches to security provide the most secure results on day one? | Defense in depth, least privilege |
| Which of the following might you find in a network that is based on a defense-in-depth security implementation? | Firewall, IPS, Access lists, Current patches on servers |
| In relation to production networks, which of the following are viable options when dealing with risk? | transfer it, mitigate it, Remove it |
| Which of the following is not a motivation of malicious actors? | Bug bounty awards |
| Which of the following is not considered a type of DDoS attack? | cached |
| Why is UDP the “protocol of choice” for reflected DDoS attacks? | UDP is much more easily spoofed |
| Which of the following is leveraged in social engineering? | human nature |
| Which of the following is not a form of social engineering? | DoS |
| Which of the following is not a valid defense against social engineering? | infrastructure Hardening |
| Which tool provides the most granular information to help in the identification of malware? | Packet Capture |
| NetFlow provides which of the following? | 1. Information on the types of traffic traversing the network |
| Which of the following is not used for identification of malware on the network? | Routing information Base (RIB) |
| Which type of data is not often attractive to malicious actors? | training schedules |
| Which of the following are most likely to be used for authentication of a network administrator accessing the CLI of a Cisco router? | TACACS+, ACS |
| Which of the following allows for granular control related to authorization of specific Cisco IOS commands that are being attempted by an authenticated and authorized Cisco router administrator? | TACACS+ |
| Which devices or users would be clients of an ACS server? | Routers, switches |
| On the router, what should be created and applied to a vty line to enforce a specific set of methods for identifying who a user is? | Authentication method list |
| What is the minimum size for an effective TACACS+ group of servers? | 1 |
| With what can you configure AAA on the router? | CCP and CLI |
| Which statement is true for ACS 5.x and later? | Authorization policies can be associated with user groups that are accessing specific network device groups |
| Where in the ACS do you go to create a new group of administrators? | Users and Identity Stores > Identity Groups |
| From the router, which method tests the most about the ACS configuration, without forcing you to log in again at the router? | test aaa |
| Which of the following could likely cause an ACS authentication failure, even when the user is using the correct credentials? | 1. Incorrect secret on the ACS 2. Incorrect IP address of the ACS configured on the router 3. Incorrect routing 4. Incorrect filtering between the ACS and the router |
| List TACACS+ facts (5) | 1. Uses TCP as the Layer 4 protocol 2. Separates AAA elements into distinct elements 3. All packets are encrypted between the ACS server and the router 4. Supports granular command-by-command authorization 5. Uses TCP port 49 |
| List RADIUS facts (3) | 1. Uses UDP as the Layer 4 protocol 2. Combines many authentication and authorization functions 3. Only encrypts the password; all other data passes in cleartext |
| Which of the following represents a logical control used to implement a countermeasure? (Choose two) | IPS and Passwords |
| Preliminary risk assessments and categorization of risks. | Initiation |
| Acquiring the products and tools needed to implement the countermeasures needed to reduce risk. | Acquisition and development |
| Countermeasures are put in place on the production network. | Implementation |
| Care and feeding of the network. Monitoring and incident handling. | Operations and maintenance |
| Disposing of network gear. Sanitizing, formatting, and destroying media storage devices. | Disposition |
| Which of the following are methods of risk analysis? | quantity and quality |
| Which of the following techniques can be used to test your security architecture? (Choose all that apply) | Network scanning, Vulnerability scanning, Password cracking, Penetration testing, Social engineering attempts |
| The maximum length of time a business function can be discontinued without causing irreparable harm to the business | maximum tolerable downtime (MTD) |
| The duration of time that a service level within a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity | Recovery Time Objective (RTO) |
| The maximum tolerable period in which data might be lost from an IT service due to a major incident | Recovery Point Objective (RPO) |
| What are the 3 classification roles? | 1. Owner 2. Custodian 3. User |
| responsible for data and senior management | owner |
| responsible for policy implementation | custodian |
| abide by policy rules and access data | user |
| What are the 2 types of classifications? | 1. Government 2. Private sector |
| What are types of administrative controls? | Written policies, procedures, guidelines, and standards |
| What are types of physical controls? | Limiting physical access to networking equipment, computer room access restrictions, power feeds, generators, air conditioning, redundant systems (e.g. UPS) |
| What are types of logical controls? | Passwords, firewalls, IPS, ACL, VPN, …; also referred to as “technical controls” |
| Tunneling malicious traffic inside seemingly harmless protocols | covert channel |
| Attacks via a trusted source (e.g. DMZ) | Trust exploitation |
| Brute force, malware, man-in-the-middle, key loggers, packet sniffers | password attacks |
| A collection of infected computers that take instructions from an attacker | botnet |
| Flooding a network in order to disable it | DoS |
| How does IP spoofing work? | In the 3-way handshake the source sends a SYN, the destination sends SYN & ACK, and the source sends an ACK back; BUT if the attacker gets the ACK sent before the source, they take over the session |
| What is the Secure Network Lifecycle? | 1. Initiation 2. Acquisition and development 3. Implementation 4. Operations and maintenance 5. Disposition |
| Initiation phase of Network Lifecycle | Preliminary risk assessment; categorizing risk (low/med/high) |
| Acquisition and development phase of Network Lifecycle | Detailed risk assessment ; Acquiring products and tools; Testing countermeasures |
| Implementation phase of Network Lifecycle | Countermeasures placed into production |
| Operations and maintenance phase of network lifecycle | Monitoring; Tuning; Incident handling |
| What are policy Standards? | Specifies the use of specific technologies as a countermeasure; Helps ensure consistency |
| What are policy procedures? | Specifies how to implement standards and guidelines |
| What are Policy guidelines? | Suggestions (not mandatory); Best practices |
| What are policies? | Owned by senior management team; usually do not include technical details |
| What to document in an incident? | 1. Systems involved 2. Time of occurrence 3. Who was involved |
| Which is the primary Layer 2 mechanism that allows multiple devices in the same VLAN to communicate with each other even though those devices are physically connected to different switches? | Trunk |
| How does a switch know about parallel Layer 2 paths? | BPDU |
| When implemented, which of the following helps prevent CAM table overflows? | Port Security |
| Which of the following is not a best practice for security? | A. Leaving the native VLAN as VLAN 1 |
| Which is the default number of MAC addresses allowed on a switch port that is configured with port security? | 1 |
| Which is the default number of MAC addresses allowed on a switch port that is configured with port security? | A. VLANS C. IP subnetworks |
| What is a typical method used by a device in one VLAN to reach another device in a second VLAN? | C. Use a local default gateway |
| Which two configuration changes prevent users from jumping onto any VLAN they choose to join? | A. Disabling negotiation of trunk ports D. Configuring the port connecting to the client as an access port |
| If you limit the number of MAC addresses learned on a port to five, what benefits do you get from the port security feature? (Choose all that apply) | A. Protection for DHCP servers against starvation attacks E. Protection against CAM table overflows |
| Why should you implement Root Guard on a switch? | To prevent the switch from having specific root ports |
| Why should CDP be disabled on ports that face untrusted networks? | B. CDP can be used as a reconnaissance tool to determine information about the device |
| Which of the following is not a trust statement for DHCP snooping? | DHCP snooping is enabled by default on all VLANs |
| Which of the following is not a true statement regarding dynamic ARP inspection (DAI)? | D. DAI is enabled on a per-interface basis |
| Which of the following is not a core element addressed by NFP (Network Foundation Protection)? | D. Data plane |
| If you add authentication to your routing protocol so that only trusted authorized routers share information, which plane in the NFP are you securing? | control plane |
| If you use authentication and authorization services to control which administrators can access which networked devices and control what they are allowed to do, which primary plane of NFP are you protecting | Management Plane |
| Which of the following is not a best practice to protect the management plane? (Choose all that apply) | HTTP and Telnet |
| Which of the following is a way to implement role-based access control related to the management plane? (Choose all that apply) | Views and AAA Services |
| What do CoPP and CPPr have in common? (choose all that apply) | C. They both focus on control plane protection D. They both can identify traffic destined for the router that will likely require direct CPU resources to be used by the router |
| Which type of attack can you mitigate by authenticating a routing protocol? (Choose all that apply) | A. Man-in-the-middle attack B. Denial-of-service C. Reconnaissance attack |
| What is a significant difference between CoPP and CPPr? | B. CPPr can classify and act on more-specific traffic than CoPP |
| Which of the following enables you to protect the data plane? | A. IOS zone-based firewall B. IPS C. Access lists D. Port Security |
| DHCP snooping protects which component of NFP | Data Plane |
| Which type of attack causes a switch to act like a hub, flooding all incoming frames to all of its interfaces? | CAM overflow attack |
| What benefits do you get by using port security to limit the number of MAC addresses learned on a switch port? | 1. Protection for DHCP servers against starvation attacks. 2. Protection against CAM table overflow attacks. |
| What is DTP? | Dynamic Trunking Protocol (DTP) Dynamically negotiates trunks between switches |
| What is Spanning Tree Protocol? | -Prevents loops in redundant switch networks (Listening Learning Forwarding Blocking) |
| VLAN best practices? | 1. Don't use VLAN 1 as native 2. Disable DTP 3. Configure access ports as access ports 4. Limit learned MAC addresses 5. Turn off CDP 6. Shut down unused ports 7. Assign unused ports to a vacant VLAN |
| How to disable DTP on trunk ports | (config-if)# switchport nonegotiate |
| Attacker sets low switch priority in an attempt to become the root switch through which all traffic on the LAN will flow | STP attack (BPDU prevents this) |
| What does Root Guard protect against? | 1. Learning a new root switch 2. STP tampering 3. Becoming the root switch |
| Which one of the following follows best practices for a secure password? | B. S1E3peR1# |
| When you connect for the first time to the console port on a new router, which privilege level are you using initially when presented with the command-line interface? | 1 |
| Which of the following is not impacted by a default login authentication method list? | HDLC interface |
| You are trying to configure a method list, and your syntax is correct, but the command is not being accepted. Which of the following might cause this failure? | A. Incorrect privilege level B. AAA not enabled C. Wrong mode D. Not allowed by the view |
| Cisco recommends which version of Simple Network Management Protocol (SNMP) on your network if you needed it? | version 3 |
| How can you implement role-based access control (RBAC)? | A. Provide the password for a custom privilege level to users in a given role B. Associate user accounts with specific views D. Use AAA to authorize specific users for specific sets of permissions |
| Which of the following indirectly requires the administrator to configure a hostname? | SSH |
| What are the two primary benefits of using NTP along with a syslog server | A. Correlation of syslog messages from multiple different devices D. Accurate accounting of when a syslog message occurred |
| Which of the following commands result in a secure bootset? | B. Secure boot-config D. Secure boot-image |
| What is a difference between a default and named method list? | A. A named method list must be assigned to an interface or line |
| Which of the following are the valid first four characters of a globally routable IPv6 address? | 2345 |
| Which of the following are the valid first four characters of a link-local address? | FE80 |
| What is the default method for determining the interface ID for a link-local address on Ethernet? | EUI-64 |
| What is the default method for determining the interface ID for a link-local address on Ethernet? | 8 |
| Which of the following routing protocols have both an IPv4 and IPv6 version? | A. Routing Information Protocol B. Enhanced Interior Gateway Routing Protocol C. Open Shortest Path First |
| Which best practices apply to networks that run both IPv4 and IPv6? | A. Physical Security B. Routing Protocol authentication C. Authorization of Administrators D. Written Security Policy |
| Which of protocols, if abused, could impair an IPv6 network, but not IPv4? | B. NDP D. Solicited node multicast addresses |
| If a rogue IPv6 router is allowed on the network, which information could be incorrectly delivered to the clients on that network | A. IPv6 default gateway B. IPv6 DNS server C. IPv6 network Address |
| Why is tunneling any protocol (including IPv6) through another protocol a security risk? (Choose all that apply) | A. The innermost contents of the original packets may be hidden from normal security filters B. The tunnels, if they extend beyond the network perimeter, may allow undesired traffic through the tunnel. |
| What is one method to protect against a rogue IPv6 router? | RA Guard |
| Security Levels in order from 0-7 | 0-Emergencies 1-Alerts 2-Critical 3-Error 4-Warnings 5-Notification 6-Informational 7-Debugging (Do I Notice When Evenings Come Around Early) |
| When configuring AAA authentication on a router, what should be specified for the default method list in order to ensure that you can still log in when the AAA server is down? | enable and local |
| Two specifications on using an ACS server? | group tacacs+ and group radius |
| can combine multiple views together into a single view | superview |
| can combine multiple views together into a single view | 2-14 |
| What is the enable privilege mode for role based AC? | level 15 |
| T/F In Role-Based Access Control, lower levels get all the privileges of the higher levels? | False; higher levels inherit all of the lower levels' privileges |
| What version of SSH should be used? | ip ssh version 2 |
| Unsolicited messages from a managed device | SNMP traps |
| What type of access should MIB have? | RO (Read only!) |
| what are the 3 modes of SNMPv3? | noAuthNoPriv(usernames only AND accounting); authNoPriv(usernames/Passwords); authPriv(Usernames/Passwords, encryption) |
| What are the best practices for using SNMP? | 1. If you aren't using it, disable it 2. Don't use default community strings 3. Use SNMPv3 4. Disable write access |
| What version of NTP should be used? | 3 |
| T/F Secured files will not appear on the output of a dir or show flash command | True! use show secure bootset or dir |
| Which firewall methodology requires the administrator to know and configure all the specific ports, IPs, and protocols required for the firewall? | B. Packet filtering |
| Which technology dynamically builds a table for the purpose of permitting the return traffic from an outside server, back to the client, in spite of a default security policy that says no traffic is allowed to initiate from the outside networks? | D. Stateful filtering |
| What does application layer inspection provide? | B. Enables a firewall to listen in on a client/server communication, looking for information regarding communication channels |
| Which one of the following is true about a transparent firewall? | B. Implemented at layer 2 |
| What is the specific term for performing Network Address Translation for multiple inside devices but optimizing the number of global addresses required? | PAT |
| What term refers to the internal IP address of a client using NAT as seen from other devices on the same internal network as the client? | A. Inside local |
| Which of the following describes a rule on the firewall which will never be matched because of where the firewall is in the network? | Orphaned rule |
| What is the long-term impact of providing a promiscuous rule as a short-term test in an attempt to get a network application working? | A. The promiscuous rule may be left in place, leaving a security hole |
| Which zone is implied by default and does not need to be manually created? | self |
| If interface number 1 is in zone A, and interface number 2 is in zone B, and there are no policy or service commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces? | Denied |
| When creating a specific zone pair and applying a policy to it, policy is being implemented on initial traffic in how many directions? | 1 |
| What is the default policy between an administratively created zone and the self zone? | permit |
| What is one of the added configuration elements that the Advanced security setting has in the ZBF Wizard that is not included in the Low security setting? | C. Filtering of peer-to-peer networking application |
| Why is it that the return traffic, from previously inspected sessions, is allowed back to the user, in spite of not having a zone pair explicitly configured that matches on the return traffic? | A. Stateful entries (from the initial flow) are matched, which dynamically allows return traffic |
| What does the keyword overload imply in a NAT configuration? | PAT is being used |
| Which of the following commands shows the current NAT translations on the router? | show ip nat translation |
| On a router using ZFW, why is it that the return traffic from previously inspected sessions is allowed back to the user in spite of not having a zone pair explicitly configured that matches on return traffic? | Stateful entries (from the initial flow) are matched, which dynamically allows return traffic. |
| Which of the following is considered to be one of the most important firewall technologies in use today? | Stateful packet filtering |
| Define the order in which you would create the following components when implementing a zone-based policy firewall. | 1. class maps 2. policy maps 3. service policies |
| Which firewall methodology remembers outgoing traffic and allows responses to that traffic? | Stateful packet filtering |
| Application layer firewall that authenticates individuals and not devices | Proxy server |
| Translate multiple inside local IP addresses to a single inside global address | Dynamic PAT |
| Firewall designs? | 1. Place at security boundaries 2. Deny all 3. Defense in depth |
| Bad firewall rules | 1. Allowing too much traffic 2. Redundant rules 3. Shadowed rules 4. Orphan rules 5. Incorrect rules |
| t/f traffic between zones is denied by default | true |
| what are assigned to zones in ZFW? | interfaces |
| identify sets of packets based on contents using “match” conditions (traffic to control) | class-map |
| used to assign actions to the traffic (Action to apply) | policy-map |
| how many zones can interfaces on a router have? | 1 |
| How to configure a zone-based firewall? (6 steps) | 1. Define zones 2. Define zone-pairs 3. Define class-maps 4. Define policy-maps 5. Apply policy-maps to zone-pairs 6. Assign interfaces to zones |
| Match-any VS match-all | Match-any Traffic must meet one of the criteria ** Match-all Traffic must meet all of the criteria |
| Which of the following feature does the Cisco ASA provide? (Choose all that apply) | a. Simple packet filtering using standard or extended access lists b. Layer 2 transparent implementation c. Support for remote-access SSL VPN connections |
| Which of the following Cisco ASA models are designed for small branch offices? | a. 5505; 5512-X |
| When used in an access policy, which component could identify multiple servers? | C. Object Groups |
| Which of the following is an accurate description of the word inbound as it relates to an ASA? (choose all that apply) | B. Traffic from a device that is located on a low-security interface C. Traffic that is entering any interface |
| When is traffic allowed to be routed and forwarded if the source of the traffic is from a device located off of a low-security interface if the destination device is located off of a high-security interface? (choose all that apply) | B. This traffic is allowed if the initial traffic was inspected and this traffic is the return traffic C. If there is an access list that is permitting this traffic |
| Which of the following tools could be used to configure or manage an ASA? (Choose all that apply) | A. Cisco Security Manager (CSM) B. ASA Security Device Manager (ASDM) D.The command-line interface |
| Which of the following elements, which are part of the Modular Policy Framework on the ASA, are used to classify traffic? | Class maps |
| When you configure the ASA as a DHCP server for a small office, what default gateway will be assigned for the DHCP clients to use? | C. The ASA's inside IP address |
| When you configure network address translation for a small office, devices on the Internet will see the ASA inside users as coming from which IP address? | The outside address of the ASA |
| You are interested in verifying whether the security policy you implemented is having the desired effect. How can you verify this policy without involving end users or their computers? | C. Use the Packet Tracer tool |
| Which of the following elements, which are part of the Modular Policy Framework, is used to identify the actions that will be taken on traffic? | policy maps |
| Which of the following is an accurate description of the word outbound as it relates to an ASA? (Choose all that apply) | Traffic from a device that is located on a high-security interface Traffic that is exiting any interface |
| Which element of the ASA Modular Policy Framework is used to activate policy? | service policy |
| Which of the following benefits of the ASA might a basic stateful firewall not contain? | The ASA uses standard masks in ACL entries. |
| On an ASA what level does inside get and what level is the default? | inside:100; everything else:0 |
| what security level is DMZ default | 1-99 |
| Deny certain types of ICMP or UDP traffic (traceroute and ping traffic) to mitigate which attacks? | Reconnaissance attacks |
| What does an ACL protect against? | TCP SYN flood attacks, reconnaissance attacks, and general vulnerabilities |
| t/f you should log at level 7 | false!!! |
| in IPv6 the explicit "deny any" does not include? | Network solicitation (NS) and Network Advertising |
| ACL close to the destination | standard |
| ACL close to the source | extended |
| ACL only tracks source IP | standard |
| ACL that tracks source, destination, protocols etc... | extended |
| In what mode can standard ACLs on ASAs be used? | Routed mode (not transparent) |
| ASA ACL that Identify packets based on the destination IP addresses | standard |
| what layer is extended ACL on ASA | layer 3 |
| ACL that can be configured on an ASA in transparent mode? | EtherType ACL |
| Used to filter IP- and non-IP-based traffic Checks Ethernet type code field in the Layer 2 header | EtherType ACL |
| allow traffic to pass if no ACL is defined; Restricts traffic coming through tunnels | WebVPN ACL |
| Steps to configure Packet filtering on ASA | 1.set up ACL 2.Apply ACL to interface 3.Set up IPv6 ACL(Optional) |
| Object group that specifies a list of IP host, subnet, or network addresses | Network object group |
| Object group used to cluster TCP and/or UDP services together | Service object group |
| 2 possible syntax for service object groups | eq and range |
| Type of Time-Based ACL | NTP |
| Two types of ASA application layer filtering: | 1.content filtering 2.URL filtering |
| Use ASA to remove malicious content from the packets. | content filtering |
| Determine if the packets are passing through the configured ACLs. hitcnt incremented when ACE is matched | show access-list command |
| what does the show capture command do? | shows captured packets and exports to pcap for wireshark |
| t/f ACLs can be used to filter management traffic that is not passing through the router. | false |
| What is the benefit of a network object group as it relates to access lists? | A single object group, that contains many hosts, can simplify the implementation of an ACL. |
| Extended ACLs should be placed where? | As close as possible to the source of the traffic being filtered |
| With IPv6, what is significantly different about applying a packet filter to an interface compared with IPv4? | You use the command traffic-filter instead of access-group. |
| What algorithms in a VPN provide the confidentiality? (Choose all that apply) | AES and 3DES |
| A remote user needs to access the corporate network from a hotel room from a laptop. What type of VPN is used for this? | a. Remote-Access VPN |
| Which type of VPN technology is likely to be used in a site-to-site VPN? | IPsec |
| Which two of the following are benefits of VPNs? | a. Confidentiality b. Data Integrity |
| Which of the following are symmetrical encryption ciphers? (Choose all that apply) | AES and 3DES |
| Which is the primary difference between a hash and Hashed Message Authentication Code (HMAC)? | Keys |
| What is used to encrypt the hash in a digital signature? | Sender's private Key |
| What are valid options to protect data in motion with or without a full VPN? (Choose all that apply) | a. TLS b. SSL c. HTTPS d. IPsec |
| Why is the public key in a typical public-private key pair referred to as public? | a. Because it is shared publicly |
| What is the key component used to create a digital signature? | Private Key |
| What is the key component used to verify a digital signature? | Sender's public key |
| What is another name for a hash that has been encrypted with a private key? | Digital Signatures |
| What are the primary responsibilities for a certificate authority (CA)? (choose all that apply) | a. Issuing identity certificates b. Tracking identity certificates |
| Which of the following is not a way for a client to check to see whether a certificate has been revoked? | a. Look at the lifetime of the certificate itself |
| Which of the following could be found in a typical identity certificate? (Choose all that apply) | a. CRL locations b. Validity date c. Public key of the certificate owner d. Serial number |
| Which standard format is used to request a digital certificate from a CA? | a. PKCS#10 |
| When obtaining the initial root certificate, what method should be used for validation of the certificate? | Telephone |
| Which method, when supported by both the client and the CA, is the simplest to use when implementing identity certificates on the client? | SCEP |
| Which technology is a primary method that IPsec uses to implement data integrity? | MD5 |
| What are the source and destination addresses used for an encrypted IPsec packet? | Sending and receiving VPN gateway |
| Which phase is used for private management traffic between the two VPN peers? | IKE Phase 1 |
| Which of the following are negotiated during IKE Phase 1? | a. Hashing b. DH group c. Encryption d. Authentication method |
| What method is used to allow two VPN peers to establish shared secret keys and to establish those keys over an untrusted network? | DH |
| Which of the following is not part of the IKE Phase 1 process? | Negotiating the transform set to use |
| How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely? | a. Use the IKE Phase 1 tunnel |
| What are the two main methods for authenticating a peer as the last step of IKE Phase 1? (Choose all that apply) | a. RSA signatures, using digital certificates to exchange public keys PSK (Pre-shared key) |
| Which component acts as an if-then statement, looking for packets that should be encrypted before they leave the interface? | a. Crypto map |
| What is true about symmetrical algorithms and symmetrical crypto access lists used on VPN peers? | a. Symmetrical algorithms use the same secret (key) to lock and unlock the data. Symmetrical ACLs between two VPN peers should symmetrically swap the source and destination portions of the ACL. |
| Which of the following commands reveals the ACLs, transform sets, and peer information and indicates which interface is being used to connect to the remote IPsec VPN peer? | a. show crypto map |
| Which of the following could be part of both an IKEv1 Phase 1 and IKEv1 Phase 2 policy? (Choose all that apply) | a. MD5 b. AES c. DH |
| How is it possible that a packet with private layer 3 destination address is forwarded over the internet? | a. It is encapsulated into another packet, and the Internet only sees the outside valid IP destination addresses. |
| What is the method for specifying the IKEv1 Phase 2 encryption method? | Crypto ipsec transform-set |
| Which of the following potentially could be negotiated during IKEv1 Phase 2? (Choose all that apply) | a. Hashing b. DH group c. Encryption |
| Which of the DH groups is the most prudent to use when security is of the utmost importance? | 5 |
| Which of the following is never part of an IKEv1 Phase 2 process? | Main Mode |
| Which encryption method will be used to protect the negotiation of the IPsec (IKEv1 Phase 2) tunnel? | a. The one negotiated in the ISAKMP policy |
| Which is the most secure method for authentication of IKEv1 Phase 1? | a. RSA signatures, using Digital certificates to exchange public keys |
| Which component is not placed directly in a crypto map? | Authentication policy |
| Which of the following would cause a VPN tunnel using IPsec to never initialize or work correctly? (Choose all that apply) | Incompatible IKEv1 Phase 2 transform sets; incorrect pre-shared keys or missing digital certificates; lack of interesting traffic; incorrect routing |
| Which of the following IKE versions are supported by the Cisco ASA? (Choose all that apply) | IKEv1, IKEv2 |
| What is the purpose of NAT exemption? | To bypass NAT for traffic in the VPN tunnel |
| Which of the following commands are useful when troubleshooting VPN problems on the Cisco ASA? (Choose all that apply) | show isakmp sa detail; debug crypto ikev1 \| ikev2; show crypto ipsec sa detail; show vpn-sessiondb |
| (True or False) The Cisco ASA cannot be configured with more than one IKEv1 or IKEv2 policy. | false |
| Which of the following statements most accurately describes how packets are encrypted in IPsec ESP when in tunnel mode? | The entire packet is encrypted and encapsulated in a new IP header. |
| Which of the following algorithms uses asymmetrical keys to establish a symmetric key in IPsec Phase 1? | DH |
| Which hashing algorithm has larger digests and is therefore more secure and less likely to have problems with collisions? | SHA |
| T/F The authentication process for SSL-based VPNs uses hashing technologies. | True |
| T/F SSL-based VPNs use symmetric algorithms for authentication and key exchange. | false |
| Which type of encryption algorithm uses the same key for encryption and decryption? | Symmetric |
| What types of VPNs are not supported over Cisco routers and ASAs? (Choose two) | IPsec clientless remote-access VPNs; SSL site-to-site VPNs |
| Symmetric Protocols? | 3DES, AES, IDEA |
| Asymmetric protocols | RSA, Diffie-Hellman, Elliptic Curve |
| Which SSL solution is most appropriate for a remote user who is at a borrowed computer and needs access to a single server at the central office? | SSL Clientless VPN |
| Which of the following solutions assigns a virtual IP address to the remote user to use for traffic sent over the SSL VPN to the server? | Cisco AnyConnect Secure Mobility Client |
| What is the immediate cost savings when implementing SSL VPNs? | Easy deployment |
| How does an SSL client send the desired shared secret to the server? | Encrypts it with the server's public key |
| Which of the following is not part of configuring the clientless SSL VPN on the ASA? | Configuring a pool of IP addresses for the remote users to use |
| What may be the potential problem when enabling SSL VPNs on an interface on the ASA? | ASDM must be used with a different URL |
| Which of the following steps is configured when setting up Cisco AnyConnect Secure Mobility Client on the ASA that would not be configured for clientless SSL VPN? (Choose all that apply) | NAT exemption; pool of addresses |
| Where does the ASA keep the copy of the Cisco AnyConnect Secure Mobility Client that may be deployed down to the client? | On Flash |
| Which of the following are common issues that users experience when they cannot send or receive IP traffic over an SSL VPN tunnel? (Choose all that apply) | Routing issues behind the ASA; access control lists blocking traffic; network address translation not being bypassed for VPN traffic |
| T/F Devices behind a transparent firewall should not configure the transparent firewall as their default gateway. Instead, another router on the other side of the firewall should be used as the default gateway. | true |
| Which type of transparent firewall supports multiple contexts with each context functioning in a separate broadcast domain? | Multi-mode transparent firewall |
| T/F When configuring a transparent firewall in MMTF mode, all contexts should always share a common subnet. | False |
| Which wireless extended authentication protocol is Cisco proprietary? | LEAP |
| When using a transparent firewall, you can protect devices in your network from a malicious device that tries to impersonate the default gateway by using which feature? | ARP Inspection |
| What types of address translation are supported on a transparent firewall? | Static NAT; Dynamic NAT; PAT configured to use a statically configured IP address |
| Which wireless extended authentication protocol requires the use of public key infrastructure? | EAP-TLS |
| T/F When configured as a transparent firewall, each up/up non-management interface must be configured with a unique IP address. | False |
| What is the purpose of configuring a default gateway address on an ASA configured as a transparent firewall? | The default gateway on the ASA is used for traffic originating from the ASA |
| What method should you implement when it is not acceptable for an attack to reach its intended victim? | IPS |
| A company has hired you to determine whether attacks are happening against the server farm, and it does not want any additional delay added to the network. Which deployment method should be used? | IDS |
| Why does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim? | The IPS is inline with the traffic. |
| Which method of IPS uses a baseline of normal network behavior and looks for deviations from that baseline? | Anomaly-based IPS |
| What type of implementation requires custom signatures to be created by the administrator? | Policy-based IPS |
| Which method requires participation in global correlation involving groups outside your own enterprise? | Reputation-based IPS |
| Which of the micro-engines contains signatures that can only match on a single packet, as opposed to a flow of packets? | Atomic |
| Which of the following are properties directly associated with a signature? (Choose all that apply) | ASR, SFR, TVR |
| Which of the following is not a best practice? | Assign aggressive IPS responses to specific signatures |
| What is the name of Cisco cloud-based services for IPS correlation? | SIO |
| Which of the following is not a Next-Generation IPS (NGIPS) solution? | SIO IPS |
| Which IOS-based IPS signature option results in the signature not being compiled and using less memory as a result? | retired |
| When installing an IOS-based IPS, what is the purpose of the realm-cisco.pub file? | It is used to validate the signature that Cisco has placed on the signature package. |
| Select the options necessary in order for an IOS-based IPS signature to be compiled, but inactive: | disabled, unretired |
| This mechanism is used to simplify the management of IPS/IDS actions and reduce the amount of noise generated in the form of unnecessary alerts. | Risk rating |
| Which method of IPS uses a baseline of normal network behavior and looks for deviations from that baseline? | Anomaly-based IPS |
| In order to be active, IOS-based IPS signatures must be: (select all that apply) | enabled, unretired |
| Non-malicious traffic on the network. No signature fired. | true negative |
| Malicious traffic on the network. No signature fired. | false negative |
| Malicious traffic on the network. Signature fired. | true positive |
| Non-malicious traffic on the network. Signature fired | false positive |
| Which types of VPNs are NOT supported by an ASA configured as a transparent firewall? | SSL site-to-site on a non-management interface; IPsec site-to-site on a non-management interface; SSL AnyConnect on a non-management interface |
| · Be able to name the three network foundation protection planes. Describe what each one does and how you would secure it. | 1. Management plane: protocols and traffic at the admin level. Securing it: sync time with NTP, use SNMPv3. 2. Control plane: protocols and traffic for network devices. Securing it: use CoPP, CPPr. 3. Data plane: traffic being forwarded via the network. Securing it: ACLs, private VLANs, TCP Intercept. |
| · Be able to explain a CAM table overflow attack and how to mitigate it. | The attacker floods the CAM table. The overloaded switch acts like a hub, flooding all frames within the VLAN, which allows the attacker to listen. Mitigation: limit the number of learned MAC addresses, set timers for how long switch ports learn MAC addresses, and enable port security. |
| · Be able to explain the difference between static packet filtering and stateful packet filtering and provide examples of each. | Static packet filtering: filters only on information defined by admin rules. Example: simple ACLs. Stateful packet filtering: remembers outgoing traffic and allows the responses, modifying rule sets in real time to permit return traffic. Example: firewalls. |
| · Be able to explain how to implement a DMZ using a router or an ASA. | 1. Define zones. 2. Define zone-pairs. 3. Define class-maps for each zone-pair. 4. Define policy-maps to apply an action to your class-maps' traffic. 5. Apply policy-maps to zone-pairs (this is also referred to as a service policy). 6. Assign interfaces to zones. |
| · Be able to describe object-based ACLs and explain their advantages. | Object groups for ACLs let you classify users, devices, or protocols into groups and apply those groups to ACLs, which can then be implemented by using the group name. Advantages: ACLs are easy to edit, implement, and delete, with fewer commands. |
| · Be able to identify a SYN flood attack and describe how to mitigate it. | A type of DoS attack in which an attacker floods the target device with SYN requests in order to consume enough of the server's resources to make the device unresponsive. Mitigation: use ACLs with a zone-based firewall, TCP Intercept. |
| · Be able to explain an embryonic connection. | A half-open request/connection that has not finished the handshake between the source and destination. |
| · Be able to explain how an IPsec site-to-site VPN works. | IPsec encrypts the data and encapsulates it so that, when it is sent over the Internet, only the outer source and destination addresses are shown. The destination then decrypts the packet so it can read the data. |
| · Be able to explain what a web-launch VPN is and how it is implemented. | look at notes |
| · Be able to explain the differences between an IDS and an IPS. | IDS: only detects traffic and can notify other devices to drop it, but cannot drop it on its own; it is positioned off to the side of the network. IPS: can drop traffic and also notify other devices to drop it; it is inline on the network. |
| · Be able to explain and discuss appropriate applications of a transparent firewall. | look at notes |