Security Final

  • 8/12/2019 Security Final

    1. When logging is enabled for an ACL entry, how does the router switch packets filtered by

    the ACL?

    topology-based switching

    autonomous switching

    process switching

    optimum switching

    2. Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?

    It enables the Secure Copy Protocol (SCP).

    It supports AAA configuration.

    It enables TCP intercepts.

    **It sets an access class ACL on vty lines.**

    It provides an option for configuring SNMPv3 on all routers.

    3. What are three common examples of AAA implementation on Cisco routers? (Choose three.)

    **authenticating administrator access to the router console port, auxiliary port, and vty ports**

    **authenticating remote users who are accessing the corporate LAN through IPsec VPN connections**

    implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates

    **implementing command authorization with TACACS+**

    securing the router by locking down all unused services

    tracking Cisco Netflow accounting statistics

    4. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router using the password cisco123. What is a possible cause of the problem?

    The Telnet connection between RouterA and RouterB is not working correctly.

    **The password cisco123 is wrong.**

    The enable password and the Telnet password need to be the same.

    The administrator does not have enough rights on the PC that is being used.

    5. Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?

    2

    **3**

    5

    6

    6. If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)

    **The port is disabled.** (Corrected by Elfnet)

    The switch is rebooted. (Original answer)

    **An SNMP log message is sent.**

    The port is placed in a blocking state.

    The switch forwards control traffic only.

http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-5-wtmk.jpg
http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-4-wtmk.jpg
    11. Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

    R1(config)# interface fa0/0
    R1(config-if)# ip inspect INSIDE in
    R1(config-if)# ip access-group OUTBOUND in

    R1(config)# interface fa0/1
    R1(config-if)# ip inspect INSIDE in
    R1(config-if)# ip access-group OUTBOUND in

    R1(config)# interface fa0/1
    R1(config-if)# ip inspect OUTBOUND in
    R1(config-if)# ip access-group INSIDE out

    R1(config)# interface fa0/0
    R1(config-if)# ip inspect OUTBOUND in
    R1(config-if)# ip access-group INSIDE in

    **R1(config)# interface fa0/1**
    **R1(config-if)# ip inspect**

    14. What can be used as a VPN gateway when setting up a site-to-site VPN?

    Cisco Catalyst switch

    Cisco router

    Cisco Unified Communications Manager

    Cisco AnyConnect

    15. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?

    LAN storm

    MAC address spoofing

    MAC address table overflow

    **STP manipulation**

    VLAN attack

    16. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?

    The resulting action is determined by the destination IP address.

    The resulting action is determined by the destination IP address and port number.

    The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.

    **The traffic is dropped.**

    17. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

    authentication

    confidentiality

    Diffie-Hellman

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-16-wtmk.jpg
    integrity

    nonrepudiation

    authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms

    21. Which action best describes a MAC address spoofing attack?

    **altering the MAC address of an attacking host to match that of a legitimate host**

    bombarding a switch with fake source MAC addresses

    forcing the election of a rogue root bridge

    flooding the LAN with excessive traffic

    22. When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?

    Configure the message encryption algorithm with the encryptiontype ISAKMP policy configuration command.

    Configure the DH group identifier with the groupnumber ISAKMP policy configuration command.

    Configure a hostname with the crypto isakmp identity hostname global configuration command.

    **Configure a PSK with the crypto isakmp key global configuration command.**

    23. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)

    **There is no access control to specific interfaces on a router.**

    The root user must be assigned to each privilege level defined.

    **Commands set on a higher privilege level are not available for lower privileged users.**

    Views are required to define the CLI commands that each user can access.

    **Creating a user account that needs access to most but not all commands can be a tedious process.**

    It is required that all 16 privilege levels be defined whether they are used or not.

    24. Which set of Cisco IOS commands instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

    R1(config)# ip ips signature-category
    R1(config-ips-category)# category all
    R1(config-ips-category-action)# retired false

    **R1(config)# ip ips signature-category**
    **R1(config-ips-category)# category ios_ips basic**
    **R1(config-ips-category-action)# retired false**

    R1(config)# ip ips signature-category
    R1(config-ips-category)# category all
    R1(config-ips-category-action)# no retired false

    R1(config)# ip ips signature-category
    R1(config-ips-category)# category ios_ips basic
    R1(config-ips-category-action)# no retired false

    25. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)

    **Subsequent virtual login attempts from the user are blocked for 60 seconds.**

    During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.

    Subsequent console login attempts are blocked for 60 seconds.

    **A message is generated indicating the username and source IP address of the user.**

    **During the quiet mode, an administrator can log in from host 172.16.1.2.**

    No user can log in virtually from any host for 60 seconds.

    26. Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?

    The ACL must be applied to each vty line individually.

    The ACL is applied to the Telnet port with the ip access-group command.

    Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces. (Original)

    **The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.** (Corrected by Joker!)

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-25-wtmk.jpg
    27. What are three characteristics of the ASA routed mode? (Choose three.)

    This mode does not support VPNs, QoS, or DHCP Relay (Original)

    **The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets** (Corrected by Elfnet * Joker!)

    **It is the traditional firewall deployment mode.**

    **NAT can be implemented between connected networks.** (Corrected by Elfnet * Joker!)

    This mode is referred to as a "bump in the wire" (Original)

    In this mode, the ASA is invisible to an attacker

    28. Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?

    Active Directory

    Kerberos (Original)

    Certificate Authority

    **RADIUS**

    30. Refer to the exhibit. What conclusion can be drawn from the exhibited window when it is displayed on a remote user computer screen?

    The user has connected to a secure web server.

    **The user has established a client-based VPN connection.**

    The user has logged out of the AnyConnect VPN client.

    The user is installing the AnyConnect VPN client.

    The user is using a web browser to connect to a clientless SSL VPN.

    31. What will be disabled as a result of the no service password-recovery command?

    aaa new-model global configuration command

    changes to the configuration register

    password encryption service

    **ability to access ROMmon**

    32. Which type of IPS signature detection is used to distract and confuse attackers?

    pattern-based detection

    anomaly-based detection

    policy-based detection

    **honey pot-based detection**

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-30-wtmk.jpg
    33. Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?

    Issue the logging on command in global configuration.

    **Issue the ip ips notify sdee command in global configuration.**

    Issue the ip audit notify log command in global configuration.

    Issue the clear ip ips sdee events command to clear the SDEE buffer.

    34. Which attack allows the attacker to see all frames on a broadcast network by causing a switch to flood all incoming traffic?

    LAN storm (Original)

    VLAN hopping

    STP manipulation

    **MAC table overflow** (Corrected by Joker! * Andy)

    The user has logged out of an AnyConnect IPsec VPN session.

    The user has logged out of an AnyConnect SSL VPN session. (Original)

    36. An administrator has been asked to configure basic access security on a router, including creating secure passwords and disabling unattended connections. Which three actions accomplish this using recommended security practices? (Choose three.)

    Create passwords with only alphanumeric characters.

    **Set the minimum password length to 10 characters.**

    Set the executive timeout parameters on the console port to 120 and 0. (Original)

    **Set the executive timeout parameters on the vty lines to 3 and 0.** (Corrected by Joker!)

    **Enable the password encryption service for the router.**

    Enable login using the Aux port with the executive timeout set to 0 and 0.

    37. Which type of intrusion prevention technology is primarily used by Cisco IPS security appliances?

    rule-based

    profile-based

    **signature-based**

    NetFlow anomaly-based

    protocol analysis-based

    38. Which type of packets exiting the network of an organization should be blocked by an ACL?

    packets that are not encrypted

    packets that are not translated with NAT

    **packets with source IP addresses outside of the organization's network address space**

    packets with destination IP addresses outside of the organization's network address space

    39. An administrator wants to prevent a rogue Layer 2 device from intercepting traffic from multiple VLANs on a network. Which two actions help mitigate this type of activity? (Choose two.)

    **Disable DTP on ports that require trunking.**

    Place unused active ports in an unused VLAN.

    Secure the native VLAN, VLAN 1, with encryption.

    **Set the native VLAN on the trunk ports to an unused VLAN.**

    Turn off trunking on all trunk ports and manually configure each VLAN as required on each port.

    40. Which command would an administrator use to clear generated crypto keys?

    Router(config)# crypto key decrypt

    Router(config-line)# transport input ssh clear

    Router(config)# crypto key rsa

    **Router(config)# crypto key zeroize rsa**

    41. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?

    All vty ports are automatically configured for SSH to provide secure management.

    The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.

    The keys must be zeroized to reset secure shell before configuring other parameters.

    **The generated keys can be used by SSH.**

    42. Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem?

    An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces. (Original)

    **The no shutdown command should be entered on interface Ethernet 0/1.** (Corrected by Joker! * Andy)

    The security level of the inside interface should be 0 and the outside interface should be 100.

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-42-wtmk.jpg
    AAA

    port forwarding

    47. What are three goals of a port scan attack? (Choose three.)

    disable used ports and services

    **determine potential vulnerabilities**

    **identify active services**

    identify peripheral configurations

    identify operating systems

    discover system passwords

    50. Sales representatives of an organization use computers in hotel business centers to occasionally access corporate e-mail and the inventory database. What would be the best VPN solution to implement on an ASA to support these users?

    client-based IPsec VPN using Cisco VPN Client (Original answer)

    client-based IPsec VPN using AnyConnect

    client-based SSL VPN using AnyConnect

    clientless IPsec VPN using a web browser

    **clientless SSL VPN using a web browser** (Corrected by Elfnet)

    site-to-site IPsec VPN

    51. Refer to the exhibit. What information can be obtained from the AAA configuration statements?

    **The authentication method list used for Telnet is named ACCESS.**

    The authentication method list used by the console port is named ACCESS.

    The local database is checked first when authenticating console and Telnet access to the router.

    If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.

    If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

    52. What must be configured before any Role-Based CLI views can be created?

    **aaa new-model command**

    multiple privilege levels

    secret password for the root user

    usernames and passwords

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-51-wtmk.jpg
    53. Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)

    A copy of the Cisco IOS image file has been made.

    **A copy of the router configuration file has been made.**

    **The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.**

    The Cisco IOS image filename will be listed when the show flash command is issued on R1.

    The copy tftp flash command was issued on R1.

    **The secure boot-config command was issued on R1.**

    54. What are two disadvantages of using network IPS? (Choose two.)

    **Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.**

    **Network IPS is incapable of examining encrypted traffic.**

    Network IPS is operating system-dependent and must be customized for each platform.

    Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.

    Network IPS sensors are difficult to deploy when new networks are added.

    55. Which statement describes the CCP Security Audit wizard?

    After the wizard identifies the vulnerabilities, the CCP One-Step Lockdown feature must be used to make all security-related configuration changes.

    After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.

    The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist. (Original Answer)

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-53-wtmk.jpg
    **The wizard is based on the Cisco IOS AutoSecure feature.** (Corrected by Elfnet * Andy)

    The wizard is enabled by using the Intrusion Prevention task.

    56. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

    An interface can be assigned to multiple security zones. (Original)

    Interfaces can be assigned to a zone before the zone is created.

    **Pass, inspect, and drop options can only be applied between two zones.** (Corrected by Joker! * Andy)

    **If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.**

    Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.

    **To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.**

    57. Refer to the exhibit. Which option tab on the CCP screen is used to view the Top Threats table and deploy signatures associated with those threats?

    Create IPS

    Edit IPS

    **Security Dashboard**

    IPS Sensor

    IPS Migration

    58. Which statement correctly describes a type of filtering firewall?

    A transparent firewall is typically implemented on a PC or server with firewall software running on it.

    A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.

    http://www.invialgo.com/khidhir/wp-content/uploads/2012/06/question-57-wtmk.jpg
    An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.

    **A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.**

    59. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

    auditing

    accounting

    **authorization**

    authentication

    60. Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.)

    Place generic ACL entries at the top of the ACL. (Original)

    **Place more specific ACL entries at the top of the ACL.**

    **Router-generated packets pass through ACLs on the router without filtering.**

    ACLs always search for the most specific entry before taking any filtering action.

    A maximum of three IP access lists can be assigned to an interface per direction (in or out).

    **An access list applied to any interface without a configured ACL allows all traffic to pass.** (Corrected by Elfnet * Joker!)