Cisco 640-554 IINS v2.0 practice exam. Passing Score: 800. Time Limit: 120 min. File Version: 1.0.


Cisco IINS v2.0

Sections:
1. Common Security Threats
2. Security and Cisco Routers
3. AAA
4. IOS ACLs
5. Secure Network Management and Reporting
6. Common Layer 2 Attacks
7. Cisco Firewall Technologies
8. Cisco IPS
9. VPN Technologies

Exam A

QUESTION 1
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)
A. Spam protection
B. Outbreak intelligence
C. HTTP and HTTPS scanning
D. Email encryption
E. DDoS protection
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
IronPort Email Security Appliances and IronPort Web Security Appliances (WSA): these appliances provide granular control of email and, in the case of web traffic and the WSA, can track thousands of applications and enforce security policies to protect networks against threats.

QUESTION 2
Which two characteristics represent a blended threat? (Choose two.)
A. man-in-the-middle attack
B. trojan horse attack
C. pharming attack
D. denial of service attack
E. day zero attack
Correct Answer: BE
Section: 1. Common Security Threats
A blended threat is an exploit that combines elements of multiple types of malware and usually employs multiple attack vectors to increase the severity of damage and the speed of contagion. Nimda, CodeRed, Bugbear and Conficker are a few well-known examples. Although they may be identified as viruses, worms or Trojan horses, most current exploits are blended threats.

A blended threat typically includes:
- More than one means of propagation, for example sending an email with a hybrid virus/worm that will self-replicate and also infect a web server so that contagion will spread through all visitors to a particular site.
- Exploitation of vulnerabilities, which may be pre-existing or may be caused by malware distributed as part of the attack.
- The intent to cause real harm, for example by launching a denial of service (DoS) attack against a target or delivering a Trojan horse that will be activated at some later date.
- Automation that enables increasing contagion without requiring any user action.
To guard against blended threats, experts urge network administrators to be vigilant about patch management, use and maintain good firewall products, employ server software to detect malware, and educate users about proper email handling and online behavior.
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

QUESTION 3
Which type of security control is defense in depth?
A. threat mitigation
B. risk analysis
C. botnet mitigation
D. overt and covert channels
Correct Answer: A
Section: 1. Common Security Threats

QUESTION 4
Which four methods are used by hackers? (Choose four.)

A. footprint analysis attack
B. privilege escalation attack
C. buffer Unicode attack
D. front door attacks
E. social engineering attack
F. Trojan horse attack
Correct Answer: ABEF
Section: 1. Common Security Threats

QUESTION 5
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?
A. aaa accounting network start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+
Correct Answer: C
Section: 3.0 AAA

QUESTION 6
What is the best way to prevent a VLAN hopping attack?
A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BPDU guard.
Correct Answer: C
Section: 6. Common Layer 2 Attacks

QUESTION 7
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?
A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonnegotiate
Correct Answer: D
Section: 6. Common Layer 2 Attacks

QUESTION 8
Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)
A. root guard
B. BPDU filtering
C. Layer 2 PDU rate limiter
D. BPDU guard

Correct Answer: AD
Section: 6. Common Layer 2 Attacks
The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.
The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.

QUESTION 9
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)
A. IP source guard
B. port security
C. root guard
D. BPDU guard
Correct Answer: AB
Section: 6. Common Layer 2 Attacks
Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port. This also provides the ability to specify an action to take if a port security violation occurs.
IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on nonrouted Layer 2 interfaces. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.
Reference: layer2-secftrs-catl3fixed.html#ipsourceguard

QUESTION 10

Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
Reference: n400xi_config/privatevlans.html

QUESTION 11
What are two primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. switch spoofing
C. CAM-table overflow
D. double tagging
Correct Answer: BD
Section: 6. Common Layer 2 Attacks
Switch spoofing is when a host uses software to act like a switch and connect via a negotiated trunk port. Double tagging is when a host tags frames with two VLAN tags.

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.
VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown below. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.
Reference:

QUESTION 12
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member

B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD
Section: 7. Cisco Firewall Technologies

QUESTION 13
Which two services are provided by IPsec? (Choose two.)
A. Confidentiality
B. Encapsulating Security Payload
C. Data Integrity
D. Authentication Header
E. Internet Key Exchange
Correct Answer: AC
Section: 9.0 VPN Technologies

QUESTION 14
Which command verifies phase 2 of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active

Correct Answer: B
Section: 9.0 VPN Technologies
The main commands for verifying IPsec connections on Cisco devices are:
- show crypto isakmp sa: shows IKE Phase 1.
- show crypto ipsec sa: shows IKE Phase 2; will show the details from the crypto map even when the tunnel is down.
- show crypto session: will show as DOWN when the IPsec connection hasn't been made; shows everything.

QUESTION 15
Which three protocols are supported by management plane protection? (Choose three.)
A. SNMP
B. SMTP
C. SSH
D. OSPF
E. HTTPS
F. EIGRP
Correct Answer: ACE
Section: 5. Secure Network Management and Reporting

QUESTION 16
Which statement about rule-based policies in Cisco Security Manager is true?
A. Rule-based policies contain one or more rules that are related to a device's security and operations parameters.

B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.
C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.
D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.
Correct Answer: B
Section: 2. Security and Cisco Routers
Rule-Based Policies
Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and inspection rules defined as part of a firewall service. Rule-based policies can contain hundreds or even thousands of rules arranged in a table, each defining different values for the same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first rule whose definition matches the flow (known as first matching).
Reference: poman.html
Understanding Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by defining policies on devices (which includes individual devices, service modules, security contexts, and virtual sensors) and VPN topologies (which are made up of multiple devices), and then deploying the configurations defined by these policies to these devices. Several types of policies might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure multiple policies, such as IPsec, IKE, GRE, and so forth. Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the device.
Settings-Based Policies vs. Rule-Based Policies

Settings-Based Policies
Settings-based policies contain sets of related parameters that together define one aspect of security or device operation. For example, when you configure a Cisco IOS router, you can define a quality of service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on which QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based policies, which can contain hundreds of rules containing values for the same set of parameters, you can define only one set of parameters for each settings-based policy defined on a device.

QUESTION 17
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?
A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius
Correct Answer: C
Section: 3.0 AAA

QUESTION 18
Which option provides the most secure method to deliver alerts on an IPS?
A. IME
B. CSM
C. SDEE

D. syslog
Correct Answer: C
Section: 8.0 Cisco IPS
Pull (syslog can only push; SDEE can pull, and uses HTTP/HTTPS).

QUESTION 19
Which syslog level is associated with LOG_WARNING?
A. 1
B. 2
C. 3

D. 4
E. 5
F. 6
Correct Answer: D
Section: 5. Secure Network Management and Reporting
Reference: Syslog levels table

QUESTION 20
Scenario: You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business questions.

What is included in the Network Object Group INSIDE? (Choose two.)
A. Host
B. Network /24

C. Network /24
D. Host
E. Network /8
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Note: can't answer from this description/image.

QUESTION 21
Which represents a unique link-local address (IPv6)?
A. FEB0::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32
Correct Answer: A
Section: 2. Security and Cisco Routers
2002::/16 is for 6to4 tunnels. FEB0::/8 would be the correct answer then. FE80::, FE90::, FEA0::, FEB0::

QUESTION 22
How many class maps can be configured on a (router) interface?
A. 1
B. 2

C. 3
D. 4
Correct Answer: A
Section: 7. Cisco Firewall Technologies
I think this question is actually about policy maps. You can configure a single service policy on an interface; this service policy references a policy map. A policy map can reference up to 64 class maps, which is the limit of class maps that can be created.

QUESTION 23
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive
Correct Answer: C
Section: 3.0 AAA
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.
SUMMARY STEPS
1. enable view
2. configure terminal
3. li-view li-password user username password password

4. username [lawful-intercept] name [privilege privilege-level view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name
DETAILED STEPS
Step 1: Router> enable view. Enables root view. Enter your privilege level 15 password (for example, the root password) if prompted.
Step 2: Router# configure terminal. Enters global configuration mode.
Step 3: li-view li-password user username password password. Example: Router(config)# li-view lipass user li_admin password li_adminpass. Initializes a lawful intercept view with a password of lipass and a user of li_admin whose password is li_adminpass. After the li-view is initialized, you must specify at least one user via the user username password password options.
Step 4: username lawful-intercept [name] [privilege privilege-level view view-name] password password. Example: Router(config)# username lawful-intercept li-user1 password li-user1pass. Configures lawful intercept users on a Cisco device.

QUESTION 24
Which NAT types are used for ASA in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload

D. Dynamic PAT
Correct Answer: A
Section: 7. Cisco Firewall Technologies
With a transparent firewall, we still have two interfaces, but we do not assign IP addresses to those interfaces, and those two interfaces act more like a bridge (or a switch with two ports in the same VLAN). Traffic from one segment of a given subnet is forced through the transparent firewall if those frames want to reach the second segment behind the firewall. A transparent firewall has a management IP address so that we can remotely access it, but that is all. Users accessing resources through the firewall will not be aware that it is even present, and one of the biggest advantages of using a transparent firewall is that we do not have to re-address our IP subnets to put a transparent firewall in-line on the network.

QUESTION 25
Which 3 RADIUS server authentication protocols are supported on Cisco ASA firewalls?
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: CEF
Section: 3.0 AAA
Supported Authentication Methods
The ASA supports the following authentication methods with RADIUS servers:
- PAP: for all connection types.
- CHAP and MS-CHAPv1: for L2TP-over-IPsec connections.
- MS-CHAPv2: for L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.
- Authentication Proxy modes: for RADIUS-to-Active-Directory, RADIUS-to-RSA/SDI, RADIUS-to-token server, and RSA/SDI-to-RADIUS connections.

To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.

QUESTION 26
Which wildcard mask is associated with a subnet mask of /27?
A.
B.
C.
D.
Correct Answer: A
Section: 7. Cisco Firewall Technologies

QUESTION 27
What does NTP authenticate?
A. Client's device and time source
B. Time source only
C. Client's device only
D. Firewall and client's device
Correct Answer: B
Section: 5. Secure Network Management and Reporting

QUESTION 28
Which firewall acts on behalf of the end user?

A. Proxy
B. State
C. Asa
D. Application
Correct Answer: A
Section: 7. Cisco Firewall Technologies

QUESTION 29
What encryption does Cisco use to protect image downloading?
A. Sha1
B. Sha2
C. Md5
D. Md1
Correct Answer: C
Section: 8.0 Cisco IPS
This is referring to the hash that Cisco uses to allow customers to confirm the download of Cisco software, including the IPS signature files.

QUESTION 30
How long does the router wait for a TACACS+ response before it throws an error?
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
Correct Answer: A
Section: 3.0 AAA

The TACACS+ timeout can be set globally or per server.
Configuring the Global TACACS+ Timeout Interval
You can set a global timeout interval that the Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure.
Step 1: switch# configure terminal. Enters configuration mode.
Step 2: switch(config)# tacacs-server timeout seconds. Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Optional, per server: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds. Specifies the timeout interval for a specific server. The default is the global value. Note: the timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.
Step 3: switch(config)# exit. Exits configuration mode.
Step 4: switch# show tacacs-server. (Optional) Displays the TACACS+ server configuration.

QUESTION 31
Which information describes the integrity and authentication for HMAC? (Choose two.)
A. Password
B. Hash
C. The key
D. Transform sets
Correct Answer: BC
Section: 9.0 VPN Technologies

When using HMAC (Hashed Message Authentication Code), we combine the integrity checking capability of the hashing algorithm with authentication by use of a shared key.

QUESTION 32
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode
Correct Answer: C
Section: 9.0 VPN Technologies
Enabling Permanent Client Installation
Enabling permanent client installation disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user. To enable permanent client installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes:
svc keep-installer installed
The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session. The following example configures the existing group-policy sales to remove the client on the remote computer at the end of the session:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc keep-installer installed none

QUESTION 33
You are the network manager for your organization. You are looking at your syslog server reports. Based on the syslog message shown, which two statements are true? (Choose two.)
Feb 1 10:12.08 PST:%SYS-5-CONFIG_I:Configured from console by vty0 ( )
A. Service timestamps have been globally enabled

B. This is a normal system-generated information message and does not require further investigation
C. This message is unimportant and can be ignored
D. This message is a level 5 notification message
Correct Answer: AD
Section: 5. Secure Network Management and Reporting

QUESTION 34
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
A. Ensure that the RDP2 plug-in is installed on the VPN gateway
B. Reboot the VPN gateway
C. Instruct the user to reconnect to the VPN gateway
D. Ensure that the RDP plug-in is installed on the VPN gateway
Correct Answer: A
Section: 9.0 VPN Technologies

QUESTION 35
Which tasks is the session management path responsible for? (Choose three.)
A. Performing the access list checks
B. Performing route lookups
C. Allocating NAT translations (xlates)
D. Session Lookup
E. TCP Sequence Number Check
F. NAT Translation based on existing sessions

Correct Answer: ABC
Section: 7. Cisco Firewall Technologies
Establishing sessions in the fast path (this last option was not in the exam but is good to know).
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
Is this a new connection? If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it might also pass through the control plane path. The session management path is responsible for the following tasks:
- Performing the access list checks
- Performing route lookups
- Allocating NAT translations (xlates)
- Establishing sessions in the fast path
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
Is this an established connection? If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments

QUESTION 36
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
A. Report Manager
B. Health and Performance Monitoring

C. Policy Manager
D. Event Manager
Correct Answer: B
Section: 2. Security and Cisco Routers
Report Manager: collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods.
Health and Performance Monitor (HPM): monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.

QUESTION 37
What best describes transport mode in VPN? (Choose 3)
A. support multicast
B. support unicast
C. used between hosts
D. used between gateways
E. used between gateway and host
Correct Answer: BDE
Section: 9.0 VPN Technologies
There are two main types of VPN, with numerous subcategories.
Remote Access:
- IPsec Full-Tunnel
- SSL Clientless
- SSL Full-Tunnel
Site-to-Site:

- IPsec

QUESTION 38
Which three features are for data plane protection? (Choose three.)
A. policing
B. ACL
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Correct Answer: BDF
Section: 2. Security and Cisco Routers
Data Plane Security
- Access control lists
- Private VLAN
- Firewalling
- Intrusion Prevention System (IPS)
Layer 2 Data Plane Protection
- Port security prevents MAC flooding attacks.
- DHCP snooping prevents client attacks on the DHCP server and switch.
- Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
- IP Source Guard prevents IP spoofing addresses by using the DHCP snooping table.
Data Plane Security
Data plane security can be implemented using the following features:
- Access control lists: ACLs perform packet filtering to control which packets move through the network and where.
- Antispoofing: ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.
- Layer 2 security features: Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.

ACLs
ACLs are used to secure the data plane in a variety of ways, including the following:
- Block unwanted traffic or users: ACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses, destination addresses, or user authentication.
- Reduce the chance of DoS attacks: ACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with requests for a connection.
- Mitigate spoofing attacks: ACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.
- Provide bandwidth control: ACLs on a slow link can prevent excess traffic.
- Classify traffic to protect other planes: ACLs can be applied on vty lines (management plane). ACLs can control routing updates being sent, received, or redistributed (control plane).
Antispoofing
Implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresses which could be traced to the originator of an attack. Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
Layer 2 Data Plane Protection
The following are Layer 2 security tools integrated into the Cisco Catalyst switches:
- Port security: prevents MAC address spoofing and MAC address flooding attacks.
- DHCP snooping: prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch.
- Dynamic ARP inspection (DAI): adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
- IP source guard: prevents IP spoofing addresses by using the DHCP snooping table.

QUESTION 39
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary
B. AAA Servers and Groups
C. Authentication Policies
D. Authorization Policies

Correct Answer: A
Section: 3.0 AAA

QUESTION 40
What command is used to change a Layer 2 port into a Layer 3 routed port?
A. no switchport
B. switchport port-security
C. ip routing
D. sdm prefer lanbase-routing
Correct Answer: A
Section: 6. Common Layer 2 Attacks

QUESTION 41
Where is the best place to place the IPS inline?
A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuous, behind
D. Promiscuous, before
Correct Answer: A
Section: 8.0 Cisco IPS

QUESTION 42
Which syslog severity level is level number 7?

A. Warning
B. Debug
C. Critical
D. Emergency
E. Notice
F. Error
Correct Answer: B
Section: 5. Secure Network Management and Reporting

Syslog severity levels run from 0 (most severe) to 7 (least severe): 0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging. A router configured with logging trap at a given level forwards messages at that level and every lower (more severe) level.

QUESTION 43
Which statement about the role-based CLI access views on a Cisco router is true?
A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.

B. The maximum number of configurable CLI access views is 10, including one superview.
C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.
Correct Answer: C
Section: 2. Security and Cisco Routers

Restrictions for Role-Based CLI Access

Lawful Intercept Images Limitation: Because CLI views are a part of the Cisco IOS parser, CLI views are a part of all platforms and Cisco IOS images. However, the lawful intercept view is available only in images that contain the lawful intercept subsystem.

Maximum Number of Allowed Views: The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include the root view.)

QUESTION 44
Which Cisco Security Manager feature enables the configuration of unsupported device features?
A. Deployment Manager
B. FlexConfig
C. Policy Object Manager
D. Configuration Manager
Correct Answer: B
Section: 2. Security and Cisco Routers

FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager's control over a device configuration and take advantage of new device features before upgrading the product.
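The severity numbering behind Question 42 is easy to get wrong in practice because a message carries it twice: once in the syslog PRI field (facility times 8 plus severity) and once in the Cisco IOS %FACILITY-SEVERITY-MNEMONIC tag. The following is an added example, not code from the exam dump or from Cisco, that parses both, then applies the same filter a router applies when you configure logging trap at a given level. The log lines are constructed samples in IOS format using the default local7 facility.

```python
"""Syslog severity handling, as an added example (not part of the original
exam dump): parse the RFC 3164 <PRI> field and the Cisco IOS
%FACILITY-SEVERITY-MNEMONIC tag, then apply a trap-level filter the way
`logging trap <level>` does (forward messages whose severity number is
at or below the configured level). The log lines below are constructed."""
import re
from typing import Optional

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
# IOS accepts either the name or the number for `logging trap`.
LEVEL_BY_NAME = {name: num for num, name in SEVERITY_NAMES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")
IOS_TAG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")


def parse_pri(line: str) -> Optional[tuple[int, int]]:
    """Return (facility, severity) from a leading <PRI>; PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # facilities run 0..23, so PRI is at most 23*8+7
        return None
    return divmod(pri, 8)


def ios_severity(line: str) -> Optional[int]:
    """Severity carried inside the IOS message tag, e.g. %SEC-6-IPACCESSLOGP."""
    m = IOS_TAG_RE.search(line)
    return int(m.group(2)) if m else None


def message_severity(line: str) -> Optional[int]:
    """Prefer the IOS tag when present (it is what the router assigned);
    fall back to the PRI field for non-Cisco sources."""
    sev = ios_severity(line)
    if sev is not None:
        return sev
    pri = parse_pri(line)
    return pri[1] if pri else None


def trap_filter(lines: list[str], trap_level) -> list[str]:
    """Keep the messages a router would send to a syslog server when configured
    with `logging trap <trap_level>`: severity number <= configured level."""
    level = LEVEL_BY_NAME[trap_level] if isinstance(trap_level, str) else int(trap_level)
    return [ln for ln in lines if (s := message_severity(ln)) is not None and s <= level]


# Constructed sample lines; facility 23 (local7) is the IOS default.
SAMPLE_LOG = [
    "<189>42: *Mar  1 00:05:10.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<190>43: *Mar  1 00:05:12.456: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.0.5(1234) -> 192.0.2.10(23), 1 packet",
    "<191>44: *Mar  1 00:05:13.789: %CRYPTO-7-DEBUG: IKE SA negotiation trace",
    "<187>45: *Mar  1 00:05:14.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        fac, sev = parse_pri(ln)
        print(f"facility={fac} severity={sev} ({SEVERITY_NAMES[sev]}) tag-severity={ios_severity(ln)}")
    kept = trap_filter(SAMPLE_LOG, "informational")
    print(f"{len(kept)} of {len(SAMPLE_LOG)} lines forwarded at 'logging trap informational'")
```

With logging trap informational (level 6) the %CRYPTO-7-DEBUG line is the only one not forwarded, which is the usual production setting: debugging output belongs on the console or in the local buffer, not on the wire to a collector.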

QUESTION 45
Which statement about IPv6 address allocation is true?
A. IPv6-enabled devices can be assigned only one IPv6 address.
B. A DHCP server is required to allocate IPv6 addresses.
C. IPv6-enabled devices can be assigned multiple IPv6 addresses.
D. ULA addressing is required for Internet connectivity.
Correct Answer: C
Section: 2. Security and Cisco Routers

A major difference between IPv4 and IPv6 is that an IPv6-capable device is expected to have more than one IPv6 address. Most interfaces will have at least a link-local address (FE80::/10) and possibly a global unicast address (2000::/3, i.e. addresses beginning 2xxx or 3xxx) or a unique local address (FC00::/7).

QUESTION 46
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable command, using the local database with no fallback method?
A. aaa authentication enable console LOCAL SERVER_GROUP
B. aaa authentication enable console SERVER_GROUP LOCAL
C. aaa authentication enable console local
D. aaa authentication enable console LOCAL
Correct Answer: D
Section: 3.0 AAA

The syntax to create an AAA authentication policy on IOS is aaa authentication [type] [name] [method-list]; if only one method is specified, there is no fallback. This question, however, is about the ASA, which has a slightly different syntax. The aaa authentication enable console policy applies to users who are already on the CLI and use the enable command to enter the privileged prompt. Option C fails only because of case: the LOCAL keyword is case sensitive on the ASA, so lowercase local would be read as the name of a (nonexistent) server group.

From the ASA command reference: To authenticate users who access the adaptive security appliance CLI over a serial, SSH, HTTPS (ASDM), or Telnet connection, or to authenticate users who access privileged EXEC mode using the enable command, use the aaa authentication console command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
no aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}

Syntax Description

enable: Authenticates users who access privileged EXEC mode when they use the enable command.
http: Authenticates ASDM users who access the adaptive security appliance over HTTPS. You only need to configure HTTPS authentication if you want to use a RADIUS or TACACS+ server. By default, ASDM uses the local database for authentication even if you do not configure this command.
LOCAL: Uses the local database for authentication. LOCAL is case sensitive. If the local database is empty, the following warning message appears: "Warning: local database is empty! Use 'username' command to define local users." If the local database becomes empty when LOCAL is still present in the configuration, the following warning message appears: "Warning: Local user database is empty and there are still commands using 'LOCAL' for authentication."
server_group [LOCAL]: Specifies the AAA server group tag defined by the aaa-server command. If you use the LOCAL keyword in addition to the server group tag, you can configure the adaptive security appliance to use the local database as a fallback method if the AAA server is unavailable. LOCAL is case sensitive. We recommend that you use the same username and password in the local database as on the AAA server, because the adaptive security appliance prompt does not give any indication of which method is being used.
serial: Authenticates users who access the adaptive security appliance using the serial console port.
ssh: Authenticates users who access the adaptive security appliance using SSH.
telnet: Authenticates users who access the adaptive security appliance using Telnet.

Defaults: By default, fallback to the local database is disabled. If the aaa authentication telnet console command is not defined, you can gain access to the adaptive security appliance CLI with the adaptive security appliance login password (set with the password command).

QUESTION 47
Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method?
A. aaa authorization exec default group tacacs+ none
B. aaa authorization network default group tacacs+ none
C. aaa authorization network default group tacacs+
D. aaa authorization network default group tacacs+ local
Correct Answer: C
Section: 3.0 AAA

On a Cisco IOS router, the syntax to define new-model AAA authorization policies is:

aaa authorization [type] [name] [method-list]

The method list can name several methods to use for authorization, for example group tacacs+, group radius, local, or none. The methods are tried in the order listed. If a method is unreachable (for example, the router cannot connect to the TACACS+ server), the next method is tried, providing a fallback. A FAILED authorization does not try the next method. When only a single method is listed, there is no fallback if that method cannot be reached. In this case, we are looking to authorize network services, so we need

aaa authorization network ...

Only one answer that starts with aaa authorization network has a single method: aaa authorization network default group tacacs+

QUESTION 48
Which three statements about RADIUS are true? (Choose three.)
A. RADIUS uses TCP port 49.
B. RADIUS uses UDP ports 1645 or 1812.
C. RADIUS encrypts the entire packet.
D. RADIUS encrypts only the password in the Access-Request packet.
E. RADIUS is a Cisco proprietary technology.
F. RADIUS is an open standard.
Correct Answer: BDF
Section: 3.0 AAA

RADIUS uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting. TCP port 49 belongs to TACACS+, which, unlike RADIUS, encrypts the entire packet body rather than only the password.
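To make the "only the password" statement in Question 48 concrete, here is an added example (not code from the exam dump or from any RADIUS implementation) that hides a User-Password the way RFC 2865 section 5.2 prescribes, builds a minimal Access-Request around it, and shows that User-Name is still readable in the packet while the password is not. The shared secret and the request authenticator are constructed sample values.

```python
"""RADIUS Access-Request password hiding (RFC 2865 section 5.2), as an added
example that is not part of the original exam dump. It shows why only the
User-Password attribute is protected: the rest of the packet, including
User-Name, is sent in the clear. The shared secret and request authenticator
used below are constructed sample values, not from a real deployment."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 with NULs, then chain:
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does). Trailing NUL
    padding is stripped, which is why a password cannot end in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a positive multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Minimal Access-Request: code, id, length, authenticator, then TLV attributes."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + attrs


def recover_password(packet: bytes, secret: bytes) -> bytes:
    """Walk the attributes and decode User-Password with the packet's own authenticator."""
    authenticator = packet[4:20]
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_PASSWORD:
            return unhide_password(value, secret, authenticator)
        pos += attr_len
    raise ValueError("no User-Password attribute")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # sample value
    ra = os.urandom(16)                          # request authenticator is random per request
    pkt = build_access_request(7, ra, b"alice", b"correct horse battery", secret)
    print("User-Name visible in clear:", b"alice" in pkt)
    print("password visible in clear: ", b"correct horse" in pkt)
    print("server recovers:", recover_password(pkt, secret))
```

The protection is an MD5-keyed stream tied to the shared secret and a per-request authenticator, not a modern cipher, and every other attribute travels in plaintext; that is the practical reason to carry RADIUS over a management VLAN or an IPsec tunnel, or to prefer TACACS+ for device administration.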

QUESTION 49
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?
A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius
Correct Answer: C
Section: 3.0 AAA

On a Cisco IOS router, the syntax to define new-model AAA accounting policies is:

aaa accounting [type] [name] [record-type] [method-list]

The accounting types are:

network: To create a method list that enables accounting for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARA protocols), use the network keyword. For example, to create a method list that provides accounting information for ARAP (network) sessions, use the arap keyword.
exec: To create a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword.
commands: To create a method list that provides accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword.
connection: To create a method list that provides accounting information about all outbound connections made from the network access server, use the connection keyword.
resource: Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.
system: Provides accounting records for system-level events that are not associated with a user, such as reloads, which is why it is the answer here.

QUESTION 50
Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
A. start-stop
B. stop-record
C. stop-only
D. stop
Correct Answer: AC
Section: 3.0 AAA

The general syntax for accounting is:

Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]

The record type is either start-stop (a start record when the session begins and a stop record when it ends) or stop-only (only the stop record); none disables accounting for that type.

QUESTION 51
What is the first command you enter to configure AAA on a new Cisco router?

A. aaa configuration
B. no aaa-configuration
C. no aaa new-model
D. aaa new-model
Correct Answer: D
Section: 3.0 AAA

When setting up AAA, aaa new-model must be enabled first. Be aware that enabling it immediately applies the default AAA method lists to the console and vty lines, replacing the line-level login defaults; on a device you manage remotely, create a local username (and define the default login list with a local fallback) before you enable it, or you can lock yourself out.

QUESTION 52
Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: BCE
Section: 3.0 AAA

TACACS+ Server Support: The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

QUESTION 53
What is the default privilege level for a new user account on a Cisco ASA firewall?
A. 0
B. 1

C. 2
D. 15
Correct Answer: C
Section: 2. Security and Cisco Routers

Similar to Cisco IOS devices, the ASA has 16 privilege levels, from 0 to 15. The default privilege level for an ASA user is 2. On IOS, the default privilege level is 1.

Authenticating Users Using the Login Command: From user EXEC mode, you can log in as any username in the local database using the login command. This feature allows users to log in with their own username and password to access privileged EXEC mode, so you do not have to give out the system enable password to everyone. To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the "Configuring Local Command Authorization" section for more information.

QUESTION 54
Which statement about ACL operations is true?
A. The access list is evaluated in its entirety.
B. The access list is evaluated one access-control entry at a time.
C. The access list is evaluated by the most specific entry.
D. The default explicit deny at the end of an access list causes all packets to be dropped.
Correct Answer: B
Section: 4. IOS ACLs

Access lists are a series of entries. Entries are processed in order, and when a match is made the action specified by that entry is performed and no further entries are processed. The last entry of every access list is the implicit deny all, which drops only the packets that matched no earlier entry.
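The fallback rules stated for Question 47 (an unreachable method falls through to the next one, a rejection does not) and the lock-out caveat for Question 51 are worth seeing as a model. The following is an added example, not code from the exam dump or from Cisco IOS, that evaluates an AAA method list with the three outcomes a method can produce: PASS, FAIL and ERROR. The user database, server reachability and scenario names are constructed; the comments show the IOS command each scenario corresponds to.

```python
"""Cisco IOS AAA method-list evaluation, modelled as an added example (not
the exam dump's own code). A method returns PASS, FAIL or ERROR: FAIL is a
definite reject and ends the list, ERROR (server unreachable) moves to the
next method, and a list with one method has no fallback when that method
errors. Server state and users below are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # method could not answer (e.g. TACACS+ server unreachable)


@dataclass
class TacacsGroup:
    """A 'group tacacs+' method: unreachable servers yield ERROR, not FAIL."""
    reachable: bool
    users: dict[str, str] = field(default_factory=dict)

    def __call__(self, user: str, pw: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == pw else Result.FAIL


@dataclass
class Local:
    """The 'local' method: the router's own username database."""
    users: dict[str, str] = field(default_factory=dict)

    def __call__(self, user: str, pw: str) -> Result:
        return Result.PASS if self.users.get(user) == pw else Result.FAIL


def none_method(user: str, pw: str) -> Result:
    """The 'none' method: always succeeds (dangerous as a fallback on vty lines)."""
    return Result.PASS


Method = Callable[[str, str], Result]


def evaluate(method_list: list[Method], user: str, pw: str) -> tuple[bool, list[Result]]:
    """Walk the list in order. Returns (permitted, results of the methods consulted).
    A FAIL stops the walk; only ERROR falls through to the next method; if every
    method errors, the request is denied."""
    consulted = []
    for method in method_list:
        r = method(user, pw)
        consulted.append(r)
        if r is Result.PASS:
            return True, consulted
        if r is Result.FAIL:
            return False, consulted
    return False, consulted


# Constructed sample data
LOCAL_DB = Local({"admin": "local-pw"})
TACACS_UP = TacacsGroup(reachable=True, users={"admin": "tacacs-pw"})
TACACS_DOWN = TacacsGroup(reachable=False, users={"admin": "tacacs-pw"})

SCENARIOS = {
    # aaa authentication login default group tacacs+          (single method, no fallback)
    "tacacs-only, server down": ([TACACS_DOWN], "admin", "local-pw"),
    # aaa authentication login default group tacacs+ local    (fallback on ERROR only)
    "tacacs+local, server down": ([TACACS_DOWN, LOCAL_DB], "admin", "local-pw"),
    "tacacs+local, server rejects": ([TACACS_UP, LOCAL_DB], "admin", "local-pw"),
    "tacacs+local, server accepts": ([TACACS_UP, LOCAL_DB], "admin", "tacacs-pw"),
    # aaa authentication login default group tacacs+ none     (open if server unreachable)
    "tacacs+none, server down": ([TACACS_DOWN, none_method], "anyone", "anything"),
}


def run_scenario(name: str) -> tuple[bool, list[Result]]:
    methods, user, pw = SCENARIOS[name]
    return evaluate(methods, user, pw)


if __name__ == "__main__":
    for name in SCENARIOS:
        ok, trail = run_scenario(name)
        print(f"{name:32s} -> {'PERMIT' if ok else 'DENY':6s} via {[r.value for r in trail]}")
```

The "server rejects" scenario is the one operators most often get wrong: the local password is valid, but it is never consulted, because the TACACS+ server answered and said no. Only an outage, not a rejection, reaches the fallback method.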

QUESTION 55
Which three statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination.
B. Extended access lists should be placed as near as possible to the source.
C. Standard access lists should be placed as near as possible to the destination.
D. Standard access lists should be placed as near as possible to the source.
E. Standard access lists filter on the source address.
F. Standard access lists filter on the destination address.
Correct Answer: BCE
Section: 4. IOS ACLs

ACL best practices: Standard ACLs can filter only on the source IP address, so they should be placed closest to the destination (if they were close to the source, they would block that source's traffic to every destination). Extended ACLs can filter on protocol, source and/or destination IP address, and TCP or UDP port, so they should be placed as close to the source as possible, dropping unwanted traffic before it consumes bandwidth.

QUESTION 56
Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks?
A. router(config)# ip tcp intercept mode intercept
B. router(config)# ip tcp intercept mode watch
C. router(config)# ip tcp intercept max-incomplete high 100
D. router(config)# ip tcp intercept drop-mode random
Correct Answer: A
Section: 1. Common Security Threats

About TCP Intercept

The TCP Intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. A SYN-flooding attack occurs when an attacker floods a server with a barrage of connection requests. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

The TCP Intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP Intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list, answers them on behalf of the server, and opens the connection to the server only after the client completes the three-way handshake. In watch mode, the router passes the SYN through but resets any connection that is not established within the watch timeout.

The basic configuration requires setting up an ACL that is used to "watch" incoming TCP traffic:

Step 1: Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard
Defines an IP extended access list.

Step 2: Router(config)# ip tcp intercept list access-list-number
Enables TCP Intercept.

Step 3 (optional): Router(config)# ip tcp intercept mode {intercept | watch}
Sets the mode to intercept or watch. The default is intercept.

You can also modify the following:
Setting the TCP Intercept drop mode (optional)
Changing the TCP Intercept timers (optional)
Changing the TCP Intercept aggressive thresholds (optional)
Monitoring and maintaining TCP Intercept (optional)

QUESTION 57
Which command will block external spoofed addresses?
A. access-list 128 deny ip any
B. access-list 128 deny ip any

C. access-list 128 deny ip any
D. access-list 128 deny ip any
Correct Answer: C
Section: 4. IOS ACLs

The source prefixes are missing from the options as reproduced here, so it is not clear whether this is a partial question or is mismarked. "Spoofed addresses" usually refers to packets arriving from outside that carry a source address from your own internal addressing scheme, or from the private address space defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), which should never appear as a source on the Internet. A common set of entries for an access list applied inbound at the network edge is as follows:

!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any

In this question, the option whose denied source matches one of these reserved ranges is the correct answer.

QUESTION 58
Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. port security
B. DHCP snooping
C. IP source guard
D. dynamic ARP inspection
Correct Answer: BD
Section: 6. Common Layer 2 Attacks

DAI validates ARP replies against the IP-to-MAC bindings learned by DHCP snooping, so DHCP snooping must be enabled for DAI to work. Port security limits the MAC addresses allowed on a port and IP source guard filters IP source addresses; neither inspects ARP.
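The SYN-flood defence in Question 56 is mostly about accounting for half-open connections. As an added example, not code from the exam dump or from Cisco IOS, the following models that accounting with the documented defaults: a 30-second watch timeout, aggressive mode when incomplete connections exceed the max-incomplete high threshold of 1100 until they fall below the low threshold of 900, and the default drop-mode oldest while aggressive. The one-minute rate thresholds and the intercept-mode retransmission behaviour are left out, and the SYN stream is constructed; this is a simulation of the bookkeeping, not the router's real packet handling.

```python
"""Half-open connection accounting in the style of Cisco IOS TCP Intercept,
as an added example (not from the exam dump). It models the documented
defaults: watch-timeout 30 s, aggressive mode when incomplete connections
exceed 1100 (max-incomplete high) until they drop below 900 (low), and
drop-mode oldest while aggressive. The SYN stream is constructed; this is a
simulation of the accounting, not the router's real packet handling."""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class TcpIntercept:
    mode: str = "intercept"          # "intercept" or "watch"
    watch_timeout: float = 30.0      # seconds before an unanswered embryonic connection is reset
    max_incomplete_high: int = 1100  # enter aggressive mode above this
    max_incomplete_low: int = 900    # leave aggressive mode below this
    aggressive: bool = False
    # flow (src, sport, dst, dport) -> time the SYN arrived; insertion order = age
    half_open: "OrderedDict[tuple, float]" = field(default_factory=OrderedDict)
    dropped: int = 0
    reset: int = 0

    def syn(self, now: float, flow: tuple) -> None:
        """A client SYN matched the intercept ACL."""
        self._update_aggressive()
        if self.aggressive and self.half_open:
            # drop-mode oldest (the default): discard the oldest embryonic connection
            self.half_open.popitem(last=False)
            self.dropped += 1
        self.half_open[flow] = now
        self._update_aggressive()

    def ack(self, flow: tuple) -> bool:
        """Client completed the handshake; in intercept mode the router now opens the
        server side, in watch mode it simply stops watching. Returns True if known."""
        if flow in self.half_open:
            del self.half_open[flow]
            self._update_aggressive()
            return True
        return False

    def expire(self, now: float) -> int:
        """Reset embryonic connections older than watch_timeout and return how many."""
        stale = [f for f, t in self.half_open.items() if now - t >= self.watch_timeout]
        for f in stale:
            del self.half_open[f]
        self.reset += len(stale)
        self._update_aggressive()
        return len(stale)

    def _update_aggressive(self) -> None:
        n = len(self.half_open)
        if not self.aggressive and n > self.max_incomplete_high:
            self.aggressive = True
        elif self.aggressive and n < self.max_incomplete_low:
            self.aggressive = False


def simulate_syn_flood(count: int, rate_per_s: float = 400.0) -> TcpIntercept:
    """Spoofed SYNs (never completing) arriving at a steady rate."""
    ti = TcpIntercept()
    for i in range(count):
        now = i / rate_per_s
        ti.expire(now)
        ti.syn(now, (f"198.51.100.{i % 250}", 1024 + i, "203.0.113.10", 80))
    return ti


def simulate_legit_client() -> tuple[bool, int]:
    """One real client: SYN, then the final ACK; nothing should be reset afterwards."""
    ti = TcpIntercept()
    flow = ("192.0.2.5", 40000, "203.0.113.10", 80)
    ti.syn(0.0, flow)
    known = ti.ack(flow)
    ti.expire(60.0)
    return known, ti.reset


if __name__ == "__main__":
    ti = simulate_syn_flood(3000)
    print(f"half-open={len(ti.half_open)} aggressive={ti.aggressive} dropped={ti.dropped} reset={ti.reset}")
```

Under a 3000-packet flood at 400 SYNs per second the table tops out at 1101 entries and every further SYN evicts the oldest one, which is the behaviour the thresholds exist to produce: the server never sees the flood, and a legitimate client that completes its handshake is unaffected.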
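Questions 54, 55 and 57, together with the antispoofing notes at the top of this section, all come down to one mechanism: ordered first-match evaluation with an implicit deny at the end, applied at the edge as a BCP 38 ingress filter. The following is an added example, not code from the exam dump or from Cisco, that parses the access-list 110 entries above and evaluates constructed packets against them. 203.0.113.0/24 stands in for YOUR_CIDR_BLOCK, and a final permit for TCP to that prefix is assumed so that something is actually allowed through.

```python
"""Ordered first-match ACL evaluation with an implicit deny, applied as an
ingress anti-spoofing filter (BCP 38 / RFC 2827). Added example, not part
of the original exam dump. The ACL mirrors the access-list 110 entries
above; 203.0.113.0/24 stands in for YOUR_CIDR_BLOCK and the packets are
constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source and destination prefix."""
    action: str                 # "permit" or "deny"
    protocol: str               # "ip", "tcp", "udp", "icmp"
    src: Net
    dst: Net
    seq: int = 0


def wildcard_to_net(addr: str, wildcard: str) -> Net:
    """IOS writes 10.0.0.0 0.255.255.255; the wildcard is the inverted netmask."""
    mask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_prefix(tokens: list[str]) -> tuple[Net, list[str]]:
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_net(tokens[0], tokens[1]), tokens[2:]


def parse_ios_acl(text: str) -> list[Ace]:
    """Parse 'access-list N {permit|deny} PROTO SRC [WC] DST [WC]' lines; '!' is a comment."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not an ACL line: {line}")
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, rest = _take_prefix(rest)
        dst, rest = _take_prefix(rest)
        aces.append(Ace(action, proto, src, dst, seq=len(aces) + 1))
    return aces


def evaluate(acl: list[Ace], proto: str, src: str, dst: str) -> tuple[str, Optional[Ace]]:
    """First match wins; if nothing matches, the implicit deny at the end applies."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.protocol not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, ace
    return "deny", None


# Inbound ACL at the Internet edge; 203.0.113.0/24 is the assumed own prefix.
EDGE_INBOUND = parse_ios_acl("""
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your own space as source from entering your AS.
access-list 110 deny ip 203.0.113.0 0.0.0.255 any
access-list 110 permit tcp any 203.0.113.0 0.0.0.255
""")

# Constructed sample packets: (protocol, source, destination)
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.7", "203.0.113.10"),    # legitimate Internet client
    ("tcp", "10.1.2.3", "203.0.113.10"),        # RFC 1918 source, spoofed
    ("tcp", "203.0.113.99", "203.0.113.10"),    # our own prefix arriving from outside
    ("udp", "198.51.100.7", "203.0.113.10"),    # no permit for UDP: implicit deny
]


def _seq(result):
    action, ace = result
    return action, (ace.seq if ace else None)


def filter_packets(acl: list[Ace], packets):
    """Return a list of (packet, action, matching ACE sequence or None for the implicit deny)."""
    return [(p, *_seq(evaluate(acl, *p))) for p in packets]


if __name__ == "__main__":
    for pkt, action, seq in filter_packets(EDGE_INBOUND, SAMPLE_PACKETS):
        print(f"{pkt[0]:3s} {pkt[1]:>14s} -> {pkt[2]:<14s} {action:6s} (ACE {seq or 'implicit deny'})")
```

The UDP packet is the point of option D in Question 54: it is dropped, but by the implicit deny, because no earlier entry matched it; the legitimate TCP packet to the same destination is not, because entry 5 matched first. Swap the order of the permit and the deny entries and the own-prefix filter stops working, which is why ordering, not specificity, is what an IOS ACL honours.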


More information

CCT vs. CCENT Skill Set Comparison

CCT vs. CCENT Skill Set Comparison Operation of IP Data Networks Recognize the purpose and functions of various network devices such as Routers, Switches, Bridges and Hubs Select the components required to meet a given network specification

More information

CCNP: Implementing Secure Converged Wide-area Networks

CCNP: Implementing Secure Converged Wide-area Networks CCNP: Implementing Secure Converged Wide-area Networks Cisco Networking Academy Version 5.0 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper ProCurve Networking Hardening ProCurve Switches Technical White Paper Executive Summary and Purpose... 3 Insecure Protocols and Secure Alternatives... 3 Telnet vs. Secure Shell... 3 HTTP vs. HTTPS... 3

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

Cisco CCNA Security 640-554 Exam

Cisco CCNA Security 640-554 Exam Cisco CCNA Security 640-554 Exam Vendor: Cisco Exam Code: 640-554 Exam Name: Implementing Cisco IOS Network Security (IINS v2.0) QUESTION 1 Which two features are supported by Cisco IronPort Security Gateway?

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Cconducted at the Cisco facility and Miercom lab. Specific areas examined Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security

More information

Case Study for Layer 3 Authentication and Encryption

Case Study for Layer 3 Authentication and Encryption CHAPTER 2 Case Study for Layer 3 Authentication and Encryption This chapter explains the basic tasks for configuring a multi-service, extranet Virtual Private Network (VPN) between a Cisco Secure VPN Client

More information

Virtual Fragmentation Reassembly

Virtual Fragmentation Reassembly Virtual Fragmentation Reassembly Currently, the Cisco IOS Firewall specifically context-based access control (CBAC) and the intrusion detection system (IDS) cannot identify the contents of the IP fragments

More information

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x Introduction The Managing Enterprise Security with Cisco Security Manager (SSECMGT) v4.0 course is a five-day instructor-led course

More information

NETASQ MIGRATING FROM V8 TO V9

NETASQ MIGRATING FROM V8 TO V9 UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4

More information

Firewall Authentication Proxy for FTP and Telnet Sessions

Firewall Authentication Proxy for FTP and Telnet Sessions Firewall Authentication Proxy for FTP and Telnet Sessions First Published: May 14, 2003 Last Updated: August 10, 2010 Before the introduction of the Firewall Authentication Proxy for FTP and Telnet Sessions

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

GLBP - Gateway Load Balancing Protocol

GLBP - Gateway Load Balancing Protocol GLBP - Gateway Load Balancing Protocol Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy

More information

- Basic Router Security -

- Basic Router Security - 1 Enable Passwords - Basic Router Security - The enable password protects a router s Privileged mode. This password can be set or changed from Global Configuration mode: Router(config)# enable password

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Training Course on Network Administration

Training Course on Network Administration Training Course on Network Administration 03-07, March 2014 National Centre for Physics 1 Network Security and Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Crafting a Secure

More information

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example Document ID: 113337 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration

More information

Securing Networks with Cisco Routers and Switches (642-637)

Securing Networks with Cisco Routers and Switches (642-637) Securing Networks with Cisco Routers and Switches (642-637) Exam Description: The 642-637 Securing Networks with Cisco Routers and Switches exam is the exam associated with the CCSP, CCNP Security, and

More information

Managing Enterprise Security with Cisco Security Manager

Managing Enterprise Security with Cisco Security Manager Managing Enterprise Security with Cisco Security Manager Course SSECMGT v4.0; 5 Days, Instructor-led Course Description: The Managing Enterprise Security with Cisco Security Manager (SSECMGT) v4.0 course

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Configuring DHCP Snooping

Configuring DHCP Snooping CHAPTER 19 This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.

More information

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) 100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Network Security and AAA

Network Security and AAA ICT Technical Update Module Network Security and AAA Prof. Dr Harsha Sirisena Electrical and Computer Engineering University of Canterbury AAA Introduction Overview A network administrator may allow remote

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

Configure ISDN Backup and VPN Connection

Configure ISDN Backup and VPN Connection Case Study 2 Configure ISDN Backup and VPN Connection Cisco Networking Academy Program CCNP 2: Remote Access v3.1 Objectives In this case study, the following concepts are covered: AAA authentication Multipoint

More information

Configuring DHCP Snooping and IP Source Guard

Configuring DHCP Snooping and IP Source Guard CHAPTER 19 This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and IP Source Guard on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

200-101: Interconnecting Cisco Networking Devices Part 2 v2.0 (ICND2)

200-101: Interconnecting Cisco Networking Devices Part 2 v2.0 (ICND2) 200-101: Interconnecting Cisco Networking Devices Part 2 v2.0 (ICND2) Course Overview This course provides students with the knowledge and skills to successfully install, operate, and troubleshoot a small

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

IPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA

IPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA Contents Introduction xix Chapter 1 Introduction to IPv6 Security 3 Reintroduction

More information

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 COURSE OVERVIEW: Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0 is a five-day, instructor-led training course that teaches learners

More information

CCNA Security 1.1 Instructional Resource

CCNA Security 1.1 Instructional Resource CCNA Security 1.1 Instructional Resource Chapter 8 Implementing Virtual Private Networks 2012 Cisco and/or its affiliates. All rights reserved. 1 Describe the purpose and types of VPNs and define where

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Troubleshooting the Firewall Services Module

Troubleshooting the Firewall Services Module CHAPTER 25 This chapter describes how to troubleshoot the FWSM, and includes the following sections: Testing Your Configuration, page 25-1 Reloading the FWSM, page 25-6 Performing Password Recovery, page

More information

How To Pass A Credit Course At Florida State College At Jacksonville

How To Pass A Credit Course At Florida State College At Jacksonville Form 2A, Page 1 FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE COURSE NUMBER: CTS 2658 COURSE TITLE: PREREQUISITE(S): COREQUISITE(S): Managing Network Security CNT 2210 with grade

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3 Firewall FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook Firewall v3 24 January 2012 01-432-148222-20120124 Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging

SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging SonicOS 5.9 / 6.0.5 / 6.2 Log Events Reference Guide with Enhanced Logging 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION:

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information