Network security ( version 1) - network security 1.0 modules 1-4: securing networks group exam


Network Security ( Version 1) – Network Security 1 Final Exam Answers

1. Match the type of ASA ACLs to the description. (Not all options are used.)

2. Which statement describes a difference between the Cisco ASA IOS CLI feature and the router IOS CLI feature?

ASA uses the ? command whereas a router uses the help command to receive help on a brief description and the syntax of a command. To use a show command in a general configuration mode, ASA can use the command directly whereas a router will need to enter the do command before issuing the show command. To complete a partially typed command, ASA uses the Ctrl+Tab key combination whereas a router uses the Tab key. To indicate the CLI EXEC mode, ASA uses the % symbol whereas a router uses the # symbol.

Explanation: The ASA CLI is a proprietary OS which has a similar look and feel to the Cisco router IOS. Although it shares some common features with the router IOS, it has its unique features. For example, an ASA CLI command can be executed regardless of the current configuration mode prompt. The IOS do command is not required or recognized. Both the ASA CLI and the router CLI use the # symbol to indicate the EXEC mode. Both CLIs use the Tab key to complete a partially typed command. Different from the router IOS, the ASA provides a help command that provides a brief command description and syntax for certain commands.

3. Refer to the exhibit. A network administrator is configuring AAA implementation on an ASA device. What does the option link3 indicate?

the network name where the AAA server resides the specific AAA server name the sequence of servers in the AAA server group  the interface name

4. What provides both secure segmentation and threat defense in a Secure Data Center solution? Cisco Security Manager software AAA server  Adaptive Security Appliance intrusion prevention system

5. What are the three core components of the Cisco Secure Data Center solution? (Choose three.) mesh network  secure segmentation visibility threat defense servers infrastructure

Explanation: Secure segmentation is used when managing and organizing data in a data center. Threat defense includes a firewall and intrusion prevention system (IPS). Data center visibility is designed to simplify operations and compliance reporting by providing consistent security policy enforcement.

6. What are three characteristics of ASA transparent mode? (Choose three.) This mode does not support VPNs, QoS, or DHCP Relay. It is the traditional firewall deployment mode.  This mode is referred to as a “bump in the wire.” NAT can be implemented between connected networks.  In this mode the ASA is invisible to an attacker. The interfaces of the ASA separate Layer 3 networks and require IP addresses in different subnets.

7. What is needed to allow specific traffic that is sourced on the outside network of an ASA firewall to reach an internal network? ACL NAT dynamic routing protocols outside security zone level 0

Explanation: In order to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level, an ACL must be configured. By default, traffic will only flow from a higher security level to a lower.

8. What will be the result of failed login attempts if the following command is entered into a router?

The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

14. Which action do IPsec peers take during the IKE Phase 2 exchange? exchange of DH keys  negotiation of IPsec policy negotiation of IKE policy sets verification of peer identity

Explanation: The IKE protocol executes in two phases. During Phase 1 the two sides negotiate IKE policy sets, authenticate each other, and set up a secure channel. During the second phase IKE negotiates security associations between the peers.

15. What are two hashing algorithms used with IPsec AH to guarantee authenticity? (Choose two.) SHA RSA DH MD AES

Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authenticity) are MD5 and SHA.

16. Which command raises the privilege level of the ping command to 7? user exec ping level 7 authorization exec ping level 7 accounting exec level 7 ping  privilege exec level 7 ping

17. What is a characteristic of a role-based CLI view of router configuration? A CLI view has a command hierarchy, with higher and lower views. When a superview is deleted, the associated CLI views are deleted.  A single CLI view can be shared within multiple superviews. Only a superview user can configure a new view and add or remove commands from the existing views.

Explanation: A CLI view has no command hierarchy, and therefore, no higher or lower views. Deleting a superview does not delete the associated CLI views. Only a root view user can configure a new view and add or remove commands from the existing views.

18. What is a limitation to using OOB management on a large enterprise network? Production traffic shares the network with management traffic. Terminal servers can have direct console connections to user devices needing management. OOB management requires the creation of VPNs.  All devices appear to be attached to a single management network.

Explanation: OOB management provides a dedicated management network without production traffic. Devices within that network, such as terminal servers, have direct console access for management purposes. Because in-band management runs over the production network, secure tunnels or VPNs may be needed. Failures on the production network may not be communicated to the OOB network administrator because the OOB management network may not be affected.

19. Refer to the exhibit. A corporate network is using NTP to synchronize the time across devices. What can be determined from the displayed output?

Router03 is a stratum 2 device that can provide NTP service to other devices in the network. The time on Router03 may not be reliable because it is offset by more than 7 seconds to the time server.

The interface on Router03 that connects to the time server has the IPv4 address 209.165.200. Router03 time is synchronized to a stratum 2 time server

20. Refer to the exhibit. Which two conclusions can be drawn from the syslog message that was generated by the router? (Choose two.)

This message resulted from an unusual error requiring reconfiguration of the interface.  This message indicates that service timestamps have been configured. This message indicates that the interface changed state five times.  This message is a level 5 notification message. This message indicates that the interface should be replaced.

Explanation: The message is a level 5 notification message as shown in the %LINEPROTO-5 section of the output. Messages reporting the link status are common and do not require replacing the interface or reconfiguring the interface. The date and time displayed at the beginning of the message indicates that service timestamps have been configured on the router.
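As an added example (not part of the exam answers or of any Cisco tool), the following Python parses IOS syslog lines of the %FACILITY-SEVERITY-MNEMONIC form, reports whether a timestamp prefix (and so service timestamps) is present, and counts actual interface state changes so that the "5" in %LINEPROTO-5 is not mistaken for a change count. The log lines are constructed samples, and the assumed layout is [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: text.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines (not from the exam exhibit). The leading
# timestamp is only present when "service timestamps log datetime" is on;
# the optional sequence number comes from "service sequence-numbers".
SAMPLE_LINES: List[str] = [
    "*Mar  1 00:12:34.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:12:40.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "*Mar  1 00:13:02.331: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
    "000123: *Mar  1 00:13:05.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

# IOS severity levels 0-7 (a lower number is more severe).
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Assumed layout: [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: text
# The timestamp may be "datetime msec" style or an uptime hh:mm:ss.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>(?:[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+)?\d{1,2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Za-z]+)?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
_STATE_RE = re.compile(r"Interface (?P<intf>\S+), changed state to (?P<state>\w+)")


@dataclass
class IosSyslog:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    severity_name: str
    mnemonic: str
    text: str

    @property
    def timestamps_configured(self) -> bool:
        # A timestamp prefix can only appear if service timestamps is configured.
        return self.timestamp is not None


def parse_ios_syslog(line: str) -> Optional[IosSyslog]:
    """Parse one IOS syslog line; return None if it is not in the expected form."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    sev = int(m["severity"])
    return IosSyslog(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=sev,
        severity_name=SEVERITY_NAMES[sev],
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def count_state_changes(lines: Iterable[str], facility: Optional[str] = "LINEPROTO") -> Dict[str, int]:
    """Count UPDOWN transitions per interface (facility=None counts LINK too).
    The '5' in %LINEPROTO-5-UPDOWN is the severity, not a change count;
    a real change count comes from counting the messages themselves."""
    counts: Counter = Counter()
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None or msg.mnemonic != "UPDOWN":
            continue
        if facility is not None and msg.facility != facility:
            continue
        sm = _STATE_RE.search(msg.text)
        if sm:
            counts[sm["intf"]] += 1
    return dict(counts)


def flapping_interfaces(lines: Iterable[str], min_changes: int = 2) -> List[str]:
    """Interfaces whose line protocol changed state at least min_changes times."""
    return sorted(i for i, n in count_state_changes(lines).items() if n >= min_changes)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        m = parse_ios_syslog(raw)
        print(f"{m.facility}-{m.severity} ({m.severity_name}) {m.mnemonic}: timestamps={m.timestamps_configured}")
    print("line-protocol changes:", count_state_changes(SAMPLE_LINES))
    print("flapping:", flapping_interfaces(SAMPLE_LINES))
```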

21. Which two types of hackers are typically classified as grey hat hackers? (Choose two.) hacktivists cyber criminals  vulnerability brokers script kiddies state-sponsored hackers

Explanation: Grey hat hackers may do unethical or illegal things, but not for personal gain or to cause damage. Hacktivists use their hacking as a form of political or social protest, and vulnerability brokers hack to uncover weaknesses and report them to vendors. Depending on the perspective one possesses, state-sponsored hackers are either white hat or black hat operators. Script kiddies create hacking scripts to cause damage or disruption. Cyber criminals use hacking to obtain financial gain by illegal means.

22. When describing malware, what is a difference between a virus and a worm? A virus focuses on gaining privileged access to a device, whereas a worm does not.  A virus replicates itself by attaching to another file, whereas a worm can replicate itself independently. A virus can be used to launch a DoS attack (but not a DDoS), but a worm can be used to launch both DoS and DDoS attacks. A virus can be used to deliver advertisements without user consent, whereas a worm cannot.

Explanation: Malware can be classified as follows:

  • Virus (self-replicates by attaching to another program or file)
  • Worm (replicates independently of another program)
  • Trojan horse (masquerades as a legitimate file or program)
  • Rootkit (gains privileged access to a machine while concealing itself)
  • Spyware (collects information from a target system)
  • Adware (delivers advertisements with or without consent)
  • Bot (waits for commands from the hacker)
  • Ransomware (holds a computer system or data captive until payment is received)

23. Which type of packet is unable to be filtered by an outbound ACL? multicast packet ICMP packet broadcast packet  router-generated packet

Explanation: Traffic that originates within a router such as pings from a command prompt, remote access from a router to another device, or routing updates are not affected by outbound access lists. The traffic must flow through the router in order for the router to apply the ACEs.

24. Consider the access list command applied outbound on a router serial interface.

access-list 100 deny icmp 192.168.10 0.0.0 any echo reply

31. What would be the primary reason an attacker would launch a MAC address overflow attack? so that the switch stops forwarding traffic so that legitimate hosts cannot obtain a MAC address so that the attacker can see frames that are destined for other hosts so that the attacker can execute arbitrary code on the switch

32. What is the main difference between the implementation of IDS and IPS devices? An IDS can negatively impact the packet flow, whereas an IPS can not. An IDS needs to be deployed together with a firewall device, whereas an IPS can replace a firewall. An IDS would allow malicious traffic to pass before it is addressed, whereas an IPS stops it immediately. An IDS uses signature-based technology to detect malicious packets, whereas an IPS uses profile-based technology.

Explanation: An IPS is deployed in inline mode and will not allow malicious traffic to enter the internal network without first analyzing it. An advantage of this is that it can stop an attack immediately. An IDS is deployed in promiscuous mode. It copies the traffic patterns and analyzes them offline, thus it cannot stop the attack immediately and it relies on another device to take further actions once it detects an attack. Being deployed in inline mode, an IPS can negatively impact the traffic flow. Both IDS and IPS can use signature-based technology to detect malicious packets. An IPS cannot replace other security devices, such as firewalls, because they perform different tasks.

33. Which attack is defined as an attempt to exploit software vulnerabilities that are unknown or undisclosed by the vendor? zero-day Trojan horse brute-force man-in-the-middle

34. Match the network monitoring technology with the description.

35. What are the three signature levels provided by Snort IPS on the 4000 Series ISR? (Choose three.) security drop reject  connectivity inspect balanced

36. What are three attributes of IPS signatures? (Choose three.) action length  trigger type depth function

Explanation: IPS signatures have three distinctive attributes: type, trigger (alarm), and action.

37. Match each IPS signature trigger category with the description.

38. Which two features are included by both TACACS+ and RADIUS protocols? (Choose two.) SIP support  password encryption 802 support separate authentication and authorization processes  utilization of transport layer protocols

Explanation: Both TACACS+ and RADIUS support password encryption (TACACS+ encrypts all communication) and use Layer 4 protocol (TACACS+ uses TCP and RADIUS uses UDP). TACACS+ supports separation of authentication and authorization processes, while RADIUS combines authentication and authorization as one process. RADIUS supports remote access technology, such as 802 and SIP; TACACS+ does not.

39. What function is provided by the RADIUS protocol? RADIUS provides encryption of the complete packet during transfer. RADIUS provides separate AAA services.  RADIUS provides separate ports for authorization and accounting. RADIUS provides secure communication using TCP port 49.

Explanation: When an AAA user is authenticated, RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting. TACACS provides separate authorization and accounting services. When a RADIUS client is authenticated, it is also authorized. TACACS provides secure connectivity using TCP port 49. RADIUS hides passwords during transmission and does not encrypt the complete packet.

40. What are three characteristics of the RADIUS protocol? (Choose three.) utilizes TCP port 49  uses UDP ports for authentication and accounting supports 802 and SIP separates the authentication and authorization processes encrypts the entire body of the packet

43. Place the steps for configuring zone-based policy (ZPF) firewalls in order from first to last. (Not all options are used.)

44. How does a firewall handle traffic when it is originating from the private network and traveling to the DMZ network? The traffic is selectively denied based on service requirements. The traffic is usually permitted with little or no restrictions.  The traffic is selectively permitted and inspected. The traffic is usually blocked.

Explanation: With a three interface firewall design that has internal, external, and DMZ connections, typical configurations include the following:

  • Traffic originating from DMZ destined for the internal network is normally blocked.
  • Traffic originating from the DMZ destined for external networks is typically permitted based on what services are being used in the DMZ.
  • Traffic originating from the internal network destined for the DMZ is normally inspected and allowed to return.
  • Traffic originating from external networks (the public network) is typically allowed in the DMZ only for specific services.

45. Which two protocols generate connection information within a state table and are supported for stateful filtering? (Choose two.)

ICMP

UDP

DHCP

 TCP

 HTTP

46. Which type of firewall is supported by most routers and is the easiest to implement? next generation firewall  stateless firewall stateful firewall proxy firewall

Explanation: Packet Filtering (Stateless) Firewall uses a simple policy table look-up that filters traffic based on specific criteria and is considered the easiest firewall to implement.

47. What network testing tool would an administrator use to assess and validate system configurations against security policies and compliance standards? Tripwire L0phtcrack Nessus Metasploit

Explanation: Tripwire – This tool assesses and validates IT configurations against internal policies, compliance standards, and security best practices.

48. What type of network security test can detect and report changes made to network systems? vulnerability scanning network scanning  integrity checking penetration testing

Explanation: Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.

49. What network security testing tool has the ability to provide details on the source of suspicious network activity? SIEM SuperScan Zenmap Tripwire

50. How do modern cryptographers defend against brute-force attacks? Use statistical analysis to eliminate the most common encryption keys.  Use a keyspace large enough that it takes too much money and too much time to conduct a successful attack. Use an algorithm that requires the attacker to have both ciphertext and plaintext to conduct a successful attack. Use frequency analysis to ensure that the most popular letters used in the language are not used in the cipher message.

Explanation: In a brute-force attack, an attacker tries every possible key with the decryption algorithm knowing that eventually one of them will work. To defend against brute-force attacks, modern cryptographers have as an objective to have a keyspace (a set of all possible keys) large enough so that it takes too much money and too much time to accomplish a brute-force attack. A security policy requiring passwords to be changed in a predefined interval further defends against brute-force attacks. The idea is that passwords will have been changed before an attacker exhausts the keyspace.

51. How does a Caesar cipher work on a message? Letters of the message are replaced by another letter that is a set number of places away in the alphabet. Letters of the message are rearranged randomly. Letters of the message are rearranged based on a predetermined pattern. Words of the message are substituted based on a predetermined pattern.

52. What is the main factor that ensures the security of encryption of modern algorithms? complexity of the hashing algorithm

57. A company implements a security policy that ensures that a file sent from the headquarters office to the branch office can only be opened with a predetermined code. This code is changed every day. Which two algorithms can be used to achieve this task? (Choose two.) HMAC MD  3DES SHA-  AES

Explanation: The task to ensure that only authorized personnel can open a file is data confidentiality, which can be implemented with encryption. AES and 3DES are two encryption algorithms. HMAC can be used for ensuring origin authentication. MD5 and SHA-1 can be used to ensure data integrity.

58. A network technician has been asked to design a virtual private network between two branch routers. Which type of cryptographic key should be used in this scenario? hash key  symmetric key asymmetric key digital signature

Explanation: A symmetric key requires that both routers have access to the secret key that is used to encrypt and decrypt exchanged data.

59. Which two options can limit the information discovered from port scanning? (Choose two.) intrusion prevention system firewall authentication passwords encryption

Explanation: Using an intrusion prevention system (IPS) and firewall can limit the information that can be discovered with a port scanner. Authentication, encryption, and passwords provide no protection from loss of information from port scanning.

60. An administrator discovers that a user is accessing a newly established website that may be detrimental to company security. What action should the administrator take first in terms of the security policy? Ask the user to stop immediately and inform the user that this constitutes grounds for dismissal. Create a firewall rule blocking the respective website.  Revise the AUP immediately and get all users to sign the updated AUP. Immediately suspend the network privileges of the user.

61. If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.) Create a superview using the parser view view-name command. Associate the view with the root view. Assign users who can use the view.  Create a view using the parser view view-name command. Assign a secret password to the view. Assign commands to the view.

Explanation: There are five steps involved to create a view on a Cisco router.

  1. AAA must be enabled.
  2. The view must be created.
  3. A secret password must be assigned to the view.
  4. Commands must be assigned to the view.
  5. View configuration mode must be exited.

62. Refer to the exhibit. A network administrator configures a named ACL on the router. Why is there no output displayed when the show command is issued?


The ACL is not activated.  The ACL name is case sensitive. The ACL has not been applied to an interface. No packets have matched the ACL statements yet.

63. ACLs are used primarily to filter traffic. What are two additional uses of ACLs? (Choose two.) specifying internal hosts for NAT identifying traffic for QoS reorganizing traffic into VLANs filtering VTP packets

64. What two features are added in SNMPv3 to address the weaknesses of previous versions of SNMP? (Choose two.) authentication authorization with community string priority bulk MIB objects retrieval ACL management filtering  encryption

65. What network testing tool is used for password auditing and recovery? Nessus Metasploit  L0phtcrack SuperScan

66. Which type of firewall makes use of a server to connect to destination devices on behalf of clients? packet filtering firewall  proxy firewall stateless firewall stateful firewall

Explanation: An application gateway firewall, also called a proxy firewall, filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy server to connect to remote servers on behalf of clients. Remote servers will see only a connection from the proxy server, not from the individual clients.

67. Refer to the exhibit. What will be displayed in the output of the show running-config object command after the exhibited configuration commands are entered on an ASA 5506-

scalability  confidentiality Explanation: Confidentiality ensures that data is accessed only by authorized individuals. Authentication will help verify the identity of the individuals.

71. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks? authentication nonrepudiation integrity Diffie-Hellman  confidentiality

Explanation: The IPsec framework consists of five building blocks. Each building block performs a specific security function via specific protocols. The function of providing confidentiality is provided by protocols such as DES, 3DES, and AES.

72. What function is provided by Snort as part of the Security Onion? to generate network intrusion alerts by the use of rules and signatures to normalize logs from various NSM data logs so they can be represented, stored, and accessed through a common schema to display full-packet captures for analysis  to view pcap transcripts generated by intrusion detection tools

Explanation: Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) developed by Sourcefire. It has the ability to perform real time traffic analysis and packet logging on Internet Protocol (IP) networks and can also be used to detect probes or attacks.

73. What are two drawbacks to using HIPS? (Choose two.) With HIPS, the success or failure of an attack cannot be readily determined.  With HIPS, the network administrator must verify support for all the different operating systems used in the network. HIPS has difficulty constructing an accurate network picture or coordinating events that occur across the entire network. If the network traffic stream is encrypted, HIPS is unable to access unencrypted forms of the traffic. HIPS installations are vulnerable to fragmentation attacks or variable TTL attacks.

74. In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected? authorization authentication auditing accounting

Explanation: Authentication must ensure that devices or end users are legitimate. Authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network. The configure terminal command is rejected because the user is not authorized to execute the command.

75. A company has a file server that shares a folder named Public. The network security policy specifies that the Public folder is assigned Read-Only rights to anyone who can log into the server while the Edit rights are assigned only to the network admin group. Which component is addressed in the AAA network service framework? automation accounting authentication authorization

Explanation: After a user is successfully authenticated (logged into the server), the authorization is the process of determining what network resources the user can access and what operations (such as read or edit) the user can perform.

76. What is a characteristic of a DMZ zone? Traffic originating from the inside network going to the DMZ network is not permitted.  Traffic originating from the outside network going to the DMZ network is selectively permitted. Traffic originating from the DMZ network going to the inside network is permitted. Traffic originating from the inside network going to the DMZ network is selectively permitted.

Explanation: The characteristics of a DMZ zone are as follows: Traffic originating from the inside network going to the DMZ network is permitted. Traffic originating from the outside network going to the DMZ network is selectively permitted. Traffic originating from the DMZ network going to the inside network is denied.

77. Which measure can a security analyst take to perform effective security monitoring against network traffic encrypted by SSL technology? Use a Syslog server to capture network traffic. Deploy a Cisco SSL Appliance.  Require remote access connections through IPsec VPN. Deploy a Cisco ASA.

78. Refer to the exhibit. Port security has been configured on the Fa 0/12 interface of switch S1. What action will occur when PC1 is attached to switch S1 with the applied configuration?

Frames from PC1 will be forwarded since the switchport port-security violation command is missing. Frames from PC1 will be forwarded to its destination, and a log entry will be created. Frames from PC1 will be forwarded to its destination, but a log entry will not be created. Frames from PC1 will cause the interface to shut down immediately, and a log entry will be made. Frames from PC1 will be dropped, and there will be no log of the violation. Frames from PC1 will be dropped, and a log message will be created.

Explanation: Manual configuration of the single allowed MAC address has been entered for port fa0/12. PC1 has a different MAC address and when attached will cause the port to shut down (the default action), a log message to be automatically created, and the violation counter to increment. The default action of shutdown is recommended because the restrict option might fail if an attack is underway.

79. What security countermeasure is effective for preventing CAM table overflow attacks? DHCP snooping Dynamic ARP Inspection IP source guard  port security

Explanation: Port security is the most effective method for preventing CAM table overflow attacks. Port security gives an administrator the ability to manually specify what MAC addresses should be seen on given switch ports. It provides a method for limiting the number of MAC addresses that can be dynamically learned over a switch port.

80. What are two examples of DoS attacks? (Choose two.) port scanning SQL injection  ping of death phishing  buffer overflow

Explanation: The buffer overflow and ping of death DoS attacks exploit system memory-related flaws on a server by sending an unexpected amount of data or malformed data to the server.

81. Which method is used to identify interesting traffic needed to create an IKE phase 1 tunnel? transform sets

88. A company is concerned with leaked and stolen corporate data on hard copies. Which data loss mitigation technique could help with this situation? strong PC security settings strong passwords  shredding encryption

Explanation: Confidential data should be shredded when no longer required. Otherwise, a thief could retrieve discarded reports and gain valuable information.

89. Upon completion of a network security course, a student decides to pursue a career in cryptanalysis. What job would the student be doing as a cryptanalyst? cracking code without access to the shared secret key creating hashing codes to authenticate data  making and breaking secret codes creating transposition and substitution ciphers

90. What command is used on a switch to set the port access entity type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant? dot1x pae authenticator authentication port-control auto aaa authentication dot1x default group radius dot1x system-auth-control

Explanation: Sets the Port Access Entity (PAE) type. dot1x pae [supplicant | authenticator | both]

  • supplicant—The interface acts only as a supplicant and does not respond to messages that are meant for an authenticator.
  • authenticator—The interface acts only as an authenticator and does not respond to any messages meant for a supplicant.
  • both—The interface behaves both as a supplicant and as an authenticator and thus does respond to all dot1x messages.

Updating....

Match the security technology with the description.

A network analyst is configuring a site-to-site IPsec VPN. The analyst has configured both the ISAKMP and IPsec policies. What is the next step? Configure the hash as SHA and the authentication as pre-shared. Apply the crypto map to the appropriate outbound interfaces. Issue the show crypto ipsec sa command to verify the tunnel. Verify that the security feature is enabled in the IOS.