CCNA Security Questions & Answers 1
Wednesday, September 3rd, 2008 | Exam Braindumps
The IOS Firewall Set Questions & Answers:
1-Question:Define the term “DMZ” as it pertains to network security, and name three different common network devices that are typically found there.
Answer: It’s easy to think of your network as the “inside”, and everything else as “outside”. However, we’ve got a third area when it comes to firewalls – the DMZ.
From an IT standpoint, the DMZ is the part of our network that is exposed to outside networks. It’s common to find the following devices in a DMZ:
• FTP server
• Email server
• E-commerce server
• DNS servers
• Web servers
2-Question: Identify the true statements.
A. Stateless packet filtering considers the TCP connection state.
B. Stateful packet filtering considers the TCP connection state.
C. Neither stateless nor stateful packet filtering monitor the TCP connection state.
D. Both stateless and stateful packet filtering monitor the TCP connection state, and keep a state table containing that information.
Answer: (B.) Stateful packet filtering does monitor the connection state, and that’s particularly important when it comes to preventing TCP attacks. A stateful firewall will not only monitor the state of the TCP connection, but also the sequence numbers. Stateful firewalls accomplish this by keeping a session table, or state table.
3-Question:Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?
Answer:The Cisco IOS Firewall is a stateful filter.
4-Question: Which of the following are considered parts of the IOS Firewall feature set?
A. IOS Firewall
B. Intrusion Prevention System
C. RADIUS
D. Authentication Proxy
E. Password Encryption
Source: www.thebryantadvantage.com/
CCNA Security Q&A ——-by Nar(Naresnet@gmail.com)
Answer: (A, B, D.) There are three major components to the IOS Firewall feature set – the IOS Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy.
5-Question: Identify the true statements regarding the Authentication Proxy.
A. It’s part of the IOS Firewall Feature Set.
B. It allows creation of per-user security profiles, rather than more general profiles.
C. It allows creation of general security profiles, but not per-user profiles.
D. Profiles can be stored locally, but not remotely.
E. Profiles can be stored on a RADIUS server.
F. Profiles can be stored on a TACACS+ server.
Answer: (A, B, E, F.) The Authentication Proxy allows us to create security profiles that will be applied on a per-user basis, rather than a per-subnet or per-address basis. These profiles can be kept on either of the following:
• RADIUS server
• TACACS+ server
Upon successful authentication, that particular user’s security policy is downloaded from the RADIUS or TACACS+ server and applied by the IOS Firewall router.
6-Question:Configuring ACLs is an important part of working with the IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?
Answer: We have the option of using the word host to represent a wildcard mask of 0.0.0.0.
Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.
R3(config)#access-list 15 permit any
R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255
There’s no “right” or “wrong” decision to make when you’re configuring ACLs in the real world. For your exam, though, I’d be very familiar with the proper use of host and any.
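To make the host/any equivalence concrete, here is an added Python example (not code from the original page) that evaluates standard numbered ACL entries the way IOS does: a wildcard mask bit of 0 means "this bit must match" and 1 means "don't care", entries are read top-down with first match winning, and an unmatched packet hits the implicit deny. The `parse_entry`, `wildcard_match` and `evaluate` names are this example's own; the ACL lines it parses are the ones shown above.

```python
import ipaddress

# The two keywords and the wildcard masks they stand for (from the answer above)
WILDCARD_HOST = "0.0.0.0"          # "host": every bit must match
WILDCARD_ANY = "255.255.255.255"   # "any":  no bit has to match


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip, acl_ip, wildcard):
    """True if packet_ip matches acl_ip under a Cisco wildcard mask.

    In a wildcard mask a 0 bit means "this bit must match" and a 1 bit means
    "don't care", so only the bits that are 0 in the mask are compared.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_ip) & care) == (to_int(acl_ip) & care)


def parse_entry(text):
    """Parse a standard numbered ACL entry into (number, action, ip, wildcard).

    Accepts the forms shown above:
        access-list 6 permit 10.1.1.1 0.0.0.0
        access-list 7 permit host 10.1.1.1
        access-list 15 permit any
        access-list 15 permit 0.0.0.0 255.255.255.255
    """
    parts = text.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError("not a standard access-list entry: %r" % text)
    number, action = int(parts[1]), parts[2]
    if parts[3] == "any":
        return number, action, "0.0.0.0", WILDCARD_ANY
    if parts[3] == "host":
        return number, action, parts[4], WILDCARD_HOST
    # IOS treats an omitted wildcard mask on a standard ACL as 0.0.0.0 (host)
    wildcard = parts[4] if len(parts) > 4 else WILDCARD_HOST
    return number, action, parts[3], wildcard


def evaluate(acl_lines, packet_ip):
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for line in acl_lines:
        _, action, ip, wildcard = parse_entry(line)
        if wildcard_match(packet_ip, ip, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    acl6 = ["access-list 6 permit 10.1.1.1 0.0.0.0"]
    acl7 = ["access-list 7 permit host 10.1.1.1"]
    for ip in ("10.1.1.1", "10.1.1.2"):
        print(ip, evaluate(acl6, ip), evaluate(acl7, ip))
```

Running it shows ACL 6 and ACL 7 give identical verdicts for every source address, which is the whole point of the `host` keyword; swapping in `access-list 15 permit any` permits everything because no bit is compared.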
7-Question:What does the dollar sign in the following ACL line indicate?
R1(config)#$ 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255
Answer: The dollar sign simply indicates that part of the command you’re entering or viewing can’t be shown because the entry is so long. It does not mean the command is illegal.
8-Question:Basically, how does an IOS Firewall prevent a TCP SYN attack?
Answer: The IOS Firewall can use any or all of the following values to detect when a TCP SYN attack is underway:
• Overall total of incomplete TCP sessions
• Number of incomplete TCP sessions in a certain amount of time
• Number of incomplete TCP sessions on a per-host basis
When any of these thresholds is reached, either of the following actions can be taken:
• Block all incoming SYN packets for a certain period of time
• Transmit a RST to both parties in the oldest incomplete session
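The following added Python model (not from the original page or from Cisco) shows how a stateful filter's state table (Question 2) feeds the three SYN-attack thresholds listed above: it tracks each TCP session from SYN to established, counts half-open sessions overall, within a time window and per destination host, and identifies the oldest half-open session, which is the one the second action would reset. The class and threshold names, the threshold values and the packet trace are all constructed for this example and are not IOS defaults.

```python
from collections import deque


class HalfOpenMonitor:
    """State table for a stateful filter, with the three SYN-attack thresholds above.

    Threshold values and threshold names are constructed for this example; they are
    not the IOS Firewall defaults.
    """

    def __init__(self, max_incomplete=10, max_per_window=10, max_per_host=5, window=60.0):
        self.max_incomplete = max_incomplete    # overall total of incomplete sessions
        self.max_per_window = max_per_window    # new incomplete sessions within `window` seconds
        self.max_per_host = max_per_host        # incomplete sessions per destination host
        self.window = window
        self.sessions = {}        # (src, dst, dport) -> [state, time SYN was seen]
        self.syn_times = deque()  # timestamps of SYNs seen, for the rate threshold

    def observe(self, now, src, dst, dport, flag):
        """Update the state table with one packet and return the thresholds exceeded."""
        key = (src, dst, dport)
        if flag == "SYN":
            self.sessions[key] = ["SYN_SENT", now]
            self.syn_times.append(now)
        elif flag == "ACK" and key in self.sessions and self.sessions[key][0] == "SYN_SENT":
            self.sessions[key][0] = "ESTABLISHED"   # three-way handshake completed
        elif flag in ("FIN", "RST"):
            self.sessions.pop(key, None)
        return self.check(now)

    def incomplete(self):
        """Half-open sessions: key -> time the SYN was seen."""
        return {k: v[1] for k, v in self.sessions.items() if v[0] == "SYN_SENT"}

    def check(self, now):
        """Names of the thresholds currently exceeded (empty list means no attack seen)."""
        while self.syn_times and now - self.syn_times[0] > self.window:
            self.syn_times.popleft()
        incomplete = self.incomplete()
        tripped = []
        if len(incomplete) > self.max_incomplete:
            tripped.append("total-incomplete")
        if len(self.syn_times) > self.max_per_window:
            tripped.append("incomplete-per-window")
        per_host = {}
        for (_src, dst, _port) in incomplete:
            per_host[dst] = per_host.get(dst, 0) + 1
        if any(n > self.max_per_host for n in per_host.values()):
            tripped.append("incomplete-per-host")
        return tripped

    def oldest_incomplete(self):
        """The session a firewall would reset (RST to both parties) under the second action."""
        incomplete = self.incomplete()
        return min(incomplete, key=incomplete.get) if incomplete else None


# Constructed packet trace: (seconds, src, dst, dport, flag). One legitimate client
# completes its handshake, then twelve sources each leave a SYN unanswered.
SAMPLE_PACKETS = [
    (0.0, "198.51.100.10", "192.0.2.80", 80, "SYN"),
    (0.1, "198.51.100.10", "192.0.2.80", 80, "ACK"),
] + [(1.0 + i * 0.01, "203.0.113.%d" % (i + 1), "192.0.2.80", 80, "SYN") for i in range(12)]


def run_sample(packets=SAMPLE_PACKETS, **thresholds):
    """Feed the trace through a monitor; return it and the first (time, thresholds) alert."""
    monitor = HalfOpenMonitor(**thresholds)
    first_alert = None
    for now, src, dst, dport, flag in packets:
        tripped = monitor.observe(now, src, dst, dport, flag)
        if tripped and first_alert is None:
            first_alert = (now, tripped)
    return monitor, first_alert


if __name__ == "__main__":
    monitor, alert = run_sample()
    print("first alert:", alert)
    print("oldest half-open session:", monitor.oldest_incomplete())
```

With the constructed values the per-host threshold trips first, after the sixth unanswered SYN toward the same server; the completed legitimate session never counts, because the state table moved it to established when its ACK arrived. Calling `check` again after the time window has passed shows the rate threshold clearing while the total and per-host counts stay exceeded.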
9-Question:What does the term “punch a hole in the firewall” refer to? (Logically, that is, not physically.)
Answer: That term simply refers to configuring the firewall to open a port that was previously closed. Don’t forget to close it when you no longer need it to be open!
10-Question:What exactly does the router-traffic option in the following configuration do?
R4(config)#ip inspect name PASSCCNASECURITY tcp router-traffic
R4(config)#ip inspect name PASSCCNASECURITY udp router-traffic
R4(config)#ip inspect name PASSCCNASECURITY icmp router-traffic
Answer: If you’re going to inspect traffic that is actually generated on the router, you need to include the router-traffic option at the end of that particular ip inspect statement.
Questions On NTP, SSH, Telnet, And More
11-Question: We’ll start with a question you learned the answer to in your CCNA studies. When you have an enable secret and an enable password set, which takes precedence over the other?
A. The enable secret takes precedence.
B. The enable password takes precedence.
C. You cannot set both an enable secret and an enable password.
D. You can set them both, but since they must be set to the same value, there is no question of precedence.
Answer: A. The enable secret always takes precedence over the enable password.
12-Question: What device and stratum level are found at the top of the NTP hierarchy?
A. Atomic clocks, stratum 1
B. Atomic clocks, stratum 0
C. NTP Masters, stratum 1
D. NTP Masters, stratum 0
E. NTP Primary, stratum 0
F. NTP Primary, stratum 1
Answer: B. Atomic clocks are at the top of the NTP hierarchy, and that top level is Stratum 0. Cisco routers cannot get their time directly from a Stratum 0 device.
13-Question: What port does NTP use?
Answer: NTP uses UDP port 123. Remember that when you’re configuring your ACLs!
14-Question: What are the options for NTP authentication?
A. MD5
B. Bellman-Ford
C. clear text
D. CHAP
E. PAP
Answer: A. As IOS Help illustrates, the only option here is MD5. You still have to specify that option, though.
R1(config)#ntp authentication-key 1 ?
md5 MD5 authentication
15-Question: What command resulted in the following output?
R2#
Clock is synchronized, stratum 10, reference is 172.12.23.3
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
reference time is CBB9CEC8.17FBD1B8 (15:05:44.093 UTC Wed Apr 23 2008)
clock offset is -0.6214 msec, root delay is 37.20 msec
root dispersion is 5.04 msec, peer dispersion is 0.53 msec
Answer: That command output is the result of the show ntp status command.
16-Question: What command will limit the overall number of NTP peers and clients that the local router can form an association with?
Answer: You can limit the overall number of NTP peers and clients with the ntp max-associations command.
R3(config)#ntp max-associations ?
<0-4294967295> Number of associations
17-Question: What authentication option is available for Telnet that is not available with SSH?
Answer: You can use a line password for Telnet, but not for SSH. For SSH, you’ll need to use AAA or a locally configured database.
18-Question: What command resulted in the following output?
R1(config)#
The name for the keys will be: HQ.HQ.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Answer: That output is the result of the crypto key generate rsa command.
19-Question: Name the two options for TCP Intercept mode and describe the major operational difference between the two.
Answer: TCP Intercept is generally run in intercept mode, allowing the router to intercept those TCP SYN requests and answer them on behalf of the server.
If the SYN source is legitimate, a TCP ACK should be received by the router. If and when that happens, the router considers that three-way handshake to be complete and the SYN source to be legitimate.
In turn, the router opens a TCP connection to the server, and when that connection is complete, the router merges the two open connections into one.
This prevents any non-legitimate SYN packets from ever reaching the server. TCP Intercept can be configured to intercept all incoming SYN packets, or an ACL can be written to identify the source and destination for packets that should be intercepted.
TCP Intercept can also be run in watch mode, a much more passive mode than intercept mode. In watch mode, the router does not intercept the SYN packets, but passes them through to the TCP server.
The router does watch this incomplete connection, and will close it if it’s not completed after a certain period of time – by default, 30 seconds. Use the ip tcp intercept mode command to configure the desired mode.
R1(config)#ip tcp intercept mode ?
  intercept  Intercept connections
  watch      Watch connections
R1(config)#ip tcp intercept mode intercept
20-Question: Name the two operational modes for Autosecure and describe the major difference between them.
Answer: The Autosecure modes:
• Interactive, where the admin is prompted for input. This mode is similar to Setup Mode. If you’re going to configure anything requiring user interaction – SSH, enable passwords, etc. – you should use this mode.
• Non-interactive, where Cisco’s recommended settings for Autosecure are put into action. Cisco’s recommended settings are very secure – maybe too secure for your network!
Network Attacks And Defenses Questions & Answers:
21-Question Which RFC refers to all of the following network address ranges, and how do these ranges relate to network security?
0.0.0.0 /8
10.0.0.0 /8
127.0.0.0 /8
172.16.0.0 /12
192.168.0.0 /16
224.0.0.0 /4
240.0.0.0 /4
Answer: RFC 3704 (an updated version of RFC 2827) recommends that packets sourced from those address ranges not be allowed to enter your network.
Blocking these address ranges for incoming traffic on your network’s perimeter routers is sometimes called “2827 filtering” or “3704 filtering”, referring to the original and updated RFCs that discuss this topic in a great deal of detail.
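As an added example (not from the original page), the Python below applies the ingress filter described above to constructed packets and renders the same policy in the numbered-ACL notation the page uses elsewhere, with each prefix's wildcard mask derived as the inverse of its netmask. The address ranges are the seven listed in the question; the sample packets, the function names and the closing `permit ip any any` line are assumptions of this example.

```python
import ipaddress

# The ranges listed in the question, as RFC 3704 / RFC 2827 ingress-filter entries
FILTERED_SOURCE_RANGES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]
FILTERED_NETWORKS = [ipaddress.ip_network(r) for r in FILTERED_SOURCE_RANGES]


def matching_range(src_ip):
    """Return the filtered range containing src_ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(src_ip)
    for net in FILTERED_NETWORKS:
        if addr in net:
            return str(net)
    return None


def ingress_decision(src_ip):
    """'deny' for a packet sourced from a filtered range, otherwise 'permit'."""
    return "deny" if matching_range(src_ip) is not None else "permit"


def ingress_acl(number=110):
    """Render the same policy as an extended ACL in the notation the page uses.

    The wildcard mask of a prefix is its host mask (the inverse of the netmask).
    The closing 'permit ip any any' is assumed here so that the ACL does not also
    drop legitimate traffic through its implicit deny.
    """
    lines = ["access-list %d deny ip %s %s any" % (number, net.network_address, net.hostmask)
             for net in FILTERED_NETWORKS]
    lines.append("access-list %d permit ip any any" % number)
    return lines


def apply_filter(packets):
    """Split constructed (src, dst) pairs into permitted and denied lists."""
    permitted, denied = [], []
    for src, dst in packets:
        (denied if ingress_decision(src) == "deny" else permitted).append((src, dst))
    return permitted, denied


# Constructed sample packets arriving on the perimeter router's outside interface
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10"),   # ordinary Internet source
    ("10.20.30.40", "192.0.2.10"),   # RFC 1918 source cannot legitimately arrive from outside
    ("127.0.0.1", "192.0.2.10"),     # loopback source: spoofed
    ("172.32.0.1", "192.0.2.10"),    # just outside 172.16.0.0/12, so it is allowed through
]

if __name__ == "__main__":
    print("\n".join(ingress_acl()))
    print(apply_filter(SAMPLE_PACKETS))
```

The 172.32.0.1 case is worth noting: 172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255 only, which is why its wildcard mask comes out as 0.15.255.255 rather than 0.255.255.255. On a real perimeter router this ACL would be applied inbound on the outside interface.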
22-Question Which of the following are considered reconnaissance attacks, and which are access attacks?
A. ping sweep
B. port scan
C. password attack
D. trust exploitation
E. DNS query
Answer: Recon attacks: ping sweeps, port scans, DNS queries. Access attacks: password attacks and trust exploitation.
23-Question The term “port redirection” refers to which type of network attack mentioned in Question 2?
Answer: Port redirections are a type of trust exploitation.
24-Question Which of the following statements referring to Superviews and Views are true?
A. IOS Commands can be contained in multiple views on the same router.
B. A single view can be contained in more than one Superview.
C. Deleting a Superview results in all Views contained in that Superview to be deleted as well.
D. Logging into a Superview allows the user to execute all commands in all Views that are part of that Superview.
Answer: A, B, D. The only false statement is that deleting a Superview results in the deletion of all of the Views it contains. Deleting a Superview does not result in the deletion of its Views.
25-Question Which of the following are disabled by default when you run Autosecure?
A. PAD
B. UDP and TCP Small Servers
C. BootP
D. CDP
E. NTP
Answer: A, B, C, D, E.
By default, the following will be globally disabled by AutoSecure:
• Finger – recon attack possibility
• PAD – known vulnerabilities
• UDP and TCP Small Servers – attacker can request large number of UDP diagnostics
• BootP – known vulnerabilities
HTTP services, Identification Service (queries TCP port), CDP, NTP and IP source routing are also disabled globally.
26-Question Which of the following are enabled by default when you run Autosecure on a Cisco router?
A. Password encryption service
B. TCP keepalives (inbound only)
C. TCP keepalives (outbound only)
D. TCP keepalives (both inbound and outbound)
E. IP source routing
F. HTTP services
Answer: A, D. Both the password encryption service and TCP keepalives (inbound and outbound) will be enabled by AutoSecure.
27-Question Which of the following will be enabled by default when you run Autosecure?
A. logging timestamps and sequence numbers
B. logging console critical
C. logging buffered
D. logging trap disabled
Answer: A, B, C, D. All of those will be enabled by AutoSecure.
28-Question You’re configuring one-step lockdown via SDM. According to SDM, can you undo any of the lockdown settings once you run the lockdown feature?
A. No, the lockdown is irreversible.
B. Yes, by running Security Audit Wizard and selecting “Undo Security Configurations”.
C. Yes, by running the Additional Tasks option.
D. Yes, by choosing “Undo Lockdown”.
Answer: B, C. You can change some or all of the lockdown settings by using the Undo Security Configurations section of the Security Audit Wizard or by using Additional Tasks, as shown below in this SDM screen shot from my CCNA Security Study Package.
29-Question You’re running Autosecure at the CLI and decide about halfway through the prompts that you’d like to stop without saving any of your Autosecure configuration. Can you do this, and if so, how? (Unplugging the router is not acceptable.)
Answer: Our old friend ctrl-c will do the job, as shown in the prompts you’re shown after running the auto secure command. Note the disclaimer shown at the top of this output!
R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
30-Question As it relates to how they are spread, what is the major difference between a worm and a virus?
Answer: The terms virus and worm are often used interchangeably, but they’re not quite the same thing. A major difference between the two is that a worm can spread from its entry point to the rest of your network without the “help” of a human being.
A common worm attack is carried out by the worm finding your email address book and then sending a copy of itself to every recipient in that book. The worm executes its code and then continues to send copies of itself.
A virus can’t be spread without an end user helping out, generally by forwarding an infected file or attachment.
Practice Questions for AAA essentials
31-Question: Which statement below best describes AAA?
a) AAA is an automobile club
b) AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner.
c) AAA is a means for authorizing asymmetric (network) access
d) AAA gives users total access to the network
Answer: B
32-Question: AAA provides which of the following benefits?
a) increased flexibility and control
b) Scalability
c) Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
d) Multiple backup systems
e) All of the above
Answer: E
33-Question: Which statement below best describes the AAA philosophy?
a) AAA only allows you to set up group definitions for user access
b) AAA does not allow virtual profiles
c) AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-user or per-service basis.
d) AAA does not support IPS services
Answer: C
34-Question: Which three security protocols are used by AAA servers? (Choose three.)
a) RADIUS
b) RADIUS+
c) TACACS
d) TACACS+
e) Kerberos
f) ISAKMP
Answer: A, D, E
35-Question: Which statement below best describes the difference between RADIUS and TACACS+?
a) RADIUS uses UDP while TACACS+ uses TCP
b) RADIUS uses TCP while TACACS+ uses UDP
c) RADIUS and TACACS+ both use TCP
d) RADIUS and TACACS+ both use UDP
Answer: A
36-Question: Which statement below best describes the difference between RADIUS and TACACS+? (Choose Two.)
a) RADIUS encrypts only the password in the access-request packet, from the client to the server
b) TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
c) RADIUS and TACACS+ both encrypt the entire body of the packet
d) TACACS+ only encrypts the user password and challenge response and reply
Answer: A, B
37-Question: Which statement below is true?
a) RADIUS supports non IP protocols
b) TACACS+ does not support AppleTalk
c) TACACS+ offers multiprotocol support
d) RADIUS offers multiprotocol support
Answer: C
