CCNA Security Questions & Answers 2

Wednesday, September 3rd, 2008 | Exam Braindumps

38-Question: Which statement below is true regarding the RADIUS protocol?

a) RADIUS does not allow users to control which commands can be executed on a router and which cannot; therefore, it is not as useful for router management or as flexible for terminal services.

b) RADIUS allows users to control which commands can be executed on a router, once properly authenticated, and as permitted in the authorization reply
c) RADIUS, using TCP, secures the authorization and accounting processes by transmitting sensitive information in a secure tunnel once the connection is properly authenticated.
d) RADIUS provides for flexible user and device authentication and access authorization management

Answer: A

Questions & Answers from The Bryant Advantage

1-Question: In terms of their position in the flow of traffic, what’s the major difference between an IPS and an IDS?
Answer: An IDS is not in the direct flow of network traffic. Instead, the traffic flows are mirrored to the IDS. When malicious traffic does hit the network, the IDS will see it and take appropriate action.
In contrast, the Intrusion Prevention System (IPS) does sit in the middle of the traffic flow – in this case, the IPS will actually be our Cisco router. When the IPS detects a problem, the IPS itself can prevent the traffic from entering the network.

2-Question: What is SDEE, and what do we use it for?

Answer:

3-Question: What is the highest stratum level in the NTP hierarchy? Can a Cisco router serve at that level?
Answer: Stratum-0, and no. Typically that role is held by an atomic clock. Cisco routers are good, but not atomic.

4-Question: What benefit does “GRE over IPSec” offer that IPSec by itself does not?

Answer: By combining GRE and IPSec, each protocol helps to compensate for the other’s limitation:

IPSec adds data integrity and confidentiality that GRE does not offer

GRE offers the ability to carry routing protocol traffic, which IPSec does not offer

Why call it “GRE over IPSec” rather than “IPSec over GRE”? Because the GRE encapsulation happens first, and then that encapsulation is encapsulated again, by IPSec. In effect, we have a GRE tunnel inside an IPSec tunnel.

5-Question: You’re editing an ACL in SDM and notice some asterisks under source and destination. What do those asterisks indicate?

Answer: In SDM, asterisks indicate the ACL keyword any.

6-Question: What is “3704 filtering”, and what does it have to do with network security?

Answer: RFC 3704 (an updated version of RFC 2827) recommends that packets from the following network ranges be prohibited from entering your network:

0.0.0.0 /8

10.0.0.0 /8 (RFC 1918 Class A private range)

127.0.0.0 /8 (loopback address range)

172.16.0.0 /12 (RFC 1918 Class B private range)

192.168.0.0 /16 (RFC 1918 Class C private range)

224.0.0.0 /4 (reserved for IP multicasts)

240.0.0.0 /4 (RFC 1918 Class E private range)

Blocking these address ranges for incoming traffic on your network’s perimeter routers is sometimes called “2827 filtering” or “3704 filtering”, referring to the original and updated RFCs that discuss this topic in a great deal of detail.

7-Question: The following three timers sound a great deal alike, but they have very different functions. What purpose does each of these timers serve?

ip inspect finwait-time

ip inspect tcp synwait-time

ip inspect tcp idle-time

Answers:

ip inspect finwait-time defines how long an entry stays in the state table after one of the two endpoints of an established TCP session begins closing the connection; when the timer expires, the entry is removed. Default is 5 seconds.

ip inspect tcp idle-time defines just what you think it would – the amount of time an idle TCP connection is kept in the state table. Default is 3600 seconds.

ip inspect tcp synwait-time defines the time allowed for a TCP three-way handshake to reach the Established stage. Default is 30 seconds. If this timer expires, the connection is terminated and the entry removed from the router’s state table.

8-Question: In regards to the IOS Firewall set, what is generic inspection? What’s so “generic” about it?

Answer: I’m not going to show you the entire IOS Help readout for the following command, but believe me – it’s a long, long list. On this particular router, I had over 150 options.

R1(config)#ip inspect name CCNP ?
  802-11-iapp   IEEE 802.11 WLANs WG IAPP
  ace-svr       ACE Server/Propagation
  appfw         Application Firewall
  appleqtc      Apple QuickTime
  bgp           Border Gateway Protocol
  biff          Bliff mail notification
  bootpc        Bootstrap Protocol Client

If you want to inspect all TCP and/or UDP connections, you can specify TCP and/or UDP as the inspected protocol, rather than a more-specific entry. This is generic inspection and is configured by entering tcp or udp at that same point in the ip inspect command.

tcp Transmission Control Protocol

udp User Datagram Protocol

This will inspect any TCP and/or UDP protocol traffic, even if the specific application isn’t named in the inspection rule. Generic inspection is designed to allow return traffic for all TCP and/or UDP connections that are initiated on the inside network.


So why don’t we just configure all TCP and UDP traffic to be inspected generically and leave it at that?

Application-specific commands are not interpreted by generic inspection, and that means that the return packets may not be allowed to enter the inside network. If the return traffic is using a different port number than the original traffic, generic inspection may not allow that return traffic to enter the network.
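The timers from question 7 and the generic-inspection limitation from question 8 both come down to what the router’s state table does with each packet. The following Python is an added example, not IOS code and not from the original post: a toy CBAC-style state table that creates an entry for an inside-initiated TCP connection, ages it out under the three default timers quoted above, and permits outside packets only when they match an existing entry with the addresses reversed (generic inspection). The second scenario uses an active-mode-FTP-style data channel on a different port as the illustration (the original answer names no application); the page describes the problem only in general terms. The addresses, ports and `open_pinhole` helper are constructed for the example.

```python
from dataclasses import dataclass

# Default CBAC timer values quoted in the answer to question 7 (seconds).
SYNWAIT_TIME = 30    # ip inspect tcp synwait-time
IDLE_TIME = 3600     # ip inspect tcp idle-time
FINWAIT_TIME = 5     # ip inspect finwait-time
TIMER_FOR_STATE = {"expected": SYNWAIT_TIME, "synwait": SYNWAIT_TIME,
                   "established": IDLE_TIME, "finwait": FINWAIT_TIME}

@dataclass
class Entry:
    state: str        # expected | synwait | established | finwait
    last_seen: float  # when the entry's current timer started

class InspectTable:
    """Toy model of a CBAC state table (not IOS code). Keys are
    (proto, inside_ip, inside_port, outside_ip, outside_port)."""

    def __init__(self):
        self.entries = {}

    def _expire(self, now):
        # Each state has its own timer; an entry whose timer ran out is gone.
        for key, e in list(self.entries.items()):
            if now - e.last_seen > TIMER_FOR_STATE[e.state]:
                del self.entries[key]

    def _touch(self, e, flags, now):
        # A FIN starts the finwait clock; that clock is not refreshed.
        if "FIN" in flags and e.state != "finwait":
            e.state, e.last_seen = "finwait", now
        elif e.state != "finwait":
            e.last_seen = now

    def outbound(self, key, flags, now):
        """Packet from the inside host: a SYN creates a synwait entry, the
        handshake-completing ACK makes it established."""
        self._expire(now)
        e = self.entries.get(key)
        if e is None:
            if "SYN" in flags:
                self.entries[key] = Entry("synwait", now)
            return
        if e.state == "synwait" and "ACK" in flags and "SYN" not in flags:
            e.state = "established"
        self._touch(e, flags, now)

    def inbound(self, proto, src, sport, dst, dport, flags, now):
        """Packet from the outside: permitted only when a live entry matches
        the reversed 5-tuple (generic inspection); otherwise dropped."""
        self._expire(now)
        e = self.entries.get((proto, dst, dport, src, sport))
        if e is None:
            return "drop"
        if e.state == "expected":  # pinhole from application-aware inspection
            e.state = "synwait"
        self._touch(e, flags, now)
        return "permit"

    def open_pinhole(self, key, now):
        """What application-specific inspection does after parsing a command
        that negotiates a second channel: pre-create the entry for it."""
        self.entries[key] = Entry("expected", now)

INSIDE, OUTSIDE = "10.1.1.5", "203.0.113.20"  # constructed addresses

def _establish(t, iport, oport, now):
    """Inside-initiated three-way handshake through the table."""
    key = ("tcp", INSIDE, iport, OUTSIDE, oport)
    t.outbound(key, {"SYN"}, now)
    t.inbound("tcp", OUTSIDE, oport, INSIDE, iport, {"SYN", "ACK"}, now + 0.1)
    t.outbound(key, {"ACK"}, now + 0.2)
    return key

def timer_demo():
    """Each of the three timers in action; returns the verdicts."""
    t, r = InspectTable(), {}
    t.outbound(("tcp", INSIDE, 40000, OUTSIDE, 80), {"SYN"}, 0)
    r["synack_after_synwait"] = t.inbound("tcp", OUTSIDE, 80, INSIDE, 40000, {"SYN", "ACK"}, 31)
    _establish(t, 40001, 80, 40)
    r["reply_within_idle"] = t.inbound("tcp", OUTSIDE, 80, INSIDE, 40001, {"ACK"}, 3000)
    r["reply_after_idle"] = t.inbound("tcp", OUTSIDE, 80, INSIDE, 40001, {"ACK"}, 6700)
    key = _establish(t, 40002, 80, 6700)
    t.outbound(key, {"FIN", "ACK"}, 6800)
    r["reply_during_finwait"] = t.inbound("tcp", OUTSIDE, 80, INSIDE, 40002, {"ACK"}, 6804)
    r["reply_after_finwait"] = t.inbound("tcp", OUTSIDE, 80, INSIDE, 40002, {"FIN", "ACK"}, 6806)
    return r

def generic_vs_application_inspection():
    """Second channel on a different port (active-mode FTP style): generic
    inspection drops it, application-aware inspection opened a pinhole."""
    t = InspectTable()
    _establish(t, 40010, 21, 0)  # control channel, inside-initiated
    generic = t.inbound("tcp", OUTSIDE, 20, INSIDE, 40011, {"SYN"}, 1)
    t.open_pinhole(("tcp", INSIDE, 40011, OUTSIDE, 20), 1)
    app_aware = t.inbound("tcp", OUTSIDE, 20, INSIDE, 40011, {"SYN"}, 1.1)
    return {"generic": generic, "application_aware": app_aware}

if __name__ == "__main__":
    print(timer_demo())
    print(generic_vs_application_inspection())
```

The point of the second scenario is the one the answer makes: under generic TCP inspection the table only knows the control connection, so a server-initiated connection to a fresh client port matches nothing and is dropped; only an inspector that understands the application can pre-create the entry for the second channel.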

9-Question: What exactly is fail closed? Is it enabled or disabled by default?
Answer: The following illustration from my CCNP ISCW and CCNA Security study guides explains it! The default settings are shown – note that Fail Closed is off by default.

10-Question: You’re in SDM and want to perform a one-step router lockdown. Take a look at the following screen shot and tell me where you should click next.

Answer: Click the Security Audit button. You’ll see the following screen at that point – note the mention of one-step lockdown.

11-Question: When you’re configuring SDM, you have two options for the location of SDF files. What are they?

Answer: You can specify a URL or Flash, as demonstrated by this screen shot from my picture

12-Question: What’s the difference between symmetric and asymmetric encryption?
Answer: Symmetric encryption is an algorithm where the same key is used for both encryption and decryption. The drawback to symmetric encryption is that the key serves two purposes, making it that much easier for an intruder to discover the key.

In contrast, asymmetric encryption involves a pair of keys for each party, sender and receiver alike. This public key encryption scheme gives each user a public key and a private key. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority (CA).

13-Question: What is the purpose of the 256MB.sdf file? What does the “256” refer to?

Answer: This is one of three preconfigured Signature Definition Files. Cisco’s website recommends running the Intrusion Prevention System (IPS) with the preconfigured files – attack-drop.sdf, 128MB.sdf, and 256MB.sdf. The “128MB” and “256MB” refer to the amount of memory necessary to use these particular files.

14-Question: Which of the following does not use encryption?

A. SSH

B. SSL

C. NTP v3

D. Telnet

E. SMTP v3

Answer: D. The other four all use encryption in some form.

15-Question: How can you configure SDM to preview the commands before delivering them to the router, and also give you a confirmation prompt when you leave SDM?
Answer: I personally check Preferences in SDM every time I use it, and I recommend you do the same. Before proceeding to the Configuration section, go to the upper-left corner of the initial SDM window and select Preferences, as shown here:

Then you can edit these three prefs to your heart’s delight! (The following illustration was trimmed to fit Blogger.)

16-Question: What is the anomaly method?

Answer: “This is the IPS method of identifying malicious traffic where differences from normal traffic patterns are sought and detected.”

17-Question: What’s the purpose of the attack-drop.sdf file?
Answer: The attack-drop.sdf file is a Signature Definition File that contains the latest and greatest IPS signatures.

18-Question: There are three basic methods IPS uses to identify potentially malicious traffic. Name all three and give a brief definition of each.
Answer: Both the IPS and IDS can base their identification of dangerous and malicious traffic on the following:

Policy, where a configured policy may ban particular IP addresses, ports, or even websites

Signature, where byte patterns are considered along with other values.

Anomaly, where differences from normal traffic patterns are sought and detected.

19-Question: In SDM, you might see a green square next to a signature. What does that symbol indicate?

Answer: The green square indicates the signature is at its default setting. Here are the two possibilities, as shown in this image from my CCNA Security Study Package. (Click the image for a larger view.)

20-Question: You’re working in SDM to configure an Easy VPN Server. You’ll have three options for authenticating your Easy VPN Clients. What are they?

Answer: The choices are Pre-shared key, Digital Certificates, and Both, as shown here in this screen shot from my CCNA Security Study Package. (Click the image for a larger view.)
