1-100 Flashcards Preview


Flashcards in 1-100 Deck (88):
1

Which statement about failover interfaces is true?

All information sent over the failover and Stateful Failover links is sent in clear text by default (it is encrypted only if a failover key is configured).

2

Which three ESP fields can be encrypted during transmission?

Padding
Pad Length
Next Header

3

According to Cisco best practices, which three protocols should the default ACL allow so that a wired BYOD device can supply credentials and connect to the network?

BOOTP
TFTP
DNS

4

If the authentication methods are configured as shown, what happens when authentication fails?
"authentication event fail action next-method"

The supplicant will fail to advance beyond the webauth method.

5

When a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet?

It applies the actions from only the first matching class map it finds for that feature type.

6

You have implemented a Sourcefire IPS and configured it to block certain addresses using Security Intelligence IP address reputation. How do you allow traffic from a specific IP address?

Create a whitelist and add the appropriate IP address to it.

7

Which EAP method uses Protected Access Credentials (PACs)?

EAP-FAST

8

In which two situations should you use out-of-band (OOB) management?

when a network device fails to forward packets
when you require ROMMON access

9

Which three features protect the data plane?

ACL
antispoofing
DHCP-Snooping

10

How many crypto map sets can you apply to a router interface?

One (a single crypto map set, which may contain multiple sequence-numbered entries).

11

What is the transition order of STP states on a Layer 2 switch interface?

blocking, listening, learning, forwarding, disabled

12

Which sensor mode can deny attackers inline?

IPS (inline mode); a sensor in promiscuous/IDS mode can only alert or request blocking from another device.

13

Which two options are filtering options used to display SDEE message types?

error
all

14

When a company puts a security policy in place, what is the effect on the company's business?

It minimizes risk.

15

What is the wildcard mask for a /27?

0.0.0.31

16

Which three statements about reflexive ACLs are true?

They support UDP sessions.
They can be nested within extended named IP ACLs.
They support TCP sessions.

17

Which three actions can a promiscuous-mode IPS take to mitigate an attack?

requesting connection blocking
resetting TCP connection
requesting host blocking

18

Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?

Health and Performance Monitor

19

What are three ways TACACS+ differs from RADIUS?

TACACS+ uses TCP (port 49) to communicate with the NAS; RADIUS uses UDP.
TACACS+ encrypts the entire packet body sent between the NAS and the server; RADIUS hides only the password attribute.
TACACS+ supports per-command authorization; RADIUS combines authentication and authorization.

20

SSL VPN SIM with ASDM: which user authentication method is used for the clientless SSL VPN portal https://.../test?

AAA and LOCAL database. Check the Connection Profiles tab of the Remote Access VPN configuration, where the alias "test" is used.

21

SSL VPN SIM with ASDM: which group policy is applied with https://.../test?

Sales. Check the Connection Profiles tab of the Remote Access VPN configuration, select the profile where the alias "test" is used, and click Edit.

22

SSL VPN SIM with ASDM: which two statements about the ASA VPN configuration are correct?

Only clientless SSL VPN access is allowed with the Sales group policy.
The DefaultWEBVPNGroup connection profile uses the AAA with RADIUS server method.

23

SSL VPN SIM with ASDM: which four tunneling protocols are enabled in the DfltGrpPolicy?

IPsec IKEv1, IPsec IKEv2, Clientless SSL VPN, and SSL VPN Client. Check Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies.

24

SIM: configure the ASA in ASDM to allow DMZ/Inside to access Outside, allow Outside to reach the DMZ web server over HTTP, set the public address on the outside, and allow echo-replies back through the ASA.

1. Configure a NAT rule: name WebSvr, IP version 4, real address 172.16.1.2, static NAT to 209.165.201.30.
2. Firewall > Access Rules: interface Outside, action Permit, source any, destination 209.165.201.30, service tcp/http.
3. Firewall > Service Policy Rules: edit the global policy's rule actions, enable ICMP inspection, and apply (this is what lets the echo-replies return through the ASA).
4. Verify by pinging from the PC and by typing the public address into a web browser on the outside PC.

25

What is the purpose of the integrity component of the CIA triad?

ensure that only authorized parties can modify data

26

Which two statements about Telnet on the ASA are true?

You can Telnet to the ASA over a VPN tunnel; Telnet to the lowest-security interface is not allowed unless the session arrives inside an IPsec tunnel.
Best practice is to disable Telnet and use SSH.

27

Which protocol provides the security for Secure Copy (SCP)?

SSH

28

A clientless SSL VPN user is missing RDP on the portal web page. What action should be taken?

Ensure that the RDP plug-in is installed on the VPN gateway.

29

Which IPv6 address block is reserved for locally assigned unique local addresses?

FD00::/8 (the half of FC00::/7 with the L bit set).

30

You see "Unrecognized command" after entering "aaa server ?" on a router. Why?

The router is a new device on which the "aaa new-model" command has not yet been applied; AAA commands are unavailable until it is.

31

Which two statements about smart tunnels are true?

They can be used by clients who do not have administrative privileges.
They offer better performance than port forwarding.

32

What needs to be considered when you apply an ACL to a physical interface?

The direction of the access group (in or out).

33

Which source port does IKE use when NAT is detected between two VPN gateways?

UDP 4500 (NAT Traversal); without NAT, IKE uses UDP 500.

34

What are three features of IPsec transport mode?

It is used between end stations, supports unicast, and encrypts only the payload (the original IP header is left intact).

35

Which command causes a Layer 2 switch port to operate as a Layer 3 interface?

no switchport

36

Which command verifies Phase 1 of an IPsec VPN?

show crypto isakmp sa (for IKEv2: show crypto ikev2 sa)

37

What is the purpose of a honeypot IPS?

To collect information about attacks.

38

Which type of firewall can act on behalf of the end device?

proxy

39

What type of attack was Stuxnet?

cyber warfare

40

What security connectivity does an extranet provide?

Connectivity from other companies' networks to your company's network.

41

After reloading, you issue the dir command and do not see the image file. Why could this be?

The secure boot-image command is configured (Cisco IOS Resilient Configuration hides the secured image from dir).

42

What is a reason for an organization to deploy a personal firewall?

To protect endpoints such as desktops from malicious activity.

43

Which FirePOWER preprocessor engine is used to prevent SYN attacks?

Rate-Based Prevention

44

Which VPN feature allows traffic to exit the same interface it arrived on?

Hairpinning (enabled with same-security-traffic permit intra-interface).

45

When an IPS detects an attack, what can it do to prevent the attack from spreading?

Deny the connection inline.

46

Which statement about ACS authentication and authorization is true?

ACS servers can be clustered to provide scalability.

47

What is the only permitted operation for processing multicast traffic on a ZBF?

only control plane policing can protect the control plane against multicast traffic.

48

What is one requirement for locking a wired or wireless device from ISE?

The ISE agent must be installed on the device.

49

Which type of firewall would produce this output?
UDP outside 209.165.201.225:53 inside 10.0.0.10:52464, idle 0:00:01, bytes 266

A stateful firewall (the connection-table entry tracks the UDP flow by addresses, ports, idle time and byte count).

50

What is the effect of the given commands?
crypto map mymap 30 match address 201
access-list 201 permit ip 10.10.10.0 0.0.0.255 10.100.100.0 0.0.0.255

It defines the IPsec policy (the "interesting traffic") for crypto map entry 30: traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24 is protected by IPsec; anything else leaves in the clear.
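Both the /27 wildcard card and the crypto ACL card come down to how IOS matches addresses against wildcard masks. The added example below (not from the flashcard deck or from Cisco) derives a wildcard mask from a prefix length, implements the bit-level wildcard match (which also covers non-contiguous wildcards, where the inverse-subnet-mask shortcut no longer applies), parses simple "permit|deny ip SRC DST" entries with "any" and "host", and evaluates a packet against the crypto ACL 201 from the card to decide whether it is IPsec-protected. Addresses used as inputs are constructed.

```python
import ipaddress


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a CIDR prefix: the bitwise inverse of the subnet mask (/27 -> 0.0.0.31)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'do not care'; every 0 bit must match the base address exactly.
    Unlike a subnet mask, the wildcard need not be contiguous."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


def _take_address(tokens: list, i: int) -> tuple:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC DST' (or the same entry without the list prefix)."""
    tokens = line.split()
    if tokens and tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError("unsupported action: " + action)
    src, src_wc, i = _take_address(tokens, 2)
    dst, dst_wc, _ = _take_address(tokens, i)
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def evaluate_acl(acl_lines: list, src: str, dst: str) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if wildcard_match(src, ace["src"], ace["src_wc"]) and wildcard_match(dst, ace["dst"], ace["dst_wc"]):
            return ace["action"]
    return "deny"


# Crypto ACL from the flashcard: only this traffic is "interesting" to crypto map entry 30.
CRYPTO_ACL_201 = ["access-list 201 permit ip 10.10.10.0 0.0.0.255 10.100.100.0 0.0.0.255"]


def is_protected_by_ipsec(src: str, dst: str, crypto_acl: list = CRYPTO_ACL_201) -> bool:
    """A permit in the crypto ACL means 'encrypt'; deny or no match means the packet leaves in the clear."""
    return evaluate_acl(crypto_acl, src, dst) == "permit"
```

The evaluator handles only the "ip" protocol keyword and source/destination addresses; port operators and the mirror-image matching that IOS applies to inbound IPsec traffic are out of scope here.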

51

Which tool can a hacker use to attempt a DDoS attack?

A botnet.

52

How does the Cisco ASA use Active Directory to authorize VPN access?

It queries the AD (LDAP) server for a specific attribute of the specific user and maps that attribute to a group policy with an LDAP attribute map.

53

Which statement about application blocking is true?

blocks access to files with specific extensions.

54

What is a reason to configure multiple security contexts on an ASA?

To separate different departments and business units.

55

Which VPN feature allows Internet (ISP) traffic and local LAN/WAN traffic to share the same network connection?

Split tunneling: only traffic for the corporate networks goes through the tunnel, while other traffic goes directly to the Internet.

56

When is the best time to perform antivirus signature updates?

Every time a new update is available.

57

What is the effect of "send-lifetime local 23:59:00 31 December 2013 infinite" in a key chain?

The router begins using that key to authenticate the packets it sends at the stated local time and continues using it indefinitely.

58

Which statement about personal firewalls is true?

They can protect a system by denying probing requests.

59

show crypto ipsec sa shows encrypt/decrypt counters incrementing. What does this mean?

IPsec Phase 2 (the IPsec SA) is established between the networks and traffic is being protected.

60

Which statement about PVLAN isolated port configuration on a switch is true?

An isolated port can communicate only with the promiscuous port.

61

In an 802.1X-enabled network with the Auth Fail feature configured, when does a switch port get placed into the restricted VLAN?

When the user fails to authenticate after a configured number of attempts (for example, "authentication event fail retry 3 action authorize vlan 100").

62

What does this output from show clock detail mean?
.22:22:35.123 UTC Tue Feb 26 2013
Time source is NTP

The leading "." means the time is authoritative, but the NTP process has lost contact with the servers (a leading "*" would mean the time is not authoritative).

63

In which type of attack does an attacker virtually change a device's burned-in address in an attempt to circumvent ACLs?

MAC Spoofing

64

How does a ZBF handle traffic between interfaces in the same zone?

Traffic between two interfaces in the same zone is allowed by default (intra-zone); traffic between zones is dropped unless a zone-pair policy permits it.

65

An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?

The rogue switch could become the root bridge (mitigate with BPDU Guard on access ports and Root Guard on trunks toward the rogue switch).

66

Which two next-generation encryption (NGE) algorithms does Cisco recommend?

AES, SHA-384

67

In which three cases does the ASA permit inbound HTTP GET requests during normal operations?

When a matching TCP connection is found.
When matching ACL entries are configured.
When matching NAT entries are configured.

68

Which two features do CoPP and CPPr use to protect the control plane?

QoS
traffic classification

69

What is the advantage of implementing a Trusted Platform Module for disk encryption?

It provides hardware authentication: the disk encryption key is protected by the TPM and released only to a measured, unmodified boot chain.

70

What is the effect of these commands?
crypto ikev1 policy 1
encryption aes
hash md5
authentication pre-share
group 2
lifetime 14400

It configures IKE Phase 1 (the ISAKMP policy): AES encryption, MD5 hash, pre-shared-key authentication, DH group 2, and a 14400-second SA lifetime. MD5 and DH group 2 are no longer recommended; use SHA-256 or stronger and group 14 or higher in a new deployment.

71

Specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting this URL?

Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list.

72

If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?

The VLAN hopping attack is prevented: the attacker's outer tag no longer matches the native VLAN, so it is not stripped on the trunk and the inner tag is never exposed.

73

What is an advantage of placing an IPS on the inside of a network?

It receives traffic that has already been filtered by the firewall, so it generates fewer alerts.

74

Which three statements about Cisco host-based IPS solutions are true?

It can view encrypted files.
It can have more restrictive policies than a network-based IPS.
It can generate alerts based on behavior at the desktop level.

75

Which syslog severity level is level number 7?

debugging (0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging)
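The level number matters because "logging trap <level>" forwards that severity and every lower number, so a trap level of 4 delivers warnings and worse but drops the notification-level config and link events. The added example below (not from the flashcard deck or from Cisco) parses the %FACILITY-SEVERITY-MNEMONIC header of IOS syslog messages, maps the number to its name, and filters a set of constructed sample lines the way a given trap level would.

```python
import re

# Cisco IOS severity levels (logging trap <level> sends this level and every lower number).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

_MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")


def parse_ios_syslog(line: str):
    """Return facility/severity/mnemonic/text of an IOS message, or None if the line is not one."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text").strip()}


def trap_filter(lines, trap_level: int) -> list:
    """Mimic 'logging trap <level>': keep messages whose severity number is <= trap_level."""
    if not 0 <= trap_level <= 7:
        raise ValueError("trap level must be 0..7")
    parsed = (parse_ios_syslog(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= trap_level]


# Constructed sample messages (not captured from a real device); the last line is not an IOS message.
SAMPLE_LOG = [
    "*Feb 26 22:22:35.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Feb 26 22:23:01.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4321) -> 10.2.2.2(23), 1 packet",
    "*Feb 26 22:23:09.880: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] "
    "[localport: 22] [Reason: Login Authentication Failed]",
    "*Feb 26 22:24:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6015EC84, pool Processor",
    "*Feb 26 22:24:12.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Feb 26 22:24:13.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "Feb 26 22:24:14 switch01 last message repeated 2 times",
]


def severity_report(lines=SAMPLE_LOG) -> dict:
    """Count parsed messages per severity name; lines that are not IOS messages are skipped."""
    counts = {}
    for line in lines:
        p = parse_ios_syslog(line)
        if p:
            counts[p["severity_name"]] = counts.get(p["severity_name"], 0) + 1
    return counts
```

Running trap_filter(SAMPLE_LOG, 4) keeps only the failed login and the memory failure, which is the practical argument for sending at least level 6 to a collector that feeds detection: ACL log entries and link-state changes are at 5 and 6.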

76

Which type of mirroring does SPAN technology perform?

Local mirroring over Layer 2.

77

Which tasks is the session management path responsible for?

performing the route lookup
allocating NAT translations
checking packets against the ACL

78

Which network device does NTP authenticate?

Only the time source (the client verifies the server with the shared key; the server does not authenticate clients).

79

Which option is the most effective placement of an IPS device within the infrastructure?

inline, behind the internet router and firewall.

80

If a router configuration includes the line "aaa authentication login default group tacacs+ enable", which two statements are true?

If the TACACS+ servers are unreachable, the user is prompted to authenticate using the enable password (the method list falls through to the next method only on an error).
If a TACACS+ server rejects the credentials, authentication attempts to the router are denied (a rejection is final and does not fall through to enable).
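The distinction between "server said no" and "server did not answer" is what trips people up with method lists. The added example below (not from the flashcard deck or from Cisco) is a small simulation of IOS method-list evaluation: each method returns PASS, FAIL or ERROR, the list advances only on ERROR, and the default login list from the card is evaluated with the TACACS+ group up and down. The user table, enable secret and passwords are constructed values; nothing talks to a real TACACS+ server.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"      # the method accepted the credentials
    FAIL = "fail"      # the method reached a decision and rejected them
    ERROR = "error"    # the method could not decide (server unreachable, timeout)


class TacacsGroup:
    """Simulated 'group tacacs+' method: a user table plus a reachability flag (constructed, not a client)."""

    def __init__(self, users: dict, reachable: bool = True):
        self.users, self.reachable = users, reachable

    def authenticate(self, username: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.ERROR          # no response within the timeout (5 seconds by default)
        return Outcome.PASS if self.users.get(username) == password else Outcome.FAIL


class EnableMethod:
    """Simulated 'enable' method: the user is prompted for the enable secret; the username is ignored."""

    def __init__(self, enable_secret: str):
        self.enable_secret = enable_secret

    def authenticate(self, username: str, password: str) -> Outcome:
        return Outcome.PASS if password == self.enable_secret else Outcome.FAIL


class NoneMethod:
    """Simulated 'none': always succeeds; only defensible as a last resort on a console line."""

    def authenticate(self, username: str, password: str) -> Outcome:
        return Outcome.PASS


def run_method_list(methods: list, username: str, password: str) -> tuple:
    """IOS method-list semantics: the next method is tried only when the current one ERRORs.
    A FAIL ends the list with a rejection; exhausting the list on errors also rejects."""
    for method in methods:
        outcome = method.authenticate(username, password)
        if outcome is Outcome.PASS:
            return True, type(method).__name__
        if outcome is Outcome.FAIL:
            return False, type(method).__name__
    return False, "exhausted"


def scenario(server_reachable: bool, username: str, password: str) -> tuple:
    """aaa authentication login default group tacacs+ enable, with the TACACS+ group up or down."""
    methods = [TacacsGroup({"admin": "T@cacsPw"}, reachable=server_reachable), EnableMethod("En@blePw")]
    return run_method_list(methods, username, password)
```

The last case in the test, a list that ends in "none", is the configuration that silently turns a server outage into an open door; the simulation makes that visible before it is typed into a production router.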

81

Which alert protocol is used when Cisco IPS Manager Express supports up to 10 sensors?

SDEE

82

Which type of address translation can be used when the ASA is in transparent mode?

Static NAT

83

What is the default timeout a router waits for a response from a TACACS+ server before declaring a failure?

5 seconds

84

Which RADIUS server authentication protocols are supported on the ASA?

PAP (all connection types), CHAP and MS-CHAPv1 (L2TP over IPsec), and MS-CHAPv2 (L2TP over IPsec, and remote-access IPsec when password management is enabled).

85

Which command initializes a lawful intercept view?

li-view cisco user cisco1 password cisco (syntax: li-view li-password user username password password)

86

Which two security measures protect the control plane of a router?

CPPr and CoPP

87

What are the two primary attack methods of VLAN hopping?

Switch spoofing and double tagging.
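The double-tagging method, and why an unused native VLAN defeats it, is easiest to see on the bytes themselves. The added example below (not from the flashcard deck or from Cisco) builds an Ethernet frame with two 802.1Q tags, models the one behaviour that matters (a trunk sends its native VLAN untagged and a receiving switch reads only the first tag), and reports which VLAN the second switch delivers the frame into for a default native VLAN of 1 versus an unused native VLAN. The MAC addresses and payload are constructed; the model ignores the trunk's allowed-VLAN list and MAC learning.

```python
DOT1Q = b"\x81\x00"
ATTACKER_MAC = bytes.fromhex("02aabbccdd01")     # constructed, locally administered address
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, vids: list, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags (outermost first). TCI = PCP(3) DEI(1) VID(12)."""
    tags = b"".join(DOT1Q + (vid & 0x0FFF).to_bytes(2, "big") for vid in vids)
    return dst + src + tags + ethertype.to_bytes(2, "big") + payload


def parse_tags(frame: bytes) -> tuple:
    """Return (list of VLAN IDs outermost first, ethertype, payload)."""
    i = 12
    vids = []
    while frame[i:i + 2] == DOT1Q:
        vids.append(int.from_bytes(frame[i + 2:i + 4], "big") & 0x0FFF)
        i += 4
    return vids, int.from_bytes(frame[i:i + 2], "big"), frame[i + 2:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag, as a trunk does for its native VLAN."""
    return frame[:12] + frame[16:] if frame[12:14] == DOT1Q else frame


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Switch A puts the frame on the trunk: native-VLAN frames go untagged, others keep their tag."""
    return strip_outer_tag(frame) if vlan == native_vlan else frame


def trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Switch B reads only the first tag; an untagged frame belongs to the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tagging_result(native_vlan: int, attacker_vlan: int = 1, victim_vlan: int = 20) -> int:
    """VLAN in which switch B delivers an attacker frame tagged [attacker_vlan, victim_vlan].
    Assumes the attacker's port belongs to attacker_vlan and both trunk ends share native_vlan."""
    frame = build_frame(BROADCAST, ATTACKER_MAC, [attacker_vlan, victim_vlan], 0x0800, b"\x45" + b"\x00" * 19)
    outer_vid = parse_tags(frame)[0][0]      # switch A classifies the frame by its outer tag
    on_wire = trunk_egress(frame, outer_vid, native_vlan)
    return trunk_ingress_vlan(on_wire, native_vlan)
```

With native VLAN 1 the outer tag is stripped on the trunk and switch B sees a frame tagged 20; with native VLAN 999 the outer tag survives, switch B sees VLAN 1, and the inner tag is never interpreted. The attack is one-way (no replies come back through the trick), which is why it is mostly used for injection rather than sessions.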

88

How does an administrator enable a permanent client install in an AnyConnect VPN firewall configuration?

Issue "anyconnect keep-installer installed" under the group policy or username webvpn mode.