Flashcards in 1-100 Deck (88):
Statement about failover interfaces true?
all info sent over a failover and stateful failover int is sent as clear text by default.
ESP fields can be encrypted during transmission (3)
According to Cisco best practices, 3 protocols the default ACL should allow wired BYOD to supply credentials and connect to the network?
auth methods configured like this, what will happen if auth fails?
"authentication event fail action next-method"
The supplicant will fail to advance beyond the webauth method.
packet matches more than one class map in an individual feature type's policy map...how does ASA handle packet?
will apply the actions from only the first matching class map it finds for the feature type.
Implemented SF IPS and configured it to block certain addresses utilizing Security Intelligenc IP address reputation. How to allow an IP?
create a whitelist and add the appropriate IP address to allow traffic.
Which EAP method uses protected ACcess Creds?
2 situations to use OOB MGMT?
when a network device failes to forward packets
when you require ROMMON access
3 features to protect data plane?
Number of Crypto map sets you can apply to a router interface?
transition order of STP states on layer 2 switch int?
blocking, listening, learning, forwarding, disabled
Sensor mode can deny attackers in-line?
options are filtering options used to display SDEE message types?
when a company places a security policy in place, what is the effect on the company's business?
wildcard mask for a /27?
3 statements about reflexive ACLs?
can be attached to extended named IP ACLs
Support TCP sessions
Actions promiscuous IPS take to mitigate an attack? (3)
requesting connection blocking
resetting TCP connection
requesting host blocking
Cisco Security Manager app collects info about devices status and uses it to generate notficiations and alerts?
Health and Performance Monitor
3 ways TACACS differ from RADIUS?
TACACS uses TCP to communicate with NAS
TACACS can encrypt the entire packet that is sent to the NAS.
TACACS support per-command auth
SSLVPN SIM with ASDM - user auth method with clientless SSL VPN portal https://.../test
AAA and LOCAL DB - check in Connection Profiles TAb of Remote Access VPN config, where the alias of test is being used.
SSLVPN SIM with ASDM - which group policy applied with https://.../test?
Sales - check in Connection Profiles TAb of Remote Access VPN config, where the alias of test, click edit
SSLVPN SIM with ASDM - two statements about ASA VPN configs are correct
only clientless SSL VPN access is allowed with the Sales GP.
The defaultWEBVPNGroup connection profile is using AAA with Radius server method.
SSLVPN SIM with ASDM - 4 tunneling protocols enabled in the DfltGrpPolicy?
IPSEC IKEv2, v2, Clientless SSLVPN, SSL VPN CLient - COnfig > remote access > clientless SSL VPN Access > Group Policies tab.
SIM - config ASDM to allow DMZ/Inside to access Outside, Allow Outside to HTTP to DMZ, Set public on outside, allow echo-reply through ASA
1. Configure NAT rules, Name = WEbSvr, IP version 4, IP address 172.16.1.2 static NAT 220.127.116.11
2. FW, config Access Rules, Int Outside, aCtion Permit, Source any, destination 18.104.22.168, service tcp/http.
3. FW config, service policy rules, global policy, rule action, CIMP and apply
4. ping from PC
type public in web browser on outside PC.
Purpose of integrity component of CIA triad?
ensure that only authorized parties can modify data
2 statements about telnet on ASA.
You can VPN to access Telnet on inside INT.
best practice is to disable Telnet and use SSH.
protocol that provides security to secure copy?
Clientless SSL VPN user is missing RDP on portal web page - what action should be taken?
Ensure that RDP plug-in is installed on VPN gateway.
IPV6 address reserved for locally assigned unique local address?
You see "unrecognized command" after entering "aaa server?% on a router - why?
the router is a new device on which the "aaa new-model command must be applied.
2 statements about smart tunnels
can be used by clients who don't have admin privileges.
offer better performance than port forwarding.
This needs to be considered when you apply an ACL to a physical interface?
Direction of the access group.
Source port IKE uses when NAT detected between two VPN gateways?
3 features of IPSEC transport mode?
used between end stations, supports unicast, encrypts only the payload.
command causes a layer 2 switchport to operate as a layer 3 int?
command verifies phase 1 of IPsec VPN?
show cry isakmp sa
Purpose of honeypot IPS?
collect info about attacks
Which type of firewall can act on the behalf of the end device?
type of attack was Stuxnet?
security connectivity does extranet provide?
other company networks to your company network.
After reloading you issue DIR command and don't see the image file - why could this be?
the secure boot-image command is configured.
REason for an org to deploy a personal FW?
protect endpoints such as desktops form malicious activity.
FirePOWER preprocessor engine is used to prevent SYN attacks?
VPN feature allows traffic to exit same interface it arrived?
When IPS detects an attack, what can it do to prevent from spreading?
deny the connection inline.
statement about ACS Authentication and Authorization is true?
ACS servers can be clustered to provide scalability.
Only permitted operation for processing multicast traffic on ZBF?
only control plane policing can protect the control plane against multicast traffic.
One requirement for locking wired or wireless device from ISE?
ISE agent must be installed on the device.
Type of FW would see this output?
UDP outside 22.214.171.124:53 inside 10.0.0.10:52464, idle 0:00:01, bytes 266
effect of given commands?
crypto map mymap 30 match address 201
access-list 201 permit ip 10.10.10.0 /24 10.100.100.0 /24
defines IPsec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24
Tool a hacker can use to attempt a DDos?
How does cisco ASA use AD to authorize VPN access?
It queries the AD server for a specific attribute for the specific user.
Statement about application blocking.
blocks access to files with specific extensions.
reason to configure multiple security contexts on an aSA?
separate different departments and business units.
VPN feature to allow ISP traffic and local LAN/WAN traffic to use same network connection?
best time to perform AV signature updates?
every time a new update is available.
effect of "send-lifetime local 23:59:00 31 December 31 2013 infinite"?
begin transmitting the authentication key to other devices at said local time and continue using the key indefinitely.
statement about personal FWs
can protect a system by denying probing request.
show cry IPsec sa shows encrypt/decrypt - what does this mean?
IPSEC Phase 2 is established between networks.
statement about PVLAN isolated port config on a switch
isolated port can communicate only with the promiscuous port.
802.1x enabled network with Auth Fail feature configured, when does a switch port get placed into a restricted VLAN?
When user failed to authenciate after certain number of attempts
show clock detail
.22:22:35.123 UTC Tue Feb 26 2013
Time source is NTP
the time is authoritative, but the NTP process has lost contact with the servers.
Type of attack does an attacker virtually change a devices burned in address in an attempt to circumvent ACLs?
HOw does ZBF handle traffic between Ints in same Zone?
Traffic between two interfaces in the same zone is allowed by default.
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?
Switch could become the root bridge.
2 next gen encryption algorithms does Cisco recommend?
In which 3 cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
When a matching TCP connection is found.
When matching ACL entries are configured.
When matching NAT entries are configured.
2 features do CoPP and CPPr use to protect the control plane?
what is the advantage of implementing a Trusted Platform Module for disk encryption?
It provides hardware authentication.
effect of commands:
Crypto ikev1 policy 1
it configures IKE Phase 1
Specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting this URL?
Enable URL filtering on the perimeter router and add the URLs you want to block to the routers local URL list.
If you change the native VLAN on the port to an unused VLAN, what happens if an attacker attempts a double tagging attack?
A VLAN hopping attack would be prevented.
What is an advantage of placing an IPS on the inside of a network.
It receives traffic that has already been filtered.
Which three statements about Cisco host-based IPS solutions are true.
It can view encrypted files.
IT can have more restrictive policies than network-based IPS.
It can generate alerts based on behavior at the desktop level.
Which syslog severity level is the level number 7?
which type of mirroring does SPAN technology perform?
local mirroring over layer 2.
Which tasks is the session mgmt. path responsible for?
performing route lookup
allocating NAT translations
Checking packets against the ACL.
Which network device does NTP authenticate?
only the time source.
Which option is the most effective placement of an IPS device within the infrastructure?
inline, behind the internet router and firewall.
If a router configuration includes the line "aaa authentication login default group tacacs+ enable"
user will be prompted to authenticate using the "enable" pw.
authentication attempts to the router will be denied.
Alert protocol used when Cisco IPS Manage Express to support up to 10 sensors?
Type of Address Translation to be used with ASA is in transparent mode?
Default timeout value a router waits for a response from TACACS before declaring a failure?
RADIUS server authentication protocols are supported on ASAs?
PAP, MS-CHAPv1, v2
Command initializes a lawful intercept view?
li-view cisco user cisco1 password cisco
security measures protect control plane of router (2)
Primary attack methods of VLAN hopping?(2)
Switch spoofing, double tagging