Flashcards in 201-End Deck (93):
Example of social engineering?
gaining access to server room by posing as IT.
Which port should (or would) be open if VPN NAT_T was enabled?
port 4500 in all interfaces where IPsec uses.
Diffie-Hellman Key Exchange uses
2 well known security terms
technology you can run on PC disconnected from network to prevent malicious program from running?
ASA command to conceal internal IP address?
Statement about college campus?
college campus has geographical position.
FP preprocessor block traffic based on IP?
PVLAN ports that can communicate with every other port?
command to enable OSPF authentication?
ip ospf authentication message-digest
Security term refers to a person, property, or data of value to a company?
term is a weakness in an info-system that an attacker might leverage to gain unauthorized access to the system?
Command to see vpn tunnel establish with traffic passing through?
show crypto IPsec sa
which NAT will auto-NAT process first?
static nat longest prefix
Where do OAKLEY and SKEME come into play?
What does hash key length represent?
number of permutations
Type of attack that is directed against the network directly?
Technology that applies integrity, confidentiality, and authentication to the source?
type of layer 2 attack can "do something" for one host?
How to verify SSH is working?
SSH to device and login with ACS creds.
challenges when deploying host based IPS? (2)
Must support multi OS
Does not have full network picture
encryption technology which has broadest platform support?
which preprocessor do you detect incomplete TCP handshakes?
rate based prevention
PVLAN port which allows it to only communicate with Promiscuous port?
First layer of defense which provides real-time preventive solutions against malicious traffic is provided by what?
SSL certs issued by CA are?
SYN flood attack is a form of?
command debug crypto isakmp results in?
troubleshooting ISAKMP Phase I negotiations
security term which prevents data manipulation even when in transit?
stealing of confidential info of a company is the scope of this type of attack?
OAKLEY cryptography is compatible with the following managing service?
2 features of Cisco Web Reputation tracking can mitigate web-based threats? (2)
web reputation filter
statement about command authorization and security contexts is true?
the change to command invokes a new context session with the creds of the currently logged in user.
Privilege level by default for exec?
When is "Deny all" policy an exception in ZBF?
traffic traverses 2 ints in same zone.
Cisco Resilient Configuration Feature
Automatically detects image or config version mismatch
2 characteristics of IPS
can drop traffic
it is cabled directly inline.
what can cause the state table of a stateful FW to update? (2)
when connection is created.
connection timer expired within state table.
IPSEC mode is used to encrypt traffic between client and VPN server?
Command to confirm VPN connection is operational
crypto IPsec sa
command to authenticate NTP time source?
how to allow bi-directional traffic?
Default option in default value for DH group when configuring S2S VPN on ASA?
2 devices are components of BYOD architecture framework?
Where does the DC layer operate?
Cisco cloud based security service from Cisco that provides URL filtering web browsing content security, and roaming user protection.
Cloud Web Security
product can be used to provide application layer protection for TCP port 25?
2 options ZBF can take when looking at traffic?
What type of NAT is "NAT (inside,outside) dynamic interface"?
Two characteristics of an application layer FW?
provides reverse proxy services
provides protection for multiple apps
HIPS and NIPS D&D (HIPS)
alert an admin
protect one device
installed on individual machine
looks for change in files
HIPS and NIPS D&D (NIPS)
alert an admin
protect multiple devices
placed on perimeter
looks for traffic pattern
Cisco IOS zone-based policy FW is configured, which 3 can be applied to a traffic class?
4 tasks are required when you configure IOS IPS using CCP IPS Wizard?
select Ints to apply the IPS rule.
select the traffic flow direction that should be applied by the IPS rule.
Specify the signature file and the Cisco public key.
Specify the config location and select the category of signatures to be applied to the selected interface(s).
effect of crypto isakmp nat-traversal
opens port UDP 4500 on all interfaces that are IPsec enabled.
true about cisco IOS resilient Config feature?
feature automatically detects image and config version mismatch
key length provide in an encryption algorithm?
the hash block size
layer 2 attack enables the attacker to intercept traffic that is intended for one specific recipient?
MAC Address Spoofing
Type of Cisco ASA ACL entry can be configured to match multiple entries in a single statement?
Two actions ZBF can take when looking at traffic?
The default deny all policy an exception in ZBF?
when traffic traverses two Ints in the same zone?
Statement about configuring zones in ZBF?
The zone must be configured before it can be assigned?
What do you use when you have a Network Object or group and want to use an IP address?
When using AAA what two options should be used as final (fail safe) for admins to gain access?
Cisco IOS ZB-Policy FW, by default, which 3 types of traffic are permitted by the router when some of the router Ints are assigned to a zone?
traffic flowing to and from the router ints (self zone).
traffic flowing among the ints that are members of the same zone.
traffic flowing among the ints that are not assigned to any zone.
Statement is a benefit of using Cisco IOS IPS
It uses the underlying routing infrastructure to provide an additional layer of security.
Benefits of application layer FW?
makes DoS attacks difficult.
dynamically created ACL for return traffic on the outside of ASA?
permit tcp host x.x.x.x eq 80 host x.x.x.x eq 2300
3 TACACS+ server-authentication protocols are supported on ASA?
Two protocols allow CCP to pull IPS alerts from ISR router?
command used to enable logging start and stop records for user terminal sessions for AAA
aaa accounting exec start-stop tacacs+
on a Cisco ISR what purpose is the realm-cisco.pub public encrypted key used?
used to verify the digital signature of the IPS signature file.
3 examples of AAA on IOS?
authenticating remote users who are accessing the corporate LAN through IPsec VPN connections.
Authenticating admins access to the router console port, aux port, and VTY ports.
performing router commands authorization using TACACS+.
Tasked to deploy IOS IPS for a large corporation, where is best to deploy?
at remote branch offices.
characteristics of TACACS+ (2)
separates AAA functions
encrypts body of every packet.
benefit of web application firewall?
blocks known vulnerabilities w/o patching applications.
filter uses web reputation to prevent web based attacks? (2)
default value for Diffie-Hellman group when configuring site-to-site VPN on ASA?
results of this config for ZBF? Source: Zone 1, Destination: Zone 2, Zone Pair Exist: Yes, Policy Exist: No
Referring to CIA, where would hash-only make more sense?
Data at rest
Phishing method on phone?
How can you stop reconnaissance attack with CDP?
disable CDP on edge ports (PC)
For protecting FMC what/which is used?
What IPS feature that is less secure among the other options permit a better throughput?
confirm AAA auth is working?
test AAA command
Ports needed for AAA server to integrate with MS AD?
445 and 389
What data is transferred during DH for making pub/priv key?
random prime integer
DOS attack difficult to discover
low-rate DOS attack
protocols support in context aware VRF over VRF lite (2)
Quantifiable things you would verify before introducing tech in your company?
Reason a client is placed in a guest/restricted VLAN on 802.1x network?
client entered wrong creds multiple times.