201-End Flashcards Preview


Flashcards in 201-End Deck (93):
1

Example of social engineering?

gaining access to server room by posing as IT.

2

Which port should (or would) be open if VPN NAT_T was enabled?

port 4500 on all interfaces where IPsec is used.

3

Diffie-Hellman Key Exchange uses

IKE

4

2 well known security terms

Trojan
Ransomware

5

technology you can run on PC disconnected from network to prevent malicious program from running?

IPS

6

ASA command to conceal internal IP address?

no proxy-arp

7

Statement about college campus?

college campus has geographical position.

8

FP preprocessor that blocks traffic based on IP?

reputation-based

9

PVLAN ports that can communicate with every other port?

Promiscuous

10

command to enable OSPF authentication?

ip ospf authentication message-digest

11

Security term refers to a person, property, or data of value to a company?

asset

12

term is a weakness in an info-system that an attacker might leverage to gain unauthorized access to the system?

vulnerability

13

Command to see vpn tunnel establish with traffic passing through?

show crypto IPsec sa

14

which NAT will auto-NAT process first?

static nat longest prefix

15

Where do OAKLEY and SKEME come into play?

IKE (Diffie-Hellman)

16

What does hash key length represent?

number of permutations

17

Type of attack that is directed against the network directly?

DOS

18

Technology that applies integrity, confidentiality, and authentication to the source?

IPSEC

19

type of layer 2 attack can "do something" for one host?

CAM overflow

20

How to verify SSH is working?

SSH to device and login with ACS creds.

21

challenges when deploying host based IPS? (2)

Must support multi OS
Does not have full network picture

22

encryption technology which has broadest platform support?

software

23

which preprocessor do you use to detect incomplete TCP handshakes?

rate based prevention

24

PVLAN port which allows it to only communicate with Promiscuous port?

isolated port

25

First layer of defense which provides real-time preventive solutions against malicious traffic is provided by what?

Banyan Filters

26

SSL certs issued by CA are?

Trusted root

27

SYN flood attack is a form of?

DOS

28

command debug crypto isakmp results in?

troubleshooting ISAKMP Phase I negotiations

29

security term which prevents data manipulation even when in transit?

integrity

30

stealing of confidential info of a company is the scope of this type of attack?

social engineer

31

OAKLEY cryptography is compatible with the following managing service?

ISAKMP

32

2 features of Cisco Web Reputation tracking can mitigate web-based threats? (2)

outbreak filter
web reputation filter

33

statement about command authorization and security contexts is true?

the change to command invokes a new context session with the creds of the currently logged in user.

34

Privilege level by default for exec?

1

35

When is "Deny all" policy an exception in ZBF?

traffic traverses 2 ints in same zone.

36

Cisco Resilient Configuration Feature

Automatically detects image or config version mismatch

37

2 characteristics of IPS

can drop traffic
it is cabled directly inline.

38

what can cause the state table of a stateful FW to update? (2)

when connection is created.
connection timer expired within state table.

39

IPSEC mode is used to encrypt traffic between client and VPN server?

Transport

40

Command to confirm VPN connection is operational

crypto IPsec sa

41

command to authenticate NTP time source?

NTP authenticate

42

how to allow bi-directional traffic?

static NAT

43

Default option in default value for DH group when configuring S2S VPN on ASA?

Group 2

44

2 devices are components of BYOD architecture framework?

ISE
Prime Infrastructure

45

Where does the DC layer operate?

CORE

46

Cisco cloud-based security service that provides URL filtering, web browsing content security, and roaming user protection.

Cloud Web Security

47

product can be used to provide application layer protection for TCP port 25?

ESA

48

2 options ZBF can take when looking at traffic?

drop
inspect

49

What type of NAT is "NAT (inside,outside) dynamic interface"?

dynamic PAT

50

Two characteristics of an application layer FW?

provides reverse proxy services
provides protection for multiple apps

51

HIPS and NIPS D&D (HIPS)

alert an admin
protect one device
installed on individual machine
looks for change in files

52

HIPS and NIPS D&D (NIPS)

alert an admin
protect multiple devices
placed on perimeter
looks for traffic pattern

53

Cisco IOS zone-based policy FW is configured, which 3 can be applied to a traffic class?

pass
inspect
drop

54

4 tasks are required when you configure IOS IPS using CCP IPS Wizard?

select Ints to apply the IPS rule.
select the traffic flow direction that should be applied by the IPS rule.
Specify the signature file and the Cisco public key.
Specify the config location and select the category of signatures to be applied to the selected interface(s).

55

effect of crypto isakmp nat-traversal

opens port UDP 4500 on all interfaces that are IPsec enabled.

56

true about cisco IOS resilient Config feature?

feature automatically detects image and config version mismatch

57

key length provide in an encryption algorithm?

the hash block size

58

layer 2 attack enables the attacker to intercept traffic that is intended for one specific recipient?

MAC Address Spoofing

59

Type of Cisco ASA ACL entry can be configured to match multiple entries in a single statement?

object groups

60

Two actions ZBF can take when looking at traffic?

Drop
Inspect

61

The default deny all policy an exception in ZBF?

when traffic traverses two Ints in the same zone.

62

Statement about configuring zones in ZBF?

The zone must be configured before it can be assigned.

63

What do you use when you have a Network Object or group and want to use an IP address?

Dynamic NAT

64

When using AAA what two options should be used as final (fail safe) for admins to gain access?

Local
enable

65

Cisco IOS ZB-Policy FW, by default, which 3 types of traffic are permitted by the router when some of the router Ints are assigned to a zone?

traffic flowing to and from the router ints (self zone).
traffic flowing among the ints that are members of the same zone.
traffic flowing among the ints that are not assigned to any zone.

66

Statement is a benefit of using Cisco IOS IPS

It uses the underlying routing infrastructure to provide an additional layer of security.

67

Benefits of application layer FW?

makes DoS attacks difficult.
authenticates individuals

68

dynamically created ACL for return traffic on the outside of ASA?

permit tcp host x.x.x.x eq 80 host x.x.x.x eq 2300

69

3 TACACS+ server-authentication protocols are supported on ASA?

ASCII
PAP
PEAP

70

Two protocols allow CCP to pull IPS alerts from ISR router?

SDEE
HTTPS

71

command used to enable logging start and stop records for user terminal sessions for AAA

aaa accounting exec start-stop tacacs+

72

on a Cisco ISR what purpose is the realm-cisco.pub public encrypted key used?

used to verify the digital signature of the IPS signature file.

73

3 examples of AAA on IOS?

authenticating remote users who are accessing the corporate LAN through IPsec VPN connections.
Authenticating admins access to the router console port, aux port, and VTY ports.
performing router commands authorization using TACACS+.

74

Tasked to deploy IOS IPS for a large corporation, where is best to deploy?

at remote branch offices.

75

characteristics of TACACS+ (2)

separates AAA functions
encrypts body of every packet.

76

benefit of web application firewall?

blocks known vulnerabilities w/o patching applications.

77

filter uses web reputation to prevent web based attacks? (2)

outbreak filter
web reputation

78

default value for diffie-Hellman group when configuring site-to-site VPN on asa?

Group 2

79

results of this config for ZBF? Source: Zone 1, Destination: Zone 2, Zone Pair Exist: Yes, Policy Exist: No

drop

80

Referring to CIA, where would hash-only make more sense?

Data at rest

81

Phishing method on phone?

vishing

82

How can you stop reconnaissance attack with CDP?

disable CDP on edge ports (PC)

83

For protecting FMC what/which is used?

AMP

84

What IPS feature that is less secure among the other options permit a better throughput?

Promiscuous

85

confirm AAA auth is working?

test AAA command

86

Ports needed for AAA server to integrate with MS AD?

445 and 389

87

What data is transferred during DH for making pub/priv key?

random prime integer

88

DOS attack difficult to discover

low-rate DOS attack

89

protocols support in context aware VRF over VRF lite (2)

EIGRP
Multicast

90

Quantifiable things you would verify before introducing tech in your company?

risk

91

MDM question

deployed certs

92

Reason a client is placed in a guest/restricted VLAN on 802.1x network?

client entered wrong creds multiple times.

93

Which IDS/IPS is used for monitoring system and something?

HIPS