Module 4 Flashcards

1
Q

____ are a primary target for attacks because these devices direct traffic into, out of, and between networks.

A

Routers

2
Q

The ____ is the last router between the internal network and an untrusted network, such as the internet. All an organization's internet traffic goes through the ____, which often functions as the first and last line of defense for a network.

A

edge router

3
Q

Edge Router Security Approaches

A

Single Router Approach
Defense-in-Depth Approach
DMZ Approach

4
Q

A single router connects the protected network, or internal local area network (LAN), to the internet. All security policies are configured on this device.

A

Single Router Approach

5
Q

This uses multiple layers of security prior to traffic entering the protected LAN. There are three primary layers of defense: the edge router, the firewall, and an internal router that connects to the protected LAN.

A

Defense-in-Depth Approach

6
Q

The ___ can be used for servers that must be accessible from the internet or another external network. The ___ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network.

A

DMZ Approach

7
Q

Three Areas of Router Security

A
  • Physical
  • Operating System
  • Router Hardening
8
Q

Place the router and physical devices that connect to it in a secure locked room that is accessible only to authorized personnel.

Install an uninterruptible power supply (UPS) or diesel backup power generator.

A

Physical

9
Q

Configure the router with the maximum amount of memory possible. The availability of memory can help mitigate DoS attacks.

Use the latest, stable version of the operating system that meets the feature specifications of the router or network device.

Keep a secure copy of router operating system images and router configuration files as backups.

A

Operating System

10
Q

Ensure that only authorized personnel have access and that their level of access is controlled.

Disable unused ports and interfaces.

Disable unnecessary services. A router has services that are enabled by default. Some of these services can be used by an attacker to gather information about the router and the network.

A

Router Hardening

11
Q

Secure Administrative Access

A
  • Restrict device accessibility
  • Log and account for all access
  • Authenticate access
  • Authorize actions
  • Present legal notification
  • Ensure the confidentiality of data
12
Q

If an unauthorized person gains administrative access to a router, that person could

A

alter routing parameters, disable routing functions, or discover and gain access to other systems within the network.

13
Q

A router can be accessed for administrative purposes

A

locally or remotely

14
Q

Although the aux port option is available, the most common remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer. The computer can be on the local network or a remote network.

A
  • Remote access
15
Q

The administrator must have physical access to the router and use a console cable to connect to the console port. Local access is typically used for initial configuration of the device.

A
  • Local access
16
Q

Strong password

A

Combines alphanumeric characters and symbols, and includes a space

17
Q

One method to create a strong password is to use the space bar and create a phrase made of many words. This is called _____, which is often easier to remember than a simple password. It is also longer and harder to guess.

A

a passphrase

18
Q

Use a ____ to secure passwords for your online internet activity.

A

password manager

19
Q

____ is authentication that requires two or more independent means of verification.

A

multi-factor authentication

20
Q

To secure privileged EXEC access, use the enable secret password global config command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# enable secret class
Sw-Floor-1(config)# exit
Sw-Floor-1#

21
Q

To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command. The zero is used to represent the first (and in most cases the only) console interface. Next, specify the user EXEC mode password using the password password command. Finally, enable user EXEC access using the login command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line console 0
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#

22
Q

To secure VTY lines, enter line VTY mode using the line vty 0 15 global config command. Next, specify the VTY password using the password password command. Last, enable VTY access using the login command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line vty 0 15
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#

24
Q

Steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch include these:

A

Encrypting all plaintext passwords

Setting a minimum acceptable password length

Deterring brute-force password guessing attacks

Disabling inactive privileged EXEC mode access after a specified amount of time.

25
Q

To encrypt all plaintext passwords, use the service password-encryption global config command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# service password-encryption
Sw-Floor-1(config)#

The command applies weak encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they are sent over the network. The purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file.

26
Q

Use the ____ command to verify that passwords are now encrypted.

A

show running-config

27
Q

To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode.

A

R1(config)# security passwords min-length 8

28
Q

Threat actors may use password cracking software to conduct a brute-force attack on a network device. This attack continuously attempts to guess the valid passwords until one works. Use the login block-for seconds attempts number within seconds global configuration command to deter this type of attack.

A

R1(config)# login block-for 120 attempts 3 within 60

29
Q

By default, Cisco routers will log out an EXEC session after 10 minutes of inactivity. However, you can reduce this setting using the exec-timeout minutes seconds line configuration command. This command can be applied on console, auxiliary, and vty lines.

A

R1(config)# line vty 0 4
R1(config-line)# password cisco123
R1(config-line)# exec-timeout 5 30
R1(config-line)# transport input ssh
R1(config-line)# end

30
Q

Additional Password Security

A

All plaintext passwords are encrypted. New configured passwords must be eight characters or more. If there are more than three failed VTY login attempts within 60 seconds, then lock out the VTY lines for 120 seconds. Set the router to automatically disconnect an inactive user on a VTY line if the line has been idle for 5 minutes and 30 seconds.

31
Q

____ are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. Therefore, it is now recommended that you configure all secret passwords using either type 8 or type 9 passwords.

A

MD5 hashes

32
Q

The ___ command shown in the figure uses an MD5 hash by default.

A

enable secret password

33
Q

Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M. Type 8 and type 9 use ____. Because type 9 is slightly stronger than type 8, it will be used throughout this course whenever it is allowed by the Cisco IOS.

A

SHA encryption.

34
Q

To enter an unencrypted password, use the enable algorithm-type command syntax:

A

Router(config)# enable algorithm-type { md5 | scrypt | sha256 } secret unencrypted-password

35
Q

Type 5; selects the message digest algorithm 5 (MD5) as the hashing algorithm.

A

md5

36
Q

Type 9; selects scrypt as the hashing algorithm.

A

scrypt

37
Q

Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm.

A

sha256

38
Q

Type 8 and type 9 encryption was also introduced in Cisco IOS 15.3(3)M for the username secret command. Similar to the enable secret command, if you simply enter a user with the username secret command, the default encryption will be MD5. Use the username name algorithm-type command to specify type 9 encryption.

A

Router(config)# username name algorithm-type { md5 | scrypt | sha256 } secret unencrypted-password

39
Q

The enable password, username password, and line password commands are available in the Cisco IOS. These commands use no encryption by default. At best, they can only use ____

A

type 7 encryption

40
Q

____ is enabling a detection profile that lets you configure a network device to react to repeated failed login attempts by refusing further connection requests.

A

Login blocking

41
Q

____ can be used to permit legitimate connections from addresses of known system administrators.

A

Access control lists (ACLs)

42
Q

Use the banner global configuration mode command to specify appropriate messages. Banners protect the organization from a legal perspective.

A

Router(config)# banner { motd | exec | login } delimiter message delimiter

43
Q

Configure Login Enhancement Features

A
  • login block-for
  • login quiet-mode
  • login delay
  • login on-success
  • login on-failure

44
Q

The login block-for command can defend against DoS attacks by disabling logins after a specified number of failed login attempts.

A

Router(config)# login block-for seconds attempts tries within seconds

45
Q

The login quiet-mode command maps to an ACL that identifies the permitted hosts. This ensures that only authorized hosts can attempt to log in to the router.

A

Router(config)# login quiet-mode access-class {acl-name | acl-number}

46
Q

The login delay command specifies a number of seconds the user must wait between unsuccessful login attempts.

A

Router(config)# login delay seconds

47
Q

The login on-success and login on-failure commands log successful and unsuccessful login attempts.

A

Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]

48
Q

Enable Login Enhancements

To help a Cisco IOS device provide DoS detection, use the login block-for command, which must be issued before any other login command. The login block-for command monitors login device activity and operates in two modes:

A
  • Normal mode
  • Quiet mode

49
Q

This is also known as the quiet period. If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time specified in the login block-for command.

A

Quiet mode

50
Q

This is also known as watch mode. The router keeps count of the number of failed login attempts within an identified amount of time.

A

Normal mode

51
Q

When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to give critical hosts, such as specific administrative hosts, access at all times, this behavior can be overridden using an ACL. The ACL is created and identified using the login quiet-mode access-class command. Only the hosts identified in the ACL have access to the device during quiet mode.

A

True

52
Q

Three commands that can be configured to help an administrator detect a password attack

A
  • login on-success log
  • login on-failure log
  • security authentication failure rate

53
Q

____ generate syslog messages for successful and unsuccessful login attempts.

A
  • login on-success log
  • login on-failure log

54
Q

An alternative to the login on-failure log command is the ____ command, which can be configured to generate a log message when the login failure rate is exceeded.

A

security authentication failure rate

55
Q

Use the ___ command to verify the login block-for command settings and current mode.

A

show login

56
Q

The ___ command displays additional information regarding the failed attempts, such as the IP address from which the failed login attempts originated.

A

show login failures

57
Q

Enable SSH

A

Step 1. Configure a unique device hostname: hostname
Step 2. Configure the IP domain name: ip domain name
Step 3. Generate a key to encrypt SSH traffic: crypto key generate rsa general-keys modulus 1024
Step 4. Verify or create a local database entry: username secret
Step 5. Authenticate against the local database: login local
Step 6. Enable vty inbound SSH sessions: transport input {ssh | telnet}

58
Q

To verify the optional SSH command settings, use the ___ command.

A

show ip ssh

R1# show ip ssh

59
Q

Use the ____ command to modify the default 120-second timeout interval. This configures the number of seconds that SSH can use to authenticate a user.

A

ip ssh time-out seconds (global configuration mode)

R1(config)# ip ssh time-out 60

60
Q

By default, a user logging in has three attempts to enter the correct password before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer global configuration mode command.

A

R1(config)# ip ssh authentication-retries 2

61
Q

Connect a Router to an SSH-Enabled Router

To verify the status of the client connections, use the show ssh command.

A

R1# show ssh

62
Q

There are two different ways to connect to an SSH-enabled router.

A

By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router.

63
Q

Connect a Host to an SSH-Enabled Router

Connect using an SSH client (e.g., PuTTY, OpenSSH, TeraTerm) running on a host.

A

Generally, the SSH client initiates an SSH connection to the router. The router SSH service prompts for the correct username and password combination. After the login is verified, the router can be managed as if the administrator was using a standard Telnet session.

64
Q

At what point in the enterprise network are packets arriving from the internet examined prior to entering the network?

A

network edge

Because the access layer (network edge) is the connection point for endpoints, it plays a big role in ensuring the network is protected from malicious attacks. This protection includes making sure the end users and endpoints that connect to the network are prevented from accessing services for which they are not authorized.

65
Q

What three configuration steps must be performed to implement SSH access to a router? (Choose three.)

A
  • user account
  • unique hostname
  • ip domain name

To implement SSH on a router the following steps need to be performed: Configure a unique hostname. Configure the domain name of the network. Configure a user account to use AAA or local database for authentication. Generate RSA keys. Enable VTY SSH sessions.

66
Q

What is one difference between using Telnet or SSH to connect to a network device for management purposes?

A

Telnet sends a username and password in plain text, while SSH encrypts the username and password.

SSH provides security for remote management connections to a network device. SSH does so through encryption for session authentication (username and password) as well as for data transmission. Telnet sends a username and password in plain text, which can be targeted to obtain the username and password through data capture. Both Telnet and SSH use TCP, support authentication, and connect to hosts in CLI.

67
Q

Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

A

There are three areas of router security to maintain: 1) physical security 2) router hardening 3) operating system security

68
Q

What is a good password recommendation for a Cisco router?

A

use one or more spaces within a multiword phrase

Strong password guidelines for Cisco routers include: Use a minimum password length of eight or more characters, remembering that longer is better. A password cannot begin with a space, but spaces within a passphrase are allowed on a Cisco router. The service password-encryption command can only protect passwords being viewed within the configuration, not as they are sent across the network.

69
Q

What is the purpose of using a banner message on a Cisco network device?

A

protect organization from a legal perspective

A banner can be used to create messages shown on Cisco network devices. A banner message can protect the organization from a legal perspective and should be reviewed by legal counsel before being deployed.

70
Q

A network administrator establishes a connection to a switch via SSH. What characteristic uniquely describes the SSH connection?

A

remote access to a switch where data is encrypted during a session

SSH provides a secure remote login through a virtual interface. SSH provides a stronger password authentication than Telnet. SSH also encrypts the data during the session.

71
Q

What command will prevent all unencrypted passwords from displaying in plain text in a configuration file?

A

(config)# service password-encryption

To prevent all configured passwords from appearing in plain text in configuration files, an administrator can execute the service password-encryption command. This command encrypts all configured passwords in the configuration file.

72
Q

A network administrator is issuing the login block-for 180 attempts 2 within 30 command on a router. Which threat is the network administrator trying to prevent?

A

a user who is trying to guess a password to access the router

The login block-for 180 attempts 2 within 30 command will cause the device to block authentication after 2 unsuccessful attempts within 30 seconds for a duration of 180 seconds. A device inspecting the traffic on a link has nothing to do with the router. The router configuration cannot prevent unauthorized access to the equipment room. A worm would not attempt to access the router to propagate to another part of the network.

73
Q

Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?

A

locate the router in a secure locked room that is accessible only to authorized personnel

Of the three areas of router security, physical security, router hardening, and operating system security, physical security involves locating the router in a secure room accessible only to authorized personnel who can perform password recovery.

74
Q

A company is planning to use a DMZ for their servers and is concerned about securing the network infrastructure. Which device should the network security team use for the edge router?

A

Firewalls are commonly used on the network edge to create a demilitarized zone (DMZ). The DMZ contains servers that are commonly accessed by external users. By having them in a DMZ, it prevents having servers inside the corporate network with other corporate devices.

75
Q

Which type of access is secured on a Cisco router or switch with the enable secret command?

A

priv exec

The enable secret command secures access to the privileged EXEC mode of a Cisco router or switch.

76
Q

What is a common security task performed when securing administrative access to a network infrastructure device?

A

log and account for all access

When securing both local and remote administrative access to a network device, be sure to record anyone who accesses the device, the actions taken during the access, and the date/time of the access. Other good practices are to limit the number of ports and methods of access, authenticate access, authorize actions performed by those who access the device, display legal notification, and protect data viewed and/or copied. Limit the number of protocols used for remote access and consider using SSH version 2 or HTTPS. Discovery protocols are not relevant to administrative access.
log and account for all access When securing both local and remote administrative access to a network device, be sure to record anyone who accesses the device, the actions taken during the access, and the date/time of the access. Other good practices are to limit the number of ports and methods of access, authenticate access, authorize actions performed by those who access the device, display legal notification, and protect data viewed and/or copied. Limit the amount of protocols used for remote access and consider using SSH version 2 or HTTPS. Discovery protocols are not relevant to administrative access.