CCNA Security Final
Terms in this set (59)
When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?
It sets an access class ACL on vty lines.
What are three common examples of AAA implementation on Cisco routers? (Choose three.)
authenticating administrator access to the router console port, auxiliary port, and vty ports
authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
implementing command authorization with TACACS+
Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router using the password cisco123. What is a possible cause of the problem?
The password cisco123 is wrong.
Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)
The port is disabled.
An SNMP log message is sent.
Why does a worm poses a greater threat than a virus poses?
Worms are more network-based than viruses are.
When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
The port is shut down.
Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?
Which three statements describe the IPsec protocol framework? (Choose three.)
AH uses IP protocol 51.
AH provides integrity and authentication.
ESP provides encryption, authentication, and integrity.
Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?
R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in
Which statement describes the operation of the IKE protocol?
It calculates shared keys based on the exchange of a series of data packets.
Which two configuration requirements are needed for remote access VPNs using Cisco Easy VPN Server, but are not required for site-to-site VPNs? (Choose two.)
group policy lookup
virtual template interface
What can be used as a VPN gateway when setting up a site-to-site VPN?
Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
The traffic is dropped.
The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)
Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.
What is a characteristic of AAA accounting?
Possible triggers for the aaa accounting exec default command include start-stop and stop-only.
A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?
authenticates a packet by using either the HMAC with MD5 method or the SHA method
Which action best describes a MAC address spoofing attack?
altering the MAC address of an attacking host to match that of a legitimate host
When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?
Configure a PSK with the crypto isakmp key global configuration command.
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
Commands set on a higher privilege level are not available for lower privileged users.
Creating a user account that needs access to most but not all commands can be a tedious process.
Which set of Cisco IOS commands instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?
R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
Subsequent virtual login attempts from the user are blocked for 60 seconds.
A message is generated indicating the username and source IP address of the user.
During the quiet mode, an administrator can log in from host 172.16.1.2.
Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
What are three characteristics of the ASA routed mode? (Choose three.)
The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets.
It is the traditional firewall deployment mode.
NAT can be implemented between connected networks.
Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?
Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
Refer to the exhibit. What conclusion can be drawn from the exhibited window when it is displayed on a remote user computer screen?
The user has established a client-based VPN connection.
What will be disabled as a result of the no service password-recovery command?
ability to access ROMmon
Which type of IPS signature detection is used to distract and confuse attackers?
honey pot-based detection
Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?
Issue the ip ips notify sdee command in global configuration.
Which attack allows the attacker to see all frames on a broadcast network by causing a switch to flood all incoming traffic?
MAC table overflow
Refer to the exhibit. The indicated window has appeared in the web browser of a remote user. What is the cause of this message?
The user has logged out of a clientless SSL VPN session.
An administrator has been asked to configure basic access security on a router, including creating secure passwords and disabling unattended connections. Which three actions accomplish this using recommended security practices? (Choose three.)
Set the minimum password length to 10 characters.
Set the executive timeout parameters on the vty lines to 3 and 0.
Enable the password encryption service for the router.
Which type of intrusion prevention technology is primarily used by Cisco IPS security appliances?
Which type of packets exiting the network of an organization should be blocked by an ACL?
packets with source IP addresses outside of the organization's network address space
An administrator wants to prevent a rogue Layer 2 device from intercepting traffic from multiple VLANs on a network. Which two actions help mitigate this type of activity? (Choose two.)
Disable DTP on ports that require trunking.
Set the native VLAN on the trunk ports to an unused VLAN.
Which command would an administrator use to clear generated crypto keys?
Router(config)# crypto key zeroize rsa
What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
The generated keys can be used by SSH.
Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable toping the inside interface from an inside host. What is the cause of this problem?
The no shutdown command should be entered on interface Ethernet 0/1.
Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?
This is a notification message for a normal but significant condition.
What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
The Cisco IOS image file is not visible in the output of the show flash command.
Which two commands are needed on every IPv6 ACL to allow IPv6 neighbor discovery? (Choose two.)
permit icmp any any nd-na
permit icmp any any nd-ns
Which technology does CCP require for configuring remote access VPN support with the Easy VPN Server wizard?
What are three goals of a port scan attack? (Choose three.)
determine potential vulnerabilities
identify active services
identify operating systems
Refer to the exhibit. An administrator is implementing VPN support on an ASA 5505. What type of VPN support is being implemented?
clientless SSL VPN
Which type of VPN may require the Cisco VPN Client software?
remote access VPN
Sales representatives of an organization use computers in hotel business centers to occasionally access corporate e-mail and the inventory database. What would be the best VPN solution to implement on an ASA to support these users?
clientless SSL VPN using a web browser
Refer to the exhibit. What information can be obtained from the AAA configuration statements?
The authentication method list used for Telnet is named ACCESS.
What must be configured before any Role-Based CLI views can be created?
aaa new-model command
Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The secure boot-config command was issued on R1.
What are two disadvantages of using network IPS? (Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
Which statement describes the CCP Security Audit wizard?
The wizard is based on the Cisco IOS AutoSecure feature.
Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
Pass, inspect, and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
Refer to the exhibit. Which option tab on the CCP screen is used to view the Top Threats table and deploy signatures associated with those threats?
Which statement correctly describes a type of filtering firewall?
A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?