Cisco 640-553
Implementing Cisco IOS Network Security (IINS)
Q&A with explanations
Version 9.0
Important Note, Please Read Carefully
Other TestKing products
A) Offline Testing engine
Use the offline Testing engine product to practice the questions in an exam environment.
B) Study Guide (not available for all exams)
Build a foundation of knowledge which will be useful also after passing the exam.
Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 90 days after the purchase. You should check your
member zone at TestKing and update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the
links.
For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.
Feedback
If you spot a possible improvement then please let us know. We are always interested in
improving product quality.
Feedback should be sent to feedback@testking.com. You should include the following:
Exam number, version, page number, question number, and your login ID.
Our experts will answer your mail promptly.
Copyright
Each iPAD file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular iPAD file is
being distributed by you, TestKing reserves the right to take legal action against you
according to the International Copyright Laws.
Leading the way in IT testing and certification tools, www.testking.com
- 2 -
Table of contents
Topic 1, Main (129 Questions): page 3
Topic 2, TestKing, Scenario: page 103
Topic 2, TestKing (4 Questions): page 106
Total number of questions: 133
Topic 1, Main (129 Questions)
QUESTION NO: 1
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030
destined to host 192.168.1.10 for http (port 80)?
A. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www
C. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
E. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
F. access-list 101 permit tcp any eq 3030
Answer: B
The question provides the following info: FROM 10.1.129.100 on port 3030, TO
192.168.1.10 using HTTP (aka port 80, aka www).
B is the only entry that allows TCP, with address ranges that include both IPs in question,
and with the correct ports in the correct positions (source port after the source, destination
port after the destination).
Incorrect:
A: Two issues... wrong destination IP address; and this acl allows IP traffic. Port
designations exist at layer 4 (TCP), not layer 3 (IP).
C: Wrong direction
D: Wrong direction, and incorrect port positioning.
E: Correct, except for the www as the originating port... www is wrong, 3030 is correct.
F: Wrong on so many levels.
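The wildcard-mask and port-position reasoning above can be checked mechanically. The following Python is an added example, not part of the TestKing material: it parses extended numbered ACL entries of the form used in the options (host/any/wildcard addresses, optional "eq" port qualifiers with keywords such as www) and evaluates every option against the flow in the question and against its return traffic. The port-name table and the outright rejection of a port qualifier on an "ip" entry are this example's own simplifications of IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Port keywords IOS accepts in place of numbers (subset; assumed table for this example).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

def _port(tok: str) -> int:
    return PORT_NAMES.get(tok.lower()) or int(tok)

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]          # (address, wildcard) as 32-bit integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier starting at tokens[i]."""
    if i + 1 < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one extended ACE: access-list N permit|deny proto src [eq p] dst [eq p]."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry")
    action, proto = tokens[2], tokens[3].lower()
    try:
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        if i >= len(tokens):
            raise IndexError
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
    except IndexError:
        raise ValueError("incomplete entry: source or destination is missing") from None
    if proto not in ("tcp", "udp") and (sport is not None or dport is not None):
        # IOS rejects 'eq' after 'ip': port numbers are a layer-4 (TCP/UDP) notion.
        raise ValueError(f"port qualifier is not valid for protocol '{proto}'")
    return Ace(action, proto, src, sport, dst, dport)

def _addr_matches(addr_wc: Tuple[int, int], ip: str) -> bool:
    addr, wildcard = addr_wc
    care = ~wildcard & 0xFFFFFFFF   # wildcard 0-bits must match exactly, 1-bits are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def ace_matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return ace.dport is None or ace.dport == dport

def check_option(line, proto, src, sport, dst, dport) -> str:
    """Verdict for a one-line ACL: the ACE's action if it matches, else the implicit deny."""
    try:
        ace = parse_ace(line)
    except ValueError as exc:
        return f"invalid: {exc}"
    return ace.action if ace_matches(ace, proto, src, sport, dst, dport) else "deny"

# The six answer options from Question 1, exactly as printed.
OPTIONS = {
    "A": "access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80",
    "B": "access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www",
    "C": "access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030",
    "D": "access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255",
    "E": "access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www",
    "F": "access-list 101 permit tcp any eq 3030",
}

def evaluate(options, proto, src, sport, dst, dport) -> Dict[str, str]:
    return {label: check_option(line, proto, src, sport, dst, dport)
            for label, line in options.items()}

if __name__ == "__main__":
    # The flow in the question: TCP 10.1.129.100:3030 -> 192.168.1.10:80.
    for label, verdict in evaluate(OPTIONS, "tcp", "10.1.129.100", 3030, "192.168.1.10", 80).items():
        print(label, verdict)
```

Running it against the reply packet (192.168.1.10:80 back to 10.1.129.100:3030) shows that C and D match that direction instead, which is what "wrong direction" means.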
QUESTION NO: 2
Which statement is true about configuring access control lists to control Telnet traffic
destined to the router itself?
A. The ACL applied to the vty lines has no in or out option like ACL being applied to an
interface.
B. The ACL is applied to the Telnet port with the ip access-group command.
C. The ACL must be applied to each vty line individually.
D. The ACL should be applied to all vty lines in the in direction to prevent an unwanted
user from connecting to an unsecured port.
Answer: D
ACLs are applied in the IN direction and, using the "line vty 0 4" command, can be
applied to all the lines simultaneously.
Reference: Chapter 10, page 360, section title: Configuring ACLs to Filter Router Service
Traffic.
Incorrect:
A: VTY lines do indeed need an ACL applied directionally... usually IN. I.e.,
(config)#access-list 10 permit host 10.22.200.88
(config)#line vty 0 4
(config-line)#password C1sc0
(config-line)#login
(config-line)#access-class 10 in
(config-line)#end
B: Normally correct. VTY lines, however, have ACLs applied with the "access-class"
command.
C: All five vty lines (0 through 4) can have the ACL applied at once.
QUESTION NO: 3
What does the secure boot-config global configuration accomplish?
A. takes a snapshot of the router running configuration and securely archives it in
persistent storage
B. enables Cisco IOS image resilience
C. stores a secured copy of the Cisco IOS image in its persistent storage
D. backs up the Cisco IOS image from flash to a TFTP server
E. backs up the router running configuration to a TFTP server
Answer: A
The "secure boot-config" is a global config command, which takes a copy of the running
configuration and saves it to persistent storage. FYI, persistent storage refers to PCMCIA
ATA disks, not Flash nor NVRAM. Therefore the command only works on systems with
PCMCIA ATA disks installed.
Reference: Chapter 3, page 96. Table 3-8
Incorrect:
B: Nope, that's the "secure boot-image" command.
C: Ditto.
D: No, that would be "copy flash:/file.name tftp"
E: No, that would be "copy run tftp"
QUESTION NO: 4 DRAG DROP
You work as a network administrator for TestKing.com. Your boss, Mrs. Tess King, is
interested in IKE Phases.
Match the descriptions with the appropriate IKE phase.
Answer:
QUESTION NO: 5 DRAG DROP
You work as a network administrator for TestKing.com. Your boss, Mrs. Tess King, is
interested in cryptographic algorithms.
Match the algorithms with the appropriate algorithm type.
Answer:
QUESTION NO: 6
With Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?
A. to the interface
B. to the zone-pair
C. to the zone
D. to the global service policy
Answer: B
Reference: Chapter 10, page 373, section "Understanding Security Zones", and page 375,
section "Working with Zone Pairs"
Incorrect:
A: The old model worked this way. With the new "Zone-Based" model, interfaces are
added to security zones, and the policy is applied to the zone-pairs.
C: Half way there, but since an ingress and egress interface is required, so is an ingress
and egress zone. Together, they constitute a zone-pair.
D: Whatever.
QUESTION NO: 7
Cisco Router and Security Device Manager (SDM) utility Exhibit:
Further exhibits:
You have been tasked to examine the current Cisco IOS Zone-Based Policy Firewall
configurations on the LA-ISR router using the Cisco Router and Security Device
Manager (SDM) utility. Using the appropriate Cisco SDM configuration screens, you will
need to answer the multiple-choice question in this simulation.
Which two options correctly identify the associated interface with the correct security
zone? (Choose two.)
A. FastEthernet0/0 is associated to the "in-zone" zone.
B. FastEthernet0/0 and 0/1 are associated to the "self" zone.
C. FastEthernet0/0 and 0/1 are not associated to any zone.
D. FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.
E. FastEthernet0/0 and 0/1 are associated to the "in-zone" zone.
F. FastEthernet0/1 is associated to the "out-zone" zone.
Answer: A,F
QUESTION NO: 8
Which of these can be used to authenticate the IPsec peers during IKE Phase 1?
A. Diffie-Hellman Nonce
B. XAUTH
C. ACS
D. AH
E. pre-shared key
F. integrity check value
Answer: E
Authentication options include usernames/passwords, biometrics, preshared keys, and
digital certs.
Reference: Chapter 15, page 529, section "Overview of IPsec "
Incorrect:
A: Tricky one, since digital certs are a possible authentication method, and
Diffie-Hellman can handle this. It's the "Nonce" that makes this answer wrong. A Nonce is a
random number generated by both the initiator and responder that is encrypted by the
recipient and returned. There is no DH Nonce.
B: XAUTH (extended authentication) is typically a username/password, though it may
also be a one-time password. It can be used to authenticate users of an IPsec VPN, but not
the peers in a VPN tunnel.
C: ACS would be a logical option for authenticating peers; however, it is not an option.
Most common is preshared keys, followed by certs.
D: AH has nothing to do with IKE Phase 1 tunnels, though it is one of the optional
parameters available when setting up Phase 2 SAs.
F: Integrity checking is typically the role of hashes. Integrity checking is involved in the
Phase 2 tunnel, as either AH or ESP can be selected, and either one takes on the role of
checking integrity. (Page 531)
QUESTION NO: 9
When port security is enabled on a Cisco Catalyst switch, what is the default action when
the configured maximum of allowed MAC addresses value is exceeded?
A. The port is shut down.
B. The MAC address table is cleared and the new MAC address is entered into the table.
C. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged
out.
D. The port's violation mode is set to restrict.
Answer: A
Port-Security allows three choices in reaction to a violation... Protect (wherein the switch
drops all packets from unknown MACs, while continuing to pass traffic from known
MACs, and doesn't generate any alerts); Restrict (same response as Protect, but adds an
SNMP alert and a syslog message, and keeps a counter going of violations); and Shutdown.
The default is, in fact, to Shutdown.
Reference: Chapter 6, pages 228-229. Section: "Port Security Configuration"
Incorrect:
B: Sure... that would be secure.
C: Whatever.
D: "Restrict" is an option when Port-Security is first enabled. It is NOT dynamically
applied in response to a violation.
QUESTION NO: 10 DRAG DROP
You work as a network administrator for TestKing.com. Your boss, Mrs. Tess King, is
interested in attack methods.
Match the methods with the appropriate attack types.
Answer:
QUESTION NO: 11
Cisco Router and Security Device Manager (SDM) utility Exhibit:
Further exhibits:
You have been tasked to examine the current Cisco IOS Zone-Based Policy Firewall
configurations on the LA-ISR router using the Cisco Router and Security Device
Manager (SDM) utility. Using the appropriate Cisco SDM configuration screens, you will
need to answer the multiple-choice question in this simulation.
Within the "sdm-inspect" policy map, what is the action assigned to the traffic class
"sdm-invalid-src", and which traffic is matched by the traffic class "sdm-invalid-src"?
(Choose two.)
A. traffic matched by the nested "sdm-cls-insp-traffic" class map
B. inspect
C. inspect/log
D. traffic matched by ACL 105
E. any traffic
F. traffic matched by ACL 104
G. drop/log
Answer: A,D
QUESTION NO: 12
Exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
You are the network security administrator responsible for router security. Your network
uses internal IP addressing according to RFC 1918 specifications. From the default rules
shown, which access control list would prevent IP address spoofing of these internal
networks?
A. SDM_Default_199
B. SDM_Default_197
C. SDM_Default_198
D. SDM_Default_196
Answer: C
We're talking about stopping something, so it makes sense that we're looking for a Deny
statement, of which SDM_Default_196 through 198 apply. From the description, the
attacker is outside the network and has given himself an IP from inside the network. This
is called Blind Spoofing, and typically requires the use of IP Source Routing. By applying
the Deny Private Address Space ACL (SDM_Default_198), the firewall will stop any
traffic originating outside the network that has an IP from the private, internal range.
Reference: Chapter 1, pages 28-29, Table 1-7 and Section "Launching a Remote IP
Spoofing Attack with IP Source Routing"
Incorrect:
A: IP Spoofing is the topic here... DHCP isn't implicated.
B: Broadcast traffic isn't involved in IP Spoofing. Broadcast traffic is contained in a LAN,
and we're talking about an attacker from outside the LAN.
D: An important ACL to stop Loopback DOS attacks, but has nothing to do with IP
Spoofing.
QUESTION NO: 13
What is a result of securing the Cisco IOS image using the Cisco IOS image resilience
feature?
A. The running Cisco IOS image will be encrypted and then automatically backed up to a
TFTP server.
B. When the router boots up, the Cisco IOS image will be loaded from a secured FTP
location.
C. The running Cisco IOS image will be encrypted and then automatically backed up to
the NVRAM.
D. The show version command will not show the Cisco IOS image file location.
E. The Cisco IOS image file will not be visible in the output from the show flash
command.
Answer: E
The IOS image resilience feature doesn't encrypt or backup the IOS... it just hides it. It
does this by removing it from the directory listing when you issue the "show flash"
command. The command to enable this feature is "secure boot-image".
Reference: Chapter 3, page 96, Table 3-8
Incorrect:
A: The Image Resilience Feature neither encrypts nor backs up the IOS.
B: What's a "secured FTP location"? Does that mean SFTP, or that the FTP server is
physically secured?
C: The Image Resilience Feature neither encrypts nor backs up the IOS.
D: While the "secure boot-image" command removes the IOS filename from flash (using
either the "show flash" or "dir" command), it does not remove the filename and location
from the "show ver" output. For example, in the screenshot, note that image resiliency is
enabled, that "sh flash" does not show any IOS, but "sh ver" still outputs the
filename, beginning with its location in FLASH (last line).
QUESTION NO: 14
Which Cisco IOS command is used to verify that either the Cisco IOS image, the
configuration files, or both have been properly backed up and secured?
A. show archive
B. show file systems
C. dir archive
D. show flash
E. dir
F. show secure bootset
Answer: F
Since the command to enable image and configuration resiliency is "SECURE", this
should be an easy one. The command is "show secure bootset".
Reference: Chapter 3, page 96, Table 3-8
Incorrect:
A: A valid command, but used to compare a current config with an older config, or to
view old but archived log files.
B: Also a valid command, but used to show the available file systems, including archive,
system, flash, nvram, syslog, http, etc. Does not show a secure filesystem.
C: Another valid command, but in this context, will show the contents of the 'archive'
filesystem. The secured config is not found in the archive.
D and E: These two commands produce almost identical results, that of showing the
contents of the flash filesystem. These commands were useful before the "secure
boot-image" command was issued, but now show nothing regarding the IOS, and would
not usually show anything about the configuration anyway (unless the running-config or
startup-config was saved to flash).
QUESTION NO: 15
Which four methods are used by hackers? (Choose four.)
A. footprint analysis attack
B. front door attacks
C. social engineering attack
D. Trojan horse attack
E. privilege escalation attack
F. buffer Unicode attack
Answer: A,C,D,E
Hackers can use all four of these techniques.
Footprinting - to learn all that's available about a network or system. I.e., the domain name
of the company, the IP address range in use, the IPs of directory/DNS/DHCP servers, and
possibly which ports are open to exploit in the network.
Social Engineering - a very common attack method where an attacker poses as a member
of the IT Department, contacts a user in the company, and convinces them to share login
info. Or, the attacker poses as a member of a government agency, or from the company's
ISP, and gets an administrator to provide login information.
Trojans - these applications appear legitimate, but contain hidden code that when
executed, performs the actions stipulated by the attacker, such as open ports for back-door
access, or escalate their privileges, etc.
Privilege Escalation - a smart administrator may have restricted the access of regular
users, making it important for an attacker who has acquired those credentials to have
them improved upon. They may introduce software (i.e., Trojans) that promote the user
account to service level or administrator level, so as to have more freedom and cause
more havoc.
Reference: Chapter 1, pages 23, 24. Section: "Mind-set of a Hacker"
Incorrect:
B: This one was a possible answer, though in the context of network security, it doesn't
fit. Front door attacks refer, not to the underlying servers and networks, but to the
applications that run on web servers. Poor website design allows such attacks. If this
exam was an html/ cgi/php/flash programming exam, this answer would be correct.
F: Again, in a different exam, this could be correct. Buffer attacks are designed to cause
overflows/overruns, and the most common versions of functions are ANSI and Unicode.
However, if you read the CCNA: Security Official Exam Cert Guide, or any other CCNA:
Security material, you didn't read about either front door attacks or Unicode Buffer
attacks.
QUESTION NO: 16
Which policy map is associated to the "adm-zp-in-out" security zone pair?
A. adm-permit
B. sdm-insp-traffic
C. sdm-inspect
D. sdm-permit-icmpreply
E. sdm-access
Answer: A
QUESTION NO: 17
Which two statements about configuring the Cisco ACS server to perform router
command authorization are true? (Choose two.)
A. In the ACS User Group setup screen, use the Shell Command Authorization Set
options to configure which commands and command arguments to permit or deny.
B. When adding the router as an AAA client on the Cisco ACS server, choose the
TACACS+ (Cisco IOS) protocol.
C. Configure the Cisco ACS server to forward authentication of users to an external user
databases, like Windows Database.
D. From the ACS Interface Configuration screen, select RADIUS (Cisco IOS/PIX 6.0),
and then enable the Shell (exec) option on the RADIUS Services screen.
Answer: A,B
The question specifically says that the ACS server will perform router command
authorization. Only TACACS+ has the ability to authenticate a user, and then authorize them
at the command level. RADIUS, since it combines authentication and authorization, cannot
do so. So, the two steps are: add the router as an AAA client, selecting Authenticate
Using: TACACS+ (Cisco IOS) on the Network Configuration screen, and then, on the
Group Setup screen, use the Shell Command Authorization Set to permit or deny
commands.
Reference: Chapter 4, page 140, section "Command Authorization with TACACS+"
Incorrect:
C: Definitely an option for user authentication, but has nothing to do with
router command authorization.
D: Since Radius does not permit command-level authorization, this is not a step in the
direction we need to go.
QUESTION NO: 18
Network Topology exhibit:
Partial configuration exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
Refer to the exhibit and partial configuration. Which statement is true?
A. This is a misconfigured ACL resulting in traffic not being allowed into the router in
interface S0.
B. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny
all.
C. This ACL will prevent any host on the Internet from spoofing the inside network
address as the source address for packets coming into the router from the Internet.
D. Access-list 101 will prevent address spoofing from interface E0.
E. All traffic from network 10.0.0.0 will be permitted.
Answer: D
Since only traffic with an originating address of 10.20.20.x is allowed through int e0, an
internal malicious user who plans on spoofing an external, public IP cannot. This ACL
insists that outbound packets MUST have a valid internal IP as its source IP.
Reference: Chapter 10, pages 357, 358. Section: "Preventing IP Spoofing with ACLs"
Incorrect:
A: This ACL is properly configured.
B: The "any" appended on all three access-list statements would include the 172.16.150.0
range, so traffic to these destinations would definitely get there long before the implicit
Deny comes into play.
C: No, this ACL does nothing to prevent Internet hosts from spoofing the inside network.
That would require an inbound ACL placed on the s0 interface, denying all internal IPs
as source IPs (followed by permit entries for the legitimate traffic, since every ACL ends
in an implicit deny)....
(config)#access-list 102 deny ip 10.20.20.0 0.0.0.255 any
(config)#int s0
(config-if)#ip access-group 102 in
This ACL would stop any incoming traffic from the Internet that already had an internal
source IP (spoofing).
E: No, the permit statements specifically identify the 10.20.20.0 subnet as allowed, not
the entire 10.0.0.0 range. So with these ACL's, 10.1.1.50 would not be matched, and the
implicit Deny at the end would block it
QUESTION NO: 19
When using a stateful firewall, which information is stored in the stateful session flow
table?
A. all TCP and UDP header information only
B. the outbound and inbound access rules (ACL entries)
C. all TCP SYN packets and the associated return ACK packets only
D. the inside private IP address and the translated inside global IP address
E. the source and destination IP addresses, port numbers, TCP sequencing information,
and additional flags for each TCP or UDP connection associated with a particular session
Answer: E
The state table holds info from the headers, including source/destination IPs (layer 3) and
port information (layer 4). It particularly takes note of SYNs, RSTs, ACKs and FINs,
and other control codes.
Reference: Chapter 10, pages 335, 336. Section: "Stateful Packet Filtering and the State
Table"
Incorrect:
A: TCP and UDP header information ONLY is useless unless the firewall knows who to
apply the information to. This requires IP information, so layer 3 info must be required as
well.
B: By the time an entry is made in the state table, the ACL's have already been checked,
and the traffic approved. Therefore, ACL's are not present in the state table.
C: Same as Answer A ... ONLY TCP SYN and ACK packets are meaningless unless
applied to a host, so layer 3 IP address must also be present.
D: Looks like this is describing either a NAT scenario or a virtual IP scenario. Neither
matter here. What is important is a source and destination IP, plus port numbers and TCP
sequencing info.
QUESTION NO: 20
You work as a network administrator for TestKing.com. Your boss, Mrs. Tess King, is
interested in attack mitigation.
What are the best practices for attack mitigation? (Select four)
A. Disable unnecessary services
B. Keep patches up to date
C. Log everything to a syslog server for forensic purposes
D. Store sensitive data on a stand-alone device
E. Use passwords that cannot be broken
F. Develop a dynamic security policy
G. Inform users about social engineering
H. Develop a static, tested security policy
Answer: A, B, F, G
Disabling unnecessary services, keeping patches up to date, educating your users about
social engineering, and having a security policy that is flexible and can adapt to changing
security concerns... these are all mitigation strategies.
Reference: Chapter 1, page 40. Section: "Best-Practice Recommendations"
Incorrect:
C: The goal was attack mitigation. Logging is always a good idea; however, it does
nothing to mitigate an attack.
D: Impractical from a business perspective. Data must be secure, but still be accessible.
E: Passwords can always be broken. The key is to make it infeasible, through the use of
strong passwords that frequently change.
H: The "static" part of this answer makes it wrong. A static policy will soon leave your
network vulnerable to attack, as the complexity of attacks is always changing. The policy
needs to be flexible and dynamic.
QUESTION NO: 21
Exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
Based on the VPN connection shown, which statement is true?
A. The tunnel is down as result of being a static rule. It should be configured as a
Dynamic IPsec policy.
B. Traffic that matches access list 103 will be protected.
C. This VPN configuration will not work because the tunnel IP and peer IP are the same.
D. The tunnel is down because the transform set needs to include the Authentication
Header parameter.
Answer: B
This is a sneaky one. You'll note that the Status of the connections is "Down". Sure
enough, three of the possible answers reflect possible reasons for the Down state.
Unfortunately, none of them are valid reasons. Answer B is correct, as it is the ACL that
identifies "interesting traffic", traffic that will cause the IPsec tunnel to come up, to
protect that same "interesting traffic". The fact that the state is Down is irrelevant, as an
IPsec tunnel that has no "interesting traffic" traverse it in a set period of time will
self-destruct. In fact, the cisco default lifetime of an IPsec tunnel is 3600 seconds.
Reference: Chapter 15, pages 543-545, particularly section "Configuring an IKE Phase 2
Tunnel" (from CLI)
Reference: Chapter 15, page 563-566, Section "Selecting Traffic to Protect in the IPsec
Tunnel" (from SDM)
Incorrect:
A: Rules are static. They don't change unless an administrator changes them.
C: The IP of the peer IS the IP of the tunnel's destination.
D: AH is an option, not a requirement. The other option is ESP.
QUESTION NO: 22
Which two functions are required for IPsec operation? (Choose two.)
A. using Diffie-Hellman to establish a shared-secret key
B. using SHA for encryption
C. using PKI for pre-shared-key authentication
D. using AH protocols for encryption and authentication
E. using IKE to negotiate the SA
Answer: A,E
The question wants to know what's "required", not "optional". From the choices, it's
easier to determine what's "optional" and/or just plain wrong. Those are answers B, C,
and D. So are A and E correct?
Reference: Chapter 15, page 530, table 15-3. Under Main Mode, note Exchange #2:
Diffie-Hellman securely establishes a shared secret key over the unsecured medium. So
A is good.
Reference: page 531. Not too keen on the wording of this answer, because you don't really
'use' IKE to negotiate the SA. However, the negotiation of the SA happens 'within' the
protection of the IKE Phase 1 tunnel, so that must be what's meant.
Incorrect:
B: Could be SHA... could be MD5. Optional.
C: Wrong. PKI refers to the use of public and private keys, and Certificate Authorities.
NOT pre-shared keys.
D: Optional, and wrong. AH is optional... the other option being ESP. However, only
ESP encrypts, AH doesn't. So discount this answer for two strikes.
QUESTION NO: 23
Which consideration is important when implementing Syslogging in your network?
A. Enable the highest level of Syslogging available to ensure you log all possible event
messages.
B. Log all messages to the system buffer so that they can be displayed when accessing the
router.
C. Use SSH to access your Syslog information.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.
Answer: D
The time stamps in a syslog are tough to correlate to other syslogs if the time is off. NTP
is invaluable in ensuring that all network devices are time-synced.
Reference: Chapter 5, page 174.
Incorrect:
A: If your goal is to be buried under syslogs, then do this. And make sure you have a
terabyte of disk space, because you'll need it. Enabling the highest level of syslogging
(debugging) provides every possible event... many of which are unimportant from a
security perspective. Usually Events or Warnings is a sufficient level, which will generate
only important messages.
B: Optional, but not important, as long as you have a syslog server collecting your
notifications. Also, the buffer on a Cisco device can become full, which stops the process.
And, the buffer is purged at every reboot, so the required messages are gone, making the
buffer a less than ideal message store.
C: Syslogs are stored on a remote server, not on the device itself. The most common
solution is to map a drive to the server's syslog drive (if not local). SSH is a good idea for
securely accessing your Cisco devices, but doesn't make sense for viewing syslogs.
QUESTION NO: 24
When configuring Cisco IOS Zone-Based Policy Firewall, what are the three actions that
can be applied to a traffic class? (Choose three.)
A. Queue
B. Inspect
C. Drop
D. Police
E. Pass
F. Shape
Answer: B,C,E
Reference: Chapter 10, page 371. Section "Zone Membership Rules"
Incorrect:
A, D, F: They don't exist within the context of Zone-Based Firewalls.
QUESTION NO: 25
Which of these is the strongest symmetrical encryption algorithm?
A. Diffie-Hellman
B. DES
C. AES
D. SHA
E. 3DES
F. RSA
Answer: C
Of the available "symmetrical" encryption types, AES is the strongest.
Reference: Chapter 12, page 451.
Incorrect:
A: An asymmetrical algorithm.
B: Nowhere near as strong as AES.
D: SHA is a hashing algorithm
E: 3DES is a great and still-popular symmetrical algorithm. Of late, it has lost favour
compared to AES, based on strength and speed... AES is a far faster algorithm to use.
F: RSA is asymmetrical, and is currently a very popular method for public key exchange.
QUESTION NO: 26
Exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
Based on the show policy-map type inspect zone-pair session command output shown,
what can be determined about this Cisco IOS zone based firewall policy?
A. This is an inbound policy (applied to traffic sourced from the less secured zone
destined to the more secured zone).
B. All non-HTTP traffic will be permitted to pass as long as it matches ACL 110.
C. Stateful packet inspection will be applied only to HTTP packets that also match ACL
110.
D. All non-HTTP traffic will be inspected.
E. All packets will be dropped since the class-default traffic class is matching all traffic.
F. This is an outbound policy (applied to traffic sourced from the more secured zone
destined to the less secured zone).
Answer: C
The "TEST-Class" map has two match statements: Match access-group 110, and Match
protocol HTTP. To qualify for the "TEST-Class" map, both of these conditions apply, as
the "(match-all)" operator indicates. Nothing else matches this class-map, so everything
else moves on to class-map "class-default", where the action is to Drop the traffic.
Reference: Chapter 10, pages 377, 378
Incorrect:
A: Direction is not indicated. To view the source and destination zones, issue the "show
zone-pair security" command. And in zone-pairs, the zones are equal in nature... one is
not more- or less-secured. The admin makes those decisions with the use of ACL's and
Class-Maps.
B: The operator is "match-all", not "match-any", so both qualifications must be met:
match acl 110 AND be http traffic.
D: Only HTTP traffic (that matches acl 110) will be inspected... non-http traffic will be
dropped.
E: Would be true if it read: "All packets that make it to the class-default traffic class".
ALL packets, however, will not be dropped... those that meet the match statements of the
TEST-Class map will be inspected and passed.
F: Same as Answer A ... no indication is made about direction.
QUESTION NO: 27
Cisco Router and Security Device Manager (SDM) utility Exhibit: *missing*
Further exhibits: *missing*
You have been tasked to examine the current Cisco IOS Zone-Based Policy Firewall
configurations on the LA-ISR router using the Cisco Router and Security Device
Manager (SDM) utility. Using the appropriate Cisco SDM configuration screens, you will
need to answer the multiple-choice questions in this simulation.
Which statement is correct regarding the "sdm-permit" policy map?
A. Traffic matching the "sdm-access" traffic class will be inspected.
B. That policy map is applied to traffic sourced from the "self" zone and destined to the
"out-zone" zone.
C. That policy map is applied to traffic sourced from the "out-zone" zone and destined to
the "in-zone" zone.
D. Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.
E. Traffic not matched by any of the class maps within that policy map will be inspected.
Answer: D
QUESTION NO: 28
What does the MD5 algorithm do?
A. takes a fixed-length message and produces a 128-bit message digest
B. takes a variable-length message and produces a 128-bit message digest
C. takes a variable-length message and produces a 168-bit message digest
D. takes a message less than 2^64 bits as input and produces a 160-bit message digest
Answer: B
Both MD5 and SHA-1 are cryptographic hash algorithms that take variable length input
to produce a fixed-length string known as the digest. MD5 produces a 128-bit digest
(expressed as a 32-character hex value), while SHA-1 produces a hash that is 160 bits
long.
Reference: Chapter 13, page 468, section "Cryptographic Hash Functions"
Incorrect:
A: MD5 can take input of varying length
C: MD5 produces a digest of 128-bits. 3DES can optionally output a 168-bit key, but
3DES is designed for encryption, not hash functions.
D: 2^64? Where'd that come from? And while SHA-1 does output a 160-bit digest, both
it and MD5 operate on blocks of 512 bits. MD5 produces a 128-bit digest.
QUESTION NO: 29
Cisco Router and Security Device Manager (SDM) utility Exhibit:
Further exhibits:
You have been tasked to examine the current Cisco IOS Zone-Based Policy Firewall
configurations on the LA-ISR router using the Cisco Router and Security Device
Manager (SDM) utility. Using the appropriate Cisco SDM configuration screens, you will
need to answer the multiple-choice question in this simulation.
Within the "sdm-permit" policy map, what is the action assigned to the traffic class
"class-default"?
A. police
B. inspect
C. drop
D. log
E. pass
Answer: C
QUESTION NO: 30 DRAG DROP
You work as a network administrator for TestKing.com. You boss, Mrs. Tess King, is
interested in AAA functions.
Match the functions with the appropriate protocols.
Answer:
QUESTION NO: 31
During role-based CLI configuration, what must be enabled before any user views can be
created?
A. usernames and passwords
B. HTTP and/or HTTPS server
C. secret password for the root user
D. aaa new-model command
E. multiple privilege levels
Answer: D
Before role-based CLI views can be created, AAA must be enabled with the "aaa
new-model" command. Step 2 is to enable the root view with the "enable view"
command. Step 3 creates the actual view with the "parser view view_name" command,
and enters the View's edit mode, evidenced by the (config-view)# prompt. Creating a
password for the view with the "secret password" command is Step 4. Finally, adding the
necessary commands to the view is the 5th and final step, using the command syntax of
"commands exec include ping" and "commands exec include write".
Interestingly, while you assign a local password in Step 4, role-based CLI configurations
are still an advanced scheme that requires enabling AAA.
Reference: Chapter 3, page 94, section "Creating Command-Line Interface Views"
Incorrect:
A: A password is required in setting up a role-based configuration, but not a username.
And that's Step 4.
B: Not required.
C: Hopefully it's been long created, but having a secret password is not a prerequisite of
enabling views.
E: Role-based CLI configs are another way of allowing required commands to be allotted
without handing over full EXEC rights, similar to having multiple privilege levels,
though not the same. Creating a View allows someone who knows the correct password
to enable the View, and have access to only the commands assigned to that particular
View.
QUESTION NO: 32
What are two characteristics of the SDM Security Audit wizard? (Choose two.)
A. displays a screen with Fix-it check boxes to let you choose which potential
security-related configuration changes to implement
B. requires users to first identify which router interfaces connect to the inside network
and which connect to the outside network
C. has two modes of operation: interactive and non-interactive
D. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router
E. uses interactive dialogs and prompts to implement role-based CLI
Answer: A,B
Reference: Chapter 5, pages 166-171
When you launch the Wizard, you are asked to tell the SDM which interface is internal,
and which is external.
After acknowledging the results of the scan, you are presented with checkboxes to allow
you to "Fix It"... to select the security issues that you desire to fix immediately.
Incorrect:
C: Careful here. The command-line version of the Security Audit Wizard, run with the
"auto secure" command, has the option of adding the "no-interact" parameter, which
eliminates user interactivity. The SDM version has no such option.
D: Recall that the SDM offers "Fix-It" checkboxes for you to select which security
concerns you want to fix... nothing is automatic.
E: The SDM version does not use interactive dialogs and prompts, and doesn't offer
role-based CLI configurations at all.
QUESTION NO: 33
Which kind of table do most firewalls use today to keep track of the connections through
the firewall?
A. dynamic ACL
B. state
C. express forwarding
D. netflow
E. queuing
F. reflexive ACL
Answer: B
The "State" table keeps track of all connection information for traffic flows through the
firewall. The state table holds info from the headers, including source/destination IP's
(layer 3) and port information (layer 4). It particularly takes note of SYNs, RSTs, ACKs
and FINs, and other control codes.
Reference: Chapter 10, pages 335, 336. Section: "Stateful Packet Filtering and the State
Table"
Incorrect:
A: Dynamic ACL's are stored in a router's config, not in a table.
C: There is an Express Forwarding Table where layer 3 switches keep a record of their
peers/adjacencies. It is used to find the best switching path through one of its peers. It is
not used by firewalls.
D: The Netflow table is very similar to a State Table, in that it keeps track of IP flows as
they are received by a cisco router or switch. It is used by routers and switches, though,
not by firewalls.
E: No queuing table exists.
F: Reflexive ACL's are inherent in Cisco firewalls, and allow return traffic from an
established flow to return through a firewall that would otherwise block such traffic. The
traffic is run against the information in the State table to see if it is return traffic... if it
exists, a reflexive acl is created. They are not stored in a table.
QUESTION NO: 34
What will be disabled as a result of the no service password-recovery command?
A. aaa new-model global configuration command
B. the xmodem privilege EXEC mode command to recover the Cisco IOS image
C. password encryption service
D. ROMMON
E. changes to the config-register setting
Answer: D
Password recovery occurs in the ROMMON, if you have forgotten the password and need
to recover. In ROMMON you have the ability to reset the password. Since an attacker that
gains physical access to the router could reboot the device and break the boot sequence to
enter ROMMON and do the same, the "no service password-recovery" command
eliminates the possibility of entering ROMMON.
Reference: Chapter 3, page 91.
Incorrect:
A: No, that would be the "no aaa new-model" command.
B: Xmodem? Recovering the IOS? What would they have to do with
password-recovery?
C: Close, but that's the "no service password-encryption" command.
E: The config-register determines how the IOS is loaded, whether from the first IOS in
flash, or from a specific filename. It does not have to do with passwords.
QUESTION NO: 35
Exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
Which statement is correct based on the show login command output shown?
A. Three or more login requests have failed within the last 100 seconds.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. When the router goes into quiet mode, any host is permitted to access the router via
Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
D. All logins from any sources are blocked for another 193 seconds.
Answer: A
Note from the output that the router is currently in Quiet Mode. And note that the line
above it indicates that the requirement for the lock-out is more than 2 failures in 100
seconds or less. Therefore, on the third login failure, Quiet Mode was invoked, and any
further attempts are denied.
Reference: Chapter 3, pages 96-98. Particularly table 3-9
Incorrect:
B: The "login block-for" command is configured for 100 seconds... there just happens to
be 93 seconds left.
C: In the absence of an ACL, no one can connect. In this case, an ACL would determine
who can still connect during the Quiet Period. The ACL identifies exemptions.
D: All logins from any sources are blocked for another 93 seconds, not 193.
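The lockout behaviour behind this "show login" output, as an added configuration example that is not part of the original page. The management subnet 10.1.1.0/24 and the ACL name ADMIN-HOSTS are assumptions.

```cisco
! Added example (not from the original page). Assumes a management
! subnet of 10.1.1.0/24 and an exemption ACL named ADMIN-HOSTS.
!
! Quiet mode starts after 3 failed logins within 100 seconds and lasts
! 100 seconds, matching the thresholds shown in the question's output.
login block-for 100 attempts 3 within 100
!
! Log every failed and successful attempt so a lockout can be investigated.
login on-failure log
login on-success log
!
! Exemptions: without this ACL no host at all can connect during quiet mode.
ip access-list standard ADMIN-HOSTS
 permit 10.1.1.0 0.0.0.255
login quiet-mode access-class ADMIN-HOSTS
!
! Verify: "show login" reports the thresholds and whether the router is in
! quiet mode; "show login failures" lists the attempts that triggered it.
```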
QUESTION NO: 36
You have configured a standard access control list on a router and applied it to interface
Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same
router. What happens when traffic being filtered by the access list does not match the
configured ACL statements for Serial 0?
A. The source IP address is checked, and, if a match is not found, traffic is routed out
interface Serial 1.
B. The resulting action is determined by the destination IP address and port number.
C. The resulting action is determined by the destination IP address.
D. The traffic is dropped.
Answer: D
Tricky one, this one. Just remember that the ACL identifies any traffic that is either
Permitted or Denied. If nothing matches, then the implicit DENY included in every ACL
kicks in, and the traffic is dropped.
Reference: Chapter 10, page 353, Table 10-12. Section: "Considerations When Creating
ACLs "
Incorrect:
A: No, if a match is not found, the traffic is dropped.
B: A standard access list is concerned ONLY with source IP's, so even if a match was
found, this answer would be wrong. Only extended ACLs consider destination IP's and
port numbers.
C: Ditto.
QUESTION NO: 37
What does level 5 in the following enable secret global configuration mode command
indicate?
router#enable secret level 5 password
A. Set the enable secret command to privilege level 5.
B. The enable secret password is for accessing exec privilege level 5.
C. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
D. The enable secret password is hashed using SHA.
E. The enable secret password is hashed using MD5.
Answer: B
The key to this answer is the presence of the word "level" in the command. That tells you
that in this case the 5 has nothing to do with hashes or encryption, but rather is the secret
password for access level 5 commands.
Reference: Chapter 3, page 93, Section "Configuring Privilege Levels"
Incorrect:
A: Be careful, as this answer is almost perfect. The only word that makes it wrong is
"command"... you're not setting the secret command, you're setting the secret password.
C: Cisco's proprietary encryption is enabled with the "service password-encryption"
command, not this command. And those encrypted passwords appear with a '7' in the
running-config to indicate cisco encryption.
D: SHA is not an option when hashing the enable secret password.
E: MD5 is used for hashing the secrets of usernames, and does in fact appear in the
running-config with a '5' in front of the hashed secret. It is enabled by using the word
"secret" in the command... i.e., "username cisco secret p@$$w0rd". This command's
output could appear as:
!
Username cisco secret 5 $a!*&% jaagf%& lkijh ( *c/
QUESTION NO: 38
Which three statements about the IPsec protocol are true? (Choose 3.)
A. IPsec uses digital certificates to guarantee confidentiality.
B. IPsec ensures data integrity by using checksums.
C. IPsec authenticates users and devices that can carry out communication independently.
D. IPsec is a framework of open standards.
E. IPsec is implemented at Layer 4 of the OSI model.
F. IPsec is bound to specific encryption algorithms, such as 3DES and AES.
Answer: B,C,D
For the purpose of checking integrity, routers involved in an IPsec tunnel can create
checksums or hash values. Multiple stages of device authentication occur, from
pre-shared keys to certificates to digital signatures (hashes). And if IKE Phase 1.5 is
utilized, then users can also be authenticated via the IPsec process. Of interest is the
number of protocols used by IPsec, including IKE, DH, ISAKMP, XAUTH, AH/ESP,
and MD5/SHA-1.
Reference: Chapter 15, pages 529-531
Incorrect:
A: Digital certificates are used for authentication purposes... to prove someone is who
they say they are.
E: IPsec is implemented at Layer 3 (hence, the IP in the name).
F: IPsec is bound to almost nothing... everything is optional and negotiated.
QUESTION NO: 39
What is the purpose of Diffie-Hellman?
A. used to establish a symmetric shared key via a public key exchange process
B. used to verify the identity of the peer
C. used for asymmetric public key encryption
D. used between the initiator and the responder to establish a basic security policy
Answer: A
Diffie-Hellman provides a reliable and trusted method for key exchange over untrusted
channels. It is often used to provide keying for other symmetric algorithms, such as 3DES
and AES. In IKE Phase 1, Main mode uses DH to securely establish a shared key over the
unsecured medium.
Reference: Chapter 14, page 499, section "Examining the Features of the DH Key
Exchange Algorithm"
Incorrect:
B: DH is not used for identification purposes or authentication... it's for secure key
exchange. Pre-shared keys or digital certs handle authentication.
C: Close, but it's not for public key encryption, but rather public key exchange.
D: The basic security policy is actually proposed by the initiator in the initial exchange to
the responder. This initial exchange occurs before DH establishes the key exchange and
settles on a secret key. Then, once the DH has done its negotiating, an ISAKMP session is
established and the IPsec tunnel (IKE Phase 2) is created. DH has no part in the
establishment of any security policy.
QUESTION NO: 40
What is the key difference between host-based and network-based intrusion prevention?
A. Network-based IPS can provide protection to desktops and servers without the need of
installing specialized software on the end hosts and servers.
B. Host-based IPS can work in promiscuous mode or inline mode.
C. Host-based IPS is more scalable than network-based IPS.
D. Host-based IPS deployment requires less planning than network-based IPS.
E. Network-based IPS is better suited for inspection of SSL and TLS encrypted data
flows.
F. Network-based IPS provides better protection against OS kernel-level attacks against
hosts and servers.
Answer: A
A host-based solution requires installation of software. In the case of Cisco's HIPS
solution, the Cisco Security Agent must be installed on the machine to be used for
host-based IPS purposes.
Reference: Chapter 2, page 71, table 2-8
Incorrect:
B: A NIC can be placed in promiscuous mode, and can capture all packets visible to it, the
way an IDS functions. Inline mode, however, requires two interfaces... one coming in,
another heading out, with the IPS device sitting in-between. A HIPS solution cannot do
this.
C: On the contrary. Network-based IPS solutions scale far better to large enterprises.
D: No, it doesn't.
E: No network-based IPS can decrypt encrypted traffic. In this case, a HIPS solution is
better as it can see the traffic on the end host after it has been decrypted.
F: NIPS provides no protection against kernel-level attacks.
QUESTION NO: 41
Which statement is true about asymmetric encryption algorithms?
A. They use different keys for encryption and decryption of data.
B. They use the same key for decryption but different keys for encryption of data.
C. They use different keys for decryption but the same key for encryption of data.
D. They use the same key for encryption and decryption of data.
Answer: A
Symmetric algorithms use the same key for encryption and decryption. Asymmetric
algorithms use a different key for each function. Asymmetric key lengths range
from 512 to 4096 bits, due to the weaker nature of asymmetric algorithms. Also,
asymmetric algorithms can be up to 1000 times slower than symmetric algorithms
because of the complexity of their mathematical calculations.
Reference: Chapter 12, page 443, Section "Asymmetric Encryption Algorithms"
Incorrect:
B: Each key in an asymmetric solution can be used to encrypt or decrypt.
C: Each key in an asymmetric solution can be used to encrypt or decrypt.
D: Symmetric solutions use the same keys for both encryption and decryption.
QUESTION NO: 42
Exhibit:
TestKing3# show run | include username
Username testking secret 5 $1$knm. $UkU6fqWD0K1kDU0YQx2S
You work as a network administrator at TestKing.com. You study the exhibit carefully.
What does the option secret 5 in the username global configuration mode command
indicate about the enable secret password?
A. It is hashed using SHA.
B. It is encrypted via the service password-encryption command.
C. It is encrypted using DH group 5.
D. It is hashed using a proprietary Cisco hashing algorithm.
E. It is encrypted using a proprietary Cisco encryption algorithm.
F. It is hashed using MD5.
Answer: F
When it comes to usernames, the options are plain-text, encrypted, or hashed. If the
command "username cisco password C1$C0" is used, the output will show the actual
plain-text password. The ability to encrypt this password requires the use of the "service
password-encryption" command. Now the same password will appear encrypted, with a
"7" in front of it to indicate cisco proprietary encryption. The "secret" is different...
secrets are hashed, and the hashing algorithm used by cisco is MD5.
Reference: Chapter 3, page 88
Incorrect:
A: SHA is not employed by cisco in its hashing functions.
B: The "service password-encryption" produces a value of '7', not '5', in the output.
C: DH is not used by cisco for encrypting or hashing passwords in the IOS.
D: Cisco does not have a proprietary hashing algorithm... it uses MD5.
E: The "service password-encryption" command invokes cisco's proprietary encryption
algorithm.
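The two things a 5 can mean, a privilege level in "enable secret level 5" (Question 37) and an MD5 hash type in a stored secret (Question 42), shown side by side in an added configuration example that is not from the original page. The level-5 operator role, the usernames and the placeholder passwords are assumptions.

```cisco
! Added example (not from the original page). Assumes an operator role
! at privilege level 5 that may only ping and run a few show commands;
! every credential is a placeholder.
!
! The 5 after "level" selects a privilege level, not a hash type.
enable secret level 5 <LEVEL5-SECRET>
!
! Move the commands the operator needs down from level 15 to level 5.
privilege exec level 5 ping
privilege exec level 5 show ip interface brief
privilege exec level 5 show ip route
!
! "secret" stores an MD5 hash (type 5); "password" stores the value
! reversibly and only shows as type 7 once password-encryption is on.
username netops secret <NETOPS-SECRET>
username legacy password <LEGACY-PASSWORD>
service password-encryption
!
! "show running-config | include username" then shows lines shaped like
!   username netops secret 5 $1$<salt>$<hash>
!   username legacy password 7 <type-7 string>
! Test the role with "enable 5" and the level-5 secret: "show ip route"
! works, "configure terminal" is refused.
```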
QUESTION NO: 43
With Cisco IOS Zone-Based Policy Firewall, by default, which three types of traffic are
permitted by the router when some of the router interfaces are assigned to a zone?
(Choose three.)
A. traffic flowing to the zone member interface that is returned traffic
B. traffic flowing among the interfaces that are not assigned to any zone
C. traffic flowing between a zone member interface and any interface that is not a zone
member
D. traffic flowing between a zone member interface and another interface that belongs in
a different zone
E. traffic flowing among the interfaces that are members of the same zone
F. traffic flowing to and from the router interfaces (the self zone)
Answer: B,E,F
Zone-based firewalls are the latest departure for cisco from standard firewall standards,
and allow interfaces to be assigned to 'zones'. Access-lists are applied to the zones, rather
than to the interfaces in the zones. When zones are defined, traffic must be explicitly
allowed in order to flow from one zone to another. In the absence of an ACL, traffic can
still travel through any interfaces not assigned to a zone, through interfaces belonging to
the same zone, and traffic that is destined for the router itself, or is generated from the
router itself.
Reference: Chapter 10, page 371, section "Zone Membership Rules"
Incorrect:
A: This describes 'dynamic' or 'reflexive' ACLs, and is a feature of cisco's previous IOS
firewall methodology. The new zone-based model does not employ stateful inspection,
where a state table kept track of traffic flows, and could identify when traffic was
returning in response to a flow sourced internally. In the zone-based model, ACL's are
defined in both directions to allow bi-directional communication (page 376).
C: An interface that belongs to a zone has an implicit 'DENY' that prevents
communication with any interface not a member of its zone or the self-zone, or that isn't
explicitly permitted by means of an ACL. Interfaces that are not assigned to a zone cannot
communicate with interfaces in zones.
D: An implicit DENY prevents inter-zone communication that only an ACL with a
PERMIT statement can overcome.
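The zone-based firewall pieces discussed in Questions 26 and 43 (a match-all class map on ACL 110 plus HTTP, an inspect/drop policy, and a zone-pair) assembled into one added configuration example that is not from the original page. The zone names, interfaces, addresses and the contents of ACL 110 are assumptions.

```cisco
! Added example (not from the original page). Assumes zones named inside
! and outside on Fa0/0 and Fa0/1, and that ACL 110 lists the inside hosts.
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
zone security inside
zone security outside
!
! match-all: a packet must match ACL 110 AND be HTTP to land in this class.
! With match-any, either condition alone would be enough.
class-map type inspect match-all TEST-Class
 match access-group 110
 match protocol http
!
! Everything that misses TEST-Class falls into class-default and is dropped.
policy-map type inspect TEST-Policy
 class type inspect TEST-Class
  inspect
 class class-default
  drop
!
! A zone-pair is one direction only: inside -> outside. Replies to inspected
! sessions are allowed back by the inspect action; outside-initiated traffic
! needs its own zone-pair and policy before any of it is accepted.
zone-pair security in-to-out source inside destination outside
 service-policy type inspect TEST-Policy
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security inside
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.0
 zone-member security outside
!
! Defaults from Question 43 still apply: traffic between members of the same
! zone, and traffic to or from the router itself (the self zone), flows
! without any policy; any other inter-zone traffic is dropped.
! Verify with "show zone-pair security" and
! "show policy-map type inspect zone-pair sessions".
```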
QUESTION NO: 44
Which characteristic is the foundation of Cisco Self-Defending Network technology?
A. threat control and containment
B. secure network platform
C. secure connectivity
D. policy management
Answer: B
While all four answers have their merits, the Self-Defending Network model is concerned
with a secure network platform. Once the secure network foundation is established, the
other concerns can be addressed.
Reference: Chapter 2, page 69, Figure 2.5
Incorrect:
A: Threat control can only occur once the foundation of a secure network is addressed.
Viruses and spyware, whether from internet sources or email, must be protected against to
keep servers and applications safe.
C: Secure connectivity in an insecure network is a futile concept... taking care of the
secure network must occur first. IPsec and SSL VPNs can now be used to secure
remote-access.
D: A dynamic organizational policy allows efficiency when responding to attacks and
maintaining consistency of configuration when rolling out multiple devices.
QUESTION NO: 45 SIMULATION
Network topology exhibit:
You work as a network administrator for TestKing.com. There has been an attack on the
TestKing campus LAN. Spoofed MAC addresses have been sent to one of the switch ports.
You are required to take steps to avoid this kind of attack in the future. In particular you
need to reconfigure the TestKing3 Fa0/12 interface.
In this scenario assume the following:
* the TestKing3 enable password is testking12
* the hacker was connected to the switch TestKing3 Fa0/12 interface through the
TestKing2 hub
* you are required to limit the maximum number of allowed MAC addresses on the
TestKing3 Fa0/12 interface to two and to set the violation action to shutdown
Answer:
Explanation:
TestKing3>enable
Password: testking12
TestKing3#config t
TestKing3(config)# int f0/12
TestKing3(config-if)# switchport mode access
TestKing3(config-if)# switchport access vlan 1
TestKing3(config-if)# switchport port-security
TestKing3(config-if)# switchport port-security maximum 2
TestKing3(config-if)# switchport port-security violation shutdown
TestKing3(config-if)# end
TestKing3#wr mem
An even better solution would be to statically assign the two MAC addresses of your known
users in the process above. So right after setting the maximum to 2, you could use the
"TestKing3(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC"
command to define who the 2 allowed users are. Conversely, you could use the
"TestKing3(config-if)# switchport port-security mac-address sticky" command, which
takes the first two users to connect and logs their MAC addresses in the running-config.
The only possible issue with this method is if the attacker is one of the first two users to
connect to the port... his mac would be stored and permitted, while your legitimate user
would be restricted.
The question, though, did not provide PC2 and PC3's mac addresses, so the above config
satisfies the requirements.
QUESTION NO: 46
Which statement is true when you have generated RSA keys on your Cisco router to
prepare for secure device management?
A. The SSH protocol is automatically enabled.
B. You must then specify the general-purpose key size used for authentication with the
crypto key generate rsa general-keys modulus command.
C. You must then zeroize the keys to reset secure shell before configuring other
parameters.
D. All vty ports are automatically enabled for SSH to provide secure management.
Answer: A
The steps to enable SSH on a router are:
1) Configure a domain name on a router using the "ip domain-name name" command
2) Use the "crypto key generate rsa general-keys modulus size" command, where cisco
recommends the size to be at least 1024 bits.
3) Configure SSH... like authentication-retries, and "transport input" on the vty lines to
permit ssh when telnetting into the router.
Reference: Chapter 5, pages 183-185, section "Enabling Secure Shell on a Router"
Incorrect:
B: The question says that you've already generated RSA keys on your Cisco router. You
do that with the "crypto key generate rsa general-keys modulus" command.
C: The "crypto key zeroize rsa" command deletes all rsa keys from your router. In the
absence of an rsa key, SSH is automatically disabled. If you did this after generating the
rsa keys, you've just effectively deleted what you've done and turned off SSH.
D: VTY lines are not automatically enabled for SSH... you must use the "transport input
SSH" in line configuration mode to allow SSH traffic into the vty lines.
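The three steps listed above carried through, as an added configuration example that is not from the original page. The hostname, domain, local account and placeholder password are assumptions, and the 2048-bit modulus is a choice above the 1024-bit minimum the explanation cites.

```cisco
! Added example (not from the original page). Assumes hostname TestKing3,
! domain testking.com and a local admin account; the secret is a placeholder.
!
! Steps 1 and 2: the key needs a hostname and domain name to be labelled.
hostname TestKing3
ip domain-name testking.com
!
! Generating the key is what enables SSH (Question 46, answer A).
crypto key generate rsa general-keys modulus 2048
!
! Step 3: restrict to SSHv2 and bound the login attempts.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret <ADMIN-SECRET>
!
! The vty lines keep accepting Telnet until transport input is changed
! (answer D is wrong for exactly this reason).
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify: "show ip ssh" (version, timeout, retries) and
! "show crypto key mypubkey rsa" (the key that was generated).
```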
QUESTION NO: 47
When configuring role-based CLI on a Cisco router, which step is performed first?
A. Enable AAA authentication and authorization using the local database.
B. Enable the root view on the router.
C. Log in to the router as the root user.
D. Create a root local user in the local database.
E. Create a parser view called "root view."
F. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco
IOS command.
Answer: B
You'll recall from question 31 that the first step in configuring role-based cli views on a
cisco router is to use the "aaa new-model" command. However, that answer is not
provided. So the next step is to enable the root view on the router.
Reference: Chapter 3, page 94, section "Creating Command-Line Interface Views"
Incorrect:
A: The "aaa new-model" command enables AAA authentication, but not authorization.
Entering the "aaa authorization" command to restrict administrative EXEC access is not
required.
C: The root user isn't in the cisco model. However, as exec level commands are required
to enter configuration mode and enable views, had the answer read "log in as an
administrator with a privilege level of 15", that would be a consideration.
D: Not required.
E: You can create a parser view after enabling views, but you can call it whatever you
like.
F: Enabling views is an EXEC level cisco ios command, but it comes second in the
process, after enabling AAA.
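The five-step view procedure from Questions 31 and 47, written out in order as an added configuration example that is not from the original page. The view name HELPDESK, its command set and the placeholder secrets are assumptions.

```cisco
! Added example (not from the original page). Assumes a view named HELPDESK
! limited to ping, a few show commands and saving the config; secrets are
! placeholders.
!
! Step 1: AAA must be on before any view can exist (Questions 31 and 47).
configure terminal
 aaa new-model
 enable secret <ENABLE-SECRET>
 end
!
! Step 2: enter the root view; the router prompts for the enable secret.
enable view
!
! Steps 3 to 5: create the view, give it its own secret, add its commands.
configure terminal
 parser view HELPDESK
  secret <HELPDESK-SECRET>
  commands exec include ping
  commands exec include show ip interface brief
  commands exec include write
 end
!
! A helpdesk user switches in with "enable view HELPDESK" and the view's
! secret, and then sees only the included commands. "show parser view"
! names the active view; from the root view, "show parser view all" lists
! every view that has been configured.
```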
QUESTION NO: 48
What are three common examples of AAA implementation on Cisco routers? (Choose
three.)
A. tracking Cisco Netflow accounting statistics
B. performing router commands authorization using TACACS+
C. authenticating remote users who are accessing the corporate LAN through IPSec VPN
connections
D. securing the router by locking down all unused services
E. authenticating administrator access to the router console port, auxiliary port, and vty
ports
F. implementing PKI to authenticate and authorize IPsec VPN peers using digital
certificates
Answer: B,C,E
AAA implementations are best known for authenticating administrators who log into the
router via the console, auxiliary, and vty lines. However, as you learned, you can
authorize different users to utilize router commands using the advanced features in
TACACS+. And, a common usage of AAA is to authenticate remote users when IPsec
VPNs are used.
Reference: Chapter 4, page 140, section "Command Authorization with TACACS+" (for
Answer B)
Reference: Chapter 4, page 116 (for Answer C)
Reference: Chapter 4, pages 120-122 (for Answer E)
Incorrect:
A: AAA has nothing to do with Netflow stats.
D: Always a good idea, but not part of AAA.
F: Also a good idea, but as soon as you see PKI and certificates, you know you're not
dealing with AAA anymore.
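The three AAA uses named as correct above (line authentication, TACACS+ command authorization, and the local fallback behind them), as an added configuration example that is not from the original page. The TACACS+ server address 10.1.1.5, the account names and the placeholder keys are assumptions.

```cisco
! Added example (not from the original page). Assumes a TACACS+ server at
! 10.1.1.5; the shared key and local secret are placeholders.
!
aaa new-model
tacacs-server host 10.1.1.5 key <TACACS-KEY>
!
! Authenticate administrators against TACACS+ and fall back to the local
! database only if the server is unreachable (answer E).
aaa authentication login default group tacacs+ local
!
! Have TACACS+ authorize the EXEC shell and each level-15 command (answer B).
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Record sessions and commands so administrative activity can be reviewed.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local account used only when the server cannot be reached.
username admin privilege 15 secret <ADMIN-SECRET>
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
!
! Test from a second session while the first stays open as a safety net;
! "show tacacs" reports server reachability and request counters.
```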
QUESTION NO: 49
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?
A. supports both inline and promiscuous mode
B. requires IEV for monitoring Cisco IPS alerts
C. uses the built-in signatures that come with the Cisco IOS image as backup
D. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
E. requires the Basic or Advanced Signature Definition File
F. uses Cisco IPS 5.x signature format
Answer: F
This topic was not mentioned once in the entire Certification Guide, so be glad you came
across the question here. Starting in IOS 12.4(11)T, version 4.x signature files are no
longer supported, and only the 5.x format is accepted. 4.x files have to be migrated to the
5.x format. This link explained the details:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8057
Incorrect:
A: The Cisco IOS IPS works in inline mode. The SDM allows you to select the
interface on which the rule will be applied, and in what direction. It does not function as
an IDS and does not support promiscuous mode.
B: IEV stands for IDS Event Viewer. It was not part of this discussion. The IEV is a GUI
for easy parsing and reading of IDS alerts.
C: There doesn't appear to be anything wrong with this answer, and if 'F' wasn't
substantiated above, this would be the obvious choice. From Chapter 11, page 408: "Also
notice the Use Built-In Signatures (as backup) checkbox. Checking this box allows IPS to
use the Cisco IOS built-in signatures if a signature definition file cannot be found."
Perhaps this backup feature is universal across all IOS versions, so while correct, it's not
the 'most right' answer regarding the specific IOS release of 12.4(11)T.
D: It supports SDEE and SNMP to communicate alerts. Syslog is a message format, not a
method of sending alerts.
E: The IOS IPS doesn't technically require a signature file, though the IPS is rather
limited without one. A particular signature file should be selected based on the available
amount of memory. If a router has 256MB of RAM, then the 256MB.sdf can be used. If
no sdf file is present, the default is to load the approximately 135 signatures that make up
the backup.
QUESTION NO: 50
Which statement about Cisco IOS Zone-Based Policy Firewall is true?
A. Router management interfaces must be manually assigned to the self zone.
B. Service policies are applied in the interface configuration mode.
C. A router interface can belong to multiple zones.
D. Policy maps are used to classify traffic into different traffic classes, and class maps are
used to assign action to the traffic classes.
E. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces
within the zone-pair in both directions.
F. The pass action works in only one direction.
Answer: F
One of the principles of zone-based firewalls is that policies are unidirectional.
Reference: Chapter 10, page 369, Section "Examining the Principles Behind Zone-Based
Firewalls"
Incorrect:
A: Any interface not manually assigned to a zone is automatically considered part of the self zone.
B: Policies are assigned in zone-pair configuration mode.
C: A rule of zones is that an interface can belong to only one zone at a time.
D: A policy-map specifies the name of the policy, and must be done before you can
configure policies for individual classes. A class-map contains the match criteria to
determine the class a packet belongs to.
E: A zone-pair is never bidirectional, and only defines traffic flowing in one direction. On
the other hand, a zone is bidirectional.
QUESTION NO: 51
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?
(Choose two.)
A. SSH
B. Syslog
C. FTP
D. SDEE
E. TFTP
F. HTTPS
Answer: D,F
This information was also not found in the Cert Guide, but appeared in the Exam Cram:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8057
SDEE is the protocol used to transport messages from the IPS to the SDM, but SDEE
may use HTTPS for the transport protocol.
Incorrect:
A: SSH allows secure communication with the Cisco device, but isn't involved
with alerts.
B: Don't be tricked by this one. Syslog IS indeed involved in the transmission of alerts,
and is configurable within the SDM... so far, so good. Here's the issue: syslog is
considered passive. It waits for the sensor to send alerts to the syslog server. On the other
hand, SDEE is active and pulls alerts from the sensor on demand, as required in the
question.
C: FTP is not involved in the transfer of alerts, but rather for file transfer.
E: TFTP is in the same boat as FTP.
QUESTION NO: 52 DRAG DROP
You work as a network administrator for TestKing.com. Your boss, Mrs. Tess King, is
interested in Cisco Self-Defending Networks.
Match the descriptions with the appropriate characteristics.
Answer:
QUESTION NO: 53
Which location is recommended for extended or extended named ACLs?
A. a location as close to the destination traffic as possible
B. when using the established keyword, a location close to the destination point to ensure
that return traffic is allowed
C. an intermediate location to filter as much traffic as possible
D. a location as close to the source traffic as possible
Answer: D
While not always practical, best practice for extended or extended named ACLs is closest
to the source of traffic. This is because of the inclusion of destination IP information, as
well as port and protocol. To illustrate, if you wanted to filter telnet traffic to a cisco
device that's four hops away, you have the option of placing the ACL on any of the
ingress interface of any of the four routers. If you put it on the third or fourth, the traffic
gets to traverse the first couple hops, only to get dropped further down the chain. If the
extended ACL was placed on the first hop, the traffic could be dropped early, and not
even have to be seen by any of the other routers. And because of the depth of information
involved in an extended ACL, no other traffic from the source other than telnet need be
affected.
Reference: Chapter 10, page 354, table 10-12
Incorrect:
A: This is the ideal placement for standard ACLs, since they filter only on source IP.
Recommended placement of extended ACLs is closest to the source.
B: An established extended ACL is still an extended ACL.
C: Placement of an ACL does not increase the amount of traffic to be filtered. Having
said that, to filter traffic as early as possible, place the extended ACL as close to the
source as possible.
QUESTION NO: 54
Which aaa accounting command is used to enable logging of both the start and stop
records for user terminal sessions on the router?
A. aaa accounting exec start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting commands 15 start-stop tacacs+
D. aaa accounting network start-stop tacacs+
E. aaa accounting connection start-stop tacacs+
Answer: A
The question specifies accounting for 'user' terminal sessions on the router. That means
that of the options available, only exec fits. The rest do not handle user records.
Reference: Chapter 4, pages 125, 126, Table 4-6
Incorrect:
B: 'System' accounting records all system-level events that are NOT associated
with users.
C: 'Commands' accounting records all commands for a specified privilege level.
D: 'Network' accounting records all network-related service requests, including SLIP,
PPP, PPP NCP, and ARAP.
E: 'Connection' accounting records all outbound connections made from a NAS.
QUESTION NO: 55
Exhibit:
Jul 23 18:10:15 PST:%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.4)
You work as a network administrator at TestKing.com. You study the exhibit carefully.
You are a network manager for your organization. You are looking at your Syslog server
reports. Based on the Syslog message shown, which two statements are true? (Choose
two.)
A. Service timestamps have been globally enabled.
B. This message is unimportant and can be ignored.
C. This message is a level 5 notification message.
D. This is a normal system-generated information message and does not require further
investigation.
Answer: A,C
Without having run the "service timestamps" commands, syslog messages take the
following form:
17w5d: %LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to down.
The default is to show the uptime of the router/switch, not the specific time and date,
leaving you to try and count backwards from today to determine when the event occurred.
By issuing the "service timestamps log datetime localtime" command, reading the output,
never mind troubleshooting, is greatly simplified. The above output changes to:
Aug 20 09:11:22 EST: %LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed
state to down
And from the output in the question, the alert is a level-5 notification. The output levels
are:
0 - Emergencies
1 - Alerts
2 - Critical
3 - Errors
4 - Warnings
5 - Notifications
6 - Informational
7 - Debugging
The level of a particular message will be indicated by the Sys-level... in this case, a '5'.
Reference: Chapter 5, page 176, table 5-4
Incorrect:
B: If you are the administrator of this device, and you didn't telnet/ ssh into this device
from IP 10.1.1.4 on July 23, at 6:10pm, you certainly had better be concerned with this
alert.
D: This is not a system-generated message... it is a user-generated login message. And if
the timing and source IP are suspect, then it certainly does require further investigation.
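The two log formats contrasted above (uptime prefix versus "service timestamps" wall-clock prefix) and the severity digit in %SYS-5-CONFIG_I are easy to check mechanically. The following parser is an added example, not code from the Cert Guide or this Q&A; the sample log lines are constructed (the first two echo the messages quoted above), and the administrator allowlist is an assumed input.

```python
import re
from typing import NamedTuple, Optional

# Severity levels exactly as listed in the explanation above.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Every IOS syslog message carries "%FACILITY-SEVERITY-MNEMONIC: text".
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Optional "service sequence-numbers" prefix, e.g. "000123: ".
SEQ_RE = re.compile(r"^\d{6}:\s*")
# Wall-clock prefix produced by "service timestamps log datetime [localtime]",
# e.g. "Jul 23 18:10:15 PST" (IOS prepends "*" or "." when the clock is unsynchronised).
DATETIME_RE = re.compile(
    r"^[*.]?[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{2,5})?$"
)
# Uptime prefix used when timestamps are not enabled: "17w5d", "3d04h", "00:02:15".
UPTIME_RE = re.compile(r"^(?:\d+y)?(?:\d+w)?(?:\d+d)?(?:\d+h)?(?:\d{2}:\d{2}:\d{2})?$")
# Body of %SYS-5-CONFIG_I: "Configured from console by vty0 (10.1.1.4)".
CONFIG_RE = re.compile(r"Configured from \S+ by (?P<line>\S+)(?: \((?P<ip>[0-9.]+)\))?")


class IosMessage(NamedTuple):
    timestamp: str        # "datetime", "uptime", "none" or "unknown"
    facility: str
    severity: int
    severity_name: str
    mnemonic: str
    text: str


def parse_ios_syslog(line: str) -> Optional[IosMessage]:
    """Split one IOS log line into its timestamp kind and %FAC-SEV-MNEMONIC fields."""
    line = SEQ_RE.sub("", line.strip())
    m = MSG_RE.search(line)
    if m is None:
        return None
    prefix = line[: m.start()].strip().rstrip(":").strip()
    if not prefix:
        kind = "none"
    elif DATETIME_RE.match(prefix):
        kind = "datetime"      # "service timestamps" is globally enabled
    elif UPTIME_RE.match(prefix):
        kind = "uptime"        # default: time since boot, not wall-clock time
    else:
        kind = "unknown"
    sev = int(m.group("severity"))
    return IosMessage(kind, m.group("facility"), sev, SEVERITY_NAMES[sev],
                      m.group("mnemonic"), m.group("text").strip())


def review_config_change(msg: IosMessage, admin_hosts: set) -> Optional[str]:
    """Return a reason to investigate a CONFIG_I message, or None if it looks expected.

    admin_hosts is an assumed allowlist of addresses administrators connect from.
    """
    if (msg.facility, msg.mnemonic) != ("SYS", "CONFIG_I"):
        return None
    m = CONFIG_RE.search(msg.text)
    if m is None or m.group("ip") is None:
        return None           # local console change: no remote address to check
    if m.group("ip") in admin_hosts:
        return None
    return (f"configuration changed via {m.group('line')} from {m.group('ip')}, "
            f"which is not a known administrator host")


# Constructed sample log lines; the first two echo the messages quoted above.
SAMPLE_LINES = [
    "Jul 23 18:10:15 PST:%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.4)",
    "17w5d: %LINK-3-UPDOWN: Interface GigabitEthernet0/41, changed state to down",
    "Aug 20 09:11:22 EST: %SYS-5-CONFIG_I: Configured from console by vty1 (192.0.2.77)",
]


def triage(lines, admin_hosts) -> list:
    """Parse each line and collect (severity_name, reason) for anything worth a look."""
    findings = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            continue
        reason = review_config_change(msg, admin_hosts)
        if reason:
            findings.append((msg.severity_name, reason))
    return findings


if __name__ == "__main__":
    for sev, why in triage(SAMPLE_LINES, {"10.1.1.4"}):
        print(f"[{sev}] {why}")
```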
QUESTION NO: 56
What is the primary type of intrusion prevention technology used by the Cisco IPS
security appliances?
A. netflow anomaly-based
B. rule-based
C. signature-based
D. protocol analysis-based
E. profile-based
Answer: C
Signatures are the primary method of detection and prevention used by IDS and IPS
technologies. A signature is a string of bytes in a certain context that is recognizable and
triggers detection.
Reference: Chapter 11, page 389, section: "Signature-Based Detection"
Incorrect:
A: Anomaly-based detection is getting more popular, as it is practical and affordable.
Anywhere that you have a cisco router/switch that is NetFlow ready, you can enable
flow-based anomaly detection. It is heavy on statistics, thresholds, and patterns, though. It
is also prone to 'false positives'.
B: With rule-based methods, you need a very specific declaration of what the rules and
policies are. Only then can the IPS report back on when a rule is broken. Anything not
clearly defined gets through.
D: Application-layer IPS technology is becoming popular, where the IPS analyses layer 7
protocols like HTTP or FTP, looking for anomalous behaviour or exploits. Most IPSs are
not full protocol analyzers.
E: Profile-based methods are similar to rule-based, in that the profile must be clearly
defined. Only when the profile is clearly spelled out can an IPS recognize 'out of profile'
traffic that does not conform to the policy. It is prone to 'false positives'.
QUESTION NO: 57
Exhibit:
You work as a network administrator at TestKing.com. You study the exhibit carefully.
Which statement about the aaa configurations is true?
A. If the TACACS+ AAA server is not available, no users will be able to establish a
Telnet session with the router.
B. The authentication method list used by the console port is named test.
C. The authentication method list used by the vty port is named test.
D. The local database is checked first when authenticating console and vty access to the
router.
E. If the TACACS+ AAA server is not available, console access to the router can be
authenticated using the local database.
Answer: C
You, as the network administrator, configured "line vty 0 4" to use "test" with the
command "login authentication test". Everything else is a distraction.
Reference: Chapter 10, page 360, section "vty Filtering"
Incorrect:
A: If the "login authentication default" command had been issued, then it's TACACS+ or
nothing. "test" was written to first look at TACACS+ for authentication, but then allows the
local database to be checked before denying access.
B: No authentication method list is defined for the console port.
D: The local database is checked second when using vty access.
E: Since the "login" command has not been issued for the console port, neither TACACS+
nor the local database is required to gain access.
QUESTION NO: 58
You suspect an attacker in your network has configured a rogue layer 2 device to
intercept traffic from multiple VLANS, thereby allowing the attacker to capture
potentially sensitive data. Which two methods will help to mitigate this type of activity?
(Choose two.)
A. Place unused active ports in an unused VLAN
B. Disable DTP on ports that require trunking
C. Set the native VLAN on the trunk ports to an unused VLAN
D. Turn off all trunk ports and manually configure each VLAN as required on each port
E. Secure the native VLAN, VLAN 1 with encryption
Answer: B,C
Most Cisco switches default to "auto" for trunking, allowing an attacker to make their
switch port into a trunk by spoofing DTP frames, or attaching a switch. Combating this
requires disabling trunking on all ports not needing to form trunks, and disabling DTP on
those that do. Also, as a preventative measure against double-tagging, the native VLAN
should not be used for user traffic. Rather, create a VLAN in the organization that doesn't
have any ports assigned to it. This unused VLAN will only serve the purpose of being the
native VLAN. Therefore, even if an attacker is successful in double-tagging, they will
receive no traffic on the native VLAN.
Reference: Chapter 6, pages 213, 214 sections "Switch Spoofing" and "Double Tagging"
Incorrect:
A: What is an unused but active port? If it's active, then it's in use.
D: Manually configuring VLANs on each port is fine, but without trunks, there can be no
communication between VLANs, since a layer-3 device is required to route between
them.
E: Encryption? Between where and where? Between the switch and router? Across the
whole enterprise? Right from the users' desktop? This option is impractical, if not
impossible.
QUESTION NO: 59
Which three statements about SSL-based VPNs are true? (Choose three.)
A. Asymmetric algorithms are used for authentication and key exchange.
B. You can also use the application programming interface to extensively modify the SSL
client software for use in special applications.
C. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.
D. The authentication process uses hashing technologies.
E. SSL VPNs require special-purpose client software to be installed on the client
machine.
F. Symmetric algorithms are used for bulk encryption.
Answer: A,D,F
SSL VPNs have some great built-in features. One is the lack of need for client software,
as SSL is built into most browsers today. It also employs several open-standard protocols,
including asymmetric algorithms for authentication and key exchange, hashing for
authentication, and symmetric algorithms for bulk encrypting (typically RC4).
Reference: Chapter 12, page 458, section "SSL VPNs"
Incorrect:
B: There is no SSL client software... SSL software is built into browser software.
C: On the contrary. SSL VPNs and IPsec VPNs provide complementary technologies and
can be deployed together.
E: Nope, no 'special' software required.
QUESTION NO: 60
Which of these correctly matches the CLI command(s) to the equivalent SDM wizard that
performs similar configuration functions?
A. class-maps, policy-maps, and service-policy configuration commands and the SDM
IPS wizard
B. Cisco Common Classification Policy Language configuration commands and the SDM
Site-to-Site VPN wizard
C. aaa configuration commands and the SDM Basic Firewall wizard
D. setup exec command and the SDM Security Audit wizard
E. auto secure exec command and the SDM One-Step Lockdown wizard
Answer: E
Running "auto secure" from the CLI, particularly with the "no-interact" parameter,
automatically secures the router... very similar to using the "One-step Lockdown" wizard
in the SDM.
Reference: Chapter 5, pages 161-171, sections "AutoSecure" and "Cisco SDM One-Step
Lockdown"
Incorrect:
A: Class-maps, policy-maps, and service-policy are firewall commands, not IPS
commands.
B: The C3PL is for configuring firewall policies, not VPNs.
C: AAA commands from the CLI match up with the AAA category in the "Additional
Tasks" window in the SDM. AAA is not a function of any of the firewall features in the
SDM.
D: Seeing as "setup" erases your routers config and launches the System Configuration
Dialogue for a fresh start, it certainly doesn't match up with the SDM's "One-Step
Lockdown" wizard.
QUESTION NO: 61
Which three statements about applying access control lists to a Cisco router are true?
(Choose three.)
A. If an access list is applied but is not configured, all traffic will pass.
B. You can assign multiple access lists per interface, regardless of direction or protocol.
C. ACLs always search for the most specific entry before taking any filtering action.
D. Place generic ACL entries at the top of the ACL to filter general traffic and thereby
reduce "noise" on the network.
E. Router-generated packets cannot be filtered by ACLs on the router.
F. Place more specific ACL entries at the top of the ACL.
Answer: A,E,F
Yes, there is an implicit DENY at the end of every ACL. If, though, you use the "ip
access-group 101 in" command, but haven't yet created ACL 101, there is no access-list,
therefore, there is no implicit DENY. All traffic flows.
You could apply an ACL that denies all traffic outbound on an interface and still be able
to ping from that router to a neighbour. Router-generated traffic is not checked against
outbound filters.
Since ACLs are read from top down, you will want your most specific ACEs up high to
ensure they're applied before more generic entries lower in the list have a chance to act
upon the traffic with undesirable consequences.
Reference: Chapter 10, pages 348, 349, sections "The Basics of ACLs" and "Cisco ACL
Configuration"
Incorrect:
B: You can assign TWO ACLs per interface, one in each direction.
C: A router scans the ACL from top to bottom in the exact order in which it appears,
looking for the first pattern that the packet matches.
D: Since ACLs are read from top to bottom, having general 'generic' entries at the top will
cause traffic that should be denied to be permitted, and traffic that should be permitted
may get denied. Therefore, best practice is to place specific entries as high as possible,
and generic lower.
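The three behaviours behind answers A, E and F (no implicit deny when the applied ACL does not exist, router-generated traffic bypassing outbound filters, and first-match ordering) can be checked with a small ACL evaluator. This is an added example, not Cisco code or code from the Cert Guide; it writes networks as CIDR prefixes instead of IOS wildcard masks, and the ACL entries and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    router_generated: bool = False  # True for traffic the router itself originates


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Networks are CIDR here; IOS uses wildcard masks."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # "0.0.0.0/0" is the same as the IOS keyword "any"
    dst: str
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


def evaluate_acl(aces: List[Ace], p: Packet) -> str:
    """Top-down, first-match evaluation with the implicit deny at the end."""
    for ace in aces:
        if ace.matches(p):
            return ace.action
    return "deny"


def filter_packet(configured: Dict[int, List[Ace]], applied: int,
                  direction: str, p: Packet) -> str:
    """Decision for a packet crossing an interface with 'ip access-group <applied> <direction>'."""
    if applied not in configured:
        return "permit"    # answer A: applied but never created, so no entries and no implicit deny
    if direction == "out" and p.router_generated:
        return "permit"    # answer E: the router's own packets skip outbound ACLs
    return evaluate_acl(configured[applied], p)


# Constructed example: block Telnet from one host to a router while permitting the rest of the site.
DENY_TELNET = Ace("deny", "tcp", "10.1.1.7/32", "10.2.2.2/32", 23)
PERMIT_SITE = Ace("permit", "ip", "10.1.0.0/16", "0.0.0.0/0")
SPECIFIC_FIRST = [DENY_TELNET, PERMIT_SITE]   # answer F: most specific entry on top
GENERIC_FIRST = [PERMIT_SITE, DENY_TELNET]    # answer D: the generic entry shadows the deny
DENY_ALL = [Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]

TELNET = Packet("tcp", "10.1.1.7", "10.2.2.2", 23)
WEB = Packet("tcp", "10.1.1.7", "10.2.2.2", 80)
OUTSIDER = Packet("tcp", "10.9.9.9", "10.2.2.2", 80)
ROUTER_PING = Packet("icmp", "10.2.2.1", "10.2.2.2", router_generated=True)

if __name__ == "__main__":
    acls = {101: SPECIFIC_FIRST, 102: GENERIC_FIRST, 103: DENY_ALL}
    print("specific first, telnet:", filter_packet(acls, 101, "in", TELNET))      # deny
    print("generic first, telnet: ", filter_packet(acls, 102, "in", TELNET))      # permit (shadowed)
    print("ACL 104 not configured:", filter_packet(acls, 104, "in", OUTSIDER))    # permit
    print("router ping, deny-all out:", filter_packet(acls, 103, "out", ROUTER_PING))  # permit
```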
QUESTION NO: 62
Which characteristic is a potential security weakness of a traditional stateful firewall?
A. It has low performance due to the use of syn-cookies.
B. The status of TCP sessions is retained in the state table after the sessions terminate.
C. It cannot support UDP flows.
D. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.
E. It works only in promiscuous mode.
F. It cannot detect application-layer attacks.
Answer: F
By definition, a stateful firewall constructs a state table which holds info from the
headers, including source/destination IPs (layer 3) and port information (layer 4). It
particularly takes note of SYNs, RSTs, ACKs and FINs, and other control codes (layer
5). It does not inspect anything at layer 7, where malicious URLs, buffer overflows,
unauthorized access, etc., can still wreak havoc.
Reference: Chapter 10, page 329. Section: "Benefits of Using Application Layer
Firewalls"
Incorrect:
A: The performance of stateful firewalls is very good, despite the use of SYN cookies. Be
aware that SYN cookies, part of the TCP SYN and ACK process, can be used for DoS
attacks, in which case the attacker launches numerous SYN packets with random source
IPs; the router replies with a SYN-ACK packet, and awaits the final ACK from the attacker
that never arrives. To keep track of the open connections that are waiting
This is a separate issue not mentioned in the question.
B: Incorrect. The state table quickly flushes sessions that have terminated.
C: Stateful firewalls can support UDP flows, and are able to reflexively permit return
traffic back through the firewall, just as with TCP.
D: A state table insists that each TCP connection follows the three-way handshake
process. Any flow for which the router has replied with a SYN-ACK, and is waiting for the
final ACK, is considered by the firewall to be "half-open". Half-open connections do not
transfer data until the handshake is completed.
E: The IOS firewall works only in "inline" mode.
QUESTION NO: 63
When configuring AAA login authentication on Cisco routers, which two authentication
methods should be used as the final method to ensure that the administrator can still log
in to the router in case the external AAA server fails? (Choose two.)
A. if-authenticated
B. group TACACS+
C. krb5
D. enable
E. group RADIUS
F. local
Answer: D,F
If you use the "aaa authentication login default group tacacs+" command, and don't include
either "enable" or "local", you are fine, as long as the AAA server never dies or goes
offline. In this config, there's no backup authentication method. By adding either "local"
or "enable" after "default group tacacs+", you instruct the router to first try the AAA
server, and if unsuccessful, allow either the enable password (or secret) or a local
username/password to suffice.
Reference: Chapter 4, pages 119, 120, sections "Defining a Method List" and "Setting
AAA Authentication for Login"
Incorrect:
A: The "if-authenticated" command is an AAA authorization command, not
authentication. And, it assumes that a user has been validly authenticated before
authorizing the use of commands... if there's an authentication issue, this command is
useless.
B: This should be part of every AAA command, but as the main method of
authentication, it provides no backup.
C: Kerberos still uses a remote Kerberos Security Server for authentication, introducing
the same login failure issue if the server is unavailable. It is therefore not suitable as a
final method to ensure admin login.
E: The same as B... if you are using RADIUS rather than TACACS+, this will be part of your core
method. You do not want this to be the only method available, since the remote server is
still your single point of failure.
QUESTION NO: 64
Cisco Router and Security Device Manager (SDM) utility Exhibit:
Further exhibits:
You have been tasked to examine the current Cisco IOS Zone-Based Policy Firewall
configurations on the LA-ISR router using the Cisco Router and Security Device
Manager (SDM) utility. Using the appropriate Cisco SDM configuration screens, you will
need to answer the multiple-choice question in this simulation.
Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose
three)
A. pop3
B. citrix
C. ftp
D. SNMP
E. l2tp
F. sql-net
Answer: A,C,F
Once again, not in the Cert Guide, so be glad you saw it here. The "sdm-cls-insp-traffic"
rule inspects a broad array of protocols, and looks like this when applied:
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
!
Based on that output, you can see that ftp, pop3, and sql-net are included.
QUESTION NO: 65
Which VoIP components can permit or deny a call attempt on the basis of a network's
available bandwidth?
A. MCU
B. Gateway
C. Gatekeeper
D. Application Server
Answer: C
Explanation:
Gatekeepers can be thought of as the traffic cops of the WAN. For example, because
bandwidth on a WAN typically is somewhat limited, a gatekeeper can monitor the available
bandwidth. Then, when there is not enough bandwidth to support another voice call, the
gatekeeper can deny future call attempts.
A) MCU: Multipoint Control Unit. MCUs are useful for conference calling. In a conference
call, you might have multiple people talking at the same time, and everyone on that
conference call can hear them. It takes processing power to mix together these audio
streams. MCUs provide that processing power. MCUs might contain digital signal
processors (DSP), which are dedicated pieces of computer circuitry that can mix together
those audio streams.
B) A gateway in Cisco networking does not have anything to do with bandwidth monitoring.
D) Application server: possibly, but not in this context.
QUESTION NO: 66
Which statement is true about a Smurf Attack?
A. It uses Trojan horse applications to create a distributed collection of "zombie"
computers, which can be used to launch a coordinated DDos attack
B. It sends ping requests in segments of an invalid size
C. It sends ping requests to a subnet, requesting that devices on that subnet send ping
replies to a target system
D. It intercepts the third step in a TCP three-way handshake to hijack a session
Answer: C
Explanation:
"Smurf attack" can use ICMP traffic directed to a subnet to flood a target system with
ping replies.
Example: in the figure, the attacker sends a ping to the subnet broadcast
address of 172.16.0.0/16. This collection of pings instructs devices on that subnet to send
their ping replies to the target system at IP address 10.2.2.2, thus flooding the target
system's bandwidth and processing resources.
QUESTION NO: 67
Which statement best describes the Turbo ACL feature? (Choose all that apply.)
A. The turbo ACL feature leads to increased latency, because the time it takes to match
the packet is variable
B. The turbo ACL feature processes ACLs into lookup tables for greater efficiency
C. Turbo ACLs increase the CPU load by matching the packet to a predetermined list
D. The turbo ACL feature leads to reduced latency, because the time it takes to match the
packet is fixed and consistent
Answer: B,D
Explanation:
The Cisco 7200 series, Cisco 7500 series, and Cisco 12000 series routers support the
Turbo ACL feature, which processes ACLs into lookup tables for greater efficiency.
Turbo ACLs use the packet header to access these tables in a small, fixed number of
lookups, independent of the existing number of ACL entries. The Turbo ACL feature has
a number of benefits:
* For ACLs with more than three entries, the CPU load is lower when matching the
packet to the predetermined packet matching. The Turbo ACL feature fixes the CPU load,
regardless of the size of the ACL, allowing the use of larger ACLs without adding CPU
overhead.
* The Turbo ACL feature leads to much reduced latency because the time it takes to
match the packet is fixed. More importantly, the time taken to match is consistent,
allowing for better network stability and more accurate transit times.
QUESTION NO: 68
When configuring Cisco IOS login enhancements for virtual connections, what is the
"quiet period"?
A. The period of time between successive login attempts
B. A period of time when no one is attempting to log in
C. The period of time in which virtual logins are blocked as security services fully
initialize
D. The period of time in which virtual login attempts are blocked, following repeated
failed login attempts
Answer: D
Explanation:
This question is about Cisco IOS Login Enhancements for Virtual Connections feature
which adds the following requirements to the login process:
- Create a delay between repeated login attempts.
- Suspend the login process if a denial-of-service (DoS) attack is suspected.
- Create syslog messages upon the success and/or failure of a login attempt.
These login enhancements are not enabled by default. To enable the login enhancements
with their default settings, you can issue the login block-for command in global
configuration mode. The default login settings specify the following:
- A delay of 1 second occurs between successive login attempts.
- No virtual connection (that is, a connection using Telnet, SSH, or HTTP) can be made
during the "quiet period," which is a period of time in which virtual login attempts are
blocked, following repeated failed login attempts.
QUESTION NO: 69
Which two primary port authentication protocols are used with VSANs? (Choose two.)
A. ESP
B. DHCHAP
C. SPAP
D. CHAP
Answer: B,D
Explanation:
This question is about virtual storage-area networks (VSAN) aimed at providing true
isolation of SAN-attached devices. There are two primary port authentication protocols
when working with VSANs:
- Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP)
- Challenge Handshake Authentication Protocol (CHAP)
DHCHAP may be used to authenticate devices connecting to a Fibre Channel switch. By
using Fibre Channel authentication, you allow only trusted devices to be added to a
fabric. This prevents unauthorized devices from accessing the Fibre Channel switch.
DHCHAP supports both switch-to-switch and host-to-switch authentication. It's a
mandatory password-based, key-exchange authentication protocol. Before any
authentication may be performed, DHCHAP negotiates hash algorithms and Diffie-
Hellman (DH) groups. In addition, it supports Message Digest 5 (MD5) and Secure Hash
Algorithm 1 (SHA-1)-based authentication.
CHAP is the mandatory protocol for iSCSI, as chosen by the Internet Engineering Task
Force (IETF). CHAP has been around for quite some time and is based on shared secrets.
To strengthen CHAP, DHCHAP adds a DH exchange that both strengthens CHAP and
provides an agreed-upon secret key. The goal of DHCHAP is to be a simple,
easy-to-implement protocol.
QUESTION NO: 70
If a switch is working in the fail-open mode, what will happen when the switch's CAM
table fills to capacity and a new frame arrives?
A. The frame is transmitted on the native VLAN
B. The frame is dropped
C. A copy of the frame is forwarded out all switch ports other than the port the frame was
received on
D. The switch sends a NACK segment to the frame's source MAC address
Answer: C
Explanation:
A Cisco Catalyst switch uses a Content Addressable Memory (CAM) table to store the
information used by the switch to make forwarding decisions. Specifically, the CAM
table contains a listing of MAC addresses that have been learned from each switch port.
Then, when a frame enters the switch, the switch interrogates the frame's destination
MAC address. If the destination MAC address is known to exist off one of the switch
ports, the frame is forwarded out only that port.
However, the switch's CAM table does have a finite size. Therefore, if the
CAM table ever fills to capacity, the switch is unable to learn new MAC addresses. As a
result, when frames arrive destined for these unlearned MAC addresses, the switch floods
a copy of these frames out all other switch interfaces, other than the interfaces they were
received on.
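The learn-then-forward behaviour described above, and what changes once the CAM table is full, can be modelled in a few lines. This is an added example, not Cisco code or code from the Cert Guide; the switch model, MAC addresses and port names are constructed, and the optional per-port MAC limit is the port-security style mitigation a practitioner would compare against, not something the question discusses.

```python
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class FailOpenSwitch:
    """Minimal model of a switch with a finite CAM table (MAC address -> port).

    When the table is full the switch keeps forwarding (fail-open) but can no
    longer learn, so frames to unlearned destinations are flooded out every port.
    """

    def __init__(self, ports: List[str], capacity: int,
                 max_macs_per_port: Optional[int] = None):
        self.ports = list(ports)
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port   # assumed port-security style limit
        self.cam: Dict[str, str] = {}
        self.err_disabled: set = set()

    def _macs_on(self, port: str) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, ingress: str, src_mac: str, dst_mac: str) -> List[str]:
        """Return the egress ports for one frame, learning its source MAC on the way."""
        if ingress in self.err_disabled:
            return []
        # Learning phase: record the source MAC against the port it arrived on.
        if src_mac in self.cam:
            self.cam[src_mac] = ingress
        elif (self.max_macs_per_port is not None
              and self._macs_on(ingress) >= self.max_macs_per_port):
            # Violation: shut the port and forget what it claimed, instead of learning more.
            self.err_disabled.add(ingress)
            self.cam = {m: p for m, p in self.cam.items() if p != ingress}
            return []
        elif len(self.cam) < self.capacity:
            self.cam[src_mac] = ingress
        # else: table full, a fail-open switch silently stops learning
        # Forwarding phase: known unicast goes to one port, anything else is flooded.
        out = self.cam.get(dst_mac) if dst_mac != BROADCAST else None
        if out is not None:
            return [] if out == ingress else [out]
        return [p for p in self.ports if p != ingress]


def cam_exhaustion_demo(max_macs_per_port: Optional[int] = None) -> dict:
    """Constructed scenario: one port claims many source MACs until the table is full."""
    sw = FailOpenSwitch(["Gi0/1", "Gi0/2", "Gi0/3"], capacity=4,
                        max_macs_per_port=max_macs_per_port)
    sw.forward("Gi0/1", "00:00:00:00:00:aa", BROADCAST)            # aa learned on Gi0/1
    for i in range(3):                                             # Gi0/3 claims three MACs
        sw.forward("Gi0/3", f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    sw.forward("Gi0/2", "00:00:00:00:00:bb", "00:00:00:00:00:aa")  # bb arrives afterwards
    return {
        "cam_entries": len(sw.cam),
        "bb_learned": "00:00:00:00:00:bb" in sw.cam,
        # Where does aa's reply to bb go? One port if bb was learned, otherwise flooded.
        "reply_to_bb": sw.forward("Gi0/1", "00:00:00:00:00:aa", "00:00:00:00:00:bb"),
        "err_disabled": sorted(sw.err_disabled),
    }


if __name__ == "__main__":
    print("no per-port limit:", cam_exhaustion_demo())
    print("one MAC per port: ", cam_exhaustion_demo(max_macs_per_port=1))
```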
QUESTION NO: 71
IPsec is negotiated within the protection of which type of tunnel?
A. ISAKMP tunnel
B. GRE Tunnel
C. L2TP tunnel
D. L2F tunnel
Answer: A
Explanation:
During IKE Phase 1, a secure ISAKMP session is established, using either main
mode or aggressive mode. During IKE Phase 1, the IPsec endpoints establish
transform sets (that is, a collection of encryption and authentication protocols), hash
methods, and other parameters needed to establish a secure ISAKMP session
(sometimes called an ISAKMP tunnel or an IKE Phase 1 tunnel).
QUESTION NO: 72
The enable secret password appears as an MD5 hash in a router's configuration file,
whereas the enable password is not hashed (or encrypted, if the password-encryption
service is not enabled). What is the reason that Cisco still supports the use of both the enable
secret and enable passwords in a router's configuration?
A. The enable password is present for backward compatibility
B. The enable password is considered to be a router's public key, whereas the enable
secret password is considered to be a router's private key
C. The enable password is used for IKE Phase I, whereas the enable secret password is
used for IKE Phase II
D. Because the enable secret password is hashed, it cannot be decrypted. Therefore, the
enable password is used to match the password that was entered, and the enable secret is used
to verify that the enable password has not been modified since the hash was generated
Answer: A
Explanation:
The enable password is not encrypted (or hashed) by default. Therefore, the enable password is considered
weaker than the enable secret password. However, Cisco IOS still supports the enable password for backward
compatibility. For example, if the IOS version on a router were rolled back to a version that supported the
enable password but not the enable secret password, the enable password would still offer some level of security.
The enable secret password is used to permit access to a router's privileged mode. The password is stored in
the router's configuration as an MD5 hash value, making it difficult for an attacker to
guess and impossible to read directly from the configuration.
QUESTION NO: 73
When configuring role-based CLI on a Cisco router, which action will be taken first?
A. Create a parser view called "root view"
B. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco
IOS command
C. Enable the root view on the router
D. Log in to the router as the root user
Answer: C
Explanation:
Similar to making different commands available to different administrators using privilege levels, role-based
command-line interface (CLI) views can be used to provide different sets of configuration information to different
administrators.
Following are the steps required to configure these views:
Step 1 Enable AAA to support views.
Example: how to enable AAA on an IOS router:
Router# conf term
Router(config)# aaa new-model
Router(config)# end
Step 2 Enable the root view: The root view is represented by the set of commands available to
an administrator logged in with a privilege level of 15. You might be required to provide
the enable secret password to enable the root view.
Example:
Router# enable view
Password: .........
Router#
Step 3 Create a view
Step 5 Add available commands to the view. The command syntax is:
commands parser_mode {include | include-exclusive | exclude} [all] [interface interface_identifier | command]
Step 6 Verify the role-based CLI view configuration
Therefore the actual first step, enabling AAA, is missing from the options, and the only option left is C: enable the root view.
QUESTION NO: 74
Examine the following items. Which one offers a variety of security solutions, including
firewall, IPS, VPN, antispyware, antivirus and antiphishing features?
A. Cisco 4200 Series IPS Appliance
B. Cisco IOS Router
C. Cisco PIX 500 Series security appliance
D. Cisco ASA 5500 Series Security Appliance
Answer: D
Explanation:
The Cisco advances in firewall technologies include the acquisition of the original Private
Internet Exchange (PIX) technology in 1995. Today Cisco continues to develop PIX
capabilities. The Cisco PIX appliances represent network layer firewalls that employ
stateful inspection. These firewalls allow internal connections out (outbound traffic) and
only allow inbound traffic that is a response to a valid request or that is explicitly allowed
by an access control list (ACL). Cisco PIX technology may be configured to perform a
variety of critical network functions, including Network Address Translation (NAT) and
Port Address Translation (PAT).
In addition to working with Cisco PIX appliances, you may choose to use the features of
the Cisco IOS Firewall embedded in Cisco IOS software. This allows you to turn your
router into an effective, robust firewall with many of the capabilities of the Cisco PIX
Security Appliance.
Cisco offers the Adaptive Security Appliance (ASA), which provides an easy-to-deploy
solution that integrates firewall, Unified Communications (voice/video) security, SSL and
IPsec VPN, intrusion prevention system (IPS), and content security services.
QUESTION NO: 75
Which classes does the US government place classified data into? (Choose three.)
A. SBU
B. Top-Secret
C. Confidential
D. Secret
Answer: B,C,D
Explanation:
Table: Government and Military Data Classification:
QUESTION NO: 76
Examine the following options. When editing global IPS settings, which one determines whether
the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine
while a new signature for that engine is being compiled?
A. Enable Default IOS Signature
B. Enable Engine Fail Closed
C. Enable Signature Default
D. Enable Fail Opened
Answer: B
Explanation:
Enable Engine Fail Closed: This option determines if the IOS-based IPS feature will drop or permit traffic for a
particular IPS signature engine while a new signature for that engine is being compiled. If this option is
enabled, traffic is dropped if IPS services are unavailable. If this option were disabled
(which would be known as a fail open configuration), traffic would be passed when IPS
services are unavailable.
QUESTION NO: 77
Which item accounts for the great majority of software vulnerabilities that have been discovered?
A. Heap overflows
B. Stack vulnerabilities
C. Buffer overflows
D. Software overflows
Answer: C
Explanation:
Buffer overflow: A programming error that may result in erratic program behavior, a
memory access exception and program termination, or a possible breach of system
security. When a user or other source interacts with an application, the application has to carefully verify
all input, because the input might contain improperly formatted data, control sequences,
or simply too much data for the application to work with. When these things occur, a
buffer overflow condition can arise. Attackers realize this and try to exploit this
vulnerability. In fact, buffer overflows are a very common type of exploitation used by attackers. Buffer
overflows are one of the most commonly exploited computer security risks because of the
structure of how computers handle data.
An attacker who unleashes a buffer overflow exploit essentially tries to overwrite
memory on an application stack by supplying too much data to the input buffer. Because
this form of attack uses the application's very nature against itself, it can be hard to stop.
As soon as an attacker discovers the vulnerabilities that lead to this condition, he or she
can repackage exploit code for widespread use.
Heap overflow: A type of buffer overflow that occurs in the heap data area. Memory on
the heap is dynamically allocated by the application at runtime and typically contains
program data. A heap overflow is not as likely to result in a condition permitting remote
code execution as a stack-based buffer overflow.
B) Stack vulnerabilities are not the most common type of software vulnerability.
D) Software overflow: this concept does not exist.
QUESTION NO: 78
Which one of the following common elements of a network design is the most
important?
A. Security policy
B. Business needs
C. Best practices
D. Risk analysis
Answer: B
Explanation:
A common temptation when designing a security solution for a network is to make the
network so secure that it cannot easily be used for its intended purpose. Therefore, when
designing a network security solution, designers should recognize that business needs
supersede all other needs. However, other factors do enter into the design equation.
Consider the following elements of a secure network design:
* Business needs: Business needs dictate what an organization wants to accomplish with
its network. Note that this need is the most important of all the needs.
* Risk analysis: As previously discussed, a comprehensive risk analysis can be used to
assign an appropriate level of resources (for example, an appropriate amount of money) to
a potential security risk.
* Security policy: Earlier in this chapter you read about the elements of a security policy. A
security policy typically contains multiple documents, targeting specific audiences within
an organization. These individual documents provide day-to-day guidance, relating to
network security, for all organizational employees.
* Best practices: Rather than the mandatory rules imposed by a security policy, a set of
best practices (developed internally and/or externally) can offer proven methods for
achieving a desired result.
* Security operations: Day-to-day security operations entail responding to an incident,
monitoring and maintaining a system, and auditing a system (to ensure compliance with
an organization's security policy).
QUESTION NO: 79
Please choose the correct description of the Cisco Self-Defending Network
characteristics:
1. Interaction amongst services and devices to mitigate attacks
2. Enabling elements in the network to be a point of policy enforcement
3. Security technologies that evolve with emerging attacks
A. INTEGRATED-1, COLLABORATIVE-2, ADAPTIVE-3
B. INTEGRATED-2, COLLABORATIVE-1, ADAPTIVE-3
C. INTEGRATED-2, COLLABORATIVE-3, ADAPTIVE-1
D. INTEGRATED-3, COLLABORATIVE-2, ADAPTIVE-1
Answer: B
QUESTION NO: 80
Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS
image, the configuration files, or both have been properly backed up and secured?
A. show flash
B. show archive
C. show secure bootset
D. show file systems
Answer: C
Explanation:
To protect a router's image and configuration from an attacker's attempt to erase those
files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these files.
These files are called the bootset.
The following table shows the steps required to configure Cisco IOS Resilient
Configuration.
Step 3 is the answer.
QUESTION NO: 81
What is static packet filtering used for?
A. It validates the fact that a packet is either a connection request or a data packet
belonging to a connection
B. It evaluates network packets for valid data at the application layer before allowing
connections
C. It keeps track of the actual communication process through the use of a state table
D. It analyzes network traffic at the network and transport protocol layers
Answer: D
Explanation:
There are four generations of firewall technologies including static packet-filtering
firewalls, circuit-level firewalls, application layer firewalls, and dynamic packet-filtering
firewalls. The table lists the four main types of firewall technologies:
QUESTION NO: 82
Which type of MAC address is dynamically learned by a switch port and then added to the
switch's running configuration?
A. Static secure MAC address
B. Dynamic secure MAC address
C. Pervasive secure MAC address
D. Sticky secure MAC address
Answer: D
Explanation:
To mitigate MAC address spoofing attacks, a switch administrator can configure the
Cisco Catalyst switch to use sticky secure MAC addresses. When configured for sticky
secure MAC addresses, a Catalyst switch dynamically learns MAC addresses connected
to various ports. These dynamically learned MAC addresses are added to the switch's
running configuration, thus preventing an attacker from spoofing a previously learned
address.
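The flooding behaviour described in the Q70 explanation and the sticky secure MAC binding of Q82 can be watched together in the following learning-switch model. This is an added example written for this page, not Cisco code; the port numbers, the three-entry CAM capacity and the MAC addresses are constructed demo values, and `Switch`, `forward` and `demo` are names chosen here.

```python
"""Toy learning switch: CAM-table exhaustion (fail-open flooding) and sticky
secure MAC addresses.  Added teaching model, not Cisco code; port numbers,
CAM capacity and MAC addresses are constructed demo values."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: list[int]                       # physical port identifiers
    cam_capacity: int                      # finite CAM table size (demo value)
    # port -> maximum number of sticky secure MAC addresses allowed on it
    sticky_ports: dict[int, int] = field(default_factory=dict)
    cam: dict[str, int] = field(default_factory=dict)          # MAC -> port
    secure: dict[int, set[str]] = field(default_factory=dict)  # port -> sticky MACs
    violations: list[tuple[int, str]] = field(default_factory=list)

    def _learn(self, src: str, port: int) -> bool:
        """Update the CAM table for a frame from `src` seen on `port`.
        Returns False when port security says the frame must be dropped."""
        owner = self.cam.get(src)
        # A MAC learned on a sticky-secured port stays bound to that port; the
        # same MAC arriving on another port is treated as spoofing and dropped.
        if owner is not None and owner != port and src in self.secure.get(owner, set()):
            self.violations.append((port, src))
            return False
        limit = self.sticky_ports.get(port)
        learned = self.secure.setdefault(port, set()) if limit is not None else None
        if learned is not None and src not in learned and len(learned) >= limit:
            self.violations.append((port, src))   # too many MACs behind a secured port
            return False
        if owner is None:
            if len(self.cam) >= self.cam_capacity:
                return True                       # CAM full: cannot learn, still forward
            self.cam[src] = port
        elif owner != port:
            self.cam[src] = port                  # unsecured station moved to another port
        if learned is not None:
            learned.add(src)                      # sticky: a real switch writes this to running-config
        return True

    def forward(self, src: str, dst: str, in_port: int) -> list[int]:
        """Return the egress ports for a frame; an empty list means it was dropped."""
        if not self._learn(src, in_port):
            return []
        out = self.cam.get(dst)
        if out is not None and out != in_port:
            return [out]                          # known destination: send to one port
        # Unknown destination (for example because the CAM was full when that
        # station was seen): fail-open behaviour floods out every other port.
        return [p for p in self.ports if p != in_port]


def demo() -> dict:
    """Walk through the Q70 and Q82 scenarios and return what was observed."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=3, sticky_ports={1: 1})
    sw.forward("aa:aa", "ff:ff", 1)          # aa:aa learned on port 1 (sticky)
    sw.forward("bb:bb", "aa:aa", 2)          # bb:bb learned on port 2
    sw.forward("cc:cc", "bb:bb", 3)          # cc:cc learned on port 3 -> CAM now full
    sw.forward("dd:dd", "bb:bb", 4)          # dd:dd cannot be learned any more
    return {
        "flood_to_unlearned": sw.forward("bb:bb", "dd:dd", 2),    # [1, 3, 4]
        "spoof_of_sticky_mac": sw.forward("aa:aa", "bb:bb", 3),   # [] (dropped)
        "second_mac_on_port_1": sw.forward("ee:ee", "bb:bb", 1),  # [] (dropped)
        "violations": list(sw.violations),
        "cam_size": len(sw.cam),
    }
```

Once the three-entry CAM is full, a frame addressed to the station the switch could not learn is copied out of every port except the one it arrived on, which is exactly the condition an attacker who floods bogus source MACs is trying to create. With sticky secure addresses, the learned MAC is pinned to its port, so the same address arriving elsewhere, or an extra address behind a port limited to one, is dropped and recorded as a violation instead of being learned.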
QUESTION NO: 83
Which statement is true about vishing?
A. Influencing users to forward a call to toll number (for example, a long distance or
international number)
B. Influencing users to provide personal information over a web page
C. Influencing users to provide personal information over the phone
D. Using an inside facilitator to intentionally forward a call to a toll number (for example,
a long distance or international number)
Answer: C
Explanation:
A related concept to vishing is phishing which is probably known by more people. The
term phishing recently entered the technical vernacular. The basic concept of phishing is
an attacker sending an e-mail to a user. The e-mail appears to be from a legitimate
business. The user is asked to confirm her information by entering data on a web page,
such as her social security number, bank or credit card account number, birth date, or
mother's maiden name. The attacker can then take this user-provided data and use it for
fraudulent purposes.
Similar to phishing, the term vishing refers to maliciously collecting such information
over the phone. Because many users tend to trust the security of a telephone more than
the security of the web, some users are more likely to provide confidential
information over the telephone. User education is the most effective method to
combat vishing attacks.
Another type of fraud committed against telephony systems is toll fraud. The basic
concept of toll fraud is an attacker using a telephony system to place calls he should not
be allowed to place. For example, a corporate telephony use policy might state that long
distance personal calls are not allowed. If an employee ignored that directive and placed a
personal long distance call, that would be a simple example of toll fraud.
QUESTION NO: 84
Which statement is not a reason for an organization to incorporate a SAN in its enterprise
infrastructure?
A. To decrease both capital and operating expenses associated with data storage
B. To decrease the threat of viruses and worm attacks against data storage devices
C. To increase the performance of long-distance, replication, backup and recovery
D. To meet changing business priorities, applications and revenue growth
Answer: B
Explanation:
For many organizations, incorporating SANs in their enterprise infrastructure allows them
to meet three primary business requirements:
* Effectively meet changing business priorities, application requirements, and revenue
growth
* Increase performance of long-distance replication, backup, and recovery to meet
regulatory requirements as well as industry best practices
* Decrease both capital and operating expenses associated with data storage
Answer B is therefore not a valid reason for organizations to incorporate a SAN in their infrastructure.
QUESTION NO: 85
What is the MD5 algorithm used for?
A. Takes a variable-length message and produces a 168-bit message digest
B. Takes a fixed-length message and produces a 128-bit message digest
C. Takes a variable-length message and produces a 128-bit message digest
D. Takes a message less than 2^64 bits as input and produces a 160-bit message digest
Answer: C
QUESTION NO: 86
Which example is of a function intended for cryptographic hashing?
A. XR12
B. SHA-135
C. MD65
D. MD5
Answer: D
QUESTION NO: 87
When configuring SSH, which is the Cisco minimum recommended modulus value?
A. 1024 bits
B. 256 bits
C. 512 bits
D. 2048 bits
Answer: A
QUESTION NO: 88
Which Cisco Security Agent interceptor is in charge of intercepting all read/write requests
to the rc files in UNIX?
A. Configuration Interceptor
B. Network Interceptor
C. Execution space interceptor
D. File System interceptor
Answer: A
Explanation:
This question is about Cisco Security Agent interceptors.
The correct answer is A, because a Configuration Interceptor is responsible for
intercepting read/write requests to the registry in Windows or to rc files on UNIX.
Interception occurs because modifying the operating system configuration can have serious
consequences. All read/write requests to the registry are tightly controlled for security by the
Cisco Security Agent.
B: A Network Interceptor is responsible for controlling Network Driver Interface
Specification (NDIS) changes and for clearing network connections through the security
policy. It also limits how many network connections are allowed within a specified
time period to help prevent DoS attacks. Central to its role is providing hardening
features such as SYN flood protection and port scan detection.
C: An Execution Space Interceptor is responsible for maintaining the integrity of the
dynamic runtime environment of each application. It does this by detecting and blocking
requests to write to memory not owned by the requesting application.
In practical terms, when this form of attack occurs, the targeted service,
such as SMTP, FTP, or TFTP, crashes. More importantly, the attacker's shellcode is not
launched successfully. The interceptor also blocks attempts by an application to inject code
(such as a shared library or dynamic link library [DLL]) into another. Buffer overflow attacks
are also detected, helping maintain the integrity of dynamic resources such as the file
system and the configuration of web services. This also helps preserve the integrity of
highly dynamic resources such as memory and network I/O.
D: A File System Interceptor is responsible for intercepting all file read or write requests
and either allowing or denying them based on the security policy.
Reference: CCNA Security Official Exam Certification Guide by Michael Watkins, Kevin Wallace,
CCIE No. 7945, page 271.
QUESTION NO: 89
In a brute-force attack, what percentage of the keyspace must an attacker generally search
through before finding the key that decrypts the data?
A. Roughly 66 percent
B. Roughly 10 percent
C. Roughly 75 percent
D. Roughly 50 percent
Answer: D
Explanation:
All encryption algorithms are vulnerable to a brute-force attack. In this attack, an attacker
tries every possible key with the decryption algorithm. Generally, a brute-force attack
will succeed about 50 percent of the way through the keyspace. To defend against this
form of attack, modern cryptographers have to create a sufficiently large keyspace so that
attacking it in this way requires too much time and money to be practical.
Reference: CCNA Security Official Exam Certification Guide by Michael Watkins, Kevin Wallace,
CCIE No. 7945, page 439.
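To see where "about 50 percent of the way through the keyspace" comes from, the following added example (not from the exam guide) brute-forces a constructed 12-bit XOR "cipher" for many random keys and averages how far through the keyspace the exhaustive search had to go. The key size, the toy cipher and the names `brute_force`, `average_fraction_searched` and `expected_tries` are all chosen here.

```python
"""Brute-force keyspace search on a toy cipher.  Added illustration, not from
the exam guide; the 12-bit key and XOR 'cipher' are constructed so the search
finishes quickly, and only the search statistics are of interest."""
import random

KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS           # 4096 possible keys


def toy_encrypt(key: int, block: int) -> int:
    """Toy cipher: XOR the block with the key (decryption is the same operation)."""
    return block ^ key


def brute_force(ciphertext: int, known_plaintext: int) -> int:
    """Try every key in order until one decrypts the ciphertext to the known
    plaintext.  Returns how many keys had to be tried."""
    for candidate in range(KEYSPACE):
        if toy_encrypt(candidate, ciphertext) == known_plaintext:
            return candidate + 1
    raise ValueError("key not in keyspace")   # cannot happen for a well-formed input


def average_fraction_searched(trials: int = 1000, seed: int = 7) -> float:
    """Fraction of the keyspace searched, averaged over uniformly random keys."""
    rng = random.Random(seed)              # seeded so the demo is repeatable
    plaintext = 0x5A5
    total = 0
    for _ in range(trials):
        key = rng.randrange(KEYSPACE)
        total += brute_force(toy_encrypt(key, plaintext), plaintext)
    return total / (trials * KEYSPACE)


def expected_fraction(keyspace: int) -> float:
    """Exact expectation: a uniformly random key is found after (N + 1) / 2 tries."""
    return (keyspace + 1) / (2 * keyspace)


def expected_tries(key_bits: int) -> int:
    """Expected trial decryptions for a key_bits-bit key: every extra bit doubles the work."""
    return ((1 << key_bits) + 1) // 2
```

The simulated average lands at about 0.5, matching `expected_fraction`, and `expected_tries` shows the defender's lever the explanation mentions: each additional key bit doubles the expected work, so a large enough keyspace makes exhaustive search impractical regardless of the cipher.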
QUESTION NO: 90
Which three statements are valid SDM configuration wizards? (Choose three.)
A. NAT
B. Security Audit
C. STP
D. VPN
Answer: A,B,D
Explanation:
The detailed information is in the attached picture, which is a screenshot of the SDM
configuration wizard. The picture below contains the information that explains the function
of each wizard.
QUESTION NO: 91
Which three are distinctions between asymmetric and symmetric algorithms? (Choose all
that apply)
A. Only symmetric algorithms have a key exchange technology built in
B. Asymmetric algorithms are based on more complex mathematical computations
C. Only asymmetric algorithms have a key exchange technology built in
D. Asymmetric algorithms are used quite often as key exchange protocols for symmetric
algorithms
Answer: B,C,D
QUESTION NO: 92
Which two attacks focus on RSA? (Choose all that apply)
A. DDoS attack
B. Adaptive chosen ciphertext attack
C. BPA attack
D. Man-in-the-middle attack
Answer: B,C
Explanation:
The detailed answer: there are essentially three kinds of attacks against RSA:
1- BPA attack = branch prediction analysis (BPA) attack: A number of processors use a
branch predictor to determine whether a conditional branch in a program's instruction
flow is likely to be taken. Generally speaking, these types of processors also implement
simultaneous multithreading (SMT). A branch prediction analysis attack uses a spy
process to statistically discover the private key when it is processed by these processors.
2- Adaptive chosen ciphertext attack: The first practical adaptive chosen ciphertext attack
against an RSA-encrypted message was described in 1995. This attack used flaws
in the PKCS #1 scheme, which was used in concert with RSA. The attack focused
on RSA implementations of the Secure Socket Layer protocol and was used to recover
session keys. Because of the success of this attack, it is now recommended that RSA be
used with other, more secure padding schemes, such as Optimal Asymmetric Encryption
Padding. Additionally, RSA Laboratories has released updated versions of PKCS #1 that
are not vulnerable to this form of attack.
3- Timing attacks: In 1995 an attack against RSA was described wherein, if the attacker knew a user's
hardware in enough detail and could measure the decryption times for several known
ciphertexts, he could deduce the decryption key quickly. This same attack can also
be applied against the RSA signature scheme.
One way to defend against this form of attack is to make sure that a consistent amount of
time is required for the decryption operation of each ciphertext. Although this would
work, it may not be worth the resulting performance degradation. Most RSA
implementations use an alternative approach known as blinding.
In this approach, the multiplicative property of RSA is used. The result of applying RSA
blinding is that the decryption time is no longer correlated to the value of the input
ciphertext, so the timing attack fails.
Reference: page 486 - CCNA: Security.
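The blinding countermeasure the explanation ends on, as an added example that is not from the exam guide: textbook RSA with the classic demo key (p = 61, q = 53, so n = 3233, e = 17, d = 2753) and a `rsa_decrypt_blinded` routine that randomizes the value the private-key exponentiation actually sees. The function names are chosen here; the key is far too small for real use and no padding is applied.

```python
"""RSA blinding as a timing-attack countermeasure.  Added illustration, not
from the exam guide.  The key (p=61, q=53 -> n=3233, e=17, d=2753) is the
classic textbook demo key; real keys are thousands of bits and use padding."""
import math
import random

N, E, D = 3233, 17, 2753


def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)


def rsa_decrypt_plain(c: int) -> int:
    # The private exponentiation runs directly on the attacker-chosen
    # ciphertext, so how long it takes can depend on (and leak) bits of d.
    return pow(c, D, N)


def blind(c: int, rng: random.Random) -> tuple:
    """Pick a random r coprime to n and return (c * r^e mod n, r)."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return (c * pow(r, E, N)) % N, r


def rsa_decrypt_blinded(c: int, rng=None) -> int:
    """Decrypt without ever exponentiating the raw ciphertext.
    (c * r^e)^d = c^d * r^(e*d) = m * r (mod n); multiplying by r^-1 removes r."""
    c_blind, r = blind(c, rng or random.Random())
    m_blind = pow(c_blind, D, N)            # multiplicative property of RSA
    return (m_blind * pow(r, -1, N)) % N


def exponentiated_values(c: int, samples: int, seed: int = 0) -> set:
    """The inputs the private exponentiation really sees over repeated blinded
    decryptions of one ciphertext: they vary from call to call, so the timing
    no longer correlates with the ciphertext the attacker supplied."""
    rng = random.Random(seed)
    return {blind(c, rng)[0] for _ in range(samples)}
```

Both decryption paths return the same plaintext; the difference is only in what the private-key operation is fed, which is the property the timing attack relied on and blinding removes.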
QUESTION NO: 93
Which two ports are used with RADIUS authentication and authorization? (Choose two.)
A. UDP port 2000
B. TCP port 2002
C. UDP port 1812
D. UDP port 1645
Answer: C,D
Explanation:
This question is about the ports used by Cisco Secure ACS for client communication:
RADIUS authentication and authorization use UDP ports 1645 and 1812.
RADIUS accounting uses UDP ports 1646 and 1813.
About option B: the administrative HTTP port for new sessions uses TCP port 2002.
No Cisco Secure ACS service uses UDP port 2000, but the following services use
TCP port 2000:
1- Cisco Secure ACS database replication: TCP 2000
2- RDBMS synchronization: TCP 2000
3- User-changeable password web application: TCP 2000
QUESTION NO: 94
With which three tasks does the IPS Policies Wizard help you? (Choose three.)
A. Selecting the inspection policy that will be applied to the interface
B. Selecting the direction of traffic that will be inspected
C. Selecting the interface to which the IPS rule will be applied
D. Selecting the Signature Definition File (SDF) that the router will use
Answer: B,C,D
Explanation:
The detailed answer is as follows:
The initial screen explains that the IPS Policies Wizard helps you with the following
tasks:
* Selecting the interface to which the IPS rule will be applied
* Selecting the direction of traffic that will be inspected
* Selecting the SDF file to be used by the router
After you click Next, the IPS Wizard prompts you to select the interface(s) to which the
IPS rule should be applied, in addition to the direction of traffic (that is, inbound or
outbound).
The screenshot of the IPS Policies Wizard is in the attached picture.
QUESTION NO: 95
Regarding constructing a good encryption algorithm, what does creating an avalanche
effect indicate?
A. Altering the key length causes the ciphertext to be completely different
B. Altering the key length causes the plain text to be completely different
C. Changing only a few bits of a ciphertext message causes the plain text to be
completely different
D. Changing only a few bits of a plain-text message causes the ciphertext to be
completely different
Answer: D
Explanation:
One desirable property of a hash function is the mixing property. What this means is that
a small change in the input (1 bit) should cause a large change in the output (about half of
the bits). This significant change in the outcome is called the avalanche effect.
Example:
The SHA1 function for the first text: SHA1("The quick brown fox jumps over the lazy
dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
When "dog" is changed to "cog":
SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a
0bd17d9b 100db4b3
The two results are totally different after a small change, just one "d" to "c".
Reference: CCNA Security - Cisco Press; page 487.
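Both the digest-size point of Q85 (MD5 maps an input of any length to a 128-bit digest) and the avalanche example above can be checked with Python's hashlib. This is an added example, not from the exam guide; the two inputs are the standard SHA-1 test strings, the second of which ("lazy cog") is the string whose SHA-1 is the second digest quoted above. `digest_bits`, `avalanche` and the other function names are chosen here.

```python
"""Digest lengths and the avalanche effect with hashlib.  Added illustration,
not from the exam guide.  Inputs are the standard SHA-1 test strings."""
import hashlib

FOX = b"The quick brown fox jumps over the lazy dog"
COG = b"The quick brown fox jumps over the lazy cog"   # a single character changed


def digest_bits(algorithm: str, message: bytes) -> int:
    """Output size in bits; it depends on the algorithm, not on the input length."""
    return len(hashlib.new(algorithm, message).digest()) * 8


def output_is_fixed_length(algorithm: str) -> bool:
    """Feed inputs from 0 bytes up to 100 KB; the digest size never changes."""
    sizes = {digest_bits(algorithm, b"A" * n) for n in (0, 1, 55, 56, 64, 1000, 100_000)}
    return len(sizes) == 1


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm: str, m1: bytes, m2: bytes) -> tuple:
    """Return (bits that changed in the digest, total digest bits)."""
    d1 = hashlib.new(algorithm, m1).digest()
    d2 = hashlib.new(algorithm, m2).digest()
    return hamming_distance(d1, d2), len(d1) * 8


def sha1_hex(message: bytes) -> str:
    """Hex digest in the same form as the values quoted in the explanation."""
    return hashlib.sha1(message).hexdigest()
```

Changing one character of the input flips roughly half of the 160 digest bits, which is the avalanche property the question asks about; the same inputs through MD5 give 128-bit digests, and the digest size stays the same whatever the input length.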
QUESTION NO: 96
What is enabled by the Dynamic Vector Streaming (DVS) scanning technology?
A. Firmware-level virus detection
B. Layer 4 virus detection
C. Signature-based virus filtering
D. Signature-based spyware filtering
Answer: D
Explanation:
The Dynamic Vector Streaming (DVS) scanning technology belongs to IronPort.
IronPort is designed to protect an enterprise from various Internet threats that target
e-mail and web security. IronPort's e-mail security capabilities are readily used by 20
percent of the largest enterprise organizations in the world.
In addition to enterprise-level e-mail protection, the IronPort S-Series is the industry's
fastest web security appliance. This appliance combines a high-performance security
platform with Web Reputation technology and a Dynamic Vectoring and Streaming
(DVS) engine. The DVS engine is a new scanning technology that enables
signature-based spyware filtering. This solution is complemented by a comprehensive set
of management and reporting tools that provide ease of administration and complete
visibility into threat-related activities.
QUESTION NO: 97
For the following items, which one acts as a VPN termination device and is located at a
primary network location?
A. Broadband Service
B. Tunnel
C. VPN Access device
D. Headend VPN device
Answer: D
QUESTION NO: 98
How do you define the authentication method that will be used with AAA?
A. With the method command
B. With the method aaa command
C. With a method list
D. With a method statement
Answer: C
QUESTION NO: 99
Which type of intrusion prevention technology will be primarily used by the Cisco IPS
security appliances?
A. Profile-based
B. Protocol analysis-based
C. Signature-based
D. Rule-based
Answer: C
QUESTION NO: 100
If you click the Configure button along the top of Cisco SDM's graphical interface, which
tasks button permits you to configure such features as SSH, NTP, SNMP and syslog?
A. Security Audit
B. Additional Tasks
C. Intrusion Prevention
D. Interfaces and Connections
Answer: B
QUESTION NO: 101
Which three items are Cisco best-practice recommendations for securing a network?
(Choose three.)
A. Require strong passwords and enable password expiration
B. Deploy HIPS software on all end-user workstations
C. Routinely apply patches to operating systems and applications
D. Disable unneeded services and ports on hosts
Answer: A,C,D
QUESTION NO: 102
Which description is true about ECB mode?
A. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block
B. In ECB mode, each 64-bit plain-text block is exclusive ORed(XORed) bitwise with
the previous ciphertext block
C. In ECB mode, each 56-bit plain-text block is exclusive ORed(XORed) bitwise with
the previous ciphertext block
D. ECB mode uses the same 64-bit key to serially encrypt each 65-bit plain-text block
Answer: A
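The following added example (not from the exam guide) shows the difference between option A (ECB) and option B, which describes CBC: each plaintext block is XORed with the previous ciphertext block before encryption. The 64-bit block cipher inside it is a constructed, intentionally weak stand-in for DES so the example runs offline; `block_encrypt`, `ecb_encrypt`, `cbc_encrypt` and `distinct_blocks` are names chosen here.

```python
"""ECB versus CBC on a toy 64-bit block cipher.  Added illustration, not from
the exam guide; the block cipher below is a constructed, deliberately weak
stand-in for DES (same 64-bit block) and must never be used for real data."""
import random

BLOCK = 8                                   # 64-bit blocks, as in DES

# Fixed byte substitution table (a permutation of 0..255) and its inverse.
_rng = random.Random(2024)
_SBOX = list(range(256))
_rng.shuffle(_SBOX)
_INV_SBOX = [0] * 256
for _i, _v in enumerate(_SBOX):
    _INV_SBOX[_v] = _i


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher: XOR with the 8-byte key, then substitute each byte."""
    return bytes(_SBOX[b ^ k] for b, k in zip(block, key))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return bytes(_INV_SBOX[b] ^ k for b, k in zip(block, key))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: the same key encrypts each block independently, so equal plaintext
    # blocks give equal ciphertext blocks (a pattern leak).
    return b"".join(block_encrypt(key, blk) for blk in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, blk) for blk in _blocks(ciphertext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first block) before it is encrypted.
    out, prev = [], iv
    for blk in _blocks(plaintext):
        prev = block_encrypt(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for blk in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """How many different ciphertext blocks appear (1 means every block is identical)."""
    return len(set(_blocks(ciphertext)))
```

Encrypting four identical plaintext blocks under ECB yields four identical ciphertext blocks, so an observer sees the repetition; under CBC the chaining makes every block different even though the key and plaintext are the same.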
QUESTION NO: 103
Which item accounts for the great majority of software vulnerabilities that have been discovered?
A. Buffer Overflows
B. Stack Vulnerabilities
C. Software overflows
D. Heap Overflows
Answer: A
QUESTION NO: 104
Based on the following items, which two types of interfaces are found on all
network-based IPS sensors? (Choose two.)
A. Monitoring interface
B. Command and Control interface
C. Management interface
D. Loopback interface
Answer: A,B
QUESTION NO: 105
Which management topology keeps management traffic isolated from production traffic?
A. SAFE
B. OOB
C. MARS
D. OTP
Answer: B
QUESTION NO: 106
Which one is perceived as a drawback of implementing Fibre Channel Authentication
Protocol(FCAP)?
A. It relies on an underlying Public Key Infrastructure (PKI)
B. It is restricted in size to only three segments
C. It requires the implementation of IKE
D. It requires the use of NetBT as the network protocol
Answer: A
QUESTION NO: 107
What is the name of the e-mail traffic monitoring service that underlies the architecture of
IronPort?
A. TrafMon
B. E-Base
C. SenderBase
D. IronPort M-Series
Answer: C
QUESTION NO: 108
Which Public Key Cryptography Standard (PKCS) defines the syntax for encrypted
messages and messages with digital signatures?
A. PKCS #10
B. PKCS #12
C. PKCS #7
D. PKCS #8
Answer: C
QUESTION NO: 109
Which two statements are correct regarding a Cisco IP phone's web access feature?
(Choose two.)
A. It is enabled by default
B. It uses HTTPS
C. It requires login credentials, based on the UCM user database
D. It can provide IP address information about other servers in the network
Answer: A,D
QUESTION NO: 110
Which statement is true about a certificate authority (CA)?
A. A trusted third party responsible for signing the public keys of entities in a PKI-based
system
B. An agency responsible for granting and revoking public-private key pairs
C. A trusted third party responsible for signing the private keys of entities in a PKI-based
system
D. An entity responsible for registering the private key encryption used in a PKI
Answer: A
QUESTION NO: 111
Which location will be recommended for extended or extended named ACLs?
A. A location as close to the destination traffic as possible
B. When using the established keyword, a location close to the destination point to ensure
that return traffic is allowed
C. An intermediate location to filter as much traffic as possible
D. A location as close to the source traffic as possible
Answer: D
QUESTION NO: 112
Stream ciphers run on which of the following?
A. Fixed-length groups of digits called blocks
B. Fixed-length groups of bits called blocks
C. Individual blocks, one at a time, with the transformation varying during the encryption
D. Individual digits, one at a time, with transformations varying during the encryption
Answer: D
QUESTION NO: 113
Which type of firewall is needed to open appropriate UDP ports required for RTP
streams?
A. Stateful firewall
B. Packet filtering firewall
C. Proxy Firewall
D. Stateless firewall
Answer: A
QUESTION NO: 114
What is the purpose of the aaa authentication login console-in local command?
A. It specifies the login authorization method list named console-in using the local
RADIUS username-password database
B. It specifies the login authorization method list named console-in using the local
username-password database on the router
C. It specifies the login authentication method list named console-in using the local user
database on the router
D. It specifies the login authentication list named console-in using the local
username-password database on the router
Answer: C
QUESTION NO: 115
Which key method is used by IDS and/or IPS technologies to detect and prevent
attacks?
A. Honey pot detection
B. Signature-based detection
C. Anomaly-based detection
D. Policy-based detection
Answer: B
QUESTION NO: 116
You suspect that an attacker in your network has configured a rogue layer 2 device to
intercept traffic from multiple VLANs, thereby allowing the attacker to capture potentially
sensitive data. Which two methods will help to mitigate this type of activity? (Choose
two.)
A. Place unused active ports in an unused VLAN
B. Turn off all trunk ports and manually configure each VLAN as required on each port
C. Secure the native VLAN, VLAN 1, with encryption
D. Disable DTP on ports that require trunking
E. Set the native VLAN on the trunk ports to an unused VLAN
Answer: D,E
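Both mitigations in the answer are visible in the switch configuration, so they can be audited mechanically. The script below is an added example, not part of the original Q&A: it parses a constructed IOS switch configuration (interface names and descriptions are made up for the demo) and flags ports that still negotiate trunking through DTP, trunks that lack switchport nonegotiate, and trunks whose native VLAN is still the default VLAN 1. Only the switchport commands shown in the sample are parsed.

```python
"""Audit an IOS switch config for VLAN-hopping mitigations: DTP disabled on
trunks and an unused native VLAN. Added example; the config is constructed."""
import re

# Constructed running-config excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core, hardened
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink to distribution, DTP still on
 switchport mode trunk
!
interface GigabitEthernet0/3
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 description never configured
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per interface stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas


def audit_vlan_hopping(config):
    """Return {interface: [finding, ...]} for ports a rogue device could
    turn into a trunk (switch spoofing) or double-tag through (native VLAN 1)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = None
        native_vlan = 1            # IOS default when no native VLAN is configured
        nonegotiate = False
        for line in lines:
            m = re.match(r"switchport mode (\S+)", line)
            if m:
                mode = m.group(1)
            m = re.match(r"switchport trunk native vlan (\d+)", line)
            if m:
                native_vlan = int(m.group(1))
            if line == "switchport nonegotiate":
                nonegotiate = True
        issues = []
        if mode is None or mode == "dynamic":
            # No static mode: the port will negotiate a trunk with whatever
            # sends DTP frames, which is exactly what a rogue switch does.
            issues.append("port negotiates trunking via DTP; set a static mode "
                          "and add 'switchport nonegotiate'")
        if mode == "trunk":
            if not nonegotiate:
                issues.append("trunk still sends DTP; add 'switchport nonegotiate'")
            if native_vlan == 1:
                issues.append("native VLAN is 1; move it to an unused VLAN")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_vlan_hopping(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the sample, the script reports GigabitEthernet0/2 (DTP still enabled on a trunk, native VLAN 1) and GigabitEthernet0/4 (no static mode at all); the hardened uplink and the access port pass. Feeding it a real show running-config output works as long as the stanzas use the same switchport syntax.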
QUESTION NO: 117
What is the objective of Diffie-Hellman?
A. Used to verify the identity of the peer
B. Used between the initiator and the responder to establish a basic security policy
C. Used for asymmetric public key encryption
D. Used to establish a symmetric shared key via a public key exchange process
Answer: D
QUESTION NO: 118 DRAG DROP
Which statements best describe the relationship between the AAA functions and TACACS+
and RADIUS, based on the exhibit shown?
Move each statement to either TACACS+ or RADIUS.
Answer: (the exhibit and the drag-and-drop answer key are not reproduced in this copy)
QUESTION NO: 119
Before a Diffie-Hellman exchange may begin, the two parties involved must agree on
what?
A. Two nonsecret keys
B. Two secret numbers
C. Two nonsecret numbers
D. Two secret keys
Answer: C
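Questions 117 and 119 together describe the whole exchange: two nonsecret numbers (the modulus p and the generator g) agreed in advance, two public values exchanged in the clear, and a symmetric key that both sides derive without ever sending it. The code below is an added example, not part of the original Q&A. It uses the 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409) with g = 2, chosen only because the scenario questions on this page refer to group 2; the private values in the self-test are fixed so the result is reproducible, and the SHA-256 key derivation is an assumption standing in for IKE's own PRF.

```python
"""Diffie-Hellman key agreement over IKE group 2 (RFC 2409 MODP-1024).
Added example; in practice use group 14 or larger, or an ECDH group."""
import hashlib
import secrets

# The two nonsecret numbers both peers agree on before the exchange.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def private_value(p=P):
    """Random private exponent in [2, p-2]; never reused and never sent."""
    return 2 + secrets.randbelow(p - 3)


def public_value(priv, p=P, g=G):
    """Public value y = g^x mod p, sent to the peer in the clear."""
    return pow(g, priv, p)


def check_peer_public(y, p=P):
    """Reject degenerate peer values (0, 1, p-1 and out-of-range) that would
    force the shared secret into a tiny subgroup an active attacker controls."""
    if not 2 <= y <= p - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return y


def shared_secret(my_priv, peer_pub, p=P):
    """Shared secret g^(ab) mod p, computed independently by each side."""
    return pow(check_peer_public(peer_pub, p), my_priv, p)


def symmetric_key(secret, p=P, length=32):
    """Derive a fixed-length symmetric key from the shared secret.
    SHA-256 is an assumption here; IKE uses its negotiated PRF."""
    byte_len = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(byte_len, "big")).digest()[:length]


def dh_exchange(a=None, b=None):
    """Full exchange between initiator (private a) and responder (private b).
    Returns both derived keys; they match although neither side ever learned
    the other's private value, and only ya and yb crossed the wire."""
    a = private_value() if a is None else a
    b = private_value() if b is None else b
    ya, yb = public_value(a), public_value(b)      # the two messages sent
    key_a = symmetric_key(shared_secret(a, yb))    # initiator's computation
    key_b = symmetric_key(shared_secret(b, ya))    # responder's computation
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = dh_exchange()
    print("keys match:", ka == kb, ka.hex())
```

Note what the exchange does not provide: nothing in it identifies the peer, which is why IKE pairs it with pre-shared keys or certificates (question 117, option A is a separate function). The public-value check matters in real deployments because an attacker who can substitute y = 1 forces both sides to a known secret.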
QUESTION NO: 120
How does a CLI view differ from a privilege level?
A. A CLI view supports only commands configured for that specific view, whereas a
privilege level supports commands available to that level and all the lower levels
B. A CLI view supports only monitoring commands, whereas a privilege level allows a
user to make changes to an IOS configuration
C. A CLI view can function without a AAA configuration, whereas a privilege level
requires AAA to be configured
D. A CLI view and a privilege level perform the same function. However, a CLI view is
used on a Catalyst switch, whereas a privilege level is used on an IOS router
Answer: A
QUESTION NO: 121
Which discipline ensures that no single employee can become a pervasive security threat, that
data can be recovered from backups, and that information-system changes do not
compromise a system's security?
A. Operations security
B. Disaster recovery
C. Implementation security
D. Strategic security planning
Answer: A
QUESTION NO: 122
When using the Cisco SDM Quick Setup Site-to-Site VPN Wizard, which three
parameters do you configure? (Choose three.)
A. Interface for the VPN connection
B. IP Address for the remote peer
C. Transform set for the IPSec tunnel
D. Source interface where encrypted traffic originates
Answer: A,B,D
Explanation:
The Quick Setup wizard fits on a single screen (the exhibit is not reproduced in this copy).
On that screen you are prompted to enter the following information:
* Interface for this VPN connection
* Peer IP address type (dynamic or static)
* IP address of the remote peer (for a peer with a static IP address)
* Authentication type (preshared keys or digital certificates)
* Preshared key (for preshared key authentication)
* Traffic to encrypt: the source interface where the traffic originates, and the destination
network address and subnet mask
The transform set (option C) is not chosen here; Quick Setup applies SDM's default IKE and
IPsec policies, and only the Step-by-Step wizard lets you pick a transform set.
QUESTION NO: 123
In an IEEE 802.1x deployment, between which two devices are EAPOL messages typically
sent?
A. Between the authenticator and the authentication server
B. Between the RADIUS server and the authenticator
C. Between the supplicant and the authenticator
D. Between the supplicant and the authentication server
Answer: C
QUESTION NO: 124
Which one of the following items may be added to a password before it is hashed with
MD5 to make the stored hash more secure?
A. Cryptotext
B. Ciphertext
C. Rainbow table
D. Salt
Answer: D
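The reason the salt helps is that it invalidates precomputation: an attacker who has hashed a wordlist once can look up any unsalted MD5 digest instantly, but a per-password salt forces the whole wordlist to be hashed again for every salt. The script below is an added example, not part of the original Q&A; the wordlist, the stored password and the fixed salt are constructed for the demo, and MD5 is used only because the question names it.

```python
"""Unsalted versus salted MD5 against a precomputed (rainbow-style) table.
Added example; wordlist, password and salt are constructed for the demo."""
import hashlib
import os

# Constructed attacker wordlist: the precomputed table covers exactly these.
WORDLIST = ["password", "cisco", "letmein", "Summer2009", "admin123"]
DEMO_SALT = bytes(range(1, 9))   # fixed so the demo is reproducible


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_table(words):
    """Attacker's one-time precomputation: digest -> candidate password."""
    return {md5_hex(w.encode()): w for w in words}


def unsalted_hash(password):
    """What a naive store keeps: md5(password) alone."""
    return md5_hex(password.encode())


def salted_hash(password, salt=None):
    """What a salted store keeps: (salt, md5(salt || password)).
    The salt is not secret, only unique per password."""
    salt = os.urandom(8) if salt is None else salt
    return salt, md5_hex(salt + password.encode())


def lookup(table, digest):
    """Instant recovery if the digest was precomputed."""
    return table.get(digest)


def crack_salted(words, salt, digest):
    """With a salt the attacker must redo the wordlist for this one salt:
    the table is useless and total work scales with the number of salts."""
    for w in words:
        if md5_hex(salt + w.encode()) == digest:
            return w
    return None


def demo(password="cisco"):
    """Return how far each attack gets against the same password."""
    table = build_table(WORDLIST)
    stored_plain = unsalted_hash(password)
    salt, stored_salted = salted_hash(password, DEMO_SALT)
    return {
        "table_hit_unsalted": lookup(table, stored_plain),
        "table_hit_salted": lookup(table, stored_salted),
        "per_salt_brute_force": crack_salted(WORDLIST, salt, stored_salted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third result shows the limit of a salt on its own: a weak password is still found by hashing the wordlist once per salt, which is cheap for a fast function like MD5. IOS type 5 secrets are salted MD5-crypt; where the platform supports them, the type 8 (PBKDF2) and type 9 (scrypt) secrets add the iteration cost that makes each such guess expensive.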
QUESTION NO: 125
Which firewall best practice can help mitigate worms and other automated attacks?
A. Restrict access to firewalls
B. Set connection limits
C. Use logs and alerts
D. Segment security zones
Answer: B
QUESTION NO: 126
Which description about asymmetric encryption algorithms is correct?
A. They use the same key for encryption and decryption of data
B. They use different keys for encryption and decryption of data
C. They use different keys for decryption but the same key for encryption of data
D. They use the same key for decryption but different keys for encryption of data
Answer: B
QUESTION NO: 127
Information about a managed device's resources and activity is defined by a series of
objects. What defines the structure of these management objects?
A. CEF
B. MIB
C. FIB
D. LDAP
Answer: B
QUESTION NO: 128
Which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030
destined to host 192.168.1.10?
A. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80
B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15
C. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030
D. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
E. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www
F. access-list 101 permit tcp any eq 3030
Answer: B
Explanation:
The packet described is TCP from 10.1.129.100, source port 3030, to 192.168.1.10,
destination port 80 (HTTP, which IOS also accepts as the keyword www).
B is the only entry whose protocol (tcp), address ranges and port placement all fit:
10.1.128.0 0.0.1.255 covers 10.1.128.0 through 10.1.129.255, so it includes the source host,
and 192.168.1.0 0.0.0.15 covers 192.168.1.0 through 192.168.1.15, so it includes the
destination host. The entry places eq 3030 after the source address, where the source port
belongs, and does not restrict the destination port, so it permits the HTTP connection (along
with any other TCP destination port from source port 3030).
Incorrect:
A: Two issues. The destination is host 192.168.1.100, not 192.168.1.10, and the entry uses
the ip keyword with port operators; IOS rejects this because port numbers exist at layer 4
(TCP/UDP), not at layer 3 (IP).
C: Wrong direction; the source and destination are swapped.
D: Wrong direction, and the port operator sits after the wrong address.
E: Correct except for the source port: www (80) is wrong, 3030 is correct.
F: Incomplete syntax; an extended ACL entry needs both a source and a destination, and
this one has no destination at all.
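The elimination above can be replayed in code. The script below is an added example, not part of the original Q&A: it implements IOS wildcard-mask matching for the subset of extended-ACL syntax used in the six options (host, any, address plus wildcard, and eq with a number or the www keyword), rejects the malformed entries as IOS would, and evaluates every option against the question's packet.

```python
"""Evaluate the six ACL candidates against TCP 10.1.129.100:3030 ->
192.168.1.10:80 with IOS wildcard-mask matching. Added example; only the
extended-ACL syntax present in the options is parsed."""
import ipaddress

PORT_NAMES = {"www": 80}          # IOS accepts 'www' as an alias for port 80


class AclSyntaxError(ValueError):
    """Raised for entries IOS itself would reject."""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume 'host A', 'any' or 'A WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if len(tokens) < 2:
        raise AclSyntaxError("address without wildcard mask")
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if not tokens or tokens[0] != "eq":
        return None, tokens
    if len(tokens) < 2:
        raise AclSyntaxError("eq without a port")
    name = tokens[1]
    if name.isdigit():
        return int(name), tokens[2:]
    if name in PORT_NAMES:
        return PORT_NAMES[name], tokens[2:]
    raise AclSyntaxError("unknown port name " + name)


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise AclSyntaxError(line)
    action, proto, rest = t[2], t[3], t[4:]
    src, src_wc, rest = _parse_addr(rest)
    src_port, rest = _parse_port(rest)
    if not rest:
        raise AclSyntaxError("missing destination: " + line)
    dst, dst_wc, rest = _parse_addr(rest)
    dst_port, rest = _parse_port(rest)
    if rest:
        raise AclSyntaxError("trailing tokens: " + line)
    if proto == "ip" and (src_port is not None or dst_port is not None):
        # Ports are a layer-4 concept; IOS rejects 'eq' together with 'ip'.
        raise AclSyntaxError("port operator not allowed with ip: " + line)
    return {"action": action, "proto": proto, "src": (src, src_wc),
            "dst": (dst, dst_wc), "src_port": src_port, "dst_port": dst_port}


def _addr_matches(addr, spec):
    """Wildcard semantics: a 1 bit in the mask means 'do not care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def ace_permits(line, proto, src, sport, dst, dport):
    """True if the entry is valid syntax and permits the described packet."""
    try:
        ace = parse_ace(line)
    except AclSyntaxError:
        return False
    return (ace["action"] == "permit"
            and ace["proto"] in ("ip", proto)
            and _addr_matches(src, ace["src"])
            and _addr_matches(dst, ace["dst"])
            and ace["src_port"] in (None, sport)
            and ace["dst_port"] in (None, dport))


OPTIONS = {  # the six answer choices, copied from the question
    "A": "access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80",
    "B": "access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15",
    "C": "access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030",
    "D": "access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255",
    "E": "access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www",
    "F": "access-list 101 permit tcp any eq 3030",
}


def evaluate_options(options=OPTIONS):
    """Map each option letter to whether it permits the question's packet."""
    return {k: ace_permits(v, "tcp", "10.1.129.100", 3030, "192.168.1.10", 80)
            for k, v in options.items()}


if __name__ == "__main__":
    for letter, ok in evaluate_options().items():
        print(letter, "permits" if ok else "does not permit")
```

Only B comes back true. The same parser is handy for the converse check a reviewer usually wants: because B carries no destination port, ace_permits also returns true for any other TCP destination port from source port 3030, which is broader than the question's "HTTP traffic" suggests.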
QUESTION NO: 129
Which protocol uses a LUN as a way to differentiate the individual disk drives
that comprise a target device?
A. HBA
B. ATA
C. iSCSI
D. SCSI
Answer: D
Explanation:
A Logical Unit Number (LUN) is an address for an individual disk drive and, by extension, the
disk device itself. The SCSI protocol uses the LUN to differentiate the individual disk drives
that comprise a common SCSI target device, such as a SCSI disk array. iSCSI (option C)
merely carries SCSI commands over TCP/IP and inherits the term; the addressing scheme
itself belongs to SCSI.
Reference: CCNA Security, Cisco Press (page 287).
Additional information, on using LUN masking to defend against attacks:
LUN masking is an authorization process in which a LUN is made available to some hosts and
unavailable to others. It is generally implemented at the host bus adapter (HBA) level, and
when implemented there it is vulnerable to any attack that compromises the HBA. Its security
benefit is therefore limited, because with many HBAs it is possible for an attacker to forge
source addresses.
For this reason, LUN masking is used mainly to protect against malfunctioning servers
corrupting disks that belong to other servers. A common example is Windows servers attached
to a SAN: in some instances they corrupt non-Windows volumes by attempting to write
Windows volume labels to them. Hiding the LUNs of the non-Windows volumes from the
Windows server prevents this, because with the LUNs masked the Windows server is unaware
of those volumes and makes no attempt to label them. In today's implementations, LUNs are
typically not individual disk drives but virtual partitions (or volumes) within a RAID array.
Topic 2, TestKing, Scenario
Network Topology Exhibit: (not reproduced in this copy)
SDM Exhibit: (not reproduced in this copy)
You work as a network administrator for TestKing.com. The TestKing main office is
located in Liverpool. Recently TestKing has established remote offices in London
(LON), Oxford (OXF), and Birmingham (BIR). TestKing uses IPsec VPN
connectivity between Liverpool and the remote offices.
As a TestKing trainee you are required to document the IPsec VPN configurations
to the remote offices using the Cisco Router and Security Device Manager (SDM).
Please refer to the Topology and SDM exhibits.
Topic 2, TestKing(4 Questions)
QUESTION NO: 1
Please refer to the iPAD document for the TestKing scenario.
The IPsec tunnel to the OXF remote office terminates at which IP address, and
which subnet is protected behind the OXF remote office router? (Choose two.)
A. 10.5.64.0/24
B. 192.168.5.28
C. 10.8.74.0/24
D. 192.168.2.88
E. 192.168.8.97
F. 10.2.63.0/24
G. 10.8.71.0/24
H. 192.168.86.3
Answer: G, H
QUESTION NO: 2
Please refer to the iPAD document for the TestKing scenario.
Consider the TestKing IPsec tunnel between its Liverpool main office and the
London (LON) branch office.
What statement is true?
A. The Liverpool main office is the Easy VPN server and the LON remote office is the
Easy VPN Remote.
B. It is using IPsec tunnel mode, AES encryption, and SHA HMAC Integrity Check.
C. It is using pre-shared key to authenticate between the IPsec peers and DH group 5.
D. It is using IPsec transport mode, 3DES encryption, and SHA HMAC Integrity Check.
E. It is using digital certificate to authenticate between the IPsec peers and DH group 2.
F. It is using IPsec tunnel mode to protect the traffic between the 10.10.10.0/24 and the
10.2.53.0/24 subnet.
Answer: F
QUESTION NO: 3
Please refer to the iPAD document for the TestKing scenario.
Which of the following is used to define which traffic will be protected by IPsec
between the Liverpool main office and the Oxford (OXF) remote office?
A. IKE Phase 1
B. ACL 177
C. ACL 151
D. ESP-3DES-SHA2 transform set
E. IKE Phase 3
F. ACL 174
G. ESP-3DES-SHA1 transform set
H. ESP-3DES-SHA3 transform set
I. ACL 168
J. IKE Phase 2
Answer: B
QUESTION NO: 4
Please refer to the iPAD document for the TestKing scenario.
Consider the IPSec tunnel between Oxford (OXF) and the Liverpool main office.
What can be said?
A. Only the ESP protocol is being used; AH is not being used.
B. The OXF remote office router is using dynamic IP address; therefore, the Oxford
router is using a dynamic crypto map.
C. Tunnel mode is used; therefore, a GRE tunnel interface will be configured.
D. Dead Peer Detection (DPD) is used to monitor the IPsec tunnel, so if there is no traffic
traversing between the two sites, the IPsec tunnel will disconnect.
Answer: A