Ch 26: Network Device Access Control and Infrastructure Security Flashcards
Which command is used to apply an ACL to an interface?
- ip access-group {access-list-number | name} {in|out}
- ip access-class {access-list-number | name} {in|out}
- ip access-list {access-list-number | name} {in|out}
1.
ACLs are applied to interfaces with the command:
- ip access-group {access-list-number | name} {in|out}.
For reference:
- access-class is used to apply an ACL to a VTY line
- access-list is used to configure an ACL
Which of the following password types is the weakest?
- Type 5
- Type 7
- Type 8
- Type 9
2.
Type 7 passwords use a Cisco proprietary Vigenère cipher encryption algorithm that is very weak and can be easily decrypted using multiple online password decryption utilities.
What type of encryption does the command service password-encryption provide?
a. Type 0 encryption
b. Type 5 encryption
c. Type 7 encryption
C.
The command service password-encryption encrypts plaintext passwords in the configuration and Telnet sessions with type 7 password encryption.
What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)
- The login command is used to enable line password authentication.
- The login command is used to enable username-based authentication.
- The login local command is used to enable line and username-based authentication.
- The login local command is used to enable username-based authentication.
1 and 4.
The login command is used to enable line password authentication, and the login local command is used to enable username-based authentication.
Which of these commands are available to a user logged in with privilege level 0? (Choose all that apply.)
- disable
- enable
- show
- configure terminal
- exit
- logout
1, 2, 5, and 6.
Privilege level 0 makes available the disable, enable, exit, help, and logout commands.
Which of the following options can be used to only allow inbound SSH access to the vty lines of a router? (Choose two.)
a. line vty 0 4
   transport output ssh
b. line vty 0 4
   transport input all
c. line vty 0 4
   transport input ssh
d. ip access-list extended SSH
   permit tcp any any eq 22
   line vty 0 4
   access-class SSH in
C and D.
Using the command transport input ssh and applying an ACL to the line that only allows port 22 are valid options to allow only SSH traffic into the line. The other two options are not valid because the command transport output ssh does not affect inbound connections, and the command transport input all allows all inbound SSH and Telnet sessions.
T/F: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.
False.
This is false because AAA authorization for the console is disabled by default to prevent inexperienced users from locking themselves out. Authorization for the console is enabled with the command:
- aaa authorization console
Which of the following AAA functions can help log the commands executed by a user on a network device?
- AAA next-generation logging
- Authorization
- Accounting
- Auditing
C.
Accounting provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.
What is the protocol of choice for network device access control?
a. RADIUS
b. SSHv2
c. Telnet
d. TACACS+
D.
TACACS+ is preferred for device access control because it can individually authorize every command that a user tries to execute after logging in to a device. In contrast, RADIUS requires those commands to be sent in the initial authentication response, and because there could be thousands of CLI command combinations, a large authorization result list could trigger memory exhaustion on the network device.
Which of the following options describe ZBFW? (Choose two.)
- Provides high security with stateless inspection functionality
- Provides stateful firewall functionality
- Is a network interface module
- Is an integrated IOS solution
- Is a security appliance similar to an ASA 5500-X
B and D.
ZBFW is an integrated IOS solution that provides router stateful firewall functionality.
What are the two system-built zones for ZBFW? (Choose two.)
- Inside zone
- Twilight zone
- System zone
- Outside zone
- Self zone
- Default zone
E and F.
Within the ZBFW architecture, there are two system-built zones: self and default.
Which of the following features was developed specifically to protect the CPU of a router?
a. ZBFW
b. AAA
c. CoPP
d. ACLs
C.
Control plane policing (CoPP) was created with the sole purpose of protecting the CPU or control plane of a router.
T/F: CoPP supports input and output policies to control inbound and outbound traffic.
True.
CoPP supports inbound and outbound policies; however, outbound policies are not commonly used.
Which of the following should be disabled to improve the security posture of a router? (Choose two.)
a. CoPP
b. CDP
c. ZBFW
d. LLDP
e. LDP
B and D.
Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) can provide unnecessary information to routers outside of the organization and should be disabled where applicable.
What is RBAC?
Role-based access control (RBAC)
What is a ZBFW?
Zone-Based Firewall (ZBFW)
What is CoPP?
Control Plane Policing (CoPP): This is used to protect the route processor (RP) or CPU of a router.
What are the ranges of numbered standard ACLs?
Numbered standard ACLs: These ACLs define packets based solely on the source network, and they use the numbered entries 1–99 and 1300–1999.
For reference:
Numbered extended ACL ranges: 100–199 and 2000–2699
What are the ranges of Numbered extended ACLs?
Numbered extended ACLs: These ACLs define packets based on source, destination, protocol, port, or a combination of other packet attributes, and they use the numbered entries 100–199 and 2000–2699.
Which type of ACL is generally preferred and why?
- Standard ACLs
- Extended ACLs
- Named ACLs
- Port ACLs
- VLAN ACLs
Named ACLs: These ACLs allow standard and extended ACLs to be given names instead of numbers and are generally preferred because they can provide more relevance to the functionality of the ACL.
What is a PACL?
Port ACLs (PACLs): These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on Layer 2 switchports.
What is a VACL?
VLAN ACLs (VACLs): These ACLs can use standard, extended, named, and named extended MAC ACLs to filter traffic on VLANs.
ACLs use __________ masks instead of subnet masks to classify packets that are being evaluated.
ACLs use wildcard masks instead of subnet masks to classify packets that are being evaluated.
All that is required to convert a subnet mask into a wildcard mask is to subtract the subnet mask from 255.255.255.255. The following shows the subnet mask 255.255.128.0 being converted into a wildcard mask by subtracting it from 255.255.255.255. The end result is a 0.0.127.255 wildcard mask.
    255.255.255.255
  − 255.255.128.  0   Subnet mask
    ---------------
      0.  0.127.255   Wildcard mask
In other words, the wildcard mask is the one's complement (bitwise inverse) of the subnet mask.
What is the numerical equivalent ACL to:
- access-list 1 permit any
access-list 1 permit 0.0.0.0 255.255.255.255 is equivalent to access-list 1 permit any.
What do these three ACLs permit?
- permit any
- permit 172.16.0.0 0.0.255.255
- permit host 192.168.1.1
- Permits all networks
- Permits all networks in the 172.16.0.0/16 range
- Permits only the 192.168.1.1/32 network
Write a numbered standard ACL and apply it to an interface to deny traffic from the 172.16.0.0/24 subnet and from host 192.168.1.1/32 while allowing all other traffic coming into interface Gi0/1.
Example 26-1 demonstrates how a numbered standard ACL is created and applied to an interface to deny traffic from the 172.16.0.0/24 subnet and from host 192.168.1.1/32 while allowing all other traffic coming into interface Gi0/1.
Notice that the last ACE in the ACL explicitly permits all traffic (permit any). If this ACE is not included, all traffic will be dropped because of the implicit deny (deny any) at the end of every ACL.
- R1(config)# access-list 1 deny 172.16.0.0 0.0.255.255
- R1(config)# access-list 1 deny host 192.168.1.1
- R1(config)# access-list 1 permit any
- R1(config)# interface GigabitEthernet0/1
- R1(config-if)# ip access-group 1 in
What are the TCP/UDP protocol-options in an ACL?
The protocol-options keyword differs based on the protocol specified in the ACE.
For example, when TCP or UDP protocols are defined, eq, lt, and gt (equal to, less than, and greater than) keywords become available to specify ports to be matched as well as more granular options, such as SYN and ACK.