Chapter 34 - Device Security Features Flashcards

1
Q

Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode?

a. enable password
b. enable secret
c. Neither
d. The password command, if it’s configured

A

B.

If both commands are configured, IOS accepts only the password as configured in the enable secret command.

2
Q

Some IOS commands store passwords as clear text, but you can then encrypt the passwords with the service password-encryption global command. By comparison, other commands store a computed hash of the password, rather than storing the password. Comparing the two options, which one answer is the most accurate about why one method is better than the other?

a. Using hashes is preferred because encrypted IOS passwords can be easily decrypted.
b. Using hashes is preferred because of the large CPU effort required for encryption.
c. Using encryption is preferred because it provides stronger password protection.
d. Using encryption is preferred because of the large CPU effort required for hashes.

A

A.

The service password-encryption command encrypts passwords on a router or switch that would otherwise be shown in clear text. While a great idea in concept, the algorithm can be easily broken using websites found on the Internet. Cisco long ago provided replacements for commands that store passwords as clear text, instead using hashes—commands like enable secret and username secret. These commands are preferred in part because they avoid the issues of clear-text passwords and easily decrypted passwords.

3
Q

A network engineer issues a show running-config command and sees only one line of output that mentions the enable secret command, as follows:

enable secret 5 $1$ZGMA$e8cmvkz4UjiJhVp7.maLE1

Which of the following is true about users of this router?

a. A user must type $1$ZGMA$e8cmvkz4UjiJhVp7.maLE1 to reach enable mode.
b. The router will hash the clear-text password that the user types to compare to the hashed password.
c. A no service password-encryption configuration command would decrypt this password.
d. The router will decrypt the password in the configuration to compare to the clear-text password typed by the user.

A

B.

The enable secret command stores an MD5 hash of the password. It is unaffected by the service password-encryption command. The router does not unhash the value back to the clear-text password. Instead, when the user types her clear-text password, the router also hashes that password and compares that hashed value with the hashed value as listed in the configuration.

4
Q

The following command was copied and pasted into configuration mode when a user was telnetted into a Cisco switch:

banner login this is the login banner

Which of the following is true about what occurs the next time a user logs in from the console?

a. No banner text is displayed.
b. The banner text “his is ” is displayed.
c. The banner text “this is the login banner” is displayed.
d. The banner text “Login banner configured, no text defined” is displayed.

A

B.

The first nonblank character after the banner login phrase is interpreted as the beginning delimiter character. In this case, it’s the letter t. So, the second letter t—the first letter in “the”—is interpreted as the ending delimiter. The resulting login banner is the text between these two ts—namely, “his is ”.

5
Q

A single-line ACL has been added to a router configuration using the command ip access-list 1 permit 172.16.4.0 0.0.1.255. The configuration also includes the ip access-class 1 in command in VTY configuration mode. Which answer accurately describes how the router uses ACL 1?

a. Hosts in subnet 172.16.4.0/23 alone can telnet into the router.
b. CLI users cannot telnet from the router to hosts in subnet 172.16.4.0/23 alone.
c. Hosts in subnet 172.16.4.0/23 alone can log in but cannot reach enable mode of the router.
d. The router will only forward packets with source addresses in subnet 172.16.4.0/23.

A

A.

The ip access-class 1 in command enables ACL 1 for processing inbound Telnet and SSH connections into that router, based on the source IP address of those incoming packets. It has no impact on Telnet or SSH attempts from the router to some other host. It has no impact on a user later reaching enable mode. It also has nothing to do with filtering packets that would otherwise be routed through the router. Note that the ACL matches all packets whose source IP address is in subnet 172.16.4.0/23, which includes the range of numbers from 172.16.4.0 to 172.16.5.255.
