Chapter 34 - Securing Network Devices Flashcards

1
Q

What command can you use to encrypt passwords that are currently stored in the router as plain text?

A

‘service password-encryption’

  • This encodes only passwords (the ‘enable password’, line passwords and ‘username … password’ entries), converting them from type 0 (clear text) to type 7. ‘secret’ values are left alone because they are already stored as hashes.
  • Type 7 is a reversible obfuscation (a fixed-key XOR), not real encryption: it only stops casual shoulder-surfing of a displayed configuration, so it is no substitute for ‘enable secret’.
2
Q

When using the ‘enable secret <secret>’ command, what encryption type (level) is set by default?

A

5

3
Q

When using the ‘service password-encryption’ command, what is the encryption level set to?

A

7

4
Q

True or False. Entering ‘enable secret <secret>’ and ‘enable secret 5 <secret>’ will do the same thing.

A

False.

  • With ‘enable secret <secret>’ you type the clear-text secret; IOS hashes it (MD5, type 5) and stores only the hash.
  • With ‘enable secret 5 <hash>’ you supply an already-hashed value (the type 5 MD5 hash of the real secret, for example copied from another device’s configuration). You still log in with the clear-text secret, never with the hash.

For example, entering ‘$1$mERr$YlCkLMcTYWwkF1Ccndtll.’ as the type 5 value lets you log in with the secret ‘Cisco’.

5
Q

What encryption type (level) denotes a clear-text password or secret?

A

0

6
Q

True or False. After using the ‘no service password-encryption’ command on an encrypted password it will automatically decrypt the password into its clear-text state.

A

False. Existing type 7 passwords stay in their type 7 form; the command only stops new passwords from being encoded. To get a clear-text entry you must re-enter the password, which is then stored as type 0.

7
Q

True or False. ‘enable secret’ overrides ‘enable password’

A

True. If both are configured, the ‘enable secret’ is used and the ‘enable password’ is ignored.

8
Q

True or False. It is best practice to use ‘enable secret’ rather than ‘enable password’.

A

True. A secret is stored as a hash (type 5 by default), whereas ‘enable password’ is stored either in clear text (type 0) or as reversible type 7, so anyone who can read the configuration can recover it.
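The point behind cards 3 and 8 (type 7 is reversible, so only a hashed secret is safe in a configuration) is easiest to see by running the type 7 scheme yourself. The following is an added example and not part of the original flashcards: the scheme is a XOR against a fixed, publicly known key, with the two leading decimal digits giving the offset into that key. The sample config lines and the `reveal_type7` helper are constructed for this demonstration; the first test vector is a widely published one for the clear text "cisco".

```python
# Added example (not from the original flashcards): Cisco IOS "type 7"
# password obfuscation, as applied by 'service password-encryption'.
# The two leading digits are the decimal offset into XLAT_KEY where the
# XOR starts; every byte after that is clear_byte XOR key_byte.
import re

XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the clear text from the value after 'password 7'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected 2-digit seed followed by an even-length hex string")
    seed = int(encoded[:2], 10)
    if seed >= len(XLAT_KEY):
        raise ValueError("seed outside key length")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 9) -> str:
    """Produce what IOS would store for 'clear' (IOS picks a seed in 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    data = clear.encode("ascii")
    body = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 <hex>' and 'key 7 <hex>' anywhere on a config line.
TYPE7_LINE = re.compile(r"^\s*(?P<prefix>.*?\b(?:password|key)\s+7)\s+(?P<hex>[0-9A-Fa-f]+)\s*$")


def reveal_type7(config: str) -> dict:
    """Map every type 7 line in a running-config to its recovered clear text."""
    revealed = {}
    for line in config.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            revealed[line.strip()] = type7_decode(m.group("hex"))
    return revealed


# Constructed sample lines (not from a real device). The 'enable secret 5'
# line is left untouched: a hash cannot be reversed this way.
SAMPLE = """\
enable password 7 094F471A1A0A
username admin password 7 02050D480809
enable secret 5 $1$mERr$YlCkLMcTYWwkF1Ccndtll.
"""

if __name__ == "__main__":
    for line, clear in reveal_type7(SAMPLE).items():
        print(f"{line!r} -> {clear!r}")
```

Run it against a saved `show running-config` and every `password 7` value comes back in clear text in well under a second, which is the whole argument for `enable secret` and for `username … secret` over `username … password`.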

9
Q

What are the 2 more secure algorithm types available on newer Cisco IOS versions?

A
  • Type 8 - PBKDF2 with SHA-256 - ‘enable algorithm-type sha256 secret <secret>’
  • Type 9 - scrypt (memory-hard, built on SHA-256) - ‘enable algorithm-type scrypt secret <secret>’

These can also be used with the username command for a stronger local login: ‘username <name> algorithm-type scrypt secret <secret>’ (or sha256). In both cases the clear text you type is hashed and only the hash, tagged with the new type number, appears in the configuration.

10
Q

What command could you use to deny certain addresses from accessing a Cisco device?

A

Create an access-list matching the permitted (or denied) source addresses and apply it to the vty lines from line configuration mode:
- ‘access-class <ACL> in’ filters inbound telnet/SSH connections to the device by source address.
- ‘access-class <ACL> out’ instead restricts where a user already logged in to this router may telnet or SSH to from it. Note that this direction matches on the destination address of the outgoing connection, not the source.
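Cards 1 to 10 together describe what a reviewer looks for in a running-config: reversible credential types, a missing `enable secret`, vty lines without an inbound `access-class`, and clear-text management protocols. The block below is an added example, not part of the original flashcards, that turns those checks into a small audit. The sample configuration, the severities and the message wording are all constructed for this demonstration; the `username ops` hash is the one quoted on card 4.

```python
# Added example (not from the original flashcards): audit an IOS running-config
# for the weaknesses the cards describe. Severities and messages are the
# author's own choices; the sample config is constructed, not from a device.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    where: str      # "global" or the 'line ...' section the finding sits in
    message: str


ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d+))? (\S+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (password|secret)(?: (\d+))? (\S+)$")
LINE_PW_RE = re.compile(r"^password(?: (\d+))? (\S+)$")
ACCESS_CLASS_RE = re.compile(r"^access-class \S+ in$")
TRANSPORT_RE = re.compile(r"^transport input (.+)$")

REVERSIBLE = {"0", "7"}  # clear text, or type 7 (trivially reversible)


def _cred_finding(where, what, kind, ptype):
    """A 'password' of any type is recoverable; a type 5 'secret' is MD5 and dated."""
    ptype = ptype or "0"
    if kind == "password":
        return Finding("HIGH", where, f"{what} stored as type {ptype} (reversible); use a 'secret' instead")
    if ptype == "5":
        return Finding("MEDIUM", where, f"{what} is type 5 (MD5); re-enter with 'algorithm-type scrypt secret' (type 9)")
    return None


def audit_config(config: str) -> list:
    findings = []
    section = "global"
    vty = {}   # 'line vty ...' -> {"access_class": bool, "telnet": bool}
    has_enable_secret = has_enable_password = False
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):              # top-level command: (re)set the section
            section = raw.strip() if raw.startswith("line ") else "global"
            if section.startswith("line vty"):
                vty[section] = {"access_class": False, "telnet": False}
        cmd = raw.strip()
        if section == "global":
            m = ENABLE_RE.match(cmd)
            if m:
                kind, ptype = m.group(1), m.group(2)
                if kind == "secret":
                    has_enable_secret = True
                else:
                    has_enable_password = True
                f = _cred_finding(section, "enable " + kind, kind, ptype)
                if f:
                    findings.append(f)
                continue
            m = USER_RE.match(cmd)
            if m:
                f = _cred_finding(section, f"username {m.group(1)}", m.group(2), m.group(3))
                if f:
                    findings.append(f)
            continue
        # Inside a 'line ...' section.
        m = LINE_PW_RE.match(cmd)
        if m and (m.group(1) or "0") in REVERSIBLE:
            findings.append(Finding("HIGH", section, f"line password is type {m.group(1) or '0'} (reversible); prefer 'login local' with hashed usernames"))
        if section in vty:
            if ACCESS_CLASS_RE.match(cmd):
                vty[section]["access_class"] = True
            m = TRANSPORT_RE.match(cmd)
            if m and ({"telnet", "all"} & set(m.group(1).split())):
                vty[section]["telnet"] = True
    if has_enable_password and not has_enable_secret:
        findings.append(Finding("HIGH", "global", "enable password configured with no enable secret"))
    for name, flags in vty.items():
        if not flags["access_class"]:
            findings.append(Finding("MEDIUM", name, "no 'access-class <ACL> in'; any source address may attempt to log in"))
        if flags["telnet"]:
            findings.append(Finding("HIGH", name, "telnet permitted by 'transport input'; credentials travel in clear text"))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample; the second vty range shows the hardened shape.
SAMPLE_CONFIG = """\
! constructed sample running-config (not from a real device)
version 15.2
service password-encryption
hostname R1
enable password 7 094F471A1A0A
username admin privilege 15 password 7 02050D480809
username ops secret 5 $1$mERr$YlCkLMcTYWwkF1Ccndtll.
ip access-list standard MGMT
 permit 10.10.0.0 0.0.255.255
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password 7 094F471A1A0A
 login local
 transport input telnet ssh
line vty 5 15
 access-class MGMT in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.where}: {f.message}")
```

The parser only understands the handful of commands the cards cover, which is deliberate: it is a checklist, not a full IOS grammar. Feeding it a real `show running-config` gives you the list of lines to fix in the order the cards suggest, starting with anything type 0 or 7.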

11
Q

What are some of the benefits of dedicated firewalls over router ACLs?

A
  • Firewalls can inspect application-layer data and track connections to learn which additional TCP and UDP ports a session will use (for example, dynamically negotiated data channels), and filter on those.
  • Firewalls can inspect traffic deeply enough to filter on the URI of an HTTP request.
  • Stateful firewalls keep state information about each connection and use that history to decide whether later packets belong to an existing, permitted connection. Cisco router ACLs are, generally speaking, stateless: each packet is judged on its own.
12
Q

What is an example of a stateful firewall being a security benefit over a stateless firewall?

A
  • Stateful firewalls can help against DoS attacks.
  • Because they hold per-connection state, they can see that a large number of TCP connection attempts (for example, half-open connections that never complete the handshake) have come from one address or a small set of addresses, which is characteristic of a DoS attack, and limit them.
  • A stateless firewall has no such history, so it cannot filter on this basis.
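To make the difference in cards 11 and 12 concrete, here is an added example, not part of the original flashcards, of a toy stateful firewall beside a stateless "established" ACL. It keeps a connection table keyed on the 5-tuple, admits return traffic only when a matching outbound entry exists, and counts half-open connections per initiator so a SYN flood can be cut off. The zones, policy, threshold and addresses are all constructed for the demonstration; a real device uses its own connection-limit mechanisms rather than this fixed counter.

```python
# Added example (not from the original flashcards): a toy stateful firewall
# beside a stateless "established" ACL, to show what connection state buys
# you. Zones, policy, threshold and all addresses are constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# New connections allowed per (from_zone, to_zone); any pair absent here is denied.
POLICY = {
    ("inside", "outside"): {"any"},
    ("inside", "dmz"): {"any"},
    ("outside", "dmz"): {80, 443},
}


def stateless_established_acl(pkt: Packet) -> str:
    """Roughly 'permit tcp any any established': it trusts the ACK bit alone."""
    return "permit" if pkt.ack else "deny"


class StatefulFirewall:
    def __init__(self, policy, max_half_open_per_src=100):
        self.policy = policy
        self.state = {}                     # 5-tuple -> "SYN_SENT" | "ESTABLISHED"
        self.half_open = defaultdict(int)   # initiator address -> open SYN count
        self.max_half_open = max_half_open_per_src

    def process(self, pkt: Packet, src_zone: str, dst_zone: str) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packet belongs to a connection already permitted (in either direction).
        if fwd in self.state or rev in self.state:
            if rev in self.state and self.state[rev] == "SYN_SENT" and pkt.syn and pkt.ack:
                self.state[rev] = "ESTABLISHED"   # handshake completed
                self.half_open[pkt.dst] -= 1      # the initiator is pkt.dst here
            return "permit"
        # No state: only a fresh SYN may create a connection, and only if policy allows it.
        if not pkt.syn or pkt.ack:
            return "deny"
        allowed = self.policy.get((src_zone, dst_zone), set())
        if "any" not in allowed and pkt.dport not in allowed:
            return "deny"
        # Too many half-open connections from one source: the SYN-flood signature
        # that a stateless ACL cannot see.
        if self.half_open[pkt.src] >= self.max_half_open:
            return "deny"
        self.state[fwd] = "SYN_SENT"
        self.half_open[pkt.src] += 1
        return "permit"


def demo() -> dict:
    fw = StatefulFirewall(POLICY, max_half_open_per_src=50)
    results = {}
    # 1. Inside client opens HTTPS to the internet; the SYN-ACK back is matched to state.
    syn = Packet("10.0.0.5", 51000, "93.184.216.34", 443, syn=True)
    results["inside_to_internet_syn"] = fw.process(syn, "inside", "outside")
    synack = Packet("93.184.216.34", 443, "10.0.0.5", 51000, syn=True, ack=True)
    results["return_synack"] = fw.process(synack, "outside", "inside")
    # 2. Unsolicited packet from the internet with ACK set, aimed at SMB on the client.
    spoof = Packet("203.0.113.7", 443, "10.0.0.5", 445, ack=True)
    results["spoofed_ack_stateful"] = fw.process(spoof, "outside", "inside")
    results["spoofed_ack_stateless"] = stateless_established_acl(spoof)
    # 3. 200 SYNs from one source to the DMZ web server, none ever completing.
    flood = [Packet("198.51.100.9", 40000 + i, "192.0.2.10", 80, syn=True) for i in range(200)]
    verdicts = [fw.process(p, "outside", "dmz") for p in flood]
    results["flood_permitted"] = verdicts.count("permit")
    results["flood_denied"] = verdicts.count("deny")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The spoofed packet is the instructive case: a stateless ACL that must let return traffic through has nothing but the ACK bit to go on and permits it, while the stateful table rejects it because no inside host ever opened that connection. The flood shows the second half of card 12: after the per-source limit is reached the remaining SYNs are dropped without the web server ever seeing them.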
13
Q

What is a Security Zone?

A
  • Lets you define security rules based on where a connection comes from, and assign interfaces to zones to decide which rules apply to them.
  • For example, you may have one security zone for the internal network and one for the internet. Internet-facing interfaces go in the internet zone and get different rules from the internal interfaces.
  • A typical policy allows new connections from internal to internet but not from internet to internal.
14
Q

What is a DMZ?

A
  • De-Militarised Zone
  • Used for devices that need to be accessible from outside your network (e.g. Web servers)
15
Q

What is an IPS?

A
  • Intrusion Prevention System
  • Has a database of known potential exploits and characteristics of them
  • Monitors traffic for these characteristics to stop exploits (e.g. DoS, DDoS, Worms, Viruses)
  • Generally uses rules defined by the IPS vendor rather than the company or its engineers
16
Q

What is NGIPS and NGFW?

A
  • Next Generation Intrusion Prevention System
  • Next Generation Firewall
17
Q

What is Cisco AVC?

A
  • Application Visibility and Control
  • Used by Next Generation Firewalls
  • Instead of relying on port numbers to identify which application the data is being sent to or from, it inspects application-layer data.
  • Useful when attackers run a service or exploit on a non-standard port to slip past port-based filtering.
18
Q

Benefits of an NGFW over a traditional firewall

A
  • Uses AVC, which can inspect packets based on application-layer data rather than just transport-layer headers
  • Uses Advanced Malware Protection, watching for events such as file transfers that could bring malware into the network and running analysis on the file
  • Can use URL Filtering, which categorises URLs and can filter or rate-limit them by category. An example of a service that offers this is the Cisco Talos security group, which maintains a database categorising domains on the internet.
  • Uses NGIPS
19
Q

Benefits of an NGIPS system over a traditional IPS

A
  • Uses AVC, which can inspect packets based on application-layer data rather than just transport-layer headers
  • Allows for contextual awareness by gathering information from hosts (e.g. OS, software version, patches applied, applications running and sending/receiving data, open ports), then using it to judge which vulnerabilities are unlikely to exist in which part of the network. It can then spend its resources on the likely ones and reduce the number of logged events.
  • Uses Reputation-Based Filtering, in the same way that an NGFW uses URL Filtering.
  • Provides logs ranked by Event Impact Level, so that technicians can easily interrogate the logs and decide where to focus their efforts.