Chapter 6 Infrastructure Security Flashcards
Which of the following are different STP port states?
A. Root port
B. Designated
C. Nondesignated
D. All of these answers are correct.
D
Which of the following are Layer 2 best practices?
A. Avoid using VLAN 1 anywhere, because it is a default.
B. Administratively configure access ports as access ports so that users cannot negotiate a trunk and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP]).
C. Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and may provide attackers information we would rather not disclose.)
E. On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.
F. All of these answers are correct.
F
The Network Foundation Protection (NFP) framework is broken down into which of the following three basic planes (also called sections/areas)?
A. Controller plane, administrative plane, management plane
B. Management plane, control plane, administrative plane
C. Management plane, control plane, data plane
D. None of these answers is correct.
C
Which of the following are best practices for securing the management plane?
A. Enforce password policy, including features such as maximum number of login attempts and minimum password length.
B. Implement role-based access control (RBAC).
C. Use AAA services, and centrally manage those services on an authentication server (such as Cisco ISE).
D. Keep accurate time across all network devices using secure Network Time Protocol (NTP).
E. All of these answers are correct.
E
Which of the following statements is not true?
A. Control Plane Protection, or CPPr, allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling.
B. The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP.
C. Using CoPP or CPPr, you can specify which types of management traffic are acceptable at which levels. For example, you could decide and configure the router to believe that SSH is acceptable at 100 packets per second, syslog is acceptable at 200 packets per second, and so on.
D. Routing protocol authentication is not a best practice for securing the control plane; it is a best practice to protect the management plane.
D
You were hired to help increase the security of a new company that just deployed network devices in two locations. You are tasked to deploy best practices to protect the data plane. Which of the following techniques and features should you consider deploying to protect the data plane? (Select all that apply.)
A. Use TCP Intercept and firewall services to reduce the risk of SYN-flood attacks.
B. Filter (deny) packets trying to enter your network (from the outside) that claim to have a source IP address that is from your internal network.
C. Deploy CoPP and CPPr in firewalls and IPS systems, as well as routing protocol authentication.
D. Configure NetFlow and NETCONF for Control Plane Protection.
A+B
Which of the following are best practices to protect the management plane and management traffic?
A. Deploy Login Password Retry Lockout to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account.
B. Enable role-based access control (RBAC).
C. Use NTP to synchronize the clocks on network devices so that any logging that includes timestamps may be easily correlated. Preferably, use NTP Version 3 to leverage its ability to provide authentication for time updates.
D. All of these answers are correct.
D
Which of the following commands enable timestamps in syslog messages?
A. service syslog timestamps log datetime
B. logging timestamps log datetime
C. service timestamps log datetime
D. None of these answers is correct.
C
You were hired to configure all networking devices (routers, switches, firewalls, and so on) to generate syslog messages to a security information and event management (SIEM) system. Which of the following is recommended that you do on each of the infrastructure devices to make sure that the SIEM is able to correctly correlate all syslog messages?
A. Enable OSPF.
B. Configure the network infrastructure devices to send syslog messages in batches (at a scheduled interval).
C. Configure the SIEM to process the syslog messages at a scheduled interval.
D. Enable NTP.
D
Which of the following is a feature that’s intended to improve recovery time by making a secure working copy of a router or switch image and the startup configuration files (which are referred to as the primary bootset) so that they cannot be deleted by a remote user?
A. Cisco Resilient Configuration
B. Cisco Secure Firmware Configuration
C. Address Space Layout Randomization (ASLR)
D. None of these answers is correct.
A
If an attacker attempts to spoof many IPv6 destinations in a short time, the router can get overwhelmed while trying to store temporary cache entries for each destination. The XXXXXXXX feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address. It populates all active destinations into the IPv6 first-hop security binding table, and it blocks data traffic when the destination is not identified.
A. IPv6 Destination Guard
B. IPv6 Neighbor Cache Guard
C. IPv6 Hop-by-hop Extension Header
D. IPv6 Neighbor Cache Resource Starvation
A
BGP keychains enable keychain authentication between two BGP peers. The BGP endpoints must both comply with a keychain on one router and a password on the other router. Which of the following statements is not true regarding BGP keychains?
A. BGP is able to use the keychain feature to implement hitless key rollover for authentication.
B. Key rollover specification is time based, and in the event of clock skew between the peers, the rollover process is impacted.
C. The configurable tolerance specification allows for the accept window to be extended (before and after) by that margin. This accept window facilitates a hitless key rollover for applications (for example, routing and management protocols).
D. Routing protocols all support a different set of cryptographic algorithms. BGP supports only HMAC-SHA1-12.
D
You have been asked to restrict users without having to create custom privilege levels. Which of the following features or functionality would you deploy to accomplish this task?
A. Parser views (or “views”)
B. AAA profiles
C. DAI
D. All of these answers are correct.
A
The concept of XXXXXXXX is to create a set of permissions or limited access and assign that set of permissions to users or groups. Those permissions are used by individuals for their given roles, such as a role of administrator, a role of a help desk person, and so on.
A. ABAC
B. RBAC
C. Dynamic groups
D. Downloadable ACLs
B
Which feature can protect against Address Resolution Protocol (ARP) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC-address mapping information), and resulting Layer 2 man-in-the-middle attacks?
A. DHCP spoofing
B. Dynamic ARP Inspection (DAI)
C. IP Source Guard
D. All of these answers are correct.
B