Chapter 6 Infrastructure Security Flashcards

1
Q

Which of the following are different STP port states?

A. Root port

B. Designated

C. Nondesignated

D. All of these answers are correct.

A

D

2
Q

Which of the following are Layer 2 best practices?

A. Avoid using VLAN 1 anywhere, because it is a default.

B. Administratively configure access ports as access ports so that users cannot negotiate a trunk and disable the negotiation of trunking (no Dynamic Trunking Protocol [DTP]).

C. Turn off Cisco Discovery Protocol (CDP) on ports facing untrusted or unknown networks that do not require CDP for anything positive. (CDP operates at Layer 2 and may provide attackers information we would rather not disclose.)

E. On a new switch, shut down all ports and assign them to a VLAN that is not used for anything else other than a parking lot. Then bring up the ports and assign correct VLANs as the ports are allocated and needed.

F. All of these answers are correct.

A

F

3
Q

The Network Foundation Protection (NFP) framework is broken down into which of the following three basic planes (also called sections/areas)?

A. Controller plane, administrative plane, management plane

B. Management plane, control plane, administrative plane

C. Management plane, control plane, data plane

D. None of these answers is correct.

A

C

4
Q

Which of the following are best practices for securing the management plane?

A. Enforce password policy, including features such as maximum number of login attempts and minimum password length.

B. Implement role-based access control (RBAC).

C. Use AAA services, and centrally manage those services on an authentication server (such as Cisco ISE).

D. Keep accurate time across all network devices using secure Network Time Protocol (NTP).

E. All of these answers are correct.

A

E

5
Q

Which of the following statements is not true?

A. Control Plane Protection, or CPPr, allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling.

B. The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP.

C. Using CoPP or CPPr, you can specify which types of management traffic are acceptable at which levels. For example, you could decide and configure the router to believe that SSH is acceptable at 100 packets per second, syslog is acceptable at 200 packets per second, and so on.

D. Routing protocol authentication is not a best practice for securing the control plane; it is a best practice to protect the management plane.

A

D

6
Q

You were hired to help increase the security of a new company that just deployed network devices in two locations. You are tasked to deploy best practices to protect the data plane. Which of the following techniques and features should you consider deploying to protect the data plane? (Select all that apply.)

A. Use TCP Intercept and firewall services to reduce the risk of SYN-flood attacks.

B. Filter (deny) packets trying to enter your network (from the outside) that claim to have a source IP address that is from your internal network.

C. Deploy CoPP and CPPr in firewalls and IPS systems, as well as routing protocol authentication.

D. Configure NetFlow and NETCONF for Control Plane Protection.

A

A+B

7
Q

Which of the following are best practices to protect the management plane and management traffic?

A. Deploy Login Password Retry Lockout to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account.

B. Enable role-based access control (RBAC).

C. Use NTP to synchronize the clocks on network devices so that any logging that includes timestamps may be easily correlated. Preferably, use NTP Version 3 to leverage its ability to provide authentication for time updates.

D. All of these answers are correct.

A

D

8
Q

Which of the following commands enable timestamps in syslog messages?

A. service syslog timestamps log datetime

B. logging timestamps log datetime

C. service timestamps log datetime

D. None of these answers is correct.

A

C

9
Q

You were hired to configure all networking devices (routers, switches, firewalls, and so on) to generate syslog messages to a security information and event management (SIEM) system. Which of the following is recommended that you do on each of the infrastructure devices to make sure that the SIEM is able to correctly correlate all syslog messages?

A. Enable OSPF.

B. Configure the network infrastructure devices to send syslog messages in batches (at a scheduled interval).

C. Configure the SIEM to process the syslog messages at a scheduled interval.

D. Enable NTP.

A

D

10
Q

Which of the following is a feature that’s intended to improve recovery time by making a secure working copy of a router or switch image and the startup configuration files (which are referred to as the primary bootset) so that they cannot be deleted by a remote user?

A. Cisco Resilient Configuration

B. Cisco Secure Firmware Configuration

C. Address Space Layout Randomization (ASLR)

D. None of these answers is correct.

A

A

11
Q

If an attacker attempts to spoof many IPv6 destinations in a short time, the router can get overwhelmed while trying to store temporary cache entries for each destination. The XXXXXXXX feature blocks data traffic from an unknown source and filters IPv6 traffic based on the destination address. It populates all active destinations into the IPv6 first-hop security binding table, and it blocks data traffic when the destination is not identified.

A. IPv6 Destination Guard

B. IPv6 Neighbor Cache Guard

C. IPv6 Hop-by-hop Extension Header

D. IPv6 Neighbor Cache Resource Starvation

A

A

12
Q

BGP keychains enable keychain authentication between two BGP peers. The BGP endpoints must both comply with a keychain on one router and a password on the other router. Which of the following statements is not true regarding BGP keychains?

A. BGP is able to use the keychain feature to implement hitless key rollover for authentication.

B. Key rollover specification is time based, and in the event of clock skew between the peers, the rollover process is impacted.

C. The configurable tolerance specification allows for the accept window to be extended (before and after) by that margin. This accept window facilitates a hitless key rollover for applications (for example, routing and management protocols).

D. Routing protocols all support a different set of cryptographic algorithms. BGP supports only HMAC-SHA1-12.

A

D

13
Q

You have been asked to restrict users without having to create custom privilege levels. Which of the following features or functionality would you deploy to accomplish this task?

A. Parser views (or “views”)

B. AAA profiles

C. DAI

D. All of these answers are correct.

A

A

14
Q

The concept of XXXXXXXX is to create a set of permissions or limited access and assign that set of permissions to users or groups. Those permissions are used by individuals for their given roles, such as a role of administrator, a role of a help desk person, and so on.

A. ABAC

B. RBAC

C. Dynamic groups

D. Downloadable ACLs

A

B

15
Q

Which feature can protect against Address Resolution Protocol (ARP) spoofing, ARP poisoning (which is advertising incorrect IP-to-MAC-address mapping information), and resulting Layer 2 man-in-the-middle attacks?

A. DHCP spoofing

B. Dynamic ARP Inspection (DAI)

C. IP Source Guard

D. All of these answers are correct.

A

B

16
Q

Which of the following statements is not true?

A. CoPP is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy can be applied globally to the router.

B. The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP.

C. The host sub-interface that handles traffic to one of the physical or logical interfaces of the router is one of the sub-interfaces of CPPr.

D. CPPr is not applied to a physical interface, so regardless of the logical or physical interface on which the packets arrive, the router processor can still be protected.

A

D

17
Q

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. Which of the following are activities performed by DHCP snooping?

A. Validates DHCP messages received from untrusted sources and filters out invalid messages.

B. Rate-limits DHCP traffic from trusted and untrusted sources.

C. Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

D. Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

E. All of these answers are correct.

A

E

18
Q

Your switch might be connected to other switches that you do not manage. If you want to prevent your local switch from learning about a new root switch through one of its local ports, you can configure which of the following features?

A. Dynamic Root Inspection

B. Root Guard

C. DHCP Guard

D. Port Security

E. A and C

A

B

19
Q

Which of the following prevents spoofing of Layer 2 information by hosts?

A. Dynamic ARP Inspection

B. BPDU Guard

C. Root Guard

D. All of these answers are correct.

A

A

20
Q

Which of the following prevents spoofing of Layer 3 information by hosts?

A. Dynamic ARP Inspection

B. BPDU Guard

C. IP Source Guard

D. All of these answers are correct.

A

C

21
Q

Which of the following limits the amount of broadcast or multicast traffic flowing through the switch?

A. Root Guard

B. BPDU Guard

C. Storm Control

D. DHCP snooping

A

C

22
Q

CDP operates at XXXXXX and may provide attackers information we would rather not disclose.

A. Layer 2

B. Layer 3

C. Layer 4

D. Layer 7

A

A