Chapter 6 - Infrastructure Security Flashcards
1
Q
- Which method can restrict a user from plugging a wireless access point into a corporate network?
A. Access control lists
B. Port security
C. Wired Equivalent Privacy
D. Static MAC addresses
A
- B. Port security can restrict a port to a single device by MAC address. An access point's own MAC address plus any wireless client bridged behind it would exceed that limit and trip the violation action, so plugging in the access point gains nothing on a corporate network.
2
Q
- What does port security use to block unauthorized access?
A. Source MAC addresses
B. Destination MAC addresses
C. Source IP addresses
D. Destination IP addresses
A
- A. Port security blocks unauthorized access by examining the source MAC address of each frame arriving on the port.
3
Q
- Which command will enable port security?
A. Switch(config)#switchport port-security
B. Switch(config)#port-security enable
C. Switch(config-if)#switchport port-security
D. Switch(config-if)#port-security enable
A
- C. Port security is enabled with the command switchport port-security. It is an interface command and must be entered on the interface on which you want port security enabled.
4
Q
- If port security is enabled on an interface, what is the maximum number of MAC addresses allowed by default?
A. 1 MAC address
B. 2 MAC addresses
C. 0 MAC addresses
D. 10 MAC addresses
A
- A. By default, only a single MAC address is allowed on an interface when port security is enabled
5
Q
- Which layer of the OSI model does port security use for securing a port?
A. Layer 0
B. Layer 1
C. Layer 2
D. Layer 3
A
- C. Port security operates at layer 2 by inspecting the source MAC address of each frame entering the port. Frames from up to the configured number of secure source MAC addresses are switched normally; a frame from any further address triggers the violation action.
6
Q
- Why would a network admin choose to configure port security on an interface?
A. To allow or disallow VLANs
B. To allow or disallow IP addresses
C. To prevent unauthorized access by MAC address
D. To prevent unauthorized access by user
A
- C. Configuring port security helps a network administrator prevent unauthorized access by MAC address.
7
Q
- Which statement is correct about port security?
A. Port security works best in mobile environments.
B. Port security requires a higher amount of memory.
C. Port security works best in static environments.
D. Port security always results in admin intervention to reset the port.
A
- C. Port security works best in static environments where devices rarely move between ports. It does not need extra memory, because the secure addresses are held in the switch's MAC address table. Whether admin intervention is needed after a violation depends on the violation mode, so D is not always true.
8
Q
- When configuring port security on a port that contains a VoIP phone with a voice VLAN and a computer connected to the phone, how many MAC addresses must you allow?
A. 1 MAC address
B. 2 MAC addresses
C. 0 MAC addresses
D. 10 MAC addresses
A
- B. Both the computer and the VoIP phone have MAC addresses, and therefore you will need to allow the port to have two MAC addresses, one for the phone to communicate and the other for the computer to communicate on the port.
9
Q
- What is the default action of port security on the interface when the maximum number of MAC addresses is exceeded?
A. Administrative shutdown
B. Err-disabled shutdown
C. Restricted access without logging
D. Restricted access with logging
A
- B. By default, when port security is configured on a port, the violation mode is shutdown: on a violation the port is placed in the err-disabled state.
10
Q
- You are configuring a port for port security and receive the error "Command rejected: FastEthernet0/1 is a dynamic port." Which commands will help you configure the port?
A. SwitchA(config-if)#no switchport dynamic
SwitchA(config-if)#switchport port-security
B. SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport port-security
C. SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport nonegotiate
SwitchA(config-if)#switchport port-security
D. SwitchA(config-if)#switchport mode access
SwitchA(config-if)#no dynamic
SwitchA(config-if)#switchport port-security
A
- C. Port security cannot be enabled on a port whose Dynamic Trunking Protocol (DTP) mode is dynamic (auto or desirable). Configure the port as a static access port first; that alone clears the error. Then stop the port from sending DTP frames with switchport nonegotiate (the IOS keyword is spelled with a single n), and only then enable switchport port-security.
11
Q
- Which command will allow you to configure two MAC addresses for port security?
A. SwitchA(config-if)#switchport maximum 2
B. SwitchA(config-if)#switchport port-security maximum 2
C. SwitchA(config-if)#port-security maximum 2
D. SwitchA(config-if)#switchport port-security limit 2
A
- B. The command switchport port-security maximum 2 allows two secure MAC addresses on the port; a frame from a third address triggers the violation action.
12
Q
- Which command will limit devices via port security without disabling the port and logging the restricted device?
A. Switch(config-if)#switchport port-security violation shutdown
B. Switch(config-if)#switchport port-security restrict
C. Switch(config-if)#switchport port-security violation protect
D. Switch(config-if)#switchport port-security violation restrict
A
- D. The command switchport port-security violation restrict sets the violation mode to restrict. The port stays up; frames from source MAC addresses beyond the maximum are dropped, the SecurityViolation counter is incremented, and a syslog message and SNMP trap are generated.
13
Q
- Which command will allow you to inspect the status of a port that has been configured for port security?
A. Switch#show running-configuration
B. Switch#show port-security interface gi 2/13
C. Switch#show port-security details interface gi 2/13
D. Switch#show port-security gi 2/13
A
- B. The command show port-security interface gi 2/13 will allow you to see a detailed view of an individual port configured for port security.
14
Q
- Which command will limit devices via port security and send an SNMP trap notification?
A. Switch(config-if)#switchport port-security violation shutdown
B. Switch(config-if)#switchport port-security restrict
C. Switch(config-if)#switchport port-security violation protect
D. Switch(config-if)#switchport port-security violation restrict
A
- A. The command switchport port-security violation shutdown puts the interface into the err-disabled state immediately, increments the violation counter, and generates an SNMP trap and a syslog message. Note that restrict mode also sends a trap; shutdown is the only mode that both traps and disables the port.
15
Q
- Which command will limit devices via port security without disabling the port and not provide logging for a security violation counter?
A. Switch(config-if)#switchport port-security violation shutdown
B. Switch(config-if)#switchport port-security restrict
C. Switch(config-if)#switchport port-security violation protect
D. Switch(config-if)#switchport port-security violation restrict
A
- C. The command switchport port-security violation protect will set the violation mode to protect. This will drop frames over the maximum number of learned MAC addresses but will not log security violations to the counters.
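The commands from the cards above pulled together into one interface configuration, as an added example that is not part of the original flashcards. The interface name, VLAN numbers and the phone-plus-PC pairing are assumptions; the comments explain what each violation mode does so you can pick one deliberately.

```cisco
! Added example: port security on an access port carrying a VoIP phone with
! a PC behind it. Interface, VLAN numbers and the MAC limit are assumptions.
!
! 1. The port must be a static access port. While it is still in the DTP
!    default (dynamic auto/desirable), "switchport port-security" is rejected
!    with "Command rejected: ... is a dynamic port". Access mode clears that;
!    "switchport nonegotiate" additionally stops the port sending DTP frames.
interface GigabitEthernet1/0/5
 description user port - phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
!
! 2. Enable port security. On its own this means: maximum 1, violation shutdown.
 switchport port-security
!
! 3. One secure address for the phone (learned on the voice VLAN) and one
!    for the PC behind it. Per-VLAN limits are an alternative:
!      switchport port-security maximum 1 vlan voice
!      switchport port-security maximum 1 vlan access
 switchport port-security maximum 2
!
! 4. Pick exactly one violation mode:
!    shutdown - the default; port goes err-disabled, counter incremented,
!               SNMP trap + syslog; needs a manual or errdisable-recovery reset
!    restrict - port stays up; extra-address frames dropped, counter
!               incremented, SNMP trap + syslog
!    protect  - port stays up; extra-address frames dropped silently, no
!               counter, no trap (easy to miss, so rarely the right choice)
 switchport port-security violation restrict
```

After the phone and PC have booted, show port-security address on the switch lists which addresses were learned on which VLAN; if the count is not two, the maximum needs adjusting before the violation mode starts biting.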
16
Q
- Which command will allow you to see logged security violations for port security?
A. Switch#show violations
B. Switch#show port-security violations
C. Switch#show port-security
D. Switch#show psec violations
A
- C. The command show port-security lists every port configured for port security with its maximum and current secure address counts, its SecurityViolation count and its violation mode, so the ports that have logged violations stand out.
17
Q
- You have been tasked to secure ports with port security. You need to make sure that only the computers installed can access the network. The computers are installed already. Which type of configuration for port security would require the least amount of administration?
A. Static port security
B. Dynamic port security
C. Sticky port security
D. Time limit port security
A
- C. With sticky port security the switch learns the MAC addresses seen on the port (up to the configured maximum, one by default) and writes them into the running-configuration as secure entries, so no addresses have to be typed in by hand. Any further MAC address trips the configured violation action.
18
Q
- Which command will allow the first MAC address learned on the port to be allowed to only pass traffic on the port via port security?
A. SwitchA(config-if)#switchport port-security mac-address sticky
B. SwitchA(config-if)#switchport port-security mac-address dynamic
C. SwitchA(config-if)#switchport port-security mac-address static
D. SwitchA(config-if)#switchport port-security mac-address learn
A
- A. The command switchport port-security mac-address sticky configures the port to learn the first MAC address it sees (up to the configured maximum), save it to the running-configuration, and allow only that address to pass traffic.
19
Q
- Which command will allow you to globally reset all ports with an err-disable state with minimal disruption?
A. Switch#clear err-disable
B. Switch#clear switchport port-security
C. Switch#clear port-security violation
D. Switch(config)#errdisable recovery cause psecure_violation
A
- D. The global configuration command errdisable recovery cause psecure_violation enables automatic recovery: every port err-disabled by a port security violation is re-enabled after the recovery interval (300 seconds by default, adjustable with errdisable recovery interval). The alternative, a manual shutdown / no shutdown on each affected port, is more disruptive.
20
Q
- You need to verify the sticky MAC addresses learned on a port on the switch. Which command will allow you to verify the addresses learned?
A. SwitchA#show running-configuration
B. SwitchA#show port-security
C. SwitchA#show port-security details
D. SwitchA#show port-security status
A
- A. The command show running-configuration shows the sticky MAC addresses learned by port security, because sticky learning writes each address into the running-configuration as a switchport port-security mac-address sticky line under the interface. (show port-security address also lists them, marked as SecureSticky, but that option is not offered here.)
21
Q
- Which is a correct statement about sticky MAC addresses learned on a switchport?
A. Sticky MAC addresses are removed by performing a shutdown on the port.
B. Sticky MAC addresses become part of the running-configuration.
C. Sticky MAC addresses can be explicitly configured manually.
D. Sticky MAC addresses automatically become part of the startup-configuration
A
- B. Sticky MAC addresses become part of the running-configuration. If the running-configuration is saved to NVRAM, the sticky MAC addresses become part of the startup-configuration.
22
Q
- You need to change a device on a port with which a sticky MAC address is associated. Which command will allow you to change the device and allow for a new sticky MAC address to be learned?
A. Switch#clear switchport port-security f 0/0
B. Switch(config-if)#no switchport port-security
C. Switch#clear port-security f 0/0
D. Switch(config-if)#no switchport port-security mac-address sticky 0045.2342.e4c3
A
- D. The command no switchport port-security mac-address sticky 0045.2342.e4c3 removes the entry for the old device. The switchport port-security mac-address sticky line itself remains on the interface, so the next MAC address seen is learned and becomes the new sticky entry.
23
Q
- Which command will allow you to see all the dynamically learned MAC addresses for port security?
A. SwitchA#show running-configuration
B. SwitchA#show mac address-table
C. SwitchA#show port-security details
D. SwitchA#show port-security address
A
- D. The command show port-security address lists all of the secure MAC addresses learned or configured for port security, with their type (dynamic, sticky or static), VLAN and port. The command show running-configuration would show only the dynamically learned MAC addresses that are sticky.
24
Q
- In which interface mode should you configure port security for end devices?
A. Dynamic
B. Access
C. Trunk
D. Voice
A
- B. The interface switchport should be in an access mode before port security is applied to the interface. Trunks can participate in port security, but it is rare to use these two functions together.
25
Q
- You have default configuration on a port, which is also configured for port security. One of your junior admins is switching out equipment on the port. Which command will need to be entered so the port does not go into the violation mode?
A. Switch#clear port-security dynamic interface gi 2/3
B. Switch(config-if)#no port-security mac-address
C. Switch(config-if)#switchport port-security maximum 2
D. Switch#clear port-security interface gi 2/3
A
- A. The default configuration for port security is dynamic learning with a violation mode of shutdown. If a new device is connected while the old device's address is still secure on the port, the port enters the err-disabled state. Therefore the dynamically learned address must be cleared first with clear port-security dynamic interface gi 2/3. Alternatively, clear port-security dynamic without an interface would clear all dynamically learned port security addresses on the entire switch.
26
Q
- Which command would configure a port to forget the dynamically learned MAC address after 24 hours?
A. Switch(config-if)#switchport port-security aging 1440
B. Switch(config-if)#switchport port-security aging time 1440
C. Switch(config-if)#switchport port-security time 1440
D. Switch(config-if)#switchport port-security maximum time 1440
A
- B. The command switchport port-security aging time 1440 configures the port to forget dynamically learned secure MAC addresses after 1,440 minutes. The value is in minutes, and aging saves an admin from entering a clear command. By default the aging type is absolute (the timer starts when the address is learned); switchport port-security aging type inactivity instead ages out an address that has sent no traffic for the period. Sticky addresses do not age unless aging static is also configured. If the violation mode is shutdown, a port that enters the err-disabled state within this period still has to be reset manually or by errdisable recovery.
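The sticky-learning, verification and recovery cards above as one worked configuration, added here and not part of the original flashcards. The interface name, the example MAC address and the recovery interval are assumptions.

```cisco
! Added example: sticky learning, aging, replacing a device, automatic
! recovery and the show/clear commands. Interface, MAC and timers assumed.
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
! Learn the first two source MACs and write them into the running-config
! as "switchport port-security mac-address sticky <mac>" lines.
 switchport port-security mac-address sticky
! Forget non-sticky dynamic addresses 24 h after they were learned (aging
! type absolute is the default). "aging type inactivity" would count from
! the last frame instead; "aging static" would make sticky entries age too.
 switchport port-security aging time 1440
!
! Bindings survive a reload only if the running-config is saved:
! Switch# copy running-config startup-config
!
! Replacing the device: drop the single sticky entry. The "mac-address
! sticky" line stays, so the next MAC seen is learned and bound.
interface GigabitEthernet1/0/5
 no switchport port-security mac-address sticky 0045.2342.e4c3
!
! Automatic recovery from a shutdown violation. Without this the port stays
! err-disabled until someone does shutdown / no shutdown on it.
errdisable recovery cause psecure_violation
errdisable recovery interval 600
!
! Verification and clean-up (exec mode):
! Switch# show port-security                         per-port counts, violations, mode
! Switch# show port-security interface gi1/0/5       status, mode, counters, last source MAC
! Switch# show port-security address                 every secure MAC with its type and VLAN
! Switch# show errdisable recovery                   which causes auto-recover and the timer
! Switch# clear port-security dynamic interface gi1/0/5   forget non-sticky learned MACs
! Switch# clear port-security sticky interface gi1/0/5    forget sticky MACs on that port
```

show port-security interface is the command to read when a port is unexpectedly err-disabled: its Last Source Address field names the MAC that caused the violation, which is usually enough to tell an unauthorised device from a legitimately swapped one.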
27
Q
- Which term describes the area outside of the corporate firewall?
A. DMZ area
B. Perimeter area
C. Internal area
D. Trusted area
A
- B. The perimeter area, or perimeter network, is outside of the corporate firewall. The perimeter area generally holds equipment necessary for routing to the ISP.
28
Q
- How does DHCP snooping track DHCP messages and mitigate attacks?
A. DHCP filtering
B. DHCP binding table
C. Untrusted ports
D. IOS ACLs
A
- B. The DHCP snooping binding table records, for every lease seen on an untrusted port, the client MAC address, the assigned IP address, the lease time, the VLAN and the interface. That database is what lets the switch detect another port trying to use the same MAC or IP information.
29
Q
- Which term describes the area accessible to the Internet yet protected by the corporate firewall?
A. DMZ
B. Perimeter
C. Internal
D. Trusted
A
- A. The demilitarized zone (DMZ) is an area that is protected by the corporate firewall. However, it allows servers such as web servers, email servers, and application servers to be accessible via the Internet.
30
Q
- Which type of device can prevent an intrusion on your network?
A. Honeypots
B. IDS
C. IPS
D. HIDS
A
- C. An intrusion prevention system, or IPS, can detect and prevent attacks based on their signature. They are commonly found in firewall systems such as Adaptive Security Appliance (ASA) devices.
31
Q
- When dealing with firewalls, the term trusted network is used to describe what?
A. Internal network
B. The Internet
C. The DMZ
D. A network with SSL
A
- A. The internal network is defined by the firewall. Anything protected by the firewall on the internal network is considered to be the trusted network.
32
Q
- Which is a common attack method used to overwhelm services from traffic from multiple Internet sources?
A. Denial of service
B. Distributed denial of service
C. IP address spoofing
D. Session hijacking
A
- B. Distributed denial of service, or DDoS, is a common attack technique used to deny service to legitimate users by overwhelming the service with bogus traffic. When it is performed from many hosts across the Internet, it is very difficult to prevent and stop.
33
Q
- Which type of device can detect an intrusion on your network?
A. Honeypots
B. IDS
C. IPS
D. HIDS
A
- B. An intrusion detection system, or IDS, can detect an attack based upon its signature. They are commonly found in firewall systems such as Adaptive Security Appliance (ASA) devices.
34
Q
- When you configure DHCP snooping on a network, which mode are clients configured in?
A. Untrusted mode
B. Trusted mode
C. Client mode
D. Access mode
A
- A. By default, all ports are considered untrusted, which means they should never serve the request of a DHCP client. Only the port put into trusted mode is allowed to answer client requests.
35
Q
- What method does DHCP snooping employ to thwart DHCP starvation attacks?
A. DHCP guard
B. DHCP filtering
C. Rate limiting
D. IOS ACLs
A
- C. Rate limiting is employed to thwart DHCP starvation attacks by limiting the number of DHCP packets a port can receive per second.
36
Q
- Which method will allow you to mitigate from a spurious DHCP attack?
A. DHCP snooping
B. DHCP filtering
C. Rate limiting
D. IOS ACLs
A
- A. A spurious DHCP attack is one in which a rogue DHCP server is started on the network and serves clients incorrect DHCP information, such as a gateway or DNS server controlled by the attacker. DHCP snooping mitigates this attack by dropping server messages that arrive on untrusted ports.
37
Q
- Which method can be used to stop ping sweep scans?
A. Deploying host intrusion detection systems
B. Deploying network intrusion detection systems
C. Blocking RFC 1918 addresses at the perimeter
D. Blocking ICMP echo-requests and echo-replies at the perimeter
A
- D. Attackers use ping sweep scans to discover hosts on a network: an ICMP echo request is sent to each address in a range and the echo replies reveal which addresses are live. When ICMP echo requests and replies are blocked at the perimeter, an outside attacker cannot enumerate the network this way (other discovery methods, such as TCP or UDP probes, are unaffected).
38
Q
- Which appliance can be used to mitigate denial of service attacks?
A. Honeypots
B. IDS
C. IPS
D. HIDS
A
- C. An intrusion prevention system (IPS) will help mitigate denial of service attacks. Common features of IPS can be found in the Cisco Adaptive Security Appliance.
39
Q
- Which is a common attack method used to attempt to gain access to a system using a false identity?
A. Denial of service
B. Distributed denial of service
C. IP address spoofing
D. Session hijacking
A
- C. IP address spoofing is a common attack method used to attempt to gain access to a system by spoofing the originating IP address.
40
Q
- Which method would prevent tampering of data in transit?
A. Access control lists
B. Spoofing mitigation
C. Secure Sockets Layer
D. Encryption of the data
A
- C. Secure Sockets Layer (SSL), today superseded by Transport Layer Security (TLS), provides integrity protection of the data (a message authentication code or authenticated encryption on every record) as well as authentication of the server via its certificate, so tampering in transit is detected end to end. Encryption on its own (option D) provides confidentiality but does not by itself detect modification of the data.
41
Q
- A rogue wireless access point is created with the same SSID as the corporate SSID. The attacker has employees connect to the SSID and watches the information as it is relayed to the original SSID. What type of attack is described here?
A. Smurf attack
B. Compromised key attack
C. Sniffer attack
D. Man in the middle attack
A
- D. This attack is called a man in the middle attack. The attacker sits in the middle of communications and relays it back while capturing it and possibly modifying it.
42
Q
- What can you use to protect against spoofing of internal IP addresses on the perimeter of your network?
A. Access control lists
A
- A. Access control lists are an effective way to mitigate spoofing of internal IPs from outside the trusted network.
43
Q
- Which is a requirement for the use of DHCP snooping to protect a device?
A. The device is on a layer 2 switched port on the same VLAN.
B. The DHCP server is running on the layer 2 switch.
C. The device is on a layer 3 routed port on the same VLAN.
D. Configuration of a dedicated IP for monitoring DHCP transactions.
A
- A. A requirement of DHCP snooping is that the device is on the VLAN that DHCP snooping is monitoring.
44
Q
- What attack vector can be used for a man in the middle attack?
A. DHCP
B. DNS
C. Wireless
D. All of the above
A
- D. Any service that lets the attacker insert themselves into a connection can be used as an attack vector. With DHCP, a rogue server hands the client a default gateway (or DNS server) that is the attacker's IP address. With DNS, the attacker spoofs a reply so the name resolves to the attacker's host. With wireless, a rogue access point with the corporate SSID relays the client's traffic.
45
Q
- What is the default mode port configured on a switch for DHCP snooping?
A. Trusted
B. Internal
C. External
D. Untrusted
A
- D. The default mode of switchports on a switch configured with DHCP snooping is untrusted. An admin must trust ports manually.
46
Q
- Which VLAN is the default native VLAN for Cisco switches?
A. VLAN1
B. VLAN 2
C. VLAN 255
D. VLAN1024
A
- A. The default native VLAN for Cisco switches is VLAN 1.
47
Q
- You have just configured DHCP snooping. Which ports should be trusted?
A. Ports connecting to clients
B. Ports connecting to web servers
C. Ports connecting to other switches
D. Ports connecting to the DNS server
A
- C. Ports connecting to trusted infrastructure devices such as other switches and routers should be trusted, because legitimate DHCP server traffic (Offer and Acknowledgment messages) arrives through them. The port facing the DHCP server or DHCP relay itself must also be trusted. Ports to clients and to ordinary servers stay untrusted.
48
Q
- Which is a correct statement about how DHCP snooping works?
A. Untrusted ports allow Discover and Offer messages to be switched.
B. Untrusted ports drop Discover and Offer messages.
C. Untrusted ports drop Offer and Acknowledgment messages.
D. Untrusted ports allow Offer and Acknowledgment messages to be switched.
A
- C. Untrusted ports drop DHCP Offer, Acknowledgment and NAK messages, the messages only a server sends. The only device that should offer and acknowledge addresses is the DHCP server, reached through a trusted port. Client messages (Discover, Request) are still forwarded from untrusted ports, subject to the rate limit and the binding checks.
49
Q
- Which attack can be used on a native VLAN?
A. Double tagging
B. VLAN traversal
C. Trunk popping
D. Denial of service
A
- A. Double tagging is an attack that abuses the native VLAN. The attacker sends a frame carrying two 802.1Q tags: the outer tag is the trunk's native VLAN, the inner tag is the VLAN the attacker wants to reach. The first switch strips the outer tag, because frames for the native VLAN are sent untagged across the trunk, and forwards the frame with the inner tag still in place. The next switch reads that inner tag and delivers the frame into the target VLAN. The attack only works when the attacker's access port is in the trunk's native VLAN, and it is one-way: replies cannot come back by the same route.
50
Q
- Which command is used to view the DHCP snooping database?
A. Switch#show dhcp binding
B. Switch#show ip dhcp binding
C. Switch#show ip dhcp snooping database
D. Switch#show ip dhcp snooping binding
A
- D. The command show ip dhcp snooping binding will display the DHCP snooping database. This database will have entries for the MAC address, IP address, lease time, VLAN, and interface.
51
Q
- Which command is used to configure the port of a switch as trusted for DHCP
snooping?
A. Switch(config-if)#ip dhcp snooping trust
B. Switch(config-if)#dhcp snooping trust
C. Switch(config)#ip dhcp snooping trust interface gi 2/3
D. Switch(config-if)#ip dhcp trust
A
- A. The command ip dhcp snooping trust will configure the interface as a trusted port.
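The DHCP snooping cards above as one complete switch configuration, added here and not part of the original flashcards. VLAN numbers, interface roles and the rate limit are assumptions; the option 82 line is the caveat most often missed when snooping is first turned on.

```cisco
! Added example: DHCP snooping on an access switch. VLANs, interface roles
! and the per-port rate limit are assumptions.
!
! Global enable, then per VLAN. Both are required; "ip dhcp snooping" on
! its own inspects nothing.
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Caveat: with snooping on, the switch inserts DHCP option 82 (relay agent
! information) into client packets. Servers and upstream relays commonly drop
! option-82 packets from an untrusted source, which looks like "DHCP stopped
! working". Leave insertion off unless the relay/server is set up for it.
no ip dhcp snooping information option
!
! Keep the binding table across reloads (optional).
ip dhcp snooping database flash:dhcp-snooping.db
!
! Trusted: only ports through which legitimate server messages arrive,
! i.e. uplinks to other switches/routers, or the DHCP server port itself.
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
!
! Untrusted (the default): client ports. OFFER/ACK/NAK arriving here are
! dropped, which defeats a rogue server. The rate limit caps client DHCP
! packets per second to stop a starvation flood; exceeding it err-disables
! the port, so pair it with recovery.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
errdisable recovery cause dhcp-rate-limit
!
! Verification:
! Switch# show ip dhcp snooping           enabled VLANs, trusted ports, rate limits
! Switch# show ip dhcp snooping binding   MAC, IP, lease, type, VLAN, interface
```

A rate limit of 10 per second is generous for a single client port; normal clients send a handful of DHCP packets at boot. Set it low enough that a starvation tool trips it, and watch show ip dhcp snooping binding fill up after the first lease renewals to confirm the trusted port was chosen correctly.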
52
Q
- Why should you always change the native VLAN?
A. The native VLAN contains frames from all VLANs.
B. The native VLAN is configured on all switches for logging.
C. The native VLAN is the default on all switchports.
D. The native VLAN provides no encryption.
A
- C. VLAN 1 is the default native VLAN and the default access VLAN on every switchport. It is easy for a user port to end up in VLAN 1 by accident, and VLAN 1 is often where management traffic and switch control protocols live, which gives such a user a path into the switching and routing infrastructure and makes the double-tagging attack possible. Changing the native VLAN on trunks to an unused VLAN removes that overlap.
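The native VLAN change and the double-tagging mitigation from the two cards above as a trunk and access-port configuration, added here and not part of the original flashcards. VLAN numbers and interface names are assumptions.

```cisco
! Added example: taking the native VLAN out of play. VLAN numbers and
! interface names are assumptions.
!
! An unused VLAN with no hosts in it becomes the native VLAN on every trunk,
! and a second one is used to park unused ports.
vlan 999
 name NATIVE_UNUSED
vlan 666
 name PARKING
!
interface GigabitEthernet1/0/24
 description trunk to distribution
 switchport mode trunk
! No DTP: an attacker on an access port cannot negotiate a trunk.
 switchport nonegotiate
! Double tagging needs outer tag == trunk native VLAN == attacker's access
! VLAN. Moving the native VLAN to 999, which carries no users, breaks that.
 switchport trunk native vlan 999
! Prune the trunk. 999 is deliberately absent, so untagged frames arriving
! on the trunk have nowhere to go and are dropped.
 switchport trunk allowed vlan 10,20,30
!
! Access ports: never leave a user in VLAN 1 or in the native VLAN.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: park them in a dead VLAN and shut them down.
interface range GigabitEthernet1/0/25 - 48
 switchport mode access
 switchport access vlan 666
 shutdown
!
! Platform-dependent extra (Catalyst 4500/6500 and some others): tag the
! native VLAN too, so no untagged path exists on trunks at all.
! Switch(config)# vlan dot1q tag native
!
! Verification:
! Switch# show interfaces trunk     native VLAN, allowed VLANs, DTP status per trunk
```

show interfaces trunk is the quick audit: every trunk should report native VLAN 999 (or whatever was chosen) and no trunk should list VLAN 1 among its allowed VLANs unless something genuinely needs it.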
53
Q
- Which technology will give selective access to the network based upon authentication?
A. 802.1Q
B. ACLs
C. 802.1x
D. Firewall
A
- C. 802.1x allows selective access to a network at layer 2. It allows this on the switch because the switch acts as an authenticator to an AAA server, only allowing access after the user or device has been authenticated.
54
Q
- What is the end device that sends credentials for 802.1x called?
A. Authenticator
B. Supplicant
C. AAA server
D. RADIUS server
A
- B. The end device that sends credentials is called the supplicant. The supplicant is a piece of software in the operating system that supplies the credentials for AAA authentication.
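The three 802.1X roles from the last two cards (supplicant, authenticator, AAA server) in a switch configuration, added here and not part of the original flashcards. The RADIUS server address, the shared secret placeholder, the interface and the guest VLAN are assumptions.

```cisco
! Added example: 802.1X on an access port. The switch is the authenticator;
! the client's 802.1X software is the supplicant; RADIUS is the AAA server.
! Server address, shared secret, interface and guest VLAN are assumptions.
!
aaa new-model
radius server ISE-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa authentication dot1x default group radius
!
! Turn 802.1X on globally; without this line the interface commands are inert.
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
! Authenticator role: relay EAP from the supplicant to RADIUS and open the
! port only on Access-Accept. ("dot1x port-control auto" on older IOS.)
 dot1x pae authenticator
 authentication port-control auto
! Optional: hosts with no supplicant (printers, phones without 802.1X) land
! in a restricted guest VLAN instead of being blocked outright.
 authentication event no-response action authorize vlan 99
!
! Verification:
! Switch# show dot1x all summary                         per-port PAE role and state
! Switch# show authentication sessions interface gi1/0/5  who authenticated, how, which VLAN
```

Until the supplicant has authenticated, the only traffic the authenticator forwards on that port is EAPOL, which is what "selective access at layer 2" means in practice; the guest VLAN is the deliberate exception for devices that can never authenticate, and it should be firewalled accordingly.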