Cram Deck Flashcards
A Type __ password is a cleartext password
Type 0
A Type 7 password is one that uses the algorithm from what cipher?
the Vigenere cipher
The Enhanced Password Security feature can be used to configure ____ hashing of passwords for the username command
MD5
ISE aims to deliver what?
ISE aims to deliver consistent access control across multivendor networks (wired & wireless) and remote connections. It also aims to provide superior visibility into who is accessing your valuable network resources
What TCP areas other than TTL are often targeted by hackers?
Window Size, Don’t Fragment (DF) bit, Type of Service (TOS)
Managed devices serve what purpose?
Managed devices are those devices that are installed on different network segments for monitoring traffic
Memory Threshold Notification can mitigate what conditions?
low-memory conditions on a router
How are managed devices deployed?
Managed devices can be deployed passively to gather detailed information about the various network issues. They can also be deployed inline in order to affect the flow of traffic via access control.
After a network address is subnetted the last subnet obtained is being referred to as:
all-ones subnet
What tool can you use to manage virtual managed devices?
Virtual managed devices do not have web interfaces - you need to use the CLI
You may use _________ to identify the type and rate of traffic that reaches the control plane of the router.
Control Plane Policing
To enable dynamic NAT on an interface, what must you define first (and what command would need to be used)?
standard IP access-list, using the access-list command.
In the context of FireSIGHT System, Network-based objects can represent:
IP addresses and networks, port/protocol pairs, VLAN tags, security zones, and geolocation …etc.
What tool can you use to manage ASA FirePOWER devices?
The ASA FirePOWER devices rely on their own management applications such as the ASDM and the CSM for configuration.
You may prevent the router from sending ICMP redirects via what command?
no IP redirects
Control Plane Policing may be performed through the use of what?
Control Plane Policing may be performed through the use of granular classification ACLs, logging, as well as the use of the show policy-map control-plane command.
What is GTSM and what does it do?
Generalized TTL-based Security Mechanism is a TTL-based security protection method that uses the TTL value of IP packets for ensuring that the BGP packets received are from a directly connected peer which is real and legitimate.
Peer authentication via MD5 is desirable or not, and why?
Peer authentication via MD5 is desirable as it creates an MD5 digest of each packet that is sent as part of a BGP session.
What command can you use to determine if IPS is currently configured?
show subsys name ips
Device stacking can be used to increase what?
Device stacking can be used to increase what?
What command can you use to look into the contents of the ARP cache and sort out all IP entries?
show ip arp
To allow hosts with no knowledge of routing to determine the MAC addresses of hosts on other networks, you need to use:
ip proxy-arp
You may use __________ to create an IPS rule.
You may use __________ to create an IPS rule.
You may create a mobility area with a router via what command?
ip mobile arp
What is TVR and what is it for?
Target Value Rating TVR is what is used for developing security policies that can be stricter for some resources than others.
What refers to feedback that can be used for controlling the level in which a user chooses to take actions for minimizing false positives?
Event Risk Rating ERR
The default behavior for IP directed broadcasts can be changed via what command?
ip directed-broadcast
You can use what command to specify a broadcast address which is different from the default one?
ip broadcast-address
The FireSIGHT System can accommodate named objects. What are these objects?
They are a form of reusable configuration.
LEAP was eventually replaced by what?
PEAP
LCP is responsible for:
establishing, setting-up, and terminating point-to-point links
With ___________ there is a dedicated VLAN created to trunk mirrored packets between two switches.
RSPAN
With Local SPAN, where are the destination and source ports located?
on the same local switch
Configuration revision number is carried by what advertisement?
VTP advertisement
You use __________ to enable authentication proxy for AAA.
aaa authorization auth-proxy default
A VLAN is identified with an ID number from 1 to _________ with the enhanced software image.
4094
Your switch must be in _________mode in order to implement VLAN IDs from 1006 to 4094.
VTP transparent mode
The IronPort ___-Series targets email security.
The IronPort C-Series
You may want to statically assign which ports will become the member of your VLAN via the _____________ command.
vlan-membership
LUN Masking is a process of what nature?
LUN Masking is an authorization process.
With ISE, the possible personas include:
Administration, Policy Service, and Monitoring.
To come up with a list of all VLAN IDs on a switch you need to use what command?
show running-config vlan
What will happen when you have a VLAN deleted?
When you have a VLAN deleted, the ports assigned to that VLAN will become inactive but will remain associated with the VLAN until you manually assign them to another VLAN.
In the context of ISE, a node refers to:
the individual instance that runs the Cisco ISE software.
STP is intended for providing:
path redundancy (and preventing network loops)
__________ can be constructed and applied to specific infrastructure related connections from hosts that need to access specific network infrastructure devices.
Infrastructure access control lists iACLs
What feature is for protecting the Cisco 12000 routers’ gigabit route processor (GRP) from unnecessary and potentially dangerous traffics?
Receive ACLs
Which firewall feature allows a packet to avoid redundant ACL checks?
Firewall ACL Bypass
In order to define a reflexive access list, you need to create an entry in an extended named IP access list with the __________ keyword.
reflect
You may use _____________ to enable TCP intercept.
ip tcp intercept list
To enable Turbo ACL, you need to run the ___________ command in global configuration mode.
access-list compiled
You can use _____________ to show issues that are preventing the routers from forming adjacency.
debug ip ospf adj
_____________ is a definite course of action considered to be expedient, prudent or advantageous in guiding security.
policy
___________ is a Cisco model that defines a structure of security objectives and supporting security actions for organizing security controls.
Cisco Security Control Framework SCF
____________ describes a point in time measure of the security state of the concerned IT infrastructure.
Security Posture
____________ aims to provide best practice information on designing and implementing secure networks.
Cisco’s secure blueprint for enterprise networks SAFE
_____________ is for subdividing the infrastructure along different functional boundaries.
Functional Blocks
What feature allows you to apply access control policies across multiple object groups?
PBACL
VACL works at which layer (choose all that apply):
Filtering can be done either through a Layer 2 port or through a Layer 3 port after getting routed.
PBACL works at which layer?
layer 3 only
What is Security Intelligence feed?
A Security Intelligence feed is simply a dynamic collection of IP addresses downloaded at an interval you specify.
Lock-and-key has to be configured via what kinds of access lists?
IP dynamic extended access lists
Are Reflexive ACLs session filtering ACLs?
Yes.
For the initial configuration of an ASA FirePOWER module, you should use what tool?
the CLI
CAM table overflow can be mitigated via what measures?
One can flood the switch with invalid-source MAC addresses until the CAM table is full. Port security can be deployed against this attack.
DHCP snooping aims to protect against what attack?
DHCP snooping aims to protect against rogue DHCP Servers.
What command can you use to set a rate limit for DHCP snooping?
ip dhcp snooping rate
What measures can be used against ARP Cache Poisoning and ARP Spoofing?
Dynamic ARP Inspection DAI
What technique limits the ports within a VLAN that can communicate with other ports on the same VLAN?
Private VLAN
STP root bridge attack can be defended against via what measures?
Configuring Rootguard and BPDUGuard on the switch port.
With _____________, one configures a system to spoof as a switch by emulating either ISL or 802.1q signaling along with Dynamic Trunk Protocol DTP signaling.
switch spoofing
