DECK Flashcards

1
Q

What is the attack vector used in a phishing attack?

A. Email
B. Phone
C. LAN
D. Modem

A

A. Email

A phishing attack is an email-based attack in which an email is sent to a user in hopes of convincing him to click on a link to a web site, which will appear to be a web site the user trusts. When the user logs into the fake site, the hacker collects his login credentials.

Some other common social engineering attacks are:

  1. Shoulder surfing - watching someone when they enter sensitive data.
  2. Tailgating - following someone through a door unlocked with someone else’s credentials.
  3. Vishing - a special type of phishing that uses VoIP.
  4. Whaling - a special type of phishing that targets a single power user.
2
Q
Which of the following instances of malware was deliberately deployed against critical IT targets?
A. Heartbleed
B. Flame
C. Melissa
D. Michelangelo
A

B. Flame

Both the Flame and Stuxnet viruses are examples of cyber warfare, supposedly a part of the US cyberattack strategy codenamed Olympic Games. Discovered in 2012, Flame is a scanning and capture malware deployed across computers in the Middle East. Stuxnet was a coordinated multi-zero-day Windows exploit that is believed to have been used to degrade the nuclear program of Iran in 2010.

Heartbleed attacks web sites using TLS security, and is otherwise known as the OpenSSL heartbeat extension vulnerability.

Melissa was a mass-mailing macro virus that originated in Microsoft Word and spread through the victim's Outlook address book.

Michelangelo was a boot sector virus that launched annually on March 6. None of these attacks was targeted at a state or country's critical military infrastructure, so they are not considered cyber warfare.

3
Q
Threat mitigation is a security control that best supports which of the following?
A. Defense in depth
B. Least privilege
C. Need to know
D. Dual control
A

A. Defense in depth

Defense in depth is a concept that prescribes the application of layers of security controls. One of those is performing threat mitigation, which reduces the attack surface of the organization.

Least privilege is a concept that should drive the granting of permissions and privileges. It calls for only granting the minimum privileges for the user to get his job done. It is not supported by threat mitigation.

Need to know is a concept that prescribes that information should only be revealed to those who need to know the information to do their job. It is not supported by threat mitigation.

Dual control is one application of the separation of duties concept, which calls for multiple users to be present to perform sensitive operations. It is not supported by threat mitigation.

4
Q
Which of the following provides business partners with secure access to your network?
A. DMZ
B. Extranet
C. Intranet
D. Stuxnet
A

B. Extranet

An extranet is a logical portion of your network to which you allow access to other companies, vendors, or customers. You would place resources for these groups to access in your extranet. An extranet is created for the purpose of hosting resources for a specific group of outsiders, such as business partners or high-end clients. Access to an extranet is typically controlled by use of a VPN.

A demilitarized zone (DMZ) is a logical portion of the network that contains publicly accessible computers. That means it should contain no sensitive information and should be securely separated from the extranet and the intranet. Firewalls are used to protect local networks and create demilitarized zones (DMZs).

The intranet is the interior part of your network to which only authorized employees should have access. An intranet is a local area network (LAN) add-on that is restricted to certain users, usually a company’s employees. The data contained on it is usually private in nature. An extranet, on the other hand, has a wider boundary because it usually allows two or more companies to communicate and share private information.

Stuxnet is a computer virus and is not a type of network.

5
Q

Which statement is true of symmetric key algorithms?
A. They are slower than asymmetric key
B. They use different keys on each end
C. They use the same key on both ends
D. They are typically used for key exchange

A

C. They use the same key on both ends

Symmetric key algorithms use the same key on both ends to encrypt and decrypt.

Symmetric key algorithms are not slower. They are actually faster than asymmetric algorithms.

Symmetric algorithms do not use different keys on each end. That is a characteristic of asymmetric algorithms.

Symmetric algorithms are not used for key exchange; they are used to encrypt data. Asymmetric algorithms are used for key exchange. In asymmetric encryption, which is sometimes referred to as public key encryption, a user creates a public key and a private key pair. The user distributes the public key and retains the private key. Another user can then use the distributed public key to encrypt a file before sending that file to the owner of the private key. The owner then uses the private key to decrypt the received file.

6
Q
Which of the following is NOT a cloud service model?
A. SaaS
B. IaaS
C. PaaS
D. GaaS
A

D. GaaS

There is no cloud service model that uses the acronym GaaS.

Software as a Service (SaaS) is a model that delivers an entire solution including the infrastructure, platform, and the application.

Infrastructure as a Service (IaaS) is a model that delivers only the hardware and access to the hardware to the customer. The customer is responsible for managing applications, data, runtime, middleware, and OSes.

Platform as a Service (PaaS) is a model that delivers the hardware and software required to use the platform as a development environment.

7
Q
What command could you use to determine if a read-only string was used to attempt a write operation?
A. show snmp host
B. show snmp community
C. show snmp location
D. show snmp
A

D. show snmp

The show snmp command can be used. Below is a partial output of the command:

Router# show snmp
Chassis: 12161083
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    5 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
0 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    0 Trap PDUs

In the above output, you would look at the line with a value of 5 (Illegal operation for community name supplied) to find this information. That counter increments when a request is attempted that the supplied community string does not permit, such as a write using a read-only string.

The show snmp host command displays details such as IP address of the Network Management System (NMS), notification type, SNMP version, and the port number of the NMS. It does not show illegal operations related to the community string.

The show snmp location command displays the snmp-server location. It does not show illegal operations related to the community string.

The show snmp community command displays the Simple Network Management Protocol (SNMP) community access strings. It does not show illegal operations related to the community string.

8
Q

Examine the following output:
Router > show clock detail
15:29:03.158 PST Mon Mar 3 2015
Time source is NTP

Which of the following statements is true?
A. The time is user configured
B. The time is authoritative and the time source is NTP
C. The time source is not authoritative
D. The time source is a hardware clock

A

B. The time is authoritative and the time source is NTP

The output indicates the time source is authoritative and the time source is an NTP server. The time source will be listed in the output (in this case NTP) and the area to the left of the listed time will indicate one of three conditions:

Time is not authoritative (*)
Time is authoritative (blank)
Time is authoritative, but NTP is not synchronized (.)

In this case, there is nothing to the left of the time (it is blank), which indicates the time is authoritative.

The output does not indicate that the time source is user configured. If that were the case, it would be listed as below, stating this fact.

Router > show clock detail
*15:29:03.158 PST Mon Mar 3 2015
Time source is user configured

The output does not indicate that the time source is not authoritative. If that were the case, it would be listed as below with an asterisk before the time, indicating the time is not authoritative.

Router > show clock detail
*15:29:03.158 PST Mon Mar 3 2015
Time source is NTP

The output does not indicate that the time source is a hardware clock. If that were the case, it would be listed as below, stating this fact.

Router > show clock detail
*15:29:03.158 PST Mon Mar 3 2015
Time source is hardware calendar


9
Q

Which task can be completed on the AAA Summary page of CCP?
A. Create AAA server groups
B. Create policies to control authentication
C. Configure AAA servers
D. Enable AAA

A

D. Enable AAA

The only listed task that can be performed on this page is to enable AAA. In the screenshot below you can see it has the Enable AAA button.

See screen shot CCP_aaa-enable-1.jpg

10
Q

Which statement is FALSE with regard to the Cisco ACS?
A. ACS servers can be clustered
B. ACS servers cannot support multiple Active Directory forests
C. ACS can use multiple authorization profiles to allow or deny requests
D. ACS allows for the disabling of NetBIOS

A

B. ACS servers cannot support multiple Active Directory forests

One of the new features of ACS for Windows 4.2 is the ability to support multiple AD forests.

ACS servers can be clustered to provide scalability.

ACS servers can use multiple profiles when allowing or denying traffic.

Another new feature of ACS 4.2 for Windows is the ability to disable NetBIOS.

11
Q
Which of the following must be installed on a wireless Windows device to make remote locking of the device possible with ISE?
A. NAC agent for Windows
B. NAC Web Agent
C. Cisco Agent Desktop
D. Cisco Security Agent
A

A. NAC agent for Windows

The Network Access Control (NAC) agent for Windows must be installed. This agent installs and remains on the client and must be present to accept a remote wipe or remote lock.

The NAC Web Agent only provides temporary posture assessment and, as such, does not install itself on the device. Therefore, it cannot be used for this purpose.

The Cisco Agent Desktop is a computer telephony integration (CTI) solution for single- and multisite IP-based contact centers. It has nothing to do with ISE.

The Cisco Security Agent is an endpoint intrusion prevention system agent and has nothing to do with ISE.

12
Q

Which of the following commands will result in maintaining a record of failed authentication attempts?
A. aaa accounting commands 15 ACCCMDS stop-only group tacacs+
B. aaa accounting commands 15 ACCCMDS start-stop group tacacs+ groups radius
C. aaa accounting commands 15 ACCCMDS none group tacacs+ groups radius
D. aaa accounting commands 15 ACCCMDS stop group tacacs+ groups radius

A

A. aaa accounting commands 15 ACCCMDS stop-only group tacacs+

The only listed command that will result in the maintaining of a record of failed authentication attempts is:

aaa accounting commands 15 ACCCMDS stop-only group tacacs+

This command includes the parameter stop-only. This parameter will record the end of processes, which will include failed authentications.

The command aaa accounting commands 15 ACCCMDS start-stop group tacacs+ groups radius uses the start-stop parameter, which records the start and stop of processes. However, it only records authenticated processes, so it will not record failed authentications.

The command aaa accounting commands 15 ACCCMDS none group tacacs+ groups radius uses the parameter none, which disables accounting services on a line or interface.

The command aaa accounting commands 15 ACCCMDS stop group tacacs+ groups radius uses the parameter stop, which is not a valid parameter with the accounting command.

13
Q
When EAP-FAST is deployed, what is the function of the PAC?
A. Authenticates the device
B. Establishes the secured tunnel
C. Authenticates the user
D. Performs mutual authentication
A

B. Establishes the secured tunnel

The Protected Access Credential (PAC) is used to establish a secure tunnel prior to the authentication process. This allows it to support the use of passwords rather than certificates, while still protecting the passwords.

The PAC is not used to authenticate either the user or the device. EAP-GTC, TLS, and MS-CHAP are supported as inner authentication EAP methods.

The PAC does not perform mutual authentication. It merely is used to establish the secure tunnel.

14
Q

Your assistant configured the default ACL to apply to Access layer switches. It is intended to allow wired BYOD devices to supply valid credentials and connect to the network:

Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps log
20 permit udp any host 10.230.1.45 eq domain
30 permit icmp any any
50 deny ip any any log

Once implemented, how does this ACL affect wired BYOD devices?

A. It does not allow SSL, which is required.
B. It does not allow DNS, which is required.
C. It allows ICMP, which interferes with the process.
D. It does not allow TFTP, which is required.
E. It allows wired BYOD devices to connect to the network.

A

D. It does not allow TFTP, which is required.

This ACL will not allow TFTP, which is required. There are three protocols that, according to best practices, should be allowed in this list. They are:

BOOTP
TFTP
DNS

This line would add the required configuration to permit TFTP:

permit udp any any eq tftp

SSL is not required for this connection type, so blocking it will not be an issue.

DNS is required, but line 20 permits DNS as shown below:

20 permit udp any host 10.230.1.45 eq domain

15
Q

Which feature is enabled with the following command?

R2(config)# same-security-traffic permit intra-interface

A. NAT
B. Hairpinning
C. Split Tunneling
D. NAT traversal

A

B. Hairpinning

The same-security-traffic permit intra-interface global configuration command enables hairpinning. In hairpinning, IPSec-protected traffic from a VPN client is sent to another VPN user by allowing such traffic in and out of the same interface.

In the ASDM, you can enable hairpinning on the Configuration page. To do so, highlight the interface to be enabled for the feature and select the check box at the bottom of the screen that says “Enable traffic between two or more hosts connected to the same interface” as shown below: (see screen shot 210-260_2-hairpin.jpg)

The command does not enable Network Address Translation (NAT). Enabling NAT requires multiple steps, the specifics of which depend on the type of NAT to be deployed.

The command does not enable split tunneling. Split tunneling allows a VPN client to access the Internet directly without using the VPN, while using the VPN only to access specified subnets in the Intranet. It involves creating an ACL that specifies the network destinations that should use the VPN, specifying a split tunnel mode, and adding it to the policy controlling the VPN connection. On the ASDM, this is added to the policy, as shown below. In this case, there is a list named Split_Tunnel_List that specifies the only network destinations that should use the VPN. (see screen shot 210-260_3-split_tunnel.jpg)

The command does not enable NAT traversal. NAT traversal makes it possible to send IPsec traffic through a NAT interface. When NAT Traversal or NAT-T is used to allow IPsec to function in a NAT environment, IPsec traffic is encapsulated in UDP packets that are sourced from UDP port 4500. This is why part of the configuration of NAT-T is to create an ACL that allows traffic through UDP port 4500. The configuration is shown below:

ASA(config)# crypto isakmp nat-traversal

16
Q

Examine the command string:

ASA(config)# group-policy sales attributes
ASA(config-group-policy)# webvpn
ASA(config-group-policy)# anyconnect keep-installer installed none

What will be the result of executing the commands?

A. All VPN users will experience a longer connection time.
B. AnyConnect VPN users under the sales policy will experience slower connection times.
C. All AnyConnect clients will have a faster connection time.
D. All VPN users will experience a shorter connection time.

A

B. AnyConnect VPN users under the sales policy will experience slower connection times.

With these commands executed, all AnyConnect VPN users under the sales policy will experience slower connection times. This is because the anyconnect keep-installer none command prevents the permanent installation of the AnyConnect client. This means the client will be downloaded at every connection, slowing the connection time.

It will not cause all VPN users to experience a longer connection time. Only AnyConnect users that are controlled by the sales policy will have an issue. The fact that the command was executed after entering configuration mode for the sales policy limits it to the sales policy, and since the webvpn command was executed as well, that restricts it to AnyConnect clients.

It will not cause all AnyConnect clients to have a faster connection time. If the setting were left at the default, the client would install permanently the first time and subsequent connections would be faster. Moreover, this command will not affect all AnyConnect clients, but only those controlled by the sales policy.

It will not cause all VPN users to experience a shorter connection time. For one, it only applies to AnyConnect clients controlled by the sales policy. Secondly, it causes connections to be slower, not faster.

17
Q

Which of the following must be completed before you download the RDP plug-in in a VPN gateway?

A. Install the VNC plug-in.
B. Add a bookmark entry to display a link to the server.
C. Enable clientless SSL VPN on an interface.
D. Specify SSO

A

C. Enable clientless SSL VPN on an interface.

One of the prerequisites of installing the RDP plug-in is that clientless SSL VPN must be enabled in an interface. The RDP plug-in makes it possible to advertise an RDP menu option in the portal web page that clientless SSL VPN users arrive at after authentication. If the RDP plug-in is not present, users will not have the RDP menu option presented to them.

It is not required to install the VNC plug-in. While this is one of the plug-ins that is available to install, it is not related in any way to the RDP plug-in.

You do need to add a bookmark entry to display the link to the server, but it does not have to be done prior to installing the RDP plug-in. This bookmark is what directs the user to the ports page.

You also need to specify single sign on (SSO), but it is done when you add the bookmark and does not need to be done prior to installing the RDP plug-in.

18
Q

What command generated the following output?

IOS resilience router id JMX0704L5GH
IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
file size is 25469248 bytes, run size is 25634900 bytes
Runnable image, entry point 0x80008000, run from ram
IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes

A. show secure bootset
B. secure boot-image
C. secure boot-config
D. show secure config

A

A. show secure bootset

The output is from the show secure bootset command. This command verifies and displays the name of the hidden image and of the configuration file for configuration resilience. IOS Resilient Configuration is a feature that allows you to secure a copy of both the IOS and the startup configuration file that cannot be seen by using the dir command. Resilient Configuration makes it much easier to recover from a security event in which both original versions have been deleted. If that occurs, restoring from these copies is much faster than restoring the IOS and configuration file from backup on the network.

The secure boot-image command is used to create the hidden backup copy of the IOS. Once this command is executed, the IOS image will no longer appear when you execute the dir command unless you run it from ROMMON mode. Moreover, this feature cannot be disabled unless you are connected to the console port.

The secure boot-config command is used to create the hidden copy of the configuration file.

There is no Cisco command show secure config.

19
Q
Which of the following is NOT a function of the session management path?
A. Performing access list checks
B. Performing route lookups
C. Allocating new NAT translations
D. Checking TCP sequence numbers
A

D. Checking TCP sequence numbers

Checking TCP sequence numbers is not a function of the session management path. Packets undergoing stateful inspection are subjected to the session management path, and these are always new packets. Packets that are part of existing connections are sent on the “fast” path. On the “fast” path, the following functions may be performed:

  • IP checksum verification
  • Session lookup
  • TCP sequence number check
  • NAT translations based on existing sessions
  • Layer 3 and Layer 4 header adjustments

All packets that are new packets (new conversations) will go through the session management path first. After session establishment, subsequent packets will go to the fast path. Functions performed in the session management path are:

  • Performing the access list checks
  • Performing route lookups
  • Allocating NAT translations (new)
  • Establishing sessions in the “fast path”
20
Q

Which of the following components is the target when a CDP DoS attack is launched?

A. CAM table
B. MAC address table
C. CDP table
D. TCAM table

A

C. CDP table

Explanation:
A Cisco Discovery Protocol (CDP) DoS attack floods the CDP table, taking the switch offline and making it unreachable until the attack stops. Along with the fact that CDP frames are in clear text and contain lots of useful information for hackers, many administrators choose to disable CDP. This is an unfortunate situation, as CDP also provides useful error messages to the console about misconfigurations such as duplex mismatches on interfaces.

The Content Addressable Memory (CAM) table is not the target of CDP attacks, but it can be a target of a different attack. The CAM table, more commonly known as the MAC address table, can hold a limited number of MAC address to port mappings. A CAM overflow occurs when a hacker sends many fake MAC addresses to a port, causing the table to eventually fill. When that occurs, the switch will start forwarding all frames out of all ports.

The MAC address table is not the target of CDP attacks. This is simply another name for the CAM table.

The Ternary Content Addressable Memory (TCAM) table is not the target of CDP attacks. This table is related to the CAM table. These tables are found on multilayer switches. The TCAM table is an extension of the CAM table and allows a packet to be evaluated against an entire access list in a single table lookup.

21
Q

When a switch configured with root guard receives a superior BPDU, how will the switch react?

A. The interface on which it was received will enter a root inconsistent state.
B. All interfaces will enter a blocked state.
C. The interface on which it was received will shut down.
D. The switch will relinquish its role as root bridge.

A

A. The interface on which it was received will enter a root inconsistent state.

When a switch configured with root guard receives a superior BPDU, the interface on which the superior BPDU was received will enter a root inconsistent state. In this state no traffic will be passed, which will allow the switch to maintain its root bridge status. Recovery occurs as soon as the offending device ceases to send superior BPDUs. Bridge Protocol Data Units (BPDUs) are used by switches to communicate STP information. A superior BPDU is one that indicates that the sending switch has a lower (better) priority than the current root bridge.

It will not result in all interfaces entering a blocked state. The purpose of root guard is not to isolate the root bridge but to prevent the reception of the superior BPDUs.

The interface on which it was received will not shut down. No traffic will be passed. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

The switch will not relinquish its role as root bridge. The entire purpose of root guard is to ensure the current root bridge remains the root bridge.

22
Q

Which of the following statements is FALSE with respect to PVLANs?

A. A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANS.
B. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
C. Private VLANs can span multiple switches.
D. VTP version 2 supports private VLANs.

A

D. VTP version 2 supports private VLANs.

Neither VTP version 1 nor version 2 supports private VLANs. This means if you need private VLANs to span switches, you must manually create the private VLAN on each switch.

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains. The primary VLAN will include all devices in the Layer 3 subnet, while each PVLAN within the primary VLAN will be separated at Layer 2.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.

Private VLANs can span multiple switches; however, you must manually create the PVLAN on each switch. You cannot use VTP to accomplish this.

Note: VTP version 3 does support advertising PVLANs now.

23
Q

Which of the following is an alternative to using port forwarding that offers better performance for Clientless SSL VPN connections?

A. Smart Tunnels
B. Tunnel Groups
C. GRE Tunnels
D. Port Triggering

A

A. Smart Tunnels

Smart tunnels are a feature that can provide seamless access for native client-server applications running on devices that use clientless SSL VPN connections. They are configured as a list of applications that are allowed to use the clientless SSL VPN connection. They require no administrative privileges on the part of the client and offer better performance than utilizing port forwarding to accomplish the same goal.

Tunnel groups are not used as an alternative to port forwarding. They are used to specify details that apply to groups of users and use a group policy to define those details.

Generic Routing Encapsulation (GRE) tunnels are not used as an alternative to port forwarding. These are general purpose tunnels used to carry a traffic type across a network that doesn't support the traffic type (for example, IPv6 traffic across an IPv4 network).

Port triggering is not used as an alternative to port forwarding. Port forwarding redirects a communication request from one IP address and port number combination to another while the packets are traversing a network gateway. By contrast, port triggering opens an incoming port when the user’s computer is using a specified outgoing port for specific traffic.

24
Q

You need to provide separation between business units in your network. Which feature on the ASA would allow you to do this?

A. Security Contexts
B. Cisco MPF
C. Interface Security Levels
D. SPAN

A

A. Security Contexts

Security contexts can be used to provide this separation. Security contexts operate as separate virtual firewalls in the same physical ASA. These contexts can each have their own interfaces and configuration.

Cisco Modular Policy Framework (MPF) cannot be used to provide this separation. Modular Policy Framework is a command framework that can be used to create security policies for multiple features, including TCP and general connection settings, inspections, IPS, CSC, and QoS.

Interface security levels cannot be used to provide this separation. Interface security levels are used to specify the relative security of multiple interfaces on the ASA. Once these levels are established, they are used to control the behavior of various features in the ASA, such as filtering inspection and NAT.

The Switched Port Analyzer (SPAN) feature cannot be used to provide this separation. This feature enables the copying of all frames on all ports on a switch to a port configured for SPAN. It is usually used to allow a sniffer to capture all frames on a switch.

25
Q

Which of the following is NOT a configurable action for an ASA IPS sensor in inline mode?

A. Deny Packet Inline.
B. Deny Network Inline.
C. Deny Connection Inline.
D. Deny Attacker Inline.

A

B. Deny Network Inline.

Deny network inline is NOT a configurable action for an ASA IPS sensor in inline mode. The IPS can perform blocking of traffic, or it can drop packets when an attack is occurring.

Blocking and dropping are not the same function. There are three drop actions that can be configured for a sensor in inline mode. They are:

Deny packet inline
Deny connection inline
Deny attacker inline

While there is no drop action called deny network inline, there is a blocking action called network block. However, while this is supported on the sensors, connection blocks and network blocks are not supported on the ASA.

26
Q

Which of the following attacks would be best mitigated with the rate-based preprocessing engine of the ASA Firepower module?

A. SYN Flood
B. Port Scans
C. Loss of sensitive data
D. Back Orifice attacks

A

A. SYN Flood

SYN flood attacks, like all DoS attacks, attempt to overwhelm the target with huge amounts of traffic. Rate-based preprocessing identifies these types of attacks by recognizing that the traffic is coming in a rate that far exceeds normal traffic patterns.

Port scans cannot be mitigated with the rate-based preprocessing engine of the ASA Firepower module. The ASA Firepower module has a port scan detection feature that is more appropriate for this type of reconnaissance.

The loss of sensitive data cannot be prevented with the rate-based preprocessing engine of the ASA Firepower module. Sensitive data preprocessor rules are used to prevent configured types of information from leaving the network.

Back Orifice attacks cannot be prevented with the rate-based preprocessing engine of the ASA Firepower module. The Back Orifice preprocessor analyzes UDP traffic for the Back Orifice magic cookie, “* !*QWTY? “, which is located in the first eight bytes of the packet and is XOR-encrypted.

Reference: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-Threat-Detection.html#pgfId-1530827

27
Q

Which of the following components of the ASA Firepower module become effective under configurable conditions?

A. Rate-based preprocessing engine.
B. Dynamic Rule States
C. SMTP preprocessor engine.
D. Sensitive data preprocessor rule

A

B. Dynamic Rule States
D. Sensitive data preprocessor rule

Dynamic Rule States are rule states that become effective under configurable conditions. Sensitive data preprocessor rules are used to prevent configured types of information from leaving the network and also become effective under configurable conditions.

The SMTP preprocessor engine cannot become effective under configurable conditions. This component can extract and decode email attachments in client-to-server traffic. You must enable SMTP preprocessor rules, which have a generator ID (GID) of 124, if you want these rules to generate an event.

A rate-based preprocessing engine cannot become effective under configurable conditions. This class of preprocessing engine identifies DoS attacks by recognizing that the traffic is coming in at a rate that far exceeds normal traffic patterns.

Reference: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/NAP-App-Layer.html#pgfId-1534626

28
Q

Which type of IPS identifies unusual traffic outside of normal traffic patterns?

A. Honeypot-based
B. Signature-based
C. Policy-based
D. Anomaly-based

A

D. Anomaly-based

An anomaly-based IPS is one that identifies attacks based on traffic that is outside of the normal traffic pattern. Its purpose is not to collect information about attacks.

A honeypot-based IPS is not one that identifies attacks based on traffic that is outside of the normal traffic pattern. It collects information about attacks. It can confuse and delay attackers as well as gather information.

A signature-based IPS is not one that identifies attacks based on traffic that is outside of the normal traffic pattern. It uses a database of attack signatures to identify attacks.

A policy-based IPS is not one that identifies attacks based on traffic that is outside of the normal traffic pattern. It uses a configured policy to identify attacks.

29
Q

Which of the following is a supported method of communicating SDEE events?

A. SSH
B. HTTP
C. IPSec
D. GRE

A

B. HTTP

Security Device Event Exchange (SDEE) is a standard format for security devices to communicate security events to one another. The devices can communicate these messages using either HTTP or HTTP over SSL/TLS.

Secure Shell (SSH) cannot be used to communicate SDEE messages. SSH is a protocol used to secure a remote command line session.

While IPsec can be used to secure the transport of SDEE messages, it cannot be used to communicate SDEE content. That is done using either HTTP or HTTP over SSL or TLS.

Generic Routing Encapsulation (GRE) cannot be used to communicate SDEE content. GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

30
Q

You need to configure URL filtering to prevent users from intentionally or accidentally connecting to a website known to infect systems with malware. In the SDM, what option do you choose to specify the problematic URL?

A. Local URL List
B. URL Filter Servers
C. Zone Pairs
D. Blacklist

A

A. Local URL List

The Local URL List option is used to add to what is called the local URL list. From a higher level, the steps to implement URL filtering are:

  1. Enable URL filtering on the perimeter router.
  2. Add the URLs you want to block to the router's local URL list.

The option to access and add to the Local URL List is shown below: (see screen shot 210-260_4-URLlista.jpg)

You would not choose URL Filter Servers. This option is used to specify the URL filtering server, which is the other of the two steps in this process. The filtering server will use a dynamically generated list of problem URLs, which may not include the one you would like to block.

You would not choose Zone Pairs. This selection is used to implement a zone based policy. It is used to specify a unidirectional firewall policy between two security zones.

Despite the attractiveness of the option, there is no Blacklist option in the SDM.

31
Q

Which of the following is an organization that educates users and other organizations about common web site vulnerabilities?

A. NIST
B. OWASP
C. OSSTMM
D. ISSAF

A

B. OWASP

The Open Web Application Security Project (OWASP) offers several ways to help organizations to secure web infrastructures, including by providing education about common web site vulnerabilities. They also have created a number of tools, guides, and testing methodologies that are free for anyone to use. They publish a list of top 10 web vulnerabilities.

The National Institute of Standards and Technology (NIST) is a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. The NIST 800-115 is a Technical Guide to Information Security Testing that provides guidance and a methodology for reviewing security that is required for the U.S. government’s various departments to follow. It is NOT focused solely on common Web site vulnerabilities.

The Open Source Security Testing Methodology Manual (OSSTMM) is a free methodology to conduct security testing in a thorough and repeatable manner developed under the Creative Commons License. It is NOT focused solely on common Web site vulnerabilities.

The Information Systems Security Assessment Framework (ISSAF) is one of the largest free-assessment methodologies available. It is focused on the business aspect of security, and on a penetration test framework. It is NOT focused solely on common Web site vulnerabilities.

32
Q

Which of the following statements is true with regard to the following command?

li-view cisco user intercept password secrets

A. It initializes a lawful intercept view.
B. It configures a lawful intercept user account.
C. The username is cisco.
D. It configures an intercept of the user cisco.

A

A. It initializes a lawful intercept view.

This command initializes a lawful intercept view. These views are created in case they are requested by law enforcement as a part of an investigation. The command initializes a view and associates it with the account and password in the same line. Multiple accounts can be set here as well.

Moreover, this command will not work in global configuration mode unless you first run the following command at the user mode prompt:

R3 > enable view

This command enables root view, and when you run the command, you will be prompted for the privilege Level 15 (admin) password.

Once you have created the view, you create a user account that matches the username and password specified in the command. Accessing the view will require this username and password.

The command does not configure a lawful intercept user account. While it specifies the account to be used to access the view, creating the account is a separate step.

The username is not cisco. That is the lawful intercept password. The username is intercept. The syntax is:

li-view li-password user username password password

It does not configure an intercept of the user cisco. The word cisco is the LI password and the word intercept is the username.

33
Q

Which of the following is considered a Type 2 OSPF authentication?

A. Null authentication
B. SHA-1
C. Plaintext
D. MD5

A

D. MD5

When MD5 authentication is used to secure routing updates between OSPF routers, it is called Type 2 authentication. There are three possible methods of OSPF authentication available:

Null authentication (none) - referred to as Type 0
Plaintext passwords - referred to as Type 1
Message Digest 5 (MD5) - referred to as Type 2

While plaintext sends the credentials in clear text, MD5 does not and is the most secure. MD5 is a one-way hashing algorithm that produces 128-bit checksums.

Secure Hash Algorithm (SHA-1) is not a supported authentication method for OSPF.

34
Q

You have configured two authentication keys on your OSPF router to be used with MD5 authentication. You would like the router to begin transmitting the first key at 14:32:00 local time on Dec 31 2016 and continue using the key indefinitely. Which of the following commands will configure the specified key?

A. send-lifetime local 14:32:00 31 December 2016 infinite
B. send-lifetime local 14:32:00 31 Dec 2016 infinite
C. send-lifetime local 14:32:00 December 31 2016 infinite
D. send-lifetime local 14:32:00 31 December 2016 indefinite

A

B. send-lifetime local 14:32:00 31 Dec 2016 infinite

The correct command is send-lifetime local 14:32:00 31 Dec 2016 infinite. The syntax of the send-lifetime command is as follows:

send-lifetime start-time {infinite | end-time | duration seconds}

The start-time parameter has some specific syntactic requirements. The syntax can be either of the following:

hh:mm:ss Month date year
hh:mm:ss date Month year

The parameters are defined as follows:

hh - hours
mm - minutes
ss - seconds
Month - first three letters of the month
date - date (1 - 31)
year - year (four digits)

The default start time and earliest acceptable date is January 1, 1993.

The commands send-lifetime local 14:32:00 31 December 2016 infinite and send-lifetime local 23:59:00 December 31 2016 infinite are incorrect because the month must be a three-letter abbreviation.

The command send-lifetime local 14:32:00 31 December 2016 indefinite is incorrect because the month is not a three-letter abbreviation and the parameter indefinite does not exist. The correct parameter is infinite.

35
Q

CPPr is designed to protect which component?

A. Session Management path
B. Control Plane
C. CEF
D. Data Plane

A

B. Control Plane

Control Plane Protection (CPPr) is used to restrict and/or police control plane traffic destined to the route processor. This traffic is typically referred to as the control plane. There are two available options to protect the control plane. They are CPPr and Control Plane Policing (CoPP).

CPPr is not designed to protect the session management path. This path is related to the stateful inspection function, not the control plane. Initial packets of conversations undergoing stateful inspection are subjected to the session management path.

CPPr is not designed to protect Cisco Express Forwarding (CEF). CEF is mainly used to increase packet switching speed by reducing the overhead and delays that are introduced by other routing techniques. Although it is required for CPPr, it is not protected by it.

CPPr is not designed to protect the data plane. It is used to restrict and/or police control plane traffic destined to the route processor. The data plane is where forwarding takes place while the control plane is where the forwarding decision is made.

36
Q

Which of the following actions takes place first when you connect two switches with redundant links?

A. Root ports are chosen
B. Designated ports are chosen
C. A blocking port is chosen
D. A root bridge is chosen

A

D. A root bridge is chosen

Even when the STP topology is as simple as two switches with two links between them, the operation of STP is the same. The steps are:

  1. One of the two switches will be elected root bridge based on their priorities.
  2. Both ports on the root bridge will be set to designated and will forward.
  3. One of the ports on the non-root bridge will be set to root and will forward.
  4. The remaining port on the non-root bridge will be set to blocking and will block.

37
Q

You need to use the ASDM to make changes to the ASA configuration to allow hosts on the outside network to establish an HTTP session to the DMZ server. The hosts on the outside will need to use the 225.16.3.6 public IP address when connecting to the DMZ server. The HTTP server has a private IP address of 172.16.1.2. Which of the following steps will be a part of the configuration?

A. Create a NAT object under NAT Rules.
B. Create a NAT object under Service Policy Rules.
C. Create a firewall rule to allow HTTP access under Service Policy Rules.
D. Create a firewall rule to allow HTTP access under AAA Rules.

A

A. Create a NAT object under NAT Rules.

There are two steps that must be completed. First, you must create a NAT object under NAT Rules that maps the public address to the private address, as shown in the graphic below: (see screen shot 210-260_5-NAT_obj.jpg)

Next, you must create a firewall rule to allow the HTTP traffic under Access Rules as shown in the following exhibit. The rule shown below allows traffic to 172.16.1.2 using HTTP: (see screen shot 210-260_6-accs_rule.jpg)

NAT objects are not created under Service Policy Rules. They are created under NAT Rules.

Firewall rules to allow HTTP access are created neither under Service Policy Rules nor under AAA Rules. They are created under Access Rules.

38
Q

Which of the following represents the equivalent of separate physical firewalls in the ASA?

A. Configuration partitions
B. Security Contexts
C. Execution Spaces
D. Multiple Mode

A

B. Security Contexts

Security contexts operate as separate virtual firewalls in the same physical ASA. These contexts can each have their own interfaces and configurations. In any scenario where compliance with industry or government security requirements is an issue, each security context can use rules to prevent any vulnerabilities those requirements or measures are designed to address.

Configuration partitions is not a term used when discussing the ability of an ASA to function as separate virtual firewalls in the same physical ASA.

Execution spaces are not the equivalent of separate physical firewalls in the ASA. The system execution space is an area created when the ASA is placed in multiple mode, thereby enabling multiple security contexts. It is from the system execution space that contexts are created.

Multiple mode is not the equivalent of separate physical firewalls in the ASA. Multiple mode is a mode that the ASA can be set to in which multiple security contexts become possible.

39
Q

Which value is used by Firepower services in the ASA to indicate the total number of bytes transmitted by the session initiator?

A. Initiator bytes
B. Application tags
C. Impact flags
D. URL reputation

A

A. Initiator bytes

Initiator bytes are used by Firepower services in the ASA to indicate the total number of bytes transmitted by the session initiator.

Impact flags of various colors are used to indicate the potential severity of an attack. Flags result from the correlation between intrusion data, network discovery data, and vulnerability information.

Application tags characterize each application to help you understand the application’s function.

URL reputation describes the reputation associated with the URL requested by the monitored host during the session, if available.

40
Q

Examine the dialog box: (see screen shot 210-260_7-SDEE.jpg)

What types of messages are displayed?

A. SDEE messages
B. Service messages
C. Signature messages
D. String messages

A

A. SDEE messages

The messages are Security Device Event Exchange (SDEE) messages. SDEE is a standard format for security devices to communicate security events to one another. This particular dialog box is the SDEE messages dialog box from an instance of Security Device Manager (SDM). Notice the drop-down box that allows you to filter the messages. While this drop-down box is currently set for ALL messages, it can also be set to filter using the following choices:

- All - SDEE error, status, and alert messages are shown.
- Error - Only SDEE error messages are shown.
- Status - Only SDEE status messages are shown.
- Alerts - Only SDEE alert messages are shown.