Infrastructure Security Flashcards

1
Q

a command-line facility that implements security measures across all three of the planes

A

auto secure

2
Q

Specific sub-interfaces classification

- handles traffic to one of the physical or logical interfaces of the router

A

host sub-interface

3
Q

Specific sub-interfaces classification

- handles certain data plane traffic that requires CPU intervention before forwarding (such as IP Options)

A

transit sub-interface

4
Q

Specific sub-interfaces classification

Exception traffic such as keep-alives or packets with time to live

A

CEF-Exception sub-interface

5
Q

Syslog Levels

A
0 - Emergencies - System is unusable
1 - Alerts - Immediate action is needed
2 - Critical
3 - Error
4 - Warnings
5 - Notifications
6 - Informational
7 - Debugging
6
Q

commands to secure boot image

A

secure boot-image

7
Q

Threats to both IPv4 and IPv6
- An attacker is using a network service in an unexpected or malicious way. To protect against this, you can place filters to allow only the required protocols through the network.

A

Application layer attacks

8
Q

Threats to both IPv4 and IPv6
Individuals not authorized for access are gaining access to network resources. To protect against this, use AAA service to challenge the user.

A

Unauthorized Access

9
Q

Threats to both IPv4 and IPv6
Someone or something is between two devices that believe they are communicating directly with each other. You can prevent this by implementing Dynamic ARP Inspection (DAI) and Spanning Tree Protocol (STP) guards.

A

Man-in-the-middle

10
Q

Threats to both IPv4 and IPv6
An attacker is listening in on the network traffic of others. This could be done where the attacker has implemented a content-addressable memory (CAM) table overflow. To protect against this, you can use port-security.

A

Sniffing or eavesdropping

11
Q

Threats to both IPv4 and IPv6
Making services that should be available to users unavailable. Performing packet inspection and rate limiting can help mitigate this.

A

Denial of Service (DOS)

12
Q

Threats to both IPv4 and IPv6
Forged addressing or packet content. Filtering traffic that is attempting to enter the network is one of the best first steps to mitigate this type of traffic.

A

Spoofed packets

13
Q

New potential risks with IPv6

A
Network Discovery protocol (NDP)
Neighbour cache resource starvation
DHCPv6
Hop-by-hop extension headers
Packet amplification attacks
ICMPv6
Tunneling options
Autoconfigurations
Dual Stacks
Bugs in code
14
Q

IPv6 best practices

A
Filter bogus addresses
Filter nonlocal multicast addresses
Filter ICMPv6 that is not needed
Drop routing header type 0 packets
Use manual tunnels rather than automatic tunnels
Protect against rogue IPv6 devices
Secure Neighbor Discovery (SeND) in IPv6
15
Q

Mechanisms to prevent spoofing of IPv6 addresses

A
IPv6 first-hop security binding table
IPv6 device tracking
IPv6 port-based access list support
IPv6 RA guard
IPv6 ND inspection
16
Q

Process-switched traffic category

A

Receive adjacency traffic

Data plane traffic requiring special processing by CPU

17
Q

command that can be used for Control Plane Policing (CoPP)

A

show policy-map control-plane

18
Q

A Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices

A

Control Plane Policing (CoPP)

19
Q

Another feature, like CoPP, that can help mitigate the effects on the CPU of traffic that requires processing by the CPU

A

Control Plane Protection (CPPr)

20
Q

CPPr can restrict traffic with finer granularity by dividing the aggregate control plane into three separate control plane categories known as sub-interfaces. The three sub-interfaces are:

A

Host sub-interface
Transit sub-interface
CEF-Exception sub-interface

Other features are:

  • Port-filtering feature
  • Queue-thresholding feature
21
Q

Ways to secure routing protocols

A

by using password authentication with routing protocols

MD5

22
Q

Layer 2 best practices

A
  • select an unused VLAN other than VLAN 1 and use it as the native VLAN. Do not use this VLAN for anything else
  • avoid VLAN 1
  • administratively configure access ports as access ports and turn off negotiation
  • limit the number of MAC addresses learned on a given port
  • control spanning tree by using BPDU guard and root guard
  • turn off CDP
  • assign unused ports to an unused VLAN and shut them down
23
Q

Layer 2 toolkit

A
  • BPDU guard
  • Root guard
  • Port security
  • DHCP snooping
  • Dynamic ARP inspection
  • IP source guard
  • 802.1x
  • storm control
  • access control list
24
Q

Introduced by Cisco in 1994 to provide a mechanism for the management system to automatically learn about devices connected to the network

A

Cisco Discovery Protocol (CDP)

25
Q

A security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.

A

DHCP Snooping

26
Q

A security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.

A

Dynamic ARP inspection

27
Q

For Cisco IOS routers and switches, the Network Foundation Protection (NFP) framework is broken down into three basic planes.

A
  • Management plane
  • Data Plane
  • Control Plane
28
Q

Best practices for securing the management plane

A
  • Enforce password policy
  • Implement role-based access control (RBAC)
  • Use AAA services
  • Keep accurate time using NTP
  • Use encrypted version of SNMP (v2 and v3)
  • Control which IP addresses are allowed to initiate management connections
  • Lock down syslog
  • Disable unnecessary services (TCP and UDP small services, finger, BOOTP, DHCP, maintenance operation protocol (MOP), DNS, packet assembler/disassembler (PAD), HTTP and HTTPS server, CDP, LLDP)
29
Q

Best practices for deploying control plane

A

deploying CoPP and CPPr

30
Q

Best practices for protecting the data plane

A
  • block unwanted traffic at the router
  • reduce the chance of DoS attacks, for example with TCP Intercept and firewall services
  • reduce spoofing attacks (blocking traffic from outside with a source of an internal IP)
  • provide bandwidth management (rate-limiting on certain types like ICMP)
  • when possible use IPS
31
Q

Best practices common to IPv4 and IPv6

A
  • physical security
  • device hardening
  • control access between zones
  • routing protocol security
  • AAA
  • NTP
  • Mitigating DoS attacks
  • have and update a security policy
32
Q

command to enable timestamps in syslog messages

A

service timestamps log datetime

33
Q

A feature that is intended to improve recovery time by making a secure working copy of a router image and the startup configuration files so they cannot be deleted by a user

A

Cisco Resilient Configuration

34
Q

CDP operates at which layer?

A

layer 2

35
Q

A custom privileged level. Associated with a subset of commands

A

Parser Views