Main Flashcards
A. Build ACLs based upon your security policy. B. Always put the ACL closest to the source of origination. C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router. D. Always test ACLs in a small, controlled production environment before you roll it out into the larger production network.
A
Which step is important to take when implementing secure network management?
Get Latest & Actual 640-554 Exam’s Question and Answers from Passleader.
http://www.passleader.com
A. Implement in-band management whenever possible. B. Implement telnet for encrypted device management access. C. Implement SNMP with read/write access for troubleshooting purposes. D. Synchronize clocks on hosts and devices. E. Implement management plane protection using routing protocol authentication.
D
Explanation:
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml
Background Information
Network time synchronization, to the degree required for modern performance analysis, is an essential exercise. Depending on the business models, and the services being provided, the characterization of network performance can be considered an important competitive service differentiator. In these cases, great expense may be incurred deploying network management systems and directing engineering resources towards analyzing the collected performance data. However, if proper attention is not given to the often-overlooked principle of time synchronization, those efforts may be rendered useless.
QUESTION 106
Which statement best represents the characteristics of a VLAN?
A. Ports in a VLAN will not share broadcasts amongst physically separate switches. B. A VLAN can only connect across a LAN within the same building. C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments. D. A VLAN provides individual port security.
Answer: C
Explanation:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/VLANs.html
Configuring VLANs
You can use virtual LANs (VLANs) to divide the network into separate logical areas. VLANs can also be considered as broadcast domains.
Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.
QUESTION 107
Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?
A. root guard B. port fast C. HSRP D. STP
Answer: D
Explanation:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml
Introduction
Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network.
QUESTION 108
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters. B. The SSH protocol is automatically enabled. C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. D. All vty ports are automatically enabled for SSH to provide secure management.
Answer: B
Explanation:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Generate an RSA key pair for your router, which automatically enables SSH.
carter(config)#crypto key generate rsa
Refer to crypto key generate rsa - Cisco IOS Security Command Reference, Release 12.3 for more information on the usage of this command.
QUESTION 109
What is the key difference between host-based and network-based intrusion prevention?
A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows. B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers. C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers. D. Host-based IPS can work in promiscuous mode or inline mode. E. Host-based IPS is more scalable than network-based IPS. F. Host-based IPS deployment requires less planning than network-based IPS.
Answer: C
Explanation:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/8_NIDS.html
Cisco Network-Based Intrusion Detection–Functionalities and Configuration
This chapter highlights the need for and the benefits of deploying network-based intrusion detection in the data center. It addresses mitigation techniques, deployment models, and the management of the infrastructure.
Intrusion detection systems help data centers and other computer installations prepare for and deal with electronic attacks. Usually deployed as a component of a security infrastructure with a set of security policies for a larger, comprehensive information system, the detection systems themselves are of two main types.
Network-based systems inspect traffic “on the wire” and host-based systems monitor only individual computer server traffic.
Network intrusion detection systems deployed at several points within a single network topology, together with host-based intrusion detection systems and firewalls, can provide a solid, multi-pronged defense against both outside, Internet-based attacks, and internal threats, including network misconfiguration, misuse, or negligent practices. The Cisco Intrusion Detection System (IDS) product line provides flexible solutions for data center security.
QUESTION 110
Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)
A. Service timestamps have been globally enabled. B. This is a normal system-generated information message and does not require further investigation. C. This message is unimportant and can be ignored. D. This message is a level 5 notification message.
Answer: AD
Explanation:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swlog.html
System Log Message Format
System log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or time-stamp information, if configured. Messages appear in this format:
seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)
The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
seq no:
Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section.
timestamp formats:
mm/dd hh:mm:ss
or
hh:mm:ss (short uptime)
or
d h (long uptime)
Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured. For more information, see the “Enabling and Disabling Time Stamps on Log Messages” section.
facility
The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 29-4.
severity
Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 29-3.
MNEMONIC
Text string that uniquely describes the message.
description
Text string containing detailed information about the event being reported.
This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
Which four methods are used by hackers? (Choose four.)
A. footprint analysis attack B. privilege escalation attack C. buffer Unicode attack D. front door attacks E. social engineering attack F. Trojan horse attack
Answer: ABEF
Explanation:
https://learningnetwork.cisco.com/servlet/JiveServlet/download/15823-1-57665/CCNA%20Security%20(640-554)%20Portable%20Command%20Guide_ch01.pdf
Thinking Like a Hacker
The following seven steps may be taken to compromise targets and applications:
Step 1 Perform footprint analysis
Hackers generally try to build a complete profile of a target company’s security posture using a broad range of easily available tools and techniques. They can discover organizational domain names, network blocks, IP addresses of systems, ports, services that are used, and more.
Step 2 Enumerate applications and operating systems
Special readily available tools are used to discover additional target information. Ping sweeps use Internet Control Message Protocol (ICMP) to discover devices on a network. Port scans discover TCP/UDP port status.
Other tools include Netcat, Microsoft EPDump and Remote Procedure Call (RPC) Dump, GetMAC, and software development kits (SDKs).
Step 3 Manipulate users to gain access
Social engineering techniques may be used to manipulate target employees to acquire passwords. They may call or email them and try to convince them to reveal passwords without raising any concern or suspicion.
Step 4 Escalate privileges
To escalate their privileges, a hacker may attempt to use Trojan horse programs and get target users to unknowingly copy malicious code to their corporate system.
Step 5 Gather additional passwords and secrets
With escalated privileges, hackers may use tools such as the pwdump and LSADump applications to gather passwords from machines running Windows.
Step 6 Install back doors
Hackers may attempt to enter through the “front door,” or they may use “back doors” into the system. The backdoor method means bypassing normal authentication while attempting to remain undetected. A common backdoor point is a listening port that provides remote access to the system.
Step 7 Leverage the compromised system
After hackers gain administrative access, they attempt to hack other systems.
QUESTION 113
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?
A. uses Cisco IPS 5.x signature format B. requires the Basic or Advanced Signature Definition File C. supports both inline and promiscuous mode D. requires IEV for monitoring Cisco IPS alerts E. uses the built-in signatures that come with the Cisco IOS image as backup F. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
Answer: A
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_ios_ips/configuration/12-4t/sec-ips5-sig-fsue.html
Signature Categories
Cisco IPS appliances and Cisco IOS IPS with Cisco 5.x format signatures operate with signature categories.
All signatures are pregrouped into categories; the categories are hierarchical. An individual signature can belong to more than one category. Top-level categories help to define general types of signatures.
Subcategories exist beneath each top-level signature category. (For a list of supported top-level categories, use your router CLI help (?).)
Router Configuration Files and Signature Event Action Processor (SEAP)
As of Cisco IOS Release 12.4(11)T, SDFs are no longer used by Cisco IOS IPS. Instead, routers access signature definition information through a directory that contains three configuration files: the default configuration, the delta configuration, and the SEAP configuration. Cisco IOS accesses this directory through the ip ips config location command.
QUESTION 114
Which characteristic is the foundation of Cisco Self-Defending Network technology?
A. secure connectivity B. threat control and containment C. policy management D. secure network platform
Answer: D
Explanation:
http://www.cisco.com/en/US/solutions/ns170/networking_solutions_products_genericcontent0900aecd8051f378.html
Create a Stronger Defense Against Threats
Each day, you reinvent how you conduct business by adopting Internet-based business models. But Internet connectivity without appropriate security can compromise the gains you hope to make. In today’s connected environment, outbreaks spread globally in a matter of minutes, which means your security systems must react instantly.
Maintaining security using tactical, point solutions introduces complexity and inconsistency, but integrating security throughout the network protects the information that resides on it. Three components are critical to effective information security:
A secure network platform with integrated security to which you can easily add advanced security technologies and services
Threat control services focused on antivirus protection and policy enforcement that continuously monitor network activity and prevent or mitigate problems
Secure communication services that maintain the privacy and confidentiality of sensitive data, voice, video, and wireless communications while cost-effectively extending the reach of your network
QUESTION 115
Which kind of table do most firewalls use today to keep track of the connections through the firewall?
A. dynamic ACL B. reflexive ACL C. netflow D. queuing E. state F. express forwarding
Answer: E
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html
Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process. A stateful firewall like the ASA, however, takes into consideration the state of a packet:
Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels:
A data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
QUESTION 116
Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?
A. show archive B. show secure bootset C. show flash D. show file systems E. dir F. dir archive
Answer: B
Explanation:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_resil_config_ps6922_TSD_Products_Configuration_Guide_Chapter.html
Restrictions for Cisco IOS Resilient Configuration
This feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk. There must be enough space on the storage device to accommodate at least one Cisco IOS image (two for upgrades) and a copy of the running configuration. IOS Files System (IFS) support for secure file systems is also needed by the software.
It may be possible to force removal of secured files using an older version of Cisco IOS software that does not contain file system support for hidden files.
This feature can be disabled only by using a console connection to the router. With the exception of the upgrade scenario, feature activation does not require console access.
You cannot secure a bootset with an image loaded from the network. The running image must be loaded from persistent storage to be secured as primary.
Secured files will not appear on the output of a dir command issued from an executive shell because the IFS prevents secure files in a directory from being listed. ROM monitor (ROMMON) mode does not have any such restriction and can be used to list and boot secured files. The running image and running configuration archives will not be visible in the Cisco IOS dir command output. Instead, use the show secure bootset command to verify archive existence.
QUESTION 117
What does the secure boot-config global configuration accomplish?
A. enables Cisco IOS image resilience B. backs up the Cisco IOS image from flash to a TFTP server C. takes a snapshot of the router running configuration and securely archives it in persistent storage D. backs up the router running configuration to a TFTP server E. stores a secured copy of the Cisco IOS image in its persistent storage
C
QUESTION 120
When using a stateful firewall, which information is stored in the stateful session flow table?
A. the outbound and inbound access rules (ACL entries) B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session C. all TCP and UDP header information only D. all TCP SYN packets and the associated return ACK packets only E. the inside private IP address and the translated inside global IP address
B
QUESTION 121
Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself?
A. The ACL is applied to the Telnet port with the ip access-group command. B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port. C. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface. D. The ACL must be applied to each vty line individually.
Answer: B
Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-cntrl-acc-vtl.html
Controlling Access to a Virtual Terminal Line
You can control who can access the virtual terminal lines (vtys) to a router by applying an access list to inbound vtys. You can also control the destinations that the vtys from a router can reach by applying an access list to outbound vtys.
Benefits of Controlling Access to a Virtual Terminal Line
By applying an access list to an inbound vty, you can control who can access the lines to a router. By applying an access list to an outbound vty, you can control the destinations that the lines from a router can reach.
QUESTION 122
When configuring role-based CLI on a Cisco router, which step is performed first?
A. Log in to the router as the root user. B. Create a parser view called “root view.” C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command. D. Enable the root view on the router. E. Enable AAA authentication and authorization using the local database. F. Create a root local user in the local database.
Answer: D
Explanation:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
Configuring a CLI View
Prerequisites
Before you create a view, you must perform the following tasks:
Enable AAA via the aaa new-model command. (For more information on enabling AAA, see the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide, Release 12.3.)
Ensure that your system is in root view, not privilege level 15.
SUMMARY STEPS
1. enable view
2. configure terminal
3. parser view view-name
4. secret 5 encrypted-password
5. commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
6. exit
7. exit
8. enable [privilege-level] [view view-name]
9. show parser view [all]
DETAILED STEPS
Step 1
Enable view
Router> enable view
Enables root view.
QUESTION 124
Which characteristic is a potential security weakness of a traditional stateful firewall?
A. It cannot support UDP flows. B. It cannot detect application-layer attacks. C. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake. D. It works only in promiscuous mode. E. The status of TCP sessions is retained in the state table after the sessions terminate. F. It has low performance due to the use of syn-cookies.
Answer: B
Explanation:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/product_implementation_design_guide09186a00800fd670.html
Cisco IOS Firewall consists of several major subsystems:
Stateful Packet Inspection provides a granular firewall engine
Authentication Proxy offers a per-host access control mechanism
Application Inspection features add protocol conformance checking and network use policy control
Enhancements to these features extend these capabilities to VRF instances to support multiple virtual routers per device, and to Cisco Integrated Route-Bridging features to allow greater deployment flexibility, reduce implementation timelines, and ease requirements to add security to existing networks.
QUESTION 140
Which consideration is important when implementing Syslogging in your network?
A. Use SSH to access your Syslog information. B. Enable the highest level of Syslogging available to ensure you log all possible event messages. C. Log all messages to the system buffer so that they can be displayed when accessing the router. D. Synchronize clocks on the network with a protocol such as Network Time Protocol.
D
QUESTION 141
Which classes does the U.S. government place classified data into? (Choose three.)
A. SBU B. Confidential C. Secret D. Top-secret
BCD
QUESTION 142
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management?
A. You must then zeroize the keys to reset secure shell before configuring other parameters. B. The SSH protocol is automatically enabled. C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. D. All vty ports are automatically enabled for SSH to provide secure management.
B
QUESTION 143
Which of the following ensures that no one employee becomes a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system’s security?
A. Disaster recovery B. Strategic security planning C. Implementation security D. Operations security
D
QUESTION 144
Which three options are network evaluation techniques? (Choose three.)
A. Scanning a network for active IP addresses and open ports on those IP addresses B. Using password-cracking utilities C. Performing end-user training on the use of antispyware software D. Performing virus scans
ABD
QUESTION 145
In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?
A. Roughly 50 percent B. Roughly 66 percent C. Roughly 75 percent D. Roughly 10 percent
A
QUESTION 146
Which three items are Cisco best-practice recommendations for securing a network? (Choose three.)
A. Routinely apply patches to operating systems and applications. B. Disable unneeded services and ports on hosts. C. Deploy HIPS software on all end-user workstations. D. Require strong passwords, and enable password expiration.
ABD
QUESTION 147
What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX?
A. Configuration interceptor B. Network interceptor C. File system interceptor D. Execution space interceptor
Answer: A
Explanation:
Configuration interceptor: Read/write requests to the Registry in Windows or to rc configuration files on UNIX are intercepted. This interception occurs because modification of the operating system configuration can have serious consequences. Therefore, Cisco Security Agent tightly controls read/write requests to the Registry.
QUESTION 148
Information about a managed device’s resources and activity is defined by a series of objects. What defines the structure of these management objects?
A. MIB B. FIB C. LDAP D. CEF
Answer: A
Explanation:
Management Information Base (MIB) is the database of configuration variables that resides on the networking device.
QUESTION 149
In Cisco IOS Zone-Based Policy Firewall, where is the inspection policy applied?
A. to the zone-pair B. to the zone C. to the interface D. to the global service policy
A
QUESTION 150
Which statement is true about vishing?
A. Influencing users to forward a call to a toll number (for example, a long distance or international number) B. Influencing users to provide personal information over a web page C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number) D. Influencing users to provide personal information over the phone
D
Explanation:
Vishing (voice phishing) uses telephony to glean information, such as account details, directly from users. Because many users tend to trust the security of a telephone versus the security of the web, some users are more likely to provide confidential information over the telephone. User education is the most effective method to combat vishing attacks.
QUESTION 151
Which item accounts for the great majority of software vulnerabilities that have been discovered?
A. Stack vulnerabilities B. Heap overflows C. Software overflows D. Buffer overflows
D
QUESTION 152
Which one of the following items may be added to a password stored in MD5 to make it more secure?
A. Ciphertext B. Salt C. Cryptotext D. Rainbow table
B
QUESTION 153
In which two modes can Cisco Configuration Professional Security Audit operate? (Choose two.)
A. Security Audit wizard B. Lockdown C. One-Step Lockdown D. AutoSecure
AC