MODULE 12 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

Question 1

Q

Network Topologies

Network Representations

Network architects and administrators must be able to show what their networks will look like.

They need to be able to easily see which components connect to other components, where they will be located, and how they will be connected.

Diagrams of networks often use symbols, like those shown in the figure, to represent the different devices and connections that make up a network.

Answer

A

https://snipboard.io/8cdTEp.jpg

A diagram provides an easy way to understand how devices connect in a large network.

This type of “picture” of a network is known as a topology diagram.

The ability to recognize the logical representations of the physical networking components is critical to being able to visualize the organization and operation of a network.

In addition to these representations, specialized terminology is used to describe how each of these devices and media connect to each other:

– Network Interface Card (NIC)

– Physical Port

– Interface

Question 2

Q

https://snipboard.io/8cdTEp.jpg

A diagram provides an easy way to understand how devices connect in a large network.

This type of “picture” of a network is known as a topology diagram.

The ability to recognize the logical representations of the physical networking components is critical to being able to visualize the organization and operation of a network.

In addition to these representations, specialized terminology is used to describe how each of these devices and media connect to each other:

– Network Interface Card (NIC)

– Physical Port

– Interface

Answer

A

https://snipboard.io/8cdTEp.jpg

A diagram provides an easy way to understand how devices connect in a large network.

This type of “picture” of a network is known as a topology diagram.

The ability to recognize the logical representations of the physical networking components is critical to being able to visualize the organization and operation of a network.

In addition to these representations, specialized terminology is used to describe how each of these devices and media connect to each other:

– Network Interface Card (NIC)

– Physical Port

– Interface

Question 3

Q

https://snipboard.io/8cdTEp.jpg

A diagram provides an easy way to understand how devices connect in a large network.

This type of “picture” of a network is known as a topology diagram.

The ability to recognize the logical representations of the physical networking components is critical to being able to visualize the organization and operation of a network.

In addition to these representations, specialized terminology is used to describe how each of these devices and media connect to each other:

– Network Interface Card (NIC)

– Physical Port

– Interface

Answer

A

Network Interface Card (NIC) :

A NIC physically connects the end device to the network.

Question 4

Q

https://snipboard.io/8cdTEp.jpg

A diagram provides an easy way to understand how devices connect in a large network.

This type of “picture” of a network is known as a topology diagram.

The ability to recognize the logical representations of the physical networking components is critical to being able to visualize the organization and operation of a network.

In addition to these representations, specialized terminology is used to describe how each of these devices and media connect to each other:

– Network Interface Card (NIC)

– Physical Port

– Interface

Answer

A

Physical Port :

A connector or outlet on a networking device where the media connects to an end device or another networking device.

Question 5

Q

https://snipboard.io/8cdTEp.jpg

A diagram provides an easy way to understand how devices connect in a large network.

This type of “picture” of a network is known as a topology diagram.

The ability to recognize the logical representations of the physical networking components is critical to being able to visualize the organization and operation of a network.

In addition to these representations, specialized terminology is used to describe how each of these devices and media connect to each other:

– Network Interface Card (NIC)

– Physical Port

– Interface

Answer

A

Interface :

Specialized ports on a networking device that connect to individual networks. Because routers connect networks, the ports on a router are referred to as network interfaces. Note: The terms port and interface are often used interchangeably.

Question 6

Q

Topology Diagrams Topology diagrams are mandatory documentation for anyone working with a network.

They provide a visual map of how the network is connected.

There are two types of topology diagrams:

physical and logical.

Answer

A

Physical Topology Diagrams

Physical topology diagrams illustrate the physical location of intermediary devices and cable installation, as shown in the figure.

You can see that the rooms in which these devices are located are labeled in this physical topology.

https://snipboard.io/TflmrV.jpg

Question 7

Q

Logical Topology Diagrams

Logical topology diagrams illustrate devices, ports, and the addressing scheme of the network, as shown in the figure.

You can see which end devices are connected to which intermediary devices and what media is being used.

https://snipboard.io/HejSIg.jpg

Answer

A

The topologies shown in the physical and logical diagrams are appropriate for your level of understanding at this point in the course.

Search the internet for “network topology diagrams” to see some more complex examples.

If you add the word “Cisco” to your search phrase, you will find many topologies using icons that are similar to what you have seen in these figures.

Question 8

Q

Networks of Many Sizes

Now that you are familiar with the components that make up networks and their representations in physical and logical topologies, you are ready to learn about the many different types of networks.

Networks come in all sizes.

They range from simple networks consisting of two computers, to networks connecting millions of devices.

Answer

A

Simple home networks let you share resources, such as printers, documents, pictures, and music, among a few local end devices.

Small office and home office (SOHO) networks allow people to work from home, or a remote office.

Many self-employed workers use these types of networks to advertise and sell products, order supplies, and communicate with customers.

Question 9

Q

usinesses and large organizations use networks to provide consolidation, storage, and access to information on network servers.

Networks provide email, instant messaging, and collaboration among employees.

Many organizations use their network’s connection to the internet to provide products and services to customers. The internet is the largest network in existence.

In fact, the term internet means a “network of networks”. It is a collection of interconnected private and public networks.

Answer

A

In small businesses and homes, many computers function as both the servers and clients on the network.

This type of network is called a peer-to-peer network.

– Small Home

– Small Office and Home Office

– Medium to Large

– World Wide

Question 10

Q

In small businesses and homes, many computers function as both the servers and clients on the network.

This type of network is called a peer-to-peer network.

– Small Home

– Small Office and Home Office

– Medium to Large

– World Wide

Answer

A

Small Home :

Small Home Networks Small home networks connect a few computers to each other and to the internet.

Question 11

Q

In small businesses and homes, many computers function as both the servers and clients on the network.

This type of network is called a peer-to-peer network.

– Small Home

– Small Office and Home Office

– Medium to Large

– World Wide

Answer

A

Small Office and Home Office :

Small Office and Home Office Networks

The SOHO network allows computers in a home office or a remote office to connect to a corporate network, or access centralized, shared resources.

Question 12

Q

In small businesses and homes, many computers function as both the servers and clients on the network.

This type of network is called a peer-to-peer network.

– Small Home

– Small Office and Home Office

– Medium to Large

– World Wide

Answer

A

Medium to Large :

Medium to Large Networks Medium to large networks, such as those used by corporations and schools, can have many locations with hundreds or thousands of interconnected hosts.

Question 13

Q

In small businesses and homes, many computers function as both the servers and clients on the network.

This type of network is called a peer-to-peer network.

– Small Home

– Small Office and Home Office

– Medium to Large

– World Wide

Answer

A

Medium to Large :

World Wide Networks

The internet is a network of networks that connects hundreds of millions of computers world-wide.

Question 14

Q

LANs and WANs Network infrastructures vary greatly in terms of:

Size of the area covered

Number of users connected

Number and types of services available

Area of responsibility

Answer

A

The two most common types of network infrastructures are Local Area Networks (LANs), and Wide Area Networks (WANs).

A LAN is a network infrastructure that provides access to users and end devices in a small geographical area.

A LAN is typically used in a department within an enterprise, a home, or a small business network.

A WAN is a network infrastructure that provides access to other networks over a wide geographical area, which is typically owned and managed by a larger corporation or a telecommunications service provider.

The figure shows LANs connected to a WAN.

https://snipboard.io/8qdmyW.jpg

Question 15

Q

LANs A LAN is a network infrastructure that spans a small geographical area.

LANs have specific characteristics: LANs interconnect end devices in a limited area such as a home, school, office building, or campus.

A LAN is usually administered by a single organization or individual. Administrative control is enforced at the network level and governs the security and access control policies.

LANs provide high-speed bandwidth to internal end devices and intermediary devices, as shown in the figure.

https://snipboard.io/ZBSFYh.jpg

Answer

A

WANs The figure shows a WAN which interconnects two LANs.

A WAN is a network infrastructure that spans a wide geographical area. WANs are typically managed by service providers (SPs) or Internet Service Providers (ISPs).

WANs have specific characteristics: WANs interconnect LANs over wide geographical areas such as between cities, states, provinces, countries, or continents.

WANs are usually administered by multiple service providers. WANs typically provide slower speed links between LANs.

https://snipboard.io/0cIzWB.jpg

Question 16

Q

The Three-Layer Network

Design Model

The campus wired LAN uses a hierarchical design model to separate the network topology into modular groups or layers.

Separating the design into layers allows each layer to implement specific functions, which simplifies the network design.

This also simplifies the deployment and management of the network.

The campus wired LAN enables communications between devices in a building or group of buildings, as well as interconnection to the WAN and Internet edge at the network core.

Answer

A

A hierarchical LAN design includes the access, distribution, and core layers as shown in the figure.

Hierarchical Design Model

https://snipboard.io/RsecZd.jpg

Each layer is designed to meet specific functions. The access layer provides endpoints and users direct access to the network.

The distribution layer aggregates access layers and provides connectivity to services. Finally, the core layer provides connectivity between distribution layers for large LAN environments.

User traffic is initiated at the access layer and passes through the other layers if the functionality of those layers is required.

Question 17

Q

Even though the hierarchical model has three layers, some smaller enterprise networks may implement a two-tier hierarchical design.

In a two-tier hierarchical design, the core and distribution layers are collapsed into one layer, reducing cost and complexity, as shown in the figure.

Collapsed Core

https://snipboard.io/1Qx6D9.jpg

Answer

A

In flat or meshed network architectures, changes tend to affect a large number of systems.

Hierarchical design helps constrain operational changes to a subset of the network, which makes it easy to manage as well as improve resiliency.

Modular structuring of the network into small, easy-to-understand elements also facilitates resiliency through improved fault isolation.

Question 18

Q

Common Security

Architectures Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.

Some designs are as simple as designating an outside network and inside network, which are determined by two interfaces on a firewall.

Here are three common firewall designs.

– Private and Public

– Demilitarized Zone

– Zone-Based Privacy Firewalls

Answer

A

Private and Public :

As shown in the figure, the public network (or outside network) is untrusted, and the private network (or inside network) is trusted.

Typically, a firewall with two interfaces is configured as follows: Traffic originating from the private network is permitted and inspected as it travels toward the public network.

Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.

Traffic originating from the public network and traveling to the private network is generally blocked.

https://snipboard.io/GOFqy9.jpg

Question 19

Q

Common Security

Architectures Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.

Some designs are as simple as designating an outside network and inside network, which are determined by two interfaces on a firewall.

Here are three common firewall designs.

– Private and Public

– Demilitarized Zone

– Zone-Based Privacy Firewalls

Answer

A

Demilitarized Zone A demilitarized zone (DMZ) is a firewall design where there is typically one inside interface connected to the private network, one outside interface connected to the public network, and one DMZ interface, as shown in the figure.

Traffic originating from the private network is inspected as it travels toward the public or DMZ network. This traffic is permitted with little or no restriction. Inspected traffic returning from the DMZ or public network to the private network is permitted.

Traffic originating from the DMZ network and traveling to the private network is usually blocked. Traffic originating from the DMZ network and traveling to the public network is selectively permitted based on service requirements.

Traffic originating from the public network and traveling toward the DMZ is selectively permitted and inspected. This type of traffic is typically email, DNS, HTTP, or HTTPS traffic.

Return traffic from the DMZ to the public network is dynamically permitted. Traffic originating from the public network and traveling to the private network is blocked.

https://snipboard.io/XTMkoB.jpg

Question 20

Q

Common Security

Architectures Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic.

Some designs are as simple as designating an outside network and inside network, which are determined by two interfaces on a firewall.

Here are three common firewall designs.

– Private and Public

– Demilitarized Zone

– Zone-Based Privacy Firewalls

Answer

A

Zone-Based Privacy Firewalls Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility.

A zone is a group of one or more interfaces that have similar functions or features. Zones help you specify where a Cisco IOS firewall rule or policy should be applied. In the figure, security policies for LAN 1 and LAN 2 are similar and can be grouped into a zone for firewall configurations.

By default, the traffic between interfaces in the same zone is not subject to any policy and passes freely. However, all zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy allowing or inspecting traffic must be configured.

The only exception to this default deny any policy is the router self zone. The self zone is the router itself and includes all the router interface IP addresses. Policy configurations that include the self zone would apply to traffic destined to and sourced from the router.

By default, there is no policy for this type of traffic. Traffic that should be considered when designing a policy for the self zone includes management plane and control plane traffic, such as SSH, SNMP, and routing protocols.

https://snipboard.io/x1OtNm.jpg

Question 21

Q

Firewalls A firewall is a system, or group of systems, that enforces an access control policy between networks.

Answer

A

Click each button to learn more about firewalls.

– Common Firewall Properties

– Firewall Benefits

– Firewall Limitations

Question 22

Q

Click each button to learn more about firewalls.

– Common Firewall Properties

– Firewall Benefits

– Firewall Limitations

Answer

A

Common Firewall Properties :

All firewalls share some common properties: Firewalls are resistant to network attacks.

Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall.

Firewalls enforce the access control policy.

Question 23

Q

Click each button to learn more about firewalls.

– Common Firewall Properties

– Firewall Benefits

– Firewall Limitations

Answer

A

Firewall Benefits :

There are several benefits of using a firewall in a network: They prevent the exposure of sensitive hosts, resources, and applications to untrusted users.

They sanitize protocol flow, which prevents the exploitation of protocol flaws. They block malicious data from servers and clients.

They reduce security management complexity by off-loading most of the network access control to a few firewalls in the network.

Question 24

Q

Click each button to learn more about firewalls.

– Common Firewall Properties

– Firewall Benefits

– Firewall Limitations

Answer

A

Firewall Limitations :

Firewalls also have some limitations:

A misconfigured firewall can have serious consequences for the network, such as becoming a single point of failure.

The data from many applications cannot be passed over firewalls securely.

Users might proactively search for ways around the firewall to receive blocked material, which exposes the network to potential attack.

Network performance can slow down.

Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.

Question 25

Q

Firewall Type Descriptions

It is important to understand the different types of firewalls and their specific capabilities so that the right firewall is used for each situation.

– Packet Filtering (Statelss Firewall)

– Statefull Firewall

– Gateway Firewall

– Next Generation Firewall

Answer

A

Packet Filtering (Statelss Firewall) :

Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.

They are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria. For example, SMTP servers listen to port 25 by default.

An administrator can configure the packet filtering firewall to block port 25 from a specific workstation to prevent it from broadcasting an email virus

https://snipboard.io/CfRVWK.jpg

Question 26

Q

Firewall Type Descriptions

It is important to understand the different types of firewalls and their specific capabilities so that the right firewall is used for each situation.

– Packet Filtering (Statelss Firewall)

– Statefull Firewall

– Gateway Firewall

– Next Generation Firewall

Answer

A

Statefull Firewall :

Stateful firewalls are the most versatile and the most common firewall technologies in use.

Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table.

Stateful filtering is a firewall architecture that is classified at the network layer.

It also analyzes traffic at OSI Layer 4 and Layer 5.

https://snipboard.io/cT9Lm1.jpg

Question 27

Q

Firewall Type Descriptions

It is important to understand the different types of firewalls and their specific capabilities so that the right firewall is used for each situation.

– Packet Filtering (Statelss Firewall)

– Statefull Firewall

– Gateway Firewall

– Next Generation Firewall

Answer

A

Gateway Firewall :

An application gateway firewall (proxy firewall), as shown in the figure, filters information at Layers 3, 4, 5, and 7 of the OSI reference model.

Most of the firewall control and filtering is done in software. When a client needs to access a remote server, it connects to a proxy server.

The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.

https://snipboard.io/36pjma.jpg

Question 28

Q

Firewall Type Descriptions

It is important to understand the different types of firewalls and their specific capabilities so that the right firewall is used for each situation.

– Packet Filtering (Statelss Firewall)

– Statefull Firewall

– Gateway Firewall

– Next Generation Firewall

Answer

A

Next Generation Firewall :

Next-generation firewalls (NGFW) go beyond stateful firewalls by providing:

Integrated intrusion prevention

Application awareness and control to see and block risky apps

Upgrade paths to include future information feeds

Techniques to address evolving security threats

https://snipboard.io/GYM1CH.jpg

Question 29

Q

Other methods of implementing firewalls include: :

– Host-based (server and personal) firewall

– Transparent firewall

– Hybrid firewall

Answer

A

Host-based (server and personal) firewall :

A PC or server with firewall software running on it.

Question 30

Q

Other methods of implementing firewalls include: :

– Host-based (server and personal) firewall

– Transparent firewall

– Hybrid firewall

Answer

A

Transparent firewall :

Filters IP traffic between a pair of bridged interfaces.

Question 31

Q

Other methods of implementing firewalls include: :

– Host-based (server and personal) firewall

– Transparent firewall

– Hybrid firewall

Answer

A

Hybrid firewall :

A combination of the various firewall types.

For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

Question 32

Q

Intrusion Prevention and Detection Devices :

A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS).

The network architecture integrates these solutions into the entry and exit points of the network.

When implementing IDS or IPS, it is important to be familiar with the types of systems available, host-based and network-based approaches, the placement of these systems, the role of signature categories, and possible actions that a Cisco IOS router can take when an attack is detected.

Answer

A

The figure shows how an IPS device handles malicious traffic.

IDS and IPS Characteristics https://snipboard.io/zjEgfI.jpg

https://snipboard.io/SqwkcD.jpg

Question 33

Q

IDS and IPS technologies are both deployed as sensors.

An IDS or IPS sensor can be in the form of several different devices:

A router configured with Cisco IOS IPS software

A device specifically designed to provide dedicated IDS or IPS services

A network module installed in an adaptive security appliance (ASA), switch, or router

Answer

A

IDS and IPS technologies use signatures to detect patterns in network traffic.

A signature is a set of rules that an IDS or IPS uses to detect malicious activity.

Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information.

IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

Question 34

Q

IDS and IPS technologies use signatures to detect patterns in network traffic.

A signature is a set of rules that an IDS or IPS uses to detect malicious activity.

Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information.

IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

Answer

A

IDS and IPS technologies use signatures to detect patterns in network traffic.

A signature is a set of rules that an IDS or IPS uses to detect malicious activity.

Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information.

IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).

Question 35

Q

Advantages and Disadvantages of IDS and IPS IDS

Advantages and Disadvantages

The table lists the advantages and disadvantages of IDS and IPS.

– Solutions : IDS and IPS

– Advantages and Disadvantages

Answer

A

Solution :

IDS Advantages :

No Impact on network (latency, jitter)

No Network impact if there is a sensor failure

No network impact if there is sensor overload

Question 36

Q

Advantages and Disadvantages of IDS and IPS IDS

Advantages and Disadvantages

The table lists the advantages and disadvantages of IDS and IPS.

– Solutions : IDS and IPS

– Advantages and Disadvantages

Answer

A

Solution :

IDS Disadvantages :

Response action cannot stop trigger packets

Correct tuning required for response actions

More vulnerable to network security evasion techniques

Question 37

Q

Advantages and Disadvantages of IDS and IPS IDS

Advantages and Disadvantages

The table lists the advantages and disadvantages of IDS and IPS.

– Solutions : IDS and IPS

– Advantages and Disadvantages

Answer

A

Solution :

IPS Advantages :

Stops trigger packets

Can use stream normalization techniques

Question 38

Q

Advantages and Disadvantages of IDS and IPS IDS

Advantages and Disadvantages

The table lists the advantages and disadvantages of IDS and IPS.

– Solutions : IDS and IPS

– Advantages and Disadvantages

Answer

A

Solution :

IPS Disadvantages :

Sensor issues might affect network traffic

Sensor overloading impacts the network

Some impact on network (latency, jitter)

Question 39

Q

IDS Advantages

An IDS is deployed in offline mode and therefore:

The IDS does not impact network performance.

Specifically, it does not introduce latency, jitter, or other traffic flow issues.

The IDS does not affect network functionality if the sensor fails.

It only affects the ability of the IDS to analyze the data.

Answer

A

IDS Disadvantages Disadvantages of an IDS include:

An IDS sensor cannot stop the packets that have triggered an alert and are less helpful in detecting email viruses and automated attacks, such as worms.

Tuning IDS sensors to achieve expected levels of intrusion detection can be very time-consuming.

Users deploying IDS sensor response actions must have a well-designed security policy and a good operational understanding of their IDS deployments.

An IDS implementation is more vulnerable to network security evasion techniques because it is not inline.

Question 40

Q

IPS Advantages Advantages of an IPS include:

An IPS sensor can be configured to drop the trigger packets, the packets associated with a connection, or packets from a source IP address.

Because IPS sensors are inline, they can use stream normalization.

Stream normalization is a technique used to reconstruct the data stream when the attack occurs over multiple data segments.

Answer

A

IPS Disadvantages Disadvantages of an IPS include:

Because it is deployed inline, errors, failure, and overwhelming the IPS sensor with too much traffic can have a negative effect on network performance.

An IPS sensor can affect network performance by introducing latency and jitter.

An IPS sensor must be appropriately sized and implemented so that time-sensitive applications, such as VoIP, are not adversely affected.

Question 41

Q

Deployment Considerations :

You can deploy both an IPS and an IDS.

Using one of these technologies does not negate the use of the other. In fact, IDS and IPS technologies can complement each other.

For example, an IDS can be implemented to validate IPS operation because the IDS can be configured for deeper packet inspection offline.

This allows the IPS to focus on fewer but more critical traffic patterns inline.

Answer

A

Deciding which implementation to use is based on the security goals of the organization as stated in their network security policy.

Question 42

Q

Types of IPS There are two primary kinds of IPS available:

host-based IPS and network-based IPS.

Host-based IPS

Answer

A

Host-based IPS :

Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious activity. A significant advantage of HIPS is that it can monitor and protect operating system and critical system processes that are specific to that host.

With detailed knowledge of the operating system, HIPS can monitor abnormal activity and prevent the host from executing commands that do not match typical behavior.

This suspicious or malicious behavior might include unauthorized registry updates, changes to the system directory, executing installation programs, and activities that cause buffer overflows.

Network traffic can also be monitored to prevent the host from participating in a denial-of-service (DoS) attack or being part of an illicit FTP session.

Question 43

Q

Host-based IPS :

HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall. Combined with a network-based IPS, HIPS is an effective tool in providing additional protection for the host.

A disadvantage of HIPS is that it operates only at a local level. It does not have a complete view of the network, or coordinated events that might be happening across the network.

To be effective in a network, HIPS must be installed on every host and have support for every operating system. The table lists the advantages and disadvantages of HIPS.

Answer

A

HIPS Advantages :

Provides protection specific to a host operating system

Provides operating system and application level protection

Protects the host after the message is decrypted

Question 44

Q

HIPS Advantages :

Provides protection specific to a host operating system

Provides operating system and application level protection

Protects the host after the message is decrypted

Answer

A

HIPS :

Disadvantages

Operating system dependent

Must be installed on all hosts

Question 45

Q

Network-based IPS A network-based IPS can be implemented using a dedicated or non-dedicated IPS device.

Network-based IPS implementations are a critical component of intrusion prevention.

There are host-based IDS/IPS solutions, but these must be integrated with a network-based IPS implementation to ensure a robust security architecture.

Answer

A

Sensors detect malicious and unauthorized activity in real time and can take action when required.

As shown in the figure, sensors are deployed at designated network points.

This enables security managers to monitor network activity while it is occurring, regardless of the location of the attack target.

Question 46

Q

Sample IPS Sensor Deployment

https://snipboard.io/yCSZ3e.jpg

Answer

A

Specialized Security Appliances

There are a variety of specialized security appliances available. Here are a few examples.

– AMP (Advanced Malware Protection)

– WSA (Web Security Appliance)

– ESA (Email Security Appliance/Cisco Cloud Email Security)

Question 47

Q

Specialized Security Appliances

There are a variety of specialized security appliances available. Here are a few examples.

– AMP (Advanced Malware Protection)

– WSA (Web Security Appliance)

– ESA (Email Security Appliance/Cisco Cloud Email Security)

Answer

A

AMP (Advanced Malware Protection) :

Cisco Advanced Malware Protection (AMP) is an enterprise-class advanced malware analysis and protection solution. It provides comprehensive malware protection for organizations before, during, and after an attack:

Before an attack, AMP strengthens defenses and protects against known and emerging threats.

During an attack, AMP identifies and blocks policy-violating file types, exploit attempts, and malicious files from infiltrating the network.

After an attack, or after a file is initially inspected, AMP goes beyond point-in-time detection capabilities and continuously monitors and analyzes all file activity and traffic, regardless of disposition, searching for any indications of malicious behavior.

If a file with an unknown or previously deemed “good” disposition starts behaving badly, AMP will detect it and instantly alert security teams with an indication of compromise.

It then provides visibility into where the malware originated, what systems were affected, and what the malware is doing.

AMP accesses the collective security intelligence of the Cisco Talos Security Intelligence and Research Group. Talos detects and correlates threats in real time using the largest threat-detection network in the world.

Question 48

Q

Specialized Security Appliances

There are a variety of specialized security appliances available. Here are a few examples.

– AMP (Advanced Malware Protection)

– WSA (Web Security Appliance)

– ESA (Email Security Appliance/Cisco Cloud Email Security)

Answer

A

WSA (Web Security Appliance) :

A Cisco Web Security Appliance (WSA) is a secure web gateway that combines leading protections to help organizations address the growing challenges of securing and controlling web traffic.

WSA protects the network by automatically blocking risky sites and testing unknown sites before allowing users to access them. WSA provides malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility.

While WSA protects the network from malware intrusion, it does not provide protection for users who want to connect to the internet directly outside of the protected network, such as at a public Wi-Fi service.

In this instance, the user’s PC can be infected with malware which can then spread to other networks and devices.

To help protect user PCs from these types of malware infections there is Cisco Cloud Web Security (CWS). CWS together with WSA provides comprehensive protection against malware and the associated impacts.

The Cisco CWS solution enforces secure communication to and from the internet and provides remote workers the same level of security as onsite employees when using a laptop issued by the employer.

Cisco CWS incorporates two main functions, web filtering and web security, and both are accompanied by extensive, centralized reporting.

Question 49

Q

Specialized Security Appliances

There are a variety of specialized security appliances available. Here are a few examples.

– AMP (Advanced Malware Protection)

– WSA (Web Security Appliance)

– ESA (Email Security Appliance/Cisco Cloud Email Security)

Answer

A

ESA (Email Security Appliance/Cisco Cloud Email Security) :

A Cisco Email Security Appliance (ESA)/ Cisco Cloud Email Security helps to mitigate email-based threats.

The Cisco ESA defends mission-critical email systems.

The Cisco ESA is constantly updated by real-time feeds from the Cisco Talos, which detects and correlates threats using a worldwide database monitoring system.

Question 50

Q

ESA (Email Security Appliance/Cisco Cloud Email Security) :

PART 2 These are some of the main features of ESA:

– Global threat intelligence

– Spam blocking

– Advanced malware protection

– Outbound message control

Answer

A

Global threat intelligence :

Cisco Talos provides a 24-hour view into global traffic activity.

It analyzes anomalies, uncovers new threats, and monitors traffic trends.

Question 51

Q

ESA (Email Security Appliance/Cisco Cloud Email Security) :

PART 2

These are some of the main features of ESA:

– Global threat intelligence

– Spam blocking

– Advanced malware protection

– Outbound message control

Answer

A

Spam blocking :

A multilayered defense combines an outer layer of filtering based on the reputation of the sender and an inner layer of filtering that performs a deep analysis of the message.

Question 52

Q

ESA (Email Security Appliance/Cisco Cloud Email Security) :

PART 2

These are some of the main features of ESA:

– Global threat intelligence

– Spam blocking

– Advanced malware protection

– Outbound message control

Answer

A

Advanced malware protection :

Includes AMP that takes advantage of the vast cloud security intelligence network of Sourcefire.

It delivers protection across the attack continuum before, during, and after an attack.

Question 53

Q

ESA (Email Security Appliance/Cisco Cloud Email Security) :

PART 2

These are some of the main features of ESA:

– Global threat intelligence

– Spam blocking

– Advanced malware protection

– Outbound message control

Answer

A

Outbound message control :

Controls outbound messages to help ensure that important messages comply with industry standards and are protected in transit.

Question 54

Q

Traffic Control with ACLs An Access Control List (ACL)

Is a series of commands that control whether a device forwards or drops packets based on information found in the packet header.

When configured, ACLs perform the following tasks:

Answer

A

They limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied.

This would greatly reduce the network load and increase network performance. They provide traffic flow control. ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source.

They provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to authorized users.

They filter traffic based on traffic type.

For example, an ACL can permit email traffic, but block all Telnet traffic. They screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

Question 55

Q

They limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance. They provide traffic flow control.

ACLs can restrict the delivery of routing updates to ensure that the updates are from a known source. They provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area.

For example, access to the Human Resources network can be restricted to authorized users. They filter traffic based on traffic type.

For example, an ACL can permit email traffic, but block all Telnet traffic. They screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.

Answer

A

In addition to either permitting or denying traffic, ACLs can be used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

For example, ACLs can be used to classify traffic to enable priority processing. This capability is similar to having a VIP pass at a concert or sporting event.

The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as priority entry or being able to enter a restricted area. The figure shows a sample topology with ACLs applied to routers R1, R2, and R3. What Is an ACL?

https://snipboard.io/bSZnGQ.jpg

Question 56

Q

ACLs:

Important Features Two types of Cisco IPv4 ACLs are standard and extended.

Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses.

The destination of the packet and the ports involved are not evaluated.

Answer

A

Extended ACLs filter IPv4 packets based on several attributes that include:

Protocol type Source IPv4 address

Destination IPv4 address

Source TCP or UDP ports

Destination TCP or UDP ports

Optional protocol type information for finer control

Question 57

Q

Standard and extended ACLs can be created using either a number or a name to identify the ACL and its list of statements.

Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic.

However, a number does not provide information about the purpose of the ACL.

For this reason, a name can be used to identify a Cisco ACL.

Answer

A

By configuring ACL logging, an ACL message can be generated and logged when traffic meets the permit or deny criteria defined in the ACL.

Cisco ACLs can also be configured to only allow TCP traffic that has an ACK or RST bit set, so that only traffic from an established TCP session is permitted.

This can be used to deny any TCP traffic from outside the network that is trying to establish a new TCP session.

Question 58

Q

SNMP Simple Network Management Protocol (SNMP) allows administrators to manage end devices such as servers, workstations, routers, switches, and security appliances, on an IP network.

It enables network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.

Answer

A

SNMP is an application layer protocol that provides a message format for communication between managers and agents.

As shown in the figure, the SNMP system consists of two elements.

SNMP manager that runs SNMP management software.

SNMP agents which are the nodes being monitored and managed.

https://snipboard.io/QTYcop.jpg

Question 59

Q

The Management Information Base (MIB) is a database on the agents that stores data and operational statistics about the device.

To configure SNMP on a networking device, it is first necessary to define the relationship between the manager and the agent.

Answer

A

The SNMP manager is part of a network management system (NMS).

The SNMP manager runs SNMP management software.

As shown in the figure, the SNMP manager can collect information from an SNMP agent by using the “get” action and can change configurations on an agent by using the “set” action.

In addition, SNMP agents can forward information directly to a network manager by using “traps”.

Question 60

Q

NetFlow NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a Cisco router or multilayer switch.

While SNMP attempts to provide a very wide range of network management features and options, NetFlow is focused on providing statistics on IP packets flowing through network devices.

Answer

A

NetFlow provides data to enable network and security monitoring, network planning, traffic analysis to include identification of network bottlenecks, and IP accounting for billing purposes.

For example, in the figure, PC 1 connects to PC 2 using an application such as HTTPS.

Question 61

Q

NetFlow in the Network :

https://snipboard.io/TpHbL5.jpg

NetFlow can monitor that application connection, tracking byte and packet counts for that individual application flow.

It then pushes the statistics over to an external server called a NetFlow collector.

Answer

A

etFlow technology has seen several generations that provide more sophistication in defining traffic flows, but “original NetFlow” distinguished flows using a combination of seven fields.

Should one of these fields vary in value from another packet, the packets could be safely determined to be from different flows:

Source IP address Destination IP address

Source port number Destination port number

Layer 3 protocol type

Type of Service (ToS) marking

Input logical interface

Question 62

Q

The first four of the fields NetFlow uses to identify a flow should be familiar.

The source and destination IP addresses, plus the source and destination ports, identify the connection between source and destination application.

The Layer 3 protocol type identifies the type of header that follows the IP header (usually TCP or UDP, but other options include ICMP).

The ToS byte in the IPv4 header holds information about how devices should apply quality of service (QoS) rules to the packets in that flow.

Answer

A

The first four of the fields NetFlow uses to identify a flow should be familiar.

The source and destination IP addresses, plus the source and destination ports, identify the connection between source and destination application.

The Layer 3 protocol type identifies the type of header that follows the IP header (usually TCP or UDP, but other options include ICMP).

The ToS byte in the IPv4 header holds information about how devices should apply quality of service (QoS) rules to the packets in that flow.

Question 63

Q

Port Mirroring

A packet analyzer (also known as a packet sniffer or traffic sniffer) is typically software that captures packets entering and exiting the network interface card (NIC).

It is not always possible or desirable to have the packet analyzer on the device that is being monitored.

Sometimes it is better on a separate station designated to capture the packets.

Answer

A

Because network switches can isolate traffic, traffic sniffers or other network monitors, such as IDS, cannot access all the traffic on a network segment.

Port mirroring is a feature that allows a switch to make duplicate copies of traffic passing through a switch, and then send it out a port with a network monitor attached.

The original traffic is forwarded in the usual manner. An example of port mirroring is illustrated in the figure.

Traffic Sniffing Using a Switch

https://snipboard.io/4y93rd.jpg

Question 64

Q

Syslog Servers

When certain events occur on a network, networking devices have trusted mechanisms to notify the administrator with detailed system messages.

These messages can be either non-critical or significant.

Network administrators have a variety of options for storing, interpreting, and displaying these messages, and for being alerted to those messages that could have the greatest impact on the network infrastructure.

Answer

A

The most common method of accessing system messages is to use a protocol called syslog.

Many networking devices support syslog, including routers, switches, application servers, firewalls, and other network appliances.

The syslog protocol allows networking devices to send their system messages across the network to syslog servers as shown in the figure.

Syslog

https://snipboard.io/HJClbx.jpg

Answer 65

A

The syslog logging service provides three primary functions:

The ability to gather logging information for monitoring and troubleshooting

The ability to select the type of logging information that is captured

The ability to specify the destination of captured syslog messages

Answer 66

A

Typically, the date and time settings on a network device can be set using one of two methods:

Manual configuration of the date and time

Configuring the Network Time Protocol (NTP)

Answer 67

A

A better solution is to configure the NTP on the network.

This protocol allows routers on the network to synchronize their time settings with an NTP server.

A group of NTP clients that obtain time and date information from a single source have more consistent time settings.

When NTP is implemented in the network, it can be set up to synchronize to a private master clock or it can synchronize to a publicly available NTP server on the Internet.

Answer 68

A

NTP Stratum Levels :

https://snipboard.io/mIUFyR.jpg

NTP servers are arranged in three levels known as strata:

– Stratum 0

– Stratum 1

– Stratum 2 and lower strata

Answer 69

A

Stratum 0 :

An NTP network gets the time from authoritative time sources.

These authoritative time sources, also referred to as stratum 0 devices, are high-precision timekeeping devices assumed to be accurate and with little or no delay associated with them.

Answer 70

A

Stratum 1 :

The stratum 1 devices are directly connected to the authoritative time sources.

They act as the primary network time standard.

Answer 71

A

Stratum 2 and lower strata :

The stratum 2 servers are connected to stratum 1 devices through network connections.

Stratum 2 devices, such as NTP clients, synchronize their time using the NTP packets from stratum 1 servers.

They could also act as servers for stratum 3 devices.

Answer 72

A

Smaller stratum numbers indicate that the server is closer to the authorized time source than larger stratum numbers.

The larger the stratum number, the lower the stratum level.

The max hop count is 15.

Stratum 16, the lowest stratum level, indicates that a device is unsynchronized.

Time servers on the same stratum level can be configured to act as a peer with other time servers on the same stratum level for backup or verification of time.

Answer 73

A

Authentication :

Users and administrators must prove that they are who they say they are.

Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.

AAA authentication provides a centralized way to control access to the network.

Answer 74

A

Authorization :

After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.

An example is “User ‘student’ can access host serverXYZ using SSH only.”

Answer 75

A

Accounting :

Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.

Accounting keeps track of how network resources are used.

An example is “User ‘student’ accessed host serverXYZ using SSH for 15 minutes.”

Answer 76

A

While both protocols can be used to communicate between a router and AAA servers, TACACS+ is considered the more secure protocol.

This is because all TACACS+ protocol exchanges are encrypted, while RADIUS only encrypts the user’s password.

RADIUS does not encrypt usernames, accounting information, or any other information carried in the RADIUS message.

The table lists the differences between the two protocols.

– Functionality – TACACS+ AND RADIUS

– Standard – TACACS+ AND RADIUS

– Transport – TACACS+ AND RADIUS

– Protocol CHAP – TACACS+ AND RADIUS

– Confidentiality – TACACS+ AND RADIUS

– Customization – TACACS+ AND RADIUS

– Accounting – TACACS+ AND RADIUS

Answer 77

A

Functionality – TACACS+ AND RADIUS :

TACACS+ :

Separates AAA according to the AAA architecture, allowing modularity of the security server implementation

RADIUS :

Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+

Answer 78

A

Standard – TACACS+ AND RADIUS :

TACACS+ : Mostly Cisco supported

RADIUS : Open/RFC standard

Answer 79

A

Transport – TACACS+ AND RADIUS :

TACACS+ : TCP

RADIUS : UDP

Answer 80

A

Protocol CHAP – TACACS+ AND RADIUS :

TACACS+ : Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)

RADIUS : Unidirectional challenge and response from the RADIUS security server to the RADIUS client

Answer 81

A

Confidentiality – TACACS+ AND RADIUS :

TACACS+ : Entire packet encrypted

RADIUS : Password encrypted

Answer 82

A

Customization – TACACS+ AND RADIUS

TACACS+ : Provides authorization of router commands on a per-user or per-group basis

RADIUS : Has no option to authorize router commands on a per-user or per-group basis

Answer 83

A

Accounting – TACACS+ AND RADIUS :

TACACS+ : Limited

RADIUS : Extensive

Answer 84

A

VPN

A VPN is a private network that is created over a public network, usually the internet, as shown in the figure.

Virtual Private Network

https://snipboard.io/m1r7ap.jpg

Answer 85

A

VPN :

A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network.

A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.

Answer 86

A

VPN :

In the simplest sense, a VPN connects two endpoints, such as a remote office to a central office, over a public network, to form a logical connection.

The logical connections can be made at either Layer 2 or Layer 3.

Common examples of Layer 3 VPNs are GRE, Multiprotocol Label Switching (MPLS), and IPsec.

Layer 3 VPNs can be point-to-point site connections, such as GRE and IPsec, or they can establish any-to-any connectivity to many sites using MPLS.

IPsec is a suite of protocols developed with the backing of the IETF to achieve secure services over IP packet-switched networks.

Answer 87

A

IPsec services allow for authentication, integrity, access control, and confidentiality.

With IPsec, the information exchanged between remote sites can be encrypted and verified. VPNs are commonly deployed in a site-to-site topology to securely connect central sites with remote locations.

They are also deployed in a remote-access topology to provide secure remote access to external users travelling or working from home. Both remote-access and site-to-site VPNs can be deployed using IPsec.

Brainscape's Knowledge GenomeTM

MODULE 12 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

Brainscape's Knowledge Genome^TM