Module 4 Flashcards

1
Q

____ are a primary target for attacks because these devices direct traffic into, out of, and between networks.

A

Routers

2
Q

The ____ is the last router between the internal network and an untrusted network, such as the internet. All an organization's internet traffic goes through the _____, which often functions as the first and last line of defense for a network.

A

edge router

3
Q

Edge Router Security Approaches

A

Single Router Approach
Defense-in-Depth Approach
DMZ Approach

4
Q

A single router connects the protected network, or internal local area network (LAN), to the internet. All security policies are configured on this device.

A

Single Router Approach

5
Q

This uses multiple layers of security prior to traffic entering the protected LAN. There are three primary layers of defense: the edge router, the firewall, and an internal router that connects to the protected LAN.

A

Defense-in-Depth Approach

6
Q

The ___ can be used for servers that must be accessible from the internet or another external network. The ___ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network.

A

DMZ Approach

7
Q

Three Areas of Router Security

A
  • Physical
  • Operating System
  • Router Hardening
8
Q

Place the router and the physical devices that connect to it in a secure locked room that is accessible only to authorized personnel.

Install an uninterruptible power supply (UPS) or diesel backup power generator.

A

Physical

9
Q

Configure the router with the maximum amount of memory possible. The availability of memory can help mitigate DoS attacks.

Use the latest, stable version of the operating system that meets the feature specifications of the router or network device.

Keep a secure copy of router operating system images and router configuration files as backups.

A

Operating System

10
Q

Ensure that only authorized personnel have access and that their level of access is controlled.

Disable unused ports and interfaces.

Disable unnecessary services. A router has services that are enabled by default. Some of these services can be used by an attacker to gather information about the router and the network.

A

Router Hardening

11
Q

Secure Administrative Access

A
  • Restrict device accessibility
  • Log and account for all access
  • Authenticate access
  • Authorize actions
  • Present legal notification
  • Ensure the confidentiality of data
12
Q

If an unauthorized person gains administrative access to a router, that person could

A

alter routing parameters,
disable routing functions, or
discover and gain access to other systems within the network.

13
Q

A router can be accessed for administrative purposes

A

locally or remotely

14
Q

Although the aux port option is available, the most common remote access method involves allowing Telnet, SSH, HTTP, HTTPS, or SNMP connections to the router from a computer. The computer can be on the local network or a remote network.

A
  • Remote access
15
Q

The administrator must have physical access to the router and use a console cable to connect to the console port. Local access is typically used for initial configuration of the device.

A
  • Local access
16
Q

Strong password

A

Combines alphanumeric characters, symbols, and includes a space

17
Q

One method to create a strong password is to use the space bar and create a phrase made of many words. This is called _____, which is often easier to remember than a simple password. It is also longer and harder to guess.

A

a passphrase

18
Q

Use a ____ to secure passwords for your online internet activity.

A

password manager

19
Q

____ means that authentication requires two or more independent means of verification.

A

multi-factor authentication

20
Q

To secure privileged EXEC access, use the enable secret password global config command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# enable secret class
Sw-Floor-1(config)# exit
Sw-Floor-1#

21
Q

To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command. The zero is used to represent the first (and in most cases the only) console interface. Next, specify the user EXEC mode password using the password password command. Finally, enable user EXEC access using the login command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line console 0
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#

22
Q

To secure VTY lines, enter line VTY mode using the line vty 0 15 global config command. Next, specify the VTY password using the password password command. Last, enable VTY access using the login command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line vty 0 15
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#

24
Q

Steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch include these:

A

Encrypting all plaintext passwords

Setting a minimum acceptable password length

Deterring brute-force password guessing attacks

Disabling an inactive privileged EXEC mode access after a specified amount of time.

25
Q

To encrypt all plaintext passwords, use the service password-encryption global config command.

A

Sw-Floor-1# configure terminal
Sw-Floor-1(config)# service password-encryption
Sw-Floor-1(config)#

The command applies weak encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they are sent over the network. The purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file.

26
Q

Use the ____ command to verify that passwords are now encrypted.

A

show running-config

27
Q

To ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length length command in global configuration mode.

A

R1(config)# security passwords min-length 8

28
Q

Threat actors may use password cracking software to conduct a brute-force attack on a network device. This attack continuously attempts to guess the valid passwords until one works. Use the login block-for seconds attempts number within seconds global configuration command to deter this type of attack.

A

R1(config)# login block-for 120 attempts 3 within 60

29
Q

By default, Cisco routers will log out an EXEC session after 10 minutes of inactivity. However, you can reduce this setting using the exec-timeout minutes seconds line configuration command. This command can be applied on console, auxiliary, and vty lines.

A

R1(config)# line vty 0 4
R1(config-line)# password cisco123
R1(config-line)# exec-timeout 5 30
R1(config-line)# transport input ssh
R1(config-line)# end

30
Q

Additional Password Security

A

All plaintext passwords are encrypted.

New configured passwords must be eight characters or more.

If there are more than three failed VTY login attempts within 60 seconds, then lock out the VTY lines for 120 seconds.

Set the router to automatically disconnect an inactive user on a VTY line if the line has been idle for 5 minutes and 30 seconds.

31
Q

____ are no longer considered secure because attackers can reconstruct valid certificates. This can allow attackers to spoof any website. Therefore, it is now recommended that you configure all secret passwords using either type 8 or type 9 passwords.

A

MD5 hashes

32
Q

The ___ command shown in the figure uses an MD5 hash by default.

A

enable secret password

33
Q

Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M. Type 8 and type 9 use ___. Because type 9 is slightly stronger than type 8, it will be used throughout this course whenever it is allowed by the Cisco IOS.

A

SHA encryption.

34
Q

To enter an unencrypted password, use the enable algorithm-type command syntax:

A

Router(config)# enable algorithm-type { md5 | scrypt | sha256 | secret } unencrypted password

35
Q

Type 5; selects the message digest algorithm 5 (MD5) as the hashing algorithm.

A

md5

36
Q

Type 9; selects scrypt as the hashing algorithm.

A

scrypt

37
Q

Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm.

A

sha256

38
Q

Type 8 and type 9 encryption was also introduced in Cisco IOS 15.3(3)M for the username secret command. Similar to the enable secret command, if you simply enter a user with the username secret command, the default encryption will be MD5. Use the username name algorithm-type command to specify type 9 encryption.

A

Router(config)# username name algorithm-type { md5 | scrypt | sha256 | secret } unencrypted password

39
Q

The enable password, username password, and line password commands are available in the Cisco IOS. These commands use no encryption by default. At best, they can only use ____

A

type 7 encryption,

40
Q

____ is enabling a detection profile that lets you configure a network device to react to repeated failed login attempts by refusing further connection requests.

A

Login blocking

41
Q

____ can be used to permit legitimate connections from addresses of known system administrators.

A

Access control lists (ACLs)

42
Q

Use the banner global configuration mode command to specify appropriate messages. Banners protect the organization from a legal perspective.

A

Router(config)# banner { motd | exec | login } delimiter message delimiter

43
Q

Configure Login Enhancement Features

A

login block-for
login quiet-mode
login delay
login on-success
login on-failure

44
Q

The login block-for command can defend against DoS attacks by disabling logins after a specified number of failed login attempts.

A

Router(config)# login block-for seconds attempts tries within seconds

45
Q

The login quiet-mode command maps to an ACL that identifies the permitted hosts. This ensures that only authorized hosts can attempt to log in to the router.

A

Router(config)# login quiet-mode access-class {acl-name | acl-number}

46
Q

The login delay command specifies a number of seconds the user must wait between unsuccessful login attempts.

A

Router(config)# login delay seconds

47
Q

The login on-success and login on-failure commands log successful and unsuccessful login attempts.

A

Router(config)# login on-success log [every login]
Router(config)# login on-failure log [every login]

48
Q

Enable Login Enhancements

To help a Cisco IOS device provide DoS detection, use the login block-for command, which must be issued before any other login command.

The login block-for command monitors login device activity and operates in two modes:

A

Normal mode
Quiet mode

49
Q

This is also known as the quiet period. If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied for the time specified in the login block-for command.

A

Quiet mode

50
Q

This is also known as watch mode. The router keeps count of the number of failed login attempts within an identified amount of time.

A

Normal mode

51
Q

When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts, such as specific administrative hosts access at all times, this behavior can be overridden using an ACL. The ACL is created and identified using the login quiet-mode access-class command. Only the hosts identified in the ACL have access to the device during quiet mode.

A

True

52
Q

Three commands that can be configured to help an administrator detect a password attack

A

login on-success log
login on-failure log
security authentication failure rate

53
Q

____ generate syslog messages for successful and unsuccessful login attempts.

A

login on-success log
login on-failure log

54
Q

An alternative to the login on-failure log command is the ____ command, which can be configured to generate a log message when the login failure rate is exceeded.

A

security authentication failure rate

55
Q

Use the ___ command to verify the login block-for command settings and current mode.

A

show login

56
Q

The ___ command displays additional information regarding the failed attempts, such as the IP address from which the failed login attempts originated.

A

show login failures

57
Q

Enable SSH

A

Step 1. Configure a unique device hostname.

hostname

Step 2. Configure the IP domain name.

ip domain name

Step 3. Generate a key to encrypt SSH traffic.

crypto key generate rsa general-keys modulus 1024

Step 4. Verify or create a local database entry.

username secret

Step 5. Authenticate against the local database.

login local

Step 6. Enable vty inbound SSH sessions.

transport input {ssh | telnet}

58
Q

To verify the optional SSH command settings, use the ___ command.

A

show ip ssh
R1# show ip ssh

59
Q

Use the ____ command to modify the default 120-second timeout interval. This configures the number of seconds that SSH can use to authenticate a user.

A

ip ssh time-out seconds global configuration mode

R1(config)# ip ssh time-out 60

60
Q

By default, a user logging in has three attempts to enter the correct password before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer global configuration mode command.

A

R1(config)# ip ssh authentication-retries 2

61
Q

Connect a Router to an SSH-Enabled Router

To verify the status of the client connections, use the show ssh command.

A

R1# show ssh

62
Q

There are two different ways to connect to an SSH-enabled router.

A

By default, when SSH is enabled, a Cisco router can act as an SSH server or SSH client. As a server, a router can accept SSH client connections. As a client, a router can connect via SSH to another SSH-enabled router.

63
Q

Connect a Host to an SSH-Enabled Router

Connect using an SSH client (e.g., PuTTY, OpenSSH, TeraTerm) running on a host.

A

Generally, the SSH client initiates an SSH connection to the router. The router SSH service prompts for the correct username and password combination. After the login is verified, the router can be managed as if the administrator was using a standard Telnet session.

64
Q

At what point in the enterprise network are packets arriving from the internet examined prior to entering the network?

A

network edge

Because the access layer (network edge) is the connection point for endpoints, it plays a big role in ensuring the network is protected from malicious attacks. This protection includes making sure the end users and endpoints that connect to the network are prevented from accessing services for which they are not authorized.

65
Q

What three configuration steps must be performed to implement SSH access to a router? (Choose three.)

A

user account
unique hostname
ip domain name

To implement SSH on a router the following steps need to be performed:
Configure a unique hostname.
Configure the domain name of the network.
Configure a user account to use AAA or local database for authentication.
Generate RSA keys.
Enable VTY SSH sessions.

66
Q

What is one difference between using Telnet or SSH to connect to a network device for management purposes?

A

Telnet sends a username and password in plain text, while SSH encrypts the username and password

SSH provides security for remote management connections to a network device. SSH does so through encryption for session authentication (username and password) as well as for data transmission. Telnet sends a username and password in plain text, which can be targeted to obtain the username and password through data capture. Both Telnet and SSH use TCP, support authentication, and connect to hosts in CLI.

67
Q

Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)

A

There are three areas of router security to maintain:
1) physical security
2) router hardening
3) operating system security

68
Q

What is a good password recommendation for a Cisco router?

A

use one or more spaces within a multiword phrase

Strong password guidelines for Cisco routers include:
Use a minimum password length of eight or more characters, remembering that longer is better.
A password cannot begin with a space, but spaces within a passphrase are allowed on a Cisco router.
The service password-encryption command can only protect passwords being viewed within the configuration, not as they are sent across the network.

69
Q

What is the purpose of using a banner message on a Cisco network device?

A

protect organization from a legal perspective

A banner can be used to create messages shown on Cisco network devices. A banner message can protect the organization from a legal perspective and should be reviewed by legal counsel before being deployed.

70
Q

A network administrator establishes a connection to a switch via SSH. What characteristic uniquely describes the SSH connection?

A

remote access to a switch where data is encrypted during a session

SSH provides a secure remote login through a virtual interface. SSH provides a stronger password authentication than Telnet. SSH also encrypts the data during the session.

71
Q

What command will prevent all unencrypted passwords from displaying in plain text in a configuration file?

A

(config)# service password-encryption

To prevent all configured passwords from appearing in plain text in configuration files, an administrator can execute the service password-encryption command. This command encrypts all configured passwords in the configuration file.

72
Q

A network administrator is issuing the login block-for 180 attempts 2 within 30 command on a router. Which threat is the network administrator trying to prevent?

A

a user who is trying to guess a password to access the router

The login block-for 180 attempts 2 within 30 command will cause the device to block authentication after 2 unsuccessful attempts within 30 seconds for a duration of 180 seconds. A device inspecting the traffic on a link has nothing to do with the router. The router configuration cannot prevent unauthorized access to the equipment room. A worm would not attempt to access the router to propagate to another part of the network.

73
Q

Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?

A

locate the router in a secure locked room that is accessible only to authorized personnel

Of the three areas of router security, physical security, router hardening, and operating system security, physical security involves locating the router in a secure room accessible only to authorized personnel who can perform password recovery.

74
Q

A company is planning to use a DMZ for their servers and is concerned about securing the network infrastructure. Which device should the network security team use for the edge router?

A

Firewalls are commonly used on the network edge to create a demilitarized zone (DMZ). The DMZ contains servers that are commonly accessed by external users. By having them in a DMZ, it prevents having servers inside the corporate network with other corporate devices.

75
Q

Which type of access is secured on a Cisco router or switch with the enable secret command?

A

priv exec

The enable secret command secures access to the privileged EXEC mode of a Cisco router or switch.

76
Q

What is a common security task performed when securing administrative access to a network infrastructure device?

A

log and account for all access

When securing both local and remote administrative access to a network device, be sure to record anyone who accesses the device, the actions taken during the access, and the date/time of the access. Other good practices are to limit the number of ports and methods of access, authenticate access, authorize actions performed by those who access the device, display legal notification, and protect data viewed and/or copied. Limit the amount of protocols used for remote access and consider using SSH version 2 or HTTPS. Discovery protocols are not relevant to administrative access.