Module 5: Securing Network Devices: Authentication, Authorization, and Accounting Flashcards

1
Q

An edge router security approach in which a series of security mechanisms and controls are deliberately layered throughout a network, so that no single control is relied on to protect the confidentiality, integrity, and availability of the network and the data within it.

A

Defense in Depth (DiD) approach

2
Q

An edge router security approach that segregates the networks and services offered to users, visitors, or partners from internal systems through the use of firewalls and multiple layers of filtering and control.

A

demilitarized zone (DMZ)

3
Q

An edge router security approach that is used to connect the internal network to the external network (usually the internet). This router is responsible for all the security measures, including firewall, intrusion detection, and prevention systems.

A

Single Router Approach

4
Q

What are the areas of router security?

A
  • physical security
  • router hardening
  • router operating system and configuration file security
5
Q

An area of router security in which the router itself is secured against attack as thoroughly as possible (unused services and ports disabled, management access restricted).

A

router hardening

6
Q

A protocol that provides a virtual terminal connection over the Internet or a LAN. It carries credentials and session data in cleartext, so it should be disabled in favour of SSH.

A

Telnet

7
Q

A port that allows a direct, non-network connection (typically a modem dial-in) to the router from a remote location.

A

Auxiliary Port (AUX Port)

8
Q

Login local needs a _______ and _______, while login only needs ______.

A

username
password
password

9
Q

A line command that allows both Telnet and SSH connections to the device.

A

transport input telnet ssh

10
Q

A line command that allows only SSH connections (Telnet is refused).

A

transport input ssh

11
Q

A feature that allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.

A

(Cisco IOS) Login Enhancements Features

12
Q

A CISCO command used with quiet mode. While a device is in quiet mode all login requests are denied and the only available connection is through the console; this command names an ACL of hosts that are still permitted to log in during quiet mode.

login block-for

login quiet-mode access-class

login on-success log

login on-failure log

A

login quiet-mode access-class

13
Q

A CISCO command that generates a syslog message (including the username and source IP address) for each successful login.

login block-for

login quiet-mode access-class

login on-success log

login on-failure log

A

login on-success log

14
Q

A CISCO command used to configure the number of unsuccessful login attempts allowed before a 15-second delay is imposed and a syslog message is generated.

login block-for
login on-failure log
security authentication failure rate
login quiet-mode access-class

A

security authentication failure rate
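The login-enhancement commands from cards 11 through 14, assembled into one added example (not part of the original flashcards). The ACL name, management subnet, thresholds and delays are assumptions to be tuned per environment; the feature only takes effect on lines that use `login local` or AAA, not plain `login` with a line password.

```cisco
! Added example, not from the original flashcards. Names and numbers are assumptions.
! The exemption ACL must exist before quiet-mode references it.
ip access-list standard PERMIT-ADMIN
 permit 10.10.10.0 0.0.0.255
! After 3 failed attempts within 60 s, enter quiet mode for 120 s.
login block-for 120 attempts 3 within 60
! During quiet mode only hosts permitted by PERMIT-ADMIN (and the console) may log in.
login quiet-mode access-class PERMIT-ADMIN
! Force a 2 s gap between attempts to slow brute forcing outside quiet mode.
login delay 2
! Syslog every successful and failed login (username and source address).
login on-success log
login on-failure log
! Older mechanism: after 3 failures, pause 15 s and raise a syslog message.
security authentication failure rate 3 log
! Lines must use the local database (or AAA) for the feature to apply.
line vty 0 4
 login local
! Verify from privileged EXEC:
!   R1# show login
!   R1# show login failures
```

`show login` reports whether the router is currently in quiet mode and how long remains; `show login failures` lists the source addresses behind the failed attempts, which is what you feed to the collector or ACL when the same host keeps coming back.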

15
Q

A protocol which allows you to connect securely to a remote computer or a server by using a text-based interface.

A

Secure Shell (SSH)

16
Q

A CISCO command used to generate Rivest, Shamir, and Adleman (RSA) key pairs

A

crypto key generate rsa
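The SSH and line-hardening commands from cards 8 through 16, put together as one added example (not part of the original flashcards). The hostname, domain name, account name, management subnet and ACL name are assumptions.

```cisco
! Added example, not from the original flashcards. Names and addresses are assumptions.
hostname R1
ip domain-name example.com
! The RSA key pair is what SSH needs; 2048 bits is the practical minimum today.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Local account with a scrypt-hashed secret ('password' would store a reversible type 7 string).
username ADMIN privilege 15 algorithm-type scrypt secret Str0ng5rPa55w0rd
! Only the management subnet may reach the VTY lines; log anything else.
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 login local
 access-class MGMT-HOSTS in
 exec-timeout 5 0
! Console keeps a local login; the AUX port is disabled entirely.
line con 0
 login local
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
! Verify from privileged EXEC:
!   R1# show ip ssh
!   R1# show users
```

`transport input ssh` on its own is not enough: without `login local` (or AAA) the line still falls back to whatever line password exists, and without the `access-class` any host that can route to the router may brute-force it.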

17
Q

Level of access of User EXEC mode

A

privilege level 1

18
Q

Level of access of Privileged EXEC mode

A

privilege level 15

19
Q

A feature that allows the network administrator to define “views,” which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.

A

Role-Based CLI Access feature

20
Q

A CISCO command under Role-Based CLI Access that enters the root view (it prompts for the enable secret).

enable root view

secret 5 root

enable view

parser view

A

enable view

21
Q

A CISCO command under Role-Based CLI Access that creates a view and enters view configuration mode.

enable root view

secret 5 root

enable view

parser view

A

parser view

22
Q

A CISCO command, entered in superview configuration mode, that adds an existing CLI view to the superview.

parser view

secret 5

view HOST

enable view

A

view HOST (adds the view named HOST to the superview; `secret` only sets the superview's password)

23
Q

A CISCO command under Role-Based CLI Access that associates a command-line interface (CLI) view or superview with a password.

enable root view

secret 5 root

enable view

parser view

A

secret 5
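The Role-Based CLI Access commands from cards 17 through 23, worked through as one added example (not part of the original flashcards). The view names, secrets, user name and the command sets are assumptions.

```cisco
! Added example, not from the original flashcards. View names and secrets are assumptions.
! AAA must be enabled before any view can be created.
aaa new-model
enable secret Root5ecret
! The root view is entered from privileged EXEC (prompts for the enable secret):
!   R1# enable view
! A read-only operational view.
parser view SHOWVIEW
 secret Sh0wOnly
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
! A view that may configure interface addresses only.
parser view INTVIEW
 secret Int0nly
 commands exec include configure terminal
 commands configure include all interface
 commands interface include ip address
 commands interface include shutdown
! A superview bundles views; it has its own secret but no commands of its own.
parser view JR-ADMIN superview
 secret Jr5ecret
 view SHOWVIEW
 view INTVIEW
! Bind a local user to the superview so it is entered automatically at login.
username jr-admin view JR-ADMIN secret Jr5ecret
! Switch views and confirm what each one permits:
!   R1# enable view JR-ADMIN
!   R1# show parser view
```

Views are allow-lists: anything not explicitly included (here, `show running-config`, `copy`, `reload`) is invisible to the user, which is what makes this a least-privilege control rather than a cosmetic one. Check each view with `show parser view` while logged in as that view before handing it to anyone.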

24
Q

It is a feature in CISCO devices that enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).

A

Cisco IOS Resilient Configuration feature

25
Q

A CISCO command that enables Cisco IOS image resilience

A

secure boot-image

26
Q

A CISCO command under IOS image resilience that stores a secure copy of the primary bootset in persistent storage

A

secure boot-config

27
Q

A CISCO command under IOS image resilience that displays the status of configuration resilience and the primary
bootset filename.

A

show secure bootset

28
Q

_______ requires that authentication, authorization, and accounting (AAA) be configured so the router can determine whether the user has the correct privilege level.

A

Secure Copy (SCP)

29
Q

What is the CISCO command to disable password recovery?

A

no service password-recovery
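The Resilient Configuration and password-recovery commands from cards 24 through 29, as one added example (not part of the original flashcards). The archived filename shown in the restore step is an assumption; the real name comes from `show secure bootset`.

```cisco
! Added example, not from the original flashcards.
! Protect the running IOS image: it is hidden from 'dir' and cannot be erased from the CLI.
secure boot-image
! Keep a secure copy of the running configuration in persistent storage.
secure boot-config
! Verify from privileged EXEC (reports image status and the primary bootset filename):
!   R1# show secure bootset
! To recover after NVRAM/flash has been wiped, restore the archived bootset
! (filename is an assumption; use the one reported by show secure bootset):
!   R1(config)# secure boot-config restore flash:archived-config
! Disable ROMmon password recovery so physical access does not yield the config.
! Caveat: with this set, a lost enable secret can only be recovered by a full
! configuration reset (and on some platforms not at all), so keep the credentials
! in an out-of-band vault before enabling it.
no service password-recovery
```

Both `secure boot-*` commands need the image and config to live on local flash and NVRAM; they do not protect a device that boots over TFTP or from an external card, so check the platform before relying on them.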

30
Q

A type of management access that applies only to devices that need to be managed or monitored.

A

in-band management

31
Q

A type of management access that mitigates the risk of passing management protocols over the production network.

A

out-of-band management

32
Q

A type of management access for which you must decide whether the management channel needs to be open at all times.

A

in-band management

33
Q

A type of management access that provides the highest level of security.

A

out-of-band management

34
Q

A type of management access that provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN.

A

out-of-band management

35
Q

A type of management access that uses the same communications channels that the devices themselves support.

A

in-band management

36
Q

A type of management access that uses IPsec, SSH, or SSL when possible.

A

in-band management

37
Q

A standard for logging messages.

A

Syslog (System Logging Protocol)

38
Q

The logging standard used by Cisco devices; when a severity level is set, messages of that level and all more severe (lower-numbered) levels are logged.

A

Syslog (System Logging Protocol)

39
Q

What syslog severity level is raised when an interface changes state from up to down or vice-versa?

A

Level 5 (Notification)

40
Q

What syslog severity level is raised when the device is unable to allocate memory?

A

Level 2 (Critical)

41
Q

What syslog severity level is raised when the temperature is too high?

A

Level 1 (Alert)

42
Q

What syslog severity level is raised on an invalid memory size?

A

Level 3 (Error)

43
Q

What syslog severity level is raised when a packet is denied by an ACL?

A

Level 6 (Informational)

44
Q

What syslog severity level is raised when a crypto operation fails?

A

Level 4 (Warning)

45
Q

What syslog severity level is raised when Cisco IOS software could not load?

A

Level 0 (Emergency)

46
Q

What syslog security level will be logged/raised when a packet type is invalid?

47
Q

In configuring system logging, it is used to log messages to syslog server host.

logging source-interface

logging host

logging trap

logging on

A

logging host

48
Q

In configuring system logging, it is used to limit messages logged to the syslog servers.

logging source-interface

logging host

logging trap

logging on

A

logging trap

49
Q

In configuring system logging, it is used to specify a particular IP address for syslog messages.

logging source-interface

logging host

logging trap

logging on

A

logging source-interface

50
Q

In configuring system logging, it is used to enable message logging.

logging source-interface

logging host

logging trap

logging on

A

logging on
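The syslog commands from cards 47 through 50, plus the NTP setup from card 59 that makes the timestamps trustworthy, as one added example (not part of the original flashcards). The NTP server, collector address, key and source interface are assumptions.

```cisco
! Added example, not from the original flashcards. Addresses, key and interface are assumptions.
! Authenticated NTP first: unauthenticated time lets an attacker skew every log timestamp.
ntp authentication-key 1 md5 NtpK3y
ntp authenticate
ntp trusted-key 1
ntp server 10.10.10.5 key 1
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
! Enable logging and define the collector.
logging on
logging host 10.10.10.20
! Send level 6 (informational) and more severe to the server, so ACL denies arrive;
! keep the console at warnings or below so it is not flooded during an attack.
logging trap informational
logging console warnings
logging buffered 64000 debugging
! Source from the loopback so the collector sees a stable sender address.
logging source-interface Loopback0
! Verify from privileged EXEC:
!   R1# show logging
!   R1# show ntp status
```

`logging trap` is the threshold: it sends the named level and every lower-numbered (more severe) level, which is why `informational` catches the ACL denies at level 6 but not `debugging` at 7. Syslog over UDP is unauthenticated, so the collector should be reachable only from the management network or an out-of-band path.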

51
Q

An Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

A

Simple Network Management Protocol (SNMP)

52
Q

An SNMP version that uses DES and AES for encryption.

A

SNMPv3 (priv security level)

53
Q

An SNMP version that uses username match for authentication.

A

SNMPv3 (noAuthNoPriv security level)

54
Q

An SNMP version that provides authentication based on HMAC-MD5 or HMAC-SHA algorithms.

A

SNMPv3 (authNoPriv and authPriv security levels)

55
Q

An SNMP version that uses community string match for authentication.

A

SNMPv1
SNMPv2c

56
Q

What is the CISCO command to configure an SNMP view?

snmp-server user

parser view

snmp-server group

ip access-list standard permit

snmp-server view

A

snmp-server view

57
Q

What is the CISCO command to configure an SNMP group?

snmp-server user

parser view

snmp-server group

ip access-list standard permit

snmp-server view

A

snmp-server group

58
Q

What is the CISCO command to add a user to SNMP group?

snmp-server user

parser view

snmp-server group

ip access-list standard permit

snmp-server view

A

snmp-server user
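The SNMPv3 view, group and user commands from cards 51 through 58 in one added example (not part of the original flashcards). The NMS address, ACL, view, group and user names, the OID subtrees and the passphrases are assumptions.

```cisco
! Added example, not from the original flashcards. Names, OIDs and passphrases are assumptions.
! Only the NMS may poll the device.
ip access-list standard SNMP-NMS
 permit host 10.10.10.30
! Expose only the system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2) subtrees.
snmp-server view MGMT-VIEW 1.3.6.1.2.1.1 included
snmp-server view MGMT-VIEW 1.3.6.1.2.1.2 included
! v3 group requiring authentication and privacy, read-only, bound to the view and ACL.
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access SNMP-NMS
! User with SHA authentication and AES-128 privacy (prefer these over MD5 and DES).
snmp-server user nmsuser NMS-GROUP v3 auth sha Auth-Passphrase-1 priv aes 128 Priv-Passphrase-1
! Remove any leftover v1/v2c community strings; they are cleartext credentials.
no snmp-server community public
no snmp-server community private
! Verify from privileged EXEC:
!   R1# show snmp group
!   R1# show snmp user
```

The user's secrets are not shown in `show running-config`; the device stores localized keys derived from the engine ID, so a user definition cannot be copied to another device by pasting the config. Re-create users after an engine ID change.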

59
Q

A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

A

Network Time Protocol (NTP)

60
Q

A feature that examines your existing router configurations and then updates your router in order to make your router and network more secure.

A

Security Audit

61
Q

A Cisco IOS feature that is based on the Cisco IOS AutoSecure feature and performs checks on, and assists in the configuration of, almost all of the AutoSecure functions.

A

Security Audit

62
Q

A discovery protocol that facilitates the management of Cisco devices by discovering them, determining how they are configured, and allowing systems using different network-layer protocols to learn about each other.

A

Cisco Discovery Protocol (CDP)

63
Q

A Layer 2, media-independent, and network-independent protocol that runs on Cisco devices and enables networking applications to learn about directly connected devices nearby.

A

Cisco Discovery Protocol (CDP)

64
Q

A discovery protocol used by network devices to advertise information about themselves to other devices on the network.

A

Link Layer Discovery Protocol (LLDP)

65
Q

This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other.

A

Link Layer Discovery Protocol (LLDP)

66
Q

A feature that secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration of the router

A

AutoSecure

67
Q

A routing protocol for Internet Protocol (IP) networks.

A

Open Shortest Path First (OSPF)

68
Q

A Cisco IOS feature that allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets, protecting the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks.

A

control plane policing

69
Q

SHA

A

Secure Hash Algorithm

70
Q

CEF

A

Cisco Express Forwarding

71
Q

Control Plane Policing (CoPP)

Support for Distributed or Hardware Switching Platforms

Yes or No

A

Yes

72
Q

Control Plane Policing (CoPP)

CEF required

Yes or No

A

Yes

73
Q

Control Plane Policing (CoPP)

Provides a mechanism for dropping packets that are directed to closed or nonlistening TCP/UDP ports

Yes or No

A

No (this is a Control Plane Protection (CPPr) port-filter capability)

74
Q

Control Plane Policing (CoPP)

Ability to enforce limits on the number of packets for a specified protocol that are allowed in the control plane IP input queue

Yes or No

A

No (this is a Control Plane Protection (CPPr) queue-threshold capability)
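A minimal Control Plane Policing policy illustrating cards 68 through 74, as an added example (not part of the original flashcards). The management subnet, NMS address, class and policy names, and the policing rates are assumptions and must be tuned per platform.

```cisco
! Added example, not from the original flashcards. Addresses and rates are assumptions.
! CEF is required for CoPP.
ip cef
! Classify control-plane traffic: trusted management vs. ICMP vs. everything else.
ip access-list extended COPP-MGMT
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 permit udp host 10.10.10.30 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
! Police each class; excess is dropped before it reaches the route processor.
policy-map COPP-POLICY
 class COPP-MGMT-CLASS
  police 500000 conform-action transmit exceed-action drop
 class COPP-ICMP-CLASS
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 128000 conform-action transmit exceed-action drop
! Apply inbound on the control plane.
control-plane
 service-policy input COPP-POLICY
! Verify per-class conform/exceed counters:
!   R1# show policy-map control-plane
```

Start with `conform-action transmit exceed-action transmit` on every class and watch the counters for a few days before switching to `drop`; a rate set too low on `class-default` silently breaks routing-protocol adjacencies, which looks exactly like the outage CoPP is meant to prevent.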

75
Q

AAA

A

Authentication, Authorization, Accounting

76
Q

Give types of accounting information.

A
  • network
  • connection
  • system
  • command
  • resource
  • EXEC
77
Q

What is the CISCO command used to enable AAA globally on the router?

aaa authentication login default local-case

username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

aaa new-model

A

aaa new-model

78
Q

What is the CISCO command used to configure AAA parameters on the router?

aaa authentication login default local-case

username authentication ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

aaa new-model

A

aaa authentication login default local-case

79
Q

What is the CISCO command used to add usernames and passwords to the local router for users that need administrative access to the router?

aaa authentication login default local-case

username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

aaa new-model

A

username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

80
Q

What is the CISCO command used to add the administrative user ADMIN, with a scrypt-hashed secret, to the local database on the router?

aaa authentication login default local-case

username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

username JR-ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

aaa new-model

A

username ADMIN algorithm-type scrypt secret Str0ng5rPa55w0rd

81
Q

A type of server-based AAA that separates authentication from authorization.

A

TACACS+

82
Q

A type of server-based AAA that does not separate authentication from authorization.

A

RADIUS
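The local AAA commands from cards 75 through 80 combined with a TACACS+ server as the primary method, covering cards 81 and 82 as well, in one added example (not part of the original flashcards). The server address, shared key, group name and user accounts are assumptions.

```cisco
! Added example, not from the original flashcards. Addresses, keys and accounts are assumptions.
aaa new-model
! Local accounts, used only when no TACACS+ server answers.
username ADMIN privilege 15 algorithm-type scrypt secret Str0ng5rPa55w0rd
username JR-ADMIN privilege 1 algorithm-type scrypt secret Str0ng5rPa55w0rd
! TACACS+ server (TCP/49) and a server group to reference it.
tacacs server TAC1
 address ipv4 10.10.10.40
 key 7ac@cs-Sh4red
aaa group server tacacs+ TAC-GROUP
 server name TAC1
! Authentication: TACACS+ first, then case-sensitive local accounts.
aaa authentication login default group TAC-GROUP local-case
! Authorization is a separate exchange with TACACS+, so it can be per command;
! RADIUS bundles authorization into the authentication reply and cannot do this.
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
! Accounting: record EXEC sessions and privileged commands.
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
! Test the server path before closing your working session:
!   R1# test aaa group TAC-GROUP ADMIN Str0ng5rPa55w0rd legacy
```

Keep an existing privileged session open while applying this and confirm a second login works; the `local`/`local-case` fallback only engages when the server is unreachable, not when it rejects the credentials, so a typo in the shared key locks out every VTY login except the console.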

83
Q

A term in AAA that ensures a device or end-user is legitimate.

A

authentication

84
Q

A term in AAA that allows or disallows authenticated users access to certain areas and programs on the network.

A

Authorization