Security Flashcards
What are the first steps in securing user EXEC access to allow for secure network device access?
Configure passwords for local and remote CLI sessions.
Which command option on remote CLI sessions is used to limit the session to use only a secure connection method?
transport input ssh
What protocol does TACACS+ use for communication between a TACACS+ client (network device) and a TACACS+ server?
TCP port 49
What are two of the high-level benefits of using a remote AAA server over local AAA services on each network device individually?
Scalability and standardized authentication methods using RADIUS and TACACS+
What type of passwords are not encrypted and are stored in plaintext in the device configuration? The enable password uses this type.
Type 0
What type of passwords use an MD5 hashing algorithm? These passwords are easily reversible with tools available on the Internet.
Type 5
The enable secret and username username secret commands use what type of passwords?
Type 5
What type of password encryption is enabled with the service password-encryption command?
Type 7
What type of passwords use a Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret?
Type 8
What type of passwords use the SCRYPT hashing algorithm?
Type 9
What are the three ways to create a username on a Cisco device?
Using the command username username password password configures a plaintext password (type 0).
Using the command username username secret password provides type 5 encryption.
Using the command username username algorithm-type [md5 | sha256 | scrypt] secret password provides type 5, type 8, or type 9 encryption, respectively.
To enable username and password authentication on a line, you need what two commands?
Create the user with the username command in global configuration mode, using one of the three options listed earlier in this section.
Use the login local command in line configuration mode.
What command allows you to enable password authentication on a line?
password
After you enable password authentication on a line, what command enables password checking?
login
What command allows for username/password pairs stored locally on the router to be used for the lines?
login local
What’s the difference between SSHv1 and SSHv2?
The SSHv2 enhancement for RSA supports RSA-based public key authentication for a client and a network device.
What three commands do you need to enable SSH?
hostname hostname
ip domain-name domain-name
crypto key generate rsa
What privilege level allows for the use of five commands: enable, disable, help, logout, and exit?
Privilege level 0
What privilege level is the user EXEC mode where it’s not possible to make configuration changes?
Privilege level 1
At what privilege level are all of the IOS CLI commands available?
Privilege level 15
What command can you use to force the vty lines to only allow remote connections via a protocol that supports encryption?
transport input ssh
What type of encryption does the service password-encryption command provide?
Type 7
True or false: SSH Version 1 implementation is compatible with SSH Version 2 implementation.
False
Which part of AAA provides identity verification before access to a network device is granted?
Authentication
Which part of AAA provides access control?
Authorization
Which part of AAA provides a method for collecting information, logging the information locally on a network device, and sending the information to an AAA server for billing, auditing, and reporting?
Accounting
What are some of the high-level benefits of using a remote AAA server over local AAA services?
Increased flexibility and control of access configuration
Scalability
Standardized authentication methods using RADIUS and TACACS+
Ease of setup, since RADIUS and TACACS+ may have already been deployed across the enterprise
More efficiency, since you can create user attributes once centrally and use them across multiple devices
What protocol allows for a single access control server to provide authentication, authorization, and accounting to the network access server (NAS) independently?
TACACS+
The TACACS+ protocol uses what port for communication between the TACACS+ client (network device) and the TACACS+ server?
TCP port 49
What are the two implementations of RADIUS?
Cisco’s implementation and the industry-standard implementation.
Which of the following is not one of the benefits of AAA?
A. Increased flexibility and control of access configuration
B. Scalability
C. Standardized authentication methods using RADIUS and TACACS+
D. Complete removal of the need for local user creation on IOS devices
D. Complete removal of the need for local user creation on IOS devices
In the industry-standard implementation of the RADIUS protocol, which port is used for accounting?
UDP port 1813
Which command is entered to enable AAA on a Cisco IOS device?
aaa new-model
Which of the following commands is used for configuring a vty line to use the method list name list1?
A. aaa authentication
B. aaa authorization
C. login authentication list1
D. aaa new-model
C. login authentication list1
To add a TACACS+ server in IOS 15.x, what command follows tacacs server name if the IP address is 10.10.10.10?
address ipv4 10.10.10.10
To add a TACACS+ server in IOS 15.x, you need to specify the TACACS+ server name, specify the server IP address with the address ipv4 ip address command (address ipv4 10.10.10.10 in this case), and then specify the key string.
What is one of the reasons you would use named access lists over numbered access lists?
Named access lists allow you to reorder statements in or add statements to an access list.
What command is used to apply port access control lists (PACLs) to interfaces?
ip access-group access-list in
What are the main reasons you would implement the Cisco IOS control plane policing (CoPP) feature?
The Cisco IOS CoPP feature increases security on a router or switch by protecting the RP from unnecessary or denial-of-service (DoS) traffic and prioritizes important control plane and management traffic.
Which command is used to verify service policy implementation on the control plane for CoPP?
show policy-map control-plane
A wildcard mask bit 0 means what?
0 bit means check the corresponding bit value; these bit values must match.
A wildcard mask bit 1 means what?
1 bit means ignore that corresponding bit value; these bit values need not match.
Standard ACLs are numbered from what ranges?
1-99 or 1300-1999
Standard IP access lists only check what?
source addresses
Extended ACLs are numbered from what ranges?
100 to 199 or 2000 to 2699
What are some of the packet details extended ACLs can check for?
Source and destination addresses and other IP packet data, such as protocols, TCP or UDP port numbers, type of service (ToS), precedence, TCP flags, and IP options.
T/F: Named ACLs can be specified as either standard or extended, with the standard and extended keywords in the ip access-list command.
True
What command would you use to apply an access-list on an interface?
ip access-group access-list {number | name} {in | out}
What are some features supported on named access lists but not on numbered?
IP options filtering
Noncontiguous ports
TCP flag filtering
Deletion of entries with the no permit or no deny command
What provides the ability to perform access control on specific Layer 2 ports?
Port Access Control Lists (PACLs)
What provides access control for all packets bridged within a VLAN or routed into or out of a VLAN?
VLAN Access Control Lists (VACLs)
What is a VLAN access map?
A VLAN access map consists of one or more VLAN access map sequences, where each VLAN access map sequence consists of one match and one action statement.
What command would you use to apply a VACL?
vlan filter vlan-access-map-name vlan-list
vlan filter VACL_50 vlan-list 50
How many access lists per protocol and per direction are allowed on an interface?
A is correct. Only one access list per interface, per protocol, and per direction is allowed.
Which of the following can a PACL be applied to? (Choose two.)
A. Layer 2 port
B. Layer 3 port
C. Trunk
D. VLAN
A and C are correct. A PACL can be applied to the Layer 2 port of a Catalyst switch, including a physical port or trunk port that belongs to a VLAN.
What is a Cisco IOS-wide feature that is designed to allow users to manage the flow of traffic handled by the RP of a network device?
Control Plane Policing (CoPP)
What is classified as control plane traffic?
Routing protocol traffic
Packets destined to the local IP address of the router
Simple Network Management Protocol (SNMP) packets
Interactive access protocol traffic, such as Secure Shell (SSH) and Telnet traffic
Traffic related to protocols such as Internet Control Message Protocol (ICMP) or IP options that might also require handling by the device CPU
Layer 2 protocol packets such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) packets
What CoPP construct is used to define a traffic class?
class-map
What CoPP command is used to associate a traffic class with one or more QoS policies?
policy-map
What command would you use to attach the service policy to the control plane interface?
The service-policy {input | output} policy-name command is used to attach a service policy to the control plane.
What is the name of the CoPP construct that ties together predefined ACLs?
Class map. Class maps use created ACLs to match known protocols, addresses, IP precedence, DSCP values, CoS, and so on.
True or false: The CoPP feature increases security on a router or switch by protecting the RP from unnecessary or denial-of-service (DoS) traffic.
True
Which types of ACLs are applied in the Layer 2 switch environment? (Choose two.)
Standard ACLs
Extended ACLs
PACLs
VACLs
PACLs
VACLs
What happens when a matching ACE is found in an ACL?
Action is taken, and processing is stopped on the remaining ACEs.
Processing continues to the next ACE.
Regardless of matching statements, processing needs to go through all ACEs.
Processing continues through other ACEs when there is a permit statement.
Action is taken, and processing is stopped on the remaining ACEs.
A VACL VLAN list can reference all except which of the following?
A single VLAN
A range of VLANs
A comma-separated list of multiple VLANs
Layer 2 ports
Layer 2 ports
What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)
The login command is used to enable line password authentication.
The login command is used to enable username-based authentication.
The login local command is used to enable line and username-based authentication.
The login local command is used to enable username-based authentication.
The login command is used to enable line password authentication.
The login local command is used to enable username-based authentication.
Which of these commands are available to a user logged in with privilege level 0? (Choose all that apply.)
disable
enable
show
configure terminal
exit
logout
disable
enable
exit
logout
True or false: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.
False
Which of the following options describe ZBFW? (Choose two.)
Provides high security with stateless inspection functionality
Provides stateful firewall functionality
Is a network interface module
Is an integrated IOS solution
Is a security appliance similar to an ASA 5500-X
Provides stateful firewall functionality
Is an integrated IOS solution
What are the two system-built zones for ZBFW? (Choose two.)
Inside zone
Twilight zone
System zone
Outside zone
Self zone
Default zone
Self zone and Default zone
Which of the following features was developed specifically to protect the CPU of a router?
ZBFW
AAA
CoPP
ACLs
CoPP
True or false: CoPP supports input and output policies to control inbound and outbound traffic.
True
Which of the following are features that can be disabled to improve the overall security posture of a router?
LLDP
When members of a Marketing team are allowed to access Facebook for marketing purposes, but are denied access to Facebook games, this is an example of which type of NGFW feature?
application visibility control
context awareness
intrusion prevention system
advanced malware protection
Context awareness. Context awareness controls who is connecting, to what, from where, using which device, at what time.
Which module works with Cisco AnyConnect to enforce a policy for endpoints that connect to the network via remote-access VPNs?
Cisco WSA AnyConnect
Cisco ISE posture
Cisco ASA posture
Cisco Catalyst AnyConnect
Cisco ASA posture.
Which IPS inspection method observes network traffic and acts if a network event outside normal network behavior is detected?
signature-based
policy-based
anomaly-based
protocol verification
anomaly-based
Which IPS traffic inspection method observes patterns, traffic rates, protocol mix, and traffic volume over time to build a profile of normal behavior?
signature-based inspection
statistical anomaly detection
protocol verification
policy-based inspection
statistical anomaly detection
Where do the Cisco AMP malware detection and analytics engines run?
in the client device
in a Cisco ASA appliance
in a Cisco ISE
in the Cisco Collective Security Intelligence Cloud
in the Cisco Collective Security Intelligence Cloud
Which of the following are Cisco SAFE’s PINs in the network? (Choose all that apply.)
Internet
Data center
Branch office
Edge
Campus
Cloud
WAN
Data center
Branch office
Edge
Campus
Cloud
WAN
Cisco SAFE includes which of the following secure domains? (Choose all that apply.)
Threat defense
Segmentation
Segregation
Compliance
Threat defense
Segmentation
Compliance
Which of the following is the Cisco threat intelligence organization?
Cisco Stealthwatch
Cisco Threat Grid
Cisco Talos
Cisco Threat Research, Analysis, and Communications (TRAC) team
Cisco Talos
What is the Threat Grid?
The Cisco threat intelligence organization
The Cisco sandbox malware analysis solution
The Cisco security framework
An aggregator of network telemetry data
The Cisco sandbox malware analysis solution
Which of the following EAP methods supports EAP chaining?
EAP-TTLS
EAP-FAST
EAP-GTC
PEAP
EAP-FAST
True or false: SGT tags extend all the way down to the endpoints.
False
Which of the following three phases are defined by Cisco TrustSec? (Choose all that apply.)
Classification
Enforcement
Distribution
Aggregation
Propagation
Classification
Enforcement
Propagation
What are the two MACsec keying mechanisms?
Security Association Protocol (SAP)
MACsec Key Agreement (MKA) protocol
What is the proprietary Cisco keying protocol in MACsec used between Cisco switches?
Security Association Protocol (SAP)
In MACsec, what provides the required session keys and manages the required encryption keys?
MACsec Key Agreement (MKA) protocol
Which of the following password types is the weakest?
Type 5
Type 7
Type 8
Type 9
Type 7
What type of encryption does the command service password-encryption provide?
Type 7 encryption