Security Flashcards

1
Q

What are the first steps in securing user EXEC access to allow for secure network device access?

A

Configure passwords for local and remote CLI sessions.

2
Q

Which command option on remote CLI sessions is used to limit the session to use only a secure connection method?

A

transport input ssh

3
Q

What protocol does TACACS+ use for communication between a TACACS+ client (network device) and a TACACS+ server?

A

TCP port 49

4
Q

What are two of the high-level benefits of using a remote AAA server over local AAA services on each network device individually?

A

Scalability and standardized authentication methods using RADIUS and TACACS+

5
Q

What type of passwords are not encrypted and are stored in plaintext in the device configuration? The enable password uses this type.

A

Type 0

6
Q

What type of passwords use a salted MD5 hashing algorithm? MD5 is considered weak: the hash is not reversible the way Type 7 is, but it can be cracked offline with brute-force or dictionary tools freely available on the Internet.

A

Type 5

7
Q

The enable secret and username username secret commands use what type of passwords when no algorithm-type is specified?

A

Type 5 (salted MD5). Check the number that follows secret in the running configuration to confirm which hash type is actually stored, and prefer algorithm-type sha256 (type 8) or scrypt (type 9) where the platform supports them.

8
Q

What type of password encryption is enabled with the service password-encryption command?

A

Type 7 (a reversible Vigenère-based obfuscation of type 0 passwords, not real encryption)

9
Q

What type of passwords use a Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret?

A

Type 8

10
Q

What type of passwords use the scrypt hashing algorithm?

A

Type 9

11
Q

What are the three ways to create a username on a Cisco device?

A

Using the command username username password password configures a plaintext password (type 0).

Using the command username username secret password stores a type 5 (salted MD5) hash.

Using the command username username algorithm-type {md5 | sha256 | scrypt} secret password stores a type 5, type 8, or type 9 hash, respectively.

12
Q

To enable username and password authentication on a line, you need what two commands?

A

Create the user with the username command in global configuration mode, using one of the three options listed earlier in this section.

Use the login local command in line configuration mode.
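As an added example (not from the original deck), here is the weak configuration built from type 0 and type 7 passwords, as described in cards 5 through 12, beside its hardened form, with the running-configuration line each produces. The usernames and passwords are made up, and hash strings are shown as placeholders.

```cisco
! Added example (not from the original deck). Credentials and hash
! strings below are made up; <...> marks a placeholder.

! ----- Weak: type 0 and type 7 -----
enable password Cisco123
username ops password Cisco123
! Both lines are stored as plaintext (type 0) until this is set:
service password-encryption
! "show running-config" then shows them as type 7, e.g.
!   enable password 7 <vigenere-string>
!   username ops password 7 <vigenere-string>
! Type 7 is reversible in milliseconds with public tools, so treat
! anything stored as 7 exactly like plaintext.

! ----- Hardened: salted one-way hashes -----
! Remove the plaintext/type 7 enable password. "enable secret" takes
! precedence when both exist, but the weaker line still leaks a credential.
no enable password
enable algorithm-type scrypt secret Str0ngEnableS3cret!
username ops privilege 15 algorithm-type scrypt secret Str0ngOpsS3cret!
! sha256 gives PBKDF2-SHA256 (type 8) where scrypt is not available
username legacy privilege 1 algorithm-type sha256 secret AnotherS3cret!
! "show running-config" now shows the hash type before the salted hash:
!   enable secret 9 $9$<salt>$<hash>
!   username ops privilege 15 secret 9 $9$<salt>$<hash>
!   username legacy privilege 1 secret 8 $8$<salt>$<hash>
! "secret" without algorithm-type yields type 5 (salted MD5, "$1$<salt>$<hash>")
! on releases that still default to it. Audit what is actually stored with:
!   show running-config | include secret|password
```

The line-mode login local command then validates against these local accounts; the hash type only changes how the stored credential resists offline cracking, not how the login works.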

13
Q

What command allows you to enable password authentication on a line?

A

password

14
Q

After you enable password authentication on a line, what command enables password checking?

A

login

15
Q

What command allows for username/password pairs stored locally on the router to be used for the lines?

A

login local

16
Q

What’s the difference between SSHv1 and SSHv2?

A

SSHv2 is a redesigned protocol that is not interoperable with SSHv1 and that replaces SSHv1's weak integrity check and key exchange, for which practical attacks are known. The SSHv2 enhancement for RSA also supports RSA-based public key authentication for a client and a network device. Restrict a device to SSHv2 with ip ssh version 2.

17
Q

What three commands do you need to enable SSH?

A

hostname hostname
ip domain-name domain-name
crypto key generate rsa
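An added example, not part of the original deck, that combines the commands from cards 12 through 17 into a complete SSH-only management-access configuration. The hostname, domain name, management subnet, ACL name and credentials are assumptions.

```cisco
! Added example (not from the original deck). Hostname, domain, management
! subnet, ACL name and credentials are assumptions.
hostname edge-rtr1
ip domain-name lab.example.com
! Key size: 2048 bits or more; the small default modulus on older images is not acceptable
crypto key generate rsa modulus 2048
! Refuse SSHv1 (known weaknesses; it is not interoperable with v2 anyway)
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Block logins for 120 s after 3 failures within 60 s (brute-force throttle)
login block-for 120 attempts 3 within 60
! Local account with a type 9 (scrypt) secret, used by "login local" below
username admin privilege 15 algorithm-type scrypt secret Str0ngAdminS3cret!
! Only the management subnet may open a VTY session
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
! Apply to every VTY line the platform has (check with "show line"); 0 4 shown here
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
line con 0
 login local
 exec-timeout 10 0
! Verify:
!   show ip ssh                              -> SSH Enabled - version 2.0
!   show running-config | section line vty   -> transport input ssh present
```

Keep the current session open while applying this: if the key generation or the ACL is wrong, the next SSH attempt fails and the console is the only way back in.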

18
Q

What privilege level allows for the use of five commands: enable, disable, help, logout, and exit?

A

Privilege level 0

19
Q

What privilege level is the user EXEC mode where it’s not possible to make configuration changes?

A

Privilege level 1

20
Q

At what privilege level are all of the IOS CLI commands available?

A

Privilege level 15

21
Q

What command can you use to force the vty lines to only allow remote connections via a protocol that supports encryption?

A

transport input ssh

22
Q

What type of encryption does the service password-encryption command provide?

A

Type 7 (reversible obfuscation, not a one-way hash)

23
Q

True or false: SSH Version 1 implementation is compatible with SSH Version 2 implementation.

A

False

24
Q

Which part of AAA provides identity verification before access to a network device is granted?

A

Authentication

25
Q

Which part of AAA provides access control?

A

Authorization

26
Q

Which part of AAA provides a method for collecting information, logging the information locally on a network device, and sending the information to an AAA server for billing, auditing, and reporting?

A

Accounting

27
Q

What are some of the high-level benefits of using a remote AAA server over local AAA services?

A

Increased flexibility and control of access configuration

Scalability

Standardized authentication methods using RADIUS and TACACS+

Ease of setup, since RADIUS and TACACS+ may have already been deployed across the enterprise

More efficiency, since you can create user attributes once centrally and use them across multiple devices

28
Q

What protocol allows for a single access control server to provide authentication, authorization, and accounting to the network access server (NAS) independently?

A

TACACS+

29
Q

The TACACS+ protocol uses what port for communication between the TACACS+ client (network device) and the TACACS+ server?

A

TCP port 49

30
Q

What are the two implementations of RADIUS?

A

Cisco’s implementation (UDP ports 1645 for authentication/authorization and 1646 for accounting) and the industry-standard implementation (UDP ports 1812 and 1813).

31
Q

Which of the following is not one of the benefits of AAA?

A. Increased flexibility and control of access configuration

B. Scalability

C. Standardized authentication methods using RADIUS and TACACS+

D. Complete removal of the need for local user creation on IOS devices

A

D. Complete removal of the need for local user creation on IOS devices

32
Q

In the industry-standard implementation of the RADIUS protocol, which port is used for accounting?

A

UDP port 1813

33
Q

Which command is entered to enable AAA on a Cisco IOS device?

A

aaa new-model

34
Q

Which of the following commands is used for configuring a vty line to use the method list name list1?

A. aaa authentication

B. aaa authorization

C. login authentication list1

D. aaa new-model

A

C. login authentication list1

35
Q

To add a TACACS+ server in IOS 15.x, what command follows tacacs server name if the IP address is 10.10.10.10?

A

address ipv4 10.10.10.10

To add a TACACS+ server in IOS 15.x, you need to specify the TACACS+ server name, specify the server IP address with the address ipv4 ip address command (address ipv4 10.10.10.10 in this case), and then specify the key string.
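An added example (not from the original deck) that puts cards 33 to 35 together: AAA enabled, a TACACS+ server defined, method lists for login, exec authorization and accounting, and the named list bound to the VTY lines. The server name, address, shared secret, group name and the list name list1 are assumptions.

```cisco
! Added example (not from the original deck). Server name, address, shared
! secret, group name and the list name list1 are assumptions.
aaa new-model
! Server definition (IOS 15.x style): name, address, shared secret
tacacs server ISE-TACACS
 address ipv4 10.10.10.10
 key S3cretSharedKey
 timeout 5
! Group the server so method lists can reference it
aaa group server tacacs+ ISE-TACACS+
 server name ISE-TACACS
! Method lists: "local" is tried only when the TACACS+ server does not answer,
! not when it rejects the user, so the local account is a fallback, not a bypass
aaa authentication login default group ISE-TACACS+ local
aaa authentication login list1 group ISE-TACACS+ local
aaa authorization exec default group ISE-TACACS+ if-authenticated
aaa authorization commands 15 default group ISE-TACACS+ if-authenticated
! The console is excluded from AAA authorization unless this is set explicitly
aaa authorization console
aaa accounting exec default start-stop group ISE-TACACS+
aaa accounting commands 15 default start-stop group ISE-TACACS+
! Fallback account (type 9 secret) for when the server is unreachable
username admin privilege 15 algorithm-type scrypt secret Str0ngAdminS3cret!
! With aaa new-model set, line-mode "login"/"login local" are replaced by method
! lists; lines without "login authentication <list>" use the default list
line vty 0 4
 login authentication list1
 transport input ssh
! Verify before closing your working session:
!   show tacacs                                   -> socket/connection counters
!   test aaa group ISE-TACACS+ <user> <password> new-code
```

The accounting lists send a start and stop record for each EXEC session and each level-15 command, which is what gives a central audit trail of who changed what on the device.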

36
Q

What is one of the reasons you would use named access lists over numbered access lists?

A

Named access lists allow you to reorder statements in or add statements to an access list, using the sequence numbers assigned to each entry.

37
Q

What command is used to apply port access control lists (PACLs) to interfaces?

A

ip access-group {access-list-number | access-list-name} in, entered on the Layer 2 interface (PACLs are inbound only)

38
Q

What are the main reasons you would implement the Cisco IOS control plane policing (CoPP) feature?

A

The Cisco IOS CoPP feature increases security on a router or switch by protecting the route processor (RP) from unnecessary or denial-of-service (DoS) traffic and by prioritizing important control plane and management traffic.

39
Q

Which command is used to verify service policy implementation on the control plane for CoPP?

A

show policy-map control-plane

40
Q

A wildcard mask bit 0 means what?

A

0 bit means check the corresponding bit value; these bit values must match.

41
Q

A wildcard mask bit 1 means what?

A

1 bit means ignore that corresponding bit value; these bit values need not match.

42
Q

Standard ACLs are numbered from what ranges?

A

1-99 or 1300-1999

43
Q

Standard IP access lists only check what?

A

source addresses

44
Q

Extended ACLs are numbered from what ranges?

A

100 to 199 or 2000 to 2699

45
Q

What are some of the packet details extended ACLs can check for?

A

Source and destination addresses and other IP packet data, such as protocols, TCP or UDP port numbers, type of service (ToS), precedence, TCP flags, and IP options.

46
Q

T/F: Named ACLs can be specified as either standard or extended, with the standard and extended keywords in the ip access-list command.

A

True

47
Q

What command would you use to apply an access-list on an interface?

A

ip access-group {access-list-number | access-list-name} {in | out}

48
Q

What are some features supported on named access lists but not on numbered?

A

IP options filtering

Noncontiguous ports

TCP flag filtering

Deletion of entries with the no permit or no deny command

49
Q

What provides the ability to perform access control on specific Layer 2 ports?

A

Port Access Control Lists (PACLs)

50
Q

What provides access control for all packets bridged within a VLAN or routed into or out of a VLAN?

A

VLAN Access Control Lists (VACLs)

51
Q

What is a VLAN access map?

A

A VLAN access map consists of one or more VLAN access map sequences, where each VLAN access map sequence consists of one match and one action statement.

52
Q

What command would you use to apply a VACL?

A

vlan filter vlan-access-map-name vlan-list vlan-list, for example:

vlan filter VACL_50 vlan-list 50

53
Q

How many access lists per protocol and per direction are allowed on an interface?

A

Only one access list per interface, per protocol, and per direction is allowed.

54
Q

Which of the following can a PACL be applied to? (Choose two.)

A. Layer 2 port

B. Layer 3 port

C. Trunk

D. VLAN

A

A and C are correct. A PACL can be applied to the Layer 2 port of a Catalyst switch, including a physical port or trunk port that belongs to a VLAN.
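An added example, not from the original deck, showing the three ACL placements the preceding cards describe: a named extended ACL as a router ACL, the same ACL as a PACL on a Layer 2 port, and a VACL built from an access map. Addresses, VLAN numbers, interface names and ACL names are assumptions.

```cisco
! Added example (not from the original deck). Addresses, VLAN numbers,
! interface names and ACL names are assumptions.

! Named extended ACL with explicit sequence numbers
ip access-list extended SERVER-IN
 10 permit tcp host 10.0.0.10 host 192.168.50.20 eq 22
 20 permit icmp 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255 echo
 30 deny   ip any any log
! Insert a second management host between 10 and 20 without rebuilding the
! list (the named-ACL advantage from card 36); resequence when gaps run out
ip access-list extended SERVER-IN
 15 permit tcp host 10.0.0.11 host 192.168.50.20 eq 22
ip access-list resequence SERVER-IN 10 10
! Line 30 only adds logging; the implicit "deny ip any any" is there regardless.
! First match wins: a packet matching line 10 never reaches line 30.

! Router ACL: one list per interface, per protocol, per direction
interface GigabitEthernet0/1
 ip access-group SERVER-IN in

! PACL: same syntax, but on a Layer 2 port and inbound only
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 50
 ip access-group SERVER-IN in

! VACL: the ACL only selects traffic; the access map decides the action.
! Each sequence is one match plus one action; anything no sequence matches
! is dropped, so sequence 20 forwards the remainder.
ip access-list extended VLAN50-TELNET
 permit tcp any any eq 23
vlan access-map VACL_50 10
 match ip address VLAN50-TELNET
 action drop
vlan access-map VACL_50 20
 action forward
vlan filter VACL_50 vlan-list 50
! Verify: show access-lists SERVER-IN / show vlan access-map / show vlan filter
```

Note the inversion in the VACL: a permit entry in VLAN50-TELNET means "this traffic matches sequence 10", and it is the action drop that discards it. Forgetting the trailing forward sequence silently drops all other traffic in the VLAN.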

55
Q

What is a Cisco IOS-wide feature that is designed to allow users to manage the flow of traffic handled by the route processor (RP) of a network device?

A

Control Plane Policing (CoPP)

56
Q

What is classified as control plane traffic?

A

Routing protocol traffic

Packets destined to the local IP address of the router

Simple Network Management Protocol (SNMP) packets

Interactive access protocol traffic, such as Secure Shell (SSH) and Telnet, traffic

Traffic related to protocols such as Internet Control Message Protocol (ICMP) or IP options that might also require handling by the device CPU

Layer 2 protocol packets such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) packets

57
Q

What CoPP construct is used to define a traffic class?

A

class-map

58
Q

What CoPP command is used to associate a traffic class with one or more QoS policies?

A

policy-map

59
Q

What command would you use to attach the service policy to the control plane interface?

A

The service-policy {input | output} policy-name command is used to attach a service policy to the control plane.

60
Q

What is the name of the CoPP construct that ties together predefined ACLs?

A

Class map. Class maps use created ACLs to match known protocols, addresses, IP precedence, DSCP values, CoS, and so on.

61
Q

True or false: The CoPP feature increases security on a router or switch by protecting the RP from unnecessary or denial-of-service (DoS) traffic.

A

True

62
Q

Which types of ACLs are applied in the Layer 2 switch environment? (Choose two.)

Standard ACLs

Extended ACLs

PACLs

VACLs

A

PACLs
VACLs

63
Q

What happens when a matching ACE is found in an ACL?

Action is taken, and processing is stopped on the remaining ACE.

Processing continues to the next ACE.

Regardless of matching statements, processing needs to go through all ACEs.

Processing continues through other ACEs when there is a permit statement

A

Action is taken, and processing is stopped on the remaining ACE.

64
Q

A VACL VLAN list can reference all except which of the following?

A single VLAN

A range of VLANs

A comma-separated list of multiple VLANs

Layer 2 ports

A

Layer 2 ports

65
Q

What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)

The login command is used to enable line password authentication.

The login command is used to enable username-based authentication.

The login local command is used to enable line and username-based authentication.

The login local command is used to enable username-based authentication.

A

The login command is used to enable line password authentication.

The login local command is used to enable username-based authentication.

66
Q

Which of these commands are available to a user logged in with privilege level 0? (Choose all that apply.)

disable

enable

show

configure terminal

exit

logout

A

disable

enable

exit

logout

67
Q

True or false: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.

A

False. By default AAA authorization is not applied to the console line; it must be enabled explicitly with aaa authorization console.

68
Q

Which of the following options describe ZBFW? (Choose two.)

Provides high security with stateless inspection functionality

Provides stateful firewall functionality

Is a network interface module

Is an integrated IOS solution

Is a security appliance similar to an ASA 5500-X

A

Provides stateful firewall functionality

Is an integrated IOS solution

69
Q

What are the two system-built zones for ZBFW? (Choose two.)

Inside zone

Twilight zone

System zone

Outside zone

Self zone

Default zone

A

Self zone and Default zone

70
Q

Which of the following features was developed specifically to protect the CPU of a router?

ZBFW

AAA

CoPP

ACLs

A

CoPP

71
Q

True or false: CoPP supports input and output policies to control inbound and outbound traffic.

A

True

72
Q

Name a feature that can be disabled to improve the overall security posture of a router.

A

LLDP (Link Layer Discovery Protocol), which advertises device details to neighbors; disable it globally with no lldp run, or at least on untrusted interfaces.

73
Q

When members of a Marketing team are allowed to access Facebook for marketing purposes, but are denied access to Facebook games, this is an example of which type of NGFW feature?

application visibility control

context awareness

intrusion prevention system

advanced malware protection

A

Context awareness. Context awareness controls who is connecting, to what, from where, using which device, at what time.

74
Q

Which module works with Cisco AnyConnect to enforce a policy for endpoints that connect to the network via remote-access VPNs?

Cisco WSA AnyConnect

Cisco ISE posture

Cisco ASA posture

Cisco Catalyst AnyConnect

A

Cisco ASA posture.

75
Q

Which IPS inspection method observes network traffic and acts if a network event outside normal network behavior is detected?

signature-based
policy-based
anomaly-based
protocol verification

A

anomaly-based

76
Q

Which IPS traffic inspection method observes patterns, traffic rates, protocol mix, and traffic volume over time to build a profile of normal behavior?

signature-based inspection
statistical anomaly detection
protocol verification
policy-based inspection

A

statistical anomaly detection

77
Q

Where do the Cisco AMP malware detection and analytics engines run?

in the client device
in a Cisco ASA appliance
in a Cisco ISE
in the Cisco Collective Security Intelligence Cloud

A

in the Cisco Collective Security Intelligence Cloud

78
Q

Which of the following are Cisco SAFE’s PINs in the network? (Choose all that apply.)

Internet
Data center
Branch office
Edge
Campus
Cloud
WAN

A

Data center
Branch office
Edge
Campus
Cloud
WAN

79
Q

Cisco SAFE includes which of the following secure domains? (Choose all that apply.)

Threat defense
Segmentation
Segregation
Compliance

A

Threat defense
Segmentation
Compliance

80
Q

Which of the following is the Cisco threat intelligence organization?

Cisco Stealthwatch
Cisco Threat Grid
Cisco Talos
Cisco Threat Research, Analysis, and Communications (TRAC) team

A

Cisco Talos

81
Q

What is the Threat Grid?

The Cisco threat intelligence organization
The Cisco sandbox malware analysis solution
The Cisco security framework
An aggregator of network telemetry data

A

The Cisco sandbox malware analysis solution

82
Q

Which of the following EAP methods supports EAP chaining?

EAP-TTLS
EAP-FAST
EAP-GTC
PEAP

A

EAP-FAST

83
Q

True or false: SGT tags extend all the way down to the endpoints.

A

False

84
Q

Which of the following three phases are defined by Cisco TrustSec? (Choose all that apply.)

Classification
Enforcement
Distribution
Aggregation
Propagation

A

Classification
Enforcement
Propagation

85
Q

What are the two MACsec keying mechanisms?

A

Security Association Protocol (SAP)
MACsec Key Agreement (MKA) protocol

86
Q

What is the proprietary Cisco keying protocol in MACsec used between Cisco switches?

A

Security Association Protocol (SAP)

87
Q

In MACsec, what provides the required session keys and manages the required encryption keys?

A

MACsec Key Agreement (MKA) protocol

88
Q

Which of the following password types is the weakest?

Type 5
Type 7
Type 8
Type 9

A

Type 7 (reversible obfuscation; types 5, 8, and 9 are one-way salted hashes)
