Answers to Practice Exam 2

1.

A, B, and E

2.

C

3.

C, D, and E

4.

False

5.

C and D

6.

A and B

7.

F

8.

C, B, and A

9.

A

10.

B

11.

C

12.

True

13.

A, B, C, and D

14.

C

15.

A, B, and D

16.

D

17.

3, 6, 1, 0, 7, 4, 5, 2

18.

B

19.

F

20.

A

21.

A

22.

1—A; 2—B; 3—A; 4—B; 5—C

23.

True

24.

Before and after

25.

False

26.

E

27.

C

28.

False

29.

B, A, and A

30.

A, B, C, and D

31.

C and D

32.

False

33.

A, C, D, and E

34.

B, C, and E

35.

A, B, and E

36.

A, B, C, D, and E

37.

1—A; 2—C; 3—B; 4—D

38.

A, B, and E

39.

True

40.

B

41.

C, D, and E

42.

D

43.

1—B; 2—D; 3—A; 4—C

44.

C

45.

A, B, and C

46.

B

47.

True

48.

C and D

49.

B and C

50.

C


Question 1

The correct answers are A, B, and E. Personal safety and physical plant security, while admirable goals, are not directly addressed when implementing network security.


Question 2

The correct answer is C. A and B are incorrect because they represent broad categories of attacks and not specific threats. Answer D is incorrect because a hacker is a type of attacker.


Question 3

Answers C, D, and E are correct. You might find these easier to remember with an acronym—PAT, as in with these in place, you can stand pat! Answer A is incorrect because user education is an example of administrative control. Answer B is incorrect because firewalls are an example of a technical control.


Question 4

False. It is precisely because hackers think outside the constraints of normal system behavior that we say they think “outside the box.”


Question 5

The correct answers are C and D. Social engineering and dumpster diving are considered to be attacks against confidentiality. SYN floods, MAC flooding, and DoS attacks can interrupt the continuous services offered by a data network and are thus considered availability attacks.


Question 6

The correct answers are A and B. Answer C is incorrect because Single Loss Expectancy (SLE) is the product of AV * EF. Answer D is incorrect as it is an invented term. Answer E, Return on Investment (ROI), is not part of the quantitative risk analysis formula.


Question 7

Answer F is correct. Answers A to E all represent some of the goals of network security testing according to Cisco.


Question 8

The correct answers, and in the right order, are C, B, and A. Answers D and E are made up.


Question 9

The correct answer is A. The other stakeholders listed in answers B, C, and D, while perhaps interested in an organization’s security, are not considered stakeholders because the policy is particular to the organization and not outsiders.


Question 10

The correct answer is B. This is a trick question because CSM can manage the Intrusion Detection System (IDS-2) module in the Catalyst 6500 series switch, but not the switch itself.


Question 11

The correct answer is C. Answers A and B have the right terms but not in the right order. Answer D is simply incorrect but tricky, because it uses the term DMZ in a misleading way.


Question 12

True.


Question 13

The correct answers are A, B, C, and D. Answer D is also correct because after logging into the view, only the commands specified will be authorized to be executed. You can see an example of this behavior below, where we see that a user cannot execute the copy running-config startup-config command because it is not in the list of authorized commands:

CiscoISR>enable view ISP
Password: hardtoguess
Apr 19 13:19:03.892: %PARSER-6-VIEW_SWITCH: successfully set to view 'ISP'
CiscoISR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
CiscoISR(config)#exit
CiscoISR#ping www.ciscopress.com
Translating "www.ciscopress.com"...domain server (206.248.154.22) [OK]
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 209.202.161.68, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms
CiscoISR#copy running-config startup-config
         ^
% Invalid input detected at '^' marker.
CiscoISR#



Question 14

The correct answer is C. Answer A is incorrect because the choices are in the wrong order. Answer B is incorrect, even though it is true that you use the virtual terminal lines (vtys) to access the router, plus “packet” is wrong anyway. Answer D is incorrect because the terms are deliberate red herrings for people who have studied AAA with Cisco security appliances.


Question 15

The correct answers are A, B, and D. Answer C is incorrect because it does not constitute a main AAA configuration task. Answer E is incorrect because AAA servers and clients authenticate using pre-shared keys and not digital certificates. (See Chapter 6, “Introducing Cryptographic Services,” for an explanation of authentication with digital certificates, as well as the Public Key Infrastructure (PKI) that manages digital certificates.)


Question 16

The correct answer is D. The other answers use terminology that doesn’t apply in this context.


Question 17

The correct matching of syslog severity names to levels is:

Errors: 3
Informational: 6
Alerts: 1
Emergencies: 0
Debugging: 7
Warnings: 4
Notifications: 5
Critical: 2
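The severity numbers above are the middle field of every IOS system message, such as the %PARSER-6-VIEW_SWITCH line in the Question 13 session. The following added example (not part of the original answer key) parses that %FACILITY-SEVERITY-MNEMONIC format, names the level, and keeps only messages at or below a chosen trap level, the way `logging trap <level>` selects what is forwarded to a syslog server; the sample log lines are constructed for the example.

```python
import re

# Cisco IOS syslog severity levels, most severe (0) to least severe (7),
# as matched in Question 17.
SEVERITY_NAMES = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}

# IOS system messages look like %FACILITY-SEVERITY-MNEMONIC: text,
# usually preceded by a timestamp.
_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

def parse_ios_message(line):
    """Return a dict describing the IOS system message in `line`, or None
    if the line is not in the %FACILITY-SEVERITY-MNEMONIC format."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }

def filter_by_trap_level(lines, trap_level):
    """Keep parsed messages whose severity number is <= trap_level.
    Lower numbers are more severe, so a trap level of 4 (warnings)
    keeps levels 0 through 4 and drops notifications and below."""
    kept = []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is not None and msg["severity"] <= trap_level:
            kept.append(msg)
    return kept

# Constructed sample lines; the first mirrors the view-switch message from Question 13.
SAMPLE_LOG = [
    "Apr 19 13:19:03.892: %PARSER-6-VIEW_SWITCH: successfully set to view 'ISP'",
    "Apr 19 13:20:11.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Apr 19 13:21:45.773: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Apr 19 13:22:02.118: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 10.0.0.5]",
    "Apr 19 13:22:30.500: not a system message",
]
```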


Question 18

The correct answer is B. The Cisco SDM and CLI are quite consistent; typically, you create a policy and then apply it somewhere or separately activate it. All that is accomplished in this screenshot is to activate the router’s SSH server. You have to separately enable it on the vtys. That is why answers A and E are incorrect. Answers C and D are incorrect because as soon as you press the Generate RSA Key button, the keys are generated and applied in the running-config. You do not have to separately press the Save button, as this simply saves the configuration to NVRAM. Similarly, the Refresh button only parses the router’s running-config in case changes have been made that are invisible to the SDM.


Question 19

The correct answer is F. The auto secure [no-interact] command, though roughly equivalent, has some more functionality than the Cisco SDM Security Audit feature. Use the no-interact option of the command to make auto secure work more like the One-step lockdown feature of the SDM.


Question 20

Answer A is correct. The device’s hostname and domain name must be configured, as these provide material for the public/private RSA key pair (see also Chapter 6, “Introducing Cryptographic Services”), which is required for the Secure Sockets Layer (SSL) encryption that SSH uses.


Question 21

The correct answer is A. Curiously, Cisco’s definition of a firewall is the vaguest of all of them. Essentially, anything that manages access by analyzing flows between two or more networks constitutes a firewall. Answer B is incorrect because it most closely resembles a definition for a stateful packet inspection (SPI) firewall and is too specific. Likewise, answer C is incorrect, as it defines a static packet filter like an IOS router with ACLs. Answer D is incorrect, again because it’s too specific.


Question 22

The correct answers are 1—A; 2—B; 3—A; 4—B; 5—C. Although a static packet-filtering firewall can filter on static packet (and segment) content up to layer 4, it will never be as smart as a dynamic packet-filtering firewall. Similarly, application layer gateways and application inspection firewalls both operate at up to layer 5, but an application inspection firewall is considered more intelligent because it analyzes application layer flows for standards compliance and can look for other protocols tunneled inside the application session. Good firewalls are typically a hybrid of the preceding firewall types.


Question 23

True. If a packet is encrypted, it will first be tested on the inbound ACL to determine whether encrypted packets are allowed. If it is allowed, the packet is decrypted before it is again tested on the inbound ACL.


Question 24

The correct answers are before and after, respectively. If there is an inbound ACL on an interface that is also part of a zone, the packet is tested on the ACL first, and if permitted is then tested on the ZPF policy. Similarly, if there is an outbound ACL on an interface, the packet is first tested on the ZPF policy, and if it is permitted, it is then tested on the outbound interface ACL.


Question 25

False. If one interface is in a zone and the other one isn’t, the traffic is dropped. This is an important feature of ZPF because an interface that isn’t in a zone cannot inadvertently pass traffic to an interface that is in a zone. The active directory server in the figure will not be able to initiate a connection out to the Internet Zone by default.


Question 26

The correct answer is E. In modern cryptosystems, the main area of vulnerability is the storage, generation, safeguarding, and transmission of encryption keys. The encryption algorithms (ciphers) themselves are not considered vulnerable, nor are hashes.


Question 27

The correct answer is C because 3DES has been used far longer than AES and has proven itself as a trusted cipher. Answer A is incorrect because even 128-bit AES is cryptographically stronger than 168-bit 3DES. Answer B is incorrect for two reasons: first, for the same reason that answer A is incorrect; and second, because AES can be configured to use 192- and 256-bit keys. Answer D is incorrect because AES is actually less computationally intensive than 3DES.


Question 28

False. This is a trick question; although TLS is the replacement for SSL, it stands for Transport Layer Security and not Transmission Level Security.


Question 29

The answers are B, A, and A respectively. Public keys are called public keys because they can be freely transmitted without compromising the cryptosystem; only the holder of the corresponding private key can decrypt messages that have been encrypted with the public key. This is why safeguarding the private key is essential—a compromised private key compromises the trustworthiness of the whole cryptosystem.


Question 30

The correct answers are A, B, C, and D.


Question 31

Answers C and D are correct. Answer A is incorrect because it is not a category as much as it is an implementation technology for site-to-site VPNs; it is not covered in this book in any case. Answers B and E are incorrect because these terms do not describe categories of VPNs.


Question 32

False. IKE Phase I Security Associations (SAs) are created to perform all negotiation and authentication between IPsec VPN peers. IKE Phase II SAs carry data only, using transform sets negotiated during IKE Phase I that can encrypt, verify, and authenticate the data.


Question 33

The correct answers (in order) are A, C, D, and E. Answer B is incorrect because a transform set is used to group a cipher and HMAC during IKE Phase II. Answer F is incorrect because it is a made-up term.


Question 34

The correct answers are B, C, and E. Answer A is incorrect because the “5” in the configuration represents Diffie-Hellman Group 5. Answer D is incorrect because AES stands for Advanced Encryption Standard. This is a bit of a trick question because if aes is chosen and not aes 192 or aes 256, a 128-bit cipher is specified. (See Table 7-5.)


Question 35

Answers A, B, and E are correct. Answer C is incorrect because the specified policy is a Phase I policy (per answer B) and not a Phase II transform set (watch the terminology!). Answer D is incorrect for the same reason: this is an IKE Phase II transform set, not IKE Phase I.


Question 36

The correct answers are A, B, C, D, and E.


Question 37

The correct answers are 1—A; 2—C; 3—B; 4—D.


Question 38

The correct answers are A, B, and E. Answers C and D are not correct because they comprise made-up terminology.


Question 39

True. Cisco makes this recommendation, suggesting this is a baseline for later tuning of the signatures.


Question 40

The correct answer is B. The other commands do not exist.


Question 41

The correct answers are C, D, and E. Perimeter security, while important, is not considered part of this strategy; thus, answer A is incorrect. Answer B is incorrect because end-user security is not part of this strategy. This answer is deliberately misleading as it sounds similar to endpoint and will trip someone who hasn’t studied the subject.


Question 42

The correct answer is D. Answer A is incorrect because storm control is a feature of switch security found in Chapter 10, “Protecting Switch Infrastructure.” It is misleading because it both sounds familiar and sounds right in this context. Buffer overflows cannot be prevented by the IOS IPS; therefore, answer B is incorrect. Answer C is incorrect because NAC has nothing to do with buffer overflow protection. Answer E is incorrect because Trend Micro’s attack signatures are used in network IPSs.


Question 43

The correct answers are 1—B; 2—D; 3—A; 4—C.


Question 44

The correct answer is C. Answer A is incorrect because employing VLANs is a strategy in LAN security. Answer B is incorrect because employing VSANs is part of zoning and thus not a main strategy. Answer D is incorrect because ZPF (Zone-Based Policy Firewall) is a network firewall security strategy described in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.” Answer E is a nice idea but incorrect in this context.


Question 45

The correct answers are A, B, and C. Answer D is incorrect because the use of VVLANs is not a feature specific to UCM. AVA does not exist; thus, answer E is also incorrect.


Question 46

Answer B is correct. Answers A, C, and E are incorrect because they are nonsensical. Answer D starts off making sense, and then quickly goes downhill as it doesn’t explain the general principle of a VLAN hopping attack.


Question 47

True. This is because a double-tagging VLAN hopping attack is unidirectional and works only if the attacker and the trunk port(s) are in the same native VLAN.


Question 48

The correct answers are C and D. Answers A and B are therefore incorrect in their interpretation of the commands.


Question 49

The correct answers are B and C. Answer B is a variation of the show port-security address command in answer C. Answer A is incorrect because the command doesn’t exist. Answer D is incorrect because this command does not display the port security settings of an interface. Answer E is incorrect because it will show you only the MAC addresses learned by the switch on a port but not the port security settings.


Question 50

The correct answer is C. The other answers are incorrect because these commands do not exist.
