Academic year: 2021

Cisco 640-554 IINS v2.0

Number: 640-554 Passing Score: 800 Time Limit: 120 min File Version: 1.0

Sections

1. Common Security Threats
2. Security and Cisco Routers
3. AAA
4. IOS ACLs
5. Secure Network Management and Reporting
6. Common Layer 2 Attacks
7. Cisco Firewall Technologies
8. Cisco IPS

Exam A

QUESTION 1

Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

A. Spam protection
B. Outbreak intelligence
C. HTTP and HTTPS scanning
D. Email encryption
E. DDoS protection

Correct Answer: AD

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

IronPort Email Security Appliances and IronPort Web Security Appliances (WSA): these appliances provide granular control of email and, in the case of web traffic and WSA, can track thousands of applications and enforce security policies to protect networks against threats.

QUESTION 2

Which two characteristics represent a blended threat? (Choose two.)

A. man-in-the-middle attack
B. trojan horse attack
C. pharming attack
D. denial of service attack
E. day zero attack

Correct Answer: BE

Section: 1. Common Security Threats

Explanation/Reference:

A blended threat typically includes:

More than one means of propagation -- for example, sending an email with a hybrid virus/worm that will self-replicate and also infect a Web server so that contagion will spread through all visitors to a particular site.

Exploitation of vulnerabilities which may be preexisting or may be caused by malware distributed as part of the attack.

The intent to cause real harm, for example, by launching a denial of service (DoS) attack against a target or delivering a Trojan horse that will be activated at some later date.

Automation that enables increasing contagion without requiring any user action.

To guard against blended threats, experts urge network administrators to be vigilant about patch management, use and maintain good firewall products, employ server software to detect malware, and educate users about proper e-mail handling and online behavior.

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

QUESTION 3

Which type of security control is defense in depth?

A. threat mitigation
B. risk analysis
C. botnet mitigation
D. overt and covert channels

Correct Answer: A

Section: 1. Common Security Threats

Explanation/Reference:

QUESTION 4

A. footprint analysis attack
B. privilege escalation attack
C. buffer Unicode attack
D. front door attacks
E. social engineering attack
F. Trojan horse attack

Correct Answer: ABEF

Section: 1. Common Security Threats

Explanation/Reference:

QUESTION 5

Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?

A. aaa accounting network start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+

Correct Answer: C

Section: 3.0 AAA

QUESTION 6

What is the best way to prevent a VLAN hopping attack?

A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BPDU guard.

Correct Answer: C

Section: 6. Common Layer 2 Attacks

Explanation/Reference:

QUESTION 7

If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?

A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonnegotiate

Correct Answer: D

Section: 6. Common Layer 2 Attacks

Explanation/Reference:

QUESTION 8

Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)

A. root guard
B. BPDU filtering

Correct Answer: AD

Section: 6. Common Layer 2 Attacks

Explanation/Reference:

The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.

The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.

QUESTION 9

Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)

A. IP source guard
B. port security
C. root guard
D. BPDU guard

Correct Answer: AB

Section: 6. Common Layer 2 Attacks

Explanation/Reference:

Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port. This also provides the ability to specify an action to take if a port security violation occurs.

IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on nonrouted Layer 2 interfaces. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-seriesswitches/72846-layer2-secftrs-catl3fixed.html#ipsourceguard

QUESTION 10

Which statement correctly describes the function of a private VLAN?

A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.

Correct Answer: A

Section: 6. Common Layer 2 Attacks

Explanation/Reference:

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus4000/nexus4000_i/sw/configuration/guide/rel_4_1_2_E1_1/n400xi_config/PrivateVLANs.html
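The isolation rules in the explanation above (promiscuous, isolated and community ports within one primary VLAN) can be checked against a planned port assignment before it is configured. The model below is an added example written for this page, not Cisco code; the port names and VLAN numbers in SAMPLE_PORTS are constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    """One switch port in a private VLAN domain."""
    name: str
    mode: str                       # "promiscuous", "isolated" or "community"
    primary: int                    # primary VLAN shared by the whole domain
    secondary: Optional[int] = None  # isolated or community VLAN; None on a promiscuous port

    def validate(self) -> None:
        if self.mode not in ("promiscuous", "isolated", "community"):
            raise ValueError(f"{self.name}: unknown port mode {self.mode!r}")
        if self.mode == "promiscuous" and self.secondary is not None:
            raise ValueError(f"{self.name}: a promiscuous port maps to the primary VLAN only")
        if self.mode != "promiscuous" and self.secondary is None:
            raise ValueError(f"{self.name}: a {self.mode} port needs a secondary VLAN")


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """Layer 2 reachability between two ports under private VLAN rules."""
    a.validate()
    b.validate()
    if a.primary != b.primary:
        return False                 # different private VLAN domains never share a broadcast domain
    if "promiscuous" in (a.mode, b.mode):
        return True                  # the promiscuous port (gateway) reaches every host in the domain
    if "isolated" in (a.mode, b.mode):
        return False                 # an isolated host reaches only the promiscuous port
    return a.secondary == b.secondary  # community hosts talk only within their own community VLAN


def reachability(ports: Iterable[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Every unordered pair of ports with its reachability verdict."""
    return {(a.name, b.name): can_communicate(a, b) for a, b in combinations(list(ports), 2)}


def peers(ports: Iterable[PvlanPort], name: str) -> List[str]:
    """Sorted names of the ports that the named port can exchange frames with."""
    ports = list(ports)
    me = next(p for p in ports if p.name == name)
    return sorted(p.name for p in ports if p.name != name and can_communicate(me, p))


# Constructed sample: one domain (primary 100) with an isolated VLAN 101 and two
# community VLANs 102 and 103, plus a promiscuous port in an unrelated domain 200.
SAMPLE_PORTS = [
    PvlanPort("gateway", "promiscuous", 100),
    PvlanPort("web1", "isolated", 100, 101),
    PvlanPort("web2", "isolated", 100, 101),
    PvlanPort("app1", "community", 100, 102),
    PvlanPort("app2", "community", 100, 102),
    PvlanPort("db1", "community", 100, 103),
    PvlanPort("other", "promiscuous", 200),
]

if __name__ == "__main__":
    for pair, ok in reachability(SAMPLE_PORTS).items():
        print(f"{pair[0]:>8} <-> {pair[1]:<8} {'reachable' if ok else 'blocked'}")
```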

QUESTION 11

What are two primary attack methods of VLAN hopping? (Choose two.)

A. VoIP hopping
B. switch spoofing
C. CAM-table overflow
D. double tagging

Correct Answer: BD

Section: 6. Common Layer 2 Attacks

Explanation/Reference:

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.

VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown below. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10

QUESTION 12

With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)

B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic

Correct Answer: BCD

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

QUESTION 13

Which two services are provided by IPsec? (Choose two.)

A. Confidentiality
B. Encapsulating Security Payload
C. Data Integrity
D. Authentication Header
E. Internet Key Exchange

Correct Answer: AC

Section: 9.0 VPN Technologies

Explanation/Reference:

QUESTION 14

Which command verifies phase 2 of an IPsec VPN on a Cisco router?

A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa

Correct Answer: B

Section: 9.0 VPN Technologies

Explanation/Reference:

The main commands for verifying IPsec connections on Cisco routers are:

show crypto isakmp sa: shows IKE Phase 1.

show crypto ipsec sa: shows IKE Phase 2. Will show the details from the crypto map, even when the tunnel is down.

show crypto session: will show as DOWN when the IPsec connection hasn't been made. Shows everything.

QUESTION 15

Which three protocols are supported by management plane protection? (Choose three.)

A. SNMP
B. SMTP
C. SSH
D. OSPF
E. HTTPS
F. EIGRP

Correct Answer: ACE

Section: 5. Secure Network Management and Reporting

Explanation/Reference:

QUESTION 16

Which statement about rule-based policies in Cisco Security Manager is true?

B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.
C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.
D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.

Correct Answer: B

Section: 2. Security and Cisco Routers

Explanation/Reference:

Rule-Based Policies

Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and inspection rules defined as part of a firewall service. Rule-based policies can contain hundreds or even thousands of rules arranged in a table, each defining different values for the same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first rule whose definition matches the flow (known as first matching).

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/poman.html

Understanding Policies

In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by defining policies on devices (which includes individual devices, service modules, security contexts, and virtual sensors) and VPN topologies (which are made up of multiple devices), and then deploying the configurations defined by these policies to these devices.

Several types of policies might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure multiple policies, such as IPsec, IKE, GRE, and so forth.

Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the device.

Settings-Based Policies vs. Rule-Based Policies

Settings-Based Policies

Settings-based policies contain sets of related parameters that together define one aspect of security or device operation. For example, when you configure a Cisco IOS router, you can define a quality of service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on which QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based policies, which can contain hundreds of rules containing values for the same set of parameters, you can define only one set of parameters for each settings-based policy defined on a device.

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/poman.html#pgfId-508714

QUESTION 17

Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?

A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius

Correct Answer: C

Section: 3.0 AAA

Explanation/Reference:

QUESTION 18

Which option provides the most secure method to deliver alerts on an IPS?

A. IME
D. syslog

Correct Answer: C

Section: 8.0 Cisco IPS

Explanation/Reference:

QUESTION 19

Which syslog level is associated with LOG_WARNING?

A. 1
D. 4
E. 5
F. 6

Correct Answer: D

Section: 5. Secure Network Management and Reporting

Explanation/Reference:

Syslog levels

QUESTION 20

Scenario:

What is included in the Network Object Group INSIDE? (Choose two.)

A. Host 74.125.224.176
C. Network 10.0.10.0/24
D. Host 74.125.224.179
E. Network 192.168.1.0/8

Correct Answer: AD

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

Can't answer from this description/image

QUESTION 21

Which represents a unique link-local address (IPv6)?

A. FEB0::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32

Correct Answer: A

Section: 2. Security and Cisco Routers

Explanation/Reference:

2002::/16 is for 6to4 tunnels. FEB0::/8 would be the correct answer then. FE80:: FE90:: FEA0:: FEB0::

QUESTION 22

How many class maps can be configured on a (router) interface?

A. 1
C. 3
D. 4

Correct Answer: A

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

I think this question is actually about policy maps. You can configure a single service policy on an interface; this service policy references a policy map.

A policy map can reference up to 64 class maps, which is the limit of class maps that can be created.

QUESTION 23

Which command initializes a lawful intercept view?

A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive

Correct Answer: C

Section: 3.0 AAA

Explanation/Reference:

Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.

SUMMARY STEPS

1. enable view
2. configure terminal
3. li-view li-password user username password password
4. username lawful-intercept [name] [privilege privilege-level | view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name

DETAILED STEPS

Step 1: Router> enable view
Enables root view. Enter your privilege level 15 password (for example, the root password) if prompted.

Step 2: Router# configure terminal
Enters global configuration mode.

Step 3: li-view li-password user username password password
Example: Router(config)# li-view lipass user li_admin password li_adminpass
Initializes a lawful intercept view with a password of lipass and a user of li_admin whose password is li_adminpass. After the li-view is initialized, you must specify at least one user via the user username password password options.

Step 4: username lawful-intercept [name] [privilege privilege-level | view view-name] password password
Example: Router(config)# username lawful-intercept li-user1 password li-user1pass
Configures lawful intercept users on a Cisco device.

http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_role_base_cli.html

QUESTION 24

Which NAT types are used for ASA in transparent mode?

A. Static NAT
D. Dynamic PAT

Correct Answer: A

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

With a transparent firewall, we still have two interfaces, but we do not assign IP addresses to those interfaces, and those two interfaces act more like a bridge (or a switch with two ports in the same VLAN). Traffic from one segment of a given subnet is going to be forced through the transparent firewall if those frames want to reach the second segment behind the firewall. A transparent firewall has a management IP address so that we can remotely access it, but that is all. Users accessing resources through the firewall will not be aware that it is even present, and one of the biggest advantages of using a transparent firewall is that we do not have to re-address our IP subnets to put a transparent firewall in-line on the network.

QUESTION 25

Which 3 RADIUS server authentication protocols are supported on Cisco ASA firewalls?

A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

Correct Answer: CEF

Section: 3.0 AAA

Explanation/Reference:

Supported Authentication Methods

The ASA supports the following authentication methods with RADIUS servers:

PAP—For all connection types.

CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.

MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.

To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html

QUESTION 26

Which wildcard mask is associated with a subnet mask of /27?

A. 0.0.0.31
B. 0.0.0.224
C. 0.0.223.255
D. 0.0.0.27

Correct Answer: A

Section: 7. Cisco Firewall Technologies

Explanation/Reference:
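The /27 wildcard in this question is the bitwise inverse of the subnet mask, and IOS ACLs use the same "0 = must match, 1 = don't care" bit semantics when matching addresses (distractor B, 0.0.0.224, is the subnet mask's last octet, not the wildcard). The helper below is an added example written for this page, not Cisco code; it converts prefix lengths to wildcards and evaluates a standard numbered ACL with first-match semantics and the implicit deny at the end. SAMPLE_ACL is a constructed ACL.

```python
import re
from typing import Iterable, List, Tuple

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_DOTTED = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
_ACE = re.compile(r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<target>.+?)\s*$")


def dotted_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input such as 0.0.256.1."""
    if not _DOTTED.match(addr):
        raise ValueError(f"not a dotted-quad address: {addr!r}")
    value = 0
    for octet in addr.split("."):
        value = (value << 8) | int(octet)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_wildcard(prefix_len: int) -> str:
    """Wildcard mask for a CIDR prefix: /27 -> mask 255.255.255.224 -> wildcard 0.0.0.31."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return int_to_dotted(subnet_mask ^ 0xFFFFFFFF)


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: bits that are 0 in the wildcard must be equal, bits that are 1 are ignored.
    Wildcards need not be contiguous in IOS (0.0.2.255 is legal), so this does not assume a prefix."""
    care = dotted_to_int(wildcard) ^ 0xFFFFFFFF
    return (dotted_to_int(addr) ^ dotted_to_int(base)) & care == 0


def parse_standard_acl(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse 'access-list N permit|deny <any | host A | A W | A>' lines into (action, base, wildcard)."""
    entries = []
    for line in lines:
        m = _ACE.match(line.strip())
        if not m:
            continue  # blank line or comment
        target = m["target"].split()
        if target == ["any"]:
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif len(target) == 2 and target[0] == "host":
            base, wildcard = target[1], "0.0.0.0"
        elif len(target) == 2:
            base, wildcard = target
        elif len(target) == 1:
            base, wildcard = target[0], "0.0.0.0"  # a bare address is a host match in IOS
        else:
            raise ValueError(f"cannot parse ACE: {line!r}")
        dotted_to_int(base), dotted_to_int(wildcard)  # validate both fields early
        entries.append((m["action"], base, wildcard))
    return entries


def evaluate(entries: List[Tuple[str, str, str]], addr: str) -> str:
    """First matching entry wins (top-down); anything unmatched hits the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_matches(addr, base, wildcard):
            return action
    return "deny"


# Constructed sample ACL: the /27 at the top is permitted, the rest of the /24 is denied,
# one host in 10.0.10.0/24 is singled out before the network-wide permit.
SAMPLE_ACL = """\
access-list 10 permit 192.168.1.0 0.0.0.31
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 deny host 10.0.10.7
access-list 10 permit 10.0.10.0 0.0.0.255
"""

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL.splitlines())
    for ip in ("192.168.1.20", "192.168.1.40", "10.0.10.7", "10.0.10.8", "172.16.0.1"):
        print(f"{ip:<14} -> {evaluate(acl, ip)}")
```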

QUESTION 27

What does NTP authenticate?

A. Client's device and time source
B. Time source only
C. Client's device only
D. Firewall and client's device

Correct Answer: B

Section: 5. Secure Network Management and Reporting

Explanation/Reference:

QUESTION 28

A. Proxy
B. State
C. Asa
D. Application

Correct Answer: A

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

QUESTION 29

What encryption does Cisco use to protect image downloading?

A. Sha1
B. Sha2
C. Md5
D. Md1

Correct Answer: C

Section: 8.0 Cisco IPS

Explanation/Reference:

This is referring to the hash that Cisco uses to allow customers to confirm the download of Cisco software, including the IPS signature files.

QUESTION 30

Explanation/Reference:

The TACACS+ timeout can be set globally or per server.

Configuring the Global TACACS+ Timeout Interval

You can set a global timeout interval that the Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the Nexus 5000 Series switch waits for responses from TACACS+ servers before declaring a timeout failure.

Step 1: switch# configure terminal
Enters configuration mode.

Step 2: switch(config)# tacacs-server timeout seconds
Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.

Optional, per server: switch(config)# tacacs-server host { ipv4-address | ipv6-address | host-name } timeout seconds
Specifies the timeout interval for a specific server. The default is the global value.

Note: The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.

Step 3: switch(config)# exit
Exits configuration mode.

Step 4: switch# show tacacs-server
(Optional) Displays the TACACS+ server configuration.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_tacacsplus.html#pgfId-1272743

QUESTION 31

Explanation/Reference:

When using HMAC (Hashed Message Authentication Code), we combine the integrity checking capability of the hashing algorithm with authentication by use of a shared key.

QUESTION 32

How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?

A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode

Correct Answer: C

Section: 9.0 VPN Technologies

Explanation/Reference:

Enabling Permanent Client Installation

Enabling permanent client installation disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user.

To enable permanent client installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes:

svc keep-installer installed

The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session. The following example configures the existing group-policy sales to remove the client on the remote computer at the end of the session:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc keep-installer installed none

QUESTION 33

You are the network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.)

Feb 1 10:12.08 PST:%SYS-5-CONFIG_I:Configured from console by vty0 (10.2.2.6)

B. this is a normal system-generated information message and does not require further investigation
C. this message is unimportant and can be ignored
D. this message is a level 5 notification message

Correct Answer: AD

Section: 5. Secure Network Management and Reporting

Explanation/Reference:

QUESTION 34

A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?

A. Ensure that the RDP2 plug-in is installed on the VPN gateway
B. Reboot the VPN gateway
C. Instruct the user to reconnect to the VPN gateway
D. Ensure that the RDP plug-in is installed on the VPN gateway

Correct Answer: A

Section: 9.0 VPN Technologies

Explanation/Reference:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113600-technote-product-00.html

QUESTION 35

Which tasks is the session management path responsible for? (Choose three.)

A. Performing the access list checks
B. Performing route lookups
C. Allocating NAT translations (xlates)
D. Session Lookup
E. TCP Sequence Number Check

Correct Answer: ABC

Section: 7. Cisco Firewall Technologies

Explanation/Reference:

Establishing sessions in the "fast path" (this last option was not in the exam but is good to know).

A stateful firewall like the ASA, however, takes into consideration the state of a packet:

• Is this a new connection?

If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the "session management path," and depending on the type of traffic, it might also pass through the "control plane path."

The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the "fast path"

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

• Is this an established connection?

If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the "fast" path in both directions. The fast path is responsible for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/intro.html#wp1047294

QUESTION 36

Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?

A. Report Manager
C. Policy Manager
D. Event Manager

Correct Answer: B

Section: 2. Security and Cisco Routers

Explanation/Reference:

"Report Manager – Collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods."

and

"Health and Performance Monitor (HPM) – Monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices."

http://www.cisco.com/c/en/us/products/collateral/security/security-manager/datasheet-c78-735775.html

QUESTION 37

What best describes transport mode in VPN? (Choose 3)

A. support multicast
B. support unicast
C. used between hosts
D. used between gateways
E. used between gateway and host

Correct Answer: BDE

Section: 9.0 VPN Technologies

Explanation/Reference:

There are two main types of VPN, with numerous subcategories.

Remote Access

IPSec

QUESTION 38

Which three features are for data plane protection? (Choose three.)

A. policing
B. ACL
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping

Correct Answer: BDF

Section: 2. Security and Cisco Routers

Explanation/Reference:

Data Plane Security
• Access control lists
• Private VLAN
• Firewalling
• Intrusion Prevention System (IPS)

Layer 2 Data Plane Protection
• Port security prevents MAC flooding attacks.
• DHCP snooping prevents client attacks on the DHCP server and switch.
• Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
• IP Source Guard prevents IP spoofing addresses by using the DHCP snooping table.

Data Plane Security

Data plane security can be implemented using the following features:

Access control lists

Access control lists (ACLs) perform packet filtering to control which packets move through the network and where.

Antispoofing

ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.

Layer 2 security features

ACLs

ACLs are used to secure the data plane in a variety of ways, including the following:

Block unwanted traffic or users

ACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses, destination addresses, or user authentication.

Reduce the chance of DoS attacks

ACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with requests for a connection.

Mitigate spoofing attacks

ACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.

Provide bandwidth control

ACLs on a slow link can prevent excess traffic.

Classify traffic to protect other planes

ACLs can be applied on vty lines (management plane).

ACLs can control routing updates being sent, received, or redistributed (control plane).

Antispoofing

Implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresses which could be traced to the originator of an attack.

Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.

Layer 2 Data Plane Protection

The following are Layer 2 security tools integrated into the Cisco Catalyst switches:

Port security

Prevents MAC address spoofing and MAC address flooding attacks

DHCP snooping

Prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch

Dynamic ARP inspection (DAI)

Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks

IP source guard

Prevents IP address spoofing by using the DHCP snooping binding table

QUESTION 39

On which Cisco Configuration Professional screen do you enable AAA?

A. AAA Summary

Correct Answer: A
Section: 3.0 AAA
Explanation

Explanation/Reference:

QUESTION 40

Which command changes a Layer 2 switch port into a Layer 3 routed port?

A. no switchport
B. switchport port-security
C. ip routing
D. sdm prefer lanbase-routing

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

no switchport removes the Layer 2 configuration from the interface so that an IP address can be assigned to it directly. ip routing only enables the routing process on the switch, and sdm prefer lanbase-routing only reallocates TCAM resources so that routing is possible on some Catalyst platforms; neither converts an individual port.

QUESTION 41

Where is the best place to place the IPS inline?

A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuous, behind
D. Promiscuous, before

Correct Answer: A
Section: 8.0 Cisco IPS
Explanation

Explanation/Reference:

QUESTION 42

A. Warning
B. Debug
C. Critical
D. Emergency
E. Notice
F. Error

Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation

Explanation/Reference:

Syslog severity levels (0 is the most severe; configuring a level logs that level and everything more severe):

0 emergencies
1 alerts
2 critical
3 errors
4 warnings
5 notifications
6 informational
7 debugging

QUESTION 43

Which statement about the role-based CLI access views on a Cisco router is true?

B. The maximum number of configurable CLI access views is 10, including one superview.
C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.

Correct Answer: C

Section: 2. Security and Cisco Routers
Explanation

Explanation/Reference:

Restrictions for Role-Based CLI Access Lawful Intercept Images Limitation

Because CLI views are a part of the Cisco IOS parser, CLI views are a part of all platforms and Cisco IOS images. However, the lawful intercept view is available only in images that contain the lawful intercept subsystem.

Maximum Number of Allowed Views

The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include the root view.)
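A complete IOS configuration that puts these restrictions into practice, added here as an example; it is not from the original page or from the Cisco document referenced below. The view name NETOPS, the secrets and the username are assumptions. Each parser view created this way counts toward the limit of 15 described above.

```cisco
! Role-based CLI requires AAA. Views cannot be created until aaa new-model is on
! and you are in the root view, which is entered with the enable secret.
aaa new-model
enable secret Root-Secret-Replace-Me
!
! EXEC mode: enter the root view (prompts for the enable secret), then configure.
enable view
configure terminal
!
! A monitoring-only view: show commands plus ping/traceroute, no configuration mode.
! "include all" grants every subcommand under "show ip".
parser view NETOPS
 secret NetOps-View-Secret-Replace-Me
 commands exec include show version
 commands exec include show running-config
 commands exec include all show ip
 commands exec include ping
 commands exec include traceroute
!
! Bind a local user to the view so a login lands in NETOPS directly
! instead of in privilege level 1.
username netops view NETOPS secret NetOps-User-Secret-Replace-Me
end
!
! Verification. From the root view, list every configured view; from inside a
! session, "show parser view" prints the view you are currently in.
show parser view all
show parser view
```

A user in NETOPS who types configure terminal is told the command is not recognised, because the view only exposes the commands listed; the root view and privilege level 15 are unaffected.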

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

QUESTION 44

Which Cisco Security Manager feature enables the configuration of unsupported device features?

A. Deployment Manager
B. FlexConfig
C. Policy Object Manager
D. Configuration Manager

Correct Answer: B

Section: 2. Security and Cisco Routers
Explanation

Explanation/Reference:

FlexConfig policies let you push CLI commands that Security Manager does not model natively, so device features it does not otherwise support can still be deployed from it.

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/tmplchap.html#20503

QUESTION 45

Which statement about IPv6 address allocation is true?

A. IPv6-enabled devices can be assigned only one IPv6 IP address.
B. A DHCP server is required to allocate IPv6 IP addresses.
C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses.
D. ULA addressing is required for Internet connectivity.

Correct Answer: C

Section: 2. Security and Cisco Routers
Explanation

Explanation/Reference:

A major difference between IPv4 and IPv6 is that an IPv6-capable interface is expected to have more than one IPv6 address. Most interfaces have at least a link-local address (fe80::/10) plus a global unicast address (2000::/3, which today means addresses starting with 2xxx or 3xxx) and possibly a unique local address (fc00::/7). Addresses can be assigned statically, by SLAAC or by DHCPv6, so a DHCP server is not required, and unique local addresses are not routable on the Internet.

QUESTION 46

Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?

A. aaa authentication enable console LOCAL SERVER_GROUP
B. aaa authentication enable console SERVER_GROUP LOCAL
C. aaa authentication enable console local
D. aaa authentication enable console LOCAL

Correct Answer: D


Explanation

Explanation/Reference:

The syntax to create an AAA authentication policy on IOS is aaa authentication [type] [name] [method list]; if only one method is specified, there is no fallback.

This question, however, is about the ASA, which uses a slightly different syntax. The aaa authentication enable console policy applies to users who are already at the CLI and issue the enable command to reach the privileged prompt. LOCAL is case sensitive on the ASA, so option C (lowercase local) is not accepted, and options A and B list two methods and therefore define a fallback.

http://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=3

Explanation:

To authenticate users who access the adaptive security appliance CLI over a serial, SSH, HTTPS (ASDM), or Telnet connection, or to authenticate users who access privileged EXEC mode using the enable command, use the aaa authentication console command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
no aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}

Syntax Description

enable Authenticates users who access privileged EXEC mode when they use the enable command.

http Authenticates ASDM users who access the adaptive security appliance over HTTPS. You only need to configure HTTPS authentication if you want to use a RADIUS or TACACS+ server. By default, ASDM uses the local database for authentication even if you do not configure this command.

LOCAL Uses the local database for authentication. LOCAL is case sensitive. If the local database is empty, the following warning message appears: Warning:local database is empty! Use 'username' command to define local users. If the local database becomes empty when LOCAL is still present in the configuration, the following warning message appears:

Warning:Local user database is empty and there are still commands using 'LOCAL' for authentication.

server-tag [LOCAL] Specifies the AAA server group tag defined by the aaa-server command.


serial Authenticates users who access the adaptive security appliance using the serial console port.
ssh Authenticates users who access the adaptive security appliance using SSH.
telnet Authenticates users who access the adaptive security appliance using Telnet.

Defaults

By default, fallback to the local database is disabled.

If the aaa authentication telnet console command is not defined, you can gain access to the adaptive security appliance CLI with the adaptive security appliance login password (set with the password command).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1555520

QUESTION 47

Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method?

A. aaa authorization exec default group tacacs+ none
B. aaa authorization network default group tacacs+ none
C. aaa authorization network default group tacacs+
D. aaa authorization network default group tacacs+ local

Correct Answer: C

Section: 3.0 AAA
Explanation

Explanation/Reference:

On a Cisco IOS router, the syntax to define new-model AAA authorization policies is aaa authorization [type] [name] [method-list].

The method list can name several methods to try, for example group tacacs+, group radius, local, if-authenticated or none (none always succeeds, which makes it a dangerous fallback). The methods are tried in the order listed. If a method returns an error because it is unreachable (for example, the router cannot connect to the TACACS+ server), the next method is tried, which provides the fallback.

A FAILED authorization (the server answered and rejected the request) does not try the next method.


The question asks about network services, so the type must be aaa authorization network, and only one of those answers lists a single method:

aaa authorization network default group tacacs+

QUESTION 48

Which three statements about RADIUS are true? (Choose three.)

A. RADIUS uses TCP port 49.
B. RADIUS uses UDP ports 1645 or 1812.
C. RADIUS encrypts the entire packet.
D. RADIUS encrypts only the password in the Access-Request packet.
E. RADIUS is a Cisco proprietary technology.
F. RADIUS is an open standard.

Correct Answer: BDF

Section: 3.0 AAA
Explanation

Explanation/Reference:

RADIUS (RFC 2865) is an open standard that runs over UDP: port 1812 for authentication and 1813 for accounting, or the legacy ports 1645 and 1646. It obfuscates only the User-Password attribute in the Access-Request; the rest of the packet, including usernames and accounting data, travels in clear text. The false statements describe TACACS+, which is Cisco proprietary, uses TCP port 49 and encrypts the entire packet body.

QUESTION 49

Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?

A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius

Correct Answer: C

Section: 3.0 AAA
Explanation

Explanation/Reference:


The accounting types are:

system: To create a method list that provides accounting for all system-level events not associated with users, such as reloads, use the system keyword. This is the type the question asks for.

network: To create a method list that provides accounting for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARA protocols), use the network keyword. For example, to create a method list that provides accounting information for ARAP (network) sessions, use the arap keyword.

exec: To create a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword.

commands: To create a method list that provides accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword.

connection: To create a method list that provides accounting information about all outbound connections made from the network access server, use the connection keyword.

resource: Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html#wp1000952

QUESTION 50

Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)

A. start-stop
B. stop-record
C. stop-only
D. stop

Correct Answer: AC
Section: 3.0 AAA
Explanation

Explanation/Reference:

The general syntax for accounting is:

Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]

We can account for start and stop, or for stop only.
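The commands from Questions 47, 49 and 50 placed in one complete IOS AAA configuration, with a TACACS+ group for administrative access and RADIUS for accounting; this is an added example and is not from the original page or the referenced Cisco guide. Server addresses (RFC 5737 documentation range), keys and user names are assumptions. The fallback rule explained under Question 47 is what makes the ordering safe here: local is consulted only when every TACACS+ server is unreachable, never when a server rejects the user.

```cisco
aaa new-model
!
! A local administrator so that an unreachable TACACS+ server cannot lock you out.
enable secret Enable-Secret-Replace-Me
username admin privilege 15 secret Admin-Secret-Replace-Me
!
! AAA servers. "group tacacs+" and "group radius" refer to all servers of that protocol.
tacacs server ACS1
 address ipv4 192.0.2.10
 key TacacsKey-Replace-Me
radius server ISE1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key RadiusKey-Replace-Me
!
! Authentication: TACACS+ first; fall back to the local database only on server ERROR.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization. Network services (PPP and similar) strictly via TACACS+: a single
! method, so there is no fallback (Question 47, answer C). EXEC and per-command
! authorization keep a local fallback so the admin account above still works.
aaa authorization network default group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting. "system" records device-level events such as reloads (Question 49,
! answer C). start-stop sends a record at session start and at the end, stop-only
! sends one at the end (Question 50). Command accounting requires TACACS+; RADIUS
! has no equivalent.
aaa accounting system default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
line vty 0 4
 transport input ssh
!
! Verification: server state, then a live test of the method list with the local admin.
show aaa servers
test aaa group tacacs+ admin Admin-Secret-Replace-Me legacy
```

Leave the console session open while you apply this and test from a second SSH session: once aaa new-model is on, the lines use the default login list, and a typo in the server key or address shows up as an ERROR that silently falls back to local, which you will only notice in show aaa servers.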

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html

QUESTION 51


A. aaa configuration
B. no aaa-configuration
C. no aaa new-model
D. aaa new-model

Correct Answer: D
Section: 3.0 AAA
Explanation

Explanation/Reference:

When setting up remote AAA, aaa new-model must be turned on first. Be aware that this disables the default login behaviour of the vty and console lines (they switch to the default AAA login method list), so define a working method list and a local fallback user before you log out.

QUESTION 52

Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)

A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

Correct Answer: BCE
Section: 3.0 AAA
Explanation

Explanation/Reference:

TACACS+ Server Support

The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html

QUESTION 53

What is the default privilege level for a new user account on a Cisco ASA firewall?

A. 0
C. 2
D. 15

Correct Answer: C

Section: 2. Security and Cisco Routers
Explanation

Explanation/Reference:

Like Cisco IOS devices, the ASA has 16 privilege levels, from 0 to 15. The default privilege level for a user created with the username command is 2.

On IOS, the default privilege level for a new user is 1.

Authenticating Users Using the Login Command

From user EXEC mode, you can log in as any username in the local database using the login command.

This feature allows users to log in with their own username and password to access privileged EXEC mode, so you do not have to give out the system enable password to everyone. To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the "Configuring Local Command Authorization" section for more information.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/mgaccess.html#wp1042028

QUESTION 54

Which statement about ACL operations is true?

A. The access list is evaluated in its entirety.
B. The access list is evaluated one access-control entry at a time.
C. The access list is evaluated by the most specific entry.
D. The default explicit deny at the end of an access list causes all packets to be dropped.

Correct Answer: B

Section: 4. IOS ACLs
Explanation

Explanation/Reference:

An access list is a series of entries (access control entries). Entries are processed in order, top down, and the first entry that matches the packet determines the action; no further entries are checked, and a more specific entry lower in the list never overrides an earlier, broader match. If no entry matches, the implicit deny at the end drops the packet, which is why a list that contains only deny statements drops everything.

QUESTION 55

Which three statements about access lists are true? (Choose three.)

A. Extended access lists should be placed as near as possible to the destination.
B. Extended access lists should be placed as near as possible to the source.
C. Standard access lists should be placed as near as possible to the destination.
D. Standard access lists should be placed as near as possible to the source.
E. Standard access lists filter on the source address.
F. Standard access lists filter on the destination address.

Correct Answer: BCE

Section: 4. IOS ACLs
Explanation

Explanation/Reference:

ACL best practices:

Standard ACLs can filter only on the source IP address. They should be placed closest to the destination, because close to the source they would block that source's traffic to every destination, not just the one you intend.

Extended ACLs can filter on protocol, source and/or destination IP address, and TCP or UDP port. They should be placed as close to the source as possible so that unwanted traffic is dropped before it consumes bandwidth on the path.

QUESTION 56

Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks?

A. router(config)# ip tcp intercept mode intercept
B. router(config)# ip tcp intercept mode watch
C. router(config)# ip tcp intercept max-incomplete high 100
D. router(config)# ip tcp intercept drop-mode random

Correct Answer: A

Section: 1. Common Security Threats
Explanation


About TCP Intercept

The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack. A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.

The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list.

The basic configuration requires setting up an ACL that is used to "watch" incoming TCP traffic.

Step 1

Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard

Defines an IP extended access list.

Step 2

Router(config)# ip tcp intercept list access-list-number

Enables TCP intercept.

Step 3 (Optional)

Router(config)# ip tcp intercept mode {intercept | watch}

Sets the mode to intercept or watch. The default is intercept: the router answers the client's SYN on the server's behalf and opens the server-side connection only once the client completes the handshake. In watch mode the router lets the SYN through passively and resets the connection if the server does not see it completed within the watch timeout. You can also modify the following:

Setting the TCP Intercept Drop Mode (Optional)
Changing the TCP Intercept Timers (Optional)
Changing the TCP Intercept Aggressive Thresholds (Optional)
Monitoring and Maintaining TCP Intercept (Optional)
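The three steps above assembled into one working configuration, added as an example that is not part of the original page or the Cisco guide it links to. The public server block 203.0.113.0/24 (an RFC 5737 documentation prefix) and the threshold values are assumptions; tune the thresholds to your real connection rate. Only traffic matching the ACL is ever intercepted, which is why the ACL matches on destination only.

```cisco
! Step 1: an extended ACL that selects connections TO the protected servers only.
! Source is "any" (a SYN flood uses unpredictable, spoofed sources); the destination
! is our server block, so unrelated transit traffic is never touched.
access-list 120 permit tcp any 203.0.113.0 0.0.0.255
!
! Step 2: enable TCP intercept for traffic matching the ACL.
ip tcp intercept list 120
!
! Step 3 (optional): watch mode lets SYNs through and resets connections the server
! does not complete within the watch timeout; intercept mode (the default) proxies the
! three-way handshake itself. Watch mode costs the router far less CPU.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive-mode thresholds: above "high" the router shortens its timers and starts
! dropping half-open connections until the count falls back below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! Which half-open connection to drop first. "oldest" is the default; "random" is
! harder for an attacker to game by continually refreshing the oldest SYNs.
ip tcp intercept drop-mode random
!
! Verification
show tcp intercept connections
show tcp intercept statistics
```

Under a real flood the "statistics" output shows the half-open count and whether aggressive mode is active; if legitimate users report resets, the watch-timeout or the low/high thresholds are set too tight for the server's normal handshake latency.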

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html

QUESTION 57


C. access-list 128 deny ip 10.0.0.0 0.255.255.255 any
D. access-list 128 deny ip 192.168.0.0 0.0.31.255 any

Correct Answer: C

Section: 4. IOS ACLs
Explanation

Explanation/Reference:

Not sure if this is a partial question or mismarked. Spoofed addresses usually refers to addresses that mimic your own internal addressing scheme.

Private or reserved addresses are defined in RFC 1918.

A common set of entries for access lists applied inbound at the network edge is as follows:

!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any

!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any

In this question, denying 10.0.0.0 0.255.255.255 matches one of the RFC 1918 ranges exactly. The wildcard 0.0.31.255 in option D covers only 192.168.0.0/19, not the whole 192.168.0.0/16 private block, so C is the correct answer.

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
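A complete ingress and egress antispoofing filter built from the entries above, added here as an example; it is not from the original page or the Cisco document it references. The local allocation 203.0.113.0/24, the uplink address 198.51.100.2 and the interface name are assumptions (RFC 5737 documentation prefixes); substitute your own. Because an ACL is evaluated top down with first match (Question 54), the specific denies must come before the final permit, and the final permit is required because the implicit deny would otherwise drop all inbound traffic.

```cisco
! Inbound on the Internet-facing interface: drop packets whose source cannot be a real
! Internet host. Evaluated top down; the first matching entry wins.
ip access-list extended INGRESS-ANTISPOOF
 remark --- RFC 1918 private space ---
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- other sources that are never valid arriving from the Internet ---
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark --- our own prefix must never arrive from outside (RFC 2827 / BCP 38) ---
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- everything else continues to the stateful firewall behind this router ---
 permit ip any any
!
! Outbound: only our own prefix may leave, which stops our hosts (or malware on them)
! from sourcing spoofed attacks. Log the drops, but rate-limit ACL logging so a flood
! of spoofed packets cannot turn into a CPU problem on the router itself.
ip access-list extended EGRESS-BCP38
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
ip access-list logging interval 1000
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
 ip access-group INGRESS-ANTISPOOF in
 ip access-group EGRESS-BCP38 out
!
! Verification: the per-entry hit counters show which spoofed ranges actually arrive.
show ip access-lists INGRESS-ANTISPOOF
```

The wildcard masks follow the same rule as the exam answer: 0.255.255.255 covers a /8, 0.15.255.255 a /12, 0.0.255.255 a /16, and 31.255.255.255 on 224.0.0.0 covers 224.0.0.0/3 (multicast plus the reserved 240/4 space). An egress deny with a hit count rising is worth investigating: something inside is emitting packets with a source address that is not yours.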

QUESTION 58

Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.)

A. port security
B. DHCP snooping
C. IP source guard
D. dynamic ARP inspection

Correct Answer: BD


Explanation

Explanation/Reference:

ARP spoofing is a common Layer 2 attack. It can be used as part of ARP poisoning, man-in-the-middle attacks or session hijacking, among others. The attacker sends forged ARP requests and/or replies (typically unsolicited, gratuitous replies) so that victims map a legitimate IP address, such as the default gateway, to the attacker's MAC address.

DHCP snooping lets a Cisco switch examine all DHCP traffic and build an IP-to-MAC binding table from the leases that are handed out. Dynamic ARP inspection checks ARP packets received on untrusted ports against that table and drops any whose sender IP and MAC pair does not match a binding.

Hosts with statically assigned IP addresses never appear in the DHCP snooping table, so they must be added manually (a static ip source binding entry, or an ARP ACL), otherwise DAI drops their ARP traffic and they lose connectivity.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html

QUESTION 59

What is the Cisco preferred countermeasure to mitigate CAM overflows?

A. port security
B. dynamic port security
C. IP source guard
D. root guard

Correct Answer: B

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

Port security helps prevent CAM table overflow attacks by limiting the number of MAC addresses that can be learned on an interface:

switchport port-security
switchport port-security maximum 2

After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these ways:

•You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
•You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
•You can configure a number of addresses and allow the rest to be dynamically configured.

The dynamically learned (and sticky) variants are what the question calls dynamic port security: they need no per-port inventory of MAC addresses, which is why they are the practical choice for stopping CAM overflow on access ports.
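The four Layer 2 features from Questions 58 and 59 (and from the data plane list at the top of this section) combined on one access switch, added here as an example that is not from the original page or the Cisco guides it links to. VLAN 10, the interface numbers, the trusted uplink and the printer's MAC and IP address are assumptions. Order matters: DAI and IP source guard both consult the DHCP snooping binding table, so snooping must be enabled for the VLAN first, and any host that does not use DHCP needs a static binding or it is cut off.

```cisco
! 1. DHCP snooping builds the IP/MAC/VLAN/port binding table that DAI and IPSG consult.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Dynamic ARP inspection on the same VLAN. Also check that the Ethernet header
!    agrees with the ARP payload and that the IP addresses are sane (no 0.0.0.0,
!    255.255.255.255 or multicast senders).
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the DHCP server and the rest of the network: trusted, so server
! replies and ARP from the core are not inspected or rate-limited.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports are untrusted by default. Rate-limit DHCP and ARP so a flooding host only
! err-disables its own port, cap learned MACs (CAM overflow), and enforce the IP/MAC pair
! from the binding table (IP source guard). BPDU guard stops a rogue switch.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3. A printer with a static IP never gets a snooping binding; add one by hand
!    or DAI and IPSG drop its traffic.
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/24
!
! Verification
show ip dhcp snooping binding
show ip arp inspection interfaces
show ip verify source
show port-security interface GigabitEthernet1/0/1
```

Test with a host that is deliberately given a wrong static address: show ip verify source shows the port in "deny-all" until a binding exists, and the ARP inspection counters (show ip arp inspection statistics) climb as its ARP replies are dropped.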


QUESTION 60

What is the most common Cisco Discovery Protocol version 1 attack?

A. denial of service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping

Correct Answer: A

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

Because CDP is enabled by default on most Cisco devices and its frames are processed by the CPU, an attacker on a connected segment can flood a device with crafted CDP frames and exhaust its CPU and memory, which is a denial of service. CDP also leaks platform, software version and addressing details, so disable it (no cdp run globally, or no cdp enable per interface) on ports that face untrusted hosts.

https://heggel4.wordpress.com/2014/10/11/protect-your-network-against-cdp-attacks/

QUESTION 61

Which option describes a function of a virtual LAN?

A. A virtual LAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
B. A virtual LAN creates trunks and links two switches together.
C. A virtual LAN adds every port on a switch to its own collision domain.
D. A virtual LAN connects many hubs together.

Correct Answer: A

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

A VLAN is a logical broadcast domain. Ports in different VLANs cannot exchange frames without a Layer 3 device, which is also what makes VLANs useful for segmenting a network.

QUESTION 62


A. Configure another trunk link.
B. Configure EtherChannel.
C. Configure an access port.
D. Connect a hub between the two switches.

Correct Answer: B

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

Two parallel connections between switches form a loop, so STP blocks one of them and its bandwidth is wasted.

By configuring EtherChannel, the participating interfaces are treated as a single logical interface, a port channel, so both links carry traffic and STP sees no loop.

QUESTION 63

If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?

A. The interface on both switches may shut down.
B. STP loops may occur.
C. The switch with the higher native VLAN may shut down.
D. The interface with the lower native VLAN may shut down.

Correct Answer: B

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

The native VLAN is defined in the 802.1Q specification.

In Cisco's implementation, traffic on the native VLAN is not tagged as it crosses a trunk.

Frames that leave one switch untagged are therefore placed in a different VLAN by the switch at the other end, so the two mismatched native VLANs are effectively bridged together. Traffic, including the per-VLAN STP BPDUs of PVST+, ends up in the wrong VLAN and loops can result. The untagged native VLAN is also what double-tagging VLAN hopping abuses, so the native VLAN should be an unused VLAN and, where supported, tagged (vlan dot1q tag native).

QUESTION 64

Which VTP mode allows you to change the VLAN configuration and will then propagate the change throughout the entire switched network?

A. VTP server


Correct Answer: A

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

There are three VTP modes:

Server: can manage the VLAN database (set the domain, add, remove and rename VLANs) and stores vlan.dat in NVRAM; its changes are advertised to the whole VTP domain.

Client: gets its VLAN list from the server, can assign ports to VLANs but cannot change the VLAN database, and does not store vlan.dat in NVRAM.

Transparent: passes VTP advertisements through its trunk ports but does not act on them, and manages an independent VLAN database.

QUESTION 65

When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?

A. STP elects the root bridge.
B. STP selects the root port.
C. STP selects the designated port.
D. STP blocks one of the ports.

Correct Answer: A

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

The high-level steps of STP are:

1. Elect a root bridge.
2. Each non-root bridge elects a root port.
3. On each segment a designated port is chosen; the remaining redundant ports become alternate/blocking ports.

QUESTION 66

What is the default STP priority on a switch?

A. 4096
B. 24576
C. 16384
D. 32768

Correct Answer: D

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

Cisco switches use an STP bridge priority of 32768 by default. The bridge ID is the priority (plus the extended system ID, which is the VLAN number in PVST+/RPVST+) followed by the switch MAC address, and the lowest bridge ID wins the root election; this is why an attacker who sends BPDUs with a lower priority can take over as root, and why root guard and BPDU guard exist.

QUESTION 67

Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.)

A. Rivest-Shamir-Adleman Algorithm
B. ElGamal encryption system
C. Digital Signature Algorithm
D. Paillier cryptosystem

Correct Answer: AC

Section: 5. Secure Network Management and Reporting
Explanation

Explanation/Reference:

When generating public/private key pairs for SSH on Cisco devices, you can use either RSA or DSA.

http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/b_syssec_cr42crs/b_syssec_cr41crs_chapter_0111.html#wp4092742478

QUESTION 68

Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message?

A. the transform set
B. the group policy
C. the hash
D. the crypto map

Correct Answer: C

Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

One-way (hash) functions generate a fixed-length output regardless of the size of the original message; IPsec uses them, keyed as HMACs, for integrity and origin authentication.

The hash algorithms used with IPsec in this exam are SHA-1 and MD5.

When setting up an ISAKMP (IKE phase 1) policy, you specify the following (the HAGLE mnemonic):

H - hash (md5 or sha)
A - authentication (pre-shared keys, or rsa-sig, i.e. digital certificates)
G - Diffie-Hellman group (1, 2, 5, etc.)
L - lifetime of the IKE phase 1 tunnel
E - encryption to use (des, 3des, aes)

Digest lengths in bits:

MD5 128
SHA-1 160
SHA-224 224
SHA-256 256
SHA-384 384
SHA-512 512
SHA-512/224 224
SHA-512/256 256

QUESTION 69

Which three options are components of Transport Layer Security? (Choose three.)

A. stateless handshake
B. stateful handshake
C. application layer
D. session layer
E. pre-shared keys
F. digital certificates

Correct Answer: BCF
Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

TLS is the successor to SSL.

In many cases the terms are used interchangeably, but they are not directly compatible.

When configuring security for the WebVPN and AnyConnect, you can choose to use SSL or TLS.

Like SSL, TLS uses an authentication handshake in which credentials are exchanged. These credentials are digital certificates, which bind a public key to an identity; the matching private key stays with the certificate owner and is used to prove possession during the handshake.


ASA 9.3(2) and later: SSLv3 deprecation and SSL server version default change. SSLv3 is now deprecated. The default for the ssl server-version command is now tlsv1 instead of any. If you configure any, sslv3, or sslv3-only, the command is accepted with a warning. In the next major ASA release, these keywords will be removed from the ASA.

QUESTION 70

What are three features of IPsec tunnel mode? (Choose three.)

A. IPsec tunnel mode supports multicast.
B. IPsec tunnel mode is used between gateways.
C. IPsec tunnel mode is used between end stations.
D. IPsec tunnel mode supports unicast traffic.
E. IPsec tunnel mode encrypts only the payload.
F. IPsec tunnel mode encrypts the entire packet.

Correct Answer: BDF

Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

IPsec can run in either tunnel mode or transport mode. Both modes support only unicast traffic; multicast has to be encapsulated first (for example in GRE) before IPsec can protect it.

Each of these modes has its own particular uses and care should be taken to ensure that the correct one is selected for the solution:

Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.

Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host—for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.


QUESTION 71

Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router?

A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto session

Correct Answer: D

Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

The main commands for verifying IPsec connections on a Cisco router are:

show crypto isakmp sa
Shows the IKE phase 1 security associations (state QM_IDLE means phase 1 is up).

show crypto ipsec sa
Shows the IKE phase 2 (IPsec) security associations, with encrypt/decrypt packet counters per SA.

show crypto map
Shows the crypto map configuration (peers, ACL, transform set), even when the tunnel is down; it is configuration, not state.

show crypto session
Shows phase 1 and phase 2 status for every session in one view; a session shows as DOWN when the IPsec connection has not been established.

QUESTION 72

How can you prevent clientless SSL VPN users from accessing any HTTP or HTTPS URL within the portal?


A. Configure a web ACL.
B. Turn off URL entry.
C. Configure a smart tunnel.
D. Configure a portal access rule.

Correct Answer: B

Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

Clientless SSL VPN Security Precautions

By default, the ASA allows all portal traffic to all Web resources (for example HTTPS, CIFS, RDP, and plug-ins). Clientless SSL VPN rewrites each URL to one that is meaningful only to the ASA. The user cannot use this URL to confirm that they are connected to the website they requested. To avoid placing users at risk from phishing websites, assign a Web ACL to the policies configured for clientless access—group policies, dynamic access policies, or both—to control traffic flows from the portal. Cisco recommends switching off URL Entry on these policies to prevent user confusion over what is accessible.

Step 1

webvpn
Switches to group policy clientless SSL VPN configuration mode.

Step 2

Step 3

(Optional) url-entry disable
Switches off URL entry.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-gateway.html

QUESTION 73

Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection?

A. perfect forward secrecy
B. dead peer detection
C. keep alives
D. IKEv2

Correct Answer: B
Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

Configuring DTLS

Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS, SSL VPN connections connect with an SSL VPN tunnel only. Note In order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If you do not enable DPD, and the DTLS connection experiences a problem, the connection terminates instead of falling back to TLS.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

QUESTION 74

Where is the transform set applied in an IOS IPsec VPN?

A. on the WAN interface

Section: 9.0 VPN Technologies
Explanation

Explanation/Reference:

The basic steps for an IPsec site-to-site VPN are:

Task 1: Ensure that ACLs are compatible with IPsec, i.e. that ISAKMP (UDP 500, and UDP 4500 for NAT traversal) and AH/ESP (IP protocols 51 and 50) are permitted through the firewall.

Task 2: Create the ISAKMP (IKE) policy.
crypto isakmp policy priority

Task 2a: Set the PSK if using that authentication method.
crypto isakmp key keystring address peer-address

Task 3: Configure the IPsec transform set.
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]

Task 4: Create the crypto ACL that defines which traffic is protected.
access-list 110 permit ip source source-wildcard destination destination-wildcard

Task 5: Create the crypto map, which ties the ACL, the peer and the transform set together, and apply it to the interface. The transform set is therefore referenced inside the crypto map, and it is the crypto map that is applied to the WAN interface.

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400
R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
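The five tasks above as one complete, working configuration for R1, added here as an example that is not from the original page. Addresses come from the RFC 5737 and RFC 1918 documentation ranges, the pre-shared key is a placeholder, and peer R2 is assumed to carry the mirror-image configuration (peer 203.0.113.2, crypto ACL with source and destination swapped). It also answers the question in practice: the transform set is referenced inside the crypto map with set transform-set, and the crypto map, not the transform set, is applied to the WAN interface. The algorithm choices are deliberately stronger than the DES/MD5/group 1 values in older examples.

```cisco
! Task 1: entries to add to the existing inbound ACL on the uplink, so the peer's
! IKE (UDP 500), NAT-T (UDP 4500) and ESP packets are not dropped before IPsec sees them.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.2 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.2 host 203.0.113.2
!
! Task 2: IKE phase 1 policy (HAGLE).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Task 2a: pre-shared key for this peer only. Never key it to 0.0.0.0, which accepts any peer.
crypto isakmp key Long-Random-PSK-Replace-Me address 198.51.100.2
!
! Task 3: IPsec (phase 2) transform set; tunnel mode is the default between gateways.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Task 4: crypto ACL, i.e. which traffic is encrypted. R2 uses the mirror image.
ip access-list extended CRYPTO-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Task 5: the crypto map ties ACL, peer, transform set and PFS together ...
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site to R2
 match address CRYPTO-ACL
 set peer 198.51.100.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 set security-association lifetime seconds 3600
!
! ... and the crypto map (not the transform set) is applied to the outside interface.
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-MAP
!
! If this router also does NAT overload on GigabitEthernet0/0, the NAT ACL must deny
! 10.1.0.0/16 -> 10.2.0.0/16 first; otherwise the traffic is translated before it can
! match CRYPTO-ACL and never enters the tunnel.
!
! Verification: phase 1, phase 2, and the combined view from Question 71.
show crypto isakmp sa
show crypto ipsec sa
show crypto session
```

Traffic has to flow before anything appears in show crypto ipsec sa: the SA is negotiated on demand when the first packet matches CRYPTO-ACL, so send a ping sourced from 10.1.0.0/16 and then look for the encaps/decaps counters rising on both routers.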

QUESTION 75


Explanation

Explanation/Reference:

The password management feature allows users to receive expiry warnings and change their authentication passwords through the ASA SSL VPN.

When you configure the password-management command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.

The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

The security appliance, releases 7.1 and later, generally supports password management for the AnyConnect VPN Client, the Cisco IPSec VPN Client, the SSL VPN full-tunneling client, and Clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2.

Password management is not supported for any of these connection types for Kerberos/AD (Windows password) or NT 4.0 Domain.

Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2. The password-management command requires MS-CHAPv2, so please check with your vendor.

The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server.

For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers. Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/vpngrp.html#wp1166214

QUESTION 76

In which stage of an attack does the attacker discover devices on a target network? A. reconnaissance

B. gaining access
C. maintaining access
D. covering tracks

Correct Answer: A

Section: 1. Common Security Threats
Explanation


Explanation:

Reconnaissance - gathering information about targets (DNS queries, Whois, etc.) and scanning for addresses, ports and vulnerabilities (NMAP, Metasploit, etc.)

Gaining access - Metasploit, scripts, etc.

Maintaining access

Covering tracks

QUESTION 77

Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?

A. Unidirectional Link Detection

B. Unicast Reverse Path Forwarding
C. TrustSec

D. IP Source Guard

Correct Answer: B

Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:

Unicast Reverse Path Forwarding verifies the source IP of a packet against the routing table of the router.

Verifying symmetry means that a packet's source must be reachable back out the same interface on which the packet was received (this can be a problem for multi-homed routers at the edge, where routing is often asymmetric). It can be used in strict or loose mode.

This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded.

When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet. When administrators use Unicast RPF in loose mode, the source address must merely appear in the routing table. By default a match on the default route does not count; administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process.
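To make the strict/loose/allow-default distinction concrete, here is an added Python simulation of the uRPF decision (not Cisco code, and not an IOS configuration): the routing table, interface names and source addresses are constructed for the example, and the check goes slightly beyond the text by doing a longest-prefix lookup the way a router would.

```python
import ipaddress

# Constructed routing table for the example: (prefix, egress interface).
ROUTES = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),
    ("192.168.0.0/16", "Gi0/3"),
    ("0.0.0.0/0", "Gi0/0"),  # default route
]


def lookup(table, ip):
    """Longest-prefix match: return (network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(table, src_ip, ingress_iface, mode="strict", allow_default=False):
    """Return True if a packet from src_ip arriving on ingress_iface passes uRPF.

    strict: the route back to the source must point out the ingress interface.
    loose:  the source only has to be present in the routing table.
    A match on the default route (0.0.0.0/0) is ignored unless allow_default is set.
    """
    match = lookup(table, src_ip)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    # strict mode: verify path symmetry. A spoofed source, or a legitimate
    # source reached over an asymmetric path, fails this test.
    return iface == ingress_iface


if __name__ == "__main__":
    # 10.1.5.7 is routed via Gi0/2, so a packet claiming that source on Gi0/3
    # is dropped in strict mode but accepted in loose mode.
    print(urpf_check(ROUTES, "10.1.5.7", "Gi0/3", "strict"))  # False
    print(urpf_check(ROUTES, "10.1.5.7", "Gi0/3", "loose"))   # True
```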

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

QUESTION 78

By which kind of threat is the victim tricked into entering username and password information at a disguised website?

A. phishing
