Final Seguridad (Security Final Exam)
Post on 03-Jun-2018
8/12/2019 Final Seguridad
1/19
1. When logging is enabled for an ACL entry, how does the router switch packets filtered by
the ACL?
topology-based switching
autonomous switching
process switching
optimum switching
2. Which statement is true about the One-Step Lockdown feature of the CCP Security Audit wizard?
It enables the Secure Copy Protocol (SCP).
It supports AAA configuration.
It enables TCP intercepts.
It sets an access class ACL on vty lines.
It provides an option for configuring SNMPv3 on all routers.
3. What are three common examples of AAA implementation on Cisco routers? (Choose three.)
authenticating administrator access to the router console port, auxiliary port, and vty ports
authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
implementing command authorization with TACACS+
securing the router by locking down all unused services
tracking Cisco NetFlow accounting statistics
4. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router using the password cisco123. What is a possible cause of the problem?
The Telnet connection between RouterA and RouterB is not working correctly.
The password cisco123 is wrong.
The enable password and the Telnet password need to be the same.
The administrator does not have enough rights on the PC that is being used.
5. Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
2
3
5
6
6. If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)
The port is disabled. (Corrected by Elfnet)
The switch is rebooted. (Original answer)
An SNMP log message is sent.
The port is placed in a blocking state.
The switch forwards control traffic only.
11. Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

R1(config)# interface fa0/0
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE out

R1(config)# interface fa0/0
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

R1(config)# interface fa0/1
R1(config-if)# ip inspect
14. What can be used as a VPN gateway when setting up a site-to-site VPN?
Cisco Catalyst switch
Cisco router
Cisco Unified Communications Manager
Cisco AnyConnect
15. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
LAN storm
MAC address spoofing
MAC address table overflow
STP manipulation
VLAN attack
16. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
The resulting action is determined by the destination IP address.
The resulting action is determined by the destination IP address and port number.
The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
The traffic is dropped.
17. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
authentication
confidentiality
Diffie-Hellman
integrity
nonrepudiation
authenticates a packet by using either the HMAC-MD5 or HMAC-SHA algorithms and encrypts the packet using either the DES, 3DES, or AES algorithms
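The fragment above names the two ESP building blocks: an HMAC (HMAC-MD5 or HMAC-SHA) for integrity and origin authentication, and a cipher (DES, 3DES or AES) for confidentiality. The Python model below is an added example written for this page, not Cisco code and not from the exam. Because the standard library has no DES/3DES/AES, the cipher is a stand-in keystream derived from HMAC-SHA256 in counter mode (a toy, not a real cipher), while the ICV really is HMAC-MD5-96 or HMAC-SHA1-96 as ESP uses them; the keys, IV and payload are constructed for the demonstration. It shows the encrypt-then-MAC order ESP uses and that a modified packet is rejected before any decryption happens.

```python
"""Toy model of the ESP building blocks: confidentiality plus integrity.

Added example, not Cisco code and not from the exam page.  Python's standard
library has no DES/3DES/AES, so the "cipher" is a keystream built from
HMAC-SHA256 in counter mode (a stand-in, not a real cipher); the ICV is the
HMAC-MD5-96 or HMAC-SHA1-96 the fragment above names.  Keys, IV and payload
are constructed for the demonstration.
"""
import hashlib
import hmac
import os

IV_LEN = 16
ICV_LEN = 12   # ESP truncates HMAC-MD5 / HMAC-SHA1 to 96 bits (RFC 2403 / 2404)
MAC_ALGS = {"hmac-md5": hashlib.md5, "hmac-sha": hashlib.sha1}


def _keystream(key, iv, length):
    """Counter-mode keystream from HMAC-SHA256: stand-in for the 3DES/AES cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(enc_key, auth_key, plaintext, mac_alg="hmac-sha", iv=None):
    """Encrypt, then authenticate IV||ciphertext: the order ESP uses."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    icv = hmac.new(auth_key, iv + ciphertext, MAC_ALGS[mac_alg]).digest()[:ICV_LEN]
    return iv + ciphertext + icv


def unprotect(enc_key, auth_key, packet, mac_alg="hmac-sha"):
    """Check the ICV in constant time before touching the ciphertext; None if it fails."""
    if len(packet) < IV_LEN + ICV_LEN:
        return None
    iv, ciphertext, icv = packet[:IV_LEN], packet[IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, iv + ciphertext, MAC_ALGS[mac_alg]).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None   # integrity/authentication failed: drop, do not decrypt
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


# Constructed demo material; never hard-code real keys like this.
ENC_KEY = b"\x11" * 16
AUTH_KEY = b"\x22" * 20
PAYLOAD = b"GET /inventory HTTP/1.1"

if __name__ == "__main__":
    pkt = protect(ENC_KEY, AUTH_KEY, PAYLOAD)
    print("decrypted:", unprotect(ENC_KEY, AUTH_KEY, pkt))
    tampered = bytearray(pkt)
    tampered[IV_LEN] ^= 0x01          # flip one ciphertext bit
    print("tampered :", unprotect(ENC_KEY, AUTH_KEY, bytes(tampered)))
```

Verifying the ICV before decrypting is what makes the integrity block do its job: a receiver that decrypts first hands attacker-controlled bytes to the upper layer and leaks timing on padding or format errors.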
21. Which action best describes a MAC address spoofing attack?
altering the MAC address of an attacking host to match that of a legitimate host
bombarding a switch with fake source MAC addresses
forcing the election of a rogue root bridge
flooding the LAN with excessive traffic
22. When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?
Configure the message encryption algorithm with the encryption type ISAKMP policy configuration command.
Configure the DH group identifier with the group number ISAKMP policy configuration command.
Configure a hostname with the crypto isakmp identity hostname global configuration command.
Configure a PSK with the crypto isakmp key global configuration command.
23. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users.
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process.
It is required that all 16 privilege levels be defined whether they are used or not.
24. Which set of Cisco IOS commands instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# no retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# no retired false
25. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
Subsequent virtual login attempts from the user are blocked for 60 seconds.
During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
Subsequent console login attempts are blocked for 60 seconds.
A message is generated indicating the username and source IP address of the user.
During the quiet mode, an administrator can log in from host 172.16.1.2.
No user can log in virtually from any host for 60 seconds.
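The quiet-mode behaviour the question above tests can be modelled in a few lines. The simulation below is an added example, not Cisco code and not from the exam. The exhibit is not reproduced on this page, so the configuration it assumes (login block-for 60 attempts 4 within 10, with a quiet-mode access-class that permits host 172.16.1.2), the attacker addresses and the log line formats (which only approximate the IOS %SEC_LOGIN messages) are assumptions. It shows the three behaviours at issue: the fourth failure within the window starts quiet mode, the console is unaffected, and only hosts permitted by the quiet-mode ACL can still reach the vty lines.

```python
"""Simulation of the IOS `login block-for` quiet mode.

Added example, not Cisco code and not from the exam page.  Assumed configuration
(the exhibit is not reproduced on this page):
    login block-for 60 attempts 4 within 10
    login quiet-mode access-class QUIET
    ip access-list standard QUIET
     permit host 172.16.1.2
"""
import ipaddress
from collections import deque

BLOCK_FOR = 60   # seconds the router stays in quiet mode
ATTEMPTS = 4     # this many failed vty logins ...
WITHIN = 10      # ... inside this window start quiet mode
# Assumed quiet-mode access-class: hosts that may still log in during quiet mode.
QUIET_ACL = [ipaddress.ip_network("172.16.1.2/32")]


def _permitted_in_quiet_mode(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in QUIET_ACL)


class LoginGuard:
    """Tracks failed vty logins the way `login block-for` does."""

    def __init__(self):
        self.failures = deque()    # timestamps of recent failed vty logins
        self.quiet_until = None    # end of the current quiet period, if any
        self.log = []              # syslog-style messages (formats approximated)

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, user, src, password_ok, line="vty", now=0):
        """Process one login; returns 'ok', 'failed' or 'blocked'.

        `line` is 'vty' (Telnet/SSH) or 'console'; block-for governs only vty lines.
        """
        if line == "console":
            return "ok" if password_ok else "failed"
        if self.in_quiet_mode(now) and not _permitted_in_quiet_mode(src):
            return "blocked"
        if password_ok:
            return "ok"
        # Slide the window: forget failures older than WITHIN seconds.
        while self.failures and now - self.failures[0] > WITHIN:
            self.failures.popleft()
        self.failures.append(now)
        self.log.append("%%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: %s] [Source: %s] at t=%s"
                        % (user, src, now))
        if len(self.failures) >= ATTEMPTS:
            self.quiet_until = now + BLOCK_FOR
            self.failures.clear()
            self.log.append("%%SEC_LOGIN-1-QUIET_MODE_ON: quiet mode for %ds [user: %s] [Source: %s]"
                            % (BLOCK_FOR, user, src))
        return "failed"


def scenario():
    """Four bad passwords within 10 s from one host, then who can still get in."""
    g = LoginGuard()
    results = [g.attempt("admin", "10.0.0.5", False, now=t) for t in range(4)]
    results.append(g.attempt("admin", "10.0.0.9", True, now=5))                  # vty, other host
    results.append(g.attempt("admin", "172.16.1.2", True, now=5))                # vty, quiet-ACL host
    results.append(g.attempt("admin", "10.0.0.9", True, line="console", now=5))  # console line
    results.append(g.attempt("admin", "10.0.0.9", True, now=70))                 # quiet period over
    return results, g.log


if __name__ == "__main__":
    results, log = scenario()
    print(results)
    print("\n".join(log))
```

The quiet-mode ACL is the detail that matters operationally: without it, an attacker who can trigger four failures every minute locks every administrator out of remote management for as long as they care to keep it up.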
26. Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?
The ACL must be applied to each vty line individually.
The ACL is applied to the Telnet port with the ip access-group command.
Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces. (Original)
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port. (Corrected by Joker!)
27. What are three characteristics of the ASA routed mode? (Choose three.)
This mode does not support IPS, QoS, or DHCP Relay. (Original)
The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets. (Corrected by Elfnet & Joker!)
It is the traditional firewall deployment mode.
NAT can be implemented between connected networks. (Corrected by Elfnet & Joker!)
This mode is referred to as a "bump in the wire". (Original)
In this mode, the ASA is invisible to an attacker.
28. Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?
Active Directory
Kerberos (Original)
Certificate Authority
RADIUS
30. Refer to the exhibit. What conclusion can be drawn from the exhibited window when it is displayed on a remote user computer screen?
The user has connected to a secure web server.
The user has established a client-based VPN connection.
The user has logged out of the AnyConnect VPN client.
The user is installing the AnyConnect VPN client.
The user is using a web browser to connect to a clientless SSL VPN.
31. What will be disabled as a result of the no service password-recovery command?
aaa new-model global configuration command
changes to the configuration register
password encryption service
ability to access ROMmon
32. Which type of IPS signature detection is used to distract and confuse attackers?
pattern-based detection
anomaly-based detection
policy-based detection
honey pot-based detection
33. Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?
Issue the logging on command in global configuration.
Issue the ip ips notify sdee command in global configuration.
Issue the ip audit notify log command in global configuration.
Issue the clear ip ips sdee events command to clear the SDEE buffer.
34. Which attack allows the attacker to see all frames on a broadcast network by causing a switch to flood all incoming traffic?
LAN storm (Original)
VLAN hopping
STP manipulation
MAC table overflow (Corrected by Joker! & Andy)
The user has logged out of an AnyConnect IPsec VPN session.
The user has logged out of an AnyConnect SSL VPN session. (Original)
36. An administrator has been asked to configure basic access security on a router, including creating secure passwords and disabling unattended connections. Which three actions accomplish this using recommended security practices? (Choose three.)
Create passwords with only alphanumeric characters.
Set the minimum password length to 10 characters.
Set the executive timeout parameters on the console port to 120 and 0. (Original)
Set the executive timeout parameters on the vty lines to 3 and 0. (Corrected by Joker!)
Enable the password encryption service for the router.
Enable login using the Aux port with the executive timeout set to 0 and 0.
37. Which type of intrusion prevention technology is primarily used by Cisco IPS security appliances?
rule-based
profile-based
signature-based
NetFlow anomaly-based
protocol analysis-based
38. Which type of packets exiting the network of an organization should be blocked by an ACL?
packets that are not encrypted
packets that are not translated with NAT
packets with source IP addresses outside of the organization's network address space
packets with destination IP addresses outside of the organization's network address space
39. An administrator wants to prevent a rogue Layer 2 device from intercepting traffic from multiple VLANs on a network. Which two actions help mitigate this type of activity? (Choose two.)
Disable DTP on ports that require trunking.
Place unused active ports in an unused VLAN.
Secure the native VLAN, VLAN 1, with encryption.
Set the native VLAN on the trunk ports to an unused VLAN.
Turn off trunking on all trunk ports and manually configure each VLAN as required on each port.
40. Which command would an administrator use to clear generated crypto keys?
Router(config)# crypto key decrypt
Router(config-line)# transport input ssh clear
Router(config)# crypto key rsa
Router(config)# crypto key zeroize rsa
41. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.
The keys must be zeroized to reset Secure Shell before configuring other parameters.
The generated keys can be used by SSH.
42. Refer to the exhibit. An administrator has configured an ASA 5505 as indicated but is still unable to ping the inside interface from an inside host. What is the cause of this problem?
An IP address should be configured on the Ethernet 0/0 and 0/1 interfaces. (Original)
The no shutdown command should be entered on interface Ethernet 0/1. (Corrected by Joker! & Andy)
The security level of the inside interface should be 0 and the outside interface should be 100.
AAA
port forwarding
47. What are three goals of a port scan attack? (Choose three.)
disable used ports and services
determine potential vulnerabilities
identify active services
identify peripheral configurations
identify operating systems
discover system passwords
50. Sales representatives of an organization use computers in hotel business centers to occasionally access corporate e-mail and the inventory database. What would be the best VPN solution to implement on an ASA to support these users?
client-based IPsec VPN using Cisco VPN Client (Original answer)
client-based IPsec VPN using AnyConnect
client-based SSL VPN using AnyConnect
clientless IPsec VPN using a web browser
clientless SSL VPN using a web browser (Corrected by Elfnet)
site-to-site IPsec VPN
51. Refer to the exhibit. What information can be obtained from the AAA configuration statements?
The authentication method list used for Telnet is named ACCESS.
The authentication method list used by the console port is named ACCESS.
The local database is checked first when authenticating console and Telnet access to the router.
If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.
If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.
52. What must be configured before any Role-Based CLI views can be created?
aaa new-model command
multiple privilege levels
secret password for the root user
usernames and passwords
53. Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
A copy of the Cisco IOS image file has been made.
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The Cisco IOS image filename will be listed when the show flash command is issued on R1.
The copy tftp flash command was issued on R1.
The secure boot-config command was issued on R1.
54. What are two disadvantages of using network IPS? (Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
Network IPS is operating system-dependent and must be customized for each platform.
Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
Network IPS sensors are difficult to deploy when new networks are added.
55. Which statement describes the CCP Security Audit wizard?
After the wizard identifies the vulnerabilities, the CCP One-Step Lockdown feature must be used to make all security-related configuration changes.
After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.
The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist. (Original Answer)
The wizard is based on the Cisco IOS AutoSecure feature. (Corrected by Elfnet & Andy)
The wizard is enabled by using the Intrusion Prevention task.
56. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
An interface can be assigned to multiple security zones. (Original)
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect, and drop options can only be applied between two zones. (Corrected by Joker! & Andy)
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
57. Refer to the exhibit. Which option tab on the CCP screen is used to view the Top Threats table and deploy signatures associated with those threats?
Create IPS
Edit IPS
Security Dashboard
IPS Sensor
IPS Migration
58. Which statement correctly describes a type of filtering firewall?
A transparent firewall is typically implemented on a PC or server with firewall software running on it.
A packet-filtering firewall expands the number of IP addresses available and hides network addressing design.
An application gateway firewall (proxy firewall) is typically implemented on a router to filter Layer 3 and Layer 4 information.
A stateful firewall monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
59. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?
auditing
accounting
authorization
authentication
60. Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.)
Place generic ACL entries at the top of the ACL. (Original)
Place more specific ACL entries at the top of the ACL.
Router-generated packets pass through ACLs on the router without filtering.
ACLs always search for the most specific entry before taking any filtering action.
A maximum of three IP access lists can be assigned to an interface per direction (in or out).
An access list applied to any interface without a configured ACL allows all traffic to pass. (Corrected by Elfnet & Joker!)
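The three ACL questions above (unmatched outbound traffic in question 16, the egress source-address filter in question 38, and entry ordering in question 60) all come down to first-match evaluation with an implicit deny at the end. The evaluator below is an added example written for this page, not Cisco code and not from the exam; the ACL numbers and addresses in it are constructed for the demonstration. Beyond what the questions ask, it also flags entries that an earlier, more generic entry shadows, which is how a misordered ACL silently stops filtering.

```python
"""Minimal IOS-style standard ACL evaluator.

Added example, not Cisco code and not from the exam page.  Models the three
rules the questions turn on: the first matching entry wins, every ACL ends in
an implicit deny, and an entry fully covered by an earlier one can never match.
"""
import ipaddress
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
# Supported (constructed) syntax: access-list <n> permit|deny host A.B.C.D | any | A.B.C.D W.W.W.W
_ENTRY = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|(any)|(\S+)\s+(\S+))\s*$"
)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    addr: int     # source address as a 32-bit int
    wild: int     # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, ip):
        fixed = ~self.wild & MASK32
        return ip & fixed == self.addr & fixed

    def covers(self, other):
        """True if every source address `other` matches, self also matches."""
        fixed = ~self.wild & MASK32
        return (other.wild & fixed) == 0 and (other.addr & fixed) == (self.addr & fixed)


def parse_acl(text):
    """Parse numbered standard-ACL lines into entries, in order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("unsupported ACL line: %r" % line)
        action, host, anyaddr, addr, wild = m.groups()
        if host:
            entries.append(Entry(action, _ip(host), 0))
        elif anyaddr:
            entries.append(Entry(action, 0, MASK32))
        else:
            entries.append(Entry(action, _ip(addr), _ip(wild)))
    return entries


def evaluate(acl, src):
    """First match wins; a packet matching no entry hits the implicit deny."""
    ip = _ip(src)
    for entry in acl:
        if entry.matches(ip):
            return entry.action
    return "deny"


def shadowed(acl):
    """Indices of entries that can never be reached because an earlier entry covers them."""
    return [j for j, e in enumerate(acl) if any(acl[i].covers(e) for i in range(j))]


# Question 16: standard ACL outbound on serial 0/0/0; anything not listed is dropped.
Q16_ACL = parse_acl("access-list 10 permit 172.16.1.0 0.0.0.255")

# Question 60: a generic entry placed first shadows the specific deny after it.
BAD_ORDER = parse_acl("""
access-list 20 permit 10.0.0.0 0.255.255.255
access-list 20 deny host 10.1.1.7
""")
GOOD_ORDER = parse_acl("""
access-list 20 deny host 10.1.1.7
access-list 20 permit 10.0.0.0 0.255.255.255
""")

# Question 38: egress filter that only lets the organization's own address space
# leave, so packets with spoofed (foreign) sources are dropped at the edge.
EGRESS_ACL = parse_acl("access-list 30 permit 198.51.100.0 0.0.0.255")

if __name__ == "__main__":
    print("Q16 172.16.1.20 ->", evaluate(Q16_ACL, "172.16.1.20"))
    print("Q16 10.9.9.9    ->", evaluate(Q16_ACL, "10.9.9.9"))
    print("Q60 shadowed entries in bad order:", shadowed(BAD_ORDER))
    print("Q60 host 10.1.1.7 bad/good:", evaluate(BAD_ORDER, "10.1.1.7"), evaluate(GOOD_ORDER, "10.1.1.7"))
    print("Q38 spoofed 203.0.113.5 ->", evaluate(EGRESS_ACL, "203.0.113.5"))
```

A shadowed entry is not an error the router reports: IOS accepts the misordered list and simply never reaches the deny, so a check like shadowed() belongs in whatever reviews ACL changes before they are pushed. The evaluator does not model router-generated packets, which bypass the router's own outbound ACLs as question 60 notes.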