ccna security questions answers

www.640-553.com Help you pass CCNA SECURITY EXAMS

CCNA Security Q&A -------by Nar([email protected]) www.CertBible.org Help you pass any it exams www.ccnp.ccwww.ccvp.ccwww.ccsp.namewww.ccna.cc www.640-802.netwww.ciscoexams.org The IOS Firewall Set Questions & Answers:

1-Question:Define the term "DMZ" as it pertains to network security, and name three different common network devices that are typically found there.

Answer: It's easy to think of your network as the "inside", and everything else as "outside". However, we've got a third area when it comes to firewalls - the DMZ.

From an IT standpoint, the DMZ is the part of our network that is exposed to outside networks. It's common to find the following devices in a DMZ:

• FTP server • Email server • E-commerce server • DNS servers • Web servers

2-Question: Identify the true statements.

A. Stateless packet filtering considers the TCP connection state. B.

Stateful packet filtering considers the TCP connection state.

C. Neither stateless nor stateful packet filtering monitor the TCP connection state. D. Both stateless and stateful packet filtering monitor the TCP connection state, and keep a state table containing that information.

Answer: (B.) Stateful packet filtering does monitor the connection state, and that's particularly important when it comes to preventing TCP attacks. A stateful firewall will not only monitor the state of the TCP connection, but also the sequence numbers. Stateful firewalls accomplish this by keeping a session table, or state table.

3-Question:Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?

Answer:The Cisco IOS Firewall is a stateful filter.

4-Question: Which of the following are considered parts of the IOS Firewall feature set? A.

http://www.certbible.org/

http://www.ccnp.cc/

http://www.ccvp.cc/

http://www.ccsp.name/

http://www.ccna.cc/

http://www.640-802.net/


IOS Firewall

B. Intrusion Prevention System C. RADIUS

D. Authentication Proxy

E. Password Encryption


CCNA Security Q&A -------by Nar([email protected]) Answer:(A, B, D.) There are three major components to the IOS Firewall feature set - the IOS Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy.

5-Question:Identify the true statements regarding the Authentication Proxy. A.

It's part of the IOS Firewall Feature Set.

B. It allows creation of per-user security profiles, rather than more general profiles. C. It allows creation of general security profiles, but not per-user profiles. D.

Profiles can be stored locally, but not remotely.

E. Profiles can be stored on a RADIUS server.

F. Profiles can be stored on a TACACS+ server. Answer: (A, B, E, F. T he Authentication Proxy allows us to create security profiles that will be applied on a per-user basis, rather than a per-subnet or per-address basis. These profiles can be kept on either of the following:

• RADIUS server • TACACS+ server

Upon successful authentication, that particular user's security policy is downloaded from the RADIUS or TACACS+ server and applied by the IOS Firewall router.

6-Question:Configuring ACLs is an important part of working with the IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?

Answer: We have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.

R3#conf t R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0 R3(config)#conf t R3(config)#access-list 7 permit host 10.1.1.1 The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.

R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255

There's no "right" or "wrong" decision to make when you're configuring ACLs in the real world. For your exam, though, I'd be very familiar with the proper use of host and any.


CCNA Security Q&A -------by Nar([email protected]) 7-Question:What does the dollar sign in the following ACL line indicate?

R1(config)#$ 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255 Answer: The dollar sign simply indicates that part of the command you're entering or viewing can't be shown because the entry is so long. It does not mean the command is illegal.

8-Question:Basically, how does an IOS Firewall prevent a TCP SYN attack?

Answer: The IOS Firewall can use any or all of the following values to detect when a TCP SYN attack is underway

Overall total of incomplete TCP sessions Number of incomplete TCP sessions in a certain amount of time Number of incomplete TCP sessions on a per-host basis

When any of these thresholds are reached, either of the following actions can be taken: Block all incoming SYN packets for a certain period of time Transmit a RST to both parties in the oldest incomplete session

9-Question:What does the term "punch a hole in the firewall" refer to? (Logically, that is, not physically.)

Answer: That term simply refers to configuring the firewall to open a port that was previously closed. Don't forget to close it when you no longer need it to be open!

10-Question:What exactly does the router-traffic option in the following configuration do?

R4(config)#ip inspect name PASSCCNASECURITY tcp router-traffic R4(config)#ip inspect name PASSCCNASECURITY udp router-traffic R4(config)#ip inspect name PASSCCNASECURITY icmp router-traffic Answer: If you're going to inspect traffic that is actually generated on the router, you need to include the router-traffic option at the end of that particular ip inspect statement

Questions On NTP, SSH, Telnet, And More

11-Question: We'll start with a question you learned the answer to in your CCNA studies. When you have an enable secret and an enable password set, which takes precedence over the other?

A. The enable secret takes precedence.

B. The enable password takes precedence.

C. You cannot set both an enable secret and an enable password.

D. You can set them both, but since they must be set to the same value, there is no question of precedence.


CCNA Security Q&A -------by Nar([email protected]) Answer: A. The enable secret always takes precedence over the enable password

12-Question: What device and stratum level are found at the top of the NTP hierarchy? A.

Atomic clocks, stratum 1

B. Atomic clocks, stratum 0 C. NTP Masters, stratum 1

D. NTP Masters, stratum 0

E. NTP Primary, stratum 0

F. NTP Primary, stratum 1

Answer: B. Atomic clocks are at the top of the NTP hierarchy, and that top level is Stratum 0. Cisco routers cannot get their time directly from a Stratum 0 device.

13-Question: What port does NTP use?

Answer: NTP uses UDP port 123. Remember that when you're configuring your ACLs!

14-Question: What are the options for NTP authentication? A.

MD5

B. Bellman-Ford C. clear text

D. CHAP

E. PAP

Answer: A. As IOS Help illustrates, the only option here is MD5. You still have to specify that option, though.

R1(config)#ntp authentication-key 1 ?

md5 MD5 authentication 15-Question: What command resulted in the following output?

R2# Clock is synchronized, stratum 10, reference is 172.12.23.3 nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19 reference time is CBB9CEC8.17FBD1B8 (15:05:44.093 UTC Wed Apr 23 2008)


CCNA Security Q&A -------by Nar([email protected]) clock offset is -0.6214 msec, root delay is 37.20 msec root dispersion is 5.04 msec, peer dispersion is 0.53 msec Answer: That command output is the result of the show ntp status command

16-Question: What command will limit the overall number of NTP peers and clients that the local router can form an association with?

Answer: You can limit the overall number of NTP peers and clients with the ntp max-associations command.

R3(config)#ntp max-associations ?

<0-4294967295> Number of associations 17-Question: What authentication option is available for Telnet that is not available with SSH?

Answer: You can use a line password for Telnet, but not for SSH. For SSH, you'll need to use AAA or a locally configured database

18-Question: What command resulted in the following output?

R1(config)# The name for the keys will be: HQ.HQ.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] Answer: That output is the result of the crypto key generate rsa command.

19-Question: Name the two options for TCP Intercept mode and describe the major operational difference between the two.

Answer: TCP Intercept is generally run in intercept mode, allowing the router to intercept those TCP SYN requests and answer them on behalf of the server.

If the SYN source is legitimate, a TCP ACK should be received by the router. If and when that happens, the router considers that three-way handshake to be complete and the SYN source to be legitimate.

In turn, the router opens a TCP connection to the server, and when that connection is complete, the router merges the two open connections into one.

This prevents any non-legitimate SYN packets from ever reaching the server. TCP Intercept can be configured to intercept all incoming SYN packets, or an ACL can be written to identify the source and destination for packets that should be intercepted.


CCNA Security Q&A -------by Nar([email protected]) TCP Intercept can also be run in watch mode, a much more passive mode than intercept mode. In watch mode, the router does not intercept the SYN packets, but passes them through to the TCP server.

The router does watch this incomplete connection, and will close it if it's not completed after a certain period of time - by default, 30 seconds.Use the ip tcp intercept-mode command to configure the desired mode.

R1(config)#ip tcp intercept mode ?

intercept Intercept connections watch Watch connections

R1(config)#ip tcp intercept mode intercept

20-Question: Name the two operational modes for Autosecure and describe the major difference between them.

Answer: The Autosecure modes:

Interactive, where the admin is prompted for input. This mode is similar to Setup Mode. If you're going to configure anything requiring user interaction - SSH, enable passwords, etc. - you should use this mode.

Non-interactive, where Cisco's recommended settings for Autosecure are put into action. Cisco's recommended settings are very secure - maybe too secure for your network!

Network Attacks And Defenses Questions & Answers:

21-Question Which RFC refers to all of the following network address ranges, and how do these ranges relate to network security?

0.0.0.0 /8

10.0.0.0 /8

127.0.0.0 /8

172.16.0.0 /12

192.168.0.0 /16

224.0.0.0 /4

240.0.0.0 /4

Answer: RFC 3704 (an updated version of RFC 2827) recommends that packets sourced from those address ranges not be allowed to enter your network.


CCNA Security Q&A -------by Nar([email protected]) Blocking these address ranges for incoming traffic on your network's perimeter routers is sometimes called "2827 filtering" or "3704 filtering", referring to the original and updated RFCs that discuss this topic in a great deal of detail.

22-Question Which of the following are considered reconnaissance attacks, and which are access attacks?

A. ping sweep

B. port scan

C. password attack

D. trust exploitation

E. DSL query

Answer: Recon attacks: ping sweeps, port scans, DSL queries.

Access attacks: password attacks and trust exploitation

23-Question The term "port redirection" refers to which type of network attack mentioned in Question 2?

Answer: Port redirections are a type of trust exploitation.

24-Question Which of the following statements referring to Superviews and Views are true?

A. IOS Commands can be contained in multiple views on the same router. B.

A single view can be contained in more than one Superview.

C. Deleting a Superview results in all Views contained in that Superview to be deleted as well. D. Logging into a Superview allows the user to execute all commands in all Views that are part of that Superview.

Answer: A, B, D. The only false statement is that deleting a Superview results in the deletion of all of the Views it contain. Deleting a Superview does not result in the deletion of its Views.

25-Question Which of the following are disabled by default when you run Autosecure? A.

PAD

B. UDP and TCP Small Servers C. BootP

D. CDP


CCNA Security Q&A -------by Nar([email protected]) E. NTP

Answer: A, B, C, D, E.

By default, the following will be globally disabled by AutoSecure:

Finger - recon attack possibility

PAD - known vulnerabilities

UDP and TCP Small Servers - attacker can request large number of UDP diagnostics

BootP - known vulnerabilitiest

HTTP services, Identification Service (queries TCP port), CDP, NTP and IP source routing are also disabled globally.

26-Question Which of the following are enabled by default when you run Autosecure on a Cisco router?

A. Password encryption service

B. TCP keepalives (inbound only) C.

TCP keepalives (outbound only)

D. TCP keepalives (both inbound and outbound) E. IP source routing

F. HTTP services

Answer: A, D. Both the password encryption service and TCP keepalives (inbound and outbound) will be enabled by AutoSecure

27-Question Which of the following will be enabled by default when you run Autosecure?

A. logging timestamps and sequence numbers

B. logging console critical

C. logging buffered

D. logging trap disabled

Answer: A, B, C, D. All of those will be enabled by AutoSecure.

28-Question You're configuring one-step lockdown via SDM. According to SDM, can you undo any of the lockdown settings once you run the lockdown feature?


CCNA Security Q&A -------by Nar([email protected]) A. No, the lockdown is irreversible.

B. Yes, by running Security Audit Wizard and selecting "Undo Security Configurations".

C. Yes, by running the Additional Tasks option.

D. Yes, by choosing "Undo Lockdown".

Answer: B, C. . You can change some or all of the lockdown settings by using the Undo Security Configurations section of the Security Audit Wizard or by using Additional Tasks, as shown below in this SDM Screen Shot from my CCNA Security Study Package.

29-Question You're running Autosecure at the CLI and decide about halfway through the prompts that you'd like to stop without saving any of your Autosecure configuration. Can you do this, and if so, how? (Unplugging the router is not acceptable.)

Answer: Our old friend ctrl-c will do the job, as shown in the prompts you're shown after running the auto secure command. Note the disclaimer shown at the top of this output!

R1#auto secure

--- AutoSecure Configuration --- *** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks *** AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation.


CCNA Security Q&A -------by Nar([email protected]) At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt. 30-Question As it relates to how they are spread, what is the major difference between a worm and a virus?

Answer: The terms virus and worm are often used interchangeably, but they're not quite the same thing. A major difference between the two is that a worm can spread from its entry point to the rest of your network without the "help" of a human being.

A common worm attack is carried out by the worm finding your email address book and then sending a copy of itself to every recipient in that book. The worm executes its code and then continues to send copies of itself.

A virus can't be spread without an end user helping out, generally by forwarding an infected file or attachment.

Practice Questions for AAA essentials

31-Question: Which statement below best describes AAA?

a) AAA is an automobile club b) AAA is an architectural framework for configuring a set of three independent security

functions in a consistent manner. c) AAA is a means for authorizing asymmetric (network) access d) AAA is gives users total access to the network

Answer: B

32-Question: AAA provides which of the following benefits?

a) increased flexibility and control b) Scalability c) Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos d) Multiple backup systems e) All of the above

Answer: E

33-Question: Which statement below best describes the AAA philosophy?

a) AAA only allows you to set up group definitions for user access b) AAA does not allow virtual profiles c) AAA is designed to enable you to dynamically configure the type of authentication and

authorization you want on a per-user or per-service basis. d) AAA does not support IPS services


CCNA Security Q&A -------by Nar([email protected]) Answer: C

34-Question: Which three security protocols are used by AAA servers? (Choose three.)

a) RADIUS

b) RADIUS+ c) TACACS d)

TACACS+ e) Kerberos f) ISAKMP

Answer: A, D, E

35-Question: Which statement below best describes the difference between RADIUS and TACACS+?

a) RADIUS uses UDP while TACACS+ uses TCP b) RADIUS uses TCP while TACACS+ uses UDP c) RADIUS and TACACS+ both use TCP d) RADIUS and TACACS+ both use UDP

Answer: A

36-Question: Which statement below best describes the difference between RADIUS and TACACS+? (Choose Two.)

a) RADIUS encrypts only the password in the access-request packet, from the client to the

server b) TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. c) RADIUS and TACACS+ both encrypt the entire body of the packet d) TACACS+ only encrypts the user password and challenge response and reply

Answer: A, B

37-Question: Which statement below is true?

a) RADIUS supports non IP protocols b) TACACS+ does not support AppleTalk c) TACACS+ offers multiprotocol support d) RADIUS offers multiprotocol support

Answer: C

38-Question: Which statement below is true regarding the RADIUS protocol?

a) RADIUS does not allow users to control which commands can be executed on a

router and which cannot; therefore, it is not as useful for router management or as flexible for terminal services.


CCNA Security Q&A -------by Nar([email protected])

b) RADIUS allows users to control which commands can be executed on a router, once properly authenticated, and as permitted in the authorization reply

c) RADIUS, using TCP, secures the authorization and accounting processes by transmitting sensitive information in a secure tunnel once the connection is properly authenticated.

d) RADIUS provides for flexible user and device authentication and access authorization management

Answer: A


CCNA Security Q&A -------by Nar([email protected]) Questions & Answers from The Bryant Advantage

1-Question: In terms of their position in the flow of traffic, what's the major difference between an IPS and an IDS? Answer: An IDS is not in the direct flow of network traffic. Instead, the traffic flows are mirrored to the IDS. When infected traffic does hit the network, the IDS will see this and take appropriate action. In contrast, the Intrusion Prevention System (IPS) does sit in the middle of the traffic flow - in this case, the IPS will actually be our Cisco router. When the IPS detects a problem, the IPS itself can prevent the traffic from entering the network

2-Question: What is SDEE, and what do we use it for?

Answer:

3-Question: What is the highest stratum level in the NTP hierarchy? Can a Cisco router serve at that level? Answer: Stratum-0, and no. Typically that role is held by an atomic clock. Cisco routers are good, but not atomic

4-Question: What benefit does "GRE over IPSec" offer than IPSec by itself does not?

Answer: By combining GRE and IPSec, each protocol helps to compensate for the other's limitation:

IPSec adds data integrity and confidentiality that GRE does not offer

GRE offers the ability to carry routing protocol traffic, which IPSec does not offer

Why call it "GRE over IPSec" rather than "IPSec over GRE"? Because the GRE encapsulation happens first, and then that encapsulation is encapsulated again, by IPSec. In effect, we have a GRE tunnel inside an IPSec tunnel.

5-Question: You're editing an ACL in SDM and notice some asterisks under source and destination. What do those asterisks indicate?

Answer: In SDM, asterisks indicate the ACL keyword any.

6-Question: What is "3704 filtering", and what does it have to do with network security?

Answer: RFC 3704 (an updated version of RFC 2827) recommends that packets from the following network ranges be prohibited from entering your network:

0.0.0.0 /8

10.0.0.0 /8 (RFC 1918 Class A private range)

127.0.0.0 /8 (loopback address range)

172.16.0.0 /12 (RFC 1918 Class B private range)


CCNA Security Q&A -------by Nar([email protected]) 192.168.0.0 /16 (RFC 1918 Class C private range)

224.0.0.0 /4 (reserved for IP multicasts)

240.0.0.0 /4 (RFC 1918 Class E private range)

Blocking these address ranges for incoming traffic on your network's perimeter routers is sometimes called "2827 filtering" or "3704 filtering", referring to the original and updated RFCs that discuss this topic in a great deal of detail.

7-Question: The following three timers sound a great deal alike, but they have very different functions. What purpose do each of these timers fill?

ip inspect finwait-time

ip inspect tcp synwait-time

ip inspect tcp idle-time

Answers:

ip inspect finwait-time defines the amount of time between one of the two endpoints of an established TCP session starts to end the connection and the time that entry is removed from the state table. Default is 5 seconds.

ip inspect tcp idle-time defines just what you think it would - the amount of time an idle TCP connection is kept in the state table. Default is 3600 seconds.

ip inspect tcp synwait-time defines the time allowed for a TCP three-way handshake to reach the Established stage. Default is 30 seconds. If this timer expires, the connection is terminated and the entry removed from the router's state table.

8-Question: In regards to the IOS Firewall set, what is generic inspection? What's so "generic" about it?

Answer; I'm not going to show you the entire IOS Help readout for the following command, but believe me - it's a long, long list. On this particular router, I had over 150 options.

R1(config)#ip inspect name CCNP ?

802-11-iapp IEEE 802.11 WLANs WG IAPP ace-svr ACE Server/Propagation appfw Application Firewall appleqtc Apple QuickTime bgp Border Gateway Protocol biff Bliff mail notification bootpc Bootstrap Protocol Client

If you want to inspect all TCP and/or UDP connections, you can specify TCP and/or UDP as the inspected protocol, rather than a more-specific entry. This is generic inspection and is configured by entering tcp or udp at that same point in the ip inspect command.

CCNA Security Q&A -------by Nar([email protected]) tcp Transmission Control Protocol

udp User Datagram Protocol

This will inspect any TCP and/or UDP protocol traffic, even if the specific application isn't named in the inspection rule. Generic inspection is designed to allow return traffic for all TCP and/or UDP connections that are initiated on the inside network.

So why don't we just configure all TCP and UDP traffic to be inspected generically and leave it at that?

Application-specific commands are not interpreted by generic inspection, and that means that the return packets may not be allowed to enter the inside network. If the return traffic is using a different port number than the original traffic, generic inspection may not allow that return traffic to enter the network.

9-Question: What exactly is fail closed? Is it enabled or disabled by default? Answer: The following illustration from my CCNP ISCW and CCNA Security study guides explains it! The default settings are shown - note that Fail Closed is off by default.

10-Question: You're in SDM and want to perform a one-step router lockdown. Take a look at the following screen shot and tell me where you should click next.



Answer: Click the Security Audit button. You'll see the following screen at that point - note the mention of one-step lockdown.

11-Question: When you're configuring SDM, you have two options for the location of SDF files. What are they?

Answer: You can specify a URL or Flash, as demonstrated by this screen shot from my picture



12-Question: What's the difference between symmetric and asymmetric encryption? Answer: Symmetric encryption is an algorithm where the key that is used for encryption is also used for decryption. The drawback to symmetric encryption is that the key is used for two purposes, making it that much easier for an intruder to discover the key.

In contrast, asymmetric encryption involves two keys for both the sender and receiver. This public key encryption scheme involves a public and private key for each user. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority (CA).

13-Question: What is the purpose of the 256MB.sdf file? What does the "256" refer to?

Answer: This is one of three preconfigured Signature Definition Files. Cisco's website recommends running the Intruder Prevention System (IPS) with the preconfigured files - attack-drop.sdf, 128MB.sdf, and 256MB.sdf. The "128MB" and "256MB" refer to the amount of memory necessary to use these particular files.

14-Question: Which of the following does not use encryption?

A. SSH

B. SSL

C. NTP v 3

D. Telnet

E. SMTP v 3

Answer: D. The other four all use encryption in some form. 15-Question: How can you configure SDM to preview the commands before delivering them to the router, and also give you a confirmation prompt when you leave SDM? Answer: I personally check Preferences in SDM every time I use it, and I recommend you do the same. Before proceeding to the Configuration section, go to the upper-left corner of the initial SDM window and select Preferences, as shown here:


CCNA Security Q&A -------by Nar([email protected]) Then you can edit these three prefs to your heart's delight! (The following illustration was trimmed to fit Blogger.)

16-Question: What is the anomaly method?

Answer: "This is the IPS method of identifying malicious traffic where differences from normal traffic patterns are sought and detected."

17-Question: What's the purpose of the attack-drop.sdf file? Answer: The attack-drop.sdf file is a Signature Definition File that contains the latest and greatest IPS signatures.

18-Question: There are three basic methods IPS uses to identify potentially malicious traffic. Name all three and give a brief definition of each. Answer: Both the IPS and IDS can base their identification of dangerous and malicious traffic on the following:

Policy, where a configured policy may ban particular IP addresses, ports, or even websites

Signature, where byte patterns are considered along with other values.

Anomaly, where differences from normal traffic patterns are sought and detected.

19-Question: In SDM, you might see a green square next to a signature. What does that symbol indicate?

Answer: The green square indicates the signature is at its default setting. Here are the two possibilities, as shown in this image from my CCNA Security Study Package. (Click the

image for a larger view.) 20-Question: You're working in SDM to configure an Easy VPN Server. You'll have three options for authenticating your Easy VPN Clients. What are they?

Answer: The choices are Pre-shared key, Digital Certificates, and Both, as shown here in this screen shot from my CCNA Security Study Package. (Click the image for a larger view.)



21-Question: You're working in SDM to configure an Easy VPN Server. You'll have three options for authenticating your Easy VPN Clients. What are they?

Answer: The choices are Pre-shared key, Digital Certificates, and Both, as shown here in this screen shot from my CCNA Security Study Package. (Click the image for a larger view.)

22-Question: You're working in SDM to create a VPN. What service must be running on the router to do so? (Hint: If the router isn't already running it, SDM will prompt you to

activate it.) Answer: AAA must be running. As shown here, the Launch Easy VPN Server Wizard button will not even be enabled if AAA is not running. Note that SDM has an Enable AAA option on the right-hand side of the window.



Clicking Enable AAA brings up the following prompt:

Answering Yes will enable AAA on the router and the Launch Easy VPN Server Wizard button will then be enabled.

23-Question: What's the purpose of the ip inspect tcp idle-time command?

Answer: ip inspect tcp idle-time sets the amount of time an idle TCP connection is kept in the state table. Default is 3600 seconds.

24-Question: When configuring a basic firewall in SDM, what are the three options for the preconfigured security levels? Can you create your own custom security levels?

Answer: The options are High, Medium, and Low. In the Basic Firewall Wizard, you cannot create your own custom security levels, but you can do so in the Advanced Wizard.

25-Question: In terms of network security, what purpose does a honeypot serve?

Answer: A honeypot is a network device that is purposely left open to attack. The attack methods are then analyzed in order to develop a defense against that attack type. (Obviously, this will not be a production server!)

26-Question: You're configuring IPS in SDM, and you just enabled the Fail Closed option. What's the net effect?


CCNA Security Q&A -------by Nar([email protected]) Answer: Here's the exact description of Fail Closed from SDM itself:

"By default, while IOS compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. Enable this option to make IOS drop packets during the compilation process."

Fail Closed is disabled by default.

27-Question: In SDM, what does an asterisk indicate when it's used in a graphical representation of an ACL?

Answer: An asterisk represents the ACL option "any".

28-Question: Name two major differences between the capabilities between the Basic and Advanced Firewall Wizards in Security Device Manager.

Answer: The Advanced Wizard allows you to configure multiple outside interfaces as well as a DMZ. The Basic Wizard allows neither of these.

Additionally, the Advanced Wizard allows you to define your own customized rules, where the Basic Wizard does not. Here's a screen shot of SDM's Firewall And ACL menu that mentions these differences. (Click the illustration to enlarge.)

29-Question: What are the two options you should expect to see IOS Help display in the following command?

R1(config)#ip tcp intercept mode ? Answer: You can run TCP interfcept in intercept or passive mode. 30-Question: You're using the Authentication Proxy. Where can you store the user-specific security profiles? Answer: The profiles can be downloaded from a TACACS+ or RADIUS server.



CCNA Security Q&A -------by Nar([email protected]) 31-Question: Identify the true statements:

A. An IPS is in the direct path of network traffic flow. B.

An IDS is in the direct path of network traffic flow.

C. Both an IPS and IDS will be found in the direct path of network traffic flow. D. Neither an IPS nor an IDS will be found in the direct path of network traffic flow.

Answer: A. An Intrusion Prevention System will be in the direct path of traffic, but an Intrusion Detection System will not be found there.

32-Question: You've just written and applied an ACL, and you notice your Network Time Protocol deployment is no longer working correctly. What port should your ACL permit to allow NTP to begin working again?

Answer: NTP uses UDP port 123.

33-Question: Describe an IP Spoofing attack.

Answer: You may remember from your ISDN studies that when an ISDN line was pretending to be up, it was said to be spoofing.

When a network intruder uses the IP address of a trusted device in order to gain access to your network, that's IP Spoofing.

IP Spoofing can be used against your network in several ways:

1. To inject a stream of malicious code and/or commands into your network

2. To trick legitimate network hosts into sending sensitive data to the attacker

3. As part of a reconnaissance attack, an attack that in itself may not be damaging, but is used to gather information for future, more destructive attacks.

34-Question: Briefly describe the purpose of a "SYN cookie".

Answer: One defense against SYN attacks, a SYN cookie verifies the client address before actually allocating resources to that client.

35-Question: Briefly describe the term "teardrop attack".

Answer: IP fragments with large payloads are the method of attack. Issues with the TCP fragmentation reassembly code of Windows NT, 96, and 3.1x (among others) created this opening.


CCNA Security Q&A -------by Nar([email protected]) 36-Question: Which of the following queueing strategies gives priority to interactive, low- bandwidth communications?

A. FIFO

B. PQ C.

CQ D.

DQ

E. WFQ.. Answer:

37-Question: In a typical Network Management block, what switch layers are represented?

A. Access

B. Distribution

C. Core

Answers: A, B. In addition to network management devices, both Access and Distribution switches will be found here.

38-Question: What protocol number does the Encapsulating Security Payload use?

Answer: 50.

39-Question: What combination of hex characters at the beginning of an IPV6 address indicates a broadcast?

A. DD

B. EE

C. FF

D. 00110011 E. None of the above.

Answer: E. None of those - IPv6 doesn't use broadcasts.

40-Question: On a low-speed link, how often does EIGRP send hello packets?

A. Every 5 seconds.

B. Every 15 seconds. C. Every 60 seconds.

D. Every 90 seconds.

E. Every 300 seconds.

Answer:

CCNA Security Q&A -------by Nar([email protected]) 41-Question: Briefly describe a "DDoS" attack.

Answer: A Distributed Denial-Of-Service attack is a typical DoS attack, but one that is carried out by a large number of attackers rather than a single host.

42-Question: Which of the following possible points of network vulnerability are enabled by default?

A. NTP

B. TCP / UDP Small Servers

C. BOOTP Server

D. CDP

Answers: C, D. You can turn BOOTP server off with the no ip bootp server command, and you can disable CDP either globally or on a per-interface basis.

43-Question: What term is given to the network attack that occurs when an intruder gathers information in preparation for a larger attack in the future?

Answer: That is a network reconnaissance attack. Recon attacks are generally not destructive in themselves, since the actual point of a recon attack is to avoid notice. It's the information gathered during the recon attack that we're concerned about, since that info can and probably will be used in a future attack - and that attack will be destructive.

44-Question: You want to display a message to users who connect to your router via Telnet. What command will you use to do so?

Answer: Use the banner login command.

45-Question: You're defining inspection rules on a Cisco firewall. What command are you using?

Answer: The global ip inspect command

46-Question:What SDM Wizard is in use below?

Answer: That brick wall in the middle is a firewall, so we know it's a firewall wizard. Since



CCNA Security Q&A -------by Nar([email protected]) we're limited to one outside interface and there's no reference to a DMZ, this must be the Basic Firewall Wizard. (The Advanced Firewall Wizard allows the configuration of multiple outside interfaces and a DMZ)..

47-Question: What is the net effect of the following configuration?

R1(config)#access-list 110 permit tcp any 10.0.0.0 0.255.255.255

R1(config)#ip tcp intercept list 110 Answer: To configure an ACL to define the source and destination of packets that should be subject to TCP Intercept, write the ACL and then apply it with the ip tcp intercept list command. Most likely, you'll specify a source of "any", as I did in the above example.

48-Question: You're ensuring that only the devices in a VPN that should see the data in unencrypted format will see the data that way. Which of the following are you practicing?

a) data confidentiality b) data integrity c) replay attack protection d) data origin authentication

Answer: A.

Data Confidentiality means that only the devices that should see the data in an unencrypted form will see the data that way.

Data Integrity means that the recipient of the data can guarantee that the received data is the same as the transmitted data - in short, that the data was not altered during transport.

Data Origin Authentication guarantees that the data originated from a specific endpoint.

Anti-replay protection (sometimes just called "replay protection") protects against replay attacks, a malicious repeat and/or delay of a valid transmission.

49-Question: Do each of the following terms describe TACACS+, RADIUS, both, or neither? (Answers have been appended to each choice.)

A. encrypts the entire packet - TACACS+ only

B. combines the authentication and authorization processes - RADIUS only

C. supports PAD and ARAP - TACACS+ only

D. cannot control the authorization level of users - TACACS+ only

ccna security questions answers

Documents

ios firewall router

user security profiles

network security

tcp connection state

stateful packet filtering

user profiles

radius server tacacs

state table