
CCNAS FINAL 100%

1. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# enabled true

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# enabled true

2. Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?
Issue the logging on command in global configuration.
Issue the ip ips notify sdee command in global configuration.
Issue the ip audit notify log command in global configuration.
Issue the clear ip ips sdee events command to clear the SDEE buffer.

3. Which three principles are enabled by a Cisco Self-Defending Network? (Choose three.)
adaptability
collaboration
insulation
integration
mitigation
scalability

4. What are two disadvantages of using network IPS? (Choose two.)
Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
Network IPS is incapable of examining encrypted traffic.
Network IPS is operating system-dependent and must be customized for each platform.
Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
Network IPS sensors are difficult to deploy when new networks are added.

5. Which access list statement permits HTTP traffic that is sourced from host 10.1.128.100 port 4300 and destined to host 192.168.30.10?
access-list 101 permit tcp any eq 4300
access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

6. Which type of SDM rule is created to govern the traffic that can enter and leave the network based on protocol and port number?
NAC rule
NAT rule
IPsec rule
access rule

7. Refer to the exhibit. When configuring SSH on a router using SDM from the Configure menu, which two steps are required? (Choose two.)
Choose Additional Tasks > Router Access > SSH to generate the RSA keys.
Choose Additional Tasks > Router Access > VTY to specify SSH as the input and output protocol.
Choose Additional Tasks > Router Properties > Netflow to generate the RSA keys.
Choose Additional Tasks > Router Properties > Logging to specify SSH as the input and output protocol.
Choose Additional Tasks > Router Access > AAA to generate the RSA keys.
Choose Additional Tasks > Router Access > Management Access to specify SSH as the input and output protocol.

8. Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)
Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/6 storm control for multicasts and broadcasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/5 storm control for multicasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/5 storm control for broadcasts and multicasts will be activated if traffic exceeds 80.1 percent of 2,000,000 packets per second.

9. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
Subsequent virtual login attempts from the user are blocked for 60 seconds.
During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
Subsequent console login attempts are blocked for 60 seconds.
A message is generated indicating the username and source IP address of the user.
During the quiet mode, an administrator can log in from host 172.16.1.2.
No user can log in virtually from any host for 60 seconds.

10. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
LAN storm
MAC address spoofing
MAC address table overflow
STP manipulation
VLAN attack

11. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
All vty ports are automatically configured for SSH to provide secure management.
The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys mod command.
The keys must be zeroized to reset secure shell before configuring other parameters.
The generated keys can be used by SSH.

12. An organization has mobile workers who use corporate-owned laptops at customer sites to view inventory and place orders. Which type of VPN allows these workers to securely access all of the client/server applications of the organization?
clientless SSL VPN
remote-access IPsec VPN
site-to-site IPsec VPN
HTTPS-enabled SSL VPN

13. Which two guidelines relate to in-band network management? (Choose two.)
Apply in-band management only to devices that must be managed on the production network.
Implement separate network segments for the production network and the management network.
Attach all network devices to the same management network.
Use IPSec, SSH, or SSL.
Deploy a terminal server with console connections to each network device.

14. Which three commands are required to configure SSH on a Cisco router? (Choose three.)
ip domain-name name in global configuration mode
transport input ssh on a vty line
no ip domain-lookup in global configuration mode
password password on a vty line
service password-encryption in global configuration mode
crypto key generate rsa in global configuration mode

15. An administrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account?
privilege exec level 0
privilege exec level 1
privilege exec level 2
privilege exec level 15

16. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
The resulting action is determined by the destination IP address.
The resulting action is determined by the destination IP address and port number.
The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
The traffic is dropped.

17. Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?
The ACL must be applied to each vty line individually.
The ACL is applied to the Telnet port with the ip access-group command.
Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.
The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

18. Which three statements describe SSL-based VPNs? (Choose three.)
Asymmetric algorithms are used for authentication and key exchange.
It is impossible to configure SSL and IPsec VPNs concurrently on the same router.
Special-purpose client software is required on the client machine.
Symmetric algorithms are used for bulk encryption.
The authentication process uses hashing technologies.
The application programming interface is used to extensively modify the SSL client software.
The primary restriction of SSL VPNs is that they are currently supported only in hardware.

19. Refer to the exhibit. What information can be obtained from the AAA configuration statements?
The authentication method list used for Telnet is named ACCESS.
The authentication method list used by the console port is named ACCESS.
The local database is checked first when authenticating console and Telnet access to the router.
If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.
If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

20. Which two Cisco IPS management and monitoring tools are examples of GUI-based, centrally managed IPS solutions? (Choose two.)
Cisco Adaptive Security Device Manager
Cisco IPS Device Manager
Cisco Router and Security Device Manager
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System

21. Refer to the exhibit. Which AAA function and protocol is in use in the network?
The client is authorizing commands using the TACACS+ protocol.
The client is authorizing commands using the RADIUS protocol.
The client is authenticating using the RADIUS protocol.
The client is authenticating using the TACACS+ protocol.

22. Which three OSI layers can be filtered by a stateful firewall? (Choose three.)
Layer 2
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7

23. Refer to the exhibit. Based on the SDM screen shown, which two actions will the signature take if an attack is detected? (Choose two.)
Reset the TCP connection to terminate the TCP flow.
Drop the packet and all future packets from this TCP flow.
Generate an alarm message that can be sent to a syslog server.
Drop the packet and permit remaining packets from this TCP flow.
Create an ACL that denies traffic from the attacker IP address.

24. Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)
switchport mode access
switchport mode trunk
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address mac-address

25. Which statement describes the SDM Security Audit wizard?
After the wizard identifies the vulnerabilities, the SDM One-Step Lockdown feature must be used to make all security-related configuration changes.
After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.
The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist.
The wizard is based on the Cisco IOS AutoSecure feature.
The wizard is enabled using the Intrusion Prevention task.

26. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?
auditing
accounting
authorization
authentication

27. Which two protocols allow SDM to gather IPS alerts from a Cisco ISR router? (Choose two.)
FTP
HTTPS
SDEE
SSH
Syslog
TFTP

28. Refer to the exhibit. Which AAA command logs the activity of a PPP session?
aaa accounting connection start-stop group radius
aaa accounting connection start-stop group tacacs+
aaa accounting exec start-stop group radius
aaa accounting exec start-stop group tacacs+
aaa accounting network start-stop group radius
aaa accounting network start-stop group tacacs+

29. What is a feature of the TACACS+ protocol?
It combines authentication and authorization as one process.
It encrypts the entire body of the packet for more secure communications.
It utilizes UDP to provide more efficient packet transfer.
It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.

30. Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

R1(config)# interface fa0/0
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE out

R1(config)# interface fa0/0
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

31. Refer to the exhibit. Which Cisco IOS security feature is implemented on router R3?
CBAC firewall
reflexive ACL firewall
zone-based policy firewall
AAA access control firewall

32. Which Cisco IOS privileged EXEC command can be used to verify that the Cisco IOS image and configuration files have been properly backed up and secured?
Router# dir
Router# show archive
Router# show secure bootset
Router# show flash

33. Which device supports the use of SPAN to enable monitoring of malicious activity?
Cisco NAC
Cisco IronPort
Cisco Security Agent
Cisco Catalyst switch

34. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
An interface can be assigned to multiple security zones.
Interfaces can be assigned to a zone before the zone is created.
Pass, inspect, and drop options can only be applied between two zones.
If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

35. Refer to the exhibit. Based on the SDM screen shown, which two conclusions can be drawn about the IKE policy being configured? (Choose two.)
It will use digital certificates for authentication.
It will use a predefined key for authentication.
It will use a very strong encryption algorithm.
It will be the default policy with the highest priority.
It is being created using the SDM VPN Quick Setup Wizard.

36. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
authentication
confidentiality
Diffie-Hellman
integrity
nonrepudiation

37. Which statement describes the operation of the IKE protocol?
It uses IPsec to establish the key exchange process.
It uses sophisticated hashing algorithms to transmit keys directly across a network.
It calculates shared keys based on the exchange of a series of data packets.
It uses TCP port 50 to exchange IKE information between the security gateways.

38. Which three types of views are available when configuring the Role-Based CLI Access feature? (Choose three.)
superuser view
root view
superview
CLI view
admin view
config view

39. Which statement describes a MAC address table overflow attack?
An attacker alters the MAC address in a frame to match the address of a target host.
Frames flood the LAN, creating excessive traffic and degrading network performance.
The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
A software tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses.

40. When configuring a class map for zone-based policy firewall, how are the match criteria applied when using the match-all parameter?
Traffic must match all of the match criteria specified in the statement.
Traffic must match the first criteria in the statement.
Traffic must match at least one of the match criteria statements.
Traffic must match according to an exclusive disjunction criteria.

41. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privilege users.
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process.
It is required that all 16 privilege levels be defined, whether they are used or not.

42. What is an important difference between network-based and host-based intrusion prevention?
Host-based IPS is more scalable than network-based IPS.
Host-based IPS can work in promiscuous mode or inline mode.
Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
Network-based IPS provides better protection against OS kernel-level attacks on hosts and servers.
Network-based IPS can provide protection to hosts without the need of installing specialized software on each one.

43. Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
A copy of the Cisco IOS image file has been made.
A copy of the router configuration file has been made.
The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
The Cisco IOS image filename will be listed when the show flash command is issued on R1.
The copy tftp flash command was issued on R1.
The secure boot-config command was issued on R1.

44. Which element of the Cisco Threat Control and Containment solution defends against attempts to attack servers by exploiting application and operating system vulnerabilities?
threat control for email
threat control for endpoints
threat control for infrastructure
threat control for systems

45. Refer to the exhibit. Based on the SDM NTP Server Details screen, which two conclusions can be drawn from the information entered and check boxes checked? (Choose two.)
NTPv1 is being configured.
The IP address of the NTP server is 10.1.1.2.
The IP address of the NTP client is 10.1.1.2.
NTP messages will be sent and received on interface Serial0/0/0 for this router.
NTP routing updates will be sent and received on interface Serial0/0/0 of the NTP server.

46. Which two statements match a type of attack with an appropriate example? (Choose two.)
To conduct an access attack, an attacker uses L0phtCrack to obtain a Windows server password.
To conduct an access attack, an attacker uses Wireshark to capture interesting network traffic.
To conduct a reconnaissance attack, an attacker initiates a ping of death attack to a targeted server.
To conduct a DoS attack, an attacker uses handler systems and zombies to obtain a Windows server password.
To conduct a DoS attack, an attacker initiates a smurf attack by sending a large number of ICMP requests to directed broadcast addresses.
To conduct a reconnaissance attack, an attacker creates a TCP SYN flood causing the server to spawn many half-open connections and become unresponsive.

47. The use of which two options are required for IPsec operation? (Choose two.)
AH protocols for encryption and authentication
Diffie-Hellman to establish a shared-secret key
IKE to negotiate the SA
PKI for pre-shared-key authentication
SHA for encryption

48. Which three security services are provided by digital signatures? (Choose three.)
authenticates the source
authenticates the destination
guarantees data has not changed in transit
provides nonrepudiation of transactions
provides nonrepudiation using HMAC functions
provides confidentiality of digitally signed data

49. Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.)
Place generic ACL entries at the top of the ACL.
Place more specific ACL entries at the top of the ACL.
Router-generated packets pass through ACLs on the router without filtering.
ACLs always search for the most specific entry before taking any filtering action.
A maximum of three IP access lists can be assigned to an interface per direction (in or out).
An access list applied to any interface without a configured ACL allows all traffic to pass.

50. Which consideration is important when implementing syslog in a network?
Enable the highest level of syslog available to ensure logging of all possible event messages.
Log all messages to the system buffer so that they can be displayed when accessing the router.
Synchronize clocks on all network devices with a protocol such as Network Time Protocol.
Use SSH to access syslog information.
