Cisco CCNA Security Practice Exam

Implementing Cisco IOS Network Security (IINS) v1.0

Questions

The following Cisco CCNA Security practice exam questions are based on the course Implementing Cisco IOS Network Security (IINS) v1.0. The answer key is on the last page of this document.

1. What is the goal of an overall security challenge when planning a security strategy?
A) to harden all exterior-facing network components
B) to install firewalls at all critical points in the network
C) to find a balance between the need to open networks to support evolving business requirements and the need to inform
D) to educate employees to be on the lookout for suspicious behavior

2. Which threats are the most serious?
A) inside threats
B) outside threats
C) unknown threats
D) reconnaissance threats

3. Network security aims to provide which three key services? (Choose three.)
A) data integrity
B) data strategy
C) data and system availability
D) data mining
E) data storage
F) data confidentiality

4. Which option is the term for a weakness in a system or its design that can be exploited by a threat?
A) a vulnerability
B) a risk
C) an exploit
D) an attack

2009 Cisco Systems, Inc.

5. Which option is the term for the likelihood that a particular threat using a specific attack will exploit a particular vulnerability of a system that results in an undesirable consequence?
A) a vulnerability
B) a risk
C) an exploit
D) an attack

6. Which option is the term for what happens when computer code is developed to take advantage of a vulnerability? For example, suppose that a vulnerability exists in a piece of software, but nobody knows about this vulnerability.
A) a vulnerability
B) a risk
C) an exploit
D) an attack

7. What is the first step you should take when considering securing your network?
A) Install a firewall.
B) Install an intrusion prevention system.
C) Update servers and user PCs with the latest patches.
D) Develop a security policy.

8. Which option is a key principle of the Cisco Self-Defending Network strategy?
A) Security is static and should prevent most known attacks on the network.
B) The self-defending network should be the key point of your security policy.
C) Integrate security throughout the existing infrastructure.
D) Upper management is ultimately responsible for policy implementation.

9. Which three options are areas of router security? (Choose three.)
A) physical security
B) access control list security
C) zone-based firewall security
D) operating system security
E) router hardening
F) Cisco IOS-IPS security

10. You have several operating groups in your enterprise that require differing access restrictions to the routers to perform their job roles. These groups range from Help Desk personnel to advanced troubleshooters. What is one methodology for controlling access rights to the routers in these situations?
A) configure ACLs to control access for the different groups
B) configure multiple privilege level access
C) implement syslogging to monitor the activities of the groups
D) configure TACACS+ to perform scalable authentication

11. Which of these options is a GUI tool for performing security configurations on Cisco routers?
A) Security Appliance Device Manager
B) Cisco CLI Configuration Management Tool
C) Cisco Security Device Manager
D) Cisco Security Manager

12. When implementing network security, what is an important configuration task that you should perform to assist in correlating network and security events?
A) Configure Network Time Protocol.
B) Configure synchronized syslog reporting.
C) Configure a common repository of all network events for ease of monitoring.
D) Configure an automated network monitoring system for event correlation.

13. Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router?
A) Cisco Self-Defending Network
B) implementing AAA command authorization
C) the auto secure CLI command
D) performing a security audit via SDM

14. Which three of these options are some of the best practices when you implement an effective firewall security policy? (Choose three.)
A) Position firewalls at strategic inside locations to help mitigate inside nontechnical attacks.
B) Configure logging to capture all events for forensic purposes.
C) Use firewalls as a primary security defense; other security measures and devices should be implemented to enhance your network security.
D) Position firewalls at key security boundaries.
E) Deny all traffic by default and permit only necessary services.

15. Which statement is true when configuring access control lists (ACLs) on a Cisco router?
A) ACLs filter all traffic through and sourced from the router.
B) Apply the ACL to the interface prior to configuring access control entries to ensure that controls are applied immediately upon configuration.
C) An implicit deny is applied to the start of the ACL entry by default.
D) Only one ACL per protocol, per direction, and per interface is allowed.

16. Which option correctly defines asymmetric encryption?
A) uses the same keys to encrypt and decrypt data
B) uses MD5 hashing algorithms for digital signage encryption
C) uses different keys to encrypt and decrypt data
D) uses SHA-1 hashing algorithms for digital signage encryption

17. Which option is a desirable feature of using symmetric encryption algorithms?
A) They are often used for wire-speed encryption in data networks.
B) They are based on complex mathematical operations and can easily be accelerated by hardware.
C) They offer simple key management properties.
D) They are best used for one-time encryption needs.

18. Which option is true of using cryptographic hashes?
A) They are easily reversed to decipher the message context.
B) They convert arbitrary data into a fixed-length digest.
C) They are based on a two-way mathematical function.
D) They are used for encrypting bulk data communications.

19. Which option is true of intrusion prevention systems?
A) They operate in promiscuous mode.
B) They operate in inline mode.
C) They have no potential impact on the data segment being monitored.
D) They are more vulnerable to evasion techniques than IDS.

20. Which statement is true when using zone-based firewalls on a Cisco router?
A) Policies are applied to traffic moving between zones, not between interfaces.
B) The firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command.
C) Interface ACLs are applied before zone-based policy firewalls when they are applied outbound.
D) When configured with the PASS action, stateful inspection is applied to all traffic passing between the configured zones.

CCNA Security Practice Questions Answer Key

1. C
2. A
3. A, C, F
4. A
5. B
6. C
7. D
8. C
9. A, D, E
10. B
11. C
12. A
13. C
14. C, D, E
15. D
16. C
17. A
18. B
19. B
20. A
