cisco. Number: Passing Score: 800 Time Limit: 120 min


Sections
1. Common Security Threats
2. Security and Cisco Routers
3. AAA
4. IOS ACLs
5. Secure Network Management and Reporting
6. Common Layer 2 Attacks
7. Cisco Firewall Technologies
8. Cisco IPS
9. VPN Technologies

Exam A

QUESTION 1
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)
A. Spam protection
B. Outbreak intelligence
C. HTTP and HTTPS scanning
D. Email encryption
E. DDoS protection
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Reference:
IronPort Email Security Appliances and IronPort Web Security Appliances (WSA): these appliances provide granular control of email and, in the case of web traffic and the WSA, can track thousands of applications and enforce security policies to protect networks against threats.

QUESTION 2
Which two characteristics represent a blended threat? (Choose two.)
A. man-in-the-middle attack
B. trojan horse attack
C. pharming attack
D. denial of service attack
E. day zero attack
Correct Answer: BE
Section: 1. Common Security Threats
Reference:
A blended threat is an exploit that combines elements of multiple types of malware and usually employs multiple attack vectors to increase the severity of damage and the speed of contagion. Nimda, CodeRed, Bugbear and Conficker are a few well-known examples. Although they may be identified as viruses, worms or Trojan horses, most current exploits are blended threats.

A blended threat typically includes:
- More than one means of propagation; for example, sending an email with a hybrid virus/worm that will self-replicate and also infect a web server so that contagion will spread through all visitors to a particular site.
- Exploitation of vulnerabilities, which may be pre-existing or may be caused by malware distributed as part of the attack.
- The intent to cause real harm, for example by launching a denial of service (DoS) attack against a target or delivering a Trojan horse that will be activated at some later date.
- Automation that enables increasing contagion without requiring any user action.

To guard against blended threats, experts urge network administrators to be vigilant about patch management, use and maintain good firewall products, employ server software to detect malware, and educate users about proper email handling and online behavior.

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

QUESTION 3
Which type of security control is defense in depth?
A. threat mitigation
B. risk analysis
C. botnet mitigation
D. overt and covert channels
Correct Answer: A
Section: 1. Common Security Threats

QUESTION 4
Which four methods are used by hackers? (Choose four.)
A. footprint analysis attack
B. privilege escalation attack
C. buffer Unicode attack
D. front door attacks
E. social engineering attack
F. Trojan horse attack
Correct Answer: ABEF
Section: 1. Common Security Threats

QUESTION 5
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?
A. aaa accounting network start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+
Correct Answer: C
Section: 3.0 AAA

QUESTION 6
What is the best way to prevent a VLAN hopping attack?
A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BPDU guard.
Correct Answer: C
Section: 6. Common Layer 2 Attacks

QUESTION 7
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?
A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonnegotiate
Correct Answer: D
Section: 6. Common Layer 2 Attacks

QUESTION 8
Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)
A. root guard
B. BPDU filtering
C. Layer 2 PDU rate limiter
D. BPDU guard
Correct Answer: AD
Section: 6. Common Layer 2 Attacks
Reference:
The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.

The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.

QUESTION 9
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)
A. IP source guard
B. port security
C. root guard
D. BPDU guard
Correct Answer: AB
Section: 6. Common Layer 2 Attacks
Reference:
Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port. This also provides the ability to specify an action to take if a port security violation occurs.

IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on nonrouted Layer 2 interfaces. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.
Reference: layer2-secftrs-catl3fixed.html#ipsourceguard

QUESTION 10
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Reference:
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port, but not with ports in other community VLANs.
Reference: n400xi_config/privatevlans.html

QUESTION 11
What are two primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. switch spoofing
C. CAM-table overflow
D. double tagging
Correct Answer: BD
Section: 6. Common Layer 2 Attacks
Reference:
Switch spoofing is when a host uses software to act like a switch and connects via a negotiated trunk port. Double tagging is when a host tags frames with two VLAN tags.

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them. VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.

Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown below. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

QUESTION 12
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member

B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD
Section: 7. Cisco Firewall Technologies

QUESTION 13
Which two services are provided by IPsec? (Choose two.)
A. Confidentiality
B. Encapsulating Security Payload
C. Data Integrity
D. Authentication Header
E. Internet Key Exchange
Correct Answer: AC
Section: 9.0 VPN Technologies

QUESTION 14
Which command verifies phase 2 of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active
Correct Answer: B
Section: 9.0 VPN Technologies
Reference:
The main commands for verifying IPsec connections on Cisco devices are:
- show crypto isakmp sa: shows IKE Phase 1.
- show crypto ipsec sa: shows IKE Phase 2; will show the details from the crypto map, even when the tunnel is down.
- show crypto session: will show as DOWN when the IPsec connection hasn't been made; shows everything.

QUESTION 15
Which three protocols are supported by management plane protection? (Choose three.)
A. SNMP
B. SMTP
C. SSH
D. OSPF
E. HTTPS
F. EIGRP
Correct Answer: ACE
Section: 5. Secure Network Management and Reporting

QUESTION 16
Which statement about rule-based policies in Cisco Security Manager is true?
A. Rule-based policies contain one or more rules that are related to a device's security and operations parameters.
B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.
C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.
D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.
Correct Answer: B
Section: 2. Security and Cisco Routers
Reference:
Rule-Based Policies
Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and inspection rules defined as part of a firewall service. Rule-based policies can contain hundreds or even thousands of rules arranged in a table, each defining different values for the same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first rule whose definition matches the flow (known as first matching).
poman.html

Understanding Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by defining policies on devices (which includes individual devices, service modules, security contexts, and virtual sensors) and VPN topologies (which are made up of multiple devices), and then deploying the configurations defined by these policies to these devices. Several types of policies might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure multiple policies, such as IPsec, IKE, GRE, and so forth. Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the device.

Settings-Based Policies vs. Rule-Based Policies
Settings-based policies contain sets of related parameters that together define one aspect of security or device operation. For example, when you configure a Cisco IOS router, you can define a quality of service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on which QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based policies, which can contain hundreds of rules containing values for the same set of parameters, you can define only one set of parameters for each settings-based policy defined on a device.

QUESTION 17
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?
A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius
Correct Answer: C
Section: 3.0 AAA

QUESTION 18
Which option provides the most secure method to deliver alerts on an IPS?
A. IME
B. CSM
C. SDEE
D. syslog
Correct Answer: C
Section: 8.0 Cisco IPS
Reference:
SDEE is pull-based: syslog can only push, whereas SDEE can pull, and it uses HTTP/HTTPS.


QUESTION 19
Which syslog level is associated with LOG_WARNING?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
Correct Answer: D
Section: 5. Secure Network Management and Reporting
Reference: Syslog levels

QUESTION 20
Scenario: You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business questions.
What is included in the Network Object Group INSIDE? (Choose two.)
A. Host
B. Network /24
C. Network /24
D. Host
E. Network /8
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Reference: Can't answer from this description/image.

QUESTION 21
Which represents a unique link-local address (IPv6)?
A. FEB0::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32
Correct Answer: A
Section: 2. Security and Cisco Routers
Reference:
2002::/16 is for 6to4 tunnels. FEB0::/8 would be the correct answer then. The link-local range covers FE80::, FE90::, FEA0:: and FEB0::.

QUESTION 22
How many class maps can be configured on a (router) interface?
A. 1
B. 2
C. 3
D. 4
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Reference:
I think this question is actually about policy maps. You can configure a single service policy on an interface; this service policy references a policy map. A policy map can reference up to 64 class maps, which is the limit of class maps that can be created.

QUESTION 23
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive
Correct Answer: C
Section: 3.0 AAA
Reference:
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.

SUMMARY STEPS
1. enable view
2. configure terminal
3. li-view li-password user username password password
4. username lawful-intercept [name] [privilege privilege-level view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name

DETAILED STEPS
Step 1: Router> enable view
Enables root view. Enter your privilege level 15 password (for example, the root password) if prompted.
Step 2: Router# configure terminal
Enters global configuration mode.
Step 3: li-view li-password user username password password
Example: Router(config)# li-view lipass user li_admin password li_adminpass
Initializes a lawful intercept view with a password of lipass and a user of li_admin whose password is li_adminpass. After the li-view is initialized, you must specify at least one user via the user username password password options.
Step 4: username lawful-intercept [name] [privilege privilege-level view view-name] password password
Example: Router(config)# username lawful-intercept li-user1 password li-user1pass
Configures lawful intercept users on a Cisco device.

QUESTION 24
Which NAT types are used for ASA in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload

D. Dynamic PAT
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Reference:
With a transparent firewall, we still have two interfaces, but we do not assign IP addresses to those interfaces, and those two interfaces act more like a bridge (or a switch with two ports in the same VLAN). Traffic from one segment of a given subnet is going to be forced through the transparent firewall if those frames want to reach the second segment behind the firewall. A transparent firewall has a management IP address so that we can remotely access it, but that is all. Users accessing resources through the firewall will not be aware that it is even present, and one of the biggest advantages of using a transparent firewall is that we do not have to re-address our IP subnets to put a transparent firewall in-line on the network.

QUESTION 25
Which three RADIUS server authentication protocols are supported on Cisco ASA firewalls?
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: CEF
Section: 3.0 AAA
Reference:
Supported Authentication Methods
The ASA supports the following authentication methods with RADIUS servers:
- PAP: for all connection types.
- CHAP and MS-CHAPv1: for L2TP-over-IPsec connections.
- MS-CHAPv2: for L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.
- Authentication Proxy modes: for RADIUS-to-Active-Directory, RADIUS-to-RSA/SDI, RADIUS-to-token server, and RSA/SDI-to-RADIUS connections.

To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.

QUESTION 26
Which wildcard mask is associated with a subnet mask of /27?
A.
B.
C.
D.
Correct Answer: A
Section: 7. Cisco Firewall Technologies

QUESTION 27
What does NTP authenticate?
A. Client's device and time source
B. Time source only
C. Client's device only
D. Firewall and client's device
Correct Answer: B
Section: 5. Secure Network Management and Reporting

QUESTION 28
Which firewall acts on behalf of the end user?
A. Proxy
B. State
C. Asa
D. Application
Correct Answer: A
Section: 7. Cisco Firewall Technologies

QUESTION 29
What encryption does Cisco use to protect image downloading?
A. Sha1
B. Sha2
C. Md5
D. Md1
Correct Answer: C
Section: 8.0 Cisco IPS
Reference:
This is referring to the hash that Cisco uses to allow customers to confirm the download of Cisco software, including the IPS signature files.

QUESTION 30
How long does the router wait for a TACACS+ response before it throws an error?
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
Correct Answer: A
Section: 3.0 AAA
Reference:
The TACACS+ timeout can be set globally or per server.

Configuring the Global TACACS+ Timeout Interval
You can set a global timeout interval that the Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the Nexus 5000 Series switch waits for responses from TACACS+ servers before declaring a timeout failure.
Step 1: switch# configure terminal
Enters configuration mode.
Step 2: switch(config)# tacacs-server timeout seconds
Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Optional, per server: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds
Specifies the timeout interval for a specific server. The default is the global value.
Note: The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.
Step 3: switch(config)# exit
Exits configuration mode.
Step 4: switch# show tacacs-server
(Optional) Displays the TACACS+ server configuration.

QUESTION 31
Which information describes the integrity and authentication for HMAC? (Choose two.)
A. Password
B. Hash
C. The key
D. Transform sets
Correct Answer: BC
Section: 9.0 VPN Technologies
Reference:
When using HMAC (Hashed Message Authentication Code), we combine the integrity checking capability of the hashing algorithm with authentication by use of a shared key.

QUESTION 32
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode
Correct Answer: C
Section: 9.0 VPN Technologies
Reference:
Enabling Permanent Client Installation
Enabling permanent client installation disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user. To enable permanent client installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes:
svc keep-installer installed
The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session. The following example configures the existing group-policy sales to remove the client on the remote computer at the end of the session:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc keep-installer installed none

QUESTION 33
You are the network manager for your organization. You are looking at your syslog server reports. Based on the syslog message shown, which two statements are true? (Choose two.)
Feb 1 10:12.08 PST:%SYS-5-CONFIG_I:Configured from console by vty0 ( )
A. Service timestamps have been globally enabled

B. This is a normal system-generated information message and does not require further investigation
C. This message is unimportant and can be ignored
D. This message is a level 5 notification message
Correct Answer: AD
Section: 5. Secure Network Management and Reporting

QUESTION 34
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
A. Ensure that the RDP2 plug-in is installed on the VPN gateway
B. Reboot the VPN gateway
C. Instruct the user to reconnect to the VPN gateway
D. Ensure that the RDP plug-in is installed on the VPN gateway
Correct Answer: A
Section: 9.0 VPN Technologies

QUESTION 35
Which tasks is the session management path responsible for? (Choose three.)
A. Performing the access list checks
B. Performing route lookups
C. Allocating NAT translations (xlates)
D. Session Lookup
E. TCP Sequence Number Check
F. NAT Translation based on existing sessions
Correct Answer: ABC
Section: 7. Cisco Firewall Technologies
Reference:
Establishing sessions in the fast path (this last option was not in the exam but is good to know).

A stateful firewall like the ASA, however, takes into consideration the state of a packet:

Is this a new connection? If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it might also pass through the control plane path. The session management path is responsible for the following tasks:
- Performing the access list checks
- Performing route lookups
- Allocating NAT translations (xlates)
- Establishing sessions in the fast path
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

Is this an established connection? If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments

QUESTION 36
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
A. Report Manager
B. Health and Performance Monitoring
C. Policy Manager
D. Event Manager
Correct Answer: B
Section: 2. Security and Cisco Routers
Reference:
Report Manager: Collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods.

Health and Performance Monitor (HPM): Monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.

QUESTION 37
What best describes transport mode in VPN? (Choose three.)
A. support multicast
B. support unicast
C. used between hosts
D. used between gateways
E. used between gateway and host
Correct Answer: BDE
Section: 9.0 VPN Technologies
Reference:
There are two main types of VPN, with numerous subcategories.
Remote Access:
- IPsec Full-Tunnel
- SSL Clientless
- SSL Full-Tunnel
Site-to-Site:
- IPsec

QUESTION 38
Which three features are for data plane protection? (Choose three.)
A. policing
B. ACL
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Correct Answer: BDF
Section: 2. Security and Cisco Routers
Reference:
Data Plane Security
- Access control lists
- Private VLAN
- Firewalling
- Intrusion Prevention System (IPS)

Layer 2 Data Plane Protection
- Port security prevents MAC flooding attacks.
- DHCP snooping prevents client attacks on the DHCP server and switch.
- Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
- IP Source Guard prevents IP spoofing addresses by using the DHCP snooping table.

Data Plane Security
Data plane security can be implemented using the following features:
- Access control lists: Access control lists (ACLs) perform packet filtering to control which packets move through the network and where.
- Antispoofing: ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.
- Layer 2 security features: Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.

ACLs
ACLs are used to secure the data plane in a variety of ways, including the following:
- Block unwanted traffic or users: ACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses, destination addresses, or user authentication.
- Reduce the chance of DoS attacks: ACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with requests for a connection.
- Mitigate spoofing attacks: ACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.
- Provide bandwidth control: ACLs on a slow link can prevent excess traffic.
- Classify traffic to protect other planes: ACLs can be applied on vty lines (management plane). ACLs can control routing updates being sent, received, or redistributed (control plane).

Antispoofing
Implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresses which could be traced to the originator of an attack. Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.

Layer 2 Data Plane Protection
The following are Layer 2 security tools integrated into the Cisco Catalyst switches:
- Port security: Prevents MAC address spoofing and MAC address flooding attacks
- DHCP snooping: Prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch
- Dynamic ARP inspection (DAI): Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks
- IP source guard: Prevents IP spoofing addresses by using the DHCP snooping table

QUESTION 39
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary
B. AAA Servers and Groups
C. Authentication Policies
D. Authorization Policies

Correct Answer: A
Section: 3.0 AAA
/Reference:

QUESTION 40
Which command changes a Layer 2 switch port into a Layer 3 routed port?
A. no switchport
B. switchport port-security
C. ip routing
D. sdm prefer lanbase-routing
Correct Answer: A
Section: 6. Common Layer 2 Attacks
/Reference:
no switchport removes the Layer 2 configuration from the interface so that an IP address can be assigned to it directly; ip routing enables routing on the switch as a whole but does not change the mode of an individual port.

QUESTION 41
Where is the best place to put the IPS inline?
A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuous, behind
D. Promiscuous, before

Correct Answer: A
Section: 8.0 Cisco IPS
/Reference:

QUESTION 42
Which syslog severity level is level number 7?
A. Warning
B. Debug
C. Critical
D. Emergency
E. Notice
F. Error
Correct Answer: B
Section: 5. Secure Network Management and Reporting
/Reference:
Syslog severity levels (a lower number is more severe; logging at level N also sends everything below N):
0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging

QUESTION 43
Which statement about the role-based CLI access views on a Cisco router is true?
A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.
B. The maximum number of configurable CLI access views is 10, including one superview.
C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.
Correct Answer: C
Section: 2. Security and Cisco Routers
/Reference:
Restrictions for Role-Based CLI Access
Lawful intercept images limitation: because CLI views are part of the Cisco IOS parser, CLI views are available on all platforms and Cisco IOS images. The lawful intercept view, however, is available only in images that contain the lawful intercept subsystem.

Maximum number of allowed views: the maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include the root view.)

QUESTION 44
Which Cisco Security Manager feature enables the configuration of unsupported device features?
A. Deployment Manager
B. FlexConfig
C. Policy Object Manager
D. Configuration Manager
Correct Answer: B
Section: 2. Security and Cisco Routers
/Reference:
FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager's control over a device configuration and take advantage of new device features before upgrading the product.
tmplchap.html#20503

QUESTION 45
Which statement about IPv6 address allocation is true?
A. IPv6-enabled devices can be assigned only one IPv6 IP address.
B. A DHCP server is required to allocate IPv6 IP addresses.
C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses.
D. ULA addressing is required for Internet connectivity.
Correct Answer: C
Section: 2. Security and Cisco Routers

/Reference:
A major difference between IPv4 and IPv6 is that an IPv6-capable device is expected to have more than one IPv6 address. Most interfaces have at least a link-local address (FE80::/10) and possibly a global (2000::/3, i.e. 2xxx or 3xxx) and/or a unique local (FC00::/7) address.

QUESTION 46
Which command configures a Cisco ASA firewall to authenticate users when they enter the enable command, using the local database with no fallback method?
A. aaa authentication enable console LOCAL SERVER_GROUP
B. aaa authentication enable console SERVER_GROUP LOCAL
C. aaa authentication enable console local
D. aaa authentication enable console LOCAL
Correct Answer: D
Section: 3.0 AAA
/Reference:
The syntax to create an AAA authentication policy on IOS is
aaa authentication [type] [name] [method list]
and if only one method is specified there is no fallback. This question, however, is about the ASA, whose syntax differs slightly. The aaa authentication enable console policy applies to users who are on the console and run the enable command to enter the privileged prompt. Note that the LOCAL keyword is case sensitive, which is why option C is wrong.

To authenticate users who access the adaptive security appliance CLI over a serial, SSH, HTTPS (ASDM), or Telnet connection, or to authenticate users who access privileged EXEC mode using the enable command, use the aaa authentication console command in global configuration mode. To disable authentication, use the no form of this command.
aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
no aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}

Syntax Description

enable: Authenticates users who access privileged EXEC mode when they use the enable command.
http: Authenticates ASDM users who access the adaptive security appliance over HTTPS. You only need to configure HTTPS authentication if you want to use a RADIUS or TACACS+ server. By default, ASDM uses the local database for authentication even if you do not configure this command.
LOCAL: Uses the local database for authentication. LOCAL is case sensitive. If the local database is empty, the following warning message appears: "Warning: local database is empty! Use 'username' command to define local users." If the local database becomes empty while LOCAL is still present in the configuration, the following warning message appears: "Warning: Local user database is empty and there are still commands using 'LOCAL' for authentication."
server-tag [LOCAL]: Specifies the AAA server group tag defined by the aaa-server command. If you use the LOCAL keyword in addition to the server-tag, the adaptive security appliance uses the local database as a fallback method if the AAA server is unavailable. LOCAL is case sensitive. Cisco recommends using the same username and password in the local database as on the AAA server, because the prompt gives no indication of which method is being used.
serial: Authenticates users who access the adaptive security appliance using the serial console port.
ssh: Authenticates users who access the adaptive security appliance using SSH.
telnet: Authenticates users who access the adaptive security appliance using Telnet.
Defaults: By default, fallback to the local database is disabled. If the aaa authentication telnet console command is not defined, you can gain access to the adaptive security appliance CLI with the login password (set with the password command).
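The fallback behaviour described above for the ASA (server group, then LOCAL only if the server is unavailable) is the same method-list rule IOS applies to its aaa authentication and aaa authorization lists: methods are tried in order, an unreachable method is skipped, a method that answers FAIL ends processing, and a single-method list has no fallback at all. The following Python model is an added illustration and is not Cisco code; the server behaviours, user names and passwords are constructed for the demonstration.

```python
"""AAA method-list evaluation as IOS/ASA apply it (added illustration,
not Cisco code).  The list is walked in order: a method that cannot be
reached (server down, outcome ERROR) is skipped and the next method is
tried, while a method that answers FAIL denies the request immediately
without consulting the remaining methods."""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = method unreachable


@dataclass(frozen=True)
class Method:
    name: str                              # e.g. "group tacacs+", "LOCAL", "none"
    decide: Callable[[str, str], str]      # (user, password) -> PASS / FAIL / ERROR


def run_method_list(methods: Sequence[Method], user: str,
                    password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the list; return (final result, trace of (method, outcome))."""
    trace: List[Tuple[str, str]] = []
    for m in methods:
        outcome = m.decide(user, password)
        trace.append((m.name, outcome))
        if outcome == PASS:
            return PASS, trace
        if outcome == FAIL:            # an explicit deny stops the list
            return FAIL, trace
        # ERROR: fall through and try the next method (this is the fallback)
    return FAIL, trace                 # every method unreachable -> request denied


# ---- constructed servers and databases (hypothetical credentials) ----
TACACS_DB = {"admin": "T@cacsPw1"}
LOCAL_DB = {"admin": "LocalPw1"}


def tacacs_up(user: str, pw: str) -> str:
    return PASS if TACACS_DB.get(user) == pw else FAIL


def tacacs_down(user: str, pw: str) -> str:
    return ERROR                        # server unreachable


def local(user: str, pw: str) -> str:
    return PASS if LOCAL_DB.get(user) == pw else FAIL


def none(user: str, pw: str) -> str:
    return PASS                         # the "none" method always succeeds


def scenarios() -> dict:
    """Outcomes of the kinds of method lists discussed in the questions."""
    single = [Method("group tacacs+", tacacs_up)]
    single_down = [Method("group tacacs+", tacacs_down)]
    with_local = [Method("group tacacs+", tacacs_down), Method("LOCAL", local)]
    server_says_no = [Method("group tacacs+", tacacs_up), Method("LOCAL", local)]
    with_none = [Method("group tacacs+", tacacs_down), Method("none", none)]
    return {
        # one method, server up: works
        "single_method_server_up": run_method_list(single, "admin", "T@cacsPw1")[0],
        # one method, server down: no fallback, everybody is locked out
        "single_method_server_down": run_method_list(single_down, "admin", "T@cacsPw1")[0],
        # "group tacacs+ local": server down, local database answers
        "fallback_to_local": run_method_list(with_local, "admin", "LocalPw1")[0],
        # server up but rejects the password: LOCAL is NOT consulted
        "bad_password_no_fallback": run_method_list(server_says_no, "admin", "LocalPw1")[0],
        # "group tacacs+ none": server down means anyone gets in
        "none_opens_the_door": run_method_list(with_none, "intruder", "anything")[0],
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {result}")
```

The last scenario is why a trailing none method (as in the distractor answers of the authorization question below) must never be used on a production device: it turns a server outage into an open door.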
QUESTION 47
Which command configures a Cisco router to use a TACACS+ server to authorize network services with no fallback method?
A. aaa authorization exec default group tacacs+ none
B. aaa authorization network default group tacacs+ none
C. aaa authorization network default group tacacs+
D. aaa authorization network default group tacacs+ local

Correct Answer: C
Section: 3.0 AAA
/Reference:
On a Cisco IOS router, the syntax for new-model AAA authorization policies is
aaa authorization [type] [name] [method-list]
The method list names the methods used to authorize, for example group tacacs+, group radius, local, enable, and so on. The methods are tried in the order listed. If a method is unreachable (for example, the router cannot connect to the TACACS+ server), the next method is tried, which is what provides a fallback. A FAILED authorization does not move on to the next method. When only a single method is listed there is no fallback if that method cannot be reached. Here we want to authorize network services, so the command must start with aaa authorization network, and only one such answer has a single method:
aaa authorization network default group tacacs+

QUESTION 48
Which three statements about RADIUS are true? (Choose three.)
A. RADIUS uses TCP port 49.
B. RADIUS uses UDP ports 1645 or 1812.
C. RADIUS encrypts the entire packet.
D. RADIUS encrypts only the password in the Access-Request packet.
E. RADIUS is a Cisco proprietary technology.
F. RADIUS is an open standard.
Correct Answer: BDF
Section: 3.0 AAA
/Reference:
RADIUS uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting. (TCP port 49 is TACACS+, which is Cisco-originated and encrypts the whole packet body.)
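What "encrypts only the password" means in practice for Question 48: RFC 2865 hides the User-Password attribute by XORing it with MD5(shared secret + Request Authenticator), while the User-Name, NAS address and every other attribute cross the wire in clear text. The following Python block is an added illustration, not Cisco or RADIUS-server code; it builds an Access-Request, parses it back, and shows that the hiding is reversible by anyone holding the shared secret. The user name, password, secret and NAS address are constructed for the demonstration.

```python
"""RADIUS Access-Request with the User-Password attribute hidden as RFC 2865
section 5.2 specifies.  Added illustration (not Cisco code): only the
password is obscured, everything else is plain text, and the obscuring is
reversible with the shared secret.  All values below are constructed."""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits the password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad up to 16-octet blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server (or anyone with the secret) does."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_tlv(ATTR_USER_NAME, username.encode())
             + _tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _tlv(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))   # constructed NAS address
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs that follow the 20-byte header."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def demo() -> dict:
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))                         # fixed authenticator so the demo is repeatable
    pkt = build_access_request(7, "alice", "Pa55w0rd!", secret, ra)
    attrs = parse_attributes(pkt)
    hidden = attrs[ATTR_USER_PASSWORD]
    return {
        "username_in_clear": b"alice" in pkt,
        "password_in_clear": b"Pa55w0rd!" in pkt,
        "server_recovers": reveal_password(hidden, secret, pkt[4:20]) == b"Pa55w0rd!",
        "wrong_secret_recovers": reveal_password(hidden, b"other", pkt[4:20]) == b"Pa55w0rd!",
    }
```

Because the protection is a single MD5-based keystream keyed by a shared secret, RADIUS traffic between NAS and server should itself be protected (IPsec, or RADIUS over TLS/DTLS where both ends support it) rather than relied upon across an untrusted network.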

QUESTION 49
Which command configures AAA accounting, using the list of all RADIUS servers on a device, to generate a reload event message when the device reloads?
A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius
Correct Answer: C
Section: 3.0 AAA
/Reference:
On a Cisco IOS router, the syntax for new-model AAA accounting policies is
aaa accounting {type} {default | list-name} {start-stop | stop-only | none} [method-list]

The accounting types are:
- network: creates a method list that provides accounting for all network-related service requests, including SLIP, PPP, PPP NCPs and ARAP.
- exec: creates a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.
- commands level: creates a method list that provides accounting information about the individual EXEC commands associated with a specific privilege level.
- connection: creates a method list that provides accounting information about all outbound connections made from the network access server.
- resource: creates a method list that provides accounting records for calls that passed user authentication or that failed to be authenticated.
- system: provides accounting for system-level events that are not associated with users, such as reloads (the type asked for here).

QUESTION 50
Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
A. start-stop
B. stop-record
C. stop-only
D. stop
Correct Answer: AC
Section: 3.0 AAA
/Reference:
The general syntax for accounting is:
Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]
Accounting can record start and stop, or stop only.

QUESTION 51
What is the first command you enter to configure AAA on a new Cisco router?

A. aaa configuration
B. no aaa-configuration
C. no aaa new-model
D. aaa new-model
Correct Answer: D
Section: 3.0 AAA
/Reference:
Remote AAA requires aaa new-model to be enabled first. Be aware that enabling it replaces the default login behaviour of line vty and line con: the default method list applies to all lines immediately, so define your method lists (and keep a working local user) before you risk locking yourself out.

QUESTION 52
Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: BCE
Section: 3.0 AAA
/Reference:
TACACS+ server support: the ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

QUESTION 53
What is the default privilege level for a new user account on a Cisco ASA firewall?
A. 0
B. 1

C. 2
D. 15
Correct Answer: C
Section: 2. Security and Cisco Routers
/Reference:
Like Cisco IOS devices, the ASA has 16 privilege levels, 0 to 15. The default privilege level for an ASA user is 2; on IOS the default is level 1.
Authenticating users with the login command: from user EXEC mode you can log in as any username in the local database using the login command. This lets users reach privileged EXEC mode with their own username and password, so you do not have to give out the system enable password to everyone. To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default) through 15. If you configure local command authorization, the user can only enter commands assigned to that privilege level or lower. See the "Configuring Local Command Authorization" section for more information.

QUESTION 54
Which statement about ACL operations is true?
A. The access list is evaluated in its entirety.
B. The access list is evaluated one access-control entry at a time.
C. The access list is evaluated by the most specific entry.
D. The default explicit deny at the end of an access list causes all packets to be dropped.
Correct Answer: B
Section: 4. IOS ACLs
/Reference:
An access list is a series of entries that are processed in order. When a match is made, the action specified by that entry is performed and no further entries are processed. The last entry of every access list is the implicit deny all, so a packet that matches nothing is dropped.
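The first-match rule and the implicit deny above, applied to the BCP38 / RFC 2827 ingress filter discussed earlier, can be reproduced in a few lines. The following Python evaluator is an added illustration, not Cisco code: it implements wildcard-mask matching (a 0 bit must match, a 1 bit is a don't-care), walks the entries in order, and falls through to the implicit deny. The sample ACL and the addresses (203.0.113.0/24 as "our" block, 198.51.100.7 as an outside client) are constructed from documentation ranges.

```python
"""First-match evaluation of a Cisco-style extended ACL with wildcard masks
and the implicit deny at the end.  Added illustration, not Cisco code.
The sample entries form a BCP38/RFC 2827 ingress filter: drop RFC 1918
sources and packets that claim the site's own block (constructed as
203.0.113.0/24) as their source."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                      # "any" | "host A.B.C.D" | "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None   # "eq" destination port, tcp/udp only


def _addr_match(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Wildcard-mask match: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv4Address(spec[5:]) == addr
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(addr) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry).  An index of None means
    the packet fell through to the implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_match(ace.src, s) and _addr_match(ace.dst, d)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i          # first match wins; later entries are never examined
    return "deny", None               # implicit "deny ip any any"


# Ingress filter on the Internet-facing interface; the order is what makes it work.
INGRESS_110: List[Ace] = [
    Ace("deny", "ip", "10.0.0.0 0.255.255.255", "any"),      # RFC 1918
    Ace("deny", "ip", "172.16.0.0 0.15.255.255", "any"),     # RFC 1918
    Ace("deny", "ip", "192.168.0.0 0.0.255.255", "any"),     # RFC 1918
    Ace("deny", "ip", "203.0.113.0 0.0.0.255", "any"),       # our own block as source = spoofed
    Ace("permit", "tcp", "any", "host 203.0.113.80", 443),   # public web server
    Ace("permit", "tcp", "any", "host 203.0.113.80", 80),
    Ace("permit", "icmp", "any", "203.0.113.0 0.0.0.255"),
    # implicit: deny ip any any
]


def demo() -> dict:
    return {
        "rfc1918_spoof": evaluate(INGRESS_110, "tcp", "10.1.2.3", "203.0.113.80", 443),
        "own_block_spoof": evaluate(INGRESS_110, "udp", "203.0.113.9", "203.0.113.80", 53),
        "legit_https": evaluate(INGRESS_110, "tcp", "198.51.100.7", "203.0.113.80", 443),
        "unlisted_port": evaluate(INGRESS_110, "tcp", "198.51.100.7", "203.0.113.80", 22),
        # same entries with the permit moved to the top: the deny lines are never reached
        "permit_first": evaluate([INGRESS_110[4]] + INGRESS_110[:4],
                                 "tcp", "10.1.2.3", "203.0.113.80", 443),
    }
```

The permit_first case is the mistake the "evaluated one entry at a time" rule warns about: a broad permit placed before the antispoofing denies silently disables them, and nothing in the ACL syntax flags it.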

QUESTION 55
Which three statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination.
B. Extended access lists should be placed as near as possible to the source.
C. Standard access lists should be placed as near as possible to the destination.
D. Standard access lists should be placed as near as possible to the source.
E. Standard access lists filter on the source address.
F. Standard access lists filter on the destination address.
Correct Answer: BCE
Section: 4. IOS ACLs
/Reference:
ACL best practices:
- Standard ACLs can filter only on the source IP address.
- Standard ACLs should be placed closest to the destination; placed near the source they would block too much traffic, because they cannot distinguish destinations.
- Extended ACLs can filter on protocol, source and/or destination IP address, and TCP or UDP port.
- Extended ACLs should be placed as close to the source as possible, so unwanted traffic is dropped before it consumes bandwidth.

QUESTION 56
Which command configures a device to actively intercept connection requests and provide immediate protection from DDoS attacks?
A. router(config)# ip tcp intercept mode intercept
B. router(config)# ip tcp intercept mode watch
C. router(config)# ip tcp intercept max-incomplete high 100
D. router(config)# ip tcp intercept drop-mode random
Correct Answer: A
Section: 1. Common Security Threats
/Reference:

About TCP intercept: the TCP intercept feature protects TCP servers from TCP SYN-flooding attacks, a type of denial-of-service attack. A SYN-flooding attack occurs when an attacker floods a server with a barrage of connection requests. Because these messages carry unreachable return addresses, the connections cannot be completed. The resulting volume of half-open connections eventually overwhelms the server and can cause it to deny service to valid requests, preventing legitimate users from reaching a web site, accessing e-mail, using FTP, and so on.
TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list and completes the handshake on the server's behalf; in watch mode it only monitors and resets connections that are not completed in time.
The basic configuration requires an ACL that selects the TCP traffic to watch:
Step 1: Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard (defines an IP extended access list)
Step 2: Router(config)# ip tcp intercept list access-list-number (enables TCP intercept)
Step 3 (optional): Router(config)# ip tcp intercept mode {intercept | watch} (the default is intercept)
You can also modify the following (all optional): the TCP intercept drop mode, the TCP intercept timers, the aggressive thresholds, and monitoring and maintenance of TCP intercept.

QUESTION 57
Which command will block external spoofed addresses?
A. access-list 128 deny ip any
B. access-list 128 deny ip any

C. access-list 128 deny ip any
D. access-list 128 deny ip any
Correct Answer: C
Section: 4. IOS ACLs
/Reference:
Not sure if this is a partial question or mismarked. Spoofed addresses usually refers to addresses that mimic your own internal addressing scheme. Private or reserved addresses are defined in RFC 1918. A common set of entries for an access list applied inbound at the edge of a network is as follows:
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your own space as source from entering your AS.
!--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any
In this question, the entry that denies one of the common reserved address ranges is the correct answer.

QUESTION 58
Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. port security
B. DHCP snooping
C. IP source guard
D. dynamic ARP inspection
Correct Answer: BD
Section: 6. Common Layer 2 Attacks

/Reference:
ARP spoofing is a common Layer 2 attack. It can be used for ARP poisoning, man-in-the-middle attacks or session hijacking, among others. The attacker sends false ARP requests and/or replies. DHCP snooping lets a Cisco switch examine all DHCP traffic and build an IP-to-MAC binding table from the addresses handed out; Dynamic ARP Inspection then checks every ARP packet received on an untrusted port against that table. Hosts with statically assigned IP addresses have no DHCP binding and must be added manually (a static binding or an ARP ACL), otherwise DAI drops their ARP traffic.

QUESTION 59
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. port security
B. dynamic port security
C. IP source guard
D. root guard
Correct Answer: B
Section: 6. Common Layer 2 Attacks
/Reference:
Port security helps prevent CAM table overflow attacks by limiting the number of MAC addresses that can be learned on an interface:
switchport port-security
switchport port-security maximum 2
After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in the address table in one of these ways:
- You configure all secure MAC addresses with the switchport port-security mac-address mac_address interface configuration command.
- You allow the port to dynamically learn secure MAC addresses from the connected devices.
- You configure some addresses and allow the rest to be learned dynamically.
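How the Layer 2 tools from Questions 58 and 59 fit together is easier to see in a small switch model: DHCP snooping fills the binding table and rejects server replies on untrusted ports, Dynamic ARP Inspection and IP Source Guard validate ARP and IP sources on untrusted ports against that table, and port security caps the MAC addresses a port may learn. The Python below is an added illustration, not Cisco code; port names, MAC and IP addresses are constructed, and a static host is shown being added by hand as the text requires.

```python
"""Layer 2 data-plane protections modelled on a small switch: DHCP snooping
(binding table, rogue-server rejection), Dynamic ARP Inspection, IP Source
Guard and port security.  Added illustration, not Cisco code; all ports and
addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, trusted_ports: Set[str], port_security_max: Dict[str, int]):
        self.trusted = set(trusted_ports)          # uplinks / the port facing the DHCP server
        self.max_macs = dict(port_security_max)    # switchport port-security maximum N
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> binding
        self.learned: Dict[str, Set[str]] = {}     # port -> secure MACs seen so far
        self.err_disabled: Set[str] = set()

    # --- port security: the (max+1)th MAC on a port is a violation (mode shutdown)
    def learn_mac(self, port: str, mac: str) -> str:
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        macs = self.learned.setdefault(port, set())
        if mac not in macs and port in self.max_macs and len(macs) >= self.max_macs[port]:
            self.err_disabled.add(port)
            return "violation: port shut down"
        macs.add(mac)
        return "ok"

    # --- DHCP snooping: server replies are accepted only from trusted ports
    def dhcp_server_reply(self, from_port: str, client_mac: str, client_port: str,
                          vlan: int, offered_ip: str) -> str:
        if from_port not in self.trusted:
            return "dropped: DHCP OFFER/ACK on untrusted port (rogue server)"
        self.bindings[(client_mac, vlan)] = Binding(client_mac, offered_ip, vlan, client_port)
        return "binding added"

    def add_static_binding(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Manual entry for a host that does not use DHCP (ip source binding ...)."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port)

    def _valid(self, mac: str, ip: str, vlan: int, port: str) -> bool:
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port

    # --- Dynamic ARP Inspection: sender MAC/IP of ARP packets on untrusted ports
    def inspect_arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        if port in self.trusted:
            return "forwarded (trusted port, not inspected)"
        if self._valid(sender_mac, sender_ip, vlan, port):
            return "forwarded"
        return "dropped: ARP sender does not match binding table"

    # --- IP Source Guard: source MAC/IP of ordinary traffic on untrusted ports
    def check_ip_source(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        if port in self.trusted:
            return "forwarded (trusted port)"
        if self._valid(src_mac, src_ip, vlan, port):
            return "forwarded"
        return "dropped: source not in binding table"


def demo() -> dict:
    sw = Switch(trusted_ports={"Gi0/24"}, port_security_max={"Gi0/1": 2, "Gi0/2": 2})
    out: dict = {}
    # a rogue DHCP server on an access port is ignored; the real one on the uplink is not
    out["rogue_dhcp"] = sw.dhcp_server_reply("Gi0/2", "aa:aa:aa:aa:aa:01", "Gi0/1", 10, "10.0.10.50")
    out["real_dhcp"] = sw.dhcp_server_reply("Gi0/24", "aa:aa:aa:aa:aa:01", "Gi0/1", 10, "10.0.10.50")
    out["victim_arp"] = sw.inspect_arp("Gi0/1", 10, "aa:aa:aa:aa:aa:01", "10.0.10.50")
    # attacker on Gi0/2 claims the gateway's IP (ARP poisoning for a man in the middle)
    out["attacker_arp"] = sw.inspect_arp("Gi0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.1")
    # the same attacker sends IP packets with the victim's address as source
    out["attacker_spoofed_ip"] = sw.check_ip_source("Gi0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.50")
    # a printer with a static address needs a manual binding before DAI lets it talk
    out["static_host_before"] = sw.inspect_arp("Gi0/3", 10, "cc:cc:cc:cc:cc:03", "10.0.10.200")
    sw.add_static_binding("cc:cc:cc:cc:cc:03", "10.0.10.200", 10, "Gi0/3")
    out["static_host_after"] = sw.inspect_arp("Gi0/3", 10, "cc:cc:cc:cc:cc:03", "10.0.10.200")
    # CAM-overflow attempt: a third MAC on a port limited to two
    out["cam_flood"] = [sw.learn_mac("Gi0/2", f"de:ad:be:ef:00:{i:02x}") for i in range(3)]
    return out
```

The trusted/untrusted distinction is the part that is easiest to get wrong in a real deployment: every inter-switch trunk must be trusted (or DAI will drop legitimate ARP from hosts behind the neighbour), and a trusted port is never validated, so an access port must never be marked trusted.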

QUESTION 60
What is the most common Cisco Discovery Protocol version 1 attack?
A. denial of service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping
Correct Answer: A
Section: 6. Common Layer 2 Attacks
/Reference:
CDP is enabled by default on most Cisco devices and is unauthenticated, so an attacker can flood a device with CDP frames and exhaust its CPU and memory, a form of denial of service. (CDP also advertises platform, IOS version and addresses in clear text, so it should be disabled on untrusted-facing interfaces.)

QUESTION 61
Which option describes a function of a virtual LAN?
A. A virtual LAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
B. A virtual LAN creates trunks and links two switches together.
C. A virtual LAN adds every port on a switch to its own collision domain.
D. A virtual LAN connects many hubs together.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
/Reference:

QUESTION 62
Which action can you take to add bandwidth to a trunk between two switches and end up with only one logical interface?

A. Configure another trunk link.
B. Configure EtherChannel.
C. Configure an access port.
D. Connect a hub between the two switches.
Correct Answer: B
Section: 6. Common Layer 2 Attacks
/Reference:
Two parallel connections between switches form a loop, so STP would block one of them. With EtherChannel the participating interfaces are bundled into a single logical interface, a port channel, which STP treats as one link, so all members carry traffic.

QUESTION 63
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down.
B. STP loops may occur.
C. The switch with the higher native VLAN may shut down.
D. The interface with the lower native VLAN may shut down.
Correct Answer: B
Section: 6. Common Layer 2 Attacks
/Reference:
The native VLAN is defined in the 802.1Q specification. In Cisco's implementation, traffic on the native VLAN is sent untagged across a trunk. With a native VLAN mismatch, untagged frames (including the per-VLAN STP BPDUs of the native VLAN) are placed into a different VLAN on each side, so STP updates may not reach the correct STP instances and a loop can form.
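The loop avoidance discussed in the last two answers rests on STP's first step, the root bridge election, followed by each non-root switch choosing its root port (the questions further down in this set ask about both). The Python below is an added illustration, not Cisco code: the bridge ID is (priority + VLAN as the extended system ID, MAC address) and the lowest wins, so with every switch at the default priority the lowest MAC, often the oldest switch, becomes root unless the core's priority is lowered deliberately. The topology, MAC addresses and link costs are constructed.

```python
"""STP root-bridge election and root-port selection (the first two steps STP
takes before blocking redundant ports).  Added illustration, not Cisco code.
Bridge ID = (priority + VLAN id, MAC); lower wins.  Topology is constructed."""
import heapq
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768     # Cisco default; must be a multiple of 4096


def bridge_id(priority: int, mac: str, vlan: int) -> Tuple[int, str]:
    """Extended system ID: the VLAN number is added to the configured priority."""
    if priority % 4096:
        raise ValueError("priority must be a multiple of 4096")
    return (priority + vlan, mac.lower())   # tuple order: priority first, MAC breaks ties


def elect_root(bridges: Dict[str, Tuple[int, str]], vlan: int) -> str:
    """bridges: name -> (priority, mac).  The lowest bridge ID becomes root."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], bridges[n][1], vlan))


def root_ports(bridges: Dict[str, Tuple[int, str]],
               links: List[Tuple[str, str, int]], vlan: int) -> Dict[str, str]:
    """For each non-root bridge, the neighbour through which the root is reached
    with the lowest total path cost (ties broken by the lower neighbour bridge ID)."""
    root = elect_root(bridges, vlan)
    adj: Dict[str, List[Tuple[str, int]]] = {n: [] for n in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    # Dijkstra from the root gives every bridge its root path cost
    dist = {n: float("inf") for n in bridges}
    dist[root] = 0
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for m, c in adj[n]:
            if d + c < dist[m]:
                dist[m] = d + c
                heapq.heappush(heap, (d + c, m))
    chosen: Dict[str, str] = {}
    for n in bridges:
        if n == root:
            continue
        best = min(adj[n], key=lambda nc: (dist[nc[0]] + nc[1],
                                           bridge_id(*bridges[nc[0]], vlan)))
        chosen[n] = best[0]
    return chosen


def demo() -> dict:
    vlan = 10
    # three switches in a triangle; the access switch has the oldest (lowest) MAC
    bridges = {"CORE": (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:5e"),
               "DIST": (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:10"),
               "ACCESS1": (DEFAULT_PRIORITY, "00:00:0c:12:34:56")}
    links = [("CORE", "DIST", 4), ("CORE", "ACCESS1", 19), ("DIST", "ACCESS1", 19)]
    with_defaults = (elect_root(bridges, vlan), root_ports(bridges, links, vlan))
    # spanning-tree vlan 10 priority 24576 on the core switch
    tuned = dict(bridges)
    tuned["CORE"] = (24576, bridges["CORE"][1])
    after_tuning = (elect_root(tuned, vlan), root_ports(tuned, links, vlan))
    return {"defaults": with_defaults, "core_priority_24576": after_tuning}
```

With the defaults the access switch wins and all traffic between core and distribution is hauled through it; this is also why root guard belongs on access-facing ports, so that a rogue or misconfigured switch advertising a better bridge ID cannot take the root role.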

QUESTION 64
Which VTP mode allows you to change the VLAN configuration and then propagates the change throughout the entire switched network?
A. VTP server
B. VTP client
C. VTP transparent
D. VTP off
Correct Answer: A
Section: 6. Common Layer 2 Attacks
/Reference:
There are three VTP modes:
- Server: manages the VLAN database (stored in vlan.dat in flash); can set the domain and add, remove and rename VLANs, and advertises the changes to the domain.
- Client: receives its VLAN list from the server. Ports can be assigned to VLANs, but the VLAN database cannot be changed locally.
- Transparent: passes VTP updates through its trunk ports but does not use the information; it maintains an independent VLAN database.

QUESTION 65
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
A. STP elects the root bridge.
B. STP selects the root port.
C. STP selects the designated port.
D. STP blocks one of the ports.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
/Reference:
The high-level steps of STP are:
1. Elect a root bridge.
2. Each non-root bridge elects a root port.
3. On redundant paths between switches, designated ports are chosen and the remaining ports become alternate/blocking ports.

QUESTION 66
What is the default STP priority on a switch?

A.
B.
C.
D.
Correct Answer: D
Section: 6. Common Layer 2 Attacks
/Reference:
Cisco switches have a default STP bridge priority of 32768; with the extended system ID the VLAN number is added to it (32769 for VLAN 1), and priorities are configured in steps of 4096.

QUESTION 67
Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.)
A. Rivest-Shamir-Adleman Algorithm
B. ElGamal encryption system
C. Digital Signature Algorithm
D. Paillier cryptosystem
Correct Answer: AC
Section: 5. Secure Network Management and Reporting
/Reference:
When generating public/private key pairs for SSH, you can use either RSA or DSA.
b_syssec_cr41crs_chapter_0111.html#wp

QUESTION 68
Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message?
A. the transform set
B. the group policy
C. the hash
D. the crypto map

Correct Answer: C
Section: 9.0 VPN Technologies
/Reference:
A one-way hash function produces a fixed-length output regardless of the size of the input message. Common hash algorithms are SHA-1 and MD5. When setting up IPsec, you specify the following (the HAGLE mnemonic):
H - hash (md5 or sha)
A - authentication (pre-shared keys, or rsa-sig for digital certificates)
G - DH group (1, 2, 5, 14, ...)
L - lifetime of the IKE phase 1 tunnel
E - encryption (des, 3des, aes)
Digest lengths: MD5 produces 128 bits, SHA-1 160 bits, and the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256) the number of bits in its name. DES, 3DES, MD5 and DH groups 1, 2 and 5 are legacy choices; current guidance is AES, SHA-2 and DH group 14 or stronger.

QUESTION 69
Which three options are components of Transport Layer Security? (Choose three.)
A. stateless handshake
B. stateful handshake
C. application layer
D. session layer
E. pre-shared keys
F. digital certificates
Correct Answer: BCF
Section: 9.0 VPN Technologies

/Reference:
TLS is the successor to SSL. The terms are often used interchangeably, but the protocols are not directly compatible. When configuring security for WebVPN and AnyConnect, you can choose SSL or TLS. Like SSL, TLS uses a stateful authentication handshake in which credentials are exchanged. These credentials are digital certificates, which bind a public key to an identity; the matching private key stays with its owner. TLS is generally treated as an application-layer protocol, although it is sometimes placed in the session and presentation layers of the OSI model.
(ASA 9.3(2) and later) SSLv3 deprecation and SSL server version default change: SSLv3 is now deprecated. The default for the ssl server-version command is now tlsv1 instead of any. If you configure any, sslv3, or sslv3-only, the command is accepted with a warning. In the next major ASA release, these keywords will be removed.

QUESTION 70
What are three features of IPsec tunnel mode? (Choose three.)
A. IPsec tunnel mode supports multicast.
B. IPsec tunnel mode is used between gateways.
C. IPsec tunnel mode is used between end stations.
D. IPsec tunnel mode supports unicast traffic.
E. IPsec tunnel mode encrypts only the payload.
F. IPsec tunnel mode encrypts the entire packet.
Correct Answer: BDF
Section: 9.0 VPN Technologies
/Reference:
IPsec can run in either tunnel mode or transport mode, and both modes support only unicast traffic. Each mode has its own uses, and care should be taken to select the right one:
- Tunnel mode is most commonly used between gateways, or from an end station to a gateway, with the gateway acting as a proxy for the hosts behind it. The entire original IP packet is encrypted and a new outer IP header is added.
- Transport mode is used between end stations, or between an end station and a gateway when the gateway is itself the destination (for example, an encrypted Telnet session from a workstation to a router). Only the payload is protected and the original IP header is kept.

QUESTION 71
Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto session
Correct Answer: D
Section: 9.0 VPN Technologies
/Reference:
The main commands for verifying IPsec connections on Cisco IOS are:
- show crypto isakmp sa: shows the IKE phase 1 security associations.
- show crypto ipsec sa: shows the IKE phase 2 (IPsec) security associations; it lists the details from the crypto map even when the tunnel is down.
- show crypto session: shows both phases for every session, and reports the session as DOWN when the IPsec connection has not been established.

QUESTION 72
How can you prevent clientless SSL VPN users from accessing any HTTP or HTTPS URL within the portal?
A. Configure a web ACL.
B. Turn off URL entry.
C. Configure a smart tunnel.
D. Configure a portal access rule.
Correct Answer: B
Section: 9.0 VPN Technologies
/Reference:
Clientless SSL VPN security precautions: by default, the ASA allows all portal traffic to all web resources (for example HTTPS, CIFS, RDP, and plug-ins). Clientless SSL VPN rewrites each URL to one that is meaningful only to the ASA, so the user cannot use the URL to confirm that they are connected to the website they requested. To avoid exposing users to phishing websites, assign a web ACL to the policies configured for clientless access (group policies, dynamic access policies, or both) to control traffic flows from the portal. Cisco recommends switching off URL entry on these policies to prevent user confusion over what is accessible.
Step 1: webvpn (switches to group-policy clientless SSL VPN configuration mode)
Step 2: url-entry (controls the user's ability to enter any HTTP/HTTPS URL)
Step 3 (optional): url-entry disable (switches off URL entry)

QUESTION 73
Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection?

A. perfect forward secrecy
B. dead peer detection
C. keep alives
D. IKEv2
Correct Answer: B
Section: 9.0 VPN Technologies
/Reference:
Configuring DTLS: Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels, an SSL tunnel and a DTLS tunnel. Using DTLS avoids the latency and bandwidth problems of TCP-based SSL connections and improves the performance of real-time applications that are sensitive to packet delay. By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS, SSL VPN connections use an SSL VPN tunnel only.
Note: in order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If DPD is not enabled and the DTLS connection experiences a problem, the connection terminates instead of falling back to TLS.

QUESTION 74
Where is the transform set applied in an IOS IPsec VPN?
A. on the WAN interface
B. in the ISAKMP policy
C. in the crypto map
D. on the LAN interface
Correct Answer: C
Section: 9.0 VPN Technologies
/Reference:
The basic steps for an IPsec site-to-site VPN are:
Task 1: Ensure that ACLs are compatible with IPsec, i.e. that ISAKMP (UDP 500, and UDP 4500 for NAT-T) and AH/ESP are permitted through the firewall.
Task 2: Create the ISAKMP (IKE) policy: crypto isakmp policy priority

Task 2a: Set the PSK if using that authentication method: crypto isakmp key keystring address peer-address
Task 3: Configure the IPsec transform set: crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]
Task 4: Create the crypto ACL that selects interesting traffic: access-list 110 permit ip source-range destination-range
Task 5: Create and apply the crypto map (the transform set is referenced here):
R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer peer-address default
R1(config-crypto-map)# set peer peer-address
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds seconds
R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
(The peer addresses and lifetime are shown as placeholders. set pfs group1 reflects the original example; DH group 1 is deprecated and group 14 or stronger should be used in new deployments.)

QUESTION 75
Which authentication protocol does the Cisco AnyConnect VPN password management feature require to operate?
A. MS-CHAPv1
B. MS-CHAPv2
C. CHAP
D. Kerberos
Correct Answer: B
Section: 9.0 VPN Technologies
/Reference:
The password management feature lets users receive warnings and change their authentication passwords through the ASA SSL VPN. When you configure the password-management command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired and offers the opportunity to change it. If the current password has not yet expired, the user can still log in with it.

The security appliance ignores this command if RADIUS or LDAP authentication has not been configured. The security appliance, release 7.1 and later, generally supports password management for the AnyConnect VPN client, the Cisco IPsec VPN client, the SSL VPN full-tunneling client, and clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2. Password management is not supported for any of these connection types with Kerberos/AD (Windows password) or NT 4.0 Domain authentication. Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2; the password-management command requires MS-CHAPv2, so check with your vendor. The RADIUS server (for example, Cisco ACS) may proxy the authentication request to another authentication server, but from the security appliance's perspective it is talking only to a RADIUS server. For LDAP, the method of changing a password is proprietary to each LDAP server; currently the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers. Native LDAP requires an SSL connection, so you must enable LDAP over SSL before attempting password management for LDAP. By default, LDAP uses port 389 (636 over SSL).

QUESTION 76
In which stage of an attack does the attacker discover devices on a target network?
A. reconnaissance
B. gaining access
C. maintaining access
D. covering tracks
Correct Answer: A
Section: 1. Common Security Threats
/Reference:
The stages are:
- Reconnaissance: gathering information about targets (DNS queries, whois, and so on), including scanning for addresses, ports and vulnerabilities with tools such as Nmap.
- Gaining access: Metasploit, scripts, and so on.
- Maintaining access.
- Covering tracks.

QUESTION 77
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
A. Unidirectional Link Detection
B. Unicast Reverse Path Forwarding
C. TrustSec
D. IP Source Guard
Correct Answer: B
Section: 6. Common Layer 2 Attacks
/Reference:
Unicast Reverse Path Forwarding checks the source IP address of a packet against the router's routing table. Verifying symmetry means that the router's best route back to the source must point out the interface on which the packet arrived; this can be a problem on multi-homed edge routers with asymmetric routing. uRPF can be used in strict or loose mode.
This security feature enables a router to verify the reachability of the source address in packets being forwarded. In strict mode, the packet must be received on the interface that the router would use to forward the return packet. In loose mode, the source address only has to appear in the routing table. By default the default route is not considered; administrators can change this with the allow-default option, which allows the default route to be used in the source verification.

QUESTION 78
By which kind of threat is the victim tricked into entering username and password information at a disguised website?
A. phishing
B. spam
C. malware
D. spoofing
Correct Answer: A
Section: 1. Common Security Threats
/Reference:
Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company:

"phishing exercises in which criminals create replicas of commercial Web sites"

QUESTION 79
Which Cisco product can help mitigate web-based attacks within a network?
A. Adaptive Security Appliance
B. Web Security Appliance
C. Security Appliance
D. Identity Services Engine
Correct Answer: B
Section: 2. Security and Cisco Routers
/Reference:
Get advanced threat defense, advanced malware protection, application visibility and control, insightful reporting, and secure mobility. The Cisco Web Security Appliance (WSA) combines all of these forms of protection and more in a single solution. The WSA also helps to secure and control web traffic, while simplifying deployment and reducing costs.

QUESTION 80
Which type of IPS can identify worms that are propagating in a network?
A. signature-based IPS
B. policy-based IPS
C. anomaly-based IPS
D. reputation-based IPS
Correct Answer: C
Section: 8.0 Cisco IPS
/Reference:
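The strict/loose/allow-default logic described under Question 77 above, as an added example that is not Cisco code: a Python simulation of the uRPF source check against a constructed routing table. The prefixes, interface names, sample packets and the way allow-default is modelled are assumptions of this example.

```python
"""Unicast RPF source-address verification, simulated in Python.

Added example, not Cisco code. Models the check from Question 77: the
source address is looked up in the routing table (longest-prefix match);
strict mode then requires the matched route's egress interface to be the
interface the packet arrived on, loose mode only requires that a route
exists, and allow-default decides whether a match on 0.0.0.0/0 counts.
Routing table, interface names and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def route(prefix: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), interface)


# Constructed table for a dual-homed edge router: ISP A on Se0/0/0, ISP B on Se0/0/1.
ROUTING_TABLE: List[Route] = [
    route("10.1.0.0/16", "Gi0/1"),        # inside LAN
    route("10.1.5.0/24", "Gi0/2"),        # more specific inside subnet
    route("192.0.2.0/24", "Se0/0/0"),     # ISP A link
    route("198.51.100.0/24", "Se0/0/1"),  # ISP B link
    route("0.0.0.0/0", "Se0/0/0"),        # default route via ISP A
]


def lookup(table: List[Route], src: str) -> Optional[Route]:
    """Longest-prefix match for the source address; None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_permits(table: List[Route], src: str, ingress: str,
                 mode: str = "strict", allow_default: bool = False) -> bool:
    """True if the packet passes the uRPF check, False if it would be dropped."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    best = lookup(table, src)
    if best is None:
        return False                       # no route back to the source
    if best.prefix.prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if mode == "loose":
        return True                        # any usable route is enough
    return best.interface == ingress       # strict: reverse path must be symmetric


# Constructed packets: (label, source address, ingress interface).
SAMPLES = [
    ("inside host on its own LAN port", "10.1.5.7", "Gi0/2"),
    ("inside host on the wrong LAN port", "10.1.5.7", "Gi0/1"),
    ("spoofed inside source from ISP A", "10.1.2.3", "Se0/0/0"),
    ("ISP B address arriving via ISP A", "198.51.100.20", "Se0/0/0"),
    ("Internet source via ISP A (default route)", "203.0.113.5", "Se0/0/0"),
    ("Internet source via ISP B (default route)", "203.0.113.5", "Se0/0/1"),
]


def evaluate(mode: str, allow_default: bool = False) -> Dict[str, bool]:
    """Run every sample packet through uRPF with the given settings."""
    return {label: urpf_permits(ROUTING_TABLE, src, ifc, mode, allow_default)
            for label, src, ifc in SAMPLES}


if __name__ == "__main__":
    for mode, allow in (("strict", False), ("loose", False), ("strict", True)):
        print(f"--- mode={mode} allow-default={allow}")
        for label, ok in evaluate(mode, allow).items():
            print(f"{'permit' if ok else 'drop  '}  {label}")
    # Loose mode lets the spoofed inside source through: it only asks whether
    # 10.1.2.3 is routable at all, not whether it arrived on Gi0/1.
```

The run shows the trade-off the page hints at: strict mode drops the ISP B address arriving via ISP A (the asymmetric multi-homed case), while loose mode tolerates it but no longer catches a spoofed inside address coming from the Internet.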

QUESTION 81
When a company puts a security policy in place, what is the effect on the company's business?
A. minimizing risk
B. minimizing total cost of ownership
C. minimizing liability
D. maximizing compliance
Correct Answer: A
Section: 1. Common Security Threats
/Reference:
The goal of a security policy is to minimize risk, using the best available knowledge and guided by the balance of security vs. availability.

However, it needs standards, guidelines and procedures in place to actually work.

QUESTION 82
Which IOS feature can limit SSH access to a specific subnet under a VTY line?
A. access class
B. access list
C. route map
D. route tag
Correct Answer: A
Section: 5. Secure Network Management and Reporting
/Reference:
You can create an access list and, rather than applying it to a specific interface, apply it with the access-class command on the VTY line. This allows you to control the source (and possibly destination) IP address that is used to access the VTY (Telnet or SSH).

QUESTION 83
Which two protocols can SNMP use to send messages over a secure communications channel? (Choose two.)
A. DTLS
B. TLS
C. ESP
D. AH
E. ISAKMP
Correct Answer: AB
Section: 5. Secure Network Management and Reporting
/Reference:

QUESTION 84
Which two options are for securing NTP? (Choose two.)

A. a stratum clock
B. access lists
C. Secure Shell
D. authentication
E. Telnet
Correct Answer: BD
Section: 5. Secure Network Management and Reporting
/Reference:
The default command to set up a Cisco device as an NTP client is:
ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]
Specifying the key allows you to use authentication.
1. config t
2. [no] ntp authentication-key number md5 md5-string
3. (Optional) show ntp authentication-keys
4. [no] ntp trusted-key number
5. (Optional) show ntp trusted-keys
6. [no] ntp authenticate
7. (Optional) show ntp authentication-status
8. (Optional) copy running-config startup-config
Configuring NTP Access Restrictions
ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode. To remove access control to the NTP services, use the no form of this command.
ntp access-group {query-only | serve-only | serve | peer} access-list-number

1. config t
2. [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name
3. (Optional) show ntp access-groups
4. (Optional) copy running-config startup-config

QUESTION 85
What must be configured before Secure Copy can be enabled?
A. SSH
B. AAA
C. TFTP
D. FTP
Correct Answer: B
Section: 5. Secure Network Management and Reporting
/Reference:
The Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH), an application and a protocol that provide a secure replacement for the Berkeley r-tools.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
6. username name [privilege level] {password encryption-type encrypted-password}
7. ip scp server enable

QUESTION 86
Which two ports does Cisco Configuration Professional use? (Choose two.)
A. 80

B.
C. 443
D. 21
E. 23
Correct Answer: AC
Section: 5. Secure Network Management and Reporting
/Reference:
These are the ports on the router. When you check the Connect Securely check box, HTTPS port 443 and SSH port 22 information is automatically added to the device. If you did not check the Connect Securely check box, the HTTP port 80 and Telnet port 23 information is automatically added to the device. For more detail on ports used on the PC, look at:

QUESTION 87
Which two options are physical security threats? (Choose two.)
A. hardware
B. environment
C. access lists
D. device configurations
E. software version
Correct Answer: AB
Section: 1. Common Security Threats
/Reference:

QUESTION 88
Which command configures stateful packet inspection to inspect a packet after it passes the inbound ACL of the input interface?
A. ip inspect out
B. ip inspect in

C. ip inspect name audit-trail on
D. ip inspect name audit-trail off
Correct Answer: B
Section: 7. Cisco Firewall Technologies
/Reference:
The ip inspect command was part of the older CBAC firewall configuration. Since most communication is two-way, rather than configuring all the details for both directions, you could set up your access list to restrict outgoing traffic on an interface. You would then create an ip inspect rule so that traffic that passed through was "inspected". This meant the router would build a stateful table to watch outgoing traffic and allow the returned responses.
CBAC definition:
ip inspect name FWOUT tcp
! inspects all TCP traffic going out; FWOUT is the name of the inspect rule
ip access-list extended OUTBOUND
 permit ip any any
ip access-list extended INBOUND
 deny ip any any
interface serial0/0/0
 ip inspect FWOUT out
 ip access-group OUTBOUND out
 ip access-group INBOUND in

QUESTION 89
Which statement about identity NAT is true?
A. It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
B. It is a dynamic NAT configuration that translates a real IP address to a mapped IP address.
C. It is a static NAT configuration that translates a real IP address to a mapped IP address.
D. It is a dynamic NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.

Correct Answer: A
Section: 7. Cisco Firewall Technologies
/Reference:
Identity NAT falls into three categories: Dynamic Identity NAT, Static Identity NAT, and Policy-based Static Identity NAT. NAT Exemption is basically a similar config to Dynamic Identity NAT, but it restricts it to an access-list.
Dynamic Identity NAT: Only connections from the inside to elsewhere are translated.
ciscoasa(config)# nat (inside)
Static Identity NAT: If the interface ACLs allow the traffic, this can be used in either direction. Traffic to/from /24 (on the inside) is not translated.
ciscoasa(config)# static (inside,outside) netmask
Static Identity Policy NAT: Also, if the interface ACLs allow the traffic, connections between and can use this translation in either direction.
ciscoasa(config)# access-list NAT ex permit ip
ciscoasa(config)# static (inside,outside) access-list NAT
Think of the above as the following: static (inside,outside) if going to /24
NAT Exemption: Again, if the ACL allows it, connections between and can use this translation in either direction. Actually it's not a translation, but a "non" translation.
ciscoasa(config)# access-list NAT_EXEMPT extended permit ip
ciscoasa(config)# nat (inside) 0 access-list NAT_EXEMPT
Think of the above as: disable translation of to any interface if going to /24

QUESTION 90
Which element must you configure to allow traffic to flow from one security zone to another?

A. a zone pair
B. a site-to-site VPN
C. a zone list
D. a zone-based policy
Correct Answer: A
Section: 7. Cisco Firewall Technologies
/Reference:
When using zone-based firewalls, which is the new standard, the following rules apply: in order to communicate between interfaces in different zones, the zone pair AND policy must exist.
R3(config-sec-zone)# zone-pair security in-to-out source inside destination outside
! creates the pair and specifies direction
R3(config-sec-zone-pair)# service-policy type inspect MY-POLICY-MAP
! specifies which policy to use on the pair

QUESTION 91
With which two NAT types can Cisco ASA implement address translation? (Choose two.)

A. network object NAT
B. destination NAT
C. twice NAT
D. source NAT
E. double NAT
Correct Answer: AC
Section: 7. Cisco Firewall Technologies
/Reference:
How NAT is Implemented
The adaptive security appliance can implement address translation in two ways: network object NAT and twice NAT.
Main Differences Between Network Object NAT and Twice NAT
The main differences between these two NAT types are:
How you define the real address.
Network object NAT: You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.
Twice NAT: You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
How source and destination NAT is implemented.
Network object NAT: Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
Twice NAT: A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
Order of NAT rules.
Network object NAT: Automatically ordered in the NAT table.
Twice NAT: Manually ordered in the NAT table (before or after network object NAT rules).
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)

Cisco ASA network objects let us refer to an IP or multiple IPs as an object, simplifying our ability to make rules. The following example configures dynamic NAT that hides network behind a range of outside addresses through :
hostname(config)# object network my-range-obj
hostname(config-network-object)# range
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj

QUESTION 92
Which technology is the most effective choice for locally mirroring ports to support data investigation for a single device at the data layer?
A. RMON
B. SPAN
C. RSPAN
D. ERSPAN
Correct Answer: B
Section: 8.0 Cisco IPS
/Reference:
SPAN sessions define a monitor session; each monitor session has a source and a destination. With regular SPAN, both source and destination must be on the same device.

QUESTION 93
Which three actions can an inline IPS take to mitigate an attack? (Choose three.)
A. modifying packets inline
B. denying the connection inline
C. denying packets inline

D. resetting the connection inline
E. modifying frames inline
F. denying frames inline
Correct Answer: ABC
Section: 8.0 Cisco IPS
/Reference:
These answers are made true or false by the word inline. As Cisco defines it, inline mode event actions are different from promiscuous mode event actions.
Inline Mode Event Actions
Deny connection inline: This action prevents further communication for the specific TCP flow. This action is appropriate when there is the potential for a false alarm or spoofing and when an administrator wants to prevent the action but not deny further communication.
Deny packet inline: This action prevents the specific offending packet from reaching its intended destination. Other communication between the attacker and victim or victim network may still exist. This action is appropriate when there is the potential for a false alarm or spoofing. Note that for this action, the default time has no effect.
Modify packet inline: This action enables the IPS device to modify the offending part of the packet. However, it forwards the modified packet to the destination. This action is appropriate for packet normalization and other anomalies, such as TCP segmentation and IP fragmentation re-ordering.
Promiscuous Mode Event Actions
Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action. However, in some cases where the attack only needs one packet it may not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP that consistently try to establish new connections, nor are they effective if the reset cannot reach the destination host in time.
IPSs don't generally look at frames, just packets.

QUESTION 94
Which monitoring protocol uses TCP port 1470 or UDP port 514?
A. RELP
B. Syslog
C. SDEE
D. IMAP
E. SNMP

F. CSM
Correct Answer: B
Section: 8.0 Cisco IPS
/Reference:
UDP port 514 is the old Syslog port. TCP port 1470 is associated with the Kiwi Log Server. Syslog over TLS uses TCP port number

QUESTION 95
Which statement about the Atomic signature engine is true?
A. It can perform signature matching on a single packet only.
B. It can perform signature matching on multiple packets.
C. It can examine applications independent of the platform.
D. It can flexibly match patterns in a session.
Correct Answer: A
Section: 8.0 Cisco IPS
/Reference:
Signature Engine
Atomic
Simplest form
Consists of a single packet, activity, or event
Does not require the intrusion system to maintain state information

Easy to identify
Composite
Also called a stateful signature
Identifies a sequence of operations distributed across multiple hosts
Signature must maintain a state known as the event horizon

QUESTION 96
What is the function of an IPS signature?
A. It determines the best course of action to mitigate a threat.
B. It detects network intrusions by matching specified criteria.
C. It provides logging data for allowed connections.
D. It provides threat-avoidance controls.
Correct Answer: B
Section: 8.0 Cisco IPS
/Reference:

QUESTION 97
Which two options are advantages of a network-based Cisco IPS? (Choose two.)
A. It can examine encrypted traffic.
B. It can protect the host after decryption.
C. It is an independent operating platform.
D. It can observe bottom-level network events.
E. It can block traffic
Correct Answer: CD
Section: 8.0 Cisco IPS
/Reference:

QUESTION 98

Which command configures logging on a Cisco ASA firewall to include the date and time?
A. logging facility
B. logging enable
C. logging timestamp
D. logging buffered debugging
Correct Answer: C
Section: 7. Cisco Firewall Technologies
/Reference:

QUESTION 99
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled
Correct Answer: C
Section: 6. Common Layer 2 Attacks
/Reference:

QUESTION 100
Which sensor mode can deny attackers inline?
A. IPS
B. Fail-close
C. IDS
D. Fail-open
Correct Answer: A

Section: 8.0 Cisco IPS
/Reference:
Sensors usually operate in promiscuous mode. An IPS can deny traffic inline, since it is in the flow of the traffic.

QUESTION 101
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
Section: 8.0 Cisco IPS
/Reference:
Options are All, Error, Status, and Alerts.

QUESTION 102
Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions
Correct Answer: DEF
Section: 4. IOS ACLs

/Reference:
Router(config)# ip access-list extended Egress
Router(config-ext-nacl)# permit ip any any reflect iptraffic
Router(config-ext-nacl)# interface f0/1
Router(config-if)# ip access-group Egress out

interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
!
ip access-list extended inboundfilters
 evaluate iptraffic
! the reflexive ACL iptraffic will then be evaluated as well
Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists. You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.

QUESTION 103
Which actions can a promiscuous IDS take to mitigate an attack? (Choose three.)
A. modifying packets
B. requesting connection blocking
C. denying packets
D. resetting the TCP connection
E. requesting host blocking
F. denying frames
Correct Answer: BDE
Section: 8.0 Cisco IPS

/Reference:
An IDS that is not inline can be configured to request another security device to block traffic on its behalf. An inline IPS can deny traffic inline.

QUESTION 104
Which command is needed to enable SSH support on a Cisco Router?
A. crypto key lock rsa
B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key unlock rsa
Correct Answer: B
Section: 5. Secure Network Management and Reporting
/Reference:
The SSH protocol requires:
a fully qualified domain name
usernames and passwords
a self-signed digital certificate
The crypto key generate rsa command will generate the needed digital certificate.

QUESTION 105
Which protocol provides security to Secure Copy?
A. IPSec
B. SSH
C. HTTPS
D. ESP
Correct Answer: B
Section: 5. Secure Network Management and Reporting

/Reference:
Secure Copy is a secure replacement for FTP. It requires SSH.

QUESTION 106
Which security zone is automatically defined by the system?
A. The source zone
B. The self zone
C. The destination zone
D. The inside zone
Correct Answer: B
Section: 7. Cisco Firewall Technologies
/Reference:
All traffic to the router itself is considered as going to the self zone.
Zone Pairs
A zone pair allows you to specify a unidirectional firewall policy between two security zones. To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination zones. The source and destination zones of a zone pair must be security zones. You can select the default or self zone as either the source or the destination zone. The self zone is a system-defined zone which does not have any interfaces as members. A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not apply to traffic through the device. The most common usage of a firewall is to apply it to traffic through a device, so you need at least two zones (that is, you cannot use the self zone).

QUESTION 107
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A. The Internet Key Exchange protocol establishes security associations
B. The Internet Key Exchange protocol provides data confidentiality
C. The Internet Key Exchange protocol provides replay detection

D. The Internet Key Exchange protocol is responsible for mutual authentication
Correct Answer: AD
Section: 9.0 VPN Technologies
/Reference:
Setting up an IPsec VPN has two phases. IKE Phase 1 uses the Hash, Authentication, DH Group, Lifetime and Encryption settings to establish a secure, confidential link over which the endpoints can communicate. IKE Phase 2 uses the transform sets to send and possibly encrypt the data.

QUESTION 108
What is a possible reason for the error message?
Router(config)#aaa server?
% Unrecognized command
A. The command syntax requires a space after the word server
B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before continuing
Correct Answer: D
Section: 3.0 AAA
/Reference:
This is the syntax for an ASA. For example, to add one TACACS+ group with one primary and one backup server, one RADIUS group with a single server, and an NT domain server, enter the following commands:

hostname/contexta(config)# aaa-server AuthInbound protocol tacacs+
hostname/contexta(config-aaa-server-group)# max-failed-attempts 2
hostname/contexta(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server AuthInbound (inside) host
hostname/contexta(config-aaa-server-host)# key TACPlusUauthKey
hostname/contexta(config-aaa-server-host)# exit
hostname/contexta(config)# aaa-server AuthInbound (inside) host
hostname/contexta(config-aaa-server-host)# key TACPlusUauthKey2
hostname/contexta(config-aaa-server-host)# exit
hostname/contexta(config)# aaa-server AuthOutbound protocol radius
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server AuthOutbound (inside) host
hostname/contexta(config-aaa-server-host)# key RadUauthKey
hostname/contexta(config-aaa-server-host)# exit
hostname/contexta(config)# aaa-server NTAuth protocol nt
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server NTAuth (inside) host
hostname/contexta(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname/contexta(config-aaa-server-host)# exit

QUESTION 109
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels support all operating systems
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
/Reference:
Smart tunnel access allows a client TCP-based application to use a browser-based VPN connection to connect to a service. It offers the following advantages to users, compared to plug-ins and the legacy technology, port forwarding:
Smart tunnel offers better performance than plug-ins.
Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user to connect the local application to the local port.
Unlike port forwarding, smart tunnel does not require users to have administrator privileges.

Smart Tunnel Applications
Smart Tunnel allows any TCP-based client-server application to use ASA as a proxy gateway to the private side of a network. Examples of native applications that work through Smart Tunnel include Outlook, SharePoint, Telnet, Passive FTP, Lotus Sametime, Secure Shell (SSH), Remote Desktop Protocol (RDP), and Virtual Network Computing (VNC). Smart Tunnel does not support applications that use User Datagram Protocol (UDP). Using the Cisco ASA Device Manager (ASDM), an administrator can define which applications and networks are allowed access.
Smart Tunnel is also used to provide remote access to web applications that are difficult to rewrite, such as proprietary, non-standards-based Java, JavaScript, or Flash animations. Smart Tunnel also supports Single Sign-On to web applications that require either form-based POST parameters, HTTP basic, FTP, or NTLM authentication. Smart Tunnel can also co-exist with a Full-Tunnel VPN Client. For example, an employee can connect to the company network by using Full-Tunnel VPN Client, while simultaneously connecting to a vendor network by using Smart Tunnel.
Smart Tunnel Advantages over Port-Forwarding, Plug-ins
Smart Tunnel offers better performance than browser plug-ins. Port forwarding is the legacy technology for supporting TCP-based applications over a Clientless SSL VPN connection. Unlike port forwarding, Smart Tunnel simplifies the user experience by not requiring the user to connect the local application to the local port. Smart Tunnel does not require users to have administrator privileges. Smart Tunnel does not require the administrator to know application port numbers in advance.

QUESTION 110
Which option describes information that must be considered when you apply an access list to a physical interface?
A. Protocol used for filtering
B. Direction of the access class
C. Direction of the access group
D. Direction of the access list
Correct Answer: C
Section: 4. IOS ACLs
/Reference:
You can place one IP access list per interface per direction. An access list is applied to an interface with the access-group [listname] in/out command.
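The return-traffic logic behind CBAC's ip inspect rule (Question 88), reflexive access lists (Question 102) and the per-interface, per-direction access-group application (Question 110), as an added example that is not Cisco IOS code: a Python simulation in which an outbound session creates a temporary reversed entry that an inbound packet must match, with everything else falling through to the static inbound deny. Addresses, ports and the 300-second idle timeout are constructed assumptions.

```python
"""Stateful return-traffic filtering (reflexive ACL / CBAC style), simulated.

Added example, not Cisco IOS code. It models what the page's
'permit ip any any reflect iptraffic' + 'evaluate iptraffic' pair (and the
older 'ip inspect name FWOUT tcp' rule) do: an outbound session creates a
temporary reversed entry, inbound packets are permitted only if they match
a live entry, and everything else falls through to the static inbound ACL
(deny ip any any in the page's examples). Addresses, ports and the idle
timeout below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


SessionKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulFilter:
    def __init__(self, tracked=("tcp", "udp"), timeout: int = 300):
        self.tracked = tracked       # protocols that create session entries
        self.timeout = timeout       # idle timeout of a temporary entry, seconds
        self.entries: Dict[SessionKey, int] = {}   # reversed 5-tuple -> expiry

    def outbound(self, pkt: Packet, now: int) -> bool:
        """Egress ACL: permit ip any any, 'reflecting' tracked protocols."""
        if pkt.proto in self.tracked:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.entries[key] = now + self.timeout
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        """Ingress ACL: 'evaluate' the temporary entries, then deny ip any any."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.entries:
            self.entries[key] = now + self.timeout   # traffic refreshes the idle timer
            return True
        return False   # static inbound ACL: deny ip any any

    def _expire(self, now: int) -> None:
        stale = [k for k, exp in self.entries.items() if exp <= now]
        for k in stale:
            del self.entries[k]


def run_trace(tracked=("tcp", "udp")) -> List[Tuple[str, bool]]:
    """Replay a constructed packet sequence; returns (label, permitted) pairs."""
    fw = StatefulFilter(tracked=tracked, timeout=300)
    inside, web, dns, scanner = "10.1.1.10", "203.0.113.5", "203.0.113.53", "198.51.100.9"
    t = 0
    results: List[Tuple[str, bool]] = []
    # 1. Inside host opens an HTTPS session; the reversed tuple is recorded.
    fw.outbound(Packet("tcp", inside, 51000, web, 443), t)
    # 2. The server's reply matches the temporary entry.
    results.append(("https reply", fw.inbound(Packet("tcp", web, 443, inside, 51000), t + 1)))
    # 3. A reply-looking packet aimed at a different client port does not match.
    results.append(("wrong port", fw.inbound(Packet("tcp", web, 443, inside, 51001), t + 1)))
    # 4. Unsolicited inbound SSH from an outside host hits deny ip any any.
    results.append(("unsolicited ssh", fw.inbound(Packet("tcp", scanner, 40000, inside, 22), t + 2)))
    # 5. UDP DNS query and its reply (permitted only if udp is a tracked protocol).
    fw.outbound(Packet("udp", inside, 53123, dns, 53), t + 2)
    results.append(("dns reply", fw.inbound(Packet("udp", dns, 53, inside, 53123), t + 3)))
    # 6. After the idle timeout the HTTPS entry is gone; a late reply is denied.
    results.append(("https reply after timeout",
                    fw.inbound(Packet("tcp", web, 443, inside, 51000), t + 1 + 300)))
    return results


if __name__ == "__main__":
    print("reflexive ACL (tcp+udp):", run_trace())
    print("ip inspect ... tcp only :", run_trace(tracked=("tcp",)))
```

Running it with tracked=("tcp",) reproduces the page's "ip inspect name FWOUT tcp" behaviour, where the DNS reply is dropped because no UDP state was created.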

QUESTION 111
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: 9.0 VPN Technologies
/Reference:
NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT.

QUESTION 112
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A. sh crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active
Correct Answer: C
Section: 9.0 VPN Technologies
/Reference:

QUESTION 113
What is the purpose of a honeypot IPS?
A. To create customized policies
B. To detect unknown attacks
C. To normalize streams
D. To collect information about attacks

Correct Answer: D
Section: 8.0 Cisco IPS
/Reference:
The main commands for verifying IPsec connections on Cisco devices are:
show crypto isakmp sa - shows IKE Phase 1
show crypto ipsec sa - shows IKE Phase 2; will show the details from the crypto map, even when the tunnel is down
show crypto session - will show as DOWN when the IPsec connection hasn't been made; shows everything

QUESTION 114
Which type of mirroring does SPAN technology perform?
A. Remote mirroring over Layer 2
B. Remote mirroring over Layer 3
C. Local mirroring over Layer 2
D. Local mirroring over Layer 3
Correct Answer: C
Section: 8.0 Cisco IPS
/Reference:

QUESTION 115
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)

A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
Correct Answer: AD
Section: 3.0 AAA
/Reference:
The fallback methods are only used in case of error, not if a method fails. There may be more than one TACACS+ server listed in the group, so it is possible that additional TACACS+ servers may be contacted for authentication.

QUESTION 116
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM
Correct Answer: A
Section: 8.0 Cisco IPS
/Reference:

QUESTION 117
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
Correct Answer: B
Section: 4. IOS ACLs

/Reference:
Standard ACL
1) Able to restrict, deny and filter packets by host IP or subnet only.
2) Best practice is to put the standard ACL restriction near the source host/subnet (interface inbound).
3) No protocol-based restriction (only host IP).
Extended ACL
1) More flexible than a standard ACL.
2) You can filter packets by host/subnet as well as protocol/TCP port/UDP port.
3) Best practice is to put the restriction near the destination host/subnet (interface outbound).

QUESTION 118
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CCPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP
Correct Answer: AE
Section: 2. Security and Cisco Routers
/Reference:
The control plane tools can be implemented to limit the damage an attacker can attempt to inflict directly at one of the router's IP addresses (traffic addressed directly to the router, which the router must spend CPU resources to process).
Control Plane Policing (CoPP) and Control Plane Protection (CPPr)
Control plane policing. You can configure this as a filter for any traffic destined to an IP address on the router itself. For example, you can specify that management traffic, such as SSH/HTTPS/SSL and so on, can be rate-limited (policed) down to a specific level or dropped completely. This way, if an attack occurs that involves an excessive amount of this traffic, the excess traffic above the threshold set could simply be ignored and not have to be processed directly by the CPU. Another way to think of this is as applying quality of service (QoS) to the valid management traffic and policing to the bogus management traffic. This is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy can be applied globally to the router.

Control plane protection. This allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling. The three specific subinterfaces that can be classified are (1) Host subinterface, which handles traffic to one of the physical or logical interfaces of the router; (2) Transit subinterface, which handles certain data plane traffic that requires CPU intervention before forwarding (such as IP options); and (3) Cisco Express Forwarding (CEF)-Exception traffic (related to network operations, such as keepalives or packets with Time-To-Live [TTL] mechanisms that are expiring) that has to involve the CPU. The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP. This is also applied to a logical control plane interface, so that regardless of the logical or physical interface on which the packets arrive, the router processor can still be protected.
Routing Protocol Authentication
ACLs CAN be used, but they are primarily for traffic going through the router, not traffic to the router.

QUESTION 119
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two)
A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS
F. HTTP
Correct Answer: BE
Section: 2. Security and Cisco Routers
/Reference:

QUESTION 120
Which three properties are included in the inspection Cisco Map BASICFIREWALL? See the exhibits. (Scenario means live-data-mine: go look for all these objects, even if by different names, in the CCP; know where to look, and know that yours may be different. You need to know how to navigate and find the info, like show commands, but in an interface.)
gui2 (exhibit):

gui1 (exhibit):

A. HTTP
B. HTTPS
C. FTP
D. POP
E. SMTP
F. DNS
Correct Answer: ABE
Section: 7. Cisco Firewall Technologies
/Reference:
You must find the C3PL area under Security and investigate the inspection class maps and policy maps. If you cannot find the map under the class maps, look at the policy map to find the correct class map. Drill down; the map names may vary.

QUESTION 121
Scenario: You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which policy is assigned to Zone Pair LAN-TO-WAN?

Exhibit:
A. Sdm-cls-http
B. OUT_SERVICE
C. RegularTrafficAllowed
D. Ccp-policy-ccp-cls-2
Correct Answer: C
Section: 7. Cisco Firewall Technologies
/Reference:
Drill down.

QUESTION 122
Scenario: Using the pictures in the exhibit, answer the following question. You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question. Which class maps are used by the INBOUND rule?
Exhibit:

A. MailTraffic
B. Class-map-ccp-cls-2
C. Web
D. Class-map SERVICE_IN
Correct Answer: AC

Section: 7. Cisco Firewall Technologies
/Reference:
Assuming this means the INBOUND policy map. Drill down.

QUESTION 123
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question. What IP address will be used as the inside global address when traffic goes through NAT?
Exhibit:
A.
B.
C. Interface fastethernet 0/1
D. interface serial 0/0
Correct Answer: B
Section: 7. Cisco Firewall Technologies
/Reference:
Drill down.


More information

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting. This chapter describes how to log system messages and use them for troubleshooting. About, page 1 Guidelines for, page 7 Configure, page 8 Monitoring the Logs, page 26 History for, page 29 About System

More information

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER Higher Quality Better Service! Exam Actual QUESTION & ANSWER Accurate study guides, High passing rate! Exam Actual provides update free of charge in one year! http://www.examactual.com Exam : 642-617 Title

More information

Configuring DHCP Features and IP Source Guard

Configuring DHCP Features and IP Source Guard CHAPTER 21 This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the switch. It also describes how to configure

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-210 Title : Implementing Cisco Threat Control Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-210

More information