- CCIE Security Written Exam Blueprint
- General Networking Topics
- “Do I Know This Already?” Quiz
- Foundation Topics
- Networking Basics—The OSI Reference Model
- Ethernet Overview
- Internet Protocol
- Variable-Length Subnet Masks
- Classless Interdomain Routing
- Transmission Control Protocol
- TCP Services
- Routing Protocols
- ISDN
- IP Multicast
- Asynchronous Communications and Access Devices
- Foundation Summary
- Requirements for FastEther Channel
- Scenario
- Scenario 2-1: Routing IP on Cisco Routers
- Scenario Answers
- Scenario 2-1 Answers: Routing IP on Cisco Routers
- Application Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Domain Name System
- Trivial File Transfer Protocol
- File Transfer Protocol
- Hypertext Transfer Protocol
- Secure Socket Layer
- Simple Network Management Protocol
- Simple Mail Transfer Protocol
- Network Time Protocol
- Secure Shell
- Foundation Summary
- Scenario
- Scenario Answers
- Scenario 3-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- Cisco Hardware
- show and debug Commands
- Password Recovery
- Basic Security on Cisco Routers
- IP Access Lists
- Foundation Summary
- Scenario
- Scenario Answers
- Security Protocols
- “Do I Know This Already?” Quiz
- Foundation Topics
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Kerberos
- Virtual Private Dial-Up Networks (VPDN)
- Encryption Technology Overview
- Internet Key Exchange (IKE)
- Foundation Summary
- Scenario
- Scenario 5-1: Configuring Cisco Routers for IPSec
- Scenario Answers
- Scenario 5-1 Solutions
- “Do I Know This Already?” Quiz
- Foundation Topics
- UNIX
- Microsoft NT Systems
- Common Windows DOS Commands
- Cisco Secure for Windows and UNIX
- Cisco Secure Policy Manager
- Cisco Secure Intrusion Detection System and Cisco Secure Scanner
- Cisco Security Wheel
- Foundation Summary
- Scenarios
- Scenario 6-1: NT File Permissions
- Scenario 6-2: UNIX File Permissions
- Scenario Answers
- Scenario 6-1 Solution
- Scenario 6-2 Solution
- Security Technologies
- “Do I Know This Already?” Quiz
- Foundation Topics
- Advanced Security Concepts
- Cisco Private Internet Exchange (PIX)
- Cisco IOS Firewall Security Feature Set
- Public Key Infrastructure
- Virtual Private Networks
- Foundation Summary
- Scenario
- Scenario Answer
- Scenario 7-1 Solution
- “Do I Know This Already?” Quiz
- Foundation Topics
- Network Security Policies
- Standards Bodies and Incident Response Teams
- Vulnerabilities, Attacks, and Common Exploits
- Intrusion Detection System
- Protecting Cisco IOS from Intrusion
- Foundation Summary
- Scenario
- Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
- Scenario Answer
- Scenario 8-1 Solution
Chapter 5
Security Protocols
This chapter covers some of today’s most widely used technologies that give network administrators the ability to ensure sensitive data is secure from unauthorized sources.
Standards such as IP security (IPSec) and encryption standards are covered, as are all the fundamental foundation topics you need to master the topics covered in the security written exam.
This chapter covers the following topics:
•Security protocols—This section covers the security protocols authentication, authorization, and accounting (AAA), RADIUS, Terminal Access Controller Access Control System Authentication Plus (TACACS+) protocol, and Kerberos.
•Virtual private dial-up networks—This section covers VPDNs and their use in dialup IP networks.
•Data encryption—This section covers encrypting IP using standard encryption, such as Triple Data Encryption Standard (DES) and IPSec. The mechanism used to authenticate encryption tunnels is also covered.
•Certificate Enrollment Protocol—This section briefly covers the Cisco-defined certificate management protocol, CEP, and how a device communicates with a certificate authority.
“Do I Know This Already?” Quiz
This assessment quiz’s purpose is to help you determine how to spend your limited study time. If you can answer most or all these questions, you might want to skim the “Foundation Topics” section and return to it later, as necessary. Review the “Foundation Summary” section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, read through the entire “Foundation Topics” section and review it until you feel comfortable with your ability to answer all these and the Q & A questions at the end of the chapter.
200 Chapter 5: Security Protocols
Answers to these questions can be found in Appendix A, “Answers to Quiz Questions.”
1 What are the three components of AAA? (Choose the three best answers.)
a. Accounting
b. Authorization
c. Adapting
d. Authentication
2 What IOS command must be issued to start AAA on a Cisco router?
a. aaa old-model
b. aaa model
c. aaa new model
d. aaa new-model
e. aaa new_model
3 What algorithm initiates and encrypts a session between two routers and exchanges keys between two encryption devices?
a. Routing algorithm
b. Diffie-Hellman algorithm
c. The switching engine
d. The stac compression algorithm
4 Can you configure RADIUS and TACACS+ concurrently on a Cisco IOS router?
a. No.
b. Yes, provided you have the same list names applied to the same interfaces.
c. Yes, provided you have different list names applied to the same interfaces.
d. Yes, provided you have different list names applied to different interfaces.
5 How do you enable a RADIUS server to debug messages for Cisco Secure on a UNIX server?
a. Terminal monitor.
b. Edit the configuration file on the router.
c. Edit the syslog.conf and csu.cfg files.
d. Not possible, as UNIX does not run IOS.
6 What RADIUS attribute is used by vendors and not predefined by RFC 2138?
a. 1
b. 2
c. 3
d. 4
e. 13
f. 26
g. 333
h. 33
7 RADIUS can support which of the following protocols?
a. PPP
b. OSPF
c. AppleTalk
d. IPX
e. NLSP
8 When a RADIUS server identifies a wrong password entered by a remote user, what packet type is sent?
a. Accept-user
b. Reject-users
c. Reject-deny
d. Reject-accept
e. Reject-Error
f. Access-reject
9 Identify the false statement about RADIUS.
a. RADIUS is a defined standard in RFC 2138/2139.
b. RADIUS runs over TCP port 1812.
c. RADIUS runs over UDP port 1812.
d. RADIUS accounting information runs over port 1646.
10 What is the RADIUS key for the following configuration? If this configuration is not valid, why isn’t it?
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum
a. IlovemyMum
b. Ilovemymum
c. This configuration will not work because the command aaa new-model is missing.
d. 3.3.3.3
11 What is the RADIUS key for the following configuration?
aaa new-model
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum
a. IlovemyMum
b. Ilovemymum
c. This configuration will not work.
d. 3.3.3.3
12 What versions of TACACS does Cisco IOS support? (Select the best three answers.)
a. TACACS+
b. TACACS
c. Extended TACACS
d. Extended TACACS+
13 TACACS+ is transported over which TCP port number?
a. 520
b. 23
c. 21
d. 20
e. 49
14 What is the predefined TACACS+ server key for the following configuration?
radius-server host 3.3.3.3
radius-server key CCIEsrock
a. 3.3.3.3
b. Not enough data
c. CCIESROCK
d. CCIEsRock
e. CCIEsrock
15 What does the following command accomplish?
tacacs_server host 3.3.3.3
a. Defines the remote TACACS+ server as 3.3.3.3
b. Defines the remote RADIUS server as 3.3.3.3
c. Not a valid IOS command
d. 3.3.3.3
e. Host unknown; no DNS details for 3.3.3.3 provided
16 Which of the following protocols does TACACS+ support?
a. PPP
b. AppleTalk
c. NetBIOS
d. All the above
17 Kerberos is defined at what layer of the OSI model?
a. Layer 1
b. Layer 2
c. Layer 3
d. Layer 4
e. Layer 5
f. Layer 6
g. Layer 7
18 What definition best describes a key distribution center when Kerberos is applied to a network?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host
19 What definition best describes a Kerberos credential?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host
20 What definition best describes Kerberized?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host
21 What definition best describes a Kerberos realm?
a. A general term that refers to authentication tickets
b. An authorization level label for the Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host
22 What IOS command enables VPDN in the global configuration mode?
a. vpdn-enable
b. vpdn enable
c. vpdn enable in interface mode
d. Both a and c are correct
23 What is the number of bits used with a standard DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits
24 What is the number of bits used with a 3DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits
25 In IPSec, what encapsulation protocol encrypts only the data and not the IP header?
a. ESP
b. AH
c. MD5
d. HASH
e. Both a and b are correct.
26 In IPSec, what encapsulation protocol encrypts the entire IP packet?
a. ESH
b. AH
c. MD5
d. HASH
e. Both a and b are correct.
27 Which of the following is AH’s IP protocol number?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444
28 Which of the following is ESP’s IP protocol number?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444
29 Which of the following is not part of IKE phase I negotiations?
a. Authenticating IPSec peers
b. Exchanging keys
c. Establishing IKE security
d. Negotiating SA parameters
30 Which of the following is not part of IKE phase II?
a. Negotiates IPSec SA parameters
b. Periodically updates IPSec SAs
c. Rarely updates SAs (at most, once a day)
d. Establishes IPSec security parameters
31 Which is the faster mode in IPSec?
a. Main mode
b. Fast mode
c. Aggressive mode
d. Quick mode
32 Certificate Enrollment Protocol (CEP) runs over what TCP port number? (Choose the best two answers.)
a. Same as HTTP
b. Port 80
c. Port 50
d. Port 51
e. Port 333
f. Port 444