Добавил:
Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
Securing Cisco IOS Networks Study Guide - Carl Timm.pdf
Скачиваний:
71
Добавлен:
24.05.2014
Размер:
9.74 Mб
Скачать

Assessment Test

1.Which of the following commands trace AAA packets and monitor their activities? (Choose all that apply.)

A.debug aaa authentication

B.debug aaa authorization

C.debug aaa all

D.debug aaa accounting

2.What is the last header you can read in clear text when a packet has been encrypted using IPSec?

A.Physical

B.Data Link

C.Network

D.Transport

3.Which of the following is an example of a configuration weakness?

A.Old software

B.No written security policy

C.Unsecured user accounts

D.No monitoring of the security

4.Which IOS feature best prevents DoS SYN flood attacks?

A.IPSec

B.TCP Intercept

C.MD5 authentication

D.ACLs

5.RSA digital signatures and ___________ are IPSec authentication types supported by the Cisco Easy VPN Server.

A.Pre-shared keys

B.LSA analog signatures

C.DSS

D.DES

E.3DES

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Assessment Test

xxxi

6.Which of the following commands do you use to change the maximum number of half-open TCP connections per minute to 100?

A.ip inspect tcp synwait-time 100

B.ip inspect tcp idle-time 100

C.ip inspect max-incomplete high 100

D.ip inspect one-minute high 100

E.ip inspect tcp max-incomplete host 100

7.IP spoofing, man-in-the-middle, and session replaying are examples of what type of security weakness?

A.Configuration weakness

B.TCP/IP weakness

C.Policy weakness

D.User password weakness

8.Alert is the ___________ for attack signatures in the IOS Firewall IDS.

A.Default action

B.Non-default action

C.Exclusionary rule

D.Inclusionary rule

E.Configured action

9.If you want to make sure you have the most secure authentication method, what should you use?

A.Windows username/password

B.Unix username/password

C.Token cards/soft tokens

D.TACACS+

10.Which of the following are considered typical weaknesses in any network implementation? (Choose all that apply.)

A.Policy weaknesses

B.Technology weaknesses

C.Hardware weaknesses

D.Configuration weaknesses

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

xxxii Assessment Test

11.What are RSA-encrypted nonces?

A.Manually generated/exchanged public keys

B.Automatically generated/exchanged public keys

C.Manually generated/exchanged private keys

D.Automatically generated/exchanged private keys

12.What function does the clear crypto isakmp * command perform?

A.It resets all LDPM SAs configured on a device.

B.It resets all IKE RSAs configured on a device.

C.It resets all IKE SAs configured on a device.

D.It resets the crypto settings for a configured peer.

13.Which component of AAA provides for the login, password, messaging, and encryption of users?

A.Accounting

B.Authorization

C.Authentication

D.Administration

14.Which of the following commands do you use to change the maximum time CBAC waits before closing idle TCP connections to 10 minutes?

A.ip inspect tcp synwait-time 600

B.ip inspect tcp idle-time 600

C.ip inspect max-incomplete high 600

D.ip inspect one-minute high 600

E.ip inspect tcp max-incomplete host 600

15.Which of the following are examples of policy weaknesses? (Choose all that apply.)

A.Absence of a proxy server

B.No trusted networks

C.Misconfigured network equipment

D.No disaster recovery plan

E.Technical support personnel continually changing

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Assessment Test

xxxiii

16.The ESP protocol provides which service not provided by the AH protocol?

A.Data confidentiality

B.Authentication services

C.Tamper detection

D.Anti-replay detection

17.Which of the following are valid methods for populating the CiscoSecure User Database? (Choose all that apply.)

A.Manually

B.Novell NDS

C.Windows NT

D.Database Replication utility

E.Database Import utility

18.What does the command aaa new-model do?

A.It creates a new AAA server on the NAS.

B.It deletes the router’s configuration and works the same as erase startup-config.

C.It disables AAA services on the router.

D.It enables AAA services on the router.

19.A connection that has failed to reach an established state is known as ___________?

A.Full-power

B.Half-baked

C.Half-open

D.Chargen

20.Which of the following security database protocols can be used between the NAS and CSNT? (Choose all that apply.)

A.NTLM

B.SNA

C.TACACS+

D.Clear text

E.RADIUS

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

xxxiv Assessment Test

21.Which of the following are examples of a TCP/IP weakness? (Choose all that apply.)

A.Trojan horse

B.HTML attack

C.Session replaying

D.Application layer attack

E.SNMP

F.SMTP

22.You have just configured IPSec encryption. Which problem are you trying to solve?

A.Denial-of-service (DoS) attacks

B.Rerouting

C.Lack of legal IP addresses

D.Eavesdropping

23.You have just configured MD5 authentication for BGP. Which type of attack are you trying to prevent?

A.DoS

B.Rerouting

C.Hijacking of legal IP addresses

D.Eavesdropping

24.Using your web browser, which port do you go to (by default) to access the CSNT web server?

A.80

B.202

C.1577

D.2002

E.8000

25.To help you both set up and configure CBACs, Cisco has defined six steps for configuring CBAC. What is the correct order for the six steps?

A.Define Port-to-Application Mapping (PAM).

B.Set audit trails and alerts.

C.Test and verify CBAC.

D.Set global timeouts and thresholds.

E.Apply inspection rules and ACLs to interfaces.

F.Define inspection rules.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Assessment Test xxxv

26.What port does ISAKMP use for communications?

A.TCP 50

B.UDP 50

C.TCP 500

D.UDP 500

27.Policy weaknesses, technology weaknesses, and configuration weaknesses are examples of what type of implementation weakness? (Choose all that apply.)

A.Policy implementation

B.Network implementation

C.Hardware implementation

D.Software implementation

28.The ____________________ implement(s) software to protect TCP server from TCP SYN flood attacks.

A.Cisco access control lists (ACL)

B.TCP Intercept feature

C.Cisco queuing methods

D.Cisco CBACS

29.Which of the following do not participate in the Cisco IOS Cryptosystem? (Choose all that apply.)

A.DH

B.MD5

C.ESP

D.DES

E.BPR

30.The ip inspect tcp max-incomplete host 100 command performs what function when invoked?

A.It has no known effect on the router.

B.It sets the total number of TCP connections per host to 1000.

C.It sets the total number of TCP connections per host to 100.

D.It changes the maximum number of half-open TCP connections per host to 1000.

E.It changes the maximum number of half-open TCP connections per host to 100.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

xxxvi Assessment Test

31.What key does Diffie-Hellman (DH) create during IKE phase 1?

A.Xa

B.Bx

C.Xor

D.NorX

32.Which of the following authentication methods is not supported by CiscoSecure ACS 3.0 for Windows NT/2000? (Choose all that apply.)

A.Novell NDS

B.Banyan StreetTalk

C.DNS

D.POP

E.ODBC

F.MS Directory Services

33.The ip inspect max-incomplete high 1000 command changes what setting?

A.It changes the maximum number of half-open TCP connections to 100.

B.It changes the minimum number of half-open TCP connections to 1000.

C.It changes the maximum number of half-open TCP connections to 1000.

D.It changes the IP inspect idle timer to 1000 seconds.

E.It changes the IP inspect idle timer to 100 seconds.

34.Which of the following statements about CS ACS 3.0 token-card server support are true? (Choose all that apply.)

A.Microsoft is supported with service pack 6.0a.

B.AXENT is natively supported.

C.CryptoCard is natively supported.

D.Novell NDS v4.x or higher is supported.

E.ODBC with 6.0.1.1a service pack is supported.

35.IOS version 12.2(8)T is the minimum version required in order to run ___________.

A.LPDM

B.Windows NT Terminal Services

C.IOS Easy VPN Server

D.sRAS (Secure RAS) or sDNS (Secure Domain Name Service)

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Assessment Test

xxxvii

36.Memory usage and ___________ are two issues to consider when implementing the IOS Firewall IDS.

A.User knowledge

B.Signature coverage

C.User address space

D.TACACS+ server type

37.What does the aaa authentication login default tacacs+ none command instruct the router to do? (Choose all that apply.)

A.No authentication is required to log in.

B.TACACS+ is the default login method for all authentication.

C.If the TACACS+ process is unavailable, no access is permitted.

D.RADIUS is the default login method for all authentication.

E.If the TACACS+ process is unavailable, no login is required.

F.If the RADIUS process is unavailable, no login is required.

38.___________ and ___________ are both supported by Cisco Easy VPN Server.

A.Authentication using DSS

B.DH1

C.DH2

D.Manual keys

E.Perfect forward secrecy (PFS)

F.DH5

39.What does an atomic signature trigger on?

A.Single packet

B.Duplex packet

C.Atomic packet

D.Two-way packet

40.Which of these statements are true regarding the following debug output? (Choose all that apply.)

01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser=''port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN

priv=101:42:12:

AAA/AUTHEN/CONT (864264997): Method=LOCAL

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

xxxviii Assessment Test

A.This debug output shows that the user is using a remote database for authenticating the user todd.

B.This is a debug output from the authorization component of AAA.

C.This is a debug output from the authentication component of AAA.

D.The password will be checked against the local line password.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com