
Testking_640-802_V13.pdf
Section 1: Describe today's increasing network security threats and explain the need to implement a comprehensive security policy to mitigate the threats (2 questions)
QUESTION NO: 1
You need to create a security plan for the TestKing network. What should be part of a comprehensive network security plan?
A.Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
B.Minimize network overhead by deactivating automatic antivirus client updates
C.Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
D.Physically secure network equipment from potential access by unauthorized individuals
E.Allow users to develop their own approach to network security
F.None of the above
Answer: D
Explanation:
Computer systems and networks are vulnerable to physical attack; therefore, procedures should be implemented to ensure that systems and networks are physically secure. Physical access to a system or network provides the opportunity for an intruder to damage, steal, or corrupt computer equipment, software, and information. When computer systems are networked with other departments or agencies for the purpose of sharing information, it is critical that each party to the network take appropriate measures to ensure that its system will not be physically breached, thereby compromising the entire network. Physical security procedures may be the least expensive to implement but can also be the most costly if not implemented. The most expensive and sophisticated computer protection software can be overcome once an intruder obtains physical access to the network.
QUESTION NO: 2
As the TestKing network security administrator, you are concerned with the various possible network attacks. Which type of attack is characterized by a flood of packets that are requesting a TCP connection to a server?
Leading the way in IT testing and certification tools, www.testking.com
A.Trojan Horse
B.Reconnaissance
C.Denial of Service
D.Brute Force
E.Virus
F.Worm
Answer: C
Explanation:
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Among these are network connectivity attacks.
These attacks overload the victim with TCP packets so that its TCP/IP stack is not able to handle any further connections, and its processing queues are completely full of nonsense malicious packets. As a consequence of this attack, legitimate connections are denied. One classic example of a network connectivity attack is a SYN flood.
Section 2: Explain general methods to mitigate common security threats to network devices, hosts, and applications (2 questions)
QUESTION NO: 1
The TestKing administrator is concerned with enhancing network security. To do this, what are two recommended ways of protecting network device configuration files from outside security threats on the network? (Choose two)
A.Use a firewall to restrict access from the outside to the network devices
B.Allow unrestricted access to the console or VTY ports
C.Prevent the loss of passwords by disabling encryption
D.Always use Telnet to access the device command line because its data is automatically encrypted
E.Use SSH or another encrypted and authenticated transport to access device configurations
F.Use easy to remember passwords so that they are not forgotten
Answer: A, E
Explanation:
Whenever the trusted (inside) part of the network connects to an untrusted (outside, or Internet) network, a firewall should be used to ensure that only legitimate traffic is allowed within the enterprise. SSH is a secure alternative to Telnet that encrypts the traffic so that the data carried within cannot be "sniffed." It is always recommended to use SSH over Telnet whenever possible.
QUESTION NO: 2
You want to enable telnet access to a TestKing router as securely as possible. Which of the following commands would you execute if you wanted to enable others to establish a telnet session on a Cisco router?
A.testking1(config)# line console 0
  testking1(config-if)# enable password testking
B.testking1(config)# line vty 0
  testking1(config-line)# enable password testking
C.testking1(config)# line vty 0
  testking1(config-line)# enable secret testking
  testking1(config-line)# login
D.testking1(config)# line console 0
  testking1(config-line)# enable secret testking
  testking1(config-line)# login
E.testking1(config)# line console 0
  testking1(config-line)# password testking
  testking1(config-line)# login
F.testking1(config)# line vty 0
  testking1(config-line)# password testking
  testking1(config-line)# login
Answer: F
Explanation:
Telnet sessions use virtual terminal sessions, which are configured under the "line vty" portion of the configuration. There are 5 total vty sessions that can be configured, numbered 0-4. In order to be prompted for a password, one must be configured. Choice F gives the 3 commands needed to allow a single telnet session.
Incorrect Answers:
A, B, C, D. The telnet password needs to be configured in addition to the enable password. Without the initial password configured, users that try to telnet to the router will receive a "password required, but none set" message.
D, E. Telnet uses VTY ports, not the console port.
Section 3: Describe the functions of common security appliances and applications (1 question)
QUESTION NO: 1
You want to increase the security in the TestKing network. What are the two security appliances that can be installed in this network? (Choose two)
A.SDM
B.ATM
C.IDS
D.IOX
E.IPS
F.IOS
G.FR
Answer: C, E
Section 4: Describe security recommended practices including initial steps to secure network devices (4 questions)
QUESTION NO: 1
TestKing University has a small campus where 25 faculty members are located. The faculty offices and student computers are currently on the same network. The faculty is concerned about students being able to capture packets going across the network and obtain sensitive material. What could a network administrator do to protect faculty network traffic from student connections?
A.Install anti-virus software on the student computers.
B.Put the faculty computers in a separate VLAN.
C.Power down the switches that connect to faculty computers when they are not in use.
D.Remove the student computers from the network and put them on a peer-to-peer network.
E.Create an access list that blocks the students from the Internet where the hacking tools are located.
F.None of the above
Answer: B
Explanation:
Main Functions of a VLAN:
1. The VLAN can group several broadcast domains into multiple logical subnets.
2. You can accomplish network additions, moves, and changes by configuring a port into the appropriate VLAN.
3. You can place a group of users who need high security into a VLAN so that no users outside of the VLAN can communicate with them.
4. As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
5. VLANs can enhance network security.
6. VLANs increase the number of broadcast domains while decreasing their size.
QUESTION NO: 2
What are three valid reasons to assign ports on VLANs on a new TestKing LAN switch? (Choose three)
A.To make VTP easier to implement
B.To isolate broadcast traffic
C.To increase the size of the collision domain
D.To allow more devices to connect to the network
E.To logically group hosts according to function
F.To increase network security
Answer: B, E, F
Explanation:
Main Functions of a VLAN (see previous question):
1. The VLAN can group several broadcast domains into multiple logical subnets.
2. You can accomplish network additions, moves, and changes by configuring a port into the appropriate VLAN.
3. You can place a group of users who need high security into a VLAN so that no users outside of the VLAN can communicate with them.
4. As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
5. VLANs can enhance network security.
6. VLANs increase the number of broadcast domains while decreasing their size.
QUESTION NO: 3
What set of router configuration commands causes the message shown in the exhibit below?
A.TestKing1(config)# line console 0
  TestKing1(config-line)# service password-encryption
  TestKing1(config-line)# login
B.TestKing1(config)# line console 0
  TestKing1(config-line)# enable password cisco
  TestKing1(config-line)# login
C.TestKing1(config)# line console 0
  TestKing1(config-line)# enable password cisco
  TestKing1(config-line)# logging synchronous
D.TestKing1(config)# line console 0
  TestKing1(config-line)# enable secret cisco
  TestKing1(config-line)# login
E.TestKing1(config)# line console 0
  TestKing1(config-line)# password cisco
  TestKing1(config-line)# login
F.None of the above
Answer: E
Explanation:
Use the line con 0 command to configure the console line. Use the login and password commands to configure the console for login with a password. Here is an example using the Battle Creek router:
Battle>enable
Password:*******
TK1#conf term
TK1(config)#line con 0
TK1(config-line)#login
TK1(config-line)#password oatmeal
TK1(config-line)#^Z
The "login" command is needed to force users to log in to the router when using the console connection.
QUESTION NO: 4
Refer to the TestKing network shown below:
For security reasons, information about TestKing1, including platform and IP addresses, should not be accessible from the Internet. This information should, however, be accessible to devices on the internal networks of TestKing1. Which command or series of commands will accomplish these objectives?
A.TestKing1(config)#no cdp enable
B.TestKing1(config)#no cdp run
C.TestKing1(config)#interface s0/0 TestKing1(config-if)#no cdp run
D.TestKing1(config)#interface s0/0 TestKing1(config-if)#no cdp enable
E.None of the above
Answer: D
Explanation:
CDP is a proprietary protocol designed by Cisco to help administrators collect information about both locally attached and remote devices. By using CDP, you can gather hardware and protocol information about neighbor devices, which is useful for troubleshooting and documenting the network.
To disable CDP on a particular interface, use the "no cdp enable" command. To disable CDP on the entire router, use the "no cdp run" command in global configuration mode.
TOPIC 7, IMPLEMENT, VERIFY, AND TROUBLESHOOT NAT AND ACLs IN A MEDIUM-SIZED ENTERPRISE BRANCH NETWORK. (75 questions)
Section 1: Describe the purpose and types of ACLs (9 questions)
QUESTION NO: 1
An extended access list needs to be applied to a TestKing router. What three pieces of information can be used in an extended access list to filter traffic? (Choose three)
A.Source IP Address and destination IP address
B.Source MAC address and destination MAC address
C.Source switch port number
D.VLAN number
E.Protocol
F.TCP or UDP port numbers
Answer: A, E, F
QUESTION NO: 2
The TestKing administrator is implementing access control lists in the TestKing network. What are two reasons that the TestKing network administrator would use access lists? (Choose two.)
A.To filter traffic as it passes through a router
B.To filter traffic that originates from the router
C.To replace passwords as a line of defense against security incursions
D.To control broadcast traffic through a router
E.To control VTY access into a router
F.To encrypt traffic
Answer: A, E
QUESTION NO: 3
Router TK1 is configured with an inbound ACL. When are packets processed in this inbound access list?
A. Before they are routed to an outbound interface.
B.After they are routed for outbound traffic.
C.After they are routed to an outbound interface while queuing.
D.Before and after they are routed to an outbound interface.
E.Depends on the configuration of the interface
F.None of the above
Answer: A
Explanation:
When a packet is received on an interface with an inbound access list configured, the packets are matched against the access list to determine if they should be permitted or denied. After this check, the packets are processed by the routing function. The access list check is always done first.
Incorrect Answers:
B, C. The packets are always processed by the inbound access list prior to being routed.
D. All packets are always checked against a specific access list only once. While packets traversing through a router may be checked against different access lists for each interface and in each direction (inbound and outbound), each access list is always only consulted once.
QUESTION NO: 4
Many TestKing routers are configured using access lists. Which of the following are benefits provided with access control lists (ACLs)? (Select all that apply)
A.ACLs monitor the number of bytes and packets.
B.Virus detection.
C.ACLs identify interesting traffic for DDR.
D.ACLs provide IP route filtering.
E.ACLs provide high network availability.
F.ACLs classify and organize network traffic.
Answer: C, D
Explanation:
IP access control lists allow a router to discard some packets based on criteria defined by the network engineer. The goal of these filters is to prevent unwanted traffic in the network - whether to prevent hackers from penetrating the network or just to prevent employees from using systems they should not be using.