Chapter 14. Practice Exam 2


Question 1

A _________ is classified as unauthorized discovery and mapping of systems, services, or vulnerabilities on a network.

  • A. Reconnaissance attack

  • B. Access attack

  • C. Denial-of-service attack

Question 2

Which of the following attacks uses a network adapter card in promiscuous mode to capture network traffic?

  • A. Denial of service

  • B. Packet sniffing

  • C. Trojan horse

  • D. Port redirection

Question 3

In which of the following ways can IP spoofing be mitigated? (Choose all that apply.)

  • A. Access control

  • B. RFC 2827 filtering

  • C. Authentication

  • D. Cryptography

Question 4

In which of the following ways can application attacks be implemented? (Choose all that apply.)

  • A. By exploiting protocol weaknesses inherent to an application

  • B. Implementing a Trojan horse

  • C. Encryption

  • D. Vulnerability patching

Question 5

How are port redirection attacks classified?

  • A. IP spoofing

  • B. Man-in-the-middle

  • C. Trust exploitation

  • D. Application layer attack

Question 6

Which of the following statements are true about creating a security policy? (Choose all that apply.)

  • A. Should not provide a process to audit existing security policy

  • B. Defines which behavior is allowed

  • C. Does not define which behavior is not allowed

  • D. Creates a basis of legal action

  • E. Defines process of handling network security incidents

Question 7

Which of the following commands encrypts all the passwords on a Cisco router?

  • A. service-password encryption

  • B. service encryption

  • C. service password encryption

  • D. service password-encryption

Question 8

Which of the following is the first step that is initiated when a remote user tries to connect to a network resource using AAA?

  • A. Router communicates with the ACS

  • B. Client establishes connection with the router

  • C. ACS prompts user for username and password

  • D. ACS authenticates the user

Question 9

Which of the following authentication methods is the most secure?

  • A. No username and no password

  • B. OTP

  • C. Token cards

  • D. Username and password (aging)

Question 10

Which of the following are characterized as remote network access types? (Choose all that apply.)

  • A. Async ports

  • B. Group-async BRI ports

  • C. VTY

  • D. Serial PRI ports

Question 11

What does the word TACGROUP in the command aaa authentication login TACGROUP local mean?

  • A. TACGROUP is a method list.

  • B. TACGROUP is an access list.

  • C. TACGROUP is a prefix list.

  • D. TACGROUP is a system default value for TACACS+.

Question 12

Which of the following commands allows you to access the enable mode of the router using the enable secret password when the AAA server is offline?

  • A. aaa authentication enable default group tacacs+

  • B. aaa authorization network tacacs+ group tacacs+

  • C. aaa accounting system default start-stop group tacacs+

  • D. aaa authentication login default local

Question 13

Which of the following authentication protocols are supported by the Cisco Secure Access Control Server (CSACS) 3.0.1 for Windows? (Choose all that apply.)

  • A. EAP-MD5

  • B. EAP-TLS

  • C. LEAP

  • D. DES

  • E. AES

Question 14

Which of the following databases does CSACS support? (Choose all that apply.)

  • A. Windows NT

  • B. Windows 2000

  • C. External Token Servers

  • D. NDS

  • E. FreeBSD

Question 15

Which of the following CSACS services is responsible for administrative tasks and comes equipped with a Web server?

  • A. CSAdmin

  • B. CSAuth

  • C. CSTacacs

  • D. CSLog

  • E. CSDBSynch

  • F. CSMonitor

Question 16

Which of the following commands configures a TACACS+ server located at 10.10.0.1 with the key ciscorocks! on the perimeter router?

  • A. tacacs-server key ciscorocks! host 10.10.0.1

  • B. tacacs-server host 10.10.0.1 key ciscorocks!

  • C. tacacs-server 10.10.0.1 ciscorocks!

  • D. tacacs-server 10.10.0.1 key ciscorocks!

Question 17

What is the consequence of applying the following AAA authentication method to the aux port?

 
 aaa authentication login TESTING none group tacacs+ groups radius enable

  • A. All users will be able to access the aux port.

  • B. Only users who are configured in the TACACS+ database will be able to access the aux port.

  • C. Only users who are configured in the RADIUS database will be able to access the aux port.

  • D. Only users who know the enable password will be able to access the aux port.

  • E. No one will be able to access the aux port.

Question 18

Which of the following statements are true? (Choose all that apply.)

  • A. TACACS+ uses TCP port 49.

  • B. RADIUS uses TCP port 49.

  • C. The entire payload is encrypted in TACACS+.

  • D. RADIUS uses TCP port 1645 for authentication.

  • E. RADIUS uses UDP port 1646 for authorization.

Question 19

You have just configured the following access list and would like only these hosts to have Telnet access to the Central router. Which of the following commands do you use to make sure this implementation works?

 
 Central(config)#access-list 1 permit host 10.10.0.1
 Central(config)#access-list 1 permit host 10.10.0.2

  • A. ip access-group 1 in

  • B. access-group 1 in

  • C. ip access-class 1 in

  • D. access-class 1 in

Question 20

Which command disables CDP on a router globally?

  • A. Central(config)#no cdp run

  • B. Central(config-if)#no cdp enable

  • C. Central(config-if)#no cdp run

  • D. Central(config)#no cdp enable

Question 21

Which of the following commands prevents someone from accessing privileged EXEC mode of the router via the aux port?

  • A. no login

  • B. login disable exec

  • C. no aux login

  • D. exec disable

  • E. no exec

Question 22

Which of the following relational databases are supported by CSACS for Unix?

  • A. Oracle

  • B. Sybase SQL Server

  • C. SQL Anywhere

  • D. NDS

  • E. Windows 2000

Question 23

Which of the following are true about access lists? (Choose all that apply.)

  • A. All ACLs have an explicit deny statement in the beginning.

  • B. Standard ACLs can be configured to log for packet matching.

  • C. Extended IP numbered ACLs cannot be configured to log for packet matching.

  • D. ACLs have directional filters that examine data flow.

  • E. ACLs are read in a top-down fashion.

Question 24

Which of the following commands can you use to configure Turbo ACLs on a router?

  • A. R1(config-acl)# access-list turbo

  • B. R1# access-list compiled

  • C. R1(config)# access-list compiled

  • D. R1(config)# access-group compiled

Question 25

Which of the following features are part of the Cisco IOS Firewall feature set?

  • A. Authentication proxy

  • B. CBAC

  • C. Intrusion detection

  • D. Lock and key

  • E. Cut-through proxy

Question 26

What is the default time that CBAC will wait for a TCP session to reach the established state?

  • A. 2 seconds

  • B. 5 seconds

  • C. 10 seconds

  • D. 15 seconds

  • E. 30 seconds

Question 27

What is true about the ip inspect audit-trail command? (Choose all that apply.)

  • A. Enables syslog server

  • B. Turns on logging

  • C. Limits number of half-open TCP connections

  • D. Limits number of half-open UDP connections

Question 28

Which of the following commands applies an inspection rule to a router?

  • A. R1(config)# ip inspect CBAC-IN in

  • B. R1(config-if)# ip-inspect CBAC-IN in

  • C. R1(config-if)# ip inspect CBAC-IN in

  • D. R1(config-router)# ip inspect CBAC-IN in

Question 29

How long does the user have to wait if he or she has entered incorrect login information five times against authentication proxy?

  • A. 1

  • B. 2

  • C. 3

  • D. 4

  • E. 5

Question 30

What privilege level must be enabled for all users when configuring a CSACS server for authentication proxy?

  • A. 0

  • B. 9

  • C. 11

  • D. 15

  • E. 16

Question 31

What router command do you use to clear all authentication proxy entries?

  • A. clear ip auth proxy

  • B. clear ip auth-proxy cache *

  • C. clear ip auth-proxy users cache

  • D. clear ip user auth-proxy

Question 32

Which of the following statements are true? (Choose all that apply.)

  • A. Atomic signatures typically do not require memory allocation.

  • B. Compound signatures require memory allocation.

  • C. Atomic signatures are triggered based on a single packet.

  • D. Compound signatures typically do not require memory allocation.

  • E. Atomic signatures require memory allocation.

Question 33

Which of the following commands disables IDS signature 6150 on a Cisco router?

  • A. ip audit 6150 sig-disable

  • B. ip audit disable signature 6150

  • C. ip audit signature 6150 disable

  • D. no ip audit disable 3109

Question 34

Which of the following must be permitted to allow an IPSec session to occur through a firewall?

  • A. IKE protocol 49

  • B. Protocol 51

  • C. Protocol 50

  • D. UDP port 500

Question 35

When configuring context-based access control (CBAC), which of the following statements are true about applying inspection rules and ACLs on the router? (Choose all that apply.)

  • A. On the interface where traffic is initiating, apply an ACL on the inward direction that only permits wanted traffic.

  • B. On the interface where traffic is initiating, apply a rule on the inward direction that doesn't inspect wanted traffic.

  • C. On the interface where traffic is initiating, apply a rule on the inward direction that inspects wanted traffic.

  • D. On the interface where traffic does not initiate, apply an ACL on the inward direction to block all unwanted traffic.

Question 36

Which of the following statements is true about the certificate authority (CA)?

  • A. The CA issues the public key.

  • B. The CA signs the public key.

  • C. The CA issues the private key.

  • D. The CA generates a public/private key pair.

Question 37

Which of the following protocols provides different key strengths for encryption technologies?

  • A. DES

  • B. 3DES

  • C. AES

  • D. MD5

Question 38

Which of the following commands declares the CA your router should use for third-party authentication?

  • A. crypto key generate rsa

  • B. crypto isakmp key caserver address 10.30.10.1

  • C. crypto ca trustpoint

  • D. crypto ipsec transform-set

Question 39

An unusually high number of half-open sessions indicates a DoS. What is the default value of half-open sessions that is allowed by CBAC before it starts deleting these sessions?

  • A. 100

  • B. 200

  • C. 400

  • D. 500

Question 40

IPSec runs on which layer of the OSI model?

  • A. Application

  • B. Presentation

  • C. Session

  • D. Transport

  • E. Network

Question 41

Examine the debug output here:

 
 Aug 23 11:59.40:663: AAA/AUTHEN/CONT (50996754): continue_login (user='admin')
 Aug 23 11:59.40:663: AAA/AUTHEN(50996754): status=GETPASS
 Aug 23 11:59.40:663: AAA/AUTHEN/CONT (50996754): Method=LOCAL
 Aug 23 11:59.40:663: AAA/AUTHEN/( 50996754): STATUS=PASS

Which of the following statements are true? (Choose all that apply.)

  • A. Authentication was successful.

  • B. The user belonged to the local group.

  • C. Local authentication was expedited.

  • D. The output was generated from the debug aaa authorization command.

  • E. The output was generated from the debug aaa authentication command.

Question 42

Which of the following services is not common between AH and ESP?

  • A. Antireplay service

  • B. Data origin authentication

  • C. Confidentiality

  • D. Data integrity

Question 43

Which of the following commands will activate an IPSec policy on a router running the IPSec feature set?

  • A. crypto-map MYMAP

  • B. ipsec-crypto map MYMAP

  • C. crypto ipsec-map MYMAP

  • D. crypto map ipsec-allow

Question 44

Examine the following output:

 
 Crypto Map "THEMAP" 1 ipsec-isakmp
         Peer = 10.0.0.1
         Extended IP access list 101
             access-list 101 permit ip any any
         Current peer: 10.0.0.1
         Security association lifetime: 4608000 kilobytes/3600 seconds
         PFS (Y/N): N
         Transform sets={ THESET, }
         Interfaces using crypto map THEMAP:

Which command was used to generate this output?

  • A. show crypto-access-list

  • B. show ipsec crypto-map

  • C. show crypto map

  • D. show isakmp sa

Question 45

What port number do you use to access the CiscoWorks 2000 application through a Web browser?

  • A. 1471

  • B. 1174

  • C. 1024

  • D. 1741

Question 46

How do crypto ACLs react to all unprotected inbound traffic on the Cisco router that matches a permit entry in the crypto access list for a crypto map entry that is flagged for IPSec?

  • A. Drop

  • B. Allow

  • C. Encrypt

  • D. Decrypt

Question 47

Which of the following terms refers to network groups and transform sets when configuring Router MC?

  • A. Devices

  • B. IPSec rules

  • C. Settings

  • D. Activities

  • E. Building blocks

Question 48

True or False: Authentication proxy only works with TACACS+ protocol.

  • A. True

  • B. False

Question 49

Cisco Easy VPN supports which of the following attributes of IPSec? (Choose all that apply.)

  • A. SHA-1

  • B. Preshared keys

  • C. D-H 2

  • D. 3DES

  • E. Tunnel mode

Question 50

Which of the following is true about half-open TCP sessions on the Cisco IOS Firewall?

  • A. The session was denied.

  • B. The firewall granted access.

  • C. A three-way handshake has been completed and is waiting for data payload.

  • D. The session has not reached the established state.

Question 51

Which of the following are classified as encryption algorithms? (Choose all that apply.)

  • A. DES

  • B. 3DES

  • C. AES

  • D. RSA

Question 52

Joe works for BlueWidgets.com and decides to download a port scanner to determine what it can do. He directs it against his employer's network. What type of threat is Joe? (Choose all that apply.)

  • A. Common threat

  • B. External threat

  • C. Internal threat

  • D. Structured threat

  • E. Unstructured threat

Question 53

By default, how long will CBAC manage an idle DNS session?

  • A. 2 seconds

  • B. 5 seconds

  • C. 15 seconds

  • D. 30 seconds

  • E. 45 seconds

Question 54

Data integrity is classified as which of the following?

  • A. Receiver rejects authenticated packets.

  • B. Sender authenticates the packets to ensure that no alterations were made.

  • C. Encryption of data payload.

  • D. Receiver verifies the packets to ensure that no alterations were made.

Question 55

Which of the following commands displays all the dynamic ACL entries created on a router when implementing authentication proxy?

  • A. show access-list auth-proxy

  • B. show access-list dynamic

  • C. show access-lists

  • D. show auth-proxy entries

Question 56

Which of the following SMTP commands are allowed by CBAC? (Choose all that apply.)

  • A. HELO

  • B. HELP

  • C. NOOP

  • D. DEAD

  • E. RESET

Question 57

Which of the following attack types can result from a hacker altering NTP data?

  • A. DoS

  • B. Port redirection

  • C. Virus

  • D. Trust exploitation

Question 58

Which of the following commands saves the CA settings and policies on the router?

  • A. ca save all

  • B. save crypto-ca

  • C. Write standby

  • D. They cannot be saved.

Question 59

Which of the following commands will remove the entire CBAC configuration from your router running the IOS Firewall Feature Set?

  • A. no ip inspect

  • B. ip inspect clear-all

  • C. no ip-inspect

  • D. ip-inspect disable

Question 60

Which of the following statements describes the purpose of the logging trap command?

  • A. Enables syslog trap

  • B. Sends SNMP traps to the router

  • C. Sends logs to an SNMP management station

  • D. Enables SNMP traps using the PIX Firewall

Question 61

When configuring Easy VPN, select the parameters that you can configure in an IKE Phase 1 policy.

  • A. PFS

  • B. Remote peer IP address

  • C. Crypto ACL

  • D. Hash algorithm

  • E. Encryption algorithm

Question 62

Which of the following commands generates an RSA key pair on a Cisco router running the IOS Firewall feature set?

  • A. crypto ca trustpoint

  • B. crypto key generate rsa

  • C. crypto ipsec rsa

  • D. crypto isakmp key rsa

Question 63

How does RRI react when both IPSec peers are configured to use Cisco Easy VPN?

  • A. Creates a static route on the Easy VPN Server for the VPN Client's internal IP address

  • B. Creates a static route on the Easy VPN Remote for the VPN Client's internal IP address

  • C. Creates a static route using an internal network address

  • D. Creates a dynamic route to the internal DNS server

  • E. Creates RIP routes to the internal resources

Question 64

By default, to what size does the Cisco Systems VPN Client automatically set the MTU?

  • A. 1500 bytes

  • B. 576 bytes

  • C. 1420 bytes

  • D. 1300 bytes

Question 65

In how many ways can a device be imported into the inventory of Router MC? (Choose all that apply.)

  • A. Import from configuration file

  • B. Single-device import

  • C. Multiple-device import via an Oracle database

  • D. Multiple-device import via a CSV file

Question 66

Which protocol does the Router MC use to communicate with the VPN devices to populate the inventory?

  • A. Telnet

  • B. SSL

  • C. SSH

  • D. FTP

Question 67

Which of the following statements are true about the packet auditing process? (Choose all that apply.)

  • A. If an audit rule is applied to the inbound direction of an interface, packets passing through the interface are audited before the inbound ACL reacts to it.

  • B. If an audit rule is applied to the inbound direction of an interface, packets passing through the interface are audited after the inbound ACL reacts to it.

  • C. If an audit rule is applied to the outbound direction of an interface, packets passing through the interface are audited before the inbound ACL reacts to it.

  • D. If an audit rule is applied to the outbound direction of an interface, packets passing through the interface are audited after the inbound ACL reacts to it.

Question 68

Which of the following are valid peer authentication methods? (Choose all that apply.)

  • A. Preshared key

  • B. RSA signatures

  • C. RSA encrypted nonces

  • D. AES




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
