Chapter 14. Answers to Practice Exam 1

1. E

2. A, C

3. C

4. D

5. E

6. A

7. E

8. D

9. C

10. B

11. C

12. B

13. C

14. D

15. E

16. D

17. C

18. B

19. B

20. C

21. B, D

22. B

23. C

24. B

25. D

26. B

27. A

28. A, C

29. E

30. A

31. A, B

32. D

33. D

34. B

35. F

36. D

37. D

38. E

39. D

40. C

41. A

42. B, C

43. D

44. A

45. C, D

46. D

47. D

48. B

49. B, E

50. B

51. C, D

52. A

53. B

54. A

55. G

56. A

57. F

58. A, C

59. A

60. C

Question 1

Answer E is correct. A security policy contains an endorsement from the enterprise's management, often in a section called "Statement of Authority and Scope." Management can no longer be indifferent if its authority has been invoked as part of the policy. Whether the users are employees, contractors, or guests, user behaviors are covered in the various usage policies within the overall security policy. Included, whether in a section on acceptable use or in a configuration-management section, is a rule concerning who may and may not make software additions to systems. A section addressing how to handle security incidents is needed; the time to plan what will be done by whom is not when you're trying to cope with a problem.

Question 2

Answers A and C are correct. Hardware and software are information assets. The hardware might or might not all be owned by the organization (think of an employee's PDA, which is synchronized daily with his business calendar and email). Another major category of information assets is the content stored on the various devices (servers and workstations) in the network. Procedures are how things will be done and, therefore, are not an asset, but rather a standard way to interact with the assets. An upgrade path is a plan for the future, while the assets exist in the present.

Question 3

Answer C is correct. A security policy contains a number of elements, which are often also called policies, such as an acceptable use policy, an Internet access policy, a remote-user policy, an incident-response policy, and so on. A security policy also contains management's explicit endorsement, typically in a statement describing the policy's scope and authority. However, a system upgrade policy is not usually among the items covered, because it relates less directly to securing the organization's information assets than to what those assets might become in the future.

Question 4

Answer D is correct. Although various sources may disagree, Cisco's position remains that the primary source of network attacks is internal rather than external (local and remote are fictitious terms in this context). Certainly, internal persons start with two significant advantages: They already have an account on the system, and they have at least some knowledge of the network (both items that an external attacker must acquire from a zero base).

Question 5

Answer E is correct. Information assets consist of hardware, software, and the content stored on servers and workstations (the data sets). The hardware can include assets owned and controlled by the organization or those owned but only indirectly controlled by the organization (think of a teleworker or traveling employee with a laptop, far from any administrative control by the IT department). In addition, personal devices, such as PDAs, which interact with the organization's hardware, software, and data are information assets. Finally, the organization might have devices that interact with outside devices, such as a CSU/DSU, and these devices can be considered information assets as much as a router or a switch would be.

Question 6

Answer A is correct. Packet sniffers are software packages (programs) that place a NIC in promiscuous mode. In that condition, the NIC accepts all traffic on the wire to which it listens instead of accepting only traffic addressed to the particular host (or a network broadcast). Neither the host nor a switch has a "promiscuous mode"; the term is specific to network interface cards. To copy all traffic from a Layer 3 device, the sniffer would have to actually be placed on the specific device; a remote copy command would require the router/switch to send copies of all traffic over one link, a condition that would become immediately apparent as the link became overwhelmed.

Question 7

Answer E is correct. Data manipulation is a somewhat generic term. "Data" can be almost any kind of information. Manipulation could potentially alter any aspect of that information. Thus, you could alter the source address (IP spoofing), whether you originated or received a document (repudiation), the path a packet should take (rerouting), or what should be received (replay). Port redirection, however, occurs when software directs traffic properly addressed to one port (such as port 80) to be processed by another port (such as 23) on a given host. The packet is not rewritten; it is simply sent to an alternate process (Telnet instead of Web, in this case).

Question 8

Answer D is correct. CDP operates at the data link layer (Layer 2), exchanging information between the two hosts providing the endpoints of the link. It is not routable, so it cannot operate above Layer 2.

Question 9

Answer C is correct. SNMP read-only (ro) installations use a default community name (string) of public, which is quite well known to the hacker community. The community name acts like a weak password, in much the same way that a workgroup name identifies hosts communicating using Microsoft's network browsing function. The default community string for read-write (rw) access is private. admin and cisco are other strings commonly used as passwords on information assets. ietf is, of course, the acronym for the Internet Engineering Task Force, which promulgates Internet Standards.

Question 10

Answer B is correct. NTP version 3 is the first version to have a fully encrypted authentication capability. Note that the authentication is encrypted, not the time information. There are qualitative improvements in v3 over previous versions, and it could be argued that these do make v3 more efficient. However, efficiency is not the reason it is important to use v3: The capability to securely authenticate the source of the time data is.

Question 11

Answer C is correct. The SAFE SMR Blueprint has several design objectives, or design fundamentals:

  • Security and attack mitigation based on policy

  • Security implementation through the network (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Answers A, B, and D are reasonable ideas and make good sense from a security standpoint, but they are not in the list of design fundamentals Cisco offered in the SAFE SMR Blueprint.

Question 12

Answer B is correct. The SAFE SMR Blueprint has several design objectives, or design fundamentals:

  • Security and attack mitigation based on policy

  • Security implementation through the network (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Answers A, C, and D are valid concepts and make good sense from a security standpoint, but they are not in the list of design fundamentals Cisco offered in the SAFE SMR Blueprint.

Question 13

Answer C is correct. The SAFE SMR Blueprint has several design objectives, or design fundamentals:

  • Security and attack mitigation based on policy

  • Security implementation through the network (not just on specialized devices)

  • Cost-effective deployment

  • Secure management and reporting

  • Authentication and authorization of users and administrators to critical network resources

  • Intrusion detection for critical resources and subnets

Answers A, B, and D are good precautions to take, but they are not in the list of design fundamentals Cisco offered in the SAFE SMR Blueprint.

Question 14

Answer D is correct. Cisco lists two reasons for taking a modular approach to security in the various SAFE Blueprints: to enable security to be implemented in stages, if desired, because each grouping of objects is logically separated from the others; and to enable a focus to be placed on how each group interacts with the other groups in a security sense. This is similar to the approach taken with the OSI model (and many other engineering solutions): break the problem into manageable portions, specify the interactions of the portions, and then allow each portion to be optimized or updated without affecting the operation of the other portions.

Question 15

Answer E is correct. Almost all of the SAFE SMR Blueprint's axioms refer to the targets of network security threats. The axioms are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Networks are targets.

  • Applications are targets.

  • Secure management and reporting.

Question 16

Answer D is correct. Almost all of the SAFE SMR Blueprint's axioms refer to the targets of network security threats. The axioms are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Networks are targets.

  • Applications are targets.

  • Secure management and reporting.

Question 17

Answer C is correct. Almost all of the SAFE SMR Blueprint's axioms refer to the targets of network security threats. The axioms are as follows:

  • Routers are targets.

  • Switches are targets.

  • Hosts are targets.

  • Networks are targets.

  • Applications are targets.

  • Secure management and reporting.

Question 18

Answer B is correct. The VPN Accelerator Card was first supported in PIX OS 5.3(1); it has been supported in all subsequent releases to date.

Question 19

Answer B is correct. This recommendation is a rule of thumb rather than a hard rule because much depends on the volume and character of the traffic. If the tunnels are stable and things never change, you could bump that boundary to a higher figure. On the other hand, if you have a great deal of flux in your tunnel configurations, you might find it more productive to switch to a VPN concentrator at a lower number. A boundary of 20 is a good fit for most situations.

Question 20

Answer C is correct. When a general-purpose device such as a router performs a particular task, it must retrieve the instructions from its programming and execute them through a series of lookups. Modern hardware and software are both fast, but the hardware is often waiting for the next instruction to arrive, especially if the CPU is multitasking (as it almost certainly is). However, a device that can offload the processing of a particular function to preprogrammed hardware (such as application-specific integrated circuits, ASICs) will almost always perform the same task more quickly. This is partly because the tightness of the specific code is already programmed into the ASICs and partly because it does not do anything else; its time and CPU cycles are not shared. The PIX does not need to perform route lookups or build a FIB or any other of the primary routing tasks. Therefore, it can perform its fewer tasks faster than the general-purpose router can.

Question 21

Answers B and D are correct. The Cisco IDS software classifies threats as either atomic (targeted at one system) or compound (targeted at more than one system), and as either info (deriving information) or attack (attempting to change or abuse the host).

Question 22

Answer B is correct. The NetRanger product is the former separate management software for the Cisco IDS products. It was replaced by the CiscoSecure IDS; the CiscoSecure IDS Director and CiscoSecure Policy Manager are being replaced by the CiscoWorks VPN/Security Management Solution (VMS). This product includes the CiscoWorks Management Center for IDS Sensors and the CiscoWorks Monitoring Center for Security software. There is no such product as the CiscoSecure Control Console (CSCC).

Question 23

Answer C is correct. A Layer 3 switch is used when there is a large volume of traffic to be processed at Layer 3, but you do not necessarily need all the flexibility of a router. A Layer 3 switch (apart from being a marketing term) operates with the speed of a Layer 2 switch by offloading much of the Layer 3 processing onto ASICs. Because ASICs are less flexible, you lose some of the many options available with a router. However, in certain environments, such as when many clients are accessing several servers (as you often find in a midsize or larger campus, but not an edge if e-commerce is not involved), it is quite useful.

Question 24

Answer B is correct. If the VPN software client is being used, the host often is protected (at best) by a personal software firewall. Although these can be quite good (and are much better than the alternative), they are not as strong as an intervening device designed to examine and filter packets (such as a router, firewall, or hardware client). If the host accesses the Internet over a regular connection at the same time the host has a tunnel open to the headend, traffic can conceivably jump (through privilege escalation, for instance) from the public connection to the tunnel. Because it arrives over the tunnel and is implicitly trusted, it might not be detected immediately at the tunnel. It is simply much safer, and it is Cisco's strong recommendation, to disable split tunneling when using the VPN software client and to force all Internet traffic through the corporate WAN link. The extra bandwidth utilization is worth the reduction in risk provided by the corporate-level filtering that this enables.

Question 25

Answer D is correct. The point of using a VPN concentrator is to offload the encryption/decryption and tunnel-management functions from the firewall to a specialized device. Therefore, it makes the most sense to place this where it can receive the traffic before it passes through the firewall. A switch directs the traffic to the VPN concentrator, where it is decrypted. The traffic egresses and, switched again, is sent to the firewall for filtering and acceptability testing. Because the firewall does not have to decrypt, the tunnel traffic is permitted (or denied) more quickly, making the firewall's throughput better. It would serve no useful purpose to place the concentrator between the firewall and the DMZ, or between the firewall and the Campus module, or between the firewall and the first NIDS. Place the specialized device where it handles the problem instead of other devices: where the traffic that it processes can reach it before reaching other devices.

Question 26

Answer B is correct. If the small business begins to have a "large" number of VPNs (as might be the case when the business has a number of professionals connecting from home or when traveling), it might become useful to add a VPN concentrator. The boundary between small and midsize businesses is not very well defined: Some people argue that anything greater than 25 hosts is too big to be called "small," while others argue that the boundary is closer to 50 hosts. Because the number of VPNs at which it usually becomes useful to add a VPN concentrator is more than 20, you are likely to be in the midsize business range more than the small business range when you reach that number of VPNs. However, whether it is useful to add a concentrator depends on the traffic and tunnel characteristics. Adding a NIDS in front of the firewall or adding a perimeter router in front of the firewall (if there is a dedicated firewall at ingress; remember, the small network Corporate Internet module may have either a router or a firewall at ingress as part of the basic design) is overkill in this size of network.

Question 27

Answer A is correct. If there is concern regarding the security of especially sensitive data traversing the WAN link, IPSec can be added to the connection. Likewise, it might be desirable to add firewalling capability (either on the ingress router or as a dedicated appliance) to filter more aggressively than is possible via ACLs. VPNs replace the confidentiality of a leased line by tunneling over the public infrastructure. There should be no need to emulate a leased line over a leased line, and there is no need to add or connect to a VPN concentrator.

Question 28

Answers A and C are correct. The Firewall Feature Set includes a NIDS, so there is no reason to add a HIDS to the perimeter router. Likewise, eliminating the perimeter router places the entire filtering load on the firewall. This is a reasonable burden in the small network's Corporate Internet module, but the medium network must handle more traffic. If you wanted to strengthen security, you could add a software firewall to the perimeter router and filter more aggressively before the main firewall is reached. Because the firewall could be filtering out attacks (and you certainly hope it is), it might be advisable to place a NIDS in front of the firewall, to at least become aware of the activity being denied. The firewall's logs will certainly help, but it can be useful to know what specific attacks were prevented, as well as how many packets were dropped. If the NIDS is added, its alarms should carry a lower priority; it might also be useful to log them separately because there are likely to be many of them.

Question 29

Answer E is correct. There are no design alternatives in the remote-user model. The four options are the alternative designs.

Question 30

Answer A is correct. Even if the small network is operating as a branch (instead of as a standalone organization), it will need its normal addressing services (and DHCP is the norm, not static addresses). If the branch has fewer public addresses than internal hosts (as is also normally the case), it still needs to be able to NAT. However, VPNs are much more likely to terminate at the larger network (such as headquarters) than at a branch, so there will probably be no need for remote-access VPNs.

Question 31

Answers A and B are correct. The WAN link can serve as the external connection for a branch, where it might or might not be practical to use only a WAN link at a headend. Remember, a branch basically operates under its headquarters' authority and refers most public activity to its headend. When operating as the headend, however, it must be capable of handling the public traffic and thus needs the greater capabilities of the Corporate Internet module. SAFE is about working, real-world organizational networks, and securing them while they meet their operational requirements. Among those operational requirements could be a need for QoS and support for non-IP traffic, both of which can be done via a private circuit but might not be possible with a generic Internet connection to an ISP. However, using WAN links is more expensive than simply using an Internet connection. You pay for a leased circuit, which the carrier or service provider must dedicate to your use (some overprovisioning is possible, but it must be limited by the service-level agreements, SLAs, in force). Using a WAN link does not preclude a branch from having an Internet connection, although the connection is unlikely to be directly over the WAN link. It could be via the headend, and the parent organization could use this connectivity option to enforce its acceptable use policy.

Question 32

Answer D is correct. When using an IPSec tunnel for connectivity between a branch and its headend, the tunnel terminates inside the firewall after ingress. The perimeter router is effectively outside the tunnel and must be managed via another connection, typically using SSH. Although a WAN link might be easier to manage and might even take less administrative effort (which lowers those costs), the price difference between an Internet connection and a leased circuit (WAN) is much greater: The move to VPNs instead of leased lines is largely driven by the lower net costs of using the former. Although tunnels traversing the Internet can be susceptible to more attacks en route, this is not necessarily a given; attacks tend to occur at the termini, the endpoints of the tunnel. The attacks occur at the branch or the headend, and not nearly as often on the Internet itself.

Question 33

Answer D is correct. Unicast Reverse Path Forwarding is the security precaution against IP spoofing that tests for reasonableness in the source IP address on a packet: Could a packet with this source address have reasonably arrived on this interface? If the router has a route to that address (even as a summarized block) via that interface, the packet is accepted. If not, it is dropped. A hacker might know that Company A and Company B exchange traffic. When attempting to insert traffic into Company A with a spoofed Company B source address, the hacker might insert the traffic over a link that is not used for that traffic; URPF would detect that and drop the traffic, preventing the attack. To use URPF, the router must use Cisco Express Forwarding (CEF) because the reverse lookup function uses the Forwarding Information Base (FIB) created by CEF. If you want to see the traffic anyway, you must use an ACL in conjunction with URPF.

Question 34

Answer B is correct. The commands used must include the overload option to translate the multiple inside addresses to the one outside (NAT pool) address.

Question 35

Answer F is correct. You must create an IKE policy identified by its priority. The default settings for using IKE to set up tunnels (whether with certificates or with preshared keys) are to use either DES or 3DES for encryption, SHA-1 for the hash, group 1 for the Diffie-Hellman group, and a default IKE SA lifetime of 86,400 seconds, or 1 day. Note that this last item can be easily confused with the default IPSec SA lifetime of 3,600 seconds, or 1 hour. The IKE SA and the IPSec SA are different associations and perform different functions. You must also specify whether you will use preshared keys or certificates (denoted by authentication rsa-sig or authentication rsa-encr, which also require you to either generate certificates or have public-private key pairs available for each peer). If you are using preshared keys (which we are), you must specify both the key and the peer with which it will be used (you can, and should, have a separate key for each peer, limiting the damage that can be done by a compromised key). You can specify the peer by hostname instead of address, but there must be a name-resolution capability available (such as DNS) to do so.

Question 36

Answer D is correct. This requires careful reading; of course, when inputting such commands, they require careful typing and proofreading, too. In this case, we have errors in the source (172.18.28.0 instead of 172.18.24.0), the destination (172.20.42.0 instead of 172.20.32.0), and the access list number (an extended IP access list must be numbered between 100 and 199, or between 2000 and 2699). Practice comparing each element of the access list to the diagram given, and don't be embarrassed to use your finger against the monitor during the exam as you compare; fingerprints can be cleaned off. You can't go back and change your answers later on this exam.

Question 37

Answer D is correct. This is another example of careful reading/input. The syntax is crypto ipsec, not ipsec crypto. After that, we must be careful to denote an encryption algorithm (esp-des or esp-3des, but not esp-sha) and an authentication algorithm (esp-sha-hmac or esp-md5-hmac, or ah-sha-hmac or ah-md5-hmac). An access list number is not included in this command; the access list number is invoked in the crypto map command.

Question 38

Answer E is correct. The VPN concentrator adds the Advanced Encryption System (AES) algorithm, in 128-, 192-, and 256-bit lengths, to the DES and 3DES algorithms used on the router and the PIX (note: PIX OS 6.3(1) also added AES, but the question specified before that release; there is plenty of legacy software out there). CBC is Cipher Block Chaining, a method for implementing block encryption. CBS is a television network, and CEF is Cisco Express Forwarding, a traffic-switching method. CSP has at least 94 different meanings, none of which is related (to my knowledge) to encryption, except possibly for Certified Security Professional.

Question 39

Answer D is correct. The VPN Concentrator may have as many as 150 IKE proposals configured. Up to all of them may be active. They are managed in the GUI via the Configuration > System > Tunneling Protocols > IPSec > IKE Proposals screen. In addition to adding, copying, deleting, and modifying proposals, you can move them up or down within the list (active or inactive list), which is their preference ordering within the list.

Question 40

Answer C is correct. The Configuration > System > Client Update screen has hyperlinks for Enable or Disable. When you click on the Enable hyperlink, it opens a screen with a check box. You enable the update function by checking the box and then clicking on the Apply button below it.

Question 41

Answer A is correct. Trust exploitation occurs when the automatic trust by one device of another device is abused. Two fundamental methods can mitigate this: restrict the trust relationships to those that are absolutely necessary (and review those periodically; things do change) and use private VLANs. By implementing private VLANs, you can more closely control which interdevice traffic will be forced to undergo Layer 3 inspection and filtering, at the cost of slowing the traffic somewhat (depending on the complexity and careful construction of your ACLs). HIDS will not help because malware is not involved; the traffic is legitimate, but it is being used for the wrong purposes. The same, of course, is true of NIDS. Antivirus is ineffective for the same reason: The problem is not malware.

Question 42

Answers B and C are correct. IP spoofing occurs when the source address of a packet is bogus (there's no point to falsifying the destination address; what would be gained by sending the packet to the wrong place?). RFC 2827 filtering drops traffic entering one interface with a source address belonging to another; the premise is that the traffic with that address as its source should never enter except from the interface where that segment is found. As an example, if you have the network segment 172.22.42.0/24 on interface e0 and 192.168.15.0/24 on interface s0, traffic should not enter s0 (which means that it came from outside the network) with a source address of 172.22.42.12, which is inside. Likewise, the private addressing ranges specified in RFC 1918 (10/8, 172.16/12, and 192.168/24) should never be used in publicly addressable space. Therefore, you should never receive incoming traffic from the outside world with those as a source address. Remember, we are talking about the small network public-facing module: the Corporate Internet module. Inside the Campus module, RFC 1918 filtering might not entirely apply (depending on the address scheme you use). RFC 3427 is the "Change Process for the Session Initiation Protocol (SIP)," and RFC 3838 does not yet exist (RFC 3593 is the highest-numbered RFC at this time).

Question 43

Answer D is correct. Packet sniffing is a passive activity, based on capturing every packet on the wire instead of only those addressed to a given host. Ingress filtering will not limit what a sniffer can capture; neither will an IDS. Only a switched architecture limits the presence of packets to be captured. It might help to remember the meaning of the verb mitigate: to make less severe or painful, less harsh. The assumption is that you might get a packet sniffer emplaced on your network; mitigating it is about limiting the damage it can do.

Question 44

Answer A is correct. Application-layer attacks depend on the operating system allowing malicious software to execute. Thus, to mitigate these, you should lock down the OS and all permitted applications (restrict the processes allowed to execute to only those needed), to prevent them from being misused, and you should place a HIDS on the system to prevent the installation of malware. A switched architecture might limit how far an attack can propagate (depending on your VLAN structure), but it will do nothing to prevent or limit the damage of an attack in progress. Ingress filtering might help prevent malware from coming in from an external source, but it will not prevent an insider (malicious, ignorant, or well intentioned) from adding software from an internal, trusted host.

Question 45

Answers C and D are correct. HIDS should be placed on critical assets whose integrity must not be compromised. HIDS is intended for workstations and servers; NIDS works with switches and routers. Most workstations should not contain critical data, although they can always have temporary or working copies of information. The "master copy," however, should always be on a server, and it must be protected. Because the question specified two answers (and Cisco does specify the number of answers to be given), the two servers are better answers than workstations as a generic class.

Question 46

Answer D is correct. Trust exploitation is the abuse of a legitimate interoperating relationship between two devices. The traffic between them is both normal and expected, and is to be permitted, whether it is switched or routed. Malware, in its many manifestations, corrupts the ongoing activities of a system; it can generate additional traffic to or from a host, which will also receive normal treatment. Unauthorized access depends on how access is granted; switching vs. routing (or "hubbing") is irrelevant to this. A packet sniffer copies all traffic on a given wire; a switched network limits the amount of traffic on a given wire to that relevant to a particular host, as opposed to that relevant to many hosts. A switched architecture will therefore mitigate packet sniffing by reducing the amount of traffic it has access to.

Question 47

Answer D is correct. HIDS on your servers will prevent the installation of most malware, including known port redirectors. Viruses and trojans are different subsets of malware; an antivirus package, which might also protect against some trojans, will not detect a port redirector. AAA controls user access, but a port redirector is a case of an installed software package abusing access, not a user; AAA will not help. Because the abuse occurs within one host rather than passing over the network to cause the problem, a switched architecture can make no difference.

Question 48

Answer B is correct. Most OSs have a means of restricting access after a given number of failed logon attempts. This can be disabled, or the password requirements might be weak. If so, a password attack can succeed in an astonishingly short period of time. On the other hand, restricting these parameters and requiring strong passwords can greatly mitigate the password attack program (password attacks run as scripts, so someone does not have to patiently type each new password attempt). A HIDS is likely to detect and interrupt the processing of the attempted attack. A switched network architecture might limit the number of hosts that the attacker can reach (or it might not, depending on the VLAN configuration), but it does nothing to mitigate an attack against a single host. The same protocols are used for attempted logins for password attacks as are used by legitimate users for their logins; you cannot restrict or otherwise filter those protocols and still permit legitimate users their proper access. Private VLANs will force traffic through Layer 3, where it can be filtered, but login attempts must be permitted to pass. Thus, private VLANs help mitigate many problems, but not password attacks.

Question 49

Answers B and E are correct. Network reconnaissance consists of using TCP/IP's built-in tools, such as ping and traceroute, as well as Telnet attempts (try opening a Telnet session to a mail server on port 25, and you might receive a banner telling you the software and version of the mail program you have reached), along with other tools such as nmap and nessus, to discover the resources on your network. A switched architecture passes whatever traffic is permitted at Layer 3 and thus does not help mitigate this problem. Rate-limiting and limiting TCP session initiation will mitigate attacks that abuse a particular connection type, but they will not generally detect a series of probes of different hosts or ports (although they can limit repeated attempts against the same hosts or same ports). Because access that fails is usually not repeated, AAA has limited effectiveness against this problem. Filtering which protocols are allowed to pass (such as not permitting Telnet sessions with your mail server from anyone outside the network) limits the set of tools the hacker has to poke and pry with. For probes that do pass through your filtering, NIDS can detect the pattern of activity, even if directed at different targets (a compound, info profile). Thus, protocol filtering and NIDS together will mitigate network reconnaissance attempts and, depending on where you place filters and NIDS devices, might protect you from insiders as well as outsiders.
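The point about rate limiting versus NIDS is easiest to see in code. The following detector is an added example, not from the book or from any Cisco product: it correlates probes from one source across different destination hosts and ports (the "compound" pattern a NIDS signature looks for), and it also shows what a per-target rate limiter would see from the same traffic. The flow-log format, the sample records, the address ranges, and the thresholds are all constructed for this example.

```python
"""Added example: NIDS-style reconnaissance detection that correlates probes
from one source across different hosts and ports, which per-connection rate
limiting cannot see.

Constructed flow-log format (one probe per line, an assumption for the example):
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict

# Constructed sample data. 203.0.113.7 sweeps seven hosts, touching each only
# once; 198.51.100.9 walks five ports on one host; 192.0.2.20 is a legitimate
# client making repeated SMTP connections to the mail server.
SAMPLE_LOG = """\
1000 203.0.113.7 10.0.0.10 25 tcp
1001 203.0.113.7 10.0.0.11 25 tcp
1002 203.0.113.7 10.0.0.12 25 tcp
1003 203.0.113.7 10.0.0.13 23 tcp
1004 203.0.113.7 10.0.0.14 23 tcp
1005 203.0.113.7 10.0.0.15 80 tcp
1006 203.0.113.7 10.0.0.16 443 tcp
1020 198.51.100.9 10.0.0.10 21 tcp
1021 198.51.100.9 10.0.0.10 22 tcp
1022 198.51.100.9 10.0.0.10 23 tcp
1023 198.51.100.9 10.0.0.10 25 tcp
1024 198.51.100.9 10.0.0.10 80 tcp
1010 192.0.2.20 10.0.0.10 25 tcp
1011 192.0.2.20 10.0.0.10 25 tcp
1012 192.0.2.20 10.0.0.10 25 tcp
"""

HOST_SWEEP_THRESHOLD = 5   # distinct destination hosts from one source ...
PORT_SWEEP_THRESHOLD = 5   # ... or distinct ports on one host from one source
WINDOW_SECONDS = 60        # ... within this many seconds (assumed values)


def parse_flows(text):
    """Parse the constructed log into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((int(ts), src, dst, int(port), proto))
    return flows


def per_target_counts(flows):
    """What a per-(host, port) rate limiter sees: hits per individual target.
    The sweeping sources never exceed one hit per target, so no per-target
    threshold would ever trip on them."""
    counts = defaultdict(int)
    for _ts, _src, dst, port, _proto in flows:
        counts[(dst, port)] += 1
    return dict(counts)


def detect_reconnaissance(flows, window=WINDOW_SECONDS):
    """Return {source: {"host-sweep": n_hosts}} and/or {"port-sweep": n_ports}
    for sources whose probes within `window` seconds of some starting probe
    touch enough distinct hosts or enough distinct ports on one host."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _proto in sorted(flows):
        by_src[src].append((ts, dst, port))

    alerts = {}
    for src, probes in by_src.items():
        found = {}
        for i, (t0, _, _) in enumerate(probes):
            # Sliding window anchored at each probe in turn.
            in_win = [p for p in probes[i:] if p[0] - t0 <= window]
            hosts = {dst for _, dst, _ in in_win}
            if len(hosts) >= HOST_SWEEP_THRESHOLD:
                found["host-sweep"] = max(found.get("host-sweep", 0), len(hosts))
            ports_per_host = defaultdict(set)
            for _, dst, port in in_win:
                ports_per_host[dst].add(port)
            for ports in ports_per_host.values():
                if len(ports) >= PORT_SWEEP_THRESHOLD:
                    found["port-sweep"] = max(found.get("port-sweep", 0), len(ports))
        if found:
            alerts[src] = found
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("per-target hit counts:", per_target_counts(flows))
    print("reconnaissance alerts:", detect_reconnaissance(flows))
```

Run stand-alone, the per-target view shows the mail server's SMTP port with the highest count, driven by the legitimate client, while each scanner's individual probes register once apiece; only the cross-target correlation names the two scanning sources.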

Question 50

Answer B is correct. The whole point of filtering by RFC 2827 and RFC 1918 is to keep out traffic whose origin is not appropriate to its ingress point: traffic with spoofed source IP addresses. RFC 2827 refers to not accepting incoming traffic on interface A that has a source address belonging to interface B (and, in the other direction, not forwarding traffic toward the Internet whose source address is not one of your own). RFC 1918 specifies the private IP address blocks that should never appear on the public Internet (and, therefore, can be considered either spoofed or passed by an incompetent ISP). The RFCs have nothing to do with trust relationships, access criteria, malware, or probes, only IP addresses.
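The decision a border router makes under these two RFCs can be written down directly. The following is an added example, not from the book or from Cisco IOS: it applies the RFC 2827 check in both directions (a source belonging to another interface is dropped, and a stub interface may only originate its own prefixes) and the RFC 1918 check on the Internet-facing interface. The interface names and the address blocks assigned to them are constructed for the example.

```python
"""Added example: the filtering decision behind RFC 2827 (BCP 38) and
RFC 1918 anti-spoofing on a border router.

Assumed topology (constructed for the example):
    inside  originates 198.51.100.0/24   (the site's public block)
    dmz     originates 203.0.113.0/28    (public servers)
    outside faces the ISP and claims nothing; it is the default interface
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INTERFACE_PREFIXES = {
    "inside":  [ipaddress.ip_network("198.51.100.0/24")],
    "dmz":     [ipaddress.ip_network("203.0.113.0/28")],
    "outside": [],   # empty list = the Internet: everything not claimed elsewhere
}


def _owned_by(addr, iface):
    return any(addr in net for net in INTERFACE_PREFIXES[iface])


def ingress_verdict(iface, src):
    """Return ("drop", reason) or ("permit", None) for a packet with source
    address `src` arriving on interface `iface`."""
    src = ipaddress.ip_address(src)

    # RFC 2827: a source that belongs behind some other interface has no
    # business arriving here; it is spoofed or misrouted either way.
    for other in INTERFACE_PREFIXES:
        if other != iface and _owned_by(src, other):
            return ("drop", f"RFC2827: source belongs to {other}, arrived on {iface}")

    if INTERFACE_PREFIXES[iface]:
        # A stub interface may only originate its own prefixes. This is the
        # egress side of RFC 2827: we never pass spoofed traffic outward.
        if not _owned_by(src, iface):
            return ("drop", f"RFC2827: source is not a prefix behind {iface}")
    else:
        # The Internet-facing interface: private addresses never arrive here.
        if any(src in net for net in RFC1918):
            return ("drop", "RFC1918: private source address from the Internet")

    return ("permit", None)


def filter_packets(packets):
    """Apply ingress_verdict to (iface, src) pairs; returns the list of verdicts."""
    return [(iface, src) + ingress_verdict(iface, src) for iface, src in packets]


# Constructed sample packets: one legitimate arrival per interface plus
# spoofed and misrouted sources in each direction.
SAMPLE_PACKETS = [
    ("outside", "192.0.2.44"),      # ordinary Internet host
    ("outside", "198.51.100.7"),    # our own address coming from the Internet
    ("outside", "10.1.2.3"),        # private address from the Internet
    ("inside",  "198.51.100.7"),    # our host going out
    ("inside",  "192.0.2.44"),      # spoofed Internet source leaving our site
    ("dmz",     "203.0.113.5"),     # DMZ server going out
    ("dmz",     "198.51.100.7"),    # inside address appearing on the DMZ segment
]

if __name__ == "__main__":
    for iface, src, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:8} {src:16} {verdict:6} {reason or ''}")
```

The same check is what "not accepting traffic on interface A with a source address on interface B" means in practice, and the egress branch is why a correctly configured site does not become the "incompetent ISP" the answer mentions.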

Question 51

Answers C and D are correct. HIDS is coded to detect unauthorized patterns of activity. These patterns include access (or attempted access) of resources, scans, payloads that exploit known vulnerabilities, and so on. HIDS can therefore mitigate attempts to gain access to resources for which a seeker has not been authorized, and it can prevent the insertion (or alert you to the presence) of exploit code. It will probably not help a great deal if one host (perhaps with malware running on it) abuses an otherwise valid trust relationship with this host, nor will it help against IP spoofing (HIDS keys on the payload and on header fields other than the source address, so a forged source does not by itself trigger it). A packet sniffer is passive; although HIDS will prevent its emplacement on this device, it cannot mitigate the effects of a sniffer elsewhere in the network. Because you are limited to the two best answers, the weaker protection against packet sniffers rules that out.

Question 52

Answer A is correct. A cynic would say that Cisco wants to sell switches, so, of course, it repeats (often) that switches protect from sniffers. Even the cynic, though, would agree that sniffers are a serious threat for stealing usernames and even passwords, and you do need protection from them. However, a simple understanding of the technologies used by sniffers and by switches makes Cisco's case: Sniffers copy all traffic received on the wire; switches restrict traffic on a wire to that intended only for a given host. Sniffers send little to no traffic of their own, rendering HIDS, NIDS, and protocol filtering useless in combating them (after they are in place). AAA, like HIDS, can prevent a sniffer from being placed on a given host, but it offers no help against a sniffer elsewhere. Only a switched network reliably helps against sniffers. Bear in mind that this protection holds only as long as the switch's forwarding table is trustworthy; an attacker who floods that table or poisons ARP on the segment can see other hosts' traffic again, which is why port security belongs alongside the switch itself.

Question 53

Answer B is correct. Malware, or malicious software, includes viruses, trojan horses, keystroke loggers (sometimes called key loggers, or even keyloggers), port redirectors, and so forth. Antivirus software, often named just AV software, protects against a subset of malware: viruses and some trojans. Note that some people would include sniffers as malware; however, many network administrators use one as a troubleshooting tool, to learn at what stage of a traffic exchange a connection is failing, for instance. In that sense, a packet sniffer is no more malware than ICMP traffic. Trust exploitation and unauthorized access are both cases of abusing legitimate software applications; AV counters nonlegitimate software. Network reconnaissance can be conducted by malware that accompanies a virus; however, the virus itself simply replicates and tries to propagate once activated (such as by opening an email attachment).

Question 54

Answer A is correct. Trust exploitation takes advantage of a legitimate relationship, such as that between an email client and the mail server hosting the client's mailbox, or between two servers that back up each other (redundancy), or between two servers that exchange data (such as Dynamic DNS, which requires a relationship between the DNS server and the DHCP server). Because the relationship is legitimate, access is legitimate and is not prevented by AAA or protocol filtering. The traffic is normal system traffic, so NIDS has no cause to raise an alarm. Private VLANs limit the access that servers in the same VLAN have to each other, mitigating the abuse of implicit trust relationships. Restricting trust to only those systems explicitly named (rather than implicitly accepting all but those explicitly named) is also a good defense. Security postures often begin with a "default deny, then permit as needed" stance, and explicit trust arrangements are a fine example of that.

Question 55

Answer G is correct. The broadband access device is normally the property of the service provider. Even though it sometimes contains a router, a firewall, or a switch (or some combination of these), configuration remains the sole responsibility of the service provider. Therefore, you cannot expect this device to mitigate any threats because you do not control, and quite likely do not even know, its configuration.

Question 56

Answer A is correct. The hardware VPN client provides tunnel services (endpoint management and authentication) at the remote site. However, it does not contain a stateful firewall or any routing or filtering capabilities. Therefore, it cannot restrict traffic of any kind, even DoS traffic, in either direction.

Question 57

Answer F is correct. A router is a multifunction device capable of filtering, firewalling, and tunnel management (depending on the software image it runs). A Cisco router with the IOS and Firewall Feature Set can provide all of the functions listed. Bear in mind, of course, that the more things need to be done with each packet (a longer ACL to pass through, for instance), the longer it will take to process each packet. Size the router and its memory and CPU capability appropriately.

Question 58

Answers A and C are correct. The ingress device can be a firewall appliance or a router with firewall software; in either of those two cases, the filtering (by ACL for allowed source addresses and allowed protocols or ports) mitigates attempts from the Internet to gain unauthorized access. Note that the VPN hardware client does not offer such filtering, so the host must have a software firewall installed to provide the necessary filter capability. Encryption of the tunnel contents can actually make it easier to obtain unauthorized access: Traffic received with the correct encryption over the tunnel is often implicitly trusted (you assume that the encryption is not compromised and, therefore, that the traffic must be valid). A switched network improves throughput and limits sniffing, but it cannot help mitigate unauthorized access once an attacker has located a target device.
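The ACL filtering described here, and the "default deny, then permit as needed" stance from the answer to Question 54, can be demonstrated with a small evaluator. The following is an added example, not from the book and not Cisco's own code: it parses a deliberately limited subset of IOS extended ACL syntax (`permit`/`deny`, `ip`/`tcp`/`udp`/`icmp`, `any`/`host`/wildcard-mask endpoints, an optional `eq <port>`) and evaluates packets against it first-match-wins, falling through to the implicit `deny ip any any` that ends every IOS ACL. The ACL text and the test packets are constructed for the example; real IOS accepts far more syntax than this.

```python
"""Added example: parser and evaluator for a small subset of Cisco IOS
extended ACL syntax, showing explicit permits on source address, protocol
and port with the implicit deny at the end.

Supported subset (an assumption for this example):
    access-list <n> {permit|deny} {ip|tcp|udp|icmp} <src> <dst> [eq <port>]
    <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)
"""
import ipaddress

# Constructed ACL: mail and web servers reachable by anyone on their service
# ports, DNS zone traffic only from one explicitly named peer, ICMP to the
# server block. Nothing else is named, so nothing else is permitted.
ACL_TEXT = """
access-list 101 permit tcp any host 198.51.100.10 eq 25
access-list 101 permit tcp any host 198.51.100.20 eq 443
access-list 101 permit udp host 192.0.2.53 host 198.51.100.5 eq 53
access-list 101 permit icmp any 198.51.100.0 0.0.0.255
"""


def _parse_endpoint(tokens):
    """Consume one address spec from tokens; return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted subnet mask: 0 bits must match.
    # Non-contiguous wildcards are not representable as a network and raise.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Return the ACL as an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, number, action, proto, *rest = tokens
        src, rest = _parse_endpoint(rest)
        dst, rest = _parse_endpoint(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append({"acl": number, "action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport,
                      "text": line.strip()})
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins. No match means the implicit deny, which is
    exactly the 'default deny, then permit as needed' posture."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny ip any any"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in [("tcp", "192.0.2.44", "198.51.100.10", 25),   # SMTP to mail server
                ("tcp", "192.0.2.44", "198.51.100.10", 23),   # Telnet banner grab
                ("udp", "192.0.2.99", "198.51.100.5", 53),    # DNS from an unnamed peer
                ("icmp", "192.0.2.44", "198.51.100.77", None)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The second and third test packets are the interesting ones: the Telnet probe against the mail server from Question 49 and the DNS traffic from a peer that was never explicitly named both fall through to the implicit deny, without any rule having to mention them.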

Question 59

Answer A is correct. In this case, there is nothing different about what to filter on the ingress in any of the three network models in the SAFE SMR Blueprint: Traffic that should not be entering from the Internet, whether the source address is on the other side of the filtering device or comes from a private address range, should be dropped. Encrypting tunnel traffic does not help against spoofing: The source and destination addresses in the outer IP header must be clear text for intermediate hops to transit the traffic. Antivirus software on the host does not consider IP source address, but rather whether the payload matches an installed profile. Protocol filtering is based on other parts of the header but does not care about the IP source address.

Question 60

Answer C is correct. Note that this is different from the router's defaults, which are 86,400 seconds (1 day) for the IKE SA, and 3,600 seconds (1 hour) for the IPSec lifetime.




CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Author: Annlee Hines
