Exam Prep Questions

Question 1

Which of the following are required to secure a router? (Choose two.)

  • A. Securing performance

  • B. Securing access

  • C. Securing services and management

  • D. Securing maintenance

A1:

Answers B and C are correct. Securing a router involves ensuring that only authorized persons can access it and authorizing the kinds of changes they can make (answer B), as well as securing the services that the router provides on the network and how it is managed (answer C). The latter includes the management protocols used and which hosts can engage with the router using those protocols. Securing performance (answer A) is beyond your control: The router's performance depends on many factors, many of which are out of your hands, meaning that you cannot "secure" (ensure) performance. For instance, load offered by devices on the networks connected is a major factor that is usually beyond your control. Securing maintenance (answer D) is dependent on securing access in the sense that maintenance can be performed only by authorized persons. Physical maintenance, rare though it might be, should always be supervised by someone who is authorized to access the router. Access is the more complete answer than maintenance.

Question 2

Which version of management protocols should you use?

  • A. NTPv3

  • B. SNMPv3

  • C. Only those that you actually need

  • D. ICMPv2

A2:

Answer C is correct. It is important to use only the protocols (management and data-transmission protocols) that you need. Every piece of hardware and package of software introduced in your network brings with it the potential for vulnerabilities, so you should always use what you need and not have anything else. If your needs include NTP, you should use version 3 because it supports authentication (and you do not want bogus time stamps in your logs). Likewise, if your needs include SNMP, you should use version 3 because that version supports encryption and authentication. If possible, you should also set SNMP as a read-only community rather than read-write. ICMPv2 (answer D) refers to the Internet Control Message Protocol, the protocol of ping and traceroute, ICMP unreachables, and so on. It is a diagnostic tool, not a management tool.

Question 3

How does the command aaa authentication login no_tacacs line provide a back door into the router for configuration?

  • A. It creates a named authentication method that uses the line password.

  • B. It creates an authorization method that uses the line password.

  • C. It bypasses the TACACS+ server through the use of the no_tacacs command.

  • D. All of these are correct.

A3:

Answer A is correct. The entry aaa authentication login no_tacacs line is an authentication method list for the login command (eliminating answer B, which refers to authorization). The entry no_tacacs is not a command (eliminating answer C), but is the name of the method list. The entry line is the method to be used for authentication: Use the password assigned to the line against which this method is applied (in line configuration mode). By allowing a login using the line password, a back door is created into the router.

Question 4

Which of the following is not a service that you should disable?

  • A. tcp small-servers

  • B. ip classless

  • C. udp small-servers

  • D. ip http server

  • E. ip domain-lookup

  • F. ip bootp server

A4:

Answer B is correct. The following commands to disable services and protocols should be a part of securing services and management protocols on your routers:

  • no cdp run

  • no ip bootp server

  • no ip domain-lookup

  • no ip http server

  • no ip source-route

  • no service finger

  • no service tcp small-servers

  • no service udp small-servers

The command ip classless is not a service; it enables the router to ignore the original classful IP addressing boundaries (Class A, Class B, and Class C). Not enabling classless addressing greatly decreases your flexibility in addressing, not to mention what you can do with more advanced routing protocols (anything beyond RIPv1).
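The checks behind Questions 2, 3, and 4 can be turned into a quick audit of a saved running-config: which of the listed disable commands are absent, which SNMP communities are read-write, and which AAA login method lists fall back to the line password (the back door from Question 3). The script below is an added example, not from the book; the configuration text is constructed, and the regular expressions accept both the page's spelling and the hyphenated IOS spelling of the small-servers commands.

```python
"""Audit Cisco IOS config text for the hardening points discussed above."""
import re

# Disable commands listed in A4; small-servers may be written with a hyphen in IOS.
REQUIRED_DISABLES = [
    r"no cdp run",
    r"no ip bootp server",
    r"no ip domain-lookup",
    r"no ip http server",
    r"no ip source-route",
    r"no service finger",
    r"no service tcp[ -]small-servers",
    r"no service udp[ -]small-servers",
]


def audit_config(config: str) -> dict:
    """Return missing disable commands, read-write SNMP communities and
    AAA login method lists that use the line password as a method."""
    lines = [line.strip() for line in config.splitlines()]
    findings = {"missing": [], "snmp_rw": [], "line_password_login": []}
    for pattern in REQUIRED_DISABLES:
        if not any(re.fullmatch(pattern, line) for line in lines):
            findings["missing"].append(pattern.replace("[ -]", "-"))
    for line in lines:
        snmp = re.match(r"snmp-server community (\S+) RW\b", line, re.IGNORECASE)
        if snmp:
            findings["snmp_rw"].append(snmp.group(1))
        aaa = re.match(r"aaa authentication login (\S+) (.*)", line)
        if aaa and "line" in aaa.group(2).split():
            findings["line_password_login"].append(aaa.group(1))
    return findings


# Constructed sample config: partially hardened, with a RW community and a back door.
SAMPLE_CONFIG = """\
hostname edge-rtr
no ip domain-lookup
no service finger
no service tcp-small-servers
no service udp-small-servers
snmp-server community public RO
snmp-server community s3cret RW
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs line
ip http server
"""

if __name__ == "__main__":
    for key, items in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {items}")
```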

Question 5

Which of these is not a requirement for strong passwords?

  • A. A mixture of upper- and lowercase numbers.

  • B. A minimum of eight characters.

  • C. Special characters used.

  • D. All of these are valid requirements.

A5:

Answer A is correct. The requirements for a strong password are as follows:

  • A minimum of eight characters

  • Both uppercase and lowercase letters

  • Numbers included

  • Special characters (from the uppercase set of keyboard numbers, such as @#$) used

There is no such thing as an uppercase number: The uppercase set on the row of number keys on the keyboard is the special characters (&$@^ and so on). Thus, answer A is not a requirement, even though it looks very much like the rule about a mixture of upper- and lowercase letters.

Question 6

Why does disabling unused switch ports matter?

  • A. It conserves power and CPU cycles (because the CPU knows that it need not interrogate those ports periodically).

  • B. It simplifies understanding of the configuration file later (or when reading someone else's configuration file).

  • C. It prevents the attachment of unknown and unauthorized devices to the network.

  • D. It maximizes free memory for security- related processes such as authentication and encryption.

A6:

Answer C is correct. Switches are generally very accommodating devices: Plug in an Ethernet cable, and the device on the other end of that cable is connected to the network. A security problem for a network is the attachment of unknown and unauthorized devices. If a contractor or maintenance person (or trusted insider) can surreptitiously attach a device to an open port, that person has access to the network that you not only did not authorize, but that you do not even know about (which makes it harder to protect against). Answers A and D refer to conserving switch resources (CPU cycles, memory, and power); disabling ports affects none of these. Answer B is handled by commenting the file (as all the files in the SAFE Blueprints are commented). Without commentary, disabling a port or ports is just another command to be deciphered later.

Question 7

Why would you use the no ip redirects command on a switch?

  • A. To prevent the redirection of IP routing protocol updates

  • B. To prevent the advertisement of IP routing protocol information

  • C. To prevent multiport bridging

  • D. To prevent data intended for one port from being redirected to another port

A7:

Answer D is correct. Port redirection allows traffic destined for one port to be redirected to another. If a hacker can manage to access a server, he might be able to misconfigure it to redirect traffic from one port to another, enabling the creation of a back door in (for instance, entry via HTTP on port 80 can be redirected to a port that then allows the hacker to escalate his privilege and further compromise a host). Port redirection has nothing to do with IP routing protocol updates or advertisements (answers A and B, respectively). Multiport bridging (answer C) is a real term, but it refers to an option in configuring support for IBM's Systems Network Architecture (SNA) and a Downstream Physical Unit (DSPU), or for supporting virtual Token Rings on SDLLC. Neither of these is mentioned in any SAFE Blueprint.

Question 8

NIDS configurations usually require what response if a malicious packet is detected?

  • A. Drop

  • B. Alarm

  • C. Reset

  • D. Alert

A8:

Answer B is correct. A NIDS device processes many packets, and a false positive can cause significant disruption to traffic. Because critical resources are protected by HIDS, malicious traffic need not necessarily be dropped by NIDS (answer A), although you might choose to do so. NIDS is there as much to alert you to the presence of an attack and to enable you to trace it as it is to prevent an attack (which is the primary role of HIDS); therefore, you want an alarm (answer B). You might or might not want to buy some time by also configuring the NIDS to send a TCP reset (answer C) to both ends of the connection (if the traffic is TCP). Alert (answer D) is not an option; only drop, reset, and alarm are valid IP intercept actions.

Question 9

The new Cisco HIDS is known as

  • A. The CiscoSecure Host Protection System (CHPS)

  • B. The CiscoSecure Host Intrusion Protection System (CS HIPS)

  • C. The CiscoSecure Host Intrusion Prevention System (CS HIPS)

  • D. The Cisco Security Agent (CSA)

A9:

Answer D is correct. The Cisco Security Agent (CSA) is a Host Intrusion Prevention System, based on a set of products developed by Okena, Inc., which Cisco purchased in early 2003. It has not been branded as part of the CiscoSecure set of products.

Question 10

The CiscoSecure Access Control Server (CS ACS) is to be supported on which of the following systems? (Choose two.)

  • A. Red Hat Enterprise Linux

  • B. Windows 2000 Server with SP3

  • C. Windows Datacenter Server (without Microsoft Clustering Services)

  • D. Solaris 8

  • E. Debian Linux

  • F. CiscoSecure Solution Engine

A10:

Answers B and F are correct. The CS ACS previously was supported on Windows Advanced Server and Datacenter Server (without Microsoft Clustering Services), but those releases of CS ACS are now End of Life, which eliminates answer C. The same is true of CS ACS for Unix (which supported Solaris 2.51, 2.6, 7, and 8): It is being discontinued in 2003, eliminating answer D. Cisco does not yet offer a CS ACS for any distribution of Linux, eliminating answers A and E.

Question 11

The CS ACS supports which AAA protocols? (Choose two.)

  • A. Kerberos5

  • B. XTACACS

  • C. RADIUS

  • D. TACACS+

A11:

Answers C and D are correct. The CS ACS can implement AAA using TACACS+ and/or RADIUS. It does not support Kerberos (answer A) or XTACACS (answer B), which is an older AAA protocol version superseded by TACACS+.

Question 12

What is the CiscoSecure Solution Engine?

  • A. A dedicated appliance for AAA implementing CS ACS for Windows.

  • B. An improved software version of CS ACS for Unix.

  • C. A software option on the PIX firewall to provide local authentication.

  • D. None of these is correct.

A12:

Answer A is correct. The CiscoSecure Solution Engine is a new, 1-Rack Unit dedicated appliance, preloaded with CS ACS for Windows. It parallels the concept of the PIX firewall as a dedicated appliance, but it has nothing to do with the PIX directly (eliminating answer C). CS ACS for Unix is being discontinued in 2003, eliminating answer B.




CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
