Chapter 13. Answer Key 1

The correct answers are A, B, C, and D. An unstructured threat consists of inexperienced individuals who are motivated by an intellectual challenge rather than a malicious intent. B is correct because a structured threat consists of hackers who are highly motivated and technically competent. C is correct because external threats are individuals and organizations that work outside your organization and do not have authorized access to your network. D is correct because internal threats occur when someone has authorized access to the network with either a user account or physical access. E is incorrect because there is no such thing as a nonfilterable threat.

The correct answers are A, B, and C. A is correct because businesses have expanded and the need to send and receive data over public network space is cost-effective . B is correct because to secure the data transmission, some kind of security must be in place. C is correct because to protect your electronic data, you must have a sound security policy in place.

The correct answers are A and B. IP spoofing deals with injecting malicious data or commands into a preexisting data stream. You can also implement IP spoofing by changing routing tables in a way that the routing tables point to a spoofed IP address. This move allows hackers to access all network datagrams traversing the network backbone. C and D are incorrect because they are distracters.

The correct answer is B. The only way to mitigate man-in-the-middle attacks is through encryption. You can use IP Security (IPSec) to encrypt all your traffic flowing over the insecure media. A is incorrect because a sound password policy protects resources residing on your critical servers and backbone, but when your data leaves your network, it is vulnerable to man-in-the-middle attacks. C is incorrect because you can use one-time passwords (OTP) to mitigate packet sniffer attacks. D is incorrect because you use RFC 2827 filtering to mitigate IP spoofing attacks.

The correct answers are A and D. Application layer attacks are the hardest to mitigate because they exploit the weaknesses of applications running in the higher layers of the Open Systems Interconnect (OSI) model. You can have a sound application, but if your operating system has holes in it, you will be subject to application attacks. Vulnerability patching can mitigate these application attacks on your network devices. You can also implement an intrusion detection system (IDS) to scan hosts and devices for known attacks and provide a defense mechanism to prevent attacks. B is incorrect because you can use access control to mitigate IP spoofing on your network. C is incorrect because you use encryption to mitigate man-in-the-middle and packet-sniffing attacks.

The correct answers are A and B. Unauthorized attacks cannot be classified as reconnaissance, access, or denial-of-service (DoS) attacks. These attacks constitute the majority of attacks performed in global networks today. An example of an unauthorized network attack happens when a hacker tries to log on to your router, and you have a disclaimer that unauthorized users will be prosecuted. If the hacker sees this disclaimer and still tries to access the system, he is making an unauthorized attack. You can start mitigating these attacks by implementing strict access control by allowing certain IP addresses to access certain systems. You can also prevent unauthorized attacks by shutting down unused ports on the system. C and D are incorrect because an IDS cannot prevent unauthorized access attacks. Encryption plays an important role in mitigating man-in-the-middle attacks but cannot prevent a hacker from breaking into a device.

The correct answers are A, B, C, and D. Besides the mentioned components , the security policy must also contain the statement of authority and scope that defines who supports the security policy and what area the security policy covers. Another thing to consider is the parameters defined under the acceptable security policy. In case there is an incident, you must define an incident-handling procedure that caters to the procedures used during and after an incident has occurred.

The correct answer is B. The exec -timeout in line configuration mode ensures that the administrative interface stays up for the specified duration after the last session activity. It is highly recommended that you modify these values so that you can reduce the idle timeouts. A, C, and D are incorrect because the exec-timeout can only be modified in line configuration mode on the Cisco router.

The correct answers are B and C. You can use either a Terminal Access Controller Access Control System + (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) server to communicate between the authentication, authorization, and accounting (AAA) security server and network access server (NAS). In fact, you can use TACACS+ or RADIUS to communicate between AAA security servers, NAS, Cisco routers, or firewalls. TACACS+ is a TCP-based protocol, and RADIUS is a User Datagram Protocol (UDP)[nd]based protocol. A is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a tunneling protocol. D and E are incorrect because Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) are routing protocols.

The correct answers are A and D. Point-to-Point Protocol (PPP) Challenge Handshake Authentication Protocol (CHAP) provides protection against playback attacks by using incrementally changing identifiers and inconsistent challenge values. B, C, and E are true characteristics of CHAP but are incorrect options because CHAP does not use cleartext authentication; on the contrary, it uses a Message Digest 5 (MD5) hash. CHAP also uses a three-way handshake at the initial link-establishment stage and keeps repeating challenges that eliminate the issues involved with sniffing and replay attacks.

The correct answer is B. You can use the aaa new-model command in global configuration mode to initialize AAA on Cisco routers. An AAA configuration set comes standard with all the IOS feature sets of Cisco routers, and no special feature set is required. A, C, and D are incorrect because they are have incorrect syntax. The command to initialize AAA on a router is aaa new-model .

The correct answer is D. You use the aaa authentication ppp command if you want to authenticate to the AAA server to simply access resources on the IP network. You use AppleTalk Remote Access Protocol (ARAP) for AppleTalk and NetWare Access Server Interface (NASI) for NetWare. A, B, C, and E are incorrect because you use the aaa authentication enable command to determine whether a user can access the enable mode of the router and the aaa authentication login command to determine who can log in to the router. You use aaa authentication arap to authenticate using AppleTalk and aaa authenticate nasi to authenticate using NetWare.

The correct answer is D. The service=shell in the second line means that an exec (shell) session is being requested . The aaa authorization command sends a request packet containing a series of attribute-value (AV) pairs to the RADIUS daemon as part of the authorization process. In the output, an EXEC authorization for user examcramuser is performed. On the first line, the username is authorized, and on the second and third lines, the AV pairs are authorized. A, B, C, and E are incorrect because they are distracters.

The correct answers are A, B, C, D, E, and F. CiscoSecure Access Control Server (CSACS) supports all the mentioned authentication protocols. Besides all these protocols, CSACS also provides support for ARAP.

The correct answer is B. The CSAuth service is responsible for the authentication and authorization of requests from devices to permit or deny access to specified users. A is incorrect because the CSAdmin is responsible for administrative tasks and comes equipped with a Web server. C is incorrect because you use the CSTacacs service to communicate with TACACS+-enabled devices. D is incorrect because you use the CSLog service to capture and place logging information. E is incorrect because you use the CSDBSynch service to provide management services for user and group accounts. F is incorrect because the CSMonitor service corrects system problems and monitors itself as well.

The correct answer is C. Once CSACS is installed, you can access the application by accessing TCP port 2002. CSACS uses unique dynamic port numbers defined using the appliance's Administration Control/Access Policy Web page. By default, CSACS can use the full range of TCP ports. A, B, and D are incorrect because CSACS by default uses TCP port 2002 to establish a Web connection.

The correct answers are A and B. A method list called no_tacacs is applied to the line console 0 interface that looks for the enable password as the authentication parameter before allowing access to the device. C and D are incorrect because console access will always use the enable password, whether AAA server is online or not.

The correct answer is E. You can use the login authentication QUE command in line configuration mode, where QUE is a method list. Note that if you do not apply a list to a line or interface, the default list will be used. A, B, C, and D are incorrect because the correct command to apply an authentication method list is login authentication method_list . Note that method lists are case-sensitive.

The correct answers are C and D. You can use the no ip finger and no service finger commands to prevent a hacker from finding out which users are logged in to the network device. The no service finger command is a legacy command and works in the same way as no ip finger . A is incorrect because show cdp entry displays information about a specific neighboring device discovered using Cisco Discovery Protocol (CDP). B is incorrect because ip finger enables the finger protocol on the router.

The correct answer is C. The ip mask reply command tells a router to respond to Internet Control Message Protocol (ICMP) mask requests by sending the ICMP mask replies containing the IP address of the interface. A is incorrect because the ip classless command works with the classless routing behavior of the router. B is incorrect because the ip redirect command allows the router to redirect messages received from an interface back to the same interface. D is incorrect because the ip source routing command allows the senders of a packet to control the route that packet will take toward the destination endpoint.

The correct answer is C. The no ip directed broadcast command disables an IP packet that is sent to the broadcast address of the subnet to which the sending machine is not directly connected. In IOS version 12.0 and higher, directed broadcast is disabled by default. A is incorrect because the ip classless command works with the classless routing behavior of the router. B is incorrect because the ip redirect command allows the router to redirect messages received from an interface back to the same interface. D is incorrect because the ip source routing command allows the senders of a packet to control the route that packet will take toward the destination endpoint.

The correct answer is A. The aaa new-model command overrides all previously configured authentication methods on the VTY and CTY lines. You should always configure a local login mechanism to ensure against being locked out of a router if your AAA server goes offline. B, C, D, and E are incorrect because they are all subsets of aaa new-model . The moment you enable the aaa new-model command, all previously configured authentication parameters are overridden on the CTY and VTY lines.

The correct answer is B. The Key Distribution Center (KDC) is a third-party facility that generates keys in electrical form. You can relate KDC to a certificate authority (CA). Kerberos uses 40- or 56-bit Data Encryption Standard (DES) for encryption and authentication. It is pretty weak compared to today's standards of Triple DES (3DES) and Advanced Encryption Standard (AES). A, C, D, and E are all incorrect because they are all distracters.

The correct answers are A and B. Turbo access control lists (ACLs) compile ACLs into sets of lookup tables, and you can configure Turbo ACL by applying the access-list compiled command in global configuration mode. This version was introduced in Cisco IOS version 12.0(6)S. If your ACLs entries are larger than three, compiling the ACL results in a smaller CPU load. C and D are incorrect because you can use Turbo ACLs if you have ACLs larger than three entries, and the CPU load is decreased because the ACLs are compiled into sets of lookup tables.

The correct answer is E. To configure the syslog to log debugging messages, configure the router to log at level 7. You can use the logging trap <level> command in global configuration mode. Instead of using the number 7, you can also use the keyword debugging in your configuration. A, B, C, and D are incorrect because they depict different levels of debugging on the Cisco router. If you enable debugging for level 7, then by default, you get all levels of syslog messages from 7 all the way up to 0, where 0 is emergency and 7 is debugging.

The correct answers are A, C, and E. Context-based access control (CBAC) inspects traffic that travels through the router to discover and manage state information for TCP and UDP at the application layer and modifies access lists to allow authorized return traffic. B and D are incorrect because CBAC maintains a state table with session information, and CBAC works only on Layers 3 and 4 of the OSI model.

The correct answers are A and D. With a block-time setting of 0, CBAC deletes the oldest existing half-open session for every new connection request. Zero is the default value, but you can configure this value to suit your network needs. B and C are incorrect because they are distracters.

The correct answer is D. CBAC has the ability to perform inspection on nonstandard ports, and you can configure it using port-to-application mapping (PAM). You can use PAM to customize TCP or UDP port numbers for network services and application. PAM is similar to the fixup protocol on a PIX firewall. A, B, and C are incorrect because they have the wrong syntax.

The correct answer is D. Authentication proxy is an HTTP-based authentication mechanism that enables administrators to apply specific security policies on a per-user basis. Authentication proxy also provides authentication and authorization using the TACACS+ and RADIUS protocols and works on interfaces for inbound and outbound traffic. A, B, and C are incorrect because authentication proxy uses HTTP only.

The correct answers are A, C, and D. When you implement authentication proxy, the source address in the ACL is replaced with the actual IP address of the host making the request and should be set to any . Moreover, you must set a priv-lvl of 15 for all users for auth-proxy to work, and when configuring auth-proxy on CSACS, you are allowed permit statements only. B is incorrect because you cannot have deny statements when configuring authentication proxy rules on CSACS.

The correct answer is B. You can use the show ip auth-proxy cache command to view the current list of the authentication proxy entries. Remember, if the proxy state displayed is HTTP_ESTAB , then the user authenticated successfully. A, C, and D are incorrect because you can use the show ip auth-proxy cache command to view the current list of authentication proxy entries.

The correct answer is A. Cisco recommends that drop and reset actions should happen together to ensure that the attack is terminated effectively. B, C, D, and E are incorrect because Cisco recommends that you drop and reset the action to ensure that the attack is terminated .

The correct answer is E. You can use the clear ip audit configuration command to remove all IDS configuration on any Cisco router running the Cisco IDS solution. This command also releases all dynamic resources that were allocated to the IDS process. A, B, C, and D are incorrect because they are distracters.

The correct answers are A and B. Encapsulating Security Payload (ESP) is part of the IPSec standard and provides both confidentiality using encryption and authentication. Encryption and authentication are optional in ESP; however, you have to select at least one of the two for ESP to work. You can use ESP to mitigate man-in-the-middle attacks because it is part of the IPSec suite. C is incorrect because ESP works seamlessly with NAT. D is incorrect because ESP provides payload encryption as well. AH, on the other hand, does not work with NAT and provides header authentication only.

The correct answers are C and D. You can use either MD5 or Secure Hash Algorithm 1 (SHA-1) to authenticate packet data. MD5 uses a 128-bit shared secret key, and SHA-1 uses a 160-bit shared secret key. Cisco recommends SHA-1, which is cryptographically stronger than MD5. A and B are incorrect because DES and 3DES are encryption algorithms and not hashing algorithms.

The correct answer is C. You can use the ip inspect udp idle-timeout command to specify the UDP idle timeout on a Cisco router. By default, the idle timeout value is 30 seconds. A, B, and D are incorrect because they are distracters and have the wrong syntax.

The correct answer is D. crypto isakmp key examcramrocks! address 10.1.1.1 configures the preshared key of examcramrocks! that will be used to negotiate IKE Phase 1. Remember, both sides of the tunnel must share the same preshared key for this to work. A, B, and C are incorrect because you use the crypto isakmp key command to establish the shared key on tunnel endpoints, not in CA implementation. You configure IPSec in manual mode using the crypto map command and not crypto isakmp key .

The correct answer is A. The number 15 in ip inspect name examcram http java-list 15 refers to a standard IP access list, and to permit only host 30.10.0.1, you can either configure the access list with the host keyword or simply issue the command access-list 15 permit 30.10.0.1 . B, C, and D are incorrect because the question asks specifically about permitting Java applets from the 30.10.0.1 IP address only.

The correct answer is A. You use Diffie-Hellman (D-H) to derive the shared secret between two IPSec peers. You don't use D-H for encryption or digital signatures; instead, you use it to obtain a shared secret "key agreement" between two parties over an insecure medium such as the Internet. B is incorrect because DES is an encryption algorithm. C and D are incorrect because AH and ESP are the two ways of setting up IPSec tunnels.

The correct answer is A. You use the crypto map command to tie all the IPSec parameters to the interface that will be used to establish IPSec peers. You must apply a crypto map to an interface before that interface can provide any kind of IPSec services. Remember, you can apply only one crypto map to an interface. B, C, and D are incorrect because they are distracters.

The correct answers are A, B, and C. Authentication proxy supports CSACS for NT/2000, CSACS for Unix, Lucent, and any other standard RADIUS servers. D is incorrect because TACACS+ is not a RADIUS server.

The correct answer is A. The command crypto ipsec transform-set EXAMCRAM ah-md5-hmac uses Authentication Header (AH) and MD5 as the authentication variant. Note that you can specify transport mode or tunnel mode. By default, routers use tunnel mode. B, C, and D are incorrect because they are distracters.

The correct answer is D. The tacacs-server key examcramrocks!! command configures a shared secret between the NAS and the AAA server. In this case, the AAA server would authenticate users using TACACS+. This shared secret key is used for authentication and encryption and must match the key configured on the AAA server. A, B, and C are incorrect because you use the tacacs-server key command to configure a shared key that the AAA and NAS will use to communicate with each other.

The correct answer is C. Because the Java inspection rule applies to a WWW server, using FTP allows the user to download the applet from any resource (trusted or untrusted) without any problems. A, B, and D are incorrect because they are distracters.

The correct answer is B. You need a security association (SA) for one protected data pipe per direction and per protocol. If you have an IPSec tunnel that uses ESP between peers, you need an ESP SA for each direction, and these SAs are uniquely identified by tunnel endpoints, IPSec security protocols, and Security Parameter Index (SPI) values. A, C, and D are incorrect because they are distracters.

The correct answers are B, C, and E. UDP is an unreliable but efficient transport protocol, and spoofing UDP packets is easy because there is no handshaking or sequencing. Another issue you can face is that UDP has no state machine and relies on an upper-layer protocol for state information. A and D are incorrect because UDP does not provide guaranteed delivery and UDP relies on upper-layer protocols for state information.

The correct answers are A, B, and D. CBAC provides the thresholds against DoS attacks. If the threshold is exceeded, CBAC can send reset messages to the endpoints of the oldest half-open session, and it can also block all SYN packets temporarily for the duration of configured interval. For UDP, "half-open" means that no return traffic was detected . C, E, and F are incorrect because they are distracters.

The correct answer is D. In crypto access lists, a deny statement means that the packets matching the ACL are not encrypted, and a permit statement, on the other hand, indicates that the packets matching the ACL will be encrypted. A, B, and C are incorrect because they are distracters.

The correct answers are A and D. Asymmetric algorithms do not rely on a randomly generated shared encryption key that changes per session; instead, they create two static keys. DES is an encryption algorithm, and D-H is an SHA-1, which is an authentication mechanism. B and C are incorrect: DES is a encryption algorithm and SHA-1 is a hashing algorithm.

The correct answers are C, D, E, and F. You should take four steps when configuring IKE Phase 1 policy. You start off by enabling IKE on the router; then you configure the IKE policy that will be used in IKE Phase 1. Next, you configure IKE preshared key for the peers. Finally, you verify your configuration. A is incorrect because testing VPN is the last step in configuration. B is incorrect because you apply a crypto map to an interface as the second-last step in configuring IPSec.

The correct answer is A. D-H isn't used for encryption or digital signatures; instead, it is used to obtain a shared secret "key agreement" between two parties over an insecure medium such as the Internet. B, C, and D are incorrect because D-H is part of IKE Phase 1 in setting up an IPSec VPN tunnel.

The correct answer is D. PAM stands for port-to-address mapping and is similar to the fixup protocol in PIX. A, B, and C are incorrect because PAM stands for port-to-address mapping.

The correct answer is D. Inspection rules in CBAC define application layer protocols that will be inspected. CBAC performs stateful packet inspection of packets that pass through the CBAC-enabled router. When it inspects a packet, CBAC creates a state table entry. The state table tracks information contained in the packets of a session, and then based on the state table, CBAC decides whether to allow return traffic, for that session, back into the protected network. A, B, and C are incorrect because they are distracters.

The correct answer is D. Once all your authentication proxy parameters are configured, you have to apply it to an interface using the ip authentication-proxy <proxy_name> command. The authentication proxy name is auth-proxy , and you use the ip authentication-proxy auth-proxy command to apply authentication proxy rules to an interface. A, B, and C are incorrect because they are distracters.

The correct answer is D. The authorization feature of AAA limits the services available to users. Once authorization is enabled, the NAS uses information located in user profiles and accordingly allows or disallows a user to access certain information or resources. A, B, and C are incorrect because they are distracters. Authorization limits the services available to users.

The correct answer is C. Antireplay verifies that each packet is unique and not duplicated . It uses IPSec to compare the sequence numbers of the received packets in the sliding window of the tunnel endpoint. A, B, and D are incorrect because antireplay verifies that each packet is unique and not duplicated.

The correct answer is D. Easy VPN was introduced in IOS version 12.2(8)T, and this feature set is available for Cisco 800, 1400, 1600, 1700, 2600, 3600, 3700, 7100, 7200, and 7500 series routers. A, B, C, and E are incorrect because they are distracters.

The correct answer is B. You can use the ip port-map command to associate TCP or UDP port numbers with applications or services at the firewall level. There are three types of PAM tables: system-defined, user-defined, and host-specific. Note that you cannot delete or change system-defined port mappings. For example, you cannot map FTP port 21 to port 80 or vice versa. A, C and D are incorrect because they are distracters. System-defined PAM mapping cannot be changed.

The correct answers are B, C, and D. AH provides for the integrity of IP packets by authenticating the data stream. It provides antireplay protection as well. AH does not encrypt the data payload, which means only the header is authenticated and the data flows in cleartext. AH does not work with NAT either because the IP header changes when the packet passes through the firewall. A is incorrect because AH does not encrypt data payload; it encrypts only the header.

The correct answer is E. When the authentication proxy idle timeout expires , the router removes user authentication entries as well as the router's dynamically configured access-list entries for the user. A, B, C, and D are incorrect because they are distracters.

The correct answer is A. Dynamic ACLs are not saved by the router because they are created when a certain traffic flow is detected on the router's interface. As soon as that data flow is terminated, the dynamic ACLs are automatically removed from the configuration. Rebooting the router also removes all the existing dynamic ACL entries on the router. B, C, and D are incorrect because dynamic ACLs are never saved in any Cisco implementation.

The correct answers are B and C. Instead of using both AH and ESP transforms, you can use only an AH transform or use two ESP transforms if you choose. A, D and E are incorrect because you can use one AH and two ESP transforms when setting up an IPSec VPN tunnel.

The correct answer is C. Extended authentication (XAUTH) is a process that you can implement to authenticate users who initiate an IPSec connection. XAUTH provides an additional layer of security which ensures that the user initiating an IPSec session is legitimate and authorized. A, B, and D are incorrect because you use XAUTH to authenticate users who are initiating IPSec VPN tunnel.

The correct answers are A, C, and D. PAM establishes a table of default port-to-application mapping information at the firewall. A PAM table allows services supported by CBAC to run on nonstandard ports. B is incorrect because it is a distracter.

The correct answer is D. Cisco Easy VPN is a software enhancement for existing Cisco routers and security appliances that greatly simplifies VPN deployment for remote offices and teleworkers. The Easy VPN Server solution is based on the Cisco Unified Client framework, and it centralizes VPN management across all Cisco VPN devices. It reduces the complexity of VPN deployment. A, B, C, and E are incorrect because Easy VPN Server allows Cisco devices to act as VPN headend devices.

The correct answer is B. The crypto isakmp keepalive command ensures that the Cisco IOS VPN gateway, rather than the Cisco Software Client, sends dead peer detection (DPD) messages. You can enable this feature in global configuration mode on the router. The DPD's value is set in seconds, and you can also specify the retry interval as well. A, C, D and E are incorrect because you use the crypto isakmp keepalive command to enable DPD on the router.

The correct answers are A, C, and D. Router Management Center supports the IPSec, IPSec over GRE (Generic Routing Encapsulation), and IPSec over Frame Relay network-tunneling technologies. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data origin authentication between peers that are connected over unprotected networks such as the Internet. GRE is a tunneling protocol that can encapsulate a variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to devices at remote points over an IP internetwork. B and E are incorrect because they are distracters.

The correct answers are B and C. If no other IKE policy is defined, Router MC would use the default policy of 3DES encryption, the SHA hashing algorithm, preshared authentication, and D-H group 2 and a lifetime parameter of 86,400 seconds. A, D, and E are incorrect because they are distracters.