Chapter 15. Answer Key 2


1. A

2. B

3. A, B, C, D

4. A, B

5. C

6. B, D, E

7. D

8. B

9. C

10. A, B, D

11. A

12. A

13. A, B, C

14. A, B, C, D

15. A

16. B

17. A

18. A, C, E

19. D

20. A

21. E

22. A, B, C

23. B, D, E

24. C

25. A, B, C

26. E

27. A, B

28. C

29. B

30. D

31. B

32. A, B, C

33. C

34. B, C, D

35. A, C, D

36. B

37. C

38. C

39. D

40. E

41. A, C, E

42. C

43. D

44. C

45. D

46. A

47. E

48. B

49. A, B, C, D, E

50. D

51. A, B, C, D

52. C, E

53. B

54. D

55. C

56. A, B, C

57. A

58. A

59. A

60. A

61. D, E

62. B

63. A

64. C

65. A, B, D

66. C

67. A, C

68. A, B, C

Question 1

The correct answer is A. A reconnaissance attack is where the intruder attempts to discover and map systems, services, and vulnerabilities. B is incorrect because an access attack refers to data manipulation, system access, or privilege escalation. C is incorrect because a denial-of-service (DoS) attack disables or corrupts network, systems, and services with a malicious intent to deny service to authorized and intended users.

Question 2

The correct answer is B. Packet sniffing is a technique that can be implemented by using a network adapter card in promiscuous mode. Most operating systems come with a packet sniffer built in. A is incorrect because a DoS attack focuses on making services unavailable for normal use by exhausting specific resources that reside within a network or operating system. C is incorrect because a Trojan horse is an attack tool. A Trojan horse runs on a user's machine as a program and pirates critical data on that machine to a different, unauthorized location. D is incorrect because port redirection attacks are trust exploitation attacks that are instigated by a compromised host to pass traffic through the firewall that would be dropped otherwise.

Question 3

The correct answers are A, B, C, and D. Implementing access control on your network can mitigate IP spoofing. You can mitigate IP spoofing by preventing any outbound traffic from leaving your network that does not have a source address in your own IP range. You can further prevent spoofing by implementing authentication on your network backbone. A typical example uses a routing protocol that supports Message Digest (MD5) authentication. Some examples of routing protocols that support MD5 authentication are Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and Routing Information Protocol (RIP) version 2. You can also use cryptography such as IP Security (IPSec) to encrypt traffic on your network.

Question 4

The correct answers are A and B. An application attack can be initiated by exploiting the weaknesses in the application layer protocol or in software running on a device. The oldest type of application attack is a Trojan horse, which involves secretly installing software that captures important information such as usernames and passwords on the host. C is incorrect because encryption mitigates man-in-the-middle and packet-sniffing attacks. D is incorrect because vulnerability patching is a way of mitigating application layer attacks.

Question 5

The correct answer is C. Port redirection is a trust exploitation attack, and uses a compromised host to pass through the firewall certain traffic that would be dropped in normal conditions. You can mitigate trust exploitation attacks by implementing a tight trust model between peer networks and devices. If your system is under attack, you can use a HIDS (host-based intrusion detection system) to detect and block the hacker from installing certain utilities that would breach the trust between two endpoints. A is incorrect because IP spoofing is an attack that deals with injecting malicious data or commands into a pre-existing data stream. You can also implement IP spoofing by changing routing tables in a way that the routing tables point to a spoofed IP address. B is incorrect because man-in-the-middle attacks can be mitigated by using encryption. D is incorrect because application-layer attacks are the hardest to mitigate; they exploit the weaknesses of applications running in the higher layers of the Open Systems Interconnect (OSI) model.

Question 6

The correct answers are B, D, and E. A security policy is a formal statement that defines the rules which network engineers and people in the organization must follow when accessing network resources. A security policy must define which behavior is and is not allowed. It should also provide processes to allow auditing on the network. A security policy must define the course of legal action if it is necessary and should also outline processes for handling network security incidents. Remember, the security policy provides the framework for implementing network security. A and C are incorrect because a security policy should provide a process to audit the existing security policy, and it defines which behavior is allowed on the network.

Question 7

The correct answer is D. The service password-encryption command uses a Cisco-proprietary Vigenere cipher to encrypt all the other passwords on the router except the enable secret password (which uses MD5). This password is easy to break, but it provides additional security on the network devices in case someone is eavesdropping on your configuration when you are working on the router. In fact, you can download from the Internet the GETPASS utility, which will decrypt the Vigenere cipher for you. A, B, and C are incorrect because of incorrect syntax.
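The distinction this answer draws (type 7 encoding from service password-encryption versus the MD5 hash produced by enable secret) is easiest to see when checking a saved configuration. The following Python audit script is an added example, not code from the book: it scans a constructed IOS-style configuration excerpt (the hostnames, usernames and the hex strings in it are placeholders) and reports every password that is stored in cleartext or with the reversible type 7 encoding, so that an operator can replace them with enable secret or another hashed form.

```python
"""Audit a saved IOS configuration for passwords stored with weak protection."""
import re
from typing import List, Tuple

# Constructed configuration excerpt (not from the book). It shows the three storage forms
# the answer to Question 7 contrasts: type 0 (cleartext), type 7 (the reversible encoding
# produced by service password-encryption) and type 5 (the MD5 hash from enable secret).
# All hostnames, usernames and hex/hash strings below are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
hostname Central
enable secret 5 $1$placeholder$hashvalueplaceholder
enable password 7 0822455D0A16
username admin password 7 104D000A0618
username backup password 0 plaintextexample
line vty 0 4
 password 7 02050D480809
 login
"""

# Matches "password <word>", "password 0 <word>" (cleartext) and "password 7 <hex>"
# (reversible), with optional "enable" or "username <name>" in front.
# "enable secret 5 ..." does not match because it never contains the word "password".
WEAK = re.compile(r"^\s*(?:(?:enable|username \S+)\s+)?password\s+(?:(?P<type>[07])\s+)?\S+")


def audit(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, reason) for every weakly stored password."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = WEAK.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"          # no type keyword means cleartext
        reason = ("reversible type 7 encoding; use enable secret or a hashed form"
                  if ptype == "7" else "cleartext type 0 password")
        findings.append((lineno, line.strip(), reason))
    return findings


def count_by_type(config: str) -> Tuple[int, int]:
    """(number of type 7 findings, number of type 0 findings)."""
    found = audit(config)
    sevens = sum(1 for _, _, reason in found if reason.startswith("reversible"))
    return sevens, len(found) - sevens


if __name__ == "__main__":
    for lineno, line, reason in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {line!r}: {reason}")
```

The regular expression deliberately ignores enable secret lines: a type 5 entry is a salted MD5 hash, which is the form the answer recommends, so it is not a finding.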

Question 8

The correct answer is B. The first step toward successful authentication using AAA is to connect to the perimeter router. A is incorrect because once the connection to the router is established, the router communicates with the CiscoSecure Access Control Server (CSACS). C is incorrect because once communication is established, CSACS prompts the user for a username and password combo. D is incorrect because once CSACS prompts for a username and password, it authenticates the user. If the username and password are valid, the user is granted access to the network resources.

Question 9

The correct answer is C. Token cards are the same as a SecurID authentication mechanism. This feature is based on two parameters, something you know (a number) and something you have (a token card). Token cards are small electronic devices that generate random numbers, and each number is valid for a specific period of time. To successfully authenticate to the authentication server, you have to provide the number that you know and the random number generated by the token card. A is incorrect because no username and password is as bad as no security at all. B is incorrect because OTPs (one-time passwords) are the next best alternative to secure authentication. OTPs are only good for a one-time login. D is incorrect because token cards provide a random number generator combined with a PIN to authenticate the user, rather than aging usernames and passwords.

Question 10

The correct answers are A, B, and D. Remote network access types are also known as packet or interface mode. VTY is classified as character mode. Character mode is used to first access the router using Telnet or the console, aux, or TTY lines. Once you access the router using character mode, you can then launch into the packet-mode session using Point-to-Point Protocol (PPP), network, and AppleTalk Remote Access Protocol (ARAP) command elements. C is incorrect because VTY is classified as character mode implementation.

Question 11

The correct answer is A. TACGROUP is a method list that names the list of authentication methods activated when a user logs in. aaa authentication login TACGROUP local states that all users subjected to the TACGROUP method list are subject to local authentication in case the AAA server goes offline. B, C, and D are incorrect because they are distracters.

Question 12

The correct answer is A. aaa authentication enable default group tacacs+ allows you to access the enable mode of the router even if the AAA server is offline. B is incorrect because the aaa authorization network tacacs+ group tacacs+ command runs authorization for all network-related service requests that include Serial Line Internet Protocol (SLIP), PPP, Network Control Program (NCP), and AppleTalk Remote Access Protocol (ARAP). C is incorrect because aaa accounting system default start-stop group tacacs+ performs accounting for all system-level events such as reloads that are not associated with users. D is incorrect because aaa authentication login default local works when the default list is not set and only the local user database is checked for authentication.

Question 13

The correct answers are A, B, and C. CSACS offers support for Extensible Authentication Protocol (EAP) over PPP. EAP has RFC 2284 associated with it. You can read about EAP at ftp://ftp.rfc-editor.org/in-notes/rfc2284.txt. Cisco ACS supports EAP-MD5, which is a way of hashing the username and password using the MD5 hashing algorithm. EAP-TLS (Transport Layer Security) is a way of authenticating users with X.509 digital certificates, and provides dynamic key negotiations as well. Data Encryption Standard (DES) and Advanced Encryption Standard (AES) are not authentication methods; they are encryption technologies. D and E are encryption algorithms that you use to encrypt payload and are not authentication protocols.

Question 14

The correct answers are A, B, C, and D. CSACS works with Windows NT and 2000, external token servers, and Netscape Directory Server (NDS) databases. E is incorrect because CSACS does not work with FreeBSD databases.

Question 15

The correct answer is A. The CSAdmin is responsible for administrative tasks and comes equipped with a Web server. B is incorrect because the CSAuth service is the service that is responsible for the authentication and authorization of requests from devices to permit or deny access to specified users. C is incorrect because the CSTacacs service communicates with Terminal Access Controller Access Control System + (TACACS+)-enabled devices. D is incorrect because the CSLog service captures and places logging information. E is incorrect because the CSDBSynch service provides management services for user and group accounts. F is incorrect because the CSMonitor service corrects system problems and monitors itself as well.

Question 16

The correct answer is B. You can configure the TACACS+ server host and key in one single command or by defining the TACACS+ server host in one command and the TACACS+ key in another. You can define multiple TACACS+ servers using this command. A, C, and D are incorrect because they have incorrect syntax.

Question 17

The correct answer is A. The none method means that authentication is not required. Therefore, all users will be able to access the aux port. B, C, D, and E are incorrect because the none keyword will not require any authentication at all and other method lists will not be checked.

Question 18

The correct answers are A, C, and E. When you implement TACACS+, the entire payload is encrypted and TACACS+ uses TCP port 49 as a socket. B and D are incorrect because Remote Authentication Dial-In User Service (RADIUS), on the other hand, uses User Datagram Protocol (UDP) port 1645 for authentication and port 1646 for authorization and encrypts only the password parameters.

Question 19

The correct answer is D. You use the access-class command in line configuration mode in an inbound direction to ensure that only hosts 10.10.0.1 and 10.10.0.2 are allowed to Telnet to the router. By default, all access lists have an implicit deny at the end, and because of that rule, only two hosts will be allowed Telnet access to the Central router. A, B, and C are incorrect because they use incorrect syntax.

Question 20

The correct answer is A. You can use the no cdp run command in global configuration mode to disable Cisco Discovery Protocol (CDP) on the router globally. B is incorrect because to turn off CDP on a specific interface of the router, you can use the no cdp enable command in interface configuration mode to accomplish the task. C and D are incorrect because no cdp enable is configurable in global configuration mode.

Question 21

The correct answer is E. The aux port should be disabled on the router if it is not in use. You can do that by issuing the no exec command in line configuration mode. The no exec command disables all exec sessions on the router and should never be applied to the console port of the router. Doing so would lock you out of the router, and you would have to go into boot mode and modify the running config to access the router via console again. A is incorrect because the no login command will give you access to the aux port without a password prompt. B, C, and D are incorrect because they are distracters.

Question 22

The correct answers are A, B, and C. CSACS supports Oracle, Sybase SQL Server, and SQL Anywhere databases. Note that the SQL Anywhere database comes bundled with CSACS for Unix. D and E are incorrect because the NDS and Windows databases are not supported by CSACS for UNIX.

Question 23

The correct answers are B, D, and E. Cisco ACLs are always read in a top-down fashion and have an implicit deny at the end of each block of ACLs. You can use standard and extended access lists to log packets that match permit or deny statements. Note that ACLs provide directional filtering, and you can use the ACLs to provide ingress and egress filtering. A and C are incorrect because ACLs have an implicit deny statement at the end, and all ACLs can be configured to log for packet matching.

Question 24

The correct answer is C. Turbo ACLs compile ACLs into sets of lookup tables, and you can configure Turbo ACL by applying the access-list compiled command in global configuration mode. This version was introduced in Cisco IOS version 12.0(6)S. A, B, and D are incorrect because they are distracters.

Question 25

The correct answers are A, B, and C. The Cisco Firewall feature set comes equipped with context-based access control (CBAC), authentication proxy, and intrusion detection system (IDS). D and E are incorrect because they are not part of the feature set: lock and key is a type of access list, and cut-through proxy is a feature of the PIX Firewall.

Question 26

The correct answer is E. You can use the ip inspect tcp synwait-time command to adjust the timer. This command defines how long the software will wait for a TCP session to reach the established state before dropping the session. A, B, C, and D are incorrect because they are distracters.

Question 27

The correct answers are A and B. The ip inspect audit trail command turns on CBAC audit trail messages, and these messages can be displayed on the console after each CBAC session is closed. Turning on logging provides a record of network activity and access through CBAC. C and D are incorrect because they are distracters.

Question 28

The correct answer is C. You would use the ip inspect <name_of_rule> {in | out} command to apply the inspection rule to a specific interface of a router. Note that you always apply the inspection rule in interface configuration mode. A, B, and D are incorrect because they are distracters.

Question 29

The correct answer is B. After five unsuccessful login attempts, the user will have to wait for at least 2 minutes before making another attempt. A, C, and D are incorrect because they are distracters.

Question 30

The correct answer is D. When configuring CSACS for authentication proxy, you must set the privilege level for all users to 15. The command to do that is priv-lvl=15 on the Group tab. You can start authentication proxy by initializing the auth-proxy service under the TACACS+ (Cisco) menu. A, B, and C are incorrect because they are distracters.

Question 31

The correct answer is B. You can use the clear ip auth-proxy cache * command to clear all authentication proxy entries, which includes user profiles and dynamic access lists. You can also clear the auth-proxy entry of a specific user by specifying the IP address instead of the *. A typical example is clear ip auth-proxy cache 192.168.1.1, where your user is located at 192.168.1.1. A, C, and D are incorrect because they are distracters.

Question 32

The correct answers are A, B, and C. All compound signatures require memory allocation to maintain the state of each session per connection and are triggered only when multiple packets are streamed over a period of time. Atomic signatures, on the other hand, do not require memory allocation and are triggered as soon as the first packet is detected. D is incorrect because compound signatures require memory allocation, and E is incorrect because atomic signatures do not require memory allocation.

Question 33

The correct answer is C. You can use the ip audit signature <sig_id> disable command to disable a specific signature type. Note that by default, all signatures that are included with the IOS are enabled, and if you want to disable a specific signature, you have to manually configure it. A, B, and D are incorrect because they are distracters.

Question 34

The correct answers are B, C, and D. To implement IPSec between your remote networks, it is imperative that you have UDP port 500 open along with IP protocol numbers 50 and 51. Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) Phase 1 uses UDP 500 to establish the IKE Phase 1 tunnel. Now that your Phase 1 tunnel is up, you have to establish the IKE Phase 2 tunnel using Authentication Header (AH) or Encapsulating Security Payload (ESP). AH uses IP protocol number 51, and you open this port only if you are using AH. However, if you are using network address translation (NAT) at your firewall level, you can only use IP protocol number 50, which is ESP. A is incorrect because IKE uses UDP port 500. TACACS+ uses TCP port 49.
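The ACL behaviour described in Questions 19 and 23 (top-down evaluation, first match wins, implicit deny at the end, optional logging) and the IPSec port requirements from this answer (UDP 500 for IKE, IP protocol 50 for ESP, 51 for AH) can be exercised together in a small evaluator. The Python below is an added example, not code from the book or from Cisco IOS: it models a subset of extended-ACL syntax (protocol keyword, host/wildcard/any addresses, an optional destination port) over constructed packets, and the addresses, ACLs and packets are all made up for the demonstration.

```python
"""Extended-ACL evaluator: top-down, first match wins, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Protocol keywords as used in Cisco extended ACL syntax (subset chosen for this example)
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass
class Packet:
    proto: int                    # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None   # destination port for TCP/UDP


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # key of PROTO_NUMBERS
    src: str                      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: Optional[int] = None   # models "eq <port>"
    log: bool = False


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask matching: a 0 bit in the mask means the address bit must match."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl: List[AclEntry], pkt: Packet, log: List[str]) -> str:
    for number, entry in enumerate(acl, start=1):
        proto = PROTO_NUMBERS[entry.proto]
        if proto is not None and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, entry.src) and wildcard_match(pkt.dst, entry.dst)):
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        if entry.log:
            log.append(f"entry {number} {entry.action}: proto {pkt.proto} "
                       f"{pkt.src} -> {pkt.dst} port {pkt.dport}")
        return entry.action        # first match wins; later entries are never consulted
    return "deny"                  # implicit deny at the end of every ACL


# Constructed ACL modelled on Question 34: let IKE (UDP 500), ESP (50) and AH (51)
# reach the VPN endpoint 203.0.113.1 and log everything else that is dropped.
VPN_ACL = [
    AclEntry("permit", "udp", "any", "host 203.0.113.1", dport=500),
    AclEntry("permit", "esp", "any", "host 203.0.113.1"),
    AclEntry("permit", "ah", "any", "host 203.0.113.1"),
    AclEntry("deny", "ip", "any", "any", log=True),
]

# Constructed ACL showing why ordering matters (Question 23): the specific deny must
# precede the broader permit, or the permit would match first and the deny never run.
ORDERED_ACL = [
    AclEntry("deny", "tcp", "host 10.10.0.3", "any", log=True),
    AclEntry("permit", "tcp", "10.10.0.0 0.0.0.255", "any", dport=23),
]


def run_demo():
    log: List[str] = []
    results = {
        "ike": evaluate(VPN_ACL, Packet(17, "198.51.100.7", "203.0.113.1", 500), log),
        "esp": evaluate(VPN_ACL, Packet(50, "198.51.100.7", "203.0.113.1"), log),
        "ah": evaluate(VPN_ACL, Packet(51, "198.51.100.7", "203.0.113.1"), log),
        "tacacs": evaluate(VPN_ACL, Packet(6, "198.51.100.7", "203.0.113.1", 49), log),
        "telnet_blocked_host": evaluate(ORDERED_ACL, Packet(6, "10.10.0.3", "10.1.1.1", 23), log),
        "telnet_other_host": evaluate(ORDERED_ACL, Packet(6, "10.10.0.9", "10.1.1.1", 23), log),
        "ssh_no_match": evaluate(ORDERED_ACL, Packet(6, "10.10.0.9", "10.1.1.1", 22), log),
    }
    return results, log


if __name__ == "__main__":
    verdicts, entries = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
    print("\n".join(entries))
```

Two details are worth noticing in the output: the SSH packet in ORDERED_ACL is dropped by the implicit deny without producing a log line, because only explicit entries can carry the log keyword, and the TACACS+ packet (TCP 49) is dropped at the VPN endpoint ACL even though the protocol is legitimate elsewhere, which is the reason the answer separates the IPSec ports from the TACACS+ port.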

Question 35

The correct answers are A, C, and D. When configuring Cisco IOS Firewall rules to be effective, you should place the inspection rules and ACLs strategically on the router's interface. On the interface where traffic is initiating, apply an ACL on the inward direction that only permits wanted traffic and apply a rule on the inward direction that inspects wanted traffic. B is incorrect because inspection rules and ACLs on a router should be applied in an inward direction on the interface where interesting traffic is being initiated.

Question 36

The correct answer is B. The CA's main job is to act as a third-party mediator. The CA signs the certificate request and generates a CA certificate. This certificate is then downloaded to the router. A, C, and D are incorrect because the CA always signs the public key.

Question 37

The correct answer is C. AES offers three different key strengths of encryption technologies. AES can be configured for 128-, 192-, and 256-bit key strength. A and B are incorrect because AES is computationally faster than Triple DES (3DES) and definitely more secure than DES. D is incorrect because MD5 is not an encryption algorithm, and it can be used for authentication.

Question 38

The correct answer is C. You use the crypto ca trustpoint command to declare the CA your router will use for third-party authentication. Note that the crypto ca trustpoint command replaces crypto ca identity and crypto ca trusted-root commands by unifying their functionality. A is incorrect because the crypto key generate rsa command generates the Rivest, Shamir, and Adleman (RSA) key pairs. B is incorrect because you use the crypto isakmp key command to configure a preshared authentication key. D is incorrect because you use the crypto ipsec transform-set command to define a transform set.

Question 39

The correct answer is D. You can use the ip inspect max-incomplete high command to manage the total number of half-open sessions that can be allowed on a router before the software starts deleting half-open sessions. The default number of half-open sessions that CBAC allows is 500. A, B, and C are incorrect because they are distracters.

Question 40

The correct answer is E. IPSec provides services on Layer 3 of the OSI model. IPSec provides two types of security service, AH and ESP. A, B, C, and D are incorrect because they are distracters.

Question 41

The correct answers are A, C, and E. The output indicates that the authentication was successful and the user that was authenticated was admin. The number 50996754 indicates a session ID, and this session ID is unique for each authentication. B is incorrect because the user belongs to the admin group. D is incorrect because the output was generated by the debug aaa authentication command.

Question 42

The correct answer is C. AH does not provide confidentiality for an IP packet. Confidentiality correlates directly with encrypting the data payload in the IP packet. AH provides services such as antireplay protection, origin authentication using the MD5 and Secure Hash Algorithm 1 (SHA-1) hashing algorithms, and data integrity by making sure the hashes match at both ends of the tunnel. This process ensures that the packet is still intact and has not been altered. A, B, and D are incorrect because antireplay, data origin authentication, and data integrity are common features of ESP and AH.

Question 43

The correct answer is D. You will use the crypto map command to apply the newly created crypto map to the interface you will use to establish an IPSec tunnel. This is a trick question because, in this question, ipsec-allow is the crypto map that has been configured to be used in tunnel establishment. A, B, and C are incorrect because they are distracters.

Question 44

The correct answer is C. The output was generated by the show crypto map command, and you can use it to display the crypto map configuration on the router. Remember, you can apply only one crypto map to an interface. A, B, and D are incorrect because they are distracters.

Question 45

The correct answer is D. To access CiscoWorks through a Web browser, you simply type the IP address of the server where the CiscoWorks resides, followed by a colon and the port number 1741. However, if you are accessing the CiscoWorks server locally, you type the loopback address followed by a colon and the port number 1741. Here is an example: type http://127.0.0.1:1741 and then press Enter. A, B, and C are incorrect because they are distracters.

Question 46

The correct answer is A. By default, any unprotected inbound traffic on the Cisco router that matches a permit entry in the crypto access list for a crypto map entry, flagged as IPSec, is dropped. For all outbound traffic, all traffic that is not selected in the crypto ACL is sent in cleartext. B, C, and D are incorrect because they are distracters.

Question 47

The correct answer is E. In Router MC, building blocks refer to network groups and transform sets. These building blocks are reusable, named, global components, and multiple policies can reference these components. In the event of a change in the building block, all changes are reflected in all policies that reference that specific building block. A, B, C, and D are incorrect because they are distracters.

Question 48

The correct answer is B. The authentication proxy feature of the Cisco IOS Firewall feature set provides dynamic, per-user authentication and authorization using both TACACS+ and RADIUS protocol, and is valid for all types of application traffic.

Question 49

The correct answers are A, B, C, D, and E. Cisco Easy VPN supports Hash Message Authentication Code (HMAC)-MD5 and HMAC-SHA1 authentication algorithms, preshared keys, and digital certificates as authentication types and Diffie-Hellman (D-H) groups 1 and 2, DES, and 3DES as encryption algorithms as well.

Question 50

The correct answer is D. A TCP half-open session on the Cisco IOS firewall indicates that the session has not reached an established state. In other words, the TCP three-way handshake has not been completed yet, and the router is waiting for an ACK from the remote side. Note that an unusually high number of half-open sessions indicates a DoS attack. A, B, and C are incorrect because they are distracters.
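The half-open accounting that this answer and Question 39 describe (a session counts as half-open until the three-way handshake completes; past the max-incomplete high threshold the software deletes half-open sessions until the count is back under the low threshold) is shown below in Python as an added example, not code from the book or from Cisco IOS. The trace of handshake events is constructed, and the demo deliberately uses thresholds of 3 and 1 instead of CBAC's defaults of 500 and 400 so that the deletion step is visible on a handful of flows.

```python
"""Half-open TCP session accounting in the style of CBAC's max-incomplete thresholds."""
from collections import OrderedDict
from typing import List, Tuple


class HalfOpenMonitor:
    """Tracks sessions that sent a SYN but have not completed the three-way handshake.

    max_high / max_low model the ip inspect max-incomplete high|low thresholds: once
    the half-open count exceeds max_high, the oldest half-open sessions are deleted
    until the count is down to max_low. CBAC's defaults are 500 and 400.
    """

    def __init__(self, max_high: int = 500, max_low: int = 400):
        self.max_high = max_high
        self.max_low = max_low
        self.half_open: "OrderedDict[str, float]" = OrderedDict()  # flow -> SYN time, oldest first
        self.established: List[str] = []
        self.deleted: List[str] = []
        self.alerts: List[str] = []

    def process(self, t: float, flow: str, flag: str) -> None:
        if flag == "SYN":                                   # client opened a session
            self.half_open[flow] = t
        elif flag == "ACK" and flow in self.half_open:      # handshake completed
            del self.half_open[flow]
            self.established.append(flow)
        # A SYN-ACK changes nothing: the router is still waiting for the final ACK.
        if len(self.half_open) > self.max_high:
            self.alerts.append(f"t={t}: {len(self.half_open)} half-open sessions exceed "
                               f"max-incomplete high {self.max_high}; possible DoS")
            while len(self.half_open) > self.max_low:
                old_flow, _ = self.half_open.popitem(last=False)   # drop the oldest first
                self.deleted.append(old_flow)


# Constructed handshake trace: (time, flow, TCP flag seen by the router).
# One client completes its handshake; four others only ever send a SYN.
TRACE: List[Tuple[float, str, str]] = [
    (1.0, "10.0.0.5:40001->192.0.2.10:80", "SYN"),
    (1.1, "10.0.0.5:40001->192.0.2.10:80", "SYN-ACK"),
    (1.2, "10.0.0.5:40001->192.0.2.10:80", "ACK"),
    (2.0, "198.51.100.1:1025->192.0.2.10:80", "SYN"),
    (2.1, "198.51.100.2:1025->192.0.2.10:80", "SYN"),
    (2.2, "198.51.100.3:1025->192.0.2.10:80", "SYN"),
    (2.3, "198.51.100.4:1025->192.0.2.10:80", "SYN"),
]


def run_demo(max_high: int = 3, max_low: int = 1) -> HalfOpenMonitor:
    mon = HalfOpenMonitor(max_high, max_low)
    for t, flow, flag in TRACE:
        mon.process(t, flow, flag)
    return mon


if __name__ == "__main__":
    m = run_demo()
    print("established:", m.established)
    print("deleted:", m.deleted)
    print("still half-open:", list(m.half_open))
    print("\n".join(m.alerts))
```

Running the same trace with the default thresholds (run_demo(500, 400)) produces no alert and no deletions, which is the point of the thresholds: four half-open sessions are normal, several hundred are not.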

Question 51

The correct answers are A, B, C, and D. Encryption algorithms provide confidentiality to the IPSec payload by way of encryption. DES, 3DES, AES, and RSA are all encryption algorithms that you can use to protect your data payload.

Question 52

The correct answers are C and E. Joe does not know what a port scanner is and is therefore an unstructured threat. Additionally, because Joe is using the tool against his employer's network, Joe is an internal threat. A, B, and D are incorrect because they are distracters.

Question 53

The correct answer is B. The Domain Name System (DNS) idle timeout is valid for DNS name lookup sessions inspected by CBAC. A, C, D, and E are incorrect because they are distracters.

Question 54

The correct answer is D. Data integrity is the process where the receiver verifies the packets to ensure that no alterations were made in transit. You can achieve data integrity by using authentication in the form of a hashing algorithm. The hash guarantees the integrity of the message. A, B, and C are incorrect because they are distracters.
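The three AH services named in Question 42 (antireplay, data origin authentication, data integrity) and the hash-based integrity check described here can be demonstrated end to end. The Python below is an added teaching model, not code from the book and not an implementation of the AH RFCs: the header is simplified to a 4-byte sequence number, the cleartext payload and a 12-byte integrity check value (HMAC-SHA1 truncated to 96 bits, as AH's HMAC-SHA-1-96 does), the shared key is a constructed constant, and the anti-replay window is a 64-packet bitmap. It shows a valid packet being accepted, a tampered one and a wrong-key one being rejected, a replay being refused, and that the payload is still readable on the wire because AH provides no confidentiality.

```python
"""AH-style integrity and anti-replay model: HMAC-SHA-1-96 over [seq][payload]."""
import hashlib
import hmac
from typing import List, Tuple

ICV_LEN = 12    # HMAC-SHA-1-96: the ICV is the first 96 bits of the HMAC output
SHARED_KEY = b"constructed-example-key-not-for-real-use"   # placeholder key for the demo


def ah_protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: append the ICV. The payload itself stays in cleartext."""
    body = seq.to_bytes(4, "big") + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def cleartext_payload(packet: bytes) -> bytes:
    """Anyone on the path can read this: AH authenticates but does not encrypt."""
    return packet[4:-ICV_LEN]


class ReplayWindow:
    """Sliding window of `size` sequence numbers; bit 0 is the highest one seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        if seq > self.top:
            return True                         # advances the window
        diff = self.top - seq
        return diff < self.size and not (self.bitmap >> diff) & 1   # inside window, unseen

    def mark(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class AhReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.window = ReplayWindow()

    def accept(self, packet: bytes) -> Tuple[bool, str]:
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated packet"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        seq = int.from_bytes(body[:4], "big")
        if not self.window.is_fresh(seq):        # cheap replay check before the HMAC
            return False, f"replayed or stale sequence number {seq}"
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return False, f"integrity/origin check failed for seq {seq}"
        self.window.mark(seq)                    # update the window only after the ICV verified
        return True, f"accepted seq {seq}"


def run_demo() -> List[bool]:
    rx = AhReceiver(SHARED_KEY)
    p1 = ah_protect(SHARED_KEY, 1, b"GET /status")
    p2 = ah_protect(SHARED_KEY, 2, b"GET /health")
    tampered = bytearray(p2)
    tampered[6] ^= 0x01                          # flip one payload bit "in transit"
    return [
        rx.accept(p1)[0],                        # genuine packet 1: accepted
        rx.accept(bytes(tampered))[0],           # altered payload: ICV mismatch
        rx.accept(p2)[0],                        # genuine packet 2: accepted
        rx.accept(p1)[0],                        # packet 1 again: replay refused
        rx.accept(ah_protect(b"wrong-key", 3, b"x"))[0],   # wrong key: origin check fails
    ]


if __name__ == "__main__":
    print(run_demo())
    print(cleartext_payload(ah_protect(SHARED_KEY, 1, b"GET /status")))
```

The receiver checks the window before computing the HMAC but only records the sequence number after the ICV verifies; doing it the other way round would let a forged packet with a high sequence number push the window forward and cause genuine packets to be discarded.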

Question 55

The correct answer is C. To display any access-list entries on the router, you can use the show access-lists command. If you want to display a specific access list, you can append the access list number; doing so allows you to see all access-list entries specific to that number. These entries include all configured and dynamic access lists on the router. A, B, and D are incorrect because they are distracters.

Question 56

The correct answers are A, B, and C. CBAC inspects the following SMTP commands: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SOML, and VRFY. D is incorrect because DEAD is a fictitious command and is not supported by SMTP. E is incorrect because the correct command to reset the connection is RSET, not RESET.
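A minimal line classifier for the command set this answer lists, as an added example that is not the book's or Cisco's code: it separates server replies (three-digit codes) from client commands, normalizes the verb (SMTP verbs are case-insensitive) and flags anything outside the twelve inspected commands. The session it runs over is constructed and contains the two bogus verbs from the question.

```python
"""Classify client SMTP command lines against the command set CBAC inspects."""
from typing import List, Tuple

# The twelve SMTP commands the answer to Question 56 lists as inspected by CBAC
CBAC_SMTP_COMMANDS = frozenset({
    "DATA", "EXPN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SOML", "VRFY",
})


def classify_line(line: str) -> Tuple[str, str]:
    """Return (verdict, detail) for one line of a session as the firewall would see it.

    Server replies start with a three-digit reply code and are passed through;
    client lines are reduced to their command verb, compared case-insensitively.
    """
    stripped = line.rstrip("\r\n")
    if len(stripped) >= 3 and stripped[:3].isdigit():
        return "server-reply", stripped[:3]
    verb = stripped.split(" ", 1)[0].upper() if stripped else ""
    if verb in CBAC_SMTP_COMMANDS:
        return "inspected", verb
    return "illegal", verb or "<empty>"


def inspect_session(lines: List[str]) -> List[Tuple[str, str]]:
    return [classify_line(line) for line in lines]


def illegal_commands(lines: List[str]) -> List[str]:
    """Verbs in the session that are not among the inspected SMTP commands."""
    return [detail for verdict, detail in inspect_session(lines) if verdict == "illegal"]


# Constructed session: a normal exchange, the two bogus verbs from the question
# (DEAD and RESET), and a lowercase but legitimate RSET.
SESSION = [
    "220 mail.example.test ESMTP",
    "HELO client.example.test",
    "250 mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DEAD",
    "RESET",
    "rset",
    "QUIT",
]


if __name__ == "__main__":
    for verdict, detail in inspect_session(SESSION):
        print(f"{verdict:13s} {detail}")
    print("illegal:", illegal_commands(SESSION))
```

The model stops short of a real inspector in one respect: it does not track the DATA phase, during which message-body lines are not commands at all and must not be classified as such.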

Question 57

The correct answer is A. A hacker can possibly attempt a DoS by sending sham NTP data packets to the targeted device with an intent to change device clocks so that digital certificates are considered invalid. Digital certificates rely on the date parameter to ensure the validity of digital certificates. Changing the date would render the digital certificate useless, and this would lead to a DoS attack. B, C, and D are incorrect because they are distracters.

Question 58

The correct answer is A. The ca save all command saves the keys, certificates, and the CA commands to nonvolatile RAM (NVRAM). B, C, and D are incorrect because they are distracters.

Question 59

The correct answer is A. To remove all CBAC configuration on a router running the IOS Firewall Feature Set, you issue the no ip inspect command. The no ip inspect command resets all global timeouts and thresholds to their default values. This command further deletes all existing sessions and removes all dynamic ACL entries created by CBAC. B, C, and D are incorrect because they are distracters.

Question 60

The correct answer is A. You can use the logging trap command to limit messages logged to the syslog servers based on severity. The logging trap command restricts the logging of error messages that are being sent to the syslog servers to the specified level. B, C, and D are incorrect because they are distracters.

Question 61

The correct answers are D and E. In addition, you can configure the D-H group number, the authentication method, and the IKE security association (SA) lifetime. You can configure the crypto ACL, remote peer's IP address, and PFS under the IPSec policy. A, B, and C are incorrect because they are distracters.

Question 62

The correct answer is B. You use the crypto key generate rsa command to generate RSA keys that will be used to identify the remote endpoint as a VPN peer. With this command, you can create one or two special-purpose keys. A, C, and D are incorrect because they are distracters.

Question 63

The correct answer is A. Cisco recommends that Reverse Route Injection (RRI) be enabled in the crypto map for support for VPN Clients. The only exception is if you already have the crypto map applied to a generic routing encapsulation (GRE) tunnel that is used to distribute routes. Remember, the Easy VPN Remote injects its assigned IP address as a host route on the Easy VPN Server. B, C, D, and E are incorrect because they are distracters.

Question 64

The correct answer is C. By default, the Cisco Systems VPN Client automatically sets the maximum transmission unit (MTU) to 1420 bytes. You can use the SetMTU window to alter or customize the MTU size of the IPSec packet for unique applications. A, B, and D are incorrect because they are distracters.

Question 65

The correct answers are A, B, and D. You can import devices in three ways: from a configuration file, as a single-file import, or by using a comma-separated values (CSV) file. Importing files to Router MC populates the inventory of VPN devices, where you can classify them as hub or spoke. C is incorrect because it is a distracter.

Question 66

The correct answer is C. Device discovery in Router MC uses Secure Shell (SSH) as the baseline protocol that is used by Router MC to communicate with the VPN devices. Configuration file import would import routers by processing the configuration files. A, B, and D are incorrect because they are distracters.

Question 67

The correct answers are A and C. Cisco recommends that, if an audit rule is applied to the inbound direction of an interface, packets passing through the interface be audited before the inbound ACL reacts to it. However, if an audit rule is applied to the outbound direction of an interface, packets passing through the interface are audited after the inbound ACL reacts to it. This process can lead to a loss of IDS alarms, regardless of whether an attack or reconnaissance activity is in progress. B and D are incorrect because they are distracters.

Question 68

The correct answers are A, B, and C. To authenticate the tunnel peers before initiating the payload transaction, you can use preshared keys, RSA signatures, or RSA encrypted nonces to ensure that the peers are who they say they are. D is incorrect because it is a distracter.


CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
