
Having the proper certifications means better employment opportunities and better partnerships with vendors. This certification series, courtesy of Kaplan's Transcender IT Certification Success, will test your knowledge of various certification exams, including an in-depth tutorial explaining each answer. The tutorial also includes further reading and relevant information.
In our second exam, we'll continue testing your knowledge of the Implementing Cisco IOS Network Security (IINS) exam, which is part of the Cisco CCNA Security certification. If you haven't already, take the first part of the Implementing Cisco IOS Network Security practice test here.
Interested in other IT certifications? Transcender offers practice exams on many certifications, ranging from CompTIA to CISSP, plus many more. For a limited time, ChannelPro-SMB.com readers get an exclusive discount to these practice exams. Use offer code CPSMB10P for 10 percent off of any practice exam. Offer excludes CD and Voucher purchase options. This offer code expires on October 26, 2011.
The Cisco CCNA Security certification is a testing program that certifies the required skill set for specialized job roles in security technologies, such as installation and troubleshooting of devices to maintain the integrity and confidentiality of data. The Implementing Cisco IOS Network Security (IINS) exam tests your knowledge of securing Cisco routers and switches.
The NetCert: Implementing Cisco IOS Network Security (IINS) practice test is designed to prepare you to pass the CCNA (640-460) exam given by Cisco. By first reviewing the suggested materials and then practicing with NetCert: Implementing Cisco IOS Network Security (IINS) you should be fully prepared to pass the actual exam given by Cisco.
Review the Implementing Cisco IOS Network Security (IINS 640-553) information page. This site contains the authoritative list of information about the CCNA Security exam and includes a link to other available references.
Cisco, Cisco Systems, CCDA, CCNA, CCDP, CCNP, CCIE, CCSI, and the Cisco Systems logo and the CCIE logo are trademarks or registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. All other trademarks belong to their respective owners.
Which three of the following are types of services that can be configured for AAA accounting? (Choose three.)
a.) Network
b.) Exec
c.) System
d.) Login
e.) Privileges
f.) Remote
Which of the following are recommended "best practices" when implementing an effective firewall policy? (Choose three.)
a.) Configure firewalls to protect against internal attacks.
b.) Deny all traffic by default.
c.) Disable remote management connectivity to the firewall.
d.) Position firewalls at physical security boundaries.
e.) Regularly monitor firewall event logs.
Which of the following methods are best practices for preventing VLAN hopping attacks? (Choose two.)
a.) Disabling trunk negotiation on trunk ports
b.) Using port security to limit the number of MAC addresses on an interface
c.) Configuring a VLAN that is not being used for data as the native VLAN
d.) Configuring port security to restrict user data from crossing the native VLAN
Which of the following statements is true regarding the configuration of the Cisco IOS Zone-Based Policy Firewall?
a.) The inspection policy is applied to the zone pair.
b.) There can be only one class map configured within a service policy.
c.) Interfaces are assigned to zone pairs.
d.) Router interfaces must be manually configured in the self zone.
Which of the following items are examples of symmetric encryption algorithms? (Choose all that apply.)
a.) 3DES
b.) Diffie-Hellman
c.) AES
d.) RC4
e.) RSA
f.) Elliptic Curve
Which three of the following are types of services that can be configured for AAA accounting? (Choose three.)
a.) Network
b.) Exec
c.) System
d.) Login
e.) Privileges
f.) Remote
Answer:
a.) Network
b.) Exec
c.) System
The following services can be configured for AAA accounting:
- Network: runs accounting for all network-related service requests (PPP, SLIP, ARAP)
- Exec: runs accounting for the EXEC shell session
- Connection: provides information about all outbound connections made from the network access server, such as Telnet
- System: performs accounting for all system-level events not associated with users, such as reloads
- Resource: performs accounting for resources used by remote users
- Command: runs accounting for all commands executed at the specified privilege level
Login, privileges, and remote are not services that can be configured for AAA accounting.
Reference:
CCNA Security Official Exam Certification Guide, Chapter 4: Configuring AAA, pp. 124-125.
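As an added illustration (not taken from the original page or the exam guide), the following Cisco IOS configuration enables the three accounting services in the answer key, plus two of the other valid services from the explanation. The TACACS+ server address and shared key are constructed placeholders.

```cisco
! Added example: AAA accounting sent to a TACACS+ server.
! 192.0.2.10 and the key are constructed placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
!
! Network: accounting for network service requests (PPP, SLIP, ARAP)
aaa accounting network default start-stop group tacacs+
! Exec: accounting for EXEC shell sessions (who logged in, from where, for how long)
aaa accounting exec default start-stop group tacacs+
! System: accounting for system-level events not tied to a user, such as reloads
aaa accounting system default start-stop group tacacs+
!
! Two further valid services from the explanation, for comparison:
! Connection: outbound connections (e.g. Telnet) made from the device
aaa accounting connection default start-stop group tacacs+
! Command: every command executed at privilege level 15
aaa accounting commands 15 default stop-only group tacacs+
!
! "login", "privileges" and "remote" are not accounting service types;
! the CLI parser does not accept them after "aaa accounting".
!
! Verification:
! show aaa sessions
! show accounting
```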
Which of the following are recommended "best practices" when implementing an effective firewall policy? (Choose three.)
a.) Configure firewalls to protect against internal attacks.
b.) Deny all traffic by default.
c.) Disable remote management connectivity to the firewall.
d.) Position firewalls at physical security boundaries.
e.) Regularly monitor firewall event logs.
Answer:
b.) Deny all traffic by default.
d.) Position firewalls at physical security boundaries.
e.) Regularly monitor firewall event logs.
The following are recommended "best practices" when implementing an effective firewall policy:
- Deny all traffic by default.
- Position firewalls at physical security boundaries.
- Regularly monitor firewall event logs.
- Do not rely exclusively on firewalls for network security.
- Ensure that physical access to the firewall is controlled.
- Practice change management for firewall configuration changes.
- Remember that firewalls primarily protect from technical attacks originating from the outside of the network.
Configuring firewalls to protect against internal attacks is incorrect, since firewalls are primarily used to protect against technical attacks originating from the outside. Internal attacks are more often non-technical in nature, such as the use of social engineering.
Disabling remote management connectivity to the firewall is incorrect, as remote management is a critical, necessary network function. Remote management should, however, use secure management protocols such as Secure Shell (SSH) and SNMPv3.
Reference:
CCNA Security Official Exam Certification Guide, Chapter 10: Using Cisco IOS Firewalls to Defend the Network, pp. 346-347.
Cisco > Cisco IOS Security Configuration Guide, Release 12.4 > Cisco IOS Firewall Overview
Which of the following methods are best practices for preventing VLAN hopping attacks? (Choose two.)
a.) Disabling trunk negotiation on trunk ports
b.) Using port security to limit the number of MAC addresses on an interface
c.) Configuring a VLAN that is not being used for data as the native VLAN
d.) Configuring port security to restrict user data from crossing the native VLAN
Answer:
a.) Disabling trunk negotiation on trunk ports
c.) Configuring a VLAN that is not being used for data as the native VLAN
Disabling trunk negotiation on trunk ports and configuring a VLAN that is not being used for data as the native VLAN are two best practices for preventing VLAN hopping attacks.
VLAN hopping attacks allow traffic from one VLAN to pass into another, bypassing any routing function, and allow the attacker to access or disrupt data beyond the local VLAN. The two primary methods behind VLAN hopping attacks are switch spoofing and double tagging of frames.
Switch spoofing allows a workstation to negotiate a connected switch port into becoming a trunk by using Dynamic Trunking Protocol (DTP) frames. Cisco switch ports run DTP by default, and if they detect that another switch is connected, the link between them is converted into a trunk link. This allows traffic from all VLANs to traverse the trunk, and the attacking system can eavesdrop and capture data. The switchport mode trunk and switchport nonegotiate commands can be used on trunk ports to disable DTP. The switchport mode access command should be used on access ports to prevent the port from ever becoming a trunk.
Double tagging frames can be accomplished by an attacker who is connected to a switch port configured for the native VLAN of the switch. The attacking system places two 802.1q headers in front of the data portion, or "payload," of the frame. The inner header identifies the remote VLAN the attacker wishes to access, and the outer header identifies the native VLAN of the switch. When switches receive frames tagged with the native VLAN, the outer 802.1q tag is stripped. The remainder of the frame, with the inner header still in place, is sent out over trunk links configured for the same native VLAN. When the frame arrives on a remote switch over a trunk link, the switch will now see the exposed tag and forward the frame over the target VLAN. This kind of attack can be prevented by configuring the native VLAN on all switches to be an unused VLAN with the switchport trunk native vlan vlan_number command.
Using port security to limit the number of MAC addresses on an interface is not a way to prevent VLAN hopping attacks, as only one system is necessary to execute such an attack.
Configuring port security to restrict user data from crossing the native VLAN is incorrect since port security is used to restrict particular MAC addresses from accessing the switch, or to restrict the number of MAC addresses that can be used over a specific port or VLAN if the port is connected to a trunk.
Reference:
CCNA Security Official Exam Certification Guide, Chapter 6: Securing Layer 2 Devices, pp. 213-215.
Cisco > Cisco IOS Interface and Hardware Component Command Reference > switchport trunk
Cisco > Cisco IOS Interface and Hardware Component Command Reference > switchport mode
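As an added example (not from the original page or the exam guide), the following switch configuration applies both mitigations from the answer key: access ports that can never negotiate a trunk, and trunk ports with DTP disabled and an unused native VLAN. Interface names and VLAN numbers are constructed for illustration.

```cisco
! Added example: hardening against switch spoofing and double tagging.
! Interface names and VLAN numbers are constructed.
!
! Access port for an end station: permanent access mode, so DTP cannot
! negotiate it into a trunk, and no DTP frames are sent at all.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Uplink to another switch: explicit trunk with DTP disabled, and an unused
! VLAN (999) as native so a double-tagged frame's outer tag no longer
! matches the VLAN of any user-facing port.
interface GigabitEthernet0/1
 ! omit the next line on platforms that support only 802.1Q (e.g. 2960)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Define the native VLAN but never assign an access port to it.
vlan 999
 name UNUSED-NATIVE
!
! Verification (look for "Negotiation of Trunking: Off" and
! "Trunking Native Mode VLAN: 999"):
! show interfaces GigabitEthernet0/1 switchport
! show dtp interface FastEthernet0/1
```

Note that the native VLAN 999 is deliberately left out of the allowed-VLAN list, so untagged frames arriving on the trunk are dropped rather than delivered to any VLAN.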
Which of the following statements is true regarding the configuration of the Cisco IOS Zone-Based Policy Firewall?
a.) The inspection policy is applied to the zone pair.
b.) There can be only one class map configured within a service policy.
c.) Interfaces are assigned to zone pairs.
d.) Router interfaces must be manually configured in the self zone.
Answer:
a.) The inspection policy is applied to the zone pair.
Inspection policies are applied to the zone pair, as opposed to individual zones or router interfaces.
A service (inspection) policy can consist of multiple class maps, which are processed from top to bottom. The built-in class-map "class-default" determines how traffic will be processed when no preceding class maps have been matched.
Interfaces are assigned to zones, not zone pairs. Once interfaces are assigned to individual zones, the service policy is assigned to the pairing of source and destination zones.
Router interfaces belong to the self zone by default, and do not need to be manually configured as such.
Reference:
CCNA Security Official Exam Certification Guide, Chapter 10: Using Cisco IOS Firewalls to Defend the Network, pp. 369-378.
Cisco > Cisco Router and Security Device Manager 2.5 User Guide > Zone-Based Policy Firewall
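As an added example (not from the original page or the exam guide), the following minimal Zone-Based Policy Firewall configuration shows each relationship the answer describes: interfaces belong to zones, a service policy can hold several class maps ending in class-default, and the policy is applied to the zone pair. Zone, class-map, policy-map and interface names are constructed.

```cisco
! Added example: minimal Zone-Based Policy Firewall. All names are constructed.
!
! 1. Class maps select traffic; a policy can contain several of them.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 2. The inspection (service) policy. Class maps are evaluated top to bottom;
!    class-default handles anything no earlier class matched.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 3. Zones, and interfaces assigned to zones (never to zone pairs).
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! 4. The zone pair is where the policy is applied. With no policy on a
!    reverse pair, sessions initiated from OUTSIDE are dropped, while return
!    traffic for inspected INSIDE-initiated sessions is allowed statefully.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Traffic to and from the router itself falls in the self zone by default;
! no zone-member command is needed for that.
!
! Verification:
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```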
Which of the following items are examples of symmetric encryption algorithms? (Choose all that apply.)
a.) 3DES
b.) Diffie-Hellman
c.) AES
d.) RC4
e.) RSA
f.) Elliptic Curve
Answer:
a.) 3DES
c.) AES
d.) RC4
Encryption algorithms are used to convert plain, readable data into unreadable ciphertext, providing confidentiality for data being sent over a public network. Encryption is the process of creating ciphertext, while decryption is the reversal of this process. A cryptographic key is used with the data to be encrypted as inputs into an encryption algorithm that produces ciphertext.
Symmetric encryption algorithms use the same key to both encrypt and decrypt data, while asymmetric encryption algorithms employ two separate, mathematically related keys (one public, one private). In asymmetric encryption, the public key is used to encrypt data, while the private key is used for decryption.
Common symmetric encryption algorithms include DES, 3DES (also known as TDES, for "triple DES"), AES, IDEA, and RC4. Common asymmetric encryption algorithms include Diffie-Hellman, RSA, El Gamal, and Elliptic Curve.
Reference:
CCNA Security Official Exam Certification Guide, Chapter 12: Designing a Cryptographic Solution, pp. 441-442; Chapter 14: Exploring PKI and Asymmetric Encryption, pp. 494-495.