Learn About Implementing Cisco IOS Network Security

These practice test questions from MeasureUp are based on Cisco’s exam 640-553: Implementing Cisco IOS Network Security (IINS).

The audience for this exam includes individuals who are responsible for securing networks and Cisco devices. Experience with installing, monitoring and troubleshooting networks and Cisco switches and routers will help you prepare for this exam.

Note: Exam 640-553 is a prerequisite for the Cisco Certified Security Professional (CCSP) certification.

FYI: Some of the references used in these questions are books. Here are the details for each book:

Cisco Press Authorized Self-Study Guide:
Implementing Cisco IOS Network Security (IINS)
Publisher: Cisco Press
ISBN: 978-1-58705-815-4

Exam Cram: CCNA Security
Publisher: Pearson Que
ISBN: 0-7897-3800-7

Objective: Implement secure network management and reporting.
Sub-objective: Use CLI and SDM to configure SSH on Cisco routers to enable secured management access.

Single answer, multiple-choice

Which command will generate two pairs of RSA keys named Measureup with a modulus of 2048?

A.    crypto key generate rsa label Measureup modulus 2048
B.    crypto key generate rsa usage-keys modulus 2048
C.    crypto key generate rsa usage-keys label Measureup modulus 2048
D.    crypto key generate rsa modulus 2048

Answer:
C

Tutorial:
You should enter the crypto key generate rsa usage-keys label Measureup modulus 2048 command.

You specify the creation of two pairs of RSA keys using the usage-keys keyword. If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.

If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys.

You name the keys using the label keyword. Naming RSA keys allows support for multiple RSA key pairs on a single router.

You should not enter the crypto key generate rsa label Measureup modulus 2048 command. Without the usage-keys keyword, the command defaults to creating a single RSA key pair.

You should not enter the crypto key generate rsa usage-keys modulus 2048 or crypto key generate rsa modulus 2048 commands. Neither command uses the label keyword, so both default to naming the key pairs using the format hostname.domain-name.

In this example, the router is named MU and belongs to the measureup.com domain, so its default key pair name is mu.measureup.com.

Command output:

MU(config)#crypto key generate rsa usage-keys label Measureup modulus 2048
The name for the keys will be: Measureup
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable…[OK]
% Generating 2048 bit RSA keys, keys will be non-exportable…[OK]
MU(config)#

References:
Perimeter Security
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 2

Configuring Secure Shell on Routers and Switches Running Cisco IOS
Cisco.com
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Cisco IOS Security Command Reference, Release 12.3 – Security Commands: crypto dynamic-map through ctype
Cisco.com
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html

Objective: Implement the Cisco IOS firewall feature set using SDM.
Sub-objective: Explain stateful firewall operations and the function of the state table.

Single answer, multiple-choice

The figure represents the traffic of an internal client making a request to a Web server. The traffic transits through a dynamic packet filter.

Which dynamic ACL rule entry applied inbound on the outside interface would permit the response packets from the Web server to the client?

A.    permit tcp host 209.165.200.226 eq 80 host 10.1.1.1 eq 1956
B.    permit tcp host 10.1.1.1 eq 1956 host 209.165.200.226 eq 80
C.    permit tcp host 209.165.200.226 eq 1956 host 10.1.1.1 eq 80
D.    permit tcp host 10.1.1.1 eq 80 host 209.165.200.226 eq 1956

Answer:
A

Tutorial:
The following access control list (ACL) rule entry applied inbound on the outside interface would permit the response packets from the Web server to the client:

permit tcp host 209.165.200.226 eq 80 host 10.1.1.1 eq 1956

The access list is applied inbound on the outside interface. An extended ACL entry lists the source address and its port first, followed by the destination address and its port. The response originates from the Web server 209.165.200.226; because the original request was sent to its port 80, the server replies from that same port. The response is addressed to 10.1.1.1 on port 1956, the source port the client used to open the connection.
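The dynamic entry described above is what the Cisco IOS Classic Firewall (CBAC) inspection engine creates on its own when it sees the client's outbound request. The configuration below is an added example, not from the MeasureUp question or from Cisco's documentation; the interface names, router addresses, and the ACL and inspection-rule names are assumptions.

```cisco
! Constructed example (not from the page). Assumed topology:
!   GigabitEthernet0/0 = inside, client 10.1.1.1 on 10.1.1.0/24
!   GigabitEthernet0/1 = outside, Web server 209.165.200.226 beyond it
!
! Static ACL on the outside interface. The return traffic is deliberately
! NOT permitted here: the stateful inspection engine admits it instead.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! Inspection rule: track TCP sessions that are initiated from the inside.
ip inspect name INSIDE-FW tcp
!
interface GigabitEthernet0/0
 description Inside (client 10.1.1.1)
 ip address 10.1.1.254 255.255.255.0
 ip inspect INSIDE-FW in
!
interface GigabitEthernet0/1
 description Outside
 ip address 209.165.201.1 255.255.255.224
 ip access-group OUTSIDE-IN in
!
! When 10.1.1.1:1956 opens a TCP session to 209.165.200.226:80, CBAC records
! the session in its state table and inserts a temporary entry, evaluated
! before OUTSIDE-IN, that is equivalent to answer A:
!   permit tcp host 209.165.200.226 eq 80 host 10.1.1.1 eq 1956
! Only the matching reply is admitted; the entry is removed when the session
! closes or times out. Current entries are listed by: show ip inspect sessions
```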

Reference:
Dynamic or Stateful Packet-Filtering Firewalls
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 3

Objective: Implement the Cisco IOS IPS feature set using SDM.
Sub-objective: Define network-based vs. host-based intrusion detection and prevention.

Single answer, multiple-choice

Which statement about NIDS sensors is true?

A.    They can act as a central repository for alarms generated by peer sensors.
B.    They can discover that distributed alarms are part of a common attack.
C.    They can perform correlation analysis on the different alarms.
D.    They do not assess the success or failure of the actual attacks.

Answer:
D

Tutorial:
Network-based monitoring systems do not assess the success or failure of the actual attacks. They only indicate the presence of intrusive activity. That is why correlation tools such as CS-MARS are useful: they act as a central repository for those alarms. Alarms arriving from different corners of the network, once compared with each other by CS-MARS or another correlation tool, might reveal that the organization is currently under a distributed attack.

A sensor only reports an intrusion. It does not perform analysis to conclude whether the attack seems to be successful. A sensor handles its own alarms, but not those of other sensors on the network.

Reference:
Host and Network IPS
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 6

Objective: Implement site-to-site VPNs on Cisco Routers using SDM.
Sub-objective: Explain IKE protocol functionality and phases.

Single answer, multiple-choice

Where do IKE Phase II negotiations occur?

A.    At the session layer of the OSI model.
B.    Within the ISAKMP SA.
C.    During the Diffie-Hellman exchanges.
D.    Within the ESP tunnel.

Answer:
B

Tutorial:
IKE Phase II negotiations take place within the Internet Key Exchange (IKE) Phase I security association (SA), also called the Internet Security Association and Key Management Protocol (ISAKMP) SA.

IKE operates at Layer 7 (the Application layer) of the Open Systems Interconnection (OSI) model.

The Diffie-Hellman exchange takes place during IKE Phase I to derive the keys that will be used for symmetric encryption.

Encapsulating Security Payload (ESP) tunnels, also called IP Security (IPSec) SAs, are built once IKE Phase I and IKE Phase II are successful. ESP tunnels carry the encrypted payload exchanges between two IPSec peers.

References:
Site-to-Site VPNs
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 5

Virtual Private Networks With IPsec
Exam Cram: CCNA Security
Chapter 7

IPSec Overview Part Four: Internet Key Exchange (IKE)
Ciscopress.com
http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

Objective: Mitigate common Layer 2 attacks.
Sub-objective: Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features.

Multiple answers, multiple-choice

Which of the following are ways to prevent a basic VLAN hopping attack? (Choose three.)

A.    Turn off trunking on all ports except the ones that specifically require trunking.
B.    Turn on BPDU Guard.
C.    On ports requiring trunking, disable DTP negotiations.
D.    Enable trunking manually.
E.    Add port security to limit the number of secure MAC addresses.
F.    Turn on PortFast.

Answer:
A, C, D

Tutorial:
In a basic VLAN hopping attack, the attacker takes advantage of the default automatic trunking configuration on most switches. The hacker configures a computer to emulate either ISL or 802.1Q signaling along with Dynamic Trunking Protocol (DTP) signaling, thus impersonating a switch. By tricking a switch into thinking that the computer is a switch and needs to trunk, the hacker can gain access to the traffic of VLANs allowed on the trunk port.

To succeed, this attack requires that the port be configured to negotiate trunking, such as with the auto setting. As a result, the attacker becomes a member of all of the VLANs that are trunked on the switch and can send and receive traffic on all of those VLANs.

The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except the ones that specifically require trunking. On the required trunking ports, disable DTP (auto trunking) negotiations and manually enable trunking.

Bridge Protocol Data Units (BPDUs) belong to spanning tree and are not involved in trunking. BPDU Guard shuts down a port upon receiving a BPDU frame. BPDU Guard is used to protect the switched network from the receipt of BPDUs on ports that should not be receiving them. BPDU Guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker.

Adding port security to limit the number of Media Access Control (MAC) addresses that can be learned by the switch will not prevent VLAN hopping.

PortFast will not help mitigate a VLAN hopping attack. PortFast moves a port directly from the blocking state to the forwarding state in spanning tree, instead of having the port transition through the normal states of blocking, listening, learning and forwarding. PortFast is configured only on access ports.
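The three mitigations from the tutorial expressed as Catalyst switchport configuration, with the weak negotiating setting shown beside the hardened form. This is an added example, not from the MeasureUp tutorial or the Cisco white paper; the interface numbers and the VLAN ID are assumptions.

```cisco
! Constructed example (not from the page). Assumed: user ports Fa0/1-24,
! a single uplink Gi0/1 that genuinely needs to trunk, users in VLAN 10.
!
! Weak: the port negotiates trunking with DTP, so a host that speaks
! DTP plus 802.1Q or ISL can talk the switch into forming a trunk with it.
interface FastEthernet0/1
 switchport mode dynamic auto
!
! Hardened, mitigation A: turn off trunking on every port that does not
! need it by forcing access mode, and stop the port from sending DTP.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Hardened, mitigations C and D: on the port that does require a trunk,
! enable trunking manually and disable DTP negotiation.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q   ! omit on 802.1Q-only platforms
 switchport mode trunk
 switchport nonegotiate
!
! Verify: "show interfaces switchport" should report
! Administrative Mode: static access (or trunk) and Negotiation of Trunking: Off
```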

References:
Mitigating VLAN attacks
Cisco Press Authorized Self-Study Guide: Implementing Cisco IOS Network Security (IINS)
Chapter 7

VLAN Security White Paper
Cisco.com
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml 

Posted by cmadmin in Tech Know