Securing Cisco IOS Networks Assessment Test 1

In the document Complete Study Guide (pages 52-60)

1. Which of the following commands trace AAA packets and monitor their activities? (Choose all that apply.)

A. debug aaa authentication

B. debug aaa authorization

C. debug aaa all

D. debug aaa accounting

2. What is the last header you can read in clear text when a packet has been encrypted using IPSec?

A. Physical

B. Data Link

C. Network

D. Transport

3. Which of the following is an example of a configuration weakness?

A. Old software

B. No written security policy

C. Unsecured user accounts

D. No monitoring of the security

4. Which IOS feature best prevents DoS SYN flood attacks?

A. IPSec

B. TCP Intercept

C. MD5 authentication

D. ACLs

5. RSA digital signatures and ___________ are IPSec authentication types supported by the Cisco Easy VPN Server.

A. Pre-shared keys

B. LSA analog signatures

C. DSS

D. DES

E. 3DES

6. Which of the following commands do you use to change the maximum number of half-open TCP connections per minute to 100?

A. ip inspect tcp synwait-time 100

B. ip inspect tcp idle-time 100

C. ip inspect max-incomplete high 100

D. ip inspect one-minute high 100

E. ip inspect tcp max-incomplete host 100

7. IP spoofing, man-in-the-middle, and session replaying are examples of what type of security weakness?

A. Configuration weakness

B. TCP/IP weakness

C. Policy weakness

D. User password weakness

8. Alert is the ___________ for attack signatures in the IOS Firewall IDS.

A. Default action

B. Nondefault action

C. Exclusionary rule

D. Inclusionary rule

E. Configured action

9. If you want to make sure you have the most secure authentication method, what should you use?

A. Windows username/password

B. Unix username/password

C. Token cards/soft tokens

D. TACACS+

10. Which of the following are considered typical weaknesses in any network implementation? (Choose all that apply.)

A. Policy weaknesses

B. Technology weaknesses

C. Hardware weaknesses

D. Configuration weaknesses

11. What are RSA-encrypted nonces?

A. Manually generated/exchanged public keys

B. Automatically generated/exchanged public keys

C. Manually generated/exchanged private keys

D. Automatically generated/exchanged private keys

12. What function does the clear crypto isakmp * command perform?

A. It resets all LDPM SAs configured on a device.

B. It resets all IKE RSAs configured on a device.

C. It resets all IKE SAs configured on a device.

D. It resets the crypto settings for a configured peer.

13. Which component of AAA provides for the login, password, messaging, and encryption of users?

A. Accounting

B. Authorization

C. Authentication

D. Administration

14. Which of the following commands do you use to change the maximum time CBAC waits before closing idle TCP connections to 10 minutes?

A. ip inspect tcp synwait-time 600

B. ip inspect tcp idle-time 600

C. ip inspect max-incomplete high 600

D. ip inspect one-minute high 600

E. ip inspect tcp max-incomplete host 600

15. Which of the following are examples of policy weaknesses? (Choose all that apply.)

A. Absence of a proxy server

B. No trusted networks

C. Misconfigured network equipment

D. No disaster recovery plan

E. Technical support personnel continually changing

16. The ESP protocol provides which service not provided by the AH protocol?

A. Data confidentiality

B. Authentication services

C. Tamper detection

D. Anti-replay detection

17. Which of the following are valid methods for populating the Cisco Secure User Database? (Choose all that apply.)

A. Manually

B. Novell NDS

C. Windows NT

D. Database Replication utility

E. Database Import utility

18. What does the command aaa new-model do?

A. It creates a new AAA server on the NAS.

B. It deletes the router’s configuration and works the same as erase startup-config.

C. It disables AAA services on the router.

D. It enables AAA services on the router.

19. A connection that has failed to reach an established state is known as ___________.

A. Full-power

B. Half-baked

C. Half-open

D. Chargen

20. Which of the following security database protocols can be used between the NAS and CSNT? (Choose all that apply.)

A. NTLM

B. SNA

C. TACACS+

D. Clear text

E. RADIUS

21. Which of the following are examples of a TCP/IP weakness? (Choose all that apply.)

A. Trojan horse

B. HTML attack

C. Session replaying

D. Application layer attack

E. SNMP

F. SMTP

22. You have just configured IPSec encryption. Which problem are you trying to solve?

A. Denial-of-service (DoS) attacks

B. Rerouting

C. Lack of legal IP addresses

D. Eavesdropping

23. You have just configured MD5 authentication for BGP. Which type of attack are you trying to prevent?

A. DoS

B. Rerouting

C. Hijacking of legal IP addresses

D. Eavesdropping

24. Using your web browser, which port do you go to (by default) to access the CSNT web server?

A. 80

B. 202

C. 1577

D. 2002

E. 8000

25. To help you both set up and configure CBACs, Cisco has defined six steps for configuring CBAC. What is the correct order for the six steps?

A. Define Port-to-Application Mapping (PAM).

B. Set audit trails and alerts.

C. Test and verify CBAC.

D. Set global timeouts and thresholds.

E. Apply inspection rules and ACLs to interfaces.

F. Define inspection rules.

26. What port does ISAKMP use for communications?

A. TCP 50

B. UDP 50

C. TCP 500

D. UDP 500

27. Policy weaknesses, technology weaknesses, and configuration weaknesses are examples of what type of implementation weakness? (Choose all that apply.)

A. Policy implementation

B. Network implementation

C. Hardware implementation

D. Software implementation

28. The ____________________ implement(s) software to protect TCP servers from TCP SYN flood attacks.

A. Cisco access control lists (ACLs)

B. TCP Intercept feature

C. Cisco queuing methods

D. Cisco CBACS

29. Which of the following do not participate in the Cisco IOS Cryptosystem? (Choose all that apply.)

A. DH

B. MD5

C. ESP

D. DES

E. BPR

30. The ip inspect tcp max-incomplete host 100 command performs what function when invoked?

A. It has no known effect on the router.

B. It sets the total number of TCP connections per host to 1000.

C. It sets the total number of TCP connections per host to 100.

D. It changes the maximum number of half-open TCP connections per host to 1000.

E. It changes the maximum number of half-open TCP connections per host to 100.

31. What key does Diffie-Hellman (DH) create during IKE phase 1?

A. Xa

B. Bx

C. Xor

D. NorX

32. Which of the following authentication methods is not supported by Cisco Secure ACS 3.0 for Windows NT/2000? (Choose all that apply.)

A. Novell NDS

B. Banyan StreetTalk

C. DNS

D. POP

E. ODBC

F. MS Directory Services

33. The ip inspect max-incomplete high 1000 command changes what setting?

A. It changes the maximum number of half-open TCP connections to 100.

B. It changes the minimum number of half-open TCP connections to 1000.

C. It changes the maximum number of half-open TCP connections to 1000.

D. It changes the IP inspect idle timer to 1000 seconds.

E. It changes the IP inspect idle timer to 100 seconds.

34. Which of the following statements about CS ACS 3.0 token-card server support are true? (Choose all that apply.)

A. Microsoft is supported with service pack 6.0a.

B. AXENT is natively supported.

C. CryptoCard is natively supported.

D. Novell NDS v4.x or higher is supported.

E. ODBC with 6.0.1.1a service pack is supported.

35. IOS version 12.2(8)T is the minimum version required in order to run ___________.

A. LPDM

B. Windows NT Terminal Services

C. IOS Easy VPN Server

D. sRAS (Secure RAS) or sDNS (Secure Domain Name Service)

36. Memory usage and ___________ are two issues to consider when implementing the IOS Firewall IDS.

A. User knowledge

B. Signature coverage

C. User address space

D. TACACS+ server type

37. What does the aaa authentication login default tacacs+ none command instruct the router to do? (Choose all that apply.)

A. No authentication is required to log in.

B. TACACS+ is the default login method for all authentication.

C. If the TACACS+ process is unavailable, no access is permitted.

D. RADIUS is the default login method for all authentication.

E. If the TACACS+ process is unavailable, no login is required.

F. If the RADIUS process is unavailable, no login is required.

38. ___________ and ___________ are both supported by Cisco Easy VPN Server.

A. Authentication using DSS

B. DH1

C. DH2

D. Manual keys

E. Perfect forward secrecy (PFS)

F. DH5

39. What does an atomic signature trigger on?

A. Single packet

B. Duplex packet

C. Atomic packet

D. Two-way packet

40. Which of these statements are true regarding the following debug output? (Choose all that apply.)

01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1

01:42:12: AAA/AUTHEN/CONT (864264997): Method=LOCAL

A. This debug output shows that the user is using a remote database for authenticating the user todd.

B. This is a debug output from the authorization component of AAA.

C. This is a debug output from the authentication component of AAA.

D. The password will be checked against the local line password.

Answers to Securing Cisco IOS Networks Assessment Test 1
