
Implementing Intrusion Prevention

July 7th, 2010 in CCNA Security

Here you will find answers to Implementing Intrusion Prevention Questions

Question 1

When configuring Cisco IOS login enhancements for virtual connections, what is the “quiet period”?

A. A period of time when no one is attempting to log in
B. The period of time in which virtual logins are blocked as security services fully initialize
C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
D. The period of time between successive login attempts


Answer: C

Explanation

If the configured number of failed connection attempts occurs within the specified time period, the Cisco IOS device refuses all further virtual (vty) connections for a period of time called the quiet period. The feature is not enabled by default; issuing the login block-for command in global configuration mode turns it on, and a default login delay of one second between successive attempts is applied at the same time. Hosts matched by an optional quiet-mode access list (login quiet-mode access-class) are exempt from the block, so administrators can still reach the device while it is fending off a DoS or dictionary attack. Without that access list the quiet period itself can be turned against you: a handful of deliberately failed logins locks every administrator out for the configured duration.

Question 2

Which is a result of securing the Cisco IOS image by using the Cisco IOS image resilience feature?

A. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
B. The Cisco IOS image file will not be visible in the output from the show flash command.
C. The show version command will not show the Cisco IOS image file location.
D. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.


Answer: B

Explanation

We enable this feature with the secure boot-image command in global configuration mode; the companion command secure boot-config archives the running configuration the same way. The secured image and configuration are hidden from directory listings (dir, show flash) and cannot be erased, overwritten or formatted away with the normal IOS file-system commands, although ROMMON can still list and boot them and show secure bootset displays them. The feature requires a platform with a PCMCIA ATA flash disk, and it can be disabled only from a console session, which is the point: an attacker who has gained remote administrative access cannot remove the secured boot set.
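The following configuration is an added example, not part of the original page, showing the two commands that make up the Cisco IOS Resilient Configuration feature, how to verify the result and how the archived configuration is recovered later. The rescue file name is an assumption.

```cisco
! Added example: enable Cisco IOS Resilient Configuration.
! Enter from a console session if possible; the feature can only be
! disabled (no secure boot-image / no secure boot-config) from the console.
secure boot-image
secure boot-config

! Verify. The secured image and config no longer appear in "dir" or
! "show flash", but the boot set itself is listed here:
show secure bootset

! Recovery after a tampered or erased startup configuration:
! restore the archived copy to a file name of your choice, then apply it.
! (rescue-cfg is an assumed file name.)
! secure boot-config restore flash:rescue-cfg
! configure replace flash:rescue-cfg
```

Re-run secure boot-config after any deliberate configuration change, because the archived copy reflects the running configuration at the moment the command was entered; a stale archive will "recover" you to an old state.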

Question 3

Which description is true about the show login command output displayed in the exhibit?

Router# show login

A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 100 seconds or less, logins will be disabled
for 100 seconds.
Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds.
Denying logins from all sources.

A. All logins from any sources are blocked for another 193 seconds.
B. The login block-for command is configured to block login hosts for 93 seconds.
C. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured.
D. Three or more login requests have failed within the last 100 seconds.


Answer: D

Explanation

The last two lines of the exhibit show that the router is currently in quiet mode, and quiet mode is entered only after the configured threshold has been exceeded: more than 2 (that is, 3 or more) failed logins within 100 seconds. The block lasts the configured 100 seconds, of which 93 remain, so A's "another 193 seconds" is wrong; B confuses the remaining time with the configured block-for value; and C inverts the effect of the missing quiet-mode access list, which means every source is denied, not permitted.
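The configuration below is an added example, not part of the original page. It first reproduces the state shown in the Question 3 exhibit (the weak form described in the Question 1 explanation, with no quiet-mode access list), then hardens it so the quiet period stops a dictionary attack without locking administrators out. The access-list name, the 10.1.1.0/24 management subnet and the timer values are assumptions.

```cisco
! --- Weak form: produces exactly the Question 3 exhibit ---
! "more than 2 login failures in 100 seconds" -> attempts 3 within 100
! "logins will be disabled for 100 seconds"   -> block-for 100
! Every source is blocked during quiet mode because no access list is set,
! so three bad passwords from anywhere lock out the administrators too.
login block-for 100 attempts 3 within 100
login on-failure log trap
login on-success log trap
! (login delay is 1 second by default once login block-for is configured)

! --- Hardened form ---
! Management hosts matched by the ACL are exempt from quiet mode.
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny   any log
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login delay 3
login on-failure log every 1 trap
login on-success log

! Verify the configured values and the current quiet-mode state
! show login
! show login failures
```

With the hardened form, show login reports the access list under "Quiet-Mode access list MGMT-HOSTS is applied" and the final line of the exhibit changes from "Denying logins from all sources" to denying only sources not permitted by the list.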

Question 4

After enabling port security on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?

A. The port is shut down.
B. The port’s violation mode is set to restrict.
C. The MAC address table is cleared and the new MAC address is entered into the table.
D. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.


Answer: A

Explanation

The default violation mode is shutdown: the port is placed in the err-disabled state, a syslog message and SNMP trap are generated, and the port stays down until an administrator issues shutdown followed by no shutdown, or errdisable recovery brings it back automatically. The restrict and protect modes must be configured explicitly.
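An added configuration example (not from the original page) of port security on an access port, with the three violation modes spelled out so the default behaviour in the answer can be compared with the alternatives. Interface name, VLAN and the recovery interval are assumptions.

```cisco
! Added example. Interface, VLAN and timers are assumptions.
! Let err-disabled ports recover on their own after 5 minutes instead of
! waiting for an administrator (comment out to keep the hard default).
errdisable recovery cause psecure-violation
errdisable recovery interval 300

interface GigabitEthernet1/0/10
 description user access port (IP phone + PC)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 ! shutdown is the default and is shown only for clarity:
 switchport port-security violation shutdown

! The two non-default modes, for ports where an outage is worse than a drop:
!  switchport port-security violation restrict
!    -> drop frames from unknown MACs, increment the violation counter,
!       send syslog/SNMP trap, port stays up
!  switchport port-security violation protect
!    -> drop silently: no counter, no notification (hard to detect)

! Verify
! show port-security interface GigabitEthernet1/0/10
! show port-security address
! show interfaces status err-disabled
```

Sticky learning writes the first MAC addresses seen into the running configuration; save it (copy running-config startup-config) or the learned addresses are lost on reload and the port will accept a different device after the reboot.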

Question 5

When configuring SSH, which is the Cisco minimum recommended modulus value?

A. 2048 bits
B. 256 bits
C. 1024 bits
D. 512 bits

Answer: C
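An added example, not from the original page, of the key generation the question refers to together with the SSH server settings that normally go around it. The exam-era guidance quoted in the answer is a 1024-bit minimum; generate 2048-bit or larger keys in practice, which is what this example does. Hostname, domain name, key label and the username are assumptions, and the password is a placeholder.

```cisco
! Added example. Hostname, domain, key label and username are assumptions.
! RSA key generation requires a hostname and domain name to be set first.
hostname R1
ip domain-name example.net

! 1024 bits was the minimum recommended at the time of the exam;
! 2048 is the floor today. Label the key so SSH can be pinned to it.
crypto key generate rsa general-keys label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY

! SSHv2 only (v1 has known protocol weaknesses), short timeout, few retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2

! Local account (placeholder password) and vty lines that accept only SSH
username admin privilege 15 secret ChangeMe-Long-Passphrase
line vty 0 4
 login local
 transport input ssh

! Verify
! show ip ssh
! show crypto key mypubkey rsa
```

show ip ssh should report "SSH Enabled - version 2.0"; if it shows version 1.99 the router is still accepting SSHv1 clients and ip ssh version 2 has not taken effect.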

Question 6

Examine the following options: which Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?

A. PortFast
B. BPDU Guard
C. UplinkFast
D. Root Guard


Answer: B

Explanation

BPDU Guard places a PortFast (edge) port into the err-disabled state as soon as any BPDU arrives on it, which is what you want on a port facing end stations where no switch should ever appear. Root Guard does not shut the port; it blocks the port only while superior BPDUs are received and releases it when they stop. PortFast and UplinkFast are convergence features, not protection mechanisms.
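An added configuration example (not from the original page) showing BPDU Guard enabled globally and per interface, with Root Guard on an uplink for contrast. Interface names and the recovery interval are assumptions.

```cisco
! Added example. Interfaces and timers are assumptions.
! Global: every PortFast-enabled access port is err-disabled on receipt of a BPDU.
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Optional: re-enable the port automatically once the rogue switch is unplugged
errdisable recovery cause bpduguard
errdisable recovery interval 300

! Per-interface form (overrides the global default on this port)
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

! Contrast: Root Guard on a designated uplink does NOT shut the port.
! It enters root-inconsistent (blocking) state only while superior BPDUs
! arrive, protecting the root bridge election rather than the edge.
interface GigabitEthernet1/0/24
 description uplink to distribution switch
 spanning-tree guard root

! Verify
! show spanning-tree summary
! show spanning-tree inconsistentports
! show interfaces status err-disabled
```

Do not enable PortFast with BPDU Guard on a port that legitimately connects to another switch; a normal BPDU from that switch will take the link down.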

Question 7

For the following options, which feature is the foundation of Cisco Self-Defending Network technology?

A. policy management
B. secure connectivity
C. threat control and containment
D. secure network platform


Answer: D

Question 8

Which type of intrusion prevention technology is primarily used by the Cisco IPS security appliances?

A. rule-based
B. protocol analysis-based
C. signature-based
D. profile-based


Answer: C

Question 9

What is enabled by the Dynamic Vectoring and Streaming (DVS) scanning technology?

A. Firmware-level virus detection
B. Layer 4 virus detection
C. Signature-based spyware filtering
D. Signature-based virus filtering


Answer: C

Explanation

The DVS engine is a new scanning technology that enables signature-based spyware filtering. This solution is complemented by a comprehensive set of management and reporting tools that provide ease of administration and complete visibility into threat-related activities.

Question 10

Which statement is not a reason for an organization to incorporate a SAN in its enterprise infrastructure?

A. To increase the performance of long-distance replication, backup, and recovery
B. To decrease the threat of viruses and worm attacks against data storage devices
C. To decrease both capital and operating expenses associated with data storage
D. To meet changing business priorities, applications, and revenue growth


Answer: B

Question 11

Which two functions are required for IPsec operation? (Choose two)

A. using AH protocols for encryption and authentication
B. using SHA for encryption
C. using Diffie-Hellman to establish a shared-secret key
D. using PKI for pre-shared-key authentication
E. using IKE to negotiate the SA


Answer: C E

Explanation

IKE (ISAKMP) negotiates the security associations, and Diffie-Hellman, run inside the IKE exchange, produces the shared secret from which the session keys are derived. The distractors are wrong on their facts: AH provides integrity and origin authentication but no encryption, SHA is a hash function rather than a cipher, and PKI (certificates) and pre-shared keys are two alternative IKE authentication methods, not one used for the other.
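An added example, not from the original page, of a site-to-site IPsec configuration that shows where the two required functions live: the ISAKMP policy is what IKE negotiates, and the group statement selects the Diffie-Hellman group that establishes the shared secret. Peer and interface addresses, protected networks, names and the pre-shared key are assumptions (the key is a placeholder).

```cisco
! Added example. Addresses, networks, names and the PSK are assumptions.
! Phase 1 (IKEv1 / ISAKMP): negotiated by IKE, keyed by Diffie-Hellman.
! group 14 = 2048-bit MODP; groups 1, 2 and 5 are too weak for new deployments.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key ChangeMe-PreSharedKey address 203.0.113.2

! Phase 2: ESP gives confidentiality AND integrity.
! (AH alone, option A in the question, authenticates but never encrypts.)
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel

! Traffic to protect: HQ 10.1.0.0/16 <-> branch 10.2.0.0/16
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TRAFFIC

interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP

! Verify: phase 1 SA state (QM_IDLE = established), then phase 2 SAs
! show crypto isakmp sa
! show crypto ipsec sa
```

set pfs forces a fresh Diffie-Hellman exchange for every phase 2 rekey, so compromise of one session key does not expose earlier or later traffic; without it the phase 2 keys are all derived from the single phase 1 secret.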

Question 12

In your company’s network, an attacker who has configured a rogue Layer 2 device is intercepting traffic from multiple VLANs to capture potentially sensitive data. Which two actions solve this problem? (Choose two)

A. Secure the native VLAN, VLAN 1 with encryption
B. Disable DTP on ports that require trunking
C. Place unused active ports in an unused VLAN
D. Set the native VLAN on the trunk ports to an unused VLAN


Answer: B D

Explanation

The attack is VLAN hopping. With DTP left enabled, the rogue device negotiates a trunk with the switch and receives every VLAN carried on it; with the native VLAN left at its default, a double-tagged (802.1Q-in-802.1Q) frame sent from an access port in the native VLAN has its outer tag stripped on the trunk and is forwarded into the VLAN of the inner tag. Disabling DTP (switchport nonegotiate) on the ports that are configured as trunks and moving the native VLAN of those trunks to an otherwise unused VLAN close both paths. Native VLAN traffic is not something a switch can "encrypt" (A), and parking unused ports in an unused VLAN (C) is good practice but does nothing about a device that is already connected and negotiating.
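An added configuration example, not part of the original page, putting answers B and D into effect on a trunk port and hardening the access and unused ports around it. VLAN numbers and interface names are assumptions.

```cisco
! Added example. VLAN numbers and interfaces are assumptions.
vlan 999
 name UNUSED-NATIVE
vlan 998
 name BLACKHOLE

! Trunk port (answers B and D): hard-code trunking, stop sending DTP frames,
! and move the native VLAN off VLAN 1 to a VLAN that carries no user traffic,
! so a double-tagged frame has nothing to hop into.
interface GigabitEthernet1/0/24
 description uplink to distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
! Optional, switch-wide: tag native-VLAN frames too, so untagged frames
! arriving on a trunk are dropped instead of being placed in the native VLAN.
vlan dot1q tag native

! Access ports: permanent access mode, no trunk negotiation possible
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10

! Unused ports: shut down and parked in the black-hole VLAN
interface range GigabitEthernet1/0/25 - 48
 switchport mode access
 switchport access vlan 998
 shutdown

! Verify
! show interfaces trunk
! show dtp interface GigabitEthernet1/0/24
```

On platforms that only support 802.1Q (for example the Catalyst 2960) the switchport trunk encapsulation line is not accepted and should be omitted. Both ends of a trunk must agree on the native VLAN and on vlan dot1q tag native, otherwise frames in that VLAN are dropped as a native VLAN mismatch.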

Comments
  1. Otto
    October 11th, 2010

    Question 12: Why should B be a right answer? If a port needs to be a trunk port, you won’t earn any additional security if you switch on or switch off DTP. It would make sense on an access port that is presented to end users, but not on a port which should be a trunk port by design.

  2. securitytut
    October 12th, 2010

    Please notice that Cisco switch ports will auto-negotiate trunking by the Dynamic Trunking Protocol (DTP). An attacker just needs to trick the switch into negotiating a trunk. The attacker connects a rogue switch to an unused switch port and spoofs DTP messages to automatically negotiate and thus turn on trunking between the rogue switch and the victim switch. Next, the attacker can send traffic into the network tagged with the VLAN ID of a VLAN that has been learned from the trunk.

  3. Otto
    October 13th, 2010

    Hi,

    Technically you are right (and I was aware), but this does not affect / reflect the question. A port which should be used as a trunk port anyway cannot be secured by turning off the DTP protocol to prevent an attacker from accessing different VLANs via this port, because if DTP is switched off and the port is manually set as a trunk, an attacker would just need to set his network interface as a trunk as well. One answer says “B. Disable DTP on ports that require trunking” but the correct answer would say “B. Disable DTP on ports that do not require trunking”.

    Cheers Otto

  4. Otto
    October 14th, 2010

    Because of the findings in the above comment, the right answers for question 12 should be:

    C. Place unused active ports in an unused VLAN
    D. Set the native VLAN on the trunk ports to an unused VLAN

    With the assumption that the VLAN used in C is different from the native VLAN in D.

  5. eastlandgrl
    October 18th, 2010

    interesting, thanks

  6. maquiavelo
    October 18th, 2010

    nice read, keep up the good work

  7. nonamed
    October 27th, 2010

    > C. Place unused active ports in an unused VLAN
    I think that unused ports should be shut down, and why not, in an unused VLAN. That answer doesn’t seem like a Cisco recommendation.

    > B. Disable DTP on ports that require trunking
    This sounds odd, but would not do any damage. I think it should be something like “disable DTP on all ports, and enable trunking where needed manually”.

  8. Axicos
    October 28th, 2010

    So what did the 1000 % guys choose?

    I have the exam tomorrow. If no one answers by then I will try to provide an update on this.

    At this time I think C might be a recommendation but in the context presented in the question it would be useless. Don’t analyze only the answers, try to relate them to the question at hand.

    If no other sure proof is presented I incline towards B & D.

  9. nonamed
    October 29th, 2010

    I’ve taken the exam today scoring a 1000. Question 12 is OK (B, D).

  10. Axicos
    October 30th, 2010

    As I suspected, based on the context presented in the question (an attacker has already penetrated the network and is connected/intercepting traffic), the answer C would be useless! So even by elimination (if not by my 1000 score or the fact that B is plausible in this scenario) the correct answer is:
    B. Disable DTP on ports that require trunking
    D. Set the native VLAN on the trunk ports to an unused VLAN

    Cheers.

  11. 6pk2g0
    November 23rd, 2010

    Quick explanation for Question 12. (answer B)

    Every port on your switch that does not lead to another known switch should be placed into access mode.

    Trunking ports should be placed into unconditional trunking mode and then DTP frame transmission should be disabled.

  12. paper
    January 13th, 2011

    hi Exedierge
    Why did you say “need to check”?

    thanks

  13. PK
    February 23rd, 2011

    @Otto,
    While you are technically correct, and you should also add to this list that all unused ports should be put in an unused and nonexistent VLAN (to black hole traffic), this is the answer that is required by Cisco. I’ve seen this question on multiple study guides and it is the correct one according to the IINS book.

  14. MoRoCCo
    June 16th, 2011

    Hi friends, I had a problem when I was trying to download the IOS IPS signature from cisco.com
    with my CCNA account.
    I need it to finish the IPS lab practice, please add the link where I’ll find the package.
    ALL THE BEST

  16. cisco
    August 11th, 2011

    Hi, I’ve my exam on 19th august 2011. Is P4S 4.38 still valid? Questions shown here are still valid? Has anyone given exam recently?

  17. TimonsPlus
    August 12th, 2011

    q5, recomm 2048

  19. Tana
    January 28th, 2012

    Q 5 1024 correct

    Use the crypto key generate rsa general-keys modulus modulus-size
    command in global configuration mode to generate the security keys
    used by SSH. Cisco recommends that the minimum value for the
    modulus be 1024 bits.

    pg 184 cisco exam guide
