
Securing Network Devices

July 12th, 2010 in CCNA Security

Here you will find answers to Securing Network Devices Questions


Question 1

As a network engineer at securitytut.com, you are responsible for the network. Which of the following must be taken into consideration when implementing Syslog logging in your network?

A. Log all messages to the system buffer so that they can be displayed when accessing the router.
B. Use SSH to access your Syslog information.
C. Enable the highest level of Syslogging available to ensure you log all possible event messages.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

Question 2

Which description is correct when you have generated RSA keys on your Cisco router to prepare for secure device management?

A. All vty ports are automatically enabled for SSH to provide secure management.
B. The SSH protocol is automatically enabled.
C. You must then zeroize the keys to reset secure shell before configuring other parameters.
D. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.

Answer: B

Question 3

As a CCNA candidate familiar with the basic commands, what does the command “enable secret level 5 password”, entered in global configuration mode, indicate?

A. Set the enable secret command to privilege level 5.
B. The enable secret password is hashed using SHA.
C. The enable secret password is hashed using MD5.
D. The enable secret password is encrypted using Cisco proprietary level 5 encryption.
E. The enable secret password is for accessing exec privilege level 5.


Answer: E

Question 4

Please choose the correct description about Cisco Self-Defending Network characteristics.

1 Interaction amongst services and devices to mitigate attacks
2 Enabling elements in the networks to be a point of policy enforcement
3 Security technologies that evolve with emerging attacks

A. INTEGRATED – 1
COLLABORATIVE – 2
ADAPTIVE – 3

B. INTEGRATED – 2
COLLABORATIVE – 1
ADAPTIVE – 3

C. INTEGRATED – 2
COLLABORATIVE – 3
ADAPTIVE – 1

D. INTEGRATED – 3
COLLABORATIVE – 2
ADAPTIVE – 1


Answer: B

Question 5

Which three items are Cisco best-practice recommendations for securing a network? (Choose three)

A. Deploy HIPS software on all end-user workstations.
B. Routinely apply patches to operating systems and applications.
C. Disable unneeded services and ports on hosts.
D. Require strong passwords, and enable password expiration.


Answer: B C D

Question 6

Given the exhibit below. You are a network manager of your company. You are reading your Syslog server reports. On the basis of the Syslog message shown, which two descriptions are correct? (Choose two)

Feb 1 10:12:08 PST: %SYS-5-CONFIG_1: Configured from console by vty0 (10.2.2.6)

A. This message is a level 5 notification message.
B. This message is unimportant and can be ignored.
C. This is a normal system-generated information message and does not require further investigation.
D. Service timestamps have been globally enabled.


Answer: A D

Explanation

Timestamps can be enabled on a router for debugging messages and for logging messages independently; accurate timestamps are often essential when administrators troubleshoot a problem across several devices.

This Syslog message indicates that someone has configured the router using the vty 0 port.

Service timestamps have been enabled with the command “service timestamps” in the global configuration mode. For example, we can create a similar message as shown above with the command:

Router(config)# service timestamps log datetime localtime show-timezone

For reference, the Cisco syslog severity levels are:

Syslog Level | Definition | Example
0: LOG_EMERG | A panic condition normally broadcast to all users | Cisco IOS Software could not load.
1: LOG_ALERT | A condition that should be corrected immediately, such as a corrupted system database | Temperature too high.
2: LOG_CRIT | Critical conditions; for example, hard device errors | Unable to allocate memory.
3: LOG_ERR | Errors | Invalid memory size.
4: LOG_WARNING | Warning messages | Crypto operation failed.
5: LOG_NOTICE | Conditions that are not error conditions, but should possibly be handled specially | Interface changed state, up or down.
6: LOG_INFO | Informational messages | Packet denied by ACL.
7: LOG_DEBUG | Messages that contain information normally of use only when debugging a program | Packet type invalid.

(Reference: Implementing Cisco IOS Network Security Self-Study)
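The exhibit in Question 6 follows the IOS message layout: an optional timestamp (present only when "service timestamps log" is configured), then %FACILITY-SEVERITY-MNEMONIC and the message text. The Python below is an added example, not code from the page or from Cisco; it parses that layout, maps the severity digit to the names in the table above, and flags anything at warning level or worse. The first sample line is the exhibit; the remaining lines are constructed in the same format for the demonstration, and the threshold of 4 is an assumption about what an operator would want reviewed.

```python
import re
from typing import Optional

# Cisco IOS syslog severity levels, as listed in the table above.
SEVERITY_NAMES = {
    0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
    4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG",
}

# IOS message layout: [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: text
# The timestamp field only appears when 'service timestamps log ...' is configured.
IOS_SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                 # optional 'service sequence-numbers' prefix
    r"(?:(?P<stamp>[^%]+?):\s*)?"             # optional timestamp, e.g. 'Feb 1 10:12:08 PST'
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


def parse_ios_syslog(line: str) -> Optional[dict]:
    """Split one IOS syslog line into its fields; None if it is not an IOS message."""
    m = IOS_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    level = int(m.group("severity"))
    return {
        "timestamp": m.group("stamp"),          # None when service timestamps are off
        "facility": m.group("facility"),
        "severity": level,
        "severity_name": SEVERITY_NAMES[level],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def has_service_timestamps(msg: dict) -> bool:
    """True if the message carries a timestamp, i.e. 'service timestamps log' is on."""
    return msg["timestamp"] is not None


def needs_attention(msg: dict, threshold: int = 4) -> bool:
    """Flag warning (4) or worse; a level 5 notice such as the config change is routine."""
    return msg["severity"] <= threshold


# Constructed sample input: the first line is the exhibit from Question 6, the rest
# are made-up lines in the same IOS format (not taken from the original page).
SAMPLE_LINES = [
    "Feb 1 10:12:08 PST: %SYS-5-CONFIG_1: Configured from console by vty0 (10.2.2.6)",
    "Feb 1 10:13:41 PST: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Feb 1 10:14:02 PST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.2.2.9] [localport: 22] [Reason: Login Authentication Failed]",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.2.2.100 started - CLI initiated",
    "this line is not an IOS syslog message",
]


def triage(lines):
    """Return (mnemonic, severity name, flagged) for every line that parses."""
    out = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            continue
        out.append((msg["mnemonic"], msg["severity_name"], needs_attention(msg)))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_ios_syslog(line)
        if msg is None:
            print("unparsed:", line)
            continue
        flag = "ATTENTION" if needs_attention(msg) else "routine"
        ts = "timestamped" if has_service_timestamps(msg) else "no timestamp"
        print(f"{msg['severity']} {msg['severity_name']:<11} {msg['facility']}-{msg['mnemonic']} [{ts}] {flag}")
```

The fourth sample line has no timestamp prefix, which is what a collector sees from a router where "service timestamps" was never enabled; without synchronized clocks and timestamps (Question 1, answer D) the events from several devices cannot be put in order.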

Question 7

Which of the following items offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?

A. Cisco 4200 series IPS appliance
B. Cisco ASA 5500 series security appliance
C. Cisco IOS router
D. Cisco PIX 500 series security appliance


Answer: B

Explanation

Cisco ASA 5500 series Adaptive Security Appliances are easy-to-deploy solutions that integrate world-class firewall, Cisco Unified Communications (voice and video) security, Secure Sockets Layer (SSL) and IPsec VPN, IPS, and content security services in a flexible, modular product family.

Cisco IPS 4200 series: Cisco IPS 4200 series sensors offer significant protection to your network by helping to detect, classify, and stop threats, including worms, spyware and adware, network viruses, and application abuse.

The Cisco PIX 500 series Security Appliances deliver robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions.

Question 8

For the following items, which management topology keeps management traffic isolated from production traffic?

A. OOB
B. SAFE
C. MARS
D. OTP


Answer: A

Explanation

Two primary schools of thought exist about how management traffic should be sent between a management station and a managed device. One approach is to allow management traffic to traverse a production data network. The other approach is to use a separate network to transport management traffic. This approach, where management traffic is isolated from production data traffic, is called out-of-band (OOB) management.

(Reference: CCNA Security Official Exam Certification Guide)

Question 9

Information about a managed device resources and activity is defined by a series of objects. What defines the structure of these management objects?

A. FIB
B. LDAP
C. CEF
D. MIB


Answer: D

Explanation

The Management Information Base (MIB) is the database of configuration variables that resides on the networking device.

Question 10

Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later?

A. uses Cisco IPS 5.x signature format
B. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
C. requires the Basic or Advanced Signature Definition File
D. uses the built-in signatures that come with the Cisco IOS image as backup


Answer: A

Question 11

If a switch is working in the fail-open mode, what will happen when the switch’s CAM table fills to capacity and a new frame arrives?

A. The switch sends a NACK segment to the frame’s source MAC address.
B. A copy of the frame is forwarded out all switch ports other than the port the frame was received on.
C. The frame is dropped.
D. The frame is transmitted on the native VLAN.


Answer: B

Explanation

If a security component defaults to a mode in which it forwards traffic, rather than performing its previous security function on that traffic, the component is said to be operating in fail-open mode. However, if a security component denies traffic that it cannot inspect, the component is said to be operating in fail-closed (also known as fail-safe) mode, which is the more secure of the two modes.

(Reference: CCNA Security Official Exam Certification Guide)

Question 12

What is the purpose of the secure boot-config global configuration command?

A. backs up the Cisco IOS image from flash to a TFTP server
B. enables Cisco IOS image resilience
C. takes a snapshot of the router running configuration and securely archives it in persistent storage
D. stores a secured copy of the Cisco IOS image in its persistent storage


Answer: C

Question 13

Which Cisco Security Agent interceptor is in charge of intercepting all read/write requests to the rc files in UNIX?

A. Network interceptor
B. Configuration interceptor
C. Execution space interceptor
D. File system interceptor


Answer: B

Explanation

Configuration interceptor: Read/write requests to the Registry in Windows or to rc configuration files on UNIX are intercepted. This interception occurs because modification of the operating system configuration can have serious consequences. Therefore, Cisco Security Agent tightly controls read/write requests to the Registry.

Question 14

Which two statements are correct regarding a Cisco IP phone’s web access feature? (Choose two)

A. It is enabled by default.
B. It uses HTTPS.
C. It can provide IP address information about other servers in the network.
D. It requires login credentials, based on the UCM user database.


Answer: A C

Question 15

When configuring role-based CLI on a Cisco router, which action will be taken first?

A. Create a parser view called “root view”
B. Log in to the router as the root user
C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command
D. Enable the root view on the router


Answer: D

Question 16

Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies?

A. Signature-based detection
B. Anomaly-based detection
C. Honey pot detection
D. Policy-based detection


Answer: A

Question 17

Which one of the following items may be added to a password stored in MD5 to make it more secure?

A. Rainbow table
B. Cryptotext
C. Ciphertext
D. Salt


Answer: D

Comments
  1. watch free movies online
    October 12th, 2010

    Brilliant website, I hadn’t noticed http://www.securitytut.com previously in my searches!
    Continue the wonderful work!

  2. Otto
    October 13th, 2010

    So, we are adding salt to make a md5 hashed pwd more secure ….. :-) )

  3. mrmo
    October 18th, 2010

    Awesome

  4. Jessie
    November 24th, 2010

    good job securitytut!

  5. NNN
    November 28th, 2010

    @Otto:
    “Making an Md5 Hash More Secure

    To make the md5 hash more secure we need to add what is called “salt”. Salt in this sense of the meaning is random data appended to the password to make the hash more complicated and difficult to reverse engineer. Without knowing what the salt is, rainbow table attacks are mostly useless.

    Now obviously if an attacker figures out what salt you use the entire hash system is flawed. So keep your salt safe.”

  6. Cristian
    January 10th, 2011

    Generally speaking, when someone chooses a password, the system chooses the salt (random number) and it then stores both the salt and the hash(salt|password).

    So, it is mainly a matter of not letting anyone access your salts.
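Question 17 and the two comments above describe storing a random per-user salt together with hash(salt|password). The Python below is an added illustration and is not part of the page or of any comment; it shows, with a constructed four-entry stand-in for a precomputed table and two constructed accounts, why an unsalted MD5 digest can be recovered by lookup while a salted one cannot, and that verification still works because the salt is stored next to the hash. MD5 is used only because the question names it; the pbkdf2_password function goes beyond the question and shows the salted, deliberately slow form (PBKDF2-HMAC-SHA256 from the standard library) that a practitioner would use instead.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def md5_hex(data: bytes) -> str:
    """Plain MD5 digest as hex, the unsalted form the question starts from."""
    return hashlib.md5(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, md5(salt | password)), drawing a fresh 16-byte random salt
    when none is supplied. MD5 appears here only because the question names it;
    pbkdf2_password below is the form to use in practice."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt.hex(), md5_hex(salt + password.encode("utf-8"))


def verify_password(password: str, salt_hex: str, stored_hex: str) -> bool:
    """Recompute the salted hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hex)


def pbkdf2_password(password: str, salt: Optional[bytes] = None,
                    iterations: int = 600_000) -> Tuple[str, str]:
    """Salted and deliberately slow alternative: PBKDF2-HMAC-SHA256 (standard library)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), dk.hex()


# Constructed stand-in for a precomputed (rainbow) table: unsalted MD5 of a few
# common passwords, keyed by digest. The point is that the lookup only succeeds
# when the stored hash was computed without a salt.
PRECOMPUTED = {md5_hex(p.encode("utf-8")): p for p in ["password", "cisco", "123456", "admin"]}


def lookup_precomputed(digest_hex: str) -> Optional[str]:
    return PRECOMPUTED.get(digest_hex)


def demo() -> dict:
    """Two constructed accounts with the same weak password, stored both ways."""
    users = {"alice": "cisco", "bob": "cisco"}
    unsalted = {u: md5_hex(p.encode("utf-8")) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # identical passwords give identical unsalted digests, so one lookup covers both
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_recovered": lookup_precomputed(unsalted["alice"]),
        # per-user salts give different digests and nothing in the table matches
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_recovered": lookup_precomputed(salted["alice"][1]),
        # legitimate verification still works because the salt is stored alongside
        "alice_login_ok": verify_password("cisco", *salted["alice"]),
        "alice_wrong_pw": verify_password("Cisco", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is not a secret in the sense of a key: it is stored in the clear next to the hash, and its job is to make every stored hash unique so that precomputed tables and cross-user matches stop working; the iteration count in pbkdf2_password is what slows down guessing once the salt is known.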

  7. Phenodine
    January 13th, 2011

    very convincing answers,thx for ur time…

  8. kedar
    February 20th, 2011

    awesome website. thanx and keep up da good work .

  9. Reji
    May 3rd, 2011

    Had a doubt regarding the third question. Is the answer correct? Please confirm. Thanks

  10. AswadKannap
    May 23rd, 2011

    Hi – I am really happy to discover this. Good job!

  11. #harrison22[DGDGKGDAGKGD]
    June 6th, 2011

    Hey – I am certainly glad to find this. Good job!

  12. dalzitech
    June 7th, 2011

    securitytut.com is amazing, thanx for this site

  13. DL
    June 25th, 2011

    Hi all,

    Q3: I think the answer should not be ‘E’: The enable secret password is for accessing exec privilege level 5.

    “enable secret level 5 password”: set the password for privilege level 5 to be password.

    Thank you

  14. CJ
    June 30th, 2011

    It is E as the command sets the secret for level 5 as “password”. Take a look here and learn the material:

    http://www.techrepublic.com/article/understand-the-levels-of-privilege-in-the-cisco-ios/5659259

  15. DL
    July 2nd, 2011

    Thanks, Master CJ:-)

  16. CJ
    July 4th, 2011

    No problem!

  17. DL
    July 5th, 2011

    Hi CJ,

    Thank you for your reply. In hindsight, I should have done more on this prior to posting the question; things are moving so fast now and it is tough to have peace of mind to study.

    Based on http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html:
    +++++
    Router(config)# enable secret level level {0 |5} password-string
    +++++
    Sets the password for the specified privilege level. This is the password users will enter after entering the enable level command to access the specified level.

    •0 indicates an unencrypted password string follows; 5 indicates an encrypted password string follows.

    —-
    “enable secret level 5 password”: set the password for accessing privilege level 5 as ‘password’

    Hence, answer “E: The enable secret password is for accessing exec privilege level 5” is the most ‘appropriate’ answer, out of all the choices.

  18. cisco
    August 11th, 2011

    Hi, I’ve my exam on 19th august 2011. Is P4S 4.38 still valid? Questions shown here are still valid? Has anyone given exam recently?

  19. Alex
    September 26th, 2011

    Question 4 came as a drag and drop today :) , I hope it can help you to update :)
    Cheers

  20. ccnp(sam) mumbai
    December 2nd, 2011

    give me the link of latest dump .. …. for security ccna

  21. Anonymous
    December 11th, 2011

    As a network engineer at Cisco.com, you are responsible for Cisco network. Which will be necessarily taken into consideration when implementing Syslogging in your network?

  22. Vinicius
    February 9th, 2012

    thx =)
